From: Matthew Newton
Date: Mon, 16 Jan 2012 16:24:53 +0000 (+0000)
Subject: Add OCSP timeout option
X-Git-Tag: release_2_2_0~191
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=07a4b30f181;p=thirdparty%2Ffreeradius-server.git

Add OCSP timeout option

Ability to reduce the amount of time waited for an OCSP response, for example the responder is not currently available.
---
diff --git a/raddb/eap.conf b/raddb/eap.conf
index 031a5976013..5bf4ed2d0a0 100644
--- a/raddb/eap.conf
+++ b/raddb/eap.conf
@@ -441,6 +441,12 @@
 # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
 #
 # use_nonce = yes
+
+ #
+ # Number of seconds before giving up waiting
+ # for OCSP response. 0 uses system default.
+ #
+ # timeout = 0
 }
 }
diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
index ea6f336c0d1..68acde6aac8 100644
--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
@@ -79,6 +79,8 @@ static CONF_PARSER ocsp_config[] = {
 offsetof(EAP_TLS_CONF, ocsp_url), NULL, NULL },
 { "use_nonce", PW_TYPE_BOOLEAN,
 offsetof(EAP_TLS_CONF, ocsp_use_nonce), NULL, "yes"},
+ { "timeout", PW_TYPE_INTEGER,
+ offsetof(EAP_TLS_CONF, ocsp_timeout), NULL, "0" },
 { NULL, -1, 0, NULL, NULL } /* end the list */
 };
 #endif
@@ -295,7 +297,7 @@ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
 {
 OCSP_CERTID *certid;
 OCSP_REQUEST *req;
- OCSP_RESPONSE *resp;
+ OCSP_RESPONSE *resp = NULL;
 OCSP_BASICRESP *bresp = NULL;
 char *host = NULL;
 char *port = NULL;
@@ -307,6 +309,10 @@ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
 int status ;
 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
 int reason;
+ OCSP_REQ_CTX *ctx;
+ int rc;
+ struct timeval now;
+ struct timeval when;
 /*
 * Create OCSP Request
@@ -338,11 +344,42 @@ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
 bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
 BIO_set_conn_port(cbio, port);
- BIO_do_connect(cbio);
- /* Send OCSP request and wait for response */
- resp = OCSP_sendreq_bio(cbio, path, req);
- if(resp==0) {
+ if (conf->ocsp_timeout)
+ BIO_set_nbio(cbio, 1);
+
+ rc = BIO_do_connect(cbio);
+ if ((rc <= 0) && ((!conf->ocsp_timeout) || !BIO_should_retry(cbio))) {
+ radlog(L_ERR, "Error: Couldn't connect to OCSP responder");
+ goto ocsp_end;
+ }
+
+ ctx = OCSP_sendreq_new(cbio, path, req, -1);
+ if (!ctx) {
+ radlog(L_ERR, "Error: Couldn't send OCSP request");
+ goto ocsp_end;
+ }
+
+ gettimeofday(&when, NULL);
+ when.tv_sec += conf->ocsp_timeout;
+
+ do {
+ rc = OCSP_sendreq_nbio(&resp, ctx);
+ if (conf->ocsp_timeout) {
+ gettimeofday(&now, NULL);
+ if (!timercmp(&now, &when, <))
+ break;
+ }
+ } while ((rc == -1) && BIO_should_retry(cbio));
+
+ if (conf->ocsp_timeout && (rc == -1) && BIO_should_retry(cbio)) {
+ radlog(L_ERR, "Error: OCSP response timed out");
+ goto ocsp_end;
+ }
+
+ OCSP_REQ_CTX_free(ctx);
+
+ if (rc == 0) {
 radlog(L_ERR, "Error: Couldn't get OCSP response");
 goto ocsp_end;
 }
diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h
index a306a28ff8c..8376adf0705 100644
--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h
+++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h
@@ -79,6 +79,7 @@ typedef struct eap_tls_conf {
 int ocsp_override_url;
 char *ocsp_url;
 int ocsp_use_nonce;
+ int ocsp_timeout;
 #endif
 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
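Review bot: The OCSP_REQ_CTX leaks on the timed-out path: the `goto ocsp_end` inside the `if (conf->ocsp_timeout && (rc == -1) && BIO_should_retry(cbio))` block jumps over the `OCSP_REQ_CTX_free(ctx);` that follows it, and since `ctx` is introduced by this commit while the `ocsp_end` label is not touched by the diff, nothing downstream can release it. The smallest fix is to move `OCSP_REQ_CTX_free(ctx);` ahead of that check, or to add `OCSP_REQ_CTX_free(ctx);` before the `goto ocsp_end;` in the timed-out block; a responder that hangs would otherwise leak one context per authentication attempt until the deadline-based error is hit. The retry loop also calls `OCSP_sendreq_nbio` and `gettimeofday` back to back without waiting on the socket between retries, so a slow responder keeps the thread spinning for up to the configured number of seconds; a select/poll on the BIO's descriptor with the remaining time as its timeout would be the usual shape. The old code guarded on `resp==0` while the new code guards on `rc == 0`; since `resp` is now initialised to NULL, `if (rc != 1 || !resp) {` keeps the earlier invariant in case the non-blocking call returns something other than 0 or 1 without setting `resp`. ocsp_check begins and ends outside this hunk, so the `ocsp_end` cleanup itself could not be checked here.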