Added initial skeleton for caching of responses.

Author: opencrypto

src/ocspd/Makefile.am

@@ -14,7 +14,8 @@ ocspd_SOURCES = \
 	request.c \
 	response.c \
 	config.c \
-	crl.c 
+	crl.c \
+	cache.c
 
 EXTRA_DIST = \
 	includes/*.h

src/ocspd/Makefile.in

@@ -108,7 +108,7 @@ PROGRAMS = $(sbin_PROGRAMS)
 am_ocspd_OBJECTS = ocspd-ocspd.$(OBJEXT) ocspd-core.$(OBJEXT) \
 	ocspd-threads.$(OBJEXT) ocspd-request.$(OBJEXT) \
 	ocspd-response.$(OBJEXT) ocspd-config.$(OBJEXT) \
-	ocspd-crl.$(OBJEXT)
+	ocspd-crl.$(OBJEXT) ocspd-cache.$(OBJEXT)
 ocspd_OBJECTS = $(am_ocspd_OBJECTS)
 ocspd_DEPENDENCIES =
 AM_V_lt = $(am__v_lt_@AM_V@)
@@ -339,7 +339,8 @@ ocspd_SOURCES = \
 	request.c \
 	response.c \
 	config.c \
-	crl.c 
+	crl.c \
+	cache.c
 
 EXTRA_DIST = \
 	includes/*.h
@@ -439,6 +440,7 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocspd-cache.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocspd-config.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocspd-core.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocspd-crl.Po@am__quote@
@@ -566,6 +568,20 @@ ocspd-crl.obj: crl.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(ocspd_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocspd-crl.obj `if test -f 'crl.c'; then $(CYGPATH_W) 'crl.c'; else $(CYGPATH_W) '$(srcdir)/crl.c'; fi`
 
+ocspd-cache.o: cache.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(ocspd_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocspd-cache.o -MD -MP -MF $(DEPDIR)/ocspd-cache.Tpo -c -o ocspd-cache.o `test -f 'cache.c' || echo '$(srcdir)/'`cache.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ocspd-cache.Tpo $(DEPDIR)/ocspd-cache.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='cache.c' object='ocspd-cache.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(ocspd_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocspd-cache.o `test -f 'cache.c' || echo '$(srcdir)/'`cache.c
+
+ocspd-cache.obj: cache.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(ocspd_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocspd-cache.obj -MD -MP -MF $(DEPDIR)/ocspd-cache.Tpo -c -o ocspd-cache.obj `if test -f 'cache.c'; then $(CYGPATH_W) 'cache.c'; else $(CYGPATH_W) '$(srcdir)/cache.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ocspd-cache.Tpo $(DEPDIR)/ocspd-cache.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='cache.c' object='ocspd-cache.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(ocspd_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocspd-cache.obj `if test -f 'cache.c'; then $(CYGPATH_W) 'cache.c'; else $(CYGPATH_W) '$(srcdir)/cache.c'; fi`
+
 mostlyclean-libtool:
 	-rm -f *.lo
 

src/ocspd/cache.c

@@ -0,0 +1,56 @@
+/* src/ocspd/cache.c */
+
+#include "general.h"
+
+void OCSPD_CACHE_free(OCSPD_CACHE * oc) {
+
+	// Input check
+	if (!oc) return;
+
+	// Free the memory
+	if (oc->idx) PKI_Free(oc->idx);
+
+	// Free the data structure
+	PKI_Free(oc);
+}
+
+OCSPD_CACHE * OCSPD_CACHE_new(size_t size) {
+
+	OCSPD_CACHE * oc = NULL;
+
+	// Input checks
+	if (size <= 0) size = 1000;
+
+	// Allocates the memory
+	if ((oc = PKI_Malloc(sizeof(OCSPD_CACHE))) == NULL) {
+		PKI_log_err("Can not allocate cache memory");
+		return NULL;
+	}
+
+	// Allocates the memory for the cache
+	if ((oc->idx = PKI_Malloc(sizeof(OCSPD_CACHE_ENTRY) * size)) == NULL) {
+		OCSPD_CACHE_free(oc);
+		PKI_log_err("Can not allocate cache memory");
+		return NULL;
+	}
+
+	// Sets the size of the index
+	oc->size = size;
+	
+	// Initializes the lock
+	PKI_RWLOCK_init(&oc->lock);
+
+	// Return the initialized data structure
+	return oc;
+
+}
+
+int OCSPD_CACHE_entry_idx(OCSPD_CACHE_ENTRY *entry) {
+}
+
+int OCSPD_CACHE_set_entry(OCSPD_CACHE * cache, OCSPD_CACHE_ENTRY *entry) {
+}
+
+OCSPD_CACHE_ENTRY * OCSPD_CACHE_get0_entry(OCSPD_CACHE * cache, ASN1_INTEGER *serialNumber) {
+}
+

src/ocspd/config.c

@@ -519,8 +519,6 @@ int OCSPD_build_ca_list ( OCSPD_CONFIG *handler,
 		}
 		else
 		{
-			PKI_log_debug("Got CRL Url -> %s", tmp_s );
-
 			if((ca->crl_url = URL_new ( tmp_s )) == NULL )
 			{
 				PKI_log_err ("Error Parsing CRL URL [%s] for CA [%s]", ca->ca_id, tmp_s);
@@ -585,12 +583,17 @@ int OCSPD_build_ca_list ( OCSPD_CONFIG *handler,
 		}
 		*/
 
+		// Failure loading the CRL was a fatal error, now
+		// we let the OCSP continue since the loading error
+		// might be temporary
 		if (OCSPD_load_crl(ca, handler) == PKI_ERR )
 		{
-			PKI_log_err ( "Can not get CRL for %s", ca->ca_id);
-			CA_LIST_ENTRY_free ( ca );
+			PKI_log_err ( "Can not get CRL for %s (%s)", 
+					ca->ca_id, ca->crl_url->addr);
 
-			continue;
+			// Switched to non-fatal error
+			// CA_LIST_ENTRY_free ( ca );
+			// continue;
 		}
 
 		/* If the Server has a Token to be used with this CA, let's

src/ocspd/crl.c

@@ -77,15 +77,13 @@ int ocspd_load_ca_crl ( CA_LIST_ENTRY *a, OCSPD_CONFIG *conf ) {
 	if ( a->nextUpdate ) ASN1_TIME_free(a->nextUpdate);
 
 	/* Get new values from the recently loaded CRL */
-	a->lastUpdate = M_ASN1_TIME_dup (
+	a->lastUpdate = PKI_TIME_dup(
 		PKI_X509_CRL_get_data ( a->crl, PKI_X509_DATA_LASTUPDATE ));
-	a->nextUpdate = M_ASN1_TIME_dup (
+	a->nextUpdate = PKI_TIME_dup (
 		PKI_X509_CRL_get_data ( a->crl, PKI_X509_DATA_NEXTUPDATE ));
 
-	if(conf->debug) PKI_log_debug("RELEASING LOCK (CRL RELOAD)");
+	// Releases the lock
 	PKI_RWLOCK_release_write ( &conf->crl_lock );
-	// pthread_rwlock_unlock ( &crl_lock );
-	if(conf->debug) PKI_log_debug ( "LOCK RELEASED --END--");
 
 	/* Now check the CRL validity */
 	a->crl_status = check_crl_validity( a, conf );
@@ -366,4 +364,4 @@ void force_crl_reload ( int sig ) {
 	ocspd_reload_crls ( ocspd_conf );
 
 	return;
-};
+}

src/ocspd/includes/cache.h

@@ -0,0 +1,63 @@
+/*
+ * OCSP responder
+ * by Massimiliano Pala (madwolf@openca.org)
+ * OpenCA Labs project 2001-2017
+ *
+ * Copyright (c) 2001-2017 The OpenCA Project.  All rights reserved.
+ *
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* Functions prototypes*/
+
+#ifndef OCSPD_CACHE_H
+#define OCSPD_CACHE_H
+
+typedef struct ocspd_cache_entry_st {
+	// Serial Number of the Certificate
+	ASN1_INTEGER		* serialNumber;
+	// Cached Response
+	PKI_OCSP_RESP		* response;
+	// Time until the response is valid
+	time_t			   expires;
+	// Mutex to be acquired before updating the entry
+	PKI_MUTEX		   mutext;
+} OCSPD_CACHE_ENTRY;
+
+typedef struct ocspd_cache_st {
+
+	// Lock for the [data] access
+	PKI_RWLOCK		   lock;
+
+	// Condition Variable and Mutex (TBD)
+	PKI_COND		   cond_var;
+	PKI_MUTEX		   mutext;
+
+	// Size of the [data] pointers array
+	size_t			   size;
+
+	// Pointers array
+	OCSPD_CACHE_ENTRY	** idx;
+} OCSPD_CACHE;
+
+// Allocates a new caching buffer
+OCSPD_CACHE * OCSPD_CACHE_new(size_t num_of_entries);
+
+// Frees all the memory associated with the cache structure
+void OCSPD_CACHE_free(OCSPD_CACHE * oc);
+
+// Returns the number of the entry in the hash table
+int OCSPD_CACHE_entry_idx(OCSPD_CACHE_ENTRY *e);
+
+// Adds the entry to the cache (no copy)
+int OCSPD_CACHE_add0_entry(OCSPD_CACHE * oc, OCSPD_CACHE_ENTRY *e);
+
+// Returns the entry for the serial number
+OCSPD_CACHE_ENTRY * OCSPD_CACHE_get0_entry(OCSPD_CACHE * oc, ASN1_INTEGER *serialNumber);
+
+#endif

src/ocspd/includes/general.h

@@ -117,6 +117,7 @@ typedef struct ca_entry_certid
 
 /* List of available CAs */
 typedef struct ca_list_st {
+
 	/* CA Identifier - Name from config file */
 	char *ca_id;
 
@@ -165,6 +166,12 @@ typedef struct ca_list_st {
 	/* CREDS for TLS connections */
 	PKI_CRED * creds;
 
+	/* Basic Template for the response */
+	PKI_OCSP_RESP * resp_template;
+
+	/* CA Cache */
+	OCSPD_CACHE * oc;
+
 } CA_LIST_ENTRY;
 
 typedef struct {
@@ -289,6 +296,7 @@ typedef struct ocspd_config {
 #include "response.h"
 #include "request.h"
 #include "crl.h"
+#include "cache.h"
 
 #define HTTP_POST		0
 #endif

src/ocspd/response.c

@@ -419,7 +419,11 @@ PKI_X509_OCSP_RESP *make_ocsp_response(PKI_X509_OCSP_REQ *req, OCSPD_CONFIG *con
 			void *ext = NULL;
 
 			// If extensions are found, process them
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+			if (X509_REVOKED_get0_extensions(entry))
+#else
 			if (entry->extensions)
+#endif
 			{
 				ASN1_ENUMERATED *asn = NULL;
 
@@ -433,8 +437,14 @@ PKI_X509_OCSP_RESP *make_ocsp_response(PKI_X509_OCSP_REQ *req, OCSPD_CONFIG *con
 				ext = X509_REVOKED_get_ext_d2i( entry, NID_invalidity_date, NULL, NULL );
 			}
 
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+			if ((PKI_X509_OCSP_RESP_add(resp, cid, PKI_OCSP_CERTSTATUS_REVOKED,
+					X509_REVOKED_get0_serialNumber(entry), thisupd, 
+									nextupd, reason, ext )) == PKI_ERR)
+#else
 			if ((PKI_X509_OCSP_RESP_add(resp, cid, PKI_OCSP_CERTSTATUS_REVOKED,
 					entry->revocationDate, thisupd, nextupd, reason, ext )) == PKI_ERR)
+#endif
 			{
 				PKI_log_err ("Can not add a simple resp into the OCSP response");
 
@@ -675,7 +685,11 @@ CA_LIST_ENTRY *OCSPD_CA_ENTRY_find(OCSPD_CONFIG *conf, OCSP_CERTID *cid)
 		tmp = ca->cid;
 
 		/* Check for hashes */
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+		if((ret = ASN1_OCTET_STRING_cmp(tmp->nameHash, &(b->issuerNameHash))) != 0 )
+#else
 		if((ret = ASN1_OCTET_STRING_cmp(tmp->nameHash, b->issuerNameHash)) != 0 )
+#endif
 		{
 			if (conf->debug) 
 			{
@@ -689,7 +703,11 @@ CA_LIST_ENTRY *OCSPD_CA_ENTRY_find(OCSPD_CONFIG *conf, OCSP_CERTID *cid)
 			PKI_log_debug("CRL::CA [%s] nameHash OK", ca->ca_id);
 		}
 
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+		if ((ret = ASN1_OCTET_STRING_cmp(tmp->keyHash, &(b->issuerKeyHash))) != 0)
+#else
 		if ((ret = ASN1_OCTET_STRING_cmp(tmp->keyHash, b->issuerKeyHash)) != 0)
+#endif
 		{
 			if (conf->debug)
 			{
@@ -740,7 +758,11 @@ X509_REVOKED *OCSPD_REVOKED_find (CA_LIST_ENTRY *ca, ASN1_INTEGER *serial) {
 		r = sk_X509_REVOKED_value(ca->crl_list, curr);
 
 		/* Compare the two serials */
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+		cmp_val = ASN1_INTEGER_cmp(X509_REVOKED_get0_serialNumber(r), serial);
+#else
 		cmp_val = ASN1_INTEGER_cmp(r->serialNumber, serial);
+#endif
 
 		if( cmp_val > 0 ) {
 			end = curr - 1;