CDRIVER-3668 support OCSP back to OpenSSL 1.0.1 #623
@@ -80,6 +80,26 @@ update_entry (cache_entry_list_t *entry, | |
entry->cert_status = cert_status; | ||
entry->reason = reason; | ||
} | ||
|
||
#if OPENSSL_VERSION_NUMBER >= 0x10101000L | ||
static int | ||
_cmp_time (ASN1_TIME *a, ASN1_TIME *b) | ||
{ | ||
return ASN1_TIME_compare (a, b); | ||
} | ||
#else | ||
static int | ||
_cmp_time (ASN1_TIME *a, ASN1_TIME *b) | ||
{ | ||
/* For older OpenSSL, always report that "a" is before "b". I.e. do not | ||
* replace the entry. | ||
* If a driver would accept a stapled OCSP response and that response has a | ||
* later nextUpdate than the response already in the cache, drivers SHOULD | ||
* replace the older entry in the cache with the fresher response. */ | ||
return -1; | ||
I'll admit, this is not ideal. After searching a bit, and checking with Shreyas to see how the server polyfilled the time comparison, it seems like we'd need to parse the string representation of the time to something we can easily compare: It doesn't look like it's required by the spec to check If this seems ok with you, I'll create a ticket to do this as a post-4.4 follow-up.
||
} | ||
#endif | ||
|
||
void | ||
_mongoc_ocsp_cache_set_resp (OCSP_CERTID *id, | ||
int cert_status, | ||
|
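Review bot: the `#else` branch of `_cmp_time` returns -1 unconditionally, so on OpenSSL older than 1.1.1 the `== 1` test in `_mongoc_ocsp_cache_set_resp` can never succeed and the first response cached for a certificate is kept for the lifetime of the cache, even when a later stapled response carries a later nextUpdate or a different cert_status. The comment in the hunk says as much, but the consequence (a cached "good" status cannot be displaced on those builds) is worth recording in the cache's documentation and in the follow-up ticket. For OpenSSL 1.0.2 and later, `ASN1_TIME_diff (&days, &secs, a, b)` gives an ordering of two ASN1_TIME values without parsing their string form, which would narrow the no-replacement behaviour to 1.0.1 only. The unused `a` and `b` parameters in the fallback will also warn under -Wunused-parameter; `(void) a; (void) b;` before the `return` avoids that.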
@@ -96,8 +116,7 @@ _mongoc_ocsp_cache_set_resp (OCSP_CERTID *id, | |
entry->id = OCSP_CERTID_dup (id); | ||
LL_APPEND (cache, entry); | ||
update_entry (entry, cert_status, reason, this_update, next_update); | ||
} else if (next_update && | ||
ASN1_TIME_compare (next_update, entry->next_update) == 1) { | ||
} else if (next_update && _cmp_time (next_update, entry->next_update) == 1) { | ||
update_entry (entry, cert_status, reason, this_update, next_update); | ||
} else { | ||
/* Do nothing; our next_update is at a later date */ | ||
|
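Review bot: `_cmp_time (next_update, entry->next_update)` can be reached with `entry->next_update == NULL`: the `next_update &&` guard shows the parameter may be NULL, and the first branch stores it via `update_entry` without checking, so a later call for the same id with a non-NULL `next_update` compares against a NULL cached value. On OpenSSL 1.1.1 `ASN1_TIME_compare` treats a NULL argument as the current time, so the test silently becomes "is the new nextUpdate in the future" rather than a comparison with the cached response. Guard the cached value too and treat a missing cached nextUpdate as replaceable, e.g. `} else if (next_update && (!entry->next_update || _cmp_time (next_update, entry->next_update) == 1)) {`. Testing `== 1` rather than `> 0` is also fragile should `_cmp_time` ever return another positive value, and the `/* Do nothing; our next_update is at a later date */` comment is no longer accurate on builds where `_cmp_time` always returns -1.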
I added "prefix_commands" here, so I could create a debug-compile task that used OpenSSL 1.0.1 specifically. That needs to call the "install ssl" evergreen function first.