mod_md, update tp v2.6.5

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1929514 13f79535-47bb-0310-9956-ffa450edef68

Author: icing

changes-entries/md_v2.6.5.txt

@@ -0,0 +1,9 @@
+  *) mod_md: update to version 2.6.5
+     - New directive `MDInitialDelay`, controlling how longer to wait after
+       a server restart before checking certificates for renewal.
+       [Michael Kaufmann]
+     - Hardening: when build with OpenSSL older than 1.0.2 or old libressl
+       versions, the parsing of ASN.1 time strings did not do a length check.
+     - Hardening: when reading back OCSP responses stored in the local JSON
+       store, missing 'valid' key led to uninitialized values, resulting in
+       wrong refresh behaviour.

docs/manual/mod/mod_md.xml

@@ -1582,4 +1582,21 @@ MDMessageCmd /etc/apache/md-message
             </p>
         </usage>
     </directivesynopsis>
+
+    <directivesynopsis>
+        <name>MDInitialDelay</name>
+        <description>How long to delay the first certificate check.</description>
+        <syntax>MDInitialDelay <var>duration</var></syntax>
+        <default>MDInitialDelay 0s</default>
+        <contextlist>
+            <context>server config</context>
+        </contextlist>
+        <compatibility>Available in version 2.4.66 and later</compatibility>
+        <usage>
+            <p>
+                The amount of time to wait after the server start to check
+                renewals of certificates. By default this occurs right away.
+            </p>
+        </usage>
+    </directivesynopsis>
 </modulesynopsis>

modules/md/md_crypt.c

@@ -206,7 +206,7 @@ static int pem_passwd(char *buf, int size, int rwflag, void *baton)
 
 /* Get the apr time (micro seconds, since 1970) from an ASN1 time, as stored in X509
  * certificates. OpenSSL now has a utility function, but other *SSL derivatives have
- * not caughts up yet or chose to ignore. An alternative is implemented, we prefer 
+ * not caught up yet or chose to ignore. An alternative is implemented, we prefer
  * however the *SSL to maintain such things.
  */
 static apr_time_t md_asn1_time_get(const ASN1_TIME* time)
@@ -220,6 +220,10 @@ static apr_time_t md_asn1_time_get(const ASN1_TIME* time)
     const char* str = (const char*) time->data;
     apr_size_t i = 0;
 
+    if ((time->length < 12) || (
+        (time->type == V_ASN1_GENERALIZEDTIME) && time->length < 16))
+      return 0;
+
     memset(&t, 0, sizeof(t));
 
     if (time->type == V_ASN1_UTCTIME) {/* two digit year */

modules/md/md_ocsp.c

@@ -190,6 +190,7 @@ static apr_status_t ostat_from_json(md_ocsp_cert_stat_t *pstat,
     md_timeperiod_t valid;
     apr_status_t rv = APR_ENOENT;
 
+    memset(&valid, 0, sizeof(valid));
     memset(resp_der, 0, sizeof(*resp_der));
     memset(resp_valid, 0, sizeof(*resp_valid));
     s = md_json_dups(p, json, MD_KEY_VALID, MD_KEY_FROM, NULL);

modules/md/md_version.h

@@ -27,15 +27,15 @@
  * @macro
  * Version number of the md module as c string
  */
-#define MOD_MD_VERSION "2.6.2"
+#define MOD_MD_VERSION "2.6.5-git"
 
 /**
  * @macro
  * Numerical representation of the version number of the md module
  * release. This is a 24 bit number with 8 bits for major number, 8 bits
  * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
  */
-#define MOD_MD_VERSION_NUM 0x020602
+#define MOD_MD_VERSION_NUM 0x020605
 
 #define MD_ACME_DEF_URL         "https://acme-v02.api.letsencrypt.org/directory"
 

modules/md/mod_md_config.c

@@ -84,6 +84,7 @@ static md_mod_conf_t defmc = {
     "crt.sh",                  /* default cert checker site name */
     "https://crt.sh?q=",       /* default cert checker site url */
     NULL,                      /* CA cert file to use */
+    APR_TIME_C(0),             /* initial cert check delay */
     apr_time_from_sec(MD_SECS_PER_DAY/2), /* default time between cert checks */
     apr_time_from_sec(30),     /* minimum delay for retries */
     13,                        /* retry_failover after 14 errors, with 5s delay ~ half a day */
@@ -676,6 +677,24 @@ static const char *md_config_set_base_server(cmd_parms *cmd, void *dc, const cha
     return set_on_off(&config->mc->manage_base_server, value, cmd->pool);
 }
 
+static const char *md_config_set_initial_delay(cmd_parms *cmd, void *dc, const char *value)
+{
+    md_srv_conf_t *config = md_config_get(cmd->server);
+    const char *err = md_conf_check_location(cmd, MD_LOC_NOT_MD);
+    apr_time_t delay;
+
+    (void)dc;
+    if (err) return err;
+    if (md_duration_parse(&delay, value, "s") != APR_SUCCESS) {
+        return "unrecognized duration format";
+    }
+    if (delay < 0) {
+        return "initial delay must not be negative";
+    }
+    config->mc->initial_delay = delay;
+    return NULL;
+}
+
 static const char *md_config_set_check_interval(cmd_parms *cmd, void *dc, const char *value)
 {
     md_srv_conf_t *config = md_config_get(cmd->server);
@@ -1377,6 +1396,8 @@ const command_rec md_cmds[] = {
                   "Configure locking of store for updates."),
     AP_INIT_TAKE1("MDMatchNames", md_config_set_match_mode, NULL, RSRC_CONF,
                   "Determines how DNS names are matched to vhosts."),
+    AP_INIT_TAKE1("MDInitialDelay", md_config_set_initial_delay, NULL, RSRC_CONF,
+                  "How long to delay the first certificate check."),
     AP_INIT_TAKE1("MDCheckInterval", md_config_set_check_interval, NULL, RSRC_CONF,
                   "Time between certificate checks."),
     AP_INIT_TAKE1("MDProfile", md_config_set_profile, NULL, RSRC_CONF,

modules/md/mod_md_config.h

@@ -78,6 +78,7 @@ struct md_mod_conf_t {
     const char *cert_check_name;       /* name of the linked certificate check site */
     const char *cert_check_url;        /* url "template for" checking a certificate */
     const char *ca_certs;              /* root certificates to use for connections */
+    apr_time_t initial_delay;          /* how long to delay the first cert renewal check */
     apr_time_t check_interval;         /* duration between cert renewal checks */
     apr_time_t min_delay;              /* minimum delay for retries */
     int retry_failover;                /* number of errors to trigger CA failover */

modules/md/mod_md_drive.c

@@ -403,7 +403,7 @@ apr_status_t md_renew_start_watching(md_mod_conf_t *mc, server_rec *s, apr_pool_
                      "create md renew watchdog(%s)", MD_RENEW_WATCHDOG_NAME);
         return rv;
     }
-    rv = wd_register_callback(dctx->watchdog, 0, dctx, run_watchdog);
+    rv = wd_register_callback(dctx->watchdog, mc->initial_delay, dctx, run_watchdog);
     ap_log_error(APLOG_MARK, rv? APLOG_CRIT : APLOG_DEBUG, rv, s, APLOGNO(10067) 
                  "register md renew watchdog(%s)", MD_RENEW_WATCHDOG_NAME);
     return rv;