+++ /dev/null
-/*
- * Copyright (c) 2004,2011,2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-/*
- * tpOcspCache.cpp - local OCSP response cache.
- */
-
-#include "tpOcspCache.h"
-#include "tpdebugging.h"
-#include "certGroupUtils.h"
-#include <security_utilities/globalizer.h>
-#include <security_utilities/threading.h>
-#include <security_ocspd/ocspdUtils.h>
-#include <assert.h>
-
-/*
- * Set this flag nonzero to turn off this cache module. Generally used to debug
- * the ocspd disk cache.
- */
-#ifndef NDEBUG
-#define TP_OCSP_CACHE_DISABLE 0
-#else
-/* cache always enabled in production build */
-#define TP_OCSP_CACHE_DISABLE 0
-#endif
-
-#pragma mark ---- single cache entry ----
-
-/*
- * One cache entry, just a parsed OCSPResponse plus an optional URI and a
- * "latest" nextUpdate time. An entry is stale when its nextUpdate time has
- * come and gone.
- */
-class OcspCacheEntry : public OCSPResponse
-{
-public:
- OcspCacheEntry(
- const CSSM_DATA derEncoded,
- const CSSM_DATA *localResponder); // optional
- ~OcspCacheEntry();
-
- /* a trusting environment, this module...all public */
- CSSM_DATA mLocalResponder; // we new[]
-};
-
-OcspCacheEntry::OcspCacheEntry(
- const CSSM_DATA derEncoded,
- const CSSM_DATA *localResponder) // optional
- : OCSPResponse(derEncoded, TP_OCSP_CACHE_TTL)
-{
- if(localResponder) {
- mLocalResponder.Data = new uint8[localResponder->Length];
- mLocalResponder.Length = localResponder->Length;
- memmove(mLocalResponder.Data, localResponder->Data, localResponder->Length);
- }
- else {
- mLocalResponder.Data = NULL;
- mLocalResponder.Length = 0;
- }
-}
-
-OcspCacheEntry::~OcspCacheEntry()
-{
- delete[] mLocalResponder.Data;
-}
-
-#pragma mark ---- global cache object ----
-
-/*
- * The cache object; ModuleNexus provides each task with at most of of these.
- * All ops which affect the contents of the cache hold the (essentially) global
- * mCacheLock.
- */
-class OcspCache
-{
-public:
- OcspCache();
- ~OcspCache();
-
- /* The methods corresponding to this module's public interface */
- OCSPSingleResponse *lookup(
- OCSPClientCertID &certID,
- const CSSM_DATA *localResponderURI); // optional
- void addResponse(
- const CSSM_DATA &ocspResp, // we'll decode it
- const CSSM_DATA *localResponderURI); // optional
- void flush(
- OCSPClientCertID &certID);
-
-private:
- void removeEntry(unsigned dex);
- void scanForStale();
- OCSPSingleResponse *lookupPriv(
- OCSPClientCertID &certID,
- const CSSM_DATA *localResponderURI, // optional
- unsigned &rtnDex); // RETURNED on success
-
- Mutex mCacheLock;
-
- /*
- * NOTE: I am aware that most folks would just use an array<> here, but
- * gdb is so lame that it doesn't even let one examine the contents
- * of an array<> (or just about anything else in the STL). I prefer
- * debuggability over saving a few lines of trivial code.
- */
- OcspCacheEntry **mEntries; // just an array of pointers
- unsigned mNumEntries; // valid entries in mEntries
- unsigned mSizeofEntries; // mallocd space in mEntries
-};
-
-OcspCache::OcspCache()
- : mEntries(NULL), mNumEntries(0), mSizeofEntries(0)
-{
-
-}
-
-/* As of Tiger I believe that this code never runs */
-OcspCache::~OcspCache()
-{
- for(unsigned dex=0; dex<mNumEntries; dex++) {
- delete mEntries[dex];
- }
- if(mEntries) {
- free(mEntries);
- }
-}
-
-/*
- * Private routine, remove entry 'n' from cache.
- * -- caller must hold mCacheLock
- * -- if caller is traversing mEntries, they must start over because we
- * manipulate it.
- */
-void OcspCache::removeEntry(
- unsigned dex)
-{
- assert(dex <= (mNumEntries - 1));
-
- /* removed requested element and compact remaining array */
- delete mEntries[dex];
- for(unsigned i=dex; i<(mNumEntries - 1); i++) {
- mEntries[i] = mEntries[i+1];
- }
- mNumEntries--;
-}
-
-/*
- * Private routine to scan cache, deleting stale entries.
- * Caller must hold mCacheLock, and not be traversing mEntries.
- */
-void OcspCache::scanForStale()
-{
- CFAbsoluteTime now = CFAbsoluteTimeGetCurrent();
- bool foundOne;
- do {
- /* restart every time we delete a stale entry */
- foundOne = false;
- for(unsigned dex=0; dex<mNumEntries; dex++) {
- OcspCacheEntry *entry = mEntries[dex];
- if(entry->expireTime() < now) {
- tpOcspCacheDebug("OcspCache::scanForStale: deleting stale entry %p",
- entry);
- removeEntry(dex);
- foundOne = true;
- break;
- }
- }
- } while(foundOne);
-}
-
-/*
- * Private lookup routine. Caller holds mCacheLock. We return both an
- * OCSPSingleResponse and the index into mEntries at which we found it.
- */
- OCSPSingleResponse *OcspCache::lookupPriv(
- OCSPClientCertID &certID,
- const CSSM_DATA *localResponderURI, // optional
- unsigned &rtnDex) // RETURNED on success
-{
- OCSPSingleResponse *resp = NULL;
- for(unsigned dex=0; dex<mNumEntries; dex++) {
- OcspCacheEntry *entry = mEntries[dex];
- if(localResponderURI) {
- /* if caller specifies, it must match */
- if(entry->mLocalResponder.Data == NULL) {
- /* came from somewhere else, skip it */
- tpOcspCacheDebug("OcspCache::lookup: uri mismatch (1) on entry %p",
- entry);
- continue;
- }
- if(!tpCompareCssmData(localResponderURI, &entry->mLocalResponder)) {
- tpOcspCacheDebug("OcspCache::lookup: uri mismatch (2) on entry %p",
- entry);
- continue;
- }
- }
- resp = entry->singleResponseFor(certID);
- if(resp) {
- tpOcspCacheDebug("OcspCache::lookupPriv: cache HIT on entry %p", entry);
- rtnDex=dex;
- return resp;
- }
- }
- tpOcspCacheDebug("OcspCache::lookupPriv: cache MISS");
- return NULL;
-}
-
-OCSPSingleResponse *OcspCache::lookup(
- OCSPClientCertID &certID,
- const CSSM_DATA *localResponderURI) // optional
-{
- StLock<Mutex> _(mCacheLock);
-
- /* take care of stale entries right away */
- scanForStale();
-
- unsigned rtnDex;
- return lookupPriv(certID, localResponderURI, rtnDex);
-}
-
-void OcspCache::addResponse(
- const CSSM_DATA &ocspResp, // we'll decode it
- const CSSM_DATA *localResponderURI) // optional
-{
- StLock<Mutex> _(mCacheLock);
-
- OcspCacheEntry *entry = new OcspCacheEntry(ocspResp, localResponderURI);
- if(mNumEntries == mSizeofEntries) {
- if(mSizeofEntries == 0) {
- /* appending to empty array */
- mSizeofEntries = 1;
- }
- else {
- mSizeofEntries *= 2;
- }
- mEntries = (OcspCacheEntry **)realloc(mEntries,
- mSizeofEntries * sizeof(OcspCacheEntry *));
- }
- mEntries[mNumEntries++] = entry;
- tpOcspCacheDebug("OcspCache::addResponse: add entry %p", entry);
-}
-
-void OcspCache::flush(
- OCSPClientCertID &certID)
-{
- StLock<Mutex> _(mCacheLock);
-
- /* take care of all stale entries */
- scanForStale();
-
- unsigned rtnDex;
- OCSPSingleResponse *resp;
- do {
- /* execute as until we find no more entries matching */
- resp = lookupPriv(certID, NULL, rtnDex);
- if(resp) {
- assert((rtnDex >= 0) && (rtnDex < mNumEntries));
- tpOcspCacheDebug("OcspCache::flush: deleting entry %p", mEntries[rtnDex]);
- removeEntry(rtnDex);
- }
- } while(resp != NULL);
-}
-
-
-static ModuleNexus<OcspCache> tpOcspCache;
-
-#pragma mark ---- Public API ----
-/*
- * Lookup locally cached response. Caller must free the returned OCSPSingleResponse.
- */
-OCSPSingleResponse *tpOcspCacheLookup(
- OCSPClientCertID &certID,
- const CSSM_DATA *localResponderURI) // optional
-{
- return tpOcspCache().lookup(certID, localResponderURI);
-}
-
-/*
- * Add a fully verified OCSP response to cache.
- */
-void tpOcspCacheAdd(
- const CSSM_DATA &ocspResp, // we'll decode it, not keep a ref
- const CSSM_DATA *localResponderURI) // optional
-{
- #if TP_OCSP_CACHE_DISABLE
- return;
- #endif
- tpOcspCache().addResponse(ocspResp, localResponderURI);
-}
-
-/*
- * Delete any entry associated with specified certID from cache.
- */
-void tpOcspCacheFlush(
- OCSPClientCertID &certID)
-{
- tpOcspCache().flush(certID);
-}
-
projects / apple / security.git / blobdiff