Open Bug 489694 Opened 15 years ago Updated 5 months ago

OCSP nextFetchAttemptTime incorrectly (?) computed in some cases

Categories

(NSS :: Libraries, defect, P5)

Product:
NSS
Component:
Libraries
Version:
3.12.3
Type:
defect

Tracking

(Not tracked)

People

(Reporter: ngm+mozilla, Unassigned)

Details

Attachments

(1 file)

Fix logging (checked in)
572 bytes, patch
nelson
: review+
Details | Diff | Splinter Review 
From security/nss/lib/certhigh/ocsp.c:

716     if (cacheItem->haveThisUpdate) {
717         OCSP_TRACE_TIME("thisUpdate:", cacheItem->thisUpdate);
718         latestTimeWhenResponseIsConsideredFresh = cacheItem->thisUpdate +
719             OCSP_Global.maximumSecondsToNextFetchAttempt * 
720                 MICROSECONDS_PER_SECOND;
721         OCSP_TRACE_TIME("latestTimeWhenResponseIsConsideredFresh:", 
722                         latestTimeWhenResponseIsConsideredFresh);
723     } else {
724         latestTimeWhenResponseIsConsideredFresh = now +
725             OCSP_Global.minimumSecondsToNextFetchAttempt *
726                 MICROSECONDS_PER_SECOND;
727         OCSP_TRACE_TIME("no thisUpdate, "
728                         "latestTimeWhenResponseIsConsideredFresh:", 
729                         latestTimeWhenResponseIsConsideredFresh);
730     }

...
750     if (latestTimeWhenResponseIsConsideredFresh < 
751         earliestAllowedNextFetchAttemptTime) {
752         latestTimeWhenResponseIsConsideredFresh = 
753             earliestAllowedNextFetchAttemptTime;
754         OCSP_TRACE_TIME("latest < earliest, setting latest to:", 
755                         latestTimeWhenResponseIsConsideredFresh);
756     }


latestTimeWhenResponseIsConsideredFresh is computed based on when the OCSP response was generated, rather then when the lookup is performed.  This means that 24hrs (i.e. maximumSecondsToNextFetchAttempt) later than when the response was been generated, the response will get cached for no more than (1hr) minimumSecondsToNextFetchAttempt seconds.  Is this the expected behavior?

There's a minor bug in a logging statement:
732     if (cacheItem->haveNextUpdate) {
733         OCSP_TRACE_TIME("have nextUpdate:", cacheItem->thisUpdate);

cacheItem->thisUpdate ---> cacheItem->nextUpdate
Good to hear from you, Nagendra.

We'll have to decide on the "expected behavior" question, I think.
Assignee: nobody → julien.pierre.boogz

        Attachment #377027 -
        Flags: review?(nelson)

    
    

    
  
Regarding the question of the expected behavior, I believe the answering is yes, the freshness should be based on the thisUpdate of the response, so the behavior is correct.

    
    

    
  
Comment on attachment 377027 [details] [diff] [review]
Fix logging (checked in)

This patch is fine, and a good thing, but I am not sure that 
the behavior Nagendra described is desired behavior.  
We should discuss it further, preferably by phone or in person.

        Attachment #377027 -
        Flags: review?(nelson) → review+

    
    

    
  
I checked in the fix for the logging.

Checking in ocsp.c;
/cvsroot/mozilla/security/nss/lib/certhigh/ocsp.c,v  <--  ocsp.c
new revision: 1.59; previous revision: 1.58
done

    
    

    
  
Bugs that are currently assigned to Julien => assigning to nobody.
Search for 20100628-kaie-jp
Assignee: bugzilla+nospam → nobody

        Attachment #377027 -
        Attachment description: Fix logging → Fix logging (checked in)

    
  
Severity: normal → S3
Severity: S3 → S4
Priority: -- → P5

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: