Bug 205406, Need a local OCSP cache

Second checkin attempt after fixing win tinderbox breakage.

security/nss/lib/certhigh/ocsp.h

@@ -37,7 +37,7 @@
 /*
  * Interface to the OCSP implementation.
  *
- * $Id: ocsp.h,v 1.9 2007-03-23 06:09:58 kaie%kuix.de Exp $
+ * $Id: ocsp.h,v 1.10 2007-03-23 06:57:57 kaie%kuix.de Exp $
  */
 
 #ifndef _OCSP_H_
@@ -67,6 +67,37 @@ SEC_BEGIN_PROTOS
 extern SECStatus
 SEC_RegisterDefaultHttpClient(const SEC_HttpClientFcn *fcnTable);
 
+/*
+ * Sets parameters that control NSS' internal OCSP cache.
+ * maxCacheEntries, special varlues are:
+ *   -1 disable cache
+ *   0 unlimited cache entries
+ * minimumSecondsToNextFetchAttempt:
+ *   whenever an OCSP request was attempted or completed over the network,
+ *   wait at least this number of seconds before trying to fetch again.
+ * maximumSecondsToNextFetchAttempt:
+ *   this is the maximum age of a cached response we allow, until we try
+ *   to fetch an updated response, even if the OCSP responder expects
+ *   that newer information update will not be available yet.
+ */
+extern SECStatus
+CERT_OCSPCacheSettings(PRInt32 maxCacheEntries,
+                       PRUint32 minimumSecondsToNextFetchAttempt,
+                       PRUint32 maximumSecondsToNextFetchAttempt);
+
+/*
+ * Set the desired behaviour on OCSP failures.
+ * See definition of ocspFailureMode for allowed choices.
+ */
+extern SECStatus
+CERT_SetOCSPFailureMode(SEC_OcspFailureMode ocspFailureMode);
+
+/*
+ * Removes all items currently stored in the OCSP cache.
+ */
+extern SECStatus
+CERT_ClearOCSPCache(void);
+
 /*
  * FUNCTION: CERT_EnableOCSPChecking
  *   Turns on OCSP checking for the given certificate database.

security/nss/lib/certhigh/ocspi.h

@@ -36,12 +36,13 @@
 /*
  * ocspi.h - NSS internal interfaces to OCSP code
  *
- * $Id: ocspi.h,v 1.4 2007-03-23 06:09:58 kaie%kuix.de Exp $
+ * $Id: ocspi.h,v 1.5 2007-03-23 06:57:57 kaie%kuix.de Exp $
  */
 
 #ifndef _OCSPI_H_
 #define _OCSPI_H_
 
 SECStatus InitOCSPGlobal(void);
+SECStatus ShutdownOCSPCache(void);
 
 #endif /* _OCSPI_H_ */

security/nss/lib/certhigh/ocspt.h

@@ -37,7 +37,7 @@
 /*
  * Public header for exported OCSP types.
  *
- * $Id: ocspt.h,v 1.8 2007-03-23 06:09:58 kaie%kuix.de Exp $
+ * $Id: ocspt.h,v 1.9 2007-03-23 06:57:57 kaie%kuix.de Exp $
  */
 
 #ifndef _OCSPT_H_
@@ -290,4 +290,27 @@ typedef struct SEC_HttpClientFcnStruct {
    } fcnTable;
 } SEC_HttpClientFcn;
 
+/*
+ * ocspMode_FailureIsVerificationFailure:
+ * This is the classic behaviour of NSS.
+ * Any OCSP failure is a verification failure (classic mode, default).
+ * Without a good response, OCSP networking will be retried each time
+ * it is required for verifying a cert.
+ *
+ * ocspMode_FailureIsNotAVerificationFailure:
+ * If we fail to obtain a valid OCSP response, consider the
+ * cert as good.
+ * Failed OCSP attempts might get cached and not retried until
+ * minimumSecondsToNextFetchAttempt.
+ * If we are able to obtain a valid response, the cert
+ * will be considered good, if either status is "good"
+ * or the cert was not yet revoked at verification time.
+ *
+ * Additional failure modes might be added in the future.
+ */
+typedef enum {
+    ocspMode_FailureIsVerificationFailure = 0,
+    ocspMode_FailureIsNotAVerificationFailure = 1
+} SEC_OcspFailureMode;
+
 #endif /* _OCSPT_H_ */

security/nss/lib/nss/nss.def

@@ -899,6 +899,9 @@ VFY_VerifyDataDirect;
 VFY_VerifyDataWithAlgorithmID;
 VFY_VerifyDigestDirect;
 VFY_VerifyDigestWithAlgorithmID;
+CERT_SetOCSPFailureMode;
+CERT_OCSPCacheSettings;
+CERT_ClearOCSPCache;
 ;+    local:
 ;+       *;
 ;+};

security/nss/lib/nss/nssinit.c

@@ -36,7 +36,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: nssinit.c,v 1.77 2007-03-23 06:09:58 kaie%kuix.de Exp $ */
+/* $Id: nssinit.c,v 1.78 2007-03-23 06:57:57 kaie%kuix.de Exp $ */
 
 #include <ctype.h>
 #include "seccomon.h"
@@ -788,6 +788,7 @@ NSS_Shutdown(void)
 	shutdownRV = SECFailure;
     }
     ShutdownCRLCache();
+    ShutdownOCSPCache();
     SECOID_Shutdown();
     status = STAN_Shutdown();
     cert_DestroySubjectKeyIDHashTable();