Author: brane Date: Thu Dec 15 06:29:09 2016 New Revision: 1774373 URL: http://svn.apache.org/viewvc?rev=1774373&view=rev Log: On the ocsp-verification branch: Introduce scratch pools for a couple functions.
* BRANCH-README: Update branch docs. * serf_bucket_types.h (serf_ssl_cert_export2): New prototype. (serf_ssl_cert_export): Update docstring. (serf_ssl_cert_import): Update docstring and add scratch pool parameter. (serf_ssl_ocsp_request_create): Update docstring. * buckets/ssl_buckets.c (serf_ssl_cert_export2): Rename from serf_ssl_cert_export and update pool usage. (serf_ssl_cert_export2): Call serf_ssl_cert_export2. (serf_ssl_cert_import): Update pool usage. * test/test_ssl.c (test_ssl_cert_import): Update test to match new API. Modified: serf/branches/ocsp-verification/BRANCH-README serf/branches/ocsp-verification/buckets/ssl_buckets.c serf/branches/ocsp-verification/serf_bucket_types.h serf/branches/ocsp-verification/test/test_ssl.c Modified: serf/branches/ocsp-verification/BRANCH-README URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/BRANCH-README?rev=1774373&r1=1774372&r2=1774373&view=diff ============================================================================== --- serf/branches/ocsp-verification/BRANCH-README (original) +++ serf/branches/ocsp-verification/BRANCH-README Thu Dec 15 06:29:09 2016 @@ -19,18 +19,43 @@ These are the proposed changes: insert the array into the returned hash table with key "OCSP". -2. serf_ssl_cert_import() +2. serf_ssl_cert_export2() + + /** + * Export a certificate to base64-encoded, zero-terminated string. + * The returned string is allocated in @a result_pool. + * Uses @a scratch_pool for temporary allocations. + * Returns NULL on failure. + */ + const char *serf_ssl_cert_export2( + const serf_ssl_certificate_t *cert, + apr_pool_t *result_pool, + apr_pool_t *scratch_pool); + + + Discussion: + + serf_ssl_cert_export() uses a single pool for both the result and + for teporary allocations. The size of the temporary buffer is on + the order of the size of the result, so if we can use a scratch + pool for that, we can effectively halve the memory used by + exported certs. + + +3. serf_ssl_cert_import() Add a new function that is the inverse of serf_ssl_cert_export(): /** - * Imports certificate from a base64-encoded, zero-terminated - * string. The returned certificate is allocated in @a pool. + * Import a certificate from a base64-encoded, zero-terminated string. + * The returned certificate is allocated in @a result_pool. + * Uses @a scratch_pool for temporary allocations. * Returns NULL on failure. */ serf_ssl_certificate_t *serf_ssl_cert_import( const char *encoded_cert, - apr_pool_t *pool); + apr_pool_t *result_pool, + apr_pool_t *scratch_pool); Discussion: @@ -45,7 +70,7 @@ These are the proposed changes: through serf_ssl_load_cert_file() is neither easy nor sane). -3. OCSP requests +4. OCSP requests Add a new opaque type and accessor functions that can be used from within a request setup handler to create an OCSP request. @@ -71,6 +96,13 @@ These are the proposed changes: * The request will be allocated from @a result_pool. * * Use @a scratch_pool for temporary allocations. + * + * Returns @c NULL on failure, e.g., if @a issuer_cert is not the + * issuer certificate of @a server_cert. + * + * @note The @a server_cert and @a issuer_cert will be copied into the + * OCSP request structure. The lifetime of the copies is controlled by + * the lifetime of @a result_pool. */ serf_ssl_ocsp_request_t *serf_ssl_ocsp_request_create( const serf_ssl_certificate_t *server_cert, @@ -128,7 +160,7 @@ These are the proposed changes: apr_pool_t *scratch_pool); -4. OCSP responses +5. OCSP responses Add a new opaque type, response body parser and response validator. @@ -193,7 +225,7 @@ These are the proposed changes: apr_pool_t *scratch_pool); -5. New error codes and macros +6. New error codes and macros #define SERF_ERROR_SSL_OCSP_RESPONSE_CERT_REVOKED #define SERF_ERROR_SSL_OCSP_RESPONSE_CERT_UNKNOWN Modified: serf/branches/ocsp-verification/buckets/ssl_buckets.c URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/buckets/ssl_buckets.c?rev=1774373&r1=1774372&r2=1774373&view=diff ============================================================================== --- serf/branches/ocsp-verification/buckets/ssl_buckets.c (original) +++ serf/branches/ocsp-verification/buckets/ssl_buckets.c Thu Dec 15 06:29:09 2016 @@ -2365,6 +2365,14 @@ const char *serf_ssl_cert_export( const serf_ssl_certificate_t *cert, apr_pool_t *pool) { + return serf_ssl_cert_export2(cert, pool, pool); +} + +const char *serf_ssl_cert_export2( + const serf_ssl_certificate_t *cert, + apr_pool_t *result_pool, + apr_pool_t *scratch_pool) +{ char *binary_cert; char *encoded_cert; int len; @@ -2376,14 +2384,14 @@ const char *serf_ssl_cert_export( return NULL; } - binary_cert = apr_palloc(pool, len); + binary_cert = apr_palloc(scratch_pool, len); unused = (unsigned char *)binary_cert; len = i2d_X509(cert->ssl_cert, &unused); /* unused is incremented */ if (len < 0) { return NULL; } - encoded_cert = apr_palloc(pool, apr_base64_encode_len(len)); + encoded_cert = apr_palloc(result_pool, apr_base64_encode_len(len)); apr_base64_encode(encoded_cert, binary_cert, len); return encoded_cert; @@ -2392,7 +2400,8 @@ const char *serf_ssl_cert_export( serf_ssl_certificate_t *serf_ssl_cert_import( const char *encoded_cert, - apr_pool_t *pool) + apr_pool_t *result_pool, + apr_pool_t *scratch_pool) { char *binary_cert; int binary_len; @@ -2400,7 +2409,7 @@ serf_ssl_certificate_t *serf_ssl_cert_im X509* ssl_cert; serf_ssl_certificate_t *cert; - binary_cert = apr_palloc(pool, apr_base64_decode_len(encoded_cert)); + binary_cert = apr_palloc(scratch_pool, apr_base64_decode_len(encoded_cert)); binary_len = apr_base64_decode(binary_cert, encoded_cert); unused = (unsigned char*) binary_cert; /* unused is incremented */ @@ -2410,7 +2419,7 @@ serf_ssl_certificate_t *serf_ssl_cert_im } /* TODO: Setup pool cleanup to free certificate */ - cert = apr_palloc(pool, sizeof(serf_ssl_certificate_t)); + cert = apr_palloc(result_pool, sizeof(serf_ssl_certificate_t)); cert->ssl_cert = ssl_cert; return cert; } Modified: serf/branches/ocsp-verification/serf_bucket_types.h URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/serf_bucket_types.h?rev=1774373&r1=1774372&r2=1774373&view=diff ============================================================================== --- serf/branches/ocsp-verification/serf_bucket_types.h (original) +++ serf/branches/ocsp-verification/serf_bucket_types.h Thu Dec 15 06:29:09 2016 @@ -710,20 +710,34 @@ apr_hash_t *serf_ssl_cert_certificate( apr_pool_t *pool); /** - * Export a certificate to base64-encoded, zero-terminated string. - * The returned string is allocated in @a pool. Returns NULL on failure. + * Like serf_ssl_cert_export2() but uses a single pool for both the + * result and temporary allocations. */ const char *serf_ssl_cert_export( const serf_ssl_certificate_t *cert, apr_pool_t *pool); /** + * Export a certificate to base64-encoded, zero-terminated string. + * The returned string is allocated in @a result_pool. + * Uses @a scratch_pool for temporary allocations. + * Returns NULL on failure. + */ +const char *serf_ssl_cert_export2( + const serf_ssl_certificate_t *cert, + apr_pool_t *result_pool, + apr_pool_t *scratch_pool); + +/** * Import a certificate from a base64-encoded, zero-terminated string. - * The returned certificates is allocated in @a pool. Returns NULL on failure. + * The returned certificate is allocated in @a result_pool. + * Uses @a scratch_pool for temporary allocations. + * Returns NULL on failure. */ serf_ssl_certificate_t *serf_ssl_cert_import( const char *encoded_cert, - apr_pool_t *pool); + apr_pool_t *result_pool, + apr_pool_t *scratch_pool); /** * Load a CA certificate file from a path @a file_path. If the file was loaded @@ -800,6 +814,13 @@ typedef struct serf_ssl_ocsp_request_t s * The request will be allocated from @a result_pool. * * Use @a scratch_pool for temporary allocations. + * + * Returns @c NULL on failure, e.g., if @a issuer_cert is not the + * issuer certificate of @a server_cert. + * + * @note The @a server_cert and @a issuer_cert will be copied into the + * OCSP request structure. The lifetime of the copies is controlled by + * the lifetime of @a result_pool. */ serf_ssl_ocsp_request_t *serf_ssl_ocsp_request_create( const serf_ssl_certificate_t *server_cert, Modified: serf/branches/ocsp-verification/test/test_ssl.c URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/test/test_ssl.c?rev=1774373&r1=1774372&r2=1774373&view=diff ============================================================================== --- serf/branches/ocsp-verification/test/test_ssl.c (original) +++ serf/branches/ocsp-verification/test/test_ssl.c Thu Dec 15 06:29:09 2016 @@ -337,10 +337,10 @@ static void test_ssl_cert_import(CuTest "test/serftestca.pem"), tb->pool); - imported_cert = serf_ssl_cert_import(extractedbuf, tb->pool); + imported_cert = serf_ssl_cert_import(extractedbuf, tb->pool, tb->pool); CuAssertPtrNotNull(tc, imported_cert); - base64derbuf = serf_ssl_cert_export(imported_cert, tb->pool); + base64derbuf = serf_ssl_cert_export2(imported_cert, tb->pool, tb->pool); CuAssertStrEquals(tc, extractedbuf, base64derbuf); }