From c6f6ba6a77a2ad4be37eab64b7c4a9e40c386882 Mon Sep 17 00:00:00 2001
From: Marcel Poul
Date: Thu, 27 Sep 2012 14:51:27 +0000
Subject: [PATCH] Do not duplicate variables needed by ocsp request (in canl_ocsprequest_t).
---
 emi.canl.canl-c/src/canl_ocsp.c | 190 ++--------------------------------
 emi.canl.canl-c/src/canl_ocsp.h | 12 +--
 emi.canl.canl-c/src/proxy/sslutils.c | 29 +++---
 3 files changed, 21 insertions(+), 210 deletions(-)
diff --git a/emi.canl.canl-c/src/canl_ocsp.c b/emi.canl.canl-c/src/canl_ocsp.c
index 635d32e..0304ff6 100644
--- a/emi.canl.canl-c/src/canl_ocsp.c
+++ b/emi.canl.canl-c/src/canl_ocsp.c
@@ -4,7 +4,6 @@
 #define USENONCE 0
-static canl_x509store_t * store_dup(canl_x509store_t *store_from);
 static X509_STORE * canl_create_x509store(canl_x509store_t *store);
 static OCSP_RESPONSE *send_request(OCSP_REQUEST *req, char *host, char *path,
@@ -19,99 +18,17 @@ int ocsprequest_init(canl_ocsprequest_t **ocspreq)
 {
 if (!ocspreq)
 return 1;
- if (*ocspreq) {
- ocsprequest_free(*ocspreq);
- }
- else {
- *ocspreq = calloc(1, sizeof(**ocspreq));
- if (!(*ocspreq))
- return 1;
- }
-
- return 0;
-}
-
-int canl_x509store_init(canl_x509store_t **cs)
-{
- if (!cs)
+ *ocspreq = calloc(1, sizeof(**ocspreq));
+ if (!(*ocspreq))
 return 1;
- if (*cs) {
- canl_x509store_free(*cs);
- }
- else {
- *cs = calloc(1, sizeof(**cs));
- if (!(*cs))
- return 1;
- }
 return 0;
 }
-void ocsprequest_free(canl_ocsprequest_t *or)
+void ocsprequest_free(canl_ocsprequest_t *ocspreq)
 {
- if (!or)
- return;
- if (or->url){
- free(or->url);
- or->url = NULL;
- }
- if (or->cert){
- X509_free(or->cert);
- or->cert = NULL;
- }
- if (or->issuer){
- X509_free(or->issuer);
- or->issuer = NULL;
- }
- if (or->store){
- canl_x509store_free((or->store));
- or->store = NULL;
- }
- if (or->sign_cert){
- X509_free(or->sign_cert);
- or->sign_cert = NULL;
- }
- if (or->sign_key){
- EVP_PKEY_free(or->sign_key);
- or->sign_key = NULL;
- }
- or->skew = 0;
- or->maxage = 0;
-}
-
-void canl_x509store_free(canl_x509store_t *cs)
-{
- if (!cs)
- return;
- if (cs->ca_dir){
- free(cs->ca_dir);
- cs->ca_dir = NULL;
- }
- if (cs->crl_dir){
- free(cs->crl_dir);
- cs->crl_dir = NULL;
- }
- if (cs->ca_file){
- free(cs->ca_file);
- cs->ca_file = NULL;
- }
-}
-
-int set_ocsp_cert(canl_ocsprequest_t *ocspreq, X509 *cert)
-{
- if (!ocspreq)
- return 1;
-
- if (cert) {
- if (!ocspreq->cert) {
- X509_free(ocspreq->cert);
- ocspreq->cert = NULL;
- }
- ocspreq->cert = X509_dup(cert);
- if (!ocspreq->cert)
- return 1;
- }
- return 0;
+ if (ocspreq)
+ free(ocspreq);
 }
 int set_ocsp_url(canl_ocsprequest_t *ocspreq, char *url)
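Review bot: `ocsprequest_free` now releases only the struct itself, yet `set_ocsp_url`, `set_ocsp_sign_cert` and `set_ocsp_sign_key` stay in the file (their prototypes survive in canl_ocsp.h) and the removed body used to release `url`, `sign_cert` and `sign_key`, so whatever those setters still allocate or duplicate is leaked on every request. Unless their bodies, which lie outside this hunk, were also changed to store borrowed pointers, the free should keep releasing those three members while leaving `cert`, `issuer`, `cert_chain` and `store.ca_dir` to the caller, which is what the commit intends. The `if (ocspreq) free(ocspreq);` guard is redundant since `free(NULL)` is a no-op, and `ocsprequest_init` no longer reuses or releases an existing `*ocspreq`, so a caller passing a non-NULL pointer now leaks the previous request; a comment on the prototype such as `/* overwrites *ocspreq; free any previous request first */` would make that explicit.
```c
void ocsprequest_free(canl_ocsprequest_t *ocspreq)
{
    if (!ocspreq)
        return;
    /* owned members only (set by set_ocsp_url / set_ocsp_sign_cert /
       set_ocsp_sign_key -- confirm those still copy); cert, issuer,
       cert_chain and store.ca_dir are borrowed and are not released here */
    free(ocspreq->url);
    if (ocspreq->sign_cert)
        X509_free(ocspreq->sign_cert);
    if (ocspreq->sign_key)
        EVP_PKEY_free(ocspreq->sign_key);
    free(ocspreq);
}
```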
@@ -134,22 +51,6 @@ int set_ocsp_url(canl_ocsprequest_t *ocspreq, char *url)
 return 0;
 }
-int set_ocsp_issuer(canl_ocsprequest_t *ocspreq, X509 *issuer)
-{
- if (!ocspreq)
- return 1;
- if (issuer) {
- if (!ocspreq->issuer) {
- X509_free (ocspreq->issuer);
- ocspreq->issuer = NULL;
- }
- ocspreq->issuer = X509_dup(issuer);
- if (!ocspreq->issuer)
- return 1;
- }
- return 0;
-}
-
 int set_ocsp_sign_cert(canl_ocsprequest_t *ocspreq, X509 *sign_cert)
 {
 if (!ocspreq)
@@ -182,85 +83,6 @@ int set_ocsp_sign_key(canl_ocsprequest_t *ocspreq, EVP_PKEY *sign_key)
 return 0;
 }
-int set_ocsp_skew(canl_ocsprequest_t *ocspreq, int skew)
-{
- if (!ocspreq)
- return 1;
- if (skew)
- ocspreq->skew = skew;
- return 0;
-}
-
-int set_ocsp_maxage(canl_ocsprequest_t *ocspreq, int maxage)
-{
- if (!ocspreq)
- return 1;
- if (maxage)
- ocspreq->maxage = maxage;
- return 0;
-}
-
-int set_ocsp_timeout(canl_ocsprequest_t *ocspreq, int timeout)
-{
- if (!ocspreq)
- return 1;
- if (timeout)
- ocspreq->timeout = timeout;
- return 0;
-}
-
-int set_ocsp_chain(canl_ocsprequest_t *ocspreq, STACK_OF(X509) *chain)
-{
- if (!ocspreq)
- return 1;
- if (chain)
- ocspreq->cert_chain = chain;
- return 0;
-}
-
-static canl_x509store_t *
-store_dup(canl_x509store_t *store_from)
-{
- canl_x509store_t *store_to = NULL;
- if (!store_from)
- return NULL;
-
- store_to = calloc(1, sizeof(*store_to));
- if (!store_to)
- return NULL;
-
- if (store_from->ca_dir) {
- int len = strlen(store_from->ca_dir);
- store_to->ca_dir = (char *) malloc((len + 1) * sizeof (char));
- if (!store_to->ca_dir)
- return NULL;
- strncpy (store_to->ca_dir, store_from->ca_dir, len + 1);
- }
- if (store_from->crl_dir) {
- int len = strlen(store_from->crl_dir);
- store_to->crl_dir = (char *) malloc((len + 1) * sizeof (char));
- if (!store_to->crl_dir)
- return NULL;
- strncpy (store_to->crl_dir, store_from->crl_dir, len + 1);
- }
- return store_to;
-}
-
-int
-set_ocsp_store(canl_ocsprequest_t *ocspreq, canl_x509store_t *store)
-{
- if (!ocspreq)
- return 1;
- if (store){
- if (ocspreq->store)
- canl_x509store_free(ocspreq->store);
- ocspreq->store = store_dup(store);
- if (!ocspreq->store)
- return 1;
- }
- return 0;
-}
-
 static X509_STORE *
 canl_create_x509store(canl_x509store_t *c_store)
 {
@@ -465,7 +287,7 @@ int do_ocsp_verify (canl_ocsprequest_t *data)
 if (USENONCE && OCSP_check_nonce(req, basic) <= 0)
 goto end;
 /* TODO is this compulsory? */
- store = canl_create_x509store(data->store);
+ store = canl_create_x509store(&data->store);
 if (!store)
 goto end;
diff --git a/emi.canl.canl-c/src/canl_ocsp.h b/emi.canl.canl-c/src/canl_ocsp.h
index 7e693f3..085bb3e 100644
--- a/emi.canl.canl-c/src/canl_ocsp.h
+++ b/emi.canl.canl-c/src/canl_ocsp.h
@@ -13,7 +13,7 @@ typedef struct {
 X509 *cert;
 X509 *issuer;
 STACK_OF(X509) *cert_chain;
- canl_x509store_t *store;
+ canl_x509store_t store;
 X509 *sign_cert;
 EVP_PKEY *sign_key;
 long skew;
@@ -45,18 +45,10 @@ typedef enum {
 /* Methods to access canl_ocsprequest_t */
 int set_ocsp_sign_cert(canl_ocsprequest_t *ocspreq, X509 *sign_cert);
 int set_ocsp_sign_key(canl_ocsprequest_t *ocspreq, EVP_PKEY *sign_key);
-int set_ocsp_cert(canl_ocsprequest_t *ocspreq, X509 *cert);
-int set_ocsp_skew(canl_ocsprequest_t *ocspreq, int skew);
-int set_ocsp_maxage(canl_ocsprequest_t *ocspreq, int maxage);
 int set_ocsp_url(canl_ocsprequest_t *ocspreq, char *url);
-int set_ocsp_issuer(canl_ocsprequest_t *ocspreq, X509 *issuer);
-int set_ocsp_store(canl_ocsprequest_t *ocspreq, canl_x509store_t *store);
-int set_ocsp_chain(canl_ocsprequest_t *ocspreq, STACK_OF(X509) *chain);
 int ocsprequest_init(canl_ocsprequest_t **ocspreq);
-void ocsprequest_free(canl_ocsprequest_t *or);
-int canl_x509store_init(canl_x509store_t **cs);
-void canl_x509store_free(canl_x509store_t *cs);
+void ocsprequest_free(canl_ocsprequest_t *ocspreq);
 int do_ocsp_verify (canl_ocsprequest_t *data);
diff --git a/emi.canl.canl-c/src/proxy/sslutils.c b/emi.canl.canl-c/src/proxy/sslutils.c
index 15befe4..c37a981 100644
--- a/emi.canl.canl-c/src/proxy/sslutils.c
+++ b/emi.canl.canl-c/src/proxy/sslutils.c
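Review bot: `canl_create_x509store` now always receives a valid pointer (`&data->store`) where the old code could pass NULL when no store had been configured, so a `!c_store` guard in its body no longer means "no CA store"; the only remaining signal is `c_store->ca_dir` (and `crl_dir`, `ca_file`) being NULL, which is exactly what the caller in proxy/sslutils.c leaves behind when `cert_dir` is unset. Its body lies outside this hunk; confirm that each path member is checked before it reaches string or `X509_STORE` loading calls, otherwise an unset CA directory turns into a NULL pointer passed where a path is expected and the OCSP signature check runs against an empty store. A comment at the call, `/* store is embedded; a member left NULL means "not configured" */`, would record the new contract. `do_ocsp_verify` starts and ends outside the hunk.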
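Review bot: The members of `canl_ocsprequest_t` now follow two different ownership rules and the header does not say which is which: `store` is embedded by value and `store.ca_dir`, `cert`, `issuer` and `cert_chain` are assigned borrowed pointers by proxy/sslutils.c, while `url`, `sign_cert` and `sign_key` keep their setters and were released by the old `ocsprequest_free`. A comment on the struct should state that the borrowed members must outlive `do_ocsp_verify` and are not released by `ocsprequest_free`, and name which members the request owns, for example above `canl_x509store_t store;`: `/* cert, issuer, cert_chain and store.* are borrowed from the caller and are never freed by ocsprequest_free */`. The typedef starts before the hunk.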
@@ -2198,31 +2198,28 @@ proxy_verify_callback(
 ocsprequest_init(&ocsp_data);
 if (ocsp_data) {
 if (ctx->current_cert)
- set_ocsp_cert(ocsp_data, ctx->current_cert);
+ ocsp_data->cert = ctx->current_cert;
 if (ctx->current_issuer)
- set_ocsp_issuer(ocsp_data, ctx->current_issuer);
- if (cert_dir){
- canl_x509store_t *c_store = NULL;
- if (!canl_x509store_init(&c_store)) {
- c_store->ca_dir = strdup(cert_dir);
- set_ocsp_store(ocsp_data, c_store);
- canl_x509store_free(c_store);
- c_store = NULL;
- }
- }
- set_ocsp_skew(ocsp_data, MAX_VALIDITY_PERIOD);
- set_ocsp_maxage(ocsp_data, -1);
- set_ocsp_chain(ocsp_data, ctx->chain);
+ ocsp_data->issuer = ctx->current_issuer;
+ if (cert_dir)
+ ocsp_data->store.ca_dir = cert_dir;
+
+ ocsp_data->skew = MAX_VALIDITY_PERIOD;
+ ocsp_data->maxage = -1;
+ if (ctx->chain)
+ ocsp_data->cert_chain = ctx->chain;
 /*Timeout should be set here
- set_ocsp_timeout(pvd->timeout, -1); */
+ ocsp_data->timeout = -1; */
 do_ocsp_verify (ocsp_data);
 /* TODO sign key and cert */
+ ocsprequest_free(ocsp_data);
+ ocsp_data = NULL;
 }
 EVP_PKEY_free(key);
 if (objset)
- X509_OBJECT_free_contents(&obj);
+ X509_OBJECT_free_contents(&obj);
 return(ok);
-- 
1.8.2.3
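Review bot: The edited `ocsp_data->timeout = -1;` is still inside the `/*Timeout should be set here ... */` comment, so `timeout` keeps the 0 that `calloc` put there and the request is sent with whatever `send_request` makes of a zero timeout (its body is outside this hunk); if 0 is not an explicit "no limit" or default, an unresponsive OCSP responder can stall the TLS handshake inside the verify callback. Either assign the field for real, `ocsp_data->timeout = -1;` outside the comment, or say in the comment why the zero default is acceptable. The results of `ocsprequest_init` and `do_ocsp_verify` are both discarded and `ok` is returned unchanged, so a revoked status or responder failure does not reach the verdict unless `do_ocsp_verify` reports through another path; the discarded `do_ocsp_verify` result predates this commit but deserves a `/* TODO: feed the OCSP result into ok */` next to the call. The `if (cert_dir)` and `if (ctx->chain)` guards before plain pointer assignments are redundant after `calloc` and could be dropped. `proxy_verify_callback` starts before the hunk.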