Posted to cvs@httpd.apache.org by tr...@apache.org on 2014/12/15 02:37:40 UTC
svn commit: r1645546 - /httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c
Author: trawick
Date: Mon Dec 15 01:37:40 2014
New Revision: 1645546
URL: http://svn.apache.org/r1645546
Log:
Fix extraction of an SCT list from a stapled OCSP response.
The hard-coded 2 byte offset to get to the list (in lieu of
the proper logic) didn't survive the addition of the SCT
from an additional log.
Modified:
httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c
Modified: httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c?rev=1645546&r1=1645545&r2=1645546&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c Mon Dec 15 01:37:40 2014
@@ -1963,9 +1963,10 @@ static int ocsp_resp_cb(SSL *ssl, void *
rd = br->tbsResponseData;
for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) { /* UNDOC */
+ const unsigned char *p;
X509_EXTENSION *ext;
int idx;
- ASN1_OCTET_STRING *oct;
+ ASN1_OCTET_STRING *oct1, *oct2;
single = sk_OCSP_SINGLERESP_value(rd->responses, i); /* UNDOC */
if (!single) {
@@ -1979,19 +1980,23 @@ static int ocsp_resp_cb(SSL *ssl, void *
continue;
}
- ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
"index of NID_ct_cert_scts: %d", idx);
exts = single->singleExtensions;
ext = sk_X509_EXTENSION_value(exts, idx); /* UNDOC */
- oct = X509_EXTENSION_get_data(ext); /* UNDOC */
+ oct1 = X509_EXTENSION_get_data(ext); /* UNDOC */
- conncfg->ocsp_has_sct_list = 1;
- conncfg->peer_ct_aware = 1;
- conncfg->ocsp_sct_list_size = oct->length - 2;
- conncfg->ocsp_sct_list = apr_pmemdup(c->pool, oct->data + 2,
- conncfg->ocsp_sct_list_size);
+ p = oct1->data;
+ if ((oct2 = d2i_ASN1_OCTET_STRING(NULL, &p, oct1->length)) != NULL) {
+ conncfg->ocsp_has_sct_list = 1;
+ conncfg->peer_ct_aware = 1;
+ conncfg->ocsp_sct_list_size = oct2->length;
+ conncfg->ocsp_sct_list = apr_pmemdup(c->pool, oct2->data,
+ conncfg->ocsp_sct_list_size);
+ ASN1_OCTET_STRING_free(oct2);
+ }
}
OCSP_RESPONSE_free(rsp); /* UNDOC */
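Review bot: A parse failure of the inner OCTET STRING is silent: when `d2i_ASN1_OCTET_STRING` returns NULL at the `if` on the new side, the loop just falls through with no log line, so a malformed or unexpectedly encoded SCT extension looks the same as "no extension" and is hard to diagnose, whereas the index lookup above it is traced at APLOG_TRACE2. Consider an `else` branch such as `ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, "SCT list extension in OCSP response could not be decoded");`. The decoder also advances `p`, so a strictness check that the whole extension value was consumed, `if (p != oct1->data + oct1->length)` treated as a decode failure, would reject extensions carrying trailing bytes rather than accepting them. As written, a later single response in this loop overwrites `conncfg->ocsp_sct_list` set by an earlier one; that predates this change, but it may be worth a comment stating that only the last SCT-bearing response is kept. The enclosing ocsp_resp_cb starts before this hunk and continues past it.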