You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@serf.apache.org by br...@apache.org on 2016/12/15 06:29:10 UTC

svn commit: r1774373 - in /serf/branches/ocsp-verification: BRANCH-README buckets/ssl_buckets.c serf_bucket_types.h test/test_ssl.c

Author: brane
Date: Thu Dec 15 06:29:09 2016
New Revision: 1774373

URL: http://svn.apache.org/viewvc?rev=1774373&view=rev
Log:
On the ocsp-verification branch: Introduce scratch pools for a couple functions.

* BRANCH-README: Update branch docs.

* serf_bucket_types.h
  (serf_ssl_cert_export2): New prototype.
  (serf_ssl_cert_export): Update docstring.
  (serf_ssl_cert_import): Update docstring and add scratch pool parameter.
  (serf_ssl_ocsp_request_create): Update docstring.

* buckets/ssl_buckets.c
  (serf_ssl_cert_export2): Rename from serf_ssl_cert_export and update pool usage.
  (serf_ssl_cert_export2): Call serf_ssl_cert_export2.
  (serf_ssl_cert_import): Update pool usage.

* test/test_ssl.c
  (test_ssl_cert_import): Update test to match new API.

Modified:
    serf/branches/ocsp-verification/BRANCH-README
    serf/branches/ocsp-verification/buckets/ssl_buckets.c
    serf/branches/ocsp-verification/serf_bucket_types.h
    serf/branches/ocsp-verification/test/test_ssl.c

Modified: serf/branches/ocsp-verification/BRANCH-README
URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/BRANCH-README?rev=1774373&r1=1774372&r2=1774373&view=diff
==============================================================================
--- serf/branches/ocsp-verification/BRANCH-README (original)
+++ serf/branches/ocsp-verification/BRANCH-README Thu Dec 15 06:29:09 2016
@@ -19,18 +19,43 @@ These are the proposed changes:
    insert the array into the returned hash table with key "OCSP".
 
 
-2. serf_ssl_cert_import()
+2. serf_ssl_cert_export2()
+
+   /**
+    * Export a certificate to base64-encoded, zero-terminated string.
+    * The returned string is allocated in @a result_pool.
+    * Uses @a scratch_pool for temporary allocations.
+    * Returns NULL on failure.
+    */
+   const char *serf_ssl_cert_export2(
+       const serf_ssl_certificate_t *cert,
+       apr_pool_t *result_pool,
+       apr_pool_t *scratch_pool);
+
+
+   Discussion:
+
+     serf_ssl_cert_export() uses a single pool for both the result and
+     for teporary allocations. The size of the temporary buffer is on
+     the order of the size of the result, so if we can use a scratch
+     pool for that, we can effectively halve the memory used by
+     exported certs.
+
+
+3. serf_ssl_cert_import()
 
    Add a new function that is the inverse of serf_ssl_cert_export():
 
    /**
-    * Imports certificate from a base64-encoded, zero-terminated
-    * string. The returned certificate is allocated in @a pool.
+    * Import a certificate from a base64-encoded, zero-terminated string.
+    * The returned certificate is allocated in @a result_pool.
+    * Uses @a scratch_pool for temporary allocations.
     * Returns NULL on failure.
     */
    serf_ssl_certificate_t *serf_ssl_cert_import(
        const char *encoded_cert,
-       apr_pool_t *pool);
+       apr_pool_t *result_pool,
+       apr_pool_t *scratch_pool);
 
    Discussion:
 
@@ -45,7 +70,7 @@ These are the proposed changes:
      through serf_ssl_load_cert_file() is neither easy nor sane).
 
 
-3. OCSP requests
+4. OCSP requests
 
    Add a new opaque type and accessor functions that can be used from
    within a request setup handler to create an OCSP request.
@@ -71,6 +96,13 @@ These are the proposed changes:
     * The request will be allocated from @a result_pool.
     *
     * Use @a scratch_pool for temporary allocations.
+    *
+    * Returns @c NULL on failure, e.g., if @a issuer_cert is not the
+    * issuer certificate of @a server_cert.
+    *
+    * @note The @a server_cert and @a issuer_cert will be copied into the
+    * OCSP request structure. The lifetime of the copies is controlled by
+    * the lifetime of @a result_pool.
     */
    serf_ssl_ocsp_request_t *serf_ssl_ocsp_request_create(
        const serf_ssl_certificate_t *server_cert,
@@ -128,7 +160,7 @@ These are the proposed changes:
        apr_pool_t *scratch_pool);
 
 
-4. OCSP responses
+5. OCSP responses
 
    Add a new opaque type, response body parser and response validator.
 
@@ -193,7 +225,7 @@ These are the proposed changes:
        apr_pool_t *scratch_pool);
 
 
-5. New error codes and macros
+6. New error codes and macros
 
        #define SERF_ERROR_SSL_OCSP_RESPONSE_CERT_REVOKED
        #define SERF_ERROR_SSL_OCSP_RESPONSE_CERT_UNKNOWN

Modified: serf/branches/ocsp-verification/buckets/ssl_buckets.c
URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/buckets/ssl_buckets.c?rev=1774373&r1=1774372&r2=1774373&view=diff
==============================================================================
--- serf/branches/ocsp-verification/buckets/ssl_buckets.c (original)
+++ serf/branches/ocsp-verification/buckets/ssl_buckets.c Thu Dec 15 06:29:09 2016
@@ -2365,6 +2365,14 @@ const char *serf_ssl_cert_export(
     const serf_ssl_certificate_t *cert,
     apr_pool_t *pool)
 {
+    return serf_ssl_cert_export2(cert, pool, pool);
+}
+
+const char *serf_ssl_cert_export2(
+    const serf_ssl_certificate_t *cert,
+    apr_pool_t *result_pool,
+    apr_pool_t *scratch_pool)
+{
     char *binary_cert;
     char *encoded_cert;
     int len;
@@ -2376,14 +2384,14 @@ const char *serf_ssl_cert_export(
         return NULL;
     }
 
-    binary_cert = apr_palloc(pool, len);
+    binary_cert = apr_palloc(scratch_pool, len);
     unused = (unsigned char *)binary_cert;
     len = i2d_X509(cert->ssl_cert, &unused);  /* unused is incremented  */
     if (len < 0) {
         return NULL;
     }
 
-    encoded_cert = apr_palloc(pool, apr_base64_encode_len(len));
+    encoded_cert = apr_palloc(result_pool, apr_base64_encode_len(len));
     apr_base64_encode(encoded_cert, binary_cert, len);
 
     return encoded_cert;
@@ -2392,7 +2400,8 @@ const char *serf_ssl_cert_export(
 
 serf_ssl_certificate_t *serf_ssl_cert_import(
     const char *encoded_cert,
-    apr_pool_t *pool)
+    apr_pool_t *result_pool,
+    apr_pool_t *scratch_pool)
 {
     char *binary_cert;
     int binary_len;
@@ -2400,7 +2409,7 @@ serf_ssl_certificate_t *serf_ssl_cert_im
     X509* ssl_cert;
     serf_ssl_certificate_t *cert;
 
-    binary_cert = apr_palloc(pool, apr_base64_decode_len(encoded_cert));
+    binary_cert = apr_palloc(scratch_pool, apr_base64_decode_len(encoded_cert));
     binary_len = apr_base64_decode(binary_cert, encoded_cert);
 
     unused = (unsigned char*) binary_cert; /* unused is incremented  */
@@ -2410,7 +2419,7 @@ serf_ssl_certificate_t *serf_ssl_cert_im
     }
 
     /* TODO: Setup pool cleanup to free certificate */
-    cert = apr_palloc(pool, sizeof(serf_ssl_certificate_t));
+    cert = apr_palloc(result_pool, sizeof(serf_ssl_certificate_t));
     cert->ssl_cert = ssl_cert;
     return cert;
 }

Modified: serf/branches/ocsp-verification/serf_bucket_types.h
URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/serf_bucket_types.h?rev=1774373&r1=1774372&r2=1774373&view=diff
==============================================================================
--- serf/branches/ocsp-verification/serf_bucket_types.h (original)
+++ serf/branches/ocsp-verification/serf_bucket_types.h Thu Dec 15 06:29:09 2016
@@ -710,20 +710,34 @@ apr_hash_t *serf_ssl_cert_certificate(
     apr_pool_t *pool);
 
 /**
- * Export a certificate to base64-encoded, zero-terminated string.
- * The returned string is allocated in @a pool. Returns NULL on failure.
+ * Like serf_ssl_cert_export2() but uses a single pool for both the
+ * result and temporary allocations.
  */
 const char *serf_ssl_cert_export(
     const serf_ssl_certificate_t *cert,
     apr_pool_t *pool);
 
 /**
+ * Export a certificate to base64-encoded, zero-terminated string.
+ * The returned string is allocated in @a result_pool.
+ * Uses @a scratch_pool for temporary allocations.
+ * Returns NULL on failure.
+ */
+const char *serf_ssl_cert_export2(
+    const serf_ssl_certificate_t *cert,
+    apr_pool_t *result_pool,
+    apr_pool_t *scratch_pool);
+
+/**
  * Import a certificate from a base64-encoded, zero-terminated string.
- * The returned certificates is allocated in @a pool. Returns NULL on failure.
+ * The returned certificate is allocated in @a result_pool.
+ * Uses @a scratch_pool for temporary allocations.
+ * Returns NULL on failure.
  */
 serf_ssl_certificate_t *serf_ssl_cert_import(
     const char *encoded_cert,
-    apr_pool_t *pool);
+    apr_pool_t *result_pool,
+    apr_pool_t *scratch_pool);
 
 /**
  * Load a CA certificate file from a path @a file_path. If the file was loaded
@@ -800,6 +814,13 @@ typedef struct serf_ssl_ocsp_request_t s
  * The request will be allocated from @a result_pool.
  *
  * Use @a scratch_pool for temporary allocations.
+ *
+ * Returns @c NULL on failure, e.g., if @a issuer_cert is not the
+ * issuer certificate of @a server_cert.
+ *
+ * @note The @a server_cert and @a issuer_cert will be copied into the
+ * OCSP request structure. The lifetime of the copies is controlled by
+ * the lifetime of @a result_pool.
  */
 serf_ssl_ocsp_request_t *serf_ssl_ocsp_request_create(
     const serf_ssl_certificate_t *server_cert,

Modified: serf/branches/ocsp-verification/test/test_ssl.c
URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/test/test_ssl.c?rev=1774373&r1=1774372&r2=1774373&view=diff
==============================================================================
--- serf/branches/ocsp-verification/test/test_ssl.c (original)
+++ serf/branches/ocsp-verification/test/test_ssl.c Thu Dec 15 06:29:09 2016
@@ -337,10 +337,10 @@ static void test_ssl_cert_import(CuTest
                                                       "test/serftestca.pem"),
                                       tb->pool);
 
-    imported_cert = serf_ssl_cert_import(extractedbuf, tb->pool);
+    imported_cert = serf_ssl_cert_import(extractedbuf, tb->pool, tb->pool);
     CuAssertPtrNotNull(tc, imported_cert);
 
-    base64derbuf = serf_ssl_cert_export(imported_cert, tb->pool);
+    base64derbuf = serf_ssl_cert_export2(imported_cert, tb->pool, tb->pool);
     CuAssertStrEquals(tc, extractedbuf, base64derbuf);
 }

Re: svn commit: r1774373 - in /serf/branches/ocsp-verification: BRANCH-README buckets/ssl_buckets.c serf_bucket_types.h test/test_ssl.c

Posted by Branko Čibej <br...@apache.org>.

On 15.12.2016 07:45, Greg Stein wrote:
> On Thu, Dec 15, 2016 at 12:29 AM, <br...@apache.org> wrote:
>
>> Author: brane
>> Date: Thu Dec 15 06:29:09 2016
>> New Revision: 1774373
>>
>> URL: http://svn.apache.org/viewvc?rev=1774373&view=rev
>> Log:
>> On the ocsp-verification branch: Introduce scratch pools for a couple
>> functions.
>>
> Oh, good! ... i was gonna respond to your earlier email and ask that you
> introduce dual-pools for new APIs. ... the serf API was written before we
> discovered the utility of dual-pools in Subversion, and hadn't been carried
> over. Might as well start doing so!

Happy to oblige. :)

-- Brane

Re: svn commit: r1774373 - in /serf/branches/ocsp-verification: BRANCH-README buckets/ssl_buckets.c serf_bucket_types.h test/test_ssl.c

Posted by Greg Stein <gs...@gmail.com>.

On Thu, Dec 15, 2016 at 12:29 AM, <br...@apache.org> wrote:

> Author: brane
> Date: Thu Dec 15 06:29:09 2016
> New Revision: 1774373
>
> URL: http://svn.apache.org/viewvc?rev=1774373&view=rev
> Log:
> On the ocsp-verification branch: Introduce scratch pools for a couple
> functions.
>

Oh, good! ... i was gonna respond to your earlier email and ask that you
introduce dual-pools for new APIs. ... the serf API was written before we
discovered the utility of dual-pools in Subversion, and hadn't been carried
over. Might as well start doing so!

Thx,
-g