You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@serf.apache.org by br...@apache.org on 2016/12/15 06:29:10 UTC
svn commit: r1774373 - in /serf/branches/ocsp-verification: BRANCH-README
buckets/ssl_buckets.c serf_bucket_types.h test/test_ssl.c
Author: brane
Date: Thu Dec 15 06:29:09 2016
New Revision: 1774373
URL: http://svn.apache.org/viewvc?rev=1774373&view=rev
Log:
On the ocsp-verification branch: Introduce scratch pools for a couple functions.
* BRANCH-README: Update branch docs.
* serf_bucket_types.h
(serf_ssl_cert_export2): New prototype.
(serf_ssl_cert_export): Update docstring.
(serf_ssl_cert_import): Update docstring and add scratch pool parameter.
(serf_ssl_ocsp_request_create): Update docstring.
* buckets/ssl_buckets.c
(serf_ssl_cert_export2): Rename from serf_ssl_cert_export and update pool usage.
(serf_ssl_cert_export2): Call serf_ssl_cert_export2.
(serf_ssl_cert_import): Update pool usage.
* test/test_ssl.c
(test_ssl_cert_import): Update test to match new API.
Modified:
serf/branches/ocsp-verification/BRANCH-README
serf/branches/ocsp-verification/buckets/ssl_buckets.c
serf/branches/ocsp-verification/serf_bucket_types.h
serf/branches/ocsp-verification/test/test_ssl.c
Modified: serf/branches/ocsp-verification/BRANCH-README
URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/BRANCH-README?rev=1774373&r1=1774372&r2=1774373&view=diff
==============================================================================
--- serf/branches/ocsp-verification/BRANCH-README (original)
+++ serf/branches/ocsp-verification/BRANCH-README Thu Dec 15 06:29:09 2016
@@ -19,18 +19,43 @@ These are the proposed changes:
insert the array into the returned hash table with key "OCSP".
-2. serf_ssl_cert_import()
+2. serf_ssl_cert_export2()
+
+ /**
+ * Export a certificate to base64-encoded, zero-terminated string.
+ * The returned string is allocated in @a result_pool.
+ * Uses @a scratch_pool for temporary allocations.
+ * Returns NULL on failure.
+ */
+ const char *serf_ssl_cert_export2(
+ const serf_ssl_certificate_t *cert,
+ apr_pool_t *result_pool,
+ apr_pool_t *scratch_pool);
+
+
+ Discussion:
+
+ serf_ssl_cert_export() uses a single pool for both the result and
+ for teporary allocations. The size of the temporary buffer is on
+ the order of the size of the result, so if we can use a scratch
+ pool for that, we can effectively halve the memory used by
+ exported certs.
+
+
+3. serf_ssl_cert_import()
Add a new function that is the inverse of serf_ssl_cert_export():
/**
- * Imports certificate from a base64-encoded, zero-terminated
- * string. The returned certificate is allocated in @a pool.
+ * Import a certificate from a base64-encoded, zero-terminated string.
+ * The returned certificate is allocated in @a result_pool.
+ * Uses @a scratch_pool for temporary allocations.
* Returns NULL on failure.
*/
serf_ssl_certificate_t *serf_ssl_cert_import(
const char *encoded_cert,
- apr_pool_t *pool);
+ apr_pool_t *result_pool,
+ apr_pool_t *scratch_pool);
Discussion:
@@ -45,7 +70,7 @@ These are the proposed changes:
through serf_ssl_load_cert_file() is neither easy nor sane).
-3. OCSP requests
+4. OCSP requests
Add a new opaque type and accessor functions that can be used from
within a request setup handler to create an OCSP request.
@@ -71,6 +96,13 @@ These are the proposed changes:
* The request will be allocated from @a result_pool.
*
* Use @a scratch_pool for temporary allocations.
+ *
+ * Returns @c NULL on failure, e.g., if @a issuer_cert is not the
+ * issuer certificate of @a server_cert.
+ *
+ * @note The @a server_cert and @a issuer_cert will be copied into the
+ * OCSP request structure. The lifetime of the copies is controlled by
+ * the lifetime of @a result_pool.
*/
serf_ssl_ocsp_request_t *serf_ssl_ocsp_request_create(
const serf_ssl_certificate_t *server_cert,
@@ -128,7 +160,7 @@ These are the proposed changes:
apr_pool_t *scratch_pool);
-4. OCSP responses
+5. OCSP responses
Add a new opaque type, response body parser and response validator.
@@ -193,7 +225,7 @@ These are the proposed changes:
apr_pool_t *scratch_pool);
-5. New error codes and macros
+6. New error codes and macros
#define SERF_ERROR_SSL_OCSP_RESPONSE_CERT_REVOKED
#define SERF_ERROR_SSL_OCSP_RESPONSE_CERT_UNKNOWN
Modified: serf/branches/ocsp-verification/buckets/ssl_buckets.c
URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/buckets/ssl_buckets.c?rev=1774373&r1=1774372&r2=1774373&view=diff
==============================================================================
--- serf/branches/ocsp-verification/buckets/ssl_buckets.c (original)
+++ serf/branches/ocsp-verification/buckets/ssl_buckets.c Thu Dec 15 06:29:09 2016
@@ -2365,6 +2365,14 @@ const char *serf_ssl_cert_export(
const serf_ssl_certificate_t *cert,
apr_pool_t *pool)
{
+ return serf_ssl_cert_export2(cert, pool, pool);
+}
+
+const char *serf_ssl_cert_export2(
+ const serf_ssl_certificate_t *cert,
+ apr_pool_t *result_pool,
+ apr_pool_t *scratch_pool)
+{
char *binary_cert;
char *encoded_cert;
int len;
@@ -2376,14 +2384,14 @@ const char *serf_ssl_cert_export(
return NULL;
}
- binary_cert = apr_palloc(pool, len);
+ binary_cert = apr_palloc(scratch_pool, len);
unused = (unsigned char *)binary_cert;
len = i2d_X509(cert->ssl_cert, &unused); /* unused is incremented */
if (len < 0) {
return NULL;
}
- encoded_cert = apr_palloc(pool, apr_base64_encode_len(len));
+ encoded_cert = apr_palloc(result_pool, apr_base64_encode_len(len));
apr_base64_encode(encoded_cert, binary_cert, len);
return encoded_cert;
@@ -2392,7 +2400,8 @@ const char *serf_ssl_cert_export(
serf_ssl_certificate_t *serf_ssl_cert_import(
const char *encoded_cert,
- apr_pool_t *pool)
+ apr_pool_t *result_pool,
+ apr_pool_t *scratch_pool)
{
char *binary_cert;
int binary_len;
@@ -2400,7 +2409,7 @@ serf_ssl_certificate_t *serf_ssl_cert_im
X509* ssl_cert;
serf_ssl_certificate_t *cert;
- binary_cert = apr_palloc(pool, apr_base64_decode_len(encoded_cert));
+ binary_cert = apr_palloc(scratch_pool, apr_base64_decode_len(encoded_cert));
binary_len = apr_base64_decode(binary_cert, encoded_cert);
unused = (unsigned char*) binary_cert; /* unused is incremented */
@@ -2410,7 +2419,7 @@ serf_ssl_certificate_t *serf_ssl_cert_im
}
/* TODO: Setup pool cleanup to free certificate */
- cert = apr_palloc(pool, sizeof(serf_ssl_certificate_t));
+ cert = apr_palloc(result_pool, sizeof(serf_ssl_certificate_t));
cert->ssl_cert = ssl_cert;
return cert;
}
Modified: serf/branches/ocsp-verification/serf_bucket_types.h
URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/serf_bucket_types.h?rev=1774373&r1=1774372&r2=1774373&view=diff
==============================================================================
--- serf/branches/ocsp-verification/serf_bucket_types.h (original)
+++ serf/branches/ocsp-verification/serf_bucket_types.h Thu Dec 15 06:29:09 2016
@@ -710,20 +710,34 @@ apr_hash_t *serf_ssl_cert_certificate(
apr_pool_t *pool);
/**
- * Export a certificate to base64-encoded, zero-terminated string.
- * The returned string is allocated in @a pool. Returns NULL on failure.
+ * Like serf_ssl_cert_export2() but uses a single pool for both the
+ * result and temporary allocations.
*/
const char *serf_ssl_cert_export(
const serf_ssl_certificate_t *cert,
apr_pool_t *pool);
/**
+ * Export a certificate to base64-encoded, zero-terminated string.
+ * The returned string is allocated in @a result_pool.
+ * Uses @a scratch_pool for temporary allocations.
+ * Returns NULL on failure.
+ */
+const char *serf_ssl_cert_export2(
+ const serf_ssl_certificate_t *cert,
+ apr_pool_t *result_pool,
+ apr_pool_t *scratch_pool);
+
+/**
* Import a certificate from a base64-encoded, zero-terminated string.
- * The returned certificates is allocated in @a pool. Returns NULL on failure.
+ * The returned certificate is allocated in @a result_pool.
+ * Uses @a scratch_pool for temporary allocations.
+ * Returns NULL on failure.
*/
serf_ssl_certificate_t *serf_ssl_cert_import(
const char *encoded_cert,
- apr_pool_t *pool);
+ apr_pool_t *result_pool,
+ apr_pool_t *scratch_pool);
/**
* Load a CA certificate file from a path @a file_path. If the file was loaded
@@ -800,6 +814,13 @@ typedef struct serf_ssl_ocsp_request_t s
* The request will be allocated from @a result_pool.
*
* Use @a scratch_pool for temporary allocations.
+ *
+ * Returns @c NULL on failure, e.g., if @a issuer_cert is not the
+ * issuer certificate of @a server_cert.
+ *
+ * @note The @a server_cert and @a issuer_cert will be copied into the
+ * OCSP request structure. The lifetime of the copies is controlled by
+ * the lifetime of @a result_pool.
*/
serf_ssl_ocsp_request_t *serf_ssl_ocsp_request_create(
const serf_ssl_certificate_t *server_cert,
Modified: serf/branches/ocsp-verification/test/test_ssl.c
URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/test/test_ssl.c?rev=1774373&r1=1774372&r2=1774373&view=diff
==============================================================================
--- serf/branches/ocsp-verification/test/test_ssl.c (original)
+++ serf/branches/ocsp-verification/test/test_ssl.c Thu Dec 15 06:29:09 2016
@@ -337,10 +337,10 @@ static void test_ssl_cert_import(CuTest
"test/serftestca.pem"),
tb->pool);
- imported_cert = serf_ssl_cert_import(extractedbuf, tb->pool);
+ imported_cert = serf_ssl_cert_import(extractedbuf, tb->pool, tb->pool);
CuAssertPtrNotNull(tc, imported_cert);
- base64derbuf = serf_ssl_cert_export(imported_cert, tb->pool);
+ base64derbuf = serf_ssl_cert_export2(imported_cert, tb->pool, tb->pool);
CuAssertStrEquals(tc, extractedbuf, base64derbuf);
}
Re: svn commit: r1774373 - in /serf/branches/ocsp-verification:
BRANCH-README buckets/ssl_buckets.c serf_bucket_types.h test/test_ssl.c
Posted by Branko Čibej <br...@apache.org>.
On 15.12.2016 07:45, Greg Stein wrote:
> On Thu, Dec 15, 2016 at 12:29 AM, <br...@apache.org> wrote:
>
>> Author: brane
>> Date: Thu Dec 15 06:29:09 2016
>> New Revision: 1774373
>>
>> URL: http://svn.apache.org/viewvc?rev=1774373&view=rev
>> Log:
>> On the ocsp-verification branch: Introduce scratch pools for a couple
>> functions.
>>
> Oh, good! ... i was gonna respond to your earlier email and ask that you
> introduce dual-pools for new APIs. ... the serf API was written before we
> discovered the utility of dual-pools in Subversion, and hadn't been carried
> over. Might as well start doing so!
Happy to oblige. :)
-- Brane
Re: svn commit: r1774373 - in /serf/branches/ocsp-verification:
BRANCH-README buckets/ssl_buckets.c serf_bucket_types.h test/test_ssl.c
Posted by Greg Stein <gs...@gmail.com>.
On Thu, Dec 15, 2016 at 12:29 AM, <br...@apache.org> wrote:
> Author: brane
> Date: Thu Dec 15 06:29:09 2016
> New Revision: 1774373
>
> URL: http://svn.apache.org/viewvc?rev=1774373&view=rev
> Log:
> On the ocsp-verification branch: Introduce scratch pools for a couple
> functions.
>
Oh, good! ... i was gonna respond to your earlier email and ask that you
introduce dual-pools for new APIs. ... the serf API was written before we
discovered the utility of dual-pools in Subversion, and hadn't been carried
over. Might as well start doing so!
Thx,
-g