Checkout
Jim Jagielski
committed
on 27 Oct 14
Merge r1629372, r1629485, r1629519 from trunk:

Move OCSP stapling information from a per-certificate store
(ex_data attached to an X509 *) … Show more
Merge r1629372, r1629485, r1629519 from trunk:

Move OCSP stapling information from a per-certificate store

(ex_data attached to an X509 *) to a per-server hash which is

allocated from the pconf pool. Fixes PR 54357, PR 56919 and

a leak with the certinfo_free cleanup function (missing

OCSP_CERTID_free).

* modules/ssl/ssl_util_stapling.c: drop certinfo_free, and add

 ssl_stapling_certid_free (used with apr_pool_cleanup_register).

 Switch to a stapling_certinfo hash which is keyed by the SHA-1

 digest of the certificate's DER encoding, rework ssl_stapling_init_cert

 to only store info once per certificate (allocated from the pconf

 to the extent possible) and extend the logging.

* modules/ssl/ssl_private.h: adjust prototype for

 ssl_stapling_init_cert, replace ssl_stapling_ex_init with

 ssl_stapling_certinfo_hash_init

* modules/ssl/ssl_engine_init.c: adjust ssl_stapling_* calls

Based on initial work by Alex Bligh <alex alex.org.uk>

Follow up to r1629372: ensure compatibily with OpenSSL < 1.0 (sk_OPENSSL_STRING_value).

Follow up to r1629372 and r1629485: ensure compatibily with OpenSSL < 1.0 (sk_OPENSSL_STRING_[num|value|pop] macros).

Submitted by: kbrand, ylavic, ylavic

Reviewed/backported by: jim

Show less