authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-12-12 08:47:00 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2018-02-19 15:29:37 +0100
commit8e96ba96acc105dc7882626e688d2602cc934474 (patch)
treefaf9d6658f49b74a326668d965f7a05e0c01fcdc
parentddef51dde37bde22ae351b4cd36cc86e5ecc4049 (diff)
downloadgnutls-8e96ba96acc105dc7882626e688d2602cc934474.tar.gz
cert auth: use a single callback to call for OCSP
That is, when selecting the certificate to use, also point to the OCSP callback to use (whether it is the global one or a certificate-specific one). Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/auth/cert.c40
-rw-r--r--lib/ext/status_request.c3
-rw-r--r--lib/tls13/certificate.c12
3 files changed, 25 insertions, 30 deletions
diff --git a/lib/auth/cert.c b/lib/auth/cert.c
index 465bcf4888..54a15db2ad 100644
--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
@@ -394,7 +394,7 @@ call_get_cert_callback(gnutls_session_t session,
selected_certs_set(session, pcert, pcert_length,
ocsp, ocsp_length,
local_key, flags&GNUTLS_CERT_RETR_DEINIT_ALL?1:0,
- NULL, NULL);
+ cred->glob_ocsp_func, cred->glob_ocsp_func_ptr);
return 0;
} else {
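Review bot: The `selected_certs_set` call now attaches `cred->glob_ocsp_func` to certificates handed back by the application's certificate callback, so the global OCSP callback will presumably be invoked for those certificates as well, alongside any `ocsp` data the callback itself returned. A one-line comment above the call would spare the next reader a search for a per-certificate alternative: `/* callback-supplied certificates have no per-certificate OCSP callback; the global one is the only candidate */`. call_get_cert_callback begins before this hunk and continues after it.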
@@ -1427,23 +1427,29 @@ _gnutls_server_select_cert(gnutls_session_t session, const gnutls_cipher_suite_e
*/
finished:
if (idx >= 0) {
- if (cred->certs[idx].ocsp_func) {
- selected_certs_set(session,
- &cred->certs[idx].cert_list[0],
- cred->certs[idx].cert_list_length,
- NULL, 0,
- cred->certs[idx].pkey, 0,
- cred->certs[idx].ocsp_func,
- cred->certs[idx].ocsp_func_ptr);
- } else {
- selected_certs_set(session,
- &cred->certs[idx].cert_list[0],
- cred->certs[idx].cert_list_length,
- &cred->certs[idx].ocsp_data[0],
- cred->certs[idx].ocsp_data_length,
- cred->certs[idx].pkey, 0,
- NULL, NULL);
+ gnutls_status_request_ocsp_func ocsp_func = NULL;
+ void *ocsp_ptr = NULL;
+ gnutls_ocsp_data_st *ocsp = NULL;
+ unsigned nocsp = 0;
+
+ if (cred->certs[idx].ocsp_data_length > 0) {
+ ocsp = &cred->certs[idx].ocsp_data[0];
+ nocsp = cred->certs[idx].ocsp_data_length;
+ } else if (cred->glob_ocsp_func != NULL) {
+ ocsp_func = cred->glob_ocsp_func;
+ ocsp_ptr = cred->glob_ocsp_func_ptr;
+ } else if (cred->certs[idx].ocsp_func != NULL) {
+ ocsp_func = cred->certs[idx].ocsp_func;
+ ocsp_ptr = cred->certs[idx].ocsp_func_ptr;
}
+
+ selected_certs_set(session,
+ &cred->certs[idx].cert_list[0],
+ cred->certs[idx].cert_list_length,
+ ocsp, nocsp,
+ cred->certs[idx].pkey, 0,
+ ocsp_func,
+ ocsp_ptr);
} else {
gnutls_assert();
/* Certificate does not support REQUESTED_ALGO. */
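Review bot: The new priority chain checks `cred->glob_ocsp_func != NULL` before `cred->certs[idx].ocsp_func != NULL`, whereas the removed code here and the deleted fallback in lib/ext/status_request.c gave the certificate-specific callback precedence over the global one, so an application that registers both now has its per-certificate callback silently shadowed. Static `ocsp_data` also now wins over both callbacks, where before it lost to a per-certificate `ocsp_func`; if that is deliberate, the chosen precedence belongs in a comment above the chain and in the commit message. Unless the inversion is intended, the specific-before-global order should be restored as below. `_gnutls_server_select_cert` begins well before this hunk.
```c
		if (cred->certs[idx].ocsp_data_length > 0) {
			ocsp = &cred->certs[idx].ocsp_data[0];
			nocsp = cred->certs[idx].ocsp_data_length;
		} else if (cred->certs[idx].ocsp_func != NULL) {
			/* a certificate-specific callback outranks the global one */
			ocsp_func = cred->certs[idx].ocsp_func;
			ocsp_ptr = cred->certs[idx].ocsp_func_ptr;
		} else if (cred->glob_ocsp_func != NULL) {
			ocsp_func = cred->glob_ocsp_func;
			ocsp_ptr = cred->glob_ocsp_func_ptr;
		}
		/* … unchanged: selected_certs_set() call … */
```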
diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c
index a16a092e22..550b4307d3 100644
--- a/lib/ext/status_request.c
+++ b/lib/ext/status_request.c
@@ -192,9 +192,6 @@ server_send(gnutls_session_t session,
} else if (session->internals.selected_ocsp_func) {
func = session->internals.selected_ocsp_func;
func_ptr = session->internals.selected_ocsp_func_ptr;
- } else if (cred->glob_ocsp_func) {
- func = cred->glob_ocsp_func;
- func_ptr = cred->glob_ocsp_func_ptr;
} else {
return 0;
}
diff --git a/lib/tls13/certificate.c b/lib/tls13/certificate.c
index b8451220e9..1d688de0b2 100644
--- a/lib/tls13/certificate.c
+++ b/lib/tls13/certificate.c
@@ -123,7 +123,7 @@ int append_status_request(void *_ctx, gnutls_buffer_st *buf)
gnutls_datum_t resp;
unsigned free_resp = 0;
- assert(session->internals.selected_ocsp_func != NULL || ctx->cred->glob_ocsp_func != NULL ||
+ assert(session->internals.selected_ocsp_func != NULL ||
session->internals.selected_ocsp_length != 0);
/* The global ocsp callback function can only be used to return
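Review bot: The comment beginning `/* The global ocsp callback function can only be used to return` now describes a branch that this commit deletes in the hunk at `@@ -152,13 +152,6 @@`, since `ctx->cred->glob_ocsp_func` is no longer consulted in append_status_request; it should be reworded to say that the global callback, when chosen, reaches this function as `session->internals.selected_ocsp_func` via `_gnutls_server_select_cert`. Whether the removed `ctx->cert_index == 0` restriction (the global callback answering only for the first certificate in the list) is still applied in the `selected_ocsp_func` branch is not visible in this hunk and is worth confirming, because otherwise a callback the comment says is only valid for the first certificate could be asked for responses for the rest of the chain. append_status_request continues outside this hunk.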
@@ -152,13 +152,6 @@ int append_status_request(void *_ctx, gnutls_buffer_st *buf)
} else {
return 0;
}
- } else if (ctx->cred->glob_ocsp_func) {
- if (ctx->cert_index == 0) {
- ret = ctx->cred->glob_ocsp_func(session, ctx->cred->glob_ocsp_func_ptr, &resp);
- free_resp = 1;
- } else {
- return 0;
- }
} else
return 0;
@@ -261,8 +254,7 @@ int _gnutls13_send_certificate(gnutls_session_t session, unsigned again)
#ifdef ENABLE_OCSP
if ((session->internals.selected_ocsp_length > 0 ||
- session->internals.selected_ocsp_func ||
- cred->glob_ocsp_func) &&
+ session->internals.selected_ocsp_func) &&
_gnutls_hello_ext_is_present(session, GNUTLS_EXTENSION_STATUS_REQUEST)) {
/* append status response if available */
ret = _gnutls_extv_append_init(&buf);