MINOR: ssl: Limit ocsp_uri buffer size to minimum

The ocsp_uri field of the certificate_ocsp structure was a 16k buffer
when it could be hand allocated to just the required size to store the
OCSP uri. This field is now behaving the same way as the sctl and
ocsp_response buffers of the ckch_store structure.

diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 4b1b65961f593395df5774461a9507b2c8c17410..73679cbd4786e9519d5ec3cae917f73e7394e27f 100644 (file)
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -373,8 +373,10 @@ void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp)
                sk_X509_pop_free(ocsp->chain, X509_free);
                ocsp->chain = NULL;
                chunk_destroy(&ocsp->response);
-               free_trash_chunk(ocsp->uri);
-               ocsp->uri = NULL;
+               if (ocsp->uri) {
+                       ha_free(&ocsp->uri->area);
+                       ha_free(&ocsp->uri);
+               }
 
                free(ocsp);
        }

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 18d006feb57e247b79e7ffa129d9b3a69f306f08..5bdab8cccb5f22ea483e3d89d9333f3b714cf3a1 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1255,11 +1255,11 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X50
                        if (data->chain)
                                iocsp->chain = X509_chain_up_ref(data->chain);
 
-                       iocsp->uri = alloc_trash_chunk();
-                       if (!iocsp->uri)
-                               goto out;
-                       if (!chunk_cpy(iocsp->uri, ocsp_uri))
+                       iocsp->uri = calloc(1, sizeof(*iocsp->uri));
+                       if (!chunk_dup(iocsp->uri, ocsp_uri)) {
+                               ha_free(&iocsp->uri);
                                goto out;
+                       }
 
                        ssl_ocsp_update_insert(iocsp);
                }