authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-12-07 16:16:55 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2018-02-19 15:29:37 +0100
commit1e919486f4f191e372f451f6518f7b93dd19bf22 (patch)
treeb66e38317dfcf41d241f5159c711753881fc5a10 /lib/auth
parent92536334518011245095c352ec368da96dc421f7 (diff)
downloadgnutls-1e919486f4f191e372f451f6518f7b93dd19bf22.tar.gz
gnutls_certificate_set_ocsp_status_request_file: match input response to certificates
That is, iterate through the certificate chain to figure out which certificate the response corresponds to, and assign it to that certificate. That allows applications to re-use this function to set multiple responses when available. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/auth')
-rw-r--r--lib/auth/cert.c27
-rw-r--r--lib/auth/cert.h5
2 files changed, 23 insertions, 9 deletions
diff --git a/lib/auth/cert.c b/lib/auth/cert.c
index 9b9cd39c3c..89d0aa248e 100644
--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
@@ -491,7 +491,8 @@ _gnutls_select_client_cert(gnutls_session_t session,
cert_list[0],
cred->certs[indx].
cert_list_length,
- NULL, 0,
+ cred->certs[indx].ocsp_responses,
+ cred->certs[indx].ocsp_responses_length,
cred->certs[indx].pkey, 0,
NULL, 0);
} else {
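Review bot: The client path now hands `cred->certs[indx].ocsp_responses` to selected_certs_set unconditionally, so a chain with no loaded responses passes a non-NULL array pointer with length 0 where the old code passed `NULL, 0`; whether selected_certs_set treats those two shapes identically cannot be confirmed from this hunk. If it does not, mirror the old shape with `cred->certs[indx].ocsp_responses_length ? cred->certs[indx].ocsp_responses : NULL,`. Note also that this path ignores `ocsp_func`/`ocsp_func_ptr` entirely (the trailing `NULL, 0` is pre-existing), unlike the server path that branches on the callback, so a one-line comment stating that clients only staple statically loaded responses would spare the next reader the comparison. The enclosing function _gnutls_select_client_cert starts before this hunk.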
@@ -1426,13 +1427,23 @@ _gnutls_server_select_cert(gnutls_session_t session, const gnutls_cipher_suite_e
*/
finished:
if (idx >= 0) {
- selected_certs_set(session,
- &cred->certs[idx].cert_list[0],
- cred->certs[idx].cert_list_length,
- NULL, 0,
- cred->certs[idx].pkey, 0,
- cred->certs[idx].ocsp_func,
- cred->certs[idx].ocsp_func_ptr);
+ if (cred->certs[idx].ocsp_func) {
+ selected_certs_set(session,
+ &cred->certs[idx].cert_list[0],
+ cred->certs[idx].cert_list_length,
+ NULL, 0,
+ cred->certs[idx].pkey, 0,
+ cred->certs[idx].ocsp_func,
+ cred->certs[idx].ocsp_func_ptr);
+ } else {
+ selected_certs_set(session,
+ &cred->certs[idx].cert_list[0],
+ cred->certs[idx].cert_list_length,
+ &cred->certs[idx].ocsp_responses[0],
+ cred->certs[idx].ocsp_responses_length,
+ cred->certs[idx].pkey, 0,
+ NULL, NULL);
+ }
} else {
gnutls_assert();
/* Certificate does not support REQUESTED_ALGO. */
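Review bot: When both a callback and file-loaded responses are present, the `if (cred->certs[idx].ocsp_func)` branch silently drops the loaded responses, and nothing in the hunk records that precedence; the two branches are also a near-verbatim duplicate of a seven-argument call, which is where a later argument edit will go into one branch only. The `else` branch additionally passes `&cred->certs[idx].ocsp_responses[0]` even when `ocsp_responses_length` is 0, where the old code passed `NULL, 0`; I cannot see whether selected_certs_set cares. Collapsing to one call with the precedence made explicit keeps the old NULL shape for the no-response case; the only difference from the current code is that `ocsp_func_ptr` is forwarded as-is rather than replaced by NULL when no callback is set, which is presumably inert without a callback but worth a glance. The enclosing function _gnutls_server_select_cert starts before this hunk.
```c
finished:
	if (idx >= 0) {
		gnutls_datum_t *resp = NULL;
		unsigned resp_len = 0;

		/* A registered callback takes precedence; responses loaded with
		 * gnutls_certificate_set_ocsp_status_request_file() are only
		 * stapled when no callback is set. */
		if (cred->certs[idx].ocsp_func == NULL &&
		    cred->certs[idx].ocsp_responses_length > 0) {
			resp = cred->certs[idx].ocsp_responses;
			resp_len = cred->certs[idx].ocsp_responses_length;
		}

		selected_certs_set(session,
				   &cred->certs[idx].cert_list[0],
				   cred->certs[idx].cert_list_length,
				   resp, resp_len,
				   cred->certs[idx].pkey, 0,
				   cred->certs[idx].ocsp_func,
				   cred->certs[idx].ocsp_func_ptr);
	} else {
		/* … unchanged: gnutls_assert() and error path … */
```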
diff --git a/lib/auth/cert.h b/lib/auth/cert.h
index f890f48624..9a3ecb6434 100644
--- a/lib/auth/cert.h
+++ b/lib/auth/cert.h
@@ -30,6 +30,8 @@
#include <gnutls/compat.h>
#include <str_array.h>
+#define MAX_OCSP_RESPONSES 8
+
typedef struct {
gnutls_pcert_st *cert_list; /* a certificate chain */
unsigned int cert_list_length; /* its length */
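Review bot: `MAX_OCSP_RESPONSES` is introduced without a comment, yet it is the hard upper bound of the per-chain `ocsp_responses[]` array that the commit message says is filled by walking the certificate chain, so a chain longer than 8 cannot carry a response for every element and every setter must bound-check its index against it (the setter is not in this diff, so I cannot confirm it does). I would document the constraint at the definition: `/* Max OCSP responses stapled per certificate chain (one per chain element); setters must reject or stop at this bound. */`. A note on why 8 was chosen would also help whoever later needs a longer chain.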
@@ -37,7 +39,8 @@ typedef struct {
gnutls_status_request_ocsp_func ocsp_func;
void *ocsp_func_ptr; /* corresponding OCSP response function + ptr */
- char *ocsp_response_file; /* corresponding OCSP response file */
+ gnutls_datum_t ocsp_responses[MAX_OCSP_RESPONSES]; /* corresponding OCSP response file */
+ unsigned int ocsp_responses_length;
/* the private key corresponding to certificate */
gnutls_privkey_t pkey;
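Review bot: The comment kept on the new `ocsp_responses[]` line still reads `/* corresponding OCSP response file */`, but the field is now an array of parsed `gnutls_datum_t` responses, not a file name, and `ocsp_responses_length` has no comment at all. I would change them to `/* OCSP responses to staple, matched to cert_list[] entries */` and `/* number of valid entries in ocsp_responses[] */`. Replacing the old `char *ocsp_response_file` with owned datums also changes what the credential deinit path must free; that path is outside this diff, so it is worth a check that it releases each datum rather than a single string.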