From do...@apache.org
Subject cvs commit: httpd-2.0/modules/ssl mod_ssl.c mod_ssl.h ssl_engine_kernel.c
Date Thu, 29 Nov 2001 07:07:37 GMT
dougm       01/11/28 23:07:36

  Modified:    modules/ssl mod_ssl.c mod_ssl.h ssl_engine_kernel.c
  Log:
  the client cert X509_NAME_oneline() is only used if SSLFakeBasicAuth
  is happening.  so avoid calling that unless needed and just stash a
  pointer to the client cert for the boolean checks that the client
  provided a cert.
  
  Revision  Changes    Path
  1.42      +3 -4      httpd-2.0/modules/ssl/mod_ssl.c
  
  Index: mod_ssl.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.c,v
  retrieving revision 1.41
  retrieving revision 1.42
  diff -u -r1.41 -r1.42
  --- mod_ssl.c	2001/11/28 05:50:55	1.41
  +++ mod_ssl.c	2001/11/29 07:07:36	1.42
  @@ -422,9 +422,8 @@
            * Remember the peer certificate's DN
            */
           if ((xs = SSL_get_peer_certificate(pRec->pssl)) != NULL) {
  -            char *cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0);
  -            sslconn->client_dn = apr_pstrdup(c->pool, cp);
  -            free(cp);
  +            sslconn->client_cert = xs;
  +            sslconn->client_dn = NULL;
           }
   
           /*
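Review bot: The X509 obtained at `if ((xs = SSL_get_peer_certificate(pRec->pssl)) != NULL)` carries an incremented reference count that the caller must release with X509_free(), and nothing in this hunk pairs the newly stashed `sslconn->client_cert = xs;` with such a release. If the rest of this function (outside the hunk) still frees `xs` as the old DN-only code may have, `client_cert` becomes a dangling pointer that the later lazy `X509_get_subject_name(sslconn->client_cert)` in ssl_engine_kernel.c dereferences; if nothing frees it, every connection presenting a client certificate leaks one reference for the life of the process. A small static wrapper around X509_free() registered with apr_pool_cleanup_register() on `c->pool` would tie the reference to the connection, and any assignment that overwrites a non-NULL `client_cert` should release the previous value first. The same ownership gap applies to the renegotiation hunk at ssl_engine_kernel.c @@ -804 and to the verify-callback hunk at @@ -1304, which drops the pointer with `sslconn->client_cert = sslconn->client_dn = NULL;` without releasing it. The enclosing function starts and ends outside the hunk.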
  @@ -432,7 +431,7 @@
            * is required we really got one... (be paranoid)
            */
           if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE
  -            && sslconn->client_dn == NULL) {
  +            && sslconn->client_cert == NULL) {
               ssl_log(c->base_server, SSL_LOG_ERROR,
                       "No acceptable peer certificate available");
               return ssl_abort(pRec, c);
  
  
  
  1.50      +1 -0      httpd-2.0/modules/ssl/mod_ssl.h
  
  Index: mod_ssl.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.h,v
  retrieving revision 1.49
  retrieving revision 1.50
  diff -u -r1.49 -r1.50
  --- mod_ssl.h	2001/11/29 06:34:53	1.49
  +++ mod_ssl.h	2001/11/29 07:07:36	1.50
  @@ -455,6 +455,7 @@
   typedef struct {
       SSL *ssl;
       const char *client_dn;
  +    X509 *client_cert;
       ssl_shutdown_type_e shutdown_type;
       const char *verify_info;
       const char *verify_error;
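Review bot: The new `X509 *client_cert;` member has no comment stating who owns the OpenSSL reference or how it relates to `client_dn`, which this commit turns into a lazily computed cache that stays NULL until the FakeBasicAuth path first needs it. Add above the new member `/* peer certificate from SSL_get_peer_certificate(); ref owned by this conn, released by <cleanup to be named> */` and above `client_dn` `/* lazily filled from client_cert by FakeBasicAuth; NULL does not mean "no cert" */`. Any other reader of `client_dn` in the module must now test `client_cert` to decide whether a certificate was presented.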
  
  
  
  1.36      +13 -5     httpd-2.0/modules/ssl/ssl_engine_kernel.c
  
  Index: ssl_engine_kernel.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
  retrieving revision 1.35
  retrieving revision 1.36
  diff -u -r1.35 -r1.36
  --- ssl_engine_kernel.c	2001/11/29 06:52:18	1.35
  +++ ssl_engine_kernel.c	2001/11/29 07:07:36	1.36
  @@ -804,9 +804,8 @@
            * Remember the peer certificate's DN
            */
           if ((cert = SSL_get_peer_certificate(ssl)) != NULL) {
  -            cp = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
  -            sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
  -            free(cp);
  +            sslconn->client_cert = cert;
  +            sslconn->client_dn = NULL;
           }
   
           /*
  @@ -948,9 +947,18 @@
           return DECLINED;
       if (r->user)
           return DECLINED;
  -    if ((clientdn = (char *)sslconn->client_dn) == NULL)
  +    if (sslconn->client_cert == NULL)
           return DECLINED;
   
  +    if (!sslconn->client_dn) {
  +        X509_NAME *name = X509_get_subject_name(sslconn->client_cert);
  +        char *cp = X509_NAME_oneline(name, NULL, 0);
  +        sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
  +        free(cp);
  +    }
  +
  +    clientdn = (char *)sslconn->client_dn;
  +
       /*
        * Fake a password - which one would be immaterial, as, it seems, an empty
        * password in the users file would match ALL incoming passwords, if only
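Review bot: The lazy DN computation added at `char *cp = X509_NAME_oneline(name, NULL, 0);` has no NULL check, and its result then flows into `clientdn` unconditionally, whereas the removed code returned DECLINED whenever `client_dn` was NULL. X509_NAME_oneline() returns NULL on allocation failure and apr_pstrdup() passes a NULL source through as NULL (as far as I recall), so `clientdn` can now reach the fake-basic-auth code below as a NULL pointer. A guard after `clientdn = (char *)sslconn->client_dn;`, `if (clientdn == NULL) return DECLINED;` (or a logged HTTP_INTERNAL_SERVER_ERROR, since this is a resource failure rather than a missing certificate), restores the old invariant. Separately, `free(cp)` is carried over from the removed lines but releases a buffer that OpenSSL allocated, so `OPENSSL_free(cp);` is the matching call if the library is built with a custom allocator. The enclosing function starts and ends outside the hunk.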
  @@ -1304,7 +1312,7 @@
       if (!ok) {
           ssl_log(s, SSL_LOG_ERROR, "Certificate Verification: Error (%d): %s",
                   errnum, X509_verify_cert_error_string(errnum));
  -        sslconn->client_dn = NULL;
  +        sslconn->client_cert = sslconn->client_dn = NULL;
           sslconn->verify_error = 
               X509_verify_cert_error_string(errnum);
       }
  
  
  
