httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bri...@apache.org
Subject svn commit: r306538 - in /httpd/httpd/branches/async-dev/modules: metadata/ ssl/
Date Thu, 06 Oct 2005 06:11:50 GMT
Author: brianp
Date: Wed Oct  5 23:11:43 2005
New Revision: 306538

URL: http://svn.apache.org/viewcvs?rev=306538&view=rev
Log:
forward-port the latest versions of mod_ssl and mod_setenvif from the 2.3 trunk to the async-dev
branch so t/TEST will work once again

Modified:
    httpd/httpd/branches/async-dev/modules/metadata/mod_mime_magic.c
    httpd/httpd/branches/async-dev/modules/metadata/mod_setenvif.c
    httpd/httpd/branches/async-dev/modules/ssl/mod_ssl.c
    httpd/httpd/branches/async-dev/modules/ssl/mod_ssl.h
    httpd/httpd/branches/async-dev/modules/ssl/ssl_engine_io.c
    httpd/httpd/branches/async-dev/modules/ssl/ssl_engine_kernel.c
    httpd/httpd/branches/async-dev/modules/ssl/ssl_engine_vars.c
    httpd/httpd/branches/async-dev/modules/ssl/ssl_expr.h
    httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_eval.c
    httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_parse.c
    httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_parse.h
    httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_parse.y
    httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_scan.c
    httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_scan.l
    httpd/httpd/branches/async-dev/modules/ssl/ssl_private.h
    httpd/httpd/branches/async-dev/modules/ssl/ssl_util.c

Modified: httpd/httpd/branches/async-dev/modules/metadata/mod_mime_magic.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/async-dev/modules/metadata/mod_mime_magic.c?rev=306538&r1=306537&r2=306538&view=diff
==============================================================================
--- httpd/httpd/branches/async-dev/modules/metadata/mod_mime_magic.c (original)
+++ httpd/httpd/branches/async-dev/modules/metadata/mod_mime_magic.c Wed Oct  5 23:11:43 2005
@@ -947,15 +947,15 @@
     /* parse it */
     for (lineno = 1; apr_file_gets(line, BUFSIZ, f) == APR_SUCCESS; lineno++) {
 	int ws_offset;
-        char *last = line + strlen(line) - 1; /* guaranteed that len >= 1 */
+        char *last = line + strlen(line) - 1; /* guaranteed that len >= 1 since an
+                                               * "empty" line contains a '\n'
+                                               */
 
-	/* delete newline and potential carriage return */
-        if (*last == '\n') {
+	/* delete newline and any other trailing whitespace */
+        while (last >= line
+               && apr_isspace(*last)) {
             *last = '\0';
             --last;
-        }
-        if (*last == '\r') {
-            *last = '\0';
         }
         
 	/* skip leading whitespace */

Modified: httpd/httpd/branches/async-dev/modules/metadata/mod_setenvif.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/async-dev/modules/metadata/mod_setenvif.c?rev=306538&r1=306537&r2=306538&view=diff
==============================================================================
--- httpd/httpd/branches/async-dev/modules/metadata/mod_setenvif.c (original)
+++ httpd/httpd/branches/async-dev/modules/metadata/mod_setenvif.c Wed Oct  5 23:11:43 2005
@@ -123,7 +123,7 @@
 
 module AP_MODULE_DECLARE_DATA setenvif_module;
 
-static APR_OPTIONAL_FN_TYPE(ssl_extlist_by_oid) *ssl_extlist_by_oid_func = NULL;
+static APR_OPTIONAL_FN_TYPE(ssl_ext_list) *ssl_ext_list_func = NULL;
 
 /*
  * These routines, the create- and merge-config functions, are called
@@ -531,7 +531,7 @@
                 break;
             case SPECIAL_OID_VALUE:
                 /* If mod_ssl is not loaded, the accessor function is NULL */
-                if (ssl_extlist_by_oid_func != NULL)
+                if (ssl_ext_list_func != NULL)
                 {
                     apr_array_header_t *oid_array;
                     char **oid_value;
@@ -539,7 +539,8 @@
                     char *retval = NULL;
 
                     /* The given oid can occur multiple times. Concatenate the values */
-                    if ((oid_array = ssl_extlist_by_oid_func(r, b->name)) != NULL) {
+                    if ((oid_array = ssl_ext_list_func(r->pool, r->connection, 1,
+                                                       b->name)) != NULL) {
                         oid_value = (char **) oid_array->elts;
                         /* pass 1: determine the size of the string */
                         for (len=j=0; j < oid_array->nelts; j++) {
@@ -630,7 +631,7 @@
 static int setenvif_post_config(apr_pool_t *pconf, apr_pool_t *plog,
                                 apr_pool_t *ptemp, server_rec *s)
 {
-    ssl_extlist_by_oid_func = APR_RETRIEVE_OPTIONAL_FN(ssl_extlist_by_oid);
+    ssl_ext_list_func = APR_RETRIEVE_OPTIONAL_FN(ssl_ext_list);
     return OK;
 }
 

Modified: httpd/httpd/branches/async-dev/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/async-dev/modules/ssl/mod_ssl.c?rev=306538&r1=306537&r2=306538&view=diff
==============================================================================
--- httpd/httpd/branches/async-dev/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/branches/async-dev/modules/ssl/mod_ssl.c Wed Oct  5 23:11:43 2005
@@ -504,8 +504,6 @@
 
     APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
     APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
-
-    APR_REGISTER_OPTIONAL_FN(ssl_extlist_by_oid);
 }
 
 module AP_MODULE_DECLARE_DATA ssl_module = {

Modified: httpd/httpd/branches/async-dev/modules/ssl/mod_ssl.h
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/async-dev/modules/ssl/mod_ssl.h?rev=306538&r1=306537&r2=306538&view=diff
==============================================================================
--- httpd/httpd/branches/async-dev/modules/ssl/mod_ssl.h (original)
+++ httpd/httpd/branches/async-dev/modules/ssl/mod_ssl.h Wed Oct  5 23:11:43 2005
@@ -36,15 +36,20 @@
                          conn_rec *, request_rec *,
                          char *));
 
-/** The ssl_ext_lookup() optional function retrieves the value of a SSL
- * certificate X.509 extension.  The client certificate is used if
- * peer is non-zero; the server certificate is used otherwise.  The
- * oidnum parameter specifies the numeric OID (e.g. "1.2.3.4") of the
- * desired extension.  The string value of the extension is returned,
- * or NULL on error. */
-APR_DECLARE_OPTIONAL_FN(const char *, ssl_ext_lookup,
+/** The ssl_ext_list() optional function attempts to build an array
+ * of all the values contained in the named X.509 extension. The 
+ * returned array will be created in the supplied pool.
+ * The client certificate is used if peer is non-zero; the server 
+ * certificate is used otherwise.
+ * Extension specifies the extensions to use as a string. This can be
+ * one of the "known" long or short names, or a numeric OID,
+ * e.g. "1.2.3.4", 'nsComment' and 'DN' are all valid.
+ * A pointer to an apr_array_header_t structure is returned if at
+ * least one matching extension is found, NULL otherwise.
+ */
+APR_DECLARE_OPTIONAL_FN(apr_array_header_t *, ssl_ext_list,
                         (apr_pool_t *p, conn_rec *c, int peer,
-                         const char *oidnum));
+                         const char *extension));
 
 /** An optional function which returns non-zero if the given connection
  * is using SSL/TLS. */
@@ -57,8 +62,6 @@
 APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
 
 APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
-
-APR_DECLARE_OPTIONAL_FN(apr_array_header_t *, ssl_extlist_by_oid, (request_rec *r, const
char *oidstr));
 
 #endif /* __MOD_SSL_H__ */
 /** @} */

Modified: httpd/httpd/branches/async-dev/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/async-dev/modules/ssl/ssl_engine_io.c?rev=306538&r1=306537&r2=306538&view=diff
==============================================================================
--- httpd/httpd/branches/async-dev/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/branches/async-dev/modules/ssl/ssl_engine_io.c Wed Oct  5 23:11:43 2005
@@ -882,6 +882,7 @@
 }
 
 static const char ssl_io_filter[] = "SSL/TLS Filter";
+static const char ssl_io_buffer[] = "SSL/TLS Buffer";
 
 /*
  *  Close the SSL part of the socket connection
@@ -1446,6 +1447,187 @@
     return status;
 }
 
+/* 128K maximum buffer size by default. */
+#ifndef SSL_MAX_IO_BUFFER
+#define SSL_MAX_IO_BUFFER (128 * 1024)
+#endif
+
+struct modssl_buffer_ctx {
+    apr_bucket_brigade *bb;
+    apr_pool_t *pool;
+};
+
+int ssl_io_buffer_fill(request_rec *r)
+{
+    conn_rec *c = r->connection;
+    struct modssl_buffer_ctx *ctx;
+    apr_bucket_brigade *tempb;
+    apr_off_t total = 0; /* total length buffered */
+    int eos = 0; /* non-zero once EOS is seen */
+    
+    /* Create the context which will be passed to the input filter;
+     * containing a setaside pool and a brigade which constrain the
+     * lifetime of the buffered data. */
+    ctx = apr_palloc(r->pool, sizeof *ctx);
+    apr_pool_create(&ctx->pool, r->pool);
+    ctx->bb = apr_brigade_create(ctx->pool, c->bucket_alloc);
+
+    /* ... and a temporary brigade. */
+    tempb = apr_brigade_create(r->pool, c->bucket_alloc);
+
+    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "filling buffer");
+
+    do {
+        apr_status_t rv;
+        apr_bucket *e, *next;
+
+        /* The request body is read from the protocol-level input
+         * filters; the buffering filter will reinject it from that
+         * level, allowing content/resource filters to run later, if
+         * necessary. */
+
+        rv = ap_get_brigade(r->proto_input_filters, tempb, AP_MODE_READBYTES,
+                            APR_BLOCK_READ, 8192);
+        if (rv) {
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
+                          "could not read request body for SSL buffer");
+            return HTTP_INTERNAL_SERVER_ERROR;
+        }
+        
+        /* Iterate through the returned brigade: setaside each bucket
+         * into the context's pool and move it into the brigade. */
+        for (e = APR_BRIGADE_FIRST(tempb); 
+             e != APR_BRIGADE_SENTINEL(tempb) && !eos; e = next) {
+            const char *data;
+            apr_size_t len;
+
+            next = APR_BUCKET_NEXT(e);
+
+            if (APR_BUCKET_IS_EOS(e)) {
+                eos = 1;
+            } else if (!APR_BUCKET_IS_METADATA(e)) {
+                rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
+                if (rv != APR_SUCCESS) {
+                    ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
+                                  "could not read bucket for SSL buffer");
+                    return HTTP_INTERNAL_SERVER_ERROR;
+                }
+                total += len;
+            }
+                
+            rv = apr_bucket_setaside(e, ctx->pool);
+            if (rv != APR_SUCCESS) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
+                              "could not setaside bucket for SSL buffer");
+                return HTTP_INTERNAL_SERVER_ERROR;
+            }
+            
+            APR_BUCKET_REMOVE(e);
+            APR_BRIGADE_INSERT_TAIL(ctx->bb, e);
+        }
+
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, 
+                      "total of %" APR_OFF_T_FMT " bytes in buffer, eos=%d",
+                      total, eos);
+
+        /* Fail if this exceeds the maximum buffer size. */
+        if (total > SSL_MAX_IO_BUFFER) {
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                          "request body exceeds maximum size for SSL buffer");
+            return HTTP_REQUEST_ENTITY_TOO_LARGE;
+        }
+
+    } while (!eos);
+
+    apr_brigade_destroy(tempb);
+
+    /* Insert the filter which will supply the buffered data. */
+    ap_add_input_filter(ssl_io_buffer, ctx, r, c);
+
+    return 0;
+}
+
+/* This input filter supplies the buffered request body to the caller
+ * from the brigade stored in f->ctx. */
+static apr_status_t ssl_io_filter_buffer(ap_filter_t *f,
+                                         apr_bucket_brigade *bb,
+                                         ap_input_mode_t mode,
+                                         apr_read_type_e block,
+                                         apr_off_t bytes)
+{
+    struct modssl_buffer_ctx *ctx = f->ctx;
+    apr_status_t rv;
+
+    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, f->c,
+                  "read from buffered SSL brigade, mode %d, "
+                  "%" APR_OFF_T_FMT " bytes",
+                  mode, bytes);
+
+    if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE) {
+        return APR_ENOTIMPL;
+    }
+
+    if (mode == AP_MODE_READBYTES) {
+        apr_bucket *e;
+
+        /* Partition the buffered brigade. */
+        rv = apr_brigade_partition(ctx->bb, bytes, &e);
+        if (rv && rv != APR_INCOMPLETE) {
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, f->c,
+                          "could not partition buffered SSL brigade");
+            ap_remove_input_filter(f);
+            return rv;
+        }
+
+        /* If the buffered brigade contains less then the requested
+         * length, just pass it all back. */
+        if (rv == APR_INCOMPLETE) {
+            APR_BRIGADE_CONCAT(bb, ctx->bb);
+        } else {
+            apr_bucket *d = APR_BRIGADE_FIRST(ctx->bb);
+
+            e = APR_BUCKET_PREV(e);
+            
+            /* Unsplice the partitioned segment and move it into the
+             * passed-in brigade; no convenient way to do this with
+             * the APR_BRIGADE_* macros. */
+            APR_RING_UNSPLICE(d, e, link);
+            APR_RING_SPLICE_HEAD(&bb->list, d, e, apr_bucket, link);
+
+            APR_BRIGADE_CHECK_CONSISTENCY(bb);
+            APR_BRIGADE_CHECK_CONSISTENCY(ctx->bb);
+        }
+    }
+    else {
+        /* Split a line into the passed-in brigade. */
+        rv = apr_brigade_split_line(bb, ctx->bb, mode, bytes);
+
+        if (rv) {
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, f->c,
+                          "could not split line from buffered SSL brigade");
+            ap_remove_input_filter(f);
+            return rv;
+        }
+    }
+
+    if (APR_BRIGADE_EMPTY(ctx->bb)) {
+        apr_bucket *e = APR_BRIGADE_LAST(bb);
+        
+        /* Ensure that the brigade is terminated by an EOS if the
+         * buffered request body has been entirely consumed. */
+        if (e == APR_BRIGADE_SENTINEL(bb) || !APR_BUCKET_IS_EOS(e)) {
+            e = apr_bucket_eos_create(f->c->bucket_alloc);
+            APR_BRIGADE_INSERT_TAIL(bb, e);
+        }
+
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, f->c,
+                      "buffered SSL brigade now exhausted; removing filter");
+        ap_remove_input_filter(f);
+    }
+
+    return APR_SUCCESS;
+}
+
 static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
                                     SSL *ssl)
 {
@@ -1508,6 +1690,9 @@
 
     ap_register_input_filter  (ssl_io_filter, ssl_io_filter_input,  NULL, AP_FTYPE_CONNECTION
+ 5);
     ap_register_output_filter (ssl_io_filter, ssl_io_filter_output, NULL, AP_FTYPE_CONNECTION
+ 5);
+    
+    ap_register_input_filter  (ssl_io_buffer, ssl_io_filter_buffer, NULL, AP_FTYPE_PROTOCOL
- 1);
+
     return;
 }
 

Modified: httpd/httpd/branches/async-dev/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/async-dev/modules/ssl/ssl_engine_kernel.c?rev=306538&r1=306537&r2=306538&view=diff
==============================================================================
--- httpd/httpd/branches/async-dev/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/async-dev/modules/ssl/ssl_engine_kernel.c Wed Oct  5 23:11:43 2005
@@ -490,73 +490,35 @@
     }
 #endif /* HAVE_SSL_SET_CERT_STORE */
 
-    /* 
-     * SSL renegotiations in conjunction with HTTP
-     * requests using the POST method are not supported.
-     *
-     * Background:
-     *
-     * 1. When the client sends a HTTP/HTTPS request, Apache's core code
-     * reads only the request line ("METHOD /path HTTP/x.y") and the
-     * attached MIME headers ("Foo: bar") up to the terminating line ("CR
-     * LF"). An attached request body (for instance the data of a POST
-     * method) is _NOT_ read. Instead it is read by mod_cgi's content
-     * handler and directly passed to the CGI script.
-     *
-     * 2. mod_ssl supports per-directory re-configuration of SSL parameters.
-     * This is implemented by performing an SSL renegotiation of the
-     * re-configured parameters after the request is read, but before the
-     * response is sent. In more detail: the renegotiation happens after the
-     * request line and MIME headers were read, but _before_ the attached
-     * request body is read. The reason simply is that in the HTTP protocol
-     * usually there is no acknowledgment step between the headers and the
-     * body (there is the 100-continue feature and the chunking facility
-     * only), so Apache has no API hook for this step.
-     *
-     * 3. the problem now occurs when the client sends a POST request for
-     * URL /foo via HTTPS the server and the server has SSL parameters
-     * re-configured on a per-URL basis for /foo. Then mod_ssl has to
-     * perform an SSL renegotiation after the request was read and before
-     * the response is sent. But the problem is the pending POST body data
-     * in the receive buffer of SSL (which Apache still has not read - it's
-     * pending until mod_cgi sucks it in). When mod_ssl now tries to perform
-     * the renegotiation the pending data leads to an I/O error.
-     *
-     * Solution Idea:
-     *
-     * There are only two solutions: Either to simply state that POST
-     * requests to URLs with SSL re-configurations are not allowed, or to
-     * renegotiate really after the _complete_ request (i.e. including
-     * the POST body) was read. Obviously the latter would be preferred,
-     * but it cannot be done easily inside Apache, because as already
-     * mentioned, there is no API step between the body reading and the body
-     * processing. And even when we mod_ssl would hook directly into the
-     * loop of mod_cgi, we wouldn't solve the problem for other handlers, of
-     * course. So the only general solution is to suck in the pending data
-     * of the request body from the OpenSSL BIO into the Apache BUFF. Then
-     * the renegotiation can be done and after this step Apache can proceed
-     * processing the request as before.
-     *
-     * Solution Implementation:
-     *
-     * We cannot simply suck in the data via an SSL_read-based loop because of
-     * HTTP chunking. Instead we _have_ to use the Apache API for this step which
-     * is aware of HTTP chunking. So the trick is to suck in the pending request
-     * data via the Apache API (which uses Apache's BUFF code and in the
-     * background mod_ssl's I/O glue code) and re-inject it later into the Apache
-     * BUFF code again. This way the data flows twice through the Apache BUFF, of
-     * course. But this way the solution doesn't depend on any Apache specifics
-     * and is fully transparent to Apache modules.
-     *
-     * !! BUT ALL THIS IS STILL NOT RE-IMPLEMENTED FOR APACHE 2.0 !!
+    /* If a renegotiation is now required for this location, and the
+     * request includes a message body (and the client has not
+     * requested a "100 Continue" response), then the client will be
+     * streaming the request body over the wire already.  In that
+     * case, it is not possible to stop and perform a new SSL
+     * handshake immediately; once the SSL library moves to the
+     * "accept" state, it will reject the SSL packets which the client
+     * is sending for the request body.
+     * 
+     * To allow authentication to complete in this auth hook, the
+     * solution used here is to fill a (bounded) buffer with the
+     * request body, and then to reinject that request body later.
      */
-    if (renegotiate && !renegotiate_quick && (r->method_number == M_POST))
{
-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
-                     "SSL Re-negotiation in conjunction "
-                     "with POST method not supported! "
-                     "hint: try SSLOptions +OptRenegotiate");
-
-        return HTTP_METHOD_NOT_ALLOWED;
+    if (renegotiate && !renegotiate_quick
+        && (apr_table_get(r->headers_in, "transfer-encoding")
+            || (apr_table_get(r->headers_in, "content-length")
+                && strcmp(apr_table_get(r->headers_in, "content-length"), "0")))
+        && !r->expecting_100) {
+        int rv;
+
+        /* Fill the I/O buffer with the request body if possible. */
+        rv = ssl_io_buffer_fill(r);
+
+        if (rv) {
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                          "could not buffer message body to allow "
+                          "SSL renegotiation to proceed");
+            return rv;
+        }
     }
 
     /*
@@ -753,6 +715,9 @@
                                    r, (char *)dc->szUserName);
         if (val && val[0])
             r->user = val;
+        else
+            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+                          "Failed to set r->user to '%s'", dc->szUserName);
     } 
 
     /*

Modified: httpd/httpd/branches/async-dev/modules/ssl/ssl_engine_vars.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/async-dev/modules/ssl/ssl_engine_vars.c?rev=306538&r1=306537&r2=306538&view=diff
==============================================================================
--- httpd/httpd/branches/async-dev/modules/ssl/ssl_engine_vars.c (original)
+++ httpd/httpd/branches/async-dev/modules/ssl/ssl_engine_vars.c Wed Oct  5 23:11:43 2005
@@ -62,7 +62,7 @@
 {
     APR_REGISTER_OPTIONAL_FN(ssl_is_https);
     APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
-    APR_REGISTER_OPTIONAL_FN(ssl_ext_lookup);
+    APR_REGISTER_OPTIONAL_FN(ssl_ext_list);
     return;
 }
 
@@ -431,8 +431,9 @@
                 n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
 
                 if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid && idx-- == 0) {
-                    result = apr_pstrmemdup(p, 
-                                            X509_NAME_ENTRY_get_data_ptr(xsne),
+                    unsigned char *data = X509_NAME_ENTRY_get_data_ptr(xsne);
+                    /* cast needed from unsigned char to char */
+                    result = apr_pstrmemdup(p, (char *)data,
                                             X509_NAME_ENTRY_get_data_len(xsne));
 #if APR_CHARSET_EBCDIC
                     ap_xlate_proto_from_ascii(result, X509_NAME_ENTRY_get_data_len(xsne));
@@ -660,23 +661,30 @@
     return result;
 }
 
-const char *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer,
-                           const char *oidnum)
+apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer,
+                                 const char *extension)
 {
     SSLConnRec *sslconn = myConnConfig(c);
-    SSL *ssl;
+    SSL *ssl = NULL;
+    apr_array_header_t *array = NULL;
     X509 *xs = NULL;
-    ASN1_OBJECT *oid;
+    ASN1_OBJECT *oid = NULL;
     int count = 0, j;
-    char *result = NULL;
-    
-    if (!sslconn || !sslconn->ssl) {
+
+    if (!sslconn || !sslconn->ssl || !extension) {
         return NULL;
     }
     ssl = sslconn->ssl;
 
-    oid = OBJ_txt2obj(oidnum, 1);
+    /* We accept the "extension" string to be converted as 
+     * a long name (nsComment), short name (DN) or 
+     * numeric OID (1.2.3.4).
+     */
+    oid = OBJ_txt2obj(extension, 0);
     if (!oid) {
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, 
+                      "Failed to create an object for extension '%s'",
+                      extension);
         ERR_clear_error();
         return NULL;
     }
@@ -685,34 +693,50 @@
     if (xs == NULL) {
         return NULL;
     }
-    
-    count = X509_get_ext_count(xs);
 
+    count = X509_get_ext_count(xs);
+    /* Create an array large enough to accomodate every extension. This is
+     * likely overkill, but safe.
+     */
+    array = apr_array_make(p, count, sizeof(char *));
     for (j = 0; j < count; j++) {
         X509_EXTENSION *ext = X509_get_ext(xs, j);
 
         if (OBJ_cmp(ext->object, oid) == 0) {
             BIO *bio = BIO_new(BIO_s_mem());
 
-            if (X509V3_EXT_print(bio, ext, 0, 0) == 1) {
+            /* We want to obtain a string representation of the extensions
+             * value and add it to the array we're building.
+             * X509V3_EXT_print() doesn't know about all the possible 
+             * data types, but the value is stored as an ASN1_OCTET_STRING
+             * allowing us a fallback in case of X509V3_EXT_print 
+             * not knowing how to handle the data.
+             */
+            if (X509V3_EXT_print(bio, ext, 0, 0) == 1 ||
+                ASN1_STRING_print(bio, ext->value) == 1) {
                 BUF_MEM *buf;
-
+                char **ptr = apr_array_push(array);
                 BIO_get_mem_ptr(bio, &buf);
-                result = apr_pstrmemdup(p, buf->data, buf->length);
+                *ptr = apr_pstrmemdup(p, buf->data, buf->length);
+            } else {
+                ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
+                              "Found an extension '%s', but failed to "
+                              "create a string from it", extension); 
             }
-
             BIO_vfree(bio);
-            break;
         }
     }
 
+    if (array->nelts == 0)
+        array = NULL;
+
     if (peer) {
         /* only SSL_get_peer_certificate raises the refcount */
         X509_free(xs);
     }
 
     ERR_clear_error();
-    return result;
+    return array;
 }
 
 static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)

Modified: httpd/httpd/branches/async-dev/modules/ssl/ssl_expr.h
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/async-dev/modules/ssl/ssl_expr.h?rev=306538&r1=306537&r2=306538&view=diff
==============================================================================
--- httpd/httpd/branches/async-dev/modules/ssl/ssl_expr.h (original)
+++ httpd/httpd/branches/async-dev/modules/ssl/ssl_expr.h Wed Oct  5 23:11:43 2005
@@ -68,7 +68,7 @@
 #endif
 
 typedef enum {
-    op_NOP, op_ListElement, op_OidListElement,
+    op_NOP, op_ListElement, op_PeerExtElement,
     op_True, op_False, op_Not, op_Or, op_And, op_Comp,
     op_EQ, op_NE, op_LT, op_LE, op_GT, op_GE, op_IN, op_REG, op_NRE,
     op_Digit, op_String, op_Regex, op_Var, op_Func

Modified: httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_eval.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_eval.c?rev=306538&r1=306537&r2=306538&view=diff
==============================================================================
--- httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_eval.c (original)
+++ httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_eval.c Wed Oct  5 23:11:43 2005
@@ -118,7 +118,7 @@
                 e3 = (ssl_expr *)e2->node_arg1;
                 e2 = (ssl_expr *)e2->node_arg2;
 
-                if (op == op_OidListElement) {
+                if (op == op_PeerExtElement) {
                     char *w3 = ssl_expr_eval_word(r, e3);
 
                     found = ssl_expr_eval_oid(r, w1, w3);
@@ -198,63 +198,6 @@
     }
 }
 
-#define NUM_OID_ELTS 8 /* start with 8 oid slots, resize when needed */
-
-apr_array_header_t *ssl_extlist_by_oid(request_rec *r, const char *oidstr)
-{
-    int count = 0, j;
-    X509 *xs = NULL;
-    ASN1_OBJECT *oid;
-    apr_array_header_t *val_array;
-    SSLConnRec *sslconn = myConnConfig(r->connection);
-
-    /* trivia */
-    if (oidstr == NULL || sslconn == NULL || sslconn->ssl == NULL)
-        return NULL;
-
-    /* Determine the oid we are looking for */
-    if ((oid = OBJ_txt2obj(oidstr, 1)) == NULL) {
-        ERR_clear_error();
-        return NULL;
-    }
-
-    /* are there any extensions in the cert? */
-    if ((xs = SSL_get_peer_certificate(sslconn->ssl)) == NULL ||
-        (count = X509_get_ext_count(xs)) == 0) {
-        return NULL;
-    }
-
-    val_array = apr_array_make(r->pool, NUM_OID_ELTS, sizeof(char *));
-
-    /* Loop over all extensions, extract the desired oids */
-    for (j = 0; j < count; j++) {
-        X509_EXTENSION *ext = X509_get_ext(xs, j);
-
-        if (OBJ_cmp(ext->object, oid) == 0) {
-            BIO *bio = BIO_new(BIO_s_mem());
-
-            if (X509V3_EXT_print(bio, ext, 0, 0) == 1) {
-                BUF_MEM *buf;
-                char **new = apr_array_push(val_array);
-
-                BIO_get_mem_ptr(bio, &buf);
-
-                *new = apr_pstrdup(r->pool, buf->data);
-            }
-
-            BIO_vfree(bio);
-        }
-    }
-
-    X509_free(xs);
-    ERR_clear_error();
-
-    if (val_array->nelts == 0)
-        return NULL;
-    else
-        return val_array;
-}
-
 static BOOL ssl_expr_eval_oid(request_rec *r, const char *word, const char *oidstr)
 {
     int j;
@@ -262,7 +205,7 @@
     apr_array_header_t *oid_array;
     char **oid_value;
 
-    if (NULL == (oid_array = ssl_extlist_by_oid(r, oidstr))) {
+    if (NULL == (oid_array = ssl_ext_list(r->pool, r->connection, 1, oidstr))) {
         return FALSE;
     }
 

Modified: httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_parse.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_parse.c?rev=306538&r1=306537&r2=306538&view=diff
==============================================================================
--- httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_parse.c (original)
+++ httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_parse.c Wed Oct  5 23:11:43 2005
@@ -43,7 +43,7 @@
 #define T_OP_REG 271
 #define T_OP_NRE 272
 #define T_OP_IN 273
-#define T_OP_OID 274
+#define T_OP_PEEREXTLIST 274
 #define T_OP_OR 275
 #define T_OP_AND 276
 #define T_OP_NOT 277
@@ -164,7 +164,7 @@
 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"T_TRUE",
 "T_FALSE","T_DIGIT","T_ID","T_STRING","T_REGEX","T_REGEX_I","T_FUNC_FILE",
 "T_OP_EQ","T_OP_NE","T_OP_LT","T_OP_LE","T_OP_GT","T_OP_GE","T_OP_REG",
-"T_OP_NRE","T_OP_IN","T_OP_OID","T_OP_OR","T_OP_AND","T_OP_NOT",
+"T_OP_NRE","T_OP_IN","T_OP_PEEREXTLIST","T_OP_OR","T_OP_AND","T_OP_NOT",
 };
 const char * const ssl_expr_yyrule[] = {
 "$accept : root",
@@ -185,7 +185,7 @@
 "comparison : word T_OP_IN wordlist",
 "comparison : word T_OP_REG regex",
 "comparison : word T_OP_NRE regex",
-"wordlist : T_OP_OID '(' word ')'",
+"wordlist : T_OP_PEEREXTLIST '(' word ')'",
 "wordlist : '{' words '}'",
 "words : word",
 "words : words ',' word",
@@ -498,7 +498,7 @@
 break;
 case 18:
 #line 107 "ssl_expr_parse.y"
-{ ssl_expr_yyval.exVal = ssl_expr_make(op_OidListElement, ssl_expr_yyvsp[-1].exVal, NULL);
}
+{ ssl_expr_yyval.exVal = ssl_expr_make(op_PeerExtElement, ssl_expr_yyvsp[-1].exVal, NULL);
}
 break;
 case 19:
 #line 108 "ssl_expr_parse.y"

Modified: httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_parse.h
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_parse.h?rev=306538&r1=306537&r2=306538&view=diff
==============================================================================
--- httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_parse.h (original)
+++ httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_parse.h Wed Oct  5 23:11:43 2005
@@ -19,7 +19,7 @@
 #define T_OP_REG 271
 #define T_OP_NRE 272
 #define T_OP_IN 273
-#define T_OP_OID 274
+#define T_OP_PEEREXTLIST 274
 #define T_OP_OR 275
 #define T_OP_AND 276
 #define T_OP_NOT 277

Modified: httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_parse.y
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_parse.y?rev=306538&r1=306537&r2=306538&view=diff
==============================================================================
--- httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_parse.y (original)
+++ httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_parse.y Wed Oct  5 23:11:43 2005
@@ -61,7 +61,7 @@
 %token  T_OP_REG
 %token  T_OP_NRE
 %token  T_OP_IN
-%token  T_OP_OID
+%token  T_OP_PEEREXTLIST
 
 %token  T_OP_OR
 %token  T_OP_AND
@@ -104,7 +104,7 @@
           | word T_OP_NRE regex          { $$ = ssl_expr_make(op_NRE, $1, $3); }
           ;
 
-wordlist  : T_OP_OID '(' word ')'	 { $$ = ssl_expr_make(op_OidListElement, $3, NULL); }
+wordlist  : T_OP_PEEREXTLIST '(' word ')' { $$ = ssl_expr_make(op_PeerExtElement, $3, NULL);
}
           | '{' words '}'                { $$ = $2 ; }
 	  ;
 

Modified: httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_scan.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_scan.c?rev=306538&r1=306537&r2=306538&view=diff
==============================================================================
--- httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_scan.c (original)
+++ httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_scan.c Wed Oct  5 23:11:43 2005
@@ -304,7 +304,7 @@
 
 #define YY_NUM_RULES 47
 #define YY_END_OF_BUFFER 48
-static yyconst short int yy_accept[89] =
+static yyconst short int yy_accept[97] =
     {   0,
         0,    0,    0,    0,    0,    0,    0,    0,   48,   46,
         1,   38,    2,   46,   44,   24,   46,   28,   45,   45,
@@ -313,8 +313,10 @@
        32,   34,   44,   26,   20,   31,   30,   45,   45,   45,
        19,   45,   45,   29,   27,   39,   25,   23,   15,   15,
        21,   45,   35,   45,   36,   13,   12,    5,    6,   10,
-       11,    7,    8,    9,   40,   33,   45,   45,   37,   45,
-        5,    6,   45,   41,   42,    5,   43,    0
+       11,    7,    8,    9,   45,   33,   45,   45,   37,   45,
+        5,    6,   45,   45,   41,   42,    5,   45,   43,   45,
+       45,   45,   45,   45,   40,    0
+
     } ;
 
 static yyconst int yy_ec[256] =
@@ -325,14 +327,14 @@
         1,    2,    4,    5,    1,    1,    1,    6,    1,    1,
         1,    1,    1,    1,    7,    1,    1,    8,    8,    8,
         8,    8,    8,    8,    8,    9,    9,    7,    1,   10,
-       11,   12,    1,    1,   13,   13,   13,   14,   13,   13,
-       13,   13,   15,   13,   13,   13,   13,   13,   16,   13,
-       13,   13,   13,   13,   13,   13,   13,   13,   13,   13,
-        1,   17,    1,    1,    7,    1,   18,   19,   13,   20,
-
-       21,   22,   23,   13,   24,   13,   13,   25,   26,   27,
-       28,   13,   29,   30,   31,   32,   33,   13,   13,   13,
-       13,   13,    1,   34,    1,   35,    1,    1,    1,    1,
+       11,   12,    1,    1,   13,   13,   13,   13,   14,   13,
+       13,   13,   15,   13,   13,   16,   13,   13,   13,   17,
+       13,   18,   19,   20,   13,   13,   13,   21,   13,   13,
+        1,   22,    1,    1,    7,    1,   23,   24,   13,   25,
+
+       26,   27,   28,   13,   29,   13,   13,   30,   31,   32,
+       33,   17,   34,   35,   36,   37,   38,   13,   13,   21,
+       13,   13,    1,   39,    1,   40,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
@@ -349,90 +351,100 @@
         1,    1,    1,    1,    1
     } ;
 
-static yyconst int yy_meta[36] =
+static yyconst int yy_meta[41] =
     {   0,
         1,    1,    2,    1,    3,    1,    4,    4,    4,    1,
-        1,    1,    4,    4,    4,    4,    3,    4,    4,    4,
-        4,    4,    4,    4,    4,    4,    4,    4,    4,    4,
-        4,    4,    4,    1,    1
+        1,    1,    4,    4,    4,    4,    4,    4,    4,    4,
+        4,    3,    4,    4,    4,    4,    4,    4,    4,    4,
+        4,    4,    4,    4,    4,    4,    4,    4,    1,    1
     } ;
 
-static yyconst short int yy_base[96] =
+static yyconst short int yy_base[104] =
     {   0,
-        0,    0,   33,   34,    0,    0,   88,   87,  110,  154,
-       38,   31,  154,  103,   35,   97,   34,   96,    0,   31,
-       75,   72,   29,   27,   73,   28,   69,   33,   48,   69,
-       64,    0,  154,  154,   97,  154,  154,  154,   54,  154,
-      154,  154,   56,  154,  154,  154,  154,    0,   38,   77,
-        0,   71,   70,    0,    0,    0,    0,    0,  154,    0,
-        0,   62,    0,   60,  154,    0,  154,   59,   68,  154,
-      154,  154,  154,  154,    0,    0,   61,   70,    0,   69,
-       74,   76,   68,    0,    0,   79,    0,  154,  129,  133,
-      137,   58,  141,  145,  149
+        0,    0,   38,   39,    0,    0,  101,  100,  128,  174,
+       43,   36,  174,  121,   40,  115,   39,  114,    0,   37,
+       92,   89,   29,   27,   90,   28,   79,   29,   82,   81,
+       76,    0,  174,  174,  112,  174,  174,  174,   54,  174,
+      174,  174,   58,  174,  174,  174,  174,    0,   45,   87,
+        0,   81,   80,    0,    0,    0,    0,    0,  174,    0,
+        0,   71,    0,   69,  174,    0,  174,   60,   64,  174,
+      174,  174,  174,  174,   52,    0,   70,   79,    0,   78,
+       66,   69,   68,   74,    0,    0,   84,   78,    0,   66,
+       72,   80,   77,   77,    0,  174,  149,  153,  157,   94,
 
+      161,  165,  169
     } ;
 
-static yyconst short int yy_def[96] =
+static yyconst short int yy_def[104] =
     {   0,
-       88,    1,   89,   89,   90,   90,   91,   91,   88,   88,
-       88,   88,   88,   88,   88,   88,   88,   88,   92,   92,
-       92,   92,   92,   92,   92,   92,   93,   92,   92,   92,
-       88,   94,   88,   88,   95,   88,   88,   88,   88,   88,
-       88,   88,   88,   88,   88,   88,   88,   92,   92,   92,
-       92,   92,   92,   92,   92,   92,   92,   92,   88,   92,
-       92,   92,   92,   92,   88,   94,   88,   88,   88,   88,
-       88,   88,   88,   88,   92,   92,   92,   92,   92,   92,
-       88,   88,   92,   92,   92,   88,   92,    0,   88,   88,
-       88,   88,   88,   88,   88
+       96,    1,   97,   97,   98,   98,   99,   99,   96,   96,
+       96,   96,   96,   96,   96,   96,   96,   96,  100,  100,
+      100,  100,  100,  100,  100,  100,  101,  100,  100,  100,
+       96,  102,   96,   96,  103,   96,   96,   96,   96,   96,
+       96,   96,   96,   96,   96,   96,   96,  100,  100,  100,
+      100,  100,  100,  100,  100,  100,  100,  100,   96,  100,
+      100,  100,  100,  100,   96,  102,   96,   96,   96,   96,
+       96,   96,   96,   96,  100,  100,  100,  100,  100,  100,
+       96,   96,  100,  100,  100,  100,   96,  100,  100,  100,
+      100,  100,  100,  100,  100,    0,   96,   96,   96,   96,
 
+       96,   96,   96
     } ;
 
-static yyconst short int yy_nxt[190] =
+static yyconst short int yy_nxt[215] =
     {   0,
        10,   11,   11,   12,   13,   14,   10,   15,   15,   16,
-       17,   18,   19,   19,   19,   20,   10,   21,   19,   19,
-       22,   23,   24,   25,   26,   27,   28,   29,   19,   19,
-       19,   30,   19,   31,   10,   33,   33,   34,   34,   39,
-       39,   40,   43,   43,   45,   49,   52,   54,   57,   35,
-       35,   75,   53,   61,   49,   39,   39,   75,   55,   58,
-       62,   48,   49,   43,   43,   41,   81,   82,   46,   59,
-       59,   49,   59,   59,   59,   82,   82,   63,   59,   59,
-       59,   86,   82,   82,   82,   59,   82,   82,   87,   85,
-       84,   83,   80,   79,   78,   77,   76,   65,   64,   56,
-
-       51,   50,   59,   59,   68,   69,   47,   44,   42,   88,
-       38,   38,   88,   88,   88,   70,   88,   88,   71,   88,
-       88,   88,   88,   72,   88,   88,   73,   88,   74,   32,
+       17,   18,   19,   19,   19,   19,   20,   19,   19,   19,
+       19,   10,   21,   19,   19,   22,   23,   24,   25,   26,
+       27,   28,   29,   19,   19,   19,   30,   19,   31,   10,
+       33,   33,   34,   34,   39,   39,   40,   43,   43,   45,
+       49,   52,   54,   57,   61,   39,   39,   53,   75,   35,
+       35,   62,   49,   55,   58,   43,   43,   81,   82,   83,
+       75,   82,   82,   87,   82,   41,   82,   82,   46,   59,
+       59,   88,   59,   59,   59,   91,   83,   92,   59,   59,
+       59,   82,   82,   88,   93,   94,   95,   48,   90,   89,
+
+       59,   92,   91,   86,   85,   84,   80,   79,   93,   78,
+       77,   76,   94,   95,   65,   64,   63,   59,   59,   68,
+       69,   56,   51,   50,   47,   44,   42,   96,   38,   38,
+       96,   96,   96,   96,   96,   70,   96,   96,   71,   96,
+       96,   96,   96,   72,   96,   96,   73,   96,   74,   32,
        32,   32,   32,   36,   36,   36,   36,   37,   37,   37,
-       37,   60,   88,   60,   60,   66,   88,   88,   66,   67,
-       67,   67,   67,    9,   88,   88,   88,   88,   88,   88,
-       88,   88,   88,   88,   88,   88,   88,   88,   88,   88,
-       88,   88,   88,   88,   88,   88,   88,   88,   88,   88,
-       88,   88,   88,   88,   88,   88,   88,   88,   88
+       37,   60,   96,   60,   60,   66,   96,   96,   66,   67,
+       67,   67,   67,    9,   96,   96,   96,   96,   96,   96,
+       96,   96,   96,   96,   96,   96,   96,   96,   96,   96,
+       96,   96,   96,   96,   96,   96,   96,   96,   96,   96,
+
+       96,   96,   96,   96,   96,   96,   96,   96,   96,   96,
+       96,   96,   96,   96
     } ;
 
-static yyconst short int yy_chk[190] =
+static yyconst short int yy_chk[215] =
     {   0,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    3,    4,    3,    4,   11,
-       11,   12,   15,   15,   17,   20,   23,   24,   26,    3,
-        4,   49,   23,   28,   20,   39,   39,   49,   24,   26,
-       28,   92,   29,   43,   43,   12,   68,   68,   17,   27,
-       27,   29,   27,   27,   27,   69,   69,   29,   27,   27,
-       27,   81,   81,   82,   82,   27,   86,   86,   83,   80,
-       78,   77,   64,   62,   53,   52,   50,   31,   30,   25,
-
-       22,   21,   27,   27,   35,   35,   18,   16,   14,    9,
-        8,    7,    0,    0,    0,   35,    0,    0,   35,    0,
-        0,    0,    0,   35,    0,    0,   35,    0,   35,   89,
-       89,   89,   89,   90,   90,   90,   90,   91,   91,   91,
-       91,   93,    0,   93,   93,   94,    0,    0,   94,   95,
-       95,   95,   95,   88,   88,   88,   88,   88,   88,   88,
-       88,   88,   88,   88,   88,   88,   88,   88,   88,   88,
-       88,   88,   88,   88,   88,   88,   88,   88,   88,   88,
-       88,   88,   88,   88,   88,   88,   88,   88,   88
+        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
+        3,    4,    3,    4,   11,   11,   12,   15,   15,   17,
+       20,   23,   24,   26,   28,   39,   39,   23,   49,    3,
+        4,   28,   20,   24,   26,   43,   43,   68,   68,   75,
+       49,   69,   69,   81,   81,   12,   82,   82,   17,   27,
+       27,   83,   27,   27,   27,   90,   75,   91,   27,   27,
+       27,   87,   87,   83,   92,   93,   94,  100,   88,   84,
+
+       27,   91,   90,   80,   78,   77,   64,   62,   92,   53,
+       52,   50,   93,   94,   31,   30,   29,   27,   27,   35,
+       35,   25,   22,   21,   18,   16,   14,    9,    8,    7,
+        0,    0,    0,    0,    0,   35,    0,    0,   35,    0,
+        0,    0,    0,   35,    0,    0,   35,    0,   35,   97,
+       97,   97,   97,   98,   98,   98,   98,   99,   99,   99,
+       99,  101,    0,  101,  101,  102,    0,    0,  102,  103,
+      103,  103,  103,   96,   96,   96,   96,   96,   96,   96,
+       96,   96,   96,   96,   96,   96,   96,   96,   96,   96,
+       96,   96,   96,   96,   96,   96,   96,   96,   96,   96,
+
+       96,   96,   96,   96,   96,   96,   96,   96,   96,   96,
+       96,   96,   96,   96
     } ;
 
 static yy_state_type yy_last_accepting_state;
@@ -500,7 +512,7 @@
 #define regex 2
 #define regex_flags 3
 
-#line 505 "lex.ssl_expr_yy.c"
+#line 517 "lex.ssl_expr_yy.c"
 
 /* Macros after this point can all be overridden by user definitions in
  * section 1.
@@ -663,7 +675,7 @@
  /*
   * Whitespaces
   */
-#line 668 "lex.ssl_expr_yy.c"
+#line 680 "lex.ssl_expr_yy.c"
 
 	if ( yy_init )
 		{
@@ -714,13 +726,13 @@
 			while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
 				{
 				yy_current_state = (int) yy_def[yy_current_state];
-				if ( yy_current_state >= 89 )
+				if ( yy_current_state >= 97 )
 					yy_c = yy_meta[(unsigned int) yy_c];
 				}
 			yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
 			++yy_cp;
 			}
-		while ( yy_current_state != 88 );
+		while ( yy_current_state != 96 );
 		yy_cp = yy_last_accepting_cpos;
 		yy_current_state = yy_last_accepting_state;
 
@@ -1008,7 +1020,7 @@
 case 40:
 YY_RULE_SETUP
 #line 176 "ssl_expr_scan.l"
-{ return T_OP_OID; }
+{ return T_OP_PEEREXTLIST; }
 	YY_BREAK
 /*
   * Functions
@@ -1068,7 +1080,7 @@
 #line 212 "ssl_expr_scan.l"
 YY_FATAL_ERROR( "flex scanner jammed" );
 	YY_BREAK
-#line 1073 "lex.ssl_expr_yy.c"
+#line 1085 "lex.ssl_expr_yy.c"
 case YY_STATE_EOF(INITIAL):
 case YY_STATE_EOF(str):
 case YY_STATE_EOF(regex):
@@ -1363,7 +1375,7 @@
 		while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
 			{
 			yy_current_state = (int) yy_def[yy_current_state];
-			if ( yy_current_state >= 89 )
+			if ( yy_current_state >= 97 )
 				yy_c = yy_meta[(unsigned int) yy_c];
 			}
 		yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
@@ -1398,11 +1410,11 @@
 	while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
 		{
 		yy_current_state = (int) yy_def[yy_current_state];
-		if ( yy_current_state >= 89 )
+		if ( yy_current_state >= 97 )
 			yy_c = yy_meta[(unsigned int) yy_c];
 		}
 	yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
-	yy_is_jam = (yy_current_state == 88);
+	yy_is_jam = (yy_current_state == 96);
 
 	return yy_is_jam ? 0 : yy_current_state;
 	}

Modified: httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_scan.l
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_scan.l?rev=306538&r1=306537&r2=306538&view=diff
==============================================================================
--- httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_scan.l (original)
+++ httpd/httpd/branches/async-dev/modules/ssl/ssl_expr_scan.l Wed Oct  5 23:11:43 2005
@@ -173,7 +173,7 @@
 "not" { return T_OP_NOT; }
 "!"   { return T_OP_NOT; }
 "in"  { return T_OP_IN; }
-[Oo][Ii][Dd] { return T_OP_OID; }
+[Pp][Ee][Ee][Rr][Ee][Xx][Tt][Ll][Ii][Ss][Tt] { return T_OP_PEEREXTLIST; }
 
  /*
   * Functions

Modified: httpd/httpd/branches/async-dev/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/async-dev/modules/ssl/ssl_private.h?rev=306538&r1=306537&r2=306538&view=diff
==============================================================================
--- httpd/httpd/branches/async-dev/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/async-dev/modules/ssl/ssl_private.h Wed Oct  5 23:11:43 2005
@@ -595,6 +595,10 @@
 void         ssl_io_filter_register(apr_pool_t *);
 long         ssl_io_data_cb(BIO *, int, MODSSL_BIO_CB_ARG_TYPE *, int, long, long);
 
+/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
+ * to allow an SSL renegotiation to take place. */
+int          ssl_io_buffer_fill(request_rec *r);
+
 /**  PRNG  */
 int          ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *);
 
@@ -646,9 +650,7 @@
 /**  Variables  */
 void         ssl_var_register(void);
 char        *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
-const char  *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer, const char *oid);
-
-extern apr_array_header_t *ssl_extlist_by_oid(request_rec *r, const char *oidstr);
+apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension);
 
 void         ssl_var_log_config_register(apr_pool_t *p);
 

Modified: httpd/httpd/branches/async-dev/modules/ssl/ssl_util.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/async-dev/modules/ssl/ssl_util.c?rev=306538&r1=306537&r2=306538&view=diff
==============================================================================
--- httpd/httpd/branches/async-dev/modules/ssl/ssl_util.c (original)
+++ httpd/httpd/branches/async-dev/modules/ssl/ssl_util.c Wed Oct  5 23:11:43 2005
@@ -137,10 +137,11 @@
 ssl_algo_t ssl_util_algotypeof(X509 *pCert, EVP_PKEY *pKey) 
 {
     ssl_algo_t t;
+    EVP_PKEY *pFreeKey = NULL;
             
     t = SSL_ALGO_UNKNOWN;
     if (pCert != NULL)
-        pKey = X509_get_pubkey(pCert);
+        pFreeKey = pKey = X509_get_pubkey(pCert);
     if (pKey != NULL) {
         switch (EVP_PKEY_key_type(pKey)) {
             case EVP_PKEY_RSA: 
@@ -153,6 +154,11 @@
                 break;
         }
     }
+#ifdef OPENSSL_VERSION_NUMBER
+    /* Only refcounted in OpenSSL */
+    if (pFreeKey != NULL)
+        EVP_PKEY_free(pFreeKey);
+#endif
     return t;
 }
 



Mime
View raw message