httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: Thinking something like this for mod_auth_svn
Date Mon, 01 Aug 2005 09:32:50 GMT

Ok, found the problem; turns out that if openssl does not have the
extension hardcoded in its objects.c (from objects.txt in crypto/objects;
compiled by an objects.pl perl script) then X509V3_EXT_print() does not do
anything sensible with that string unless the flag
X509V3_EXT_PARSE_UNKNOWN or X509V3_EXT_DUMP_UNKNOWN is passed. (And
Martin's code then sensibly ignores it).

But once you pass either of these flags it then yields a string which is
not properly terminated - hence making it possible for a bad cert to
segfault the server. Plus the format is in any case not usable for any
proper access control.

So that perhaps means that this OID thing requires re-using an existing
extension (like id-aca, role, etc) known to the locally installed version
of openssl, or adding to our code some ability, like a DER format string,
to handle arbitrary string extraction from the extension fields.

Dw.


PS: plus right now it seems that ssl_expr_parse.* and ssl_expr_scan.*
    which are generated from the lex/yacc files - are under svn control.

Index: ssl_expr_eval.c
===================================================================
--- ssl_expr_eval.c     (revision 226665)
+++ ssl_expr_eval.c     (working copy)
@@ -229,7 +229,25 @@
     /* Loop over all extensions, extract the desired oids */
     for (j = 0; j < count; j++) {
         X509_EXTENSION *ext = X509_get_ext(xs, j);
+#if 1
+       {
+               char buff[16*1024];
+                BUF_MEM *buf;
+               BIO *bio = BIO_new(BIO_s_mem());
+               OBJ_obj2txt(buff, sizeof(buff), ext->object, 0);

+               if (X509V3_EXT_print(bio, ext, /* X509V3_EXT_ERROR_UNKNOWN
*/ X509V3_EXT_PARSE_UNKNOWN /*  X509V3_EXT_DUMP_UNKNOWN */, 0) == 1) {
+                       BIO_get_mem_ptr(bio, &buf);
+
+                       /* XXX for some reason the PARSE_UNK do not have a
trailing \0 */
+                       buf->data[ buf->length -1 ] = 0;
+
+                       ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
r->server, "Extension '%s': %s", buff,buf->data);
+               };
+               BIO_vfree(bio);
+
+       };
+#endif
         if (OBJ_cmp(ext->object, oid) == 0) {
             BIO *bio = BIO_new(BIO_s_mem());

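Review bot: the line `buf->data[ buf->length -1 ] = 0;` is not a safe way to terminate the mem BIO's contents: it overwrites the last byte X509V3_EXT_print actually produced, and if `buf->length` is 0 it indexes one byte before the buffer. A memory BIO never NUL-terminates its data; `BUF_MEM` carries an explicit `length` for that reason, so the "XXX for some reason" comment describes normal behaviour, not a PARSE_UNKNOWN quirk. Either log it length-aware (`"Extension '%s': %.*s", buff, (int)buf->length, buf->data`) or append a terminator with `BIO_write(bio, "", 1)` before `BIO_get_mem_ptr`. Smaller points in the same block: `char buff[16*1024]` on the stack is far more than OBJ_obj2txt needs for a dotted OID (a few dozen bytes is plenty, and it reports the required length if truncated); the block is wrapped in `#if 1` and logs raw extension contents from untrusted certificates at DEBUG level, so it should be removed or gated before this goes in; and the `};` after each closing brace is a stray semicolon.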
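The message above argues for two things: never treating the output of X509V3_EXT_print (or any length-counted buffer) as NUL-terminated, and extracting the extension value in a form usable for access control by reading the DER directly rather than a display string. The following is an added example written for this page, not code from the mailing list, from httpd or from OpenSSL; it assumes the extension's value (the `extnValue` octet string contents) is a single ASN.1 string TLV, and the function names `der_tlv`, `ext_string_value` and `ext_value_equals` and the sample byte arrays are all constructed here for illustration. It parses the TLV with explicit bounds and DER length rules, and produces a properly terminated copy so that a malformed certificate yields NULL instead of a read past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ASN.1 universal tags for the string types accepted here (a deliberate subset). */
enum { TAG_UTF8STRING = 0x0C, TAG_PRINTABLESTRING = 0x13, TAG_IA5STRING = 0x16 };

/* Parse one DER TLV header from p[0..n). On success returns 0 and sets the tag,
 * the offset of the content and its length; the content is guaranteed to lie
 * inside the buffer. Rejects indefinite length, non-minimal long-form lengths
 * (both forbidden by DER) and high-tag-number form (not needed for strings). */
static int der_tlv(const uint8_t *p, size_t n, uint8_t *tag, size_t *off, size_t *len)
{
    size_t i = 0;
    if (n < 2) return -1;
    *tag = p[i++];
    if ((*tag & 0x1F) == 0x1F) return -1;        /* high-tag-number form */
    uint8_t b = p[i++];
    if (b < 0x80) {
        *len = b;                                 /* short form */
    } else {
        size_t k = b & 0x7F;                      /* number of length octets */
        if (k == 0 || k > sizeof(size_t) || i + k > n) return -1; /* indefinite / oversized */
        size_t l = 0;
        for (size_t j = 0; j < k; j++) l = (l << 8) | p[i++];
        if (p[i - k] == 0 || l < 0x80) return -1; /* DER: shortest encoding only */
        *len = l;
    }
    if (*len > n - i) return -1;                  /* content would overrun the buffer */
    *off = i;
    return 0;
}

/* Extract a string-typed extension value as a NUL-terminated copy the caller frees.
 * Returns NULL if the value is malformed, not a supported string type, has trailing
 * bytes, or contains an embedded NUL (which would silently truncate later compares). */
char *ext_string_value(const uint8_t *der, size_t der_len)
{
    uint8_t tag; size_t off, len;
    if (der_tlv(der, der_len, &tag, &off, &len) != 0) return NULL;
    if (off + len != der_len) return NULL;
    if (tag != TAG_UTF8STRING && tag != TAG_PRINTABLESTRING && tag != TAG_IA5STRING) return NULL;
    if (memchr(der + off, 0, len) != NULL) return NULL;
    char *out = malloc(len + 1);
    if (out == NULL) return NULL;
    memcpy(out, der + off, len);
    out[len] = '\0';                              /* terminate explicitly, using the parsed length */
    return out;
}

/* Access-control style check: 1 if the extension value is exactly `expected`, else 0.
 * An unparsable value never matches. */
int ext_value_equals(const uint8_t *der, size_t der_len, const char *expected)
{
    char *v = ext_string_value(der, der_len);
    if (v == NULL) return 0;
    int eq = strcmp(v, expected) == 0;
    free(v);
    return eq;
}

/* Constructed sample inputs (not taken from any real certificate). */
static const uint8_t SAMPLE_UTF8[]     = { 0x0C, 0x05, 'a', 'd', 'm', 'i', 'n' };  /* UTF8String "admin" */
static const uint8_t SAMPLE_TRUNC[]    = { 0x0C, 0x10, 'a' };                       /* length exceeds data */
static const uint8_t SAMPLE_INDEF[]    = { 0x0C, 0x80, 'a', 0x00, 0x00 };           /* indefinite length */
static const uint8_t SAMPLE_NONMIN[]   = { 0x0C, 0x81, 0x05, 'a', 'd', 'm', 'i', 'n' }; /* non-minimal length */
static const uint8_t SAMPLE_INTEGER[]  = { 0x02, 0x01, 0x05 };                      /* INTEGER, not a string */
static const uint8_t SAMPLE_EMBEDNUL[] = { 0x0C, 0x02, 'a', 0x00 };                 /* embedded NUL */

int main(void)
{
    char *v = ext_string_value(SAMPLE_UTF8, sizeof SAMPLE_UTF8);
    printf("utf8 value: %s\n", v ? v : "(rejected)");
    free(v);
    printf("truncated: %s\n", ext_string_value(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC) ? "accepted" : "rejected");
    printf("matches 'admin': %d\n", ext_value_equals(SAMPLE_UTF8, sizeof SAMPLE_UTF8, "admin"));
    return 0;
}
```

The design point is that the length comes from the DER header and is checked against the buffer before any byte of content is touched, so the NUL terminator is written at a position the parser has already validated; this is the opposite of the patch's approach of assuming the last byte of whatever the BIO holds can be overwritten. Rejecting non-minimal and indefinite lengths matters for access control as well as memory safety: two different encodings of the same value must not be able to pass a comparison one way and fail it another.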