From David Reid <da...@jetnet.co.uk>
Subject [PATCH] ssl_ext_lookup
Date Sat, 10 Sep 2005 01:47:17 GMT
Following patch makes some changes to ssl_ext_lookup and changes its
API, hence the post for review.

Add some more warnings when things don't go as advertised.

We now allow the "known" names to be used as extensions to lookup
expanding the flexability of the function.

Add an index to allow repeated calls to get different values to handle
the case when the same extension is present multiple times (there is no
restriction how often they can appear I'm aware of).

X509V3_EXT_print seems to have trouble printing some simple strings and
despite having a default fallback it's still not able to decode them, so
we allow a plain return of the data. This could also (concievably) be a
small binary section, so we return the length to allow the caller to
know how much data is provided. This can probably be improved on.

With these changes I was able to get mod_authz_svn working correctly
with certificates produced from BaDCA :-)

Comments?

david

Index: modules/ssl/ssl_private.h
===================================================================
--- modules/ssl/ssl_private.h   (revision 279892)
+++ modules/ssl/ssl_private.h   (working copy)
@@ -646,7 +646,7 @@
 /**  Variables  */
 void         ssl_var_register(void);
 char        *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *,
request_rec *, char *);
-const char  *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer, const
char *oid);
+const char  *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer, const
char *extension, int index, int *len);

 extern apr_array_header_t *ssl_extlist_by_oid(request_rec *r, const
char *oidstr);

Index: modules/ssl/ssl_engine_vars.c
===================================================================
--- modules/ssl/ssl_engine_vars.c       (revision 279892)
+++ modules/ssl/ssl_engine_vars.c       (working copy)
@@ -661,7 +661,7 @@
 }

 const char *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer,
-                           const char *oidnum)
+                           const char *extension, int index, int *len)
 {
     SSLConnRec *sslconn = myConnConfig(c);
     SSL *ssl;
@@ -669,14 +669,24 @@
     ASN1_OBJECT *oid;
     int count = 0, j;
     char *result = NULL;
-
+
+    /* Make sure we don't say we're returning any data unless we are */
+    *len = 0;
+
     if (!sslconn || !sslconn->ssl) {
         return NULL;
     }
     ssl = sslconn->ssl;

-    oid = OBJ_txt2obj(oidnum, 1);
+    /* We accept the "extension" string to be converted as
+     * a long name (nsComment), short name (DN) or
+     * numeric OID (1.2.3.4).
+     */
+    oid = OBJ_txt2obj(extension, 0);
     if (!oid) {
+        ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c,
+                      "Failed to create an OID object for extension '%s'",
+                      extension);
         ERR_clear_error();
         return NULL;
     }
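Review bot: `*len = 0;` at the top of the hunk dereferences the new out-parameter before anything else is validated, so a caller that passes NULL for len faults before the existing sslconn check, and nothing in the patched mod_ssl.h comment makes len mandatory. Either guard it, `if (len) *len = 0;`, and do the same at the two `*len = ...` stores in the following hunk, or state in the header comment that len must be non-NULL. ssl_ext_lookup's signature is in the previous hunk and its body continues past this one.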
@@ -692,14 +702,30 @@
         X509_EXTENSION *ext = X509_get_ext(xs, j);

         if (OBJ_cmp(ext->object, oid) == 0) {
-            BIO *bio = BIO_new(BIO_s_mem());
+            BIO *bio = NULL;

+
+            if (index != -1 && --index > 0)
+                continue;
+
+            bio = BIO_new(BIO_s_mem());
             if (X509V3_EXT_print(bio, ext, 0, 0) == 1) {
                 BUF_MEM *buf;

                 BIO_get_mem_ptr(bio, &buf);
                 result = apr_pstrmemdup(p, buf->data, buf->length);
+                *len = buf->length;
             }
+            /* XXX - Not 100% sure this is really a good idea... */
+            else if (ext->value->length > 0) {
+                result = apr_pmemdup(p, ext->value->data,
ext->value->length);
+                *len = ext->value->length;
+            /* This is a good idea though :-) */
+            } else {
+                ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c,
+                              "Found an extension '%s', but failed to "
+                              "create a string from it", extension);
+            }

             BIO_vfree(bio);
             break;
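Review bot: The fallback `result = apr_pmemdup(p, ext->value->data, ext->value->length);` hands back the raw value octets with no terminating NUL, yet the return type is `const char *` and the mod_ssl.h comment still calls it "the string value", so any caller that treats the result as a C string (as every pre-patch caller did) reads past the pool allocation; `result = apr_pstrmemdup(p, (const char *)ext->value->data, ext->value->length);` costs one byte and keeps *len meaningful. The test `if (index != -1 && --index > 0) continue;` is also off by one: with index 1 the pre-decrement yields 0, so 0 and 1 both return the first match, contradicting the header comment that 0 is the first result and repeated calls increment; `if (index > 0) { index--; continue; }` gives the documented sequence and still treats -1 as the first match. `bio = BIO_new(BIO_s_mem());` can return NULL and the value goes unchecked into X509V3_EXT_print. Naming the parameter `index` shadows POSIX index() from <strings.h>, which -Wshadow flags; `idx` would avoid it. The enclosing for loop and the function's return lie outside the hunk.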
Index: modules/ssl/mod_ssl.h
===================================================================
--- modules/ssl/mod_ssl.h       (revision 279892)
+++ modules/ssl/mod_ssl.h       (working copy)
@@ -37,14 +37,21 @@
                          char *));

 /** The ssl_ext_lookup() optional function retrieves the value of a SSL
- * certificate X.509 extension.  The client certificate is used if
- * peer is non-zero; the server certificate is used otherwise.  The
- * oidnum parameter specifies the numeric OID (e.g. "1.2.3.4") of the
- * desired extension.  The string value of the extension is returned,
- * or NULL on error. */
+ * certificate X.509 extension.
+ * The client certificate is used if peer is non-zero; the server
+ * certificate is used otherwise.
+ * Extension specifies the extensions to use as a string. This can be
+ * one of the "known" long or short names, or a numeric OID,
+ * e.g. "1.2.3.4", 'nsComment' and 'DN' are all valid.
+ * The index parameter allows for multiple values to be retrieved by
+ * repeated calls with the index incremented. Using an index of 0 will
+ * provide the first matching result.
+ * The string value of the extension is returned, or NULL on error.
+ * The length of the returned data will be stored in *len.
+ */
 APR_DECLARE_OPTIONAL_FN(const char *, ssl_ext_lookup,
                         (apr_pool_t *p, conn_rec *c, int peer,
-                         const char *oidnum));
+                         const char *extension, int index, int *len));

 /** An optional function which returns non-zero if the given connection
  * is using SSL/TLS. */
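Review bot: The rewritten comment still describes the result only as "the string value", but the new ssl_engine_vars.c code falls back to returning the extension's raw value bytes when OpenSSL cannot print it, and those bytes are neither NUL-terminated nor guaranteed free of embedded NULs; the contract should say that *len, not strlen(), bounds the result and that the data may be binary. It should also state whether len may be NULL (the implementation dereferences it unconditionally) and that NULL is presumably returned both when no extension matches and when index exceeds the number of matches, so callers know how to end an index loop. "Extension specifies the extensions to use as a string" reads awkwardly; `The extension parameter names the extension to look up` is clearer.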
