From: David Reid <david@jetnet.co.uk>
Date: Sat, 10 Sep 2005 02:47:17 +0100
To: dev@httpd.apache.org
Subject: [PATCH] ssl_ext_lookup
Message-ID: <43223B25.5070908@jetnet.co.uk>

The following patch makes some changes to ssl_ext_lookup and changes its API, hence the post for review.

Add some more warnings when things don't go as advertised.

We now allow the "known" names to be used as extensions to look up, expanding the flexibility of the function.

Add an index to allow repeated calls to get different values to handle the case when the same extension is present multiple times (there is no restriction on how often they can appear that I'm aware of).

X509V3_EXT_print seems to have trouble printing some simple strings and despite having a default fallback it's still not able to decode them, so we allow a plain return of the data. This could also (conceivably) be a small binary section, so we return the length to allow the caller to know how much data is provided. This can probably be improved on.

With these changes I was able to get mod_authz_svn working correctly with certificates produced from BaDCA :-)

Comments?

david

Index: modules/ssl/ssl_private.h =================================================================== --- modules/ssl/ssl_private.h (revision 279892) +++ modules/ssl/ssl_private.h (working copy)
@@ -646,7 +646,7 @@ /** Variables */ void ssl_var_register(void); char *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *); -const char *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer, const char *oid); +const char *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer, const char *extension, int index, int *len); extern apr_array_header_t *ssl_extlist_by_oid(request_rec *r, const char *oidstr); Index: modules/ssl/ssl_engine_vars.c =================================================================== --- modules/ssl/ssl_engine_vars.c (revision 279892) +++ modules/ssl/ssl_engine_vars.c (working copy) @@ -661,7 +661,7 @@ } const char *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer, - const char *oidnum) + const char *extension, int index, int *len) { SSLConnRec *sslconn = myConnConfig(c); SSL *ssl; @@ -669,14 +669,24 @@ ASN1_OBJECT *oid; int count = 0, j; char *result = NULL; - + + /* Make sure we don't say we're returning any data unless we are */ + *len = 0; + if (!sslconn || !sslconn->ssl) { return NULL; } ssl = sslconn->ssl; - oid = OBJ_txt2obj(oidnum, 1); + /* We accept the "extension" string to be converted as + * a long name (nsComment), short name (DN) or + * numeric OID (1.2.3.4). + */ + oid = OBJ_txt2obj(extension, 0); if (!oid) { + ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, + "Failed to create an OID object for extension '%s'", + extension); ERR_clear_error(); return NULL; } 
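Review bot: the new parameter named `index` in the ssl_private.h prototype and in the ssl_engine_vars.c definition shadows index(3) from <strings.h>, which httpd includes on most platforms and which gcc flags under -Wshadow; renaming it (for example `idx`) avoids that. In the same definition `*len = 0;` is executed before anything else, so a caller that has no use for the length and passes NULL for `len` crashes on entry; either guard each store with `if (len)` or state in the prototype comment that `len` must not be NULL.

Review bot: the comment above `oid = OBJ_txt2obj(extension, 0);` says short names such as 'DN' are accepted; with no_name set to 0 OBJ_txt2obj resolves any name in OpenSSL's object table, not only extension names, so a name that resolves to something that is not a certificate extension yields NULL with *len 0 exactly as a certificate that lacks the extension does, and nothing in the patch logs the difference. A debug-level ap_log_cerror when the loop finishes without a match would make that distinguishable.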
@@ -692,14 +702,30 @@ X509_EXTENSION *ext = X509_get_ext(xs, j); if (OBJ_cmp(ext->object, oid) == 0) { - BIO *bio = BIO_new(BIO_s_mem()); + BIO *bio = NULL; + + if (index != -1 && --index > 0) + continue; + + bio = BIO_new(BIO_s_mem()); if (X509V3_EXT_print(bio, ext, 0, 0) == 1) { BUF_MEM *buf; BIO_get_mem_ptr(bio, &buf); result = apr_pstrmemdup(p, buf->data, buf->length); + *len = buf->length; } + /* XXX - Not 100% sure this is really a good idea... */ + else if (ext->value->length > 0) { + result = apr_pmemdup(p, ext->value->data, ext->value->length); + *len = ext->value->length; + /* This is a good idea though :-) */ + } else { + ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, + "Found an extension '%s', but failed to " + "create a string from it", extension); + } BIO_vfree(bio); break; Index: modules/ssl/mod_ssl.h =================================================================== --- modules/ssl/mod_ssl.h (revision 279892) +++ modules/ssl/mod_ssl.h (working copy) 
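Review bot: the index arithmetic `if (index != -1 && --index > 0) continue;` is off by one against the documented semantics: with index 0 the test is -1 > 0 and the first match is returned, and with index 1 the test is 0 > 0 and the first match is returned again, so a caller stepping 0, 1, 2, ... sees the first value twice and the second value only at index 2. `if (index > 0) { index--; continue; }` (treating -1 like 0) makes 0 the first match and 1 the second, as the mod_ssl.h comment describes. Two further points on the fallback branch: `ext->value->data` is the DER encoding of the extension value, so for a string extension the caller receives the ASN.1 tag and length octets ahead of the characters, not the plain string; and `apr_pmemdup` does not NUL-terminate, unlike the `apr_pstrmemdup` used in the success branch, so a caller that treats the `const char *` result as a C string (the documented contract) reads past the allocation. At minimum use `apr_pstrmemdup` here as well so the result is always terminated, and document that `*len`, not strlen(), bounds the data.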
@@ -37,14 +37,21 @@ char *)); /** The ssl_ext_lookup() optional function retrieves the value of a SSL - * certificate X.509 extension. The client certificate is used if - * peer is non-zero; the server certificate is used otherwise. The - * oidnum parameter specifies the numeric OID (e.g. "1.2.3.4") of the - * desired extension. The string value of the extension is returned, - * or NULL on error. */ + * certificate X.509 extension. + * The client certificate is used if peer is non-zero; the server + * certificate is used otherwise. + * Extension specifies the extensions to use as a string. This can be + * one of the "known" long or short names, or a numeric OID, + * e.g. "1.2.3.4", 'nsComment' and 'DN' are all valid. + * The index parameter allows for multiple values to be retrieved by + * repeated calls with the index incremented. Using an index of 0 will + * provide the first matching result. + * The string value of the extension is returned, or NULL on error. + * The length of the returned data will be stored in *len. + */ APR_DECLARE_OPTIONAL_FN(const char *, ssl_ext_lookup, (apr_pool_t *p, conn_rec *c, int peer, - const char *oidnum)); + const char *extension, int index, int *len)); /** An optional function which returns non-zero if the given connection * is using SSL/TLS. */
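Review bot: this is an APR optional function, so consumers such as mod_authz_svn retrieve it by name with APR_RETRIEVE_OPTIONAL_FN and cast the pointer to the declared type; a module built against the old three-argument prototype still resolves the symbol at runtime and calls it with undefined contents for `index` and `len`, and the unconditional `*len = 0;` then writes through that value. Either give the new function a new name (for example ssl_ext_lookup2) or note in this comment that third-party callers must be rebuilt. The comment should also say what an index of -1 does, that the returned data may be binary and is bounded by `*len` rather than NUL-terminated, and whether `len` may be NULL.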
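Added example, not code from the patch, from mod_ssl or from David Reid: a standard-library Python walker over a DER-encoded X.509 Extensions SEQUENCE that reproduces the lookup semantics described in the message (name or dotted OID, 0-based index over repeated extensions, decoded string or raw fallback, plus the byte length a caller would get in *len) so they can be checked without OpenSSL. KNOWN_NAMES is a constructed stand-in for OpenSSL's OBJ_txt2obj name resolution, and the sample extensions are constructed inline; it also shows what the raw fallback actually returns for a non-string value.

```python
"""Added example (not part of David Reid's patch or of mod_ssl).

A minimal DER walker reproducing the ssl_ext_lookup() semantics discussed in
the message: look an extension up by name or dotted OID, pick the index-th
occurrence when the same extension appears more than once, return a decoded
string for string-typed values and the raw extnValue bytes otherwise, together
with the byte length a C caller would receive in *len.
"""

# Constructed subset standing in for OpenSSL's OBJ_txt2obj(name, 0) resolution.
KNOWN_NAMES = {
    "nsComment": "2.16.840.1.113730.1.13",
    "Netscape Comment": "2.16.840.1.113730.1.13",
    "subjectAltName": "2.5.29.17",
    "X509v3 Subject Alternative Name": "2.5.29.17",
}

# ASN.1 string tags rendered as text: UTF8String, PrintableString, IA5String.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}


def _der_len(n):
    """Definite-length encoding, short and long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]  # adequate for first arc 0..2, second < 40
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """Return (tag, body, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extension(oid, value_der, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }; extnValue wraps the DER of the actual value."""
    body = encode_oid(oid)
    if critical:
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, value_der))


# Constructed sample: nsComment twice, a private UTF8String, an opaque value.
SAMPLE_EXTENSIONS = tlv(0x30, b"".join([
    extension("2.16.840.1.113730.1.13", tlv(0x16, b"first comment")),
    extension("2.16.840.1.113730.1.13", tlv(0x16, b"second comment")),
    extension("1.2.3.4", tlv(0x0C, "caf\u00e9".encode("utf-8"))),
    extension("1.2.3.5", tlv(0x04, b"\x00\x01\x02"), critical=True),
]))


def ext_lookup(extensions_der, name_or_oid, index=0):
    """Return (value, length) for the index-th (0-based) match, or (None, 0).

    The raw fallback returns the extnValue contents, which are DER and so
    start with the tag and length octets; `length` mirrors *len in bytes.
    """
    oid = KNOWN_NAMES.get(name_or_oid, name_or_oid)
    if not all(part.isdigit() for part in oid.split(".")):
        return None, 0                    # the OBJ_txt2obj() failure case
    tag, body, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("not an Extensions SEQUENCE")
    pos, seen = 0, 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_body, p = read_tlv(ext, 0)
        if decode_oid(oid_body) != oid:
            continue
        t, field, p = read_tlv(ext, p)
        if t == 0x01:                     # skip the optional critical BOOLEAN
            _, field, p = read_tlv(ext, p)
        if seen < index:                  # 0 -> first match, 1 -> second, ...
            seen += 1
            continue
        vtag, vbody, _ = read_tlv(field, 0)
        if vtag in STRING_TAGS:
            return vbody.decode(STRING_TAGS[vtag]), len(vbody)
        return field, len(field)          # raw fallback, ASN.1 header included
    return None, 0


if __name__ == "__main__":
    for query in (("nsComment", 0), ("nsComment", 1), ("nsComment", 2),
                  ("1.2.3.4", 0), ("1.2.3.5", 0), ("subjectAltName", 0)):
        print(query, "->", ext_lookup(SAMPLE_EXTENSIONS, *query))
```

The opaque 1.2.3.5 lookup is the case the message calls a "plain return of the data": what comes back is `04 03 00 01 02`, the OCTET STRING header plus the three payload bytes, which is what a C caller copying `ext->value->data` would also see, so the length really is needed and the bytes are not a C string.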