You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by jo...@apache.org on 2005/02/15 13:39:49 UTC

svn commit: r153933 - in httpd/httpd/trunk: CHANGES modules/ssl/mod_ssl.h modules/ssl/ssl_engine_vars.c modules/ssl/ssl_private.h

Author: jorton
Date: Tue Feb 15 04:39:45 2005
New Revision: 153933

URL: http://svn.apache.org/viewcvs?view=rev&rev=153933
Log:
* modules/ssl/mod_ssl.h: Add ssl_ext_lookup optional hook declaration.

* modules/ssl/ssl_engine_vars.c (ssl_ext_lookup): New function.
(ssl_var_register): Register optional function.

* modules/ssl/ssl_private.h (ssl_ext_lookup): Add prototype.

Submitted by: David Reid, Joe Orton

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/ssl/mod_ssl.h
    httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
    httpd/httpd/trunk/modules/ssl/ssl_private.h

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/CHANGES?view=diff&r1=153932&r2=153933
==============================================================================
--- httpd/httpd/trunk/CHANGES (original)
+++ httpd/httpd/trunk/CHANGES Tue Feb 15 04:39:45 2005
@@ -2,6 +2,9 @@
 
   [Remove entries to the current 2.0 section below, when backported]
 
+  *) mod_ssl: Add ssl_ext_lookup optional function for accessing
+     certificate extensions.   [David Reid, Joe Orton]
+
   *) Add support for use of an external PCRE library; pass the
      --with-pcre flag to configure.  PR 27550.  [Joe Orton,
      Andres Salomon <dilinger voxel.net>]

Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.h
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/ssl/mod_ssl.h?view=diff&r1=153932&r2=153933
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.h (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.h Tue Feb 15 04:39:45 2005
@@ -27,6 +27,16 @@
                          conn_rec *, request_rec *,
                          char *));
 
+/* The ssl_ext_lookup() optional function retrieves the value of a SSL
+ * certificate X.509 extension.  The client certificate is used if
+ * peer is non-zero; the server certificate is used otherwise.  The
+ * oidnum parameter specifies the numeric OID (e.g. "1.2.3.4") of the
+ * desired extension.  The string value of the extension is returned,
+ * or NULL on error. */
+APR_DECLARE_OPTIONAL_FN(const char *, ssl_ext_lookup,
+                        (apr_pool_t *p, conn_rec *c, int peer,
+                         const char *oidnum));
+
 /* An optional function which returns non-zero if the given connection
  * is using SSL/TLS. */
 APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?view=diff&r1=153932&r2=153933
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c Tue Feb 15 04:39:45 2005
@@ -61,6 +61,7 @@
 {
     APR_REGISTER_OPTIONAL_FN(ssl_is_https);
     APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+    APR_REGISTER_OPTIONAL_FN(ssl_ext_lookup);
     return;
 }
 
@@ -652,6 +653,61 @@
                 *cp2 = NUL;
         }
     }
+    return result;
+}
+
+const char *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer,
+                           const char *oidnum)
+{
+    SSLConnRec *sslconn = myConnConfig(c);
+    SSL *ssl;
+    X509 *xs = NULL;
+    ASN1_OBJECT *oid;
+    int count = 0, j;
+    char *result = NULL;
+    
+    if (!sslconn || !sslconn->ssl) {
+        return NULL;
+    }
+    ssl = sslconn->ssl;
+
+    oid = OBJ_txt2obj(oidnum, 1);
+    if (!oid) {
+        ERR_clear_error();
+        return NULL;
+    }
+
+    xs = peer ? SSL_get_peer_certificate(ssl) : SSL_get_certificate(ssl);
+    if (xs == NULL) {
+        return NULL;
+    }
+    
+    count = X509_get_ext_count(xs);
+
+    for (j = 0; j < count; j++) {
+        X509_EXTENSION *ext = X509_get_ext(xs, j);
+
+        if (OBJ_cmp(ext->object, oid) == 0) {
+            BIO *bio = BIO_new(BIO_s_mem());
+
+            if (X509V3_EXT_print(bio, ext, 0, 0) == 1) {
+                BUF_MEM *buf;
+
+                BIO_get_mem_ptr(bio, &buf);
+                result = apr_pstrmemdup(p, buf->data, buf->length);
+            }
+
+            BIO_vfree(bio);
+            break;
+        }
+    }
+
+    if (peer) {
+        /* only SSL_get_peer_certificate raises the refcount */
+        X509_free(xs);
+    }
+
+    ERR_clear_error();
     return result;
 }
 

Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/ssl/ssl_private.h?view=diff&r1=153932&r2=153933
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Tue Feb 15 04:39:45 2005
@@ -641,6 +641,8 @@
 /*  Variables  */
 void         ssl_var_register(void);
 char        *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
+const char  *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer, const char *oid);
+
 void         ssl_var_log_config_register(apr_pool_t *p);
 
 #define APR_SHM_MAXSIZE (64 * 1024 * 1024)