move c->notes.ssl::client::dn to SSLConnRec.client_dn
PR: Obtained from: Submitted by: Reviewed by: git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92094 13f79535-47bb-0310-9956-ffa450edef68
@@ -288,7 +288,6 @@ static int ssl_hook_pre_connection(conn_rec *c)
|
|||||||
/*
|
/*
|
||||||
* Predefine some client verification results
|
* Predefine some client verification results
|
||||||
*/
|
*/
|
||||||
apr_table_setn(c->notes, "ssl::client::dn", NULL);
|
|
||||||
apr_table_setn(c->notes, "ssl::verify::error", NULL);
|
apr_table_setn(c->notes, "ssl::verify::error", NULL);
|
||||||
apr_table_setn(c->notes, "ssl::verify::info", NULL);
|
apr_table_setn(c->notes, "ssl::verify::info", NULL);
|
||||||
SSL_set_verify_result(ssl, X509_V_OK);
|
SSL_set_verify_result(ssl, X509_V_OK);
|
||||||
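Review bot: The removed `apr_table_setn(c->notes, "ssl::client::dn", NULL)` gets no counterpart, so the new `client_dn` field is not explicitly reset in ssl_hook_pre_connection while the sibling `ssl::verify::error` and `ssl::verify::info` notes still are. Whether that is safe depends on how SSLConnRec is allocated, which this page does not show: if it is not zero-filled, the `sslconn->client_dn == NULL` test later in ssl_hook_process_connection reads an uninitialised pointer. Adding `sslconn->client_dn = NULL;` next to the remaining resets (with `sslconn` obtained via `myConnConfig(c)` as the other hooks in this commit do) keeps the field's lifecycle explicit either way. ssl_hook_pre_connection continues outside the hunk.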
@@ -339,6 +338,7 @@ int ssl_hook_process_connection(SSLFilterRec *pRec)
|
|||||||
X509 *xs;
|
X509 *xs;
|
||||||
char *cp = NULL;
|
char *cp = NULL;
|
||||||
conn_rec *c = (conn_rec*)SSL_get_app_data (pRec->pssl);
|
conn_rec *c = (conn_rec*)SSL_get_app_data (pRec->pssl);
|
||||||
|
SSLConnRec *sslconn = myConnConfig(c);
|
||||||
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
|
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
|
||||||
long verify_result;
|
long verify_result;
|
||||||
|
|
||||||
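Review bot: `sslconn` from `myConnConfig(c)` is dereferenced later in this function (the `sslconn->client_dn` store and the `sslconn->client_dn == NULL` test in the next two hunks) with no NULL check, whereas the `c->notes` table it replaces is always present on a conn_rec. If myConnConfig can return NULL for a connection that carries no per-connection SSL config, which cannot be told from this page, the hook now faults where it previously just saw an absent note; `if (!sslconn) return ssl_abort(pRec, c);` or an equivalent guard after the lookup would close that. The same unchecked lookup is added to ssl_hook_CloseConnection and ssl_callback_SSLVerify further down in this commit. ssl_hook_process_connection continues outside the hunk.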
@@ -447,7 +447,7 @@ int ssl_hook_process_connection(SSLFilterRec *pRec)
|
|||||||
*/
|
*/
|
||||||
if ((xs = SSL_get_peer_certificate(pRec->pssl)) != NULL) {
|
if ((xs = SSL_get_peer_certificate(pRec->pssl)) != NULL) {
|
||||||
cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0);
|
cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0);
|
||||||
apr_table_setn(c->notes,"ssl::client::dn",apr_pstrdup(c->pool, cp));
|
sslconn->client_dn = apr_pstrdup(c->pool, cp);
|
||||||
free(cp);
|
free(cp);
|
||||||
}
|
}
|
||||||
|
|
||||||
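Review bot: When `SSL_get_peer_certificate` returns NULL the new `sslconn->client_dn` store is skipped and the field keeps whatever it held before, and the same shape recurs in the ssl_hook_Access hunk below, where the store follows a renegotiation; there a DN captured on an earlier handshake would survive a later one on which the client presented no certificate, unless something outside these hunks clears it. An `else { sslconn->client_dn = NULL; }` in both places makes the field reflect the current handshake only. Separately, the `xs` returned by `SSL_get_peer_certificate` is a new reference that this block never releases with `X509_free`; that leak predates the commit but is worth fixing while the block is being touched.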
@@ -456,7 +456,7 @@ int ssl_hook_process_connection(SSLFilterRec *pRec)
|
|||||||
* is required we really got one... (be paranoid)
|
* is required we really got one... (be paranoid)
|
||||||
*/
|
*/
|
||||||
if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE
|
if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE
|
||||||
&& apr_table_get(c->notes, "ssl::client::dn") == NULL) {
|
&& sslconn->client_dn == NULL) {
|
||||||
ssl_log(c->base_server, SSL_LOG_ERROR,
|
ssl_log(c->base_server, SSL_LOG_ERROR,
|
||||||
"No acceptable peer certificate available");
|
"No acceptable peer certificate available");
|
||||||
return ssl_abort(pRec, c);
|
return ssl_abort(pRec, c);
|
||||||
|
@@ -452,6 +452,7 @@ typedef struct {
|
|||||||
|
|
||||||
typedef struct {
|
typedef struct {
|
||||||
SSL *ssl;
|
SSL *ssl;
|
||||||
|
const char *client_dn;
|
||||||
} SSLConnRec;
|
} SSLConnRec;
|
||||||
|
|
||||||
typedef struct {
|
typedef struct {
|
||||||
|
@@ -75,6 +75,7 @@ apr_status_t ssl_hook_CloseConnection(SSLFilterRec *filter)
|
|||||||
SSL *ssl;
|
SSL *ssl;
|
||||||
char *cpType;
|
char *cpType;
|
||||||
conn_rec *conn;
|
conn_rec *conn;
|
||||||
|
SSLConnRec *sslconn;
|
||||||
|
|
||||||
ssl = filter->pssl;
|
ssl = filter->pssl;
|
||||||
conn = (conn_rec *)SSL_get_app_data(ssl);
|
conn = (conn_rec *)SSL_get_app_data(ssl);
|
||||||
@@ -82,6 +83,8 @@ apr_status_t ssl_hook_CloseConnection(SSLFilterRec *filter)
|
|||||||
if (ssl == NULL)
|
if (ssl == NULL)
|
||||||
return APR_SUCCESS;
|
return APR_SUCCESS;
|
||||||
|
|
||||||
|
sslconn = myConnConfig(conn);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Now close the SSL layer of the connection. We've to take
|
* Now close the SSL layer of the connection. We've to take
|
||||||
* the TLSv1 standard into account here:
|
* the TLSv1 standard into account here:
|
||||||
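Review bot: `sslconn` is declared in the previous hunk and assigned here from `myConnConfig(conn)`, but no use of it appears in either hunk of ssl_hook_CloseConnection; if nothing later in the function (outside what is shown) reads it, the assignment is dead and the compiler will warn about an unused variable. If a later use exists, it is worth keeping the lookup next to that use rather than at the top, so the dependency is visible. As with the other hooks in this commit, the result is not checked for NULL before use. ssl_hook_CloseConnection continues outside the hunk.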
@@ -775,8 +778,7 @@ int ssl_hook_Access(request_rec *r)
|
|||||||
*/
|
*/
|
||||||
if ((cert = SSL_get_peer_certificate(ssl)) != NULL) {
|
if ((cert = SSL_get_peer_certificate(ssl)) != NULL) {
|
||||||
cp = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
|
cp = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
|
||||||
apr_table_setn(r->connection->notes, "ssl::client::dn",
|
sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
|
||||||
apr_pstrdup(r->connection->pool, cp));
|
|
||||||
free(cp);
|
free(cp);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -919,7 +921,7 @@ int ssl_hook_UserCheck(request_rec *r)
|
|||||||
return DECLINED;
|
return DECLINED;
|
||||||
if (r->user)
|
if (r->user)
|
||||||
return DECLINED;
|
return DECLINED;
|
||||||
if ((clientdn = (char *)apr_table_get(r->connection->notes, "ssl::client::dn")) == NULL)
|
if ((clientdn = (char *)sslconn->client_dn) == NULL)
|
||||||
return DECLINED;
|
return DECLINED;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
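Review bot: `(char *)sslconn->client_dn` casts away the `const` the struct now declares on the field, so a caller that writes through `clientdn` would be modifying a pool string that other hooks rely on; the old table-based code had the same cast, but the move to a typed field is the moment to drop it. If `clientdn` only feeds comparisons or a `const`-accepting sink, declaring it `const char *clientdn` and writing `if ((clientdn = sslconn->client_dn) == NULL)` removes the cast; if it is assigned to `r->user`, an `apr_pstrdup` at that point is the cleaner way to obtain a writable copy. The declaration of `clientdn` and of `sslconn` itself lie outside the hunk, so I cannot confirm either here. ssl_hook_UserCheck continues outside the hunk.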
@@ -1200,6 +1202,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
|
|||||||
request_rec *r;
|
request_rec *r;
|
||||||
SSLSrvConfigRec *sc;
|
SSLSrvConfigRec *sc;
|
||||||
SSLDirConfigRec *dc;
|
SSLDirConfigRec *dc;
|
||||||
|
SSLConnRec *sslconn;
|
||||||
apr_table_t *actx;
|
apr_table_t *actx;
|
||||||
X509 *xs;
|
X509 *xs;
|
||||||
int errnum;
|
int errnum;
|
||||||
@@ -1214,6 +1217,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
|
|||||||
*/
|
*/
|
||||||
ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx);
|
ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx);
|
||||||
conn = (conn_rec *)SSL_get_app_data(ssl);
|
conn = (conn_rec *)SSL_get_app_data(ssl);
|
||||||
|
sslconn = myConnConfig(conn);
|
||||||
actx = (apr_table_t *)SSL_get_app_data2(ssl);
|
actx = (apr_table_t *)SSL_get_app_data2(ssl);
|
||||||
r = (request_rec *)apr_table_get(actx, "ssl::request_rec");
|
r = (request_rec *)apr_table_get(actx, "ssl::request_rec");
|
||||||
s = conn->base_server;
|
s = conn->base_server;
|
||||||
@@ -1273,7 +1277,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
|
|||||||
if (!ok) {
|
if (!ok) {
|
||||||
ssl_log(s, SSL_LOG_ERROR, "Certificate Verification: Error (%d): %s",
|
ssl_log(s, SSL_LOG_ERROR, "Certificate Verification: Error (%d): %s",
|
||||||
errnum, X509_verify_cert_error_string(errnum));
|
errnum, X509_verify_cert_error_string(errnum));
|
||||||
apr_table_setn(conn->notes, "ssl::client::dn", NULL);
|
sslconn->client_dn = NULL;
|
||||||
apr_table_setn(conn->notes, "ssl::verify::error",
|
apr_table_setn(conn->notes, "ssl::verify::error",
|
||||||
(void *)X509_verify_cert_error_string(errnum));
|
(void *)X509_verify_cert_error_string(errnum));
|
||||||
}
|
}
|
||||||
|
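Review bot: Clearing `sslconn->client_dn` in the `!ok` branch only holds if nothing writes the field afterwards, yet ssl_hook_process_connection (earlier hunk) assigns it unconditionally whenever `SSL_get_peer_certificate` yields a certificate once the handshake is done. If a handshake can complete after this callback has reported an error, for instance when the callback returns ok for an optional verification mode, which is decided outside this hunk, the DN of an unverified certificate would end up in `client_dn`. Either guard that later store on the verify result or document here that the reset relies on the handshake being aborted. The same ordering existed with the notes table, so this is not a regression introduced by the move, but consolidating the state into one field is the right time to pin it down.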