Improve mod_ssl's environment variable extraction to correctly handle

DNs with duplicate tags: * modules/ssl/ssl_engine_vars.c: Augment the ssl_var_lookup_ssl_cert_dn_rec table with a flag to indicate whether RDNs of the given NID should be extracted to the environment. (extract_dn, modssl_var_extract_dns): New functions. * modules/ssl/ssl_private.h (modssl_var_extract_dns): Add prototype. * modules/ssl/ssl_engine_kernel.c: Remove SSL_*_DN_ from the list of variables to insert into the environment. (ssl_hook_Fixup): Use modssl_var_extract_dns to insert the SSL_*_DN_ variables efficiently and accurately, handling certs with duplicate RDN tags correctly. PR: 45875 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@724717 13f79535-47bb-0310-9956-ffa450edef68
2025-08-07 04:02:58 +03:00 · 2008-12-09 14:41:21 +00:00
parent dce91079c1
commit 778a79de65
4 changed files with 118 additions and 71 deletions
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1012,68 +1012,12 @@ static const char *ssl_hook_Fixup_vars[] = {
    "SSL_CLIENT_V_START",
    "SSL_CLIENT_V_END",
    "SSL_CLIENT_V_REMAIN",
-    "SSL_CLIENT_S_DN",
-    "SSL_CLIENT_S_DN_C",
-    "SSL_CLIENT_S_DN_ST",
-    "SSL_CLIENT_S_DN_L",
-    "SSL_CLIENT_S_DN_O",
-    "SSL_CLIENT_S_DN_OU",
-    "SSL_CLIENT_S_DN_CN",
-    "SSL_CLIENT_S_DN_T",
-    "SSL_CLIENT_S_DN_I",
-    "SSL_CLIENT_S_DN_G",
-    "SSL_CLIENT_S_DN_S",
-    "SSL_CLIENT_S_DN_D",
-    "SSL_CLIENT_S_DN_UID",
-    "SSL_CLIENT_S_DN_Email",
-    "SSL_CLIENT_I_DN",
-    "SSL_CLIENT_I_DN_C",
-    "SSL_CLIENT_I_DN_ST",
-    "SSL_CLIENT_I_DN_L",
-    "SSL_CLIENT_I_DN_O",
-    "SSL_CLIENT_I_DN_OU",
-    "SSL_CLIENT_I_DN_CN",
-    "SSL_CLIENT_I_DN_T",
-    "SSL_CLIENT_I_DN_I",
-    "SSL_CLIENT_I_DN_G",
-    "SSL_CLIENT_I_DN_S",
-    "SSL_CLIENT_I_DN_D",
-    "SSL_CLIENT_I_DN_UID",
-    "SSL_CLIENT_I_DN_Email",
    "SSL_CLIENT_A_KEY",
    "SSL_CLIENT_A_SIG",
    "SSL_SERVER_M_VERSION",
    "SSL_SERVER_M_SERIAL",
    "SSL_SERVER_V_START",
    "SSL_SERVER_V_END",
-    "SSL_SERVER_S_DN",
-    "SSL_SERVER_S_DN_C",
-    "SSL_SERVER_S_DN_ST",
-    "SSL_SERVER_S_DN_L",
-    "SSL_SERVER_S_DN_O",
-    "SSL_SERVER_S_DN_OU",
-    "SSL_SERVER_S_DN_CN",
-    "SSL_SERVER_S_DN_T",
-    "SSL_SERVER_S_DN_I",
-    "SSL_SERVER_S_DN_G",
-    "SSL_SERVER_S_DN_S",
-    "SSL_SERVER_S_DN_D",
-    "SSL_SERVER_S_DN_UID",
-    "SSL_SERVER_S_DN_Email",
-    "SSL_SERVER_I_DN",
-    "SSL_SERVER_I_DN_C",
-    "SSL_SERVER_I_DN_ST",
-    "SSL_SERVER_I_DN_L",
-    "SSL_SERVER_I_DN_O",
-    "SSL_SERVER_I_DN_OU",
-    "SSL_SERVER_I_DN_CN",
-    "SSL_SERVER_I_DN_T",
-    "SSL_SERVER_I_DN_I",
-    "SSL_SERVER_I_DN_G",
-    "SSL_SERVER_I_DN_S",
-    "SSL_SERVER_I_DN_D",
-    "SSL_SERVER_I_DN_UID",
-    "SSL_SERVER_I_DN_Email",
    "SSL_SERVER_A_KEY",
    "SSL_SERVER_A_SIG",
    "SSL_SESSION_ID",
@@ -1125,6 +1069,8 @@ int ssl_hook_Fixup(request_rec *r)

    /* standard SSL environment variables */
    if (dc->nOptions & SSL_OPT_STDENVVARS) {
+        modssl_var_extract_dns(env, sslconn->ssl, r->pool);
+
        for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
            var = (char *)ssl_hook_Fixup_vars[i];
            val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);