www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-05 16:55:50 +03:00
Code Activity

the client cert X509_NAME_oneline() is only used if SSLFakeBasicAuth

Browse Source 
is happening.  so avoid calling that unless needed and just stash a
pointer to the client cert for the boolean checks that the client
provided a cert.
PR:
Obtained from:
Submitted by:
Reviewed by:


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92240 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Doug MacEachern
2001-11-29 07:07:36 +00:00
parent 398bb6bde9
commit d06327e27b
3 changed files with 17 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
modules/ssl/mod_ssl.c
View File

@@ -422,9 +422,8 @@ int ssl_hook_process_connection(SSLFilterRec *pRec)
* Remember the peer certificate's DN * Remember the peer certificate's DN
*/ */
if ((xs = SSL_get_peer_certificate(pRec->pssl)) != NULL) { if ((xs = SSL_get_peer_certificate(pRec->pssl)) != NULL) {
char *cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0); sslconn->client_cert = xs;
sslconn->client_dn = apr_pstrdup(c->pool, cp); sslconn->client_dn = NULL;
free(cp);
} }
/* /*
@@ -432,7 +431,7 @@ int ssl_hook_process_connection(SSLFilterRec *pRec)
* is required we really got one... (be paranoid) * is required we really got one... (be paranoid)
*/ */
if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE
&& sslconn->client_dn == NULL) { && sslconn->client_cert == NULL) {
ssl_log(c->base_server, SSL_LOG_ERROR, ssl_log(c->base_server, SSL_LOG_ERROR,
"No acceptable peer certificate available"); "No acceptable peer certificate available");
return ssl_abort(pRec, c); return ssl_abort(pRec, c);

1
modules/ssl/mod_ssl.h
View File

@@ -455,6 +455,7 @@ typedef enum {
typedef struct { typedef struct {
SSL *ssl; SSL *ssl;
const char *client_dn; const char *client_dn;
X509 *client_cert;
ssl_shutdown_type_e shutdown_type; ssl_shutdown_type_e shutdown_type;
const char *verify_info; const char *verify_info;
const char *verify_error; const char *verify_error;

18
modules/ssl/ssl_engine_kernel.c
View File

@@ -804,9 +804,8 @@ int ssl_hook_Access(request_rec *r)
* Remember the peer certificate's DN * Remember the peer certificate's DN
*/ */
if ((cert = SSL_get_peer_certificate(ssl)) != NULL) { if ((cert = SSL_get_peer_certificate(ssl)) != NULL) {
cp = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0); sslconn->client_cert = cert;
sslconn->client_dn = apr_pstrdup(r->connection->pool, cp); sslconn->client_dn = NULL;
free(cp);
} }
/* /*
@@ -948,9 +947,18 @@ int ssl_hook_UserCheck(request_rec *r)
return DECLINED; return DECLINED;
if (r->user) if (r->user)
return DECLINED; return DECLINED;
if ((clientdn = (char *)sslconn->client_dn) == NULL) if (sslconn->client_cert == NULL)
return DECLINED; return DECLINED;
if (!sslconn->client_dn) {
X509_NAME *name = X509_get_subject_name(sslconn->client_cert);
char *cp = X509_NAME_oneline(name, NULL, 0);
sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
free(cp);
}
clientdn = (char *)sslconn->client_dn;
/* /*
* Fake a password - which one would be immaterial, as, it seems, an empty * Fake a password - which one would be immaterial, as, it seems, an empty
* password in the users file would match ALL incoming passwords, if only * password in the users file would match ALL incoming passwords, if only
@@ -1304,7 +1312,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
if (!ok) { if (!ok) {
ssl_log(s, SSL_LOG_ERROR, "Certificate Verification: Error (%d): %s", ssl_log(s, SSL_LOG_ERROR, "Certificate Verification: Error (%d): %s",
errnum, X509_verify_cert_error_string(errnum)); errnum, X509_verify_cert_error_string(errnum));
sslconn->client_dn = NULL; sslconn->client_cert = sslconn->client_dn = NULL;
sslconn->verify_error = sslconn->verify_error =
X509_verify_cert_error_string(errnum); X509_verify_cert_error_string(errnum);
} }