the client cert X509_NAME_oneline() is only used if SSLFakeBasicAuth
authorDoug MacEachern <dougm@apache.org>
Thu, 29 Nov 2001 07:07:36 +0000 (07:07 +0000)
committerDoug MacEachern <dougm@apache.org>
Thu, 29 Nov 2001 07:07:36 +0000 (07:07 +0000)
is happening.  so avoid calling that unless needed and just stash a
pointer to the client cert for the boolean checks that the client
provided a cert.
PR:
Obtained from:
Submitted by:
Reviewed by:

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92240 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/mod_ssl.c
modules/ssl/mod_ssl.h
modules/ssl/ssl_engine_kernel.c

index 621a3439f90e83d909d173fb926fab703c573b54..71a81e26e70c7e90dc5ac350f4b50c8d292f5ee4 100644 (file)
@@ -422,9 +422,8 @@ int ssl_hook_process_connection(SSLFilterRec *pRec)
          * Remember the peer certificate's DN
          */
         if ((xs = SSL_get_peer_certificate(pRec->pssl)) != NULL) {
-            char *cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0);
-            sslconn->client_dn = apr_pstrdup(c->pool, cp);
-            free(cp);
+            sslconn->client_cert = xs;
+            sslconn->client_dn = NULL;
         }
 
         /*
@@ -432,7 +431,7 @@ int ssl_hook_process_connection(SSLFilterRec *pRec)
          * is required we really got one... (be paranoid)
          */
         if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE
-            && sslconn->client_dn == NULL) {
+            && sslconn->client_cert == NULL) {
             ssl_log(c->base_server, SSL_LOG_ERROR,
                     "No acceptable peer certificate available");
             return ssl_abort(pRec, c);
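Review bot: The reference stored by `sslconn->client_cert = xs;` is never released in this hunk: SSL_get_peer_certificate() returns the certificate with its reference count incremented, so the caller owns that reference and must X509_free() it. Before this change the pointer was only used locally (whether it was freed further down is outside the hunk), but now it is kept for the lifetime of the connection, so a cleanup registered on c->pool that calls X509_free() on sslconn->client_cert is needed unless one already exists outside the visible lines. The same issue recurs in ssl_engine_kernel.c: `sslconn->client_cert = cert;` in ssl_hook_Access overwrites a pointer that may already hold a reference from the initial handshake, and `sslconn->client_cert = sslconn->client_dn = NULL;` in ssl_callback_SSLVerify drops one without freeing it; both paths should X509_free() the old value first. ssl_hook_process_connection continues outside this hunk.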
index 325cc164616a05db0d060b869460052f6f3a24b0..699848279e430cdf450c1ce3e4ebe08fa6523277 100644 (file)
@@ -455,6 +455,7 @@ typedef enum {
 typedef struct {
     SSL *ssl;
     const char *client_dn;
+    X509 *client_cert;
     ssl_shutdown_type_e shutdown_type;
     const char *verify_info;
     const char *verify_error;
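Review bot: The new `client_cert` field carries two invariants that the other hunks rely on but that the struct does not state: the pointer is a counted reference obtained from SSL_get_peer_certificate(), and `client_dn` is now a lazily derived cache that every writer of `client_cert` resets to NULL. A field comment would keep the next writer honest, for example `X509 *client_cert; /* peer cert, ref from SSL_get_peer_certificate(); client_dn is derived from it lazily — reset client_dn whenever this changes */`. Who releases the reference is not visible on this page; if that is settled elsewhere, name it in the same comment.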
index e96bd84cc2bfa2c12371c4dd9c4a943d687478c0..fe72904f7066db8ff82c325057995744eaff0ebe 100644 (file)
@@ -804,9 +804,8 @@ int ssl_hook_Access(request_rec *r)
          * Remember the peer certificate's DN
          */
         if ((cert = SSL_get_peer_certificate(ssl)) != NULL) {
-            cp = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
-            sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
-            free(cp);
+            sslconn->client_cert = cert;
+            sslconn->client_dn = NULL;
         }
 
         /*
@@ -948,9 +947,18 @@ int ssl_hook_UserCheck(request_rec *r)
         return DECLINED;
     if (r->user)
         return DECLINED;
-    if ((clientdn = (char *)sslconn->client_dn) == NULL)
+    if (sslconn->client_cert == NULL)
         return DECLINED;
 
+    if (!sslconn->client_dn) {
+        X509_NAME *name = X509_get_subject_name(sslconn->client_cert);
+        char *cp = X509_NAME_oneline(name, NULL, 0);
+        sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
+        free(cp);
+    }
+
+    clientdn = (char *)sslconn->client_dn;
+
     /*
      * Fake a password - which one would be immaterial, as, it seems, an empty
      * password in the users file would match ALL incoming passwords, if only
@@ -1304,7 +1312,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
     if (!ok) {
         ssl_log(s, SSL_LOG_ERROR, "Certificate Verification: Error (%d): %s",
                 errnum, X509_verify_cert_error_string(errnum));
-        sslconn->client_dn = NULL;
+        sslconn->client_cert = sslconn->client_dn = NULL;
         sslconn->verify_error = 
             X509_verify_cert_error_string(errnum);
     }
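Review bot: In the ssl_hook_UserCheck hunk, `clientdn` can still be NULL after the lazy block: X509_NAME_oneline() returns NULL on allocation failure, apr_pstrdup() passes a NULL through, and the old `(clientdn = (char *)sslconn->client_dn) == NULL` check that used to decline in that case is gone, so the fake-password code below would run with a NULL DN. Restoring the guard after the assignment, `if (!clientdn) return DECLINED;`, keeps the previous behaviour. Separately, the buffer returned by X509_NAME_oneline(name, NULL, 0) is allocated by OpenSSL and is more safely released with OPENSSL_free() than plain free(), though that carries over from the removed lines rather than being new here. ssl_hook_UserCheck starts and ends outside the hunk.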