From ac259b2187b81631f51372e959de3c8e9c58e199 Mon Sep 17 00:00:00 2001
From: Doug MacEachern
Date: Wed, 21 Nov 2001 22:29:14 +0000
Subject: [PATCH] move c->notes.ssl::verify::{info,error} to SSLConnRec.verify_{info,error}
PR:
Obtained from:
Submitted by:
Reviewed by:
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92109 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/mod_ssl.c | 16 +++++-----------
 modules/ssl/mod_ssl.h | 2 ++
 modules/ssl/ssl_engine_kernel.c | 10 +++++-----
 modules/ssl/ssl_engine_vars.c | 10 +++++-----
 4 files changed, 17 insertions(+), 21 deletions(-)
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 2ed5962187..3977c73b08 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -285,11 +285,6 @@ static int ssl_hook_pre_connection(conn_rec *c)
 SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
 SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH);
- /* * Predefine some client verification results */
- apr_table_setn(c->notes, "ssl::verify::error", NULL);
- apr_table_setn(c->notes, "ssl::verify::info", NULL);
 SSL_set_verify_result(ssl, X509_V_OK);
 /*
@@ -336,7 +331,6 @@ int ssl_hook_process_connection(SSLFilterRec *pRec)
 {
 int n, err;
 X509 *xs;
- char *cp = NULL;
 conn_rec *c = (conn_rec*)SSL_get_app_data (pRec->pssl);
 SSLConnRec *sslconn = myConnConfig(c);
 SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
@@ -412,8 +406,7 @@ int ssl_hook_process_connection(SSLFilterRec *pRec)
 verify_result = SSL_get_verify_result(pRec->pssl);
 if (verify_result != X509_V_OK ||
- ((cp = (char *)apr_table_get(c->notes,
- "ssl::verify::error")) != NULL))
+ sslconn->verify_error != NULL)
 {
 if (ssl_verify_error_is_optional(verify_result) &&
 (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA))
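Review bot: The removed apr_table_setn() calls were the only explicit reset of the verification results, and this hunk does not set the replacement fields sslconn->verify_error / sslconn->verify_info to NULL; unless the SSLConnRec for this connection is zero-allocated (not visible here), the new `sslconn->verify_error != NULL` test in ssl_hook_process_connection reads an indeterminate pointer and can reject or mis-log a handshake. Suggest keeping the predefinition next to the verify-result reset: `sslconn->verify_error = NULL;` and `sslconn->verify_info = NULL;` (sslconn obtained via myConnConfig(c), as the other hunks do). Since the verify callback only ever sets these fields and nothing in the patch clears them, a stale error from an earlier handshake on the same connection would also survive a later renegotiation, so clearing them wherever a new handshake is started would close that as well. ssl_hook_pre_connection starts before this hunk.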
@@ -433,11 +426,12 @@ int ssl_hook_process_connection(SSLFilterRec *pRec)
 }
 else {
- const char *verror =
+ const char *error = sslconn->verify_error ?
+ sslconn->verify_error :
 X509_verify_cert_error_string(verify_result);
 ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
 "SSL client authentication failed: %s",
- cp ? cp : verror ? verror : "unknown");
+ error ? error : "unknown");
 return ssl_abort(pRec, c);
 }
 }
@@ -446,7 +440,7 @@ int ssl_hook_process_connection(SSLFilterRec *pRec)
 * Remember the peer certificate's DN
 */
 if ((xs = SSL_get_peer_certificate(pRec->pssl)) != NULL) {
- cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0);
+ char *cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0);
 sslconn->client_dn = apr_pstrdup(c->pool, cp);
 free(cp);
 }
diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
index 3ff4c7efff..50471a81d1 100644
--- a/modules/ssl/mod_ssl.h
+++ b/modules/ssl/mod_ssl.h
@@ -460,6 +460,8 @@ typedef struct {
 SSL *ssl;
 const char *client_dn;
 ssl_shutdown_type_e shutdown_type;
+ const char *verify_info;
+ const char *verify_error;
 } SSLConnRec;
 typedef struct {
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 234e391569..19c13eb5e2 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1258,7 +1258,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
 ssl_log(s, SSL_LOG_TRACE,
 "Certificate Verification: Verifiable Issuer is configured as "
 "optional, therefore we're accepting the certificate");
- apr_table_setn(conn->notes, "ssl::verify::info", "GENEROUS");
+ sslconn->verify_info = "GENEROUS";
 ok = TRUE;
 }
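Review bot: The new `char *cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0);` receives a buffer allocated by OpenSSL's own allocator, but the following context line releases it with plain `free(cp)`; where OpenSSL is built with a custom CRYPTO_malloc or linked against a different C runtime (Windows builds, for instance) that is a mismatched free. `OPENSSL_free(cp);` is the matching call. SSL_get_peer_certificate() also hands back a reference on xs; whether it is released with X509_free() after this block is outside the hunk, and if it is not, each client-authenticated handshake would leak an X509. ssl_hook_process_connection continues past the end of this hunk.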
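Review bot: The two new SSLConnRec members are undocumented, and their contract (who sets them, what NULL means, and that they hold pointers to a string literal or an OpenSSL error-string table entry rather than pool-allocated copies) is only discoverable by reading ssl_callback_SSLVerify. Suggest a comment above the fields: `/* Result of the last client-cert verification (set by ssl_callback_SSLVerify): verify_error is the OpenSSL error string, NULL when no error; verify_info is "GENEROUS" when an optional-CA failure was accepted. Both point at static storage -- never free. */`. Saying explicitly that they must be reset to NULL before a new handshake would also guide whoever adds renegotiation support later.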
@@ -1278,8 +1278,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
 ssl_log(s, SSL_LOG_ERROR, "Certificate Verification: Error (%d): %s",
 errnum, X509_verify_cert_error_string(errnum));
 sslconn->client_dn = NULL;
- apr_table_setn(conn->notes, "ssl::verify::error",
- (void *)X509_verify_cert_error_string(errnum));
+ sslconn->verify_error =
+ X509_verify_cert_error_string(errnum);
 }
 /*
@@ -1294,8 +1294,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
 "Certificate Verification: Certificate Chain too long "
 "(chain has %d certificates, but maximum allowed are only %d)",
 errdepth, depth);
- apr_table_setn(conn->notes, "ssl::verify::error",
- (void *)X509_verify_cert_error_string(X509_V_ERR_CERT_CHAIN_TOO_LONG));
+ sslconn->verify_error =
+ X509_verify_cert_error_string(X509_V_ERR_CERT_CHAIN_TOO_LONG);
 ok = FALSE;
 }
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index 7ded33a239..6e2e190166 100644
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -499,15 +499,15 @@ static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c)
 SSLConnRec *sslconn = myConnConfig(c);
 char *result;
 long vrc;
- char *verr;
- char *vinfo;
+ const char *verr;
+ const char *vinfo;
 SSL *ssl;
 X509 *xs;
 result = NULL;
 ssl = sslconn->ssl;
- verr = (char *)apr_table_get(c->notes, "ssl::verify::error");
- vinfo = (char *)apr_table_get(c->notes, "ssl::verify::info");
+ verr = sslconn->verify_error;
+ vinfo = sslconn->verify_info;
 vrc = SSL_get_verify_result(ssl);
 xs = SSL_get_peer_certificate(ssl);
@@ -649,7 +649,7 @@ static const char *ssl_var_log_handler_c(request_rec *r, char *a)
 else if (strEQ(a, "errcode"))
 result = "-";
 else if (strEQ(a, "errstr"))
- result = (char *)apr_table_get(r->connection->notes, "ssl::verify::error");
+ result = (char *)sslconn->verify_error;
 if (result != NULL && result[0] == NUL)
 result = NULL;
 return result;
-- 
2.50.1
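Review bot: In the chain-too-long branch the rejection is recorded only in sslconn->verify_error and `ok = FALSE`; nothing in the hunk calls X509_STORE_CTX_set_error(), so unless that happens outside the hunk, SSL_get_verify_result() can still report X509_V_OK for a chain the callback refused, and both the `verify_result != X509_V_OK` half of the check in ssl_hook_process_connection and ssl_var_lookup_ssl_cert_verify (which reads vrc from SSL_get_verify_result()) then depend entirely on the string field. Adding `X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_CHAIN_TOO_LONG);` before `ok = FALSE;` makes the OpenSSL-side result consistent with the reason being logged and stored. ssl_callback_SSLVerify starts and ends outside this hunk.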
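Review bot: `result = (char *)sslconn->verify_error;` casts const away from a field the other hunks fill with a string literal or an OpenSSL error-string table entry, while ssl_var_log_handler_c already returns `const char *`, so the cast exists only to satisfy a `char *result` local; declaring `const char *result;` removes the cast and makes any future write through it a compile error instead of undefined behaviour on read-only storage. sslconn is declared outside this hunk, so its derivation from r->connection cannot be checked here. ssl_var_log_handler_c starts before this hunk.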