From d06327e27b8bd0547f3b20827ab2ebff4cec8cec Mon Sep 17 00:00:00 2001
From: Doug MacEachern
Date: Thu, 29 Nov 2001 07:07:36 +0000
Subject: [PATCH] the client cert X509_NAME_oneline() is only used if SSLFakeBasicAuth is happening. so avoid calling that unless needed and just stash a pointer to the client cert for the boolean checks that the client provided a cert.

PR:
Obtained from:
Submitted by:
Reviewed by:

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92240 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/mod_ssl.c           |  7 +++----
 modules/ssl/mod_ssl.h           |  1 +
 modules/ssl/ssl_engine_kernel.c | 18 +++++++++++++-----
 3 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 621a3439f9..71a81e26e7 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -422,9 +422,8 @@ int ssl_hook_process_connection(SSLFilterRec *pRec)
      * Remember the peer certificate's DN
      */
     if ((xs = SSL_get_peer_certificate(pRec->pssl)) != NULL) {
-        char *cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0);
-        sslconn->client_dn = apr_pstrdup(c->pool, cp);
-        free(cp);
+        sslconn->client_cert = xs;
+        sslconn->client_dn = NULL;
     }
 
     /*
@@ -432,7 +431,7 @@ int ssl_hook_process_connection(SSLFilterRec *pRec)
      * is required we really got one... (be paranoid)
      */
     if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE
-        && sslconn->client_dn == NULL) {
+        && sslconn->client_cert == NULL) {
         ssl_log(c->base_server, SSL_LOG_ERROR,
                 "No acceptable peer certificate available");
         return ssl_abort(pRec, c);
diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
index 325cc16461..699848279e 100644
--- a/modules/ssl/mod_ssl.h
+++ b/modules/ssl/mod_ssl.h
@@ -455,6 +455,7 @@ typedef enum {
 typedef struct {
     SSL *ssl;
     const char *client_dn;
+    X509 *client_cert;
     ssl_shutdown_type_e shutdown_type;
     const char *verify_info;
     const char *verify_error;
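Review bot: The reference returned by `SSL_get_peer_certificate()` is owned by the caller, and after `sslconn->client_cert = xs;` nothing in this hunk releases it, so unless a cleanup outside the hunk calls `X509_free()` the certificate object leaks once per handshake — and if the old code freed `xs` later in the function, the stored pointer now dangles instead. The `ssl_hook_Access` hunk in ssl_engine_kernel.c has the same shape and, being a per-request hook writing into what looks like connection-scoped state (the DN is duplicated into `r->connection->pool`), presumably overwrites `client_cert` on every request of a kept-alive connection without freeing the previous reference; `ssl_callback_SSLVerify` likewise nulls `client_cert` without releasing it. Tie the reference to the connection pool at the point it is stored, as sketched below, and apply the same registration in `ssl_hook_Access`. ssl_hook_process_connection's body continues outside the hunk.
```c
/* Releases the reference taken by SSL_get_peer_certificate() when the
 * connection pool is destroyed. */
static apr_status_t ssl_client_cert_cleanup(void *data)
{
    X509_free((X509 *)data);
    return APR_SUCCESS;
}

    /* … unchanged: ssl_hook_process_connection up to the peer-certificate check … */
    if ((xs = SSL_get_peer_certificate(pRec->pssl)) != NULL) {
        sslconn->client_cert = xs;
        sslconn->client_dn = NULL;
        apr_pool_cleanup_register(c->pool, xs, ssl_client_cert_cleanup,
                                  apr_pool_cleanup_null);
    }
```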
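Review bot: The new `X509 *client_cert;` field carries no comment stating who owns the reference it holds or when it becomes NULL, which matters because the pointer originates from `SSL_get_peer_certificate()` and is read and written from `ssl_hook_process_connection`, `ssl_hook_Access`, `ssl_hook_UserCheck` and `ssl_callback_SSLVerify`. Add `/* peer certificate from SSL_get_peer_certificate(); caller-owned reference, NULL when none was presented or verification failed */` beside it, and since `client_dn` is now filled lazily, annotate it with `/* subject DN of client_cert; computed on first use in ssl_hook_UserCheck */`. The struct definition continues outside the hunk.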
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index e96bd84cc2..fe72904f70 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -804,9 +804,8 @@ int ssl_hook_Access(request_rec *r)
      * Remember the peer certificate's DN
      */
     if ((cert = SSL_get_peer_certificate(ssl)) != NULL) {
-        cp = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
-        sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
-        free(cp);
+        sslconn->client_cert = cert;
+        sslconn->client_dn = NULL;
     }
 
     /*
@@ -948,9 +947,18 @@ int ssl_hook_UserCheck(request_rec *r)
         return DECLINED;
     if (r->user)
         return DECLINED;
-    if ((clientdn = (char *)sslconn->client_dn) == NULL)
+    if (sslconn->client_cert == NULL)
         return DECLINED;
 
+    if (!sslconn->client_dn) {
+        X509_NAME *name = X509_get_subject_name(sslconn->client_cert);
+        char *cp = X509_NAME_oneline(name, NULL, 0);
+        sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
+        free(cp);
+    }
+
+    clientdn = (char *)sslconn->client_dn;
+
     /*
      * Fake a password - which one would be immaterial, as, it seems, an empty
      * password in the users file would match ALL incoming passwords, if only
@@ -1304,7 +1312,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
     if (!ok) {
         ssl_log(s, SSL_LOG_ERROR,
                 "Certificate Verification: Error (%d): %s",
                 errnum, X509_verify_cert_error_string(errnum));
-        sslconn->client_dn = NULL;
+        sslconn->client_cert = sslconn->client_dn = NULL;
         sslconn->verify_error = X509_verify_cert_error_string(errnum);
     }
-- 
2.40.0
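Review bot: The lazy DN computation in `ssl_hook_UserCheck` drops the NULL guard the removed line provided: `X509_NAME_oneline()` returns NULL when it cannot allocate its buffer, `apr_pstrdup()` then yields NULL, and `clientdn` is handed to the fake-basic-auth code below the hunk as a NULL string, where the old `if ((clientdn = (char *)sslconn->client_dn) == NULL) return DECLINED;` would have declined. Keep that guard by adding `if (cp == NULL) return DECLINED;` directly after the `X509_NAME_oneline()` call, or equivalently `if (!clientdn) return DECLINED;` after the assignment. In the `ssl_hook_Access` hunk, `cp` is no longer assigned; if the removed line was its only use, its declaration earlier in the function is now dead and will warn. ssl_hook_UserCheck's body continues on both sides of the hunk.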