
[TLS] use stack for SSL_CLIENT_S_DN_* tag

(reduce use of r->tmp_buf in TLS modules)
master
Glenn Strauss 1 year ago
parent
commit
0ffb8167c1
  1. 11
      src/mod_gnutls.c
  2. 13
      src/mod_mbedtls.c
  3. 10
      src/mod_nss.c
  4. 12
      src/mod_openssl.c
  5. 12
      src/mod_wolfssl.c

11
src/mod_gnutls.c

@ -2667,13 +2667,13 @@ https_add_ssl_client_cert (request_st * const r, const gnutls_x509_crt_t peer)
static void
https_add_ssl_client_subject (request_st * const r, gnutls_x509_dn_t dn)
{
buffer * const tb = r->tmp_buf;
int irdn = 0, i, rc;
gnutls_x509_ava_st ava;
const size_t prelen = sizeof("SSL_CLIENT_S_DN_")-1;
char key[64] = "SSL_CLIENT_S_DN_";
char buf[512]; /*(expecting element value len <= 256)*/
/* add components of client Subject DN */
buffer_copy_string_len(tb, CONST_STR_LEN("SSL_CLIENT_S_DN_"));
/* man gnutls_x509_dn_get_rdn_ava()
* The X.509 distinguished name is a sequence of sequences of strings and
@ -2688,8 +2688,9 @@ https_add_ssl_client_subject (request_st * const r, gnutls_x509_dn_t dn)
const char *name =
gnutls_x509_dn_oid_name((char *)ava.oid.data,
GNUTLS_X509_DN_OID_RETURN_OID);
buffer_string_set_length(tb, sizeof("SSL_CLIENT_S_DN_")-1);
buffer_append_string_len(tb, name, strlen(name));
const size_t len = strlen(name);
if (prelen+len >= sizeof(key)) continue;
memcpy(key+prelen, name, len); /*(not '\0'-terminated)*/
unsigned int v, n = 0;
for (v = 0; v < ava.value.size && n < sizeof(buf)-1; ++n) {
@ -2697,7 +2698,7 @@ https_add_ssl_client_subject (request_st * const r, gnutls_x509_dn_t dn)
buf[n] = (c < 32 || c == 127 || (c > 128 && c < 160)) ? '?' : c;
}
http_header_env_set(r, CONST_BUF_LEN(tb), buf, n);
http_header_env_set(r, key, prelen+len, buf, n);
}
++irdn;
} while (rc == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND && i > 0);
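Review bot: The new guard `if (prelen+len >= sizeof(key)) continue;` silently drops a Subject DN component whose tag is longer than 47 bytes, whereas the tmp_buf path it replaces emitted the component at any length; that is a behavior change worth recording next to the check, e.g. `/* skip component whose tag would overflow key[] (tmp_buf imposed no limit) */`, and the identical guard appears in the mod_mbedtls.c, mod_openssl.c and mod_wolfssl.c hunks of this commit. With GNUTLS_X509_DN_OID_RETURN_OID an unrecognised OID comes back as a dotted string, so the cap is reachable for long private-arc OIDs rather than purely theoretical. The loop that this `continue` belongs to opens outside the hunk; if it is a `do { } while` whose condition advances the index it is harmless, otherwise confirm that skipping a component cannot stall the iteration. The body of https_add_ssl_client_subject continues past the end of the hunk.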

13
src/mod_mbedtls.c

@ -2324,10 +2324,10 @@ https_add_ssl_client_subject (request_st * const r, const mbedtls_x509_name *nam
{
/* add components of client Subject DN */
/* code block is similar to mbedtls_x509_dn_gets() */
buffer * const tb = r->tmp_buf;
const size_t prelen = sizeof("SSL_CLIENT_S_DN_")-1;
char key[64] = "SSL_CLIENT_S_DN_";
char buf[MBEDTLS_X509_MAX_DN_NAME_SIZE]; /*(256)*/
buffer_copy_string_len(tb, CONST_STR_LEN("SSL_CLIENT_S_DN_"));
while (name != NULL) {
if (!name->oid.p) {
name = name->next;
@ -2337,8 +2337,9 @@ https_add_ssl_client_subject (request_st * const r, const mbedtls_x509_name *nam
const char *short_name = NULL;
if (0 != mbedtls_oid_get_attr_short_name(&name->oid, &short_name))
continue;
buffer_string_set_length(tb, sizeof("SSL_CLIENT_S_DN_")-1);
buffer_append_string(tb, short_name);
const size_t len = strlen(short_name);
if (prelen+len >= sizeof(key)) continue;
memcpy(key+prelen, short_name, len); /*(not '\0'-terminated)*/
const mbedtls_x509_name *nm = name;
int n = 0;
@ -2355,9 +2356,7 @@ https_add_ssl_client_subject (request_st * const r, const mbedtls_x509_name *nam
while (nm->next_merged && nm->next) nm = nm->next;
name = nm->next;
http_header_env_set(r,
CONST_BUF_LEN(tb),
buf, n);
http_header_env_set(r, key, prelen+len, buf, n);
}
}
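Review bot: The new `if (prelen+len >= sizeof(key)) continue;` returns to the top of `while (name != NULL)` without advancing `name`, and nothing visible between the loop head and this line advances it either (the lines between the two hunks are not shown), so if the guard ever fires the loop re-enters the body on the same element indefinitely; the pre-existing `continue` after the failed mbedtls_oid_get_attr_short_name() call has the same shape. With the short names mbedtls returns the guard is probably never true, but a bounds check that hangs when it fires is worse than no check. Suggest `if (prelen+len >= sizeof(key)) { name = name->next; continue; }`, or follow mod_nss.c in this commit and annotate the check as unreachable instead of making it a live `continue`. The closing brace of the function appears to be outside the hunk.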

10
src/mod_nss.c

@ -2452,8 +2452,8 @@ https_add_ssl_client_subject (request_st * const r, CERTName * const subj)
{ CONST_STR_LEN("emailAddress"), CERT_GetCertEmailAddress },
{ CONST_STR_LEN("DC"), CERT_GetDomainComponentName },
};
buffer * const tb = r->tmp_buf;
buffer_copy_string_len(tb, CONST_STR_LEN("SSL_CLIENT_S_DN_"));
const size_t prelen = sizeof("SSL_CLIENT_S_DN_")-1;
char key[64] = "SSL_CLIENT_S_DN_";
for (uint32_t i = 0; i < sizeof(comp)/sizeof(*comp); ++i) {
char *s = comp[i].fn(subj);
if (NULL == s) continue;
@ -2464,9 +2464,9 @@ https_add_ssl_client_subject (request_st * const r, CERTName * const subj)
if (c < 32 || c == 127 || (c > 128 && c < 160)) s[n] = '?';
}
buffer_string_set_length(tb, sizeof("SSL_CLIENT_S_DN_")-1);
buffer_append_string_len(tb, comp[i].tag, comp[i].tlen);
http_header_env_set(r, CONST_BUF_LEN(tb), s, n);
/*if (prelen+comp[i].tlen >= sizeof(key)) continue;*//*(not possible)*/
memcpy(key+prelen, comp[i].tag, comp[i].tlen); /*(not '\0'-terminated)*/
http_header_env_set(r, key, prelen+comp[i].tlen, s, n);
PR_Free(s);
}
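Review bot: The length guard survives only as commented-out code, `/*if (prelen+comp[i].tlen >= sizeof(key)) continue;*//*(not possible)*/`, while the memcpy directly below it writes into the fixed 64-byte stack buffer `key` with a length taken from the `comp` table, whose head lies outside the hunk. The "not possible" claim holds only as long as every tag in that table stays under 48 bytes, and a later edit to the table gets no reminder of that from dead code here. Keep the check live, `if (prelen+comp[i].tlen >= sizeof(key)) continue;`, which costs one compare per component, or at least move the invariant into a comment on the table itself so the constraint sits next to the data it constrains.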

12
src/mod_openssl.c

@ -3350,8 +3350,8 @@ CONNECTION_FUNC(mod_openssl_handle_con_close)
static void
https_add_ssl_client_subject (request_st * const r, X509_NAME *xn)
{
buffer * const tb = r->tmp_buf;
buffer_copy_string_len(tb, CONST_STR_LEN("SSL_CLIENT_S_DN_"));
const size_t prelen = sizeof("SSL_CLIENT_S_DN_")-1;
char key[64] = "SSL_CLIENT_S_DN_";
for (int i = 0, nentries = X509_NAME_entry_count(xn); i < nentries; ++i) {
int xobjnid;
const char * xobjsn;
@ -3363,10 +3363,10 @@ https_add_ssl_client_subject (request_st * const r, X509_NAME *xn)
xobjnid = OBJ_obj2nid((ASN1_OBJECT*)X509_NAME_ENTRY_get_object(xe));
xobjsn = OBJ_nid2sn(xobjnid);
if (xobjsn) {
buffer_string_set_length(tb, sizeof("SSL_CLIENT_S_DN_")-1);
buffer_append_string(tb, xobjsn);
http_header_env_set(r,
CONST_BUF_LEN(tb),
const size_t len = strlen(xobjsn);
if (prelen+len >= sizeof(key)) continue;
memcpy(key+prelen, xobjsn, len); /*(not '\0'-terminated)*/
http_header_env_set(r, key, prelen+len,
(const char*)X509_NAME_ENTRY_get_data(xe)->data,
X509_NAME_ENTRY_get_data(xe)->length);
}

12
src/mod_wolfssl.c

@ -3133,8 +3133,8 @@ CONNECTION_FUNC(mod_openssl_handle_con_close)
static void
https_add_ssl_client_subject (request_st * const r, X509_NAME *xn)
{
buffer * const tb = r->tmp_buf;
buffer_copy_string_len(tb, CONST_STR_LEN("SSL_CLIENT_S_DN_"));
const size_t prelen = sizeof("SSL_CLIENT_S_DN_")-1;
char key[64] = "SSL_CLIENT_S_DN_";
for (int i = 0, nentries = X509_NAME_entry_count(xn); i < nentries; ++i) {
int xobjnid;
const char * xobjsn;
@ -3146,10 +3146,10 @@ https_add_ssl_client_subject (request_st * const r, X509_NAME *xn)
xobjnid = OBJ_obj2nid((ASN1_OBJECT*)X509_NAME_ENTRY_get_object(xe));
xobjsn = OBJ_nid2sn(xobjnid);
if (xobjsn) {
buffer_string_set_length(tb, sizeof("SSL_CLIENT_S_DN_")-1);
buffer_append_string(tb, xobjsn);
http_header_env_set(r,
CONST_BUF_LEN(tb),
const size_t len = strlen(xobjsn);
if (prelen+len >= sizeof(key)) continue;
memcpy(key+prelen, xobjsn, len); /*(not '\0'-terminated)*/
http_header_env_set(r, key, prelen+len,
(const char*)X509_NAME_ENTRY_get_data(xe)->data,
X509_NAME_ENTRY_get_data(xe)->length);
}
