arrfab / rpms / httpd

Forked from rpms/httpd 5 years ago
Clone

Blame SOURCES/httpd-2.4.6-upn.patch

0943f8
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
0943f8
index 926e05e..bbe1d20 100644
0943f8
--- a/modules/ssl/mod_ssl.c
0943f8
+++ b/modules/ssl/mod_ssl.c
0943f8
@@ -333,6 +333,11 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
0943f8
     OpenSSL_add_all_algorithms();
0943f8
     OPENSSL_load_builtin_modules();
0943f8
 
0943f8
+    if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
0943f8
+        (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",
0943f8
+                         "SRVName otherName form");
0943f8
+    }
0943f8
+
0943f8
     /*
0943f8
      * Let us cleanup the ssl library when the module is unloaded
0943f8
      */
0943f8
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
0943f8
index eb11a38..27eaa5a 100644
0943f8
--- a/modules/ssl/ssl_engine_kernel.c
0943f8
+++ b/modules/ssl/ssl_engine_kernel.c
0943f8
@@ -1156,6 +1156,7 @@ int ssl_hook_Fixup(request_rec *r)
0943f8
     /* standard SSL environment variables */
0943f8
     if (dc->nOptions & SSL_OPT_STDENVVARS) {
0943f8
         modssl_var_extract_dns(env, sslconn->ssl, r->pool);
0943f8
+        modssl_var_extract_san_entries(env, sslconn->ssl, r->pool);
0943f8
 
0943f8
         for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
0943f8
             var = (char *)ssl_hook_Fixup_vars[i];
0943f8
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
0943f8
index c508fff..2b7c9ba 100644
0943f8
--- a/modules/ssl/ssl_engine_vars.c
0943f8
+++ b/modules/ssl/ssl_engine_vars.c
0943f8
@@ -42,6 +42,7 @@
0943f8
 static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r, char *var);
0943f8
 static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, char *var);
0943f8
 static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *var);
0943f8
+static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var);
0943f8
 static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm);
0943f8
 static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm);
0943f8
 static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs);
0943f8
@@ -509,6 +510,10 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
0943f8
         result = ssl_var_lookup_ssl_cert_dn(p, xsname, var+5);
0943f8
         resdup = FALSE;
0943f8
     }
0943f8
+    else if (strlen(var) > 4 && strcEQn(var, "SAN_", 4)) {
0943f8
+        result = ssl_var_lookup_ssl_cert_san(p, xs, var+4);
0943f8
+        resdup = FALSE;
0943f8
+    }
0943f8
     else if (strcEQ(var, "A_SIG")) {
0943f8
         nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
0943f8
         result = apr_pstrdup(p,
0943f8
@@ -597,6 +602,49 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *
0943f8
     return result;
0943f8
 }
0943f8
 
0943f8
+static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var)
0943f8
+{
0943f8
+    int type, numlen;
0943f8
+    const char *onf = NULL;
0943f8
+    apr_array_header_t *entries;
0943f8
+
0943f8
+    if (strcEQn(var, "Email_", 6)) {
0943f8
+        type = GEN_EMAIL;
0943f8
+        var += 6;
0943f8
+    }
0943f8
+    else if (strcEQn(var, "DNS_", 4)) {
0943f8
+        type = GEN_DNS;
0943f8
+        var += 4;
0943f8
+    }
0943f8
+    else if (strcEQn(var, "OTHER_", 6)) {
0943f8
+        type = GEN_OTHERNAME;
0943f8
+        var += 6;
0943f8
+        if (strEQn(var, "msUPN_", 6)) {
0943f8
+            var += 6;
0943f8
+            onf = "msUPN";
0943f8
+        }
0943f8
+        else if (strEQn(var, "dnsSRV_", 7)) {
0943f8
+            var += 7;
0943f8
+            onf = "id-on-dnsSRV";
0943f8
+        }
0943f8
+        else
0943f8
+           return NULL;
0943f8
+    }
0943f8
+    else
0943f8
+        return NULL;
0943f8
+
0943f8
+    /* sanity check: number must be between 1 and 4 digits */
0943f8
+    numlen = strspn(var, "0123456789");
0943f8
+    if ((numlen < 1) || (numlen > 4) || (numlen != strlen(var)))
0943f8
+        return NULL;
0943f8
+
0943f8
+    if (SSL_X509_getSAN(p, xs, type, onf, atoi(var), &entries))
0943f8
+        /* return the first entry from this 1-element array */
0943f8
+        return APR_ARRAY_IDX(entries, 0, char *);
0943f8
+    else
0943f8
+        return NULL;
0943f8
+}
0943f8
+
0943f8
 static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm)
0943f8
 {
0943f8
     char *result;
0943f8
@@ -890,6 +938,54 @@ void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p)
0943f8
     }
0943f8
 }
0943f8
 
0943f8
+static void extract_san_array(apr_table_t *t, const char *pfx,
0943f8
+                              apr_array_header_t *entries, apr_pool_t *p)
0943f8
+{
0943f8
+    int i;
0943f8
+
0943f8
+    for (i = 0; i < entries->nelts; i++) {
0943f8
+        const char *key = apr_psprintf(p, "%s_%d", pfx, i);
0943f8
+        apr_table_setn(t, key, APR_ARRAY_IDX(entries, i, const char *));
0943f8
+    }
0943f8
+}
0943f8
+
0943f8
+void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p)
0943f8
+{
0943f8
+    X509 *xs;
0943f8
+    apr_array_header_t *entries;
0943f8
+
0943f8
+    /* subjectAltName entries of the server certificate */
0943f8
+    xs = SSL_get_certificate(ssl);
0943f8
+    if (xs) {
0943f8
+        if (SSL_X509_getSAN(p, xs, GEN_EMAIL, NULL, -1, &entries)) {
0943f8
+            extract_san_array(t, "SSL_SERVER_SAN_Email", entries, p);
0943f8
+        }
0943f8
+        if (SSL_X509_getSAN(p, xs, GEN_DNS, NULL, -1, &entries)) {
0943f8
+            extract_san_array(t, "SSL_SERVER_SAN_DNS", entries, p);
0943f8
+        }
0943f8
+        if (SSL_X509_getSAN(p, xs, GEN_OTHERNAME, "id-on-dnsSRV", -1,
0943f8
+                               &entries)) {
0943f8
+            extract_san_array(t, "SSL_SERVER_SAN_OTHER_dnsSRV", entries, p);
0943f8
+        }
0943f8
+        /* no need to free xs (refcount does not increase) */
0943f8
+    }
0943f8
+
0943f8
+    /* subjectAltName entries of the client certificate */
0943f8
+    xs = SSL_get_peer_certificate(ssl);
0943f8
+    if (xs) {
0943f8
+        if (SSL_X509_getSAN(p, xs, GEN_EMAIL, NULL, -1, &entries)) {
0943f8
+            extract_san_array(t, "SSL_CLIENT_SAN_Email", entries, p);
0943f8
+        }
0943f8
+        if (SSL_X509_getSAN(p, xs, GEN_DNS, NULL, -1, &entries)) {
0943f8
+            extract_san_array(t, "SSL_CLIENT_SAN_DNS", entries, p);
0943f8
+        }
0943f8
+        if (SSL_X509_getSAN(p, xs, GEN_OTHERNAME, "msUPN", -1, &entries)) {
0943f8
+            extract_san_array(t, "SSL_CLIENT_SAN_OTHER_msUPN", entries, p);
0943f8
+        }
0943f8
+        X509_free(xs);
0943f8
+    }
0943f8
+}
0943f8
+
0943f8
 /* For an extension type which OpenSSL does not recognize, attempt to
0943f8
  * parse the extension type as a primitive string.  This will fail for
0943f8
  * any structured extension type per the docs.  Returns non-zero on
0943f8
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
0943f8
index a5ede6e..80e1e8e 100644
0943f8
--- a/modules/ssl/ssl_private.h
0943f8
+++ b/modules/ssl/ssl_private.h
0943f8
@@ -974,6 +974,10 @@ void         ssl_var_log_config_register(apr_pool_t *p);
0943f8
  * allocating from 'p': */
0943f8
 void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p);
0943f8
 
0943f8
+/* Extract SSL_*_SAN_* variables (subjectAltName entries) into table 't'
0943f8
+ * from SSL object 'ssl', allocating from 'p'. */
0943f8
+void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p);
0943f8
+
0943f8
 #ifndef OPENSSL_NO_OCSP
0943f8
 /* Perform OCSP validation of the current cert in the given context.
0943f8
  * Returns non-zero on success or zero on failure.  On failure, the
0943f8
diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c
0943f8
index 588ceba..09a9877 100644
0943f8
--- a/modules/ssl/ssl_util_ssl.c
0943f8
+++ b/modules/ssl/ssl_util_ssl.c
0943f8
@@ -236,22 +236,32 @@ BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen)
0943f8
     return TRUE;
0943f8
 }
0943f8
 
0943f8
-/* convert a NAME_ENTRY to UTF8 string */
0943f8
-char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)
0943f8
+/* convert an ASN.1 string to a UTF-8 string (escaping control characters) */
0943f8
+char *SSL_ASN1_STRING_to_utf8(apr_pool_t *p, ASN1_STRING *asn1str)
0943f8
 {
0943f8
     char *result = NULL;
0943f8
-    BIO* bio;
0943f8
+    BIO *bio;
0943f8
     int len;
0943f8
 
0943f8
     if ((bio = BIO_new(BIO_s_mem())) == NULL)
0943f8
         return NULL;
0943f8
-    ASN1_STRING_print_ex(bio, X509_NAME_ENTRY_get_data(xsne),
0943f8
-                         ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_UTF8_CONVERT);
0943f8
+
0943f8
+    ASN1_STRING_print_ex(bio, asn1str, ASN1_STRFLGS_ESC_CTRL|
0943f8
+                                       ASN1_STRFLGS_UTF8_CONVERT);
0943f8
     len = BIO_pending(bio);
0943f8
-    result = apr_palloc(p, len+1);
0943f8
-    len = BIO_read(bio, result, len);
0943f8
-    result[len] = NUL;
0943f8
+    if (len > 0) {
0943f8
+        result = apr_palloc(p, len+1);
0943f8
+        len = BIO_read(bio, result, len);
0943f8
+        result[len] = NUL;
0943f8
+    }
0943f8
     BIO_free(bio);
0943f8
+    return result;
0943f8
+}
0943f8
+
0943f8
+/* convert a NAME_ENTRY to UTF8 string */
0943f8
+char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)
0943f8
+{
0943f8
+    char *result = SSL_ASN1_STRING_to_utf8(p, X509_NAME_ENTRY_get_data(xsne));
0943f8
     ap_xlate_proto_from_ascii(result, len);
0943f8
     return result;
0943f8
 }
0943f8
@@ -288,51 +298,123 @@ char *SSL_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen)
0943f8
     return result;
0943f8
 }
0943f8
 
0943f8
-/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */
0943f8
-BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
0943f8
+static void parse_otherName_value(apr_pool_t *p, ASN1_TYPE *value,
0943f8
+                                  const char *onf, apr_array_header_t **entries)
0943f8
+{
0943f8
+    const char *str;
0943f8
+    int nid = onf ? OBJ_txt2nid(onf) : NID_undef;
0943f8
+
0943f8
+    if (!value || (nid == NID_undef) || !*entries)
0943f8
+       return;
0943f8
+
0943f8
+    /* 
0943f8
+     * Currently supported otherName forms (values for "onf"):
0943f8
+     * "msUPN" (1.3.6.1.4.1.311.20.2.3): Microsoft User Principal Name
0943f8
+     * "id-on-dnsSRV" (1.3.6.1.5.5.7.8.7): SRVName, as specified in RFC 4985
0943f8
+     */
0943f8
+    if ((nid == NID_ms_upn) && (value->type == V_ASN1_UTF8STRING) &&
0943f8
+        (str = SSL_ASN1_STRING_to_utf8(p, value->value.utf8string))) {
0943f8
+        APR_ARRAY_PUSH(*entries, const char *) = str;
0943f8
+    } else if (strEQ(onf, "id-on-dnsSRV") &&
0943f8
+               (value->type == V_ASN1_IA5STRING) &&
0943f8
+               (str = SSL_ASN1_STRING_to_utf8(p, value->value.ia5string))) {
0943f8
+        APR_ARRAY_PUSH(*entries, const char *) = str;
0943f8
+    }
0943f8
+}
0943f8
+
0943f8
+/* 
0943f8
+ * Return an array of subjectAltName entries of type "type". If idx is -1,
0943f8
+ * return all entries of the given type, otherwise return an array consisting
0943f8
+ * of the n-th occurrence of that type only. Currently supported types:
0943f8
+ * GEN_EMAIL (rfc822Name)
0943f8
+ * GEN_DNS (dNSName)
0943f8
+ * GEN_OTHERNAME (requires the otherName form ["onf"] argument to be supplied,
0943f8
+ *                see parse_otherName_value for the currently supported forms)
0943f8
+ */
0943f8
+BOOL SSL_X509_getSAN(apr_pool_t *p, X509 *x509, int type, const char *onf,
0943f8
+                     int idx, apr_array_header_t **entries)
0943f8
 {
0943f8
     STACK_OF(GENERAL_NAME) *names;
0943f8
-    BIO *bio;
0943f8
-    X509_NAME *subj;
0943f8
-    char **cpp;
0943f8
-    int i, n;
0943f8
+    int nid = onf ? OBJ_txt2nid(onf) : NID_undef;
0943f8
 
0943f8
-    if (!x509 || !(*ids = apr_array_make(p, 0, sizeof(char *)))) {
0943f8
-        *ids = NULL;
0943f8
+    if (!x509 || (type < GEN_OTHERNAME) ||
0943f8
+        ((type == GEN_OTHERNAME) && (nid == NID_undef)) ||
0943f8
+        (type > GEN_RID) || (idx < -1) ||
0943f8
+        !(*entries = apr_array_make(p, 0, sizeof(char *)))) {
0943f8
+        *entries = NULL;
0943f8
         return FALSE;
0943f8
     }
0943f8
 
0943f8
-    /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */
0943f8
-    if ((names = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL)) &&
0943f8
-        (bio = BIO_new(BIO_s_mem()))) {
0943f8
+    if ((names = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL))) {
0943f8
+        int i, n = 0;
0943f8
         GENERAL_NAME *name;
0943f8
+        const char *utf8str;
0943f8
 
0943f8
         for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
0943f8
             name = sk_GENERAL_NAME_value(names, i);
0943f8
-            if (name->type == GEN_DNS) {
0943f8
-                ASN1_STRING_print_ex(bio, name->d.ia5, ASN1_STRFLGS_ESC_CTRL|
0943f8
-                                     ASN1_STRFLGS_UTF8_CONVERT);
0943f8
-                n = BIO_pending(bio);
0943f8
-                if (n > 0) {
0943f8
-                    cpp = (char **)apr_array_push(*ids);
0943f8
-                    *cpp = apr_palloc(p, n+1);
0943f8
-                    n = BIO_read(bio, *cpp, n);
0943f8
-                    (*cpp)[n] = NUL;
0943f8
+
0943f8
+            if (name->type != type)
0943f8
+                continue;
0943f8
+
0943f8
+            switch (type) {
0943f8
+            case GEN_EMAIL:
0943f8
+            case GEN_DNS:
0943f8
+                if (((idx == -1) || (n == idx)) &&
0943f8
+                    (utf8str = SSL_ASN1_STRING_to_utf8(p, name->d.ia5))) {
0943f8
+                    APR_ARRAY_PUSH(*entries, const char *) = utf8str;
0943f8
+                }
0943f8
+                n++;
0943f8
+                break;
0943f8
+            case GEN_OTHERNAME:
0943f8
+                if (OBJ_obj2nid(name->d.otherName->type_id) == nid) {
0943f8
+                    if (((idx == -1) || (n == idx))) {
0943f8
+                        parse_otherName_value(p, name->d.otherName->value,
0943f8
+                                              onf, entries);
0943f8
+                    }
0943f8
+                    n++;
0943f8
                 }
0943f8
+                break;
0943f8
+            default:
0943f8
+                /*
0943f8
+                 * Not implemented right now:
0943f8
+                 * GEN_X400 (x400Address)
0943f8
+                 * GEN_DIRNAME (directoryName)
0943f8
+                 * GEN_EDIPARTY (ediPartyName)
0943f8
+                 * GEN_URI (uniformResourceIdentifier)
0943f8
+                 * GEN_IPADD (iPAddress)
0943f8
+                 * GEN_RID (registeredID)
0943f8
+                 */
0943f8
+                break;
0943f8
             }
0943f8
+
0943f8
+            if ((idx != -1) && (n > idx))
0943f8
+               break;
0943f8
         }
0943f8
-        BIO_free(bio);
0943f8
-    }
0943f8
 
0943f8
-    if (names)
0943f8
         sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
0943f8
+    }
0943f8
+
0943f8
+    return apr_is_empty_array(*entries) ? FALSE : TRUE;
0943f8
+}
0943f8
+
0943f8
+/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */
0943f8
+BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
0943f8
+{
0943f8
+    X509_NAME *subj;
0943f8
+    int i = -1;
0943f8
+
0943f8
+    /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */
0943f8
+    if (!x509 ||
0943f8
+        (SSL_X509_getSAN(p, x509, GEN_DNS, NULL, -1, ids) == FALSE && !*ids)) {
0943f8
+        *ids = NULL;
0943f8
+        return FALSE;
0943f8
+    }
0943f8
 
0943f8
     /* Second, the CN-IDs (commonName attributes in the subject DN) */
0943f8
     subj = X509_get_subject_name(x509);
0943f8
-    i = -1;
0943f8
     while ((i = X509_NAME_get_index_by_NID(subj, NID_commonName, i)) != -1) {
0943f8
-        cpp = (char **)apr_array_push(*ids);
0943f8
-        *cpp = SSL_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i));
0943f8
+        APR_ARRAY_PUSH(*ids, const char *) = 
0943f8
+            SSL_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i));
0943f8
     }
0943f8
 
0943f8
     return apr_is_empty_array(*ids) ? FALSE : TRUE;
0943f8
diff --git a/modules/ssl/ssl_util_ssl.h b/modules/ssl/ssl_util_ssl.h
0943f8
index 4b882db..be07ab7 100644
0943f8
--- a/modules/ssl/ssl_util_ssl.h
0943f8
+++ b/modules/ssl/ssl_util_ssl.h
0943f8
@@ -65,8 +65,10 @@ EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, pem_password_cb *, void *);
0943f8
 int         SSL_smart_shutdown(SSL *ssl);
0943f8
 BOOL        SSL_X509_isSGC(X509 *);
0943f8
 BOOL        SSL_X509_getBC(X509 *, int *, int *);
0943f8
+char       *SSL_ASN1_STRING_to_utf8(apr_pool_t *, ASN1_STRING *);
0943f8
 char       *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);
0943f8
 char       *SSL_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
0943f8
+BOOL        SSL_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **);
0943f8
 BOOL        SSL_X509_getIDs(apr_pool_t *, X509 *, apr_array_header_t **);
0943f8
 BOOL        SSL_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);
0943f8
 BOOL        SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);