008793
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
008793
index 926e05e..bbe1d20 100644
008793
--- a/modules/ssl/mod_ssl.c
008793
+++ b/modules/ssl/mod_ssl.c
008793
@@ -333,6 +333,11 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
008793
     OpenSSL_add_all_algorithms();
008793
     OPENSSL_load_builtin_modules();
008793
 
008793
+    if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
008793
+        (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",
008793
+                         "SRVName otherName form");
008793
+    }
008793
+
008793
     /*
008793
      * Let us cleanup the ssl library when the module is unloaded
008793
      */
008793
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
008793
index eb11a38..27eaa5a 100644
008793
--- a/modules/ssl/ssl_engine_kernel.c
008793
+++ b/modules/ssl/ssl_engine_kernel.c
008793
@@ -1156,6 +1156,7 @@ int ssl_hook_Fixup(request_rec *r)
008793
     /* standard SSL environment variables */
008793
     if (dc->nOptions & SSL_OPT_STDENVVARS) {
008793
         modssl_var_extract_dns(env, sslconn->ssl, r->pool);
008793
+        modssl_var_extract_san_entries(env, sslconn->ssl, r->pool);
008793
 
008793
         for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
008793
             var = (char *)ssl_hook_Fixup_vars[i];
008793
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
008793
index c508fff..2b7c9ba 100644
008793
--- a/modules/ssl/ssl_engine_vars.c
008793
+++ b/modules/ssl/ssl_engine_vars.c
008793
@@ -42,6 +42,7 @@
008793
 static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r, char *var);
008793
 static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, char *var);
008793
 static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *var);
008793
+static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var);
008793
 static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm);
008793
 static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm);
008793
 static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs);
008793
@@ -509,6 +510,10 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
008793
         result = ssl_var_lookup_ssl_cert_dn(p, xsname, var+5);
008793
         resdup = FALSE;
008793
     }
008793
+    else if (strlen(var) > 4 && strcEQn(var, "SAN_", 4)) {
008793
+        result = ssl_var_lookup_ssl_cert_san(p, xs, var+4);
008793
+        resdup = FALSE;
008793
+    }
008793
     else if (strcEQ(var, "A_SIG")) {
008793
         nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
008793
         result = apr_pstrdup(p,
008793
@@ -597,6 +602,49 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *
008793
     return result;
008793
 }
008793
 
008793
+static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var)
008793
+{
008793
+    int type, numlen;
008793
+    const char *onf = NULL;
008793
+    apr_array_header_t *entries;
008793
+
008793
+    if (strcEQn(var, "Email_", 6)) {
008793
+        type = GEN_EMAIL;
008793
+        var += 6;
008793
+    }
008793
+    else if (strcEQn(var, "DNS_", 4)) {
008793
+        type = GEN_DNS;
008793
+        var += 4;
008793
+    }
008793
+    else if (strcEQn(var, "OTHER_", 6)) {
008793
+        type = GEN_OTHERNAME;
008793
+        var += 6;
008793
+        if (strEQn(var, "msUPN_", 6)) {
008793
+            var += 6;
008793
+            onf = "msUPN";
008793
+        }
008793
+        else if (strEQn(var, "dnsSRV_", 7)) {
008793
+            var += 7;
008793
+            onf = "id-on-dnsSRV";
008793
+        }
008793
+        else
008793
+           return NULL;
008793
+    }
008793
+    else
008793
+        return NULL;
008793
+
008793
+    /* sanity check: number must be between 1 and 4 digits */
008793
+    numlen = strspn(var, "0123456789");
008793
+    if ((numlen < 1) || (numlen > 4) || (numlen != strlen(var)))
008793
+        return NULL;
008793
+
008793
+    if (SSL_X509_getSAN(p, xs, type, onf, atoi(var), &entries))
008793
+        /* return the first entry from this 1-element array */
008793
+        return APR_ARRAY_IDX(entries, 0, char *);
008793
+    else
008793
+        return NULL;
008793
+}
008793
+
008793
 static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm)
008793
 {
008793
     char *result;
008793
@@ -890,6 +938,54 @@ void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p)
008793
     }
008793
 }
008793
 
008793
+static void extract_san_array(apr_table_t *t, const char *pfx,
008793
+                              apr_array_header_t *entries, apr_pool_t *p)
008793
+{
008793
+    int i;
008793
+
008793
+    for (i = 0; i < entries->nelts; i++) {
008793
+        const char *key = apr_psprintf(p, "%s_%d", pfx, i);
008793
+        apr_table_setn(t, key, APR_ARRAY_IDX(entries, i, const char *));
008793
+    }
008793
+}
008793
+
008793
+void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p)
008793
+{
008793
+    X509 *xs;
008793
+    apr_array_header_t *entries;
008793
+
008793
+    /* subjectAltName entries of the server certificate */
008793
+    xs = SSL_get_certificate(ssl);
008793
+    if (xs) {
008793
+        if (SSL_X509_getSAN(p, xs, GEN_EMAIL, NULL, -1, &entries)) {
008793
+            extract_san_array(t, "SSL_SERVER_SAN_Email", entries, p);
008793
+        }
008793
+        if (SSL_X509_getSAN(p, xs, GEN_DNS, NULL, -1, &entries)) {
008793
+            extract_san_array(t, "SSL_SERVER_SAN_DNS", entries, p);
008793
+        }
008793
+        if (SSL_X509_getSAN(p, xs, GEN_OTHERNAME, "id-on-dnsSRV", -1,
008793
+                               &entries)) {
008793
+            extract_san_array(t, "SSL_SERVER_SAN_OTHER_dnsSRV", entries, p);
008793
+        }
008793
+        /* no need to free xs (refcount does not increase) */
008793
+    }
008793
+
008793
+    /* subjectAltName entries of the client certificate */
008793
+    xs = SSL_get_peer_certificate(ssl);
008793
+    if (xs) {
008793
+        if (SSL_X509_getSAN(p, xs, GEN_EMAIL, NULL, -1, &entries)) {
008793
+            extract_san_array(t, "SSL_CLIENT_SAN_Email", entries, p);
008793
+        }
008793
+        if (SSL_X509_getSAN(p, xs, GEN_DNS, NULL, -1, &entries)) {
008793
+            extract_san_array(t, "SSL_CLIENT_SAN_DNS", entries, p);
008793
+        }
008793
+        if (SSL_X509_getSAN(p, xs, GEN_OTHERNAME, "msUPN", -1, &entries)) {
008793
+            extract_san_array(t, "SSL_CLIENT_SAN_OTHER_msUPN", entries, p);
008793
+        }
008793
+        X509_free(xs);
008793
+    }
008793
+}
008793
+
008793
 /* For an extension type which OpenSSL does not recognize, attempt to
008793
  * parse the extension type as a primitive string.  This will fail for
008793
  * any structured extension type per the docs.  Returns non-zero on
008793
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
008793
index a5ede6e..80e1e8e 100644
008793
--- a/modules/ssl/ssl_private.h
008793
+++ b/modules/ssl/ssl_private.h
008793
@@ -974,6 +974,10 @@ void         ssl_var_log_config_register(apr_pool_t *p);
008793
  * allocating from 'p': */
008793
 void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p);
008793
 
008793
+/* Extract SSL_*_SAN_* variables (subjectAltName entries) into table 't'
008793
+ * from SSL object 'ssl', allocating from 'p'. */
008793
+void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p);
008793
+
008793
 #ifndef OPENSSL_NO_OCSP
008793
 /* Perform OCSP validation of the current cert in the given context.
008793
  * Returns non-zero on success or zero on failure.  On failure, the
008793
diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c
008793
index 588ceba..09a9877 100644
008793
--- a/modules/ssl/ssl_util_ssl.c
008793
+++ b/modules/ssl/ssl_util_ssl.c
008793
@@ -236,22 +236,32 @@ BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen)
008793
     return TRUE;
008793
 }
008793
 
008793
-/* convert a NAME_ENTRY to UTF8 string */
008793
-char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)
008793
+/* convert an ASN.1 string to a UTF-8 string (escaping control characters) */
008793
+char *SSL_ASN1_STRING_to_utf8(apr_pool_t *p, ASN1_STRING *asn1str)
008793
 {
008793
     char *result = NULL;
008793
-    BIO* bio;
008793
+    BIO *bio;
008793
     int len;
008793
 
008793
     if ((bio = BIO_new(BIO_s_mem())) == NULL)
008793
         return NULL;
008793
-    ASN1_STRING_print_ex(bio, X509_NAME_ENTRY_get_data(xsne),
008793
-                         ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_UTF8_CONVERT);
008793
+
008793
+    ASN1_STRING_print_ex(bio, asn1str, ASN1_STRFLGS_ESC_CTRL|
008793
+                                       ASN1_STRFLGS_UTF8_CONVERT);
008793
     len = BIO_pending(bio);
008793
-    result = apr_palloc(p, len+1);
008793
-    len = BIO_read(bio, result, len);
008793
-    result[len] = NUL;
008793
+    if (len > 0) {
008793
+        result = apr_palloc(p, len+1);
008793
+        len = BIO_read(bio, result, len);
008793
+        result[len] = NUL;
008793
+    }
008793
     BIO_free(bio);
008793
+    return result;
008793
+}
008793
+
008793
+/* convert a NAME_ENTRY to UTF8 string */
008793
+char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)
008793
+{
008793
+    char *result = SSL_ASN1_STRING_to_utf8(p, X509_NAME_ENTRY_get_data(xsne));
008793
     ap_xlate_proto_from_ascii(result, len);
008793
     return result;
008793
 }
008793
@@ -288,51 +298,123 @@ char *SSL_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen)
008793
     return result;
008793
 }
008793
 
008793
-/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */
008793
-BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
008793
+static void parse_otherName_value(apr_pool_t *p, ASN1_TYPE *value,
008793
+                                  const char *onf, apr_array_header_t **entries)
008793
+{
008793
+    const char *str;
008793
+    int nid = onf ? OBJ_txt2nid(onf) : NID_undef;
008793
+
008793
+    if (!value || (nid == NID_undef) || !*entries)
008793
+       return;
008793
+
008793
+    /* 
008793
+     * Currently supported otherName forms (values for "onf"):
008793
+     * "msUPN" (1.3.6.1.4.1.311.20.2.3): Microsoft User Principal Name
008793
+     * "id-on-dnsSRV" (1.3.6.1.5.5.7.8.7): SRVName, as specified in RFC 4985
008793
+     */
008793
+    if ((nid == NID_ms_upn) && (value->type == V_ASN1_UTF8STRING) &&
008793
+        (str = SSL_ASN1_STRING_to_utf8(p, value->value.utf8string))) {
008793
+        APR_ARRAY_PUSH(*entries, const char *) = str;
008793
+    } else if (strEQ(onf, "id-on-dnsSRV") &&
008793
+               (value->type == V_ASN1_IA5STRING) &&
008793
+               (str = SSL_ASN1_STRING_to_utf8(p, value->value.ia5string))) {
008793
+        APR_ARRAY_PUSH(*entries, const char *) = str;
008793
+    }
008793
+}
008793
+
008793
+/* 
008793
+ * Return an array of subjectAltName entries of type "type". If idx is -1,
008793
+ * return all entries of the given type, otherwise return an array consisting
008793
+ * of the n-th occurrence of that type only. Currently supported types:
008793
+ * GEN_EMAIL (rfc822Name)
008793
+ * GEN_DNS (dNSName)
008793
+ * GEN_OTHERNAME (requires the otherName form ["onf"] argument to be supplied,
008793
+ *                see parse_otherName_value for the currently supported forms)
008793
+ */
008793
+BOOL SSL_X509_getSAN(apr_pool_t *p, X509 *x509, int type, const char *onf,
008793
+                     int idx, apr_array_header_t **entries)
008793
 {
008793
     STACK_OF(GENERAL_NAME) *names;
008793
-    BIO *bio;
008793
-    X509_NAME *subj;
008793
-    char **cpp;
008793
-    int i, n;
008793
+    int nid = onf ? OBJ_txt2nid(onf) : NID_undef;
008793
 
008793
-    if (!x509 || !(*ids = apr_array_make(p, 0, sizeof(char *)))) {
008793
-        *ids = NULL;
008793
+    if (!x509 || (type < GEN_OTHERNAME) ||
008793
+        ((type == GEN_OTHERNAME) && (nid == NID_undef)) ||
008793
+        (type > GEN_RID) || (idx < -1) ||
008793
+        !(*entries = apr_array_make(p, 0, sizeof(char *)))) {
008793
+        *entries = NULL;
008793
         return FALSE;
008793
     }
008793
 
008793
-    /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */
008793
-    if ((names = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL)) &&
008793
-        (bio = BIO_new(BIO_s_mem()))) {
008793
+    if ((names = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL))) {
008793
+        int i, n = 0;
008793
         GENERAL_NAME *name;
008793
+        const char *utf8str;
008793
 
008793
         for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
008793
             name = sk_GENERAL_NAME_value(names, i);
008793
-            if (name->type == GEN_DNS) {
008793
-                ASN1_STRING_print_ex(bio, name->d.ia5, ASN1_STRFLGS_ESC_CTRL|
008793
-                                     ASN1_STRFLGS_UTF8_CONVERT);
008793
-                n = BIO_pending(bio);
008793
-                if (n > 0) {
008793
-                    cpp = (char **)apr_array_push(*ids);
008793
-                    *cpp = apr_palloc(p, n+1);
008793
-                    n = BIO_read(bio, *cpp, n);
008793
-                    (*cpp)[n] = NUL;
008793
+
008793
+            if (name->type != type)
008793
+                continue;
008793
+
008793
+            switch (type) {
008793
+            case GEN_EMAIL:
008793
+            case GEN_DNS:
008793
+                if (((idx == -1) || (n == idx)) &&
008793
+                    (utf8str = SSL_ASN1_STRING_to_utf8(p, name->d.ia5))) {
008793
+                    APR_ARRAY_PUSH(*entries, const char *) = utf8str;
008793
+                }
008793
+                n++;
008793
+                break;
008793
+            case GEN_OTHERNAME:
008793
+                if (OBJ_obj2nid(name->d.otherName->type_id) == nid) {
008793
+                    if (((idx == -1) || (n == idx))) {
008793
+                        parse_otherName_value(p, name->d.otherName->value,
008793
+                                              onf, entries);
008793
+                    }
008793
+                    n++;
008793
                 }
008793
+                break;
008793
+            default:
008793
+                /*
008793
+                 * Not implemented right now:
008793
+                 * GEN_X400 (x400Address)
008793
+                 * GEN_DIRNAME (directoryName)
008793
+                 * GEN_EDIPARTY (ediPartyName)
008793
+                 * GEN_URI (uniformResourceIdentifier)
008793
+                 * GEN_IPADD (iPAddress)
008793
+                 * GEN_RID (registeredID)
008793
+                 */
008793
+                break;
008793
             }
008793
+
008793
+            if ((idx != -1) && (n > idx))
008793
+               break;
008793
         }
008793
-        BIO_free(bio);
008793
-    }
008793
 
008793
-    if (names)
008793
         sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
008793
+    }
008793
+
008793
+    return apr_is_empty_array(*entries) ? FALSE : TRUE;
008793
+}
008793
+
008793
+/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */
008793
+BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
008793
+{
008793
+    X509_NAME *subj;
008793
+    int i = -1;
008793
+
008793
+    /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */
008793
+    if (!x509 ||
008793
+        (SSL_X509_getSAN(p, x509, GEN_DNS, NULL, -1, ids) == FALSE && !*ids)) {
008793
+        *ids = NULL;
008793
+        return FALSE;
008793
+    }
008793
 
008793
     /* Second, the CN-IDs (commonName attributes in the subject DN) */
008793
     subj = X509_get_subject_name(x509);
008793
-    i = -1;
008793
     while ((i = X509_NAME_get_index_by_NID(subj, NID_commonName, i)) != -1) {
008793
-        cpp = (char **)apr_array_push(*ids);
008793
-        *cpp = SSL_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i));
008793
+        APR_ARRAY_PUSH(*ids, const char *) = 
008793
+            SSL_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i));
008793
     }
008793
 
008793
     return apr_is_empty_array(*ids) ? FALSE : TRUE;
008793
diff --git a/modules/ssl/ssl_util_ssl.h b/modules/ssl/ssl_util_ssl.h
008793
index 4b882db..be07ab7 100644
008793
--- a/modules/ssl/ssl_util_ssl.h
008793
+++ b/modules/ssl/ssl_util_ssl.h
008793
@@ -65,8 +65,10 @@ EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, pem_password_cb *, void *);
008793
 int         SSL_smart_shutdown(SSL *ssl);
008793
 BOOL        SSL_X509_isSGC(X509 *);
008793
 BOOL        SSL_X509_getBC(X509 *, int *, int *);
008793
+char       *SSL_ASN1_STRING_to_utf8(apr_pool_t *, ASN1_STRING *);
008793
 char       *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);
008793
 char       *SSL_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
008793
+BOOL        SSL_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **);
008793
 BOOL        SSL_X509_getIDs(apr_pool_t *, X509 *, apr_array_header_t **);
008793
 BOOL        SSL_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);
008793
 BOOL        SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);