-rw-r--r-- | ssl_verify.c | 38 | ||||
-rw-r--r-- | ssl_verify_backend.h | 38 | ||||
-rw-r--r-- | ssl_verify_openssl.c | 37 | ||||
-rw-r--r-- | syshead.h | 2 |
4 files changed, 65 insertions, 50 deletions
diff --git a/ssl_verify.c b/ssl_verify.c
index ac5c03b..fe14992 100644
--- a/ssl_verify.c
+++ b/ssl_verify.c
@@ -281,31 +281,6 @@ tls_lock_cert_hash_set (struct tls_multi *multi)
 multi->locked_cert_hash_set = cert_hash_copy (chs);
 }
-#ifdef ENABLE_X509_TRACK
-
-void
-x509_track_add (const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc)
-{
- struct x509_track *xt;
- ALLOC_OBJ_CLEAR_GC (xt, struct x509_track, gc);
- if (*name == '+')
- {
- xt->flags |= XT_FULL_CHAIN;
- ++name;
- }
- xt->name = name;
- xt->nid = OBJ_txt2nid(name);
- if (xt->nid != NID_undef)
- {
- xt->next = *ll_head;
- *ll_head = xt;
- }
- else
- msg(msglevel, "x509_track: no such attribute '%s'", name);
-}
-
-#endif
-
 /*
 * Returns the string associated with the given certificate type.
 */
@@ -406,8 +381,11 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
 */
 static void
 verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth,
- const char *subject, const char *common_name,
- const struct x509_track *x509_track)
+ const char *subject, const char *common_name
+#ifdef ENABLE_X509_TRACK
+ , const struct x509_track *x509_track
+#endif
+ )
 {
 char envname[64];
@@ -635,7 +613,11 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
 session->verify_maxlevel = max_int (session->verify_maxlevel, cert_depth);
 /* export certificate values to the environment */
- verify_cert_set_env(opt->es, cert, cert_depth, subject, common_name, opt->x509_track);
+ verify_cert_set_env(opt->es, cert, cert_depth, subject, common_name
+#ifdef ENABLE_X509_TRACK
+ , opt->x509_track
+#endif
+ );
 /* export current untrusted IP */
 setenv_untrusted (session);
diff --git a/ssl_verify_backend.h b/ssl_verify_backend.h
index f3773b3..d526270 100644
--- a/ssl_verify_backend.h
+++ b/ssl_verify_backend.h
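Review bot: In the `@@ -406` hunk, verify_cert_set_env's x509_track parameter becomes conditional on ENABLE_X509_TRACK, but the hunk stops at `char envname[64];`, so it cannot be seen whether the body's use of x509_track (presumably a call to x509_setenv_track) is wrapped in the same `#ifdef`; if it is not, a build without ENABLE_X509_TRACK fails on an undeclared name. The same comma-inside-`#ifdef` construction is repeated at the call site in the `@@ -635` hunk, so the definition and the call in verify_cert must be kept in step by hand; a comment at the definition such as `/* x509_track is only passed when ENABLE_X509_TRACK is set; keep the call in verify_cert() in sync */` would make that explicit. verify_cert_set_env's body and verify_cert's body both continue outside their hunks.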
@@ -148,24 +148,52 @@ void x509_free_serial (char *serial);
 *
 * X509_{cert_depth}_{name}={value}
 *
- * @param xt
 * @param es Environment set to save variables in
 * @param cert_depth Depth of the certificate
 * @param cert Certificate to set the environment for
 */
-void x509_setenv_track (const struct x509_track *xt, struct env_set *es,
- const int depth, x509_cert_t *x509);
+void x509_setenv (struct env_set *es, int cert_depth, x509_cert_t *cert);
+
+#ifdef ENABLE_X509_TRACK
+
+/*
+ * Start tracking the given attribute.
+ *
+ * The tracked attributes are stored in ll_head.
+ *
+ * @param ll_head The x509_track to store tracked atttributes in
+ * @param name Name of the attribute to track
+ * @param msglevel Message level for errors
+ * @param gc Garbage collection arena for temp data
+ *
+ */
+void x509_track_add (const struct x509_track **ll_head, const char *name,
+ int msglevel, struct gc_arena *gc);
 /*
 * Save X509 fields to environment, using the naming convention:
 *
- * X509_{cert_depth}_{name}={value}
+ * X509_{cert_depth}_{name}={value}
+ *
+ * This function differs from setenv_x509 below in the following ways:
+ *
+ * (1) Only explicitly named attributes in xt are saved, per usage
+ * of --x509-track program options.
+ * (2) Only the level 0 cert info is saved unless the XT_FULL_CHAIN
+ * flag is set in xt->flags (corresponds with prepending a '+'
+ * to the name when specified by --x509-track program option).
+ * (3) This function supports both X509 subject name fields as
+ * well as X509 V3 extensions.
+ *
+ * @param xt
 * @param es Environment set to save variables in
 * @param cert_depth Depth of the certificate
 * @param cert Certificate to set the environment for
 */
-void x509_setenv (struct env_set *es, int cert_depth, x509_cert_t *cert);
+void x509_setenv_track (const struct x509_track *xt, struct env_set *es,
+ const int depth, x509_cert_t *x509);
+
+#endif
 /*
 * Check X.509 Netscape certificate type field, if available.
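Review bot: The new doc comments in this hunk do not match the prototypes they sit above: the x509_setenv_track declaration names its parameters `depth` and `x509` while the comment documents `cert_depth` and `cert`, and `@param xt` carries no description; declaring it as `const int cert_depth, x509_cert_t *cert` (the names x509_setenv already uses) and giving xt a line such as `@param xt List of attributes to export, built by x509_track_add` fixes both. The sentence `This function differs from setenv_x509 below` refers to a function that is declared as x509_setenv and now appears above this comment, so it should read `differs from x509_setenv above`. `atttributes` in x509_track_add's `@param ll_head` line is a typo. It would also help to state in x509_track_add's comment whether `name` is copied or stored by reference, since the definition in ssl_verify_openssl.c assigns the pointer directly.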
diff --git a/ssl_verify_openssl.c b/ssl_verify_openssl.c
index 1d32255..e49363e 100644
--- a/ssl_verify_openssl.c
+++ b/ssl_verify_openssl.c
@@ -254,22 +254,27 @@ x509_free_subject (char *subject)
 #ifdef ENABLE_X509_TRACK
-/*
- * setenv_x509_track function -- save X509 fields to environment,
- * using the naming convention:
- *
- * X509_{cert_depth}_{name}={value}
- *
- * This function differs from setenv_x509 below in the following ways:
- *
- * (1) Only explicitly named attributes in xt are saved, per usage
- * of --x509-track program options.
- * (2) Only the level 0 cert info is saved unless the XT_FULL_CHAIN
- * flag is set in xt->flags (corresponds with prepending a '+'
- * to the name when specified by --x509-track program option).
- * (3) This function supports both X509 subject name fields as
- * well as X509 V3 extensions.
- */
+
+void
+x509_track_add (const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc)
+{
+ struct x509_track *xt;
+ ALLOC_OBJ_CLEAR_GC (xt, struct x509_track, gc);
+ if (*name == '+')
+ {
+ xt->flags |= XT_FULL_CHAIN;
+ ++name;
+ }
+ xt->name = name;
+ xt->nid = OBJ_txt2nid(name);
+ if (xt->nid != NID_undef)
+ {
+ xt->next = *ll_head;
+ *ll_head = xt;
+ }
+ else
+ msg(msglevel, "x509_track: no such attribute '%s'", name);
+}
 /* worker method for setenv_x509_track */
 static void
@@ -620,7 +620,7 @@ socket_defined (const socket_descriptor_t sd)
 /*
 * Enable x509-track feature?
 */
-#if defined(USE_CRYPTO) && defined(USE_SSL)
+#if defined(USE_CRYPTO) && defined(USE_SSL) && defined USE_OPENSSL
 #define ENABLE_X509_TRACK
 #endif
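Review bot: The moved x509_track_add stores the caller's pointer directly (`xt->name = name;`, after optionally stepping past a leading `'+'`) instead of copying the string, so each list entry is only valid while the option string outlives the list allocated from gc; nothing in the hunk records that contract. Since the function is now a non-static definition in the OpenSSL backend, a one-line comment above it, `/* name is stored by reference, not copied; it must outlive the list built in *ll_head */`, would stop a future caller from passing a temporary. When OBJ_txt2nid fails the entry is dropped after `msg(msglevel, ...)`, so a mistyped --x509-track attribute silently exports nothing to the environment; whether that severity is right depends on the msglevel callers pass, which is outside this diff.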
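Review bot: `defined USE_OPENSSL` in the `@@ -620` hunk is valid but inconsistent with the `defined(USE_CRYPTO)` and `defined(USE_SSL)` forms on the same line; `#if defined(USE_CRYPTO) && defined(USE_SSL) && defined(USE_OPENSSL)` keeps the style uniform. With x509_track_add now defined only in ssl_verify_openssl.c, tying ENABLE_X509_TRACK to USE_OPENSSL is what keeps other backends from referencing a symbol they do not have; any code outside this diff that touches opt->x509_track or accepts the --x509-track option presumably needs the same guard, which cannot be confirmed from these hunks.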