Changeset adceac0 in mod_gnutls


Timestamp:
Sep 26, 2018, 3:21:32 PM (2 years ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master, proxy-ticket
Children:
2ec3e54
Parents:
cb6476c
Message:

Remove unneeded server variables "cert_cn" and "cert_san"

"cert_san" wasn't used or assigned at all, "cert_cn" filled but used
only in a redundant check for assignment and a log message that's
better served by the server name of the virtual host.

Files:
4 edited

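--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -79,6 +79,4 @@
 /* The maximum number of certificates to send in a chain */
 #define MAX_CHAIN_SIZE 8
-/* The maximum number of SANs to read from a x509 certificate */
-#define MAX_CERT_SAN 5
 
 /** Server Configuration Record */
@@ -141,8 +139,4 @@
      * connections */
     gnutls_anon_client_credentials_t anon_client_creds;
-        /* Current x509 Certificate CN [Common Name] */
-    char* cert_cn;
-        /* Current x509 Certificate SAN [Subject Alternate Name]s*/
-    char* cert_san[MAX_CERT_SAN];
         /* An x509 Certificate Chain */
     gnutls_pcert_st *certs_x509_chain;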
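--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -931,5 +931,4 @@
 void *mgs_config_server_merge(apr_pool_t * p, void *BASE, void *ADD)
 {
-    int i;
     char *err = NULL;
     mgs_srvconf_rec *base = (mgs_srvconf_rec *) BASE;
@@ -981,10 +980,4 @@
     gnutls_srvconf_assign(certs_x509_crt_chain);
     gnutls_srvconf_assign(certs_x509_chain_num);
-
-    /* how do these get transferred cleanly before the data from ADD
-     * goes away? */
-    gnutls_srvconf_assign(cert_cn);
-    for (i = 0; i < MAX_CERT_SAN; i++)
-        gnutls_srvconf_assign(cert_san[i]);
 
     return sc;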
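--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -358,61 +358,4 @@
             return -1;
         }
-}
-
-/* Read the common name or the alternative name of the certificate.
- * We only support a single name per certificate.
- *
- * Returns negative on error.
- */
-static int read_crt_cn(server_rec * s, apr_pool_t * p, gnutls_x509_crt_t cert, char **cert_cn) {
-
-    int rv = 0;
-    size_t data_len;
-
-
-    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-    *cert_cn = NULL;
-
-    data_len = 0;
-    rv = gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, NULL, &data_len);
-
-    if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
-        *cert_cn = apr_palloc(p, data_len);
-        rv = gnutls_x509_crt_get_dn_by_oid(cert,
-                GNUTLS_OID_X520_COMMON_NAME,
-                0, 0, *cert_cn,
-                &data_len);
-    } else { /* No CN return subject alternative name */
-        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                "No common name found in certificate for '%s:%d'. Looking for subject alternative name...",
-                s->server_hostname, s->port);
-        rv = 0;
-        /* read subject alternative name */
-        for (int i = 0; !(rv < 0); i++)
-        {
-            data_len = 0;
-            rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
-                    NULL,
-                    &data_len,
-                    NULL);
-
-            if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER
-                    && data_len > 1) {
-                /* FIXME: not very efficient. What if we have several alt names
-                 * before DNSName?
-                 */
-                *cert_cn = apr_palloc(p, data_len + 1);
-
-                rv = gnutls_x509_crt_get_subject_alt_name
-                        (cert, i, *cert_cn, &data_len, NULL);
-                (*cert_cn)[data_len] = 0;
-
-                if (rv == GNUTLS_SAN_DNSNAME)
-                    break;
-            }
-        }
-    }
-
-    return rv;
 }
 
@@ -752,19 +695,4 @@
         }
 
-        if (sc->enabled == GNUTLS_ENABLED_TRUE) {
-            rv = -1;
-            if (sc->certs_x509_chain_num > 0) {
-                rv = read_crt_cn(s, pconf, sc->certs_x509_crt_chain[0], &sc->cert_cn);
-            }
-
-            if (rv < 0) {
-                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                                                        "GnuTLS: Cannot find a certificate for host '%s:%d'!",
-                                                        s->server_hostname, s->port);
-                sc->cert_cn = NULL;
-                continue;
-            }
-        }
-
         if (sc->enabled == GNUTLS_ENABLED_TRUE
             && sc->proxy_enabled == GNUTLS_ENABLED_TRUE
@@ -956,5 +884,5 @@
             &gnutls_module);
 
-    if (tsc->enabled != GNUTLS_ENABLED_TRUE || tsc->cert_cn == NULL) {
+    if (tsc->enabled != GNUTLS_ENABLED_TRUE) {
         return 0;
     }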
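Review bot: Deleting old lines 754-767 removes the only startup check visible in this section that an enabled vhost actually has an x509 chain (`sc->certs_x509_chain_num > 0`, then a CN or DNS SAN in it), and with it the `continue` that skipped the rest of the per-server loop body, including the proxy-credential setup that now follows directly at new line 697, for hosts without a usable certificate. The commit message calls the check redundant, but no replacement appears in this diff; if the enclosing post_config loop (which starts and ends outside this section) has no equivalent guard, a misconfigured vhost will only be reported when a handshake fails instead of at startup. I would keep a minimal guard in its place, e.g. `if (sc->enabled == GNUTLS_ENABLED_TRUE && sc->certs_x509_chain_num == 0) ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, "GnuTLS: No certificate configured for host '%s:%d'!", s->server_hostname, s->port);`, and confirm whether the `continue` was load-bearing for the proxy block. The third hunk has the same effect in miniature: dropping `tsc->cert_cn == NULL` means that hook no longer bails out for an enabled vhost whose certificate could not be read.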
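--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -219,5 +219,7 @@
         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                       "%s: mod_proxy requested TLS proxy, but not enabled "
-                      "for %s", __func__, ctxt->sc->cert_cn);
+                      "for %s:%d", __func__,
+                      ctxt->c->base_server->server_hostname,
+                      ctxt->c->base_server->addrs->host_port);
         return 0;
     }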
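Review bot: The new log argument dereferences `ctxt->c->base_server->addrs->host_port` without checking `addrs`, which is a `server_addr_rec *` list head rather than a guaranteed-present field; I am not certain it is always non-NULL for every `base_server` (the main server without an explicit address list is the case to confirm), and a NULL here would crash an error-logging path on a misconfigured proxy. The rest of this changeset logs hosts as `s->server_hostname, s->port` (see the removed hunk in gnutls_hooks.c), so the consistent form with no extra dereference is `"for %s:%d", __func__, ctxt->c->base_server->server_hostname, ctxt->c->base_server->port);`. The enclosing function starts and ends outside this section.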