From d9710462fcceb5f5bc076483dff288f149503a5d Mon Sep 17 00:00:00 2001
From: Francesco Giacomini <giaco at cnaf dot infn dot it>
Date: Thu, 28 Jun 2018 15:24:01 +0200
Subject: [PATCH] reorder code
---
src/ngx_http_voms_module.cpp | 412 +++++++++++++++++------------------
1 file changed, 206 insertions(+), 206 deletions(-)
diff --git a/src/ngx_http_voms_module.cpp b/src/ngx_http_voms_module.cpp
index a0a1e19..de7b737 100644
--- a/src/ngx_http_voms_module.cpp
+++ b/src/ngx_http_voms_module.cpp
@@ -209,212 +209,6 @@ static ngx_http_variable_t variables[] = {
ngx_http_null_variable //
};
-static std::string to_rfc2253(X509_NAME* name)
-{
- std::string result;
-
- BioPtr bio(BIO_new(BIO_s_mem()), &BIO_free);
- if (!bio) {
- return result;
- }
-
- if (X509_NAME_print_ex(bio.get(), name, 0, XN_FLAG_RFC2253) < 0) {
- return result;
- }
-
- auto len = BIO_pending(bio.get());
- result.resize(len);
-
- BIO_read(bio.get(), &result[0], result.size());
-
- return result;
-}
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-static uint32_t X509_get_extension_flags(X509* x)
-{
- return x->ex_flags;
-}
-#endif
-
-static bool is_proxy(X509* cert)
-{
- return X509_get_extension_flags(cert) & EXFLAG_PROXY;
-}
-
-static X509* get_ee_cert(ngx_http_request_t* r)
-{
- auto chain = SSL_get_peer_cert_chain(r->connection->ssl->connection);
- if (!chain) {
- ngx_log_error(
- NGX_LOG_ERR, r->connection->log, 0, "SSL_get_peer_cert_chain() failed");
- return nullptr;
- }
-
- X509* ee_cert = nullptr;
-
- if (sk_X509_num(chain) == 0) {
- ee_cert = SSL_get_peer_certificate(r->connection->ssl->connection);
- } else {
- // find first non-proxy
- for (int i = 0; i != sk_X509_num(chain); ++i) {
- auto cert = sk_X509_value(chain, i);
- if (cert && !is_proxy(cert)) {
- ee_cert = cert;
- break;
- }
- }
- }
-
- return ee_cert;
-}
-
-static ngx_int_t get_ssl_client_ee_cert_raw(ngx_http_request_t* r, ngx_str_t* s)
-{
- ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__);
- s->len = 0;
-
- auto ee_cert = get_ee_cert(r);
-
- if (!ee_cert) {
- ngx_log_error(NGX_LOG_DEBUG,
- r->connection->log,
- 0,
- "cannot identify end-entity certificate");
- return NGX_OK;
- }
-
- BioPtr bio(BIO_new(BIO_s_mem()), &BIO_free);
- if (!bio) {
- ngx_log_error(
- NGX_LOG_ERR, r->connection->log, 0, "cannot create OpenSSL BIO");
- return NGX_ERROR;
- }
-
- if (PEM_write_bio_X509(bio.get(), ee_cert) == 0) {
- ngx_log_error(
- NGX_LOG_ERR, r->connection->log, 0, "cannot write EEC to OpenSSL bio");
- return NGX_ERROR;
- }
-
- size_t len = BIO_pending(bio.get());
-
- s->len = len;
- s->data = static_cast<u_char*>(ngx_pnalloc(r->pool, len));
-
- if (s->data == nullptr) {
- return NGX_ERROR;
- }
-
- BIO_read(bio.get(), s->data, len);
-
- return NGX_OK;
-}
-
-static ngx_int_t get_ssl_client_ee_cert(ngx_http_request_t* r,
- ngx_http_variable_value_t* v,
- uintptr_t data)
-{
- ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__);
-
- v->not_found = 1;
- v->valid = 0;
-
- ngx_str_t cert;
-
- if (get_ssl_client_ee_cert_raw(r, &cert) != NGX_OK) {
- return NGX_ERROR;
- }
-
- if (cert.len == 0) {
- v->len = 0;
- return NGX_OK;
- }
-
- size_t len = cert.len - 1;
-
- for (int i = 0; i < cert.len - 1; i++) {
- if (cert.data[i] == '\n') {
- len++;
- }
- }
-
- auto buffer = static_cast<u_char*>(ngx_pnalloc(r->pool, len));
-
- if (!buffer) {
- return NGX_OK;
- }
-
- u_char* p = buffer;
-
- for (int i = 0; i < cert.len - 1; i++) {
- *p++ = cert.data[i];
- if (cert.data[i] == '\n') {
- *p++ = '\t';
- }
- }
-
- v->data = buffer;
- v->len = len;
- v->valid = 1;
- v->not_found = 0;
- v->no_cacheable = 0;
- return NGX_OK;
-}
-
-static ngx_int_t get_ssl_client_ee_dn(ngx_http_request_t* r,
- ngx_http_variable_value_t* v,
- uintptr_t data)
-{
- ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__);
-
- v->not_found = 1;
- v->valid = 0;
-
- auto ee_cert = get_ee_cert(r);
-
- if (!ee_cert) {
- ngx_log_error(NGX_LOG_DEBUG,
- r->connection->log,
- 0,
- "cannot identify end-entity certificate");
- return NGX_OK;
- }
-
- X509_NAME* dn;
-
- switch (static_cast<EeDn>(data)) {
- case EeDn::SUBJECT:
- dn = X509_get_subject_name(ee_cert);
- break;
- case EeDn::ISSUER:
- dn = X509_get_issuer_name(ee_cert);
- break;
- default:
- dn = nullptr;
- }
-
- if (!dn) {
- ngx_log_error(
- NGX_LOG_DEBUG, r->connection->log, 0, "cannot get DN from certificate");
- return NGX_OK;
- }
- std::string value = to_rfc2253(dn);
-
- auto buffer = static_cast<u_char*>(ngx_pnalloc(r->pool, value.size()));
- if (!buffer) {
- return NGX_OK;
- }
- ngx_memcpy(buffer, value.c_str(), value.size());
-
- v->data = buffer;
- v->len = value.size();
- v->valid = 1;
- v->not_found = 0;
- v->no_cacheable = 0;
- return NGX_OK;
-}
-
static ngx_int_t add_variables(ngx_conf_t* cf)
{
for (ngx_http_variable_t* v = variables; v->name.len; ++v) {
@@ -651,3 +445,209 @@ std::string get_voms_serial(VomsAc const& ac)
{
return ac.serial;
}
+
+static std::string to_rfc2253(X509_NAME* name)
+{
+ std::string result;
+
+ BioPtr bio(BIO_new(BIO_s_mem()), &BIO_free);
+ if (!bio) {
+ return result;
+ }
+
+ if (X509_NAME_print_ex(bio.get(), name, 0, XN_FLAG_RFC2253) < 0) {
+ return result;
+ }
+
+ auto len = BIO_pending(bio.get());
+ result.resize(len);
+
+ BIO_read(bio.get(), &result[0], result.size());
+
+ return result;
+}
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+static uint32_t X509_get_extension_flags(X509* x)
+{
+ return x->ex_flags;
+}
+#endif
+
+static bool is_proxy(X509* cert)
+{
+ return X509_get_extension_flags(cert) & EXFLAG_PROXY;
+}
+
+static X509* get_ee_cert(ngx_http_request_t* r)
+{
+ auto chain = SSL_get_peer_cert_chain(r->connection->ssl->connection);
+ if (!chain) {
+ ngx_log_error(
+ NGX_LOG_ERR, r->connection->log, 0, "SSL_get_peer_cert_chain() failed");
+ return nullptr;
+ }
+
+ X509* ee_cert = nullptr;
+
+ if (sk_X509_num(chain) == 0) {
+ ee_cert = SSL_get_peer_certificate(r->connection->ssl->connection);
+ } else {
+ // find first non-proxy
+ for (int i = 0; i != sk_X509_num(chain); ++i) {
+ auto cert = sk_X509_value(chain, i);
+ if (cert && !is_proxy(cert)) {
+ ee_cert = cert;
+ break;
+ }
+ }
+ }
+
+ return ee_cert;
+}
+
+static ngx_int_t get_ssl_client_ee_dn(ngx_http_request_t* r,
+ ngx_http_variable_value_t* v,
+ uintptr_t data)
+{
+ ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__);
+
+ v->not_found = 1;
+ v->valid = 0;
+
+ auto ee_cert = get_ee_cert(r);
+
+ if (!ee_cert) {
+ ngx_log_error(NGX_LOG_DEBUG,
+ r->connection->log,
+ 0,
+ "cannot identify end-entity certificate");
+ return NGX_OK;
+ }
+
+ X509_NAME* dn;
+
+ switch (static_cast<EeDn>(data)) {
+ case EeDn::SUBJECT:
+ dn = X509_get_subject_name(ee_cert);
+ break;
+ case EeDn::ISSUER:
+ dn = X509_get_issuer_name(ee_cert);
+ break;
+ default:
+ dn = nullptr;
+ }
+
+ if (!dn) {
+ ngx_log_error(
+ NGX_LOG_DEBUG, r->connection->log, 0, "cannot get DN from certificate");
+ return NGX_OK;
+ }
+ std::string value = to_rfc2253(dn);
+
+ auto buffer = static_cast<u_char*>(ngx_pnalloc(r->pool, value.size()));
+ if (!buffer) {
+ return NGX_OK;
+ }
+ ngx_memcpy(buffer, value.c_str(), value.size());
+
+ v->data = buffer;
+ v->len = value.size();
+ v->valid = 1;
+ v->not_found = 0;
+ v->no_cacheable = 0;
+ return NGX_OK;
+}
+
+static ngx_int_t get_ssl_client_ee_cert_raw(ngx_http_request_t* r, ngx_str_t* s)
+{
+ ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__);
+ s->len = 0;
+
+ auto ee_cert = get_ee_cert(r);
+
+ if (!ee_cert) {
+ ngx_log_error(NGX_LOG_DEBUG,
+ r->connection->log,
+ 0,
+ "cannot identify end-entity certificate");
+ return NGX_OK;
+ }
+
+ BioPtr bio(BIO_new(BIO_s_mem()), &BIO_free);
+ if (!bio) {
+ ngx_log_error(
+ NGX_LOG_ERR, r->connection->log, 0, "cannot create OpenSSL BIO");
+ return NGX_ERROR;
+ }
+
+ if (PEM_write_bio_X509(bio.get(), ee_cert) == 0) {
+ ngx_log_error(
+ NGX_LOG_ERR, r->connection->log, 0, "cannot write EEC to OpenSSL bio");
+ return NGX_ERROR;
+ }
+
+ size_t len = BIO_pending(bio.get());
+
+ s->len = len;
+ s->data = static_cast<u_char*>(ngx_pnalloc(r->pool, len));
+
+ if (s->data == nullptr) {
+ return NGX_ERROR;
+ }
+
+ BIO_read(bio.get(), s->data, len);
+
+ return NGX_OK;
+}
+
+static ngx_int_t get_ssl_client_ee_cert(ngx_http_request_t* r,
+ ngx_http_variable_value_t* v,
+ uintptr_t data)
+{
+ ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__);
+
+ v->not_found = 1;
+ v->valid = 0;
+
+ ngx_str_t cert;
+
+ if (get_ssl_client_ee_cert_raw(r, &cert) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ if (cert.len == 0) {
+ v->len = 0;
+ return NGX_OK;
+ }
+
+ size_t len = cert.len - 1;
+
+ for (int i = 0; i < cert.len - 1; i++) {
+ if (cert.data[i] == '\n') {
+ len++;
+ }
+ }
+
+ auto buffer = static_cast<u_char*>(ngx_pnalloc(r->pool, len));
+
+ if (!buffer) {
+ return NGX_OK;
+ }
+
+ u_char* p = buffer;
+
+ for (int i = 0; i < cert.len - 1; i++) {
+ *p++ = cert.data[i];
+ if (cert.data[i] == '\n') {
+ *p++ = '\t';
+ }
+ }
+
+ v->data = buffer;
+ v->len = len;
+ v->valid = 1;
+ v->not_found = 0;
+ v->no_cacheable = 0;
+ return NGX_OK;
+}
--
GitLab