|
|
@@ -15858,14 +15858,13 @@ hexdump2string(void *mem, int memlen, char *buf, int buflen)
|
|
|
}
|
|
|
|
|
|
|
|
|
-static void
|
|
|
-ssl_get_client_cert_info(struct mg_connection *conn)
|
|
|
+static int
|
|
|
+ssl_get_client_cert_info(const struct mg_connection *conn,
|
|
|
+ struct mg_client_cert *client_cert)
|
|
|
{
|
|
|
X509 *cert = SSL_get_peer_certificate(conn->ssl);
|
|
|
if (cert) {
|
|
|
- char str_subject[1024];
|
|
|
- char str_issuer[1024];
|
|
|
- char str_finger[1024];
|
|
|
+ char str_buf[1024];
|
|
|
unsigned char buf[256];
|
|
|
char *str_serial = NULL;
|
|
|
unsigned int ulen;
|
|
|
@@ -15885,12 +15884,18 @@ ssl_get_client_cert_info(struct mg_connection *conn)
|
|
|
|
|
|
/* Translate serial number to a hex string */
|
|
|
BIGNUM *serial_bn = ASN1_INTEGER_to_BN(serial, NULL);
|
|
|
- str_serial = BN_bn2hex(serial_bn);
|
|
|
- BN_free(serial_bn);
|
|
|
+ if (serial_bn) {
|
|
|
+ str_serial = BN_bn2hex(serial_bn);
|
|
|
+ BN_free(serial_bn);
|
|
|
+ }
|
|
|
+ client_cert->serial =
|
|
|
+ str_serial ? mg_strdup_ctx(str_serial, conn->phys_ctx) : NULL;
|
|
|
|
|
|
/* Translate subject and issuer to a string */
|
|
|
- (void)X509_NAME_oneline(subj, str_subject, (int)sizeof(str_subject));
|
|
|
- (void)X509_NAME_oneline(iss, str_issuer, (int)sizeof(str_issuer));
|
|
|
+ (void)X509_NAME_oneline(subj, str_buf, (int)sizeof(str_buf));
|
|
|
+ client_cert->subject = mg_strdup_ctx(str_buf, conn->phys_ctx);
|
|
|
+ (void)X509_NAME_oneline(iss, str_buf, (int)sizeof(str_buf));
|
|
|
+ client_cert->issuer = mg_strdup_ctx(str_buf, conn->phys_ctx);
|
|
|
|
|
|
/* Calculate SHA1 fingerprint and store as a hex string */
|
|
|
ulen = 0;
|
|
|
@@ -15912,34 +15917,19 @@ ssl_get_client_cert_info(struct mg_connection *conn)
|
|
|
mg_free(tmp_buf);
|
|
|
}
|
|
|
|
|
|
- if (!hexdump2string(
|
|
|
- buf, (int)ulen, str_finger, (int)sizeof(str_finger))) {
|
|
|
- *str_finger = 0;
|
|
|
+ if (!hexdump2string(buf, (int)ulen, str_buf, (int)sizeof(str_buf))) {
|
|
|
+ *str_buf = 0;
|
|
|
}
|
|
|
+ client_cert->finger = mg_strdup_ctx(str_buf, conn->phys_ctx);
|
|
|
|
|
|
- conn->request_info.client_cert = (struct mg_client_cert *)
|
|
|
- mg_malloc_ctx(sizeof(struct mg_client_cert), conn->phys_ctx);
|
|
|
- if (conn->request_info.client_cert) {
|
|
|
- conn->request_info.client_cert->peer_cert = (void *)cert;
|
|
|
- conn->request_info.client_cert->subject =
|
|
|
- mg_strdup_ctx(str_subject, conn->phys_ctx);
|
|
|
- conn->request_info.client_cert->issuer =
|
|
|
- mg_strdup_ctx(str_issuer, conn->phys_ctx);
|
|
|
- conn->request_info.client_cert->serial =
|
|
|
- mg_strdup_ctx(str_serial, conn->phys_ctx);
|
|
|
- conn->request_info.client_cert->finger =
|
|
|
- mg_strdup_ctx(str_finger, conn->phys_ctx);
|
|
|
- } else {
|
|
|
- mg_cry_internal(conn,
|
|
|
- "%s",
|
|
|
- "Out of memory: Cannot allocate memory for client "
|
|
|
- "certificate");
|
|
|
- }
|
|
|
+ client_cert->peer_cert = (void *)cert;
|
|
|
|
|
|
/* Strings returned from bn_bn2hex must be freed using OPENSSL_free,
|
|
|
* see https://linux.die.net/man/3/bn_bn2hex */
|
|
|
OPENSSL_free(str_serial);
|
|
|
+ return 1;
|
|
|
}
|
|
|
+ return 0;
|
|
|
}
|
|
|
|
|
|
|
|
|
@@ -18920,7 +18910,10 @@ worker_thread_run(struct mg_connection *conn)
|
|
|
/* conn->dom_ctx is set in get_request */
|
|
|
|
|
|
/* Get SSL client certificate information (if set) */
|
|
|
- ssl_get_client_cert_info(conn);
|
|
|
+ struct mg_client_cert client_cert;
|
|
|
+ if (ssl_get_client_cert_info(conn, &client_cert)) {
|
|
|
+ conn->request_info.client_cert = &client_cert;
|
|
|
+ }
|
|
|
|
|
|
/* process HTTPS connection */
|
|
|
#if defined(USE_HTTP2)
|
|
|
@@ -18954,7 +18947,6 @@ worker_thread_run(struct mg_connection *conn)
|
|
|
conn->request_info.client_cert->issuer = 0;
|
|
|
conn->request_info.client_cert->serial = 0;
|
|
|
conn->request_info.client_cert->finger = 0;
|
|
|
- mg_free(conn->request_info.client_cert);
|
|
|
conn->request_info.client_cert = 0;
|
|
|
}
|
|
|
} else {
|
xtne6f