[TLS] use stack for SSL_CLIENT_S_DN_* tag

(reduce use of r->tmp_buf in TLS modules)
10 months ago · 0ffb8167c1
5 changed files with 29 additions and 29 deletions
--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@ -2667,13 +2667,13 @@ https_add_ssl_client_cert (request_st * const r, const gnutls_x509_crt_t peer)
 static void
 https_add_ssl_client_subject (request_st * const r, gnutls_x509_dn_t dn)
 {
-    buffer * const tb = r->tmp_buf;
    int irdn = 0, i, rc;
    gnutls_x509_ava_st ava;
+    const size_t prelen = sizeof("SSL_CLIENT_S_DN_")-1;
+    char key[64] = "SSL_CLIENT_S_DN_";
    char buf[512]; /*(expecting element value len <= 256)*/

    /* add components of client Subject DN */
-    buffer_copy_string_len(tb, CONST_STR_LEN("SSL_CLIENT_S_DN_"));

    /* man gnutls_x509_dn_get_rdn_ava()
     *   The X.509 distinguished name is a sequence of sequences of strings and
@ -2688,8 +2688,9 @@ https_add_ssl_client_subject (request_st * const r, gnutls_x509_dn_t dn)
            const char *name =
              gnutls_x509_dn_oid_name((char *)ava.oid.data,
                                      GNUTLS_X509_DN_OID_RETURN_OID);
-            buffer_string_set_length(tb, sizeof("SSL_CLIENT_S_DN_")-1);
-            buffer_append_string_len(tb, name, strlen(name));
+            const size_t len = strlen(name);
+            if (prelen+len >= sizeof(key)) continue;
+            memcpy(key+prelen, name, len); /*(not '\0'-terminated)*/

            unsigned int v, n = 0;
            for (v = 0; v < ava.value.size && n < sizeof(buf)-1; ++n) {
@ -2697,7 +2698,7 @@ https_add_ssl_client_subject (request_st * const r, gnutls_x509_dn_t dn)
                buf[n] = (c < 32 || c == 127 || (c > 128 && c < 160)) ? '?' : c;
            }

-            http_header_env_set(r, CONST_BUF_LEN(tb), buf, n);
+            http_header_env_set(r, key, prelen+len, buf, n);
        }
        ++irdn;
    } while (rc == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND && i > 0);
--- a/src/mod_mbedtls.c
+++ b/src/mod_mbedtls.c
@ -2324,10 +2324,10 @@ https_add_ssl_client_subject (request_st * const r, const mbedtls_x509_name *nam
 {
    /* add components of client Subject DN */
    /* code block is similar to mbedtls_x509_dn_gets() */
-    buffer * const tb = r->tmp_buf;
+    const size_t prelen = sizeof("SSL_CLIENT_S_DN_")-1;
+    char key[64] = "SSL_CLIENT_S_DN_";
    char buf[MBEDTLS_X509_MAX_DN_NAME_SIZE]; /*(256)*/

-    buffer_copy_string_len(tb, CONST_STR_LEN("SSL_CLIENT_S_DN_"));
    while (name != NULL) {
        if (!name->oid.p) {
            name = name->next;
@ -2337,8 +2337,9 @@ https_add_ssl_client_subject (request_st * const r, const mbedtls_x509_name *nam
        const char *short_name = NULL;
        if (0 != mbedtls_oid_get_attr_short_name(&name->oid, &short_name))
            continue;
-        buffer_string_set_length(tb, sizeof("SSL_CLIENT_S_DN_")-1);
-        buffer_append_string(tb, short_name);
+        const size_t len = strlen(short_name);
+        if (prelen+len >= sizeof(key)) continue;
+        memcpy(key+prelen, short_name, len); /*(not '\0'-terminated)*/

        const mbedtls_x509_name *nm = name;
        int n = 0;
@ -2355,9 +2356,7 @@ https_add_ssl_client_subject (request_st * const r, const mbedtls_x509_name *nam
            while (nm->next_merged && nm->next) nm = nm->next;
        name = nm->next;

-        http_header_env_set(r,
-                            CONST_BUF_LEN(tb),
-                            buf, n);
+        http_header_env_set(r, key, prelen+len, buf, n);
    }
 }

--- a/src/mod_nss.c
+++ b/src/mod_nss.c
@ -2452,8 +2452,8 @@ https_add_ssl_client_subject (request_st * const r, CERTName * const subj)
        { CONST_STR_LEN("emailAddress"), CERT_GetCertEmailAddress },
        { CONST_STR_LEN("DC"),           CERT_GetDomainComponentName },
      };
-    buffer * const tb = r->tmp_buf;
-    buffer_copy_string_len(tb, CONST_STR_LEN("SSL_CLIENT_S_DN_"));
+    const size_t prelen = sizeof("SSL_CLIENT_S_DN_")-1;
+    char key[64] = "SSL_CLIENT_S_DN_";
    for (uint32_t i = 0; i < sizeof(comp)/sizeof(*comp); ++i) {
        char *s = comp[i].fn(subj);
        if (NULL == s) continue;
@ -2464,9 +2464,9 @@ https_add_ssl_client_subject (request_st * const r, CERTName * const subj)
            if (c < 32 || c == 127 || (c > 128 && c < 160)) s[n] = '?';
        }

-        buffer_string_set_length(tb, sizeof("SSL_CLIENT_S_DN_")-1);
-        buffer_append_string_len(tb, comp[i].tag, comp[i].tlen);
-        http_header_env_set(r, CONST_BUF_LEN(tb), s, n);
+        /*if (prelen+comp[i].tlen >= sizeof(key)) continue;*//*(not possible)*/
+        memcpy(key+prelen, comp[i].tag, comp[i].tlen); /*(not '\0'-terminated)*/
+        http_header_env_set(r, key, prelen+comp[i].tlen, s, n);

        PR_Free(s);
    }
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@ -3350,8 +3350,8 @@ CONNECTION_FUNC(mod_openssl_handle_con_close)
 static void
 https_add_ssl_client_subject (request_st * const r, X509_NAME *xn)
 {
-    buffer * const tb = r->tmp_buf;
-    buffer_copy_string_len(tb, CONST_STR_LEN("SSL_CLIENT_S_DN_"));
+    const size_t prelen = sizeof("SSL_CLIENT_S_DN_")-1;
+    char key[64] = "SSL_CLIENT_S_DN_";
    for (int i = 0, nentries = X509_NAME_entry_count(xn); i < nentries; ++i) {
        int xobjnid;
        const char * xobjsn;
@ -3363,10 +3363,10 @@ https_add_ssl_client_subject (request_st * const r, X509_NAME *xn)
        xobjnid = OBJ_obj2nid((ASN1_OBJECT*)X509_NAME_ENTRY_get_object(xe));
        xobjsn = OBJ_nid2sn(xobjnid);
        if (xobjsn) {
-            buffer_string_set_length(tb, sizeof("SSL_CLIENT_S_DN_")-1);
-            buffer_append_string(tb, xobjsn);
-            http_header_env_set(r,
-                                CONST_BUF_LEN(tb),
+            const size_t len = strlen(xobjsn);
+            if (prelen+len >= sizeof(key)) continue;
+            memcpy(key+prelen, xobjsn, len); /*(not '\0'-terminated)*/
+            http_header_env_set(r, key, prelen+len,
                                (const char*)X509_NAME_ENTRY_get_data(xe)->data,
                                X509_NAME_ENTRY_get_data(xe)->length);
        }
--- a/src/mod_wolfssl.c
+++ b/src/mod_wolfssl.c
@ -3133,8 +3133,8 @@ CONNECTION_FUNC(mod_openssl_handle_con_close)
 static void
 https_add_ssl_client_subject (request_st * const r, X509_NAME *xn)
 {
-    buffer * const tb = r->tmp_buf;
-    buffer_copy_string_len(tb, CONST_STR_LEN("SSL_CLIENT_S_DN_"));
+    const size_t prelen = sizeof("SSL_CLIENT_S_DN_")-1;
+    char key[64] = "SSL_CLIENT_S_DN_";
    for (int i = 0, nentries = X509_NAME_entry_count(xn); i < nentries; ++i) {
        int xobjnid;
        const char * xobjsn;
@ -3146,10 +3146,10 @@ https_add_ssl_client_subject (request_st * const r, X509_NAME *xn)
        xobjnid = OBJ_obj2nid((ASN1_OBJECT*)X509_NAME_ENTRY_get_object(xe));
        xobjsn = OBJ_nid2sn(xobjnid);
        if (xobjsn) {
-            buffer_string_set_length(tb, sizeof("SSL_CLIENT_S_DN_")-1);
-            buffer_append_string(tb, xobjsn);
-            http_header_env_set(r,
-                                CONST_BUF_LEN(tb),
+            const size_t len = strlen(xobjsn);
+            if (prelen+len >= sizeof(key)) continue;
+            memcpy(key+prelen, xobjsn, len); /*(not '\0'-terminated)*/
+            http_header_env_set(r, key, prelen+len,
                                (const char*)X509_NAME_ENTRY_get_data(xe)->data,
                                X509_NAME_ENTRY_get_data(xe)->length);
        }