/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.apache.org/licenses/LICENSE-2.0
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
* _ __ ___ ___ __| | ___ ___| | mod_ssl
* | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
* | | | | | | (_) | (_| | \__ \__ \ |
* |_| |_| |_|\___/ \__,_|___|___/___/_|
* Expression Evaluation
#include "ssl_private.h"
/* _________________________________________________________________
** Expression Evaluation
** _________________________________________________________________
/* Forward declarations for the evaluator's file-local helpers (defined below). */
static BOOL  ssl_expr_eval_comp(request_rec *r, ssl_expr *node);
static char *ssl_expr_eval_word(request_rec *r, ssl_expr *node);
static BOOL  ssl_expr_eval_oid(request_rec *r, const char *word,
                               const char *oidstr);
static char *ssl_expr_eval_func_file(request_rec *r, char *filename);
static int   ssl_expr_eval_strcmplex(char *cpNum1, char *cpNum2);
/*
 * Evaluate a boolean expression tree in the context of request r.
 *
 * node_arg1/node_arg2 hold the sub-expressions of the boolean operators;
 * op_Comp delegates its single operand to ssl_expr_eval_comp().
 *
 * Returns TRUE or FALSE.  An unknown node type records a message in
 * ssl_expr_error and yields FALSE.
 */
BOOL ssl_expr_eval(request_rec *r, ssl_expr *node)
{
    ssl_expr *lhs = (ssl_expr *)node->node_arg1;
    ssl_expr *rhs = (ssl_expr *)node->node_arg2;

    switch (node->node_op) {
    case op_True:
        return TRUE;
    case op_False:
        return FALSE;
    case op_Not:
        return !ssl_expr_eval(r, lhs);
    case op_Or:
        /* short-circuit: rhs is only evaluated when lhs is FALSE */
        return ssl_expr_eval(r, lhs) || ssl_expr_eval(r, rhs);
    case op_And:
        /* short-circuit: rhs is only evaluated when lhs is TRUE */
        return ssl_expr_eval(r, lhs) && ssl_expr_eval(r, rhs);
    case op_Comp:
        return ssl_expr_eval_comp(r, lhs);
    default:
        ssl_expr_error = "Internal evaluation error: Unknown expression node";
        return FALSE;
    }
}
/*
 * Evaluate a comparison node (the operand of op_Comp) to TRUE/FALSE.
 *
 * The relational operators evaluate both operands to strings with
 * ssl_expr_eval_word(); op_EQ/op_NE compare byte-wise with strcmp(),
 * op_LT..op_GE go through ssl_expr_eval_strcmplex().  op_IN walks the
 * list in node_arg2 (each list node carries one element in node_arg1 and
 * the rest of the list, or NULL, in node_arg2); an op_OidListElement node
 * is matched via ssl_expr_eval_oid() and is always the last one.
 * op_REG/op_NRE match the left word against the precompiled ap_regex_t
 * stored in the right operand's node_arg1.
 *
 * An unknown node records a message in ssl_expr_error and yields FALSE.
 */
static BOOL ssl_expr_eval_comp(request_rec *r, ssl_expr *node)
{
    ssl_expr *lhs = (ssl_expr *)node->node_arg1;
    ssl_expr *rhs = (ssl_expr *)node->node_arg2;

    switch (node->node_op) {
    case op_EQ:
    case op_NE: {
        char *w1 = ssl_expr_eval_word(r, lhs);
        char *w2 = ssl_expr_eval_word(r, rhs);
        BOOL equal = (strcmp(w1, w2) == 0);

        return (node->node_op == op_EQ) ? equal : !equal;
    }

    case op_LT:
    case op_LE:
    case op_GT:
    case op_GE: {
        char *w1 = ssl_expr_eval_word(r, lhs);
        char *w2 = ssl_expr_eval_word(r, rhs);
        int rel = ssl_expr_eval_strcmplex(w1, w2);

        switch (node->node_op) {
        case op_LT:
            return rel < 0;
        case op_LE:
            return rel <= 0;
        case op_GT:
            return rel > 0;
        default:
            return rel >= 0;    /* op_GE */
        }
    }

    case op_IN: {
        char *w1 = ssl_expr_eval_word(r, lhs);
        ssl_expr *elt = rhs;
        BOOL found = FALSE;

        do {
            ssl_expr_node_op op = elt->node_op;
            ssl_expr *item = (ssl_expr *)elt->node_arg1;

            elt = (ssl_expr *)elt->node_arg2;

            if (op == op_OidListElement) {
                /* There will be no more nodes on the list, so the result
                 * is authoritative */
                found = ssl_expr_eval_oid(r, w1, ssl_expr_eval_word(r, item));
                break;
            }

            found = (strcmp(w1, ssl_expr_eval_word(r, item)) == 0);
        } while (!found && elt != NULL);

        return found;
    }

    case op_REG:
    case op_NRE: {
        char *word = ssl_expr_eval_word(r, lhs);
        ap_regex_t *regex = (ap_regex_t *)rhs->node_arg1;
        BOOL matched = (ap_regexec(regex, word, 0, NULL, 0) == 0);

        return (node->node_op == op_REG) ? matched : !matched;
    }

    default:
        ssl_expr_error = "Internal evaluation error: Unknown expression node";
        return FALSE;
    }
}
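/*
 * Evaluate a word node to its string value.
 *
 * op_Digit and op_String yield the literal text in node_arg1; op_Var looks
 * the variable up through ssl_var_lookup() (an unset variable yields "");
 * op_Func currently supports only file(<path>), which yields the file's
 * contents via ssl_expr_eval_func_file().
 *
 * Never returns NULL: every error path records a message in ssl_expr_error
 * and returns "", so callers such as ssl_expr_eval_comp() can pass the
 * result straight to strcmp().
 */
static char *ssl_expr_eval_word(request_rec *r, ssl_expr *node)
{
    switch (node->node_op) {
    case op_Digit:
    case op_String:
        /* both node kinds carry the literal in node_arg1 */
        return (char *)node->node_arg1;

    case op_Var: {
        char *var = (char *)node->node_arg1;
        char *val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);

        return (val == NULL ? "" : val);
    }

    case op_Func: {
        char *name = (char *)node->node_arg1;
        ssl_expr *args = (ssl_expr *)node->node_arg2;

        if (strEQ(name, "file")) {
            return ssl_expr_eval_func_file(r, (char *)args->node_arg1);
        }
        ssl_expr_error = "Internal evaluation error: Unknown function name";
        return "";
    }

    default:
        /* return a real (empty) string, not a boolean, so callers that
         * hand the result to strcmp() never dereference NULL */
        ssl_expr_error = "Internal evaluation error: Unknown expression node";
        return "";
    }
}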
#define NUM_OID_ELTS 8 /* start with 8 oid slots, resize when needed */
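/*
 * Collect the printable values of every extension in the peer certificate
 * whose OID equals oidstr (dotted-decimal form; OBJ_txt2obj() is called
 * with no_name=1, so symbolic names are not accepted).
 *
 * Returns a pool-allocated array of char * with one entry per matching
 * extension, or NULL when there is no SSL connection, no peer certificate,
 * the OID cannot be parsed, or nothing matched.
 *
 * Ownership: SSL_get_peer_certificate() returns a new reference and
 * OBJ_txt2obj() may allocate; both are released on every exit path
 * (ASN1_OBJECT_free() is a no-op for OpenSSL's static table entries).
 */
apr_array_header_t *ssl_extlist_by_oid(request_rec *r, const char *oidstr)
{
    int count, j;
    X509 *xs;
    ASN1_OBJECT *oid;
    apr_array_header_t *val_array;
    SSLConnRec *sslconn = myConnConfig(r->connection);

    if (oidstr == NULL || sslconn == NULL || sslconn->ssl == NULL) {
        return NULL;
    }

    /* Determine the oid we are looking for */
    if ((oid = OBJ_txt2obj(oidstr, 1)) == NULL) {
        ERR_clear_error();
        return NULL;
    }

    if ((xs = SSL_get_peer_certificate(sslconn->ssl)) == NULL) {
        ASN1_OBJECT_free(oid);
        return NULL;
    }

    val_array = apr_array_make(r->pool, NUM_OID_ELTS, sizeof(char *));

    /* Loop over all extensions, extract the desired oids */
    count = X509_get_ext_count(xs);
    for (j = 0; j < count; j++) {
        X509_EXTENSION *ext = X509_get_ext(xs, j);
        BIO *bio;

        /* accessor instead of ext->object: keeps working when the
         * X509_EXTENSION struct is opaque */
        if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) != 0) {
            continue;
        }

        if ((bio = BIO_new(BIO_s_mem())) == NULL) {
            /* out of memory: stop here and return what was collected */
            break;
        }

        if (X509V3_EXT_print(bio, ext, 0, 0) == 1) {
            BUF_MEM *buf;
            char **new = apr_array_push(val_array);

            BIO_get_mem_ptr(bio, &buf);

            /* the mem BIO's buffer is not NUL-terminated, so copy exactly
             * buf->length bytes instead of using apr_pstrdup() */
            *new = apr_pstrmemdup(r->pool, buf->data, buf->length);
        }

        BIO_vfree(bio);
    }

    X509_free(xs);
    ASN1_OBJECT_free(oid);
    /* X509V3_EXT_print() may leave entries on the error stack */
    ERR_clear_error();

    return (val_array->nelts == 0) ? NULL : val_array;
}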
/*
 * TRUE when word equals one of the values of the peer-certificate
 * extension identified by oidstr (as collected by ssl_extlist_by_oid()),
 * FALSE otherwise -- including when the extension is absent or there is
 * no peer certificate.
 */
static BOOL ssl_expr_eval_oid(request_rec *r, const char *word, const char *oidstr)
{
    apr_array_header_t *oid_array = ssl_extlist_by_oid(r, oidstr);
    char **values;
    int i;

    if (oid_array == NULL) {
        return FALSE;
    }

    values = (char **)oid_array->elts;
    for (i = 0; i < oid_array->nelts; i++) {
        if (strcmp(word, values[i]) == 0) {
            return TRUE;
        }
    }

    return FALSE;
}
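/*
 * Implementation of the file(<path>) word function: read the whole file
 * into a pool-allocated, NUL-terminated buffer.
 *
 * Returns the contents (possibly "") on success.  On any failure a message
 * is recorded in ssl_expr_error and "" is returned, so the caller always
 * receives a usable string.  Files whose size does not fit in apr_size_t
 * are rejected rather than silently truncated.
 */
static char *ssl_expr_eval_func_file(request_rec *r, char *filename)
{
    apr_file_t *fp;
    apr_finfo_t finfo;
    apr_off_t offset = 0;
    apr_size_t len;
    char *buf;

    if (apr_file_open(&fp, filename, APR_READ|APR_BUFFERED,
                      APR_OS_DEFAULT, r->pool) != APR_SUCCESS) {
        ssl_expr_error = "Cannot open file";
        return "";
    }

    /* finfo.size is only meaningful when the stat succeeded; using it
     * after a failure would size the buffer from an uninitialized value */
    if (apr_file_info_get(&finfo, APR_FINFO_SIZE, fp) != APR_SUCCESS) {
        ssl_expr_error = "Cannot stat file";
        apr_file_close(fp);
        return "";
    }

    /* apr_off_t may be wider than apr_size_t: refuse a size the cast below
     * would truncate instead of reading into a too-small buffer */
    if ((finfo.size + 1) != ((apr_size_t)finfo.size + 1)) {
        ssl_expr_error = "Huge file cannot be read";
        apr_file_close(fp);
        return "";
    }
    len = (apr_size_t)finfo.size;

    /* len + 1 leaves room for the terminator, also for an empty file */
    if ((buf = apr_palloc(r->pool, len + 1)) == NULL) {
        ssl_expr_error = "Cannot allocate memory";
        apr_file_close(fp);
        return "";
    }

    if (len > 0) {
        apr_file_seek(fp, APR_SET, &offset);
        if (apr_file_read(fp, buf, &len) != APR_SUCCESS) {
            ssl_expr_error = "Cannot read from file";
            apr_file_close(fp);
            return "";
        }
    }
    /* apr_file_read() updates len to the number of bytes actually read */
    buf[len] = '\0';

    apr_file_close(fp);
    return buf;
}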
/* a variant of strcmp(3) which also orders numeric strings correctly */
static int ssl_expr_eval_strcmplex(char *cpNum1, char *cpNum2)
for (i = 0; i < n1; i++) {
if (cpNum1[i] > cpNum2[i])
if (cpNum1[i] < cpNum2[i])