On Mon, Jan 08, 2001 at 04:59:28PM +0000, Dr S N Henson wrote:
> Lutz Jaenicke wrote:
> > I just had a look into it. Maybe I will understand it tomorrow.
> > Once I understood it I will consider writing a manual page and update
> > the example for the verify_callback...
> > 
> 
> There is a manual page describing the ex_data functions in the
> RSA_get_ex_new_index(1), other than the fact that the data is stored in
> X509_STORE_CTX and the different function names the usage is identical.

Thanks, I finally understood how it works. I was first confused by the
specially crafted SSL_get_ex_data_X509_STORE_CTX_idx() function but
I managed to use it now :-)

Ok, now directed to the original poster of this thread: I have just
enhanced/changed Postfix/TLS to use the just discovered functionality
and can share my experiences with you. (The full change will be released
as Postfix/TLS 0.6.33 after I have re-checked every change and added
appropriate comments.)

First, for your information, I have all necessary information about
an SSL connection in a special structure anyway, so I have just enhanced
it to contain the enforce_CN and enforce_verify_errors flags, which
I had as global variables before (please just ignore the other fields,
which are filled in as appropriate during the run):

typedef struct {
  SSL *con;
  BIO *internal_bio;                    /* postfix/TLS side of pair */
  BIO *network_bio;                     /* network side of pair */
  char peer_subject[CCERT_BUFSIZ];
  char peer_issuer[CCERT_BUFSIZ];
  char peer_CN[CCERT_BUFSIZ];
  char issuer_CN[CCERT_BUFSIZ];
  unsigned char md[EVP_MAX_MD_SIZE];
  char fingerprint[EVP_MAX_MD_SIZE * 3];
  char peername_save[129];
  int enforce_verify_errors;            /* verify errors are fatal for this connection */
  int enforce_CN;                       /* peer CN must match for this connection */
} TLScontext_t;

Now you need one global variable that however has the same value for all
SSL structures and is therefore no problem:

static int TLScontext_index;

You need to initialize this index once in the program to identify the type
of information to be retrieved! (The SSL internals don't have an idea what
a TLScontext is, so the pointer to it is handled based on the index number.)

TLScontext_index = SSL_get_ex_new_index(0, "TLScontext ex_data index",
                                            NULL, NULL, NULL);

The arguments NULL'ed here are needed for copying the structure etc.
The TLScontext is just one entity, a pointer to which is enough, so
I don't need this functionality. Check out the manual page for
RSA_get_ex_new_index(3) (as suggested by Steve) to learn more about it.

Ok, now when establishing a new SSL connection, I create a new TLScontext
and a new SSL, and then store the pointer to TLScontext into the SSL:
TLScontext->con = SSL_new(ssl_ctx);     /* ssl_ctx: the program's SSL_CTX */
SSL_set_ex_data(TLScontext->con, TLScontext_index, TLScontext);
(setting of other parameters...)

Now later in the verify_callback I can do:
int verify_callback(int ok, X509_STORE_CTX * ctx)
{
  SSL *con;
  TLScontext_t *TLScontext;

  /* The SSL pointer is stored in the X509_STORE_CTX at a fixed, library-defined index. */
  con = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
  /* Our own pointer is stored in the SSL at the index allocated above. */
  TLScontext = SSL_get_ex_data(con, TLScontext_index);

  /* Now happily use all information about this connection. */

  return ok;    /* keep the library's verdict unless the connection's policy says otherwise */
}

SSL_get_ex_data_X509_STORE_CTX_idx() is a fixed functionality that will always
point you to the (pointer to SSL) stored inside (ctx).
If you are happy to just know the (pointer to SSL) you wouldn't even need the
other things around, but then you would have to search your database of
active SSLs to find which one you are currently investigating.

Of course, you don't need to use a general structure; you can also store more
than one piece of information, with an index each.

Hmm. It will probably take some days before I find the time to do it, but
I will integrate this one way or the other to the verify_callback()
manual page already available and SSL_set_ex_data() and friends
yet-to-be-written manual page...

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
