[Devel] TLS ...

Klaus Darilion klaus.mailinglists at pernau.at
Wed Feb 22 17:45:14 CET 2006


Daniel-Constantin Mierla wrote:
> On 02/22/06 17:58, Klaus Darilion wrote:
>> Daniel-Constantin Mierla wrote:
>>> On 02/22/06 16:52, Klaus Darilion wrote:
>>>> I just got another idea/question: How should the certificate 
>>>> parameters be exported?
>>>>
>>>> ° via AVPs during a dedicated call
>>>>   tls_get_cert_subject("s:cert_subject");
>>>>
>>>> ° via pre-defined AVPs
>>>>    tls_get_cert_params(); # copy parameters into
>>>>                           # predefined AVPs
>>>>
>>>> ° via pseudo variables
>>>>   $cs    # certificate subject
>>>>   $cc    # certificate common name
>>>>   $cin    # certificate issuer name
>>>>   $cif    # certificate issuer fingerprint
>>>>   ...
>>>>
>>>> any comments?
>>> They should be pure pseudo-variables (non-avp) since they are read 
>>> only. It is in the plan of the development version to add support for 
>>> longer names for pseudo-variables under a $(pseudo-variable-name) 
>>> format and allow the modules to register custom pseudo-variables at 
>>> runtime. I will start working on it after the 1.0.1 release.
>>
>> I've studied the pseudo variables parser and as far as I see they just 
>> reference to existing buffers, e.g.:
>>
>>         res->rs.s = msg->callid->body.s;
>>         res->rs.len = msg->callid->body.len;
>>
>>
>> In the case of certificate parameters, there are no existing buffers. 
>> Thus, when e.g. using $cs (certificate subject), a new buffer must be 
>> created for the ASCII version of the subject.
>>
>> How can it be ensured that this buffer is freed after message 
>> processing?
> there could be some static buffers, some pseudo-variables are using such 
> buffers - like time, or all conversion from int to str are using a 
> static buffer all over the openser/ser.

Please check if I got it right:
We can make a function ascii2str which copies the ascii string into a 
static buffer (e.g. maxlen=255, I have to check if there are length 
limits for certificate parameters).

$cn retrieves the certificate subject from openssl as ASCII. It then 
uses ascii2str to copy it into the static buffer.

Would that mean also that in the following snippet all these tasks are 
done 3 times (xlog+xlog+accounting)?

   modparam("acc", "db_extra", "subj=$cs")
route{
   ...
   xlog("TLS request from $cs received");
   ...
   xlog("TLS request from $cs should valid certificate");
   ...
}

regards
klaus
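One way to implement the static-buffer copy Klaus describes, together with a per-message cache so that the three references in his snippet (db_extra plus two xlog calls) compute the subject once rather than three times. This is an added example in C, not OpenSER's code; the str type, the ascii2str signature, the msg_id key and the raw_subject input (standing in for what OpenSSL returns for the peer certificate) are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Minimal stand-in for OpenSER's str type (pointer + length). */
typedef struct { char *s; int len; } str;

#define CERT_PARAM_MAXLEN 255

/* One static buffer per pseudo-variable, as suggested in the thread for
 * read-only values that have no backing buffer inside the SIP message.
 * It is overwritten on the next message, so callers must consume the
 * str before the next message is processed. */
static char subject_buf[CERT_PARAM_MAXLEN + 1];

/* ascii2str: copy a NUL-terminated ASCII string (e.g. a certificate
 * subject rendered by OpenSSL) into a static buffer and return it as a
 * str. Returns 1 if the value had to be truncated to buflen-1 bytes,
 * 0 otherwise, so callers can log an over-long subject. */
int ascii2str(const char *ascii, char *buf, size_t buflen, str *out)
{
    size_t n = strlen(ascii);
    int truncated = 0;
    if (n > buflen - 1) { n = buflen - 1; truncated = 1; }
    memcpy(buf, ascii, n);
    buf[n] = '\0';
    out->s = buf;
    out->len = (int)n;
    return truncated;
}

/* Per-message memoisation (assumed design): remember which message the
 * cached value belongs to, so repeated $cs references within the same
 * message reuse the buffer instead of re-fetching and re-copying. */
static unsigned cached_msg_id = 0;
static str cached_subject = { NULL, 0 };
static unsigned compute_count = 0;

/* get_cert_subject: backend for a $cs-style pseudo-variable. msg_id
 * identifies the message being processed; raw_subject stands in for
 * the subject fetched from the TLS connection's peer certificate. */
str get_cert_subject(unsigned msg_id, const char *raw_subject)
{
    if (cached_subject.s == NULL || cached_msg_id != msg_id) {
        ascii2str(raw_subject, subject_buf, sizeof subject_buf, &cached_subject);
        cached_msg_id = msg_id;
        compute_count++;   /* counts how often the copy really ran */
    }
    return cached_subject;
}

unsigned get_compute_count(void) { return compute_count; }
```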


