[Devel] TLS ...

Daniel-Constantin Mierla daniel at voice-system.ro
Wed Feb 22 18:03:37 CET 2006


On 02/22/06 18:45, Klaus Darilion wrote:
> Daniel-Constantin Mierla wrote:
>> On 02/22/06 17:58, Klaus Darilion wrote:
>>> Daniel-Constantin Mierla wrote:
>>>> On 02/22/06 16:52, Klaus Darilion wrote:
>>>>> I just got another idea/question: How should the certificate 
>>>>> parameters be exported?
>>>>>
>>>>> ° via AVPs during a dedicated call
>>>>>   tls_get_cert_subject("s:cert_subject");
>>>>>
>>>>> ° via pre-defined AVPs
>>>>>    tls_get_cert_params(); # copy parameters into
>>>>>                           # predefined AVPs
>>>>>
>>>>> ° via pseudo variables
>>>>>   $cs    # certificate subject
>>>>>   $cc    # certificate common name
>>>>>   $cin    # certificate issuer name
>>>>>   $cif    # certificate issuer fingerprint
>>>>>   ...
>>>>>
>>>>> any comments?
>>>> They should be pure pseudo-variables (non-avp) since they are read 
>>>> only. It is in the plan of the development version to add support 
>>>> for longer names for pseudo-variables under a 
>>>> $(pseudo-variable-name) format and allow the modules to register 
>>>> custom pseudo-variables at runtime. I will start working on it 
>>>> after the 1.0.1 release.
>>>
>>> I've studied the pseudo variables parser and as far as I see they 
>>> just reference existing buffers, e.g.:
>>>
>>>         res->rs.s = msg->callid->body.s;
>>>         res->rs.len = msg->callid->body.len;
>>>
>>>
>>> In the case of certificate parameters, there are no existing 
>>> buffers. Thus, when e.g. using $cs (certificate subject), a new 
>>> buffer must be created for the ASCII version of the subject.
>>>
>>> How can it be ensured that this buffer is freed after message 
>>> processing?
>> There could be some static buffers; some pseudo-variables are using 
>> such buffers, like time, and all conversions from int to str are using 
>> a static buffer all over openser/ser.
>
> Please check if I got it right:
> We can make a function ascii2str which copies the ascii string into a 
> static buffer (e.g. maxlen=255, I have to check if there are length 
> limits for certificate parameters).
>
> $cn retrieves the certificate subject from openssl as ASCII. It then 
> uses ascii2str to copy it into the static buffer.
>
> Would that mean also that in the following snippet all these tasks are 
> done 3 times (xlog+xlog+accounting)?
It is up to the implementation. The pseudo-variables getting the time 
call time(NULL) only once per message, and the TM module likewise sets 
the global transaction variable only once (it does not search for the 
transaction each time it is needed during script processing). So, you 
can do it each time, or once per script processing; it is a matter of 
internal design and the developer's choice - the recommendation is to 
do it once per script processing.

Cheers,
Daniel
 
>
>   modparam("acc", "db_extra", "subj=$cs")
> route{
>   ...
>   xlog("TLS request from $cs received");
>   ...
>   xlog("TLS request from $cs should valid certificate");
>   ...
> }
>
> regards
> klaus
>
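To illustrate the static-buffer design recommended above (read the certificate once per script processing, serve every later $cs reference from the same buffer), here is an added example that is not code from the openser project or from either poster. It assumes a stand-in sip_msg with a per-message id, a constructed peer_cert_subject string in place of the OpenSSL call, and refuses a subject longer than the 255-byte buffer instead of truncating it.

```c
#include <string.h>

/* Constructed stand-in for a parsed SIP message: a per-message id and, in
 * place of the OpenSSL peer certificate, the subject already rendered as a
 * NUL-terminated ASCII string (NULL = no client certificate). */
struct sip_msg { unsigned int id; const char *peer_cert_subject; };

/* openser-style string view: pointer + length, not NUL-terminated. */
struct str { char *s; int len; };

#define CERT_SUBJECT_MAXLEN 255

/* One static buffer serves every $cs reference; nothing to free per message. */
static char subject_buf[CERT_SUBJECT_MAXLEN + 1];
static unsigned int subject_msg_id = 0; /* message the cached value belongs to */
static int subject_len = -1;            /* -1: not computed for this message */
static int subject_lookups = 0;         /* how often the certificate was read */

/* Bounded copy into the static buffer. A subject longer than the buffer is
 * refused (-1) rather than truncated, so a cut-off value can never be
 * logged or matched as if it were the real subject. */
static int ascii2str(const char *ascii)
{
    size_t n = strlen(ascii);
    if (n > CERT_SUBJECT_MAXLEN)
        return -1;
    memcpy(subject_buf, ascii, n);
    subject_buf[n] = '\0';
    return (int)n;
}

/* Getter for $cs: reads the certificate once per message, then serves the
 * cached buffer for every later reference (xlog, xlog, acc in the snippet). */
int get_cert_subject(struct sip_msg *msg, struct str *res)
{
    if (subject_len < 0 || subject_msg_id != msg->id) {
        subject_msg_id = msg->id;
        subject_len = -1;               /* never serve a previous message's value */
        subject_lookups++;
        if (msg->peer_cert_subject != NULL)
            subject_len = ascii2str(msg->peer_cert_subject);
        if (subject_len < 0)
            return -1;                  /* no certificate, or subject too long */
    }
    res->s = subject_buf;
    res->len = subject_len;
    return 0;
}

int cert_lookup_count(void) { return subject_lookups; }
```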
