
0007-response.c-set-SSL_CLIENT_VERIFY-SSL_CLIENT_S_DN_patch.txt

mackyle, 2015-12-03 22:59

 
From fdd341bf61ffb5e2c4a7807b8235c9f4ab14d019 Mon Sep 17 00:00:00 2001
From: "Kyle J. McKay" <mackyle@gmail.com>
Date: Thu, 3 Dec 2015 11:20:35 -0800
Subject: [PATCH] response.c: set SSL_CLIENT_VERIFY & SSL_CLIENT_S_DN

    
SSL_CLIENT_VERIFY is set to "NONE", "SUCCESS" or "FAILED:reason".
This is compatible with Apache's mod_ssl variable of the same name.

    
SSL_CLIENT_S_DN is set to the oneline version of the client certificate
subject's distinguished name and may be used as a setting for the
ssl.verifyclient.username config option.  When Apache's mod_ssl is
configured to use 'FakeBasicAuth' it uses the SSL_CLIENT_S_DN value for
the username (that ultimately may end up in REMOTE_USER).  The value
that will be set for SSL_CLIENT_S_DN may be determined using the
`openssl x509 -noout -subject -in <cert.pem>` command.

    
Signed-off-by: Kyle J. McKay
---
 src/response.c | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

    
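diff --git a/src/response.c b/src/response.c
index 357f43bc..5ced9937 100644
--- a/src/response.c
+++ b/src/response.c
@@ -135,16 +135,51 @@ static void https_add_ssl_entries(connection *con) {
 	X509 *xs;
 	X509_NAME *xn;
 	X509_NAME_ENTRY *xe;
+	data_string *ds_cv;
+	char *s_dn;
+	long vr;
 	int i, nentries;
 
+	if (NULL == (ds_cv = (data_string *)array_get_element(con->environment, "SSL_CLIENT_VERIFY"))) {
+		if (NULL == (ds_cv = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
+			ds_cv = data_string_init();
+		}
+		buffer_copy_string(ds_cv->key, "SSL_CLIENT_VERIFY");
+	}
+
 	if (
-		SSL_get_verify_result(con->ssl) != X509_V_OK
+		(vr = SSL_get_verify_result(con->ssl)) != X509_V_OK
 		|| !(xs = SSL_get_peer_certificate(con->ssl))
 	) {
+		buffer_copy_string(ds_cv->value, (vr == X509_V_OK && !xs) ? "NONE" : "FAILED:bad verify result");
+		array_insert_unique(con->environment, (data_unset *)ds_cv);
 		return;
 	}
 
+	buffer_copy_string(ds_cv->value, "SUCCESS");
+	array_insert_unique(con->environment, (data_unset *)ds_cv);
 	xn = X509_get_subject_name(xs);
+	if (NULL != (s_dn = X509_NAME_oneline(xn, NULL, 0))) {
+		data_string *envds;
+		if (NULL == (envds = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
+			envds = data_string_init();
+		}
+		buffer_copy_string(envds->key, "SSL_CLIENT_S_DN");
+		buffer_copy_string(envds->value, s_dn);
+		OPENSSL_free(s_dn);
+		if (buffer_is_equal(con->conf.ssl_verifyclient_username, envds->key)) {
+			data_string *ds;
+			if (NULL == (ds = (data_string *)array_get_element(con->environment, "REMOTE_USER"))) {
+				if (NULL == (ds = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
+					ds = data_string_init();
+				}
+				buffer_copy_string(ds->key, "REMOTE_USER");
+				array_insert_unique(con->environment, (data_unset *)ds);
+			}
+			buffer_copy_buffer(ds->value, envds->value);
+		}
+		array_insert_unique(con->environment, (data_unset *)envds);
+	}
 	for (i = 0, nentries = X509_NAME_entry_count(xn); i < nentries; ++i) {
 		int xobjnid;
 		const char * xobjsn;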
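Review bot: `array_insert_unique(con->environment, (data_unset *)ds_cv);` runs on both the early-return path and the success path even when the earlier `array_get_element` lookup already found SSL_CLIENT_VERIFY in the array, so an element the array already owns is handed back to it under its own key. The REMOTE_USER block in the same hunk gets this right by inserting only inside the allocation branch; if `array_insert_unique` resolves a duplicate key by merging into the existing entry and freeing the new one (as lighttpd's data_string insert_dup appears to, to be confirmed against array.c in this tree), the self-merge would free the live element. Moving the insert next to `buffer_copy_string(ds_cv->key, "SSL_CLIENT_VERIFY");` inside the `if (NULL == ...)` block and dropping the two later calls makes the two branches consistent. Separately, the fixed `"FAILED:bad verify result"` discards the actual verification error; `X509_verify_cert_error_string(vr)` would carry the per-error reason that mod_ssl reports in the same variable. The body of https_add_ssl_entries continues past the end of the hunk.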
79
-- 
2.4.10