
Feature #1288 » lighty-clientvalidation-1.4.x.patch

fixing segfault, wrong patch location (see further comments) - nmaier, 2007-08-13 20:06


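--- a/src/base.h
+++ b/src/base.h
@@ -267,6 +267,11 @@
 	buffer *ssl_cipher_list;
 	unsigned short ssl_use_sslv2;
 
+	unsigned short ssl_verifyclient;
+	unsigned short ssl_verifyclient_enforce;
+	unsigned short ssl_verifyclient_depth;
+	buffer *ssl_verifyclient_username;
+
 	unsigned short use_ipv6;
 	unsigned short is_ssl;
 	unsigned short allow_http11;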
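Review bot: The four new fields carry no comment, and `ssl_verifyclient_username` in particular is not a user name but the environment key whose value response.c copies into con->authed_user, which a reader of base.h cannot tell from the name. A one-line comment per field would save that trip, e.g. `unsigned short ssl_verifyclient;   /* ssl.verifyclient.activate: request a client certificate */` and `buffer *ssl_verifyclient_username; /* env key (SSL_CLIENT_S_DN_<shortname>) whose value becomes con->authed_user */`. The enclosing struct starts and ends outside the hunk.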
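--- a/src/network.c
+++ b/src/network.c
@@ -359,6 +359,30 @@
 						ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
 				return -1;
 			}
+			if (s->ssl_verifyclient) { 
+				STACK_OF(X509_NAME) *certs = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
+				if (!certs) {
+					log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+							ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
+				}
+				if (SSL_CTX_set_session_id_context(s->ssl_ctx, (unsigned const char*)CONST_BUF_LEN(host_token)) != 1) { 
+					log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", 
+						ERR_error_string(ERR_get_error(), NULL)); 
+					return -1; 
+				}				
+				SSL_CTX_set_client_CA_list(s->ssl_ctx, certs);
+				SSL_CTX_set_verify(
+					s->ssl_ctx,
+					SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
+					NULL
+				); 
+				SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
+			}
+		} else if (s->ssl_verifyclient) {
+			log_error_write(
+				srv, __FILE__, __LINE__, "s",
+				"SSL: You specified ssl.verifyclient.activate but no ca_file"
+			);
 		}
 
 		if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {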
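Review bot: When `SSL_load_client_CA_file()` fails (new line 364) the code only logs and then falls through to `SSL_CTX_set_client_CA_list(s->ssl_ctx, certs)` with `certs == NULL` and still enables SSL_VERIFY_PEER, whereas the ca_file load failure in the context lines just above returns -1; the two error paths should agree, so add `return -1;` after the log_error_write in the `!certs` branch. If the fall-through is intentional (serve with an empty acceptable-CA list) that deserves a comment, because clients are then given no CA names to pick a certificate for. The enclosing function continues on both sides of the hunk.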
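--- a/src/configfile.c
+++ b/src/configfile.c
@@ -92,6 +92,12 @@
 		{ "etag.use-inode",             NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 48 */
 		{ "etag.use-mtime",             NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 49 */
 		{ "etag.use-size",             NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 50 */
+		
+		{ "ssl.verifyclient.activate",   NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 51 */
+		{ "ssl.verifyclient.enforce",    NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 52 */
+		{ "ssl.verifyclient.depth",      NULL, T_CONFIG_SHORT,   T_CONFIG_SCOPE_SERVER }, /* 53 */
+		{ "ssl.verifyclient.username",   NULL, T_CONFIG_STRING,  T_CONFIG_SCOPE_SERVER }, /* 54 */
+
 		{ "server.host",                 "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
 		{ "server.docroot",              "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
 		{ "server.virtual-root",         "load mod_simple_vhost and use simple-vhost.server-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
@@ -172,6 +178,11 @@
 		s->global_kbytes_per_second = 0;
 		s->global_bytes_per_second_cnt = 0;
 		s->global_bytes_per_second_cnt_ptr = &s->global_bytes_per_second_cnt;
+		
+		s->ssl_verifyclient = 0;
+		s->ssl_verifyclient_enforce = 1;
+		s->ssl_verifyclient_username = buffer_init();
+		s->ssl_verifyclient_depth = 9;
 
 		cv[2].destination = s->errorfile_prefix;
 
@@ -214,6 +225,12 @@
 		cv[48].destination = &(s->etag_use_inode);
 		cv[49].destination = &(s->etag_use_mtime);
 		cv[50].destination = &(s->etag_use_size);
+		
+		/* ssl.verify */
+		cv[51].destination = &(s->ssl_verifyclient);
+		cv[52].destination = &(s->ssl_verifyclient_enforce);
+		cv[53].destination = &(s->ssl_verifyclient_depth);
+		cv[54].destination = s->ssl_verifyclient_username;
 
 		srv->config_storage[i] = s;
 
@@ -291,6 +308,11 @@
 	PATCH(etag_use_inode);
 	PATCH(etag_use_mtime);
 	PATCH(etag_use_size);
+
+	PATCH(ssl_verifyclient);
+	PATCH(ssl_verifyclient_enforce);
+	PATCH(ssl_verifyclient_depth);
+	PATCH(ssl_verifyclient_username);
  
 	return 0;
 }
@@ -377,6 +399,14 @@
 				PATCH(global_kbytes_per_second);
 				PATCH(global_bytes_per_second_cnt);
 				con->conf.global_bytes_per_second_cnt_ptr = &s->global_bytes_per_second_cnt;
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.activate"))) {
+				PATCH(ssl_verifyclient);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.enforce"))) {
+				PATCH(ssl_verifyclient_enforce);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.depth"))) {
+				PATCH(ssl_verifyclient_depth);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.username"))) {
+				PATCH(ssl_verifyclient_username);
 			}
 		}
 	}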
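Review bot: The four `ssl.verifyclient.*` branches added to the conditional-patching chain (new lines 402-409) read as if every setting could be changed per conditional, but the network.c part of this patch consumes `enforce` and `depth` only while the SSL_CTX is built at startup, so from a conditional block only `activate` (re-checked in response.c) and `username` appear to have an effect; if that reading is right, the `/* ssl.verify */` comment in the cv[] hunk should say so. The `ssl.verifyclient.username` table entry would also benefit from naming the expected form, since response.c compares it against the generated environment key: `{ "ssl.verifyclient.username",   NULL, T_CONFIG_STRING,  T_CONFIG_SCOPE_SERVER }, /* 54: full env key, e.g. SSL_CLIENT_S_DN_CN, copied to authed_user */`. The functions holding the last two hunks start outside the hunk.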
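--- a/src/response.c
+++ b/src/response.c
@@ -117,7 +117,50 @@
 	return 0;
 }
 
+#ifdef USE_OPENSSL
+static void https_add_ssl_entries(connection *con) {
+	X509 *xs;
+	X509_NAME *xn;
+	X509_NAME_ENTRY *xe;
+	if (
+		SSL_get_verify_result(con->ssl) != X509_V_OK
+		|| !(xs = SSL_get_peer_certificate(con->ssl))
+	) {
+		return;
+	}
+	
+	xn = X509_get_subject_name(xs);
+	for (int i = 0, nentries = X509_NAME_entry_count(xn); i < nentries; ++i) {
+		int xobjnid;
+		const char * xobjsn;
+		data_string *envds;
 
+		if (!(xe = X509_NAME_get_entry(xn, i))) {
+			continue;
+		}
+		xobjnid = OBJ_obj2nid((ASN1_OBJECT*)X509_NAME_ENTRY_get_object(xe));
+		xobjsn = OBJ_nid2sn(xobjnid);
+		if (!xobjsn) {
+			continue;
+		}
+		
+		if (NULL == (envds = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
+			envds = data_string_init();
+		}
+		buffer_copy_string_len(envds->key, CONST_STR_LEN("SSL_CLIENT_S_DN_"));
+		buffer_append_string(envds->key, xobjsn);
+		buffer_copy_string(
+			envds->value,
+			(const char *)xe->value->data
+		);
+		if (buffer_is_equal(con->conf.ssl_verifyclient_username, envds->key)) {
+			buffer_copy_string_buffer(con->authed_user, envds->value);
+		}
+		array_insert_unique(con->environment, (data_unset *)envds);
+	}
+	X509_free(xs);
+}
+#endif
 
 handler_t http_response_prepare(server *srv, connection *con) {
 	handler_t r;
@@ -216,6 +259,11 @@
 			con->keep_alive = 0;
 		}
 
+#ifdef USE_OPENSSL
+			if (con->conf.is_ssl && con->conf.ssl_verifyclient) {
+				https_add_ssl_entries(con);
+			}
+#endif
 
 		/**
 		 *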
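Review bot: `buffer_copy_string(envds->value, (const char *)xe->value->data)` in https_add_ssl_entries (new lines 152-155) treats the ASN1_STRING behind the name entry as a NUL-terminated C string, which OpenSSL does not guarantee; a DN component may also hold embedded NUL bytes or a non-UTF-8 encoding such as BMPString, so the copy can over-read or silently truncate the very value that then becomes `con->authed_user`. Copy with the explicit length, `buffer_copy_string_len(envds->value, (const char *)xe->value->data, xe->value->length);`, or convert with ASN1_STRING_to_UTF8() first, and treat a value containing NUL as a non-match when the key equals ssl_verifyclient_username. Several entries with the same short name (for instance more than one OU) all map to the same `SSL_CLIENT_S_DN_<sn>` key; what array_insert_unique does with the duplicate is not visible here and deserves a comment at the insert. The `#ifdef USE_OPENSSL` block in the second hunk is indented one level deeper than the surrounding code.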
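--- a/src/server.c
+++ b/src/server.c
@@ -247,6 +247,7 @@
 			buffer_free(s->ssl_cipher_list);
 			buffer_free(s->error_handler);
 			buffer_free(s->errorfile_prefix);
+			buffer_free(s->ssl_verifyclient_username);
 			array_free(s->mimetypes);
 #ifdef USE_OPENSSL
 			SSL_CTX_free(s->ssl_ctx);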