Feature #1288 » lighty-clientvalidation-1.4.20.patch

akrus, 2008-12-03 06:47

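--- a/src/base.h
+++ b/src/base.h
@@ -268,6 +268,11 @@
 	buffer *ssl_cipher_list;
 	unsigned short ssl_use_sslv2;
 
+	unsigned short ssl_verifyclient;
+	unsigned short ssl_verifyclient_enforce;
+	unsigned short ssl_verifyclient_depth;
+	buffer *ssl_verifyclient_username;
+
 	unsigned short use_ipv6;
 	unsigned short is_ssl;
 	unsigned short allow_http11;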
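Review bot: The four new fields carry no comment, so a reader of base.h cannot tell what ssl_verifyclient_username holds; elsewhere in this patch it is compared against the generated SSL_CLIENT_S_DN_* environment key and, on a match, the entry's value is copied into con->authed_user, which is a security-relevant contract worth stating where the field is declared. A one-liner such as `buffer *ssl_verifyclient_username; /* env key (e.g. SSL_CLIENT_S_DN_CN) whose value becomes con->authed_user */` would do, with similar notes on ssl_verifyclient_enforce (`/* adds SSL_VERIFY_FAIL_IF_NO_PEER_CERT */`) and ssl_verifyclient_depth (`/* passed to SSL_CTX_set_verify_depth() */`). The enclosing struct starts and ends outside the hunk.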
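--- a/src/configfile.c
+++ b/src/configfile.c
@@ -94,6 +94,10 @@
 		{ "etag.use-inode",             NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 49 */
 		{ "etag.use-mtime",             NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 50 */
 		{ "etag.use-size",             NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 51 */
+		{ "ssl.verifyclient.activate",   NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 52 */
+		{ "ssl.verifyclient.enforce",    NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 53 */
+		{ "ssl.verifyclient.depth",      NULL, T_CONFIG_SHORT,   T_CONFIG_SCOPE_SERVER }, /* 54 */
+		{ "ssl.verifyclient.username",   NULL, T_CONFIG_STRING,  T_CONFIG_SCOPE_SERVER }, /* 55 */
 		{ "server.host",                 "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
 		{ "server.docroot",              "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
 		{ "server.virtual-root",         "load mod_simple_vhost and use simple-vhost.server-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
@@ -174,6 +178,11 @@
 		s->global_kbytes_per_second = 0;
 		s->global_bytes_per_second_cnt = 0;
 		s->global_bytes_per_second_cnt_ptr = &s->global_bytes_per_second_cnt;
+		
+		s->ssl_verifyclient = 0;
+		s->ssl_verifyclient_enforce = 1;
+		s->ssl_verifyclient_username = buffer_init();
+		s->ssl_verifyclient_depth = 9;
 
 		cv[2].destination = s->errorfile_prefix;
 
@@ -218,6 +227,12 @@
 		cv[50].destination = &(s->etag_use_mtime);
 		cv[51].destination = &(s->etag_use_size);
 
+		/* ssl.verify */
+		cv[52].destination = &(s->ssl_verifyclient);
+		cv[53].destination = &(s->ssl_verifyclient_enforce);
+		cv[54].destination = &(s->ssl_verifyclient_depth);
+		cv[55].destination = s->ssl_verifyclient_username;
+
 		srv->config_storage[i] = s;
 
 		if (0 != (ret = config_insert_values_global(srv, ((data_config *)srv->config_context->data[i])->value, cv))) {
@@ -295,6 +310,11 @@
 	PATCH(etag_use_inode);
 	PATCH(etag_use_mtime);
 	PATCH(etag_use_size);
+
+	PATCH(ssl_verifyclient);
+	PATCH(ssl_verifyclient_enforce);
+	PATCH(ssl_verifyclient_depth);
+	PATCH(ssl_verifyclient_username);
  
 	return 0;
 }
@@ -382,6 +402,14 @@
 				PATCH(global_kbytes_per_second);
 				PATCH(global_bytes_per_second_cnt);
 				con->conf.global_bytes_per_second_cnt_ptr = &s->global_bytes_per_second_cnt;
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.activate"))) {
+				PATCH(ssl_verifyclient);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.enforce"))) {
+				PATCH(ssl_verifyclient_enforce);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.depth"))) {
+				PATCH(ssl_verifyclient_depth);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.username"))) {
+				PATCH(ssl_verifyclient_username);
 			}
 		}
 	}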
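Review bot: The `du->key` branches added in the last hunk make all four ssl.verifyclient.* options patchable inside a conditional block, but the only code on this page that acts on activate, enforce and depth is the SSL_CTX setup in network.c, which reads the listener's config once when the socket is created; a value set under a request-level condition such as `$HTTP["host"]` would therefore only change whether https_add_ssl_entries() runs for that request, not whether the handshake asks for or requires a certificate. That split is inferred from the other hunks rather than visible here, so at minimum it should be documented on the new table entries, e.g. `/* 52-55: ssl.verifyclient.*; activate/enforce/depth take effect per listening socket (network.c), username per request (response.c) */`. The defaults hunk also hard-codes `s->ssl_verifyclient_depth = 9;` with no rationale; a comment stating why 9 was chosen (if it is meant to mirror OpenSSL's own default verify depth, say so) would stop the next maintainer from "tidying" it. The enclosing functions of every hunk here start and end outside the hunk.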
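--- a/src/network.c
+++ b/src/network.c
@@ -359,6 +359,30 @@
 						ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
 				return -1;
 			}
+			if (s->ssl_verifyclient) { 
+				STACK_OF(X509_NAME) *certs = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
+				if (!certs) {
+					log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+							ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
+				}
+				if (SSL_CTX_set_session_id_context(s->ssl_ctx, (unsigned const char*)CONST_BUF_LEN(host_token)) != 1) { 
+					log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", 
+						ERR_error_string(ERR_get_error(), NULL)); 
+					return -1; 
+				}				
+				SSL_CTX_set_client_CA_list(s->ssl_ctx, certs);
+				SSL_CTX_set_verify(
+					s->ssl_ctx,
+					SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
+					NULL
+				); 
+				SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
+			}
+		} else if (s->ssl_verifyclient) {
+			log_error_write(
+				srv, __FILE__, __LINE__, "s",
+				"SSL: You specified ssl.verifyclient.activate but no ca_file"
+			);
 		}
 
 		if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {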
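Review bot: In the new `if (s->ssl_verifyclient)` block a NULL return from SSL_load_client_CA_file() is only logged, whereas the failure to load the same ssl.ca-file a few lines above returns -1; execution then continues into `SSL_CTX_set_client_CA_list(s->ssl_ctx, certs)` with a NULL list, so the listener advertises no acceptable CA names and many clients will respond with no certificate at all. With ssl.verifyclient.enforce=1 that turns every handshake into a failure, and with enforce=0 the socket silently comes up without client authentication even though the operator asked for it. Make the branch consistent with its neighbour by adding `return -1;` after the log_error_write() inside `if (!certs) { ... }`. The enclosing function starts and ends outside the hunk.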
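--- a/src/response.c
+++ b/src/response.c
@@ -124,7 +124,50 @@
 	return 0;
 }
 
-
+#ifdef USE_OPENSSL
+static void https_add_ssl_entries(connection *con) {
+	X509 *xs;
+	X509_NAME *xn;
+	X509_NAME_ENTRY *xe;
+	if (
+		SSL_get_verify_result(con->ssl) != X509_V_OK
+		|| !(xs = SSL_get_peer_certificate(con->ssl))
+	) {
+		return;
+	}
+	
+	xn = X509_get_subject_name(xs);
+	for (int i = 0, nentries = X509_NAME_entry_count(xn); i < nentries; ++i) {
+		int xobjnid;
+		const char * xobjsn;
+		data_string *envds;
+
+		if (!(xe = X509_NAME_get_entry(xn, i))) {
+			continue;
+		}
+		xobjnid = OBJ_obj2nid((ASN1_OBJECT*)X509_NAME_ENTRY_get_object(xe));
+		xobjsn = OBJ_nid2sn(xobjnid);
+		if (!xobjsn) {
+			continue;
+		}
+		
+		if (NULL == (envds = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
+			envds = data_string_init();
+		}
+		buffer_copy_string_len(envds->key, CONST_STR_LEN("SSL_CLIENT_S_DN_"));
+		buffer_append_string(envds->key, xobjsn);
+		buffer_copy_string(
+			envds->value,
+			(const char *)xe->value->data
+		);
+		if (buffer_is_equal(con->conf.ssl_verifyclient_username, envds->key)) {
+			buffer_copy_string_buffer(con->authed_user, envds->value);
+		}
+		array_insert_unique(con->environment, (data_unset *)envds);
+	}
+	X509_free(xs);
+}
+#endif
 
 handler_t http_response_prepare(server *srv, connection *con) {
 	handler_t r;
@@ -329,6 +372,11 @@
 		 */
 
 
+#ifdef USE_OPENSSL
+		if (con->conf.is_ssl && con->conf.ssl_verifyclient) {
+			https_add_ssl_entries(con);
+		}
+#endif
 
 
 		/* 1. stat()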
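Review bot: https_add_ssl_entries() copies `(const char *)xe->value->data` with buffer_copy_string(), which treats the ASN1_STRING payload as a NUL-terminated C string; ASN.1 string values are length-delimited, are not guaranteed to be NUL-terminated (so the copy can read past the value), and may contain embedded NULs or a non-ASCII encoding such as BMPString, so the value that becomes SSL_CLIENT_S_DN_* and, via ssl.verifyclient.username, con->authed_user can be silently truncated or garbled. Use the length-bounded accessors instead: `ASN1_STRING *as = X509_NAME_ENTRY_get_data(xe);` followed by `buffer_copy_string_len(envds->value, (const char *)ASN1_STRING_data(as), ASN1_STRING_length(as));`, and skip (`continue`) an entry whose data contains a NUL before it can reach authed_user; ASN1_STRING_to_UTF8() would additionally normalize the encoding, at the cost of an OPENSSL_free(). Since this is the one place a certificate attribute is promoted to an identity, the function header also deserves a comment saying that authed_user is only set when SSL_get_verify_result() is X509_V_OK and the configured key matches exactly. Separately, `for (int i = 0, ...)` is the only C99 for-scope declaration on this page, so check it against the project's compiler flags.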
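--- a/src/server.c
+++ b/src/server.c
@@ -274,6 +274,7 @@
 			buffer_free(s->ssl_cipher_list);
 			buffer_free(s->error_handler);
 			buffer_free(s->errorfile_prefix);
+			buffer_free(s->ssl_verifyclient_username);
 			array_free(s->mimetypes);
 #ifdef USE_OPENSSL
 			SSL_CTX_free(s->ssl_ctx);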