Feature #1288 » lighty-clientvalidation-1.4.21.patch
./src/base.h Thu Mar 5 08:41:25 2009 | ||
---|---|---|
buffer *ssl_cipher_list;
|
||
unsigned short ssl_use_sslv2;
|
||
unsigned short ssl_verifyclient;
|
||
unsigned short ssl_verifyclient_enforce;
|
||
unsigned short ssl_verifyclient_depth;
|
||
buffer *ssl_verifyclient_username;
|
||
unsigned short use_ipv6;
|
||
unsigned short is_ssl;
|
||
unsigned short allow_http11;
|
./src/configfile.c Thu Mar 5 08:42:53 2009 | ||
---|---|---|
{ "etag.use-size", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 51 */
|
||
{ "server.reject-expect-100-with-417", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 52 */
|
||
{ "debug.log-timeouts", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 53 */
|
||
{ "ssl.verifyclient.activate", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 54 */
|
||
{ "ssl.verifyclient.enforce", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 55 */
|
||
{ "ssl.verifyclient.depth", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_SERVER }, /* 56 */
|
||
{ "ssl.verifyclient.username", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 57 */
|
||
{ "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
|
||
{ "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
|
||
{ "server.virtual-root", "load mod_simple_vhost and use simple-vhost.server-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
|
||
... | ... | |
s->global_kbytes_per_second = 0;
|
||
s->global_bytes_per_second_cnt = 0;
|
||
s->global_bytes_per_second_cnt_ptr = &s->global_bytes_per_second_cnt;
|
||
|
||
s->ssl_verifyclient = 0;
|
||
s->ssl_verifyclient_enforce = 1;
|
||
s->ssl_verifyclient_username = buffer_init();
|
||
s->ssl_verifyclient_depth = 9;
|
||
cv[2].destination = s->errorfile_prefix;
|
||
... | ... | |
cv[50].destination = &(s->etag_use_mtime);
|
||
cv[51].destination = &(s->etag_use_size);
|
||
/* ssl.verify */
|
||
cv[54].destination = &(s->ssl_verifyclient);
|
||
cv[55].destination = &(s->ssl_verifyclient_enforce);
|
||
cv[56].destination = &(s->ssl_verifyclient_depth);
|
||
cv[57].destination = s->ssl_verifyclient_username;
|
||
srv->config_storage[i] = s;
|
||
if (0 != (ret = config_insert_values_global(srv, ((data_config *)srv->config_context->data[i])->value, cv))) {
|
||
... | ... | |
PATCH(etag_use_inode);
|
||
PATCH(etag_use_mtime);
|
||
PATCH(etag_use_size);
|
||
PATCH(ssl_verifyclient);
|
||
PATCH(ssl_verifyclient_enforce);
|
||
PATCH(ssl_verifyclient_depth);
|
||
PATCH(ssl_verifyclient_username);
|
||
|
||
return 0;
|
||
}
|
||
... | ... | |
PATCH(global_kbytes_per_second);
|
||
PATCH(global_bytes_per_second_cnt);
|
||
con->conf.global_bytes_per_second_cnt_ptr = &s->global_bytes_per_second_cnt;
|
||
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.activate"))) {
|
||
PATCH(ssl_verifyclient);
|
||
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.enforce"))) {
|
||
PATCH(ssl_verifyclient_enforce);
|
||
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.depth"))) {
|
||
PATCH(ssl_verifyclient_depth);
|
||
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.username"))) {
|
||
PATCH(ssl_verifyclient_username);
|
||
}
|
||
}
|
||
}
|
./src/configfile.c.rej Thu Mar 5 08:41:25 2009 | ||
---|---|---|
***************
|
||
*** 94,99 ****
|
||
{ "etag.use-inode", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 49 */
|
||
{ "etag.use-mtime", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 50 */
|
||
{ "etag.use-size", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 51 */
|
||
{ "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
|
||
{ "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
|
||
{ "server.virtual-root", "load mod_simple_vhost and use simple-vhost.server-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
|
||
--- 94,103 ----
|
||
{ "etag.use-inode", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 49 */
|
||
{ "etag.use-mtime", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 50 */
|
||
{ "etag.use-size", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 51 */
|
||
+ { "ssl.verifyclient.activate", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 52 */
|
||
+ { "ssl.verifyclient.enforce", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 53 */
|
||
+ { "ssl.verifyclient.depth", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_SERVER }, /* 54 */
|
||
+ { "ssl.verifyclient.username", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 55 */
|
||
{ "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
|
||
{ "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
|
||
{ "server.virtual-root", "load mod_simple_vhost and use simple-vhost.server-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
|
./src/network.c Thu Mar 5 08:41:25 2009 | ||
---|---|---|
ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
|
||
return -1;
|
||
}
|
||
if (s->ssl_verifyclient) {
|
||
STACK_OF(X509_NAME) *certs = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
|
||
if (!certs) {
|
||
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
|
||
ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
|
||
}
|
||
if (SSL_CTX_set_session_id_context(s->ssl_ctx, (unsigned const char*)CONST_BUF_LEN(host_token)) != 1) {
|
||
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
|
||
ERR_error_string(ERR_get_error(), NULL));
|
||
return -1;
|
||
}
|
||
SSL_CTX_set_client_CA_list(s->ssl_ctx, certs);
|
||
SSL_CTX_set_verify(
|
||
s->ssl_ctx,
|
||
SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
|
||
NULL
|
||
);
|
||
SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
|
||
}
|
||
} else if (s->ssl_verifyclient) {
|
||
log_error_write(
|
||
srv, __FILE__, __LINE__, "s",
|
||
"SSL: You specified ssl.verifyclient.activate but no ca_file"
|
||
);
|
||
}
|
||
if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
|
./src/response.c Thu Mar 5 08:41:25 2009 | ||
---|---|---|
return 0;
|
||
}
|
||
#ifdef USE_OPENSSL
|
||
static void https_add_ssl_entries(connection *con) {
|
||
X509 *xs;
|
||
X509_NAME *xn;
|
||
X509_NAME_ENTRY *xe;
|
||
if (
|
||
SSL_get_verify_result(con->ssl) != X509_V_OK
|
||
|| !(xs = SSL_get_peer_certificate(con->ssl))
|
||
) {
|
||
return;
|
||
}
|
||
|
||
xn = X509_get_subject_name(xs);
|
||
for (int i = 0, nentries = X509_NAME_entry_count(xn); i < nentries; ++i) {
|
||
int xobjnid;
|
||
const char * xobjsn;
|
||
data_string *envds;
|
||
if (!(xe = X509_NAME_get_entry(xn, i))) {
|
||
continue;
|
||
}
|
||
xobjnid = OBJ_obj2nid((ASN1_OBJECT*)X509_NAME_ENTRY_get_object(xe));
|
||
xobjsn = OBJ_nid2sn(xobjnid);
|
||
if (!xobjsn) {
|
||
continue;
|
||
}
|
||
|
||
if (NULL == (envds = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
|
||
envds = data_string_init();
|
||
}
|
||
buffer_copy_string_len(envds->key, CONST_STR_LEN("SSL_CLIENT_S_DN_"));
|
||
buffer_append_string(envds->key, xobjsn);
|
||
buffer_copy_string(
|
||
envds->value,
|
||
(const char *)xe->value->data
|
||
);
|
||
if (buffer_is_equal(con->conf.ssl_verifyclient_username, envds->key)) {
|
||
buffer_copy_string_buffer(con->authed_user, envds->value);
|
||
}
|
||
array_insert_unique(con->environment, (data_unset *)envds);
|
||
}
|
||
X509_free(xs);
|
||
}
|
||
#endif
|
||
handler_t http_response_prepare(server *srv, connection *con) {
|
||
handler_t r;
|
||
... | ... | |
*/
|
||
#ifdef USE_OPENSSL
|
||
if (con->conf.is_ssl && con->conf.ssl_verifyclient) {
|
||
https_add_ssl_entries(con);
|
||
}
|
||
#endif
|
||
/* 1. stat()
|
./src/server.c Thu Mar 5 08:41:25 2009 | ||
---|---|---|
buffer_free(s->ssl_cipher_list);
|
||
buffer_free(s->error_handler);
|
||
buffer_free(s->errorfile_prefix);
|
||
buffer_free(s->ssl_verifyclient_username);
|
||
array_free(s->mimetypes);
|
||
#ifdef USE_OPENSSL
|
||
SSL_CTX_free(s->ssl_ctx);
|