
Feature #1288 » lighty-clientvalidation-1.4.22.patch

patch for 1.4.22 (please read comment below) - bjuchli, 2009-03-16 18:02


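--- a/src/base.h
+++ b/src/base.h
@@ -269,6 +269,11 @@
 	buffer *ssl_cipher_list;
 	unsigned short ssl_use_sslv2;
 
+	unsigned short ssl_verifyclient;
+	unsigned short ssl_verifyclient_enforce;
+	unsigned short ssl_verifyclient_depth;
+	buffer *ssl_verifyclient_username;
+
 	unsigned short use_ipv6;
 	unsigned short is_ssl;
 	unsigned short allow_http11;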
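Review bot: The four new members are undocumented, and their effect is not obvious from the names alone — in particular that `ssl_verifyclient_enforce` decides whether a handshake without a client certificate is rejected (network.c ORs in SSL_VERIFY_FAIL_IF_NO_PEER_CERT when it is set) and that `ssl_verifyclient_username` names the `SSL_CLIENT_S_DN_*` environment entry whose value is copied into `con->authed_user`. A one-line comment per field, in the style of the surrounding block, would let a reader see that contract at the declaration, e.g. `unsigned short ssl_verifyclient_enforce; /* reject the handshake when no client certificate is presented */`. This header is the only place the four values appear together; they are set in configfile.c and consumed in network.c and response.c.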
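--- a/src/configfile.c
+++ b/src/configfile.c
@@ -96,6 +96,10 @@
 		{ "etag.use-size",               NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 51 */
 		{ "server.reject-expect-100-with-417",  NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 52 */
 		{ "debug.log-timeouts",          NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 53 */
+		{ "ssl.verifyclient.activate",   NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 54 */
+		{ "ssl.verifyclient.enforce",    NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 55 */
+		{ "ssl.verifyclient.depth",      NULL, T_CONFIG_SHORT,   T_CONFIG_SCOPE_SERVER }, /* 56 */
+		{ "ssl.verifyclient.username",   NULL, T_CONFIG_STRING,  T_CONFIG_SCOPE_SERVER }, /* 57 */
 		{ "server.host",                 "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
 		{ "server.docroot",              "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
 		{ "server.virtual-root",         "load mod_simple_vhost and use simple-vhost.server-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
@@ -177,6 +181,11 @@
 		s->global_kbytes_per_second = 0;
 		s->global_bytes_per_second_cnt = 0;
 		s->global_bytes_per_second_cnt_ptr = &s->global_bytes_per_second_cnt;
+		
+		s->ssl_verifyclient = 0;
+		s->ssl_verifyclient_enforce = 1;
+		s->ssl_verifyclient_username = buffer_init();
+		s->ssl_verifyclient_depth = 9;
 
 		cv[2].destination = s->errorfile_prefix;
 
@@ -222,6 +231,12 @@
 		cv[50].destination = &(s->etag_use_mtime);
 		cv[51].destination = &(s->etag_use_size);
 
+		/* ssl.verify */
+		cv[54].destination = &(s->ssl_verifyclient);
+		cv[55].destination = &(s->ssl_verifyclient_enforce);
+		cv[56].destination = &(s->ssl_verifyclient_depth);
+		cv[57].destination = s->ssl_verifyclient_username;
+
 		srv->config_storage[i] = s;
 
 		if (0 != (ret = config_insert_values_global(srv, ((data_config *)srv->config_context->data[i])->value, cv))) {
@@ -299,6 +314,11 @@
 	PATCH(etag_use_inode);
 	PATCH(etag_use_mtime);
 	PATCH(etag_use_size);
+
+	PATCH(ssl_verifyclient);
+	PATCH(ssl_verifyclient_enforce);
+	PATCH(ssl_verifyclient_depth);
+	PATCH(ssl_verifyclient_username);
  
 	return 0;
 }
@@ -388,6 +408,14 @@
 				PATCH(global_kbytes_per_second);
 				PATCH(global_bytes_per_second_cnt);
 				con->conf.global_bytes_per_second_cnt_ptr = &s->global_bytes_per_second_cnt;
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.activate"))) {
+				PATCH(ssl_verifyclient);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.enforce"))) {
+				PATCH(ssl_verifyclient_enforce);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.depth"))) {
+				PATCH(ssl_verifyclient_depth);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.username"))) {
+				PATCH(ssl_verifyclient_username);
 			}
 		}
 	}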
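Review bot: The conditional-block `PATCH(ssl_verifyclient)`, `PATCH(ssl_verifyclient_enforce)` and `PATCH(ssl_verifyclient_depth)` entries in the last hunk look like they make verification configurable per condition, but as far as the network.c hunk shows the verify mode and depth are applied to the SSL_CTX once from `s->ssl_verifyclient*` when the socket is set up, so inside e.g. a `$HTTP["url"]` block these keys can only change whether `https_add_ssl_entries` runs and which entry feeds `authed_user`, never whether a certificate is requested or required. An administrator who enables `ssl.verifyclient.enforce` only under a condition would get no enforcement from it and no warning. Either restrict the three keys to the socket scope or make the limitation explicit with a comment above the new branches, such as `/* verify mode/depth are fixed per SSL_CTX in network.c; these only affect env and authed_user handling */`. The `/* ssl.verify */` comment in the third hunk would also read better as `/* ssl.verifyclient.* */`, matching the option names it labels.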
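--- a/src/configfile.c.rej
+++ b/src/configfile.c.rej
@@ -0,0 +1,19 @@
+***************
+*** 94,99 ****
+  		{ "etag.use-inode",             NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 49 */
+  		{ "etag.use-mtime",             NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 50 */
+  		{ "etag.use-size",             NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 51 */
+  		{ "server.host",                 "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+  		{ "server.docroot",              "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+  		{ "server.virtual-root",         "load mod_simple_vhost and use simple-vhost.server-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+--- 94,103 ----
+  		{ "etag.use-inode",             NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 49 */
+  		{ "etag.use-mtime",             NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 50 */
+  		{ "etag.use-size",             NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 51 */
++ 		{ "ssl.verifyclient.activate",   NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 52 */
++ 		{ "ssl.verifyclient.enforce",    NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 53 */
++ 		{ "ssl.verifyclient.depth",      NULL, T_CONFIG_SHORT,   T_CONFIG_SCOPE_SERVER }, /* 54 */
++ 		{ "ssl.verifyclient.username",   NULL, T_CONFIG_STRING,  T_CONFIG_SCOPE_SERVER }, /* 55 */
+  		{ "server.host",                 "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+  		{ "server.docroot",              "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+  		{ "server.virtual-root",         "load mod_simple_vhost and use simple-vhost.server-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },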
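Review bot: `src/configfile.c.rej` is a patch(1) reject artifact that was swept into the patch and should be dropped before the patch is applied; it is not source and adds a stray file to every tree the patch lands in. Its content also disagrees with the real configfile.c hunk — the same four options are numbered 52-55 here but 54-57 there — which suggests it is a leftover from re-applying an older version of the patch onto 1.4.22 rather than anything intended.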
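--- a/src/network.c
+++ b/src/network.c
@@ -359,6 +359,30 @@
 						ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
 				return -1;
 			}
+			if (s->ssl_verifyclient) { 
+				STACK_OF(X509_NAME) *certs = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
+				if (!certs) {
+					log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+							ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
+				}
+				if (SSL_CTX_set_session_id_context(s->ssl_ctx, (unsigned const char*)CONST_BUF_LEN(host_token)) != 1) { 
+					log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", 
+						ERR_error_string(ERR_get_error(), NULL)); 
+					return -1; 
+				}				
+				SSL_CTX_set_client_CA_list(s->ssl_ctx, certs);
+				SSL_CTX_set_verify(
+					s->ssl_ctx,
+					SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
+					NULL
+				); 
+				SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
+			}
+		} else if (s->ssl_verifyclient) {
+			log_error_write(
+				srv, __FILE__, __LINE__, "s",
+				"SSL: You specified ssl.verifyclient.activate but no ca_file"
+			);
 		}
 
 		if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {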
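Review bot: Both failure paths introduced in this hunk fail open: when `SSL_load_client_CA_file` returns NULL the code only logs and then goes on to `SSL_CTX_set_client_CA_list(s->ssl_ctx, certs)` with a NULL list, and the `else if (s->ssl_verifyclient)` branch logs that no ca_file was given but returns normally, so `SSL_CTX_set_verify` is never called and the socket comes up with client verification silently off while `ssl.verifyclient.activate` is on. Every other configuration error in the surrounding code returns -1 and aborts startup, so these two should as well: add `return -1;` inside the `if (!certs) { ... }` block, and `return -1;` after the "no ca_file" `log_error_write(...)`. The enclosing function starts and ends outside the hunk.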
./src/response.c Thu Mar 5 08:41:25 2009
123 123
	return 0;
124 124
}
125 125

  
126

  
126
#ifdef USE_OPENSSL
127
static void https_add_ssl_entries(connection *con) {
128
	X509 *xs;
129
	X509_NAME *xn;
130
	X509_NAME_ENTRY *xe;
131
	if (
132
		SSL_get_verify_result(con->ssl) != X509_V_OK
133
		|| !(xs = SSL_get_peer_certificate(con->ssl))
134
	) {
135
		return;
136
	}
137
	
138
	xn = X509_get_subject_name(xs);
139
	for (int i = 0, nentries = X509_NAME_entry_count(xn); i < nentries; ++i) {
140
		int xobjnid;
141
		const char * xobjsn;
142
		data_string *envds;
143

  
144
		if (!(xe = X509_NAME_get_entry(xn, i))) {
145
			continue;
146
		}
147
		xobjnid = OBJ_obj2nid((ASN1_OBJECT*)X509_NAME_ENTRY_get_object(xe));
148
		xobjsn = OBJ_nid2sn(xobjnid);
149
		if (!xobjsn) {
150
			continue;
151
		}
152
		
153
		if (NULL == (envds = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
154
			envds = data_string_init();
155
		}
156
		buffer_copy_string_len(envds->key, CONST_STR_LEN("SSL_CLIENT_S_DN_"));
157
		buffer_append_string(envds->key, xobjsn);
158
		buffer_copy_string(
159
			envds->value,
160
			(const char *)xe->value->data
161
		);
162
		if (buffer_is_equal(con->conf.ssl_verifyclient_username, envds->key)) {
163
			buffer_copy_string_buffer(con->authed_user, envds->value);
164
		}
165
		array_insert_unique(con->environment, (data_unset *)envds);
166
	}
167
	X509_free(xs);
168
}
169
#endif
127 170

  
128 171
handler_t http_response_prepare(server *srv, connection *con) {
129 172
	handler_t r;
......
329 372
		 */
330 373

  
331 374

  
375
#ifdef USE_OPENSSL
376
		if (con->conf.is_ssl && con->conf.ssl_verifyclient) {
377
			https_add_ssl_entries(con);
378
		}
379
#endif
332 380

  
333 381

  
334 382
		/* 1. stat()
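Review bot: `https_add_ssl_entries` fills each environment value with `buffer_copy_string(envds->value, (const char *)xe->value->data)`, treating the raw ASN1_STRING bytes as a NUL-terminated C string: a DN attribute encoded as BMPString (UTF-16) begins with a 0x00 byte for ASCII text and is copied as an empty value, a value carrying an embedded NUL is truncated at that NUL, and other non-UTF-8 encodings are passed through verbatim. Because the same value can become `con->authed_user` through `ssl.verifyclient.username`, the identity the server acts on should come from a length-aware, normalised form — convert with `ASN1_STRING_to_UTF8`, skip values that contain an embedded NUL, and copy with `buffer_copy_string_len` — and doing that before the `envds` lookup also avoids leaking a freshly `data_string_init()`ed element on the skip path. A smaller point: when the subject holds the matching attribute more than once the last occurrence wins for `authed_user`, which deserves a comment stating that this relies on the issuing CA's naming policy.
```c
static void https_add_ssl_entries(connection *con) {
	/* … unchanged: verify-result check and X509_get_subject_name … */
	for (int i = 0, nentries = X509_NAME_entry_count(xn); i < nentries; ++i) {
		unsigned char *utf8 = NULL;
		int utf8len;
		/* … unchanged: X509_NAME_get_entry and OBJ_nid2sn lookups … */
		/* normalise to UTF-8 with an explicit length; the raw ASN1_STRING is not a C string */
		utf8len = ASN1_STRING_to_UTF8(&utf8, X509_NAME_ENTRY_get_data(xe));
		if (utf8len < 0) {
			continue;
		}
		/* an embedded NUL would truncate the value wherever it is later used as a C string */
		if (memchr(utf8, '\0', (size_t)utf8len) != NULL) {
			OPENSSL_free(utf8);
			continue;
		}
		/* … unchanged: envds lookup and SSL_CLIENT_S_DN_ key construction … */
		buffer_copy_string_len(envds->value, (const char *)utf8, (size_t)utf8len);
		OPENSSL_free(utf8);
		/* … unchanged: authed_user match and array_insert_unique … */
	}
	/* … unchanged: X509_free … */
}
```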
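--- a/src/server.c
+++ b/src/server.c
@@ -278,6 +278,7 @@
 			buffer_free(s->ssl_cipher_list);
 			buffer_free(s->error_handler);
 			buffer_free(s->errorfile_prefix);
+			buffer_free(s->ssl_verifyclient_username);
 			array_free(s->mimetypes);
 #ifdef USE_OPENSSL
 			SSL_CTX_free(s->ssl_ctx);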