Feature #1288 » lighty-sslcert-r2585.patch

patch to r2585 (trunk) - presbrey, 2009-07-14 14:48


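--- a/lighttpd-trunk/src/base.h
+++ b/lighttpd-trunk/src/base.h
@@ -301,6 +301,11 @@
 
 
 	/* server wide */
+	unsigned short ssl_verifyclient;
+	unsigned short ssl_verifyclient_enforce;
+	unsigned short ssl_verifyclient_depth;
+	buffer *ssl_verifyclient_username;
+
 	buffer *ssl_pemfile;
 	buffer *ssl_ca_file;
 	buffer *ssl_cipher_list;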
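Review bot: The four new fields carry no comment tying them to the configuration keys they store, and `ssl_verifyclient_username` is a `buffer *` among plain flags, so a reader of base.h cannot tell that it names a subject DN attribute rather than a user name. I would put `/* ssl.verifyclient.*: client certificate verification; username is the SSL_CLIENT_S_DN_<attr> key whose value becomes authed_user */` above `unsigned short ssl_verifyclient;`. The enclosing struct starts and ends outside the hunk.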
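--- a/lighttpd-trunk/src/configfile.c
+++ b/lighttpd-trunk/src/configfile.c
@@ -106,6 +106,11 @@
 		{ "debug.log-timeouts",          NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 58 */
 		{ "debug.log-ssl-noise",         NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },     /* 59 */
 
+		{ "ssl.verifyclient.activate",   NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 60 */
+		{ "ssl.verifyclient.enforce",    NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 61 */
+		{ "ssl.verifyclient.depth",      NULL, T_CONFIG_SHORT,   T_CONFIG_SCOPE_SERVER }, /* 62 */
+		{ "ssl.verifyclient.username",   NULL, T_CONFIG_STRING,  T_CONFIG_SCOPE_SERVER }, /* 63 */
+
 		{ "server.host",                 "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
 		{ "server.docroot",              "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
 		{ "server.virtual-root",         "load mod_simple_vhost and use simple-vhost.server-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
@@ -195,6 +200,11 @@
 		s->global_bytes_per_second_cnt = 0;
 		s->global_bytes_per_second_cnt_ptr = &s->global_bytes_per_second_cnt;
 
+		s->ssl_verifyclient = 0;
+		s->ssl_verifyclient_enforce = 1;
+		s->ssl_verifyclient_username = buffer_init();
+		s->ssl_verifyclient_depth = 9;
+
 		cv[2].destination = s->errorfile_prefix;
 
 		cv[7].destination = s->server_tag;
@@ -242,6 +252,11 @@
 		cv[58].destination = &(s->log_timeouts);
 		cv[59].destination = &(s->log_ssl_noise);
 
+		cv[60].destination = &(s->ssl_verifyclient);
+		cv[61].destination = &(s->ssl_verifyclient_enforce);
+		cv[62].destination = &(s->ssl_verifyclient_depth);
+		cv[63].destination = s->ssl_verifyclient_username;
+
 		srv->config_storage[i] = s;
 
 		if (0 != (ret = config_insert_values_global(srv, ((data_config *)srv->config_context->data[i])->value, cv))) {
@@ -319,6 +334,11 @@
 	PATCH(etag_use_mtime);
 	PATCH(etag_use_size);
 
+	PATCH(ssl_verifyclient);
+	PATCH(ssl_verifyclient_enforce);
+	PATCH(ssl_verifyclient_depth);
+	PATCH(ssl_verifyclient_username);
+
 	return 0;
 }
 
@@ -414,6 +434,14 @@
 				PATCH(global_kbytes_per_second);
 				PATCH(global_bytes_per_second_cnt);
 				con->conf.global_bytes_per_second_cnt_ptr = &s->global_bytes_per_second_cnt;
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.activate"))) {
+				PATCH(ssl_verifyclient);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.enforce"))) {
+				PATCH(ssl_verifyclient_enforce);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.depth"))) {
+				PATCH(ssl_verifyclient_depth);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.username"))) {
+				PATCH(ssl_verifyclient_username);
 			}
 		}
 	}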
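Review bot: In the last hunk the `ssl.verifyclient.*` keys become patchable per conditional context, but the verification mode itself (`SSL_CTX_set_verify`, the CA list and the depth) is applied to the listen socket's SSL_CTX from the server-level settings at startup, so a value set only inside a conditional block looks like it changes what the handshake verifies but cannot; it only decides whether the post-handshake `https_add_ssl_entries` export runs for that request. That is also at odds with the first hunk, which registers all four keys as `T_CONFIG_SCOPE_SERVER`; presumably the per-context patching is meant only for `.activate`/`.username`, which should be stated. I would put `/* verification mode is bound to the SSL_CTX at startup; only the post-handshake env export is per-context */` above the new `else if` chain. In the second hunk `s->ssl_verifyclient_depth = 9;` deserves a why-comment such as `/* presumably mirrors OpenSSL's documented default verify depth — confirm */`. Each enclosing function starts and ends outside its hunk.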
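--- a/lighttpd-trunk/src/network.c
+++ b/lighttpd-trunk/src/network.c
@@ -514,6 +514,30 @@
 						ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
 				return -1;
 			}
+			if (s->ssl_verifyclient) { 
+				STACK_OF(X509_NAME) *certs = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
+				if (!certs) {
+					log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+							ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
+				}
+				if (SSL_CTX_set_session_id_context(s->ssl_ctx, (unsigned const char*)CONST_BUF_LEN(host_token)) != 1) { 
+					log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", 
+						ERR_error_string(ERR_get_error(), NULL)); 
+					return -1; 
+				}				
+				SSL_CTX_set_client_CA_list(s->ssl_ctx, certs);
+				SSL_CTX_set_verify(
+					s->ssl_ctx,
+					SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
+					NULL
+				); 
+				SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
+			}
+		} else if (s->ssl_verifyclient) {
+			log_error_write(
+				srv, __FILE__, __LINE__, "s",
+				"SSL: You specified ssl.verifyclient.activate but no ca_file"
+			);
 		}
 
 		if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {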
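Review bot: Both new error branches fail open: when `SSL_load_client_CA_file` returns NULL the error is logged but execution continues into `SSL_CTX_set_client_CA_list(s->ssl_ctx, certs)` with a NULL list, and when `ssl.verifyclient.activate` is set without a CA file the server logs and starts with no client verification at all, even though the administrator asked for it and the CA-file check immediately above treats a comparable failure as fatal with `return -1;`. A misconfiguration thus silently produces a listener that accepts any client, which contradicts the `enforce` default of 1. Add `return -1;` after each of the two new `log_error_write` calls so startup aborts like the surrounding checks. The enclosing function starts and ends outside the hunk.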
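--- a/lighttpd-trunk/src/response.c
+++ b/lighttpd-trunk/src/response.c
@@ -145,6 +145,50 @@
 	return 0;
 }
 
+#ifdef USE_OPENSSL
+static void https_add_ssl_entries(connection *con) {
+	X509 *xs;
+	X509_NAME *xn;
+	X509_NAME_ENTRY *xe;
+	if (
+		SSL_get_verify_result(con->sock->ssl) != X509_V_OK
+		|| !(xs = SSL_get_peer_certificate(con->sock->ssl))
+	) {
+		return;
+	}
+	
+	xn = X509_get_subject_name(xs);
+	for (int i = 0, nentries = X509_NAME_entry_count(xn); i < nentries; ++i) {
+		int xobjnid;
+		const char * xobjsn;
+		data_string *envds;
+
+		if (!(xe = X509_NAME_get_entry(xn, i))) {
+			continue;
+		}
+		xobjnid = OBJ_obj2nid((ASN1_OBJECT*)X509_NAME_ENTRY_get_object(xe));
+		xobjsn = OBJ_nid2sn(xobjnid);
+		if (!xobjsn) {
+			continue;
+		}
+		
+		if (NULL == (envds = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
+			envds = data_string_init();
+		}
+		buffer_copy_string_len(envds->key, CONST_STR_LEN("SSL_CLIENT_S_DN_"));
+		buffer_append_string(envds->key, xobjsn);
+		buffer_copy_string(
+			envds->value,
+			(const char *)xe->value->data
+		);
+		if (buffer_is_equal(con->conf.ssl_verifyclient_username, envds->key)) {
+			buffer_copy_string_buffer(con->authed_user, envds->value);
+		}
+		array_insert_unique(con->environment, (data_unset *)envds);
+	}
+	X509_free(xs);
+}
+#endif
 
 
 handler_t handle_get_backend(server *srv, connection *con) {
@@ -290,6 +334,12 @@
 			TRACE("URI-path     : %s", SAFE_BUF_STR(con->uri.path));
 		}
 
+#ifdef USE_OPENSSL
+		if (con->conf.is_ssl && con->conf.ssl_verifyclient) {
+			https_add_ssl_entries(con);
+		}
+#endif
+
 		/**
 		 *
 		 * call plugins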
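Review bot: `buffer_copy_string(envds->value, (const char *)xe->value->data)` treats the ASN1_STRING as a NUL-terminated C string, but the entry carries an explicit `xe->value->length` and may contain an embedded NUL, so the exported `SSL_CLIENT_S_DN_*` value and the `con->authed_user` derived from it can be a shorter prefix of what the CA actually certified. Copy by length instead, `buffer_copy_string_len(envds->value, (const char *)xe->value->data, xe->value->length);`, and reject the entry first with `if (memchr(xe->value->data, '\0', xe->value->length)) continue;` so the two views cannot disagree. A subject with the same attribute twice (two `OU` entries, say) produces the same key each time, and which value wins depends on array_insert_unique's duplicate handling, which is not visible here; a comment stating the intended outcome would help. `https_add_ssl_entries` is complete within the hunk; the caller in the second hunk starts and ends outside it.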
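--- a/lighttpd-trunk/src/server.c
+++ b/lighttpd-trunk/src/server.c
@@ -334,6 +334,7 @@
 			buffer_free(s->server_tag);
 			buffer_free(s->ssl_pemfile);
 			buffer_free(s->ssl_ca_file);
+			buffer_free(s->ssl_verifyclient_username);
 			buffer_free(s->error_handler);
 			buffer_free(s->errorfile_prefix);
 			array_free(s->mimetypes);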