|
|
|
@ -2362,6 +2362,22 @@ https_add_ssl_client_subject (request_st * const r, const mbedtls_x509_name *nam
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
__attribute_cold__
|
|
|
|
|
static void
|
|
|
|
|
https_add_ssl_client_verify_err (buffer * const b, uint32_t status)
|
|
|
|
|
{
|
|
|
|
|
/* get failure string and translate newline to ':', removing last one */
|
|
|
|
|
char buf[512];
|
|
|
|
|
int n = mbedtls_x509_crt_verify_info(buf, sizeof(buf), "", status);
|
|
|
|
|
if (n > 0) {
|
|
|
|
|
for (char *nl = buf; NULL != (nl = strchr(nl, '\n')); ++nl)
|
|
|
|
|
nl[0] = ('\0' == nl[1] ? (--n, '\0') : ':');
|
|
|
|
|
buffer_append_string_len(b, buf, n);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
__attribute_noinline__
|
|
|
|
|
static void
|
|
|
|
|
https_add_ssl_client_entries (request_st * const r, handler_ctx * const hctx)
|
|
|
|
|
{
|
|
|
|
@ -2372,7 +2388,6 @@ https_add_ssl_client_entries (request_st * const r, handler_ctx * const hctx)
|
|
|
|
|
* the peer cert and check for NULL before using it. */
|
|
|
|
|
const mbedtls_x509_crt *crt = mbedtls_ssl_get_peer_cert(&hctx->ssl);
|
|
|
|
|
buffer *vb = http_header_env_set_ptr(r, CONST_STR_LEN("SSL_CLIENT_VERIFY"));
|
|
|
|
|
char buf[512];
|
|
|
|
|
int n;
|
|
|
|
|
|
|
|
|
|
uint32_t rc = (NULL != crt)
|
|
|
|
@ -2383,20 +2398,15 @@ https_add_ssl_client_entries (request_st * const r, handler_ctx * const hctx)
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
else if (0 != rc) {
|
|
|
|
|
/* get failure string and translate newline to ':', removing last one */
|
|
|
|
|
n = mbedtls_x509_crt_verify_info(buf, sizeof(buf), "", rc);
|
|
|
|
|
buffer_copy_string_len(vb, CONST_STR_LEN("FAILED:"));
|
|
|
|
|
if (n > 0) {
|
|
|
|
|
for (char *nl = buf; NULL != (nl = strchr(nl, '\n')); ++nl)
|
|
|
|
|
nl[0] = ('\0' == nl[1] ? (--n, '\0') : ':');
|
|
|
|
|
buffer_append_string_len(vb, buf, n);
|
|
|
|
|
}
|
|
|
|
|
https_add_ssl_client_verify_err(vb, rc);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
buffer_copy_string_len(vb, CONST_STR_LEN("SUCCESS"));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
char buf[512];
|
|
|
|
|
n = mbedtls_x509_dn_gets(buf, sizeof(buf), &crt->subject);
|
|
|
|
|
if (n > 0 && n < (int)sizeof(buf)) {
|
|
|
|
|
http_header_env_set(r,
|
|
|
|
@ -2406,12 +2416,14 @@ https_add_ssl_client_entries (request_st * const r, handler_ctx * const hctx)
|
|
|
|
|
|
|
|
|
|
https_add_ssl_client_subject(r, &crt->subject);
|
|
|
|
|
|
|
|
|
|
n = mbedtls_x509_serial_gets(buf, sizeof(buf), &crt->serial);
|
|
|
|
|
if (n > 0 && n < (int)sizeof(buf)) {
|
|
|
|
|
http_header_env_set(r,
|
|
|
|
|
CONST_STR_LEN("SSL_CLIENT_M_SERIAL"),
|
|
|
|
|
buf, n);
|
|
|
|
|
}
|
|
|
|
|
/* mbedtls_x509_serial_gets() (inefficiently) formats to hex separated by
|
|
|
|
|
* colons, but would differ from behavior of other lighttpd TLS modules */
|
|
|
|
|
size_t i = 0; /* skip leading 0's per Distinguished Encoding Rules (DER) */
|
|
|
|
|
while (i < crt->serial.len && crt->serial.p[i] == 0) ++i;
|
|
|
|
|
if (i == crt->serial.len) --i;
|
|
|
|
|
buffer_append_string_encoded_hex_uc(
|
|
|
|
|
http_header_env_set_ptr(r, CONST_STR_LEN("SSL_CLIENT_M_SERIAL")),
|
|
|
|
|
(char *)crt->serial.p+i, crt->serial.len-i);
|
|
|
|
|
|
|
|
|
|
if (!buffer_string_is_empty(hctx->conf.ssl_verifyclient_username)) {
|
|
|
|
|
/* pick one of the exported values as "REMOTE_USER", for example
|
|
|
|
|