Add SSL Client Certificate verification (#1288)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2654 152afb58-edef-0310-8abb-c4023f1b3aa9

NEWS

@@ -55,6 +55,7 @@ NEWS
   * Fix close_timeout_ts trigger (should finally fix lingering close)
   * mod_rewrite: add url.rewrite-[repeat-]if-not-file to rewrite if file doesn't exist or is not a regular file (fixes #985, thx lucas aerbeydt)
   * Add TLS servername indication (SNI) support (fixes #386, thx Peter Colberg <peter@colberg.org>)
+  * Add SSL Client Certificate verification (#1288)
 
 - 1.4.23 - 2009-06-19
   * Added some extra warning options in cmake and fix the resulting warnings (unused/static functions)

src/base.h

@@ -276,6 +276,10 @@ typedef struct {
 	buffer *ssl_ca_file;
 	buffer *ssl_cipher_list;
 	unsigned short ssl_use_sslv2;
+	unsigned short ssl_verifyclient;
+	unsigned short ssl_verifyclient_enforce;
+	unsigned short ssl_verifyclient_depth;
+	buffer *ssl_verifyclient_username;
 
 	unsigned short use_ipv6;
 	unsigned short defer_accept;

src/configfile.c

@@ -95,6 +95,10 @@ static int config_insert(server *srv) {
 		{ "debug.log-timeouts",          NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 53 */
 		{ "server.defer-accept",         NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION },   /* 54 */
 		{ "server.breakagelog",          NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER },      /* 55 */
+		{ "ssl.verifyclient.activate",   NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },     /* 56 */
+		{ "ssl.verifyclient.enforce",    NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },     /* 57 */
+		{ "ssl.verifyclient.depth",      NULL, T_CONFIG_SHORT,   T_CONFIG_SCOPE_SERVER },     /* 58 */
+		{ "ssl.verifyclient.username",   NULL, T_CONFIG_STRING,  T_CONFIG_SCOPE_SERVER },     /* 59 */
 		{ "server.host",                 "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
 		{ "server.docroot",              "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
 		{ "server.virtual-root",         "load mod_simple_vhost and use simple-vhost.server-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
@@ -179,6 +183,10 @@ static int config_insert(server *srv) {
 		s->global_kbytes_per_second = 0;
 		s->global_bytes_per_second_cnt = 0;
 		s->global_bytes_per_second_cnt_ptr = &s->global_bytes_per_second_cnt;
+		s->ssl_verifyclient = 0;
+		s->ssl_verifyclient_enforce = 1;
+		s->ssl_verifyclient_username = buffer_init();
+		s->ssl_verifyclient_depth = 9;
 
 		cv[2].destination = s->errorfile_prefix;
 
@@ -225,6 +233,12 @@ static int config_insert(server *srv) {
 		cv[50].destination = &(s->etag_use_mtime);
 		cv[51].destination = &(s->etag_use_size);
 
+		/* ssl.verify */
+		cv[56].destination = &(s->ssl_verifyclient);
+		cv[57].destination = &(s->ssl_verifyclient_enforce);
+		cv[58].destination = &(s->ssl_verifyclient_depth);
+		cv[59].destination = s->ssl_verifyclient_username;
+
 		srv->config_storage[i] = s;
 
 		if (0 != (ret = config_insert_values_global(srv, ((data_config *)srv->config_context->data[i])->value, cv))) {
@@ -304,7 +318,12 @@ int config_setup_connection(server *srv, connection *con) {
 	PATCH(etag_use_inode);
 	PATCH(etag_use_mtime);
 	PATCH(etag_use_size);
- 
+
+	PATCH(ssl_verifyclient);
+	PATCH(ssl_verifyclient_enforce);
+	PATCH(ssl_verifyclient_depth);
+	PATCH(ssl_verifyclient_username);
+
 	return 0;
 }
 
@@ -394,6 +413,14 @@ int config_patch_connection(server *srv, connection *con, comp_key_t comp) {
 				PATCH(global_kbytes_per_second);
 				PATCH(global_bytes_per_second_cnt);
 				con->conf.global_bytes_per_second_cnt_ptr = &s->global_bytes_per_second_cnt;
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.activate"))) {
+				PATCH(ssl_verifyclient);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.enforce"))) {
+				PATCH(ssl_verifyclient_enforce);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.depth"))) {
+				PATCH(ssl_verifyclient_depth);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.username"))) {
+				PATCH(ssl_verifyclient_username);
 			}
 		}
 	}

src/network.c

@@ -543,6 +543,30 @@ int network_init(server *srv) {
 						ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
 				return -1;
 			}
+			if (s->ssl_verifyclient) {
+				STACK_OF(X509_NAME) *certs = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
+				if (!certs) {
+					log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+							ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
+				}
+				if (SSL_CTX_set_session_id_context(s->ssl_ctx, (void*) &srv, sizeof(srv)) != 1) {
+					log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+						ERR_error_string(ERR_get_error(), NULL));
+					return -1;
+				}
+				SSL_CTX_set_client_CA_list(s->ssl_ctx, certs);
+				SSL_CTX_set_verify(
+					s->ssl_ctx,
+					SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
+					NULL
+				);
+				SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
+			}
+		} else if (s->ssl_verifyclient) {
+			log_error_write(
+				srv, __FILE__, __LINE__, "s",
+				"SSL: You specified ssl.verifyclient.activate but no ca_file"
+			);
 		}
 
 		if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {

src/server.c

@@ -307,6 +307,7 @@ static void server_free(server *srv) {
 			buffer_free(s->error_handler);
 			buffer_free(s->errorfile_prefix);
 			array_free(s->mimetypes);
+			buffer_free(s->ssl_verifyclient_username);
 #ifdef USE_OPENSSL
 			SSL_CTX_free(s->ssl_ctx);
 #endif