Browse Source

[TLS] https_add_ssl_client_verify_err()

separate routine for printing client certificate verification error

more consistent SSL_CLIENT_M_SERIAL between modules
master
Glenn Strauss 9 months ago
parent
commit
250ced26d8
  1. 40
      src/mod_gnutls.c
  2. 40
      src/mod_mbedtls.c
  3. 30
      src/mod_nss.c
  4. 15
      src/mod_openssl.c
  5. 15
      src/mod_wolfssl.c

40
src/mod_gnutls.c

@ -2707,6 +2707,31 @@ https_add_ssl_client_subject (request_st * const r, gnutls_x509_dn_t dn)
"gnutls_x509_dn_get_rdn_ava()");
}
__attribute_cold__
static void
https_add_ssl_client_verify_err (buffer * const b, unsigned int status)
{
#if GNUTLS_VERSION_NUMBER >= 0x030104
/* get failure string and translate newline to ':', removing last one */
/* (preserving behavior from mod_openssl) */
gnutls_datum_t msg = { NULL, 0 };
if (gnutls_certificate_verification_status_print(status, GNUTLS_CRT_X509,
&msg, 0) >= 0) {
size_t sz = msg.size-1; /* '\0'-terminated string */
for (char *nl=(char *)msg.data; NULL != (nl=strchr(nl, '\n')); ++nl)
nl[0] = ('\0' == nl[1] ? (--sz, '\0') : ':');
buffer_append_string_len(b, (char *)msg.data, sz);
}
if (msg.data) gnutls_free(msg.data);
#else
UNUSED(b);
UNUSED(status);
#endif
}
__attribute_noinline__
static void
https_add_ssl_client_entries (request_st * const r, handler_ctx * const hctx)
{
@ -2724,20 +2749,7 @@ https_add_ssl_client_entries (request_st * const r, handler_ctx * const hctx)
}
else if (0 != hctx->verify_status) {
buffer_copy_string_len(vb, CONST_STR_LEN("FAILED:"));
#if GNUTLS_VERSION_NUMBER >= 0x030104
/* get failure string and translate newline to ':', removing last one */
/* (preserving behavior from mod_openssl) */
gnutls_datum_t msg = { NULL, 0 };
if (gnutls_certificate_verification_status_print(hctx->verify_status,
GNUTLS_CRT_X509,
&msg, 0) >= 0) {
size_t sz = msg.size-1; /* '\0'-terminated string */
for (char *nl=(char *)msg.data; NULL != (nl=strchr(nl, '\n')); ++nl)
nl[0] = ('\0' == nl[1] ? (--sz, '\0') : ':');
buffer_append_string_len(vb, (char *)msg.data, sz);
}
if (msg.data) gnutls_free(msg.data);
#endif
https_add_ssl_client_verify_err(vb, hctx->verify_status);
return;
}
else {

40
src/mod_mbedtls.c

@ -2362,6 +2362,22 @@ https_add_ssl_client_subject (request_st * const r, const mbedtls_x509_name *nam
}
__attribute_cold__
static void
https_add_ssl_client_verify_err (buffer * const b, uint32_t status)
{
/* get failure string and translate newline to ':', removing last one */
char buf[512];
int n = mbedtls_x509_crt_verify_info(buf, sizeof(buf), "", status);
if (n > 0) {
for (char *nl = buf; NULL != (nl = strchr(nl, '\n')); ++nl)
nl[0] = ('\0' == nl[1] ? (--n, '\0') : ':');
buffer_append_string_len(b, buf, n);
}
}
__attribute_noinline__
static void
https_add_ssl_client_entries (request_st * const r, handler_ctx * const hctx)
{
@ -2372,7 +2388,6 @@ https_add_ssl_client_entries (request_st * const r, handler_ctx * const hctx)
* the peer cert and check for NULL before using it. */
const mbedtls_x509_crt *crt = mbedtls_ssl_get_peer_cert(&hctx->ssl);
buffer *vb = http_header_env_set_ptr(r, CONST_STR_LEN("SSL_CLIENT_VERIFY"));
char buf[512];
int n;
uint32_t rc = (NULL != crt)
@ -2383,20 +2398,15 @@ https_add_ssl_client_entries (request_st * const r, handler_ctx * const hctx)
return;
}
else if (0 != rc) {
/* get failure string and translate newline to ':', removing last one */
n = mbedtls_x509_crt_verify_info(buf, sizeof(buf), "", rc);
buffer_copy_string_len(vb, CONST_STR_LEN("FAILED:"));
if (n > 0) {
for (char *nl = buf; NULL != (nl = strchr(nl, '\n')); ++nl)
nl[0] = ('\0' == nl[1] ? (--n, '\0') : ':');
buffer_append_string_len(vb, buf, n);
}
https_add_ssl_client_verify_err(vb, rc);
return;
}
else {
buffer_copy_string_len(vb, CONST_STR_LEN("SUCCESS"));
}
char buf[512];
n = mbedtls_x509_dn_gets(buf, sizeof(buf), &crt->subject);
if (n > 0 && n < (int)sizeof(buf)) {
http_header_env_set(r,
@ -2406,12 +2416,14 @@ https_add_ssl_client_entries (request_st * const r, handler_ctx * const hctx)
https_add_ssl_client_subject(r, &crt->subject);
n = mbedtls_x509_serial_gets(buf, sizeof(buf), &crt->serial);
if (n > 0 && n < (int)sizeof(buf)) {
http_header_env_set(r,
CONST_STR_LEN("SSL_CLIENT_M_SERIAL"),
buf, n);
}
/* mbedtls_x509_serial_gets() (inefficiently) formats to hex separated by
* colons, but would differ from behavior of other lighttpd TLS modules */
size_t i = 0; /* skip leading 0's per Distinguished Encoding Rules (DER) */
while (i < crt->serial.len && crt->serial.p[i] == 0) ++i;
if (i == crt->serial.len) --i;
buffer_append_string_encoded_hex_uc(
http_header_env_set_ptr(r, CONST_STR_LEN("SSL_CLIENT_M_SERIAL")),
(char *)crt->serial.p+i, crt->serial.len-i);
if (!buffer_string_is_empty(hctx->conf.ssl_verifyclient_username)) {
/* pick one of the exported values as "REMOTE_USER", for example

30
src/mod_nss.c

@ -2472,6 +2472,21 @@ https_add_ssl_client_subject (request_st * const r, CERTName * const subj)
}
}
__attribute_cold__
static void
https_add_ssl_client_verify_err (buffer * const b, unsigned int status)
{
const char *s = PR_ErrorToName(status);
if (s)
buffer_append_string_len(b, s, strlen(s));
buffer_append_string_len(b, CONST_STR_LEN(":"));
s = PR_ErrorToString(status, PR_LANGUAGE_I_DEFAULT);
buffer_append_string_len(b, s, strlen(s));
}
__attribute_noinline__
static void
https_add_ssl_client_entries (request_st * const r, handler_ctx * const hctx)
{
@ -2488,12 +2503,7 @@ https_add_ssl_client_entries (request_st * const r, handler_ctx * const hctx)
}
else if (0 != hctx->verify_status) {
buffer_copy_string_len(vb, CONST_STR_LEN("FAILED:"));
const char *s = PR_ErrorToName(hctx->verify_status);
if (s)
buffer_append_string_len(vb, s, strlen(s));
buffer_append_string_len(vb, CONST_STR_LEN(":"));
s = PR_ErrorToString(hctx->verify_status, PR_LANGUAGE_I_DEFAULT);
buffer_append_string_len(vb, s, strlen(s));
https_add_ssl_client_verify_err(vb, hctx->verify_status);
CERT_DestroyCertificate(crt);
return;
}
@ -2511,9 +2521,13 @@ https_add_ssl_client_entries (request_st * const r, handler_ctx * const hctx)
https_add_ssl_client_subject(r, &crt->subject);
buffer_append_uint_hex_lc(
s = (char *)crt->serialNumber.data;
size_t i = 0; /* skip leading 0's per Distinguished Encoding Rules (DER) */
while (i < crt->serialNumber.len && s[i] == 0) ++i;
if (i == crt->serialNumber.len) --i;
buffer_append_string_encoded_hex_uc(
http_header_env_set_ptr(r, CONST_STR_LEN("SSL_CLIENT_M_SERIAL")),
DER_GetInteger(&crt->serialNumber));
s+i, crt->serialNumber.len-i);
if (!buffer_string_is_empty(hctx->conf.ssl_verifyclient_username)) {
/* pick one of the exported values as "REMOTE_USER", for example

15
src/mod_openssl.c

@ -3374,6 +3374,17 @@ https_add_ssl_client_subject (request_st * const r, X509_NAME *xn)
}
__attribute_cold__
static void
https_add_ssl_client_verify_err (buffer * const b, long status)
{
char errstr[256];
ERR_error_string_n(status, errstr, sizeof(errstr));
buffer_append_string(b, errstr);
}
__attribute_noinline__
static void
https_add_ssl_client_entries (request_st * const r, handler_ctx * const hctx)
{
@ -3383,10 +3394,8 @@ https_add_ssl_client_entries (request_st * const r, handler_ctx * const hctx)
long vr = SSL_get_verify_result(hctx->ssl);
if (vr != X509_V_OK) {
char errstr[256];
ERR_error_string_n(vr, errstr, sizeof(errstr));
buffer_copy_string_len(vb, CONST_STR_LEN("FAILED:"));
buffer_append_string(vb, errstr);
https_add_ssl_client_verify_err(vb, vr);
return;
} else if (!(xs = SSL_get_peer_certificate(hctx->ssl))) {
buffer_copy_string_len(vb, CONST_STR_LEN("NONE"));

15
src/mod_wolfssl.c

@ -3157,6 +3157,17 @@ https_add_ssl_client_subject (request_st * const r, X509_NAME *xn)
}
__attribute_cold__
static void
https_add_ssl_client_verify_err (buffer * const b, long status)
{
char errstr[256];
ERR_error_string_n(status, errstr, sizeof(errstr));
buffer_append_string(b, errstr);
}
__attribute_noinline__
static void
https_add_ssl_client_entries (request_st * const r, handler_ctx * const hctx)
{
@ -3166,10 +3177,8 @@ https_add_ssl_client_entries (request_st * const r, handler_ctx * const hctx)
long vr = SSL_get_verify_result(hctx->ssl);
if (vr != X509_V_OK) {
char errstr[256];
ERR_error_string_n(vr, errstr, sizeof(errstr));
buffer_copy_string_len(vb, CONST_STR_LEN("FAILED:"));
buffer_append_string(vb, errstr);
https_add_ssl_client_verify_err(vb, vr);
return;
} else if (!(xs = SSL_get_peer_certificate(hctx->ssl))) {
buffer_copy_string_len(vb, CONST_STR_LEN("NONE"));

Loading…
Cancel
Save