[dovecot-cvs] dovecot/src/login-common ssl-proxy-openssl.c, 1.37, 1.37.2.1

Sun Jun 11 17:48:44 EEST 2006

Update of /var/lib/cvs/dovecot/src/login-common
In directory talvi:/tmp/cvs-serv24229

Modified Files:
      Tag: branch_1_0
	ssl-proxy-openssl.c 
Log Message:
Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
invalid sent certificates. If verbose_ssl=yes, log even the valid
certificates. When using the username from the certificate, use CommonName.
Based on patch by HenkJan Wolthuis



Index: ssl-proxy-openssl.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/login-common/ssl-proxy-openssl.c,v
retrieving revision 1.37
retrieving revision 1.37.2.1
diff -u -d -r1.37 -r1.37.2.1

--- ssl-proxy-openssl.c	4 Apr 2006 08:33:11 -0000	1.37
+++ ssl-proxy-openssl.c	11 Jun 2006 14:48:42 -0000	1.37.2.1
@@ -508,10 +508,13 @@
 	if (x509 == NULL)
 		return NULL; /* we should have had it.. */
 
-	X509_NAME_oneline(X509_get_subject_name(x509), buf, sizeof(buf));
-	name = t_strndup(buf, sizeof(buf));
+	if (X509_NAME_get_text_by_NID(X509_get_subject_name(x509),
+				      NID_commonName, buf, sizeof(buf)) < 0)
+		name = "";
+	else
+		name = t_strndup(buf, sizeof(buf));
 	X509_free(x509);
-
+	
 	return *name == '\0' ? NULL : name;
 }
 
@@ -580,11 +583,25 @@
 	ssl = X509_STORE_CTX_get_ex_data(ctx,
 					 SSL_get_ex_data_X509_STORE_CTX_idx());
 	proxy = SSL_get_ex_data(ssl, extdata_index);
-
 	proxy->cert_received = TRUE;
+
+	if (verbose_ssl || (verbose_auth && !preverify_ok)) {
+		char buf[1024];
+		X509_NAME *subject;
+
+		subject = X509_get_subject_name(ctx->current_cert);
+		(void)X509_NAME_oneline(subject, buf, sizeof(buf));
+		buf[sizeof(buf)-1] = '\0'; /* just in case.. */
+		if (!preverify_ok)
+			i_info("Invalid certificate: %s", buf);
+		else
+			i_info("Valid certificate: %s", buf);
+	}
 	if (!preverify_ok)
 		proxy->cert_broken = TRUE;
 
+	/* Return success anyway, because if ssl_require_client_cert=no we
+	   could still allow authentication. */
 	return 1;
 }
 
@@ -665,6 +682,13 @@
 	SSL_CTX_set_tmp_dh_callback(ssl_ctx, ssl_tmp_dh_callback);
 
 	if (getenv("SSL_VERIFY_CLIENT_CERT") != NULL) {
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+		X509_STORE *store;
+
+		store = SSL_CTX_get_cert_store(ssl_ctx);
+		X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
+				     X509_V_FLAG_CRL_CHECK_ALL);
+#endif
 		SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER |
 				   SSL_VERIFY_CLIENT_ONCE,
 				   ssl_verify_client_cert);

