HenkJan Wolthuis
2006-Jun-01 11:10 UTC
[Dovecot] ssl-proxy: client certificates and crl check
--- ssl-proxy-openssl.c.orig 2006-04-04 10:32:58.000000000 +0200
+++ ssl-proxy-openssl.c 2006-06-01 09:24:57.000000000 +0200
@@ -498,7 +498,7 @@
const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy)
{
X509 *x509;
- char buf[1024];
+ char buf[256];
const char *name;
if (!ssl_proxy_has_valid_client_cert(proxy))
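Review bot: the shrink of `buf` from 1024 to 256 bytes carries no rationale. It is only safe because the next hunk replaces X509_NAME_oneline (which was writing a full subject DN) with X509_NAME_get_text_by_NID, which writes at most len-1 bytes and NUL-terminates on success; a longer common name is then silently truncated rather than overflowing. A one-line comment stating that the buffer now only has to hold a CN, and that longer CNs are cut, would make the size change reviewable on its own.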
@@ -508,10 +508,16 @@
if (x509 == NULL)
return NULL; /* we should have had it.. */
- X509_NAME_oneline(X509_get_subject_name(x509), buf, sizeof(buf));
- name = t_strndup(buf, sizeof(buf));
+ /* HJHJ */
+ /* the X509_N_gtbN can return -1 without 0-terminating buf */
+ /* if the call succeeds buf is 0-terminated (openssl 0.9.7e / 0.9.8b src) */
+ buf[0] = '\0';
+ if(
X509_NAME_get_text_by_NID(X509_get_subject_name(x509),NID_commonName,buf,sizeof(buf))
< 0 )
+ { buf[0] = '\0'; }
+ name = t_strndup(buf, sizeof(buf) );
X509_free(x509);
-
+ /* HJHJ */
+
return *name == '\0' ? NULL : name;
}
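Review bot: switching from X509_NAME_oneline on the whole subject to X509_NAME_get_text_by_NID(..., NID_commonName, ...) changes what ssl_proxy_get_peer_name returns from the full subject DN to the CN alone, so two certificates that differ only in other RDNs (O, OU, emailAddress) now produce the same peer name; given that the function's result is what identifies the peer, this should be stated in the commit message rather than hidden behind a `/* HJHJ */` marker. Smaller points: `buf[0] = '\0'` is set both before the call and again in the `< 0` branch, so one of the two is redundant, and the abbreviation `X509_N_gtbN` in the comment should be the real function name before this is committed.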
@@ -582,10 +588,22 @@
proxy = SSL_get_ex_data(ssl, extdata_index);
proxy->cert_received = TRUE;
+
+ /* HJHJ */
+ char buf[1024];
+ X509_NAME_oneline(
X509_get_subject_name(ctx->current_cert),buf,sizeof(buf));
+
if (!preverify_ok)
+ {
proxy->cert_broken = TRUE;
+ i_warning("BAD CERT %s:
%s",X509_verify_cert_error_string(ctx->error),buf);
+ }
+ else
+ { i_warning("CERT: %s",buf); } /* logging */
- return 1;
+ return preverify_ok;
+ /* HJHJ */
+
}
static int
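Review bot: returning `preverify_ok` instead of 1 makes every verification failure abort the handshake, which is a behaviour change for setups where the client certificate is optional and `proxy->cert_broken` (already recorded two lines earlier) is what the later authentication step consults; the callback should keep recording the result and leave the accept/reject policy to the caller. Also, `i_warning("CERT: %s", buf)` logs the subject of every valid certificate at warning level, once per chain element the callback is invoked for (`ctx->current_cert`), which is noisy for a non-error path and belongs at info or debug level. Finally, `char buf[1024];` is declared after a statement, which older C compilers reject; move it to the top of the block, and drop the `/* HJHJ */` markers.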
@@ -666,10 +684,20 @@
if (getenv("SSL_VERIFY_CLIENT_CERT") != NULL) {
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER |
- SSL_VERIFY_CLIENT_ONCE,
+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
ssl_verify_client_cert);
}
+ /* HJHJ */
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+ X509_STORE *store;
+ if( (store=SSL_CTX_get_cert_store(ssl_ctx)) != NULL )
+ { X509_STORE_set_flags( store, X509_V_FLAG_CRL_CHECK |
X509_V_FLAG_CRL_CHECK_ALL); }
+ else
+ { i_warning("X509 get cert store failed..."); }
+#endif
+ /* HJHJ */
+
/* PRNG initialization might want to use /dev/urandom, make sure it
does it before chrooting. We might not have enough entropy at
the first try, so this function may fail. It's still been
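Review bot: this hunk bundles two behaviour changes that should be separate and configurable rather than unconditional. Replacing SSL_VERIFY_CLIENT_ONCE with SSL_VERIFY_FAIL_IF_NO_PEER_CERT rejects every connection that presents no certificate at all, which breaks deployments where a certificate is only one of the accepted ways to authenticate. And setting X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL on the store makes OpenSSL demand a CRL for every CA in the chain: if no CRL has been loaded into the store, verification of every client certificate fails with X509_V_ERR_UNABLE_TO_GET_CRL, so these flags should only be set when the administrator has actually supplied a CRL. The NULL check on SSL_CTX_get_cert_store is harmless but not needed for a normally created context, `X509_STORE *store;` is again a declaration after statements, and the `/* HJHJ */` markers should go.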
Timo Sirainen
2006-Jun-11 17:51 UTC
[Dovecot] ssl-proxy: client certificates and crl check
On Thu, 2006-06-01 at 10:13 +0200, HenkJan Wolthuis wrote:
> Hi,
>
> I've attached a new version of my patch against ssl_proxy-openssl.c
> which:

Thanks, committed to CVS now although with some changes.

> - ssl_verify_client_cert now returns 0 in case of an invalid cert. Was
> there a reason why it always returned 1?

Yes. ssl_verify_client_cert=yes doesn't require the certificate to be valid. Only ssl_require_valid_client_cert=yes in auth settings does that. This allows for some people to authenticate with certificates and others to authenticate the usual way. So I dropped this part of your patch.

> + if( (store=SSL_CTX_get_cert_store(ssl_ctx)) != NULL )
> + { X509_STORE_set_flags( store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); }
> + else
> + { i_warning("X509 get cert store failed..."); }

Can it ever return NULL? Looking at the manual page it didn't seem so, so I dropped the NULL-check from here.