Context Navigation

source: server/common/oursrc/httpdmods/mod_auth_sslcert.c @ 781

Last change on this file since 781 was 436, checked in by andersk, 18 years ago
Fix dir config merging in mod_auth_sslcert.
File size: 5.3 KB

Rev	Line
[54]	1	/* mod_auth_sslcert
[436]	2	* version 1.1.1, released 2007-10-01
[390]	3	* Anders Kaseorg <andersk@mit.edu>
[54]	4	*
	5	* This module does authentication based on SSL client certificates:
	6	* AuthType SSLCert
	7	* AuthSSLCertVar SSL_CLIENT_S_DN_Email
	8	* AuthSSLCertStripSuffix "@MIT.EDU"
	9	*/
	10
	11	#include "apr_strings.h"
	12	#define APR_WANT_STRFUNC /* for strcasecmp */
	13	#include "apr_want.h"
	14
	15	#include "ap_config.h"
	16	#include "httpd.h"
	17	#include "http_config.h"
	18	#include "http_core.h"
	19	#include "http_log.h"
[390]	20	#include "http_request.h"
[54]	21
	22	#include "mod_auth.h"
	23	#include "mod_ssl.h"
	24
	25	static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *ssl_var_lookup;
	26
	27	typedef struct {
	28	int authoritative;
	29	char *var;
	30	char *strip_suffix;
[390]	31	int strip_suffix_required;
[54]	32	} auth_sslcert_config_rec;
	33
[390]	34	static void create_auth_sslcert_dir_config(apr_pool_t p, char *dirspec)
[54]	35	{
	36	auth_sslcert_config_rec conf = apr_pcalloc(p, sizeof(conf));
	37
[436]	38	conf->authoritative = -1;
[54]	39	conf->var = NULL;
	40	conf->strip_suffix = NULL;
[436]	41	conf->strip_suffix_required = -1;
[54]	42
	43	return conf;
	44	}
	45
[390]	46	static void merge_auth_sslcert_dir_config(apr_pool_t p, void parent_conf, void newloc_conf)
	47	{
	48	auth_sslcert_config_rec pconf = parent_conf, nconf = newloc_conf,
	49	conf = apr_pcalloc(p, sizeof(conf));
	50
[436]	51	conf->authoritative = (nconf->authoritative != -1) ?
	52	nconf->authoritative : pconf->authoritative;
	53	conf->var = (nconf->var != NULL) ?
	54	nconf->var : pconf->var;
[390]	55	conf->strip_suffix = (nconf->var != NULL \|\| nconf->strip_suffix != NULL) ?
	56	nconf->strip_suffix : pconf->strip_suffix;
[436]	57	conf->strip_suffix_required = (nconf->var != NULL \|\| nconf->strip_suffix_required != -1) ?
	58	nconf->authoritative : pconf->authoritative;
[390]	59
	60	return conf;
	61	}
	62
[54]	63	static const command_rec auth_sslcert_cmds[] =
	64	{
	65	AP_INIT_FLAG("AuthSSLCertAuthoritative", ap_set_flag_slot,
	66	(void *)APR_OFFSETOF(auth_sslcert_config_rec, authoritative),
	67	OR_AUTHCFG,
	68	"Set to 'Off' to allow access control to be passed along to "
	69	"lower modules if the UserID is not known to this module"),
	70	AP_INIT_TAKE1("AuthSSLCertVar", ap_set_string_slot,
	71	(void*)APR_OFFSETOF(auth_sslcert_config_rec, var),
	72	OR_AUTHCFG,
	73	"SSL variable to use as the username"),
	74	AP_INIT_TAKE1("AuthSSLCertStripSuffix", ap_set_string_slot,
	75	(void*)APR_OFFSETOF(auth_sslcert_config_rec, strip_suffix),
	76	OR_AUTHCFG,
	77	"An optional suffix to strip from the username"),
[390]	78	AP_INIT_FLAG("AuthSSLCertStripSuffixRequired", ap_set_flag_slot,
	79	(void *)APR_OFFSETOF(auth_sslcert_config_rec, strip_suffix_required),
	80	OR_AUTHCFG,
	81	"Set to 'Off' to allow certs that don't end with a recognized "
	82	"suffix to still authenticate"),
[54]	83	{NULL}
	84	};
	85
	86	module AP_MODULE_DECLARE_DATA auth_sslcert_module;
	87
	88	static int authenticate_sslcert_user(request_rec *r)
	89	{
	90	auth_sslcert_config_rec *conf = ap_get_module_config(r->per_dir_config,
	91	&auth_sslcert_module);
	92	const char *current_auth;
	93
	94	/* Are we configured to be SSLCert auth? */
	95	current_auth = ap_auth_type(r);
	96	if (!current_auth \|\| strcasecmp(current_auth, "SSLCert") != 0) {
	97	return DECLINED;
	98	}
	99
	100	r->ap_auth_type = "SSLCert";
	101
	102	if (strcasecmp((char *)ssl_var_lookup(r->pool, r->server, r->connection, r,
	103	"SSL_CLIENT_VERIFY"),
	104	"SUCCESS") == 0) {
	105	if (conf->var == NULL) {
	106	ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
	107	"AuthSSLCertVar is not set: \"%s\"", r->uri);
	108	return HTTP_INTERNAL_SERVER_ERROR;
	109	}
	110	char user = (char )ssl_var_lookup(r->pool, r->server, r->connection, r,
	111	conf->var);
	112	if (user != NULL && user[0] != '\0') {
	113	if (conf->strip_suffix != NULL) {
	114	int i = strlen(user) - strlen(conf->strip_suffix);
	115	if (i >= 0 && strcasecmp(user + i, conf->strip_suffix) == 0) {
	116	r->user = apr_pstrmemdup(r->pool, user, i);
	117	return OK;
[390]	118	} else if (!conf->strip_suffix_required) {
	119	r->user = user;
	120	return OK;
[54]	121	} else {
	122	ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
	123	"SSL username for \"%s\" has wrong suffix: \"%s\"",
[390]	124	r->uri, user);
[54]	125	}
	126	} else {
	127	r->user = user;
	128	return OK;
	129	}
	130	} else {
	131	ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
	132	"no SSL username for \"%s\"", r->uri);
	133	}
[390]	134	} else if (conf->authoritative) {
	135	ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
[54]	136	"SSL client not verified for \"%s\"", r->uri);
	137	}
	138
	139	/* If we're not authoritative, then any error is ignored. */
	140	if (!conf->authoritative) {
	141	return DECLINED;
	142	}
	143
	144	ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
	145	"SSLCert authentication failure for \"%s\"",
	146	r->uri);
	147	return HTTP_UNAUTHORIZED;
	148	}
	149
	150	static void import_ssl_var_lookup()
	151	{
	152	ssl_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
	153	}
	154
	155	static void register_hooks(apr_pool_t *p)
	156	{
[390]	157	ap_hook_check_user_id(authenticate_sslcert_user, NULL, NULL, APR_HOOK_MIDDLE);
	158	ap_hook_optional_fn_retrieve(import_ssl_var_lookup, NULL, NULL, APR_HOOK_MIDDLE);
[54]	159	}
	160
	161	module AP_MODULE_DECLARE_DATA auth_sslcert_module =
	162	{
	163	STANDARD20_MODULE_STUFF,
	164	create_auth_sslcert_dir_config, /* dir config creater */
[390]	165	merge_auth_sslcert_dir_config, /* dir merger */
[54]	166	NULL, /* server config */
	167	NULL, /* merge server config */
	168	auth_sslcert_cmds, /* command apr_table_t */
	169	register_hooks /* register hooks */
	170	};

Note: See TracBrowser for help on using the repository browser.

Download in other formats: