| author | 2018-05-19 13:56:56 +0000 | |
|---|---|---|
| committer | 2018-05-19 13:56:56 +0000 | |
| commit | 1d0dc528c071fa459d01d783c0d8749797459e37 (patch) | |
| tree | 11ceb1fccfba099eccbaf30eca0cca44c2c9d5a3 /usr.sbin/httpd/server.c | |
| parent | Do not ignore nice time in systat(1). The sum would not be 100%, (diff) | |
Add support for client certificate authentication to httpd.
From Jack Burton <jack at saosce dot com dot au> - thanks!
Also tested by Jan Klemkow <j.klemkow at wemelug dot de>.
ok beck@ reyk@
Diffstat (limited to 'usr.sbin/httpd/server.c')
| -rw-r--r-- | usr.sbin/httpd/server.c | 71 |
1 files changed, 69 insertions, 2 deletions
diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c
index 2a505ace8de..5f4304705d8 100644
--- a/usr.sbin/httpd/server.c
+++ b/usr.sbin/httpd/server.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: server.c,v 1.113 2017/11/29 16:55:08 beck Exp $	*/
+/*	$OpenBSD: server.c,v 1.114 2018/05/19 13:56:56 jsing Exp $	*/
 
 /*
  * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -134,6 +134,8 @@ server_tls_cmp(struct server *s1, struct server *s2, int match_keypair)
 	sc1 = &s1->srv_conf;
 	sc2 = &s2->srv_conf;
 
+	if (sc1->tls_flags != sc2->tls_flags)
+		return (-1);
 	if (sc1->tls_protocols != sc2->tls_protocols)
 		return (-1);
 	if (sc1->tls_ticket_lifetime != sc2->tls_ticket_lifetime)
@@ -207,6 +209,40 @@ server_tls_load_ocsp(struct server *srv)
 }
 
 int
+server_tls_load_ca(struct server *srv)
+{
+	if ((srv->srv_conf.tls_flags & TLSFLAG_CA) == 0 ||
+	    srv->srv_conf.tls_ca_file == NULL)
+		return (0);
+
+	if ((srv->srv_conf.tls_ca = tls_load_file(
+	    srv->srv_conf.tls_ca_file,
+	    &srv->srv_conf.tls_ca_len, NULL)) == NULL)
+		return (-1);
+	log_debug("%s: using ca cert(s) from %s", __func__,
+	    srv->srv_conf.tls_ca_file);
+
+	return (0);
+}
+
+int
+server_tls_load_crl(struct server *srv)
+{
+	if ((srv->srv_conf.tls_flags & TLSFLAG_CA) == 0 ||
+	    srv->srv_conf.tls_crl_file == NULL)
+		return (0);
+
+	if ((srv->srv_conf.tls_crl = tls_load_file(
+	    srv->srv_conf.tls_crl_file,
+	    &srv->srv_conf.tls_crl_len, NULL)) == NULL)
+		return (-1);
+	log_debug("%s: using crl(s) from %s", __func__,
+	    srv->srv_conf.tls_crl_file);
+
+	return (0);
+}
+
+int
 server_tls_init(struct server *srv)
 {
 	struct server_config *srv_conf;
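Review bot: The new tls_flags comparison in server_tls_cmp does not extend to the CA and CRL file names this commit introduces, so two servers that both set TLSFLAG_CA but name different `tls_ca_file`/`tls_crl_file` values still compare equal. The function's role is not visible in the hunk, but if this comparison decides whether two servers may share one listener and one TLS configuration, such a mismatch would go unreported and clients of one server could end up verified against the other server's CA. A null-safe string comparison covers it: `if ((sc1->tls_ca_file == NULL) != (sc2->tls_ca_file == NULL) || (sc1->tls_ca_file != NULL && strcmp(sc1->tls_ca_file, sc2->tls_ca_file) != 0)) return (-1);`, with the same three lines repeated for tls_crl_file. server_tls_cmp starts before and ends after this hunk.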
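Review bot: server_tls_load_ca and server_tls_load_crl return -1 when tls_load_file fails without saying which file could not be read, while the success path logs the path at debug level; a failure at configuration time is exactly where the operator needs the path and the errno that tls_load_file leaves behind. Unless the caller, which is outside this hunk, already reports it, add `log_warn("%s: failed to load ca cert(s) from %s", __func__, srv->srv_conf.tls_ca_file);` before the `return (-1);` and the equivalent line for the CRL, matching the log_warnx style used in server_tls_init. Both functions also return 0 silently when TLSFLAG_CA is set but the file name is NULL; if the parser guarantees that the flag and the file name are always set together, a one-line comment such as `/* TLSFLAG_CA without a ca file is not a configuration the parser produces */` above the early return would make that dependency visible.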
@@ -264,6 +300,23 @@ server_tls_init(struct server *srv)
 		return (-1);
 	}
 
+	if (srv->srv_conf.tls_ca != NULL) {
+		if (tls_config_set_ca_mem(srv->srv_tls_config,
+		    srv->srv_conf.tls_ca, srv->srv_conf.tls_ca_len) != 0) {
+			log_warnx("%s: failed to add ca cert(s)", __func__);
+			return (-1);
+		}
+		if (tls_config_set_crl_mem(srv->srv_tls_config,
+		    srv->srv_conf.tls_crl, srv->srv_conf.tls_crl_len) != 0) {
+			log_warnx("%s: failed to add crl(s)", __func__);
+			return (-1);
+		}
+		if (srv->srv_conf.tls_flags & TLSFLAG_OPTIONAL)
+			tls_config_verify_client_optional(srv->srv_tls_config);
+		else
+			tls_config_verify_client(srv->srv_tls_config);
+	}
+
 	TAILQ_FOREACH(srv_conf, &srv->srv_hosts, entry) {
 		if (srv_conf->tls_cert == NULL || srv_conf->tls_key == NULL)
 			continue;
@@ -310,13 +363,19 @@ server_tls_init(struct server *srv)
 		return (-1);
 	}
 
-	/* We're now done with the public/private key... */
+	/* We're now done with the public/private key & ca/crl... */
 	tls_config_clear_keys(srv->srv_tls_config);
 	freezero(srv->srv_conf.tls_cert, srv->srv_conf.tls_cert_len);
 	freezero(srv->srv_conf.tls_key, srv->srv_conf.tls_key_len);
+	free(srv->srv_conf.tls_ca);
+	free(srv->srv_conf.tls_crl);
+	srv->srv_conf.tls_ca = NULL;
 	srv->srv_conf.tls_cert = NULL;
+	srv->srv_conf.tls_crl = NULL;
 	srv->srv_conf.tls_key = NULL;
+	srv->srv_conf.tls_ca_len = 0;
 	srv->srv_conf.tls_cert_len = 0;
+	srv->srv_conf.tls_crl_len = 0;
 	srv->srv_conf.tls_key_len = 0;
 
 	return (0);
@@ -422,7 +481,11 @@ void
 serverconfig_free(struct server_config *srv_conf)
 {
 	free(srv_conf->return_uri);
+	free(srv_conf->tls_ca_file);
+	free(srv_conf->tls_ca);
 	free(srv_conf->tls_cert_file);
+	free(srv_conf->tls_crl_file);
+	free(srv_conf->tls_crl);
 	free(srv_conf->tls_key_file);
 	free(srv_conf->tls_ocsp_staple_file);
 	free(srv_conf->tls_ocsp_staple);
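Review bot: In the new client-verification block of server_tls_init, tls_config_set_crl_mem is called whenever tls_ca is set, even when no CRL was configured and tls_crl is NULL with tls_crl_len 0; whether libtls treats that as "no CRL" rather than as an error is not visible here and should be confirmed, since a server with a CA but no CRL would otherwise fail to start with a misleading "failed to add crl(s)" message. If NULL is accepted, a comment such as `/* tls_crl may be NULL when no crl was configured */` above the call records the intent; if not, guard it with `if (srv->srv_conf.tls_crl != NULL)`. It is also worth a comment beside tls_config_verify_client_optional that with TLSFLAG_OPTIONAL the handshake completes without a client certificate, so any access decision taken later must check that a verified peer certificate was actually presented rather than assume one. server_tls_init starts and ends outside this hunk.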
@@ -435,8 +498,12 @@ serverconfig_reset(struct server_config *srv_conf)
 {
 	srv_conf->auth = NULL;
 	srv_conf->return_uri = NULL;
+	srv_conf->tls_ca = NULL;
+	srv_conf->tls_ca_file = NULL;
 	srv_conf->tls_cert = NULL;
 	srv_conf->tls_cert_file = NULL;
+	srv_conf->tls_crl = NULL;
+	srv_conf->tls_crl_file = NULL;
 	srv_conf->tls_key = NULL;
 	srv_conf->tls_key_file = NULL;
 	srv_conf->tls_ocsp_staple = NULL;
