*) ssl_verify_client ask

author Igor Sysoev <igor@sysoev.ru>

Tue, 29 Jul 2008 14:29:02 +0000 (14:29 +0000)

committer Igor Sysoev <igor@sysoev.ru>

Tue, 29 Jul 2008 14:29:02 +0000 (14:29 +0000)
author Igor Sysoev <igor@sysoev.ru>
Tue, 29 Jul 2008 14:29:02 +0000 (14:29 +0000)
committer Igor Sysoev <igor@sysoev.ru>
Tue, 29 Jul 2008 14:29:02 +0000 (14:29 +0000)
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c

index 029d7dbfb68bb508908262fc6105d9929ccf642c..af54b50503f67c9ce92d81ad8003ff66527161ab 100644 (file)
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1884,7 +1884,7 @@ ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
  
  
  ngx_int_t
-ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
  {
      size_t   len;
      BIO     *bio;
@@ -1933,6 +1933,50 @@ failed:
  }
  
  
+ngx_int_t
+ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+    u_char      *p;
+    size_t       len;
+    ngx_uint_t   i;
+    ngx_str_t    cert;
+
+    if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    if (cert.len == 0) {
+        s->len = 0;
+        return NGX_OK;
+    }
+
+    len = cert.len - 1;
+
+    for (i = 0; i < cert.len - 1; i++) {
+        if (cert.data[i] == LF) {
+            len++;
+        }
+    }
+
+    s->len = len;
+    s->data = ngx_pnalloc(pool, len);
+    if (s->data == NULL) {
+        return NGX_ERROR;
+    }
+
+    p = s->data;
+
+    for (i = 0; i < len; i++) {
+        *p++ = cert.data[i];
+        if (cert.data[i] == LF) {
+            *p++ = '\t';
+        }
+    }
+
+    return NGX_OK;
+}
+
+
  ngx_int_t
  ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
  {
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h

index f5627701d57f2432ddb977825860106853a808a7..1e83606fd8f1d71ef20a8e15508500ed46685f8c 100644 (file)
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -121,6 +121,8 @@ ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool,
      ngx_str_t *s);
  ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool,
      ngx_str_t *s);
+ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool,
+    ngx_str_t *s);
  ngx_int_t ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool,
      ngx_str_t *s);
  ngx_int_t ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool,
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c

index c0f0fdadb5fd4d5e21885312afdc2adb7dcc41e2..26c3c67a143a57a54c16544c7c63fc085c1dd5f4 100644 (file)
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -49,6 +49,14 @@ static ngx_conf_bitmask_t  ngx_http_ssl_protocols[] = {
  };
  
  
+static ngx_conf_enum_t  ngx_http_ssl_verify[] = {
+    { ngx_string("off"), 0 },
+    { ngx_string("on"), 1 },
+    { ngx_string("ask"), 2 },
+    { ngx_null_string, 0 }
+};
+
+
  static ngx_command_t  ngx_http_ssl_commands[] = {
  
      { ngx_string("ssl"),
@@ -95,10 +103,10 @@ static ngx_command_t  ngx_http_ssl_commands[] = {
  
      { ngx_string("ssl_verify_client"),
        NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
-      ngx_conf_set_flag_slot,
+      ngx_conf_set_enum_slot,
        NGX_HTTP_SRV_CONF_OFFSET,
        offsetof(ngx_http_ssl_srv_conf_t, verify),
-      NULL },
+      &ngx_http_ssl_verify },
  
      { ngx_string("ssl_verify_depth"),
        NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
@@ -185,6 +193,10 @@ static ngx_http_variable_t  ngx_http_ssl_vars[] = {
      { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
        (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
  
+    { ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable,
+      (uintptr_t) ngx_ssl_get_raw_certificate,
+      NGX_HTTP_VAR_CHANGEABLE, 0 },
+
      { ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
        (uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
  
@@ -307,9 +319,9 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
       */
  
      sscf->enable = NGX_CONF_UNSET;
+    sscf->prefer_server_ciphers = NGX_CONF_UNSET;
      sscf->verify = NGX_CONF_UNSET;
      sscf->verify_depth = NGX_CONF_UNSET;
-    sscf->prefer_server_ciphers = NGX_CONF_UNSET;
      sscf->builtin_session_cache = NGX_CONF_UNSET;
      sscf->session_timeout = NGX_CONF_UNSET;
  
@@ -341,8 +353,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
                           (NGX_CONF_BITMASK_SET
                            |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
  
-    ngx_conf_merge_value(conf->verify, prev->verify, 0);
-    ngx_conf_merge_value(conf->verify_depth, prev->verify_depth, 1);
+    ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
+    ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
  
      ngx_conf_merge_str_value(conf->certificate, prev->certificate,
                           NGX_DEFLAUT_CERTIFICATE);
@@ -402,6 +414,13 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
      }
  
      if (conf->verify) {
+
+        if (conf->client_certificate.len == 0) {
+            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                          "no ssl_client_certificate for ssl_client_verify");
+            return NGX_CONF_ERROR;
+        }
+
          if (ngx_ssl_client_certificate(cf, &conf->ssl,
                                         &conf->client_certificate,
                                         conf->verify_depth)
diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h

index 74bf6e56eb98b58d92268cdcb212438d3ad471f9..2322d90c1e090032155d540139b921a27e6ba3d0 100644 (file)
--- a/src/http/modules/ngx_http_ssl_module.h
+++ b/src/http/modules/ngx_http_ssl_module.h
@@ -22,8 +22,8 @@ typedef struct {
  
      ngx_uint_t                      protocols;
  
-    ngx_int_t                       verify;
-    ngx_int_t                       verify_depth;
+    ngx_uint_t                      verify;
+    ngx_uint_t                      verify_depth;
  
      ssize_t                         builtin_session_cache;
  
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c

index 8dc562f28b229540d9bb4f25a8d41686e9ca59a3..9aad1a4870f84a5342f20054eb694d486b8c0c07 100644 (file)
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1446,7 +1446,7 @@ ngx_http_process_request(ngx_http_request_t *r)
  
          sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module);
  
-        if (sscf->verify) {
+        if (sscf->verify == 1) {
              rc = SSL_get_verify_result(c->ssl->connection);
  
              if (rc != X509_V_OK) {
author	Igor Sysoev <igor@sysoev.ru>
	Tue, 29 Jul 2008 14:29:02 +0000 (14:29 +0000)
committer	Igor Sysoev <igor@sysoev.ru>
	Tue, 29 Jul 2008 14:29:02 +0000 (14:29 +0000)
src/event/ngx_event_openssl.c		patch \| blob \| history
src/event/ngx_event_openssl.h		patch \| blob \| history
src/http/modules/ngx_http_ssl_module.c		patch \| blob \| history
src/http/modules/ngx_http_ssl_module.h		patch \| blob \| history
src/http/ngx_http_request.c		patch \| blob \| history