|
 |
ae961a |
From eb5ffe2641febe0fa5e9038f2e216c130e1e7519 Mon Sep 17 00:00:00 2001
|
|
|
ae961a |
From: Aki Tuomi <aki.tuomi@open-xchange.com>
|
|
|
ae961a |
Date: Mon, 21 Jan 2019 11:36:30 +0200
|
|
|
ae961a |
Subject: [PATCH] login-common: Ensure we get username from certificate
|
|
|
ae961a |
|
|
|
ae961a |
---
|
|
|
ae961a |
src/login-common/sasl-server.c | 42 ++++++++++++++++++++++++++++++++--
|
|
|
ae961a |
1 file changed, 40 insertions(+), 2 deletions(-)
|
|
|
ae961a |
|
|
|
ae961a |
diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
|
|
|
ae961a |
index a833c9a6d4..9465da9657 100644
|
|
|
ae961a |
--- a/src/login-common/sasl-server.c
|
|
|
ae961a |
+++ b/src/login-common/sasl-server.c
|
|
|
ae961a |
@@ -321,6 +321,37 @@ authenticate_callback(struct auth_client_request *request,
|
|
|
ae961a |
}
|
|
|
ae961a |
}
|
|
|
ae961a |
|
|
|
ae961a |
+static bool get_cert_username(struct client *client, const char **username_r,
|
|
|
ae961a |
+ const char **error_r)
|
|
|
ae961a |
+{
|
|
|
ae961a |
+ /* no SSL */
|
|
|
ae961a |
+ if (client->ssl_proxy == NULL) {
|
|
|
ae961a |
+ *username_r = NULL;
|
|
|
ae961a |
+ return TRUE;
|
|
|
ae961a |
+ }
|
|
|
ae961a |
+
|
|
|
ae961a |
+ /* no client certificate */
|
|
|
ae961a |
+ if (!ssl_proxy_has_valid_client_cert(client->ssl_proxy)) {
|
|
|
ae961a |
+ *username_r = NULL;
|
|
|
ae961a |
+ return TRUE;
|
|
|
ae961a |
+ }
|
|
|
ae961a |
+
|
|
|
ae961a |
+ /* get peer name */
|
|
|
ae961a |
+ const char *username = ssl_proxy_get_peer_name(client->ssl_proxy);
|
|
|
ae961a |
+
|
|
|
ae961a |
+ /* if we wanted peer name, but it was not there, fail */
|
|
|
ae961a |
+ if (client->set->auth_ssl_username_from_cert &&
|
|
|
ae961a |
+ (username == NULL || *username == '\0')) {
|
|
|
ae961a |
+ if (client->set->auth_ssl_require_client_cert) {
|
|
|
ae961a |
+ *error_r = "Missing username in certificate";
|
|
|
ae961a |
+ return FALSE;
|
|
|
ae961a |
+ }
|
|
|
ae961a |
+ }
|
|
|
ae961a |
+
|
|
|
ae961a |
+ *username_r = username;
|
|
|
ae961a |
+ return TRUE;
|
|
|
ae961a |
+}
|
|
|
ae961a |
+
|
|
|
ae961a |
void sasl_server_auth_begin(struct client *client,
|
|
|
ae961a |
const char *service, const char *mech_name,
|
|
|
ae961a |
const char *initial_resp_base64,
|
|
|
ae961a |
@@ -359,8 +390,15 @@ void sasl_server_auth_begin(struct client *client,
|
|
|
ae961a |
info.mech = mech->name;
|
|
|
ae961a |
info.service = service;
|
|
|
ae961a |
info.session_id = client_get_session_id(client);
|
|
|
ae961a |
- info.cert_username = client->ssl_proxy == NULL ? NULL :
|
|
|
ae961a |
- ssl_proxy_get_peer_name(client->ssl_proxy);
|
|
|
ae961a |
+ if (client->set->auth_ssl_username_from_cert) {
|
|
|
ae961a |
+ const char *error;
|
|
|
ae961a |
+ if (!get_cert_username(client, &info.cert_username, &error)) {
|
|
|
ae961a |
+ client_log_err(client, t_strdup_printf("Cannot get username "
|
|
|
ae961a |
+ "from certificate: %s", error));
|
|
|
ae961a |
+ sasl_server_auth_failed(client, "Unable to validate certificate");
|
|
|
ae961a |
+ return;
|
|
|
ae961a |
+ }
|
|
|
ae961a |
+ }
|
|
|
ae961a |
info.flags = client_get_auth_flags(client);
|
|
|
ae961a |
info.local_ip = client->local_ip;
|
|
|
ae961a |
info.remote_ip = client->ip;
|