Ticket #921: lighttpd-1.4.13_ssl_client_verify_0.2.patch

lighttpd-1.4.13

@@ -265 +265 @@
         buffer *ssl_ca_file;
         buffer *ssl_cipher_list;
         unsigned short ssl_use_sslv2;
+        unsigned short ssl_verify_peer;
+        unsigned short ssl_verify_depth;
 
         unsigned short use_ipv6;
         unsigned short is_ssl;

src/configfile.c

@@ -89 +89 @@
                 { "server.core-files",           NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 45 */
                 { "ssl.cipher-list",             NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER },      /* 46 */
                 { "ssl.use-sslv2",               NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 47 */
+                { "ssl.verify-peer",             NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },     /* 48 */
+                { "ssl.verify-depth",            NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_SERVER },       /* 49 */
 
                 { "server.host",                 "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
                 { "server.docroot",              "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
@@ -155 +157 @@
                 s->max_write_idle = 360;
                 s->use_xattr     = 0;
                 s->is_ssl        = 0;
+                s->ssl_verify_peer = 0;
+                s->ssl_verify_depth = 9;
                 s->ssl_use_sslv2 = 1;
                 s->use_ipv6      = 0;
 #ifdef HAVE_LSTAT
@@ -206 +210 @@
 
                 cv[46].destination = s->ssl_cipher_list;
                 cv[47].destination = &(s->ssl_use_sslv2);
+                cv[48].destination = &(s->ssl_verify_peer);
+                cv[49].destination = &(s->ssl_verify_depth);
 
                 srv->config_storage[i] = s;
 
@@ -327 +333 @@
                                 PATCH(ssl_cipher_list);
                         } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.engine"))) {
                                 PATCH(is_ssl);
+                        } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verify-peer"))) {
+                                PATCH(ssl_verify_peer);
+                        } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verify-depth"))) {
+                                PATCH(ssl_verify_depth);
 #ifdef HAVE_LSTAT
                         } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("server.follow-symlink"))) {
                                 PATCH(follow_symlink);

src/connections.c

@@ -1320 +1320 @@
                                                 ERR_error_string(ERR_get_error(), NULL));
                                 return NULL;
                         }
+                        if (con->conf.ssl_verify_peer)
+                        {
+                                if(SSL_get_verify_result(con->ssl) != X509_V_OK)
+                                {
+                                        log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+                                                        ERR_error_string(ERR_get_error(), NULL));
+                                        return NULL;
+                                }
+                                
+                        }
                 }
 #endif
                 return con;

lighttpd-1.4.13

@@ -72 +72 @@
         buffer *b;
         int is_unix_domain_socket = 0;
         int fd;
+#ifdef USE_OPENSSL
+        pid_t pid;
+#endif
 
 #ifdef SO_ACCEPTFILTER
         struct accept_filter_arg afa;
@@ -359 +362 @@
                                                 ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
                                 return -1;
                         }
+                        if (s->ssl_verify_peer) {
+                                SSL_CTX_set_client_CA_list(
+                                        s->ssl_ctx, SSL_load_client_CA_file(s->ssl_ca_file->ptr));
+                        }
                 }
 
                 if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
@@ -380 +387 @@
                                         s->ssl_pemfile);
                         return -1;
                 }
+                
+                if (s->ssl_verify_peer) {
+                        SSL_CTX_set_verify(s->ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
+                        SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verify_depth);
+                }
+                
+                pid = getpid();
+                if (SSL_CTX_set_session_id_context(s->ssl_ctx, (void*)&pid, sizeof(pid)) != 1) {
+                        log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+                                        ERR_error_string(ERR_get_error(), NULL));
+                        return -1;
+                }
+                
                 SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
                 SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);