diff -Naur osiris-4.0.3/src/libosirisctl/osirisctl.h osiris-4.0.3.patched/src/libosirisctl/osirisctl.h
--- osiris-4.0.3/src/libosirisctl/osirisctl.h 2004-04-30 03:58:22.000000000 +0200
+++ osiris-4.0.3.patched/src/libosirisctl/osirisctl.h 2004-09-30 14:51:16.000000000 +0200
@@ -32,7 +32,7 @@
 #define OSIRISCTL_H
-#define MAX_AUTH_USERNAME_LENGTH 20
+#define MAX_AUTH_USERNAME_LENGTH 256
 #define MAX_AUTH_PASSWORD_LENGTH 20
 #define MAX_HELLO_VERSION_LENGTH 20
diff -Naur osiris-4.0.3/src/osirismd/md_http.c osiris-4.0.3.patched/src/osirismd/md_http.c
--- osiris-4.0.3/src/osirismd/md_http.c 2004-04-26 15:21:36.000000000 +0200
+++ osiris-4.0.3.patched/src/osirismd/md_http.c 2004-09-30 14:51:07.000000000 +0200
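Review bot: Raising MAX_AUTH_USERNAME_LENGTH from 20 to 256 in a header shared through libosirisctl changes the size of whatever OSI_AUTH_CONTEXT field it presumably dimensions (md_http.c sizes its copy with `sizeof( auth_context.auth_user )`), so a daemon and a console built against different versions of this header would disagree on that layout if the structure is ever sent over the wire; whether it is cannot be seen from here and should be confirmed before mixing binaries. The reason for the new size is not recorded; I would add `/* large enough to hold an X.509 subject DN used as a user name (see md_http.c) */` beside the define.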
@@ -97,30 +97,51 @@
 char *host = NULL;
 char *base_db = NULL;
 char *logname = NULL;
+ X509 *peer;
 if( ( ssl == NULL ) || ( http_message == NULL ) )
 {
 return;
 }
- /* if this request does not have an authorization field. */
- /* we ask for it. */
-
- if( strstr( http_message, HTTP_AUTH_HEADER ) == NULL )
+ /* first check for strong authentication */
+ if ((peer = SSL_get_peer_certificate(ssl)))
 {
- osi_ssl_write_bytes( ssl, HTTP_AUTH_REQUEST,
- strlen( HTTP_AUTH_REQUEST ) );
- return;
+ char *dn = X509_NAME_oneline(X509_get_subject_name(peer), NULL, 0);
+ OSI_AUTH_CONTEXT auth_context;
+
+
+ memset( &auth_context, 0, sizeof( auth_context ) );
+ osi_strlcpy( auth_context.auth_user, dn,
+ sizeof( auth_context.auth_user ) );
+
+ if (md_auth_authenticate( &auth_context) == FALSE)
+ {
+ osi_strlcpy( response, "authorization failure.", sizeof( response ) );
+ goto exit_error;
+ }
 }
-
- /* we have an auth header; first, we must authorize this user. */
-
- if( http_request_is_authorized( http_message ) == FALSE )
+ else
 {
- osi_strlcpy( response, "authorization failure.",
- sizeof( response ) );
+ /* if this request does not have an authorization field. */
+ /* we ask for it. */
+
+ if( strstr( http_message, HTTP_AUTH_HEADER ) == NULL )
+ {
+ osi_ssl_write_bytes( ssl, HTTP_AUTH_REQUEST,
+ strlen( HTTP_AUTH_REQUEST ) );
+ return;
+ }
+
+ /* we have an auth header; first, we must authorize this user. */
+
+ if( http_request_is_authorized( http_message ) == FALSE )
+ {
+ osi_strlcpy( response, "authorization failure.",
+ sizeof( response ) );
- goto exit_error;
+ goto exit_error;
+ }
 }
 /* make a copy. */
diff -Naur osiris-4.0.3/src/osirismd/osirismd.c osiris-4.0.3.patched/src/osirismd/osirismd.c
--- osiris-4.0.3/src/osirismd/osirismd.c 2004-05-02 19:01:15.000000000 +0200
+++ osiris-4.0.3.patched/src/osirismd/osirismd.c 2004-09-30 14:52:02.000000000 +0200
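Review bot: The certificate branch treats any peer certificate the handshake accepted as a verified identity, but never checks `SSL_get_verify_result(ssl) == X509_V_OK`; whether an unverified chain can reach this point depends on what ssl_verify_callback returns, which is not visible here, so the subject DN should only be used as a user name after that check. In the same branch `peer` (a reference returned by SSL_get_peer_certificate) and `dn` (allocated by X509_NAME_oneline) are never released, so every certificate-authenticated request leaks both, and `dn` may be NULL when it is handed to osi_strlcpy. osi_strlcpy also silently truncates the DN to sizeof auth_user, so two subjects sharing a long prefix would map to the same user; refusing over-long DNs is safer than truncating them. Whether md_auth_authenticate accepts the zeroed auth_password for a DN-keyed user is not visible in this hunk and should be confirmed. The enclosing function starts before and ends after the hunk.
```c
    /* first check for strong authentication */
    if ((peer = SSL_get_peer_certificate(ssl)))
    {
        char *dn;
        OSI_AUTH_CONTEXT auth_context;

        /* a presented certificate is only an identity if its chain verified
         * against the root store; do not rely on the verify callback alone */
        if (SSL_get_verify_result(ssl) != X509_V_OK)
        {
            X509_free(peer);
            osi_strlcpy( response, "authorization failure.", sizeof( response ) );
            goto exit_error;
        }

        dn = X509_NAME_oneline(X509_get_subject_name(peer), NULL, 0);
        X509_free(peer);

        if (dn == NULL)
        {
            osi_strlcpy( response, "authorization failure.", sizeof( response ) );
            goto exit_error;
        }

        /* refuse rather than authenticate a truncated DN */
        if (strlen(dn) >= sizeof(auth_context.auth_user))
        {
            OPENSSL_free(dn);
            osi_strlcpy( response, "authorization failure.", sizeof( response ) );
            goto exit_error;
        }

        memset( &auth_context, 0, sizeof( auth_context ) );
        osi_strlcpy( auth_context.auth_user, dn, sizeof( auth_context.auth_user ) );
        OPENSSL_free(dn);

        if (md_auth_authenticate( &auth_context) == FALSE)
        {
            osi_strlcpy( response, "authorization failure.", sizeof( response ) );
            goto exit_error;
        }
    }
    /* … unchanged: else branch with the HTTP basic-auth handling … */
```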
@@ -66,6 +66,7 @@
 static void genrsa_cb( int p, int n, void *arg );
 extern osi_bool name_regex( const char *name, const char *pattern );
+#define FILE_ROOT_CERT "osiris_root.pem"
 /******************************************************************************
 **
@@ -919,6 +920,7 @@
 {
 int result;
 SSL_METHOD *method = NULL;
+ char *root_certs;
 bio_error = BIO_new_fp( stderr, BIO_NOCLOSE );
@@ -1030,6 +1032,13 @@
 halt( EXIT_CODE_ERROR );
 }
+ /* since client verification (strong authentication) is enabled via the
+ * SSL_VERIFY_PEER flag, a trusted root store must be given */
+ if ((root_certs = malloc(strlen(root_path) + strlen(FILE_ROOT_CERT) + 2)))
+ {
+ sprintf(root_certs, "%s/%s", root_path, FILE_ROOT_CERT);
+ SSL_CTX_load_verify_locations( ssl_context, root_certs, NULL );
+ }
 SSL_CTX_set_verify( ssl_context, SSL_VERIFY_PEER, ssl_verify_callback );
 SSL_CTX_set_verify_depth( ssl_context, OSIRISMD_SERVER_CERT_CHAIN_DEPTH );
 SSL_CTX_set_options( ssl_context, OSIRISMD_SSL_OPTIONS );
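Review bot: In the -1030 hunk the return value of `SSL_CTX_load_verify_locations` is ignored and a failed malloc silently skips the call altogether, so a missing or unreadable osiris_root.pem leaves the context with an empty trust store while SSL_VERIFY_PEER is still enabled; what follows depends on ssl_verify_callback, which is not visible here, but either every client certificate becomes unverifiable or, if the callback tolerates verification errors, unverifiable ones are accepted. The surrounding code already halts on fatal setup errors, so both failures should `halt( EXIT_CODE_ERROR )` after `ERR_print_errors( bio_error )`, and `root_certs` should be freed once loaded rather than leaked. Formatting with `snprintf` against the computed size would also make the length arithmetic self-checking. The enclosing function begins in the -919 hunk and continues past this one.
```c
    /* since client verification (strong authentication) is enabled via the
     * SSL_VERIFY_PEER flag, a trusted root store must be given; failing to
     * load it is fatal, otherwise no client certificate can be verified */
    {
        size_t root_certs_len = strlen(root_path) + strlen(FILE_ROOT_CERT) + 2;

        root_certs = malloc(root_certs_len);
        if (root_certs == NULL)
        {
            halt( EXIT_CODE_ERROR );
        }
        snprintf(root_certs, root_certs_len, "%s/%s", root_path, FILE_ROOT_CERT);

        if (SSL_CTX_load_verify_locations( ssl_context, root_certs, NULL ) != 1)
        {
            ERR_print_errors( bio_error );
            halt( EXIT_CODE_ERROR );
        }
        free(root_certs);
    }
    /* … unchanged: SSL_CTX_set_verify / SSL_CTX_set_verify_depth / SSL_CTX_set_options … */
```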