/* mod_auth_sslcert * version 1.0, released 2007-01-04 * Anders Kaseorg * * This module does authentication based on SSL client certificates: * AuthType SSLCert * AuthSSLCertVar SSL_CLIENT_S_DN_Email * AuthSSLCertStripSuffix "@MIT.EDU" */ #include "apr_strings.h" #define APR_WANT_STRFUNC /* for strcasecmp */ #include "apr_want.h" #include "ap_config.h" #include "httpd.h" #include "http_config.h" #include "http_core.h" #include "http_log.h" #include "mod_auth.h" #include "mod_ssl.h" static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *ssl_var_lookup; typedef struct { char *dir; int authoritative; char *var; char *strip_suffix; } auth_sslcert_config_rec; static void *create_auth_sslcert_dir_config(apr_pool_t *p, char *d) { auth_sslcert_config_rec *conf = apr_pcalloc(p, sizeof(*conf)); conf->dir = d; /* Any failures are fatal. */ conf->authoritative = 1; conf->var = NULL; conf->strip_suffix = NULL; return conf; } static const command_rec auth_sslcert_cmds[] = { AP_INIT_FLAG("AuthSSLCertAuthoritative", ap_set_flag_slot, (void *)APR_OFFSETOF(auth_sslcert_config_rec, authoritative), OR_AUTHCFG, "Set to 'Off' to allow access control to be passed along to " "lower modules if the UserID is not known to this module"), AP_INIT_TAKE1("AuthSSLCertVar", ap_set_string_slot, (void*)APR_OFFSETOF(auth_sslcert_config_rec, var), OR_AUTHCFG, "SSL variable to use as the username"), AP_INIT_TAKE1("AuthSSLCertStripSuffix", ap_set_string_slot, (void*)APR_OFFSETOF(auth_sslcert_config_rec, strip_suffix), OR_AUTHCFG, "An optional suffix to strip from the username"), {NULL} }; module AP_MODULE_DECLARE_DATA auth_sslcert_module; static int authenticate_sslcert_user(request_rec *r) { auth_sslcert_config_rec *conf = ap_get_module_config(r->per_dir_config, &auth_sslcert_module); const char *current_auth; /* Are we configured to be SSLCert auth? */ current_auth = ap_auth_type(r); if (!current_auth || strcasecmp(current_auth, "SSLCert") != 0) { return DECLINED; } r->ap_auth_type = "SSLCert"; if (strcasecmp((char *)ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_VERIFY"), "SUCCESS") == 0) { if (conf->var == NULL) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "AuthSSLCertVar is not set: \"%s\"", r->uri); return HTTP_INTERNAL_SERVER_ERROR; } char *user = (char *)ssl_var_lookup(r->pool, r->server, r->connection, r, conf->var); if (user != NULL && user[0] != '\0') { if (conf->strip_suffix != NULL) { int i = strlen(user) - strlen(conf->strip_suffix); if (i >= 0 && strcasecmp(user + i, conf->strip_suffix) == 0) { r->user = apr_pstrmemdup(r->pool, user, i); return OK; } else { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "SSL username for \"%s\" has wrong suffix: \"%s\"", r->uri, r->user); } } else { r->user = user; return OK; } } else { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "no SSL username for \"%s\"", r->uri); } } else { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "SSL client not verified for \"%s\"", r->uri); } /* If we're not authoritative, then any error is ignored. */ if (!conf->authoritative) { return DECLINED; } ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "SSLCert authentication failure for \"%s\"", r->uri); return HTTP_UNAUTHORIZED; } static void import_ssl_var_lookup() { ssl_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup); } static void register_hooks(apr_pool_t *p) { ap_hook_check_user_id(authenticate_sslcert_user,NULL,NULL,APR_HOOK_MIDDLE); ap_hook_optional_fn_retrieve(import_ssl_var_lookup,NULL,NULL,APR_HOOK_MIDDLE); } module AP_MODULE_DECLARE_DATA auth_sslcert_module = { STANDARD20_MODULE_STUFF, create_auth_sslcert_dir_config, /* dir config creater */ NULL, /* dir merger --- default is to override */ NULL, /* server config */ NULL, /* merge server config */ auth_sslcert_cmds, /* command apr_table_t */ register_hooks /* register hooks */ };