From 528d82b219919244103aae6cdbef3eaa9ff7f55b Mon Sep 17 00:00:00 2001
From: stskeeps
Date: Sun, 2 Dec 2001 14:39:59 +0000
Subject: [PATCH] +- Added ssl-pubkey auth method (parameter = pem file for public key)

---
 Changes | 1 +
 include/auth.h | 11 ++++++-----
 src/auth.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 55 insertions(+), 6 deletions(-)

diff --git a/Changes b/Changes
index 2ea06024e..73336336a 100644
--- a/Changes
+++ b/Changes
@@ -959,3 +959,4 @@ seen. gmtime warning still there makefile.win32?. If SSL is enabled, we can use MD5, SHA1, and crypt() even on win32 - Added ssl.c and cidr.c to the win32 makefile
+- Added ssl-pubkey auth method (parameter = pem file for public key)
diff --git a/include/auth.h b/include/auth.h
index 17a7de9a8..8279dcd34 100644
--- a/include/auth.h
+++ b/include/auth.h
@@ -24,15 +24,16 @@ typedef struct {
 short type;
 } anAuthStruct;
-#define AUTHTYPE_PLAINTEXT 0
-#define AUTHTYPE_UNIXCRYPT 1
-#define AUTHTYPE_MD5 2
-#define AUTHTYPE_SHA1 3
-
+#define AUTHTYPE_PLAINTEXT 0
+#define AUTHTYPE_UNIXCRYPT 1
+#define AUTHTYPE_MD5 2
+#define AUTHTYPE_SHA1 3
+#define AUTHTYPE_SSL_PUBKEY 4
 #ifdef USE_SSL
 #define AUTHENABLE_MD5
 #define AUTHENABLE_SHA1
+#define AUTHENABLE_SSL_PUBKEY
 /* OpenSSL provides a crypt() */
 #ifndef AUTHENABLE_UNIXCRYPT
 #define AUTHENABLE_UNIXCRYPT
diff --git a/src/auth.c b/src/auth.c
index 220e8a99b..3a5c8b7b5 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -51,6 +51,9 @@ anAuthStruct AuthTypes[] = {
 #endif
 #ifdef AUTHENABLE_SHA1
 {"sha1", AUTHTYPE_SHA1},
+#endif
+#ifdef AUTHENABLE_SSL_PUBKEY
+ {"sslpubkey", AUTHTYPE_SSL_PUBKEY},
 #endif
 {NULL, 0}
 };
@@ -144,6 +147,12 @@ int Auth_Check(aClient *cptr, anAuthStruct *as, char *para)
 #endif
 #ifdef AUTHENABLE_SHA1
 SHA_CTX sha1_ctx;
+#endif
+#ifdef AUTHENABLE_SSL_PUBKEY
+ EVP_PKEY *evp_pkey = NULL;
+ EVP_PKEY *evp_pkeyfile = NULL;
+ X509 *x509_client = NULL;
+ FILE *key_file = NULL;
 #endif
 int i = 0;
 /* We can always use this .. */
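Review bot: In the include/auth.h hunk the four existing `AUTHTYPE_*` defines are deleted and re-added with only their spacing changed, so the one functional addition, `#define AUTHTYPE_SSL_PUBKEY 4`, is buried in a five-line rewrite that will also land in blame for every constant. Keeping the old lines untouched and adding just the new define reduces the hunk to a single added line. The new constant also carries no hint of what its parameter means, which only the commit subject explains; a one-line comment such as `#define AUTHTYPE_SSL_PUBKEY 4 /* parameter: path to a PEM public key file */` would keep that with the code.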
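Review bot: The config token registered in the AuthTypes hunk is `"sslpubkey"`, while the Changes entry and the commit subject call the method `ssl-pubkey`; assuming the auth-type lookup is an exact string compare against this table, an operator who follows the changelog will configure a name that is never matched and the method silently fails to apply. Either register the hyphenated spelling as well, or make the changelog line agree with the code: `- Added sslpubkey auth method (parameter = pem file for public key)`. The AuthTypes array begins outside the hunk.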
@@ -211,7 +220,45 @@ int Auth_Check(aClient *cptr, anAuthStruct *as, char *para)
 return -1;
 break;
 #endif
-
+#ifdef AUTHENABLE_SSL_PUBKEY
+ case AUTHTYPE_SSL_PUBKEY:
+ if (!para)
+ return -1;
+ if (!cptr->ssl)
+ return -1;
+ x509_client = SSL_get_peer_certificate(cptr->ssl);
+ if (!x509_client)
+ return -1;
+ evp_pkey = X509_get_pubkey(x509_client);
+ if (!(key_file = fopen(para, "r")))
+ {
+ EVP_PKEY_free(evp_pkey);
+ X509_free(x509_client);
+ return -1;
+ }
+ evp_pkeyfile = PEM_read_PUBKEY(key_file, NULL,
+ NULL, NULL);
+ if (!evp_pkeyfile)
+ {
+ fclose(key_file);
+ EVP_PKEY_free(evp_pkey);
+ X509_free(x509_client);
+ return -1;
+ }
+ if (!(EVP_PKEY_cmp_parameters(evp_pkeyfile, evp_pkey))
+ {
+ fclose(key_file);
+ EVP_PKEY_free(evp_pkey);
+ EVP_PKEY_free(evp_pkeyfile);
+ X509_free(x509_client);
+ return -1;
+ }
+ fclose(key_file);
+ EVP_PKEY_free(evp_pkey);
+ EVP_PKEY_free(evp_pkeyfile);
+ X509_free(x509_client);
+ return 2;
+#endif
 }
 }
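Review bot: The acceptance test `if (!(EVP_PKEY_cmp_parameters(evp_pkeyfile, evp_pkey))` decides authentication on the wrong comparison: by OpenSSL's semantics EVP_PKEY_cmp_parameters compares only key parameters (the DSA/DH group values), never the public key itself, and it returns a negative value when the key types differ or the type has no parameters, which `!(...)` treats as a match, so a client certificate of such a key type reaches `return 2` without its key ever being compared to the configured one. The check should compare the key material and accept only an explicit match, `if (EVP_PKEY_cmp(evp_pkeyfile, evp_pkey) != 1)`, and where the OpenSSL in use predates EVP_PKEY_cmp the public-key components must be compared directly rather than the parameters. That same line is also missing a closing parenthesis, so the hunk as committed does not compile. `evp_pkey = X509_get_pubkey(x509_client);` is never NULL-checked before it is freed and compared; add `if (!evp_pkey) { X509_free(x509_client); return -1; }` right after it. Auth_Check begins outside the hunk, and the cleanup ladder repeated in each failure branch would read more safely as a single exit label, though that is a style point.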