[0001]
[0002]
[0003]
[0004]
[0005]
[0006]
[0007]
[0008]
[0009]
[0010]
[0011]
[0012]
[0013]
[0014]
[0015]
[0016]
[0017]
[0018]
[0019]
[0020]
[0021]
[0022]
[0023]
[0024]
[0025]
[0026]
[0027]
[0028]
[0029]
[0030]
[0031]
[0032]
[0033]
[0034]
[0035]
[0036]
[0037]
[0038]
[0039]
[0040]
[0041]
[0042]
[0043]
[0044]
[0045]
[0046]
[0047]
[0048]
[0049]
[0050]
[0051]
[0052]
[0053]
[0054]
[0055]
[0056]
[0057]
[0058]
[0059]
[0060]
[0061]
[0062]
[0063]
[0064]
[0065]
[0066]
[0067]
[0068]
[0069]
[0070]
[0071]
[0072]
[0073]
[0074]
[0075]
[0076]
[0077]
[0078]
[0079]
[0080]
[0081]
[0082]
[0083]
[0084]
[0085]
[0086]
[0087]
[0088]
[0089]
[0090]
[0091]
[0092]
[0093]
[0094]
[0095]
[0096]
[0097]
[0098]
[0099]
[0100]
[0101]
[0102]
[0103]
[0104]
[0105]
[0106]
[0107]
[0108]
[0109]
[0110]
[0111]
[0112]
[0113]
[0114]
[0115]
[0116]
[0117]
[0118]
[0119]
[0120]
[0121]
[0122]
[0123]
[0124]
[0125]
[0126]
[0127]
[0128]
[0129]
[0130]
[0131]
[0132]
[0133]
[0134]
[0135]
[0136]
[0137]
[0138]
[0139]
[0140]
[0141]
[0142]
[0143]
[0144]
[0145]
[0146]
[0147]
[0148]
[0149]
[0150]
[0151]
[0152]
[0153]
[0154]
[0155]
[0156]
[0157]
[0158]
[0159]
[0160]
[0161]
[0162]
[0163]
[0164]
[0165]
[0166]
[0167]
[0168]
[0169]
[0170]
[0171]
[0172]
[0173]
[0174]
[0175]
[0176]
[0177]
[0178]
[0179]
[0180]
[0181]
[0182]
[0183]
[0184]
[0185]
[0186]
[0187]
[0188]
[0189]
[0190]
[0191]
[0192]
[0193]
[0194]
[0195]
[0196]
[0197]
[0198]
[0199]
[0200]
[0201]
[0202]
[0203]
[0204]
[0205]
[0206]
[0207]
[0208]
[0209]
[0210]
[0211]
[0212]
[0213]
[0214]
[0215]
[0216]
[0217]
[0218]
[0219]
[0220]
[0221]
[0222]
[0223]
[0224]
[0225]
[0226]
[0227]
[0228]
[0229]
[0230]
[0231]
[0232]
[0233]
[0234]
[0235]
[0236]
[0237]
[0238]
[0239]
[0240]
[0241]
[0242]
[0243]
[0244]
[0245]
[0246]
[0247]
[0248]
[0249]
[0250]
[0251]
[0252]
[0253]
[0254]
[0255]
[0256]
[0257]
[0258]
[0259]
[0260]
[0261]
[0262]
[0263]
[0264]
[0265]
[0266]
[0267]
[0268]
[0269]
[0270]
[0271]
[0272]
[0273]
[0274]
[0275]
[0276]
[0277]
[0278]
[0279]
[0280]
[0281]
[0282]
[0283]
[0284]
[0285]
[0286]
[0287]
[0288]
[0289]
[0290]
[0291]
[0292]
[0293]
[0294]
[0295]
[0296]
[0297]
[0298]
[0299]
[0300]
[0301]
[0302]
[0303]
[0304]
[0305]
[0306]
[0307]
[0308]
[0309]
[0310]
[0311]
[0312]
[0313]
[0314]
[0315]
[0316]
[0317]
[0318]
[0319]
[0320]
[0321]
[0322]
[0323]
[0324]
[0325]
[0326]
[0327]
[0328]
[0329]
[0330]
[0331]
[0332]
[0333]
[0334]
[0335]
[0336]
[0337]
[0338]
[0339]
[0340]
[0341]
[0342]
[0343]
[0344]
[0345]
[0346]
[0347]
[0348]
[0349]
[0350]
[0351]
[0352]
[0353]
[0354]
[0355]
[0356]
[0357]
[0358]
[0359]
[0360]
[0361]
[0362]
[0363]
[0364]
[0365]
[0366]
[0367]
[0368]
[0369]
[0370]
[0371]
[0372]
[0373]
[0374]
[0375]
[0376]
[0377]
[0378]
[0379]
[0380]
[0381]
[0382]
[0383]
[0384]
[0385]
[0386]
[0387]
[0388]
[0389]
[0390]
[0391]
[0392]
[0393]
[0394]
[0395]
[0396]
[0397]
[0398]
[0399]
[0400]
[0401]
[0402]
[0403]
[0404]
[0405]
[0406]
[0407]
[0408]
[0409]
[0410]
[0411]
[0412]
[0413]
[0414]
[0415]
[0416]
[0417]
[0418]
[0419]
[0420]
[0421]
[0422]
[0423]
[0424]
[0425]
[0426]
[0427]
[0428]
[0429]
[0430]
[0431]
[0432]
[0433]
[0434]
[0435]
[0436]
[0437]
[0438]
[0439]
[0440]
[0441]
[0442]
[0443]
[0444]
[0445]
[0446]
[0447]
[0448]
[0449]
[0450]
[0451]
[0452]
[0453]
[0454]
[0455]
[0456]
[0457]
[0458]
[0459]
[0460]
[0461]
[0462]
[0463]
[0464]
[0465]
[0466]
[0467]
[0468]
[0469]
[0470]
[0471]
[0472]
[0473]
[0474]
[0475]
[0476]
[0477]
[0478]
[0479]
[0480]
[0481]
[0482]
[0483]
[0484]
[0485]
[0486]
[0487]
[0488]
[0489]
[0490]
[0491]
[0492]
[0493]
[0494]
[0495]
[0496]
[0497]
[0498]
[0499]
[0500]
[0501]
[0502]
[0503]
[0504]
[0505]
[0506]
[0507]
[0508]
[0509]
[0510]
[0511]
[0512]
[0513]
[0514]
[0515]
[0516]
[0517]
[0518]
[0519]
[0520]
[0521]
[0522]
[0523]
[0524]
[0525]
[0526]
[0527]
[0528]
[0529]
[0530]
[0531]
[0532]
[0533]
[0534]
[0535]
[0536]
[0537]
[0538]
[0539]
[0540]
[0541]
[0542]
[0543]
[0544]
[0545]
[0546]
[0547]
[0548]
[0549]
[0550]
[0551]
[0552]
[0553]
[0554]
[0555]
[0556]
[0557]
[0558]
[0559]
[0560]
[0561]
[0562]
[0563]
[0564]
[0565]
[0566]
[0567]
[0568]
[0569]
[0570]
[0571]
[0572]
[0573]
[0574]
[0575]
[0576]
[0577]
[0578]
[0579]
[0580]
[0581]
[0582]
[0583]
[0584]
[0585]
[0586]
[0587]
[0588]
[0589]
[0590]
[0591]
[0592]
[0593]
[0594]
[0595]
[0596]
[0597]
[0598]
[0599]
[0600]
[0601]
[0602]
[0603]
[0604]
[0605]
[0606]
[0607]
[0608]
[0609]
[0610]
[0611]
[0612]
[0613]
[0614]
[0615]
[0616]
[0617]
[0618]
[0619]
[0620]
[0621]
[0622]
[0623]
[0624]
[0625]
[0626]
[0627]
[0628]
[0629]
[0630]
[0631]
[0632]
[0633]
[0634]
[0635]
[0636]
[0637]
[0638]
[0639]
[0640]
[0641]
[0642]
[0643]
[0644]
[0645]
[0646]
[0647]
[0648]
[0649]
[0650]
[0651]
[0652]
[0653]
[0654]
[0655]
[0656]
[0657]
[0658]
[0659]
[0660]
[0661]
[0662]
[0663]
[0664]
[0665]
[0666]
[0667]
[0668]
[0669]
[0670]
[0671]
[0672]
[0673]
[0674]
[0675]
[0676]
[0677]
[0678]
[0679]
[0680]
[0681]
[0682]
[0683]
[0684]
[0685]
[0686]
[0687]
[0688]
[0689]
[0690]
[0691]
[0692]
[0693]
[0694]
[0695]
[0696]
[0697]
[0698]
[0699]
[0700]
[0701]
[0702]
[0703]
[0704]
[0705]
[0706]
[0707]
[0708]
[0709]
[0710]
[0711]
[0712]
[0713]
[0714]
[0715]
[0716]
[0717]
[0718]
[0719]
[0720]
[0721]
[0722]
[0723]
[0724]
[0725]
[0726]
[0727]
[0728]
[0729]
[0730]
[0731]
[0732]
[0733]
[0734]
[0735]
[0736]
[0737]
[0738]
[0739]
[0740]
[0741]
[0742]
[0743]
[0744]
[0745]
[0746]
[0747]
[0748]
[0749]
[0750]
[0751]
[0752]
[0753]
[0754]
[0755]
[0756]
[0757]
[0758]
[0759]
[0760]
[0761]
[0762]
[0763]
[0764]
[0765]
[0766]
[0767]
[0768]
[0769]
[0770]
[0771]
[0772]
[0773]
[0774]
[0775]
[0776]
[0777]
[0778]
[0779]
[0780]
[0781]
[0782]
[0783]
[0784]
[0785]
[0786]
[0787]
[0788]
[0789]
[0790]
[0791]
[0792]
[0793]
[0794]
[0795]
[0796]
[0797]
[0798]
[0799]
[0800]
[0801]
[0802]
[0803]
[0804]
[0805]
[0806]
[0807]
[0808]
[0809]
[0810]
[0811]
[0812]
[0813]
[0814]
[0815]
[0816]
[0817]
[0818]
[0819]
[0820]
[0821]
[0822]
[0823]
[0824]
[0825]
[0826]
[0827]
[0828]
[0829]
[0830]
[0831]
[0832]
[0833]
[0834]
[0835]
[0836]
[0837]
[0838]
[0839]
[0840]
[0841]
[0842]
[0843]
[0844]
[0845]
[0846]
[0847]
[0848]
[0849]
[0850]
[0851]
[0852]
[0853]
[0854]
[0855]
[0856]
[0857]
[0858]
[0859]
[0860]
[0861]
[0862]
[0863]
[0864]
[0865]
[0866]
[0867]
[0868]
[0869]
[0870]
[0871]
[0872]
[0873]
[0874]
[0875]
[0876]
[0877]
[0878]
[0879]
[0880]
[0881]
[0882]
[0883]
[0884]
[0885]
[0886]
[0887]
[0888]
[0889]
[0890]
[0891]
[0892]
[0893]
[0894]
[0895]
[0896]
[0897]
[0898]
[0899]
[0900]
[0901]
[0902]
[0903]
[0904]
[0905]
[0906]
[0907]
[0908]
[0909]
[0910]
[0911]
[0912]
[0913]
[0914]
[0915]
[0916]
[0917]
[0918]
[0919]
[0920]
[0921]
[0922]
[0923]
[0924]
[0925]
[0926]
[0927]
[0928]
[0929]
[0930]
[0931]
[0932]
[0933]
[0934]
[0935]
[0936]
[0937]
[0938]
[0939]
[0940]
[0941]
[0942]
[0943]
[0944]
[0945]
[0946]
[0947]
[0948]
[0949]
[0950]
[0951]
[0952]
[0953]
[0954]
[0955]
[0956]
[0957]
[0958]
[0959]
[0960]
[0961]
[0962]
[0963]
[0964]
[0965]
[0966]
[0967]
[0968]
[0969]
[0970]
[0971]
[0972]
[0973]
[0974]
[0975]
[0976]
[0977]
[0978]
[0979]
[0980]
[0981]
[0982]
[0983]
[0984]
[0985]
[0986]
[0987]
[0988]
[0989]
[0990]
[0991]
[0992]
[0993]
[0994]
[0995]
[0996]
[0997]
[0998]
[0999]
[1000]
[1001]
[1002]
[1003]
[1004]
[1005]
[1006]
[1007]
[1008]
[1009]
[1010]
[1011]
[1012]
[1013]
[1014]
[1015]
[1016]
[1017]
[1018]
[1019]
[1020]
[1021]
[1022]
[1023]
[1024]
[1025]
[1026]
[1027]
[1028]
[1029]
[1030]
[1031]
[1032]
[1033]
[1034]
[1035]
[1036]
[1037]
[1038]
[1039]
[1040]
[1041]
[1042]
[1043]
[1044]
[1045]
[1046]
[1047]
[1048]
[1049]
[1050]
[1051]
[1052]
[1053]
[1054]
[1055]
[1056]
[1057]
[1058]
[1059]
[1060]
[1061]
[1062]
[1063]
[1064]
[1065]
[1066]
[1067]
[1068]
[1069]
[1070]
[1071]
[1072]
[1073]
[1074]
[1075]
[1076]
[1077]
[1078]
[1079]
[1080]
[1081]
[1082]
[1083]
[1084]
[1085]
[1086]
[1087]
[1088]
[1089]
[1090]
[1091]
[1092]
[1093]
[1094]
[1095]
[1096]
[1097]
[1098]
[1099]
[1100]
[1101]
[1102]
[1103]
[1104]
[1105]
[1106]
[1107]
[1108]
[1109]
[1110]
[1111]
[1112]
[1113]
[1114]
[1115]
[1116]
[1117]
[1118]
[1119]
[1120]
[1121]
[1122]
[1123]
[1124]
[1125]
[1126]
[1127]
[1128]
[1129]
[1130]
[1131]
[1132]
[1133]
[1134]
[1135]
[1136]
[1137]
[1138]
[1139]
[1140]
[1141]
[1142]
[1143]
[1144]
[1145]
[1146]
[1147]
[1148]
[1149]
[1150]
[1151]
[1152]
[1153]
[1154]
[1155]
[1156]
[1157]
[1158]
[1159]
[1160]
[1161]
[1162]
[1163]
[1164]
[1165]
[1166]
[1167]
[1168]
[1169]
[1170]
[1171]
[1172]
[1173]
[1174]
[1175]
[1176]
[1177]
[1178]
[1179]
[1180]
[1181]
[1182]
[1183]
[1184]
[1185]
[1186]
[1187]
[1188]
[1189]
[1190]
[1191]
[1192]
[1193]
[1194]
[1195]
[1196]
[1197]
[1198]
[1199]
[1200]
[1201]
[1202]
[1203]
[1204]
[1205]
[1206]
[1207]
[1208]
[1209]
[1210]
[1211]
[1212]
[1213]
[1214]
[1215]
[1216]
[1217]
[1218]
[1219]
[1220]
[1221]
[1222]
[1223]
[1224]
[1225]
[1226]
[1227]
[1228]
[1229]
[1230]
[1231]
[1232]
[1233]
[1234]
[1235]
[1236]
[1237]
[1238]
[1239]
[1240]
[1241]
[1242]
[1243]
[1244]
[1245]
[1246]
[1247]
[1248]
[1249]
[1250]
[1251]
[1252]
[1253]
[1254]
[1255]
[1256]
[1257]
[1258]
[1259]
[1260]
[1261]
[1262]
[1263]
[1264]
[1265]
[1266]
[1267]
[1268]
[1269]
[1270]
[1271]
[1272]
[1273]
[1274]
[1275]
[1276]
[1277]
[1278]
[1279]
[1280]
[1281]
[1282]
[1283]
[1284]
[1285]
[1286]
[1287]
[1288]
[1289]
[1290]
[1291]
[1292]
[1293]
[1294]
[1295]
[1296]
[1297]
[1298]
[1299]
[1300]
[1301]
[1302]
[1303]
[1304]
[1305]
[1306]
[1307]
[1308]
[1309]
[1310]
[1311]
[1312]
[1313]
[1314]
[1315]
[1316]
[1317]
[1318]
[1319]
[1320]
[1321]
[1322]
[1323]
[1324]
[1325]
[1326]
[1327]
[1328]
[1329]
[1330]
[1331]
[1332]
[1333]
[1334]
[1335]
[1336]
[1337]
[1338]
[1339]
[1340]
[1341]
[1342]
[1343]
[1344]
[1345]
[1346]
[1347]
[1348]
[1349]
[1350]
[1351]
[1352]
[1353]
[1354]
[1355]
[1356]
[1357]
[1358]
[1359]
[1360]
[1361]
[1362]
[1363]
[1364]
[1365]
[1366]
[1367]
[1368]
[1369]
[1370]
[1371]
[1372]
[1373]
[1374]
[1375]
[1376]
[1377]
[1378]
[1379]
[1380]
[1381]
[1382]
[1383]
[1384]
[1385]
[1386]
[1387]
[1388]
[1389]
[1390]
[1391]
[1392]
[1393]
[1394]
[1395]
[1396]
[1397]
[1398]
[1399]
[1400]
[1401]
[1402]
[1403]
[1404]
[1405]
[1406]
[1407]
[1408]
[1409]
[1410]
[1411]
[1412]
[1413]
[1414]
[1415]
[1416]
[1417]
[1418]
[1419]
[1420]
[1421]
[1422]
[1423]
[1424]
[1425]
[1426]
[1427]
[1428]
[1429]
[1430]
[1431]
[1432]
[1433]
[1434]
[1435]
[1436]
[1437]
[1438]
[1439]
[1440]
[1441]
[1442]
[1443]
[1444]
[1445]
[1446]
[1447]
[1448]
[1449]
[1450]
[1451]
[1452]
[1453]
[1454]
[1455]
[1456]
[1457]
[1458]
[1459]
[1460]
[1461]
[1462]
[1463]
[1464]
[1465]
[1466]
[1467]
[1468]
[1469]
[1470]
[1471]
[1472]
[1473]
[1474]
[1475]
[1476]
[1477]
[1478]
[1479]
[1480]
[1481]
[1482]
[1483]
[1484]
[1485]
[1486]
[1487]
[1488]
[1489]
[1490]
[1491]
[1492]
[1493]
[1494]
[1495]
[1496]
[1497]
[1498]
[1499]
[1500]
[1501]
[1502]
[1503]
[1504]
[1505]
[1506]
[1507]
[1508]
[1509]
[1510]
[1511]
[1512]
[1513]
[1514]
[1515]
[1516]
[1517]
[1518]
[1519]
[1520]
[1521]
[1522]
[1523]
[1524]
[1525]
[1526]
[1527]
[1528]
[1529]
[1530]
[1531]
[1532]
[1533]
/*****************************************************************************/
/*
SesolaClient.c
Secure Sockets Layer client (peer) certificate.
VERSION HISTORY
---------------
10-AUG-2020 MGD SesolaClientCert() propagate connect cert into client cert
SesolaClientCertEnd() both HTTP/1.n and HTTP/2
17-MAY-2020 MGD bugfix; SesolaClientCertGet() SSL_VERIFY_POST_HANDSHAKE
19-JUN-2019 MGD bugfix; SesolaClientCertGet() status 0 an issue
bugfix; SesolaClientCertGet() if (value <= 0) break;
17-APR-2019 MGD bugfix; SesolaClientCert() allow pattern per 25-AUG-2015
10-OCT-2018 MGD SesolaClientCertGet() retrieves the client certificate
by renegotiation for TLSv1.2 and earlier, or post
handshake for TVSv1.3 and later
27-JUL-2018 MGD bugfix; X509_free() memory leak with ->ClientCertPtr
26-JAN-2018 MGD SesolaClientCertUserName()
10-JUN-2017 MGD SesolaClientCertRenegotiate() allow for pre- and post-
OpenSSL 1.1.0 due to MSIE11 (Edge) stalling on a read
after renegotiation (pre reverts to v11.0 and earlier code)
bugfix; SesolaClientCertConditional() 'IS' processing
bugfix; SesolaClientCertRenegotiate() allow for low-level
(i.e. SSL) I/O errors (e.g. link disconnection)
23-JUL-2016 MGD SesolaClientCertRenegotiate() rework due to OpenSSL v1.1.0
08-JUL-2016 MGD bugfix; SesolaClientCert() move X509 RENEGOTIATE switch
HTTP/2 to HTTP/1.1 after SSL_get_peer_certificate()
05-JUN-2016 MGD bugfix; SesolaClientCertRenegotiate() ensure application
data is cleared before renegotiate initiated
11-MAY-2016 MGD bugfix; SesolaClientCert() just return status
20-DEC-2015 MGD SesolaClientCertMetaCon()
27-SEP-2015 MGD SesolaClientCert() if SesolaCertParseDn() does not return
the user DN record then try SesolaCertExtension()
SesolaClientCert() display client certificate extensions
25-AUG-2015 MGD [ru:/CN=<pattern>] allows multiple to be selected between
(e.g. "[ru:/CN=user*]", "[ru:/CN=^^\[^/=\]*$]" )
[ru:..] escape characters using '\' (especially ']')
07-JUL-2013 MGD SesolaWatchErrors() during renegotiation
21-AUG-2004 MGD significant refinements to SSL processing
22-JUL-2004 MGD SesolaClientCert() call RequestEnd() instead of
SesolaNetSesolaClientCert() on network read/write error
14-JAN-2003 MGD DN record /email and /emailAddress
28-AUG-2002 MGD add SHA1 fingerprint (everybody else has it ;^)
07-APR-2002 MGD bugfix; SesolaClientCert() call SesolaNetRequestEnd()
after network error for v8.0 SesolaNet..() support
28-FEB-2002 MGD bugfix; SesolaRenegotiateClientCert()
reset SSL state to SSL_ST_OK if renegotiation fails
21-OCT-2001 MGD rework SESOLA.C
*/
/*****************************************************************************/
#ifdef WASD_VMS_V7
#undef _VMS__V6__SOURCE
#define _VMS__V6__SOURCE
#undef __VMS_VER
#define __VMS_VER 70000000
#undef __CRTL_VER
#define __CRTL_VER 70000000
#endif
/* standard C header files */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* VMS related header files */
#include <ssdef.h>
#include <stsdef.h>
/* application header files */
#define SESOLA_REQUIRED
#include "Sesola.h"
#define WASD_MODULE "SESOLACLIENT"
/***************************************/
#ifdef SESOLA /* secure sockets layer */
/***************************************/
/********************/
/* external storage */
/********************/
extern int ExitStatus,
OpcomMessages,
SesolaVerifyPeerDataMax;
extern char ErrorSanityCheck[],
SoftwareID[];
extern uchar SesolaSessionId[16];
extern WATCH_STRUCT Watch;
/*****************************************************************************/
/*
This function is used for two purposes, authorization via a client certificate,
and just getting the client certificate (for reports, etc.)
Get the client certificate associated with the request. If none is available
on the first call then initiate an SSL renegotiation with the client to supply
one.
If not authorizing using this certificate then just call the original AST to
return the certificate via 'rqptr->NetIoPtr->SesolaPtr->ClientCertPtr' (or of
course no certificate if the pointer is NULL).
When authorizing (SESOLA_VERIFY_PEER_AUTH) and a certificate is available
(either on first call, i.e. session cached, or after renegotiation) then get a
fingerprint of the certificate that can be used to identify the client user.
Setting 'VerifyParam' to SESOLA_VERIFY_PEER_NONE (aka SSL_VERIFY_NONE) can be
used to "logout" the client from it's current authorization, allowing another
certficiate to be selected and used (via "?httpd=logout"). If a certificate is
available this function generates all the appropriate authorization, user
detail and certificate information.
Values that can be passed via the 'VerifyMode' argument.
SESOLA_VERIFY_PEER_AUTH verify the cert, fail, use for WASD authentication
SESOLA_VERIFY_PEER_NONE renegotiate without peer verification
SESOLA_VERIFY_PEER_OPTIONAL get and verify the certificate (continue on fail)
SESOLA_VERIFY_PEER_REQUIRED abort the connection if the cert does not verify
*/
int SesolaClientCert
(
REQUEST_STRUCT *rqptr,
int VerifyParam,
REQUEST_AST AstFunction
)
{
int status, number, value, version,
SessionHits,
SessionTimeout,
SessionTimeCSec,
SessionTimeoutCSec,
VerifyMode,
WatchThisType;
char *aptr, *cptr, *sptr, *zptr,
*CurrentPtr,
*DigestTypePtr;
char AuthFingerprint [64],
CertFingerprintMD5 [64],
CertFingerprintSHA1 [64],
CertFingerprintSHA256 [128],
CertIssuer [512],
CertSubject [512],
String [256],
TimeString [32],
TimeoutString [32],
UserDetails [256];
SESOLA_STRUCT *sesolaptr;
SSL_SESSION *SessionPtr;
struct tm *tmptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA,
"SesolaClientCert() !&A !UL", AstFunction, VerifyParam);
/* network errors? */
if (rqptr->NetIoPtr->ReadStatus &&
VMSnok (rqptr->NetIoPtr->ReadStatus))
return (rqptr->NetIoPtr->ReadStatus);
if (rqptr->NetIoPtr->WriteStatus &&
VMSnok (rqptr->NetIoPtr->WriteStatus))
return (rqptr->NetIoPtr->WriteStatus);
if (HTTP2_REQUEST(rqptr))
sesolaptr = rqptr->Http2Stream.Http2Ptr->NetIoPtr->SesolaPtr;
else
sesolaptr = (SESOLA_STRUCT*)rqptr->NetIoPtr->SesolaPtr;
version = SSL_version (sesolaptr->SslPtr);
SessionPtr = SSL_get_session (sesolaptr->SslPtr);
if (VerifyParam != SESOLA_VERIFY_AST)
{
/* initial call, not AST delivery - must have an AST address */
if (!AstFunction)
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
/* set the peer verification type */
sesolaptr->CertVerifyMode = VerifyParam;
}
/* mask off any WASD-specific bits */
VerifyMode = sesolaptr->CertVerifyMode & SESOLA_VERIFY_PEER_MASK;
if (sesolaptr->CertVerifyMode == SESOLA_VERIFY_PEER_AUTH)
{
/*****************/
/* authorization */
/*****************/
/*
Check for directives about how to make the verification.
We must do this every time, whether or not an actual renegotiation
will take place, to set things like session timeouts, etc.
I've tried to make it as efficient as possible.
*/
if ((cptr = rqptr->rqAuth.PathParameterPtr)[0])
{
while (*cptr)
{
while (*cptr && *cptr != '[')
{
if (cptr[0] == '\\' && cptr[1]) cptr++;
if (*cptr) cptr++;
}
if (!*cptr) break;
switch (*(ULONGPTR)cptr)
{
case '[dp:' :
case '[DP:' :
/*****************************/
/* set CA verification depth */
/*****************************/
cptr += sizeof(unsigned long);
if (isdigit (*cptr) || *cptr == '-')
{
number = atoi(cptr);
SSL_set_verify_depth (sesolaptr->SslPtr, number);
}
break;
case '[lt:' :
case '[LT:' :
/************************/
/* set session lifetime */
/************************/
cptr += sizeof(unsigned long);
if (MATCH4 (cptr, "expi") ||
MATCH4 (cptr, "EXPI"))
sesolaptr->SessionTimeoutMinutes = -1;
else
if (isdigit (*cptr) || *cptr == '-')
sesolaptr->SessionLifetimeMinutes = atoi(cptr);
break;
case '[ru:' :
case '[RU:' :
/***************************/
/* source or 'remote-user' */
/***************************/
zptr = (sptr = sesolaptr->X509RemoteUserDnRecord) +
sizeof(sesolaptr->X509RemoteUserDnRecord)-1;
cptr += 4;
while (*cptr && !ISLWS(*cptr) && *cptr != ']' && sptr < zptr)
{
if (cptr[0] == '\\' && cptr[1]) cptr++;
*sptr++ = *cptr++;
}
*sptr = '\0';
break;
case '[to:' :
case '[TO:' :
/***********************/
/* set session timeout */
/***********************/
cptr += sizeof(unsigned long);
if (MATCH4 (cptr, "expi") ||
MATCH4 (cptr, "EXPI"))
sesolaptr->SessionTimeoutMinutes = -1;
else
if (isdigit (*cptr) || *cptr == '-')
sesolaptr->SessionTimeoutMinutes = atoi(cptr);
break;
case '[vf:' :
case '[VF:' :
/************************************/
/* type of client cert verification */
/************************************/
cptr += sizeof(unsigned long);
switch (*(ULONGPTR)cptr)
{
case 'none' :
case 'NONE' :
/* [VF:NONE] */
VerifyMode = SSL_VERIFY_NONE;
break;
case 'opti' :
case 'OPTI' :
/* [VF:OPTIONAL] */
sesolaptr->X509optionalNoCa = true;
VerifyMode = SSL_VERIFY_PEER;
break;
case 'requ' :
case 'REQU' :
/* [VF:REQUIRED] */
VerifyMode = SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
break;
}
#if SESOLA_SINCE_111
if (version >= TLS1_3_VERSION)
VerifyMode |= SSL_VERIFY_POST_HANDSHAKE;
#endif
break;
default :
/* encountered some other directive, note it's location */
sesolaptr->X509ConditionalPtr = cptr;
/* this *must* be done after the notation! */
cptr += sizeof(unsigned long);
}
}
}
}
/* if the rule wants it pre-expired then ignore any cached certificate */
if (sesolaptr->SessionTimeoutMinutes < 0 &&
VerifyParam != SESOLA_VERIFY_AST)
{
if (sesolaptr->ClientCertPtr) X509_free (sesolaptr->ClientCertPtr);
sesolaptr->ClientCertPtr = NULL;
}
else
if (sesolaptr->CertVerifyMode == SESOLA_VERIFY_PEER_NONE)
{
if (sesolaptr->ClientCertPtr) X509_free (sesolaptr->ClientCertPtr);
sesolaptr->ClientCertPtr = NULL;
}
else
if (!sesolaptr->ClientCertPtr)
sesolaptr->ClientCertPtr = SSL_get_peer_certificate (sesolaptr->SslPtr);
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA,
"->ClientCertPtr !&X", sesolaptr->ClientCertPtr);
if (!sesolaptr->ClientCertPtr)
{
/***********************************************/
/* no client certficiate (currently) available */
/***********************************************/
if (HTTP2_REQUEST(rqptr))
{
/* RFC7540 9.2.1 */
if (WATCHPNT(rqptr) && (WATCH_CATEGORY(WATCH_HTTP2) ||
WATCH_CATEGORY(WATCH_SESOLA) ||
WATCH_CATEGORY(WATCH_AUTH)))
WatchThis (WATCHITM(rqptr), WATCH_SESOLA,
"X509 RENEGOTIATE switch HTTP/2 to HTTP/1.1");
Http2Error (rqptr->Http2Stream.Http2Ptr, 0, HTTP2_ERROR_HTTP11);
rqptr->rqResponse.HttpStatus = 101;
return (SS$_ABORT);
}
if (VerifyParam == SESOLA_VERIFY_AST)
{
/* call from SesolaClientCertGet(), no certificate! */
if (sesolaptr->CertVerifyMode == SESOLA_VERIFY_PEER_AUTH)
{
/*****************/
/* authorization */
/*****************/
/* no certificate - no authentication! */
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_LOGIN;
}
/* called as an AST, therefore call the original AST address */
SysDclAst (sesolaptr->ClientCertAstFunction, rqptr);
return (SS$_NORMAL);
}
/* let's renegotiate with the client, trying to get a certificate */
sesolaptr->ClientCertAstFunction = AstFunction;
sesolaptr->CertVerifyCallbackCount = 0;
SSL_set_verify (sesolaptr->SslPtr, VerifyMode,
&SesolaCertVerifyCallback);
/* provide the request pointer for the verify callback */
SSL_set_ex_data (sesolaptr->SslPtr, 0, sesolaptr);
SesolaClientCertGet (sesolaptr);
if (sesolaptr->CertVerifyMode == SESOLA_VERIFY_PEER_AUTH)
{
/*****************/
/* authorization */
/*****************/
/* returning AUTH_PENDING, activate authorization AST function */
rqptr->rqAuth.AstFunction = rqptr->rqAuth.AstFunctionBuffer;
rqptr->rqAuth.FinalStatus = AUTH_PENDING;
}
/* the faux "waiting for user labels" status indicates renegotiation */
return (SS$_WAITUSRLBL);
}
/*************************************/
/* yes, we have a client certificate */
/*************************************/
/* if a [LT:integer] was set earlier then now's the time to apply it */
if (sesolaptr->SessionLifetimeMinutes)
{
/*
Hmmm, not sure if this is the absolutely best thing to do!
Now that we've got a certificate make it a little easier on the
client by extending the session timeout so the user will not need
to respecify the certificate too often provided the session is
continually used (updated each request by resetting the session
timestamp).
*/
SSL_SESSION_set_time (SessionPtr, time(NULL));
}
/* a [TO:integer] value will override a [LT:integer] one */
if (sesolaptr->SessionTimeoutMinutes)
SSL_SESSION_set_timeout (SessionPtr,
sesolaptr->SessionTimeoutMinutes*60);
else
if (sesolaptr->SessionLifetimeMinutes)
SSL_SESSION_set_timeout (SessionPtr,
sesolaptr->SessionLifetimeMinutes*60);
WatchThisType = 0;
if (WATCH_CAT && WATCHPNT(rqptr))
{
if WATCH_CATEGORY(WATCH_SESOLA)
WatchThisType = WATCH_SESOLA;
else
if WATCH_CATEGORY(WATCH_AUTH)
WatchThisType = WATCH_AUTH;
}
if (WatchThisType ||
sesolaptr->CertVerifyMode == SESOLA_VERIFY_PEER_AUTH)
{
X509_NAME_oneline (X509_get_issuer_name(sesolaptr->ClientCertPtr),
CertIssuer, sizeof(CertIssuer));
X509_NAME_oneline (X509_get_subject_name(sesolaptr->ClientCertPtr),
CertSubject, sizeof(CertSubject));
DigestTypePtr = SesolaCertFingerprint (sesolaptr->ClientCertPtr,
&EVP_md5,
CertFingerprintMD5,
sizeof(CertFingerprintMD5));
if (*DigestTypePtr)
DigestTypePtr = SesolaCertFingerprint (sesolaptr->ClientCertPtr,
&EVP_sha1,
CertFingerprintSHA1,
sizeof(CertFingerprintSHA1));
}
if (WATCH_CAT && WatchThisType)
{
SesolaCertFingerprint (sesolaptr->ClientCertPtr,
&EVP_sha256,
CertFingerprintSHA256,
sizeof(CertFingerprintSHA256));
zptr = (sptr = AuthFingerprint) + sizeof(AuthFingerprint)-1;
for (cptr = CertFingerprintMD5; *cptr; cptr++)
if (*cptr != ':') *sptr++ = *cptr;
*sptr = '\0';
SessionTimeCSec = SSL_SESSION_get_time (SessionPtr);
SessionTimeout = SSL_SESSION_get_timeout (SessionPtr);
SessionTimeoutCSec = SessionTimeCSec + SessionTimeout;
tmptr = localtime (&SessionTimeCSec);
if (!strftime (TimeString, sizeof(TimeString),
"%b %d %T %Y", tmptr))
strcpy (TimeString, "strftime() error");
tmptr = localtime (&SessionTimeoutCSec);
if (!strftime (TimeoutString, sizeof(TimeoutString),
"%b %d %T %Y", tmptr))
strcpy (TimeoutString, "strftime() error");
SessionHits = SSL_CTX_sess_hits (sesolaptr->SslCtx);
WatchThis (WATCHITM(rqptr), WatchThisType,
"X509 client certificate");
WatchDataFormatted ("ISSUER: !AZ\n", CertIssuer);
WatchDataFormatted ("SUBJECT: !AZ\n", CertSubject);
SesolaCertExtension (sesolaptr->ClientCertPtr, (char*)-1);
while (cptr = SesolaCertExtension (NULL, NULL))
WatchDataFormatted ("EXTENSION: !AZ\n", cptr);
WatchDataFormatted ("SHA256: !AZ\n", CertFingerprintSHA256);
WatchDataFormatted ("SHA1: !AZ\n", CertFingerprintSHA1);
WatchDataFormatted ("MD5: !AZ\n", CertFingerprintMD5);
WatchDataFormatted ("FINGERPRINT: !AZ \n", AuthFingerprint);
WatchDataFormatted ("SESSION: !UL hit!%s since !AZ, timeout (!SL) at !AZ\n",
SessionHits, TimeString, SessionTimeout / 60,
TimeoutString);
}
if (sesolaptr->CertVerifyMode != SESOLA_VERIFY_PEER_AUTH)
{
if (VerifyParam == SESOLA_VERIFY_AST)
{
/* call from SesolaClientCertGet() */
SysDclAst (sesolaptr->ClientCertAstFunction, rqptr);
}
return (SS$_NORMAL);
}
/*****************/
/* authorization */
/*****************/
if (sesolaptr->X509optionalNoCa)
SSL_set_verify_result (sesolaptr->SslPtr, X509_V_OK);
if (SSL_get_verify_result (sesolaptr->SslPtr) != X509_V_OK)
{
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_LOGIN;
if (VerifyParam == SESOLA_VERIFY_AST)
{
/* call from SesolaClientCertGet() */
SysDclAst (sesolaptr->ClientCertAstFunction, rqptr);
}
/* cancel the cached session by adjusting the timeout backwards */
SSL_SESSION_set_timeout (SessionPtr, -1);
return (SS$_NORMAL);
}
if (!*DigestTypePtr)
{
/* hmmm, problem in generating the fingerprint */
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_OTHER;
if (VerifyParam == SESOLA_VERIFY_AST)
{
/* call from SesolaClientCertGet() */
SysDclAst (sesolaptr->ClientCertAstFunction, rqptr);
}
/* cancel the cached session by adjusting the timeout backwards */
SSL_SESSION_set_timeout (SessionPtr, -1);
return (SS$_NORMAL);
}
/******************/
/* authenticated! */
/******************/
/* X509 authentication, full r+w access implied */
rqptr->rqAuth.UserCan = AUTH_READWRITE_ACCESS;
rqptr->rqAuth.FinalStatus = SS$_NORMAL;
rqptr->rqAuth.ClientCertIssuerLength = strlen(CertIssuer);
rqptr->rqAuth.ClientCertIssuerPtr =
VmGetHeap (rqptr, rqptr->rqAuth.ClientCertIssuerLength+1);
strcpy (rqptr->rqAuth.ClientCertIssuerPtr, CertIssuer);
rqptr->rqAuth.ClientCertSubjectLength = strlen(CertSubject);
rqptr->rqAuth.ClientCertSubjectPtr =
VmGetHeap (rqptr, rqptr->rqAuth.ClientCertSubjectLength+1);
strcpy (rqptr->rqAuth.ClientCertSubjectPtr, CertSubject);
/* if a conditional was detected during an earlier phase */
if (sesolaptr->X509ConditionalPtr)
{
if (!SesolaClientCertConditional (rqptr, sesolaptr->X509ConditionalPtr))
{
rqptr->rqAuth.FinalStatus = AUTH_DENIED_BY_OTHER;
if (VerifyParam == SESOLA_VERIFY_AST)
{
/* call from SesolaClientCertGet() */
SysDclAst (sesolaptr->ClientCertAstFunction, rqptr);
}
/* cancel the cached session by adjusting the timeout backwards */
SSL_SESSION_set_timeout (SessionPtr, -1);
return (SS$_NORMAL);
}
}
/* derive the user details from the /CN and /EMAIL of the subject */
zptr = (sptr = UserDetails) + sizeof(UserDetails)-1;
cptr = SesolaCertParseDn (rqptr->rqAuth.ClientCertSubjectPtr, "/CN=");
if (cptr)
{
while (*cptr && *cptr != '=') cptr++;
if (*cptr) cptr++;
while (*cptr && sptr < zptr) *sptr++ = *cptr++;
}
cptr = SesolaCertParseDn (rqptr->rqAuth.ClientCertSubjectPtr, "/Email=");
if (!cptr)
cptr = SesolaCertParseDn (rqptr->rqAuth.ClientCertSubjectPtr,
"/emailAddress=");
if (cptr)
{
while (*cptr && *cptr != '=') cptr++;
if (*cptr)
{
cptr++;
if (sptr < zptr) *sptr++ = ',';
if (sptr < zptr) *sptr++ = ' ';
while (*cptr && sptr < zptr) *sptr++ = *cptr++;
}
}
*sptr = '\0';
rqptr->rqAuth.UserDetailsLength = sptr - UserDetails;
rqptr->rqAuth.UserDetailsPtr =
VmGetHeap (rqptr, rqptr->rqAuth.UserDetailsLength+1);
strcpy (rqptr->rqAuth.UserDetailsPtr, UserDetails);
rqptr->rqAuth.ClientCertFingerprintLength = strlen(CertFingerprintMD5);
rqptr->rqAuth.ClientCertFingerprintPtr =
VmGetHeap (rqptr, rqptr->rqAuth.ClientCertFingerprintLength+1);
strcpy (rqptr->rqAuth.ClientCertFingerprintPtr, CertFingerprintMD5);
zptr = (sptr = rqptr->RemoteUser) + sizeof(rqptr->RemoteUser)-1;
if (sesolaptr->X509RemoteUserDnRecord[0])
{
cptr = SesolaCertParseDn (rqptr->rqAuth.ClientCertSubjectPtr,
sesolaptr->X509RemoteUserDnRecord);
if (!cptr)
cptr = SesolaCertName (sesolaptr->ClientCertPtr,
sesolaptr->X509RemoteUserDnRecord);
if (!cptr)
cptr = SesolaCertExtension (sesolaptr->ClientCertPtr,
sesolaptr->X509RemoteUserDnRecord);
if (cptr)
{
/* check for wildcard pattern */
for (aptr = sesolaptr->X509RemoteUserDnRecord;
*aptr && *aptr != '*' && *aptr != '^';
aptr++);
/* if something like (DTAG) /CN=User-Id* */
if (*aptr)
while (*cptr && *cptr != '=') cptr++;
else
for (aptr = sesolaptr->X509RemoteUserDnRecord;
*aptr && *cptr;
aptr++, cptr++);
while (*cptr && *cptr != '_' && !isalnum(*cptr)) cptr++;
while (*cptr && sptr < zptr)
{
/* convert white-space to underscores */
if (ISLWS(*cptr))
*sptr++ = '_';
else
*sptr++ = *cptr;
cptr++;
}
}
}
else
{
/* "remote user name" is derived from fingerprint without the colons */
cptr = rqptr->rqAuth.ClientCertFingerprintPtr;
while (*cptr && sptr < zptr)
{
if (*cptr == ':')
cptr++;
else
*sptr++ = *cptr++;
}
}
/* overflow does not truncate, it empties (does not authorize)!! */
if (sptr >= zptr)
{
*sptr = '\0';
if (WATCH_CAT && WatchThisType)
WatchThis (WATCHITM(rqptr), WatchThisType,
"X509 overflow at !UL bytes REMOTE_USER !AZ",
sizeof(rqptr->RemoteUser)-1, rqptr->RemoteUser);
sptr = rqptr->RemoteUser;
}
*sptr = '\0';
rqptr->RemoteUserLength = sptr - rqptr->RemoteUser;
if (rqptr->RemoteUserLength)
strcpy (rqptr->RemoteUserPassword, "anystringwilldo");
if (WATCH_CAT && WatchThisType)
WatchThis (WATCHITM(rqptr), WatchThisType,
"X509 client certificate REMOTE_USER !AZ",
rqptr->RemoteUser[0] ? rqptr->RemoteUser : "(none)");
if (VerifyParam == SESOLA_VERIFY_AST)
{
/* call from SesolaClientCertGet() */
SysDclAst (sesolaptr->ClientCertAstFunction, rqptr);
}
return (SS$_NORMAL);
}
/*****************************************************************************/
/*
Called by RequestEnd2() to dispose of any client certificate reference.
*/
void SesolaClientCertEnd (REQUEST_STRUCT *rqptr)
{
HTTP2_STRUCT *h2ptr;
SESOLA_STRUCT *sesolaptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "SesolaClientCertEnd()");
if (!(sesolaptr = (SESOLA_STRUCT*)rqptr->NetIoPtr->SesolaPtr))
{
if (!(h2ptr = rqptr->Http2Stream.Http2Ptr)) return;
if (!(sesolaptr = (SESOLA_STRUCT*)h2ptr->NetIoPtr->SesolaPtr)) return;
}
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHALL, WATCH_MOD_SESOLA, "->ClientCertPtr !8XL",
sesolaptr->ClientCertPtr);
if (!sesolaptr->ClientCertPtr) return;
X509_free (sesolaptr->ClientCertPtr);
sesolaptr->ClientCertPtr = NULL;
}
/*****************************************************************************/
/*
Scan the authorization parameter string evaluating the conditions! Return true
or false. Anything it cannot understand it ignores! (and yes, it does look a
little like MapUrl_Conditional() :^)
*/
BOOL SesolaClientCertConditional
(
REQUEST_STRUCT *rqptr,
char *ConditionalPtr
)
{
BOOL NegateThisCondition,
NegateEntireConditional,
Result,
SoFarSoGood,
WatchThisOne;
int AlgKeySize,
ConditionalCount,
MinKeySize,
UseKeySize;
char *cptr, *csptr, *sptr, *zptr,
*CipherNamePtr,
*CurrentPtr,
*VersionNamePtr;
char Scratch [AUTH_MAX_PATH_PARAM_LENGTH+1];
SESOLA_STRUCT *sesolaptr;
SSL_CIPHER *CipherPtr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA,
"SesolaClientCertConditional() !&Z\n", ConditionalPtr);
sesolaptr = (SESOLA_STRUCT*)rqptr->NetIoPtr->SesolaPtr;
if (WATCHPNT(rqptr) && (WATCH_CATEGORY(WATCH_SESOLA) ||
WATCH_CATEGORY(WATCH_AUTH)))
WatchThisOne = true;
else
WatchThisOne = false;
CurrentPtr = NULL;
ConditionalCount = 0;
NegateEntireConditional = NegateThisCondition = SoFarSoGood = false;
cptr = ConditionalPtr;
while (*cptr)
{
while (ISLWS(*cptr)) cptr++;
if (!*cptr) break;
if (*cptr == '[' || SAME2(cptr,'!['))
{
CurrentPtr = cptr;
if (*cptr == '!')
{
NegateEntireConditional = true;
cptr++;
}
else
NegateEntireConditional = false;
cptr++;
ConditionalCount = 0;
SoFarSoGood = false;
continue;
}
if (*cptr == ']')
{
cptr++;
if (NegateEntireConditional)
{
SoFarSoGood = !SoFarSoGood;
NegateEntireConditional = false;
}
if (ConditionalCount && !SoFarSoGood)
{
cptr = "";
break;
}
continue;
}
if (SoFarSoGood)
{
if (NegateEntireConditional)
{
SoFarSoGood = !SoFarSoGood;
NegateEntireConditional = false;
}
/* at least one OK, skip to the end of the conditional */
while (*cptr && *cptr != ']') cptr++;
if (!*cptr) break;
}
if (!CurrentPtr) CurrentPtr = cptr;
NegateThisCondition = Result = false;
zptr = (sptr = Scratch) + sizeof(Scratch)-1;
if (*cptr == '!')
{
cptr++;
NegateThisCondition = true;
}
switch (*(USHORTPTR)cptr)
{
case 'ci' :
case 'CI' :
/***************/
/* Cipher Name */
/***************/
ConditionalCount++;
cptr += 3;
while (*cptr && !ISLWS(*cptr) && *cptr != ']' && sptr < zptr)
{
if (cptr[0] == '\\' && cptr[1]) cptr++;
if (*cptr) *sptr++ = *cptr++;
}
*sptr = '\0';
if (!CipherPtr)
CipherPtr = SSL_get_current_cipher (sesolaptr->SslPtr);
if (!CipherPtr)
{
CipherNamePtr = "";
AlgKeySize = UseKeySize = 0;
}
if (!CipherNamePtr)
CipherNamePtr = (char*)SSL_CIPHER_get_name (CipherPtr);
if (!CipherNamePtr) CipherNamePtr = "";
Result = StringMatch (rqptr, CipherNamePtr, Scratch);
break;
case 'is' :
case 'IS' :
/******************/
/* Cert Issuer DN */
/******************/
ConditionalCount++;
cptr += 3;
while (*cptr && !ISLWS(*cptr) && *cptr != ']' && sptr < zptr)
{
if (cptr[0] == '\\' && cptr[1]) cptr++;
if (*cptr) *sptr++ = *cptr++;
}
*sptr = '\0';
csptr = rqptr->rqAuth.ClientCertIssuerPtr;
/* if it begins with DN record name then confine to that record */
if (*(sptr = Scratch) == '/')
{
/* must begin with something like "/CN=string" */
if (!SesolaCertParseDn (csptr, sptr))
Result = false;
else
{
/* found the (example) "/CN=", skip over BOTH */
while (*sptr && *sptr != '=') sptr++;
if (*sptr) sptr++;
while (*csptr && *csptr != '=') csptr++;
if (*csptr) csptr++;
/* now search only the returned DN record value */
Result = StringMatch (rqptr, csptr, sptr);
}
}
else
{
/* search the entire DN */
Result = StringMatch (rqptr, csptr, sptr);
}
break;
case 'ks' :
case 'KS' :
/*****************/
/* User Key Size */
/*****************/
ConditionalCount++;
cptr += 3;
while (*cptr && !ISLWS(*cptr) && *cptr != ']' && sptr < zptr)
{
if (cptr[0] == '\\' && cptr[1]) cptr++;
if (*cptr) *sptr++ = *cptr++;
}
*sptr = '\0';
MinKeySize = atoi(Scratch);
if (MinKeySize < 0) MinKeySize = 0;
if (!CipherPtr)
CipherPtr = SSL_get_current_cipher (sesolaptr->SslPtr);
if (!CipherPtr)
UseKeySize = 0;
else
UseKeySize = SSL_CIPHER_get_bits(CipherPtr, &AlgKeySize);
Result = UseKeySize >= MinKeySize;
break;
case 'su' :
case 'SU' :
/*******************/
/* Cert Subject DN */
/*******************/
ConditionalCount++;
cptr += 3;
while (*cptr && !ISLWS(*cptr) && *cptr != ']' && sptr < zptr)
{
if (cptr[0] == '\\' && cptr[1]) cptr++;
if (*cptr) *sptr++ = *cptr++;
}
*sptr = '\0';
csptr = rqptr->rqAuth.ClientCertSubjectPtr;
/* if it begins with DN record name then confine to that record */
if (*(sptr = Scratch) == '/')
{
/* must begin with something like "/CN=string" */
if (!(csptr = SesolaCertParseDn (csptr, sptr)))
Result = false;
else
{
/* found the (example) "/CN=", skip over BOTH */
while (*sptr && *sptr != '=') sptr++;
if (*sptr) sptr++;
while (*csptr && *csptr != '=') csptr++;
if (*csptr) csptr++;
/* now search only the returned DN record value */
Result = StringMatch (rqptr, csptr, sptr);
}
}
else
{
/* search the entire DN */
Result = StringMatch (rqptr, csptr, sptr);
}
break;
default :
/***********************************/
/* unknown (or 'VF', etc.), ignore */
/***********************************/
if (WATCH_CAT && WatchThisOne)
WatchDataFormatted ("IGNORE !AZ\n", CurrentPtr);
while (*cptr && !ISLWS(*cptr) && *cptr != ']')
{
if (cptr[0] == '\\' && cptr[1]) cptr++;
if (*cptr) cptr++;
}
continue;
}
if (NegateThisCondition)
SoFarSoGood = SoFarSoGood || !Result;
else
SoFarSoGood = SoFarSoGood || Result;
if (WATCH_CAT && WatchThisOne)
WatchDataFormatted ("!AZ !AZ\n",
SoFarSoGood ? "PASS" : "FAIL", CurrentPtr);
CurrentPtr = NULL;
}
if (!ConditionalCount)
SoFarSoGood = true;
else
if (NegateEntireConditional)
SoFarSoGood = !SoFarSoGood;
if (WATCH_CAT && WatchThisOne)
WatchDataFormatted ("!AZ conditional\n",
SoFarSoGood ? "PASSED" : "FAILED");
return (SoFarSoGood);
}
/*****************************************************************************/
/*
Get an X509 certificate from the client, or try to anyway.
With TLSv1.2 and earlier: Initiate an SSL renegotiate to give the client an
opportunity to supply a client certificate.
With TLSv1.3 (OpenSSL 1.1.1 and later): Renegotation is no longer available
and it is done by having the service enable the TLSv1.3 post handshake
authentication extension that provides a client certificate.
Due to the non-blocking I/O used by WASD this function will be called multiple
times to complete the handshake. Ensure pending request data (typically from a
PROPFIND, PUT or POST) is cleared before attempting to renegotiate.
As there is lots of negotiation going on underneath all the asynchronous I/O in
this behaviour some fine-grained inspection of the connection state is needed.
Essentially at each handshake I/O the state is checked for client certificate
exchange. This sets a flag and the next "SSL negotiation finished
successfully" message considered certificate negotiation concluded.
*/
void SesolaClientCertGet (SESOLA_STRUCT *sesolaptr)
{
static char buf[1];
int sane, state, value, verify, version;
char *cptr;
REQUEST_STRUCT *rqptr;
/*********/
/* begin */
/*********/
rqptr = sesolaptr->RequestPtr;
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA,
"SesolaClientCertGet() !&B !&B",
sesolaptr->SslStateFunction == &SesolaClientCertGet,
sesolaptr->ReadClientCert);
if (sesolaptr->VerifyPeerDataSize &&
sesolaptr->VerifyPeerDataCount < sesolaptr->VerifyPeerDataSize)
{
if ((value = SesolaClientRequestData (sesolaptr)) < 0)
{
SesolaWatchErrors (sesolaptr);
SesolaClientCert (rqptr, SESOLA_VERIFY_AST, NULL);
return;
}
/* if waiting on I/O */
if (value == 0) return;
}
version = SSL_version (sesolaptr->SslPtr);
if (sesolaptr->SslStateFunction != &SesolaClientCertGet)
{
/*********/
/* start */
/*********/
if (rqptr->rqHeader.ContentLength64)
{
if ((value = SesolaClientRequestData (sesolaptr)) < 0)
{
SesolaWatchErrors (sesolaptr);
SesolaClientCert (rqptr, SESOLA_VERIFY_AST, NULL);
return;
}
/* if waiting on I/O */
if (value == 0) return;
}
if (WATCHING (rqptr, WATCH_SESOLA))
{
verify = SSL_get_verify_mode (sesolaptr->SslPtr);
switch (verify)
{
case SSL_VERIFY_NONE :
cptr = "NONE"; break;
case SSL_VERIFY_PEER :
cptr = "OPTIONAL"; break;
case (SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT) :
cptr = "REQUIRED"; break;
#if SESOLA_SINCE_111
case (SSL_VERIFY_PEER |
SSL_VERIFY_POST_HANDSHAKE) :
cptr = "OPTIONAL-POST_HANDSHAKE"; break;
case (SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
SSL_VERIFY_POST_HANDSHAKE) :
cptr = "REQUIRED-POST_HANDSHAKE"; break;
#endif
default : cptr = "unknown!";
}
WatchThis (WATCHITM(rqptr), WATCH_SESOLA,
"X509 client certificate VERIFY:!AZ", cptr);
SesolaWatchErrors (sesolaptr);
}
#if SESOLA_SINCE_111
if (version >= TLS1_3_VERSION)
{
if (SSL_verify_client_post_handshake (sesolaptr->SslPtr) != 1)
{
SesolaWatchErrors (sesolaptr);
SesolaClientCert (rqptr, SESOLA_VERIFY_AST, NULL);
return;
}
}
else
#endif
/* <= TLS1_2_VERSION */
{
SSL_set_session_id_context (sesolaptr->SslPtr, SesolaSessionId,
SSL_MAX_SSL_SESSION_ID_LENGTH);
SSL_renegotiate (sesolaptr->SslPtr);
}
sesolaptr->ReadClientCert = false;
sesolaptr->X509CertRequested = true;
sesolaptr->SslStateFunction = &SesolaClientCertGet;
}
for (sane = 16; sane; sane--)
{
/*************/
/* handshake */
/*************/
/* allow for low-level SSL I/O here (e.g. link disconnection) */
if (VMSnok(sesolaptr->ReadIOsb.Status)) break;
if (VMSnok(sesolaptr->WriteIOsb.Status)) break;
value = SSL_do_handshake (sesolaptr->SslPtr);
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
{
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA,
"SSL_do_handshake() !SL !SL",
value, SSL_get_error(sesolaptr->SslPtr,value));
SesolaWatchErrors (sesolaptr);
}
/* tweak the client into providing data (per Apache mod_ssl) */
SSL_peek (sesolaptr->SslPtr, buf, 0);
/*****************/
/* current state */
/*****************/
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA,
"STATE !UL \"!AZ\" !AZ cert:!&B",
SSL_get_state (sesolaptr->SslPtr),
SSL_state_string (sesolaptr->SslPtr),
SSL_state_string_long (sesolaptr->SslPtr),
sesolaptr->ReadClientCert);
state = SSL_get_state (sesolaptr->SslPtr);
#if SESOLA_SINCE_110
if (state == TLS_ST_SR_CERT)
sesolaptr->ReadClientCert = true;
else
if (state == TLS_ST_SR_CERT_VRFY)
sesolaptr->ReadClientCert = true;
else
if (state == TLS_ST_OK)
if (sesolaptr->ReadClientCert)
break;
#else
if (state == SSL3_ST_SR_CERT_A)
sesolaptr->ReadClientCert = true;
else
if (state == SSL3_ST_SR_CERT_B)
sesolaptr->ReadClientCert = true;
else
if (state == SSL_ST_OK)
if (sesolaptr->ReadClientCert)
break;
#endif
/* if non-blocking IO in progress just return and wait for delivery */
if (sesolaptr->ReadInProgress ||
sesolaptr->WriteInProgress)
{
/****************/
/* wait for I/O */
/****************/
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA,
"READ:!&?yes\rno\r WRITE:!&?yes\rno\r",
sesolaptr->ReadInProgress, sesolaptr->WriteInProgress);
return;
}
/* if the handshake was broken */
if (value <= 0) break;
}
/************/
/* finished */
/************/
if (!sane) ErrorNoticed (rqptr, SS$_BUGCHECK, NULL, FI_LI);
if (WATCHING (rqptr, WATCH_SESOLA))
SesolaWatchSession (sesolaptr);
sesolaptr->ReadClientCert = false;
sesolaptr->SslStateFunction = NULL;
SesolaClientCert (rqptr, SESOLA_VERIFY_AST, NULL);
}
/*****************************************************************************/
/*
Request data being sent by the client (e.g. PROFIND/PUT/POST) will interfere
with renegotiation so read and buffer this (up to a reasonable quantity).
Reinsert this into the application stream in SesolaNetIoRead(). Return -1 to
indicate an error, 0 that application data is still being read, or the number
of bytes in the application data (at the end of the read(s)). Renegotiation
does not proceed until non-zero is returned.
*/
int SesolaClientRequestData (SESOLA_STRUCT *sesolaptr)
{
int size, value;
uchar *aptr;
REQUEST_STRUCT *rqptr;
SESOLA_CONTEXT *ctxptr;
/*********/
/* begin */
/*********/
rqptr = sesolaptr->RequestPtr;
if (WATCHING (rqptr, WATCH_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_SESOLA,
"BUFFER client data !UL !UL/!UL",
rqptr->rqHeader.ContentLength64,
sesolaptr->VerifyPeerDataCount,
sesolaptr->VerifyPeerDataSize);
if (sesolaptr->VerifyPeerDataSize &&
sesolaptr->VerifyPeerDataCount >= sesolaptr->VerifyPeerDataSize)
return (sesolaptr->VerifyPeerDataCount);
if (!sesolaptr->VerifyPeerDataSize)
{
/* per-service data max falling back to global data max */
ctxptr = (SESOLA_CONTEXT*)rqptr->ServicePtr->SSLserverPtr;
if (!(size = ctxptr->VerifyDataMax)) size = SesolaVerifyPeerDataMax;
value = rqptr->rqHeader.ContentLength64;
if (value > size)
{
if (WATCHING (rqptr, WATCH_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_SESOLA,
"X509 RENEGOTIATE request data exceeds !UL kBytes",
size / 1024);
return (sesolaptr->VerifyPeerDataCount = -1);
}
sesolaptr->VerifyPeerDataSize = value;
/* global memory used (SesolaNetRead() is request-agnostic) */
sesolaptr->VerifyPeerDataPtr = sesolaptr->VerifyPeerReadPtr =
aptr = VmGet (value);
}
while (sesolaptr->VerifyPeerDataCount < sesolaptr->VerifyPeerDataSize)
{
size = sesolaptr->VerifyPeerDataSize - sesolaptr->VerifyPeerDataCount;
aptr = sesolaptr->VerifyPeerDataPtr + sesolaptr->VerifyPeerDataCount;
value = SSL_read (sesolaptr->SslPtr, aptr, size);
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
{
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA,
"SSL_read() !SL !SL",
value, SSL_get_error(sesolaptr->SslPtr,value));
SesolaWatchErrors (sesolaptr);
}
/* if non-blocking IO in progress just return and wait for delivery */
if (sesolaptr->ReadInProgress ||
sesolaptr->WriteInProgress)
{
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA,
"READ:!&?yes\rno\r WRITE:!&?yes\rno\r",
sesolaptr->ReadInProgress, sesolaptr->WriteInProgress);
return (0);
}
if (value <= 0)
{
if (WATCHING (rqptr, WATCH_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_SESOLA,
"X509 RENEGOTIATE request data read FAILURE");
SesolaWatchErrors (sesolaptr);
return (sesolaptr->VerifyPeerDataCount = -1);
}
sesolaptr->VerifyPeerDataCount += value;
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA,
"content:!UL/!UL !UL/!UL", value, size,
sesolaptr->VerifyPeerDataCount,
sesolaptr->VerifyPeerDataSize);
}
return (sesolaptr->VerifyPeerDataCount);
}
/*****************************************************************************/
/*
MetaConEvaluate() has hit an "X509:" conditional. Process this and return true
if the conditional is met, false if not met. The conditional can be empty in
which case the availability of an X509 client certificate is tested, returning
true if one is, false if not. The conditional can also supply a keyword,
equate symbol, and optional wildcard or regex. The keyword is progressively
searched for in the client certificate subject, certificate name and then in
the certificate extensions (in much the same way as authorisation X509). If a
keyword has no parameter then the directive just tests for the presence of the
keyword in the certificate. A parameter is a wildcard or regex which is
matched against the content corresponding to the keyword, returning true if it
matches, false if it does not.
*/
BOOL SesolaClientCertMetaCon
(
REQUEST_STRUCT *rqptr,
METACON_LINE *mclptr,
int WatchThisOne
)
{
BOOL result;
char *cptr, *sptr, *zptr;
char keyword [256];
SESOLA_STRUCT *sesolaptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA,
"SesolaClientCertMetaCon() !AZ", mclptr->BufferPtr);
if (HTTP2_REQUEST(rqptr))
sesolaptr = rqptr->Http2Stream.Http2Ptr->NetIoPtr->SesolaPtr;
else
sesolaptr = rqptr->NetIoPtr->SesolaPtr;
if (sesolaptr == NULL)
{
/* not SSL service so X509 certificate impossible - test with "ssl:" */
if (WatchThisOne) WatchDataFormatted ("X509 requires an SSL service!!\n");
return (false);
}
/* parse the keyword */
cptr = mclptr->BufferPtr;
zptr = (sptr = keyword) + sizeof(keyword)-1;
while (*cptr && *cptr != '=' && sptr < zptr) *sptr++ = *cptr++;
*sptr = '\0';
while (*cptr && *cptr != '=') cptr++;
/* |cptr| now points to any keyword parameter (wildcard or regex) */
if (*cptr == '=') cptr++;
if (sesolaptr->X509CertRequested)
{
/* has been requested (at SSL connect or previous renegotiation) */
rqptr->X509ClientCertMeta = false;
if (sesolaptr->ClientCertPtr == NULL)
{
/* no certificate supplied - if just testing for one */
if (!keyword[0]) return (false);
/* wanting to match to X509 certificate (i.e. keyword supplied) */
return (false);
}
}
else
{
/* certificate has not (yet) been requested (via renegotiation) */
rqptr->X509ClientCertMeta = true;
return (false);
}
/* if no keyword then just testing for an X509 certificate */
if (keyword[0]) return (true);
/* search for the keyword */
sptr = SesolaCertParseDn (rqptr->rqAuth.ClientCertSubjectPtr, keyword);
if (!sptr)
sptr = SesolaCertName (sesolaptr->ClientCertPtr, keyword);
if (!sptr)
sptr = SesolaCertExtension (sesolaptr->ClientCertPtr, keyword);
/* if keyword not found */
if (!sptr)
{
if (WatchThisOne) WatchDataFormatted ("Keyword \"!AZ\" not found.\n");
return (false);
}
/* if keyword has no parameter */
if (!*cptr) return (true);
result = StringMatchAndRegex (rqptr, sptr, cptr,
SMATCH_GREEDY_REGEX,
mclptr->RegexPregPtr,
NULL);
return (result);
}
/*****************************************************************************/
/*
Return a pointer to a null-terminated string containing the common name from
any client certificate present.
*/
char* SesolaClientCertRemoteUser (REQUEST_STRUCT *rqptr)
{
char *bptr, *cptr, *sptr;
SESOLA_STRUCT *sesolaptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_SESOLA))
WatchThis (WATCHITM(rqptr), WATCH_MOD_SESOLA,
"SesolaClientCertRemoteUser()");
if (HTTP2_REQUEST(rqptr))
sesolaptr = rqptr->Http2Stream.Http2Ptr->NetIoPtr->SesolaPtr;
else
sesolaptr = (SESOLA_STRUCT*)rqptr->NetIoPtr->SesolaPtr;
if (!sesolaptr) return (NULL);
if (!sesolaptr->ClientCertPtr) return (NULL);
cptr = SesolaCertParseDn (rqptr->rqAuth.ClientCertSubjectPtr, "/CN=");
if (!cptr) return (cptr);
for (sptr = (cptr += 4); *sptr; sptr++);
bptr = sptr = VmGetHeap (rqptr, sptr-cptr+1);
while (*cptr) *sptr++ = *cptr++;
*sptr = '\0';
return (bptr);
}
/*****************************************************************************/
/*
For compilations without SSL these functions provide LINKage stubs for the
rest of the HTTPd modules, allowing for just recompiling the Sesola module to
integrate the SSL functionality.
*/
/*********************/
#else /* not SESOLA */
/*********************/
extern char ErrorSanityCheck[];
void SesolaClientCertEnd (REQUEST_STRUCT *rqptr)
{
/* always called by RequestEnd(); empty function; just return */
}
SesolaClientCertGet (void *sesolaptr)
{
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
char* SesolaClientCertRemoteUser (void *sesolaptr)
{
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
BOOL SesolaClientCertMetaCon
(
REQUEST_STRUCT *rqptr,
METACON_LINE *mclptr,
int WatchThisOne
)
{
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
/************************/
#endif /* ifdef SESOLA */
/************************/
/*****************************************************************************/