Hi Jack, On Wed, May 16, 2018 at 05:32:56PM +0930, Jack Burton wrote: > I figured that if we can agree on this much, so httpd can be used for > the authentication-only case (which is all non-fastcgi sites would want) > straight away, that's be a good first step -- then we can come back and > argue the toss over how much client cert data is necessary/sufficient > to pass through for authorisation/accounting purposes.
I agree with you. Lets commit this first step. I tested your diff on current amd64 and sparc64 with an own PKI [1] and the firefox browser. Every thing works for me. I also looked down your source code which also seams fine to me. I tested the optional and non-optional "client ca" configuration, as well as the revocation and the fastcgi environment feature on both architectures. Everything works so far. Hopefully, it will committed this time! :-) Thanks! Jan [1]: https://github.com/younix/ca > There's also a trivial regression test (unchanged from last year), which > I'll post again separately next. > > > Index: config.c > =================================================================== > RCS file: /cvs/src/usr.sbin/httpd/config.c,v > retrieving revision 1.53 > diff -u -p -r1.53 config.c > --- config.c 19 Jul 2017 17:36:25 -0000 1.53 > +++ config.c 16 May 2018 07:59:10 -0000 > @@ -304,10 +304,18 @@ config_setserver_tls(struct httpd *env, > > log_debug("%s: configuring tls for %s", __func__, srv_conf->name); > > + if (config_settls(env, srv, TLS_CFG_CA, "ca", srv_conf->tls_ca, > + srv_conf->tls_ca_len) != 0) > + return (-1); > + > if (config_settls(env, srv, TLS_CFG_CERT, "cert", srv_conf->tls_cert, > srv_conf->tls_cert_len) != 0) > return (-1); > > + if (config_settls(env, srv, TLS_CFG_CRL, "crl", srv_conf->tls_crl, > + srv_conf->tls_crl_len) != 0) > + return (-1); > + > if (config_settls(env, srv, TLS_CFG_KEY, "key", srv_conf->tls_key, > srv_conf->tls_key_len) != 0) > return (-1); > @@ -431,6 +439,7 @@ config_getserver_config(struct httpd *en > > f = SRVFLAG_TLS; > srv_conf->flags |= parent->flags & f; > + srv_conf->tls_flags = parent->tls_flags; > > f = SRVFLAG_ACCESS_LOG; > if ((srv_conf->flags & f) == 0) { > @@ -655,9 +664,21 @@ config_getserver_tls(struct httpd *env, > } > > switch (tls_conf.tls_type) { > + case TLS_CFG_CA: > + if (config_gettls(env, srv_conf, &tls_conf, "ca", p, len, > + &srv_conf->tls_ca, &srv_conf->tls_ca_len) != 0) > + goto fail; > + break; > + > case TLS_CFG_CERT: > if (config_gettls(env, srv_conf, &tls_conf, "cert", p, len, > &srv_conf->tls_cert, &srv_conf->tls_cert_len) != 0) > + goto fail; > + break; > + > + case TLS_CFG_CRL: > + if (config_gettls(env, srv_conf, &tls_conf, "crl", p, len, > + &srv_conf->tls_crl, &srv_conf->tls_crl_len) != 0) > goto fail; > break; > > Index: httpd.conf.5 > =================================================================== > RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v > retrieving revision 1.90 > diff -u -p -r1.90 httpd.conf.5 > --- httpd.conf.5 11 Apr 2018 15:50:46 -0000 1.90 > +++ httpd.conf.5 16 May 2018 07:59:10 -0000 > @@ -342,6 +342,10 @@ The revision of the HTTP specification u > .It Ic SERVER_SOFTWARE > The server software name of > .Xr httpd 8 . > +.It Ic TLS_PEER_VERIFY > +A variable that is set to a comma separated list of TLS client verification > +features in use > +.Pq omitted when TLS client verification is not in use . > .El > .It Ic hsts Oo Ar option Oc > Enable HTTP Strict Transport Security. > @@ -526,6 +530,23 @@ will be used (strong crypto cipher suite > See the CIPHERS section of > .Xr openssl 1 > for information about SSL/TLS cipher suites and preference lists. > +.It Ic client ca Ar cafile Oo Ic crl Ar crlfile Oc Op Ic optional > +Require > +.Po > +or, if > +.Ic optional > +is specified, request but do not require > +.Pc > +TLS client certificates whose authenticity can be verified > +against the CA certificate(s) in > +.Ar cafile > +in order to proceed beyond the TLS handshake. > +With > +.Ic crl > +specified, additionally require that no certificate in the client chain be > +listed as revoked in the CRL(s) in > +.Ar crlfile . > +CA certificates and CRLs should be PEM encoded. > .It Ic dhe Ar params > Specify the DHE parameters to use for DHE cipher suites. > Valid parameter values are none, legacy and auto. > Index: httpd.h > =================================================================== > RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v > retrieving revision 1.136 > diff -u -p -r1.136 httpd.h > --- httpd.h 11 Apr 2018 15:50:46 -0000 1.136 > +++ httpd.h 16 May 2018 07:59:10 -0000 > @@ -424,6 +424,11 @@ SPLAY_HEAD(client_tree, client); > #define HSTSFLAG_PRELOAD 0x02 > #define HSTSFLAG_BITS "\10\01SUBDOMAINS\02PRELOAD" > > +#define TLSFLAG_CA 0x01 > +#define TLSFLAG_CRL 0x02 > +#define TLSFLAG_OPTIONAL 0x04 > +#define TLSFLAG_BITS "\10\01CA\02CRL\3OPTIONAL" > + > enum log_format { > LOG_FORMAT_COMMON, > LOG_FORMAT_COMBINED, > @@ -480,12 +485,19 @@ struct server_config { > uint32_t maxrequests; > size_t maxrequestbody; > > + uint8_t *tls_ca; > + char *tls_ca_file; > + size_t tls_ca_len; > uint8_t *tls_cert; > size_t tls_cert_len; > char *tls_cert_file; > char tls_ciphers[HTTPD_TLS_CONFIG_MAX]; > + uint8_t *tls_crl; > + char *tls_crl_file; > + size_t tls_crl_len; > char tls_dhe_params[HTTPD_TLS_CONFIG_MAX]; > char tls_ecdhe_curves[HTTPD_TLS_CONFIG_MAX]; > + uint8_t tls_flags; > uint8_t *tls_key; > size_t tls_key_len; > char *tls_key_file; > @@ -524,7 +536,9 @@ struct server_config { > TAILQ_HEAD(serverhosts, server_config); > > enum tls_config_type { > + TLS_CFG_CA, > TLS_CFG_CERT, > + TLS_CFG_CRL, > TLS_CFG_KEY, > TLS_CFG_OCSP_STAPLE, > }; > @@ -598,6 +612,8 @@ int cmdline_symset(char *); > /* server.c */ > void server(struct privsep *, struct privsep_proc *); > int server_tls_cmp(struct server *, struct server *, int); > +int server_tls_load_ca(struct server *); > +int server_tls_load_crl(struct server *); > int server_tls_load_keypair(struct server *); > int server_tls_load_ocsp(struct server *); > void server_generate_ticket_key(struct server_config *); > Index: parse.y > =================================================================== > RCS file: /cvs/src/usr.sbin/httpd/parse.y,v > retrieving revision 1.94 > diff -u -p -r1.94 parse.y > --- parse.y 26 Apr 2018 14:12:19 -0000 1.94 > +++ parse.y 16 May 2018 07:59:11 -0000 > @@ -134,6 +134,7 @@ typedef struct { > %token PROTOCOLS REQUESTS ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG > TCP TICKET > %token TIMEOUT TLS TYPE TYPES HSTS MAXAGE SUBDOMAINS DEFAULT PRELOAD > REQUEST > %token ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS > +%token CA CLIENT CRL OPTIONAL > %token <v.string> STRING > %token <v.number> NUMBER > %type <v.port> port > @@ -345,6 +346,22 @@ server : SERVER optmatch STRING { > YYERROR; > } > > + if (server_tls_load_ca(srv) == -1) { > + yyerror("server \"%s\": failed to load " > + "ca cert(s)", srv->srv_conf.name); > + serverconfig_free(srv_conf); > + free(srv); > + YYERROR; > + } > + > + if (server_tls_load_crl(srv) == -1) { > + yyerror("server \"%s\": failed to load crl(s)", > + srv->srv_conf.name); > + serverconfig_free(srv_conf); > + free(srv); > + YYERROR; > + } > + > if (server_tls_load_ocsp(srv) == -1) { > yyerror("server \"%s\": failed to load " > "ocsp staple", srv->srv_conf.name); > @@ -587,6 +604,7 @@ serveroptsl : LISTEN ON STRING opttls po > sizeof(s->srv_conf.ss)); > s->srv_conf.port = srv->srv_conf.port; > s->srv_conf.prefixlen = srv->srv_conf.prefixlen; > + s->srv_conf.tls_flags = srv->srv_conf.tls_flags; > > if (last_server_id == INT_MAX) { > yyerror("too many servers/locations defined"); > @@ -760,6 +778,13 @@ tlsopts : CERTIFICATE STRING { > } > free($2); > } > + | CLIENT CA STRING tlsclientopt { > + srv_conf->tls_flags |= TLSFLAG_CA; > + free(srv_conf->tls_ca_file); > + if ((srv_conf->tls_ca_file = strdup($3)) == NULL) > + fatal("out of memory"); > + free($3); > + } > | DHE STRING { > if (strlcpy(srv_conf->tls_dhe_params, $2, > sizeof(srv_conf->tls_dhe_params)) >= > @@ -808,6 +833,18 @@ tlsopts : CERTIFICATE STRING { > } > ; > > +tlsclientopt : /* empty */ > + | tlsclientopt CRL STRING { > + srv_conf->tls_flags = TLSFLAG_CRL; > + free(srv_conf->tls_crl_file); > + if ((srv_conf->tls_crl_file = strdup($3)) == NULL) > + fatal("out of memory"); > + free($3); > + } > + | tlsclientopt OPTIONAL { > + srv_conf->tls_flags |= TLSFLAG_OPTIONAL; > + } > + ; > root : ROOT rootflags > | ROOT '{' optnl rootflags_l '}' > ; > @@ -1240,12 +1277,15 @@ lookup(char *s) > { "block", BLOCK }, > { "body", BODY }, > { "buffer", BUFFER }, > + { "ca", CA }, > { "certificate", CERTIFICATE }, > { "chroot", CHROOT }, > { "ciphers", CIPHERS }, > + { "client", CLIENT }, > { "combined", COMBINED }, > { "common", COMMON }, > { "connection", CONNECTION }, > + { "crl", CRL }, > { "default", DEFAULT }, > { "dhe", DHE }, > { "directory", DIRECTORY }, > @@ -1270,6 +1310,7 @@ lookup(char *s) > { "nodelay", NODELAY }, > { "ocsp", OCSP }, > { "on", ON }, > + { "optional", OPTIONAL }, > { "pass", PASS }, > { "port", PORT }, > { "prefork", PREFORK }, > @@ -2100,6 +2141,21 @@ server_inherit(struct server *src, struc > serverconfig_free(&dst->srv_conf); > free(dst); > return (NULL); > + } > + > + if (server_tls_load_ca(dst) == -1) { > + yyerror("falied to load ca cert(s) for server %s", > + dst->srv_conf.name); > + serverconfig_free(&dst->srv_conf); > + return NULL; > + } > + > + if (server_tls_load_crl(dst) == -1) { > + yyerror("failed to load crl(s) for server %s", > + dst->srv_conf.name); > + serverconfig_free(&dst->srv_conf); > + free(dst); > + return NULL; > } > > if (server_tls_load_ocsp(dst) == -1) { > Index: server.c > =================================================================== > RCS file: /cvs/src/usr.sbin/httpd/server.c,v > retrieving revision 1.113 > diff -u -p -r1.113 server.c > --- server.c 29 Nov 2017 16:55:08 -0000 1.113 > +++ server.c 16 May 2018 07:59:11 -0000 > @@ -134,6 +134,8 @@ server_tls_cmp(struct server *s1, struct > sc1 = &s1->srv_conf; > sc2 = &s2->srv_conf; > > + if (sc1->tls_flags != sc2->tls_flags) > + return (-1); > if (sc1->tls_protocols != sc2->tls_protocols) > return (-1); > if (sc1->tls_ticket_lifetime != sc2->tls_ticket_lifetime) > @@ -207,6 +209,40 @@ server_tls_load_ocsp(struct server *srv) > } > > int > +server_tls_load_ca(struct server *srv) > +{ > + if ((srv->srv_conf.tls_flags & TLSFLAG_CA) == 0 || > + srv->srv_conf.tls_ca_file == NULL) > + return (0); > + > + if ((srv->srv_conf.tls_ca = tls_load_file( > + srv->srv_conf.tls_ca_file, > + &srv->srv_conf.tls_ca_len, NULL)) == NULL) > + return (-1); > + log_debug("%s: using ca cert(s) from %s", __func__, > + srv->srv_conf.tls_ca_file); > + > + return (0); > +} > + > +int > +server_tls_load_crl(struct server *srv) > +{ > + if ((srv->srv_conf.tls_flags & TLSFLAG_CA) == 0 || > + srv->srv_conf.tls_crl_file == NULL) > + return (0); > + > + if ((srv->srv_conf.tls_crl = tls_load_file( > + srv->srv_conf.tls_crl_file, > + &srv->srv_conf.tls_crl_len, NULL)) == NULL) > + return (-1); > + log_debug("%s: using crl(s) from %s", __func__, > + srv->srv_conf.tls_crl_file); > + > + return (0); > +} > + > +int > server_tls_init(struct server *srv) > { > struct server_config *srv_conf; > @@ -264,6 +300,27 @@ server_tls_init(struct server *srv) > return (-1); > } > > + if (srv->srv_conf.tls_ca != NULL) { > + if (tls_config_set_ca_mem(srv->srv_tls_config, > + srv->srv_conf.tls_ca, srv->srv_conf.tls_ca_len) != 0) { > + log_warnx("%s: failed to add ca cert(s)", __func__); > + return (-1); > + } > + if (srv->srv_conf.tls_flags & TLSFLAG_OPTIONAL) > + tls_config_verify_client_optional(srv->srv_tls_config); > + else > + tls_config_verify_client(srv->srv_tls_config); > + > + if (srv->srv_conf.tls_crl != NULL) { > + if (tls_config_set_crl_mem(srv->srv_tls_config, > + srv->srv_conf.tls_crl, > + srv->srv_conf.tls_crl_len) != 0) { > + log_warnx("%s: failed to add crl(s)", __func__); > + return (-1); > + } > + } > + } > + > TAILQ_FOREACH(srv_conf, &srv->srv_hosts, entry) { > if (srv_conf->tls_cert == NULL || srv_conf->tls_key == NULL) > continue; > @@ -277,6 +334,26 @@ server_tls_init(struct server *srv) > log_warnx("%s: failed to add tls keypair", __func__); > return (-1); > } > + > + if (srv->srv_conf.tls_ca == NULL) > + continue; > + log_debug("%s: adding ca cert(s) for server %s", __func__, > + srv->srv_conf.name); > + if (tls_config_set_ca_mem(srv->srv_tls_config, > + srv_conf->tls_ca, srv_conf->tls_ca_len) != 0) { > + log_warnx("%s: failed to add ca cert(s)", __func__); > + return (-1); > + } > + > + if (srv->srv_conf.tls_crl == NULL) > + continue; > + > + log_debug("%s: adding crl(s) for server %s", __func__, > + srv->srv_conf.name); > + if (tls_config_set_crl_mem(srv->srv_tls_config, > + srv_conf->tls_crl, srv_conf->tls_crl_len) != 0) { > + return (-1); > + } > } > > /* set common session ID among all processes */ > @@ -310,13 +387,19 @@ server_tls_init(struct server *srv) > return (-1); > } > > - /* We're now done with the public/private key... */ > + /* We're now done with the public/private key & ca/crl... */ > tls_config_clear_keys(srv->srv_tls_config); > freezero(srv->srv_conf.tls_cert, srv->srv_conf.tls_cert_len); > freezero(srv->srv_conf.tls_key, srv->srv_conf.tls_key_len); > + free(srv->srv_conf.tls_ca); > + free(srv->srv_conf.tls_crl); > + srv->srv_conf.tls_ca = NULL; > srv->srv_conf.tls_cert = NULL; > + srv->srv_conf.tls_crl = NULL; > srv->srv_conf.tls_key = NULL; > + srv->srv_conf.tls_ca_len = 0; > srv->srv_conf.tls_cert_len = 0; > + srv->srv_conf.tls_crl_len = 0; > srv->srv_conf.tls_key_len = 0; > > return (0); > @@ -422,7 +505,11 @@ void > serverconfig_free(struct server_config *srv_conf) > { > free(srv_conf->return_uri); > + free(srv_conf->tls_ca_file); > + free(srv_conf->tls_ca); > free(srv_conf->tls_cert_file); > + free(srv_conf->tls_crl_file); > + free(srv_conf->tls_crl); > free(srv_conf->tls_key_file); > free(srv_conf->tls_ocsp_staple_file); > free(srv_conf->tls_ocsp_staple); > @@ -435,8 +522,12 @@ serverconfig_reset(struct server_config > { > srv_conf->auth = NULL; > srv_conf->return_uri = NULL; > + srv_conf->tls_ca = NULL; > + srv_conf->tls_ca_file = NULL; > srv_conf->tls_cert = NULL; > srv_conf->tls_cert_file = NULL; > + srv_conf->tls_crl = NULL; > + srv_conf->tls_crl_file = NULL; > srv_conf->tls_key = NULL; > srv_conf->tls_key_file = NULL; > srv_conf->tls_ocsp_staple = NULL; > Index: server_fcgi.c > =================================================================== > RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v > retrieving revision 1.75 > diff -u -p -r1.75 server_fcgi.c > --- server_fcgi.c 31 Jul 2017 08:02:49 -0000 1.75 > +++ server_fcgi.c 16 May 2018 07:59:12 -0000 > @@ -282,11 +282,18 @@ server_fcgi(struct httpd *env, struct cl > goto fail; > } > > - if (srv_conf->flags & SRVFLAG_TLS) > + if (srv_conf->flags & SRVFLAG_TLS) { > if (fcgi_add_param(¶m, "HTTPS", "on", clt) == -1) { > errstr = "failed to encode param"; > goto fail; > } > + if (srv_conf->tls_flags != 0 && fcgi_add_param(¶m, > + "TLS_PEER_VERIFY", printb_flags(srv_conf->tls_flags, > + TLSFLAG_BITS), clt) == -1) { > + errstr = "failed to encode param"; > + goto fail; > + } > + } > > (void)print_host(&clt->clt_ss, hbuf, sizeof(hbuf)); > if (fcgi_add_param(¶m, "REMOTE_ADDR", hbuf, clt) == -1) { >
