Add AUTHD_CLIENT_SNI_NAME
jedisct1 committed Mar 25, 2019
1 parent 456a1c8 commit dcca5b8
Showing 9 changed files with 27 additions and 0 deletions.
2 changes: 2 additions & 0 deletions ChangeLog
Expand Up @@ -3,6 +3,8 @@
- SNI support has been added. A new service, pure-certd, can run
external code written in any language in order to map SNI names to
TLS certificates.
- External authentication handlers get a new `AUTHD_CLIENT_SNI_NAME`
environment variable set when the client uses SNI.
- TLS certificates and keys can now be in different files.
- `make install` does not overwrite existing configuration files any
more.
1 change: 1 addition & 0 deletions README.Authentication-Modules
Expand Up @@ -45,6 +45,7 @@ AUTHD_LOCAL_IP
AUTHD_LOCAL_PORT
AUTHD_REMOTE_IP
AUTHD_ENCRYPTED
AUTHD_CLIENT_SNI_NAME

They are self-explanatory. Previous global environment variables aren't
cleared when the script is called. The content of these variables is
1 change: 1 addition & 0 deletions src/ftpd.c
Expand Up @@ -6221,6 +6221,7 @@ int pureftpd_start(int argc, char *argv[], const char *home_directory_)
#ifdef WITH_TLS
tls_free_library();
tls_extcert_exit();
free((void *) client_sni_name);
#endif
alt_arc4random_close();

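Review bot: `free((void *) client_sni_name);` leaves the global pointing at freed memory, and the same commit makes log_extauth.c dereference it whenever it is non-NULL, so any code path that still runs after this teardown (whether one exists is not visible in the hunk) would read a dangling pointer. Follow the free with `client_sni_name = NULL;` so the existing NULL check in log_extauth.c stays meaningful. pureftpd_start() begins and ends outside this hunk.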
1 change: 1 addition & 0 deletions src/globals.h
Expand Up @@ -179,6 +179,7 @@ GLOBAL0(signed char ssl_verify_client_cert);
GLOBAL(const char *cert_file, TLS_CERTIFICATE_FILE);
GLOBAL(const char *key_file, TLS_KEY_FILE);
GLOBAL0(signed char use_extcert);
GLOBAL0(const char *client_sni_name);
#endif

GLOBAL0(char *atomic_prefix);
5 changes: 5 additions & 0 deletions src/log_extauth.c
Expand Up @@ -168,6 +168,9 @@ void pw_extauth_check(AuthResult * const result,
char peer_hbuf[NI_MAXHOST];
char line[4096];
size_t line_len;
#ifndef WITH_TLS
const char *client_sni_name = "";
#endif

result->auth_ok = 0;
if (getnameinfo((struct sockaddr *) sa, STORAGE_LEN(*sa),
Expand Down Expand Up @@ -203,8 +206,10 @@ void pw_extauth_check(AuthResult * const result,
EXTAUTH_CLIENT_SA_PORT "%s\n"
EXTAUTH_CLIENT_PEER_HOST "%s\n"
EXTAUTH_CLIENT_ENCRYPTED "%d\n"
EXTAUTH_CLIENT_SNI_NAME "%s\n"
EXTAUTH_CLIENT_END "\n",
account, password, sa_hbuf, sa_port, peer_hbuf,
client_sni_name == NULL ? "" : client_sni_name,
tls_cnx != NULL),
sizeof line)) {
goto bye;
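Review bot: The argument order in the extended snprintf call does not match the format string: the format lists `EXTAUTH_CLIENT_ENCRYPTED "%d\n"` before `EXTAUTH_CLIENT_SNI_NAME "%s\n"`, but the arguments pass the SNI string before `tls_cnx != NULL`, so `%d` receives a `const char *` and `%s` receives an int — undefined behavior that at best emits garbage into the extauth request and at worst crashes the authentication path. Swap the two argument lines so they read `tls_cnx != NULL,` followed by `client_sni_name == NULL ? "" : client_sni_name),`; building with `-Wformat` would have flagged this. Because the value is written into a newline-delimited protocol, this code relies on validate_sni_name() in tls.c having restricted the characters; a comment at the argument such as `/* client_sni_name is limited to [A-Za-z0-9._-] by validate_sni_name(), so it cannot break the line protocol */` would make that dependency explicit. pw_extauth_check() begins and ends outside these hunks.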
1 change: 1 addition & 0 deletions src/log_extauth.h
Expand Up @@ -20,6 +20,7 @@ void pw_extauth_exit(void);
#define EXTAUTH_CLIENT_SA_PORT "localport" EXTAUTH_KEYWORD_SEP
#define EXTAUTH_CLIENT_PEER_HOST "peer" EXTAUTH_KEYWORD_SEP
#define EXTAUTH_CLIENT_ENCRYPTED "encrypted" EXTAUTH_KEYWORD_SEP
#define EXTAUTH_CLIENT_SNI_NAME "sni_name" EXTAUTH_KEYWORD_SEP
#define EXTAUTH_CLIENT_END "end"

#define EXTAUTH_REPLY_AUTH_OK "auth_ok" EXTAUTH_KEYWORD_SEP
7 changes: 7 additions & 0 deletions src/pure-authd.c
Expand Up @@ -263,6 +263,13 @@ static void callback_client_encrypted(const char *str)
newenv_str(ENV_AUTHD_ENCRYPTED, str);
}

static void callback_client_sni_name(const char *str)
{
if (*str != 0) {
newenv_str(ENV_AUTHD_CLIENT_SNI_NAME, str);
}
}

static void callback_client_end(const char *str)
{
(void) str;
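Review bot: callback_client_sni_name silently skips the export when the value is empty, but nothing says why; a reader comparing it with callback_client_encrypted just above, which exports unconditionally, cannot tell whether the asymmetry is intentional. A one-line comment above the `if`, e.g. `/* Exported only when the client actually sent an SNI name; see README.Authentication-Modules */`, would settle that. Whether an AUTHD_CLIENT_SNI_NAME value left over from an earlier request can survive into a later non-SNI request depends on how newenv_str() scopes the environment per request, which is not visible here and is worth confirming.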
3 changes: 3 additions & 0 deletions src/pure-authd_p.h
Expand Up @@ -62,6 +62,7 @@ static void callback_client_sa_host(const char *str);
static void callback_client_sa_port(const char *str);
static void callback_client_peer_host(const char *str);
static void callback_client_encrypted(const char *str);
static void callback_client_sni_name(const char *str);
static void callback_client_end(const char *str);

typedef struct ExtauthdCallBack_ {
Expand All @@ -76,6 +77,7 @@ static ExtauthdCallBack extauthd_callbacks[] = {
{ EXTAUTH_CLIENT_SA_PORT, callback_client_sa_port },
{ EXTAUTH_CLIENT_PEER_HOST, callback_client_peer_host },
{ EXTAUTH_CLIENT_ENCRYPTED, callback_client_encrypted },
{ EXTAUTH_CLIENT_SNI_NAME, callback_client_sni_name },
{ EXTAUTH_CLIENT_END, callback_client_end },
{ NULL, callback_client_end }
};
Expand All @@ -86,6 +88,7 @@ static ExtauthdCallBack extauthd_callbacks[] = {
#define ENV_AUTHD_SA_PORT "AUTHD_LOCAL_PORT"
#define ENV_AUTHD_PEER_HOST "AUTHD_REMOTE_IP"
#define ENV_AUTHD_ENCRYPTED "AUTHD_ENCRYPTED"
#define ENV_AUTHD_CLIENT_SNI_NAME "AUTHD_CLIENT_SNI_NAME"

#define AUTHD_SCRIPT_TIMEOUT 60U

6 changes: 6 additions & 0 deletions src/tls.c
Expand Up @@ -31,6 +31,9 @@ static int validate_sni_name(const char * const sni_name)
"abcdefghijklmnopqrstuvwxyz.-0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZ";
const char *pnt = sni_name;

if (strlen(sni_name) > 255) {
return -1;
}
while (*pnt != 0) {
if (strchr(valid_chars, *pnt) == NULL) {
return -1;
Expand Down Expand Up @@ -92,6 +95,9 @@ static int ssl_servername_cb(SSL *cnx, int *al, void *arg)
die(400, LOG_ERR, "SSL error");
}
}
if ((client_sni_name = strdup(sni_name)) == NULL) {
die_mem();
}
if (tls_cnx != NULL) {
const long ctx_options = SSL_CTX_get_options(tls_ctx);
SSL_set_SSL_CTX(tls_cnx, tls_ctx);
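Review bot: `client_sni_name = strdup(sni_name)` in ssl_servername_cb overwrites the global without releasing a previous value, so if the servername callback runs more than once on a connection (renegotiation or a repeated ClientHello, which the hunk does not rule out) the earlier copy leaks until the free in pureftpd_start. Releasing it first, `free((void *) client_sni_name);` immediately before the strdup, keeps the global single-owner. This string is later written into the newline-delimited extauth protocol by log_extauth.c, so the copy must only be taken after validate_sni_name() has accepted the name; that ordering is not visible in the hunk, and a comment at the strdup such as `/* sni_name has passed validate_sni_name(): at most 255 bytes, [A-Za-z0-9._-] only */` would document the invariant the consumer depends on. Both validate_sni_name() and ssl_servername_cb() begin and end outside these hunks.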
