define TLS_CLIENT_NOT_BEFORE/NOT_AFTER in CGI scripts

2021-02-07 21:47:01 +00:00 · 2021-02-07 21:47:01 +00:00 · b63e30ff44
parent 9f006a2127
commit b63e30ff44
6 changed files with 52 additions and 16 deletions
--- a/1
+++ b/1
@ -1,6 +1,7 @@
 2021-02-07  Omar Polo  <op@omarpolo.com>
 	* ex.c (do_exec): [cgi] split the query in words if needed and add them to the argv
 	(launch_cgi): define TLS_CLIENT_NOT_BEFORE/NOT_AFTER in CGI scripts
 	* parse.y (option): added prefork option
--- a/ex.c
+++ b/ex.c
@ -131,6 +131,18 @@ recv_vhost(int fd, struct vhost **vhost)
 	return 1;
 }
 int
 send_time(int fd, time_t t)
 {
 	return write(fd, &t, sizeof(t)) == sizeof(t);
 }
 int
 recv_time(int fd, time_t *t)
 {
 	return read(fd, t, sizeof(*t)) == sizeof(*t);
 }
 /* send d though fd. see /usr/src/usr.sbin/syslogd/privsep_fdpass.c
 * for an example */
 int
@ -270,11 +282,26 @@ do_exec(const char *ex, const char *spath, char *query)
 	warn("execvp: %s", argv[0]);
 }
 static inline void
 setenv_time(const char *var, time_t t)
 {
 	char timebuf[21];
 	struct tm tminfo;
 	if (t == -1)
 		return;
 	strftime(timebuf, sizeof(timebuf), "%FT%TZ",
 	    gmtime_r(&t, &tminfo));
 	setenv(var, timebuf, 1);
 }
 /* fd or -1 on error */
 static int
 launch_cgi(struct iri *iri, const char *spath, char *relpath,
    const char *addr, const char *ruser, const char *cissuer,
-    const char *chash, struct vhost *vhost)
+    const char *chash, time_t notbefore, time_t notafter,
    struct vhost *vhost)
 {
 	int p[2];		/* read end, write end */
@ -344,6 +371,8 @@ launch_cgi(struct iri *iri, const char *spath, char *relpath,
 		safe_setenv("REMOTE_USER", ruser);
 		safe_setenv("TLS_CLIENT_ISSUER", cissuer);
 		safe_setenv("TLS_CLIENT_HASH", chash);
 		setenv_time("TLS_CLIENT_NOT_AFTER", notafter);
 		setenv_time("TLS_CLIENT_NOT_BEFORE", notbefore);
 		strlcpy(path, ex, sizeof(path));
@ -374,6 +403,7 @@ executor_main()
 	char *spath, *relpath, *addr, *ruser, *cissuer, *chash;
        struct vhost *vhost;
 	struct iri iri;
 	time_t notbefore, notafter;
 	int d;
 #ifdef __OpenBSD__
@ -397,11 +427,13 @@ executor_main()
 		    || !recv_string(exfd, &ruser)
 		    || !recv_string(exfd, &cissuer)
 		    || !recv_string(exfd, &chash)
 		    || !recv_time(exfd, &notbefore)
 		    || !recv_time(exfd, &notafter)
 		    || !recv_vhost(exfd, &vhost))
 			break;
 		d = launch_cgi(&iri, spath, relpath, addr, ruser, cissuer, chash,
-		    vhost);
+		    notbefore, notafter, vhost);
 		if (!send_fd(exfd, d))
 			break;
 		close(d);
--- a/gmid.1
+++ b/gmid.1
@ -351,6 +351,13 @@ unset.
 The hash of the client certificate if provided, otherwise unset.
 The format is
 .Dq ALGO:HASH .
 .It Ev TLS_CLIENT_NOT_AFTER
 The time corresponding to the end of the validity period of the peer
 certificate in the ISO 8601 format
 .Pq e.g. Dq 2021-02-07T20:17:41Z .
 .It Ev TLS_CLIENT_NOT_BEFORE
 The time corresponding to the start of the validity period of the peer
 certificate in the ISO 8601 format.
 .El
 .Pp
 .Sh MIME
--- a/gmid.h
+++ b/gmid.h
@ -28,6 +28,7 @@
 #include <signal.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <time.h>
 #include <tls.h>
 #include <unistd.h>
@ -242,6 +243,8 @@ int		 recv_iri(int, struct iri*);
 void		 free_recvd_iri(struct iri*);
 int		 send_vhost(int, struct vhost*);
 int		 recv_vhost(int, struct vhost**);
 int		 send_time(int, time_t);
 int		 recv_time(int, time_t*);
 int		 send_fd(int, int);
 int		 recv_fd(int);
 int		 executor_main(void);
--- a/regress/env
+++ b/regress/env
@ -42,6 +42,8 @@ echo AUTH_TYPE=$AUTH_TYPE
 echo REMOTE_USER=$REMOTE_USER
 echo TLS_CLIENT_ISSUER=$TLS_CLIENT_ISSUER
 echo TLS_CLIENT_HASH=$TLS_CLIENT_HASH
 echo TLS_CLIENT_NOT_AFTER=$TLS_CLIENT_NOT_AFTER
 echo TLS_CLIENT_NOT_BEFORE=$TLS_CLIENT_NOT_BEFORE
 echo
 echo
 echo "                          CGI Argument List"
--- a/server.c
+++ b/server.c
@ -550,7 +550,6 @@ start_cgi(const char *spath, const char *relpath,
    struct pollfd *fds, struct client *c)
 {
 	char addr[NI_MAXHOST];
 	const char *ruser, *cissuer, *chash;
 	int e;
 	e = getnameinfo((struct sockaddr*)&c->addr, sizeof(c->addr),
@ -560,23 +559,15 @@ start_cgi(const char *spath, const char *relpath,
 	if (e != 0)
 		goto err;
 	if (tls_peer_cert_provided(c->ctx)) {
 		ruser = tls_peer_cert_subject(c->ctx);
 		cissuer = tls_peer_cert_issuer(c->ctx);
 		chash = tls_peer_cert_hash(c->ctx);
 	} else {
 		ruser = NULL;
 		cissuer = NULL;
 		chash = NULL;
 	}
 	if (!send_iri(exfd, &c->iri)
 	    || !send_string(exfd, spath)
 	    || !send_string(exfd, relpath)
 	    || !send_string(exfd, addr)
-	    || !send_string(exfd, ruser)
+	    || !send_string(exfd, tls_peer_cert_subject(c->ctx))
-	    || !send_string(exfd, cissuer)
+	    || !send_string(exfd, tls_peer_cert_issuer(c->ctx))
-	    || !send_string(exfd, chash)
+	    || !send_string(exfd, tls_peer_cert_hash(c->ctx))
 	    || !send_time(exfd, tls_peer_cert_notbefore(c->ctx))
 	    || !send_time(exfd, tls_peer_cert_notafter(c->ctx))
 	    || !send_vhost(exfd, c->host))
 		goto err;