From ba94a608a89110740cb24ef098c476c84d371918 Mon Sep 17 00:00:00 2001 From: Omar Polo Date: Tue, 4 Jan 2022 23:14:34 +0000 Subject: add `require client ca' for proxy blocks refactor the code that calls validate_against_ca into an helper function to reuse it in both apply_require_ca and (optionally) in apply_reverse_proxy. --- server.c | 39 ++++++++++++++++++++++++--------------- 1 file changed, 24 insertions(+), 15 deletions(-) (limited to 'server.c') diff --git a/server.c b/server.c index 991e126..2faf792 100644 --- a/server.c +++ b/server.c @@ -630,6 +630,26 @@ matched_proxy(struct client *c) return NULL; } +static int +check_matching_certificate(X509_STORE *store, struct client *c) +{ + const uint8_t *cert; + size_t len; + + if (!tls_peer_cert_provided(c->ctx)) { + start_reply(c, CLIENT_CERT_REQ, "client certificate required"); + return 1; + } + + cert = tls_peer_cert_chain_pem(c->ctx, &len); + if (!validate_against_ca(store, cert, len)) { + start_reply(c, CERT_NOT_AUTH, "certificate not authorised"); + return 1; + } + + return 0; +} + /* 1 if matching a proxy relay-to (and apply it), 0 otherwise */ static int apply_reverse_proxy(struct client *c) @@ -642,6 +662,9 @@ apply_reverse_proxy(struct client *c) c->proxy = p; + if (p->reqca != NULL && check_matching_certificate(p->reqca, c)) + return 1; + log_debug(c, "opening proxy connection for %s:%s", p->host, p->port); @@ -680,24 +703,10 @@ static int apply_require_ca(struct client *c) { X509_STORE *store; - const uint8_t *cert; - size_t len; if ((store = vhost_require_ca(c->host, c->iri.path)) == NULL) return 0; - - if (!tls_peer_cert_provided(c->ctx)) { - start_reply(c, CLIENT_CERT_REQ, "client certificate required"); - return 1; - } - - cert = tls_peer_cert_chain_pem(c->ctx, &len); - if (!validate_against_ca(store, cert, len)) { - start_reply(c, CERT_NOT_AUTH, "certificate not authorised"); - return 1; - } - - return 0; + return check_matching_certificate(store, c); } static size_t -- cgit v1.2.3