Add client certificate support in secure connections.

By setting PMCD_REQUIRE_CLIENT_CERT, pmcd can require that a client making a secure connection provide a valid certificate.
ubccr · 07e750df6e3afd0176f8ce135a1856e272fb1f90 · minnus committed Apr 14, 2016 · Apr 14, 2016 · 07e750d
1 parent e440d98
commit 07e750df6e3afd0176f8ce135a1856e272fb1f90
Unified Split

Showing with 17 additions and 2 deletions.

+17 −2 src/libpcp/src/secureconnect.c
diff --git a/src/libpcp/src/secureconnect.c b/src/libpcp/src/secureconnect.c
@@ -469,6 +469,13 @@ queryCertificateDomain(PRFileDesc *sslsocket)
 }
 
 static SECStatus
+getClientCert(void *arg, PRFileDesc *ssl_fd, CERTDistNames *ca_names, CERTCertificate **out_return_cert, SECKEYPrivateKey **out_return_key)
+{
+    SECStatus ret = NSS_GetClientAuthData(0, ssl_fd, ca_names, out_return_cert, out_return_key);
+    return ret;
+}
+
+static SECStatus
 badCertificate(void *arg, PRFileDesc *sslsocket)
 {
     (void)arg;
@@ -869,6 +876,10 @@ __pmSecureClientIPCFlags(int fd, int flags, const char *hostname, __pmHashCtl *a
 				(SSLBadCertHandler)badCertificate, NULL);
 	if (secsts != SECSuccess)
 	    return __pmSecureSocketsError(PR_GetError());
+	secsts = SSL_GetClientAuthDataHook(socket.sslFd,
+				(SSLGetClientAuthData)getClientCert, NULL);
+	if (secsts != SECSuccess)
+	    return __pmSecureSocketsError(PR_GetError());
     }
 
     if ((flags & PDU_FLAG_COMPRESS) != 0) {
@@ -1254,6 +1265,7 @@ __pmSecureServerIPCFlags(int fd, int flags)
 {
     __pmSecureSocket socket;
     SECStatus secsts;
+    PRBool RequestClientCert;
     int saslsts;
     int sts;
 
@@ -1297,13 +1309,16 @@ __pmSecureServerIPCFlags(int fd, int flags)
 	    sendSecureAck(fd, flags, sts);
 	    return sts;
 	}
-	secsts = SSL_OptionSet(socket.sslFd, SSL_REQUEST_CERTIFICATE, PR_FALSE);
+
+	RequestClientCert = (getenv("PMCD_REQUIRE_CLIENT_CERT") != NULL )?PR_TRUE:PR_FALSE;
+
+	secsts = SSL_OptionSet(socket.sslFd, SSL_REQUEST_CERTIFICATE, RequestClientCert);
 	if (secsts != SECSuccess) {
 	    sts = __pmSecureSocketsError(PR_GetError());
 	    sendSecureAck(fd, flags, sts);
 	    return sts;
 	}
-	secsts = SSL_OptionSet(socket.sslFd, SSL_REQUIRE_CERTIFICATE, PR_FALSE);
+	secsts = SSL_OptionSet(socket.sslFd, SSL_REQUIRE_CERTIFICATE, RequestClientCert);
 	if (secsts != SECSuccess) {
 	    sts = __pmSecureSocketsError(PR_GetError());
 	    sendSecureAck(fd, flags, sts);