SSL (authenticated poster, HMAC patches)
Bear Giles
bear at coyotesong.com
Sun May 26 19:58:56 UTC 2002
The final patch provides sample code to compute information that
can be used for authenticated poster or HMAC headers. The former
can be added early, the latter must be added last and in a way that
allows the original message and headers to be easily retrieved.
Neither header is actually added to posted messages.
Bear Giles
-- Attached file included as plaintext by Ecartis --
-- Desc: /tmp/inn8
Index: inn/nnrpd/post.c
diff -c inn/nnrpd/post.c:1.1.1.1 inn/nnrpd/post.c:1.2
*** inn/nnrpd/post.c:1.1.1.1 Sun May 26 09:49:31 2002
--- inn/nnrpd/post.c Sun May 26 13:55:06 2002
***************
*** 1,4 ****
! /* $Revision: 1.1.1.1 $
**
** Check article, send it to the local server.
*/
--- 1,4 ----
! /* $Revision: 1.2 $
**
** Check article, send it to the local server.
*/
***************
*** 9,14 ****
--- 9,19 ----
#include "ov.h"
#include "post.h"
+ #ifdef HAVE_SSL
+ #include <openssl/ssl.h>
+ extern SSL *tls_conn;
+ #endif
+
#define FLUSH_ERROR(F) (fflush((F)) == EOF || ferror((F)))
#define HEADER_DELTA 20
***************
*** 941,946 ****
--- 946,973 ----
int len;
char SDir[255];
+ #ifdef HAVE_SSL
+ X509 *peer;
+ char cn[256];
+ extern unsigned char hmac_key[20];
+ unsigned char md[20];
+ unsigned int mdlen;
+ #endif
+
+ #ifdef HAVE_SSL
+ if (tls_conn && (peer = SSL_get_peer_certificate(tls_conn))) {
+ X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
+ NID_commonName, cn, sizeof cn);
+
+ /* we can create new header with this value. We could also
+ * pull the email field, but that's asking for trouble with
+ * spam harvesters.
+ *
+ * Perhaps "X-Authenticated-User: %s" with common name?
+ */
+ }
+ #endif
+
/* Set up the other headers list. */
if (OtherHeaders == NULL) {
OtherSize = HEADER_DELTA;
***************
*** 1046,1051 ****
--- 1073,1090 ----
}
}
#endif /* defined(DO_PERL) */
+
+ #ifdef HAVE_SSL
+ HMAC(EVP_sha1(), hmac_key, sizeof hmac_key,
+ article, strlen(article), md, &mdlen);
+
+ /* we can create new header with this hash code - allows
+ * us to detect if message has been modified when complaints
+ * received.
+ *
+ * Perhaps "X-HMAC: sha1:..." with 40-character hex value?
+ */
+ #endif
/* handle mailing to moderated groups */
Index: inn/nnrpd/tls.c
diff -c inn/nnrpd/tls.c:1.7 inn/nnrpd/tls.c:1.8
*** inn/nnrpd/tls.c:1.7 Sun May 26 12:20:11 2002
--- inn/nnrpd/tls.c Sun May 26 13:55:06 2002
***************
*** 32,37 ****
--- 32,39 ----
#include <sys/uio.h>
#include <sys/stat.h>
+ #include <openssl/hmac.h>
+
/* taken from lib/parsedate.c */
#ifndef WRITEV_USE_ALLOCA
#ifdef alloca
***************
*** 99,104 ****
--- 101,107 ----
int tls_loglevel = 0;
+ unsigned char hmac_key[20];
/* taken from OpenSSL apps/s_cb.c
* tim - this seems to just be giving logging messages
***************
*** 419,425 ****
static int set_cert_stuff(SSL_CTX * ctx, char *cert_file, char *key_file)
{
struct stat buf;
!
if (cert_file != NULL) {
if (SSL_CTX_use_certificate_file(ctx, cert_file,
SSL_FILETYPE_PEM) <= 0) {
--- 422,434 ----
static int set_cert_stuff(SSL_CTX * ctx, char *cert_file, char *key_file)
{
struct stat buf;
! HMAC_CTX hctx;
! FILE *fp;
! char buffer[1024];
! int n;
! static const char *key = "some arbitrary string";
!
! memset(hmac_key, 0, sizeof hmac_key);
if (cert_file != NULL) {
if (SSL_CTX_use_certificate_file(ctx, cert_file,
SSL_FILETYPE_PEM) <= 0) {
***************
*** 452,458 ****
--- 461,484 ----
syslog(L_ERROR, "Private key does not match the certificate public key");
return (0);
}
+
+ /*
+ * Use private key file to generate HMAC key. This is
+ * something that should only be known to us, and with
+ * an HMAC (instead of a simple hash) we can periodically
+ * generate new keys if necessary or desired.
+ */
+ fp = fopen(key_file, "r");
+ if (fp != NULL) {
+ HMAC_Init(&hctx, key, strlen(key), EVP_sha1());
+ while ((n = fread(buffer, 1, sizeof buffer, fp)) > 0)
+ HMAC_Update(&hctx, buffer, n);
+ fclose(fp);
+ HMAC_Final(&hctx, hmac_key, &n);
+ HMAC_cleanup(&hctx);
+ }
}
+
return (1);
}
More information about the inn-patches
mailing list