From 8de8bfb8712855ee391c3702604f2acb6ffa124e Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Mon, 28 Mar 2011 09:45:23 +0400
Subject: [PATCH] authenticate against a hash of identifyable information from certificate instead of only serial (refs #324)
---
functions.php | 12 +++++++++++-
modules/pref-prefs.php | 10 +++++++---
schema/ttrss_schema_mysql.sql | 2 +-
schema/ttrss_schema_pgsql.sql | 2 +-
schema/versions/mysql/82.sql | 2 +-
schema/versions/pgsql/82.sql | 2 +-
6 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/functions.php b/functions.php
index 51731fa6..c31727ca 100644
--- a/functions.php
+++ b/functions.php
@@ -1757,9 +1757,19 @@
 return true;
 }
+ function get_ssl_certificate_id() {
+ if ($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"]) {
+ return sha1($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"] .
+ $_SERVER["REDIRECT_SSL_CLIENT_V_START"] .
+ $_SERVER["REDIRECT_SSL_CLIENT_V_END"] .
+ $_SERVER["REDIRECT_SSL_CLIENT_S_DN"]);
+ }
+ return "";
+ }
+
 function get_login_by_ssl_certificate($link) {
- $cert_serial = db_escape_string($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"]);
+ $cert_serial = db_escape_string(get_ssl_certificate_id());
 if ($cert_serial) {
 $result = db_query($link, "SELECT login FROM ttrss_user_prefs, ttrss_users
diff --git a/modules/pref-prefs.php b/modules/pref-prefs.php
index 1a2b2cd7..ab54ea17 100644
--- a/modules/pref-prefs.php
+++ b/modules/pref-prefs.php
@@ -435,17 +435,21 @@
 } else if ($pref_name == "SSL_CERT_SERIAL") {
 print "";
- $cert_serial = htmlspecialchars($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"]);
+ $cert_serial = htmlspecialchars(get_ssl_certificate_id());
 if ($cert_serial) {
 print " ";
+ __('Register') . "";
 }
+ print " ";
+ } else {
 $regexp = ($type_name == 'integer') ? 'regexp="^\d*$"' : '';
diff --git a/schema/ttrss_schema_mysql.sql b/schema/ttrss_schema_mysql.sql
index a4acf1e4..69cf6dce 100644
--- a/schema/ttrss_schema_mysql.sql
+++ b/schema/ttrss_schema_mysql.sql
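Review bot: get_ssl_certificate_id() builds the login identifier from the presented certificate's serial, validity dates and subject DN but never checks that mod_ssl actually verified that certificate, so whether an unverified cert can satisfy the lookup in get_login_by_ssl_certificate() depends entirely on the deployment's SSLVerifyClient setting (with optional_no_ca the same SSL_CLIENT_* variables are populated for a cert that failed chain validation). Gate the hash on the verification result before reading the other fields, e.g. `if (!isset($_SERVER["REDIRECT_SSL_CLIENT_VERIFY"]) || $_SERVER["REDIRECT_SSL_CLIENT_VERIFY"] != "SUCCESS") return "";` (SSL_CLIENT_VERIFY is the mod_ssl name; the REDIRECT_ prefix follows the variables the hunk already reads, and presumably the non-prefixed form is needed when no internal redirect is involved). The bare `if ($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"])` also emits an undefined-index notice on every non-TLS request, so `isset()` / `!empty()` belongs there too. Consider adding the issuer DN (SSL_CLIENT_I_DN) to the hashed material and a separator between the concatenated fields, so the identity is bound to the issuing CA and field boundaries are unambiguous. get_login_by_ssl_certificate() continues past the end of the hunk.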
@@ -391,7 +391,7 @@ insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_
 insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id) values('_MOBILE_BROWSE_CATS', 1, 'true', '', 1);
-insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.');
+insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'Click to register your SSL client certificate with tt-rss');
 create table ttrss_user_prefs (
 owner_uid integer not null,
diff --git a/schema/ttrss_schema_pgsql.sql b/schema/ttrss_schema_pgsql.sql
index fbb693ce..7718aa30 100644
--- a/schema/ttrss_schema_pgsql.sql
+++ b/schema/ttrss_schema_pgsql.sql
@@ -355,7 +355,7 @@ insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_
 insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id) values('_MOBILE_BROWSE_CATS', 1, 'true', '', 1);
-insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.');
+insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'Click to register your SSL client certificate with tt-rss');
 create table ttrss_user_prefs (
 owner_uid integer not null references ttrss_users(id) ON DELETE CASCADE,
diff --git a/schema/versions/mysql/82.sql b/schema/versions/mysql/82.sql
index 79fe5f49..80ca24e7 100644
--- a/schema/versions/mysql/82.sql
+++ b/schema/versions/mysql/82.sql
@@ -1,6 +1,6 @@
 begin;
-insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.');
+insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'Click to register your SSL client certificate with tt-rss');
 update ttrss_version set schema_version = 82;
diff --git a/schema/versions/pgsql/82.sql b/schema/versions/pgsql/82.sql
index 79fe5f49..80ca24e7 100644
--- a/schema/versions/pgsql/82.sql
+++ b/schema/versions/pgsql/82.sql
@@ -1,6 +1,6 @@
 begin;
-insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.');
+insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'Click to register your SSL client certificate with tt-rss');
 update ttrss_version set schema_version = 82;
-- 
2.39.2
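Review bot: Editing schema/versions/mysql/82.sql in place (the pgsql/82.sql hunk is identical) means any installation that already ran migration 82 keeps the old "fill in its serial number" help text, while the value SSL_CERT_SERIAL now stores is a SHA-1 over several certificate fields; an `update ttrss_prefs set help_text = '...' where pref_name = 'SSL_CERT_SERIAL';` in a new schema version file would reach those installs, whereas rewriting a released migration reaches none of them. The same installs may hold raw serials in ttrss_user_prefs for this preference, and those rows stop matching once get_login_by_ssl_certificate() compares against the hash, so users will silently lose certificate login until they re-register — worth stating in the commit description or the new help text.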