From 8de8bfb8712855ee391c3702604f2acb6ffa124e Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Mon, 28 Mar 2011 09:45:23 +0400 Subject: [PATCH] authenticate against a hash of identifyable information from certificate instead of only serial (refs #324) --- functions.php | 12 +++++++++++- modules/pref-prefs.php | 10 +++++++--- schema/ttrss_schema_mysql.sql | 2 +- schema/ttrss_schema_pgsql.sql | 2 +- schema/versions/mysql/82.sql | 2 +- schema/versions/pgsql/82.sql | 2 +- 6 files changed, 22 insertions(+), 8 deletions(-) diff --git a/functions.php b/functions.php index 51731fa6..c31727ca 100644 --- a/functions.php +++ b/functions.php @@ -1757,9 +1757,19 @@ return true; } + function get_ssl_certificate_id() { + if ($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"]) { + return sha1($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"] . + $_SERVER["REDIRECT_SSL_CLIENT_V_START"] . + $_SERVER["REDIRECT_SSL_CLIENT_V_END"] . + $_SERVER["REDIRECT_SSL_CLIENT_S_DN"]); + } + return ""; + } + function get_login_by_ssl_certificate($link) { - $cert_serial = db_escape_string($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"]); + $cert_serial = db_escape_string(get_ssl_certificate_id()); if ($cert_serial) { $result = db_query($link, "SELECT login FROM ttrss_user_prefs, ttrss_users diff --git a/modules/pref-prefs.php b/modules/pref-prefs.php index 1a2b2cd7..ab54ea17 100644 --- a/modules/pref-prefs.php +++ b/modules/pref-prefs.php @@ -435,17 +435,21 @@ } else if ($pref_name == "SSL_CERT_SERIAL") { print ""; - $cert_serial = htmlspecialchars($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"]); + $cert_serial = htmlspecialchars(get_ssl_certificate_id()); if ($cert_serial) { print " "; + __('Register') . ""; } + print " "; + } else { $regexp = ($type_name == 'integer') ? 'regexp="^\d*$"' : ''; diff --git a/schema/ttrss_schema_mysql.sql b/schema/ttrss_schema_mysql.sql index a4acf1e4..69cf6dce 100644 --- a/schema/ttrss_schema_mysql.sql +++ b/schema/ttrss_schema_mysql.sql @@ -391,7 +391,7 @@ insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_ insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id) values('_MOBILE_BROWSE_CATS', 1, 'true', '', 1); -insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.'); +insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'Click to register your SSL client certificate with tt-rss'); create table ttrss_user_prefs ( owner_uid integer not null, diff --git a/schema/ttrss_schema_pgsql.sql b/schema/ttrss_schema_pgsql.sql index fbb693ce..7718aa30 100644 --- a/schema/ttrss_schema_pgsql.sql +++ b/schema/ttrss_schema_pgsql.sql @@ -355,7 +355,7 @@ insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_ insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id) values('_MOBILE_BROWSE_CATS', 1, 'true', '', 1); -insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.'); +insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'Click to register your SSL client certificate with tt-rss'); create table ttrss_user_prefs ( owner_uid integer not null references ttrss_users(id) ON DELETE CASCADE, diff --git a/schema/versions/mysql/82.sql b/schema/versions/mysql/82.sql index 79fe5f49..80ca24e7 100644 --- a/schema/versions/mysql/82.sql +++ b/schema/versions/mysql/82.sql @@ -1,6 +1,6 @@ begin; -insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.'); +insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'Click to register your SSL client certificate with tt-rss'); update ttrss_version set schema_version = 82; diff --git a/schema/versions/pgsql/82.sql b/schema/versions/pgsql/82.sql index 79fe5f49..80ca24e7 100644 --- a/schema/versions/pgsql/82.sql +++ b/schema/versions/pgsql/82.sql @@ -1,6 +1,6 @@ begin; -insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'You can login automatically with an active client SSL certificate if you fill in its serial number here.'); +insert into ttrss_prefs (pref_name,type_id,def_value,short_desc,section_id,help_text) values('SSL_CERT_SERIAL', 2, '', 'Login with an SSL certificate',3, 'Click to register your SSL client certificate with tt-rss'); update ttrss_version set schema_version = 82; -- 2.39.5