[PATCH] Mail: added support for SSL client certificate

Christian Felsing pug at felsing.net
Sun Apr 27 13:04:06 UTC 2014


Hi,

On 27.04.2014 12:53, Filipe Da Silva wrote:
> I'm not sure about this, as this buffer already has an oversized allocation:

...I hope so...

> Same about the certificate subject.
> C strings are zero terminated, whatever they contain: UTF-8 or not.

If all the libraries used do so, this should be OK.

> Please try this patch:
> It will directly check if there is any buffer overflow.

I will try that, but reproduction is difficult; I sometimes get that
signal 11 with Thunderbird as client and Dovecot 2.1.12 as IMAP backend,
where Nginx talks to Dovecot via port 143.

Could the Perl auth script generate such effects?

best regards
Christian

--- My Nginx
nginx-1.7.0 built on Debian 7.4 - 64 bit (latest updates)

./configure   --with-file-aio   --with-ipv6
--with-openssl=../openssl-1.0.1g   --with-openssl-opt="fips shared -g
-march=native -DOPENSSL_NO_HEARTBEATS"   --with-mail
--with-mail_ssl_module   --with-http_ssl_module
--http-log-path=/var/log/nginx/access.log
--error-log-path=/var/log/nginx/error.log
--pid-path=/var/run/nginx/nginx.pid
--lock-path=/var/lock/nginx/nginx.lock   --with-http_perl_module

Perl script for auth (/usr/local/nginx/perl/lib/mailauth.pm):

package mailauth;

# from
# http://wiki.nginx.org/ImapAuthenticateWithEmbeddedPerlScript

use strict;
use warnings;

use nginx;

my $DEBUG=1;

our $auth_ok;
our $mail_server_ip={};
our $protocol_ports={};
$mail_server_ip->{'mailhost01'}="192.168.42.1";
$protocol_ports->{'pop3'}=110;
$protocol_ports->{'imap'}=143;

sub handler {
  my $r = shift;

  # security depends only on Nginx certificate verification
  # configuration. You may add additional verification here.
  # If Nginx comes to here, it already verified users
  # client certificate.
  # YOU MUST SET ssl_verify_client on; OTHERWISE WHOLE
  # WORLD CAN ACCESS ALL YOUR MAILS.
  my $dn = $r->header_in("Auth-Subject-DN");
  # Care about broken client certs: no subject DN at all
  if (!defined($dn)) { return DECLINED; }
  my @subject=split(/\//,$dn);

  my $emailAddress=undef;
  foreach (@subject) {
    if ($_=~/^emailAddress=(\S+)/) { $emailAddress="$1"; }
  }
  # Care about broken client certs: no emailAddress in the subject
  if (!defined($emailAddress)) { return DECLINED; }

  # Only protocols with a backend port mapping (pop3, imap) are accepted;
  # otherwise Auth-Port would be sent empty.
  my $protocol = $r->header_in("Auth-Protocol");
  my $port = defined($protocol) ? $protocol_ports->{$protocol} : undef;
  if (!defined($port)) { return DECLINED; }

  $auth_ok=1; # Think twice about your Nginx config
  if ($auth_ok==1){
    $r->header_out("Auth-Status", "OK");
    $r->header_out("Auth-Server", $mail_server_ip->{'mailhost01'});
    $r->header_out("Auth-Port", $port);
    $r->header_out("Auth-User", $emailAddress);
    $r->header_out("Auth-Pass",
        "Some arbitrary password where Dovecot does not care about");
    # Nginx: Talk to me
    if ($DEBUG) {
      $r->log_error(0, "emailAddress: $emailAddress");
      $r->log_error(0, "Auth-Server: " . $mail_server_ip->{'mailhost01'});
      $r->log_error(0, "Auth-Protocol: $protocol");
      $r->log_error(0, "Auth-Port: $port");
      $r->log_error(0, "Auth-User: $emailAddress");
    }
  } else {
    $r->header_out("Auth-Status", "Invalid login or password");
  }

  $r->send_http_header("text/html");

  return OK;
}

1;
__END__
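
As an added example (not part of this email and not nginx's or the patch's code), the same auth_http exchange written in Python, doing what the Perl handler above does plus the "additional verification" its comment invites: it parses the one-line subject DN the script splits on "/", rejects a DN with zero or several emailAddress components instead of guessing, and accepts only addresses in an assumed ALLOWED_DOMAINS allowlist. The header names, backend IP and ports are those from this message; the domain allowlist and the Auth-Wait value are constructed assumptions.

```python
import re

# Values from the Perl script on this page (constructed for the example).
MAIL_SERVER_IP = {"mailhost01": "192.168.42.1"}
PROTOCOL_PORTS = {"pop3": 110, "imap": 143}
# Assumption: only addresses in these domains may log in via client certificate.
ALLOWED_DOMAINS = {"example.org"}

# One component of an OpenSSL one-line DN such as /C=DE/O=X/emailAddress=a@b
DN_COMPONENT = re.compile(r"/([A-Za-z0-9.]+)=([^/]*)")


def parse_subject_dn(dn):
    """Return the DN as a list of (key, value) pairs; non-string input gives []."""
    if not isinstance(dn, str):
        return []
    return DN_COMPONENT.findall(dn)


def email_from_dn(dn):
    """Return the single emailAddress in an allowed domain, else None.
    A DN with zero or several emailAddress components is ambiguous and is
    rejected instead of guessed at."""
    emails = [v for k, v in parse_subject_dn(dn) if k == "emailAddress"]
    if len(emails) != 1:
        return None
    local, sep, domain = emails[0].rpartition("@")
    if not sep or not local or domain.lower() not in ALLOWED_DOMAINS:
        return None
    return emails[0]


def handle_auth(headers):
    """Emulate the auth_http handler: map the request headers nginx sends to
    the response headers it expects. Auth-Protocol must be a mapped protocol."""
    protocol = headers.get("Auth-Protocol", "")
    email = email_from_dn(headers.get("Auth-Subject-DN"))
    if email is None or protocol not in PROTOCOL_PORTS:
        # Auth-Wait tells nginx to pause (seconds) before reporting the failure.
        return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}
    return {
        "Auth-Status": "OK",
        "Auth-Server": MAIL_SERVER_IP["mailhost01"],
        "Auth-Port": str(PROTOCOL_PORTS[protocol]),
        "Auth-User": email,
        "Auth-Pass": "Some arbitrary password where Dovecot does not care about",
    }
```

Wired up behind nginx's auth_http directive, the dict returned by handle_auth would be emitted as the HTTP response headers; ssl_verify_client on; remains the control that makes the Auth-Subject-DN value trustworthy in the first place.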