client certs and basic auth support, unmodified patch from MS

7 files changed, 357 insertions, 7 deletions

diff --git a/src/daemon/EXPORT.sym b/src/daemon/EXPORT.sym
index 28240e00..2d037cf0 100644
--- a/src/daemon/EXPORT.sym
+++ b/src/daemon/EXPORT.sym
@@ -27,3 +27,8 @@ MHD_get_version
 MHD_digest_auth_get_username
 MHD_digest_auth_check
 MHD_queue_auth_fail_response
+MHD_basic_auth_get_username_password
+MHD_queue_basic_auth_fail_response
+MHD_cert_auth_get_certificate
+MHD_cert_auth_get_dn
+MHD_cert_auth_get_alt_name
diff --git a/src/daemon/Makefile.am b/src/daemon/Makefile.am
index 4a380b35..68ca4873 100644
--- a/src/daemon/Makefile.am
+++ b/src/daemon/Makefile.am
@@ -37,7 +37,8 @@ endif
 if ENABLE_DAUTH
 libmicrohttpd_la_SOURCES += \
   digestauth.c \
-  md5.c md5.h 
+  md5.c md5.h \
+  base64.c base64.h
 endif
 
 if ENABLE_HTTPS
diff --git a/src/daemon/connection.c b/src/daemon/connection.c
index 7a05037d..2695be66 100644
--- a/src/daemon/connection.c
+++ b/src/daemon/connection.c
@@ -2316,6 +2316,10 @@ MHD_get_connection_info (struct MHD_Connection *connection,
       if (connection->tls_session == NULL)
         return NULL;
       return (const union MHD_ConnectionInfo *) &connection->tls_session;
+#if DAUTH_SUPPORT
+    case MHD_CONNECTION_INFO_GNUTLS_CLIENT_CERT:
+      return (const union MHD_ConnectionInfo *) MHD_cert_auth_get_certificate(connection);
+#endif
 #endif
     case MHD_CONNECTION_INFO_CLIENT_ADDRESS:
       return (const union MHD_ConnectionInfo *) &connection->addr;
diff --git a/src/daemon/daemon.c b/src/daemon/daemon.c
index 1fbd9e7b..d2373dc6 100644
--- a/src/daemon/daemon.c
+++ b/src/daemon/daemon.c
@@ -439,6 +439,19 @@ MHD_init_daemon_certificate (struct MHD_Daemon *daemon)
   gnutls_datum_t key;
   gnutls_datum_t cert;
 
+  if (daemon->https_mem_trust) {
+                cert.data = (unsigned char *) daemon->https_mem_trust;
+                cert.size = strlen(daemon->https_mem_trust);
+                if (gnutls_certificate_set_x509_trust_mem(daemon->x509_cred, &cert,
+                                GNUTLS_X509_FMT_PEM) < 0) {
+#if HAVE_MESSAGES
+                        MHD_DLOG(daemon,
+                                        "Bad trust certificate format\n");
+#endif
+                        return -1;
+                }
+        }
+
   /* certificate & key loaded from memory */
   if (daemon->https_mem_cert && daemon->https_mem_key)
     {
@@ -987,6 +1000,10 @@ MHD_accept_connection (struct MHD_Daemon *daemon)
       gnutls_transport_set_push_function (connection->tls_session,
                                           (gnutls_push_func) &
                                                send_param_adapter);
+
+      if (daemon->https_mem_trust){
+      gnutls_certificate_server_set_request(connection->tls_session, GNUTLS_CERT_REQUEST);
+      }
     }
 #endif
 
@@ -1058,6 +1075,8 @@ MHD_cleanup_connections (struct MHD_Daemon *daemon)
 #if HTTPS_SUPPORT
           if (pos->tls_session != NULL)
             gnutls_deinit (pos->tls_session);
+          if (pos->client_cert != NULL)
+            gnutls_x509_crt_deinit (pos->client_cert);
 #endif
           MHD_ip_limit_del (daemon, (struct sockaddr*)pos->addr, pos->addr_len);
           if (pos->response != NULL)
@@ -1474,6 +1493,16 @@ parse_options_va (struct MHD_Daemon *daemon,
                      opt);        
 #endif
           break;
+        case MHD_OPTION_HTTPS_MEM_TRUST:
+          if (0 != (daemon->options & MHD_USE_SSL))
+            daemon->https_mem_trust = va_arg (ap, const char *);
+#if HAVE_MESSAGES
+          else
+            FPRINTF (stderr,
+                     "MHD HTTPS option %d passed to MHD but MHD_USE_SSL not set\n",
+                     opt);
+#endif
+          break;
         case MHD_OPTION_HTTPS_CRED_TYPE:
           daemon->cred_type = va_arg (ap, gnutls_credentials_type_t);
           break;
@@ -1561,6 +1590,7 @@ parse_options_va (struct MHD_Daemon *daemon,
                 case MHD_OPTION_SOCK_ADDR:
                 case MHD_OPTION_HTTPS_MEM_KEY:
                 case MHD_OPTION_HTTPS_MEM_CERT:
+                case MHD_OPTION_HTTPS_MEM_TRUST:
                 case MHD_OPTION_HTTPS_PRIORITIES:
                 case MHD_OPTION_ARRAY:
                   if (MHD_YES != parse_options (daemon,
@@ -1606,8 +1636,8 @@ parse_options_va (struct MHD_Daemon *daemon,
           break;
         default:
 #if HAVE_MESSAGES
-          if ((opt >= MHD_OPTION_HTTPS_MEM_KEY) &&
-              (opt <= MHD_OPTION_HTTPS_PRIORITIES))
+          if (((opt >= MHD_OPTION_HTTPS_MEM_KEY) &&
+              (opt <= MHD_OPTION_HTTPS_PRIORITIES)) || (opt == MHD_OPTION_HTTPS_MEM_TRUST))
             {
               FPRINTF (stderr,
                        "MHD HTTPS option %d passed to MHD compiled without HTTPS support\n",
diff --git a/src/daemon/digestauth.c b/src/daemon/digestauth.c
index b2be0d9d..c0d9abc0 100644
--- a/src/daemon/digestauth.c
+++ b/src/daemon/digestauth.c
@@ -19,13 +19,15 @@
 
 /**
  * @file digestauth.c
- * @brief Implements HTTP/1.1 Digest Auth according to RFC2617
+ * @brief Implements various HTTP authentication methods
  * @author Amr Ali
+ * @author Matthieu Speder
  */
 
 #include "platform.h"
 #include "internal.h"
 #include "md5.h"
+#include "base64.h"
 
 #define HASH_MD5_HEX_LEN (2 * MD5_DIGEST_SIZE)
 
@@ -35,6 +37,11 @@
 #define _BASE           "Digest "
 
 /**
+ * Beginning string for any valid Basic authentication header.
+ */
+#define _BASIC_BASE             "Basic "
+
+/**
  * Maximum length of a username for digest authentication.
  */
 #define MAX_USERNAME_LENGTH 128
@@ -636,5 +643,218 @@ MHD_queue_auth_fail_response(struct MHD_Connection *connection,
   return ret;
 }
 
+/**
+ * Get the username and password from the basic authorization header sent by the client
+ *
+ * @param connection The MHD connection structure
+ * @param password a pointer for the password
+ * @return NULL if no username could be found, a pointer
+ *                      to the username if found
+ */
+char *
+MHD_basic_auth_get_username_password(struct MHD_Connection *connection,
+                char** password) {
+        size_t len;
+        const char *header;
+        char *decode;
+        const char *separator;
+        char *user;
+
+        header = MHD_lookup_connection_value(connection, MHD_HEADER_KIND,
+                        MHD_HTTP_HEADER_AUTHORIZATION);
+        if (header == NULL)
+                return NULL;
+        if (strncmp(header, _BASIC_BASE, strlen(_BASIC_BASE)) != 0)
+                return NULL;
+        header += strlen(_BASIC_BASE);
+        decode = BASE64Decode(header);
+        if (decode == NULL) {
+#if HAVE_MESSAGES
+                MHD_DLOG(connection->daemon, "Error decoding basic authentication\n");
+#endif
+                return NULL;
+        }
+        /* Find user:password pattern */
+        separator = strstr(decode, ":");
+        if (separator == NULL) {
+#if HAVE_MESSAGES
+                MHD_DLOG(connection->daemon,
+                                "Basic authentication doesn't contain ':' separator\n");
+#endif
+                free(decode);
+                return NULL;
+        }
+        user = strndup(decode, separator - decode);
+        if (password != NULL) {
+                *password = strdup(separator + 1);
+        }
+        free(decode);
+        return user;
+}
+
+/**
+ * Queues a response to request basic authentication from the client
+ *
+ * @param connection The MHD connection structure
+ * @param realm the realm presented to the client
+ * @return MHD_YES on success, MHD_NO otherwise
+ */
+int MHD_queue_basic_auth_fail_response(struct MHD_Connection *connection,
+                const char *realm, struct MHD_Response *response) {
+        int ret;
+        size_t hlen = strlen(realm) + sizeof("Basic realm=\"\"");
+        char header[hlen];
+        snprintf(header, sizeof(header), "Basic realm=\"%s\"", realm);
+        ret = MHD_add_response_header(response, MHD_HTTP_HEADER_WWW_AUTHENTICATE,
+                        header);
+        if (MHD_YES == ret)
+                ret = MHD_queue_response(connection, MHD_HTTP_UNAUTHORIZED, response);
+        return ret;
+}
+
+#if HTTPS_SUPPORT
+
+/**
+ * Get the client's certificate
+ *
+ * @param connection The MHD connection structure
+ * @return NULL if no valid client certificate could be found, a pointer
+ *                      to the certificate if found
+ */
+void*
+MHD_cert_auth_get_certificate(struct MHD_Connection *connection) {
+
+        if (connection->client_cert == NULL && connection->client_cert_status == 0) {
+                if (connection->tls_session == NULL) {
+                        connection->client_cert_status = GNUTLS_CERT_INVALID;
+                        return NULL;
+                }
+
+                if (gnutls_certificate_verify_peers2(connection->tls_session,
+                                &connection->client_cert_status)) {
+                        connection->client_cert_status = GNUTLS_CERT_INVALID;
+                        return NULL;
+                }
+
+                unsigned int listsize;
+                const gnutls_datum_t * pcert = gnutls_certificate_get_peers(
+                                connection->tls_session, &listsize);
+                if (pcert == NULL || listsize == 0) {
+#if HAVE_MESSAGES
+                        MHD_DLOG(connection->daemon,
+                                        "Failed to retrieve client certificate chain\n");
+#endif
+                        connection->client_cert_status = GNUTLS_CERT_INVALID;
+                        return NULL;
+                }
+
+                if (gnutls_x509_crt_init(&connection->client_cert)) {
+#if HAVE_MESSAGES
+                        MHD_DLOG(connection->daemon,
+                                        "Failed to initialize client certificate\n");
+#endif
+                        connection->client_cert = NULL;
+                        connection->client_cert_status = GNUTLS_CERT_INVALID;
+                        return NULL;
+                }
+                if (gnutls_x509_crt_import(connection->client_cert, &pcert[0],
+                                GNUTLS_X509_FMT_DER)) {
+#if HAVE_MESSAGES
+                        MHD_DLOG(connection->daemon,
+                                        "Failed to import client certificate\n");
+#endif
+                        gnutls_x509_crt_deinit(connection->client_cert);
+                        connection->client_cert = NULL;
+                        connection->client_cert_status = GNUTLS_CERT_INVALID;
+                        return NULL;
+                }
+        }
+
+        return connection->client_cert;
+}
+
+/**
+ * Get the distinguished name from the client's certificate
+ *
+ * @param connection The MHD connection structure
+ * @return NULL if no dn or certificate could be found, a pointer
+ *                      to the dn if found
+ */
+char *
+MHD_cert_auth_get_dn(struct MHD_Connection *connection) {
+
+        char* buf;
+        size_t lbuf = 0;
+
+        gnutls_x509_crt_t cert = MHD_cert_auth_get_certificate(connection);
+        if (cert == NULL)
+                return NULL;
+
+        gnutls_x509_crt_get_dn(cert, NULL, &lbuf);
+        buf = malloc(lbuf);
+        if (buf == NULL) {
+#if HAVE_MESSAGES
+                MHD_DLOG(connection->daemon,
+                                "Failed to allocate memory for certificate dn\n");
+#endif
+                return NULL;
+        }
+        gnutls_x509_crt_get_dn(cert, buf, &lbuf);
+        return buf;
+
+}
+
+/**
+ * Get the alternative name of specified type from the client's certificate
+ *
+ * @param connection The MHD connection structure
+ * @param nametype The requested name type
+ * @param index The position of the alternative name if multiple names are
+ *                      matching the requested type, 0 for the first matching name
+ * @return NULL if no matching alternative name could be found, a pointer
+ *                      to the alternative name if found
+ */
+char *
+MHD_cert_auth_get_alt_name(struct MHD_Connection *connection, int nametype, unsigned int index) {
+
+        char* buf;
+        size_t lbuf;
+        unsigned int seq = 0;
+        unsigned int subseq = 0;
+        int result;
+        unsigned int type;
+
+        gnutls_x509_crt_t cert = MHD_cert_auth_get_certificate(connection);
+        if (cert == NULL)
+                return NULL;
+
+        for (;; seq++) {
+                lbuf = 0;
+                result = gnutls_x509_crt_get_subject_alt_name2(cert, seq, NULL, &lbuf,
+                                &type, NULL);
+                if (result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+                        return NULL;
+                if (type != nametype)
+                        continue;
+                if (subseq != index) {
+                        subseq++;
+                        continue;
+                }
+                buf = malloc(lbuf);
+                if (buf == NULL) {
+#if HAVE_MESSAGES
+                        MHD_DLOG(connection->daemon,
+                                        "Failed to allocate memory for certificate alt name\n");
+#endif
+                        return NULL;
+                }
+                gnutls_x509_crt_get_subject_alt_name2(cert, seq, buf, &lbuf, NULL, NULL);
+                return buf;
+
+        }
+
+}
+
+#endif  /* HTTPS */
 
 /* end of digestauth.c */
diff --git a/src/daemon/internal.h b/src/daemon/internal.h
index 328c8433..a156d988 100644
--- a/src/daemon/internal.h
+++ b/src/daemon/internal.h
@@ -705,6 +705,17 @@ struct MHD_Connection
    * Memory location to return for protocol session info.
    */
   int cipher;
+
+  /**
+   * Validation status of client's certificate.
+   */
+  gnutls_certificate_status_t client_cert_status;
+
+  /**
+   * Client's certificate.
+   */
+  gnutls_x509_crt_t client_cert;
+
 #endif
 };
 
@@ -920,6 +931,11 @@ struct MHD_Daemon
    */
   const char *https_mem_cert;
 
+  /**
+   * Pointer to our SSL/TLS certificate authority (in ASCII) in memory.
+   */
+  const char *https_mem_trust;
+
 #endif
 
 #ifdef DAUTH_SUPPORT
diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h
index e97e1abd..f1256149 100644
--- a/src/include/microhttpd.h
+++ b/src/include/microhttpd.h
@@ -580,9 +580,14 @@ enum MHD_OPTION
    * Desired size of the stack for threads created by MHD. Followed
    * by an argument of type 'size_t'.  Use 0 for system 'default'.
    */
-  MHD_OPTION_THREAD_STACK_SIZE = 19
-
+  MHD_OPTION_THREAD_STACK_SIZE = 19,
 
+  /**
+   * Memory pointer for the certificate (ca.pem) to be used by the
+   * HTTPS daemon for client authentification.
+   * This option should be followed by a "const char*" argument.
+   */
+  MHD_OPTION_HTTPS_MEM_TRUST =20
 };
 
 
@@ -719,7 +724,12 @@ enum MHD_ConnectionInfoType
   /**
    * Get the GNUTLS session handle.
    */
-  MHD_CONNECTION_INFO_GNUTLS_SESSION
+  MHD_CONNECTION_INFO_GNUTLS_SESSION,
+
+  /**
+   * Get the GNUTLS client certificate handle.
+   */
+  MHD_CONNECTION_INFO_GNUTLS_CLIENT_CERT
 };
 
 /**
@@ -1430,6 +1440,65 @@ MHD_queue_auth_fail_response (struct MHD_Connection *connection,
                               int signal_stale);
 
 
+/**
+ * Get the username and password from the basic authorization header sent by the client
+ *
+ * @param connection The MHD connection structure
+ * @param password a pointer for the password
+ * @return NULL if no username could be found, a pointer
+ *                      to the username if found
+ */
+char *
+MHD_basic_auth_get_username_password(struct MHD_Connection *connection,
+                             char** password);
+
+/**
+ * Queues a response to request basic authentication from the client
+ *
+ * @param connection The MHD connection structure
+ * @param realm the realm presented to the client
+ * @return MHD_YES on success, MHD_NO otherwise
+ */
+int
+MHD_queue_basic_auth_fail_response(struct MHD_Connection *connection,
+                             const char *realm,
+                             struct MHD_Response *response);
+
+/**
+ * Get the client's certificate
+ *
+ * @param connection The MHD connection structure
+ * @return NULL if no valid client certificate could be found, a pointer
+ *                      to the certificate if found
+ */
+void*
+MHD_cert_auth_get_certificate(struct MHD_Connection *connection);
+
+/**
+ * Get the distinguished name from the client's certificate
+ *
+ * @param connection The MHD connection structure
+ * @return NULL if no dn or certificate could be found, a pointer
+ *                      to the dn if found
+ */
+char *
+MHD_cert_auth_get_dn(struct MHD_Connection *connection);
+
+/**
+ * Get the alternative name of specified type from the client's certificate
+ *
+ * @param connection The MHD connection structure
+ * @param nametype The requested name type
+ * @param index The position of the alternative name if multiple names are
+ *                      matching the requested type, 0 for the first matching name
+ * @return NULL if no matching alternative name could be found, a pointer
+ *                      to the alternative name if found
+ */
+char *
+MHD_cert_auth_get_alt_name(struct MHD_Connection *connection,
+                             int nametype,
+                             unsigned int index);
+
 /* ********************** generic query functions ********************** */
 
 /**
@@ -1454,6 +1523,11 @@ union MHD_ConnectionInfo
   void * /* gnutls_session_t */ tls_session;
 
   /**
+   * GNUtls client certificate handle, of type "gnutls_x509_crt_t".
+   */
+  void * /* gnutls_x509_crt_t */ client_cert;
+
+  /**
    * Address information for the client.
    */
   struct sockaddr_in * client_addr;