commit - 9f006a2127398af12ecf9159cd5ef28b3685e7a6
commit + b63e30ff449ee1cf0091d5431f9b72cdd3b1e7e0
blob - 187a4ac461eb025869e5586e5aecd819b4ee8344
blob + 1f9865329807229011b4d195234cf2f3d8985fd0
--- ChangeLog
+++ ChangeLog
2021-02-07 Omar Polo <op@omarpolo.com>
* ex.c (do_exec): [cgi] split the query in words if needed and add them to the argv
+ (launch_cgi): define TLS_CLIENT_NOT_BEFORE/NOT_AFTER in CGI scripts
* parse.y (option): added prefork option
blob - 0a65472deabc66510a2c758b4d3ac50ecb837912
blob + 8d9f4965a03450f16e513f9818f33d329989f2ce
--- ex.c
+++ ex.c
if ((*vhost)->domain == NULL)
return 0;
return 1;
+}
+
+int
+send_time(int fd, time_t t)
+{
+ return write(fd, &t, sizeof(t)) == sizeof(t);
+}
+
+int
+recv_time(int fd, time_t *t)
+{
+ return read(fd, t, sizeof(*t)) == sizeof(*t);
}
/* send d though fd. see /usr/src/usr.sbin/syslogd/privsep_fdpass.c
execvp(ex, argv);
warn("execvp: %s", argv[0]);
+}
+
+static inline void
+setenv_time(const char *var, time_t t)
+{
+ char timebuf[21];
+ struct tm tminfo;
+
+ if (t == -1)
+ return;
+
+ strftime(timebuf, sizeof(timebuf), "%FT%TZ",
+ gmtime_r(&t, &tminfo));
+ setenv(var, timebuf, 1);
}
/* fd or -1 on error */
static int
launch_cgi(struct iri *iri, const char *spath, char *relpath,
const char *addr, const char *ruser, const char *cissuer,
- const char *chash, struct vhost *vhost)
+ const char *chash, time_t notbefore, time_t notafter,
+ struct vhost *vhost)
{
int p[2]; /* read end, write end */
safe_setenv("REMOTE_USER", ruser);
safe_setenv("TLS_CLIENT_ISSUER", cissuer);
safe_setenv("TLS_CLIENT_HASH", chash);
+ setenv_time("TLS_CLIENT_NOT_AFTER", notafter);
+ setenv_time("TLS_CLIENT_NOT_BEFORE", notbefore);
strlcpy(path, ex, sizeof(path));
char *spath, *relpath, *addr, *ruser, *cissuer, *chash;
struct vhost *vhost;
struct iri iri;
+ time_t notbefore, notafter;
int d;
#ifdef __OpenBSD__
|| !recv_string(exfd, &ruser)
|| !recv_string(exfd, &cissuer)
|| !recv_string(exfd, &chash)
+ || !recv_time(exfd, ¬before)
+ || !recv_time(exfd, ¬after)
|| !recv_vhost(exfd, &vhost))
break;
d = launch_cgi(&iri, spath, relpath, addr, ruser, cissuer, chash,
- vhost);
+ notbefore, notafter, vhost);
if (!send_fd(exfd, d))
break;
close(d);
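Review bot: In the new `setenv_time` helper the result of `gmtime_r()` is passed straight into `strftime()` and `strftime()`'s return value is never checked, so a NULL from `gmtime_r()` (out-of-range `time_t`) would be dereferenced and a zero return would leave `timebuf` unspecified before it is handed to `setenv()`. The values reach this function from `tls_peer_cert_notbefore()`/`tls_peer_cert_notafter()` via `send_time`/`recv_time` over the privsep pipe, i.e. ultimately from the peer certificate, so the cheap guard is worth having even though X.509 validity dates are not expected to produce such values: `struct tm *tm; if ((tm = gmtime_r(&t, &tminfo)) == NULL || strftime(timebuf, sizeof(timebuf), "%FT%TZ", tm) == 0) return;`. Note that `timebuf[21]` is exactly `YYYY-MM-DDTHH:MM:SSZ` plus the terminator, so the `strftime()` check is what makes that size safe for any year that does not fit in four digits. The `¬before`/`¬after` in the `recv_time` calls look like an HTML-entity rendering of `&notbefore`/`&notafter` rather than the committed text. `launch_cgi` and the executor loop both continue outside the visible hunks.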
blob - 08b8e6eaf8e94371c03717db9c5ebc3c77440f92
blob + faf3e4fb8c3accc0c4c5af162be196b51755286e
--- gmid.1
+++ gmid.1
The hash of the client certificate if provided, otherwise unset.
The format is
.Dq ALGO:HASH .
+.It Ev TLS_CLIENT_NOT_AFTER
+The time corresponding to the end of the validity period of the peer
+certificate in the ISO 8601 format
+.Pq e.g. Dq 2021-02-07T20:17:41Z .
+.It Ev TLS_CLIENT_NOT_BEFORE
+The time corresponding to the start of the validity period of the peer
+certificate in the ISO 8601 format.
.El
.Pp
.Sh MIME
blob - 1beb95e383fae7773dede8dc27991e251dc5e9d7
blob + f6567ce4f928171f7ca94f96a29c9c3003fccb30
--- gmid.h
+++ gmid.h
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
+#include <time.h>
#include <tls.h>
#include <unistd.h>
void free_recvd_iri(struct iri*);
int send_vhost(int, struct vhost*);
int recv_vhost(int, struct vhost**);
+int send_time(int, time_t);
+int recv_time(int, time_t*);
int send_fd(int, int);
int recv_fd(int);
int executor_main(void);
blob - d44783f6d85fba8a7d17e67980a1c403c3d7467c
blob + d7e2e12aa6331b14655f151ffa73bd15a07ba7cf
--- regress/env
+++ regress/env
echo REMOTE_USER=$REMOTE_USER
echo TLS_CLIENT_ISSUER=$TLS_CLIENT_ISSUER
echo TLS_CLIENT_HASH=$TLS_CLIENT_HASH
+echo TLS_CLIENT_NOT_AFTER=$TLS_CLIENT_NOT_AFTER
+echo TLS_CLIENT_NOT_BEFORE=$TLS_CLIENT_NOT_BEFORE
echo
echo
echo " CGI Argument List"
blob - 52c7420fa109b806d15f084a8527aede6cfa5eb0
blob + 6feb7b5df19f540a6cdd6d79f919f0a7555dd429
--- server.c
+++ server.c
struct pollfd *fds, struct client *c)
{
char addr[NI_MAXHOST];
- const char *ruser, *cissuer, *chash;
int e;
e = getnameinfo((struct sockaddr*)&c->addr, sizeof(c->addr),
if (e != 0)
goto err;
- if (tls_peer_cert_provided(c->ctx)) {
- ruser = tls_peer_cert_subject(c->ctx);
- cissuer = tls_peer_cert_issuer(c->ctx);
- chash = tls_peer_cert_hash(c->ctx);
- } else {
- ruser = NULL;
- cissuer = NULL;
- chash = NULL;
- }
-
if (!send_iri(exfd, &c->iri)
|| !send_string(exfd, spath)
|| !send_string(exfd, relpath)
|| !send_string(exfd, addr)
- || !send_string(exfd, ruser)
- || !send_string(exfd, cissuer)
- || !send_string(exfd, chash)
+ || !send_string(exfd, tls_peer_cert_subject(c->ctx))
+ || !send_string(exfd, tls_peer_cert_issuer(c->ctx))
+ || !send_string(exfd, tls_peer_cert_hash(c->ctx))
+ || !send_time(exfd, tls_peer_cert_notbefore(c->ctx))
+ || !send_time(exfd, tls_peer_cert_notafter(c->ctx))
|| !send_vhost(exfd, c->host))
goto err;