From: Aki Tuomi
Date: Fri, 14 Feb 2025 13:29:34 +0000 (+0200)
Subject: auth: Allow ssl cert to be validated by fingerprint
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=88b00251ecf879d96c99c248c90ed88b7367342b;p=thirdparty%2Fdovecot%2Fcore.git
auth: Allow ssl cert to be validated by fingerprint
---
diff --git a/src/auth/auth-request-handler.c b/src/auth/auth-request-handler.c
index 35acb240b9..6e007852be 100644
--- a/src/auth/auth-request-handler.c
+++ b/src/auth/auth-request-handler.c
@@ -668,8 +668,20 @@ int auth_request_handler_auth_begin(struct auth_request_handler *handler,
 auth_request_timeout, request);
 hash_table_insert(handler->requests, POINTER_CAST(id), request);
+ /* If the provided certificate is not valid (untrusted CA signature), we allow continuing only if there are fingerprints for the certificate too. If there are no certificate fingerprints, we can already fail here. Actual validity is re-checked after authentication, so that certificate fingeprints can be checked too. */
 if (request->set->ssl_require_client_cert &&
- !request->fields.valid_client_cert) {
+ !request->fields.valid_client_cert &&
+ (request->fields.ssl_client_cert_fp == NULL ||
+ *request->fields.ssl_client_cert_fp == '\0') &&
+ (request->fields.ssl_client_cert_pubkey_fp == NULL ||
+ *request->fields.ssl_client_cert_pubkey_fp == '\0')) {
 /* we fail without valid certificate */
 auth_request_handler_auth_fail(handler, request,
 "Client didn't present valid SSL certificate");
diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
index dab547f5e8..07580e270e 100644
--- a/src/auth/auth-request.c
+++ b/src/auth/auth-request.c
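Review bot: The widened condition on the added `!request->fields.valid_client_cert &&` through `== '\0')) {` lines lets a request whose certificate failed CA validation continue into authentication whenever either fingerprint string is non-empty, and nothing in this hunk later sets `valid_client_cert`; the safety net is the re-check in auth_request_passdb_lookup_end, which only fires on the `PASSDB_RESULT_OK` path, so the comment here should name that function instead of the vaguer "re-checked after authentication" (and fix the typo `fingeprints` → `fingerprints`). How a passdb flips `valid_client_cert` to TRUE on a fingerprint match is not visible in this diff; if a deployment sets `ssl_require_client_cert` without configuring any fingerprint check, every untrusted-but-fingerprinted request now reaches the passdb lookup before being rejected rather than failing here, which is worth confirming against the passdb code. The NULL-or-empty test is spelled out twice; a file-local helper such as `static bool cert_fp_present(const char *fp) { return fp != NULL && *fp != '\0'; }` would reduce the condition to `!cert_fp_present(request->fields.ssl_client_cert_fp) && !cert_fp_present(request->fields.ssl_client_cert_pubkey_fp)`. auth_request_handler_auth_begin begins and ends outside the hunk.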
@@ -702,6 +702,19 @@ void auth_request_passdb_lookup_end(struct auth_request *request,
 enum passdb_result result)
 {
 i_assert(array_count(&request->authdb_event) > 0);
+
+ /* If client certificates are required, ensure that something checked the certificate, either it was valid due to CA checks or certificate fingerprint checks. */
+ if (result == PASSDB_RESULT_OK &&
+ request->set->ssl_require_client_cert &&
+ !request->fields.valid_client_cert) {
+ const char *reply = "Client didn't present valid SSL certificate";
+ request->failed = TRUE;
+ auth_request_set_field(request, "reason", reply, STATIC_PASS_SCHEME);
+ result = PASSDB_RESULT_PASSWORD_MISMATCH;
+ }
+
 struct event *event = authdb_event(request);
 struct event_passthrough *e = event_create_passthrough(event)->