From: Aki Tuomi
Date: Tue, 31 Dec 2024 10:21:59 +0000 (+0200)
Subject: login-common: Add ssl_client_cert_fp and ssl_client_cert_pubkey_fp if configured
X-Git-Tag: 2.4.2~741
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b4d66dc6c00be9333c3a3bcaa2097b5d3614138a;p=thirdparty%2Fdovecot%2Fcore.git

login-common: Add ssl_client_cert_fp and ssl_client_cert_pubkey_fp if configured
---
diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c
index fd11cb27b5..20b79cc59e 100644
--- a/src/login-common/client-common.c
+++ b/src/login-common/client-common.c
@@ -1029,6 +1029,36 @@ const char *client_get_session_id(struct client *client)
 	return client->session_id;
 }
 
+static int client_get_ssl_client_cert_fp(const char *key, const char **value_r,
+					 void *context, const char **error_r)
+{
+	struct client *client = context;
+
+	if (!client->connection_tls_secured) {
+		*value_r = "";
+		return 0;
+	}
+
+	const char *client_cert_fp, *pubkey_fp;
+	int ret = ssl_iostream_get_peer_cert_fingerprint(client->ssl_iostream,
+							 &client_cert_fp, &pubkey_fp,
+							 error_r);
+	if (ret < 0)
+		return -1;
+	else if (ret == 0) {
+		*value_r = "";
+		return 0;
+	}
+
+	if (strcmp(key, "ssl_client_cert_fp") == 0)
+		*value_r = client_cert_fp;
+	else if (strcmp(key, "ssl_client_cert_pubkey_fp") == 0)
+		*value_r = pubkey_fp;
+	else
+		i_unreached();
+	return 0;
+}
+
 static struct var_expand_table login_var_expand_empty_tab[] = {
 	{ .key = "user", .value = NULL },
@@ -1053,6 +1083,8 @@ static struct var_expand_table login_var_expand_empty_tab[] = {
 	{ .key = "local_name", .value = NULL },
 	{ .key = "ssl_ja3", .value = NULL },
 	{ .key = "ssl_ja3_hash", .value = NULL },
+	{ .key = "ssl_client_cert_fp", .func = client_get_ssl_client_cert_fp },
+	{ .key = "ssl_client_cert_pubkey_fp", .func = client_get_ssl_client_cert_fp },
 	VAR_EXPAND_TABLE_END
 };
diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
index 08f198752e..9d4bb024e3 100644
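Review bot: client_get_ssl_client_cert_fp() calls ssl_iostream_get_peer_cert_fingerprint() on every TLS-secured connection, while the sasl-server.c hunk of this same commit only calls it when `client->ssl_set->ssl_peer_certificate_fingerprint_hash` is configured, even though the commit title says "if configured"; the two call sites should agree. Whether the helper returns 0 or -1 when no fingerprint hash is configured is not visible here, and if it is -1 then any variable expansion that references these keys fails instead of yielding "". Suggest mirroring the guard, e.g. `if (!client->connection_tls_secured || *client->ssl_set->ssl_peer_certificate_fingerprint_hash == '\0') {` before the first early return, and documenting the contract with a header comment such as `/* var_expand callback: "" when not TLS-secured or no peer certificate; -1 with *error_r set only on lookup failure */`. Both table keys share this function, so expanding both recomputes both fingerprints and discards one; harmless unless the helper is costly, but a reader should not assume it is cached.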
--- a/src/login-common/sasl-server.c
+++ b/src/login-common/sasl-server.c
@@ -529,6 +529,20 @@ int sasl_server_auth_request_info_fill(struct client *client,
 			md5_get_digest(ja3, strlen(ja3), hash);
 			info_r->ssl_ja3_hash = binary_to_hex(hash, sizeof(hash));
 		}
+
+		if (*client->ssl_set->ssl_peer_certificate_fingerprint_hash != '\0') {
+			int ret = ssl_iostream_get_peer_cert_fingerprint(
+				client->ssl_iostream, &info_r->ssl_client_cert_fp,
+				&info_r->ssl_client_cert_pubkey_fp,
+				&error);
+			if (ret < 0) {
+				e_error(client->event,
+					"Cannot get client certificate fingerprints: %s",
+					error);
+				*client_error_r = "Unable to validate certificate";
+				return -1;
+			}
+		}
 	}
 	info_r->flags = client_get_auth_flags(client);
 	info_r->local_ip = client->local_ip;
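Review bot: The added block handles `ret < 0` but lets `ret == 0` fall through silently, so `info_r->ssl_client_cert_fp` and `info_r->ssl_client_cert_pubkey_fp` are left at whatever ssl_iostream_get_peer_cert_fingerprint() does in that case — presumably untouched, which means info_r must already be zero-initialised for auth to see "no fingerprint" rather than stale data; a comment such as `/* ret == 0: no peer certificate, fingerprints stay unset */` after the inner if would make that expectation explicit. Failing closed with a generic client-facing "Unable to validate certificate" while the detail goes only to e_error() is the right split between log and client. `error` is not declared inside the hunk, and the block sits inside an outer `if` whose opening, like the start of sasl_server_auth_request_info_fill(), is outside the hunk, so the TLS-secured precondition for `client->ssl_iostream` cannot be confirmed from here.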