ngx_int_t
ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
/*
* As far as I can tell, both of ngx_ssl_get_certificate and
* ngx_ssl_get_raw_certificate just return the peer certificate
* in PEM format, with ngx_ssl_get_certificate messing with
* whitespace.
*
* Since our PEM generator doesn't prefix any lines with whitespace
* at all, the functions can just return identical output.
*/
return ngx_ssl_get_raw_certificate(c, pool, s);
}
static ngx_buf_t *
ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
ngx_mail_auth_http_conf_t *ahcf)
{
size_t len;
ngx_buf_t *b;
ngx_str_t login, passwd;
#if (NGX_MAIL_SSL)
ngx_str_t verify, subject, issuer, serial, fingerprint,
raw_cert, cert;
ngx_connection_t *c;
ngx_mail_ssl_conf_t *sslcf;
#endif
ngx_mail_core_srv_conf_t *cscf;
if (ngx_mail_auth_http_escape(pool, &s->login, &login) != NGX_OK) {
return NULL;
}
if (ngx_mail_auth_http_escape(pool, &s->passwd, &passwd) != NGX_OK) {
return NULL;
}
#if (NGX_MAIL_SSL)
c = s->connection;
sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module);
if (c->ssl && sslcf->verify) {
/* certificate details */
if (ngx_ssl_get_client_verify(c, pool, &verify) != NGX_OK) {
return NULL;
}
if (ngx_ssl_get_subject_dn(c, pool, &subject) != NGX_OK) {
return NULL;
}
if (ngx_ssl_get_issuer_dn(c, pool, &issuer) != NGX_OK) {
return NULL;
}
if (ngx_ssl_get_serial_number(c, pool, &serial) != NGX_OK) {
return NULL;
}
if (ngx_ssl_get_fingerprint(c, pool, &fingerprint) != NGX_OK) {
return NULL;
}
if (ahcf->pass_client_cert) {
/* certificate itself, if configured */
if (ngx_ssl_get_raw_certificate(c, pool, &raw_cert) != NGX_OK) {
return NULL;
}
if (ngx_mail_auth_http_escape(pool, &raw_cert, &cert) != NGX_OK) {
return NULL;
}
} else {
ngx_str_null(&cert);
}
} else {
ngx_str_null(&verify);
ngx_str_null(&subject);
ngx_str_null(&issuer);
ngx_str_null(&serial);
ngx_str_null(&fingerprint);
ngx_str_null(&cert);
}
#endif
cscf = ngx_mail_get_module_srv_conf(s, ngx_mail_core_module);
len = sizeof("GET ") - 1 + ahcf->uri.len + sizeof(" HTTP/1.0" CRLF) - 1
+ sizeof("Host: ") - 1 + ahcf->host_header.len + sizeof(CRLF) - 1
+ sizeof("Auth-Method: ") - 1
+ ngx_mail_auth_http_method[s->auth_method].len
+ sizeof(CRLF) - 1
+ sizeof("Auth-User: "******"Auth-Pass: "******"Auth-Salt: ") - 1 + s->salt.len
+ sizeof("Auth-Protocol: ") - 1 + cscf->protocol->name.len
+ sizeof(CRLF) - 1
+ sizeof("Auth-Login-Attempt: ") - 1 + NGX_INT_T_LEN
+ sizeof(CRLF) - 1
+ sizeof("Client-IP: ") - 1 + s->connection->addr_text.len
+ sizeof(CRLF) - 1
+ sizeof("Client-Host: ") - 1 + s->host.len + sizeof(CRLF) - 1
+ sizeof("Auth-SMTP-Helo: ") - 1 + s->smtp_helo.len + sizeof(CRLF) - 1
+ sizeof("Auth-SMTP-From: ") - 1 + s->smtp_from.len + sizeof(CRLF) - 1
+ sizeof("Auth-SMTP-To: ") - 1 + s->smtp_to.len + sizeof(CRLF) - 1
#if (NGX_MAIL_SSL)
+ sizeof("Auth-SSL: on" CRLF) - 1
+ sizeof("Auth-SSL-Verify: ") - 1 + verify.len + sizeof(CRLF) - 1
+ sizeof("Auth-SSL-Subject: ") - 1 + subject.len + sizeof(CRLF) - 1
+ sizeof("Auth-SSL-Issuer: ") - 1 + issuer.len + sizeof(CRLF) - 1
+ sizeof("Auth-SSL-Serial: ") - 1 + serial.len + sizeof(CRLF) - 1
+ sizeof("Auth-SSL-Fingerprint: ") - 1 + fingerprint.len
+ sizeof(CRLF) - 1
+ sizeof("Auth-SSL-Cert: ") - 1 + cert.len + sizeof(CRLF) - 1
#endif
+ ahcf->header.len
+ sizeof(CRLF) - 1;
b = ngx_create_temp_buf(pool, len);
if (b == NULL) {
return NULL;
}
b->last = ngx_cpymem(b->last, "GET ", sizeof("GET ") - 1);
b->last = ngx_copy(b->last, ahcf->uri.data, ahcf->uri.len);
b->last = ngx_cpymem(b->last, " HTTP/1.0" CRLF,
sizeof(" HTTP/1.0" CRLF) - 1);
b->last = ngx_cpymem(b->last, "Host: ", sizeof("Host: ") - 1);
b->last = ngx_copy(b->last, ahcf->host_header.data,
ahcf->host_header.len);
*b->last++ = CR; *b->last++ = LF;
b->last = ngx_cpymem(b->last, "Auth-Method: ",
sizeof("Auth-Method: ") - 1);
b->last = ngx_cpymem(b->last,
ngx_mail_auth_http_method[s->auth_method].data,
ngx_mail_auth_http_method[s->auth_method].len);
*b->last++ = CR; *b->last++ = LF;
b->last = ngx_cpymem(b->last, "Auth-User: "******"Auth-User: "******"Auth-Pass: "******"Auth-Pass: "******"Auth-Salt: ", sizeof("Auth-Salt: ") - 1);
b->last = ngx_copy(b->last, s->salt.data, s->salt.len);
s->passwd.data = NULL;
}
b->last = ngx_cpymem(b->last, "Auth-Protocol: ",
sizeof("Auth-Protocol: ") - 1);
b->last = ngx_cpymem(b->last, cscf->protocol->name.data,
cscf->protocol->name.len);
*b->last++ = CR; *b->last++ = LF;
b->last = ngx_sprintf(b->last, "Auth-Login-Attempt: %ui" CRLF,
s->login_attempt);
b->last = ngx_cpymem(b->last, "Client-IP: ", sizeof("Client-IP: ") - 1);
b->last = ngx_copy(b->last, s->connection->addr_text.data,
s->connection->addr_text.len);
*b->last++ = CR; *b->last++ = LF;
if (s->host.len) {
b->last = ngx_cpymem(b->last, "Client-Host: ",
sizeof("Client-Host: ") - 1);
b->last = ngx_copy(b->last, s->host.data, s->host.len);
*b->last++ = CR; *b->last++ = LF;
}
if (s->auth_method == NGX_MAIL_AUTH_NONE) {
/* HELO, MAIL FROM, and RCPT TO can't contain CRLF, no need to escape */
b->last = ngx_cpymem(b->last, "Auth-SMTP-Helo: ",
sizeof("Auth-SMTP-Helo: ") - 1);
b->last = ngx_copy(b->last, s->smtp_helo.data, s->smtp_helo.len);
*b->last++ = CR; *b->last++ = LF;
b->last = ngx_cpymem(b->last, "Auth-SMTP-From: ",
sizeof("Auth-SMTP-From: ") - 1);
b->last = ngx_copy(b->last, s->smtp_from.data, s->smtp_from.len);
*b->last++ = CR; *b->last++ = LF;
b->last = ngx_cpymem(b->last, "Auth-SMTP-To: ",
sizeof("Auth-SMTP-To: ") - 1);
b->last = ngx_copy(b->last, s->smtp_to.data, s->smtp_to.len);
*b->last++ = CR; *b->last++ = LF;
}
#if (NGX_MAIL_SSL)
if (c->ssl) {
b->last = ngx_cpymem(b->last, "Auth-SSL: on" CRLF,
sizeof("Auth-SSL: on" CRLF) - 1);
if (verify.len) {
b->last = ngx_cpymem(b->last, "Auth-SSL-Verify: ",
sizeof("Auth-SSL-Verify: ") - 1);
b->last = ngx_copy(b->last, verify.data, verify.len);
*b->last++ = CR; *b->last++ = LF;
}
if (subject.len) {
b->last = ngx_cpymem(b->last, "Auth-SSL-Subject: ",
sizeof("Auth-SSL-Subject: ") - 1);
b->last = ngx_copy(b->last, subject.data, subject.len);
*b->last++ = CR; *b->last++ = LF;
}
if (issuer.len) {
b->last = ngx_cpymem(b->last, "Auth-SSL-Issuer: ",
sizeof("Auth-SSL-Issuer: ") - 1);
b->last = ngx_copy(b->last, issuer.data, issuer.len);
*b->last++ = CR; *b->last++ = LF;
}
if (serial.len) {
b->last = ngx_cpymem(b->last, "Auth-SSL-Serial: ",
sizeof("Auth-SSL-Serial: ") - 1);
b->last = ngx_copy(b->last, serial.data, serial.len);
*b->last++ = CR; *b->last++ = LF;
}
if (fingerprint.len) {
b->last = ngx_cpymem(b->last, "Auth-SSL-Fingerprint: ",
sizeof("Auth-SSL-Fingerprint: ") - 1);
b->last = ngx_copy(b->last, fingerprint.data, fingerprint.len);
*b->last++ = CR; *b->last++ = LF;
}
if (cert.len) {
b->last = ngx_cpymem(b->last, "Auth-SSL-Cert: ",
sizeof("Auth-SSL-Cert: ") - 1);
b->last = ngx_copy(b->last, cert.data, cert.len);
*b->last++ = CR; *b->last++ = LF;
}
}
#endif
if (ahcf->header.len) {
b->last = ngx_copy(b->last, ahcf->header.data, ahcf->header.len);
}
/* add "\r\n" at the header end */
*b->last++ = CR; *b->last++ = LF;
#if (NGX_DEBUG_MAIL_PASSWD)
ngx_log_debug2(NGX_LOG_DEBUG_MAIL, s->connection->log, 0,
"mail auth http header:%N\"%*s\"",
(size_t) (b->last - b->pos), b->pos);
#endif
return b;
}
