Add user_subject_as_username option

This adds an alternative option to use_identity_as_username. In contrast to use_identity_as_username this option uses the full x509 subject as the username. The subject is formatted as an rfc4514 distingushed name e.g. CN=client,OU=unit,O=org Signed-off-by: Fabian Ruff <fabian@progra.de>
10 years ago · f0511d0ff7
parent e469843ed9
commit f0511d0ff7
3 changed files with 31 additions and 9 deletions
--- a/src/conf.c
+++ b/src/conf.c
@ -194,6 +194,7 @@ void config__init(struct mosquitto__config *config)
 	config->default_listener.require_certificate = false;
 	config->default_listener.crlfile = NULL;
 	config->default_listener.use_identity_as_username = false;
+	config->default_listener.use_subject_as_username = false;
 #endif
 	config->listeners = NULL;
 	config->listener_count = 0;
@ -385,6 +386,7 @@ int config__parse_args(struct mosquitto__config *config, int argc, char *argv[])
 			|| config->default_listener.require_certificate
 			|| config->default_listener.crlfile
 			|| config->default_listener.use_identity_as_username
+			|| config->default_listener.use_subject_as_username
 #endif
 			|| config->default_listener.use_username_as_clientid
 			|| config->default_listener.host
@ -434,6 +436,7 @@ int config__parse_args(struct mosquitto__config *config, int argc, char *argv[])
 		config->listeners[config->listener_count-1].ssl_ctx = NULL;
 		config->listeners[config->listener_count-1].crlfile = config->default_listener.crlfile;
 		config->listeners[config->listener_count-1].use_identity_as_username = config->default_listener.use_identity_as_username;
+		config->listeners[config->listener_count-1].use_subject_as_username = config->default_listener.use_subject_as_username;
 #endif
 	}

@ -1851,6 +1854,13 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
 					if(conf__parse_bool(&token, "use_identity_as_username", &cur_listener->use_identity_as_username, saveptr)) return MOSQ_ERR_INVAL;
 #else
 					log__printf(NULL, MOSQ_LOG_WARNING, "Warning: TLS support not available.");
+#endif
+				}else if(!strcmp(token, "use_subject_as_username")){
+#ifdef WITH_TLS
+					if(reload) continue; // Listeners not valid for reloading.
+					if(conf__parse_bool(&token, "use_subject_as_username", &cur_listener->use_subject_as_username, saveptr)) return MOSQ_ERR_INVAL;
+#else
+					log__printf(NULL, MOSQ_LOG_WARNING, "Warning: TLS support not available.");
 #endif
 				}else if(!strcmp(token, "user")){
 					if(reload) continue; // Drop privileges user not valid for reloading.
--- a/src/mosquitto_broker.h
+++ b/src/mosquitto_broker.h
@ -142,6 +142,7 @@ struct mosquitto__listener {
 	SSL_CTX *ssl_ctx;
 	char *crlfile;
 	bool use_identity_as_username;
+	bool use_subject_as_username;
 	char *tls_version;
 #endif
 #ifdef WITH_WEBSOCKETS
--- a/src/read_handle_server.c
+++ b/src/read_handle_server.c
@ -308,7 +308,7 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context)
 	}

 #ifdef WITH_TLS
-	if(context->listener && context->listener->ssl_ctx && context->listener->use_identity_as_username){
+	if(context->listener && context->listener->ssl_ctx && (context->listener->use_identity_as_username || context->listener->use_subject_as_username)){
 		if(!context->ssl){
 			send__connack(context, 0, CONNACK_REFUSED_BAD_USERNAME_PASSWORD);
 			rc = 1;
@ -336,15 +336,26 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context)
 				rc = 1;
 				goto handle_connect_error;
 			}
-
-			i = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
-			if(i == -1){
-				send__connack(context, 0, CONNACK_REFUSED_BAD_USERNAME_PASSWORD);
-				rc = 1;
-				goto handle_connect_error;
+			if (context->listener->use_identity_as_username) { //use_identity_as_username
+				i = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
+				if(i == -1){
+					send__connack(context, 0, CONNACK_REFUSED_BAD_USERNAME_PASSWORD);
+					rc = 1;
+					goto handle_connect_error;
+				}
+				name_entry = X509_NAME_get_entry(name, i);
+				context->username = _mosquitto_strdup((char *)ASN1_STRING_data(name_entry->value));
+			} else { // use_subject_as_username
+				BIO *subjectBio = BIO_new(BIO_s_mem());
+				X509_NAME_print_ex(subjectBio, X509_get_subject_name(client_cert) , 0, XN_FLAG_RFC2253);
+				char *dataStart = NULL;
+				long nameLength = BIO_get_mem_data(subjectBio, &dataStart);
+				char *subject = mosquitto__malloc(sizeof(char)*nameLength);
+				memset(subject, 0x00, sizeof(char)*(nameLength + 1));
+				memcpy(subject, dataStart, nameLength);
+				BIO_free(subjectBio);
+				context->username = subject;
 			}
-			name_entry = X509_NAME_get_entry(name, i);
-			context->username = mosquitto__strdup((char *)ASN1_STRING_data(name_entry->value));
 			if(!context->username){
 				rc = 1;
 				goto handle_connect_error;