Extreme paranoia sanity check to make sure that the script was invoked

with the proper SSL environment. This is so we can use "optional" client verification in the apache config file, and avoid SSL renegotiation, which is currently a mess cause of the security flaws in it.

Extreme paranoia sanity check to make sure that the script was invoked
with the proper SSL environment. This is so we can use "optional" client verification in the apache config file, and avoid SSL renegotiation, which is currently a mess cause of the security flaws in it.
1358a9af · Leigh B Stoller · 44c91102 · 1358a9af · 1358a9af · 1358a9af
Commit 1358a9af authored Apr 08, 2010 by Leigh B Stoller
4 changed files
--- a/protogeni/xmlrpc/protogeni-ch.pl.in
+++ b/protogeni/xmlrpc/protogeni-ch.pl.in
 #!/usr/bin/perl -w
 #
 # GENIPUBLIC-COPYRIGHT
-# Copyright (c) 2008-2009 University of Utah and the Flux Group.
+# Copyright (c) 2008-2010 University of Utah and the Flux Group.
 # All rights reserved.
 #

@@ -64,6 +64,25 @@ if (!defined($certificate)) {
 }
 $ENV{'MYUUID'} = $certificate->uuid();

+#
+# Make sure the client presented a valid certificate that apache says
+# is okay.
+#
+# THIS HAS TO BE HERE! Why? Cause recent security patches disable SSL
+# renegotiation, which is needed when a subdir turns on ssl client
+# verification (as httpd.conf used to). Now, we set it to "optional",
+# which avoids the renegotiation problem, but we have to make that
+# this interface is always invoked by a client supplying a verifiable
+# certificate. 
+#
+if (! (exists($ENV{'SSL_CLIENT_VERIFY'}) &&
+       $ENV{'SSL_CLIENT_VERIFY'} eq "SUCCESS")) {
+    my $decoder = Frontier::RPC2->new();
+    print "Content-Type: text/xml \n\n";
+    print $decoder->encode_fault(-1, "Invalid or missing certificate");
+    exit(0);
+}
+
 #
 # In the prototype, we accept certificate signed by trusted roots
 # (CA certs we have locally cached). This script runs as "geniuser"

--- a/protogeni/xmlrpc/protogeni-cm.pl.in
+++ b/protogeni/xmlrpc/protogeni-cm.pl.in
@@ -79,6 +79,25 @@ $ENV{'MYUUID'} = $certificate->uuid();
 # upgrade to URNs in their certificates, so we can't assume it yet.
 $ENV{'MYURN'} = "urn:publicid:IDN+@OURDOMAIN@+authority+cm";

+#
+# Make sure the client presented a valid certificate that apache says
+# is okay.
+#
+# THIS HAS TO BE HERE! Why? Cause recent security patches disable SSL
+# renegotiation, which is needed when a subdir turns on ssl client
+# verification (as httpd.conf used to). Now, we set it to "optional",
+# which avoids the renegotiation problem, but we have to make that
+# this interface is always invoked by a client supplying a verifiable
+# certificate. 
+#
+if (! (exists($ENV{'SSL_CLIENT_VERIFY'}) &&
+       $ENV{'SSL_CLIENT_VERIFY'} eq "SUCCESS")) {
+    my $decoder = Frontier::RPC2->new();
+    print "Content-Type: text/xml \n\n";
+    print $decoder->encode_fault(-1, "Invalid or missing certificate");
+    exit(0);
+}
+
 #
 # In the prototype, we accept certificate signed by trusted roots
 # (CA certs we have locally cached). This script runs as "geniuser"

--- a/protogeni/xmlrpc/protogeni-sa.pl.in
+++ b/protogeni/xmlrpc/protogeni-sa.pl.in
@@ -30,6 +30,7 @@ use vars qw($GENI_DBNAME);
 BEGIN { $GENI_DBNAME = "geni"; }

 # Configure variables
+my $TBOPS          = "@TBOPSEMAIL@";
 my $EMULAB_PEMFILE = "@prefix@/etc/genisa.pem";
 my $MAINSITE 	   = @TBMAINSITE@;
 my $VERSION	   = "1.0";
@@ -40,6 +41,7 @@ use GeniSA;
 use Genixmlrpc;
 use GeniResponse;
 use libaudit;
+use libtestbed;

 # Geniuser.
 my $user  = "geniuser";
@@ -66,6 +68,25 @@ if (!defined($certificate)) {
 }
 $ENV{'MYUUID'} = $certificate->uuid();

+#
+# Make sure the client presented a valid certificate that apache says
+# is okay.
+#
+# THIS HAS TO BE HERE! Why? Cause recent security patches disable SSL
+# renegotiation, which is needed when a subdir turns on ssl client
+# verification (as httpd.conf used to). Now, we set it to "optional",
+# which avoids the renegotiation problem, but we have to make that
+# this interface is always invoked by a client supplying a verifiable
+# certificate. 
+#
+if (! (exists($ENV{'SSL_CLIENT_VERIFY'}) &&
+       $ENV{'SSL_CLIENT_VERIFY'} eq "SUCCESS")) {
+    my $decoder = Frontier::RPC2->new();
+    print "Content-Type: text/xml \n\n";
+    print $decoder->encode_fault(-1, "Invalid or missing certificate");
+    exit(0);
+}
+
 #
 # In the prototype, we accept certificate signed by trusted roots
 # (CA certs we have locally cached). This script runs as "geniuser"

--- a/protogeni/xmlrpc/protogeni-ses.pl.in
+++ b/protogeni/xmlrpc/protogeni-ses.pl.in
 #!/usr/bin/perl -w
 #
 # GENIPUBLIC-COPYRIGHT
-# Copyright (c) 2008-2009 University of Utah and the Flux Group.
+# Copyright (c) 2008-2010 University of Utah and the Flux Group.
 # All rights reserved.
 #

@@ -65,6 +65,25 @@ if (!defined($certificate)) {
 }
 $ENV{'MYUUID'} = $certificate->uuid();

+#
+# Make sure the client presented a valid certificate that apache says
+# is okay.
+#
+# THIS HAS TO BE HERE! Why? Cause recent security patches disable SSL
+# renegotiation, which is needed when a subdir turns on ssl client
+# verification (as httpd.conf used to). Now, we set it to "optional",
+# which avoids the renegotiation problem, but we have to make that
+# this interface is always invoked by a client supplying a verifiable
+# certificate. 
+#
+if (! (exists($ENV{'SSL_CLIENT_VERIFY'}) &&
+       $ENV{'SSL_CLIENT_VERIFY'} eq "SUCCESS")) {
+    my $decoder = Frontier::RPC2->new();
+    print "Content-Type: text/xml \n\n";
+    print $decoder->encode_fault(-1, "Invalid or missing certificate");
+    exit(0);
+}
+
 #
 # In the prototype, we accept certificate signed by trusted roots
 # (CA certs we have locally cached). This script runs as "geniuser"