SQL + SSL Certificate authentication for Apache + mod_ssl

provides fallback for auth_sql authentication and expects certificate
chain verification by mod_ssl. See http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6

admin/setup/config.inc.php

@@ -12,6 +12,7 @@
     <td>
      <select name="newsettings[auth_type]">
       <option value="sql"<?php echo $selected["sql"]; ?>>SQL</option>
+      <option value="sqlssl"<?php echo $selected["sqlssl"]; ?>>SQL / SSL</option>
       <option value="ldap"<?php echo $selected["ldap"]; ?>>LDAP</option>
       <option value="mail"<?php echo $selected["mail"]; ?>>Mail</option>
       <option value="http"<?php echo $selected["http"]; ?>>HTTP</option>

login.php

@@ -125,9 +125,34 @@
 		$passwd = $PHP_AUTH_PW;
 	}
 
+	# Apache + mod_ssl style SSL certificate authentication
+	# Certificate (chain) verification occurs inside mod_ssl
+	if ($phpgw_info['server']['auth_type'] == 'sqlssl' && isset($HTTP_SERVER_VARS["SSL_CLIENT_S_DN"]) && !isset($cd))
+	{
+		$sslattribs = explode("/",$HTTP_SERVER_VARS["SSL_CLIENT_S_DN"]);
+    		while ($sslattrib = next($sslattribs))
+		{
+       			list($key,$val) = explode("=",$sslattrib);
+       			$sslattributes[$key] = $val;
+     		}                                                             
+                if (isset($sslattributes["Email"]))
+		{
+			$submit = True;
+
+			# login will be set here if the user logged out and uses a different username with
+			# the same SSL-certificate.
+			if (!isset($login)&&isset($sslattributes["Email"])) {
+		           $login  = $sslattributes["Email"];
+			   # not checked against the database, but delivered to authentication module
+			   $passwd = $HTTP_SERVER_VARS["SSL_CLIENT_S_DN"];
+			}
+		}
+		unset ($key,$val,$sslattributes);
+	}
+
 	if (isset($submit) && $submit)
 	{
-		if (getenv(REQUEST_METHOD) != 'POST' && !isset($PHP_AUTH_USER))
+		if (getenv(REQUEST_METHOD) != 'POST' && !isset($PHP_AUTH_USER) && !isset($HTTP_SERVER_VARS["SSL_CLIENT_S_DN"]))
 		{
 			$phpgw->redirect($phpgw->link('/login.php','code=5'));
 		}

phpgwapi/inc/class.auth_sqlssl.inc.php

@@ -0,0 +1,84 @@
+<?php
+  /**************************************************************************\
+  * phpGroupWare API - Auth from SQL, with optional SSL authentication       *
+  * This file written by Andreas 'Count' Kotes <count@flatline.de>           *
+  * Authentication based on SQL table and X.509 certificates                 *
+  * Copyright (C) 2000, 2001 Dan Kuykendall                                  *
+  * -------------------------------------------------------------------------*
+  * This library is part of the phpGroupWare API                             *
+  * http://www.phpgroupware.org/api                                          * 
+  * ------------------------------------------------------------------------ *
+  * This library is free software; you can redistribute it and/or modify it  *
+  * under the terms of the GNU Lesser General Public License as published by *
+  * the Free Software Foundation; either version 2.1 of the License,         *
+  * or any later version.                                                    *
+  * This library is distributed in the hope that it will be useful, but      *
+  * WITHOUT ANY WARRANTY; without even the implied warranty of               *
+  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                     *
+  * See the GNU Lesser General Public License for more details.              *
+  * You should have received a copy of the GNU Lesser General Public License *
+  * along with this library; if not, write to the Free Software Foundation,  *
+  * Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA            *
+  \**************************************************************************/
+
+  /* $Id$ */
+
+  class auth
+  {
+
+    function authenticate($username, $passwd) {
+      global $phpgw_info, $phpgw, $HTTP_SERVER_VARS;
+      
+      $db = $phpgw->db;
+      
+      $local_debug = False;
+     
+      if ($local_debug) {
+         echo "<b>Debug SQL: uid - $username passwd - $passwd</b>";
+      }
+      
+      # Apache + mod_ssl provide the data in the environment
+      # Certificate (chain) verification occurs inside mod_ssl
+      # see http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6
+      if (!isset($HTTP_SERVER_VARS["SSL_CLIENT_S_DN"])) {
+         # if we're not doing SSL authentication, behave like auth_sql
+         $db->query("SELECT * FROM phpgw_accounts WHERE account_lid = '$username' AND "
+               . "account_pwd='" . md5($passwd) . "' AND account_status ='A'",__LINE__,__FILE__);
+         $db->next_record();
+       } else {
+         # use username only for authentication, ignore X.509 subject in $passwd for now
+         $db->query("SELECT * FROM phpgw_accounts WHERE account_lid = '$username' AND account_status ='A'",__LINE__,__FILE__);
+         $db->next_record();
+       }
+
+      if ($db->f("account_lid")) {
+        return True;
+      } else {
+        return False;
+      }
+    }
+
+    function change_password($old_passwd, $new_passwd) {
+      global $phpgw_info, $phpgw;
+      $encrypted_passwd = md5($new_passwd);
+      $phpgw->db->query("update phpgw_accounts set account_pwd='" . md5($new_passwd) . "' "
+	                  . "where account_lid='" . $phpgw_info["user"]["userid"] . "'",__LINE__,__FILE__);
+      $phpgw->db->query("update phpgw_accounts set account_lastpwd_change='" . time() . "' where account_id='"
+   			    	. $phpgw_info["user"]["account_id"] . "'",__LINE__,__FILE__);
+
+      return $encrypted_passwd;
+    }
+
+   function update_lastlogin($account_id, $ip)
+    {       
+      global $phpgw;
+                        
+      $account_id = get_account_id($account_id);
+                        
+      $phpgw->db->query("update phpgw_accounts set account_lastloginfrom='"
+                      . "$ip', account_lastlogin='" . time()
+                      . "' where account_id='$account_id'",__LINE__,__FILE__);
+    }
+
+  }
+?>