Fix client certificate login #16

This change fixes the client certificate login for cases where duplicate
serial numbers have been issued and recorded in the emailcerts table.

Email addresses from the client certificate are used as an additional
matching parameter.

includes/lib/general.php got a new function
get_email_addresses_from_client_cert to create an array of email
addresses from the environment variables set by Apache httpd
includes/loggedin.php and www/index.php use the new function to pass
email addresses to the get_user_id_from_cert function
get_user_id_from_cert in includes/lib/general.php has been enhanced to
use a JOIN over the emailcerts, root_certs and email tables. All
parameters are escaped via mysql_real_escape_string
SQL errors in get_user_id_from_cert are now handled
a match from get_user_id_from_cert is only returned when there is
exactly one row in the result set

The code and the used query have been tested with Apache 2.4.10 and PHP
5.6 from Debian Jessie and a MariaDB 10.11 in strict mode using a
container based test setup to match the current production setup as
close as possible.

This change fixes the client certificate login for cases where duplicate serial numbers have been issued and recorded in the emailcerts table. Email addresses from the client certificate are used as an additional matching parameter. - includes/lib/general.php got a new function get_email_addresses_from_client_cert to create an array of email addresses from the environment variables set by Apache httpd - includes/loggedin.php and www/index.php use the new function to pass email addresses to the get_user_id_from_cert function - get_user_id_from_cert in includes/lib/general.php has been enhanced to use a JOIN over the emailcerts, root_certs and email tables. All parameters are escaped via mysql_real_escape_string - SQL errors in get_user_id_from_cert are now handled - a match from get_user_id_from_cert is only returned when there is exactly one row in the result set The code and the used query have been tested with Apache 2.4.10 and PHP 5.6 from Debian Jessie and a MariaDB 10.11 in strict mode using a container based test setup to match the current production setup as close as possible.

Logically, the suggested changes seem to do what is said.
Applauds on the very descriptive PR! Made me feel I could follow both the intent and the actual suggested code and compare with the old.

Sadly, I don't know PHP, so I can't confirm that a change this big will do what is expected.

I assume both Dirk and Ted will easily confirm if that is the case.

Perhaps Brian will also be able to review soon.

Logically, the suggested changes seem to do what is said. Applauds on the very descriptive PR! Made me feel I could follow both the intent and the actual suggested code and compare with the old. Sadly, I don't know PHP, so I can't confirm that a change this big will do what is expected. I assume both Dirk and Ted will easily confirm if that is the case. Perhaps Brian will also be able to review soon.

 @ -19,0 +30,4 @@
 	// try SAN email addresses first
 	$envNameBase = "SSL_CLIENT_SAN_Email";
 	for ($i = 0; $i <= $maxAddresses; $i++) {

Labels Milestones

Fix client certificate login #16

Reviewers