Context Navigation

source: mod_gnutls/src/gnutls_hooks.c @ 0cfcbf3

Visit:

debian/masterdebian/stretch-backportsjessie-backportsmsvaupstream

Last change on this file since 0cfcbf3 was 0cfcbf3, checked in by Dash Shendy <neuromancer@…>, 8 years ago
Removed DEBUGLOG
Property mode set to `100644`
File size: 40.1 KB

Rev	Line
[c301152]	1	/**
	2	* Copyright 2004-2005 Paul Querna
[e183628]	3	* Copyright 2008 Nikos Mavrogiannopoulos
	4	* Copyright 2011 Dash Shendy
[c301152]	5	*
	6	* Licensed under the Apache License, Version 2.0 (the "License");
	7	* you may not use this file except in compliance with the License.
	8	* You may obtain a copy of the License at
	9	*
	10	* http://www.apache.org/licenses/LICENSE-2.0
	11	*
	12	* Unless required by applicable law or agreed to in writing, software
	13	* distributed under the License is distributed on an "AS IS" BASIS,
	14	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	15	* See the License for the specific language governing permissions and
	16	* limitations under the License.
	17	*
	18	*/
	19
	20	#include "mod_gnutls.h"
	21	#include "http_vhost.h"
[84cb5b2]	22	#include "ap_mpm.h"
[c301152]	23
[0499540]	24
[c301152]	25	#if !USING_2_1_RECENT
	26	extern server_rec *ap_server_conf;
	27	#endif
	28
	29	#if MOD_GNUTLS_DEBUG
[7bebb42]	30	static apr_file_t *debug_log_fp;
[c301152]	31	#endif
	32
[e183628]	33	static gnutls_datum session_ticket_key = {NULL, 0};
[84cb5b2]	34
[7bebb42]	35	static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
	36	/* use side==0 for server and side==1 for client */
[e02dd8c]	37	static void mgs_add_common_cert_vars(request_rec * r,
[e183628]	38	gnutls_x509_crt_t cert, int side,
	39	int export_certificates_enabled);
[e02dd8c]	40	static void mgs_add_common_pgpcert_vars(request_rec * r,
[e183628]	41	gnutls_openpgp_crt_t cert,
	42	int side,
	43	int export_certificates_enabled);
	44
	45	static apr_status_t mgs_cleanup_pre_config(void *data) {
	46	gnutls_free(session_ticket_key.data);
	47	session_ticket_key.data = NULL;
	48	session_ticket_key.size = 0;
	49	gnutls_global_deinit();
	50	return APR_SUCCESS;
[c301152]	51	}
	52
	53	#if MOD_GNUTLS_DEBUG
[e183628]	54
	55	static void gnutls_debug_log_all(int level, const char *str) {
	56	apr_file_printf(debug_log_fp, "<%d> %s\n", level, str);
[c301152]	57	}
[e02dd8c]	58
[a208cd3]	59	#define _gnutls_log apr_file_printf
	60	#else
[e183628]	61	#define _gnutls_log(...)
[c301152]	62	#endif
	63
[7bebb42]	64	int
	65	mgs_hook_pre_config(apr_pool_t * pconf,
[e183628]	66	apr_pool_t * plog, apr_pool_t * ptemp) {
	67	int ret;
[c301152]	68
[26b08fd]	69	#if MOD_GNUTLS_DEBUG
[e183628]	70	apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
	71	APR_APPEND \| APR_WRITE \| APR_CREATE, APR_OS_DEFAULT,
	72	pconf);
[26b08fd]	73
[e183628]	74	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
[26b08fd]	75
[e183628]	76	gnutls_global_set_log_level(9);
	77	gnutls_global_set_log_function(gnutls_debug_log_all);
	78	_gnutls_log(debug_log_fp, "gnutls: %s\n",
	79	gnutls_check_version(NULL));
[26b08fd]	80	#endif
	81
[e183628]	82	if (gnutls_check_version(LIBGNUTLS_VERSION) == NULL) {
	83	_gnutls_log(debug_log_fp,
	84	"gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n",
	85	LIBGNUTLS_VERSION, gnutls_check_version(NULL));
	86	return -3;
	87	}
[e02dd8c]	88
[e183628]	89	ret = gnutls_global_init();
	90	if (ret < 0) {
	91	_gnutls_log(debug_log_fp, "gnutls_global_init: %s\n",
	92	gnutls_strerror(ret));
	93	return -3;
	94	}
[2b3a248]	95
[e183628]	96	ret = gnutls_session_ticket_key_generate(&session_ticket_key);
	97	if (ret < 0) {
	98	_gnutls_log(debug_log_fp,
	99	"gnutls_session_ticket_key_generate: %s\n",
	100	gnutls_strerror(ret));
	101	}
[e5bbda4]	102
[e183628]	103	apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config,
	104	apr_pool_cleanup_null);
[c301152]	105
	106
[e183628]	107	return OK;
[c301152]	108	}
	109
[e183628]	110	static int mgs_select_virtual_server_cb(gnutls_session_t session) {
	111	mgs_handle_t *ctxt;
	112	mgs_srvconf_rec *tsc;
[9180a60]	113	int ret = 0;
[7bebb42]	114
[e183628]	115	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
[26b08fd]	116
[e183628]	117	ctxt = gnutls_transport_get_ptr(session);
[7bebb42]	118
[e183628]	119	/* find the virtual server */
	120	tsc = mgs_find_sni_server(session);
[7bebb42]	121
[e183628]	122	if (tsc != NULL)
	123	ctxt->sc = tsc;
[7bebb42]	124
[e183628]	125	gnutls_certificate_server_set_request(session,
	126	ctxt->
	127	sc->client_verify_mode);
[7bebb42]	128
[e183628]	129	/* set the new server credentials
	130	*/
[7bebb42]	131
[e183628]	132	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
	133	ctxt->sc->certs);
[7bebb42]	134
[e183628]	135	gnutls_credentials_set(session, GNUTLS_CRD_ANON,
	136	ctxt->sc->anon_creds);
[7bebb42]	137
[787dab7]	138	#ifdef ENABLE_SRP
[e183628]	139	if (ctxt->sc->srp_tpasswd_conf_file != NULL
	140	&& ctxt->sc->srp_tpasswd_file != NULL) {
	141	gnutls_credentials_set(session, GNUTLS_CRD_SRP,
	142	ctxt->sc->srp_creds);
	143	}
[787dab7]	144	#endif
[7bebb42]	145
[e183628]	146	/* update the priorities - to avoid negotiating a ciphersuite that is not
	147	* enabled on this virtual server. Note that here we ignore the version
	148	* negotiation.
	149	*/
	150	ret = gnutls_priority_set(session, ctxt->sc->priorities);
	151	/* actually it shouldn't fail since we have checked at startup */
[9180a60]	152	return ret;
[7bebb42]	153	}
	154
[cf10d49]	155	static int cert_retrieve_fn(gnutls_session_t session,
	156	const gnutls_datum_t * req_ca_rdn, int nreqs,
	157	const gnutls_pk_algorithm_t * pk_algos, int pk_algos_length,
	158	gnutls_retr2_st *ret) {
	159
[e183628]	160	mgs_handle_t *ctxt;
[e02dd8c]	161
[e183628]	162	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	163	ctxt = gnutls_transport_get_ptr(session);
[7bebb42]	164
[e183628]	165	if (ctxt == NULL)
	166	return GNUTLS_E_INTERNAL_ERROR;
[7bebb42]	167
[e183628]	168	if (gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) {
[9180a60]	169	ret->cert_type = GNUTLS_CRT_X509;
	170	ret->key_type = GNUTLS_PRIVKEY_X509;
[e183628]	171	ret->ncerts = ctxt->sc->certs_x509_num;
	172	ret->deinit_all = 0;
[df34f08]	173
[e183628]	174	ret->cert.x509 = ctxt->sc->certs_x509;
	175	ret->key.x509 = ctxt->sc->privkey_x509;
[e5bbda4]	176
[e183628]	177	return 0;
[9180a60]	178	} else if (gnutls_certificate_type_get(session) == GNUTLS_CRT_OPENPGP) {
	179	ret->cert_type = GNUTLS_CRT_OPENPGP;
	180	ret->key_type = GNUTLS_PRIVKEY_OPENPGP;
[e183628]	181	ret->ncerts = 1;
	182	ret->deinit_all = 0;
[e5bbda4]	183
[e183628]	184	ret->cert.pgp = ctxt->sc->cert_pgp;
	185	ret->key.pgp = ctxt->sc->privkey_pgp;
[e5bbda4]	186
[e183628]	187	return 0;
[7bebb42]	188
[e183628]	189	}
[e02dd8c]	190
[e183628]	191	return GNUTLS_E_INTERNAL_ERROR;
[7bebb42]	192	}
	193
[2b3a248]	194	/* 2048-bit group parameters from SRP specification */
[7bebb42]	195	const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
[e183628]	196	"MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
	197	"gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
	198	"KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
	199	"dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
	200	"YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
	201	"Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
	202	"-----END DH PARAMETERS-----\n";
[fd73a08]	203
	204	/* Read the common name or the alternative name of the certificate.
	205	* We only support a single name per certificate.
	206	*
	207	* Returns negative on error.
	208	*/
[a5dc815]	209	static int read_crt_cn(server_rec * s, apr_pool_t * p,
[e183628]	210	gnutls_x509_crt_t cert, char **cert_cn) {
	211	int rv = 0, i;
	212	size_t data_len;
	213
	214
	215	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	216	*cert_cn = NULL;
	217
	218	data_len = 0;
	219	rv = gnutls_x509_crt_get_dn_by_oid(cert,
	220	GNUTLS_OID_X520_COMMON_NAME,
	221	0, 0, NULL, &data_len);
	222
	223	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
	224	*cert_cn = apr_palloc(p, data_len);
	225	rv = gnutls_x509_crt_get_dn_by_oid(cert,
	226	GNUTLS_OID_X520_COMMON_NAME,
	227	0, 0, *cert_cn,
	228	&data_len);
	229	} else { /* No CN return subject alternative name */
	230	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
	231	"No common name found in certificate for '%s:%d'. Looking for subject alternative name...",
	232	s->server_hostname, s->port);
	233	rv = 0;
	234	/* read subject alternative name */
	235	for (i = 0; !(rv < 0); i++) {
	236	data_len = 0;
	237	rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
	238	NULL,
	239	&data_len,
	240	NULL);
	241
	242	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER
	243	&& data_len > 1) {
	244	/* FIXME: not very efficient. What if we have several alt names
	245	* before DNSName?
	246	*/
	247	*cert_cn = apr_palloc(p, data_len + 1);
	248
	249	rv = gnutls_x509_crt_get_subject_alt_name
	250	(cert, i, *cert_cn, &data_len, NULL);
	251	(*cert_cn)[data_len] = 0;
	252
	253	if (rv == GNUTLS_SAN_DNSNAME)
	254	break;
	255	}
	256	}
	257	}
	258
	259	return rv;
[e5bbda4]	260	}
	261
	262	static int read_pgpcrt_cn(server_rec * s, apr_pool_t * p,
[e183628]	263	gnutls_openpgp_crt_t cert, char **cert_cn) {
	264	int rv = 0;
	265	size_t data_len;
[e5bbda4]	266
	267
[e183628]	268	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	269	*cert_cn = NULL;
[e5bbda4]	270
[e183628]	271	data_len = 0;
	272	rv = gnutls_openpgp_crt_get_name(cert, 0, NULL, &data_len);
[e5bbda4]	273
[e183628]	274	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
	275	*cert_cn = apr_palloc(p, data_len);
	276	rv = gnutls_openpgp_crt_get_name(cert, 0, *cert_cn,
	277	&data_len);
	278	} else { /* No CN return subject alternative name */
	279	ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
	280	"No name found in PGP certificate for '%s:%d'.",
	281	s->server_hostname, s->port);
	282	}
[fd73a08]	283
[e183628]	284	return rv;
[fd73a08]	285	}
[7bebb42]	286
	287	int
	288	mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
[e183628]	289	apr_pool_t * ptemp, server_rec * base_server) {
	290	int rv;
	291	server_rec *s;
	292	gnutls_dh_params_t dh_params = NULL;
	293	gnutls_rsa_params_t rsa_params = NULL;
	294	mgs_srvconf_rec *sc;
	295	mgs_srvconf_rec *sc_base;
	296	void *data = NULL;
	297	int first_run = 0;
	298	const char *userdata_key = "mgs_init";
	299
	300	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	301	apr_pool_userdata_get(&data, userdata_key,
	302	base_server->process->pool);
	303	if (data == NULL) {
	304	first_run = 1;
	305	apr_pool_userdata_set((const void *) 1, userdata_key,
	306	apr_pool_cleanup_null,
	307	base_server->process->pool);
	308	}
	309
	310
	311	s = base_server;
	312	sc_base =
	313	(mgs_srvconf_rec *) ap_get_module_config(s->module_config,
	314	&gnutls_module);
	315
	316	gnutls_dh_params_init(&dh_params);
	317
	318	if (sc_base->dh_params == NULL) {
	319	gnutls_datum pdata = {
	320	(void *) static_dh_params,
	321	sizeof (static_dh_params)
	322	};
	323	/* loading defaults */
	324	rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
	325	GNUTLS_X509_FMT_PEM);
	326
	327	if (rv < 0) {
	328	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	329	"GnuTLS: Unable to load DH Params: (%d) %s",
	330	rv, gnutls_strerror(rv));
	331	exit(rv);
	332	}
	333	} else
	334	dh_params = sc_base->dh_params;
	335
	336	if (sc_base->rsa_params != NULL)
	337	rsa_params = sc_base->rsa_params;
	338
	339	/* else not an error but RSA-EXPORT ciphersuites are not available
	340	*/
	341
	342	rv = mgs_cache_post_config(p, s, sc_base);
	343	if (rv != 0) {
	344	ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
	345	"GnuTLS: Post Config for GnuTLSCache Failed."
	346	" Shutting Down.");
	347	exit(-1);
	348	}
	349
	350	for (s = base_server; s; s = s->next) {
	351	void *load = NULL;
	352	sc = (mgs_srvconf_rec *)
	353	ap_get_module_config(s->module_config, &gnutls_module);
	354	sc->cache_type = sc_base->cache_type;
	355	sc->cache_config = sc_base->cache_config;
	356
	357	/* Check if the priorities have been set */
	358	if (sc->priorities == NULL
	359	&& sc->enabled == GNUTLS_ENABLED_TRUE) {
	360	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	361	"GnuTLS: Host '%s:%d' is missing the GnuTLSPriorities directive!",
	362	s->server_hostname, s->port);
	363	exit(-1);
	364	}
	365
	366	/* Check if DH or RSA params have been set per host */
	367	if (sc->rsa_params != NULL)
	368	load = sc->rsa_params;
	369	else if (rsa_params)
	370	load = rsa_params;
	371
	372	if (load != NULL)
	373	gnutls_certificate_set_rsa_export_params(sc->certs,
	374	load);
	375
	376
	377	load = NULL;
	378	if (sc->dh_params != NULL)
	379	load = sc->dh_params;
	380	else if (dh_params)
	381	load = dh_params;
	382
	383	if (load != NULL) { /* not needed but anyway */
	384	gnutls_certificate_set_dh_params(sc->certs, load);
	385	gnutls_anon_set_server_dh_params(sc->anon_creds,
	386	load);
	387	}
	388
[d2ee1a1]	389	gnutls_certificate_set_retrieve_function(sc->certs, cert_retrieve_fn);
[fd73a08]	390
[787dab7]	391	#ifdef ENABLE_SRP
[e183628]	392	if (sc->srp_tpasswd_conf_file != NULL
	393	&& sc->srp_tpasswd_file != NULL) {
	394	rv = gnutls_srp_set_server_credentials_file
	395	(sc->srp_creds, sc->srp_tpasswd_file,
	396	sc->srp_tpasswd_conf_file);
	397
	398	if (rv < 0 && sc->enabled == GNUTLS_ENABLED_TRUE) {
	399	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0,
	400	s,
	401	"[GnuTLS] - Host '%s:%d' is missing a "
	402	"SRP password or conf File!",
	403	s->server_hostname, s->port);
	404	exit(-1);
	405	}
	406	}
[787dab7]	407	#endif
[7bebb42]	408
[e183628]	409	if (sc->certs_x509[0] == NULL &&
	410	sc->cert_pgp == NULL &&
	411	sc->enabled == GNUTLS_ENABLED_TRUE) {
	412	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	413	"[GnuTLS] - Host '%s:%d' is missing a "
	414	"Certificate File!",
	415	s->server_hostname, s->port);
	416	exit(-1);
	417	}
	418
	419	if (sc->enabled == GNUTLS_ENABLED_TRUE &&
	420	((sc->certs_x509[0] != NULL
	421	&& sc->privkey_x509 == NULL) \|\| (sc->cert_pgp != NULL
	422	&& sc->privkey_pgp
	423	== NULL))) {
	424	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	425	"[GnuTLS] - Host '%s:%d' is missing a "
	426	"Private Key File!",
	427	s->server_hostname, s->port);
	428	exit(-1);
	429	}
	430
	431	if (sc->enabled == GNUTLS_ENABLED_TRUE) {
	432	rv = read_crt_cn(s, p, sc->certs_x509[0],
	433	&sc->cert_cn);
	434	if (rv < 0 && sc->cert_pgp != NULL) /* try openpgp certificate */
	435	rv = read_pgpcrt_cn(s, p, sc->cert_pgp,
	436	&sc->cert_cn);
	437
	438	if (rv < 0) {
	439	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0,
	440	s,
	441	"[GnuTLS] - Cannot find a certificate for host '%s:%d'!",
	442	s->server_hostname, s->port);
	443	sc->cert_cn = NULL;
	444	continue;
	445	}
	446	}
	447	}
	448
	449
	450	ap_add_version_component(p, "mod_gnutls/" MOD_GNUTLS_VERSION);
	451
	452	return OK;
[c301152]	453	}
	454
[e183628]	455	void mgs_hook_child_init(apr_pool_t * p, server_rec * s) {
	456	apr_status_t rv = APR_SUCCESS;
	457	mgs_srvconf_rec *sc = ap_get_module_config(s->module_config,
	458	&gnutls_module);
	459
	460	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	461	if (sc->cache_type != mgs_cache_none) {
	462	rv = mgs_cache_child_init(p, s, sc);
	463	if (rv != APR_SUCCESS) {
	464	ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
	465	"[GnuTLS] - Failed to run Cache Init");
	466	}
	467	}
[c301152]	468	}
	469
[e183628]	470	const char mgs_hook_http_scheme(const request_rec r) {
	471	mgs_srvconf_rec *sc;
[c301152]	472
[e183628]	473	if (r == NULL)
	474	return NULL;
[e02dd8c]	475
[e183628]	476	sc = (mgs_srvconf_rec *) ap_get_module_config(r->
	477	server->module_config,
	478	&gnutls_module);
[e02dd8c]	479
[e183628]	480	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	481	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
	482	return NULL;
	483	}
[e02dd8c]	484
[e183628]	485	return "https";
[c301152]	486	}
	487
[e183628]	488	apr_port_t mgs_hook_default_port(const request_rec * r) {
	489	mgs_srvconf_rec *sc;
[e02dd8c]	490
[e183628]	491	if (r == NULL)
	492	return 0;
[e02dd8c]	493
[e183628]	494	sc = (mgs_srvconf_rec *) ap_get_module_config(r->
	495	server->module_config,
	496	&gnutls_module);
[e02dd8c]	497
[e183628]	498	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	499	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
	500	return 0;
	501	}
[c301152]	502
[e183628]	503	return 443;
[c301152]	504	}
	505
	506	#define MAX_HOST_LEN 255
	507
	508	#if USING_2_1_RECENT
[e183628]	509
[7bebb42]	510	typedef struct {
[e183628]	511	mgs_handle_t *ctxt;
	512	mgs_srvconf_rec *sc;
	513	const char *sni_name;
[c301152]	514	} vhost_cb_rec;
	515
[e183628]	516	static int vhost_cb(void baton, conn_rec conn, server_rec * s) {
	517	mgs_srvconf_rec *tsc;
	518	vhost_cb_rec *x = baton;
[8764d0d]	519	apr_array_header_t *names;
	520	int i;
	521
[e183628]	522	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	523	tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
	524	&gnutls_module);
[7bebb42]	525
[e183628]	526	if (tsc->enabled != GNUTLS_ENABLED_TRUE \|\| tsc->cert_cn == NULL) {
	527	return 0;
	528	}
[8764d0d]	529
	530	/* Check ServerName First! */
	531	if(!apr_strnatcasecmp(x->sni_name, s->server_hostname)) {
	532	x->sc = tsc;return 1;
	533	} else if(s->names) {
	534	/* ServerAlias Directives */
[8581fac]	535	names = s->names;
[8764d0d]	536	char name = (char )names->elts;
	537	for (i = 0; i < names->nelts; ++i) {
	538	if (!name[i]) { continue; }
	539	if (!apr_strnatcasecmp(x->sni_name, name[i])) {
	540	x->sc = tsc;return 1; }
	541	}
	542	} else if(s->wild_names) {
	543	/* Wild ServerAlias Directives */
[8581fac]	544	names = s->wild_names;
	545	char name = (char )names->elts;
	546	for (i = 0; i < names->nelts; ++i) {
[8764d0d]	547	if (!name[i]) { continue; }
	548	if (!ap_strcasecmp_match(x->sni_name, name[i])) {
	549	x->sc = tsc;return 1; }
	550	}
[e183628]	551	}
[8764d0d]	552
[e183628]	553	return 0;
[c301152]	554	}
	555	#endif
	556
[e183628]	557	mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session) {
	558	int rv;
	559	unsigned int sni_type;
	560	size_t data_len = MAX_HOST_LEN;
	561	char sni_name[MAX_HOST_LEN];
	562	mgs_handle_t *ctxt;
[c301152]	563	#if USING_2_1_RECENT
[e183628]	564	vhost_cb_rec cbx;
[c301152]	565	#else
[e183628]	566	server_rec *s;
	567	mgs_srvconf_rec *tsc;
[c301152]	568	#endif
[7bebb42]	569
[e183628]	570	if (session == NULL)
	571	return NULL;
[368b574]	572
[e183628]	573	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	574	ctxt = gnutls_transport_get_ptr(session);
[7bebb42]	575
[e183628]	576	rv = gnutls_server_name_get(ctxt->session, sni_name,
	577	&data_len, &sni_type, 0);
[7bebb42]	578
[e183628]	579	if (rv != 0) {
	580	return NULL;
	581	}
[7bebb42]	582
[e183628]	583	if (sni_type != GNUTLS_NAME_DNS) {
	584	ap_log_error(APLOG_MARK, APLOG_CRIT, 0,
	585	ctxt->c->base_server,
	586	"GnuTLS: Unknown type '%d' for SNI: "
	587	"'%s'", sni_type, sni_name);
	588	return NULL;
	589	}
[7bebb42]	590
[c301152]	591	/**
	592	* Code in the Core already sets up the c->base_server as the base
	593	* for this IP/Port combo. Trust that the core did the 'right' thing.
	594	*/
	595	#if USING_2_1_RECENT
[e183628]	596	cbx.ctxt = ctxt;
	597	cbx.sc = NULL;
	598	cbx.sni_name = sni_name;
	599
	600	rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
	601	if (rv == 1) {
	602	return cbx.sc;
	603	}
[e02dd8c]	604	#else
[e183628]	605	for (s = ap_server_conf; s; s = s->next) {
	606
[b7098b2]	607	tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
	608	&gnutls_module);
	609
	610	if (tsc->enabled != GNUTLS_ENABLED_TRUE) { continue; }
[0cfcbf3]	611
[b7098b2]	612	/* Check ServerName First! */
	613	if(!apr_strnatcasecmp(sni_name, s->server_hostname)) {
	614	return tsc;
	615	} else if(s->names) {
	616	/* ServerAlias Directives */
	617	names = s->names;
	618	char name = (char )names->elts;
	619	for (i = 0; i < names->nelts; ++i) {
	620	if (!name[i]) { continue; }
	621	if (!apr_strnatcasecmp(sni_name, name[i])) {
	622	return tsc; }
	623	}
	624	} else if(s->wild_names) {
	625	/* Wild ServerAlias Directives */
	626	names = s->wild_names;
	627	char name = (char )names->elts;
	628	for (i = 0; i < names->nelts; ++i) {
	629	if (!name[i]) { continue; }
	630	if (!ap_strcasecmp_match(sni_name, name[i])) {
	631	return tsc; }
	632	}
	633	} /* End Wild Names*/
	634	} /* End For Loop */
[c301152]	635	#endif
[e183628]	636	return NULL;
[836417f]	637	}
	638
	639
[7bebb42]	640	static const int protocol_priority[] = {
[e183628]	641	GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
[fd73a08]	642	};
	643
[e183628]	644	static mgs_handle_t create_gnutls_handle(apr_pool_t pool, conn_rec * c) {
	645	mgs_handle_t *ctxt;
[d0be765]	646	/* Get mod_gnutls Configuration Record */
	647	mgs_srvconf_rec sc =(mgs_srvconf_rec )
	648	ap_get_module_config(c->base_server->module_config,&gnutls_module);
[e183628]	649
	650	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	651	ctxt = apr_pcalloc(pool, sizeof (*ctxt));
	652	ctxt->c = c;
	653	ctxt->sc = sc;
	654	ctxt->status = 0;
	655	ctxt->input_rc = APR_SUCCESS;
	656	ctxt->input_bb = apr_brigade_create(c->pool, c->bucket_alloc);
	657	ctxt->input_cbuf.length = 0;
	658	ctxt->output_rc = APR_SUCCESS;
	659	ctxt->output_bb = apr_brigade_create(c->pool, c->bucket_alloc);
	660	ctxt->output_blen = 0;
	661	ctxt->output_length = 0;
[d0be765]	662	/* Initialize GnuTLS Library */
[e183628]	663	gnutls_init(&ctxt->session, GNUTLS_SERVER);
[d0be765]	664	/* Initialize Session Tickets */
	665	if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0) {
	666	gnutls_session_ticket_enable_server(ctxt->session,&session_ticket_key);
	667	}
[e183628]	668
[d0be765]	669	/* Set Default Priority */
[9180a60]	670	gnutls_set_default_priority(ctxt->session);
[d0be765]	671	/* Set Handshake function */
[e183628]	672	gnutls_handshake_set_post_client_hello_function(ctxt->session,
	673	mgs_select_virtual_server_cb);
[d0be765]	674	/* Initialize Session Cache */
[e183628]	675	mgs_cache_session_init(ctxt);
[d0be765]	676	/* Return GnuTLS Handle */
[e183628]	677	return ctxt;
	678	}
[e02dd8c]	679
[e183628]	680	int mgs_hook_pre_connection(conn_rec * c, void *csd) {
	681	mgs_handle_t *ctxt;
	682	mgs_srvconf_rec *sc;
[e02dd8c]	683
[e183628]	684	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
[e02dd8c]	685
[e183628]	686	if (c == NULL) {
	687	return DECLINED;
	688	}
[7bebb42]	689
[e183628]	690	sc = (mgs_srvconf_rec *) ap_get_module_config(c->base_server->
	691	module_config,
	692	&gnutls_module);
[c301152]	693
[e183628]	694	if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) {
	695	return DECLINED;
	696	}
[ae4a2b0]	697
[e183628]	698	if (c->remote_addr->hostname \|\| apr_strnatcmp(c->remote_ip, c->local_ip) == 0) {
	699	/* Connection initiated by Apache (mod_proxy) => ignore */
	700	return OK;
	701	}
[c301152]	702
[e183628]	703	ctxt = create_gnutls_handle(c->pool, c);
[e02dd8c]	704
[e183628]	705	ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
[e02dd8c]	706
[e183628]	707	gnutls_transport_set_pull_function(ctxt->session,
	708	mgs_transport_read);
	709	gnutls_transport_set_push_function(ctxt->session,
	710	mgs_transport_write);
	711	gnutls_transport_set_ptr(ctxt->session, ctxt);
[c301152]	712
[e183628]	713	ctxt->input_filter =
	714	ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, ctxt, NULL, c);
	715	ctxt->output_filter =
	716	ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, ctxt, NULL, c);
[56f3628]	717
[e183628]	718	return OK;
	719	}
[e02dd8c]	720
[e183628]	721	int mgs_hook_fixups(request_rec * r) {
	722	unsigned char sbuf[GNUTLS_MAX_SESSION_ID];
	723	char buf[AP_IOBUFSIZE];
	724	const char *tmp;
	725	size_t len;
	726	mgs_handle_t *ctxt;
	727	int rv = OK;
[c301152]	728
[e183628]	729	if (r == NULL)
	730	return DECLINED;
[c301152]	731
[e183628]	732	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	733	apr_table_t *env = r->subprocess_env;
[7bebb42]	734
[e183628]	735	ctxt =
	736	ap_get_module_config(r->connection->conn_config,
	737	&gnutls_module);
[c301152]	738
[e183628]	739	if (!ctxt \|\| ctxt->session == NULL) {
	740	return DECLINED;
	741	}
[c301152]	742
[e183628]	743	apr_table_setn(env, "HTTPS", "on");
	744
	745	apr_table_setn(env, "SSL_VERSION_LIBRARY",
	746	"GnuTLS/" LIBGNUTLS_VERSION);
	747	apr_table_setn(env, "SSL_VERSION_INTERFACE",
	748	"mod_gnutls/" MOD_GNUTLS_VERSION);
	749
	750	apr_table_setn(env, "SSL_PROTOCOL",
	751	gnutls_protocol_get_name(gnutls_protocol_get_version
	752	(ctxt->session)));
	753
	754	/* should have been called SSL_CIPHERSUITE instead */
	755	apr_table_setn(env, "SSL_CIPHER",
	756	gnutls_cipher_suite_get_name(gnutls_kx_get
	757	(ctxt->session),
	758	gnutls_cipher_get
	759	(ctxt->session),
	760	gnutls_mac_get
	761	(ctxt->session)));
	762
	763	apr_table_setn(env, "SSL_COMPRESS_METHOD",
	764	gnutls_compression_get_name(gnutls_compression_get
	765	(ctxt->session)));
[7bebb42]	766
[787dab7]	767	#ifdef ENABLE_SRP
[e183628]	768	tmp = gnutls_srp_server_get_username(ctxt->session);
	769	apr_table_setn(env, "SSL_SRP_USER", (tmp != NULL) ? tmp : "");
[787dab7]	770	#endif
[c301152]	771
[e183628]	772	if (apr_table_get(env, "SSL_CLIENT_VERIFY") == NULL)
	773	apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE");
[c301152]	774
[e183628]	775	unsigned int key_size =
	776	8 *
	777	gnutls_cipher_get_key_size(gnutls_cipher_get(ctxt->session));
	778	tmp = apr_psprintf(r->pool, "%u", key_size);
[c301152]	779
[e183628]	780	apr_table_setn(env, "SSL_CIPHER_USEKEYSIZE", tmp);
[c301152]	781
[e183628]	782	apr_table_setn(env, "SSL_CIPHER_ALGKEYSIZE", tmp);
[c301152]	783
[e183628]	784	apr_table_setn(env, "SSL_CIPHER_EXPORT",
	785	(key_size <= 40) ? "true" : "false");
[7bebb42]	786
[e183628]	787	len = sizeof (sbuf);
	788	gnutls_session_get_id(ctxt->session, sbuf, &len);
	789	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof (buf));
	790	apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp));
[7ba803b]	791
[e183628]	792	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
	793	mgs_add_common_cert_vars(r, ctxt->sc->certs_x509[0], 0,
	794	ctxt->
	795	sc->export_certificates_enabled);
	796	else if (gnutls_certificate_type_get(ctxt->session) ==
	797	GNUTLS_CRT_OPENPGP)
	798	mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0,
	799	ctxt->
	800	sc->export_certificates_enabled);
[7bebb42]	801
[e183628]	802	return rv;
[c301152]	803	}
	804
[e183628]	805	int mgs_hook_authz(request_rec * r) {
	806	int rv;
	807	mgs_handle_t *ctxt;
	808	mgs_dirconf_rec *dc;
	809
	810	if (r == NULL)
	811	return DECLINED;
	812
	813	dc = ap_get_module_config(r->per_dir_config, &gnutls_module);
	814
	815	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	816	ctxt =
	817	ap_get_module_config(r->connection->conn_config,
	818	&gnutls_module);
	819
	820	if (!ctxt \|\| ctxt->session == NULL) {
	821	return DECLINED;
	822	}
	823
	824	if (dc->client_verify_mode == GNUTLS_CERT_IGNORE) {
	825	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	826	"GnuTLS: Directory set to Ignore Client Certificate!");
	827	} else {
	828	if (ctxt->sc->client_verify_mode < dc->client_verify_mode) {
	829	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	830	"GnuTLS: Attempting to rehandshake with peer. %d %d",
	831	ctxt->sc->client_verify_mode,
	832	dc->client_verify_mode);
	833
	834	/* If we already have a client certificate, there's no point in
	835	* re-handshaking... */
	836	rv = mgs_cert_verify(r, ctxt);
	837	if (rv != DECLINED && rv != HTTP_FORBIDDEN)
	838	return rv;
	839
	840	gnutls_certificate_server_set_request
	841	(ctxt->session, dc->client_verify_mode);
	842
	843	if (mgs_rehandshake(ctxt) != 0) {
	844	return HTTP_FORBIDDEN;
	845	}
	846	} else if (ctxt->sc->client_verify_mode ==
	847	GNUTLS_CERT_IGNORE) {
[c301152]	848	#if MOD_GNUTLS_DEBUG
[e183628]	849	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	850	"GnuTLS: Peer is set to IGNORE");
[c301152]	851	#endif
[e183628]	852	return DECLINED;
	853	}
	854	rv = mgs_cert_verify(r, ctxt);
	855	if (rv != DECLINED &&
	856	(rv != HTTP_FORBIDDEN \|\|
	857	dc->client_verify_mode == GNUTLS_CERT_REQUIRE)) {
	858	return rv;
	859	}
	860	}
	861
	862	return DECLINED;
[7bebb42]	863	}
	864
	865	/* variables that are not sent by default:
	866	*
	867	* SSL_CLIENT_CERT string PEM-encoded client certificate
	868	* SSL_SERVER_CERT string PEM-encoded client certificate
	869	*/
[836c2f9]	870
[7bebb42]	871	/* side is either 0 for SERVER or 1 for CLIENT
	872	*/
	873	#define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT")
[e183628]	874
[7bebb42]	875	static void
[e5bbda4]	876	mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side,
[e183628]	877	int export_certificates_enabled) {
	878	unsigned char sbuf[64]; /* buffer to hold serials */
	879	char buf[AP_IOBUFSIZE];
	880	const char *tmp;
	881	char *tmp2;
	882	size_t len;
	883	int ret, i;
	884
	885	if (r == NULL)
	886	return;
	887
	888	apr_table_t *env = r->subprocess_env;
	889
	890	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	891	if (export_certificates_enabled != 0) {
	892	char cert_buf[10 * 1024];
	893	len = sizeof (cert_buf);
	894
	895	if (gnutls_x509_crt_export
	896	(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
	897	apr_table_setn(env,
	898	apr_pstrcat(r->pool, MGS_SIDE,
	899	"_CERT", NULL),
	900	apr_pstrmemdup(r->pool, cert_buf,
	901	len));
	902
	903	}
	904
	905	len = sizeof (buf);
	906	gnutls_x509_crt_get_dn(cert, buf, &len);
	907	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_S_DN", NULL),
	908	apr_pstrmemdup(r->pool, buf, len));
	909
	910	len = sizeof (buf);
	911	gnutls_x509_crt_get_issuer_dn(cert, buf, &len);
	912	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_I_DN", NULL),
	913	apr_pstrmemdup(r->pool, buf, len));
	914
	915	len = sizeof (sbuf);
	916	gnutls_x509_crt_get_serial(cert, sbuf, &len);
	917	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof (buf));
	918	apr_table_setn(env,
	919	apr_pstrcat(r->pool, MGS_SIDE, "_M_SERIAL", NULL),
	920	apr_pstrdup(r->pool, tmp));
	921
	922	ret = gnutls_x509_crt_get_version(cert);
	923	if (ret > 0)
	924	apr_table_setn(env,
	925	apr_pstrcat(r->pool, MGS_SIDE, "_M_VERSION",
	926	NULL), apr_psprintf(r->pool,
	927	"%u", ret));
	928
	929	apr_table_setn(env,
	930	apr_pstrcat(r->pool, MGS_SIDE, "_CERT_TYPE", NULL),
	931	"X.509");
	932
	933	tmp =
	934	mgs_time2sz(gnutls_x509_crt_get_expiration_time
	935	(cert), buf, sizeof (buf));
	936	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_END", NULL),
	937	apr_pstrdup(r->pool, tmp));
	938
	939	tmp =
	940	mgs_time2sz(gnutls_x509_crt_get_activation_time
	941	(cert), buf, sizeof (buf));
	942	apr_table_setn(env,
	943	apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL),
	944	apr_pstrdup(r->pool, tmp));
	945
	946	ret = gnutls_x509_crt_get_signature_algorithm(cert);
	947	if (ret >= 0) {
	948	apr_table_setn(env,
	949	apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG",
	950	NULL),
	951	gnutls_sign_algorithm_get_name(ret));
	952	}
	953
	954	ret = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
	955	if (ret >= 0) {
	956	apr_table_setn(env,
	957	apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY",
	958	NULL),
	959	gnutls_pk_algorithm_get_name(ret));
	960	}
	961
	962	/* export all the alternative names (DNS, RFC822 and URI) */
	963	for (i = 0; !(ret < 0); i++) {
	964	len = 0;
	965	ret = gnutls_x509_crt_get_subject_alt_name(cert, i,
	966	NULL, &len,
	967	NULL);
	968
	969	if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER && len > 1) {
	970	tmp2 = apr_palloc(r->pool, len + 1);
	971
	972	ret =
	973	gnutls_x509_crt_get_subject_alt_name(cert, i,
	974	tmp2,
	975	&len,
	976	NULL);
	977	tmp2[len] = 0;
	978
	979	if (ret == GNUTLS_SAN_DNSNAME) {
	980	apr_table_setn(env,
	981	apr_psprintf(r->pool,
	982	"%s_S_AN%u",
	983	MGS_SIDE, i),
	984	apr_psprintf(r->pool,
	985	"DNSNAME:%s",
	986	tmp2));
	987	} else if (ret == GNUTLS_SAN_RFC822NAME) {
	988	apr_table_setn(env,
	989	apr_psprintf(r->pool,
	990	"%s_S_AN%u",
	991	MGS_SIDE, i),
	992	apr_psprintf(r->pool,
	993	"RFC822NAME:%s",
	994	tmp2));
	995	} else if (ret == GNUTLS_SAN_URI) {
	996	apr_table_setn(env,
	997	apr_psprintf(r->pool,
	998	"%s_S_AN%u",
	999	MGS_SIDE, i),
	1000	apr_psprintf(r->pool,
	1001	"URI:%s",
	1002	tmp2));
	1003	} else {
	1004	apr_table_setn(env,
	1005	apr_psprintf(r->pool,
	1006	"%s_S_AN%u",
	1007	MGS_SIDE, i),
	1008	"UNSUPPORTED");
	1009	}
	1010	}
	1011	}
[e5bbda4]	1012	}
[7bebb42]	1013
[e5bbda4]	1014	static void
[e02dd8c]	1015	mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert,
[e183628]	1016	int side, int export_certificates_enabled) {
	1017	unsigned char sbuf[64]; /* buffer to hold serials */
	1018	char buf[AP_IOBUFSIZE];
	1019	const char *tmp;
	1020	size_t len;
	1021	int ret;
	1022
	1023	if (r == NULL)
	1024	return;
	1025
	1026	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	1027	apr_table_t *env = r->subprocess_env;
	1028
	1029	if (export_certificates_enabled != 0) {
	1030	char cert_buf[10 * 1024];
	1031	len = sizeof (cert_buf);
	1032
	1033	if (gnutls_openpgp_crt_export
	1034	(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0)
	1035	apr_table_setn(env,
	1036	apr_pstrcat(r->pool, MGS_SIDE,
	1037	"_CERT", NULL),
	1038	apr_pstrmemdup(r->pool, cert_buf,
	1039	len));
	1040
	1041	}
	1042
	1043	len = sizeof (buf);
	1044	gnutls_openpgp_crt_get_name(cert, 0, buf, &len);
	1045	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_NAME", NULL),
	1046	apr_pstrmemdup(r->pool, buf, len));
	1047
	1048	len = sizeof (sbuf);
	1049	gnutls_openpgp_crt_get_fingerprint(cert, sbuf, &len);
	1050	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof (buf));
	1051	apr_table_setn(env,
	1052	apr_pstrcat(r->pool, MGS_SIDE, "_FINGERPRINT",
	1053	NULL), apr_pstrdup(r->pool, tmp));
	1054
	1055	ret = gnutls_openpgp_crt_get_version(cert);
	1056	if (ret > 0)
	1057	apr_table_setn(env,
	1058	apr_pstrcat(r->pool, MGS_SIDE, "_M_VERSION",
	1059	NULL), apr_psprintf(r->pool,
	1060	"%u", ret));
	1061
	1062	apr_table_setn(env,
	1063	apr_pstrcat(r->pool, MGS_SIDE, "_CERT_TYPE", NULL),
	1064	"OPENPGP");
	1065
	1066	tmp =
	1067	mgs_time2sz(gnutls_openpgp_crt_get_expiration_time
	1068	(cert), buf, sizeof (buf));
	1069	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_END", NULL),
	1070	apr_pstrdup(r->pool, tmp));
	1071
	1072	tmp =
	1073	mgs_time2sz(gnutls_openpgp_crt_get_creation_time
	1074	(cert), buf, sizeof (buf));
	1075	apr_table_setn(env,
	1076	apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL),
	1077	apr_pstrdup(r->pool, tmp));
	1078
	1079	ret = gnutls_openpgp_crt_get_pk_algorithm(cert, NULL);
	1080	if (ret >= 0) {
	1081	apr_table_setn(env,
	1082	apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY",
	1083	NULL),
	1084	gnutls_pk_algorithm_get_name(ret));
	1085	}
[e5bbda4]	1086
	1087	}
	1088
[2b3a248]	1089	/* TODO: Allow client sending a X.509 certificate chain */
[e183628]	1090	static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) {
	1091	const gnutls_datum_t *cert_list;
	1092	unsigned int cert_list_size, status;
	1093	int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret;
	1094	unsigned int ch_size = 0;
	1095
	1096	union {
	1097	gnutls_x509_crt_t x509[MAX_CHAIN_SIZE];
	1098	gnutls_openpgp_crt_t pgp;
	1099	} cert;
	1100	apr_time_t expiration_time, cur_time;
	1101
	1102	if (r == NULL \|\| ctxt == NULL \|\| ctxt->session == NULL)
	1103	return HTTP_FORBIDDEN;
	1104
	1105	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	1106	cert_list =
	1107	gnutls_certificate_get_peers(ctxt->session, &cert_list_size);
	1108
	1109	if (cert_list == NULL \|\| cert_list_size == 0) {
	1110	/* It is perfectly OK for a client not to send a certificate if on REQUEST mode
	1111	*/
	1112	if (ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUEST)
	1113	return OK;
	1114
	1115	/* no certificate provided by the client, but one was required. */
	1116	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1117	"GnuTLS: Failed to Verify Peer: "
	1118	"Client did not submit a certificate");
	1119	return HTTP_FORBIDDEN;
	1120	}
	1121
	1122	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
	1123	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	1124	"GnuTLS: A Chain of %d certificate(s) was provided for validation",
	1125	cert_list_size);
	1126
	1127	for (ch_size = 0; ch_size < cert_list_size; ch_size++) {
	1128	gnutls_x509_crt_init(&cert.x509[ch_size]);
	1129	rv = gnutls_x509_crt_import(cert.x509[ch_size],
	1130	&cert_list[ch_size],
	1131	GNUTLS_X509_FMT_DER);
	1132	// When failure to import, leave the loop
	1133	if (rv != GNUTLS_E_SUCCESS) {
	1134	if (ch_size < 1) {
	1135	ap_log_rerror(APLOG_MARK,
	1136	APLOG_INFO, 0, r,
	1137	"GnuTLS: Failed to Verify Peer: "
	1138	"Failed to import peer certificates.");
	1139	ret = HTTP_FORBIDDEN;
	1140	goto exit;
	1141	}
	1142	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1143	"GnuTLS: Failed to import some peer certificates. Using %d certificates",
	1144	ch_size);
	1145	rv = GNUTLS_E_SUCCESS;
	1146	break;
	1147	}
	1148	}
	1149	} else if (gnutls_certificate_type_get(ctxt->session) ==
	1150	GNUTLS_CRT_OPENPGP) {
	1151	if (cert_list_size > 1) {
	1152	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1153	"GnuTLS: Failed to Verify Peer: "
	1154	"Chained Client Certificates are not supported.");
	1155	return HTTP_FORBIDDEN;
	1156	}
	1157
	1158	gnutls_openpgp_crt_init(&cert.pgp);
	1159	rv = gnutls_openpgp_crt_import(cert.pgp, &cert_list[0],
	1160	GNUTLS_OPENPGP_FMT_RAW);
	1161
	1162	} else
	1163	return HTTP_FORBIDDEN;
	1164
	1165	if (rv < 0) {
	1166	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1167	"GnuTLS: Failed to Verify Peer: "
	1168	"Failed to import peer certificates.");
	1169	ret = HTTP_FORBIDDEN;
	1170	goto exit;
	1171	}
	1172
	1173	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
	1174	apr_time_ansi_put(&expiration_time,
	1175	gnutls_x509_crt_get_expiration_time
	1176	(cert.x509[0]));
	1177
	1178	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	1179	"GnuTLS: Verifying list of %d certificate(s)",
	1180	ch_size);
	1181	rv = gnutls_x509_crt_list_verify(cert.x509, ch_size,
	1182	ctxt->sc->ca_list,
	1183	ctxt->sc->ca_list_size,
	1184	NULL, 0, 0, &status);
	1185	} else {
	1186	apr_time_ansi_put(&expiration_time,
	1187	gnutls_openpgp_crt_get_expiration_time
	1188	(cert.pgp));
	1189
	1190	rv = gnutls_openpgp_crt_verify_ring(cert.pgp,
	1191	ctxt->sc->pgp_list, 0,
	1192	&status);
	1193	}
	1194
	1195	if (rv < 0) {
	1196	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1197	"GnuTLS: Failed to Verify Peer certificate: (%d) %s",
	1198	rv, gnutls_strerror(rv));
	1199	if (rv == GNUTLS_E_NO_CERTIFICATE_FOUND)
	1200	ap_log_rerror(APLOG_MARK, APLOG_EMERG, 0, r,
	1201	"GnuTLS: No certificate was found for verification. Did you set the GnuTLSX509CAFile or GnuTLSPGPKeyringFile directives?");
	1202	ret = HTTP_FORBIDDEN;
	1203	goto exit;
	1204	}
	1205
	1206	/* TODO: X509 CRL Verification. */
	1207	/* May add later if anyone needs it.
	1208	*/
	1209	/* ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); */
	1210
	1211	cur_time = apr_time_now();
	1212
	1213	if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
	1214	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1215	"GnuTLS: Could not find Signer for Peer Certificate");
	1216	}
	1217
	1218	if (status & GNUTLS_CERT_SIGNER_NOT_CA) {
	1219	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1220	"GnuTLS: Peer's Certificate signer is not a CA");
	1221	}
	1222
	1223	if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
	1224	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1225	"GnuTLS: Peer's Certificate is using insecure algorithms");
	1226	}
	1227
	1228	if (status & GNUTLS_CERT_EXPIRED
	1229	\|\| status & GNUTLS_CERT_NOT_ACTIVATED) {
	1230	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1231	"GnuTLS: Peer's Certificate signer is expired or not yet activated");
	1232	}
	1233
	1234	if (status & GNUTLS_CERT_INVALID) {
	1235	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1236	"GnuTLS: Peer Certificate is invalid.");
	1237	} else if (status & GNUTLS_CERT_REVOKED) {
	1238	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1239	"GnuTLS: Peer Certificate is revoked.");
	1240	}
	1241
	1242	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
	1243	mgs_add_common_cert_vars(r, cert.x509[0], 1,
	1244	ctxt->
	1245	sc->export_certificates_enabled);
	1246	else if (gnutls_certificate_type_get(ctxt->session) ==
	1247	GNUTLS_CRT_OPENPGP)
	1248	mgs_add_common_pgpcert_vars(r, cert.pgp, 1,
	1249	ctxt->
	1250	sc->export_certificates_enabled);
	1251
	1252	{
	1253	/* days remaining */
	1254	unsigned long remain =
	1255	(apr_time_sec(expiration_time) -
	1256	apr_time_sec(cur_time)) / 86400;
	1257	apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN",
	1258	apr_psprintf(r->pool, "%lu", remain));
	1259	}
	1260
	1261	if (status == 0) {
	1262	apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY",
	1263	"SUCCESS");
	1264	ret = OK;
	1265	} else {
	1266	apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY",
	1267	"FAILED");
	1268	if (ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUEST)
	1269	ret = OK;
	1270	else
	1271	ret = HTTP_FORBIDDEN;
	1272	}
	1273
	1274	exit:
	1275	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
	1276	int i;
	1277	for (i = 0; i < ch_size; i++) {
	1278	gnutls_x509_crt_deinit(cert.x509[i]);
	1279	}
	1280	} else if (gnutls_certificate_type_get(ctxt->session) ==
	1281	GNUTLS_CRT_OPENPGP)
	1282	gnutls_openpgp_crt_deinit(cert.pgp);
	1283	return ret;
[7bebb42]	1284
	1285
	1286	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: