Context Navigation

gnutls_hooks.c @ 14d718f

Visit:

debian/masterdebian/stretch-backportsjessie-backportsmsvaupstream

Last change on this file since 14d718f was 14d718f, checked in by Dash Shendy <neuromancer@…>, 7 years ago

Added support for wildcards in ServerAlias? configuration directive

Signed-off-by: Dash Shendy <neuromancer@…>

Property mode set to 100644

File size: 39.7 KB

Rev	Line
[c301152]	1	/**
	2	* Copyright 2004-2005 Paul Querna
[e183628]	3	* Copyright 2008 Nikos Mavrogiannopoulos
	4	* Copyright 2011 Dash Shendy
[c301152]	5	*
	6	* Licensed under the Apache License, Version 2.0 (the "License");
	7	* you may not use this file except in compliance with the License.
	8	* You may obtain a copy of the License at
	9	*
	10	* http://www.apache.org/licenses/LICENSE-2.0
	11	*
	12	* Unless required by applicable law or agreed to in writing, software
	13	* distributed under the License is distributed on an "AS IS" BASIS,
	14	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	15	* See the License for the specific language governing permissions and
	16	* limitations under the License.
	17	*
	18	*/
	19
	20	#include "mod_gnutls.h"
	21	#include "http_vhost.h"
[84cb5b2]	22	#include "ap_mpm.h"
[c301152]	23
[0499540]	24
[c301152]	25	#if !USING_2_1_RECENT
	26	extern server_rec *ap_server_conf;
	27	#endif
	28
	29	#if MOD_GNUTLS_DEBUG
[7bebb42]	30	static apr_file_t *debug_log_fp;
[c301152]	31	#endif
	32
[e183628]	33	static gnutls_datum session_ticket_key = {NULL, 0};
[84cb5b2]	34
[7bebb42]	35	static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
	36	/* use side==0 for server and side==1 for client */
[e02dd8c]	37	static void mgs_add_common_cert_vars(request_rec * r,
[e183628]	38	gnutls_x509_crt_t cert, int side,
	39	int export_certificates_enabled);
[e02dd8c]	40	static void mgs_add_common_pgpcert_vars(request_rec * r,
[e183628]	41	gnutls_openpgp_crt_t cert,
	42	int side,
	43	int export_certificates_enabled);
	44
[37f8282]	45	apr_status_t mgs_cleanup_pre_config(void *data) {
[e183628]	46	gnutls_free(session_ticket_key.data);
	47	session_ticket_key.data = NULL;
	48	session_ticket_key.size = 0;
	49	gnutls_global_deinit();
	50	return APR_SUCCESS;
[c301152]	51	}
	52
	53	#if MOD_GNUTLS_DEBUG
[e183628]	54	static void gnutls_debug_log_all(int level, const char *str) {
	55	apr_file_printf(debug_log_fp, "<%d> %s\n", level, str);
[c301152]	56	}
[a208cd3]	57	#define _gnutls_log apr_file_printf
	58	#else
[e183628]	59	#define _gnutls_log(...)
[c301152]	60	#endif
	61
[37f8282]	62	int mgs_hook_pre_config(apr_pool_t * pconf, apr_pool_t * plog,
	63	apr_pool_t * ptemp) {
[26b08fd]	64	#if MOD_GNUTLS_DEBUG
[e183628]	65	apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
	66	APR_APPEND \| APR_WRITE \| APR_CREATE, APR_OS_DEFAULT,
	67	pconf);
[26b08fd]	68
[e183628]	69	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	70	gnutls_global_set_log_level(9);
	71	gnutls_global_set_log_function(gnutls_debug_log_all);
[37f8282]	72	_gnutls_log(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL));
[33826c5]	73	#endif
	74	int ret;
[26b08fd]	75
[e183628]	76	if (gnutls_check_version(LIBGNUTLS_VERSION) == NULL) {
	77	_gnutls_log(debug_log_fp,
	78	"gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n",
	79	LIBGNUTLS_VERSION, gnutls_check_version(NULL));
[33826c5]	80	return DECLINED;
[e183628]	81	}
[e02dd8c]	82
[e183628]	83	ret = gnutls_global_init();
	84	if (ret < 0) {
	85	_gnutls_log(debug_log_fp, "gnutls_global_init: %s\n",
	86	gnutls_strerror(ret));
[33826c5]	87	return DECLINED;
[e183628]	88	}
[2b3a248]	89
[e183628]	90	ret = gnutls_session_ticket_key_generate(&session_ticket_key);
	91	if (ret < 0) {
	92	_gnutls_log(debug_log_fp,
	93	"gnutls_session_ticket_key_generate: %s\n",
	94	gnutls_strerror(ret));
	95	}
[e5bbda4]	96
[e183628]	97	apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config,
	98	apr_pool_cleanup_null);
[c301152]	99
	100
[e183628]	101	return OK;
[c301152]	102	}
	103
[e183628]	104	static int mgs_select_virtual_server_cb(gnutls_session_t session) {
	105	mgs_handle_t *ctxt;
	106	mgs_srvconf_rec *tsc;
[9180a60]	107	int ret = 0;
[7bebb42]	108
[e183628]	109	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
[26b08fd]	110
[e183628]	111	ctxt = gnutls_transport_get_ptr(session);
[7bebb42]	112
[e183628]	113	/* find the virtual server */
	114	tsc = mgs_find_sni_server(session);
[7bebb42]	115
[e183628]	116	if (tsc != NULL)
	117	ctxt->sc = tsc;
[7bebb42]	118
[e183628]	119	gnutls_certificate_server_set_request(session,
	120	ctxt->
	121	sc->client_verify_mode);
[7bebb42]	122
[e183628]	123	/* set the new server credentials
	124	*/
[7bebb42]	125
[e183628]	126	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
	127	ctxt->sc->certs);
[7bebb42]	128
[e183628]	129	gnutls_credentials_set(session, GNUTLS_CRD_ANON,
	130	ctxt->sc->anon_creds);
[7bebb42]	131
[787dab7]	132	#ifdef ENABLE_SRP
[e183628]	133	if (ctxt->sc->srp_tpasswd_conf_file != NULL
	134	&& ctxt->sc->srp_tpasswd_file != NULL) {
	135	gnutls_credentials_set(session, GNUTLS_CRD_SRP,
	136	ctxt->sc->srp_creds);
	137	}
[787dab7]	138	#endif
[7bebb42]	139
[e183628]	140	/* update the priorities - to avoid negotiating a ciphersuite that is not
	141	* enabled on this virtual server. Note that here we ignore the version
	142	* negotiation.
	143	*/
	144	ret = gnutls_priority_set(session, ctxt->sc->priorities);
	145	/* actually it shouldn't fail since we have checked at startup */
[9180a60]	146	return ret;
[7bebb42]	147	}
	148
[cf10d49]	149	static int cert_retrieve_fn(gnutls_session_t session,
	150	const gnutls_datum_t * req_ca_rdn, int nreqs,
	151	const gnutls_pk_algorithm_t * pk_algos, int pk_algos_length,
	152	gnutls_retr2_st *ret) {
	153
[e183628]	154	mgs_handle_t *ctxt;
[e02dd8c]	155
[e183628]	156	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	157	ctxt = gnutls_transport_get_ptr(session);
[7bebb42]	158
[e183628]	159	if (ctxt == NULL)
	160	return GNUTLS_E_INTERNAL_ERROR;
[7bebb42]	161
[e183628]	162	if (gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) {
[9180a60]	163	ret->cert_type = GNUTLS_CRT_X509;
	164	ret->key_type = GNUTLS_PRIVKEY_X509;
[e183628]	165	ret->ncerts = ctxt->sc->certs_x509_num;
	166	ret->deinit_all = 0;
[df34f08]	167
[e183628]	168	ret->cert.x509 = ctxt->sc->certs_x509;
	169	ret->key.x509 = ctxt->sc->privkey_x509;
[e5bbda4]	170
[e183628]	171	return 0;
[9180a60]	172	} else if (gnutls_certificate_type_get(session) == GNUTLS_CRT_OPENPGP) {
	173	ret->cert_type = GNUTLS_CRT_OPENPGP;
	174	ret->key_type = GNUTLS_PRIVKEY_OPENPGP;
[e183628]	175	ret->ncerts = 1;
	176	ret->deinit_all = 0;
[e5bbda4]	177
[e183628]	178	ret->cert.pgp = ctxt->sc->cert_pgp;
	179	ret->key.pgp = ctxt->sc->privkey_pgp;
[e5bbda4]	180
[e183628]	181	return 0;
[7bebb42]	182
[e183628]	183	}
[e02dd8c]	184
[e183628]	185	return GNUTLS_E_INTERNAL_ERROR;
[7bebb42]	186	}
	187
[37f8282]	188	/* 2048-bit group parameters from SRP specification */
[7bebb42]	189	const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
[e183628]	190	"MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
	191	"gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
	192	"KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
	193	"dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
	194	"YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
	195	"Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
	196	"-----END DH PARAMETERS-----\n";
[fd73a08]	197
	198	/* Read the common name or the alternative name of the certificate.
	199	* We only support a single name per certificate.
	200	*
	201	* Returns negative on error.
	202	*/
[a5dc815]	203	static int read_crt_cn(server_rec * s, apr_pool_t * p,
[e183628]	204	gnutls_x509_crt_t cert, char **cert_cn) {
	205	int rv = 0, i;
	206	size_t data_len;
	207
	208
	209	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	210	*cert_cn = NULL;
	211
	212	data_len = 0;
	213	rv = gnutls_x509_crt_get_dn_by_oid(cert,
	214	GNUTLS_OID_X520_COMMON_NAME,
	215	0, 0, NULL, &data_len);
	216
	217	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
	218	*cert_cn = apr_palloc(p, data_len);
	219	rv = gnutls_x509_crt_get_dn_by_oid(cert,
	220	GNUTLS_OID_X520_COMMON_NAME,
	221	0, 0, *cert_cn,
	222	&data_len);
	223	} else { /* No CN return subject alternative name */
	224	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
	225	"No common name found in certificate for '%s:%d'. Looking for subject alternative name...",
	226	s->server_hostname, s->port);
	227	rv = 0;
	228	/* read subject alternative name */
	229	for (i = 0; !(rv < 0); i++) {
	230	data_len = 0;
	231	rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
	232	NULL,
	233	&data_len,
	234	NULL);
	235
	236	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER
	237	&& data_len > 1) {
	238	/* FIXME: not very efficient. What if we have several alt names
	239	* before DNSName?
	240	*/
	241	*cert_cn = apr_palloc(p, data_len + 1);
	242
	243	rv = gnutls_x509_crt_get_subject_alt_name
	244	(cert, i, *cert_cn, &data_len, NULL);
	245	(*cert_cn)[data_len] = 0;
	246
	247	if (rv == GNUTLS_SAN_DNSNAME)
	248	break;
	249	}
	250	}
	251	}
	252
	253	return rv;
[e5bbda4]	254	}
	255
	256	static int read_pgpcrt_cn(server_rec * s, apr_pool_t * p,
[e183628]	257	gnutls_openpgp_crt_t cert, char **cert_cn) {
	258	int rv = 0;
	259	size_t data_len;
[e5bbda4]	260
	261
[e183628]	262	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	263	*cert_cn = NULL;
[e5bbda4]	264
[e183628]	265	data_len = 0;
	266	rv = gnutls_openpgp_crt_get_name(cert, 0, NULL, &data_len);
[e5bbda4]	267
[e183628]	268	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
	269	*cert_cn = apr_palloc(p, data_len);
	270	rv = gnutls_openpgp_crt_get_name(cert, 0, *cert_cn,
	271	&data_len);
	272	} else { /* No CN return subject alternative name */
	273	ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
	274	"No name found in PGP certificate for '%s:%d'.",
	275	s->server_hostname, s->port);
	276	}
[fd73a08]	277
[e183628]	278	return rv;
[fd73a08]	279	}
[7bebb42]	280
	281	int
	282	mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
[e183628]	283	apr_pool_t * ptemp, server_rec * base_server) {
	284	int rv;
	285	server_rec *s;
	286	gnutls_dh_params_t dh_params = NULL;
	287	mgs_srvconf_rec *sc;
	288	mgs_srvconf_rec *sc_base;
	289	void *data = NULL;
	290	int first_run = 0;
	291	const char *userdata_key = "mgs_init";
	292
	293	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	294	apr_pool_userdata_get(&data, userdata_key,
	295	base_server->process->pool);
	296	if (data == NULL) {
	297	first_run = 1;
	298	apr_pool_userdata_set((const void *) 1, userdata_key,
	299	apr_pool_cleanup_null,
	300	base_server->process->pool);
	301	}
	302
	303
	304	s = base_server;
	305	sc_base =
	306	(mgs_srvconf_rec *) ap_get_module_config(s->module_config,
	307	&gnutls_module);
	308
	309	gnutls_dh_params_init(&dh_params);
	310
	311	if (sc_base->dh_params == NULL) {
[37f8282]	312	gnutls_datum pdata = {
	313	(void *) static_dh_params,
	314	sizeof(static_dh_params)
	315	};
	316	rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
	317	GNUTLS_X509_FMT_PEM);
	318	/* Generate DH Params
[74f798f]	319	int dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH,
	320	GNUTLS_SEC_PARAM_NORMAL);
	321	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
[da8c2fe]	322	"GnuTLS: Generating DH Params of %i bits. "
[74f798f]	323	"To avoid this use GnuTLSDHFile to specify DH Params for this host",
	324	dh_bits);
[37f8282]	325	#if MOD_GNUTLS_DEBUG
	326	ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
	327	"GnuTLS: Generated DH Params of %i bits",dh_bits);
	328	#endif
[74f798f]	329	rv = gnutls_dh_params_generate2 (dh_params,dh_bits);
[37f8282]	330	*/
[e183628]	331	if (rv < 0) {
	332	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
[37f8282]	333	"GnuTLS: Unable to generate or load DH Params: (%d) %s",
[e183628]	334	rv, gnutls_strerror(rv));
	335	exit(rv);
[37f8282]	336	}
[410d216]	337	} else {
[e183628]	338	dh_params = sc_base->dh_params;
[410d216]	339	}
[e183628]	340
	341	rv = mgs_cache_post_config(p, s, sc_base);
	342	if (rv != 0) {
	343	ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
	344	"GnuTLS: Post Config for GnuTLSCache Failed."
	345	" Shutting Down.");
	346	exit(-1);
	347	}
	348
	349	for (s = base_server; s; s = s->next) {
	350	sc = (mgs_srvconf_rec *)
	351	ap_get_module_config(s->module_config, &gnutls_module);
	352	sc->cache_type = sc_base->cache_type;
	353	sc->cache_config = sc_base->cache_config;
	354
	355	/* Check if the priorities have been set */
[33826c5]	356	if (sc->priorities == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
[e183628]	357	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	358	"GnuTLS: Host '%s:%d' is missing the GnuTLSPriorities directive!",
	359	s->server_hostname, s->port);
	360	exit(-1);
	361	}
	362
	363	/* Check if DH or RSA params have been set per host */
[410d216]	364	if (sc->rsa_params != NULL) {
	365	gnutls_certificate_set_rsa_export_params(sc->certs, sc->rsa_params);
	366	}
	367	/* else not an error but RSA-EXPORT ciphersuites are not available */
	368
	369	if (sc->dh_params != NULL) {
	370	gnutls_certificate_set_dh_params(sc->certs, sc->dh_params);
	371	gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params);
	372	} else if (dh_params) {
	373	gnutls_certificate_set_dh_params(sc->certs, dh_params);
	374	gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params);
[e183628]	375	}
	376
[d2ee1a1]	377	gnutls_certificate_set_retrieve_function(sc->certs, cert_retrieve_fn);
[fd73a08]	378
[787dab7]	379	#ifdef ENABLE_SRP
[e183628]	380	if (sc->srp_tpasswd_conf_file != NULL
	381	&& sc->srp_tpasswd_file != NULL) {
	382	rv = gnutls_srp_set_server_credentials_file
	383	(sc->srp_creds, sc->srp_tpasswd_file,
	384	sc->srp_tpasswd_conf_file);
	385
	386	if (rv < 0 && sc->enabled == GNUTLS_ENABLED_TRUE) {
	387	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0,
	388	s,
	389	"[GnuTLS] - Host '%s:%d' is missing a "
	390	"SRP password or conf File!",
	391	s->server_hostname, s->port);
	392	exit(-1);
	393	}
	394	}
[787dab7]	395	#endif
[7bebb42]	396
[e183628]	397	if (sc->certs_x509[0] == NULL &&
	398	sc->cert_pgp == NULL &&
	399	sc->enabled == GNUTLS_ENABLED_TRUE) {
	400	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	401	"[GnuTLS] - Host '%s:%d' is missing a "
	402	"Certificate File!",
	403	s->server_hostname, s->port);
	404	exit(-1);
	405	}
	406
	407	if (sc->enabled == GNUTLS_ENABLED_TRUE &&
	408	((sc->certs_x509[0] != NULL
	409	&& sc->privkey_x509 == NULL) \|\| (sc->cert_pgp != NULL
	410	&& sc->privkey_pgp
	411	== NULL))) {
	412	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	413	"[GnuTLS] - Host '%s:%d' is missing a "
	414	"Private Key File!",
	415	s->server_hostname, s->port);
	416	exit(-1);
	417	}
	418
	419	if (sc->enabled == GNUTLS_ENABLED_TRUE) {
	420	rv = read_crt_cn(s, p, sc->certs_x509[0],
	421	&sc->cert_cn);
	422	if (rv < 0 && sc->cert_pgp != NULL) /* try openpgp certificate */
	423	rv = read_pgpcrt_cn(s, p, sc->cert_pgp,
	424	&sc->cert_cn);
	425
	426	if (rv < 0) {
	427	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0,
	428	s,
	429	"[GnuTLS] - Cannot find a certificate for host '%s:%d'!",
	430	s->server_hostname, s->port);
	431	sc->cert_cn = NULL;
	432	continue;
	433	}
	434	}
	435	}
	436
	437
	438	ap_add_version_component(p, "mod_gnutls/" MOD_GNUTLS_VERSION);
	439
	440	return OK;
[c301152]	441	}
	442
[e183628]	443	void mgs_hook_child_init(apr_pool_t * p, server_rec * s) {
	444	apr_status_t rv = APR_SUCCESS;
	445	mgs_srvconf_rec *sc = ap_get_module_config(s->module_config,
	446	&gnutls_module);
	447
	448	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	449	if (sc->cache_type != mgs_cache_none) {
	450	rv = mgs_cache_child_init(p, s, sc);
	451	if (rv != APR_SUCCESS) {
	452	ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
	453	"[GnuTLS] - Failed to run Cache Init");
	454	}
	455	}
[33826c5]	456	/* Block SIGPIPE Signals */
[37f8282]	457	rv = apr_signal_block(SIGPIPE);
	458	if(rv != APR_SUCCESS) {
[33826c5]	459	/* error sending output */
[37f8282]	460	ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
[33826c5]	461	"GnuTLS: Error Blocking SIGPIPE Signal!");
	462	}
[c301152]	463	}
	464
[e183628]	465	const char mgs_hook_http_scheme(const request_rec r) {
	466	mgs_srvconf_rec *sc;
[c301152]	467
[e183628]	468	if (r == NULL)
	469	return NULL;
[e02dd8c]	470
[e183628]	471	sc = (mgs_srvconf_rec *) ap_get_module_config(r->
	472	server->module_config,
	473	&gnutls_module);
[e02dd8c]	474
[e183628]	475	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	476	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
	477	return NULL;
	478	}
[e02dd8c]	479
[e183628]	480	return "https";
[c301152]	481	}
	482
[e183628]	483	apr_port_t mgs_hook_default_port(const request_rec * r) {
	484	mgs_srvconf_rec *sc;
[e02dd8c]	485
[e183628]	486	if (r == NULL)
	487	return 0;
[e02dd8c]	488
[e183628]	489	sc = (mgs_srvconf_rec *) ap_get_module_config(r->
	490	server->module_config,
	491	&gnutls_module);
[e02dd8c]	492
[e183628]	493	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	494	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
	495	return 0;
	496	}
[c301152]	497
[e183628]	498	return 443;
[c301152]	499	}
	500
	501	#define MAX_HOST_LEN 255
	502
	503	#if USING_2_1_RECENT
[e183628]	504
[7bebb42]	505	typedef struct {
[e183628]	506	mgs_handle_t *ctxt;
	507	mgs_srvconf_rec *sc;
	508	const char *sni_name;
[c301152]	509	} vhost_cb_rec;
	510
[14d718f]	511	/**
	512	* Matches the current vhost's ServerAlias directives
	513	*
	514	* @param x vhost callback record
	515	* @param s server record
	516	* @return true if a match, false otherwise
	517	*
	518	*/
	519	int check_server_aliases(vhost_cb_rec x, server_rec s, mgs_srvconf_rec *tsc) {
	520	apr_array_header_t *names;
	521	int i,rv = 0;
	522
	523	/* Check ServerName First! */
	524	if(apr_strnatcasecmp(x->sni_name, s->server_hostname) == 0) {
	525	// We have a match, save this server configuration
	526	x->sc = tsc;
	527	rv = 1;
	528	/* Check any ServerAlias directives */
	529	} else if(s->names) {
	530	names = s->names;
	531	char name = (char )names->elts;
	532	for (i = 0; i < names->nelts; ++i) {
	533	if (!name[i]) { continue; }
	534	if (apr_strnatcasecmp(x->sni_name, name[i]) == 0) {
	535	// We have a match, save this server configuration
	536	x->sc = tsc;
	537	rv = 1;
	538	}
	539	}
	540	/* Wild any ServerAlias Directives */
	541	} else if(s->wild_names) {
	542	names = s->wild_names;
	543	char name = (char )names->elts;
	544	for (i = 0; i < names->nelts; ++i) {
	545	if (!name[i]) { continue; }
	546	if(apr_fnmatch(name[i], x->sni_name ,
	547	APR_FNM_CASE_BLIND\|
	548	APR_FNM_PERIOD\|
	549	APR_FNM_PATHNAME\|
	550	APR_FNM_NOESCAPE) == APR_SUCCESS) {
	551	x->sc = tsc;
	552	rv = 1;
	553	}
	554	}
	555	}
	556	return rv;
	557	}
	558
[e183628]	559	static int vhost_cb(void baton, conn_rec conn, server_rec * s) {
	560	mgs_srvconf_rec *tsc;
	561	vhost_cb_rec *x = baton;
[8764d0d]	562
[e183628]	563	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	564	tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
	565	&gnutls_module);
[7bebb42]	566
[e183628]	567	if (tsc->enabled != GNUTLS_ENABLED_TRUE \|\| tsc->cert_cn == NULL) {
	568	return 0;
	569	}
[8764d0d]	570
[14d718f]	571	return check_server_aliases(x, s, tsc);
[c301152]	572	}
	573	#endif
	574
[e183628]	575	mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session) {
	576	int rv;
	577	unsigned int sni_type;
	578	size_t data_len = MAX_HOST_LEN;
	579	char sni_name[MAX_HOST_LEN];
	580	mgs_handle_t *ctxt;
[c301152]	581	#if USING_2_1_RECENT
[e183628]	582	vhost_cb_rec cbx;
[c301152]	583	#else
[e183628]	584	server_rec *s;
	585	mgs_srvconf_rec *tsc;
[c301152]	586	#endif
[7bebb42]	587
[e183628]	588	if (session == NULL)
	589	return NULL;
[368b574]	590
[e183628]	591	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	592	ctxt = gnutls_transport_get_ptr(session);
[7bebb42]	593
[e183628]	594	rv = gnutls_server_name_get(ctxt->session, sni_name,
	595	&data_len, &sni_type, 0);
[7bebb42]	596
[e183628]	597	if (rv != 0) {
	598	return NULL;
	599	}
[7bebb42]	600
[e183628]	601	if (sni_type != GNUTLS_NAME_DNS) {
	602	ap_log_error(APLOG_MARK, APLOG_CRIT, 0,
	603	ctxt->c->base_server,
	604	"GnuTLS: Unknown type '%d' for SNI: "
	605	"'%s'", sni_type, sni_name);
	606	return NULL;
	607	}
[7bebb42]	608
[c301152]	609	/**
	610	* Code in the Core already sets up the c->base_server as the base
	611	* for this IP/Port combo. Trust that the core did the 'right' thing.
	612	*/
	613	#if USING_2_1_RECENT
[e183628]	614	cbx.ctxt = ctxt;
	615	cbx.sc = NULL;
	616	cbx.sni_name = sni_name;
	617
	618	rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
	619	if (rv == 1) {
	620	return cbx.sc;
	621	}
[e02dd8c]	622	#else
[e183628]	623	for (s = ap_server_conf; s; s = s->next) {
	624
[b7098b2]	625	tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
	626	&gnutls_module);
	627
	628	if (tsc->enabled != GNUTLS_ENABLED_TRUE) { continue; }
[14d718f]	629
	630	if(check_server_aliases(x, s, tsc)) {
	631	return tsc;
	632	}
[c301152]	633	#endif
[e183628]	634	return NULL;
[836417f]	635	}
	636
[33826c5]	637	static void create_gnutls_handle(conn_rec * c) {
[e183628]	638	mgs_handle_t *ctxt;
[d0be765]	639	/* Get mod_gnutls Configuration Record */
	640	mgs_srvconf_rec sc =(mgs_srvconf_rec )
	641	ap_get_module_config(c->base_server->module_config,&gnutls_module);
[e183628]	642
	643	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
[33826c5]	644	ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
[e183628]	645	ctxt->c = c;
	646	ctxt->sc = sc;
	647	ctxt->status = 0;
	648	ctxt->input_rc = APR_SUCCESS;
	649	ctxt->input_bb = apr_brigade_create(c->pool, c->bucket_alloc);
	650	ctxt->input_cbuf.length = 0;
	651	ctxt->output_rc = APR_SUCCESS;
	652	ctxt->output_bb = apr_brigade_create(c->pool, c->bucket_alloc);
	653	ctxt->output_blen = 0;
	654	ctxt->output_length = 0;
[d0be765]	655	/* Initialize GnuTLS Library */
[e183628]	656	gnutls_init(&ctxt->session, GNUTLS_SERVER);
[d0be765]	657	/* Initialize Session Tickets */
	658	if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0) {
	659	gnutls_session_ticket_enable_server(ctxt->session,&session_ticket_key);
	660	}
[e183628]	661
[d0be765]	662	/* Set Default Priority */
[9180a60]	663	gnutls_set_default_priority(ctxt->session);
[d0be765]	664	/* Set Handshake function */
[e183628]	665	gnutls_handshake_set_post_client_hello_function(ctxt->session,
	666	mgs_select_virtual_server_cb);
[d0be765]	667	/* Initialize Session Cache */
[e183628]	668	mgs_cache_session_init(ctxt);
[33826c5]	669
	670	/* Set this config for this connection */
	671	ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
	672	/* Set pull, push & ptr functions */
	673	gnutls_transport_set_pull_function(ctxt->session,
	674	mgs_transport_read);
	675	gnutls_transport_set_push_function(ctxt->session,
	676	mgs_transport_write);
[9ee0464]	677	gnutls_transport_set_ptr(ctxt->session, ctxt);
[33826c5]	678	/* Add IO filters */
	679	ctxt->input_filter = ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME,
	680	ctxt, NULL, c);
	681	ctxt->output_filter = ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME,
	682	ctxt, NULL, c);
[e183628]	683	}
[e02dd8c]	684
[e183628]	685	int mgs_hook_pre_connection(conn_rec * c, void *csd) {
	686	mgs_srvconf_rec *sc;
[e02dd8c]	687
[e183628]	688	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
[e02dd8c]	689
[33826c5]	690	sc = (mgs_srvconf_rec *) ap_get_module_config(c->base_server->module_config,
[e183628]	691	&gnutls_module);
[c301152]	692
[37f8282]	693	if (sc && (!sc->enabled \|\| sc->proxy_enabled == GNUTLS_ENABLED_TRUE)) {
[e183628]	694	return DECLINED;
	695	}
[ae4a2b0]	696
[33826c5]	697	create_gnutls_handle(c);
[e183628]	698	return OK;
	699	}
[e02dd8c]	700
[e183628]	701	int mgs_hook_fixups(request_rec * r) {
	702	unsigned char sbuf[GNUTLS_MAX_SESSION_ID];
	703	char buf[AP_IOBUFSIZE];
	704	const char *tmp;
	705	size_t len;
	706	mgs_handle_t *ctxt;
	707	int rv = OK;
[c301152]	708
[e183628]	709	if (r == NULL)
	710	return DECLINED;
[c301152]	711
[e183628]	712	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	713	apr_table_t *env = r->subprocess_env;
[7bebb42]	714
[e183628]	715	ctxt =
	716	ap_get_module_config(r->connection->conn_config,
	717	&gnutls_module);
[c301152]	718
[e183628]	719	if (!ctxt \|\| ctxt->session == NULL) {
	720	return DECLINED;
	721	}
[c301152]	722
[e183628]	723	apr_table_setn(env, "HTTPS", "on");
	724
	725	apr_table_setn(env, "SSL_VERSION_LIBRARY",
	726	"GnuTLS/" LIBGNUTLS_VERSION);
	727	apr_table_setn(env, "SSL_VERSION_INTERFACE",
	728	"mod_gnutls/" MOD_GNUTLS_VERSION);
	729
	730	apr_table_setn(env, "SSL_PROTOCOL",
	731	gnutls_protocol_get_name(gnutls_protocol_get_version
	732	(ctxt->session)));
	733
	734	/* should have been called SSL_CIPHERSUITE instead */
	735	apr_table_setn(env, "SSL_CIPHER",
	736	gnutls_cipher_suite_get_name(gnutls_kx_get
	737	(ctxt->session),
	738	gnutls_cipher_get
	739	(ctxt->session),
	740	gnutls_mac_get
	741	(ctxt->session)));
	742
	743	apr_table_setn(env, "SSL_COMPRESS_METHOD",
	744	gnutls_compression_get_name(gnutls_compression_get
	745	(ctxt->session)));
[7bebb42]	746
[787dab7]	747	#ifdef ENABLE_SRP
[e183628]	748	tmp = gnutls_srp_server_get_username(ctxt->session);
	749	apr_table_setn(env, "SSL_SRP_USER", (tmp != NULL) ? tmp : "");
[787dab7]	750	#endif
[c301152]	751
[e183628]	752	if (apr_table_get(env, "SSL_CLIENT_VERIFY") == NULL)
	753	apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE");
[c301152]	754
[e183628]	755	unsigned int key_size =
	756	8 *
	757	gnutls_cipher_get_key_size(gnutls_cipher_get(ctxt->session));
	758	tmp = apr_psprintf(r->pool, "%u", key_size);
[c301152]	759
[e183628]	760	apr_table_setn(env, "SSL_CIPHER_USEKEYSIZE", tmp);
[c301152]	761
[e183628]	762	apr_table_setn(env, "SSL_CIPHER_ALGKEYSIZE", tmp);
[c301152]	763
[e183628]	764	apr_table_setn(env, "SSL_CIPHER_EXPORT",
	765	(key_size <= 40) ? "true" : "false");
[7bebb42]	766
[e183628]	767	len = sizeof (sbuf);
	768	gnutls_session_get_id(ctxt->session, sbuf, &len);
	769	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof (buf));
	770	apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp));
[7ba803b]	771
[e183628]	772	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
	773	mgs_add_common_cert_vars(r, ctxt->sc->certs_x509[0], 0,
	774	ctxt->
	775	sc->export_certificates_enabled);
	776	else if (gnutls_certificate_type_get(ctxt->session) ==
	777	GNUTLS_CRT_OPENPGP)
	778	mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0,
[33826c5]	779	ctxt->sc->export_certificates_enabled);
[7bebb42]	780
[e183628]	781	return rv;
[c301152]	782	}
	783
[e183628]	784	int mgs_hook_authz(request_rec * r) {
	785	int rv;
	786	mgs_handle_t *ctxt;
	787	mgs_dirconf_rec *dc;
	788
	789	if (r == NULL)
	790	return DECLINED;
	791
	792	dc = ap_get_module_config(r->per_dir_config, &gnutls_module);
	793
	794	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	795	ctxt =
	796	ap_get_module_config(r->connection->conn_config,
	797	&gnutls_module);
	798
	799	if (!ctxt \|\| ctxt->session == NULL) {
	800	return DECLINED;
	801	}
	802
	803	if (dc->client_verify_mode == GNUTLS_CERT_IGNORE) {
	804	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	805	"GnuTLS: Directory set to Ignore Client Certificate!");
	806	} else {
	807	if (ctxt->sc->client_verify_mode < dc->client_verify_mode) {
	808	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	809	"GnuTLS: Attempting to rehandshake with peer. %d %d",
	810	ctxt->sc->client_verify_mode,
	811	dc->client_verify_mode);
	812
	813	/* If we already have a client certificate, there's no point in
	814	* re-handshaking... */
	815	rv = mgs_cert_verify(r, ctxt);
	816	if (rv != DECLINED && rv != HTTP_FORBIDDEN)
	817	return rv;
	818
	819	gnutls_certificate_server_set_request
	820	(ctxt->session, dc->client_verify_mode);
	821
	822	if (mgs_rehandshake(ctxt) != 0) {
	823	return HTTP_FORBIDDEN;
	824	}
	825	} else if (ctxt->sc->client_verify_mode ==
	826	GNUTLS_CERT_IGNORE) {
[c301152]	827	#if MOD_GNUTLS_DEBUG
[e183628]	828	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	829	"GnuTLS: Peer is set to IGNORE");
[c301152]	830	#endif
[e183628]	831	return DECLINED;
	832	}
	833	rv = mgs_cert_verify(r, ctxt);
	834	if (rv != DECLINED &&
	835	(rv != HTTP_FORBIDDEN \|\|
	836	dc->client_verify_mode == GNUTLS_CERT_REQUIRE)) {
	837	return rv;
	838	}
	839	}
	840
	841	return DECLINED;
[7bebb42]	842	}
	843
	844	/* variables that are not sent by default:
	845	*
	846	* SSL_CLIENT_CERT string PEM-encoded client certificate
	847	* SSL_SERVER_CERT string PEM-encoded client certificate
	848	*/
[836c2f9]	849
[7bebb42]	850	/* side is either 0 for SERVER or 1 for CLIENT
	851	*/
	852	#define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT")
[e183628]	853
[7bebb42]	854	static void
[e5bbda4]	855	mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side,
[e183628]	856	int export_certificates_enabled) {
	857	unsigned char sbuf[64]; /* buffer to hold serials */
	858	char buf[AP_IOBUFSIZE];
	859	const char *tmp;
	860	char *tmp2;
	861	size_t len;
	862	int ret, i;
	863
	864	if (r == NULL)
	865	return;
	866
	867	apr_table_t *env = r->subprocess_env;
	868
	869	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	870	if (export_certificates_enabled != 0) {
	871	char cert_buf[10 * 1024];
	872	len = sizeof (cert_buf);
	873
	874	if (gnutls_x509_crt_export
	875	(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
	876	apr_table_setn(env,
	877	apr_pstrcat(r->pool, MGS_SIDE,
	878	"_CERT", NULL),
	879	apr_pstrmemdup(r->pool, cert_buf,
	880	len));
	881
	882	}
	883
	884	len = sizeof (buf);
	885	gnutls_x509_crt_get_dn(cert, buf, &len);
	886	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_S_DN", NULL),
	887	apr_pstrmemdup(r->pool, buf, len));
	888
	889	len = sizeof (buf);
	890	gnutls_x509_crt_get_issuer_dn(cert, buf, &len);
	891	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_I_DN", NULL),
	892	apr_pstrmemdup(r->pool, buf, len));
	893
	894	len = sizeof (sbuf);
	895	gnutls_x509_crt_get_serial(cert, sbuf, &len);
	896	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof (buf));
	897	apr_table_setn(env,
	898	apr_pstrcat(r->pool, MGS_SIDE, "_M_SERIAL", NULL),
	899	apr_pstrdup(r->pool, tmp));
	900
	901	ret = gnutls_x509_crt_get_version(cert);
	902	if (ret > 0)
	903	apr_table_setn(env,
	904	apr_pstrcat(r->pool, MGS_SIDE, "_M_VERSION",
	905	NULL), apr_psprintf(r->pool,
	906	"%u", ret));
	907
	908	apr_table_setn(env,
	909	apr_pstrcat(r->pool, MGS_SIDE, "_CERT_TYPE", NULL),
	910	"X.509");
	911
	912	tmp =
	913	mgs_time2sz(gnutls_x509_crt_get_expiration_time
	914	(cert), buf, sizeof (buf));
	915	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_END", NULL),
	916	apr_pstrdup(r->pool, tmp));
	917
	918	tmp =
	919	mgs_time2sz(gnutls_x509_crt_get_activation_time
	920	(cert), buf, sizeof (buf));
	921	apr_table_setn(env,
	922	apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL),
	923	apr_pstrdup(r->pool, tmp));
	924
	925	ret = gnutls_x509_crt_get_signature_algorithm(cert);
	926	if (ret >= 0) {
	927	apr_table_setn(env,
	928	apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG",
	929	NULL),
	930	gnutls_sign_algorithm_get_name(ret));
	931	}
	932
	933	ret = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
	934	if (ret >= 0) {
	935	apr_table_setn(env,
	936	apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY",
	937	NULL),
	938	gnutls_pk_algorithm_get_name(ret));
	939	}
	940
	941	/* export all the alternative names (DNS, RFC822 and URI) */
	942	for (i = 0; !(ret < 0); i++) {
	943	len = 0;
	944	ret = gnutls_x509_crt_get_subject_alt_name(cert, i,
	945	NULL, &len,
	946	NULL);
	947
	948	if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER && len > 1) {
	949	tmp2 = apr_palloc(r->pool, len + 1);
	950
	951	ret =
	952	gnutls_x509_crt_get_subject_alt_name(cert, i,
	953	tmp2,
	954	&len,
	955	NULL);
	956	tmp2[len] = 0;
	957
	958	if (ret == GNUTLS_SAN_DNSNAME) {
	959	apr_table_setn(env,
	960	apr_psprintf(r->pool,
	961	"%s_S_AN%u",
	962	MGS_SIDE, i),
	963	apr_psprintf(r->pool,
	964	"DNSNAME:%s",
	965	tmp2));
	966	} else if (ret == GNUTLS_SAN_RFC822NAME) {
	967	apr_table_setn(env,
	968	apr_psprintf(r->pool,
	969	"%s_S_AN%u",
	970	MGS_SIDE, i),
	971	apr_psprintf(r->pool,
	972	"RFC822NAME:%s",
	973	tmp2));
	974	} else if (ret == GNUTLS_SAN_URI) {
	975	apr_table_setn(env,
	976	apr_psprintf(r->pool,
	977	"%s_S_AN%u",
	978	MGS_SIDE, i),
	979	apr_psprintf(r->pool,
	980	"URI:%s",
	981	tmp2));
	982	} else {
	983	apr_table_setn(env,
	984	apr_psprintf(r->pool,
	985	"%s_S_AN%u",
	986	MGS_SIDE, i),
	987	"UNSUPPORTED");
	988	}
	989	}
	990	}
[e5bbda4]	991	}
[7bebb42]	992
[e5bbda4]	993	static void
[e02dd8c]	994	mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert,
[e183628]	995	int side, int export_certificates_enabled) {
	996	unsigned char sbuf[64]; /* buffer to hold serials */
	997	char buf[AP_IOBUFSIZE];
	998	const char *tmp;
	999	size_t len;
	1000	int ret;
	1001
	1002	if (r == NULL)
	1003	return;
	1004
	1005	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	1006	apr_table_t *env = r->subprocess_env;
	1007
	1008	if (export_certificates_enabled != 0) {
	1009	char cert_buf[10 * 1024];
	1010	len = sizeof (cert_buf);
	1011
	1012	if (gnutls_openpgp_crt_export
	1013	(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0)
	1014	apr_table_setn(env,
	1015	apr_pstrcat(r->pool, MGS_SIDE,
	1016	"_CERT", NULL),
	1017	apr_pstrmemdup(r->pool, cert_buf,
	1018	len));
	1019
	1020	}
	1021
	1022	len = sizeof (buf);
	1023	gnutls_openpgp_crt_get_name(cert, 0, buf, &len);
	1024	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_NAME", NULL),
	1025	apr_pstrmemdup(r->pool, buf, len));
	1026
	1027	len = sizeof (sbuf);
	1028	gnutls_openpgp_crt_get_fingerprint(cert, sbuf, &len);
	1029	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof (buf));
	1030	apr_table_setn(env,
	1031	apr_pstrcat(r->pool, MGS_SIDE, "_FINGERPRINT",
	1032	NULL), apr_pstrdup(r->pool, tmp));
	1033
	1034	ret = gnutls_openpgp_crt_get_version(cert);
	1035	if (ret > 0)
	1036	apr_table_setn(env,
	1037	apr_pstrcat(r->pool, MGS_SIDE, "_M_VERSION",
	1038	NULL), apr_psprintf(r->pool,
	1039	"%u", ret));
	1040
	1041	apr_table_setn(env,
	1042	apr_pstrcat(r->pool, MGS_SIDE, "_CERT_TYPE", NULL),
	1043	"OPENPGP");
	1044
	1045	tmp =
	1046	mgs_time2sz(gnutls_openpgp_crt_get_expiration_time
	1047	(cert), buf, sizeof (buf));
	1048	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_END", NULL),
	1049	apr_pstrdup(r->pool, tmp));
	1050
	1051	tmp =
	1052	mgs_time2sz(gnutls_openpgp_crt_get_creation_time
	1053	(cert), buf, sizeof (buf));
	1054	apr_table_setn(env,
	1055	apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL),
	1056	apr_pstrdup(r->pool, tmp));
	1057
	1058	ret = gnutls_openpgp_crt_get_pk_algorithm(cert, NULL);
	1059	if (ret >= 0) {
	1060	apr_table_setn(env,
	1061	apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY",
	1062	NULL),
	1063	gnutls_pk_algorithm_get_name(ret));
	1064	}
[e5bbda4]	1065
	1066	}
	1067
[2b3a248]	1068	/* TODO: Allow client sending a X.509 certificate chain */
[e183628]	1069	static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) {
	1070	const gnutls_datum_t *cert_list;
	1071	unsigned int cert_list_size, status;
	1072	int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret;
	1073	unsigned int ch_size = 0;
	1074
	1075	union {
	1076	gnutls_x509_crt_t x509[MAX_CHAIN_SIZE];
	1077	gnutls_openpgp_crt_t pgp;
	1078	} cert;
	1079	apr_time_t expiration_time, cur_time;
	1080
	1081	if (r == NULL \|\| ctxt == NULL \|\| ctxt->session == NULL)
	1082	return HTTP_FORBIDDEN;
	1083
	1084	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	1085	cert_list =
	1086	gnutls_certificate_get_peers(ctxt->session, &cert_list_size);
	1087
	1088	if (cert_list == NULL \|\| cert_list_size == 0) {
	1089	/* It is perfectly OK for a client not to send a certificate if on REQUEST mode
	1090	*/
	1091	if (ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUEST)
	1092	return OK;
	1093
	1094	/* no certificate provided by the client, but one was required. */
	1095	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1096	"GnuTLS: Failed to Verify Peer: "
	1097	"Client did not submit a certificate");
	1098	return HTTP_FORBIDDEN;
	1099	}
	1100
	1101	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
	1102	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	1103	"GnuTLS: A Chain of %d certificate(s) was provided for validation",
	1104	cert_list_size);
	1105
	1106	for (ch_size = 0; ch_size < cert_list_size; ch_size++) {
	1107	gnutls_x509_crt_init(&cert.x509[ch_size]);
	1108	rv = gnutls_x509_crt_import(cert.x509[ch_size],
	1109	&cert_list[ch_size],
	1110	GNUTLS_X509_FMT_DER);
	1111	// When failure to import, leave the loop
	1112	if (rv != GNUTLS_E_SUCCESS) {
	1113	if (ch_size < 1) {
	1114	ap_log_rerror(APLOG_MARK,
	1115	APLOG_INFO, 0, r,
	1116	"GnuTLS: Failed to Verify Peer: "
	1117	"Failed to import peer certificates.");
	1118	ret = HTTP_FORBIDDEN;
	1119	goto exit;
	1120	}
	1121	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1122	"GnuTLS: Failed to import some peer certificates. Using %d certificates",
	1123	ch_size);
	1124	rv = GNUTLS_E_SUCCESS;
	1125	break;
	1126	}
	1127	}
	1128	} else if (gnutls_certificate_type_get(ctxt->session) ==
	1129	GNUTLS_CRT_OPENPGP) {
	1130	if (cert_list_size > 1) {
	1131	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1132	"GnuTLS: Failed to Verify Peer: "
	1133	"Chained Client Certificates are not supported.");
	1134	return HTTP_FORBIDDEN;
	1135	}
	1136
	1137	gnutls_openpgp_crt_init(&cert.pgp);
	1138	rv = gnutls_openpgp_crt_import(cert.pgp, &cert_list[0],
	1139	GNUTLS_OPENPGP_FMT_RAW);
	1140
	1141	} else
	1142	return HTTP_FORBIDDEN;
	1143
	1144	if (rv < 0) {
	1145	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1146	"GnuTLS: Failed to Verify Peer: "
	1147	"Failed to import peer certificates.");
	1148	ret = HTTP_FORBIDDEN;
	1149	goto exit;
	1150	}
	1151
	1152	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
	1153	apr_time_ansi_put(&expiration_time,
	1154	gnutls_x509_crt_get_expiration_time
	1155	(cert.x509[0]));
	1156
	1157	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	1158	"GnuTLS: Verifying list of %d certificate(s)",
	1159	ch_size);
	1160	rv = gnutls_x509_crt_list_verify(cert.x509, ch_size,
	1161	ctxt->sc->ca_list,
	1162	ctxt->sc->ca_list_size,
	1163	NULL, 0, 0, &status);
	1164	} else {
	1165	apr_time_ansi_put(&expiration_time,
	1166	gnutls_openpgp_crt_get_expiration_time
	1167	(cert.pgp));
	1168
	1169	rv = gnutls_openpgp_crt_verify_ring(cert.pgp,
	1170	ctxt->sc->pgp_list, 0,
	1171	&status);
	1172	}
	1173
	1174	if (rv < 0) {
	1175	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1176	"GnuTLS: Failed to Verify Peer certificate: (%d) %s",
	1177	rv, gnutls_strerror(rv));
	1178	if (rv == GNUTLS_E_NO_CERTIFICATE_FOUND)
	1179	ap_log_rerror(APLOG_MARK, APLOG_EMERG, 0, r,
	1180	"GnuTLS: No certificate was found for verification. Did you set the GnuTLSX509CAFile or GnuTLSPGPKeyringFile directives?");
	1181	ret = HTTP_FORBIDDEN;
	1182	goto exit;
	1183	}
	1184
	1185	/* TODO: X509 CRL Verification. */
	1186	/* May add later if anyone needs it.
	1187	*/
	1188	/* ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); */
	1189
	1190	cur_time = apr_time_now();
	1191
	1192	if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
	1193	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1194	"GnuTLS: Could not find Signer for Peer Certificate");
	1195	}
	1196
	1197	if (status & GNUTLS_CERT_SIGNER_NOT_CA) {
	1198	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1199	"GnuTLS: Peer's Certificate signer is not a CA");
	1200	}
	1201
	1202	if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
	1203	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1204	"GnuTLS: Peer's Certificate is using insecure algorithms");
	1205	}
	1206
	1207	if (status & GNUTLS_CERT_EXPIRED
	1208	\|\| status & GNUTLS_CERT_NOT_ACTIVATED) {
	1209	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1210	"GnuTLS: Peer's Certificate signer is expired or not yet activated");
	1211	}
	1212
	1213	if (status & GNUTLS_CERT_INVALID) {
	1214	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1215	"GnuTLS: Peer Certificate is invalid.");
	1216	} else if (status & GNUTLS_CERT_REVOKED) {
	1217	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1218	"GnuTLS: Peer Certificate is revoked.");
	1219	}
	1220
	1221	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
	1222	mgs_add_common_cert_vars(r, cert.x509[0], 1,
	1223	ctxt->
	1224	sc->export_certificates_enabled);
	1225	else if (gnutls_certificate_type_get(ctxt->session) ==
	1226	GNUTLS_CRT_OPENPGP)
	1227	mgs_add_common_pgpcert_vars(r, cert.pgp, 1,
	1228	ctxt->
	1229	sc->export_certificates_enabled);
	1230
	1231	{
	1232	/* days remaining */
	1233	unsigned long remain =
	1234	(apr_time_sec(expiration_time) -
	1235	apr_time_sec(cur_time)) / 86400;
	1236	apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN",
	1237	apr_psprintf(r->pool, "%lu", remain));
	1238	}
	1239
	1240	if (status == 0) {
	1241	apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY",
	1242	"SUCCESS");
	1243	ret = OK;
	1244	} else {
	1245	apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY",
	1246	"FAILED");
	1247	if (ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUEST)
	1248	ret = OK;
	1249	else
	1250	ret = HTTP_FORBIDDEN;
	1251	}
	1252
	1253	exit:
	1254	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
	1255	int i;
	1256	for (i = 0; i < ch_size; i++) {
	1257	gnutls_x509_crt_deinit(cert.x509[i]);
	1258	}
	1259	} else if (gnutls_certificate_type_get(ctxt->session) ==
	1260	GNUTLS_CRT_OPENPGP)
	1261	gnutls_openpgp_crt_deinit(cert.pgp);
	1262	return ret;
[7bebb42]	1263
	1264
[9ee0464]	1265	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: mod_gnutls/src/gnutls_hooks.c @ 14d718f

Download in other formats: