Context Navigation

source: mod_gnutls/src/gnutls_hooks.c @ 180e49f

Visit:

debian/masterdebian/stretch-backportsjessie-backportsupstream upstream/0.5.10

Last change on this file since 180e49f was 180e49f, checked in by Daniel Kahn Gillmor <dkg@…>, 7 years ago
Imported Upstream version 0.5.10
Property mode set to `100644`
File size: 35.6 KB

Rev	Line
[3e94bd3]	1	/**
	2	* Copyright 2004-2005 Paul Querna
[70c2d86]	3	* Copyright 2007 Nikos Mavrogiannopoulos
[3e94bd3]	4	*
	5	* Licensed under the Apache License, Version 2.0 (the "License");
	6	* you may not use this file except in compliance with the License.
	7	* You may obtain a copy of the License at
	8	*
	9	* http://www.apache.org/licenses/LICENSE-2.0
	10	*
	11	* Unless required by applicable law or agreed to in writing, software
	12	* distributed under the License is distributed on an "AS IS" BASIS,
	13	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	14	* See the License for the specific language governing permissions and
	15	* limitations under the License.
	16	*
	17	*/
	18
	19	#include "mod_gnutls.h"
	20	#include "http_vhost.h"
[70c2d86]	21	#include "ap_mpm.h"
[3e94bd3]	22
	23	#if APR_HAS_THREADS
[bbb9bb1]	24	# if GNUTLS_VERSION_MAJOR <= 2 && GNUTLS_VERSION_MINOR < 11
	25	#include <gcrypt.h>
[3e94bd3]	26	GCRY_THREAD_OPTION_PTHREAD_IMPL;
[bbb9bb1]	27	# endif
	28	#endif
	29
	30	#if !USING_2_1_RECENT
	31	extern server_rec *ap_server_conf;
[3e94bd3]	32	#endif
	33
	34	#if MOD_GNUTLS_DEBUG
[70c2d86]	35	static apr_file_t *debug_log_fp;
[3e94bd3]	36	#endif
	37
[70c2d86]	38	static int mpm_is_threaded;
[bbb9bb1]	39	static gnutls_datum session_ticket_key = { NULL, 0 };
[70c2d86]	40
	41	static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
	42	/* use side==0 for server and side==1 for client */
[180e49f]	43	static void mgs_add_common_cert_vars(request_rec * r,
	44	gnutls_x509_crt_t cert, int side,
[a4839ae]	45	int export_certificates_enabled);
[180e49f]	46	static void mgs_add_common_pgpcert_vars(request_rec * r,
	47	gnutls_openpgp_crt_t cert,
	48	int side,
	49	int export_certificates_enabled);
[70c2d86]	50
[3e94bd3]	51	static apr_status_t mgs_cleanup_pre_config(void *data)
	52	{
[180e49f]	53	gnutls_free(session_ticket_key.data);
	54	session_ticket_key.data = NULL;
	55	session_ticket_key.size = 0;
	56	gnutls_global_deinit();
	57	return APR_SUCCESS;
[3e94bd3]	58	}
	59
	60	#if MOD_GNUTLS_DEBUG
[70c2d86]	61	static void gnutls_debug_log_all(int level, const char *str)
[3e94bd3]	62	{
[180e49f]	63	apr_file_printf(debug_log_fp, "<%d> %s\n", level, str);
[3e94bd3]	64	}
[180e49f]	65
[f8ffc43]	66	#define _gnutls_log apr_file_printf
	67	#else
[180e49f]	68	# define _gnutls_log(...)
[3e94bd3]	69	#endif
	70
[70c2d86]	71	int
	72	mgs_hook_pre_config(apr_pool_t * pconf,
	73	apr_pool_t * plog, apr_pool_t * ptemp)
[3e94bd3]	74	{
[180e49f]	75	int ret;
[3e94bd3]	76
[f8ffc43]	77	#if MOD_GNUTLS_DEBUG
[180e49f]	78	apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
	79	APR_APPEND \| APR_WRITE \| APR_CREATE, APR_OS_DEFAULT,
	80	pconf);
[f8ffc43]	81
[180e49f]	82	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
[f8ffc43]	83
[180e49f]	84	gnutls_global_set_log_level(9);
	85	gnutls_global_set_log_function(gnutls_debug_log_all);
	86	_gnutls_log(debug_log_fp, "gnutls: %s\n",
	87	gnutls_check_version(NULL));
[f8ffc43]	88	#endif
	89
[3e94bd3]	90	#if APR_HAS_THREADS
[180e49f]	91	ap_mpm_query(AP_MPMQ_IS_THREADED, &mpm_is_threaded);
[bbb9bb1]	92	#if (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR < 11) \|\| GNUTLS_VERSION_MAJOR < 2
[180e49f]	93	if (mpm_is_threaded) {
	94	gcry_control(GCRYCTL_SET_THREAD_CBS,
	95	&gcry_threads_pthread);
	96	}
[bbb9bb1]	97	#endif
[70c2d86]	98	#else
[180e49f]	99	mpm_is_threaded = 0;
[3e94bd3]	100	#endif
	101
[bbb9bb1]	102
[180e49f]	103	if (gnutls_check_version(LIBGNUTLS_VERSION) == NULL) {
	104	_gnutls_log(debug_log_fp,
	105	"gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n",
	106	LIBGNUTLS_VERSION, gnutls_check_version(NULL));
	107	return -3;
	108	}
	109
	110	ret = gnutls_global_init();
	111	if (ret < 0) {
	112	_gnutls_log(debug_log_fp, "gnutls_global_init: %s\n",
	113	gnutls_strerror(ret));
	114	return -3;
	115	}
[9d9b093]	116
[180e49f]	117	ret = gnutls_session_ticket_key_generate(&session_ticket_key);
	118	if (ret < 0) {
	119	_gnutls_log(debug_log_fp,
	120	"gnutls_session_ticket_key_generate: %s\n",
	121	gnutls_strerror(ret));
	122	}
[9d9b093]	123
[180e49f]	124	apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config,
	125	apr_pool_cleanup_null);
[3e94bd3]	126
	127
[180e49f]	128	return OK;
[3e94bd3]	129	}
	130
[a4839ae]	131	static int mgs_select_virtual_server_cb(gnutls_session_t session)
[70c2d86]	132	{
[180e49f]	133	mgs_handle_t *ctxt;
	134	mgs_srvconf_rec *tsc;
	135	int ret;
	136	int cprio[2];
[70c2d86]	137
[180e49f]	138	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
[f8ffc43]	139
[180e49f]	140	ctxt = gnutls_transport_get_ptr(session);
[70c2d86]	141
[180e49f]	142	/* find the virtual server */
	143	tsc = mgs_find_sni_server(session);
[70c2d86]	144
[180e49f]	145	if (tsc != NULL)
	146	ctxt->sc = tsc;
[70c2d86]	147
[180e49f]	148	gnutls_certificate_server_set_request(session,
	149	ctxt->
	150	sc->client_verify_mode);
[70c2d86]	151
[180e49f]	152	/* set the new server credentials
	153	*/
[70c2d86]	154
[180e49f]	155	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
	156	ctxt->sc->certs);
[70c2d86]	157
[180e49f]	158	gnutls_credentials_set(session, GNUTLS_CRD_ANON,
	159	ctxt->sc->anon_creds);
[70c2d86]	160
[8df5b25]	161	#ifdef ENABLE_SRP
[180e49f]	162	if (ctxt->sc->srp_tpasswd_conf_file != NULL
	163	&& ctxt->sc->srp_tpasswd_file != NULL) {
	164	gnutls_credentials_set(session, GNUTLS_CRD_SRP,
	165	ctxt->sc->srp_creds);
	166	}
[8df5b25]	167	#endif
[70c2d86]	168
[180e49f]	169	/* update the priorities - to avoid negotiating a ciphersuite that is not
	170	* enabled on this virtual server. Note that here we ignore the version
	171	* negotiation.
	172	*/
	173	ret = gnutls_priority_set(session, ctxt->sc->priorities);
	174	/* actually it shouldn't fail since we have checked at startup */
	175	if (ret < 0)
	176	return ret;
[ec06980]	177
[180e49f]	178	/* If both certificate types are not present disallow them from
	179	* being negotiated.
	180	*/
	181	if (ctxt->sc->certs_x509[0] != NULL && ctxt->sc->cert_pgp == NULL) {
	182	cprio[0] = GNUTLS_CRT_X509;
	183	cprio[1] = 0;
	184	gnutls_certificate_type_set_priority(session, cprio);
	185	} else if (ctxt->sc->cert_pgp != NULL
	186	&& ctxt->sc->certs_x509[0] == NULL) {
	187	cprio[0] = GNUTLS_CRT_OPENPGP;
	188	cprio[1] = 0;
	189	gnutls_certificate_type_set_priority(session, cprio);
	190	}
	191
	192	return 0;
[70c2d86]	193	}
	194
	195	static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st * ret)
	196	{
[180e49f]	197	mgs_handle_t *ctxt;
	198
	199	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	200	ctxt = gnutls_transport_get_ptr(session);
[70c2d86]	201
[180e49f]	202	if (ctxt == NULL)
	203	return GNUTLS_E_INTERNAL_ERROR;
[70c2d86]	204
[180e49f]	205	if (gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) {
	206	ret->type = GNUTLS_CRT_X509;
	207	ret->ncerts = ctxt->sc->certs_x509_num;
	208	ret->deinit_all = 0;
[f8ffc43]	209
[180e49f]	210	ret->cert.x509 = ctxt->sc->certs_x509;
	211	ret->key.x509 = ctxt->sc->privkey_x509;
[9d9b093]	212
[180e49f]	213	return 0;
	214	} else if (gnutls_certificate_type_get(session) ==
	215	GNUTLS_CRT_OPENPGP) {
	216	ret->type = GNUTLS_CRT_OPENPGP;
	217	ret->ncerts = 1;
	218	ret->deinit_all = 0;
[9d9b093]	219
[180e49f]	220	ret->cert.pgp = ctxt->sc->cert_pgp;
	221	ret->key.pgp = ctxt->sc->privkey_pgp;
[9d9b093]	222
[180e49f]	223	return 0;
[70c2d86]	224
[180e49f]	225	}
	226
	227	return GNUTLS_E_INTERNAL_ERROR;
[70c2d86]	228	}
	229
[9d9b093]	230	/* 2048-bit group parameters from SRP specification */
[70c2d86]	231	const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
[a4839ae]	232	"MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
	233	"gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
	234	"KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
	235	"dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
	236	"YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
	237	"Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
	238	"-----END DH PARAMETERS-----\n";
	239
	240	/* Read the common name or the alternative name of the certificate.
	241	* We only support a single name per certificate.
	242	*
	243	* Returns negative on error.
	244	*/
	245	static int read_crt_cn(server_rec * s, apr_pool_t * p,
[9d9b093]	246	gnutls_x509_crt_t cert, char **cert_cn)
[a4839ae]	247	{
[180e49f]	248	int rv = 0, i;
	249	size_t data_len;
[a4839ae]	250
	251
[180e49f]	252	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	253	*cert_cn = NULL;
[a4839ae]	254
[180e49f]	255	data_len = 0;
[a4839ae]	256	rv = gnutls_x509_crt_get_dn_by_oid(cert,
[180e49f]	257	GNUTLS_OID_X520_COMMON_NAME,
	258	0, 0, NULL, &data_len);
	259
	260	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
	261	*cert_cn = apr_palloc(p, data_len);
	262	rv = gnutls_x509_crt_get_dn_by_oid(cert,
	263	GNUTLS_OID_X520_COMMON_NAME,
	264	0, 0, *cert_cn,
	265	&data_len);
	266	} else { /* No CN return subject alternative name */
	267	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
	268	"No common name found in certificate for '%s:%d'. Looking for subject alternative name...",
	269	s->server_hostname, s->port);
	270	rv = 0;
	271	/* read subject alternative name */
	272	for (i = 0; !(rv < 0); i++) {
	273	data_len = 0;
	274	rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
	275	NULL,
	276	&data_len,
	277	NULL);
	278
	279	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER
	280	&& data_len > 1) {
	281	/* FIXME: not very efficient. What if we have several alt names
	282	* before DNSName?
	283	*/
	284	*cert_cn = apr_palloc(p, data_len + 1);
	285
	286	rv = gnutls_x509_crt_get_subject_alt_name
	287	(cert, i, *cert_cn, &data_len, NULL);
	288	(*cert_cn)[data_len] = 0;
	289
	290	if (rv == GNUTLS_SAN_DNSNAME)
	291	break;
	292	}
	293	}
[a4839ae]	294	}
	295
[180e49f]	296	return rv;
[9d9b093]	297	}
	298
	299	static int read_pgpcrt_cn(server_rec * s, apr_pool_t * p,
[180e49f]	300	gnutls_openpgp_crt_t cert, char **cert_cn)
[9d9b093]	301	{
[180e49f]	302	int rv = 0;
	303	size_t data_len;
[9d9b093]	304
[a4839ae]	305
[180e49f]	306	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	307	*cert_cn = NULL;
[9d9b093]	308
[180e49f]	309	data_len = 0;
	310	rv = gnutls_openpgp_crt_get_name(cert, 0, NULL, &data_len);
[9d9b093]	311
[180e49f]	312	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
	313	*cert_cn = apr_palloc(p, data_len);
	314	rv = gnutls_openpgp_crt_get_name(cert, 0, *cert_cn,
	315	&data_len);
	316	} else { /* No CN return subject alternative name */
	317	ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
	318	"No name found in PGP certificate for '%s:%d'.",
	319	s->server_hostname, s->port);
	320	}
[9d9b093]	321
[180e49f]	322	return rv;
[a4839ae]	323	}
[70c2d86]	324
[9d9b093]	325
[70c2d86]	326	int
	327	mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
	328	apr_pool_t * ptemp, server_rec * base_server)
[3e94bd3]	329	{
[180e49f]	330	int rv;
	331	server_rec *s;
	332	gnutls_dh_params_t dh_params = NULL;
	333	gnutls_rsa_params_t rsa_params = NULL;
	334	mgs_srvconf_rec *sc;
	335	mgs_srvconf_rec *sc_base;
	336	void *data = NULL;
	337	int first_run = 0;
	338	const char *userdata_key = "mgs_init";
	339
	340	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	341	apr_pool_userdata_get(&data, userdata_key,
[70c2d86]	342	base_server->process->pool);
[180e49f]	343	if (data == NULL) {
	344	first_run = 1;
	345	apr_pool_userdata_set((const void *) 1, userdata_key,
	346	apr_pool_cleanup_null,
	347	base_server->process->pool);
	348	}
[3e94bd3]	349
	350
[70c2d86]	351	s = base_server;
	352	sc_base =
	353	(mgs_srvconf_rec *) ap_get_module_config(s->module_config,
	354	&gnutls_module);
	355
	356	gnutls_dh_params_init(&dh_params);
	357
[a4839ae]	358	if (sc_base->dh_params == NULL) {
[180e49f]	359	gnutls_datum pdata = {
	360	(void *) static_dh_params,
	361	sizeof(static_dh_params)
	362	};
	363	/* loading defaults */
	364	rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
	365	GNUTLS_X509_FMT_PEM);
	366
	367	if (rv < 0) {
	368	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	369	"GnuTLS: Unable to load DH Params: (%d) %s",
	370	rv, gnutls_strerror(rv));
	371	exit(rv);
	372	}
	373	} else
	374	dh_params = sc_base->dh_params;
	375
	376	if (sc_base->rsa_params != NULL)
	377	rsa_params = sc_base->rsa_params;
[a4839ae]	378
	379	/* else not an error but RSA-EXPORT ciphersuites are not available
	380	*/
[70c2d86]	381
	382	rv = mgs_cache_post_config(p, s, sc_base);
	383	if (rv != 0) {
[180e49f]	384	ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
	385	"GnuTLS: Post Config for GnuTLSCache Failed."
	386	" Shutting Down.");
	387	exit(-1);
[70c2d86]	388	}
	389
	390	for (s = base_server; s; s = s->next) {
[180e49f]	391	void *load = NULL;
	392	sc = (mgs_srvconf_rec *)
	393	ap_get_module_config(s->module_config, &gnutls_module);
	394	sc->cache_type = sc_base->cache_type;
	395	sc->cache_config = sc_base->cache_config;
	396
	397	/* Check if the priorities have been set */
	398	if (sc->priorities == NULL
	399	&& sc->enabled == GNUTLS_ENABLED_TRUE) {
	400	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	401	"GnuTLS: Host '%s:%d' is missing the GnuTLSPriorities directive!",
	402	s->server_hostname, s->port);
	403	exit(-1);
	404	}
	405
	406	/* Check if DH or RSA params have been set per host */
	407	if (sc->rsa_params != NULL)
	408	load = sc->rsa_params;
	409	else if (rsa_params)
	410	load = rsa_params;
	411
	412	if (load != NULL)
	413	gnutls_certificate_set_rsa_export_params(sc->certs,
	414	load);
	415
	416
	417	load = NULL;
	418	if (sc->dh_params != NULL)
	419	load = sc->dh_params;
	420	else if (dh_params)
	421	load = dh_params;
	422
	423	if (load != NULL) { /* not needed but anyway */
	424	gnutls_certificate_set_dh_params(sc->certs, load);
	425	gnutls_anon_set_server_dh_params(sc->anon_creds,
	426	load);
	427	}
	428
	429	gnutls_certificate_server_set_retrieve_function(sc->certs,
	430	cert_retrieve_fn);
[a4839ae]	431
[8df5b25]	432	#ifdef ENABLE_SRP
[180e49f]	433	if (sc->srp_tpasswd_conf_file != NULL
	434	&& sc->srp_tpasswd_file != NULL) {
	435	rv = gnutls_srp_set_server_credentials_file
	436	(sc->srp_creds, sc->srp_tpasswd_file,
	437	sc->srp_tpasswd_conf_file);
	438
	439	if (rv < 0 && sc->enabled == GNUTLS_ENABLED_TRUE) {
	440	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0,
	441	s,
	442	"[GnuTLS] - Host '%s:%d' is missing a "
	443	"SRP password or conf File!",
	444	s->server_hostname, s->port);
	445	exit(-1);
	446	}
[a4839ae]	447	}
[8df5b25]	448	#endif
[a4839ae]	449
[180e49f]	450	if (sc->certs_x509[0] == NULL &&
	451	sc->cert_pgp == NULL &&
	452	sc->enabled == GNUTLS_ENABLED_TRUE) {
	453	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	454	"[GnuTLS] - Host '%s:%d' is missing a "
	455	"Certificate File!",
	456	s->server_hostname, s->port);
	457	exit(-1);
	458	}
[70c2d86]	459
[180e49f]	460	if (sc->enabled == GNUTLS_ENABLED_TRUE &&
	461	((sc->certs_x509[0] != NULL
	462	&& sc->privkey_x509 == NULL) \|\| (sc->cert_pgp != NULL
	463	&& sc->privkey_pgp
	464	== NULL))) {
	465	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	466	"[GnuTLS] - Host '%s:%d' is missing a "
	467	"Private Key File!",
	468	s->server_hostname, s->port);
	469	exit(-1);
	470	}
[9d9b093]	471
[180e49f]	472	if (sc->enabled == GNUTLS_ENABLED_TRUE) {
	473	rv = read_crt_cn(s, p, sc->certs_x509[0],
	474	&sc->cert_cn);
	475	if (rv < 0 && sc->cert_pgp != NULL) /* try openpgp certificate */
	476	rv = read_pgpcrt_cn(s, p, sc->cert_pgp,
	477	&sc->cert_cn);
	478
	479	if (rv < 0) {
	480	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0,
	481	s,
	482	"[GnuTLS] - Cannot find a certificate for host '%s:%d'!",
	483	s->server_hostname, s->port);
	484	sc->cert_cn = NULL;
	485	continue;
	486	}
[a4839ae]	487	}
[70c2d86]	488	}
[3e94bd3]	489
	490
[180e49f]	491	ap_add_version_component(p, "mod_gnutls/" MOD_GNUTLS_VERSION);
	492
	493	return OK;
[3e94bd3]	494	}
	495
[70c2d86]	496	void mgs_hook_child_init(apr_pool_t * p, server_rec * s)
[3e94bd3]	497	{
[180e49f]	498	apr_status_t rv = APR_SUCCESS;
	499	mgs_srvconf_rec *sc = ap_get_module_config(s->module_config,
	500	&gnutls_module);
	501
	502	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	503	if (sc->cache_type != mgs_cache_none) {
	504	rv = mgs_cache_child_init(p, s, sc);
	505	if (rv != APR_SUCCESS) {
	506	ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
	507	"[GnuTLS] - Failed to run Cache Init");
	508	}
[70c2d86]	509	}
[3e94bd3]	510	}
	511
	512	const char mgs_hook_http_scheme(const request_rec r)
	513	{
[180e49f]	514	mgs_srvconf_rec *sc;
	515
	516	if (r == NULL)
	517	return NULL;
	518
	519	sc = (mgs_srvconf_rec *) ap_get_module_config(r->
	520	server->module_config,
	521	&gnutls_module);
	522
	523	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	524	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
	525	return NULL;
	526	}
[3e94bd3]	527
[180e49f]	528	return "https";
[3e94bd3]	529	}
	530
	531	apr_port_t mgs_hook_default_port(const request_rec * r)
	532	{
[180e49f]	533	mgs_srvconf_rec *sc;
	534
	535	if (r == NULL)
	536	return 0;
	537
	538	sc = (mgs_srvconf_rec *) ap_get_module_config(r->
	539	server->module_config,
	540	&gnutls_module);
[3e94bd3]	541
[180e49f]	542	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	543	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
	544	return 0;
	545	}
	546
	547	return 443;
[3e94bd3]	548	}
	549
	550	#define MAX_HOST_LEN 255
	551
	552	#if USING_2_1_RECENT
[70c2d86]	553	typedef struct {
[180e49f]	554	mgs_handle_t *ctxt;
	555	mgs_srvconf_rec *sc;
	556	const char *sni_name;
[3e94bd3]	557	} vhost_cb_rec;
	558
[70c2d86]	559	static int vhost_cb(void baton, conn_rec conn, server_rec * s)
[3e94bd3]	560	{
[180e49f]	561	mgs_srvconf_rec *tsc;
	562	vhost_cb_rec *x = baton;
[3e94bd3]	563
[180e49f]	564	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	565	tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
	566	&gnutls_module);
[70c2d86]	567
[180e49f]	568	if (tsc->enabled != GNUTLS_ENABLED_TRUE \|\| tsc->cert_cn == NULL) {
	569	return 0;
	570	}
[70c2d86]	571
[180e49f]	572	/* The CN can contain a * -- this will match those too. */
	573	if (ap_strcasecmp_match(x->sni_name, tsc->cert_cn) == 0) {
	574	/* found a match */
[3e94bd3]	575	#if MOD_GNUTLS_DEBUG
[180e49f]	576	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
	577	x->ctxt->c->base_server,
	578	"GnuTLS: Virtual Host CB: "
	579	"'%s' == '%s'", tsc->cert_cn, x->sni_name);
[3e94bd3]	580	#endif
[180e49f]	581	/* Because we actually change the server used here, we need to reset
	582	* things like ClientVerify.
	583	*/
	584	x->sc = tsc;
	585	/* Shit. Crap. Dammit. We really should rehandshake here, as our
	586	* certificate structure should change when the server changes.
	587	* acccckkkkkk.
	588	*/
	589	return 1;
	590	} else {
[a4839ae]	591	#if MOD_GNUTLS_DEBUG
[180e49f]	592	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
	593	x->ctxt->c->base_server,
	594	"GnuTLS: Virtual Host CB: "
	595	"'%s' != '%s'", tsc->cert_cn, x->sni_name);
[a4839ae]	596	#endif
	597
[180e49f]	598	}
	599	return 0;
[3e94bd3]	600	}
	601	#endif
	602
[70c2d86]	603	mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session)
[3e94bd3]	604	{
[180e49f]	605	int rv;
	606	unsigned int sni_type;
	607	size_t data_len = MAX_HOST_LEN;
	608	char sni_name[MAX_HOST_LEN];
	609	mgs_handle_t *ctxt;
[3e94bd3]	610	#if USING_2_1_RECENT
[180e49f]	611	vhost_cb_rec cbx;
[3e94bd3]	612	#else
[180e49f]	613	server_rec *s;
	614	mgs_srvconf_rec *tsc;
[3e94bd3]	615	#endif
[70c2d86]	616
[180e49f]	617	if (session == NULL)
	618	return NULL;
[5508683]	619
[180e49f]	620	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	621	ctxt = gnutls_transport_get_ptr(session);
[70c2d86]	622
[180e49f]	623	rv = gnutls_server_name_get(ctxt->session, sni_name,
	624	&data_len, &sni_type, 0);
[70c2d86]	625
[180e49f]	626	if (rv != 0) {
	627	return NULL;
	628	}
[70c2d86]	629
[180e49f]	630	if (sni_type != GNUTLS_NAME_DNS) {
	631	ap_log_error(APLOG_MARK, APLOG_CRIT, 0,
	632	ctxt->c->base_server,
	633	"GnuTLS: Unknown type '%d' for SNI: "
	634	"'%s'", sni_type, sni_name);
	635	return NULL;
	636	}
[70c2d86]	637
[3e94bd3]	638	/**
	639	* Code in the Core already sets up the c->base_server as the base
	640	* for this IP/Port combo. Trust that the core did the 'right' thing.
	641	*/
	642	#if USING_2_1_RECENT
[180e49f]	643	cbx.ctxt = ctxt;
	644	cbx.sc = NULL;
	645	cbx.sni_name = sni_name;
[70c2d86]	646
[180e49f]	647	rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
	648	if (rv == 1) {
	649	return cbx.sc;
[70c2d86]	650	}
[180e49f]	651	#else
	652	for (s = ap_server_conf; s; s = s->next) {
	653
	654	tsc =
	655	(mgs_srvconf_rec *)
	656	ap_get_module_config(s->module_config, &gnutls_module);
	657	if (tsc->enabled != GNUTLS_ENABLED_TRUE) {
	658	continue;
	659	}
[3e94bd3]	660	#if MOD_GNUTLS_DEBUG
[180e49f]	661	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
	662	ctxt->c->base_server,
	663	"GnuTLS: sni-x509 cn: %s/%d pk: %s s: 0x%08X s->n: 0x%08X sc: 0x%08X",
	664	tsc->cert_cn, rv,
	665	gnutls_pk_algorithm_get_name
	666	(gnutls_x509_privkey_get_pk_algorithm
	667	(ctxt->sc->privkey_x509)), (unsigned int) s,
	668	(unsigned int) s->next, (unsigned int) tsc);
[70c2d86]	669	#endif
[180e49f]	670	/* The CN can contain a * -- this will match those too. */
	671	if (ap_strcasecmp_match(sni_name, tsc->cert_cn) == 0) {
[3e94bd3]	672	#if MOD_GNUTLS_DEBUG
[180e49f]	673	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
	674	ctxt->c->base_server,
	675	"GnuTLS: Virtual Host: "
	676	"'%s' == '%s'", tsc->cert_cn,
	677	sni_name);
[3e94bd3]	678	#endif
[180e49f]	679	return tsc;
	680	}
[70c2d86]	681	}
[3e94bd3]	682	#endif
[180e49f]	683	return NULL;
[3e94bd3]	684	}
	685
	686
[ec06980]	687	static const int protocol_priority[] = {
[180e49f]	688	GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
[a4839ae]	689	};
	690
[3e94bd3]	691
[70c2d86]	692	static mgs_handle_t create_gnutls_handle(apr_pool_t pool, conn_rec * c)
[3e94bd3]	693	{
[180e49f]	694	mgs_handle_t *ctxt;
	695	mgs_srvconf_rec *sc =
	696	(mgs_srvconf_rec *) ap_get_module_config(c->base_server->
	697	module_config,
	698	&gnutls_module);
[3e94bd3]	699
[180e49f]	700	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	701	ctxt = apr_pcalloc(pool, sizeof(*ctxt));
	702	ctxt->c = c;
	703	ctxt->sc = sc;
	704	ctxt->status = 0;
	705
	706	ctxt->input_rc = APR_SUCCESS;
	707	ctxt->input_bb = apr_brigade_create(c->pool, c->bucket_alloc);
	708	ctxt->input_cbuf.length = 0;
	709
	710	ctxt->output_rc = APR_SUCCESS;
	711	ctxt->output_bb = apr_brigade_create(c->pool, c->bucket_alloc);
	712	ctxt->output_blen = 0;
	713	ctxt->output_length = 0;
	714
	715	gnutls_init(&ctxt->session, GNUTLS_SERVER);
	716	if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0)
	717	gnutls_session_ticket_enable_server(ctxt->session,
	718	&session_ticket_key);
	719
	720	/* because we don't set any default priorities here (we set later at
	721	* the user hello callback) we need to at least set this in order for
	722	* gnutls to be able to read packets.
	723	*/
	724	gnutls_protocol_set_priority(ctxt->session, protocol_priority);
[3e94bd3]	725
[180e49f]	726	gnutls_handshake_set_post_client_hello_function(ctxt->session,
	727	mgs_select_virtual_server_cb);
[2a2272d]	728
[180e49f]	729	mgs_cache_session_init(ctxt);
	730
	731	return ctxt;
[3e94bd3]	732	}
	733
	734	int mgs_hook_pre_connection(conn_rec * c, void *csd)
	735	{
[180e49f]	736	mgs_handle_t *ctxt;
	737	mgs_srvconf_rec *sc;
	738
	739	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	740
	741	if (c == NULL) {
	742	return DECLINED;
	743	}
	744
	745	sc = (mgs_srvconf_rec *) ap_get_module_config(c->base_server->
	746	module_config,
	747	&gnutls_module);
[3e94bd3]	748
[180e49f]	749	if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) {
	750	return DECLINED;
	751	}
[4ecf14f]	752
[180e49f]	753	if (c->remote_addr->hostname \|\| apr_strnatcmp(c->remote_ip,c->local_ip) == 0) {
	754	/* Connection initiated by Apache (mod_proxy) => ignore */
	755	return OK;
	756	}
	757
	758	ctxt = create_gnutls_handle(c->pool, c);
[3e94bd3]	759
[180e49f]	760	ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
[3e94bd3]	761
[180e49f]	762	gnutls_transport_set_pull_function(ctxt->session,
	763	mgs_transport_read);
	764	gnutls_transport_set_push_function(ctxt->session,
	765	mgs_transport_write);
	766	gnutls_transport_set_ptr(ctxt->session, ctxt);
[70c2d86]	767
[180e49f]	768	ctxt->input_filter =
	769	ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, ctxt, NULL, c);
	770	ctxt->output_filter =
	771	ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, ctxt, NULL, c);
[3e94bd3]	772
[180e49f]	773	return OK;
[3e94bd3]	774	}
	775
[70c2d86]	776	int mgs_hook_fixups(request_rec * r)
[3e94bd3]	777	{
[180e49f]	778	unsigned char sbuf[GNUTLS_MAX_SESSION_ID];
	779	char buf[AP_IOBUFSIZE];
	780	const char *tmp;
	781	size_t len;
	782	mgs_handle_t *ctxt;
	783	int rv = OK;
[70c2d86]	784
[180e49f]	785	if (r == NULL)
	786	return DECLINED;
[5508683]	787
[180e49f]	788	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	789	apr_table_t *env = r->subprocess_env;
[3e94bd3]	790
[180e49f]	791	ctxt =
	792	ap_get_module_config(r->connection->conn_config,
	793	&gnutls_module);
[3e94bd3]	794
[180e49f]	795	if (!ctxt \|\| ctxt->session == NULL) {
	796	return DECLINED;
	797	}
[3e94bd3]	798
[180e49f]	799	apr_table_setn(env, "HTTPS", "on");
[3e94bd3]	800
[180e49f]	801	apr_table_setn(env, "SSL_VERSION_LIBRARY",
	802	"GnuTLS/" LIBGNUTLS_VERSION);
	803	apr_table_setn(env, "SSL_VERSION_INTERFACE",
	804	"mod_gnutls/" MOD_GNUTLS_VERSION);
[3e94bd3]	805
[180e49f]	806	apr_table_setn(env, "SSL_PROTOCOL",
	807	gnutls_protocol_get_name(gnutls_protocol_get_version
	808	(ctxt->session)));
[3e94bd3]	809
[180e49f]	810	/* should have been called SSL_CIPHERSUITE instead */
	811	apr_table_setn(env, "SSL_CIPHER",
	812	gnutls_cipher_suite_get_name(gnutls_kx_get
	813	(ctxt->session),
	814	gnutls_cipher_get
	815	(ctxt->session),
	816	gnutls_mac_get
	817	(ctxt->session)));
[70c2d86]	818
[180e49f]	819	apr_table_setn(env, "SSL_COMPRESS_METHOD",
	820	gnutls_compression_get_name(gnutls_compression_get
	821	(ctxt->session)));
[70c2d86]	822
[8df5b25]	823	#ifdef ENABLE_SRP
[180e49f]	824	tmp = gnutls_srp_server_get_username(ctxt->session);
	825	apr_table_setn(env, "SSL_SRP_USER", (tmp != NULL) ? tmp : "");
[8df5b25]	826	#endif
[3e94bd3]	827
[180e49f]	828	if (apr_table_get(env, "SSL_CLIENT_VERIFY") == NULL)
	829	apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE");
[3e94bd3]	830
[180e49f]	831	unsigned int key_size =
	832	8 *
	833	gnutls_cipher_get_key_size(gnutls_cipher_get(ctxt->session));
	834	tmp = apr_psprintf(r->pool, "%u", key_size);
[3e94bd3]	835
[180e49f]	836	apr_table_setn(env, "SSL_CIPHER_USEKEYSIZE", tmp);
[3e94bd3]	837
[180e49f]	838	apr_table_setn(env, "SSL_CIPHER_ALGKEYSIZE", tmp);
[3e94bd3]	839
[180e49f]	840	apr_table_setn(env, "SSL_CIPHER_EXPORT",
	841	(key_size <= 40) ? "true" : "false");
[70c2d86]	842
[180e49f]	843	len = sizeof(sbuf);
	844	gnutls_session_get_id(ctxt->session, sbuf, &len);
	845	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf));
	846	apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp));
[3e94bd3]	847
[180e49f]	848	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
	849	mgs_add_common_cert_vars(r, ctxt->sc->certs_x509[0], 0,
	850	ctxt->
	851	sc->export_certificates_enabled);
	852	else if (gnutls_certificate_type_get(ctxt->session) ==
	853	GNUTLS_CRT_OPENPGP)
	854	mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0,
	855	ctxt->
	856	sc->export_certificates_enabled);
[70c2d86]	857
[180e49f]	858	return rv;
[3e94bd3]	859	}
	860
[70c2d86]	861	int mgs_hook_authz(request_rec * r)
[3e94bd3]	862	{
[180e49f]	863	int rv;
	864	mgs_handle_t *ctxt;
	865	mgs_dirconf_rec *dc;
	866
	867	if (r == NULL)
	868	return DECLINED;
	869
	870	dc = ap_get_module_config(r->per_dir_config, &gnutls_module);
	871
	872	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	873	ctxt =
	874	ap_get_module_config(r->connection->conn_config,
	875	&gnutls_module);
	876
	877	if (!ctxt \|\| ctxt->session == NULL) {
	878	return DECLINED;
	879	}
	880
	881	if (dc->client_verify_mode == GNUTLS_CERT_IGNORE) {
	882	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	883	"GnuTLS: Directory set to Ignore Client Certificate!");
	884	} else {
	885	if (ctxt->sc->client_verify_mode < dc->client_verify_mode) {
	886	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	887	"GnuTLS: Attempting to rehandshake with peer. %d %d",
	888	ctxt->sc->client_verify_mode,
	889	dc->client_verify_mode);
	890
	891	/* If we already have a client certificate, there's no point in
	892	* re-handshaking... */
	893	rv = mgs_cert_verify(r, ctxt);
	894	if (rv != DECLINED && rv != HTTP_FORBIDDEN)
	895	return rv;
	896
	897	gnutls_certificate_server_set_request
	898	(ctxt->session, dc->client_verify_mode);
	899
	900	if (mgs_rehandshake(ctxt) != 0) {
	901	return HTTP_FORBIDDEN;
	902	}
	903	} else if (ctxt->sc->client_verify_mode ==
	904	GNUTLS_CERT_IGNORE) {
[70c2d86]	905	#if MOD_GNUTLS_DEBUG
[180e49f]	906	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	907	"GnuTLS: Peer is set to IGNORE");
[70c2d86]	908	#endif
[180e49f]	909	return DECLINED;
	910	}
	911	rv = mgs_cert_verify(r, ctxt);
	912	if (rv != DECLINED &&
	913	(rv != HTTP_FORBIDDEN \|\|
	914	dc->client_verify_mode == GNUTLS_CERT_REQUIRE)) {
	915	return rv;
	916	}
[70c2d86]	917	}
[3e94bd3]	918
[180e49f]	919	return DECLINED;
[70c2d86]	920	}
	921
	922	/* variables that are not sent by default:
	923	*
	924	* SSL_CLIENT_CERT string PEM-encoded client certificate
	925	* SSL_SERVER_CERT string PEM-encoded client certificate
	926	*/
	927
	928	/* side is either 0 for SERVER or 1 for CLIENT
	929	*/
	930	#define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT")
	931	static void
[9d9b093]	932	mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side,
[a4839ae]	933	int export_certificates_enabled)
[70c2d86]	934	{
[180e49f]	935	unsigned char sbuf[64]; /* buffer to hold serials */
	936	char buf[AP_IOBUFSIZE];
	937	const char *tmp;
	938	char *tmp2;
	939	size_t len;
	940	int ret, i;
	941
	942	if (r == NULL)
	943	return;
	944
	945	apr_table_t *env = r->subprocess_env;
	946
	947	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	948	if (export_certificates_enabled != 0) {
	949	char cert_buf[10 * 1024];
	950	len = sizeof(cert_buf);
	951
	952	if (gnutls_x509_crt_export
	953	(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
	954	apr_table_setn(env,
	955	apr_pstrcat(r->pool, MGS_SIDE,
	956	"_CERT", NULL),
	957	apr_pstrmemdup(r->pool, cert_buf,
	958	len));
	959
	960	}
	961
	962	len = sizeof(buf);
	963	gnutls_x509_crt_get_dn(cert, buf, &len);
	964	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_S_DN", NULL),
	965	apr_pstrmemdup(r->pool, buf, len));
	966
	967	len = sizeof(buf);
	968	gnutls_x509_crt_get_issuer_dn(cert, buf, &len);
	969	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_I_DN", NULL),
	970	apr_pstrmemdup(r->pool, buf, len));
	971
	972	len = sizeof(sbuf);
	973	gnutls_x509_crt_get_serial(cert, sbuf, &len);
	974	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf));
[a4839ae]	975	apr_table_setn(env,
[180e49f]	976	apr_pstrcat(r->pool, MGS_SIDE, "_M_SERIAL", NULL),
	977	apr_pstrdup(r->pool, tmp));
	978
	979	ret = gnutls_x509_crt_get_version(cert);
	980	if (ret > 0)
[a4839ae]	981	apr_table_setn(env,
[180e49f]	982	apr_pstrcat(r->pool, MGS_SIDE, "_M_VERSION",
	983	NULL), apr_psprintf(r->pool,
	984	"%u", ret));
	985
	986	apr_table_setn(env,
	987	apr_pstrcat(r->pool, MGS_SIDE, "_CERT_TYPE", NULL),
	988	"X.509");
	989
	990	tmp =
	991	mgs_time2sz(gnutls_x509_crt_get_expiration_time
	992	(cert), buf, sizeof(buf));
	993	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_END", NULL),
	994	apr_pstrdup(r->pool, tmp));
	995
	996	tmp =
	997	mgs_time2sz(gnutls_x509_crt_get_activation_time
	998	(cert), buf, sizeof(buf));
	999	apr_table_setn(env,
	1000	apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL),
	1001	apr_pstrdup(r->pool, tmp));
	1002
	1003	ret = gnutls_x509_crt_get_signature_algorithm(cert);
	1004	if (ret >= 0) {
[a4839ae]	1005	apr_table_setn(env,
[180e49f]	1006	apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG",
	1007	NULL),
	1008	gnutls_sign_algorithm_get_name(ret));
	1009	}
	1010
	1011	ret = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
	1012	if (ret >= 0) {
[a4839ae]	1013	apr_table_setn(env,
[180e49f]	1014	apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY",
	1015	NULL),
	1016	gnutls_pk_algorithm_get_name(ret));
	1017	}
	1018
	1019	/* export all the alternative names (DNS, RFC822 and URI) */
	1020	for (i = 0; !(ret < 0); i++) {
	1021	len = 0;
	1022	ret = gnutls_x509_crt_get_subject_alt_name(cert, i,
	1023	NULL, &len,
	1024	NULL);
	1025
	1026	if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER && len > 1) {
	1027	tmp2 = apr_palloc(r->pool, len + 1);
	1028
	1029	ret =
	1030	gnutls_x509_crt_get_subject_alt_name(cert, i,
	1031	tmp2,
	1032	&len,
	1033	NULL);
	1034	tmp2[len] = 0;
	1035
	1036	if (ret == GNUTLS_SAN_DNSNAME) {
	1037	apr_table_setn(env,
	1038	apr_psprintf(r->pool,
	1039	"%s_S_AN%u",
	1040	MGS_SIDE, i),
	1041	apr_psprintf(r->pool,
	1042	"DNSNAME:%s",
	1043	tmp2));
	1044	} else if (ret == GNUTLS_SAN_RFC822NAME) {
	1045	apr_table_setn(env,
	1046	apr_psprintf(r->pool,
	1047	"%s_S_AN%u",
	1048	MGS_SIDE, i),
	1049	apr_psprintf(r->pool,
	1050	"RFC822NAME:%s",
	1051	tmp2));
	1052	} else if (ret == GNUTLS_SAN_URI) {
	1053	apr_table_setn(env,
	1054	apr_psprintf(r->pool,
	1055	"%s_S_AN%u",
	1056	MGS_SIDE, i),
	1057	apr_psprintf(r->pool,
	1058	"URI:%s",
	1059	tmp2));
	1060	} else {
	1061	apr_table_setn(env,
	1062	apr_psprintf(r->pool,
	1063	"%s_S_AN%u",
	1064	MGS_SIDE, i),
	1065	"UNSUPPORTED");
	1066	}
	1067	}
[a4839ae]	1068	}
[9d9b093]	1069	}
	1070
	1071	static void
[180e49f]	1072	mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert,
	1073	int side, int export_certificates_enabled)
[9d9b093]	1074	{
[180e49f]	1075	unsigned char sbuf[64]; /* buffer to hold serials */
	1076	char buf[AP_IOBUFSIZE];
	1077	const char *tmp;
	1078	size_t len;
	1079	int ret;
	1080
	1081	if (r == NULL)
	1082	return;
	1083
	1084	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	1085	apr_table_t *env = r->subprocess_env;
	1086
	1087	if (export_certificates_enabled != 0) {
	1088	char cert_buf[10 * 1024];
	1089	len = sizeof(cert_buf);
	1090
	1091	if (gnutls_openpgp_crt_export
	1092	(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0)
	1093	apr_table_setn(env,
	1094	apr_pstrcat(r->pool, MGS_SIDE,
	1095	"_CERT", NULL),
	1096	apr_pstrmemdup(r->pool, cert_buf,
	1097	len));
	1098
	1099	}
	1100
	1101	len = sizeof(buf);
	1102	gnutls_openpgp_crt_get_name(cert, 0, buf, &len);
	1103	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_NAME", NULL),
	1104	apr_pstrmemdup(r->pool, buf, len));
	1105
	1106	len = sizeof(sbuf);
	1107	gnutls_openpgp_crt_get_fingerprint(cert, sbuf, &len);
	1108	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf));
	1109	apr_table_setn(env,
	1110	apr_pstrcat(r->pool, MGS_SIDE, "_FINGERPRINT",
	1111	NULL), apr_pstrdup(r->pool, tmp));
	1112
	1113	ret = gnutls_openpgp_crt_get_version(cert);
	1114	if (ret > 0)
	1115	apr_table_setn(env,
	1116	apr_pstrcat(r->pool, MGS_SIDE, "_M_VERSION",
	1117	NULL), apr_psprintf(r->pool,
	1118	"%u", ret));
	1119
	1120	apr_table_setn(env,
	1121	apr_pstrcat(r->pool, MGS_SIDE, "_CERT_TYPE", NULL),
	1122	"OPENPGP");
	1123
	1124	tmp =
	1125	mgs_time2sz(gnutls_openpgp_crt_get_expiration_time
	1126	(cert), buf, sizeof(buf));
	1127	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_END", NULL),
	1128	apr_pstrdup(r->pool, tmp));
	1129
	1130	tmp =
	1131	mgs_time2sz(gnutls_openpgp_crt_get_creation_time
	1132	(cert), buf, sizeof(buf));
[9d9b093]	1133	apr_table_setn(env,
[180e49f]	1134	apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL),
	1135	apr_pstrdup(r->pool, tmp));
	1136
	1137	ret = gnutls_openpgp_crt_get_pk_algorithm(cert, NULL);
	1138	if (ret >= 0) {
	1139	apr_table_setn(env,
	1140	apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY",
	1141	NULL),
	1142	gnutls_pk_algorithm_get_name(ret));
	1143	}
[9d9b093]	1144
	1145	}
	1146
	1147	/* TODO: Allow client sending a X.509 certificate chain */
[70c2d86]	1148	static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
	1149	{
[180e49f]	1150	const gnutls_datum_t *cert_list;
	1151	unsigned int cert_list_size, status;
	1152	int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret;
	1153	unsigned int ch_size = 0;
	1154	union {
	1155	gnutls_x509_crt_t x509[MAX_CHAIN_SIZE];
	1156	gnutls_openpgp_crt_t pgp;
	1157	} cert;
	1158	apr_time_t expiration_time, cur_time;
	1159
	1160	if (r == NULL \|\| ctxt == NULL \|\| ctxt->session == NULL)
	1161	return HTTP_FORBIDDEN;
	1162
	1163	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	1164	cert_list =
	1165	gnutls_certificate_get_peers(ctxt->session, &cert_list_size);
	1166
	1167	if (cert_list == NULL \|\| cert_list_size == 0) {
	1168	/* It is perfectly OK for a client not to send a certificate if on REQUEST mode
	1169	*/
	1170	if (ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUEST)
	1171	return OK;
	1172
	1173	/* no certificate provided by the client, but one was required. */
	1174	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1175	"GnuTLS: Failed to Verify Peer: "
	1176	"Client did not submit a certificate");
	1177	return HTTP_FORBIDDEN;
	1178	}
	1179
	1180	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
	1181	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	1182	"GnuTLS: A Chain of %d certificate(s) was provided for validation",
	1183	cert_list_size);
	1184
	1185	for (ch_size = 0; ch_size < cert_list_size; ch_size++) {
	1186	gnutls_x509_crt_init(&cert.x509[ch_size]);
	1187	rv = gnutls_x509_crt_import(cert.x509[ch_size],
	1188	&cert_list[ch_size],
	1189	GNUTLS_X509_FMT_DER);
	1190	// When failure to import, leave the loop
	1191	if (rv != GNUTLS_E_SUCCESS) {
	1192	if (ch_size < 1) {
	1193	ap_log_rerror(APLOG_MARK,
	1194	APLOG_INFO, 0, r,
	1195	"GnuTLS: Failed to Verify Peer: "
	1196	"Failed to import peer certificates.");
	1197	ret = HTTP_FORBIDDEN;
	1198	goto exit;
	1199	}
	1200	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1201	"GnuTLS: Failed to import some peer certificates. Using %d certificates",
	1202	ch_size);
	1203	rv = GNUTLS_E_SUCCESS;
	1204	break;
	1205	}
	1206	}
	1207	} else if (gnutls_certificate_type_get(ctxt->session) ==
	1208	GNUTLS_CRT_OPENPGP) {
	1209	if (cert_list_size > 1) {
	1210	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1211	"GnuTLS: Failed to Verify Peer: "
	1212	"Chained Client Certificates are not supported.");
	1213	return HTTP_FORBIDDEN;
	1214	}
	1215
	1216	gnutls_openpgp_crt_init(&cert.pgp);
	1217	rv = gnutls_openpgp_crt_import(cert.pgp, &cert_list[0],
	1218	GNUTLS_OPENPGP_FMT_RAW);
	1219
	1220	} else
	1221	return HTTP_FORBIDDEN;
	1222
	1223	if (rv < 0) {
	1224	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1225	"GnuTLS: Failed to Verify Peer: "
	1226	"Failed to import peer certificates.");
	1227	ret = HTTP_FORBIDDEN;
	1228	goto exit;
	1229	}
	1230
	1231	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
	1232	apr_time_ansi_put(&expiration_time,
	1233	gnutls_x509_crt_get_expiration_time
	1234	(cert.x509[0]));
	1235
	1236	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	1237	"GnuTLS: Verifying list of %d certificate(s)",
	1238	ch_size);
	1239	rv = gnutls_x509_crt_list_verify(cert.x509, ch_size,
	1240	ctxt->sc->ca_list,
	1241	ctxt->sc->ca_list_size,
	1242	NULL, 0, 0, &status);
	1243	} else {
	1244	apr_time_ansi_put(&expiration_time,
	1245	gnutls_openpgp_crt_get_expiration_time
	1246	(cert.pgp));
	1247
	1248	rv = gnutls_openpgp_crt_verify_ring(cert.pgp,
	1249	ctxt->sc->pgp_list, 0,
	1250	&status);
	1251	}
	1252
	1253	if (rv < 0) {
	1254	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1255	"GnuTLS: Failed to Verify Peer certificate: (%d) %s",
	1256	rv, gnutls_strerror(rv));
	1257	if (rv == GNUTLS_E_NO_CERTIFICATE_FOUND)
	1258	ap_log_rerror(APLOG_MARK, APLOG_EMERG, 0, r,
	1259	"GnuTLS: No certificate was found for verification. Did you set the GnuTLSX509CAFile or GnuTLSPGPKeyringFile directives?");
	1260	ret = HTTP_FORBIDDEN;
	1261	goto exit;
	1262	}
	1263
	1264	/* TODO: X509 CRL Verification. */
	1265	/* May add later if anyone needs it.
[70c2d86]	1266	*/
[180e49f]	1267	/* ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); */
[70c2d86]	1268
[180e49f]	1269	cur_time = apr_time_now();
	1270
	1271	if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
	1272	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1273	"GnuTLS: Could not find Signer for Peer Certificate");
	1274	}
	1275
	1276	if (status & GNUTLS_CERT_SIGNER_NOT_CA) {
	1277	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1278	"GnuTLS: Peer's Certificate signer is not a CA");
	1279	}
	1280
	1281	if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
	1282	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1283	"GnuTLS: Peer's Certificate is using insecure algorithms");
	1284	}
	1285
	1286	if (status & GNUTLS_CERT_EXPIRED
	1287	\|\| status & GNUTLS_CERT_NOT_ACTIVATED) {
	1288	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1289	"GnuTLS: Peer's Certificate signer is expired or not yet activated");
	1290	}
	1291
	1292	if (status & GNUTLS_CERT_INVALID) {
	1293	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1294	"GnuTLS: Peer Certificate is invalid.");
	1295	} else if (status & GNUTLS_CERT_REVOKED) {
	1296	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1297	"GnuTLS: Peer Certificate is revoked.");
	1298	}
	1299
	1300	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
	1301	mgs_add_common_cert_vars(r, cert.x509[0], 1,
	1302	ctxt->
	1303	sc->export_certificates_enabled);
	1304	else if (gnutls_certificate_type_get(ctxt->session) ==
	1305	GNUTLS_CRT_OPENPGP)
	1306	mgs_add_common_pgpcert_vars(r, cert.pgp, 1,
	1307	ctxt->
	1308	sc->export_certificates_enabled);
	1309
	1310	{
	1311	/* days remaining */
	1312	unsigned long remain =
	1313	(apr_time_sec(expiration_time) -
	1314	apr_time_sec(cur_time)) / 86400;
	1315	apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN",
	1316	apr_psprintf(r->pool, "%lu", remain));
	1317	}
	1318
	1319	if (status == 0) {
	1320	apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY",
	1321	"SUCCESS");
	1322	ret = OK;
	1323	} else {
	1324	apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY",
	1325	"FAILED");
	1326	if (ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUEST)
	1327	ret = OK;
	1328	else
	1329	ret = HTTP_FORBIDDEN;
	1330	}
	1331
	1332	exit:
	1333	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
	1334	int i;
	1335	for (i = 0; i < ch_size; i++) {
	1336	gnutls_x509_crt_deinit(cert.x509[i]);
	1337	}
	1338	} else if (gnutls_certificate_type_get(ctxt->session) ==
	1339	GNUTLS_CRT_OPENPGP)
	1340	gnutls_openpgp_crt_deinit(cert.pgp);
	1341	return ret;
[70c2d86]	1342
	1343
	1344	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: