Context Navigation

source: mod_gnutls/src/gnutls_hooks.c @ 2d0f6cf

Visit:

asynciodebian/masterdebian/stretch-backportsjessie-backportsmsvaproxy-ticketupstream

Last change on this file since 2d0f6cf was 369f47a, checked in by Daniel Kahn Gillmor <dkg@…>, 8 years ago
avoid calling gnutls_srp_server_get_username() unless SRP is configured
Property mode set to `100644`
File size: 39.0 KB

Rev	Line
[c301152]	1	/**
	2	* Copyright 2004-2005 Paul Querna
[e183628]	3	* Copyright 2008 Nikos Mavrogiannopoulos
	4	* Copyright 2011 Dash Shendy
[c301152]	5	*
	6	* Licensed under the Apache License, Version 2.0 (the "License");
	7	* you may not use this file except in compliance with the License.
	8	* You may obtain a copy of the License at
	9	*
	10	* http://www.apache.org/licenses/LICENSE-2.0
	11	*
	12	* Unless required by applicable law or agreed to in writing, software
	13	* distributed under the License is distributed on an "AS IS" BASIS,
	14	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	15	* See the License for the specific language governing permissions and
	16	* limitations under the License.
	17	*
	18	*/
	19
	20	#include "mod_gnutls.h"
	21	#include "http_vhost.h"
[84cb5b2]	22	#include "ap_mpm.h"
[c301152]	23
[0499540]	24
[c301152]	25	#if !USING_2_1_RECENT
	26	extern server_rec *ap_server_conf;
	27	#endif
	28
	29	#if MOD_GNUTLS_DEBUG
[7bebb42]	30	static apr_file_t *debug_log_fp;
[c301152]	31	#endif
	32
[b8df283]	33	static gnutls_datum_t session_ticket_key = {NULL, 0};
[84cb5b2]	34
[7bebb42]	35	static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
	36	/* use side==0 for server and side==1 for client */
[3b4c0d0]	37	static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side);
	38	static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side);
[e183628]	39
[3b4c0d0]	40	/* Pool Cleanup Function */
[37f8282]	41	apr_status_t mgs_cleanup_pre_config(void *data) {
[3b4c0d0]	42	/* Free all session data */
[e183628]	43	gnutls_free(session_ticket_key.data);
	44	session_ticket_key.data = NULL;
	45	session_ticket_key.size = 0;
[3b4c0d0]	46	/* Deinitialize GnuTLS Library */
[e183628]	47	gnutls_global_deinit();
	48	return APR_SUCCESS;
[c301152]	49	}
	50
[3b4c0d0]	51	/* Logging Function for Maintainers */
[c301152]	52	#if MOD_GNUTLS_DEBUG
[e183628]	53	static void gnutls_debug_log_all(int level, const char *str) {
	54	apr_file_printf(debug_log_fp, "<%d> %s\n", level, str);
[c301152]	55	}
[a208cd3]	56	#define _gnutls_log apr_file_printf
	57	#else
[e183628]	58	#define _gnutls_log(...)
[c301152]	59	#endif
	60
[3b4c0d0]	61	/* Pre-Configuration HOOK: Runs First */
	62	int mgs_hook_pre_config(apr_pool_t * pconf, apr_pool_t * plog, apr_pool_t * ptemp) {
[26b08fd]	63
[3b4c0d0]	64	/* Maintainer Logging */
	65	#if MOD_GNUTLS_DEBUG
	66	apr_file_open(&debug_log_fp, "/tmp/gnutls_debug", APR_APPEND \| APR_WRITE \| APR_CREATE, APR_OS_DEFAULT, pconf);
[e183628]	67	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	68	gnutls_global_set_log_level(9);
	69	gnutls_global_set_log_function(gnutls_debug_log_all);
[37f8282]	70	_gnutls_log(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL));
[33826c5]	71	#endif
[3b4c0d0]	72
[33826c5]	73	int ret;
[3b4c0d0]	74	const char * req_GnuTLSVer = "2.12.0";
[26b08fd]	75
[3b4c0d0]	76	/* Check for required GnuTLS Library Version */
	77	if (gnutls_check_version(req_GnuTLSVer) == NULL) {
	78	ap_log_perror(APLOG_MARK, APLOG_DEBUG, 0, plog, "gnutls_check_version() failed. Required: "
	79	"gnutls-%s Found: gnutls-%s\n", LIBGNUTLS_VERSION, gnutls_check_version(NULL));
	80	exit(-1);
[e183628]	81	}
[e02dd8c]	82
[3b4c0d0]	83	/* Initialize GnuTLS Library */
[e183628]	84	ret = gnutls_global_init();
	85	if (ret < 0) {
[3b4c0d0]	86	ap_log_perror(APLOG_MARK, APLOG_DEBUG, 0, plog, "gnutls_global_init: %s\n", gnutls_strerror(ret));
	87	exit(-1);
[e183628]	88	}
[2b3a248b]	89
[3b4c0d0]	90	/* Generate a Session Key */
[e183628]	91	ret = gnutls_session_ticket_key_generate(&session_ticket_key);
	92	if (ret < 0) {
[3b4c0d0]	93	ap_log_perror(APLOG_MARK, APLOG_DEBUG, 0, plog, "gnutls_session_ticket_key_generate: %s\n", gnutls_strerror(ret));
	94	exit(-1);
[e183628]	95	}
[e5bbda4]	96
[3b4c0d0]	97	/* Register a pool clean-up function */
	98	apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config, apr_pool_cleanup_null);\
[c301152]	99
[e183628]	100	return OK;
[c301152]	101	}
	102
[e183628]	103	static int mgs_select_virtual_server_cb(gnutls_session_t session) {
[3b4c0d0]	104
	105	mgs_handle_t *ctxt = NULL;
	106	mgs_srvconf_rec *tsc = NULL;
[9180a60]	107	int ret = 0;
[7bebb42]	108
[e183628]	109	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
[26b08fd]	110
[e183628]	111	ctxt = gnutls_transport_get_ptr(session);
[7bebb42]	112
[e183628]	113	/* find the virtual server */
	114	tsc = mgs_find_sni_server(session);
[7bebb42]	115
[3b4c0d0]	116	if (tsc == NULL) {
	117	// No TLS vhost configured!
	118	return GNUTLS_E_NO_CERTIFICATE_FOUND;
	119	} else {
	120	// Found a TLS vhost
[e183628]	121	ctxt->sc = tsc;
[3b4c0d0]	122	}
[7bebb42]	123
[3b4c0d0]	124	gnutls_certificate_server_set_request(session, ctxt->sc->client_verify_mode);
[7bebb42]	125
[3b4c0d0]	126	/* Set Anon credentials */
	127	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctxt->sc->certs);
	128	/* Set x509 credentials */
	129	gnutls_credentials_set(session, GNUTLS_CRD_ANON, ctxt->sc->anon_creds);
[7bebb42]	130
[787dab7]	131	#ifdef ENABLE_SRP
[3b4c0d0]	132	/* Set SRP credentials */
	133	if (ctxt->sc->srp_tpasswd_conf_file != NULL && ctxt->sc->srp_tpasswd_file != NULL) {
	134	gnutls_credentials_set(session, GNUTLS_CRD_SRP, ctxt->sc->srp_creds);
[e183628]	135	}
[787dab7]	136	#endif
[7bebb42]	137
[e183628]	138	/* update the priorities - to avoid negotiating a ciphersuite that is not
	139	* enabled on this virtual server. Note that here we ignore the version
	140	* negotiation.
	141	*/
[3b4c0d0]	142
	143	ret = gnutls_priority_set_direct(session, "NORMAL", NULL);
	144	//ret = gnutls_priority_set(session, ctxt->sc->priorities);
[e183628]	145	/* actually it shouldn't fail since we have checked at startup */
[9180a60]	146	return ret;
[3b4c0d0]	147
[7bebb42]	148	}
	149
[3b4c0d0]	150	static int cert_retrieve_fn(gnutls_session_t session,
	151	const gnutls_datum_t * req_ca_rdn, int nreqs,
	152	const gnutls_pk_algorithm_t * pk_algos, int pk_algos_length,
	153	gnutls_retr2_st *ret) {
[cf10d49]	154
[3b4c0d0]	155
	156	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	157
	158	mgs_handle_t *ctxt = gnutls_transport_get_ptr(session);
	159
	160	if (session == NULL) {
	161	// ERROR INVALID SESSION
	162	ret->ncerts = 0;
	163	ret->deinit_all = 1;
	164	return -1;
	165	} else if (gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) {
	166	// X509 CERTIFICATE
	167	ret->cert_type = GNUTLS_CRT_X509;
	168	ret->key_type = GNUTLS_PRIVKEY_X509;
	169	ret->ncerts = ctxt->sc->certs_x509_chain_num;
[e183628]	170	ret->deinit_all = 0;
[3b4c0d0]	171	ret->cert.x509 = ctxt->sc->certs_x509_chain;
[e183628]	172	ret->key.x509 = ctxt->sc->privkey_x509;
	173	return 0;
[9180a60]	174	} else if (gnutls_certificate_type_get(session) == GNUTLS_CRT_OPENPGP) {
[3b4c0d0]	175	// OPENPGP CERTIFICATE
	176	ret->cert_type = GNUTLS_CRT_OPENPGP;
	177	ret->key_type = GNUTLS_PRIVKEY_OPENPGP;
[e183628]	178	ret->ncerts = 1;
	179	ret->deinit_all = 0;
	180	ret->cert.pgp = ctxt->sc->cert_pgp;
	181	ret->key.pgp = ctxt->sc->privkey_pgp;
	182	return 0;
[3b4c0d0]	183	} else {
	184	// UNKNOWN CERTIFICATE
	185	ret->ncerts = 0;
	186	ret->deinit_all = 1;
	187	return -1;
	188	}
[7bebb42]	189	}
	190
[37f8282]	191	/* 2048-bit group parameters from SRP specification */
[7bebb42]	192	const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
[e183628]	193	"MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
	194	"gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
	195	"KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
	196	"dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
	197	"YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
	198	"Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
	199	"-----END DH PARAMETERS-----\n";
[fd73a08]	200
	201	/* Read the common name or the alternative name of the certificate.
	202	* We only support a single name per certificate.
	203	*
	204	* Returns negative on error.
	205	*/
[3b4c0d0]	206	static int read_crt_cn(server_rec * s, apr_pool_t * p, gnutls_x509_crt_t cert, char **cert_cn) {
	207
[e183628]	208	int rv = 0, i;
	209	size_t data_len;
	210
	211
	212	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	213	*cert_cn = NULL;
	214
	215	data_len = 0;
[3b4c0d0]	216	rv = gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, NULL, &data_len);
[e183628]	217
	218	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
	219	*cert_cn = apr_palloc(p, data_len);
	220	rv = gnutls_x509_crt_get_dn_by_oid(cert,
	221	GNUTLS_OID_X520_COMMON_NAME,
	222	0, 0, *cert_cn,
	223	&data_len);
	224	} else { /* No CN return subject alternative name */
	225	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
	226	"No common name found in certificate for '%s:%d'. Looking for subject alternative name...",
	227	s->server_hostname, s->port);
	228	rv = 0;
	229	/* read subject alternative name */
	230	for (i = 0; !(rv < 0); i++) {
	231	data_len = 0;
	232	rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
	233	NULL,
	234	&data_len,
	235	NULL);
	236
	237	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER
	238	&& data_len > 1) {
	239	/* FIXME: not very efficient. What if we have several alt names
	240	* before DNSName?
	241	*/
	242	*cert_cn = apr_palloc(p, data_len + 1);
	243
	244	rv = gnutls_x509_crt_get_subject_alt_name
	245	(cert, i, *cert_cn, &data_len, NULL);
	246	(*cert_cn)[data_len] = 0;
	247
	248	if (rv == GNUTLS_SAN_DNSNAME)
	249	break;
	250	}
	251	}
	252	}
	253
	254	return rv;
[e5bbda4]	255	}
	256
	257	static int read_pgpcrt_cn(server_rec * s, apr_pool_t * p,
[e183628]	258	gnutls_openpgp_crt_t cert, char **cert_cn) {
	259	int rv = 0;
	260	size_t data_len;
[e5bbda4]	261
	262
[e183628]	263	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	264	*cert_cn = NULL;
[e5bbda4]	265
[e183628]	266	data_len = 0;
	267	rv = gnutls_openpgp_crt_get_name(cert, 0, NULL, &data_len);
[e5bbda4]	268
[e183628]	269	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
	270	*cert_cn = apr_palloc(p, data_len);
	271	rv = gnutls_openpgp_crt_get_name(cert, 0, *cert_cn,
	272	&data_len);
	273	} else { /* No CN return subject alternative name */
	274	ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
	275	"No name found in PGP certificate for '%s:%d'.",
	276	s->server_hostname, s->port);
	277	}
[fd73a08]	278
[e183628]	279	return rv;
[fd73a08]	280	}
[7bebb42]	281
[3b4c0d0]	282	int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog, apr_pool_t * ptemp, server_rec * base_server) {
	283
[e183628]	284	int rv;
	285	server_rec *s;
	286	gnutls_dh_params_t dh_params = NULL;
	287	mgs_srvconf_rec *sc;
	288	mgs_srvconf_rec *sc_base;
	289	void *data = NULL;
	290	const char *userdata_key = "mgs_init";
	291
	292	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
[3b4c0d0]	293
	294	apr_pool_userdata_get(&data, userdata_key, base_server->process->pool);
[e183628]	295	if (data == NULL) {
[3b4c0d0]	296	apr_pool_userdata_set((const void *) 1, userdata_key, apr_pool_cleanup_null, base_server->process->pool);
[e183628]	297	}
	298
	299
	300	s = base_server;
[3b4c0d0]	301	sc_base = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module);
[e183628]	302
	303	gnutls_dh_params_init(&dh_params);
	304
	305	if (sc_base->dh_params == NULL) {
[b8df283]	306	gnutls_datum_t pdata = {
[37f8282]	307	(void *) static_dh_params,
	308	sizeof(static_dh_params)
	309	};
[3b4c0d0]	310	rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata, GNUTLS_X509_FMT_PEM);
[37f8282]	311	/* Generate DH Params
[74f798f]	312	int dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH,
	313	GNUTLS_SEC_PARAM_NORMAL);
	314	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
[da8c2fe]	315	"GnuTLS: Generating DH Params of %i bits. "
[74f798f]	316	"To avoid this use GnuTLSDHFile to specify DH Params for this host",
	317	dh_bits);
[37f8282]	318	#if MOD_GNUTLS_DEBUG
	319	ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
	320	"GnuTLS: Generated DH Params of %i bits",dh_bits);
	321	#endif
[74f798f]	322	rv = gnutls_dh_params_generate2 (dh_params,dh_bits);
[37f8282]	323	*/
[e183628]	324	if (rv < 0) {
	325	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
[37f8282]	326	"GnuTLS: Unable to generate or load DH Params: (%d) %s",
[e183628]	327	rv, gnutls_strerror(rv));
	328	exit(rv);
[37f8282]	329	}
[410d216]	330	} else {
[e183628]	331	dh_params = sc_base->dh_params;
[410d216]	332	}
[e183628]	333
	334	rv = mgs_cache_post_config(p, s, sc_base);
	335	if (rv != 0) {
	336	ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
	337	"GnuTLS: Post Config for GnuTLSCache Failed."
	338	" Shutting Down.");
	339	exit(-1);
	340	}
	341
	342	for (s = base_server; s; s = s->next) {
[3b4c0d0]	343	sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module);
[e183628]	344	sc->cache_type = sc_base->cache_type;
	345	sc->cache_config = sc_base->cache_config;
	346
	347	/* Check if the priorities have been set */
[33826c5]	348	if (sc->priorities == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
[e183628]	349	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	350	"GnuTLS: Host '%s:%d' is missing the GnuTLSPriorities directive!",
	351	s->server_hostname, s->port);
	352	exit(-1);
	353	}
	354
[3b4c0d0]	355	/* Check if DH params have been set per host */
[410d216]	356	if (sc->dh_params != NULL) {
	357	gnutls_certificate_set_dh_params(sc->certs, sc->dh_params);
	358	gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params);
	359	} else if (dh_params) {
	360	gnutls_certificate_set_dh_params(sc->certs, dh_params);
	361	gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params);
[e183628]	362	}
	363
[d2ee1a1]	364	gnutls_certificate_set_retrieve_function(sc->certs, cert_retrieve_fn);
[fd73a08]	365
[787dab7]	366	#ifdef ENABLE_SRP
[e183628]	367	if (sc->srp_tpasswd_conf_file != NULL
	368	&& sc->srp_tpasswd_file != NULL) {
	369	rv = gnutls_srp_set_server_credentials_file
	370	(sc->srp_creds, sc->srp_tpasswd_file,
	371	sc->srp_tpasswd_conf_file);
	372
	373	if (rv < 0 && sc->enabled == GNUTLS_ENABLED_TRUE) {
	374	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0,
	375	s,
	376	"[GnuTLS] - Host '%s:%d' is missing a "
	377	"SRP password or conf File!",
	378	s->server_hostname, s->port);
	379	exit(-1);
	380	}
	381	}
[787dab7]	382	#endif
[7bebb42]	383
[2b76a9c]	384	if ((sc->certs_x509_chain == NULL \|\| sc->certs_x509_chain_num < 1) &&
	385	sc->cert_pgp == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
[3b4c0d0]	386	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	387	"[GnuTLS] - Host '%s:%d' is missing a Certificate File!",
	388	s->server_hostname, s->port);
[e183628]	389	exit(-1);
	390	}
	391
[2b76a9c]	392	if (sc->enabled == GNUTLS_ENABLED_TRUE &&
	393	((sc->certs_x509_chain != NULL && sc->certs_x509_chain_num > 0 && sc->privkey_x509 == NULL) \|\|
	394	(sc->cert_pgp != NULL && sc->privkey_pgp == NULL))) {
[3b4c0d0]	395	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	396	"[GnuTLS] - Host '%s:%d' is missing a Private Key File!",
	397	s->server_hostname, s->port);
[e183628]	398	exit(-1);
	399	}
	400
	401	if (sc->enabled == GNUTLS_ENABLED_TRUE) {
[2b76a9c]	402	rv = -1;
	403	if (sc->certs_x509_chain_num > 0) {
	404	rv = read_crt_cn(s, p, sc->certs_x509_chain[0], &sc->cert_cn);
	405	}
[3b4c0d0]	406	if (rv < 0 && sc->cert_pgp != NULL) {
	407	rv = read_pgpcrt_cn(s, p, sc->cert_pgp, &sc->cert_cn);
	408	}
[e183628]	409
	410	if (rv < 0) {
[3b4c0d0]	411	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	412	"[GnuTLS] - Cannot find a certificate for host '%s:%d'!",
	413	s->server_hostname, s->port);
[e183628]	414	sc->cert_cn = NULL;
	415	continue;
	416	}
	417	}
	418	}
	419
	420
	421	ap_add_version_component(p, "mod_gnutls/" MOD_GNUTLS_VERSION);
	422
	423	return OK;
[c301152]	424	}
	425
[e183628]	426	void mgs_hook_child_init(apr_pool_t * p, server_rec * s) {
	427	apr_status_t rv = APR_SUCCESS;
	428	mgs_srvconf_rec *sc = ap_get_module_config(s->module_config,
	429	&gnutls_module);
	430
	431	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	432	if (sc->cache_type != mgs_cache_none) {
	433	rv = mgs_cache_child_init(p, s, sc);
	434	if (rv != APR_SUCCESS) {
	435	ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
	436	"[GnuTLS] - Failed to run Cache Init");
	437	}
	438	}
[33826c5]	439	/* Block SIGPIPE Signals */
[37f8282]	440	rv = apr_signal_block(SIGPIPE);
	441	if(rv != APR_SUCCESS) {
[33826c5]	442	/* error sending output */
[37f8282]	443	ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
[33826c5]	444	"GnuTLS: Error Blocking SIGPIPE Signal!");
	445	}
[c301152]	446	}
	447
[e183628]	448	const char mgs_hook_http_scheme(const request_rec r) {
	449	mgs_srvconf_rec *sc;
[c301152]	450
[e183628]	451	if (r == NULL)
	452	return NULL;
[e02dd8c]	453
[e183628]	454	sc = (mgs_srvconf_rec *) ap_get_module_config(r->
	455	server->module_config,
	456	&gnutls_module);
[e02dd8c]	457
[e183628]	458	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	459	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
	460	return NULL;
	461	}
[e02dd8c]	462
[e183628]	463	return "https";
[c301152]	464	}
	465
[e183628]	466	apr_port_t mgs_hook_default_port(const request_rec * r) {
	467	mgs_srvconf_rec *sc;
[e02dd8c]	468
[e183628]	469	if (r == NULL)
	470	return 0;
[e02dd8c]	471
[e183628]	472	sc = (mgs_srvconf_rec *) ap_get_module_config(r->
	473	server->module_config,
	474	&gnutls_module);
[e02dd8c]	475
[e183628]	476	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	477	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
	478	return 0;
	479	}
[c301152]	480
[e183628]	481	return 443;
[c301152]	482	}
	483
	484	#define MAX_HOST_LEN 255
	485
	486	#if USING_2_1_RECENT
[e183628]	487
[7bebb42]	488	typedef struct {
[e183628]	489	mgs_handle_t *ctxt;
	490	mgs_srvconf_rec *sc;
	491	const char *sni_name;
[c301152]	492	} vhost_cb_rec;
	493
[14d718f]	494	/**
	495	* Matches the current vhost's ServerAlias directives
	496	*
	497	* @param x vhost callback record
	498	* @param s server record
	499	* @return true if a match, false otherwise
	500	*
	501	*/
	502	int check_server_aliases(vhost_cb_rec x, server_rec s, mgs_srvconf_rec *tsc) {
	503	apr_array_header_t *names;
	504	int i,rv = 0;
[cb60afc]	505	char ** name;
[14d718f]	506
	507	/* Check ServerName First! */
	508	if(apr_strnatcasecmp(x->sni_name, s->server_hostname) == 0) {
	509	// We have a match, save this server configuration
	510	x->sc = tsc;
	511	rv = 1;
	512	/* Check any ServerAlias directives */
[e3d36c7]	513	} else if(s->names->nelts) {
[14d718f]	514	names = s->names;
[cb60afc]	515	name = (char **)names->elts;
[14d718f]	516	for (i = 0; i < names->nelts; ++i) {
[e3d36c7]	517	if (!name[i]) { continue; }
	518	if (apr_strnatcasecmp(x->sni_name, name[i]) == 0) {
	519	// We have a match, save this server configuration
	520	x->sc = tsc;
	521	rv = 1;
	522	}
[14d718f]	523	}
	524	/* Wild any ServerAlias Directives */
[e3d36c7]	525	} else if(s->wild_names->nelts) {
[14d718f]	526	names = s->wild_names;
[cb60afc]	527	name = (char **)names->elts;
[14d718f]	528	for (i = 0; i < names->nelts; ++i) {
	529	if (!name[i]) { continue; }
[e3d36c7]	530	if(apr_fnmatch(name[i], x->sni_name ,
	531	APR_FNM_CASE_BLIND\|
	532	APR_FNM_PERIOD\|
	533	APR_FNM_PATHNAME\|
	534	APR_FNM_NOESCAPE) == APR_SUCCESS) {
[14d718f]	535	x->sc = tsc;
	536	rv = 1;
	537	}
	538	}
	539	}
	540	return rv;
	541	}
	542
[e183628]	543	static int vhost_cb(void baton, conn_rec conn, server_rec * s) {
	544	mgs_srvconf_rec *tsc;
	545	vhost_cb_rec *x = baton;
[8764d0d]	546
[e183628]	547	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	548	tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
	549	&gnutls_module);
[7bebb42]	550
[e183628]	551	if (tsc->enabled != GNUTLS_ENABLED_TRUE \|\| tsc->cert_cn == NULL) {
	552	return 0;
	553	}
[3b4c0d0]	554
[2b76a9c]	555	int ret = gnutls_x509_crt_check_hostname(tsc->certs_x509_chain[0], s->server_hostname);
[6055aff]	556	if (0 == ret)
	557	ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
	558	"GnuTLS: Error checking certificate for hostname "
	559	"'%s'", s->server_hostname);
[3b4c0d0]	560	return check_server_aliases(x, s, tsc);
[c301152]	561	}
	562	#endif
	563
[e183628]	564	mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session) {
	565	int rv;
	566	unsigned int sni_type;
	567	size_t data_len = MAX_HOST_LEN;
	568	char sni_name[MAX_HOST_LEN];
	569	mgs_handle_t *ctxt;
[c301152]	570	#if USING_2_1_RECENT
[e183628]	571	vhost_cb_rec cbx;
[c301152]	572	#else
[e183628]	573	server_rec *s;
	574	mgs_srvconf_rec *tsc;
[c301152]	575	#endif
[7bebb42]	576
[e183628]	577	if (session == NULL)
	578	return NULL;
[368b574]	579
[e183628]	580	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	581	ctxt = gnutls_transport_get_ptr(session);
[7bebb42]	582
[e183628]	583	rv = gnutls_server_name_get(ctxt->session, sni_name,
	584	&data_len, &sni_type, 0);
[7bebb42]	585
[e183628]	586	if (rv != 0) {
	587	return NULL;
	588	}
[7bebb42]	589
[e183628]	590	if (sni_type != GNUTLS_NAME_DNS) {
	591	ap_log_error(APLOG_MARK, APLOG_CRIT, 0,
	592	ctxt->c->base_server,
	593	"GnuTLS: Unknown type '%d' for SNI: "
	594	"'%s'", sni_type, sni_name);
	595	return NULL;
	596	}
[7bebb42]	597
[c301152]	598	/**
	599	* Code in the Core already sets up the c->base_server as the base
	600	* for this IP/Port combo. Trust that the core did the 'right' thing.
	601	*/
	602	#if USING_2_1_RECENT
[e183628]	603	cbx.ctxt = ctxt;
	604	cbx.sc = NULL;
	605	cbx.sni_name = sni_name;
	606
	607	rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
	608	if (rv == 1) {
	609	return cbx.sc;
	610	}
[e02dd8c]	611	#else
[e183628]	612	for (s = ap_server_conf; s; s = s->next) {
	613
[b7098b2]	614	tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
	615	&gnutls_module);
	616
	617	if (tsc->enabled != GNUTLS_ENABLED_TRUE) { continue; }
[14d718f]	618
	619	if(check_server_aliases(x, s, tsc)) {
	620	return tsc;
	621	}
[c301152]	622	#endif
[e183628]	623	return NULL;
[836417f]	624	}
	625
[33826c5]	626	static void create_gnutls_handle(conn_rec * c) {
[e183628]	627	mgs_handle_t *ctxt;
[d0be765]	628	/* Get mod_gnutls Configuration Record */
	629	mgs_srvconf_rec sc =(mgs_srvconf_rec )
	630	ap_get_module_config(c->base_server->module_config,&gnutls_module);
[e183628]	631
	632	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
[33826c5]	633	ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
[e183628]	634	ctxt->c = c;
	635	ctxt->sc = sc;
	636	ctxt->status = 0;
	637	ctxt->input_rc = APR_SUCCESS;
	638	ctxt->input_bb = apr_brigade_create(c->pool, c->bucket_alloc);
	639	ctxt->input_cbuf.length = 0;
	640	ctxt->output_rc = APR_SUCCESS;
	641	ctxt->output_bb = apr_brigade_create(c->pool, c->bucket_alloc);
	642	ctxt->output_blen = 0;
	643	ctxt->output_length = 0;
[d0be765]	644	/* Initialize GnuTLS Library */
[e183628]	645	gnutls_init(&ctxt->session, GNUTLS_SERVER);
[d0be765]	646	/* Initialize Session Tickets */
	647	if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0) {
	648	gnutls_session_ticket_enable_server(ctxt->session,&session_ticket_key);
	649	}
[e183628]	650
[d0be765]	651	/* Set Default Priority */
[3b4c0d0]	652	gnutls_priority_set_direct (ctxt->session, "NORMAL", NULL);
[d0be765]	653	/* Set Handshake function */
[e183628]	654	gnutls_handshake_set_post_client_hello_function(ctxt->session,
	655	mgs_select_virtual_server_cb);
[d0be765]	656	/* Initialize Session Cache */
[e183628]	657	mgs_cache_session_init(ctxt);
[33826c5]	658
	659	/* Set this config for this connection */
	660	ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
	661	/* Set pull, push & ptr functions */
	662	gnutls_transport_set_pull_function(ctxt->session,
	663	mgs_transport_read);
	664	gnutls_transport_set_push_function(ctxt->session,
	665	mgs_transport_write);
[9ee0464]	666	gnutls_transport_set_ptr(ctxt->session, ctxt);
[33826c5]	667	/* Add IO filters */
	668	ctxt->input_filter = ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME,
	669	ctxt, NULL, c);
	670	ctxt->output_filter = ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME,
	671	ctxt, NULL, c);
[e183628]	672	}
[e02dd8c]	673
[e183628]	674	int mgs_hook_pre_connection(conn_rec * c, void *csd) {
	675	mgs_srvconf_rec *sc;
[e02dd8c]	676
[e183628]	677	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
[e02dd8c]	678
[33826c5]	679	sc = (mgs_srvconf_rec *) ap_get_module_config(c->base_server->module_config,
[e183628]	680	&gnutls_module);
[c301152]	681
[37f8282]	682	if (sc && (!sc->enabled \|\| sc->proxy_enabled == GNUTLS_ENABLED_TRUE)) {
[e183628]	683	return DECLINED;
	684	}
[ae4a2b0]	685
[33826c5]	686	create_gnutls_handle(c);
[e183628]	687	return OK;
	688	}
[e02dd8c]	689
[e183628]	690	int mgs_hook_fixups(request_rec * r) {
	691	unsigned char sbuf[GNUTLS_MAX_SESSION_ID];
	692	char buf[AP_IOBUFSIZE];
	693	const char *tmp;
	694	size_t len;
	695	mgs_handle_t *ctxt;
	696	int rv = OK;
[c301152]	697
[e183628]	698	if (r == NULL)
	699	return DECLINED;
[c301152]	700
[e183628]	701	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	702	apr_table_t *env = r->subprocess_env;
[7bebb42]	703
[e183628]	704	ctxt =
	705	ap_get_module_config(r->connection->conn_config,
	706	&gnutls_module);
[c301152]	707
[e183628]	708	if (!ctxt \|\| ctxt->session == NULL) {
	709	return DECLINED;
	710	}
[c301152]	711
[e183628]	712	apr_table_setn(env, "HTTPS", "on");
	713
	714	apr_table_setn(env, "SSL_VERSION_LIBRARY",
	715	"GnuTLS/" LIBGNUTLS_VERSION);
	716	apr_table_setn(env, "SSL_VERSION_INTERFACE",
	717	"mod_gnutls/" MOD_GNUTLS_VERSION);
	718
	719	apr_table_setn(env, "SSL_PROTOCOL",
	720	gnutls_protocol_get_name(gnutls_protocol_get_version
	721	(ctxt->session)));
	722
	723	/* should have been called SSL_CIPHERSUITE instead */
	724	apr_table_setn(env, "SSL_CIPHER",
	725	gnutls_cipher_suite_get_name(gnutls_kx_get
	726	(ctxt->session),
	727	gnutls_cipher_get
	728	(ctxt->session),
	729	gnutls_mac_get
	730	(ctxt->session)));
	731
	732	apr_table_setn(env, "SSL_COMPRESS_METHOD",
	733	gnutls_compression_get_name(gnutls_compression_get
	734	(ctxt->session)));
[7bebb42]	735
[787dab7]	736	#ifdef ENABLE_SRP
[369f47a]	737	if (ctxt->sc->srp_tpasswd_conf_file != NULL && ctxt->sc->srp_tpasswd_file != NULL) {
	738	tmp = gnutls_srp_server_get_username(ctxt->session);
	739	apr_table_setn(env, "SSL_SRP_USER", (tmp != NULL) ? tmp : "");
	740	} else {
	741	apr_table_unset(env, "SSL_SRP_USER");
	742	}
[787dab7]	743	#endif
[c301152]	744
[e183628]	745	if (apr_table_get(env, "SSL_CLIENT_VERIFY") == NULL)
	746	apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE");
[c301152]	747
[e183628]	748	unsigned int key_size =
	749	8 *
	750	gnutls_cipher_get_key_size(gnutls_cipher_get(ctxt->session));
	751	tmp = apr_psprintf(r->pool, "%u", key_size);
[c301152]	752
[e183628]	753	apr_table_setn(env, "SSL_CIPHER_USEKEYSIZE", tmp);
[c301152]	754
[e183628]	755	apr_table_setn(env, "SSL_CIPHER_ALGKEYSIZE", tmp);
[c301152]	756
[e183628]	757	apr_table_setn(env, "SSL_CIPHER_EXPORT",
	758	(key_size <= 40) ? "true" : "false");
[7bebb42]	759
[e183628]	760	len = sizeof (sbuf);
	761	gnutls_session_get_id(ctxt->session, sbuf, &len);
	762	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof (buf));
	763	apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp));
[7ba803b]	764
[3b4c0d0]	765	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
[2b76a9c]	766	mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[0], 0);
[3b4c0d0]	767	} else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) {
	768	mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0);
	769	}
[7bebb42]	770
[e183628]	771	return rv;
[c301152]	772	}
	773
[e183628]	774	int mgs_hook_authz(request_rec * r) {
	775	int rv;
	776	mgs_handle_t *ctxt;
	777	mgs_dirconf_rec *dc;
	778
	779	if (r == NULL)
	780	return DECLINED;
	781
	782	dc = ap_get_module_config(r->per_dir_config, &gnutls_module);
	783
	784	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	785	ctxt =
	786	ap_get_module_config(r->connection->conn_config,
	787	&gnutls_module);
	788
	789	if (!ctxt \|\| ctxt->session == NULL) {
	790	return DECLINED;
	791	}
	792
	793	if (dc->client_verify_mode == GNUTLS_CERT_IGNORE) {
	794	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	795	"GnuTLS: Directory set to Ignore Client Certificate!");
	796	} else {
	797	if (ctxt->sc->client_verify_mode < dc->client_verify_mode) {
	798	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	799	"GnuTLS: Attempting to rehandshake with peer. %d %d",
	800	ctxt->sc->client_verify_mode,
	801	dc->client_verify_mode);
	802
	803	/* If we already have a client certificate, there's no point in
	804	* re-handshaking... */
	805	rv = mgs_cert_verify(r, ctxt);
	806	if (rv != DECLINED && rv != HTTP_FORBIDDEN)
	807	return rv;
	808
	809	gnutls_certificate_server_set_request
	810	(ctxt->session, dc->client_verify_mode);
	811
	812	if (mgs_rehandshake(ctxt) != 0) {
	813	return HTTP_FORBIDDEN;
	814	}
	815	} else if (ctxt->sc->client_verify_mode ==
	816	GNUTLS_CERT_IGNORE) {
[c301152]	817	#if MOD_GNUTLS_DEBUG
[e183628]	818	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	819	"GnuTLS: Peer is set to IGNORE");
[c301152]	820	#endif
[e183628]	821	return DECLINED;
	822	}
	823	rv = mgs_cert_verify(r, ctxt);
	824	if (rv != DECLINED &&
	825	(rv != HTTP_FORBIDDEN \|\|
	826	dc->client_verify_mode == GNUTLS_CERT_REQUIRE)) {
	827	return rv;
	828	}
	829	}
	830
	831	return DECLINED;
[7bebb42]	832	}
	833
	834	/* variables that are not sent by default:
	835	*
	836	* SSL_CLIENT_CERT string PEM-encoded client certificate
	837	* SSL_SERVER_CERT string PEM-encoded client certificate
	838	*/
[836c2f9]	839
[7bebb42]	840	/* side is either 0 for SERVER or 1 for CLIENT
	841	*/
	842	#define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT")
[e183628]	843
[3b4c0d0]	844	static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side) {
[e183628]	845	unsigned char sbuf[64]; /* buffer to hold serials */
	846	char buf[AP_IOBUFSIZE];
	847	const char *tmp;
	848	char *tmp2;
	849	size_t len;
	850	int ret, i;
	851
	852	if (r == NULL)
	853	return;
	854
	855	apr_table_t *env = r->subprocess_env;
	856
	857	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	858
	859	len = sizeof (buf);
	860	gnutls_x509_crt_get_dn(cert, buf, &len);
	861	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_S_DN", NULL),
	862	apr_pstrmemdup(r->pool, buf, len));
	863
	864	len = sizeof (buf);
	865	gnutls_x509_crt_get_issuer_dn(cert, buf, &len);
	866	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_I_DN", NULL),
	867	apr_pstrmemdup(r->pool, buf, len));
	868
	869	len = sizeof (sbuf);
	870	gnutls_x509_crt_get_serial(cert, sbuf, &len);
	871	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof (buf));
	872	apr_table_setn(env,
	873	apr_pstrcat(r->pool, MGS_SIDE, "_M_SERIAL", NULL),
	874	apr_pstrdup(r->pool, tmp));
	875
	876	ret = gnutls_x509_crt_get_version(cert);
	877	if (ret > 0)
	878	apr_table_setn(env,
	879	apr_pstrcat(r->pool, MGS_SIDE, "_M_VERSION",
	880	NULL), apr_psprintf(r->pool,
	881	"%u", ret));
	882
	883	apr_table_setn(env,
	884	apr_pstrcat(r->pool, MGS_SIDE, "_CERT_TYPE", NULL),
	885	"X.509");
	886
	887	tmp =
	888	mgs_time2sz(gnutls_x509_crt_get_expiration_time
	889	(cert), buf, sizeof (buf));
	890	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_END", NULL),
	891	apr_pstrdup(r->pool, tmp));
	892
	893	tmp =
	894	mgs_time2sz(gnutls_x509_crt_get_activation_time
	895	(cert), buf, sizeof (buf));
	896	apr_table_setn(env,
	897	apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL),
	898	apr_pstrdup(r->pool, tmp));
	899
	900	ret = gnutls_x509_crt_get_signature_algorithm(cert);
	901	if (ret >= 0) {
	902	apr_table_setn(env,
	903	apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG",
	904	NULL),
	905	gnutls_sign_algorithm_get_name(ret));
	906	}
	907
	908	ret = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
	909	if (ret >= 0) {
	910	apr_table_setn(env,
	911	apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY",
	912	NULL),
	913	gnutls_pk_algorithm_get_name(ret));
	914	}
	915
	916	/* export all the alternative names (DNS, RFC822 and URI) */
	917	for (i = 0; !(ret < 0); i++) {
	918	len = 0;
	919	ret = gnutls_x509_crt_get_subject_alt_name(cert, i,
	920	NULL, &len,
	921	NULL);
	922
	923	if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER && len > 1) {
	924	tmp2 = apr_palloc(r->pool, len + 1);
	925
	926	ret =
	927	gnutls_x509_crt_get_subject_alt_name(cert, i,
	928	tmp2,
	929	&len,
	930	NULL);
	931	tmp2[len] = 0;
	932
	933	if (ret == GNUTLS_SAN_DNSNAME) {
	934	apr_table_setn(env,
	935	apr_psprintf(r->pool,
	936	"%s_S_AN%u",
	937	MGS_SIDE, i),
	938	apr_psprintf(r->pool,
	939	"DNSNAME:%s",
	940	tmp2));
	941	} else if (ret == GNUTLS_SAN_RFC822NAME) {
	942	apr_table_setn(env,
	943	apr_psprintf(r->pool,
	944	"%s_S_AN%u",
	945	MGS_SIDE, i),
	946	apr_psprintf(r->pool,
	947	"RFC822NAME:%s",
	948	tmp2));
	949	} else if (ret == GNUTLS_SAN_URI) {
	950	apr_table_setn(env,
	951	apr_psprintf(r->pool,
	952	"%s_S_AN%u",
	953	MGS_SIDE, i),
	954	apr_psprintf(r->pool,
	955	"URI:%s",
	956	tmp2));
	957	} else {
	958	apr_table_setn(env,
	959	apr_psprintf(r->pool,
	960	"%s_S_AN%u",
	961	MGS_SIDE, i),
	962	"UNSUPPORTED");
	963	}
	964	}
	965	}
[e5bbda4]	966	}
[7bebb42]	967
[3b4c0d0]	968	static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side) {
	969
	970	unsigned char sbuf[64]; /* buffer to hold serials */
[e183628]	971	char buf[AP_IOBUFSIZE];
	972	const char *tmp;
	973	size_t len;
	974	int ret;
	975
	976	if (r == NULL)
	977	return;
	978
	979	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	980	apr_table_t *env = r->subprocess_env;
	981
	982	len = sizeof (buf);
	983	gnutls_openpgp_crt_get_name(cert, 0, buf, &len);
	984	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_NAME", NULL),
	985	apr_pstrmemdup(r->pool, buf, len));
	986
	987	len = sizeof (sbuf);
	988	gnutls_openpgp_crt_get_fingerprint(cert, sbuf, &len);
	989	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof (buf));
	990	apr_table_setn(env,
	991	apr_pstrcat(r->pool, MGS_SIDE, "_FINGERPRINT",
	992	NULL), apr_pstrdup(r->pool, tmp));
	993
	994	ret = gnutls_openpgp_crt_get_version(cert);
	995	if (ret > 0)
	996	apr_table_setn(env,
	997	apr_pstrcat(r->pool, MGS_SIDE, "_M_VERSION",
	998	NULL), apr_psprintf(r->pool,
	999	"%u", ret));
	1000
	1001	apr_table_setn(env,
	1002	apr_pstrcat(r->pool, MGS_SIDE, "_CERT_TYPE", NULL),
	1003	"OPENPGP");
	1004
	1005	tmp =
	1006	mgs_time2sz(gnutls_openpgp_crt_get_expiration_time
	1007	(cert), buf, sizeof (buf));
	1008	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_END", NULL),
	1009	apr_pstrdup(r->pool, tmp));
	1010
	1011	tmp =
	1012	mgs_time2sz(gnutls_openpgp_crt_get_creation_time
	1013	(cert), buf, sizeof (buf));
	1014	apr_table_setn(env,
	1015	apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL),
	1016	apr_pstrdup(r->pool, tmp));
	1017
	1018	ret = gnutls_openpgp_crt_get_pk_algorithm(cert, NULL);
	1019	if (ret >= 0) {
	1020	apr_table_setn(env,
	1021	apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY",
	1022	NULL),
	1023	gnutls_pk_algorithm_get_name(ret));
	1024	}
[e5bbda4]	1025
	1026	}
	1027
[2b3a248b]	1028	/* TODO: Allow client sending a X.509 certificate chain */
[e183628]	1029	static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) {
	1030	const gnutls_datum_t *cert_list;
	1031	unsigned int cert_list_size, status;
	1032	int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret;
	1033	unsigned int ch_size = 0;
	1034
	1035	union {
	1036	gnutls_x509_crt_t x509[MAX_CHAIN_SIZE];
	1037	gnutls_openpgp_crt_t pgp;
	1038	} cert;
	1039	apr_time_t expiration_time, cur_time;
	1040
	1041	if (r == NULL \|\| ctxt == NULL \|\| ctxt->session == NULL)
	1042	return HTTP_FORBIDDEN;
	1043
	1044	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	1045	cert_list =
	1046	gnutls_certificate_get_peers(ctxt->session, &cert_list_size);
	1047
	1048	if (cert_list == NULL \|\| cert_list_size == 0) {
	1049	/* It is perfectly OK for a client not to send a certificate if on REQUEST mode
	1050	*/
	1051	if (ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUEST)
	1052	return OK;
	1053
	1054	/* no certificate provided by the client, but one was required. */
	1055	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1056	"GnuTLS: Failed to Verify Peer: "
	1057	"Client did not submit a certificate");
	1058	return HTTP_FORBIDDEN;
	1059	}
	1060
	1061	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
	1062	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	1063	"GnuTLS: A Chain of %d certificate(s) was provided for validation",
	1064	cert_list_size);
	1065
	1066	for (ch_size = 0; ch_size < cert_list_size; ch_size++) {
	1067	gnutls_x509_crt_init(&cert.x509[ch_size]);
	1068	rv = gnutls_x509_crt_import(cert.x509[ch_size],
	1069	&cert_list[ch_size],
	1070	GNUTLS_X509_FMT_DER);
	1071	// When failure to import, leave the loop
	1072	if (rv != GNUTLS_E_SUCCESS) {
	1073	if (ch_size < 1) {
	1074	ap_log_rerror(APLOG_MARK,
	1075	APLOG_INFO, 0, r,
	1076	"GnuTLS: Failed to Verify Peer: "
	1077	"Failed to import peer certificates.");
	1078	ret = HTTP_FORBIDDEN;
	1079	goto exit;
	1080	}
	1081	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1082	"GnuTLS: Failed to import some peer certificates. Using %d certificates",
	1083	ch_size);
	1084	rv = GNUTLS_E_SUCCESS;
	1085	break;
	1086	}
	1087	}
	1088	} else if (gnutls_certificate_type_get(ctxt->session) ==
	1089	GNUTLS_CRT_OPENPGP) {
	1090	if (cert_list_size > 1) {
	1091	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1092	"GnuTLS: Failed to Verify Peer: "
	1093	"Chained Client Certificates are not supported.");
	1094	return HTTP_FORBIDDEN;
	1095	}
	1096
	1097	gnutls_openpgp_crt_init(&cert.pgp);
	1098	rv = gnutls_openpgp_crt_import(cert.pgp, &cert_list[0],
	1099	GNUTLS_OPENPGP_FMT_RAW);
	1100
	1101	} else
	1102	return HTTP_FORBIDDEN;
	1103
	1104	if (rv < 0) {
	1105	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1106	"GnuTLS: Failed to Verify Peer: "
	1107	"Failed to import peer certificates.");
	1108	ret = HTTP_FORBIDDEN;
	1109	goto exit;
	1110	}
	1111
	1112	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
	1113	apr_time_ansi_put(&expiration_time,
	1114	gnutls_x509_crt_get_expiration_time
	1115	(cert.x509[0]));
	1116
	1117	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	1118	"GnuTLS: Verifying list of %d certificate(s)",
	1119	ch_size);
	1120	rv = gnutls_x509_crt_list_verify(cert.x509, ch_size,
	1121	ctxt->sc->ca_list,
	1122	ctxt->sc->ca_list_size,
	1123	NULL, 0, 0, &status);
	1124	} else {
	1125	apr_time_ansi_put(&expiration_time,
	1126	gnutls_openpgp_crt_get_expiration_time
	1127	(cert.pgp));
	1128
	1129	rv = gnutls_openpgp_crt_verify_ring(cert.pgp,
	1130	ctxt->sc->pgp_list, 0,
	1131	&status);
	1132	}
	1133
	1134	if (rv < 0) {
	1135	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1136	"GnuTLS: Failed to Verify Peer certificate: (%d) %s",
	1137	rv, gnutls_strerror(rv));
	1138	if (rv == GNUTLS_E_NO_CERTIFICATE_FOUND)
	1139	ap_log_rerror(APLOG_MARK, APLOG_EMERG, 0, r,
	1140	"GnuTLS: No certificate was found for verification. Did you set the GnuTLSX509CAFile or GnuTLSPGPKeyringFile directives?");
	1141	ret = HTTP_FORBIDDEN;
	1142	goto exit;
	1143	}
	1144
	1145	/* TODO: X509 CRL Verification. */
	1146	/* May add later if anyone needs it.
	1147	*/
	1148	/* ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); */
	1149
	1150	cur_time = apr_time_now();
	1151
	1152	if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
	1153	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1154	"GnuTLS: Could not find Signer for Peer Certificate");
	1155	}
	1156
	1157	if (status & GNUTLS_CERT_SIGNER_NOT_CA) {
	1158	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1159	"GnuTLS: Peer's Certificate signer is not a CA");
	1160	}
	1161
	1162	if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
	1163	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1164	"GnuTLS: Peer's Certificate is using insecure algorithms");
	1165	}
	1166
	1167	if (status & GNUTLS_CERT_EXPIRED
	1168	\|\| status & GNUTLS_CERT_NOT_ACTIVATED) {
	1169	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1170	"GnuTLS: Peer's Certificate signer is expired or not yet activated");
	1171	}
	1172
	1173	if (status & GNUTLS_CERT_INVALID) {
	1174	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1175	"GnuTLS: Peer Certificate is invalid.");
	1176	} else if (status & GNUTLS_CERT_REVOKED) {
	1177	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1178	"GnuTLS: Peer Certificate is revoked.");
	1179	}
	1180
	1181	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
[3b4c0d0]	1182	mgs_add_common_cert_vars(r, cert.x509[0], 1);
[e183628]	1183	else if (gnutls_certificate_type_get(ctxt->session) ==
	1184	GNUTLS_CRT_OPENPGP)
[3b4c0d0]	1185	mgs_add_common_pgpcert_vars(r, cert.pgp, 1);
[e183628]	1186
	1187	{
	1188	/* days remaining */
	1189	unsigned long remain =
	1190	(apr_time_sec(expiration_time) -
	1191	apr_time_sec(cur_time)) / 86400;
	1192	apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN",
	1193	apr_psprintf(r->pool, "%lu", remain));
	1194	}
	1195
	1196	if (status == 0) {
	1197	apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY",
	1198	"SUCCESS");
	1199	ret = OK;
	1200	} else {
	1201	apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY",
	1202	"FAILED");
	1203	if (ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUEST)
	1204	ret = OK;
	1205	else
	1206	ret = HTTP_FORBIDDEN;
	1207	}
	1208
	1209	exit:
	1210	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
	1211	int i;
	1212	for (i = 0; i < ch_size; i++) {
	1213	gnutls_x509_crt_deinit(cert.x509[i]);
	1214	}
	1215	} else if (gnutls_certificate_type_get(ctxt->session) ==
	1216	GNUTLS_CRT_OPENPGP)
	1217	gnutls_openpgp_crt_deinit(cert.pgp);
	1218	return ret;
[7bebb42]	1219
	1220
[9ee0464]	1221	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: