Context Navigation

gnutls_hooks.c @ 99f8375

Visit:

asynciodebian/masterdebian/stretch-backportsjessie-backportsproxy-ticketupstream

Last change on this file since 99f8375 was 99f8375, checked in by Thomas Klute <thomas2.klute@…>, 5 years ago

Ensure safe defaults during client verification

Initialize the validation status to "invalid". Two error codepaths do
not set status, though it might be read later. They should never be hit
(invalid verification modes should be rejected during server config),
but this adds another line of defense.

Also, the error paths now set the "rv" variable to an error code, which
means client verification fails without checking of the status variable.

Property mode set to 100644

File size: 66.8 KB

Rev	Line
[c301152]	1	/**
	2	* Copyright 2004-2005 Paul Querna
[e021722]	3	* Copyright 2008, 2014 Nikos Mavrogiannopoulos
[e183628]	4	* Copyright 2011 Dash Shendy
[765cac2]	5	* Copyright 2013-2014 Daniel Kahn Gillmor
[e391197]	6	* Copyright 2015 Thomas Klute
[c301152]	7	*
	8	* Licensed under the Apache License, Version 2.0 (the "License");
	9	* you may not use this file except in compliance with the License.
	10	* You may obtain a copy of the License at
	11	*
	12	* http://www.apache.org/licenses/LICENSE-2.0
	13	*
	14	* Unless required by applicable law or agreed to in writing, software
	15	* distributed under the License is distributed on an "AS IS" BASIS,
	16	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	17	* See the License for the specific language governing permissions and
	18	* limitations under the License.
	19	*
	20	*/
	21
	22	#include "mod_gnutls.h"
	23	#include "http_vhost.h"
[84cb5b2]	24	#include "ap_mpm.h"
[b4739cd]	25	#include "mod_status.h"
[c301152]	26
[07889ab]	27	#ifdef ENABLE_MSVA
	28	#include <msv/msv.h>
	29	#endif
[0499540]	30
[55dc3f0]	31	#ifdef APLOG_USE_MODULE
	32	APLOG_USE_MODULE(gnutls);
	33	#endif
	34
[c301152]	35	#if !USING_2_1_RECENT
	36	extern server_rec *ap_server_conf;
	37	#endif
	38
	39	#if MOD_GNUTLS_DEBUG
[7bebb42]	40	static apr_file_t *debug_log_fp;
[c301152]	41	#endif
	42
[b429e4c]	43	#define IS_PROXY_STR(c) \
	44	((c->is_proxy == GNUTLS_ENABLED_TRUE) ? "proxy " : "")
	45
[b8df283]	46	static gnutls_datum_t session_ticket_key = {NULL, 0};
[84cb5b2]	47
[7bebb42]	48	static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
	49	/* use side==0 for server and side==1 for client */
[fd82e59]	50	static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, size_t export_cert_size);
	51	static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, size_t export_cert_size);
[b4739cd]	52	static int mgs_status_hook(request_rec *r, int flags);
[fd82e59]	53	#ifdef ENABLE_MSVA
	54	static const char* mgs_x509_construct_uid(request_rec * pool, gnutls_x509_crt_t cert);
	55	#endif
[0de1839]	56	static int load_proxy_x509_credentials(server_rec *s);
[e183628]	57
[3b4c0d0]	58	/* Pool Cleanup Function */
[fd82e59]	59	apr_status_t mgs_cleanup_pre_config(void *data __attribute__((unused))) {
[3b4c0d0]	60	/* Free all session data */
[e183628]	61	gnutls_free(session_ticket_key.data);
	62	session_ticket_key.data = NULL;
	63	session_ticket_key.size = 0;
[3b4c0d0]	64	/* Deinitialize GnuTLS Library */
[e183628]	65	gnutls_global_deinit();
	66	return APR_SUCCESS;
[c301152]	67	}
	68
[3b4c0d0]	69	/* Logging Function for Maintainers */
[c301152]	70	#if MOD_GNUTLS_DEBUG
[e183628]	71	static void gnutls_debug_log_all(int level, const char *str) {
[9ecd212]	72	apr_file_printf(debug_log_fp, "<%d> %s", level, str);
[c301152]	73	}
[a208cd3]	74	#define _gnutls_log apr_file_printf
	75	#else
[e183628]	76	#define _gnutls_log(...)
[c301152]	77	#endif
	78
[07889ab]	79	static const char* mgs_readable_cvm(mgs_client_verification_method_e m) {
	80	switch(m) {
	81	case mgs_cvm_unset:
	82	return "unset";
	83	case mgs_cvm_cartel:
	84	return "cartel";
	85	case mgs_cvm_msva:
	86	return "msva";
	87	}
	88	return "unknown";
	89	}
	90
[3b4c0d0]	91	/* Pre-Configuration HOOK: Runs First */
[fd82e59]	92	int mgs_hook_pre_config(apr_pool_t * pconf, apr_pool_t * plog, apr_pool_t * ptemp __attribute__((unused))) {
[26b08fd]	93
[3b4c0d0]	94	/* Maintainer Logging */
	95	#if MOD_GNUTLS_DEBUG
	96	apr_file_open(&debug_log_fp, "/tmp/gnutls_debug", APR_APPEND \| APR_WRITE \| APR_CREATE, APR_OS_DEFAULT, pconf);
[e183628]	97	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	98	gnutls_global_set_log_level(9);
	99	gnutls_global_set_log_function(gnutls_debug_log_all);
[37f8282]	100	_gnutls_log(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL));
[671b64f]	101	#endif
[3b4c0d0]	102
[33826c5]	103	int ret;
[26b08fd]	104
[3b4c0d0]	105	/* Check for required GnuTLS Library Version */
[932b68e]	106	if (gnutls_check_version(LIBGNUTLS_VERSION) == NULL) {
[cb5188f]	107	ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, plog, "gnutls_check_version() failed. Required: "
[9ecd212]	108	"gnutls-%s Found: gnutls-%s", LIBGNUTLS_VERSION, gnutls_check_version(NULL));
[421ef1c]	109	return DONE;
[e183628]	110	}
[e02dd8c]	111
[3b4c0d0]	112	/* Initialize GnuTLS Library */
[e183628]	113	ret = gnutls_global_init();
	114	if (ret < 0) {
[9ecd212]	115	ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, plog, "gnutls_global_init: %s", gnutls_strerror(ret));
[421ef1c]	116	return DONE;
[e183628]	117	}
[2b3a248b]	118
[3b4c0d0]	119	/* Generate a Session Key */
[e183628]	120	ret = gnutls_session_ticket_key_generate(&session_ticket_key);
	121	if (ret < 0) {
[9ecd212]	122	ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, plog, "gnutls_session_ticket_key_generate: %s", gnutls_strerror(ret));
[421ef1c]	123	return DONE;
[e183628]	124	}
[e5bbda4]	125
[b4739cd]	126	AP_OPTIONAL_HOOK(status_hook, mgs_status_hook, NULL, NULL, APR_HOOK_MIDDLE);
	127
[3b4c0d0]	128	/* Register a pool clean-up function */
[421ef1c]	129	apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config, apr_pool_cleanup_null);
[c301152]	130
[e183628]	131	return OK;
[c301152]	132	}
	133
[e183628]	134	static int mgs_select_virtual_server_cb(gnutls_session_t session) {
[3b4c0d0]	135
	136	mgs_handle_t *ctxt = NULL;
	137	mgs_srvconf_rec *tsc = NULL;
[9180a60]	138	int ret = 0;
[7bebb42]	139
[e183628]	140	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
[26b08fd]	141
[e183628]	142	ctxt = gnutls_transport_get_ptr(session);
[7bebb42]	143
[e183628]	144	/* find the virtual server */
	145	tsc = mgs_find_sni_server(session);
[7bebb42]	146
[8985a6b]	147	if (tsc != NULL) {
	148	// Found a TLS vhost based on the SNI from the client; use it instead.
[e183628]	149	ctxt->sc = tsc;
[3b4c0d0]	150	}
[7bebb42]	151
[3b4c0d0]	152	gnutls_certificate_server_set_request(session, ctxt->sc->client_verify_mode);
[7bebb42]	153
[beb14d9]	154	/* Set x509 credentials */
[3b4c0d0]	155	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctxt->sc->certs);
[beb14d9]	156	/* Set Anon credentials */
[3b4c0d0]	157	gnutls_credentials_set(session, GNUTLS_CRD_ANON, ctxt->sc->anon_creds);
[7bebb42]	158
[787dab7]	159	#ifdef ENABLE_SRP
[3b4c0d0]	160	/* Set SRP credentials */
	161	if (ctxt->sc->srp_tpasswd_conf_file != NULL && ctxt->sc->srp_tpasswd_file != NULL) {
	162	gnutls_credentials_set(session, GNUTLS_CRD_SRP, ctxt->sc->srp_creds);
[e183628]	163	}
[787dab7]	164	#endif
[7bebb42]	165
[e183628]	166	/* update the priorities - to avoid negotiating a ciphersuite that is not
	167	* enabled on this virtual server. Note that here we ignore the version
	168	* negotiation.
	169	*/
[3b4c0d0]	170
[b668622]	171	ret = gnutls_priority_set(session, ctxt->sc->priorities);
[e183628]	172	/* actually it shouldn't fail since we have checked at startup */
[9180a60]	173	return ret;
[3b4c0d0]	174
[7bebb42]	175	}
	176
[671b64f]	177	static int cert_retrieve_fn(gnutls_session_t session,
[259e835]	178	const gnutls_datum_t * req_ca_rdn __attribute__((unused)),
	179	int nreqs __attribute__((unused)),
	180	const gnutls_pk_algorithm_t * pk_algos __attribute__((unused)),
	181	int pk_algos_length __attribute__((unused)),
	182	gnutls_pcert_st **pcerts,
	183	unsigned int *pcert_length,
[031acac]	184	gnutls_privkey_t *privkey)
	185	{
	186	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
[3b4c0d0]	187
[031acac]	188	mgs_handle_t *ctxt;
[3b4c0d0]	189
	190	if (session == NULL) {
	191	// ERROR INVALID SESSION
	192	return -1;
[031acac]	193	}
	194
[c0dd3ab]	195	ctxt = gnutls_transport_get_ptr(session);
	196
	197	if (gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) {
[3b4c0d0]	198	// X509 CERTIFICATE
[031acac]	199	*pcerts = ctxt->sc->certs_x509_chain;
	200	*pcert_length = ctxt->sc->certs_x509_chain_num;
	201	*privkey = ctxt->sc->privkey_x509;
[e183628]	202	return 0;
[9180a60]	203	} else if (gnutls_certificate_type_get(session) == GNUTLS_CRT_OPENPGP) {
[3b4c0d0]	204	// OPENPGP CERTIFICATE
[031acac]	205	*pcerts = ctxt->sc->cert_pgp;
	206	*pcert_length = 1;
	207	*privkey = ctxt->sc->privkey_pgp;
[e183628]	208	return 0;
[3b4c0d0]	209	} else {
	210	// UNKNOWN CERTIFICATE
	211	return -1;
	212	}
[7bebb42]	213	}
	214
[fd73a08]	215	/* Read the common name or the alternative name of the certificate.
	216	* We only support a single name per certificate.
	217	*
	218	* Returns negative on error.
	219	*/
[3b4c0d0]	220	static int read_crt_cn(server_rec * s, apr_pool_t * p, gnutls_x509_crt_t cert, char **cert_cn) {
	221
[e183628]	222	int rv = 0, i;
	223	size_t data_len;
	224
	225
	226	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	227	*cert_cn = NULL;
	228
	229	data_len = 0;
[3b4c0d0]	230	rv = gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, NULL, &data_len);
[e183628]	231
	232	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
	233	*cert_cn = apr_palloc(p, data_len);
	234	rv = gnutls_x509_crt_get_dn_by_oid(cert,
	235	GNUTLS_OID_X520_COMMON_NAME,
	236	0, 0, *cert_cn,
	237	&data_len);
	238	} else { /* No CN return subject alternative name */
	239	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
	240	"No common name found in certificate for '%s:%d'. Looking for subject alternative name...",
	241	s->server_hostname, s->port);
	242	rv = 0;
	243	/* read subject alternative name */
	244	for (i = 0; !(rv < 0); i++) {
	245	data_len = 0;
	246	rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
	247	NULL,
	248	&data_len,
	249	NULL);
	250
	251	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER
	252	&& data_len > 1) {
	253	/* FIXME: not very efficient. What if we have several alt names
	254	* before DNSName?
	255	*/
	256	*cert_cn = apr_palloc(p, data_len + 1);
	257
	258	rv = gnutls_x509_crt_get_subject_alt_name
	259	(cert, i, *cert_cn, &data_len, NULL);
	260	(*cert_cn)[data_len] = 0;
	261
	262	if (rv == GNUTLS_SAN_DNSNAME)
	263	break;
	264	}
	265	}
	266	}
	267
	268	return rv;
[e5bbda4]	269	}
	270
	271	static int read_pgpcrt_cn(server_rec * s, apr_pool_t * p,
[e183628]	272	gnutls_openpgp_crt_t cert, char **cert_cn) {
	273	int rv = 0;
	274	size_t data_len;
[e5bbda4]	275
	276
[e183628]	277	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	278	*cert_cn = NULL;
[e5bbda4]	279
[e183628]	280	data_len = 0;
	281	rv = gnutls_openpgp_crt_get_name(cert, 0, NULL, &data_len);
[e5bbda4]	282
[e183628]	283	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
	284	*cert_cn = apr_palloc(p, data_len);
	285	rv = gnutls_openpgp_crt_get_name(cert, 0, *cert_cn,
	286	&data_len);
	287	} else { /* No CN return subject alternative name */
	288	ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
	289	"No name found in PGP certificate for '%s:%d'.",
	290	s->server_hostname, s->port);
	291	}
[fd73a08]	292
[e183628]	293	return rv;
[fd73a08]	294	}
[7bebb42]	295
[fd82e59]	296	int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog __attribute__((unused)), apr_pool_t * ptemp __attribute__((unused)), server_rec * base_server) {
[3b4c0d0]	297
[e183628]	298	int rv;
	299	server_rec *s;
	300	gnutls_dh_params_t dh_params = NULL;
	301	mgs_srvconf_rec *sc;
	302	mgs_srvconf_rec *sc_base;
	303	void *data = NULL;
	304	const char *userdata_key = "mgs_init";
	305
	306	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
[3b4c0d0]	307
	308	apr_pool_userdata_get(&data, userdata_key, base_server->process->pool);
[e183628]	309	if (data == NULL) {
[3b4c0d0]	310	apr_pool_userdata_set((const void *) 1, userdata_key, apr_pool_cleanup_null, base_server->process->pool);
[e183628]	311	}
	312
	313	s = base_server;
[3b4c0d0]	314	sc_base = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module);
[e183628]	315
	316
	317	rv = mgs_cache_post_config(p, s, sc_base);
	318	if (rv != 0) {
	319	ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
	320	"GnuTLS: Post Config for GnuTLSCache Failed."
	321	" Shutting Down.");
	322	exit(-1);
	323	}
	324
[87f1ed2]	325	/* Load additional PKCS #11 module, if requested */
	326	if (sc_base->p11_module != NULL)
	327	{
	328	rv = gnutls_pkcs11_add_provider(sc_base->p11_module, NULL);
	329	if (rv != GNUTLS_E_SUCCESS)
	330	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	331	"GnuTLS: Loading PKCS #11 provider module %s "
	332	"failed: %s (%d).",
	333	sc_base->p11_module, gnutls_strerror(rv), rv);
	334	}
	335
[e183628]	336	for (s = base_server; s; s = s->next) {
[3b4c0d0]	337	sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module);
[e183628]	338	sc->cache_type = sc_base->cache_type;
	339	sc->cache_config = sc_base->cache_config;
[040387c]	340	sc->cache_timeout = sc_base->cache_timeout;
	341
[031acac]	342	rv = mgs_load_files(p, s);
	343	if (rv != 0) {
	344	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	345	"GnuTLS: Loading required files failed."
	346	" Shutting Down.");
	347	exit(-1);
	348	}
	349
[040387c]	350	/* defaults for unset values: */
	351	if (sc->enabled == GNUTLS_ENABLED_UNSET)
	352	sc->enabled = GNUTLS_ENABLED_FALSE;
[7d1ab49]	353	if (sc->tickets == GNUTLS_ENABLED_UNSET)
[040387c]	354	sc->tickets = GNUTLS_ENABLED_TRUE;
[2aaf4f5]	355	if (sc->export_certificates_size < 0)
	356	sc->export_certificates_size = 0;
[040387c]	357	if (sc->client_verify_mode == -1)
	358	sc->client_verify_mode = GNUTLS_CERT_IGNORE;
[cf2b905]	359	if (sc->client_verify_method == mgs_cvm_unset)
	360	sc->client_verify_method = mgs_cvm_cartel;
[040387c]	361
[e183628]	362	/* Check if the priorities have been set */
[33826c5]	363	if (sc->priorities == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
[e183628]	364	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	365	"GnuTLS: Host '%s:%d' is missing the GnuTLSPriorities directive!",
	366	s->server_hostname, s->port);
	367	exit(-1);
	368	}
	369
[3b4c0d0]	370	/* Check if DH params have been set per host */
[410d216]	371	if (sc->dh_params != NULL) {
	372	gnutls_certificate_set_dh_params(sc->certs, sc->dh_params);
[671b64f]	373	gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params);
[410d216]	374	} else if (dh_params) {
	375	gnutls_certificate_set_dh_params(sc->certs, dh_params);
[671b64f]	376	gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params);
[e183628]	377	}
	378
[2cde8111]	379	/* The call after this comment is a workaround for bug in
	380	* gnutls_certificate_set_retrieve_function2 that ignores
	381	* supported certificate types. Should be fixed in GnuTLS
	382	* 3.3.12.
	383	*
	384	* Details:
	385	* https://lists.gnupg.org/pipermail/gnutls-devel/2015-January/007377.html
	386	* Workaround from:
[d04f7da]	387	* https://github.com/vanrein/tlspool/commit/4938102d3d1b086491d147e6c8e4e2a02825fc12 */
[2cde8111]	388	#if GNUTLS_VERSION_NUMBER < 0x030312
	389	gnutls_certificate_set_retrieve_function(sc->certs, (void *) exit);
[787dab7]	390	#endif
[7bebb42]	391
[031acac]	392	gnutls_certificate_set_retrieve_function2(sc->certs, cert_retrieve_fn);
[7bebb42]	393
[2b76a9c]	394	if ((sc->certs_x509_chain == NULL \|\| sc->certs_x509_chain_num < 1) &&
	395	sc->cert_pgp == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
[671b64f]	396	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
[031acac]	397	"GnuTLS: Host '%s:%d' is missing a Certificate File!",
[3b4c0d0]	398	s->server_hostname, s->port);
[e183628]	399	exit(-1);
	400	}
[2b76a9c]	401	if (sc->enabled == GNUTLS_ENABLED_TRUE &&
[031acac]	402	((sc->certs_x509_chain_num > 0 && sc->privkey_x509 == NULL) \|\|
	403	(sc->cert_crt_pgp[0] != NULL && sc->privkey_pgp == NULL))) {
[671b64f]	404	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
[031acac]	405	"GnuTLS: Host '%s:%d' is missing a Private Key File!",
[3b4c0d0]	406	s->server_hostname, s->port);
[e183628]	407	exit(-1);
	408	}
	409
	410	if (sc->enabled == GNUTLS_ENABLED_TRUE) {
[2b76a9c]	411	rv = -1;
	412	if (sc->certs_x509_chain_num > 0) {
[031acac]	413	rv = read_crt_cn(s, p, sc->certs_x509_crt_chain[0], &sc->cert_cn);
[2b76a9c]	414	}
[671b64f]	415	if (rv < 0 && sc->cert_pgp != NULL) {
[031acac]	416	rv = read_pgpcrt_cn(s, p, sc->cert_crt_pgp[0], &sc->cert_cn);
[3b4c0d0]	417	}
[e183628]	418
	419	if (rv < 0) {
[671b64f]	420	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
[031acac]	421	"GnuTLS: Cannot find a certificate for host '%s:%d'!",
[3b4c0d0]	422	s->server_hostname, s->port);
[e183628]	423	sc->cert_cn = NULL;
	424	continue;
	425	}
	426	}
[0de1839]	427
	428	if (sc->enabled == GNUTLS_ENABLED_TRUE
[4133f2d]	429	&& sc->proxy_enabled == GNUTLS_ENABLED_TRUE
	430	&& load_proxy_x509_credentials(s) != APR_SUCCESS)
[0de1839]	431	{
[4133f2d]	432	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	433	"%s: loading proxy credentials for host "
	434	"'%s:%d' failed, exiting!",
	435	__func__, s->server_hostname, s->port);
	436	exit(-1);
[0de1839]	437	}
[e183628]	438	}
	439
	440
	441	ap_add_version_component(p, "mod_gnutls/" MOD_GNUTLS_VERSION);
	442
[4ec9183]	443	{
[83eafed]	444	const char* libvers = gnutls_check_version(NULL);
	445	char* gnutls_version = NULL;
	446	if(libvers && (gnutls_version = apr_psprintf(p, "GnuTLS/%s", libvers))) {
	447	ap_add_version_component(p, gnutls_version);
	448	} else {
[4ec9183]	449	// In case we could not create the above string go for the static version instead
	450	ap_add_version_component(p, "GnuTLS/" GNUTLS_VERSION "-static");
	451	}
	452	}
	453
[e183628]	454	return OK;
[c301152]	455	}
	456
[031acac]	457	void mgs_hook_child_init(apr_pool_t * p, server_rec *s) {
[e183628]	458	apr_status_t rv = APR_SUCCESS;
[031acac]	459	mgs_srvconf_rec *sc =
	460	(mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module);
[e183628]	461
	462	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
[031acac]	463	/* if we use PKCS #11 reinitialize it */
	464
	465	if (mgs_pkcs11_reinit(s) < 0) {
	466	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
	467	"GnuTLS: Failed to reinitialize PKCS #11");
	468	exit(-1);
	469	}
	470
[e183628]	471	if (sc->cache_type != mgs_cache_none) {
	472	rv = mgs_cache_child_init(p, s, sc);
	473	if (rv != APR_SUCCESS) {
	474	ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
[031acac]	475	"GnuTLS: Failed to run Cache Init");
[e183628]	476	}
	477	}
[33826c5]	478	/* Block SIGPIPE Signals */
[671b64f]	479	rv = apr_signal_block(SIGPIPE);
[37f8282]	480	if(rv != APR_SUCCESS) {
[33826c5]	481	/* error sending output */
[37f8282]	482	ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
[671b64f]	483	"GnuTLS: Error Blocking SIGPIPE Signal!");
	484	}
[c301152]	485	}
	486
[e183628]	487	const char mgs_hook_http_scheme(const request_rec r) {
	488	mgs_srvconf_rec *sc;
[c301152]	489
[e183628]	490	if (r == NULL)
	491	return NULL;
[e02dd8c]	492
[e183628]	493	sc = (mgs_srvconf_rec *) ap_get_module_config(r->
	494	server->module_config,
	495	&gnutls_module);
[e02dd8c]	496
[e183628]	497	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	498	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
	499	return NULL;
	500	}
[e02dd8c]	501
[e183628]	502	return "https";
[c301152]	503	}
	504
[e183628]	505	apr_port_t mgs_hook_default_port(const request_rec * r) {
	506	mgs_srvconf_rec *sc;
[e02dd8c]	507
[e183628]	508	if (r == NULL)
	509	return 0;
[e02dd8c]	510
[e183628]	511	sc = (mgs_srvconf_rec *) ap_get_module_config(r->
	512	server->module_config,
	513	&gnutls_module);
[e02dd8c]	514
[e183628]	515	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	516	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
	517	return 0;
	518	}
[c301152]	519
[e183628]	520	return 443;
[c301152]	521	}
	522
	523	#define MAX_HOST_LEN 255
	524
	525	#if USING_2_1_RECENT
[e183628]	526
[7bebb42]	527	typedef struct {
[e183628]	528	mgs_handle_t *ctxt;
	529	mgs_srvconf_rec *sc;
	530	const char *sni_name;
[c301152]	531	} vhost_cb_rec;
	532
[14d718f]	533	/**
	534	* Matches the current vhost's ServerAlias directives
	535	*
	536	* @param x vhost callback record
	537	* @param s server record
	538	* @return true if a match, false otherwise
	539	*
	540	*/
	541	int check_server_aliases(vhost_cb_rec x, server_rec s, mgs_srvconf_rec *tsc) {
	542	apr_array_header_t *names;
	543	int i,rv = 0;
[cb60afc]	544	char ** name;
[14d718f]	545
	546	/* Check ServerName First! */
	547	if(apr_strnatcasecmp(x->sni_name, s->server_hostname) == 0) {
	548	// We have a match, save this server configuration
	549	x->sc = tsc;
	550	rv = 1;
	551	/* Check any ServerAlias directives */
[e3d36c7]	552	} else if(s->names->nelts) {
[14d718f]	553	names = s->names;
[cb60afc]	554	name = (char **)names->elts;
[14d718f]	555	for (i = 0; i < names->nelts; ++i) {
[671b64f]	556	if (!name[i]) { continue; }
	557	if (apr_strnatcasecmp(x->sni_name, name[i]) == 0) {
[e3d36c7]	558	// We have a match, save this server configuration
	559	x->sc = tsc;
	560	rv = 1;
[671b64f]	561	}
[14d718f]	562	}
	563	/* Wild any ServerAlias Directives */
[e3d36c7]	564	} else if(s->wild_names->nelts) {
[14d718f]	565	names = s->wild_names;
[cb60afc]	566	name = (char **)names->elts;
[14d718f]	567	for (i = 0; i < names->nelts; ++i) {
	568	if (!name[i]) { continue; }
[671b64f]	569	if(apr_fnmatch(name[i], x->sni_name ,
[e3d36c7]	570	APR_FNM_CASE_BLIND\|
	571	APR_FNM_PERIOD\|
	572	APR_FNM_PATHNAME\|
[671b64f]	573	APR_FNM_NOESCAPE) == APR_SUCCESS) {
[14d718f]	574	x->sc = tsc;
[671b64f]	575	rv = 1;
[14d718f]	576	}
	577	}
	578	}
	579	return rv;
	580	}
	581
[fd82e59]	582	static int vhost_cb(void baton, conn_rec conn __attribute__((unused)), server_rec * s) {
[e183628]	583	mgs_srvconf_rec *tsc;
	584	vhost_cb_rec *x = baton;
[b1c2b01]	585	int ret;
[671b64f]	586
[e183628]	587	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	588	tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
	589	&gnutls_module);
[7bebb42]	590
[e183628]	591	if (tsc->enabled != GNUTLS_ENABLED_TRUE \|\| tsc->cert_cn == NULL) {
	592	return 0;
	593	}
[671b64f]	594
[b1c2b01]	595	if (tsc->certs_x509_chain_num > 0) {
[031acac]	596	/* this check is there to warn administrator of any missing hostname
	597	* in the certificate. */
	598	ret = gnutls_x509_crt_check_hostname(tsc->certs_x509_crt_chain[0], s->server_hostname);
[b1c2b01]	599	if (0 == ret)
[031acac]	600	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
	601	"GnuTLS: the certificate doesn't match requested hostname "
[b1c2b01]	602	"'%s'", s->server_hostname);
	603	} else {
[6055aff]	604	ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
[b1c2b01]	605	"GnuTLS: SNI request for '%s' but no X.509 certs available at all",
	606	s->server_hostname);
	607	}
[3b4c0d0]	608	return check_server_aliases(x, s, tsc);
[c301152]	609	}
	610	#endif
	611
[5342265]	612	mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session)
	613	{
[e183628]	614	int rv;
	615	unsigned int sni_type;
	616	size_t data_len = MAX_HOST_LEN;
	617	char sni_name[MAX_HOST_LEN];
	618	mgs_handle_t *ctxt;
[c301152]	619	#if USING_2_1_RECENT
[e183628]	620	vhost_cb_rec cbx;
[c301152]	621	#else
[e183628]	622	server_rec *s;
	623	mgs_srvconf_rec *tsc;
[c301152]	624	#endif
[7bebb42]	625
[e183628]	626	if (session == NULL)
	627	return NULL;
[368b574]	628
[e183628]	629	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	630	ctxt = gnutls_transport_get_ptr(session);
[7bebb42]	631
[e183628]	632	rv = gnutls_server_name_get(ctxt->session, sni_name,
	633	&data_len, &sni_type, 0);
[7bebb42]	634
[e183628]	635	if (rv != 0) {
	636	return NULL;
	637	}
[7bebb42]	638
[e183628]	639	if (sni_type != GNUTLS_NAME_DNS) {
	640	ap_log_error(APLOG_MARK, APLOG_CRIT, 0,
	641	ctxt->c->base_server,
	642	"GnuTLS: Unknown type '%d' for SNI: "
	643	"'%s'", sni_type, sni_name);
	644	return NULL;
	645	}
[7bebb42]	646
[c301152]	647	/**
	648	* Code in the Core already sets up the c->base_server as the base
	649	* for this IP/Port combo. Trust that the core did the 'right' thing.
	650	*/
	651	#if USING_2_1_RECENT
[e183628]	652	cbx.ctxt = ctxt;
	653	cbx.sc = NULL;
	654	cbx.sni_name = sni_name;
	655
	656	rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
	657	if (rv == 1) {
	658	return cbx.sc;
	659	}
[e02dd8c]	660	#else
[e183628]	661	for (s = ap_server_conf; s; s = s->next) {
	662
[671b64f]	663	tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
[5342265]	664	&gnutls_module);
[671b64f]	665
[b7098b2]	666	if (tsc->enabled != GNUTLS_ENABLED_TRUE) { continue; }
[671b64f]	667
[5342265]	668	if(check_server_aliases(x, s, tsc)) {
	669	return tsc;
	670	}
	671	}
[c301152]	672	#endif
[e183628]	673	return NULL;
[836417f]	674	}
	675
[b429e4c]	676	/*
	677	* This function is intended as a cleanup handler for connections
	678	* using GnuTLS.
	679	*
	680	* @param data must point to the mgs_handle_t associated with the
	681	* connection
	682	*/
	683	static apr_status_t cleanup_gnutls_session(void *data)
	684	{
	685	/* nothing to do */
	686	if (data == NULL)
	687	return APR_SUCCESS;
	688
	689	/* check if session needs closing */
	690	mgs_handle_t ctxt = (mgs_handle_t ) data;
	691	if (ctxt->session != NULL)
	692	{
	693	int ret;
	694	/* Try A Clean Shutdown */
	695	do
	696	ret = gnutls_bye(ctxt->session, GNUTLS_SHUT_WR);
	697	while (ret == GNUTLS_E_INTERRUPTED \|\| ret == GNUTLS_E_AGAIN);
	698	if (ret != GNUTLS_E_SUCCESS)
	699	ap_log_cerror(APLOG_MARK, APLOG_INFO, ret, ctxt->c,
	700	"%s: error while closing TLS %sconnection: %s (%d)",
	701	__func__, IS_PROXY_STR(ctxt),
	702	gnutls_strerror(ret), ret);
	703	else
	704	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, ret, ctxt->c,
	705	"%s: TLS %sconnection closed.",
	706	__func__, IS_PROXY_STR(ctxt));
	707	/* De-Initialize Session */
	708	gnutls_deinit(ctxt->session);
	709	ctxt->session = NULL;
	710	}
	711	return APR_SUCCESS;
	712	}
	713
[e8acf05]	714	static void create_gnutls_handle(conn_rec * c)
	715	{
	716	/* Get mod_gnutls server configuration */
	717	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	718	ap_get_module_config(c->base_server->module_config, &gnutls_module);
[e183628]	719
	720	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
[e8acf05]	721
	722	/* Get connection specific configuration */
	723	mgs_handle_t ctxt = (mgs_handle_t ) ap_get_module_config(c->conn_config, &gnutls_module);
	724	if (ctxt == NULL)
	725	{
	726	ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
	727	ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
[c1ef069]	728	ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
[e8acf05]	729	}
	730	ctxt->enabled = GNUTLS_ENABLED_TRUE;
[e183628]	731	ctxt->c = c;
	732	ctxt->sc = sc;
	733	ctxt->status = 0;
	734	ctxt->input_rc = APR_SUCCESS;
	735	ctxt->input_bb = apr_brigade_create(c->pool, c->bucket_alloc);
	736	ctxt->input_cbuf.length = 0;
	737	ctxt->output_rc = APR_SUCCESS;
	738	ctxt->output_bb = apr_brigade_create(c->pool, c->bucket_alloc);
	739	ctxt->output_blen = 0;
	740	ctxt->output_length = 0;
[e8acf05]	741
[d0be765]	742	/* Initialize GnuTLS Library */
[beb14d9]	743	int err = 0;
	744	if (ctxt->is_proxy == GNUTLS_ENABLED_TRUE)
	745	{
	746	/* this is an outgoing proxy connection, client mode */
	747	err = gnutls_init(&ctxt->session, GNUTLS_CLIENT);
	748	if (err != GNUTLS_E_SUCCESS)
	749	ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
	750	"gnutls_init for proxy connection failed: %s (%d)",
	751	gnutls_strerror(err), err);
	752	err = gnutls_session_ticket_enable_client(ctxt->session);
	753	if (err != GNUTLS_E_SUCCESS)
	754	ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
	755	"gnutls_session_ticket_enable_client failed: %s (%d)",
	756	gnutls_strerror(err), err);
[b429e4c]	757	/* Try to close and deinit the session when the connection
	758	* pool is cleared. Note that mod_proxy might not close
	759	* connections immediately, if you need that, look at the
	760	* "proxy-nokeepalive" environment variable for
	761	* mod_proxy_http. */
	762	apr_pool_pre_cleanup_register(c->pool, ctxt, cleanup_gnutls_session);
[beb14d9]	763	}
	764	else
	765	{
	766	/* incoming connection, server mode */
	767	err = gnutls_init(&ctxt->session, GNUTLS_SERVER);
[e4b58b6]	768	if (err != GNUTLS_E_SUCCESS)
[beb14d9]	769	ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
	770	"gnutls_init for server side failed: %s (%d)",
	771	gnutls_strerror(err), err);
	772	/* Initialize Session Tickets */
	773	if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0)
	774	{
	775	err = gnutls_session_ticket_enable_server(ctxt->session, &session_ticket_key);
	776	if (err != GNUTLS_E_SUCCESS)
	777	ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
	778	"gnutls_session_ticket_enable_server failed: %s (%d)",
	779	gnutls_strerror(err), err);
	780	}
[d0be765]	781	}
[e183628]	782
[d0be765]	783	/* Set Default Priority */
[e4b58b6]	784	err = gnutls_priority_set_direct(ctxt->session, "NORMAL", NULL);
	785	if (err != GNUTLS_E_SUCCESS)
	786	ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c, "gnutls_priority_set_direct failed!");
[d0be765]	787	/* Set Handshake function */
[e183628]	788	gnutls_handshake_set_post_client_hello_function(ctxt->session,
	789	mgs_select_virtual_server_cb);
[beb14d9]	790
[0de1839]	791	/* Set GnuTLS user pointer, so we can access the module session
	792	* context in GnuTLS callbacks */
	793	gnutls_session_set_ptr(ctxt->session, ctxt);
	794
[beb14d9]	795	/* If mod_gnutls is the TLS server, mgs_select_virtual_server_cb
	796	* will load appropriate credentials during handshake. However,
	797	* when handling a proxy backend connection, mod_gnutls acts as
	798	* TLS client and credentials must be loaded here. */
	799	if (ctxt->is_proxy == GNUTLS_ENABLED_TRUE)
	800	{
	801	/* Set anonymous client credentials for proxy connections */
	802	gnutls_credentials_set(ctxt->session, GNUTLS_CRD_ANON,
	803	ctxt->sc->anon_client_creds);
	804	/* Set x509 credentials */
	805	gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE,
[0de1839]	806	ctxt->sc->proxy_x509_creds);
[beb14d9]	807	/* Load priorities from the server configuration */
[f030883]	808	err = gnutls_priority_set(ctxt->session, ctxt->sc->proxy_priorities);
[beb14d9]	809	if (err != GNUTLS_E_SUCCESS)
	810	ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
[f030883]	811	"%s: setting priorities for proxy connection "
	812	"failed: %s (%d)",
[beb14d9]	813	__func__, gnutls_strerror(err), err);
	814	}
	815
[d0be765]	816	/* Initialize Session Cache */
[e183628]	817	mgs_cache_session_init(ctxt);
[671b64f]	818
[33826c5]	819	/* Set pull, push & ptr functions */
	820	gnutls_transport_set_pull_function(ctxt->session,
	821	mgs_transport_read);
	822	gnutls_transport_set_push_function(ctxt->session,
	823	mgs_transport_write);
[9ee0464]	824	gnutls_transport_set_ptr(ctxt->session, ctxt);
[33826c5]	825	/* Add IO filters */
[671b64f]	826	ctxt->input_filter = ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME,
	827	ctxt, NULL, c);
	828	ctxt->output_filter = ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME,
[33826c5]	829	ctxt, NULL, c);
[e183628]	830	}
[e02dd8c]	831
[e8acf05]	832	int mgs_hook_pre_connection(conn_rec * c, void *csd __attribute__((unused)))
	833	{
[e183628]	834	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
[e02dd8c]	835
[e8acf05]	836	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	837	ap_get_module_config(c->base_server->module_config, &gnutls_module);
	838	mgs_handle_t ctxt = (mgs_handle_t )
	839	ap_get_module_config(c->conn_config, &gnutls_module);
[c301152]	840
[07d548d]	841	if ((sc && (!sc->enabled)) \|\| (ctxt && ctxt->enabled == GNUTLS_ENABLED_FALSE))
[e8acf05]	842	{
	843	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s declined connection",
	844	__func__);
[e183628]	845	return DECLINED;
	846	}
[ae4a2b0]	847
[33826c5]	848	create_gnutls_handle(c);
[e183628]	849	return OK;
	850	}
[e02dd8c]	851
[e183628]	852	int mgs_hook_fixups(request_rec * r) {
	853	unsigned char sbuf[GNUTLS_MAX_SESSION_ID];
	854	char buf[AP_IOBUFSIZE];
	855	const char *tmp;
	856	size_t len;
	857	mgs_handle_t *ctxt;
	858	int rv = OK;
[c301152]	859
[e183628]	860	if (r == NULL)
	861	return DECLINED;
[c301152]	862
[e183628]	863	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	864	apr_table_t *env = r->subprocess_env;
[7bebb42]	865
[e8acf05]	866	ctxt = ap_get_module_config(r->connection->conn_config,
	867	&gnutls_module);
[c301152]	868
[e8acf05]	869	if (!ctxt \|\| ctxt->enabled != GNUTLS_ENABLED_TRUE \|\| ctxt->session == NULL)
	870	{
	871	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "request declined in %s", __func__);
[e183628]	872	return DECLINED;
	873	}
[c301152]	874
[e183628]	875	apr_table_setn(env, "HTTPS", "on");
	876
	877	apr_table_setn(env, "SSL_VERSION_LIBRARY",
	878	"GnuTLS/" LIBGNUTLS_VERSION);
	879	apr_table_setn(env, "SSL_VERSION_INTERFACE",
	880	"mod_gnutls/" MOD_GNUTLS_VERSION);
	881
	882	apr_table_setn(env, "SSL_PROTOCOL",
[9720026]	883	gnutls_protocol_get_name(gnutls_protocol_get_version(ctxt->session)));
[e183628]	884
	885	/* should have been called SSL_CIPHERSUITE instead */
	886	apr_table_setn(env, "SSL_CIPHER",
[9720026]	887	gnutls_cipher_suite_get_name(gnutls_kx_get(ctxt->session),
	888	gnutls_cipher_get(ctxt->session),
	889	gnutls_mac_get(ctxt->session)));
[e183628]	890
	891	apr_table_setn(env, "SSL_COMPRESS_METHOD",
[9720026]	892	gnutls_compression_get_name(gnutls_compression_get(ctxt->session)));
[7bebb42]	893
[787dab7]	894	#ifdef ENABLE_SRP
[369f47a]	895	if (ctxt->sc->srp_tpasswd_conf_file != NULL && ctxt->sc->srp_tpasswd_file != NULL) {
	896	tmp = gnutls_srp_server_get_username(ctxt->session);
	897	apr_table_setn(env, "SSL_SRP_USER", (tmp != NULL) ? tmp : "");
	898	} else {
	899	apr_table_unset(env, "SSL_SRP_USER");
	900	}
[787dab7]	901	#endif
[c301152]	902
[e183628]	903	if (apr_table_get(env, "SSL_CLIENT_VERIFY") == NULL)
	904	apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE");
[c301152]	905
[9720026]	906	unsigned int key_size = 8 * gnutls_cipher_get_key_size(gnutls_cipher_get(ctxt->session));
[e183628]	907	tmp = apr_psprintf(r->pool, "%u", key_size);
[c301152]	908
[e183628]	909	apr_table_setn(env, "SSL_CIPHER_USEKEYSIZE", tmp);
[c301152]	910
[e183628]	911	apr_table_setn(env, "SSL_CIPHER_ALGKEYSIZE", tmp);
[c301152]	912
[e183628]	913	apr_table_setn(env, "SSL_CIPHER_EXPORT",
	914	(key_size <= 40) ? "true" : "false");
[7bebb42]	915
[5674676]	916	int dhsize = gnutls_dh_get_prime_bits(ctxt->session);
	917	if (dhsize > 0) {
	918	tmp = apr_psprintf(r->pool, "%d", dhsize);
	919	apr_table_setn(env, "SSL_DH_PRIME_BITS", tmp);
	920	}
	921
[e183628]	922	len = sizeof (sbuf);
	923	gnutls_session_get_id(ctxt->session, sbuf, &len);
	924	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof (buf));
	925	apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp));
[7ba803b]	926
[3b4c0d0]	927	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
[031acac]	928	mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_crt_chain[0], 0, ctxt->sc->export_certificates_size);
	929	} else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) {
	930	mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_crt_pgp[0], 0, ctxt->sc->export_certificates_size);
	931	}
[7bebb42]	932
[e183628]	933	return rv;
[c301152]	934	}
	935
[e183628]	936	int mgs_hook_authz(request_rec * r) {
	937	int rv;
	938	mgs_handle_t *ctxt;
	939	mgs_dirconf_rec *dc;
	940
	941	if (r == NULL)
	942	return DECLINED;
	943
	944	dc = ap_get_module_config(r->per_dir_config, &gnutls_module);
	945
	946	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	947	ctxt =
	948	ap_get_module_config(r->connection->conn_config,
	949	&gnutls_module);
	950
	951	if (!ctxt \|\| ctxt->session == NULL) {
	952	return DECLINED;
	953	}
	954
	955	if (dc->client_verify_mode == GNUTLS_CERT_IGNORE) {
	956	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	957	"GnuTLS: Directory set to Ignore Client Certificate!");
	958	} else {
	959	if (ctxt->sc->client_verify_mode < dc->client_verify_mode) {
	960	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	961	"GnuTLS: Attempting to rehandshake with peer. %d %d",
	962	ctxt->sc->client_verify_mode,
	963	dc->client_verify_mode);
	964
	965	/* If we already have a client certificate, there's no point in
	966	* re-handshaking... */
	967	rv = mgs_cert_verify(r, ctxt);
	968	if (rv != DECLINED && rv != HTTP_FORBIDDEN)
	969	return rv;
	970
	971	gnutls_certificate_server_set_request
	972	(ctxt->session, dc->client_verify_mode);
	973
	974	if (mgs_rehandshake(ctxt) != 0) {
	975	return HTTP_FORBIDDEN;
	976	}
	977	} else if (ctxt->sc->client_verify_mode ==
	978	GNUTLS_CERT_IGNORE) {
[c301152]	979	#if MOD_GNUTLS_DEBUG
[e183628]	980	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	981	"GnuTLS: Peer is set to IGNORE");
[c301152]	982	#endif
[e183628]	983	return DECLINED;
	984	}
	985	rv = mgs_cert_verify(r, ctxt);
[5a8a32b]	986	if (rv != DECLINED
	987	&& (rv != HTTP_FORBIDDEN
	988	\|\| dc->client_verify_mode == GNUTLS_CERT_REQUIRE
	989	\|\| (dc->client_verify_mode == -1
	990	&& ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUIRE)))
	991	{
[e183628]	992	return rv;
	993	}
	994	}
	995
	996	return DECLINED;
[7bebb42]	997	}
	998
	999	/* variables that are not sent by default:
	1000	*
	1001	* SSL_CLIENT_CERT string PEM-encoded client certificate
	1002	* SSL_SERVER_CERT string PEM-encoded client certificate
	1003	*/
[836c2f9]	1004
[7d1ab49]	1005	/* @param side is either 0 for SERVER or 1 for CLIENT
[671b64f]	1006	*
[2aaf4f5]	1007	* @param export_cert_size (int) maximum size for environment variable
	1008	* to use for the PEM-encoded certificate (0 means do not export)
[7bebb42]	1009	*/
[765cac2]	1010	#define MGS_SIDE(suffix) ((side==0) ? "SSL_SERVER" suffix : "SSL_CLIENT" suffix)
[e183628]	1011
[fd82e59]	1012	static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, size_t export_cert_size) {
[e183628]	1013	unsigned char sbuf[64]; /* buffer to hold serials */
	1014	char buf[AP_IOBUFSIZE];
	1015	const char *tmp;
	1016	char *tmp2;
	1017	size_t len;
	1018	int ret, i;
	1019
	1020	if (r == NULL)
	1021	return;
	1022
	1023	apr_table_t *env = r->subprocess_env;
	1024
	1025	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
[2aaf4f5]	1026	if (export_cert_size > 0) {
	1027	len = 0;
	1028	ret = gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, NULL, &len);
	1029	if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
	1030	if (len >= export_cert_size) {
[765cac2]	1031	apr_table_setn(env, MGS_SIDE("_CERT"), "GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED");
[2aaf4f5]	1032	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1033	"GnuTLS: Failed to export too-large X.509 certificate to environment");
	1034	} else {
	1035	char* cert_buf = apr_palloc(r->pool, len + 1);
	1036	if (cert_buf != NULL && gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0) {
	1037	cert_buf[len] = 0;
[765cac2]	1038	apr_table_setn(env, MGS_SIDE("_CERT"), cert_buf);
[2aaf4f5]	1039	} else {
	1040	ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
	1041	"GnuTLS: failed to export X.509 certificate");
	1042	}
	1043	}
	1044	} else {
	1045	ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
	1046	"GnuTLS: dazed and confused about X.509 certificate size");
	1047	}
[7d1ab49]	1048	}
[671b64f]	1049
[e183628]	1050	len = sizeof (buf);
	1051	gnutls_x509_crt_get_dn(cert, buf, &len);
[765cac2]	1052	apr_table_setn(env, MGS_SIDE("_S_DN"), apr_pstrmemdup(r->pool, buf, len));
[e183628]	1053
	1054	len = sizeof (buf);
	1055	gnutls_x509_crt_get_issuer_dn(cert, buf, &len);
[765cac2]	1056	apr_table_setn(env, MGS_SIDE("_I_DN"), apr_pstrmemdup(r->pool, buf, len));
[e183628]	1057
	1058	len = sizeof (sbuf);
	1059	gnutls_x509_crt_get_serial(cert, sbuf, &len);
	1060	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof (buf));
[765cac2]	1061	apr_table_setn(env, MGS_SIDE("_M_SERIAL"), apr_pstrdup(r->pool, tmp));
[e183628]	1062
	1063	ret = gnutls_x509_crt_get_version(cert);
	1064	if (ret > 0)
[765cac2]	1065	apr_table_setn(env, MGS_SIDE("_M_VERSION"),
	1066	apr_psprintf(r->pool, "%u", ret));
[e183628]	1067
[765cac2]	1068	apr_table_setn(env, MGS_SIDE("_CERT_TYPE"), "X.509");
[e183628]	1069
	1070	tmp =
	1071	mgs_time2sz(gnutls_x509_crt_get_expiration_time
	1072	(cert), buf, sizeof (buf));
[765cac2]	1073	apr_table_setn(env, MGS_SIDE("_V_END"), apr_pstrdup(r->pool, tmp));
[e183628]	1074
	1075	tmp =
	1076	mgs_time2sz(gnutls_x509_crt_get_activation_time
	1077	(cert), buf, sizeof (buf));
[765cac2]	1078	apr_table_setn(env, MGS_SIDE("_V_START"), apr_pstrdup(r->pool, tmp));
[e183628]	1079
	1080	ret = gnutls_x509_crt_get_signature_algorithm(cert);
	1081	if (ret >= 0) {
[765cac2]	1082	apr_table_setn(env, MGS_SIDE("_A_SIG"),
[e183628]	1083	gnutls_sign_algorithm_get_name(ret));
	1084	}
	1085
	1086	ret = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
	1087	if (ret >= 0) {
[765cac2]	1088	apr_table_setn(env, MGS_SIDE("_A_KEY"),
[e183628]	1089	gnutls_pk_algorithm_get_name(ret));
	1090	}
	1091
	1092	/* export all the alternative names (DNS, RFC822 and URI) */
	1093	for (i = 0; !(ret < 0); i++) {
[765cac2]	1094	const char san, sanlabel;
[e183628]	1095	len = 0;
	1096	ret = gnutls_x509_crt_get_subject_alt_name(cert, i,
	1097	NULL, &len,
	1098	NULL);
	1099
	1100	if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER && len > 1) {
	1101	tmp2 = apr_palloc(r->pool, len + 1);
	1102
	1103	ret =
	1104	gnutls_x509_crt_get_subject_alt_name(cert, i,
	1105	tmp2,
	1106	&len,
	1107	NULL);
	1108	tmp2[len] = 0;
	1109
[765cac2]	1110	sanlabel = apr_psprintf(r->pool, "%s%u", MGS_SIDE("_S_AN"), i);
[e183628]	1111	if (ret == GNUTLS_SAN_DNSNAME) {
[765cac2]	1112	san = apr_psprintf(r->pool, "DNSNAME:%s", tmp2);
[e183628]	1113	} else if (ret == GNUTLS_SAN_RFC822NAME) {
[765cac2]	1114	san = apr_psprintf(r->pool, "RFC822NAME:%s", tmp2);
[e183628]	1115	} else if (ret == GNUTLS_SAN_URI) {
[765cac2]	1116	san = apr_psprintf(r->pool, "URI:%s", tmp2);
[e183628]	1117	} else {
[765cac2]	1118	san = "UNSUPPORTED";
[e183628]	1119	}
[765cac2]	1120	apr_table_setn(env, sanlabel, san);
[e183628]	1121	}
	1122	}
[e5bbda4]	1123	}
[7bebb42]	1124
[7d1ab49]	1125
	1126	/* @param side 0: server, 1: client
[671b64f]	1127	*
[2aaf4f5]	1128	* @param export_cert_size (int) maximum size for environment variable
	1129	* to use for the PEM-encoded certificate (0 means do not export)
[7d1ab49]	1130	*/
[fd82e59]	1131	static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, size_t export_cert_size) {
[3b4c0d0]	1132
	1133	unsigned char sbuf[64]; /* buffer to hold serials */
[e183628]	1134	char buf[AP_IOBUFSIZE];
	1135	const char *tmp;
	1136	size_t len;
	1137	int ret;
	1138
	1139	if (r == NULL)
	1140	return;
	1141
	1142	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	1143	apr_table_t *env = r->subprocess_env;
	1144
[2aaf4f5]	1145	if (export_cert_size > 0) {
	1146	len = 0;
	1147	ret = gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, NULL, &len);
	1148	if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
	1149	if (len >= export_cert_size) {
[765cac2]	1150	apr_table_setn(env, MGS_SIDE("_CERT"),
[2aaf4f5]	1151	"GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED");
	1152	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1153	"GnuTLS: Failed to export too-large OpenPGP certificate to environment");
	1154	} else {
	1155	char* cert_buf = apr_palloc(r->pool, len + 1);
	1156	if (cert_buf != NULL && gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0) {
	1157	cert_buf[len] = 0;
[765cac2]	1158	apr_table_setn(env, MGS_SIDE("_CERT"), cert_buf);
[2aaf4f5]	1159	} else {
	1160	ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
	1161	"GnuTLS: failed to export OpenPGP certificate");
	1162	}
	1163	}
	1164	} else {
	1165	ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
	1166	"GnuTLS: dazed and confused about OpenPGP certificate size");
	1167	}
[7d1ab49]	1168	}
	1169
[e183628]	1170	len = sizeof (buf);
	1171	gnutls_openpgp_crt_get_name(cert, 0, buf, &len);
[765cac2]	1172	apr_table_setn(env, MGS_SIDE("_NAME"), apr_pstrmemdup(r->pool, buf, len));
[e183628]	1173
	1174	len = sizeof (sbuf);
	1175	gnutls_openpgp_crt_get_fingerprint(cert, sbuf, &len);
	1176	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof (buf));
[765cac2]	1177	apr_table_setn(env, MGS_SIDE("_FINGERPRINT"), apr_pstrdup(r->pool, tmp));
[e183628]	1178
	1179	ret = gnutls_openpgp_crt_get_version(cert);
	1180	if (ret > 0)
[765cac2]	1181	apr_table_setn(env, MGS_SIDE("_M_VERSION"),
	1182	apr_psprintf(r->pool, "%u", ret));
[e183628]	1183
[765cac2]	1184	apr_table_setn(env, MGS_SIDE("_CERT_TYPE"), "OPENPGP");
[e183628]	1185
	1186	tmp =
	1187	mgs_time2sz(gnutls_openpgp_crt_get_expiration_time
	1188	(cert), buf, sizeof (buf));
[765cac2]	1189	apr_table_setn(env, MGS_SIDE("_V_END"), apr_pstrdup(r->pool, tmp));
[e183628]	1190
	1191	tmp =
	1192	mgs_time2sz(gnutls_openpgp_crt_get_creation_time
	1193	(cert), buf, sizeof (buf));
[765cac2]	1194	apr_table_setn(env, MGS_SIDE("_V_START"), apr_pstrdup(r->pool, tmp));
[e183628]	1195
	1196	ret = gnutls_openpgp_crt_get_pk_algorithm(cert, NULL);
	1197	if (ret >= 0) {
[765cac2]	1198	apr_table_setn(env, MGS_SIDE("_A_KEY"), gnutls_pk_algorithm_get_name(ret));
[e183628]	1199	}
[e5bbda4]	1200
	1201	}
	1202
[2b3a248b]	1203	/* TODO: Allow client sending a X.509 certificate chain */
[e183628]	1204	static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) {
	1205	const gnutls_datum_t *cert_list;
[99f8375]	1206	unsigned int cert_list_size;
	1207	/* assume the certificate is invalid unless explicitly set
	1208	* otherwise */
	1209	unsigned int status = GNUTLS_CERT_INVALID;
[e183628]	1210	int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret;
	1211	unsigned int ch_size = 0;
	1212
	1213	union {
	1214	gnutls_x509_crt_t x509[MAX_CHAIN_SIZE];
	1215	gnutls_openpgp_crt_t pgp;
	1216	} cert;
	1217	apr_time_t expiration_time, cur_time;
	1218
	1219	if (r == NULL \|\| ctxt == NULL \|\| ctxt->session == NULL)
	1220	return HTTP_FORBIDDEN;
	1221
	1222	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	1223	cert_list =
	1224	gnutls_certificate_get_peers(ctxt->session, &cert_list_size);
	1225
	1226	if (cert_list == NULL \|\| cert_list_size == 0) {
	1227	/* It is perfectly OK for a client not to send a certificate if on REQUEST mode
	1228	*/
	1229	if (ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUEST)
	1230	return OK;
	1231
	1232	/* no certificate provided by the client, but one was required. */
	1233	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1234	"GnuTLS: Failed to Verify Peer: "
	1235	"Client did not submit a certificate");
	1236	return HTTP_FORBIDDEN;
	1237	}
	1238
	1239	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
	1240	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	1241	"GnuTLS: A Chain of %d certificate(s) was provided for validation",
	1242	cert_list_size);
	1243
	1244	for (ch_size = 0; ch_size < cert_list_size; ch_size++) {
	1245	gnutls_x509_crt_init(&cert.x509[ch_size]);
	1246	rv = gnutls_x509_crt_import(cert.x509[ch_size],
	1247	&cert_list[ch_size],
	1248	GNUTLS_X509_FMT_DER);
	1249	// When failure to import, leave the loop
	1250	if (rv != GNUTLS_E_SUCCESS) {
	1251	if (ch_size < 1) {
	1252	ap_log_rerror(APLOG_MARK,
	1253	APLOG_INFO, 0, r,
	1254	"GnuTLS: Failed to Verify Peer: "
	1255	"Failed to import peer certificates.");
	1256	ret = HTTP_FORBIDDEN;
	1257	goto exit;
	1258	}
	1259	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1260	"GnuTLS: Failed to import some peer certificates. Using %d certificates",
	1261	ch_size);
	1262	rv = GNUTLS_E_SUCCESS;
	1263	break;
	1264	}
	1265	}
[07889ab]	1266	} else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) {
[e183628]	1267	if (cert_list_size > 1) {
	1268	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1269	"GnuTLS: Failed to Verify Peer: "
	1270	"Chained Client Certificates are not supported.");
	1271	return HTTP_FORBIDDEN;
	1272	}
	1273
	1274	gnutls_openpgp_crt_init(&cert.pgp);
	1275	rv = gnutls_openpgp_crt_import(cert.pgp, &cert_list[0],
	1276	GNUTLS_OPENPGP_FMT_RAW);
	1277
	1278	} else
	1279	return HTTP_FORBIDDEN;
	1280
	1281	if (rv < 0) {
	1282	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1283	"GnuTLS: Failed to Verify Peer: "
	1284	"Failed to import peer certificates.");
	1285	ret = HTTP_FORBIDDEN;
	1286	goto exit;
	1287	}
	1288
	1289	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
	1290	apr_time_ansi_put(&expiration_time,
	1291	gnutls_x509_crt_get_expiration_time
	1292	(cert.x509[0]));
	1293
	1294	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
[5c0d491]	1295	"GnuTLS: Verifying list of %d certificate(s) via method '%s'",
	1296	ch_size, mgs_readable_cvm(ctxt->sc->client_verify_method));
	1297	switch(ctxt->sc->client_verify_method) {
	1298	case mgs_cvm_cartel:
	1299	rv = gnutls_x509_crt_list_verify(cert.x509, ch_size,
	1300	ctxt->sc->ca_list,
	1301	ctxt->sc->ca_list_size,
	1302	NULL, 0, 0, &status);
	1303	break;
	1304	#ifdef ENABLE_MSVA
	1305	case mgs_cvm_msva:
	1306	{
[a01f8ab]	1307	struct msv_response* resp = NULL;
	1308	struct msv_query q = { .context="https", .peertype="client", .pkctype="x509pem" };
	1309	msv_ctxt_t ctx = msv_ctxt_init(NULL);
[5c0d491]	1310	char cert_pem_buf[10 * 1024];
	1311	size_t len = sizeof (cert_pem_buf);
	1312
	1313	rv = 0;
	1314	if (gnutls_x509_crt_export(cert.x509[0], GNUTLS_X509_FMT_PEM, cert_pem_buf, &len) >= 0) {
	1315	/* FIXME : put together a name from the cert we received, instead of hard-coding this value: */
[a01f8ab]	1316	q.peername = mgs_x509_construct_uid(r, cert.x509[0]);
	1317	q.pkcdata = cert_pem_buf;
	1318	rv = msv_query_agent(ctx, q, &resp);
[5c0d491]	1319	if (rv == LIBMSV_ERROR_SUCCESS) {
	1320	status = 0;
	1321	} else if (rv == LIBMSV_ERROR_INVALID) {
	1322	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
[a01f8ab]	1323	"GnuTLS: Monkeysphere validation failed: (message: %s)", resp->message);
[5c0d491]	1324	status = GNUTLS_CERT_INVALID;
	1325	} else {
	1326	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
[a01f8ab]	1327	"GnuTLS: Error communicating with the Monkeysphere Validation Agent: (%d) %s", rv, msv_strerror(ctx, rv));
[5c0d491]	1328	status = GNUTLS_CERT_INVALID;
	1329	rv = -1;
[671b64f]	1330	}
[5c0d491]	1331	} else {
	1332	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1333	"GnuTLS: Could not convert the client certificate to PEM format");
	1334	status = GNUTLS_CERT_INVALID;
	1335	rv = GNUTLS_E_ASN1_ELEMENT_NOT_FOUND;
	1336	}
[a01f8ab]	1337	msv_response_destroy(resp);
	1338	msv_ctxt_destroy(ctx);
[5c0d491]	1339	}
	1340	break;
	1341	#endif
	1342	default:
[99f8375]	1343	/* If this block is reached, that indicates a
	1344	* configuration error or bug in mod_gnutls (invalid value
	1345	* of ctxt->sc->client_verify_method). */
[5c0d491]	1346	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1347	"GnuTLS: Failed to Verify X.509 Peer: method '%s' is not supported",
	1348	mgs_readable_cvm(ctxt->sc->client_verify_method));
[99f8375]	1349	rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
[5c0d491]	1350	}
[671b64f]	1351
[e183628]	1352	} else {
	1353	apr_time_ansi_put(&expiration_time,
	1354	gnutls_openpgp_crt_get_expiration_time
	1355	(cert.pgp));
	1356
[5c0d491]	1357	switch(ctxt->sc->client_verify_method) {
	1358	case mgs_cvm_cartel:
	1359	rv = gnutls_openpgp_crt_verify_ring(cert.pgp,
	1360	ctxt->sc->pgp_list, 0,
	1361	&status);
	1362	break;
	1363	#ifdef ENABLE_MSVA
	1364	case mgs_cvm_msva:
	1365	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1366	"GnuTLS: OpenPGP verification via MSVA is not yet implemented");
	1367	rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
	1368	break;
	1369	#endif
	1370	default:
[99f8375]	1371	/* If this block is reached, that indicates a
	1372	* configuration error or bug in mod_gnutls (invalid value
	1373	* of ctxt->sc->client_verify_method). */
[5c0d491]	1374	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1375	"GnuTLS: Failed to Verify OpenPGP Peer: method '%s' is not supported",
	1376	mgs_readable_cvm(ctxt->sc->client_verify_method));
[99f8375]	1377	rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
[5c0d491]	1378	}
[e183628]	1379	}
	1380
[99f8375]	1381	/* "goto exit" at the end of this block skips evaluation of the
	1382	* "status" variable */
[e183628]	1383	if (rv < 0) {
	1384	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1385	"GnuTLS: Failed to Verify Peer certificate: (%d) %s",
	1386	rv, gnutls_strerror(rv));
	1387	if (rv == GNUTLS_E_NO_CERTIFICATE_FOUND)
	1388	ap_log_rerror(APLOG_MARK, APLOG_EMERG, 0, r,
	1389	"GnuTLS: No certificate was found for verification. Did you set the GnuTLSX509CAFile or GnuTLSPGPKeyringFile directives?");
	1390	ret = HTTP_FORBIDDEN;
	1391	goto exit;
	1392	}
	1393
	1394	/* TODO: X509 CRL Verification. */
	1395	/* May add later if anyone needs it.
	1396	*/
	1397	/* ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); */
	1398
	1399	cur_time = apr_time_now();
	1400
	1401	if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
	1402	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1403	"GnuTLS: Could not find Signer for Peer Certificate");
	1404	}
	1405
	1406	if (status & GNUTLS_CERT_SIGNER_NOT_CA) {
	1407	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1408	"GnuTLS: Peer's Certificate signer is not a CA");
	1409	}
	1410
	1411	if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
	1412	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1413	"GnuTLS: Peer's Certificate is using insecure algorithms");
	1414	}
	1415
	1416	if (status & GNUTLS_CERT_EXPIRED
	1417	\|\| status & GNUTLS_CERT_NOT_ACTIVATED) {
	1418	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1419	"GnuTLS: Peer's Certificate signer is expired or not yet activated");
	1420	}
	1421
	1422	if (status & GNUTLS_CERT_INVALID) {
	1423	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1424	"GnuTLS: Peer Certificate is invalid.");
	1425	} else if (status & GNUTLS_CERT_REVOKED) {
	1426	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1427	"GnuTLS: Peer Certificate is revoked.");
	1428	}
	1429
	1430	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
[2aaf4f5]	1431	mgs_add_common_cert_vars(r, cert.x509[0], 1, ctxt->sc->export_certificates_size);
[7d1ab49]	1432	else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP)
[2aaf4f5]	1433	mgs_add_common_pgpcert_vars(r, cert.pgp, 1, ctxt->sc->export_certificates_size);
[e183628]	1434
	1435	{
	1436	/* days remaining */
	1437	unsigned long remain =
	1438	(apr_time_sec(expiration_time) -
	1439	apr_time_sec(cur_time)) / 86400;
	1440	apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN",
	1441	apr_psprintf(r->pool, "%lu", remain));
	1442	}
	1443
	1444	if (status == 0) {
	1445	apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY",
	1446	"SUCCESS");
	1447	ret = OK;
	1448	} else {
	1449	apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY",
	1450	"FAILED");
	1451	if (ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUEST)
	1452	ret = OK;
	1453	else
	1454	ret = HTTP_FORBIDDEN;
	1455	}
	1456
	1457	exit:
	1458	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
[fd82e59]	1459	unsigned int i;
[e183628]	1460	for (i = 0; i < ch_size; i++) {
	1461	gnutls_x509_crt_deinit(cert.x509[i]);
	1462	}
	1463	} else if (gnutls_certificate_type_get(ctxt->session) ==
	1464	GNUTLS_CRT_OPENPGP)
	1465	gnutls_openpgp_crt_deinit(cert.pgp);
	1466	return ret;
[7bebb42]	1467
	1468
[9ee0464]	1469	}
[832182b]	1470
[fd82e59]	1471	#ifdef ENABLE_MSVA
	1472	/* this section of code is used only when trying to talk to the MSVA */
[832182b]	1473	static const char* mgs_x509_leaf_oid_from_dn(apr_pool_t pool, const char oid, gnutls_x509_crt_t cert) {
	1474	int rv=GNUTLS_E_SUCCESS, i;
	1475	size_t sz=0, lastsz=0;
	1476	char* data=NULL;
	1477
	1478	i = -1;
	1479	while(rv != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
	1480	i++;
	1481	lastsz=sz;
	1482	sz=0;
	1483	rv = gnutls_x509_crt_get_dn_by_oid (cert, oid, i, 0, NULL, &sz);
	1484	}
	1485	if (i > 0) {
	1486	data = apr_palloc(pool, lastsz);
	1487	sz=lastsz;
	1488	rv = gnutls_x509_crt_get_dn_by_oid (cert, oid, i-1, 0, data, &sz);
	1489	if (rv == GNUTLS_E_SUCCESS)
	1490	return data;
	1491	}
	1492	return NULL;
	1493	}
	1494
	1495	static const char* mgs_x509_first_type_from_san(apr_pool_t *pool, gnutls_x509_subject_alt_name_t target, gnutls_x509_crt_t cert) {
	1496	int rv=GNUTLS_E_SUCCESS;
	1497	size_t sz;
	1498	char* data=NULL;
	1499	unsigned int i;
	1500	gnutls_x509_subject_alt_name_t thistype;
	1501
	1502	i = 0;
	1503	while(rv != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
	1504	sz = 0;
	1505	rv = gnutls_x509_crt_get_subject_alt_name2(cert, i, NULL, &sz, &thistype, NULL);
	1506	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && thistype == target) {
	1507	data = apr_palloc(pool, sz);
	1508	rv = gnutls_x509_crt_get_subject_alt_name2(cert, i, data, &sz, &thistype, NULL);
[fd82e59]	1509	if (rv >=0 && (thistype == target))
[832182b]	1510	return data;
	1511	}
	1512	i++;
	1513	}
	1514	return NULL;
	1515	}
	1516
[fd82e59]	1517
[832182b]	1518	/* Create a string representing a candidate User ID from an X.509
	1519	* certificate
	1520
	1521	* We need this for client certification because a client gives us a
	1522	* certificate, but doesn't tell us (in any other way) who they are
	1523	* trying to authenticate as.
	1524
	1525	* TODO: we might need another parallel for OpenPGP, but for that it's
	1526	* much simpler: we can just assume that the first User ID marked as
	1527	* "primary" (or the first User ID, period) is the identity the user
	1528	* is trying to present as.
	1529
	1530	* one complaint might be "but the user wanted to be another identity,
	1531	* which is also in the certificate (e.g. in a SubjectAltName)"
	1532	* However, given that any user can regenerate their own X.509
	1533	* certificate with their own public key content, they should just do
	1534	* so, and not expect us to guess at their identity :)
	1535
	1536	* This function allocates it's response from the pool given it. When
	1537	* that pool is reclaimed, the response will also be deallocated.
	1538
	1539	* FIXME: what about extracting a server-style cert
	1540	* (e.g. https://imposter.example) from the DN or any sAN?
	1541
	1542	* FIXME: what if we want to call this outside the context of a
	1543	* request? That complicates the logging.
	1544	*/
	1545	static const char* mgs_x509_construct_uid(request_rec *r, gnutls_x509_crt_t cert) {
	1546	/* basic strategy, assuming humans are the users: we are going to
	1547	* try to reconstruct a "conventional" User ID by pulling in a
	1548	* name, comment, and e-mail address.
	1549	*/
	1550	apr_pool_t *pool = r->pool;
	1551	const char name=NULL, comment=NULL, *email=NULL;
	1552	const char *ret=NULL;
	1553	/* subpool for temporary allocation: */
	1554	apr_pool_t *sp=NULL;
	1555
[671b64f]	1556	if (APR_SUCCESS != apr_pool_create(&sp, pool))
[832182b]	1557	return NULL; /* i'm assuming that libapr would log this kind
	1558	* of error on its own */
	1559
	1560	/* Name
[671b64f]	1561
[832182b]	1562	the name comes from the leaf commonName of the cert's Subject.
[671b64f]	1563
[832182b]	1564	(MAYBE: should we look at trying to assemble a candidate from
	1565	givenName, surName, suffix, etc? the "name" field
	1566	appears to be case-insensitive, which seems problematic
	1567	from what we expect; see:
	1568	http://www.itu.int/rec/T-REC-X.520-200102-s/e )
	1569
	1570	(MAYBE: should we try pulling a commonName or otherName or
	1571	something from subjectAltName? see:
	1572	https://tools.ietf.org/html/rfc5280#section-4.2.1.6
	1573	GnuTLS does not support looking for Common Names in the
	1574	SAN yet)
	1575	*/
	1576	name = mgs_x509_leaf_oid_from_dn(sp, GNUTLS_OID_X520_COMMON_NAME, cert);
	1577
	1578	/* Comment
	1579
	1580	I am inclined to punt on this for now, as Comment has been so
	1581	atrociously misused in OpenPGP. Perhaps if there is a
	1582	pseudonym (OID 2.5.4.65, aka GNUTLS_OID_X520_PSEUDONYM) field
	1583	in the subject or sAN?
	1584	*/
	1585	comment = mgs_x509_leaf_oid_from_dn(sp, GNUTLS_OID_X520_PSEUDONYM, cert);
	1586
	1587	/* E-mail
	1588
	1589	This should be the the first rfc822Name from the sAN.
	1590
[b55bf71]	1591	failing that, we'll take the leaf email in the certificate's
	1592	subject; this is a deprecated use though.
[832182b]	1593	*/
	1594	email = mgs_x509_first_type_from_san(sp, GNUTLS_SAN_RFC822NAME, cert);
[b55bf71]	1595	if (email == NULL)
	1596	email = mgs_x509_leaf_oid_from_dn(sp, GNUTLS_OID_PKCS9_EMAIL, cert);
[832182b]	1597
	1598	/* assemble all the parts: */
	1599
	1600	/* must have at least a name or an e-mail. */
	1601	if (name == NULL && email == NULL) {
	1602	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	1603	"GnuTLS: Need either a name or an e-mail address to get a User ID from an X.509 certificate.");
	1604	goto end;
	1605	}
	1606	if (name) {
	1607	if (comment) {
	1608	if (email) {
	1609	ret = apr_psprintf(pool, "%s (%s) <%s>", name, comment, email);
	1610	} else {
	1611	ret = apr_psprintf(pool, "%s (%s)", name, comment);
	1612	}
	1613	} else {
	1614	if (email) {
	1615	ret = apr_psprintf(pool, "%s <%s>", name, email);
	1616	} else {
	1617	ret = apr_pstrdup(pool, name);
	1618	}
	1619	}
	1620	} else {
	1621	if (comment) {
	1622	ret = apr_psprintf(pool, "(%s) <%s>", comment, email);
	1623	} else {
	1624	ret = apr_psprintf(pool, "<%s>", email);
	1625	}
	1626	}
	1627
	1628	end:
	1629	apr_pool_destroy(sp);
	1630	return ret;
	1631	}
[fd82e59]	1632	#endif /* ENABLE_MSVA */
[b4739cd]	1633
[fd82e59]	1634	static int mgs_status_hook(request_rec *r, int flags __attribute__((unused)))
[b4739cd]	1635	{
	1636	mgs_srvconf_rec *sc;
	1637
	1638	if (r == NULL)
	1639	return OK;
	1640
	1641	sc = (mgs_srvconf_rec *) ap_get_module_config(r->server->module_config, &gnutls_module);
	1642
	1643	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
	1644
	1645	ap_rputs("<hr>\n", r);
	1646	ap_rputs("<h2>GnuTLS Information:</h2>\n<dl>\n", r);
	1647
	1648	ap_rprintf(r, "<dt>GnuTLS version:</dt><dd>%s</dd>\n", gnutls_check_version(NULL));
	1649	ap_rputs("<dt>Built against:</dt><dd>" GNUTLS_VERSION "</dd>\n", r);
	1650	ap_rprintf(r, "<dt>using TLS:</dt><dd>%s</dd>\n", (sc->enabled == GNUTLS_ENABLED_FALSE ? "no" : "yes"));
	1651	if (sc->enabled != GNUTLS_ENABLED_FALSE) {
	1652	mgs_handle_t* ctxt;
	1653	ctxt = ap_get_module_config(r->connection->conn_config, &gnutls_module);
	1654	if (ctxt && ctxt->session != NULL) {
[46de753]	1655	#if GNUTLS_VERSION_MAJOR < 3
	1656	ap_rprintf(r, "<dt>This TLS Session:</dt><dd>%s</dd>\n",
	1657	gnutls_cipher_suite_get_name(gnutls_kx_get(ctxt->session),
	1658	gnutls_cipher_get(ctxt->session),
	1659	gnutls_mac_get(ctxt->session)));
	1660	#else
	1661	char* z = NULL;
[b4739cd]	1662	z = gnutls_session_get_desc(ctxt->session);
	1663	if (z) {
	1664	ap_rprintf(r, "<dt>This TLS Session:</dt><dd>%s</dd>\n", z);
	1665	gnutls_free(z);
	1666	}
[46de753]	1667	#endif
[b4739cd]	1668	}
	1669	}
	1670
	1671	ap_rputs("</dl>\n", r);
	1672	return OK;
	1673	}
	1674
[0de1839]	1675
	1676
	1677	/*
	1678	* Callback to check the server certificate for proxy HTTPS
	1679	* connections, to be used with
	1680	* gnutls_certificate_set_verify_function.
	1681
	1682	* Returns: 0 if certificate check was successful (certificate
	1683	* trusted), non-zero otherwise (error during check or untrusted
	1684	* certificate).
	1685	*/
	1686	static int gtls_check_server_cert(gnutls_session_t session)
	1687	{
	1688	mgs_handle_t ctxt = (mgs_handle_t ) gnutls_session_get_ptr(session);
	1689	unsigned int status;
	1690
[6bbc00a]	1691	/* Get peer hostname from a note left by mod_proxy */
	1692	const char *peer_hostname =
	1693	apr_table_get(ctxt->c->notes, "proxy-request-hostname");
	1694	if (peer_hostname == NULL)
	1695	ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, ctxt->c,
	1696	"%s: proxy-request-hostname is NULL, cannot check "
	1697	"peer's hostname", __func__);
	1698
	1699	/* Verify certificate, including hostname match. Should
	1700	* peer_hostname be NULL for some reason, the name is not
	1701	* checked. */
	1702	int err = gnutls_certificate_verify_peers3(session, peer_hostname,
	1703	&status);
[0de1839]	1704	if (err != GNUTLS_E_SUCCESS)
	1705	{
	1706	ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, ctxt->c,
	1707	"%s: server certificate check failed: %s (%d)",
	1708	__func__, gnutls_strerror(err), err);
	1709	return err;
	1710	}
	1711
	1712	gnutls_datum_t * out = gnutls_malloc(sizeof(gnutls_datum_t));
	1713	/* GNUTLS_CRT_X509: ATM, only X509 is supported for proxy certs
	1714	* 0: according to function API, the last argument should be 0 */
	1715	err = gnutls_certificate_verification_status_print(status, GNUTLS_CRT_X509,
	1716	out, 0);
	1717	if (err != GNUTLS_E_SUCCESS)
	1718	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,
	1719	"%s: server verify print failed: %s (%d)",
	1720	__func__, gnutls_strerror(err), err);
	1721	else
	1722	{
	1723	/* If the certificate is trusted, logging the result is just
	1724	* nice for debugging. But if the back end server provided an
	1725	* untrusted certificate, warn! */
	1726	int level = (status == 0 ? APLOG_DEBUG : APLOG_WARNING);
	1727	ap_log_cerror(APLOG_MARK, level, 0, ctxt->c,
	1728	"%s: server certificate verify result: %s",
	1729	__func__, out->data);
	1730	}
	1731
	1732	gnutls_free(out);
	1733	return status;
	1734	}
	1735
	1736
	1737
[8b472af]	1738	static apr_status_t load_proxy_x509_credentials(server_rec *s)
[0de1839]	1739	{
	1740	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	1741	ap_get_module_config(s->module_config, &gnutls_module);
	1742
	1743	if (sc == NULL)
	1744	return APR_EGENERAL;
	1745
[8b472af]	1746	apr_status_t ret = APR_SUCCESS;
[0de1839]	1747	int err = GNUTLS_E_SUCCESS;
[bd24203]	1748
[8b472af]	1749	/* Function pool, gets destroyed before exit. */
	1750	apr_pool_t *pool;
	1751	ret = apr_pool_create(&pool, s->process->pool);
	1752	if (ret != APR_SUCCESS)
	1753	{
	1754	ap_log_error(APLOG_MARK, APLOG_ERR, ret, s,
	1755	"%s: failed to allocate function memory pool.", __func__);
	1756	return ret;
	1757	}
	1758
[2cde026d]	1759	/* allocate credentials structures */
	1760	err = gnutls_certificate_allocate_credentials(&sc->proxy_x509_creds);
	1761	if (err != GNUTLS_E_SUCCESS)
	1762	{
	1763	ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
	1764	"%s: Failed to initialize proxy credentials: (%d) %s",
	1765	__func__, err, gnutls_strerror(err));
	1766	return APR_EGENERAL;
	1767	}
	1768	err = gnutls_anon_allocate_client_credentials(&sc->anon_client_creds);
	1769	if (err != GNUTLS_E_SUCCESS)
	1770	{
	1771	ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
	1772	"%s: Failed to initialize anon credentials for proxy: "
	1773	"(%d) %s", __func__, err, gnutls_strerror(err));
	1774	return APR_EGENERAL;
	1775	}
	1776
[4133f2d]	1777	/* Check if the proxy priorities have been set, fail immediately
	1778	* if not */
	1779	if (sc->proxy_priorities_str == NULL)
	1780	{
	1781	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	1782	"Host '%s:%d' is missing the GnuTLSProxyPriorities "
	1783	"directive!",
	1784	s->server_hostname, s->port);
	1785	return APR_EGENERAL;
	1786	}
	1787	/* parse proxy priorities */
	1788	const char *err_pos = NULL;
	1789	err = gnutls_priority_init(&sc->proxy_priorities,
	1790	sc->proxy_priorities_str, &err_pos);
	1791	if (err != GNUTLS_E_SUCCESS)
	1792	{
	1793	if (ret == GNUTLS_E_INVALID_REQUEST)
	1794	ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
	1795	"%s: Syntax error parsing proxy priorities "
	1796	"string at: %s",
	1797	__func__, err_pos);
	1798	else
	1799	ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
	1800	"Error setting proxy priorities: %s (%d)",
	1801	gnutls_strerror(err), err);
	1802	ret = APR_EGENERAL;
	1803	}
	1804
[bd24203]	1805	/* load certificate and key for client auth, if configured */
[0de1839]	1806	if (sc->proxy_x509_key_file && sc->proxy_x509_cert_file)
	1807	{
[8b472af]	1808	char* cert_file = ap_server_root_relative(pool,
	1809	sc->proxy_x509_cert_file);
	1810	char* key_file = ap_server_root_relative(pool,
	1811	sc->proxy_x509_key_file);
[0de1839]	1812	err = gnutls_certificate_set_x509_key_file(sc->proxy_x509_creds,
[8b472af]	1813	cert_file,
	1814	key_file,
[0de1839]	1815	GNUTLS_X509_FMT_PEM);
	1816	if (err != GNUTLS_E_SUCCESS)
	1817	{
	1818	ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
	1819	"%s: loading proxy client credentials failed: %s (%d)",
	1820	__func__, gnutls_strerror(err), err);
	1821	ret = APR_EGENERAL;
	1822	}
	1823	}
	1824	else if (!sc->proxy_x509_key_file && sc->proxy_x509_cert_file)
	1825	{
	1826	ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
	1827	"%s: proxy key file not set!", __func__);
	1828	ret = APR_EGENERAL;
	1829	}
	1830	else if (!sc->proxy_x509_cert_file && sc->proxy_x509_key_file)
	1831	{
	1832	ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
	1833	"%s: proxy certificate file not set!", __func__);
	1834	ret = APR_EGENERAL;
	1835	}
	1836	else
	1837	/* if both key and cert are NULL, client auth is not used */
[8b472af]	1838	ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
[0de1839]	1839	"%s: no client credentials for proxy", __func__);
	1840
	1841	/* must be set if the server certificate is to be checked */
	1842	if (sc->proxy_x509_ca_file)
	1843	{
[bd24203]	1844	/* initialize the trust list */
	1845	err = gnutls_x509_trust_list_init(&sc->proxy_x509_tl, 0);
	1846	if (err != GNUTLS_E_SUCCESS)
	1847	{
	1848	ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
	1849	"%s: gnutls_x509_trust_list_init failed: %s (%d)",
	1850	__func__, gnutls_strerror(err), err);
	1851	ret = APR_EGENERAL;
	1852	}
	1853
[8b472af]	1854	char* ca_file = ap_server_root_relative(pool,
	1855	sc->proxy_x509_ca_file);
	1856	/* if no CRL is used, sc->proxy_x509_crl_file is NULL */
	1857	char* crl_file = NULL;
	1858	if (sc->proxy_x509_crl_file)
	1859	crl_file = ap_server_root_relative(pool,
	1860	sc->proxy_x509_crl_file);
	1861
[bd24203]	1862	/* returns number of loaded elements */
	1863	err = gnutls_x509_trust_list_add_trust_file(sc->proxy_x509_tl,
[8b472af]	1864	ca_file,
	1865	crl_file,
[bd24203]	1866	GNUTLS_X509_FMT_PEM,
	1867	0 /* tl_flags */,
	1868	0 /* tl_vflags */);
[7d2123d]	1869	if (err > 0)
[0de1839]	1870	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
[bd24203]	1871	"%s: proxy CA trust list: %d structures loaded",
[0de1839]	1872	__func__, err);
[7d2123d]	1873	else if (err == 0)
	1874	ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
	1875	"%s: proxy CA trust list is empty (%d)",
	1876	__func__, err);
	1877	else /* err < 0 */
[8b472af]	1878	{
[7d2123d]	1879	ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
	1880	"%s: error loading proxy CA trust list: %s (%d)",
	1881	__func__, gnutls_strerror(err), err);
[8b472af]	1882	ret = APR_EGENERAL;
	1883	}
[bd24203]	1884
	1885	/* attach trust list to credentials */
	1886	gnutls_certificate_set_trust_list(sc->proxy_x509_creds,
	1887	sc->proxy_x509_tl, 0);
[0de1839]	1888	}
	1889	else
	1890	ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
[bd24203]	1891	"%s: no CA trust list for proxy connections, "
[0de1839]	1892	"TLS connections will fail!", __func__);
	1893
	1894	gnutls_certificate_set_verify_function(sc->proxy_x509_creds,
	1895	gtls_check_server_cert);
[8b472af]	1896	apr_pool_destroy(pool);
[0de1839]	1897	return ret;
	1898	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: mod_gnutls/src/gnutls_hooks.c @ 99f8375

Download in other formats: