Context Navigation

source: mod_gnutls/src/gnutls_hooks.c @ b59327c

Visit:

asynciodebian/masterdebian/stretch-backportsjessie-backportsmainmsvaproxy-ticketupstream

Last change on this file since b59327c was b59327c, checked in by Nikos Mavrogiannopoulos <nmav@…>, 12 years ago
GnuTLSCache can now take a single argument (none).
Property mode set to `100644`
File size: 35.5 KB

Line
1	/**
2	* Copyright 2004-2005 Paul Querna
3	* Copyright 2007 Nikos Mavrogiannopoulos
4	*
5	* Licensed under the Apache License, Version 2.0 (the "License");
6	* you may not use this file except in compliance with the License.
7	* You may obtain a copy of the License at
8	*
9	* http://www.apache.org/licenses/LICENSE-2.0
10	*
11	* Unless required by applicable law or agreed to in writing, software
12	* distributed under the License is distributed on an "AS IS" BASIS,
13	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14	* See the License for the specific language governing permissions and
15	* limitations under the License.
16	*
17	*/
18
19	#include "mod_gnutls.h"
20	#include "http_vhost.h"
21	#include "ap_mpm.h"
22
23	#if APR_HAS_THREADS
24	# if GNUTLS_VERSION_MAJOR <= 2 && GNUTLS_VERSION_MINOR < 11
25	#include <gcrypt.h>
26	GCRY_THREAD_OPTION_PTHREAD_IMPL;
27	# endif
28	#endif
29
30	#if !USING_2_1_RECENT
31	extern server_rec *ap_server_conf;
32	#endif
33
34	#if MOD_GNUTLS_DEBUG
35	static apr_file_t *debug_log_fp;
36	#endif
37
38	static int mpm_is_threaded;
39	static gnutls_datum session_ticket_key = { NULL, 0 };
40
41	static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
42	/* use side==0 for server and side==1 for client */
43	static void mgs_add_common_cert_vars(request_rec * r,
44	gnutls_x509_crt_t cert, int side,
45	int export_certificates_enabled);
46	static void mgs_add_common_pgpcert_vars(request_rec * r,
47	gnutls_openpgp_crt_t cert,
48	int side,
49	int export_certificates_enabled);
50
51	static apr_status_t mgs_cleanup_pre_config(void *data)
52	{
53	gnutls_free(session_ticket_key.data);
54	session_ticket_key.data = NULL;
55	session_ticket_key.size = 0;
56	gnutls_global_deinit();
57	return APR_SUCCESS;
58	}
59
60	#if MOD_GNUTLS_DEBUG
61	static void gnutls_debug_log_all(int level, const char *str)
62	{
63	apr_file_printf(debug_log_fp, "<%d> %s\n", level, str);
64	}
65
66	#define _gnutls_log apr_file_printf
67	#else
68	# define _gnutls_log(...)
69	#endif
70
71	int
72	mgs_hook_pre_config(apr_pool_t * pconf,
73	apr_pool_t * plog, apr_pool_t * ptemp)
74	{
75	int ret;
76
77	#if MOD_GNUTLS_DEBUG
78	apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
79	APR_APPEND \| APR_WRITE \| APR_CREATE, APR_OS_DEFAULT,
80	pconf);
81
82	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
83
84	gnutls_global_set_log_level(9);
85	gnutls_global_set_log_function(gnutls_debug_log_all);
86	_gnutls_log(debug_log_fp, "gnutls: %s\n",
87	gnutls_check_version(NULL));
88	#endif
89
90	#if APR_HAS_THREADS
91	ap_mpm_query(AP_MPMQ_IS_THREADED, &mpm_is_threaded);
92	#if (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR < 11) \|\| GNUTLS_VERSION_MAJOR < 2
93	if (mpm_is_threaded) {
94	gcry_control(GCRYCTL_SET_THREAD_CBS,
95	&gcry_threads_pthread);
96	}
97	#endif
98	#else
99	mpm_is_threaded = 0;
100	#endif
101
102
103	if (gnutls_check_version(LIBGNUTLS_VERSION) == NULL) {
104	_gnutls_log(debug_log_fp,
105	"gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n",
106	LIBGNUTLS_VERSION, gnutls_check_version(NULL));
107	return -3;
108	}
109
110	ret = gnutls_global_init();
111	if (ret < 0) {
112	_gnutls_log(debug_log_fp, "gnutls_global_init: %s\n",
113	gnutls_strerror(ret));
114	return -3;
115	}
116
117	ret = gnutls_session_ticket_key_generate(&session_ticket_key);
118	if (ret < 0) {
119	_gnutls_log(debug_log_fp,
120	"gnutls_session_ticket_key_generate: %s\n",
121	gnutls_strerror(ret));
122	}
123
124	apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config,
125	apr_pool_cleanup_null);
126
127
128	return OK;
129	}
130
131	static int mgs_select_virtual_server_cb(gnutls_session_t session)
132	{
133	mgs_handle_t *ctxt;
134	mgs_srvconf_rec *tsc;
135	int ret;
136	int cprio[2];
137
138	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
139
140	ctxt = gnutls_transport_get_ptr(session);
141
142	/* find the virtual server */
143	tsc = mgs_find_sni_server(session);
144
145	if (tsc != NULL)
146	ctxt->sc = tsc;
147
148	gnutls_certificate_server_set_request(session,
149	ctxt->
150	sc->client_verify_mode);
151
152	/* set the new server credentials
153	*/
154
155	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
156	ctxt->sc->certs);
157
158	gnutls_credentials_set(session, GNUTLS_CRD_ANON,
159	ctxt->sc->anon_creds);
160
161	#ifdef ENABLE_SRP
162	if (ctxt->sc->srp_tpasswd_conf_file != NULL
163	&& ctxt->sc->srp_tpasswd_file != NULL) {
164	gnutls_credentials_set(session, GNUTLS_CRD_SRP,
165	ctxt->sc->srp_creds);
166	}
167	#endif
168
169	/* update the priorities - to avoid negotiating a ciphersuite that is not
170	* enabled on this virtual server. Note that here we ignore the version
171	* negotiation.
172	*/
173	ret = gnutls_priority_set(session, ctxt->sc->priorities);
174	/* actually it shouldn't fail since we have checked at startup */
175	if (ret < 0)
176	return ret;
177
178	/* If both certificate types are not present disallow them from
179	* being negotiated.
180	*/
181	if (ctxt->sc->certs_x509[0] != NULL && ctxt->sc->cert_pgp == NULL) {
182	cprio[0] = GNUTLS_CRT_X509;
183	cprio[1] = 0;
184	gnutls_certificate_type_set_priority(session, cprio);
185	} else if (ctxt->sc->cert_pgp != NULL
186	&& ctxt->sc->certs_x509[0] == NULL) {
187	cprio[0] = GNUTLS_CRT_OPENPGP;
188	cprio[1] = 0;
189	gnutls_certificate_type_set_priority(session, cprio);
190	}
191
192	return 0;
193	}
194
195	static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st * ret)
196	{
197	mgs_handle_t *ctxt;
198
199	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
200	ctxt = gnutls_transport_get_ptr(session);
201
202	if (ctxt == NULL)
203	return GNUTLS_E_INTERNAL_ERROR;
204
205	if (gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) {
206	ret->type = GNUTLS_CRT_X509;
207	ret->ncerts = ctxt->sc->certs_x509_num;
208	ret->deinit_all = 0;
209
210	ret->cert.x509 = ctxt->sc->certs_x509;
211	ret->key.x509 = ctxt->sc->privkey_x509;
212
213	return 0;
214	} else if (gnutls_certificate_type_get(session) ==
215	GNUTLS_CRT_OPENPGP) {
216	ret->type = GNUTLS_CRT_OPENPGP;
217	ret->ncerts = 1;
218	ret->deinit_all = 0;
219
220	ret->cert.pgp = ctxt->sc->cert_pgp;
221	ret->key.pgp = ctxt->sc->privkey_pgp;
222
223	return 0;
224
225	}
226
227	return GNUTLS_E_INTERNAL_ERROR;
228	}
229
230	/* 2048-bit group parameters from SRP specification */
231	const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
232	"MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
233	"gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
234	"KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
235	"dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
236	"YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
237	"Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
238	"-----END DH PARAMETERS-----\n";
239
240	/* Read the common name or the alternative name of the certificate.
241	* We only support a single name per certificate.
242	*
243	* Returns negative on error.
244	*/
245	static int read_crt_cn(server_rec * s, apr_pool_t * p,
246	gnutls_x509_crt_t cert, char **cert_cn)
247	{
248	int rv = 0, i;
249	size_t data_len;
250
251
252	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
253	*cert_cn = NULL;
254
255	data_len = 0;
256	rv = gnutls_x509_crt_get_dn_by_oid(cert,
257	GNUTLS_OID_X520_COMMON_NAME,
258	0, 0, NULL, &data_len);
259
260	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
261	*cert_cn = apr_palloc(p, data_len);
262	rv = gnutls_x509_crt_get_dn_by_oid(cert,
263	GNUTLS_OID_X520_COMMON_NAME,
264	0, 0, *cert_cn,
265	&data_len);
266	} else { /* No CN return subject alternative name */
267	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
268	"No common name found in certificate for '%s:%d'. Looking for subject alternative name...",
269	s->server_hostname, s->port);
270	rv = 0;
271	/* read subject alternative name */
272	for (i = 0; !(rv < 0); i++) {
273	data_len = 0;
274	rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
275	NULL,
276	&data_len,
277	NULL);
278
279	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER
280	&& data_len > 1) {
281	/* FIXME: not very efficient. What if we have several alt names
282	* before DNSName?
283	*/
284	*cert_cn = apr_palloc(p, data_len + 1);
285
286	rv = gnutls_x509_crt_get_subject_alt_name
287	(cert, i, *cert_cn, &data_len, NULL);
288	(*cert_cn)[data_len] = 0;
289
290	if (rv == GNUTLS_SAN_DNSNAME)
291	break;
292	}
293	}
294	}
295
296	return rv;
297	}
298
299	static int read_pgpcrt_cn(server_rec * s, apr_pool_t * p,
300	gnutls_openpgp_crt_t cert, char **cert_cn)
301	{
302	int rv = 0;
303	size_t data_len;
304
305
306	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
307	*cert_cn = NULL;
308
309	data_len = 0;
310	rv = gnutls_openpgp_crt_get_name(cert, 0, NULL, &data_len);
311
312	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
313	*cert_cn = apr_palloc(p, data_len);
314	rv = gnutls_openpgp_crt_get_name(cert, 0, *cert_cn,
315	&data_len);
316	} else { /* No CN return subject alternative name */
317	ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
318	"No name found in PGP certificate for '%s:%d'.",
319	s->server_hostname, s->port);
320	}
321
322	return rv;
323	}
324
325
326	int
327	mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
328	apr_pool_t * ptemp, server_rec * base_server)
329	{
330	int rv;
331	server_rec *s;
332	gnutls_dh_params_t dh_params = NULL;
333	gnutls_rsa_params_t rsa_params = NULL;
334	mgs_srvconf_rec *sc;
335	mgs_srvconf_rec *sc_base;
336	void *data = NULL;
337	int first_run = 0;
338	const char *userdata_key = "mgs_init";
339
340	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
341	apr_pool_userdata_get(&data, userdata_key,
342	base_server->process->pool);
343	if (data == NULL) {
344	first_run = 1;
345	apr_pool_userdata_set((const void *) 1, userdata_key,
346	apr_pool_cleanup_null,
347	base_server->process->pool);
348	}
349
350
351	s = base_server;
352	sc_base =
353	(mgs_srvconf_rec *) ap_get_module_config(s->module_config,
354	&gnutls_module);
355
356	gnutls_dh_params_init(&dh_params);
357
358	if (sc_base->dh_params == NULL) {
359	gnutls_datum pdata = {
360	(void *) static_dh_params,
361	sizeof(static_dh_params)
362	};
363	/* loading defaults */
364	rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
365	GNUTLS_X509_FMT_PEM);
366
367	if (rv < 0) {
368	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
369	"GnuTLS: Unable to load DH Params: (%d) %s",
370	rv, gnutls_strerror(rv));
371	exit(rv);
372	}
373	} else
374	dh_params = sc_base->dh_params;
375
376	if (sc_base->rsa_params != NULL)
377	rsa_params = sc_base->rsa_params;
378
379	/* else not an error but RSA-EXPORT ciphersuites are not available
380	*/
381
382	rv = mgs_cache_post_config(p, s, sc_base);
383	if (rv != 0) {
384	ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
385	"GnuTLS: Post Config for GnuTLSCache Failed."
386	" Shutting Down.");
387	exit(-1);
388	}
389
390	for (s = base_server; s; s = s->next) {
391	void *load = NULL;
392	sc = (mgs_srvconf_rec *)
393	ap_get_module_config(s->module_config, &gnutls_module);
394	sc->cache_type = sc_base->cache_type;
395	sc->cache_config = sc_base->cache_config;
396
397	/* Check if the priorities have been set */
398	if (sc->priorities == NULL
399	&& sc->enabled == GNUTLS_ENABLED_TRUE) {
400	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
401	"GnuTLS: Host '%s:%d' is missing the GnuTLSPriorities directive!",
402	s->server_hostname, s->port);
403	exit(-1);
404	}
405
406	/* Check if DH or RSA params have been set per host */
407	if (sc->rsa_params != NULL)
408	load = sc->rsa_params;
409	else if (rsa_params)
410	load = rsa_params;
411
412	if (load != NULL)
413	gnutls_certificate_set_rsa_export_params(sc->certs,
414	load);
415
416
417	load = NULL;
418	if (sc->dh_params != NULL)
419	load = sc->dh_params;
420	else if (dh_params)
421	load = dh_params;
422
423	if (load != NULL) { /* not needed but anyway */
424	gnutls_certificate_set_dh_params(sc->certs, load);
425	gnutls_anon_set_server_dh_params(sc->anon_creds,
426	load);
427	}
428
429	gnutls_certificate_server_set_retrieve_function(sc->certs,
430	cert_retrieve_fn);
431
432	#ifdef ENABLE_SRP
433	if (sc->srp_tpasswd_conf_file != NULL
434	&& sc->srp_tpasswd_file != NULL) {
435	rv = gnutls_srp_set_server_credentials_file
436	(sc->srp_creds, sc->srp_tpasswd_file,
437	sc->srp_tpasswd_conf_file);
438
439	if (rv < 0 && sc->enabled == GNUTLS_ENABLED_TRUE) {
440	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0,
441	s,
442	"[GnuTLS] - Host '%s:%d' is missing a "
443	"SRP password or conf File!",
444	s->server_hostname, s->port);
445	exit(-1);
446	}
447	}
448	#endif
449
450	if (sc->certs_x509[0] == NULL &&
451	sc->cert_pgp == NULL &&
452	sc->enabled == GNUTLS_ENABLED_TRUE) {
453	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
454	"[GnuTLS] - Host '%s:%d' is missing a "
455	"Certificate File!",
456	s->server_hostname, s->port);
457	exit(-1);
458	}
459
460	if (sc->enabled == GNUTLS_ENABLED_TRUE &&
461	((sc->certs_x509[0] != NULL
462	&& sc->privkey_x509 == NULL) \|\| (sc->cert_pgp != NULL
463	&& sc->privkey_pgp
464	== NULL))) {
465	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
466	"[GnuTLS] - Host '%s:%d' is missing a "
467	"Private Key File!",
468	s->server_hostname, s->port);
469	exit(-1);
470	}
471
472	if (sc->enabled == GNUTLS_ENABLED_TRUE) {
473	rv = read_crt_cn(s, p, sc->certs_x509[0],
474	&sc->cert_cn);
475	if (rv < 0 && sc->cert_pgp != NULL) /* try openpgp certificate */
476	rv = read_pgpcrt_cn(s, p, sc->cert_pgp,
477	&sc->cert_cn);
478
479	if (rv < 0) {
480	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0,
481	s,
482	"[GnuTLS] - Cannot find a certificate for host '%s:%d'!",
483	s->server_hostname, s->port);
484	sc->cert_cn = NULL;
485	continue;
486	}
487	}
488	}
489
490
491	ap_add_version_component(p, "mod_gnutls/" MOD_GNUTLS_VERSION);
492
493	return OK;
494	}
495
496	void mgs_hook_child_init(apr_pool_t * p, server_rec * s)
497	{
498	apr_status_t rv = APR_SUCCESS;
499	mgs_srvconf_rec *sc = ap_get_module_config(s->module_config,
500	&gnutls_module);
501
502	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
503	if (sc->cache_type != mgs_cache_none) {
504	rv = mgs_cache_child_init(p, s, sc);
505	if (rv != APR_SUCCESS) {
506	ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
507	"[GnuTLS] - Failed to run Cache Init");
508	}
509	}
510	}
511
512	const char mgs_hook_http_scheme(const request_rec r)
513	{
514	mgs_srvconf_rec *sc;
515
516	if (r == NULL)
517	return NULL;
518
519	sc = (mgs_srvconf_rec *) ap_get_module_config(r->
520	server->module_config,
521	&gnutls_module);
522
523	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
524	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
525	return NULL;
526	}
527
528	return "https";
529	}
530
531	apr_port_t mgs_hook_default_port(const request_rec * r)
532	{
533	mgs_srvconf_rec *sc;
534
535	if (r == NULL)
536	return 0;
537
538	sc = (mgs_srvconf_rec *) ap_get_module_config(r->
539	server->module_config,
540	&gnutls_module);
541
542	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
543	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
544	return 0;
545	}
546
547	return 443;
548	}
549
550	#define MAX_HOST_LEN 255
551
552	#if USING_2_1_RECENT
553	typedef struct {
554	mgs_handle_t *ctxt;
555	mgs_srvconf_rec *sc;
556	const char *sni_name;
557	} vhost_cb_rec;
558
559	static int vhost_cb(void baton, conn_rec conn, server_rec * s)
560	{
561	mgs_srvconf_rec *tsc;
562	vhost_cb_rec *x = baton;
563
564	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
565	tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
566	&gnutls_module);
567
568	if (tsc->enabled != GNUTLS_ENABLED_TRUE \|\| tsc->cert_cn == NULL) {
569	return 0;
570	}
571
572	/* The CN can contain a * -- this will match those too. */
573	if (ap_strcasecmp_match(x->sni_name, tsc->cert_cn) == 0) {
574	/* found a match */
575	#if MOD_GNUTLS_DEBUG
576	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
577	x->ctxt->c->base_server,
578	"GnuTLS: Virtual Host CB: "
579	"'%s' == '%s'", tsc->cert_cn, x->sni_name);
580	#endif
581	/* Because we actually change the server used here, we need to reset
582	* things like ClientVerify.
583	*/
584	x->sc = tsc;
585	/* Shit. Crap. Dammit. We really should rehandshake here, as our
586	* certificate structure should change when the server changes.
587	* acccckkkkkk.
588	*/
589	return 1;
590	} else {
591	#if MOD_GNUTLS_DEBUG
592	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
593	x->ctxt->c->base_server,
594	"GnuTLS: Virtual Host CB: "
595	"'%s' != '%s'", tsc->cert_cn, x->sni_name);
596	#endif
597
598	}
599	return 0;
600	}
601	#endif
602
603	mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session)
604	{
605	int rv;
606	unsigned int sni_type;
607	size_t data_len = MAX_HOST_LEN;
608	char sni_name[MAX_HOST_LEN];
609	mgs_handle_t *ctxt;
610	#if USING_2_1_RECENT
611	vhost_cb_rec cbx;
612	#else
613	server_rec *s;
614	mgs_srvconf_rec *tsc;
615	#endif
616
617	if (session == NULL)
618	return NULL;
619
620	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
621	ctxt = gnutls_transport_get_ptr(session);
622
623	rv = gnutls_server_name_get(ctxt->session, sni_name,
624	&data_len, &sni_type, 0);
625
626	if (rv != 0) {
627	return NULL;
628	}
629
630	if (sni_type != GNUTLS_NAME_DNS) {
631	ap_log_error(APLOG_MARK, APLOG_CRIT, 0,
632	ctxt->c->base_server,
633	"GnuTLS: Unknown type '%d' for SNI: "
634	"'%s'", sni_type, sni_name);
635	return NULL;
636	}
637
638	/**
639	* Code in the Core already sets up the c->base_server as the base
640	* for this IP/Port combo. Trust that the core did the 'right' thing.
641	*/
642	#if USING_2_1_RECENT
643	cbx.ctxt = ctxt;
644	cbx.sc = NULL;
645	cbx.sni_name = sni_name;
646
647	rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
648	if (rv == 1) {
649	return cbx.sc;
650	}
651	#else
652	for (s = ap_server_conf; s; s = s->next) {
653
654	tsc =
655	(mgs_srvconf_rec *)
656	ap_get_module_config(s->module_config, &gnutls_module);
657	if (tsc->enabled != GNUTLS_ENABLED_TRUE) {
658	continue;
659	}
660	#if MOD_GNUTLS_DEBUG
661	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
662	ctxt->c->base_server,
663	"GnuTLS: sni-x509 cn: %s/%d pk: %s s: 0x%08X s->n: 0x%08X sc: 0x%08X",
664	tsc->cert_cn, rv,
665	gnutls_pk_algorithm_get_name
666	(gnutls_x509_privkey_get_pk_algorithm
667	(ctxt->sc->privkey_x509)), (unsigned int) s,
668	(unsigned int) s->next, (unsigned int) tsc);
669	#endif
670	/* The CN can contain a * -- this will match those too. */
671	if (ap_strcasecmp_match(sni_name, tsc->cert_cn) == 0) {
672	#if MOD_GNUTLS_DEBUG
673	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
674	ctxt->c->base_server,
675	"GnuTLS: Virtual Host: "
676	"'%s' == '%s'", tsc->cert_cn,
677	sni_name);
678	#endif
679	return tsc;
680	}
681	}
682	#endif
683	return NULL;
684	}
685
686
687	static const int protocol_priority[] = {
688	GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
689	};
690
691
692	static mgs_handle_t create_gnutls_handle(apr_pool_t pool, conn_rec * c)
693	{
694	mgs_handle_t *ctxt;
695	mgs_srvconf_rec *sc =
696	(mgs_srvconf_rec *) ap_get_module_config(c->base_server->
697	module_config,
698	&gnutls_module);
699
700	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
701	ctxt = apr_pcalloc(pool, sizeof(*ctxt));
702	ctxt->c = c;
703	ctxt->sc = sc;
704	ctxt->status = 0;
705
706	ctxt->input_rc = APR_SUCCESS;
707	ctxt->input_bb = apr_brigade_create(c->pool, c->bucket_alloc);
708	ctxt->input_cbuf.length = 0;
709
710	ctxt->output_rc = APR_SUCCESS;
711	ctxt->output_bb = apr_brigade_create(c->pool, c->bucket_alloc);
712	ctxt->output_blen = 0;
713	ctxt->output_length = 0;
714
715	gnutls_init(&ctxt->session, GNUTLS_SERVER);
716	if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0)
717	gnutls_session_ticket_enable_server(ctxt->session,
718	&session_ticket_key);
719
720	/* because we don't set any default priorities here (we set later at
721	* the user hello callback) we need to at least set this in order for
722	* gnutls to be able to read packets.
723	*/
724	gnutls_protocol_set_priority(ctxt->session, protocol_priority);
725
726	gnutls_handshake_set_post_client_hello_function(ctxt->session,
727	mgs_select_virtual_server_cb);
728
729	mgs_cache_session_init(ctxt);
730
731	return ctxt;
732	}
733
734	int mgs_hook_pre_connection(conn_rec * c, void *csd)
735	{
736	mgs_handle_t *ctxt;
737	mgs_srvconf_rec *sc;
738
739	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
740
741	if (c == NULL)
742	return DECLINED;
743
744	sc = (mgs_srvconf_rec *) ap_get_module_config(c->base_server->
745	module_config,
746	&gnutls_module);
747
748	if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) {
749	return DECLINED;
750	}
751
752	if (c->remote_addr->hostname)
753	/* Connection initiated by Apache (mod_proxy) => ignore */
754	return OK;
755
756	ctxt = create_gnutls_handle(c->pool, c);
757
758	ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
759
760	gnutls_transport_set_pull_function(ctxt->session,
761	mgs_transport_read);
762	gnutls_transport_set_push_function(ctxt->session,
763	mgs_transport_write);
764	gnutls_transport_set_ptr(ctxt->session, ctxt);
765
766	ctxt->input_filter =
767	ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, ctxt, NULL, c);
768	ctxt->output_filter =
769	ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, ctxt, NULL, c);
770
771	return OK;
772	}
773
774	int mgs_hook_fixups(request_rec * r)
775	{
776	unsigned char sbuf[GNUTLS_MAX_SESSION_ID];
777	char buf[AP_IOBUFSIZE];
778	const char *tmp;
779	size_t len;
780	mgs_handle_t *ctxt;
781	int rv = OK;
782
783	if (r == NULL)
784	return DECLINED;
785
786	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
787	apr_table_t *env = r->subprocess_env;
788
789	ctxt =
790	ap_get_module_config(r->connection->conn_config,
791	&gnutls_module);
792
793	if (!ctxt \|\| ctxt->session == NULL) {
794	return DECLINED;
795	}
796
797	apr_table_setn(env, "HTTPS", "on");
798
799	apr_table_setn(env, "SSL_VERSION_LIBRARY",
800	"GnuTLS/" LIBGNUTLS_VERSION);
801	apr_table_setn(env, "SSL_VERSION_INTERFACE",
802	"mod_gnutls/" MOD_GNUTLS_VERSION);
803
804	apr_table_setn(env, "SSL_PROTOCOL",
805	gnutls_protocol_get_name(gnutls_protocol_get_version
806	(ctxt->session)));
807
808	/* should have been called SSL_CIPHERSUITE instead */
809	apr_table_setn(env, "SSL_CIPHER",
810	gnutls_cipher_suite_get_name(gnutls_kx_get
811	(ctxt->session),
812	gnutls_cipher_get
813	(ctxt->session),
814	gnutls_mac_get
815	(ctxt->session)));
816
817	apr_table_setn(env, "SSL_COMPRESS_METHOD",
818	gnutls_compression_get_name(gnutls_compression_get
819	(ctxt->session)));
820
821	#ifdef ENABLE_SRP
822	tmp = gnutls_srp_server_get_username(ctxt->session);
823	apr_table_setn(env, "SSL_SRP_USER", (tmp != NULL) ? tmp : "");
824	#endif
825
826	if (apr_table_get(env, "SSL_CLIENT_VERIFY") == NULL)
827	apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE");
828
829	unsigned int key_size =
830	8 *
831	gnutls_cipher_get_key_size(gnutls_cipher_get(ctxt->session));
832	tmp = apr_psprintf(r->pool, "%u", key_size);
833
834	apr_table_setn(env, "SSL_CIPHER_USEKEYSIZE", tmp);
835
836	apr_table_setn(env, "SSL_CIPHER_ALGKEYSIZE", tmp);
837
838	apr_table_setn(env, "SSL_CIPHER_EXPORT",
839	(key_size <= 40) ? "true" : "false");
840
841	len = sizeof(sbuf);
842	gnutls_session_get_id(ctxt->session, sbuf, &len);
843	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf));
844	apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp));
845
846	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
847	mgs_add_common_cert_vars(r, ctxt->sc->certs_x509[0], 0,
848	ctxt->
849	sc->export_certificates_enabled);
850	else if (gnutls_certificate_type_get(ctxt->session) ==
851	GNUTLS_CRT_OPENPGP)
852	mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0,
853	ctxt->
854	sc->export_certificates_enabled);
855
856	return rv;
857	}
858
859	int mgs_hook_authz(request_rec * r)
860	{
861	int rv;
862	mgs_handle_t *ctxt;
863	mgs_dirconf_rec *dc;
864
865	if (r == NULL)
866	return DECLINED;
867
868	dc = ap_get_module_config(r->per_dir_config, &gnutls_module);
869
870	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
871	ctxt =
872	ap_get_module_config(r->connection->conn_config,
873	&gnutls_module);
874
875	if (!ctxt \|\| ctxt->session == NULL) {
876	return DECLINED;
877	}
878
879	if (dc->client_verify_mode == GNUTLS_CERT_IGNORE) {
880	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
881	"GnuTLS: Directory set to Ignore Client Certificate!");
882	} else {
883	if (ctxt->sc->client_verify_mode < dc->client_verify_mode) {
884	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
885	"GnuTLS: Attempting to rehandshake with peer. %d %d",
886	ctxt->sc->client_verify_mode,
887	dc->client_verify_mode);
888
889	/* If we already have a client certificate, there's no point in
890	* re-handshaking... */
891	rv = mgs_cert_verify(r, ctxt);
892	if (rv != DECLINED && rv != HTTP_FORBIDDEN)
893	return rv;
894
895	gnutls_certificate_server_set_request
896	(ctxt->session, dc->client_verify_mode);
897
898	if (mgs_rehandshake(ctxt) != 0) {
899	return HTTP_FORBIDDEN;
900	}
901	} else if (ctxt->sc->client_verify_mode ==
902	GNUTLS_CERT_IGNORE) {
903	#if MOD_GNUTLS_DEBUG
904	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
905	"GnuTLS: Peer is set to IGNORE");
906	#endif
907	return DECLINED;
908	}
909	rv = mgs_cert_verify(r, ctxt);
910	if (rv != DECLINED &&
911	(rv != HTTP_FORBIDDEN \|\|
912	dc->client_verify_mode == GNUTLS_CERT_REQUIRE)) {
913	return rv;
914	}
915	}
916
917	return DECLINED;
918	}
919
920	/* variables that are not sent by default:
921	*
922	* SSL_CLIENT_CERT string PEM-encoded client certificate
923	* SSL_SERVER_CERT string PEM-encoded client certificate
924	*/
925
926	/* side is either 0 for SERVER or 1 for CLIENT
927	*/
928	#define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT")
929	static void
930	mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side,
931	int export_certificates_enabled)
932	{
933	unsigned char sbuf[64]; /* buffer to hold serials */
934	char buf[AP_IOBUFSIZE];
935	const char *tmp;
936	char *tmp2;
937	size_t len;
938	int ret, i;
939
940	if (r == NULL)
941	return;
942
943	apr_table_t *env = r->subprocess_env;
944
945	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
946	if (export_certificates_enabled != 0) {
947	char cert_buf[10 * 1024];
948	len = sizeof(cert_buf);
949
950	if (gnutls_x509_crt_export
951	(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
952	apr_table_setn(env,
953	apr_pstrcat(r->pool, MGS_SIDE,
954	"_CERT", NULL),
955	apr_pstrmemdup(r->pool, cert_buf,
956	len));
957
958	}
959
960	len = sizeof(buf);
961	gnutls_x509_crt_get_dn(cert, buf, &len);
962	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_S_DN", NULL),
963	apr_pstrmemdup(r->pool, buf, len));
964
965	len = sizeof(buf);
966	gnutls_x509_crt_get_issuer_dn(cert, buf, &len);
967	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_I_DN", NULL),
968	apr_pstrmemdup(r->pool, buf, len));
969
970	len = sizeof(sbuf);
971	gnutls_x509_crt_get_serial(cert, sbuf, &len);
972	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf));
973	apr_table_setn(env,
974	apr_pstrcat(r->pool, MGS_SIDE, "_M_SERIAL", NULL),
975	apr_pstrdup(r->pool, tmp));
976
977	ret = gnutls_x509_crt_get_version(cert);
978	if (ret > 0)
979	apr_table_setn(env,
980	apr_pstrcat(r->pool, MGS_SIDE, "_M_VERSION",
981	NULL), apr_psprintf(r->pool,
982	"%u", ret));
983
984	apr_table_setn(env,
985	apr_pstrcat(r->pool, MGS_SIDE, "_CERT_TYPE", NULL),
986	"X.509");
987
988	tmp =
989	mgs_time2sz(gnutls_x509_crt_get_expiration_time
990	(cert), buf, sizeof(buf));
991	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_END", NULL),
992	apr_pstrdup(r->pool, tmp));
993
994	tmp =
995	mgs_time2sz(gnutls_x509_crt_get_activation_time
996	(cert), buf, sizeof(buf));
997	apr_table_setn(env,
998	apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL),
999	apr_pstrdup(r->pool, tmp));
1000
1001	ret = gnutls_x509_crt_get_signature_algorithm(cert);
1002	if (ret >= 0) {
1003	apr_table_setn(env,
1004	apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG",
1005	NULL),
1006	gnutls_sign_algorithm_get_name(ret));
1007	}
1008
1009	ret = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
1010	if (ret >= 0) {
1011	apr_table_setn(env,
1012	apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY",
1013	NULL),
1014	gnutls_pk_algorithm_get_name(ret));
1015	}
1016
1017	/* export all the alternative names (DNS, RFC822 and URI) */
1018	for (i = 0; !(ret < 0); i++) {
1019	len = 0;
1020	ret = gnutls_x509_crt_get_subject_alt_name(cert, i,
1021	NULL, &len,
1022	NULL);
1023
1024	if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER && len > 1) {
1025	tmp2 = apr_palloc(r->pool, len + 1);
1026
1027	ret =
1028	gnutls_x509_crt_get_subject_alt_name(cert, i,
1029	tmp2,
1030	&len,
1031	NULL);
1032	tmp2[len] = 0;
1033
1034	if (ret == GNUTLS_SAN_DNSNAME) {
1035	apr_table_setn(env,
1036	apr_psprintf(r->pool,
1037	"%s_S_AN%u",
1038	MGS_SIDE, i),
1039	apr_psprintf(r->pool,
1040	"DNSNAME:%s",
1041	tmp2));
1042	} else if (ret == GNUTLS_SAN_RFC822NAME) {
1043	apr_table_setn(env,
1044	apr_psprintf(r->pool,
1045	"%s_S_AN%u",
1046	MGS_SIDE, i),
1047	apr_psprintf(r->pool,
1048	"RFC822NAME:%s",
1049	tmp2));
1050	} else if (ret == GNUTLS_SAN_URI) {
1051	apr_table_setn(env,
1052	apr_psprintf(r->pool,
1053	"%s_S_AN%u",
1054	MGS_SIDE, i),
1055	apr_psprintf(r->pool,
1056	"URI:%s",
1057	tmp2));
1058	} else {
1059	apr_table_setn(env,
1060	apr_psprintf(r->pool,
1061	"%s_S_AN%u",
1062	MGS_SIDE, i),
1063	"UNSUPPORTED");
1064	}
1065	}
1066	}
1067	}
1068
1069	static void
1070	mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert,
1071	int side, int export_certificates_enabled)
1072	{
1073	unsigned char sbuf[64]; /* buffer to hold serials */
1074	char buf[AP_IOBUFSIZE];
1075	const char *tmp;
1076	size_t len;
1077	int ret;
1078
1079	if (r == NULL)
1080	return;
1081
1082	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
1083	apr_table_t *env = r->subprocess_env;
1084
1085	if (export_certificates_enabled != 0) {
1086	char cert_buf[10 * 1024];
1087	len = sizeof(cert_buf);
1088
1089	if (gnutls_openpgp_crt_export
1090	(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0)
1091	apr_table_setn(env,
1092	apr_pstrcat(r->pool, MGS_SIDE,
1093	"_CERT", NULL),
1094	apr_pstrmemdup(r->pool, cert_buf,
1095	len));
1096
1097	}
1098
1099	len = sizeof(buf);
1100	gnutls_openpgp_crt_get_name(cert, 0, buf, &len);
1101	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_NAME", NULL),
1102	apr_pstrmemdup(r->pool, buf, len));
1103
1104	len = sizeof(sbuf);
1105	gnutls_openpgp_crt_get_fingerprint(cert, sbuf, &len);
1106	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf));
1107	apr_table_setn(env,
1108	apr_pstrcat(r->pool, MGS_SIDE, "_FINGERPRINT",
1109	NULL), apr_pstrdup(r->pool, tmp));
1110
1111	ret = gnutls_openpgp_crt_get_version(cert);
1112	if (ret > 0)
1113	apr_table_setn(env,
1114	apr_pstrcat(r->pool, MGS_SIDE, "_M_VERSION",
1115	NULL), apr_psprintf(r->pool,
1116	"%u", ret));
1117
1118	apr_table_setn(env,
1119	apr_pstrcat(r->pool, MGS_SIDE, "_CERT_TYPE", NULL),
1120	"OPENPGP");
1121
1122	tmp =
1123	mgs_time2sz(gnutls_openpgp_crt_get_expiration_time
1124	(cert), buf, sizeof(buf));
1125	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_END", NULL),
1126	apr_pstrdup(r->pool, tmp));
1127
1128	tmp =
1129	mgs_time2sz(gnutls_openpgp_crt_get_creation_time
1130	(cert), buf, sizeof(buf));
1131	apr_table_setn(env,
1132	apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL),
1133	apr_pstrdup(r->pool, tmp));
1134
1135	ret = gnutls_openpgp_crt_get_pk_algorithm(cert, NULL);
1136	if (ret >= 0) {
1137	apr_table_setn(env,
1138	apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY",
1139	NULL),
1140	gnutls_pk_algorithm_get_name(ret));
1141	}
1142
1143	}
1144
1145	/* TODO: Allow client sending a X.509 certificate chain */
1146	static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
1147	{
1148	const gnutls_datum_t *cert_list;
1149	unsigned int cert_list_size, status;
1150	int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret;
1151	unsigned int ch_size = 0;
1152	union {
1153	gnutls_x509_crt_t x509[MAX_CHAIN_SIZE];
1154	gnutls_openpgp_crt_t pgp;
1155	} cert;
1156	apr_time_t expiration_time, cur_time;
1157
1158	if (r == NULL \|\| ctxt == NULL \|\| ctxt->session == NULL)
1159	return HTTP_FORBIDDEN;
1160
1161	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
1162	cert_list =
1163	gnutls_certificate_get_peers(ctxt->session, &cert_list_size);
1164
1165	if (cert_list == NULL \|\| cert_list_size == 0) {
1166	/* It is perfectly OK for a client not to send a certificate if on REQUEST mode
1167	*/
1168	if (ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUEST)
1169	return OK;
1170
1171	/* no certificate provided by the client, but one was required. */
1172	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1173	"GnuTLS: Failed to Verify Peer: "
1174	"Client did not submit a certificate");
1175	return HTTP_FORBIDDEN;
1176	}
1177
1178	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
1179	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
1180	"GnuTLS: A Chain of %d certificate(s) was provided for validation",
1181	cert_list_size);
1182
1183	for (ch_size = 0; ch_size < cert_list_size; ch_size++) {
1184	gnutls_x509_crt_init(&cert.x509[ch_size]);
1185	rv = gnutls_x509_crt_import(cert.x509[ch_size],
1186	&cert_list[ch_size],
1187	GNUTLS_X509_FMT_DER);
1188	// When failure to import, leave the loop
1189	if (rv != GNUTLS_E_SUCCESS) {
1190	if (ch_size < 1) {
1191	ap_log_rerror(APLOG_MARK,
1192	APLOG_INFO, 0, r,
1193	"GnuTLS: Failed to Verify Peer: "
1194	"Failed to import peer certificates.");
1195	ret = HTTP_FORBIDDEN;
1196	goto exit;
1197	}
1198	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1199	"GnuTLS: Failed to import some peer certificates. Using %d certificates",
1200	ch_size);
1201	rv = GNUTLS_E_SUCCESS;
1202	break;
1203	}
1204	}
1205	} else if (gnutls_certificate_type_get(ctxt->session) ==
1206	GNUTLS_CRT_OPENPGP) {
1207	if (cert_list_size > 1) {
1208	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1209	"GnuTLS: Failed to Verify Peer: "
1210	"Chained Client Certificates are not supported.");
1211	return HTTP_FORBIDDEN;
1212	}
1213
1214	gnutls_openpgp_crt_init(&cert.pgp);
1215	rv = gnutls_openpgp_crt_import(cert.pgp, &cert_list[0],
1216	GNUTLS_OPENPGP_FMT_RAW);
1217
1218	} else
1219	return HTTP_FORBIDDEN;
1220
1221	if (rv < 0) {
1222	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1223	"GnuTLS: Failed to Verify Peer: "
1224	"Failed to import peer certificates.");
1225	ret = HTTP_FORBIDDEN;
1226	goto exit;
1227	}
1228
1229	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
1230	apr_time_ansi_put(&expiration_time,
1231	gnutls_x509_crt_get_expiration_time
1232	(cert.x509[0]));
1233
1234	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
1235	"GnuTLS: Verifying list of %d certificate(s)",
1236	ch_size);
1237	rv = gnutls_x509_crt_list_verify(cert.x509, ch_size,
1238	ctxt->sc->ca_list,
1239	ctxt->sc->ca_list_size,
1240	NULL, 0, 0, &status);
1241	} else {
1242	apr_time_ansi_put(&expiration_time,
1243	gnutls_openpgp_crt_get_expiration_time
1244	(cert.pgp));
1245
1246	rv = gnutls_openpgp_crt_verify_ring(cert.pgp,
1247	ctxt->sc->pgp_list, 0,
1248	&status);
1249	}
1250
1251	if (rv < 0) {
1252	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1253	"GnuTLS: Failed to Verify Peer certificate: (%d) %s",
1254	rv, gnutls_strerror(rv));
1255	if (rv == GNUTLS_E_NO_CERTIFICATE_FOUND)
1256	ap_log_rerror(APLOG_MARK, APLOG_EMERG, 0, r,
1257	"GnuTLS: No certificate was found for verification. Did you set the GnuTLSX509CAFile or GnuTLSPGPKeyringFile directives?");
1258	ret = HTTP_FORBIDDEN;
1259	goto exit;
1260	}
1261
1262	/* TODO: X509 CRL Verification. */
1263	/* May add later if anyone needs it.
1264	*/
1265	/* ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); */
1266
1267	cur_time = apr_time_now();
1268
1269	if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
1270	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1271	"GnuTLS: Could not find Signer for Peer Certificate");
1272	}
1273
1274	if (status & GNUTLS_CERT_SIGNER_NOT_CA) {
1275	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1276	"GnuTLS: Peer's Certificate signer is not a CA");
1277	}
1278
1279	if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
1280	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1281	"GnuTLS: Peer's Certificate is using insecure algorithms");
1282	}
1283
1284	if (status & GNUTLS_CERT_EXPIRED
1285	\|\| status & GNUTLS_CERT_NOT_ACTIVATED) {
1286	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1287	"GnuTLS: Peer's Certificate signer is expired or not yet activated");
1288	}
1289
1290	if (status & GNUTLS_CERT_INVALID) {
1291	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1292	"GnuTLS: Peer Certificate is invalid.");
1293	} else if (status & GNUTLS_CERT_REVOKED) {
1294	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1295	"GnuTLS: Peer Certificate is revoked.");
1296	}
1297
1298	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
1299	mgs_add_common_cert_vars(r, cert.x509[0], 1,
1300	ctxt->
1301	sc->export_certificates_enabled);
1302	else if (gnutls_certificate_type_get(ctxt->session) ==
1303	GNUTLS_CRT_OPENPGP)
1304	mgs_add_common_pgpcert_vars(r, cert.pgp, 1,
1305	ctxt->
1306	sc->export_certificates_enabled);
1307
1308	{
1309	/* days remaining */
1310	unsigned long remain =
1311	(apr_time_sec(expiration_time) -
1312	apr_time_sec(cur_time)) / 86400;
1313	apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN",
1314	apr_psprintf(r->pool, "%lu", remain));
1315	}
1316
1317	if (status == 0) {
1318	apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY",
1319	"SUCCESS");
1320	ret = OK;
1321	} else {
1322	apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY",
1323	"FAILED");
1324	if (ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUEST)
1325	ret = OK;
1326	else
1327	ret = HTTP_FORBIDDEN;
1328	}
1329
1330	exit:
1331	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
1332	int i;
1333	for (i = 0; i < ch_size; i++) {
1334	gnutls_x509_crt_deinit(cert.x509[i]);
1335	}
1336	} else if (gnutls_certificate_type_get(ctxt->session) ==
1337	GNUTLS_CRT_OPENPGP)
1338	gnutls_openpgp_crt_deinit(cert.pgp);
1339	return ret;
1340
1341
1342	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: