Context Navigation

source: mod_gnutls/src/gnutls_hooks.c @ cf10d49

Visit:

asynciodebian/masterdebian/stretch-backportsjessie-backportsmsvaproxy-ticketupstream

Last change on this file since cf10d49 was cf10d49, checked in by Dash Shendy <neuromancer@…>, 9 years ago
Added new definition for function cert_retrieve_fn()
Property mode set to `100644`
File size: 40.0 KB

Line
1	/**
2	* Copyright 2004-2005 Paul Querna
3	* Copyright 2008 Nikos Mavrogiannopoulos
4	* Copyright 2011 Dash Shendy
5	*
6	* Licensed under the Apache License, Version 2.0 (the "License");
7	* you may not use this file except in compliance with the License.
8	* You may obtain a copy of the License at
9	*
10	* http://www.apache.org/licenses/LICENSE-2.0
11	*
12	* Unless required by applicable law or agreed to in writing, software
13	* distributed under the License is distributed on an "AS IS" BASIS,
14	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15	* See the License for the specific language governing permissions and
16	* limitations under the License.
17	*
18	*/
19
20	#include "mod_gnutls.h"
21	#include "http_vhost.h"
22	#include "ap_mpm.h"
23
24
25	#if !USING_2_1_RECENT
26	extern server_rec *ap_server_conf;
27	#endif
28
29	#if MOD_GNUTLS_DEBUG
30	static apr_file_t *debug_log_fp;
31	#endif
32
33	static gnutls_datum session_ticket_key = {NULL, 0};
34
35	static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
36	/* use side==0 for server and side==1 for client */
37	static void mgs_add_common_cert_vars(request_rec * r,
38	gnutls_x509_crt_t cert, int side,
39	int export_certificates_enabled);
40	static void mgs_add_common_pgpcert_vars(request_rec * r,
41	gnutls_openpgp_crt_t cert,
42	int side,
43	int export_certificates_enabled);
44
45	static apr_status_t mgs_cleanup_pre_config(void *data) {
46	gnutls_free(session_ticket_key.data);
47	session_ticket_key.data = NULL;
48	session_ticket_key.size = 0;
49	gnutls_global_deinit();
50	return APR_SUCCESS;
51	}
52
53	#if MOD_GNUTLS_DEBUG
54
55	static void gnutls_debug_log_all(int level, const char *str) {
56	apr_file_printf(debug_log_fp, "<%d> %s\n", level, str);
57	}
58
59	#define _gnutls_log apr_file_printf
60	#else
61	#define _gnutls_log(...)
62	#endif
63
64	int
65	mgs_hook_pre_config(apr_pool_t * pconf,
66	apr_pool_t * plog, apr_pool_t * ptemp) {
67	int ret;
68
69	#if MOD_GNUTLS_DEBUG
70	apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
71	APR_APPEND \| APR_WRITE \| APR_CREATE, APR_OS_DEFAULT,
72	pconf);
73
74	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
75
76	gnutls_global_set_log_level(9);
77	gnutls_global_set_log_function(gnutls_debug_log_all);
78	_gnutls_log(debug_log_fp, "gnutls: %s\n",
79	gnutls_check_version(NULL));
80	#endif
81
82	if (gnutls_check_version(LIBGNUTLS_VERSION) == NULL) {
83	_gnutls_log(debug_log_fp,
84	"gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n",
85	LIBGNUTLS_VERSION, gnutls_check_version(NULL));
86	return -3;
87	}
88
89	ret = gnutls_global_init();
90	if (ret < 0) {
91	_gnutls_log(debug_log_fp, "gnutls_global_init: %s\n",
92	gnutls_strerror(ret));
93	return -3;
94	}
95
96	ret = gnutls_session_ticket_key_generate(&session_ticket_key);
97	if (ret < 0) {
98	_gnutls_log(debug_log_fp,
99	"gnutls_session_ticket_key_generate: %s\n",
100	gnutls_strerror(ret));
101	}
102
103	apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config,
104	apr_pool_cleanup_null);
105
106
107	return OK;
108	}
109
110	static int mgs_select_virtual_server_cb(gnutls_session_t session) {
111	mgs_handle_t *ctxt;
112	mgs_srvconf_rec *tsc;
113	int ret = 0;
114
115	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
116
117	ctxt = gnutls_transport_get_ptr(session);
118
119	/* find the virtual server */
120	tsc = mgs_find_sni_server(session);
121
122	if (tsc != NULL)
123	ctxt->sc = tsc;
124
125	gnutls_certificate_server_set_request(session,
126	ctxt->
127	sc->client_verify_mode);
128
129	/* set the new server credentials
130	*/
131
132	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
133	ctxt->sc->certs);
134
135	gnutls_credentials_set(session, GNUTLS_CRD_ANON,
136	ctxt->sc->anon_creds);
137
138	#ifdef ENABLE_SRP
139	if (ctxt->sc->srp_tpasswd_conf_file != NULL
140	&& ctxt->sc->srp_tpasswd_file != NULL) {
141	gnutls_credentials_set(session, GNUTLS_CRD_SRP,
142	ctxt->sc->srp_creds);
143	}
144	#endif
145
146	/* update the priorities - to avoid negotiating a ciphersuite that is not
147	* enabled on this virtual server. Note that here we ignore the version
148	* negotiation.
149	*/
150	ret = gnutls_priority_set(session, ctxt->sc->priorities);
151	/* actually it shouldn't fail since we have checked at startup */
152	return ret;
153	}
154
155	static int cert_retrieve_fn(gnutls_session_t session,
156	const gnutls_datum_t * req_ca_rdn, int nreqs,
157	const gnutls_pk_algorithm_t * pk_algos, int pk_algos_length,
158	gnutls_retr2_st *ret) {
159
160	mgs_handle_t *ctxt;
161
162	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
163	ctxt = gnutls_transport_get_ptr(session);
164
165	if (ctxt == NULL)
166	return GNUTLS_E_INTERNAL_ERROR;
167
168	if (gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) {
169	ret->cert_type = GNUTLS_CRT_X509;
170	ret->key_type = GNUTLS_PRIVKEY_X509;
171	ret->ncerts = ctxt->sc->certs_x509_num;
172	ret->deinit_all = 0;
173
174	ret->cert.x509 = ctxt->sc->certs_x509;
175	ret->key.x509 = ctxt->sc->privkey_x509;
176
177	return 0;
178	} else if (gnutls_certificate_type_get(session) == GNUTLS_CRT_OPENPGP) {
179	ret->cert_type = GNUTLS_CRT_OPENPGP;
180	ret->key_type = GNUTLS_PRIVKEY_OPENPGP;
181	ret->ncerts = 1;
182	ret->deinit_all = 0;
183
184	ret->cert.pgp = ctxt->sc->cert_pgp;
185	ret->key.pgp = ctxt->sc->privkey_pgp;
186
187	return 0;
188
189	}
190
191	return GNUTLS_E_INTERNAL_ERROR;
192	}
193
194	/* 2048-bit group parameters from SRP specification */
195	const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
196	"MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
197	"gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
198	"KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
199	"dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
200	"YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
201	"Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
202	"-----END DH PARAMETERS-----\n";
203
204	/* Read the common name or the alternative name of the certificate.
205	* We only support a single name per certificate.
206	*
207	* Returns negative on error.
208	*/
209	static int read_crt_cn(server_rec * s, apr_pool_t * p,
210	gnutls_x509_crt_t cert, char **cert_cn) {
211	int rv = 0, i;
212	size_t data_len;
213
214
215	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
216	*cert_cn = NULL;
217
218	data_len = 0;
219	rv = gnutls_x509_crt_get_dn_by_oid(cert,
220	GNUTLS_OID_X520_COMMON_NAME,
221	0, 0, NULL, &data_len);
222
223	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
224	*cert_cn = apr_palloc(p, data_len);
225	rv = gnutls_x509_crt_get_dn_by_oid(cert,
226	GNUTLS_OID_X520_COMMON_NAME,
227	0, 0, *cert_cn,
228	&data_len);
229	} else { /* No CN return subject alternative name */
230	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
231	"No common name found in certificate for '%s:%d'. Looking for subject alternative name...",
232	s->server_hostname, s->port);
233	rv = 0;
234	/* read subject alternative name */
235	for (i = 0; !(rv < 0); i++) {
236	data_len = 0;
237	rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
238	NULL,
239	&data_len,
240	NULL);
241
242	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER
243	&& data_len > 1) {
244	/* FIXME: not very efficient. What if we have several alt names
245	* before DNSName?
246	*/
247	*cert_cn = apr_palloc(p, data_len + 1);
248
249	rv = gnutls_x509_crt_get_subject_alt_name
250	(cert, i, *cert_cn, &data_len, NULL);
251	(*cert_cn)[data_len] = 0;
252
253	if (rv == GNUTLS_SAN_DNSNAME)
254	break;
255	}
256	}
257	}
258
259	return rv;
260	}
261
262	static int read_pgpcrt_cn(server_rec * s, apr_pool_t * p,
263	gnutls_openpgp_crt_t cert, char **cert_cn) {
264	int rv = 0;
265	size_t data_len;
266
267
268	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
269	*cert_cn = NULL;
270
271	data_len = 0;
272	rv = gnutls_openpgp_crt_get_name(cert, 0, NULL, &data_len);
273
274	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
275	*cert_cn = apr_palloc(p, data_len);
276	rv = gnutls_openpgp_crt_get_name(cert, 0, *cert_cn,
277	&data_len);
278	} else { /* No CN return subject alternative name */
279	ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
280	"No name found in PGP certificate for '%s:%d'.",
281	s->server_hostname, s->port);
282	}
283
284	return rv;
285	}
286
287	int
288	mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
289	apr_pool_t * ptemp, server_rec * base_server) {
290	int rv;
291	server_rec *s;
292	gnutls_dh_params_t dh_params = NULL;
293	gnutls_rsa_params_t rsa_params = NULL;
294	mgs_srvconf_rec *sc;
295	mgs_srvconf_rec *sc_base;
296	void *data = NULL;
297	int first_run = 0;
298	const char *userdata_key = "mgs_init";
299
300	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
301	apr_pool_userdata_get(&data, userdata_key,
302	base_server->process->pool);
303	if (data == NULL) {
304	first_run = 1;
305	apr_pool_userdata_set((const void *) 1, userdata_key,
306	apr_pool_cleanup_null,
307	base_server->process->pool);
308	}
309
310
311	s = base_server;
312	sc_base =
313	(mgs_srvconf_rec *) ap_get_module_config(s->module_config,
314	&gnutls_module);
315
316	gnutls_dh_params_init(&dh_params);
317
318	if (sc_base->dh_params == NULL) {
319	gnutls_datum pdata = {
320	(void *) static_dh_params,
321	sizeof (static_dh_params)
322	};
323	/* loading defaults */
324	rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
325	GNUTLS_X509_FMT_PEM);
326
327	if (rv < 0) {
328	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
329	"GnuTLS: Unable to load DH Params: (%d) %s",
330	rv, gnutls_strerror(rv));
331	exit(rv);
332	}
333	} else
334	dh_params = sc_base->dh_params;
335
336	if (sc_base->rsa_params != NULL)
337	rsa_params = sc_base->rsa_params;
338
339	/* else not an error but RSA-EXPORT ciphersuites are not available
340	*/
341
342	rv = mgs_cache_post_config(p, s, sc_base);
343	if (rv != 0) {
344	ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
345	"GnuTLS: Post Config for GnuTLSCache Failed."
346	" Shutting Down.");
347	exit(-1);
348	}
349
350	for (s = base_server; s; s = s->next) {
351	void *load = NULL;
352	sc = (mgs_srvconf_rec *)
353	ap_get_module_config(s->module_config, &gnutls_module);
354	sc->cache_type = sc_base->cache_type;
355	sc->cache_config = sc_base->cache_config;
356
357	/* Check if the priorities have been set */
358	if (sc->priorities == NULL
359	&& sc->enabled == GNUTLS_ENABLED_TRUE) {
360	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
361	"GnuTLS: Host '%s:%d' is missing the GnuTLSPriorities directive!",
362	s->server_hostname, s->port);
363	exit(-1);
364	}
365
366	/* Check if DH or RSA params have been set per host */
367	if (sc->rsa_params != NULL)
368	load = sc->rsa_params;
369	else if (rsa_params)
370	load = rsa_params;
371
372	if (load != NULL)
373	gnutls_certificate_set_rsa_export_params(sc->certs,
374	load);
375
376
377	load = NULL;
378	if (sc->dh_params != NULL)
379	load = sc->dh_params;
380	else if (dh_params)
381	load = dh_params;
382
383	if (load != NULL) { /* not needed but anyway */
384	gnutls_certificate_set_dh_params(sc->certs, load);
385	gnutls_anon_set_server_dh_params(sc->anon_creds,
386	load);
387	}
388
389	gnutls_certificate_server_set_retrieve_function(sc->certs,
390	cert_retrieve_fn);
391
392	#ifdef ENABLE_SRP
393	if (sc->srp_tpasswd_conf_file != NULL
394	&& sc->srp_tpasswd_file != NULL) {
395	rv = gnutls_srp_set_server_credentials_file
396	(sc->srp_creds, sc->srp_tpasswd_file,
397	sc->srp_tpasswd_conf_file);
398
399	if (rv < 0 && sc->enabled == GNUTLS_ENABLED_TRUE) {
400	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0,
401	s,
402	"[GnuTLS] - Host '%s:%d' is missing a "
403	"SRP password or conf File!",
404	s->server_hostname, s->port);
405	exit(-1);
406	}
407	}
408	#endif
409
410	if (sc->certs_x509[0] == NULL &&
411	sc->cert_pgp == NULL &&
412	sc->enabled == GNUTLS_ENABLED_TRUE) {
413	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
414	"[GnuTLS] - Host '%s:%d' is missing a "
415	"Certificate File!",
416	s->server_hostname, s->port);
417	exit(-1);
418	}
419
420	if (sc->enabled == GNUTLS_ENABLED_TRUE &&
421	((sc->certs_x509[0] != NULL
422	&& sc->privkey_x509 == NULL) \|\| (sc->cert_pgp != NULL
423	&& sc->privkey_pgp
424	== NULL))) {
425	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
426	"[GnuTLS] - Host '%s:%d' is missing a "
427	"Private Key File!",
428	s->server_hostname, s->port);
429	exit(-1);
430	}
431
432	if (sc->enabled == GNUTLS_ENABLED_TRUE) {
433	rv = read_crt_cn(s, p, sc->certs_x509[0],
434	&sc->cert_cn);
435	if (rv < 0 && sc->cert_pgp != NULL) /* try openpgp certificate */
436	rv = read_pgpcrt_cn(s, p, sc->cert_pgp,
437	&sc->cert_cn);
438
439	if (rv < 0) {
440	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0,
441	s,
442	"[GnuTLS] - Cannot find a certificate for host '%s:%d'!",
443	s->server_hostname, s->port);
444	sc->cert_cn = NULL;
445	continue;
446	}
447	}
448	}
449
450
451	ap_add_version_component(p, "mod_gnutls/" MOD_GNUTLS_VERSION);
452
453	return OK;
454	}
455
456	void mgs_hook_child_init(apr_pool_t * p, server_rec * s) {
457	apr_status_t rv = APR_SUCCESS;
458	mgs_srvconf_rec *sc = ap_get_module_config(s->module_config,
459	&gnutls_module);
460
461	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
462	if (sc->cache_type != mgs_cache_none) {
463	rv = mgs_cache_child_init(p, s, sc);
464	if (rv != APR_SUCCESS) {
465	ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
466	"[GnuTLS] - Failed to run Cache Init");
467	}
468	}
469	}
470
471	const char mgs_hook_http_scheme(const request_rec r) {
472	mgs_srvconf_rec *sc;
473
474	if (r == NULL)
475	return NULL;
476
477	sc = (mgs_srvconf_rec *) ap_get_module_config(r->
478	server->module_config,
479	&gnutls_module);
480
481	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
482	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
483	return NULL;
484	}
485
486	return "https";
487	}
488
489	apr_port_t mgs_hook_default_port(const request_rec * r) {
490	mgs_srvconf_rec *sc;
491
492	if (r == NULL)
493	return 0;
494
495	sc = (mgs_srvconf_rec *) ap_get_module_config(r->
496	server->module_config,
497	&gnutls_module);
498
499	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
500	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
501	return 0;
502	}
503
504	return 443;
505	}
506
507	#define MAX_HOST_LEN 255
508
509	#if USING_2_1_RECENT
510
511	typedef struct {
512	mgs_handle_t *ctxt;
513	mgs_srvconf_rec *sc;
514	const char *sni_name;
515	} vhost_cb_rec;
516
517	static int vhost_cb(void baton, conn_rec conn, server_rec * s) {
518	mgs_srvconf_rec *tsc;
519	vhost_cb_rec *x = baton;
520
521	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
522	tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
523	&gnutls_module);
524
525	if (tsc->enabled != GNUTLS_ENABLED_TRUE \|\| tsc->cert_cn == NULL) {
526	return 0;
527	}
528
529	/* The CN can contain a * -- this will match those too. */
530	if (ap_strcasecmp_match(x->sni_name, tsc->cert_cn) == 0) {
531	/* found a match */
532	#if MOD_GNUTLS_DEBUG
533	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
534	x->ctxt->c->base_server,
535	"GnuTLS: Virtual Host CB: "
536	"'%s' == '%s'", tsc->cert_cn, x->sni_name);
537	#endif
538	/* Because we actually change the server used here, we need to reset
539	* things like ClientVerify.
540	*/
541	x->sc = tsc;
542	/* Shit. Crap. Dammit. We really should rehandshake here, as our
543	* certificate structure should change when the server changes.
544	* acccckkkkkk.
545	*/
546	return 1;
547	} else {
548	#if MOD_GNUTLS_DEBUG
549	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
550	x->ctxt->c->base_server,
551	"GnuTLS: Virtual Host CB: "
552	"'%s' != '%s'", tsc->cert_cn, x->sni_name);
553	#endif
554
555	}
556	return 0;
557	}
558	#endif
559
560	mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session) {
561	int rv;
562	unsigned int sni_type;
563	size_t data_len = MAX_HOST_LEN;
564	char sni_name[MAX_HOST_LEN];
565	mgs_handle_t *ctxt;
566	#if USING_2_1_RECENT
567	vhost_cb_rec cbx;
568	#else
569	server_rec *s;
570	mgs_srvconf_rec *tsc;
571	#endif
572
573	if (session == NULL)
574	return NULL;
575
576	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
577	ctxt = gnutls_transport_get_ptr(session);
578
579	rv = gnutls_server_name_get(ctxt->session, sni_name,
580	&data_len, &sni_type, 0);
581
582	if (rv != 0) {
583	return NULL;
584	}
585
586	if (sni_type != GNUTLS_NAME_DNS) {
587	ap_log_error(APLOG_MARK, APLOG_CRIT, 0,
588	ctxt->c->base_server,
589	"GnuTLS: Unknown type '%d' for SNI: "
590	"'%s'", sni_type, sni_name);
591	return NULL;
592	}
593
594	/**
595	* Code in the Core already sets up the c->base_server as the base
596	* for this IP/Port combo. Trust that the core did the 'right' thing.
597	*/
598	#if USING_2_1_RECENT
599	cbx.ctxt = ctxt;
600	cbx.sc = NULL;
601	cbx.sni_name = sni_name;
602
603	rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
604	if (rv == 1) {
605	return cbx.sc;
606	}
607	#else
608	for (s = ap_server_conf; s; s = s->next) {
609
610	tsc =
611	(mgs_srvconf_rec *)
612	ap_get_module_config(s->module_config, &gnutls_module);
613	if (tsc->enabled != GNUTLS_ENABLED_TRUE) {
614	continue;
615	}
616	#if MOD_GNUTLS_DEBUG
617	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
618	ctxt->c->base_server,
619	"GnuTLS: sni-x509 cn: %s/%d pk: %s s: 0x%08X s->n: 0x%08X sc: 0x%08X",
620	tsc->cert_cn, rv,
621	gnutls_pk_algorithm_get_name
622	(gnutls_x509_privkey_get_pk_algorithm
623	(ctxt->sc->privkey_x509)), (unsigned int) s,
624	(unsigned int) s->next, (unsigned int) tsc);
625	#endif
626	/* The CN can contain a * -- this will match those too. */
627	if (ap_strcasecmp_match(sni_name, tsc->cert_cn) == 0) {
628	#if MOD_GNUTLS_DEBUG
629	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
630	ctxt->c->base_server,
631	"GnuTLS: Virtual Host: "
632	"'%s' == '%s'", tsc->cert_cn,
633	sni_name);
634	#endif
635	return tsc;
636	}
637	}
638	#endif
639	return NULL;
640	}
641
642
643	static const int protocol_priority[] = {
644	GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
645	};
646
647	static mgs_handle_t create_gnutls_handle(apr_pool_t pool, conn_rec * c) {
648	mgs_handle_t *ctxt;
649	/* Get mod_gnutls Configuration Record */
650	mgs_srvconf_rec sc =(mgs_srvconf_rec )
651	ap_get_module_config(c->base_server->module_config,&gnutls_module);
652
653	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
654	ctxt = apr_pcalloc(pool, sizeof (*ctxt));
655	ctxt->c = c;
656	ctxt->sc = sc;
657	ctxt->status = 0;
658	ctxt->input_rc = APR_SUCCESS;
659	ctxt->input_bb = apr_brigade_create(c->pool, c->bucket_alloc);
660	ctxt->input_cbuf.length = 0;
661	ctxt->output_rc = APR_SUCCESS;
662	ctxt->output_bb = apr_brigade_create(c->pool, c->bucket_alloc);
663	ctxt->output_blen = 0;
664	ctxt->output_length = 0;
665	/* Initialize GnuTLS Library */
666	gnutls_init(&ctxt->session, GNUTLS_SERVER);
667	/* Initialize Session Tickets */
668	if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0) {
669	gnutls_session_ticket_enable_server(ctxt->session,&session_ticket_key);
670	}
671
672	/* Set Default Priority */
673	gnutls_set_default_priority(ctxt->session);
674	/* Set Handshake function */
675	gnutls_handshake_set_post_client_hello_function(ctxt->session,
676	mgs_select_virtual_server_cb);
677	/* Initialize Session Cache */
678	mgs_cache_session_init(ctxt);
679	/* Return GnuTLS Handle */
680	return ctxt;
681	}
682
683	int mgs_hook_pre_connection(conn_rec * c, void *csd) {
684	mgs_handle_t *ctxt;
685	mgs_srvconf_rec *sc;
686
687	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
688
689	if (c == NULL) {
690	return DECLINED;
691	}
692
693	sc = (mgs_srvconf_rec *) ap_get_module_config(c->base_server->
694	module_config,
695	&gnutls_module);
696
697	if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) {
698	return DECLINED;
699	}
700
701	if (c->remote_addr->hostname \|\| apr_strnatcmp(c->remote_ip, c->local_ip) == 0) {
702	/* Connection initiated by Apache (mod_proxy) => ignore */
703	return OK;
704	}
705
706	ctxt = create_gnutls_handle(c->pool, c);
707
708	ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
709
710	gnutls_transport_set_pull_function(ctxt->session,
711	mgs_transport_read);
712	gnutls_transport_set_push_function(ctxt->session,
713	mgs_transport_write);
714	gnutls_transport_set_ptr(ctxt->session, ctxt);
715
716	ctxt->input_filter =
717	ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, ctxt, NULL, c);
718	ctxt->output_filter =
719	ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, ctxt, NULL, c);
720
721	return OK;
722	}
723
724	int mgs_hook_fixups(request_rec * r) {
725	unsigned char sbuf[GNUTLS_MAX_SESSION_ID];
726	char buf[AP_IOBUFSIZE];
727	const char *tmp;
728	size_t len;
729	mgs_handle_t *ctxt;
730	int rv = OK;
731
732	if (r == NULL)
733	return DECLINED;
734
735	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
736	apr_table_t *env = r->subprocess_env;
737
738	ctxt =
739	ap_get_module_config(r->connection->conn_config,
740	&gnutls_module);
741
742	if (!ctxt \|\| ctxt->session == NULL) {
743	return DECLINED;
744	}
745
746	apr_table_setn(env, "HTTPS", "on");
747
748	apr_table_setn(env, "SSL_VERSION_LIBRARY",
749	"GnuTLS/" LIBGNUTLS_VERSION);
750	apr_table_setn(env, "SSL_VERSION_INTERFACE",
751	"mod_gnutls/" MOD_GNUTLS_VERSION);
752
753	apr_table_setn(env, "SSL_PROTOCOL",
754	gnutls_protocol_get_name(gnutls_protocol_get_version
755	(ctxt->session)));
756
757	/* should have been called SSL_CIPHERSUITE instead */
758	apr_table_setn(env, "SSL_CIPHER",
759	gnutls_cipher_suite_get_name(gnutls_kx_get
760	(ctxt->session),
761	gnutls_cipher_get
762	(ctxt->session),
763	gnutls_mac_get
764	(ctxt->session)));
765
766	apr_table_setn(env, "SSL_COMPRESS_METHOD",
767	gnutls_compression_get_name(gnutls_compression_get
768	(ctxt->session)));
769
770	#ifdef ENABLE_SRP
771	tmp = gnutls_srp_server_get_username(ctxt->session);
772	apr_table_setn(env, "SSL_SRP_USER", (tmp != NULL) ? tmp : "");
773	#endif
774
775	if (apr_table_get(env, "SSL_CLIENT_VERIFY") == NULL)
776	apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE");
777
778	unsigned int key_size =
779	8 *
780	gnutls_cipher_get_key_size(gnutls_cipher_get(ctxt->session));
781	tmp = apr_psprintf(r->pool, "%u", key_size);
782
783	apr_table_setn(env, "SSL_CIPHER_USEKEYSIZE", tmp);
784
785	apr_table_setn(env, "SSL_CIPHER_ALGKEYSIZE", tmp);
786
787	apr_table_setn(env, "SSL_CIPHER_EXPORT",
788	(key_size <= 40) ? "true" : "false");
789
790	len = sizeof (sbuf);
791	gnutls_session_get_id(ctxt->session, sbuf, &len);
792	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof (buf));
793	apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp));
794
795	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
796	mgs_add_common_cert_vars(r, ctxt->sc->certs_x509[0], 0,
797	ctxt->
798	sc->export_certificates_enabled);
799	else if (gnutls_certificate_type_get(ctxt->session) ==
800	GNUTLS_CRT_OPENPGP)
801	mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0,
802	ctxt->
803	sc->export_certificates_enabled);
804
805	return rv;
806	}
807
808	int mgs_hook_authz(request_rec * r) {
809	int rv;
810	mgs_handle_t *ctxt;
811	mgs_dirconf_rec *dc;
812
813	if (r == NULL)
814	return DECLINED;
815
816	dc = ap_get_module_config(r->per_dir_config, &gnutls_module);
817
818	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
819	ctxt =
820	ap_get_module_config(r->connection->conn_config,
821	&gnutls_module);
822
823	if (!ctxt \|\| ctxt->session == NULL) {
824	return DECLINED;
825	}
826
827	if (dc->client_verify_mode == GNUTLS_CERT_IGNORE) {
828	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
829	"GnuTLS: Directory set to Ignore Client Certificate!");
830	} else {
831	if (ctxt->sc->client_verify_mode < dc->client_verify_mode) {
832	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
833	"GnuTLS: Attempting to rehandshake with peer. %d %d",
834	ctxt->sc->client_verify_mode,
835	dc->client_verify_mode);
836
837	/* If we already have a client certificate, there's no point in
838	* re-handshaking... */
839	rv = mgs_cert_verify(r, ctxt);
840	if (rv != DECLINED && rv != HTTP_FORBIDDEN)
841	return rv;
842
843	gnutls_certificate_server_set_request
844	(ctxt->session, dc->client_verify_mode);
845
846	if (mgs_rehandshake(ctxt) != 0) {
847	return HTTP_FORBIDDEN;
848	}
849	} else if (ctxt->sc->client_verify_mode ==
850	GNUTLS_CERT_IGNORE) {
851	#if MOD_GNUTLS_DEBUG
852	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
853	"GnuTLS: Peer is set to IGNORE");
854	#endif
855	return DECLINED;
856	}
857	rv = mgs_cert_verify(r, ctxt);
858	if (rv != DECLINED &&
859	(rv != HTTP_FORBIDDEN \|\|
860	dc->client_verify_mode == GNUTLS_CERT_REQUIRE)) {
861	return rv;
862	}
863	}
864
865	return DECLINED;
866	}
867
868	/* variables that are not sent by default:
869	*
870	* SSL_CLIENT_CERT string PEM-encoded client certificate
871	* SSL_SERVER_CERT string PEM-encoded client certificate
872	*/
873
874	/* side is either 0 for SERVER or 1 for CLIENT
875	*/
876	#define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT")
877
878	static void
879	mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side,
880	int export_certificates_enabled) {
881	unsigned char sbuf[64]; /* buffer to hold serials */
882	char buf[AP_IOBUFSIZE];
883	const char *tmp;
884	char *tmp2;
885	size_t len;
886	int ret, i;
887
888	if (r == NULL)
889	return;
890
891	apr_table_t *env = r->subprocess_env;
892
893	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
894	if (export_certificates_enabled != 0) {
895	char cert_buf[10 * 1024];
896	len = sizeof (cert_buf);
897
898	if (gnutls_x509_crt_export
899	(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
900	apr_table_setn(env,
901	apr_pstrcat(r->pool, MGS_SIDE,
902	"_CERT", NULL),
903	apr_pstrmemdup(r->pool, cert_buf,
904	len));
905
906	}
907
908	len = sizeof (buf);
909	gnutls_x509_crt_get_dn(cert, buf, &len);
910	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_S_DN", NULL),
911	apr_pstrmemdup(r->pool, buf, len));
912
913	len = sizeof (buf);
914	gnutls_x509_crt_get_issuer_dn(cert, buf, &len);
915	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_I_DN", NULL),
916	apr_pstrmemdup(r->pool, buf, len));
917
918	len = sizeof (sbuf);
919	gnutls_x509_crt_get_serial(cert, sbuf, &len);
920	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof (buf));
921	apr_table_setn(env,
922	apr_pstrcat(r->pool, MGS_SIDE, "_M_SERIAL", NULL),
923	apr_pstrdup(r->pool, tmp));
924
925	ret = gnutls_x509_crt_get_version(cert);
926	if (ret > 0)
927	apr_table_setn(env,
928	apr_pstrcat(r->pool, MGS_SIDE, "_M_VERSION",
929	NULL), apr_psprintf(r->pool,
930	"%u", ret));
931
932	apr_table_setn(env,
933	apr_pstrcat(r->pool, MGS_SIDE, "_CERT_TYPE", NULL),
934	"X.509");
935
936	tmp =
937	mgs_time2sz(gnutls_x509_crt_get_expiration_time
938	(cert), buf, sizeof (buf));
939	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_END", NULL),
940	apr_pstrdup(r->pool, tmp));
941
942	tmp =
943	mgs_time2sz(gnutls_x509_crt_get_activation_time
944	(cert), buf, sizeof (buf));
945	apr_table_setn(env,
946	apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL),
947	apr_pstrdup(r->pool, tmp));
948
949	ret = gnutls_x509_crt_get_signature_algorithm(cert);
950	if (ret >= 0) {
951	apr_table_setn(env,
952	apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG",
953	NULL),
954	gnutls_sign_algorithm_get_name(ret));
955	}
956
957	ret = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
958	if (ret >= 0) {
959	apr_table_setn(env,
960	apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY",
961	NULL),
962	gnutls_pk_algorithm_get_name(ret));
963	}
964
965	/* export all the alternative names (DNS, RFC822 and URI) */
966	for (i = 0; !(ret < 0); i++) {
967	len = 0;
968	ret = gnutls_x509_crt_get_subject_alt_name(cert, i,
969	NULL, &len,
970	NULL);
971
972	if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER && len > 1) {
973	tmp2 = apr_palloc(r->pool, len + 1);
974
975	ret =
976	gnutls_x509_crt_get_subject_alt_name(cert, i,
977	tmp2,
978	&len,
979	NULL);
980	tmp2[len] = 0;
981
982	if (ret == GNUTLS_SAN_DNSNAME) {
983	apr_table_setn(env,
984	apr_psprintf(r->pool,
985	"%s_S_AN%u",
986	MGS_SIDE, i),
987	apr_psprintf(r->pool,
988	"DNSNAME:%s",
989	tmp2));
990	} else if (ret == GNUTLS_SAN_RFC822NAME) {
991	apr_table_setn(env,
992	apr_psprintf(r->pool,
993	"%s_S_AN%u",
994	MGS_SIDE, i),
995	apr_psprintf(r->pool,
996	"RFC822NAME:%s",
997	tmp2));
998	} else if (ret == GNUTLS_SAN_URI) {
999	apr_table_setn(env,
1000	apr_psprintf(r->pool,
1001	"%s_S_AN%u",
1002	MGS_SIDE, i),
1003	apr_psprintf(r->pool,
1004	"URI:%s",
1005	tmp2));
1006	} else {
1007	apr_table_setn(env,
1008	apr_psprintf(r->pool,
1009	"%s_S_AN%u",
1010	MGS_SIDE, i),
1011	"UNSUPPORTED");
1012	}
1013	}
1014	}
1015	}
1016
1017	static void
1018	mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert,
1019	int side, int export_certificates_enabled) {
1020	unsigned char sbuf[64]; /* buffer to hold serials */
1021	char buf[AP_IOBUFSIZE];
1022	const char *tmp;
1023	size_t len;
1024	int ret;
1025
1026	if (r == NULL)
1027	return;
1028
1029	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
1030	apr_table_t *env = r->subprocess_env;
1031
1032	if (export_certificates_enabled != 0) {
1033	char cert_buf[10 * 1024];
1034	len = sizeof (cert_buf);
1035
1036	if (gnutls_openpgp_crt_export
1037	(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0)
1038	apr_table_setn(env,
1039	apr_pstrcat(r->pool, MGS_SIDE,
1040	"_CERT", NULL),
1041	apr_pstrmemdup(r->pool, cert_buf,
1042	len));
1043
1044	}
1045
1046	len = sizeof (buf);
1047	gnutls_openpgp_crt_get_name(cert, 0, buf, &len);
1048	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_NAME", NULL),
1049	apr_pstrmemdup(r->pool, buf, len));
1050
1051	len = sizeof (sbuf);
1052	gnutls_openpgp_crt_get_fingerprint(cert, sbuf, &len);
1053	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof (buf));
1054	apr_table_setn(env,
1055	apr_pstrcat(r->pool, MGS_SIDE, "_FINGERPRINT",
1056	NULL), apr_pstrdup(r->pool, tmp));
1057
1058	ret = gnutls_openpgp_crt_get_version(cert);
1059	if (ret > 0)
1060	apr_table_setn(env,
1061	apr_pstrcat(r->pool, MGS_SIDE, "_M_VERSION",
1062	NULL), apr_psprintf(r->pool,
1063	"%u", ret));
1064
1065	apr_table_setn(env,
1066	apr_pstrcat(r->pool, MGS_SIDE, "_CERT_TYPE", NULL),
1067	"OPENPGP");
1068
1069	tmp =
1070	mgs_time2sz(gnutls_openpgp_crt_get_expiration_time
1071	(cert), buf, sizeof (buf));
1072	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_END", NULL),
1073	apr_pstrdup(r->pool, tmp));
1074
1075	tmp =
1076	mgs_time2sz(gnutls_openpgp_crt_get_creation_time
1077	(cert), buf, sizeof (buf));
1078	apr_table_setn(env,
1079	apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL),
1080	apr_pstrdup(r->pool, tmp));
1081
1082	ret = gnutls_openpgp_crt_get_pk_algorithm(cert, NULL);
1083	if (ret >= 0) {
1084	apr_table_setn(env,
1085	apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY",
1086	NULL),
1087	gnutls_pk_algorithm_get_name(ret));
1088	}
1089
1090	}
1091
1092	/* TODO: Allow client sending a X.509 certificate chain */
1093	static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) {
1094	const gnutls_datum_t *cert_list;
1095	unsigned int cert_list_size, status;
1096	int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret;
1097	unsigned int ch_size = 0;
1098
1099	union {
1100	gnutls_x509_crt_t x509[MAX_CHAIN_SIZE];
1101	gnutls_openpgp_crt_t pgp;
1102	} cert;
1103	apr_time_t expiration_time, cur_time;
1104
1105	if (r == NULL \|\| ctxt == NULL \|\| ctxt->session == NULL)
1106	return HTTP_FORBIDDEN;
1107
1108	_gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
1109	cert_list =
1110	gnutls_certificate_get_peers(ctxt->session, &cert_list_size);
1111
1112	if (cert_list == NULL \|\| cert_list_size == 0) {
1113	/* It is perfectly OK for a client not to send a certificate if on REQUEST mode
1114	*/
1115	if (ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUEST)
1116	return OK;
1117
1118	/* no certificate provided by the client, but one was required. */
1119	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1120	"GnuTLS: Failed to Verify Peer: "
1121	"Client did not submit a certificate");
1122	return HTTP_FORBIDDEN;
1123	}
1124
1125	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
1126	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
1127	"GnuTLS: A Chain of %d certificate(s) was provided for validation",
1128	cert_list_size);
1129
1130	for (ch_size = 0; ch_size < cert_list_size; ch_size++) {
1131	gnutls_x509_crt_init(&cert.x509[ch_size]);
1132	rv = gnutls_x509_crt_import(cert.x509[ch_size],
1133	&cert_list[ch_size],
1134	GNUTLS_X509_FMT_DER);
1135	// When failure to import, leave the loop
1136	if (rv != GNUTLS_E_SUCCESS) {
1137	if (ch_size < 1) {
1138	ap_log_rerror(APLOG_MARK,
1139	APLOG_INFO, 0, r,
1140	"GnuTLS: Failed to Verify Peer: "
1141	"Failed to import peer certificates.");
1142	ret = HTTP_FORBIDDEN;
1143	goto exit;
1144	}
1145	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1146	"GnuTLS: Failed to import some peer certificates. Using %d certificates",
1147	ch_size);
1148	rv = GNUTLS_E_SUCCESS;
1149	break;
1150	}
1151	}
1152	} else if (gnutls_certificate_type_get(ctxt->session) ==
1153	GNUTLS_CRT_OPENPGP) {
1154	if (cert_list_size > 1) {
1155	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1156	"GnuTLS: Failed to Verify Peer: "
1157	"Chained Client Certificates are not supported.");
1158	return HTTP_FORBIDDEN;
1159	}
1160
1161	gnutls_openpgp_crt_init(&cert.pgp);
1162	rv = gnutls_openpgp_crt_import(cert.pgp, &cert_list[0],
1163	GNUTLS_OPENPGP_FMT_RAW);
1164
1165	} else
1166	return HTTP_FORBIDDEN;
1167
1168	if (rv < 0) {
1169	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1170	"GnuTLS: Failed to Verify Peer: "
1171	"Failed to import peer certificates.");
1172	ret = HTTP_FORBIDDEN;
1173	goto exit;
1174	}
1175
1176	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
1177	apr_time_ansi_put(&expiration_time,
1178	gnutls_x509_crt_get_expiration_time
1179	(cert.x509[0]));
1180
1181	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
1182	"GnuTLS: Verifying list of %d certificate(s)",
1183	ch_size);
1184	rv = gnutls_x509_crt_list_verify(cert.x509, ch_size,
1185	ctxt->sc->ca_list,
1186	ctxt->sc->ca_list_size,
1187	NULL, 0, 0, &status);
1188	} else {
1189	apr_time_ansi_put(&expiration_time,
1190	gnutls_openpgp_crt_get_expiration_time
1191	(cert.pgp));
1192
1193	rv = gnutls_openpgp_crt_verify_ring(cert.pgp,
1194	ctxt->sc->pgp_list, 0,
1195	&status);
1196	}
1197
1198	if (rv < 0) {
1199	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1200	"GnuTLS: Failed to Verify Peer certificate: (%d) %s",
1201	rv, gnutls_strerror(rv));
1202	if (rv == GNUTLS_E_NO_CERTIFICATE_FOUND)
1203	ap_log_rerror(APLOG_MARK, APLOG_EMERG, 0, r,
1204	"GnuTLS: No certificate was found for verification. Did you set the GnuTLSX509CAFile or GnuTLSPGPKeyringFile directives?");
1205	ret = HTTP_FORBIDDEN;
1206	goto exit;
1207	}
1208
1209	/* TODO: X509 CRL Verification. */
1210	/* May add later if anyone needs it.
1211	*/
1212	/* ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); */
1213
1214	cur_time = apr_time_now();
1215
1216	if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
1217	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1218	"GnuTLS: Could not find Signer for Peer Certificate");
1219	}
1220
1221	if (status & GNUTLS_CERT_SIGNER_NOT_CA) {
1222	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1223	"GnuTLS: Peer's Certificate signer is not a CA");
1224	}
1225
1226	if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
1227	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1228	"GnuTLS: Peer's Certificate is using insecure algorithms");
1229	}
1230
1231	if (status & GNUTLS_CERT_EXPIRED
1232	\|\| status & GNUTLS_CERT_NOT_ACTIVATED) {
1233	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1234	"GnuTLS: Peer's Certificate signer is expired or not yet activated");
1235	}
1236
1237	if (status & GNUTLS_CERT_INVALID) {
1238	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1239	"GnuTLS: Peer Certificate is invalid.");
1240	} else if (status & GNUTLS_CERT_REVOKED) {
1241	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1242	"GnuTLS: Peer Certificate is revoked.");
1243	}
1244
1245	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
1246	mgs_add_common_cert_vars(r, cert.x509[0], 1,
1247	ctxt->
1248	sc->export_certificates_enabled);
1249	else if (gnutls_certificate_type_get(ctxt->session) ==
1250	GNUTLS_CRT_OPENPGP)
1251	mgs_add_common_pgpcert_vars(r, cert.pgp, 1,
1252	ctxt->
1253	sc->export_certificates_enabled);
1254
1255	{
1256	/* days remaining */
1257	unsigned long remain =
1258	(apr_time_sec(expiration_time) -
1259	apr_time_sec(cur_time)) / 86400;
1260	apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN",
1261	apr_psprintf(r->pool, "%lu", remain));
1262	}
1263
1264	if (status == 0) {
1265	apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY",
1266	"SUCCESS");
1267	ret = OK;
1268	} else {
1269	apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY",
1270	"FAILED");
1271	if (ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUEST)
1272	ret = OK;
1273	else
1274	ret = HTTP_FORBIDDEN;
1275	}
1276
1277	exit:
1278	if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
1279	int i;
1280	for (i = 0; i < ch_size; i++) {
1281	gnutls_x509_crt_deinit(cert.x509[i]);
1282	}
1283	} else if (gnutls_certificate_type_get(ctxt->session) ==
1284	GNUTLS_CRT_OPENPGP)
1285	gnutls_openpgp_crt_deinit(cert.pgp);
1286	return ret;
1287
1288
1289	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: