Context Navigation

source: mod_gnutls/src/gnutls_hooks.c @ f548f15

Visit:

asynciodebian/masterdebian/stretch-backportsjessie-backportsmainmsvaproxy-ticketupstream

Last change on this file since f548f15 was f548f15, checked in by Nokis Mavrogiannopoulos <nmav@…>, 15 years ago
prepare for an alpha release
Property mode set to `100644`
File size: 32.7 KB

Line
1	/**
2	* Copyright 2004-2005 Paul Querna
3	* Copyright 2007 Nikos Mavrogiannopoulos
4	*
5	* Licensed under the Apache License, Version 2.0 (the "License");
6	* you may not use this file except in compliance with the License.
7	* You may obtain a copy of the License at
8	*
9	* http://www.apache.org/licenses/LICENSE-2.0
10	*
11	* Unless required by applicable law or agreed to in writing, software
12	* distributed under the License is distributed on an "AS IS" BASIS,
13	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14	* See the License for the specific language governing permissions and
15	* limitations under the License.
16	*
17	*/
18
19	#include "mod_gnutls.h"
20	#include "http_vhost.h"
21	#include "ap_mpm.h"
22
23	#if !USING_2_1_RECENT
24	extern server_rec *ap_server_conf;
25	#endif
26
27	#if APR_HAS_THREADS
28	GCRY_THREAD_OPTION_PTHREAD_IMPL;
29	#endif
30
31	#if MOD_GNUTLS_DEBUG
32	static apr_file_t *debug_log_fp;
33	#endif
34
35	static int mpm_is_threaded;
36
37	static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
38	/* use side==0 for server and side==1 for client */
39	static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert,
40	int side,
41	int export_certificates_enabled);
42	static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert,
43	int side,
44	int export_certificates_enabled);
45
46	static apr_status_t mgs_cleanup_pre_config(void *data)
47	{
48	gnutls_global_deinit();
49	return APR_SUCCESS;
50	}
51
52	#if MOD_GNUTLS_DEBUG
53	static void gnutls_debug_log_all(int level, const char *str)
54	{
55	apr_file_printf(debug_log_fp, "<%d> %s\n", level, str);
56	}
57	#endif
58
59	int
60	mgs_hook_pre_config(apr_pool_t * pconf,
61	apr_pool_t * plog, apr_pool_t * ptemp)
62	{
63	int ret;
64
65	#if APR_HAS_THREADS
66	ap_mpm_query(AP_MPMQ_IS_THREADED, &mpm_is_threaded);
67	if (mpm_is_threaded) {
68	gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
69	}
70	#else
71	mpm_is_threaded = 0;
72	#endif
73
74	if (gnutls_check_version(LIBGNUTLS_VERSION)==NULL) {
75	fprintf(stderr, "gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n",
76	LIBGNUTLS_VERSION, gnutls_check_version(NULL));
77	return -3;
78	}
79
80	ret = gnutls_global_init();
81	if (ret < 0) {
82	fprintf(stderr, "gnutls_global_init: %s\n", gnutls_strerror(ret));
83	return -3;
84	}
85
86	ret = gnutls_global_init_extra();
87	if (ret < 0) {
88	fprintf(stderr, "gnutls_global_init_extra: %s\n", gnutls_strerror(ret));
89	return -3;
90	}
91
92	apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config,
93	apr_pool_cleanup_null);
94
95	#if MOD_GNUTLS_DEBUG
96	apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
97	APR_APPEND \| APR_WRITE \| APR_CREATE, APR_OS_DEFAULT,
98	pconf);
99
100	gnutls_global_set_log_level(9);
101	gnutls_global_set_log_function(gnutls_debug_log_all);
102	apr_file_printf(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL));
103	#endif
104
105	return OK;
106	}
107
108	static int mgs_select_virtual_server_cb(gnutls_session_t session)
109	{
110	mgs_handle_t *ctxt;
111	mgs_srvconf_rec *tsc;
112	int ret;
113	int cprio[2];
114
115	ctxt = gnutls_transport_get_ptr(session);
116
117	/* find the virtual server */
118	tsc = mgs_find_sni_server(session);
119
120	if (tsc != NULL)
121	ctxt->sc = tsc;
122
123	gnutls_certificate_server_set_request(session,
124	ctxt->sc->client_verify_mode);
125
126	/* set the new server credentials
127	*/
128
129	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
130	ctxt->sc->certs);
131
132	gnutls_credentials_set(session, GNUTLS_CRD_ANON, ctxt->sc->anon_creds);
133
134	if (ctxt->sc->srp_tpasswd_conf_file != NULL
135	&& ctxt->sc->srp_tpasswd_file != NULL) {
136	gnutls_credentials_set(session, GNUTLS_CRD_SRP,
137	ctxt->sc->srp_creds);
138	}
139
140	/* update the priorities - to avoid negotiating a ciphersuite that is not
141	* enabled on this virtual server. Note that here we ignore the version
142	* negotiation.
143	*/
144	ret = gnutls_priority_set(session, ctxt->sc->priorities);
145	/* actually it shouldn't fail since we have checked at startup */
146	if (ret < 0)
147	return ret;
148
149	/* If both certificate types are not present disallow them from
150	* being negotiated.
151	*/
152	if (ctxt->sc->certs_x509[0] != NULL && ctxt->sc->cert_pgp == NULL) {
153	cprio[0] = GNUTLS_CRT_X509;
154	cprio[1] = 0;
155	gnutls_certificate_type_set_priority( session, cprio);
156	} else if (ctxt->sc->cert_pgp != NULL && ctxt->sc->certs_x509[0]==NULL) {
157	cprio[0] = GNUTLS_CRT_OPENPGP;
158	cprio[1] = 0;
159	gnutls_certificate_type_set_priority( session, cprio);
160	}
161
162	return 0;
163	}
164
165	static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st * ret)
166	{
167	mgs_handle_t *ctxt;
168
169	ctxt = gnutls_transport_get_ptr(session);
170
171	if (gnutls_certificate_type_get( session) == GNUTLS_CRT_X509) {
172	ret->type = GNUTLS_CRT_X509;
173	ret->ncerts = ctxt->sc->certs_x509_num;
174	ret->deinit_all = 0;
175
176	ret->cert.x509 = ctxt->sc->certs_x509;
177	ret->key.x509 = ctxt->sc->privkey_x509;
178
179	return 0;
180	} else if (gnutls_certificate_type_get( session) == GNUTLS_CRT_OPENPGP) {
181	ret->type = GNUTLS_CRT_OPENPGP;
182	ret->ncerts = 1;
183	ret->deinit_all = 0;
184
185	ret->cert.pgp = ctxt->sc->cert_pgp;
186	ret->key.pgp = ctxt->sc->privkey_pgp;
187
188	return 0;
189
190	}
191
192	return GNUTLS_E_INTERNAL_ERROR;
193	}
194
195	/* 2048-bit group parameters from SRP specification */
196	const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
197	"MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
198	"gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
199	"KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
200	"dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
201	"YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
202	"Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
203	"-----END DH PARAMETERS-----\n";
204
205	/* Read the common name or the alternative name of the certificate.
206	* We only support a single name per certificate.
207	*
208	* Returns negative on error.
209	*/
210	static int read_crt_cn(server_rec * s, apr_pool_t * p,
211	gnutls_x509_crt_t cert, char **cert_cn)
212	{
213	int rv = 0, i;
214	size_t data_len;
215
216
217	*cert_cn = NULL;
218
219	data_len = 0;
220	rv = gnutls_x509_crt_get_dn_by_oid(cert,
221	GNUTLS_OID_X520_COMMON_NAME,
222	0, 0, NULL, &data_len);
223
224	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
225	*cert_cn = apr_palloc(p, data_len);
226	rv = gnutls_x509_crt_get_dn_by_oid(cert,
227	GNUTLS_OID_X520_COMMON_NAME, 0,
228	0, *cert_cn, &data_len);
229	} else { /* No CN return subject alternative name */
230	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
231	"No common name found in certificate for '%s:%d'. Looking for subject alternative name...",
232	s->server_hostname, s->port);
233	rv = 0;
234	/* read subject alternative name */
235	for (i = 0; !(rv < 0); i++) {
236	data_len = 0;
237	rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
238	NULL, &data_len,
239	NULL);
240
241	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
242	/* FIXME: not very efficient. What if we have several alt names
243	* before DNSName?
244	*/
245	*cert_cn = apr_palloc(p, data_len + 1);
246
247	rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
248	*cert_cn,
249	&data_len, NULL);
250	(*cert_cn)[data_len] = 0;
251
252	if (rv == GNUTLS_SAN_DNSNAME)
253	break;
254	}
255	}
256	}
257
258	return rv;
259	}
260
261	static int read_pgpcrt_cn(server_rec * s, apr_pool_t * p,
262	gnutls_openpgp_crt_t cert, char **cert_cn)
263	{
264	int rv = 0;
265	size_t data_len;
266
267
268	*cert_cn = NULL;
269
270	data_len = 0;
271	rv = gnutls_openpgp_crt_get_name(cert, 0, NULL, &data_len);
272
273	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
274	*cert_cn = apr_palloc(p, data_len);
275	rv = gnutls_openpgp_crt_get_name(cert, 0, *cert_cn, &data_len);
276	} else { /* No CN return subject alternative name */
277	ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
278	"No name found in PGP certificate for '%s:%d'.",
279	s->server_hostname, s->port);
280	}
281
282	return rv;
283	}
284
285
286	int
287	mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
288	apr_pool_t * ptemp, server_rec * base_server)
289	{
290	int rv;
291	server_rec *s;
292	gnutls_dh_params_t dh_params = NULL;
293	gnutls_rsa_params_t rsa_params = NULL;
294	mgs_srvconf_rec *sc;
295	mgs_srvconf_rec *sc_base;
296	void *data = NULL;
297	int first_run = 0;
298	const char *userdata_key = "mgs_init";
299
300	apr_pool_userdata_get(&data, userdata_key, base_server->process->pool);
301	if (data == NULL) {
302	first_run = 1;
303	apr_pool_userdata_set((const void *) 1, userdata_key,
304	apr_pool_cleanup_null,
305	base_server->process->pool);
306	}
307
308
309	{
310	s = base_server;
311	sc_base =
312	(mgs_srvconf_rec *) ap_get_module_config(s->module_config,
313	&gnutls_module);
314
315	gnutls_dh_params_init(&dh_params);
316
317	if (sc_base->dh_params == NULL) {
318	gnutls_datum pdata = { (void *) static_dh_params, sizeof(static_dh_params) };
319	/* loading defaults */
320	rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
321	GNUTLS_X509_FMT_PEM);
322
323	if (rv < 0) {
324	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
325	"GnuTLS: Unable to load DH Params: (%d) %s",
326	rv, gnutls_strerror(rv));
327	exit(rv);
328	}
329	} else dh_params = sc_base->dh_params;
330
331	if (sc_base->rsa_params != NULL)
332	rsa_params = sc_base->rsa_params;
333
334	/* else not an error but RSA-EXPORT ciphersuites are not available
335	*/
336
337	rv = mgs_cache_post_config(p, s, sc_base);
338	if (rv != 0) {
339	ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
340	"GnuTLS: Post Config for GnuTLSCache Failed."
341	" Shutting Down.");
342	exit(-1);
343	}
344
345	for (s = base_server; s; s = s->next) {
346	void *load = NULL;
347	sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
348	&gnutls_module);
349	sc->cache_type = sc_base->cache_type;
350	sc->cache_config = sc_base->cache_config;
351
352	/* Check if the priorities have been set */
353	if (sc->priorities == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
354	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
355	"GnuTLS: Host '%s:%d' is missing the GnuTLSPriorities directive!",
356	s->server_hostname, s->port);
357	exit(-1);
358	}
359
360	/* Check if DH or RSA params have been set per host */
361	if (sc->rsa_params != NULL)
362	load = sc->rsa_params;
363	else if (rsa_params) load = rsa_params;
364
365	if (load != NULL)
366	gnutls_certificate_set_rsa_export_params(sc->certs, load);
367
368
369	load = NULL;
370	if (sc->dh_params != NULL)
371	load = sc->dh_params;
372	else if (dh_params) load = dh_params;
373
374	if (load != NULL) { /* not needed but anyway */
375	gnutls_certificate_set_dh_params(sc->certs, load);
376	gnutls_anon_set_server_dh_params(sc->anon_creds, load);
377	}
378
379	gnutls_certificate_server_set_retrieve_function(sc->certs,
380	cert_retrieve_fn);
381
382	if (sc->srp_tpasswd_conf_file != NULL
383	&& sc->srp_tpasswd_file != NULL) {
384	rv = gnutls_srp_set_server_credentials_file(sc->srp_creds,
385	sc->
386	srp_tpasswd_file,
387	sc->
388	srp_tpasswd_conf_file);
389
390	if (rv < 0 && sc->enabled == GNUTLS_ENABLED_TRUE) {
391	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
392	"[GnuTLS] - Host '%s:%d' is missing a "
393	"SRP password or conf File!",
394	s->server_hostname, s->port);
395	exit(-1);
396	}
397	}
398
399	if (sc->certs_x509[0] == NULL
400	&& sc->enabled == GNUTLS_ENABLED_TRUE) {
401	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
402	"[GnuTLS] - Host '%s:%d' is missing a "
403	"Certificate File!", s->server_hostname,
404	s->port);
405	exit(-1);
406	}
407
408	if (sc->privkey_x509 == NULL
409	&& sc->enabled == GNUTLS_ENABLED_TRUE) {
410	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
411	"[GnuTLS] - Host '%s:%d' is missing a "
412	"Private Key File!",
413	s->server_hostname, s->port);
414	exit(-1);
415	}
416
417	if (sc->enabled == GNUTLS_ENABLED_TRUE) {
418	rv = read_crt_cn(s, p, sc->certs_x509[0], &sc->cert_cn);
419	if (rv < 0 && sc->cert_pgp != NULL) /* try openpgp certificate */
420	rv = read_pgpcrt_cn(s, p, sc->cert_pgp, &sc->cert_cn);
421
422	if (rv < 0) {
423	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
424	"[GnuTLS] - Cannot find a certificate for host '%s:%d'!",
425	s->server_hostname, s->port);
426	sc->cert_cn = NULL;
427	continue;
428	}
429	}
430	}
431	}
432
433	ap_add_version_component(p, "mod_gnutls/" MOD_GNUTLS_VERSION);
434
435	return OK;
436	}
437
438	void mgs_hook_child_init(apr_pool_t * p, server_rec * s)
439	{
440	apr_status_t rv = APR_SUCCESS;
441	mgs_srvconf_rec *sc = ap_get_module_config(s->module_config,
442	&gnutls_module);
443
444	if (sc->cache_type != mgs_cache_none) {
445	rv = mgs_cache_child_init(p, s, sc);
446	if (rv != APR_SUCCESS) {
447	ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
448	"[GnuTLS] - Failed to run Cache Init");
449	}
450	} else {
451	ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s,
452	"[GnuTLS] - No Cache Configured. Hint: GnuTLSCache");
453	}
454	}
455
456	const char mgs_hook_http_scheme(const request_rec r)
457	{
458	mgs_srvconf_rec *sc =
459	(mgs_srvconf_rec *) ap_get_module_config(r->server->module_config,
460	&gnutls_module);
461
462	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
463	return NULL;
464	}
465
466	return "https";
467	}
468
469	apr_port_t mgs_hook_default_port(const request_rec * r)
470	{
471	mgs_srvconf_rec *sc =
472	(mgs_srvconf_rec *) ap_get_module_config(r->server->module_config,
473	&gnutls_module);
474
475	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
476	return 0;
477	}
478
479	return 443;
480	}
481
482	#define MAX_HOST_LEN 255
483
484	#if USING_2_1_RECENT
485	typedef struct {
486	mgs_handle_t *ctxt;
487	mgs_srvconf_rec *sc;
488	const char *sni_name;
489	} vhost_cb_rec;
490
491	static int vhost_cb(void baton, conn_rec conn, server_rec * s)
492	{
493	mgs_srvconf_rec *tsc;
494	vhost_cb_rec *x = baton;
495
496	tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
497	&gnutls_module);
498
499	if (tsc->enabled != GNUTLS_ENABLED_TRUE \|\| tsc->cert_cn == NULL) {
500	return 0;
501	}
502
503	/* The CN can contain a * -- this will match those too. */
504	if (ap_strcasecmp_match(x->sni_name, tsc->cert_cn) == 0) {
505	/* found a match */
506	#if MOD_GNUTLS_DEBUG
507	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
508	x->ctxt->c->base_server,
509	"GnuTLS: Virtual Host CB: "
510	"'%s' == '%s'", tsc->cert_cn, x->sni_name);
511	#endif
512	/* Because we actually change the server used here, we need to reset
513	* things like ClientVerify.
514	*/
515	x->sc = tsc;
516	/* Shit. Crap. Dammit. We really should rehandshake here, as our
517	* certificate structure should change when the server changes.
518	* acccckkkkkk.
519	*/
520	return 1;
521	} else {
522	#if MOD_GNUTLS_DEBUG
523	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
524	x->ctxt->c->base_server,
525	"GnuTLS: Virtual Host CB: "
526	"'%s' != '%s'", tsc->cert_cn, x->sni_name);
527	#endif
528
529	}
530	return 0;
531	}
532	#endif
533
534	mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session)
535	{
536	int rv;
537	unsigned int sni_type;
538	size_t data_len = MAX_HOST_LEN;
539	char sni_name[MAX_HOST_LEN];
540	mgs_handle_t *ctxt;
541	#if USING_2_1_RECENT
542	vhost_cb_rec cbx;
543	#else
544	server_rec *s;
545	mgs_srvconf_rec *tsc;
546	#endif
547
548	ctxt = gnutls_transport_get_ptr(session);
549
550	rv = gnutls_server_name_get(ctxt->session, sni_name,
551	&data_len, &sni_type, 0);
552
553	if (rv != 0) {
554	return NULL;
555	}
556
557	if (sni_type != GNUTLS_NAME_DNS) {
558	ap_log_error(APLOG_MARK, APLOG_CRIT, 0,
559	ctxt->c->base_server,
560	"GnuTLS: Unknown type '%d' for SNI: "
561	"'%s'", sni_type, sni_name);
562	return NULL;
563	}
564
565	/**
566	* Code in the Core already sets up the c->base_server as the base
567	* for this IP/Port combo. Trust that the core did the 'right' thing.
568	*/
569	#if USING_2_1_RECENT
570	cbx.ctxt = ctxt;
571	cbx.sc = NULL;
572	cbx.sni_name = sni_name;
573
574	rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
575	if (rv == 1) {
576	return cbx.sc;
577	}
578	#else
579	for (s = ap_server_conf; s; s = s->next) {
580
581	tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
582	&gnutls_module);
583	if (tsc->enabled != GNUTLS_ENABLED_TRUE) {
584	continue;
585	}
586	#if MOD_GNUTLS_DEBUG
587	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
588	ctxt->c->base_server,
589	"GnuTLS: sni-x509 cn: %s/%d pk: %s s: 0x%08X s->n: 0x%08X sc: 0x%08X",
590	tsc->cert_cn, rv,
591	gnutls_pk_algorithm_get_name
592	(gnutls_x509_privkey_get_pk_algorithm
593	(ctxt->sc->privkey_x509)), (unsigned int) s,
594	(unsigned int) s->next, (unsigned int) tsc);
595	#endif
596	/* The CN can contain a * -- this will match those too. */
597	if (ap_strcasecmp_match(sni_name, tsc->cert_cn) == 0) {
598	#if MOD_GNUTLS_DEBUG
599	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
600	ctxt->c->base_server,
601	"GnuTLS: Virtual Host: "
602	"'%s' == '%s'", tsc->cert_cn, sni_name);
603	#endif
604	return tsc;
605	}
606	}
607	#endif
608	return NULL;
609	}
610
611
612	static const int protocol_priority[] = {
613	GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
614	};
615
616
617	static mgs_handle_t create_gnutls_handle(apr_pool_t pool, conn_rec * c)
618	{
619	mgs_handle_t *ctxt;
620	mgs_srvconf_rec *sc =
621	(mgs_srvconf_rec *) ap_get_module_config(c->base_server->
622	module_config,
623	&gnutls_module);
624
625	ctxt = apr_pcalloc(pool, sizeof(*ctxt));
626	ctxt->c = c;
627	ctxt->sc = sc;
628	ctxt->status = 0;
629
630	ctxt->input_rc = APR_SUCCESS;
631	ctxt->input_bb = apr_brigade_create(c->pool, c->bucket_alloc);
632	ctxt->input_cbuf.length = 0;
633
634	ctxt->output_rc = APR_SUCCESS;
635	ctxt->output_bb = apr_brigade_create(c->pool, c->bucket_alloc);
636	ctxt->output_blen = 0;
637	ctxt->output_length = 0;
638
639	gnutls_init(&ctxt->session, GNUTLS_SERVER);
640
641	/* because we don't set any default priorities here (we set later at
642	* the user hello callback) we need to at least set this in order for
643	* gnutls to be able to read packets.
644	*/
645	gnutls_protocol_set_priority(ctxt->session, protocol_priority);
646
647	gnutls_handshake_set_post_client_hello_function(ctxt->session,
648	mgs_select_virtual_server_cb);
649
650	mgs_cache_session_init(ctxt);
651
652	return ctxt;
653	}
654
655	int mgs_hook_pre_connection(conn_rec * c, void *csd)
656	{
657	mgs_handle_t *ctxt;
658	mgs_srvconf_rec *sc =
659	(mgs_srvconf_rec *) ap_get_module_config(c->base_server->
660	module_config,
661	&gnutls_module);
662
663	if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) {
664	return DECLINED;
665	}
666
667	ctxt = create_gnutls_handle(c->pool, c);
668
669	ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
670
671	gnutls_transport_set_pull_function(ctxt->session, mgs_transport_read);
672	gnutls_transport_set_push_function(ctxt->session, mgs_transport_write);
673	gnutls_transport_set_ptr(ctxt->session, ctxt);
674
675	ctxt->input_filter =
676	ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, ctxt, NULL, c);
677	ctxt->output_filter =
678	ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, ctxt, NULL, c);
679
680	return OK;
681	}
682
683	int mgs_hook_fixups(request_rec * r)
684	{
685	unsigned char sbuf[GNUTLS_MAX_SESSION_ID];
686	char buf[AP_IOBUFSIZE];
687	const char *tmp;
688	size_t len;
689	mgs_handle_t *ctxt;
690	int rv = OK;
691
692	apr_table_t *env = r->subprocess_env;
693
694	ctxt =
695	ap_get_module_config(r->connection->conn_config, &gnutls_module);
696
697	if (!ctxt) {
698	return DECLINED;
699	}
700
701	apr_table_setn(env, "HTTPS", "on");
702
703	apr_table_setn(env, "SSL_VERSION_LIBRARY",
704	"GnuTLS/" LIBGNUTLS_VERSION);
705	apr_table_setn(env, "SSL_VERSION_INTERFACE",
706	"mod_gnutls/" MOD_GNUTLS_VERSION);
707
708	apr_table_setn(env, "SSL_PROTOCOL",
709	gnutls_protocol_get_name(gnutls_protocol_get_version
710	(ctxt->session)));
711
712	/* should have been called SSL_CIPHERSUITE instead */
713	apr_table_setn(env, "SSL_CIPHER",
714	gnutls_cipher_suite_get_name(gnutls_kx_get
715	(ctxt->session),
716	gnutls_cipher_get(ctxt->
717	session),
718	gnutls_mac_get(ctxt->
719	session)));
720
721	apr_table_setn(env, "SSL_COMPRESS_METHOD",
722	gnutls_compression_get_name(gnutls_compression_get
723	(ctxt->session)));
724
725	apr_table_setn(env, "SSL_SRP_USER",
726	gnutls_srp_server_get_username(ctxt->session));
727
728	if (apr_table_get(env, "SSL_CLIENT_VERIFY") == NULL)
729	apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE");
730
731	unsigned int key_size =
732	8 * gnutls_cipher_get_key_size(gnutls_cipher_get(ctxt->session));
733	tmp = apr_psprintf(r->pool, "%u", key_size);
734
735	apr_table_setn(env, "SSL_CIPHER_USEKEYSIZE", tmp);
736
737	apr_table_setn(env, "SSL_CIPHER_ALGKEYSIZE", tmp);
738
739	apr_table_setn(env, "SSL_CIPHER_EXPORT",
740	(key_size <= 40) ? "true" : "false");
741
742	len = sizeof(sbuf);
743	gnutls_session_get_id(ctxt->session, sbuf, &len);
744	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf));
745	apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp));
746
747	if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509)
748	mgs_add_common_cert_vars(r, ctxt->sc->certs_x509[0], 0,
749	ctxt->sc->export_certificates_enabled);
750	else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP)
751	mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0,
752	ctxt->sc->export_certificates_enabled);
753
754	return rv;
755	}
756
757	int mgs_hook_authz(request_rec * r)
758	{
759	int rv;
760	mgs_handle_t *ctxt;
761	mgs_dirconf_rec *dc = ap_get_module_config(r->per_dir_config,
762	&gnutls_module);
763
764	ctxt =
765	ap_get_module_config(r->connection->conn_config, &gnutls_module);
766
767	if (!ctxt) {
768	return DECLINED;
769	}
770
771	if (dc->client_verify_mode == GNUTLS_CERT_IGNORE) {
772	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
773	"GnuTLS: Directory set to Ignore Client Certificate!");
774	} else {
775	if (ctxt->sc->client_verify_mode < dc->client_verify_mode) {
776	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
777	"GnuTLS: Attempting to rehandshake with peer. %d %d",
778	ctxt->sc->client_verify_mode,
779	dc->client_verify_mode);
780
781	gnutls_certificate_server_set_request(ctxt->session,
782	dc->client_verify_mode);
783
784	if (mgs_rehandshake(ctxt) != 0) {
785	return HTTP_FORBIDDEN;
786	}
787	} else if (ctxt->sc->client_verify_mode == GNUTLS_CERT_IGNORE) {
788	#if MOD_GNUTLS_DEBUG
789	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
790	"GnuTLS: Peer is set to IGNORE");
791	#endif
792	} else {
793	rv = mgs_cert_verify(r, ctxt);
794	if (rv != DECLINED) {
795	return rv;
796	}
797	}
798	}
799
800	return DECLINED;
801	}
802
803	/* variables that are not sent by default:
804	*
805	* SSL_CLIENT_CERT string PEM-encoded client certificate
806	* SSL_SERVER_CERT string PEM-encoded client certificate
807	*/
808
809	/* side is either 0 for SERVER or 1 for CLIENT
810	*/
811	#define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT")
812	static void
813	mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side,
814	int export_certificates_enabled)
815	{
816	unsigned char sbuf[64]; /* buffer to hold serials */
817	char buf[AP_IOBUFSIZE];
818	const char *tmp;
819	char *tmp2;
820	size_t len;
821	int ret, i;
822
823	apr_table_t *env = r->subprocess_env;
824
825	if (export_certificates_enabled != 0) {
826	char cert_buf[10 * 1024];
827	len = sizeof(cert_buf);
828
829	if (gnutls_x509_crt_export
830	(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
831	apr_table_setn(env,
832	apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
833	apr_pstrmemdup(r->pool, cert_buf, len));
834
835	}
836
837	len = sizeof(buf);
838	gnutls_x509_crt_get_dn(cert, buf, &len);
839	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_S_DN", NULL),
840	apr_pstrmemdup(r->pool, buf, len));
841
842	len = sizeof(buf);
843	gnutls_x509_crt_get_issuer_dn(cert, buf, &len);
844	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_I_DN", NULL),
845	apr_pstrmemdup(r->pool, buf, len));
846
847	len = sizeof(sbuf);
848	gnutls_x509_crt_get_serial(cert, sbuf, &len);
849	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf));
850	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_M_SERIAL", NULL),
851	apr_pstrdup(r->pool, tmp));
852
853	ret = gnutls_x509_crt_get_version(cert);
854	if (ret > 0)
855	apr_table_setn(env,
856	apr_pstrcat(r->pool, MGS_SIDE, "_M_VERSION", NULL),
857	apr_psprintf(r->pool, "%u", ret));
858
859	apr_table_setn(env,
860	apr_pstrcat(r->pool, MGS_SIDE, "_CERT_TYPE", NULL), "X.509");
861
862	tmp =
863	mgs_time2sz(gnutls_x509_crt_get_expiration_time
864	(cert), buf, sizeof(buf));
865	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_END", NULL),
866	apr_pstrdup(r->pool, tmp));
867
868	tmp =
869	mgs_time2sz(gnutls_x509_crt_get_activation_time
870	(cert), buf, sizeof(buf));
871	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL),
872	apr_pstrdup(r->pool, tmp));
873
874	ret = gnutls_x509_crt_get_signature_algorithm(cert);
875	if (ret >= 0) {
876	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG", NULL),
877	gnutls_sign_algorithm_get_name(ret));
878	}
879
880	ret = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
881	if (ret >= 0) {
882	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY", NULL),
883	gnutls_pk_algorithm_get_name(ret));
884	}
885
886	/* export all the alternative names (DNS, RFC822 and URI) */
887	for (i = 0; !(ret < 0); i++) {
888	len = 0;
889	ret = gnutls_x509_crt_get_subject_alt_name(cert, i,
890	NULL, &len, NULL);
891
892	if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER && len > 1) {
893	tmp2 = apr_palloc(r->pool, len + 1);
894
895	ret =
896	gnutls_x509_crt_get_subject_alt_name(cert, i, tmp2, &len,
897	NULL);
898	tmp2[len] = 0;
899
900	if (ret == GNUTLS_SAN_DNSNAME) {
901	apr_table_setn(env,
902	apr_psprintf(r->pool, "%s_S_AN%u", MGS_SIDE, i),
903	apr_psprintf(r->pool, "DNSNAME:%s", tmp2));
904	} else if (ret == GNUTLS_SAN_RFC822NAME) {
905	apr_table_setn(env,
906	apr_psprintf(r->pool, "%s_S_AN%u", MGS_SIDE, i),
907	apr_psprintf(r->pool, "RFC822NAME:%s", tmp2));
908	} else if (ret == GNUTLS_SAN_URI) {
909	apr_table_setn(env,
910	apr_psprintf(r->pool, "%s_S_AN%u", MGS_SIDE, i),
911	apr_psprintf(r->pool, "URI:%s", tmp2));
912	} else {
913	apr_table_setn(env,
914	apr_psprintf(r->pool, "%s_S_AN%u", MGS_SIDE, i),
915	"UNSUPPORTED");
916	}
917	}
918	}
919	}
920
921	static void
922	mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side,
923	int export_certificates_enabled)
924	{
925	unsigned char sbuf[64]; /* buffer to hold serials */
926	char buf[AP_IOBUFSIZE];
927	const char *tmp;
928	size_t len;
929	int ret;
930
931	apr_table_t *env = r->subprocess_env;
932
933	if (export_certificates_enabled != 0) {
934	char cert_buf[10 * 1024];
935	len = sizeof(cert_buf);
936
937	if (gnutls_openpgp_crt_export
938	(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0)
939	apr_table_setn(env,
940	apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
941	apr_pstrmemdup(r->pool, cert_buf, len));
942
943	}
944
945	len = sizeof(buf);
946	gnutls_openpgp_crt_get_name(cert, 0, buf, &len);
947	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_NAME", NULL),
948	apr_pstrmemdup(r->pool, buf, len));
949
950	len = sizeof(sbuf);
951	gnutls_openpgp_crt_get_fingerprint(cert, sbuf, &len);
952	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf));
953	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_FINGERPRINT", NULL),
954	apr_pstrdup(r->pool, tmp));
955
956	ret = gnutls_openpgp_crt_get_version(cert);
957	if (ret > 0)
958	apr_table_setn(env,
959	apr_pstrcat(r->pool, MGS_SIDE, "_M_VERSION", NULL),
960	apr_psprintf(r->pool, "%u", ret));
961
962	apr_table_setn(env,
963	apr_pstrcat(r->pool, MGS_SIDE, "_CERT_TYPE", NULL), "OPENPGP");
964
965	tmp =
966	mgs_time2sz(gnutls_openpgp_crt_get_expiration_time
967	(cert), buf, sizeof(buf));
968	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_END", NULL),
969	apr_pstrdup(r->pool, tmp));
970
971	tmp =
972	mgs_time2sz(gnutls_openpgp_crt_get_creation_time
973	(cert), buf, sizeof(buf));
974	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL),
975	apr_pstrdup(r->pool, tmp));
976
977	ret = gnutls_openpgp_crt_get_pk_algorithm(cert, NULL);
978	if (ret >= 0) {
979	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY", NULL),
980	gnutls_pk_algorithm_get_name(ret));
981	}
982
983	}
984
985	/* TODO: Allow client sending a X.509 certificate chain */
986	static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
987	{
988	const gnutls_datum_t *cert_list;
989	unsigned int cert_list_size, status, expired;
990	int rv, ret;
991	union {
992	gnutls_x509_crt_t x509;
993	gnutls_openpgp_crt_t pgp;
994	} cert;
995	apr_time_t activation_time, expiration_time, cur_time;
996
997	cert_list =
998	gnutls_certificate_get_peers(ctxt->session, &cert_list_size);
999
1000	if (cert_list == NULL \|\| cert_list_size == 0) {
1001	/* It is perfectly OK for a client not to send a certificate if on REQUEST mode
1002	*/
1003	if (ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUEST)
1004	return OK;
1005
1006	/* no certificate provided by the client, but one was required. */
1007	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1008	"GnuTLS: Failed to Verify Peer: "
1009	"Client did not submit a certificate");
1010	return HTTP_FORBIDDEN;
1011	}
1012
1013	if (cert_list_size > 1) {
1014	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1015	"GnuTLS: Failed to Verify Peer: "
1016	"Chained Client Certificates are not supported.");
1017	return HTTP_FORBIDDEN;
1018	}
1019
1020	if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) {
1021	gnutls_x509_crt_init(&cert.x509);
1022	rv = gnutls_x509_crt_import(cert.x509, &cert_list[0], GNUTLS_X509_FMT_DER);
1023	} else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP) {
1024	gnutls_openpgp_crt_init(&cert.pgp);
1025	rv = gnutls_openpgp_crt_import(cert.pgp, &cert_list[0], GNUTLS_OPENPGP_FMT_RAW);
1026	} else return HTTP_FORBIDDEN;
1027
1028	if (rv < 0) {
1029	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1030	"GnuTLS: Failed to Verify Peer: "
1031	"Failed to import peer certificates.");
1032	ret = HTTP_FORBIDDEN;
1033	goto exit;
1034	}
1035
1036	if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) {
1037	apr_time_ansi_put(&expiration_time,
1038	gnutls_x509_crt_get_expiration_time(cert.x509));
1039	apr_time_ansi_put(&activation_time,
1040	gnutls_x509_crt_get_activation_time(cert.x509));
1041
1042	rv = gnutls_x509_crt_verify(cert.x509, ctxt->sc->ca_list,
1043	ctxt->sc->ca_list_size, 0, &status);
1044	} else {
1045	apr_time_ansi_put(&expiration_time,
1046	gnutls_openpgp_crt_get_expiration_time(cert.pgp));
1047	apr_time_ansi_put(&activation_time,
1048	gnutls_openpgp_crt_get_creation_time(cert.pgp));
1049
1050	rv = gnutls_openpgp_crt_verify_ring(cert.pgp, ctxt->sc->pgp_list,
1051	0, &status);
1052	}
1053
1054	if (rv < 0) {
1055	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1056	"GnuTLS: Failed to Verify Peer certificate: (%d) %s",
1057	rv, gnutls_strerror(rv));
1058	if (rv == GNUTLS_E_NO_CERTIFICATE_FOUND)
1059	ap_log_rerror(APLOG_MARK, APLOG_EMERG, 0, r,
1060	"GnuTLS: No certificate was found for verification. Did you set the GnuTLSX509CAFile or GnuTLSPGPKeyringFile directives?");
1061	ret = HTTP_FORBIDDEN;
1062	goto exit;
1063	}
1064
1065	/* TODO: X509 CRL Verification. */
1066	/* May add later if anyone needs it.
1067	*/
1068	/* ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); */
1069
1070	expired = 0;
1071	cur_time = apr_time_now();
1072	if (activation_time > cur_time) {
1073	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1074	"GnuTLS: Failed to Verify Peer: "
1075	"Peer Certificate is not yet activated.");
1076	expired = 1;
1077	}
1078
1079	if (expiration_time < cur_time) {
1080	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1081	"GnuTLS: Failed to Verify Peer: "
1082	"Peer Certificate is expired.");
1083	expired = 1;
1084	}
1085
1086	if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
1087	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1088	"GnuTLS: Could not find Signer for Peer Certificate");
1089	}
1090
1091	if (status & GNUTLS_CERT_SIGNER_NOT_CA) {
1092	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1093	"GnuTLS: Peer's Certificate signer is not a CA");
1094	}
1095
1096	if (status & GNUTLS_CERT_INVALID) {
1097	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1098	"GnuTLS: Peer Certificate is invalid.");
1099	} else if (status & GNUTLS_CERT_REVOKED) {
1100	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1101	"GnuTLS: Peer Certificate is revoked.");
1102	}
1103
1104	if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509)
1105	mgs_add_common_cert_vars(r, cert.x509, 1,
1106	ctxt->sc->export_certificates_enabled);
1107	else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP)
1108	mgs_add_common_pgpcert_vars(r, cert.pgp, 1,
1109	ctxt->sc->export_certificates_enabled);
1110
1111	{
1112	/* days remaining */
1113	unsigned long remain =
1114	(apr_time_sec(expiration_time) -
1115	apr_time_sec(cur_time)) / 86400;
1116	apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN",
1117	apr_psprintf(r->pool, "%lu", remain));
1118	}
1119
1120	if (status == 0 && expired == 0) {
1121	apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY", "SUCCESS");
1122	ret = OK;
1123	} else {
1124	apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY", "FAILED");
1125	if (ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUEST)
1126	ret = OK;
1127	else
1128	ret = HTTP_FORBIDDEN;
1129	}
1130
1131	exit:
1132	if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509)
1133	gnutls_x509_crt_deinit(cert.x509);
1134	else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP)
1135	gnutls_openpgp_crt_deinit(cert.pgp);
1136	return ret;
1137
1138
1139	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: