Changeset 0de1839 in mod_gnutls

Timestamp:

Mar 19, 2015, 8:27:45 AM (4 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, master, upstream

Children:

91ccb87

Parents:

10b3370

Message:

Support X.509 auth for TLS proxy connections

This commit adds support for X.509 certificate based authentication for
TLS proxy back end connections, including both server certificate
checking and (optionally) TLS client authentication. Some functions used
for this require GnuTLS 3.1.4 or later, so requirements change
accordingly.

Three new configuration parameters are added:

GnuTLSProxyCAFile FILEPATH

The given file must contain trusted CA certificates for server
verification. Required.

GnuTLSProxyKeyFile FILEPATH
GnuTLSProxyCertificateFile FILEPATH

Key and certificate for TLS client auth towards TLS back end servers. If
not set, TLS client auth is disabled.

Files:

• README (modified) (1 diff)
• configure.ac (modified) (1 diff)
• include/mod_gnutls.h.in (modified) (2 diffs)
• src/gnutls_config.c (modified) (4 diffs)
• src/gnutls_hooks.c (modified) (5 diffs)
• src/mod_gnutls.c (modified) (1 diff)

README

@@ -22 +22 @@
 -------------
 
- * GnuTLS          >= 2.12.6 <http://www.gnutls.org/> (3.* preferred)
+ * GnuTLS          >= 3.1.4 <http://www.gnutls.org/>
  * Apache HTTPD    >= 2.2 <http://httpd.apache.org/> (2.4.* preferred)
  * autotools & gcc

configure.ac

@@ -28 +28 @@
 )
 
-PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 2.12.6])
+PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.1.4])
 
 LIBGNUTLS_VERSION=`pkg-config --modversion gnutls`

include/mod_gnutls.h.in

@@ -104 +104 @@
 /* Server Configuration Record */
 typedef struct {
-        /* x509 Certificate Structure */
+    /* x509 Certificate Structure */
     gnutls_certificate_credentials_t certs;
-        /* SRP Certificate Structure*/
+    /* x509 credentials for proxy connections */
+    gnutls_certificate_credentials_t proxy_x509_creds;
+    const char* proxy_x509_key_file;
+    const char* proxy_x509_cert_file;
+    const char* proxy_x509_ca_file;
+    /* SRP Certificate Structure*/
     gnutls_srp_server_credentials_t srp_creds;
     /* Anonymous Certificate Structure */
@@ -388 +393 @@
 mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);
 
+const char *mgs_store_cred_path(cmd_parms * parms,
+                                void *dummy __attribute__((unused)),
+                                const char *arg);
+
 /* mod_gnutls Hooks. */
 

src/gnutls_config.c

@@ -101 +101 @@
 }
 
-const char *mgs_set_cert_file(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg) {
-
+const char *mgs_set_cert_file(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg)
+{
     int ret;
     gnutls_datum_t data;
@@ -631 +631 @@
         return NULL;
     }
+
+    sc->proxy_x509_key_file = NULL;
+    sc->proxy_x509_cert_file = NULL;
+    sc->proxy_x509_ca_file = NULL;
+    ret = gnutls_certificate_allocate_credentials(&sc->proxy_x509_creds);
+    if (ret < 0)
+    {
+        *err = apr_psprintf(p, "GnuTLS: Failed to initialize"
+                            ": (%d) %s", ret,
+                            gnutls_strerror(ret));
+        return NULL;
+    }
+
 #ifdef ENABLE_SRP
     ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds);
@@ -698 +711 @@
     gnutls_srvconf_merge(dh_params, NULL);
 
+    gnutls_srvconf_merge(proxy_x509_key_file, NULL);
+    gnutls_srvconf_merge(proxy_x509_cert_file, NULL);
+    gnutls_srvconf_merge(proxy_x509_ca_file, NULL);
+
     /* FIXME: the following items are pre-allocated, and should be
      * properly disposed of before assigning in order to avoid leaks;
@@ -748 +765 @@
 }
 
+/*
+ * Store paths to proxy credentials
+ *
+ * This function copies the paths provided in the configuration file
+ * into the server configuration. The post configuration hook takes
+ * care of actually loading the credentials, which means than invalid
+ * paths or the like will be detected there.
+ */
+const char *mgs_store_cred_path(cmd_parms * parms,
+                                void *dummy __attribute__((unused)),
+                                const char *arg)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(parms->server->module_config, &gnutls_module);
+
+    /* parms->directive->directive contains the directive string */
+    if (!strcasecmp(parms->directive->directive, "GnuTLSProxyKeyFile"))
+        sc->proxy_x509_key_file = apr_pstrdup(parms->pool, arg);
+    else if (!strcasecmp(parms->directive->directive,
+                         "GnuTLSProxyCertificateFile"))
+        sc->proxy_x509_cert_file = apr_pstrdup(parms->pool, arg);
+    else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyCAFile"))
+        sc->proxy_x509_ca_file = apr_pstrdup(parms->pool, arg);
+    /* TODO: Add CRL parameter */
+    return NULL;
+}

src/gnutls_hooks.c

@@ -53 +53 @@
 static const char* mgs_x509_construct_uid(request_rec * pool, gnutls_x509_crt_t cert);
 #endif
+static int load_proxy_x509_credentials(server_rec *s);
 
 /* Pool Cleanup Function */
@@ -457 +458 @@
                 continue;
             }
+        }
+
+        if (sc->enabled == GNUTLS_ENABLED_TRUE
+            && sc->proxy_enabled == GNUTLS_ENABLED_TRUE)
+        {
+            load_proxy_x509_credentials(s);
         }
     }
@@ -802 +809 @@
             mgs_select_virtual_server_cb);
 
+    /* Set GnuTLS user pointer, so we can access the module session
+     * context in GnuTLS callbacks */
+    gnutls_session_set_ptr(ctxt->session, ctxt);
+
     /* If mod_gnutls is the TLS server, mgs_select_virtual_server_cb
      * will load appropriate credentials during handshake. However,
@@ -813 +824 @@
         /* Set x509 credentials */
         gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE,
-                               ctxt->sc->certs);
+                               ctxt->sc->proxy_x509_creds);
         /* Load priorities from the server configuration */
         err = gnutls_priority_set(ctxt->session, ctxt->sc->priorities);
@@ -1669 +1680 @@
 }
 
+
+
+/*
+ * Callback to check the server certificate for proxy HTTPS
+ * connections, to be used with
+ * gnutls_certificate_set_verify_function.
+
+ * Returns: 0 if certificate check was successful (certificate
+ * trusted), non-zero otherwise (error during check or untrusted
+ * certificate).
+ */
+static int gtls_check_server_cert(gnutls_session_t session)
+{
+    mgs_handle_t *ctxt = (mgs_handle_t *) gnutls_session_get_ptr(session);
+    unsigned int status;
+
+    int err = gnutls_certificate_verify_peers3(session, NULL, &status);
+    if (err != GNUTLS_E_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, ctxt->c,
+                      "%s: server certificate check failed: %s (%d)",
+                      __func__, gnutls_strerror(err), err);
+        return err;
+    }
+
+    gnutls_datum_t * out = gnutls_malloc(sizeof(gnutls_datum_t));
+    /* GNUTLS_CRT_X509: ATM, only X509 is supported for proxy certs
+     * 0: according to function API, the last argument should be 0 */
+    err = gnutls_certificate_verification_status_print(status, GNUTLS_CRT_X509,
+                                                       out, 0);
+    if (err != GNUTLS_E_SUCCESS)
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,
+                      "%s: server verify print failed: %s (%d)",
+                      __func__, gnutls_strerror(err), err);
+    else
+    {
+        /* If the certificate is trusted, logging the result is just
+         * nice for debugging. But if the back end server provided an
+         * untrusted certificate, warn! */
+        int level = (status == 0 ? APLOG_DEBUG : APLOG_WARNING);
+        ap_log_cerror(APLOG_MARK, level, 0, ctxt->c,
+                      "%s: server certificate verify result: %s",
+                      __func__, out->data);
+    }
+
+    gnutls_free(out);
+    return status;
+}
+
+
+
+static int load_proxy_x509_credentials(server_rec *s)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(s->module_config, &gnutls_module);
+
+    if (sc == NULL)
+        return APR_EGENERAL;
+
+    int ret = APR_SUCCESS;
+    int err = GNUTLS_E_SUCCESS;
+    if (sc->proxy_x509_key_file && sc->proxy_x509_cert_file)
+    {
+        err = gnutls_certificate_set_x509_key_file(sc->proxy_x509_creds,
+                                                   sc->proxy_x509_cert_file,
+                                                   sc->proxy_x509_key_file,
+                                                   GNUTLS_X509_FMT_PEM);
+        if (err != GNUTLS_E_SUCCESS)
+        {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                         "%s: loading proxy client credentials failed: %s (%d)",
+                         __func__, gnutls_strerror(err), err);
+            ret = APR_EGENERAL;
+        }
+    }
+    else if (!sc->proxy_x509_key_file && sc->proxy_x509_cert_file)
+    {
+        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+                     "%s: proxy key file not set!", __func__);
+        ret = APR_EGENERAL;
+    }
+    else if (!sc->proxy_x509_cert_file && sc->proxy_x509_key_file)
+    {
+        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+                     "%s: proxy certificate file not set!", __func__);
+        ret = APR_EGENERAL;
+    }
+    else
+        /* if both key and cert are NULL, client auth is not used */
+        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+                     "%s: no client credentials for proxy", __func__);
+
+    /* must be set if the server certificate is to be checked */
+    if (sc->proxy_x509_ca_file)
+    {
+        /* returns number of loaded certificates */
+        err = gnutls_certificate_set_x509_trust_file(sc->proxy_x509_creds,
+                                                     sc->proxy_x509_ca_file,
+                                                     GNUTLS_X509_FMT_PEM);
+        if (err <= 0)
+            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+                         "%s: proxy CA trust list is empty",
+                         __func__);
+        else
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                         "%s: proxy CA trust list: %d certificates loaded",
+                         __func__, err);
+    }
+    else
+        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+                     "%s: no CA trust list for proxy connections missing, "
+                     "TLS connections will fail!", __func__);
+
+    gnutls_certificate_set_verify_function(sc->proxy_x509_creds,
+                                           gtls_check_server_cert);
+    return ret;
+}

src/mod_gnutls.c

@@ -224 +224 @@
     RSRC_CONF,
     "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"),
+    AP_INIT_TAKE1("GnuTLSProxyKeyFile", mgs_store_cred_path,
+    NULL,
+    RSRC_CONF,
+    "X509 client private file for proxy connections"),
+    AP_INIT_TAKE1("GnuTLSProxyCertificateFile", mgs_store_cred_path,
+    NULL,
+    RSRC_CONF,
+    "X509 client certificate file for proxy connections"),
+    AP_INIT_TAKE1("GnuTLSProxyCAFile", mgs_store_cred_path,
+    NULL,
+    RSRC_CONF,
+    "X509 trusted CA file for proxy connections"),
     { NULL },
 };