Changeset 0de1839 in mod_gnutls
- Timestamp:
- Mar 19, 2015, 8:27:45 AM (8 years ago)
- Branches:
- asyncio, debian/master, debian/stretch-backports, jessie-backports, master, proxy-ticket, upstream
- Children:
- 91ccb87
- Parents:
- 10b3370
- Files:
-
- 6 edited
README
r10b3370 r0de1839 22 22 ------------- 23 23 24 * GnuTLS >= 2.12.6 <http://www.gnutls.org/> (3.* preferred)24 * GnuTLS >= 3.1.4 <http://www.gnutls.org/> 25 25 * Apache HTTPD >= 2.2 <http://httpd.apache.org/> (2.4.* preferred) 26 26 * autotools & gcc -
configure.ac
r10b3370 r0de1839 28 28 ) 29 29 30 PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 2.12.6])30 PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.1.4]) 31 31 32 32 LIBGNUTLS_VERSION=`pkg-config --modversion gnutls` -
include/mod_gnutls.h.in
r10b3370 r0de1839 104 104 /* Server Configuration Record */ 105 105 typedef struct { 106 106 /* x509 Certificate Structure */ 107 107 gnutls_certificate_credentials_t certs; 108 /* SRP Certificate Structure*/ 108 /* x509 credentials for proxy connections */ 109 gnutls_certificate_credentials_t proxy_x509_creds; 110 const char* proxy_x509_key_file; 111 const char* proxy_x509_cert_file; 112 const char* proxy_x509_ca_file; 113 /* SRP Certificate Structure*/ 109 114 gnutls_srp_server_credentials_t srp_creds; 110 115 /* Anonymous Certificate Structure */ … … 388 393 mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session); 389 394 395 const char *mgs_store_cred_path(cmd_parms * parms, 396 void *dummy __attribute__((unused)), 397 const char *arg); 398 390 399 /* mod_gnutls Hooks. */ 391 400 -
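Review bot: The three new path fields (`proxy_x509_key_file`, `proxy_x509_cert_file`, `proxy_x509_ca_file`) are added under the comment for `proxy_x509_creds` without any documentation of their own, so a reader of the header cannot tell whether they are loaded eagerly or merely stored. Judging by `src/gnutls_config.c` in this changeset, they hold directive arguments copied into the pool and are only consumed when the post-config hook loads the credentials; a one-line comment above them such as `/* paths from GnuTLSProxy*File directives; loaded into proxy_x509_creds at post-config */` would make that lifecycle explicit. The comment "x509 credentials for proxy connections" would then apply to `proxy_x509_creds` alone, as intended.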
src/gnutls_config.c
r10b3370 r0de1839 101 101 } 102 102 103 const char *mgs_set_cert_file(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg) {104 103 const char *mgs_set_cert_file(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg) 104 { 105 105 int ret; 106 106 gnutls_datum_t data; … … 631 631 return NULL; 632 632 } 633 634 sc->proxy_x509_key_file = NULL; 635 sc->proxy_x509_cert_file = NULL; 636 sc->proxy_x509_ca_file = NULL; 637 ret = gnutls_certificate_allocate_credentials(&sc->proxy_x509_creds); 638 if (ret < 0) 639 { 640 *err = apr_psprintf(p, "GnuTLS: Failed to initialize" 641 ": (%d) %s", ret, 642 gnutls_strerror(ret)); 643 return NULL; 644 } 645 633 646 #ifdef ENABLE_SRP 634 647 ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds); … … 698 711 gnutls_srvconf_merge(dh_params, NULL); 699 712 713 gnutls_srvconf_merge(proxy_x509_key_file, NULL); 714 gnutls_srvconf_merge(proxy_x509_cert_file, NULL); 715 gnutls_srvconf_merge(proxy_x509_ca_file, NULL); 716 700 717 /* FIXME: the following items are pre-allocated, and should be 701 718 * properly disposed of before assigning in order to avoid leaks; … … 748 765 } 749 766 767 /* 768 * Store paths to proxy credentials 769 * 770 * This function copies the paths provided in the configuration file 771 * into the server configuration. The post configuration hook takes 772 * care of actually loading the credentials, which means than invalid 773 * paths or the like will be detected there. 
774 */ 775 const char *mgs_store_cred_path(cmd_parms * parms, 776 void *dummy __attribute__((unused)), 777 const char *arg) 778 { 779 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 780 ap_get_module_config(parms->server->module_config, &gnutls_module); 781 782 /* parms->directive->directive contains the directive string */ 783 if (!strcasecmp(parms->directive->directive, "GnuTLSProxyKeyFile")) 784 sc->proxy_x509_key_file = apr_pstrdup(parms->pool, arg); 785 else if (!strcasecmp(parms->directive->directive, 786 "GnuTLSProxyCertificateFile")) 787 sc->proxy_x509_cert_file = apr_pstrdup(parms->pool, arg); 788 else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyCAFile")) 789 sc->proxy_x509_ca_file = apr_pstrdup(parms->pool, arg); 790 /* TODO: Add CRL parameter */ 791 return NULL; 792 } -
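Review bot: `mgs_store_cred_path` has no final `else`, so a directive name that matches none of the three `strcasecmp` branches is silently accepted and its argument dropped; any future `AP_INIT_TAKE1` entry wired to this handler but not added to the chain would appear to work while configuring nothing. A defensive terminal branch, `else return apr_psprintf(parms->pool, "%s: unexpected directive %s", __func__, parms->directive->directive);`, turns that into a configuration error at startup. The include list is outside the hunk, so I cannot confirm that `<strings.h>` (for `strcasecmp`) is pulled in by this translation unit. In the new header comment, "which means than invalid paths" should read "which means that invalid paths".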
src/gnutls_hooks.c
r10b3370 r0de1839 53 53 static const char* mgs_x509_construct_uid(request_rec * pool, gnutls_x509_crt_t cert); 54 54 #endif 55 static int load_proxy_x509_credentials(server_rec *s); 55 56 56 57 /* Pool Cleanup Function */ … … 457 458 continue; 458 459 } 460 } 461 462 if (sc->enabled == GNUTLS_ENABLED_TRUE 463 && sc->proxy_enabled == GNUTLS_ENABLED_TRUE) 464 { 465 load_proxy_x509_credentials(s); 459 466 } 460 467 } … … 802 809 mgs_select_virtual_server_cb); 803 810 811 /* Set GnuTLS user pointer, so we can access the module session 812 * context in GnuTLS callbacks */ 813 gnutls_session_set_ptr(ctxt->session, ctxt); 814 804 815 /* If mod_gnutls is the TLS server, mgs_select_virtual_server_cb 805 816 * will load appropriate credentials during handshake. However, … … 813 824 /* Set x509 credentials */ 814 825 gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE, 815 ctxt->sc-> certs);826 ctxt->sc->proxy_x509_creds); 816 827 /* Load priorities from the server configuration */ 817 828 err = gnutls_priority_set(ctxt->session, ctxt->sc->priorities); … … 1669 1680 } 1670 1681 1682 1683 1684 /* 1685 * Callback to check the server certificate for proxy HTTPS 1686 * connections, to be used with 1687 * gnutls_certificate_set_verify_function. 1688 1689 * Returns: 0 if certificate check was successful (certificate 1690 * trusted), non-zero otherwise (error during check or untrusted 1691 * certificate). 
1692 */ 1693 static int gtls_check_server_cert(gnutls_session_t session) 1694 { 1695 mgs_handle_t *ctxt = (mgs_handle_t *) gnutls_session_get_ptr(session); 1696 unsigned int status; 1697 1698 int err = gnutls_certificate_verify_peers3(session, NULL, &status); 1699 if (err != GNUTLS_E_SUCCESS) 1700 { 1701 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, ctxt->c, 1702 "%s: server certificate check failed: %s (%d)", 1703 __func__, gnutls_strerror(err), err); 1704 return err; 1705 } 1706 1707 gnutls_datum_t * out = gnutls_malloc(sizeof(gnutls_datum_t)); 1708 /* GNUTLS_CRT_X509: ATM, only X509 is supported for proxy certs 1709 * 0: according to function API, the last argument should be 0 */ 1710 err = gnutls_certificate_verification_status_print(status, GNUTLS_CRT_X509, 1711 out, 0); 1712 if (err != GNUTLS_E_SUCCESS) 1713 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c, 1714 "%s: server verify print failed: %s (%d)", 1715 __func__, gnutls_strerror(err), err); 1716 else 1717 { 1718 /* If the certificate is trusted, logging the result is just 1719 * nice for debugging. But if the back end server provided an 1720 * untrusted certificate, warn! */ 1721 int level = (status == 0 ? 
APLOG_DEBUG : APLOG_WARNING); 1722 ap_log_cerror(APLOG_MARK, level, 0, ctxt->c, 1723 "%s: server certificate verify result: %s", 1724 __func__, out->data); 1725 } 1726 1727 gnutls_free(out); 1728 return status; 1729 } 1730 1731 1732 1733 static int load_proxy_x509_credentials(server_rec *s) 1734 { 1735 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 1736 ap_get_module_config(s->module_config, &gnutls_module); 1737 1738 if (sc == NULL) 1739 return APR_EGENERAL; 1740 1741 int ret = APR_SUCCESS; 1742 int err = GNUTLS_E_SUCCESS; 1743 if (sc->proxy_x509_key_file && sc->proxy_x509_cert_file) 1744 { 1745 err = gnutls_certificate_set_x509_key_file(sc->proxy_x509_creds, 1746 sc->proxy_x509_cert_file, 1747 sc->proxy_x509_key_file, 1748 GNUTLS_X509_FMT_PEM); 1749 if (err != GNUTLS_E_SUCCESS) 1750 { 1751 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, 1752 "%s: loading proxy client credentials failed: %s (%d)", 1753 __func__, gnutls_strerror(err), err); 1754 ret = APR_EGENERAL; 1755 } 1756 } 1757 else if (!sc->proxy_x509_key_file && sc->proxy_x509_cert_file) 1758 { 1759 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, 1760 "%s: proxy key file not set!", __func__); 1761 ret = APR_EGENERAL; 1762 } 1763 else if (!sc->proxy_x509_cert_file && sc->proxy_x509_key_file) 1764 { 1765 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, 1766 "%s: proxy certificate file not set!", __func__); 1767 ret = APR_EGENERAL; 1768 } 1769 else 1770 /* if both key and cert are NULL, client auth is not used */ 1771 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, 1772 "%s: no client credentials for proxy", __func__); 1773 1774 /* must be set if the server certificate is to be checked */ 1775 if (sc->proxy_x509_ca_file) 1776 { 1777 /* returns number of loaded certificates */ 1778 err = gnutls_certificate_set_x509_trust_file(sc->proxy_x509_creds, 1779 sc->proxy_x509_ca_file, 1780 GNUTLS_X509_FMT_PEM); 1781 if (err <= 0) 1782 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, 1783 "%s: proxy CA trust list is empty", 1784 __func__); 
1785 else 1786 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, 1787 "%s: proxy CA trust list: %d certificates loaded", 1788 __func__, err); 1789 } 1790 else 1791 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, 1792 "%s: no CA trust list for proxy connections missing, " 1793 "TLS connections will fail!", __func__); 1794 1795 gnutls_certificate_set_verify_function(sc->proxy_x509_creds, 1796 gtls_check_server_cert); 1797 return ret; 1798 } -
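Review bot: `gtls_check_server_cert` calls `gnutls_certificate_verify_peers3(session, NULL, &status)` with a NULL hostname, so the back-end certificate is only checked for chain validity against the configured CA file, never for matching the host being proxied to; any certificate issued by a trusted CA for any name is accepted. If the proxy target's host name is reachable from the session context (the commit now stores `ctxt` via `gnutls_session_set_ptr`, so it may be available through it), it should be passed as the second argument; if it is not yet available, the function comment should state that hostname verification is not performed. Separately, `gnutls_certificate_verification_status_print` allocates `out->data`, but the cleanup at the end only does `gnutls_free(out)` on the heap-allocated datum struct, leaking the printed string on every proxied handshake, and the `gnutls_malloc` result is never checked for NULL before being passed on. Using a stack datum and freeing `out.data` removes both the leak and the unchecked allocation, as below. The log message at line 1792, "no CA trust list for proxy connections missing," also reads as a merge of two phrasings; "no CA trust list for proxy connections, TLS connections will fail!" is probably what was meant.

```c
static int gtls_check_server_cert(gnutls_session_t session)
{
    mgs_handle_t *ctxt = (mgs_handle_t *) gnutls_session_get_ptr(session);
    unsigned int status;
    /* … unchanged: gnutls_certificate_verify_peers3 call and its error log … */

    /* stack datum; the print function allocates out.data, which we own */
    gnutls_datum_t out = { .data = NULL, .size = 0 };
    /* GNUTLS_CRT_X509: ATM, only X509 is supported for proxy certs
     * 0: according to function API, the last argument should be 0 */
    err = gnutls_certificate_verification_status_print(status, GNUTLS_CRT_X509,
                                                       &out, 0);
    if (err != GNUTLS_E_SUCCESS)
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,
                      "%s: server verify print failed: %s (%d)",
                      __func__, gnutls_strerror(err), err);
    else
    {
        /* If the certificate is trusted, logging the result is just
         * nice for debugging. But if the back end server provided an
         * untrusted certificate, warn! */
        int level = (status == 0 ? APLOG_DEBUG : APLOG_WARNING);
        ap_log_cerror(APLOG_MARK, level, 0, ctxt->c,
                      "%s: server certificate verify result: %s",
                      __func__, out.data);
    }

    gnutls_free(out.data);
    return status;
}
```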
src/mod_gnutls.c
r10b3370 r0de1839 224 224 RSRC_CONF, 225 225 "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"), 226 AP_INIT_TAKE1("GnuTLSProxyKeyFile", mgs_store_cred_path, 227 NULL, 228 RSRC_CONF, 229 "X509 client private file for proxy connections"), 230 AP_INIT_TAKE1("GnuTLSProxyCertificateFile", mgs_store_cred_path, 231 NULL, 232 RSRC_CONF, 233 "X509 client certificate file for proxy connections"), 234 AP_INIT_TAKE1("GnuTLSProxyCAFile", mgs_store_cred_path, 235 NULL, 236 RSRC_CONF, 237 "X509 trusted CA file for proxy connections"), 226 238 { NULL }, 227 239 };
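Review bot: The help string for the new `GnuTLSProxyKeyFile` directive reads "X509 client private file for proxy connections", which drops the word "key" and is the text administrators will see from `httpd -L`. It should read `"X509 client private key file for proxy connections"`, matching the wording of the certificate and CA entries that follow it.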