Changeset 0de1839 in mod_gnutls for src/gnutls_config.c

Timestamp:

Mar 19, 2015, 8:27:45 AM (6 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

asyncio, debian/master, debian/stretch-backports, jessie-backports, master, proxy-ticket, upstream

Children:

91ccb87

Parents:

10b3370

Message:

Support X.509 auth for TLS proxy connections

This commit adds support for X.509 certificate based authentication for
TLS proxy back end connections, including both server certificate
checking and (optionally) TLS client authentication. Some functions used
for this require GnuTLS 3.1.4 or later, so requirements change
accordingly.

Three new configuration parameters are added:

GnuTLSProxyCAFile FILEPATH

The given file must contain trusted CA certificates for server
verification. Required.

GnuTLSProxyKeyFile FILEPATH
GnuTLSProxyCertificateFile FILEPATH

Key and certificate for TLS client auth towards TLS back end servers. If
not set, TLS client auth is disabled.

File:

• src/gnutls_config.c (modified) (4 diffs)

src/gnutls_config.c

@@ -101 +101 @@
 }
 
-const char *mgs_set_cert_file(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg) {
-
+const char *mgs_set_cert_file(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg)
+{
     int ret;
     gnutls_datum_t data;
@@ -631 +631 @@
         return NULL;
     }
+
+    sc->proxy_x509_key_file = NULL;
+    sc->proxy_x509_cert_file = NULL;
+    sc->proxy_x509_ca_file = NULL;
+    ret = gnutls_certificate_allocate_credentials(&sc->proxy_x509_creds);
+    if (ret < 0)
+    {
+        *err = apr_psprintf(p, "GnuTLS: Failed to initialize"
+                            ": (%d) %s", ret,
+                            gnutls_strerror(ret));
+        return NULL;
+    }
+
 #ifdef ENABLE_SRP
     ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds);
@@ -698 +711 @@
     gnutls_srvconf_merge(dh_params, NULL);
 
+    gnutls_srvconf_merge(proxy_x509_key_file, NULL);
+    gnutls_srvconf_merge(proxy_x509_cert_file, NULL);
+    gnutls_srvconf_merge(proxy_x509_ca_file, NULL);
+
     /* FIXME: the following items are pre-allocated, and should be
      * properly disposed of before assigning in order to avoid leaks;
@@ -748 +765 @@
 }
 
+/*
+ * Store paths to proxy credentials
+ *
+ * This function copies the paths provided in the configuration file
+ * into the server configuration. The post configuration hook takes
+ * care of actually loading the credentials, which means than invalid
+ * paths or the like will be detected there.
+ */
+const char *mgs_store_cred_path(cmd_parms * parms,
+                                void *dummy __attribute__((unused)),
+                                const char *arg)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(parms->server->module_config, &gnutls_module);
+
+    /* parms->directive->directive contains the directive string */
+    if (!strcasecmp(parms->directive->directive, "GnuTLSProxyKeyFile"))
+        sc->proxy_x509_key_file = apr_pstrdup(parms->pool, arg);
+    else if (!strcasecmp(parms->directive->directive,
+                         "GnuTLSProxyCertificateFile"))
+        sc->proxy_x509_cert_file = apr_pstrdup(parms->pool, arg);
+    else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyCAFile"))
+        sc->proxy_x509_ca_file = apr_pstrdup(parms->pool, arg);
+    /* TODO: Add CRL parameter */
+    return NULL;
+}