Changeset 33fa7d5 in mod_gnutls

Timestamp:

Jan 12, 2020, 4:34:33 PM (8 months ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

master, proxy-ticket

Children:

9bc842e

Parents:

5c9ca6b

Message:

Ensure stapling is active for server certificates with "must-staple"

RFC 7633, 4.3.2:

A server SHOULD verify that its configuration is compatible with the
TLS feature extension expressed in a certificate it presents.

Files:

• src/gnutls_hooks.c (modified) (5 diffs)
• test/authority/subca/server/template.in (modified) (1 diff)
• test/tests/00_basic/apache.conf (modified) (1 diff)

src/gnutls_hooks.c

@@ -37 +37 @@
 #include <apr_want.h>
 
+#include <gnutls/x509-ext.h>
+
 #ifdef ENABLE_MSVA
 #include <msv/msv.h>
@@ -51 +53 @@
 #define IS_PROXY_STR(c) \
     ((c->is_proxy == GNUTLS_ENABLED_TRUE) ? "proxy " : "")
+
+/** Feature number for "must-staple" in the RFC 7633 X.509 TLS Feature
+ * Extension (status_request, defined in RFC 6066) */
+#define TLSFEATURE_MUST_STAPLE 5
 
 /** Key to encrypt session tickets. Must be kept secret. This key is
@@ -527 +533 @@
 
 /**
+ * Pool cleanup hook to release a gnutls_x509_tlsfeatures_t structure.
+ */
+apr_status_t mgs_cleanup_tlsfeatures(void *data)
+{
+    gnutls_x509_tlsfeatures_t feat = *((gnutls_x509_tlsfeatures_t*) data);
+    gnutls_x509_tlsfeatures_deinit(feat);
+    return APR_SUCCESS;
+}
+
+
+
+/**
  * Post config hook.
  *
@@ -608 +626 @@
     sc_base->singleton_wd =
         mgs_new_singleton_watchdog(base_server, MGS_SINGLETON_WATCHDOG, pconf);
+
+    gnutls_x509_tlsfeatures_t *must_staple =
+        apr_palloc(ptemp, sizeof(gnutls_x509_tlsfeatures_t));
+    gnutls_x509_tlsfeatures_init(must_staple);
+    gnutls_x509_tlsfeatures_add(*must_staple, TLSFEATURE_MUST_STAPLE);
+    apr_pool_cleanup_register(ptemp, must_staple,
+                              mgs_cleanup_tlsfeatures,
+                              apr_pool_cleanup_null);
 
     for (s = base_server; s; s = s->next)
@@ -728 +754 @@
         }
 
+        if (sc->certs_x509_chain_num > 0
+            && gnutls_x509_tlsfeatures_check_crt(*must_staple,
+                                                 sc->certs_x509_crt_chain[0])
+            && sc->ocsp_staple == GNUTLS_ENABLED_FALSE)
+        {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                         "Must-Staple is set in the host certificate "
+                         "of '%s:%d', but stapling is disabled!",
+                         s->server_hostname, s->addrs->host_port);
+            return HTTP_UNAUTHORIZED;
+        }
+
         if (sc->enabled == GNUTLS_ENABLED_TRUE
             && sc->proxy_enabled == GNUTLS_ENABLED_TRUE

test/authority/subca/server/template.in

@@ -5 +5 @@
 encryption_key
 dns_name="__HOSTNAME__"
+# must-staple
+tls_feature = 5
 __OCSP_URI__
 __IP_ADDRESSES__

test/tests/00_basic/apache.conf

@@ -6 +6 @@
  ServerName ${TEST_HOST}
  GnuTLSEnable On
- GnuTLSCertificateFile  authority/subca/server/x509-chain.pem
- GnuTLSKeyFile          authority/subca/server/secret.key
+ GnuTLSCertificateFile  authority/server/x509-chain.pem
+ GnuTLSKeyFile          authority/server/secret.key
 </VirtualHost>