Changeset 68b5156 in mod_gnutls
- Timestamp:
- Dec 17, 2018, 1:12:17 PM (2 years ago)
- Branches:
- asyncio, debian/master, master, proxy-ticket
- Children:
- 0378c22
- Parents:
- 0fcba60
- Location:
- src
- Files:
-
- 2 added
- 2 edited
src/Makefile.am
r0fcba60 r68b5156 7 7 8 8 mod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c \ 9 gnutls_config.c gnutls_hooks.c gnutls_ocsp.c gnutls_ sni.c \10 gnutls_ util.c gnutls_watchdog.c9 gnutls_config.c gnutls_hooks.c gnutls_ocsp.c gnutls_proxy.c \ 10 gnutls_sni.c gnutls_util.c gnutls_watchdog.c 11 11 mod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS} 12 12 mod_gnutls_la_LDFLAGS = -module -avoid-version ${MODULE_LIBS} 13 noinst_HEADERS = gnutls_cache.h gnutls_config.h gnutls_ocsp.h gnutls_sni.h\14 gnutls_ util.h gnutls_watchdog.h13 noinst_HEADERS = gnutls_cache.h gnutls_config.h gnutls_ocsp.h \ 14 gnutls_proxy.h gnutls_sni.h gnutls_util.h gnutls_watchdog.h 15 15 16 16 apmodpkglib_LTLIBRARIES = mod_gnutls.la -
src/gnutls_hooks.c
r0fcba60 r68b5156 23 23 #include "gnutls_config.h" 24 24 #include "gnutls_ocsp.h" 25 #include "gnutls_proxy.h" 25 26 #include "gnutls_sni.h" 26 27 #include "gnutls_util.h" … … 67 68 static const char* mgs_x509_construct_uid(request_rec * pool, gnutls_x509_crt_t cert); 68 69 #endif 69 static int load_proxy_x509_credentials(apr_pool_t *pconf, apr_pool_t *ptemp, server_rec *s)70 __attribute__((nonnull));71 70 72 71 /* Pool Cleanup Function */ … … 2071 2070 return OK; 2072 2071 } 2073 2074 2075 2076 /*2077 * Callback to check the server certificate for proxy HTTPS2078 * connections, to be used with2079 * gnutls_certificate_set_verify_function.2080 2081 * Returns: 0 if certificate check was successful (certificate2082 * trusted), non-zero otherwise (error during check or untrusted2083 * certificate).2084 */2085 static int gtls_check_server_cert(gnutls_session_t session)2086 {2087 mgs_handle_t *ctxt = (mgs_handle_t *) gnutls_session_get_ptr(session);2088 unsigned int status;2089 2090 /* Get peer hostname from a note left by mod_proxy */2091 const char *peer_hostname =2092 apr_table_get(ctxt->c->notes, PROXY_SNI_NOTE);2093 if (peer_hostname == NULL)2094 ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, ctxt->c,2095 "%s: " PROXY_SNI_NOTE " NULL, cannot check "2096 "peer's hostname", __func__);2097 2098 /* Verify certificate, including hostname match. Should2099 * peer_hostname be NULL for some reason, the name is not2100 * checked. 
*/2101 int err = gnutls_certificate_verify_peers3(session, peer_hostname,2102 &status);2103 if (err != GNUTLS_E_SUCCESS)2104 {2105 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, ctxt->c,2106 "%s: server certificate check failed: %s (%d)",2107 __func__, gnutls_strerror(err), err);2108 return err;2109 }2110 2111 if (status == 0)2112 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,2113 "%s: server certificate is trusted.",2114 __func__);2115 else2116 {2117 gnutls_datum_t out;2118 /* GNUTLS_CRT_X509: ATM, only X509 is supported for proxy2119 * certs 0: according to function API, the last argument2120 * should be 0 */2121 err = gnutls_certificate_verification_status_print(status,2122 GNUTLS_CRT_X509,2123 &out, 0);2124 if (err != GNUTLS_E_SUCCESS)2125 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, ctxt->c,2126 "%s: server verify print failed: %s (%d)",2127 __func__, gnutls_strerror(err), err);2128 else2129 ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, ctxt->c,2130 "%s: %s",2131 __func__, out.data);2132 gnutls_free(out.data);2133 }2134 2135 return status;2136 }2137 2138 2139 2140 static apr_status_t cleanup_proxy_x509_credentials(void *arg)2141 {2142 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) arg;2143 2144 if (sc->proxy_x509_creds)2145 {2146 /* This implicitly releases the associated trust list2147 * sc->proxy_x509_tl, too. */2148 gnutls_certificate_free_credentials(sc->proxy_x509_creds);2149 sc->proxy_x509_creds = NULL;2150 sc->proxy_x509_tl = NULL;2151 }2152 2153 if (sc->anon_client_creds)2154 {2155 gnutls_anon_free_client_credentials(sc->anon_client_creds);2156 sc->anon_client_creds = NULL;2157 }2158 2159 /* Deinit proxy priorities only if set from2160 * sc->proxy_priorities_str. Otherwise the server is using the2161 * default global priority cache, which must not be deinitialized2162 * here. 
*/2163 if (sc->proxy_priorities_str && sc->proxy_priorities)2164 {2165 gnutls_priority_deinit(sc->proxy_priorities);2166 sc->proxy_priorities = NULL;2167 }2168 2169 return APR_SUCCESS;2170 }2171 2172 2173 2174 static apr_status_t load_proxy_x509_credentials(apr_pool_t *pconf,2175 apr_pool_t *ptemp,2176 server_rec *s)2177 {2178 mgs_srvconf_rec *sc = (mgs_srvconf_rec *)2179 ap_get_module_config(s->module_config, &gnutls_module);2180 2181 if (sc == NULL)2182 return APR_EGENERAL;2183 2184 apr_status_t ret = APR_EINIT;2185 int err = GNUTLS_E_SUCCESS;2186 2187 /* Cleanup function for the GnuTLS structures allocated below */2188 apr_pool_cleanup_register(pconf, sc, cleanup_proxy_x509_credentials,2189 apr_pool_cleanup_null);2190 2191 /* Function pool, gets destroyed before exit. */2192 apr_pool_t *pool;2193 ret = apr_pool_create(&pool, ptemp);2194 if (ret != APR_SUCCESS)2195 {2196 ap_log_error(APLOG_MARK, APLOG_ERR, ret, s,2197 "%s: failed to allocate function memory pool.", __func__);2198 return ret;2199 }2200 2201 /* allocate credentials structures */2202 err = gnutls_certificate_allocate_credentials(&sc->proxy_x509_creds);2203 if (err != GNUTLS_E_SUCCESS)2204 {2205 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,2206 "%s: Failed to initialize proxy credentials: (%d) %s",2207 __func__, err, gnutls_strerror(err));2208 return APR_EGENERAL;2209 }2210 err = gnutls_anon_allocate_client_credentials(&sc->anon_client_creds);2211 if (err != GNUTLS_E_SUCCESS)2212 {2213 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,2214 "%s: Failed to initialize anon credentials for proxy: "2215 "(%d) %s", __func__, err, gnutls_strerror(err));2216 return APR_EGENERAL;2217 }2218 2219 /* Check if the proxy priorities have been set, fail immediately2220 * if not */2221 if (sc->proxy_priorities_str == NULL)2222 {2223 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,2224 "No GnuTLSProxyPriorities directive for host '%s:%d', "2225 "using default '%s'.",2226 s->server_hostname, s->addrs->host_port,2227 
MGS_DEFAULT_PRIORITY);2228 sc->proxy_priorities = mgs_get_default_prio();2229 }2230 else2231 {2232 /* parse proxy priorities */2233 const char *err_pos = NULL;2234 err = gnutls_priority_init(&sc->proxy_priorities,2235 sc->proxy_priorities_str, &err_pos);2236 if (err != GNUTLS_E_SUCCESS)2237 {2238 if (ret == GNUTLS_E_INVALID_REQUEST)2239 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,2240 "%s: Syntax error parsing proxy priorities "2241 "string at: %s",2242 __func__, err_pos);2243 else2244 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,2245 "Error setting proxy priorities: %s (%d)",2246 gnutls_strerror(err), err);2247 ret = APR_EGENERAL;2248 }2249 }2250 2251 /* load certificate and key for client auth, if configured */2252 if (sc->proxy_x509_key_file && sc->proxy_x509_cert_file)2253 {2254 char* cert_file = ap_server_root_relative(pool,2255 sc->proxy_x509_cert_file);2256 char* key_file = ap_server_root_relative(pool,2257 sc->proxy_x509_key_file);2258 err = gnutls_certificate_set_x509_key_file(sc->proxy_x509_creds,2259 cert_file,2260 key_file,2261 GNUTLS_X509_FMT_PEM);2262 if (err != GNUTLS_E_SUCCESS)2263 {2264 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,2265 "%s: loading proxy client credentials failed: %s (%d)",2266 __func__, gnutls_strerror(err), err);2267 ret = APR_EGENERAL;2268 }2269 }2270 else if (!sc->proxy_x509_key_file && sc->proxy_x509_cert_file)2271 {2272 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,2273 "%s: proxy key file not set!", __func__);2274 ret = APR_EGENERAL;2275 }2276 else if (!sc->proxy_x509_cert_file && sc->proxy_x509_key_file)2277 {2278 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,2279 "%s: proxy certificate file not set!", __func__);2280 ret = APR_EGENERAL;2281 }2282 else2283 /* if both key and cert are NULL, client auth is not used */2284 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,2285 "%s: no client credentials for proxy", __func__);2286 2287 /* must be set if the server certificate is to be checked */2288 if (sc->proxy_x509_ca_file)2289 {2290 /* 
initialize the trust list */2291 err = gnutls_x509_trust_list_init(&sc->proxy_x509_tl, 0);2292 if (err != GNUTLS_E_SUCCESS)2293 {2294 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,2295 "%s: gnutls_x509_trust_list_init failed: %s (%d)",2296 __func__, gnutls_strerror(err), err);2297 ret = APR_EGENERAL;2298 }2299 2300 char* ca_file = ap_server_root_relative(pool,2301 sc->proxy_x509_ca_file);2302 /* if no CRL is used, sc->proxy_x509_crl_file is NULL */2303 char* crl_file = NULL;2304 if (sc->proxy_x509_crl_file)2305 crl_file = ap_server_root_relative(pool,2306 sc->proxy_x509_crl_file);2307 2308 /* returns number of loaded elements */2309 err = gnutls_x509_trust_list_add_trust_file(sc->proxy_x509_tl,2310 ca_file,2311 crl_file,2312 GNUTLS_X509_FMT_PEM,2313 0 /* tl_flags */,2314 0 /* tl_vflags */);2315 if (err > 0)2316 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,2317 "%s: proxy CA trust list: %d structures loaded",2318 __func__, err);2319 else if (err == 0)2320 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,2321 "%s: proxy CA trust list is empty (%d)",2322 __func__, err);2323 else /* err < 0 */2324 {2325 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,2326 "%s: error loading proxy CA trust list: %s (%d)",2327 __func__, gnutls_strerror(err), err);2328 ret = APR_EGENERAL;2329 }2330 2331 /* attach trust list to credentials */2332 gnutls_certificate_set_trust_list(sc->proxy_x509_creds,2333 sc->proxy_x509_tl, 0);2334 }2335 else2336 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,2337 "%s: no CA trust list for proxy connections, "2338 "TLS connections will fail!", __func__);2339 2340 gnutls_certificate_set_verify_function(sc->proxy_x509_creds,2341 gtls_check_server_cert);2342 apr_pool_destroy(pool);2343 return ret;2344 }
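Review bot: The forward declaration removed at old lines 69–70 carried `__attribute__((nonnull))` on load_proxy_x509_credentials, and after this change the only declaration reaching gnutls_hooks.c is whatever the new `#include "gnutls_proxy.h"` on line 25 provides; that header is not shown in this changeset view, so please confirm its prototype keeps the attribute, otherwise the compiler silently stops diagnosing NULL pool or server_rec arguments at the call sites. The prototype there should also match the moved definition's return type rather than the old declaration's `int`, i.e. `apr_status_t load_proxy_x509_credentials(apr_pool_t *pconf, apr_pool_t *ptemp, server_rec *s) __attribute__((nonnull));`. The removed bodies of gtls_check_server_cert, cleanup_proxy_x509_credentials and load_proxy_x509_credentials (old lines 2073–2344) are history here and presumably reappear in gnutls_proxy.c, which is where their verification logic should be reviewed.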