Changeset 7bebb42 in mod_gnutls for src/gnutls_hooks.c
- Timestamp:
- Nov 28, 2007, 1:29:21 PM (13 years ago)
- Branches:
- debian/master, debian/stretch-backports, jessie-backports, master, msva, proxy-ticket, upstream
- Children:
- 3e6bc31
- Parents:
- 8e33f2d
- git-author:
- Nikos Mavrogiannopoulos <nmav@…> (11/28/07 13:29:21)
- git-committer:
- Nokis Mavrogiannopoulos <nmav@…> (11/28/07 13:29:21)
- File:
-
- 1 edited
-
src/gnutls_hooks.c (modified) (22 diffs)
Legend:
- Unmodified
- Added
- Removed
-
src/gnutls_hooks.c
r8e33f2d r7bebb42 1 1 /** 2 2 * Copyright 2004-2005 Paul Querna 3 * Copyright 2007 Nikos Mavrogiannopoulos 3 4 * 4 5 * Licensed under the Apache License, Version 2.0 (the "License"); … … 29 30 30 31 #if MOD_GNUTLS_DEBUG 31 static apr_file_t *debug_log_fp;32 static apr_file_t *debug_log_fp; 32 33 #endif 33 34 34 35 static int mpm_is_threaded; 36 37 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt); 38 /* use side==0 for server and side==1 for client */ 39 static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, 40 int side, int export_certificates_enabled); 35 41 36 42 static apr_status_t mgs_cleanup_pre_config(void *data) … … 41 47 42 48 #if MOD_GNUTLS_DEBUG 43 static void gnutls_debug_log_all( int level, const char*str)49 static void gnutls_debug_log_all(int level, const char *str) 44 50 { 45 51 apr_file_printf(debug_log_fp, "<%d> %s\n", level, str); … … 47 53 #endif 48 54 49 int mgs_hook_pre_config(apr_pool_t * pconf, 50 apr_pool_t * plog, apr_pool_t * ptemp) 55 int 56 mgs_hook_pre_config(apr_pool_t * pconf, 57 apr_pool_t * plog, apr_pool_t * ptemp) 51 58 { 52 59 … … 54 61 ap_mpm_query(AP_MPMQ_IS_THREADED, &mpm_is_threaded); 55 62 if (mpm_is_threaded) { 56 63 gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); 57 64 } 58 65 #else … … 63 70 64 71 apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config, 65 72 apr_pool_cleanup_null); 66 73 67 74 #if MOD_GNUTLS_DEBUG 68 75 apr_file_open(&debug_log_fp, "/tmp/gnutls_debug", 69 APR_APPEND|APR_WRITE|APR_CREATE, APR_OS_DEFAULT, pconf); 76 APR_APPEND | APR_WRITE | APR_CREATE, APR_OS_DEFAULT, 77 pconf); 70 78 71 79 gnutls_global_set_log_level(9); … … 77 85 78 86 79 static gnutls_datum load_params(const char* file, server_rec* s,80 apr_pool_t* pool) 87 static gnutls_datum 88 load_params(const char *file, server_rec * s, apr_pool_t * pool) 81 89 { 82 90 gnutls_datum ret = { NULL, 0 }; 83 apr_file_t *fp;91 apr_file_t *fp; 84 92 apr_finfo_t finfo; 85 93 apr_status_t rv; 86 94 apr_size_t br = 0; 87 95 88 rv = apr_file_open(&fp, file, APR_READ |APR_BINARY, APR_OS_DEFAULT,89 96 rv = apr_file_open(&fp, file, APR_READ | APR_BINARY, APR_OS_DEFAULT, 97 pool); 90 98 if (rv != APR_SUCCESS) { 91 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, 92 "GnuTLS failed to load params file at: %s", file);93 99 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, 100 "GnuTLS failed to load params file at: %s. Will use internal params.", file); 101 return ret; 94 102 } 95 103 … … 97 105 98 106 if (rv != APR_SUCCESS) { 99 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, 100 101 102 } 103 104 ret.data = apr_palloc(pool, finfo.size +1);107 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, 108 "GnuTLS failed to stat params file at: %s", file); 109 return ret; 110 } 111 112 ret.data = apr_palloc(pool, finfo.size + 1); 105 113 rv = apr_file_read_full(fp, ret.data, finfo.size, &br); 106 114 107 115 if (rv != APR_SUCCESS) { 108 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, 109 110 116 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, 117 "GnuTLS failed to read params file at: %s", file); 118 return ret; 111 119 } 112 120 apr_file_close(fp); … … 117 125 } 118 126 119 int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog, 120 apr_pool_t * ptemp, 121 server_rec * base_server) 127 /* We don't support openpgp certificates, yet */ 128 const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 }; 129 130 static int mgs_select_virtual_server_cb( gnutls_session_t session) 131 { 132 mgs_handle_t *ctxt; 133 mgs_srvconf_rec *tsc; 134 int ret; 135 136 ctxt = gnutls_transport_get_ptr(session); 137 138 /* find the virtual server */ 139 tsc = mgs_find_sni_server(session); 140 141 if (tsc != NULL) 142 ctxt->sc = tsc; 143 144 gnutls_certificate_server_set_request(session, 145 ctxt->sc->client_verify_mode); 146 147 /* set the new server credentials 148 */ 149 150 gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, 151 ctxt->sc->certs); 152 153 gnutls_credentials_set(session, GNUTLS_CRD_ANON, 154 ctxt->sc->anon_creds); 155 156 if ( ctxt->sc->srp_tpasswd_conf_file != NULL && ctxt->sc->srp_tpasswd_file != NULL) { 157 gnutls_credentials_set(session, GNUTLS_CRD_SRP, 158 ctxt->sc->srp_creds); 159 } 160 161 /* update the priorities - to avoid negotiating a ciphersuite that is not 162 * enabled on this virtual server. Note that here we ignore the version 163 * negotiation. 164 */ 165 ret = gnutls_priority_set( session, ctxt->sc->priorities); 166 gnutls_certificate_type_set_priority( session, cert_type_prio); 167 168 169 /* actually it shouldn't fail since we have checked at startup */ 170 if (ret < 0) return ret; 171 172 /* allow separate caches per virtual host. Actually allowing the same is not 173 * a good idea, especially if they have different security requirements. 174 */ 175 mgs_cache_session_init(ctxt); 176 177 return 0; 178 } 179 180 static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st * ret) 181 { 182 mgs_handle_t *ctxt; 183 184 ctxt = gnutls_transport_get_ptr(session); 185 186 ret->type = GNUTLS_CRT_X509; 187 ret->ncerts = 1; 188 ret->deinit_all = 0; 189 190 ret->cert.x509 = &ctxt->sc->cert_x509; 191 ret->key.x509 = ctxt->sc->privkey_x509; 192 return 0; 193 } 194 195 const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n" 196 "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n" 197 "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n" 198 "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n" 199 "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n" 200 "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n" 201 "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n" 202 "-----END DH PARAMETERS-----\n"; 203 204 int 205 mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog, 206 apr_pool_t * ptemp, server_rec * base_server) 122 207 { 123 208 int rv; 124 int data_len;209 size_t data_len; 125 210 server_rec *s; 126 211 gnutls_dh_params_t dh_params; … … 131 216 int first_run = 0; 132 217 const char *userdata_key = "mgs_init"; 133 218 134 219 apr_pool_userdata_get(&data, userdata_key, base_server->process->pool); 135 220 if (data == NULL) { 136 137 apr_pool_userdata_set((const void *)1, userdata_key, 138 apr_pool_cleanup_null, 139 221 first_run = 1; 222 apr_pool_userdata_set((const void *) 1, userdata_key, 223 apr_pool_cleanup_null, 224 base_server->process->pool); 140 225 } 141 226 142 227 143 228 { 144 gnutls_datum pdata; 145 apr_pool_t* tpool; 146 s = base_server; 147 sc_base = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, 148 &gnutls_module); 149 150 apr_pool_create(&tpool, p); 151 152 gnutls_dh_params_init(&dh_params); 153 154 pdata = load_params(sc_base->dh_params_file, s, tpool); 155 156 if (pdata.size != 0) { 157 rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata, 158 GNUTLS_X509_FMT_PEM); 159 if (rv != 0) { 160 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 161 "GnuTLS: Unable to load DH Params: (%d) %s", 162 rv, gnutls_strerror(rv)); 163 exit(rv); 229 gnutls_datum pdata; 230 apr_pool_t *tpool; 231 s = base_server; 232 sc_base = 233 (mgs_srvconf_rec *) ap_get_module_config(s->module_config, 234 &gnutls_module); 235 236 apr_pool_create(&tpool, p); 237 238 gnutls_dh_params_init(&dh_params); 239 240 pdata = load_params(sc_base->dh_params_file, s, tpool); 241 242 if (pdata.size != 0) { 243 rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata, 244 GNUTLS_X509_FMT_PEM); 245 if (rv != 0) { 246 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 247 "GnuTLS: Unable to load DH Params: (%d) %s", 248 rv, gnutls_strerror(rv)); 249 exit(rv); 250 } 251 } else { 252 /* If the file does not exist use internal parameters 253 */ 254 pdata.data = (void*)static_dh_params; 255 pdata.size = sizeof( static_dh_params); 256 rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata, 257 GNUTLS_X509_FMT_PEM); 258 259 if (rv < 0) { 260 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 261 "GnuTLS: Unable to load internal DH Params." 262 " Shutting down."); 263 exit(-1); 164 264 } 165 } 166 else { 167 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 168 "GnuTLS: Unable to load DH Params." 169 " Shutting Down."); 170 exit(-1); 171 } 172 apr_pool_clear(tpool); 173 174 gnutls_rsa_params_init(&rsa_params); 175 176 pdata = load_params(sc_base->rsa_params_file, s, tpool); 177 178 if (pdata.size != 0) { 179 rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata, 180 GNUTLS_X509_FMT_PEM); 181 if (rv != 0) { 182 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 183 "GnuTLS: Unable to load RSA Params: (%d) %s", 184 rv, gnutls_strerror(rv)); 185 exit(rv); 186 } 187 } 188 else { 189 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 190 "GnuTLS: Unable to load RSA Params." 191 " Shutting Down."); 192 exit(-1); 193 } 194 195 apr_pool_destroy(tpool); 196 rv = mgs_cache_post_config(p, s, sc_base); 197 if (rv != 0) { 198 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, 199 "GnuTLS: Post Config for GnuTLSCache Failed." 200 " Shutting Down."); 201 exit(-1); 202 } 203 204 for (s = base_server; s; s = s->next) { 205 sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, 206 &gnutls_module); 207 sc->cache_type = sc_base->cache_type; 208 sc->cache_config = sc_base->cache_config; 209 210 gnutls_certificate_set_rsa_export_params(sc->certs, 211 rsa_params); 212 gnutls_certificate_set_dh_params(sc->certs, dh_params); 213 214 if (sc->cert_x509 == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) { 215 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, 216 "[GnuTLS] - Host '%s:%d' is missing a " 217 "Certificate File!", 218 s->server_hostname, s->port); 219 exit(-1); 265 } 266 apr_pool_clear(tpool); 267 268 rsa_params = NULL; 269 270 pdata = load_params(sc_base->rsa_params_file, s, tpool); 271 272 if (pdata.size != 0) { 273 gnutls_rsa_params_init(&rsa_params); 274 rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata, 275 GNUTLS_X509_FMT_PEM); 276 if (rv != 0) { 277 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 278 "GnuTLS: Unable to load RSA Params: (%d) %s", 279 rv, gnutls_strerror(rv)); 280 exit(rv); 281 } 282 } 283 /* not an error but RSA-EXPORT ciphersuites are not available 284 */ 285 286 apr_pool_destroy(tpool); 287 rv = mgs_cache_post_config(p, s, sc_base); 288 if (rv != 0) { 289 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, 290 "GnuTLS: Post Config for GnuTLSCache Failed." 291 " Shutting Down."); 292 exit(-1); 293 } 294 295 for (s = base_server; s; s = s->next) { 296 sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, 297 &gnutls_module); 298 sc->cache_type = sc_base->cache_type; 299 sc->cache_config = sc_base->cache_config; 300 301 if (rsa_params != NULL) 302 gnutls_certificate_set_rsa_export_params(sc->certs, 303 rsa_params); 304 gnutls_certificate_set_dh_params(sc->certs, dh_params); 305 306 gnutls_anon_set_server_dh_params( sc->anon_creds, dh_params); 307 308 gnutls_certificate_server_set_retrieve_function(sc->certs, 309 cert_retrieve_fn); 310 311 if ( sc->srp_tpasswd_conf_file != NULL && sc->srp_tpasswd_file != NULL) { 312 gnutls_srp_set_server_credentials_file( sc->srp_creds, 313 sc->srp_tpasswd_file, sc->srp_tpasswd_conf_file); 220 314 } 221 315 222 if (sc->privkey_x509 == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) { 223 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, 224 "[GnuTLS] - Host '%s:%d' is missing a " 225 "Private Key File!", 226 s->server_hostname, s->port); 227 exit(-1); 316 if (sc->cert_x509 == NULL 317 && sc->enabled == GNUTLS_ENABLED_TRUE) { 318 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, 319 "[GnuTLS] - Host '%s:%d' is missing a " 320 "Certificate File!", s->server_hostname, 321 s->port); 322 exit(-1); 323 } 324 325 if (sc->privkey_x509 == NULL 326 && sc->enabled == GNUTLS_ENABLED_TRUE) { 327 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, 328 "[GnuTLS] - Host '%s:%d' is missing a " 329 "Private Key File!", 330 s->server_hostname, s->port); 331 exit(-1); 332 } 333 334 if (sc->enabled == GNUTLS_ENABLED_TRUE) { 335 rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509, 336 GNUTLS_OID_X520_COMMON_NAME, 337 0, 0, NULL, &data_len); 338 339 if (data_len < 1) { 340 sc->enabled = GNUTLS_ENABLED_FALSE; 341 sc->cert_cn = NULL; 342 continue; 343 } 344 345 sc->cert_cn = apr_palloc(p, data_len); 346 rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509, 347 GNUTLS_OID_X520_COMMON_NAME, 348 0, 0, sc->cert_cn, 349 &data_len); 228 350 } 229 230 rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509, 231 GNUTLS_OID_X520_COMMON_NAME, 0, 0, 232 NULL, &data_len); 233 234 if (data_len < 1) { 235 sc->enabled = GNUTLS_ENABLED_FALSE; 236 sc->cert_cn = NULL; 237 continue; 238 } 239 240 sc->cert_cn = apr_palloc(p, data_len); 241 rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509, 242 GNUTLS_OID_X520_COMMON_NAME, 0, 0, 243 sc->cert_cn, &data_len); 244 } 351 } 245 352 } 246 353 … … 250 357 } 251 358 252 void mgs_hook_child_init(apr_pool_t * p, server_rec *s)359 void mgs_hook_child_init(apr_pool_t * p, server_rec * s) 253 360 { 254 361 apr_status_t rv = APR_SUCCESS; 255 362 mgs_srvconf_rec *sc = ap_get_module_config(s->module_config, 256 363 &gnutls_module); 257 364 258 365 if (sc->cache_type != mgs_cache_none) { 259 rv = mgs_cache_child_init(p, s, sc); 260 if(rv != APR_SUCCESS) { 261 ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, 262 "[GnuTLS] - Failed to run Cache Init"); 263 } 264 } 265 else { 266 ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s, 267 "[GnuTLS] - No Cache Configured. Hint: GnuTLSCache"); 366 rv = mgs_cache_child_init(p, s, sc); 367 if (rv != APR_SUCCESS) { 368 ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, 369 "[GnuTLS] - Failed to run Cache Init"); 370 } 371 } else { 372 ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s, 373 "[GnuTLS] - No Cache Configured. Hint: GnuTLSCache"); 268 374 } 269 375 } … … 272 378 { 273 379 mgs_srvconf_rec *sc = 274 (mgs_srvconf_rec *) ap_get_module_config(r->server-> 275 module_config, 276 &gnutls_module); 380 (mgs_srvconf_rec *) ap_get_module_config(r->server->module_config, 381 &gnutls_module); 277 382 278 383 if (sc->enabled == GNUTLS_ENABLED_FALSE) { 279 384 return NULL; 280 385 } 281 386 … … 286 391 { 287 392 mgs_srvconf_rec *sc = 288 (mgs_srvconf_rec *) ap_get_module_config(r->server-> 289 module_config, 290 &gnutls_module); 393 (mgs_srvconf_rec *) ap_get_module_config(r->server->module_config, 394 &gnutls_module); 291 395 292 396 if (sc->enabled == GNUTLS_ENABLED_FALSE) { 293 397 return 0; 294 398 } 295 399 … … 300 404 301 405 #if USING_2_1_RECENT 302 typedef struct 303 { 406 typedef struct { 304 407 mgs_handle_t *ctxt; 305 408 mgs_srvconf_rec *sc; 306 const char *sni_name;409 const char *sni_name; 307 410 } vhost_cb_rec; 308 411 309 static int vhost_cb (void* baton, conn_rec* conn, server_rec* s)412 static int vhost_cb(void *baton, conn_rec * conn, server_rec * s) 310 413 { 311 414 mgs_srvconf_rec *tsc; 312 vhost_cb_rec *x = baton;415 vhost_cb_rec *x = baton; 313 416 314 417 tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, 315 316 418 &gnutls_module); 419 317 420 if (tsc->enabled != GNUTLS_ENABLED_TRUE || tsc->cert_cn == NULL) { 318 319 } 320 421 return 0; 422 } 423 321 424 /* The CN can contain a * -- this will match those too. */ 322 425 if (ap_strcasecmp_match(x->sni_name, tsc->cert_cn) == 0) { 323 426 /* found a match */ 324 427 #if MOD_GNUTLS_DEBUG 325 326 327 328 329 #endif 330 331 332 333 334 335 336 337 338 428 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, 429 x->ctxt->c->base_server, 430 "GnuTLS: Virtual Host CB: " 431 "'%s' == '%s'", tsc->cert_cn, x->sni_name); 432 #endif 433 /* Because we actually change the server used here, we need to reset 434 * things like ClientVerify. 435 */ 436 x->sc = tsc; 437 /* Shit. Crap. Dammit. We *really* should rehandshake here, as our 438 * certificate structure *should* change when the server changes. 439 * acccckkkkkk. 440 */ 441 return 1; 339 442 } 340 443 return 0; … … 342 445 #endif 343 446 344 mgs_srvconf_rec * mgs_find_sni_server(gnutls_session_t session)447 mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session) 345 448 { 346 449 int rv; 347 int sni_type;348 int data_len = MAX_HOST_LEN;450 unsigned int sni_type; 451 size_t data_len = MAX_HOST_LEN; 349 452 char sni_name[MAX_HOST_LEN]; 350 453 mgs_handle_t *ctxt; … … 352 455 vhost_cb_rec cbx; 353 456 #else 354 server_rec *s;355 mgs_srvconf_rec *tsc; 356 #endif 357 457 server_rec *s; 458 mgs_srvconf_rec *tsc; 459 #endif 460 358 461 ctxt = gnutls_transport_get_ptr(session); 359 462 360 463 sni_type = gnutls_certificate_type_get(session); 361 464 if (sni_type != GNUTLS_CRT_X509) { 362 363 364 365 366 367 } 368 369 rv = gnutls_server_name_get(ctxt->session, sni_name, 370 371 465 /* In theory, we could support OpenPGP Certificates. Theory != code. */ 466 ap_log_error(APLOG_MARK, APLOG_CRIT, 0, 467 ctxt->c->base_server, 468 "GnuTLS: Only x509 Certificates are currently supported."); 469 return NULL; 470 } 471 472 rv = gnutls_server_name_get(ctxt->session, sni_name, 473 &data_len, &sni_type, 0); 474 372 475 if (rv != 0) { 373 374 } 375 476 return NULL; 477 } 478 376 479 if (sni_type != GNUTLS_NAME_DNS) { 377 378 379 380 381 382 } 383 480 ap_log_error(APLOG_MARK, APLOG_CRIT, 0, 481 ctxt->c->base_server, 482 "GnuTLS: Unknown type '%d' for SNI: " 483 "'%s'", sni_type, sni_name); 484 return NULL; 485 } 486 384 487 /** 385 488 * Code in the Core already sets up the c->base_server as the base … … 390 493 cbx.sc = NULL; 391 494 cbx.sni_name = sni_name; 392 495 393 496 rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx); 394 497 if (rv == 1) { 395 498 return cbx.sc; 396 499 } 397 500 #else 398 501 for (s = ap_server_conf; s; s = s->next) { 399 400 401 402 403 404 502 503 tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, 504 &gnutls_module); 505 if (tsc->enabled != GNUTLS_ENABLED_TRUE) { 506 continue; 507 } 405 508 #if MOD_GNUTLS_DEBUG 406 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, 407 ctxt->c->base_server, 408 "GnuTLS: sni-x509 cn: %s/%d pk: %s s: 0x%08X s->n: 0x%08X sc: 0x%08X", tsc->cert_cn, rv, 409 gnutls_pk_algorithm_get_name(gnutls_x509_privkey_get_pk_algorithm(ctxt->sc->privkey_x509)), 410 (unsigned int)s, (unsigned int)s->next, (unsigned int)tsc); 411 #endif 412 /* The CN can contain a * -- this will match those too. */ 413 if (ap_strcasecmp_match(sni_name, tsc->cert_cn) == 0) { 509 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, 510 ctxt->c->base_server, 511 "GnuTLS: sni-x509 cn: %s/%d pk: %s s: 0x%08X s->n: 0x%08X sc: 0x%08X", 512 tsc->cert_cn, rv, 513 gnutls_pk_algorithm_get_name 514 (gnutls_x509_privkey_get_pk_algorithm 515 (ctxt->sc->privkey_x509)), (unsigned int) s, 516 (unsigned int) s->next, (unsigned int) tsc); 517 #endif 518 /* The CN can contain a * -- this will match those too. */ 519 if (ap_strcasecmp_match(sni_name, tsc->cert_cn) == 0) { 414 520 #if MOD_GNUTLS_DEBUG 415 416 417 418 419 #endif 420 421 521 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, 522 ctxt->c->base_server, 523 "GnuTLS: Virtual Host: " 524 "'%s' == '%s'", tsc->cert_cn, sni_name); 525 #endif 526 return tsc; 527 } 422 528 } 423 529 #endif … … 426 532 427 533 428 static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st* ret) 429 { 430 mgs_handle_t *ctxt; 431 mgs_srvconf_rec *tsc; 432 433 ctxt = gnutls_transport_get_ptr(session); 434 435 ret->type = GNUTLS_CRT_X509; 436 ret->ncerts = 1; 437 ret->deinit_all = 0; 438 439 tsc = mgs_find_sni_server(session); 440 441 if (tsc != NULL) { 442 ctxt->sc = tsc; 443 gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode); 444 } 445 446 ret->cert.x509 = &ctxt->sc->cert_x509; 447 ret->key.x509 = ctxt->sc->privkey_x509; 448 return 0; 449 } 450 451 static mgs_handle_t* create_gnutls_handle(apr_pool_t* pool, conn_rec * c) 534 static const int protocol_priority[] = { 535 GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 }; 536 537 538 static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c) 452 539 { 453 540 mgs_handle_t *ctxt; 454 541 mgs_srvconf_rec *sc = 455 456 457 542 (mgs_srvconf_rec *) ap_get_module_config(c->base_server-> 543 module_config, 544 &gnutls_module); 458 545 459 546 ctxt = apr_pcalloc(pool, sizeof(*ctxt)); … … 472 559 473 560 gnutls_init(&ctxt->session, GNUTLS_SERVER); 474 475 gnutls_protocol_set_priority(ctxt->session, sc->protocol);476 gnutls_cipher_set_priority(ctxt->session, sc->ciphers);477 gnutls_compression_set_priority(ctxt->session, sc->compression);478 gnutls_kx_set_priority(ctxt->session, sc->key_exchange);479 gnutls_mac_set_priority(ctxt->session, sc->macs);480 gnutls_certificate_type_set_priority(ctxt->session, sc->cert_types);481 482 mgs_cache_session_init(ctxt);483 561 484 gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE, ctxt->sc->certs); 485 486 gnutls_certificate_server_set_retrieve_function(sc->certs, cert_retrieve_fn); 487 gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode); 562 /* This is not very good as it trades security for compatibility, 563 * but it is the only way to be ultra-portable. 564 */ 565 gnutls_session_enable_compatibility_mode( ctxt->session); 566 567 /* because we don't set any default priorities here (we set later at 568 * the user hello callback) we need to at least set this in order for 569 * gnutls to be able to read packets. 570 */ 571 gnutls_protocol_set_priority( ctxt->session, protocol_priority); 572 573 gnutls_handshake_set_post_client_hello_function( ctxt->session, mgs_select_virtual_server_cb); 574 488 575 return ctxt; 489 576 } … … 493 580 mgs_handle_t *ctxt; 494 581 mgs_srvconf_rec *sc = 495 496 497 582 (mgs_srvconf_rec *) ap_get_module_config(c->base_server-> 583 module_config, 584 &gnutls_module); 498 585 499 586 if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) { 500 587 return DECLINED; 501 588 } 502 589 … … 505 592 ap_set_module_config(c->conn_config, &gnutls_module, ctxt); 506 593 507 gnutls_transport_set_pull_function(ctxt->session, 508 mgs_transport_read); 509 gnutls_transport_set_push_function(ctxt->session, 510 mgs_transport_write); 594 gnutls_transport_set_pull_function(ctxt->session, mgs_transport_read); 595 gnutls_transport_set_push_function(ctxt->session, mgs_transport_write); 511 596 gnutls_transport_set_ptr(ctxt->session, ctxt); 512 513 ctxt->input_filter = ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, ctxt,514 515 ctxt->output_filter = ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, ctxt,516 597 598 ctxt->input_filter = 599 ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, ctxt, NULL, c); 600 ctxt->output_filter = 601 ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, ctxt, NULL, c); 517 602 518 603 return OK; 519 604 } 520 605 521 int mgs_hook_fixups(request_rec * r)606 int mgs_hook_fixups(request_rec * r) 522 607 { 523 608 unsigned char sbuf[GNUTLS_MAX_SESSION_ID]; 524 609 char buf[AP_IOBUFSIZE]; 525 const char *tmp;526 int len;610 const char *tmp; 611 size_t len; 527 612 mgs_handle_t *ctxt; 528 613 int rv = OK; 529 614 530 615 apr_table_t *env = r->subprocess_env; 531 616 532 ctxt = ap_get_module_config(r->connection->conn_config, &gnutls_module); 533 534 if(!ctxt) { 535 return DECLINED; 617 ctxt = 618 ap_get_module_config(r->connection->conn_config, &gnutls_module); 619 620 if (!ctxt) { 621 return DECLINED; 536 622 } 537 623 538 624 apr_table_setn(env, "HTTPS", "on"); 539 625 540 apr_table_setn(env, " GNUTLS_VERSION_INTERFACE", MOD_GNUTLS_VERSION);541 apr_table_setn(env, " GNUTLS_VERSION_LIBRARY", LIBGNUTLS_VERSION);626 apr_table_setn(env, "SSL_VERSION_LIBRARY", "GnuTLS/"LIBGNUTLS_VERSION); 627 apr_table_setn(env, "SSL_VERSION_INTERFACE", "mod_gnutls/"MOD_GNUTLS_VERSION); 542 628 543 629 apr_table_setn(env, "SSL_PROTOCOL", 544 gnutls_protocol_get_name(gnutls_protocol_get_version(ctxt->session))); 545 630 gnutls_protocol_get_name(gnutls_protocol_get_version 631 (ctxt->session))); 632 633 /* should have been called SSL_CIPHERSUITE instead */ 546 634 apr_table_setn(env, "SSL_CIPHER", 547 gnutls_cipher_get_name(gnutls_cipher_get(ctxt->session))); 548 549 apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE"); 550 551 tmp = apr_psprintf(r->pool, "%d", 552 8 * gnutls_cipher_get_key_size(gnutls_cipher_get(ctxt->session))); 635 gnutls_cipher_suite_get_name( 636 gnutls_kx_get(ctxt->session), gnutls_cipher_get(ctxt->session), 637 gnutls_mac_get(ctxt->session))); 638 639 apr_table_setn(env, "SSL_COMPRESS_METHOD", 640 gnutls_compression_get_name(gnutls_compression_get 641 (ctxt->session))); 642 643 apr_table_setn(env, "SSL_SRP_USER", 644 gnutls_srp_server_get_username( ctxt->session)); 645 646 if (apr_table_get(env, "SSL_CLIENT_VERIFY") == NULL) 647 apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE"); 648 649 unsigned int key_size = 650 8 * gnutls_cipher_get_key_size(gnutls_cipher_get(ctxt->session)); 651 tmp = apr_psprintf(r->pool, "%u", key_size); 553 652 554 653 apr_table_setn(env, "SSL_CIPHER_USEKEYSIZE", tmp); 555 654 556 655 apr_table_setn(env, "SSL_CIPHER_ALGKEYSIZE", tmp); 656 657 apr_table_setn(env, "SSL_CIPHER_EXPORT", 658 (key_size <= 40) ? "true" : "false"); 557 659 558 660 len = sizeof(sbuf); … … 561 663 apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp)); 562 664 563 /* TODO: There are many other env vars that we need to add */ 564 { 565 len = sizeof(buf); 566 gnutls_x509_crt_get_dn(ctxt->sc->cert_x509, buf, &len); 567 apr_table_setn(env, "SSL_SERVER_S_DN", apr_pstrmemdup(r->pool, buf, len)); 568 569 len = sizeof(buf); 570 gnutls_x509_crt_get_issuer_dn(ctxt->sc->cert_x509, buf, &len); 571 apr_table_setn(env, "SSL_SERVER_I_DN", apr_pstrmemdup(r->pool, buf, len)); 572 } 665 mgs_add_common_cert_vars(r, ctxt->sc->cert_x509, 0, ctxt->sc->export_certificates_enabled); 666 573 667 return rv; 574 668 } 575 669 576 int mgs_hook_authz(request_rec * r)670 int mgs_hook_authz(request_rec * r) 577 671 { 578 672 int rv; 579 int status;580 673 mgs_handle_t *ctxt; 581 674 mgs_dirconf_rec *dc = ap_get_module_config(r->per_dir_config, 582 &gnutls_module); 583 584 ctxt = ap_get_module_config(r->connection->conn_config, &gnutls_module); 585 675 &gnutls_module); 676 677 ctxt = 678 ap_get_module_config(r->connection->conn_config, &gnutls_module); 679 586 680 if (!ctxt) { 587 681 return DECLINED; 588 682 } 589 683 590 684 if (dc->client_verify_mode == GNUTLS_CERT_IGNORE) { 591 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 592 "GnuTLS: Directory set to Ignore Client Certificate!"); 593 } 594 else { 595 if (ctxt->sc->client_verify_mode < dc->client_verify_mode) { 596 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 597 "GnuTLS: Attempting to rehandshake with peer. %d %d", 598 ctxt->sc->client_verify_mode, dc->client_verify_mode); 599 600 gnutls_certificate_server_set_request(ctxt->session, 601 dc->client_verify_mode); 602 603 if (mgs_rehandshake(ctxt) != 0) { 604 return HTTP_FORBIDDEN; 605 } 606 } 607 else if (ctxt->sc->client_verify_mode == GNUTLS_CERT_IGNORE) { 685 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 686 "GnuTLS: Directory set to Ignore Client Certificate!"); 687 } else { 688 if (ctxt->sc->client_verify_mode < dc->client_verify_mode) { 689 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 690 "GnuTLS: Attempting to rehandshake with peer. %d %d", 691 ctxt->sc->client_verify_mode, 692 dc->client_verify_mode); 693 694 gnutls_certificate_server_set_request(ctxt->session, 695 dc->client_verify_mode); 696 697 if (mgs_rehandshake(ctxt) != 0) { 698 return HTTP_FORBIDDEN; 699 } 700 } else if (ctxt->sc->client_verify_mode == GNUTLS_CERT_IGNORE) { 608 701 #if MOD_GNUTLS_DEBUG 609 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 610 "GnuTLS: Peer is set to IGNORE"); 611 #endif 612 } 613 else { 614 rv = mgs_cert_verify(r, ctxt); 615 if (rv != DECLINED) { 616 return rv; 617 } 618 } 619 620 621 static int mgs_cert_verify(request_rec *r, mgs_handle_t *ctxt) 622 { 623 const gnutls_datum_t* cert_list; 624 int cert_list_size; 702 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 703 "GnuTLS: Peer is set to IGNORE"); 704 #endif 705 } else { 706 rv = mgs_cert_verify(r, ctxt); 707 if (rv != DECLINED) { 708 return rv; 709 } 710 } 711 } 712 713 return DECLINED; 714 } 715 716 /* variables that are not sent by default: 717 * 718 * SSL_CLIENT_CERT string PEM-encoded client certificate 719 * SSL_SERVER_CERT string PEM-encoded client certificate 720 */ 721 722 /* side is either 0 for SERVER or 1 for CLIENT 723 */ 724 #define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT") 725 static void 726 mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side, int export_certificates_enabled) 727 { 728 unsigned char sbuf[64]; /* buffer to hold serials */ 729 char buf[AP_IOBUFSIZE]; 730 const char *tmp; 731 size_t len; 732 int alg; 733 734 apr_table_t *env = r->subprocess_env; 735 736 if (export_certificates_enabled != 0) { 737 char cert_buf[10*1024]; 738 len = sizeof(cert_buf); 739 740 if (gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0) 741 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL), 742 apr_pstrmemdup(r->pool, cert_buf, len)); 743 744 } 745 746 len = sizeof(buf); 747 gnutls_x509_crt_get_dn(cert, buf, &len); 748 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_S_DN", NULL), 749 apr_pstrmemdup(r->pool, buf, len)); 750 751 len = sizeof(buf); 752 gnutls_x509_crt_get_issuer_dn(cert, buf, &len); 753 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_I_DN", NULL), 754 apr_pstrmemdup(r->pool, buf, len)); 755 756 len = sizeof(sbuf); 757 gnutls_x509_crt_get_serial(cert, sbuf, &len); 758 tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf)); 759 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_M_SERIAL", NULL), 760 apr_pstrdup(r->pool, tmp)); 761 762 tmp = 763 mgs_time2sz(gnutls_x509_crt_get_expiration_time 764 (cert), buf, sizeof(buf)); 765 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_END", NULL), 766 apr_pstrdup(r->pool, tmp)); 767 768 tmp = 769 mgs_time2sz(gnutls_x509_crt_get_activation_time 770 (cert), buf, sizeof(buf)); 771 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL), 772 apr_pstrdup(r->pool, tmp)); 773 774 alg = gnutls_x509_crt_get_signature_algorithm( cert); 775 if (alg >= 0) { 776 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG", NULL), 777 gnutls_sign_algorithm_get_name( alg)); 778 } 779 780 alg = gnutls_x509_crt_get_pk_algorithm( cert, NULL); 781 if (alg >= 0) { 782 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY", NULL), 783 gnutls_pk_algorithm_get_name( alg)); 784 } 785 786 787 } 788 789 790 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) 791 { 792 const gnutls_datum_t *cert_list; 793 unsigned int cert_list_size, status, expired; 794 int rv, ret; 625 795 gnutls_x509_crt_t cert; 626 627 628 cert_list = gnutls_certificate_get_peers(ctxt->session, &cert_list_size); 796 apr_time_t activation_time, expiration_time, cur_time; 797 798 cert_list = 799 gnutls_certificate_get_peers(ctxt->session, &cert_list_size); 629 800 630 801 if (cert_list == NULL || cert_list_size == 0) { 631 /* no certificate provided by the client, but one was required. */ 632 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 633 "GnuTLS: Failed to Verify Peer: " 634 "Client did not submit a certificate"); 635 return HTTP_FORBIDDEN; 802 /* It is perfectly OK for a client not to send a certificate if on REQUEST mode 803 */ 804 if (ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUEST) 805 return OK; 806 807 /* no certificate provided by the client, but one was required. */ 808 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 809 "GnuTLS: Failed to Verify Peer: " 810 "Client did not submit a certificate"); 811 return HTTP_FORBIDDEN; 636 812 } 637 813 638 814 if (cert_list_size > 1) { 639 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 640 641 642 815 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 816 "GnuTLS: Failed to Verify Peer: " 817 "Chained Client Certificates are not supported."); 818 return HTTP_FORBIDDEN; 643 819 } 644 820 645 821 gnutls_x509_crt_init(&cert); 646 gnutls_x509_crt_import(cert, &cert_chain[0], GNUTLS_X509_FMT_DER); 647 648 rv = gnutls_x509_crt_verify(cert, ctxt->sc->ca_list, ctxt->sc->ca_list_size, 0, &status); 649 822 rv = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER); 650 823 if (rv < 0) { 651 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 652 "GnuTLS: Failed to Verify Peer: (%d) %s", 653 rv, gnutls_strerror(rv)); 654 return HTTP_FORBIDDEN; 655 } 656 657 if (status < 0) { 658 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 659 "GnuTLS: Peer Status is invalid."); 660 return HTTP_FORBIDDEN; 661 } 662 663 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) { 664 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 665 "GnuTLS: Could not find Signer for Peer Certificate"); 666 } 667 668 if (status & GNUTLS_CERT_SIGNER_NOT_CA) { 669 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 670 "GnuTLS: Could not find CA for Peer Certificate"); 671 } 672 673 if (status & GNUTLS_CERT_INVALID) { 674 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 675 "GnuTLS: Peer Certificate is invalid."); 676 return HTTP_FORBIDDEN; 677 } 678 else if (status & GNUTLS_CERT_REVOKED) { 679 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 680 "GnuTLS: Peer Certificate is revoked."); 681 return HTTP_FORBIDDEN; 682 } 683 684 /* TODO: OpenPGP Certificates */ 685 if (gnutls_certificate_type_get(ctxt->session) != GNUTLS_CRT_X509) { 686 ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, 687 "GnuTLS: Only x509 is supported for client certificates"); 688 return HTTP_FORBIDDEN; 689 } 690 /* TODO: Further Verification. */ 691 // gnutls_x509_crt_get_expiration_time() < time 692 // gnutls_x509_crt_get_activation_time() > time 824 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 825 "GnuTLS: Failed to Verify Peer: " 826 "Failed to import peer certificates."); 827 ret = HTTP_FORBIDDEN; 828 goto exit; 829 } 830 831 apr_time_ansi_put(&expiration_time, 832 gnutls_x509_crt_get_expiration_time(cert)); 833 apr_time_ansi_put(&activation_time, 834 gnutls_x509_crt_get_activation_time(cert)); 835 836 rv = gnutls_x509_crt_verify(cert, ctxt->sc->ca_list, 837 ctxt->sc->ca_list_size, 0, &status); 838 839 if (rv < 0) { 840 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 841 "GnuTLS: Failed to Verify Peer certificate: (%d) %s", 842 rv, gnutls_strerror(rv)); 843 ret = HTTP_FORBIDDEN; 844 goto exit; 845 } 846 847 expired = 0; 848 cur_time = apr_time_now(); 849 if (activation_time > cur_time) { 850 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 851 "GnuTLS: Failed to Verify Peer: " 852 "Peer Certificate is not yet activated."); 853 expired = 1; 854 } 855 856 if (expiration_time < cur_time) { 857 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 858 "GnuTLS: Failed to Verify Peer: " 859 "Peer Certificate is expired."); 860 expired = 1; 861 } 862 863 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) { 864 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 865 "GnuTLS: Could not find Signer for Peer Certificate"); 866 } 867 868 if (status & GNUTLS_CERT_SIGNER_NOT_CA) { 869 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 870 "GnuTLS: Peer's Certificate signer is not a CA"); 871 } 872 873 if (status & GNUTLS_CERT_INVALID) { 874 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 875 "GnuTLS: Peer Certificate is invalid."); 876 } else if (status & GNUTLS_CERT_REVOKED) { 877 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 878 "GnuTLS: Peer Certificate is revoked."); 879 } 880 881 /* TODO: Further Verification. */ 882 /* Revocation is X.509 non workable paradigm, I really doubt implementation 883 * is worth doing --nmav 884 */ 693 885 /// ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); 694 ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, 695 "GnuTLS: Verified Peer."); 696 } 697 698 ap_add_common_vars(r); 699 mgs_hook_fixups(r); 700 status = mgs_authz_lua(r); 701 702 if (status != 0) { 703 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 704 "GnuTLS: FAILED Authorization Test"); 705 return HTTP_FORBIDDEN; 706 } 707 708 } 709 886 887 // mgs_hook_fixups(r); 888 // rv = mgs_authz_lua(r); 889 890 mgs_add_common_cert_vars(r, cert, 1, ctxt->sc->export_certificates_enabled); 891 892 { 893 /* days remaining */ 894 unsigned long remain = (apr_time_sec(expiration_time) - apr_time_sec(cur_time))/86400; 895 apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN", 896 apr_psprintf(r->pool, "%lu", remain)); 897 } 898 899 if (status == 0 && expired == 0) { 900 apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY", "SUCCESS"); 901 ret = OK; 902 } else { 903 apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY", "FAILED"); 904 if (ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUEST) 905 ret = OK; 906 else 907 ret = HTTP_FORBIDDEN; 908 } 909 910 exit: 911 gnutls_x509_crt_deinit(cert); 912 return ret; 913 914 915 }
Note: See TracChangeset
for help on using the changeset viewer.
