Changeset 836c2f9 in mod_gnutls for src/gnutls_hooks.c
- Timestamp:
- May 24, 2005, 1:55:17 PM (18 years ago)
- Branches:
- asyncio, debian/master, debian/stretch-backports, jessie-backports, master, msva, proxy-ticket, upstream
- Children:
- 740a39e
- Parents:
- 84cb5b2
- File:
-
- 1 edited
src/gnutls_hooks.c
r84cb5b2 r836c2f9 587 587 return DECLINED; 588 588 } 589 ap_add_common_vars(r); 590 mgs_hook_fixups(r); 591 status = mgs_authz_lua(r); 592 if (status != 0) { 593 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 594 "GnuTLS: FAILED Lua Authorization Test"); 595 return HTTP_FORBIDDEN; 596 } 589 597 590 if (dc->client_verify_mode == GNUTLS_CERT_IGNORE) { 598 591 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 599 592 "GnuTLS: Directory set to Ignore Client Certificate!"); 600 return DECLINED; 601 } 602 603 if (ctxt->sc->client_verify_mode < dc->client_verify_mode) { 604 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 605 "GnuTLS: Attempting to rehandshake with peer. %d %d", 606 ctxt->sc->client_verify_mode, dc->client_verify_mode); 593 } 594 else { 595 if (ctxt->sc->client_verify_mode < dc->client_verify_mode) { 596 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 597 "GnuTLS: Attempting to rehandshake with peer. %d %d", 598 ctxt->sc->client_verify_mode, dc->client_verify_mode); 607 599 608 gnutls_certificate_server_set_request(ctxt->session,600 gnutls_certificate_server_set_request(ctxt->session, 609 601 dc->client_verify_mode); 610 602 611 if (mgs_rehandshake(ctxt) != 0) {612 return HTTP_FORBIDDEN;613 }614 }615 else if (ctxt->sc->client_verify_mode == GNUTLS_CERT_IGNORE) {603 if (mgs_rehandshake(ctxt) != 0) { 604 return HTTP_FORBIDDEN; 605 } 606 } 607 else if (ctxt->sc->client_verify_mode == GNUTLS_CERT_IGNORE) { 616 608 #if MOD_GNUTLS_DEBUG 617 609 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 618 610 "GnuTLS: Peer is set to IGNORE"); 619 611 #endif 620 return DECLINED; 621 } 622 623 rv = gnutls_certificate_verify_peers2(ctxt->session, &status); 612 } 613 else { 614 rv = mgs_cert_verify(r, ctxt); 615 if (rv != DECLINED) { 616 return rv; 617 } 618 } 619 620 621 static int mgs_cert_verify(request_rec *r, mgs_handle_t *ctxt) 622 { 623 const gnutls_datum_t* cert_list; 624 int cert_list_size; 625 gnutls_x509_crt_t cert; 626 627 628 cert_list = 
gnutls_certificate_get_peers(ctxt->session, &cert_list_size); 629 630 if (cert_list == NULL || cert_list_size == 0) { 631 /* no certificate provided by the client, but one was required. */ 632 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 633 "GnuTLS: Failed to Verify Peer: " 634 "Client did not submit a certificate"); 635 return HTTP_FORBIDDEN; 636 } 637 638 if (cert_list_size > 1) { 639 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 640 "GnuTLS: Failed to Verify Peer: " 641 "Chained Client Certificates are not supported."); 642 return HTTP_FORBIDDEN; 643 } 644 645 gnutls_x509_crt_init(&cert); 646 gnutls_x509_crt_import(cert, &cert_chain[0], GNUTLS_X509_FMT_DER); 647 648 rv = gnutls_x509_crt_verify(cert, ctxt->sc->ca_list, ctxt->sc->ca_list_size, 0, &status); 624 649 625 650 if (rv < 0) { … … 630 655 } 631 656 632 if (status < 0) { 633 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 634 "GnuTLS: Peer Status is invalid."); 657 if (status < 0) { 658 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 659 "GnuTLS: Peer Status is invalid."); 660 return HTTP_FORBIDDEN; 661 } 662 663 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) { 664 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 665 "GnuTLS: Could not find Signer for Peer Certificate"); 666 } 667 668 if (status & GNUTLS_CERT_SIGNER_NOT_CA) { 669 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 670 "GnuTLS: Could not find CA for Peer Certificate"); 671 } 672 673 if (status & GNUTLS_CERT_INVALID) { 674 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 675 "GnuTLS: Peer Certificate is invalid."); 676 return HTTP_FORBIDDEN; 677 } 678 else if (status & GNUTLS_CERT_REVOKED) { 679 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 680 "GnuTLS: Peer Certificate is revoked."); 681 return HTTP_FORBIDDEN; 682 } 683 684 /* TODO: OpenPGP Certificates */ 685 if (gnutls_certificate_type_get(ctxt->session) != GNUTLS_CRT_X509) { 686 ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, 687 "GnuTLS: Only x509 is supported for client certificates"); 688 return HTTP_FORBIDDEN; 689 } 690 
/* TODO: Further Verification. */ 691 // gnutls_x509_crt_get_expiration_time() < time 692 // gnutls_x509_crt_get_activation_time() > time 693 /// ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); 694 ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, 695 "GnuTLS: Verified Peer."); 696 } 697 698 ap_add_common_vars(r); 699 mgs_hook_fixups(r); 700 status = mgs_authz_lua(r); 701 702 if (status != 0) { 703 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 704 "GnuTLS: FAILED Authorization Test"); 635 705 return HTTP_FORBIDDEN; 636 706 } 637 638 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) { 639 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 640 "GnuTLS: Could not find Signer for Peer Certificate"); 641 } 642 643 if (status & GNUTLS_CERT_SIGNER_NOT_CA) { 644 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 645 "GnuTLS: Could not find CA for Peer Certificate"); 646 } 647 648 if (status & GNUTLS_CERT_INVALID) { 649 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 650 "GnuTLS: Peer Certificate is invalid."); 651 return HTTP_FORBIDDEN; 652 } 653 else if (status & GNUTLS_CERT_REVOKED) { 654 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 655 "GnuTLS: Peer Certificate is revoked."); 656 return HTTP_FORBIDDEN; 657 } 658 659 /* TODO: OpenPGP Certificates */ 660 if (gnutls_certificate_type_get(ctxt->session) != GNUTLS_CRT_X509) { 661 ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, 662 "GnuTLS: Only x509 is supported for client certificates"); 663 return HTTP_FORBIDDEN; 664 } 665 /* TODO: Further Verification. */ 666 ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, 667 "GnuTLS: Verified Peer."); 668 return OK; 669 } 670 707 708 } 709
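Review bot: In the new mgs_cert_verify the import call reads `&cert_chain[0]` while the only declared list is `cert_list`, and `rv` and `status` are used without any local declaration, so the function does not look compilable as shown. The results of gnutls_x509_crt_init() and gnutls_x509_crt_import() are not checked, the imported certificate is never released with gnutls_x509_crt_deinit() on any path, and the success path after the "Verified Peer." log has no return statement although the caller treats anything other than DECLINED as a final status. As rendered, the hook also appears to run the Lua authorization block twice (new lines 589-596 and 698-706) and to place the mgs_cert_verify definition inside the hook body; that may be an artifact of the changeset viewer, but it is worth confirming. The enclosing hook function starts before this section. The sketch below declares the locals, rejects a certificate that fails to import, releases the cert once verification has produced its status, and returns DECLINED on success.
```c
static int mgs_cert_verify(request_rec *r, mgs_handle_t *ctxt)
{
    const gnutls_datum_t *cert_list;
    int cert_list_size;
    gnutls_x509_crt_t cert;
    unsigned int status;
    int rv;

    /* … unchanged: gnutls_certificate_get_peers and the cert_list_size checks … */

    if (gnutls_x509_crt_init(&cert) < 0) {
        return HTTP_FORBIDDEN;
    }
    rv = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER);
    if (rv < 0) {
        gnutls_x509_crt_deinit(cert);
        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                      "GnuTLS: Failed to Verify Peer: "
                      "Could not import client certificate");
        return HTTP_FORBIDDEN;
    }

    rv = gnutls_x509_crt_verify(cert, ctxt->sc->ca_list, ctxt->sc->ca_list_size, 0, &status);
    gnutls_x509_crt_deinit(cert); /* nothing below reads cert; only rv/status and the session */

    /* … unchanged: rv and status checks, certificate type check, "Verified Peer." log … */
    return DECLINED;
}
```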