Changeset e924ddd in mod_gnutls for src

Timestamp:

Apr 21, 2005, 8:26:57 PM (15 years ago)

Author:

Paul Querna <chip@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, master, msva, upstream

Children:

316bd8c

Parents:

31645b2

Message:

client auth is sort of working.

Location:

src

Files:

• gnutls_io.c (modified) (3 diffs)
• mod_gnutls.c (modified) (19 diffs)

src/gnutls_io.c

@@ -359 +359 @@
     int errcode;
     if (ctxt->status != 0) {
-        return 0;
+        return -1;
     }
 
 tryagain:
-
-    ret = gnutls_handshake(ctxt->session);
+    do {
+        ret = gnutls_handshake(ctxt->session);
+    } while (ret == GNUTLS_E_AGAIN);
+    
     if (ret < 0) {
         if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED
@@ -393 +395 @@
         /* all done with the handshake */
         ctxt->status = 1;
-        return ret;
+        return 0;
     }
 }
@@ -412 +414 @@
     ctxt->status = 0;
 
-    gnutls_do_handshake(ctxt);
-    
-    if (ctxt->status == 1) {
-        return 0;
-    }
-    else {
-        return -1;
-    }
+    rv = gnutls_do_handshake(ctxt);
+
+    return rv;
 }
 

src/mod_gnutls.c

@@ -17 +17 @@
 
 #include "mod_gnutls.h"
+#include "http_vhost.h"
 
 extern server_rec *ap_server_conf;
@@ -112 +113 @@
 {
     int rv;
+    int data_len;
     server_rec *s;
     gnutls_dh_params_t dh_params;
@@ -216 +218 @@
                 exit(-1);
             }
-            {
-                int rv;
-                int data_len = 255;
-                char crt_name[255];
-                for (rv = 0; rv < data_len; rv++) {
-                    crt_name[rv] = '\0';
-                }
-                rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509, 
-                                                   GNUTLS_OID_X520_COMMON_NAME, 0, 0,
-                                                   crt_name, &data_len);
-                
+            
+            rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509, 
+                                               GNUTLS_OID_X520_COMMON_NAME, 0, 0,
+                                               NULL, &data_len);
+            
+            if (data_len < 1) {
+                sc->enabled = GNUTLS_ENABLED_FALSE;
+                sc->cert_cn = NULL;
+                continue;
+            }
+            
+            sc->cert_cn = apr_palloc(p, data_len);
+            rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509, 
+                                               GNUTLS_OID_X520_COMMON_NAME, 0, 0,
+                                               sc->cert_cn, &data_len);
             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
                          s,
-                         "GnuTLS: sni-x509 cn: %s/%d pk: %s s: 0x%08X sc: 0x%08X", crt_name, rv,
+                         "GnuTLS: sni-x509 cn: %s/%d pk: %s s: 0x%08X sc: 0x%08X", sc->cert_cn, rv,
                          gnutls_pk_algorithm_get_name(gnutls_x509_privkey_get_pk_algorithm(sc->privkey_x509)),
                          (unsigned int)s, (unsigned int)sc);
-            }
         }
     }
@@ -288 +293 @@
 }
 
+static void mod_gnutls_changed_servers(mod_gnutls_handle_t *ctxt)
+{
+    gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE, ctxt->sc->certs);
+    gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode);
+}
+
 #define MAX_HOST_LEN 255
+
+#if USING_2_1_RECENT
+typedef struct
+{
+    mod_gnutls_handle_t *ctxt;
+    gnutls_retr_st* ret;
+    const char* sni_name;
+} vhost_cb_rec;
+
+int vhost_cb (void* baton, conn_rec* conn, server_rec* s)
+{
+    mod_gnutls_srvconf_rec *tsc;
+    vhost_cb_rec* x = baton;
+
+    tsc = (mod_gnutls_srvconf_rec *) ap_get_module_config(s->module_config,
+                                                          &gnutls_module);
+    
+    if (tsc->enabled != GNUTLS_ENABLED_TRUE || tsc->cert_cn == NULL) {
+        return 0;
+    }
+    
+    /* The CN can contain a * -- this will match those too. */
+    if (ap_strcasecmp_match(x->sni_name, tsc->cert_cn) == 0) {
+        /* found a match */
+        x->ret->cert.x509 = &tsc->cert_x509;
+        x->ret->key.x509 = tsc->privkey_x509;
+#if MOD_GNUTLS_DEBUG
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
+                     x->ctxt->c->base_server,
+                     "GnuTLS: Virtual Host CB: "
+                     "'%s' == '%s'", tsc->cert_cn, x->sni_name);
+#endif
+        /* Because we actually change the server used here, we need to reset
+         * things like ClientVerify.
+         */
+        x->ctxt->sc = tsc;
+        mod_gnutls_changed_servers(x->ctxt);
+        return 1;
+    }
+    return 0;
+}
+#endif
+
 static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st* ret) 
 {
@@ -295 +349 @@
     int data_len = MAX_HOST_LEN;
     char sni_name[MAX_HOST_LEN];
-    char crt_name[MAX_HOST_LEN];
     mod_gnutls_handle_t *ctxt;
-    mod_gnutls_srvconf_rec *tsc;
+#if USING_2_1_RECENT
+    vhost_cb_rec cbx;
+#else
     server_rec* s;
+    mod_gnutls_srvconf_rec *tsc;    
+#endif
     
     ctxt = gnutls_transport_get_ptr(session);
@@ -334 +391 @@
      * for this IP/Port combo.  Trust that the core did the 'right' thing.
      */
+#if USING_2_1_RECENT
+    cbx.ctxt = ctxt;
+    cbx.ret = ret;
+    cbx.sni_name = sni_name;
+
+    rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
+    if (rv == 1) {
+        return 0;
+    }
+#else
     for (s = ap_server_conf; s; s = s->next) {
         
@@ -341 +408 @@
             continue;
         }
-        
-        data_len = MAX_HOST_LEN;
-        rv = gnutls_x509_crt_get_dn_by_oid(tsc->cert_x509, 
-                                           GNUTLS_OID_X520_COMMON_NAME, 0, 0,
-                                           crt_name, &data_len);
+#if MOD_GNUTLS_DEBUG
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
                      ctxt->c->base_server,
-                     "GnuTLS: sni-x509 cn: %s/%d pk: %s s: 0x%08X s->n: 0x%08X  sc: 0x%08X", crt_name, rv,
+                     "GnuTLS: sni-x509 cn: %s/%d pk: %s s: 0x%08X s->n: 0x%08X  sc: 0x%08X", tsc->cert_cn, rv,
                      gnutls_pk_algorithm_get_name(gnutls_x509_privkey_get_pk_algorithm(ctxt->sc->privkey_x509)),
                      (unsigned int)s, (unsigned int)s->next, (unsigned int)tsc);
-
-        if (rv != 0) {
-            continue;
-        }
-            
+#endif            
         /* The CN can contain a * -- this will match those too. */
-        if (ap_strcasecmp_match(sni_name, crt_name) == 0) {
+        if (ap_strcasecmp_match(sni_name, tsc->cert_cn) == 0) {
             /* found a match */
             ret->cert.x509 = &tsc->cert_x509;
@@ -365 +424 @@
                          ctxt->c->base_server,
                          "GnuTLS: Virtual Host: "
-                         "'%s' == '%s'", crt_name, sni_name);
-#endif
+                         "'%s' == '%s'", tsc->cert_cn, sni_name);
+#endif
+            ctxt->sc = tsc;
+            mod_gnutls_changed_servers(ctxt);
             return 0;
         }
     }
-
+#endif
     
     /**
@@ -377 +438 @@
      */
 use_default_crt:
-    data_len = MAX_HOST_LEN;
-    rv = gnutls_x509_crt_get_dn_by_oid(ctxt->sc->cert_x509, 
-                                  GNUTLS_OID_X520_COMMON_NAME, 0, 0,
-                                  crt_name, &data_len);
-        
-    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
-                     ctxt->c->base_server,
-                     "GnuTLS: x509 cn: %s/%d pk: %s", crt_name, rv,
-                 gnutls_pk_algorithm_get_name(gnutls_x509_privkey_get_pk_algorithm(ctxt->sc->privkey_x509)));
-    
     ret->cert.x509 = &ctxt->sc->cert_x509;
     ret->key.x509 = ctxt->sc->privkey_x509;
@@ -428 +479 @@
     gnutls_certificate_type_set_priority(ctxt->session, sc->cert_types);
 
-    gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE, sc->certs);
-
-    gnutls_certificate_server_set_request(ctxt->session, sc->client_verify_mode);
-
     mod_gnutls_cache_session_init(ctxt);
 
-    /* TODO: Finish Support for Server Name Indication */
     gnutls_certificate_server_set_retrieve_function(sc->certs, cert_retrieve_fn);
+
+    mod_gnutls_changed_servers(ctxt);
     return ctxt;
 }
@@ -575 +623 @@
     }
     
-    //apr_pool_destroy(spool);
+    apr_pool_destroy(spool);
     return NULL;
 }
@@ -606 +654 @@
                             gnutls_strerror(ret));
     }
-    //apr_pool_destroy(spool);
+    apr_pool_destroy(spool);
     return NULL;
 }
@@ -674 +722 @@
                                             const char *arg)
 {
-    gnutls_certificate_request_t mode;
-
-    if (strcasecmp("none", arg) == 0  || strcasecmp("ignore", arg) == 0) {
+    int mode;
+
+    if (strcasecmp("none", arg) == 0 || strcasecmp("ignore", arg) == 0) {
         mode = GNUTLS_CERT_IGNORE;
     }
@@ -682 +730 @@
         mode = GNUTLS_CERT_REQUEST;
     }
-    else if (strcasecmp("optional", arg) == 0) {
+    else if (strcasecmp("require", arg) == 0) {
         mode = GNUTLS_CERT_REQUIRE;
     }
@@ -704 +752 @@
     return NULL;
 }
+
+static const char *gnutls_set_client_ca_file(cmd_parms * parms, void *dummy,
+                                            const char *arg)
+{
+    int rv;
+    const char* file;
+    mod_gnutls_srvconf_rec *sc = 
+        (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->
+                                                        module_config,
+                                                        &gnutls_module);        
+    file = ap_server_root_relative(parms->pool, arg);
+    rv = gnutls_certificate_set_x509_trust_file(sc->certs, 
+                                                file, GNUTLS_X509_FMT_PEM);
+    
+    if (rv < 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
+                            "Client CA File '%s': (%d) %s", file, rv, 
+                            gnutls_strerror(rv));   
+    }
+    return NULL;
+}
+
+
 static const char *gnutls_set_enabled(cmd_parms * parms, void *dummy,
                                       const char *arg)
@@ -729 +800 @@
                   RSRC_CONF|OR_AUTHCFG,
                   "Set Verification Requirements of the Client Certificate"),
+    AP_INIT_TAKE1("GnuTLSClientCAFile", gnutls_set_client_ca_file,
+                  NULL,
+                  RSRC_CONF,
+                  "Set the CA File for Client Certificates"),
     AP_INIT_TAKE1("GnuTLSCertificateFile", gnutls_set_cert_file,
                   NULL,
@@ -752 +827 @@
 };
 
-/* TODO: CACertificateFile & Client Authentication
- *    AP_INIT_TAKE1("GnuTLSCACertificateFile", ap_set_server_string_slot,
- *                 (void *) APR_OFFSETOF(gnutls_srvconf_rec, key_file), NULL,
- *                 RSRC_CONF,
- *                 "CA"),
- */
-
 int mod_gnutls_hook_authz(request_rec *r)
 {
-    return OK;
-#if 0
+    int rv;
+    int status;
     mod_gnutls_handle_t *ctxt;
     mod_gnutls_dirconf_rec *dc = ap_get_module_config(r->per_dir_config,
@@ -769 +837 @@
     ctxt = ap_get_module_config(r->connection->conn_config, &gnutls_module);
 
-    if (dc->client_verify_mode == -1 || 
-        dc->client_verify_mode == GNUTLS_CERT_IGNORE ||
-        ctxt->sc->client_verify_mode > dc->client_verify_mode) {
+    if (dc->client_verify_mode == GNUTLS_CERT_IGNORE) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 
+                      "GnuTLS: Ignoring Client Certificate!");
         return DECLINED;
     }
 
-    gnutls_certificate_server_set_request(ctxt->session, dc->client_verify_mode);
-    if (mod_gnutls_rehandshake(ctxt) != 0) {
+    if (ctxt->sc->client_verify_mode < dc->client_verify_mode) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 
+                     "GnuTLS: Attempting to rehandshake with peer. %d %d",
+                      ctxt->sc->client_verify_mode, dc->client_verify_mode);
+        
+        gnutls_certificate_server_set_request(ctxt->session,
+                                              dc->client_verify_mode);
+    
+        if (mod_gnutls_rehandshake(ctxt) != 0) {
+            return HTTP_FORBIDDEN;
+        }
+    }
+    else if (ctxt->sc->client_verify_mode == GNUTLS_CERT_IGNORE) {
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
+                      "GnuTLS: Peer is set to IGNORE");
+        return DECLINED;
+    }
+    
+    rv = gnutls_certificate_verify_peers2(ctxt->session, &status);
+
+    if (rv < 0) {
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
+                     "GnuTLS: Failed to Verify Peer: (%d) %s", 
+                     rv, gnutls_strerror(rv));
         return HTTP_FORBIDDEN;
     }
-#endif    
+    
+    if (status < 0) {
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
+                     "GnuTLS: Peer Status is invalid."); 
+        return HTTP_FORBIDDEN;
+    }
+    
+    if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
+                     "GnuTLS: Could not find Signer for Peer Certificate"); 
+    }
+    
+    if (status & GNUTLS_CERT_SIGNER_NOT_CA) {
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
+                     "GnuTLS: Could not find CA for Peer Certificate"); 
+    }
+    
+    if (status & GNUTLS_CERT_INVALID) {
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
+                     "GnuTLS: Peer Certificate is invalid."); 
+        return HTTP_FORBIDDEN;
+    }
+    else if (status & GNUTLS_CERT_REVOKED) {
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
+                     "GnuTLS: Peer Certificate is revoked."); 
+        return HTTP_FORBIDDEN;
+    }
+    
+    /* TODO: OpenPGP Certificates */
+    if (gnutls_certificate_type_get(ctxt->session) != GNUTLS_CRT_X509) {
+        ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, 
+                     "GnuTLS: Only x509 is supported for client certificates");         
+        return HTTP_FORBIDDEN;
+    }
+    /* TODO: Further Verification. */
+    ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, 
+                 "GnuTLS: Verified Peer.");             
+    return OK;
 }
 
@@ -802 +929 @@
                        APR_HOOK_MIDDLE);
     
-    ap_hook_auth_checker(mod_gnutls_hook_authz, NULL, NULL, APR_HOOK_MIDDLE);
-    
+    ap_hook_access_checker(mod_gnutls_hook_authz, NULL, NULL, APR_HOOK_REALLY_FIRST);
+
     ap_hook_fixups(mod_gnutls_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);