Changeset fd73a08 in mod_gnutls for src/gnutls_hooks.c
- Timestamp:
- Dec 1, 2007, 4:12:01 AM (15 years ago)
- Branches:
- asyncio, debian/master, debian/stretch-backports, jessie-backports, master, msva, proxy-ticket, upstream
- Children:
- 3dbff0d
- Parents:
- 3e6bc31
- git-author:
- Nikos Mavrogiannopoulos <nmav@…> (12/01/07 04:12:01)
- git-committer:
- Nokis Mavrogiannopoulos <nmav@…> (12/01/07 04:12:01)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
src/gnutls_hooks.c
r3e6bc31 rfd73a08 38 38 /* use side==0 for server and side==1 for client */ 39 39 static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, 40 int side, int export_certificates_enabled); 40 int side, 41 int export_certificates_enabled); 41 42 42 43 static apr_status_t mgs_cleanup_pre_config(void *data) … … 98 99 if (rv != APR_SUCCESS) { 99 100 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, 100 "GnuTLS failed to load params file at: %s. Will use internal params.", file); 101 "GnuTLS failed to load params file at: %s. Will use internal params.", 102 file); 101 103 return ret; 102 104 } … … 128 130 const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 }; 129 131 130 static int mgs_select_virtual_server_cb( 132 static int mgs_select_virtual_server_cb(gnutls_session_t session) 131 133 { 132 134 mgs_handle_t *ctxt; … … 143 145 144 146 gnutls_certificate_server_set_request(session, 145 147 ctxt->sc->client_verify_mode); 146 148 147 149 /* set the new server credentials … … 149 151 150 152 gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, 151 152 153 gnutls_credentials_set(session, GNUTLS_CRD_ANON, 154 ctxt->sc->anon_creds); 155 156 if ( ctxt->sc->srp_tpasswd_conf_file != NULL&& ctxt->sc->srp_tpasswd_file != NULL) {157 158 153 ctxt->sc->certs); 154 155 gnutls_credentials_set(session, GNUTLS_CRD_ANON, ctxt->sc->anon_creds); 156 157 if (ctxt->sc->srp_tpasswd_conf_file != NULL 158 && ctxt->sc->srp_tpasswd_file != NULL) { 159 gnutls_credentials_set(session, GNUTLS_CRD_SRP, 160 ctxt->sc->srp_creds); 159 161 } 160 162 … … 163 165 * negotiation. 164 166 */ 165 ret = gnutls_priority_set( 166 gnutls_certificate_type_set_priority( 167 168 167 ret = gnutls_priority_set(session, ctxt->sc->priorities); 168 gnutls_certificate_type_set_priority(session, cert_type_prio); 169 170 169 171 /* actually it shouldn't fail since we have checked at startup */ 170 if (ret < 0) return ret; 171 172 /* allow separate caches per virtual host. Actually allowing the same is not 173 * a good idea, especially if they have different security requirements. 172 if (ret < 0) 173 return ret; 174 175 /* allow separate caches per virtual host. Actually allowing the same is a 176 * bad idea, since they might have different security requirements. 174 177 */ 175 178 mgs_cache_session_init(ctxt); … … 194 197 195 198 const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n" 196 "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n" 197 "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n" 198 "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n" 199 "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n" 200 "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n" 201 "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n" 202 "-----END DH PARAMETERS-----\n"; 199 "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n" 200 "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n" 201 "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n" 202 "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n" 203 "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n" 204 "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n" 205 "-----END DH PARAMETERS-----\n"; 206 207 /* Read the common name or the alternative name of the certificate. 208 * We only support a single name per certificate. 209 * 210 * Returns negative on error. 211 */ 212 static int read_crt_cn(apr_pool_t * p, gnutls_x509_crt cert, 213 char **cert_cn) 214 { 215 int rv = 0, i; 216 size_t data_len; 217 218 219 *cert_cn = NULL; 220 221 rv = gnutls_x509_crt_get_dn_by_oid(cert, 222 GNUTLS_OID_X520_COMMON_NAME, 223 0, 0, NULL, &data_len); 224 225 if (rv >= 0 && data_len > 1) { 226 *cert_cn = apr_palloc(p, data_len); 227 rv = gnutls_x509_crt_get_dn_by_oid(cert, 228 GNUTLS_OID_X520_COMMON_NAME, 0, 229 0, *cert_cn, &data_len); 230 } else { /* No CN return subject alternative name */ 231 232 /* read subject alternative name */ 233 for (i = 0; !(rv < 0); i++) { 234 rv = gnutls_x509_crt_get_subject_alt_name(cert, i, 235 NULL, &data_len, NULL); 236 237 if (rv == GNUTLS_SAN_DNSNAME) { 238 *cert_cn = apr_palloc(p, data_len); 239 rv = gnutls_x509_crt_get_subject_alt_name(cert, i, 240 *cert_cn, &data_len, NULL); 241 break; 242 243 } 244 } 245 } 246 247 return rv; 248 249 } 203 250 204 251 int … … 207 254 { 208 255 int rv; 209 size_t data_len;210 256 server_rec *s; 211 257 gnutls_dh_params_t dh_params; … … 252 298 /* If the file does not exist use internal parameters 253 299 */ 254 pdata.data = (void*)static_dh_params;255 pdata.size = sizeof(static_dh_params);300 pdata.data = (void *) static_dh_params; 301 pdata.size = sizeof(static_dh_params); 256 302 rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata, 257 303 GNUTLS_X509_FMT_PEM); 258 304 259 260 261 "GnuTLS: Unable to load internal DH Params."262 " Shutting down.");263 264 305 if (rv < 0) { 306 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 307 "GnuTLS: Unable to load internal DH Params." 308 " Shutting down."); 309 exit(-1); 310 } 265 311 } 266 312 apr_pool_clear(tpool); 267 313 268 269 314 rsa_params = NULL; 315 270 316 pdata = load_params(sc_base->rsa_params_file, s, tpool); 271 317 272 318 if (pdata.size != 0) { 273 319 gnutls_rsa_params_init(&rsa_params); 274 320 rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata, 275 321 GNUTLS_X509_FMT_PEM); … … 280 326 exit(rv); 281 327 } 282 } 283 284 328 } 329 /* not an error but RSA-EXPORT ciphersuites are not available 330 */ 285 331 286 332 apr_pool_destroy(tpool); … … 300 346 301 347 if (rsa_params != NULL) 302 303 348 gnutls_certificate_set_rsa_export_params(sc->certs, 349 rsa_params); 304 350 gnutls_certificate_set_dh_params(sc->certs, dh_params); 305 351 306 gnutls_anon_set_server_dh_params( sc->anon_creds, dh_params); 307 308 gnutls_certificate_server_set_retrieve_function(sc->certs, 309 cert_retrieve_fn); 310 311 if ( sc->srp_tpasswd_conf_file != NULL && sc->srp_tpasswd_file != NULL) { 312 gnutls_srp_set_server_credentials_file( sc->srp_creds, 313 sc->srp_tpasswd_file, sc->srp_tpasswd_conf_file); 314 } 315 352 gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params); 353 354 gnutls_certificate_server_set_retrieve_function(sc->certs, 355 cert_retrieve_fn); 356 357 if (sc->srp_tpasswd_conf_file != NULL 358 && sc->srp_tpasswd_file != NULL) { 359 gnutls_srp_set_server_credentials_file(sc->srp_creds, 360 sc-> 361 srp_tpasswd_file, 362 sc-> 363 srp_tpasswd_conf_file); 364 } 365 316 366 if (sc->cert_x509 == NULL 317 367 && sc->enabled == GNUTLS_ENABLED_TRUE) { … … 333 383 334 384 if (sc->enabled == GNUTLS_ENABLED_TRUE) { 335 rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509, 336 GNUTLS_OID_X520_COMMON_NAME, 337 0, 0, NULL, &data_len); 338 339 if (data_len < 1) { 340 sc->enabled = GNUTLS_ENABLED_FALSE; 341 sc->cert_cn = NULL; 342 continue; 385 rv = read_crt_cn(p, sc->cert_x509, &sc->cert_cn); 386 if (rv < 0) { 387 sc->enabled = GNUTLS_ENABLED_FALSE; 388 sc->cert_cn = NULL; 389 continue; 390 } 343 391 } 344 345 sc->cert_cn = apr_palloc(p, data_len);346 rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509,347 GNUTLS_OID_X520_COMMON_NAME,348 0, 0, sc->cert_cn,349 &data_len);350 }351 392 } 352 393 } … … 533 574 534 575 static const int protocol_priority[] = { 535 GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 }; 536 576 GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 577 }; 578 537 579 538 580 static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c) … … 559 601 560 602 gnutls_init(&ctxt->session, GNUTLS_SERVER); 561 603 562 604 /* This is not very good as it trades security for compatibility, 563 605 * but it is the only way to be ultra-portable. 564 606 */ 565 gnutls_session_enable_compatibility_mode( 566 607 gnutls_session_enable_compatibility_mode(ctxt->session); 608 567 609 /* because we don't set any default priorities here (we set later at 568 610 * the user hello callback) we need to at least set this in order for 569 611 * gnutls to be able to read packets. 570 612 */ 571 gnutls_protocol_set_priority( ctxt->session, protocol_priority); 572 573 gnutls_handshake_set_post_client_hello_function( ctxt->session, mgs_select_virtual_server_cb); 613 gnutls_protocol_set_priority(ctxt->session, protocol_priority); 614 615 gnutls_handshake_set_post_client_hello_function(ctxt->session, 616 mgs_select_virtual_server_cb); 574 617 575 618 return ctxt; … … 624 667 apr_table_setn(env, "HTTPS", "on"); 625 668 626 apr_table_setn(env, "SSL_VERSION_LIBRARY", "GnuTLS/"LIBGNUTLS_VERSION); 627 apr_table_setn(env, "SSL_VERSION_INTERFACE", "mod_gnutls/"MOD_GNUTLS_VERSION); 669 apr_table_setn(env, "SSL_VERSION_LIBRARY", 670 "GnuTLS/" LIBGNUTLS_VERSION); 671 apr_table_setn(env, "SSL_VERSION_INTERFACE", 672 "mod_gnutls/" MOD_GNUTLS_VERSION); 628 673 629 674 apr_table_setn(env, "SSL_PROTOCOL", … … 631 676 (ctxt->session))); 632 677 633 /* should have been called SSL_CIPHERSUITE instead */ 678 /* should have been called SSL_CIPHERSUITE instead */ 634 679 apr_table_setn(env, "SSL_CIPHER", 635 gnutls_cipher_suite_get_name( 636 gnutls_kx_get(ctxt->session), gnutls_cipher_get(ctxt->session), 637 gnutls_mac_get(ctxt->session))); 680 gnutls_cipher_suite_get_name(gnutls_kx_get 681 (ctxt->session), 682 gnutls_cipher_get(ctxt-> 683 session), 684 gnutls_mac_get(ctxt-> 685 session))); 638 686 639 687 apr_table_setn(env, "SSL_COMPRESS_METHOD", 640 688 gnutls_compression_get_name(gnutls_compression_get 641 (ctxt->session)));689 (ctxt->session))); 642 690 643 691 apr_table_setn(env, "SSL_SRP_USER", 644 gnutls_srp_server_get_username(ctxt->session));692 gnutls_srp_server_get_username(ctxt->session)); 645 693 646 694 if (apr_table_get(env, "SSL_CLIENT_VERIFY") == NULL) … … 663 711 apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp)); 664 712 665 mgs_add_common_cert_vars(r, ctxt->sc->cert_x509, 0, ctxt->sc->export_certificates_enabled); 713 mgs_add_common_cert_vars(r, ctxt->sc->cert_x509, 0, 714 ctxt->sc->export_certificates_enabled); 666 715 667 716 return rv; … … 724 773 #define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT") 725 774 static void 726 mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side, int export_certificates_enabled) 775 mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side, 776 int export_certificates_enabled) 727 777 { 728 778 unsigned char sbuf[64]; /* buffer to hold serials */ … … 735 785 736 786 if (export_certificates_enabled != 0) { 737 char cert_buf[10*1024]; 738 len = sizeof(cert_buf); 739 740 if (gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0) 741 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL), 742 apr_pstrmemdup(r->pool, cert_buf, len)); 743 787 char cert_buf[10 * 1024]; 788 len = sizeof(cert_buf); 789 790 if (gnutls_x509_crt_export 791 (cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0) 792 apr_table_setn(env, 793 apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL), 794 apr_pstrmemdup(r->pool, cert_buf, len)); 795 744 796 } 745 797 … … 772 824 apr_pstrdup(r->pool, tmp)); 773 825 774 alg = gnutls_x509_crt_get_signature_algorithm( 826 alg = gnutls_x509_crt_get_signature_algorithm(cert); 775 827 if (alg >= 0) { 776 777 gnutls_sign_algorithm_get_name(alg));778 } 779 780 alg = gnutls_x509_crt_get_pk_algorithm( 828 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG", NULL), 829 gnutls_sign_algorithm_get_name(alg)); 830 } 831 832 alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL); 781 833 if (alg >= 0) { 782 783 gnutls_pk_algorithm_get_name(alg));834 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY", NULL), 835 gnutls_pk_algorithm_get_name(alg)); 784 836 } 785 837 … … 888 940 // rv = mgs_authz_lua(r); 889 941 890 mgs_add_common_cert_vars(r, cert, 1, ctxt->sc->export_certificates_enabled); 942 mgs_add_common_cert_vars(r, cert, 1, 943 ctxt->sc->export_certificates_enabled); 891 944 892 945 { 893 /* days remaining */ 894 unsigned long remain = (apr_time_sec(expiration_time) - apr_time_sec(cur_time))/86400; 895 apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN", 896 apr_psprintf(r->pool, "%lu", remain)); 946 /* days remaining */ 947 unsigned long remain = 948 (apr_time_sec(expiration_time) - 949 apr_time_sec(cur_time)) / 86400; 950 apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN", 951 apr_psprintf(r->pool, "%lu", remain)); 897 952 } 898 953
Note: See TracChangeset
for help on using the changeset viewer.