Changeset fd73a08 in mod_gnutls for src/gnutls_hooks.c

Timestamp:

Dec 1, 2007, 4:12:01 AM (12 years ago)

Author:

Nokis Mavrogiannopoulos <nmav@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, master, msva, upstream

Children:

3dbff0d

Parents:

3e6bc31

git-author:

Nikos Mavrogiannopoulos <nmav@…> (12/01/07 04:12:01)

git-committer:

Nokis Mavrogiannopoulos <nmav@…> (12/01/07 04:12:01)

Message:

Added support for subject alternative names. (untested)

File:

• src/gnutls_hooks.c (modified) (21 diffs)

src/gnutls_hooks.c

@@ -38 +38 @@
 /* use side==0 for server and side==1 for client */
 static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert,
-                                     int side, int export_certificates_enabled);
+                                     int side,
+                                     int export_certificates_enabled);
 
 static apr_status_t mgs_cleanup_pre_config(void *data)
@@ -98 +99 @@
     if (rv != APR_SUCCESS) {
         ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
-                     "GnuTLS failed to load params file at: %s. Will use internal params.", file);
+                     "GnuTLS failed to load params file at: %s. Will use internal params.",
+                     file);
         return ret;
     }
@@ -128 +130 @@
 const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 };
 
-static int mgs_select_virtual_server_cb( gnutls_session_t session)
+static int mgs_select_virtual_server_cb(gnutls_session_t session)
 {
     mgs_handle_t *ctxt;
@@ -143 +145 @@
 
     gnutls_certificate_server_set_request(session,
-       ctxt->sc->client_verify_mode);
+                                          ctxt->sc->client_verify_mode);
 
     /* set the new server credentials 
@@ -149 +151 @@
 
     gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
-      ctxt->sc->certs);
-
-    gnutls_credentials_set(session, GNUTLS_CRD_ANON,
-      ctxt->sc->anon_creds);
-
-    if ( ctxt->sc->srp_tpasswd_conf_file != NULL && ctxt->sc->srp_tpasswd_file != NULL) {
-       gnutls_credentials_set(session, GNUTLS_CRD_SRP,
-         ctxt->sc->srp_creds);
+                           ctxt->sc->certs);
+
+    gnutls_credentials_set(session, GNUTLS_CRD_ANON, ctxt->sc->anon_creds);
+
+    if (ctxt->sc->srp_tpasswd_conf_file != NULL
+        && ctxt->sc->srp_tpasswd_file != NULL) {
+        gnutls_credentials_set(session, GNUTLS_CRD_SRP,
+                               ctxt->sc->srp_creds);
     }
 
@@ -163 +165 @@
      * negotiation.
      */
-    ret = gnutls_priority_set( session, ctxt->sc->priorities);
-    gnutls_certificate_type_set_priority( session, cert_type_prio);
-    
-    
+    ret = gnutls_priority_set(session, ctxt->sc->priorities);
+    gnutls_certificate_type_set_priority(session, cert_type_prio);
+
+
     /* actually it shouldn't fail since we have checked at startup */
-    if (ret < 0) return ret;
-
-    /* allow separate caches per virtual host. Actually allowing the same is not
-     * a good idea, especially if they have different security requirements.
+    if (ret < 0)
+        return ret;
+
+    /* allow separate caches per virtual host. Actually allowing the same is a
+     * bad idea, since they might have different security requirements.
      */
     mgs_cache_session_init(ctxt);
@@ -194 +197 @@
 
 const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
-"MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
-"gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
-"KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
-"dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
-"YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
-"Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
-"-----END DH PARAMETERS-----\n";
+    "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
+    "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
+    "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
+    "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
+    "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
+    "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
+    "-----END DH PARAMETERS-----\n";
+
+/* Read the common name or the alternative name of the certificate.
+ * We only support a single name per certificate.
+ *
+ * Returns negative on error.
+ */
+static int read_crt_cn(apr_pool_t * p, gnutls_x509_crt cert,
+                       char **cert_cn)
+{
+    int rv = 0, i;
+    size_t data_len;
+
+
+    *cert_cn = NULL;
+
+    rv = gnutls_x509_crt_get_dn_by_oid(cert,
+                                       GNUTLS_OID_X520_COMMON_NAME,
+                                       0, 0, NULL, &data_len);
+
+    if (rv >= 0 && data_len > 1) {
+        *cert_cn = apr_palloc(p, data_len);
+        rv = gnutls_x509_crt_get_dn_by_oid(cert,
+                                           GNUTLS_OID_X520_COMMON_NAME, 0,
+                                           0, *cert_cn, &data_len);
+    } else {                    /* No CN return subject alternative name */
+
+        /* read subject alternative name */
+        for (i = 0; !(rv < 0); i++) {
+            rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
+                    NULL, &data_len, NULL);
+                    
+            if (rv == GNUTLS_SAN_DNSNAME) {
+                *cert_cn = apr_palloc(p, data_len);
+                rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
+                    *cert_cn, &data_len, NULL);
+                break;
+
+            }
+        }
+    }
+    
+    return rv;
+
+}
 
 int
@@ -207 +254 @@
 {
     int rv;
-    size_t data_len;
     server_rec *s;
     gnutls_dh_params_t dh_params;
@@ -252 +298 @@
             /* If the file does not exist use internal parameters
              */
-            pdata.data = (void*)static_dh_params;
-            pdata.size = sizeof( static_dh_params);
+            pdata.data = (void *) static_dh_params;
+            pdata.size = sizeof(static_dh_params);
             rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
                                                GNUTLS_X509_FMT_PEM);
 
-            if (rv < 0) {
-              ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Unable to load internal DH Params."
-                         " Shutting down.");
-              exit(-1);
-            }
+            if (rv < 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "GnuTLS: Unable to load internal DH Params."
+                             " Shutting down.");
+                exit(-1);
+            }
         }
         apr_pool_clear(tpool);
 
-        rsa_params = NULL;
-        
+        rsa_params = NULL;
+
         pdata = load_params(sc_base->rsa_params_file, s, tpool);
 
         if (pdata.size != 0) {
-            gnutls_rsa_params_init(&rsa_params);
+            gnutls_rsa_params_init(&rsa_params);
             rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata,
                                                 GNUTLS_X509_FMT_PEM);
@@ -280 +326 @@
                 exit(rv);
             }
-        } 
-        /* not an error but RSA-EXPORT ciphersuites are not available 
-         */
+        }
+        /* not an error but RSA-EXPORT ciphersuites are not available 
+         */
 
         apr_pool_destroy(tpool);
@@ -300 +346 @@
 
             if (rsa_params != NULL)
-              gnutls_certificate_set_rsa_export_params(sc->certs,
-                                                     rsa_params);
+                gnutls_certificate_set_rsa_export_params(sc->certs,
+                                                         rsa_params);
             gnutls_certificate_set_dh_params(sc->certs, dh_params);
 
-            gnutls_anon_set_server_dh_params( sc->anon_creds, dh_params);
-            
-            gnutls_certificate_server_set_retrieve_function(sc->certs,
-                                                    cert_retrieve_fn);
-
-            if ( sc->srp_tpasswd_conf_file != NULL && sc->srp_tpasswd_file != NULL) {
-                gnutls_srp_set_server_credentials_file( sc->srp_creds, 
-                    sc->srp_tpasswd_file, sc->srp_tpasswd_conf_file);
-            }
-            
+            gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params);
+
+            gnutls_certificate_server_set_retrieve_function(sc->certs,
+                                                            cert_retrieve_fn);
+
+            if (sc->srp_tpasswd_conf_file != NULL
+                && sc->srp_tpasswd_file != NULL) {
+                gnutls_srp_set_server_credentials_file(sc->srp_creds,
+                                                       sc->
+                                                       srp_tpasswd_file,
+                                                       sc->
+                                                       srp_tpasswd_conf_file);
+            }
+
             if (sc->cert_x509 == NULL
                 && sc->enabled == GNUTLS_ENABLED_TRUE) {
@@ -333 +383 @@
 
             if (sc->enabled == GNUTLS_ENABLED_TRUE) {
-            rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509,
-                                               GNUTLS_OID_X520_COMMON_NAME,
-                                               0, 0, NULL, &data_len);
-
-            if (data_len < 1) {
-                sc->enabled = GNUTLS_ENABLED_FALSE;
-                sc->cert_cn = NULL;
-                continue;
+                rv = read_crt_cn(p, sc->cert_x509, &sc->cert_cn);
+                if (rv < 0) {
+                    sc->enabled = GNUTLS_ENABLED_FALSE;
+                    sc->cert_cn = NULL;
+                    continue;
+                }
             }
-
-            sc->cert_cn = apr_palloc(p, data_len);
-            rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509,
-                                               GNUTLS_OID_X520_COMMON_NAME,
-                                               0, 0, sc->cert_cn,
-                                               &data_len);
-            }
         }
     }
@@ -533 +574 @@
 
 static const int protocol_priority[] = {
-  GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
-          
+    GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
+};
+
 
 static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c)
@@ -559 +601 @@
 
     gnutls_init(&ctxt->session, GNUTLS_SERVER);
-    
+
     /* This is not very good as it trades security for compatibility,
      * but it is the only way to be ultra-portable.
      */
-    gnutls_session_enable_compatibility_mode( ctxt->session);
-    
+    gnutls_session_enable_compatibility_mode(ctxt->session);
+
     /* because we don't set any default priorities here (we set later at
      * the user hello callback) we need to at least set this in order for
      * gnutls to be able to read packets.
      */
-    gnutls_protocol_set_priority( ctxt->session, protocol_priority);
-
-    gnutls_handshake_set_post_client_hello_function( ctxt->session, mgs_select_virtual_server_cb);
+    gnutls_protocol_set_priority(ctxt->session, protocol_priority);
+
+    gnutls_handshake_set_post_client_hello_function(ctxt->session,
+                                                    mgs_select_virtual_server_cb);
 
     return ctxt;
@@ -624 +667 @@
     apr_table_setn(env, "HTTPS", "on");
 
-    apr_table_setn(env, "SSL_VERSION_LIBRARY", "GnuTLS/"LIBGNUTLS_VERSION);
-    apr_table_setn(env, "SSL_VERSION_INTERFACE", "mod_gnutls/"MOD_GNUTLS_VERSION);
+    apr_table_setn(env, "SSL_VERSION_LIBRARY",
+                   "GnuTLS/" LIBGNUTLS_VERSION);
+    apr_table_setn(env, "SSL_VERSION_INTERFACE",
+                   "mod_gnutls/" MOD_GNUTLS_VERSION);
 
     apr_table_setn(env, "SSL_PROTOCOL",
@@ -631 +676 @@
                                             (ctxt->session)));
 
-    /* should have been called SSL_CIPHERSUITE instead */                                          
+    /* should have been called SSL_CIPHERSUITE instead */
     apr_table_setn(env, "SSL_CIPHER",
-          gnutls_cipher_suite_get_name(
-            gnutls_kx_get(ctxt->session), gnutls_cipher_get(ctxt->session),
-                    gnutls_mac_get(ctxt->session)));
+                   gnutls_cipher_suite_get_name(gnutls_kx_get
+                                                (ctxt->session),
+                                                gnutls_cipher_get(ctxt->
+                                                                  session),
+                                                gnutls_mac_get(ctxt->
+                                                               session)));
 
     apr_table_setn(env, "SSL_COMPRESS_METHOD",
                    gnutls_compression_get_name(gnutls_compression_get
-                                          (ctxt->session)));
+                                               (ctxt->session)));
 
     apr_table_setn(env, "SSL_SRP_USER",
-                   gnutls_srp_server_get_username( ctxt->session));
+                   gnutls_srp_server_get_username(ctxt->session));
 
     if (apr_table_get(env, "SSL_CLIENT_VERIFY") == NULL)
@@ -663 +711 @@
     apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp));
 
-    mgs_add_common_cert_vars(r, ctxt->sc->cert_x509, 0, ctxt->sc->export_certificates_enabled);
+    mgs_add_common_cert_vars(r, ctxt->sc->cert_x509, 0,
+                             ctxt->sc->export_certificates_enabled);
 
     return rv;
@@ -724 +773 @@
 #define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT")
 static void
-mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side, int export_certificates_enabled)
+mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side,
+                         int export_certificates_enabled)
 {
     unsigned char sbuf[64];     /* buffer to hold serials */
@@ -735 +785 @@
 
     if (export_certificates_enabled != 0) {
-      char cert_buf[10*1024];
-      len = sizeof(cert_buf);
-
-      if (gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
-        apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
-                   apr_pstrmemdup(r->pool, cert_buf, len));
-      
+        char cert_buf[10 * 1024];
+        len = sizeof(cert_buf);
+
+        if (gnutls_x509_crt_export
+            (cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
+            apr_table_setn(env,
+                           apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
+                           apr_pstrmemdup(r->pool, cert_buf, len));
+
     }
 
@@ -772 +824 @@
                    apr_pstrdup(r->pool, tmp));
 
-    alg = gnutls_x509_crt_get_signature_algorithm( cert);
+    alg = gnutls_x509_crt_get_signature_algorithm(cert);
     if (alg >= 0) {
-      apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG", NULL),
-          gnutls_sign_algorithm_get_name( alg));
-    }
-
-    alg = gnutls_x509_crt_get_pk_algorithm( cert, NULL);
+        apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG", NULL),
+                       gnutls_sign_algorithm_get_name(alg));
+    }
+
+    alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
     if (alg >= 0) {
-      apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY", NULL),
-          gnutls_pk_algorithm_get_name( alg));
+        apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY", NULL),
+                       gnutls_pk_algorithm_get_name(alg));
     }
 
@@ -888 +940 @@
 //    rv = mgs_authz_lua(r);
 
-    mgs_add_common_cert_vars(r, cert, 1, ctxt->sc->export_certificates_enabled);
+    mgs_add_common_cert_vars(r, cert, 1,
+                             ctxt->sc->export_certificates_enabled);
 
     {
-      /* days remaining */
-      unsigned long remain = (apr_time_sec(expiration_time) - apr_time_sec(cur_time))/86400;
-      apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN", 
-          apr_psprintf(r->pool, "%lu", remain));
+        /* days remaining */
+        unsigned long remain =
+            (apr_time_sec(expiration_time) -
+             apr_time_sec(cur_time)) / 86400;
+        apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN",
+                       apr_psprintf(r->pool, "%lu", remain));
     }