aboutsummaryrefslogtreecommitdiffstats
path: root/src/gnutls_hooks.c
diff options
context:
space:
mode:
authorGravatar Paul Querna 2005-05-24 17:55:17 +0000
committerGravatar Paul Querna 2005-05-24 17:55:17 +0000
commit836c2f9f5d0d3c6cc1369a08683860e940c935b8 (patch)
tree96f31a9b0f769110d72963b5f6a58edb60eb58f5 /src/gnutls_hooks.c
parent84cb5b2ad2abada1069659895d16dcb64f669008 (diff)
start the CA Certificate code.
Diffstat (limited to 'src/gnutls_hooks.c')
-rw-r--r--src/gnutls_hooks.c143
1 files changed, 91 insertions, 52 deletions
diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index 3862c9d..8452d36 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -586,41 +586,66 @@ int mgs_hook_authz(request_rec *r)
586 if (!ctxt) { 586 if (!ctxt) {
587 return DECLINED; 587 return DECLINED;
588 } 588 }
589 ap_add_common_vars(r); 589
590 mgs_hook_fixups(r);
591 status = mgs_authz_lua(r);
592 if (status != 0) {
593 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
594 "GnuTLS: FAILED Lua Authorization Test");
595 return HTTP_FORBIDDEN;
596 }
597 if (dc->client_verify_mode == GNUTLS_CERT_IGNORE) { 590 if (dc->client_verify_mode == GNUTLS_CERT_IGNORE) {
598 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 591 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
599 "GnuTLS: Directory set to Ignore Client Certificate!"); 592 "GnuTLS: Directory set to Ignore Client Certificate!");
600 return DECLINED;
601 } 593 }
602 594 else {
603 if (ctxt->sc->client_verify_mode < dc->client_verify_mode) { 595 if (ctxt->sc->client_verify_mode < dc->client_verify_mode) {
604 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 596 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
605 "GnuTLS: Attempting to rehandshake with peer. %d %d", 597 "GnuTLS: Attempting to rehandshake with peer. %d %d",
606 ctxt->sc->client_verify_mode, dc->client_verify_mode); 598 ctxt->sc->client_verify_mode, dc->client_verify_mode);
607 599
608 gnutls_certificate_server_set_request(ctxt->session, 600 gnutls_certificate_server_set_request(ctxt->session,
609 dc->client_verify_mode); 601 dc->client_verify_mode);
610 602
611 if (mgs_rehandshake(ctxt) != 0) { 603 if (mgs_rehandshake(ctxt) != 0) {
612 return HTTP_FORBIDDEN; 604 return HTTP_FORBIDDEN;
605 }
613 } 606 }
614 } 607 else if (ctxt->sc->client_verify_mode == GNUTLS_CERT_IGNORE) {
615 else if (ctxt->sc->client_verify_mode == GNUTLS_CERT_IGNORE) {
616#if MOD_GNUTLS_DEBUG 608#if MOD_GNUTLS_DEBUG
617 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 609 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
618 "GnuTLS: Peer is set to IGNORE"); 610 "GnuTLS: Peer is set to IGNORE");
619#endif 611#endif
620 return DECLINED; 612 }
613 else {
614 rv = mgs_cert_verify(r, ctxt);
615 if (rv != DECLINED) {
616 return rv;
617 }
618 }
619
620
621static int mgs_cert_verify(request_rec *r, mgs_handle_t *ctxt)
622{
623 const gnutls_datum_t* cert_list;
624 int cert_list_size;
625 gnutls_x509_crt_t cert;
626
627
628 cert_list = gnutls_certificate_get_peers(ctxt->session, &cert_list_size);
629
630 if (cert_list == NULL || cert_list_size == 0) {
631 /* no certificate provided by the client, but one was required. */
632 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
633 "GnuTLS: Failed to Verify Peer: "
634 "Client did not submit a certificate");
635 return HTTP_FORBIDDEN;
621 } 636 }
622 637
623 rv = gnutls_certificate_verify_peers2(ctxt->session, &status); 638 if (cert_list_size > 1) {
639 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
640 "GnuTLS: Failed to Verify Peer: "
641 "Chained Client Certificates are not supported.");
642 return HTTP_FORBIDDEN;
643 }
644
645 gnutls_x509_crt_init(&cert);
646 gnutls_x509_crt_import(cert, &cert_chain[0], GNUTLS_X509_FMT_DER);
647
648 rv = gnutls_x509_crt_verify(cert, ctxt->sc->ca_list, ctxt->sc->ca_list_size, 0, &status);
624 649
625 if (rv < 0) { 650 if (rv < 0) {
626 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 651 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
@@ -629,42 +654,56 @@ int mgs_hook_authz(request_rec *r)
629 return HTTP_FORBIDDEN; 654 return HTTP_FORBIDDEN;
630 } 655 }
631 656
632 if (status < 0) { 657 if (status < 0) {
633 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 658 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
634 "GnuTLS: Peer Status is invalid."); 659 "GnuTLS: Peer Status is invalid.");
635 return HTTP_FORBIDDEN; 660 return HTTP_FORBIDDEN;
636 } 661 }
637 662
638 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) { 663 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
639 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 664 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
640 "GnuTLS: Could not find Signer for Peer Certificate"); 665 "GnuTLS: Could not find Signer for Peer Certificate");
641 } 666 }
642 667
643 if (status & GNUTLS_CERT_SIGNER_NOT_CA) { 668 if (status & GNUTLS_CERT_SIGNER_NOT_CA) {
644 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 669 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
645 "GnuTLS: Could not find CA for Peer Certificate"); 670 "GnuTLS: Could not find CA for Peer Certificate");
646 } 671 }
647 672
648 if (status & GNUTLS_CERT_INVALID) { 673 if (status & GNUTLS_CERT_INVALID) {
649 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 674 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
650 "GnuTLS: Peer Certificate is invalid."); 675 "GnuTLS: Peer Certificate is invalid.");
651 return HTTP_FORBIDDEN; 676 return HTTP_FORBIDDEN;
652 } 677 }
653 else if (status & GNUTLS_CERT_REVOKED) { 678 else if (status & GNUTLS_CERT_REVOKED) {
654 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 679 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
655 "GnuTLS: Peer Certificate is revoked."); 680 "GnuTLS: Peer Certificate is revoked.");
656 return HTTP_FORBIDDEN; 681 return HTTP_FORBIDDEN;
657 } 682 }
658 683
659 /* TODO: OpenPGP Certificates */ 684 /* TODO: OpenPGP Certificates */
660 if (gnutls_certificate_type_get(ctxt->session) != GNUTLS_CRT_X509) { 685 if (gnutls_certificate_type_get(ctxt->session) != GNUTLS_CRT_X509) {
686 ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
687 "GnuTLS: Only x509 is supported for client certificates");
688 return HTTP_FORBIDDEN;
689 }
690 /* TODO: Further Verification. */
691// gnutls_x509_crt_get_expiration_time() < time
692// gnutls_x509_crt_get_activation_time() > time
693/// ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size);
661 ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, 694 ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
662 "GnuTLS: Only x509 is supported for client certificates"); 695 "GnuTLS: Verified Peer.");
696 }
697
698 ap_add_common_vars(r);
699 mgs_hook_fixups(r);
700 status = mgs_authz_lua(r);
701
702 if (status != 0) {
703 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
704 "GnuTLS: FAILED Authorization Test");
663 return HTTP_FORBIDDEN; 705 return HTTP_FORBIDDEN;
664 } 706 }
665 /* TODO: Further Verification. */ 707
666 ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
667 "GnuTLS: Verified Peer.");
668 return OK;
669} 708}
670 709