Added support for subject alternative names. (untested)

author: Nokis Mavrogiannopoulos 2007-12-01 09:12:01 +0000
committer: Nokis Mavrogiannopoulos 2007-12-01 09:12:01 +0000
commit: 94d92bd1b7b5696044c6293fc77292d3ad535148 (patch)
tree: 222abe5cf70397429dc90f48aa8d880943406b46 /src
parent: 30c3470aac7dc3553882b018e69cf1f1ce13d5ff (diff)
2 files changed, 155 insertions, 100 deletions
diff --git a/src/gnutls_config.c b/src/gnutls_config.c
index cad078c..3771e04 100644
--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -332,7 +332,7 @@ const char *mgs_set_export_certificates_enabled(cmd_parms * parms, void *dummy,
 const char *mgs_set_priorities(cmd_parms * parms, void *dummy, const char *arg)
 {
    int ret;
-    char *err;
+    const char *err;
    mgs_srvconf_rec *sc =
        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
                                                 module_config,
diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index f776def..920eccc 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -37,7 +37,8 @@ static int mpm_is_threaded;
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
 /* use side==0 for server and side==1 for client */
 static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert,
-                                     int side, int export_certificates_enabled);
+                                     int side,
+                                     int export_certificates_enabled);
 static apr_status_t mgs_cleanup_pre_config(void *data)
 {
@@ -97,7 +98,8 @@ load_params(const char *file, server_rec * s, apr_pool_t * pool)
                       pool);
    if (rv != APR_SUCCESS) {
        ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
-                     "GnuTLS failed to load params file at: %s. Will use internal params.", file);
+                     "GnuTLS failed to load params file at: %s. Will use internal params.",
+                     file);
        return ret;
    }
@@ -127,7 +129,7 @@ load_params(const char *file, server_rec * s, apr_pool_t * pool)
 /* We don't support openpgp certificates, yet */
 const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 };
-static int mgs_select_virtual_server_cb( gnutls_session_t session)
+static int mgs_select_virtual_server_cb(gnutls_session_t session)
 {
    mgs_handle_t *ctxt;
    mgs_srvconf_rec *tsc;
@@ -142,35 +144,36 @@ static int mgs_select_virtual_server_cb( gnutls_session_t session)
        ctxt->sc = tsc;
    gnutls_certificate_server_set_request(session,
-       ctxt->sc->client_verify_mode);
+                                          ctxt->sc->client_verify_mode);
    /* set the new server credentials 
     */
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
-      ctxt->sc->certs);
+                           ctxt->sc->certs);
-    gnutls_credentials_set(session, GNUTLS_CRD_ANON,
+    gnutls_credentials_set(session, GNUTLS_CRD_ANON, ctxt->sc->anon_creds);
-      ctxt->sc->anon_creds);
-    if ( ctxt->sc->srp_tpasswd_conf_file != NULL && ctxt->sc->srp_tpasswd_file != NULL) {
+    if (ctxt->sc->srp_tpasswd_conf_file != NULL
-       gnutls_credentials_set(session, GNUTLS_CRD_SRP,
+        && ctxt->sc->srp_tpasswd_file != NULL) {
-         ctxt->sc->srp_creds);
+        gnutls_credentials_set(session, GNUTLS_CRD_SRP,
+                               ctxt->sc->srp_creds);
    }
    /* update the priorities - to avoid negotiating a ciphersuite that is not
     * enabled on this virtual server. Note that here we ignore the version
     * negotiation.
     */
-    ret = gnutls_priority_set( session, ctxt->sc->priorities);
+    ret = gnutls_priority_set(session, ctxt->sc->priorities);
-    gnutls_certificate_type_set_priority( session, cert_type_prio);
+    gnutls_certificate_type_set_priority(session, cert_type_prio);
-    
-    
    /* actually it shouldn't fail since we have checked at startup */
-    if (ret < 0) return ret;
+    if (ret < 0)
+        return ret;
-    /* allow separate caches per virtual host. Actually allowing the same is not
+    /* allow separate caches per virtual host. Actually allowing the same is a
-     * a good idea, especially if they have different security requirements.
+     * bad idea, since they might have different security requirements.
     */
    mgs_cache_session_init(ctxt);
@@ -193,20 +196,63 @@ static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st * ret)
 }
 const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
-"MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
+    "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
-"gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
+    "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
-"KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
+    "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
-"dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
+    "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
-"YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
+    "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
-"Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
+    "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
-"-----END DH PARAMETERS-----\n";
+    "-----END DH PARAMETERS-----\n";
+/* Read the common name or the alternative name of the certificate.
+ * We only support a single name per certificate.
+ *
+ * Returns negative on error.
+ */
+static int read_crt_cn(apr_pool_t * p, gnutls_x509_crt cert,
+                       char **cert_cn)
+{
+    int rv = 0, i;
+    size_t data_len;
+    *cert_cn = NULL;
+    rv = gnutls_x509_crt_get_dn_by_oid(cert,
+                                       GNUTLS_OID_X520_COMMON_NAME,
+                                       0, 0, NULL, &data_len);
+    if (rv >= 0 && data_len > 1) {
+        *cert_cn = apr_palloc(p, data_len);
+        rv = gnutls_x509_crt_get_dn_by_oid(cert,
+                                           GNUTLS_OID_X520_COMMON_NAME, 0,
+                                           0, *cert_cn, &data_len);
+    } else {                    /* No CN return subject alternative name */
+        /* read subject alternative name */
+        for (i = 0; !(rv < 0); i++) {
+            rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
+                    NULL, &data_len, NULL);
+                    
+            if (rv == GNUTLS_SAN_DNSNAME) {
+                *cert_cn = apr_palloc(p, data_len);
+                rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
+                    *cert_cn, &data_len, NULL);
+                break;
+            }
+        }
+    }
+    
+    return rv;
+}
 int
 mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
                     apr_pool_t * ptemp, server_rec * base_server)
 {
    int rv;
-    size_t data_len;
    server_rec *s;
    gnutls_dh_params_t dh_params;
    gnutls_rsa_params_t rsa_params;
@@ -251,26 +297,26 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
        } else {
            /* If the file does not exist use internal parameters
             */
-            pdata.data = (void*)static_dh_params;
+            pdata.data = (void *) static_dh_params;
-            pdata.size = sizeof( static_dh_params);
+            pdata.size = sizeof(static_dh_params);
            rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
                                               GNUTLS_X509_FMT_PEM);
-            if (rv < 0) {
+            if (rv < 0) {
-              ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Unable to load internal DH Params."
+                             "GnuTLS: Unable to load internal DH Params."
-                         " Shutting down.");
+                             " Shutting down.");
-              exit(-1);
+                exit(-1);
-            }
+            }
        }
        apr_pool_clear(tpool);
-        rsa_params = NULL;
+        rsa_params = NULL;
-        
        pdata = load_params(sc_base->rsa_params_file, s, tpool);
        if (pdata.size != 0) {
-            gnutls_rsa_params_init(&rsa_params);
+            gnutls_rsa_params_init(&rsa_params);
            rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata,
                                                GNUTLS_X509_FMT_PEM);
            if (rv != 0) {
@@ -279,9 +325,9 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
                             rv, gnutls_strerror(rv));
                exit(rv);
            }
-        } 
+        }
-        /* not an error but RSA-EXPORT ciphersuites are not available 
+        /* not an error but RSA-EXPORT ciphersuites are not available 
-         */
+         */
        apr_pool_destroy(tpool);
        rv = mgs_cache_post_config(p, s, sc_base);
@@ -299,20 +345,24 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
            sc->cache_config = sc_base->cache_config;
            if (rsa_params != NULL)
-              gnutls_certificate_set_rsa_export_params(sc->certs,
+                gnutls_certificate_set_rsa_export_params(sc->certs,
-                                                     rsa_params);
+                                                         rsa_params);
            gnutls_certificate_set_dh_params(sc->certs, dh_params);
-            gnutls_anon_set_server_dh_params( sc->anon_creds, dh_params);
+            gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params);
-            
-            gnutls_certificate_server_set_retrieve_function(sc->certs,
+            gnutls_certificate_server_set_retrieve_function(sc->certs,
-                                                    cert_retrieve_fn);
+                                                            cert_retrieve_fn);
+            if (sc->srp_tpasswd_conf_file != NULL
+                && sc->srp_tpasswd_file != NULL) {
+                gnutls_srp_set_server_credentials_file(sc->srp_creds,
+                                                       sc->
+                                                       srp_tpasswd_file,
+                                                       sc->
+                                                       srp_tpasswd_conf_file);
+            }
-            if ( sc->srp_tpasswd_conf_file != NULL && sc->srp_tpasswd_file != NULL) {
-                gnutls_srp_set_server_credentials_file( sc->srp_creds, 
-                    sc->srp_tpasswd_file, sc->srp_tpasswd_conf_file);
-            }
-            
            if (sc->cert_x509 == NULL
                && sc->enabled == GNUTLS_ENABLED_TRUE) {
                ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
@@ -332,22 +382,13 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
            }
            if (sc->enabled == GNUTLS_ENABLED_TRUE) {
-            rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509,
+                rv = read_crt_cn(p, sc->cert_x509, &sc->cert_cn);
-                                               GNUTLS_OID_X520_COMMON_NAME,
+                if (rv < 0) {
-                                               0, 0, NULL, &data_len);
+                    sc->enabled = GNUTLS_ENABLED_FALSE;
+                    sc->cert_cn = NULL;
-            if (data_len < 1) {
+                    continue;
-                sc->enabled = GNUTLS_ENABLED_FALSE;
+                }
-                sc->cert_cn = NULL;
-                continue;
            }
-            sc->cert_cn = apr_palloc(p, data_len);
-            rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509,
-                                               GNUTLS_OID_X520_COMMON_NAME,
-                                               0, 0, sc->cert_cn,
-                                               &data_len);
-            }
        }
    }
@@ -532,8 +573,9 @@ mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session)
 static const int protocol_priority[] = {
-  GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
+    GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
-          
+};
 static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c)
 {
@@ -558,19 +600,20 @@ static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c)
    ctxt->output_length = 0;
    gnutls_init(&ctxt->session, GNUTLS_SERVER);
-    
    /* This is not very good as it trades security for compatibility,
     * but it is the only way to be ultra-portable.
     */
-    gnutls_session_enable_compatibility_mode( ctxt->session);
+    gnutls_session_enable_compatibility_mode(ctxt->session);
-    
    /* because we don't set any default priorities here (we set later at
     * the user hello callback) we need to at least set this in order for
     * gnutls to be able to read packets.
     */
-    gnutls_protocol_set_priority( ctxt->session, protocol_priority);
+    gnutls_protocol_set_priority(ctxt->session, protocol_priority);
-    gnutls_handshake_set_post_client_hello_function( ctxt->session, mgs_select_virtual_server_cb);
+    gnutls_handshake_set_post_client_hello_function(ctxt->session,
+                                                    mgs_select_virtual_server_cb);
    return ctxt;
 }
@@ -623,25 +666,30 @@ int mgs_hook_fixups(request_rec * r)
    apr_table_setn(env, "HTTPS", "on");
-    apr_table_setn(env, "SSL_VERSION_LIBRARY", "GnuTLS/"LIBGNUTLS_VERSION);
+    apr_table_setn(env, "SSL_VERSION_LIBRARY",
-    apr_table_setn(env, "SSL_VERSION_INTERFACE", "mod_gnutls/"MOD_GNUTLS_VERSION);
+                   "GnuTLS/" LIBGNUTLS_VERSION);
+    apr_table_setn(env, "SSL_VERSION_INTERFACE",
+                   "mod_gnutls/" MOD_GNUTLS_VERSION);
    apr_table_setn(env, "SSL_PROTOCOL",
                   gnutls_protocol_get_name(gnutls_protocol_get_version
                                            (ctxt->session)));
-    /* should have been called SSL_CIPHERSUITE instead */                                          
+    /* should have been called SSL_CIPHERSUITE instead */
    apr_table_setn(env, "SSL_CIPHER",
-          gnutls_cipher_suite_get_name(
+                   gnutls_cipher_suite_get_name(gnutls_kx_get
-            gnutls_kx_get(ctxt->session), gnutls_cipher_get(ctxt->session),
+                                                (ctxt->session),
-                    gnutls_mac_get(ctxt->session)));
+                                                gnutls_cipher_get(ctxt->
+                                                                  session),
+                                                gnutls_mac_get(ctxt->
+                                                               session)));
    apr_table_setn(env, "SSL_COMPRESS_METHOD",
                   gnutls_compression_get_name(gnutls_compression_get
-                                          (ctxt->session)));
+                                               (ctxt->session)));
    apr_table_setn(env, "SSL_SRP_USER",
-                   gnutls_srp_server_get_username( ctxt->session));
+                   gnutls_srp_server_get_username(ctxt->session));
    if (apr_table_get(env, "SSL_CLIENT_VERIFY") == NULL)
        apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE");
@@ -662,7 +710,8 @@ int mgs_hook_fixups(request_rec * r)
    tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf));
    apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp));
-    mgs_add_common_cert_vars(r, ctxt->sc->cert_x509, 0, ctxt->sc->export_certificates_enabled);
+    mgs_add_common_cert_vars(r, ctxt->sc->cert_x509, 0,
+                             ctxt->sc->export_certificates_enabled);
    return rv;
 }
@@ -723,7 +772,8 @@ int mgs_hook_authz(request_rec * r)
 */
 #define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT")
 static void
-mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side, int export_certificates_enabled)
+mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side,
+                         int export_certificates_enabled)
 {
    unsigned char sbuf[64];     /* buffer to hold serials */
    char buf[AP_IOBUFSIZE];
@@ -734,13 +784,15 @@ mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side, int ex
    apr_table_t *env = r->subprocess_env;
    if (export_certificates_enabled != 0) {
-      char cert_buf[10*1024];
+        char cert_buf[10 * 1024];
-      len = sizeof(cert_buf);
+        len = sizeof(cert_buf);
+        if (gnutls_x509_crt_export
+            (cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
+            apr_table_setn(env,
+                           apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
+                           apr_pstrmemdup(r->pool, cert_buf, len));
-      if (gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
-        apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
-                   apr_pstrmemdup(r->pool, cert_buf, len));
-      
    }
    len = sizeof(buf);
@@ -771,16 +823,16 @@ mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side, int ex
    apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL),
                   apr_pstrdup(r->pool, tmp));
-    alg = gnutls_x509_crt_get_signature_algorithm( cert);
+    alg = gnutls_x509_crt_get_signature_algorithm(cert);
    if (alg >= 0) {
-      apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG", NULL),
+        apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG", NULL),
-          gnutls_sign_algorithm_get_name( alg));
+                       gnutls_sign_algorithm_get_name(alg));
    }
-    alg = gnutls_x509_crt_get_pk_algorithm( cert, NULL);
+    alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
    if (alg >= 0) {
-      apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY", NULL),
+        apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY", NULL),
-          gnutls_pk_algorithm_get_name( alg));
+                       gnutls_pk_algorithm_get_name(alg));
    }
@@ -887,13 +939,16 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
 //    mgs_hook_fixups(r);
 //    rv = mgs_authz_lua(r);
-    mgs_add_common_cert_vars(r, cert, 1, ctxt->sc->export_certificates_enabled);
+    mgs_add_common_cert_vars(r, cert, 1,
+                             ctxt->sc->export_certificates_enabled);
    {
-      /* days remaining */
+        /* days remaining */
-      unsigned long remain = (apr_time_sec(expiration_time) - apr_time_sec(cur_time))/86400;
+        unsigned long remain =
-      apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN", 
+            (apr_time_sec(expiration_time) -
-          apr_psprintf(r->pool, "%lu", remain));
+             apr_time_sec(cur_time)) / 86400;
+        apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN",
+                       apr_psprintf(r->pool, "%lu", remain));
    }
    if (status == 0 && expired == 0) {
author	Nokis Mavrogiannopoulos	2007-12-01 09:12:01 +0000
committer	Nokis Mavrogiannopoulos	2007-12-01 09:12:01 +0000
commit	94d92bd1b7b5696044c6293fc77292d3ad535148 (patch)
tree	222abe5cf70397429dc90f48aa8d880943406b46 /src
parent	30c3470aac7dc3553882b018e69cf1f1ce13d5ff (diff)

diff --git a/src/gnutls_config.c b/src/gnutls_config.c index cad078c..3771e04 100644 --- a/src/gnutls_config.c +++ b/src/gnutls_config.c
@@ -332,7 +332,7 @@ const char mgs_set_export_certificates_enabled(cmd_parms parms, void *dummy,
332	const char mgs_set_priorities(cmd_parms parms, void dummy, const char arg)	332	const char mgs_set_priorities(cmd_parms parms, void dummy, const char arg)
333	{	333	{
334	int ret;	334	int ret;
335	char *err;	335	const char *err;
336	mgs_srvconf_rec *sc =	336	mgs_srvconf_rec *sc =
337	(mgs_srvconf_rec *) ap_get_module_config(parms->server->	337	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
338	module_config,	338	module_config,


diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c index f776def..920eccc 100644 --- a/src/gnutls_hooks.c +++ b/src/gnutls_hooks.c
@@ -37,7 +37,8 @@ static int mpm_is_threaded;
37	static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);	37	static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
38	/* use side==0 for server and side==1 for client */	38	/* use side==0 for server and side==1 for client */
39	static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert,	39	static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert,
40	int side, int export_certificates_enabled);	40	int side,
		41	int export_certificates_enabled);
41		42
42	static apr_status_t mgs_cleanup_pre_config(void *data)	43	static apr_status_t mgs_cleanup_pre_config(void *data)
43	{	44	{
@@ -97,7 +98,8 @@ load_params(const char file, server_rec s, apr_pool_t * pool)
97	pool);	98	pool);
98	if (rv != APR_SUCCESS) {	99	if (rv != APR_SUCCESS) {
99	ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,	100	ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
100	"GnuTLS failed to load params file at: %s. Will use internal params.", file);	101	"GnuTLS failed to load params file at: %s. Will use internal params.",
		102	file);
101	return ret;	103	return ret;
102	}	104	}
103		105
@@ -127,7 +129,7 @@ load_params(const char file, server_rec s, apr_pool_t * pool)
127	/* We don't support openpgp certificates, yet */	129	/* We don't support openpgp certificates, yet */
128	const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 };	130	const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 };
129		131
130	static int mgs_select_virtual_server_cb( gnutls_session_t session)	132	static int mgs_select_virtual_server_cb(gnutls_session_t session)
131	{	133	{
132	mgs_handle_t *ctxt;	134	mgs_handle_t *ctxt;
133	mgs_srvconf_rec *tsc;	135	mgs_srvconf_rec *tsc;
@@ -142,35 +144,36 @@ static int mgs_select_virtual_server_cb( gnutls_session_t session)
142	ctxt->sc = tsc;	144	ctxt->sc = tsc;
143		145
144	gnutls_certificate_server_set_request(session,	146	gnutls_certificate_server_set_request(session,
145	ctxt->sc->client_verify_mode);	147	ctxt->sc->client_verify_mode);
146		148
147	/* set the new server credentials	149	/* set the new server credentials
148	*/	150	*/
149		151
150	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,	152	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
151	ctxt->sc->certs);	153	ctxt->sc->certs);
152		154
153	gnutls_credentials_set(session, GNUTLS_CRD_ANON,	155	gnutls_credentials_set(session, GNUTLS_CRD_ANON, ctxt->sc->anon_creds);
154	ctxt->sc->anon_creds);
155		156
156	if ( ctxt->sc->srp_tpasswd_conf_file != NULL && ctxt->sc->srp_tpasswd_file != NULL) {	157	if (ctxt->sc->srp_tpasswd_conf_file != NULL
157	gnutls_credentials_set(session, GNUTLS_CRD_SRP,	158	&& ctxt->sc->srp_tpasswd_file != NULL) {
158	ctxt->sc->srp_creds);	159	gnutls_credentials_set(session, GNUTLS_CRD_SRP,
		160	ctxt->sc->srp_creds);
159	}	161	}
160		162
161	/* update the priorities - to avoid negotiating a ciphersuite that is not	163	/* update the priorities - to avoid negotiating a ciphersuite that is not
162	* enabled on this virtual server. Note that here we ignore the version	164	* enabled on this virtual server. Note that here we ignore the version
163	* negotiation.	165	* negotiation.
164	*/	166	*/
165	ret = gnutls_priority_set( session, ctxt->sc->priorities);	167	ret = gnutls_priority_set(session, ctxt->sc->priorities);
166	gnutls_certificate_type_set_priority( session, cert_type_prio);	168	gnutls_certificate_type_set_priority(session, cert_type_prio);
167		169
168		170
169	/* actually it shouldn't fail since we have checked at startup */	171	/* actually it shouldn't fail since we have checked at startup */
170	if (ret < 0) return ret;	172	if (ret < 0)
		173	return ret;
171		174
172	/* allow separate caches per virtual host. Actually allowing the same is not	175	/* allow separate caches per virtual host. Actually allowing the same is a
173	* a good idea, especially if they have different security requirements.	176	* bad idea, since they might have different security requirements.
174	*/	177	*/
175	mgs_cache_session_init(ctxt);	178	mgs_cache_session_init(ctxt);
176		179
@@ -193,20 +196,63 @@ static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st * ret)
193	}	196	}
194		197
195	const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"	198	const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
196	"MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"	199	"MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
197	"gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"	200	"gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
198	"KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"	201	"KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
199	"dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"	202	"dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
200	"YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"	203	"YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
201	"Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"	204	"Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
202	"-----END DH PARAMETERS-----\n";	205	"-----END DH PARAMETERS-----\n";
		206
		207	/* Read the common name or the alternative name of the certificate.
		208	* We only support a single name per certificate.
		209	*
		210	* Returns negative on error.
		211	*/
		212	static int read_crt_cn(apr_pool_t * p, gnutls_x509_crt cert,
		213	char **cert_cn)
		214	{
		215	int rv = 0, i;
		216	size_t data_len;
		217
		218
		219	*cert_cn = NULL;
		220
		221	rv = gnutls_x509_crt_get_dn_by_oid(cert,
		222	GNUTLS_OID_X520_COMMON_NAME,
		223	0, 0, NULL, &data_len);
		224
		225	if (rv >= 0 && data_len > 1) {
		226	*cert_cn = apr_palloc(p, data_len);
		227	rv = gnutls_x509_crt_get_dn_by_oid(cert,
		228	GNUTLS_OID_X520_COMMON_NAME, 0,
		229	0, *cert_cn, &data_len);
		230	} else { /* No CN return subject alternative name */
		231
		232	/* read subject alternative name */
		233	for (i = 0; !(rv < 0); i++) {
		234	rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
		235	NULL, &data_len, NULL);
		236
		237	if (rv == GNUTLS_SAN_DNSNAME) {
		238	*cert_cn = apr_palloc(p, data_len);
		239	rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
		240	*cert_cn, &data_len, NULL);
		241	break;
		242
		243	}
		244	}
		245	}
		246
		247	return rv;
		248
		249	}
203		250
204	int	251	int
205	mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,	252	mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
206	apr_pool_t * ptemp, server_rec * base_server)	253	apr_pool_t * ptemp, server_rec * base_server)
207	{	254	{
208	int rv;	255	int rv;
209	size_t data_len;
210	server_rec *s;	256	server_rec *s;
211	gnutls_dh_params_t dh_params;	257	gnutls_dh_params_t dh_params;
212	gnutls_rsa_params_t rsa_params;	258	gnutls_rsa_params_t rsa_params;
@@ -251,26 +297,26 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
251	} else {	297	} else {
252	/* If the file does not exist use internal parameters	298	/* If the file does not exist use internal parameters
253	*/	299	*/
254	pdata.data = (void*)static_dh_params;	300	pdata.data = (void *) static_dh_params;
255	pdata.size = sizeof( static_dh_params);	301	pdata.size = sizeof(static_dh_params);
256	rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,	302	rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
257	GNUTLS_X509_FMT_PEM);	303	GNUTLS_X509_FMT_PEM);
258		304
259	if (rv < 0) {	305	if (rv < 0) {
260	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,	306	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
261	"GnuTLS: Unable to load internal DH Params."	307	"GnuTLS: Unable to load internal DH Params."
262	" Shutting down.");	308	" Shutting down.");
263	exit(-1);	309	exit(-1);
264	}	310	}
265	}	311	}
266	apr_pool_clear(tpool);	312	apr_pool_clear(tpool);
267		313
268	rsa_params = NULL;	314	rsa_params = NULL;
269		315
270	pdata = load_params(sc_base->rsa_params_file, s, tpool);	316	pdata = load_params(sc_base->rsa_params_file, s, tpool);
271		317
272	if (pdata.size != 0) {	318	if (pdata.size != 0) {
273	gnutls_rsa_params_init(&rsa_params);	319	gnutls_rsa_params_init(&rsa_params);
274	rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata,	320	rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata,
275	GNUTLS_X509_FMT_PEM);	321	GNUTLS_X509_FMT_PEM);
276	if (rv != 0) {	322	if (rv != 0) {
@@ -279,9 +325,9 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
279	rv, gnutls_strerror(rv));	325	rv, gnutls_strerror(rv));
280	exit(rv);	326	exit(rv);
281	}	327	}
282	}	328	}
283	/* not an error but RSA-EXPORT ciphersuites are not available	329	/* not an error but RSA-EXPORT ciphersuites are not available
284	*/	330	*/
285		331
286	apr_pool_destroy(tpool);	332	apr_pool_destroy(tpool);
287	rv = mgs_cache_post_config(p, s, sc_base);	333	rv = mgs_cache_post_config(p, s, sc_base);
@@ -299,20 +345,24 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
299	sc->cache_config = sc_base->cache_config;	345	sc->cache_config = sc_base->cache_config;
300		346
301	if (rsa_params != NULL)	347	if (rsa_params != NULL)
302	gnutls_certificate_set_rsa_export_params(sc->certs,	348	gnutls_certificate_set_rsa_export_params(sc->certs,
303	rsa_params);	349	rsa_params);
304	gnutls_certificate_set_dh_params(sc->certs, dh_params);	350	gnutls_certificate_set_dh_params(sc->certs, dh_params);
305		351
306	gnutls_anon_set_server_dh_params( sc->anon_creds, dh_params);	352	gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params);
307		353
308	gnutls_certificate_server_set_retrieve_function(sc->certs,	354	gnutls_certificate_server_set_retrieve_function(sc->certs,
309	cert_retrieve_fn);	355	cert_retrieve_fn);
		356
		357	if (sc->srp_tpasswd_conf_file != NULL
		358	&& sc->srp_tpasswd_file != NULL) {
		359	gnutls_srp_set_server_credentials_file(sc->srp_creds,
		360	sc->
		361	srp_tpasswd_file,
		362	sc->
		363	srp_tpasswd_conf_file);
		364	}
310		365
311	if ( sc->srp_tpasswd_conf_file != NULL && sc->srp_tpasswd_file != NULL) {
312	gnutls_srp_set_server_credentials_file( sc->srp_creds,
313	sc->srp_tpasswd_file, sc->srp_tpasswd_conf_file);
314	}
315
316	if (sc->cert_x509 == NULL	366	if (sc->cert_x509 == NULL
317	&& sc->enabled == GNUTLS_ENABLED_TRUE) {	367	&& sc->enabled == GNUTLS_ENABLED_TRUE) {
318	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,	368	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
@@ -332,22 +382,13 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
332	}	382	}
333		383
334	if (sc->enabled == GNUTLS_ENABLED_TRUE) {	384	if (sc->enabled == GNUTLS_ENABLED_TRUE) {
335	rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509,	385	rv = read_crt_cn(p, sc->cert_x509, &sc->cert_cn);
336	GNUTLS_OID_X520_COMMON_NAME,	386	if (rv < 0) {
337	0, 0, NULL, &data_len);	387	sc->enabled = GNUTLS_ENABLED_FALSE;
338		388	sc->cert_cn = NULL;
339	if (data_len < 1) {	389	continue;
340	sc->enabled = GNUTLS_ENABLED_FALSE;	390	}
341	sc->cert_cn = NULL;
342	continue;
343	}	391	}
344
345	sc->cert_cn = apr_palloc(p, data_len);
346	rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509,
347	GNUTLS_OID_X520_COMMON_NAME,
348	0, 0, sc->cert_cn,
349	&data_len);
350	}
351	}	392	}
352	}	393	}
353		394
@@ -532,8 +573,9 @@ mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session)
532		573
533		574
534	static const int protocol_priority[] = {	575	static const int protocol_priority[] = {
535	GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };	576	GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
536		577	};
		578
537		579
538	static mgs_handle_t create_gnutls_handle(apr_pool_t pool, conn_rec * c)	580	static mgs_handle_t create_gnutls_handle(apr_pool_t pool, conn_rec * c)
539	{	581	{
@@ -558,19 +600,20 @@ static mgs_handle_t create_gnutls_handle(apr_pool_t pool, conn_rec * c)
558	ctxt->output_length = 0;	600	ctxt->output_length = 0;
559		601
560	gnutls_init(&ctxt->session, GNUTLS_SERVER);	602	gnutls_init(&ctxt->session, GNUTLS_SERVER);
561		603
562	/* This is not very good as it trades security for compatibility,	604	/* This is not very good as it trades security for compatibility,
563	* but it is the only way to be ultra-portable.	605	* but it is the only way to be ultra-portable.
564	*/	606	*/
565	gnutls_session_enable_compatibility_mode( ctxt->session);	607	gnutls_session_enable_compatibility_mode(ctxt->session);
566		608
567	/* because we don't set any default priorities here (we set later at	609	/* because we don't set any default priorities here (we set later at
568	* the user hello callback) we need to at least set this in order for	610	* the user hello callback) we need to at least set this in order for
569	* gnutls to be able to read packets.	611	* gnutls to be able to read packets.
570	*/	612	*/
571	gnutls_protocol_set_priority( ctxt->session, protocol_priority);	613	gnutls_protocol_set_priority(ctxt->session, protocol_priority);
572		614
573	gnutls_handshake_set_post_client_hello_function( ctxt->session, mgs_select_virtual_server_cb);	615	gnutls_handshake_set_post_client_hello_function(ctxt->session,
		616	mgs_select_virtual_server_cb);
574		617
575	return ctxt;	618	return ctxt;
576	}	619	}
@@ -623,25 +666,30 @@ int mgs_hook_fixups(request_rec * r)
623		666
624	apr_table_setn(env, "HTTPS", "on");	667	apr_table_setn(env, "HTTPS", "on");
625		668
626	apr_table_setn(env, "SSL_VERSION_LIBRARY", "GnuTLS/"LIBGNUTLS_VERSION);	669	apr_table_setn(env, "SSL_VERSION_LIBRARY",
627	apr_table_setn(env, "SSL_VERSION_INTERFACE", "mod_gnutls/"MOD_GNUTLS_VERSION);	670	"GnuTLS/" LIBGNUTLS_VERSION);
		671	apr_table_setn(env, "SSL_VERSION_INTERFACE",
		672	"mod_gnutls/" MOD_GNUTLS_VERSION);
628		673
629	apr_table_setn(env, "SSL_PROTOCOL",	674	apr_table_setn(env, "SSL_PROTOCOL",
630	gnutls_protocol_get_name(gnutls_protocol_get_version	675	gnutls_protocol_get_name(gnutls_protocol_get_version
631	(ctxt->session)));	676	(ctxt->session)));
632		677
633	/* should have been called SSL_CIPHERSUITE instead */	678	/* should have been called SSL_CIPHERSUITE instead */
634	apr_table_setn(env, "SSL_CIPHER",	679	apr_table_setn(env, "SSL_CIPHER",
635	gnutls_cipher_suite_get_name(	680	gnutls_cipher_suite_get_name(gnutls_kx_get
636	gnutls_kx_get(ctxt->session), gnutls_cipher_get(ctxt->session),	681	(ctxt->session),
637	gnutls_mac_get(ctxt->session)));	682	gnutls_cipher_get(ctxt->
		683	session),
		684	gnutls_mac_get(ctxt->
		685	session)));
638		686
639	apr_table_setn(env, "SSL_COMPRESS_METHOD",	687	apr_table_setn(env, "SSL_COMPRESS_METHOD",
640	gnutls_compression_get_name(gnutls_compression_get	688	gnutls_compression_get_name(gnutls_compression_get
641	(ctxt->session)));	689	(ctxt->session)));
642		690
643	apr_table_setn(env, "SSL_SRP_USER",	691	apr_table_setn(env, "SSL_SRP_USER",
644	gnutls_srp_server_get_username( ctxt->session));	692	gnutls_srp_server_get_username(ctxt->session));
645		693
646	if (apr_table_get(env, "SSL_CLIENT_VERIFY") == NULL)	694	if (apr_table_get(env, "SSL_CLIENT_VERIFY") == NULL)
647	apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE");	695	apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE");
@@ -662,7 +710,8 @@ int mgs_hook_fixups(request_rec * r)
662	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf));	710	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf));
663	apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp));	711	apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp));
664		712
665	mgs_add_common_cert_vars(r, ctxt->sc->cert_x509, 0, ctxt->sc->export_certificates_enabled);	713	mgs_add_common_cert_vars(r, ctxt->sc->cert_x509, 0,
		714	ctxt->sc->export_certificates_enabled);
666		715
667	return rv;	716	return rv;
668	}	717	}
@@ -723,7 +772,8 @@ int mgs_hook_authz(request_rec * r)
723	*/	772	*/
724	#define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT")	773	#define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT")
725	static void	774	static void
726	mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side, int export_certificates_enabled)	775	mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side,
		776	int export_certificates_enabled)
727	{	777	{
728	unsigned char sbuf[64]; /* buffer to hold serials */	778	unsigned char sbuf[64]; /* buffer to hold serials */
729	char buf[AP_IOBUFSIZE];	779	char buf[AP_IOBUFSIZE];
@@ -734,13 +784,15 @@ mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side, int ex
734	apr_table_t *env = r->subprocess_env;	784	apr_table_t *env = r->subprocess_env;
735		785
736	if (export_certificates_enabled != 0) {	786	if (export_certificates_enabled != 0) {
737	char cert_buf[10*1024];	787	char cert_buf[10 * 1024];
738	len = sizeof(cert_buf);	788	len = sizeof(cert_buf);
		789
		790	if (gnutls_x509_crt_export
		791	(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
		792	apr_table_setn(env,
		793	apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
		794	apr_pstrmemdup(r->pool, cert_buf, len));
739		795
740	if (gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
741	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
742	apr_pstrmemdup(r->pool, cert_buf, len));
743
744	}	796	}
745		797
746	len = sizeof(buf);	798	len = sizeof(buf);
@@ -771,16 +823,16 @@ mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side, int ex
771	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL),	823	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL),
772	apr_pstrdup(r->pool, tmp));	824	apr_pstrdup(r->pool, tmp));
773		825
774	alg = gnutls_x509_crt_get_signature_algorithm( cert);	826	alg = gnutls_x509_crt_get_signature_algorithm(cert);
775	if (alg >= 0) {	827	if (alg >= 0) {
776	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG", NULL),	828	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG", NULL),
777	gnutls_sign_algorithm_get_name( alg));	829	gnutls_sign_algorithm_get_name(alg));
778	}	830	}
779		831
780	alg = gnutls_x509_crt_get_pk_algorithm( cert, NULL);	832	alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
781	if (alg >= 0) {	833	if (alg >= 0) {
782	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY", NULL),	834	apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY", NULL),
783	gnutls_pk_algorithm_get_name( alg));	835	gnutls_pk_algorithm_get_name(alg));
784	}	836	}
785		837
786		838
@@ -887,13 +939,16 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
887	// mgs_hook_fixups(r);	939	// mgs_hook_fixups(r);
888	// rv = mgs_authz_lua(r);	940	// rv = mgs_authz_lua(r);
889		941
890	mgs_add_common_cert_vars(r, cert, 1, ctxt->sc->export_certificates_enabled);	942	mgs_add_common_cert_vars(r, cert, 1,
		943	ctxt->sc->export_certificates_enabled);
891		944
892	{	945	{
893	/* days remaining */	946	/* days remaining */
894	unsigned long remain = (apr_time_sec(expiration_time) - apr_time_sec(cur_time))/86400;	947	unsigned long remain =
895	apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN",	948	(apr_time_sec(expiration_time) -
896	apr_psprintf(r->pool, "%lu", remain));	949	apr_time_sec(cur_time)) / 86400;
		950	apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN",
		951	apr_psprintf(r->pool, "%lu", remain));
897	}	952	}
898		953
899	if (status == 0 && expired == 0) {	954	if (status == 0 && expired == 0) {