1 files changed, 654 insertions, 0 deletions
diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
new file mode 100644
index 0000000..5429d66
--- /dev/null
+++ b/src/gnutls_hooks.c
@@ -0,0 +1,654 @@
+/**
+ *  Copyright 2004-2005 Paul Querna
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+#include "mod_gnutls.h"
+#include "http_vhost.h"
+#if !USING_2_1_RECENT
+extern server_rec *ap_server_conf;
+#endif
+#if APR_HAS_THREADS
+GCRY_THREAD_OPTION_PTHREAD_IMPL;
+#endif
+#if MOD_GNUTLS_DEBUG
+static apr_file_t* debug_log_fp;
+#endif
+static apr_status_t mgs_cleanup_pre_config(void *data)
+{
+    gnutls_global_deinit();
+    return APR_SUCCESS;
+}
+#if MOD_GNUTLS_DEBUG
+static void gnutls_debug_log_all( int level, const char* str)
+{
+    apr_file_printf(debug_log_fp, "<%d> %s\n", level, str);
+}
+#endif
+int mgs_hook_pre_config(apr_pool_t * pconf,
+                        apr_pool_t * plog, apr_pool_t * ptemp)
+{
+#if APR_HAS_THREADS
+    /* TODO: Check MPM Type here */
+    gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
+#endif
+    gnutls_global_init();
+    apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config,
+                              apr_pool_cleanup_null);
+#if MOD_GNUTLS_DEBUG
+    apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
+                  APR_APPEND|APR_WRITE|APR_CREATE, APR_OS_DEFAULT, pconf);
+    gnutls_global_set_log_level(9);
+    gnutls_global_set_log_function(gnutls_debug_log_all);
+#endif
+    return OK;
+}
+static gnutls_datum load_params(const char* file, server_rec* s, 
+                                apr_pool_t* pool) 
+{
+    gnutls_datum ret = { NULL, 0 };
+    apr_file_t* fp;
+    apr_finfo_t finfo;
+    apr_status_t rv;
+    apr_size_t br = 0;
+    rv = apr_file_open(&fp, file, APR_READ|APR_BINARY, APR_OS_DEFAULT, 
+                       pool);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, 
+                     "GnuTLS failed to load params file at: %s", file);
+        return ret;
+    }
+    rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, 
+                     "GnuTLS failed to stat params file at: %s", file);
+        return ret;
+    }
+    ret.data = apr_palloc(pool, finfo.size+1);
+    rv = apr_file_read_full(fp, ret.data, finfo.size, &br);
+    if (rv != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, 
+                     "GnuTLS failed to read params file at: %s", file);
+        return ret;
+    }
+    apr_file_close(fp);
+    ret.data[br] = '\0';
+    ret.size = br;
+    return ret;
+}
+int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
+                                       apr_pool_t * ptemp,
+                                       server_rec * base_server)
+{
+    int rv;
+    int data_len;
+    server_rec *s;
+    gnutls_dh_params_t dh_params;
+    gnutls_rsa_params_t rsa_params;
+    mgs_srvconf_rec *sc;
+    mgs_srvconf_rec *sc_base;
+    void *data = NULL;
+    int first_run = 0;
+    const char *userdata_key = "mgs_init";
+         
+    apr_pool_userdata_get(&data, userdata_key, base_server->process->pool);
+    if (data == NULL) {
+        first_run = 1;
+        apr_pool_userdata_set((const void *)1, userdata_key, 
+                              apr_pool_cleanup_null, 
+                              base_server->process->pool);
+    }
+    {
+        gnutls_datum pdata;
+        apr_pool_t* tpool;
+        s = base_server;
+        sc_base = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
+                                                             &gnutls_module);
+        apr_pool_create(&tpool, p);
+        gnutls_dh_params_init(&dh_params);
+        pdata = load_params(sc_base->dh_params_file, s, tpool);
+        if (pdata.size != 0) {
+            rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata, 
+                                               GNUTLS_X509_FMT_PEM);
+            if (rv != 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 
+                             "GnuTLS: Unable to load DH Params: (%d) %s",
+                             rv, gnutls_strerror(rv));
+                exit(rv);
+            }
+        }
+        else {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 
+                         "GnuTLS: Unable to load DH Params."
+                         " Shutting Down.");
+            exit(-1);
+        }
+        apr_pool_clear(tpool);
+        gnutls_rsa_params_init(&rsa_params);
+        pdata = load_params(sc_base->rsa_params_file, s, tpool);
+        if (pdata.size != 0) {
+            rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata, 
+                                                GNUTLS_X509_FMT_PEM);
+            if (rv != 0) {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 
+                             "GnuTLS: Unable to load RSA Params: (%d) %s",
+                             rv, gnutls_strerror(rv));
+                exit(rv);
+            }
+        }
+        else {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 
+                         "GnuTLS: Unable to load RSA Params."
+                         " Shutting Down.");
+            exit(-1);
+        }
+        apr_pool_destroy(tpool);
+        rv = mgs_cache_post_config(p, s, sc_base);
+        if (rv != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, 
+                         "GnuTLS: Post Config for GnuTLSCache Failed."
+                         " Shutting Down.");
+            exit(-1);
+        }
+         
+        for (s = base_server; s; s = s->next) {
+            sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
+                                                                 &gnutls_module);
+            sc->cache_type = sc_base->cache_type;
+            sc->cache_config = sc_base->cache_config;
+            gnutls_certificate_set_rsa_export_params(sc->certs, 
+                                                     rsa_params);
+            gnutls_certificate_set_dh_params(sc->certs, dh_params);
+            if (sc->cert_x509 == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
+                ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
+                             "[GnuTLS] - Host '%s:%d' is missing a "
+                             "Certificate File!",
+                         s->server_hostname, s->port);
+                exit(-1);
+            }
+            
+            if (sc->privkey_x509 == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
+                ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
+                             "[GnuTLS] - Host '%s:%d' is missing a "
+                             "Private Key File!",
+                             s->server_hostname, s->port);
+                exit(-1);
+            }
+            
+            rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509, 
+                                               GNUTLS_OID_X520_COMMON_NAME, 0, 0,
+                                               NULL, &data_len);
+            
+            if (data_len < 1) {
+                sc->enabled = GNUTLS_ENABLED_FALSE;
+                sc->cert_cn = NULL;
+                continue;
+            }
+            
+            sc->cert_cn = apr_palloc(p, data_len);
+            rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509, 
+                                               GNUTLS_OID_X520_COMMON_NAME, 0, 0,
+                                               sc->cert_cn, &data_len);
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
+                         s,
+                         "GnuTLS: sni-x509 cn: %s/%d pk: %s s: 0x%08X sc: 0x%08X", sc->cert_cn, rv,
+                         gnutls_pk_algorithm_get_name(gnutls_x509_privkey_get_pk_algorithm(sc->privkey_x509)),
+                         (unsigned int)s, (unsigned int)sc);
+        }
+    }
+    ap_add_version_component(p, "mod_gnutls/" MOD_GNUTLS_VERSION);
+    return OK;
+}
+void mgs_hook_child_init(apr_pool_t *p, server_rec *s)
+{
+    apr_status_t rv = APR_SUCCESS;
+    mgs_srvconf_rec *sc = ap_get_module_config(s->module_config,
+                                                      &gnutls_module);
+    if (sc->cache_type != mgs_cache_none) {
+        rv = mgs_cache_child_init(p, s, sc);
+        if(rv != APR_SUCCESS) {
+            ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
+                             "[GnuTLS] - Failed to run Cache Init");
+        }
+    }
+    else {
+        ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s,
+                     "[GnuTLS] - No Cache Configured. Hint: GnuTLSCache");
+    }
+}
+const char *mgs_hook_http_scheme(const request_rec * r)
+{
+    mgs_srvconf_rec *sc =
+        (mgs_srvconf_rec *) ap_get_module_config(r->server->
+                                                        module_config,
+                                                        &gnutls_module);
+    if (sc->enabled == GNUTLS_ENABLED_FALSE) {
+        return NULL;
+    }
+    return "https";
+}
+apr_port_t mgs_hook_default_port(const request_rec * r)
+{
+    mgs_srvconf_rec *sc =
+        (mgs_srvconf_rec *) ap_get_module_config(r->server->
+                                                        module_config,
+                                                        &gnutls_module);
+    if (sc->enabled == GNUTLS_ENABLED_FALSE) {
+        return 0;
+    }
+    return 443;
+}
+#define MAX_HOST_LEN 255
+#if USING_2_1_RECENT
+typedef struct
+{
+    mgs_handle_t *ctxt;
+    gnutls_retr_st* ret;
+    const char* sni_name;
+} vhost_cb_rec;
+static int vhost_cb (void* baton, conn_rec* conn, server_rec* s)
+{
+    mgs_srvconf_rec *tsc;
+    vhost_cb_rec* x = baton;
+    tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
+                                                          &gnutls_module);
+    
+    if (tsc->enabled != GNUTLS_ENABLED_TRUE || tsc->cert_cn == NULL) {
+        return 0;
+    }
+    
+    /* The CN can contain a * -- this will match those too. */
+    if (ap_strcasecmp_match(x->sni_name, tsc->cert_cn) == 0) {
+        /* found a match */
+        x->ret->cert.x509 = &tsc->cert_x509;
+        x->ret->key.x509 = tsc->privkey_x509;
+#if MOD_GNUTLS_DEBUG
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
+                     x->ctxt->c->base_server,
+                     "GnuTLS: Virtual Host CB: "
+                     "'%s' == '%s'", tsc->cert_cn, x->sni_name);
+#endif
+        /* Because we actually change the server used here, we need to reset
+         * things like ClientVerify.
+         */
+        x->ctxt->sc = tsc;
+        /* Shit. Crap. Dammit. We *really* should rehandshake here, as our
+         * certificate structure *should* change when the server changes. 
+         * acccckkkkkk. 
+         */
+        gnutls_certificate_server_set_request(x->ctxt->session, x->ctxt->sc->client_verify_mode);
+        return 1;
+    }
+    return 0;
+}
+#endif
+static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st* ret) 
+{
+    int rv;
+    int sni_type;
+    int data_len = MAX_HOST_LEN;
+    char sni_name[MAX_HOST_LEN];
+    mgs_handle_t *ctxt;
+#if USING_2_1_RECENT
+    vhost_cb_rec cbx;
+#else
+    server_rec* s;
+    mgs_srvconf_rec *tsc;    
+#endif
+    
+    ctxt = gnutls_transport_get_ptr(session);
+    
+    sni_type = gnutls_certificate_type_get(session);
+    if (sni_type != GNUTLS_CRT_X509) {
+        /* In theory, we could support OpenPGP Certificates. Theory != code. */
+        ap_log_error(APLOG_MARK, APLOG_CRIT, 0,
+                     ctxt->c->base_server,
+                     "GnuTLS: Only x509 Certificates are currently supported.");
+        return -1;
+    }
+    ret->type = GNUTLS_CRT_X509;
+    ret->ncerts = 1;
+    ret->deinit_all = 0;
+    
+    rv = gnutls_server_name_get(ctxt->session, sni_name, 
+                                &data_len, &sni_type, 0);
+    if (rv != 0) {
+        goto use_default_crt;
+    }
+    if (sni_type != GNUTLS_NAME_DNS) {
+        ap_log_error(APLOG_MARK, APLOG_CRIT, 0,
+                     ctxt->c->base_server,
+                     "GnuTLS: Unknown type '%d' for SNI: "
+                     "'%s'", sni_type, sni_name);        
+        goto use_default_crt;
+    }
+    
+    /**
+     * Code in the Core already sets up the c->base_server as the base
+     * for this IP/Port combo.  Trust that the core did the 'right' thing.
+     */
+#if USING_2_1_RECENT
+    cbx.ctxt = ctxt;
+    cbx.ret = ret;
+    cbx.sni_name = sni_name;
+    rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
+    if (rv == 1) {
+        return 0;
+    }
+#else
+    for (s = ap_server_conf; s; s = s->next) {
+        
+        tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
+                                                             &gnutls_module);
+        if (tsc->enabled != GNUTLS_ENABLED_TRUE) {
+            continue;
+        }
+#if MOD_GNUTLS_DEBUG
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
+                     ctxt->c->base_server,
+                     "GnuTLS: sni-x509 cn: %s/%d pk: %s s: 0x%08X s->n: 0x%08X  sc: 0x%08X", tsc->cert_cn, rv,
+                     gnutls_pk_algorithm_get_name(gnutls_x509_privkey_get_pk_algorithm(ctxt->sc->privkey_x509)),
+                     (unsigned int)s, (unsigned int)s->next, (unsigned int)tsc);
+#endif            
+        /* The CN can contain a * -- this will match those too. */
+        if (ap_strcasecmp_match(sni_name, tsc->cert_cn) == 0) {
+            /* found a match */
+            ret->cert.x509 = &tsc->cert_x509;
+            ret->key.x509 = tsc->privkey_x509;
+#if MOD_GNUTLS_DEBUG
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
+                         ctxt->c->base_server,
+                         "GnuTLS: Virtual Host: "
+                         "'%s' == '%s'", tsc->cert_cn, sni_name);
+#endif
+            ctxt->sc = tsc;
+            gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode);
+            return 0;
+        }
+    }
+#endif
+    
+    /**
+     * If the client does not support the Server Name Indication, give the default 
+     * certificate for this server. 
+     */
+use_default_crt:
+    ret->cert.x509 = &ctxt->sc->cert_x509;
+    ret->key.x509 = ctxt->sc->privkey_x509;
+#if MOD_GNUTLS_DEBUG
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
+                 ctxt->c->base_server,
+                 "GnuTLS: Using Default Certificate.");
+#endif
+    return 0;
+}
+static mgs_handle_t* create_gnutls_handle(apr_pool_t* pool, conn_rec * c)
+{
+    mgs_handle_t *ctxt;
+    mgs_srvconf_rec *sc =
+        (mgs_srvconf_rec *) ap_get_module_config(c->base_server->
+                                                        module_config,
+                                                        &gnutls_module);
+    ctxt = apr_pcalloc(pool, sizeof(*ctxt));
+    ctxt->c = c;
+    ctxt->sc = sc;
+    ctxt->status = 0;
+    ctxt->input_rc = APR_SUCCESS;
+    ctxt->input_bb = apr_brigade_create(c->pool, c->bucket_alloc);
+    ctxt->input_cbuf.length = 0;
+    ctxt->output_rc = APR_SUCCESS;
+    ctxt->output_bb = apr_brigade_create(c->pool, c->bucket_alloc);
+    ctxt->output_blen = 0;
+    ctxt->output_length = 0;
+    gnutls_init(&ctxt->session, GNUTLS_SERVER);
+    gnutls_protocol_set_priority(ctxt->session, sc->protocol);
+    gnutls_cipher_set_priority(ctxt->session, sc->ciphers);
+    gnutls_compression_set_priority(ctxt->session, sc->compression);
+    gnutls_kx_set_priority(ctxt->session, sc->key_exchange);
+    gnutls_mac_set_priority(ctxt->session, sc->macs);
+    gnutls_certificate_type_set_priority(ctxt->session, sc->cert_types);
+    mgs_cache_session_init(ctxt);
+    
+    gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE, ctxt->sc->certs);
+    gnutls_certificate_server_set_retrieve_function(sc->certs, cert_retrieve_fn);
+    gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode);
+    return ctxt;
+}
+int mgs_hook_pre_connection(conn_rec * c, void *csd)
+{
+    mgs_handle_t *ctxt;
+    mgs_srvconf_rec *sc =
+        (mgs_srvconf_rec *) ap_get_module_config(c->base_server->
+                                                        module_config,
+                                                        &gnutls_module);
+    if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) {
+        return DECLINED;
+    }
+    ctxt = create_gnutls_handle(c->pool, c);
+    ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+    gnutls_transport_set_pull_function(ctxt->session,
+                                       mgs_transport_read);
+    gnutls_transport_set_push_function(ctxt->session,
+                                       mgs_transport_write);
+    gnutls_transport_set_ptr(ctxt->session, ctxt);
+    
+    ctxt->input_filter = ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, ctxt, 
+                                             NULL, c);
+    ctxt->output_filter = ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, ctxt,
+                                               NULL, c);
+    return OK;
+}
+int mgs_hook_fixups(request_rec *r)
+{
+    unsigned char sbuf[GNUTLS_MAX_SESSION_ID];
+    char buf[GNUTLS_SESSION_ID_STRING_LEN];
+    const char* tmp;
+    int len;
+    mgs_handle_t *ctxt;
+    apr_table_t *env = r->subprocess_env;
+    ctxt = ap_get_module_config(r->connection->conn_config, &gnutls_module);
+    if(!ctxt) {
+        return DECLINED;
+    }
+    apr_table_setn(env, "HTTPS", "on");
+    apr_table_setn(env, "GNUTLS_VERSION_INTERFACE", MOD_GNUTLS_VERSION);
+    apr_table_setn(env, "GNUTLS_VERSION_LIBRARY", LIBGNUTLS_VERSION);
+    apr_table_setn(env, "SSL_PROTOCOL",
+                   gnutls_protocol_get_name(gnutls_protocol_get_version(ctxt->session)));
+    apr_table_setn(env, "SSL_CIPHER",
+                   gnutls_cipher_get_name(gnutls_cipher_get(ctxt->session)));
+    apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE");
+    tmp = apr_psprintf(r->pool, "%d",
+              8 * gnutls_cipher_get_key_size(gnutls_cipher_get(ctxt->session)));
+    apr_table_setn(env, "SSL_CIPHER_USEKEYSIZE", tmp);
+    apr_table_setn(env, "SSL_CIPHER_ALGKEYSIZE", tmp);
+    len = sizeof(sbuf);
+    gnutls_session_get_id(ctxt->session, sbuf, &len);
+    tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf));
+    apr_table_setn(env, "SSL_SESSION_ID", tmp);
+    
+    return OK;
+}
+int mgs_hook_authz(request_rec *r)
+{
+    int rv;
+    int status;
+    mgs_handle_t *ctxt;
+    mgs_dirconf_rec *dc = ap_get_module_config(r->per_dir_config,
+                                                      &gnutls_module);
+    
+    ctxt = ap_get_module_config(r->connection->conn_config, &gnutls_module);
+    
+    if (!ctxt) {
+        return DECLINED;
+    }
+    
+    if (!dc) {
+        dc = mgs_config_dir_create(r->pool, NULL);
+    }
+    if (dc->client_verify_mode == GNUTLS_CERT_IGNORE) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 
+                      "GnuTLS: Directory set to Ignore Client Certificate!");
+        return DECLINED;
+    }
+    if (ctxt->sc->client_verify_mode < dc->client_verify_mode) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 
+                     "GnuTLS: Attempting to rehandshake with peer. %d %d",
+                      ctxt->sc->client_verify_mode, dc->client_verify_mode);
+        
+        gnutls_certificate_server_set_request(ctxt->session,
+                                              dc->client_verify_mode);
+    
+        if (mgs_rehandshake(ctxt) != 0) {
+            return HTTP_FORBIDDEN;
+        }
+    }
+    else if (ctxt->sc->client_verify_mode == GNUTLS_CERT_IGNORE) {
+#if MOD_GNUTLS_DEBUG
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
+                      "GnuTLS: Peer is set to IGNORE");
+#endif
+        return DECLINED;
+    }
+    
+    rv = gnutls_certificate_verify_peers2(ctxt->session, &status);
+    if (rv < 0) {
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
+                     "GnuTLS: Failed to Verify Peer: (%d) %s", 
+                     rv, gnutls_strerror(rv));
+        return HTTP_FORBIDDEN;
+    }
+    
+    if (status < 0) {
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
+                     "GnuTLS: Peer Status is invalid."); 
+        return HTTP_FORBIDDEN;
+    }
+    
+    if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
+                     "GnuTLS: Could not find Signer for Peer Certificate"); 
+    }
+    
+    if (status & GNUTLS_CERT_SIGNER_NOT_CA) {
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
+                     "GnuTLS: Could not find CA for Peer Certificate"); 
+    }
+    
+    if (status & GNUTLS_CERT_INVALID) {
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
+                     "GnuTLS: Peer Certificate is invalid."); 
+        return HTTP_FORBIDDEN;
+    }
+    else if (status & GNUTLS_CERT_REVOKED) {
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
+                     "GnuTLS: Peer Certificate is revoked."); 
+        return HTTP_FORBIDDEN;
+    }
+    
+    /* TODO: OpenPGP Certificates */
+    if (gnutls_certificate_type_get(ctxt->session) != GNUTLS_CRT_X509) {
+        ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, 
+                     "GnuTLS: Only x509 is supported for client certificates");         
+        return HTTP_FORBIDDEN;
+    }
+    /* TODO: Further Verification. */
+    ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, 
+                 "GnuTLS: Verified Peer.");             
+    return OK;
+}

diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c new file mode 100644 index 0000000..5429d66 --- /dev/null +++ b/src/gnutls_hooks.c
@@ -0,0 +1,654 @@
	1	/**
	2	* Copyright 2004-2005 Paul Querna
	3	*
	4	* Licensed under the Apache License, Version 2.0 (the "License");
	5	* you may not use this file except in compliance with the License.
	6	* You may obtain a copy of the License at
	7	*
	8	* http://www.apache.org/licenses/LICENSE-2.0
	9	*
	10	* Unless required by applicable law or agreed to in writing, software
	11	* distributed under the License is distributed on an "AS IS" BASIS,
	12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	13	* See the License for the specific language governing permissions and
	14	* limitations under the License.
	15	*
	16	*/
	17
	18	#include "mod_gnutls.h"
	19	#include "http_vhost.h"
	20
	21	#if !USING_2_1_RECENT
	22	extern server_rec *ap_server_conf;
	23	#endif
	24
	25	#if APR_HAS_THREADS
	26	GCRY_THREAD_OPTION_PTHREAD_IMPL;
	27	#endif
	28
	29	#if MOD_GNUTLS_DEBUG
	30	static apr_file_t* debug_log_fp;
	31	#endif
	32
	33	static apr_status_t mgs_cleanup_pre_config(void *data)
	34	{
	35	gnutls_global_deinit();
	36	return APR_SUCCESS;
	37	}
	38
	39	#if MOD_GNUTLS_DEBUG
	40	static void gnutls_debug_log_all( int level, const char* str)
	41	{
	42	apr_file_printf(debug_log_fp, "<%d> %s\n", level, str);
	43	}
	44	#endif
	45
	46	int mgs_hook_pre_config(apr_pool_t * pconf,
	47	apr_pool_t * plog, apr_pool_t * ptemp)
	48	{
	49
	50	#if APR_HAS_THREADS
	51	/* TODO: Check MPM Type here */
	52	gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
	53	#endif
	54
	55	gnutls_global_init();
	56
	57	apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config,
	58	apr_pool_cleanup_null);
	59
	60	#if MOD_GNUTLS_DEBUG
	61	apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
	62	APR_APPEND\|APR_WRITE\|APR_CREATE, APR_OS_DEFAULT, pconf);
	63
	64	gnutls_global_set_log_level(9);
	65	gnutls_global_set_log_function(gnutls_debug_log_all);
	66	#endif
	67
	68	return OK;
	69	}
	70
	71
	72	static gnutls_datum load_params(const char* file, server_rec* s,
	73	apr_pool_t* pool)
	74	{
	75	gnutls_datum ret = { NULL, 0 };
	76	apr_file_t* fp;
	77	apr_finfo_t finfo;
	78	apr_status_t rv;
	79	apr_size_t br = 0;
	80
	81	rv = apr_file_open(&fp, file, APR_READ\|APR_BINARY, APR_OS_DEFAULT,
	82	pool);
	83	if (rv != APR_SUCCESS) {
	84	ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
	85	"GnuTLS failed to load params file at: %s", file);
	86	return ret;
	87	}
	88
	89	rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);
	90
	91	if (rv != APR_SUCCESS) {
	92	ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
	93	"GnuTLS failed to stat params file at: %s", file);
	94	return ret;
	95	}
	96
	97	ret.data = apr_palloc(pool, finfo.size+1);
	98	rv = apr_file_read_full(fp, ret.data, finfo.size, &br);
	99
	100	if (rv != APR_SUCCESS) {
	101	ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
	102	"GnuTLS failed to read params file at: %s", file);
	103	return ret;
	104	}
	105	apr_file_close(fp);
	106	ret.data[br] = '\0';
	107	ret.size = br;
	108
	109	return ret;
	110	}
	111
	112	int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
	113	apr_pool_t * ptemp,
	114	server_rec * base_server)
	115	{
	116	int rv;
	117	int data_len;
	118	server_rec *s;
	119	gnutls_dh_params_t dh_params;
	120	gnutls_rsa_params_t rsa_params;
	121	mgs_srvconf_rec *sc;
	122	mgs_srvconf_rec *sc_base;
	123	void *data = NULL;
	124	int first_run = 0;
	125	const char *userdata_key = "mgs_init";
	126
	127	apr_pool_userdata_get(&data, userdata_key, base_server->process->pool);
	128	if (data == NULL) {
	129	first_run = 1;
	130	apr_pool_userdata_set((const void *)1, userdata_key,
	131	apr_pool_cleanup_null,
	132	base_server->process->pool);
	133	}
	134
	135
	136	{
	137	gnutls_datum pdata;
	138	apr_pool_t* tpool;
	139	s = base_server;
	140	sc_base = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
	141	&gnutls_module);
	142
	143	apr_pool_create(&tpool, p);
	144
	145	gnutls_dh_params_init(&dh_params);
	146
	147	pdata = load_params(sc_base->dh_params_file, s, tpool);
	148
	149	if (pdata.size != 0) {
	150	rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
	151	GNUTLS_X509_FMT_PEM);
	152	if (rv != 0) {
	153	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	154	"GnuTLS: Unable to load DH Params: (%d) %s",
	155	rv, gnutls_strerror(rv));
	156	exit(rv);
	157	}
	158	}
	159	else {
	160	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	161	"GnuTLS: Unable to load DH Params."
	162	" Shutting Down.");
	163	exit(-1);
	164	}
	165	apr_pool_clear(tpool);
	166
	167	gnutls_rsa_params_init(&rsa_params);
	168
	169	pdata = load_params(sc_base->rsa_params_file, s, tpool);
	170
	171	if (pdata.size != 0) {
	172	rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata,
	173	GNUTLS_X509_FMT_PEM);
	174	if (rv != 0) {
	175	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	176	"GnuTLS: Unable to load RSA Params: (%d) %s",
	177	rv, gnutls_strerror(rv));
	178	exit(rv);
	179	}
	180	}
	181	else {
	182	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	183	"GnuTLS: Unable to load RSA Params."
	184	" Shutting Down.");
	185	exit(-1);
	186	}
	187
	188	apr_pool_destroy(tpool);
	189	rv = mgs_cache_post_config(p, s, sc_base);
	190	if (rv != 0) {
	191	ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
	192	"GnuTLS: Post Config for GnuTLSCache Failed."
	193	" Shutting Down.");
	194	exit(-1);
	195	}
	196
	197	for (s = base_server; s; s = s->next) {
	198	sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
	199	&gnutls_module);
	200	sc->cache_type = sc_base->cache_type;
	201	sc->cache_config = sc_base->cache_config;
	202
	203	gnutls_certificate_set_rsa_export_params(sc->certs,
	204	rsa_params);
	205	gnutls_certificate_set_dh_params(sc->certs, dh_params);
	206
	207	if (sc->cert_x509 == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
	208	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
	209	"[GnuTLS] - Host '%s:%d' is missing a "
	210	"Certificate File!",
	211	s->server_hostname, s->port);
	212	exit(-1);
	213	}
	214
	215	if (sc->privkey_x509 == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
	216	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
	217	"[GnuTLS] - Host '%s:%d' is missing a "
	218	"Private Key File!",
	219	s->server_hostname, s->port);
	220	exit(-1);
	221	}
	222
	223	rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509,
	224	GNUTLS_OID_X520_COMMON_NAME, 0, 0,
	225	NULL, &data_len);
	226
	227	if (data_len < 1) {
	228	sc->enabled = GNUTLS_ENABLED_FALSE;
	229	sc->cert_cn = NULL;
	230	continue;
	231	}
	232
	233	sc->cert_cn = apr_palloc(p, data_len);
	234	rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509,
	235	GNUTLS_OID_X520_COMMON_NAME, 0, 0,
	236	sc->cert_cn, &data_len);
	237	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
	238	s,
	239	"GnuTLS: sni-x509 cn: %s/%d pk: %s s: 0x%08X sc: 0x%08X", sc->cert_cn, rv,
	240	gnutls_pk_algorithm_get_name(gnutls_x509_privkey_get_pk_algorithm(sc->privkey_x509)),
	241	(unsigned int)s, (unsigned int)sc);
	242	}
	243	}
	244
	245	ap_add_version_component(p, "mod_gnutls/" MOD_GNUTLS_VERSION);
	246
	247	return OK;
	248	}
	249
	250	void mgs_hook_child_init(apr_pool_t p, server_rec s)
	251	{
	252	apr_status_t rv = APR_SUCCESS;
	253	mgs_srvconf_rec *sc = ap_get_module_config(s->module_config,
	254	&gnutls_module);
	255
	256	if (sc->cache_type != mgs_cache_none) {
	257	rv = mgs_cache_child_init(p, s, sc);
	258	if(rv != APR_SUCCESS) {
	259	ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
	260	"[GnuTLS] - Failed to run Cache Init");
	261	}
	262	}
	263	else {
	264	ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s,
	265	"[GnuTLS] - No Cache Configured. Hint: GnuTLSCache");
	266	}
	267	}
	268
	269	const char mgs_hook_http_scheme(const request_rec r)
	270	{
	271	mgs_srvconf_rec *sc =
	272	(mgs_srvconf_rec *) ap_get_module_config(r->server->
	273	module_config,
	274	&gnutls_module);
	275
	276	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
	277	return NULL;
	278	}
	279
	280	return "https";
	281	}
	282
	283	apr_port_t mgs_hook_default_port(const request_rec * r)
	284	{
	285	mgs_srvconf_rec *sc =
	286	(mgs_srvconf_rec *) ap_get_module_config(r->server->
	287	module_config,
	288	&gnutls_module);
	289
	290	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
	291	return 0;
	292	}
	293
	294	return 443;
	295	}
	296
	297	#define MAX_HOST_LEN 255
	298
	299	#if USING_2_1_RECENT
	300	typedef struct
	301	{
	302	mgs_handle_t *ctxt;
	303	gnutls_retr_st* ret;
	304	const char* sni_name;
	305	} vhost_cb_rec;
	306
	307	static int vhost_cb (void* baton, conn_rec* conn, server_rec* s)
	308	{
	309	mgs_srvconf_rec *tsc;
	310	vhost_cb_rec* x = baton;
	311
	312	tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
	313	&gnutls_module);
	314
	315	if (tsc->enabled != GNUTLS_ENABLED_TRUE \|\| tsc->cert_cn == NULL) {
	316	return 0;
	317	}
	318
	319	/* The CN can contain a * -- this will match those too. */
	320	if (ap_strcasecmp_match(x->sni_name, tsc->cert_cn) == 0) {
	321	/* found a match */
	322	x->ret->cert.x509 = &tsc->cert_x509;
	323	x->ret->key.x509 = tsc->privkey_x509;
	324	#if MOD_GNUTLS_DEBUG
	325	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
	326	x->ctxt->c->base_server,
	327	"GnuTLS: Virtual Host CB: "
	328	"'%s' == '%s'", tsc->cert_cn, x->sni_name);
	329	#endif
	330	/* Because we actually change the server used here, we need to reset
	331	* things like ClientVerify.
	332	*/
	333	x->ctxt->sc = tsc;
	334	/* Shit. Crap. Dammit. We really should rehandshake here, as our
	335	* certificate structure should change when the server changes.
	336	* acccckkkkkk.
	337	*/
	338	gnutls_certificate_server_set_request(x->ctxt->session, x->ctxt->sc->client_verify_mode);
	339	return 1;
	340	}
	341	return 0;
	342	}
	343	#endif
	344
	345	static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st* ret)
	346	{
	347	int rv;
	348	int sni_type;
	349	int data_len = MAX_HOST_LEN;
	350	char sni_name[MAX_HOST_LEN];
	351	mgs_handle_t *ctxt;
	352	#if USING_2_1_RECENT
	353	vhost_cb_rec cbx;
	354	#else
	355	server_rec* s;
	356	mgs_srvconf_rec *tsc;
	357	#endif
	358
	359	ctxt = gnutls_transport_get_ptr(session);
	360
	361	sni_type = gnutls_certificate_type_get(session);
	362	if (sni_type != GNUTLS_CRT_X509) {
	363	/* In theory, we could support OpenPGP Certificates. Theory != code. */
	364	ap_log_error(APLOG_MARK, APLOG_CRIT, 0,
	365	ctxt->c->base_server,
	366	"GnuTLS: Only x509 Certificates are currently supported.");
	367	return -1;
	368	}
	369
	370	ret->type = GNUTLS_CRT_X509;
	371	ret->ncerts = 1;
	372	ret->deinit_all = 0;
	373
	374	rv = gnutls_server_name_get(ctxt->session, sni_name,
	375	&data_len, &sni_type, 0);
	376
	377	if (rv != 0) {
	378	goto use_default_crt;
	379	}
	380
	381	if (sni_type != GNUTLS_NAME_DNS) {
	382	ap_log_error(APLOG_MARK, APLOG_CRIT, 0,
	383	ctxt->c->base_server,
	384	"GnuTLS: Unknown type '%d' for SNI: "
	385	"'%s'", sni_type, sni_name);
	386	goto use_default_crt;
	387	}
	388
	389	/**
	390	* Code in the Core already sets up the c->base_server as the base
	391	* for this IP/Port combo. Trust that the core did the 'right' thing.
	392	*/
	393	#if USING_2_1_RECENT
	394	cbx.ctxt = ctxt;
	395	cbx.ret = ret;
	396	cbx.sni_name = sni_name;
	397
	398	rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
	399	if (rv == 1) {
	400	return 0;
	401	}
	402	#else
	403	for (s = ap_server_conf; s; s = s->next) {
	404
	405	tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
	406	&gnutls_module);
	407	if (tsc->enabled != GNUTLS_ENABLED_TRUE) {
	408	continue;
	409	}
	410	#if MOD_GNUTLS_DEBUG
	411	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
	412	ctxt->c->base_server,
	413	"GnuTLS: sni-x509 cn: %s/%d pk: %s s: 0x%08X s->n: 0x%08X sc: 0x%08X", tsc->cert_cn, rv,
	414	gnutls_pk_algorithm_get_name(gnutls_x509_privkey_get_pk_algorithm(ctxt->sc->privkey_x509)),
	415	(unsigned int)s, (unsigned int)s->next, (unsigned int)tsc);
	416	#endif
	417	/* The CN can contain a * -- this will match those too. */
	418	if (ap_strcasecmp_match(sni_name, tsc->cert_cn) == 0) {
	419	/* found a match */
	420	ret->cert.x509 = &tsc->cert_x509;
	421	ret->key.x509 = tsc->privkey_x509;
	422	#if MOD_GNUTLS_DEBUG
	423	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
	424	ctxt->c->base_server,
	425	"GnuTLS: Virtual Host: "
	426	"'%s' == '%s'", tsc->cert_cn, sni_name);
	427	#endif
	428	ctxt->sc = tsc;
	429	gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode);
	430	return 0;
	431	}
	432	}
	433	#endif
	434
	435	/**
	436	* If the client does not support the Server Name Indication, give the default
	437	* certificate for this server.
	438	*/
	439	use_default_crt:
	440	ret->cert.x509 = &ctxt->sc->cert_x509;
	441	ret->key.x509 = ctxt->sc->privkey_x509;
	442	#if MOD_GNUTLS_DEBUG
	443	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
	444	ctxt->c->base_server,
	445	"GnuTLS: Using Default Certificate.");
	446	#endif
	447	return 0;
	448	}
	449
	450	static mgs_handle_t* create_gnutls_handle(apr_pool_t* pool, conn_rec * c)
	451	{
	452	mgs_handle_t *ctxt;
	453	mgs_srvconf_rec *sc =
	454	(mgs_srvconf_rec *) ap_get_module_config(c->base_server->
	455	module_config,
	456	&gnutls_module);
	457
	458	ctxt = apr_pcalloc(pool, sizeof(*ctxt));
	459	ctxt->c = c;
	460	ctxt->sc = sc;
	461	ctxt->status = 0;
	462
	463	ctxt->input_rc = APR_SUCCESS;
	464	ctxt->input_bb = apr_brigade_create(c->pool, c->bucket_alloc);
	465	ctxt->input_cbuf.length = 0;
	466
	467	ctxt->output_rc = APR_SUCCESS;
	468	ctxt->output_bb = apr_brigade_create(c->pool, c->bucket_alloc);
	469	ctxt->output_blen = 0;
	470	ctxt->output_length = 0;
	471
	472	gnutls_init(&ctxt->session, GNUTLS_SERVER);
	473
	474	gnutls_protocol_set_priority(ctxt->session, sc->protocol);
	475	gnutls_cipher_set_priority(ctxt->session, sc->ciphers);
	476	gnutls_compression_set_priority(ctxt->session, sc->compression);
	477	gnutls_kx_set_priority(ctxt->session, sc->key_exchange);
	478	gnutls_mac_set_priority(ctxt->session, sc->macs);
	479	gnutls_certificate_type_set_priority(ctxt->session, sc->cert_types);
	480
	481	mgs_cache_session_init(ctxt);
	482
	483	gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE, ctxt->sc->certs);
	484
	485	gnutls_certificate_server_set_retrieve_function(sc->certs, cert_retrieve_fn);
	486	gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode);
	487	return ctxt;
	488	}
	489
	490	int mgs_hook_pre_connection(conn_rec * c, void *csd)
	491	{
	492	mgs_handle_t *ctxt;
	493	mgs_srvconf_rec *sc =
	494	(mgs_srvconf_rec *) ap_get_module_config(c->base_server->
	495	module_config,
	496	&gnutls_module);
	497
	498	if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) {
	499	return DECLINED;
	500	}
	501
	502	ctxt = create_gnutls_handle(c->pool, c);
	503
	504	ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
	505
	506	gnutls_transport_set_pull_function(ctxt->session,
	507	mgs_transport_read);
	508	gnutls_transport_set_push_function(ctxt->session,
	509	mgs_transport_write);
	510	gnutls_transport_set_ptr(ctxt->session, ctxt);
	511
	512	ctxt->input_filter = ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, ctxt,
	513	NULL, c);
	514	ctxt->output_filter = ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, ctxt,
	515	NULL, c);
	516
	517	return OK;
	518	}
	519
	520	int mgs_hook_fixups(request_rec *r)
	521	{
	522	unsigned char sbuf[GNUTLS_MAX_SESSION_ID];
	523	char buf[GNUTLS_SESSION_ID_STRING_LEN];
	524	const char* tmp;
	525	int len;
	526	mgs_handle_t *ctxt;
	527	apr_table_t *env = r->subprocess_env;
	528
	529	ctxt = ap_get_module_config(r->connection->conn_config, &gnutls_module);
	530
	531	if(!ctxt) {
	532	return DECLINED;
	533	}
	534
	535	apr_table_setn(env, "HTTPS", "on");
	536
	537	apr_table_setn(env, "GNUTLS_VERSION_INTERFACE", MOD_GNUTLS_VERSION);
	538	apr_table_setn(env, "GNUTLS_VERSION_LIBRARY", LIBGNUTLS_VERSION);
	539
	540	apr_table_setn(env, "SSL_PROTOCOL",
	541	gnutls_protocol_get_name(gnutls_protocol_get_version(ctxt->session)));
	542
	543	apr_table_setn(env, "SSL_CIPHER",
	544	gnutls_cipher_get_name(gnutls_cipher_get(ctxt->session)));
	545
	546	apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE");
	547
	548	tmp = apr_psprintf(r->pool, "%d",
	549	8 * gnutls_cipher_get_key_size(gnutls_cipher_get(ctxt->session)));
	550
	551	apr_table_setn(env, "SSL_CIPHER_USEKEYSIZE", tmp);
	552
	553	apr_table_setn(env, "SSL_CIPHER_ALGKEYSIZE", tmp);
	554
	555	len = sizeof(sbuf);
	556	gnutls_session_get_id(ctxt->session, sbuf, &len);
	557	tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf));
	558	apr_table_setn(env, "SSL_SESSION_ID", tmp);
	559
	560	return OK;
	561	}
	562
	563	int mgs_hook_authz(request_rec *r)
	564	{
	565	int rv;
	566	int status;
	567	mgs_handle_t *ctxt;
	568	mgs_dirconf_rec *dc = ap_get_module_config(r->per_dir_config,
	569	&gnutls_module);
	570
	571	ctxt = ap_get_module_config(r->connection->conn_config, &gnutls_module);
	572
	573	if (!ctxt) {
	574	return DECLINED;
	575	}
	576
	577	if (!dc) {
	578	dc = mgs_config_dir_create(r->pool, NULL);
	579	}
	580
	581	if (dc->client_verify_mode == GNUTLS_CERT_IGNORE) {
	582	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	583	"GnuTLS: Directory set to Ignore Client Certificate!");
	584	return DECLINED;
	585	}
	586
	587	if (ctxt->sc->client_verify_mode < dc->client_verify_mode) {
	588	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
	589	"GnuTLS: Attempting to rehandshake with peer. %d %d",
	590	ctxt->sc->client_verify_mode, dc->client_verify_mode);
	591
	592	gnutls_certificate_server_set_request(ctxt->session,
	593	dc->client_verify_mode);
	594
	595	if (mgs_rehandshake(ctxt) != 0) {
	596	return HTTP_FORBIDDEN;
	597	}
	598	}
	599	else if (ctxt->sc->client_verify_mode == GNUTLS_CERT_IGNORE) {
	600	#if MOD_GNUTLS_DEBUG
	601	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	602	"GnuTLS: Peer is set to IGNORE");
	603	#endif
	604	return DECLINED;
	605	}
	606
	607	rv = gnutls_certificate_verify_peers2(ctxt->session, &status);
	608
	609	if (rv < 0) {
	610	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	611	"GnuTLS: Failed to Verify Peer: (%d) %s",
	612	rv, gnutls_strerror(rv));
	613	return HTTP_FORBIDDEN;
	614	}
	615
	616	if (status < 0) {
	617	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	618	"GnuTLS: Peer Status is invalid.");
	619	return HTTP_FORBIDDEN;
	620	}
	621
	622	if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
	623	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	624	"GnuTLS: Could not find Signer for Peer Certificate");
	625	}
	626
	627	if (status & GNUTLS_CERT_SIGNER_NOT_CA) {
	628	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	629	"GnuTLS: Could not find CA for Peer Certificate");
	630	}
	631
	632	if (status & GNUTLS_CERT_INVALID) {
	633	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	634	"GnuTLS: Peer Certificate is invalid.");
	635	return HTTP_FORBIDDEN;
	636	}
	637	else if (status & GNUTLS_CERT_REVOKED) {
	638	ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	639	"GnuTLS: Peer Certificate is revoked.");
	640	return HTTP_FORBIDDEN;
	641	}
	642
	643	/* TODO: OpenPGP Certificates */
	644	if (gnutls_certificate_type_get(ctxt->session) != GNUTLS_CRT_X509) {
	645	ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
	646	"GnuTLS: Only x509 is supported for client certificates");
	647	return HTTP_FORBIDDEN;
	648	}
	649	/* TODO: Further Verification. */
	650	ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
	651	"GnuTLS: Verified Peer.");
	652	return OK;
	653	}
	654