aboutsummaryrefslogtreecommitdiffstats
path: root/src/gnutls_hooks.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/gnutls_hooks.c')
-rw-r--r--src/gnutls_hooks.c654
1 files changed, 654 insertions, 0 deletions
diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
new file mode 100644
index 0000000..5429d66
--- /dev/null
+++ b/src/gnutls_hooks.c
@@ -0,0 +1,654 @@
1/**
2 * Copyright 2004-2005 Paul Querna
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 */
17
18#include "mod_gnutls.h"
19#include "http_vhost.h"
20
21#if !USING_2_1_RECENT
22extern server_rec *ap_server_conf;
23#endif
24
25#if APR_HAS_THREADS
26GCRY_THREAD_OPTION_PTHREAD_IMPL;
27#endif
28
29#if MOD_GNUTLS_DEBUG
30static apr_file_t* debug_log_fp;
31#endif
32
33static apr_status_t mgs_cleanup_pre_config(void *data)
34{
35 gnutls_global_deinit();
36 return APR_SUCCESS;
37}
38
39#if MOD_GNUTLS_DEBUG
40static void gnutls_debug_log_all( int level, const char* str)
41{
42 apr_file_printf(debug_log_fp, "<%d> %s\n", level, str);
43}
44#endif
45
46int mgs_hook_pre_config(apr_pool_t * pconf,
47 apr_pool_t * plog, apr_pool_t * ptemp)
48{
49
50#if APR_HAS_THREADS
51 /* TODO: Check MPM Type here */
52 gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
53#endif
54
55 gnutls_global_init();
56
57 apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config,
58 apr_pool_cleanup_null);
59
60#if MOD_GNUTLS_DEBUG
61 apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
62 APR_APPEND|APR_WRITE|APR_CREATE, APR_OS_DEFAULT, pconf);
63
64 gnutls_global_set_log_level(9);
65 gnutls_global_set_log_function(gnutls_debug_log_all);
66#endif
67
68 return OK;
69}
70
71
72static gnutls_datum load_params(const char* file, server_rec* s,
73 apr_pool_t* pool)
74{
75 gnutls_datum ret = { NULL, 0 };
76 apr_file_t* fp;
77 apr_finfo_t finfo;
78 apr_status_t rv;
79 apr_size_t br = 0;
80
81 rv = apr_file_open(&fp, file, APR_READ|APR_BINARY, APR_OS_DEFAULT,
82 pool);
83 if (rv != APR_SUCCESS) {
84 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
85 "GnuTLS failed to load params file at: %s", file);
86 return ret;
87 }
88
89 rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);
90
91 if (rv != APR_SUCCESS) {
92 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
93 "GnuTLS failed to stat params file at: %s", file);
94 return ret;
95 }
96
97 ret.data = apr_palloc(pool, finfo.size+1);
98 rv = apr_file_read_full(fp, ret.data, finfo.size, &br);
99
100 if (rv != APR_SUCCESS) {
101 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
102 "GnuTLS failed to read params file at: %s", file);
103 return ret;
104 }
105 apr_file_close(fp);
106 ret.data[br] = '\0';
107 ret.size = br;
108
109 return ret;
110}
111
112int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
113 apr_pool_t * ptemp,
114 server_rec * base_server)
115{
116 int rv;
117 int data_len;
118 server_rec *s;
119 gnutls_dh_params_t dh_params;
120 gnutls_rsa_params_t rsa_params;
121 mgs_srvconf_rec *sc;
122 mgs_srvconf_rec *sc_base;
123 void *data = NULL;
124 int first_run = 0;
125 const char *userdata_key = "mgs_init";
126
127 apr_pool_userdata_get(&data, userdata_key, base_server->process->pool);
128 if (data == NULL) {
129 first_run = 1;
130 apr_pool_userdata_set((const void *)1, userdata_key,
131 apr_pool_cleanup_null,
132 base_server->process->pool);
133 }
134
135
136 {
137 gnutls_datum pdata;
138 apr_pool_t* tpool;
139 s = base_server;
140 sc_base = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
141 &gnutls_module);
142
143 apr_pool_create(&tpool, p);
144
145 gnutls_dh_params_init(&dh_params);
146
147 pdata = load_params(sc_base->dh_params_file, s, tpool);
148
149 if (pdata.size != 0) {
150 rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
151 GNUTLS_X509_FMT_PEM);
152 if (rv != 0) {
153 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
154 "GnuTLS: Unable to load DH Params: (%d) %s",
155 rv, gnutls_strerror(rv));
156 exit(rv);
157 }
158 }
159 else {
160 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
161 "GnuTLS: Unable to load DH Params."
162 " Shutting Down.");
163 exit(-1);
164 }
165 apr_pool_clear(tpool);
166
167 gnutls_rsa_params_init(&rsa_params);
168
169 pdata = load_params(sc_base->rsa_params_file, s, tpool);
170
171 if (pdata.size != 0) {
172 rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata,
173 GNUTLS_X509_FMT_PEM);
174 if (rv != 0) {
175 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
176 "GnuTLS: Unable to load RSA Params: (%d) %s",
177 rv, gnutls_strerror(rv));
178 exit(rv);
179 }
180 }
181 else {
182 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
183 "GnuTLS: Unable to load RSA Params."
184 " Shutting Down.");
185 exit(-1);
186 }
187
188 apr_pool_destroy(tpool);
189 rv = mgs_cache_post_config(p, s, sc_base);
190 if (rv != 0) {
191 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
192 "GnuTLS: Post Config for GnuTLSCache Failed."
193 " Shutting Down.");
194 exit(-1);
195 }
196
197 for (s = base_server; s; s = s->next) {
198 sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
199 &gnutls_module);
200 sc->cache_type = sc_base->cache_type;
201 sc->cache_config = sc_base->cache_config;
202
203 gnutls_certificate_set_rsa_export_params(sc->certs,
204 rsa_params);
205 gnutls_certificate_set_dh_params(sc->certs, dh_params);
206
207 if (sc->cert_x509 == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
208 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
209 "[GnuTLS] - Host '%s:%d' is missing a "
210 "Certificate File!",
211 s->server_hostname, s->port);
212 exit(-1);
213 }
214
215 if (sc->privkey_x509 == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
216 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
217 "[GnuTLS] - Host '%s:%d' is missing a "
218 "Private Key File!",
219 s->server_hostname, s->port);
220 exit(-1);
221 }
222
223 rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509,
224 GNUTLS_OID_X520_COMMON_NAME, 0, 0,
225 NULL, &data_len);
226
227 if (data_len < 1) {
228 sc->enabled = GNUTLS_ENABLED_FALSE;
229 sc->cert_cn = NULL;
230 continue;
231 }
232
233 sc->cert_cn = apr_palloc(p, data_len);
234 rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509,
235 GNUTLS_OID_X520_COMMON_NAME, 0, 0,
236 sc->cert_cn, &data_len);
237 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
238 s,
239 "GnuTLS: sni-x509 cn: %s/%d pk: %s s: 0x%08X sc: 0x%08X", sc->cert_cn, rv,
240 gnutls_pk_algorithm_get_name(gnutls_x509_privkey_get_pk_algorithm(sc->privkey_x509)),
241 (unsigned int)s, (unsigned int)sc);
242 }
243 }
244
245 ap_add_version_component(p, "mod_gnutls/" MOD_GNUTLS_VERSION);
246
247 return OK;
248}
249
250void mgs_hook_child_init(apr_pool_t *p, server_rec *s)
251{
252 apr_status_t rv = APR_SUCCESS;
253 mgs_srvconf_rec *sc = ap_get_module_config(s->module_config,
254 &gnutls_module);
255
256 if (sc->cache_type != mgs_cache_none) {
257 rv = mgs_cache_child_init(p, s, sc);
258 if(rv != APR_SUCCESS) {
259 ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
260 "[GnuTLS] - Failed to run Cache Init");
261 }
262 }
263 else {
264 ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s,
265 "[GnuTLS] - No Cache Configured. Hint: GnuTLSCache");
266 }
267}
268
269const char *mgs_hook_http_scheme(const request_rec * r)
270{
271 mgs_srvconf_rec *sc =
272 (mgs_srvconf_rec *) ap_get_module_config(r->server->
273 module_config,
274 &gnutls_module);
275
276 if (sc->enabled == GNUTLS_ENABLED_FALSE) {
277 return NULL;
278 }
279
280 return "https";
281}
282
283apr_port_t mgs_hook_default_port(const request_rec * r)
284{
285 mgs_srvconf_rec *sc =
286 (mgs_srvconf_rec *) ap_get_module_config(r->server->
287 module_config,
288 &gnutls_module);
289
290 if (sc->enabled == GNUTLS_ENABLED_FALSE) {
291 return 0;
292 }
293
294 return 443;
295}
296
297#define MAX_HOST_LEN 255
298
299#if USING_2_1_RECENT
300typedef struct
301{
302 mgs_handle_t *ctxt;
303 gnutls_retr_st* ret;
304 const char* sni_name;
305} vhost_cb_rec;
306
307static int vhost_cb (void* baton, conn_rec* conn, server_rec* s)
308{
309 mgs_srvconf_rec *tsc;
310 vhost_cb_rec* x = baton;
311
312 tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
313 &gnutls_module);
314
315 if (tsc->enabled != GNUTLS_ENABLED_TRUE || tsc->cert_cn == NULL) {
316 return 0;
317 }
318
319 /* The CN can contain a * -- this will match those too. */
320 if (ap_strcasecmp_match(x->sni_name, tsc->cert_cn) == 0) {
321 /* found a match */
322 x->ret->cert.x509 = &tsc->cert_x509;
323 x->ret->key.x509 = tsc->privkey_x509;
324#if MOD_GNUTLS_DEBUG
325 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
326 x->ctxt->c->base_server,
327 "GnuTLS: Virtual Host CB: "
328 "'%s' == '%s'", tsc->cert_cn, x->sni_name);
329#endif
330 /* Because we actually change the server used here, we need to reset
331 * things like ClientVerify.
332 */
333 x->ctxt->sc = tsc;
334 /* Shit. Crap. Dammit. We *really* should rehandshake here, as our
335 * certificate structure *should* change when the server changes.
336 * acccckkkkkk.
337 */
338 gnutls_certificate_server_set_request(x->ctxt->session, x->ctxt->sc->client_verify_mode);
339 return 1;
340 }
341 return 0;
342}
343#endif
344
345static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st* ret)
346{
347 int rv;
348 int sni_type;
349 int data_len = MAX_HOST_LEN;
350 char sni_name[MAX_HOST_LEN];
351 mgs_handle_t *ctxt;
352#if USING_2_1_RECENT
353 vhost_cb_rec cbx;
354#else
355 server_rec* s;
356 mgs_srvconf_rec *tsc;
357#endif
358
359 ctxt = gnutls_transport_get_ptr(session);
360
361 sni_type = gnutls_certificate_type_get(session);
362 if (sni_type != GNUTLS_CRT_X509) {
363 /* In theory, we could support OpenPGP Certificates. Theory != code. */
364 ap_log_error(APLOG_MARK, APLOG_CRIT, 0,
365 ctxt->c->base_server,
366 "GnuTLS: Only x509 Certificates are currently supported.");
367 return -1;
368 }
369
370 ret->type = GNUTLS_CRT_X509;
371 ret->ncerts = 1;
372 ret->deinit_all = 0;
373
374 rv = gnutls_server_name_get(ctxt->session, sni_name,
375 &data_len, &sni_type, 0);
376
377 if (rv != 0) {
378 goto use_default_crt;
379 }
380
381 if (sni_type != GNUTLS_NAME_DNS) {
382 ap_log_error(APLOG_MARK, APLOG_CRIT, 0,
383 ctxt->c->base_server,
384 "GnuTLS: Unknown type '%d' for SNI: "
385 "'%s'", sni_type, sni_name);
386 goto use_default_crt;
387 }
388
389 /**
390 * Code in the Core already sets up the c->base_server as the base
391 * for this IP/Port combo. Trust that the core did the 'right' thing.
392 */
393#if USING_2_1_RECENT
394 cbx.ctxt = ctxt;
395 cbx.ret = ret;
396 cbx.sni_name = sni_name;
397
398 rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
399 if (rv == 1) {
400 return 0;
401 }
402#else
403 for (s = ap_server_conf; s; s = s->next) {
404
405 tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
406 &gnutls_module);
407 if (tsc->enabled != GNUTLS_ENABLED_TRUE) {
408 continue;
409 }
410#if MOD_GNUTLS_DEBUG
411 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
412 ctxt->c->base_server,
413 "GnuTLS: sni-x509 cn: %s/%d pk: %s s: 0x%08X s->n: 0x%08X sc: 0x%08X", tsc->cert_cn, rv,
414 gnutls_pk_algorithm_get_name(gnutls_x509_privkey_get_pk_algorithm(ctxt->sc->privkey_x509)),
415 (unsigned int)s, (unsigned int)s->next, (unsigned int)tsc);
416#endif
417 /* The CN can contain a * -- this will match those too. */
418 if (ap_strcasecmp_match(sni_name, tsc->cert_cn) == 0) {
419 /* found a match */
420 ret->cert.x509 = &tsc->cert_x509;
421 ret->key.x509 = tsc->privkey_x509;
422#if MOD_GNUTLS_DEBUG
423 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
424 ctxt->c->base_server,
425 "GnuTLS: Virtual Host: "
426 "'%s' == '%s'", tsc->cert_cn, sni_name);
427#endif
428 ctxt->sc = tsc;
429 gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode);
430 return 0;
431 }
432 }
433#endif
434
435 /**
436 * If the client does not support the Server Name Indication, give the default
437 * certificate for this server.
438 */
439use_default_crt:
440 ret->cert.x509 = &ctxt->sc->cert_x509;
441 ret->key.x509 = ctxt->sc->privkey_x509;
442#if MOD_GNUTLS_DEBUG
443 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
444 ctxt->c->base_server,
445 "GnuTLS: Using Default Certificate.");
446#endif
447 return 0;
448}
449
450static mgs_handle_t* create_gnutls_handle(apr_pool_t* pool, conn_rec * c)
451{
452 mgs_handle_t *ctxt;
453 mgs_srvconf_rec *sc =
454 (mgs_srvconf_rec *) ap_get_module_config(c->base_server->
455 module_config,
456 &gnutls_module);
457
458 ctxt = apr_pcalloc(pool, sizeof(*ctxt));
459 ctxt->c = c;
460 ctxt->sc = sc;
461 ctxt->status = 0;
462
463 ctxt->input_rc = APR_SUCCESS;
464 ctxt->input_bb = apr_brigade_create(c->pool, c->bucket_alloc);
465 ctxt->input_cbuf.length = 0;
466
467 ctxt->output_rc = APR_SUCCESS;
468 ctxt->output_bb = apr_brigade_create(c->pool, c->bucket_alloc);
469 ctxt->output_blen = 0;
470 ctxt->output_length = 0;
471
472 gnutls_init(&ctxt->session, GNUTLS_SERVER);
473
474 gnutls_protocol_set_priority(ctxt->session, sc->protocol);
475 gnutls_cipher_set_priority(ctxt->session, sc->ciphers);
476 gnutls_compression_set_priority(ctxt->session, sc->compression);
477 gnutls_kx_set_priority(ctxt->session, sc->key_exchange);
478 gnutls_mac_set_priority(ctxt->session, sc->macs);
479 gnutls_certificate_type_set_priority(ctxt->session, sc->cert_types);
480
481 mgs_cache_session_init(ctxt);
482
483 gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE, ctxt->sc->certs);
484
485 gnutls_certificate_server_set_retrieve_function(sc->certs, cert_retrieve_fn);
486 gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode);
487 return ctxt;
488}
489
490int mgs_hook_pre_connection(conn_rec * c, void *csd)
491{
492 mgs_handle_t *ctxt;
493 mgs_srvconf_rec *sc =
494 (mgs_srvconf_rec *) ap_get_module_config(c->base_server->
495 module_config,
496 &gnutls_module);
497
498 if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) {
499 return DECLINED;
500 }
501
502 ctxt = create_gnutls_handle(c->pool, c);
503
504 ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
505
506 gnutls_transport_set_pull_function(ctxt->session,
507 mgs_transport_read);
508 gnutls_transport_set_push_function(ctxt->session,
509 mgs_transport_write);
510 gnutls_transport_set_ptr(ctxt->session, ctxt);
511
512 ctxt->input_filter = ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, ctxt,
513 NULL, c);
514 ctxt->output_filter = ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, ctxt,
515 NULL, c);
516
517 return OK;
518}
519
520int mgs_hook_fixups(request_rec *r)
521{
522 unsigned char sbuf[GNUTLS_MAX_SESSION_ID];
523 char buf[GNUTLS_SESSION_ID_STRING_LEN];
524 const char* tmp;
525 int len;
526 mgs_handle_t *ctxt;
527 apr_table_t *env = r->subprocess_env;
528
529 ctxt = ap_get_module_config(r->connection->conn_config, &gnutls_module);
530
531 if(!ctxt) {
532 return DECLINED;
533 }
534
535 apr_table_setn(env, "HTTPS", "on");
536
537 apr_table_setn(env, "GNUTLS_VERSION_INTERFACE", MOD_GNUTLS_VERSION);
538 apr_table_setn(env, "GNUTLS_VERSION_LIBRARY", LIBGNUTLS_VERSION);
539
540 apr_table_setn(env, "SSL_PROTOCOL",
541 gnutls_protocol_get_name(gnutls_protocol_get_version(ctxt->session)));
542
543 apr_table_setn(env, "SSL_CIPHER",
544 gnutls_cipher_get_name(gnutls_cipher_get(ctxt->session)));
545
546 apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE");
547
548 tmp = apr_psprintf(r->pool, "%d",
549 8 * gnutls_cipher_get_key_size(gnutls_cipher_get(ctxt->session)));
550
551 apr_table_setn(env, "SSL_CIPHER_USEKEYSIZE", tmp);
552
553 apr_table_setn(env, "SSL_CIPHER_ALGKEYSIZE", tmp);
554
555 len = sizeof(sbuf);
556 gnutls_session_get_id(ctxt->session, sbuf, &len);
557 tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf));
558 apr_table_setn(env, "SSL_SESSION_ID", tmp);
559
560 return OK;
561}
562
563int mgs_hook_authz(request_rec *r)
564{
565 int rv;
566 int status;
567 mgs_handle_t *ctxt;
568 mgs_dirconf_rec *dc = ap_get_module_config(r->per_dir_config,
569 &gnutls_module);
570
571 ctxt = ap_get_module_config(r->connection->conn_config, &gnutls_module);
572
573 if (!ctxt) {
574 return DECLINED;
575 }
576
577 if (!dc) {
578 dc = mgs_config_dir_create(r->pool, NULL);
579 }
580
581 if (dc->client_verify_mode == GNUTLS_CERT_IGNORE) {
582 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
583 "GnuTLS: Directory set to Ignore Client Certificate!");
584 return DECLINED;
585 }
586
587 if (ctxt->sc->client_verify_mode < dc->client_verify_mode) {
588 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
589 "GnuTLS: Attempting to rehandshake with peer. %d %d",
590 ctxt->sc->client_verify_mode, dc->client_verify_mode);
591
592 gnutls_certificate_server_set_request(ctxt->session,
593 dc->client_verify_mode);
594
595 if (mgs_rehandshake(ctxt) != 0) {
596 return HTTP_FORBIDDEN;
597 }
598 }
599 else if (ctxt->sc->client_verify_mode == GNUTLS_CERT_IGNORE) {
600#if MOD_GNUTLS_DEBUG
601 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
602 "GnuTLS: Peer is set to IGNORE");
603#endif
604 return DECLINED;
605 }
606
607 rv = gnutls_certificate_verify_peers2(ctxt->session, &status);
608
609 if (rv < 0) {
610 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
611 "GnuTLS: Failed to Verify Peer: (%d) %s",
612 rv, gnutls_strerror(rv));
613 return HTTP_FORBIDDEN;
614 }
615
616 if (status < 0) {
617 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
618 "GnuTLS: Peer Status is invalid.");
619 return HTTP_FORBIDDEN;
620 }
621
622 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
623 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
624 "GnuTLS: Could not find Signer for Peer Certificate");
625 }
626
627 if (status & GNUTLS_CERT_SIGNER_NOT_CA) {
628 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
629 "GnuTLS: Could not find CA for Peer Certificate");
630 }
631
632 if (status & GNUTLS_CERT_INVALID) {
633 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
634 "GnuTLS: Peer Certificate is invalid.");
635 return HTTP_FORBIDDEN;
636 }
637 else if (status & GNUTLS_CERT_REVOKED) {
638 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
639 "GnuTLS: Peer Certificate is revoked.");
640 return HTTP_FORBIDDEN;
641 }
642
643 /* TODO: OpenPGP Certificates */
644 if (gnutls_certificate_type_get(ctxt->session) != GNUTLS_CRT_X509) {
645 ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
646 "GnuTLS: Only x509 is supported for client certificates");
647 return HTTP_FORBIDDEN;
648 }
649 /* TODO: Further Verification. */
650 ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
651 "GnuTLS: Verified Peer.");
652 return OK;
653}
654