aboutsummaryrefslogtreecommitdiffstats
path: root/src/gnutls_hooks.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/gnutls_hooks.c')
-rw-r--r--src/gnutls_hooks.c53
1 files changed, 29 insertions, 24 deletions
diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index 6223d89..70254bb 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -71,14 +71,20 @@ int ret;
71 mpm_is_threaded = 0; 71 mpm_is_threaded = 0;
72#endif 72#endif
73 73
74 if (gnutls_check_version(LIBGNUTLS_VERSION)==NULL) {
75 fprintf(stderr, "gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n",
76 LIBGNUTLS_VERSION, gnutls_check_version(NULL));
77 return -3;
78 }
79
74 ret = gnutls_global_init(); 80 ret = gnutls_global_init();
75 if (ret < 0) /* FIXME: can we print here? */ { 81 if (ret < 0) {
76 fprintf(stderr, "gnutls_global_init: %s\n", gnutls_strerror(ret)); 82 fprintf(stderr, "gnutls_global_init: %s\n", gnutls_strerror(ret));
77 return -3; 83 return -3;
78 } 84 }
79 85
80 ret = gnutls_global_init_extra(); 86 ret = gnutls_global_init_extra();
81 if (ret < 0) { /* FIXME: can we print here? */ 87 if (ret < 0) {
82 fprintf(stderr, "gnutls_global_init_extra: %s\n", gnutls_strerror(ret)); 88 fprintf(stderr, "gnutls_global_init_extra: %s\n", gnutls_strerror(ret));
83 return -3; 89 return -3;
84 } 90 }
@@ -93,6 +99,7 @@ int ret;
93 99
94 gnutls_global_set_log_level(9); 100 gnutls_global_set_log_level(9);
95 gnutls_global_set_log_function(gnutls_debug_log_all); 101 gnutls_global_set_log_function(gnutls_debug_log_all);
102 apr_file_printf(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL));
96#endif 103#endif
97 104
98 return OK; 105 return OK;
@@ -103,7 +110,7 @@ static int mgs_select_virtual_server_cb(gnutls_session_t session)
103 mgs_handle_t *ctxt; 110 mgs_handle_t *ctxt;
104 mgs_srvconf_rec *tsc; 111 mgs_srvconf_rec *tsc;
105 int ret; 112 int ret;
106 int cprio[3] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 }; 113 int cprio[2];
107 114
108 ctxt = gnutls_transport_get_ptr(session); 115 ctxt = gnutls_transport_get_ptr(session);
109 116
@@ -135,24 +142,23 @@ static int mgs_select_virtual_server_cb(gnutls_session_t session)
135 * negotiation. 142 * negotiation.
136 */ 143 */
137 ret = gnutls_priority_set(session, ctxt->sc->priorities); 144 ret = gnutls_priority_set(session, ctxt->sc->priorities);
145 /* actually it shouldn't fail since we have checked at startup */
146 if (ret < 0)
147 return ret;
138 148
139 /* Do not allow the user to override certificate priorities. We know 149 /* If both certificate types are not present disallow them from
140 * better if the certificate of certain type is enabled. */ 150 * being negotiated.
141 if (ctxt->sc->cert_pgp != NULL && ctxt->sc->certs_x509[0] != NULL) { 151 */
142 gnutls_certificate_type_set_priority( session, cprio); 152 if (ctxt->sc->certs_x509[0] != NULL && ctxt->sc->cert_pgp == NULL) {
143 } else if (ctxt->sc->certs_x509[0] != NULL) {
144 cprio[0] = GNUTLS_CRT_X509; 153 cprio[0] = GNUTLS_CRT_X509;
145 cprio[1] = 0; 154 cprio[1] = 0;
146 gnutls_certificate_type_set_priority( session, cprio); 155 gnutls_certificate_type_set_priority( session, cprio);
147 } else if (ctxt->sc->cert_pgp != NULL) { 156 } else if (ctxt->sc->cert_pgp != NULL && ctxt->sc->certs_x509[0]==NULL) {
148 cprio[0] = GNUTLS_CRT_OPENPGP; 157 cprio[0] = GNUTLS_CRT_OPENPGP;
149 cprio[1] = 0; 158 cprio[1] = 0;
150 gnutls_certificate_type_set_priority( session, cprio); 159 gnutls_certificate_type_set_priority( session, cprio);
151 } 160 }
152 161
153 /* actually it shouldn't fail since we have checked at startup */
154 if (ret < 0)
155 return ret;
156 162
157 163
158 return 0; 164 return 0;
@@ -188,6 +194,7 @@ static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st * ret)
188 return GNUTLS_E_INTERNAL_ERROR; 194 return GNUTLS_E_INTERNAL_ERROR;
189} 195}
190 196
197/* 2048-bit group parameters from SRP specification */
191const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n" 198const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
192 "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n" 199 "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
193 "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n" 200 "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
@@ -411,7 +418,7 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
411 418
412 if (sc->enabled == GNUTLS_ENABLED_TRUE) { 419 if (sc->enabled == GNUTLS_ENABLED_TRUE) {
413 rv = read_crt_cn(s, p, sc->certs_x509[0], &sc->cert_cn); 420 rv = read_crt_cn(s, p, sc->certs_x509[0], &sc->cert_cn);
414 if (rv < 0) /* try openpgp certificate */ 421 if (rv < 0 && sc->cert_pgp != NULL) /* try openpgp certificate */
415 rv = read_pgpcrt_cn(s, p, sc->cert_pgp, &sc->cert_cn); 422 rv = read_pgpcrt_cn(s, p, sc->cert_pgp, &sc->cert_cn);
416 423
417 if (rv < 0) { 424 if (rv < 0) {
@@ -977,7 +984,7 @@ mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side
977 984
978} 985}
979 986
980/* FIXME: Allow client sending a certificate chain */ 987/* TODO: Allow client sending a X.509 certificate chain */
981static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) 988static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
982{ 989{
983 const gnutls_datum_t *cert_list; 990 const gnutls_datum_t *cert_list;
@@ -1046,15 +1053,22 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
1046 0, &status); 1053 0, &status);
1047 } 1054 }
1048 1055
1049
1050 if (rv < 0) { 1056 if (rv < 0) {
1051 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1057 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1052 "GnuTLS: Failed to Verify Peer certificate: (%d) %s", 1058 "GnuTLS: Failed to Verify Peer certificate: (%d) %s",
1053 rv, gnutls_strerror(rv)); 1059 rv, gnutls_strerror(rv));
1060 if (rv == GNUTLS_E_NO_CERTIFICATE_FOUND)
1061 ap_log_rerror(APLOG_MARK, APLOG_EMERG, 0, r,
1062 "GnuTLS: No certificate was found for verification. Did you set the GnuTLSX509CAFile or GnuTLSPGPKeyringFile directives?");
1054 ret = HTTP_FORBIDDEN; 1063 ret = HTTP_FORBIDDEN;
1055 goto exit; 1064 goto exit;
1056 } 1065 }
1057 1066
1067 /* TODO: X509 CRL Verification. */
1068 /* May add later if anyone needs it.
1069 */
1070 /* ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); */
1071
1058 expired = 0; 1072 expired = 0;
1059 cur_time = apr_time_now(); 1073 cur_time = apr_time_now();
1060 if (activation_time > cur_time) { 1074 if (activation_time > cur_time) {
@@ -1089,15 +1103,6 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
1089 "GnuTLS: Peer Certificate is revoked."); 1103 "GnuTLS: Peer Certificate is revoked.");
1090 } 1104 }
1091 1105
1092 /* TODO: Further Verification. */
1093 /* Revocation is X.509 non workable paradigm, I really doubt implementation
1094 * is worth doing --nmav
1095 */
1096/// ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size);
1097
1098// mgs_hook_fixups(r);
1099// rv = mgs_authz_lua(r);
1100
1101 if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) 1106 if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509)
1102 mgs_add_common_cert_vars(r, cert.x509, 1, 1107 mgs_add_common_cert_vars(r, cert.x509, 1,
1103 ctxt->sc->export_certificates_enabled); 1108 ctxt->sc->export_certificates_enabled);