diff options
Diffstat (limited to 'src/gnutls_hooks.c')
-rw-r--r-- | src/gnutls_hooks.c | 654 |
1 files changed, 654 insertions, 0 deletions
diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c new file mode 100644 index 0000000..5429d66 --- /dev/null +++ b/src/gnutls_hooks.c | |||
@@ -0,0 +1,654 @@ | |||
1 | /** | ||
2 | * Copyright 2004-2005 Paul Querna | ||
3 | * | ||
4 | * Licensed under the Apache License, Version 2.0 (the "License"); | ||
5 | * you may not use this file except in compliance with the License. | ||
6 | * You may obtain a copy of the License at | ||
7 | * | ||
8 | * http://www.apache.org/licenses/LICENSE-2.0 | ||
9 | * | ||
10 | * Unless required by applicable law or agreed to in writing, software | ||
11 | * distributed under the License is distributed on an "AS IS" BASIS, | ||
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
13 | * See the License for the specific language governing permissions and | ||
14 | * limitations under the License. | ||
15 | * | ||
16 | */ | ||
17 | |||
18 | #include "mod_gnutls.h" | ||
19 | #include "http_vhost.h" | ||
20 | |||
21 | #if !USING_2_1_RECENT | ||
22 | extern server_rec *ap_server_conf; | ||
23 | #endif | ||
24 | |||
25 | #if APR_HAS_THREADS | ||
26 | GCRY_THREAD_OPTION_PTHREAD_IMPL; | ||
27 | #endif | ||
28 | |||
29 | #if MOD_GNUTLS_DEBUG | ||
30 | static apr_file_t* debug_log_fp; | ||
31 | #endif | ||
32 | |||
33 | static apr_status_t mgs_cleanup_pre_config(void *data) | ||
34 | { | ||
35 | gnutls_global_deinit(); | ||
36 | return APR_SUCCESS; | ||
37 | } | ||
38 | |||
39 | #if MOD_GNUTLS_DEBUG | ||
40 | static void gnutls_debug_log_all( int level, const char* str) | ||
41 | { | ||
42 | apr_file_printf(debug_log_fp, "<%d> %s\n", level, str); | ||
43 | } | ||
44 | #endif | ||
45 | |||
46 | int mgs_hook_pre_config(apr_pool_t * pconf, | ||
47 | apr_pool_t * plog, apr_pool_t * ptemp) | ||
48 | { | ||
49 | |||
50 | #if APR_HAS_THREADS | ||
51 | /* TODO: Check MPM Type here */ | ||
52 | gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); | ||
53 | #endif | ||
54 | |||
55 | gnutls_global_init(); | ||
56 | |||
57 | apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config, | ||
58 | apr_pool_cleanup_null); | ||
59 | |||
60 | #if MOD_GNUTLS_DEBUG | ||
61 | apr_file_open(&debug_log_fp, "/tmp/gnutls_debug", | ||
62 | APR_APPEND|APR_WRITE|APR_CREATE, APR_OS_DEFAULT, pconf); | ||
63 | |||
64 | gnutls_global_set_log_level(9); | ||
65 | gnutls_global_set_log_function(gnutls_debug_log_all); | ||
66 | #endif | ||
67 | |||
68 | return OK; | ||
69 | } | ||
70 | |||
71 | |||
72 | static gnutls_datum load_params(const char* file, server_rec* s, | ||
73 | apr_pool_t* pool) | ||
74 | { | ||
75 | gnutls_datum ret = { NULL, 0 }; | ||
76 | apr_file_t* fp; | ||
77 | apr_finfo_t finfo; | ||
78 | apr_status_t rv; | ||
79 | apr_size_t br = 0; | ||
80 | |||
81 | rv = apr_file_open(&fp, file, APR_READ|APR_BINARY, APR_OS_DEFAULT, | ||
82 | pool); | ||
83 | if (rv != APR_SUCCESS) { | ||
84 | ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, | ||
85 | "GnuTLS failed to load params file at: %s", file); | ||
86 | return ret; | ||
87 | } | ||
88 | |||
89 | rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp); | ||
90 | |||
91 | if (rv != APR_SUCCESS) { | ||
92 | ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, | ||
93 | "GnuTLS failed to stat params file at: %s", file); | ||
94 | return ret; | ||
95 | } | ||
96 | |||
97 | ret.data = apr_palloc(pool, finfo.size+1); | ||
98 | rv = apr_file_read_full(fp, ret.data, finfo.size, &br); | ||
99 | |||
100 | if (rv != APR_SUCCESS) { | ||
101 | ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, | ||
102 | "GnuTLS failed to read params file at: %s", file); | ||
103 | return ret; | ||
104 | } | ||
105 | apr_file_close(fp); | ||
106 | ret.data[br] = '\0'; | ||
107 | ret.size = br; | ||
108 | |||
109 | return ret; | ||
110 | } | ||
111 | |||
112 | int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog, | ||
113 | apr_pool_t * ptemp, | ||
114 | server_rec * base_server) | ||
115 | { | ||
116 | int rv; | ||
117 | int data_len; | ||
118 | server_rec *s; | ||
119 | gnutls_dh_params_t dh_params; | ||
120 | gnutls_rsa_params_t rsa_params; | ||
121 | mgs_srvconf_rec *sc; | ||
122 | mgs_srvconf_rec *sc_base; | ||
123 | void *data = NULL; | ||
124 | int first_run = 0; | ||
125 | const char *userdata_key = "mgs_init"; | ||
126 | |||
127 | apr_pool_userdata_get(&data, userdata_key, base_server->process->pool); | ||
128 | if (data == NULL) { | ||
129 | first_run = 1; | ||
130 | apr_pool_userdata_set((const void *)1, userdata_key, | ||
131 | apr_pool_cleanup_null, | ||
132 | base_server->process->pool); | ||
133 | } | ||
134 | |||
135 | |||
136 | { | ||
137 | gnutls_datum pdata; | ||
138 | apr_pool_t* tpool; | ||
139 | s = base_server; | ||
140 | sc_base = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, | ||
141 | &gnutls_module); | ||
142 | |||
143 | apr_pool_create(&tpool, p); | ||
144 | |||
145 | gnutls_dh_params_init(&dh_params); | ||
146 | |||
147 | pdata = load_params(sc_base->dh_params_file, s, tpool); | ||
148 | |||
149 | if (pdata.size != 0) { | ||
150 | rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata, | ||
151 | GNUTLS_X509_FMT_PEM); | ||
152 | if (rv != 0) { | ||
153 | ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, | ||
154 | "GnuTLS: Unable to load DH Params: (%d) %s", | ||
155 | rv, gnutls_strerror(rv)); | ||
156 | exit(rv); | ||
157 | } | ||
158 | } | ||
159 | else { | ||
160 | ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, | ||
161 | "GnuTLS: Unable to load DH Params." | ||
162 | " Shutting Down."); | ||
163 | exit(-1); | ||
164 | } | ||
165 | apr_pool_clear(tpool); | ||
166 | |||
167 | gnutls_rsa_params_init(&rsa_params); | ||
168 | |||
169 | pdata = load_params(sc_base->rsa_params_file, s, tpool); | ||
170 | |||
171 | if (pdata.size != 0) { | ||
172 | rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata, | ||
173 | GNUTLS_X509_FMT_PEM); | ||
174 | if (rv != 0) { | ||
175 | ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, | ||
176 | "GnuTLS: Unable to load RSA Params: (%d) %s", | ||
177 | rv, gnutls_strerror(rv)); | ||
178 | exit(rv); | ||
179 | } | ||
180 | } | ||
181 | else { | ||
182 | ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, | ||
183 | "GnuTLS: Unable to load RSA Params." | ||
184 | " Shutting Down."); | ||
185 | exit(-1); | ||
186 | } | ||
187 | |||
188 | apr_pool_destroy(tpool); | ||
189 | rv = mgs_cache_post_config(p, s, sc_base); | ||
190 | if (rv != 0) { | ||
191 | ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, | ||
192 | "GnuTLS: Post Config for GnuTLSCache Failed." | ||
193 | " Shutting Down."); | ||
194 | exit(-1); | ||
195 | } | ||
196 | |||
197 | for (s = base_server; s; s = s->next) { | ||
198 | sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, | ||
199 | &gnutls_module); | ||
200 | sc->cache_type = sc_base->cache_type; | ||
201 | sc->cache_config = sc_base->cache_config; | ||
202 | |||
203 | gnutls_certificate_set_rsa_export_params(sc->certs, | ||
204 | rsa_params); | ||
205 | gnutls_certificate_set_dh_params(sc->certs, dh_params); | ||
206 | |||
207 | if (sc->cert_x509 == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) { | ||
208 | ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, | ||
209 | "[GnuTLS] - Host '%s:%d' is missing a " | ||
210 | "Certificate File!", | ||
211 | s->server_hostname, s->port); | ||
212 | exit(-1); | ||
213 | } | ||
214 | |||
215 | if (sc->privkey_x509 == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) { | ||
216 | ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, | ||
217 | "[GnuTLS] - Host '%s:%d' is missing a " | ||
218 | "Private Key File!", | ||
219 | s->server_hostname, s->port); | ||
220 | exit(-1); | ||
221 | } | ||
222 | |||
223 | rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509, | ||
224 | GNUTLS_OID_X520_COMMON_NAME, 0, 0, | ||
225 | NULL, &data_len); | ||
226 | |||
227 | if (data_len < 1) { | ||
228 | sc->enabled = GNUTLS_ENABLED_FALSE; | ||
229 | sc->cert_cn = NULL; | ||
230 | continue; | ||
231 | } | ||
232 | |||
233 | sc->cert_cn = apr_palloc(p, data_len); | ||
234 | rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509, | ||
235 | GNUTLS_OID_X520_COMMON_NAME, 0, 0, | ||
236 | sc->cert_cn, &data_len); | ||
237 | ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, | ||
238 | s, | ||
239 | "GnuTLS: sni-x509 cn: %s/%d pk: %s s: 0x%08X sc: 0x%08X", sc->cert_cn, rv, | ||
240 | gnutls_pk_algorithm_get_name(gnutls_x509_privkey_get_pk_algorithm(sc->privkey_x509)), | ||
241 | (unsigned int)s, (unsigned int)sc); | ||
242 | } | ||
243 | } | ||
244 | |||
245 | ap_add_version_component(p, "mod_gnutls/" MOD_GNUTLS_VERSION); | ||
246 | |||
247 | return OK; | ||
248 | } | ||
249 | |||
250 | void mgs_hook_child_init(apr_pool_t *p, server_rec *s) | ||
251 | { | ||
252 | apr_status_t rv = APR_SUCCESS; | ||
253 | mgs_srvconf_rec *sc = ap_get_module_config(s->module_config, | ||
254 | &gnutls_module); | ||
255 | |||
256 | if (sc->cache_type != mgs_cache_none) { | ||
257 | rv = mgs_cache_child_init(p, s, sc); | ||
258 | if(rv != APR_SUCCESS) { | ||
259 | ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, | ||
260 | "[GnuTLS] - Failed to run Cache Init"); | ||
261 | } | ||
262 | } | ||
263 | else { | ||
264 | ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s, | ||
265 | "[GnuTLS] - No Cache Configured. Hint: GnuTLSCache"); | ||
266 | } | ||
267 | } | ||
268 | |||
269 | const char *mgs_hook_http_scheme(const request_rec * r) | ||
270 | { | ||
271 | mgs_srvconf_rec *sc = | ||
272 | (mgs_srvconf_rec *) ap_get_module_config(r->server-> | ||
273 | module_config, | ||
274 | &gnutls_module); | ||
275 | |||
276 | if (sc->enabled == GNUTLS_ENABLED_FALSE) { | ||
277 | return NULL; | ||
278 | } | ||
279 | |||
280 | return "https"; | ||
281 | } | ||
282 | |||
283 | apr_port_t mgs_hook_default_port(const request_rec * r) | ||
284 | { | ||
285 | mgs_srvconf_rec *sc = | ||
286 | (mgs_srvconf_rec *) ap_get_module_config(r->server-> | ||
287 | module_config, | ||
288 | &gnutls_module); | ||
289 | |||
290 | if (sc->enabled == GNUTLS_ENABLED_FALSE) { | ||
291 | return 0; | ||
292 | } | ||
293 | |||
294 | return 443; | ||
295 | } | ||
296 | |||
297 | #define MAX_HOST_LEN 255 | ||
298 | |||
299 | #if USING_2_1_RECENT | ||
300 | typedef struct | ||
301 | { | ||
302 | mgs_handle_t *ctxt; | ||
303 | gnutls_retr_st* ret; | ||
304 | const char* sni_name; | ||
305 | } vhost_cb_rec; | ||
306 | |||
307 | static int vhost_cb (void* baton, conn_rec* conn, server_rec* s) | ||
308 | { | ||
309 | mgs_srvconf_rec *tsc; | ||
310 | vhost_cb_rec* x = baton; | ||
311 | |||
312 | tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, | ||
313 | &gnutls_module); | ||
314 | |||
315 | if (tsc->enabled != GNUTLS_ENABLED_TRUE || tsc->cert_cn == NULL) { | ||
316 | return 0; | ||
317 | } | ||
318 | |||
319 | /* The CN can contain a * -- this will match those too. */ | ||
320 | if (ap_strcasecmp_match(x->sni_name, tsc->cert_cn) == 0) { | ||
321 | /* found a match */ | ||
322 | x->ret->cert.x509 = &tsc->cert_x509; | ||
323 | x->ret->key.x509 = tsc->privkey_x509; | ||
324 | #if MOD_GNUTLS_DEBUG | ||
325 | ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, | ||
326 | x->ctxt->c->base_server, | ||
327 | "GnuTLS: Virtual Host CB: " | ||
328 | "'%s' == '%s'", tsc->cert_cn, x->sni_name); | ||
329 | #endif | ||
330 | /* Because we actually change the server used here, we need to reset | ||
331 | * things like ClientVerify. | ||
332 | */ | ||
333 | x->ctxt->sc = tsc; | ||
334 | /* Shit. Crap. Dammit. We *really* should rehandshake here, as our | ||
335 | * certificate structure *should* change when the server changes. | ||
336 | * acccckkkkkk. | ||
337 | */ | ||
338 | gnutls_certificate_server_set_request(x->ctxt->session, x->ctxt->sc->client_verify_mode); | ||
339 | return 1; | ||
340 | } | ||
341 | return 0; | ||
342 | } | ||
343 | #endif | ||
344 | |||
345 | static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st* ret) | ||
346 | { | ||
347 | int rv; | ||
348 | int sni_type; | ||
349 | int data_len = MAX_HOST_LEN; | ||
350 | char sni_name[MAX_HOST_LEN]; | ||
351 | mgs_handle_t *ctxt; | ||
352 | #if USING_2_1_RECENT | ||
353 | vhost_cb_rec cbx; | ||
354 | #else | ||
355 | server_rec* s; | ||
356 | mgs_srvconf_rec *tsc; | ||
357 | #endif | ||
358 | |||
359 | ctxt = gnutls_transport_get_ptr(session); | ||
360 | |||
361 | sni_type = gnutls_certificate_type_get(session); | ||
362 | if (sni_type != GNUTLS_CRT_X509) { | ||
363 | /* In theory, we could support OpenPGP Certificates. Theory != code. */ | ||
364 | ap_log_error(APLOG_MARK, APLOG_CRIT, 0, | ||
365 | ctxt->c->base_server, | ||
366 | "GnuTLS: Only x509 Certificates are currently supported."); | ||
367 | return -1; | ||
368 | } | ||
369 | |||
370 | ret->type = GNUTLS_CRT_X509; | ||
371 | ret->ncerts = 1; | ||
372 | ret->deinit_all = 0; | ||
373 | |||
374 | rv = gnutls_server_name_get(ctxt->session, sni_name, | ||
375 | &data_len, &sni_type, 0); | ||
376 | |||
377 | if (rv != 0) { | ||
378 | goto use_default_crt; | ||
379 | } | ||
380 | |||
381 | if (sni_type != GNUTLS_NAME_DNS) { | ||
382 | ap_log_error(APLOG_MARK, APLOG_CRIT, 0, | ||
383 | ctxt->c->base_server, | ||
384 | "GnuTLS: Unknown type '%d' for SNI: " | ||
385 | "'%s'", sni_type, sni_name); | ||
386 | goto use_default_crt; | ||
387 | } | ||
388 | |||
389 | /** | ||
390 | * Code in the Core already sets up the c->base_server as the base | ||
391 | * for this IP/Port combo. Trust that the core did the 'right' thing. | ||
392 | */ | ||
393 | #if USING_2_1_RECENT | ||
394 | cbx.ctxt = ctxt; | ||
395 | cbx.ret = ret; | ||
396 | cbx.sni_name = sni_name; | ||
397 | |||
398 | rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx); | ||
399 | if (rv == 1) { | ||
400 | return 0; | ||
401 | } | ||
402 | #else | ||
403 | for (s = ap_server_conf; s; s = s->next) { | ||
404 | |||
405 | tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, | ||
406 | &gnutls_module); | ||
407 | if (tsc->enabled != GNUTLS_ENABLED_TRUE) { | ||
408 | continue; | ||
409 | } | ||
410 | #if MOD_GNUTLS_DEBUG | ||
411 | ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, | ||
412 | ctxt->c->base_server, | ||
413 | "GnuTLS: sni-x509 cn: %s/%d pk: %s s: 0x%08X s->n: 0x%08X sc: 0x%08X", tsc->cert_cn, rv, | ||
414 | gnutls_pk_algorithm_get_name(gnutls_x509_privkey_get_pk_algorithm(ctxt->sc->privkey_x509)), | ||
415 | (unsigned int)s, (unsigned int)s->next, (unsigned int)tsc); | ||
416 | #endif | ||
417 | /* The CN can contain a * -- this will match those too. */ | ||
418 | if (ap_strcasecmp_match(sni_name, tsc->cert_cn) == 0) { | ||
419 | /* found a match */ | ||
420 | ret->cert.x509 = &tsc->cert_x509; | ||
421 | ret->key.x509 = tsc->privkey_x509; | ||
422 | #if MOD_GNUTLS_DEBUG | ||
423 | ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, | ||
424 | ctxt->c->base_server, | ||
425 | "GnuTLS: Virtual Host: " | ||
426 | "'%s' == '%s'", tsc->cert_cn, sni_name); | ||
427 | #endif | ||
428 | ctxt->sc = tsc; | ||
429 | gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode); | ||
430 | return 0; | ||
431 | } | ||
432 | } | ||
433 | #endif | ||
434 | |||
435 | /** | ||
436 | * If the client does not support the Server Name Indication, give the default | ||
437 | * certificate for this server. | ||
438 | */ | ||
439 | use_default_crt: | ||
440 | ret->cert.x509 = &ctxt->sc->cert_x509; | ||
441 | ret->key.x509 = ctxt->sc->privkey_x509; | ||
442 | #if MOD_GNUTLS_DEBUG | ||
443 | ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, | ||
444 | ctxt->c->base_server, | ||
445 | "GnuTLS: Using Default Certificate."); | ||
446 | #endif | ||
447 | return 0; | ||
448 | } | ||
449 | |||
450 | static mgs_handle_t* create_gnutls_handle(apr_pool_t* pool, conn_rec * c) | ||
451 | { | ||
452 | mgs_handle_t *ctxt; | ||
453 | mgs_srvconf_rec *sc = | ||
454 | (mgs_srvconf_rec *) ap_get_module_config(c->base_server-> | ||
455 | module_config, | ||
456 | &gnutls_module); | ||
457 | |||
458 | ctxt = apr_pcalloc(pool, sizeof(*ctxt)); | ||
459 | ctxt->c = c; | ||
460 | ctxt->sc = sc; | ||
461 | ctxt->status = 0; | ||
462 | |||
463 | ctxt->input_rc = APR_SUCCESS; | ||
464 | ctxt->input_bb = apr_brigade_create(c->pool, c->bucket_alloc); | ||
465 | ctxt->input_cbuf.length = 0; | ||
466 | |||
467 | ctxt->output_rc = APR_SUCCESS; | ||
468 | ctxt->output_bb = apr_brigade_create(c->pool, c->bucket_alloc); | ||
469 | ctxt->output_blen = 0; | ||
470 | ctxt->output_length = 0; | ||
471 | |||
472 | gnutls_init(&ctxt->session, GNUTLS_SERVER); | ||
473 | |||
474 | gnutls_protocol_set_priority(ctxt->session, sc->protocol); | ||
475 | gnutls_cipher_set_priority(ctxt->session, sc->ciphers); | ||
476 | gnutls_compression_set_priority(ctxt->session, sc->compression); | ||
477 | gnutls_kx_set_priority(ctxt->session, sc->key_exchange); | ||
478 | gnutls_mac_set_priority(ctxt->session, sc->macs); | ||
479 | gnutls_certificate_type_set_priority(ctxt->session, sc->cert_types); | ||
480 | |||
481 | mgs_cache_session_init(ctxt); | ||
482 | |||
483 | gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE, ctxt->sc->certs); | ||
484 | |||
485 | gnutls_certificate_server_set_retrieve_function(sc->certs, cert_retrieve_fn); | ||
486 | gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode); | ||
487 | return ctxt; | ||
488 | } | ||
489 | |||
490 | int mgs_hook_pre_connection(conn_rec * c, void *csd) | ||
491 | { | ||
492 | mgs_handle_t *ctxt; | ||
493 | mgs_srvconf_rec *sc = | ||
494 | (mgs_srvconf_rec *) ap_get_module_config(c->base_server-> | ||
495 | module_config, | ||
496 | &gnutls_module); | ||
497 | |||
498 | if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) { | ||
499 | return DECLINED; | ||
500 | } | ||
501 | |||
502 | ctxt = create_gnutls_handle(c->pool, c); | ||
503 | |||
504 | ap_set_module_config(c->conn_config, &gnutls_module, ctxt); | ||
505 | |||
506 | gnutls_transport_set_pull_function(ctxt->session, | ||
507 | mgs_transport_read); | ||
508 | gnutls_transport_set_push_function(ctxt->session, | ||
509 | mgs_transport_write); | ||
510 | gnutls_transport_set_ptr(ctxt->session, ctxt); | ||
511 | |||
512 | ctxt->input_filter = ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, ctxt, | ||
513 | NULL, c); | ||
514 | ctxt->output_filter = ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, ctxt, | ||
515 | NULL, c); | ||
516 | |||
517 | return OK; | ||
518 | } | ||
519 | |||
520 | int mgs_hook_fixups(request_rec *r) | ||
521 | { | ||
522 | unsigned char sbuf[GNUTLS_MAX_SESSION_ID]; | ||
523 | char buf[GNUTLS_SESSION_ID_STRING_LEN]; | ||
524 | const char* tmp; | ||
525 | int len; | ||
526 | mgs_handle_t *ctxt; | ||
527 | apr_table_t *env = r->subprocess_env; | ||
528 | |||
529 | ctxt = ap_get_module_config(r->connection->conn_config, &gnutls_module); | ||
530 | |||
531 | if(!ctxt) { | ||
532 | return DECLINED; | ||
533 | } | ||
534 | |||
535 | apr_table_setn(env, "HTTPS", "on"); | ||
536 | |||
537 | apr_table_setn(env, "GNUTLS_VERSION_INTERFACE", MOD_GNUTLS_VERSION); | ||
538 | apr_table_setn(env, "GNUTLS_VERSION_LIBRARY", LIBGNUTLS_VERSION); | ||
539 | |||
540 | apr_table_setn(env, "SSL_PROTOCOL", | ||
541 | gnutls_protocol_get_name(gnutls_protocol_get_version(ctxt->session))); | ||
542 | |||
543 | apr_table_setn(env, "SSL_CIPHER", | ||
544 | gnutls_cipher_get_name(gnutls_cipher_get(ctxt->session))); | ||
545 | |||
546 | apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE"); | ||
547 | |||
548 | tmp = apr_psprintf(r->pool, "%d", | ||
549 | 8 * gnutls_cipher_get_key_size(gnutls_cipher_get(ctxt->session))); | ||
550 | |||
551 | apr_table_setn(env, "SSL_CIPHER_USEKEYSIZE", tmp); | ||
552 | |||
553 | apr_table_setn(env, "SSL_CIPHER_ALGKEYSIZE", tmp); | ||
554 | |||
555 | len = sizeof(sbuf); | ||
556 | gnutls_session_get_id(ctxt->session, sbuf, &len); | ||
557 | tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf)); | ||
558 | apr_table_setn(env, "SSL_SESSION_ID", tmp); | ||
559 | |||
560 | return OK; | ||
561 | } | ||
562 | |||
563 | int mgs_hook_authz(request_rec *r) | ||
564 | { | ||
565 | int rv; | ||
566 | int status; | ||
567 | mgs_handle_t *ctxt; | ||
568 | mgs_dirconf_rec *dc = ap_get_module_config(r->per_dir_config, | ||
569 | &gnutls_module); | ||
570 | |||
571 | ctxt = ap_get_module_config(r->connection->conn_config, &gnutls_module); | ||
572 | |||
573 | if (!ctxt) { | ||
574 | return DECLINED; | ||
575 | } | ||
576 | |||
577 | if (!dc) { | ||
578 | dc = mgs_config_dir_create(r->pool, NULL); | ||
579 | } | ||
580 | |||
581 | if (dc->client_verify_mode == GNUTLS_CERT_IGNORE) { | ||
582 | ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, | ||
583 | "GnuTLS: Directory set to Ignore Client Certificate!"); | ||
584 | return DECLINED; | ||
585 | } | ||
586 | |||
587 | if (ctxt->sc->client_verify_mode < dc->client_verify_mode) { | ||
588 | ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, | ||
589 | "GnuTLS: Attempting to rehandshake with peer. %d %d", | ||
590 | ctxt->sc->client_verify_mode, dc->client_verify_mode); | ||
591 | |||
592 | gnutls_certificate_server_set_request(ctxt->session, | ||
593 | dc->client_verify_mode); | ||
594 | |||
595 | if (mgs_rehandshake(ctxt) != 0) { | ||
596 | return HTTP_FORBIDDEN; | ||
597 | } | ||
598 | } | ||
599 | else if (ctxt->sc->client_verify_mode == GNUTLS_CERT_IGNORE) { | ||
600 | #if MOD_GNUTLS_DEBUG | ||
601 | ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, | ||
602 | "GnuTLS: Peer is set to IGNORE"); | ||
603 | #endif | ||
604 | return DECLINED; | ||
605 | } | ||
606 | |||
607 | rv = gnutls_certificate_verify_peers2(ctxt->session, &status); | ||
608 | |||
609 | if (rv < 0) { | ||
610 | ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, | ||
611 | "GnuTLS: Failed to Verify Peer: (%d) %s", | ||
612 | rv, gnutls_strerror(rv)); | ||
613 | return HTTP_FORBIDDEN; | ||
614 | } | ||
615 | |||
616 | if (status < 0) { | ||
617 | ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, | ||
618 | "GnuTLS: Peer Status is invalid."); | ||
619 | return HTTP_FORBIDDEN; | ||
620 | } | ||
621 | |||
622 | if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) { | ||
623 | ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, | ||
624 | "GnuTLS: Could not find Signer for Peer Certificate"); | ||
625 | } | ||
626 | |||
627 | if (status & GNUTLS_CERT_SIGNER_NOT_CA) { | ||
628 | ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, | ||
629 | "GnuTLS: Could not find CA for Peer Certificate"); | ||
630 | } | ||
631 | |||
632 | if (status & GNUTLS_CERT_INVALID) { | ||
633 | ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, | ||
634 | "GnuTLS: Peer Certificate is invalid."); | ||
635 | return HTTP_FORBIDDEN; | ||
636 | } | ||
637 | else if (status & GNUTLS_CERT_REVOKED) { | ||
638 | ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, | ||
639 | "GnuTLS: Peer Certificate is revoked."); | ||
640 | return HTTP_FORBIDDEN; | ||
641 | } | ||
642 | |||
643 | /* TODO: OpenPGP Certificates */ | ||
644 | if (gnutls_certificate_type_get(ctxt->session) != GNUTLS_CRT_X509) { | ||
645 | ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, | ||
646 | "GnuTLS: Only x509 is supported for client certificates"); | ||
647 | return HTTP_FORBIDDEN; | ||
648 | } | ||
649 | /* TODO: Further Verification. */ | ||
650 | ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, | ||
651 | "GnuTLS: Verified Peer."); | ||
652 | return OK; | ||
653 | } | ||
654 | |||