[Modules] mod_gnutls/libmsv
Clint Adams
clint at debian.org
Thu May 5 11:18:36 EDT 2011
I'm trying to get mod_gnutls to use libmsv for an alternate
X.509 validation method.
Can someone advise on how to do this better?
--- mod-gnutls-0.5.9.orig/src/gnutls_hooks.c
+++ mod-gnutls-0.5.9/src/gnutls_hooks.c
@@ -20,6 +20,8 @@
#include "http_vhost.h"
#include "ap_mpm.h"
+#include <msv/msv.h>
+
#if APR_HAS_THREADS
# if GNUTLS_VERSION_MAJOR <= 2 && GNUTLS_VERSION_MINOR < 11
#include <gcrypt.h>
@@ -38,6 +40,8 @@ static apr_file_t *debug_log_fp;
static int mpm_is_threaded;
static gnutls_datum session_ticket_key = { NULL, 0 };
+static int monkeysphere = 1;
+
static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
/* use side==0 for server and side==1 for client */
static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert,
@@ -1155,9 +1159,38 @@ static int mgs_cert_verify(request_rec *
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"GnuTLS: Verifying list of %d certificate(s)", ch_size);
- rv = gnutls_x509_crt_list_verify(cert.x509, ch_size,
- ctxt->sc->ca_list, ctxt->sc->ca_list_size,
- NULL, 0, 0, &status);
+
+ if (monkeysphere) {
+ struct msv_response resp;
+ char *buf;
+ size_t oidsize = 512;
+
+ buf = malloc(512);
+
+ if (gnutls_x509_crt_get_subject_alt_othername_oid(cert.x509[0], 0, (void *)buf, &oidsize) == GNUTLS_SAN_OTHERNAME) {
+ rv = msv_query_agent(NULL, "https", "client", buf, "x509der", (char *)&cert_list[0], &resp);
+ free(buf);
+ if (rv != LIBMSV_ERROR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "GnuTLS: Monkeysphere validation failed: %s", msv_strerror(rv));
+ rv = GNUTLS_E_NO_CERTIFICATE_FOUND;
+ ret = HTTP_FORBIDDEN;
+ goto exit;
+ }
+
+ rv = 0;
+ status = 0;
+ } else {
+ free(buf);
+ rv = GNUTLS_E_NO_CERTIFICATE_FOUND;
+ ret = HTTP_FORBIDDEN;
+ goto exit;
+ }
+ } else {
+ rv = gnutls_x509_crt_list_verify(cert.x509, ch_size,
+ ctxt->sc->ca_list, ctxt->sc->ca_list_size,
+ NULL, 0, 0, &status);
+ }
} else {
apr_time_ansi_put(&expiration_time,
gnutls_openpgp_crt_get_expiration_time(cert.pgp));
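Review bot: With `monkeysphere` hard-coded to 1 in the earlier hunk (`static int monkeysphere = 1;`), the `gnutls_x509_crt_list_verify` branch is never reached and `status = 0` is set on the agent's success alone, so every build of this module loses its configured CA-list verification with no way to turn it back on; at minimum make the flag a configuration directive defaulting to 0, or fall back to the existing CA verification when the certificate carries no otherName. The payload handed to `msv_query_agent` also looks wrong: `(char *)&cert_list[0]` is the address of the datum descriptor (cert_list is declared outside the hunk, so this is inferred from the cast), not the DER bytes, which would be `cert_list[0].data` together with `cert_list[0].size`, and `buf` receives the otherName OID — the type identifier — rather than the name value, whereas the peer argument presumably wants the identity, obtainable with `gnutls_x509_crt_get_subject_alt_name`. Smaller points: `malloc(512)` is unchecked and both paths free it immediately, so `char buf[512];` suffices; only SAN entry 0 is consulted, so a certificate whose otherName is not the first entry is rejected; and `resp` is neither inspected nor released after the call. The enclosing `mgs_cert_verify` starts and ends outside the hunk.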