Changeset 2a2272d in mod_gnutls
- Timestamp:
- Jan 11, 2013, 12:56:01 AM (10 years ago)
- Branches:
- debian/master, debian/stretch-backports, jessie-backports, upstream
- Children:
- dc1e7e6, e86847d
- Parents:
- a4839ae
- Files:
-
- 9 edited
Makefile.am
ra4839ae r2a2272d 8 8 NOTICE LICENSE autogen.sh 9 9 10 SUBDIRS = src data10 SUBDIRS = src 11 11 ACLOCAL_AMFLAGS = -I m4 -
NEWS
ra4839ae r2a2272d 1 ** Version 0.4.2 (2007-12-10) 2 3 - Added support for sending a certificate chain. 4 5 - Corrected bug which did not allow the TLS session cache to be used. 6 7 - Do not allow resuming sessions on different servers. 8 1 9 ** Version 0.4.1 (2007-12-03) 2 10 -
README
ra4839ae r2a2272d 12 12 13 13 Lines of Code in mod_ssl: 15,324 14 Lines of Code in mod_gnutls: 1,88614 Lines of Code in mod_gnutls: 3,594 15 15 16 16 Because of writing mod_gnutls, I now understand how input and output filters work, … … 64 64 # a more advanced configuration 65 65 GnuTLSCache dbm "/var/cache/www-tls-cache/cache" 66 GnuTLSCacheTimeout 500 67 GnuTLSProtocols TLS1.1 TLS1.0 SSL3.0 66 GnuTLSCacheTimeout 600 68 67 NameVirtualHost 1.2.3.4:443 69 68 … … 71 70 Servername server.com:443 72 71 GnuTLSEnable on 73 GnuTLSCiphers AES-128-CBC 3DES-CBC ARCFOUR-128 74 GnuTLSKeyExchangeAlgorithms RSA DHE-RSA DHE-DSS SRP SRP-RSA SRP-DSS 75 GnuTLSMACAlgorithms SHA1 MD5 76 GnuTLSCompressionMethods NULL 72 GnuTLSPriority NORMAL 77 73 # To export exactly the same environment variables as mod_ssl to CGI scripts. 78 74 GNUTLSExportCertificates on -
configure
ra4839ae r2a2272d 1 1 #! /bin/sh 2 2 # Guess values for system-dependent variables and create Makefiles. 3 # Generated by GNU Autoconf 2.61 for mod_gnutls 0.4. 1.3 # Generated by GNU Autoconf 2.61 for mod_gnutls 0.4.2. 4 4 # 5 5 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, … … 727 727 PACKAGE_NAME='mod_gnutls' 728 728 PACKAGE_TARNAME='mod_gnutls' 729 PACKAGE_VERSION='0.4. 1'730 PACKAGE_STRING='mod_gnutls 0.4. 1'729 PACKAGE_VERSION='0.4.2' 730 PACKAGE_STRING='mod_gnutls 0.4.2' 731 731 PACKAGE_BUGREPORT='' 732 732 … … 1426 1426 # This message is too long to be a string in the A/UX 3.1 sh. 1427 1427 cat <<_ACEOF 1428 \`configure' configures mod_gnutls 0.4. 1to adapt to many kinds of systems.1428 \`configure' configures mod_gnutls 0.4.2 to adapt to many kinds of systems. 1429 1429 1430 1430 Usage: $0 [OPTION]... [VAR=VALUE]... … … 1497 1497 if test -n "$ac_init_help"; then 1498 1498 case $ac_init_help in 1499 short | recursive ) echo "Configuration of mod_gnutls 0.4. 1:";;1499 short | recursive ) echo "Configuration of mod_gnutls 0.4.2:";; 1500 1500 esac 1501 1501 cat <<\_ACEOF … … 1607 1607 if $ac_init_version; then 1608 1608 cat <<\_ACEOF 1609 mod_gnutls configure 0.4. 11609 mod_gnutls configure 0.4.2 1610 1610 generated by GNU Autoconf 2.61 1611 1611 … … 1621 1621 running configure, to aid debugging if configure makes a mistake. 1622 1622 1623 It was created by mod_gnutls $as_me 0.4. 1, which was1623 It was created by mod_gnutls $as_me 0.4.2, which was 1624 1624 generated by GNU Autoconf 2.61. Invocation command line was 1625 1625 … … 1992 1992 chmod +x config.nice 1993 1993 1994 MOD_GNUTLS_VERSION=0.4. 11994 MOD_GNUTLS_VERSION=0.4.2 1995 1995 1996 1996 … … 2493 2493 # Define the identity of the package. 2494 2494 PACKAGE=mod_gnutls 2495 VERSION=0.4. 12495 VERSION=0.4.2 2496 2496 2497 2497 … … 21396 21396 # values after options handling. 21397 21397 ac_log=" 21398 This file was extended by mod_gnutls $as_me 0.4. 
1, which was21398 This file was extended by mod_gnutls $as_me 0.4.2, which was 21399 21399 generated by GNU Autoconf 2.61. Invocation command line was 21400 21400 … … 21449 21449 cat >>$CONFIG_STATUS <<_ACEOF 21450 21450 ac_cs_version="\\ 21451 mod_gnutls config.status 0.4. 121451 mod_gnutls config.status 0.4.2 21452 21452 configured by $0, generated by GNU Autoconf 2.61, 21453 21453 with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" -
configure.ac
ra4839ae r2a2272d 1 1 dnl 2 AC_INIT(mod_gnutls, 0.4. 1)2 AC_INIT(mod_gnutls, 0.4.2) 3 3 OOO_CONFIG_NICE(config.nice) 4 4 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION … … 44 44 AC_SUBST(MODULE_LIBS) 45 45 46 AC_CONFIG_FILES([Makefile src/Makefile include/mod_gnutls.h data/Makefile])46 AC_CONFIG_FILES([Makefile src/Makefile include/mod_gnutls.h]) 47 47 AC_OUTPUT 48 48 -
include/mod_gnutls.h.in
ra4839ae r2a2272d 81 81 */ 82 82 #define MAX_CA_CRTS 128 83 #define MAX_CIPHERS 16 83 84 /* The maximum number of certificates to send in a chain 85 */ 86 #define MAX_CHAIN_SIZE 8 84 87 85 88 typedef struct … … 89 92 gnutls_anon_server_credentials_t anon_creds; 90 93 char* cert_cn; 91 gnutls_x509_crt_t cert_x509; 94 gnutls_x509_crt_t certs_x509[MAX_CHAIN_SIZE]; /* A certificate chain */ 95 unsigned int certs_x509_num; 92 96 gnutls_x509_privkey_t privkey_x509; 93 97 int enabled; -
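Review bot: The new comment on MAX_CHAIN_SIZE describes it as the number of certificates sent in a chain, but the constant is also the capacity of the new `certs_x509[MAX_CHAIN_SIZE]` array and of `certs_x509_num`, and nothing in the header says what a configured certificate file with more entries produces. A reader of the struct has to find the import call in gnutls_config.c to learn that, so the comment should state it, e.g. `/* Capacity of certs_x509: the configured certificate file may hold at most this many certificates; the import in gnutls_config.c decides whether longer files are an error */`. The `certs_x509_num` field should likewise get a one-line comment saying it holds the number of entries actually filled in, since it is 0 until a file is imported. The typedef'd struct continues outside the hunk.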
src/gnutls_cache.c
ra4839ae r2a2272d 35 35 36 36 #define MC_TAG "mod_gnutls:" 37 #define MC_TAG_LEN \ 38 (sizeof(MC_TAG)) 37 #define MC_TAG_LEN sizeof(MC_TAG) 39 38 #define STR_SESSION_LEN (GNUTLS_SESSION_ID_STRING_LEN + MC_TAG_LEN) 40 39 41 #if 0 42 static char *gnutls_session_id2sz(unsigned char *id, int idlen, 40 char *mgs_session_id2sz(unsigned char *id, int idlen, 43 41 char *str, int strsize) 44 42 { 45 43 char *cp; 46 44 int n; 47 48 cp = apr_cpystrn(str, MC_TAG, MC_TAG_LEN);45 46 cp = str; 49 47 for (n = 0; n < idlen && n < GNUTLS_MAX_SESSION_ID; n++) { 50 48 apr_snprintf(cp, strsize - (cp-str), "%02X", id[n]); … … 54 52 return str; 55 53 } 56 #endif 54 55 56 /* Name the Session ID as: 57 * server:port.SessionID 58 * to disallow resuming sessions on different servers 59 */ 60 static int mgs_session_id2dbm(conn_rec* c, unsigned char *id, int idlen, 61 apr_datum_t* dbmkey) 62 { 63 char buf[STR_SESSION_LEN]; 64 char *sz; 65 66 sz = mgs_session_id2sz(id, idlen, buf, sizeof(buf)); 67 if (sz == NULL) 68 return -1; 69 70 dbmkey->dptr = apr_psprintf(c->pool, "%s:%d.%s", c->base_server->server_hostname, c->base_server->port, sz); 71 dbmkey->dsize = strlen( dbmkey->dptr); 72 73 return 0; 74 } 57 75 58 76 #define CTIME "%b %d %k:%M:%S %Y %Z" … … 71 89 } 72 90 73 char *mgs_session_id2sz(unsigned char *id, int idlen,74 char *str, int strsize)75 {76 char *cp;77 int n;78 79 cp = str;80 for (n = 0; n < idlen && n < GNUTLS_MAX_SESSION_ID; n++) {81 apr_snprintf(cp, strsize - (cp-str), "%02X", id[n]);82 cp += 2;83 }84 *cp = '\0';85 return str;86 }87 88 89 91 #if HAVE_APR_MEMCACHE 92 /* Name the Session ID as: 93 * server:port.SessionID 94 * to disallow resuming sessions on different servers 95 */ 96 static char* mgs_session_id2mc(conn_rec* c, unsigned char *id, int idlen) 97 { 98 char buf[STR_SESSION_LEN]; 99 char *sz; 100 101 sz = mgs_session_id2sz(id, idlen, buf, sizeof(buf)); 102 if (sz == NULL) 103 return NULL; 104 105 return apr_psprintf(c->pool, MC_TAG"%s:%d.%s", 
c->base_server->server_hostname, c->base_server->port, sz); 106 } 90 107 91 108 /** … … 185 202 apr_status_t rv = APR_SUCCESS; 186 203 mgs_handle_t *ctxt = baton; 187 char buf[STR_SESSION_LEN];188 204 char* strkey = NULL; 189 205 apr_uint32_t timeout; 190 206 191 strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf));207 strkey = mgs_session_id2mc(ctxt->c, key.data, key.size); 192 208 if(!strkey) 193 209 return -1; … … 212 228 apr_status_t rv = APR_SUCCESS; 213 229 mgs_handle_t *ctxt = baton; 214 char buf[STR_SESSION_LEN];215 230 char* strkey = NULL; 216 231 char* value; … … 218 233 gnutls_datum_t data = { NULL, 0 }; 219 234 220 strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf));235 strkey = mgs_session_id2mc(ctxt->c, key.data, key.size); 221 236 if (!strkey) { 222 237 return data; … … 253 268 apr_status_t rv = APR_SUCCESS; 254 269 mgs_handle_t *ctxt = baton; 255 char buf[STR_SESSION_LEN];256 270 char* strkey = NULL; 257 271 258 strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf));272 strkey = mgs_session_id2mc(ctxt->c, key.data, key.size); 259 273 if(!strkey) 260 274 return -1; … … 367 381 apr_status_t rv; 368 382 369 dbmkey.dptr = (void*)key.data;370 dbmkey.dsize = key.size;383 if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0) 384 return data; 371 385 372 386 rv = apr_dbm_open(&dbm, ctxt->sc->cache_config, … … 414 428 apr_status_t rv; 415 429 apr_time_t expiry; 416 417 dbmkey.dptr = (char *)key.data;418 dbmkey.dsize = key.size;430 431 if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0) 432 return -1; 419 433 420 434 /* create DBM value */ … … 468 482 mgs_handle_t *ctxt = baton; 469 483 apr_status_t rv; 470 471 dbmkey.dptr = (char *)key.data;472 dbmkey.dsize = key.size;484 485 if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0) 486 return -1; 473 487 474 488 rv = apr_dbm_open(&dbm, ctxt->sc->cache_config, -
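Review bot: The now-active `mgs_session_id2sz` can write one byte past `str`: each `apr_snprintf` is bounded by `strsize - (cp-str)` but `cp += 2` advances regardless of truncation, so when `2*idlen >= strsize` the final `*cp = '\0'` lands at `str[strsize]` (for strsize 4 and idlen 2, cp is str+4 after the loop). It is only safe today because every caller passes a `STR_SESSION_LEN` buffer and the loop stops at `GNUTLS_MAX_SESSION_ID`, which the function itself does not guarantee. I would guard on the size the caller passes instead: `if (strsize < 1) return NULL;` before the loop and `for (n = 0; n < idlen && n < GNUTLS_MAX_SESSION_ID && (cp - str) + 3 <= strsize; n++) {` so there is always room for two hex digits and the terminator. The same bounded key is then used by both `mgs_session_id2dbm` and `mgs_session_id2mc`, so the fix covers both cache back ends.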
src/gnutls_config.c
ra4839ae r2a2272d 73 73 } 74 74 75 gnutls_dh_params_init(&sc->dh_params); 75 ret = gnutls_dh_params_init(&sc->dh_params); 76 if (ret < 0) { 77 return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize" 78 ": (%d) %s", ret, gnutls_strerror(ret)); 79 } 80 76 81 ret = 77 82 gnutls_dh_params_import_pkcs3(sc->dh_params, &data, GNUTLS_X509_FMT_PEM); 78 if (ret !=0) {83 if (ret < 0) { 79 84 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import " 80 85 "DH params '%s': (%d) %s", file, ret, … … 108 113 } 109 114 110 gnutls_rsa_params_init(&sc->rsa_params); 115 ret = gnutls_rsa_params_init(&sc->rsa_params); 116 if (ret < 0) { 117 return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize" 118 ": (%d) %s", ret, gnutls_strerror(ret)); 119 } 120 111 121 ret = 112 122 gnutls_rsa_params_import_pkcs1(sc->rsa_params, &data, GNUTLS_X509_FMT_PEM); … … 142 152 } 143 153 144 gnutls_x509_crt_init(&sc->cert_x509);154 sc->certs_x509_num = MAX_CHAIN_SIZE; 145 155 ret = 146 gnutls_x509_crt_ import(sc->cert_x509, &data, GNUTLS_X509_FMT_PEM);147 if (ret !=0) {156 gnutls_x509_crt_list_import(sc->certs_x509, &sc->certs_x509_num, &data, GNUTLS_X509_FMT_PEM, 0); 157 if (ret < 0) { 148 158 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import " 149 159 "Certificate '%s': (%d) %s", file, ret, … … 175 185 } 176 186 177 gnutls_x509_privkey_init(&sc->privkey_x509); 187 ret = gnutls_x509_privkey_init(&sc->privkey_x509); 188 if (ret < 0) { 189 return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize" 190 ": (%d) %s", ret, gnutls_strerror(ret)); 191 } 192 178 193 ret = 179 194 gnutls_x509_privkey_import(sc->privkey_x509, &data, … … 396 411 { 397 412 mgs_srvconf_rec *sc = apr_pcalloc(p, sizeof(*sc)); 398 413 int ret; 414 399 415 sc->enabled = GNUTLS_ENABLED_FALSE; 400 416 401 gnutls_certificate_allocate_credentials(&sc->certs); 402 gnutls_anon_allocate_server_credentials(&sc->anon_creds); 403 gnutls_srp_allocate_server_credentials(&sc->srp_creds); 417 ret = 
gnutls_certificate_allocate_credentials(&sc->certs); 418 if (ret < 0) { 419 return apr_psprintf(p, "GnuTLS: Failed to initialize" 420 ": (%d) %s", ret, gnutls_strerror(ret)); 421 } 422 423 ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds); 424 if (ret < 0) { 425 return apr_psprintf(p, "GnuTLS: Failed to initialize" 426 ": (%d) %s", ret, gnutls_strerror(ret)); 427 } 428 429 ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds); 430 if (ret < 0) { 431 return apr_psprintf(p, "GnuTLS: Failed to initialize" 432 ": (%d) %s", ret, gnutls_strerror(ret)); 433 } 404 434 405 435 sc->srp_tpasswd_conf_file = NULL; 406 436 sc->srp_tpasswd_file = NULL; 407 437 sc->privkey_x509 = NULL; 408 sc->cert_x509 = NULL; 438 memset( sc->certs_x509, 0, sizeof(sc->certs_x509)); 439 sc->certs_x509_num = 0; 409 440 sc->cache_timeout = apr_time_from_sec(300); 410 441 sc->cache_type = mgs_cache_dbm; -
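Review bot: The `gnutls_x509_crt_list_import(sc->certs_x509, &sc->certs_x509_num, &data, GNUTLS_X509_FMT_PEM, 0)` call passes flags 0, and as I read the gnutls API that means a PEM file with more than MAX_CHAIN_SIZE certificates is imported only up to the array capacity rather than rejected, so an over-long chain silently loses its tail and the server sends an incomplete chain with no startup error. Passing `GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED` as the flags argument turns that into the `ret < 0` path that already produces a clear "Failed to Import Certificate" message; please confirm against the gnutls version the module targets. It would also help to note in a comment above the call that `certs_x509_num` is an in/out parameter, preset to the capacity and overwritten with the count actually read. The enclosing directive handler starts and ends outside the hunk.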
src/gnutls_hooks.c
ra4839ae r2a2272d 58 58 apr_pool_t * plog, apr_pool_t * ptemp) 59 59 { 60 int ret; 60 61 61 62 #if APR_HAS_THREADS … … 68 69 #endif 69 70 70 gnutls_global_init(); 71 71 ret = gnutls_global_init(); 72 if (ret < 0) /* FIXME: can we print here? */ 73 exit(ret); 74 72 75 apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config, 73 76 apr_pool_cleanup_null); … … 131 134 return ret; 132 135 133 /* allow separate caches per virtual host. Actually allowing the same is a134 * bad idea, since they might have different security requirements.135 */136 mgs_cache_session_init(ctxt);137 136 138 137 return 0; … … 146 145 147 146 ret->type = GNUTLS_CRT_X509; 148 ret->ncerts = 1;147 ret->ncerts = ctxt->sc->certs_x509_num; 149 148 ret->deinit_all = 0; 150 149 151 ret->cert.x509 = &ctxt->sc->cert_x509;150 ret->cert.x509 = ctxt->sc->certs_x509; 152 151 ret->key.x509 = ctxt->sc->privkey_x509; 153 152 return 0; … … 332 331 } 333 332 334 if (sc->cert _x509== NULL333 if (sc->certs_x509[0] == NULL 335 334 && sc->enabled == GNUTLS_ENABLED_TRUE) { 336 335 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, … … 351 350 352 351 if (sc->enabled == GNUTLS_ENABLED_TRUE) { 353 rv = read_crt_cn(s, p, sc->cert _x509, &sc->cert_cn);352 rv = read_crt_cn(s, p, sc->certs_x509[0], &sc->cert_cn); 354 353 if (rv < 0) { 355 354 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, … … 589 588 mgs_select_virtual_server_cb); 590 589 590 mgs_cache_session_init(ctxt); 591 591 592 return ctxt; 592 593 } … … 684 685 apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp)); 685 686 686 mgs_add_common_cert_vars(r, ctxt->sc->cert _x509, 0,687 mgs_add_common_cert_vars(r, ctxt->sc->certs_x509[0], 0, 687 688 ctxt->sc->export_certificates_enabled); 688 689
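Review bot: `exit(ret)` after a failed `gnutls_global_init()` in the pre_config hook kills the process with a negative status and no message, as the FIXME on the same line admits. The hook returns an int and httpd aborts startup on any non-OK return, and `ap_log_perror()` logs without a server_rec using the `ptemp` pool that is already a parameter here, so `ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, ptemp, "GnuTLS: gnutls_global_init failed: (%d) %s", ret, gnutls_strerror(ret)); return HTTP_INTERNAL_SERVER_ERROR;` gives the administrator a reason and lets the core shut down cleanly. The hook's body continues outside the hunk, so I could not check what else runs before the return.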