Changeset 2a2272d in mod_gnutls

Timestamp:

Jan 11, 2013, 12:56:01 AM (9 years ago)

Author:

Daniel Kahn Gillmor <dkg@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, upstream

Children:

dc1e7e6, e86847d

Parents:

a4839ae

Message:

Imported Upstream version 0.4.2

Files:

• Makefile.am (modified) (1 diff)
• NEWS (modified) (1 diff)
• README (modified) (3 diffs)
• configure (modified) (10 diffs)
• configure.ac (modified) (2 diffs)
• include/mod_gnutls.h.in (modified) (2 diffs)
• src/gnutls_cache.c (modified) (10 diffs)
• src/gnutls_config.c (modified) (5 diffs)
• src/gnutls_hooks.c (modified) (8 diffs)

Makefile.am

@@ -8 +8 @@
                 NOTICE LICENSE autogen.sh
 
-SUBDIRS = src data
+SUBDIRS = src
 ACLOCAL_AMFLAGS = -I m4

NEWS

@@ +1 @@
+** Version 0.4.2 (2007-12-10)
+
+- Added support for sending a certificate chain.
+
+- Corrected bug which did not allow the TLS session cache to be used.
+
+- Do not allow resuming sessions on different servers.
+
 ** Version 0.4.1 (2007-12-03)
 

README

@@ -12 +12 @@
 
 Lines of Code in mod_ssl: 15,324
-Lines of Code in mod_gnutls: 1,886
+Lines of Code in mod_gnutls: 3,594
 
 Because of writing mod_gnutls, I now understand how input and output filters work, 
@@ -64 +64 @@
 # a more advanced configuration
 GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
-GnuTLSCacheTimeout 500
-GnuTLSProtocols TLS1.1 TLS1.0 SSL3.0
+GnuTLSCacheTimeout 600
 NameVirtualHost 1.2.3.4:443
 
@@ -71 +70 @@
         Servername server.com:443
         GnuTLSEnable on
-        GnuTLSCiphers AES-128-CBC 3DES-CBC ARCFOUR-128
-        GnuTLSKeyExchangeAlgorithms RSA DHE-RSA DHE-DSS SRP SRP-RSA SRP-DSS
-        GnuTLSMACAlgorithms SHA1 MD5
-        GnuTLSCompressionMethods NULL
+        GnuTLSPriority NORMAL
 # To export exactly the same environment variables as mod_ssl to CGI scripts.
         GNUTLSExportCertificates on

configure

@@ -1 +1 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for mod_gnutls 0.4.1.
+# Generated by GNU Autoconf 2.61 for mod_gnutls 0.4.2.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -727 +727 @@
 PACKAGE_NAME='mod_gnutls'
 PACKAGE_TARNAME='mod_gnutls'
-PACKAGE_VERSION='0.4.1'
-PACKAGE_STRING='mod_gnutls 0.4.1'
+PACKAGE_VERSION='0.4.2'
+PACKAGE_STRING='mod_gnutls 0.4.2'
 PACKAGE_BUGREPORT=''
 
@@ -1426 +1426 @@
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures mod_gnutls 0.4.1 to adapt to many kinds of systems.
+\`configure' configures mod_gnutls 0.4.2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1497 +1497 @@
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of mod_gnutls 0.4.1:";;
+     short | recursive ) echo "Configuration of mod_gnutls 0.4.2:";;
    esac
   cat <<\_ACEOF
@@ -1607 +1607 @@
 if $ac_init_version; then
   cat <<\_ACEOF
-mod_gnutls configure 0.4.1
+mod_gnutls configure 0.4.2
 generated by GNU Autoconf 2.61
 
@@ -1621 +1621 @@
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by mod_gnutls $as_me 0.4.1, which was
+It was created by mod_gnutls $as_me 0.4.2, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
@@ -1992 +1992 @@
   chmod +x config.nice
 
-MOD_GNUTLS_VERSION=0.4.1
+MOD_GNUTLS_VERSION=0.4.2
 
 
@@ -2493 +2493 @@
 # Define the identity of the package.
  PACKAGE=mod_gnutls
- VERSION=0.4.1
+ VERSION=0.4.2
 
 
@@ -21396 +21396 @@
 # values after options handling.
 ac_log="
-This file was extended by mod_gnutls $as_me 0.4.1, which was
+This file was extended by mod_gnutls $as_me 0.4.2, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
@@ -21449 +21449 @@
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-mod_gnutls config.status 0.4.1
+mod_gnutls config.status 0.4.2
 configured by $0, generated by GNU Autoconf 2.61,
   with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"

configure.ac

@@ -1 +1 @@
 dnl 
-AC_INIT(mod_gnutls, 0.4.1)
+AC_INIT(mod_gnutls, 0.4.2)
 OOO_CONFIG_NICE(config.nice)
 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
@@ -44 +44 @@
 AC_SUBST(MODULE_LIBS)
 
-AC_CONFIG_FILES([Makefile src/Makefile include/mod_gnutls.h data/Makefile])
+AC_CONFIG_FILES([Makefile src/Makefile include/mod_gnutls.h])
 AC_OUTPUT
 

include/mod_gnutls.h.in

@@ -81 +81 @@
  */
 #define MAX_CA_CRTS 128
-#define MAX_CIPHERS 16
+
+/* The maximum number of certificates to send in a chain
+ */
+#define MAX_CHAIN_SIZE 8
 
 typedef struct
@@ -89 +92 @@
     gnutls_anon_server_credentials_t anon_creds;
     char* cert_cn;
-    gnutls_x509_crt_t cert_x509;
+    gnutls_x509_crt_t certs_x509[MAX_CHAIN_SIZE]; /* A certificate chain */
+    unsigned int certs_x509_num;
     gnutls_x509_privkey_t privkey_x509;
     int enabled;

src/gnutls_cache.c

@@ -35 +35 @@
 
 #define MC_TAG "mod_gnutls:"
-#define MC_TAG_LEN \
-    (sizeof(MC_TAG))
+#define MC_TAG_LEN sizeof(MC_TAG)
 #define STR_SESSION_LEN (GNUTLS_SESSION_ID_STRING_LEN + MC_TAG_LEN)
 
-#if 0
-static char *gnutls_session_id2sz(unsigned char *id, int idlen,
+char *mgs_session_id2sz(unsigned char *id, int idlen,
                                char *str, int strsize)
 {
     char *cp;
     int n;
- 
-    cp = apr_cpystrn(str, MC_TAG, MC_TAG_LEN);
+
+    cp = str; 
     for (n = 0; n < idlen && n < GNUTLS_MAX_SESSION_ID; n++) {
         apr_snprintf(cp, strsize - (cp-str), "%02X", id[n]);
@@ -54 +52 @@
     return str;
 }
-#endif
+
+
+/* Name the Session ID as:
+ * server:port.SessionID
+ * to disallow resuming sessions on different servers
+ */
+static int mgs_session_id2dbm(conn_rec* c, unsigned char *id, int idlen,
+                               apr_datum_t* dbmkey)
+{
+char buf[STR_SESSION_LEN];
+char *sz;
+    
+    sz = mgs_session_id2sz(id, idlen, buf, sizeof(buf));
+    if (sz == NULL)
+      return -1;
+      
+    dbmkey->dptr = apr_psprintf(c->pool, "%s:%d.%s", c->base_server->server_hostname, c->base_server->port, sz);
+    dbmkey->dsize = strlen( dbmkey->dptr);
+    
+    return 0;
+}
 
 #define CTIME "%b %d %k:%M:%S %Y %Z"
@@ -71 +89 @@
 }
 
-char *mgs_session_id2sz(unsigned char *id, int idlen,
-                               char *str, int strsize)
-{
-    char *cp;
-    int n;
-    
-    cp = str;
-    for (n = 0; n < idlen && n < GNUTLS_MAX_SESSION_ID; n++) {
-        apr_snprintf(cp, strsize - (cp-str), "%02X", id[n]);
-        cp += 2;
-    }
-    *cp = '\0';
-    return str;
-}
-
-
 #if HAVE_APR_MEMCACHE
+/* Name the Session ID as:
+ * server:port.SessionID
+ * to disallow resuming sessions on different servers
+ */
+static char* mgs_session_id2mc(conn_rec* c, unsigned char *id, int idlen)
+{
+char buf[STR_SESSION_LEN];
+char *sz;
+    
+    sz = mgs_session_id2sz(id, idlen, buf, sizeof(buf));
+    if (sz == NULL)
+      return NULL;
+      
+    return apr_psprintf(c->pool, MC_TAG"%s:%d.%s", c->base_server->server_hostname, c->base_server->port, sz);
+}
 
 /**
@@ -185 +202 @@
     apr_status_t rv = APR_SUCCESS;
     mgs_handle_t *ctxt = baton;
-    char buf[STR_SESSION_LEN];
     char* strkey = NULL;
     apr_uint32_t timeout;
 
-    strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf));
+    strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
     if(!strkey)
         return -1;
@@ -212 +228 @@
     apr_status_t rv = APR_SUCCESS;
     mgs_handle_t *ctxt = baton;
-    char buf[STR_SESSION_LEN];
     char* strkey = NULL;
     char* value;
@@ -218 +233 @@
     gnutls_datum_t data = { NULL, 0 };
 
-    strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf));
+    strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
     if (!strkey) {
         return data;
@@ -253 +268 @@
     apr_status_t rv = APR_SUCCESS;
     mgs_handle_t *ctxt = baton;
-    char buf[STR_SESSION_LEN];
     char* strkey = NULL;
 
-    strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf));
+    strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
     if(!strkey)
         return -1;
@@ -367 +381 @@
     apr_status_t rv;
 
-    dbmkey.dptr  = (void*)key.data;
-    dbmkey.dsize = key.size;
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
+        return data;
 
     rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
@@ -414 +428 @@
     apr_status_t rv;
     apr_time_t expiry;
-    
-    dbmkey.dptr  = (char *)key.data;
-    dbmkey.dsize = key.size;
+
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
+        return -1;
 
     /* create DBM value */
@@ -468 +482 @@
     mgs_handle_t *ctxt = baton;
     apr_status_t rv;
-    
-    dbmkey.dptr  = (char *)key.data;
-    dbmkey.dsize = key.size;
+
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
+        return -1;
 
     rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,

src/gnutls_config.c

@@ -73 +73 @@
     }
 
-    gnutls_dh_params_init(&sc->dh_params);
+    ret = gnutls_dh_params_init(&sc->dh_params);
+    if (ret < 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize"
+                            ": (%d) %s", ret, gnutls_strerror(ret));
+    }
+
     ret =
         gnutls_dh_params_import_pkcs3(sc->dh_params, &data, GNUTLS_X509_FMT_PEM);
-    if (ret != 0) {
+    if (ret < 0) {
         return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
                             "DH params '%s': (%d) %s", file, ret,
@@ -108 +113 @@
     }
 
-    gnutls_rsa_params_init(&sc->rsa_params);
+    ret = gnutls_rsa_params_init(&sc->rsa_params);
+    if (ret < 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize"
+                            ": (%d) %s", ret, gnutls_strerror(ret));
+    }
+
     ret =
         gnutls_rsa_params_import_pkcs1(sc->rsa_params, &data, GNUTLS_X509_FMT_PEM);
@@ -142 +152 @@
     }
 
-    gnutls_x509_crt_init(&sc->cert_x509);
+    sc->certs_x509_num = MAX_CHAIN_SIZE;
     ret =
-        gnutls_x509_crt_import(sc->cert_x509, &data, GNUTLS_X509_FMT_PEM);
-    if (ret != 0) {
+        gnutls_x509_crt_list_import(sc->certs_x509, &sc->certs_x509_num, &data, GNUTLS_X509_FMT_PEM, 0);
+    if (ret < 0) {
         return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
                             "Certificate '%s': (%d) %s", file, ret,
@@ -175 +185 @@
     }
 
-    gnutls_x509_privkey_init(&sc->privkey_x509);
+    ret = gnutls_x509_privkey_init(&sc->privkey_x509);
+    if (ret < 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize"
+                            ": (%d) %s", ret, gnutls_strerror(ret));
+    }
+
     ret =
         gnutls_x509_privkey_import(sc->privkey_x509, &data,
@@ -396 +411 @@
 {
     mgs_srvconf_rec *sc = apr_pcalloc(p, sizeof(*sc));
-
+    int ret;
+    
     sc->enabled = GNUTLS_ENABLED_FALSE;
 
-    gnutls_certificate_allocate_credentials(&sc->certs);
-    gnutls_anon_allocate_server_credentials(&sc->anon_creds);
-    gnutls_srp_allocate_server_credentials(&sc->srp_creds);
+    ret = gnutls_certificate_allocate_credentials(&sc->certs);
+    if (ret < 0) {
+        return apr_psprintf(p, "GnuTLS: Failed to initialize"
+                            ": (%d) %s", ret, gnutls_strerror(ret));
+    }
+
+    ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds);
+    if (ret < 0) {
+        return apr_psprintf(p, "GnuTLS: Failed to initialize"
+                            ": (%d) %s", ret, gnutls_strerror(ret));
+    }
+
+    ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds);
+    if (ret < 0) {
+        return apr_psprintf(p, "GnuTLS: Failed to initialize"
+                            ": (%d) %s", ret, gnutls_strerror(ret));
+    }
 
     sc->srp_tpasswd_conf_file = NULL;
     sc->srp_tpasswd_file = NULL;
     sc->privkey_x509 = NULL;
-    sc->cert_x509 = NULL;
+    memset( sc->certs_x509, 0, sizeof(sc->certs_x509));
+    sc->certs_x509_num = 0;
     sc->cache_timeout = apr_time_from_sec(300);
     sc->cache_type = mgs_cache_dbm;

src/gnutls_hooks.c

@@ -58 +58 @@
                     apr_pool_t * plog, apr_pool_t * ptemp)
 {
+int ret;
 
 #if APR_HAS_THREADS
@@ -68 +69 @@
 #endif
 
-    gnutls_global_init();
-
+    ret = gnutls_global_init();
+    if (ret < 0) /* FIXME: can we print here? */
+        exit(ret);
+                                            
     apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config,
                               apr_pool_cleanup_null);
@@ -131 +134 @@
         return ret;
 
-    /* allow separate caches per virtual host. Actually allowing the same is a
-     * bad idea, since they might have different security requirements.
-     */
-    mgs_cache_session_init(ctxt);
 
     return 0;
@@ -146 +145 @@
 
     ret->type = GNUTLS_CRT_X509;
-    ret->ncerts = 1;
+    ret->ncerts = ctxt->sc->certs_x509_num;
     ret->deinit_all = 0;
 
-    ret->cert.x509 = &ctxt->sc->cert_x509;
+    ret->cert.x509 = ctxt->sc->certs_x509;
     ret->key.x509 = ctxt->sc->privkey_x509;
     return 0;
@@ -332 +331 @@
             }
 
-            if (sc->cert_x509 == NULL
+            if (sc->certs_x509[0] == NULL
                 && sc->enabled == GNUTLS_ENABLED_TRUE) {
                 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
@@ -351 +350 @@
 
             if (sc->enabled == GNUTLS_ENABLED_TRUE) {
-                rv = read_crt_cn(s, p, sc->cert_x509, &sc->cert_cn);
+                rv = read_crt_cn(s, p, sc->certs_x509[0], &sc->cert_cn);
                 if (rv < 0) {
                     ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
@@ -589 +588 @@
                                                     mgs_select_virtual_server_cb);
 
+    mgs_cache_session_init(ctxt);
+
     return ctxt;
 }
@@ -684 +685 @@
     apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp));
 
-    mgs_add_common_cert_vars(r, ctxt->sc->cert_x509, 0,
+    mgs_add_common_cert_vars(r, ctxt->sc->certs_x509[0], 0,
                              ctxt->sc->export_certificates_enabled);