Changeset 2a2272d in mod_gnutls for src

Timestamp:

Jan 11, 2013, 12:56:01 AM (8 years ago)

Author:

Daniel Kahn Gillmor <dkg@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, upstream

Children:

dc1e7e6, e86847d

Parents:

a4839ae

Message:

Imported Upstream version 0.4.2

Location:

src

Files:

• gnutls_cache.c (modified) (10 diffs)
• gnutls_config.c (modified) (5 diffs)
• gnutls_hooks.c (modified) (8 diffs)

src/gnutls_cache.c

@@ -35 +35 @@
 
 #define MC_TAG "mod_gnutls:"
-#define MC_TAG_LEN \
-    (sizeof(MC_TAG))
+#define MC_TAG_LEN sizeof(MC_TAG)
 #define STR_SESSION_LEN (GNUTLS_SESSION_ID_STRING_LEN + MC_TAG_LEN)
 
-#if 0
-static char *gnutls_session_id2sz(unsigned char *id, int idlen,
+char *mgs_session_id2sz(unsigned char *id, int idlen,
                                char *str, int strsize)
 {
     char *cp;
     int n;
- 
-    cp = apr_cpystrn(str, MC_TAG, MC_TAG_LEN);
+
+    cp = str; 
     for (n = 0; n < idlen && n < GNUTLS_MAX_SESSION_ID; n++) {
         apr_snprintf(cp, strsize - (cp-str), "%02X", id[n]);
@@ -54 +52 @@
     return str;
 }
-#endif
+
+
+/* Name the Session ID as:
+ * server:port.SessionID
+ * to disallow resuming sessions on different servers
+ */
+static int mgs_session_id2dbm(conn_rec* c, unsigned char *id, int idlen,
+                               apr_datum_t* dbmkey)
+{
+char buf[STR_SESSION_LEN];
+char *sz;
+    
+    sz = mgs_session_id2sz(id, idlen, buf, sizeof(buf));
+    if (sz == NULL)
+      return -1;
+      
+    dbmkey->dptr = apr_psprintf(c->pool, "%s:%d.%s", c->base_server->server_hostname, c->base_server->port, sz);
+    dbmkey->dsize = strlen( dbmkey->dptr);
+    
+    return 0;
+}
 
 #define CTIME "%b %d %k:%M:%S %Y %Z"
@@ -71 +89 @@
 }
 
-char *mgs_session_id2sz(unsigned char *id, int idlen,
-                               char *str, int strsize)
-{
-    char *cp;
-    int n;
-    
-    cp = str;
-    for (n = 0; n < idlen && n < GNUTLS_MAX_SESSION_ID; n++) {
-        apr_snprintf(cp, strsize - (cp-str), "%02X", id[n]);
-        cp += 2;
-    }
-    *cp = '\0';
-    return str;
-}
-
-
 #if HAVE_APR_MEMCACHE
+/* Name the Session ID as:
+ * server:port.SessionID
+ * to disallow resuming sessions on different servers
+ */
+static char* mgs_session_id2mc(conn_rec* c, unsigned char *id, int idlen)
+{
+char buf[STR_SESSION_LEN];
+char *sz;
+    
+    sz = mgs_session_id2sz(id, idlen, buf, sizeof(buf));
+    if (sz == NULL)
+      return NULL;
+      
+    return apr_psprintf(c->pool, MC_TAG"%s:%d.%s", c->base_server->server_hostname, c->base_server->port, sz);
+}
 
 /**
@@ -185 +202 @@
     apr_status_t rv = APR_SUCCESS;
     mgs_handle_t *ctxt = baton;
-    char buf[STR_SESSION_LEN];
     char* strkey = NULL;
     apr_uint32_t timeout;
 
-    strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf));
+    strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
     if(!strkey)
         return -1;
@@ -212 +228 @@
     apr_status_t rv = APR_SUCCESS;
     mgs_handle_t *ctxt = baton;
-    char buf[STR_SESSION_LEN];
     char* strkey = NULL;
     char* value;
@@ -218 +233 @@
     gnutls_datum_t data = { NULL, 0 };
 
-    strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf));
+    strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
     if (!strkey) {
         return data;
@@ -253 +268 @@
     apr_status_t rv = APR_SUCCESS;
     mgs_handle_t *ctxt = baton;
-    char buf[STR_SESSION_LEN];
     char* strkey = NULL;
 
-    strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf));
+    strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
     if(!strkey)
         return -1;
@@ -367 +381 @@
     apr_status_t rv;
 
-    dbmkey.dptr  = (void*)key.data;
-    dbmkey.dsize = key.size;
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
+        return data;
 
     rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
@@ -414 +428 @@
     apr_status_t rv;
     apr_time_t expiry;
-    
-    dbmkey.dptr  = (char *)key.data;
-    dbmkey.dsize = key.size;
+
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
+        return -1;
 
     /* create DBM value */
@@ -468 +482 @@
     mgs_handle_t *ctxt = baton;
     apr_status_t rv;
-    
-    dbmkey.dptr  = (char *)key.data;
-    dbmkey.dsize = key.size;
+
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
+        return -1;
 
     rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,

src/gnutls_config.c

@@ -73 +73 @@
     }
 
-    gnutls_dh_params_init(&sc->dh_params);
+    ret = gnutls_dh_params_init(&sc->dh_params);
+    if (ret < 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize"
+                            ": (%d) %s", ret, gnutls_strerror(ret));
+    }
+
     ret =
         gnutls_dh_params_import_pkcs3(sc->dh_params, &data, GNUTLS_X509_FMT_PEM);
-    if (ret != 0) {
+    if (ret < 0) {
         return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
                             "DH params '%s': (%d) %s", file, ret,
@@ -108 +113 @@
     }
 
-    gnutls_rsa_params_init(&sc->rsa_params);
+    ret = gnutls_rsa_params_init(&sc->rsa_params);
+    if (ret < 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize"
+                            ": (%d) %s", ret, gnutls_strerror(ret));
+    }
+
     ret =
         gnutls_rsa_params_import_pkcs1(sc->rsa_params, &data, GNUTLS_X509_FMT_PEM);
@@ -142 +152 @@
     }
 
-    gnutls_x509_crt_init(&sc->cert_x509);
+    sc->certs_x509_num = MAX_CHAIN_SIZE;
     ret =
-        gnutls_x509_crt_import(sc->cert_x509, &data, GNUTLS_X509_FMT_PEM);
-    if (ret != 0) {
+        gnutls_x509_crt_list_import(sc->certs_x509, &sc->certs_x509_num, &data, GNUTLS_X509_FMT_PEM, 0);
+    if (ret < 0) {
         return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
                             "Certificate '%s': (%d) %s", file, ret,
@@ -175 +185 @@
     }
 
-    gnutls_x509_privkey_init(&sc->privkey_x509);
+    ret = gnutls_x509_privkey_init(&sc->privkey_x509);
+    if (ret < 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize"
+                            ": (%d) %s", ret, gnutls_strerror(ret));
+    }
+
     ret =
         gnutls_x509_privkey_import(sc->privkey_x509, &data,
@@ -396 +411 @@
 {
     mgs_srvconf_rec *sc = apr_pcalloc(p, sizeof(*sc));
-
+    int ret;
+    
     sc->enabled = GNUTLS_ENABLED_FALSE;
 
-    gnutls_certificate_allocate_credentials(&sc->certs);
-    gnutls_anon_allocate_server_credentials(&sc->anon_creds);
-    gnutls_srp_allocate_server_credentials(&sc->srp_creds);
+    ret = gnutls_certificate_allocate_credentials(&sc->certs);
+    if (ret < 0) {
+        return apr_psprintf(p, "GnuTLS: Failed to initialize"
+                            ": (%d) %s", ret, gnutls_strerror(ret));
+    }
+
+    ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds);
+    if (ret < 0) {
+        return apr_psprintf(p, "GnuTLS: Failed to initialize"
+                            ": (%d) %s", ret, gnutls_strerror(ret));
+    }
+
+    ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds);
+    if (ret < 0) {
+        return apr_psprintf(p, "GnuTLS: Failed to initialize"
+                            ": (%d) %s", ret, gnutls_strerror(ret));
+    }
 
     sc->srp_tpasswd_conf_file = NULL;
     sc->srp_tpasswd_file = NULL;
     sc->privkey_x509 = NULL;
-    sc->cert_x509 = NULL;
+    memset( sc->certs_x509, 0, sizeof(sc->certs_x509));
+    sc->certs_x509_num = 0;
     sc->cache_timeout = apr_time_from_sec(300);
     sc->cache_type = mgs_cache_dbm;

src/gnutls_hooks.c

@@ -58 +58 @@
                     apr_pool_t * plog, apr_pool_t * ptemp)
 {
+int ret;
 
 #if APR_HAS_THREADS
@@ -68 +69 @@
 #endif
 
-    gnutls_global_init();
-
+    ret = gnutls_global_init();
+    if (ret < 0) /* FIXME: can we print here? */
+        exit(ret);
+                                            
     apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config,
                               apr_pool_cleanup_null);
@@ -131 +134 @@
         return ret;
 
-    /* allow separate caches per virtual host. Actually allowing the same is a
-     * bad idea, since they might have different security requirements.
-     */
-    mgs_cache_session_init(ctxt);
 
     return 0;
@@ -146 +145 @@
 
     ret->type = GNUTLS_CRT_X509;
-    ret->ncerts = 1;
+    ret->ncerts = ctxt->sc->certs_x509_num;
     ret->deinit_all = 0;
 
-    ret->cert.x509 = &ctxt->sc->cert_x509;
+    ret->cert.x509 = ctxt->sc->certs_x509;
     ret->key.x509 = ctxt->sc->privkey_x509;
     return 0;
@@ -332 +331 @@
             }
 
-            if (sc->cert_x509 == NULL
+            if (sc->certs_x509[0] == NULL
                 && sc->enabled == GNUTLS_ENABLED_TRUE) {
                 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
@@ -351 +350 @@
 
             if (sc->enabled == GNUTLS_ENABLED_TRUE) {
-                rv = read_crt_cn(s, p, sc->cert_x509, &sc->cert_cn);
+                rv = read_crt_cn(s, p, sc->certs_x509[0], &sc->cert_cn);
                 if (rv < 0) {
                     ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
@@ -589 +588 @@
                                                     mgs_select_virtual_server_cb);
 
+    mgs_cache_session_init(ctxt);
+
     return ctxt;
 }
@@ -684 +685 @@
     apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp));
 
-    mgs_add_common_cert_vars(r, ctxt->sc->cert_x509, 0,
+    mgs_add_common_cert_vars(r, ctxt->sc->certs_x509[0], 0,
                              ctxt->sc->export_certificates_enabled);