Changeset ae015fa in mod_gnutls


Timestamp:
Jan 11, 2013, 12:58:03 AM (6 years ago)
Author:
Daniel Kahn Gillmor <dkg@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports
Children:
9c4a744
Parents:
e03f404 (diff), bbb9bb1 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
Message:

Merge tag 'upstream/0.5.7'

Upstream version 0.5.7

Files:
8 edited

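--- a/NEWS
+++ b/NEWS
@@ -1,2 +1,18 @@
+** Version 0.5.7 (2010-07-01)
+- Force usage of SDBM. For some reason the default in
+  my system had issues after reaching a limit of entries.
+  SDBM seems stable so force it.
+
+- Optimizations in session caching.
+
+- Added support for session tickets. This allows a
+  server to avoid using a session cache and still support
+  session resumption. This is at the cost of transporting
+  session data during handshake. New option
+  GnuTLSSessionTickets [on|off]
+
+- Depend on gnutls 2.10.0 to force support for safe
+  renegotiation.
+
 ** Version 0.5.6 (2010-03-24)
 - Corrected issue with firefox and long POST data (by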
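--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.64 for mod_gnutls 0.5.6.
+# Generated by GNU Autoconf 2.64 for mod_gnutls 0.5.7.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -696,6 +696,6 @@
 PACKAGE_NAME='mod_gnutls'
 PACKAGE_TARNAME='mod_gnutls'
-PACKAGE_VERSION='0.5.6'
-PACKAGE_STRING='mod_gnutls 0.5.6'
+PACKAGE_VERSION='0.5.7'
+PACKAGE_STRING='mod_gnutls 0.5.7'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
@@ -1462,5 +1462,5 @@
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures mod_gnutls 0.5.6 to adapt to many kinds of systems.
+\`configure' configures mod_gnutls 0.5.7 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1533,5 +1533,5 @@
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of mod_gnutls 0.5.6:";;
+     short | recursive ) echo "Configuration of mod_gnutls 0.5.7:";;
    esac
   cat <<\_ACEOF
@@ -1646,5 +1646,5 @@
 if $ac_init_version; then
   cat <<\_ACEOF
-mod_gnutls configure 0.5.6
+mod_gnutls configure 0.5.7
 generated by GNU Autoconf 2.64
 
@@ -1963,5 +1963,5 @@
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by mod_gnutls $as_me 0.5.6, which was
+It was created by mod_gnutls $as_me 0.5.7, which was
 generated by GNU Autoconf 2.64.  Invocation command line was
 
@@ -2328,5 +2328,5 @@
   chmod +x config.nice
 
-MOD_GNUTLS_VERSION=0.5.6
+MOD_GNUTLS_VERSION=0.5.7
 
 
@@ -2938,5 +2938,5 @@
 # Define the identity of the package.
  PACKAGE=mod_gnutls
- VERSION=0.5.6
+ VERSION=0.5.7
 
 
@@ -10949,5 +10949,5 @@
 
 
-MIN_TLS_VERSION=2.4.0
+MIN_TLS_VERSION=2.10.0
 
 # Check whether --with-libgnutls-prefix was given.
@@ -11888,5 +11888,5 @@
 # values after options handling.
 ac_log="
-This file was extended by mod_gnutls $as_me 0.5.6, which was
+This file was extended by mod_gnutls $as_me 0.5.7, which was
 generated by GNU Autoconf 2.64.  Invocation command line was
 
@@ -11952,5 +11952,5 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_version="\\
-mod_gnutls config.status 0.5.6
+mod_gnutls config.status 0.5.7
 configured by $0, generated by GNU Autoconf 2.64,
   with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"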
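--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
 dnl
-AC_INIT(mod_gnutls, 0.5.6)
+AC_INIT(mod_gnutls, 0.5.7)
 OOO_CONFIG_NICE(config.nice)
 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
@@ -29,5 +29,6 @@
 dnl AC_SUBST(LIBTOOL)
 
-MIN_TLS_VERSION=2.4.0
+dnl Depend on 2.10.0 due to safe renegotiation addition.
+MIN_TLS_VERSION=2.10.0
 AM_PATH_LIBGNUTLS($MIN_TLS_VERSION,,
         AC_MSG_ERROR([[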
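--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -28,5 +28,4 @@
 #include "ap_release.h"
 
-#include <gcrypt.h>
 #include <gnutls/gnutls.h>
 #include <gnutls/extra.h>
@@ -110,4 +109,6 @@
     unsigned int ca_list_size;
     int client_verify_mode;
+    apr_time_t last_cache_check;
+    int tickets; /* whether session tickets are allowed */
 } mgs_srvconf_rec;
 
@@ -281,4 +282,6 @@
 const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
                             const char *arg);
+const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
+                            const char *arg);
                            
 const char *mgs_set_require_section(cmd_parms *cmd,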
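Review bot: `last_cache_check` (new line 111 of mgs_srvconf_rec) is runtime state that src/gnutls_cache.c rewrites from dbm_cache_expire on the store path, not a value set by a directive, yet it sits among the configuration fields with no comment while the neighbouring `tickets` field has one. Since the server config record is presumably shared by every worker thread of a threaded MPM and the field is updated without a lock, a comment such as `apr_time_t last_cache_check; /* runtime: time of the last expiry sweep; updated unlocked from connection handlers */` would stop a later reader from treating it as a static setting or as an exact timestamp.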
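--- a/src/gnutls_cache.c
+++ b/src/gnutls_cache.c
@@ -34,4 +34,7 @@
 #endif
 
+/* it seems the default has some strange errors. Use SDBM
+ */
+#define ODB "SDBM"
 
 #define MC_TAG "mod_gnutls:"
@@ -296,22 +299,28 @@
 #define SSL_DBM_FILE_MODE ( APR_UREAD | APR_UWRITE | APR_GREAD | APR_WREAD )
 
-static int dbm_cache_expire(mgs_handle_t *ctxt)
+static void dbm_cache_expire(mgs_handle_t *ctxt)
 {
     apr_status_t rv;
     apr_dbm_t *dbm;
-    apr_datum_t *keylist;
     apr_datum_t dbmkey;
     apr_datum_t dbmval;
-    apr_time_t ex;
+    apr_time_t now;
     apr_time_t dtime;
     apr_pool_t* spool;
-    int i = 0;
-    int keyidx = 0;
-    int should_delete = 0;
+    int total, deleted;
+
+    now = apr_time_now();
+   
+    if (now - ctxt->sc->last_cache_check < (ctxt->sc->cache_timeout)/2)
+        return;
+
+    ctxt->sc->last_cache_check = now;
 
     apr_pool_create(&spool, ctxt->c->pool);
-    ex = apr_time_now();
-   
-    rv = apr_dbm_open(&dbm, ctxt->sc->cache_config, APR_DBM_READONLY,
+
+    total = 0;
+    deleted = 0;
+
+    rv = apr_dbm_open_ex(&dbm, ODB, ctxt->sc->cache_config, APR_DBM_RWCREATE,
                       SSL_DBM_FILE_MODE, spool);
     if (rv != APR_SUCCESS) {
@@ -320,60 +329,36 @@
                      "[gnutls_cache] error opening cache searcher '%s'",
                      ctxt->sc->cache_config);
-        return -1;
-    }
-
-#define KEYMAX 128
-
-    keylist = apr_palloc(spool, sizeof(dbmkey)*KEYMAX);
+        apr_pool_destroy(spool);
+        return;
+    }
 
     apr_dbm_firstkey(dbm, &dbmkey);
     while (dbmkey.dptr != NULL) {
         apr_dbm_fetch(dbm, dbmkey, &dbmval);
-        if (dbmval.dptr != NULL) {
-            if (dbmval.dsize >= sizeof(apr_time_t)) {
+        if (dbmval.dptr != NULL && dbmval.dsize >= sizeof(apr_time_t)) {
                 memcpy(&dtime, dbmval.dptr, sizeof(apr_time_t));
-                if (dtime < ex) {
-                    should_delete = 1;
+
+                if (now >= dtime) {
+                    apr_dbm_delete(dbm, dbmkey);
+                    deleted++;
                 }
-            }
-            else {
-                should_delete = 1;
-            }
-           
-            if (should_delete == 1) {
-                should_delete = 0;
-                keylist[keyidx].dptr = apr_palloc(spool, dbmkey.dsize) ;
-                memcpy(keylist[keyidx].dptr, dbmkey.dptr, dbmkey.dsize);
-                keylist[keyidx].dsize = dbmkey.dsize;
-                keyidx++;
-                if (keyidx == KEYMAX) {
-                    break;
-                }
-            }
-            apr_dbm_freedatum( dbm, dbmval);
-           
-        }
+                apr_dbm_freedatum( dbm, dbmval);
+        } else {
+            apr_dbm_delete(dbm, dbmkey);
+            deleted++;
+        }
+        total++;
         apr_dbm_nextkey(dbm, &dbmkey);
     }
     apr_dbm_close(dbm);
 
-    rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
-                  APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, spool);
-    if (rv != APR_SUCCESS) {
-        ap_log_error(APLOG_MARK, APLOG_NOTICE, rv,
-                 ctxt->c->base_server,
-                 "[gnutls_cache] error opening cache writer '%s'",
-                 ctxt->sc->cache_config);
-        return -1;
-    }
-
-    for (i = 0; i < keyidx; i++) {
-        apr_dbm_delete(dbm, keylist[i]);
-    }
-
-    apr_dbm_close(dbm);
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, rv,
+                     ctxt->c->base_server,
+                     "[gnutls_cache] Cleaned up cache '%s'. Deleted %d and left %d",
+                     ctxt->sc->cache_config, deleted, total-deleted);
+
     apr_pool_destroy(spool);
    
-    return 0;
+    return;
 }
 
@@ -390,6 +375,6 @@
         return data;
 
-    rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
-                      APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool);
+    rv = apr_dbm_open_ex(&dbm, ODB, ctxt->sc->cache_config,
+                      APR_DBM_READONLY, SSL_DBM_FILE_MODE, ctxt->c->pool);
     if (rv != APR_SUCCESS) {
         ap_log_error(APLOG_MARK, APLOG_NOTICE, rv,
@@ -439,11 +424,18 @@
     apr_status_t rv;
     apr_time_t expiry;
+    apr_pool_t* spool;
 
     if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
         return -1;
+
+    /* we expire dbm only on every store
+     */
+    dbm_cache_expire(ctxt);
+
+    apr_pool_create(&spool, ctxt->c->pool);
 
     /* create DBM value */
     dbmval.dsize = data.size + sizeof(apr_time_t);
-    dbmval.dptr  = (char *)malloc(dbmval.dsize);
+    dbmval.dptr  = (char *)apr_palloc(spool, dbmval.dsize);
 
     expiry = apr_time_now() + ctxt->sc->cache_timeout;
@@ -453,9 +445,5 @@
            data.data, data.size);
 
-    /* we expire dbm only on every store
-     */
-    dbm_cache_expire(ctxt);
-
-    rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
+    rv = apr_dbm_open_ex(&dbm, ODB, ctxt->sc->cache_config,
                       APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool);
     if (rv != APR_SUCCESS) {
@@ -464,5 +452,5 @@
                      "[gnutls_cache] error opening cache '%s'",
                      ctxt->sc->cache_config);
-        free(dbmval.dptr);       
+        apr_pool_destroy(spool);
         return -1;
     }
@@ -476,5 +464,5 @@
                      ctxt->sc->cache_config);
         apr_dbm_close(dbm);
-        free(dbmval.dptr);
+        apr_pool_destroy(spool);
         return -1;
     }
@@ -482,5 +470,5 @@
     apr_dbm_close(dbm);
 
-    free(dbmval.dptr);
+    apr_pool_destroy(spool);
    
     return 0;
@@ -497,5 +485,5 @@
         return -1;
 
-    rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
+    rv = apr_dbm_open_ex(&dbm, ODB, ctxt->sc->cache_config,
                       APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool);
     if (rv != APR_SUCCESS) {
@@ -531,5 +519,5 @@
     const char* path2;
 
-    rv = apr_dbm_open(&dbm, sc->cache_config, APR_DBM_RWCREATE,
+    rv = apr_dbm_open_ex(&dbm, ODB, sc->cache_config, APR_DBM_RWCREATE,
                       SSL_DBM_FILE_MODE, p);
 
@@ -543,10 +531,10 @@
     apr_dbm_close(dbm);
 
-    apr_dbm_get_usednames(p, sc->cache_config, &path1, &path2);
+    apr_dbm_get_usednames_ex(p, ODB, sc->cache_config, &path1, &path2);
 
     /* The Following Code takes logic directly from mod_ssl's DBM Cache */
 #if !defined(OS2) && !defined(WIN32) && !defined(BEOS) && !defined(NETWARE)
     /* Running as Root */
-    if (geteuid() == 0)  {
+    if (path1 && geteuid() == 0)  {
         chown(path1, ap_unixd_config.user_id, -1);
         if (path2 != NULL) {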
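Review bot: dbm_cache_expire now calls apr_dbm_delete on the key the cursor is positioned on (new lines 342 and 347) while walking the database with apr_dbm_firstkey/apr_dbm_nextkey, whereas the removed code collected the keys and deleted them in a second pass; apr_dbm gives no guarantee that the cursor survives a delete, and with a positional backend (I believe SDBM keeps an index into the current page) the following key can shift into the slot just consumed and be skipped until a later sweep. If that is acceptable, say so with a comment such as `/* deleting under the cursor may skip a neighbour on some backends; it is caught on the next sweep */`, otherwise restore the two-pass approach. Separately, the throttle on `ctxt->sc->last_cache_check` (new lines 314–317) reads and writes a field of the shared server config with no synchronization, so under a threaded MPM two connections can both pass the check and sweep concurrently; that is only duplicated work, but it is a data race and deserves a note at the field or the check. The trailing `return;` at new line 362 is redundant in a void function and can be dropped.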
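--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -286,4 +286,20 @@
 }
 
+const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
+                                     const char *arg)
+{
+    mgs_srvconf_rec *sc =
+        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
+                                                 module_config,
+                                                 &gnutls_module);
+
+    sc->tickets = 0;
+    if (strcasecmp("on", arg) == 0) {
+        sc->tickets = 1;
+    }
+
+    return NULL;
+}
+
 
 #ifdef ENABLE_SRP
@@ -328,7 +344,6 @@
     }
 
-    if (strcasecmp("none", type) == 0) {
-        sc->cache_type = mgs_cache_none;
-    } else if (strcasecmp("dbm", type) == 0) {
+    sc->cache_type = mgs_cache_none;
+    if (strcasecmp("dbm", type) == 0) {
         sc->cache_type = mgs_cache_dbm;
     }
@@ -590,5 +605,5 @@
     sc->certs_x509_num = 0;
     sc->cache_timeout = apr_time_from_sec(300);
-    sc->cache_type = mgs_cache_dbm;
+    sc->cache_type = mgs_cache_none;
     sc->cache_config = ap_server_root_relative(p, "conf/gnutls_cache");
 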
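Review bot: mgs_set_tickets (new lines 288–302) silently treats any argument other than "on" as off, so a value such as `GnuTLSSessionTickets yes` disables tickets without any diagnostic; directive handlers return an error string for bad input, e.g. `if (strcasecmp("on", arg) == 0) sc->tickets = 1; else if (strcasecmp("off", arg) != 0) return "GnuTLSSessionTickets: argument must be 'on' or 'off'";`. The reworked branch of mgs_set_cache (new lines 346–349) has the same shape: an unrecognised cache type now falls through to mgs_cache_none instead of being reported, and because the default cache type also changes to none (new line 607), an administrator who misspells `dbm` ends up with no session cache and no warning in the log. Returning an error string from both handlers keeps a configuration mistake from silently weakening the deployment.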
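--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -21,12 +21,15 @@
 #include "ap_mpm.h"
 
+#if APR_HAS_THREADS
+# if GNUTLS_VERSION_MAJOR <= 2 && GNUTLS_VERSION_MINOR < 11
+#include <gcrypt.h>
+GCRY_THREAD_OPTION_PTHREAD_IMPL;
+# endif
+#endif
+
 #if !USING_2_1_RECENT
 extern server_rec *ap_server_conf;
 #endif
 
-#if APR_HAS_THREADS
-GCRY_THREAD_OPTION_PTHREAD_IMPL;
-#endif
-
 #if MOD_GNUTLS_DEBUG
 static apr_file_t *debug_log_fp;
@@ -34,4 +37,5 @@
 
 static int mpm_is_threaded;
+static gnutls_datum session_ticket_key = { NULL, 0 };
 
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
@@ -46,4 +50,7 @@
 static apr_status_t mgs_cleanup_pre_config(void *data)
 {
+    gnutls_free(session_ticket_key.data);
+    session_ticket_key.data = NULL;
+    session_ticket_key.size = 0;
     gnutls_global_deinit();
     return APR_SUCCESS;
@@ -80,10 +87,13 @@
 #if APR_HAS_THREADS
     ap_mpm_query(AP_MPMQ_IS_THREADED, &mpm_is_threaded);
+#if (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR < 11) || GNUTLS_VERSION_MAJOR < 2
     if (mpm_is_threaded) {
         gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
     }
+#endif
 #else
     mpm_is_threaded = 0;
 #endif
+
 
     if (gnutls_check_version(LIBGNUTLS_VERSION)==NULL) {
@@ -97,4 +107,9 @@
         _gnutls_log(debug_log_fp, "gnutls_global_init: %s\n", gnutls_strerror(ret));
         return -3;
+    }
+   
+    ret = gnutls_session_ticket_key_generate( &session_ticket_key);
+    if (ret < 0) {
+        _gnutls_log(debug_log_fp, "gnutls_session_ticket_key_generate: %s\n", gnutls_strerror(ret));
     }
 
@@ -145,5 +160,5 @@
      * enabled on this virtual server. Note that here we ignore the version
      * negotiation.
-     */
+     */   
     ret = gnutls_priority_set(session, ctxt->sc->priorities);
     /* actually it shouldn't fail since we have checked at startup */
@@ -659,4 +674,6 @@
 
     gnutls_init(&ctxt->session, GNUTLS_SERVER);
+    if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0)
+        gnutls_session_ticket_enable_server(ctxt->session, &session_ticket_key);
 
     /* because we don't set any default priorities here (we set later at
@@ -1028,5 +1045,5 @@
     const gnutls_datum_t *cert_list;
     unsigned int cert_list_size, status, expired;
-    int rv, ret;
+    int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret;
     unsigned int ch_size = 0;
     union {
@@ -1057,5 +1074,5 @@
             "GnuTLS: A Chain of %d certificate(s) was provided for validation", cert_list_size);
 
-        for (ch_size =0; ch_size<cert_list_size; ch_size++) {
+        for (ch_size = 0; ch_size<cert_list_size; ch_size++) {
             gnutls_x509_crt_init(&cert.x509[ch_size]);
             rv = gnutls_x509_crt_import(cert.x509[ch_size], &cert_list[ch_size], GNUTLS_X509_FMT_DER);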
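Review bot: mgs_cleanup_pre_config (new lines 52–54) hands the session ticket key to gnutls_free without clearing it first, so the material that can decrypt every ticket issued since the key was generated is left behind in freed heap memory; wipe `session_ticket_key.data` over its `size` bytes before the free, bearing in mind that a plain memset immediately before free may be elided by the compiler, so use a volatile-qualified write loop or a platform secure-clear primitive. The key is also generated once during initialisation (new lines 111–113) and never rotated for the life of the process, which bounds the forward secrecy of resumed sessions and is worth a comment on the `session_ticket_key` definition at new line 39. The two gcrypt guards disagree as well: new line 24 uses `GNUTLS_VERSION_MAJOR <= 2 && GNUTLS_VERSION_MINOR < 11` while new line 89 uses `(GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR < 11) || GNUTLS_VERSION_MAJOR < 2`, so for a 1.x build with minor >= 11 the second would compile the gcry_control call without the header and thread implementation the first provides — use one expression for both. A failure of gnutls_session_ticket_key_generate only reaches _gnutls_log and leaves tickets silently disabled; the enclosing function continues outside the hunk, so I cannot tell whether the caller surfaces that in the error log.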
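--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -122,4 +122,8 @@
                   RSRC_CONF,
                   "Cache Configuration"),
+    AP_INIT_TAKE1("GnuTLSSessionTickets", mgs_set_tickets,
+                  NULL,
+                  RSRC_CONF,
+                  "Session Tickets Configuration"),
     AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities,
                   NULL,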
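Review bot: the help string for the new GnuTLSSessionTickets directive (new line 127) does not say what values it accepts, so the text httpd prints for the directive gives no hint that mgs_set_tickets only recognises `on`. `"Enable TLS session tickets for this server (on|off)"` documents the contract where administrators actually see it.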