Changeset ae015fa in mod_gnutls

Timestamp:

Jan 11, 2013, 12:58:03 AM (7 years ago)

Author:

Daniel Kahn Gillmor <dkg@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports

Children:

9c4a744

Parents:

e03f404 (diff), bbb9bb1 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

Message:

Merge tag 'upstream/0.5.7'

Upstream version 0.5.7

Files:

• NEWS (modified) (1 diff)
• configure (modified) (11 diffs)
• configure.ac (modified) (2 diffs)
• include/mod_gnutls.h.in (modified) (3 diffs)
• src/gnutls_cache.c (modified) (12 diffs)
• src/gnutls_config.c (modified) (3 diffs)
• src/gnutls_hooks.c (modified) (9 diffs)
• src/mod_gnutls.c (modified) (1 diff)

NEWS

@@ +1 @@
+** Version 0.5.7 (2010-07-01)
+- Force usage of SDBM. For some reason the default in
+  my system had issues after reaching a limit of entries.
+  SDBM seems stable so force it.
+
+- Optimizations in session caching.
+
+- Added support for session tickets. This allows a
+  server to avoid using a session cache and still support
+  session resumption. This is at the cost of transporting
+  session data during handshake. New option
+  GnuTLSSessionTickets [on|off]
+
+- Depend on gnutls 2.10.0 to force support for safe
+  renegotiation.
+
 ** Version 0.5.6 (2010-03-24)
 - Corrected issue with firefox and long POST data (by

configure

@@ -1 +1 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.64 for mod_gnutls 0.5.6.
+# Generated by GNU Autoconf 2.64 for mod_gnutls 0.5.7.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -696 +696 @@
 PACKAGE_NAME='mod_gnutls'
 PACKAGE_TARNAME='mod_gnutls'
-PACKAGE_VERSION='0.5.6'
-PACKAGE_STRING='mod_gnutls 0.5.6'
+PACKAGE_VERSION='0.5.7'
+PACKAGE_STRING='mod_gnutls 0.5.7'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
@@ -1462 +1462 @@
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures mod_gnutls 0.5.6 to adapt to many kinds of systems.
+\`configure' configures mod_gnutls 0.5.7 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1533 +1533 @@
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of mod_gnutls 0.5.6:";;
+     short | recursive ) echo "Configuration of mod_gnutls 0.5.7:";;
    esac
   cat <<\_ACEOF
@@ -1646 +1646 @@
 if $ac_init_version; then
   cat <<\_ACEOF
-mod_gnutls configure 0.5.6
+mod_gnutls configure 0.5.7
 generated by GNU Autoconf 2.64
 
@@ -1963 +1963 @@
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by mod_gnutls $as_me 0.5.6, which was
+It was created by mod_gnutls $as_me 0.5.7, which was
 generated by GNU Autoconf 2.64.  Invocation command line was
 
@@ -2328 +2328 @@
   chmod +x config.nice
 
-MOD_GNUTLS_VERSION=0.5.6
+MOD_GNUTLS_VERSION=0.5.7
 
 
@@ -2938 +2938 @@
 # Define the identity of the package.
  PACKAGE=mod_gnutls
- VERSION=0.5.6
+ VERSION=0.5.7
 
 
@@ -10949 +10949 @@
 
 
-MIN_TLS_VERSION=2.4.0
+MIN_TLS_VERSION=2.10.0
 
 # Check whether --with-libgnutls-prefix was given.
@@ -11888 +11888 @@
 # values after options handling.
 ac_log="
-This file was extended by mod_gnutls $as_me 0.5.6, which was
+This file was extended by mod_gnutls $as_me 0.5.7, which was
 generated by GNU Autoconf 2.64.  Invocation command line was
 
@@ -11952 +11952 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_version="\\
-mod_gnutls config.status 0.5.6
+mod_gnutls config.status 0.5.7
 configured by $0, generated by GNU Autoconf 2.64,
   with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"

configure.ac

@@ -1 +1 @@
 dnl 
-AC_INIT(mod_gnutls, 0.5.6)
+AC_INIT(mod_gnutls, 0.5.7)
 OOO_CONFIG_NICE(config.nice)
 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
@@ -29 +29 @@
 dnl AC_SUBST(LIBTOOL)
 
-MIN_TLS_VERSION=2.4.0
+dnl Depend on 2.10.0 due to safe renegotiation addition.
+MIN_TLS_VERSION=2.10.0
 AM_PATH_LIBGNUTLS($MIN_TLS_VERSION,,
         AC_MSG_ERROR([[

include/mod_gnutls.h.in

@@ -28 +28 @@
 #include "ap_release.h"
 
-#include <gcrypt.h>
 #include <gnutls/gnutls.h>
 #include <gnutls/extra.h>
@@ -110 +109 @@
     unsigned int ca_list_size;
     int client_verify_mode;
+    apr_time_t last_cache_check;
+    int tickets; /* whether session tickets are allowed */
 } mgs_srvconf_rec;
 
@@ -281 +282 @@
 const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
                             const char *arg);
+const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
+                            const char *arg);
                             
 const char *mgs_set_require_section(cmd_parms *cmd, 

src/gnutls_cache.c

@@ -34 +34 @@
 #endif
 
+/* it seems the default has some strange errors. Use SDBM 
+ */
+#define ODB "SDBM"
 
 #define MC_TAG "mod_gnutls:"
@@ -296 +299 @@
 #define SSL_DBM_FILE_MODE ( APR_UREAD | APR_UWRITE | APR_GREAD | APR_WREAD )
 
-static int dbm_cache_expire(mgs_handle_t *ctxt)
+static void dbm_cache_expire(mgs_handle_t *ctxt)
 {
     apr_status_t rv;
     apr_dbm_t *dbm;
-    apr_datum_t *keylist;
     apr_datum_t dbmkey;
     apr_datum_t dbmval;
-    apr_time_t ex;
+    apr_time_t now;
     apr_time_t dtime;
     apr_pool_t* spool;
-    int i = 0;
-    int keyidx = 0;
-    int should_delete = 0;
+    int total, deleted;
+
+    now = apr_time_now();
+    
+    if (now - ctxt->sc->last_cache_check < (ctxt->sc->cache_timeout)/2)
+        return;
+
+    ctxt->sc->last_cache_check = now;
 
     apr_pool_create(&spool, ctxt->c->pool);
-    ex = apr_time_now();
-    
-    rv = apr_dbm_open(&dbm, ctxt->sc->cache_config, APR_DBM_READONLY,
+
+    total = 0;
+    deleted = 0;
+
+    rv = apr_dbm_open_ex(&dbm, ODB, ctxt->sc->cache_config, APR_DBM_RWCREATE,
                       SSL_DBM_FILE_MODE, spool);
     if (rv != APR_SUCCESS) {
@@ -320 +329 @@
                      "[gnutls_cache] error opening cache searcher '%s'",
                      ctxt->sc->cache_config);
-        return -1;
-    }
-
-#define KEYMAX 128
-
-    keylist = apr_palloc(spool, sizeof(dbmkey)*KEYMAX);
+        apr_pool_destroy(spool);
+        return;
+    }
 
     apr_dbm_firstkey(dbm, &dbmkey);
     while (dbmkey.dptr != NULL) {
         apr_dbm_fetch(dbm, dbmkey, &dbmval);
-        if (dbmval.dptr != NULL) {
-            if (dbmval.dsize >= sizeof(apr_time_t)) {
+        if (dbmval.dptr != NULL && dbmval.dsize >= sizeof(apr_time_t)) {
                 memcpy(&dtime, dbmval.dptr, sizeof(apr_time_t));
-                if (dtime < ex) {
-                    should_delete = 1;
+
+                if (now >= dtime) {
+                    apr_dbm_delete(dbm, dbmkey);
+                    deleted++;
                 }
-            }
-            else {
-                should_delete = 1;
-            }
-            
-            if (should_delete == 1) {
-                should_delete = 0;
-                keylist[keyidx].dptr = apr_palloc(spool, dbmkey.dsize) ;
-                memcpy(keylist[keyidx].dptr, dbmkey.dptr, dbmkey.dsize);
-                keylist[keyidx].dsize = dbmkey.dsize;
-                keyidx++;
-                if (keyidx == KEYMAX) {
-                    break;
-                }
-            }
-            apr_dbm_freedatum( dbm, dbmval);
-            
-        }
+                apr_dbm_freedatum( dbm, dbmval);
+        } else {
+            apr_dbm_delete(dbm, dbmkey);
+            deleted++;
+        }
+        total++;
         apr_dbm_nextkey(dbm, &dbmkey);
     }
     apr_dbm_close(dbm);
 
-    rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
-                  APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, spool);
-    if (rv != APR_SUCCESS) {
-        ap_log_error(APLOG_MARK, APLOG_NOTICE, rv,
-                 ctxt->c->base_server,
-                 "[gnutls_cache] error opening cache writer '%s'",
-                 ctxt->sc->cache_config);
-        return -1;
-    }
-
-    for (i = 0; i < keyidx; i++) {
-        apr_dbm_delete(dbm, keylist[i]);
-    }
-
-    apr_dbm_close(dbm);
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, rv,
+                     ctxt->c->base_server,
+                     "[gnutls_cache] Cleaned up cache '%s'. Deleted %d and left %d",
+                     ctxt->sc->cache_config, deleted, total-deleted);
+
     apr_pool_destroy(spool);
     
-    return 0;
+    return;
 }
 
@@ -390 +375 @@
         return data;
 
-    rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
-                      APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool);
+    rv = apr_dbm_open_ex(&dbm, ODB, ctxt->sc->cache_config,
+                      APR_DBM_READONLY, SSL_DBM_FILE_MODE, ctxt->c->pool);
     if (rv != APR_SUCCESS) {
         ap_log_error(APLOG_MARK, APLOG_NOTICE, rv,
@@ -439 +424 @@
     apr_status_t rv;
     apr_time_t expiry;
+    apr_pool_t* spool;
 
     if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
         return -1;
+
+    /* we expire dbm only on every store
+     */
+    dbm_cache_expire(ctxt);
+
+    apr_pool_create(&spool, ctxt->c->pool);
 
     /* create DBM value */
     dbmval.dsize = data.size + sizeof(apr_time_t);
-    dbmval.dptr  = (char *)malloc(dbmval.dsize);
+    dbmval.dptr  = (char *)apr_palloc(spool, dbmval.dsize);
 
     expiry = apr_time_now() + ctxt->sc->cache_timeout;
@@ -453 +445 @@
            data.data, data.size);
 
-    /* we expire dbm only on every store
-     */
-    dbm_cache_expire(ctxt);
-
-    rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
+    rv = apr_dbm_open_ex(&dbm, ODB, ctxt->sc->cache_config,
                       APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool);
     if (rv != APR_SUCCESS) {
@@ -464 +452 @@
                      "[gnutls_cache] error opening cache '%s'",
                      ctxt->sc->cache_config);
-        free(dbmval.dptr);        
+        apr_pool_destroy(spool);
         return -1;
     }
@@ -476 +464 @@
                      ctxt->sc->cache_config);
         apr_dbm_close(dbm);
-        free(dbmval.dptr);
+        apr_pool_destroy(spool);
         return -1;
     }
@@ -482 +470 @@
     apr_dbm_close(dbm);
 
-    free(dbmval.dptr);
+    apr_pool_destroy(spool);
     
     return 0;
@@ -497 +485 @@
         return -1;
 
-    rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
+    rv = apr_dbm_open_ex(&dbm, ODB, ctxt->sc->cache_config,
                       APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool);
     if (rv != APR_SUCCESS) {
@@ -531 +519 @@
     const char* path2;
 
-    rv = apr_dbm_open(&dbm, sc->cache_config, APR_DBM_RWCREATE, 
+    rv = apr_dbm_open_ex(&dbm, ODB, sc->cache_config, APR_DBM_RWCREATE, 
                       SSL_DBM_FILE_MODE, p);
 
@@ -543 +531 @@
     apr_dbm_close(dbm);
 
-    apr_dbm_get_usednames(p, sc->cache_config, &path1, &path2);
+    apr_dbm_get_usednames_ex(p, ODB, sc->cache_config, &path1, &path2);
 
     /* The Following Code takes logic directly from mod_ssl's DBM Cache */ 
 #if !defined(OS2) && !defined(WIN32) && !defined(BEOS) && !defined(NETWARE)
     /* Running as Root */
-    if (geteuid() == 0)  {
+    if (path1 && geteuid() == 0)  {
         chown(path1, ap_unixd_config.user_id, -1);
         if (path2 != NULL) { 

src/gnutls_config.c

@@ -286 +286 @@
 }
 
+const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
+                                     const char *arg)
+{
+    mgs_srvconf_rec *sc =
+        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
+                                                 module_config,
+                                                 &gnutls_module);
+
+    sc->tickets = 0;
+    if (strcasecmp("on", arg) == 0) {
+        sc->tickets = 1;
+    }
+
+    return NULL;
+}
+
 
 #ifdef ENABLE_SRP
@@ -328 +344 @@
     }
 
-    if (strcasecmp("none", type) == 0) {
-        sc->cache_type = mgs_cache_none;
-    } else if (strcasecmp("dbm", type) == 0) {
+    sc->cache_type = mgs_cache_none;
+    if (strcasecmp("dbm", type) == 0) {
         sc->cache_type = mgs_cache_dbm;
     }
@@ -590 +605 @@
     sc->certs_x509_num = 0;
     sc->cache_timeout = apr_time_from_sec(300);
-    sc->cache_type = mgs_cache_dbm;
+    sc->cache_type = mgs_cache_none;
     sc->cache_config = ap_server_root_relative(p, "conf/gnutls_cache");
 

src/gnutls_hooks.c

@@ -21 +21 @@
 #include "ap_mpm.h"
 
+#if APR_HAS_THREADS
+# if GNUTLS_VERSION_MAJOR <= 2 && GNUTLS_VERSION_MINOR < 11
+#include <gcrypt.h>
+GCRY_THREAD_OPTION_PTHREAD_IMPL;
+# endif
+#endif
+
 #if !USING_2_1_RECENT
 extern server_rec *ap_server_conf;
 #endif
 
-#if APR_HAS_THREADS
-GCRY_THREAD_OPTION_PTHREAD_IMPL;
-#endif
-
 #if MOD_GNUTLS_DEBUG
 static apr_file_t *debug_log_fp;
@@ -34 +37 @@
 
 static int mpm_is_threaded;
+static gnutls_datum session_ticket_key = { NULL, 0 };
 
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
@@ -46 +50 @@
 static apr_status_t mgs_cleanup_pre_config(void *data)
 {
+    gnutls_free(session_ticket_key.data);
+    session_ticket_key.data = NULL;
+    session_ticket_key.size = 0;
     gnutls_global_deinit();
     return APR_SUCCESS;
@@ -80 +87 @@
 #if APR_HAS_THREADS
     ap_mpm_query(AP_MPMQ_IS_THREADED, &mpm_is_threaded);
+#if (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR < 11) || GNUTLS_VERSION_MAJOR < 2
     if (mpm_is_threaded) {
         gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
     }
+#endif
 #else
     mpm_is_threaded = 0;
 #endif
+
 
     if (gnutls_check_version(LIBGNUTLS_VERSION)==NULL) {
@@ -97 +107 @@
         _gnutls_log(debug_log_fp, "gnutls_global_init: %s\n", gnutls_strerror(ret));
         return -3;
+    }
+    
+    ret = gnutls_session_ticket_key_generate( &session_ticket_key);
+    if (ret < 0) {
+        _gnutls_log(debug_log_fp, "gnutls_session_ticket_key_generate: %s\n", gnutls_strerror(ret));
     }
 
@@ -145 +160 @@
      * enabled on this virtual server. Note that here we ignore the version
      * negotiation.
-     */
+     */   
     ret = gnutls_priority_set(session, ctxt->sc->priorities);
     /* actually it shouldn't fail since we have checked at startup */
@@ -659 +674 @@
 
     gnutls_init(&ctxt->session, GNUTLS_SERVER);
+    if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0)
+        gnutls_session_ticket_enable_server(ctxt->session, &session_ticket_key);
 
     /* because we don't set any default priorities here (we set later at
@@ -1028 +1045 @@
     const gnutls_datum_t *cert_list;
     unsigned int cert_list_size, status, expired;
-    int rv, ret;
+    int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret;
     unsigned int ch_size = 0;
     union {
@@ -1057 +1074 @@
             "GnuTLS: A Chain of %d certificate(s) was provided for validation", cert_list_size);
 
-        for (ch_size =0; ch_size<cert_list_size; ch_size++) {
+        for (ch_size = 0; ch_size<cert_list_size; ch_size++) {
             gnutls_x509_crt_init(&cert.x509[ch_size]);
             rv = gnutls_x509_crt_import(cert.x509[ch_size], &cert_list[ch_size], GNUTLS_X509_FMT_DER);

src/mod_gnutls.c

@@ -122 +122 @@
                   RSRC_CONF,
                   "Cache Configuration"),
+    AP_INIT_TAKE1("GnuTLSSessionTickets", mgs_set_tickets,
+                  NULL,
+                  RSRC_CONF,
+                  "Session Tickets Configuration"),
     AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities,
                   NULL,