Changeset ae015fa in mod_gnutls
- Timestamp:
- Jan 11, 2013, 12:58:03 AM (10 years ago)
- Branches:
- debian/master, debian/stretch-backports, jessie-backports
- Children:
- 9c4a7444
- Parents:
- e03f404 (diff), bbb9bb1 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the(diff)
links above to see all the changes relative to each parent. - Files:
-
- 8 edited
NEWS
re03f404 rae015fa 1 ** Version 0.5.7 (2010-07-01) 2 - Force usage of SDBM. For some reason the default in 3 my system had issues after reaching a limit of entries. 4 SDBM seems stable so force it. 5 6 - Optimizations in session caching. 7 8 - Added support for session tickets. This allows a 9 server to avoid using a session cache and still support 10 session resumption. This is at the cost of transporting 11 session data during handshake. New option 12 GnuTLSSessionTickets [on|off] 13 14 - Depend on gnutls 2.10.0 to force support for safe 15 renegotiation. 16 1 17 ** Version 0.5.6 (2010-03-24) 2 18 - Corrected issue with firefox and long POST data (by -
configure
re03f404 rae015fa 1 1 #! /bin/sh 2 2 # Guess values for system-dependent variables and create Makefiles. 3 # Generated by GNU Autoconf 2.64 for mod_gnutls 0.5. 6.3 # Generated by GNU Autoconf 2.64 for mod_gnutls 0.5.7. 4 4 # 5 5 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, … … 696 696 PACKAGE_NAME='mod_gnutls' 697 697 PACKAGE_TARNAME='mod_gnutls' 698 PACKAGE_VERSION='0.5. 6'699 PACKAGE_STRING='mod_gnutls 0.5. 6'698 PACKAGE_VERSION='0.5.7' 699 PACKAGE_STRING='mod_gnutls 0.5.7' 700 700 PACKAGE_BUGREPORT='' 701 701 PACKAGE_URL='' … … 1462 1462 # This message is too long to be a string in the A/UX 3.1 sh. 1463 1463 cat <<_ACEOF 1464 \`configure' configures mod_gnutls 0.5. 6to adapt to many kinds of systems.1464 \`configure' configures mod_gnutls 0.5.7 to adapt to many kinds of systems. 1465 1465 1466 1466 Usage: $0 [OPTION]... [VAR=VALUE]... … … 1533 1533 if test -n "$ac_init_help"; then 1534 1534 case $ac_init_help in 1535 short | recursive ) echo "Configuration of mod_gnutls 0.5. 6:";;1535 short | recursive ) echo "Configuration of mod_gnutls 0.5.7:";; 1536 1536 esac 1537 1537 cat <<\_ACEOF … … 1646 1646 if $ac_init_version; then 1647 1647 cat <<\_ACEOF 1648 mod_gnutls configure 0.5. 61648 mod_gnutls configure 0.5.7 1649 1649 generated by GNU Autoconf 2.64 1650 1650 … … 1963 1963 running configure, to aid debugging if configure makes a mistake. 1964 1964 1965 It was created by mod_gnutls $as_me 0.5. 6, which was1965 It was created by mod_gnutls $as_me 0.5.7, which was 1966 1966 generated by GNU Autoconf 2.64. Invocation command line was 1967 1967 … … 2328 2328 chmod +x config.nice 2329 2329 2330 MOD_GNUTLS_VERSION=0.5. 62330 MOD_GNUTLS_VERSION=0.5.7 2331 2331 2332 2332 … … 2938 2938 # Define the identity of the package. 2939 2939 PACKAGE=mod_gnutls 2940 VERSION=0.5. 62940 VERSION=0.5.7 2941 2941 2942 2942 … … 10949 10949 10950 10950 10951 MIN_TLS_VERSION=2. 
4.010951 MIN_TLS_VERSION=2.10.0 10952 10952 10953 10953 # Check whether --with-libgnutls-prefix was given. … … 11888 11888 # values after options handling. 11889 11889 ac_log=" 11890 This file was extended by mod_gnutls $as_me 0.5. 6, which was11890 This file was extended by mod_gnutls $as_me 0.5.7, which was 11891 11891 generated by GNU Autoconf 2.64. Invocation command line was 11892 11892 … … 11952 11952 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 11953 11953 ac_cs_version="\\ 11954 mod_gnutls config.status 0.5. 611954 mod_gnutls config.status 0.5.7 11955 11955 configured by $0, generated by GNU Autoconf 2.64, 11956 11956 with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" -
configure.ac
re03f404 rae015fa 1 1 dnl 2 AC_INIT(mod_gnutls, 0.5. 6)2 AC_INIT(mod_gnutls, 0.5.7) 3 3 OOO_CONFIG_NICE(config.nice) 4 4 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION … … 29 29 dnl AC_SUBST(LIBTOOL) 30 30 31 MIN_TLS_VERSION=2.4.0 31 dnl Depend on 2.10.0 due to safe renegotiation addition. 32 MIN_TLS_VERSION=2.10.0 32 33 AM_PATH_LIBGNUTLS($MIN_TLS_VERSION,, 33 34 AC_MSG_ERROR([[ -
include/mod_gnutls.h.in
re03f404 rae015fa 28 28 #include "ap_release.h" 29 29 30 #include <gcrypt.h>31 30 #include <gnutls/gnutls.h> 32 31 #include <gnutls/extra.h> … … 110 109 unsigned int ca_list_size; 111 110 int client_verify_mode; 111 apr_time_t last_cache_check; 112 int tickets; /* whether session tickets are allowed */ 112 113 } mgs_srvconf_rec; 113 114 … … 281 282 const char *mgs_set_priorities(cmd_parms * parms, void *dummy, 282 283 const char *arg); 284 const char *mgs_set_tickets(cmd_parms * parms, void *dummy, 285 const char *arg); 283 286 284 287 const char *mgs_set_require_section(cmd_parms *cmd, -
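Review bot: `last_cache_check` (new line 111) is the only new field in mgs_srvconf_rec without a comment, and because it is state that the cache code mutates at runtime rather than configuration parsed at startup, a reader of the struct cannot tell that from the declaration; suggest `apr_time_t last_cache_check; /* time of the last DBM expiry sweep; written by dbm_cache_expire, per process */`. The `mgs_set_tickets` prototype and the `tickets` field follow the existing style and need nothing further.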
src/gnutls_cache.c
re03f404 rae015fa 34 34 #endif 35 35 36 /* it seems the default has some strange errors. Use SDBM 37 */ 38 #define ODB "SDBM" 36 39 37 40 #define MC_TAG "mod_gnutls:" … … 296 299 #define SSL_DBM_FILE_MODE ( APR_UREAD | APR_UWRITE | APR_GREAD | APR_WREAD ) 297 300 298 static intdbm_cache_expire(mgs_handle_t *ctxt)301 static void dbm_cache_expire(mgs_handle_t *ctxt) 299 302 { 300 303 apr_status_t rv; 301 304 apr_dbm_t *dbm; 302 apr_datum_t *keylist;303 305 apr_datum_t dbmkey; 304 306 apr_datum_t dbmval; 305 apr_time_t ex;307 apr_time_t now; 306 308 apr_time_t dtime; 307 309 apr_pool_t* spool; 308 int i = 0; 309 int keyidx = 0; 310 int should_delete = 0; 310 int total, deleted; 311 312 now = apr_time_now(); 313 314 if (now - ctxt->sc->last_cache_check < (ctxt->sc->cache_timeout)/2) 315 return; 316 317 ctxt->sc->last_cache_check = now; 311 318 312 319 apr_pool_create(&spool, ctxt->c->pool); 313 ex = apr_time_now(); 314 315 rv = apr_dbm_open(&dbm, ctxt->sc->cache_config, APR_DBM_READONLY, 320 321 total = 0; 322 deleted = 0; 323 324 rv = apr_dbm_open_ex(&dbm, ODB, ctxt->sc->cache_config, APR_DBM_RWCREATE, 316 325 SSL_DBM_FILE_MODE, spool); 317 326 if (rv != APR_SUCCESS) { … … 320 329 "[gnutls_cache] error opening cache searcher '%s'", 321 330 ctxt->sc->cache_config); 322 return -1; 323 } 324 325 #define KEYMAX 128 326 327 keylist = apr_palloc(spool, sizeof(dbmkey)*KEYMAX); 331 apr_pool_destroy(spool); 332 return; 333 } 328 334 329 335 apr_dbm_firstkey(dbm, &dbmkey); 330 336 while (dbmkey.dptr != NULL) { 331 337 apr_dbm_fetch(dbm, dbmkey, &dbmval); 332 if (dbmval.dptr != NULL) { 333 if (dbmval.dsize >= sizeof(apr_time_t)) { 338 if (dbmval.dptr != NULL && dbmval.dsize >= sizeof(apr_time_t)) { 334 339 memcpy(&dtime, dbmval.dptr, sizeof(apr_time_t)); 335 if (dtime < ex) { 336 should_delete = 1; 340 341 if (now >= dtime) { 342 apr_dbm_delete(dbm, dbmkey); 343 deleted++; 337 344 } 338 } 339 else { 340 should_delete = 1; 341 } 342 343 if (should_delete == 1) { 344 should_delete 
= 0; 345 keylist[keyidx].dptr = apr_palloc(spool, dbmkey.dsize) ; 346 memcpy(keylist[keyidx].dptr, dbmkey.dptr, dbmkey.dsize); 347 keylist[keyidx].dsize = dbmkey.dsize; 348 keyidx++; 349 if (keyidx == KEYMAX) { 350 break; 351 } 352 } 353 apr_dbm_freedatum( dbm, dbmval); 354 355 } 345 apr_dbm_freedatum( dbm, dbmval); 346 } else { 347 apr_dbm_delete(dbm, dbmkey); 348 deleted++; 349 } 350 total++; 356 351 apr_dbm_nextkey(dbm, &dbmkey); 357 352 } 358 353 apr_dbm_close(dbm); 359 354 360 rv = apr_dbm_open(&dbm, ctxt->sc->cache_config, 361 APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, spool); 362 if (rv != APR_SUCCESS) { 363 ap_log_error(APLOG_MARK, APLOG_NOTICE, rv, 364 ctxt->c->base_server, 365 "[gnutls_cache] error opening cache writer '%s'", 366 ctxt->sc->cache_config); 367 return -1; 368 } 369 370 for (i = 0; i < keyidx; i++) { 371 apr_dbm_delete(dbm, keylist[i]); 372 } 373 374 apr_dbm_close(dbm); 355 ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, 356 ctxt->c->base_server, 357 "[gnutls_cache] Cleaned up cache '%s'. 
Deleted %d and left %d", 358 ctxt->sc->cache_config, deleted, total-deleted); 359 375 360 apr_pool_destroy(spool); 376 361 377 return 0;362 return; 378 363 } 379 364 … … 390 375 return data; 391 376 392 rv = apr_dbm_open (&dbm, ctxt->sc->cache_config,393 APR_DBM_R WCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool);377 rv = apr_dbm_open_ex(&dbm, ODB, ctxt->sc->cache_config, 378 APR_DBM_READONLY, SSL_DBM_FILE_MODE, ctxt->c->pool); 394 379 if (rv != APR_SUCCESS) { 395 380 ap_log_error(APLOG_MARK, APLOG_NOTICE, rv, … … 439 424 apr_status_t rv; 440 425 apr_time_t expiry; 426 apr_pool_t* spool; 441 427 442 428 if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0) 443 429 return -1; 430 431 /* we expire dbm only on every store 432 */ 433 dbm_cache_expire(ctxt); 434 435 apr_pool_create(&spool, ctxt->c->pool); 444 436 445 437 /* create DBM value */ 446 438 dbmval.dsize = data.size + sizeof(apr_time_t); 447 dbmval.dptr = (char *) malloc(dbmval.dsize);439 dbmval.dptr = (char *)apr_palloc(spool, dbmval.dsize); 448 440 449 441 expiry = apr_time_now() + ctxt->sc->cache_timeout; … … 453 445 data.data, data.size); 454 446 455 /* we expire dbm only on every store 456 */ 457 dbm_cache_expire(ctxt); 458 459 rv = apr_dbm_open(&dbm, ctxt->sc->cache_config, 447 rv = apr_dbm_open_ex(&dbm, ODB, ctxt->sc->cache_config, 460 448 APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool); 461 449 if (rv != APR_SUCCESS) { … … 464 452 "[gnutls_cache] error opening cache '%s'", 465 453 ctxt->sc->cache_config); 466 free(dbmval.dptr);454 apr_pool_destroy(spool); 467 455 return -1; 468 456 } … … 476 464 ctxt->sc->cache_config); 477 465 apr_dbm_close(dbm); 478 free(dbmval.dptr);466 apr_pool_destroy(spool); 479 467 return -1; 480 468 } … … 482 470 apr_dbm_close(dbm); 483 471 484 free(dbmval.dptr);472 apr_pool_destroy(spool); 485 473 486 474 return 0; … … 497 485 return -1; 498 486 499 rv = apr_dbm_open (&dbm, ctxt->sc->cache_config,487 rv = apr_dbm_open_ex(&dbm, ODB, ctxt->sc->cache_config, 500 488 
APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool); 501 489 if (rv != APR_SUCCESS) { … … 531 519 const char* path2; 532 520 533 rv = apr_dbm_open (&dbm, sc->cache_config, APR_DBM_RWCREATE,521 rv = apr_dbm_open_ex(&dbm, ODB, sc->cache_config, APR_DBM_RWCREATE, 534 522 SSL_DBM_FILE_MODE, p); 535 523 … … 543 531 apr_dbm_close(dbm); 544 532 545 apr_dbm_get_usednames (p, sc->cache_config, &path1, &path2);533 apr_dbm_get_usednames_ex(p, ODB, sc->cache_config, &path1, &path2); 546 534 547 535 /* The Following Code takes logic directly from mod_ssl's DBM Cache */ 548 536 #if !defined(OS2) && !defined(WIN32) && !defined(BEOS) && !defined(NETWARE) 549 537 /* Running as Root */ 550 if ( geteuid() == 0) {538 if (path1 && geteuid() == 0) { 551 539 chown(path1, ap_unixd_config.user_id, -1); 552 540 if (path2 != NULL) { -
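Review bot: dbm_cache_expire now calls apr_dbm_delete on the current key in the middle of an apr_dbm_firstkey/apr_dbm_nextkey traversal (new lines 336-352), whereas the removed code collected the keys first and deleted them in a second pass after closing and reopening the database; whether a cursor survives deletion of its current record depends on the backend, so with ODB forced to SDBM this should be verified against apr_sdbm's nextkey behaviour or the two-pass structure kept. The sweep also writes `ctxt->sc->last_cache_check`, a field of the shared server config, from per-connection code with no locking, so under a threaded MPM concurrent stores can race on it; if that is accepted as best-effort, record it next to the write: `/* unsynchronized under threaded MPMs: the worst case is one extra sweep */`. The return values of apr_dbm_fetch, apr_dbm_firstkey and apr_dbm_nextkey remain unchecked, so a fetch error leaves dbmval from the previous iteration in scope, and the `else` branch then deletes the key based on stale data. Finally, hard-wiring SDBM inherits that backend's fixed per-record size ceiling (APR's sdbm rejects key+value pairs above roughly 1 KB, if I recall correctly), so session entries carrying a client certificate may fail in dbm_cache_store; that limitation belongs in a comment beside `#define ODB "SDBM"`. dbm_cache_store and the cleanup function at the end both begin outside the hunks shown.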
src/gnutls_config.c
re03f404 rae015fa 286 286 } 287 287 288 const char *mgs_set_tickets(cmd_parms * parms, void *dummy, 289 const char *arg) 290 { 291 mgs_srvconf_rec *sc = 292 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 293 module_config, 294 &gnutls_module); 295 296 sc->tickets = 0; 297 if (strcasecmp("on", arg) == 0) { 298 sc->tickets = 1; 299 } 300 301 return NULL; 302 } 303 288 304 289 305 #ifdef ENABLE_SRP … … 328 344 } 329 345 330 if (strcasecmp("none", type) == 0) { 331 sc->cache_type = mgs_cache_none; 332 } else if (strcasecmp("dbm", type) == 0) { 346 sc->cache_type = mgs_cache_none; 347 if (strcasecmp("dbm", type) == 0) { 333 348 sc->cache_type = mgs_cache_dbm; 334 349 } … … 590 605 sc->certs_x509_num = 0; 591 606 sc->cache_timeout = apr_time_from_sec(300); 592 sc->cache_type = mgs_cache_ dbm;607 sc->cache_type = mgs_cache_none; 593 608 sc->cache_config = ap_server_root_relative(p, "conf/gnutls_cache"); 594 609 -
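Review bot: mgs_set_tickets (new lines 288-302) treats every value other than "on" as off, so `GnuTLSSessionTickets yes` or a typo such as `of` passes configuration checking and silently disables tickets; return an error string for anything but the two documented values: `if (strcasecmp("on", arg) == 0) sc->tickets = 1; else if (strcasecmp("off", arg) != 0) return "GnuTLSSessionTickets: argument must be 'on' or 'off'";`. The rewritten cache-type parsing at new lines 346-348 has the same shape, since any unrecognised GnuTLSCache type now starts from mgs_cache_none where the old if/else chain left the previous value alone; the rest of that chain is outside the hunk, so if no later branch rejects unknown types a misspelled cache type quietly turns session caching off, and an error return would catch it at startup. mgs_set_cache begins and ends outside this hunk.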
src/gnutls_hooks.c
re03f404 rae015fa 21 21 #include "ap_mpm.h" 22 22 23 #if APR_HAS_THREADS 24 # if GNUTLS_VERSION_MAJOR <= 2 && GNUTLS_VERSION_MINOR < 11 25 #include <gcrypt.h> 26 GCRY_THREAD_OPTION_PTHREAD_IMPL; 27 # endif 28 #endif 29 23 30 #if !USING_2_1_RECENT 24 31 extern server_rec *ap_server_conf; 25 32 #endif 26 33 27 #if APR_HAS_THREADS28 GCRY_THREAD_OPTION_PTHREAD_IMPL;29 #endif30 31 34 #if MOD_GNUTLS_DEBUG 32 35 static apr_file_t *debug_log_fp; … … 34 37 35 38 static int mpm_is_threaded; 39 static gnutls_datum session_ticket_key = { NULL, 0 }; 36 40 37 41 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt); … … 46 50 static apr_status_t mgs_cleanup_pre_config(void *data) 47 51 { 52 gnutls_free(session_ticket_key.data); 53 session_ticket_key.data = NULL; 54 session_ticket_key.size = 0; 48 55 gnutls_global_deinit(); 49 56 return APR_SUCCESS; … … 80 87 #if APR_HAS_THREADS 81 88 ap_mpm_query(AP_MPMQ_IS_THREADED, &mpm_is_threaded); 89 #if (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR < 11) || GNUTLS_VERSION_MAJOR < 2 82 90 if (mpm_is_threaded) { 83 91 gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); 84 92 } 93 #endif 85 94 #else 86 95 mpm_is_threaded = 0; 87 96 #endif 97 88 98 89 99 if (gnutls_check_version(LIBGNUTLS_VERSION)==NULL) { … … 97 107 _gnutls_log(debug_log_fp, "gnutls_global_init: %s\n", gnutls_strerror(ret)); 98 108 return -3; 109 } 110 111 ret = gnutls_session_ticket_key_generate( &session_ticket_key); 112 if (ret < 0) { 113 _gnutls_log(debug_log_fp, "gnutls_session_ticket_key_generate: %s\n", gnutls_strerror(ret)); 99 114 } 100 115 … … 145 160 * enabled on this virtual server. Note that here we ignore the version 146 161 * negotiation. 
147 */ 162 */ 148 163 ret = gnutls_priority_set(session, ctxt->sc->priorities); 149 164 /* actually it shouldn't fail since we have checked at startup */ … … 659 674 660 675 gnutls_init(&ctxt->session, GNUTLS_SERVER); 676 if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0) 677 gnutls_session_ticket_enable_server(ctxt->session, &session_ticket_key); 661 678 662 679 /* because we don't set any default priorities here (we set later at … … 1028 1045 const gnutls_datum_t *cert_list; 1029 1046 unsigned int cert_list_size, status, expired; 1030 int rv , ret;1047 int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret; 1031 1048 unsigned int ch_size = 0; 1032 1049 union { … … 1057 1074 "GnuTLS: A Chain of %d certificate(s) was provided for validation", cert_list_size); 1058 1075 1059 for (ch_size = 0; ch_size<cert_list_size; ch_size++) {1076 for (ch_size = 0; ch_size<cert_list_size; ch_size++) { 1060 1077 gnutls_x509_crt_init(&cert.x509[ch_size]); 1061 1078 rv = gnutls_x509_crt_import(cert.x509[ch_size], &cert_list[ch_size], GNUTLS_X509_FMT_DER); -
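Review bot: When gnutls_session_ticket_key_generate fails in the pre-config hook (new lines 111-114) the error goes only to the debug logger and startup continues with `session_ticket_key.data == NULL`, which later makes the `ctxt->sc->tickets != 0` check at new line 676 silently do nothing on every vhost that enabled GnuTLSSessionTickets; log it through ap_log_error at APLOG_WARNING, or return an error as the gnutls_global_init branch above it does, so the operator can see why ticket resumption is not happening. The two gcrypt guards are spelled differently, `GNUTLS_VERSION_MAJOR <= 2 && GNUTLS_VERSION_MINOR < 11` at new line 24 versus `(GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR < 11) || GNUTLS_VERSION_MAJOR < 2` at new line 89, and they disagree for a major version below 2 with a minor of 11 or more; define one macro for the condition and use it in both places. The ticket key is generated once per server lifetime, shared by all virtual hosts and all children, and never rotated until a restart; the `session_ticket_key` declaration at new line 39 should say so, since that lifetime bounds how long any ticket issued under it stays decryptable. In mgs_cleanup_pre_config the key material is released with gnutls_free without being wiped first; an explicit overwrite before the free is cheap and is the usual treatment for a symmetric key.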
src/mod_gnutls.c
re03f404 rae015fa 122 122 RSRC_CONF, 123 123 "Cache Configuration"), 124 AP_INIT_TAKE1("GnuTLSSessionTickets", mgs_set_tickets, 125 NULL, 126 RSRC_CONF, 127 "Session Tickets Configuration"), 124 128 AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities, 125 129 NULL,
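Review bot: The help string of the new GnuTLSSessionTickets entry (new lines 124-127), "Session Tickets Configuration", is what `httpd -L` shows administrators and it does not say what the directive accepts, while the handler only recognises on/off; make it `"Enable TLS session tickets for resumption without a session cache (on|off)"`, which also mirrors the NEWS wording of this changeset. The remaining command table lies outside the hunk.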