Changeset babdb29 in mod_gnutls


Timestamp:
May 16, 2018, 2:12:08 AM (2 years ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master, proxy-ticket
Children:
92b5f4d
Parents:
d036f96
Message:

Initialize and clean up the OCSP cache, following session cache patterns

Files:
6 edited

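--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -182,4 +182,8 @@
     /* Mutex to prevent parallel OCSP requests */
     apr_global_mutex_t *ocsp_mutex;
+    /* Enable OCSP cache */
+    unsigned char ocsp_cache_enable : 2;
+    /* Internal OCSP cache data */
+    mgs_cache_t ocsp_cache;
     /* Cache timeout for OCSP responses. Note that the nextUpdate
      * field of the response takes precedence if shorter. */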
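--- a/src/gnutls_cache.c
+++ b/src/gnutls_cache.c
@@ -31,4 +31,5 @@
 #include "mod_gnutls.h"
 #include "gnutls_config.h"
+#include "gnutls_ocsp.h"
 
 #include <ap_socache.h>
@@ -414,8 +415,18 @@
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(s->module_config, &gnutls_module);
-    ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
-                 "Cleaning up socache '%s:%s'",
-                 sc->cache->prov->name, sc->cache->config);
-    sc->cache->prov->destroy(sc->cache->socache, s);
+    if (sc->cache)
+    {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
+                     "Cleaning up session cache '%s:%s'",
+                     sc->cache->prov->name, sc->cache->config);
+        sc->cache->prov->destroy(sc->cache->socache, s);
+    }
+    if (sc->ocsp_cache)
+    {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
+                     "Cleaning up OCSP cache '%s:%s'",
+                     sc->ocsp_cache->prov->name, sc->ocsp_cache->config);
+        sc->ocsp_cache->prov->destroy(sc->ocsp_cache->socache, s);
+    }
     return APR_SUCCESS;
 }
@@ -428,4 +439,17 @@
 {
     apr_status_t rv = APR_SUCCESS;
+
+    /* Initialize the OCSP cache first so it's not skipped if the
+     * session cache is disabled. */
+    if (sc->ocsp_cache != NULL)
+    {
+        /* TODO: Maybe initialize only if explicitly enabled OR at
+         * least one (virtual) host has OCSP enabled? */
+        rv = mgs_cache_inst_init(sc->ocsp_cache, MGS_OCSP_CACHE_NAME,
+                                 MGS_OCSP_CACHE_MUTEX_NAME, s, pconf);
+        if (rv != APR_SUCCESS)
+            return HTTP_INSUFFICIENT_STORAGE;
+    }
+
     /* GnuTLSCache was never explicitly set or is disabled: */
     if (sc->cache_enable == GNUTLS_ENABLED_UNSET
@@ -450,17 +474,16 @@
 }
 
-int mgs_cache_child_init(apr_pool_t * p,
-                         server_rec * s,
-                         mgs_srvconf_rec * sc)
+int mgs_cache_child_init(apr_pool_t *p, server_rec *server,
+                         mgs_cache_t cache, const char *mutex_name)
 {
     /* reinit cache mutex */
-    const char *lockfile = apr_global_mutex_lockfile(sc->cache->mutex);
-    apr_status_t rv = apr_global_mutex_child_init(&sc->cache->mutex,
+    const char *lockfile = apr_global_mutex_lockfile(cache->mutex);
+    apr_status_t rv = apr_global_mutex_child_init(&cache->mutex,
                                                   lockfile, p);
     if (rv != APR_SUCCESS)
-        ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
-                     "Failed to reinit mutex '%s'", MGS_CACHE_MUTEX_NAME);
-
-    return 0;
+        ap_log_error(APLOG_MARK, APLOG_EMERG, rv, server,
+                     "Failed to reinit mutex '%s'", mutex_name);
+
+    return rv;
 }
 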
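Review bot: In the `mgs_cache_child_init` hunk the new `cache` parameter is dereferenced unconditionally (`cache->mutex` on the first two statements), while the callers in gnutls_hooks.c gate the call on the enable flag rather than on the pointer, so a NULL cache reaching this function would crash every child process at startup instead of producing the EMERG log the function is built around. A guard before the `apr_global_mutex_lockfile` call, `if (cache == NULL || cache->mutex == NULL) return APR_EINVAL;`, keeps that case on the logged, recoverable path. The mutex name passed in is also worth asserting non-NULL for the same reason, since it goes straight into the `%s` of the log call.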
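--- a/src/gnutls_cache.h
+++ b/src/gnutls_cache.h
@@ -81,7 +81,10 @@
  * @param s default server of the Apache configuration, head of the
  * server list
- * @param sc mod_gnutls data associated with `s`
+ * @param cache the cache to reinit
+ * @param mutex_name name of the mutex associated with the cache for
+ * logging purposes
  */
-int mgs_cache_child_init(apr_pool_t *p, server_rec *s, mgs_srvconf_rec *sc);
+int mgs_cache_child_init(apr_pool_t *p, server_rec *server,
+                         mgs_cache_t cache, const char *mutex_name);
 
 /**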
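Review bot: The Doxygen block above the new prototype still documents `@param s` on its first context line while the parameter is now named `server`, so the comment no longer matches the signature and Doxygen will report `server` as undocumented. Change that line to ` * @param server default server of the Apache configuration, head of the` so it agrees with both this header and the definition in gnutls_cache.c. The return contract also changed in this commit (the function now returns the status of `apr_global_mutex_child_init` instead of a fixed `0`); the start of the doc block is outside the hunk, so if it has no `@return` line, add one stating that `APR_SUCCESS` or that error status is returned.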
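--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -625,6 +625,14 @@
     else if (!strcasecmp(parms->directive->directive, "GnuTLSOCSPCache"))
     {
-        // TODO
-        return NULL;
+        if (enable == GNUTLS_ENABLED_FALSE)
+        {
+            /* TODO: Should this return an error like "use
+             * GnuTLSOCSPStapling off if you want to disable OCSP
+             * stapling"? */
+            sc->ocsp_cache_enable = GNUTLS_ENABLED_FALSE;
+            return NULL;
+        }
+        sc->ocsp_cache_enable = GNUTLS_ENABLED_TRUE;
+        cache = &sc->ocsp_cache;
     }
     else
@@ -899,4 +907,6 @@
     sc->ocsp_response_file = NULL;
     sc->ocsp_mutex = NULL;
+    sc->ocsp_cache_enable = GNUTLS_ENABLED_UNSET;
+    sc->ocsp_cache = NULL;
     sc->ocsp_cache_time = MGS_TIMEOUT_UNSET;
     sc->ocsp_failure_timeout = MGS_TIMEOUT_UNSET;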
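--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -130,4 +130,6 @@
     ap_mutex_register(pconf, MGS_CACHE_MUTEX_NAME, NULL, APR_LOCK_DEFAULT, 0);
     ap_mutex_register(pconf, MGS_OCSP_MUTEX_NAME, NULL, APR_LOCK_DEFAULT, 0);
+    ap_mutex_register(pconf, MGS_OCSP_CACHE_MUTEX_NAME, NULL,
+                      APR_LOCK_DEFAULT, 0);
 
     /* Register a pool clean-up function */
@@ -633,4 +635,6 @@
         if (sc->cache_timeout == MGS_TIMEOUT_UNSET)
             sc->cache_timeout = sc_base->cache_timeout;
+        sc->ocsp_cache_enable = sc_base->ocsp_cache_enable;
+        sc->ocsp_cache = sc_base->ocsp_cache;
 
         sc->singleton_wd = sc_base->singleton_wd;
@@ -775,13 +779,22 @@
     }
 
-    if (sc->cache_enable) {
-        rv = mgs_cache_child_init(p, s, sc);
-        if (rv != APR_SUCCESS) {
+    if (sc->cache_enable == GNUTLS_ENABLED_TRUE)
+    {
+        rv = mgs_cache_child_init(p, s, sc->cache, MGS_CACHE_MUTEX_NAME);
+        if (rv != APR_SUCCESS)
             ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
-                    "GnuTLS: Failed to run Cache Init");
-        }
-    }
-
-    /* reinit OCSP mutex */
+                    "Child init for session cache failed!");
+    }
+
+    if (sc->ocsp_cache_enable == GNUTLS_ENABLED_TRUE)
+    {
+        rv = mgs_cache_child_init(p, s, sc->ocsp_cache,
+                                  MGS_OCSP_CACHE_MUTEX_NAME);
+        if (rv != APR_SUCCESS)
+            ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
+                    "Child init for OCSP cache failed!");
+    }
+
+    /* reinit OCSP request mutex */
     const char *lockfile = apr_global_mutex_lockfile(sc->ocsp_mutex);
     rv = apr_global_mutex_child_init(&sc->ocsp_mutex, lockfile, p);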
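Review bot: In the last hunk the session-cache condition narrows from `if (sc->cache_enable)` to `== GNUTLS_ENABLED_TRUE`, so if the "GnuTLSCache was never explicitly set" branch in post_config (visible in gnutls_cache.c) sets up a default cache without also setting `cache_enable` to `GNUTLS_ENABLED_TRUE`, the per-child mutex reinit is now skipped for that default cache; the code after that branch is outside this diff, so this needs confirming there. Independently, a failed `mgs_cache_child_init` is logged at EMERG but the child then carries on and will use the shared socache without a usable cross-process mutex, which is the condition the mutex exists to prevent; since a child_init hook has no error return, consider clearing the matching flag after the log call, `sc->cache_enable = GNUTLS_ENABLED_FALSE;` (and `sc->ocsp_cache_enable = GNUTLS_ENABLED_FALSE;` in the OCSP branch), provided the rest of the module consults those flags before touching the caches. The enclosing function continues past the end of the hunk.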
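--- a/src/gnutls_ocsp.h
+++ b/src/gnutls_ocsp.h
@@ -24,4 +24,6 @@
 
 #define MGS_OCSP_MUTEX_NAME "gnutls-ocsp"
+#define MGS_OCSP_CACHE_MUTEX_NAME "gnutls-ocsp-cache"
+#define MGS_OCSP_CACHE_NAME "gnutls_ocsp"
 
 /** Default OCSP response cache timeout in seconds */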