Changeset bbb9bb1 in mod_gnutls for src

Timestamp:

Jan 11, 2013, 12:58:02 AM (9 years ago)

Author:

Daniel Kahn Gillmor <dkg@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, upstream

Children:

5508683, ae015fa

Parents:

66b608e

Message:

Imported Upstream version 0.5.7

Location:

src

Files:

• gnutls_cache.c (modified) (12 diffs)
• gnutls_config.c (modified) (3 diffs)
• gnutls_hooks.c (modified) (9 diffs)
• mod_gnutls.c (modified) (1 diff)

src/gnutls_cache.c

@@ -34 +34 @@
 #endif
 
+/* it seems the default has some strange errors. Use SDBM 
+ */
+#define ODB "SDBM"
 
 #define MC_TAG "mod_gnutls:"
@@ -296 +299 @@
 #define SSL_DBM_FILE_MODE ( APR_UREAD | APR_UWRITE | APR_GREAD | APR_WREAD )
 
-static int dbm_cache_expire(mgs_handle_t *ctxt)
+static void dbm_cache_expire(mgs_handle_t *ctxt)
 {
     apr_status_t rv;
     apr_dbm_t *dbm;
-    apr_datum_t *keylist;
     apr_datum_t dbmkey;
     apr_datum_t dbmval;
-    apr_time_t ex;
+    apr_time_t now;
     apr_time_t dtime;
     apr_pool_t* spool;
-    int i = 0;
-    int keyidx = 0;
-    int should_delete = 0;
+    int total, deleted;
+
+    now = apr_time_now();
+    
+    if (now - ctxt->sc->last_cache_check < (ctxt->sc->cache_timeout)/2)
+        return;
+
+    ctxt->sc->last_cache_check = now;
 
     apr_pool_create(&spool, ctxt->c->pool);
-    ex = apr_time_now();
-    
-    rv = apr_dbm_open(&dbm, ctxt->sc->cache_config, APR_DBM_READONLY,
+
+    total = 0;
+    deleted = 0;
+
+    rv = apr_dbm_open_ex(&dbm, ODB, ctxt->sc->cache_config, APR_DBM_RWCREATE,
                       SSL_DBM_FILE_MODE, spool);
     if (rv != APR_SUCCESS) {
@@ -320 +329 @@
                      "[gnutls_cache] error opening cache searcher '%s'",
                      ctxt->sc->cache_config);
-        return -1;
-    }
-
-#define KEYMAX 128
-
-    keylist = apr_palloc(spool, sizeof(dbmkey)*KEYMAX);
+        apr_pool_destroy(spool);
+        return;
+    }
 
     apr_dbm_firstkey(dbm, &dbmkey);
     while (dbmkey.dptr != NULL) {
         apr_dbm_fetch(dbm, dbmkey, &dbmval);
-        if (dbmval.dptr != NULL) {
-            if (dbmval.dsize >= sizeof(apr_time_t)) {
+        if (dbmval.dptr != NULL && dbmval.dsize >= sizeof(apr_time_t)) {
                 memcpy(&dtime, dbmval.dptr, sizeof(apr_time_t));
-                if (dtime < ex) {
-                    should_delete = 1;
+
+                if (now >= dtime) {
+                    apr_dbm_delete(dbm, dbmkey);
+                    deleted++;
                 }
-            }
-            else {
-                should_delete = 1;
-            }
-            
-            if (should_delete == 1) {
-                should_delete = 0;
-                keylist[keyidx].dptr = apr_palloc(spool, dbmkey.dsize) ;
-                memcpy(keylist[keyidx].dptr, dbmkey.dptr, dbmkey.dsize);
-                keylist[keyidx].dsize = dbmkey.dsize;
-                keyidx++;
-                if (keyidx == KEYMAX) {
-                    break;
-                }
-            }
-            apr_dbm_freedatum( dbm, dbmval);
-            
-        }
+                apr_dbm_freedatum( dbm, dbmval);
+        } else {
+            apr_dbm_delete(dbm, dbmkey);
+            deleted++;
+        }
+        total++;
         apr_dbm_nextkey(dbm, &dbmkey);
     }
     apr_dbm_close(dbm);
 
-    rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
-                  APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, spool);
-    if (rv != APR_SUCCESS) {
-        ap_log_error(APLOG_MARK, APLOG_NOTICE, rv,
-                 ctxt->c->base_server,
-                 "[gnutls_cache] error opening cache writer '%s'",
-                 ctxt->sc->cache_config);
-        return -1;
-    }
-
-    for (i = 0; i < keyidx; i++) {
-        apr_dbm_delete(dbm, keylist[i]);
-    }
-
-    apr_dbm_close(dbm);
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, rv,
+                     ctxt->c->base_server,
+                     "[gnutls_cache] Cleaned up cache '%s'. Deleted %d and left %d",
+                     ctxt->sc->cache_config, deleted, total-deleted);
+
     apr_pool_destroy(spool);
     
-    return 0;
+    return;
 }
 
@@ -390 +375 @@
         return data;
 
-    rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
-                      APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool);
+    rv = apr_dbm_open_ex(&dbm, ODB, ctxt->sc->cache_config,
+                      APR_DBM_READONLY, SSL_DBM_FILE_MODE, ctxt->c->pool);
     if (rv != APR_SUCCESS) {
         ap_log_error(APLOG_MARK, APLOG_NOTICE, rv,
@@ -439 +424 @@
     apr_status_t rv;
     apr_time_t expiry;
+    apr_pool_t* spool;
 
     if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
         return -1;
+
+    /* we expire dbm only on every store
+     */
+    dbm_cache_expire(ctxt);
+
+    apr_pool_create(&spool, ctxt->c->pool);
 
     /* create DBM value */
     dbmval.dsize = data.size + sizeof(apr_time_t);
-    dbmval.dptr  = (char *)malloc(dbmval.dsize);
+    dbmval.dptr  = (char *)apr_palloc(spool, dbmval.dsize);
 
     expiry = apr_time_now() + ctxt->sc->cache_timeout;
@@ -453 +445 @@
            data.data, data.size);
 
-    /* we expire dbm only on every store
-     */
-    dbm_cache_expire(ctxt);
-
-    rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
+    rv = apr_dbm_open_ex(&dbm, ODB, ctxt->sc->cache_config,
                       APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool);
     if (rv != APR_SUCCESS) {
@@ -464 +452 @@
                      "[gnutls_cache] error opening cache '%s'",
                      ctxt->sc->cache_config);
-        free(dbmval.dptr);        
+        apr_pool_destroy(spool);
         return -1;
     }
@@ -476 +464 @@
                      ctxt->sc->cache_config);
         apr_dbm_close(dbm);
-        free(dbmval.dptr);
+        apr_pool_destroy(spool);
         return -1;
     }
@@ -482 +470 @@
     apr_dbm_close(dbm);
 
-    free(dbmval.dptr);
+    apr_pool_destroy(spool);
     
     return 0;
@@ -497 +485 @@
         return -1;
 
-    rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
+    rv = apr_dbm_open_ex(&dbm, ODB, ctxt->sc->cache_config,
                       APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool);
     if (rv != APR_SUCCESS) {
@@ -531 +519 @@
     const char* path2;
 
-    rv = apr_dbm_open(&dbm, sc->cache_config, APR_DBM_RWCREATE, 
+    rv = apr_dbm_open_ex(&dbm, ODB, sc->cache_config, APR_DBM_RWCREATE, 
                       SSL_DBM_FILE_MODE, p);
 
@@ -543 +531 @@
     apr_dbm_close(dbm);
 
-    apr_dbm_get_usednames(p, sc->cache_config, &path1, &path2);
+    apr_dbm_get_usednames_ex(p, ODB, sc->cache_config, &path1, &path2);
 
     /* The Following Code takes logic directly from mod_ssl's DBM Cache */ 
 #if !defined(OS2) && !defined(WIN32) && !defined(BEOS) && !defined(NETWARE)
     /* Running as Root */
-    if (geteuid() == 0)  {
+    if (path1 && geteuid() == 0)  {
         chown(path1, ap_unixd_config.user_id, -1);
         if (path2 != NULL) { 

src/gnutls_config.c

@@ -286 +286 @@
 }
 
+const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
+                                     const char *arg)
+{
+    mgs_srvconf_rec *sc =
+        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
+                                                 module_config,
+                                                 &gnutls_module);
+
+    sc->tickets = 0;
+    if (strcasecmp("on", arg) == 0) {
+        sc->tickets = 1;
+    }
+
+    return NULL;
+}
+
 
 #ifdef ENABLE_SRP
@@ -328 +344 @@
     }
 
-    if (strcasecmp("none", type) == 0) {
-        sc->cache_type = mgs_cache_none;
-    } else if (strcasecmp("dbm", type) == 0) {
+    sc->cache_type = mgs_cache_none;
+    if (strcasecmp("dbm", type) == 0) {
         sc->cache_type = mgs_cache_dbm;
     }
@@ -590 +605 @@
     sc->certs_x509_num = 0;
     sc->cache_timeout = apr_time_from_sec(300);
-    sc->cache_type = mgs_cache_dbm;
+    sc->cache_type = mgs_cache_none;
     sc->cache_config = ap_server_root_relative(p, "conf/gnutls_cache");
 

src/gnutls_hooks.c

@@ -21 +21 @@
 #include "ap_mpm.h"
 
+#if APR_HAS_THREADS
+# if GNUTLS_VERSION_MAJOR <= 2 && GNUTLS_VERSION_MINOR < 11
+#include <gcrypt.h>
+GCRY_THREAD_OPTION_PTHREAD_IMPL;
+# endif
+#endif
+
 #if !USING_2_1_RECENT
 extern server_rec *ap_server_conf;
 #endif
 
-#if APR_HAS_THREADS
-GCRY_THREAD_OPTION_PTHREAD_IMPL;
-#endif
-
 #if MOD_GNUTLS_DEBUG
 static apr_file_t *debug_log_fp;
@@ -34 +37 @@
 
 static int mpm_is_threaded;
+static gnutls_datum session_ticket_key = { NULL, 0 };
 
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
@@ -46 +50 @@
 static apr_status_t mgs_cleanup_pre_config(void *data)
 {
+    gnutls_free(session_ticket_key.data);
+    session_ticket_key.data = NULL;
+    session_ticket_key.size = 0;
     gnutls_global_deinit();
     return APR_SUCCESS;
@@ -80 +87 @@
 #if APR_HAS_THREADS
     ap_mpm_query(AP_MPMQ_IS_THREADED, &mpm_is_threaded);
+#if (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR < 11) || GNUTLS_VERSION_MAJOR < 2
     if (mpm_is_threaded) {
         gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
     }
+#endif
 #else
     mpm_is_threaded = 0;
 #endif
+
 
     if (gnutls_check_version(LIBGNUTLS_VERSION)==NULL) {
@@ -97 +107 @@
         _gnutls_log(debug_log_fp, "gnutls_global_init: %s\n", gnutls_strerror(ret));
         return -3;
+    }
+    
+    ret = gnutls_session_ticket_key_generate( &session_ticket_key);
+    if (ret < 0) {
+        _gnutls_log(debug_log_fp, "gnutls_session_ticket_key_generate: %s\n", gnutls_strerror(ret));
     }
 
@@ -145 +160 @@
      * enabled on this virtual server. Note that here we ignore the version
      * negotiation.
-     */
+     */   
     ret = gnutls_priority_set(session, ctxt->sc->priorities);
     /* actually it shouldn't fail since we have checked at startup */
@@ -659 +674 @@
 
     gnutls_init(&ctxt->session, GNUTLS_SERVER);
+    if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0)
+        gnutls_session_ticket_enable_server(ctxt->session, &session_ticket_key);
 
     /* because we don't set any default priorities here (we set later at
@@ -1028 +1045 @@
     const gnutls_datum_t *cert_list;
     unsigned int cert_list_size, status, expired;
-    int rv, ret;
+    int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret;
     unsigned int ch_size = 0;
     union {
@@ -1057 +1074 @@
             "GnuTLS: A Chain of %d certificate(s) was provided for validation", cert_list_size);
 
-        for (ch_size =0; ch_size<cert_list_size; ch_size++) {
+        for (ch_size = 0; ch_size<cert_list_size; ch_size++) {
             gnutls_x509_crt_init(&cert.x509[ch_size]);
             rv = gnutls_x509_crt_import(cert.x509[ch_size], &cert_list[ch_size], GNUTLS_X509_FMT_DER);

src/mod_gnutls.c

@@ -122 +122 @@
                   RSRC_CONF,
                   "Cache Configuration"),
+    AP_INIT_TAKE1("GnuTLSSessionTickets", mgs_set_tickets,
+                  NULL,
+                  RSRC_CONF,
+                  "Session Tickets Configuration"),
     AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities,
                   NULL,