Changeset e376ed8 in mod_gnutls for src


Ignore:
Timestamp:
Nov 29, 2019, 4:30:08 PM (14 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
asyncio, master, proxy-ticket
Children:
618ee14
Parents:
d4c9331 (diff), 556783e (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
Message:

Merge branch 'subca'

Location:
src
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • src/gnutls_cache.c

    rd4c9331 re376ed8  
    5252/** Maximum length of the hex string representation of a GnuTLS
    5353 * session ID: two characters per byte, plus one more for `\0` */
    54 #if GNUTLS_VERSION_NUMBER >= 0x030400
    5554#define GNUTLS_SESSION_ID_STRING_LEN ((GNUTLS_MAX_SESSION_ID_SIZE * 2) + 1)
    56 #else
    57 #define GNUTLS_SESSION_ID_STRING_LEN ((GNUTLS_MAX_SESSION_ID * 2) + 1)
    58 #endif
    5955
    6056#ifdef APLOG_USE_MODULE
     
    179175#define SOCACHE_FETCH_BUF_SIZE (8 * 1024)
    180176
    181 gnutls_datum_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server,
    182                                gnutls_datum_t key, apr_pool_t *pool)
    183 {
    184     gnutls_datum_t data = {NULL, 0};
    185     data.data = gnutls_malloc(SOCACHE_FETCH_BUF_SIZE);
    186     if (data.data == NULL)
    187         return data;
    188     data.size = SOCACHE_FETCH_BUF_SIZE;
    189 
     177apr_status_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server,
     178                             gnutls_datum_t key, gnutls_datum_t *output,
     179                             apr_pool_t *pool)
     180{
    190181    apr_pool_t *spool;
    191182    apr_pool_create(&spool, pool);
     
    195186    apr_status_t rv = cache->prov->retrieve(cache->socache, server,
    196187                                            key.data, key.size,
    197                                             data.data, &data.size,
     188                                            output->data, &output->size,
    198189                                            spool);
    199190    if (cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
     
    211202                         "error fetching from cache '%s:%s'",
    212203                         cache->prov->name, cache->config);
     204    }
     205    else
     206    {
     207        ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, server,
     208                     "fetched %u bytes from cache '%s:%s'",
     209                     output->size, cache->prov->name, cache->config);
     210    }
     211    apr_pool_destroy(spool);
     212
     213    return rv;
     214}
     215
     216
     217
     218/**
     219 * Fetch function for the GnuTLS session cache, see
     220 * gnutls_db_set_retrieve_function().
     221 *
     222 * *Warning*: The `data` element of the returned `gnutls_datum_t` is
     223 * allocated using `gnutls_malloc()` for compatibility with the GnuTLS
     224 * session caching API, and must be released using `gnutls_free()`.
     225 *
     226 * @param baton mgs_handle_t for the connection, as set via
     227 * gnutls_db_set_ptr()
     228 *
     229 * @param key object key to fetch
     230 *
     231 * @return the requested cache entry, or `{NULL, 0}`
     232 */
     233static gnutls_datum_t socache_fetch_session(void *baton, gnutls_datum_t key)
     234{
     235    gnutls_datum_t data = {NULL, 0};
     236    gnutls_datum_t dbmkey;
     237    mgs_handle_t *ctxt = baton;
     238
     239    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
     240        return data;
     241
     242    data.data = gnutls_malloc(SOCACHE_FETCH_BUF_SIZE);
     243    if (data.data == NULL)
     244        return data;
     245    data.size = SOCACHE_FETCH_BUF_SIZE;
     246
     247    apr_status_t rv = mgs_cache_fetch(ctxt->sc->cache, ctxt->c->base_server,
     248                                      dbmkey, &data, ctxt->c->pool);
     249
     250    if (rv != APR_SUCCESS)
     251    {
    213252        /* free unused buffer */
    214253        gnutls_free(data.data);
     
    218257    else
    219258    {
    220         ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, server,
    221                      "fetched %u bytes from cache '%s:%s'",
    222                      data.size, cache->prov->name, cache->config);
    223 
    224259        /* Realloc buffer to data.size. Data size must be less than or
    225260         * equal to the initial buffer size, so this REALLY should not
     
    228263        if (__builtin_expect(data.data == NULL, 0))
    229264        {
    230             ap_log_error(APLOG_MARK, APLOG_CRIT, APR_ENOMEM, server,
     265            ap_log_cerror(APLOG_MARK, APLOG_CRIT, APR_ENOMEM, ctxt->c,
    231266                         "%s: Could not realloc fetch buffer to data size!",
    232267                         __func__);
     
    234269        }
    235270    }
    236     apr_pool_destroy(spool);
    237271
    238272    return data;
    239 }
    240 
    241 
    242 
    243 /**
    244  * Fetch function for the GnuTLS session cache, see
    245  * gnutls_db_set_retrieve_function().
    246  *
    247  * *Warning*: The `data` element of the returned `gnutls_datum_t` is
    248  * allocated using `gnutls_malloc()` for compatibility with the GnuTLS
    249  * session caching API, and must be released using `gnutls_free()`.
    250  *
    251  * @param baton mgs_handle_t for the connection, as set via
    252  * gnutls_db_set_ptr()
    253  *
    254  * @param key object key to fetch
    255  *
    256  * @return the requested cache entry, or `{NULL, 0}`
    257  */
    258 static gnutls_datum_t socache_fetch_session(void *baton, gnutls_datum_t key)
    259 {
    260     gnutls_datum_t data = {NULL, 0};
    261     gnutls_datum_t dbmkey;
    262     mgs_handle_t *ctxt = baton;
    263 
    264     if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
    265         return data;
    266 
    267     return mgs_cache_fetch(ctxt->sc->cache, ctxt->c->base_server,
    268                            dbmkey, ctxt->c->pool);
    269273}
    270274
  • src/gnutls_cache.h

    rd4c9331 re376ed8  
    139139 * @param key key for the cache entry to be fetched
    140140 *
    141  * @param pool pool to allocate the response and other temporary
    142  * memory from
     141 * @param output pre-allocated buffer to write to and its size
    143142 *
    144  * @return the requested cache entry, or `{NULL, 0}`
     143 * @param pool pool to allocate temporary memory from
     144 *
     145 * @return APR status or error value
    145146 */
    146 gnutls_datum_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server,
    147                                gnutls_datum_t key, apr_pool_t *pool);
     147apr_status_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server,
     148                             gnutls_datum_t key, gnutls_datum_t *output,
     149                             apr_pool_t *pool);
    148150
    149151/**
  • src/gnutls_hooks.c

    rd4c9331 re376ed8  
    7373{
    7474    /* Free session ticket master key */
    75 #if GNUTLS_VERSION_NUMBER >= 0x030400
    7675    gnutls_memset(session_ticket_key.data, 0, session_ticket_key.size);
    77 #endif
    7876    gnutls_free(session_ticket_key.data);
    7977    session_ticket_key.data = NULL;
     
    384382
    385383static int cert_retrieve_fn(gnutls_session_t session,
    386                             const gnutls_datum_t * req_ca_rdn __attribute__((unused)),
    387                             int nreqs __attribute__((unused)),
    388                             const gnutls_pk_algorithm_t * pk_algos __attribute__((unused)),
    389                             int pk_algos_length __attribute__((unused)),
     384                            const struct gnutls_cert_retr_st *info __attribute__((unused)),
    390385                            gnutls_pcert_st **pcerts,
    391386                            unsigned int *pcert_length,
    392                             gnutls_privkey_t *privkey)
     387                            gnutls_ocsp_data_st **ocsp,
     388                            unsigned int *ocsp_length,
     389                            gnutls_privkey_t *privkey,
     390                            unsigned int *flags)
    393391{
    394392    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     
    407405        *pcerts = ctxt->sc->certs_x509_chain;
    408406        *pcert_length = ctxt->sc->certs_x509_chain_num;
     407        *ocsp = NULL;
     408        *ocsp_length = 0;
    409409        *privkey = ctxt->sc->privkey_x509;
     410        *flags = 0;
     411
     412        if (ctxt->sc->ocsp_staple == GNUTLS_ENABLED_TRUE)
     413        {
     414            gnutls_ocsp_data_st *resp =
     415                apr_palloc(ctxt->c->pool, sizeof(gnutls_ocsp_data_st));
     416            resp->version = 0;
     417            resp->exptime = 0;
     418
     419            int ret = mgs_get_ocsp_response(session, NULL, &resp->response);
     420            if (ret == GNUTLS_E_SUCCESS)
     421            {
     422                *ocsp = resp;
     423                *ocsp_length = 1;
     424            }
     425        }
     426
    410427        return 0;
    411428    } else {
     
    417434
    418435
    419 #if GNUTLS_VERSION_NUMBER >= 0x030506
    420 #define HAVE_KNOWN_DH_GROUPS 1
    421 #endif
    422 #ifdef HAVE_KNOWN_DH_GROUPS
    423436/**
    424437 * Try to estimate a GnuTLS security parameter based on the given
     
    447460    return gnutls_pk_bits_to_sec_param(pk_algo, bits);
    448461}
    449 #else
    450 /** ffdhe2048 DH group as defined in RFC 7919, Appendix A.1. This is
    451  * the default DH group if mod_gnutls is compiled agains a GnuTLS
    452  * version that does not provide known DH groups based on security
    453  * parameters (before 3.5.6). */
    454 static const char FFDHE2048_PKCS3[] =
    455     "-----BEGIN DH PARAMETERS-----\n"
    456     "MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
    457     "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
    458     "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
    459     "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
    460     "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
    461     "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICAQA=\n"
    462     "-----END DH PARAMETERS-----\n";
    463 const gnutls_datum_t default_dh_params = {
    464     (void *) FFDHE2048_PKCS3,
    465     sizeof(FFDHE2048_PKCS3)
    466 };
    467 #endif
    468462
    469463
     
    485479        ap_get_module_config(server->module_config, &gnutls_module);
    486480
    487 #ifdef HAVE_KNOWN_DH_GROUPS
    488481    gnutls_sec_param_t seclevel = GNUTLS_SEC_PARAM_UNKNOWN;
    489482    if (sc->privkey_x509)
     
    519512        return HTTP_UNAUTHORIZED;
    520513    }
    521 #else
    522     int ret = gnutls_dh_params_init(&sc->dh_params);
    523     if (ret < 0)
    524     {
    525         ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
    526                      "%s: Failed to initialize DH params structure: "
    527                      "%s (%d)", __func__, gnutls_strerror(ret), ret);
    528         return HTTP_UNAUTHORIZED;
    529     }
    530     ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &default_dh_params,
    531                                         GNUTLS_X509_FMT_PEM);
    532     if (ret < 0)
    533     {
    534         ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
    535                      "%s: Failed to import default DH params: %s (%d)",
    536                      __func__, gnutls_strerror(ret), ret);
    537         return HTTP_UNAUTHORIZED;
    538     }
    539 
    540     gnutls_certificate_set_dh_params(sc->certs, sc->dh_params);
    541     gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params);
    542 #endif
    543514
    544515    return OK;
     
    731702        }
    732703
    733         /* The call after this comment is a workaround for bug in
    734          * gnutls_certificate_set_retrieve_function2 that ignores
    735          * supported certificate types. Should be fixed in GnuTLS
    736          * 3.3.12.
    737          *
    738          * Details:
    739          * https://lists.gnupg.org/pipermail/gnutls-devel/2015-January/007377.html
    740          * Workaround from:
    741          * https://github.com/vanrein/tlspool/commit/4938102d3d1b086491d147e6c8e4e2a02825fc12 */
    742 #if GNUTLS_VERSION_NUMBER < 0x030312
    743         gnutls_certificate_set_retrieve_function(sc->certs, (void *) exit);
    744 #endif
    745 
    746         gnutls_certificate_set_retrieve_function2(sc->certs, cert_retrieve_fn);
     704        gnutls_certificate_set_retrieve_function3(sc->certs, cert_retrieve_fn);
    747705
    748706        if ((sc->certs_x509_chain == NULL || sc->certs_x509_chain_num < 1) &&
     
    13721330                                         gnutls_mac_get(ctxt->session)));
    13731331
    1374 #if GNUTLS_VERSION_NUMBER >= 0x030600
    13751332    /* Compression support has been removed since GnuTLS 3.6.0 */
    13761333    apr_table_setn(env, "SSL_COMPRESS_METHOD", "NULL");
    1377 #else
    1378     apr_table_setn(env, "SSL_COMPRESS_METHOD",
    1379             gnutls_compression_get_name(gnutls_compression_get(ctxt->session)));
    1380 #endif
    13811334
    13821335#ifdef ENABLE_SRP
  • src/gnutls_ocsp.c

    rd4c9331 re376ed8  
    4141/** Dummy data for failure cache entries (one byte). */
    4242#define OCSP_FAILURE_CACHE_DATA 0x0f
     43/** Macro to check if an OCSP reponse pointer contains a cached
     44 * failure */
     45#define IS_FAILURE_RESPONSE(resp) \
     46    (((resp)->size == sizeof(unsigned char)) &&                     \
     47     (*((unsigned char *) (resp)->data) == OCSP_FAILURE_CACHE_DATA))
    4348
    4449
     
    786791    }
    787792
    788     *ocsp_response = mgs_cache_fetch(ctxt->sc->ocsp_cache,
    789                                      ctxt->c->base_server,
    790                                      ctxt->sc->ocsp->fingerprint,
    791                                      ctxt->c->pool);
    792     if (ocsp_response->size == 0)
     793    // TODO: Large allocation, and the pool system doesn't offer realloc
     794    ocsp_response->data = apr_palloc(ctxt->c->pool, OCSP_RESP_SIZE_MAX);
     795    ocsp_response->size = OCSP_RESP_SIZE_MAX;
     796
     797    apr_status_t rv = mgs_cache_fetch(ctxt->sc->ocsp_cache,
     798                                      ctxt->c->base_server,
     799                                      ctxt->sc->ocsp->fingerprint,
     800                                      ocsp_response,
     801                                      ctxt->c->pool);
     802    if (rv != APR_SUCCESS)
    793803    {
    794804        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_EGENERAL, ctxt->c,
    795805                      "Fetching OCSP response from cache failed.");
    796806    }
    797     else if ((ocsp_response->size == sizeof(unsigned char)) &&
    798              (*((unsigned char *) ocsp_response->data) == OCSP_FAILURE_CACHE_DATA))
     807    else if (IS_FAILURE_RESPONSE(ocsp_response))
    799808    {
    800809        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, ctxt->c,
     
    807816        return GNUTLS_E_SUCCESS;
    808817    }
    809     /* get rid of invalid response (if any) */
    810     gnutls_free(ocsp_response->data);
    811     ocsp_response->data = NULL;
     818    /* keep response buffer, reset size for reuse */
     819    ocsp_response->size = OCSP_RESP_SIZE_MAX;
    812820
    813821    /* If the cache had no response or an invalid one, try to update. */
     
    815823                  "No valid OCSP response in cache, trying to update.");
    816824
    817     apr_status_t rv = apr_global_mutex_trylock(sc->ocsp_mutex);
     825    rv = apr_global_mutex_trylock(sc->ocsp_mutex);
    818826    if (APR_STATUS_IS_EBUSY(rv))
    819827    {
     
    824832         * moment there's no good way to integrate that with the
    825833         * Apache Mutex directive. */
    826         *ocsp_response = mgs_cache_fetch(ctxt->sc->ocsp_cache,
    827                                          ctxt->c->base_server,
    828                                          ctxt->sc->ocsp->fingerprint,
    829                                          ctxt->c->pool);
    830         if (ocsp_response->size > 0)
    831         {
    832             /* Got a valid response now, unlock mutex and return. */
     834        rv = mgs_cache_fetch(ctxt->sc->ocsp_cache,
     835                             ctxt->c->base_server,
     836                             ctxt->sc->ocsp->fingerprint,
     837                             ocsp_response,
     838                             ctxt->c->pool);
     839        if (rv == APR_SUCCESS)
     840        {
    833841            apr_global_mutex_unlock(sc->ocsp_mutex);
    834             return GNUTLS_E_SUCCESS;
     842            /* Check if the response is valid. */
     843            if (IS_FAILURE_RESPONSE(ocsp_response))
     844            {
     845                ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, ctxt->c,
     846                              "Cached OCSP failure found for %s.",
     847                              ctxt->c->base_server->server_hostname);
     848                goto fail_cleanup;
     849            }
     850            else
     851                return GNUTLS_E_SUCCESS;
    835852        }
    836853        else
    837854        {
    838             gnutls_free(ocsp_response->data);
    839             ocsp_response->data = NULL;
     855            /* keep response buffer, reset size for reuse */
     856            ocsp_response->size = OCSP_RESP_SIZE_MAX;
    840857        }
    841858    }
     
    855872
    856873    /* retry reading from cache */
    857     *ocsp_response = mgs_cache_fetch(ctxt->sc->ocsp_cache,
    858                                      ctxt->c->base_server,
    859                                      ctxt->sc->ocsp->fingerprint,
    860                                      ctxt->c->pool);
    861     if (ocsp_response->size == 0)
     874    rv = mgs_cache_fetch(ctxt->sc->ocsp_cache,
     875                         ctxt->c->base_server,
     876                         ctxt->sc->ocsp->fingerprint,
     877                         ocsp_response,
     878                         ctxt->c->pool);
     879    if (rv != APR_SUCCESS)
    862880    {
    863881        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
     
    869887    }
    870888
    871     /* failure, clean up response data */
     889    /* failure, reset struct, buffer will be released with the
     890     * connection pool */
    872891 fail_cleanup:
    873     gnutls_free(ocsp_response->data);
    874892    ocsp_response->size = 0;
    875893    ocsp_response->data = NULL;
     
    10611079    if (rv != APR_SUCCESS)
    10621080    {
    1063         const gnutls_datum_t ocsp_response =
    1064             mgs_cache_fetch(sc->ocsp_cache, server,
    1065                             sc->ocsp->fingerprint, pool);
    1066 
    1067         if (ocsp_response.size == 0 ||
    1068             ((ocsp_response.size == sizeof(unsigned char)) &&
    1069              (*((unsigned char *) ocsp_response.data) ==
    1070               OCSP_FAILURE_CACHE_DATA)))
     1081        gnutls_datum_t ocsp_response;
     1082        ocsp_response.data = apr_palloc(pool, OCSP_RESP_SIZE_MAX);
     1083        ocsp_response.size = OCSP_RESP_SIZE_MAX;
     1084
     1085        apr_status_t rv = mgs_cache_fetch(sc->ocsp_cache, server,
     1086                                          sc->ocsp->fingerprint,
     1087                                          &ocsp_response,
     1088                                          pool);
     1089
     1090        if (rv != APR_SUCCESS || (IS_FAILURE_RESPONSE(&ocsp_response)))
    10711091        {
    10721092            ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, server,
     
    10751095            mgs_cache_ocsp_failure(server, sc->ocsp_failure_timeout * 2);
    10761096        }
    1077 
    1078         /* Get rid of the response, if any */
    1079         if (ocsp_response.size != 0)
    1080             gnutls_free(ocsp_response.data);
    10811097    }
    10821098    apr_global_mutex_unlock(sc->ocsp_mutex);
     
    11961212                              apr_pool_cleanup_null);
    11971213
    1198     /* enable status request callback */
    1199     gnutls_certificate_set_ocsp_status_request_function(sc->certs,
    1200                                                         mgs_get_ocsp_response,
    1201                                                         sc);
    1202 
    12031214    /* The watchdog structure may be NULL if mod_watchdog is
    12041215     * unavailable. */
Note: See TracChangeset for help on using the changeset viewer.