Changeset e86847d in mod_gnutls


Ignore:
Timestamp:
Jan 11, 2013, 12:56:02 AM (7 years ago)
Author:
Daniel Kahn Gillmor <dkg@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports
Children:
0ab45ea
Parents:
9a9f943 (diff), 2a2272d (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
Message:

Merge tag 'upstream/0.4.2'

Upstream version 0.4.2

Files:
9 edited

Legend:

Unmodified
Added
Removed
  • Makefile.am

    r9a9f943 re86847d  
    88                NOTICE LICENSE autogen.sh
    99
    10 SUBDIRS = src data
     10SUBDIRS = src
    1111ACLOCAL_AMFLAGS = -I m4
  • NEWS

    r9a9f943 re86847d  
     1** Version 0.4.2 (2007-12-10)
     2
     3- Added support for sending a certificate chain.
     4
     5- Corrected bug which did not allow the TLS session cache to be used.
     6
     7- Do not allow resuming sessions on different servers.
     8
    19** Version 0.4.1 (2007-12-03)
    210
  • README

    r9a9f943 re86847d  
    1212
    1313Lines of Code in mod_ssl: 15,324
    14 Lines of Code in mod_gnutls: 1,886
     14Lines of Code in mod_gnutls: 3,594
    1515
    1616Because of writing mod_gnutls, I now understand how input and output filters work,
     
    6464# a more advanced configuration
    6565GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
    66 GnuTLSCacheTimeout 500
    67 GnuTLSProtocols TLS1.1 TLS1.0 SSL3.0
     66GnuTLSCacheTimeout 600
    6867NameVirtualHost 1.2.3.4:443
    6968
     
    7170        Servername server.com:443
    7271        GnuTLSEnable on
    73         GnuTLSCiphers AES-128-CBC 3DES-CBC ARCFOUR-128
    74         GnuTLSKeyExchangeAlgorithms RSA DHE-RSA DHE-DSS SRP SRP-RSA SRP-DSS
    75         GnuTLSMACAlgorithms SHA1 MD5
    76         GnuTLSCompressionMethods NULL
     72        GnuTLSPriority NORMAL
    7773# To export exactly the same environment variables as mod_ssl to CGI scripts.
    7874        GNUTLSExportCertificates on
  • configure

    r9a9f943 re86847d  
    11#! /bin/sh
    22# Guess values for system-dependent variables and create Makefiles.
    3 # Generated by GNU Autoconf 2.61 for mod_gnutls 0.4.1.
     3# Generated by GNU Autoconf 2.61 for mod_gnutls 0.4.2.
    44#
    55# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
     
    727727PACKAGE_NAME='mod_gnutls'
    728728PACKAGE_TARNAME='mod_gnutls'
    729 PACKAGE_VERSION='0.4.1'
    730 PACKAGE_STRING='mod_gnutls 0.4.1'
     729PACKAGE_VERSION='0.4.2'
     730PACKAGE_STRING='mod_gnutls 0.4.2'
    731731PACKAGE_BUGREPORT=''
    732732
     
    14261426  # This message is too long to be a string in the A/UX 3.1 sh.
    14271427  cat <<_ACEOF
    1428 \`configure' configures mod_gnutls 0.4.1 to adapt to many kinds of systems.
     1428\`configure' configures mod_gnutls 0.4.2 to adapt to many kinds of systems.
    14291429
    14301430Usage: $0 [OPTION]... [VAR=VALUE]...
     
    14971497if test -n "$ac_init_help"; then
    14981498  case $ac_init_help in
    1499      short | recursive ) echo "Configuration of mod_gnutls 0.4.1:";;
     1499     short | recursive ) echo "Configuration of mod_gnutls 0.4.2:";;
    15001500   esac
    15011501  cat <<\_ACEOF
     
    16071607if $ac_init_version; then
    16081608  cat <<\_ACEOF
    1609 mod_gnutls configure 0.4.1
     1609mod_gnutls configure 0.4.2
    16101610generated by GNU Autoconf 2.61
    16111611
     
    16211621running configure, to aid debugging if configure makes a mistake.
    16221622
    1623 It was created by mod_gnutls $as_me 0.4.1, which was
     1623It was created by mod_gnutls $as_me 0.4.2, which was
    16241624generated by GNU Autoconf 2.61.  Invocation command line was
    16251625
     
    19921992  chmod +x config.nice
    19931993
    1994 MOD_GNUTLS_VERSION=0.4.1
     1994MOD_GNUTLS_VERSION=0.4.2
    19951995
    19961996
     
    24932493# Define the identity of the package.
    24942494 PACKAGE=mod_gnutls
    2495  VERSION=0.4.1
     2495 VERSION=0.4.2
    24962496
    24972497
     
    2139621396# values after options handling.
    2139721397ac_log="
    21398 This file was extended by mod_gnutls $as_me 0.4.1, which was
     21398This file was extended by mod_gnutls $as_me 0.4.2, which was
    2139921399generated by GNU Autoconf 2.61.  Invocation command line was
    2140021400
     
    2144921449cat >>$CONFIG_STATUS <<_ACEOF
    2145021450ac_cs_version="\\
    21451 mod_gnutls config.status 0.4.1
     21451mod_gnutls config.status 0.4.2
    2145221452configured by $0, generated by GNU Autoconf 2.61,
    2145321453  with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
  • configure.ac

    r9a9f943 re86847d  
    11dnl
    2 AC_INIT(mod_gnutls, 0.4.1)
     2AC_INIT(mod_gnutls, 0.4.2)
    33OOO_CONFIG_NICE(config.nice)
    44MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
     
    4444AC_SUBST(MODULE_LIBS)
    4545
    46 AC_CONFIG_FILES([Makefile src/Makefile include/mod_gnutls.h data/Makefile])
     46AC_CONFIG_FILES([Makefile src/Makefile include/mod_gnutls.h])
    4747AC_OUTPUT
    4848
  • include/mod_gnutls.h.in

    r9a9f943 re86847d  
    8181 */
    8282#define MAX_CA_CRTS 128
    83 #define MAX_CIPHERS 16
     83
     84/* The maximum number of certificates to send in a chain
     85 */
     86#define MAX_CHAIN_SIZE 8
    8487
    8588typedef struct
     
    8992    gnutls_anon_server_credentials_t anon_creds;
    9093    char* cert_cn;
    91     gnutls_x509_crt_t cert_x509;
     94    gnutls_x509_crt_t certs_x509[MAX_CHAIN_SIZE]; /* A certificate chain */
     95    unsigned int certs_x509_num;
    9296    gnutls_x509_privkey_t privkey_x509;
    9397    int enabled;
  • src/gnutls_cache.c

    r9a9f943 re86847d  
    3535
    3636#define MC_TAG "mod_gnutls:"
    37 #define MC_TAG_LEN \
    38     (sizeof(MC_TAG))
     37#define MC_TAG_LEN sizeof(MC_TAG)
    3938#define STR_SESSION_LEN (GNUTLS_SESSION_ID_STRING_LEN + MC_TAG_LEN)
    4039
    41 #if 0
    42 static char *gnutls_session_id2sz(unsigned char *id, int idlen,
     40char *mgs_session_id2sz(unsigned char *id, int idlen,
    4341                               char *str, int strsize)
    4442{
    4543    char *cp;
    4644    int n;
    47  
    48     cp = apr_cpystrn(str, MC_TAG, MC_TAG_LEN);
     45
     46    cp = str;
    4947    for (n = 0; n < idlen && n < GNUTLS_MAX_SESSION_ID; n++) {
    5048        apr_snprintf(cp, strsize - (cp-str), "%02X", id[n]);
     
    5452    return str;
    5553}
    56 #endif
     54
     55
     56/* Name the Session ID as:
     57 * server:port.SessionID
     58 * to disallow resuming sessions on different servers
     59 */
     60static int mgs_session_id2dbm(conn_rec* c, unsigned char *id, int idlen,
     61                               apr_datum_t* dbmkey)
     62{
     63char buf[STR_SESSION_LEN];
     64char *sz;
     65   
     66    sz = mgs_session_id2sz(id, idlen, buf, sizeof(buf));
     67    if (sz == NULL)
     68      return -1;
     69     
     70    dbmkey->dptr = apr_psprintf(c->pool, "%s:%d.%s", c->base_server->server_hostname, c->base_server->port, sz);
     71    dbmkey->dsize = strlen( dbmkey->dptr);
     72   
     73    return 0;
     74}
    5775
    5876#define CTIME "%b %d %k:%M:%S %Y %Z"
     
    7189}
    7290
    73 char *mgs_session_id2sz(unsigned char *id, int idlen,
    74                                char *str, int strsize)
    75 {
    76     char *cp;
    77     int n;
    78    
    79     cp = str;
    80     for (n = 0; n < idlen && n < GNUTLS_MAX_SESSION_ID; n++) {
    81         apr_snprintf(cp, strsize - (cp-str), "%02X", id[n]);
    82         cp += 2;
    83     }
    84     *cp = '\0';
    85     return str;
    86 }
    87 
    88 
    8991#if HAVE_APR_MEMCACHE
     92/* Name the Session ID as:
     93 * server:port.SessionID
     94 * to disallow resuming sessions on different servers
     95 */
     96static char* mgs_session_id2mc(conn_rec* c, unsigned char *id, int idlen)
     97{
     98char buf[STR_SESSION_LEN];
     99char *sz;
     100   
     101    sz = mgs_session_id2sz(id, idlen, buf, sizeof(buf));
     102    if (sz == NULL)
     103      return NULL;
     104     
     105    return apr_psprintf(c->pool, MC_TAG"%s:%d.%s", c->base_server->server_hostname, c->base_server->port, sz);
     106}
    90107
    91108/**
     
    185202    apr_status_t rv = APR_SUCCESS;
    186203    mgs_handle_t *ctxt = baton;
    187     char buf[STR_SESSION_LEN];
    188204    char* strkey = NULL;
    189205    apr_uint32_t timeout;
    190206
    191     strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf));
     207    strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
    192208    if(!strkey)
    193209        return -1;
     
    212228    apr_status_t rv = APR_SUCCESS;
    213229    mgs_handle_t *ctxt = baton;
    214     char buf[STR_SESSION_LEN];
    215230    char* strkey = NULL;
    216231    char* value;
     
    218233    gnutls_datum_t data = { NULL, 0 };
    219234
    220     strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf));
     235    strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
    221236    if (!strkey) {
    222237        return data;
     
    253268    apr_status_t rv = APR_SUCCESS;
    254269    mgs_handle_t *ctxt = baton;
    255     char buf[STR_SESSION_LEN];
    256270    char* strkey = NULL;
    257271
    258     strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf));
     272    strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
    259273    if(!strkey)
    260274        return -1;
     
    367381    apr_status_t rv;
    368382
    369     dbmkey.dptr  = (void*)key.data;
    370     dbmkey.dsize = key.size;
     383    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
     384        return data;
    371385
    372386    rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
     
    414428    apr_status_t rv;
    415429    apr_time_t expiry;
    416    
    417     dbmkey.dptr  = (char *)key.data;
    418     dbmkey.dsize = key.size;
     430
     431    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
     432        return -1;
    419433
    420434    /* create DBM value */
     
    468482    mgs_handle_t *ctxt = baton;
    469483    apr_status_t rv;
    470    
    471     dbmkey.dptr  = (char *)key.data;
    472     dbmkey.dsize = key.size;
     484
     485    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
     486        return -1;
    473487
    474488    rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
  • src/gnutls_config.c

    r9a9f943 re86847d  
    7373    }
    7474
    75     gnutls_dh_params_init(&sc->dh_params);
     75    ret = gnutls_dh_params_init(&sc->dh_params);
     76    if (ret < 0) {
     77        return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize"
     78                            ": (%d) %s", ret, gnutls_strerror(ret));
     79    }
     80
    7681    ret =
    7782        gnutls_dh_params_import_pkcs3(sc->dh_params, &data, GNUTLS_X509_FMT_PEM);
    78     if (ret != 0) {
     83    if (ret < 0) {
    7984        return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
    8085                            "DH params '%s': (%d) %s", file, ret,
     
    108113    }
    109114
    110     gnutls_rsa_params_init(&sc->rsa_params);
     115    ret = gnutls_rsa_params_init(&sc->rsa_params);
     116    if (ret < 0) {
     117        return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize"
     118                            ": (%d) %s", ret, gnutls_strerror(ret));
     119    }
     120
    111121    ret =
    112122        gnutls_rsa_params_import_pkcs1(sc->rsa_params, &data, GNUTLS_X509_FMT_PEM);
     
    142152    }
    143153
    144     gnutls_x509_crt_init(&sc->cert_x509);
     154    sc->certs_x509_num = MAX_CHAIN_SIZE;
    145155    ret =
    146         gnutls_x509_crt_import(sc->cert_x509, &data, GNUTLS_X509_FMT_PEM);
    147     if (ret != 0) {
     156        gnutls_x509_crt_list_import(sc->certs_x509, &sc->certs_x509_num, &data, GNUTLS_X509_FMT_PEM, 0);
     157    if (ret < 0) {
    148158        return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
    149159                            "Certificate '%s': (%d) %s", file, ret,
     
    175185    }
    176186
    177     gnutls_x509_privkey_init(&sc->privkey_x509);
     187    ret = gnutls_x509_privkey_init(&sc->privkey_x509);
     188    if (ret < 0) {
     189        return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize"
     190                            ": (%d) %s", ret, gnutls_strerror(ret));
     191    }
     192
    178193    ret =
    179194        gnutls_x509_privkey_import(sc->privkey_x509, &data,
     
    396411{
    397412    mgs_srvconf_rec *sc = apr_pcalloc(p, sizeof(*sc));
    398 
     413    int ret;
     414   
    399415    sc->enabled = GNUTLS_ENABLED_FALSE;
    400416
    401     gnutls_certificate_allocate_credentials(&sc->certs);
    402     gnutls_anon_allocate_server_credentials(&sc->anon_creds);
    403     gnutls_srp_allocate_server_credentials(&sc->srp_creds);
     417    ret = gnutls_certificate_allocate_credentials(&sc->certs);
     418    if (ret < 0) {
     419        return apr_psprintf(p, "GnuTLS: Failed to initialize"
     420                            ": (%d) %s", ret, gnutls_strerror(ret));
     421    }
     422
     423    ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds);
     424    if (ret < 0) {
     425        return apr_psprintf(p, "GnuTLS: Failed to initialize"
     426                            ": (%d) %s", ret, gnutls_strerror(ret));
     427    }
     428
     429    ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds);
     430    if (ret < 0) {
     431        return apr_psprintf(p, "GnuTLS: Failed to initialize"
     432                            ": (%d) %s", ret, gnutls_strerror(ret));
     433    }
    404434
    405435    sc->srp_tpasswd_conf_file = NULL;
    406436    sc->srp_tpasswd_file = NULL;
    407437    sc->privkey_x509 = NULL;
    408     sc->cert_x509 = NULL;
     438    memset( sc->certs_x509, 0, sizeof(sc->certs_x509));
     439    sc->certs_x509_num = 0;
    409440    sc->cache_timeout = apr_time_from_sec(300);
    410441    sc->cache_type = mgs_cache_dbm;
  • src/gnutls_hooks.c

    r9a9f943 re86847d  
    5858                    apr_pool_t * plog, apr_pool_t * ptemp)
    5959{
     60int ret;
    6061
    6162#if APR_HAS_THREADS
     
    6869#endif
    6970
    70     gnutls_global_init();
    71 
     71    ret = gnutls_global_init();
     72    if (ret < 0) /* FIXME: can we print here? */
     73        exit(ret);
     74                                           
    7275    apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config,
    7376                              apr_pool_cleanup_null);
     
    131134        return ret;
    132135
    133     /* allow separate caches per virtual host. Actually allowing the same is a
    134      * bad idea, since they might have different security requirements.
    135      */
    136     mgs_cache_session_init(ctxt);
    137136
    138137    return 0;
     
    146145
    147146    ret->type = GNUTLS_CRT_X509;
    148     ret->ncerts = 1;
     147    ret->ncerts = ctxt->sc->certs_x509_num;
    149148    ret->deinit_all = 0;
    150149
    151     ret->cert.x509 = &ctxt->sc->cert_x509;
     150    ret->cert.x509 = ctxt->sc->certs_x509;
    152151    ret->key.x509 = ctxt->sc->privkey_x509;
    153152    return 0;
     
    332331            }
    333332
    334             if (sc->cert_x509 == NULL
     333            if (sc->certs_x509[0] == NULL
    335334                && sc->enabled == GNUTLS_ENABLED_TRUE) {
    336335                ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
     
    351350
    352351            if (sc->enabled == GNUTLS_ENABLED_TRUE) {
    353                 rv = read_crt_cn(s, p, sc->cert_x509, &sc->cert_cn);
     352                rv = read_crt_cn(s, p, sc->certs_x509[0], &sc->cert_cn);
    354353                if (rv < 0) {
    355354                    ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
     
    589588                                                    mgs_select_virtual_server_cb);
    590589
     590    mgs_cache_session_init(ctxt);
     591
    591592    return ctxt;
    592593}
     
    684685    apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp));
    685686
    686     mgs_add_common_cert_vars(r, ctxt->sc->cert_x509, 0,
     687    mgs_add_common_cert_vars(r, ctxt->sc->certs_x509[0], 0,
    687688                             ctxt->sc->export_certificates_enabled);
    688689
Note: See TracChangeset for help on using the changeset viewer.