aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGravatar Nikos Mavrogiannopoulos 2007-12-09 11:12:23 +0000
committerGravatar Nokis Mavrogiannopoulos 2007-12-09 11:12:23 +0000
commitc055502e2b369f6c57b3b01fd4c110bb196c8051 (patch)
tree9b53d1cd7f4240e56b9b47b280ce0f3c782cfac0
parentae4a2b0a8b10e98f2c74163f33a27be704ded09f (diff)
Do not allow resuming sessions on different servers.
-rw-r--r--NEWS2
-rw-r--r--src/gnutls_cache.c84
2 files changed, 51 insertions, 35 deletions
diff --git a/NEWS b/NEWS
index bb2df34..116ce34 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@
4 4
5- Corrected bug which did not allow the TLS session cache to be used. 5- Corrected bug which did not allow the TLS session cache to be used.
6 6
7- Do not allow resuming sessions on different servers.
8
7** Version 0.4.1 (2007-12-03) 9** Version 0.4.1 (2007-12-03)
8 10
9- Added support for subject alternative names in certificates. 11- Added support for subject alternative names in certificates.
diff --git a/src/gnutls_cache.c b/src/gnutls_cache.c
index 86b843e..b29086b 100644
--- a/src/gnutls_cache.c
+++ b/src/gnutls_cache.c
@@ -34,18 +34,16 @@
34 34
35 35
36#define MC_TAG "mod_gnutls:" 36#define MC_TAG "mod_gnutls:"
37#define MC_TAG_LEN \ 37#define MC_TAG_LEN sizeof(MC_TAG)
38 (sizeof(MC_TAG))
39#define STR_SESSION_LEN (GNUTLS_SESSION_ID_STRING_LEN + MC_TAG_LEN) 38#define STR_SESSION_LEN (GNUTLS_SESSION_ID_STRING_LEN + MC_TAG_LEN)
40 39
41#if 0 40char *mgs_session_id2sz(unsigned char *id, int idlen,
42static char *gnutls_session_id2sz(unsigned char *id, int idlen,
43 char *str, int strsize) 41 char *str, int strsize)
44{ 42{
45 char *cp; 43 char *cp;
46 int n; 44 int n;
47 45
48 cp = apr_cpystrn(str, MC_TAG, MC_TAG_LEN); 46 cp = str;
49 for (n = 0; n < idlen && n < GNUTLS_MAX_SESSION_ID; n++) { 47 for (n = 0; n < idlen && n < GNUTLS_MAX_SESSION_ID; n++) {
50 apr_snprintf(cp, strsize - (cp-str), "%02X", id[n]); 48 apr_snprintf(cp, strsize - (cp-str), "%02X", id[n]);
51 cp += 2; 49 cp += 2;
@@ -53,7 +51,27 @@ static char *gnutls_session_id2sz(unsigned char *id, int idlen,
53 *cp = '\0'; 51 *cp = '\0';
54 return str; 52 return str;
55} 53}
56#endif 54
55
56/* Name the Session ID as:
57 * IP:port.SessionID
58 * to disallow resuming sessions on different servers
59 */
60static int mgs_session_id2dbm(conn_rec* c, unsigned char *id, int idlen,
61 apr_datum_t* dbmkey)
62{
63char buf[STR_SESSION_LEN];
64char *sz;
65
66 sz = mgs_session_id2sz(id, idlen, buf, sizeof(buf));
67 if (sz == NULL)
68 return -1;
69
70 dbmkey->dptr = apr_psprintf(c->pool, "%s:%d.%s", c->local_ip, c->base_server->port, sz);
71 dbmkey->dsize = strlen( dbmkey->dptr);
72
73 return 0;
74}
57 75
58#define CTIME "%b %d %k:%M:%S %Y %Z" 76#define CTIME "%b %d %k:%M:%S %Y %Z"
59char *mgs_time2sz(time_t in_time, char *str, int strsize) 77char *mgs_time2sz(time_t in_time, char *str, int strsize)
@@ -70,24 +88,23 @@ char *mgs_time2sz(time_t in_time, char *str, int strsize)
70 return str; 88 return str;
71} 89}
72 90
73char *mgs_session_id2sz(unsigned char *id, int idlen, 91#if HAVE_APR_MEMCACHE
74 char *str, int strsize) 92/* Name the Session ID as:
93 * IP:port.SessionID
94 * to disallow resuming sessions on different servers
95 */
96static char* mgs_session_id2mc(conn_rec* c, unsigned char *id, int idlen)
75{ 97{
76 char *cp; 98char buf[STR_SESSION_LEN];
77 int n; 99char *sz;
78 100
79 cp = str; 101 sz = mgs_session_id2sz(id, idlen, buf, sizeof(buf));
80 for (n = 0; n < idlen && n < GNUTLS_MAX_SESSION_ID; n++) { 102 if (sz == NULL)
81 apr_snprintf(cp, strsize - (cp-str), "%02X", id[n]); 103 return NULL;
82 cp += 2; 104
83 } 105 return apr_psprintf(c->pool, MC_TAG"%s:%d.%s", c->local_ip, c->base_server->port, sz);
84 *cp = '\0';
85 return str;
86} 106}
87 107
88
89#if HAVE_APR_MEMCACHE
90
91/** 108/**
92 * GnuTLS Session Cache using libmemcached 109 * GnuTLS Session Cache using libmemcached
93 * 110 *
@@ -184,11 +201,10 @@ static int mc_cache_store(void* baton, gnutls_datum_t key,
184{ 201{
185 apr_status_t rv = APR_SUCCESS; 202 apr_status_t rv = APR_SUCCESS;
186 mgs_handle_t *ctxt = baton; 203 mgs_handle_t *ctxt = baton;
187 char buf[STR_SESSION_LEN];
188 char* strkey = NULL; 204 char* strkey = NULL;
189 apr_uint32_t timeout; 205 apr_uint32_t timeout;
190 206
191 strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf)); 207 strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
192 if(!strkey) 208 if(!strkey)
193 return -1; 209 return -1;
194 210
@@ -211,13 +227,12 @@ static gnutls_datum_t mc_cache_fetch(void* baton, gnutls_datum_t key)
211{ 227{
212 apr_status_t rv = APR_SUCCESS; 228 apr_status_t rv = APR_SUCCESS;
213 mgs_handle_t *ctxt = baton; 229 mgs_handle_t *ctxt = baton;
214 char buf[STR_SESSION_LEN];
215 char* strkey = NULL; 230 char* strkey = NULL;
216 char* value; 231 char* value;
217 apr_size_t value_len; 232 apr_size_t value_len;
218 gnutls_datum_t data = { NULL, 0 }; 233 gnutls_datum_t data = { NULL, 0 };
219 234
220 strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf)); 235 strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
221 if (!strkey) { 236 if (!strkey) {
222 return data; 237 return data;
223 } 238 }
@@ -252,10 +267,9 @@ static int mc_cache_delete(void* baton, gnutls_datum_t key)
252{ 267{
253 apr_status_t rv = APR_SUCCESS; 268 apr_status_t rv = APR_SUCCESS;
254 mgs_handle_t *ctxt = baton; 269 mgs_handle_t *ctxt = baton;
255 char buf[STR_SESSION_LEN];
256 char* strkey = NULL; 270 char* strkey = NULL;
257 271
258 strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf)); 272 strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
259 if(!strkey) 273 if(!strkey)
260 return -1; 274 return -1;
261 275
@@ -366,8 +380,8 @@ static gnutls_datum_t dbm_cache_fetch(void* baton, gnutls_datum_t key)
366 mgs_handle_t *ctxt = baton; 380 mgs_handle_t *ctxt = baton;
367 apr_status_t rv; 381 apr_status_t rv;
368 382
369 dbmkey.dptr = (void*)key.data; 383 if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
370 dbmkey.dsize = key.size; 384 return data;
371 385
372 rv = apr_dbm_open(&dbm, ctxt->sc->cache_config, 386 rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
373 APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool); 387 APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool);
@@ -413,9 +427,9 @@ static int dbm_cache_store(void* baton, gnutls_datum_t key,
413 mgs_handle_t *ctxt = baton; 427 mgs_handle_t *ctxt = baton;
414 apr_status_t rv; 428 apr_status_t rv;
415 apr_time_t expiry; 429 apr_time_t expiry;
416 430
417 dbmkey.dptr = (char *)key.data; 431 if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
418 dbmkey.dsize = key.size; 432 return -1;
419 433
420 /* create DBM value */ 434 /* create DBM value */
421 dbmval.dsize = data.size + sizeof(apr_time_t); 435 dbmval.dsize = data.size + sizeof(apr_time_t);
@@ -467,9 +481,9 @@ static int dbm_cache_delete(void* baton, gnutls_datum_t key)
467 apr_datum_t dbmkey; 481 apr_datum_t dbmkey;
468 mgs_handle_t *ctxt = baton; 482 mgs_handle_t *ctxt = baton;
469 apr_status_t rv; 483 apr_status_t rv;
470 484
471 dbmkey.dptr = (char *)key.data; 485 if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
472 dbmkey.dsize = key.size; 486 return -1;
473 487
474 rv = apr_dbm_open(&dbm, ctxt->sc->cache_config, 488 rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
475 APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool); 489 APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool);