Do not allow resuming sessions on different servers.

author: Nokis Mavrogiannopoulos 2007-12-09 11:12:23 +0000
committer: Nokis Mavrogiannopoulos 2007-12-09 11:12:23 +0000
commit: ae5263c379cc43e451102e4c4e193f48fd91df88 (patch)
tree: 9b53d1cd7f4240e56b9b47b280ce0f3c782cfac0
parent: e2ba0d06fd1edd80ca76bb2279b76944b6e6a901 (diff)
2 files changed, 51 insertions, 35 deletions
diff --git a/NEWS b/NEWS
index bb2df34..116ce34 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@
 - Corrected bug which did not allow the TLS session cache to be used.
+- Do not allow resuming sessions on different servers.
 ** Version 0.4.1 (2007-12-03)
 - Added support for subject alternative names in certificates.
diff --git a/src/gnutls_cache.c b/src/gnutls_cache.c
index 86b843e..b29086b 100644
--- a/src/gnutls_cache.c
+++ b/src/gnutls_cache.c
@@ -34,18 +34,16 @@
 #define MC_TAG "mod_gnutls:"
-#define MC_TAG_LEN \
+#define MC_TAG_LEN sizeof(MC_TAG)
-    (sizeof(MC_TAG))
 #define STR_SESSION_LEN (GNUTLS_SESSION_ID_STRING_LEN + MC_TAG_LEN)
-#if 0
+char *mgs_session_id2sz(unsigned char *id, int idlen,
-static char *gnutls_session_id2sz(unsigned char *id, int idlen,
                               char *str, int strsize)
 {
    char *cp;
    int n;
- 
-    cp = apr_cpystrn(str, MC_TAG, MC_TAG_LEN);
+    cp = str; 
    for (n = 0; n < idlen && n < GNUTLS_MAX_SESSION_ID; n++) {
        apr_snprintf(cp, strsize - (cp-str), "%02X", id[n]);
        cp += 2;
@@ -53,7 +51,27 @@ static char *gnutls_session_id2sz(unsigned char *id, int idlen,
    *cp = '\0';
    return str;
 }
-#endif
+/* Name the Session ID as:
+ * IP:port.SessionID
+ * to disallow resuming sessions on different servers
+ */
+static int mgs_session_id2dbm(conn_rec* c, unsigned char *id, int idlen,
+                               apr_datum_t* dbmkey)
+{
+char buf[STR_SESSION_LEN];
+char *sz;
+    
+    sz = mgs_session_id2sz(id, idlen, buf, sizeof(buf));
+    if (sz == NULL)
+      return -1;
+      
+    dbmkey->dptr = apr_psprintf(c->pool, "%s:%d.%s", c->local_ip, c->base_server->port, sz);
+    dbmkey->dsize = strlen( dbmkey->dptr);
+    
+    return 0;
+}
 #define CTIME "%b %d %k:%M:%S %Y %Z"
 char *mgs_time2sz(time_t in_time, char *str, int strsize)
@@ -70,24 +88,23 @@ char *mgs_time2sz(time_t in_time, char *str, int strsize)
    return str;
 }
-char *mgs_session_id2sz(unsigned char *id, int idlen,
+#if HAVE_APR_MEMCACHE
-                               char *str, int strsize)
+/* Name the Session ID as:
+ * IP:port.SessionID
+ * to disallow resuming sessions on different servers
+ */
+static char* mgs_session_id2mc(conn_rec* c, unsigned char *id, int idlen)
 {
-    char *cp;
+char buf[STR_SESSION_LEN];
-    int n;
+char *sz;
    
-    cp = str;
+    sz = mgs_session_id2sz(id, idlen, buf, sizeof(buf));
-    for (n = 0; n < idlen && n < GNUTLS_MAX_SESSION_ID; n++) {
+    if (sz == NULL)
-        apr_snprintf(cp, strsize - (cp-str), "%02X", id[n]);
+      return NULL;
-        cp += 2;
+      
-    }
+    return apr_psprintf(c->pool, MC_TAG"%s:%d.%s", c->local_ip, c->base_server->port, sz);
-    *cp = '\0';
-    return str;
 }
-#if HAVE_APR_MEMCACHE
 /**
 * GnuTLS Session Cache using libmemcached
 *
@@ -184,11 +201,10 @@ static int mc_cache_store(void* baton, gnutls_datum_t key,
 {
    apr_status_t rv = APR_SUCCESS;
    mgs_handle_t *ctxt = baton;
-    char buf[STR_SESSION_LEN];
    char* strkey = NULL;
    apr_uint32_t timeout;
-    strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf));
+    strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
    if(!strkey)
        return -1;
@@ -211,13 +227,12 @@ static gnutls_datum_t mc_cache_fetch(void* baton, gnutls_datum_t key)
 {
    apr_status_t rv = APR_SUCCESS;
    mgs_handle_t *ctxt = baton;
-    char buf[STR_SESSION_LEN];
    char* strkey = NULL;
    char* value;
    apr_size_t value_len;
    gnutls_datum_t data = { NULL, 0 };
-    strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf));
+    strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
    if (!strkey) {
        return data;
    }
@@ -252,10 +267,9 @@ static int mc_cache_delete(void* baton, gnutls_datum_t key)
 {
    apr_status_t rv = APR_SUCCESS;
    mgs_handle_t *ctxt = baton;
-    char buf[STR_SESSION_LEN];
    char* strkey = NULL;
-    strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf));
+    strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
    if(!strkey)
        return -1;
@@ -366,8 +380,8 @@ static gnutls_datum_t dbm_cache_fetch(void* baton, gnutls_datum_t key)
    mgs_handle_t *ctxt = baton;
    apr_status_t rv;
-    dbmkey.dptr  = (void*)key.data;
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
-    dbmkey.dsize = key.size;
+        return data;
    rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
                      APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool);
@@ -413,9 +427,9 @@ static int dbm_cache_store(void* baton, gnutls_datum_t key,
    mgs_handle_t *ctxt = baton;
    apr_status_t rv;
    apr_time_t expiry;
-    
-    dbmkey.dptr  = (char *)key.data;
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
-    dbmkey.dsize = key.size;
+        return -1;
    /* create DBM value */
    dbmval.dsize = data.size + sizeof(apr_time_t);
@@ -467,9 +481,9 @@ static int dbm_cache_delete(void* baton, gnutls_datum_t key)
    apr_datum_t dbmkey;
    mgs_handle_t *ctxt = baton;
    apr_status_t rv;
-    
-    dbmkey.dptr  = (char *)key.data;
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
-    dbmkey.dsize = key.size;
+        return -1;
    rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
                      APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool);
author	Nokis Mavrogiannopoulos	2007-12-09 11:12:23 +0000
committer	Nokis Mavrogiannopoulos	2007-12-09 11:12:23 +0000
commit	ae5263c379cc43e451102e4c4e193f48fd91df88 (patch)
tree	9b53d1cd7f4240e56b9b47b280ce0f3c782cfac0
parent	e2ba0d06fd1edd80ca76bb2279b76944b6e6a901 (diff)

diff --git a/NEWS b/NEWS index bb2df34..116ce34 100644 --- a/NEWS +++ b/NEWS
@@ -4,6 +4,8 @@
4		4
5	- Corrected bug which did not allow the TLS session cache to be used.	5	- Corrected bug which did not allow the TLS session cache to be used.
6		6
		7	- Do not allow resuming sessions on different servers.
		8
7	** Version 0.4.1 (2007-12-03)	9	** Version 0.4.1 (2007-12-03)
8		10
9	- Added support for subject alternative names in certificates.	11	- Added support for subject alternative names in certificates.


diff --git a/src/gnutls_cache.c b/src/gnutls_cache.c index 86b843e..b29086b 100644 --- a/src/gnutls_cache.c +++ b/src/gnutls_cache.c
@@ -34,18 +34,16 @@
34		34
35		35
36	#define MC_TAG "mod_gnutls:"	36	#define MC_TAG "mod_gnutls:"
37	#define MC_TAG_LEN \	37	#define MC_TAG_LEN sizeof(MC_TAG)
38	(sizeof(MC_TAG))
39	#define STR_SESSION_LEN (GNUTLS_SESSION_ID_STRING_LEN + MC_TAG_LEN)	38	#define STR_SESSION_LEN (GNUTLS_SESSION_ID_STRING_LEN + MC_TAG_LEN)
40		39
41	#if 0	40	char mgs_session_id2sz(unsigned char id, int idlen,
42	static char gnutls_session_id2sz(unsigned char id, int idlen,
43	char *str, int strsize)	41	char *str, int strsize)
44	{	42	{
45	char *cp;	43	char *cp;
46	int n;	44	int n;
47		45
48	cp = apr_cpystrn(str, MC_TAG, MC_TAG_LEN);	46	cp = str;
49	for (n = 0; n < idlen && n < GNUTLS_MAX_SESSION_ID; n++) {	47	for (n = 0; n < idlen && n < GNUTLS_MAX_SESSION_ID; n++) {
50	apr_snprintf(cp, strsize - (cp-str), "%02X", id[n]);	48	apr_snprintf(cp, strsize - (cp-str), "%02X", id[n]);
51	cp += 2;	49	cp += 2;
@@ -53,7 +51,27 @@ static char gnutls_session_id2sz(unsigned char id, int idlen,
53	*cp = '\0';	51	*cp = '\0';
54	return str;	52	return str;
55	}	53	}
56	#endif	54
		55
		56	/* Name the Session ID as:
		57	* IP:port.SessionID
		58	* to disallow resuming sessions on different servers
		59	*/
		60	static int mgs_session_id2dbm(conn_rec* c, unsigned char *id, int idlen,
		61	apr_datum_t* dbmkey)
		62	{
		63	char buf[STR_SESSION_LEN];
		64	char *sz;
		65
		66	sz = mgs_session_id2sz(id, idlen, buf, sizeof(buf));
		67	if (sz == NULL)
		68	return -1;
		69
		70	dbmkey->dptr = apr_psprintf(c->pool, "%s:%d.%s", c->local_ip, c->base_server->port, sz);
		71	dbmkey->dsize = strlen( dbmkey->dptr);
		72
		73	return 0;
		74	}
57		75
58	#define CTIME "%b %d %k:%M:%S %Y %Z"	76	#define CTIME "%b %d %k:%M:%S %Y %Z"
59	char mgs_time2sz(time_t in_time, char str, int strsize)	77	char mgs_time2sz(time_t in_time, char str, int strsize)
@@ -70,24 +88,23 @@ char mgs_time2sz(time_t in_time, char str, int strsize)
70	return str;	88	return str;
71	}	89	}
72		90
73	char mgs_session_id2sz(unsigned char id, int idlen,	91	#if HAVE_APR_MEMCACHE
74	char *str, int strsize)	92	/* Name the Session ID as:
		93	* IP:port.SessionID
		94	* to disallow resuming sessions on different servers
		95	*/
		96	static char* mgs_session_id2mc(conn_rec* c, unsigned char *id, int idlen)
75	{	97	{
76	char *cp;	98	char buf[STR_SESSION_LEN];
77	int n;	99	char *sz;
78		100
79	cp = str;	101	sz = mgs_session_id2sz(id, idlen, buf, sizeof(buf));
80	for (n = 0; n < idlen && n < GNUTLS_MAX_SESSION_ID; n++) {	102	if (sz == NULL)
81	apr_snprintf(cp, strsize - (cp-str), "%02X", id[n]);	103	return NULL;
82	cp += 2;	104
83	}	105	return apr_psprintf(c->pool, MC_TAG"%s:%d.%s", c->local_ip, c->base_server->port, sz);
84	*cp = '\0';
85	return str;
86	}	106	}
87		107
88
89	#if HAVE_APR_MEMCACHE
90
91	/**	108	/**
92	* GnuTLS Session Cache using libmemcached	109	* GnuTLS Session Cache using libmemcached
93	*	110	*
@@ -184,11 +201,10 @@ static int mc_cache_store(void* baton, gnutls_datum_t key,
184	{	201	{
185	apr_status_t rv = APR_SUCCESS;	202	apr_status_t rv = APR_SUCCESS;
186	mgs_handle_t *ctxt = baton;	203	mgs_handle_t *ctxt = baton;
187	char buf[STR_SESSION_LEN];
188	char* strkey = NULL;	204	char* strkey = NULL;
189	apr_uint32_t timeout;	205	apr_uint32_t timeout;
190		206
191	strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf));	207	strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
192	if(!strkey)	208	if(!strkey)
193	return -1;	209	return -1;
194		210
@@ -211,13 +227,12 @@ static gnutls_datum_t mc_cache_fetch(void* baton, gnutls_datum_t key)
211	{	227	{
212	apr_status_t rv = APR_SUCCESS;	228	apr_status_t rv = APR_SUCCESS;
213	mgs_handle_t *ctxt = baton;	229	mgs_handle_t *ctxt = baton;
214	char buf[STR_SESSION_LEN];
215	char* strkey = NULL;	230	char* strkey = NULL;
216	char* value;	231	char* value;
217	apr_size_t value_len;	232	apr_size_t value_len;
218	gnutls_datum_t data = { NULL, 0 };	233	gnutls_datum_t data = { NULL, 0 };
219		234
220	strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf));	235	strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
221	if (!strkey) {	236	if (!strkey) {
222	return data;	237	return data;
223	}	238	}
@@ -252,10 +267,9 @@ static int mc_cache_delete(void* baton, gnutls_datum_t key)
252	{	267	{
253	apr_status_t rv = APR_SUCCESS;	268	apr_status_t rv = APR_SUCCESS;
254	mgs_handle_t *ctxt = baton;	269	mgs_handle_t *ctxt = baton;
255	char buf[STR_SESSION_LEN];
256	char* strkey = NULL;	270	char* strkey = NULL;
257		271
258	strkey = gnutls_session_id2sz(key.data, key.size, buf, sizeof(buf));	272	strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
259	if(!strkey)	273	if(!strkey)
260	return -1;	274	return -1;
261		275
@@ -366,8 +380,8 @@ static gnutls_datum_t dbm_cache_fetch(void* baton, gnutls_datum_t key)
366	mgs_handle_t *ctxt = baton;	380	mgs_handle_t *ctxt = baton;
367	apr_status_t rv;	381	apr_status_t rv;
368		382
369	dbmkey.dptr = (void*)key.data;	383	if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
370	dbmkey.dsize = key.size;	384	return data;
371		385
372	rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,	386	rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
373	APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool);	387	APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool);
@@ -413,9 +427,9 @@ static int dbm_cache_store(void* baton, gnutls_datum_t key,
413	mgs_handle_t *ctxt = baton;	427	mgs_handle_t *ctxt = baton;
414	apr_status_t rv;	428	apr_status_t rv;
415	apr_time_t expiry;	429	apr_time_t expiry;
416		430
417	dbmkey.dptr = (char *)key.data;	431	if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
418	dbmkey.dsize = key.size;	432	return -1;
419		433
420	/* create DBM value */	434	/* create DBM value */
421	dbmval.dsize = data.size + sizeof(apr_time_t);	435	dbmval.dsize = data.size + sizeof(apr_time_t);
@@ -467,9 +481,9 @@ static int dbm_cache_delete(void* baton, gnutls_datum_t key)
467	apr_datum_t dbmkey;	481	apr_datum_t dbmkey;
468	mgs_handle_t *ctxt = baton;	482	mgs_handle_t *ctxt = baton;
469	apr_status_t rv;	483	apr_status_t rv;
470		484
471	dbmkey.dptr = (char *)key.data;	485	if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
472	dbmkey.dsize = key.size;	486	return -1;
473		487
474	rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,	488	rv = apr_dbm_open(&dbm, ctxt->sc->cache_config,
475	APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool);	489	APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, ctxt->c->pool);