author | alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2008-12-09 01:11:39 +0000 |
---|---|---|
committer | alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2008-12-09 01:11:39 +0000 |
commit | eb1a60792f2cd8cf88e0bd877353fa8a48f3f187 (patch) | |
tree | 8bf0a1df365f4257ab01ab8a07eb0608a6635e97 /pki/base | |
parent | d03c7f4b36139061e2a061ad54c9c8c0629052ae (diff) | |
changes to fix BZ#453508
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@165 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base')
-rw-r--r-- | pki/base/tps/src/engine/RA.cpp | 98 | ||||
-rw-r--r-- | pki/base/tps/src/httpClient/engine.cpp | 11 | ||||
-rw-r--r-- | pki/base/tps/src/include/engine/RA.h | 1 | ||||
-rw-r--r-- | pki/base/tps/src/modules/tps/mod_tps.cpp | 97 |
4 files changed, 156 insertions, 51 deletions
diff --git a/pki/base/tps/src/engine/RA.cpp b/pki/base/tps/src/engine/RA.cpp index be17177f0..460f9d0bc 100644 --- a/pki/base/tps/src/engine/RA.cpp +++ b/pki/base/tps/src/engine/RA.cpp @@ -37,7 +37,7 @@ extern "C" #include "cert.h" #include "tus/tus_db.h" #include "secder.h" - +#include "nss.h" #ifdef __cplusplus } @@ -170,10 +170,6 @@ PRLock *RA::GetVerifyLock() */ TPS_PUBLIC int RA::Initialize(char *cfg_path, RA_Context *ctx) { - int ca_status = 0; - int tks_status = 0; - int drm_status = 0; - int rc = -1; int i = 0; @@ -287,39 +283,6 @@ TPS_PUBLIC int RA::Initialize(char *cfg_path, RA_Context *ctx) // even rc != 0, we still go ahead starting up the server. rc = InitializeAuthentication(); - // initialize CA connections - ca_status = InitializeHttpConnections("ca", &m_caConns_len, - m_caConnection, ctx); - - if( ca_status != 0 ) { -#if 0 - RA::Shutdown(); - goto loser; -#endif - } - - // initialize TKS connections - tks_status = InitializeHttpConnections("tks", &m_tksConns_len, - m_tksConnection, ctx); - - if( tks_status != 0 ) { -#if 0 - RA::Shutdown(); - goto loser; -#endif - } - - // initialize DRM connections - drm_status = InitializeHttpConnections("drm", &m_drmConns_len, - m_drmConnection, ctx); - - if( drm_status != 0 ) { -#if 0 - RA::Shutdown(); - goto loser; -#endif - } - //Initialize Publisher Library InitializePublishers(); 
@@ -343,6 +306,58 @@ loser: return rc; } +int RA::InitializeInChild(RA_Context *ctx) { + + int rc = -1; + SECStatus rv; + int status = 0; + char configname[256]; + + if (!NSS_IsInitialized()) { + + RA::Debug( LL_PER_SERVER, "RA::InitializeInChild", "Initializing NSS"); + + PR_snprintf((char *)configname, 256, "%s/alias", + m_cfg->GetConfigAsString("service.instanceDir", NULL)); + rv = NSS_Initialize (configname, "", "", SECMOD_DB, NSS_INIT_READONLY); + if (rv != SECSuccess) { + RA::Error( LL_PER_SERVER, "RA::InitializeInChild", + "NSS not initialized successfully"); + ctx->InitializationError( "RA::InitializeHttpConnections", + __LINE__ ); + goto loser; + } + } + + //initialize CA Connections + status = InitializeHttpConnections("ca", &m_caConns_len, + m_caConnection, ctx); + if (status != 0) { + RA::Debug( LL_PER_SERVER, "RA::InitializeInChild", + "Failed to initialize CA Connection, rc=%i", + (int)status); + } + // initialize TKS connections + status = InitializeHttpConnections("tks", &m_tksConns_len, + m_tksConnection, ctx); + if (status != 0) { + RA::Debug( LL_PER_SERVER, "RA::InitializeInChild", + "Failed to initialize TKS Connection, rc=%i", + (int)status); + } + // initialize DRM connections + status = InitializeHttpConnections("drm", &m_drmConns_len, + m_drmConnection, ctx); + if (status != 0) { + RA::Debug( LL_PER_SERVER, "RA::InitializeInChild", + "Failed to initialize DRM Connection, rc=%i", + (int)status); + } + + rc =1; +loser: + return rc; +} int RA::testTokendb() { // try to see if we can talk to the database 
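Review bot: In the new RA::InitializeInChild, a failed InitializeHttpConnections call for "ca", "tks" or "drm" is reported only through RA::Debug and the function still reaches `rc =1;`, so the caller sees success even when none of the back-end connections came up. That matches the `#if 0` behaviour removed from RA::Initialize, but if it is intentional it deserves a comment, and the three failures would be easier for an operator to find if logged through RA::Error, as the NSS failure path already does. That NSS failure path reports itself to the context as `"RA::InitializeHttpConnections"`; `ctx->InitializationError( "RA::InitializeInChild", __LINE__ );` would name the right function. The result of `GetConfigAsString("service.instanceDir", NULL)` is formatted into the 256-byte `configname` with no NULL or truncation check, so a missing or over-long instance directory would silently produce a wrong NSS database path.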
@@ -1764,13 +1779,6 @@ int RA::InitializeHttpConnections(const char *id, int *len, HttpConnection **con PR_snprintf((char *)configname, 256, "conn.%s%d.clientNickname", id, i); const char *clientnickname = m_cfg->GetConfigAsString(configname); - // Bugscape Bug #56583: insure that specified certificate is present - // - // (1) To prevent a coredump, we need to determine if NSS has been - // initialized prior to loading this TPS plugin. However, - // since NSS does not provide a callable initialization check - // to inform the caller whether or not NSS has been initialized, - // we need to supply the following workaround solution: handle = CERT_GetDefaultCertDB(); if( handle == 0 ) { ctx->InitializationError( "RA::InitializeHttpConnections", diff --git a/pki/base/tps/src/httpClient/engine.cpp b/pki/base/tps/src/httpClient/engine.cpp index 6c5013869..46efe42d3 100644 --- a/pki/base/tps/src/httpClient/engine.cpp +++ b/pki/base/tps/src/httpClient/engine.cpp @@ -126,9 +126,18 @@ PRBool __EXPORT InitSecurity(char* certDir, char* certname, char* certpassword, certName = PL_strdup(certname); } + SECStatus stat; PR_Init( PR_USER_THREAD, PR_PRIORITY_NORMAL, 0 ); - SECStatus stat = NSS_Initialize( certDir, prefix, prefix,"secmod.db", + if (!NSS_IsInitialized()) { + stat = NSS_Initialize( certDir, prefix, prefix,"secmod.db", NSS_INIT_READONLY); + } else { + stat = SECSuccess; + RA::Debug( LL_PER_PDU, + "initSecurity: ", + "NSS Already initialized" ); + + } if (SECSuccess != stat) { // int err = PR_GetError(); diff --git a/pki/base/tps/src/include/engine/RA.h b/pki/base/tps/src/include/engine/RA.h index beda779d5..d0625f2b2 100644 --- a/pki/base/tps/src/include/engine/RA.h +++ b/pki/base/tps/src/include/engine/RA.h @@ -98,6 +98,7 @@ class RA public: static int IsTokendbInitialized(); TPS_PUBLIC static int Initialize(char *cfg_path, RA_Context *ctx); + TPS_PUBLIC static int InitializeInChild(RA_Context *ctx); TPS_PUBLIC static int Shutdown(); public: 
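Review bot: When NSS is already initialized, the new else branch in InitSecurity sets `stat = SECSuccess` and the `certDir` and `prefix` arguments go unused, so the HTTP client runs against whichever certificate database the process opened first. If a caller passes a different directory, the certificate named by `certname` would presumably be looked up in that other database with nothing in the log to explain a failure. The debug message could name the ignored directory, for example `"NSS already initialized; ignoring certDir %s"`, and a comment above the check should say that the NSS database is process-wide. The call to RA::Debug assumes this file includes the RA header, which the hunk does not show; InitSecurity starts and ends outside the hunk.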
diff --git a/pki/base/tps/src/modules/tps/mod_tps.cpp b/pki/base/tps/src/modules/tps/mod_tps.cpp index 47e3194fb..fa98aaa9a 100644 --- a/pki/base/tps/src/modules/tps/mod_tps.cpp +++ b/pki/base/tps/src/modules/tps/mod_tps.cpp @@ -38,6 +38,7 @@ extern "C" */ #include <stdio.h> +#include <unistd.h> #include "nspr.h" #include "httpd/httpd.h" @@ -61,7 +62,9 @@ extern "C" #include "processor/RA_Pin_Reset_Processor.h" #include "processor/RA_Renew_Processor.h" #include "processor/RA_Unblock_Processor.h" +#include "ssl.h" +#define MOD_TPS_KEY_NAME "mod_tps" /* _________________________________________________________________ ** @@ -91,6 +94,10 @@ static const char MOD_TPS_CONFIGURATION_FILE_USAGE[] = "TPS Configuration Filename prefixed by a complete path, or\n" "a path that is relative to the Apache server root."; +/* per-process config structure */ +typedef struct { + int nInitCount; +} mod_tps_global_config; /* _________________________________________________________________ @@ -102,6 +109,7 @@ static const char MOD_TPS_CONFIGURATION_FILE_USAGE[] = typedef struct { char *TPS_Configuration_File; AP_Context *context; + mod_tps_global_config *gconfig; /* pointer to per-process config */ } mod_tps_server_configuration; 
@@ -126,6 +134,34 @@ extern module TPS_PUBLIC MOD_TPS_CONFIG_KEY; ** _________________________________________________________________ */ +mod_tps_global_config *mod_tps_config_global_create(server_rec *s) +{ + apr_pool_t *pool = s->process->pool; + mod_tps_global_config *globalc = NULL; + void *vglobalc = NULL; + + apr_pool_userdata_get(&vglobalc, MOD_TPS_KEY_NAME, pool); + if (vglobalc) { + return (mod_tps_global_config *) vglobalc; /* reused for lifetime of the server */ + } + + /* + * allocate an own subpool which survives server restarts + */ + globalc = (mod_tps_global_config *)apr_palloc(pool, sizeof(*globalc)); + + /* + * initialize per-module configuration + */ + globalc->nInitCount = 0; + + apr_pool_userdata_set(globalc, MOD_TPS_KEY_NAME, + apr_pool_cleanup_null, + pool); + + return globalc; +} + /** * Terminate Apache */ @@ -197,6 +233,7 @@ mod_tps_terminate( void *data ) MEM_shutdown(); #endif + SSL_ClearSessionCache(); /* Shutdown all APR library routines. */ /* NOTE: This automatically destroys all memory pools. */ /* Allow the NSS Module to perform this task. */ @@ -210,10 +247,6 @@ mod_tps_terminate( void *data ) return OK; } - -/** - * Initialize the TPS module (Context) - */ static int mod_tps_initialize( apr_pool_t *p, apr_pool_t *plog, @@ -234,6 +267,12 @@ mod_tps_initialize( apr_pool_t *p, return OK; } + sc->gconfig->nInitCount++; + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, sv, + "Entering mod_tps_initialize - init count is [%d]", + sc->gconfig->nInitCount); + /* Load the TPS module. */ #ifdef MEM_PROFILING 
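Review bot: The comment `allocate an own subpool which survives server restarts` in mod_tps_config_global_create does not match the code, which creates no subpool and calls apr_palloc directly on `s->process->pool`; `/* allocate from the process pool so the counter outlives configuration passes */` would describe what is done. The function has external linkage while mod_tps_initialize and mod_tps_init_child in the same file are `static`; unless another translation unit needs it, `static mod_tps_global_config *mod_tps_config_global_create(server_rec *s)` avoids exporting the symbol. A short header comment stating that nInitCount counts mod_tps_initialize passes, and that mod_tps_initialize and mod_tps_init_child branch on it, would make the later hunks easier to follow.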
@@ -300,6 +339,25 @@ mod_tps_initialize( apr_pool_t *p, goto loser; } + + if (sc->gconfig->nInitCount < 2 ) { + status = RA::InitializeInChild( sc->context); + } else { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, sv, + "mod_tps_initialize - pid is [%d] - post config already done once -" + " additional config will be done in init_child", + getpid()); + status = RA_INITIALIZATION_SUCCESS; + } + + if (status != RA_INITIALIZATION_SUCCESS ) { + ap_log_error( "mod_tps_initialize", + __LINE__, APLOG_ERR, 0, sv, + "The tps module failed to do the initializeInChild tasks. "); + printf( "\nUnable to start Apache:\n" + " The tps module failed to do the initializeInChild tasks. "); + goto loser; + } /* Register a server termination routine. */ apr_pool_cleanup_register( p, @@ -341,7 +399,6 @@ loser: return DECLINED; } - /** * mod_tps_handler handles the protocol between the token client * and the RA (Session) 
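Review bot: The new check `if (status != RA_INITIALIZATION_SUCCESS )` in mod_tps_initialize depends on the literal `rc =1;` in RA::InitializeInChild being equal to RA_INITIALIZATION_SUCCESS, whose definition is not visible in this diff; returning the named constant from InitializeInChild would make that contract explicit. The `nInitCount < 2` branch has no comment explaining why the first pass initializes NSS and the connections in the parent while later passes defer to child init; a line such as `/* first pass: do the NSS and connection setup here; later passes defer it to mod_tps_init_child */` would help, adjusted to the actual intent. The second line of the added printf text has no trailing newline. mod_tps_initialize starts and ends outside the hunk.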
@@ -535,10 +592,38 @@ mod_tps_config_server_create( apr_pool_t *p, server_rec *sv ) /* Initialize all members of mod_tps_server_configuration. */ sc->TPS_Configuration_File = NULL; sc->context = NULL; + sc->gconfig = mod_tps_config_global_create(sv); return sc; } +static void mod_tps_init_child(apr_pool_t *p, server_rec *sv) +{ + int status = -1; + mod_tps_server_configuration *srv_cfg = NULL; + srv_cfg = ( ( mod_tps_server_configuration * ) + ap_get_module_config(sv->module_config, &MOD_TPS_CONFIG_KEY)); + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0 /* status */, NULL, + "Entering mod_tps_init_child pid [%d] init count is [%d]", + getpid(), srv_cfg->gconfig->nInitCount); + + srv_cfg = ( ( mod_tps_server_configuration * ) + ap_get_module_config(sv->module_config, &MOD_TPS_CONFIG_KEY)); + + if (srv_cfg->gconfig->nInitCount > 1) { + status = RA::InitializeInChild(srv_cfg->context); + } else { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, sv, + "mod_tps_init_child - pid is [%d] - config should be done in regular post config", + getpid()); + } + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0 /* status */, NULL, + "Leaving mod_tps_init_child"); + return; +} + /* _________________________________________________________________ @@ -558,6 +643,8 @@ mod_tps_register_hooks( apr_pool_t *p ) mod_tps_preloaded_modules, mod_tps_postloaded_modules, APR_HOOK_MIDDLE ); + + ap_hook_child_init(mod_tps_init_child, NULL,NULL, APR_HOOK_MIDDLE); ap_hook_handler( mod_tps_handler, mod_tps_preloaded_modules, |
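Review bot: In mod_tps_init_child the result of `status = RA::InitializeInChild(srv_cfg->context);` is never examined, so a child whose NSS initialization failed keeps running and will presumably accept token requests without working CA/TKS/DRM connections. The hook returns void and cannot decline, but the failure should at least be logged at error level inside the `nInitCount > 1` branch: `if (status != RA_INITIALIZATION_SUCCESS) ap_log_error(APLOG_MARK, APLOG_ERR, 0, sv, "mod_tps_init_child: RA::InitializeInChild failed, pid [%d]", getpid());`. `srv_cfg` is fetched twice with the same ap_get_module_config call and is dereferenced in the first log statement with no NULL check; the second lookup can be dropped. The entry and exit log calls pass NULL as the server although `sv` is available.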