Changeset 24c6c16 in mod_gnutls


Ignore:
Timestamp:
Oct 19, 2015, 9:07:41 PM (4 years ago)
Author:
Daniel Kahn Gillmor <dkg@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports
Children:
8bf5809
Parents:
5d13786 (diff), 89f863f (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
Message:

Merge tag 'upstream/0.7.1' into debian

Upstream version 0.7.1

Files:
38 edited
1 moved

Legend:

Unmodified
Added
Removed
  • CHANGELOG

    r5d13786 r24c6c16  
    22- Handle Unclean Shutdowns
    33- make session cache use generic apache caches
     4
     5** Version 0.7.1 (2015-10-18)
     6- Improved handling of PKCS #11 modules: mod_gnutls now loads either
     7  modules specified using GnuTLSP11Module, or the system defaults, but
     8  not both. Thanks to Nikos Mavrogiannopoulos for the report and
     9  initial patch!
     10- Initialize variables to safe defaults during client certificate
     11  verification. Certain error code paths did not set them, but they
     12  should never be hit due to config validation. This adds another line
     13  of defense.
     14- Enable C99 support via autoconf
     15- Test suite improvements. Most importantly, automake now handles
     16  environment setup without any external make calls. Rules to build
     17  the certificates are included from the old test makefile. Note that
     18  the dependency on GNU make is not new (the test makefile always used
     19  GNU make syntax), it just wasn't listed explicitly.
    420
    521** Version 0.7 (2015-07-12)
  • README

    r5d13786 r24c6c16  
    2424 * GnuTLS          >= 3.1.4 <http://www.gnutls.org/> (3.2.* or newer preferred)
    2525 * Apache HTTPD    >= 2.2 <http://httpd.apache.org/> (2.4.* preferred)
    26  * autotools & gcc
     26 * autotools, GNU make, & gcc
    2727 * APR Memcache    >= 0.7.0 (Optional)
    2828 * libmsv          >= 0.1 (Optional, enable with ./configure --enable-msva)
  • configure

    r5d13786 r24c6c16  
    11#! /bin/sh
    22# Guess values for system-dependent variables and create Makefiles.
    3 # Generated by GNU Autoconf 2.69 for mod_gnutls 0.7.
     3# Generated by GNU Autoconf 2.69 for mod_gnutls 0.7.1.
    44#
    55#
     
    588588PACKAGE_NAME='mod_gnutls'
    589589PACKAGE_TARNAME='mod_gnutls'
    590 PACKAGE_VERSION='0.7'
    591 PACKAGE_STRING='mod_gnutls 0.7'
     590PACKAGE_VERSION='0.7.1'
     591PACKAGE_STRING='mod_gnutls 0.7.1'
    592592PACKAGE_BUGREPORT=''
    593593PACKAGE_URL=''
     
    13791379  # This message is too long to be a string in the A/UX 3.1 sh.
    13801380  cat <<_ACEOF
    1381 \`configure' configures mod_gnutls 0.7 to adapt to many kinds of systems.
     1381\`configure' configures mod_gnutls 0.7.1 to adapt to many kinds of systems.
    13821382
    13831383Usage: $0 [OPTION]... [VAR=VALUE]...
     
    14501450if test -n "$ac_init_help"; then
    14511451  case $ac_init_help in
    1452      short | recursive ) echo "Configuration of mod_gnutls 0.7:";;
     1452     short | recursive ) echo "Configuration of mod_gnutls 0.7.1:";;
    14531453   esac
    14541454  cat <<\_ACEOF
     
    15841584if $ac_init_version; then
    15851585  cat <<\_ACEOF
    1586 mod_gnutls configure 0.7
     1586mod_gnutls configure 0.7.1
    15871587generated by GNU Autoconf 2.69
    15881588
     
    19951995running configure, to aid debugging if configure makes a mistake.
    19961996
    1997 It was created by mod_gnutls $as_me 0.7, which was
     1997It was created by mod_gnutls $as_me 0.7.1, which was
    19981998generated by GNU Autoconf 2.69.  Invocation command line was
    19991999
     
    23612361  chmod +x config.nice
    23622362
    2363 MOD_GNUTLS_VERSION=0.7
     2363MOD_GNUTLS_VERSION=0.7.1
    23642364
    23652365
     
    25392539    NONENONEs,x,x, &&
    25402540  program_prefix=${target_alias}-
     2541# mod_gnutls test suite requires GNU make
    25412542am__api_version='1.14'
    25422543
     
    30253026# Define the identity of the package.
    30263027 PACKAGE='mod_gnutls'
    3027  VERSION='0.7'
     3028 VERSION='0.7.1'
    30283029
    30293030
     
    41594160  am__fastdepCC_TRUE='#'
    41604161  am__fastdepCC_FALSE=
     4162fi
     4163
     4164
     4165   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C99" >&5
     4166$as_echo_n "checking for $CC option to accept ISO C99... " >&6; }
     4167if ${ac_cv_prog_cc_c99+:} false; then :
     4168  $as_echo_n "(cached) " >&6
     4169else
     4170  ac_cv_prog_cc_c99=no
     4171ac_save_CC=$CC
     4172cat confdefs.h - <<_ACEOF >conftest.$ac_ext
     4173/* end confdefs.h.  */
     4174#include <stdarg.h>
     4175#include <stdbool.h>
     4176#include <stdlib.h>
     4177#include <wchar.h>
     4178#include <stdio.h>
     4179
     4180// Check varargs macros.  These examples are taken from C99 6.10.3.5.
     4181#define debug(...) fprintf (stderr, __VA_ARGS__)
     4182#define showlist(...) puts (#__VA_ARGS__)
     4183#define report(test,...) ((test) ? puts (#test) : printf (__VA_ARGS__))
     4184static void
     4185test_varargs_macros (void)
     4186{
     4187  int x = 1234;
     4188  int y = 5678;
     4189  debug ("Flag");
     4190  debug ("X = %d\n", x);
     4191  showlist (The first, second, and third items.);
     4192  report (x>y, "x is %d but y is %d", x, y);
     4193}
     4194
     4195// Check long long types.
     4196#define BIG64 18446744073709551615ull
     4197#define BIG32 4294967295ul
     4198#define BIG_OK (BIG64 / BIG32 == 4294967297ull && BIG64 % BIG32 == 0)
     4199#if !BIG_OK
     4200  your preprocessor is broken;
     4201#endif
     4202#if BIG_OK
     4203#else
     4204  your preprocessor is broken;
     4205#endif
     4206static long long int bignum = -9223372036854775807LL;
     4207static unsigned long long int ubignum = BIG64;
     4208
     4209struct incomplete_array
     4210{
     4211  int datasize;
     4212  double data[];
     4213};
     4214
     4215struct named_init {
     4216  int number;
     4217  const wchar_t *name;
     4218  double average;
     4219};
     4220
     4221typedef const char *ccp;
     4222
     4223static inline int
     4224test_restrict (ccp restrict text)
     4225{
     4226  // See if C++-style comments work.
     4227  // Iterate through items via the restricted pointer.
     4228  // Also check for declarations in for loops.
     4229  for (unsigned int i = 0; *(text+i) != '\0'; ++i)
     4230    continue;
     4231  return 0;
     4232}
     4233
     4234// Check varargs and va_copy.
     4235static void
     4236test_varargs (const char *format, ...)
     4237{
     4238  va_list args;
     4239  va_start (args, format);
     4240  va_list args_copy;
     4241  va_copy (args_copy, args);
     4242
     4243  const char *str;
     4244  int number;
     4245  float fnumber;
     4246
     4247  while (*format)
     4248    {
     4249      switch (*format++)
     4250        {
     4251        case 's': // string
     4252          str = va_arg (args_copy, const char *);
     4253          break;
     4254        case 'd': // int
     4255          number = va_arg (args_copy, int);
     4256          break;
     4257        case 'f': // float
     4258          fnumber = va_arg (args_copy, double);
     4259          break;
     4260        default:
     4261          break;
     4262        }
     4263    }
     4264  va_end (args_copy);
     4265  va_end (args);
     4266}
     4267
     4268int
     4269main ()
     4270{
     4271
     4272  // Check bool.
     4273  _Bool success = false;
     4274
     4275  // Check restrict.
     4276  if (test_restrict ("String literal") == 0)
     4277    success = true;
     4278  char *restrict newvar = "Another string";
     4279
     4280  // Check varargs.
     4281  test_varargs ("s, d' f .", "string", 65, 34.234);
     4282  test_varargs_macros ();
     4283
     4284  // Check flexible array members.
     4285  struct incomplete_array *ia =
     4286    malloc (sizeof (struct incomplete_array) + (sizeof (double) * 10));
     4287  ia->datasize = 10;
     4288  for (int i = 0; i < ia->datasize; ++i)
     4289    ia->data[i] = i * 1.234;
     4290
     4291  // Check named initializers.
     4292  struct named_init ni = {
     4293    .number = 34,
     4294    .name = L"Test wide string",
     4295    .average = 543.34343,
     4296  };
     4297
     4298  ni.number = 58;
     4299
     4300  int dynamic_array[ni.number];
     4301  dynamic_array[ni.number - 1] = 543;
     4302
     4303  // work around unused variable warnings
     4304  return (!success || bignum == 0LL || ubignum == 0uLL || newvar[0] == 'x'
     4305          || dynamic_array[ni.number - 1] != 543);
     4306
     4307  ;
     4308  return 0;
     4309}
     4310_ACEOF
     4311for ac_arg in '' -std=gnu99 -std=c99 -c99 -AC99 -D_STDC_C99= -qlanglvl=extc99
     4312do
     4313  CC="$ac_save_CC $ac_arg"
     4314  if ac_fn_c_try_compile "$LINENO"; then :
     4315  ac_cv_prog_cc_c99=$ac_arg
     4316fi
     4317rm -f core conftest.err conftest.$ac_objext
     4318  test "x$ac_cv_prog_cc_c99" != "xno" && break
     4319done
     4320rm -f conftest.$ac_ext
     4321CC=$ac_save_CC
     4322
     4323fi
     4324# AC_CACHE_VAL
     4325case "x$ac_cv_prog_cc_c99" in
     4326  x)
     4327    { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5
     4328$as_echo "none needed" >&6; } ;;
     4329  xno)
     4330    { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5
     4331$as_echo "unsupported" >&6; } ;;
     4332  *)
     4333    CC="$CC $ac_cv_prog_cc_c99"
     4334    { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c99" >&5
     4335$as_echo "$ac_cv_prog_cc_c99" >&6; } ;;
     4336esac
     4337if test "x$ac_cv_prog_cc_c99" != xno; then :
     4338
    41614339fi
    41624340
     
    1344413622# values after options handling.
    1344513623ac_log="
    13446 This file was extended by mod_gnutls $as_me 0.7, which was
     13624This file was extended by mod_gnutls $as_me 0.7.1, which was
    1344713625generated by GNU Autoconf 2.69.  Invocation command line was
    1344813626
     
    1351013688ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
    1351113689ac_cs_version="\\
    13512 mod_gnutls config.status 0.7
     13690mod_gnutls config.status 0.7.1
    1351313691configured by $0, generated by GNU Autoconf 2.69,
    1351413692  with options \\"\$ac_cs_config\\"
  • configure.ac

    r5d13786 r24c6c16  
    11dnl
    2 AC_INIT(mod_gnutls, 0.7)
     2AC_INIT(mod_gnutls, 0.7.1)
    33OOO_CONFIG_NICE(config.nice)
    44MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
     
    1010AM_MAINTAINER_MODE
    1111AC_CANONICAL_TARGET
    12 AM_INIT_AUTOMAKE
     12# mod_gnutls test suite requires GNU make
     13AM_INIT_AUTOMAKE([-Wno-portability])
    1314AM_CONFIG_HEADER(include/mod_gnutls_config.h:config.in)
    1415
     
    1617
    1718AC_PROG_CC
     19AC_PROG_CC_C99
    1820AC_PROG_LD
    1921AC_PROG_INSTALL
  • doc/mod_gnutls_manual.mdwn

    r5d13786 r24c6c16  
    375375------------------
    376376
    377 Load an additional PKCS #11 module.
     377Load this PKCS #11 module.
    378378
    379379    GnuTLSP11Module PATH_TO_LIBRARY
     
    382382Context: server config
    383383
    384 Load this PKCS #11 provider module, in addition to the system
    385 defaults.
     384Load this PKCS #11 provider module, instead of the system
     385defaults. May occur multiple times to load multiple modules.
    386386
    387387`GnuTLSPIN`
  • include/mod_gnutls.h.in

    r5d13786 r24c6c16  
    115115    int non_ssl_request;
    116116
    117     /* Additional PKCS #11 provider module to load, only valid in the
     117    /* List of PKCS #11 provider modules to load, only valid in the
    118118     * base config, ignored in virtual hosts */
    119     char *p11_module;
     119    apr_array_header_t *p11_modules;
    120120
    121121    /* PIN used for PKCS #11 operations */
     
    286286int ssl_engine_disable(conn_rec *c);
    287287const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
    288     const char *arg);
     288                                 const int arg);
    289289apr_status_t mgs_cleanup_pre_config(void *data);
    290290
     
    439439
    440440const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
    441                             const char *arg);
     441                            const int arg);
    442442const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
    443443                            const char *arg);
     
    445445                            const char *arg);
    446446const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
    447                             const char *arg);
     447                            const int arg);
    448448
    449449const char *mgs_set_require_section(cmd_parms *cmd,
  • src/gnutls_config.c

    r5d13786 r24c6c16  
    642642}
    643643
    644 const char *mgs_set_tickets(cmd_parms * parms, void *dummy __attribute__((unused)),
    645         const char *arg) {
    646     mgs_srvconf_rec *sc =
    647         (mgs_srvconf_rec *) ap_get_module_config(parms->server->
    648                                                  module_config,
    649                                                 &gnutls_module);
    650 
    651     sc->tickets = 0;
    652     if (strcasecmp("on", arg) == 0) {
    653         sc->tickets = 1;
    654     }
     644const char *mgs_set_tickets(cmd_parms *parms,
     645                            void *dummy __attribute__((unused)),
     646                            const int arg)
     647{
     648    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
     649        ap_get_module_config(parms->server->module_config, &gnutls_module);
     650
     651    if (arg)
     652        sc->tickets = GNUTLS_ENABLED_TRUE;
     653    else
     654        sc->tickets = GNUTLS_ENABLED_FALSE;
    655655
    656656    return NULL;
     
    826826}
    827827
    828 const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy __attribute__((unused)),
    829         const char *arg) {
    830 
     828/*
     829 * Enable TLS proxy operation if arg is true, disable it otherwise.
     830 */
     831const char *mgs_set_proxy_engine(cmd_parms *parms,
     832                                 void *dummy __attribute__((unused)),
     833                                 const int arg)
     834{
    831835    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
    832         ap_get_module_config(parms->server->module_config, &gnutls_module);
    833 
    834     if (!strcasecmp(arg, "On")) {
    835         sc->proxy_enabled = GNUTLS_ENABLED_TRUE;
    836     } else if (!strcasecmp(arg, "Off")) {
    837         sc->proxy_enabled = GNUTLS_ENABLED_FALSE;
    838     } else {
    839         return "GnuTLSProxyEngine must be set to 'On' or 'Off'";
    840     }
    841 
    842     return NULL;
    843 }
    844 
    845 const char *mgs_set_enabled(cmd_parms * parms, void *dummy __attribute__((unused)),
    846         const char *arg) {
    847     mgs_srvconf_rec *sc =
    848         (mgs_srvconf_rec *) ap_get_module_config(parms->server->
    849                                                  module_config,
    850                                                  &gnutls_module);
    851     if (!strcasecmp(arg, "On")) {
    852         sc->enabled = GNUTLS_ENABLED_TRUE;
    853     } else if (!strcasecmp(arg, "Off")) {
    854         sc->enabled = GNUTLS_ENABLED_FALSE;
    855     } else {
    856         return "GnuTLSEnable must be set to 'On' or 'Off'";
    857     }
     836        ap_get_module_config(parms->server->module_config, &gnutls_module);
     837
     838    if (arg)
     839        sc->proxy_enabled = GNUTLS_ENABLED_TRUE;
     840    else
     841        sc->proxy_enabled = GNUTLS_ENABLED_FALSE;
     842
     843    return NULL;
     844}
     845
     846/*
     847 * Enable TLS for the server/vhost if arg is true, disable it
     848 * otherwise.
     849 */
     850const char *mgs_set_enabled(cmd_parms *parms,
     851                            void *dummy __attribute__((unused)),
     852                            const int arg)
     853{
     854    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
     855        ap_get_module_config(parms->server->module_config, &gnutls_module);
     856
     857    if (arg)
     858        sc->enabled = GNUTLS_ENABLED_TRUE;
     859    else
     860        sc->enabled = GNUTLS_ENABLED_FALSE;
    858861
    859862    return NULL;
     
    949952    sc->privkey_pgp = NULL;
    950953    sc->certs_x509_chain_num = 0;
    951     sc->p11_module = NULL;
     954    sc->p11_modules = NULL;
    952955    sc->pin = NULL;
    953956    sc->priorities_str = NULL;
     
    10101013    gnutls_srvconf_merge(x509_key_file, NULL);
    10111014    gnutls_srvconf_merge(x509_ca_file, NULL);
    1012     gnutls_srvconf_merge(p11_module, NULL);
     1015    gnutls_srvconf_merge(p11_modules, NULL);
    10131016    gnutls_srvconf_merge(pin, NULL);
    10141017    gnutls_srvconf_merge(pgp_cert_file, NULL);
     
    11071110
    11081111/*
    1109  * Record additional PKCS #11 module to load. Note that the value is
    1110  * only used in the base config, settings in virtual hosts are
    1111  * ignored.
     1112 * Record PKCS #11 module to load. Note that the value is only used in
     1113 * the base config, settings in virtual hosts are ignored.
    11121114 */
    11131115const char *mgs_set_p11_module(cmd_parms * parms,
     
    11171119    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
    11181120        ap_get_module_config(parms->server->module_config, &gnutls_module);
    1119     sc->p11_module = apr_pstrdup(parms->pool, arg);
    1120     return NULL;
    1121 }
     1121    /* initialize PKCS #11 module list if necessary */
     1122    if (sc->p11_modules == NULL)
     1123        sc->p11_modules = apr_array_make(parms->pool, 2, sizeof(char*));
     1124
     1125    *(char **) apr_array_push(sc->p11_modules) = apr_pstrdup(parms->pool, arg);
     1126
     1127    return NULL;
     1128}
  • src/gnutls_hooks.c

    r5d13786 r24c6c16  
    220220static int read_crt_cn(server_rec * s, apr_pool_t * p, gnutls_x509_crt_t cert, char **cert_cn) {
    221221
    222     int rv = 0, i;
     222    int rv = 0;
    223223    size_t data_len;
    224224
     
    242242        rv = 0;
    243243        /* read subject alternative name */
    244         for (i = 0; !(rv < 0); i++) {
     244        for (int i = 0; !(rv < 0); i++)
     245        {
    245246            data_len = 0;
    246247            rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
     
    323324    }
    324325
    325     /* Load additional PKCS #11 module, if requested */
    326     if (sc_base->p11_module != NULL)
    327     {
    328         rv = gnutls_pkcs11_add_provider(sc_base->p11_module, NULL);
    329         if (rv != GNUTLS_E_SUCCESS)
     326    /* If GnuTLSP11Module is set, load the listed PKCS #11
     327     * modules. Otherwise system defaults will be used. */
     328    if (sc_base->p11_modules != NULL)
     329    {
     330        rv = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
     331        if (rv < 0)
     332        {
    330333            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    331                          "GnuTLS: Loading PKCS #11 provider module %s "
     334                         "GnuTLS: Initializing PKCS #11 "
    332335                         "failed: %s (%d).",
    333                          sc_base->p11_module, gnutls_strerror(rv), rv);
     336                         gnutls_strerror(rv), rv);
     337        }
     338        else
     339        {
     340            for (int i = 0; i < sc_base->p11_modules->nelts; i++)
     341            {
     342                char *p11_module =
     343                    APR_ARRAY_IDX(sc_base->p11_modules, i, char *);
     344                rv = gnutls_pkcs11_add_provider(p11_module, NULL);
     345                if (rv != GNUTLS_E_SUCCESS)
     346                    ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
     347                                 "GnuTLS: Loading PKCS #11 provider module %s "
     348                                 "failed: %s (%d).",
     349                                 p11_module, gnutls_strerror(rv), rv);
     350            }
     351        }
    334352    }
    335353
     
    355373        if (sc->export_certificates_size < 0)
    356374            sc->export_certificates_size = 0;
    357         if (sc->client_verify_mode ==  -1)
     375        if (sc->client_verify_mode == -1)
    358376            sc->client_verify_mode = GNUTLS_CERT_IGNORE;
    359         if (sc->client_verify_method ==  mgs_cvm_unset)
     377        if (sc->client_verify_method == mgs_cvm_unset)
    360378            sc->client_verify_method = mgs_cvm_cartel;
    361379
     
    541559int check_server_aliases(vhost_cb_rec *x, server_rec * s, mgs_srvconf_rec *tsc) {
    542560        apr_array_header_t *names;
    543         int i,rv = 0;
     561        int rv = 0;
    544562        char ** name;
    545563
     
    553571                names = s->names;
    554572                name = (char **)names->elts;
    555                 for (i = 0; i < names->nelts; ++i) {
     573                for (int i = 0; i < names->nelts; ++i)
     574        {
    556575                        if (!name[i]) { continue; }
    557576                                if (apr_strnatcasecmp(x->sni_name, name[i]) == 0) {
     
    565584                names = s->wild_names;
    566585        name = (char **)names->elts;
    567                 for (i = 0; i < names->nelts; ++i) {
     586                for (int i = 0; i < names->nelts; ++i)
     587        {
    568588                        if (!name[i]) { continue; }
    569589                                if(apr_fnmatch(name[i], x->sni_name ,
     
    10161036    char *tmp2;
    10171037    size_t len;
    1018     int ret, i;
     1038    int ret;
    10191039
    10201040    if (r == NULL)
     
    10911111
    10921112    /* export all the alternative names (DNS, RFC822 and URI) */
    1093     for (i = 0; !(ret < 0); i++) {
     1113    for (int i = 0; !(ret < 0); i++)
     1114    {
    10941115        const char *san, *sanlabel;
    10951116        len = 0;
     
    12041225static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) {
    12051226    const gnutls_datum_t *cert_list;
    1206     unsigned int cert_list_size, status;
     1227    unsigned int cert_list_size;
     1228    /* assume the certificate is invalid unless explicitly set
     1229     * otherwise */
     1230    unsigned int status = GNUTLS_CERT_INVALID;
    12071231    int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret;
    12081232    unsigned int ch_size = 0;
     
    13381362#endif
    13391363        default:
     1364            /* If this block is reached, that indicates a
     1365             * configuration error or bug in mod_gnutls (invalid value
     1366             * of ctxt->sc->client_verify_method). */
    13401367            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
    13411368                          "GnuTLS: Failed to Verify X.509 Peer: method '%s' is not supported",
    13421369                          mgs_readable_cvm(ctxt->sc->client_verify_method));
     1370            rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
    13431371        }
    13441372
     
    13561384#ifdef ENABLE_MSVA
    13571385        case mgs_cvm_msva:
    1358             /* need to set status and rv */
    13591386            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
    13601387                          "GnuTLS:  OpenPGP verification via MSVA is not yet implemented");
     
    13631390#endif
    13641391        default:
     1392            /* If this block is reached, that indicates a
     1393             * configuration error or bug in mod_gnutls (invalid value
     1394             * of ctxt->sc->client_verify_method). */
    13651395            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
    13661396                          "GnuTLS: Failed to Verify OpenPGP Peer: method '%s' is not supported",
    13671397                          mgs_readable_cvm(ctxt->sc->client_verify_method));
    1368         }
    1369     }
    1370 
     1398            rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
     1399        }
     1400    }
     1401
     1402    /* "goto exit" at the end of this block skips evaluation of the
     1403     * "status" variable */
    13711404    if (rv < 0) {
    13721405        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
     
    14441477
    14451478exit:
    1446     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
    1447         unsigned int i;
    1448         for (i = 0; i < ch_size; i++) {
     1479    if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
     1480        for (unsigned int i = 0; i < ch_size; i++)
    14491481            gnutls_x509_crt_deinit(cert.x509[i]);
    1450         }
    1451     } else if (gnutls_certificate_type_get(ctxt->session) ==
    1452             GNUTLS_CRT_OPENPGP)
     1482    else if (gnutls_certificate_type_get(ctxt->session) ==
     1483             GNUTLS_CRT_OPENPGP)
    14531484        gnutls_openpgp_crt_deinit(cert.pgp);
    14541485    return ret;
    1455 
    1456 
    1457 }
     1486}
     1487
     1488
    14581489
    14591490#ifdef ENABLE_MSVA
  • src/mod_gnutls.c

    r5d13786 r24c6c16  
    137137
    138138static const command_rec mgs_config_cmds[] = {
    139     AP_INIT_TAKE1("GnuTLSProxyEngine", mgs_set_proxy_engine,
     139    AP_INIT_FLAG("GnuTLSProxyEngine", mgs_set_proxy_engine,
    140140    NULL,
    141141    RSRC_CONF | OR_AUTHCFG,
    142     "Enable SSL Proxy Engine"),
     142    "Enable TLS Proxy Engine"),
    143143    AP_INIT_TAKE1("GnuTLSP11Module", mgs_set_p11_module,
    144144    NULL,
    145145    RSRC_CONF,
    146     "Load this additional PKCS #11 provider library"),
     146    "Load this specific PKCS #11 provider library"),
    147147    AP_INIT_RAW_ARGS("GnuTLSPIN", mgs_set_pin,
    148148    NULL,
     
    180180    NULL,
    181181    RSRC_CONF,
    182     "SSL Server X509 Certificate file"),
     182    "TLS Server X509 Certificate file"),
    183183    AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file,
    184184    NULL,
    185185    RSRC_CONF,
    186     "SSL Server X509 Private Key file"),
     186    "TLS Server X509 Private Key file"),
    187187    AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file,
    188188    NULL,
    189189    RSRC_CONF,
    190     "SSL Server X509 Certificate file"),
     190    "TLS Server X509 Certificate file"),
    191191    AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file,
    192192    NULL,
    193193    RSRC_CONF,
    194     "SSL Server X509 Private Key file"),
     194    "TLS Server X509 Private Key file"),
    195195    AP_INIT_TAKE1("GnuTLSPGPCertificateFile", mgs_set_pgpcert_file,
    196196    NULL,
    197197    RSRC_CONF,
    198     "SSL Server PGP Certificate file"),
     198    "TLS Server PGP Certificate file"),
    199199    AP_INIT_TAKE1("GnuTLSPGPKeyFile", mgs_set_pgpkey_file,
    200200    NULL,
    201201    RSRC_CONF,
    202     "SSL Server PGP Private key file"),
     202    "TLS Server PGP Private key file"),
    203203#ifdef ENABLE_SRP
    204204    AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file,
    205205    NULL,
    206206    RSRC_CONF,
    207     "SSL Server SRP Password Conf file"),
     207    "TLS Server SRP Password Conf file"),
    208208    AP_INIT_TAKE1("GnuTLSSRPPasswdConfFile",
    209209    mgs_set_srp_tpasswd_conf_file,
    210210    NULL,
    211211    RSRC_CONF,
    212     "SSL Server SRP Parameters file"),
     212    "TLS Server SRP Parameters file"),
    213213#endif
    214214    AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_cache_timeout,
     
    220220    RSRC_CONF,
    221221    "Cache Configuration"),
    222     AP_INIT_TAKE1("GnuTLSSessionTickets", mgs_set_tickets,
     222    AP_INIT_FLAG("GnuTLSSessionTickets", mgs_set_tickets,
    223223    NULL,
    224224    RSRC_CONF,
     
    228228    RSRC_CONF,
    229229    "The priorities to enable (ciphers, Key exchange, macs, compression)."),
    230     AP_INIT_TAKE1("GnuTLSEnable", mgs_set_enabled,
     230    AP_INIT_FLAG("GnuTLSEnable", mgs_set_enabled,
    231231    NULL,
    232232    RSRC_CONF,
  • test/Makefile.am

    r5d13786 r24c6c16  
    3131TESTS = $(dist_check_SCRIPTS)
    3232
     33# Identities in the miniature CA, server, and client environment for
     34# the test suite
     35identities = server authority client imposter rogueca
     36# Append strings after ":=" to each identity to generate a list of
     37# necessary files
     38pgp_tokens = $(identities:=/secring.gpg) $(identities:=/cert.pgp) \
     39        $(identities:=/secret.pgp)
     40x509_keys = $(identities:=/secret.key)
     41x509_certs = $(identities:=/x509.pem)
     42x509_tokens = $(x509_certs) $(x509_keys)
     43tokens = $(x509_tokens) $(pgp_tokens)
     44
     45include $(srcdir)/test_ca.mk
     46
    3347# Test cases trying to create keys and certificates in parallel causes
    3448# race conditions. Ensure that all keys and certificates are generated
     
    4155# running at any time, so test cases actually have to wait for each
    4256# other - just not in any particular order.
    43 check_DATA = setup.done server/crl.pem
     57check_DATA = $(tokens) server/crl.pem
    4458
    45 MOSTLYCLEANFILES = setup.done cache/* logs/* outputs/* server/crl.pem
     59MOSTLYCLEANFILES = cache/* logs/* outputs/* server/crl.pem
    4660
    4761cert_templates = authority.template.in client.template.in \
     
    5064        imposter.template server.template
    5165
     66# Delete X.509 private keys on full clean. Note that unless you need
     67# to generate fresh keys, the "mostlyclean" target should be
     68# sufficient (see below).
     69CLEANFILES = $(x509_keys)
     70
    5271# Delete X.509 certificates and generated templates on "mostlyclean"
    5372# target. Certificates can be rebuilt without generating new key
     
    5574# (e.g. host names) without wasting entropy on new keys (which would
    5675# happen after "clean").
    57 MOSTLYCLEANFILES += */x509.pem $(generated_templates)
     76MOSTLYCLEANFILES += */x509.pem $(generated_templates) *.uid
     77
    5878
    5979# Delete PGP keyrings on "mostlyclean" target. They are created from
     
    6181# one day, so regenerating them is both fast and frequently
    6282# necessary.
    63 MOSTLYCLEANFILES += */*.pgp */*.gpg */*.gpg~ */gpg.conf
     83MOSTLYCLEANFILES += */*.pgp */*.gpg */*.gpg~ */gpg.conf authority/lock
     84# GnuPG random pool, no need to regenerate on every build
     85CLEANFILES += authority/random_seed
    6486
    65 clean-local:
    66         $(MAKE) -f $(srcdir)/TestMakefile $(AM_MAKEFLAGS) clean
     87# Delete lock files for test servers on "mostlyclean" target.
     88MOSTLYCLEANFILES += *.lock
     89
     90# rule to build MSVA trust database
     91if USE_MSVA
     92msva_home = msva.gnupghome
     93check_DATA += $(msva_home)/trustdb.gpg client.uid
     94MOSTLYCLEANFILES += $(msva_home)/trustdb.gpg
     95$(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp
     96        mkdir -p -m 0700 $(dir $@)
     97        GNUPGHOME=$(dir $@) gpg --import < $<
     98        printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
     99        GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
     100        printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
     101endif
    67102
    68103# SoftHSM files
    69104check_DATA += server/softhsm.db
    70 MOSTLYCLEANFILES += tests/24_pkcs11_cert/softhsm.conf
     105MOSTLYCLEANFILES += tests/24_pkcs11_cert/softhsm.conf server/softhsm.db
    71106
    72 # This rule can be used for any TestMakefile target not included in
    73 # setup.done. The dependency on setup.done is used to avoid race
    74 # conditions between multiple calls to TestMakefile for key and
    75 # certificate generation. It is ignored for setup.done itself.
    76 server/crl.pem server/softhsm.db setup.done: setup.done
    77         TEST_HOST="$(TEST_HOST)" TEST_IP="$(TEST_IP)" srcdir=$(srcdir) \
    78         $(MAKE) -f $(srcdir)/TestMakefile $(AM_MAKEFLAGS) $@
    79107
     108check_DATA += make-test-dirs
     109extra_dirs = logs cache outputs
     110make-test-dirs:
     111        mkdir -p $(extra_dirs)
     112.PHONY: make-test-dirs
     113
     114clean-local:
     115        -rmdir $(identities) || true
     116        -rmdir $(extra_dirs) || true
     117if USE_MSVA
     118        -rmdir $(msva_home) || true
     119endif
     120
     121# Apache configuration and data files
    80122apache_data = base_apache.conf cgi_module.conf data/* mime.types proxy_mods.conf
    81123
    82124EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in proxy_backend.bash \
    83         runtests server-crl.template server-softhsm.conf softhsm.bash \
    84         TestMakefile
     125        runtests server-crl.template server-softhsm.conf softhsm.bash
    85126
     127# Lockfile for the main Apache process
     128test_lockfile = ./test.lock
    86129# Maximum wait time in seconds for flock to aquire instance lock files
    87130lock_wait = 30
    88131
     132# port for the main Apache server
     133TEST_PORT ?= 9932
     134# port for MSVA in test cases that use it
     135MSVA_PORT ?= 9933
     136# maximum time to wait for MSVA startup
     137TEST_MSVA_MAX_WAIT ?= 10
     138# wait loop time for MSVA startup
     139TEST_MSVA_WAIT ?= 0.4
     140# seconds for the HTTP request to be sent and responded to
     141TEST_QUERY_DELAY ?= 30
     142
    89143AM_TESTS_ENVIRONMENT = export APACHE2=$(APACHE2); \
    90144        export AP_LIBEXECDIR=$(AP_LIBEXECDIR); \
    91         export TEST_LOCK_WAIT=$(lock_wait); \
     145        export TEST_LOCK="$(test_lockfile)"; \
     146        export TEST_LOCK_WAIT="$(lock_wait)"; \
    92147        export TEST_HOST="$(TEST_HOST)"; \
    93148        export TEST_IP="$(TEST_IP)"; \
     149        export TEST_PORT="$(TEST_PORT)"; \
     150        export MSVA_PORT="$(MSVA_PORT)"; \
     151        export TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \
     152        export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
     153        export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
    94154        export BACKEND_HOST="$(TEST_HOST)"; \
    95155        export BACKEND_IP="$(TEST_IP)";
     156
     157# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
     158# you want to manually run an Apache instance with Valgrind using the
     159# same configuration as a test case.
     160show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
     161show-test-env:
     162        @echo "$${TEST_ENV}"
  • test/Makefile.in

    r5d13786 r24c6c16  
    1414
    1515@SET_MAKE@
     16
     17#!/usr/bin/make -f
     18# Authors:
     19# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
     20# Thomas Klute <thomas2.klute@uni-dortmund.de>
     21
     22# General rules to set up a miniature CA & server & client environment
     23# for the test suite
    1624VPATH = @srcdir@
    1725am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
     
    8088target_triplet = @target@
    8189@USE_MSVA_TRUE@am__append_1 = test-15_basic_msva.bash
     90DIST_COMMON = $(srcdir)/test_ca.mk $(srcdir)/Makefile.in \
     91        $(srcdir)/Makefile.am $(am__dist_check_SCRIPTS_DIST) \
     92        $(top_srcdir)/config/test-driver README
     93@USE_MSVA_TRUE@am__append_2 = $(msva_home)/trustdb.gpg client.uid
     94@USE_MSVA_TRUE@am__append_3 = $(msva_home)/trustdb.gpg
    8295subdir = test
    83 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
    84         $(am__dist_check_SCRIPTS_DIST) \
    85         $(top_srcdir)/config/test-driver README
    8696ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
    8797am__aclocal_m4_deps = $(top_srcdir)/m4/apache.m4 \
     
    584594TESTS = $(dist_check_SCRIPTS)
    585595
     596# Identities in the miniature CA, server, and client environment for
     597# the test suite
     598identities = server authority client imposter rogueca
     599# Append strings after ":=" to each identity to generate a list of
     600# necessary files
     601pgp_tokens = $(identities:=/secring.gpg) $(identities:=/cert.pgp) \
     602        $(identities:=/secret.pgp)
     603
     604x509_keys = $(identities:=/secret.key)
     605x509_certs = $(identities:=/x509.pem)
     606x509_tokens = $(x509_certs) $(x509_keys)
     607tokens = $(x509_tokens) $(pgp_tokens)
     608
    586609# Test cases trying to create keys and certificates in parallel causes
    587610# race conditions. Ensure that all keys and certificates are generated
     
    596619
    597620# SoftHSM files
    598 check_DATA = setup.done server/crl.pem server/softhsm.db
     621check_DATA = $(tokens) server/crl.pem $(am__append_2) \
     622        server/softhsm.db make-test-dirs
    599623
    600624# Delete X.509 certificates and generated templates on "mostlyclean"
     
    608632# one day, so regenerating them is both fast and frequently
    609633# necessary.
    610 MOSTLYCLEANFILES = setup.done cache/* logs/* outputs/* server/crl.pem \
    611         */x509.pem $(generated_templates) */*.pgp */*.gpg */*.gpg~ \
    612         */gpg.conf tests/24_pkcs11_cert/softhsm.conf
     634
     635# Delete lock files for test servers on "mostlyclean" target.
     636MOSTLYCLEANFILES = cache/* logs/* outputs/* server/crl.pem */x509.pem \
     637        $(generated_templates) *.uid */*.pgp */*.gpg */*.gpg~ \
     638        */gpg.conf authority/lock *.lock $(am__append_3) \
     639        tests/24_pkcs11_cert/softhsm.conf server/softhsm.db
    613640cert_templates = authority.template.in client.template.in \
    614641        imposter.template.in rogueca.template server.template.in
     
    617644        imposter.template server.template
    618645
     646
     647# Delete X.509 private keys on full clean. Note that unless you need
     648# to generate fresh keys, the "mostlyclean" target should be
     649# sufficient (see below).
     650# GnuPG random pool, no need to regenerate on every build
     651CLEANFILES = $(x509_keys) authority/random_seed
     652
     653# rule to build MSVA trust database
     654@USE_MSVA_TRUE@msva_home = msva.gnupghome
     655extra_dirs = logs cache outputs
     656
     657# Apache configuration and data files
    619658apache_data = base_apache.conf cgi_module.conf data/* mime.types proxy_mods.conf
    620659EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in proxy_backend.bash \
    621         runtests server-crl.template server-softhsm.conf softhsm.bash \
    622         TestMakefile
    623 
    624 
     660        runtests server-crl.template server-softhsm.conf softhsm.bash
     661
     662
     663# Lockfile for the main Apache process
     664test_lockfile = ./test.lock
    625665# Maximum wait time in seconds for flock to aquire instance lock files
    626666lock_wait = 30
    627667AM_TESTS_ENVIRONMENT = export APACHE2=$(APACHE2); \
    628668        export AP_LIBEXECDIR=$(AP_LIBEXECDIR); \
    629         export TEST_LOCK_WAIT=$(lock_wait); \
     669        export TEST_LOCK="$(test_lockfile)"; \
     670        export TEST_LOCK_WAIT="$(lock_wait)"; \
    630671        export TEST_HOST="$(TEST_HOST)"; \
    631672        export TEST_IP="$(TEST_IP)"; \
     673        export TEST_PORT="$(TEST_PORT)"; \
     674        export MSVA_PORT="$(MSVA_PORT)"; \
     675        export TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \
     676        export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
     677        export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
    632678        export BACKEND_HOST="$(TEST_HOST)"; \
    633679        export BACKEND_IP="$(TEST_IP)";
     
    637683.SUFFIXES:
    638684.SUFFIXES: .log .test .test$(EXEEXT) .trs
    639 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps)
     685$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(srcdir)/test_ca.mk $(am__configure_deps)
    640686        @for dep in $?; do \
    641687          case '$(am__configure_deps)' in \
     
    658704            cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
    659705        esac;
     706$(srcdir)/test_ca.mk:
    660707
    661708$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
     
    11921239
    11931240clean-generic:
     1241        -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
    11941242
    11951243distclean-generic:
     
    12831331
    12841332
     1333%.template: $(srcdir)/%.template.in
     1334        sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@
     1335
     1336%.uid: $(srcdir)/%.uid.in
     1337        sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@
     1338
     1339%/secret.key:
     1340        mkdir -p $(dir $@)
     1341        chmod 0700 $(dir $@)
     1342        certtool --generate-privkey > $@
     1343
     1344%/secring.gpg: %.uid %/secret.key
     1345        rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg
     1346        PEM2OPENPGP_EXPIRATION=86400 PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign pem2openpgp "$$(cat $<)" < $(dir $@)secret.key | GNUPGHOME=$(dir $@) gpg --import
     1347        printf "%s:6:\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
     1348
     1349%/gpg.conf: %/secring.gpg
     1350        printf "default-key %s\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
     1351
     1352%/secret.pgp: %/secring.gpg
     1353        GNUPGHOME=$(dir $@) gpg --armor --batch --no-tty --yes --export-secret-key "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
     1354
     1355%/minimal.pgp: %/secring.gpg
     1356        GNUPGHOME=$(dir $@) gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
     1357
     1358# Import and signing modify the shared keyring, which leads to race
     1359# conditions with parallel make. Locking avoids this problem.
     1360%/cert.pgp: %/minimal.pgp authority/gpg.conf
     1361        GNUPGHOME=authority flock authority/lock gpg --import $<
     1362        GNUPGHOME=authority flock authority/lock gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
     1363        GNUPGHOME=authority gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
     1364
     1365# special cases for the authorities' root certs:
     1366authority/x509.pem: authority.template authority/secret.key
     1367        certtool --generate-self-signed --load-privkey authority/secret.key --template authority.template > $@
     1368rogueca/x509.pem: $(srcdir)/rogueca.template rogueca/secret.key
     1369        certtool --generate-self-signed --load-privkey rogueca/secret.key --template $(srcdir)/rogueca.template > $@
     1370
     1371%/cert-request: %.template %/secret.key
     1372        certtool --generate-request --load-privkey $(dir $@)secret.key --template $< > $@
     1373
     1374%/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem
     1375        certtool --generate-certificate --load-ca-certificate authority/x509.pem --load-ca-privkey authority/secret.key --load-request $(dir $@)cert-request --template $< > $@
     1376
     1377%/softhsm.db: %/x509.pem %/secret.key
     1378        SOFTHSM_CONF="$(srcdir)/$(*)-softhsm.conf" $(srcdir)/softhsm.bash init $(dir $@)secret.key $(dir $@)x509.pem
     1379
     1380# Generate CRL revoking a certain certificate. Currently used to
     1381# revoke the server certificate and check if setting the CRL as
     1382# GnuTLSProxyCRLFile causes the connection to the back end server to
     1383# fail.
     1384%/crl.pem: %/x509.pem ${srcdir}/%-crl.template
     1385        certtool --generate-crl \
     1386                --load-ca-privkey authority/secret.key \
     1387                --load-ca-certificate authority/x509.pem \
     1388                --load-certificate $< \
     1389                --template "${srcdir}/$(*)-crl.template" \
     1390                > $@
     1391@USE_MSVA_TRUE@$(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp
     1392@USE_MSVA_TRUE@ mkdir -p -m 0700 $(dir $@)
     1393@USE_MSVA_TRUE@ GNUPGHOME=$(dir $@) gpg --import < $<
     1394@USE_MSVA_TRUE@ printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
     1395@USE_MSVA_TRUE@ GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
     1396@USE_MSVA_TRUE@ printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
     1397make-test-dirs:
     1398        mkdir -p $(extra_dirs)
     1399.PHONY: make-test-dirs
     1400
    12851401clean-local:
    1286         $(MAKE) -f $(srcdir)/TestMakefile $(AM_MAKEFLAGS) clean
    1287 
    1288 # This rule can be used for any TestMakefile target not included in
    1289 # setup.done. The dependency on setup.done is used to avoid race
    1290 # conditions between multiple calls to TestMakefile for key and
    1291 # certificate generation. It is ignored for setup.done itself.
    1292 server/crl.pem server/softhsm.db setup.done: setup.done
    1293         TEST_HOST="$(TEST_HOST)" TEST_IP="$(TEST_IP)" srcdir=$(srcdir) \
    1294         $(MAKE) -f $(srcdir)/TestMakefile $(AM_MAKEFLAGS) $@
     1402        -rmdir $(identities) || true
     1403        -rmdir $(extra_dirs) || true
     1404@USE_MSVA_TRUE@ -rmdir $(msva_home) || true
     1405
     1406# port for the main Apache server
     1407TEST_PORT ?= 9932
     1408# port for MSVA in test cases that use it
     1409MSVA_PORT ?= 9933
     1410# maximum time to wait for MSVA startup
     1411TEST_MSVA_MAX_WAIT ?= 10
     1412# wait loop time for MSVA startup
     1413TEST_MSVA_WAIT ?= 0.4
     1414# seconds for the HTTP request to be sent and responded to
     1415TEST_QUERY_DELAY ?= 30
     1416
     1417# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
     1418# you want to manually run an Apache instance with Valgrind using the
     1419# same configuration as a test case.
     1420show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
     1421show-test-env:
     1422        @echo "$${TEST_ENV}"
    12951423
    12961424# Tell versions [3.59,3.63) of GNU make to not export all variables.
  • test/README

    r5d13786 r24c6c16  
    3232
    3333  TEST_HOST="localhost" TEST_IP="127.0.0.1" ./configure
     34
    3435
    3536Adding a Test
     
    9798   possible that these tests will fail for timing
    9899   reasons. [TEST_QUERY_DELAY (seconds for the http request to be sent
    99    and responded to)] and [TEST_GAP (seconds to wait between tests)]
     100   and responded to)]
     101
     102In some situations you may want to see the exact environment as
     103configured by make, e.g. if you want to manually run an Apache
     104instance with Valgrind using the same configuration as a test
     105case. Use "make show-test-env" to dump AM_TESTS_ENVIRONMENT to stdout.
  • test/runtests

    r5d13786 r24c6c16  
    77set -e
    88
    9 tests="${1##t-}"
    10 
    11 if [ -n "${TEST_LOCK}" ]; then
    12     TEST_LOCK="$(realpath ${TEST_LOCK})"
    13     flock_cmd="flock -w ${TEST_LOCK_WAIT} ${TEST_LOCK}"
     9testid="${1##t-}"
     10
     11if [ -z "$testid" ] ; then
     12    echo -e "No test case selected.\nUsage: ${0} t-N" >&2
     13    exit 1
     14else
     15    testid=${srcdir}/tests/"$(printf "%02d" "$testid")"_*
    1416fi
    1517
    1618BADVARS=0
    17 for v in APACHE2 TEST_HOST TEST_IP TEST_PORT TEST_QUERY_DELAY TEST_GAP MSVA_PORT; do
     19for v in APACHE2 TEST_HOST TEST_IP TEST_PORT TEST_QUERY_DELAY TEST_MSVA_WAIT \
     20                 MSVA_PORT TEST_LOCK; do
    1821    if [ ! -v "$v" ]; then
    1922        printf "You need to set the %s environment variable\n" "$v" >&2
     
    111114    fi
    112115}
    113 
    114 if [ -z "$tests" ] ; then
    115     tests=${srcdir}/tests/*
    116 else
    117     tests=${srcdir}/tests/"$(printf "%02d" "$tests")"_*
    118 fi
    119116
    120117if [ -n "${USE_MSVA}" ]; then
     
    137134            echo "MSVA not ready yet"
    138135        fi
    139         sleep "${TEST_GAP}"
    140         waited=$(echo "${waited} + ${TEST_GAP}" | bc)
     136        sleep "${TEST_MSVA_WAIT}"
     137        waited=$(echo "${waited} + ${TEST_MSVA_WAIT}" | bc)
    141138    done
    142139
     
    150147fi
    151148
    152 for t in $tests; do
    153     if [ -z "${flock_cmd}" ]; then
    154         echo "Warning: no lock file set"
    155         sleep "$TEST_GAP"
    156     fi
    157     t="$(realpath ${t})"
    158     export srcdir="$(realpath ${srcdir})"
    159     export TEST_NAME="$(basename "$t")"
    160     output="outputs/${TEST_NAME}.output"
    161     rm -f "$output"
    162 
    163     if [ -e ${t}/fail.* ]; then
    164         EXPECTED_FAILURE="$(printf " (expected: %s)" fail.*)"
    165     else
    166         unset EXPECTED_FAILURE
    167     fi
    168     printf "TESTING: %s%s\n" "$TEST_NAME" "$EXPECTED_FAILURE"
    169     trap apache_down_err EXIT
    170     if [ -n "${USE_MSVA}" ]; then
    171         MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" \
    172             ${flock_cmd} \
    173             ${APACHE2} -f "${t}/apache.conf" -k start \
    174             || [ -e "${t}/fail.server" ]
    175     else
    176         ${flock_cmd} \
    177             ${APACHE2} -f "${t}/apache.conf" -k start \
    178             || [ -e "${t}/fail.server" ]
    179     fi
    180 
    181     # PID file for sleep command (explanation below)
    182     sleep_pidfile="$(mktemp mod_gnutls_test-XXXXXX.pid)"
    183 
    184     # The sleep call keeps the pipe from the subshell to gnutls-cli
    185     # open. Without it gnutls-cli would terminate as soon as sed is
    186     # done, and not wait for a response from the server, leading to
    187     # failing tests. Sending sleep to the background allows the test
    188     # case to proceed instead of waiting for it to return. The sleep
    189     # process is stopped after gnutls-cli terminates.
    190     if (sed "s/__HOSTNAME__/${TEST_HOST}/" <${t}/input && \
    191         run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_DELAY}" &) | \
    192         gnutls-cli -p "${TEST_PORT}" $(cat ${t}/gnutls-cli.args) "${TEST_HOST}" \
    193         >"$output";
    194     then
    195         if [ -e ${t}/fail* ]; then
    196             printf "%s should have failed but succeeded\n" "$(basename "$t")" >&2
    197             exit 1
    198         fi
    199     else
    200         if [ ! -e ${t}/fail* ]; then
    201             printf "%s should have succeeded but failed\n" "$(basename "$t")" >&2
    202             exit 1
    203         fi
    204     fi
    205 
    206     kill_by_pidfile "${sleep_pidfile}"
    207     unset sleep_pidfile
    208 
    209     if [ -e ${t}/output ] ; then
    210         diff_output_filter_headers "${t}/output" "$output" "-q"
    211     fi
    212     if [ -n "${USE_MSVA}" ]; then
    213         trap stop_msva EXIT
    214     else
    215         trap - EXIT
    216     fi
    217     ${APACHE2} -f "${t}/apache.conf" -k stop || [ -e ${t}/fail.server ]
    218     printf "SUCCESS: %s\n" "$TEST_NAME"
    219 done
     149# configure locking for the Apache process
     150flock_cmd="flock -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"
     151
     152t="$(realpath ${testid})"
     153export srcdir="$(realpath ${srcdir})"
     154export TEST_NAME="$(basename "$t")"
     155output="outputs/${TEST_NAME}.output"
     156rm -f "$output"
     157
     158if [ -e ${t}/fail.* ]; then
     159    EXPECTED_FAILURE="$(printf " (expected: %s)" fail.*)"
     160else
     161    unset EXPECTED_FAILURE
     162fi
     163printf "TESTING: %s%s\n" "$TEST_NAME" "$EXPECTED_FAILURE"
     164trap apache_down_err EXIT
     165if [ -n "${USE_MSVA}" ]; then
     166    MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" \
     167                                        ${flock_cmd} \
     168                                        ${APACHE2} -f "${t}/apache.conf" -k start \
     169        || [ -e "${t}/fail.server" ]
     170else
     171    ${flock_cmd} \
     172        ${APACHE2} -f "${t}/apache.conf" -k start \
     173        || [ -e "${t}/fail.server" ]
     174fi
     175
     176# PID file for sleep command (explanation below)
     177sleep_pidfile="$(mktemp mod_gnutls_test-XXXXXX.pid)"
     178
     179# The sleep call keeps the pipe from the subshell to gnutls-cli
     180# open. Without it gnutls-cli would terminate as soon as sed is
     181# done, and not wait for a response from the server, leading to
     182# failing tests. Sending sleep to the background allows the test
     183# case to proceed instead of waiting for it to return. The sleep
     184# process is stopped after gnutls-cli terminates.
     185if (sed "s/__HOSTNAME__/${TEST_HOST}/" <${t}/input && \
     186           run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_DELAY}" &) | \
     187       gnutls-cli -p "${TEST_PORT}" $(cat ${t}/gnutls-cli.args) "${TEST_HOST}" \
     188                  >"$output";
     189then
     190    if [ -e ${t}/fail* ]; then
     191        printf "%s should have failed but succeeded\n" "$(basename "$t")" >&2
     192        exit 1
     193    fi
     194else
     195    if [ ! -e ${t}/fail* ]; then
     196        printf "%s should have succeeded but failed\n" "$(basename "$t")" >&2
     197        exit 1
     198    fi
     199fi
     200
     201kill_by_pidfile "${sleep_pidfile}"
     202unset sleep_pidfile
     203
     204if [ -e ${t}/output ] ; then
     205    diff_output_filter_headers "${t}/output" "$output" "-q"
     206fi
     207if [ -n "${USE_MSVA}" ]; then
     208    trap stop_msva EXIT
     209else
     210    trap - EXIT
     211fi
     212${APACHE2} -f "${t}/apache.conf" -k stop || [ -e ${t}/fail.server ]
     213printf "SUCCESS: %s\n" "$TEST_NAME"
    220214
    221215if [ -n "${USE_MSVA}" ]; then
  • test/test-00_basic.bash

    r5d13786 r24c6c16  
    11#!/bin/bash
    2 make -f $(dirname ${0})/TestMakefile t-0
     2${srcdir}/runtests t-0
  • test/test-01_serverwide_priorities.bash

    r5d13786 r24c6c16  
    11#!/bin/bash
    2 make -f $(dirname ${0})/TestMakefile t-1
     2${srcdir}/runtests t-1
  • test/test-02_cache_in_vhost.bash

    r5d13786 r24c6c16  
    11#!/bin/bash
    2 make -f $(dirname ${0})/TestMakefile t-2
     2${srcdir}/runtests t-2
  • test/test-03_cachetimeout_in_vhost.bash

    r5d13786 r24c6c16  
    11#!/bin/bash
    2 make -f $(dirname ${0})/TestMakefile t-3
     2${srcdir}/runtests t-3
  • test/test-04_basic_nosni.bash

    r5d13786 r24c6c16  
    11#!/bin/bash
    2 make -f $(dirname ${0})/TestMakefile t-4
     2${srcdir}/runtests t-4
  • test/test-05_mismatched-priorities.bash

    r5d13786 r24c6c16  
    11#!/bin/bash
    2 make -f $(dirname ${0})/TestMakefile t-5
     2${srcdir}/runtests t-5
  • test/test-06_verify_sni_a.bash

    r5d13786 r24c6c16  
    11#!/bin/bash
    2 make -f $(dirname ${0})/TestMakefile t-6
     2${srcdir}/runtests t-6
  • test/test-07_verify_sni_b.bash

    r5d13786 r24c6c16  
    11#!/bin/bash
    2 make -f $(dirname ${0})/TestMakefile t-7
     2${srcdir}/runtests t-7
  • test/test-08_verify_no_sni_fallback_to_first_vhost.bash

    r5d13786 r24c6c16  
    11#!/bin/bash
    2 make -f $(dirname ${0})/TestMakefile t-8
     2${srcdir}/runtests t-8
  • test/test-09_verify_no_sni_fails_with_wrong_order.bash

    r5d13786 r24c6c16  
    11#!/bin/bash
    2 make -f $(dirname ${0})/TestMakefile t-9
     2${srcdir}/runtests t-9
  • test/test-10_basic_client_verification.bash

    r5d13786 r24c6c16  
    11#!/bin/bash
    2 make -f $(dirname ${0})/TestMakefile t-10
     2${srcdir}/runtests t-10
  • test/test-11_basic_client_verification_fail.bash

    r5d13786 r24c6c16  
    11#!/bin/bash
    2 make -f $(dirname ${0})/TestMakefile t-11
     2${srcdir}/runtests t-11
  • test/test-12_cgi_variables.bash

    r5d13786 r24c6c16  
    11#!/bin/bash
    2 make -f $(dirname ${0})/TestMakefile t-12
     2${srcdir}/runtests t-12
  • test/test-13_cgi_variables_no_client_cert.bash

    r5d13786 r24c6c16  
    11#!/bin/bash
    2 make -f $(dirname ${0})/TestMakefile t-13
     2${srcdir}/runtests t-13
  • test/test-14_basic_openpgp.bash

    r5d13786 r24c6c16  
    11#!/bin/bash
    2 make -f $(dirname ${0})/TestMakefile t-14
     2${srcdir}/runtests t-14
  • test/test-15_basic_msva.bash

    r5d13786 r24c6c16  
    11#!/bin/bash
    2 USE_MSVA="yes" make -f $(dirname ${0})/TestMakefile t-15
     2USE_MSVA="yes" ${srcdir}/runtests t-15
  • test/test-16_view-status.bash

    r5d13786 r24c6c16  
    11#!/bin/bash
    2 make -f $(dirname ${0})/TestMakefile t-16
     2${srcdir}/runtests t-16
  • test/test-17_cgi_vars_large_cert.bash

    r5d13786 r24c6c16  
    11#!/bin/bash
    2 make -f $(dirname ${0})/TestMakefile t-17
     2${srcdir}/runtests t-17
  • test/test-18_client_verification_wrong_cert.bash

    r5d13786 r24c6c16  
    11#!/bin/bash
    2 make -f $(dirname ${0})/TestMakefile t-18
     2${srcdir}/runtests t-18
  • test/test-19_TLS_reverse_proxy.bash

    r5d13786 r24c6c16  
    1414trap stop_backend EXIT
    1515
    16 make -f $(dirname ${0})/TestMakefile t-19
     16${srcdir}/runtests t-19
    1717
    1818backend_apache "${testdir}" "backend.conf" stop
  • test/test-20_TLS_reverse_proxy_client_auth.bash

    r5d13786 r24c6c16  
    1414trap stop_backend EXIT
    1515
    16 make -f $(dirname ${0})/TestMakefile t-20
     16${srcdir}/runtests t-20
    1717
    1818backend_apache "${testdir}" "backend.conf" stop
  • test/test-21_TLS_reverse_proxy_wrong_cert.bash

    r5d13786 r24c6c16  
    1414trap stop_backend EXIT
    1515
    16 make -f $(dirname ${0})/TestMakefile t-21
     16${srcdir}/runtests t-21
    1717
    1818backend_apache "${testdir}" "backend.conf" stop
  • test/test-22_TLS_reverse_proxy_crl_revoke.bash

    r5d13786 r24c6c16  
    1414trap stop_backend EXIT
    1515
    16 make -f $(dirname ${0})/TestMakefile t-22
     16${srcdir}/runtests t-22
    1717
    1818backend_apache "${testdir}" "backend.conf" stop
  • test/test-23_TLS_reverse_proxy_mismatched_priorities.bash

    r5d13786 r24c6c16  
    1919trap stop_backend EXIT
    2020
    21 make -f $(dirname ${0})/TestMakefile t-23
     21${srcdir}/runtests t-23
    2222
    2323backend_apache "${testdir}" "backend.conf" stop
  • test/test-24_pkcs11_cert.bash

    r5d13786 r24c6c16  
    2525set -e
    2626
    27 make -f $(dirname ${0})/TestMakefile t-24
     27${srcdir}/runtests t-24
    2828
    2929cleanup_tmpconf
  • test/test_ca.mk

    r5d13786 r24c6c16  
    11#!/usr/bin/make -f
     2# Authors:
     3# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
     4# Thomas Klute <thomas2.klute@uni-dortmund.de>
    25
    3 # Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
    4 
    5 # run these tests to ensure that mod_gnutls can handle a range of
    6 # simple configuration choices.
    7 
    8 export srcdir ?= .
    9 # If the Apache binary is not set, try to find apache2 in default PATH
    10 # (should only happen when the test script is run manually)
    11 export APACHE2 ?= apache2
    12 
    13 export TEST_HOST ?= localhost
    14 export TEST_IP ?= ::1
    15 # chosen at random:
    16 export TEST_PORT ?= 9932
    17 export MSVA_PORT ?= 9933
    18 
    19 export TEST_GAP ?= 0.4
    20 export TEST_MSVA_MAX_WAIT ?= 10
    21 export TEST_QUERY_DELAY ?= 30
    22 export TEST_LOCK_WAIT ?= 30
    23 
    24 TEST_LOCK := ./test.lock
    25 
    26 all: setup.done
    27         TEST_LOCK=$(TEST_LOCK) $(srcdir)/runtests
    28 
    29 t-%: setup.done
    30         TEST_LOCK=$(TEST_LOCK) $(srcdir)/runtests $@
    31 
    32 
    33 
    34 
    35 
    36 ### for setting up a little miniature CA + server + client environment:
    37 identities := server authority client imposter rogueca
    38 tokens := x509.pem secring.gpg secret.key cert.pgp secret.pgp
    39 all_tokens := $(foreach id,$(identities),$(foreach token,$(tokens),$(id)/$(token)))
     6# General rules to set up a miniature CA & server & client environment
     7# for the test suite
    408
    419%.template: $(srcdir)/%.template.in
     
    9765                --template "${srcdir}/$(*)-crl.template" \
    9866                > $@
    99 
    100 msva.gnupghome/trustdb.gpg: authority/minimal.pgp client/cert.pgp
    101         mkdir -p -m 0700 $(dir $@)
    102         GNUPGHOME=$(dir $@) gpg --import < $<
    103         printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
    104         GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
    105         printf "keyserver does-not-exist.example\n" > msva.gnupghome/gpg.conf
    106 
    107 
    108 setup.done: $(all_tokens) msva.gnupghome/trustdb.gpg client.uid
    109         mkdir -p logs cache outputs
    110         touch setup.done
    111 
    112 
    113 clean:
    114         rm -rf server client authority logs cache outputs setup.done \
    115         server.template imposter.template msva.gnupghome \
    116         */*.pgp */*.gpg */*.gpg~ */*.pem */*.key authority.template \
    117         client.template client.uid server.uid *.lock tests/*/*.pem
    118         rmdir imposter rogueca || true
    119 
    120 .PHONY: all clean
Note: See TracChangeset for help on using the changeset viewer.