Changeset 24c6c16 in mod_gnutls
- Timestamp:
- Oct 19, 2015, 9:07:41 PM (7 years ago)
- Branches:
- debian/master, debian/stretch-backports, jessie-backports
- Children:
- 8bf5809
- Parents:
- 5d13786 (diff), 89f863f (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the(diff)
links above to see all the changes relative to each parent. - Files:
-
- 38 edited
- 1 moved
Legend:
- Unmodified
- Added
- Removed
-
CHANGELOG
r5d13786 r24c6c16 2 2 - Handle Unclean Shutdowns 3 3 - make session cache use generic apache caches 4 5 ** Version 0.7.1 (2015-10-18) 6 - Improved handling of PKCS #11 modules: mod_gnutls now loads either 7 modules specified using GnuTLSP11Module, or the system defaults, but 8 not both. Thanks to Nikos Mavrogiannopoulos for the report and 9 initial patch! 10 - Initialize variables to safe defaults during client certificate 11 verification. Certain error code paths did not set them, but they 12 should never be hit due to config validation. This adds another line 13 of defense. 14 - Enable C99 support via autoconf 15 - Test suite improvements. Most importantly, automake now handles 16 environment setup without any external make calls. Rules to build 17 the certificates are included from the old test makefile. Note that 18 the dependency on GNU make is not new (the test makefile always used 19 GNU make syntax), it just wasn't listed explicitly. 4 20 5 21 ** Version 0.7 (2015-07-12) -
README
r5d13786 r24c6c16 24 24 * GnuTLS >= 3.1.4 <http://www.gnutls.org/> (3.2.* or newer preferred) 25 25 * Apache HTTPD >= 2.2 <http://httpd.apache.org/> (2.4.* preferred) 26 * autotools & gcc26 * autotools, GNU make, & gcc 27 27 * APR Memcache >= 0.7.0 (Optional) 28 28 * libmsv >= 0.1 (Optional, enable with ./configure --enable-msva) -
configure
r5d13786 r24c6c16 1 1 #! /bin/sh 2 2 # Guess values for system-dependent variables and create Makefiles. 3 # Generated by GNU Autoconf 2.69 for mod_gnutls 0.7. 3 # Generated by GNU Autoconf 2.69 for mod_gnutls 0.7.1. 4 4 # 5 5 # … … 588 588 PACKAGE_NAME='mod_gnutls' 589 589 PACKAGE_TARNAME='mod_gnutls' 590 PACKAGE_VERSION='0.7 '591 PACKAGE_STRING='mod_gnutls 0.7 '590 PACKAGE_VERSION='0.7.1' 591 PACKAGE_STRING='mod_gnutls 0.7.1' 592 592 PACKAGE_BUGREPORT='' 593 593 PACKAGE_URL='' … … 1379 1379 # This message is too long to be a string in the A/UX 3.1 sh. 1380 1380 cat <<_ACEOF 1381 \`configure' configures mod_gnutls 0.7 to adapt to many kinds of systems.1381 \`configure' configures mod_gnutls 0.7.1 to adapt to many kinds of systems. 1382 1382 1383 1383 Usage: $0 [OPTION]... [VAR=VALUE]... … … 1450 1450 if test -n "$ac_init_help"; then 1451 1451 case $ac_init_help in 1452 short | recursive ) echo "Configuration of mod_gnutls 0.7 :";;1452 short | recursive ) echo "Configuration of mod_gnutls 0.7.1:";; 1453 1453 esac 1454 1454 cat <<\_ACEOF … … 1584 1584 if $ac_init_version; then 1585 1585 cat <<\_ACEOF 1586 mod_gnutls configure 0.7 1586 mod_gnutls configure 0.7.1 1587 1587 generated by GNU Autoconf 2.69 1588 1588 … … 1995 1995 running configure, to aid debugging if configure makes a mistake. 1996 1996 1997 It was created by mod_gnutls $as_me 0.7 , which was1997 It was created by mod_gnutls $as_me 0.7.1, which was 1998 1998 generated by GNU Autoconf 2.69. Invocation command line was 1999 1999 … … 2361 2361 chmod +x config.nice 2362 2362 2363 MOD_GNUTLS_VERSION=0.7 2363 MOD_GNUTLS_VERSION=0.7.1 2364 2364 2365 2365 … … 2539 2539 NONENONEs,x,x, && 2540 2540 program_prefix=${target_alias}- 2541 # mod_gnutls test suite requires GNU make 2541 2542 am__api_version='1.14' 2542 2543 … … 3025 3026 # Define the identity of the package. 3026 3027 PACKAGE='mod_gnutls' 3027 VERSION='0.7 '3028 VERSION='0.7.1' 3028 3029 3029 3030 … … 4159 4160 am__fastdepCC_TRUE='#' 4160 4161 am__fastdepCC_FALSE= 4162 fi 4163 4164 4165 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C99" >&5 4166 $as_echo_n "checking for $CC option to accept ISO C99... " >&6; } 4167 if ${ac_cv_prog_cc_c99+:} false; then : 4168 $as_echo_n "(cached) " >&6 4169 else 4170 ac_cv_prog_cc_c99=no 4171 ac_save_CC=$CC 4172 cat confdefs.h - <<_ACEOF >conftest.$ac_ext 4173 /* end confdefs.h. */ 4174 #include <stdarg.h> 4175 #include <stdbool.h> 4176 #include <stdlib.h> 4177 #include <wchar.h> 4178 #include <stdio.h> 4179 4180 // Check varargs macros. These examples are taken from C99 6.10.3.5. 4181 #define debug(...) fprintf (stderr, __VA_ARGS__) 4182 #define showlist(...) puts (#__VA_ARGS__) 4183 #define report(test,...) ((test) ? puts (#test) : printf (__VA_ARGS__)) 4184 static void 4185 test_varargs_macros (void) 4186 { 4187 int x = 1234; 4188 int y = 5678; 4189 debug ("Flag"); 4190 debug ("X = %d\n", x); 4191 showlist (The first, second, and third items.); 4192 report (x>y, "x is %d but y is %d", x, y); 4193 } 4194 4195 // Check long long types. 4196 #define BIG64 18446744073709551615ull 4197 #define BIG32 4294967295ul 4198 #define BIG_OK (BIG64 / BIG32 == 4294967297ull && BIG64 % BIG32 == 0) 4199 #if !BIG_OK 4200 your preprocessor is broken; 4201 #endif 4202 #if BIG_OK 4203 #else 4204 your preprocessor is broken; 4205 #endif 4206 static long long int bignum = -9223372036854775807LL; 4207 static unsigned long long int ubignum = BIG64; 4208 4209 struct incomplete_array 4210 { 4211 int datasize; 4212 double data[]; 4213 }; 4214 4215 struct named_init { 4216 int number; 4217 const wchar_t *name; 4218 double average; 4219 }; 4220 4221 typedef const char *ccp; 4222 4223 static inline int 4224 test_restrict (ccp restrict text) 4225 { 4226 // See if C++-style comments work. 4227 // Iterate through items via the restricted pointer. 4228 // Also check for declarations in for loops. 4229 for (unsigned int i = 0; *(text+i) != '\0'; ++i) 4230 continue; 4231 return 0; 4232 } 4233 4234 // Check varargs and va_copy. 4235 static void 4236 test_varargs (const char *format, ...) 4237 { 4238 va_list args; 4239 va_start (args, format); 4240 va_list args_copy; 4241 va_copy (args_copy, args); 4242 4243 const char *str; 4244 int number; 4245 float fnumber; 4246 4247 while (*format) 4248 { 4249 switch (*format++) 4250 { 4251 case 's': // string 4252 str = va_arg (args_copy, const char *); 4253 break; 4254 case 'd': // int 4255 number = va_arg (args_copy, int); 4256 break; 4257 case 'f': // float 4258 fnumber = va_arg (args_copy, double); 4259 break; 4260 default: 4261 break; 4262 } 4263 } 4264 va_end (args_copy); 4265 va_end (args); 4266 } 4267 4268 int 4269 main () 4270 { 4271 4272 // Check bool. 4273 _Bool success = false; 4274 4275 // Check restrict. 4276 if (test_restrict ("String literal") == 0) 4277 success = true; 4278 char *restrict newvar = "Another string"; 4279 4280 // Check varargs. 4281 test_varargs ("s, d' f .", "string", 65, 34.234); 4282 test_varargs_macros (); 4283 4284 // Check flexible array members. 4285 struct incomplete_array *ia = 4286 malloc (sizeof (struct incomplete_array) + (sizeof (double) * 10)); 4287 ia->datasize = 10; 4288 for (int i = 0; i < ia->datasize; ++i) 4289 ia->data[i] = i * 1.234; 4290 4291 // Check named initializers. 4292 struct named_init ni = { 4293 .number = 34, 4294 .name = L"Test wide string", 4295 .average = 543.34343, 4296 }; 4297 4298 ni.number = 58; 4299 4300 int dynamic_array[ni.number]; 4301 dynamic_array[ni.number - 1] = 543; 4302 4303 // work around unused variable warnings 4304 return (!success || bignum == 0LL || ubignum == 0uLL || newvar[0] == 'x' 4305 || dynamic_array[ni.number - 1] != 543); 4306 4307 ; 4308 return 0; 4309 } 4310 _ACEOF 4311 for ac_arg in '' -std=gnu99 -std=c99 -c99 -AC99 -D_STDC_C99= -qlanglvl=extc99 4312 do 4313 CC="$ac_save_CC $ac_arg" 4314 if ac_fn_c_try_compile "$LINENO"; then : 4315 ac_cv_prog_cc_c99=$ac_arg 4316 fi 4317 rm -f core conftest.err conftest.$ac_objext 4318 test "x$ac_cv_prog_cc_c99" != "xno" && break 4319 done 4320 rm -f conftest.$ac_ext 4321 CC=$ac_save_CC 4322 4323 fi 4324 # AC_CACHE_VAL 4325 case "x$ac_cv_prog_cc_c99" in 4326 x) 4327 { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 4328 $as_echo "none needed" >&6; } ;; 4329 xno) 4330 { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 4331 $as_echo "unsupported" >&6; } ;; 4332 *) 4333 CC="$CC $ac_cv_prog_cc_c99" 4334 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c99" >&5 4335 $as_echo "$ac_cv_prog_cc_c99" >&6; } ;; 4336 esac 4337 if test "x$ac_cv_prog_cc_c99" != xno; then : 4338 4161 4339 fi 4162 4340 … … 13444 13622 # values after options handling. 13445 13623 ac_log=" 13446 This file was extended by mod_gnutls $as_me 0.7 , which was13624 This file was extended by mod_gnutls $as_me 0.7.1, which was 13447 13625 generated by GNU Autoconf 2.69. Invocation command line was 13448 13626 … … 13510 13688 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" 13511 13689 ac_cs_version="\\ 13512 mod_gnutls config.status 0.7 13690 mod_gnutls config.status 0.7.1 13513 13691 configured by $0, generated by GNU Autoconf 2.69, 13514 13692 with options \\"\$ac_cs_config\\" -
configure.ac
r5d13786 r24c6c16 1 1 dnl 2 AC_INIT(mod_gnutls, 0.7 )2 AC_INIT(mod_gnutls, 0.7.1) 3 3 OOO_CONFIG_NICE(config.nice) 4 4 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION … … 10 10 AM_MAINTAINER_MODE 11 11 AC_CANONICAL_TARGET 12 AM_INIT_AUTOMAKE 12 # mod_gnutls test suite requires GNU make 13 AM_INIT_AUTOMAKE([-Wno-portability]) 13 14 AM_CONFIG_HEADER(include/mod_gnutls_config.h:config.in) 14 15 … … 16 17 17 18 AC_PROG_CC 19 AC_PROG_CC_C99 18 20 AC_PROG_LD 19 21 AC_PROG_INSTALL -
doc/mod_gnutls_manual.mdwn
r5d13786 r24c6c16 375 375 ------------------ 376 376 377 Load an additionalPKCS #11 module.377 Load this PKCS #11 module. 378 378 379 379 GnuTLSP11Module PATH_TO_LIBRARY … … 382 382 Context: server config 383 383 384 Load this PKCS #11 provider module, in addition tothe system385 defaults. 384 Load this PKCS #11 provider module, instead of the system 385 defaults. May occur multiple times to load multiple modules. 386 386 387 387 `GnuTLSPIN` -
include/mod_gnutls.h.in
r5d13786 r24c6c16 115 115 int non_ssl_request; 116 116 117 /* Additional PKCS #11 provider moduleto load, only valid in the117 /* List of PKCS #11 provider modules to load, only valid in the 118 118 * base config, ignored in virtual hosts */ 119 char *p11_module;119 apr_array_header_t *p11_modules; 120 120 121 121 /* PIN used for PKCS #11 operations */ … … 286 286 int ssl_engine_disable(conn_rec *c); 287 287 const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy, 288 const char *arg);288 const int arg); 289 289 apr_status_t mgs_cleanup_pre_config(void *data); 290 290 … … 439 439 440 440 const char *mgs_set_enabled(cmd_parms * parms, void *dummy, 441 const char *arg);441 const int arg); 442 442 const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy, 443 443 const char *arg); … … 445 445 const char *arg); 446 446 const char *mgs_set_tickets(cmd_parms * parms, void *dummy, 447 const char *arg);447 const int arg); 448 448 449 449 const char *mgs_set_require_section(cmd_parms *cmd, -
src/gnutls_config.c
r5d13786 r24c6c16 642 642 } 643 643 644 const char *mgs_set_tickets(cmd_parms * parms, void *dummy __attribute__((unused)),645 const char *arg) {646 mgs_srvconf_rec *sc =647 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 648 module_config, 649 650 651 sc->tickets = 0;652 if (strcasecmp("on", arg) == 0) {653 sc->tickets = 1; 654 }644 const char *mgs_set_tickets(cmd_parms *parms, 645 void *dummy __attribute__((unused)), 646 const int arg) 647 { 648 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 649 ap_get_module_config(parms->server->module_config, &gnutls_module); 650 651 if (arg) 652 sc->tickets = GNUTLS_ENABLED_TRUE; 653 else 654 sc->tickets = GNUTLS_ENABLED_FALSE; 655 655 656 656 return NULL; … … 826 826 } 827 827 828 const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy __attribute__((unused)), 829 const char *arg) { 830 828 /* 829 * Enable TLS proxy operation if arg is true, disable it otherwise. 830 */ 831 const char *mgs_set_proxy_engine(cmd_parms *parms, 832 void *dummy __attribute__((unused)), 833 const int arg) 834 { 831 835 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 832 ap_get_module_config(parms->server->module_config, &gnutls_module); 833 834 if (!strcasecmp(arg, "On")) { 835 sc->proxy_enabled = GNUTLS_ENABLED_TRUE; 836 } else if (!strcasecmp(arg, "Off")) { 837 sc->proxy_enabled = GNUTLS_ENABLED_FALSE; 838 } else { 839 return "GnuTLSProxyEngine must be set to 'On' or 'Off'"; 840 } 841 842 return NULL; 843 } 844 845 const char *mgs_set_enabled(cmd_parms * parms, void *dummy __attribute__((unused)), 846 const char *arg) { 847 mgs_srvconf_rec *sc = 848 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 849 module_config, 850 &gnutls_module); 851 if (!strcasecmp(arg, "On")) { 852 sc->enabled = GNUTLS_ENABLED_TRUE; 853 } else if (!strcasecmp(arg, "Off")) { 854 sc->enabled = GNUTLS_ENABLED_FALSE; 855 } else { 856 return "GnuTLSEnable must be set to 'On' or 'Off'"; 857 } 836 ap_get_module_config(parms->server->module_config, &gnutls_module); 837 838 if (arg) 839 sc->proxy_enabled = GNUTLS_ENABLED_TRUE; 840 else 841 sc->proxy_enabled = GNUTLS_ENABLED_FALSE; 842 843 return NULL; 844 } 845 846 /* 847 * Enable TLS for the server/vhost if arg is true, disable it 848 * otherwise. 849 */ 850 const char *mgs_set_enabled(cmd_parms *parms, 851 void *dummy __attribute__((unused)), 852 const int arg) 853 { 854 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 855 ap_get_module_config(parms->server->module_config, &gnutls_module); 856 857 if (arg) 858 sc->enabled = GNUTLS_ENABLED_TRUE; 859 else 860 sc->enabled = GNUTLS_ENABLED_FALSE; 858 861 859 862 return NULL; … … 949 952 sc->privkey_pgp = NULL; 950 953 sc->certs_x509_chain_num = 0; 951 sc->p11_module = NULL;954 sc->p11_modules = NULL; 952 955 sc->pin = NULL; 953 956 sc->priorities_str = NULL; … … 1010 1013 gnutls_srvconf_merge(x509_key_file, NULL); 1011 1014 gnutls_srvconf_merge(x509_ca_file, NULL); 1012 gnutls_srvconf_merge(p11_module , NULL);1015 gnutls_srvconf_merge(p11_modules, NULL); 1013 1016 gnutls_srvconf_merge(pin, NULL); 1014 1017 gnutls_srvconf_merge(pgp_cert_file, NULL); … … 1107 1110 1108 1111 /* 1109 * Record additional PKCS #11 module to load. Note that the value is 1110 * only used in the base config, settings in virtual hosts are 1111 * ignored. 1112 * Record PKCS #11 module to load. Note that the value is only used in 1113 * the base config, settings in virtual hosts are ignored. 1112 1114 */ 1113 1115 const char *mgs_set_p11_module(cmd_parms * parms, … … 1117 1119 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 1118 1120 ap_get_module_config(parms->server->module_config, &gnutls_module); 1119 sc->p11_module = apr_pstrdup(parms->pool, arg); 1120 return NULL; 1121 } 1121 /* initialize PKCS #11 module list if necessary */ 1122 if (sc->p11_modules == NULL) 1123 sc->p11_modules = apr_array_make(parms->pool, 2, sizeof(char*)); 1124 1125 *(char **) apr_array_push(sc->p11_modules) = apr_pstrdup(parms->pool, arg); 1126 1127 return NULL; 1128 } -
src/gnutls_hooks.c
r5d13786 r24c6c16 220 220 static int read_crt_cn(server_rec * s, apr_pool_t * p, gnutls_x509_crt_t cert, char **cert_cn) { 221 221 222 int rv = 0 , i;222 int rv = 0; 223 223 size_t data_len; 224 224 … … 242 242 rv = 0; 243 243 /* read subject alternative name */ 244 for (i = 0; !(rv < 0); i++) { 244 for (int i = 0; !(rv < 0); i++) 245 { 245 246 data_len = 0; 246 247 rv = gnutls_x509_crt_get_subject_alt_name(cert, i, … … 323 324 } 324 325 325 /* Load additional PKCS #11 module, if requested */ 326 if (sc_base->p11_module != NULL) 327 { 328 rv = gnutls_pkcs11_add_provider(sc_base->p11_module, NULL); 329 if (rv != GNUTLS_E_SUCCESS) 326 /* If GnuTLSP11Module is set, load the listed PKCS #11 327 * modules. Otherwise system defaults will be used. */ 328 if (sc_base->p11_modules != NULL) 329 { 330 rv = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL); 331 if (rv < 0) 332 { 330 333 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 331 "GnuTLS: Loading PKCS #11 provider module %s"334 "GnuTLS: Initializing PKCS #11 " 332 335 "failed: %s (%d).", 333 sc_base->p11_module, gnutls_strerror(rv), rv); 336 gnutls_strerror(rv), rv); 337 } 338 else 339 { 340 for (int i = 0; i < sc_base->p11_modules->nelts; i++) 341 { 342 char *p11_module = 343 APR_ARRAY_IDX(sc_base->p11_modules, i, char *); 344 rv = gnutls_pkcs11_add_provider(p11_module, NULL); 345 if (rv != GNUTLS_E_SUCCESS) 346 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 347 "GnuTLS: Loading PKCS #11 provider module %s " 348 "failed: %s (%d).", 349 p11_module, gnutls_strerror(rv), rv); 350 } 351 } 334 352 } 335 353 … … 355 373 if (sc->export_certificates_size < 0) 356 374 sc->export_certificates_size = 0; 357 if (sc->client_verify_mode == 375 if (sc->client_verify_mode == -1) 358 376 sc->client_verify_mode = GNUTLS_CERT_IGNORE; 359 if (sc->client_verify_method == 377 if (sc->client_verify_method == mgs_cvm_unset) 360 378 sc->client_verify_method = mgs_cvm_cartel; 361 379 … … 541 559 int check_server_aliases(vhost_cb_rec *x, server_rec * s, mgs_srvconf_rec *tsc) { 542 560 apr_array_header_t *names; 543 int i,rv = 0;561 int rv = 0; 544 562 char ** name; 545 563 … … 553 571 names = s->names; 554 572 name = (char **)names->elts; 555 for (i = 0; i < names->nelts; ++i) { 573 for (int i = 0; i < names->nelts; ++i) 574 { 556 575 if (!name[i]) { continue; } 557 576 if (apr_strnatcasecmp(x->sni_name, name[i]) == 0) { … … 565 584 names = s->wild_names; 566 585 name = (char **)names->elts; 567 for (i = 0; i < names->nelts; ++i) { 586 for (int i = 0; i < names->nelts; ++i) 587 { 568 588 if (!name[i]) { continue; } 569 589 if(apr_fnmatch(name[i], x->sni_name , … … 1016 1036 char *tmp2; 1017 1037 size_t len; 1018 int ret , i;1038 int ret; 1019 1039 1020 1040 if (r == NULL) … … 1091 1111 1092 1112 /* export all the alternative names (DNS, RFC822 and URI) */ 1093 for (i = 0; !(ret < 0); i++) { 1113 for (int i = 0; !(ret < 0); i++) 1114 { 1094 1115 const char *san, *sanlabel; 1095 1116 len = 0; … … 1204 1225 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) { 1205 1226 const gnutls_datum_t *cert_list; 1206 unsigned int cert_list_size, status; 1227 unsigned int cert_list_size; 1228 /* assume the certificate is invalid unless explicitly set 1229 * otherwise */ 1230 unsigned int status = GNUTLS_CERT_INVALID; 1207 1231 int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret; 1208 1232 unsigned int ch_size = 0; … … 1338 1362 #endif 1339 1363 default: 1364 /* If this block is reached, that indicates a 1365 * configuration error or bug in mod_gnutls (invalid value 1366 * of ctxt->sc->client_verify_method). */ 1340 1367 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1341 1368 "GnuTLS: Failed to Verify X.509 Peer: method '%s' is not supported", 1342 1369 mgs_readable_cvm(ctxt->sc->client_verify_method)); 1370 rv = GNUTLS_E_UNIMPLEMENTED_FEATURE; 1343 1371 } 1344 1372 … … 1356 1384 #ifdef ENABLE_MSVA 1357 1385 case mgs_cvm_msva: 1358 /* need to set status and rv */1359 1386 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1360 1387 "GnuTLS: OpenPGP verification via MSVA is not yet implemented"); … … 1363 1390 #endif 1364 1391 default: 1392 /* If this block is reached, that indicates a 1393 * configuration error or bug in mod_gnutls (invalid value 1394 * of ctxt->sc->client_verify_method). */ 1365 1395 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1366 1396 "GnuTLS: Failed to Verify OpenPGP Peer: method '%s' is not supported", 1367 1397 mgs_readable_cvm(ctxt->sc->client_verify_method)); 1368 } 1369 } 1370 1398 rv = GNUTLS_E_UNIMPLEMENTED_FEATURE; 1399 } 1400 } 1401 1402 /* "goto exit" at the end of this block skips evaluation of the 1403 * "status" variable */ 1371 1404 if (rv < 0) { 1372 1405 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, … … 1444 1477 1445 1478 exit: 1446 if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) { 1447 unsigned int i; 1448 for (i = 0; i < ch_size; i++) { 1479 if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) 1480 for (unsigned int i = 0; i < ch_size; i++) 1449 1481 gnutls_x509_crt_deinit(cert.x509[i]); 1450 } 1451 } else if (gnutls_certificate_type_get(ctxt->session) == 1452 GNUTLS_CRT_OPENPGP) 1482 else if (gnutls_certificate_type_get(ctxt->session) == 1483 GNUTLS_CRT_OPENPGP) 1453 1484 gnutls_openpgp_crt_deinit(cert.pgp); 1454 1485 return ret; 1455 1456 1457 } 1486 } 1487 1488 1458 1489 1459 1490 #ifdef ENABLE_MSVA -
src/mod_gnutls.c
r5d13786 r24c6c16 137 137 138 138 static const command_rec mgs_config_cmds[] = { 139 AP_INIT_ TAKE1("GnuTLSProxyEngine", mgs_set_proxy_engine,139 AP_INIT_FLAG("GnuTLSProxyEngine", mgs_set_proxy_engine, 140 140 NULL, 141 141 RSRC_CONF | OR_AUTHCFG, 142 "Enable SSLProxy Engine"),142 "Enable TLS Proxy Engine"), 143 143 AP_INIT_TAKE1("GnuTLSP11Module", mgs_set_p11_module, 144 144 NULL, 145 145 RSRC_CONF, 146 "Load this additionalPKCS #11 provider library"),146 "Load this specific PKCS #11 provider library"), 147 147 AP_INIT_RAW_ARGS("GnuTLSPIN", mgs_set_pin, 148 148 NULL, … … 180 180 NULL, 181 181 RSRC_CONF, 182 " SSLServer X509 Certificate file"),182 "TLS Server X509 Certificate file"), 183 183 AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file, 184 184 NULL, 185 185 RSRC_CONF, 186 " SSLServer X509 Private Key file"),186 "TLS Server X509 Private Key file"), 187 187 AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file, 188 188 NULL, 189 189 RSRC_CONF, 190 " SSLServer X509 Certificate file"),190 "TLS Server X509 Certificate file"), 191 191 AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file, 192 192 NULL, 193 193 RSRC_CONF, 194 " SSLServer X509 Private Key file"),194 "TLS Server X509 Private Key file"), 195 195 AP_INIT_TAKE1("GnuTLSPGPCertificateFile", mgs_set_pgpcert_file, 196 196 NULL, 197 197 RSRC_CONF, 198 " SSLServer PGP Certificate file"),198 "TLS Server PGP Certificate file"), 199 199 AP_INIT_TAKE1("GnuTLSPGPKeyFile", mgs_set_pgpkey_file, 200 200 NULL, 201 201 RSRC_CONF, 202 " SSLServer PGP Private key file"),202 "TLS Server PGP Private key file"), 203 203 #ifdef ENABLE_SRP 204 204 AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file, 205 205 NULL, 206 206 RSRC_CONF, 207 " SSLServer SRP Password Conf file"),207 "TLS Server SRP Password Conf file"), 208 208 AP_INIT_TAKE1("GnuTLSSRPPasswdConfFile", 209 209 mgs_set_srp_tpasswd_conf_file, 210 210 NULL, 211 211 RSRC_CONF, 212 " SSLServer SRP Parameters file"),212 "TLS Server SRP Parameters file"), 213 213 #endif 214 214 AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_cache_timeout, … … 220 220 RSRC_CONF, 221 221 "Cache Configuration"), 222 AP_INIT_ TAKE1("GnuTLSSessionTickets", mgs_set_tickets,222 AP_INIT_FLAG("GnuTLSSessionTickets", mgs_set_tickets, 223 223 NULL, 224 224 RSRC_CONF, … … 228 228 RSRC_CONF, 229 229 "The priorities to enable (ciphers, Key exchange, macs, compression)."), 230 AP_INIT_ TAKE1("GnuTLSEnable", mgs_set_enabled,230 AP_INIT_FLAG("GnuTLSEnable", mgs_set_enabled, 231 231 NULL, 232 232 RSRC_CONF, -
test/Makefile.am
r5d13786 r24c6c16 31 31 TESTS = $(dist_check_SCRIPTS) 32 32 33 # Identities in the miniature CA, server, and client environment for 34 # the test suite 35 identities = server authority client imposter rogueca 36 # Append strings after ":=" to each identity to generate a list of 37 # necessary files 38 pgp_tokens = $(identities:=/secring.gpg) $(identities:=/cert.pgp) \ 39 $(identities:=/secret.pgp) 40 x509_keys = $(identities:=/secret.key) 41 x509_certs = $(identities:=/x509.pem) 42 x509_tokens = $(x509_certs) $(x509_keys) 43 tokens = $(x509_tokens) $(pgp_tokens) 44 45 include $(srcdir)/test_ca.mk 46 33 47 # Test cases trying to create keys and certificates in parallel causes 34 48 # race conditions. Ensure that all keys and certificates are generated … … 41 55 # running at any time, so test cases actually have to wait for each 42 56 # other - just not in any particular order. 43 check_DATA = setup.doneserver/crl.pem57 check_DATA = $(tokens) server/crl.pem 44 58 45 MOSTLYCLEANFILES = setup.donecache/* logs/* outputs/* server/crl.pem59 MOSTLYCLEANFILES = cache/* logs/* outputs/* server/crl.pem 46 60 47 61 cert_templates = authority.template.in client.template.in \ … … 50 64 imposter.template server.template 51 65 66 # Delete X.509 private keys on full clean. Note that unless you need 67 # to generate fresh keys, the "mostlyclean" target should be 68 # sufficient (see below). 69 CLEANFILES = $(x509_keys) 70 52 71 # Delete X.509 certificates and generated templates on "mostlyclean" 53 72 # target. Certificates can be rebuilt without generating new key … … 55 74 # (e.g. host names) without wasting entropy on new keys (which would 56 75 # happen after "clean"). 57 MOSTLYCLEANFILES += */x509.pem $(generated_templates) 76 MOSTLYCLEANFILES += */x509.pem $(generated_templates) *.uid 77 58 78 59 79 # Delete PGP keyrings on "mostlyclean" target. They are created from … … 61 81 # one day, so regenerating them is both fast and frequently 62 82 # necessary. 63 MOSTLYCLEANFILES += */*.pgp */*.gpg */*.gpg~ */gpg.conf 83 MOSTLYCLEANFILES += */*.pgp */*.gpg */*.gpg~ */gpg.conf authority/lock 84 # GnuPG random pool, no need to regenerate on every build 85 CLEANFILES += authority/random_seed 64 86 65 clean-local: 66 $(MAKE) -f $(srcdir)/TestMakefile $(AM_MAKEFLAGS) clean 87 # Delete lock files for test servers on "mostlyclean" target. 88 MOSTLYCLEANFILES += *.lock 89 90 # rule to build MSVA trust database 91 if USE_MSVA 92 msva_home = msva.gnupghome 93 check_DATA += $(msva_home)/trustdb.gpg client.uid 94 MOSTLYCLEANFILES += $(msva_home)/trustdb.gpg 95 $(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp 96 mkdir -p -m 0700 $(dir $@) 97 GNUPGHOME=$(dir $@) gpg --import < $< 98 printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust 99 GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp 100 printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf 101 endif 67 102 68 103 # SoftHSM files 69 104 check_DATA += server/softhsm.db 70 MOSTLYCLEANFILES += tests/24_pkcs11_cert/softhsm.conf 105 MOSTLYCLEANFILES += tests/24_pkcs11_cert/softhsm.conf server/softhsm.db 71 106 72 # This rule can be used for any TestMakefile target not included in73 # setup.done. The dependency on setup.done is used to avoid race74 # conditions between multiple calls to TestMakefile for key and75 # certificate generation. It is ignored for setup.done itself.76 server/crl.pem server/softhsm.db setup.done: setup.done77 TEST_HOST="$(TEST_HOST)" TEST_IP="$(TEST_IP)" srcdir=$(srcdir) \78 $(MAKE) -f $(srcdir)/TestMakefile $(AM_MAKEFLAGS) $@79 107 108 check_DATA += make-test-dirs 109 extra_dirs = logs cache outputs 110 make-test-dirs: 111 mkdir -p $(extra_dirs) 112 .PHONY: make-test-dirs 113 114 clean-local: 115 -rmdir $(identities) || true 116 -rmdir $(extra_dirs) || true 117 if USE_MSVA 118 -rmdir $(msva_home) || true 119 endif 120 121 # Apache configuration and data files 80 122 apache_data = base_apache.conf cgi_module.conf data/* mime.types proxy_mods.conf 81 123 82 124 EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in proxy_backend.bash \ 83 runtests server-crl.template server-softhsm.conf softhsm.bash \ 84 TestMakefile 125 runtests server-crl.template server-softhsm.conf softhsm.bash 85 126 127 # Lockfile for the main Apache process 128 test_lockfile = ./test.lock 86 129 # Maximum wait time in seconds for flock to aquire instance lock files 87 130 lock_wait = 30 88 131 132 # port for the main Apache server 133 TEST_PORT ?= 9932 134 # port for MSVA in test cases that use it 135 MSVA_PORT ?= 9933 136 # maximum time to wait for MSVA startup 137 TEST_MSVA_MAX_WAIT ?= 10 138 # wait loop time for MSVA startup 139 TEST_MSVA_WAIT ?= 0.4 140 # seconds for the HTTP request to be sent and responded to 141 TEST_QUERY_DELAY ?= 30 142 89 143 AM_TESTS_ENVIRONMENT = export APACHE2=$(APACHE2); \ 90 144 export AP_LIBEXECDIR=$(AP_LIBEXECDIR); \ 91 export TEST_LOCK_WAIT=$(lock_wait); \ 145 export TEST_LOCK="$(test_lockfile)"; \ 146 export TEST_LOCK_WAIT="$(lock_wait)"; \ 92 147 export TEST_HOST="$(TEST_HOST)"; \ 93 148 export TEST_IP="$(TEST_IP)"; \ 149 export TEST_PORT="$(TEST_PORT)"; \ 150 export MSVA_PORT="$(MSVA_PORT)"; \ 151 export TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \ 152 export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \ 153 export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \ 94 154 export BACKEND_HOST="$(TEST_HOST)"; \ 95 155 export BACKEND_IP="$(TEST_IP)"; 156 157 # Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if 158 # you want to manually run an Apache instance with Valgrind using the 159 # same configuration as a test case. 160 show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT) 161 show-test-env: 162 @echo "$${TEST_ENV}" -
test/Makefile.in
r5d13786 r24c6c16 14 14 15 15 @SET_MAKE@ 16 17 #!/usr/bin/make -f 18 # Authors: 19 # Daniel Kahn Gillmor <dkg@fifthhorseman.net> 20 # Thomas Klute <thomas2.klute@uni-dortmund.de> 21 22 # General rules to set up a miniature CA & server & client environment 23 # for the test suite 16 24 VPATH = @srcdir@ 17 25 am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' … … 80 88 target_triplet = @target@ 81 89 @USE_MSVA_TRUE@am__append_1 = test-15_basic_msva.bash 90 DIST_COMMON = $(srcdir)/test_ca.mk $(srcdir)/Makefile.in \ 91 $(srcdir)/Makefile.am $(am__dist_check_SCRIPTS_DIST) \ 92 $(top_srcdir)/config/test-driver README 93 @USE_MSVA_TRUE@am__append_2 = $(msva_home)/trustdb.gpg client.uid 94 @USE_MSVA_TRUE@am__append_3 = $(msva_home)/trustdb.gpg 82 95 subdir = test 83 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \84 $(am__dist_check_SCRIPTS_DIST) \85 $(top_srcdir)/config/test-driver README86 96 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 87 97 am__aclocal_m4_deps = $(top_srcdir)/m4/apache.m4 \ … … 584 594 TESTS = $(dist_check_SCRIPTS) 585 595 596 # Identities in the miniature CA, server, and client environment for 597 # the test suite 598 identities = server authority client imposter rogueca 599 # Append strings after ":=" to each identity to generate a list of 600 # necessary files 601 pgp_tokens = $(identities:=/secring.gpg) $(identities:=/cert.pgp) \ 602 $(identities:=/secret.pgp) 603 604 x509_keys = $(identities:=/secret.key) 605 x509_certs = $(identities:=/x509.pem) 606 x509_tokens = $(x509_certs) $(x509_keys) 607 tokens = $(x509_tokens) $(pgp_tokens) 608 586 609 # Test cases trying to create keys and certificates in parallel causes 587 610 # race conditions. Ensure that all keys and certificates are generated … … 596 619 597 620 # SoftHSM files 598 check_DATA = setup.done server/crl.pem server/softhsm.db 621 check_DATA = $(tokens) server/crl.pem $(am__append_2) \ 622 server/softhsm.db make-test-dirs 599 623 600 624 # Delete X.509 certificates and generated templates on "mostlyclean" … … 608 632 # one day, so regenerating them is both fast and frequently 609 633 # necessary. 610 MOSTLYCLEANFILES = setup.done cache/* logs/* outputs/* server/crl.pem \ 611 */x509.pem $(generated_templates) */*.pgp */*.gpg */*.gpg~ \ 612 */gpg.conf tests/24_pkcs11_cert/softhsm.conf 634 635 # Delete lock files for test servers on "mostlyclean" target. 636 MOSTLYCLEANFILES = cache/* logs/* outputs/* server/crl.pem */x509.pem \ 637 $(generated_templates) *.uid */*.pgp */*.gpg */*.gpg~ \ 638 */gpg.conf authority/lock *.lock $(am__append_3) \ 639 tests/24_pkcs11_cert/softhsm.conf server/softhsm.db 613 640 cert_templates = authority.template.in client.template.in \ 614 641 imposter.template.in rogueca.template server.template.in … … 617 644 imposter.template server.template 618 645 646 647 # Delete X.509 private keys on full clean. Note that unless you need 648 # to generate fresh keys, the "mostlyclean" target should be 649 # sufficient (see below). 650 # GnuPG random pool, no need to regenerate on every build 651 CLEANFILES = $(x509_keys) authority/random_seed 652 653 # rule to build MSVA trust database 654 @USE_MSVA_TRUE@msva_home = msva.gnupghome 655 extra_dirs = logs cache outputs 656 657 # Apache configuration and data files 619 658 apache_data = base_apache.conf cgi_module.conf data/* mime.types proxy_mods.conf 620 659 EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in proxy_backend.bash \ 621 runtests server-crl.template server-softhsm.conf softhsm.bash \ 622 TestMakefile 623 624 660 runtests server-crl.template server-softhsm.conf softhsm.bash 661 662 663 # Lockfile for the main Apache process 664 test_lockfile = ./test.lock 625 665 # Maximum wait time in seconds for flock to aquire instance lock files 626 666 lock_wait = 30 627 667 AM_TESTS_ENVIRONMENT = export APACHE2=$(APACHE2); \ 628 668 export AP_LIBEXECDIR=$(AP_LIBEXECDIR); \ 629 export TEST_LOCK_WAIT=$(lock_wait); \ 669 export TEST_LOCK="$(test_lockfile)"; \ 670 export TEST_LOCK_WAIT="$(lock_wait)"; \ 630 671 export TEST_HOST="$(TEST_HOST)"; \ 631 672 export TEST_IP="$(TEST_IP)"; \ 673 export TEST_PORT="$(TEST_PORT)"; \ 674 export MSVA_PORT="$(MSVA_PORT)"; \ 675 export TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \ 676 export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \ 677 export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \ 632 678 export BACKEND_HOST="$(TEST_HOST)"; \ 633 679 export BACKEND_IP="$(TEST_IP)"; … … 637 683 .SUFFIXES: 638 684 .SUFFIXES: .log .test .test$(EXEEXT) .trs 639 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps)685 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(srcdir)/test_ca.mk $(am__configure_deps) 640 686 @for dep in $?; do \ 641 687 case '$(am__configure_deps)' in \ … … 658 704 cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ 659 705 esac; 706 $(srcdir)/test_ca.mk: 660 707 661 708 $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) … … 1192 1239 1193 1240 clean-generic: 1241 -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) 1194 1242 1195 1243 distclean-generic: … … 1283 1331 1284 1332 1333 %.template: $(srcdir)/%.template.in 1334 sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@ 1335 1336 %.uid: $(srcdir)/%.uid.in 1337 sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@ 1338 1339 %/secret.key: 1340 mkdir -p $(dir $@) 1341 chmod 0700 $(dir $@) 1342 certtool --generate-privkey > $@ 1343 1344 %/secring.gpg: %.uid %/secret.key 1345 rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg 1346 PEM2OPENPGP_EXPIRATION=86400 PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign pem2openpgp "$$(cat $<)" < $(dir $@)secret.key | GNUPGHOME=$(dir $@) gpg --import 1347 printf "%s:6:\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust 1348 1349 %/gpg.conf: %/secring.gpg 1350 printf "default-key %s\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@ 1351 1352 %/secret.pgp: %/secring.gpg 1353 GNUPGHOME=$(dir $@) gpg --armor --batch --no-tty --yes --export-secret-key "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@ 1354 1355 %/minimal.pgp: %/secring.gpg 1356 GNUPGHOME=$(dir $@) gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@ 1357 1358 # Import and signing modify the shared keyring, which leads to race 1359 # conditions with parallel make. Locking avoids this problem. 1360 %/cert.pgp: %/minimal.pgp authority/gpg.conf 1361 GNUPGHOME=authority flock authority/lock gpg --import $< 1362 GNUPGHOME=authority flock authority/lock gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" 1363 GNUPGHOME=authority gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@ 1364 1365 # special cases for the authorities' root certs: 1366 authority/x509.pem: authority.template authority/secret.key 1367 certtool --generate-self-signed --load-privkey authority/secret.key --template authority.template > $@ 1368 rogueca/x509.pem: $(srcdir)/rogueca.template rogueca/secret.key 1369 certtool --generate-self-signed --load-privkey rogueca/secret.key --template $(srcdir)/rogueca.template > $@ 1370 1371 %/cert-request: %.template %/secret.key 1372 certtool --generate-request --load-privkey $(dir $@)secret.key --template $< > $@ 1373 1374 %/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem 1375 certtool --generate-certificate --load-ca-certificate authority/x509.pem --load-ca-privkey authority/secret.key --load-request $(dir $@)cert-request --template $< > $@ 1376 1377 %/softhsm.db: %/x509.pem %/secret.key 1378 SOFTHSM_CONF="$(srcdir)/$(*)-softhsm.conf" $(srcdir)/softhsm.bash init $(dir $@)secret.key $(dir $@)x509.pem 1379 1380 # Generate CRL revoking a certain certificate. Currently used to 1381 # revoke the server certificate and check if setting the CRL as 1382 # GnuTLSProxyCRLFile causes the connection to the back end server to 1383 # fail. 1384 %/crl.pem: %/x509.pem ${srcdir}/%-crl.template 1385 certtool --generate-crl \ 1386 --load-ca-privkey authority/secret.key \ 1387 --load-ca-certificate authority/x509.pem \ 1388 --load-certificate $< \ 1389 --template "${srcdir}/$(*)-crl.template" \ 1390 > $@ 1391 @USE_MSVA_TRUE@$(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp 1392 @USE_MSVA_TRUE@ mkdir -p -m 0700 $(dir $@) 1393 @USE_MSVA_TRUE@ GNUPGHOME=$(dir $@) gpg --import < $< 1394 @USE_MSVA_TRUE@ printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust 1395 @USE_MSVA_TRUE@ GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp 1396 @USE_MSVA_TRUE@ printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf 1397 make-test-dirs: 1398 mkdir -p $(extra_dirs) 1399 .PHONY: make-test-dirs 1400 1285 1401 clean-local: 1286 $(MAKE) -f $(srcdir)/TestMakefile $(AM_MAKEFLAGS) clean 1287 1288 # This rule can be used for any TestMakefile target not included in 1289 # setup.done. The dependency on setup.done is used to avoid race 1290 # conditions between multiple calls to TestMakefile for key and 1291 # certificate generation. It is ignored for setup.done itself. 1292 server/crl.pem server/softhsm.db setup.done: setup.done 1293 TEST_HOST="$(TEST_HOST)" TEST_IP="$(TEST_IP)" srcdir=$(srcdir) \ 1294 $(MAKE) -f $(srcdir)/TestMakefile $(AM_MAKEFLAGS) $@ 1402 -rmdir $(identities) || true 1403 -rmdir $(extra_dirs) || true 1404 @USE_MSVA_TRUE@ -rmdir $(msva_home) || true 1405 1406 # port for the main Apache server 1407 TEST_PORT ?= 9932 1408 # port for MSVA in test cases that use it 1409 MSVA_PORT ?= 9933 1410 # maximum time to wait for MSVA startup 1411 TEST_MSVA_MAX_WAIT ?= 10 1412 # wait loop time for MSVA startup 1413 TEST_MSVA_WAIT ?= 0.4 1414 # seconds for the HTTP request to be sent and responded to 1415 TEST_QUERY_DELAY ?= 30 1416 1417 # Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if 1418 # you want to manually run an Apache instance with Valgrind using the 1419 # same configuration as a test case. 1420 show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT) 1421 show-test-env: 1422 @echo "$${TEST_ENV}" 1295 1423 1296 1424 # Tell versions [3.59,3.63) of GNU make to not export all variables. -
test/README
r5d13786 r24c6c16 32 32 33 33 TEST_HOST="localhost" TEST_IP="127.0.0.1" ./configure 34 34 35 35 36 Adding a Test … … 97 98 possible that these tests will fail for timing 98 99 reasons. [TEST_QUERY_DELAY (seconds for the http request to be sent 99 and responded to)] and [TEST_GAP (seconds to wait between tests)] 100 and responded to)] 101 102 In some situations you may want to see the exact environment as 103 configured by make, e.g. if you want to manually run an Apache 104 instance with Valgrind using the same configuration as a test 105 case. Use "make show-test-env" to dump AM_TESTS_ENVIRONMENT to stdout. -
test/runtests
r5d13786 r24c6c16 7 7 set -e 8 8 9 tests="${1##t-}" 10 11 if [ -n "${TEST_LOCK}" ]; then 12 TEST_LOCK="$(realpath ${TEST_LOCK})" 13 flock_cmd="flock -w ${TEST_LOCK_WAIT} ${TEST_LOCK}" 9 testid="${1##t-}" 10 11 if [ -z "$testid" ] ; then 12 echo -e "No test case selected.\nUsage: ${0} t-N" >&2 13 exit 1 14 else 15 testid=${srcdir}/tests/"$(printf "%02d" "$testid")"_* 14 16 fi 15 17 16 18 BADVARS=0 17 for v in APACHE2 TEST_HOST TEST_IP TEST_PORT TEST_QUERY_DELAY TEST_GAP MSVA_PORT; do 19 for v in APACHE2 TEST_HOST TEST_IP TEST_PORT TEST_QUERY_DELAY TEST_MSVA_WAIT \ 20 MSVA_PORT TEST_LOCK; do 18 21 if [ ! -v "$v" ]; then 19 22 printf "You need to set the %s environment variable\n" "$v" >&2 … … 111 114 fi 112 115 } 113 114 if [ -z "$tests" ] ; then115 tests=${srcdir}/tests/*116 else117 tests=${srcdir}/tests/"$(printf "%02d" "$tests")"_*118 fi119 116 120 117 if [ -n "${USE_MSVA}" ]; then … … 137 134 echo "MSVA not ready yet" 138 135 fi 139 sleep "${TEST_ GAP}"140 waited=$(echo "${waited} + ${TEST_ GAP}" | bc)136 sleep "${TEST_MSVA_WAIT}" 137 waited=$(echo "${waited} + ${TEST_MSVA_WAIT}" | bc) 141 138 done 142 139 … … 150 147 fi 151 148 152 for t in $tests; do 153 if [ -z "${flock_cmd}" ]; then 154 echo "Warning: no lock file set" 155 sleep "$TEST_GAP" 156 fi 157 t="$(realpath ${t})" 158 export srcdir="$(realpath ${srcdir})" 159 export TEST_NAME="$(basename "$t")" 160 output="outputs/${TEST_NAME}.output" 161 rm -f "$output" 162 163 if [ -e ${t}/fail.* ]; then 164 EXPECTED_FAILURE="$(printf " (expected: %s)" fail.*)" 165 else 166 unset EXPECTED_FAILURE 167 fi 168 printf "TESTING: %s%s\n" "$TEST_NAME" "$EXPECTED_FAILURE" 169 trap apache_down_err EXIT 170 if [ -n "${USE_MSVA}" ]; then 171 MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" \ 172 ${flock_cmd} \ 173 ${APACHE2} -f "${t}/apache.conf" -k start \ 174 || [ -e "${t}/fail.server" ] 175 else 176 ${flock_cmd} \ 177 ${APACHE2} -f "${t}/apache.conf" -k start \ 178 || [ -e "${t}/fail.server" ] 179 fi 180 181 # PID file for sleep command (explanation below) 182 sleep_pidfile="$(mktemp mod_gnutls_test-XXXXXX.pid)" 183 184 # The sleep call keeps the pipe from the subshell to gnutls-cli 185 # open. Without it gnutls-cli would terminate as soon as sed is 186 # done, and not wait for a response from the server, leading to 187 # failing tests. Sending sleep to the background allows the test 188 # case to proceed instead of waiting for it to return. The sleep 189 # process is stopped after gnutls-cli terminates. 190 if (sed "s/__HOSTNAME__/${TEST_HOST}/" <${t}/input && \ 191 run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_DELAY}" &) | \ 192 gnutls-cli -p "${TEST_PORT}" $(cat ${t}/gnutls-cli.args) "${TEST_HOST}" \ 193 >"$output"; 194 then 195 if [ -e ${t}/fail* ]; then 196 printf "%s should have failed but succeeded\n" "$(basename "$t")" >&2 197 exit 1 198 fi 199 else 200 if [ ! -e ${t}/fail* ]; then 201 printf "%s should have succeeded but failed\n" "$(basename "$t")" >&2 202 exit 1 203 fi 204 fi 205 206 kill_by_pidfile "${sleep_pidfile}" 207 unset sleep_pidfile 208 209 if [ -e ${t}/output ] ; then 210 diff_output_filter_headers "${t}/output" "$output" "-q" 211 fi 212 if [ -n "${USE_MSVA}" ]; then 213 trap stop_msva EXIT 214 else 215 trap - EXIT 216 fi 217 ${APACHE2} -f "${t}/apache.conf" -k stop || [ -e ${t}/fail.server ] 218 printf "SUCCESS: %s\n" "$TEST_NAME" 219 done 149 # configure locking for the Apache process 150 flock_cmd="flock -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})" 151 152 t="$(realpath ${testid})" 153 export srcdir="$(realpath ${srcdir})" 154 export TEST_NAME="$(basename "$t")" 155 output="outputs/${TEST_NAME}.output" 156 rm -f "$output" 157 158 if [ -e ${t}/fail.* ]; then 159 EXPECTED_FAILURE="$(printf " (expected: %s)" fail.*)" 160 else 161 unset EXPECTED_FAILURE 162 fi 163 printf "TESTING: %s%s\n" "$TEST_NAME" "$EXPECTED_FAILURE" 164 trap apache_down_err EXIT 165 if [ -n "${USE_MSVA}" ]; then 166 MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" \ 167 ${flock_cmd} \ 168 ${APACHE2} -f "${t}/apache.conf" -k start \ 169 || [ -e "${t}/fail.server" ] 170 else 171 ${flock_cmd} \ 172 ${APACHE2} -f "${t}/apache.conf" -k start \ 173 || [ -e "${t}/fail.server" ] 174 fi 175 176 # PID file for sleep command (explanation below) 177 sleep_pidfile="$(mktemp mod_gnutls_test-XXXXXX.pid)" 178 179 # The sleep call keeps the pipe from the subshell to gnutls-cli 180 # open. Without it gnutls-cli would terminate as soon as sed is 181 # done, and not wait for a response from the server, leading to 182 # failing tests. Sending sleep to the background allows the test 183 # case to proceed instead of waiting for it to return. The sleep 184 # process is stopped after gnutls-cli terminates. 185 if (sed "s/__HOSTNAME__/${TEST_HOST}/" <${t}/input && \ 186 run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_DELAY}" &) | \ 187 gnutls-cli -p "${TEST_PORT}" $(cat ${t}/gnutls-cli.args) "${TEST_HOST}" \ 188 >"$output"; 189 then 190 if [ -e ${t}/fail* ]; then 191 printf "%s should have failed but succeeded\n" "$(basename "$t")" >&2 192 exit 1 193 fi 194 else 195 if [ ! -e ${t}/fail* ]; then 196 printf "%s should have succeeded but failed\n" "$(basename "$t")" >&2 197 exit 1 198 fi 199 fi 200 201 kill_by_pidfile "${sleep_pidfile}" 202 unset sleep_pidfile 203 204 if [ -e ${t}/output ] ; then 205 diff_output_filter_headers "${t}/output" "$output" "-q" 206 fi 207 if [ -n "${USE_MSVA}" ]; then 208 trap stop_msva EXIT 209 else 210 trap - EXIT 211 fi 212 ${APACHE2} -f "${t}/apache.conf" -k stop || [ -e ${t}/fail.server ] 213 printf "SUCCESS: %s\n" "$TEST_NAME" 220 214 221 215 if [ -n "${USE_MSVA}" ]; then -
test/test-00_basic.bash
r5d13786 r24c6c16 1 1 #!/bin/bash 2 make -f $(dirname ${0})/TestMakefilet-02 ${srcdir}/runtests t-0 -
test/test-01_serverwide_priorities.bash
r5d13786 r24c6c16 1 1 #!/bin/bash 2 make -f $(dirname ${0})/TestMakefilet-12 ${srcdir}/runtests t-1 -
test/test-02_cache_in_vhost.bash
r5d13786 r24c6c16 1 1 #!/bin/bash 2 make -f $(dirname ${0})/TestMakefilet-22 ${srcdir}/runtests t-2 -
test/test-03_cachetimeout_in_vhost.bash
r5d13786 r24c6c16 1 1 #!/bin/bash 2 make -f $(dirname ${0})/TestMakefilet-32 ${srcdir}/runtests t-3 -
test/test-04_basic_nosni.bash
r5d13786 r24c6c16 1 1 #!/bin/bash 2 make -f $(dirname ${0})/TestMakefilet-42 ${srcdir}/runtests t-4 -
test/test-05_mismatched-priorities.bash
r5d13786 r24c6c16 1 1 #!/bin/bash 2 make -f $(dirname ${0})/TestMakefilet-52 ${srcdir}/runtests t-5 -
test/test-06_verify_sni_a.bash
r5d13786 r24c6c16 1 1 #!/bin/bash 2 make -f $(dirname ${0})/TestMakefilet-62 ${srcdir}/runtests t-6 -
test/test-07_verify_sni_b.bash
r5d13786 r24c6c16 1 1 #!/bin/bash 2 make -f $(dirname ${0})/TestMakefilet-72 ${srcdir}/runtests t-7 -
test/test-08_verify_no_sni_fallback_to_first_vhost.bash
r5d13786 r24c6c16 1 1 #!/bin/bash 2 make -f $(dirname ${0})/TestMakefilet-82 ${srcdir}/runtests t-8 -
test/test-09_verify_no_sni_fails_with_wrong_order.bash
r5d13786 r24c6c16 1 1 #!/bin/bash 2 make -f $(dirname ${0})/TestMakefilet-92 ${srcdir}/runtests t-9 -
test/test-10_basic_client_verification.bash
r5d13786 r24c6c16 1 1 #!/bin/bash 2 make -f $(dirname ${0})/TestMakefilet-102 ${srcdir}/runtests t-10 -
test/test-11_basic_client_verification_fail.bash
r5d13786 r24c6c16 1 1 #!/bin/bash 2 make -f $(dirname ${0})/TestMakefilet-112 ${srcdir}/runtests t-11 -
test/test-12_cgi_variables.bash
r5d13786 r24c6c16 1 1 #!/bin/bash 2 make -f $(dirname ${0})/TestMakefilet-122 ${srcdir}/runtests t-12 -
test/test-13_cgi_variables_no_client_cert.bash
r5d13786 r24c6c16 1 1 #!/bin/bash 2 make -f $(dirname ${0})/TestMakefilet-132 ${srcdir}/runtests t-13 -
test/test-14_basic_openpgp.bash
r5d13786 r24c6c16 1 1 #!/bin/bash 2 make -f $(dirname ${0})/TestMakefilet-142 ${srcdir}/runtests t-14 -
test/test-15_basic_msva.bash
r5d13786 r24c6c16 1 1 #!/bin/bash 2 USE_MSVA="yes" make -f $(dirname ${0})/TestMakefilet-152 USE_MSVA="yes" ${srcdir}/runtests t-15 -
test/test-16_view-status.bash
r5d13786 r24c6c16 1 1 #!/bin/bash 2 make -f $(dirname ${0})/TestMakefilet-162 ${srcdir}/runtests t-16 -
test/test-17_cgi_vars_large_cert.bash
r5d13786 r24c6c16 1 1 #!/bin/bash 2 make -f $(dirname ${0})/TestMakefilet-172 ${srcdir}/runtests t-17 -
test/test-18_client_verification_wrong_cert.bash
r5d13786 r24c6c16 1 1 #!/bin/bash 2 make -f $(dirname ${0})/TestMakefilet-182 ${srcdir}/runtests t-18 -
test/test-19_TLS_reverse_proxy.bash
r5d13786 r24c6c16 14 14 trap stop_backend EXIT 15 15 16 make -f $(dirname ${0})/TestMakefilet-1916 ${srcdir}/runtests t-19 17 17 18 18 backend_apache "${testdir}" "backend.conf" stop -
test/test-20_TLS_reverse_proxy_client_auth.bash
r5d13786 r24c6c16 14 14 trap stop_backend EXIT 15 15 16 make -f $(dirname ${0})/TestMakefilet-2016 ${srcdir}/runtests t-20 17 17 18 18 backend_apache "${testdir}" "backend.conf" stop -
test/test-21_TLS_reverse_proxy_wrong_cert.bash
r5d13786 r24c6c16 14 14 trap stop_backend EXIT 15 15 16 make -f $(dirname ${0})/TestMakefilet-2116 ${srcdir}/runtests t-21 17 17 18 18 backend_apache "${testdir}" "backend.conf" stop -
test/test-22_TLS_reverse_proxy_crl_revoke.bash
r5d13786 r24c6c16 14 14 trap stop_backend EXIT 15 15 16 make -f $(dirname ${0})/TestMakefilet-2216 ${srcdir}/runtests t-22 17 17 18 18 backend_apache "${testdir}" "backend.conf" stop -
test/test-23_TLS_reverse_proxy_mismatched_priorities.bash
r5d13786 r24c6c16 19 19 trap stop_backend EXIT 20 20 21 make -f $(dirname ${0})/TestMakefilet-2321 ${srcdir}/runtests t-23 22 22 23 23 backend_apache "${testdir}" "backend.conf" stop -
test/test-24_pkcs11_cert.bash
r5d13786 r24c6c16 25 25 set -e 26 26 27 make -f $(dirname ${0})/TestMakefilet-2427 ${srcdir}/runtests t-24 28 28 29 29 cleanup_tmpconf -
test/test_ca.mk
r5d13786 r24c6c16 1 1 #!/usr/bin/make -f 2 # Authors: 3 # Daniel Kahn Gillmor <dkg@fifthhorseman.net> 4 # Thomas Klute <thomas2.klute@uni-dortmund.de> 2 5 3 # Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 4 5 # run these tests to ensure that mod_gnutls can handle a range of 6 # simple configuration choices. 7 8 export srcdir ?= . 9 # If the Apache binary is not set, try to find apache2 in default PATH 10 # (should only happen when the test script is run manually) 11 export APACHE2 ?= apache2 12 13 export TEST_HOST ?= localhost 14 export TEST_IP ?= ::1 15 # chosen at random: 16 export TEST_PORT ?= 9932 17 export MSVA_PORT ?= 9933 18 19 export TEST_GAP ?= 0.4 20 export TEST_MSVA_MAX_WAIT ?= 10 21 export TEST_QUERY_DELAY ?= 30 22 export TEST_LOCK_WAIT ?= 30 23 24 TEST_LOCK := ./test.lock 25 26 all: setup.done 27 TEST_LOCK=$(TEST_LOCK) $(srcdir)/runtests 28 29 t-%: setup.done 30 TEST_LOCK=$(TEST_LOCK) $(srcdir)/runtests $@ 31 32 33 34 35 36 ### for setting up a little miniature CA + server + client environment: 37 identities := server authority client imposter rogueca 38 tokens := x509.pem secring.gpg secret.key cert.pgp secret.pgp 39 all_tokens := $(foreach id,$(identities),$(foreach token,$(tokens),$(id)/$(token))) 6 # General rules to set up a miniature CA & server & client environment 7 # for the test suite 40 8 41 9 %.template: $(srcdir)/%.template.in … … 97 65 --template "${srcdir}/$(*)-crl.template" \ 98 66 > $@ 99 100 msva.gnupghome/trustdb.gpg: authority/minimal.pgp client/cert.pgp101 mkdir -p -m 0700 $(dir $@)102 GNUPGHOME=$(dir $@) gpg --import < $<103 printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust104 GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp105 printf "keyserver does-not-exist.example\n" > msva.gnupghome/gpg.conf106 107 108 setup.done: $(all_tokens) msva.gnupghome/trustdb.gpg client.uid109 mkdir -p logs cache outputs110 touch setup.done111 112 113 clean:114 rm -rf server client authority logs cache outputs setup.done \115 server.template imposter.template msva.gnupghome \116 */*.pgp */*.gpg */*.gpg~ */*.pem */*.key authority.template \117 client.template client.uid server.uid *.lock tests/*/*.pem118 rmdir imposter rogueca || true119 120 .PHONY: all clean
Note: See TracChangeset
for help on using the changeset viewer.