Changeset 24c6c16 in mod_gnutls

Timestamp:

Oct 19, 2015, 9:07:41 PM (4 years ago)

Author:

Daniel Kahn Gillmor <dkg@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports

Children:

8bf5809

Parents:

5d13786 (diff), 89f863f (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

Message:

Merge tag 'upstream/0.7.1' into debian

Upstream version 0.7.1

Files:

• CHANGELOG (modified) (1 diff)
• README (modified) (1 diff)
• configure (modified) (12 diffs)
• configure.ac (modified) (3 diffs)
• doc/mod_gnutls_manual.mdwn (modified) (2 diffs)
• include/mod_gnutls.h.in (modified) (4 diffs)
• src/gnutls_config.c (modified) (6 diffs)
• src/gnutls_hooks.c (modified) (14 diffs)
• src/mod_gnutls.c (modified) (4 diffs)
• test/Makefile.am (modified) (5 diffs)
• test/Makefile.in (modified) (10 diffs)
• test/README (modified) (2 diffs)
• test/runtests (modified) (4 diffs)
• test/test-00_basic.bash (modified) (1 diff)
• test/test-01_serverwide_priorities.bash (modified) (1 diff)
• test/test-02_cache_in_vhost.bash (modified) (1 diff)
• test/test-03_cachetimeout_in_vhost.bash (modified) (1 diff)
• test/test-04_basic_nosni.bash (modified) (1 diff)
• test/test-05_mismatched-priorities.bash (modified) (1 diff)
• test/test-06_verify_sni_a.bash (modified) (1 diff)
• test/test-07_verify_sni_b.bash (modified) (1 diff)
• test/test-08_verify_no_sni_fallback_to_first_vhost.bash (modified) (1 diff)
• test/test-09_verify_no_sni_fails_with_wrong_order.bash (modified) (1 diff)
• test/test-10_basic_client_verification.bash (modified) (1 diff)
• test/test-11_basic_client_verification_fail.bash (modified) (1 diff)
• test/test-12_cgi_variables.bash (modified) (1 diff)
• test/test-13_cgi_variables_no_client_cert.bash (modified) (1 diff)
• test/test-14_basic_openpgp.bash (modified) (1 diff)
• test/test-15_basic_msva.bash (modified) (1 diff)
• test/test-16_view-status.bash (modified) (1 diff)
• test/test-17_cgi_vars_large_cert.bash (modified) (1 diff)
• test/test-18_client_verification_wrong_cert.bash (modified) (1 diff)
• test/test-19_TLS_reverse_proxy.bash (modified) (1 diff)
• test/test-20_TLS_reverse_proxy_client_auth.bash (modified) (1 diff)
• test/test-21_TLS_reverse_proxy_wrong_cert.bash (modified) (1 diff)
• test/test-22_TLS_reverse_proxy_crl_revoke.bash (modified) (1 diff)
• test/test-23_TLS_reverse_proxy_mismatched_priorities.bash (modified) (1 diff)
• test/test-24_pkcs11_cert.bash (modified) (1 diff)
• test/test_ca.mk (moved) (moved from test/TestMakefile) (2 diffs)

CHANGELOG

@@ -2 +2 @@
 - Handle Unclean Shutdowns
 - make session cache use generic apache caches
+
+** Version 0.7.1 (2015-10-18)
+- Improved handling of PKCS #11 modules: mod_gnutls now loads either
+  modules specified using GnuTLSP11Module, or the system defaults, but
+  not both. Thanks to Nikos Mavrogiannopoulos for the report and
+  initial patch!
+- Initialize variables to safe defaults during client certificate
+  verification. Certain error code paths did not set them, but they
+  should never be hit due to config validation. This adds another line
+  of defense.
+- Enable C99 support via autoconf
+- Test suite improvements. Most importantly, automake now handles
+  environment setup without any external make calls. Rules to build
+  the certificates are included from the old test makefile. Note that
+  the dependency on GNU make is not new (the test makefile always used
+  GNU make syntax), it just wasn't listed explicitly.
 
 ** Version 0.7 (2015-07-12)

README

@@ -24 +24 @@
  * GnuTLS          >= 3.1.4 <http://www.gnutls.org/> (3.2.* or newer preferred)
  * Apache HTTPD    >= 2.2 <http://httpd.apache.org/> (2.4.* preferred)
- * autotools & gcc
+ * autotools, GNU make, & gcc
  * APR Memcache    >= 0.7.0 (Optional)
  * libmsv          >= 0.1 (Optional, enable with ./configure --enable-msva)

configure

@@ -1 +1 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for mod_gnutls 0.7.
+# Generated by GNU Autoconf 2.69 for mod_gnutls 0.7.1.
 #
 #
@@ -588 +588 @@
 PACKAGE_NAME='mod_gnutls'
 PACKAGE_TARNAME='mod_gnutls'
-PACKAGE_VERSION='0.7'
-PACKAGE_STRING='mod_gnutls 0.7'
+PACKAGE_VERSION='0.7.1'
+PACKAGE_STRING='mod_gnutls 0.7.1'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
@@ -1379 +1379 @@
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures mod_gnutls 0.7 to adapt to many kinds of systems.
+\`configure' configures mod_gnutls 0.7.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1450 +1450 @@
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of mod_gnutls 0.7:";;
+     short | recursive ) echo "Configuration of mod_gnutls 0.7.1:";;
    esac
   cat <<\_ACEOF
@@ -1584 +1584 @@
 if $ac_init_version; then
   cat <<\_ACEOF
-mod_gnutls configure 0.7
+mod_gnutls configure 0.7.1
 generated by GNU Autoconf 2.69
 
@@ -1995 +1995 @@
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by mod_gnutls $as_me 0.7, which was
+It was created by mod_gnutls $as_me 0.7.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
@@ -2361 +2361 @@
   chmod +x config.nice
 
-MOD_GNUTLS_VERSION=0.7
+MOD_GNUTLS_VERSION=0.7.1
 
 
@@ -2539 +2539 @@
     NONENONEs,x,x, &&
   program_prefix=${target_alias}-
+# mod_gnutls test suite requires GNU make
 am__api_version='1.14'
 
@@ -3025 +3026 @@
 # Define the identity of the package.
  PACKAGE='mod_gnutls'
- VERSION='0.7'
+ VERSION='0.7.1'
 
 
@@ -4159 +4160 @@
   am__fastdepCC_TRUE='#'
   am__fastdepCC_FALSE=
+fi
+
+
+   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C99" >&5
+$as_echo_n "checking for $CC option to accept ISO C99... " >&6; }
+if ${ac_cv_prog_cc_c99+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_cv_prog_cc_c99=no
+ac_save_CC=$CC
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <wchar.h>
+#include <stdio.h>
+
+// Check varargs macros.  These examples are taken from C99 6.10.3.5.
+#define debug(...) fprintf (stderr, __VA_ARGS__)
+#define showlist(...) puts (#__VA_ARGS__)
+#define report(test,...) ((test) ? puts (#test) : printf (__VA_ARGS__))
+static void
+test_varargs_macros (void)
+{
+  int x = 1234;
+  int y = 5678;
+  debug ("Flag");
+  debug ("X = %d\n", x);
+  showlist (The first, second, and third items.);
+  report (x>y, "x is %d but y is %d", x, y);
+}
+
+// Check long long types.
+#define BIG64 18446744073709551615ull
+#define BIG32 4294967295ul
+#define BIG_OK (BIG64 / BIG32 == 4294967297ull && BIG64 % BIG32 == 0)
+#if !BIG_OK
+  your preprocessor is broken;
+#endif
+#if BIG_OK
+#else
+  your preprocessor is broken;
+#endif
+static long long int bignum = -9223372036854775807LL;
+static unsigned long long int ubignum = BIG64;
+
+struct incomplete_array
+{
+  int datasize;
+  double data[];
+};
+
+struct named_init {
+  int number;
+  const wchar_t *name;
+  double average;
+};
+
+typedef const char *ccp;
+
+static inline int
+test_restrict (ccp restrict text)
+{
+  // See if C++-style comments work.
+  // Iterate through items via the restricted pointer.
+  // Also check for declarations in for loops.
+  for (unsigned int i = 0; *(text+i) != '\0'; ++i)
+    continue;
+  return 0;
+}
+
+// Check varargs and va_copy.
+static void
+test_varargs (const char *format, ...)
+{
+  va_list args;
+  va_start (args, format);
+  va_list args_copy;
+  va_copy (args_copy, args);
+
+  const char *str;
+  int number;
+  float fnumber;
+
+  while (*format)
+    {
+      switch (*format++)
+        {
+        case 's': // string
+          str = va_arg (args_copy, const char *);
+          break;
+        case 'd': // int
+          number = va_arg (args_copy, int);
+          break;
+        case 'f': // float
+          fnumber = va_arg (args_copy, double);
+          break;
+        default:
+          break;
+        }
+    }
+  va_end (args_copy);
+  va_end (args);
+}
+
+int
+main ()
+{
+
+  // Check bool.
+  _Bool success = false;
+
+  // Check restrict.
+  if (test_restrict ("String literal") == 0)
+    success = true;
+  char *restrict newvar = "Another string";
+
+  // Check varargs.
+  test_varargs ("s, d' f .", "string", 65, 34.234);
+  test_varargs_macros ();
+
+  // Check flexible array members.
+  struct incomplete_array *ia =
+    malloc (sizeof (struct incomplete_array) + (sizeof (double) * 10));
+  ia->datasize = 10;
+  for (int i = 0; i < ia->datasize; ++i)
+    ia->data[i] = i * 1.234;
+
+  // Check named initializers.
+  struct named_init ni = {
+    .number = 34,
+    .name = L"Test wide string",
+    .average = 543.34343,
+  };
+
+  ni.number = 58;
+
+  int dynamic_array[ni.number];
+  dynamic_array[ni.number - 1] = 543;
+
+  // work around unused variable warnings
+  return (!success || bignum == 0LL || ubignum == 0uLL || newvar[0] == 'x'
+          || dynamic_array[ni.number - 1] != 543);
+
+  ;
+  return 0;
+}
+_ACEOF
+for ac_arg in '' -std=gnu99 -std=c99 -c99 -AC99 -D_STDC_C99= -qlanglvl=extc99
+do
+  CC="$ac_save_CC $ac_arg"
+  if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_prog_cc_c99=$ac_arg
+fi
+rm -f core conftest.err conftest.$ac_objext
+  test "x$ac_cv_prog_cc_c99" != "xno" && break
+done
+rm -f conftest.$ac_ext
+CC=$ac_save_CC
+
+fi
+# AC_CACHE_VAL
+case "x$ac_cv_prog_cc_c99" in
+  x)
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5
+$as_echo "none needed" >&6; } ;;
+  xno)
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5
+$as_echo "unsupported" >&6; } ;;
+  *)
+    CC="$CC $ac_cv_prog_cc_c99"
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c99" >&5
+$as_echo "$ac_cv_prog_cc_c99" >&6; } ;;
+esac
+if test "x$ac_cv_prog_cc_c99" != xno; then :
+
 fi
 
@@ -13444 +13622 @@
 # values after options handling.
 ac_log="
-This file was extended by mod_gnutls $as_me 0.7, which was
+This file was extended by mod_gnutls $as_me 0.7.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
@@ -13510 +13688 @@
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-mod_gnutls config.status 0.7
+mod_gnutls config.status 0.7.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"

configure.ac

@@ -1 +1 @@
 dnl 
-AC_INIT(mod_gnutls, 0.7)
+AC_INIT(mod_gnutls, 0.7.1)
 OOO_CONFIG_NICE(config.nice)
 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
@@ -10 +10 @@
 AM_MAINTAINER_MODE
 AC_CANONICAL_TARGET
-AM_INIT_AUTOMAKE
+# mod_gnutls test suite requires GNU make
+AM_INIT_AUTOMAKE([-Wno-portability])
 AM_CONFIG_HEADER(include/mod_gnutls_config.h:config.in)
 
@@ -16 +17 @@
 
 AC_PROG_CC
+AC_PROG_CC_C99
 AC_PROG_LD
 AC_PROG_INSTALL

doc/mod_gnutls_manual.mdwn

@@ -375 +375 @@
 ------------------
 
-Load an additional PKCS #11 module.
+Load this PKCS #11 module.
 
     GnuTLSP11Module PATH_TO_LIBRARY
@@ -382 +382 @@
 Context: server config
 
-Load this PKCS #11 provider module, in addition to the system
-defaults.
+Load this PKCS #11 provider module, instead of the system
+defaults. May occur multiple times to load multiple modules.
 
 `GnuTLSPIN`

include/mod_gnutls.h.in

@@ -115 +115 @@
     int non_ssl_request;
 
-    /* Additional PKCS #11 provider module to load, only valid in the
+    /* List of PKCS #11 provider modules to load, only valid in the
      * base config, ignored in virtual hosts */
-    char *p11_module;
+    apr_array_header_t *p11_modules;
 
     /* PIN used for PKCS #11 operations */
@@ -286 +286 @@
 int ssl_engine_disable(conn_rec *c);
 const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
-    const char *arg);
+                                 const int arg);
 apr_status_t mgs_cleanup_pre_config(void *data);
 
@@ -439 +439 @@
 
 const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
-                            const char *arg);
+                            const int arg);
 const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
                             const char *arg);
@@ -445 +445 @@
                             const char *arg);
 const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
-                            const char *arg);
+                            const int arg);
 
 const char *mgs_set_require_section(cmd_parms *cmd,

src/gnutls_config.c

@@ -642 +642 @@
 }
 
-const char *mgs_set_tickets(cmd_parms * parms, void *dummy __attribute__((unused)),
-        const char *arg) {
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    sc->tickets = 0;
-    if (strcasecmp("on", arg) == 0) {
-        sc->tickets = 1;
-    }
+const char *mgs_set_tickets(cmd_parms *parms,
+                            void *dummy __attribute__((unused)),
+                            const int arg)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(parms->server->module_config, &gnutls_module);
+
+    if (arg)
+        sc->tickets = GNUTLS_ENABLED_TRUE;
+    else
+        sc->tickets = GNUTLS_ENABLED_FALSE;
 
     return NULL;
@@ -826 +826 @@
 }
 
-const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy __attribute__((unused)),
-        const char *arg) {
-
+/*
+ * Enable TLS proxy operation if arg is true, disable it otherwise.
+ */
+const char *mgs_set_proxy_engine(cmd_parms *parms,
+                                 void *dummy __attribute__((unused)),
+                                 const int arg)
+{
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-        ap_get_module_config(parms->server->module_config, &gnutls_module);
-
-    if (!strcasecmp(arg, "On")) {
-        sc->proxy_enabled = GNUTLS_ENABLED_TRUE;
-    } else if (!strcasecmp(arg, "Off")) {
-        sc->proxy_enabled = GNUTLS_ENABLED_FALSE;
-    } else {
-        return "GnuTLSProxyEngine must be set to 'On' or 'Off'";
-    }
-
-    return NULL;
-}
-
-const char *mgs_set_enabled(cmd_parms * parms, void *dummy __attribute__((unused)),
-        const char *arg) {
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-    if (!strcasecmp(arg, "On")) {
-        sc->enabled = GNUTLS_ENABLED_TRUE;
-    } else if (!strcasecmp(arg, "Off")) {
-        sc->enabled = GNUTLS_ENABLED_FALSE;
-    } else {
-        return "GnuTLSEnable must be set to 'On' or 'Off'";
-    }
+        ap_get_module_config(parms->server->module_config, &gnutls_module);
+
+    if (arg)
+        sc->proxy_enabled = GNUTLS_ENABLED_TRUE;
+    else
+        sc->proxy_enabled = GNUTLS_ENABLED_FALSE;
+
+    return NULL;
+}
+
+/*
+ * Enable TLS for the server/vhost if arg is true, disable it
+ * otherwise.
+ */
+const char *mgs_set_enabled(cmd_parms *parms,
+                            void *dummy __attribute__((unused)),
+                            const int arg)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(parms->server->module_config, &gnutls_module);
+
+    if (arg)
+        sc->enabled = GNUTLS_ENABLED_TRUE;
+    else
+        sc->enabled = GNUTLS_ENABLED_FALSE;
 
     return NULL;
@@ -949 +952 @@
     sc->privkey_pgp = NULL;
     sc->certs_x509_chain_num = 0;
-    sc->p11_module = NULL;
+    sc->p11_modules = NULL;
     sc->pin = NULL;
     sc->priorities_str = NULL;
@@ -1010 +1013 @@
     gnutls_srvconf_merge(x509_key_file, NULL);
     gnutls_srvconf_merge(x509_ca_file, NULL);
-    gnutls_srvconf_merge(p11_module, NULL);
+    gnutls_srvconf_merge(p11_modules, NULL);
     gnutls_srvconf_merge(pin, NULL);
     gnutls_srvconf_merge(pgp_cert_file, NULL);
@@ -1107 +1110 @@
 
 /*
- * Record additional PKCS #11 module to load. Note that the value is
- * only used in the base config, settings in virtual hosts are
- * ignored.
+ * Record PKCS #11 module to load. Note that the value is only used in
+ * the base config, settings in virtual hosts are ignored.
  */
 const char *mgs_set_p11_module(cmd_parms * parms,
@@ -1117 +1119 @@
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(parms->server->module_config, &gnutls_module);
-    sc->p11_module = apr_pstrdup(parms->pool, arg);
-    return NULL;
-}
+    /* initialize PKCS #11 module list if necessary */
+    if (sc->p11_modules == NULL)
+        sc->p11_modules = apr_array_make(parms->pool, 2, sizeof(char*));
+
+    *(char **) apr_array_push(sc->p11_modules) = apr_pstrdup(parms->pool, arg);
+
+    return NULL;
+}

src/gnutls_hooks.c

@@ -220 +220 @@
 static int read_crt_cn(server_rec * s, apr_pool_t * p, gnutls_x509_crt_t cert, char **cert_cn) {
 
-    int rv = 0, i;
+    int rv = 0;
     size_t data_len;
 
@@ -242 +242 @@
         rv = 0;
         /* read subject alternative name */
-        for (i = 0; !(rv < 0); i++) {
+        for (int i = 0; !(rv < 0); i++)
+        {
             data_len = 0;
             rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
@@ -323 +324 @@
     }
 
-    /* Load additional PKCS #11 module, if requested */
-    if (sc_base->p11_module != NULL)
-    {
-        rv = gnutls_pkcs11_add_provider(sc_base->p11_module, NULL);
-        if (rv != GNUTLS_E_SUCCESS)
+    /* If GnuTLSP11Module is set, load the listed PKCS #11
+     * modules. Otherwise system defaults will be used. */
+    if (sc_base->p11_modules != NULL)
+    {
+        rv = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+        if (rv < 0)
+        {
             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Loading PKCS #11 provider module %s "
+                         "GnuTLS: Initializing PKCS #11 "
                          "failed: %s (%d).",
-                         sc_base->p11_module, gnutls_strerror(rv), rv);
+                         gnutls_strerror(rv), rv);
+        }
+        else
+        {
+            for (int i = 0; i < sc_base->p11_modules->nelts; i++)
+            {
+                char *p11_module =
+                    APR_ARRAY_IDX(sc_base->p11_modules, i, char *);
+                rv = gnutls_pkcs11_add_provider(p11_module, NULL);
+                if (rv != GNUTLS_E_SUCCESS)
+                    ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                                 "GnuTLS: Loading PKCS #11 provider module %s "
+                                 "failed: %s (%d).",
+                                 p11_module, gnutls_strerror(rv), rv);
+            }
+        }
     }
 
@@ -355 +373 @@
         if (sc->export_certificates_size < 0)
             sc->export_certificates_size = 0;
-        if (sc->client_verify_mode ==  -1)
+        if (sc->client_verify_mode == -1)
             sc->client_verify_mode = GNUTLS_CERT_IGNORE;
-        if (sc->client_verify_method ==  mgs_cvm_unset)
+        if (sc->client_verify_method == mgs_cvm_unset)
             sc->client_verify_method = mgs_cvm_cartel;
 
@@ -541 +559 @@
 int check_server_aliases(vhost_cb_rec *x, server_rec * s, mgs_srvconf_rec *tsc) {
         apr_array_header_t *names;
-        int i,rv = 0;
+        int rv = 0;
         char ** name;
 
@@ -553 +571 @@
                 names = s->names;
                 name = (char **)names->elts;
-                for (i = 0; i < names->nelts; ++i) {
+                for (int i = 0; i < names->nelts; ++i)
+        {
                         if (!name[i]) { continue; }
                                 if (apr_strnatcasecmp(x->sni_name, name[i]) == 0) {
@@ -565 +584 @@
                 names = s->wild_names;
         name = (char **)names->elts;
-                for (i = 0; i < names->nelts; ++i) {
+                for (int i = 0; i < names->nelts; ++i)
+        {
                         if (!name[i]) { continue; }
                                 if(apr_fnmatch(name[i], x->sni_name ,
@@ -1016 +1036 @@
     char *tmp2;
     size_t len;
-    int ret, i;
+    int ret;
 
     if (r == NULL)
@@ -1091 +1111 @@
 
     /* export all the alternative names (DNS, RFC822 and URI) */
-    for (i = 0; !(ret < 0); i++) {
+    for (int i = 0; !(ret < 0); i++)
+    {
         const char *san, *sanlabel;
         len = 0;
@@ -1204 +1225 @@
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) {
     const gnutls_datum_t *cert_list;
-    unsigned int cert_list_size, status;
+    unsigned int cert_list_size;
+    /* assume the certificate is invalid unless explicitly set
+     * otherwise */
+    unsigned int status = GNUTLS_CERT_INVALID;
     int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret;
     unsigned int ch_size = 0;
@@ -1338 +1362 @@
 #endif
         default:
+            /* If this block is reached, that indicates a
+             * configuration error or bug in mod_gnutls (invalid value
+             * of ctxt->sc->client_verify_method). */
             ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                           "GnuTLS: Failed to Verify X.509 Peer: method '%s' is not supported",
                           mgs_readable_cvm(ctxt->sc->client_verify_method));
+            rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
         }
 
@@ -1356 +1384 @@
 #ifdef ENABLE_MSVA
         case mgs_cvm_msva:
-            /* need to set status and rv */
             ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                           "GnuTLS:  OpenPGP verification via MSVA is not yet implemented");
@@ -1363 +1390 @@
 #endif
         default:
+            /* If this block is reached, that indicates a
+             * configuration error or bug in mod_gnutls (invalid value
+             * of ctxt->sc->client_verify_method). */
             ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                           "GnuTLS: Failed to Verify OpenPGP Peer: method '%s' is not supported",
                           mgs_readable_cvm(ctxt->sc->client_verify_method));
-        }
-    }
-
+            rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
+        }
+    }
+
+    /* "goto exit" at the end of this block skips evaluation of the
+     * "status" variable */
     if (rv < 0) {
         ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
@@ -1444 +1477 @@
 
 exit:
-    if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
-        unsigned int i;
-        for (i = 0; i < ch_size; i++) {
+    if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
+        for (unsigned int i = 0; i < ch_size; i++)
             gnutls_x509_crt_deinit(cert.x509[i]);
-        }
-    } else if (gnutls_certificate_type_get(ctxt->session) ==
-            GNUTLS_CRT_OPENPGP)
+    else if (gnutls_certificate_type_get(ctxt->session) ==
+             GNUTLS_CRT_OPENPGP)
         gnutls_openpgp_crt_deinit(cert.pgp);
     return ret;
-
-
-}
+}
+
+
 
 #ifdef ENABLE_MSVA

src/mod_gnutls.c

@@ -137 +137 @@
 
 static const command_rec mgs_config_cmds[] = {
-    AP_INIT_TAKE1("GnuTLSProxyEngine", mgs_set_proxy_engine,
+    AP_INIT_FLAG("GnuTLSProxyEngine", mgs_set_proxy_engine,
     NULL,
     RSRC_CONF | OR_AUTHCFG,
-    "Enable SSL Proxy Engine"),
+    "Enable TLS Proxy Engine"),
     AP_INIT_TAKE1("GnuTLSP11Module", mgs_set_p11_module,
     NULL,
     RSRC_CONF,
-    "Load this additional PKCS #11 provider library"),
+    "Load this specific PKCS #11 provider library"),
     AP_INIT_RAW_ARGS("GnuTLSPIN", mgs_set_pin,
     NULL,
@@ -180 +180 @@
     NULL,
     RSRC_CONF,
-    "SSL Server X509 Certificate file"),
+    "TLS Server X509 Certificate file"),
     AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file,
     NULL,
     RSRC_CONF,
-    "SSL Server X509 Private Key file"),
+    "TLS Server X509 Private Key file"),
     AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file,
     NULL,
     RSRC_CONF,
-    "SSL Server X509 Certificate file"),
+    "TLS Server X509 Certificate file"),
     AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file,
     NULL,
     RSRC_CONF,
-    "SSL Server X509 Private Key file"),
+    "TLS Server X509 Private Key file"),
     AP_INIT_TAKE1("GnuTLSPGPCertificateFile", mgs_set_pgpcert_file,
     NULL,
     RSRC_CONF,
-    "SSL Server PGP Certificate file"),
+    "TLS Server PGP Certificate file"),
     AP_INIT_TAKE1("GnuTLSPGPKeyFile", mgs_set_pgpkey_file,
     NULL,
     RSRC_CONF,
-    "SSL Server PGP Private key file"),
+    "TLS Server PGP Private key file"),
 #ifdef ENABLE_SRP
     AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file,
     NULL,
     RSRC_CONF,
-    "SSL Server SRP Password Conf file"),
+    "TLS Server SRP Password Conf file"),
     AP_INIT_TAKE1("GnuTLSSRPPasswdConfFile",
     mgs_set_srp_tpasswd_conf_file,
     NULL,
     RSRC_CONF,
-    "SSL Server SRP Parameters file"),
+    "TLS Server SRP Parameters file"),
 #endif
     AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_cache_timeout,
@@ -220 +220 @@
     RSRC_CONF,
     "Cache Configuration"),
-    AP_INIT_TAKE1("GnuTLSSessionTickets", mgs_set_tickets,
+    AP_INIT_FLAG("GnuTLSSessionTickets", mgs_set_tickets,
     NULL,
     RSRC_CONF,
@@ -228 +228 @@
     RSRC_CONF,
     "The priorities to enable (ciphers, Key exchange, macs, compression)."),
-    AP_INIT_TAKE1("GnuTLSEnable", mgs_set_enabled,
+    AP_INIT_FLAG("GnuTLSEnable", mgs_set_enabled,
     NULL,
     RSRC_CONF,

test/Makefile.am

@@ -31 +31 @@
 TESTS = $(dist_check_SCRIPTS)
 
+# Identities in the miniature CA, server, and client environment for
+# the test suite
+identities = server authority client imposter rogueca
+# Append strings after ":=" to each identity to generate a list of
+# necessary files
+pgp_tokens = $(identities:=/secring.gpg) $(identities:=/cert.pgp) \
+        $(identities:=/secret.pgp)
+x509_keys = $(identities:=/secret.key)
+x509_certs = $(identities:=/x509.pem)
+x509_tokens = $(x509_certs) $(x509_keys)
+tokens = $(x509_tokens) $(pgp_tokens)
+
+include $(srcdir)/test_ca.mk
+
 # Test cases trying to create keys and certificates in parallel causes
 # race conditions. Ensure that all keys and certificates are generated
@@ -41 +55 @@
 # running at any time, so test cases actually have to wait for each
 # other - just not in any particular order.
-check_DATA = setup.done server/crl.pem
+check_DATA = $(tokens) server/crl.pem
 
-MOSTLYCLEANFILES = setup.done cache/* logs/* outputs/* server/crl.pem
+MOSTLYCLEANFILES = cache/* logs/* outputs/* server/crl.pem
 
 cert_templates = authority.template.in client.template.in \
@@ -50 +64 @@
         imposter.template server.template
 
+# Delete X.509 private keys on full clean. Note that unless you need
+# to generate fresh keys, the "mostlyclean" target should be
+# sufficient (see below).
+CLEANFILES = $(x509_keys)
+
 # Delete X.509 certificates and generated templates on "mostlyclean"
 # target. Certificates can be rebuilt without generating new key
@@ -55 +74 @@
 # (e.g. host names) without wasting entropy on new keys (which would
 # happen after "clean").
-MOSTLYCLEANFILES += */x509.pem $(generated_templates)
+MOSTLYCLEANFILES += */x509.pem $(generated_templates) *.uid
+
 
 # Delete PGP keyrings on "mostlyclean" target. They are created from
@@ -61 +81 @@
 # one day, so regenerating them is both fast and frequently
 # necessary.
-MOSTLYCLEANFILES += */*.pgp */*.gpg */*.gpg~ */gpg.conf
+MOSTLYCLEANFILES += */*.pgp */*.gpg */*.gpg~ */gpg.conf authority/lock
+# GnuPG random pool, no need to regenerate on every build
+CLEANFILES += authority/random_seed
 
-clean-local:
-        $(MAKE) -f $(srcdir)/TestMakefile $(AM_MAKEFLAGS) clean
+# Delete lock files for test servers on "mostlyclean" target.
+MOSTLYCLEANFILES += *.lock
+
+# rule to build MSVA trust database
+if USE_MSVA
+msva_home = msva.gnupghome
+check_DATA += $(msva_home)/trustdb.gpg client.uid
+MOSTLYCLEANFILES += $(msva_home)/trustdb.gpg
+$(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp
+        mkdir -p -m 0700 $(dir $@)
+        GNUPGHOME=$(dir $@) gpg --import < $<
+        printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
+        GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
+        printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
+endif
 
 # SoftHSM files
 check_DATA += server/softhsm.db
-MOSTLYCLEANFILES += tests/24_pkcs11_cert/softhsm.conf
+MOSTLYCLEANFILES += tests/24_pkcs11_cert/softhsm.conf server/softhsm.db
 
-# This rule can be used for any TestMakefile target not included in
-# setup.done. The dependency on setup.done is used to avoid race
-# conditions between multiple calls to TestMakefile for key and
-# certificate generation. It is ignored for setup.done itself.
-server/crl.pem server/softhsm.db setup.done: setup.done
-        TEST_HOST="$(TEST_HOST)" TEST_IP="$(TEST_IP)" srcdir=$(srcdir) \
-        $(MAKE) -f $(srcdir)/TestMakefile $(AM_MAKEFLAGS) $@
 
+check_DATA += make-test-dirs
+extra_dirs = logs cache outputs
+make-test-dirs:
+        mkdir -p $(extra_dirs)
+.PHONY: make-test-dirs
+
+clean-local:
+        -rmdir $(identities) || true
+        -rmdir $(extra_dirs) || true
+if USE_MSVA
+        -rmdir $(msva_home) || true
+endif
+
+# Apache configuration and data files
 apache_data = base_apache.conf cgi_module.conf data/* mime.types proxy_mods.conf
 
 EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in proxy_backend.bash \
-        runtests server-crl.template server-softhsm.conf softhsm.bash \
-        TestMakefile
+        runtests server-crl.template server-softhsm.conf softhsm.bash
 
+# Lockfile for the main Apache process
+test_lockfile = ./test.lock
 # Maximum wait time in seconds for flock to aquire instance lock files
 lock_wait = 30
 
+# port for the main Apache server
+TEST_PORT ?= 9932
+# port for MSVA in test cases that use it
+MSVA_PORT ?= 9933
+# maximum time to wait for MSVA startup
+TEST_MSVA_MAX_WAIT ?= 10
+# wait loop time for MSVA startup
+TEST_MSVA_WAIT ?= 0.4
+# seconds for the HTTP request to be sent and responded to
+TEST_QUERY_DELAY ?= 30
+
 AM_TESTS_ENVIRONMENT = export APACHE2=$(APACHE2); \
         export AP_LIBEXECDIR=$(AP_LIBEXECDIR); \
-        export TEST_LOCK_WAIT=$(lock_wait); \
+        export TEST_LOCK="$(test_lockfile)"; \
+        export TEST_LOCK_WAIT="$(lock_wait)"; \
         export TEST_HOST="$(TEST_HOST)"; \
         export TEST_IP="$(TEST_IP)"; \
+        export TEST_PORT="$(TEST_PORT)"; \
+        export MSVA_PORT="$(MSVA_PORT)"; \
+        export TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \
+        export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
+        export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
         export BACKEND_HOST="$(TEST_HOST)"; \
         export BACKEND_IP="$(TEST_IP)";
+
+# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
+# you want to manually run an Apache instance with Valgrind using the
+# same configuration as a test case.
+show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
+show-test-env:
+        @echo "$${TEST_ENV}"

test/Makefile.in

@@ -14 +14 @@
 
 @SET_MAKE@
+
+#!/usr/bin/make -f
+# Authors:
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+# Thomas Klute <thomas2.klute@uni-dortmund.de>
+
+# General rules to set up a miniature CA & server & client environment
+# for the test suite
 VPATH = @srcdir@
 am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
@@ -80 +88 @@
 target_triplet = @target@
 @USE_MSVA_TRUE@am__append_1 = test-15_basic_msva.bash
+DIST_COMMON = $(srcdir)/test_ca.mk $(srcdir)/Makefile.in \
+        $(srcdir)/Makefile.am $(am__dist_check_SCRIPTS_DIST) \
+        $(top_srcdir)/config/test-driver README
+@USE_MSVA_TRUE@am__append_2 = $(msva_home)/trustdb.gpg client.uid
+@USE_MSVA_TRUE@am__append_3 = $(msva_home)/trustdb.gpg
 subdir = test
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
-        $(am__dist_check_SCRIPTS_DIST) \
-        $(top_srcdir)/config/test-driver README
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/apache.m4 \
@@ -584 +594 @@
 TESTS = $(dist_check_SCRIPTS)
 
+# Identities in the miniature CA, server, and client environment for
+# the test suite
+identities = server authority client imposter rogueca
+# Append strings after ":=" to each identity to generate a list of
+# necessary files
+pgp_tokens = $(identities:=/secring.gpg) $(identities:=/cert.pgp) \
+        $(identities:=/secret.pgp)
+
+x509_keys = $(identities:=/secret.key)
+x509_certs = $(identities:=/x509.pem)
+x509_tokens = $(x509_certs) $(x509_keys)
+tokens = $(x509_tokens) $(pgp_tokens)
+
 # Test cases trying to create keys and certificates in parallel causes
 # race conditions. Ensure that all keys and certificates are generated
@@ -596 +619 @@
 
 # SoftHSM files
-check_DATA = setup.done server/crl.pem server/softhsm.db
+check_DATA = $(tokens) server/crl.pem $(am__append_2) \
+        server/softhsm.db make-test-dirs
 
 # Delete X.509 certificates and generated templates on "mostlyclean"
@@ -608 +632 @@
 # one day, so regenerating them is both fast and frequently
 # necessary.
-MOSTLYCLEANFILES = setup.done cache/* logs/* outputs/* server/crl.pem \
-        */x509.pem $(generated_templates) */*.pgp */*.gpg */*.gpg~ \
-        */gpg.conf tests/24_pkcs11_cert/softhsm.conf
+
+# Delete lock files for test servers on "mostlyclean" target.
+MOSTLYCLEANFILES = cache/* logs/* outputs/* server/crl.pem */x509.pem \
+        $(generated_templates) *.uid */*.pgp */*.gpg */*.gpg~ \
+        */gpg.conf authority/lock *.lock $(am__append_3) \
+        tests/24_pkcs11_cert/softhsm.conf server/softhsm.db
 cert_templates = authority.template.in client.template.in \
         imposter.template.in rogueca.template server.template.in
@@ -617 +644 @@
         imposter.template server.template
 
+
+# Delete X.509 private keys on full clean. Note that unless you need
+# to generate fresh keys, the "mostlyclean" target should be
+# sufficient (see below).
+# GnuPG random pool, no need to regenerate on every build
+CLEANFILES = $(x509_keys) authority/random_seed
+
+# rule to build MSVA trust database
+@USE_MSVA_TRUE@msva_home = msva.gnupghome
+extra_dirs = logs cache outputs
+
+# Apache configuration and data files
 apache_data = base_apache.conf cgi_module.conf data/* mime.types proxy_mods.conf
 EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in proxy_backend.bash \
-        runtests server-crl.template server-softhsm.conf softhsm.bash \
-        TestMakefile
-
-
+        runtests server-crl.template server-softhsm.conf softhsm.bash
+
+
+# Lockfile for the main Apache process
+test_lockfile = ./test.lock
 # Maximum wait time in seconds for flock to aquire instance lock files
 lock_wait = 30
 AM_TESTS_ENVIRONMENT = export APACHE2=$(APACHE2); \
         export AP_LIBEXECDIR=$(AP_LIBEXECDIR); \
-        export TEST_LOCK_WAIT=$(lock_wait); \
+        export TEST_LOCK="$(test_lockfile)"; \
+        export TEST_LOCK_WAIT="$(lock_wait)"; \
         export TEST_HOST="$(TEST_HOST)"; \
         export TEST_IP="$(TEST_IP)"; \
+        export TEST_PORT="$(TEST_PORT)"; \
+        export MSVA_PORT="$(MSVA_PORT)"; \
+        export TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \
+        export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
+        export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
         export BACKEND_HOST="$(TEST_HOST)"; \
         export BACKEND_IP="$(TEST_IP)";
@@ -637 +683 @@
 .SUFFIXES:
 .SUFFIXES: .log .test .test$(EXEEXT) .trs
-$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am  $(am__configure_deps)
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(srcdir)/test_ca.mk $(am__configure_deps)
         @for dep in $?; do \
           case '$(am__configure_deps)' in \
@@ -658 +704 @@
             cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
         esac;
+$(srcdir)/test_ca.mk:
 
 $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
@@ -1192 +1239 @@
 
 clean-generic:
+        -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
@@ -1283 +1331 @@
 
 
+%.template: $(srcdir)/%.template.in
+        sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@
+
+%.uid: $(srcdir)/%.uid.in
+        sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@
+
+%/secret.key:
+        mkdir -p $(dir $@)
+        chmod 0700 $(dir $@)
+        certtool --generate-privkey > $@
+
+%/secring.gpg: %.uid %/secret.key
+        rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg
+        PEM2OPENPGP_EXPIRATION=86400 PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign pem2openpgp "$$(cat $<)" < $(dir $@)secret.key | GNUPGHOME=$(dir $@) gpg --import
+        printf "%s:6:\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
+
+%/gpg.conf: %/secring.gpg
+        printf "default-key %s\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
+
+%/secret.pgp: %/secring.gpg
+        GNUPGHOME=$(dir $@) gpg --armor --batch --no-tty --yes --export-secret-key "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
+
+%/minimal.pgp: %/secring.gpg
+        GNUPGHOME=$(dir $@) gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
+
+# Import and signing modify the shared keyring, which leads to race
+# conditions with parallel make. Locking avoids this problem.
+%/cert.pgp: %/minimal.pgp authority/gpg.conf
+        GNUPGHOME=authority flock authority/lock gpg --import $<
+        GNUPGHOME=authority flock authority/lock gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
+        GNUPGHOME=authority gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
+
+# special cases for the authorities' root certs:
+authority/x509.pem: authority.template authority/secret.key
+        certtool --generate-self-signed --load-privkey authority/secret.key --template authority.template > $@
+rogueca/x509.pem: $(srcdir)/rogueca.template rogueca/secret.key
+        certtool --generate-self-signed --load-privkey rogueca/secret.key --template $(srcdir)/rogueca.template > $@
+
+%/cert-request: %.template %/secret.key 
+        certtool --generate-request --load-privkey $(dir $@)secret.key --template $< > $@
+
+%/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem 
+        certtool --generate-certificate --load-ca-certificate authority/x509.pem --load-ca-privkey authority/secret.key --load-request $(dir $@)cert-request --template $< > $@
+
+%/softhsm.db: %/x509.pem %/secret.key
+        SOFTHSM_CONF="$(srcdir)/$(*)-softhsm.conf" $(srcdir)/softhsm.bash init $(dir $@)secret.key $(dir $@)x509.pem
+
+# Generate CRL revoking a certain certificate. Currently used to
+# revoke the server certificate and check if setting the CRL as
+# GnuTLSProxyCRLFile causes the connection to the back end server to
+# fail.
+%/crl.pem: %/x509.pem ${srcdir}/%-crl.template
+        certtool --generate-crl \
+                --load-ca-privkey authority/secret.key \
+                --load-ca-certificate authority/x509.pem \
+                --load-certificate $< \
+                --template "${srcdir}/$(*)-crl.template" \
+                > $@
+@USE_MSVA_TRUE@$(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp
+@USE_MSVA_TRUE@ mkdir -p -m 0700 $(dir $@)
+@USE_MSVA_TRUE@ GNUPGHOME=$(dir $@) gpg --import < $<
+@USE_MSVA_TRUE@ printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
+@USE_MSVA_TRUE@ GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
+@USE_MSVA_TRUE@ printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
+make-test-dirs:
+        mkdir -p $(extra_dirs)
+.PHONY: make-test-dirs
+
 clean-local:
-        $(MAKE) -f $(srcdir)/TestMakefile $(AM_MAKEFLAGS) clean
-
-# This rule can be used for any TestMakefile target not included in
-# setup.done. The dependency on setup.done is used to avoid race
-# conditions between multiple calls to TestMakefile for key and
-# certificate generation. It is ignored for setup.done itself.
-server/crl.pem server/softhsm.db setup.done: setup.done
-        TEST_HOST="$(TEST_HOST)" TEST_IP="$(TEST_IP)" srcdir=$(srcdir) \
-        $(MAKE) -f $(srcdir)/TestMakefile $(AM_MAKEFLAGS) $@
+        -rmdir $(identities) || true
+        -rmdir $(extra_dirs) || true
+@USE_MSVA_TRUE@ -rmdir $(msva_home) || true
+
+# port for the main Apache server
+TEST_PORT ?= 9932
+# port for MSVA in test cases that use it
+MSVA_PORT ?= 9933
+# maximum time to wait for MSVA startup
+TEST_MSVA_MAX_WAIT ?= 10
+# wait loop time for MSVA startup
+TEST_MSVA_WAIT ?= 0.4
+# seconds for the HTTP request to be sent and responded to
+TEST_QUERY_DELAY ?= 30
+
+# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
+# you want to manually run an Apache instance with Valgrind using the
+# same configuration as a test case.
+show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
+show-test-env:
+        @echo "$${TEST_ENV}"
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.

test/README

@@ -32 +32 @@
 
   TEST_HOST="localhost" TEST_IP="127.0.0.1" ./configure
+
 
 Adding a Test
@@ -97 +98 @@
    possible that these tests will fail for timing
    reasons. [TEST_QUERY_DELAY (seconds for the http request to be sent
-   and responded to)] and [TEST_GAP (seconds to wait between tests)]
+   and responded to)]
+
+In some situations you may want to see the exact environment as
+configured by make, e.g. if you want to manually run an Apache
+instance with Valgrind using the same configuration as a test
+case. Use "make show-test-env" to dump AM_TESTS_ENVIRONMENT to stdout.

test/runtests

@@ -7 +7 @@
 set -e
 
-tests="${1##t-}"
-
-if [ -n "${TEST_LOCK}" ]; then
-    TEST_LOCK="$(realpath ${TEST_LOCK})"
-    flock_cmd="flock -w ${TEST_LOCK_WAIT} ${TEST_LOCK}"
+testid="${1##t-}"
+
+if [ -z "$testid" ] ; then
+    echo -e "No test case selected.\nUsage: ${0} t-N" >&2
+    exit 1
+else
+    testid=${srcdir}/tests/"$(printf "%02d" "$testid")"_*
 fi
 
 BADVARS=0
-for v in APACHE2 TEST_HOST TEST_IP TEST_PORT TEST_QUERY_DELAY TEST_GAP MSVA_PORT; do
+for v in APACHE2 TEST_HOST TEST_IP TEST_PORT TEST_QUERY_DELAY TEST_MSVA_WAIT \
+                 MSVA_PORT TEST_LOCK; do
     if [ ! -v "$v" ]; then
         printf "You need to set the %s environment variable\n" "$v" >&2
@@ -111 +114 @@
     fi
 }
-
-if [ -z "$tests" ] ; then
-    tests=${srcdir}/tests/*
-else
-    tests=${srcdir}/tests/"$(printf "%02d" "$tests")"_*
-fi
 
 if [ -n "${USE_MSVA}" ]; then
@@ -137 +134 @@
             echo "MSVA not ready yet"
         fi
-        sleep "${TEST_GAP}"
-        waited=$(echo "${waited} + ${TEST_GAP}" | bc)
+        sleep "${TEST_MSVA_WAIT}"
+        waited=$(echo "${waited} + ${TEST_MSVA_WAIT}" | bc)
     done
 
@@ -150 +147 @@
 fi
 
-for t in $tests; do
-    if [ -z "${flock_cmd}" ]; then
-        echo "Warning: no lock file set"
-        sleep "$TEST_GAP"
-    fi
-    t="$(realpath ${t})"
-    export srcdir="$(realpath ${srcdir})"
-    export TEST_NAME="$(basename "$t")"
-    output="outputs/${TEST_NAME}.output"
-    rm -f "$output"
-
-    if [ -e ${t}/fail.* ]; then
-        EXPECTED_FAILURE="$(printf " (expected: %s)" fail.*)"
-    else
-        unset EXPECTED_FAILURE
-    fi
-    printf "TESTING: %s%s\n" "$TEST_NAME" "$EXPECTED_FAILURE"
-    trap apache_down_err EXIT
-    if [ -n "${USE_MSVA}" ]; then
-        MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" \
-            ${flock_cmd} \
-            ${APACHE2} -f "${t}/apache.conf" -k start \
-            || [ -e "${t}/fail.server" ]
-    else
-        ${flock_cmd} \
-            ${APACHE2} -f "${t}/apache.conf" -k start \
-            || [ -e "${t}/fail.server" ]
-    fi
-
-    # PID file for sleep command (explanation below)
-    sleep_pidfile="$(mktemp mod_gnutls_test-XXXXXX.pid)"
-
-    # The sleep call keeps the pipe from the subshell to gnutls-cli
-    # open. Without it gnutls-cli would terminate as soon as sed is
-    # done, and not wait for a response from the server, leading to
-    # failing tests. Sending sleep to the background allows the test
-    # case to proceed instead of waiting for it to return. The sleep
-    # process is stopped after gnutls-cli terminates.
-    if (sed "s/__HOSTNAME__/${TEST_HOST}/" <${t}/input && \
-        run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_DELAY}" &) | \
-        gnutls-cli -p "${TEST_PORT}" $(cat ${t}/gnutls-cli.args) "${TEST_HOST}" \
-        >"$output";
-    then
-        if [ -e ${t}/fail* ]; then
-            printf "%s should have failed but succeeded\n" "$(basename "$t")" >&2
-            exit 1
-        fi
-    else
-        if [ ! -e ${t}/fail* ]; then
-            printf "%s should have succeeded but failed\n" "$(basename "$t")" >&2
-            exit 1
-        fi
-    fi
-
-    kill_by_pidfile "${sleep_pidfile}"
-    unset sleep_pidfile
-
-    if [ -e ${t}/output ] ; then
-        diff_output_filter_headers "${t}/output" "$output" "-q"
-    fi
-    if [ -n "${USE_MSVA}" ]; then
-        trap stop_msva EXIT
-    else
-        trap - EXIT
-    fi
-    ${APACHE2} -f "${t}/apache.conf" -k stop || [ -e ${t}/fail.server ]
-    printf "SUCCESS: %s\n" "$TEST_NAME"
-done
+# configure locking for the Apache process
+flock_cmd="flock -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"
+
+t="$(realpath ${testid})"
+export srcdir="$(realpath ${srcdir})"
+export TEST_NAME="$(basename "$t")"
+output="outputs/${TEST_NAME}.output"
+rm -f "$output"
+
+if [ -e ${t}/fail.* ]; then
+    EXPECTED_FAILURE="$(printf " (expected: %s)" fail.*)"
+else
+    unset EXPECTED_FAILURE
+fi
+printf "TESTING: %s%s\n" "$TEST_NAME" "$EXPECTED_FAILURE"
+trap apache_down_err EXIT
+if [ -n "${USE_MSVA}" ]; then
+    MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" \
+                                        ${flock_cmd} \
+                                        ${APACHE2} -f "${t}/apache.conf" -k start \
+        || [ -e "${t}/fail.server" ]
+else
+    ${flock_cmd} \
+        ${APACHE2} -f "${t}/apache.conf" -k start \
+        || [ -e "${t}/fail.server" ]
+fi
+
+# PID file for sleep command (explanation below)
+sleep_pidfile="$(mktemp mod_gnutls_test-XXXXXX.pid)"
+
+# The sleep call keeps the pipe from the subshell to gnutls-cli
+# open. Without it gnutls-cli would terminate as soon as sed is
+# done, and not wait for a response from the server, leading to
+# failing tests. Sending sleep to the background allows the test
+# case to proceed instead of waiting for it to return. The sleep
+# process is stopped after gnutls-cli terminates.
+if (sed "s/__HOSTNAME__/${TEST_HOST}/" <${t}/input && \
+           run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_DELAY}" &) | \
+       gnutls-cli -p "${TEST_PORT}" $(cat ${t}/gnutls-cli.args) "${TEST_HOST}" \
+                  >"$output";
+then
+    if [ -e ${t}/fail* ]; then
+        printf "%s should have failed but succeeded\n" "$(basename "$t")" >&2
+        exit 1
+    fi
+else
+    if [ ! -e ${t}/fail* ]; then
+        printf "%s should have succeeded but failed\n" "$(basename "$t")" >&2
+        exit 1
+    fi
+fi
+
+kill_by_pidfile "${sleep_pidfile}"
+unset sleep_pidfile
+
+if [ -e ${t}/output ] ; then
+    diff_output_filter_headers "${t}/output" "$output" "-q"
+fi
+if [ -n "${USE_MSVA}" ]; then
+    trap stop_msva EXIT
+else
+    trap - EXIT
+fi
+${APACHE2} -f "${t}/apache.conf" -k stop || [ -e ${t}/fail.server ]
+printf "SUCCESS: %s\n" "$TEST_NAME"
 
 if [ -n "${USE_MSVA}" ]; then

test/test-00_basic.bash

@@ -1 +1 @@
 #!/bin/bash
-make -f $(dirname ${0})/TestMakefile t-0
+${srcdir}/runtests t-0

test/test-01_serverwide_priorities.bash

@@ -1 +1 @@
 #!/bin/bash
-make -f $(dirname ${0})/TestMakefile t-1
+${srcdir}/runtests t-1

test/test-02_cache_in_vhost.bash

@@ -1 +1 @@
 #!/bin/bash
-make -f $(dirname ${0})/TestMakefile t-2
+${srcdir}/runtests t-2

test/test-03_cachetimeout_in_vhost.bash

@@ -1 +1 @@
 #!/bin/bash
-make -f $(dirname ${0})/TestMakefile t-3
+${srcdir}/runtests t-3

test/test-04_basic_nosni.bash

@@ -1 +1 @@
 #!/bin/bash
-make -f $(dirname ${0})/TestMakefile t-4
+${srcdir}/runtests t-4

test/test-05_mismatched-priorities.bash

@@ -1 +1 @@
 #!/bin/bash
-make -f $(dirname ${0})/TestMakefile t-5
+${srcdir}/runtests t-5

test/test-06_verify_sni_a.bash

@@ -1 +1 @@
 #!/bin/bash
-make -f $(dirname ${0})/TestMakefile t-6
+${srcdir}/runtests t-6

test/test-07_verify_sni_b.bash

@@ -1 +1 @@
 #!/bin/bash
-make -f $(dirname ${0})/TestMakefile t-7
+${srcdir}/runtests t-7

test/test-08_verify_no_sni_fallback_to_first_vhost.bash

@@ -1 +1 @@
 #!/bin/bash
-make -f $(dirname ${0})/TestMakefile t-8
+${srcdir}/runtests t-8

test/test-09_verify_no_sni_fails_with_wrong_order.bash

@@ -1 +1 @@
 #!/bin/bash
-make -f $(dirname ${0})/TestMakefile t-9
+${srcdir}/runtests t-9

test/test-10_basic_client_verification.bash

@@ -1 +1 @@
 #!/bin/bash
-make -f $(dirname ${0})/TestMakefile t-10
+${srcdir}/runtests t-10

test/test-11_basic_client_verification_fail.bash

@@ -1 +1 @@
 #!/bin/bash
-make -f $(dirname ${0})/TestMakefile t-11
+${srcdir}/runtests t-11

test/test-12_cgi_variables.bash

@@ -1 +1 @@
 #!/bin/bash
-make -f $(dirname ${0})/TestMakefile t-12
+${srcdir}/runtests t-12

test/test-13_cgi_variables_no_client_cert.bash

@@ -1 +1 @@
 #!/bin/bash
-make -f $(dirname ${0})/TestMakefile t-13
+${srcdir}/runtests t-13

test/test-14_basic_openpgp.bash

@@ -1 +1 @@
 #!/bin/bash
-make -f $(dirname ${0})/TestMakefile t-14
+${srcdir}/runtests t-14

test/test-15_basic_msva.bash

@@ -1 +1 @@
 #!/bin/bash
-USE_MSVA="yes" make -f $(dirname ${0})/TestMakefile t-15
+USE_MSVA="yes" ${srcdir}/runtests t-15

test/test-16_view-status.bash

@@ -1 +1 @@
 #!/bin/bash
-make -f $(dirname ${0})/TestMakefile t-16
+${srcdir}/runtests t-16

test/test-17_cgi_vars_large_cert.bash

@@ -1 +1 @@
 #!/bin/bash
-make -f $(dirname ${0})/TestMakefile t-17
+${srcdir}/runtests t-17

test/test-18_client_verification_wrong_cert.bash

@@ -1 +1 @@
 #!/bin/bash
-make -f $(dirname ${0})/TestMakefile t-18
+${srcdir}/runtests t-18

test/test-19_TLS_reverse_proxy.bash

@@ -14 +14 @@
 trap stop_backend EXIT
 
-make -f $(dirname ${0})/TestMakefile t-19
+${srcdir}/runtests t-19
 
 backend_apache "${testdir}" "backend.conf" stop

test/test-20_TLS_reverse_proxy_client_auth.bash

@@ -14 +14 @@
 trap stop_backend EXIT
 
-make -f $(dirname ${0})/TestMakefile t-20
+${srcdir}/runtests t-20
 
 backend_apache "${testdir}" "backend.conf" stop

test/test-21_TLS_reverse_proxy_wrong_cert.bash

@@ -14 +14 @@
 trap stop_backend EXIT
 
-make -f $(dirname ${0})/TestMakefile t-21
+${srcdir}/runtests t-21
 
 backend_apache "${testdir}" "backend.conf" stop

test/test-22_TLS_reverse_proxy_crl_revoke.bash

@@ -14 +14 @@
 trap stop_backend EXIT
 
-make -f $(dirname ${0})/TestMakefile t-22
+${srcdir}/runtests t-22
 
 backend_apache "${testdir}" "backend.conf" stop

test/test-23_TLS_reverse_proxy_mismatched_priorities.bash

@@ -19 +19 @@
 trap stop_backend EXIT
 
-make -f $(dirname ${0})/TestMakefile t-23
+${srcdir}/runtests t-23
 
 backend_apache "${testdir}" "backend.conf" stop

test/test-24_pkcs11_cert.bash

@@ -25 +25 @@
 set -e
 
-make -f $(dirname ${0})/TestMakefile t-24
+${srcdir}/runtests t-24
 
 cleanup_tmpconf

test/test_ca.mk

@@ -1 +1 @@
 #!/usr/bin/make -f
+# Authors:
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+# Thomas Klute <thomas2.klute@uni-dortmund.de>
 
-# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-
-# run these tests to ensure that mod_gnutls can handle a range of
-# simple configuration choices.
-
-export srcdir ?= .
-# If the Apache binary is not set, try to find apache2 in default PATH
-# (should only happen when the test script is run manually)
-export APACHE2 ?= apache2
-
-export TEST_HOST ?= localhost
-export TEST_IP ?= ::1
-# chosen at random:
-export TEST_PORT ?= 9932
-export MSVA_PORT ?= 9933
-
-export TEST_GAP ?= 0.4
-export TEST_MSVA_MAX_WAIT ?= 10
-export TEST_QUERY_DELAY ?= 30
-export TEST_LOCK_WAIT ?= 30
-
-TEST_LOCK := ./test.lock
-
-all: setup.done
-        TEST_LOCK=$(TEST_LOCK) $(srcdir)/runtests
-
-t-%: setup.done
-        TEST_LOCK=$(TEST_LOCK) $(srcdir)/runtests $@
-
-
-
-
-
-### for setting up a little miniature CA + server + client environment:
-identities := server authority client imposter rogueca
-tokens := x509.pem secring.gpg secret.key cert.pgp secret.pgp
-all_tokens := $(foreach id,$(identities),$(foreach token,$(tokens),$(id)/$(token)))
+# General rules to set up a miniature CA & server & client environment
+# for the test suite
 
 %.template: $(srcdir)/%.template.in
@@ -97 +65 @@
                 --template "${srcdir}/$(*)-crl.template" \
                 > $@
-
-msva.gnupghome/trustdb.gpg: authority/minimal.pgp client/cert.pgp
-        mkdir -p -m 0700 $(dir $@)
-        GNUPGHOME=$(dir $@) gpg --import < $<
-        printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
-        GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
-        printf "keyserver does-not-exist.example\n" > msva.gnupghome/gpg.conf
-
-
-setup.done: $(all_tokens) msva.gnupghome/trustdb.gpg client.uid
-        mkdir -p logs cache outputs
-        touch setup.done
-
-
-clean:
-        rm -rf server client authority logs cache outputs setup.done \
-        server.template imposter.template msva.gnupghome \
-        */*.pgp */*.gpg */*.gpg~ */*.pem */*.key authority.template \
-        client.template client.uid server.uid *.lock tests/*/*.pem
-        rmdir imposter rogueca || true
-
-.PHONY: all clean