Changeset 259e835 in mod_gnutls

Timestamp:

Apr 4, 2015, 4:57:10 PM (8 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

asyncio, debian/master, debian/stretch-backports, jessie-backports, main, master, proxy-ticket, upstream

Children:

c4a015b

Parents:

1d9cfaf (diff), c32240f (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

git-author:

Thomas Klute <thomas2.klute@…> (04/04/15 16:54:45)

git-committer:

Thomas Klute <thomas2.klute@…> (04/04/15 16:57:10)

Message:

Merge branch 'master' into new-gnutls-api

Branch 'master' at this point represents the upstream mod_gnutls
repository. Merging that first should make it easier to merge with my
changes later.

The result compiles, but OpenPGP authentication does not work.

Resolved conflicts in:

src/gnutls_config.c
src/gnutls_hooks.c

Files:

• configure.ac (modified) (3 diffs)
• src/gnutls_config.c (modified) (7 diffs)
• src/gnutls_hooks.c (modified) (13 diffs)
• src/gnutls_io.c (modified) (3 diffs)
• src/mod_gnutls.c (modified) (1 diff)
• t/Makefile (modified) (1 diff)
• t/setup (modified) (1 diff)

configure.ac

@@ -10 +10 @@
 AM_MAINTAINER_MODE
 AC_CANONICAL_TARGET
-AM_INIT_AUTOMAKE(AC_PACKAGE_NAME, AC_PACKAGE_VERSION)
+AM_INIT_AUTOMAKE
 AM_CONFIG_HEADER(include/mod_gnutls_config.h:config.in)
 
@@ -42 +42 @@
 fi
 
+AC_ARG_ENABLE(strict,
+       AS_HELP_STRING([--disable-strict],
+               [Avoid strict compiler warnings and errors]),
+       use_strict=$enableval, use_strict=yes)
+
+STRICT_CFLAGS=""
+if test "$use_strict" != "no"; then
+        STRICT_CFLAGS="-Wall -Werror -Wextra"
+fi
+
 AC_MSG_CHECKING([whether to enable SRP functionality])
 AC_MSG_RESULT($use_srp)
@@ -66 +76 @@
 AC_SUBST(have_apr_memcache)
 
-MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${SRP_CFLAGS} ${MSVA_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES}"
+MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${SRP_CFLAGS} ${MSVA_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES} ${STRICT_CFLAGS}"
 MODULE_LIBS="${APR_MEMCACHE_LIBS} ${LIBGNUTLS_LIBS}"
 

src/gnutls_config.c

@@ -28 +28 @@
 #endif
 
-static int pin_callback(void *user, int attempt, const char *token_url,
-                        const char *token_label, unsigned int flags,
-                        char *pin, size_t pin_max)
+static int pin_callback(void *user, int attempt __attribute__((unused)),
+                        const char *token_url __attribute__((unused)),
+                        const char *token_label, unsigned int flags,
+                        char *pin, size_t pin_max)
 {
     mgs_srvconf_rec *sc = user;
@@ -174 +175 @@
             goto cleanup;
         }
-
 
         ret =
@@ -574 +574 @@
 
 const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy __attribute__((unused)),
-        const char *arg) {
+        const char *arg)
+{
     mgs_srvconf_rec *sc =
         (mgs_srvconf_rec *) ap_get_module_config(parms->server->
@@ -839 +840 @@
 }
 
-const char *mgs_set_priorities(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg) {
-
+const char *mgs_set_priorities(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg)
+{
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(parms->server->module_config, &gnutls_module);
@@ -849 +850 @@
 }
 
-const char *mgs_set_pin(cmd_parms * parms, void *dummy, const char *arg)
+const char *mgs_set_pin(cmd_parms * parms, void *dummy __attribute__((unused)),
+                        const char *arg)
 {
 
@@ -860 +862 @@
 }
 
-const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy, const char *arg)
+const char *mgs_set_srk_pin(cmd_parms * parms,
+                            void *dummy __attribute__((unused)),
+                            const char *arg)
 {
 
@@ -872 +876 @@
 
 static mgs_srvconf_rec *_mgs_config_server_create(apr_pool_t * p,
-                                                  char **err)
+                                                  char **err __attribute__((unused)))
 {
     mgs_srvconf_rec *sc = apr_pcalloc(p, sizeof(*sc));

src/gnutls_hooks.c

@@ -44 +44 @@
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
 /* use side==0 for server and side==1 for client */
-static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_cert_size);
-static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_cert_size);
+static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, size_t export_cert_size);
+static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, size_t export_cert_size);
+static int mgs_status_hook(request_rec *r, int flags);
+#ifdef ENABLE_MSVA
 static const char* mgs_x509_construct_uid(request_rec * pool, gnutls_x509_crt_t cert);
-static int mgs_status_hook(request_rec *r, int flags);
+#endif
 
 /* Pool Cleanup Function */
-apr_status_t mgs_cleanup_pre_config(void *data) {
+apr_status_t mgs_cleanup_pre_config(void *data __attribute__((unused))) {
         /* Free all session data */
     gnutls_free(session_ticket_key.data);
@@ -83 +85 @@
 
 /* Pre-Configuration HOOK: Runs First */
-int mgs_hook_pre_config(apr_pool_t * pconf, apr_pool_t * plog, apr_pool_t * ptemp) {
+int mgs_hook_pre_config(apr_pool_t * pconf, apr_pool_t * plog, apr_pool_t * ptemp __attribute__((unused))) {
 
 /* Maintainer Logging */
@@ -169 +171 @@
 
 static int cert_retrieve_fn(gnutls_session_t session,
-                            const gnutls_datum_t * req_ca_rdn, int nreqs,
-                            const gnutls_pk_algorithm_t * pk_algos, int pk_algos_length,
-                            gnutls_pcert_st **pcerts, unsigned int *pcert_length,
+                            const gnutls_datum_t * req_ca_rdn __attribute__((unused)),
+                            int nreqs __attribute__((unused)),
+                            const gnutls_pk_algorithm_t * pk_algos __attribute__((unused)),
+                            int pk_algos_length __attribute__((unused)),
+                            gnutls_pcert_st **pcerts,
+                            unsigned int *pcert_length,
                             gnutls_privkey_t *privkey)
 {
@@ -284 +289 @@
 }
 
-int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog, apr_pool_t * ptemp, server_rec * base_server) {
+int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog __attribute__((unused)), apr_pool_t * ptemp __attribute__((unused)), server_rec * base_server) {
 
     int rv;
@@ -535 +540 @@
 }
 
-static int vhost_cb(void *baton, conn_rec * conn, server_rec * s) {
+static int vhost_cb(void *baton, conn_rec * conn __attribute__((unused)), server_rec * s) {
     mgs_srvconf_rec *tsc;
     vhost_cb_rec *x = baton;
@@ -675 +680 @@
 }
 
-int mgs_hook_pre_connection(conn_rec * c, void *csd) {
+int mgs_hook_pre_connection(conn_rec * c, void *csd __attribute__((unused))) {
     mgs_srvconf_rec *sc;
 
@@ -847 +852 @@
 #define MGS_SIDE(suffix) ((side==0) ? "SSL_SERVER" suffix : "SSL_CLIENT" suffix)
 
-static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_cert_size) {
+static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, size_t export_cert_size) {
     unsigned char sbuf[64]; /* buffer to hold serials */
     char buf[AP_IOBUFSIZE];
@@ -966 +971 @@
  * to use for the PEM-encoded certificate (0 means do not export)
  */
-static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_cert_size) {
+static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, size_t export_cert_size) {
 
         unsigned char sbuf[64]; /* buffer to hold serials */
@@ -1282 +1287 @@
 exit:
     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
-        int i;
+        unsigned int i;
         for (i = 0; i < ch_size; i++) {
             gnutls_x509_crt_deinit(cert.x509[i]);
@@ -1294 +1299 @@
 }
 
+#ifdef ENABLE_MSVA
+/* this section of code is used only when trying to talk to the MSVA */
 static const char* mgs_x509_leaf_oid_from_dn(apr_pool_t *pool, const char* oid, gnutls_x509_crt_t cert) {
     int rv=GNUTLS_E_SUCCESS, i;
@@ -1330 +1337 @@
             data = apr_palloc(pool, sz);
             rv = gnutls_x509_crt_get_subject_alt_name2(cert, i, data, &sz, &thistype, NULL);
-            if (rv == target)
+            if (rv >=0 && (thistype == target))
                 return data;
         }
@@ -1337 +1344 @@
     return NULL;
 }
+
 
 /* Create a string representing a candidate User ID from an X.509
@@ -1452 +1460 @@
     return ret;
 }
-
-static int mgs_status_hook(request_rec *r, int flags)
+#endif /* ENABLE_MSVA */
+
+static int mgs_status_hook(request_rec *r, int flags __attribute__((unused)))
 {
     mgs_srvconf_rec *sc;

src/gnutls_io.c

@@ -510 +510 @@
     if (ctxt->input_mode == AP_MODE_READBYTES ||
             ctxt->input_mode == AP_MODE_SPECULATIVE) {
+        if (readbytes < 0) {
+            /* you're asking us to speculatively read a negative number of bytes! */
+            return APR_ENOTIMPL;
+        }
         /* Err. This is bad. readbytes *can* be a 64bit int! len.. is NOT */
-        if (readbytes < len) {
+        if ((apr_size_t) readbytes < len) {
             len = (apr_size_t) readbytes;
         }
@@ -573 +577 @@
 
 apr_status_t mgs_filter_output(ap_filter_t * f, apr_bucket_brigade * bb) {
-    apr_size_t ret;
+    int ret;
     mgs_handle_t *ctxt = (mgs_handle_t *) f->ctx;
     apr_status_t status = APR_SUCCESS;
@@ -672 +676 @@
                         return ctxt->output_rc;
                     }
-                } else if (ret != len) {
+                } else if ((apr_size_t)(ret) != len) {
+                    /* we know the above cast is OK because len > 0 and ret >= 0 */
                     /* Not able to send the entire bucket,
                        split it and send it again. */

src/mod_gnutls.c

@@ -20 +20 @@
 #include "mod_gnutls.h"
 
-static void gnutls_hooks(apr_pool_t * p) {
+static void gnutls_hooks(apr_pool_t * p __attribute__((unused))) {
 
     /* Try Run Post-Config Hook After mod_proxy */

t/Makefile

@@ -62 +62 @@
 # special cases for the authorities' root certs:
 authority/x509.pem: authority.template authority/secret.key
-        certtool --generate-self-signed --load-privkey=authority/secret.key --template=authority.template > $@
+        certtool --generate-self-signed --load-privkey authority/secret.key --template authority.template > $@
 rogueca/x509.pem: rogueca.template rogueca/secret.key
-        certtool --generate-self-signed --load-privkey=rogueca/secret.key --template=rogueca.template > $@
+        certtool --generate-self-signed --load-privkey rogueca/secret.key --template rogueca.template > $@
 
 %/cert-request: %.template %/secret.key 
-        certtool --generate-request --load-privkey=$(dir $@)secret.key --template=$< > $@
+        certtool --generate-request --load-privkey $(dir $@)secret.key --template $< > $@
 
 %/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem 
-        certtool --generate-certificate --load-ca-certificate=authority/x509.pem --load-ca-privkey=authority/secret.key --load-request=$(dir $@)cert-request --template=$< > $@
+        certtool --generate-certificate --load-ca-certificate authority/x509.pem --load-ca-privkey authority/secret.key --load-request $(dir $@)cert-request --template $< > $@
 
 msva.gnupghome/trustdb.gpg: authority/minimal.pgp client/cert.pgp

t/setup

@@ -38 +38 @@
 genkey "$PWD/client" "Test User <test0@modgnutls.test>"
 
-certtool -q --load-privkey=server/secret.key  --template=server.template > server/server.req
+certtool -q --load-privkey server/secret.key  --template server.template > server/server.req