Changeset 300ae82 in mod_gnutls


Timestamp:
Apr 16, 2018, 8:42:39 PM (5 weeks ago)
Author:
Daniel Kahn Gillmor <dkg@…>
Branches:
debian/master, debian/stretch-backports
Children:
8982265
Parents:
639ce77 (diff), f5342b1 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
Message:

Merge tag 'upstream/0.8.3' into debian/master

Upstream version 0.8.3

Files:
4 added
1 deleted
38 edited
1 moved

  • CHANGELOG

    r639ce77 r300ae82  
     1** Version 0.8.3 (2017-10-20)
     2- Use GnuTLS' default DH parameters by default
     3- Handle long Server Name Indication data and gracefully ignore
     4  unknown SNI types
     5- Send SNI for proxy connections
     6- Deprecate OpenPGP support like GnuTLS did (will be removed
     7  completely in a future release)
     8- Do not announce session ticket support for proxy connections
     9- Minor documentation updates (SSL_CLIENT_I_DN, reference for SNI)
     10- Test suite: Simplify handling of proxy backend servers and OCSP
     11  responders
     12- Test suite: stability/compatibility fixes
     13
    114** Version 0.8.2 (2017-01-08)
    215- Test suite: Ensure CRLF line ends in HTTP headers
  • configure.ac

    r639ce77 r300ae82  
    1 dnl
    2 AC_INIT(mod_gnutls, 0.8.2)
     1AC_INIT(mod_gnutls, 0.8.3)
    32OOO_CONFIG_NICE(config.nice)
    43MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
     
    6564STRICT_CFLAGS=""
    6665if test "$use_strict" != "no"; then
    67         STRICT_CFLAGS="-Wall -Werror -Wextra"
     66        STRICT_CFLAGS="-Wall -Werror -Wextra -Wno-error=deprecated-declarations"
    6867fi
    6968
     
    8483        AS_IF([${FLOCK} --timeout 1 ${lockfile} true >&AS_MESSAGE_LOG_FD 2>&1],
    8584              [flock_works="yes"], [flock_works="no"])
     85        AC_MSG_RESULT([$flock_works])
     86        # Old versions of flock do not support --verbose. They fail
     87        # without executing the command but still return 0. Check for
     88        # this behavior by testing if the rm command was executed.
     89        AC_MSG_CHECKING([whether ${FLOCK} supports --verbose])
     90        testfile="$(mktemp)"
     91        AS_IF([${FLOCK} --verbose --timeout 1 ${lockfile} rm "${testfile}" \
     92                        >&AS_MESSAGE_LOG_FD 2>&1; test ! -e "${testfile}"],
     93              [flock_verbose="yes"; FLOCK="${FLOCK} --verbose"],
     94              [flock_verbose="no"; rm "${testfile}"])
     95        AC_MSG_RESULT([$flock_verbose])
    8696        rm "${lockfile}"
    87         AC_MSG_RESULT([$flock_works])
    8897      ],
    8998      [flock_works="no"])
     
    143152# and test specific PID files if using namespaces, defaults otherwise.
    144153AS_IF([test "$use_netns" = "yes"],
    145       [MUTEX_TYPE="pthread"; PID_AFFIX="-\${TEST_NAME}"],
    146       [MUTEX_TYPE="default"; PID_AFFIX=""])
    147 AC_SUBST(MUTEX_TYPE)
     154      [MUTEX_CONF="Mutex pthread default"; PID_AFFIX="-\${TEST_NAME}"],
     155      [MUTEX_CONF=""; PID_AFFIX=""])
     156AC_SUBST(MUTEX_CONF)
    148157AC_SUBST(PID_AFFIX)
    149 AM_SUBST_NOTMAKE(MUTEX_TYPE)
     158AM_SUBST_NOTMAKE(MUTEX_CONF)
    150159AM_SUBST_NOTMAKE(PID_AFFIX)
    151160
     
    234243AM_SUBST_NOTMAKE(TEST_IP)
    235244
     245: ${TEST_LOCK_WAIT:="30"}
     246: ${TEST_QUERY_TIMEOUT:="30"}
     247AC_ARG_VAR([TEST_LOCK_WAIT], [Timeout in seconds to acquire locks for \
     248                             Apache instances in the test suite, or the \
     249                             previous instance to remove its PID file if \
     250                             flock is not used. Default is 30.])
     251AC_ARG_VAR([TEST_QUERY_TIMEOUT], [Timeout in seconds for HTTPS requests \
     252                                 sent using gnutls-cli in the test suite. \
     253                                 Default is 30.])
     254
    236255dnl Allow user to set SoftHSM PKCS #11 module
    237256AC_ARG_VAR([SOFTHSM_LIB], [Absolute path of the SoftHSM PKCS @%:@11 module to \
     
    247266# Available extra ports, tests can "Define" variables of the listed
    248267# names in their apache.conf to enable them.
    249 for j in TEST_HTTP_PORT OCSP_PORT; do
     268for j in TEST_HTTP_PORT; do
    250269LISTEN_LIST="${LISTEN_LIST}
    251270<IfDefine ${j}>"
     
    272291AC_CONFIG_FILES([Makefile src/Makefile test/Makefile test/tests/Makefile \
    273292                        doc/Makefile doc/doxygen.conf include/mod_gnutls.h \
    274                         test/proxy_backend.conf \
     293                        test/proxy_backend.conf test/ocsp_server.conf \
    275294                        test/apache-conf/listen.conf \
    276295                        test/apache-conf/netns.conf])
     
    283302echo "   * Apache Modules directory:    ${AP_LIBEXECDIR}"
    284303echo "   * GnuTLS Library version:      ${LIBGNUTLS_VERSION}"
     304echo "   * CFLAGS for GnuTLS:           ${LIBGNUTLS_CFLAGS}"
     305echo "   * LDFLAGS for GnuTLS:  ${LIBGNUTLS_LIBS}"
    285306echo "   * SRP Authentication:  ${use_srp}"
    286307echo "   * MSVA Client Verification:    ${use_msva}"
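Review bot: The new `--verbose` probe in the flock hunk never checks that `mktemp` succeeded; if it fails, `testfile` is empty, `test ! -e ""` is true regardless of whether flock ran the command, and `flock_verbose` is reported as yes. Add `AS_IF([test -z "${testfile}"], [AC_MSG_ERROR([could not create a temporary file])])` directly after the `testfile="$(mktemp)"` line, or skip the probe when `flock_works` is already "no" since it runs unconditionally after that result is printed. The enclosing `AS_IF` whose body holds this probe starts outside the hunk. As a style nit, the new `LDFLAGS for GnuTLS:` summary line is padded with two spaces where its neighbours align on a common column.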
  • doc/mod_gnutls_manual.mdwn

    r639ce77 r300ae82  
    178178### GnuTLSDHFile
    179179
    180 Set to the PKCS \#3 encoded Diffie Hellman parameters
     180Use the provided PKCS \#3 encoded Diffie-Hellman parameters
    181181
    182182    GnuTLSDHFile FILEPATH
     
    185185Context: server config, virtual host
    186186
    187 Takes an absolute or relative path to a PKCS \#3 encoded DH
    188 parameters.Those are used when the DHE key exchange method is enabled.
    189 You can generate this file using `certtool --generate-dh-params --bits
    190 2048`.  If not set `mod_gnutls` will use the included parameters.
     187By default, `mod_gnutls` uses the DH parameters included with GnuTLS
     188corresponding to the security level of the configured private keys if
     189compiled with GnuTLS 3.5.6 or newer, and the ffdhe2048 DH group as
     190defined in RFC 7919, Appendix A.1 otherwise.
     191
     192If you need to use different DH parameters, you can provide a PEM file
     193containing them in PKCS \#3 encoding using this option. Please see the
     194"[Parameter
     195generation](https://gnutls.org/manual/html_node/Parameter-generation.html)"
     196section of the GnuTLS documentation for a short discussion of the
     197security implications.
    191198
    192199### GnuTLSPriorities
     
    353360OpenPGP Certificate Authentication
    354361----------------------------------
     362
     363*Warning:* OpenPGP support has been deprecated in GnuTLS since version
     3643.5.9 and will be removed completely. Consequently, OpenPGP support in
     365`mod_gnutls` is deprecated as well and will be removed in a future
     366release.
    355367
    356368### GnuTLSPGPCertificateFile
     
    721733
    722734`mod_gnutls` supports "Server Name Indication", as specified in
    723 RFC 3546. This allows hosting many TLS websites with a single IP
    724 address. All recent browsers support this standard. Here is an
    725 example using SNI:
     735[RFC 6066, Section 3](https://tools.ietf.org/html/rfc6066#section-3). This
     736allows hosting many TLS websites with a single IP address. All recent
     737browsers support this standard. Here is an example using SNI:
    726738
    727739     # Load the module into Apache.
     
    889901-----------------
    890902
    891 The SSL or TLS cipher suite name
     903The distinguished name of the issuer of the client's certificate in
     904RFC2253 format.
    892905
    893906`SSL_CLIENT_S_AN%`
  • include/mod_gnutls.h.in

    r639ce77 r300ae82  
    285285apr_status_t apr_signal_block(int signum);
    286286
    287  /* Proxy Support */
     287/* Proxy Support */
     288/** mod_proxy adds a note with this key to the connection->notes table
     289 * for client connections */
     290#define PROXY_SNI_NOTE "proxy-request-hostname"
    288291/* An optional function which returns non-zero if the given connection
    289292is using SSL/TLS. */
     
    424427                            const int arg);
    425428
    426 const char *mgs_set_require_section(cmd_parms *cmd,
    427                                     void *mconfig, const char *arg);
    428429void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
    429430void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);
     
    432433
    433434void *mgs_config_dir_create(apr_pool_t *p, char *dir);
    434 
    435 const char *mgs_set_require_bytecode(cmd_parms *cmd,
    436                                     void *mconfig, const char *arg);
    437435
    438436mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);
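Review bot: The comment on the new `PROXY_SNI_NOTE` macro says where the note comes from but not that the key is an external contract shared with mod_proxy and used in two places in mod_gnutls. Suggest `/** Key of the note mod_proxy adds to connection->notes for client connections. The value must match what mod_proxy uses; mod_gnutls reads it to send SNI on proxy connections and to check the peer's hostname. */` so a future rename is not made on one side only.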
  • src/gnutls_config.c

    r639ce77 r300ae82  
    8484}
    8585
    86 /* 2048-bit group parameters from SRP specification */
    87 const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
    88         "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
    89         "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
    90         "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
    91         "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
    92         "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
    93         "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
    94         "-----END DH PARAMETERS-----\n";
    95 
    96 /*
    97  * Clean up the various GnuTLS data structures allocated from
     86
     87
     88/**
     89 * Clean up the various GnuTLS data structures allocated by
    9890 * mgs_load_files()
    9991 */
     
    254246#endif
    255247
    256     if (sc->dh_params == NULL)
    257     {
    258         ret = gnutls_dh_params_init(&sc->dh_params);
    259         if (ret < 0) {
    260             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    261                          "GnuTLS: Failed to initialize"
    262                          ": (%d) %s", ret, gnutls_strerror(ret));
    263             ret = -1;
    264             goto cleanup;
    265         }
    266 
    267         /* Load DH parameters */
    268         if (sc->dh_file)
     248    /* Load user provided DH parameters, if any */
     249    if (sc->dh_file)
     250    {
     251        if (sc->dh_params == NULL)
    269252        {
    270             if (load_datum_from_file(spool, sc->dh_file, &data) != 0) {
     253            ret = gnutls_dh_params_init(&sc->dh_params);
     254            if (ret < 0) {
    271255                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    272                              "GnuTLS: Error Reading " "DH params '%s'", sc->dh_file);
     256                             "GnuTLS: Failed to initialize"
     257                             ": (%d) %s", ret, gnutls_strerror(ret));
    273258                ret = -1;
    274259                goto cleanup;
    275260            }
    276 
    277             ret =
    278                 gnutls_dh_params_import_pkcs3(sc->dh_params, &data,
    279                                               GNUTLS_X509_FMT_PEM);
    280             if (ret < 0) {
    281                 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    282                              "GnuTLS: Failed to Import "
    283                              "DH params '%s': (%d) %s", sc->dh_file, ret,
    284                              gnutls_strerror(ret));
    285                 ret = -1;
    286                 goto cleanup;
    287             }
    288         } else {
    289             gnutls_datum_t pdata = {
    290                 (void *) static_dh_params,
    291                 sizeof(static_dh_params)
    292             };
    293 
    294             ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &pdata, GNUTLS_X509_FMT_PEM);
    295             if (ret < 0) {
    296                 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    297                              "GnuTLS: Unable to generate or load DH Params: (%d) %s",
    298                              ret, gnutls_strerror(ret));
    299                 ret = -1;
    300                 goto cleanup;
    301             }
     261        }
     262
     263        if (load_datum_from_file(spool, sc->dh_file, &data) != 0) {
     264            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
     265                         "GnuTLS: Error Reading " "DH params '%s'", sc->dh_file);
     266            ret = -1;
     267            goto cleanup;
     268        }
     269
     270        ret =
     271            gnutls_dh_params_import_pkcs3(sc->dh_params, &data,
     272                                          GNUTLS_X509_FMT_PEM);
     273        if (ret < 0) {
     274            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
     275                         "GnuTLS: Failed to Import "
     276                         "DH params '%s': (%d) %s", sc->dh_file, ret,
     277                         gnutls_strerror(ret));
     278            ret = -1;
     279            goto cleanup;
    302280        }
    303281    }
     
    11091087    sc->priorities = NULL;
    11101088    sc->dh_params = NULL;
     1089    sc->dh_file = NULL;
    11111090    sc->ca_list = NULL;
    11121091    sc->ca_list_size = 0;
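Review bot: In the restructured DH loading, `gnutls_dh_params_init` now runs only when `sc->dh_file` is set, but when `load_datum_from_file` or `gnutls_dh_params_import_pkcs3` then fails, `sc->dh_params` is left pointing at an initialized but empty structure while control jumps to `cleanup`; whether `cleanup` deinitializes it is outside the hunk. Unlike the old code, which skipped loading when `sc->dh_params` was already set, the new code also re-imports the file into an existing structure on every call, and whether the import releases previously held values is not visible here. Suggest resetting on the error paths, `gnutls_dh_params_deinit(sc->dh_params); sc->dh_params = NULL;` before each `goto cleanup`, and noting in the `Load user provided DH parameters` comment that an existing structure is reused. The enclosing function starts and ends outside the hunk.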
  • src/gnutls_hooks.c

    r639ce77 r300ae82  
    44 *  Copyright 2011 Dash Shendy
    55 *  Copyright 2013-2014 Daniel Kahn Gillmor
    6  *  Copyright 2015-2016 Thomas Klute
     6 *  Copyright 2015-2017 Thomas Klute
    77 *
    88 *  Licensed under the Apache License, Version 2.0 (the "License");
     
    7070    session_ticket_key.data = NULL;
    7171    session_ticket_key.size = 0;
    72         /* Deinitialize GnuTLS Library */
    73     gnutls_global_deinit();
    7472    return APR_SUCCESS;
    7573}
     
    118116    }
    119117
    120         /* Initialize GnuTLS Library */
    121     ret = gnutls_global_init();
    122     if (ret < 0) {
    123                 ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, plog, "gnutls_global_init: %s", gnutls_strerror(ret));
    124                 return DONE;
    125     }
    126 
    127118        /* Generate a Session Key */
    128119    ret = gnutls_session_ticket_key_generate(&session_ticket_key);
     
    143134}
    144135
    145 static int mgs_select_virtual_server_cb(gnutls_session_t session) {
    146 
    147     mgs_handle_t *ctxt = NULL;
    148     mgs_srvconf_rec *tsc = NULL;
     136/**
     137 * Post client hello function for GnuTLS, used to configure the TLS
     138 * server based on virtual host configuration. Uses SNI to select the
     139 * virtual host if available.
     140 *
     141 * @param session the TLS session
     142 *
     143 * @return zero or a GnuTLS error code, as required by GnuTLS hook
     144 * definition
     145 */
     146static int mgs_select_virtual_server_cb(gnutls_session_t session)
     147{
    149148    int ret = 0;
    150 
    151     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
    152 
    153     ctxt = gnutls_transport_get_ptr(session);
    154 
    155     /* find the virtual server */
    156     tsc = mgs_find_sni_server(session);
    157 
    158     if (tsc != NULL) {
    159         // Found a TLS vhost based on the SNI from the client; use it instead.
     149    mgs_handle_t *ctxt = gnutls_session_get_ptr(session);
     150
     151    /* try to find a virtual host */
     152    mgs_srvconf_rec *tsc = mgs_find_sni_server(session);
     153    if (tsc != NULL)
     154    {
     155        /* Found a TLS vhost based on the SNI, configure the
     156         * connection context. */
    160157        ctxt->sc = tsc;
    161158        }
     
    186183     * negotiation.
    187184     */
    188 
    189185    ret = gnutls_priority_set(session, ctxt->sc->priorities);
     186
    190187    /* actually it shouldn't fail since we have checked at startup */
    191188    return ret;
    192 
    193189}
    194190
     
    313309}
    314310
     311
     312
     313#if GNUTLS_VERSION_NUMBER >= 0x030506
     314#define HAVE_KNOWN_DH_GROUPS 1
     315#endif
     316#ifdef HAVE_KNOWN_DH_GROUPS
     317/**
     318 * Try to estimate a GnuTLS security parameter based on the given
     319 * private key. Any errors are logged.
     320 *
     321 * @param s The `server_rec` to use for logging
     322 *
     323 * @param key The private key to use
     324 *
     325 * @return `gnutls_sec_param_t` as returned by
     326 * `gnutls_pk_bits_to_sec_param` for the key properties, or
     327 * GNUTLS_SEC_PARAM_UNKNOWN in case of error
     328 */
     329static gnutls_sec_param_t sec_param_from_privkey(server_rec *server,
     330                                                 gnutls_privkey_t key)
     331{
     332    unsigned int bits = 0;
     333    int pk_algo = gnutls_privkey_get_pk_algorithm(key, &bits);
     334    if (pk_algo < 0)
     335    {
     336        ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, server,
     337                     "%s: Could not get private key parameters: %s (%d)",
     338                     __func__, gnutls_strerror(pk_algo), pk_algo);
     339        return GNUTLS_SEC_PARAM_UNKNOWN;
     340    }
     341    return gnutls_pk_bits_to_sec_param(pk_algo, bits);
     342}
     343#else
     344/** ffdhe2048 DH group as defined in RFC 7919, Appendix A.1. This is
     345 * the default DH group if mod_gnutls is compiled agains a GnuTLS
     346 * version that does not provide known DH groups based on security
     347 * parameters (before 3.5.6). */
     348static const char FFDHE2048_PKCS3[] =
     349    "-----BEGIN DH PARAMETERS-----\n"
     350    "MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
     351    "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
     352    "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
     353    "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
     354    "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
     355    "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICAQA=\n"
     356    "-----END DH PARAMETERS-----\n";
     357const gnutls_datum_t default_dh_params = {
     358    (void *) FFDHE2048_PKCS3,
     359    sizeof(FFDHE2048_PKCS3)
     360};
     361#endif
     362
     363
     364
     365/**
     366 * Configure the default DH groups to use for the given server. When
     367 * compiled against GnuTLS version 3.5.6 or newer the known DH group
     368 * matching the GnuTLS security parameter estimated from the private
     369 * key is used. Otherwise the ffdhe2048 DH group as defined in RFC
     370 * 7919, Appendix A.1 is the default.
     371 *
     372 * @param server the host to configure
     373 *
     374 * @return `OK` on success, `HTTP_UNAUTHORIZED` otherwise
     375 */
     376static int set_default_dh_param(server_rec *server)
     377{
     378    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
     379        ap_get_module_config(server->module_config, &gnutls_module);
     380
     381#ifdef HAVE_KNOWN_DH_GROUPS
     382    gnutls_sec_param_t seclevel = GNUTLS_SEC_PARAM_UNKNOWN;
     383    if (sc->privkey_x509)
     384    {
     385        seclevel = sec_param_from_privkey(server, sc->privkey_x509);
     386        ap_log_error(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, server,
     387                     "%s: GnuTLS security param estimated based on "
     388                     "private key '%s': %s",
     389                     __func__, sc->x509_key_file,
     390                     gnutls_sec_param_get_name(seclevel));
     391    }
     392
     393    if (seclevel == GNUTLS_SEC_PARAM_UNKNOWN)
     394        seclevel = GNUTLS_SEC_PARAM_MEDIUM;
     395    ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, server,
     396                 "%s: Setting DH params for security level '%s'.",
     397                 __func__, gnutls_sec_param_get_name(seclevel));
     398
     399    int ret = gnutls_certificate_set_known_dh_params(sc->certs, seclevel);
     400    if (ret < 0)
     401    {
     402        ap_log_error(APLOG_MARK, APLOG_EMERG, APR_EGENERAL, server,
     403                     "%s: setting known DH params failed: %s (%d)",
     404                     __func__, gnutls_strerror(ret), ret);
     405        return HTTP_UNAUTHORIZED;
     406    }
     407    ret = gnutls_anon_set_server_known_dh_params(sc->anon_creds, seclevel);
     408    if (ret < 0)
     409    {
     410        ap_log_error(APLOG_MARK, APLOG_EMERG, APR_EGENERAL, server,
     411                     "%s: setting known DH params failed: %s (%d)",
     412                     __func__, gnutls_strerror(ret), ret);
     413        return HTTP_UNAUTHORIZED;
     414    }
     415#else
     416    int ret = gnutls_dh_params_init(&sc->dh_params);
     417    if (ret < 0)
     418    {
     419        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
     420                     "%s: Failed to initialize DH params structure: "
     421                     "%s (%d)", __func__, gnutls_strerror(ret), ret);
     422        return HTTP_UNAUTHORIZED;
     423    }
     424    ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &default_dh_params,
     425                                        GNUTLS_X509_FMT_PEM);
     426    if (ret < 0)
     427    {
     428        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
     429                     "%s: Failed to import default DH params: %s (%d)",
     430                     __func__, gnutls_strerror(ret), ret);
     431        return HTTP_UNAUTHORIZED;
     432    }
     433
     434    gnutls_certificate_set_dh_params(sc->certs, sc->dh_params);
     435    gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params);
     436#endif
     437
     438    return OK;
     439}
     440
     441
     442
    315443/**
    316444 * Post config hook.
     
    328456    int rv;
    329457    server_rec *s;
    330     gnutls_dh_params_t dh_params = NULL;
    331458    mgs_srvconf_rec *sc;
    332459    mgs_srvconf_rec *sc_base;
     
    359486                                    base_server, pconf, 0);
    360487        if (rv != APR_SUCCESS)
    361         {
    362             ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, base_server,
    363                          "Failed to create mutex '" MGS_OCSP_MUTEX_NAME
    364                          "'.");
    365             return HTTP_INTERNAL_SERVER_ERROR;
    366         }
     488            return rv;
    367489    }
    368490
     
    443565        }
    444566
    445         /* Check if DH params have been set per host */
     567        /* Set host DH params from user configuration or defaults */
    446568        if (sc->dh_params != NULL) {
    447569            gnutls_certificate_set_dh_params(sc->certs, sc->dh_params);
    448570            gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params);
    449         } else if (dh_params) {
    450             gnutls_certificate_set_dh_params(sc->certs, dh_params);
    451             gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params);
     571        } else {
     572            rv = set_default_dh_param(s);
     573            if (rv != OK)
     574                return rv;
    452575        }
    453576
     
    484607        }
    485608
     609        /* If OpenPGP support is already disabled in the loaded GnuTLS
     610         * library startup will fail if the configuration tries to
     611         * load PGP credentials. Otherwise warn affected users about
     612         * deprecation. */
     613        if (sc->pgp_cert_file || sc->pgp_key_file || sc->pgp_ring_file)
     614            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
     615                         "Host '%s:%d' is configured to use OpenPGP auth. "
     616                         "OpenPGP support has been deprecated in GnuTLS "
     617                         "since version 3.5.9 and will be removed from "
     618                         "mod_gnutls in a future release.",
     619                         s->server_hostname, s->port);
     620
    486621        if (sc->enabled == GNUTLS_ENABLED_TRUE) {
    487622            rv = -1;
     
    606741}
    607742
    608 #define MAX_HOST_LEN 255
     743/**
     744 * Default buffer size for SNI data, including the terminating NULL
     745 * byte. The size matches what gnutls-cli uses initially.
     746 */
     747#define DEFAULT_SNI_HOST_LEN 256
    609748
    610749typedef struct {
     
    699838}
    700839
     840/**
     841 * Get SNI data from GnuTLS (if any) and search for a matching virtual
     842 * host configuration. This method is called from the post client
     843 * hello function.
     844 *
     845 * @param session the GnuTLS session
     846 *
     847 * @return either the matching mod_gnutls server config, or `NULL`
     848 */
    701849mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session)
    702850{
    703     int rv;
     851    mgs_handle_t *ctxt = gnutls_session_get_ptr(session);
     852
     853    char *sni_name = apr_palloc(ctxt->c->pool, DEFAULT_SNI_HOST_LEN);
     854    size_t sni_len = DEFAULT_SNI_HOST_LEN;
    704855    unsigned int sni_type;
    705     size_t data_len = MAX_HOST_LEN;
    706     char sni_name[MAX_HOST_LEN];
    707     mgs_handle_t *ctxt;
    708     vhost_cb_rec cbx;
    709 
    710     if (session == NULL)
     856
     857    /* Search for a DNS SNI element. Note that RFC 6066 prohibits more
     858     * than one server name per type. */
     859    int sni_index = -1;
     860    int rv = 0;
     861    do {
     862        /* The sni_index is incremented before each use, so if the
     863         * loop terminates with a type match we will have the right
     864         * one stored. */
     865        rv = gnutls_server_name_get(session, sni_name,
     866                                    &sni_len, &sni_type, ++sni_index);
     867        if (rv == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
     868        {
     869            ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_EGENERAL, ctxt->c,
     870                          "%s: no DNS SNI found (last index: %d).",
     871                          __func__, sni_index);
     872            return NULL;
     873        }
     874    } while (sni_type != GNUTLS_NAME_DNS);
     875    /* The (rv == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) path inside
     876     * the loop above returns, so if we reach this point we have a DNS
     877     * SNI at the current index. */
     878
     879    if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER)
     880    {
     881        /* Allocate a new buffer of the right size and retry */
     882        sni_name = apr_palloc(ctxt->c->pool, sni_len);
     883        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
     884                      "%s: reallocated SNI data buffer for %" APR_SIZE_T_FMT
     885                      " bytes.", __func__, sni_len);
     886        rv = gnutls_server_name_get(session, sni_name,
     887                                    &sni_len, &sni_type, sni_index);
     888    }
     889
     890    /* Unless there's a bug in the GnuTLS API only GNUTLS_E_IDNA_ERROR
     891     * can occur here, but a catch all is safer and no more
     892     * complicated. */
     893    if (rv != GNUTLS_E_SUCCESS)
     894    {
     895        ap_log_cerror(APLOG_MARK, APLOG_INFO, APR_EGENERAL, ctxt->c,
     896                      "%s: error while getting SNI DNS data: '%s' (%d).",
     897                      __func__, gnutls_strerror(rv), rv);
    711898        return NULL;
    712 
    713     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
    714     ctxt = gnutls_transport_get_ptr(session);
    715 
    716     rv = gnutls_server_name_get(ctxt->session, sni_name,
    717             &data_len, &sni_type, 0);
    718 
    719     if (rv != 0) {
    720         return NULL;
    721     }
    722 
    723     if (sni_type != GNUTLS_NAME_DNS) {
    724         ap_log_cerror(APLOG_MARK, APLOG_CRIT, 0, ctxt->c,
    725                       "GnuTLS: Unknown type '%d' for SNI: '%s'",
    726                       sni_type, sni_name);
    727         return NULL;
    728     }
    729 
    730     /**
    731      * Code in the Core already sets up the c->base_server as the base
    732      * for this IP/Port combo.  Trust that the core did the 'right' thing.
    733      */
    734     cbx.ctxt = ctxt;
    735     cbx.sc = NULL;
    736     cbx.sni_name = sni_name;
    737 
     899    }
     900
     901    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
     902                  "%s: client requested server '%s'.",
     903                  __func__, sni_name);
     904
     905    /* Search for vhosts matching connection parameters and the
     906     * SNI. If a match is found, cbx.sc will contain the mod_gnutls
     907     * server config for the vhost. */
     908    vhost_cb_rec cbx = {
     909        .ctxt = ctxt,
     910        .sc = NULL,
     911        .sni_name = sni_name
     912    };
    738913    rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
    739914    if (rv == 1) {
     
    824999            ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
    8251000                          "gnutls_init for proxy connection failed: %s (%d)",
    826                           gnutls_strerror(err), err);
    827         err = gnutls_session_ticket_enable_client(ctxt->session);
    828         if (err != GNUTLS_E_SUCCESS)
    829             ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
    830                           "gnutls_session_ticket_enable_client failed: %s (%d)",
    8311001                          gnutls_strerror(err), err);
    8321002    }
     
    17911961    /* Get peer hostname from a note left by mod_proxy */
    17921962    const char *peer_hostname =
    1793         apr_table_get(ctxt->c->notes, "proxy-request-hostname");
     1963        apr_table_get(ctxt->c->notes, PROXY_SNI_NOTE);
    17941964    if (peer_hostname == NULL)
    17951965        ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, ctxt->c,
    1796                       "%s: proxy-request-hostname is NULL, cannot check "
     1966                      "%s: " PROXY_SNI_NOTE " NULL, cannot check "
    17971967                      "peer's hostname", __func__);
    17981968
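Review bot: In the new `mgs_find_sni_server` the lookup loop leaves `sni_len` stale after a `GNUTLS_E_SHORT_MEMORY_BUFFER` result on a non-DNS entry: the hunk's own retry path shows GnuTLS writes the required size into `sni_len`, and if the type is not DNS the loop moves to the next index still passing the `DEFAULT_SNI_HOST_LEN`-byte `sni_name` together with that larger length, so the following call is told the buffer is bigger than it is. Whether GnuTLS ever exposes non-DNS entries through `gnutls_server_name_get` is not visible here, but this data comes straight from the client's ClientHello, so the loop should not depend on it. `sni_type` is also read by the loop condition without being initialized, which relies on the out-parameter being written even on error returns. Handling the short-buffer case inside the loop, tracking the allocation size separately and retrying the same index before the type is examined, removes both issues; the `rv == GNUTLS_E_SHORT_MEMORY_BUFFER` block after the loop then goes away and the later `rv != GNUTLS_E_SUCCESS` check becomes unreachable.
```c
    char *sni_name = apr_palloc(ctxt->c->pool, DEFAULT_SNI_HOST_LEN);
    /* sni_buf_len is the size of the allocation behind sni_name;
     * sni_len is what GnuTLS may overwrite on each call. */
    size_t sni_buf_len = DEFAULT_SNI_HOST_LEN;
    size_t sni_len = 0;
    unsigned int sni_type = 0;

    /* Search for a DNS SNI element. Note that RFC 6066 prohibits more
     * than one server name per type. */
    int sni_index = -1;
    int rv = 0;
    do {
        sni_len = sni_buf_len;
        rv = gnutls_server_name_get(session, sni_name,
                                    &sni_len, &sni_type, ++sni_index);
        if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER)
        {
            /* sni_len now holds the required size: allocate that much
             * and retry the same index before looking at the type. */
            sni_buf_len = sni_len;
            sni_name = apr_palloc(ctxt->c->pool, sni_buf_len);
            ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
                          "%s: reallocated SNI data buffer for %" APR_SIZE_T_FMT
                          " bytes.", __func__, sni_len);
            rv = gnutls_server_name_get(session, sni_name,
                                        &sni_len, &sni_type, sni_index);
        }
        if (rv == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
        {
            /* … unchanged: "no DNS SNI found" trace log … */
            return NULL;
        }
        if (rv != GNUTLS_E_SUCCESS)
        {
            /* … unchanged: "error while getting SNI DNS data" log … */
            return NULL;
        }
    } while (sni_type != GNUTLS_NAME_DNS);
    /* … unchanged: "client requested server" log, vhost iteration … */
```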
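--- a/src/gnutls_io.c
+++ b/src/gnutls_io.c
@@ -3,5 +3,5 @@
  *  Copyright 2008 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
- *  Copyright 2015-2016 Thomas Klute
+ *  Copyright 2015-2017 Thomas Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -395,4 +395,28 @@
     }
 
+    /* Enable SNI for proxy connections */
+    if (ctxt->is_proxy == GNUTLS_ENABLED_TRUE)
+    {
+        /* Get peer hostname from note left by mod_proxy */
+        const char *peer_hostname =
+            apr_table_get(ctxt->c->notes, PROXY_SNI_NOTE);
+        /* Used only as target for apr_ipsubnet_create() */
+        apr_ipsubnet_t *probe;
+        /* Check if the note is present (!= NULL) and NOT an IP
+         * address */
+        if ((peer_hostname) != NULL
+            && (apr_ipsubnet_create(&probe, peer_hostname, NULL, ctxt->c->pool)
+                != APR_SUCCESS))
+        {
+            ret = gnutls_server_name_set(ctxt->session, GNUTLS_NAME_DNS,
+                                         peer_hostname, strlen(peer_hostname));
+            if (ret != GNUTLS_E_SUCCESS)
+                ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, ctxt->c,
+                              "Could not set SNI '%s' for proxy connection: "
+                              "%s (%d)",
+                              peer_hostname, gnutls_strerror(ret), ret);
+        }
+    }
+
 tryagain:
     do {
@@ -446,13 +470,8 @@
         /* all done with the handshake */
         ctxt->status = 1;
-        /* If the session was resumed, we did not set the correct
-         * server_rec in ctxt->sc.  Go Find it. (ick!)
-         */
-        if (gnutls_session_is_resumed(ctxt->session)) {
-            mgs_srvconf_rec *sc;
-            sc = mgs_find_sni_server(ctxt->session);
-            if (sc) {
-                ctxt->sc = sc;
-            }
+        if (gnutls_session_is_resumed(ctxt->session))
+        {
+            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                          "%s: TLS session resumed.", __func__);
         }
         return GNUTLS_E_SUCCESS;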
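Review bot: The new SNI block (new lines 397–419) stores the `gnutls_server_name_set()` result in `ret` and on failure only logs before falling through to the `tryagain:` handshake loop, so it relies on the loop body (outside this hunk) overwriting `ret` before anything tests it; a dedicated local such as `int sni_ret = gnutls_server_name_set(...)` would make that independence explicit instead of implicit. The `apr_ipsubnet_create()` probe deserves a comment stating why IP literals are skipped, e.g. `/* RFC 6066, Section 3: literal IPv4/IPv6 addresses are not permitted in the SNI HostName */`. The resumption branch at 472–475 replaces the `mgs_find_sni_server()` re-lookup with a debug message only; a one-line comment naming where `ctxt->sc` is now kept correct for resumed sessions would help the next reader, since that is no longer visible here. The enclosing handshake function starts and ends outside these hunks.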
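--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -32,8 +32,12 @@
         test-27_OCSP_server.bash
 
+TEST_EXTENSIONS = .bash
 TESTS = $(dist_check_SCRIPTS)
 
-check_PROGRAMS = pgpcrc
+check_PROGRAMS = pgpcrc gnutls_openpgp_support
 pgpcrc_SOURCES = pgpcrc.c
+gnutls_openpgp_support_SOURCES = gnutls_openpgp_support.c
+gnutls_openpgp_support_CFLAGS = $(LIBGNUTLS_CFLAGS)
+gnutls_openpgp_support_LDFLAGS = $(LIBGNUTLS_LIBS)
 
 # build OCSP database tool
@@ -41,4 +45,5 @@
 check_PROGRAMS += gen_ocsp_index
 gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
+gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS)
 gen_ocsp_index_LDFLAGS = $(LIBGNUTLS_LIBS)
 noinst_HEADERS = cert_helper.h
@@ -109,7 +114,21 @@
 # necessary.
 MOSTLYCLEANFILES += */*.pgp */*.pgp.raw */*.gpg */*.gpg~ */gpg.conf \
-        authority/lock */*.kbx */*.kbx~ */S.gpg-agent */private-keys-v1.d/*
+        authority/lock */*.kbx */*.kbx~ */S.gpg-agent */private-keys-v1.d/* \
+        authority/tofu.db
 # GnuPG random pool, no need to regenerate on every build
 CLEANFILES += authority/random_seed
+
+# GnuPG 2 starts gpg-agent processes per GNUPGHOME (one for every PGP
+# identity) while creating the PGP certificates. This target is called
+# by both "check-local" and "mostlyclean-local": The former because
+# agent processes are started while preparing for "check" and are no
+# longer needed afterwards, the latter to make sure they are gone
+# along with their certificates.
+stop-gnupg-agent:
+        for id in $(pgp_identities) $(msva_home); do \
+                GNUPGHOME=$$id/ gpgconf --kill gpg-agent || true; \
+        done
+
+check-local: stop-gnupg-agent
 
 # Delete lock files for test servers on "mostlyclean" target.
@@ -124,5 +143,5 @@
         mkdir -p -m 0700 $(dir $@)
         GNUPGHOME=$(dir $@) gpg --import < $<
-        printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
+        printf "%s:6:\n" "$$(GNUPGHOME=authority/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
         GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
         printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
@@ -171,7 +190,8 @@
         mkdir -p $(extra_dirs)
 
-.PHONY: make-test-dirs clean-softhsm2-db
-
-mostlyclean-local: clean-softhsm2-db
+.PHONY: make-test-dirs clean-softhsm2-db stop-gnupg-agent
+
+
+mostlyclean-local: clean-softhsm2-db stop-gnupg-agent
         -rmdir $(pgp_identities:=/private-keys-v1.d) || true
 if USE_MSVA
@@ -179,4 +199,12 @@
 endif
 
+# Delete test data directories, and wait for test services to
+# exit. The reason for the wait is that Apache instances may take some
+# time to exit and delete their PID files. Occasionally some PID files
+# where still around during "distcheck" runs by the time the target
+# checked if the build directory was really empty after "distclean",
+# breaking the build. Delaying "clean-local" until PID files are gone
+# avoids this issue, and the timeout will expose actually unclean
+# stops.
 clean-local:
         -rmdir $(identities) || true
@@ -185,12 +213,18 @@
         -rmdir $(msva_home) || true
 endif
+        wait=0; \
+        while ls *.pid && test "$$wait" -lt "@TEST_LOCK_WAIT@"; do \
+                wait=$$(($$wait + 1)); \
+                echo "waiting for test services to exit ($$wait seconds)"; \
+                sleep 1; \
+        done
 
 # Apache configuration and data files
 apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/ocsp.cgi \
-        data/secret.txt data/test.txt mime.types ocsp_server.conf \
+        data/secret.txt data/test.txt ffdhe3072.pem mime.types \
         proxy_mods.conf
 
 EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=.uid.in) \
-        common.bash proxy_backend.bash runtests server-crl.template \
+        apache_service.bash common.bash runtests server-crl.template \
         softhsm.bash
 
@@ -199,7 +233,6 @@
 # Lockfile for the proxy backend Apache process (if any)
 backend_lockfile = ./backend.lock
-# Maximum wait time in seconds for flock to aquire instance lock
-# files, or Apache to remove its PID file
-lock_wait = 30
+# Lockfile for the OCSP server Apache process (if any)
+ocsp_lockfile = ./ocsp.lock
 
 # port for the main Apache server
@@ -207,25 +240,26 @@
 # port for MSVA in test cases that use it
 MSVA_PORT ?= 9933
-# port for OCSP server (Apache vhost if enabled)
+# port for TLS proxy backend server
+BACKEND_PORT ?= 9934
+# port for the OCSP responder
 if ENABLE_OCSP_TEST
 OCSP_PORT ?= 9936
 endif
 # maximum time to wait for MSVA startup (milliseconds)
-TEST_MSVA_MAX_WAIT ?= 10000
+TEST_SERVICE_MAX_WAIT ?= 10000
 # wait loop time for MSVA startup (milliseconds)
-TEST_MSVA_WAIT ?= 400
-# seconds for the HTTP request to be sent and responded to
-TEST_QUERY_DELAY ?= 30
+TEST_SERVICE_WAIT ?= 400
 
 AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \
         export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \
-        export TEST_LOCK_WAIT="$(lock_wait)"; \
+        export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \
         export TEST_HOST="@TEST_HOST@"; \
         export TEST_PORT="$(TEST_PORT)"; \
         export MSVA_PORT="$(MSVA_PORT)"; \
-        export TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \
-        export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
-        export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
+        export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \
+        export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; \
+        export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \
         export BACKEND_HOST="@TEST_HOST@"; \
+        export BACKEND_PORT="$(BACKEND_PORT)"; \
         export HTTP_CLI="@HTTP_CLI@";
 
@@ -245,11 +279,17 @@
         export USE_TEST_NAMESPACE=1;
 endif
-# Without flock tests must not run in parallel. Otherwise set lock files.
+# Without flock tests must not run in parallel, and PID files are used
+# to prevent conflicts between server instances. Otherwise set lock
+# files for flock.
 if DISABLE_FLOCK
+AM_TESTS_ENVIRONMENT += export TEST_LOCK="apache2.pid"; \
+        export BACKEND_LOCK="backend.pid"; \
+        export OCSP_LOCK="ocsp.pid";
 .NOTPARALLEL:
 else
 AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
         export TEST_LOCK="$(test_lockfile)"; \
-        export BACKEND_LOCK="$(backend_lockfile)";
+        export BACKEND_LOCK="$(backend_lockfile)"; \
+        export OCSP_LOCK="$(ocsp_lockfile)";
 endif
 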
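Review bot: `gnutls_openpgp_support_LDFLAGS = $(LIBGNUTLS_LIBS)` (new line 41) puts libraries into a flags variable; Automake emits `_LDFLAGS` before the object files on the link line, so `-lgnutls` precedes the objects that reference it and is dropped by toolchains that default to `--as-needed`. Use `gnutls_openpgp_support_LDADD = $(LIBGNUTLS_LIBS)` instead; the pre-existing `gen_ocsp_index_LDFLAGS` at line 48 has the same shape and could be fixed alongside. The comments at lines 248 and 250 still describe `TEST_SERVICE_MAX_WAIT` and `TEST_SERVICE_WAIT` as MSVA startup values although the `wait_ready` helper in common.bash now reads them for any waited-for command; `# maximum time to wait for a test service (MSVA, Apache instances) to start (milliseconds)` would match the rename.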
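--- a/test/README
+++ b/test/README
@@ -130,6 +130,6 @@
  * If a machine is particularly slow or under heavy load, it's
    possible that these tests will fail for timing
-   reasons. [TEST_QUERY_DELAY (seconds for the HTTP request to be sent
-   and responded to)]
+   reasons. [TEST_QUERY_TIMEOUT (timeout for the HTTPS request in
+   seconds)]
 
 The first two of these issues are avoided when the tests are isolated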
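--- a/test/apache-conf/netns.conf.in
+++ b/test/apache-conf/netns.conf.in
@@ -1,4 +1,4 @@
 # This file contains options that are different depending on whether
 # tests use namespaces or not.
-Mutex   @MUTEX_TYPE@    default
+@MUTEX_CONF@
 PidFile apache2@PID_AFFIX@.pid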
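--- a/test/base_apache.conf
+++ b/test/base_apache.conf
@@ -1,3 +1,4 @@
 ServerRoot ${PWD}
+DefaultRuntimeDir cache/
 
 LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined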
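--- a/test/common.bash
+++ b/test/common.bash
@@ -15,4 +15,63 @@
         sleep 1
     done
+}
+
+
+
+# Usage: verbose_log [...]
+#
+# If VERBOSE is not empty, write a log message prefixed with the name
+# of the calling function. The function is defined to a no-op
+# otherwise.
+if [ -n "${VERBOSE}" ]; then
+    function verbose_log
+    {
+        echo "${FUNCNAME[1]}: ${@}"
+    }
+else
+    function verbose_log
+    {
+        return
+    }
+fi
+
+
+
+# Usage: wait_ready COMMAND [TIMEOUT] [STEP]
+#
+# Wait until COMMAND terminates with success (zero exit code), or
+# until the TIMEOUT (in milliseconds) expires. TIMEOUT defaults to
+# $TEST_SERVICE_MAX_WAIT if unset. A TIMEOUT of zero means to try
+# once.
+#
+# COMMAND is retried every STEP milliseconds, the default is
+# $TEST_SERVICE_WAIT. Note that the last try may happen a little after
+# TIMEOUT expires if STEP does not evenly divide it.
+function wait_ready
+{
+    local command="${1}"
+    if [ -z "${2}" ]; then
+        local -i timeout="${TEST_SERVICE_MAX_WAIT}"
+    else
+        local -i timeout="${2}"
+    fi
+    local -i step="${3}"
+    [ ${step} -gt 0 ] || step="${TEST_SERVICE_WAIT}"
+    # convert step to seconds because that's what "sleep" needs
+    local sec_step="$((${step} / 1000)).$((${step} % 1000))"
+
+    verbose_log "Waiting for \"${command}\" ..."
+    local -i waited=0
+    until eval "${command}"; do
+        if [ "${waited}" -ge "${timeout}" ]; then
+            echo "${FUNCNAME[0]}: Timed out waiting for \"${command}\"" \
+                 "to succeed (waited ${waited} ms)." >&2
+            return 1
+        fi
+        waited=$((waited + step));
+        sleep "${sec_step}"
+        verbose_log "waiting (${waited} ms)"
+    done
+    verbose_log "done (waited ${waited} ms)"
 }
 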
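Review bot: The `sec_step` computation on new line 61 does not zero-pad the millisecond remainder, so a STEP of 50 yields `0.50` (half a second) and 1050 yields `1.50`; the default of 400 is unaffected, which is why the tests do not notice. Replace it with `printf -v sec_step '%d.%03d' "$((step / 1000))" "$((step % 1000))"`. The `until eval "${command}"` on line 65 re-parses the command string through the shell, so callers must pass a pre-quoted string (runtests does this for the `msva-query-agent` invocation); a line in the usage comment such as `# COMMAND is run through eval, so it must be a pre-quoted shell command string` would record that contract. `local -i step="${3}"` turns an empty third argument into 0, which the following `-gt 0` check then maps to the default — a short comment there would save the reader working that out.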
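--- a/test/ocsp_server.conf.in
+++ b/test/ocsp_server.conf.in
@@ -1,5 +1,16 @@
+Define  OCSP_PORT       ${OCSP_PORT}
+Define  TEST_PORT       ${OCSP_PORT}
+
+Include ${srcdir}/base_apache.conf
+
 Include         ${srcdir}/cgi_module.conf
 LoadModule      env_module              ${AP_LIBEXECDIR}/mod_env.so
 LoadModule      rewrite_module          ${AP_LIBEXECDIR}/mod_rewrite.so
+
+# separate log and PID file
+CustomLog       logs/${TEST_NAME}.ocsp.access.log combined
+ErrorLog        logs/${TEST_NAME}.ocsp.error.log
+PidFile         ocsp@PID_AFFIX@.pid
+
 <IfDefine !OCSP_INDEX>
         # Default index file, define OCSP_INDEX in the test specific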
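--- a/test/proxy_backend.conf.in
+++ b/test/proxy_backend.conf.in
@@ -1,2 +1,6 @@
+# redefine TEST_PORT before loading the base config
+Define  TEST_PORT       ${BACKEND_PORT}
+Include ${srcdir}/base_apache.conf
+
 # common options for proxy backend servers
 CustomLog       logs/${TEST_NAME}.backend.access.log combined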
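--- a/test/runtests
+++ b/test/runtests
@@ -7,4 +7,5 @@
 set -e
 . ${srcdir}/common.bash
+. ${srcdir}/apache_service.bash
 netns_reexec ${@}
 
@@ -17,7 +18,8 @@
     testid=${srcdir}/tests/"$(printf "%02d" "$testid")"_*
 fi
+testdir="$(realpath ${testid})"
 
 BADVARS=0
-for v in APACHE2 TEST_HOST TEST_PORT TEST_QUERY_DELAY TEST_MSVA_WAIT \
+for v in APACHE2 TEST_HOST TEST_PORT TEST_QUERY_TIMEOUT TEST_SERVICE_WAIT \
                  MSVA_PORT; do
     if [ ! -v "$v" ]; then
@@ -34,7 +36,9 @@
 function pinpoint_error()
 {
-    echo "${1} failed at line ${2}!" >&2
-}
-trap 'pinpoint_error ${BASH_SOURCE} ${LINENO}' ERR
+    echo "Command \"${BASH_COMMAND}\" failed. Call trace:" >&2
+    local stack=0
+    while caller $((stack++)) >&2; do true; done
+}
+trap 'pinpoint_error' ERR
 
 function stop_msva()
@@ -89,4 +93,6 @@
         if [ -n "${pid}" ] && ps -p "${pid}"; then
             kill "${pid}"
+        else
+            echo "No running process with PID ${pid} (${pidfile})."
         fi
         rm "${pidfile}"
@@ -96,8 +102,16 @@
 function apache_down_err() {
     printf "FAILURE: %s\n" "$TEST_NAME"
-    ${APACHE2} -f "${t}/apache.conf" -k stop || true
+    ${APACHE2} -f "${testdir}/apache.conf" -k stop || true
     if [ -e output ]; then
         printf "\ngnutls-cli outputs:\n"
         diff_output_filter_headers "output" "$output" || true
+    fi
+
+    if [ -r "${testdir}/backend.conf" ]; then
+        apache_service "${testdir}" "backend.conf" stop || true
+    fi
+
+    if [ -r "${testdir}/ocsp.conf" ]; then
+        apache_service "${testdir}" "ocsp.conf" stop || true
     fi
 
@@ -123,26 +137,9 @@
 
     printf "TESTING: initial MSVA verification\n"
-    # set to 0 if MSVA is up
-    ret=1
     export MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT"
 
-    # convert TEST_MSVA_WAIT to seconds because that's what "sleep" expects
-    TEST_MSVA_SLEEP="$((${TEST_MSVA_WAIT} / 1000)).$((${TEST_MSVA_WAIT} % 1000))"
-    # wait at most TEST_MSVA_MAX_WAIT milliseconds for MSVA to get ready
-    waited=0
-    until [ ${ret} -eq 0 ] \
-              || [ ${waited} -ge ${TEST_MSVA_MAX_WAIT} ]; do
-        if msva-query-agent https "$(cat client.uid)" x509pem client < client/x509.pem
-        then
-            ret=0
-        else
-            echo "MSVA not ready yet"
-        fi
-        sleep "${TEST_MSVA_SLEEP}"
-        waited=$((${waited} + ${TEST_MSVA_WAIT}))
-    done
-
+    msva_test_cmd="msva-query-agent https \"$(cat client.uid)\" x509pem client < client/x509.pem"
     # check if MSVA is up, fail if not
-    if [ ${ret} -eq 0 ]; then
+    if wait_ready "${msva_test_cmd}"; then
         printf "\nSUCCESS: initial MSVA verification\n"
     else
@@ -152,24 +149,22 @@
 fi
 
-TEST_PID="apache2.pid"
 # configure locking for the Apache process
 if [ -n "${USE_TEST_NAMESPACE}" ]; then
     echo "Using namespaces to isolate tests, no need for locking."
     flock_cmd=""
-elif [ -n "${TEST_LOCK}" ]; then
+elif [ -n "${FLOCK}" ]; then
     flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"
 else
     echo "Locking disabled, using wait based on Apache PID file."
-    wait_pid_gone "${TEST_PID}"
+    wait_pid_gone "${TEST_LOCK}"
     flock_cmd=""
 fi
 
-t="$(realpath ${testid})"
 export srcdir="$(realpath ${srcdir})"
-export TEST_NAME="$(basename "$t")"
+export TEST_NAME="$(basename "${testdir}")"
 output="outputs/${TEST_NAME}.output"
 rm -f "$output"
 
-if [ -e ${t}/fail.* ]; then
+if [ -e ${testdir}/fail.* ]; then
     EXPECTED_FAILURE="$(printf " (expected: %s)" fail.*)"
 else
@@ -179,12 +174,35 @@
 trap apache_down_err EXIT
 if [ -n "${USE_MSVA}" ]; then
-    MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" \
-                                        ${flock_cmd} \
-                                        ${APACHE2} -f "${t}/apache.conf" -k start \
-        || [ -e "${t}/fail.server" ]
-else
-    ${flock_cmd} \
-        ${APACHE2} -f "${t}/apache.conf" -k start \
-        || [ -e "${t}/fail.server" ]
+    export MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT"
+fi
+
+# If VERBOSE is enabled, log the HTTPD build configuration
+if [ -n "${VERBOSE}" ]; then
+    ${APACHE2} -f "${srcdir}/base_apache.conf" -V
+fi
+
+# Start OCSP responder, if configured
+if [ -r "${testdir}/ocsp.conf" ]; then
+    apache_service "${testdir}" "ocsp.conf" start "${OCSP_LOCK}"
+    CHECK_OCSP_SERVER="true"
+    if [ -n "${VERBOSE}" ]; then
+        echo "OCSP index for the test CA:"
+        cat authority/ocsp_index.txt
+    fi
+fi
+
+# Start proxy backend server, if configured
+if [ -r "${testdir}/backend.conf" ]; then
+    apache_service "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
+fi
+
+if ! ${flock_cmd} ${APACHE2} -f "${testdir}/apache.conf" -k start; then
+    if [ -e "${testdir}/fail.server" ]; then
+        echo "Apache HTTPD failed to start as expected."
+        exit 0
+    else
+        echo "Apache HTTPD unexpectedly failed to start."
+        exit 1
+    fi
 fi
 
@@ -195,5 +213,5 @@
     fi
     echo "---- Testing OCSP server ----"
-    ocsptool --ask --nonce --load-issuer authority/x509.pem --load-cert server/x509.pem ${store_ocsp}
+    wait_ready "ocsptool --ask --nonce --load-issuer authority/x509.pem --load-cert server/x509.pem ${store_ocsp}"
     echo "---- OCSP test done ----"
 fi
@@ -212,16 +230,16 @@
 # end with CRLF as required by RFC 7230, Section 3.1.1 regardless of
 # the line ends in the input file.
-if (sed -r "s/__HOSTNAME__/${TEST_HOST}/;s/\r?$/\r/" <${t}/input && \
-           run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_DELAY}" &) | \
-       gnutls-cli -p "${TEST_PORT}" $(cat ${t}/gnutls-cli.args) "${TEST_HOST}" \
+if (sed -r "s/__HOSTNAME__/${TEST_HOST}/;s/\r?$/\r/" <${testdir}/input && \
+           run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_TIMEOUT}" &) | \
+       gnutls-cli -p "${TEST_PORT}" $(cat ${testdir}/gnutls-cli.args) "${TEST_HOST}" \
        | tee "$output" && test "${PIPESTATUS[1]}" -eq 0;
 then
-    if [ -e ${t}/fail* ]; then
-        printf "%s should have failed but succeeded\n" "$(basename "$t")" >&2
+    if [ -e ${testdir}/fail* ]; then
+        printf "%s should have failed but succeeded\n" "$(basename "$testdir")" >&2
         exit 1
     fi
 else
-    if [ ! -e ${t}/fail* ]; then
-        printf "%s should have succeeded but failed\n" "$(basename "$t")" >&2
+    if [ ! -e ${testdir}/fail* ]; then
+        printf "%s should have succeeded but failed\n" "$(basename "$testdir")" >&2
         exit 1
     fi
@@ -231,6 +249,6 @@
 unset sleep_pidfile
 
-if [ -e ${t}/output ] ; then
-    diff_output_filter_headers "${t}/output" "$output" >&2
+if [ -e ${testdir}/output ] ; then
+    diff_output_filter_headers "${testdir}/output" "$output" >&2
 fi
 if [ -n "${USE_MSVA}" ]; then
@@ -239,6 +257,14 @@
     trap - EXIT
 fi
-${APACHE2} -f "${t}/apache.conf" -k stop || [ -e ${t}/fail.server ]
+${APACHE2} -f "${testdir}/apache.conf" -k stop || [ -e ${testdir}/fail.server ]
 printf "SUCCESS: %s\n" "$TEST_NAME"
+
+if [ -r "${testdir}/backend.conf" ]; then
+    apache_service "${testdir}" "backend.conf" stop || true
+fi
+
+if [ -r "${testdir}/ocsp.conf" ]; then
+    apache_service "${testdir}" "ocsp.conf" stop || true
+fi
 
 if [ -n "${USE_MSVA}" ]; then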
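Review bot: In the start block at new lines 199–207 the expected-failure branch runs `exit 0` while the `apache_down_err` EXIT trap installed at line 174 is still active, so an expected server start failure still prints `FAILURE: <test name>` through that trap, and if the tail of `apache_down_err` (outside this section) ends with a non-zero exit, the status of the expected-failure path is overridden as well. Tearing down the backend and OCSP instances explicitly on that path and clearing the trap before `exit 0` keeps the cleanup while making the outcome unambiguous. With this early exit, the `|| [ -e ${testdir}/fail.server ]` fallback on line 259 can no longer be reached for a test that ships `fail.server` and can be dropped or marked as legacy.
```shell
if ! ${flock_cmd} ${APACHE2} -f "${testdir}/apache.conf" -k start; then
    if [ -e "${testdir}/fail.server" ]; then
        echo "Apache HTTPD failed to start as expected."
        # Expected outcome: stop the helper instances ourselves and drop
        # the EXIT trap so apache_down_err does not report a failure.
        if [ -r "${testdir}/backend.conf" ]; then
            apache_service "${testdir}" "backend.conf" stop || true
        fi
        if [ -r "${testdir}/ocsp.conf" ]; then
            apache_service "${testdir}" "ocsp.conf" stop || true
        fi
        trap - EXIT
        exit 0
    # … unchanged: unexpected-failure branch …
```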
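--- a/test/test-14_basic_openpgp.bash
+++ b/test/test-14_basic_openpgp.bash
@@ -1,2 +1,3 @@
 #!/bin/bash
+./gnutls_openpgp_support || exit $?
 ${srcdir}/runtests t-14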
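--- a/test/test-19_TLS_reverse_proxy.bash
+++ b/test/test-19_TLS_reverse_proxy.bash
@@ -1,21 +1,2 @@
 #!/bin/bash
-
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/19_TLS_reverse_proxy"
-. $(dirname ${0})/proxy_backend.bash
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-19
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT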
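--- a/test/test-20_TLS_reverse_proxy_client_auth.bash
+++ b/test/test-20_TLS_reverse_proxy_client_auth.bash
@@ -1,21 +1,2 @@
 #!/bin/bash
-
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/20_TLS_reverse_proxy_client_auth"
-. $(dirname ${0})/proxy_backend.bash
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-20
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT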
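--- a/test/test-21_TLS_reverse_proxy_wrong_cert.bash
+++ b/test/test-21_TLS_reverse_proxy_wrong_cert.bash
@@ -1,21 +1,2 @@
 #!/bin/bash
-
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/21_TLS_reverse_proxy_wrong_cert"
-. $(dirname ${0})/proxy_backend.bash
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-21
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT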
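--- a/test/test-22_TLS_reverse_proxy_crl_revoke.bash
+++ b/test/test-22_TLS_reverse_proxy_crl_revoke.bash
@@ -1,21 +1,2 @@
 #!/bin/bash
-
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/22_TLS_reverse_proxy_crl_revoke"
-. $(dirname ${0})/proxy_backend.bash
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-22
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT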
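--- a/test/test-23_TLS_reverse_proxy_mismatched_priorities.bash
+++ b/test/test-23_TLS_reverse_proxy_mismatched_priorities.bash
@@ -1,11 +1,3 @@
 #!/bin/bash
-
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/23_TLS_reverse_proxy_mismatched_priorities"
-. $(dirname ${0})/proxy_backend.bash
 
 # This test checks if server and proxy priorities are applied
@@ -13,14 +5,3 @@
 # back end server is configured not to use TLS 1.2. The proxy request
 # must fail and the client must receive an error message to pass.
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-23
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT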
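--- a/test/test-26_redirect_HTTP_to_HTTPS.bash
+++ b/test/test-26_redirect_HTTP_to_HTTPS.bash
@@ -11,5 +11,5 @@
 testdir="${srcdir}/tests/26_redirect_HTTP_to_HTTPS"
 TEST_NAME="$(basename ${testdir})"
-. $(dirname ${0})/proxy_backend.bash
+. $(dirname ${0})/apache_service.bash
 
 : ${TEST_HTTP_PORT:="9935"}
@@ -17,14 +17,12 @@
 
 # "Proxy backend" functions are used to start the only instance needed
-# here without "runtests". We have to override BACKEND_PID and
-# BACKEND_PORT to make them match what a runtests-based test would
-# use.
-export BACKEND_PID="apache2.pid"
+# here without "runtests". We have to override BACKEND_PORT to make it
+# match what a runtests-based test would use.
 export BACKEND_PORT="${TEST_PORT}"
 function stop_backend
 {
-    backend_apache "${testdir}" "apache.conf" stop
+    apache_service "${testdir}" "apache.conf" stop
 }
-backend_apache "${testdir}" "apache.conf" start "${TEST_LOCK}"
+apache_service "${testdir}" "apache.conf" start "${TEST_LOCK}"
 trap stop_backend EXIT
 
@@ -48,4 +46,4 @@
 grep "Current TLS session: (TLS" "${output}"
 
-backend_apache "${testdir}" "apache.conf" stop
+apache_service "${testdir}" "apache.conf" stop
 trap - EXIT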
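--- a/test/test-27_OCSP_server.bash
+++ b/test/test-27_OCSP_server.bash
@@ -4,9 +4,4 @@
 # Skip if OCSP tests are not enabled
 [ -n "${OCSP_PORT}" ] || exit 77
-
-# trigger OCSP server test in the runtests script
-export CHECK_OCSP_SERVER="true"
-echo "OCSP index for the test CA:"
-cat authority/ocsp_index.txt
 
 ${srcdir}/runtests t-27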
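--- a/test/test_ca.mk
+++ b/test/test_ca.mk
@@ -48,7 +48,7 @@
 %/cert.pgp: %/minimal.pgp authority/minimal.pgp
         if test -r $@; then rm $@; fi
-        GNUPGHOME=authority $(GPG_FLOCK) gpg --import $<
-        GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
-        GNUPGHOME=authority $(GPG_FLOCK) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
+        GNUPGHOME=authority/ $(GPG_FLOCK) gpg --import $<
+        GNUPGHOME=authority/ $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
+        GNUPGHOME=authority/ $(GPG_FLOCK) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
 
 # special cases for the authorities' root certs: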
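--- a/test/tests/06_verify_sni_a/apache.conf
+++ b/test/tests/06_verify_sni_a/apache.conf
@@ -2,6 +2,4 @@
 
 GnuTLSCache dbm cache/gnutls_cache
-
-NameVirtualHost _default_:${TEST_PORT}
 
 <VirtualHost _default_:${TEST_PORT}>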
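--- a/test/tests/07_verify_sni_b/apache.conf
+++ b/test/tests/07_verify_sni_b/apache.conf
@@ -2,6 +2,4 @@
 
 GnuTLSCache dbm cache/gnutls_cache
-
-NameVirtualHost _default_:${TEST_PORT}
 
 # trying in a different order from 06_verify_sni_a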
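--- a/test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf
+++ b/test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf
@@ -2,6 +2,4 @@
 
 GnuTLSCache dbm cache/gnutls_cache
-
-NameVirtualHost _default_:${TEST_PORT}
 
 <VirtualHost _default_:${TEST_PORT}>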
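--- a/test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf
+++ b/test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf
@@ -2,6 +2,4 @@
 
 GnuTLSCache dbm cache/gnutls_cache
-
-NameVirtualHost _default_:${TEST_PORT}
 
 # In this order, clients with no SNI should get the imposter's key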
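--- a/test/tests/12_cgi_variables/apache.conf
+++ b/test/tests/12_cgi_variables/apache.conf
@@ -13,4 +13,5 @@
  GnuTLSCertificateFile server/x509.pem
  GnuTLSKeyFile server/secret.key
+ GnuTLSDHFile ${srcdir}/ffdhe3072.pem
  GnuTLSPriorities NORMAL
  GnuTLSClientCAFile authority/x509.pem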
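Review bot: The added `GnuTLSDHFile ${srcdir}/ffdhe3072.pem` (new line 15) is presumably what keeps the expected `DH prime bits: 3072` line in this test's `output` file deterministic, but nothing in the config says so, and the same unexplained line is added in 17_cgi_vars_large_cert/apache.conf. A comment above it would spare the next reader the search, e.g. `# Pin the DH parameters (ffdhe3072 group) so the "DH prime bits" line in the expected output stays stable`.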
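--- a/test/tests/12_cgi_variables/output
+++ b/test/tests/12_cgi_variables/output
@@ -8,4 +8,4 @@
 RFC822NAME:test0@modgnutls.test
 
-DH prime bits: 2048
+DH prime bits: 3072
 - Peer has closed the GnuTLS connection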
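--- a/test/tests/17_cgi_vars_large_cert/apache.conf
+++ b/test/tests/17_cgi_vars_large_cert/apache.conf
@@ -13,4 +13,5 @@
  GnuTLSCertificateFile server/x509.pem
  GnuTLSKeyFile server/secret.key
+ GnuTLSDHFile ${srcdir}/ffdhe3072.pem
  GnuTLSPriorities NORMAL
  GnuTLSClientCAFile authority/x509.pem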
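--- a/test/tests/17_cgi_vars_large_cert/output
+++ b/test/tests/17_cgi_vars_large_cert/output
@@ -8,4 +8,4 @@
 RFC822NAME:test0@modgnutls.test
 
-DH prime bits: 2048
+DH prime bits: 3072
 - Peer has closed the GnuTLS connection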
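--- a/test/tests/19_TLS_reverse_proxy/backend.conf
+++ b/test/tests/19_TLS_reverse_proxy/backend.conf
@@ -1,4 +1,3 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include ${PWD}/proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache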
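--- a/test/tests/20_TLS_reverse_proxy_client_auth/backend.conf
+++ b/test/tests/20_TLS_reverse_proxy_client_auth/backend.conf
@@ -1,4 +1,3 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include ${PWD}/proxy_backend.conf
 
 Gnu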
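--- a/test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf
+++ b/test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf
@@ -1,4 +1,3 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include ${PWD}/proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache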
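--- a/test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf
+++ b/test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf
@@ -1,4 +1,3 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include ${PWD}/proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache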
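--- a/test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf
+++ b/test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf
@@ -1,4 +1,3 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include ${PWD}/proxy_backend.conf
 
 GnuTLSCache dbm cache/gnutls_cache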
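--- a/test/tests/27_OCSP_server/apache.conf
+++ b/test/tests/27_OCSP_server/apache.conf
@@ -1,7 +1,4 @@
-Define  OCSP_PORT       ${OCSP_PORT}
-
 Include ${srcdir}/base_apache.conf
-Include ${srcdir}/ocsp_server.conf
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache dbm cache/gnutls_cache_${TEST_NAME}
 
 <VirtualHost _default_:${TEST_PORT}>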
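--- a/test/tests/Makefile.am
+++ b/test/tests/Makefile.am
@@ -27,3 +27,3 @@
         25_Disable_TLS_1.0/apache.conf 25_Disable_TLS_1.0/fail.client 25_Disable_TLS_1.0/gnutls-cli.args 25_Disable_TLS_1.0/input \
         26_redirect_HTTP_to_HTTPS/apache.conf \
-        27_OCSP_server/apache.conf 27_OCSP_server/gnutls-cli.args 27_OCSP_server/input 27_OCSP_server/output
+        27_OCSP_server/apache.conf 27_OCSP_server/gnutls-cli.args 27_OCSP_server/input 27_OCSP_server/ocsp.conf 27_OCSP_server/output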