Changes in / [24c6c16:5d13786] in mod_gnutls


Files:
1 added
1 deleted
38 edited

  • CHANGELOG

    r24c6c16 r5d13786  
    22- Handle Unclean Shutdowns
    33- make session cache use generic apache caches
    4 
    5 ** Version 0.7.1 (2015-10-18)
    6 - Improved handling of PKCS #11 modules: mod_gnutls now loads either
    7   modules specified using GnuTLSP11Module, or the system defaults, but
    8   not both. Thanks to Nikos Mavrogiannopoulos for the report and
    9   initial patch!
    10 - Initialize variables to safe defaults during client certificate
    11   verification. Certain error code paths did not set them, but they
    12   should never be hit due to config validation. This adds another line
    13   of defense.
    14 - Enable C99 support via autoconf
    15 - Test suite improvements. Most importantly, automake now handles
    16   environment setup without any external make calls. Rules to build
    17   the certificates are included from the old test makefile. Note that
    18   the dependency on GNU make is not new (the test makefile always used
    19   GNU make syntax), it just wasn't listed explicitly.
    204
    215** Version 0.7 (2015-07-12)
  • README

    r24c6c16 r5d13786  
    2424 * GnuTLS          >= 3.1.4 <http://www.gnutls.org/> (3.2.* or newer preferred)
    2525 * Apache HTTPD    >= 2.2 <http://httpd.apache.org/> (2.4.* preferred)
    26  * autotools, GNU make, & gcc
     26 * autotools & gcc
    2727 * APR Memcache    >= 0.7.0 (Optional)
    2828 * libmsv          >= 0.1 (Optional, enable with ./configure --enable-msva)
  • configure

    r24c6c16 r5d13786  
    11#! /bin/sh
    22# Guess values for system-dependent variables and create Makefiles.
    3 # Generated by GNU Autoconf 2.69 for mod_gnutls 0.7.1.
     3# Generated by GNU Autoconf 2.69 for mod_gnutls 0.7.
    44#
    55#
     
    588588PACKAGE_NAME='mod_gnutls'
    589589PACKAGE_TARNAME='mod_gnutls'
    590 PACKAGE_VERSION='0.7.1'
    591 PACKAGE_STRING='mod_gnutls 0.7.1'
     590PACKAGE_VERSION='0.7'
     591PACKAGE_STRING='mod_gnutls 0.7'
    592592PACKAGE_BUGREPORT=''
    593593PACKAGE_URL=''
     
    13791379  # This message is too long to be a string in the A/UX 3.1 sh.
    13801380  cat <<_ACEOF
    1381 \`configure' configures mod_gnutls 0.7.1 to adapt to many kinds of systems.
     1381\`configure' configures mod_gnutls 0.7 to adapt to many kinds of systems.
    13821382
    13831383Usage: $0 [OPTION]... [VAR=VALUE]...
     
    14501450if test -n "$ac_init_help"; then
    14511451  case $ac_init_help in
    1452      short | recursive ) echo "Configuration of mod_gnutls 0.7.1:";;
     1452     short | recursive ) echo "Configuration of mod_gnutls 0.7:";;
    14531453   esac
    14541454  cat <<\_ACEOF
     
    15841584if $ac_init_version; then
    15851585  cat <<\_ACEOF
    1586 mod_gnutls configure 0.7.1
     1586mod_gnutls configure 0.7
    15871587generated by GNU Autoconf 2.69
    15881588
     
    19951995running configure, to aid debugging if configure makes a mistake.
    19961996
    1997 It was created by mod_gnutls $as_me 0.7.1, which was
     1997It was created by mod_gnutls $as_me 0.7, which was
    19981998generated by GNU Autoconf 2.69.  Invocation command line was
    19991999
     
    23612361  chmod +x config.nice
    23622362
    2363 MOD_GNUTLS_VERSION=0.7.1
     2363MOD_GNUTLS_VERSION=0.7
    23642364
    23652365
     
    25392539    NONENONEs,x,x, &&
    25402540  program_prefix=${target_alias}-
    2541 # mod_gnutls test suite requires GNU make
    25422541am__api_version='1.14'
    25432542
     
    30263025# Define the identity of the package.
    30273026 PACKAGE='mod_gnutls'
    3028  VERSION='0.7.1'
     3027 VERSION='0.7'
    30293028
    30303029
     
    41604159  am__fastdepCC_TRUE='#'
    41614160  am__fastdepCC_FALSE=
    4162 fi
    4163 
    4164 
    4165    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C99" >&5
    4166 $as_echo_n "checking for $CC option to accept ISO C99... " >&6; }
    4167 if ${ac_cv_prog_cc_c99+:} false; then :
    4168   $as_echo_n "(cached) " >&6
    4169 else
    4170   ac_cv_prog_cc_c99=no
    4171 ac_save_CC=$CC
    4172 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
    4173 /* end confdefs.h.  */
    4174 #include <stdarg.h>
    4175 #include <stdbool.h>
    4176 #include <stdlib.h>
    4177 #include <wchar.h>
    4178 #include <stdio.h>
    4179 
    4180 // Check varargs macros.  These examples are taken from C99 6.10.3.5.
    4181 #define debug(...) fprintf (stderr, __VA_ARGS__)
    4182 #define showlist(...) puts (#__VA_ARGS__)
    4183 #define report(test,...) ((test) ? puts (#test) : printf (__VA_ARGS__))
    4184 static void
    4185 test_varargs_macros (void)
    4186 {
    4187   int x = 1234;
    4188   int y = 5678;
    4189   debug ("Flag");
    4190   debug ("X = %d\n", x);
    4191   showlist (The first, second, and third items.);
    4192   report (x>y, "x is %d but y is %d", x, y);
    4193 }
    4194 
    4195 // Check long long types.
    4196 #define BIG64 18446744073709551615ull
    4197 #define BIG32 4294967295ul
    4198 #define BIG_OK (BIG64 / BIG32 == 4294967297ull && BIG64 % BIG32 == 0)
    4199 #if !BIG_OK
    4200   your preprocessor is broken;
    4201 #endif
    4202 #if BIG_OK
    4203 #else
    4204   your preprocessor is broken;
    4205 #endif
    4206 static long long int bignum = -9223372036854775807LL;
    4207 static unsigned long long int ubignum = BIG64;
    4208 
    4209 struct incomplete_array
    4210 {
    4211   int datasize;
    4212   double data[];
    4213 };
    4214 
    4215 struct named_init {
    4216   int number;
    4217   const wchar_t *name;
    4218   double average;
    4219 };
    4220 
    4221 typedef const char *ccp;
    4222 
    4223 static inline int
    4224 test_restrict (ccp restrict text)
    4225 {
    4226   // See if C++-style comments work.
    4227   // Iterate through items via the restricted pointer.
    4228   // Also check for declarations in for loops.
    4229   for (unsigned int i = 0; *(text+i) != '\0'; ++i)
    4230     continue;
    4231   return 0;
    4232 }
    4233 
    4234 // Check varargs and va_copy.
    4235 static void
    4236 test_varargs (const char *format, ...)
    4237 {
    4238   va_list args;
    4239   va_start (args, format);
    4240   va_list args_copy;
    4241   va_copy (args_copy, args);
    4242 
    4243   const char *str;
    4244   int number;
    4245   float fnumber;
    4246 
    4247   while (*format)
    4248     {
    4249       switch (*format++)
    4250         {
    4251         case 's': // string
    4252           str = va_arg (args_copy, const char *);
    4253           break;
    4254         case 'd': // int
    4255           number = va_arg (args_copy, int);
    4256           break;
    4257         case 'f': // float
    4258           fnumber = va_arg (args_copy, double);
    4259           break;
    4260         default:
    4261           break;
    4262         }
    4263     }
    4264   va_end (args_copy);
    4265   va_end (args);
    4266 }
    4267 
    4268 int
    4269 main ()
    4270 {
    4271 
    4272   // Check bool.
    4273   _Bool success = false;
    4274 
    4275   // Check restrict.
    4276   if (test_restrict ("String literal") == 0)
    4277     success = true;
    4278   char *restrict newvar = "Another string";
    4279 
    4280   // Check varargs.
    4281   test_varargs ("s, d' f .", "string", 65, 34.234);
    4282   test_varargs_macros ();
    4283 
    4284   // Check flexible array members.
    4285   struct incomplete_array *ia =
    4286     malloc (sizeof (struct incomplete_array) + (sizeof (double) * 10));
    4287   ia->datasize = 10;
    4288   for (int i = 0; i < ia->datasize; ++i)
    4289     ia->data[i] = i * 1.234;
    4290 
    4291   // Check named initializers.
    4292   struct named_init ni = {
    4293     .number = 34,
    4294     .name = L"Test wide string",
    4295     .average = 543.34343,
    4296   };
    4297 
    4298   ni.number = 58;
    4299 
    4300   int dynamic_array[ni.number];
    4301   dynamic_array[ni.number - 1] = 543;
    4302 
    4303   // work around unused variable warnings
    4304   return (!success || bignum == 0LL || ubignum == 0uLL || newvar[0] == 'x'
    4305           || dynamic_array[ni.number - 1] != 543);
    4306 
    4307   ;
    4308   return 0;
    4309 }
    4310 _ACEOF
    4311 for ac_arg in '' -std=gnu99 -std=c99 -c99 -AC99 -D_STDC_C99= -qlanglvl=extc99
    4312 do
    4313   CC="$ac_save_CC $ac_arg"
    4314   if ac_fn_c_try_compile "$LINENO"; then :
    4315   ac_cv_prog_cc_c99=$ac_arg
    4316 fi
    4317 rm -f core conftest.err conftest.$ac_objext
    4318   test "x$ac_cv_prog_cc_c99" != "xno" && break
    4319 done
    4320 rm -f conftest.$ac_ext
    4321 CC=$ac_save_CC
    4322 
    4323 fi
    4324 # AC_CACHE_VAL
    4325 case "x$ac_cv_prog_cc_c99" in
    4326   x)
    4327     { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5
    4328 $as_echo "none needed" >&6; } ;;
    4329   xno)
    4330     { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5
    4331 $as_echo "unsupported" >&6; } ;;
    4332   *)
    4333     CC="$CC $ac_cv_prog_cc_c99"
    4334     { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c99" >&5
    4335 $as_echo "$ac_cv_prog_cc_c99" >&6; } ;;
    4336 esac
    4337 if test "x$ac_cv_prog_cc_c99" != xno; then :
    4338 
    43394161fi
    43404162
     
    1362213444# values after options handling.
    1362313445ac_log="
    13624 This file was extended by mod_gnutls $as_me 0.7.1, which was
     13446This file was extended by mod_gnutls $as_me 0.7, which was
    1362513447generated by GNU Autoconf 2.69.  Invocation command line was
    1362613448
     
    1368813510ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
    1368913511ac_cs_version="\\
    13690 mod_gnutls config.status 0.7.1
     13512mod_gnutls config.status 0.7
    1369113513configured by $0, generated by GNU Autoconf 2.69,
    1369213514  with options \\"\$ac_cs_config\\"
  • configure.ac

    r24c6c16 r5d13786  
    11dnl
    2 AC_INIT(mod_gnutls, 0.7.1)
     2AC_INIT(mod_gnutls, 0.7)
    33OOO_CONFIG_NICE(config.nice)
    44MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
     
    1010AM_MAINTAINER_MODE
    1111AC_CANONICAL_TARGET
    12 # mod_gnutls test suite requires GNU make
    13 AM_INIT_AUTOMAKE([-Wno-portability])
     12AM_INIT_AUTOMAKE
    1413AM_CONFIG_HEADER(include/mod_gnutls_config.h:config.in)
    1514
     
    1716
    1817AC_PROG_CC
    19 AC_PROG_CC_C99
    2018AC_PROG_LD
    2119AC_PROG_INSTALL
  • doc/mod_gnutls_manual.mdwn

    r24c6c16 r5d13786  
    375375------------------
    376376
    377 Load this PKCS #11 module.
     377Load an additional PKCS #11 module.
    378378
    379379    GnuTLSP11Module PATH_TO_LIBRARY
     
    382382Context: server config
    383383
    384 Load this PKCS #11 provider module, instead of the system
    385 defaults. May occur multiple times to load multiple modules.
     384Load this PKCS #11 provider module, in addition to the system
     385defaults.
    386386
    387387`GnuTLSPIN`
  • include/mod_gnutls.h.in

    r24c6c16 r5d13786  
    115115    int non_ssl_request;
    116116
    117     /* List of PKCS #11 provider modules to load, only valid in the
     117    /* Additional PKCS #11 provider module to load, only valid in the
    118118     * base config, ignored in virtual hosts */
    119     apr_array_header_t *p11_modules;
     119    char *p11_module;
    120120
    121121    /* PIN used for PKCS #11 operations */
     
    286286int ssl_engine_disable(conn_rec *c);
    287287const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
    288                                  const int arg);
     288    const char *arg);
    289289apr_status_t mgs_cleanup_pre_config(void *data);
    290290
     
    439439
    440440const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
    441                             const int arg);
     441                            const char *arg);
    442442const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
    443443                            const char *arg);
     
    445445                            const char *arg);
    446446const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
    447                             const int arg);
     447                            const char *arg);
    448448
    449449const char *mgs_set_require_section(cmd_parms *cmd,
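Review bot: The comment on the new-side `p11_module` member (file line 117) reads "Additional PKCS #11 provider module to load", but the field is a single `char *`, and mgs_set_p11_module in src/gnutls_config.c overwrites it with `apr_pstrdup(parms->pool, arg)` on every call, so a repeated GnuTLSP11Module directive silently replaces the earlier value instead of adding a module; the doc/mod_gnutls_manual.mdwn hunk likewise no longer says whether the directive may be repeated. Suggest the comment `/* Additional PKCS #11 provider module to load. Single value: a repeated GnuTLSP11Module directive replaces the earlier one. Only valid in the base config, ignored in virtual hosts */` and a matching sentence in the manual. The struct this member belongs to starts outside the hunk.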
  • src/gnutls_config.c

    r24c6c16 r5d13786  
    642642}
    643643
    644 const char *mgs_set_tickets(cmd_parms *parms,
    645                             void *dummy __attribute__((unused)),
    646                             const int arg)
    647 {
    648     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
    649         ap_get_module_config(parms->server->module_config, &gnutls_module);
    650 
    651     if (arg)
    652         sc->tickets = GNUTLS_ENABLED_TRUE;
    653     else
    654         sc->tickets = GNUTLS_ENABLED_FALSE;
     644const char *mgs_set_tickets(cmd_parms * parms, void *dummy __attribute__((unused)),
     645        const char *arg) {
     646    mgs_srvconf_rec *sc =
     647        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
     648                                                 module_config,
     649                                                &gnutls_module);
     650
     651    sc->tickets = 0;
     652    if (strcasecmp("on", arg) == 0) {
     653        sc->tickets = 1;
     654    }
    655655
    656656    return NULL;
     
    826826}
    827827
    828 /*
    829  * Enable TLS proxy operation if arg is true, disable it otherwise.
    830  */
    831 const char *mgs_set_proxy_engine(cmd_parms *parms,
    832                                  void *dummy __attribute__((unused)),
    833                                  const int arg)
    834 {
     828const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy __attribute__((unused)),
     829        const char *arg) {
     830
    835831    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
    836         ap_get_module_config(parms->server->module_config, &gnutls_module);
    837 
    838     if (arg)
    839         sc->proxy_enabled = GNUTLS_ENABLED_TRUE;
    840     else
    841         sc->proxy_enabled = GNUTLS_ENABLED_FALSE;
    842 
    843     return NULL;
    844 }
    845 
    846 /*
    847  * Enable TLS for the server/vhost if arg is true, disable it
    848  * otherwise.
    849  */
    850 const char *mgs_set_enabled(cmd_parms *parms,
    851                             void *dummy __attribute__((unused)),
    852                             const int arg)
    853 {
    854     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
    855         ap_get_module_config(parms->server->module_config, &gnutls_module);
    856 
    857     if (arg)
    858         sc->enabled = GNUTLS_ENABLED_TRUE;
    859     else
    860         sc->enabled = GNUTLS_ENABLED_FALSE;
     832        ap_get_module_config(parms->server->module_config, &gnutls_module);
     833
     834    if (!strcasecmp(arg, "On")) {
     835        sc->proxy_enabled = GNUTLS_ENABLED_TRUE;
     836    } else if (!strcasecmp(arg, "Off")) {
     837        sc->proxy_enabled = GNUTLS_ENABLED_FALSE;
     838    } else {
     839        return "GnuTLSProxyEngine must be set to 'On' or 'Off'";
     840    }
     841
     842    return NULL;
     843}
     844
     845const char *mgs_set_enabled(cmd_parms * parms, void *dummy __attribute__((unused)),
     846        const char *arg) {
     847    mgs_srvconf_rec *sc =
     848        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
     849                                                 module_config,
     850                                                 &gnutls_module);
     851    if (!strcasecmp(arg, "On")) {
     852        sc->enabled = GNUTLS_ENABLED_TRUE;
     853    } else if (!strcasecmp(arg, "Off")) {
     854        sc->enabled = GNUTLS_ENABLED_FALSE;
     855    } else {
     856        return "GnuTLSEnable must be set to 'On' or 'Off'";
     857    }
    861858
    862859    return NULL;
     
    952949    sc->privkey_pgp = NULL;
    953950    sc->certs_x509_chain_num = 0;
    954     sc->p11_modules = NULL;
     951    sc->p11_module = NULL;
    955952    sc->pin = NULL;
    956953    sc->priorities_str = NULL;
     
    10131010    gnutls_srvconf_merge(x509_key_file, NULL);
    10141011    gnutls_srvconf_merge(x509_ca_file, NULL);
    1015     gnutls_srvconf_merge(p11_modules, NULL);
     1012    gnutls_srvconf_merge(p11_module, NULL);
    10161013    gnutls_srvconf_merge(pin, NULL);
    10171014    gnutls_srvconf_merge(pgp_cert_file, NULL);
     
    11101107
    11111108/*
    1112  * Record PKCS #11 module to load. Note that the value is only used in
    1113  * the base config, settings in virtual hosts are ignored.
     1109 * Record additional PKCS #11 module to load. Note that the value is
     1110 * only used in the base config, settings in virtual hosts are
     1111 * ignored.
    11141112 */
    11151113const char *mgs_set_p11_module(cmd_parms * parms,
     
    11191117    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
    11201118        ap_get_module_config(parms->server->module_config, &gnutls_module);
    1121     /* initialize PKCS #11 module list if necessary */
    1122     if (sc->p11_modules == NULL)
    1123         sc->p11_modules = apr_array_make(parms->pool, 2, sizeof(char*));
    1124 
    1125     *(char **) apr_array_push(sc->p11_modules) = apr_pstrdup(parms->pool, arg);
    1126 
    1127     return NULL;
    1128 }
     1119    sc->p11_module = apr_pstrdup(parms->pool, arg);
     1120    return NULL;
     1121}
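Review bot: mgs_set_tickets on the new side (file lines 644-654) maps any argument other than "on" to `sc->tickets = 0` without reporting it, so a misspelled or unexpected value silently disables session tickets, whereas the sibling handlers mgs_set_proxy_engine and mgs_set_enabled in the same hunk reject anything but 'On'/'Off' with an error string. Because all three directives are registered with AP_INIT_TAKE1 in the src/mod_gnutls.c section rather than AP_INIT_FLAG, Apache performs no On/Off validation itself, so the handler is the only check. Suggest matching the siblings: `if (!strcasecmp(arg, "On")) sc->tickets = GNUTLS_ENABLED_TRUE; else if (!strcasecmp(arg, "Off")) sc->tickets = GNUTLS_ENABLED_FALSE; else return "GnuTLSSessionTickets must be set to 'On' or 'Off'";`. The right-hand column (r5d13786) appears to be the older 0.7 code, so this is the state the change lands on rather than freshly written logic.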
  • src/gnutls_hooks.c

    r24c6c16 r5d13786  
    220220static int read_crt_cn(server_rec * s, apr_pool_t * p, gnutls_x509_crt_t cert, char **cert_cn) {
    221221
    222     int rv = 0;
     222    int rv = 0, i;
    223223    size_t data_len;
    224224
     
    242242        rv = 0;
    243243        /* read subject alternative name */
    244         for (int i = 0; !(rv < 0); i++)
    245         {
     244        for (i = 0; !(rv < 0); i++) {
    246245            data_len = 0;
    247246            rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
     
    324323    }
    325324
    326     /* If GnuTLSP11Module is set, load the listed PKCS #11
    327      * modules. Otherwise system defaults will be used. */
    328     if (sc_base->p11_modules != NULL)
    329     {
    330         rv = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
    331         if (rv < 0)
    332         {
     325    /* Load additional PKCS #11 module, if requested */
     326    if (sc_base->p11_module != NULL)
     327    {
     328        rv = gnutls_pkcs11_add_provider(sc_base->p11_module, NULL);
     329        if (rv != GNUTLS_E_SUCCESS)
    333330            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    334                          "GnuTLS: Initializing PKCS #11 "
     331                         "GnuTLS: Loading PKCS #11 provider module %s "
    335332                         "failed: %s (%d).",
    336                          gnutls_strerror(rv), rv);
    337         }
    338         else
    339         {
    340             for (int i = 0; i < sc_base->p11_modules->nelts; i++)
    341             {
    342                 char *p11_module =
    343                     APR_ARRAY_IDX(sc_base->p11_modules, i, char *);
    344                 rv = gnutls_pkcs11_add_provider(p11_module, NULL);
    345                 if (rv != GNUTLS_E_SUCCESS)
    346                     ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    347                                  "GnuTLS: Loading PKCS #11 provider module %s "
    348                                  "failed: %s (%d).",
    349                                  p11_module, gnutls_strerror(rv), rv);
    350             }
    351         }
     333                         sc_base->p11_module, gnutls_strerror(rv), rv);
    352334    }
    353335
     
    373355        if (sc->export_certificates_size < 0)
    374356            sc->export_certificates_size = 0;
    375         if (sc->client_verify_mode == -1)
     357        if (sc->client_verify_mode ==  -1)
    376358            sc->client_verify_mode = GNUTLS_CERT_IGNORE;
    377         if (sc->client_verify_method == mgs_cvm_unset)
     359        if (sc->client_verify_method ==  mgs_cvm_unset)
    378360            sc->client_verify_method = mgs_cvm_cartel;
    379361
     
    559541int check_server_aliases(vhost_cb_rec *x, server_rec * s, mgs_srvconf_rec *tsc) {
    560542        apr_array_header_t *names;
    561         int rv = 0;
     543        int i,rv = 0;
    562544        char ** name;
    563545
     
    571553                names = s->names;
    572554                name = (char **)names->elts;
    573                 for (int i = 0; i < names->nelts; ++i)
    574         {
     555                for (i = 0; i < names->nelts; ++i) {
    575556                        if (!name[i]) { continue; }
    576557                                if (apr_strnatcasecmp(x->sni_name, name[i]) == 0) {
     
    584565                names = s->wild_names;
    585566        name = (char **)names->elts;
    586                 for (int i = 0; i < names->nelts; ++i)
    587         {
     567                for (i = 0; i < names->nelts; ++i) {
    588568                        if (!name[i]) { continue; }
    589569                                if(apr_fnmatch(name[i], x->sni_name ,
     
    10361016    char *tmp2;
    10371017    size_t len;
    1038     int ret;
     1018    int ret, i;
    10391019
    10401020    if (r == NULL)
     
    11111091
    11121092    /* export all the alternative names (DNS, RFC822 and URI) */
    1113     for (int i = 0; !(ret < 0); i++)
    1114     {
     1093    for (i = 0; !(ret < 0); i++) {
    11151094        const char *san, *sanlabel;
    11161095        len = 0;
     
    12251204static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) {
    12261205    const gnutls_datum_t *cert_list;
    1227     unsigned int cert_list_size;
    1228     /* assume the certificate is invalid unless explicitly set
    1229      * otherwise */
    1230     unsigned int status = GNUTLS_CERT_INVALID;
     1206    unsigned int cert_list_size, status;
    12311207    int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret;
    12321208    unsigned int ch_size = 0;
     
    13621338#endif
    13631339        default:
    1364             /* If this block is reached, that indicates a
    1365              * configuration error or bug in mod_gnutls (invalid value
    1366              * of ctxt->sc->client_verify_method). */
    13671340            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
    13681341                          "GnuTLS: Failed to Verify X.509 Peer: method '%s' is not supported",
    13691342                          mgs_readable_cvm(ctxt->sc->client_verify_method));
    1370             rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
    13711343        }
    13721344
     
    13841356#ifdef ENABLE_MSVA
    13851357        case mgs_cvm_msva:
     1358            /* need to set status and rv */
    13861359            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
    13871360                          "GnuTLS:  OpenPGP verification via MSVA is not yet implemented");
     
    13901363#endif
    13911364        default:
    1392             /* If this block is reached, that indicates a
    1393              * configuration error or bug in mod_gnutls (invalid value
    1394              * of ctxt->sc->client_verify_method). */
    13951365            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
    13961366                          "GnuTLS: Failed to Verify OpenPGP Peer: method '%s' is not supported",
    13971367                          mgs_readable_cvm(ctxt->sc->client_verify_method));
    1398             rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
    1399         }
    1400     }
    1401 
    1402     /* "goto exit" at the end of this block skips evaluation of the
    1403      * "status" variable */
     1368        }
     1369    }
     1370
    14041371    if (rv < 0) {
    14051372        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
     
    14771444
    14781445exit:
    1479     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
    1480         for (unsigned int i = 0; i < ch_size; i++)
     1446    if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
     1447        unsigned int i;
     1448        for (i = 0; i < ch_size; i++) {
    14811449            gnutls_x509_crt_deinit(cert.x509[i]);
    1482     else if (gnutls_certificate_type_get(ctxt->session) ==
    1483              GNUTLS_CRT_OPENPGP)
     1450        }
     1451    } else if (gnutls_certificate_type_get(ctxt->session) ==
     1452            GNUTLS_CRT_OPENPGP)
    14841453        gnutls_openpgp_crt_deinit(cert.pgp);
    14851454    return ret;
    1486 }
    1487 
    1488 
     1455
     1456
     1457}
    14891458
    14901459#ifdef ENABLE_MSVA
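Review bot: In mgs_cert_verify the new side declares `unsigned int cert_list_size, status;` with no initializer, and the `default:` branches of both the X.509 and OpenPGP switches only log before control reaches `if (rv < 0)`, so when client_verify_method holds an unexpected value and rv is non-negative at that point the code goes on to evaluate an uninitialized `status` — undefined behavior that could allow a certificate that was never verified to be treated as acceptable; the `/* need to set status and rv */` comment on the msva case acknowledges the same gap there. Initialize at the declaration, `unsigned int status = GNUTLS_CERT_INVALID;`, and add `rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;` after the ap_log_rerror call in each default branch so the existing `rv < 0` error path handles it. The left-hand column (r24c6c16) already carries exactly these lines, so this diff appears to revert them along with the version number. The function body continues outside the visible hunks, so the value rv carries into the switch is inferred, not shown.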
  • src/mod_gnutls.c

    r24c6c16 r5d13786  
    137137
    138138static const command_rec mgs_config_cmds[] = {
    139     AP_INIT_FLAG("GnuTLSProxyEngine", mgs_set_proxy_engine,
     139    AP_INIT_TAKE1("GnuTLSProxyEngine", mgs_set_proxy_engine,
    140140    NULL,
    141141    RSRC_CONF | OR_AUTHCFG,
    142     "Enable TLS Proxy Engine"),
     142    "Enable SSL Proxy Engine"),
    143143    AP_INIT_TAKE1("GnuTLSP11Module", mgs_set_p11_module,
    144144    NULL,
    145145    RSRC_CONF,
    146     "Load this specific PKCS #11 provider library"),
     146    "Load this additional PKCS #11 provider library"),
    147147    AP_INIT_RAW_ARGS("GnuTLSPIN", mgs_set_pin,
    148148    NULL,
     
    180180    NULL,
    181181    RSRC_CONF,
    182     "TLS Server X509 Certificate file"),
     182    "SSL Server X509 Certificate file"),
    183183    AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file,
    184184    NULL,
    185185    RSRC_CONF,
    186     "TLS Server X509 Private Key file"),
     186    "SSL Server X509 Private Key file"),
    187187    AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file,
    188188    NULL,
    189189    RSRC_CONF,
    190     "TLS Server X509 Certificate file"),
     190    "SSL Server X509 Certificate file"),
    191191    AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file,
    192192    NULL,
    193193    RSRC_CONF,
    194     "TLS Server X509 Private Key file"),
     194    "SSL Server X509 Private Key file"),
    195195    AP_INIT_TAKE1("GnuTLSPGPCertificateFile", mgs_set_pgpcert_file,
    196196    NULL,
    197197    RSRC_CONF,
    198     "TLS Server PGP Certificate file"),
     198    "SSL Server PGP Certificate file"),
    199199    AP_INIT_TAKE1("GnuTLSPGPKeyFile", mgs_set_pgpkey_file,
    200200    NULL,
    201201    RSRC_CONF,
    202     "TLS Server PGP Private key file"),
     202    "SSL Server PGP Private key file"),
    203203#ifdef ENABLE_SRP
    204204    AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file,
    205205    NULL,
    206206    RSRC_CONF,
    207     "TLS Server SRP Password Conf file"),
     207    "SSL Server SRP Password Conf file"),
    208208    AP_INIT_TAKE1("GnuTLSSRPPasswdConfFile",
    209209    mgs_set_srp_tpasswd_conf_file,
    210210    NULL,
    211211    RSRC_CONF,
    212     "TLS Server SRP Parameters file"),
     212    "SSL Server SRP Parameters file"),
    213213#endif
    214214    AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_cache_timeout,
     
    220220    RSRC_CONF,
    221221    "Cache Configuration"),
    222     AP_INIT_FLAG("GnuTLSSessionTickets", mgs_set_tickets,
     222    AP_INIT_TAKE1("GnuTLSSessionTickets", mgs_set_tickets,
    223223    NULL,
    224224    RSRC_CONF,
     
    228228    RSRC_CONF,
    229229    "The priorities to enable (ciphers, Key exchange, macs, compression)."),
    230     AP_INIT_FLAG("GnuTLSEnable", mgs_set_enabled,
     230    AP_INIT_TAKE1("GnuTLSEnable", mgs_set_enabled,
    231231    NULL,
    232232    RSRC_CONF,
  • test/Makefile.am

    r24c6c16 r5d13786  
    3131TESTS = $(dist_check_SCRIPTS)
    3232
    33 # Identities in the miniature CA, server, and client environment for
    34 # the test suite
    35 identities = server authority client imposter rogueca
    36 # Append strings after ":=" to each identity to generate a list of
    37 # necessary files
    38 pgp_tokens = $(identities:=/secring.gpg) $(identities:=/cert.pgp) \
    39         $(identities:=/secret.pgp)
    40 x509_keys = $(identities:=/secret.key)
    41 x509_certs = $(identities:=/x509.pem)
    42 x509_tokens = $(x509_certs) $(x509_keys)
    43 tokens = $(x509_tokens) $(pgp_tokens)
    44 
    45 include $(srcdir)/test_ca.mk
    46 
    4733# Test cases trying to create keys and certificates in parallel causes
    4834# race conditions. Ensure that all keys and certificates are generated
     
    5541# running at any time, so test cases actually have to wait for each
    5642# other - just not in any particular order.
    57 check_DATA = $(tokens) server/crl.pem
     43check_DATA = setup.done server/crl.pem
    5844
    59 MOSTLYCLEANFILES = cache/* logs/* outputs/* server/crl.pem
     45MOSTLYCLEANFILES = setup.done cache/* logs/* outputs/* server/crl.pem
    6046
    6147cert_templates = authority.template.in client.template.in \
     
    6450        imposter.template server.template
    6551
    66 # Delete X.509 private keys on full clean. Note that unless you need
    67 # to generate fresh keys, the "mostlyclean" target should be
    68 # sufficient (see below).
    69 CLEANFILES = $(x509_keys)
    70 
    7152# Delete X.509 certificates and generated templates on "mostlyclean"
    7253# target. Certificates can be rebuilt without generating new key
     
    7455# (e.g. host names) without wasting entropy on new keys (which would
    7556# happen after "clean").
    76 MOSTLYCLEANFILES += */x509.pem $(generated_templates) *.uid
    77 
     57MOSTLYCLEANFILES += */x509.pem $(generated_templates)
    7858
    7959# Delete PGP keyrings on "mostlyclean" target. They are created from
     
    8161# one day, so regenerating them is both fast and frequently
    8262# necessary.
    83 MOSTLYCLEANFILES += */*.pgp */*.gpg */*.gpg~ */gpg.conf authority/lock
    84 # GnuPG random pool, no need to regenerate on every build
    85 CLEANFILES += authority/random_seed
     63MOSTLYCLEANFILES += */*.pgp */*.gpg */*.gpg~ */gpg.conf
    8664
    87 # Delete lock files for test servers on "mostlyclean" target.
    88 MOSTLYCLEANFILES += *.lock
    89 
    90 # rule to build MSVA trust database
    91 if USE_MSVA
    92 msva_home = msva.gnupghome
    93 check_DATA += $(msva_home)/trustdb.gpg client.uid
    94 MOSTLYCLEANFILES += $(msva_home)/trustdb.gpg
    95 $(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp
    96         mkdir -p -m 0700 $(dir $@)
    97         GNUPGHOME=$(dir $@) gpg --import < $<
    98         printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
    99         GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
    100         printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
    101 endif
     65clean-local:
     66        $(MAKE) -f $(srcdir)/TestMakefile $(AM_MAKEFLAGS) clean
    10267
    10368# SoftHSM files
    10469check_DATA += server/softhsm.db
    105 MOSTLYCLEANFILES += tests/24_pkcs11_cert/softhsm.conf server/softhsm.db
     70MOSTLYCLEANFILES += tests/24_pkcs11_cert/softhsm.conf
    10671
     72# This rule can be used for any TestMakefile target not included in
     73# setup.done. The dependency on setup.done is used to avoid race
     74# conditions between multiple calls to TestMakefile for key and
     75# certificate generation. It is ignored for setup.done itself.
     76server/crl.pem server/softhsm.db setup.done: setup.done
     77        TEST_HOST="$(TEST_HOST)" TEST_IP="$(TEST_IP)" srcdir=$(srcdir) \
     78        $(MAKE) -f $(srcdir)/TestMakefile $(AM_MAKEFLAGS) $@
    10779
    108 check_DATA += make-test-dirs
    109 extra_dirs = logs cache outputs
    110 make-test-dirs:
    111         mkdir -p $(extra_dirs)
    112 .PHONY: make-test-dirs
    113 
    114 clean-local:
    115         -rmdir $(identities) || true
    116         -rmdir $(extra_dirs) || true
    117 if USE_MSVA
    118         -rmdir $(msva_home) || true
    119 endif
    120 
    121 # Apache configuration and data files
    12280apache_data = base_apache.conf cgi_module.conf data/* mime.types proxy_mods.conf
    12381
    12482EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in proxy_backend.bash \
    125         runtests server-crl.template server-softhsm.conf softhsm.bash
     83        runtests server-crl.template server-softhsm.conf softhsm.bash \
     84        TestMakefile
    12685
    127 # Lockfile for the main Apache process
    128 test_lockfile = ./test.lock
    12986# Maximum wait time in seconds for flock to aquire instance lock files
    13087lock_wait = 30
    13188
    132 # port for the main Apache server
    133 TEST_PORT ?= 9932
    134 # port for MSVA in test cases that use it
    135 MSVA_PORT ?= 9933
    136 # maximum time to wait for MSVA startup
    137 TEST_MSVA_MAX_WAIT ?= 10
    138 # wait loop time for MSVA startup
    139 TEST_MSVA_WAIT ?= 0.4
    140 # seconds for the HTTP request to be sent and responded to
    141 TEST_QUERY_DELAY ?= 30
    142 
    14389AM_TESTS_ENVIRONMENT = export APACHE2=$(APACHE2); \
    14490        export AP_LIBEXECDIR=$(AP_LIBEXECDIR); \
    145         export TEST_LOCK="$(test_lockfile)"; \
    146         export TEST_LOCK_WAIT="$(lock_wait)"; \
     91        export TEST_LOCK_WAIT=$(lock_wait); \
    14792        export TEST_HOST="$(TEST_HOST)"; \
    14893        export TEST_IP="$(TEST_IP)"; \
    149         export TEST_PORT="$(TEST_PORT)"; \
    150         export MSVA_PORT="$(MSVA_PORT)"; \
    151         export TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \
    152         export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
    153         export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
    15494        export BACKEND_HOST="$(TEST_HOST)"; \
    15595        export BACKEND_IP="$(TEST_IP)";
    156 
    157 # Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
    158 # you want to manually run an Apache instance with Valgrind using the
    159 # same configuration as a test case.
    160 show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
    161 show-test-env:
    162         @echo "$${TEST_ENV}"
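--- a/test/Makefile.in
+++ b/test/Makefile.in
@@ -14,12 +14,4 @@
 
 @SET_MAKE@
-
-#!/usr/bin/make -f
-# Authors:
-# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-# Thomas Klute <thomas2.klute@uni-dortmund.de>
-
-# General rules to set up a miniature CA & server & client environment
-# for the test suite
 VPATH = @srcdir@
 am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
@@ -88,10 +80,8 @@
 target_triplet = @target@
 @USE_MSVA_TRUE@am__append_1 = test-15_basic_msva.bash
-DIST_COMMON = $(srcdir)/test_ca.mk $(srcdir)/Makefile.in \
-        $(srcdir)/Makefile.am $(am__dist_check_SCRIPTS_DIST) \
+subdir = test
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+        $(am__dist_check_SCRIPTS_DIST) \
         $(top_srcdir)/config/test-driver README
-@USE_MSVA_TRUE@am__append_2 = $(msva_home)/trustdb.gpg client.uid
-@USE_MSVA_TRUE@am__append_3 = $(msva_home)/trustdb.gpg
-subdir = test
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/apache.m4 \
@@ -594,17 +584,4 @@
 TESTS = $(dist_check_SCRIPTS)
 
-# Identities in the miniature CA, server, and client environment for
-# the test suite
-identities = server authority client imposter rogueca
-# Append strings after ":=" to each identity to generate a list of
-# necessary files
-pgp_tokens = $(identities:=/secring.gpg) $(identities:=/cert.pgp) \
-        $(identities:=/secret.pgp)
-
-x509_keys = $(identities:=/secret.key)
-x509_certs = $(identities:=/x509.pem)
-x509_tokens = $(x509_certs) $(x509_keys)
-tokens = $(x509_tokens) $(pgp_tokens)
-
 # Test cases trying to create keys and certificates in parallel causes
 # race conditions. Ensure that all keys and certificates are generated
@@ -619,6 +596,5 @@
 
 # SoftHSM files
-check_DATA = $(tokens) server/crl.pem $(am__append_2) \
-        server/softhsm.db make-test-dirs
+check_DATA = setup.done server/crl.pem server/softhsm.db
 
 # Delete X.509 certificates and generated templates on "mostlyclean"
@@ -632,10 +608,7 @@
 # one day, so regenerating them is both fast and frequently
 # necessary.
-
-# Delete lock files for test servers on "mostlyclean" target.
-MOSTLYCLEANFILES = cache/* logs/* outputs/* server/crl.pem */x509.pem \
-        $(generated_templates) *.uid */*.pgp */*.gpg */*.gpg~ \
-        */gpg.conf authority/lock *.lock $(am__append_3) \
-        tests/24_pkcs11_cert/softhsm.conf server/softhsm.db
+MOSTLYCLEANFILES = setup.done cache/* logs/* outputs/* server/crl.pem \
+        */x509.pem $(generated_templates) */*.pgp */*.gpg */*.gpg~ \
+        */gpg.conf tests/24_pkcs11_cert/softhsm.conf
 cert_templates = authority.template.in client.template.in \
         imposter.template.in rogueca.template server.template.in
@@ -644,36 +617,17 @@
         imposter.template server.template
 
-
-# Delete X.509 private keys on full clean. Note that unless you need
-# to generate fresh keys, the "mostlyclean" target should be
-# sufficient (see below).
-# GnuPG random pool, no need to regenerate on every build
-CLEANFILES = $(x509_keys) authority/random_seed
-
-# rule to build MSVA trust database
-@USE_MSVA_TRUE@msva_home = msva.gnupghome
-extra_dirs = logs cache outputs
-
-# Apache configuration and data files
 apache_data = base_apache.conf cgi_module.conf data/* mime.types proxy_mods.conf
 EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in proxy_backend.bash \
-        runtests server-crl.template server-softhsm.conf softhsm.bash
-
-
-# Lockfile for the main Apache process
-test_lockfile = ./test.lock
+        runtests server-crl.template server-softhsm.conf softhsm.bash \
+        TestMakefile
+
+
 # Maximum wait time in seconds for flock to aquire instance lock files
 lock_wait = 30
 AM_TESTS_ENVIRONMENT = export APACHE2=$(APACHE2); \
         export AP_LIBEXECDIR=$(AP_LIBEXECDIR); \
-        export TEST_LOCK="$(test_lockfile)"; \
-        export TEST_LOCK_WAIT="$(lock_wait)"; \
+        export TEST_LOCK_WAIT=$(lock_wait); \
         export TEST_HOST="$(TEST_HOST)"; \
         export TEST_IP="$(TEST_IP)"; \
-        export TEST_PORT="$(TEST_PORT)"; \
-        export MSVA_PORT="$(MSVA_PORT)"; \
-        export TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \
-        export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
-        export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
         export BACKEND_HOST="$(TEST_HOST)"; \
         export BACKEND_IP="$(TEST_IP)";
@@ -683,5 +637,5 @@
 .SUFFIXES:
 .SUFFIXES: .log .test .test$(EXEEXT) .trs
-$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(srcdir)/test_ca.mk $(am__configure_deps)
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps)
         @for dep in $?; do \
           case '$(am__configure_deps)' in \
@@ -704,5 +658,4 @@
             cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
         esac;
-$(srcdir)/test_ca.mk:
 
 $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
@@ -1239,5 +1192,4 @@
 
 clean-generic:
-        -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
@@ -1331,94 +1283,14 @@
 
 
-%.template: $(srcdir)/%.template.in
-        sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@
-
-%.uid: $(srcdir)/%.uid.in
-        sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@
-
-%/secret.key:
-        mkdir -p $(dir $@)
-        chmod 0700 $(dir $@)
-        certtool --generate-privkey > $@
-
-%/secring.gpg: %.uid %/secret.key
-        rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg
-        PEM2OPENPGP_EXPIRATION=86400 PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign pem2openpgp "$$(cat $<)" < $(dir $@)secret.key | GNUPGHOME=$(dir $@) gpg --import
-        printf "%s:6:\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
-
-%/gpg.conf: %/secring.gpg
-        printf "default-key %s\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
-
-%/secret.pgp: %/secring.gpg
-        GNUPGHOME=$(dir $@) gpg --armor --batch --no-tty --yes --export-secret-key "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
-
-%/minimal.pgp: %/secring.gpg
-        GNUPGHOME=$(dir $@) gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
-
-# Import and signing modify the shared keyring, which leads to race
-# conditions with parallel make. Locking avoids this problem.
-%/cert.pgp: %/minimal.pgp authority/gpg.conf
-        GNUPGHOME=authority flock authority/lock gpg --import $<
-        GNUPGHOME=authority flock authority/lock gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
-        GNUPGHOME=authority gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
-
-# special cases for the authorities' root certs:
-authority/x509.pem: authority.template authority/secret.key
-        certtool --generate-self-signed --load-privkey authority/secret.key --template authority.template > $@
-rogueca/x509.pem: $(srcdir)/rogueca.template rogueca/secret.key
-        certtool --generate-self-signed --load-privkey rogueca/secret.key --template $(srcdir)/rogueca.template > $@
-
-%/cert-request: %.template %/secret.key
-        certtool --generate-request --load-privkey $(dir $@)secret.key --template $< > $@
-
-%/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem
-        certtool --generate-certificate --load-ca-certificate authority/x509.pem --load-ca-privkey authority/secret.key --load-request $(dir $@)cert-request --template $< > $@
-
-%/softhsm.db: %/x509.pem %/secret.key
-        SOFTHSM_CONF="$(srcdir)/$(*)-softhsm.conf" $(srcdir)/softhsm.bash init $(dir $@)secret.key $(dir $@)x509.pem
-
-# Generate CRL revoking a certain certificate. Currently used to
-# revoke the server certificate and check if setting the CRL as
-# GnuTLSProxyCRLFile causes the connection to the back end server to
-# fail.
-%/crl.pem: %/x509.pem ${srcdir}/%-crl.template
-        certtool --generate-crl \
-                --load-ca-privkey authority/secret.key \
-                --load-ca-certificate authority/x509.pem \
-                --load-certificate $< \
-                --template "${srcdir}/$(*)-crl.template" \
-                > $@
-@USE_MSVA_TRUE@$(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp
-@USE_MSVA_TRUE@ mkdir -p -m 0700 $(dir $@)
-@USE_MSVA_TRUE@ GNUPGHOME=$(dir $@) gpg --import < $<
-@USE_MSVA_TRUE@ printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
-@USE_MSVA_TRUE@ GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
-@USE_MSVA_TRUE@ printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
-make-test-dirs:
-        mkdir -p $(extra_dirs)
-.PHONY: make-test-dirs
-
 clean-local:
-        -rmdir $(identities) || true
-        -rmdir $(extra_dirs) || true
-@USE_MSVA_TRUE@ -rmdir $(msva_home) || true
-
-# port for the main Apache server
-TEST_PORT ?= 9932
-# port for MSVA in test cases that use it
-MSVA_PORT ?= 9933
-# maximum time to wait for MSVA startup
-TEST_MSVA_MAX_WAIT ?= 10
-# wait loop time for MSVA startup
-TEST_MSVA_WAIT ?= 0.4
-# seconds for the HTTP request to be sent and responded to
-TEST_QUERY_DELAY ?= 30
-
-# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
-# you want to manually run an Apache instance with Valgrind using the
-# same configuration as a test case.
-show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
-show-test-env:
-        @echo "$${TEST_ENV}"
+        $(MAKE) -f $(srcdir)/TestMakefile $(AM_MAKEFLAGS) clean
+
+# This rule can be used for any TestMakefile target not included in
+# setup.done. The dependency on setup.done is used to avoid race
+# conditions between multiple calls to TestMakefile for key and
+# certificate generation. It is ignored for setup.done itself.
+server/crl.pem server/softhsm.db setup.done: setup.done
+        TEST_HOST="$(TEST_HOST)" TEST_IP="$(TEST_IP)" srcdir=$(srcdir) \
+        $(MAKE) -f $(srcdir)/TestMakefile $(AM_MAKEFLAGS) $@
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.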
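--- a/test/README
+++ b/test/README
@@ -32,5 +32,4 @@
 
   TEST_HOST="localhost" TEST_IP="127.0.0.1" ./configure
-
 
 Adding a Test
@@ -98,8 +97,3 @@
    possible that these tests will fail for timing
    reasons. [TEST_QUERY_DELAY (seconds for the http request to be sent
-   and responded to)]
-
-In some situations you may want to see the exact environment as
-configured by make, e.g. if you want to manually run an Apache
-instance with Valgrind using the same configuration as a test
-case. Use "make show-test-env" to dump AM_TESTS_ENVIRONMENT to stdout.
+   and responded to)] and [TEST_GAP (seconds to wait between tests)]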
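--- a/test/runtests
+++ b/test/runtests
@@ -7,16 +7,13 @@
 set -e
 
-testid="${1##t-}"
-
-if [ -z "$testid" ] ; then
-    echo -e "No test case selected.\nUsage: ${0} t-N" >&2
-    exit 1
-else
-    testid=${srcdir}/tests/"$(printf "%02d" "$testid")"_*
+tests="${1##t-}"
+
+if [ -n "${TEST_LOCK}" ]; then
+    TEST_LOCK="$(realpath ${TEST_LOCK})"
+    flock_cmd="flock -w ${TEST_LOCK_WAIT} ${TEST_LOCK}"
 fi
 
 BADVARS=0
-for v in APACHE2 TEST_HOST TEST_IP TEST_PORT TEST_QUERY_DELAY TEST_MSVA_WAIT \
-                 MSVA_PORT TEST_LOCK; do
+for v in APACHE2 TEST_HOST TEST_IP TEST_PORT TEST_QUERY_DELAY TEST_GAP MSVA_PORT; do
     if [ ! -v "$v" ]; then
         printf "You need to set the %s environment variable\n" "$v" >&2
@@ -114,4 +111,10 @@
     fi
 }
+
+if [ -z "$tests" ] ; then
+    tests=${srcdir}/tests/*
+else
+    tests=${srcdir}/tests/"$(printf "%02d" "$tests")"_*
+fi
 
 if [ -n "${USE_MSVA}" ]; then
@@ -134,6 +137,6 @@
             echo "MSVA not ready yet"
         fi
-        sleep "${TEST_MSVA_WAIT}"
-        waited=$(echo "${waited} + ${TEST_MSVA_WAIT}" | bc)
+        sleep "${TEST_GAP}"
+        waited=$(echo "${waited} + ${TEST_GAP}" | bc)
     done
 
@@ -147,69 +150,72 @@
 fi
 
-# configure locking for the Apache process
-flock_cmd="flock -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"
-
-t="$(realpath ${testid})"
-export srcdir="$(realpath ${srcdir})"
-export TEST_NAME="$(basename "$t")"
-output="outputs/${TEST_NAME}.output"
-rm -f "$output"
-
-if [ -e ${t}/fail.* ]; then
-    EXPECTED_FAILURE="$(printf " (expected: %s)" fail.*)"
-else
-    unset EXPECTED_FAILURE
-fi
-printf "TESTING: %s%s\n" "$TEST_NAME" "$EXPECTED_FAILURE"
-trap apache_down_err EXIT
-if [ -n "${USE_MSVA}" ]; then
-    MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" \
-                                        ${flock_cmd} \
-                                        ${APACHE2} -f "${t}/apache.conf" -k start \
-        || [ -e "${t}/fail.server" ]
-else
-    ${flock_cmd} \
-        ${APACHE2} -f "${t}/apache.conf" -k start \
-        || [ -e "${t}/fail.server" ]
-fi
-
-# PID file for sleep command (explanation below)
-sleep_pidfile="$(mktemp mod_gnutls_test-XXXXXX.pid)"
-
-# The sleep call keeps the pipe from the subshell to gnutls-cli
-# open. Without it gnutls-cli would terminate as soon as sed is
-# done, and not wait for a response from the server, leading to
-# failing tests. Sending sleep to the background allows the test
-# case to proceed instead of waiting for it to return. The sleep
-# process is stopped after gnutls-cli terminates.
-if (sed "s/__HOSTNAME__/${TEST_HOST}/" <${t}/input && \
-           run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_DELAY}" &) | \
-       gnutls-cli -p "${TEST_PORT}" $(cat ${t}/gnutls-cli.args) "${TEST_HOST}" \
-                  >"$output";
-then
-    if [ -e ${t}/fail* ]; then
-        printf "%s should have failed but succeeded\n" "$(basename "$t")" >&2
-        exit 1
-    fi
-else
-    if [ ! -e ${t}/fail* ]; then
-        printf "%s should have succeeded but failed\n" "$(basename "$t")" >&2
-        exit 1
-    fi
-fi
-
-kill_by_pidfile "${sleep_pidfile}"
-unset sleep_pidfile
-
-if [ -e ${t}/output ] ; then
-    diff_output_filter_headers "${t}/output" "$output" "-q"
-fi
-if [ -n "${USE_MSVA}" ]; then
-    trap stop_msva EXIT
-else
-    trap - EXIT
-fi
-${APACHE2} -f "${t}/apache.conf" -k stop || [ -e ${t}/fail.server ]
-printf "SUCCESS: %s\n" "$TEST_NAME"
+for t in $tests; do
+    if [ -z "${flock_cmd}" ]; then
+        echo "Warning: no lock file set"
+        sleep "$TEST_GAP"
+    fi
+    t="$(realpath ${t})"
+    export srcdir="$(realpath ${srcdir})"
+    export TEST_NAME="$(basename "$t")"
+    output="outputs/${TEST_NAME}.output"
+    rm -f "$output"
+
+    if [ -e ${t}/fail.* ]; then
+        EXPECTED_FAILURE="$(printf " (expected: %s)" fail.*)"
+    else
+        unset EXPECTED_FAILURE
+    fi
+    printf "TESTING: %s%s\n" "$TEST_NAME" "$EXPECTED_FAILURE"
+    trap apache_down_err EXIT
+    if [ -n "${USE_MSVA}" ]; then
+        MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" \
+            ${flock_cmd} \
+            ${APACHE2} -f "${t}/apache.conf" -k start \
+            || [ -e "${t}/fail.server" ]
+    else
+        ${flock_cmd} \
+            ${APACHE2} -f "${t}/apache.conf" -k start \
+            || [ -e "${t}/fail.server" ]
+    fi
+
+    # PID file for sleep command (explanation below)
+    sleep_pidfile="$(mktemp mod_gnutls_test-XXXXXX.pid)"
+
+    # The sleep call keeps the pipe from the subshell to gnutls-cli
+    # open. Without it gnutls-cli would terminate as soon as sed is
+    # done, and not wait for a response from the server, leading to
+    # failing tests. Sending sleep to the background allows the test
+    # case to proceed instead of waiting for it to return. The sleep
+    # process is stopped after gnutls-cli terminates.
+    if (sed "s/__HOSTNAME__/${TEST_HOST}/" <${t}/input && \
+        run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_DELAY}" &) | \
+        gnutls-cli -p "${TEST_PORT}" $(cat ${t}/gnutls-cli.args) "${TEST_HOST}" \
+        >"$output";
+    then
+        if [ -e ${t}/fail* ]; then
+            printf "%s should have failed but succeeded\n" "$(basename "$t")" >&2
+            exit 1
+        fi
+    else
+        if [ ! -e ${t}/fail* ]; then
+            printf "%s should have succeeded but failed\n" "$(basename "$t")" >&2
+            exit 1
+        fi
+    fi
+
+    kill_by_pidfile "${sleep_pidfile}"
+    unset sleep_pidfile
+
+    if [ -e ${t}/output ] ; then
+        diff_output_filter_headers "${t}/output" "$output" "-q"
+    fi
+    if [ -n "${USE_MSVA}" ]; then
+        trap stop_msva EXIT
+    else
+        trap - EXIT
+    fi
+    ${APACHE2} -f "${t}/apache.conf" -k stop || [ -e ${t}/fail.server ]
+    printf "SUCCESS: %s\n" "$TEST_NAME"
+done
 
 if [ -n "${USE_MSVA}" ]; then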
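Review bot: The Apache instance lock has become optional: `flock_cmd` is only built when TEST_LOCK is set, TEST_LOCK is no longer in the required-variable `for v in ...` list, and the fallback inside `for t in $tests` is a warning plus `sleep "$TEST_GAP"`, which is a delay rather than mutual exclusion, so two test scripts started concurrently (for example by a parallel test harness) can still both try to bind TEST_PORT. If unlocked runs are only meant for manual use, the unlocked branch should refuse rather than warn, e.g. `[ -n "${flock_cmd}" ] || { echo "TEST_LOCK not set; refusing to start Apache without a lock" >&2; exit 1; }`, or TEST_LOCK should go back into the required list. Separately, `realpath ${TEST_LOCK}` is unquoted; `TEST_LOCK="$(realpath "${TEST_LOCK}")"` keeps paths with spaces intact. The `for t in $tests` loop is fully inside the hunk.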
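--- a/test/test-00_basic.bash
+++ b/test/test-00_basic.bash
@@ -1,2 +1,2 @@
 #!/bin/bash
-${srcdir}/runtests t-0
+make -f $(dirname ${0})/TestMakefile t-0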
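Review bot: The new line runs a bare `make` with an unquoted `$(dirname ${0})`, while the Makefile.am recipes elsewhere in this changeset go through `$(MAKE) ... $(AM_MAKEFLAGS)`; a bare `make` may resolve to a different make binary than the one driving the test harness (e.g. where GNU make is installed as gmake), which matters if TestMakefile relies on GNU make syntax. A more robust form is `${MAKE:-make} -f "$(dirname "${0}")/TestMakefile" t-0`; whether MAKE is present in the test environment depends on the harness, hence the fallback. The same one-line change applies to test-01 through test-24 (test-15 keeps its `USE_MSVA="yes"` prefix).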
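--- a/test/test-01_serverwide_priorities.bash
+++ b/test/test-01_serverwide_priorities.bash
@@ -1,2 +1,2 @@
 #!/bin/bash
-${srcdir}/runtests t-1
+make -f $(dirname ${0})/TestMakefile t-1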
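--- a/test/test-02_cache_in_vhost.bash
+++ b/test/test-02_cache_in_vhost.bash
@@ -1,2 +1,2 @@
 #!/bin/bash
-${srcdir}/runtests t-2
+make -f $(dirname ${0})/TestMakefile t-2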
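--- a/test/test-03_cachetimeout_in_vhost.bash
+++ b/test/test-03_cachetimeout_in_vhost.bash
@@ -1,2 +1,2 @@
 #!/bin/bash
-${srcdir}/runtests t-3
+make -f $(dirname ${0})/TestMakefile t-3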
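--- a/test/test-04_basic_nosni.bash
+++ b/test/test-04_basic_nosni.bash
@@ -1,2 +1,2 @@
 #!/bin/bash
-${srcdir}/runtests t-4
+make -f $(dirname ${0})/TestMakefile t-4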
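--- a/test/test-05_mismatched-priorities.bash
+++ b/test/test-05_mismatched-priorities.bash
@@ -1,2 +1,2 @@
 #!/bin/bash
-${srcdir}/runtests t-5
+make -f $(dirname ${0})/TestMakefile t-5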
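--- a/test/test-06_verify_sni_a.bash
+++ b/test/test-06_verify_sni_a.bash
@@ -1,2 +1,2 @@
 #!/bin/bash
-${srcdir}/runtests t-6
+make -f $(dirname ${0})/TestMakefile t-6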
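--- a/test/test-07_verify_sni_b.bash
+++ b/test/test-07_verify_sni_b.bash
@@ -1,2 +1,2 @@
 #!/bin/bash
-${srcdir}/runtests t-7
+make -f $(dirname ${0})/TestMakefile t-7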
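--- a/test/test-08_verify_no_sni_fallback_to_first_vhost.bash
+++ b/test/test-08_verify_no_sni_fallback_to_first_vhost.bash
@@ -1,2 +1,2 @@
 #!/bin/bash
-${srcdir}/runtests t-8
+make -f $(dirname ${0})/TestMakefile t-8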
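--- a/test/test-09_verify_no_sni_fails_with_wrong_order.bash
+++ b/test/test-09_verify_no_sni_fails_with_wrong_order.bash
@@ -1,2 +1,2 @@
 #!/bin/bash
-${srcdir}/runtests t-9
+make -f $(dirname ${0})/TestMakefile t-9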
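--- a/test/test-10_basic_client_verification.bash
+++ b/test/test-10_basic_client_verification.bash
@@ -1,2 +1,2 @@
 #!/bin/bash
-${srcdir}/runtests t-10
+make -f $(dirname ${0})/TestMakefile t-10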
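--- a/test/test-11_basic_client_verification_fail.bash
+++ b/test/test-11_basic_client_verification_fail.bash
@@ -1,2 +1,2 @@
 #!/bin/bash
-${srcdir}/runtests t-11
+make -f $(dirname ${0})/TestMakefile t-11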
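--- a/test/test-12_cgi_variables.bash
+++ b/test/test-12_cgi_variables.bash
@@ -1,2 +1,2 @@
 #!/bin/bash
-${srcdir}/runtests t-12
+make -f $(dirname ${0})/TestMakefile t-12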
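--- a/test/test-13_cgi_variables_no_client_cert.bash
+++ b/test/test-13_cgi_variables_no_client_cert.bash
@@ -1,2 +1,2 @@
 #!/bin/bash
-${srcdir}/runtests t-13
+make -f $(dirname ${0})/TestMakefile t-13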
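--- a/test/test-14_basic_openpgp.bash
+++ b/test/test-14_basic_openpgp.bash
@@ -1,2 +1,2 @@
 #!/bin/bash
-${srcdir}/runtests t-14
+make -f $(dirname ${0})/TestMakefile t-14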
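--- a/test/test-15_basic_msva.bash
+++ b/test/test-15_basic_msva.bash
@@ -1,2 +1,2 @@
 #!/bin/bash
-USE_MSVA="yes" ${srcdir}/runtests t-15
+USE_MSVA="yes" make -f $(dirname ${0})/TestMakefile t-15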
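--- a/test/test-16_view-status.bash
+++ b/test/test-16_view-status.bash
@@ -1,2 +1,2 @@
 #!/bin/bash
-${srcdir}/runtests t-16
+make -f $(dirname ${0})/TestMakefile t-16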
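--- a/test/test-17_cgi_vars_large_cert.bash
+++ b/test/test-17_cgi_vars_large_cert.bash
@@ -1,2 +1,2 @@
 #!/bin/bash
-${srcdir}/runtests t-17
+make -f $(dirname ${0})/TestMakefile t-17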
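--- a/test/test-18_client_verification_wrong_cert.bash
+++ b/test/test-18_client_verification_wrong_cert.bash
@@ -1,2 +1,2 @@
 #!/bin/bash
-${srcdir}/runtests t-18
+make -f $(dirname ${0})/TestMakefile t-18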
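--- a/test/test-19_TLS_reverse_proxy.bash
+++ b/test/test-19_TLS_reverse_proxy.bash
@@ -14,5 +14,5 @@
 trap stop_backend EXIT
 
-${srcdir}/runtests t-19
+make -f $(dirname ${0})/TestMakefile t-19
 
 backend_apache "${testdir}" "backend.conf" stop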
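--- a/test/test-20_TLS_reverse_proxy_client_auth.bash
+++ b/test/test-20_TLS_reverse_proxy_client_auth.bash
@@ -14,5 +14,5 @@
 trap stop_backend EXIT
 
-${srcdir}/runtests t-20
+make -f $(dirname ${0})/TestMakefile t-20
 
 backend_apache "${testdir}" "backend.conf" stop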
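--- a/test/test-21_TLS_reverse_proxy_wrong_cert.bash
+++ b/test/test-21_TLS_reverse_proxy_wrong_cert.bash
@@ -14,5 +14,5 @@
 trap stop_backend EXIT
 
-${srcdir}/runtests t-21
+make -f $(dirname ${0})/TestMakefile t-21
 
 backend_apache "${testdir}" "backend.conf" stop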
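--- a/test/test-22_TLS_reverse_proxy_crl_revoke.bash
+++ b/test/test-22_TLS_reverse_proxy_crl_revoke.bash
@@ -14,5 +14,5 @@
 trap stop_backend EXIT
 
-${srcdir}/runtests t-22
+make -f $(dirname ${0})/TestMakefile t-22
 
 backend_apache "${testdir}" "backend.conf" stop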
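--- a/test/test-23_TLS_reverse_proxy_mismatched_priorities.bash
+++ b/test/test-23_TLS_reverse_proxy_mismatched_priorities.bash
@@ -19,5 +19,5 @@
 trap stop_backend EXIT
 
-${srcdir}/runtests t-23
+make -f $(dirname ${0})/TestMakefile t-23
 
 backend_apache "${testdir}" "backend.conf" stop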
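--- a/test/test-24_pkcs11_cert.bash
+++ b/test/test-24_pkcs11_cert.bash
@@ -25,5 +25,5 @@
 set -e
 
-${srcdir}/runtests t-24
+make -f $(dirname ${0})/TestMakefile t-24
 
 cleanup_tmpconf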