Changeset 7921dc7 in mod_gnutls

Timestamp:

Apr 22, 2018, 1:04:41 PM (3 years ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

debian/master, master, proxy-ticket

Children:

0470e44

Parents:

2246a84

git-author:

Fiona Klute <fiona.klute@…> (04/18/18 04:38:36)

git-committer:

Fiona Klute <fiona.klute@…> (04/22/18 13:04:41)

Message:

Remove OpenPGP authentication

OpenPGP authentication was removed from GnuTLS a while ago, follow suit.

Files:

• include/mod_gnutls.h.in (modified) (6 diffs)
• src/gnutls_config.c (modified) (7 diffs)
• src/gnutls_hooks.c (modified) (16 diffs)
• src/mod_gnutls.c (modified) (4 diffs)
• test/Makefile.am (modified) (2 diffs)
• test/gnutls_openpgp_support.c (deleted)
• test/test-14_basic_openpgp.bash (modified) (1 diff)
• test/tests/14_basic_openpgp/apache.conf (deleted)
• test/tests/14_basic_openpgp/gnutls-cli.args (deleted)
• test/tests/14_basic_openpgp/input (deleted)
• test/tests/14_basic_openpgp/output (deleted)
• test/tests/Makefile.am (modified) (1 diff)

include/mod_gnutls.h.in

@@ -33 +33 @@
 #include <gnutls/gnutls.h>
 #include <gnutls/abstract.h>
-#include <gnutls/openpgp.h>
 #include <gnutls/x509.h>
 
@@ -123 +122 @@
     char *x509_key_file;
     char *x509_ca_file;
-
-    char *pgp_cert_file;
-    char *pgp_key_file;
-    char *pgp_ring_file;
 
     char *dh_file;
@@ -179 +174 @@
     gnutls_privkey_t privkey_x509;
 
-        /* OpenPGP Certificate */
-    gnutls_pcert_st *cert_pgp;
-    gnutls_openpgp_crt_t *cert_crt_pgp;
-
-        /* OpenPGP Certificate Private Key */
-    gnutls_privkey_t privkey_pgp;
-#if GNUTLS_VERSION_NUMBER < 0x030312
-    /* Internal structure for the OpenPGP private key, used in the
-     * workaround for a bug in gnutls_privkey_import_openpgp_raw that
-     * frees memory that is still needed. DO NOT USE for any other
-     * purpose. */
-    gnutls_openpgp_privkey_t privkey_pgp_internal;
-#endif
-
     /* Export full certificates to CGI environment: */
     int export_certificates_size;
@@ -201 +182 @@
         /* A list of CA Certificates */
     gnutls_x509_crt_t *ca_list;
-        /* OpenPGP Key Ring */
-    gnutls_openpgp_keyring_t pgp_list;
         /* CA Certificate list size */
     unsigned int ca_list_size;
@@ -413 +392 @@
                              const char *arg);
 
-const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
-                                        const char *arg);
-
-const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
-                             const char *arg);
-
 const char *mgs_set_cache(cmd_parms * parms, void *dummy,
                           const char *type, const char* arg);
@@ -440 +413 @@
 
 const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy,
-                                   const char *arg);
-
-const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
                                    const char *arg);
 

src/gnutls_config.c

@@ -142 +142 @@
     }
 
-    if (sc->cert_pgp)
-    {
-        gnutls_pcert_deinit(&sc->cert_pgp[0]);
-        sc->cert_pgp = NULL;
-        gnutls_openpgp_crt_deinit(sc->cert_crt_pgp[0]);
-        sc->cert_crt_pgp = NULL;
-    }
-
-    if (sc->privkey_pgp)
-    {
-        gnutls_privkey_deinit(sc->privkey_pgp);
-        sc->privkey_pgp = NULL;
-#if GNUTLS_VERSION_NUMBER < 0x030312
-        gnutls_openpgp_privkey_deinit(sc->privkey_pgp_internal);
-        sc->privkey_pgp_internal = NULL;
-#endif
-    }
-
-    if (sc->pgp_list)
-    {
-        gnutls_openpgp_keyring_deinit(sc->pgp_list);
-        sc->pgp_list = NULL;
-    }
-
     if (sc->priorities)
     {
@@ -453 +429 @@
     }
 
-    if (sc->pgp_cert_file && sc->cert_pgp == NULL)
-    {
-        sc->cert_pgp = apr_pcalloc(pconf, sizeof(sc->cert_pgp[0]));
-        sc->cert_crt_pgp = apr_pcalloc(pconf, sizeof(sc->cert_crt_pgp[0]));
-
-        if (load_datum_from_file(spool, sc->pgp_cert_file, &data) != 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Error Reading " "Certificate '%s'",
-                         sc->pgp_cert_file);
-            ret = -1;
-            goto cleanup;
-        }
-
-        ret = gnutls_openpgp_crt_init(&sc->cert_crt_pgp[0]);
-        if (ret < 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to Init "
-                         "PGP Certificate: (%d) %s", ret,
-                         gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-
-        ret = gnutls_openpgp_crt_import(sc->cert_crt_pgp[0], &data,
-                                        GNUTLS_OPENPGP_FMT_BASE64);
-        if (ret < 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to Import "
-                         "PGP Certificate: (%d) %s", ret,
-                         gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-
-        ret = gnutls_pcert_import_openpgp(sc->cert_pgp,
-                                          sc->cert_crt_pgp[0], 0);
-        if (ret < 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to Import "
-                         "PGP pCertificate: (%d) %s", ret,
-                         gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-    }
-
-    /* Load the PGP key file */
-    if (sc->pgp_key_file && sc->privkey_pgp == NULL)
-    {
-        if (load_datum_from_file(spool, sc->pgp_key_file, &data) != 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Error Reading " "Private Key '%s'",
-                         sc->pgp_key_file);
-            ret = -1;
-            goto cleanup;
-        }
-
-        ret = gnutls_privkey_init(&sc->privkey_pgp);
-        if (ret < 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to initialize"
-                         ": (%d) %s", ret, gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-
-#if GNUTLS_VERSION_NUMBER < 0x030312
-        /* GnuTLS versions before 3.3.12 contain a bug in
-         * gnutls_privkey_import_openpgp_raw which frees data that is
-         * accessed when the key is used, leading to segfault. Loading
-         * the key into a gnutls_openpgp_privkey_t and then assigning
-         * it to the gnutls_privkey_t works around the bug, hence this
-         * chain of gnutls_openpgp_privkey_init,
-         * gnutls_openpgp_privkey_import and
-         * gnutls_privkey_import_openpgp. */
-        ret = gnutls_openpgp_privkey_init(&sc->privkey_pgp_internal);
-        if (ret != 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to initialize "
-                         "PGP Private Key '%s': (%d) %s",
-                         sc->pgp_key_file, ret, gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-
-        ret = gnutls_openpgp_privkey_import(sc->privkey_pgp_internal, &data,
-                                            GNUTLS_OPENPGP_FMT_BASE64, NULL, 0);
-        if (ret != 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to Import "
-                         "PGP Private Key '%s': (%d) %s",
-                         sc->pgp_key_file, ret, gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-
-        ret = gnutls_privkey_import_openpgp(sc->privkey_pgp,
-                                            sc->privkey_pgp_internal, 0);
-        if (ret != 0)
-        {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to assign PGP Private Key '%s' "
-                         "to gnutls_privkey_t structure: (%d) %s",
-                         sc->pgp_key_file, ret, gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-#else
-        ret = gnutls_privkey_import_openpgp_raw(sc->privkey_pgp, &data,
-                                                GNUTLS_OPENPGP_FMT_BASE64,
-                                                NULL, NULL);
-        if (ret != 0)
-        {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to Import "
-                         "PGP Private Key '%s': (%d) %s",
-                         sc->pgp_key_file, ret, gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-#endif
-    }
-
-    /* Load the keyring file */
-    if (sc->pgp_ring_file && sc->pgp_list == NULL)
-    {
-        if (load_datum_from_file(spool, sc->pgp_ring_file, &data) != 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Error Reading " "Keyring File '%s'",
-                         sc->pgp_ring_file);
-            ret = -1;
-            goto cleanup;
-        }
-
-        ret = gnutls_openpgp_keyring_init(&sc->pgp_list);
-        if (ret < 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to initialize"
-                         "keyring: (%d) %s", ret, gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-
-        ret = gnutls_openpgp_keyring_import(sc->pgp_list, &data,
-                                            GNUTLS_OPENPGP_FMT_BASE64);
-        if (ret < 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to load "
-                         "Keyring File '%s': (%d) %s", sc->pgp_ring_file,
-                         ret, gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-    }
-
     if (sc->priorities_str && sc->priorities == NULL)
     {
@@ -711 +532 @@
 
     sc->x509_key_file = apr_pstrdup(parms->pool, arg);
-
-    return NULL;
-}
-
-const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy __attribute__((unused)),
-        const char *arg)
-{
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    sc->pgp_cert_file = ap_server_root_relative(parms->pool, arg);
-
-    return NULL;
-}
-
-const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy __attribute__((unused)),
-        const char *arg) {
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    sc->pgp_key_file = ap_server_root_relative(parms->pool, arg);
 
     return NULL;
@@ -923 +719 @@
 
     sc->x509_ca_file = ap_server_root_relative(parms->pool, arg);
-
-    return NULL;
-}
-
-const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy __attribute__((unused)),
-        const char *arg) {
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    sc->pgp_ring_file = ap_server_root_relative(parms->pool, arg);
 
     return NULL;
@@ -1074 +858 @@
     sc->pin = NULL;
 
-    sc->cert_pgp = NULL;
-    sc->cert_crt_pgp = NULL;
-    sc->privkey_pgp = NULL;
-#if GNUTLS_VERSION_NUMBER < 0x030312
-    sc->privkey_pgp_internal = NULL;
-#endif
-    sc->pgp_list = NULL;
-
     sc->priorities_str = NULL;
     sc->cache_timeout = MGS_TIMEOUT_UNSET;
@@ -1162 +938 @@
     gnutls_srvconf_merge(p11_modules, NULL);
     gnutls_srvconf_merge(pin, NULL);
-    gnutls_srvconf_merge(pgp_cert_file, NULL);
-    gnutls_srvconf_merge(pgp_key_file, NULL);
-    gnutls_srvconf_merge(pgp_ring_file, NULL);
     gnutls_srvconf_merge(dh_file, NULL);
     gnutls_srvconf_merge(priorities_str, NULL);
@@ -1186 +959 @@
     gnutls_srvconf_assign(ca_list);
     gnutls_srvconf_assign(ca_list_size);
-    gnutls_srvconf_assign(cert_pgp);
-    gnutls_srvconf_assign(cert_crt_pgp);
-    gnutls_srvconf_assign(pgp_list);
     gnutls_srvconf_assign(certs);
     gnutls_srvconf_assign(anon_creds);

src/gnutls_hooks.c

@@ -55 +55 @@
 /* use side==0 for server and side==1 for client */
 static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, size_t export_cert_size);
-static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, size_t export_cert_size);
 static int mgs_status_hook(request_rec *r, int flags);
 #ifdef ENABLE_MSVA
@@ -352 +351 @@
         *privkey = ctxt->sc->privkey_x509;
         return 0;
-    } else if (gnutls_certificate_type_get(session) == GNUTLS_CRT_OPENPGP) {
-                // OPENPGP CERTIFICATE
-        *pcerts = ctxt->sc->cert_pgp;
-        *pcert_length = 1;
-        *privkey = ctxt->sc->privkey_pgp;
-        return 0;
     } else {
                 // UNKNOWN CERTIFICATE
@@ -416 +409 @@
             }
         }
-    }
-
-    return rv;
-}
-
-static int read_pgpcrt_cn(server_rec * s, apr_pool_t * p,
-        gnutls_openpgp_crt_t cert, char **cert_cn) {
-    int rv = 0;
-    size_t data_len;
-
-
-    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-    *cert_cn = NULL;
-
-    data_len = 0;
-    rv = gnutls_openpgp_crt_get_name(cert, 0, NULL, &data_len);
-
-    if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
-        *cert_cn = apr_palloc(p, data_len);
-        rv = gnutls_openpgp_crt_get_name(cert, 0, *cert_cn,
-                &data_len);
-    } else { /* No CN return subject alternative name */
-        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
-                "No name found in PGP certificate for '%s:%d'.",
-                s->server_hostname, s->port);
     }
 
@@ -732 +700 @@
 
         if ((sc->certs_x509_chain == NULL || sc->certs_x509_chain_num < 1) &&
-            sc->cert_pgp == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
+            sc->enabled == GNUTLS_ENABLED_TRUE) {
                         ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                                                 "GnuTLS: Host '%s:%d' is missing a Certificate File!",
@@ -739 +707 @@
         }
         if (sc->enabled == GNUTLS_ENABLED_TRUE &&
-            ((sc->certs_x509_chain_num > 0 && sc->privkey_x509 == NULL) ||
-             (sc->cert_crt_pgp != NULL && sc->privkey_pgp == NULL)))
+            (sc->certs_x509_chain_num > 0 && sc->privkey_x509 == NULL))
         {
                         ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
@@ -748 +715 @@
         }
 
-        /* If OpenPGP support is already disabled in the loaded GnuTLS
-         * library startup will fail if the configuration tries to
-         * load PGP credentials. Otherwise warn affected users about
-         * deprecation. */
-        if (sc->pgp_cert_file || sc->pgp_key_file || sc->pgp_ring_file)
-            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-                         "Host '%s:%d' is configured to use OpenPGP auth. "
-                         "OpenPGP support has been deprecated in GnuTLS "
-                         "since version 3.5.9 and will be removed from "
-                         "mod_gnutls in a future release.",
-                         s->server_hostname, s->port);
-
         if (sc->enabled == GNUTLS_ENABLED_TRUE) {
             rv = -1;
@@ -765 +720 @@
                 rv = read_crt_cn(s, pconf, sc->certs_x509_crt_chain[0], &sc->cert_cn);
             }
-            if (rv < 0 && sc->cert_pgp != NULL) {
-                rv = read_pgpcrt_cn(s, pconf, sc->cert_crt_pgp[0], &sc->cert_cn);
-                        }
 
             if (rv < 0) {
@@ -1335 +1287 @@
 
     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
-        mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_crt_chain[0], 0, ctxt->sc->export_certificates_size);
-    } else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) {
-        mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_crt_pgp[0], 0, ctxt->sc->export_certificates_size);
+        mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_crt_chain[0], 0,
+                                 ctxt->sc->export_certificates_size);
     }
 
@@ -1532 +1483 @@
 
 
-/* @param side 0: server, 1: client
- *
- * @param export_cert_size (int) maximum size for environment variable
- * to use for the PEM-encoded certificate (0 means do not export)
- */
-static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, size_t export_cert_size) {
-
-        unsigned char sbuf[64]; /* buffer to hold serials */
-    char buf[AP_IOBUFSIZE];
-    const char *tmp;
-    size_t len;
-    int ret;
-
-    if (r == NULL)
-        return;
-
-    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-    apr_table_t *env = r->subprocess_env;
-
-    if (export_cert_size > 0) {
-        len = 0;
-        ret = gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, NULL, &len);
-        if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
-            if (len >= export_cert_size) {
-                apr_table_setn(env, MGS_SIDE("_CERT"),
-                               "GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED");
-                ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                              "GnuTLS: Failed to export too-large OpenPGP certificate to environment");
-            } else {
-                char* cert_buf = apr_palloc(r->pool, len + 1);
-                if (cert_buf != NULL && gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0) {
-                    cert_buf[len] = 0;
-                    apr_table_setn(env, MGS_SIDE("_CERT"), cert_buf);
-                } else {
-                    ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
-                                  "GnuTLS: failed to export OpenPGP certificate");
-                }
-            }
-        } else {
-            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
-                          "GnuTLS: dazed and confused about OpenPGP certificate size");
-        }
-    }
-
-    len = sizeof (buf);
-    gnutls_openpgp_crt_get_name(cert, 0, buf, &len);
-    apr_table_setn(env, MGS_SIDE("_NAME"), apr_pstrmemdup(r->pool, buf, len));
-
-    len = sizeof (sbuf);
-    gnutls_openpgp_crt_get_fingerprint(cert, sbuf, &len);
-    apr_table_setn(env, MGS_SIDE("_FINGERPRINT"),
-                   apr_pescape_hex(r->pool, sbuf, len, 0));
-
-    ret = gnutls_openpgp_crt_get_version(cert);
-    if (ret > 0)
-        apr_table_setn(env, MGS_SIDE("_M_VERSION"),
-                       apr_psprintf(r->pool, "%u", ret));
-
-    apr_table_setn(env, MGS_SIDE("_CERT_TYPE"), "OPENPGP");
-
-    tmp =
-            mgs_time2sz(gnutls_openpgp_crt_get_expiration_time
-            (cert), buf, sizeof (buf));
-    apr_table_setn(env, MGS_SIDE("_V_END"), apr_pstrdup(r->pool, tmp));
-
-    tmp =
-            mgs_time2sz(gnutls_openpgp_crt_get_creation_time
-            (cert), buf, sizeof (buf));
-    apr_table_setn(env, MGS_SIDE("_V_START"), apr_pstrdup(r->pool, tmp));
-
-    ret = gnutls_openpgp_crt_get_pk_algorithm(cert, NULL);
-    if (ret >= 0) {
-        apr_table_setn(env, MGS_SIDE("_A_KEY"), gnutls_pk_algorithm_get_name(ret));
-    }
-
-}
 
 /* TODO: Allow client sending a X.509 certificate chain */
@@ -1619 +1494 @@
     unsigned int ch_size = 0;
 
+    // TODO: union no longer needed here after removing its "pgp" component.
     union {
         gnutls_x509_crt_t x509[MAX_CHAIN_SIZE];
-        gnutls_openpgp_crt_t pgp;
     } cert;
     apr_time_t expiration_time, cur_time;
@@ -1672 +1547 @@
             }
         }
-    } else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) {
-        if (cert_list_size > 1) {
-            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                    "GnuTLS: Failed to Verify Peer: "
-                    "Chained Client Certificates are not supported.");
-            return HTTP_FORBIDDEN;
-        }
-
-        gnutls_openpgp_crt_init(&cert.pgp);
-        rv = gnutls_openpgp_crt_import(cert.pgp, &cert_list[0],
-                GNUTLS_OPENPGP_FMT_RAW);
-
     } else
         return HTTP_FORBIDDEN;
@@ -1759 +1622 @@
 
     } else {
-        apr_time_ansi_put(&expiration_time,
-                gnutls_openpgp_crt_get_expiration_time
-                (cert.pgp));
-
-        switch(ctxt->sc->client_verify_method) {
-        case mgs_cvm_cartel:
-            rv = gnutls_openpgp_crt_verify_ring(cert.pgp,
-                                                ctxt->sc->pgp_list, 0,
-                                                &status);
-            break;
-#ifdef ENABLE_MSVA
-        case mgs_cvm_msva:
-            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                          "GnuTLS:  OpenPGP verification via MSVA is not yet implemented");
-            rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
-            break;
-#endif
-        default:
-            /* If this block is reached, that indicates a
-             * configuration error or bug in mod_gnutls (invalid value
-             * of ctxt->sc->client_verify_method). */
-            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                          "GnuTLS: Failed to Verify OpenPGP Peer: method '%s' is not supported",
-                          mgs_readable_cvm(ctxt->sc->client_verify_method));
-            rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
-        }
+        /* Unknown certificate type */
+        rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
     }
 
@@ -1795 +1634 @@
         if (rv == GNUTLS_E_NO_CERTIFICATE_FOUND)
             ap_log_rerror(APLOG_MARK, APLOG_EMERG, 0, r,
-                "GnuTLS: No certificate was found for verification. Did you set the GnuTLSX509CAFile or GnuTLSPGPKeyringFile directives?");
+                "GnuTLS: No certificate was found for verification. Did you set the GnuTLSClientCAFile directive?");
         ret = HTTP_FORBIDDEN;
         goto exit;
@@ -1836 +1675 @@
     }
 
-    if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
-        mgs_add_common_cert_vars(r, cert.x509[0], 1, ctxt->sc->export_certificates_size);
-    else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP)
-        mgs_add_common_pgpcert_vars(r, cert.pgp, 1, ctxt->sc->export_certificates_size);
+    mgs_add_common_cert_vars(r, cert.x509[0], 1, ctxt->sc->export_certificates_size);
 
     {
@@ -1867 +1703 @@
         for (unsigned int i = 0; i < ch_size; i++)
             gnutls_x509_crt_deinit(cert.x509[i]);
-    else if (gnutls_certificate_type_get(ctxt->session) ==
-             GNUTLS_CRT_OPENPGP)
-        gnutls_openpgp_crt_deinit(cert.pgp);
+
     return ret;
 }
@@ -1928 +1762 @@
  * certificate, but doesn't tell us (in any other way) who they are
  * trying to authenticate as.
-
- * TODO: we might need another parallel for OpenPGP, but for that it's
- * much simpler: we can just assume that the first User ID marked as
- * "primary" (or the first User ID, period) is the identity the user
- * is trying to present as.
 
  * one complaint might be "but the user wanted to be another identity,

src/mod_gnutls.c

@@ -245 +245 @@
 }
 
+#define OPENPGP_REMOVED "OpenPGP support has been removed."
+
 static const command_rec mgs_config_cmds[] = {
     AP_INIT_FLAG("GnuTLSProxyEngine", mgs_set_proxy_engine,
@@ -278 +280 @@
     RSRC_CONF,
     "Set the CA File to verify Client Certificates"),
-    AP_INIT_TAKE1("GnuTLSPGPKeyringFile", mgs_set_keyring_file,
-    NULL,
-    RSRC_CONF,
-    "Set the Keyring File to verify Client Certificates"),
     AP_INIT_TAKE1("GnuTLSDHFile", mgs_set_dh_file,
     NULL,
@@ -302 +300 @@
     RSRC_CONF,
     "TLS Server X509 Private Key file"),
-    AP_INIT_TAKE1("GnuTLSPGPCertificateFile", mgs_set_pgpcert_file,
-    NULL,
-    RSRC_CONF,
-    "TLS Server PGP Certificate file"),
-    AP_INIT_TAKE1("GnuTLSPGPKeyFile", mgs_set_pgpkey_file,
-    NULL,
-    RSRC_CONF,
-    "TLS Server PGP Private key file"),
 #ifdef ENABLE_SRP
     AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file,
@@ -396 +386 @@
                   NULL, RSRC_CONF,
                   "Socket timeout for OCSP requests"),
+    AP_INIT_RAW_ARGS("GnuTLSPGPKeyringFile",
+                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
+    AP_INIT_RAW_ARGS("GnuTLSPGPCertificateFile",
+                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
+    AP_INIT_RAW_ARGS("GnuTLSPGPKeyFile",
+                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
 #ifdef __clang__
     /* Workaround for this clang bug:

test/Makefile.am

@@ -36 +36 @@
 TESTS = $(dist_check_SCRIPTS)
 
-check_PROGRAMS = pgpcrc gnutls_openpgp_support
+check_PROGRAMS = pgpcrc
 pgpcrc_SOURCES = pgpcrc.c
-gnutls_openpgp_support_SOURCES = gnutls_openpgp_support.c
-gnutls_openpgp_support_CFLAGS = $(LIBGNUTLS_CFLAGS)
-gnutls_openpgp_support_LDFLAGS = $(LIBGNUTLS_LIBS)
 
 # build OCSP database tool
@@ -53 +50 @@
 # Identities in the miniature CA, server, and client environment for
 # the test suite
-shared_identities = server authority client imposter rogueca
+shared_identities = authority client
 pgp_identities = $(shared_identities)
-x509_only_identities = rogueclient
+x509_only_identities = server rogueca imposter rogueclient
 if ENABLE_OCSP_TEST
 x509_only_identities += ocsp-responder

test/test-14_basic_openpgp.bash

@@ -1 +1 @@
 #!/bin/bash
-./gnutls_openpgp_support || exit $?
-${srcdir}/runtests t-14
+echo "OpenPGP support has been removed, skipping." 2>&1
+exit 77

test/tests/Makefile.am

@@ -14 +14 @@
         12_cgi_variables/apache.conf 12_cgi_variables/gnutls-cli.args 12_cgi_variables/input 12_cgi_variables/output \
         13_cgi_variables_no_client_cert/apache.conf 13_cgi_variables_no_client_cert/gnutls-cli.args 13_cgi_variables_no_client_cert/input 13_cgi_variables_no_client_cert/output \
-        14_basic_openpgp/apache.conf 14_basic_openpgp/gnutls-cli.args 14_basic_openpgp/input 14_basic_openpgp/output \
         15_basic_msva/apache.conf 15_basic_msva/gnutls-cli.args 15_basic_msva/input 15_basic_msva/output \
         16_view-status/apache.conf 16_view-status/gnutls-cli.args 16_view-status/input 16_view-status/output \