Changeset b674e95 in mod_gnutls

Timestamp:

May 29, 2016, 3:38:07 PM (5 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

asyncio, debian/master, debian/stretch-backports, master, proxy-ticket, upstream

Children:

94cb972

Parents:

efe884e (diff), 086cea9 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

git-author:

Thomas Klute <thomas2.klute@…> (05/29/16 15:28:14)

git-committer:

Thomas Klute <thomas2.klute@…> (05/29/16 15:38:07)

Message:

Merge version 0.7.5 into ocsp branch

Files:

• CHANGELOG (modified) (1 diff)
• Makefile.am (modified) (2 diffs)
• configure.ac (modified) (3 diffs)
• m4/apache.m4 (modified) (2 diffs)
• src/Makefile.am (modified) (1 diff)
• src/gnutls_io.c (modified) (6 diffs)
• test/.gitignore (modified) (1 diff)
• test/Makefile.am (modified) (5 diffs)
• test/base_apache.conf (modified) (1 diff)
• test/pgpcrc.c (added)
• test/test_ca.mk (modified) (2 diffs)

CHANGELOG

@@ -2 +2 @@
 - Handle Unclean Shutdowns
 - make session cache use generic apache caches
+
+** Version 0.7.5 (2016-05-28)
+- Sunil Mohan Adapa reported retry loops during session shutdown in
+  cleanup_gnutls_session() due to gnutls_bye() incorrectly returning
+  GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN. Setting the GnuTLS session
+  errno in mgs_transport_write() fixes the problem.
+- Import Daniel Kahn Gillmor's patches for GnuPG v2 support from the
+  Debian package.
+- Build system improvements that allow VPATH builds and get "make
+  distcheck" to work
 
 ** Version 0.7.4 (2016-04-13)

Makefile.am

@@ -1 @@
-AUTOMAKE_OPTIONS = foreign dist-bzip2
+AUTOMAKE_OPTIONS = foreign dist-bzip2 no-dist-gzip
 
 EXTRA_DIST = m4/outoforder.m4 m4/apache.m4 \
@@ -8 +8 @@
                 NOTICE LICENSE
 
+AM_DISTCHECK_CONFIGURE_FLAGS = "--enable-vpath-install"
+DISTCLEANFILES = config.nice
+
 SUBDIRS = src test doc
 ACLOCAL_AMFLAGS = -I m4

configure.ac

@@ -1 +1 @@
 dnl 
-AC_INIT(mod_gnutls, 0.7.4)
+AC_INIT(mod_gnutls, 0.7.5)
 OOO_CONFIG_NICE(config.nice)
 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
@@ -14 +14 @@
 AM_CONFIG_HEADER(include/mod_gnutls_config.h:config.in)
 
+LT_INIT([disable-static])
+
 AC_SUBST(MOD_GNUTLS_VERSION)
 
@@ -33 +35 @@
 
 LIBGNUTLS_VERSION=`pkg-config --modversion gnutls`
+
+AC_ARG_ENABLE(vpath-install,
+       AS_HELP_STRING([--enable-vpath-install],
+               [Modify the Apache module directory provided by apxs to \
+               follow --prefix, if necessary. Most users will not want this, \
+               but it is required for VPATH builds including "make \
+               distcheck".]),
+       vpath_install=$enableval, vpath_install=no)
+AM_CONDITIONAL([ENABLE_VPATH_INSTALL], [test "$vpath_install" = "yes"])
 
 AC_ARG_ENABLE(srp,

m4/apache.m4

@@ -39 +39 @@
 
         AP_PREFIX="`$APXS_BIN -q prefix 2>/dev/null`"
+        AP_EXEC_PREFIX="`$APXS_BIN -q exec_prefix 2>/dev/null`"
 
         AP_BINDIR="`$APXS_BIN -q bindir 2>/dev/null`"
@@ -126 +127 @@
         AC_SUBST(AP_DEFS)
         AC_SUBST(AP_PREFIX)
+        AC_SUBST(AP_EXEC_PREFIX)
         AC_SUBST(AP_CFLAGS)
         AC_SUBST(AP_CPPFLAGS)

src/Makefile.am

@@ -1 @@
-CLEANFILES = .libs/libmod_gnutls *~
+# installation directory for Apache modules
+if ENABLE_VPATH_INSTALL
+apmodpkglibdir = $(subst ${AP_EXEC_PREFIX},${prefix},${AP_LIBEXECDIR})
+else
+apmodpkglibdir = ${AP_LIBEXECDIR}
+endif
 
-libmod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c gnutls_config.c gnutls_hooks.c
-libmod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS}
-libmod_gnutls_la_LDFLAGS = -rpath ${AP_LIBEXECDIR} -module -avoid-version ${MODULE_LIBS}
+mod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c gnutls_config.c gnutls_hooks.c
+mod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS}
+mod_gnutls_la_LDFLAGS = -module -avoid-version ${MODULE_LIBS}
 
-lib_LTLIBRARIES = libmod_gnutls.la
-
-make_so: $(lib_LTLIBRARIES)
-        @if test ! -L mod_gnutls.so ; then ln -s .libs/libmod_gnutls.so mod_gnutls.so ; fi
-
-clean:
-        rm -f mod_gnutls.so
-        rm -f *.o *.lo *.la
-        rm -fr .libs
-
-install: make_so
-        @${APXS_BIN} -i -n gnutls mod_gnutls.so
-        @echo ""
-        @echo ""
-        @echo "***********************************************"
-        @echo ""
-        @echo "  Please read the manual in the doc/ directory for"
-        @echo "  details on the configuration of this module"
-        @echo ""
-        @echo "***********************************************"
-        @echo ""
+apmodpkglib_LTLIBRARIES = mod_gnutls.la

src/gnutls_io.c

@@ -765 +765 @@
 /**
  * Pull function for GnuTLS
+ *
+ * Generic errnos used for gnutls_transport_set_errno:
+ * EIO: Unknown I/O error
+ * ECONNABORTED: Input BB does not exist (NULL)
+ *
+ * The reason we are not using APR_TO_OS_ERROR to map apr_status_t to
+ * errnos is this warning in the APR documentation: "If the statcode
+ * was not created by apr_get_os_error or APR_FROM_OS_ERROR, the
+ * results are undefined." We cannot know if this applies to any error
+ * we might encounter.
  */
 ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
@@ -777 +787 @@
 
     /* If Len = 0, we don't do anything. */
-    if (!len || buffer == NULL) {
+    if (!len || buffer == NULL)
+    {
         return 0;
     }
-    if (!ctxt->input_bb) {
+    /* Input bucket brigade is missing, EOF */
+    if (!ctxt->input_bb)
+    {
         ctxt->input_rc = APR_EOF;
+        gnutls_transport_set_errno(ctxt->session, ECONNABORTED);
         return -1;
     }
 
-    if (APR_BRIGADE_EMPTY(ctxt->input_bb)) {
-
+    if (APR_BRIGADE_EMPTY(ctxt->input_bb))
+    {
         rc = ap_get_brigade(ctxt->input_filter->next,
-                ctxt->input_bb, AP_MODE_READBYTES,
-                ctxt->input_block, in);
+                            ctxt->input_bb, AP_MODE_READBYTES,
+                            ctxt->input_block, in);
 
         /* Not a problem, there was simply no data ready yet.
@@ -803 +817 @@
             else
             {
-                if (ctxt->session)
-                    gnutls_transport_set_errno(ctxt->session,
-                                               EAI_APR_TO_RAW(ctxt->input_rc));
+                gnutls_transport_set_errno(ctxt->session,
+                                           EAI_APR_TO_RAW(ctxt->input_rc));
                 return -1;
             }
         }
 
-        if (rc != APR_SUCCESS) {
+        if (rc != APR_SUCCESS)
+        {
             /* Unexpected errors discard the brigade */
             apr_brigade_cleanup(ctxt->input_bb);
             ctxt->input_bb = NULL;
+            gnutls_transport_set_errno(ctxt->session, EIO);
             return -1;
         }
     }
 
-    ctxt->input_rc =
-            brigade_consume(ctxt->input_bb, block, buffer, &len);
-
-    if (ctxt->input_rc == APR_SUCCESS) {
+    ctxt->input_rc = brigade_consume(ctxt->input_bb, block, buffer, &len);
+
+    if (ctxt->input_rc == APR_SUCCESS)
+    {
         return (ssize_t) len;
     }
@@ -830 +845 @@
         if (len == 0)
         {
-            if (ctxt->session)
-                gnutls_transport_set_errno(ctxt->session,
-                                           EAI_APR_TO_RAW(ctxt->input_rc));
+            gnutls_transport_set_errno(ctxt->session,
+                                       EAI_APR_TO_RAW(ctxt->input_rc));
             return -1;
         }
@@ -840 +854 @@
 
     /* Unexpected errors and APR_EOF clean out the brigade.
-     * Subsequent calls will return APR_EOF.
-     */
+     * Subsequent calls will return APR_EOF. */
     apr_brigade_cleanup(ctxt->input_bb);
     ctxt->input_bb = NULL;
 
-    if (APR_STATUS_IS_EOF(ctxt->input_rc) && len) {
-        /* Provide the results of this read pass,
-         * without resetting the BIO retry_read flag
-         */
+    if (APR_STATUS_IS_EOF(ctxt->input_rc) && len)
+    {
+        /* Some data has been received before EOF, return it. */
         return (ssize_t) len;
     }
 
+    gnutls_transport_set_errno(ctxt->session, EIO);
     return -1;
 }
 
+/**
+ * Push function for GnuTLS
+ *
+ * In case of unexpected errors gnutls_transport_set_errno is called
+ * with EIO.  The reason we are not using APR_TO_OS_ERROR to map
+ * apr_status_t to errnos is this warning in the APR documentation:
+ * "If the statcode was not created by apr_get_os_error or
+ * APR_FROM_OS_ERROR, the results are undefined." We cannot know if
+ * this applies to any error we might encounter.
+ */
 ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
-        const void *buffer, size_t len) {
+                            const void *buffer, size_t len)
+{
     mgs_handle_t *ctxt = ptr;
 
@@ -869 +893 @@
     APR_BRIGADE_INSERT_TAIL(ctxt->output_bb, bucket);
 
-    if (write_flush(ctxt) < 0) {
+    if (write_flush(ctxt) < 0)
+    {
+        /* We encountered an error. APR_EINTR or APR_EAGAIN can be
+         * handled, treat everything else as a generic I/O error. */
+        int err = EIO;
+        if (APR_STATUS_IS_EAGAIN(ctxt->output_rc)
+            || APR_STATUS_IS_EINTR(ctxt->output_rc))
+            err = EAI_APR_TO_RAW(ctxt->output_rc);
+
+        gnutls_transport_set_errno(ctxt->session, err);
         return -1;
     }

test/.gitignore

@@ -23 +23 @@
 *.lock
 gen_ocsp_index
+pgpcrc
 .deps

test/Makefile.am

@@ -34 +34 @@
 TESTS = $(dist_check_SCRIPTS)
 
+check_PROGRAMS = pgpcrc
+pgpcrc_SOURCES = pgpcrc.c
+
 # build OCSP database tool
 if ENABLE_OCSP_TEST
-check_PROGRAMS = gen_ocsp_index
+check_PROGRAMS += gen_ocsp_index
 gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
 noinst_HEADERS = cert_helper.h
@@ -53 +56 @@
 # Append strings after ":=" to each identity to generate a list of
 # necessary files
-pgp_tokens = $(pgp_identities:=/secring.gpg) $(pgp_identities:=/cert.pgp) \
+pgp_tokens = $(pgp_identities:=/cert.pgp) \
         $(pgp_identities:=/secret.pgp)
 x509_keys = $(x509_identities:=/secret.key)
@@ -104 +107 @@
 # one day, so regenerating them is both fast and frequently
 # necessary.
-MOSTLYCLEANFILES += */*.pgp */*.gpg */*.gpg~ */gpg.conf authority/lock
+MOSTLYCLEANFILES += */*.pgp */*.pgp.raw */*.gpg */*.gpg~ */gpg.conf \
+        authority/lock */*.kbx */*.kbx~ */S.gpg-agent */private-keys-v1.d/*
 # GnuPG random pool, no need to regenerate on every build
 CLEANFILES += authority/random_seed
@@ -163 +167 @@
 
 mostlyclean-local: clean-softhsm2-db
+        -rmdir $(pgp_identities:=/private-keys-v1.d) || true
+if USE_MSVA
+        -rmdir $(msva_home)/private-keys-v1.d || true
+endif
 
 clean-local:
@@ -172 +180 @@
 
 # Apache configuration and data files
-apache_data = base_apache.conf cgi_module.conf data/* mime.types ocsp_server.conf proxy_mods.conf
-
-EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in common.bash \
-        proxy_backend.bash runtests server-crl.template softhsm.bash
+apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/ocsp.cgi \
+        data/secret.txt data/test.txt mime.types ocsp_server.conf \
+        proxy_mods.conf
+
+EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=.uid.in) \
+        common.bash proxy_backend.bash runtests server-crl.template \
+        softhsm.bash
 
 # Lockfile for the main Apache process

test/base_apache.conf

@@ -16 +16 @@
 
 DocumentRoot ${srcdir}/data
-LoadModule gnutls_module ../src/.libs/libmod_gnutls.so
+LoadModule gnutls_module ../src/.libs/mod_gnutls.so

test/test_ca.mk

@@ -20 +20 @@
         mkdir -p $(dir $@)
         chmod 0700 $(dir $@)
-        certtool --generate-privkey > $@
+        certtool --outfile $@ --generate-privkey
 
-%/secring.gpg: %.uid %/secret.key
-        rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg
-        PEM2OPENPGP_EXPIRATION=86400 PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign pem2openpgp "$$(cat $<)" < $(dir $@)secret.key | GNUPGHOME=$(dir $@) gpg --import
+%/secret.pgp.raw: %.uid %/secret.key
+        PEM2OPENPGP_EXPIRATION=86400 PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign pem2openpgp "$$(cat $<)" < $(dir $@)secret.key > $@
+
+%/secret.pgp: %/secret.pgp.raw pgpcrc
+        (printf -- '-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: test\n\n' && \
+        base64 < $< && \
+        printf -- '=' && \
+        ./pgpcrc < $< | base64 && \
+        printf -- '-----END PGP PRIVATE KEY BLOCK-----\n' ) > $@
+
+%/gpg.conf: %/secret.pgp
+        rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg $(dir $@)pubring.kbx $(dir $@)private-keys-v1.d/*.key
+        GNUPGHOME=$(dir $@) gpg --import $<
         printf "%s:6:\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
-
-%/gpg.conf: %/secring.gpg
         printf "default-key %s\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
 
-%/secret.pgp: %/secring.gpg
-        GNUPGHOME=$(dir $@) gpg --armor --batch --no-tty --yes --export-secret-key "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
-
-%/minimal.pgp: %/secring.gpg
-        GNUPGHOME=$(dir $@) gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
+%/minimal.pgp: %/gpg.conf
+        if test -r $@; then rm $@; fi
+        GNUPGHOME=$(dir $@) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
 
 # Import and signing modify the shared keyring, which leads to race
 # conditions with parallel make. Locking avoids this problem.
 %/cert.pgp: %/minimal.pgp authority/gpg.conf
+        if test -r $@; then rm $@; fi
         GNUPGHOME=authority $(GPG_FLOCK) gpg --import $<
         GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
-        GNUPGHOME=authority gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
+        GNUPGHOME=authority gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
 
 # special cases for the authorities' root certs:
 authority/x509.pem: authority.template authority/secret.key
-        certtool --generate-self-signed --load-privkey authority/secret.key --template authority.template > $@
+        certtool --outfile $@ --generate-self-signed --load-privkey authority/secret.key --template authority.template
 rogueca/x509.pem: $(srcdir)/rogueca.template rogueca/secret.key
-        certtool --generate-self-signed --load-privkey rogueca/secret.key --template $(srcdir)/rogueca.template > $@
+        certtool --outfile $@ --generate-self-signed --load-privkey rogueca/secret.key --template $(srcdir)/rogueca.template
 
 %/cert-request: %.template %/secret.key
-        certtool --generate-request --load-privkey $(dir $@)secret.key --template $< > $@
+        certtool --outfile $@ --generate-request --load-privkey $(dir $@)secret.key --template $<
 
 # normal case: certificates signed by test CA
 %/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem
-        certtool --generate-certificate --load-ca-certificate authority/x509.pem --load-ca-privkey authority/secret.key --load-request $(dir $@)cert-request --template $< > $@
+        certtool --outfile $@ --generate-certificate --load-ca-certificate authority/x509.pem --load-ca-privkey authority/secret.key --load-request $(dir $@)cert-request --template $<
 
 # error case: certificates signed by rogue CA
 rogue%/x509.pem: rogue%.template rogue%/cert-request rogueca/x509.pem
-        certtool --generate-certificate --load-ca-certificate rogueca/x509.pem --load-ca-privkey rogueca/secret.key --load-request $(dir $@)cert-request --template $< > $@
+        certtool --outfile $@ --generate-certificate --load-ca-certificate rogueca/x509.pem --load-ca-privkey rogueca/secret.key --load-request $(dir $@)cert-request --template $<
 
 %/softhsm.conf: %/secret.key
@@ -84 +91 @@
 %/crl.pem: %/x509.pem ${srcdir}/%-crl.template
         certtool --generate-crl \
+                --outfile $@ \
                 --load-ca-privkey authority/secret.key \
                 --load-ca-certificate authority/x509.pem \
                 --load-certificate $< \
-                --template "${srcdir}/$(*)-crl.template" \
-                > $@
+                --template "${srcdir}/$(*)-crl.template"