Changeset b674e95 in mod_gnutls
- Timestamp:
- May 29, 2016, 3:38:07 PM (6 years ago)
- Branches:
- asyncio, debian/master, debian/stretch-backports, master, proxy-ticket, upstream
- Children:
- 94cb972
- Parents:
- efe884e (diff), 086cea9 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the(diff)
links above to see all the changes relative to each parent. - git-author:
- Thomas Klute <thomas2.klute@…> (05/29/16 15:28:14)
- git-committer:
- Thomas Klute <thomas2.klute@…> (05/29/16 15:38:07)
- Files:
-
- 1 added
- 10 edited
Legend:
- Unmodified
- Added
- Removed
-
CHANGELOG
refe884e rb674e95 2 2 - Handle Unclean Shutdowns 3 3 - make session cache use generic apache caches 4 5 ** Version 0.7.5 (2016-05-28) 6 - Sunil Mohan Adapa reported retry loops during session shutdown in 7 cleanup_gnutls_session() due to gnutls_bye() incorrectly returning 8 GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN. Setting the GnuTLS session 9 errno in mgs_transport_write() fixes the problem. 10 - Import Daniel Kahn Gillmor's patches for GnuPG v2 support from the 11 Debian package. 12 - Build system improvements that allow VPATH builds and get "make 13 distcheck" to work 4 14 5 15 ** Version 0.7.4 (2016-04-13) -
Makefile.am
refe884e rb674e95 1 AUTOMAKE_OPTIONS = foreign dist-bzip2 1 AUTOMAKE_OPTIONS = foreign dist-bzip2 no-dist-gzip 2 2 3 3 EXTRA_DIST = m4/outoforder.m4 m4/apache.m4 \ … … 8 8 NOTICE LICENSE 9 9 10 AM_DISTCHECK_CONFIGURE_FLAGS = "--enable-vpath-install" 11 DISTCLEANFILES = config.nice 12 10 13 SUBDIRS = src test doc 11 14 ACLOCAL_AMFLAGS = -I m4 -
configure.ac
refe884e rb674e95 1 1 dnl 2 AC_INIT(mod_gnutls, 0.7. 4)2 AC_INIT(mod_gnutls, 0.7.5) 3 3 OOO_CONFIG_NICE(config.nice) 4 4 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION … … 14 14 AM_CONFIG_HEADER(include/mod_gnutls_config.h:config.in) 15 15 16 LT_INIT([disable-static]) 17 16 18 AC_SUBST(MOD_GNUTLS_VERSION) 17 19 … … 33 35 34 36 LIBGNUTLS_VERSION=`pkg-config --modversion gnutls` 37 38 AC_ARG_ENABLE(vpath-install, 39 AS_HELP_STRING([--enable-vpath-install], 40 [Modify the Apache module directory provided by apxs to \ 41 follow --prefix, if necessary. Most users will not want this, \ 42 but it is required for VPATH builds including "make \ 43 distcheck".]), 44 vpath_install=$enableval, vpath_install=no) 45 AM_CONDITIONAL([ENABLE_VPATH_INSTALL], [test "$vpath_install" = "yes"]) 35 46 36 47 AC_ARG_ENABLE(srp, -
m4/apache.m4
refe884e rb674e95 39 39 40 40 AP_PREFIX="`$APXS_BIN -q prefix 2>/dev/null`" 41 AP_EXEC_PREFIX="`$APXS_BIN -q exec_prefix 2>/dev/null`" 41 42 42 43 AP_BINDIR="`$APXS_BIN -q bindir 2>/dev/null`" … … 126 127 AC_SUBST(AP_DEFS) 127 128 AC_SUBST(AP_PREFIX) 129 AC_SUBST(AP_EXEC_PREFIX) 128 130 AC_SUBST(AP_CFLAGS) 129 131 AC_SUBST(AP_CPPFLAGS) -
src/Makefile.am
refe884e rb674e95 1 CLEANFILES = .libs/libmod_gnutls *~ 1 # installation directory for Apache modules 2 if ENABLE_VPATH_INSTALL 3 apmodpkglibdir = $(subst ${AP_EXEC_PREFIX},${prefix},${AP_LIBEXECDIR}) 4 else 5 apmodpkglibdir = ${AP_LIBEXECDIR} 6 endif 2 7 3 libmod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c gnutls_config.c gnutls_hooks.c4 libmod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS}5 libmod_gnutls_la_LDFLAGS = -rpath ${AP_LIBEXECDIR}-module -avoid-version ${MODULE_LIBS}8 mod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c gnutls_config.c gnutls_hooks.c 9 mod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS} 10 mod_gnutls_la_LDFLAGS = -module -avoid-version ${MODULE_LIBS} 6 11 7 lib_LTLIBRARIES = libmod_gnutls.la 8 9 make_so: $(lib_LTLIBRARIES) 10 @if test ! -L mod_gnutls.so ; then ln -s .libs/libmod_gnutls.so mod_gnutls.so ; fi 11 12 clean: 13 rm -f mod_gnutls.so 14 rm -f *.o *.lo *.la 15 rm -fr .libs 16 17 install: make_so 18 @${APXS_BIN} -i -n gnutls mod_gnutls.so 19 @echo "" 20 @echo "" 21 @echo "***********************************************" 22 @echo "" 23 @echo " Please read the manual in the doc/ directory for" 24 @echo " details on the configuration of this module" 25 @echo "" 26 @echo "***********************************************" 27 @echo "" 12 apmodpkglib_LTLIBRARIES = mod_gnutls.la -
src/gnutls_io.c
refe884e rb674e95 765 765 /** 766 766 * Pull function for GnuTLS 767 * 768 * Generic errnos used for gnutls_transport_set_errno: 769 * EIO: Unknown I/O error 770 * ECONNABORTED: Input BB does not exist (NULL) 771 * 772 * The reason we are not using APR_TO_OS_ERROR to map apr_status_t to 773 * errnos is this warning in the APR documentation: "If the statcode 774 * was not created by apr_get_os_error or APR_FROM_OS_ERROR, the 775 * results are undefined." We cannot know if this applies to any error 776 * we might encounter. 767 777 */ 768 778 ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr, … … 777 787 778 788 /* If Len = 0, we don't do anything. */ 779 if (!len || buffer == NULL) { 789 if (!len || buffer == NULL) 790 { 780 791 return 0; 781 792 } 782 if (!ctxt->input_bb) { 793 /* Input bucket brigade is missing, EOF */ 794 if (!ctxt->input_bb) 795 { 783 796 ctxt->input_rc = APR_EOF; 797 gnutls_transport_set_errno(ctxt->session, ECONNABORTED); 784 798 return -1; 785 799 } 786 800 787 if (APR_BRIGADE_EMPTY(ctxt->input_bb)) {788 801 if (APR_BRIGADE_EMPTY(ctxt->input_bb)) 802 { 789 803 rc = ap_get_brigade(ctxt->input_filter->next, 790 ctxt->input_bb, AP_MODE_READBYTES,791 ctxt->input_block, in);804 ctxt->input_bb, AP_MODE_READBYTES, 805 ctxt->input_block, in); 792 806 793 807 /* Not a problem, there was simply no data ready yet. … … 803 817 else 804 818 { 805 if (ctxt->session) 806 gnutls_transport_set_errno(ctxt->session, 807 EAI_APR_TO_RAW(ctxt->input_rc)); 819 gnutls_transport_set_errno(ctxt->session, 820 EAI_APR_TO_RAW(ctxt->input_rc)); 808 821 return -1; 809 822 } 810 823 } 811 824 812 if (rc != APR_SUCCESS) { 825 if (rc != APR_SUCCESS) 826 { 813 827 /* Unexpected errors discard the brigade */ 814 828 apr_brigade_cleanup(ctxt->input_bb); 815 829 ctxt->input_bb = NULL; 830 gnutls_transport_set_errno(ctxt->session, EIO); 816 831 return -1; 817 832 } 818 833 } 819 834 820 ctxt->input_rc = 821 brigade_consume(ctxt->input_bb, block, buffer, &len); 822 823 if (ctxt->input_rc == APR_SUCCESS){835 ctxt->input_rc = brigade_consume(ctxt->input_bb, block, buffer, &len); 836 837 if (ctxt->input_rc == APR_SUCCESS) 838 { 824 839 return (ssize_t) len; 825 840 } … … 830 845 if (len == 0) 831 846 { 832 if (ctxt->session) 833 gnutls_transport_set_errno(ctxt->session, 834 EAI_APR_TO_RAW(ctxt->input_rc)); 847 gnutls_transport_set_errno(ctxt->session, 848 EAI_APR_TO_RAW(ctxt->input_rc)); 835 849 return -1; 836 850 } … … 840 854 841 855 /* Unexpected errors and APR_EOF clean out the brigade. 842 * Subsequent calls will return APR_EOF. 843 */ 856 * Subsequent calls will return APR_EOF. */ 844 857 apr_brigade_cleanup(ctxt->input_bb); 845 858 ctxt->input_bb = NULL; 846 859 847 if (APR_STATUS_IS_EOF(ctxt->input_rc) && len) { 848 /* Provide the results of this read pass, 849 * without resetting the BIO retry_read flag 850 */ 860 if (APR_STATUS_IS_EOF(ctxt->input_rc) && len) 861 { 862 /* Some data has been received before EOF, return it. */ 851 863 return (ssize_t) len; 852 864 } 853 865 866 gnutls_transport_set_errno(ctxt->session, EIO); 854 867 return -1; 855 868 } 856 869 870 /** 871 * Push function for GnuTLS 872 * 873 * In case of unexpected errors gnutls_transport_set_errno is called 874 * with EIO. The reason we are not using APR_TO_OS_ERROR to map 875 * apr_status_t to errnos is this warning in the APR documentation: 876 * "If the statcode was not created by apr_get_os_error or 877 * APR_FROM_OS_ERROR, the results are undefined." We cannot know if 878 * this applies to any error we might encounter. 879 */ 857 880 ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr, 858 const void *buffer, size_t len) { 881 const void *buffer, size_t len) 882 { 859 883 mgs_handle_t *ctxt = ptr; 860 884 … … 869 893 APR_BRIGADE_INSERT_TAIL(ctxt->output_bb, bucket); 870 894 871 if (write_flush(ctxt) < 0) { 895 if (write_flush(ctxt) < 0) 896 { 897 /* We encountered an error. APR_EINTR or APR_EAGAIN can be 898 * handled, treat everything else as a generic I/O error. */ 899 int err = EIO; 900 if (APR_STATUS_IS_EAGAIN(ctxt->output_rc) 901 || APR_STATUS_IS_EINTR(ctxt->output_rc)) 902 err = EAI_APR_TO_RAW(ctxt->output_rc); 903 904 gnutls_transport_set_errno(ctxt->session, err); 872 905 return -1; 873 906 } -
test/.gitignore
refe884e rb674e95 23 23 *.lock 24 24 gen_ocsp_index 25 pgpcrc 25 26 .deps -
test/Makefile.am
refe884e rb674e95 34 34 TESTS = $(dist_check_SCRIPTS) 35 35 36 check_PROGRAMS = pgpcrc 37 pgpcrc_SOURCES = pgpcrc.c 38 36 39 # build OCSP database tool 37 40 if ENABLE_OCSP_TEST 38 check_PROGRAMS = gen_ocsp_index41 check_PROGRAMS += gen_ocsp_index 39 42 gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c 40 43 noinst_HEADERS = cert_helper.h … … 53 56 # Append strings after ":=" to each identity to generate a list of 54 57 # necessary files 55 pgp_tokens = $(pgp_identities:=/ secring.gpg) $(pgp_identities:=/cert.pgp) \58 pgp_tokens = $(pgp_identities:=/cert.pgp) \ 56 59 $(pgp_identities:=/secret.pgp) 57 60 x509_keys = $(x509_identities:=/secret.key) … … 104 107 # one day, so regenerating them is both fast and frequently 105 108 # necessary. 106 MOSTLYCLEANFILES += */*.pgp */*.gpg */*.gpg~ */gpg.conf authority/lock 109 MOSTLYCLEANFILES += */*.pgp */*.pgp.raw */*.gpg */*.gpg~ */gpg.conf \ 110 authority/lock */*.kbx */*.kbx~ */S.gpg-agent */private-keys-v1.d/* 107 111 # GnuPG random pool, no need to regenerate on every build 108 112 CLEANFILES += authority/random_seed … … 163 167 164 168 mostlyclean-local: clean-softhsm2-db 169 -rmdir $(pgp_identities:=/private-keys-v1.d) || true 170 if USE_MSVA 171 -rmdir $(msva_home)/private-keys-v1.d || true 172 endif 165 173 166 174 clean-local: … … 172 180 173 181 # Apache configuration and data files 174 apache_data = base_apache.conf cgi_module.conf data/* mime.types ocsp_server.conf proxy_mods.conf 175 176 EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in common.bash \ 177 proxy_backend.bash runtests server-crl.template softhsm.bash 182 apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/ocsp.cgi \ 183 data/secret.txt data/test.txt mime.types ocsp_server.conf \ 184 proxy_mods.conf 185 186 EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=.uid.in) \ 187 common.bash proxy_backend.bash runtests server-crl.template \ 188 softhsm.bash 178 189 179 190 # Lockfile for the main Apache process -
test/base_apache.conf
refe884e rb674e95 16 16 17 17 DocumentRoot ${srcdir}/data 18 LoadModule gnutls_module ../src/.libs/ libmod_gnutls.so18 LoadModule gnutls_module ../src/.libs/mod_gnutls.so -
test/test_ca.mk
refe884e rb674e95 20 20 mkdir -p $(dir $@) 21 21 chmod 0700 $(dir $@) 22 certtool -- generate-privkey > $@22 certtool --outfile $@ --generate-privkey 23 23 24 %/secring.gpg: %.uid %/secret.key 25 rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg 26 PEM2OPENPGP_EXPIRATION=86400 PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign pem2openpgp "$$(cat $<)" < $(dir $@)secret.key | GNUPGHOME=$(dir $@) gpg --import 24 %/secret.pgp.raw: %.uid %/secret.key 25 PEM2OPENPGP_EXPIRATION=86400 PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign pem2openpgp "$$(cat $<)" < $(dir $@)secret.key > $@ 26 27 %/secret.pgp: %/secret.pgp.raw pgpcrc 28 (printf -- '-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: test\n\n' && \ 29 base64 < $< && \ 30 printf -- '=' && \ 31 ./pgpcrc < $< | base64 && \ 32 printf -- '-----END PGP PRIVATE KEY BLOCK-----\n' ) > $@ 33 34 %/gpg.conf: %/secret.pgp 35 rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg $(dir $@)pubring.kbx $(dir $@)private-keys-v1.d/*.key 36 GNUPGHOME=$(dir $@) gpg --import $< 27 37 printf "%s:6:\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust 28 29 %/gpg.conf: %/secring.gpg30 38 printf "default-key %s\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@ 31 39 32 %/secret.pgp: %/secring.gpg 33 GNUPGHOME=$(dir $@) gpg --armor --batch --no-tty --yes --export-secret-key "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@ 34 35 %/minimal.pgp: %/secring.gpg 36 GNUPGHOME=$(dir $@) gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@ 40 %/minimal.pgp: %/gpg.conf 41 if test -r $@; then rm $@; fi 42 GNUPGHOME=$(dir $@) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" 37 43 38 44 # Import and signing modify the shared keyring, which leads to race 39 45 # conditions with parallel make. Locking avoids this problem. 40 46 %/cert.pgp: %/minimal.pgp authority/gpg.conf 47 if test -r $@; then rm $@; fi 41 48 GNUPGHOME=authority $(GPG_FLOCK) gpg --import $< 42 49 GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" 43 GNUPGHOME=authority gpg -- armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@50 GNUPGHOME=authority gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" 44 51 45 52 # special cases for the authorities' root certs: 46 53 authority/x509.pem: authority.template authority/secret.key 47 certtool -- generate-self-signed --load-privkey authority/secret.key --template authority.template > $@54 certtool --outfile $@ --generate-self-signed --load-privkey authority/secret.key --template authority.template 48 55 rogueca/x509.pem: $(srcdir)/rogueca.template rogueca/secret.key 49 certtool -- generate-self-signed --load-privkey rogueca/secret.key --template $(srcdir)/rogueca.template > $@56 certtool --outfile $@ --generate-self-signed --load-privkey rogueca/secret.key --template $(srcdir)/rogueca.template 50 57 51 58 %/cert-request: %.template %/secret.key 52 certtool -- generate-request --load-privkey $(dir $@)secret.key --template $< > $@59 certtool --outfile $@ --generate-request --load-privkey $(dir $@)secret.key --template $< 53 60 54 61 # normal case: certificates signed by test CA 55 62 %/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem 56 certtool -- generate-certificate --load-ca-certificate authority/x509.pem --load-ca-privkey authority/secret.key --load-request $(dir $@)cert-request --template $< > $@63 certtool --outfile $@ --generate-certificate --load-ca-certificate authority/x509.pem --load-ca-privkey authority/secret.key --load-request $(dir $@)cert-request --template $< 57 64 58 65 # error case: certificates signed by rogue CA 59 66 rogue%/x509.pem: rogue%.template rogue%/cert-request rogueca/x509.pem 60 certtool -- generate-certificate --load-ca-certificate rogueca/x509.pem --load-ca-privkey rogueca/secret.key --load-request $(dir $@)cert-request --template $< > $@67 certtool --outfile $@ --generate-certificate --load-ca-certificate rogueca/x509.pem --load-ca-privkey rogueca/secret.key --load-request $(dir $@)cert-request --template $< 61 68 62 69 %/softhsm.conf: %/secret.key … … 84 91 %/crl.pem: %/x509.pem ${srcdir}/%-crl.template 85 92 certtool --generate-crl \ 93 --outfile $@ \ 86 94 --load-ca-privkey authority/secret.key \ 87 95 --load-ca-certificate authority/x509.pem \ 88 96 --load-certificate $< \ 89 --template "${srcdir}/$(*)-crl.template" \ 90 > $@ 97 --template "${srcdir}/$(*)-crl.template"
Note: See TracChangeset
for help on using the changeset viewer.