Changeset b674e95 in mod_gnutls


Ignore:
Timestamp:
May 29, 2016, 3:38:07 PM (23 months ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, master, upstream
Children:
94cb972
Parents:
efe884e (diff), 086cea9 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
git-author:
Thomas Klute <thomas2.klute@…> (05/29/16 15:28:14)
git-committer:
Thomas Klute <thomas2.klute@…> (05/29/16 15:38:07)
Message:

Merge version 0.7.5 into ocsp branch

Files:
1 added
10 edited

Legend:

Unmodified
Added
Removed
  • CHANGELOG

    refe884e rb674e95  
    22- Handle Unclean Shutdowns
    33- make session cache use generic apache caches
     4
     5** Version 0.7.5 (2016-05-28)
     6- Sunil Mohan Adapa reported retry loops during session shutdown in
     7  cleanup_gnutls_session() due to gnutls_bye() incorrectly returning
     8  GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN. Setting the GnuTLS session
     9  errno in mgs_transport_write() fixes the problem.
     10- Import Daniel Kahn Gillmor's patches for GnuPG v2 support from the
     11  Debian package.
     12- Build system improvements that allow VPATH builds and get "make
     13  distcheck" to work
    414
    515** Version 0.7.4 (2016-04-13)
  • Makefile.am

    refe884e rb674e95  
    1 AUTOMAKE_OPTIONS = foreign dist-bzip2
     1AUTOMAKE_OPTIONS = foreign dist-bzip2 no-dist-gzip
    22
    33EXTRA_DIST = m4/outoforder.m4 m4/apache.m4 \
     
    88                NOTICE LICENSE
    99
     10AM_DISTCHECK_CONFIGURE_FLAGS = "--enable-vpath-install"
     11DISTCLEANFILES = config.nice
     12
    1013SUBDIRS = src test doc
    1114ACLOCAL_AMFLAGS = -I m4
  • configure.ac

    refe884e rb674e95  
    11dnl
    2 AC_INIT(mod_gnutls, 0.7.4)
     2AC_INIT(mod_gnutls, 0.7.5)
    33OOO_CONFIG_NICE(config.nice)
    44MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
     
    1414AM_CONFIG_HEADER(include/mod_gnutls_config.h:config.in)
    1515
     16LT_INIT([disable-static])
     17
    1618AC_SUBST(MOD_GNUTLS_VERSION)
    1719
     
    3335
    3436LIBGNUTLS_VERSION=`pkg-config --modversion gnutls`
     37
     38AC_ARG_ENABLE(vpath-install,
     39       AS_HELP_STRING([--enable-vpath-install],
     40               [Modify the Apache module directory provided by apxs to \
     41               follow --prefix, if necessary. Most users will not want this, \
     42               but it is required for VPATH builds including "make \
     43               distcheck".]),
     44       vpath_install=$enableval, vpath_install=no)
     45AM_CONDITIONAL([ENABLE_VPATH_INSTALL], [test "$vpath_install" = "yes"])
    3546
    3647AC_ARG_ENABLE(srp,
  • m4/apache.m4

    refe884e rb674e95  
    3939
    4040        AP_PREFIX="`$APXS_BIN -q prefix 2>/dev/null`"
     41        AP_EXEC_PREFIX="`$APXS_BIN -q exec_prefix 2>/dev/null`"
    4142
    4243        AP_BINDIR="`$APXS_BIN -q bindir 2>/dev/null`"
     
    126127        AC_SUBST(AP_DEFS)
    127128        AC_SUBST(AP_PREFIX)
     129        AC_SUBST(AP_EXEC_PREFIX)
    128130        AC_SUBST(AP_CFLAGS)
    129131        AC_SUBST(AP_CPPFLAGS)
  • src/Makefile.am

    refe884e rb674e95  
    1 CLEANFILES = .libs/libmod_gnutls *~
     1# installation directory for Apache modules
     2if ENABLE_VPATH_INSTALL
     3apmodpkglibdir = $(subst ${AP_EXEC_PREFIX},${prefix},${AP_LIBEXECDIR})
     4else
     5apmodpkglibdir = ${AP_LIBEXECDIR}
     6endif
    27
    3 libmod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c gnutls_config.c gnutls_hooks.c
    4 libmod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS}
    5 libmod_gnutls_la_LDFLAGS = -rpath ${AP_LIBEXECDIR} -module -avoid-version ${MODULE_LIBS}
     8mod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c gnutls_config.c gnutls_hooks.c
     9mod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS}
     10mod_gnutls_la_LDFLAGS = -module -avoid-version ${MODULE_LIBS}
    611
    7 lib_LTLIBRARIES = libmod_gnutls.la
    8 
    9 make_so: $(lib_LTLIBRARIES)
    10         @if test ! -L mod_gnutls.so ; then ln -s .libs/libmod_gnutls.so mod_gnutls.so ; fi
    11 
    12 clean:
    13         rm -f mod_gnutls.so
    14         rm -f *.o *.lo *.la
    15         rm -fr .libs
    16 
    17 install: make_so
    18         @${APXS_BIN} -i -n gnutls mod_gnutls.so
    19         @echo ""
    20         @echo ""
    21         @echo "***********************************************"
    22         @echo ""
    23         @echo "  Please read the manual in the doc/ directory for"
    24         @echo "  details on the configuration of this module"
    25         @echo ""
    26         @echo "***********************************************"
    27         @echo ""
     12apmodpkglib_LTLIBRARIES = mod_gnutls.la
  • src/gnutls_io.c

    refe884e rb674e95  
    765765/**
    766766 * Pull function for GnuTLS
     767 *
     768 * Generic errnos used for gnutls_transport_set_errno:
     769 * EIO: Unknown I/O error
     770 * ECONNABORTED: Input BB does not exist (NULL)
     771 *
     772 * The reason we are not using APR_TO_OS_ERROR to map apr_status_t to
     773 * errnos is this warning in the APR documentation: "If the statcode
     774 * was not created by apr_get_os_error or APR_FROM_OS_ERROR, the
     775 * results are undefined." We cannot know if this applies to any error
     776 * we might encounter.
    767777 */
    768778ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
     
    777787
    778788    /* If Len = 0, we don't do anything. */
    779     if (!len || buffer == NULL) {
     789    if (!len || buffer == NULL)
     790    {
    780791        return 0;
    781792    }
    782     if (!ctxt->input_bb) {
     793    /* Input bucket brigade is missing, EOF */
     794    if (!ctxt->input_bb)
     795    {
    783796        ctxt->input_rc = APR_EOF;
     797        gnutls_transport_set_errno(ctxt->session, ECONNABORTED);
    784798        return -1;
    785799    }
    786800
    787     if (APR_BRIGADE_EMPTY(ctxt->input_bb)) {
    788 
     801    if (APR_BRIGADE_EMPTY(ctxt->input_bb))
     802    {
    789803        rc = ap_get_brigade(ctxt->input_filter->next,
    790                 ctxt->input_bb, AP_MODE_READBYTES,
    791                 ctxt->input_block, in);
     804                            ctxt->input_bb, AP_MODE_READBYTES,
     805                            ctxt->input_block, in);
    792806
    793807        /* Not a problem, there was simply no data ready yet.
     
    803817            else
    804818            {
    805                 if (ctxt->session)
    806                     gnutls_transport_set_errno(ctxt->session,
    807                                                EAI_APR_TO_RAW(ctxt->input_rc));
     819                gnutls_transport_set_errno(ctxt->session,
     820                                           EAI_APR_TO_RAW(ctxt->input_rc));
    808821                return -1;
    809822            }
    810823        }
    811824
    812         if (rc != APR_SUCCESS) {
     825        if (rc != APR_SUCCESS)
     826        {
    813827            /* Unexpected errors discard the brigade */
    814828            apr_brigade_cleanup(ctxt->input_bb);
    815829            ctxt->input_bb = NULL;
     830            gnutls_transport_set_errno(ctxt->session, EIO);
    816831            return -1;
    817832        }
    818833    }
    819834
    820     ctxt->input_rc =
    821             brigade_consume(ctxt->input_bb, block, buffer, &len);
    822 
    823     if (ctxt->input_rc == APR_SUCCESS) {
     835    ctxt->input_rc = brigade_consume(ctxt->input_bb, block, buffer, &len);
     836
     837    if (ctxt->input_rc == APR_SUCCESS)
     838    {
    824839        return (ssize_t) len;
    825840    }
     
    830845        if (len == 0)
    831846        {
    832             if (ctxt->session)
    833                 gnutls_transport_set_errno(ctxt->session,
    834                                            EAI_APR_TO_RAW(ctxt->input_rc));
     847            gnutls_transport_set_errno(ctxt->session,
     848                                       EAI_APR_TO_RAW(ctxt->input_rc));
    835849            return -1;
    836850        }
     
    840854
    841855    /* Unexpected errors and APR_EOF clean out the brigade.
    842      * Subsequent calls will return APR_EOF.
    843      */
     856     * Subsequent calls will return APR_EOF. */
    844857    apr_brigade_cleanup(ctxt->input_bb);
    845858    ctxt->input_bb = NULL;
    846859
    847     if (APR_STATUS_IS_EOF(ctxt->input_rc) && len) {
    848         /* Provide the results of this read pass,
    849          * without resetting the BIO retry_read flag
    850          */
     860    if (APR_STATUS_IS_EOF(ctxt->input_rc) && len)
     861    {
     862        /* Some data has been received before EOF, return it. */
    851863        return (ssize_t) len;
    852864    }
    853865
     866    gnutls_transport_set_errno(ctxt->session, EIO);
    854867    return -1;
    855868}
    856869
     870/**
     871 * Push function for GnuTLS
     872 *
     873 * In case of unexpected errors gnutls_transport_set_errno is called
     874 * with EIO.  The reason we are not using APR_TO_OS_ERROR to map
     875 * apr_status_t to errnos is this warning in the APR documentation:
     876 * "If the statcode was not created by apr_get_os_error or
     877 * APR_FROM_OS_ERROR, the results are undefined." We cannot know if
     878 * this applies to any error we might encounter.
     879 */
    857880ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
    858         const void *buffer, size_t len) {
     881                            const void *buffer, size_t len)
     882{
    859883    mgs_handle_t *ctxt = ptr;
    860884
     
    869893    APR_BRIGADE_INSERT_TAIL(ctxt->output_bb, bucket);
    870894
    871     if (write_flush(ctxt) < 0) {
     895    if (write_flush(ctxt) < 0)
     896    {
     897        /* We encountered an error. APR_EINTR or APR_EAGAIN can be
     898         * handled, treat everything else as a generic I/O error. */
     899        int err = EIO;
     900        if (APR_STATUS_IS_EAGAIN(ctxt->output_rc)
     901            || APR_STATUS_IS_EINTR(ctxt->output_rc))
     902            err = EAI_APR_TO_RAW(ctxt->output_rc);
     903
     904        gnutls_transport_set_errno(ctxt->session, err);
    872905        return -1;
    873906    }
  • test/.gitignore

    refe884e rb674e95  
    2323*.lock
    2424gen_ocsp_index
     25pgpcrc
    2526.deps
  • test/Makefile.am

    refe884e rb674e95  
    3434TESTS = $(dist_check_SCRIPTS)
    3535
     36check_PROGRAMS = pgpcrc
     37pgpcrc_SOURCES = pgpcrc.c
     38
    3639# build OCSP database tool
    3740if ENABLE_OCSP_TEST
    38 check_PROGRAMS = gen_ocsp_index
     41check_PROGRAMS += gen_ocsp_index
    3942gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
    4043noinst_HEADERS = cert_helper.h
     
    5356# Append strings after ":=" to each identity to generate a list of
    5457# necessary files
    55 pgp_tokens = $(pgp_identities:=/secring.gpg) $(pgp_identities:=/cert.pgp) \
     58pgp_tokens = $(pgp_identities:=/cert.pgp) \
    5659        $(pgp_identities:=/secret.pgp)
    5760x509_keys = $(x509_identities:=/secret.key)
     
    104107# one day, so regenerating them is both fast and frequently
    105108# necessary.
    106 MOSTLYCLEANFILES += */*.pgp */*.gpg */*.gpg~ */gpg.conf authority/lock
     109MOSTLYCLEANFILES += */*.pgp */*.pgp.raw */*.gpg */*.gpg~ */gpg.conf \
     110        authority/lock */*.kbx */*.kbx~ */S.gpg-agent */private-keys-v1.d/*
    107111# GnuPG random pool, no need to regenerate on every build
    108112CLEANFILES += authority/random_seed
     
    163167
    164168mostlyclean-local: clean-softhsm2-db
     169        -rmdir $(pgp_identities:=/private-keys-v1.d) || true
     170if USE_MSVA
     171        -rmdir $(msva_home)/private-keys-v1.d || true
     172endif
    165173
    166174clean-local:
     
    172180
    173181# Apache configuration and data files
    174 apache_data = base_apache.conf cgi_module.conf data/* mime.types ocsp_server.conf proxy_mods.conf
    175 
    176 EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in common.bash \
    177         proxy_backend.bash runtests server-crl.template softhsm.bash
     182apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/ocsp.cgi \
     183        data/secret.txt data/test.txt mime.types ocsp_server.conf \
     184        proxy_mods.conf
     185
     186EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=.uid.in) \
     187        common.bash proxy_backend.bash runtests server-crl.template \
     188        softhsm.bash
    178189
    179190# Lockfile for the main Apache process
  • test/base_apache.conf

    refe884e rb674e95  
    1616
    1717DocumentRoot ${srcdir}/data
    18 LoadModule gnutls_module ../src/.libs/libmod_gnutls.so
     18LoadModule gnutls_module ../src/.libs/mod_gnutls.so
  • test/test_ca.mk

    refe884e rb674e95  
    2020        mkdir -p $(dir $@)
    2121        chmod 0700 $(dir $@)
    22         certtool --generate-privkey > $@
     22        certtool --outfile $@ --generate-privkey
    2323
    24 %/secring.gpg: %.uid %/secret.key
    25         rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg
    26         PEM2OPENPGP_EXPIRATION=86400 PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign pem2openpgp "$$(cat $<)" < $(dir $@)secret.key | GNUPGHOME=$(dir $@) gpg --import
     24%/secret.pgp.raw: %.uid %/secret.key
     25        PEM2OPENPGP_EXPIRATION=86400 PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign pem2openpgp "$$(cat $<)" < $(dir $@)secret.key > $@
     26
     27%/secret.pgp: %/secret.pgp.raw pgpcrc
     28        (printf -- '-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: test\n\n' && \
     29        base64 < $< && \
     30        printf -- '=' && \
     31        ./pgpcrc < $< | base64 && \
     32        printf -- '-----END PGP PRIVATE KEY BLOCK-----\n' ) > $@
     33
     34%/gpg.conf: %/secret.pgp
     35        rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg $(dir $@)pubring.kbx $(dir $@)private-keys-v1.d/*.key
     36        GNUPGHOME=$(dir $@) gpg --import $<
    2737        printf "%s:6:\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
    28 
    29 %/gpg.conf: %/secring.gpg
    3038        printf "default-key %s\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
    3139
    32 %/secret.pgp: %/secring.gpg
    33         GNUPGHOME=$(dir $@) gpg --armor --batch --no-tty --yes --export-secret-key "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
    34 
    35 %/minimal.pgp: %/secring.gpg
    36         GNUPGHOME=$(dir $@) gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
     40%/minimal.pgp: %/gpg.conf
     41        if test -r $@; then rm $@; fi
     42        GNUPGHOME=$(dir $@) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
    3743
    3844# Import and signing modify the shared keyring, which leads to race
    3945# conditions with parallel make. Locking avoids this problem.
    4046%/cert.pgp: %/minimal.pgp authority/gpg.conf
     47        if test -r $@; then rm $@; fi
    4148        GNUPGHOME=authority $(GPG_FLOCK) gpg --import $<
    4249        GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
    43         GNUPGHOME=authority gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
     50        GNUPGHOME=authority gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
    4451
    4552# special cases for the authorities' root certs:
    4653authority/x509.pem: authority.template authority/secret.key
    47         certtool --generate-self-signed --load-privkey authority/secret.key --template authority.template > $@
     54        certtool --outfile $@ --generate-self-signed --load-privkey authority/secret.key --template authority.template
    4855rogueca/x509.pem: $(srcdir)/rogueca.template rogueca/secret.key
    49         certtool --generate-self-signed --load-privkey rogueca/secret.key --template $(srcdir)/rogueca.template > $@
     56        certtool --outfile $@ --generate-self-signed --load-privkey rogueca/secret.key --template $(srcdir)/rogueca.template
    5057
    5158%/cert-request: %.template %/secret.key
    52         certtool --generate-request --load-privkey $(dir $@)secret.key --template $< > $@
     59        certtool --outfile $@ --generate-request --load-privkey $(dir $@)secret.key --template $<
    5360
    5461# normal case: certificates signed by test CA
    5562%/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem
    56         certtool --generate-certificate --load-ca-certificate authority/x509.pem --load-ca-privkey authority/secret.key --load-request $(dir $@)cert-request --template $< > $@
     63        certtool --outfile $@ --generate-certificate --load-ca-certificate authority/x509.pem --load-ca-privkey authority/secret.key --load-request $(dir $@)cert-request --template $<
    5764
    5865# error case: certificates signed by rogue CA
    5966rogue%/x509.pem: rogue%.template rogue%/cert-request rogueca/x509.pem
    60         certtool --generate-certificate --load-ca-certificate rogueca/x509.pem --load-ca-privkey rogueca/secret.key --load-request $(dir $@)cert-request --template $< > $@
     67        certtool --outfile $@ --generate-certificate --load-ca-certificate rogueca/x509.pem --load-ca-privkey rogueca/secret.key --load-request $(dir $@)cert-request --template $<
    6168
    6269%/softhsm.conf: %/secret.key
     
    8491%/crl.pem: %/x509.pem ${srcdir}/%-crl.template
    8592        certtool --generate-crl \
     93                --outfile $@ \
    8694                --load-ca-privkey authority/secret.key \
    8795                --load-ca-certificate authority/x509.pem \
    8896                --load-certificate $< \
    89                 --template "${srcdir}/$(*)-crl.template" \
    90                 > $@
     97                --template "${srcdir}/$(*)-crl.template"
Note: See TracChangeset for help on using the changeset viewer.