Changeset c4a015b in mod_gnutls


Timestamp:
Apr 4, 2015, 5:03:43 PM (4 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, upstream
Children:
01b5d85
Parents:
259e835 (diff), 9a06bbd (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
Message:

Merge branch 'split-testsuite' into new-gnutls-api

OpenPGP support is still broken, but this will make testing a lot
easier.

Files:
20 added
2 deleted
6 edited
92 moved

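--- a/Makefile.am
+++ b/Makefile.am
@@ -8,5 +8,4 @@
                 NOTICE LICENSE autogen.sh
 
-SUBDIRS = src
+SUBDIRS = src test
 ACLOCAL_AMFLAGS = -I m4
-TESTS = run_tests.sh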
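--- a/README
+++ b/README
@@ -17,4 +17,5 @@
   Nikos Mavrogiannopoulos <nmav at gnutls.org>
   Dash Shendy <neuromancer at dash.za.net>
+  Thomas Klute <thomas2.klute@uni-dortmund.de>
 
 Prerequisites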
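--- a/configure.ac
+++ b/configure.ac
@@ -59,4 +59,5 @@
                [enable Monkeysphere client certificate verification]),
        use_msva=$enableval, use_msva=no)
+AM_CONDITIONAL([USE_MSVA], [test "$use_msva" = "$enableval"])
 
 MSVA_CFLAGS=""
@@ -82,5 +83,5 @@
 AC_SUBST(MODULE_LIBS)
 
-AC_CONFIG_FILES([Makefile src/Makefile include/mod_gnutls.h])
+AC_CONFIG_FILES([Makefile src/Makefile test/Makefile include/mod_gnutls.h])
 AC_OUTPUT
 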
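Review bot: The new `AM_CONDITIONAL([USE_MSVA], [test "$use_msva" = "$enableval"])` compares against `$enableval`, which at that point is simply whatever the most recently processed `AC_ARG_ENABLE` left behind, so `./configure --disable-msva` sets both to `no` and still defines USE_MSVA, and any other `--enable-*`/`--disable-*` option given on the command line can flip the result in either direction. The conditional should test the variable this option actually sets, e.g. `AM_CONDITIONAL([USE_MSVA], [test "$use_msva" != "no"])`. The `AC_ARG_ENABLE` this belongs to starts above the hunk; I am reading its default from the `use_msva=no` fallback visible on the second line.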
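--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -203,4 +203,6 @@
         /* Connection record */
     conn_rec* c;
+        /* Is TLS enabled for this connection? */
+    int enabled;
         /* GnuTLS Session handle */
     gnutls_session_t session;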
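Review bot: The comment on the new `enabled` field does not say how the flag is encoded, and every `mgs_handle_t` in this changeset comes from `apr_pcalloc`, so a reader cannot tell whether the zero-filled default counts as enabled, disabled or undecided. That matters because the two new hook checks in gnutls_hooks.c read it differently (`ctxt->enabled == GNUTLS_ENABLED_FALSE` in the pre-connection hook versus `ctxt->enabled != GNUTLS_ENABLED_TRUE` in the request hook), which only agree if GNUTLS_ENABLED_FALSE is 0. I would widen the comment to something like `/* TLS state of this connection: GNUTLS_ENABLED_TRUE or GNUTLS_ENABLED_FALSE. Records are apr_pcalloc'd, so 0 is the initial value — state here whether that equals GNUTLS_ENABLED_FALSE. */`. The struct definition starts and ends outside this hunk.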
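--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -632,12 +632,21 @@
 }
 
-static void create_gnutls_handle(conn_rec * c) {
-    mgs_handle_t *ctxt;
-    /* Get mod_gnutls Configuration Record */
-    mgs_srvconf_rec *sc =(mgs_srvconf_rec *)
-            ap_get_module_config(c->base_server->module_config,&gnutls_module);
-
-    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-    ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
+static void create_gnutls_handle(conn_rec * c)
+{
+    /* Get mod_gnutls server configuration */
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+            ap_get_module_config(c->base_server->module_config, &gnutls_module);
+
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
+
+    /* Get connection specific configuration */
+    mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module);
+    if (ctxt == NULL)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s: allocating connection memory", __func__);
+        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
+        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+    }
+    ctxt->enabled = GNUTLS_ENABLED_TRUE;
     ctxt->c = c;
     ctxt->sc = sc;
@@ -650,13 +659,20 @@
     ctxt->output_blen = 0;
     ctxt->output_length = 0;
+
     /* Initialize GnuTLS Library */
-    gnutls_init(&ctxt->session, GNUTLS_SERVER);
+    int err = gnutls_init(&ctxt->session, GNUTLS_SERVER);
+    if (err != GNUTLS_E_SUCCESS)
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c, "gnutls_init failed!");
     /* Initialize Session Tickets */
     if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0) {
-        gnutls_session_ticket_enable_server(ctxt->session,&session_ticket_key);
+        err = gnutls_session_ticket_enable_server(ctxt->session, &session_ticket_key);
+        if (err != GNUTLS_E_SUCCESS)
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c, "gnutls_session_ticket_enable_server failed!");
     }
 
     /* Set Default Priority */
-        gnutls_priority_set_direct (ctxt->session, "NORMAL", NULL);
+        err = gnutls_priority_set_direct(ctxt->session, "NORMAL", NULL);
+    if (err != GNUTLS_E_SUCCESS)
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c, "gnutls_priority_set_direct failed!");
     /* Set Handshake function */
     gnutls_handshake_set_post_client_hello_function(ctxt->session,
@@ -665,6 +681,4 @@
     mgs_cache_session_init(ctxt);
 
-    /* Set this config for this connection */
-    ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
     /* Set pull, push & ptr functions */
     gnutls_transport_set_pull_function(ctxt->session,
@@ -680,13 +694,18 @@
 }
 
-int mgs_hook_pre_connection(conn_rec * c, void *csd __attribute__((unused))) {
-    mgs_srvconf_rec *sc;
-
-    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-
-    sc = (mgs_srvconf_rec *) ap_get_module_config(c->base_server->module_config,
-            &gnutls_module);
-
-    if (sc && (!sc->enabled || sc->proxy_enabled == GNUTLS_ENABLED_TRUE)) {
+int mgs_hook_pre_connection(conn_rec * c, void *csd __attribute__((unused)))
+{
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
+
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(c->base_server->module_config, &gnutls_module);
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+
+    if ((sc && (!sc->enabled || sc->proxy_enabled == GNUTLS_ENABLED_TRUE))
+        || (ctxt && ctxt->enabled == GNUTLS_ENABLED_FALSE))
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s declined connection",
+                      __func__);
         return DECLINED;
     }
@@ -710,9 +729,10 @@
     apr_table_t *env = r->subprocess_env;
 
-    ctxt =
-            ap_get_module_config(r->connection->conn_config,
-            &gnutls_module);
-
-    if (!ctxt || ctxt->session == NULL) {
+    ctxt = ap_get_module_config(r->connection->conn_config,
+                                &gnutls_module);
+
+    if (!ctxt || ctxt->enabled != GNUTLS_ENABLED_TRUE || ctxt->session == NULL)
+    {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "request declined in %s", __func__);
         return DECLINED;
     }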
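Review bot: In create_gnutls_handle (second hunk) a failing `gnutls_init` is only logged and the function keeps going: `ctxt->enabled` was already set to GNUTLS_ENABLED_TRUE a few lines earlier, and `gnutls_session_ticket_enable_server`, `gnutls_priority_set_direct` and the transport/handshake setup that follows are then all called on a session that was never initialised. Since the function is void, the practical recovery is to mark the connection as not TLS-capable and return, so that the `ctxt->enabled != GNUTLS_ENABLED_TRUE || ctxt->session == NULL` check added in the last hunk declines requests on it; whether the pull/push callbacks installed after this point tolerate a NULL session is outside what this diff shows. A second, smaller point: the `status` argument of `ap_log_cerror` is an apr_status_t, so passing the negative GnuTLS code as `err` makes APR append an unrelated strerror text; logging `0` as status and `gnutls_strerror(err)` in the message gives the real reason, and the same applies to the other two `ap_log_cerror(..., err, ...)` calls in this hunk.
```c
    /* Initialize GnuTLS Library */
    int err = gnutls_init(&ctxt->session, GNUTLS_SERVER);
    if (err != GNUTLS_E_SUCCESS)
    {
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, "gnutls_init failed: %s",
                      gnutls_strerror(err));
        /* No session to work with: leave TLS off for this connection so the
         * request hook declines it instead of using an uninitialised
         * gnutls_session_t. */
        ctxt->session = NULL;
        ctxt->enabled = GNUTLS_ENABLED_FALSE;
        return;
    }
    /* … unchanged: session ticket and priority setup (log gnutls_strerror(err) there too) … */
```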
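--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -20,6 +20,10 @@
 #include "mod_gnutls.h"
 
-static void gnutls_hooks(apr_pool_t * p __attribute__((unused))) {
-
+#ifdef APLOG_USE_MODULE
+APLOG_USE_MODULE(gnutls);
+#endif
+
+static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
+{
     /* Try Run Post-Config Hook After mod_proxy */
     static const char * const aszPre[] = { "mod_proxy.c", NULL };
@@ -75,14 +79,27 @@
 }
 
-int ssl_engine_disable(conn_rec *c) {
+int ssl_engine_disable(conn_rec *c)
+{
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-            ap_get_module_config(c->base_server->module_config, &gnutls_module);
+        ap_get_module_config(c->base_server->module_config, &gnutls_module);
     if(sc->enabled == GNUTLS_ENABLED_FALSE) {
         return 1;
     }
-    ap_remove_input_filter(c->input_filters);
-    ap_remove_input_filter(c->output_filters);
-    mgs_cleanup_pre_config(c->pool);
-    sc->enabled = 0;
+
+    /* disable TLS for this connection */
+    mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module);
+    if (ctxt == NULL)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s: allocating connection memory", __func__);
+        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
+        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+    }
+    ctxt->enabled = GNUTLS_ENABLED_FALSE;
+
+    if (c->input_filters)
+        ap_remove_input_filter(c->input_filters);
+    if (c->output_filters)
+        ap_remove_output_filter(c->output_filters);
+
     return 1;
 }
@@ -91,6 +108,6 @@
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
             ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    sc->proxy_enabled = 1;
-    sc->enabled = 0;
+    sc->proxy_enabled = GNUTLS_ENABLED_TRUE;
+    sc->enabled = GNUTLS_ENABLED_FALSE;
     return 1;
 }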
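Review bot: The last hunk still writes `sc->proxy_enabled = GNUTLS_ENABLED_TRUE;` and `sc->enabled = GNUTLS_ENABLED_FALSE;` into the server-level record fetched from `c->base_server`, whereas ssl_engine_disable in the hunk above was just changed to keep the disable flag in the per-connection `mgs_handle_t` precisely to stop mutating shared server state from a per-connection call. Because mgs_hook_pre_connection in gnutls_hooks.c declines any connection whose `sc` has `!sc->enabled` or `proxy_enabled == GNUTLS_ENABLED_TRUE`, a single call here appears to switch TLS off for every later connection that shares that server record, not just for `c`; whether that is intended for proxy back-ends I cannot tell from this diff. If it is not, the consistent fix is the same pattern as ssl_engine_disable: look up or allocate the `ctxt` on `c->conn_config`, record the proxy state there, and have the pre-connection hook read the per-connection flag. The function these two lines belong to starts outside the hunk.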
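--- a/test/.gitignore
+++ b/test/.gitignore
@@ -14,2 +14,5 @@
 authority.template
 msva.gnupghome
+*.log
+*.trs
+test.lock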
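--- a/test/README
+++ b/test/README
@@ -11,16 +11,12 @@
 =================
 
-from the top level of the source, just run:
+from the top level of the source, or from test/ (where this README is),
+just run:
 
  make check
 
-from t/ (where this README is), just run:
+from test/ you can also run specific tests (identified by number) with:
 
- make
-
-also from t/ you can also run specific tests (identified by number)
-with:
-
- make t-3
+ make -f TestMakefile t-3
 
 This should be handy when you're just trying to experiment with a new
@@ -33,10 +29,12 @@
 Please add more tests!
 
-The simplest way to add a test is (from t/):
+The simplest way to add a test is (from test/):
 
  ./newtest
 
-This will prompt you for a simple name for the test and then copy a starting
-set of files from tests/00_basic.
+This will prompt you for a simple name for the test and then copy a
+starting set of files from tests/00_basic, and create a script which
+you can add to TESTS in Makefile.am when your test is ready for
+inclusion in the test suite.
 
 
@@ -44,5 +42,5 @@
 ==============
 
-Each test consists of a directory in t/tests/, which will cause the
+Each test consists of a directory in test/tests/, which will cause the
 test suite to spin up an isolated apache instance and try to connect
 to it with gnutls-cli and make a simple HTTP 1.1 request.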
  • test/TestMakefile

    r259e835 rc4a015b  
    1515export TEST_QUERY_DELAY ?= 2
    1616
     17TEST_LOCK := ./test.lock
     18
    1719all: setup.done
    18         ./runtests
     20        TEST_LOCK=$(TEST_LOCK) ./runtests
    1921
    2022t-%: setup.done
    21         ./runtests $@
     23        TEST_LOCK=$(TEST_LOCK) ./runtests $@
    2224
    2325
     
    8789clean:
    8890        rm -rf server client authority logs cache outputs setup.done server.template msva.gnupghome \
    89          */*.pgp */*.gpg */*.pem */*.key authority.template client.template server.uid
     91         */*.pgp */*.gpg */*.gpg~ */*.pem */*.key authority.template client.template server.uid
     92        rmdir imposter rogueca
    9093
    9194.PHONY: all clean
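Review bot: The added `rmdir imposter rogueca` in the `clean` recipe is not error-tolerant: `rmdir` exits non-zero when a directory is missing or not empty, so a second `make clean`, or one run before setup ever created those directories, aborts the recipe at that line. Prefix it so make ignores the status, `-rmdir imposter rogueca`, or fold the two directories into the preceding `rm -rf` list if they are entirely generated. I cannot see from this hunk which step creates `imposter` and `rogueca`, so I am assuming they are test artefacts like the other entries on that line.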
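--- a/test/runtests
+++ b/test/runtests
@@ -6,4 +6,9 @@
 
 tests="${1##t-}"
+
+if [ -n "${TEST_LOCK}" ]; then
+    TEST_LOCK="$(realpath ${TEST_LOCK})"
+    flock_cmd="flock -w 10 ${TEST_LOCK}"
+fi
 
 BADVARS=0
@@ -21,4 +26,4 @@
 if [ . != "$(dirname "$0")" ]; then
-    printf "You should only run this mod-gnutls test suite from the t/ directory of the mod_gnutls source.\n" >&2
+    printf "You should only run this mod-gnutls test suite from the test/ directory of the mod_gnutls source.\n" >&2
     exit 1
 fi
@@ -37,4 +42,6 @@
     printf "\nApache error logs:\n"
     tail "../../logs/${TEST_NAME}.error.log"
-    stop_msva
+    if [ -n "${USE_MSVA}" ]; then
+        stop_msva
+    fi
 }
@@ -46,16 +53,20 @@
 fi
 
-GNUPGHOME=$(pwd)/msva.gnupghome MSVA_KEYSERVER_POLICY=never monkeysphere-validation-agent &
+if [ -n "${USE_MSVA}" ]; then
+    GNUPGHOME=$(pwd)/msva.gnupghome MSVA_KEYSERVER_POLICY=never monkeysphere-validation-agent &
+    trap stop_msva EXIT
 
-trap stop_msva EXIT
+    sleep "$TEST_GAP"
 
-sleep "$TEST_GAP"
+    printf "TESTING: initial MSVA verification\n"
+    MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" msva-query-agent https "$(cat client.uid)" x509pem client < client/x509.pem
+    printf "\nSUCCESS: initial MSVA verification\n"
+fi
 
-printf "TESTING: initial MSVA verification\n"
-MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" msva-query-agent https "$(cat client.uid)" x509pem client < client/x509.pem 
-printf "\nSUCCESS: initial MSVA verification\n"
-
-for t in $tests; do
-    sleep "$TEST_GAP"
+for t in $tests; do
+    if [ -z "${flock_cmd}" ]; then
+        echo "Warning: no lock file set"
+        sleep "$TEST_GAP"
+    fi
     export TEST_NAME="$(basename "$t")"
     output="../../outputs/${TEST_NAME}.output"
@@ -69,5 +80,14 @@
     printf "TESTING: %s%s\n" "$TEST_NAME" "$EXPECTED_FAILURE"
     trap apache_down_err EXIT
-    MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" /usr/sbin/apache2 -f "$(pwd)/apache.conf" -k start || [ -e fail.server ]
+    if [ -n "${USE_MSVA}" ]; then
+        ${flock_cmd} \
+            MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" \
+            /usr/sbin/apache2 -f "$(pwd)/apache.conf" -k start \
+            || [ -e fail.server ]
+    else
+        ${flock_cmd} \
+            /usr/sbin/apache2 -f "$(pwd)/apache.conf" -k start \
+            || [ -e fail.server ]
+    fi
 
     if (sed "s/__HOSTNAME__/${TEST_HOST}/" < ./input && sleep "$TEST_QUERY_DELAY") | \
@@ -88,8 +108,14 @@
     fi
     /usr/sbin/apache2 -f "$(pwd)/apache.conf" -k stop || [ -e fail.server ]
-    trap stop_msva EXIT
+    if [ -n "${USE_MSVA}" ]; then
+        trap stop_msva EXIT
+    else
+        trap - EXIT
+    fi
     printf "SUCCESS: %s\n" "$TEST_NAME"
     cd ../..
 done
 
-stop_msva
+if [ -n "${USE_MSVA}" ]; then
+    stop_msva
+fi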
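Review bot: In the new apache start block, the word `MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT"` is no longer in assignment position once `${flock_cmd}` precedes it: with TEST_LOCK set, `flock` receives it as the program to execute and fails, which the trailing `|| [ -e fail.server ]` then reports as a server failure; with `flock_cmd` empty, dash and bash (as far as I can tell) have already parsed it as an ordinary argument, so the shell tries to run it as a command instead of exporting it. Using `env` makes the line work in both cases: `${flock_cmd} env MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" /usr/sbin/apache2 -f "$(pwd)/apache.conf" -k start || [ -e fail.server ]`. Separately, `realpath ${TEST_LOCK}` in the first hunk is unquoted and breaks on a path containing whitespace; `"$(realpath "${TEST_LOCK}")"` fixes that, while the unquoted `${flock_cmd}` expansion is inherent to storing a command in a string and would need the lock path to be free of whitespace, which is worth a one-line comment.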
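--- a/test/setup
+++ b/test/setup
@@ -13,5 +13,5 @@
 
 if [ . != "$(dirname "$0")" ]; then
-    printf "You should only run this mod-gnutls test suite from the t/ directory of the mod_gnutls source.\n" >&2
+    printf "You should only run this mod-gnutls test suite from the test/ directory of the mod_gnutls source.\n" >&2
     exit 1
 fi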