Changes in / [556783e:e376ed8] in mod_gnutls

Files:

• CHANGELOG (modified) (1 diff)
• configure.ac (modified) (1 diff)
• doc/.gitignore (modified) (1 diff)
• doc/Makefile.am (modified) (3 diffs)
• doc/mod_gnutls.whatis (added)
• doc/mod_gnutls_manual.mdwn (modified) (3 diffs)
• doc/mod_gnutls_manual.yaml.in (modified) (1 diff)
• src/mod_gnutls.c (modified) (2 diffs)
• test/runtests (modified) (2 diffs)
• test/tests/00_basic/output (modified) (1 diff)
• test/tests/01_serverwide_priorities/output (modified) (1 diff)
• test/tests/03_cachetimeout_in_vhost/output (modified) (1 diff)
• test/tests/04_basic_nosni/output (modified) (1 diff)
• test/tests/06_verify_sni_a/output (modified) (1 diff)
• test/tests/07_verify_sni_b/output (modified) (1 diff)
• test/tests/08_verify_no_sni_fallback_to_first_vhost/output (modified) (1 diff)
• test/tests/10_basic_client_verification/output (modified) (1 diff)
• test/tests/14_resume_session/output (modified) (1 diff)
• test/tests/15_basic_msva/output (modified) (1 diff)
• test/tests/18_client_verification_wrong_cert/output (modified) (1 diff)
• test/tests/19_TLS_reverse_proxy/output (modified) (1 diff)
• test/tests/20_TLS_reverse_proxy_client_auth/output (modified) (1 diff)
• test/tests/21_TLS_reverse_proxy_wrong_cert/output (modified) (2 diffs)
• test/tests/22_TLS_reverse_proxy_crl_revoke/output (modified) (2 diffs)
• test/tests/23_TLS_reverse_proxy_mismatched_priorities/output (modified) (2 diffs)
• test/tests/24_pkcs11_cert/output (modified) (1 diff)
• test/tests/27_OCSP_server/output (modified) (1 diff)
• test/tests/29_force_handshake_vhost/output (modified) (1 diff)
• test/tests/30_ip_based_vhosts/output (modified) (1 diff)
• test/tests/31_vhost_SNI_serveralias_match/output (modified) (1 diff)
• test/tests/32_vhost_SNI_serveralias_mismatch/output (modified) (1 diff)
• test/tests/33_vhost_SNI_serveralias_missinghost/output (modified) (1 diff)
• test/tests/34_TLS_reverse_proxy_h2/output (modified) (1 diff)

CHANGELOG

@@ +1 @@
+** Version 0.9.1 (2019-11-29)
+- Fix possible segfault (NULL pointer dereference) on failed TLS
+  handshake. Calling ssl_var_lookup() after a failed handshake could
+  lead to GnuTLS session information functions being called on a NULL
+  session pointer, leading to segfault.
+- Remove URLs from expected error responses in the test suite. Apache
+  HTTPD removed request URLs from canned error messages to prevent
+  misleading text/links being displayed via crafted links
+  (CVE-2019-10092). Adjust the expected error responses in our tests
+  so they can pass again.
+- Test suite: Ignore "Content-Length" header of responses. Thanks to
+  Krista Karppinen!
+- Add a section about module dependencies on socache to the handbook
+- Restructure the manpage build and move it to section 5 (config
+  files)
+- Test suite: Restructure certificate directories
+
 ** Version 0.9.0 (2019-01-23)
 - Security fix: Refuse to send or receive any data over a failed TLS

configure.ac

@@ -1 @@
-AC_INIT(mod_gnutls, 0.9.0)
+AC_INIT(mod_gnutls, 0.9.1)
 OOO_CONFIG_NICE(config.nice)
 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION

doc/.gitignore

@@ -1 +1 @@
 *.html
-*.man
+*.5
 *.pdf
 doxygen.conf

doc/Makefile.am

@@ -1 @@
-EXTRA_DIST = mod_gnutls_manual.mdwn mod_gnutls_manual.yaml.in
+EXTRA_DIST = mod_gnutls_manual.mdwn mod_gnutls_manual.yaml.in \
+        mod_gnutls.whatis
 
 if USE_PANDOC
 html_DATA = mod_gnutls_manual.html
-man3_MANS = mod_gnutls_manual.man
+man5_MANS = mod_gnutls.5
 if USE_PDFLATEX
 # pandoc && pdflatex
@@ -15 +16 @@
 endif
 
-MOSTLYCLEANFILES = $(html_DATA) $(pdf_DATA) $(man3_MANS)
+MOSTLYCLEANFILES = $(html_DATA) $(pdf_DATA) $(man5_MANS)
 
 %.yaml: %.yaml.in
@@ -21 +22 @@
 
 if USE_PANDOC
-%.man: %.mdwn %.yaml
+%.5: %.whatis %_manual.mdwn %_manual.yaml
         $(PANDOC) --standalone -f markdown -t man -o $@ $^
 
 if USE_PDFLATEX
-%.pdf: %.mdwn
-        $(PANDOC) --toc -f markdown -o $@ $<
+%.pdf: %.mdwn %.yaml
+        $(PANDOC) --toc -f markdown -o $@ $^
 endif
 endif
 
-%.html: %.mdwn
+%.html: %.mdwn %.yaml
 if USE_PANDOC
-        $(PANDOC) --toc --standalone -f markdown -o $@ $<
+        $(PANDOC) --toc --standalone -f markdown -o $@ $^
 else
 if USE_MARKDOWN

doc/mod_gnutls_manual.mdwn

@@ -1 @@
-% `mod_gnutls` Manual
-
 * * * * *
 
@@ -47 +45 @@
 
     LoadModule gnutls_module modules/mod_gnutls.so
+
+Module Dependencies
+-------------------
+
+`mod_gnutls` uses the Apache HTTPD [Shared Object
+Cache](http://httpd.apache.org/docs/current/en/socache.html) to cache
+[OCSP responses for OCSP stapling](#gnutlsocspcache) and [TLS
+sessions](#gnutlscache). To use either cache you need to load a
+suitable `mod_socache_PROVIDER` module, which should be provided by
+your Apache installation.
+
+It is recommended to load at least `mod_socache_shmcb`. If that module
+is loaded `mod_gnutls` will [enable OCSP stapling by
+default](#gnutlsocspstapling), without needing any further
+configuration other than a [certificate chain](#gnutlscertificatefile)
+with OCSP support.
 
 Note on HTTP/2
@@ -327 +341 @@
 certificate, and optionally those of the issuing Certificate
 Authorities (CAs). If the file contains multiple certificates they
-should be ordered from EE to the CA closest to the root CA (or the
-root CA itself).
+must be ordered from EE to the CA closest to the root CA (or the root
+CA itself).
 
 Including at least the immediately issuing CA is highly recommended

doc/mod_gnutls_manual.yaml.in

@@ -1 +1 @@
 ---
-title: The mod_gnutls Manual
-section: 3
+title: mod_gnutls Manual
+section: 5
 header: mod_gnutls
 footer: __MOD_GNUTLS_VERSION__

src/mod_gnutls.c

@@ -3 +3 @@
  *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
- *  Copyright 2015-2018 Fiona Klute
+ *  Copyright 2015-2019 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -179 +179 @@
 
     /* TLS parameters are empty if there is no session */
-    if (ctxt == NULL || ctxt->c == NULL)
+    if (ctxt == NULL || ctxt->c == NULL || ctxt->session == NULL)
         return NULL;
 

test/runtests

@@ -50 +50 @@
 # Compare expected/actual outputs, filtering out headers from actual
 # output that are expected to change between runs or builds (currently
-# "Date" and "Server"). The headers must be excluded in the expected
-# output.
+# "Date", "Server" and "Content-Length"). The headers must be excluded
+# in the expected output.
 #
 # Parameters:
@@ -64 +64 @@
         grep -v -P '^Date:\s.*GMT\s?$' | \
         grep -v -P '^Server:\sApache'  | \
+        grep -v -P '^Content-Length:\s\d+\s?$' | \
         tail -n "$(wc -l < ${expected})" )
 }

test/tests/00_basic/output

@@ -1 +1 @@
 Accept-Ranges: bytes
-Content-Length: 5
 Connection: close
 Content-Type: text/plain

test/tests/01_serverwide_priorities/output

@@ -1 +1 @@
 Accept-Ranges: bytes
-Content-Length: 5
 Connection: close
 Content-Type: text/plain

test/tests/03_cachetimeout_in_vhost/output

@@ -1 +1 @@
 Accept-Ranges: bytes
-Content-Length: 5
 Connection: close
 Content-Type: text/plain

test/tests/04_basic_nosni/output

@@ -1 +1 @@
 Accept-Ranges: bytes
-Content-Length: 5
 Connection: close
 Content-Type: text/plain

test/tests/06_verify_sni_a/output

@@ -1 +1 @@
 Accept-Ranges: bytes
-Content-Length: 5
 Connection: close
 Content-Type: text/plain

test/tests/07_verify_sni_b/output

@@ -1 +1 @@
 Accept-Ranges: bytes
-Content-Length: 5
 Connection: close
 Content-Type: text/plain

test/tests/08_verify_no_sni_fallback_to_first_vhost/output

@@ -1 +1 @@
 Accept-Ranges: bytes
-Content-Length: 5
 Connection: close
 Content-Type: text/plain

test/tests/10_basic_client_verification/output

@@ -1 +1 @@
 Accept-Ranges: bytes
-Content-Length: 5
 Connection: close
 Content-Type: text/plain

test/tests/14_resume_session/output

@@ -1 +1 @@
 Accept-Ranges: bytes
-Content-Length: 5
 Connection: close
 Content-Type: text/plain

test/tests/15_basic_msva/output

@@ -1 +1 @@
 Accept-Ranges: bytes
-Content-Length: 5
 Connection: close
 Content-Type: text/plain

test/tests/18_client_verification_wrong_cert/output

@@ +1 @@
+<html><head>
+<title>403 Forbidden</title>
 </head><body>
 <h1>Forbidden</h1>
-<p>You don't have permission to access /test.txt
-on this server.<br />
-</p>
+<p>You don't have permission to access this resource.</p>
 </body></html>
 - Peer has closed the GnuTLS connection

test/tests/19_TLS_reverse_proxy/output

@@ -1 +1 @@
 Accept-Ranges: bytes
-Content-Length: 5
 Content-Type: text/plain
 Connection: close

test/tests/20_TLS_reverse_proxy_client_auth/output

@@ -1 +1 @@
 Accept-Ranges: bytes
-Content-Length: 5
 Content-Type: text/plain
 Connection: close

test/tests/21_TLS_reverse_proxy_wrong_cert/output

@@ -1 +1 @@
 HTTP/1.1 502 Proxy Error
-Content-Length: 407
 Connection: close
 Content-Type: text/html; charset=iso-8859-1
@@ -11 +10 @@
 <p>The proxy server received an invalid
 response from an upstream server.<br />
-The proxy server could not handle the request <em><a href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
-Reason: <strong>Error reading from remote server</strong></p></p>
+The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
 </body></html>
 - Peer has closed the GnuTLS connection

test/tests/22_TLS_reverse_proxy_crl_revoke/output

@@ -1 +1 @@
 HTTP/1.1 502 Proxy Error
-Content-Length: 407
 Connection: close
 Content-Type: text/html; charset=iso-8859-1
@@ -11 +10 @@
 <p>The proxy server received an invalid
 response from an upstream server.<br />
-The proxy server could not handle the request <em><a href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
-Reason: <strong>Error reading from remote server</strong></p></p>
+The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
 </body></html>
 - Peer has closed the GnuTLS connection

test/tests/23_TLS_reverse_proxy_mismatched_priorities/output

@@ -1 +1 @@
 HTTP/1.1 502 Proxy Error
-Content-Length: 407
 Connection: close
 Content-Type: text/html; charset=iso-8859-1
@@ -11 +10 @@
 <p>The proxy server received an invalid
 response from an upstream server.<br />
-The proxy server could not handle the request <em><a href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
-Reason: <strong>Error reading from remote server</strong></p></p>
+The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
 </body></html>
 - Peer has closed the GnuTLS connection

test/tests/24_pkcs11_cert/output

@@ -1 +1 @@
 Accept-Ranges: bytes
-Content-Length: 5
 Connection: close
 Content-Type: text/plain

test/tests/27_OCSP_server/output

@@ -1 +1 @@
 Accept-Ranges: bytes
-Content-Length: 5
 Connection: close
 Content-Type: text/plain

test/tests/29_force_handshake_vhost/output

@@ -1 +1 @@
 HTTP/1.1 421 Misdirected Request
-Content-Length: 322
 Connection: close
 Content-Type: text/html; charset=iso-8859-1

test/tests/30_ip_based_vhosts/output

@@ -1 +1 @@
 Accept-Ranges: bytes
-Content-Length: 5
 Connection: close
 Content-Type: text/plain

test/tests/31_vhost_SNI_serveralias_match/output

@@ -1 +1 @@
 Accept-Ranges: bytes
-Content-Length: 5
 Connection: close
 Content-Type: text/plain

test/tests/32_vhost_SNI_serveralias_mismatch/output

@@ -1 +1 @@
 HTTP/1.1 421 Misdirected Request
-Content-Length: 322
 Connection: close
 Content-Type: text/html; charset=iso-8859-1

test/tests/33_vhost_SNI_serveralias_missinghost/output

@@ -1 +1 @@
 HTTP/1.1 421 Misdirected Request
-Content-Length: 322
 Connection: close
 Content-Type: text/html; charset=iso-8859-1

test/tests/34_TLS_reverse_proxy_h2/output

@@ -1 +1 @@
 Accept-Ranges: bytes
-Content-Length: 5
 Content-Type: text/plain
 Connection: close