Changeset f5342b1 in mod_gnutls
- Timestamp:
- Apr 16, 2018, 8:42:39 PM (5 years ago)
- Branches:
- debian/master, debian/stretch-backports, upstream
- Children:
- 300ae82, f4ac9ccd
- Parents:
- e105d3e (diff), 2a912c3 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
- Files:
-
- 4 added
- 1 deleted
- 38 edited
- 1 moved
CHANGELOG
re105d3e rf5342b1 1 ** Version 0.8.3 (2017-10-20) 2 - Use GnuTLS' default DH parameters by default 3 - Handle long Server Name Indication data and gracefully ignore 4 unknown SNI types 5 - Send SNI for proxy connections 6 - Deprecate OpenPGP support like GnuTLS did (will be removed 7 completely in a future release) 8 - Do not announce session ticket support for proxy connections 9 - Minor documentation updates (SSL_CLIENT_I_DN, reference for SNI) 10 - Test suite: Simplify handling of proxy backend servers and OCSP 11 responders 12 - Test suite: stability/compatibility fixes 13 1 14 ** Version 0.8.2 (2017-01-08) 2 15 - Test suite: Ensure CRLF line ends in HTTP headers -
configure.ac
re105d3e rf5342b1 1 dnl 2 AC_INIT(mod_gnutls, 0.8.2) 1 AC_INIT(mod_gnutls, 0.8.3) 3 2 OOO_CONFIG_NICE(config.nice) 4 3 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION … … 65 64 STRICT_CFLAGS="" 66 65 if test "$use_strict" != "no"; then 67 STRICT_CFLAGS="-Wall -Werror -Wextra"66 STRICT_CFLAGS="-Wall -Werror -Wextra -Wno-error=deprecated-declarations" 68 67 fi 69 68 … … 84 83 AS_IF([${FLOCK} --timeout 1 ${lockfile} true >&AS_MESSAGE_LOG_FD 2>&1], 85 84 [flock_works="yes"], [flock_works="no"]) 85 AC_MSG_RESULT([$flock_works]) 86 # Old versions of flock do not support --verbose. They fail 87 # without executing the command but still return 0. Check for 88 # this behavior by testing if the rm command was executed. 89 AC_MSG_CHECKING([whether ${FLOCK} supports --verbose]) 90 testfile="$(mktemp)" 91 AS_IF([${FLOCK} --verbose --timeout 1 ${lockfile} rm "${testfile}" \ 92 >&AS_MESSAGE_LOG_FD 2>&1; test ! -e "${testfile}"], 93 [flock_verbose="yes"; FLOCK="${FLOCK} --verbose"], 94 [flock_verbose="no"; rm "${testfile}"]) 95 AC_MSG_RESULT([$flock_verbose]) 86 96 rm "${lockfile}" 87 AC_MSG_RESULT([$flock_works])88 97 ], 89 98 [flock_works="no"]) … … 143 152 # and test specific PID files if using namespaces, defaults otherwise. 144 153 AS_IF([test "$use_netns" = "yes"], 145 [MUTEX_ TYPE="pthread"; PID_AFFIX="-\${TEST_NAME}"],146 [MUTEX_ TYPE="default"; PID_AFFIX=""])147 AC_SUBST(MUTEX_ TYPE)154 [MUTEX_CONF="Mutex pthread default"; PID_AFFIX="-\${TEST_NAME}"], 155 [MUTEX_CONF=""; PID_AFFIX=""]) 156 AC_SUBST(MUTEX_CONF) 148 157 AC_SUBST(PID_AFFIX) 149 AM_SUBST_NOTMAKE(MUTEX_ TYPE)158 AM_SUBST_NOTMAKE(MUTEX_CONF) 150 159 AM_SUBST_NOTMAKE(PID_AFFIX) 151 160 … … 234 243 AM_SUBST_NOTMAKE(TEST_IP) 235 244 245 : ${TEST_LOCK_WAIT:="30"} 246 : ${TEST_QUERY_TIMEOUT:="30"} 247 AC_ARG_VAR([TEST_LOCK_WAIT], [Timeout in seconds to acquire locks for \ 248 Apache instances in the test suite, or the \ 249 previous instance to remove its PID file if \ 250 flock is not used. 
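Review bot: The new `--verbose` probe records support whenever the temporary file is absent afterwards, and a failed `mktemp` produces exactly that outcome: with `testfile="$(mktemp)"` empty, `rm ""` fails and `test ! -e ""` succeeds, so `flock_verbose=yes` is set without flock having proven anything. Guard the creation, e.g. `testfile="$(mktemp)" || AC_MSG_ERROR([could not create temporary file for the flock check])`, or add `test -n "${testfile}"` to the condition. Since the result is later spliced into `FLOCK="${FLOCK} --verbose"`, a wrong positive here turns into an unusable lock command for every test rather than a failed configure step.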
Default is 30.]) 251 AC_ARG_VAR([TEST_QUERY_TIMEOUT], [Timeout in seconds for HTTPS requests \ 252 sent using gnutls-cli in the test suite. \ 253 Default is 30.]) 254 236 255 dnl Allow user to set SoftHSM PKCS #11 module 237 256 AC_ARG_VAR([SOFTHSM_LIB], [Absolute path of the SoftHSM PKCS @%:@11 module to \ … … 247 266 # Available extra ports, tests can "Define" variables of the listed 248 267 # names in their apache.conf to enable them. 249 for j in TEST_HTTP_PORT OCSP_PORT; do268 for j in TEST_HTTP_PORT; do 250 269 LISTEN_LIST="${LISTEN_LIST} 251 270 <IfDefine ${j}>" … … 272 291 AC_CONFIG_FILES([Makefile src/Makefile test/Makefile test/tests/Makefile \ 273 292 doc/Makefile doc/doxygen.conf include/mod_gnutls.h \ 274 test/proxy_backend.conf \293 test/proxy_backend.conf test/ocsp_server.conf \ 275 294 test/apache-conf/listen.conf \ 276 295 test/apache-conf/netns.conf]) … … 283 302 echo " * Apache Modules directory: ${AP_LIBEXECDIR}" 284 303 echo " * GnuTLS Library version: ${LIBGNUTLS_VERSION}" 304 echo " * CFLAGS for GnuTLS: ${LIBGNUTLS_CFLAGS}" 305 echo " * LDFLAGS for GnuTLS: ${LIBGNUTLS_LIBS}" 285 306 echo " * SRP Authentication: ${use_srp}" 286 307 echo " * MSVA Client Verification: ${use_msva}" -
doc/mod_gnutls_manual.mdwn
re105d3e rf5342b1 178 178 ### GnuTLSDHFile 179 179 180 Set to the PKCS \#3 encoded DiffieHellman parameters180 Use the provided PKCS \#3 encoded Diffie-Hellman parameters 181 181 182 182 GnuTLSDHFile FILEPATH … … 185 185 Context: server config, virtual host 186 186 187 Takes an absolute or relative path to a PKCS \#3 encoded DH 188 parameters.Those are used when the DHE key exchange method is enabled. 189 You can generate this file using `certtool --generate-dh-params --bits 190 2048`. If not set `mod_gnutls` will use the included parameters. 187 By default, `mod_gnutls` uses the DH parameters included with GnuTLS 188 corresponding to the security level of the configured private keys if 189 compiled with GnuTLS 3.5.6 or newer, and the ffdhe2048 DH group as 190 defined in RFC 7919, Appendix A.1 otherwise. 191 192 If you need to use different DH parameters, you can provide a PEM file 193 containing them in PKCS \#3 encoding using this option. Please see the 194 "[Parameter 195 generation](https://gnutls.org/manual/html_node/Parameter-generation.html)" 196 section of the GnuTLS documentation for a short discussion of the 197 security implications. 191 198 192 199 ### GnuTLSPriorities … … 353 360 OpenPGP Certificate Authentication 354 361 ---------------------------------- 362 363 *Warning:* OpenPGP support has been deprecated in GnuTLS since version 364 3.5.9 and will be removed completely. Consequently, OpenPGP support in 365 `mod_gnutls` is deprecated as well and will be removed in a future 366 release. 355 367 356 368 ### GnuTLSPGPCertificateFile … … 721 733 722 734 `mod_gnutls` supports "Server Name Indication", as specified in 723 RFC 3546. This allows hosting many TLS websites with a single IP 724 a ddress. All recent browsers support this standard. Here is an725 example using SNI:735 [RFC 6066, Section 3](https://tools.ietf.org/html/rfc6066#section-3). This 736 allows hosting many TLS websites with a single IP address. 
All recent 737 browsers support this standard. Here is an example using SNI: 726 738 727 739 # Load the module into Apache. … … 889 901 ----------------- 890 902 891 The SSL or TLS cipher suite name 903 The distinguished name of the issuer of the client's certificate in 904 RFC2253 format. 892 905 893 906 `SSL_CLIENT_S_AN%` -
include/mod_gnutls.h.in
re105d3e rf5342b1 285 285 apr_status_t apr_signal_block(int signum); 286 286 287 /* Proxy Support */ 287 /* Proxy Support */ 288 /** mod_proxy adds a note with this key to the connection->notes table 289 * for client connections */ 290 #define PROXY_SNI_NOTE "proxy-request-hostname" 288 291 /* An optional function which returns non-zero if the given connection 289 292 is using SSL/TLS. */ … … 424 427 const int arg); 425 428 426 const char *mgs_set_require_section(cmd_parms *cmd,427 void *mconfig, const char *arg);428 429 void *mgs_config_server_create(apr_pool_t * p, server_rec * s); 429 430 void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD); … … 432 433 433 434 void *mgs_config_dir_create(apr_pool_t *p, char *dir); 434 435 const char *mgs_set_require_bytecode(cmd_parms *cmd,436 void *mconfig, const char *arg);437 435 438 436 mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session); -
src/gnutls_config.c
re105d3e rf5342b1 84 84 } 85 85 86 /* 2048-bit group parameters from SRP specification */ 87 const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n" 88 "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n" 89 "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n" 90 "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n" 91 "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n" 92 "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n" 93 "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n" 94 "-----END DH PARAMETERS-----\n"; 95 96 /* 97 * Clean up the various GnuTLS data structures allocated from 86 87 88 /** 89 * Clean up the various GnuTLS data structures allocated by 98 90 * mgs_load_files() 99 91 */ … … 254 246 #endif 255 247 256 if (sc->dh_params == NULL) 257 { 258 ret = gnutls_dh_params_init(&sc->dh_params); 259 if (ret < 0) { 260 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 261 "GnuTLS: Failed to initialize" 262 ": (%d) %s", ret, gnutls_strerror(ret)); 263 ret = -1; 264 goto cleanup; 265 } 266 267 /* Load DH parameters */ 268 if (sc->dh_file) 248 /* Load user provided DH parameters, if any */ 249 if (sc->dh_file) 250 { 251 if (sc->dh_params == NULL) 269 252 { 270 if (load_datum_from_file(spool, sc->dh_file, &data) != 0) { 253 ret = gnutls_dh_params_init(&sc->dh_params); 254 if (ret < 0) { 271 255 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 272 "GnuTLS: Error Reading " "DH params '%s'", sc->dh_file); 256 "GnuTLS: Failed to initialize" 257 ": (%d) %s", ret, gnutls_strerror(ret)); 273 258 ret = -1; 274 259 goto cleanup; 275 260 } 276 277 ret = 278 gnutls_dh_params_import_pkcs3(sc->dh_params, &data, 279 GNUTLS_X509_FMT_PEM); 280 if (ret < 0) { 281 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 282 "GnuTLS: Failed to Import " 283 "DH params '%s': (%d) %s", sc->dh_file, ret, 284 gnutls_strerror(ret)); 285 ret = -1; 286 goto cleanup; 287 } 288 } else { 289 gnutls_datum_t pdata = { 290 (void *) 
static_dh_params, 291 sizeof(static_dh_params) 292 }; 293 294 ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &pdata, GNUTLS_X509_FMT_PEM); 295 if (ret < 0) { 296 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 297 "GnuTLS: Unable to generate or load DH Params: (%d) %s", 298 ret, gnutls_strerror(ret)); 299 ret = -1; 300 goto cleanup; 301 } 261 } 262 263 if (load_datum_from_file(spool, sc->dh_file, &data) != 0) { 264 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 265 "GnuTLS: Error Reading " "DH params '%s'", sc->dh_file); 266 ret = -1; 267 goto cleanup; 268 } 269 270 ret = 271 gnutls_dh_params_import_pkcs3(sc->dh_params, &data, 272 GNUTLS_X509_FMT_PEM); 273 if (ret < 0) { 274 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 275 "GnuTLS: Failed to Import " 276 "DH params '%s': (%d) %s", sc->dh_file, ret, 277 gnutls_strerror(ret)); 278 ret = -1; 279 goto cleanup; 302 280 } 303 281 } … … 1109 1087 sc->priorities = NULL; 1110 1088 sc->dh_params = NULL; 1089 sc->dh_file = NULL; 1111 1090 sc->ca_list = NULL; 1112 1091 sc->ca_list_size = 0; -
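Review bot: On the two error paths after `gnutls_dh_params_init(&sc->dh_params)` in this hunk — the failed `load_datum_from_file` and the failed `gnutls_dh_params_import_pkcs3` — `sc->dh_params` stays non-NULL but holds no imported parameters before `goto cleanup`. The post-config code in this changeset chooses user parameters over the defaults purely on `sc->dh_params != NULL`, so unless the `cleanup` label (outside the hunk) deinitialises the structure or the `-1` return always aborts startup, a host could be configured with empty DH parameters instead of failing or falling back. Releasing and clearing on both paths, `gnutls_dh_params_deinit(sc->dh_params); sc->dh_params = NULL;`, makes the state unambiguous regardless of what the caller does with the return value. The function continues outside the hunk.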
src/gnutls_hooks.c
re105d3e rf5342b1 4 4 * Copyright 2011 Dash Shendy 5 5 * Copyright 2013-2014 Daniel Kahn Gillmor 6 * Copyright 2015-201 6Thomas Klute6 * Copyright 2015-2017 Thomas Klute 7 7 * 8 8 * Licensed under the Apache License, Version 2.0 (the "License"); … … 70 70 session_ticket_key.data = NULL; 71 71 session_ticket_key.size = 0; 72 /* Deinitialize GnuTLS Library */73 gnutls_global_deinit();74 72 return APR_SUCCESS; 75 73 } … … 118 116 } 119 117 120 /* Initialize GnuTLS Library */121 ret = gnutls_global_init();122 if (ret < 0) {123 ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, plog, "gnutls_global_init: %s", gnutls_strerror(ret));124 return DONE;125 }126 127 118 /* Generate a Session Key */ 128 119 ret = gnutls_session_ticket_key_generate(&session_ticket_key); … … 143 134 } 144 135 145 static int mgs_select_virtual_server_cb(gnutls_session_t session) { 146 147 mgs_handle_t *ctxt = NULL; 148 mgs_srvconf_rec *tsc = NULL; 136 /** 137 * Post client hello function for GnuTLS, used to configure the TLS 138 * server based on virtual host configuration. Uses SNI to select the 139 * virtual host if available. 140 * 141 * @param session the TLS session 142 * 143 * @return zero or a GnuTLS error code, as required by GnuTLS hook 144 * definition 145 */ 146 static int mgs_select_virtual_server_cb(gnutls_session_t session) 147 { 149 148 int ret = 0; 150 151 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__); 152 153 ctxt = gnutls_transport_get_ptr(session); 154 155 /* find the virtual server */ 156 tsc = mgs_find_sni_server(session); 157 158 if (tsc != NULL) { 159 // Found a TLS vhost based on the SNI from the client; use it instead. 149 mgs_handle_t *ctxt = gnutls_session_get_ptr(session); 150 151 /* try to find a virtual host */ 152 mgs_srvconf_rec *tsc = mgs_find_sni_server(session); 153 if (tsc != NULL) 154 { 155 /* Found a TLS vhost based on the SNI, configure the 156 * connection context. */ 160 157 ctxt->sc = tsc; 161 158 } … … 186 183 * negotiation. 
187 184 */ 188 189 185 ret = gnutls_priority_set(session, ctxt->sc->priorities); 186 190 187 /* actually it shouldn't fail since we have checked at startup */ 191 188 return ret; 192 193 189 } 194 190 … … 313 309 } 314 310 311 312 313 #if GNUTLS_VERSION_NUMBER >= 0x030506 314 #define HAVE_KNOWN_DH_GROUPS 1 315 #endif 316 #ifdef HAVE_KNOWN_DH_GROUPS 317 /** 318 * Try to estimate a GnuTLS security parameter based on the given 319 * private key. Any errors are logged. 320 * 321 * @param s The `server_rec` to use for logging 322 * 323 * @param key The private key to use 324 * 325 * @return `gnutls_sec_param_t` as returned by 326 * `gnutls_pk_bits_to_sec_param` for the key properties, or 327 * GNUTLS_SEC_PARAM_UNKNOWN in case of error 328 */ 329 static gnutls_sec_param_t sec_param_from_privkey(server_rec *server, 330 gnutls_privkey_t key) 331 { 332 unsigned int bits = 0; 333 int pk_algo = gnutls_privkey_get_pk_algorithm(key, &bits); 334 if (pk_algo < 0) 335 { 336 ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, server, 337 "%s: Could not get private key parameters: %s (%d)", 338 __func__, gnutls_strerror(pk_algo), pk_algo); 339 return GNUTLS_SEC_PARAM_UNKNOWN; 340 } 341 return gnutls_pk_bits_to_sec_param(pk_algo, bits); 342 } 343 #else 344 /** ffdhe2048 DH group as defined in RFC 7919, Appendix A.1. This is 345 * the default DH group if mod_gnutls is compiled agains a GnuTLS 346 * version that does not provide known DH groups based on security 347 * parameters (before 3.5.6). 
*/ 348 static const char FFDHE2048_PKCS3[] = 349 "-----BEGIN DH PARAMETERS-----\n" 350 "MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n" 351 "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n" 352 "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n" 353 "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n" 354 "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n" 355 "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICAQA=\n" 356 "-----END DH PARAMETERS-----\n"; 357 const gnutls_datum_t default_dh_params = { 358 (void *) FFDHE2048_PKCS3, 359 sizeof(FFDHE2048_PKCS3) 360 }; 361 #endif 362 363 364 365 /** 366 * Configure the default DH groups to use for the given server. When 367 * compiled against GnuTLS version 3.5.6 or newer the known DH group 368 * matching the GnuTLS security parameter estimated from the private 369 * key is used. Otherwise the ffdhe2048 DH group as defined in RFC 370 * 7919, Appendix A.1 is the default. 
371 * 372 * @param server the host to configure 373 * 374 * @return `OK` on success, `HTTP_UNAUTHORIZED` otherwise 375 */ 376 static int set_default_dh_param(server_rec *server) 377 { 378 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 379 ap_get_module_config(server->module_config, &gnutls_module); 380 381 #ifdef HAVE_KNOWN_DH_GROUPS 382 gnutls_sec_param_t seclevel = GNUTLS_SEC_PARAM_UNKNOWN; 383 if (sc->privkey_x509) 384 { 385 seclevel = sec_param_from_privkey(server, sc->privkey_x509); 386 ap_log_error(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, server, 387 "%s: GnuTLS security param estimated based on " 388 "private key '%s': %s", 389 __func__, sc->x509_key_file, 390 gnutls_sec_param_get_name(seclevel)); 391 } 392 393 if (seclevel == GNUTLS_SEC_PARAM_UNKNOWN) 394 seclevel = GNUTLS_SEC_PARAM_MEDIUM; 395 ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, server, 396 "%s: Setting DH params for security level '%s'.", 397 __func__, gnutls_sec_param_get_name(seclevel)); 398 399 int ret = gnutls_certificate_set_known_dh_params(sc->certs, seclevel); 400 if (ret < 0) 401 { 402 ap_log_error(APLOG_MARK, APLOG_EMERG, APR_EGENERAL, server, 403 "%s: setting known DH params failed: %s (%d)", 404 __func__, gnutls_strerror(ret), ret); 405 return HTTP_UNAUTHORIZED; 406 } 407 ret = gnutls_anon_set_server_known_dh_params(sc->anon_creds, seclevel); 408 if (ret < 0) 409 { 410 ap_log_error(APLOG_MARK, APLOG_EMERG, APR_EGENERAL, server, 411 "%s: setting known DH params failed: %s (%d)", 412 __func__, gnutls_strerror(ret), ret); 413 return HTTP_UNAUTHORIZED; 414 } 415 #else 416 int ret = gnutls_dh_params_init(&sc->dh_params); 417 if (ret < 0) 418 { 419 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server, 420 "%s: Failed to initialize DH params structure: " 421 "%s (%d)", __func__, gnutls_strerror(ret), ret); 422 return HTTP_UNAUTHORIZED; 423 } 424 ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &default_dh_params, 425 GNUTLS_X509_FMT_PEM); 426 if (ret < 0) 427 { 428 ap_log_error(APLOG_MARK, 
APLOG_STARTUP, 0, server, 429 "%s: Failed to import default DH params: %s (%d)", 430 __func__, gnutls_strerror(ret), ret); 431 return HTTP_UNAUTHORIZED; 432 } 433 434 gnutls_certificate_set_dh_params(sc->certs, sc->dh_params); 435 gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params); 436 #endif 437 438 return OK; 439 } 440 441 442 315 443 /** 316 444 * Post config hook. … … 328 456 int rv; 329 457 server_rec *s; 330 gnutls_dh_params_t dh_params = NULL;331 458 mgs_srvconf_rec *sc; 332 459 mgs_srvconf_rec *sc_base; … … 359 486 base_server, pconf, 0); 360 487 if (rv != APR_SUCCESS) 361 { 362 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, base_server, 363 "Failed to create mutex '" MGS_OCSP_MUTEX_NAME 364 "'."); 365 return HTTP_INTERNAL_SERVER_ERROR; 366 } 488 return rv; 367 489 } 368 490 … … 443 565 } 444 566 445 /* Check if DH params have been set per host*/567 /* Set host DH params from user configuration or defaults */ 446 568 if (sc->dh_params != NULL) { 447 569 gnutls_certificate_set_dh_params(sc->certs, sc->dh_params); 448 570 gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params); 449 } else if (dh_params) { 450 gnutls_certificate_set_dh_params(sc->certs, dh_params); 451 gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params); 571 } else { 572 rv = set_default_dh_param(s); 573 if (rv != OK) 574 return rv; 452 575 } 453 576 … … 484 607 } 485 608 609 /* If OpenPGP support is already disabled in the loaded GnuTLS 610 * library startup will fail if the configuration tries to 611 * load PGP credentials. Otherwise warn affected users about 612 * deprecation. */ 613 if (sc->pgp_cert_file || sc->pgp_key_file || sc->pgp_ring_file) 614 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, 615 "Host '%s:%d' is configured to use OpenPGP auth. 
" 616 "OpenPGP support has been deprecated in GnuTLS " 617 "since version 3.5.9 and will be removed from " 618 "mod_gnutls in a future release.", 619 s->server_hostname, s->port); 620 486 621 if (sc->enabled == GNUTLS_ENABLED_TRUE) { 487 622 rv = -1; … … 606 741 } 607 742 608 #define MAX_HOST_LEN 255 743 /** 744 * Default buffer size for SNI data, including the terminating NULL 745 * byte. The size matches what gnutls-cli uses initially. 746 */ 747 #define DEFAULT_SNI_HOST_LEN 256 609 748 610 749 typedef struct { … … 699 838 } 700 839 840 /** 841 * Get SNI data from GnuTLS (if any) and search for a matching virtual 842 * host configuration. This method is called from the post client 843 * hello function. 844 * 845 * @param session the GnuTLS session 846 * 847 * @return either the matching mod_gnutls server config, or `NULL` 848 */ 701 849 mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session) 702 850 { 703 int rv; 851 mgs_handle_t *ctxt = gnutls_session_get_ptr(session); 852 853 char *sni_name = apr_palloc(ctxt->c->pool, DEFAULT_SNI_HOST_LEN); 854 size_t sni_len = DEFAULT_SNI_HOST_LEN; 704 855 unsigned int sni_type; 705 size_t data_len = MAX_HOST_LEN; 706 char sni_name[MAX_HOST_LEN]; 707 mgs_handle_t *ctxt; 708 vhost_cb_rec cbx; 709 710 if (session == NULL) 856 857 /* Search for a DNS SNI element. Note that RFC 6066 prohibits more 858 * than one server name per type. */ 859 int sni_index = -1; 860 int rv = 0; 861 do { 862 /* The sni_index is incremented before each use, so if the 863 * loop terminates with a type match we will have the right 864 * one stored. 
*/ 865 rv = gnutls_server_name_get(session, sni_name, 866 &sni_len, &sni_type, ++sni_index); 867 if (rv == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) 868 { 869 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_EGENERAL, ctxt->c, 870 "%s: no DNS SNI found (last index: %d).", 871 __func__, sni_index); 872 return NULL; 873 } 874 } while (sni_type != GNUTLS_NAME_DNS); 875 /* The (rv == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) path inside 876 * the loop above returns, so if we reach this point we have a DNS 877 * SNI at the current index. */ 878 879 if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER) 880 { 881 /* Allocate a new buffer of the right size and retry */ 882 sni_name = apr_palloc(ctxt->c->pool, sni_len); 883 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c, 884 "%s: reallocated SNI data buffer for %" APR_SIZE_T_FMT 885 " bytes.", __func__, sni_len); 886 rv = gnutls_server_name_get(session, sni_name, 887 &sni_len, &sni_type, sni_index); 888 } 889 890 /* Unless there's a bug in the GnuTLS API only GNUTLS_E_IDNA_ERROR 891 * can occur here, but a catch all is safer and no more 892 * complicated. */ 893 if (rv != GNUTLS_E_SUCCESS) 894 { 895 ap_log_cerror(APLOG_MARK, APLOG_INFO, APR_EGENERAL, ctxt->c, 896 "%s: error while getting SNI DNS data: '%s' (%d).", 897 __func__, gnutls_strerror(rv), rv); 711 898 return NULL; 712 713 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__); 714 ctxt = gnutls_transport_get_ptr(session); 715 716 rv = gnutls_server_name_get(ctxt->session, sni_name, 717 &data_len, &sni_type, 0); 718 719 if (rv != 0) { 720 return NULL; 721 } 722 723 if (sni_type != GNUTLS_NAME_DNS) { 724 ap_log_cerror(APLOG_MARK, APLOG_CRIT, 0, ctxt->c, 725 "GnuTLS: Unknown type '%d' for SNI: '%s'", 726 sni_type, sni_name); 727 return NULL; 728 } 729 730 /** 731 * Code in the Core already sets up the c->base_server as the base 732 * for this IP/Port combo. Trust that the core did the 'right' thing. 
733 */ 734 cbx.ctxt = ctxt; 735 cbx.sc = NULL; 736 cbx.sni_name = sni_name; 737 899 } 900 901 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c, 902 "%s: client requested server '%s'.", 903 __func__, sni_name); 904 905 /* Search for vhosts matching connection parameters and the 906 * SNI. If a match is found, cbx.sc will contain the mod_gnutls 907 * server config for the vhost. */ 908 vhost_cb_rec cbx = { 909 .ctxt = ctxt, 910 .sc = NULL, 911 .sni_name = sni_name 912 }; 738 913 rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx); 739 914 if (rv == 1) { … … 824 999 ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c, 825 1000 "gnutls_init for proxy connection failed: %s (%d)", 826 gnutls_strerror(err), err);827 err = gnutls_session_ticket_enable_client(ctxt->session);828 if (err != GNUTLS_E_SUCCESS)829 ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,830 "gnutls_session_ticket_enable_client failed: %s (%d)",831 1001 gnutls_strerror(err), err); 832 1002 } … … 1791 1961 /* Get peer hostname from a note left by mod_proxy */ 1792 1962 const char *peer_hostname = 1793 apr_table_get(ctxt->c->notes, "proxy-request-hostname");1963 apr_table_get(ctxt->c->notes, PROXY_SNI_NOTE); 1794 1964 if (peer_hostname == NULL) 1795 1965 ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, ctxt->c, 1796 "%s: proxy-request-hostname isNULL, cannot check "1966 "%s: " PROXY_SNI_NOTE " NULL, cannot check " 1797 1967 "peer's hostname", __func__); 1798 1968 -
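Review bot: In mgs_find_sni_server the loop condition `} while (sni_type != GNUTLS_NAME_DNS);` reads `sni_type`, declared as `unsigned int sni_type;` with no initialiser, after every return of gnutls_server_name_get except GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; whether the type is written on other error returns (the GNUTLS_E_IDNA_ERROR case the later comment mentions, or an invalid-request error) depends on GnuTLS, so the comparison may use an indeterminate value and loop on it. Initialise the variable and leave the loop on any result other than success or the short-buffer case, so the existing `rv != GNUTLS_E_SUCCESS` check stays the single error exit: `unsigned int sni_type = 0;` and, after the NOT_AVAILABLE block inside the loop, `if (rv != GNUTLS_E_SUCCESS && rv != GNUTLS_E_SHORT_MEMORY_BUFFER) break;`. The same hunk's retry path is fine as written because `sni_len` is updated by the short-buffer return before the second allocation. The function's vhost iteration continues past the end of the hunk.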
src/gnutls_io.c
re105d3e rf5342b1 3 3 * Copyright 2008 Nikos Mavrogiannopoulos 4 4 * Copyright 2011 Dash Shendy 5 * Copyright 2015-201 6Thomas Klute5 * Copyright 2015-2017 Thomas Klute 6 6 * 7 7 * Licensed under the Apache License, Version 2.0 (the "License"); … … 395 395 } 396 396 397 /* Enable SNI for proxy connections */ 398 if (ctxt->is_proxy == GNUTLS_ENABLED_TRUE) 399 { 400 /* Get peer hostname from note left by mod_proxy */ 401 const char *peer_hostname = 402 apr_table_get(ctxt->c->notes, PROXY_SNI_NOTE); 403 /* Used only as target for apr_ipsubnet_create() */ 404 apr_ipsubnet_t *probe; 405 /* Check if the note is present (!= NULL) and NOT an IP 406 * address */ 407 if ((peer_hostname) != NULL 408 && (apr_ipsubnet_create(&probe, peer_hostname, NULL, ctxt->c->pool) 409 != APR_SUCCESS)) 410 { 411 ret = gnutls_server_name_set(ctxt->session, GNUTLS_NAME_DNS, 412 peer_hostname, strlen(peer_hostname)); 413 if (ret != GNUTLS_E_SUCCESS) 414 ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, ctxt->c, 415 "Could not set SNI '%s' for proxy connection: " 416 "%s (%d)", 417 peer_hostname, gnutls_strerror(ret), ret); 418 } 419 } 420 397 421 tryagain: 398 422 do { … … 446 470 /* all done with the handshake */ 447 471 ctxt->status = 1; 448 /* If the session was resumed, we did not set the correct 449 * server_rec in ctxt->sc. Go Find it. (ick!) 450 */ 451 if (gnutls_session_is_resumed(ctxt->session)) { 452 mgs_srvconf_rec *sc; 453 sc = mgs_find_sni_server(ctxt->session); 454 if (sc) { 455 ctxt->sc = sc; 456 } 472 if (gnutls_session_is_resumed(ctxt->session)) 473 { 474 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c, 475 "%s: TLS session resumed.", __func__); 457 476 } 458 477 return GNUTLS_E_SUCCESS; -
test/Makefile.am
re105d3e rf5342b1 32 32 test-27_OCSP_server.bash 33 33 34 TEST_EXTENSIONS = .bash 34 35 TESTS = $(dist_check_SCRIPTS) 35 36 36 check_PROGRAMS = pgpcrc 37 check_PROGRAMS = pgpcrc gnutls_openpgp_support 37 38 pgpcrc_SOURCES = pgpcrc.c 39 gnutls_openpgp_support_SOURCES = gnutls_openpgp_support.c 40 gnutls_openpgp_support_CFLAGS = $(LIBGNUTLS_CFLAGS) 41 gnutls_openpgp_support_LDFLAGS = $(LIBGNUTLS_LIBS) 38 42 39 43 # build OCSP database tool … … 41 45 check_PROGRAMS += gen_ocsp_index 42 46 gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c 47 gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS) 43 48 gen_ocsp_index_LDFLAGS = $(LIBGNUTLS_LIBS) 44 49 noinst_HEADERS = cert_helper.h … … 109 114 # necessary. 110 115 MOSTLYCLEANFILES += */*.pgp */*.pgp.raw */*.gpg */*.gpg~ */gpg.conf \ 111 authority/lock */*.kbx */*.kbx~ */S.gpg-agent */private-keys-v1.d/* 116 authority/lock */*.kbx */*.kbx~ */S.gpg-agent */private-keys-v1.d/* \ 117 authority/tofu.db 112 118 # GnuPG random pool, no need to regenerate on every build 113 119 CLEANFILES += authority/random_seed 120 121 # GnuPG 2 starts gpg-agent processes per GNUPGHOME (one for every PGP 122 # identity) while creating the PGP certificates. This target is called 123 # by both "check-local" and "mostlyclean-local": The former because 124 # agent processes are started while preparing for "check" and are no 125 # longer needed afterwards, the latter to make sure they are gone 126 # along with their certificates. 127 stop-gnupg-agent: 128 for id in $(pgp_identities) $(msva_home); do \ 129 GNUPGHOME=$$id/ gpgconf --kill gpg-agent || true; \ 130 done 131 132 check-local: stop-gnupg-agent 114 133 115 134 # Delete lock files for test servers on "mostlyclean" target. 
… … 124 143 mkdir -p -m 0700 $(dir $@) 125 144 GNUPGHOME=$(dir $@) gpg --import < $< 126 printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust145 printf "%s:6:\n" "$$(GNUPGHOME=authority/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust 127 146 GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp 128 147 printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf … … 171 190 mkdir -p $(extra_dirs) 172 191 173 .PHONY: make-test-dirs clean-softhsm2-db 174 175 mostlyclean-local: clean-softhsm2-db 192 .PHONY: make-test-dirs clean-softhsm2-db stop-gnupg-agent 193 194 195 mostlyclean-local: clean-softhsm2-db stop-gnupg-agent 176 196 -rmdir $(pgp_identities:=/private-keys-v1.d) || true 177 197 if USE_MSVA … … 179 199 endif 180 200 201 # Delete test data directories, and wait for test services to 202 # exit. The reason for the wait is that Apache instances may take some 203 # time to exit and delete their PID files. Occasionally some PID files 204 # where still around during "distcheck" runs by the time the target 205 # checked if the build directory was really empty after "distclean", 206 # breaking the build. Delaying "clean-local" until PID files are gone 207 # avoids this issue, and the timeout will expose actually unclean 208 # stops. 
181 209 clean-local: 182 210 -rmdir $(identities) || true … … 185 213 -rmdir $(msva_home) || true 186 214 endif 215 wait=0; \ 216 while ls *.pid && test "$$wait" -lt "@TEST_LOCK_WAIT@"; do \ 217 wait=$$(($$wait + 1)); \ 218 echo "waiting for test services to exit ($$wait seconds)"; \ 219 sleep 1; \ 220 done 187 221 188 222 # Apache configuration and data files 189 223 apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/ocsp.cgi \ 190 data/secret.txt data/test.txt mime.types ocsp_server.conf\224 data/secret.txt data/test.txt ffdhe3072.pem mime.types \ 191 225 proxy_mods.conf 192 226 193 227 EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=.uid.in) \ 194 common.bash proxy_backend.bash runtests server-crl.template \228 apache_service.bash common.bash runtests server-crl.template \ 195 229 softhsm.bash 196 230 … … 199 233 # Lockfile for the proxy backend Apache process (if any) 200 234 backend_lockfile = ./backend.lock 201 # Maximum wait time in seconds for flock to aquire instance lock 202 # files, or Apache to remove its PID file 203 lock_wait = 30 235 # Lockfile for the OCSP server Apache process (if any) 236 ocsp_lockfile = ./ocsp.lock 204 237 205 238 # port for the main Apache server … … 207 240 # port for MSVA in test cases that use it 208 241 MSVA_PORT ?= 9933 209 # port for OCSP server (Apache vhost if enabled) 242 # port for TLS proxy backend server 243 BACKEND_PORT ?= 9934 244 # port for the OCSP responder 210 245 if ENABLE_OCSP_TEST 211 246 OCSP_PORT ?= 9936 212 247 endif 213 248 # maximum time to wait for MSVA startup (milliseconds) 214 TEST_ MSVA_MAX_WAIT ?= 10000249 TEST_SERVICE_MAX_WAIT ?= 10000 215 250 # wait loop time for MSVA startup (milliseconds) 216 TEST_MSVA_WAIT ?= 400 217 # seconds for the HTTP request to be sent and responded to 218 TEST_QUERY_DELAY ?= 30 251 TEST_SERVICE_WAIT ?= 400 219 252 220 253 AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \ 221 254 export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \ 222 export 
TEST_LOCK_WAIT=" $(lock_wait)"; \255 export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \ 223 256 export TEST_HOST="@TEST_HOST@"; \ 224 257 export TEST_PORT="$(TEST_PORT)"; \ 225 258 export MSVA_PORT="$(MSVA_PORT)"; \ 226 export TEST_ MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \227 export TEST_ MSVA_WAIT="$(TEST_MSVA_WAIT)"; \228 export TEST_QUERY_ DELAY="$(TEST_QUERY_DELAY)"; \259 export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \ 260 export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; \ 261 export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \ 229 262 export BACKEND_HOST="@TEST_HOST@"; \ 263 export BACKEND_PORT="$(BACKEND_PORT)"; \ 230 264 export HTTP_CLI="@HTTP_CLI@"; 231 265 … … 245 279 export USE_TEST_NAMESPACE=1; 246 280 endif 247 # Without flock tests must not run in parallel. Otherwise set lock files. 281 # Without flock tests must not run in parallel, and PID files are used 282 # to prevent conflicts between server instances. Otherwise set lock 283 # files for flock. 248 284 if DISABLE_FLOCK 285 AM_TESTS_ENVIRONMENT += export TEST_LOCK="apache2.pid"; \ 286 export BACKEND_LOCK="backend.pid"; \ 287 export OCSP_LOCK="ocsp.pid"; 249 288 .NOTPARALLEL: 250 289 else 251 290 AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \ 252 291 export TEST_LOCK="$(test_lockfile)"; \ 253 export BACKEND_LOCK="$(backend_lockfile)"; 292 export BACKEND_LOCK="$(backend_lockfile)"; \ 293 export OCSP_LOCK="$(ocsp_lockfile)"; 254 294 endif 255 295 -
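Review bot: The wait loop added to `clean-local` uses `ls *.pid` as its condition without redirection, so every clean run in which no PID file exists prints an `ls` error to stderr before the loop ends; `while ls *.pid >/dev/null 2>&1 && test "$$wait" -lt "@TEST_LOCK_WAIT@"; do \` keeps the check quiet. When the timeout expires the loop simply stops, so the unclean stop the comment says it will expose is only surfaced later, if at all, by `distcheck`; adding `test ! -e *.pid || { echo "test services still running after @TEST_LOCK_WAIT@ s" >&2; exit 1; }` after the loop reports it where it happens. The other changes in this section (port variables, lock files, `stop-gnupg-agent`) look consistent with the exported environment in `AM_TESTS_ENVIRONMENT`.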
test/README
re105d3e rf5342b1 130 130 * If a machine is particularly slow or under heavy load, it's 131 131 possible that these tests will fail for timing 132 reasons. [TEST_QUERY_ DELAY (seconds for the HTTP request to be sent133 and responded to)]132 reasons. [TEST_QUERY_TIMEOUT (timeout for the HTTPS request in 133 seconds)] 134 134 135 135 The first two of these issues are avoided when the tests are isolated -
test/apache-conf/netns.conf.in
re105d3e rf5342b1 1 1 # This file contains options that are different depending on whether 2 2 # tests use namespaces or not. 3 Mutex @MUTEX_TYPE@ default 3 @MUTEX_CONF@ 4 4 PidFile apache2@PID_AFFIX@.pid -
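--- a/test/base_apache.conf
+++ b/test/base_apache.conf
@@ -1,3 +1,4 @@
 ServerRoot ${PWD}
+DefaultRuntimeDir cache/
 
 LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined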
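Review bot: `DefaultRuntimeDir cache/` changes where relative runtime paths resolve for every configuration that includes this file; if this httpd resolves a relative `PidFile` against DefaultRuntimeDir (Apache 2.4 does), `PidFile apache2@PID_AFFIX@.pid` in netns.conf.in and `PidFile ocsp@PID_AFFIX@.pid` in ocsp_server.conf.in will be written under cache/ rather than in the test directory. The Makefile's clean-local wait loop (`ls *.pid`) and the DISABLE_FLOCK settings (`TEST_LOCK="apache2.pid"`, `BACKEND_LOCK="backend.pid"`, `OCSP_LOCK="ocsp.pid"`) look in the test directory, so please confirm the PID files still land where those checks expect. If they do not, anchoring them explicitly, e.g. `PidFile ${PWD}/apache2@PID_AFFIX@.pid`, keeps the wait/lock logic and the server in agreement.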
test/common.bash
re105d3e rf5342b1 15 15 sleep 1 16 16 done 17 } 18 19 20 21 # Usage: verbose_log [...] 22 # 23 # If VERBOSE is not empty, write a log message prefixed with the name 24 # of the calling function. The function is defined to a no-op 25 # otherwise. 26 if [ -n "${VERBOSE}" ]; then 27 function verbose_log 28 { 29 echo "${FUNCNAME[1]}: ${@}" 30 } 31 else 32 function verbose_log 33 { 34 return 35 } 36 fi 37 38 39 40 # Usage: wait_ready COMMAND [TIMEOUT] [STEP] 41 # 42 # Wait until COMMAND terminates with success (zero exit code), or 43 # until the TIMEOUT (in milliseconds) expires. TIMEOUT defaults to 44 # $TEST_SERVICE_MAX_WAIT if unset. A TIMEOUT of zero means to try 45 # once. 46 # 47 # COMMAND is retried every STEP milliseconds, the default is 48 # $TEST_SERVICE_WAIT. Note that the last try may happen a little after 49 # TIMEOUT expires if STEP does not evenly divide it. 50 function wait_ready 51 { 52 local command="${1}" 53 if [ -z "${2}" ]; then 54 local -i timeout="${TEST_SERVICE_MAX_WAIT}" 55 else 56 local -i timeout="${2}" 57 fi 58 local -i step="${3}" 59 [ ${step} -gt 0 ] || step="${TEST_SERVICE_WAIT}" 60 # convert step to seconds because that's what "sleep" needs 61 local sec_step="$((${step} / 1000)).$((${step} % 1000))" 62 63 verbose_log "Waiting for \"${command}\" ..." 64 local -i waited=0 65 until eval "${command}"; do 66 if [ "${waited}" -ge "${timeout}" ]; then 67 echo "${FUNCNAME[0]}: Timed out waiting for \"${command}\"" \ 68 "to succeed (waited ${waited} ms)." >&2 69 return 1 70 fi 71 waited=$((waited + step)); 72 sleep "${sec_step}" 73 verbose_log "waiting (${waited} ms)" 74 done 75 verbose_log "done (waited ${waited} ms)" 17 76 } 18 77 -
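Review bot: `sec_step` in wait_ready is built as `$((step / 1000)).$((step % 1000))`, which drops leading zeros of the fractional part: STEP=1050 yields `1.50` (1.5 s) instead of 1.05 s, and STEP=5 yields `0.5`. The defaults (400 and 10000) are multiples of 100 so this is latent today, but `local sec_step="$(printf '%d.%03d' $((step / 1000)) $((step % 1000)))"` makes the conversion correct for any STEP. Separately, `until eval "${command}"` re-parses the command string, so any value a caller substitutes into it (runtests embeds the contents of client.uid this way) is interpreted as shell syntax rather than data; a comment on the `eval` line such as `# COMMAND is re-parsed by eval: callers must quote/escape any substituted values` would make that contract explicit.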
test/ocsp_server.conf.in
re105d3e rf5342b1 1 Define OCSP_PORT ${OCSP_PORT} 2 Define TEST_PORT ${OCSP_PORT} 3 4 Include ${srcdir}/base_apache.conf 5 1 6 Include ${srcdir}/cgi_module.conf 2 7 LoadModule env_module ${AP_LIBEXECDIR}/mod_env.so 3 8 LoadModule rewrite_module ${AP_LIBEXECDIR}/mod_rewrite.so 9 10 # separate log and PID file 11 CustomLog logs/${TEST_NAME}.ocsp.access.log combined 12 ErrorLog logs/${TEST_NAME}.ocsp.error.log 13 PidFile ocsp@PID_AFFIX@.pid 14 4 15 <IfDefine !OCSP_INDEX> 5 16 # Default index file, define OCSP_INDEX in the test specific -
test/proxy_backend.conf.in
re105d3e rf5342b1 1 # redefine TEST_PORT before loading the base config 2 Define TEST_PORT ${BACKEND_PORT} 3 Include ${srcdir}/base_apache.conf 4 1 5 # common options for proxy backend servers 2 6 CustomLog logs/${TEST_NAME}.backend.access.log combined -
test/runtests
re105d3e rf5342b1 7 7 set -e 8 8 . ${srcdir}/common.bash 9 . ${srcdir}/apache_service.bash 9 10 netns_reexec ${@} 10 11 … … 17 18 testid=${srcdir}/tests/"$(printf "%02d" "$testid")"_* 18 19 fi 20 testdir="$(realpath ${testid})" 19 21 20 22 BADVARS=0 21 for v in APACHE2 TEST_HOST TEST_PORT TEST_QUERY_ DELAY TEST_MSVA_WAIT \23 for v in APACHE2 TEST_HOST TEST_PORT TEST_QUERY_TIMEOUT TEST_SERVICE_WAIT \ 22 24 MSVA_PORT; do 23 25 if [ ! -v "$v" ]; then … … 34 36 function pinpoint_error() 35 37 { 36 echo "${1} failed at line ${2}!" >&2 37 } 38 trap 'pinpoint_error ${BASH_SOURCE} ${LINENO}' ERR 38 echo "Command \"${BASH_COMMAND}\" failed. Call trace:" >&2 39 local stack=0 40 while caller $((stack++)) >&2; do true; done 41 } 42 trap 'pinpoint_error' ERR 39 43 40 44 function stop_msva() … … 89 93 if [ -n "${pid}" ] && ps -p "${pid}"; then 90 94 kill "${pid}" 95 else 96 echo "No running process with PID ${pid} (${pidfile})." 91 97 fi 92 98 rm "${pidfile}" … … 96 102 function apache_down_err() { 97 103 printf "FAILURE: %s\n" "$TEST_NAME" 98 ${APACHE2} -f "${t }/apache.conf" -k stop || true104 ${APACHE2} -f "${testdir}/apache.conf" -k stop || true 99 105 if [ -e output ]; then 100 106 printf "\ngnutls-cli outputs:\n" 101 107 diff_output_filter_headers "output" "$output" || true 108 fi 109 110 if [ -r "${testdir}/backend.conf" ]; then 111 apache_service "${testdir}" "backend.conf" stop || true 112 fi 113 114 if [ -r "${testdir}/ocsp.conf" ]; then 115 apache_service "${testdir}" "ocsp.conf" stop || true 102 116 fi 103 117 … … 123 137 124 138 printf "TESTING: initial MSVA verification\n" 125 # set to 0 if MSVA is up126 ret=1127 139 export MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" 128 140 129 # convert TEST_MSVA_WAIT to seconds because that's what "sleep" expects 130 TEST_MSVA_SLEEP="$((${TEST_MSVA_WAIT} / 1000)).$((${TEST_MSVA_WAIT} % 1000))" 131 # wait at most TEST_MSVA_MAX_WAIT milliseconds for MSVA to get ready 132 waited=0 133 until [ ${ret} -eq 0 ] \ 
134 || [ ${waited} -ge ${TEST_MSVA_MAX_WAIT} ]; do 135 if msva-query-agent https "$(cat client.uid)" x509pem client < client/x509.pem 136 then 137 ret=0 138 else 139 echo "MSVA not ready yet" 140 fi 141 sleep "${TEST_MSVA_SLEEP}" 142 waited=$((${waited} + ${TEST_MSVA_WAIT})) 143 done 144 141 msva_test_cmd="msva-query-agent https \"$(cat client.uid)\" x509pem client < client/x509.pem" 145 142 # check if MSVA is up, fail if not 146 if [ ${ret} -eq 0 ]; then143 if wait_ready "${msva_test_cmd}"; then 147 144 printf "\nSUCCESS: initial MSVA verification\n" 148 145 else … … 152 149 fi 153 150 154 TEST_PID="apache2.pid"155 151 # configure locking for the Apache process 156 152 if [ -n "${USE_TEST_NAMESPACE}" ]; then 157 153 echo "Using namespaces to isolate tests, no need for locking." 158 154 flock_cmd="" 159 elif [ -n "${ TEST_LOCK}" ]; then155 elif [ -n "${FLOCK}" ]; then 160 156 flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})" 161 157 else 162 158 echo "Locking disabled, using wait based on Apache PID file." 
163 wait_pid_gone "${TEST_ PID}"159 wait_pid_gone "${TEST_LOCK}" 164 160 flock_cmd="" 165 161 fi 166 162 167 t="$(realpath ${testid})"168 163 export srcdir="$(realpath ${srcdir})" 169 export TEST_NAME="$(basename "$ t")"164 export TEST_NAME="$(basename "${testdir}")" 170 165 output="outputs/${TEST_NAME}.output" 171 166 rm -f "$output" 172 167 173 if [ -e ${t }/fail.* ]; then168 if [ -e ${testdir}/fail.* ]; then 174 169 EXPECTED_FAILURE="$(printf " (expected: %s)" fail.*)" 175 170 else … … 179 174 trap apache_down_err EXIT 180 175 if [ -n "${USE_MSVA}" ]; then 181 MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" \ 182 ${flock_cmd} \ 183 ${APACHE2} -f "${t}/apache.conf" -k start \ 184 || [ -e "${t}/fail.server" ] 185 else 186 ${flock_cmd} \ 187 ${APACHE2} -f "${t}/apache.conf" -k start \ 188 || [ -e "${t}/fail.server" ] 176 export MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" 177 fi 178 179 # If VERBOSE is enabled, log the HTTPD build configuration 180 if [ -n "${VERBOSE}" ]; then 181 ${APACHE2} -f "${srcdir}/base_apache.conf" -V 182 fi 183 184 # Start OCSP responder, if configured 185 if [ -r "${testdir}/ocsp.conf" ]; then 186 apache_service "${testdir}" "ocsp.conf" start "${OCSP_LOCK}" 187 CHECK_OCSP_SERVER="true" 188 if [ -n "${VERBOSE}" ]; then 189 echo "OCSP index for the test CA:" 190 cat authority/ocsp_index.txt 191 fi 192 fi 193 194 # Start proxy backend server, if configured 195 if [ -r "${testdir}/backend.conf" ]; then 196 apache_service "${testdir}" "backend.conf" start "${BACKEND_LOCK}" 197 fi 198 199 if ! ${flock_cmd} ${APACHE2} -f "${testdir}/apache.conf" -k start; then 200 if [ -e "${testdir}/fail.server" ]; then 201 echo "Apache HTTPD failed to start as expected." 202 exit 0 203 else 204 echo "Apache HTTPD unexpectedly failed to start." 
205 exit 1 206 fi 189 207 fi 190 208 … … 195 213 fi 196 214 echo "---- Testing OCSP server ----" 197 ocsptool --ask --nonce --load-issuer authority/x509.pem --load-cert server/x509.pem ${store_ocsp}215 wait_ready "ocsptool --ask --nonce --load-issuer authority/x509.pem --load-cert server/x509.pem ${store_ocsp}" 198 216 echo "---- OCSP test done ----" 199 217 fi … … 212 230 # end with CRLF as required by RFC 7230, Section 3.1.1 regardless of 213 231 # the line ends in the input file. 214 if (sed -r "s/__HOSTNAME__/${TEST_HOST}/;s/\r?$/\r/" <${t }/input && \215 run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_ DELAY}" &) | \216 gnutls-cli -p "${TEST_PORT}" $(cat ${t }/gnutls-cli.args) "${TEST_HOST}" \232 if (sed -r "s/__HOSTNAME__/${TEST_HOST}/;s/\r?$/\r/" <${testdir}/input && \ 233 run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_TIMEOUT}" &) | \ 234 gnutls-cli -p "${TEST_PORT}" $(cat ${testdir}/gnutls-cli.args) "${TEST_HOST}" \ 217 235 | tee "$output" && test "${PIPESTATUS[1]}" -eq 0; 218 236 then 219 if [ -e ${t }/fail* ]; then220 printf "%s should have failed but succeeded\n" "$(basename "$t ")" >&2237 if [ -e ${testdir}/fail* ]; then 238 printf "%s should have failed but succeeded\n" "$(basename "$testdir")" >&2 221 239 exit 1 222 240 fi 223 241 else 224 if [ ! -e ${t }/fail* ]; then225 printf "%s should have succeeded but failed\n" "$(basename "$t ")" >&2242 if [ ! 
-e ${testdir}/fail* ]; then 243 printf "%s should have succeeded but failed\n" "$(basename "$testdir")" >&2 226 244 exit 1 227 245 fi … … 231 249 unset sleep_pidfile 232 250 233 if [ -e ${t }/output ] ; then234 diff_output_filter_headers "${t }/output" "$output" >&2251 if [ -e ${testdir}/output ] ; then 252 diff_output_filter_headers "${testdir}/output" "$output" >&2 235 253 fi 236 254 if [ -n "${USE_MSVA}" ]; then … … 239 257 trap - EXIT 240 258 fi 241 ${APACHE2} -f "${t }/apache.conf" -k stop || [ -e ${t}/fail.server ]259 ${APACHE2} -f "${testdir}/apache.conf" -k stop || [ -e ${testdir}/fail.server ] 242 260 printf "SUCCESS: %s\n" "$TEST_NAME" 261 262 if [ -r "${testdir}/backend.conf" ]; then 263 apache_service "${testdir}" "backend.conf" stop || true 264 fi 265 266 if [ -r "${testdir}/ocsp.conf" ]; then 267 apache_service "${testdir}" "ocsp.conf" stop || true 268 fi 243 269 244 270 if [ -n "${USE_MSVA}" ]; then -
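Review bot: In the new start block, the `exit 0` on the expected-failure path (`fail.server` present) runs with `trap apache_down_err EXIT` still armed, so a passing expected-failure test prints `FAILURE: ...` and goes through the error teardown; whatever apache_down_err does after its visible lines (its tail is outside this hunk) also decides the script's final exit status. Consider stopping the backend and OCSP services explicitly, then `trap - EXIT` before `exit 0`, or having apache_down_err check for `fail.server` before reporting a failure. Also, wrapping `ocsptool --ask --nonce ...` in wait_ready now retries any non-zero exit until TEST_SERVICE_MAX_WAIT elapses, so if ocsptool exits non-zero for a genuine bad response the failure only surfaces after the full timeout; a comment stating that this retry is meant for responder start-up would clarify the intent.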
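--- a/test/test-14_basic_openpgp.bash
+++ b/test/test-14_basic_openpgp.bash
@@ -1,2 +1,3 @@
 #!/bin/bash
+./gnutls_openpgp_support || exit $?
 ${srcdir}/runtests t-14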
test/test-19_TLS_reverse_proxy.bash
re105d3e rf5342b1 1 1 #!/bin/bash 2 3 set -e4 : ${srcdir:="."}5 . ${srcdir}/common.bash6 netns_reexec ${@}7 8 testdir="${srcdir}/tests/19_TLS_reverse_proxy"9 . $(dirname ${0})/proxy_backend.bash10 11 function stop_backend12 {13 backend_apache "${testdir}" "backend.conf" stop14 }15 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"16 trap stop_backend EXIT17 18 2 ${srcdir}/runtests t-19 19 20 backend_apache "${testdir}" "backend.conf" stop21 trap - EXIT -
test/test-20_TLS_reverse_proxy_client_auth.bash
re105d3e rf5342b1 1 1 #!/bin/bash 2 3 set -e4 : ${srcdir:="."}5 . ${srcdir}/common.bash6 netns_reexec ${@}7 8 testdir="${srcdir}/tests/20_TLS_reverse_proxy_client_auth"9 . $(dirname ${0})/proxy_backend.bash10 11 function stop_backend12 {13 backend_apache "${testdir}" "backend.conf" stop14 }15 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"16 trap stop_backend EXIT17 18 2 ${srcdir}/runtests t-20 19 20 backend_apache "${testdir}" "backend.conf" stop21 trap - EXIT -
test/test-21_TLS_reverse_proxy_wrong_cert.bash
re105d3e rf5342b1 1 1 #!/bin/bash 2 3 set -e4 : ${srcdir:="."}5 . ${srcdir}/common.bash6 netns_reexec ${@}7 8 testdir="${srcdir}/tests/21_TLS_reverse_proxy_wrong_cert"9 . $(dirname ${0})/proxy_backend.bash10 11 function stop_backend12 {13 backend_apache "${testdir}" "backend.conf" stop14 }15 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"16 trap stop_backend EXIT17 18 2 ${srcdir}/runtests t-21 19 20 backend_apache "${testdir}" "backend.conf" stop21 trap - EXIT -
test/test-22_TLS_reverse_proxy_crl_revoke.bash
re105d3e rf5342b1 1 1 #!/bin/bash 2 3 set -e4 : ${srcdir:="."}5 . ${srcdir}/common.bash6 netns_reexec ${@}7 8 testdir="${srcdir}/tests/22_TLS_reverse_proxy_crl_revoke"9 . $(dirname ${0})/proxy_backend.bash10 11 function stop_backend12 {13 backend_apache "${testdir}" "backend.conf" stop14 }15 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"16 trap stop_backend EXIT17 18 2 ${srcdir}/runtests t-22 19 20 backend_apache "${testdir}" "backend.conf" stop21 trap - EXIT -
test/test-23_TLS_reverse_proxy_mismatched_priorities.bash
re105d3e rf5342b1 1 1 #!/bin/bash 2 3 set -e4 : ${srcdir:="."}5 . ${srcdir}/common.bash6 netns_reexec ${@}7 8 testdir="${srcdir}/tests/23_TLS_reverse_proxy_mismatched_priorities"9 . $(dirname ${0})/proxy_backend.bash10 2 11 3 # This test checks if server and proxy priorities are applied … … 13 5 # back end server is configured not to use TLS 1.2. The proxy request 14 6 # must fail and the client must receive an error message to pass. 15 16 function stop_backend17 {18 backend_apache "${testdir}" "backend.conf" stop19 }20 backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"21 trap stop_backend EXIT22 23 7 ${srcdir}/runtests t-23 24 25 backend_apache "${testdir}" "backend.conf" stop26 trap - EXIT -
test/test-26_redirect_HTTP_to_HTTPS.bash
re105d3e rf5342b1 11 11 testdir="${srcdir}/tests/26_redirect_HTTP_to_HTTPS" 12 12 TEST_NAME="$(basename ${testdir})" 13 . $(dirname ${0})/ proxy_backend.bash13 . $(dirname ${0})/apache_service.bash 14 14 15 15 : ${TEST_HTTP_PORT:="9935"} … … 17 17 18 18 # "Proxy backend" functions are used to start the only instance needed 19 # here without "runtests". We have to override BACKEND_PID and 20 # BACKEND_PORT to make them match what a runtests-based test would 21 # use. 22 export BACKEND_PID="apache2.pid" 19 # here without "runtests". We have to override BACKEND_PORT to make it 20 # match what a runtests-based test would use. 23 21 export BACKEND_PORT="${TEST_PORT}" 24 22 function stop_backend 25 23 { 26 backend_apache "${testdir}" "apache.conf" stop24 apache_service "${testdir}" "apache.conf" stop 27 25 } 28 backend_apache "${testdir}" "apache.conf" start "${TEST_LOCK}"26 apache_service "${testdir}" "apache.conf" start "${TEST_LOCK}" 29 27 trap stop_backend EXIT 30 28 … … 48 46 grep "Current TLS session: (TLS" "${output}" 49 47 50 backend_apache "${testdir}" "apache.conf" stop48 apache_service "${testdir}" "apache.conf" stop 51 49 trap - EXIT -
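--- a/test/test-27_OCSP_server.bash
+++ b/test/test-27_OCSP_server.bash
@@ -4,9 +4,4 @@
 # Skip if OCSP tests are not enabled
 [ -n "${OCSP_PORT}" ] || exit 77
-
-# trigger OCSP server test in the runtests script
-export CHECK_OCSP_SERVER="true"
-echo "OCSP index for the test CA:"
-cat authority/ocsp_index.txt
 
 ${srcdir}/runtests t-27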
test/test_ca.mk
re105d3e rf5342b1 48 48 %/cert.pgp: %/minimal.pgp authority/minimal.pgp 49 49 if test -r $@; then rm $@; fi 50 GNUPGHOME=authority $(GPG_FLOCK) gpg --import $<51 GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"52 GNUPGHOME=authority $(GPG_FLOCK) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"50 GNUPGHOME=authority/ $(GPG_FLOCK) gpg --import $< 51 GNUPGHOME=authority/ $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" 52 GNUPGHOME=authority/ $(GPG_FLOCK) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" 53 53 54 54 # special cases for the authorities' root certs: -
test/tests/06_verify_sni_a/apache.conf
re105d3e rf5342b1 2 2 3 3 GnuTLSCache dbm cache/gnutls_cache 4 5 NameVirtualHost _default_:${TEST_PORT}6 4 7 5 <VirtualHost _default_:${TEST_PORT}> -
test/tests/07_verify_sni_b/apache.conf
re105d3e rf5342b1 2 2 3 3 GnuTLSCache dbm cache/gnutls_cache 4 5 NameVirtualHost _default_:${TEST_PORT}6 4 7 5 # trying in a different order from 06_verify_sni_a -
test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf
re105d3e rf5342b1 2 2 3 3 GnuTLSCache dbm cache/gnutls_cache 4 5 NameVirtualHost _default_:${TEST_PORT}6 4 7 5 <VirtualHost _default_:${TEST_PORT}> -
test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf
re105d3e rf5342b1 2 2 3 3 GnuTLSCache dbm cache/gnutls_cache 4 5 NameVirtualHost _default_:${TEST_PORT}6 4 7 5 # In this order, clients with no SNI should get the imposter's key -
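--- a/test/tests/12_cgi_variables/apache.conf
+++ b/test/tests/12_cgi_variables/apache.conf
@@ -13,4 +13,5 @@
 GnuTLSCertificateFile server/x509.pem
 GnuTLSKeyFile server/secret.key
+GnuTLSDHFile ${srcdir}/ffdhe3072.pem
 GnuTLSPriorities NORMAL
 GnuTLSClientCAFile authority/x509.pem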
test/tests/12_cgi_variables/output
re105d3e rf5342b1 8 8 RFC822NAME:test0@modgnutls.test 9 9 10 DH prime bits: 204810 DH prime bits: 3072 11 11 - Peer has closed the GnuTLS connection -
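--- a/test/tests/17_cgi_vars_large_cert/apache.conf
+++ b/test/tests/17_cgi_vars_large_cert/apache.conf
@@ -13,4 +13,5 @@
 GnuTLSCertificateFile server/x509.pem
 GnuTLSKeyFile server/secret.key
+GnuTLSDHFile ${srcdir}/ffdhe3072.pem
 GnuTLSPriorities NORMAL
 GnuTLSClientCAFile authority/x509.pem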
test/tests/17_cgi_vars_large_cert/output
re105d3e rf5342b1 8 8 RFC822NAME:test0@modgnutls.test 9 9 10 DH prime bits: 204810 DH prime bits: 3072 11 11 - Peer has closed the GnuTLS connection -
test/tests/19_TLS_reverse_proxy/backend.conf
re105d3e rf5342b1 1 Include ${srcdir}/base_apache.conf 2 Include proxy_backend.conf 1 Include ${PWD}/proxy_backend.conf 3 2 4 3 GnuTLSCache dbm cache/gnutls_cache -
test/tests/20_TLS_reverse_proxy_client_auth/backend.conf
re105d3e rf5342b1 1 Include ${srcdir}/base_apache.conf 2 Include proxy_backend.conf 1 Include ${PWD}/proxy_backend.conf 3 2 4 3 GnuTLSCache dbm cache/gnutls_cache -
test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf
re105d3e rf5342b1 1 Include ${srcdir}/base_apache.conf 2 Include proxy_backend.conf 1 Include ${PWD}/proxy_backend.conf 3 2 4 3 GnuTLSCache dbm cache/gnutls_cache -
test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf
re105d3e rf5342b1 1 Include ${srcdir}/base_apache.conf 2 Include proxy_backend.conf 1 Include ${PWD}/proxy_backend.conf 3 2 4 3 GnuTLSCache dbm cache/gnutls_cache -
test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf
re105d3e rf5342b1 1 Include ${srcdir}/base_apache.conf 2 Include proxy_backend.conf 1 Include ${PWD}/proxy_backend.conf 3 2 4 3 GnuTLSCache dbm cache/gnutls_cache -
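--- a/test/tests/27_OCSP_server/apache.conf
+++ b/test/tests/27_OCSP_server/apache.conf
@@ -1,7 +1,4 @@
-Define OCSP_PORT ${OCSP_PORT}
-
 Include ${srcdir}/base_apache.conf
-Include ${srcdir}/ocsp_server.conf
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache dbm cache/gnutls_cache_${TEST_NAME}
 
 <VirtualHost _default_:${TEST_PORT}>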
test/tests/Makefile.am
re105d3e rf5342b1 27 27 25_Disable_TLS_1.0/apache.conf 25_Disable_TLS_1.0/fail.client 25_Disable_TLS_1.0/gnutls-cli.args 25_Disable_TLS_1.0/input \ 28 28 26_redirect_HTTP_to_HTTPS/apache.conf \ 29 27_OCSP_server/apache.conf 27_OCSP_server/gnutls-cli.args 27_OCSP_server/input 27_OCSP_server/o utput29 27_OCSP_server/apache.conf 27_OCSP_server/gnutls-cli.args 27_OCSP_server/input 27_OCSP_server/ocsp.conf 27_OCSP_server/output