diff -pruN 0.8.2-3/aclocal.m4 0.9.0-1/aclocal.m4
--- 0.8.2-3/aclocal.m4	2017-01-08 14:08:01.000000000 +0000
+++ 0.9.0-1/aclocal.m4	2019-01-23 20:15:46.000000000 +0000
@@ -1,6 +1,6 @@
-# generated automatically by aclocal 1.15 -*- Autoconf -*-
+# generated automatically by aclocal 1.16.1 -*- Autoconf -*-
 
-# Copyright (C) 1996-2014 Free Software Foundation, Inc.
+# Copyright (C) 1996-2018 Free Software Foundation, Inc.
 
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -296,7 +296,7 @@ AS_VAR_COPY([$1], [pkg_cv_][$1])
 AS_VAR_IF([$1], [""], [$5], [$4])dnl
 ])dnl PKG_CHECK_VAR
 
-# Copyright (C) 2002-2014 Free Software Foundation, Inc.
+# Copyright (C) 2002-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -308,10 +308,10 @@ AS_VAR_IF([$1], [""], [$5], [$4])dnl
 # generated from the m4 files accompanying Automake X.Y.
 # (This private macro should not be called outside this file.)
 AC_DEFUN([AM_AUTOMAKE_VERSION],
-[am__api_version='1.15'
+[am__api_version='1.16'
 dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
 dnl require some minimum version.  Point them to the right macro.
-m4_if([$1], [1.15], [],
+m4_if([$1], [1.16.1], [],
       [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
 ])
 
@@ -327,14 +327,14 @@ m4_define([_AM_AUTOCONF_VERSION], [])
 # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
 # This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
 AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-[AM_AUTOMAKE_VERSION([1.15])dnl
+[AM_AUTOMAKE_VERSION([1.16.1])dnl
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
 _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
 
 # AM_AUX_DIR_EXPAND                                         -*- Autoconf -*-
 
-# Copyright (C) 2001-2014 Free Software Foundation, Inc.
+# Copyright (C) 2001-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -386,7 +386,7 @@ am_aux_dir=`cd "$ac_aux_dir" && pwd`
 
 # AM_CONDITIONAL                                            -*- Autoconf -*-
 
-# Copyright (C) 1997-2014 Free Software Foundation, Inc.
+# Copyright (C) 1997-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -417,7 +417,7 @@ AC_CONFIG_COMMANDS_PRE(
 Usually this means the macro was only invoked conditionally.]])
 fi])])
 
-# Copyright (C) 1999-2014 Free Software Foundation, Inc.
+# Copyright (C) 1999-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -608,13 +608,12 @@ _AM_SUBST_NOTMAKE([am__nodep])dnl
 
 # Generate code to set up dependency tracking.              -*- Autoconf -*-
 
-# Copyright (C) 1999-2014 Free Software Foundation, Inc.
+# Copyright (C) 1999-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
-
 # _AM_OUTPUT_DEPENDENCY_COMMANDS
 # ------------------------------
 AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS],
@@ -622,49 +621,41 @@ AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS
   # Older Autoconf quotes --file arguments for eval, but not when files
   # are listed without --file.  Let's play safe and only enable the eval
   # if we detect the quoting.
-  case $CONFIG_FILES in
-  *\'*) eval set x "$CONFIG_FILES" ;;
-  *)   set x $CONFIG_FILES ;;
-  esac
+  # TODO: see whether this extra hack can be removed once we start
+  # requiring Autoconf 2.70 or later.
+  AS_CASE([$CONFIG_FILES],
+          [*\'*], [eval set x "$CONFIG_FILES"],
+          [*], [set x $CONFIG_FILES])
   shift
-  for mf
+  # Used to flag and report bootstrapping failures.
+  am_rc=0
+  for am_mf
   do
     # Strip MF so we end up with the name of the file.
-    mf=`echo "$mf" | sed -e 's/:.*$//'`
-    # Check whether this is an Automake generated Makefile or not.
-    # We used to match only the files named 'Makefile.in', but
-    # some people rename them; so instead we look at the file content.
-    # Grep'ing the first line is not enough: some people post-process
-    # each Makefile.in and add a new line on top of each file to say so.
-    # Grep'ing the whole file is not good either: AIX grep has a line
+    am_mf=`AS_ECHO(["$am_mf"]) | sed -e 's/:.*$//'`
+    # Check whether this is an Automake generated Makefile which includes
+    # dependency-tracking related rules and includes.
+    # Grep'ing the whole file directly is not great: AIX grep has a line
     # limit of 2048, but all sed's we know have understand at least 4000.
-    if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then
-      dirpart=`AS_DIRNAME("$mf")`
-    else
-      continue
-    fi
-    # Extract the definition of DEPDIR, am__include, and am__quote
-    # from the Makefile without running 'make'.
-    DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
-    test -z "$DEPDIR" && continue
-    am__include=`sed -n 's/^am__include = //p' < "$mf"`
-    test -z "$am__include" && continue
-    am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
-    # Find all dependency output files, they are included files with
-    # $(DEPDIR) in their names.  We invoke sed twice because it is the
-    # simplest approach to changing $(DEPDIR) to its actual value in the
-    # expansion.
-    for file in `sed -n "
-      s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
-	 sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g'`; do
-      # Make sure the directory exists.
-      test -f "$dirpart/$file" && continue
-      fdir=`AS_DIRNAME(["$file"])`
-      AS_MKDIR_P([$dirpart/$fdir])
-      # echo "creating $dirpart/$file"
-      echo '# dummy' > "$dirpart/$file"
-    done
+    sed -n 's,^am--depfiles:.*,X,p' "$am_mf" | grep X >/dev/null 2>&1 \
+      || continue
+    am_dirpart=`AS_DIRNAME(["$am_mf"])`
+    am_filepart=`AS_BASENAME(["$am_mf"])`
+    AM_RUN_LOG([cd "$am_dirpart" \
+      && sed -e '/# am--include-marker/d' "$am_filepart" \
+        | $MAKE -f - am--depfiles]) || am_rc=$?
   done
+  if test $am_rc -ne 0; then
+    AC_MSG_FAILURE([Something went wrong bootstrapping makefile fragments
+    for automatic dependency tracking.  Try re-running configure with the
+    '--disable-dependency-tracking' option to at least be able to build
+    the package (albeit without support for automatic dependency tracking).])
+  fi
+  AS_UNSET([am_dirpart])
+  AS_UNSET([am_filepart])
+  AS_UNSET([am_mf])
+  AS_UNSET([am_rc])
+  rm -f conftest-deps.mk
 }
 ])# _AM_OUTPUT_DEPENDENCY_COMMANDS
 
@@ -673,18 +664,17 @@ AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS
 # -----------------------------
 # This macro should only be invoked once -- use via AC_REQUIRE.
 #
-# This code is only required when automatic dependency tracking
-# is enabled.  FIXME.  This creates each '.P' file that we will
-# need in order to bootstrap the dependency handling code.
+# This code is only required when automatic dependency tracking is enabled.
+# This creates each '.Po' and '.Plo' makefile fragment that we'll need in
+# order to bootstrap the dependency handling code.
 AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
 [AC_CONFIG_COMMANDS([depfiles],
      [test x"$AMDEP_TRUE" != x"" || _AM_OUTPUT_DEPENDENCY_COMMANDS],
-     [AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"])
-])
+     [AMDEP_TRUE="$AMDEP_TRUE" MAKE="${MAKE-make}"])])
 
 # Do all the work for Automake.                             -*- Autoconf -*-
 
-# Copyright (C) 1996-2014 Free Software Foundation, Inc.
+# Copyright (C) 1996-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -771,8 +761,8 @@ AC_REQUIRE([AM_PROG_INSTALL_STRIP])dnl
 AC_REQUIRE([AC_PROG_MKDIR_P])dnl
 # For better backward compatibility.  To be removed once Automake 1.9.x
 # dies out for good.  For more background, see:
-# <http://lists.gnu.org/archive/html/automake/2012-07/msg00001.html>
-# <http://lists.gnu.org/archive/html/automake/2012-07/msg00014.html>
+# <https://lists.gnu.org/archive/html/automake/2012-07/msg00001.html>
+# <https://lists.gnu.org/archive/html/automake/2012-07/msg00014.html>
 AC_SUBST([mkdir_p], ['$(MKDIR_P)'])
 # We need awk for the "check" target (and possibly the TAP driver).  The
 # system "awk" is bad on some platforms.
@@ -839,7 +829,7 @@ END
 Aborting the configuration process, to ensure you take notice of the issue.
 
 You can download and install GNU coreutils to get an 'rm' implementation
-that behaves properly: <http://www.gnu.org/software/coreutils/>.
+that behaves properly: <https://www.gnu.org/software/coreutils/>.
 
 If you want to complete the configuration process using your problematic
 'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM
@@ -881,7 +871,7 @@ for _am_header in $config_headers :; do
 done
 echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count])
 
-# Copyright (C) 2001-2014 Free Software Foundation, Inc.
+# Copyright (C) 2001-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -902,7 +892,7 @@ if test x"${install_sh+set}" != xset; th
 fi
 AC_SUBST([install_sh])])
 
-# Copyright (C) 2003-2014 Free Software Foundation, Inc.
+# Copyright (C) 2003-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -924,7 +914,7 @@ AC_SUBST([am__leading_dot])])
 # Add --enable-maintainer-mode option to configure.         -*- Autoconf -*-
 # From Jim Meyering
 
-# Copyright (C) 1996-2014 Free Software Foundation, Inc.
+# Copyright (C) 1996-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -959,7 +949,7 @@ AC_MSG_CHECKING([whether to enable maint
 
 # Check to see how 'make' treats includes.	            -*- Autoconf -*-
 
-# Copyright (C) 2001-2014 Free Software Foundation, Inc.
+# Copyright (C) 2001-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -967,49 +957,42 @@ AC_MSG_CHECKING([whether to enable maint
 
 # AM_MAKE_INCLUDE()
 # -----------------
-# Check to see how make treats includes.
+# Check whether make has an 'include' directive that can support all
+# the idioms we need for our automatic dependency tracking code.
 AC_DEFUN([AM_MAKE_INCLUDE],
-[am_make=${MAKE-make}
-cat > confinc << 'END'
+[AC_MSG_CHECKING([whether ${MAKE-make} supports the include directive])
+cat > confinc.mk << 'END'
 am__doit:
-	@echo this is the am__doit target
+	@echo this is the am__doit target >confinc.out
 .PHONY: am__doit
 END
-# If we don't find an include directive, just comment out the code.
-AC_MSG_CHECKING([for style of include used by $am_make])
 am__include="#"
 am__quote=
-_am_result=none
-# First try GNU make style include.
-echo "include confinc" > confmf
-# Ignore all kinds of additional output from 'make'.
-case `$am_make -s -f confmf 2> /dev/null` in #(
-*the\ am__doit\ target*)
-  am__include=include
-  am__quote=
-  _am_result=GNU
-  ;;
-esac
-# Now try BSD make style include.
-if test "$am__include" = "#"; then
-   echo '.include "confinc"' > confmf
-   case `$am_make -s -f confmf 2> /dev/null` in #(
-   *the\ am__doit\ target*)
-     am__include=.include
-     am__quote="\""
-     _am_result=BSD
-     ;;
-   esac
-fi
-AC_SUBST([am__include])
-AC_SUBST([am__quote])
-AC_MSG_RESULT([$_am_result])
-rm -f confinc confmf
-])
+# BSD make does it like this.
+echo '.include "confinc.mk" # ignored' > confmf.BSD
+# Other make implementations (GNU, Solaris 10, AIX) do it like this.
+echo 'include confinc.mk # ignored' > confmf.GNU
+_am_result=no
+for s in GNU BSD; do
+  AM_RUN_LOG([${MAKE-make} -f confmf.$s && cat confinc.out])
+  AS_CASE([$?:`cat confinc.out 2>/dev/null`],
+      ['0:this is the am__doit target'],
+      [AS_CASE([$s],
+          [BSD], [am__include='.include' am__quote='"'],
+          [am__include='include' am__quote=''])])
+  if test "$am__include" != "#"; then
+    _am_result="yes ($s style)"
+    break
+  fi
+done
+rm -f confinc.* confmf.*
+AC_MSG_RESULT([${_am_result}])
+AC_SUBST([am__include])])
+AC_SUBST([am__quote])])
 
 # Fake the existence of programs that GNU maintainers use.  -*- Autoconf -*-
 
-# Copyright (C) 1997-2014 Free Software Foundation, Inc.
+# Copyright (C) 1997-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -1050,7 +1033,7 @@ fi
 # Obsolete and "removed" macros, that must however still report explicit
 # error messages when used, to smooth transition.
 #
-# Copyright (C) 1996-2014 Free Software Foundation, Inc.
+# Copyright (C) 1996-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -1077,7 +1060,7 @@ AU_DEFUN([fp_C_PROTOTYPES], [AM_C_PROTOT
 
 # Helper functions for option handling.                     -*- Autoconf -*-
 
-# Copyright (C) 2001-2014 Free Software Foundation, Inc.
+# Copyright (C) 2001-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -1106,7 +1089,7 @@ AC_DEFUN([_AM_SET_OPTIONS],
 AC_DEFUN([_AM_IF_OPTION],
 [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
 
-# Copyright (C) 1999-2014 Free Software Foundation, Inc.
+# Copyright (C) 1999-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -1153,7 +1136,7 @@ AC_LANG_POP([C])])
 # For backward compatibility.
 AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])])
 
-# Copyright (C) 2001-2014 Free Software Foundation, Inc.
+# Copyright (C) 2001-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -1172,7 +1155,7 @@ AC_DEFUN([AM_RUN_LOG],
 
 # Check to make sure that the build environment is sane.    -*- Autoconf -*-
 
-# Copyright (C) 1996-2014 Free Software Foundation, Inc.
+# Copyright (C) 1996-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -1253,7 +1236,7 @@ AC_CONFIG_COMMANDS_PRE(
 rm -f conftest.file
 ])
 
-# Copyright (C) 2009-2014 Free Software Foundation, Inc.
+# Copyright (C) 2009-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -1313,7 +1296,7 @@ AC_SUBST([AM_BACKSLASH])dnl
 _AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl
 ])
 
-# Copyright (C) 2001-2014 Free Software Foundation, Inc.
+# Copyright (C) 2001-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -1341,7 +1324,7 @@ fi
 INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
 AC_SUBST([INSTALL_STRIP_PROGRAM])])
 
-# Copyright (C) 2006-2014 Free Software Foundation, Inc.
+# Copyright (C) 2006-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -1360,7 +1343,7 @@ AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_
 
 # Check how to create a tarball.                            -*- Autoconf -*-
 
-# Copyright (C) 2004-2014 Free Software Foundation, Inc.
+# Copyright (C) 2004-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -1493,7 +1476,6 @@ AC_SUBST([am__untar])
 
 m4_include([m4/apache.m4])
 m4_include([m4/apache_test.m4])
-m4_include([m4/apr_memcache.m4])
 m4_include([m4/ax_prog_doxygen.m4])
 m4_include([m4/libtool.m4])
 m4_include([m4/ltoptions.m4])
diff -pruN 0.8.2-3/CHANGELOG 0.9.0-1/CHANGELOG
--- 0.8.2-3/CHANGELOG	2017-01-08 13:58:47.000000000 +0000
+++ 0.9.0-1/CHANGELOG	2019-01-23 07:46:40.000000000 +0000
@@ -1,3 +1,60 @@
+** Version 0.9.0 (2019-01-23)
+- Security fix: Refuse to send or receive any data over a failed TLS
+  connection (commit 72b669eae8c45dda1850e8e5b30a97c918357b51). The
+  previous behavior could lead to requests on reverse proxy TLS
+  connections being sent in plain text, and might have allowed faking
+  requests in plain text.
+- Security fix: Reject HTTP requests if they try to access virtual
+  hosts that do not match their TLS connections (commit
+  de3fad3c12f53cdbf082ad675e4b10f521a02811). Additionally check if SNI
+  and Host header match. Thanks to Krista Karppinen for contributing
+  tests!
+- OCSP stapling is now enabled by default, if possible. OCSP responses
+  are updated regularly and stored in a cache separate from the
+  session cache. The OCSP cache uses mod_socache_shmcb by default
+  (if the module is loaded, no other configuration required).
+- Session tickets are now enabled by default if using GnuTLS 3.6.4 or
+  newer. GnuTLS 3.6.4 introduced automatic rotation for the used key,
+  and TLS 1.3 takes care of other reasons not to use tickets while
+  requiring them for session resumption. Note that there is currently
+  no mechanism to synchronize ticket keys across a cluster of servers.
+- The internal cache implementation has been replaced with
+  mod_socache. Users may need to update their GnuTLSCache settings and
+  load the appropriate socache modules.
+- ALPN (required for HTTP/2) now works correctly with different
+  "Protocols" directives between virtual hosts if building with GnuTLS
+  3.6.3 or newer. Older versions require identical "Protocols"
+  directives for overlapping virtual hosts. Thanks to Vincent Tamet
+  for the bug report!
+- ALPN is now supported for proxy connections, making HTTP/2 proxy
+  connections using mod_proxy_http2 possible.
+- GnuTLSPriorities is optional now and defaults to "NORMAL" if
+  missing. The same applies to GnuTLSProxyPriorities (if TLS proxy is
+  enabled).
+- The manual is now built as a manual page, too, if pandoc is
+  available.
+- OpenPGP support has been removed.
+- Don't require pem2openpgp for tests when building without MSVA
+  support.
+
+** Version 0.8.4 (2018-04-13)
+- Support Apache HTTPD 2.4.33 API for proxy TLS connections
+- Support TLS for HTTP/2 connections with mod_http2
+- Fix configuration of OCSP stapling callback
+
+** Version 0.8.3 (2017-10-20)
+- Use GnuTLS' default DH parameters by default
+- Handle long Server Name Indication data and gracefully ignore
+  unknown SNI types
+- Send SNI for proxy connections
+- Deprecate OpenPGP support like GnuTLS did (will be removed
+  completely in a future release)
+- Do not announce session ticket support for proxy connections
+- Minor documentation updates (SSL_CLIENT_I_DN, reference for SNI)
+- Test suite: Simplify handling of proxy backend servers and OCSP
+  responders
+- Test suite: stability/compatibility fixes
+
 ** Version 0.8.2 (2017-01-08)
 - Test suite: Ensure CRLF line ends in HTTP headers
 - Test suite, gen_ocsp_index.c: Handle serial as fixed order byte array
diff -pruN 0.8.2-3/config/compile 0.9.0-1/config/compile
--- 0.8.2-3/config/compile	2017-01-08 14:08:05.000000000 +0000
+++ 0.9.0-1/config/compile	2019-01-23 20:15:47.000000000 +0000
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Wrapper for compilers which do not understand '-c -o'.
 
-scriptversion=2012-10-14.11; # UTC
+scriptversion=2018-03-07.03; # UTC
 
-# Copyright (C) 1999-2014 Free Software Foundation, Inc.
+# Copyright (C) 1999-2018 Free Software Foundation, Inc.
 # Written by Tom Tromey <tromey@cygnus.com>.
 #
 # This program is free software; you can redistribute it and/or modify
@@ -17,7 +17,7 @@ scriptversion=2012-10-14.11; # UTC
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -255,7 +255,8 @@ EOF
     echo "compile $scriptversion"
     exit $?
     ;;
-  cl | *[/\\]cl | cl.exe | *[/\\]cl.exe )
+  cl | *[/\\]cl | cl.exe | *[/\\]cl.exe | \
+  icl | *[/\\]icl | icl.exe | *[/\\]icl.exe )
     func_cl_wrapper "$@"      # Doesn't return...
     ;;
 esac
@@ -339,9 +340,9 @@ exit $ret
 # Local Variables:
 # mode: shell-script
 # sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
+# eval: (add-hook 'before-save-hook 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC"
+# time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:
diff -pruN 0.8.2-3/config/config.guess 0.9.0-1/config/config.guess
--- 0.8.2-3/config/config.guess	2017-01-08 14:08:05.000000000 +0000
+++ 0.9.0-1/config/config.guess	2019-01-23 20:15:47.000000000 +0000
@@ -1,8 +1,8 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
-#   Copyright 1992-2016 Free Software Foundation, Inc.
+#   Copyright 1992-2018 Free Software Foundation, Inc.
 
-timestamp='2016-04-02'
+timestamp='2018-02-24'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -15,7 +15,7 @@ timestamp='2016-04-02'
 # General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, see <http://www.gnu.org/licenses/>.
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
 #
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -27,7 +27,7 @@ timestamp='2016-04-02'
 # Originally written by Per Bothner; maintained since 2000 by Ben Elliston.
 #
 # You can get the latest version of this script from:
-# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
+# https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
 #
 # Please send patches to <config-patches@gnu.org>.
 
@@ -39,7 +39,7 @@ Usage: $0 [OPTION]
 
 Output the configuration name of the system \`$me' is run on.
 
-Operation modes:
+Options:
   -h, --help         print this help, then exit
   -t, --time-stamp   print date of last modification, then exit
   -v, --version      print version number, then exit
@@ -50,7 +50,7 @@ version="\
 GNU config.guess ($timestamp)
 
 Originally written by Per Bothner.
-Copyright 1992-2016 Free Software Foundation, Inc.
+Copyright 1992-2018 Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -107,9 +107,9 @@ trap "rm -f \$tmpfiles 2>/dev/null; rmdi
 dummy=$tmp/dummy ;
 tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
 case $CC_FOR_BUILD,$HOST_CC,$CC in
- ,,)    echo "int x;" > $dummy.c ;
+ ,,)    echo "int x;" > "$dummy.c" ;
 	for c in cc gcc c89 c99 ; do
-	  if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then
+	  if ($c -c -o "$dummy.o" "$dummy.c") >/dev/null 2>&1 ; then
 	     CC_FOR_BUILD="$c"; break ;
 	  fi ;
 	done ;
@@ -132,14 +132,14 @@ UNAME_RELEASE=`(uname -r) 2>/dev/null` |
 UNAME_SYSTEM=`(uname -s) 2>/dev/null`  || UNAME_SYSTEM=unknown
 UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
 
-case "${UNAME_SYSTEM}" in
+case "$UNAME_SYSTEM" in
 Linux|GNU|GNU/*)
 	# If the system lacks a compiler, then just pick glibc.
 	# We could probably try harder.
 	LIBC=gnu
 
-	eval $set_cc_for_build
-	cat <<-EOF > $dummy.c
+	eval "$set_cc_for_build"
+	cat <<-EOF > "$dummy.c"
 	#include <features.h>
 	#if defined(__UCLIBC__)
 	LIBC=uclibc
@@ -149,13 +149,20 @@ Linux|GNU|GNU/*)
 	LIBC=gnu
 	#endif
 	EOF
-	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`
+	eval "`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`"
+
+	# If ldd exists, use it to detect musl libc.
+	if command -v ldd >/dev/null && \
+		ldd --version 2>&1 | grep -q ^musl
+	then
+	    LIBC=musl
+	fi
 	;;
 esac
 
 # Note: order is significant - the case branches are not exclusive.
 
-case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
+case "$UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION" in
     *:NetBSD:*:*)
 	# NetBSD (nbsd) targets should (where applicable) match one or
 	# more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*,
@@ -169,27 +176,30 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:$
 	# portion of the name.  We always set it to "unknown".
 	sysctl="sysctl -n hw.machine_arch"
 	UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \
-	    /sbin/$sysctl 2>/dev/null || \
-	    /usr/sbin/$sysctl 2>/dev/null || \
+	    "/sbin/$sysctl" 2>/dev/null || \
+	    "/usr/sbin/$sysctl" 2>/dev/null || \
 	    echo unknown)`
-	case "${UNAME_MACHINE_ARCH}" in
+	case "$UNAME_MACHINE_ARCH" in
 	    armeb) machine=armeb-unknown ;;
 	    arm*) machine=arm-unknown ;;
 	    sh3el) machine=shl-unknown ;;
 	    sh3eb) machine=sh-unknown ;;
 	    sh5el) machine=sh5le-unknown ;;
 	    earmv*)
-		arch=`echo ${UNAME_MACHINE_ARCH} | sed -e 's,^e\(armv[0-9]\).*$,\1,'`
-		endian=`echo ${UNAME_MACHINE_ARCH} | sed -ne 's,^.*\(eb\)$,\1,p'`
-		machine=${arch}${endian}-unknown
+		arch=`echo "$UNAME_MACHINE_ARCH" | sed -e 's,^e\(armv[0-9]\).*$,\1,'`
+		endian=`echo "$UNAME_MACHINE_ARCH" | sed -ne 's,^.*\(eb\)$,\1,p'`
+		machine="${arch}${endian}"-unknown
 		;;
-	    *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
+	    *) machine="$UNAME_MACHINE_ARCH"-unknown ;;
 	esac
 	# The Operating System including object format, if it has switched
-	# to ELF recently, or will in the future.
-	case "${UNAME_MACHINE_ARCH}" in
-	    arm*|earm*|i386|m68k|ns32k|sh3*|sparc|vax)
-		eval $set_cc_for_build
+	# to ELF recently (or will in the future) and ABI.
+	case "$UNAME_MACHINE_ARCH" in
+	    earm*)
+		os=netbsdelf
+		;;
+	    arm*|i386|m68k|ns32k|sh3*|sparc|vax)
+		eval "$set_cc_for_build"
 		if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
 			| grep -q __ELF__
 		then
@@ -205,10 +215,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:$
 		;;
 	esac
 	# Determine ABI tags.
-	case "${UNAME_MACHINE_ARCH}" in
+	case "$UNAME_MACHINE_ARCH" in
 	    earm*)
 		expr='s/^earmv[0-9]/-eabi/;s/eb$//'
-		abi=`echo ${UNAME_MACHINE_ARCH} | sed -e "$expr"`
+		abi=`echo "$UNAME_MACHINE_ARCH" | sed -e "$expr"`
 		;;
 	esac
 	# The OS release
@@ -216,46 +226,55 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:$
 	# thus, need a distinct triplet. However, they do not need
 	# kernel version information, so it can be replaced with a
 	# suitable tag, in the style of linux-gnu.
-	case "${UNAME_VERSION}" in
+	case "$UNAME_VERSION" in
 	    Debian*)
 		release='-gnu'
 		;;
 	    *)
-		release=`echo ${UNAME_RELEASE} | sed -e 's/[-_].*//' | cut -d. -f1,2`
+		release=`echo "$UNAME_RELEASE" | sed -e 's/[-_].*//' | cut -d. -f1,2`
 		;;
 	esac
 	# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
 	# contains redundant information, the shorter form:
 	# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
-	echo "${machine}-${os}${release}${abi}"
+	echo "$machine-${os}${release}${abi}"
 	exit ;;
     *:Bitrig:*:*)
 	UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'`
-	echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE}
+	echo "$UNAME_MACHINE_ARCH"-unknown-bitrig"$UNAME_RELEASE"
 	exit ;;
     *:OpenBSD:*:*)
 	UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
-	echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
+	echo "$UNAME_MACHINE_ARCH"-unknown-openbsd"$UNAME_RELEASE"
 	exit ;;
     *:LibertyBSD:*:*)
 	UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'`
-	echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE}
+	echo "$UNAME_MACHINE_ARCH"-unknown-libertybsd"$UNAME_RELEASE"
+	exit ;;
+    *:MidnightBSD:*:*)
+	echo "$UNAME_MACHINE"-unknown-midnightbsd"$UNAME_RELEASE"
 	exit ;;
     *:ekkoBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
+	echo "$UNAME_MACHINE"-unknown-ekkobsd"$UNAME_RELEASE"
 	exit ;;
     *:SolidBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE}
+	echo "$UNAME_MACHINE"-unknown-solidbsd"$UNAME_RELEASE"
 	exit ;;
     macppc:MirBSD:*:*)
-	echo powerpc-unknown-mirbsd${UNAME_RELEASE}
+	echo powerpc-unknown-mirbsd"$UNAME_RELEASE"
 	exit ;;
     *:MirBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
+	echo "$UNAME_MACHINE"-unknown-mirbsd"$UNAME_RELEASE"
 	exit ;;
     *:Sortix:*:*)
-	echo ${UNAME_MACHINE}-unknown-sortix
+	echo "$UNAME_MACHINE"-unknown-sortix
 	exit ;;
+    *:Redox:*:*)
+	echo "$UNAME_MACHINE"-unknown-redox
+	exit ;;
+    mips:OSF1:*.*)
+        echo mips-dec-osf1
+        exit ;;
     alpha:OSF1:*:*)
 	case $UNAME_RELEASE in
 	*4.0)
@@ -307,28 +326,19 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:$
 	# A Tn.n version is a released field test version.
 	# A Xn.n version is an unreleased experimental baselevel.
 	# 1.2 uses "1.2" for uname -r.
-	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
+	echo "$UNAME_MACHINE"-dec-osf"`echo "$UNAME_RELEASE" | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`"
 	# Reset EXIT trap before exiting to avoid spurious non-zero exit code.
 	exitcode=$?
 	trap '' 0
 	exit $exitcode ;;
-    Alpha\ *:Windows_NT*:*)
-	# How do we know it's Interix rather than the generic POSIX subsystem?
-	# Should we change UNAME_MACHINE based on the output of uname instead
-	# of the specific Alpha model?
-	echo alpha-pc-interix
-	exit ;;
-    21064:Windows_NT:50:3)
-	echo alpha-dec-winnt3.5
-	exit ;;
     Amiga*:UNIX_System_V:4.0:*)
 	echo m68k-unknown-sysv4
 	exit ;;
     *:[Aa]miga[Oo][Ss]:*:*)
-	echo ${UNAME_MACHINE}-unknown-amigaos
+	echo "$UNAME_MACHINE"-unknown-amigaos
 	exit ;;
     *:[Mm]orph[Oo][Ss]:*:*)
-	echo ${UNAME_MACHINE}-unknown-morphos
+	echo "$UNAME_MACHINE"-unknown-morphos
 	exit ;;
     *:OS/390:*:*)
 	echo i370-ibm-openedition
@@ -340,7 +350,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:$
 	echo powerpc-ibm-os400
 	exit ;;
     arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
-	echo arm-acorn-riscix${UNAME_RELEASE}
+	echo arm-acorn-riscix"$UNAME_RELEASE"
 	exit ;;
     arm*:riscos:*:*|arm*:RISCOS:*:*)
 	echo arm-unknown-riscos
@@ -367,19 +377,19 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:$
 	    sparc) echo sparc-icl-nx7; exit ;;
 	esac ;;
     s390x:SunOS:*:*)
-	echo ${UNAME_MACHINE}-ibm-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	echo "$UNAME_MACHINE"-ibm-solaris2"`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'`"
 	exit ;;
     sun4H:SunOS:5.*:*)
-	echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	echo sparc-hal-solaris2"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`"
 	exit ;;
     sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
-	echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	echo sparc-sun-solaris2"`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'`"
 	exit ;;
     i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*)
-	echo i386-pc-auroraux${UNAME_RELEASE}
+	echo i386-pc-auroraux"$UNAME_RELEASE"
 	exit ;;
     i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
-	eval $set_cc_for_build
+	eval "$set_cc_for_build"
 	SUN_ARCH=i386
 	# If there is a compiler, see if it is configured for 64-bit objects.
 	# Note that the Sun cc does not turn __LP64__ into 1 like gcc does.
@@ -392,13 +402,13 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:$
 		SUN_ARCH=x86_64
 	    fi
 	fi
-	echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	echo "$SUN_ARCH"-pc-solaris2"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`"
 	exit ;;
     sun4*:SunOS:6*:*)
 	# According to config.sub, this is the proper way to canonicalize
 	# SunOS6.  Hard to guess exactly what SunOS6 will be like, but
 	# it's likely to be more like Solaris than SunOS4.
-	echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	echo sparc-sun-solaris3"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`"
 	exit ;;
     sun4*:SunOS:*:*)
 	case "`/usr/bin/arch -k`" in
@@ -407,25 +417,25 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:$
 		;;
 	esac
 	# Japanese Language versions have a version number like `4.1.3-JL'.
-	echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
+	echo sparc-sun-sunos"`echo "$UNAME_RELEASE"|sed -e 's/-/_/'`"
 	exit ;;
     sun3*:SunOS:*:*)
-	echo m68k-sun-sunos${UNAME_RELEASE}
+	echo m68k-sun-sunos"$UNAME_RELEASE"
 	exit ;;
     sun*:*:4.2BSD:*)
 	UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
-	test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3
+	test "x$UNAME_RELEASE" = x && UNAME_RELEASE=3
 	case "`/bin/arch`" in
 	    sun3)
-		echo m68k-sun-sunos${UNAME_RELEASE}
+		echo m68k-sun-sunos"$UNAME_RELEASE"
 		;;
 	    sun4)
-		echo sparc-sun-sunos${UNAME_RELEASE}
+		echo sparc-sun-sunos"$UNAME_RELEASE"
 		;;
 	esac
 	exit ;;
     aushp:SunOS:*:*)
-	echo sparc-auspex-sunos${UNAME_RELEASE}
+	echo sparc-auspex-sunos"$UNAME_RELEASE"
 	exit ;;
     # The situation for MiNT is a little confusing.  The machine name
     # can be virtually everything (everything which is not
@@ -436,44 +446,44 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:$
     # MiNT.  But MiNT is downward compatible to TOS, so this should
     # be no problem.
     atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
-	echo m68k-atari-mint${UNAME_RELEASE}
+	echo m68k-atari-mint"$UNAME_RELEASE"
 	exit ;;
     atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
-	echo m68k-atari-mint${UNAME_RELEASE}
+	echo m68k-atari-mint"$UNAME_RELEASE"
 	exit ;;
     *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
-	echo m68k-atari-mint${UNAME_RELEASE}
+	echo m68k-atari-mint"$UNAME_RELEASE"
 	exit ;;
     milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
-	echo m68k-milan-mint${UNAME_RELEASE}
+	echo m68k-milan-mint"$UNAME_RELEASE"
 	exit ;;
     hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
-	echo m68k-hades-mint${UNAME_RELEASE}
+	echo m68k-hades-mint"$UNAME_RELEASE"
 	exit ;;
     *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
-	echo m68k-unknown-mint${UNAME_RELEASE}
+	echo m68k-unknown-mint"$UNAME_RELEASE"
 	exit ;;
     m68k:machten:*:*)
-	echo m68k-apple-machten${UNAME_RELEASE}
+	echo m68k-apple-machten"$UNAME_RELEASE"
 	exit ;;
     powerpc:machten:*:*)
-	echo powerpc-apple-machten${UNAME_RELEASE}
+	echo powerpc-apple-machten"$UNAME_RELEASE"
 	exit ;;
     RISC*:Mach:*:*)
 	echo mips-dec-mach_bsd4.3
 	exit ;;
     RISC*:ULTRIX:*:*)
-	echo mips-dec-ultrix${UNAME_RELEASE}
+	echo mips-dec-ultrix"$UNAME_RELEASE"
 	exit ;;
     VAX*:ULTRIX*:*:*)
-	echo vax-dec-ultrix${UNAME_RELEASE}
+	echo vax-dec-ultrix"$UNAME_RELEASE"
 	exit ;;
     2020:CLIX:*:* | 2430:CLIX:*:*)
-	echo clipper-intergraph-clix${UNAME_RELEASE}
+	echo clipper-intergraph-clix"$UNAME_RELEASE"
 	exit ;;
     mips:*:*:UMIPS | mips:*:*:RISCos)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
+	eval "$set_cc_for_build"
+	sed 's/^	//' << EOF > "$dummy.c"
 #ifdef __cplusplus
 #include <stdio.h>  /* for printf() prototype */
 	int main (int argc, char *argv[]) {
@@ -482,23 +492,23 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:$
 #endif
 	#if defined (host_mips) && defined (MIPSEB)
 	#if defined (SYSTYPE_SYSV)
-	  printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
+	  printf ("mips-mips-riscos%ssysv\\n", argv[1]); exit (0);
 	#endif
 	#if defined (SYSTYPE_SVR4)
-	  printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
+	  printf ("mips-mips-riscos%ssvr4\\n", argv[1]); exit (0);
 	#endif
 	#if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
-	  printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
+	  printf ("mips-mips-riscos%sbsd\\n", argv[1]); exit (0);
 	#endif
 	#endif
 	  exit (-1);
 	}
 EOF
-	$CC_FOR_BUILD -o $dummy $dummy.c &&
-	  dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` &&
-	  SYSTEM_NAME=`$dummy $dummyarg` &&
+	$CC_FOR_BUILD -o "$dummy" "$dummy.c" &&
+	  dummyarg=`echo "$UNAME_RELEASE" | sed -n 's/\([0-9]*\).*/\1/p'` &&
+	  SYSTEM_NAME=`"$dummy" "$dummyarg"` &&
 	    { echo "$SYSTEM_NAME"; exit; }
-	echo mips-mips-riscos${UNAME_RELEASE}
+	echo mips-mips-riscos"$UNAME_RELEASE"
 	exit ;;
     Motorola:PowerMAX_OS:*:*)
 	echo powerpc-motorola-powermax
@@ -524,17 +534,17 @@ EOF
     AViiON:dgux:*:*)
 	# DG/UX returns AViiON for all architectures
 	UNAME_PROCESSOR=`/usr/bin/uname -p`
-	if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
+	if [ "$UNAME_PROCESSOR" = mc88100 ] || [ "$UNAME_PROCESSOR" = mc88110 ]
 	then
-	    if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
-	       [ ${TARGET_BINARY_INTERFACE}x = x ]
+	    if [ "$TARGET_BINARY_INTERFACE"x = m88kdguxelfx ] || \
+	       [ "$TARGET_BINARY_INTERFACE"x = x ]
 	    then
-		echo m88k-dg-dgux${UNAME_RELEASE}
+		echo m88k-dg-dgux"$UNAME_RELEASE"
 	    else
-		echo m88k-dg-dguxbcs${UNAME_RELEASE}
+		echo m88k-dg-dguxbcs"$UNAME_RELEASE"
 	    fi
 	else
-	    echo i586-dg-dgux${UNAME_RELEASE}
+	    echo i586-dg-dgux"$UNAME_RELEASE"
 	fi
 	exit ;;
     M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
@@ -551,7 +561,7 @@ EOF
 	echo m68k-tektronix-bsd
 	exit ;;
     *:IRIX*:*:*)
-	echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
+	echo mips-sgi-irix"`echo "$UNAME_RELEASE"|sed -e 's/-/_/g'`"
 	exit ;;
     ????????:AIX?:[12].1:2)   # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
 	echo romp-ibm-aix     # uname -m gives an 8 hex-code CPU id
@@ -563,14 +573,14 @@ EOF
 	if [ -x /usr/bin/oslevel ] ; then
 		IBM_REV=`/usr/bin/oslevel`
 	else
-		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+		IBM_REV="$UNAME_VERSION.$UNAME_RELEASE"
 	fi
-	echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
+	echo "$UNAME_MACHINE"-ibm-aix"$IBM_REV"
 	exit ;;
     *:AIX:2:3)
 	if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
-		eval $set_cc_for_build
-		sed 's/^		//' << EOF >$dummy.c
+		eval "$set_cc_for_build"
+		sed 's/^		//' << EOF > "$dummy.c"
 		#include <sys/systemcfg.h>
 
 		main()
@@ -581,7 +591,7 @@ EOF
 			exit(0);
 			}
 EOF
-		if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy`
+		if $CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"`
 		then
 			echo "$SYSTEM_NAME"
 		else
@@ -595,7 +605,7 @@ EOF
 	exit ;;
     *:AIX:*:[4567])
 	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
-	if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
+	if /usr/sbin/lsattr -El "$IBM_CPU_ID" | grep ' POWER' >/dev/null 2>&1; then
 		IBM_ARCH=rs6000
 	else
 		IBM_ARCH=powerpc
@@ -604,18 +614,18 @@ EOF
 		IBM_REV=`/usr/bin/lslpp -Lqc bos.rte.libc |
 			   awk -F: '{ print $3 }' | sed s/[0-9]*$/0/`
 	else
-		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+		IBM_REV="$UNAME_VERSION.$UNAME_RELEASE"
 	fi
-	echo ${IBM_ARCH}-ibm-aix${IBM_REV}
+	echo "$IBM_ARCH"-ibm-aix"$IBM_REV"
 	exit ;;
     *:AIX:*:*)
 	echo rs6000-ibm-aix
 	exit ;;
-    ibmrt:4.4BSD:*|romp-ibm:BSD:*)
+    ibmrt:4.4BSD:*|romp-ibm:4.4BSD:*)
 	echo romp-ibm-bsd4.4
 	exit ;;
     ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC BSD and
-	echo romp-ibm-bsd${UNAME_RELEASE}   # 4.3 with uname added to
+	echo romp-ibm-bsd"$UNAME_RELEASE"   # 4.3 with uname added to
 	exit ;;                             # report: romp-ibm BSD 4.3
     *:BOSX:*:*)
 	echo rs6000-bull-bosx
@@ -630,28 +640,28 @@ EOF
 	echo m68k-hp-bsd4.4
 	exit ;;
     9000/[34678]??:HP-UX:*:*)
-	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
-	case "${UNAME_MACHINE}" in
-	    9000/31? )            HP_ARCH=m68000 ;;
-	    9000/[34]?? )         HP_ARCH=m68k ;;
+	HPUX_REV=`echo "$UNAME_RELEASE"|sed -e 's/[^.]*.[0B]*//'`
+	case "$UNAME_MACHINE" in
+	    9000/31?)            HP_ARCH=m68000 ;;
+	    9000/[34]??)         HP_ARCH=m68k ;;
 	    9000/[678][0-9][0-9])
 		if [ -x /usr/bin/getconf ]; then
 		    sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
 		    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
-		    case "${sc_cpu_version}" in
+		    case "$sc_cpu_version" in
 		      523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0
 		      528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1
 		      532)                      # CPU_PA_RISC2_0
-			case "${sc_kernel_bits}" in
+			case "$sc_kernel_bits" in
 			  32) HP_ARCH=hppa2.0n ;;
 			  64) HP_ARCH=hppa2.0w ;;
 			  '') HP_ARCH=hppa2.0 ;;   # HP-UX 10.20
 			esac ;;
 		    esac
 		fi
-		if [ "${HP_ARCH}" = "" ]; then
-		    eval $set_cc_for_build
-		    sed 's/^		//' << EOF >$dummy.c
+		if [ "$HP_ARCH" = "" ]; then
+		    eval "$set_cc_for_build"
+		    sed 's/^		//' << EOF > "$dummy.c"
 
 		#define _HPUX_SOURCE
 		#include <stdlib.h>
@@ -684,13 +694,13 @@ EOF
 		    exit (0);
 		}
 EOF
-		    (CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
+		    (CCOPTS="" $CC_FOR_BUILD -o "$dummy" "$dummy.c" 2>/dev/null) && HP_ARCH=`"$dummy"`
 		    test -z "$HP_ARCH" && HP_ARCH=hppa
 		fi ;;
 	esac
-	if [ ${HP_ARCH} = hppa2.0w ]
+	if [ "$HP_ARCH" = hppa2.0w ]
 	then
-	    eval $set_cc_for_build
+	    eval "$set_cc_for_build"
 
 	    # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating
 	    # 32-bit code.  hppa64-hp-hpux* has the same kernel and a compiler
@@ -709,15 +719,15 @@ EOF
 		HP_ARCH=hppa64
 	    fi
 	fi
-	echo ${HP_ARCH}-hp-hpux${HPUX_REV}
+	echo "$HP_ARCH"-hp-hpux"$HPUX_REV"
 	exit ;;
     ia64:HP-UX:*:*)
-	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
-	echo ia64-hp-hpux${HPUX_REV}
+	HPUX_REV=`echo "$UNAME_RELEASE"|sed -e 's/[^.]*.[0B]*//'`
+	echo ia64-hp-hpux"$HPUX_REV"
 	exit ;;
     3050*:HI-UX:*:*)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
+	eval "$set_cc_for_build"
+	sed 's/^	//' << EOF > "$dummy.c"
 	#include <unistd.h>
 	int
 	main ()
@@ -742,11 +752,11 @@ EOF
 	  exit (0);
 	}
 EOF
-	$CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` &&
+	$CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"` &&
 		{ echo "$SYSTEM_NAME"; exit; }
 	echo unknown-hitachi-hiuxwe2
 	exit ;;
-    9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
+    9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:*)
 	echo hppa1.1-hp-bsd
 	exit ;;
     9000/8??:4.3bsd:*:*)
@@ -755,7 +765,7 @@ EOF
     *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
 	echo hppa1.0-hp-mpeix
 	exit ;;
-    hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
+    hp7??:OSF1:*:* | hp8?[79]:OSF1:*:*)
 	echo hppa1.1-hp-osf
 	exit ;;
     hp8??:OSF1:*:*)
@@ -763,9 +773,9 @@ EOF
 	exit ;;
     i*86:OSF1:*:*)
 	if [ -x /usr/sbin/sysversion ] ; then
-	    echo ${UNAME_MACHINE}-unknown-osf1mk
+	    echo "$UNAME_MACHINE"-unknown-osf1mk
 	else
-	    echo ${UNAME_MACHINE}-unknown-osf1
+	    echo "$UNAME_MACHINE"-unknown-osf1
 	fi
 	exit ;;
     parisc*:Lites*:*:*)
@@ -790,127 +800,109 @@ EOF
 	echo c4-convex-bsd
 	exit ;;
     CRAY*Y-MP:*:*:*)
-	echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	echo ymp-cray-unicos"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'
 	exit ;;
     CRAY*[A-Z]90:*:*:*)
-	echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
+	echo "$UNAME_MACHINE"-cray-unicos"$UNAME_RELEASE" \
 	| sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
 	      -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
 	      -e 's/\.[^.]*$/.X/'
 	exit ;;
     CRAY*TS:*:*:*)
-	echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	echo t90-cray-unicos"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'
 	exit ;;
     CRAY*T3E:*:*:*)
-	echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	echo alphaev5-cray-unicosmk"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'
 	exit ;;
     CRAY*SV1:*:*:*)
-	echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	echo sv1-cray-unicos"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'
 	exit ;;
     *:UNICOS/mp:*:*)
-	echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	echo craynv-cray-unicosmp"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'
 	exit ;;
     F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
 	FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
 	FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
-	FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
+	FUJITSU_REL=`echo "$UNAME_RELEASE" | sed -e 's/ /_/'`
 	echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
 	exit ;;
     5000:UNIX_System_V:4.*:*)
 	FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
-	FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'`
+	FUJITSU_REL=`echo "$UNAME_RELEASE" | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'`
 	echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
 	exit ;;
     i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
-	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
+	echo "$UNAME_MACHINE"-pc-bsdi"$UNAME_RELEASE"
 	exit ;;
     sparc*:BSD/OS:*:*)
-	echo sparc-unknown-bsdi${UNAME_RELEASE}
+	echo sparc-unknown-bsdi"$UNAME_RELEASE"
 	exit ;;
     *:BSD/OS:*:*)
-	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
+	echo "$UNAME_MACHINE"-unknown-bsdi"$UNAME_RELEASE"
 	exit ;;
     *:FreeBSD:*:*)
 	UNAME_PROCESSOR=`/usr/bin/uname -p`
-	case ${UNAME_PROCESSOR} in
+	case "$UNAME_PROCESSOR" in
 	    amd64)
-		echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
-	    *)
-		echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+		UNAME_PROCESSOR=x86_64 ;;
+	    i386)
+		UNAME_PROCESSOR=i586 ;;
 	esac
+	echo "$UNAME_PROCESSOR"-unknown-freebsd"`echo "$UNAME_RELEASE"|sed -e 's/[-(].*//'`"
 	exit ;;
     i*:CYGWIN*:*)
-	echo ${UNAME_MACHINE}-pc-cygwin
+	echo "$UNAME_MACHINE"-pc-cygwin
 	exit ;;
     *:MINGW64*:*)
-	echo ${UNAME_MACHINE}-pc-mingw64
+	echo "$UNAME_MACHINE"-pc-mingw64
 	exit ;;
     *:MINGW*:*)
-	echo ${UNAME_MACHINE}-pc-mingw32
+	echo "$UNAME_MACHINE"-pc-mingw32
 	exit ;;
     *:MSYS*:*)
-	echo ${UNAME_MACHINE}-pc-msys
-	exit ;;
-    i*:windows32*:*)
-	# uname -m includes "-pc" on this system.
-	echo ${UNAME_MACHINE}-mingw32
+	echo "$UNAME_MACHINE"-pc-msys
 	exit ;;
     i*:PW*:*)
-	echo ${UNAME_MACHINE}-pc-pw32
+	echo "$UNAME_MACHINE"-pc-pw32
 	exit ;;
     *:Interix*:*)
-	case ${UNAME_MACHINE} in
+	case "$UNAME_MACHINE" in
 	    x86)
-		echo i586-pc-interix${UNAME_RELEASE}
+		echo i586-pc-interix"$UNAME_RELEASE"
 		exit ;;
 	    authenticamd | genuineintel | EM64T)
-		echo x86_64-unknown-interix${UNAME_RELEASE}
+		echo x86_64-unknown-interix"$UNAME_RELEASE"
 		exit ;;
 	    IA64)
-		echo ia64-unknown-interix${UNAME_RELEASE}
+		echo ia64-unknown-interix"$UNAME_RELEASE"
 		exit ;;
 	esac ;;
-    [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
-	echo i${UNAME_MACHINE}-pc-mks
-	exit ;;
-    8664:Windows_NT:*)
-	echo x86_64-pc-mks
-	exit ;;
-    i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
-	# How do we know it's Interix rather than the generic POSIX subsystem?
-	# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
-	# UNAME_MACHINE based on the output of uname instead of i386?
-	echo i586-pc-interix
-	exit ;;
     i*:UWIN*:*)
-	echo ${UNAME_MACHINE}-pc-uwin
+	echo "$UNAME_MACHINE"-pc-uwin
 	exit ;;
     amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*)
 	echo x86_64-unknown-cygwin
 	exit ;;
-    p*:CYGWIN*:*)
-	echo powerpcle-unknown-cygwin
-	exit ;;
     prep*:SunOS:5.*:*)
-	echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	echo powerpcle-unknown-solaris2"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`"
 	exit ;;
     *:GNU:*:*)
 	# the GNU system
-	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
+	echo "`echo "$UNAME_MACHINE"|sed -e 's,[-/].*$,,'`-unknown-$LIBC`echo "$UNAME_RELEASE"|sed -e 's,/.*$,,'`"
 	exit ;;
     *:GNU/*:*:*)
 	# other systems with GNU libc and userland
-	echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC}
+	echo "$UNAME_MACHINE-unknown-`echo "$UNAME_SYSTEM" | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo "$UNAME_RELEASE"|sed -e 's/[-(].*//'`-$LIBC"
 	exit ;;
     i*86:Minix:*:*)
-	echo ${UNAME_MACHINE}-pc-minix
+	echo "$UNAME_MACHINE"-pc-minix
 	exit ;;
     aarch64:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	exit ;;
     aarch64_be:Linux:*:*)
 	UNAME_MACHINE=aarch64_be
-	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	exit ;;
     alpha:Linux:*:*)
 	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
@@ -924,63 +916,63 @@ EOF
 	esac
 	objdump --private-headers /bin/sh | grep -q ld.so.1
 	if test "$?" = 0 ; then LIBC=gnulibc1 ; fi
-	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	exit ;;
     arc:Linux:*:* | arceb:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	exit ;;
     arm*:Linux:*:*)
-	eval $set_cc_for_build
+	eval "$set_cc_for_build"
 	if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \
 	    | grep -q __ARM_EABI__
 	then
-	    echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	    echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	else
 	    if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \
 		| grep -q __ARM_PCS_VFP
 	    then
-		echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi
+		echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"eabi
 	    else
-		echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf
+		echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"eabihf
 	    fi
 	fi
 	exit ;;
     avr32*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	exit ;;
     cris:Linux:*:*)
-	echo ${UNAME_MACHINE}-axis-linux-${LIBC}
+	echo "$UNAME_MACHINE"-axis-linux-"$LIBC"
 	exit ;;
     crisv32:Linux:*:*)
-	echo ${UNAME_MACHINE}-axis-linux-${LIBC}
+	echo "$UNAME_MACHINE"-axis-linux-"$LIBC"
 	exit ;;
     e2k:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	exit ;;
     frv:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	exit ;;
     hexagon:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	exit ;;
     i*86:Linux:*:*)
-	echo ${UNAME_MACHINE}-pc-linux-${LIBC}
+	echo "$UNAME_MACHINE"-pc-linux-"$LIBC"
 	exit ;;
     ia64:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	exit ;;
     k1om:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	exit ;;
     m32r*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	exit ;;
     m68*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	exit ;;
     mips:Linux:*:* | mips64:Linux:*:*)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
+	eval "$set_cc_for_build"
+	sed 's/^	//' << EOF > "$dummy.c"
 	#undef CPU
 	#undef ${UNAME_MACHINE}
 	#undef ${UNAME_MACHINE}el
@@ -994,64 +986,74 @@ EOF
 	#endif
 	#endif
 EOF
-	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
-	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
+	eval "`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^CPU'`"
+	test "x$CPU" != x && { echo "$CPU-unknown-linux-$LIBC"; exit; }
 	;;
+    mips64el:Linux:*:*)
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
+	exit ;;
     openrisc*:Linux:*:*)
-	echo or1k-unknown-linux-${LIBC}
+	echo or1k-unknown-linux-"$LIBC"
 	exit ;;
     or32:Linux:*:* | or1k*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	exit ;;
     padre:Linux:*:*)
-	echo sparc-unknown-linux-${LIBC}
+	echo sparc-unknown-linux-"$LIBC"
 	exit ;;
     parisc64:Linux:*:* | hppa64:Linux:*:*)
-	echo hppa64-unknown-linux-${LIBC}
+	echo hppa64-unknown-linux-"$LIBC"
 	exit ;;
     parisc:Linux:*:* | hppa:Linux:*:*)
 	# Look for CPU level
 	case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
-	  PA7*) echo hppa1.1-unknown-linux-${LIBC} ;;
-	  PA8*) echo hppa2.0-unknown-linux-${LIBC} ;;
-	  *)    echo hppa-unknown-linux-${LIBC} ;;
+	  PA7*) echo hppa1.1-unknown-linux-"$LIBC" ;;
+	  PA8*) echo hppa2.0-unknown-linux-"$LIBC" ;;
+	  *)    echo hppa-unknown-linux-"$LIBC" ;;
 	esac
 	exit ;;
     ppc64:Linux:*:*)
-	echo powerpc64-unknown-linux-${LIBC}
+	echo powerpc64-unknown-linux-"$LIBC"
 	exit ;;
     ppc:Linux:*:*)
-	echo powerpc-unknown-linux-${LIBC}
+	echo powerpc-unknown-linux-"$LIBC"
 	exit ;;
     ppc64le:Linux:*:*)
-	echo powerpc64le-unknown-linux-${LIBC}
+	echo powerpc64le-unknown-linux-"$LIBC"
 	exit ;;
     ppcle:Linux:*:*)
-	echo powerpcle-unknown-linux-${LIBC}
+	echo powerpcle-unknown-linux-"$LIBC"
+	exit ;;
+    riscv32:Linux:*:* | riscv64:Linux:*:*)
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	exit ;;
     s390:Linux:*:* | s390x:Linux:*:*)
-	echo ${UNAME_MACHINE}-ibm-linux-${LIBC}
+	echo "$UNAME_MACHINE"-ibm-linux-"$LIBC"
 	exit ;;
     sh64*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	exit ;;
     sh*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	exit ;;
     sparc:Linux:*:* | sparc64:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	exit ;;
     tile*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	exit ;;
     vax:Linux:*:*)
-	echo ${UNAME_MACHINE}-dec-linux-${LIBC}
+	echo "$UNAME_MACHINE"-dec-linux-"$LIBC"
 	exit ;;
     x86_64:Linux:*:*)
-	echo ${UNAME_MACHINE}-pc-linux-${LIBC}
+	if objdump -f /bin/sh | grep -q elf32-x86-64; then
+	    echo "$UNAME_MACHINE"-pc-linux-"$LIBC"x32
+	else
+	    echo "$UNAME_MACHINE"-pc-linux-"$LIBC"
+	fi
 	exit ;;
     xtensa*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+	echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
 	exit ;;
     i*86:DYNIX/ptx:4*:*)
 	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
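Review bot: The new x32 probe in the `x86_64:Linux` arm runs `objdump -f /bin/sh` without discarding stderr, unlike the compiler probes in this file that use `2>/dev/null`. On a host where `objdump` is not installed, the shell's "not found" message therefore reaches the caller's stderr. The arm then falls through to the plain `-pc-linux-"$LIBC"` triplet, which is a reasonable default, so only the diagnostic noise needs fixing: `if objdump -f /bin/sh 2>/dev/null | grep -q elf32-x86-64; then`. The result also assumes `/bin/sh` has the same ABI as the userland being built for, which deserves a one-line comment above the test.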
@@ -1065,34 +1067,34 @@ EOF
 	# I am not positive that other SVR4 systems won't match this,
 	# I just have to hope.  -- rms.
 	# Use sysv4.2uw... so that sysv4* matches it.
-	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
+	echo "$UNAME_MACHINE"-pc-sysv4.2uw"$UNAME_VERSION"
 	exit ;;
     i*86:OS/2:*:*)
 	# If we were able to find `uname', then EMX Unix compatibility
 	# is probably installed.
-	echo ${UNAME_MACHINE}-pc-os2-emx
+	echo "$UNAME_MACHINE"-pc-os2-emx
 	exit ;;
     i*86:XTS-300:*:STOP)
-	echo ${UNAME_MACHINE}-unknown-stop
+	echo "$UNAME_MACHINE"-unknown-stop
 	exit ;;
     i*86:atheos:*:*)
-	echo ${UNAME_MACHINE}-unknown-atheos
+	echo "$UNAME_MACHINE"-unknown-atheos
 	exit ;;
     i*86:syllable:*:*)
-	echo ${UNAME_MACHINE}-pc-syllable
+	echo "$UNAME_MACHINE"-pc-syllable
 	exit ;;
     i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*)
-	echo i386-unknown-lynxos${UNAME_RELEASE}
+	echo i386-unknown-lynxos"$UNAME_RELEASE"
 	exit ;;
     i*86:*DOS:*:*)
-	echo ${UNAME_MACHINE}-pc-msdosdjgpp
+	echo "$UNAME_MACHINE"-pc-msdosdjgpp
 	exit ;;
-    i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
-	UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
+    i*86:*:4.*:*)
+	UNAME_REL=`echo "$UNAME_RELEASE" | sed 's/\/MP$//'`
 	if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
-		echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
+		echo "$UNAME_MACHINE"-univel-sysv"$UNAME_REL"
 	else
-		echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
+		echo "$UNAME_MACHINE"-pc-sysv"$UNAME_REL"
 	fi
 	exit ;;
     i*86:*:5:[678]*)
@@ -1102,12 +1104,12 @@ EOF
 	    *Pentium)	     UNAME_MACHINE=i586 ;;
 	    *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
 	esac
-	echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
+	echo "$UNAME_MACHINE-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}{$UNAME_VERSION}"
 	exit ;;
     i*86:*:3.2:*)
 	if test -f /usr/options/cb.name; then
 		UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
-		echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
+		echo "$UNAME_MACHINE"-pc-isc"$UNAME_REL"
 	elif /bin/uname -X 2>/dev/null >/dev/null ; then
 		UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
 		(/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
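Review bot: The rewritten echo in the `i*86:*:5:[678]*` arm ends in `{$UNAME_VERSION}` where the removed line had `${UNAME_VERSION}`, so the emitted triplet now carries literal `{` and `}` around the version. Anything that matches on this string (config.sub, configure's host checks) gets a name it may not recognise. The line should read `echo "$UNAME_MACHINE-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}"`. The arm's pattern line sits in the previous hunk's context, and if this file is imported verbatim from upstream, the fix is better taken from a newer upstream copy than patched locally.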
@@ -1117,9 +1119,9 @@ EOF
 			&& UNAME_MACHINE=i686
 		(/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
 			&& UNAME_MACHINE=i686
-		echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
+		echo "$UNAME_MACHINE"-pc-sco"$UNAME_REL"
 	else
-		echo ${UNAME_MACHINE}-pc-sysv32
+		echo "$UNAME_MACHINE"-pc-sysv32
 	fi
 	exit ;;
     pc:*:*:*)
@@ -1139,9 +1141,9 @@ EOF
 	exit ;;
     i860:*:4.*:*) # i860-SVR4
 	if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
-	  echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
+	  echo i860-stardent-sysv"$UNAME_RELEASE" # Stardent Vistra i860-SVR4
 	else # Add other i860-SVR4 vendors below as they are discovered.
-	  echo i860-unknown-sysv${UNAME_RELEASE}  # Unknown i860-SVR4
+	  echo i860-unknown-sysv"$UNAME_RELEASE"  # Unknown i860-SVR4
 	fi
 	exit ;;
     mini*:CTIX:SYS*5:*)
@@ -1161,9 +1163,9 @@ EOF
 	test -r /etc/.relid \
 	&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
 	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
-	  && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
+	  && { echo i486-ncr-sysv4.3"$OS_REL"; exit; }
 	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
-	  && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
+	  && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } ;;
     3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
 	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
 	  && { echo i486-ncr-sysv4; exit; } ;;
@@ -1172,28 +1174,28 @@ EOF
 	test -r /etc/.relid \
 	    && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
 	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
-	    && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
+	    && { echo i486-ncr-sysv4.3"$OS_REL"; exit; }
 	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
-	    && { echo i586-ncr-sysv4.3${OS_REL}; exit; }
+	    && { echo i586-ncr-sysv4.3"$OS_REL"; exit; }
 	/bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \
-	    && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
+	    && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } ;;
     m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
-	echo m68k-unknown-lynxos${UNAME_RELEASE}
+	echo m68k-unknown-lynxos"$UNAME_RELEASE"
 	exit ;;
     mc68030:UNIX_System_V:4.*:*)
 	echo m68k-atari-sysv4
 	exit ;;
     TSUNAMI:LynxOS:2.*:*)
-	echo sparc-unknown-lynxos${UNAME_RELEASE}
+	echo sparc-unknown-lynxos"$UNAME_RELEASE"
 	exit ;;
     rs6000:LynxOS:2.*:*)
-	echo rs6000-unknown-lynxos${UNAME_RELEASE}
+	echo rs6000-unknown-lynxos"$UNAME_RELEASE"
 	exit ;;
     PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*)
-	echo powerpc-unknown-lynxos${UNAME_RELEASE}
+	echo powerpc-unknown-lynxos"$UNAME_RELEASE"
 	exit ;;
     SM[BE]S:UNIX_SV:*:*)
-	echo mips-dde-sysv${UNAME_RELEASE}
+	echo mips-dde-sysv"$UNAME_RELEASE"
 	exit ;;
     RM*:ReliantUNIX-*:*:*)
 	echo mips-sni-sysv4
@@ -1204,7 +1206,7 @@ EOF
     *:SINIX-*:*:*)
 	if uname -p 2>/dev/null >/dev/null ; then
 		UNAME_MACHINE=`(uname -p) 2>/dev/null`
-		echo ${UNAME_MACHINE}-sni-sysv4
+		echo "$UNAME_MACHINE"-sni-sysv4
 	else
 		echo ns32k-sni-sysv
 	fi
@@ -1224,23 +1226,23 @@ EOF
 	exit ;;
     i*86:VOS:*:*)
 	# From Paul.Green@stratus.com.
-	echo ${UNAME_MACHINE}-stratus-vos
+	echo "$UNAME_MACHINE"-stratus-vos
 	exit ;;
     *:VOS:*:*)
 	# From Paul.Green@stratus.com.
 	echo hppa1.1-stratus-vos
 	exit ;;
     mc68*:A/UX:*:*)
-	echo m68k-apple-aux${UNAME_RELEASE}
+	echo m68k-apple-aux"$UNAME_RELEASE"
 	exit ;;
     news*:NEWS-OS:6*:*)
 	echo mips-sony-newsos6
 	exit ;;
     R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
 	if [ -d /usr/nec ]; then
-		echo mips-nec-sysv${UNAME_RELEASE}
+		echo mips-nec-sysv"$UNAME_RELEASE"
 	else
-		echo mips-unknown-sysv${UNAME_RELEASE}
+		echo mips-unknown-sysv"$UNAME_RELEASE"
 	fi
 	exit ;;
     BeBox:BeOS:*:*)	# BeOS running on hardware made by Be, PPC only.
@@ -1259,49 +1261,56 @@ EOF
 	echo x86_64-unknown-haiku
 	exit ;;
     SX-4:SUPER-UX:*:*)
-	echo sx4-nec-superux${UNAME_RELEASE}
+	echo sx4-nec-superux"$UNAME_RELEASE"
 	exit ;;
     SX-5:SUPER-UX:*:*)
-	echo sx5-nec-superux${UNAME_RELEASE}
+	echo sx5-nec-superux"$UNAME_RELEASE"
 	exit ;;
     SX-6:SUPER-UX:*:*)
-	echo sx6-nec-superux${UNAME_RELEASE}
+	echo sx6-nec-superux"$UNAME_RELEASE"
 	exit ;;
     SX-7:SUPER-UX:*:*)
-	echo sx7-nec-superux${UNAME_RELEASE}
+	echo sx7-nec-superux"$UNAME_RELEASE"
 	exit ;;
     SX-8:SUPER-UX:*:*)
-	echo sx8-nec-superux${UNAME_RELEASE}
+	echo sx8-nec-superux"$UNAME_RELEASE"
 	exit ;;
     SX-8R:SUPER-UX:*:*)
-	echo sx8r-nec-superux${UNAME_RELEASE}
+	echo sx8r-nec-superux"$UNAME_RELEASE"
 	exit ;;
     SX-ACE:SUPER-UX:*:*)
-	echo sxace-nec-superux${UNAME_RELEASE}
+	echo sxace-nec-superux"$UNAME_RELEASE"
 	exit ;;
     Power*:Rhapsody:*:*)
-	echo powerpc-apple-rhapsody${UNAME_RELEASE}
+	echo powerpc-apple-rhapsody"$UNAME_RELEASE"
 	exit ;;
     *:Rhapsody:*:*)
-	echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
+	echo "$UNAME_MACHINE"-apple-rhapsody"$UNAME_RELEASE"
 	exit ;;
     *:Darwin:*:*)
 	UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
-	eval $set_cc_for_build
+	eval "$set_cc_for_build"
 	if test "$UNAME_PROCESSOR" = unknown ; then
 	    UNAME_PROCESSOR=powerpc
 	fi
-	if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
+	if test "`echo "$UNAME_RELEASE" | sed -e 's/\..*//'`" -le 10 ; then
 	    if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
 		if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
-		    (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
-		    grep IS_64BIT_ARCH >/dev/null
+		       (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
+		       grep IS_64BIT_ARCH >/dev/null
 		then
 		    case $UNAME_PROCESSOR in
 			i386) UNAME_PROCESSOR=x86_64 ;;
 			powerpc) UNAME_PROCESSOR=powerpc64 ;;
 		    esac
 		fi
+		# On 10.4-10.6 one might compile for PowerPC via gcc -arch ppc
+		if (echo '#ifdef __POWERPC__'; echo IS_PPC; echo '#endif') | \
+		       (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
+		       grep IS_PPC >/dev/null
+		then
+		    UNAME_PROCESSOR=powerpc
+		fi
 	    fi
 	elif test "$UNAME_PROCESSOR" = i386 ; then
 	    # Avoid executing cc on OS X 10.9, as it ships with a stub
@@ -1312,7 +1321,7 @@ EOF
 	    # that Apple uses in portable devices.
 	    UNAME_PROCESSOR=x86_64
 	fi
-	echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
+	echo "$UNAME_PROCESSOR"-apple-darwin"$UNAME_RELEASE"
 	exit ;;
     *:procnto*:*:* | *:QNX:[0123456789]*:*)
 	UNAME_PROCESSOR=`uname -p`
@@ -1320,19 +1329,25 @@ EOF
 		UNAME_PROCESSOR=i386
 		UNAME_MACHINE=pc
 	fi
-	echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
+	echo "$UNAME_PROCESSOR"-"$UNAME_MACHINE"-nto-qnx"$UNAME_RELEASE"
 	exit ;;
     *:QNX:*:4*)
 	echo i386-pc-qnx
 	exit ;;
-    NEO-?:NONSTOP_KERNEL:*:*)
-	echo neo-tandem-nsk${UNAME_RELEASE}
+    NEO-*:NONSTOP_KERNEL:*:*)
+	echo neo-tandem-nsk"$UNAME_RELEASE"
 	exit ;;
     NSE-*:NONSTOP_KERNEL:*:*)
-	echo nse-tandem-nsk${UNAME_RELEASE}
+	echo nse-tandem-nsk"$UNAME_RELEASE"
+	exit ;;
+    NSR-*:NONSTOP_KERNEL:*:*)
+	echo nsr-tandem-nsk"$UNAME_RELEASE"
 	exit ;;
-    NSR-?:NONSTOP_KERNEL:*:*)
-	echo nsr-tandem-nsk${UNAME_RELEASE}
+    NSV-*:NONSTOP_KERNEL:*:*)
+	echo nsv-tandem-nsk"$UNAME_RELEASE"
+	exit ;;
+    NSX-*:NONSTOP_KERNEL:*:*)
+	echo nsx-tandem-nsk"$UNAME_RELEASE"
 	exit ;;
     *:NonStop-UX:*:*)
 	echo mips-compaq-nonstopux
@@ -1341,7 +1356,7 @@ EOF
 	echo bs2000-siemens-sysv
 	exit ;;
     DS/*:UNIX_System_V:*:*)
-	echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
+	echo "$UNAME_MACHINE"-"$UNAME_SYSTEM"-"$UNAME_RELEASE"
 	exit ;;
     *:Plan9:*:*)
 	# "uname -m" is not consistent, so use $cputype instead. 386
@@ -1352,7 +1367,7 @@ EOF
 	else
 	    UNAME_MACHINE="$cputype"
 	fi
-	echo ${UNAME_MACHINE}-unknown-plan9
+	echo "$UNAME_MACHINE"-unknown-plan9
 	exit ;;
     *:TOPS-10:*:*)
 	echo pdp10-unknown-tops10
@@ -1373,14 +1388,14 @@ EOF
 	echo pdp10-unknown-its
 	exit ;;
     SEI:*:*:SEIUX)
-	echo mips-sei-seiux${UNAME_RELEASE}
+	echo mips-sei-seiux"$UNAME_RELEASE"
 	exit ;;
     *:DragonFly:*:*)
-	echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+	echo "$UNAME_MACHINE"-unknown-dragonfly"`echo "$UNAME_RELEASE"|sed -e 's/[-(].*//'`"
 	exit ;;
     *:*VMS:*:*)
 	UNAME_MACHINE=`(uname -p) 2>/dev/null`
-	case "${UNAME_MACHINE}" in
+	case "$UNAME_MACHINE" in
 	    A*) echo alpha-dec-vms ; exit ;;
 	    I*) echo ia64-dec-vms ; exit ;;
 	    V*) echo vax-dec-vms ; exit ;;
@@ -1389,37 +1404,48 @@ EOF
 	echo i386-pc-xenix
 	exit ;;
     i*86:skyos:*:*)
-	echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'`
+	echo "$UNAME_MACHINE"-pc-skyos"`echo "$UNAME_RELEASE" | sed -e 's/ .*$//'`"
 	exit ;;
     i*86:rdos:*:*)
-	echo ${UNAME_MACHINE}-pc-rdos
+	echo "$UNAME_MACHINE"-pc-rdos
 	exit ;;
     i*86:AROS:*:*)
-	echo ${UNAME_MACHINE}-pc-aros
+	echo "$UNAME_MACHINE"-pc-aros
 	exit ;;
     x86_64:VMkernel:*:*)
-	echo ${UNAME_MACHINE}-unknown-esx
+	echo "$UNAME_MACHINE"-unknown-esx
 	exit ;;
     amd64:Isilon\ OneFS:*:*)
 	echo x86_64-unknown-onefs
 	exit ;;
 esac
 
+echo "$0: unable to guess system type" >&2
+
+case "$UNAME_MACHINE:$UNAME_SYSTEM" in
+    mips:Linux | mips64:Linux)
+	# If we got here on MIPS GNU/Linux, output extra information.
+	cat >&2 <<EOF
+
+NOTE: MIPS GNU/Linux systems require a C compiler to fully recognize
+the system type. Please install a C compiler and try again.
+EOF
+	;;
+esac
+
 cat >&2 <<EOF
-$0: unable to guess system type
 
-This script, last modified $timestamp, has failed to recognize
-the operating system you are using. It is advised that you
-download the most up to date version of the config scripts from
+This script (version $timestamp), has failed to recognize the
+operating system you are using. If your script is old, overwrite *all*
+copies of config.guess and config.sub with the latest versions from:
 
-  http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
+  https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
 and
-  http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
+  https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
 
-If the version you run ($0) is already up to date, please
-send the following data and any information you think might be
-pertinent to <config-patches@gnu.org> in order to provide the needed
-information to handle your system.
+If $0 has already been updated, send the following data and any
+information you think might be pertinent to config-patches@gnu.org to
+provide the necessary information to handle your system.
 
 config.guess timestamp = $timestamp
 
@@ -1438,16 +1464,16 @@ hostinfo               = `(hostinfo) 2>/
 /usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null`
 /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
 
-UNAME_MACHINE = ${UNAME_MACHINE}
-UNAME_RELEASE = ${UNAME_RELEASE}
-UNAME_SYSTEM  = ${UNAME_SYSTEM}
-UNAME_VERSION = ${UNAME_VERSION}
+UNAME_MACHINE = "$UNAME_MACHINE"
+UNAME_RELEASE = "$UNAME_RELEASE"
+UNAME_SYSTEM  = "$UNAME_SYSTEM"
+UNAME_VERSION = "$UNAME_VERSION"
 EOF
 
 exit 1
 
 # Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
+# eval: (add-hook 'write-file-functions 'time-stamp)
 # time-stamp-start: "timestamp='"
 # time-stamp-format: "%:y-%02m-%02d"
 # time-stamp-end: "'"
diff -pruN 0.8.2-3/config/config.sub 0.9.0-1/config/config.sub
--- 0.8.2-3/config/config.sub	2017-01-08 14:08:05.000000000 +0000
+++ 0.9.0-1/config/config.sub	2019-01-23 20:15:47.000000000 +0000
@@ -1,8 +1,8 @@
 #! /bin/sh
 # Configuration validation subroutine script.
-#   Copyright 1992-2016 Free Software Foundation, Inc.
+#   Copyright 1992-2018 Free Software Foundation, Inc.
 
-timestamp='2016-03-30'
+timestamp='2018-02-22'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -15,7 +15,7 @@ timestamp='2016-03-30'
 # General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, see <http://www.gnu.org/licenses/>.
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
 #
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -33,7 +33,7 @@ timestamp='2016-03-30'
 # Otherwise, we print the canonical config type on stdout and succeed.
 
 # You can get the latest version of this script from:
-# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
+# https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
 
 # This file is supposed to be the same for all GNU packages
 # and recognize all the CPU types, system types and aliases
@@ -57,7 +57,7 @@ Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIA
 
 Canonicalize a configuration name.
 
-Operation modes:
+Options:
   -h, --help         print this help, then exit
   -t, --time-stamp   print date of last modification, then exit
   -v, --version      print version number, then exit
@@ -67,7 +67,7 @@ Report bugs and patches to <config-patch
 version="\
 GNU config.sub ($timestamp)
 
-Copyright 1992-2016 Free Software Foundation, Inc.
+Copyright 1992-2018 Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -94,7 +94,7 @@ while test $# -gt 0 ; do
 
     *local*)
        # First pass through any local machine types.
-       echo $1
+       echo "$1"
        exit ;;
 
     * )
@@ -112,24 +112,24 @@ esac
 
 # Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
 # Here we must recognize all the valid KERNEL-OS combinations.
-maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+maybe_os=`echo "$1" | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
 case $maybe_os in
   nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
   linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
   knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \
-  kopensolaris*-gnu* | \
+  kopensolaris*-gnu* | cloudabi*-eabi* | \
   storm-chaos* | os2-emx* | rtmk-nova*)
     os=-$maybe_os
-    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
+    basic_machine=`echo "$1" | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
     ;;
   android-linux)
     os=-linux-android
-    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
+    basic_machine=`echo "$1" | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
     ;;
   *)
-    basic_machine=`echo $1 | sed 's/-[^-]*$//'`
-    if [ $basic_machine != $1 ]
-    then os=`echo $1 | sed 's/.*-/-/'`
+    basic_machine=`echo "$1" | sed 's/-[^-]*$//'`
+    if [ "$basic_machine" != "$1" ]
+    then os=`echo "$1" | sed 's/.*-/-/'`
     else os=; fi
     ;;
 esac
@@ -178,44 +178,44 @@ case $os in
 		;;
 	-sco6)
 		os=-sco5v6
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-sco5)
 		os=-sco3.2v5
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-sco4)
 		os=-sco3.2v4
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-sco3.2.[4-9]*)
 		os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-sco3.2v[4-9]*)
 		# Don't forget version if it is 3.2v4 or newer.
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-sco5v6*)
 		# Don't forget version if it is 3.2v4 or newer.
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-sco*)
 		os=-sco3.2v2
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-udk*)
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-isc)
 		os=-isc2.2
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-clix*)
 		basic_machine=clipper-intergraph
 		;;
 	-isc*)
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'`
 		;;
 	-lynx*178)
 		os=-lynxos178
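Review bot: The `-sco3.2.[4-9]*)` arm still expands `$os` unquoted in `echo $os | sed -e 's/sco3.2./sco3.2v/'`, while the neighbouring lines in this hunk now quote `"$1"`. `$os` is cut from the configuration name passed by the caller, so the unquoted form is still open to word splitting and pathname expansion against the current directory. I would write the pipeline as `echo "$os" | sed -e 's/sco3.2./sco3.2v/'`. The same unquoted `echo $os | sed` is left in later hunks of this file: the `-gnu/linux*` and `-nto*` arms, the `s|linux|linux-gnu|` substitution, and the final `*)` arm that strips the leading dash. The enclosing `case $os in` starts and ends outside this hunk.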
@@ -227,10 +227,7 @@ case $os in
 		os=-lynxos
 		;;
 	-ptx*)
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
-		;;
-	-windowsnt*)
-		os=`echo $os | sed -e 's/windowsnt/winnt/'`
+		basic_machine=`echo "$1" | sed -e 's/86-.*/86-sequent/'`
 		;;
 	-psos*)
 		os=-psos
@@ -263,7 +260,7 @@ case $basic_machine in
 	| fido | fr30 | frv | ft32 \
 	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
 	| hexagon \
-	| i370 | i860 | i960 | ia64 \
+	| i370 | i860 | i960 | ia16 | ia64 \
 	| ip2k | iq2000 \
 	| k1om \
 	| le32 | le64 \
@@ -299,8 +296,9 @@ case $basic_machine in
 	| nios | nios2 | nios2eb | nios2el \
 	| ns16k | ns32k \
 	| open8 | or1k | or1knd | or32 \
-	| pdp10 | pdp11 | pj | pjl \
+	| pdp10 | pj | pjl \
 	| powerpc | powerpc64 | powerpc64le | powerpcle \
+	| pru \
 	| pyramid \
 	| riscv32 | riscv64 \
 	| rl78 | rx \
@@ -314,7 +312,7 @@ case $basic_machine in
 	| ubicom32 \
 	| v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \
 	| visium \
-	| we32k \
+	| wasm32 \
 	| x86 | xc16x | xstormy16 | xtensa \
 	| z8k | z80)
 		basic_machine=$basic_machine-unknown
@@ -335,7 +333,7 @@ case $basic_machine in
 		basic_machine=$basic_machine-unknown
 		os=-none
 		;;
-	m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
+	m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65)
 		;;
 	ms1)
 		basic_machine=mt-unknown
@@ -364,7 +362,7 @@ case $basic_machine in
 	  ;;
 	# Object if more than one company name word.
 	*-*-*)
-		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		echo Invalid configuration \`"$1"\': machine \`"$basic_machine"\' not recognized 1>&2
 		exit 1
 		;;
 	# Recognize the basic CPU types with company name.
@@ -387,7 +385,7 @@ case $basic_machine in
 	| h8300-* | h8500-* \
 	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
 	| hexagon-* \
-	| i*86-* | i860-* | i960-* | ia64-* \
+	| i*86-* | i860-* | i960-* | ia16-* | ia64-* \
 	| ip2k-* | iq2000-* \
 	| k1om-* \
 	| le32-* | le64-* \
@@ -428,6 +426,7 @@ case $basic_machine in
 	| orion-* \
 	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
 	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
+	| pru-* \
 	| pyramid-* \
 	| riscv32-* | riscv64-* \
 	| rl78-* | romp-* | rs6000-* | rx-* \
@@ -444,6 +443,7 @@ case $basic_machine in
 	| v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \
 	| vax-* \
 	| visium-* \
+	| wasm32-* \
 	| we32k-* \
 	| x86-* | x86_64-* | xc16x-* | xps100-* \
 	| xstormy16-* | xtensa*-* \
@@ -457,7 +457,7 @@ case $basic_machine in
 	# Recognize the various machine names and aliases which stand
 	# for a CPU type and a company and sometimes even an OS.
 	386bsd)
-		basic_machine=i386-unknown
+		basic_machine=i386-pc
 		os=-bsd
 		;;
 	3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
@@ -491,7 +491,7 @@ case $basic_machine in
 		basic_machine=x86_64-pc
 		;;
 	amd64-*)
-		basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=x86_64-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	amdahl)
 		basic_machine=580-amdahl
@@ -536,7 +536,7 @@ case $basic_machine in
 		os=-linux
 		;;
 	blackfin-*)
-		basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=bfin-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		os=-linux
 		;;
 	bluegene*)
@@ -544,13 +544,13 @@ case $basic_machine in
 		os=-cnk
 		;;
 	c54x-*)
-		basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=tic54x-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	c55x-*)
-		basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=tic55x-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	c6x-*)
-		basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=tic6x-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	c90)
 		basic_machine=c90-cray
@@ -639,10 +639,18 @@ case $basic_machine in
 		basic_machine=rs6000-bull
 		os=-bosx
 		;;
-	dpx2* | dpx2*-bull)
+	dpx2*)
 		basic_machine=m68k-bull
 		os=-sysv3
 		;;
+	e500v[12])
+		basic_machine=powerpc-unknown
+		os=$os"spe"
+		;;
+	e500v[12]-*)
+		basic_machine=powerpc-`echo "$basic_machine" | sed 's/^[^-]*-//'`
+		os=$os"spe"
+		;;
 	ebmon29k)
 		basic_machine=a29k-amd
 		os=-ebmon
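Review bot: Both new `e500v[12]` arms build the OS with `os=$os"spe"`, which gives a bare `spe` with no leading `-` when the caller supplied no OS part. The alternatives of the later `case $os in` block that are visible in this diff all start with `-`, so that value would presumably fall through to the "system not recognized" error instead of getting a default OS. If a bare `e500v2` alias is meant to be accepted, guard the append with `test -z "$os" || os=$os"spe"`. If it is not, a comment such as `# needs an explicit OS; "spe" is appended to it` would record the intent. The enclosing `case $basic_machine in` starts and ends outside this hunk.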
@@ -732,9 +740,6 @@ case $basic_machine in
 	hp9k8[0-9][0-9] | hp8[0-9][0-9])
 		basic_machine=hppa1.0-hp
 		;;
-	hppa-next)
-		os=-nextstep3
-		;;
 	hppaosf)
 		basic_machine=hppa1.1-hp
 		os=-osf
@@ -747,26 +752,26 @@ case $basic_machine in
 		basic_machine=i370-ibm
 		;;
 	i*86v32)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86.*/86-pc/'`
 		os=-sysv32
 		;;
 	i*86v4*)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86.*/86-pc/'`
 		os=-sysv4
 		;;
 	i*86v)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86.*/86-pc/'`
 		os=-sysv
 		;;
 	i*86sol2)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		basic_machine=`echo "$1" | sed -e 's/86.*/86-pc/'`
 		os=-solaris2
 		;;
 	i386mach)
 		basic_machine=i386-mach
 		os=-mach
 		;;
-	i386-vsta | vsta)
+	vsta)
 		basic_machine=i386-unknown
 		os=-vsta
 		;;
@@ -785,19 +790,16 @@ case $basic_machine in
 		os=-sysv
 		;;
 	leon-*|leon[3-9]-*)
-		basic_machine=sparc-`echo $basic_machine | sed 's/-.*//'`
+		basic_machine=sparc-`echo "$basic_machine" | sed 's/-.*//'`
 		;;
 	m68knommu)
 		basic_machine=m68k-unknown
 		os=-linux
 		;;
 	m68knommu-*)
-		basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=m68k-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		os=-linux
 		;;
-	m88k-omron*)
-		basic_machine=m88k-omron
-		;;
 	magnum | m3230)
 		basic_machine=mips-mips
 		os=-sysv
@@ -829,10 +831,10 @@ case $basic_machine in
 		os=-mint
 		;;
 	mips3*-*)
-		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
+		basic_machine=`echo "$basic_machine" | sed -e 's/mips3/mips64/'`
 		;;
 	mips3*)
-		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
+		basic_machine=`echo "$basic_machine" | sed -e 's/mips3/mips64/'`-unknown
 		;;
 	monitor)
 		basic_machine=m68k-rom68k
@@ -851,7 +853,7 @@ case $basic_machine in
 		os=-msdos
 		;;
 	ms1-*)
-		basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
+		basic_machine=`echo "$basic_machine" | sed -e 's/ms1-/mt-/'`
 		;;
 	msys)
 		basic_machine=i686-pc
@@ -893,7 +895,7 @@ case $basic_machine in
 		basic_machine=v70-nec
 		os=-sysv
 		;;
-	next | m*-next )
+	next | m*-next)
 		basic_machine=m68k-next
 		case $os in
 		    -nextstep* )
@@ -938,6 +940,12 @@ case $basic_machine in
 	nsr-tandem)
 		basic_machine=nsr-tandem
 		;;
+	nsv-tandem)
+		basic_machine=nsv-tandem
+		;;
+	nsx-tandem)
+		basic_machine=nsx-tandem
+		;;
 	op50n-* | op60c-*)
 		basic_machine=hppa1.1-oki
 		os=-proelf
@@ -970,7 +978,7 @@ case $basic_machine in
 		os=-linux
 		;;
 	parisc-*)
-		basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=hppa-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		os=-linux
 		;;
 	pbd)
@@ -986,7 +994,7 @@ case $basic_machine in
 		basic_machine=i386-pc
 		;;
 	pc98-*)
-		basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=i386-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	pentium | p5 | k5 | k6 | nexgen | viac3)
 		basic_machine=i586-pc
@@ -1001,16 +1009,16 @@ case $basic_machine in
 		basic_machine=i786-pc
 		;;
 	pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
-		basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=i586-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	pentiumpro-* | p6-* | 6x86-* | athlon-*)
-		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=i686-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*)
-		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=i686-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	pentium4-*)
-		basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=i786-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	pn)
 		basic_machine=pn-gould
@@ -1020,23 +1028,23 @@ case $basic_machine in
 	ppc | ppcbe)	basic_machine=powerpc-unknown
 		;;
 	ppc-* | ppcbe-*)
-		basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=powerpc-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
-	ppcle | powerpclittle | ppc-le | powerpc-little)
+	ppcle | powerpclittle)
 		basic_machine=powerpcle-unknown
 		;;
 	ppcle-* | powerpclittle-*)
-		basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=powerpcle-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	ppc64)	basic_machine=powerpc64-unknown
 		;;
-	ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
+	ppc64-*) basic_machine=powerpc64-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
-	ppc64le | powerpc64little | ppc64-le | powerpc64-little)
+	ppc64le | powerpc64little)
 		basic_machine=powerpc64le-unknown
 		;;
 	ppc64le-* | powerpc64little-*)
-		basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=powerpc64le-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	ps2)
 		basic_machine=i386-ibm
@@ -1090,17 +1098,10 @@ case $basic_machine in
 	sequent)
 		basic_machine=i386-sequent
 		;;
-	sh)
-		basic_machine=sh-hitachi
-		os=-hms
-		;;
 	sh5el)
 		basic_machine=sh5le-unknown
 		;;
-	sh64)
-		basic_machine=sh64-unknown
-		;;
-	sparclite-wrs | simso-wrs)
+	simso-wrs)
 		basic_machine=sparclite-wrs
 		os=-vxworks
 		;;
@@ -1119,7 +1120,7 @@ case $basic_machine in
 		os=-sysv4
 		;;
 	strongarm-* | thumb-*)
-		basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'`
+		basic_machine=arm-`echo "$basic_machine" | sed 's/^[^-]*-//'`
 		;;
 	sun2)
 		basic_machine=m68000-sun
@@ -1241,6 +1242,9 @@ case $basic_machine in
 		basic_machine=hppa1.1-winbond
 		os=-proelf
 		;;
+	x64)
+		basic_machine=x86_64-pc
+		;;
 	xbox)
 		basic_machine=i686-pc
 		os=-mingw32
@@ -1249,20 +1253,12 @@ case $basic_machine in
 		basic_machine=xps100-honeywell
 		;;
 	xscale-* | xscalee[bl]-*)
-		basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'`
+		basic_machine=`echo "$basic_machine" | sed 's/^xscale/arm/'`
 		;;
 	ymp)
 		basic_machine=ymp-cray
 		os=-unicos
 		;;
-	z8k-*-coff)
-		basic_machine=z8k-unknown
-		os=-sim
-		;;
-	z80-*-coff)
-		basic_machine=z80-unknown
-		os=-sim
-		;;
 	none)
 		basic_machine=none-none
 		os=-none
@@ -1291,10 +1287,6 @@ case $basic_machine in
 	vax)
 		basic_machine=vax-dec
 		;;
-	pdp10)
-		# there are many clones, so DEC is not a safe bet
-		basic_machine=pdp10-unknown
-		;;
 	pdp11)
 		basic_machine=pdp11-dec
 		;;
@@ -1304,9 +1296,6 @@ case $basic_machine in
 	sh[1234] | sh[24]a | sh[24]aeb | sh[34]eb | sh[1234]le | sh[23]ele)
 		basic_machine=sh-unknown
 		;;
-	sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v)
-		basic_machine=sparc-sun
-		;;
 	cydra)
 		basic_machine=cydra-cydrome
 		;;
@@ -1326,7 +1315,7 @@ case $basic_machine in
 		# Make sure to match an already-canonicalized machine name.
 		;;
 	*)
-		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		echo Invalid configuration \`"$1"\': machine \`"$basic_machine"\' not recognized 1>&2
 		exit 1
 		;;
 esac
@@ -1334,10 +1323,10 @@ esac
 # Here we canonicalize certain aliases for manufacturers.
 case $basic_machine in
 	*-digital*)
-		basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
+		basic_machine=`echo "$basic_machine" | sed 's/digital.*/dec/'`
 		;;
 	*-commodore*)
-		basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
+		basic_machine=`echo "$basic_machine" | sed 's/commodore.*/cbm/'`
 		;;
 	*)
 		;;
@@ -1348,8 +1337,8 @@ esac
 if [ x"$os" != x"" ]
 then
 case $os in
-	# First match some system type aliases
-	# that might get confused with valid system types.
+	# First match some system type aliases that might get confused
+	# with valid system types.
 	# -solaris* is a basic system type, with this one exception.
 	-auroraux)
 		os=-auroraux
@@ -1360,18 +1349,19 @@ case $os in
 	-solaris)
 		os=-solaris2
 		;;
-	-svr4*)
-		os=-sysv4
-		;;
 	-unixware*)
 		os=-sysv4.2uw
 		;;
 	-gnu/linux*)
 		os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
 		;;
-	# First accept the basic system types.
+	# es1800 is here to avoid being matched by es* (a different OS)
+	-es1800*)
+		os=-ose
+		;;
+	# Now accept the basic system types.
 	# The portable systems comes first.
-	# Each alternative MUST END IN A *, to match a version number.
+	# Each alternative MUST end in a * to match a version number.
 	# -sysv* is not here because it comes later, after sysvr4.
 	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
 	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
@@ -1381,25 +1371,26 @@ case $os in
 	      | -aos* | -aros* | -cloudabi* | -sortix* \
 	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
 	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
-	      | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
+	      | -hiux* | -knetbsd* | -mirbsd* | -netbsd* \
 	      | -bitrig* | -openbsd* | -solidbsd* | -libertybsd* \
 	      | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
 	      | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
 	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
 	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
-	      | -chorusos* | -chorusrdb* | -cegcc* \
+	      | -chorusos* | -chorusrdb* | -cegcc* | -glidix* \
 	      | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
-	      | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
+	      | -midipix* | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
 	      | -linux-newlib* | -linux-musl* | -linux-uclibc* \
 	      | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
-	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
+	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* \
 	      | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
 	      | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
 	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
-	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
+	      | -morphos* | -superux* | -rtmk* | -windiss* \
 	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
 	      | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \
-	      | -onefs* | -tirtos*)
+	      | -onefs* | -tirtos* | -phoenix* | -fuchsia* | -redox* | -bme* \
+	      | -midnightbsd*)
 	# Remember, each alternative MUST END IN *, to match a version number.
 		;;
 	-qnx*)
@@ -1416,12 +1407,12 @@ case $os in
 	-nto*)
 		os=`echo $os | sed -e 's|nto|nto-qnx|'`
 		;;
-	-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
-	      | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \
+	-sim | -xray | -os68k* | -v88r* \
+	      | -windows* | -osx | -abug | -netware* | -os9* \
 	      | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
 		;;
 	-mac*)
-		os=`echo $os | sed -e 's|mac|macos|'`
+		os=`echo "$os" | sed -e 's|mac|macos|'`
 		;;
 	-linux-dietlibc)
 		os=-linux-dietlibc
@@ -1430,10 +1421,10 @@ case $os in
 		os=`echo $os | sed -e 's|linux|linux-gnu|'`
 		;;
 	-sunos5*)
-		os=`echo $os | sed -e 's|sunos5|solaris2|'`
+		os=`echo "$os" | sed -e 's|sunos5|solaris2|'`
 		;;
 	-sunos6*)
-		os=`echo $os | sed -e 's|sunos6|solaris3|'`
+		os=`echo "$os" | sed -e 's|sunos6|solaris3|'`
 		;;
 	-opened*)
 		os=-openedition
@@ -1444,12 +1435,6 @@ case $os in
 	-wince*)
 		os=-wince
 		;;
-	-osfrose*)
-		os=-osfrose
-		;;
-	-osf*)
-		os=-osf
-		;;
 	-utek*)
 		os=-bsd
 		;;
@@ -1474,7 +1459,7 @@ case $os in
 	-nova*)
 		os=-rtmk-nova
 		;;
-	-ns2 )
+	-ns2)
 		os=-nextstep2
 		;;
 	-nsk*)
@@ -1496,7 +1481,7 @@ case $os in
 	-oss*)
 		os=-sysv3
 		;;
-	-svr4)
+	-svr4*)
 		os=-sysv4
 		;;
 	-svr3)
@@ -1511,24 +1496,28 @@ case $os in
 	-ose*)
 		os=-ose
 		;;
-	-es1800*)
-		os=-ose
-		;;
-	-xenix)
-		os=-xenix
-		;;
 	-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
 		os=-mint
 		;;
-	-aros*)
-		os=-aros
-		;;
 	-zvmoe)
 		os=-zvmoe
 		;;
 	-dicos*)
 		os=-dicos
 		;;
+	-pikeos*)
+		# Until real need of OS specific support for
+		# particular features comes up, bare metal
+		# configurations are quite functional.
+		case $basic_machine in
+		    arm*)
+			os=-eabi
+			;;
+		    *)
+			os=-elf
+			;;
+		esac
+		;;
 	-nacl*)
 		;;
 	-ios)
@@ -1538,7 +1527,7 @@ case $os in
 	*)
 		# Get rid of the `-' at the beginning of $os.
 		os=`echo $os | sed 's/[^-]*-//'`
-		echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
+		echo Invalid configuration \`"$1"\': system \`"$os"\' not recognized 1>&2
 		exit 1
 		;;
 esac
@@ -1628,12 +1617,12 @@ case $basic_machine in
 	sparc-* | *-sun)
 		os=-sunos4.1.1
 		;;
+	pru-*)
+		os=-elf
+		;;
 	*-be)
 		os=-beos
 		;;
-	*-haiku)
-		os=-haiku
-		;;
 	*-ibm)
 		os=-aix
 		;;
@@ -1673,7 +1662,7 @@ case $basic_machine in
 	m88k-omron*)
 		os=-luna
 		;;
-	*-next )
+	*-next)
 		os=-nextstep
 		;;
 	*-sequent)
@@ -1688,9 +1677,6 @@ case $basic_machine in
 	i370-*)
 		os=-mvs
 		;;
-	*-next)
-		os=-nextstep3
-		;;
 	*-gould)
 		os=-sysv
 		;;
@@ -1800,15 +1786,15 @@ case $basic_machine in
 				vendor=stratus
 				;;
 		esac
-		basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
+		basic_machine=`echo "$basic_machine" | sed "s/unknown/$vendor/"`
 		;;
 esac
 
-echo $basic_machine$os
+echo "$basic_machine$os"
 exit
 
 # Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
+# eval: (add-hook 'write-file-functions 'time-stamp)
 # time-stamp-start: "timestamp='"
 # time-stamp-format: "%:y-%02m-%02d"
 # time-stamp-end: "'"
diff -pruN 0.8.2-3/config/depcomp 0.9.0-1/config/depcomp
--- 0.8.2-3/config/depcomp	2017-01-08 14:08:06.000000000 +0000
+++ 0.9.0-1/config/depcomp	2019-01-23 20:15:48.000000000 +0000
@@ -1,9 +1,9 @@
 #! /bin/sh
 # depcomp - compile a program generating dependencies as side-effects
 
-scriptversion=2013-05-30.07; # UTC
+scriptversion=2018-03-07.03; # UTC
 
-# Copyright (C) 1999-2014 Free Software Foundation, Inc.
+# Copyright (C) 1999-2018 Free Software Foundation, Inc.
 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -16,7 +16,7 @@ scriptversion=2013-05-30.07; # UTC
 # GNU General Public License for more details.
 
 # You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -783,9 +783,9 @@ exit 0
 # Local Variables:
 # mode: shell-script
 # sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
+# eval: (add-hook 'before-save-hook 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC"
+# time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:
diff -pruN 0.8.2-3/config/install-sh 0.9.0-1/config/install-sh
--- 0.8.2-3/config/install-sh	2017-01-08 14:08:05.000000000 +0000
+++ 0.9.0-1/config/install-sh	2019-01-23 20:15:47.000000000 +0000
@@ -1,7 +1,7 @@
 #!/bin/sh
 # install - install a program, script, or datafile
 
-scriptversion=2014-09-12.12; # UTC
+scriptversion=2018-03-11.20; # UTC
 
 # This originates from X11R5 (mit/util/scripts/install.sh), which was
 # later released in X11R6 (xc/config/util/install.sh) with the
@@ -271,15 +271,18 @@ do
     fi
     dst=$dst_arg
 
-    # If destination is a directory, append the input filename; won't work
-    # if double slashes aren't ignored.
+    # If destination is a directory, append the input filename.
     if test -d "$dst"; then
       if test "$is_target_a_directory" = never; then
         echo "$0: $dst_arg: Is a directory" >&2
         exit 1
       fi
       dstdir=$dst
-      dst=$dstdir/`basename "$src"`
+      dstbase=`basename "$src"`
+      case $dst in
+	*/) dst=$dst$dstbase;;
+	*)  dst=$dst/$dstbase;;
+      esac
       dstdir_status=0
     else
       dstdir=`dirname "$dst"`
@@ -288,6 +291,11 @@ do
     fi
   fi
 
+  case $dstdir in
+    */) dstdirslash=$dstdir;;
+    *)  dstdirslash=$dstdir/;;
+  esac
+
   obsolete_mkdir_used=false
 
   if test $dstdir_status != 0; then
@@ -324,14 +332,16 @@ do
             # is incompatible with FreeBSD 'install' when (umask & 300) != 0.
             ;;
           *)
-            # $RANDOM is not portable (e.g. dash);  use it when possible to
-            # lower collision chance
+            # Note that $RANDOM variable is not portable (e.g. dash);  Use it
+            # here however when possible just to lower collision chance.
             tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
+
             trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0
 
-            # As "mkdir -p" follows symlinks and we work in /tmp possibly;  so
-            # create the $tmpdir first (and fail if unsuccessful) to make sure
-            # that nobody tries to guess the $tmpdir name.
+            # Because "mkdir -p" follows existing symlinks and we likely work
+            # directly in world-writeable /tmp, make sure that the '$tmpdir'
+            # directory is successfully created first before we actually test
+            # 'mkdir -p' feature.
             if (umask $mkdir_umask &&
                 $mkdirprog $mkdir_mode "$tmpdir" &&
                 exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
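Review bot: The reworded comment above the `mkdir` test no longer says why the plain `$mkdirprog $mkdir_mode "$tmpdir"` must run first. Without `-p` it fails when the name already exists, so a directory or symlink placed beforehand under a world-writable `${TMPDIR-/tmp}` is never reused. I would keep that reason in the comment, for example `# Plain mkdir fails if $tmpdir already exists, so a pre-created directory or symlink is never used.` The name `ins$RANDOM-$$` is predictable in shells where `$RANDOM` is unset, so the test relies on this check and not on the name. The enclosing `case` starts outside the hunk.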
@@ -434,8 +444,8 @@ do
   else
 
     # Make a couple of temp file names in the proper directory.
-    dsttmp=$dstdir/_inst.$$_
-    rmtmp=$dstdir/_rm.$$_
+    dsttmp=${dstdirslash}_inst.$$_
+    rmtmp=${dstdirslash}_rm.$$_
 
     # Trap to clean up those temp files at exit.
     trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
@@ -500,9 +510,9 @@ do
 done
 
 # Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
+# eval: (add-hook 'before-save-hook 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC"
+# time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:
diff -pruN 0.8.2-3/config/ltmain.sh 0.9.0-1/config/ltmain.sh
--- 0.8.2-3/config/ltmain.sh	2017-01-08 14:07:40.000000000 +0000
+++ 0.9.0-1/config/ltmain.sh	2019-01-23 20:15:43.000000000 +0000
@@ -31,7 +31,7 @@
 
 PROGRAM=libtool
 PACKAGE=libtool
-VERSION="2.4.6 Debian-2.4.6-1"
+VERSION="2.4.6 Debian-2.4.6-4"
 package_revision=2.4.6
 
 
@@ -64,7 +64,7 @@ package_revision=2.4.6
 # libraries, which are installed to $pkgauxdir.
 
 # Set a version string for this script.
-scriptversion=2015-01-20.17; # UTC
+scriptversion=2015-10-12.13; # UTC
 
 # General shell script boiler plate, and helper functions.
 # Written by Gary V. Vaughan, 2004
@@ -580,16 +580,16 @@ if test yes = "$_G_HAVE_PLUSEQ_OP"; then
   {
     $debug_cmd
 
-    func_quote_for_eval "$2"
-    eval "$1+=\\ \$func_quote_for_eval_result"
+    func_quote_arg pretty "$2"
+    eval "$1+=\\ \$func_quote_arg_result"
   }'
 else
   func_append_quoted ()
   {
     $debug_cmd
 
-    func_quote_for_eval "$2"
-    eval "$1=\$$1\\ \$func_quote_for_eval_result"
+    func_quote_arg pretty "$2"
+    eval "$1=\$$1\\ \$func_quote_arg_result"
   }
 fi
 
@@ -1091,85 +1091,181 @@ func_relative_path ()
 }
 
 
-# func_quote_for_eval ARG...
-# --------------------------
-# Aesthetically quote ARGs to be evaled later.
-# This function returns two values:
-#   i) func_quote_for_eval_result
-#      double-quoted, suitable for a subsequent eval
-#  ii) func_quote_for_eval_unquoted_result
-#      has all characters that are still active within double
-#      quotes backslashified.
-func_quote_for_eval ()
+# func_quote_portable EVAL ARG
+# ----------------------------
+# Internal function to portably implement func_quote_arg.  Note that we still
+# keep attention to performance here so we as much as possible try to avoid
+# calling sed binary (so far O(N) complexity as long as func_append is O(1)).
+func_quote_portable ()
 {
     $debug_cmd
 
-    func_quote_for_eval_unquoted_result=
-    func_quote_for_eval_result=
-    while test 0 -lt $#; do
-      case $1 in
-        *[\\\`\"\$]*)
-	  _G_unquoted_arg=`printf '%s\n' "$1" |$SED "$sed_quote_subst"` ;;
-        *)
-          _G_unquoted_arg=$1 ;;
-      esac
-      if test -n "$func_quote_for_eval_unquoted_result"; then
-	func_append func_quote_for_eval_unquoted_result " $_G_unquoted_arg"
-      else
-        func_append func_quote_for_eval_unquoted_result "$_G_unquoted_arg"
+    func_quote_portable_result=$2
+
+    # one-time-loop (easy break)
+    while true
+    do
+      if $1; then
+        func_quote_portable_result=`$ECHO "$2" | $SED \
+          -e "$sed_double_quote_subst" -e "$sed_double_backslash"`
+        break
       fi
 
-      case $_G_unquoted_arg in
-        # Double-quote args containing shell metacharacters to delay
-        # word splitting, command substitution and variable expansion
-        # for a subsequent eval.
-        # Many Bourne shells cannot handle close brackets correctly
-        # in scan sets, so we specify it separately.
-        *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-          _G_quoted_arg=\"$_G_unquoted_arg\"
+      # Quote for eval.
+      case $func_quote_portable_result in
+        *[\\\`\"\$]*)
+          case $func_quote_portable_result in
+            *[\[\*\?]*)
+              func_quote_portable_result=`$ECHO "$func_quote_portable_result" | $SED "$sed_quote_subst"`
+              break
+              ;;
+          esac
+
+          func_quote_portable_old_IFS=$IFS
+          for _G_char in '\' '`' '"' '$'
+          do
+            # STATE($1) PREV($2) SEPARATOR($3)
+            set start "" ""
+            func_quote_portable_result=dummy"$_G_char$func_quote_portable_result$_G_char"dummy
+            IFS=$_G_char
+            for _G_part in $func_quote_portable_result
+            do
+              case $1 in
+              quote)
+                func_append func_quote_portable_result "$3$2"
+                set quote "$_G_part" "\\$_G_char"
+                ;;
+              start)
+                set first "" ""
+                func_quote_portable_result=
+                ;;
+              first)
+                set quote "$_G_part" ""
+                ;;
+              esac
+            done
+          done
+          IFS=$func_quote_portable_old_IFS
           ;;
-        *)
-          _G_quoted_arg=$_G_unquoted_arg
-	  ;;
+        *) ;;
       esac
-
-      if test -n "$func_quote_for_eval_result"; then
-	func_append func_quote_for_eval_result " $_G_quoted_arg"
-      else
-        func_append func_quote_for_eval_result "$_G_quoted_arg"
-      fi
-      shift
+      break
     done
+
+    func_quote_portable_unquoted_result=$func_quote_portable_result
+    case $func_quote_portable_result in
+      # double-quote args containing shell metacharacters to delay
+      # word splitting, command substitution and variable expansion
+      # for a subsequent eval.
+      # many bourne shells cannot handle close brackets correctly
+      # in scan sets, so we specify it separately.
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+        func_quote_portable_result=\"$func_quote_portable_result\"
+        ;;
+    esac
 }
 
 
-# func_quote_for_expand ARG
-# -------------------------
-# Aesthetically quote ARG to be evaled later; same as above,
-# but do not quote variable references.
-func_quote_for_expand ()
-{
-    $debug_cmd
+# func_quotefast_eval ARG
+# -----------------------
+# Quote one ARG (internal).  This is equivalent to 'func_quote_arg eval ARG',
+# but optimized for speed.  Result is stored in $func_quotefast_eval.
+if test xyes = `(x=; printf -v x %q yes; echo x"$x") 2>/dev/null`; then
+  func_quotefast_eval ()
+  {
+    printf -v func_quotefast_eval_result %q "$1"
+  }
+else
+  func_quotefast_eval ()
+  {
+    func_quote_portable false "$1"
+    func_quotefast_eval_result=$func_quote_portable_result
+  }
+fi
 
-    case $1 in
-      *[\\\`\"]*)
-	_G_arg=`$ECHO "$1" | $SED \
-	    -e "$sed_double_quote_subst" -e "$sed_double_backslash"` ;;
-      *)
-        _G_arg=$1 ;;
+
+# func_quote_arg MODEs ARG
+# ------------------------
+# Quote one ARG to be evaled later.  MODEs argument may contain zero ore more
+# specifiers listed below separated by ',' character.  This function returns two
+# values:
+#   i) func_quote_arg_result
+#      double-quoted (when needed), suitable for a subsequent eval
+#  ii) func_quote_arg_unquoted_result
+#      has all characters that are still active within double
+#      quotes backslashified.  Available only if 'unquoted' is specified.
+#
+# Available modes:
+# ----------------
+# 'eval' (default)
+#       - escape shell special characters
+# 'expand'
+#       - the same as 'eval';  but do not quote variable references
+# 'pretty'
+#       - request aesthetic output, i.e. '"a b"' instead of 'a\ b'.  This might
+#         later used in func_quote to get output like: 'echo "a b"' instead of
+#         'echo a\ b'.  This is slower than default on some shells.
+# 'unquoted'
+#       - produce also $func_quote_arg_unquoted_result which does not contain
+#         wrapping double-quotes.
+#
+# Examples for 'func_quote_arg pretty,unquoted string':
+#
+#   string      | *_result              | *_unquoted_result
+#   ------------+-----------------------+-------------------
+#   "           | \"                    | \"
+#   a b         | "a b"                 | a b
+#   "a b"       | "\"a b\""             | \"a b\"
+#   *           | "*"                   | *
+#   z="${x-$y}" | "z=\"\${x-\$y}\""     | z=\"\${x-\$y}\"
+#
+# Examples for 'func_quote_arg pretty,unquoted,expand string':
+#
+#   string        |   *_result          |  *_unquoted_result
+#   --------------+---------------------+--------------------
+#   z="${x-$y}"   | "z=\"${x-$y}\""     | z=\"${x-$y}\"
+func_quote_arg ()
+{
+    _G_quote_expand=false
+    case ,$1, in
+      *,expand,*)
+        _G_quote_expand=:
+        ;;
     esac
 
-    case $_G_arg in
-      # Double-quote args containing shell metacharacters to delay
-      # word splitting and command substitution for a subsequent eval.
-      # Many Bourne shells cannot handle close brackets correctly
-      # in scan sets, so we specify it separately.
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-        _G_arg=\"$_G_arg\"
+    case ,$1, in
+      *,pretty,*|*,expand,*|*,unquoted,*)
+        func_quote_portable $_G_quote_expand "$2"
+        func_quote_arg_result=$func_quote_portable_result
+        func_quote_arg_unquoted_result=$func_quote_portable_unquoted_result
+        ;;
+      *)
+        # Faster quote-for-eval for some shells.
+        func_quotefast_eval "$2"
+        func_quote_arg_result=$func_quotefast_eval_result
         ;;
     esac
+}
+
 
-    func_quote_for_expand_result=$_G_arg
+# func_quote MODEs ARGs...
+# ------------------------
+# Quote all ARGs to be evaled later and join them into single command.  See
+# func_quote_arg's description for more info.
+func_quote ()
+{
+    $debug_cmd
+    _G_func_quote_mode=$1 ; shift
+    func_quote_result=
+    while test 0 -lt $#; do
+      func_quote_arg "$_G_func_quote_mode" "$1"
+      if test -n "$func_quote_result"; then
+        func_append func_quote_result " $func_quote_arg_result"
+      else
+        func_append func_quote_result "$func_quote_arg_result"
+      fi
+      shift
+    done
 }
 
 
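Review bot: `func_quotefast_eval` takes the `printf -v … %q` path whenever the running shell supports it, and `func_quote_arg` returns that result for the default `eval` mode, but the header never says the output is meant only for the shell that produced it. bash's `%q` can emit `$'…'` quoting for arguments containing control characters, which a plain POSIX `/bin/sh` does not read back the same way, so a default-mode result that ended up in a generated script or `.la` file could be re-read incorrectly. As far as this diff shows, text that is written out goes through `pretty`, which uses the portable path. I would make that a documented rule in the `func_quote_arg` header: `# NOTE: default 'eval' output may be shell-specific (printf %q); eval it only in the current shell and use 'pretty' for anything written to a file.` The same header also has a typo, "zero ore more".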
@@ -1215,8 +1311,8 @@ func_show_eval ()
     _G_cmd=$1
     _G_fail_exp=${2-':'}
 
-    func_quote_for_expand "$_G_cmd"
-    eval "func_notquiet $func_quote_for_expand_result"
+    func_quote_arg pretty,expand "$_G_cmd"
+    eval "func_notquiet $func_quote_arg_result"
 
     $opt_dry_run || {
       eval "$_G_cmd"
@@ -1241,8 +1337,8 @@ func_show_eval_locale ()
     _G_fail_exp=${2-':'}
 
     $opt_quiet || {
-      func_quote_for_expand "$_G_cmd"
-      eval "func_echo $func_quote_for_expand_result"
+      func_quote_arg expand,pretty "$_G_cmd"
+      eval "func_echo $func_quote_arg_result"
     }
 
     $opt_dry_run || {
@@ -1370,7 +1466,7 @@ func_lt_ver ()
 #! /bin/sh
 
 # Set a version string for this script.
-scriptversion=2014-01-07.03; # UTC
+scriptversion=2015-10-12.13; # UTC
 
 # A portable, pluggable option parser for Bourne shell.
 # Written by Gary V. Vaughan, 2010
@@ -1530,6 +1626,8 @@ func_run_hooks ()
 {
     $debug_cmd
 
+    _G_rc_run_hooks=false
+
     case " $hookable_fns " in
       *" $1 "*) ;;
       *) func_fatal_error "'$1' does not support hook funcions.n" ;;
@@ -1538,16 +1636,16 @@ func_run_hooks ()
     eval _G_hook_fns=\$$1_hooks; shift
 
     for _G_hook in $_G_hook_fns; do
-      eval $_G_hook '"$@"'
-
-      # store returned options list back into positional
-      # parameters for next 'cmd' execution.
-      eval _G_hook_result=\$${_G_hook}_result
-      eval set dummy "$_G_hook_result"; shift
+      if eval $_G_hook '"$@"'; then
+        # store returned options list back into positional
+        # parameters for next 'cmd' execution.
+        eval _G_hook_result=\$${_G_hook}_result
+        eval set dummy "$_G_hook_result"; shift
+        _G_rc_run_hooks=:
+      fi
     done
 
-    func_quote_for_eval ${1+"$@"}
-    func_run_hooks_result=$func_quote_for_eval_result
+    $_G_rc_run_hooks && func_run_hooks_result=$_G_hook_result
 }
 
 
@@ -1557,10 +1655,16 @@ func_run_hooks ()
 ## --------------- ##
 
 # In order to add your own option parsing hooks, you must accept the
-# full positional parameter list in your hook function, remove any
-# options that you action, and then pass back the remaining unprocessed
+# full positional parameter list in your hook function, you may remove/edit
+# any options that you action, and then pass back the remaining unprocessed
 # options in '<hooked_function_name>_result', escaped suitably for
-# 'eval'.  Like this:
+# 'eval'.  In this case you also must return $EXIT_SUCCESS to let the
+# hook's caller know that it should pay attention to
+# '<hooked_function_name>_result'.  Returning $EXIT_FAILURE signalizes that
+# arguments are left untouched by the hook and therefore caller will ignore the
+# result variable.
+#
+# Like this:
 #
 #    my_options_prep ()
 #    {
@@ -1570,9 +1674,11 @@ func_run_hooks ()
 #        usage_message=$usage_message'
 #      -s, --silent       don'\''t print informational messages
 #    '
-#
-#        func_quote_for_eval ${1+"$@"}
-#        my_options_prep_result=$func_quote_for_eval_result
+#        # No change in '$@' (ignored completely by this hook).  There is
+#        # no need to do the equivalent (but slower) action:
+#        # func_quote eval ${1+"$@"}
+#        # my_options_prep_result=$func_quote_result
+#        false
 #    }
 #    func_add_hook func_options_prep my_options_prep
 #
@@ -1581,25 +1687,37 @@ func_run_hooks ()
 #    {
 #        $debug_cmd
 #
+#        args_changed=false
+#
 #        # Note that for efficiency, we parse as many options as we can
 #        # recognise in a loop before passing the remainder back to the
 #        # caller on the first unrecognised argument we encounter.
 #        while test $# -gt 0; do
 #          opt=$1; shift
 #          case $opt in
-#            --silent|-s) opt_silent=: ;;
+#            --silent|-s) opt_silent=:
+#                         args_changed=:
+#                         ;;
 #            # Separate non-argument short options:
 #            -s*)         func_split_short_opt "$_G_opt"
 #                         set dummy "$func_split_short_opt_name" \
 #                             "-$func_split_short_opt_arg" ${1+"$@"}
 #                         shift
+#                         args_changed=:
 #                         ;;
-#            *)            set dummy "$_G_opt" "$*"; shift; break ;;
+#            *)           # Make sure the first unrecognised option "$_G_opt"
+#                         # is added back to "$@", we could need that later
+#                         # if $args_changed is true.
+#                         set dummy "$_G_opt" ${1+"$@"}; shift; break ;;
 #          esac
 #        done
 #
-#        func_quote_for_eval ${1+"$@"}
-#        my_silent_option_result=$func_quote_for_eval_result
+#        if $args_changed; then
+#          func_quote eval ${1+"$@"}
+#          my_silent_option_result=$func_quote_result
+#        fi
+#
+#        $args_changed
 #    }
 #    func_add_hook func_parse_options my_silent_option
 #
@@ -1611,16 +1729,32 @@ func_run_hooks ()
 #        $opt_silent && $opt_verbose && func_fatal_help "\
 #    '--silent' and '--verbose' options are mutually exclusive."
 #
-#        func_quote_for_eval ${1+"$@"}
-#        my_option_validation_result=$func_quote_for_eval_result
+#        false
 #    }
 #    func_add_hook func_validate_options my_option_validation
 #
-# You'll alse need to manually amend $usage_message to reflect the extra
+# You'll also need to manually amend $usage_message to reflect the extra
 # options you parse.  It's preferable to append if you can, so that
 # multiple option parsing hooks can be added safely.
 
 
+# func_options_finish [ARG]...
+# ----------------------------
+# Finishing the option parse loop (call 'func_options' hooks ATM).
+func_options_finish ()
+{
+    $debug_cmd
+
+    _G_func_options_finish_exit=false
+    if func_run_hooks func_options ${1+"$@"}; then
+      func_options_finish_result=$func_run_hooks_result
+      _G_func_options_finish_exit=:
+    fi
+
+    $_G_func_options_finish_exit
+}
+
+
 # func_options [ARG]...
 # ---------------------
 # All the functions called inside func_options are hookable. See the
@@ -1630,17 +1764,28 @@ func_options ()
 {
     $debug_cmd
 
-    func_options_prep ${1+"$@"}
-    eval func_parse_options \
-        ${func_options_prep_result+"$func_options_prep_result"}
-    eval func_validate_options \
-        ${func_parse_options_result+"$func_parse_options_result"}
+    _G_rc_options=false
 
-    eval func_run_hooks func_options \
-        ${func_validate_options_result+"$func_validate_options_result"}
+    for my_func in options_prep parse_options validate_options options_finish
+    do
+      if eval func_$my_func '${1+"$@"}'; then
+        eval _G_res_var='$'"func_${my_func}_result"
+        eval set dummy "$_G_res_var" ; shift
+        _G_rc_options=:
+      fi
+    done
+
+    # Save modified positional parameters for caller.  As a top-level
+    # options-parser function we always need to set the 'func_options_result'
+    # variable (regardless the $_G_rc_options value).
+    if $_G_rc_options; then
+      func_options_result=$_G_res_var
+    else
+      func_quote eval ${1+"$@"}
+      func_options_result=$func_quote_result
+    fi
 
-    # save modified positional parameters for caller
-    func_options_result=$func_run_hooks_result
+    $_G_rc_options
 }
 
 
@@ -1649,9 +1794,9 @@ func_options ()
 # All initialisations required before starting the option parse loop.
 # Note that when calling hook functions, we pass through the list of
 # positional parameters.  If a hook function modifies that list, and
-# needs to propogate that back to rest of this script, then the complete
+# needs to propagate that back to rest of this script, then the complete
 # modified list must be put in 'func_run_hooks_result' before
-# returning.
+# returning $EXIT_SUCCESS (otherwise $EXIT_FAILURE is returned).
 func_hookable func_options_prep
 func_options_prep ()
 {
@@ -1661,10 +1806,14 @@ func_options_prep ()
     opt_verbose=false
     opt_warning_types=
 
-    func_run_hooks func_options_prep ${1+"$@"}
+    _G_rc_options_prep=false
+    if func_run_hooks func_options_prep ${1+"$@"}; then
+      _G_rc_options_prep=:
+      # save modified positional parameters for caller
+      func_options_prep_result=$func_run_hooks_result
+    fi
 
-    # save modified positional parameters for caller
-    func_options_prep_result=$func_run_hooks_result
+    $_G_rc_options_prep
 }
 
 
@@ -1678,18 +1827,20 @@ func_parse_options ()
 
     func_parse_options_result=
 
+    _G_rc_parse_options=false
     # this just eases exit handling
     while test $# -gt 0; do
       # Defer to hook functions for initial option parsing, so they
       # get priority in the event of reusing an option name.
-      func_run_hooks func_parse_options ${1+"$@"}
-
-      # Adjust func_parse_options positional parameters to match
-      eval set dummy "$func_run_hooks_result"; shift
+      if func_run_hooks func_parse_options ${1+"$@"}; then
+        eval set dummy "$func_run_hooks_result"; shift
+        _G_rc_parse_options=:
+      fi
 
       # Break out of the loop if we already parsed every option.
       test $# -gt 0 || break
 
+      _G_match_parse_options=:
       _G_opt=$1
       shift
       case $_G_opt in
@@ -1704,7 +1855,10 @@ func_parse_options ()
 		      ;;
 
         --warnings|--warning|-W)
-                      test $# = 0 && func_missing_arg $_G_opt && break
+                      if test $# = 0 && func_missing_arg $_G_opt; then
+                        _G_rc_parse_options=:
+                        break
+                      fi
                       case " $warning_categories $1" in
                         *" $1 "*)
                           # trailing space prevents matching last $1 above
@@ -1757,15 +1911,25 @@ func_parse_options ()
                       shift
                       ;;
 
-        --)           break ;;
+        --)           _G_rc_parse_options=: ; break ;;
         -*)           func_fatal_help "unrecognised option: '$_G_opt'" ;;
-        *)            set dummy "$_G_opt" ${1+"$@"}; shift; break ;;
+        *)            set dummy "$_G_opt" ${1+"$@"}; shift
+                      _G_match_parse_options=false
+                      break
+                      ;;
       esac
+
+      $_G_match_parse_options && _G_rc_parse_options=:
     done
 
-    # save modified positional parameters for caller
-    func_quote_for_eval ${1+"$@"}
-    func_parse_options_result=$func_quote_for_eval_result
+
+    if $_G_rc_parse_options; then
+      # save modified positional parameters for caller
+      func_quote eval ${1+"$@"}
+      func_parse_options_result=$func_quote_result
+    fi
+
+    $_G_rc_parse_options
 }
 
 
@@ -1778,16 +1942,21 @@ func_validate_options ()
 {
     $debug_cmd
 
+    _G_rc_validate_options=false
+
     # Display all warnings if -W was not given.
     test -n "$opt_warning_types" || opt_warning_types=" $warning_categories"
 
-    func_run_hooks func_validate_options ${1+"$@"}
+    if func_run_hooks func_validate_options ${1+"$@"}; then
+      # save modified positional parameters for caller
+      func_validate_options_result=$func_run_hooks_result
+      _G_rc_validate_options=:
+    fi
 
     # Bail if the options were screwed!
     $exit_cmd $EXIT_FAILURE
 
-    # save modified positional parameters for caller
-    func_validate_options_result=$func_run_hooks_result
+    $_G_rc_validate_options
 }
 
 
@@ -1977,7 +2146,7 @@ func_version ()
 # End:
 
 # Set a version string.
-scriptversion='(GNU libtool) 2.4.6 Debian-2.4.6-1'
+scriptversion='(GNU libtool) 2.4.6'
 
 
 # func_echo ARG...
@@ -2068,7 +2237,7 @@ include the following information:
        compiler:       $LTCC
        compiler flags: $LTCFLAGS
        linker:         $LD (gnu? $with_gnu_ld)
-       version:        $progname $scriptversion
+       version:        $progname $scriptversion Debian-2.4.6-4
        automake:       `($AUTOMAKE --version) 2>/dev/null |$SED 1q`
        autoconf:       `($AUTOCONF --version) 2>/dev/null |$SED 1q`
 
@@ -2270,6 +2439,8 @@ libtool_options_prep ()
     nonopt=
     preserve_args=
 
+    _G_rc_lt_options_prep=:
+
     # Shorthand for --mode=foo, only valid as the first argument
     case $1 in
     clean|clea|cle|cl)
@@ -2293,11 +2464,18 @@ libtool_options_prep ()
     uninstall|uninstal|uninsta|uninst|unins|unin|uni|un|u)
       shift; set dummy --mode uninstall ${1+"$@"}; shift
       ;;
+    *)
+      _G_rc_lt_options_prep=false
+      ;;
     esac
 
-    # Pass back the list of options.
-    func_quote_for_eval ${1+"$@"}
-    libtool_options_prep_result=$func_quote_for_eval_result
+    if $_G_rc_lt_options_prep; then
+      # Pass back the list of options.
+      func_quote eval ${1+"$@"}
+      libtool_options_prep_result=$func_quote_result
+    fi
+
+    $_G_rc_lt_options_prep
 }
 func_add_hook func_options_prep libtool_options_prep
 
@@ -2309,9 +2487,12 @@ libtool_parse_options ()
 {
     $debug_cmd
 
+    _G_rc_lt_parse_options=false
+
     # Perform our own loop to consume as many options as possible in
     # each iteration.
     while test $# -gt 0; do
+      _G_match_lt_parse_options=:
       _G_opt=$1
       shift
       case $_G_opt in
@@ -2386,15 +2567,22 @@ libtool_parse_options ()
                         func_append preserve_args " $_G_opt"
                         ;;
 
-	# An option not handled by this hook function:
-        *)		set dummy "$_G_opt" ${1+"$@"};	shift; break  ;;
+        # An option not handled by this hook function:
+        *)              set dummy "$_G_opt" ${1+"$@"} ; shift
+                        _G_match_lt_parse_options=false
+                        break
+                        ;;
       esac
+      $_G_match_lt_parse_options && _G_rc_lt_parse_options=:
     done
 
+    if $_G_rc_lt_parse_options; then
+      # save modified positional parameters for caller
+      func_quote eval ${1+"$@"}
+      libtool_parse_options_result=$func_quote_result
+    fi
 
-    # save modified positional parameters for caller
-    func_quote_for_eval ${1+"$@"}
-    libtool_parse_options_result=$func_quote_for_eval_result
+    $_G_rc_lt_parse_options
 }
 func_add_hook func_parse_options libtool_parse_options
 
@@ -2451,8 +2639,8 @@ libtool_validate_options ()
     }
 
     # Pass back the unparsed argument list
-    func_quote_for_eval ${1+"$@"}
-    libtool_validate_options_result=$func_quote_for_eval_result
+    func_quote eval ${1+"$@"}
+    libtool_validate_options_result=$func_quote_result
 }
 func_add_hook func_validate_options libtool_validate_options
 
@@ -3418,8 +3606,8 @@ func_mode_compile ()
       esac
     done
 
-    func_quote_for_eval "$libobj"
-    test "X$libobj" != "X$func_quote_for_eval_result" \
+    func_quote_arg pretty "$libobj"
+    test "X$libobj" != "X$func_quote_arg_result" \
       && $ECHO "X$libobj" | $GREP '[]~#^*{};<>?"'"'"'	 &()|`$[]' \
       && func_warning "libobj name '$libobj' may not contain shell special characters."
     func_dirname_and_basename "$obj" "/" ""
@@ -3492,8 +3680,8 @@ compiler."
 
     func_to_tool_file "$srcfile" func_convert_file_msys_to_w32
     srcfile=$func_to_tool_file_result
-    func_quote_for_eval "$srcfile"
-    qsrcfile=$func_quote_for_eval_result
+    func_quote_arg pretty "$srcfile"
+    qsrcfile=$func_quote_arg_result
 
     # Only build a PIC object if we are building libtool libraries.
     if test yes = "$build_libtool_libs"; then
@@ -4096,8 +4284,8 @@ func_mode_install ()
        case $nonopt in *shtool*) :;; *) false;; esac
     then
       # Aesthetically quote it.
-      func_quote_for_eval "$nonopt"
-      install_prog="$func_quote_for_eval_result "
+      func_quote_arg pretty "$nonopt"
+      install_prog="$func_quote_arg_result "
       arg=$1
       shift
     else
@@ -4107,8 +4295,8 @@ func_mode_install ()
 
     # The real first argument should be the name of the installation program.
     # Aesthetically quote it.
-    func_quote_for_eval "$arg"
-    func_append install_prog "$func_quote_for_eval_result"
+    func_quote_arg pretty "$arg"
+    func_append install_prog "$func_quote_arg_result"
     install_shared_prog=$install_prog
     case " $install_prog " in
       *[\\\ /]cp\ *) install_cp=: ;;
@@ -4165,12 +4353,12 @@ func_mode_install ()
       esac
 
       # Aesthetically quote the argument.
-      func_quote_for_eval "$arg"
-      func_append install_prog " $func_quote_for_eval_result"
+      func_quote_arg pretty "$arg"
+      func_append install_prog " $func_quote_arg_result"
       if test -n "$arg2"; then
-	func_quote_for_eval "$arg2"
+	func_quote_arg pretty "$arg2"
       fi
-      func_append install_shared_prog " $func_quote_for_eval_result"
+      func_append install_shared_prog " $func_quote_arg_result"
     done
 
     test -z "$install_prog" && \
@@ -4181,8 +4369,8 @@ func_mode_install ()
 
     if test -n "$install_override_mode" && $no_mode; then
       if $install_cp; then :; else
-	func_quote_for_eval "$install_override_mode"
-	func_append install_shared_prog " -m $func_quote_for_eval_result"
+	func_quote_arg pretty "$install_override_mode"
+	func_append install_shared_prog " -m $func_quote_arg_result"
       fi
     fi
 
@@ -4478,8 +4666,8 @@ func_mode_install ()
 	        relink_command=`$ECHO "$relink_command" | $SED 's%@OUTPUT@%'"$outputname"'%g'`
 
 	        $opt_quiet || {
-	          func_quote_for_expand "$relink_command"
-		  eval "func_echo $func_quote_for_expand_result"
+	          func_quote_arg expand,pretty "$relink_command"
+		  eval "func_echo $func_quote_arg_result"
 	        }
 	        if eval "$relink_command"; then :
 	          else
@@ -5258,7 +5446,8 @@ else
   if test \"\$libtool_execute_magic\" != \"$magic\"; then
     file=\"\$0\""
 
-    qECHO=`$ECHO "$ECHO" | $SED "$sed_quote_subst"`
+    func_quote_arg pretty "$ECHO"
+    qECHO=$func_quote_arg_result
     $ECHO "\
 
 # A function that is used when there is no print builtin or printf.
@@ -5268,7 +5457,7 @@ func_fallback_echo ()
 \$1
 _LTECHO_EOF'
 }
-    ECHO=\"$qECHO\"
+    ECHO=$qECHO
   fi
 
 # Very basic option parsing. These options are (a) specific to
@@ -6611,9 +6800,9 @@ func_mode_link ()
     while test "$#" -gt 0; do
       arg=$1
       shift
-      func_quote_for_eval "$arg"
-      qarg=$func_quote_for_eval_unquoted_result
-      func_append libtool_args " $func_quote_for_eval_result"
+      func_quote_arg pretty,unquoted "$arg"
+      qarg=$func_quote_arg_unquoted_result
+      func_append libtool_args " $func_quote_arg_result"
 
       # If the previous option needs an argument, assign it.
       if test -n "$prev"; then
@@ -7211,9 +7400,9 @@ func_mode_link ()
 	save_ifs=$IFS; IFS=,
 	for flag in $args; do
 	  IFS=$save_ifs
-          func_quote_for_eval "$flag"
-	  func_append arg " $func_quote_for_eval_result"
-	  func_append compiler_flags " $func_quote_for_eval_result"
+          func_quote_arg pretty "$flag"
+	  func_append arg " $func_quote_arg_result"
+	  func_append compiler_flags " $func_quote_arg_result"
 	done
 	IFS=$save_ifs
 	func_stripname ' ' '' "$arg"
@@ -7227,10 +7416,10 @@ func_mode_link ()
 	save_ifs=$IFS; IFS=,
 	for flag in $args; do
 	  IFS=$save_ifs
-          func_quote_for_eval "$flag"
-	  func_append arg " $wl$func_quote_for_eval_result"
-	  func_append compiler_flags " $wl$func_quote_for_eval_result"
-	  func_append linker_flags " $func_quote_for_eval_result"
+          func_quote_arg pretty "$flag"
+	  func_append arg " $wl$func_quote_arg_result"
+	  func_append compiler_flags " $wl$func_quote_arg_result"
+	  func_append linker_flags " $func_quote_arg_result"
 	done
 	IFS=$save_ifs
 	func_stripname ' ' '' "$arg"
@@ -7254,8 +7443,8 @@ func_mode_link ()
 
       # -msg_* for osf cc
       -msg_*)
-	func_quote_for_eval "$arg"
-	arg=$func_quote_for_eval_result
+	func_quote_arg pretty "$arg"
+	arg=$func_quote_arg_result
 	;;
 
       # Flags to be passed through unchanged, with rationale:
@@ -7279,8 +7468,8 @@ func_mode_link ()
       -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \
       -O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*| \
       -specs=*|-fsanitize=*)
-        func_quote_for_eval "$arg"
-	arg=$func_quote_for_eval_result
+        func_quote_arg pretty "$arg"
+	arg=$func_quote_arg_result
         func_append compile_command " $arg"
         func_append finalize_command " $arg"
         func_append compiler_flags " $arg"
@@ -7301,15 +7490,15 @@ func_mode_link ()
 	  continue
         else
 	  # Otherwise treat like 'Some other compiler flag' below
-	  func_quote_for_eval "$arg"
-	  arg=$func_quote_for_eval_result
+	  func_quote_arg pretty "$arg"
+	  arg=$func_quote_arg_result
         fi
 	;;
 
       # Some other compiler flag.
       -* | +*)
-        func_quote_for_eval "$arg"
-	arg=$func_quote_for_eval_result
+        func_quote_arg pretty "$arg"
+	arg=$func_quote_arg_result
 	;;
 
       *.$objext)
@@ -7429,8 +7618,8 @@ func_mode_link ()
       *)
 	# Unknown arguments in both finalize_command and compile_command need
 	# to be aesthetically quoted because they are evaled later.
-	func_quote_for_eval "$arg"
-	arg=$func_quote_for_eval_result
+	func_quote_arg pretty "$arg"
+	arg=$func_quote_arg_result
 	;;
       esac # arg
 
@@ -9942,8 +10131,8 @@ EOF
 	    for cmd in $concat_cmds; do
 	      IFS=$save_ifs
 	      $opt_quiet || {
-		  func_quote_for_expand "$cmd"
-		  eval "func_echo $func_quote_for_expand_result"
+		  func_quote_arg expand,pretty "$cmd"
+		  eval "func_echo $func_quote_arg_result"
 	      }
 	      $opt_dry_run || eval "$cmd" || {
 		lt_exit=$?
@@ -10036,8 +10225,8 @@ EOF
 	  eval cmd=\"$cmd\"
 	  IFS=$save_ifs
 	  $opt_quiet || {
-	    func_quote_for_expand "$cmd"
-	    eval "func_echo $func_quote_for_expand_result"
+	    func_quote_arg expand,pretty "$cmd"
+	    eval "func_echo $func_quote_arg_result"
 	  }
 	  $opt_dry_run || eval "$cmd" || {
 	    lt_exit=$?
@@ -10511,12 +10700,12 @@ EOF
 	  elif eval var_value=\$$var; test -z "$var_value"; then
 	    relink_command="$var=; export $var; $relink_command"
 	  else
-	    func_quote_for_eval "$var_value"
-	    relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command"
+	    func_quote_arg pretty "$var_value"
+	    relink_command="$var=$func_quote_arg_result; export $var; $relink_command"
 	  fi
 	done
-	relink_command="(cd `pwd`; $relink_command)"
-	relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"`
+	func_quote_arg pretty,unquoted "(cd `pwd`; $relink_command)"
+	relink_command=$func_quote_arg_unquoted_result
       fi
 
       # Only actually do things if not in dry run mode.
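Review bot: The new `func_quote_arg pretty,unquoted "(cd ...; $relink_command)"` line still pastes the output of `pwd` into the command string unquoted, and per `func_quote_portable` the `pretty,unquoted` pass only backslash-escapes backslash, backquote, double quote and `$`. A build directory whose name contains a space or `;` would therefore be split or interpreted when the stored relink command is later evaluated. Quoting the directory on its own first would close that: run `func_quote_arg pretty` on the `pwd` output, then build the string as `"(cd $func_quote_arg_result; $relink_command)"` before the `pretty,unquoted` pass. The same unquoted `cd` of the `pwd` output sits in the unchanged "Quote the link command for shipping" line of the next hunk. The enclosing function starts and ends outside this hunk.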
@@ -10756,13 +10945,14 @@ EOF
 	elif eval var_value=\$$var; test -z "$var_value"; then
 	  relink_command="$var=; export $var; $relink_command"
 	else
-	  func_quote_for_eval "$var_value"
-	  relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command"
+	  func_quote_arg pretty,unquoted "$var_value"
+	  relink_command="$var=$func_quote_arg_unquoted_result; export $var; $relink_command"
 	fi
       done
       # Quote the link command for shipping.
       relink_command="(cd `pwd`; $SHELL \"$progpath\" $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
-      relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"`
+      func_quote_arg pretty,unquoted "$relink_command"
+      relink_command=$func_quote_arg_unquoted_result
       if test yes = "$hardcode_automatic"; then
 	relink_command=
       fi
diff -pruN 0.8.2-3/config/missing 0.9.0-1/config/missing
--- 0.8.2-3/config/missing	2017-01-08 14:08:05.000000000 +0000
+++ 0.9.0-1/config/missing	2019-01-23 20:15:47.000000000 +0000
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Common wrapper for a few potentially missing GNU programs.
 
-scriptversion=2013-10-28.13; # UTC
+scriptversion=2018-03-07.03; # UTC
 
-# Copyright (C) 1996-2014 Free Software Foundation, Inc.
+# Copyright (C) 1996-2018 Free Software Foundation, Inc.
 # Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
 
 # This program is free software; you can redistribute it and/or modify
@@ -17,7 +17,7 @@ scriptversion=2013-10-28.13; # UTC
 # GNU General Public License for more details.
 
 # You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -101,9 +101,9 @@ else
   exit $st
 fi
 
-perl_URL=http://www.perl.org/
-flex_URL=http://flex.sourceforge.net/
-gnu_software_URL=http://www.gnu.org/software
+perl_URL=https://www.perl.org/
+flex_URL=https://github.com/westes/flex
+gnu_software_URL=https://www.gnu.org/software
 
 program_details ()
 {
@@ -207,9 +207,9 @@ give_advice "$1" | sed -e '1s/^/WARNING:
 exit $st
 
 # Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
+# eval: (add-hook 'before-save-hook 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC"
+# time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:
diff -pruN 0.8.2-3/config/test-driver 0.9.0-1/config/test-driver
--- 0.8.2-3/config/test-driver	2017-01-08 14:08:06.000000000 +0000
+++ 0.9.0-1/config/test-driver	2019-01-23 20:15:48.000000000 +0000
@@ -1,9 +1,9 @@
 #! /bin/sh
 # test-driver - basic testsuite driver script.
 
-scriptversion=2013-07-13.22; # UTC
+scriptversion=2018-03-07.03; # UTC
 
-# Copyright (C) 2011-2014 Free Software Foundation, Inc.
+# Copyright (C) 2011-2018 Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -16,7 +16,7 @@ scriptversion=2013-07-13.22; # UTC
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -140,9 +140,9 @@ echo ":copy-in-global-log: $gcopy" >> $t
 # Local Variables:
 # mode: shell-script
 # sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
+# eval: (add-hook 'before-save-hook 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC"
+# time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:
diff -pruN 0.8.2-3/configure 0.9.0-1/configure
--- 0.8.2-3/configure	2017-01-08 14:08:03.000000000 +0000
+++ 0.9.0-1/configure	2019-01-23 20:15:47.000000000 +0000
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for mod_gnutls 0.8.2.
+# Generated by GNU Autoconf 2.69 for mod_gnutls 0.9.0.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -647,8 +647,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='mod_gnutls'
 PACKAGE_TARNAME='mod_gnutls'
-PACKAGE_VERSION='0.8.2'
-PACKAGE_STRING='mod_gnutls 0.8.2'
+PACKAGE_VERSION='0.9.0'
+PACKAGE_STRING='mod_gnutls 0.9.0'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -734,6 +734,8 @@ DX_CONFIG
 DX_PROJECT
 LISTEN_LIST
 SOFTHSM_LIB
+TEST_QUERY_TIMEOUT
+TEST_LOCK_WAIT
 TEST_IP
 TEST_HOST
 MODULE_LIBS
@@ -757,14 +759,10 @@ USE_PANDOC_TRUE
 MARKDOWN
 PDFLATEX
 PANDOC
-have_apr_memcache
-APR_MEMCACHE_CFLAGS
-APR_MEMCACHE_LIBS
-APR_UTIL_CONF
 USE_MSVA_FALSE
 USE_MSVA_TRUE
 PID_AFFIX
-MUTEX_TYPE
+MUTEX_CONF
 ENABLE_NETNS_FALSE
 ENABLE_NETNS_TRUE
 UNSHARE
@@ -774,6 +772,8 @@ OPENSSL
 DISABLE_FLOCK_FALSE
 DISABLE_FLOCK_TRUE
 FLOCK
+EXPECT_EARLY_SNI
+ENABLE_EARLY_SNI
 ENABLE_VPATH_INSTALL_FALSE
 ENABLE_VPATH_INSTALL_TRUE
 LIBGNUTLS_LIBS
@@ -836,7 +836,6 @@ am__nodep
 AMDEPBACKSLASH
 AMDEP_FALSE
 AMDEP_TRUE
-am__quote
 am__include
 DEPDIR
 OBJEXT
@@ -928,7 +927,8 @@ PACKAGE_VERSION
 PACKAGE_TARNAME
 PACKAGE_NAME
 PATH_SEPARATOR
-SHELL'
+SHELL
+am__quote'
 ac_subst_files=''
 ac_user_opts='
 enable_option_checking
@@ -946,13 +946,13 @@ with_sysroot
 enable_libtool_lock
 with_apxs
 enable_apachetest
+with_gnutls_dev
 enable_vpath_install
 enable_srp
 enable_strict
 enable_flock
 enable_test_namespaces
 enable_msva
-with_apu_config
 enable_doxygen_doc
 enable_doxygen_dot
 enable_doxygen_man
@@ -981,6 +981,8 @@ LIBGNUTLS_CFLAGS
 LIBGNUTLS_LIBS
 TEST_HOST
 TEST_IP
+TEST_LOCK_WAIT
+TEST_QUERY_TIMEOUT
 SOFTHSM_LIB
 DOXYGEN_PAPER_SIZE'
 
@@ -1533,7 +1535,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures mod_gnutls 0.8.2 to adapt to many kinds of systems.
+\`configure' configures mod_gnutls 0.9.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1605,7 +1607,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of mod_gnutls 0.8.2:";;
+     short | recursive ) echo "Configuration of mod_gnutls 0.9.0:";;
    esac
   cat <<\_ACEOF
 
@@ -1639,8 +1641,8 @@ Optional Features:
   --disable-flock         Disable use of flock during tests (some exotic
                           architectures don't support it)
   --disable-test-namespaces
-                          Disable use of network namespaces to run tests in
-                          parallel (some architectures might not support it)
+                          Disable use of namespaces for tests (limits
+                          parallelization)
   --enable-msva           enable Monkeysphere client certificate verification
   --disable-doxygen-doc   don't generate any doxygen documentation
   --disable-doxygen-dot   don't generate graphics for doxygen documentation
@@ -1652,7 +1654,7 @@ Optional Features:
                           file
   --disable-doxygen-html  don't generate doxygen plain HTML documentation
   --enable-doxygen-ps     generate doxygen PostScript documentation
-  --disable-doxygen-pdf   don't generate doxygen PDF documentation
+  --enable-doxygen-pdf    generate doxygen PDF documentation
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -1666,8 +1668,9 @@ Optional Packages:
   --with-sysroot[=DIR]    Search for dependent libraries within DIR (or the
                           compiler's sysroot if not specified).
   --with-apxs=PATH        Path to apxs
-  --with-apu-config=PATH  Path to APR Utility Library config tool
-                          (apu-1-config)
+  --with-gnutls-dev=DIR   Use GnuTLS libraries from a development (git) tree.
+                          Use this if you want to test mod_gnutls with the
+                          latest GnuTLS code.
 
 Some influential environment variables:
   CC          C compiler command
@@ -1695,6 +1698,13 @@ Some influential environment variables:
   TEST_IP     List of IP addresses to use for server instances started by
               "make check". The default is "[::1] 127.0.0.1". Note that IPv6
               addresses must be enclosed in square brackets.
+  TEST_LOCK_WAIT
+              Timeout in seconds to acquire locks for Apache instances in the
+              test suite, or the previous instance to remove its PID file if
+              flock is not used. Default is 30.
+  TEST_QUERY_TIMEOUT
+              Timeout in seconds for HTTPS requests sent using gnutls-cli in
+              the test suite. Default is 30.
   SOFTHSM_LIB Absolute path of the SoftHSM PKCS #11 module to use. By default
               the test suite will search common library paths.
   DOXYGEN_PAPER_SIZE
@@ -1766,7 +1776,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-mod_gnutls configure 0.8.2
+mod_gnutls configure 0.9.0
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2177,7 +2187,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by mod_gnutls $as_me 0.8.2, which was
+It was created by mod_gnutls $as_me 0.9.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2543,7 +2553,7 @@ EOF
   echo '"$@"' >> config.nice
   chmod +x config.nice
 
-MOD_GNUTLS_VERSION=0.8.2
+MOD_GNUTLS_VERSION=0.9.0
 
 
 ac_aux_dir=
@@ -2722,7 +2732,7 @@ test -n "$target_alias" &&
     NONENONEs,x,x, &&
   program_prefix=${target_alias}-
 # mod_gnutls test suite requires GNU make
-am__api_version='1.15'
+am__api_version='1.16'
 
 # Find a good install program.  We prefer a C program (faster),
 # so one script is as good as another.  But avoid the broken or
@@ -3208,7 +3218,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='mod_gnutls'
- VERSION='0.8.2'
+ VERSION='0.9.0'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -3238,8 +3248,8 @@ MAKEINFO=${MAKEINFO-"${am_missing_run}ma
 
 # For better backward compatibility.  To be removed once Automake 1.9.x
 # dies out for good.  For more background, see:
-# <http://lists.gnu.org/archive/html/automake/2012-07/msg00001.html>
-# <http://lists.gnu.org/archive/html/automake/2012-07/msg00014.html>
+# <https://lists.gnu.org/archive/html/automake/2012-07/msg00001.html>
+# <https://lists.gnu.org/archive/html/automake/2012-07/msg00014.html>
 mkdir_p='$(MKDIR_P)'
 
 # We need awk for the "check" target (and possibly the TAP driver).  The
@@ -3290,7 +3300,7 @@ END
 Aborting the configuration process, to ensure you take notice of the issue.
 
 You can download and install GNU coreutils to get an 'rm' implementation
-that behaves properly: <http://www.gnu.org/software/coreutils/>.
+that behaves properly: <https://www.gnu.org/software/coreutils/>.
 
 If you want to complete the configuration process using your problematic
 'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM
@@ -3402,45 +3412,45 @@ DEPDIR="${am__leading_dot}deps"
 
 ac_config_commands="$ac_config_commands depfiles"
 
-
-am_make=${MAKE-make}
-cat > confinc << 'END'
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} supports the include directive" >&5
+$as_echo_n "checking whether ${MAKE-make} supports the include directive... " >&6; }
+cat > confinc.mk << 'END'
 am__doit:
-	@echo this is the am__doit target
+	@echo this is the am__doit target >confinc.out
 .PHONY: am__doit
 END
-# If we don't find an include directive, just comment out the code.
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for style of include used by $am_make" >&5
-$as_echo_n "checking for style of include used by $am_make... " >&6; }
 am__include="#"
 am__quote=
-_am_result=none
-# First try GNU make style include.
-echo "include confinc" > confmf
-# Ignore all kinds of additional output from 'make'.
-case `$am_make -s -f confmf 2> /dev/null` in #(
-*the\ am__doit\ target*)
-  am__include=include
-  am__quote=
-  _am_result=GNU
-  ;;
-esac
-# Now try BSD make style include.
-if test "$am__include" = "#"; then
-   echo '.include "confinc"' > confmf
-   case `$am_make -s -f confmf 2> /dev/null` in #(
-   *the\ am__doit\ target*)
-     am__include=.include
-     am__quote="\""
-     _am_result=BSD
+# BSD make does it like this.
+echo '.include "confinc.mk" # ignored' > confmf.BSD
+# Other make implementations (GNU, Solaris 10, AIX) do it like this.
+echo 'include confinc.mk # ignored' > confmf.GNU
+_am_result=no
+for s in GNU BSD; do
+  { echo "$as_me:$LINENO: ${MAKE-make} -f confmf.$s && cat confinc.out" >&5
+   (${MAKE-make} -f confmf.$s && cat confinc.out) >&5 2>&5
+   ac_status=$?
+   echo "$as_me:$LINENO: \$? = $ac_status" >&5
+   (exit $ac_status); }
+  case $?:`cat confinc.out 2>/dev/null` in #(
+  '0:this is the am__doit target') :
+    case $s in #(
+  BSD) :
+    am__include='.include' am__quote='"' ;; #(
+  *) :
+    am__include='include' am__quote='' ;;
+esac ;; #(
+  *) :
      ;;
-   esac
-fi
-
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $_am_result" >&5
-$as_echo "$_am_result" >&6; }
-rm -f confinc confmf
+esac
+  if test "$am__include" != "#"; then
+    _am_result="yes ($s style)"
+    break
+  fi
+done
+rm -f confinc.* confmf.*
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ${_am_result}" >&5
+$as_echo "${_am_result}" >&6; }
 
 # Check whether --enable-dependency-tracking was given.
 if test "${enable_dependency_tracking+set}" = set; then :
@@ -13377,7 +13387,7 @@ with_gnu_ld=$lt_cv_prog_gnu_ld
 
 
 
-AP_VERSION=2.4.0
+AP_VERSION=2.4.17
 
 # Check whether --with-apxs was given.
 if test "${with_apxs+set}" = set; then :
@@ -13831,6 +13841,22 @@ fi
 
 
 
+# Check whether --with-gnutls-dev was given.
+if test "${with_gnutls_dev+set}" = set; then :
+  withval=$with_gnutls_dev;
+		if test -d "${with_gnutls_dev}" ; then :
+
+			LIBGNUTLS_CFLAGS="-I${with_gnutls_dev}/lib/includes"
+			LIBGNUTLS_LIBS="-lgnutls -L${with_gnutls_dev}/lib/.libs -R${with_gnutls_dev}/lib/.libs"
+
+else
+  as_fn_error $? "--with-gnutls-dev=DIR requires a directory!" "$LINENO" 5
+fi
+
+fi
+
+
+
 
 
 
@@ -14128,10 +14154,81 @@ else
 fi
 
 
-SRP_CFLAGS=""
+GNUTLS_FEAT_CFLAGS=""
 if test "$use_srp" != "no"; then
-	SRP_CFLAGS="-DENABLE_SRP=1"
+	GNUTLS_FEAT_CFLAGS="-DENABLE_SRP=1"
+fi
+
+# check if the available GnuTLS library supports raw extension parsing
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing gnutls_ext_raw_parse" >&5
+$as_echo_n "checking for library containing gnutls_ext_raw_parse... " >&6; }
+if ${ac_cv_search_gnutls_ext_raw_parse+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char gnutls_ext_raw_parse ();
+int
+main ()
+{
+return gnutls_ext_raw_parse ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' gnutls; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_gnutls_ext_raw_parse=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if ${ac_cv_search_gnutls_ext_raw_parse+:} false; then :
+  break
+fi
+done
+if ${ac_cv_search_gnutls_ext_raw_parse+:} false; then :
+
+else
+  ac_cv_search_gnutls_ext_raw_parse=no
 fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_gnutls_ext_raw_parse" >&5
+$as_echo "$ac_cv_search_gnutls_ext_raw_parse" >&6; }
+ac_res=$ac_cv_search_gnutls_ext_raw_parse
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+  early_sni="yes"
+else
+  early_sni="no"
+fi
+
+if test "$early_sni" != "no"; then
+	ENABLE_EARLY_SNI=1
+	# This is for the test server configuration
+	EXPECT_EARLY_SNI="Define EXPECT_EARLY_SNI"
+else
+	ENABLE_EARLY_SNI=0
+	EXPECT_EARLY_SNI=""
+fi
+
+
+
 
 # Check whether --enable-strict was given.
 if test "${enable_strict+set}" = set; then :
@@ -14143,7 +14240,7 @@ fi
 
 STRICT_CFLAGS=""
 if test "$use_strict" != "no"; then
-        STRICT_CFLAGS="-Wall -Werror -Wextra"
+	STRICT_CFLAGS="-Wall -Werror -Wextra -Wno-error=deprecated-declarations"
 fi
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable SRP functionality" >&5
@@ -14210,9 +14307,23 @@ $as_echo_n "checking whether ${FLOCK} su
 else
   flock_works="no"
 fi
-	rm "${lockfile}"
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $flock_works" >&5
 $as_echo "$flock_works" >&6; }
+	# Old versions of flock do not support --verbose. They fail
+	# without executing the command but still return 0. Check for
+	# this behavior by testing if the rm command was executed.
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${FLOCK} supports --verbose" >&5
+$as_echo_n "checking whether ${FLOCK} supports --verbose... " >&6; }
+	testfile="$(mktemp)"
+	if ${FLOCK} --verbose --timeout 1 ${lockfile} rm "${testfile}" \
+			>&5 2>&1; test ! -e "${testfile}"; then :
+  flock_verbose="yes"; FLOCK="${FLOCK} --verbose"
+else
+  flock_verbose="no"; rm "${testfile}"
+fi
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $flock_verbose" >&5
+$as_echo "$flock_verbose" >&6; }
+	rm "${lockfile}"
 
 else
   flock_works="no"
@@ -14313,8 +14424,8 @@ else
 fi
 
 
-# Check if "unshare" is available and has permission to create network
-# and user namespaces
+# Check if "unshare" is available and has permission to create
+# network, IPC, and user namespaces
 # Extract the first word of "unshare", so it can be a program name with args.
 set dummy unshare; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
@@ -14358,9 +14469,9 @@ fi
 
 if test "${UNSHARE}" != "no"; then :
 
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for permission to create network and user namespaces" >&5
-$as_echo_n "checking for permission to create network and user namespaces... " >&6; }
-	if ${UNSHARE} --net -r /bin/sh -c \
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for permission to use namespaces" >&5
+$as_echo_n "checking for permission to use namespaces... " >&6; }
+	if ${UNSHARE} --net --ipc -r /bin/sh -c \
 		"ip link set up lo && ip addr show" >&5 2>&1; then :
   unshare_works="yes"
 else
@@ -14390,9 +14501,9 @@ fi
 # Adjust Apache configuration for tests accordingly: Use pthread mutex
 # and test specific PID files if using namespaces, defaults otherwise.
 if test "$use_netns" = "yes"; then :
-  MUTEX_TYPE="pthread"; PID_AFFIX="-\${TEST_NAME}"
+  MUTEX_CONF="Mutex pthread default"; PID_AFFIX="-\${TEST_NAME}"
 else
-  MUTEX_TYPE="default"; PID_AFFIX=""
+  MUTEX_CONF=""; PID_AFFIX=""
 fi
 
 
@@ -14497,140 +14608,6 @@ $as_echo_n "checking whether to enable M
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $use_msva" >&5
 $as_echo "$use_msva" >&6; }
 
-have_apr_memcache=0
-
-
-# Check whether --with-apu-config was given.
-if test "${with_apu_config+set}" = set; then :
-  withval=$with_apu_config; apr_util_config="$withval"
-fi
-
-
-
-
-save_CFLAGS=$CFLAGS
-save_LDFLAGS=$LDFLAGS
-
-if test -z "$apr_util_config"; then
-	for ac_prog in apu-1-config
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_path_APR_UTIL_CONF+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  case $APR_UTIL_CONF in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_APR_UTIL_CONF="$APR_UTIL_CONF" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-as_dummy="$PATH:/usr/sbin"
-for as_dir in $as_dummy
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-    for ac_exec_ext in '' $ac_executable_extensions; do
-  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_path_APR_UTIL_CONF="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-  done
-IFS=$as_save_IFS
-
-  ;;
-esac
-fi
-APR_UTIL_CONF=$ac_cv_path_APR_UTIL_CONF
-if test -n "$APR_UTIL_CONF"; then
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $APR_UTIL_CONF" >&5
-$as_echo "$APR_UTIL_CONF" >&6; }
-else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-fi
-
-
-  test -n "$APR_UTIL_CONF" && break
-done
-test -n "$APR_UTIL_CONF" || APR_UTIL_CONF="no"
-
-else
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: using apu-1-config path set by user: $apr_util_config" >&5
-$as_echo "$as_me: using apu-1-config path set by user: $apr_util_config" >&6;}
-	APR_UTIL_CONF="$apr_util_config"
-fi
-
-CFLAGS="`$APR_UTIL_CONF --includes` $CFLAGS"
-LDFLAGS="`$APR_UTIL_CONF --link-ld` $LDFLAGS"
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for apr_memcache_create in -laprutil-1" >&5
-$as_echo_n "checking for apr_memcache_create in -laprutil-1... " >&6; }
-if ${ac_cv_lib_aprutil_1_apr_memcache_create+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-laprutil-1  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char apr_memcache_create ();
-int
-main ()
-{
-return apr_memcache_create ();
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_aprutil_1_apr_memcache_create=yes
-else
-  ac_cv_lib_aprutil_1_apr_memcache_create=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_aprutil_1_apr_memcache_create" >&5
-$as_echo "$ac_cv_lib_aprutil_1_apr_memcache_create" >&6; }
-if test "x$ac_cv_lib_aprutil_1_apr_memcache_create" = xyes; then :
-
-		APR_MEMCACHE_LIBS="`$APR_UTIL_CONF --link-ld`"
-		APR_MEMCACHE_CFLAGS="`$APR_UTIL_CONF --includes`"
-
-
-fi
-
-
-CFLAGS=$save_CFLAGS
-LDFLAGS=$save_LDFLAGS
-
-
-
-
-if test -z "${APR_MEMCACHE_LIBS}"; then
-  { $as_echo "$as_me:${as_lineno-$LINENO}: *** memcache library not found." >&5
-$as_echo "$as_me: *** memcache library not found." >&6;}
-  have_apr_memcache=0
-else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: using '${APR_MEMCACHE_LIBS}' for memcache" >&5
-$as_echo "$as_me: using '${APR_MEMCACHE_LIBS}' for memcache" >&6;}
-  have_apr_memcache=1
-fi
-
-
-
 # Building documentation requires pandoc, which in turn needs pdflatex
 # to build PDF output.
 build_doc=no
@@ -14718,9 +14695,9 @@ fi
 
 
 	if test "$PDFLATEX" != "no"; then
-		build_doc=yes
+		build_doc="html, manual page, pdf"
 	else
-		build_doc="html only"
+		build_doc="html, manual page"
 	fi
 else
 	# Extract the first word of "markdown", so it can be a program name with args.
@@ -14897,8 +14874,8 @@ done
 test -n "$HTTP_CLI" || HTTP_CLI="no"
 
 
-MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${SRP_CFLAGS} ${MSVA_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES} ${STRICT_CFLAGS}"
-MODULE_LIBS="${APR_MEMCACHE_LIBS} ${LIBGNUTLS_LIBS}"
+MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${GNUTLS_FEAT_CFLAGS} ${MSVA_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES} ${STRICT_CFLAGS}"
+MODULE_LIBS="${LIBGNUTLS_LIBS}"
 
 for ac_prog in softhsm2-util softhsm
 do
@@ -14999,6 +14976,10 @@ fi
 
 
 
+: ${TEST_LOCK_WAIT:="30"}
+: ${TEST_QUERY_TIMEOUT:="30"}
+
+
 
 
 
@@ -15009,7 +14990,7 @@ Listen ${i}:\${TEST_PORT}"
 done
 # Available extra ports, tests can "Define" variables of the listed
 # names in their apache.conf to enable them.
-for j in TEST_HTTP_PORT OCSP_PORT; do
+for j in TEST_HTTP_PORT; do
 LISTEN_LIST="${LISTEN_LIST}
 <IfDefine ${j}>"
 for i in ${TEST_IP}; do
@@ -16411,7 +16392,7 @@ esac
 
 else
 
-DX_FLAG_pdf=1
+DX_FLAG_pdf=0
 
 
 test "$DX_FLAG_doc" = "1" || DX_FLAG_pdf=0
@@ -16990,7 +16971,7 @@ DX_RULES="${DX_SNIPPET_doc}"
 #echo DX_ENV=$DX_ENV
 
 
-ac_config_files="$ac_config_files Makefile src/Makefile test/Makefile test/tests/Makefile doc/Makefile doc/doxygen.conf include/mod_gnutls.h test/proxy_backend.conf test/apache-conf/listen.conf test/apache-conf/netns.conf"
+ac_config_files="$ac_config_files Makefile src/Makefile test/Makefile test/tests/Makefile doc/Makefile doc/doxygen.conf include/mod_gnutls.h test/proxy_backend.conf test/ocsp_server.conf test/apache-conf/early_sni.conf test/apache-conf/listen.conf test/apache-conf/netns.conf"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -17573,7 +17554,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_wri
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by mod_gnutls $as_me 0.8.2, which was
+This file was extended by mod_gnutls $as_me 0.9.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -17639,7 +17620,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-mod_gnutls config.status 0.8.2
+mod_gnutls config.status 0.9.0
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -17758,7 +17739,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_writ
 #
 # INIT-COMMANDS
 #
-AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"
+AMDEP_TRUE="$AMDEP_TRUE" MAKE="${MAKE-make}"
 
 
 # The HP-UX ksh and POSIX shell print the target directory to stdout
@@ -18062,6 +18043,8 @@ do
     "doc/doxygen.conf") CONFIG_FILES="$CONFIG_FILES doc/doxygen.conf" ;;
     "include/mod_gnutls.h") CONFIG_FILES="$CONFIG_FILES include/mod_gnutls.h" ;;
     "test/proxy_backend.conf") CONFIG_FILES="$CONFIG_FILES test/proxy_backend.conf" ;;
+    "test/ocsp_server.conf") CONFIG_FILES="$CONFIG_FILES test/ocsp_server.conf" ;;
+    "test/apache-conf/early_sni.conf") CONFIG_FILES="$CONFIG_FILES test/apache-conf/early_sni.conf" ;;
     "test/apache-conf/listen.conf") CONFIG_FILES="$CONFIG_FILES test/apache-conf/listen.conf" ;;
     "test/apache-conf/netns.conf") CONFIG_FILES="$CONFIG_FILES test/apache-conf/netns.conf" ;;
 
@@ -18663,29 +18646,35 @@ $as_echo "$as_me: executing $ac_file com
   # Older Autoconf quotes --file arguments for eval, but not when files
   # are listed without --file.  Let's play safe and only enable the eval
   # if we detect the quoting.
-  case $CONFIG_FILES in
-  *\'*) eval set x "$CONFIG_FILES" ;;
-  *)   set x $CONFIG_FILES ;;
-  esac
+  # TODO: see whether this extra hack can be removed once we start
+  # requiring Autoconf 2.70 or later.
+  case $CONFIG_FILES in #(
+  *\'*) :
+    eval set x "$CONFIG_FILES" ;; #(
+  *) :
+    set x $CONFIG_FILES ;; #(
+  *) :
+     ;;
+esac
   shift
-  for mf
+  # Used to flag and report bootstrapping failures.
+  am_rc=0
+  for am_mf
   do
     # Strip MF so we end up with the name of the file.
-    mf=`echo "$mf" | sed -e 's/:.*$//'`
-    # Check whether this is an Automake generated Makefile or not.
-    # We used to match only the files named 'Makefile.in', but
-    # some people rename them; so instead we look at the file content.
-    # Grep'ing the first line is not enough: some people post-process
-    # each Makefile.in and add a new line on top of each file to say so.
-    # Grep'ing the whole file is not good either: AIX grep has a line
+    am_mf=`$as_echo "$am_mf" | sed -e 's/:.*$//'`
+    # Check whether this is an Automake generated Makefile which includes
+    # dependency-tracking related rules and includes.
+    # Grep'ing the whole file directly is not great: AIX grep has a line
     # limit of 2048, but all sed's we know have understand at least 4000.
-    if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then
-      dirpart=`$as_dirname -- "$mf" ||
-$as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$mf" : 'X\(//\)[^/]' \| \
-	 X"$mf" : 'X\(//\)$' \| \
-	 X"$mf" : 'X\(/\)' \| . 2>/dev/null ||
-$as_echo X"$mf" |
+    sed -n 's,^am--depfiles:.*,X,p' "$am_mf" | grep X >/dev/null 2>&1 \
+      || continue
+    am_dirpart=`$as_dirname -- "$am_mf" ||
+$as_expr X"$am_mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$am_mf" : 'X\(//\)[^/]' \| \
+	 X"$am_mf" : 'X\(//\)$' \| \
+	 X"$am_mf" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X"$am_mf" |
     sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
 	    s//\1/
 	    q
@@ -18703,53 +18692,48 @@ $as_echo X"$mf" |
 	    q
 	  }
 	  s/.*/./; q'`
-    else
-      continue
-    fi
-    # Extract the definition of DEPDIR, am__include, and am__quote
-    # from the Makefile without running 'make'.
-    DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
-    test -z "$DEPDIR" && continue
-    am__include=`sed -n 's/^am__include = //p' < "$mf"`
-    test -z "$am__include" && continue
-    am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
-    # Find all dependency output files, they are included files with
-    # $(DEPDIR) in their names.  We invoke sed twice because it is the
-    # simplest approach to changing $(DEPDIR) to its actual value in the
-    # expansion.
-    for file in `sed -n "
-      s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
-	 sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g'`; do
-      # Make sure the directory exists.
-      test -f "$dirpart/$file" && continue
-      fdir=`$as_dirname -- "$file" ||
-$as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$file" : 'X\(//\)[^/]' \| \
-	 X"$file" : 'X\(//\)$' \| \
-	 X"$file" : 'X\(/\)' \| . 2>/dev/null ||
-$as_echo X"$file" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-	    s//\1/
-	    q
-	  }
-	  /^X\(\/\/\)[^/].*/{
+    am_filepart=`$as_basename -- "$am_mf" ||
+$as_expr X/"$am_mf" : '.*/\([^/][^/]*\)/*$' \| \
+	 X"$am_mf" : 'X\(//\)$' \| \
+	 X"$am_mf" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X/"$am_mf" |
+    sed '/^.*\/\([^/][^/]*\)\/*$/{
 	    s//\1/
 	    q
 	  }
-	  /^X\(\/\/\)$/{
+	  /^X\/\(\/\/\)$/{
 	    s//\1/
 	    q
 	  }
-	  /^X\(\/\).*/{
+	  /^X\/\(\/\).*/{
 	    s//\1/
 	    q
 	  }
 	  s/.*/./; q'`
-      as_dir=$dirpart/$fdir; as_fn_mkdir_p
-      # echo "creating $dirpart/$file"
-      echo '# dummy' > "$dirpart/$file"
-    done
+    { echo "$as_me:$LINENO: cd "$am_dirpart" \
+      && sed -e '/# am--include-marker/d' "$am_filepart" \
+        | $MAKE -f - am--depfiles" >&5
+   (cd "$am_dirpart" \
+      && sed -e '/# am--include-marker/d' "$am_filepart" \
+        | $MAKE -f - am--depfiles) >&5 2>&5
+   ac_status=$?
+   echo "$as_me:$LINENO: \$? = $ac_status" >&5
+   (exit $ac_status); } || am_rc=$?
   done
+  if test $am_rc -ne 0; then
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "Something went wrong bootstrapping makefile fragments
+    for automatic dependency tracking.  Try re-running configure with the
+    '--disable-dependency-tracking' option to at least be able to build
+    the package (albeit without support for automatic dependency tracking).
+See \`config.log' for more details" "$LINENO" 5; }
+  fi
+  { am_dirpart=; unset am_dirpart;}
+  { am_filepart=; unset am_filepart;}
+  { am_mf=; unset am_mf;}
+  { am_rc=; unset am_rc;}
+  rm -f conftest-deps.mk
 }
  ;;
     "libtool":C)
@@ -19339,8 +19323,11 @@ echo ""
 echo "   * mod_gnutls version:	${MOD_GNUTLS_VERSION}"
 echo "   * Apache Modules directory:	${AP_LIBEXECDIR}"
 echo "   * GnuTLS Library version:	${LIBGNUTLS_VERSION}"
+echo "   * CFLAGS for GnuTLS:		${LIBGNUTLS_CFLAGS}"
+echo "   * LDFLAGS for GnuTLS:	${LIBGNUTLS_LIBS}"
 echo "   * SRP Authentication:	${use_srp}"
 echo "   * MSVA Client Verification:	${use_msva}"
+echo "   * Early SNI:			${early_sni}"
 echo "   * Build documentation:	${build_doc}"
 echo ""
 echo "---"
diff -pruN 0.8.2-3/configure.ac 0.9.0-1/configure.ac
--- 0.8.2-3/configure.ac	2017-01-08 13:57:48.000000000 +0000
+++ 0.9.0-1/configure.ac	2019-01-22 07:39:06.000000000 +0000
@@ -1,5 +1,4 @@
-dnl 
-AC_INIT(mod_gnutls, 0.8.2)
+AC_INIT(mod_gnutls, 0.9.0)
 OOO_CONFIG_NICE(config.nice)
 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
 AC_PREREQ(2.53)
@@ -25,12 +24,27 @@ AC_PROG_LIBTOOL
 
 AC_CONFIG_MACRO_DIR([m4])
 
-AP_VERSION=2.4.0
+AP_VERSION=2.4.17
 CHECK_APACHE(,$AP_VERSION,
     :,:,
     AC_MSG_ERROR([*** Apache version $AP_VERSION not found!])
 )
 
+dnl Maybe use the binaries for tests, too?
+AC_ARG_WITH([gnutls-dev],
+	AS_HELP_STRING([--with-gnutls-dev=DIR],
+		[Use GnuTLS libraries from a development (git) tree. Use \
+		this if you want to test mod_gnutls with the latest \
+		GnuTLS code.]),
+	[
+		AS_IF([test -d "${with_gnutls_dev}" ],
+		[
+			LIBGNUTLS_CFLAGS="-I${with_gnutls_dev}/lib/includes"
+			LIBGNUTLS_LIBS="-lgnutls -L${with_gnutls_dev}/lib/.libs -R${with_gnutls_dev}/lib/.libs"
+		],
+		[AC_MSG_ERROR([--with-gnutls-dev=DIR requires a directory!])])
+	], [])
+
 PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.3.0])
 
 LIBGNUTLS_VERSION=`pkg-config --modversion gnutls`
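Review bot: The `-R${with_gnutls_dev}/lib/.libs` entry in `LIBGNUTLS_LIBS` presumably records the development tree as a run-time library path in the built module, so an installed module built this way would load its TLS library from a build directory that an unprivileged user may be able to write to. The help string should say the option is for testing only, e.g. `[Use GnuTLS libraries from a development (git) tree, for testing only; do not install a module built this way.]`. Separately, `LIBGNUTLS_VERSION` is still taken from `pkg-config --modversion gnutls` right after the check, so the configure summary reports the installed library's version rather than the tree's. A comment on that line, such as `# NOTE: reports the pkg-config version even when --with-gnutls-dev is used`, would avoid confusion.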
@@ -52,10 +66,25 @@ AC_ARG_ENABLE(srp,
 # check if the available GnuTLS library supports SRP
 AC_SEARCH_LIBS([gnutls_srp_server_get_username], [gnutls], [], [use_srp="no"])
 
-SRP_CFLAGS=""
+GNUTLS_FEAT_CFLAGS=""
 if test "$use_srp" != "no"; then
-	SRP_CFLAGS="-DENABLE_SRP=1"
+	GNUTLS_FEAT_CFLAGS="-DENABLE_SRP=1"
+fi
+
+# check if the available GnuTLS library supports raw extension parsing
+AC_SEARCH_LIBS([gnutls_ext_raw_parse], [gnutls], [early_sni="yes"],
+	[early_sni="no"])
+if test "$early_sni" != "no"; then
+	ENABLE_EARLY_SNI=1
+	# This is for the test server configuration
+	EXPECT_EARLY_SNI="Define EXPECT_EARLY_SNI"
+else
+	ENABLE_EARLY_SNI=0
+	EXPECT_EARLY_SNI=""
 fi
+AC_SUBST(ENABLE_EARLY_SNI)
+AC_SUBST(EXPECT_EARLY_SNI)
+AM_SUBST_NOTMAKE(EXPECT_EARLY_SNI)
 
 AC_ARG_ENABLE(strict,
        AS_HELP_STRING([--disable-strict],
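Review bot: The `AC_SEARCH_LIBS([gnutls_ext_raw_parse], [gnutls], ...)` probe does not visibly use `LIBGNUTLS_CFLAGS` or `LIBGNUTLS_LIBS`, so unless `LIBS`/`LDFLAGS` are adjusted elsewhere it tests whatever `-lgnutls` the default linker path finds. With `--with-gnutls-dev` or a non-default pkg-config location, `ENABLE_EARLY_SNI` could then disagree with the library the module actually links against. The existing SRP probe just above has the same property. Consider saving `LIBS`, setting `LIBS="${LIBGNUTLS_LIBS} ${LIBS}"` around both probes and restoring it afterwards, or at least add a comment such as `# NOTE: probes the default -lgnutls, not LIBGNUTLS_LIBS`.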
@@ -64,7 +93,7 @@ AC_ARG_ENABLE(strict,
 
 STRICT_CFLAGS=""
 if test "$use_strict" != "no"; then
-        STRICT_CFLAGS="-Wall -Werror -Wextra"
+	STRICT_CFLAGS="-Wall -Werror -Wextra -Wno-error=deprecated-declarations"
 fi
 
 AC_MSG_CHECKING([whether to enable SRP functionality])
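Review bot: `-Wno-error=deprecated-declarations` is added to `STRICT_CFLAGS` without a comment saying why it is there or when it can be removed. The Debian patch deleted further down this diff describes the flag as a stopgap until OpenPGP support is removed from mod_gnutls, and the changelog entry for this version says OpenPGP support was dropped, so the exemption may no longer be needed. While it stays, calls to deprecated GnuTLS API only warn in strict builds instead of failing them. Add a comment above the assignment, for example `# deprecated-declarations is exempt from -Werror; re-check whether this is still needed`, or drop the flag if the build passes without it.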
@@ -83,8 +112,18 @@ AS_IF([test "${FLOCK}" != "no"],
 	lockfile="$(mktemp)"
 	AS_IF([${FLOCK} --timeout 1 ${lockfile} true >&AS_MESSAGE_LOG_FD 2>&1],
 	      [flock_works="yes"], [flock_works="no"])
-	rm "${lockfile}"
 	AC_MSG_RESULT([$flock_works])
+	# Old versions of flock do not support --verbose. They fail
+	# without executing the command but still return 0. Check for
+	# this behavior by testing if the rm command was executed.
+	AC_MSG_CHECKING([whether ${FLOCK} supports --verbose])
+	testfile="$(mktemp)"
+	AS_IF([${FLOCK} --verbose --timeout 1 ${lockfile} rm "${testfile}" \
+			>&AS_MESSAGE_LOG_FD 2>&1; test ! -e "${testfile}"],
+	      [flock_verbose="yes"; FLOCK="${FLOCK} --verbose"],
+	      [flock_verbose="no"; rm "${testfile}"])
+	AC_MSG_RESULT([$flock_verbose])
+	rm "${lockfile}"
       ],
       [flock_works="no"])
 # disable flock if requested by user or it doesn't support timeout
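Review bot: The `--verbose` probe takes a missing `${testfile}` as proof that flock ran `rm`, but if `mktemp` fails, `testfile` is empty and `test ! -e ""` succeeds, so `FLOCK` gets `--verbose` appended without the option having been tested. Guard the result with `test -n "${testfile}" && test ! -e "${testfile}"`. `${lockfile}` is also passed to flock unquoted in both probes, which breaks if the temporary directory path contains whitespace; write it as `"${lockfile}"`. The enclosing `AS_IF` begins before this hunk.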
@@ -117,18 +156,17 @@ AM_CONDITIONAL([ENABLE_OCSP_TEST], [test
 
 dnl Enable test namespaces? Default is "yes".
 AC_ARG_ENABLE(test-namespaces,
-	AS_HELP_STRING([--disable-test-namespaces], [Disable use of network \
-	namespaces to run tests in parallel (some architectures might not \
-	support it)]),
+	AS_HELP_STRING([--disable-test-namespaces], [Disable use of \
+	namespaces for tests (limits parallelization)]),
 	[use_netns=$enableval], [use_netns=yes])
 
-# Check if "unshare" is available and has permission to create network
-# and user namespaces
+# Check if "unshare" is available and has permission to create
+# network, IPC, and user namespaces
 AC_PATH_PROG([UNSHARE], [unshare], [no])
 AS_IF([test "${UNSHARE}" != "no"],
       [
-	AC_MSG_CHECKING([for permission to create network and user namespaces])
-	AS_IF([${UNSHARE} --net -r /bin/sh -c \
+	AC_MSG_CHECKING([for permission to use namespaces])
+	AS_IF([${UNSHARE} --net --ipc -r /bin/sh -c \
 		"ip link set up lo && ip addr show" >&AS_MESSAGE_LOG_FD 2>&1],
 	      [unshare_works="yes"], [unshare_works="no"])
 	AC_MSG_RESULT([$unshare_works])
@@ -142,11 +180,11 @@ AM_CONDITIONAL([ENABLE_NETNS], [test "$u
 # Adjust Apache configuration for tests accordingly: Use pthread mutex
 # and test specific PID files if using namespaces, defaults otherwise.
 AS_IF([test "$use_netns" = "yes"],
-      [MUTEX_TYPE="pthread"; PID_AFFIX="-\${TEST_NAME}"],
-      [MUTEX_TYPE="default"; PID_AFFIX=""])
-AC_SUBST(MUTEX_TYPE)
+      [MUTEX_CONF="Mutex pthread default"; PID_AFFIX="-\${TEST_NAME}"],
+      [MUTEX_CONF=""; PID_AFFIX=""])
+AC_SUBST(MUTEX_CONF)
 AC_SUBST(PID_AFFIX)
-AM_SUBST_NOTMAKE(MUTEX_TYPE)
+AM_SUBST_NOTMAKE(MUTEX_CONF)
 AM_SUBST_NOTMAKE(PID_AFFIX)
 
 AC_ARG_ENABLE(msva,
@@ -167,10 +205,6 @@ fi
 AC_MSG_CHECKING([whether to enable MSVA functionality])
 AC_MSG_RESULT($use_msva)
 
-have_apr_memcache=0
-CHECK_APR_MEMCACHE([have_apr_memcache=1], [have_apr_memcache=0])
-AC_SUBST(have_apr_memcache)
-
 # Building documentation requires pandoc, which in turn needs pdflatex
 # to build PDF output.
 build_doc=no
@@ -178,9 +212,9 @@ AC_PATH_PROG([PANDOC], [pandoc], [no])
 if test "$PANDOC" != "no"; then
 	AC_PATH_PROG([PDFLATEX], [pdflatex], [no])
 	if test "$PDFLATEX" != "no"; then
-		build_doc=yes
+		build_doc="html, manual page, pdf"
 	else
-		build_doc="html only"
+		build_doc="html, manual page"
 	fi
 else
 	AC_PATH_PROG([MARKDOWN], [markdown], [no])
@@ -203,8 +237,8 @@ fi
 
 AC_PATH_PROGS([HTTP_CLI], [curl wget], [no])
 
-MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${SRP_CFLAGS} ${MSVA_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES} ${STRICT_CFLAGS}"
-MODULE_LIBS="${APR_MEMCACHE_LIBS} ${LIBGNUTLS_LIBS}"
+MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${GNUTLS_FEAT_CFLAGS} ${MSVA_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES} ${STRICT_CFLAGS}"
+MODULE_LIBS="${LIBGNUTLS_LIBS}"
 
 AC_PATH_PROGS([SOFTHSM], [softhsm2-util softhsm], [no])
 if test "${SOFTHSM}" != "no"; then
@@ -231,7 +265,16 @@ AC_ARG_VAR([TEST_IP], [List of IP addres
 		      started by "make check". The default is \
 		      "[::1] 127.0.0.1". Note that IPv6 addresses must be \
 		      enclosed in square brackets.])
-AM_SUBST_NOTMAKE(TEST_IP)
+
+: ${TEST_LOCK_WAIT:="30"}
+: ${TEST_QUERY_TIMEOUT:="30"}
+AC_ARG_VAR([TEST_LOCK_WAIT], [Timeout in seconds to acquire locks for \
+			     Apache instances in the test suite, or the \
+			     previous instance to remove its PID file if \
+			     flock is not used. Default is 30.])
+AC_ARG_VAR([TEST_QUERY_TIMEOUT], [Timeout in seconds for HTTPS requests \
+				 sent using gnutls-cli in the test suite. \
+				 Default is 30.])
 
 dnl Allow user to set SoftHSM PKCS #11 module
 AC_ARG_VAR([SOFTHSM_LIB], [Absolute path of the SoftHSM PKCS @%:@11 module to \
@@ -246,7 +289,7 @@ Listen ${i}:\${TEST_PORT}"
 done
 # Available extra ports, tests can "Define" variables of the listed
 # names in their apache.conf to enable them.
-for j in TEST_HTTP_PORT OCSP_PORT; do
+for j in TEST_HTTP_PORT; do
 LISTEN_LIST="${LISTEN_LIST}
 <IfDefine ${j}>"
 for i in ${TEST_IP}; do
@@ -265,13 +308,14 @@ DX_HTML_FEATURE(ON)
 DX_MAN_FEATURE(OFF)
 DX_RTF_FEATURE(OFF)
 DX_XML_FEATURE(OFF)
-DX_PDF_FEATURE(ON)
+DX_PDF_FEATURE(OFF)
 DX_PS_FEATURE(OFF)
 DX_INIT_DOXYGEN([mod_gnutls], [doc/doxygen.conf], [doc/api])
 
 AC_CONFIG_FILES([Makefile src/Makefile test/Makefile test/tests/Makefile \
 			doc/Makefile doc/doxygen.conf include/mod_gnutls.h \
-			test/proxy_backend.conf \
+			test/proxy_backend.conf test/ocsp_server.conf \
+			test/apache-conf/early_sni.conf \
 			test/apache-conf/listen.conf \
 			test/apache-conf/netns.conf])
 AC_OUTPUT
@@ -282,8 +326,11 @@ echo ""
 echo "   * mod_gnutls version:	${MOD_GNUTLS_VERSION}"
 echo "   * Apache Modules directory:	${AP_LIBEXECDIR}"
 echo "   * GnuTLS Library version:	${LIBGNUTLS_VERSION}"
+echo "   * CFLAGS for GnuTLS:		${LIBGNUTLS_CFLAGS}"
+echo "   * LDFLAGS for GnuTLS:	${LIBGNUTLS_LIBS}"
 echo "   * SRP Authentication:	${use_srp}"
 echo "   * MSVA Client Verification:	${use_msva}"
+echo "   * Early SNI:			${early_sni}"
 echo "   * Build documentation:	${build_doc}"
 echo ""
 echo "---"
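Review bot: The new summary line labelled `LDFLAGS for GnuTLS` prints `${LIBGNUTLS_LIBS}`, which by the `--with-gnutls-dev` block holds `-l`, `-L` and `-R` entries rather than only linker flags. Anyone comparing the summary with the build variables will look for an `LDFLAGS` variable that does not exist under that name. Relabel the line to match the variable, e.g. `LIBS for GnuTLS`.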
diff -pruN 0.8.2-3/debian/changelog 0.9.0-1/debian/changelog
--- 0.8.2-3/debian/changelog	2017-03-12 11:37:18.000000000 +0000
+++ 0.9.0-1/debian/changelog	2019-02-08 21:27:06.000000000 +0000
@@ -1,3 +1,46 @@
+mod-gnutls (0.9.0-1) unstable; urgency=medium
+
+  [ Fiona Klute ]
+  * New upstream version
+    - drops OpenPGP support (Closes: #917584)
+    - background OCSP stapling
+  * Drop 0001-Fix-test-16-view-status-by-changing-priority-string.patch
+  * Update Standards-Version and Description fields
+  * Disable building PDF documentation (Closes: #917582)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 08 Feb 2019 16:27:06 -0500
+
+mod-gnutls (0.8.4-2) unstable; urgency=medium
+
+  [ Sunil Mohan Adapa ]
+  * Avoid deprecated ciphersuites in test suite (Closes: #907008)
+
+  [ Daniel Kahn Gillmor ]
+  * Standards-Version: bump to 4.2.1 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 21 Sep 2018 09:42:29 -0400
+
+mod-gnutls (0.8.4-1) unstable; urgency=medium
+
+  [ Daniel Kahn Gillmor ]
+  * New upstream signing key.
+  * moving to PEP-14 branch naming
+
+  [ Thomas Klute ]
+  * Remove all patches, they have been included in 0.8.3
+  * Fix lintian warning priority-extra-is-replaced-by-priority-optional
+
+  [ Daniel Kahn Gillmor ]
+  * Standards-Version: bump to 4.1.4 (no changes needed)
+  * move to debhelper 11
+  * Rules-Requires-Root: no
+  * fixup dh 11 transition
+  * d/changelog: strip trailing whitespace
+  * d/copyright: update URLs, authorship information
+  * ship NOTICE file as required by Apache 2.0 license
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 16 Apr 2018 18:00:55 -0700
+
 mod-gnutls (0.8.2-3) unstable; urgency=medium
 
   [ Thomas Klute ]
@@ -48,7 +91,7 @@ mod-gnutls (0.7.5-2) unstable; urgency=m
 
 mod-gnutls (0.7.5-1) unstable; urgency=medium
 
-  * new upstream release (Closes: #825654) 
+  * new upstream release (Closes: #825654)
   * drop patches already applied upstream.
 
  -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 31 May 2016 14:10:44 -0400
@@ -122,7 +165,7 @@ mod-gnutls (0.6-1.4) unstable; urgency=l
 mod-gnutls (0.6-1.3) unstable; urgency=medium
 
   * Non-maintainer upload.
-  * Fix "GnuTLSClientVerify require is ignored", check server wide 
+  * Fix "GnuTLSClientVerify require is ignored", check server wide
     GnuTLSClientVerify if not set for directory (Closes: #578663)
 
  -- Thomas Klute <thomas2.klute@uni-dortmund.de>  Fri, 20 Feb 2015 19:01:54 +0100
diff -pruN 0.8.2-3/debian/compat 0.9.0-1/debian/compat
--- 0.8.2-3/debian/compat	2017-01-02 21:57:59.000000000 +0000
+++ 0.9.0-1/debian/compat	2018-04-17 00:46:23.000000000 +0000
@@ -1 +1 @@
-10
+11
diff -pruN 0.8.2-3/debian/control 0.9.0-1/debian/control
--- 0.8.2-3/debian/control	2017-03-12 11:37:18.000000000 +0000
+++ 0.9.0-1/debian/control	2019-02-08 21:25:17.000000000 +0000
@@ -1,14 +1,13 @@
 Source: mod-gnutls
 Section: httpd
-Priority: extra
+Priority: optional
 Maintainer: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
 Build-Depends:
  apache2-bin <!nocheck>,
  apache2-dev,
  curl <!nocheck> | wget <!nocheck>,
- debhelper (>= 10~),
+ debhelper (>= 11~),
  dh-apache2,
- dh-autoreconf,
  dpkg-dev (>= 1.17.14),
  gnutls-bin <!nocheck>,
  libapr1-dev,
@@ -23,20 +22,21 @@ Build-Depends:
  pkg-config,
  procps <!nocheck>,
  softhsm2 <!nocheck> | softhsm <!nocheck>,
-Standards-Version: 3.9.8
+Standards-Version: 4.3.0
 Homepage: https://mod.gnutls.org/
-Vcs-Git: https://mod.gnutls.org/git/mod_gnutls -b debian
+Vcs-Git: https://mod.gnutls.org/git/mod_gnutls -b debian/master
 Vcs-Browser: https://mod.gnutls.org/browser/mod_gnutls
+Rules-Requires-Root: no
 
 Package: libapache2-mod-gnutls
 Architecture: any
 Depends:
  ${misc:Depends},
  ${shlibs:Depends},
-Description: Apache module for SSL and TLS encryption with GnuTLS
+Description: Apache module for TLS encryption with GnuTLS
  mod_gnutls provides TLS encryption using the GnuTLS library. It's
  similar in purpose to mod_ssl, but doesn't use OpenSSL, and provides
  some additional features:
+  * Background OCSP stapling,
   * PKCS #11 access to server keys and certificates,
-  * OpenPGP authentication, and
   * using Monkeysphere for client certificate validation.
diff -pruN 0.8.2-3/debian/copyright 0.9.0-1/debian/copyright
--- 0.8.2-3/debian/copyright	2017-01-02 21:57:59.000000000 +0000
+++ 0.9.0-1/debian/copyright	2018-04-17 01:00:43.000000000 +0000
@@ -1,14 +1,18 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: mod_gnutls
-Source: http://www.outoforder.cc/projects/apache/mod_gnutls/
+Source: https://mod.gnutls.org/
 
 Files: *
 Copyright: 2004-2005 Paul Querna <chip@force-elite.com>
            2007, 2008 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+           2013-2015 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+           2015-2018 Thomas Klute <thomas2.klute@uni-dortmund.de>
+           2018 Fiona Klute <fiona.klute@gmx.de>
 License: Apache-2.0
 
 Files: debian/*
 Copyright: 2007 Jack Bates <ms419@freezone.co.uk>
+ 2013-2018 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
 License: Apache-2.0
 
 License: Apache-2.0
diff -pruN 0.8.2-3/debian/gbp.conf 0.9.0-1/debian/gbp.conf
--- 0.8.2-3/debian/gbp.conf	2017-01-02 21:57:59.000000000 +0000
+++ 0.9.0-1/debian/gbp.conf	2018-09-21 13:39:14.000000000 +0000
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian
+debian-branch = debian/master
 upstream-vcs-tag = mod_gnutls/%(version)s
 
 [buildpackage]
diff -pruN 0.8.2-3/debian/libapache2-mod-gnutls.docs 0.9.0-1/debian/libapache2-mod-gnutls.docs
--- 0.8.2-3/debian/libapache2-mod-gnutls.docs	2017-01-02 21:57:59.000000000 +0000
+++ 0.9.0-1/debian/libapache2-mod-gnutls.docs	2018-04-17 01:00:43.000000000 +0000
@@ -1,2 +1,3 @@
+NOTICE
 README
 doc/mod_gnutls_manual.html
diff -pruN 0.8.2-3/debian/patches/0001-Never-build-PDF-documentation.patch 0.9.0-1/debian/patches/0001-Never-build-PDF-documentation.patch
--- 0.8.2-3/debian/patches/0001-Never-build-PDF-documentation.patch	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/debian/patches/0001-Never-build-PDF-documentation.patch	2019-02-08 21:25:17.000000000 +0000
@@ -0,0 +1,23 @@
+From: Fiona Klute <fiona.klute@gmx.de>
+Date: Wed, 30 Jan 2019 08:33:30 +0100
+Subject: Never build PDF documentation
+
+It's not installed anyway, and breaks the build if pdflatex is
+available but fonts used by pandoc are missing.
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 48febcf..4082777 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -210,7 +210,7 @@ AC_MSG_RESULT($use_msva)
+ build_doc=no
+ AC_PATH_PROG([PANDOC], [pandoc], [no])
+ if test "$PANDOC" != "no"; then
+-	AC_PATH_PROG([PDFLATEX], [pdflatex], [no])
++	PDFLATEX="no"
+ 	if test "$PDFLATEX" != "no"; then
+ 		build_doc="html, manual page, pdf"
+ 	else
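Review bot: Replacing the `AC_PATH_PROG([PDFLATEX], ...)` call with `PDFLATEX="no"` leaves the following `if test "$PDFLATEX" != "no"` branch unreachable, and nothing in configure.ac says why. It also drops the substitution that `AC_PATH_PROG` performs for `PDFLATEX`, so any Makefile that references the variable (none visible here) would find it unset. Keeping the probe and overriding its result is less surprising: leave the `AC_PATH_PROG` line in place and add `PDFLATEX="no"  # Debian: never build PDF docs (#917582)` after it. The surrounding `if` block continues past the end of the hunk.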
diff -pruN 0.8.2-3/debian/patches/0001-Test-suite-Do-not-continue-test-case-if-Apache-insta.patch 0.9.0-1/debian/patches/0001-Test-suite-Do-not-continue-test-case-if-Apache-insta.patch
--- 0.8.2-3/debian/patches/0001-Test-suite-Do-not-continue-test-case-if-Apache-insta.patch	2017-03-12 11:35:37.000000000 +0000
+++ 0.9.0-1/debian/patches/0001-Test-suite-Do-not-continue-test-case-if-Apache-insta.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,49 +0,0 @@
-From: Thomas Klute <thomas2.klute@uni-dortmund.de>
-Date: Sun, 22 Jan 2017 18:45:57 +0100
-Subject: Test suite: Do not continue test case if Apache instance fails to
- start
-
-On systems where namespaces aren't available, test cases in which
-Apache HTTPD is expected not to start would sometimes fail when
-running in parallel. The reason was a possible timing issue, where an
-Apache instance for another test case might start before gnutls-cli is
-run, and the TLS connection would unexpectedly succeed by connecting
-to it.
-
-Not attempting the TLS connection if HTTPD failed avoids this problem,
-and also (slightly) speeds up tests.
-
-(cherry picked from commit d39ea185bc141f880f49a68d77c1413c88fc7120)
----
- test/runtests | 18 ++++++++++--------
- 1 file changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/test/runtests b/test/runtests
-index a253686..d530bf8 100755
---- a/test/runtests
-+++ b/test/runtests
-@@ -178,14 +178,16 @@ fi
- printf "TESTING: %s%s\n" "$TEST_NAME" "$EXPECTED_FAILURE"
- trap apache_down_err EXIT
- if [ -n "${USE_MSVA}" ]; then
--    MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" \
--					${flock_cmd} \
--					${APACHE2} -f "${t}/apache.conf" -k start \
--	|| [ -e "${t}/fail.server" ]
--else
--    ${flock_cmd} \
--	${APACHE2} -f "${t}/apache.conf" -k start \
--	|| [ -e "${t}/fail.server" ]
-+    export MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT"
-+fi
-+if ! ${flock_cmd} ${APACHE2} -f "${t}/apache.conf" -k start; then
-+    if [ -e "${t}/fail.server" ]; then
-+	echo "Apache HTTPD failed to start as expected."
-+	exit 0
-+    else
-+	echo "Apache HTTPD unexpectedly failed to start."
-+	exit 1
-+    fi
- fi
- 
- # check OCSP server
diff -pruN 0.8.2-3/debian/patches/0002-Test-suite-Run-flock-with-verbose-to-log-timeouts.patch 0.9.0-1/debian/patches/0002-Test-suite-Run-flock-with-verbose-to-log-timeouts.patch
--- 0.8.2-3/debian/patches/0002-Test-suite-Run-flock-with-verbose-to-log-timeouts.patch	2017-03-12 11:35:37.000000000 +0000
+++ 0.9.0-1/debian/patches/0002-Test-suite-Run-flock-with-verbose-to-log-timeouts.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,35 +0,0 @@
-From: Thomas Klute <thomas2.klute@uni-dortmund.de>
-Date: Mon, 6 Feb 2017 15:49:50 +0100
-Subject: Test suite: Run flock with "--verbose" to log timeouts
-
----
- test/proxy_backend.bash | 2 +-
- test/runtests           | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/test/proxy_backend.bash b/test/proxy_backend.bash
-index c2d8507..5b1bafe 100644
---- a/test/proxy_backend.bash
-+++ b/test/proxy_backend.bash
-@@ -37,7 +37,7 @@ function backend_apache
- 			 "locking."
- 		    flock_cmd=""
- 		elif [ -n "${lockfile}" ]; then
--		    flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} ${lockfile}"
-+		    flock_cmd="${FLOCK} --verbose -w ${TEST_LOCK_WAIT} ${lockfile}"
- 		else
- 		    echo "Locking disabled, using wait based on proxy PID file."
- 		    wait_pid_gone "${BACKEND_PID}"
-diff --git a/test/runtests b/test/runtests
-index d530bf8..0020fb4 100755
---- a/test/runtests
-+++ b/test/runtests
-@@ -157,7 +157,7 @@ if [ -n "${USE_TEST_NAMESPACE}" ]; then
-     echo "Using namespaces to isolate tests, no need for locking."
-     flock_cmd=""
- elif [ -n "${TEST_LOCK}" ]; then
--    flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"
-+    flock_cmd="${FLOCK} --verbose -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"
- else
-     echo "Locking disabled, using wait based on Apache PID file."
-     wait_pid_gone "${TEST_PID}"
diff -pruN 0.8.2-3/debian/patches/0003-Test-suite-Log-if-a-process-to-be-stopped-by-PID-fil.patch 0.9.0-1/debian/patches/0003-Test-suite-Log-if-a-process-to-be-stopped-by-PID-fil.patch
--- 0.8.2-3/debian/patches/0003-Test-suite-Log-if-a-process-to-be-stopped-by-PID-fil.patch	2017-03-12 11:35:37.000000000 +0000
+++ 0.9.0-1/debian/patches/0003-Test-suite-Log-if-a-process-to-be-stopped-by-PID-fil.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,27 +0,0 @@
-From: Thomas Klute <thomas2.klute@uni-dortmund.de>
-Date: Mon, 6 Feb 2017 17:11:47 +0100
-Subject: Test suite: Log if a process to be stopped by PID file is not running
-
-The runtests script calls "sleep ${TEST_QUERY_DELAY}" to keep the
-input pipeline for gnutls-cli open, effectively creating a timeout of
-TEST_QUERY_DELAY seconds for the HTTPS request. Normally the sleep
-process is killed after the request completes to avoid stalling the
-test suite. The sleep process no longer running at that point
-indicates that the request timed out.
----
- test/runtests | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/test/runtests b/test/runtests
-index 0020fb4..9e98b8d 100755
---- a/test/runtests
-+++ b/test/runtests
-@@ -88,6 +88,8 @@ function kill_by_pidfile()
- 	local pid=$(cat "${pidfile}")
- 	if [ -n "${pid}" ] && ps -p "${pid}"; then
- 	    kill "${pid}"
-+	else
-+	    echo "No running process with PID ${pid} (${pidfile})."
- 	fi
- 	rm "${pidfile}"
-     fi
diff -pruN 0.8.2-3/debian/patches/0004-Test-suite-Make-timeouts-for-server-locks-and-HTTPS-.patch 0.9.0-1/debian/patches/0004-Test-suite-Make-timeouts-for-server-locks-and-HTTPS-.patch
--- 0.8.2-3/debian/patches/0004-Test-suite-Make-timeouts-for-server-locks-and-HTTPS-.patch	2017-03-12 11:35:37.000000000 +0000
+++ 0.9.0-1/debian/patches/0004-Test-suite-Make-timeouts-for-server-locks-and-HTTPS-.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,107 +0,0 @@
-From: Thomas Klute <thomas2.klute@uni-dortmund.de>
-Date: Mon, 6 Feb 2017 18:05:25 +0100
-Subject: Test suite: Make timeouts for server locks and HTTPS requests
- configurable
-
-If TEST_LOCK_WAIT or TEST_QUERY_TIMEOUT are provided at configure
-time, their values are stored and used instead of the default.
----
- configure.ac     | 10 ++++++++++
- test/Makefile.am |  9 ++-------
- test/README      |  4 ++--
- test/runtests    |  4 ++--
- 4 files changed, 16 insertions(+), 11 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index e9c455e..0577435 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -233,6 +233,16 @@ AC_ARG_VAR([TEST_IP], [List of IP addresses to use for server instances \
- 		      enclosed in square brackets.])
- AM_SUBST_NOTMAKE(TEST_IP)
- 
-+: ${TEST_LOCK_WAIT:="30"}
-+: ${TEST_QUERY_TIMEOUT:="30"}
-+AC_ARG_VAR([TEST_LOCK_WAIT], [Timeout in seconds to acquire locks for \
-+			     Apache instances in the test suite, or the \
-+			     previous instance to remove its PID file if \
-+			     flock is not used. Default is 30.])
-+AC_ARG_VAR([TEST_QUERY_TIMEOUT], [Timeout in seconds for HTTPS requests \
-+				 sent using gnutls-cli in the test suite. \
-+				 Default is 30.])
-+
- dnl Allow user to set SoftHSM PKCS #11 module
- AC_ARG_VAR([SOFTHSM_LIB], [Absolute path of the SoftHSM PKCS @%:@11 module to \
- 			  use. By default the test suite will search common \
-diff --git a/test/Makefile.am b/test/Makefile.am
-index affe15c..9fa9c84 100644
---- a/test/Makefile.am
-+++ b/test/Makefile.am
-@@ -198,9 +198,6 @@ EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=.uid.in) \
- test_lockfile = ./test.lock
- # Lockfile for the proxy backend Apache process (if any)
- backend_lockfile = ./backend.lock
--# Maximum wait time in seconds for flock to aquire instance lock
--# files, or Apache to remove its PID file
--lock_wait = 30
- 
- # port for the main Apache server
- TEST_PORT ?= 9932
-@@ -214,18 +211,16 @@ endif
- TEST_MSVA_MAX_WAIT ?= 10000
- # wait loop time for MSVA startup (milliseconds)
- TEST_MSVA_WAIT ?= 400
--# seconds for the HTTP request to be sent and responded to
--TEST_QUERY_DELAY ?= 30
- 
- AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \
- 	export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \
--	export TEST_LOCK_WAIT="$(lock_wait)"; \
-+	export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \
- 	export TEST_HOST="@TEST_HOST@"; \
- 	export TEST_PORT="$(TEST_PORT)"; \
- 	export MSVA_PORT="$(MSVA_PORT)"; \
- 	export TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \
- 	export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
--	export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
-+	export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \
- 	export BACKEND_HOST="@TEST_HOST@"; \
- 	export HTTP_CLI="@HTTP_CLI@";
- 
-diff --git a/test/README b/test/README
-index c49b7db..b377125 100644
---- a/test/README
-+++ b/test/README
-@@ -129,8 +129,8 @@ on your expected setup (along with the variables that can be passed to
- 
-  * If a machine is particularly slow or under heavy load, it's
-    possible that these tests will fail for timing
--   reasons. [TEST_QUERY_DELAY (seconds for the HTTP request to be sent
--   and responded to)]
-+   reasons. [TEST_QUERY_TIMEOUT (timeout for the HTTPS request in
-+   seconds)]
- 
- The first two of these issues are avoided when the tests are isolated
- using network namespaces, which is the default (see "Implementation"
-diff --git a/test/runtests b/test/runtests
-index 9e98b8d..718b27f 100755
---- a/test/runtests
-+++ b/test/runtests
-@@ -18,7 +18,7 @@ else
- fi
- 
- BADVARS=0
--for v in APACHE2 TEST_HOST TEST_PORT TEST_QUERY_DELAY TEST_MSVA_WAIT \
-+for v in APACHE2 TEST_HOST TEST_PORT TEST_QUERY_TIMEOUT TEST_MSVA_WAIT \
- 		 MSVA_PORT; do
-     if [ ! -v "$v" ]; then
-         printf "You need to set the %s environment variable\n" "$v" >&2
-@@ -216,7 +216,7 @@ sleep_pidfile="$(mktemp mod_gnutls_test-XXXXXX.pid)"
- # end with CRLF as required by RFC 7230, Section 3.1.1 regardless of
- # the line ends in the input file.
- if (sed -r "s/__HOSTNAME__/${TEST_HOST}/;s/\r?$/\r/" <${t}/input && \
--	   run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_DELAY}" &) | \
-+	   run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_TIMEOUT}" &) | \
-        gnutls-cli -p "${TEST_PORT}" $(cat ${t}/gnutls-cli.args) "${TEST_HOST}" \
-        | tee "$output" && test "${PIPESTATUS[1]}" -eq 0;
- then
diff -pruN 0.8.2-3/debian/patches/0005-Check-if-flock-supports-verbose.patch 0.9.0-1/debian/patches/0005-Check-if-flock-supports-verbose.patch
--- 0.8.2-3/debian/patches/0005-Check-if-flock-supports-verbose.patch	2017-03-12 11:35:37.000000000 +0000
+++ 0.9.0-1/debian/patches/0005-Check-if-flock-supports-verbose.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-From: Thomas Klute <thomas2.klute@uni-dortmund.de>
-Date: Wed, 8 Feb 2017 13:27:17 +0100
-Subject: Check if flock supports --verbose
-
-Some old versions of flock do not support the --verbose option, namely
-the one in Debian Jessie. Check for support at configure time and
-enable the option only if available.
----
- configure.ac            | 12 +++++++++++-
- test/proxy_backend.bash |  2 +-
- test/runtests           |  2 +-
- 3 files changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 0577435..425f2b8 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -83,8 +83,18 @@ AS_IF([test "${FLOCK}" != "no"],
- 	lockfile="$(mktemp)"
- 	AS_IF([${FLOCK} --timeout 1 ${lockfile} true >&AS_MESSAGE_LOG_FD 2>&1],
- 	      [flock_works="yes"], [flock_works="no"])
--	rm "${lockfile}"
- 	AC_MSG_RESULT([$flock_works])
-+	# Old versions of flock do not support --verbose. They fail
-+	# without executing the command but still return 0. Check for
-+	# this behavior by testing if the rm command was executed.
-+	AC_MSG_CHECKING([whether ${FLOCK} supports --verbose])
-+	testfile="$(mktemp)"
-+	AS_IF([${FLOCK} --verbose --timeout 1 ${lockfile} rm "${testfile}" \
-+			>&AS_MESSAGE_LOG_FD 2>&1; test ! -e "${testfile}"],
-+	      [flock_verbose="yes"; FLOCK="${FLOCK} --verbose"],
-+	      [flock_verbose="no"; rm "${testfile}"])
-+	AC_MSG_RESULT([$flock_verbose])
-+	rm "${lockfile}"
-       ],
-       [flock_works="no"])
- # disable flock if requested by user or it doesn't support timeout
-diff --git a/test/proxy_backend.bash b/test/proxy_backend.bash
-index 5b1bafe..c2d8507 100644
---- a/test/proxy_backend.bash
-+++ b/test/proxy_backend.bash
-@@ -37,7 +37,7 @@ function backend_apache
- 			 "locking."
- 		    flock_cmd=""
- 		elif [ -n "${lockfile}" ]; then
--		    flock_cmd="${FLOCK} --verbose -w ${TEST_LOCK_WAIT} ${lockfile}"
-+		    flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} ${lockfile}"
- 		else
- 		    echo "Locking disabled, using wait based on proxy PID file."
- 		    wait_pid_gone "${BACKEND_PID}"
-diff --git a/test/runtests b/test/runtests
-index 718b27f..c1ff135 100755
---- a/test/runtests
-+++ b/test/runtests
-@@ -159,7 +159,7 @@ if [ -n "${USE_TEST_NAMESPACE}" ]; then
-     echo "Using namespaces to isolate tests, no need for locking."
-     flock_cmd=""
- elif [ -n "${TEST_LOCK}" ]; then
--    flock_cmd="${FLOCK} --verbose -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"
-+    flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"
- else
-     echo "Locking disabled, using wait based on Apache PID file."
-     wait_pid_gone "${TEST_PID}"
diff -pruN 0.8.2-3/debian/patches/0006-Test-suite-Do-not-explicitly-set-the-mutex-type-to-d.patch 0.9.0-1/debian/patches/0006-Test-suite-Do-not-explicitly-set-the-mutex-type-to-d.patch
--- 0.8.2-3/debian/patches/0006-Test-suite-Do-not-explicitly-set-the-mutex-type-to-d.patch	2017-03-12 11:35:37.000000000 +0000
+++ 0.9.0-1/debian/patches/0006-Test-suite-Do-not-explicitly-set-the-mutex-type-to-d.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,49 +0,0 @@
-From: Thomas Klute <thomas2.klute@uni-dortmund.de>
-Date: Sun, 12 Feb 2017 13:24:54 +0100
-Subject: Test suite: Do not explicitly set the mutex type to "default"
-
-The setting can cause trouble when the mutex type "default" is file
-based and its definition includes a path that the build process cannot
-write to. This problem caused the Debian build to fail on hurd-i386,
-where "default" resolved to "file:/var/run/apache2/" according to the
-build log.
-
-According to the HTTPD documentation a run-time file directory
-relative to ServerRoot is used absent an explicit setting, and the
-ServerRoot defined in test/base_apache.conf must be writable for the
-test suite anyway.
----
- configure.ac                   | 8 ++++----
- test/apache-conf/netns.conf.in | 2 +-
- 2 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 425f2b8..cc3e8ae 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -152,11 +152,11 @@ AM_CONDITIONAL([ENABLE_NETNS], [test "$use_netns" != "no"])
- # Adjust Apache configuration for tests accordingly: Use pthread mutex
- # and test specific PID files if using namespaces, defaults otherwise.
- AS_IF([test "$use_netns" = "yes"],
--      [MUTEX_TYPE="pthread"; PID_AFFIX="-\${TEST_NAME}"],
--      [MUTEX_TYPE="default"; PID_AFFIX=""])
--AC_SUBST(MUTEX_TYPE)
-+      [MUTEX_CONF="Mutex pthread default"; PID_AFFIX="-\${TEST_NAME}"],
-+      [MUTEX_CONF=""; PID_AFFIX=""])
-+AC_SUBST(MUTEX_CONF)
- AC_SUBST(PID_AFFIX)
--AM_SUBST_NOTMAKE(MUTEX_TYPE)
-+AM_SUBST_NOTMAKE(MUTEX_CONF)
- AM_SUBST_NOTMAKE(PID_AFFIX)
- 
- AC_ARG_ENABLE(msva,
-diff --git a/test/apache-conf/netns.conf.in b/test/apache-conf/netns.conf.in
-index 2439337..005d48f 100644
---- a/test/apache-conf/netns.conf.in
-+++ b/test/apache-conf/netns.conf.in
-@@ -1,4 +1,4 @@
- # This file contains options that are different depending on whether
- # tests use namespaces or not.
--Mutex	@MUTEX_TYPE@	default
-+@MUTEX_CONF@
- PidFile	apache2@PID_AFFIX@.pid
diff -pruN 0.8.2-3/debian/patches/0007-Do-not-treat-warnings-about-deprecated-declarations-.patch 0.9.0-1/debian/patches/0007-Do-not-treat-warnings-about-deprecated-declarations-.patch
--- 0.8.2-3/debian/patches/0007-Do-not-treat-warnings-about-deprecated-declarations-.patch	2017-03-12 11:35:37.000000000 +0000
+++ 0.9.0-1/debian/patches/0007-Do-not-treat-warnings-about-deprecated-declarations-.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,25 +0,0 @@
-From: Thomas Klute <thomas2.klute@uni-dortmund.de>
-Date: Sun, 19 Feb 2017 18:57:56 +0100
-Subject: Do not treat warnings about deprecated declarations as errors
-
-GnuTLS has declared OpenPGP support as deprecated in version
-3.5.9. Treating deprecation warnings as errors causes the build to
-fail with this version, so exempt them from "-Werror" until OpenPGP
-support is removed from mod_gnutls.
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index cc3e8ae..3335773 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -64,7 +64,7 @@ AC_ARG_ENABLE(strict,
- 
- STRICT_CFLAGS=""
- if test "$use_strict" != "no"; then
--        STRICT_CFLAGS="-Wall -Werror -Wextra"
-+	STRICT_CFLAGS="-Wall -Werror -Wextra -Wno-error=deprecated-declarations"
- fi
- 
- AC_MSG_CHECKING([whether to enable SRP functionality])
diff -pruN 0.8.2-3/debian/patches/0008-Wait-for-OCSP-server-to-become-available.patch 0.9.0-1/debian/patches/0008-Wait-for-OCSP-server-to-become-available.patch
--- 0.8.2-3/debian/patches/0008-Wait-for-OCSP-server-to-become-available.patch	2017-03-12 11:35:37.000000000 +0000
+++ 0.9.0-1/debian/patches/0008-Wait-for-OCSP-server-to-become-available.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,26 +0,0 @@
-From: Thomas Klute <thomas2.klute@uni-dortmund.de>
-Date: Tue, 28 Feb 2017 21:01:17 +0100
-Subject: Wait for OCSP server to become available
-
----
- test/runtests | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/test/runtests b/test/runtests
-index c1ff135..e7b10ed 100755
---- a/test/runtests
-+++ b/test/runtests
-@@ -198,7 +198,12 @@ if [ -n "${CHECK_OCSP_SERVER}" ]; then
- 	store_ocsp="--outfile ${OCSP_RESPONSE_FILE}"
-     fi
-     echo "---- Testing OCSP server ----"
--    ocsptool --ask --nonce --load-issuer authority/x509.pem --load-cert server/x509.pem ${store_ocsp}
-+    waited=0
-+    until ocsptool --ask --nonce --load-issuer authority/x509.pem --load-cert server/x509.pem ${store_ocsp} \
-+	    || [ ${waited} -ge 20 ]; do
-+	sleep 1
-+	waited=$((${waited} + 1))
-+    done
-     echo "---- OCSP test done ----"
- fi
- 
diff -pruN 0.8.2-3/debian/patches/series 0.9.0-1/debian/patches/series
--- 0.8.2-3/debian/patches/series	2017-03-12 11:35:37.000000000 +0000
+++ 0.9.0-1/debian/patches/series	2019-02-08 21:25:17.000000000 +0000
@@ -1,8 +1 @@
-0001-Test-suite-Do-not-continue-test-case-if-Apache-insta.patch
-0002-Test-suite-Run-flock-with-verbose-to-log-timeouts.patch
-0003-Test-suite-Log-if-a-process-to-be-stopped-by-PID-fil.patch
-0004-Test-suite-Make-timeouts-for-server-locks-and-HTTPS-.patch
-0005-Check-if-flock-supports-verbose.patch
-0006-Test-suite-Do-not-explicitly-set-the-mutex-type-to-d.patch
-0007-Do-not-treat-warnings-about-deprecated-declarations-.patch
-0008-Wait-for-OCSP-server-to-become-available.patch
+0001-Never-build-PDF-documentation.patch
diff -pruN 0.8.2-3/debian/rules 0.9.0-1/debian/rules
--- 0.8.2-3/debian/rules	2017-03-12 11:35:24.000000000 +0000
+++ 0.9.0-1/debian/rules	2018-04-17 01:00:43.000000000 +0000
@@ -3,7 +3,7 @@
 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 
 %:
-	dh $@ --with apache2,autoreconf
+	dh $@ --with apache2
 
 override_dh_auto_configure:
 	if [ "$(DEB_HOST_ARCH_OS)" = "linux" ]; then \
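Review bot: Dropping `autoreconf` from the `dh $@ --with` line makes regeneration of the build system depend on the debhelper compat level, which this hunk does not show. At compat 10 or later dh_autoreconf runs by default and the change is a no-op cleanup. Below that, the package would build from the shipped `aclocal.m4` and `Makefile.in` files, and the new `0001-Never-build-PDF-documentation.patch` would presumably not take effect if it only touches `Makefile.am` or `configure.ac`. A comment above the rule, `# autoreconf is implied by debhelper compat >= 10`, would make the dependency explicit. The `override_dh_auto_configure` recipe continues outside the hunk.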
diff -pruN 0.8.2-3/debian/upstream/signing-key.asc 0.9.0-1/debian/upstream/signing-key.asc
--- 0.8.2-3/debian/upstream/signing-key.asc	2017-01-02 21:57:59.000000000 +0000
+++ 0.9.0-1/debian/upstream/signing-key.asc	2018-04-17 00:39:18.000000000 +0000
@@ -1,52 +1,51 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v2
 
-mQINBFKUfmkBEADFfWwqw+gcGu3h5vdM0wAUQrd+GDjV5XC+5HicuRn2ZnOlUc0E
-4LBs/WCTLMTYosayOiUMp9NjOlydzS31X8bhL44I54hH29jYHbeACE6W2nVmb/kd
-WWDc2u5+8ariK2m9dtpYQf8rEAfwPFLsOVfGvmNpIfc8tgbizLOmJsmdFPE50RjC
-mfQTw72tH/b3napUw/n5T+8plkL9dFl7YD93QIUDIXH7mRSJEbKbMP2Xn+uAs5+M
-nAI+VkIF2QR8JueM5vQME0RlZBtUmqNS2R0D9CDBjhYv4CeTtIGnWZw6O+grpxhw
-dca5MhcdEXQVhXc/deVj5U5g+pMrvIjN43fwNH8RmrvrXDo4RHlXI8nSCeKkGpJp
-kVD/x0clPh8lvfMSMI8Z0IRj70F3VzxmZqtcblPhrSCvaRxCF0IJSvLZaIPY7lmA
-GGSEjFt31sE1qU9372Hwm2eWVgHmT7SCFn81PWSfJARgVzAlA/P0iSwu+wINCtMP
-UspQ/BudUI3f3AL6KiRAzO3PbWPJdCEiwiHIBwiolvA9BshkG12LvimoxK2wr8PP
-GdkQfZ6AT09lDPFRgJpzYtrVphJBYy1H2aY3Zd/j3QPMo68ffZDMJLShy76/6LnU
-+h5kOmt3vb3y31ZdkLljKi8eqqWYRx0bJ8xi+RR6TJEI2dHngiYzEjHRIwARAQAB
-tCxUaG9tYXMgS2x1dGUgPHRob21hczIua2x1dGVAdW5pLWRvcnRtdW5kLmRlPokC
-PgQTAQgAKAIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlTnGmIFCQYVAvkA
-CgkQYUWcUod2jFMixA//eExA1Z+7kE9Aa+ghivwOaKzVzki/BUwzpxggSrdSeuWJ
-WK3i8y2UpL4ZvAYmPfTFtfG0DsSEU1B2AgsCJLmockSd2yYlGloDk+osyEJ/8H2R
-kedfEKKBbczdl/J/buKKO3Zsv15PtVvpR8Zddo+jRwkkcH669he+ztzHB3x8dSKF
-e3TxkSliWhww5EKL3LaE271B52y7uYJB7FZV7f/4voOo3TPWSpfGKdf2Jg3wMD80
-3CwElx9qAR8p4MYRt76QFjHDw7rCdGoLqz7Iddd0omC2zi6mHfg0uNT6vcGLbZDB
-jmBaj2nZHe0z9G32Jc6mrykbj742u928sHg/L/HfLn2z/Hxg8ZgTn5jfskkhxuay
-Xo20OKCSTMNuH/fF9C02pccxMClOSWr3OXa2HY0MZy3hXIe2afGQJtpfrfIr6nCm
-uYQGW6SMTHMj+URJQT0g8OI/qHb2oNPIkdgOwnoyFKtZqp8Wzd7iUtWl7Ug7+Xic
-7vI/5uFFY8Zh2mD/Tl9EwDhtVfObNCa65Av7lLAABi+sE9rPMZSYICd7kjR7SwDM
-qfevCQnwrcwM2MB8XTXKDTp+UwdpIm6JfIhcHpEzhA4qMCfl+uo5Lpv1yK5RyPPQ
-aPoSqkt1STBSqipHYhdkT3V7DhOPswqhi8sZx3jgcJDkl/p5CTaQCpT66Z0SBz+5
-Ag0EUpR+aQEQANENbtv7tuyDGGfxHxhCQHvZDEXgt2HyzywCICzDRNRcMB+PcOat
-etbZpR9SCZ0NqAlXGtr1nmAYaqi4hn9URuU6XQ94U8dj182Fy00dv33pnPFXb+/m
-XwN9UBRLGfo55z0JPhbLHc9M4qOYe84YkyerrsCWz/xJkDEal1u9TQ8DAVcu2brI
-xoubaFJjt0a2fVU3x0m/rOX9n2ydR0gnK4Lkgl3mlMY2vDNgmHWyj5ehWbFa44lK
-osn1zN5vMDthNbs24efsN7ex9YP4DsDoMWSHN3/WL/cHkH4MvhG4790MK8MIbBxX
-PHH7IhFhbYm/WXxuKpbahq6mpwNs+6WfA5PwVfJ6T5xu4i2JWNTP+53toJ82YMLS
-XAs54KV2jAeDDxTQ6jPxu4ArIsG2Gy2fplS/wc3BpG0wVvRCWD42qgy1TAucv3Jc
-MVEMmM1KuxoJcs66P5kAJ4PFhw78MYuKFMjJQPgsCc8ONdfrzErpZ/o0iiHRbnDu
-Fw23bKtAsYYqzp5cDaszNEgpuU3WchieHTTT7ajhWJhQsjhfZfEalpGEXfqBmDmj
-s+qrFVIsDXiGGSi4URZoGIjaOPrmxmuYJ0yBeBxmCRJ9pIwGScBGxZ/KD54L1UPs
-uDzVvyRRM8vZXlYD4m1TPP6hJrM8X+XUC7aM9NhHpx4WtnAFCzreGAtHABEBAAGJ
-AiUEGAEIAA8CGwwFAlTnGmkFCQYVAwAACgkQYUWcUod2jFOjHg//Qg1cyXCm0Xqu
-tDweG8OTAli3cNqOkjoslZqszw0IjKY+Z4OVELZt+O0tvcUEfxRNiF/FrIzqrHzX
-UxN2brBzkMVDqte/pGWdK+ctWD+mr3A7W0FixDPsccBx79TPX8HK/bEcM4vt1sHW
-3lTBEu5QXc/gBmD2qNAHvGPm+08c8Um5JP+oJlhtKUVpZy/N8QeAJTAUWMX+XZkt
-wWEB/pvm6+dMpUOr1wIjZFht+CDv8aZXZjVtyB/acANSP0tBe+6VmOmiiN2yOGum
-nsR/PRTw0qP5z1CHfLru2Zcm/m5+pNHa/Rch3nTvQwLWm7cLjY5mbBoC3x/o690P
-9tzeZrBUKfz+DQRjJIGVukXPn2nkExLvdTTRs075EGeAlkB7qwvdINCvVKT9OTdn
-xQpSd0g+20Kry2b08UTXYl4eF1lbkE4Dq8Nvn3SfEeQ8JerXPrbTq3MTD2tu/oMJ
-RMyLaj8rVJzBLg2LnptPQmy37TOVU0A2ZEA5aOcbMyrvm9xxNsmOFFJvFtIjucof
-9XplA/GN33nm+0WJTIsTS2D4oQVspDSnPApsRAsMbbmlvBj9i97jrP515zpaTZ+r
-bp6x+p0B73b5NLcCs1a/ny7Lz5NHj9+OIEPXZcJBXfHQkiOb1aJxJbNJzb6Duumo
-MYYSCx0f+qOiCCD01SNtk3kFZMov5b4=
-=0+oJ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+=k9n6
 -----END PGP PUBLIC KEY BLOCK-----
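Review bot: Replacing the key block in `debian/upstream/signing-key.asc` changes which signatures are accepted on upstream tarballs when `debian/watch` enables signature checking. The diff gives no way to tell whether this is a refreshed export of the same key or a different key. The changelog entry for this upload should state the full fingerprint of the key now shipped and how it was confirmed, for example against the fingerprint upstream publishes, so a later reviewer can repeat the check. Neither is visible in this hunk. Removing the `Version: GnuPG v2` armor header is harmless.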
diff -pruN 0.8.2-3/doc/doxygen.conf.in 0.9.0-1/doc/doxygen.conf.in
--- 0.8.2-3/doc/doxygen.conf.in	2016-12-25 18:36:37.000000000 +0000
+++ 0.9.0-1/doc/doxygen.conf.in	2018-11-28 15:32:27.000000000 +0000
@@ -1997,7 +1997,7 @@ ENABLE_PREPROCESSING   = YES
 # The default value is: NO.
 # This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
 
-MACRO_EXPANSION        = NO
+MACRO_EXPANSION        = YES
 
 # If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES then
 # the macro expansion is limited to the macros specified with the PREDEFINED and
@@ -2005,7 +2005,7 @@ MACRO_EXPANSION        = NO
 # The default value is: NO.
 # This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
 
-EXPAND_ONLY_PREDEF     = NO
+EXPAND_ONLY_PREDEF     = YES
 
 # If the SEARCH_INCLUDES tag is set to YES, the include files in the
 # INCLUDE_PATH will be searched if a #include is found.
@@ -2037,7 +2037,8 @@ INCLUDE_FILE_PATTERNS  =
 # recursively expanded use the := operator instead of the = operator.
 # This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
 
-PREDEFINED             = HAVE_APR_MEMCACHE=@have_apr_memcache@
+PREDEFINED             = ENABLE_EARLY_SNI \
+                         __attribute__(x)=
 
 # If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
 # tag can be used to specify a list of macro names that should be expanded. The
diff -pruN 0.8.2-3/doc/Makefile.am 0.9.0-1/doc/Makefile.am
--- 0.8.2-3/doc/Makefile.am	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/doc/Makefile.am	2018-11-28 15:32:27.000000000 +0000
@@ -1,7 +1,8 @@
-EXTRA_DIST = mod_gnutls_manual.mdwn
+EXTRA_DIST = mod_gnutls_manual.mdwn mod_gnutls_manual.yaml.in
 
 if USE_PANDOC
 html_DATA = mod_gnutls_manual.html
+man3_MANS = mod_gnutls_manual.man
 if USE_PDFLATEX
 # pandoc && pdflatex
 pdf_DATA = mod_gnutls_manual.pdf
@@ -13,10 +14,22 @@ html_DATA = mod_gnutls_manual.html
 endif
 endif
 
-MOSTLYCLEANFILES = $(html_DATA) $(pdf_DATA)
+MOSTLYCLEANFILES = $(html_DATA) $(pdf_DATA) $(man3_MANS)
 
-# pdf_DATA will be empty if pandoc isn't available
-$(html_DATA) $(pdf_DATA): mod_gnutls_manual.mdwn
+%.yaml: %.yaml.in
+	sed -e s/__MOD_GNUTLS_VERSION__/@MOD_GNUTLS_VERSION@/ < $< > $@
+
+if USE_PANDOC
+%.man: %.mdwn %.yaml
+	$(PANDOC) --standalone -f markdown -t man -o $@ $^
+
+if USE_PDFLATEX
+%.pdf: %.mdwn
+	$(PANDOC) --toc -f markdown -o $@ $<
+endif
+endif
+
+%.html: %.mdwn
 if USE_PANDOC
 	$(PANDOC) --toc --standalone -f markdown -o $@ $<
 else
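Review bot: The `sed` script in the new `%.yaml` rule is passed unquoted, so the substituted `@MOD_GNUTLS_VERSION@` value is subject to shell word splitting and globbing, and a `/` in it would break the expression; quote it as `sed -e 's/__MOD_GNUTLS_VERSION__/@MOD_GNUTLS_VERSION@/' < $< > $@`. Because the recipe writes `$@` through a redirect, a failed `sed` leaves a truncated file that looks up to date on the next run; writing to `$@.tmp` and renaming it into place avoids that. The `%` pattern rules are a GNU make extension that Automake flags under `-Wportability`, so a short comment stating that GNU make is required would help. The `%.html` rule continues outside the hunk.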
diff -pruN 0.8.2-3/doc/Makefile.in 0.9.0-1/doc/Makefile.in
--- 0.8.2-3/doc/Makefile.in	2017-01-08 14:08:05.000000000 +0000
+++ 0.9.0-1/doc/Makefile.in	2019-01-23 20:15:47.000000000 +0000
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.15 from Makefile.am.
+# Makefile.in generated by automake 1.16.1 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+# Copyright (C) 1994-2018 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -93,7 +93,6 @@ subdir = doc
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/apache.m4 \
 	$(top_srcdir)/m4/apache_test.m4 \
-	$(top_srcdir)/m4/apr_memcache.m4 \
 	$(top_srcdir)/m4/ax_prog_doxygen.m4 \
 	$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
 	$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
@@ -152,7 +151,11 @@ am__uninstall_files_from_dir = { \
     || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
          $(am__cd) "$$dir" && rm -f $$files; }; \
   }
-am__installdirs = "$(DESTDIR)$(htmldir)" "$(DESTDIR)$(pdfdir)"
+man3dir = $(mandir)/man3
+am__installdirs = "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(htmldir)" \
+	"$(DESTDIR)$(pdfdir)"
+NROFF = nroff
+MANS = $(man3_MANS)
 DATA = $(html_DATA) $(pdf_DATA)
 am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
 am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/doxygen.conf.in
@@ -167,9 +170,6 @@ APR_INCLUDES = @APR_INCLUDES@
 APR_LDFLAGS = @APR_LDFLAGS@
 APR_LIBS = @APR_LIBS@
 APR_LIBTOOL = @APR_LIBTOOL@
-APR_MEMCACHE_CFLAGS = @APR_MEMCACHE_CFLAGS@
-APR_MEMCACHE_LIBS = @APR_MEMCACHE_LIBS@
-APR_UTIL_CONF = @APR_UTIL_CONF@
 APU_INCLUDES = @APU_INCLUDES@
 APU_LDFLAGS = @APU_LDFLAGS@
 APU_LIBS = @APU_LIBS@
@@ -233,6 +233,7 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ENABLE_EARLY_SNI = @ENABLE_EARLY_SNI@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 FLOCK = @FLOCK@
@@ -292,6 +293,9 @@ SOFTHSM_LIB = @SOFTHSM_LIB@
 SOFTHSM_MAJOR_VERSION = @SOFTHSM_MAJOR_VERSION@
 STRIP = @STRIP@
 TEST_HOST = @TEST_HOST@
+TEST_IP = @TEST_IP@
+TEST_LOCK_WAIT = @TEST_LOCK_WAIT@
+TEST_QUERY_TIMEOUT = @TEST_QUERY_TIMEOUT@
 UNSHARE = @UNSHARE@
 VERSION = @VERSION@
 abs_builddir = @abs_builddir@
@@ -318,7 +322,6 @@ datarootdir = @datarootdir@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_apr_memcache = @have_apr_memcache@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -352,13 +355,14 @@ target_vendor = @target_vendor@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
-EXTRA_DIST = mod_gnutls_manual.mdwn
+EXTRA_DIST = mod_gnutls_manual.mdwn mod_gnutls_manual.yaml.in
 # !pandoc && markdown
 @USE_MARKDOWN_TRUE@@USE_PANDOC_FALSE@html_DATA = mod_gnutls_manual.html
 @USE_PANDOC_TRUE@html_DATA = mod_gnutls_manual.html
+@USE_PANDOC_TRUE@man3_MANS = mod_gnutls_manual.man
 # pandoc && pdflatex
 @USE_PANDOC_TRUE@@USE_PDFLATEX_TRUE@pdf_DATA = mod_gnutls_manual.pdf
-MOSTLYCLEANFILES = $(html_DATA) $(pdf_DATA)
+MOSTLYCLEANFILES = $(html_DATA) $(pdf_DATA) $(man3_MANS)
 all: all-am
 
 .SUFFIXES:
@@ -379,8 +383,8 @@ Makefile: $(srcdir)/Makefile.in $(top_bu
 	  *config.status*) \
 	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
 	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
 	esac;
 
 $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
@@ -399,6 +403,47 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
+install-man3: $(man3_MANS)
+	@$(NORMAL_INSTALL)
+	@list1='$(man3_MANS)'; \
+	list2=''; \
+	test -n "$(man3dir)" \
+	  && test -n "`echo $$list1$$list2`" \
+	  || exit 0; \
+	echo " $(MKDIR_P) '$(DESTDIR)$(man3dir)'"; \
+	$(MKDIR_P) "$(DESTDIR)$(man3dir)" || exit 1; \
+	{ for i in $$list1; do echo "$$i"; done;  \
+	if test -n "$$list2"; then \
+	  for i in $$list2; do echo "$$i"; done \
+	    | sed -n '/\.3[a-z]*$$/p'; \
+	fi; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^3][0-9a-z]*$$,3,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst" || exit $$?; \
+	  fi; \
+	done; \
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man3dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man3dir)" || exit $$?; }; \
+	done; }
+
+uninstall-man3:
+	@$(NORMAL_UNINSTALL)
+	@list='$(man3_MANS)'; test -n "$(man3dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^3][0-9a-z]*$$,3,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	dir='$(DESTDIR)$(man3dir)'; $(am__uninstall_files_from_dir)
 install-htmlDATA: $(html_DATA)
 	@$(NORMAL_INSTALL)
 	@list='$(html_DATA)'; test -n "$(htmldir)" || list=; \
@@ -448,7 +493,10 @@ ctags CTAGS:
 cscope cscopelist:
 
 
-distdir: $(DISTFILES)
+distdir: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -480,9 +528,9 @@ distdir: $(DISTFILES)
 	done
 check-am: all-am
 check: check-am
-all-am: Makefile $(DATA)
+all-am: Makefile $(MANS) $(DATA)
 installdirs:
-	for dir in "$(DESTDIR)$(htmldir)" "$(DESTDIR)$(pdfdir)"; do \
+	for dir in "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(htmldir)" "$(DESTDIR)$(pdfdir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
@@ -536,7 +584,7 @@ info: info-am
 
 info-am:
 
-install-data-am: install-htmlDATA install-pdfDATA
+install-data-am: install-htmlDATA install-man install-pdfDATA
 
 install-dvi: install-dvi-am
 
@@ -552,7 +600,7 @@ install-info: install-info-am
 
 install-info-am:
 
-install-man:
+install-man: install-man3
 
 install-pdf: install-pdf-am
 
@@ -580,7 +628,9 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-htmlDATA uninstall-pdfDATA
+uninstall-am: uninstall-htmlDATA uninstall-man uninstall-pdfDATA
+
+uninstall-man: uninstall-man3
 
 .MAKE: install-am install-strip
 
@@ -590,18 +640,27 @@ uninstall-am: uninstall-htmlDATA uninsta
 	install install-am install-data install-data-am install-dvi \
 	install-dvi-am install-exec install-exec-am install-html \
 	install-html-am install-htmlDATA install-info install-info-am \
-	install-man install-pdf install-pdf-am install-pdfDATA \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
+	install-man install-man3 install-pdf install-pdf-am \
+	install-pdfDATA install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-generic \
 	mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
-	uninstall-am uninstall-htmlDATA uninstall-pdfDATA
+	uninstall-am uninstall-htmlDATA uninstall-man uninstall-man3 \
+	uninstall-pdfDATA
 
 .PRECIOUS: Makefile
 
 
-# pdf_DATA will be empty if pandoc isn't available
-$(html_DATA) $(pdf_DATA): mod_gnutls_manual.mdwn
+%.yaml: %.yaml.in
+	sed -e s/__MOD_GNUTLS_VERSION__/@MOD_GNUTLS_VERSION@/ < $< > $@
+
+@USE_PANDOC_TRUE@%.man: %.mdwn %.yaml
+@USE_PANDOC_TRUE@	$(PANDOC) --standalone -f markdown -t man -o $@ $^
+
+@USE_PANDOC_TRUE@@USE_PDFLATEX_TRUE@%.pdf: %.mdwn
+@USE_PANDOC_TRUE@@USE_PDFLATEX_TRUE@	$(PANDOC) --toc -f markdown -o $@ $<
+
+%.html: %.mdwn
 @USE_PANDOC_TRUE@	$(PANDOC) --toc --standalone -f markdown -o $@ $<
 @USE_MARKDOWN_TRUE@@USE_PANDOC_FALSE@	$(MARKDOWN) $< > $@
 
diff -pruN 0.8.2-3/doc/mod_gnutls_manual.mdwn 0.9.0-1/doc/mod_gnutls_manual.mdwn
--- 0.8.2-3/doc/mod_gnutls_manual.mdwn	2016-12-25 18:36:37.000000000 +0000
+++ 0.9.0-1/doc/mod_gnutls_manual.mdwn	2019-01-22 18:05:43.000000000 +0000
@@ -3,9 +3,9 @@
 * * * * *
 
 `mod_gnutls` is a module for the Apache web server that provides HTTPS
-(HTTP over Transport Layer Security (TLS) or the older Secure Sockets
-Layer (SSL)) using the GnuTLS library.  More information about the
-module can be found at [the project's website](https://mod.gnutls.org/).
+(HTTP over Transport Layer Security (TLS)) using the GnuTLS library.
+More information about the module can be found at
+[the project's website](https://mod.gnutls.org/).
 
 * * * * *
 
@@ -47,6 +47,27 @@ and restart Apache:
 
     LoadModule gnutls_module modules/mod_gnutls.so
 
+Note on HTTP/2
+--------------
+
+HTTP/2 is supported with `mod_gnutls`. However, full support requires
+compiling with GnuTLS 3.6.3 or later. When using lower versions all
+virtual hosts using `mod_gnutls` with overlapping IP/port combinations
+need to use identical `Protocols` directives for protocol negotiation
+to work correctly.
+
+The technical reason is that using HTTP/2 requires ALPN (Application
+Layer Protocol Negotiation) to be set up before GnuTLS parses the TLS
+ClientHello message, but earlier hooks cannot use
+`gnutls_server_name_get()` to retrieve SNI (Server Name Indication)
+data for virtual host selection. Because of this `mod_gnutls` provides
+its own early SNI parser, which requires the `gnutls_ext_raw_parse()`
+function introduced in GnuTLS 3.6.3 to retrieve the extension data in
+a *pre* client hello hook.
+
+During build `./configure` will report "Early SNI: yes" if your
+version of GnuTLS is new enough.
+
 * * * * *
 
 Configuration Directives
@@ -70,45 +91,56 @@ This directive enables SSL/TLS Encryptio
 
 Configure TLS Session Cache
 
-    GnuTLSCache [dbm|gdbm|memcache|none] [PATH|SERVERLIST|-]
+    GnuTLSCache (shmcb|dbm|memcache|...|none)[:PARAMETERS]
 
 Default: `GnuTLSCache none`\
 Context: server config
 
-This directive configures the TLS Session Cache for `mod_gnutls`.
-This could be shared between machines of different architectures. If a
-DBM cache is used, access is serialized using the `gnutls-cache`
-mutex. Which DBM types are available is part of the APR (Apache
-Portable Runtime) compile time configuration.
-
-`dbm` (Requires Berkeley DBM)
-:   Uses the Berkeley DB backend of APR DBM to cache TLS Session
-	data.
-
-	The argument is a relative or absolute path to be used as
-    the DBM Cache file. This is compatible with most operating
-    systems.
+This directive configures the TLS Session Cache for `mod_gnutls`. This
+could be shared between machines of different architectures. If the
+selected cache implementation is not thread-safe, access is serialized
+using the `gnutls-cache` mutex.
+
+Which cache implementations are available depends on your Apache
+installation and configuration, `mod_gnutls` can use any socache
+provider. In general you will need to load a `mod_socache_PROVIDER`
+module. Common options are described below, please check the Apache
+HTTPD documentation for details on available providers and their
+configuration.
+
+`shmcb`
+:   Uses a shared memory segment. This is a high performance local
+    cache. The parameter is a relative or absolute path to be used if
+    the local shared memory implementation requires one, followed by
+    the cache size in bytes enclosed in parentheses.
+
+    Example: `shmcb:cache/gnutls_cache(65536)`
+
+`dbm`
+:   Uses a DBM cache file. The parameter is a relative or absolute
+    path to be used as the DBM cache file.
 
-`gdbm` (Requires GDBM)
-:   Uses the GDBM backend of APR DBM to cache TLS Session data.
-
-    The argument is a relative or absolute path to be used as the DBM
-    Cache file.
+    Example: `dbm:cache/gnutls_cache`
 
 `memcache`
-:   Uses memcached server(s) to cache TLS Session data.
+:   Uses memcached server(s) to cache TLS session data. The parameter
+    is a comma separated list of servers (host:port). This can be used
+    to share a session cache between all servers in a cluster.
 
-    The argument is a space separated list of servers. If no port
-    number is supplied, the default of 11211 is used.  This can be
-    used to share a session cache between all servers in a cluster.
+    Example: `memcache:memcache.example.com:12345,memcache2.example.com:12345`
 
 `none`
-:   Turns off all caching of TLS Sessions.
+:   Turns off all caching of TLS sessions.
 
-    This can significantly reduce the performance of `mod_gnutls` since
-    even followup connections by a client must renegotiate parameters
-    instead of reusing old ones.  This is the default, since it
-    requires no configuration.
+    This can significantly reduce the performance of `mod_gnutls`
+    since even followup connections by a client must renegotiate
+    parameters instead of reusing old ones. This is the default, since
+    it requires no configuration.
+
+    Session tickets are an alternative to using a session cache,
+    please see `GnuTLSSessionTickets`. Note that for TLS 1.3 GnuTLS
+    supports resumption using session tickets only as of version
+    3.6.4.
 
 ### GnuTLSCacheTimeout
 
@@ -117,11 +149,9 @@ Timeout for TLS Session Cache expiration
     GnuTLSCacheTimeout SECONDS
 
 Default: `GnuTLSCacheTimeout 300`\
-Context: server config
+Context: server config, virtual host
 
-Sets the timeout for TLS Session Cache entries expiration. This value
-is also used for OCSP responses if they do not contain a `nextUpdate`
-time.
+Sets the expiration timeout for cached TLS sessions.
 
 ### GnuTLSSessionTickets
 
@@ -129,23 +159,26 @@ Enable Session Tickets for the server
 
     GnuTLSSessionTickets [on|off]
 
-Default: `off`\
+Default: `on` with GnuTLS 3.6.4 and newer, `off` otherwise\
 Context: server config, virtual host
 
-To avoid storing data for TLS session resumption the server can
-provide clients with tickets, to use on return. Tickets are an
-alternative to using a session cache, mostly used for busy servers
-with limited storage. For a pool of servers this option is not
-recommended since the tickets are bound to the issuing server only.
+Session tickets allow TLS session resumption without session state
+stored on the server, using encrypted tickets provided to the clients
+instead. Tickets are an alternative to using a session cache, and
+currently the only session resumption mechanism in TLS 1.3. For a pool
+of servers this option is not recommended since the tickets are bound
+to the issuing server only.
 
 If this option is set in the global configuration, virtual hosts
 without a `GnuTLSSessionTickets` setting will use the global setting.
 
-*Warning:* Currently the master key that protects the tickets is
-generated only on server start, and there is no mechanism to roll over
-the key. If session tickets are enabled it is highly recommened to
-restart the server regularly to protect past sessions in case an
-attacker gains access to server memory.
+*Warning:* With GnuTLS version before 3.6.4 the master key that
+protects the tickets is generated only on server start, and there is
+no mechanism to roll over the key. If session tickets are enabled it
+is highly recommended to restart the server regularly to protect past
+sessions in case an attacker gains access to server memory. GnuTLS
+3.6.4 introduced an automatic TOTP-based key rollover, so this warning
+does not apply any more and tickets are enabled by default.
 
 ### GnuTLSClientVerify
 
@@ -177,17 +210,24 @@ re-negotiation.
 
 ### GnuTLSDHFile
 
-Set to the PKCS \#3 encoded Diffie Hellman parameters
+Use the provided PKCS \#3 encoded Diffie-Hellman parameters
 
     GnuTLSDHFile FILEPATH
 
 Default: *none*\
 Context: server config, virtual host
 
-Takes an absolute or relative path to a PKCS \#3 encoded DH
-parameters.Those are used when the DHE key exchange method is enabled.
-You can generate this file using `certtool --generate-dh-params --bits
-2048`.  If not set `mod_gnutls` will use the included parameters.
+By default, `mod_gnutls` uses the DH parameters included with GnuTLS
+corresponding to the security level of the configured private keys if
+compiled with GnuTLS 3.5.6 or newer, and the ffdhe2048 DH group as
+defined in RFC 7919, Appendix A.1 otherwise.
+
+If you need to use different DH parameters, you can provide a PEM file
+containing them in PKCS \#3 encoding using this option. Please see the
+"[Parameter
+generation](https://gnutls.org/manual/html_node/Parameter-generation.html)"
+section of the GnuTLS documentation for a short discussion of the
+security implications.
 
 ### GnuTLSPriorities
 
@@ -196,41 +236,15 @@ MACs and compression methods
 
     GnuTLSPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N
 
-Default: *none*\
+Default: `NORMAL`\
 Context: server config, virtual host
 
-Takes a colon separated list of protocol version, ciphers, key
-exchange methods message authentication codes, and compression methods
-to enable. The allowed keywords are specified in the
-`gnutls_priority_init()` function of GnuTLS.
-
-Please refer to [the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings)
-for details. A few commonly used sets are listed below, note that
-their exact meaning may change with GnuTLS versions.
-
-`PERFORMANCE`
-:   A list with all the secure cipher combinations sorted in terms of
-    performance.
-
-`NORMAL`
-:   A list with all the secure cipher combinations sorted
-    with respect to security margin (subjective term).
-
-`SECURE128`
-:   A list with all the secure cipher suites that offer a security level
-    of 128-bit or more.
-
-`PFS`
-:   Only cipher suites offering perfect forward secrecy (ECDHE and DHE),
-    sorted by security margin.
-
-You can add or remove algorithms using the `+` and `!` prefixes
-respectively. For example, in order to use the `NORMAL` set but
-disable TLS 1.0 and 1.1 you can use the string
-`NORMAL:!VERS-TLS1.0:!VERS-TLS1.1`.
+Sets the allowed protocol version(s), ciphers, key exchange methods,
+message authentication codes, and other TLS parameters for the server.
+The parameter is a GnuTLS priority string as described in the
+[the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html).
 
-You can find a list of all supported Ciphers, Versions, MACs, etc.  by
-running `gnutls-cli --list`.
+For example, to disable TLS 1.0 use `NORMAL:-VERS-TLS1.0`.
 
 ### GnuTLSP11Module
 
@@ -281,14 +295,14 @@ Context: server config, virtual host
 This directive configures exporting the full certificates of the
 server and the client to CGI scripts via the `SSL_SERVER_CERT` and
 `SSL_CLIENT_CERT` environment variables. The exported certificates
-will be PEM-encoded (if X.509) or ASCII-armored (if OpenPGP) up to the
-size given.  The type of the certificate will be exported in
-`SSL_SERVER_CERT_TYPE` and `SSL_CLIENT_CERT_TYPE`.
+will be PEM-encoded, limited to the given size. The type of the
+certificate will be exported in `SSL_SERVER_CERT_TYPE` and
+`SSL_CLIENT_CERT_TYPE`.
 
 SIZE should be an integer number of bytes, or may be written with a
 trailing `K` to indicate kibibytes.  `off` means the same thing as
 `0`, in which case the certificates will not be exported to the
-environment.  `on` is an alias for `16K`.  If a non-zero size is
+environment. `on` is an alias for `16K`. If a non-zero size is
 specified for this directive, but a certificate is too large to fit in
 the buffer, then the corresponding environment variable will contain
 the fixed string `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED`.
@@ -301,21 +315,30 @@ X.509 Certificate Authentication
 
 ### GnuTLSCertificateFile
 
-Set to the PEM Encoded Server Certificate
+Set the PEM encoded server certificate or certificate chain
 
     GnuTLSCertificateFile FILEPATH
 
 Default: *none*\
 Context: server config, virtual host
 
-Takes an absolute or relative path to a PEM-encoded X.509 certificate to
-use as this Server's End Entity (EE) certificate. If you need to supply
-certificates for intermediate Certificate Authorities (iCAs), they
-should be listed in sequence in the file, from EE to the iCA closest to
-the root CA. Optionally, you can also include the root CA's certificate
-as the last certificate in the list.
+FILEPATH is an absolute or relative path to a file containing the
+PEM-encoded X.509 certificate to use as this Server's End Entity (EE)
+certificate, and optionally those of the issuing Certificate
+Authorities (CAs). If the file contains multiple certificates they
+should be ordered from EE to the CA closest to the root CA (or the
+root CA itself).
+
+Including at least the immediately issuing CA is highly recommended
+because it is required for OCSP stapling.
+
+Since version 0.7 this can be a PKCS #11 URL instead of a file.
+
+On Linux and other Unix-like systems you can create the file with a
+command like this (assuming "CA 1" issued the server certificate and
+has been issued by "Root CA" itself):
 
-Since version 0.7 this can be a PKCS #11 URL.
+	$ cat server.pem ca-1.pem root-ca.pem >server-chain.pem
 
 ### GnuTLSKeyFile
 
@@ -350,51 +373,6 @@ Takes an absolute or relative path to a
 as a Certificate Authority with Client Certificate Authentication.
 This file may contain a list of trusted authorities.
 
-OpenPGP Certificate Authentication
-----------------------------------
-
-### GnuTLSPGPCertificateFile
-
-Set to a base64 Encoded Server OpenPGP Certificate
-
-    GnuTLSPGPCertificateFile FILEPATH
-
-Default: *none*\
-Context: server config, virtual host
-
-Takes an absolute or relative path to a base64 Encoded OpenPGP
-Certificate to use as this Server's Certificate.
-
-### GnuTLSPGPKeyFile
-
-Set to the Server OpenPGP Secret Key
-
-    GnuTLSPGPKeyFile FILEPATH
-
-Default: *none*\
-Context: server config, virtual host
-
-Takes an absolute or relative path to the Server Private Key. This key
-cannot currently be password protected.
-
-**Security Warning:**\
- This private key must be protected. It is read while Apache is still
-running as root, and does not need to be readable by the nobody or
-apache user.
-
-### GnuTLSPGPKeyringFile
-
-Set to a base64 Encoded key ring
-
-    GnuTLSPGPKeyringFile FILEPATH
-
-Default: *none*\
-Context: server config, virtual host
-
-Takes an absolute or relative path to a base64 Encoded Certificate
-list (key ring) to use as a means of verification of Client
-Certificates.  This file should contain a list of trusted signers.
-
 SRP Authentication
 ------------------
 
@@ -518,13 +496,14 @@ methods for proxy connections
 
     GnuTLSProxyPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N
 
-Default: *none*\
+Default: `NORMAL`\
 Context: server config, virtual host
 
-This option is used to set the allowed ciphers, key exchange
-algorithms, MACs and compression methods for proxy connections. It
-takes the same parameters as `GnuTLSPriorities`. Required if
-`GnuTLSProxyEngine` is `On`.
+Sets the allowed protocol version(s), ciphers, key exchange methods,
+message authentication codes, and other TLS parameters for TLS proxy
+connections. Like for `GnuTLSPriorities` the parameter is a GnuTLS
+priority string as described in the
+[the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html).
 
 OCSP Stapling Configuration
 ---------------------------
@@ -535,26 +514,92 @@ Enable OCSP stapling for this (virtual)
 
     GnuTLSOCSPStapling [On|Off]
 
-Default: *off*\
+Default: *on* if requirements are met, *off* otherwise\
 Context: server config, virtual host
 
 OCSP stapling, formally known as the TLS Certificate Status Request
-extension, allows the server to provide the client with an OCSP
-response for its certificate during the handshake. This way the client
-does not have to send an OCSP request to the CA to check the
-certificate status, which offers privacy and performance advantages.
+extension, allows the server to provide the client with a cached OCSP
+response for its certificate during the handshake. With OCSP stapling
+the client does not have to send an OCSP request to the issuer CA to
+check the certificate status, which offers privacy and performance
+advantages, and avoids the security issue of how to handle errors that
+prevent the client from getting a response.
 
 Using OCSP stapling has a few requirements:
 
-* Caching OCSP responses requires a cache, so `GnuTLSCache` must not
-  be `none`.
 * `GnuTLSCertificateFile` must contain the issuer CA certificate in
   addition to the server certificate so responses can be verified.
-* The certificate must either contain an OCSP access URI using HTTP,
-  or `GnuTLSOCSPResponseFile` must be set.
+* The server certificate must either contain an OCSP access URI using
+  HTTP, or `GnuTLSOCSPResponseFile` must be set.
+* Caching OCSP responses requires a cache to store responses. If
+  `mod_socache_shmcb` is loaded `mod_gnutls` can set up the cache
+  automatically without additional configuration, see
+  `GnuTLSOCSPCache`.
+
+Stapling is activated by default if these requirements are met. If
+`GnuTLSOCSPStapling` is explicitly set to `on` unmet requirements are
+an error.
 
 OCSP cache updates are serialized using the `gnutls-ocsp` mutex.
 
+### GnuTLSOCSPCache
+
+OCSP stapling cache configuration
+
+	GnuTLSOCSPCache (shmcb|memcache|...|none)[:PARAMETERS]
+
+Default: `shmcb:gnutls_ocsp_cache`\
+Context: server config
+
+This directive configures the OCSP stapling cache, and uses the same
+syntax as `GnuTLSOCSPCache`. Please check there for details.
+
+The default should be reasonable for most servers and requires
+[mod\_socache\_shmcb](http://httpd.apache.org/docs/current/en/mod/mod_socache_shmcb.html)
+to be loaded. Servers with very many virtual hosts may need to
+increase the default cache size via the parameters string, those with
+few virtual hosts and memory constraints could save a few KB by reducing
+it. Note that `mod_socache_dbm` has a size constraint for entries that
+is generally too small for OCSP responses.
+
+If the selected cache implementation is not thread-safe, access
+is serialized using the `gnutls-ocsp-cache` mutex.
+
+### GnuTLSOCSPAutoRefresh
+
+Regularly refresh cached OCSP response independent of TLS handshakes?
+
+    GnuTLSOCSPAutoRefresh [On|Off]
+
+Default: *on*\
+Context: server config, virtual host
+
+By default `mod_gnutls` will regularly refresh the cached OCSP
+response for hosts that have OCSP stapling enabled, regardless of
+whether it is used. This has advantages over updating the OCSP
+response only if a TLS handshake needs it:
+
+* Updating the cached response before it expires can hide short
+  unavailability of the OCSP responder, if a repeated request is
+  successful before the cache expires (see below).
+
+* Handshakes are not slowed down by fetching responses.
+
+The interval to the next request is determined as follows: After a
+successful OCSP request the next one is scheduled for a random period
+between `GnuTLSOCSPFuzzTime` and half of it before
+`GnuTLSOCSPCacheTimeout` expires. For example, if the cache timeout is
+3600 seconds and the fuzz time 600 seconds, the next request will be
+sent after 3000 to 3300 seconds. If the validity period of the
+response expires before then, the selected interval is halved until it
+is smaller than the time until expiry. If an OCSP request fails, it is
+retried after `GnuTLSOCSPFailureTimeout`.
+
+Regularly updating the OCSP cache requires `mod_watchdog`,
+`mod_gnutls` will fall back to updating the OCSP cache during
+handshakes if `mod_watchdog` is not available or this option is set to
+`Off`.
+
 ### GnuTLSOCSPCheckNonce
 
 Check the nonce in OCSP responses?
@@ -628,6 +673,20 @@ responder. A shorter value increases the
 one means that stapling will remain disabled for longer after a failed
 request.
 
+### GnuTLSOCSPFuzzTime
+
+Update the cached OCSP response up to this time before the cache expires
+
+    GnuTLSOCSPFuzzTime SECONDS
+
+Default: *larger of GnuTLSOCSPCacheTimeout / 8 and GnuTLSOCSPFailureTimeout \* 2*\
+Context: server config, virtual host
+
+Refreshing the cached response before it expires hides short OCSP
+responder unavailability. See `GnuTLSOCSPAutoRefresh` for how this
+value is used, using at least twice `GnuTLSOCSPFailureTimeout` is
+recommended.
+
 ### GnuTLSOCSPSocketTimeout
 
 Timeout for TCP sockets used to send OCSP requests
@@ -653,145 +712,163 @@ time.
 Configuration Examples
 ======================
 
-Simple Standard TLS Example
----------------------------
+Minimal Example
+---------------
+
+A minimal server configuration using mod_gnutls might look like this
+(other than the default setup):
 
-The following is an example of simple TLS hosting, using one IP
-Addresses for each virtual host.
+     # Load mod_gnutls into Apache.
+     LoadModule gnutls_module modules/mod_gnutls.so
+
+	 Listen 192.0.2.1:443
+
+     <VirtualHost _default_:443>
+	     # Standard virtual host stuff
+         DocumentRoot /www/site1.example.com/html
+         ServerName site1.example.com:443
+         
+		 # Minimal mod_gnutls setup: enable, and set credentials
+		 GnuTLSEnable on
+         GnuTLSCertificateFile conf/tls/site1_cert_chain.pem
+         GnuTLSKeyFile conf/tls/site1_key.pem
+     </VirtualHost>
+
+This gives you an HTTPS site using the GnuTLS `NORMAL` set of
+ciphersuites. OCSP stapling will be enabled if the server certificate
+contains an OCSP URI, `conf/tls/site1_cert_chain.pem` contains the
+issuer certificate in addition to the server's, and
+[mod\_socache\_shmcb](http://httpd.apache.org/docs/current/en/mod/mod_socache_shmcb.html)
+is loaded. With Gnutls 3.6.4 or newer session tickets are enabled,
+too.
+
+Virtual Hosts with Server Name Indication
+-----------------------------------------
+
+`mod_gnutls` supports Server Name Indication (SNI), as specified in
+[RFC 6066, Section 3](https://tools.ietf.org/html/rfc6066#section-3).
+This allows hosting many TLS websites with a single IP address, you
+can just add virtual host configurations. All recent browsers support
+this standard. Here is an example using SNI:
 
      # Load the module into Apache.
      LoadModule gnutls_module modules/mod_gnutls.so
-     GnuTLSCache gdbm /var/cache/www-tls-cache
-     GnuTLSCacheTimeout 500
+	 # This example server uses session tickets, no cache.
+     GnuTLSSessionTickets on
 
-     # Without SNI you need one IP Address per-site.
-     Listen 192.0.2.1:443
-     Listen 192.0.2.2:443
-     Listen 192.0.2.3:443
-     Listen 192.0.2.4:443
+     # SNI allows hosting multiple sites using one IP address. This
+     # could also be 'Listen *:443', just like '*:80' is common for
+     # non-HTTPS
+     Listen 198.51.100.1:443
 
-     <VirtualHost 192.0.2.1:443>
+     <VirtualHost _default_:443>
          GnuTLSEnable on
-         GnuTLSPriorities SECURE128
          DocumentRoot /www/site1.example.com/html
          ServerName site1.example.com:443
          GnuTLSCertificateFile conf/tls/site1.crt
          GnuTLSKeyFile conf/tls/site1.key
      </VirtualHost>
 
-     <VirtualHost 192.0.2.2:443>
-         # This virtual host enables SRP authentication
+     <VirtualHost _default_:443>
          GnuTLSEnable on
-         GnuTLSPriorities NORMAL:+SRP
          DocumentRoot /www/site2.example.com/html
          ServerName site2.example.com:443
-         GnuTLSSRPPasswdFile conf/tls/tpasswd.site2
-         GnuTLSSRPPasswdConfFile conf/tls/tpasswd.site2.conf
+         GnuTLSCertificateFile conf/tls/site2.crt
+         GnuTLSKeyFile conf/tls/site2.key
      </VirtualHost>
 
-     <VirtualHost 192.0.2.3:443>
-         # This server enables SRP, OpenPGP and X.509 authentication.
+     <VirtualHost _default_:443>
          GnuTLSEnable on
-         GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS:+CTYPE-OPENPGP
          DocumentRoot /www/site3.example.com/html
          ServerName site3.example.com:443
          GnuTLSCertificateFile conf/tls/site3.crt
          GnuTLSKeyFile conf/tls/site3.key
-         GnuTLSClientVerify ignore
-         GnuTLSPGPCertificateFile conf/tls/site3.pub.asc
-         GnuTLSPGPKeyFile conf/tls/site3.sec.asc
-         GnuTLSSRPPasswdFile conf/tls/tpasswd.site3
-         GnuTLSSRPPasswdConfFile conf/tls/tpasswd.site3.conf
-     </VirtualHost>
-
-     <VirtualHost 192.0.2.4:443>
-         GnuTLSEnable on
-         # %COMPAT disables some security features to enable maximum
-         # compatibility with clients. Don't use this if you need strong
-         # security.
-         GnuTLSPriorities NORMAL:%COMPAT
-         DocumentRoot /www/site4.example.com/html
-         ServerName site4.example.com:443
-         GnuTLSCertificateFile conf/tls/site4.crt
-         GnuTLSKeyFile conf/tls/site4.key
+         # Enable HTTP/2. With GnuTLS before version 3.6.3 all
+         # virtual hosts in this example would have to share this
+         # directive to work correctly.
+         Protocols h2 http/1.1
      </VirtualHost>
 
-Server Name Indication Example
-------------------------------
+Virtual Hosts without SNI
+-------------------------
 
-`mod_gnutls` supports "Server Name Indication", as specified in
-RFC 3546. This allows hosting many TLS websites with a single IP
-address. All recent browsers support this standard. Here is an
-example using SNI:
+If you need to support clients that do not use SNI, you have to use a
+unique IP address/port combination for each virtual host. In this
+example all virtual hosts use the default port for HTTPS (443) and
+different IP addresses.
 
      # Load the module into Apache.
      LoadModule gnutls_module modules/mod_gnutls.so
+	 # This example server uses a session cache.
+     GnuTLSCache dbm:/var/cache/www-tls-cache
+     GnuTLSCacheTimeout 1200
+
+     # Without SNI you need one IP Address per site. The IP addresses
+	 # are listed separately for clarity, you could also use "Listen 443"
+	 # to use that port on all available IP addresses.
+     Listen 192.0.2.1:443
+     Listen 192.0.2.2:443
+     Listen 192.0.2.3:443
 
-     # SNI allows hosting multiple sites using one IP address. This
-     # could also be 'Listen *:443', just like '*:80' is common for
-     # non-HTTPS
-     Listen 198.51.100.1:443
-
-     <VirtualHost _default_:443>
+     <VirtualHost 192.0.2.1:443>
          GnuTLSEnable on
-         GnuTLSSessionTickets on
-         GnuTLSPriorities NORMAL
+         GnuTLSPriorities SECURE128
          DocumentRoot /www/site1.example.com/html
          ServerName site1.example.com:443
          GnuTLSCertificateFile conf/tls/site1.crt
          GnuTLSKeyFile conf/tls/site1.key
      </VirtualHost>
 
-     <VirtualHost _default_:443>
+     <VirtualHost 192.0.2.2:443>
+         # This virtual host enables SRP authentication
          GnuTLSEnable on
-         GnuTLSPriorities NORMAL
+         GnuTLSPriorities NORMAL:+SRP
          DocumentRoot /www/site2.example.com/html
          ServerName site2.example.com:443
-         GnuTLSCertificateFile conf/tls/site2.crt
-         GnuTLSKeyFile conf/tls/site2.key
+         GnuTLSSRPPasswdFile conf/tls/tpasswd.site2
+         GnuTLSSRPPasswdConfFile conf/tls/tpasswd.site2.conf
      </VirtualHost>
 
-     <VirtualHost _default_:443>
+     <VirtualHost 192.0.2.3:443>
+         # This server enables SRP and X.509 authentication.
          GnuTLSEnable on
-         GnuTLSPriorities NORMAL
+         GnuTLSPriorities NORMAL:+SRP:+SRP-RSA:+SRP-DSS
          DocumentRoot /www/site3.example.com/html
          ServerName site3.example.com:443
          GnuTLSCertificateFile conf/tls/site3.crt
          GnuTLSKeyFile conf/tls/site3.key
-     </VirtualHost>
-
-     <VirtualHost _default_:443>
-         GnuTLSEnable on
-         GnuTLSPriorities NORMAL
-         DocumentRoot /www/site4.example.com/html
-         ServerName site4.example.com:443
-         GnuTLSCertificateFile conf/tls/site4.crt
-         GnuTLSKeyFile conf/tls/site4.key
+         GnuTLSClientVerify ignore
+         GnuTLSSRPPasswdFile conf/tls/tpasswd.site3
+         GnuTLSSRPPasswdConfFile conf/tls/tpasswd.site3.conf
      </VirtualHost>
 
 OCSP Stapling Example
 ---------------------
 
-This example uses an X.509 server certificate. The server will fetch
-OCSP responses from the responder listed in the certificate and store
-them im a memcached cache shared with another server.
+This is an example with a customized OCSP stapling configuration. What
+is a resonable cache timeout varies depending on how long your CA's
+OCSP responses are valid. Some CAs provide responses that are valid
+for multiple days, in that case timeout and fuzz time could be
+significantly larger.
 
      # Load the module into Apache.
      LoadModule gnutls_module modules/mod_gnutls.so
-     GnuTLSCache memcache "192.0.2.1:11211 192.0.2.2:11211"
-     GnuTLSCacheTimeout 600
+	 # A 64K cache is more than enough for one response
+     GnuTLSOCSPCache shmcb:ocsp_cache(65536)
 
      Listen 192.0.2.1:443
 
      <VirtualHost _default_:443>
-         GnuTLSEnable          On
-         GnuTLSPriorities      NORMAL
-         DocumentRoot          /www/site1.example.com/html
-         ServerName            site1.example.com:443
-         GnuTLSCertificateFile conf/tls/site1.crt
-         GnuTLSKeyFile         conf/tls/site1.key
-         GnuTLSPriorities      NORMAL
-         GnuTLSOCSPStapling    On
+         GnuTLSEnable           On
+         DocumentRoot           /www/site1.example.com/html
+         ServerName             site1.example.com:443
+         GnuTLSCertificateFile  conf/tls/site1_cert_chain.pem
+         GnuTLSKeyFile          conf/tls/site1_key.pem
+         GnuTLSOCSPStapling     On
+		 # The cached OCSP response is kept for up to 4 hours,
+		 # with updates scheduled every 3 to 3.5 hours.
+         GnuTLSOCSPCacheTimeout 21600
+		 GnuTLSOCSPFuzzTime     3600
      </VirtualHost>
 
 * * * * *
@@ -888,7 +965,8 @@ The distinguished name of client's certi
 `SSL_CLIENT_I_DN`
 -----------------
 
-The SSL or TLS cipher suite name
+The distinguished name of the issuer of the client's certificate in
+RFC2253 format.
 
 `SSL_CLIENT_S_AN%`
 ------------------
@@ -924,21 +1002,21 @@ The public key algorithm in server's cer
 `SSL_SERVER_CERT`
 ------------------
 
-The PEM-encoded (X.509) or ASCII-armored (OpenPGP) server certificate
-(see the `GnuTLSExportCertificates` directive).
+The PEM-encoded (X.509) server certificate (see the
+`GnuTLSExportCertificates` directive).
 
 `SSL_SERVER_CERT_TYPE`
 ----------------------
 
-The certificate type can be `X.509` or `OPENPGP`.
+The certificate type will be `X.509`.
 
 `SSL_CLIENT_CERT`
 ------------------
 
-The PEM-encoded (X.509) or ASCII-armored (OpenPGP) client certificate
-(see the `GnuTLSExportCertificates` directive).
+PEM-encoded (X.509) client certificate, if any (see the
+`GnuTLSExportCertificates` directive).
 
 `SSL_CLIENT_CERT_TYPE`
 ----------------------
 
-The certificate type can be `X.509` or `OPENPGP`.
+The certificate type will be `X.509`, if any.
diff -pruN 0.8.2-3/doc/mod_gnutls_manual.yaml.in 0.9.0-1/doc/mod_gnutls_manual.yaml.in
--- 0.8.2-3/doc/mod_gnutls_manual.yaml.in	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/doc/mod_gnutls_manual.yaml.in	2018-11-28 15:32:27.000000000 +0000
@@ -0,0 +1,6 @@
+---
+title: The mod_gnutls Manual
+section: 3
+header: mod_gnutls
+footer: __MOD_GNUTLS_VERSION__
+...
diff -pruN 0.8.2-3/include/mod_gnutls.h.in 0.9.0-1/include/mod_gnutls.h.in
--- 0.8.2-3/include/mod_gnutls.h.in	2016-12-25 18:36:37.000000000 +0000
+++ 0.9.0-1/include/mod_gnutls.h.in	2019-01-05 17:28:56.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  *  Copyright 2004-2005 Paul Querna
  *  Copyright 2014 Nikos Mavrogiannopoulos
- *  Copyright 2015-2016 Thomas Klute
+ *  Copyright 2015-2018 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -25,21 +25,16 @@
 #include "http_core.h"
 #include "http_log.h"
 #include "apr_buckets.h"
-#include "apr_strings.h"
 #include "apr_tables.h"
 #include "ap_release.h"
-#include "apr_fnmatch.h"
 /* GnuTLS Library Headers */
 #include <gnutls/gnutls.h>
 #include <gnutls/abstract.h>
-#include <gnutls/openpgp.h>
 #include <gnutls/x509.h>
 
 #ifndef __mod_gnutls_h_inc
 #define __mod_gnutls_h_inc
 
-#define HAVE_APR_MEMCACHE    @have_apr_memcache@
-
 extern module AP_MODULE_DECLARE_DATA gnutls_module;
 
 /* IO Filter names */
@@ -55,20 +50,14 @@ extern module AP_MODULE_DECLARE_DATA gnu
 /* Module Debug Mode */
 #define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@
 
-/* mod_gnutls Cache Types */
-typedef enum {
-	/* No Cache */
-    mgs_cache_none,
-	/* Use Old Berkley DB */
-    mgs_cache_dbm,
-	/* Use Gnu's version of Berkley DB */
-    mgs_cache_gdbm,
-#if HAVE_APR_MEMCACHE
-	/* Use Memcache */
-    mgs_cache_memcache,
+/* Compile support for early SNI? */
+#if @ENABLE_EARLY_SNI@ == 1
+#define ENABLE_EARLY_SNI
 #endif
-    mgs_cache_unset
-} mgs_cache_e;
+
+/** Name of the module-wide singleton watchdog */
+#define MGS_SINGLETON_WATCHDOG "_mod_gnutls_singleton_"
+
 
 /* Internal cache data, defined in gnutls_cache.h */
 typedef struct mgs_cache* mgs_cache_t;
@@ -92,18 +81,17 @@ typedef struct mgs_ocsp_data* mgs_ocsp_d
 
 /* The maximum number of certificates to send in a chain */
 #define MAX_CHAIN_SIZE 8
-/* The maximum number of SANs to read from a x509 certificate */
-#define MAX_CERT_SAN 5
 
-/* Server Configuration Record */
+/** Server Configuration Record */
 typedef struct {
+    /** Server this mod_gnutls configuration is for */
+    server_rec* s;
+
     /* --- Configuration values --- */
 	/* Is the module enabled? */
     int enabled;
 	/* Is mod_proxy enabled? */
     int proxy_enabled;
-	/* A Plain HTTP request */
-    int non_ssl_request;
 
     /* List of PKCS #11 provider modules to load, only valid in the
      * base config, ignored in virtual hosts */
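Review bot: The new `server_rec* s` back-pointer at the top of `mgs_srvconf_rec` has no stated rule for what it holds after configurations are merged. If a merged virtual-host record kept the base server's pointer, anything reached through `sc->s` would refer to the wrong host. The merge function is not part of this hunk, so this may already be handled; if it is, record it in the comment, for example `/** Server this configuration belongs to; set per server_rec, never inherited from the base config on merge */`, once confirmed against the code. The struct body continues past the end of the hunk.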
@@ -119,10 +107,6 @@ typedef struct {
     char *x509_key_file;
     char *x509_ca_file;
 
-    char *pgp_cert_file;
-    char *pgp_key_file;
-    char *pgp_ring_file;
-
     char *dh_file;
 
     char *priorities_str;
@@ -133,17 +117,14 @@ typedef struct {
 
 	/* Cache timeout value */
     int cache_timeout;
-	/* Chose Cache Type */
-    mgs_cache_e cache_type;
-    const char* cache_config;
+    /* Enable cache */
+    unsigned char cache_enable : 2;
     /* Internal cache data */
     mgs_cache_t cache;
 
 	/* GnuTLS uses Session Tickets */
     int tickets;
 
-    /* --- Things initialized at _child_init --- */
-
     /* x509 Certificate Structure */
     gnutls_certificate_credentials_t certs;
     /* x509 credentials for proxy connections */
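Review bot: `unsigned char cache_enable : 2;` is the only bit-field in this record, and its comment `/* Enable cache */` does not say which values the two bits can hold. The width suggests a third "unset" state used while merging configurations, but nothing in the hunk confirms that, and the other flags further down the struct (`ocsp_staple`, `ocsp_check_nonce`) are plain `unsigned char`. A bit-field of type `unsigned char` is also implementation-defined in ISO C. Either declare it `unsigned int cache_enable : 2;` or drop the width to match the other flags, and list the accepted values in the comment. The struct starts and ends outside this hunk.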
@@ -163,10 +144,6 @@ typedef struct {
     /* Anonymous Client Certificate Structure, used for proxy
      * connections */
     gnutls_anon_client_credentials_t anon_client_creds;
-	/* Current x509 Certificate CN [Common Name] */
-    char* cert_cn;
-	/* Current x509 Certificate SAN [Subject Alternate Name]s*/
-    char* cert_san[MAX_CERT_SAN];
 	/* An x509 Certificate Chain */
     gnutls_pcert_st *certs_x509_chain;
     gnutls_x509_crt_t *certs_x509_crt_chain;
@@ -176,20 +153,6 @@ typedef struct {
 	/* Current x509 Certificate Private Key */
     gnutls_privkey_t privkey_x509;
 
-	/* OpenPGP Certificate */
-    gnutls_pcert_st *cert_pgp;
-    gnutls_openpgp_crt_t *cert_crt_pgp;
-
-	/* OpenPGP Certificate Private Key */
-    gnutls_privkey_t privkey_pgp;
-#if GNUTLS_VERSION_NUMBER < 0x030312
-    /* Internal structure for the OpenPGP private key, used in the
-     * workaround for a bug in gnutls_privkey_import_openpgp_raw that
-     * frees memory that is still needed. DO NOT USE for any other
-     * purpose. */
-    gnutls_openpgp_privkey_t privkey_pgp_internal;
-#endif
-
     /* Export full certificates to CGI environment: */
     int export_certificates_size;
 	/* GnuTLS Priorities */
@@ -198,19 +161,17 @@ typedef struct {
     gnutls_dh_params_t dh_params;
 	/* A list of CA Certificates */
     gnutls_x509_crt_t *ca_list;
-	/* OpenPGP Key Ring */
-    gnutls_openpgp_keyring_t pgp_list;
 	/* CA Certificate list size */
     unsigned int ca_list_size;
 	/* Client Certificate Verification Mode */
     int client_verify_mode;
 	/* Client Certificate Verification Method */
     mgs_client_verification_method_e client_verify_method;
-	/* Last Cache timestamp */
-    apr_time_t last_cache_check;
 
     /* Enable OCSP stapling */
     unsigned char ocsp_staple;
+    /* Automatically refresh cached OCSP response? */
+    unsigned char ocsp_auto_refresh;
     /* Check nonce in OCSP responses? */
     unsigned char ocsp_check_nonce;
     /* Read OCSP response for stapling from this file instead of
@@ -220,13 +181,26 @@ typedef struct {
     mgs_ocsp_data_t ocsp;
     /* Mutex to prevent parallel OCSP requests */
     apr_global_mutex_t *ocsp_mutex;
+    /* Internal OCSP cache data */
+    mgs_cache_t ocsp_cache;
     /* Cache timeout for OCSP responses. Note that the nextUpdate
      * field of the response takes precedence if shorter. */
     apr_interval_time_t ocsp_cache_time;
     /* If an OCSP request fails wait this long before trying again. */
     apr_interval_time_t ocsp_failure_timeout;
+    /** How long before a cached OCSP response expires should it be
+     * updated? During configuration parsing this is set to the
+     * maximum, during post configuration the value will be set to
+     * half that. After each update the interval to for the next one
+     * is choosen randomly as `ocsp_fuzz_time + ocsp_fuzz_time *
+     * RANDOM` with `0 <= RANDOM <= 1`. */
+    apr_interval_time_t ocsp_fuzz_time;
     /* Socket timeout for OCSP requests */
     apr_interval_time_t ocsp_socket_timeout;
+
+    /** This module's singleton watchdog, used for async OCSP cache
+     * updates. */
+    struct mgs_watchdog *singleton_wd;
 } mgs_srvconf_rec;
 
 /* Character Buffer */
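Review bot: The doc comment added for `ocsp_fuzz_time` is hard to rely on. It contains the slips "interval to for" and "choosen", and it says the field holds the maximum during configuration parsing and half of that after post configuration, so its meaning depends on when it is read. The formula `ocsp_fuzz_time + ocsp_fuzz_time * RANDOM` reads as the interval until the next update, whereas the manual text in this same diff describes a lead time before `GnuTLSOCSPCacheTimeout` expires. I would reword it along the lines of `After post-config this holds half the configured GnuTLSOCSPFuzzTime; each refresh is scheduled ocsp_fuzz_time * (1 + RANDOM) before the cache entry expires, 0 <= RANDOM <= 1`, once that reading is confirmed against the scheduling code. The struct begins outside this hunk.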
@@ -235,7 +209,7 @@ typedef struct {
     char *value;
 } mgs_char_buffer_t;
 
-/* GnuTLS Handle */
+/** GnuTLS connection handle */
 typedef struct {
 	/* Server configuration record */
     mgs_srvconf_rec *sc;
@@ -247,6 +221,8 @@ typedef struct {
     int is_proxy;
 	/* GnuTLS Session handle */
     gnutls_session_t session;
+    /** Server name requested via SNI if any, or NULL. */
+    const char *sni_name;
 	/* module input status */
     apr_status_t input_rc;
 	/* Input filter */
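Review bot: The comment on the new `sni_name` member should say that the string comes from the client and who owns its storage. As written, `/** Server name requested via SNI if any, or NULL. */`, a reader cannot tell whether the name was matched against a configured host before being stored, or whether it lives as long as the connection. The field is presumably used for virtual-host selection, so I would extend the comment to something like `/** Server name requested via SNI if any, or NULL. Client-controlled: escape before logging, compare only against configured names. */` and add the owning pool once confirmed. The struct starts and ends outside the hunk.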
@@ -273,7 +249,8 @@ typedef struct {
     apr_size_t output_blen;
 	/* Output length */
     apr_size_t output_length;
-	/* General Status */
+    /** Connection status: 0 before (re-)handshake, 1 when up, -1 on
+     * error (checks use status < 0 or status > 0) */
     int status;
 } mgs_handle_t;
 
@@ -284,16 +261,28 @@ typedef struct {
 /* apr_signal_block() for blocking SIGPIPE */
 apr_status_t apr_signal_block(int signum);
 
- /* Proxy Support */
+/* Proxy Support */
 /* An optional function which returns non-zero if the given connection
 is using SSL/TLS. */
 APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+/* The ssl_var_lookup() optional function retrieves SSL environment
+ * variables. */
+APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
+                        (apr_pool_t *, server_rec *,
+                         conn_rec *, request_rec *,
+                         char *));
 /* The ssl_proxy_enable() and ssl_engine_disable() optional functions
  * are used by mod_proxy to enable use of SSL for outgoing
  * connections. */
 APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
 APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
+                                              ap_conf_vector_t *,
+                                              int proxy, int enable));
+mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c);
 int ssl_is_https(conn_rec *c);
+char* ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c,
+                     request_rec *r, char *var);
 int ssl_proxy_enable(conn_rec *c);
 int ssl_engine_disable(conn_rec *c);
 const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
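Review bot: `get_effective_gnutls_ctxt()` is added to the header without a comment, and callers need to know whether it can return NULL before they dereference the result, for example on a connection that mod_gnutls does not handle. A line such as `/** Returns the mod_gnutls handle in effect for c, or NULL if ... */` would settle that, with the condition filled in from the implementation. It is also the one new non-mod_ssl-compatible function in this hunk that lacks the `mgs_` prefix used elsewhere in the header. Separately, `ssl_engine_set` gets an `APR_DECLARE_OPTIONAL_FN` line but, unlike `ssl_proxy_enable` and `ssl_engine_disable`, no prototype in this hunk; if it is not defined `static` in the source file, add `int ssl_engine_set(conn_rec *, ap_conf_vector_t *, int proxy, int enable);`.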
@@ -382,15 +371,6 @@ const char *mgs_set_cert_file(cmd_parms
 const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
                              const char *arg);
 
-const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
-                                        const char *arg);
-
-const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
-                             const char *arg);
-
-const char *mgs_set_cache(cmd_parms * parms, void *dummy,
-                          const char *type, const char* arg);
-
 const char *mgs_set_timeout(cmd_parms *parms, void *dummy, const char *arg);
 
 const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
@@ -411,9 +391,6 @@ const char *mgs_set_pin(cmd_parms * parm
 const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy,
                                    const char *arg);
 
-const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
-                                   const char *arg);
-
 const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
                             const int arg);
 const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
@@ -423,8 +400,6 @@ const char *mgs_set_priorities(cmd_parms
 const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
                             const int arg);
 
-const char *mgs_set_require_section(cmd_parms *cmd,
-                                    void *mconfig, const char *arg);
 void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
 void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);
 
@@ -432,11 +407,6 @@ void *mgs_config_dir_merge(apr_pool_t *p
 
 void *mgs_config_dir_create(apr_pool_t *p, char *dir);
 
-const char *mgs_set_require_bytecode(cmd_parms *cmd,
-                                    void *mconfig, const char *arg);
-
-mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);
-
 const char *mgs_store_cred_path(cmd_parms * parms,
                                 void *dummy __attribute__((unused)),
                                 const char *arg);
@@ -459,8 +429,13 @@ apr_port_t mgs_hook_default_port(const r
 
 int mgs_hook_pre_connection(conn_rec * c, void *csd);
 
+int mgs_hook_process_connection(conn_rec* c);
+
 int mgs_hook_fixups(request_rec *r);
 
+/** Post request hook, checks if TLS connection and vhost match */
+int mgs_req_vhost_check(request_rec *r);
+
 int mgs_hook_authz(request_rec *r);
 
 #endif /*  __mod_gnutls_h_inc */
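Review bot: The comment on `mgs_req_vhost_check()` does not say what happens when the TLS connection and the request's virtual host do not match, and that outcome is what matters. The function looks like the guard against a request being served by a different virtual host than the one the handshake (certificate, client verification settings) was done for. Please state the return value for both outcomes, e.g. `/** Post read request hook: returns DECLINED if the request's vhost matches the one selected for the TLS connection, an HTTP error status otherwise */`, adjusted to what the implementation actually returns. `mgs_hook_process_connection()` is added in the same hunk with no comment at all; one line on when it runs relative to `mgs_hook_pre_connection()` would help.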
diff -pruN 0.8.2-3/m4/apr_memcache.m4 0.9.0-1/m4/apr_memcache.m4
--- 0.8.2-3/m4/apr_memcache.m4	2016-01-28 00:03:03.000000000 +0000
+++ 0.9.0-1/m4/apr_memcache.m4	1970-01-01 00:00:00.000000000 +0000
@@ -1,53 +0,0 @@
-dnl Check for memcache client libraries
-dnl CHECK_APR_MEMCACHE(ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND])
-dnl Sets:
-dnl  APR_MEMCACHE_LIBS
-dnl  APR_MEMCACHE_CFLAGS
-AC_DEFUN([CHECK_APR_MEMCACHE],
-[dnl
-
-AC_ARG_WITH(
-	[apu-config],
-	[AC_HELP_STRING([--with-apu-config=PATH],[Path to APR Utility Library config tool (apu-1-config)])],
-	[apr_util_config="$withval"],
-	[])
-
-AC_LIBTOOL_SYS_DYNAMIC_LINKER
-
-save_CFLAGS=$CFLAGS
-save_LDFLAGS=$LDFLAGS
-
-dnl # If path to apu-1-config hasn't been set explicitly, try to find it
-if test -z "$apr_util_config"; then
-	AC_PATH_PROGS([APR_UTIL_CONF], [apu-1-config], [no], [$PATH:/usr/sbin])
-else
-	AC_MSG_NOTICE([using apu-1-config path set by user: $apr_util_config])
-	APR_UTIL_CONF="$apr_util_config"
-fi
-
-CFLAGS="`$APR_UTIL_CONF --includes` $CFLAGS"
-LDFLAGS="`$APR_UTIL_CONF --link-ld` $LDFLAGS"
-
-AC_CHECK_LIB(
-	aprutil-1,
-	apr_memcache_create,
-	[
-		APR_MEMCACHE_LIBS="`$APR_UTIL_CONF --link-ld`"
-		APR_MEMCACHE_CFLAGS="`$APR_UTIL_CONF --includes`"
-	]
-)
-
-CFLAGS=$save_CFLAGS
-LDFLAGS=$save_LDFLAGS
-
-AC_SUBST(APR_MEMCACHE_LIBS)
-AC_SUBST(APR_MEMCACHE_CFLAGS)
-
-if test -z "${APR_MEMCACHE_LIBS}"; then
-  AC_MSG_NOTICE([*** memcache library not found.])
-  ifelse([$2], , AC_MSG_ERROR([memcache library is required]), $2)
-else
-  AC_MSG_NOTICE([using '${APR_MEMCACHE_LIBS}' for memcache])
-  ifelse([$1], , , $1) 
-fi 
-])
diff -pruN 0.8.2-3/m4/libtool.m4 0.9.0-1/m4/libtool.m4
--- 0.8.2-3/m4/libtool.m4	2017-01-08 14:07:40.000000000 +0000
+++ 0.9.0-1/m4/libtool.m4	2019-01-23 20:15:43.000000000 +0000
@@ -6438,7 +6438,7 @@ if test yes != "$_lt_caught_CXX_error";
       # Commands to make compiler produce verbose output that lists
       # what "hidden" libraries, object files and flags are used when
       # linking a shared library.
-      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
 
     else
       GXX=no
@@ -6813,7 +6813,7 @@ if test yes != "$_lt_caught_CXX_error";
             # explicitly linking system object files so we need to strip them
             # from the output so that they don't get included in the library
             # dependencies.
-            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
+            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
             ;;
           *)
             if test yes = "$GXX"; then
@@ -6878,7 +6878,7 @@ if test yes != "$_lt_caught_CXX_error";
 	    # explicitly linking system object files so we need to strip them
 	    # from the output so that they don't get included in the library
 	    # dependencies.
-	    output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
+	    output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
 	    ;;
           *)
 	    if test yes = "$GXX"; then
@@ -7217,7 +7217,7 @@ if test yes != "$_lt_caught_CXX_error";
 	      # Commands to make compiler produce verbose output that lists
 	      # what "hidden" libraries, object files and flags are used when
 	      # linking a shared library.
-	      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+	      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
 
 	    else
 	      # FIXME: insert proper C++ library support
@@ -7301,7 +7301,7 @@ if test yes != "$_lt_caught_CXX_error";
 	        # Commands to make compiler produce verbose output that lists
 	        # what "hidden" libraries, object files and flags are used when
 	        # linking a shared library.
-	        output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+	        output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
 	      else
 	        # g++ 2.7 appears to require '-G' NOT '-shared' on this
 	        # platform.
@@ -7312,7 +7312,7 @@ if test yes != "$_lt_caught_CXX_error";
 	        # Commands to make compiler produce verbose output that lists
 	        # what "hidden" libraries, object files and flags are used when
 	        # linking a shared library.
-	        output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
+	        output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"'
 	      fi
 
 	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R $wl$libdir'
diff -pruN 0.8.2-3/Makefile.am 0.9.0-1/Makefile.am
--- 0.8.2-3/Makefile.am	2016-12-25 18:36:37.000000000 +0000
+++ 0.9.0-1/Makefile.am	2018-12-12 20:54:54.000000000 +0000
@@ -1,13 +1,13 @@
 AUTOMAKE_OPTIONS = foreign dist-bzip2 no-dist-gzip
 
 EXTRA_DIST = m4/outoforder.m4 m4/apache.m4 \
-		m4/apr_memcache.m4 \
 		m4/apache_test.m4  \
 		include/mod_gnutls.h.in \
 		README CHANGELOG \
 		NOTICE LICENSE
 
-AM_DISTCHECK_CONFIGURE_FLAGS = "--enable-vpath-install"
+AM_DISTCHECK_CONFIGURE_FLAGS = "--enable-vpath-install" \
+	"SOFTHSM_LIB='$(SOFTHSM_LIB)'"
 DISTCLEANFILES = config.nice
 MOSTLYCLEANFILES = $(DX_CLEANFILES)
 
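Review bot: The new `"SOFTHSM_LIB='$(SOFTHSM_LIB)'"` entry in `AM_DISTCHECK_CONFIGURE_FLAGS` has no comment saying why distcheck's nested configure run needs it. A line such as `# Reuse the SoftHSM library path found by the outer configure run for distcheck` above the assignment would record the intent. The flag is passed even when `SOFTHSM_LIB` is empty, and whether an explicit empty value changes detection in the nested configure cannot be seen from this hunk. The value is expanded inside single quotes on a shell command line, so a path containing a single quote would break the quoting; that is probably acceptable for a path chosen by whoever runs configure, but it is worth knowing.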
diff -pruN 0.8.2-3/Makefile.in 0.9.0-1/Makefile.in
--- 0.8.2-3/Makefile.in	2017-01-08 14:08:05.000000000 +0000
+++ 0.9.0-1/Makefile.in	2019-01-23 20:15:47.000000000 +0000
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.15 from Makefile.am.
+# Makefile.in generated by automake 1.16.1 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+# Copyright (C) 1994-2018 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -92,7 +92,6 @@ subdir = .
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/apache.m4 \
 	$(top_srcdir)/m4/apache_test.m4 \
-	$(top_srcdir)/m4/apr_memcache.m4 \
 	$(top_srcdir)/m4/ax_prog_doxygen.m4 \
 	$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
 	$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
@@ -106,7 +105,8 @@ am__CONFIG_DISTCLEAN_FILES = config.stat
  configure.lineno config.status.lineno
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/mod_gnutls_config.h
-CONFIG_CLEAN_FILES = include/mod_gnutls.h test/apache-conf/listen.conf \
+CONFIG_CLEAN_FILES = include/mod_gnutls.h \
+	test/apache-conf/early_sni.conf test/apache-conf/listen.conf \
 	test/apache-conf/netns.conf
 CONFIG_CLEAN_VPATH_FILES =
 AM_V_P = $(am__v_P_@AM_V@)
@@ -143,7 +143,7 @@ am__recursive_targets = \
   $(RECURSIVE_CLEAN_TARGETS) \
   $(am__extra_recursive_targets)
 AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
-	cscope distdir dist dist-all distcheck
+	cscope distdir distdir-am dist dist-all distcheck
 am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) \
 	$(LISP)config.in
 # Read a list of newline-separated strings from the standard input,
@@ -172,6 +172,7 @@ am__DIST_COMMON = $(srcdir)/Makefile.in
 	$(top_srcdir)/config/install-sh $(top_srcdir)/config/ltmain.sh \
 	$(top_srcdir)/config/missing \
 	$(top_srcdir)/include/mod_gnutls.h.in \
+	$(top_srcdir)/test/apache-conf/early_sni.conf.in \
 	$(top_srcdir)/test/apache-conf/listen.conf.in \
 	$(top_srcdir)/test/apache-conf/netns.conf.in README \
 	config/compile config/config.guess config/config.sub \
@@ -228,9 +229,6 @@ APR_INCLUDES = @APR_INCLUDES@
 APR_LDFLAGS = @APR_LDFLAGS@
 APR_LIBS = @APR_LIBS@
 APR_LIBTOOL = @APR_LIBTOOL@
-APR_MEMCACHE_CFLAGS = @APR_MEMCACHE_CFLAGS@
-APR_MEMCACHE_LIBS = @APR_MEMCACHE_LIBS@
-APR_UTIL_CONF = @APR_UTIL_CONF@
 APU_INCLUDES = @APU_INCLUDES@
 APU_LDFLAGS = @APU_LDFLAGS@
 APU_LIBS = @APU_LIBS@
@@ -294,6 +292,7 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ENABLE_EARLY_SNI = @ENABLE_EARLY_SNI@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 FLOCK = @FLOCK@
@@ -353,6 +352,9 @@ SOFTHSM_LIB = @SOFTHSM_LIB@
 SOFTHSM_MAJOR_VERSION = @SOFTHSM_MAJOR_VERSION@
 STRIP = @STRIP@
 TEST_HOST = @TEST_HOST@
+TEST_IP = @TEST_IP@
+TEST_LOCK_WAIT = @TEST_LOCK_WAIT@
+TEST_QUERY_TIMEOUT = @TEST_QUERY_TIMEOUT@
 UNSHARE = @UNSHARE@
 VERSION = @VERSION@
 abs_builddir = @abs_builddir@
@@ -379,7 +381,6 @@ datarootdir = @datarootdir@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_apr_memcache = @have_apr_memcache@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -415,13 +416,14 @@ top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 AUTOMAKE_OPTIONS = foreign dist-bzip2 no-dist-gzip
 EXTRA_DIST = m4/outoforder.m4 m4/apache.m4 \
-		m4/apr_memcache.m4 \
 		m4/apache_test.m4  \
 		include/mod_gnutls.h.in \
 		README CHANGELOG \
 		NOTICE LICENSE
 
-AM_DISTCHECK_CONFIGURE_FLAGS = "--enable-vpath-install"
+AM_DISTCHECK_CONFIGURE_FLAGS = "--enable-vpath-install" \
+	"SOFTHSM_LIB='$(SOFTHSM_LIB)'"
+
 DISTCLEANFILES = config.nice
 MOSTLYCLEANFILES = $(DX_CLEANFILES)
 SUBDIRS = src test doc
@@ -450,8 +452,8 @@ Makefile: $(srcdir)/Makefile.in $(top_bu
 	    echo ' $(SHELL) ./config.status'; \
 	    $(SHELL) ./config.status;; \
 	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__maybe_remake_depfiles)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__maybe_remake_depfiles);; \
 	esac;
 
 $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
@@ -479,6 +481,8 @@ distclean-hdr:
 	-rm -f include/mod_gnutls_config.h include/stamp-h1
 include/mod_gnutls.h: $(top_builddir)/config.status $(top_srcdir)/include/mod_gnutls.h.in
 	cd $(top_builddir) && $(SHELL) ./config.status $@
+test/apache-conf/early_sni.conf: $(top_builddir)/config.status $(top_srcdir)/test/apache-conf/early_sni.conf.in
+	cd $(top_builddir) && $(SHELL) ./config.status $@
 test/apache-conf/listen.conf: $(top_builddir)/config.status $(top_srcdir)/test/apache-conf/listen.conf.in
 	cd $(top_builddir) && $(SHELL) ./config.status $@
 test/apache-conf/netns.conf: $(top_builddir)/config.status $(top_srcdir)/test/apache-conf/netns.conf.in
@@ -599,7 +603,10 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 	-rm -f cscope.out cscope.in.out cscope.po.out cscope.files
 
-distdir: $(DISTFILES)
+distdir: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
 	$(am__remove_distdir)
 	test -d "$(distdir)" || mkdir "$(distdir)"
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
@@ -664,7 +671,7 @@ distdir: $(DISTFILES)
 	  ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
 	|| chmod -R a+r "$(distdir)"
 dist-gzip: distdir
-	tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
+	tardir=$(distdir) && $(am__tar) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).tar.gz
 	$(am__post_remove_distdir)
 dist-bzip2: distdir
 	tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2
@@ -689,7 +696,7 @@ dist-shar: distdir
 	@echo WARNING: "Support for shar distribution archives is" \
 	               "deprecated." >&2
 	@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
-	shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
+	shar $(distdir) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).shar.gz
 	$(am__post_remove_distdir)
 
 dist-zip: distdir
@@ -707,7 +714,7 @@ dist dist-all:
 distcheck: dist
 	case '$(DIST_ARCHIVES)' in \
 	*.tar.gz*) \
-	  GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\
+	  eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).tar.gz | $(am__untar) ;;\
 	*.tar.bz2*) \
 	  bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
 	*.tar.lz*) \
@@ -717,7 +724,7 @@ distcheck: dist
 	*.tar.Z*) \
 	  uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
 	*.shar.gz*) \
-	  GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\
+	  eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\
 	*.zip*) \
 	  unzip $(distdir).zip ;;\
 	esac
diff -pruN 0.8.2-3/README 0.9.0-1/README
--- 0.8.2-3/README	2016-12-25 18:36:37.000000000 +0000
+++ 0.9.0-1/README	2018-04-19 18:01:35.000000000 +0000
@@ -9,7 +9,7 @@ Mailing List:
 
 Lead Maintainer:
 
-  Thomas Klute <thomas2.klute@uni-dortmund.de>
+  Fiona Klute <fiona.klute@gmx.de>
 
 Past maintainers and other contributors:
 
@@ -22,7 +22,7 @@ Prerequisites
 -------------
 
  * GnuTLS          >= 3.3 <https://www.gnutls.org/> (3.4 or newer recommended)
- * Apache HTTPD    >= 2.4 <https://httpd.apache.org/>
+ * Apache HTTPD    >= 2.4.17 <https://httpd.apache.org/>
  * autotools, GNU make, & GCC
  * libmsv          >= 0.1 (Optional, enable with ./configure --enable-msva)
  * pandoc   (for documentation, optional)
diff -pruN 0.8.2-3/src/gnutls_cache.c 0.9.0-1/src/gnutls_cache.c
--- 0.8.2-3/src/gnutls_cache.c	2016-12-25 18:36:37.000000000 +0000
+++ 0.9.0-1/src/gnutls_cache.c	2018-11-28 05:37:07.000000000 +0000
@@ -2,7 +2,7 @@
  *  Copyright 2004-2005 Paul Querna
  *  Copyright 2008 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
- *  Copyright 2015-2016 Thomas Klute
+ *  Copyright 2015-2018 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -20,55 +20,35 @@
 /**
  * @file gnutls_cache.c
  *
- * The signatures of the `(dbm|mc)_cache_...()` functions may be a bit
- * confusing: "store" and "expire" take a server_rec, "fetch" an
- * mgs_handle_t, and "delete" the `void*` required for a
- * `gnutls_db_remove_func`. The first two have matching `..._session`
- * functions to fit their respective GnuTLS session cache signatures.
- *
- * This is because "store", "expire" (dbm only), and "fetch" are also
- * needed for the OCSP cache. Their `..._session` variants have been
- * created to take care of the session cache specific parts, mainly
- * calculating the DB key from the session ID. They have to match the
- * appropriate GnuTLS DB function signatures.
- *
- * Additionally, there are the `mc_cache_(store|fetch)_generic()`
- * functions. They exist because memcached requires string keys while
- * DBM accepts binary keys, and provide wrappers to turn binary keys
- * into hex strings with a `mod_gnutls:` prefix.
- *
- * To update cached OCSP responses independent of client connections,
- * "store" and "expire" have to work without a connection context. On
- * the other hand "fetch" does not need to do that, because cached
- * OCSP responses will be retrieved for use in client connections.
+ * This file contains the cache implementation used for session
+ * caching and OCSP stapling. The `socache_*_session` functions
+ * implement the GnuTLS session cache API using the configured cache,
+ * using mgs_cache_store() and mgs_cache_fetch() as appropriate (see
+ * gnutls_cache.h).
  */
 
 #include "gnutls_cache.h"
 #include "mod_gnutls.h"
 #include "gnutls_config.h"
+#include "gnutls_ocsp.h"
 
-#if HAVE_APR_MEMCACHE
-#include "apr_memcache.h"
-#endif
-
-#include "apr_dbm.h"
+#include <ap_socache.h>
+#include <apr_strings.h>
+#include <mod_status.h>
 #include <apr_escape.h>
-
-#include "ap_mpm.h"
 #include <util_mutex.h>
 
-#include <unistd.h>
-#include <sys/types.h>
-
-#if !defined(OS2) && !defined(WIN32) && !defined(BEOS) && !defined(NETWARE)
-#include "unixd.h"
-#endif
-
 /** Default session cache timeout */
 #define MGS_DEFAULT_CACHE_TIMEOUT 300
 
-/** Prefix for keys used with a memcached cache */
-#define MC_TAG "mod_gnutls:"
+/** Session cache name */
+#define MGS_SESSION_CACHE_NAME "gnutls_session"
+
+/** Default type for OCSP cache */
+#define DEFAULT_OCSP_CACHE_TYPE "shmcb"
+/** Default config string for OCSP cache */
+#define DEFAULT_OCSP_CACHE_CONF "gnutls_ocsp_cache"
+
 /** Maximum length of the hex string representation of a GnuTLS
  * session ID: two characters per byte, plus one more for `\0` */
 #if GNUTLS_VERSION_NUMBER >= 0x030400
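Review bot: The new macros `DEFAULT_OCSP_CACHE_TYPE` and `DEFAULT_OCSP_CACHE_CONF` lack the `MGS_` prefix carried by `MGS_DEFAULT_CACHE_TIMEOUT` and by `MGS_SESSION_CACHE_NAME`, which is added just above them. Naming them `MGS_DEFAULT_OCSP_CACHE_TYPE` and `MGS_DEFAULT_OCSP_CACHE_CONF` would keep the file consistent and lower the chance of a clash with the newly included `ap_socache.h` and `mod_status.h`. The comment on the config string could also say that the value is interpreted by the socache provider, presumably through the provider's `create` call as in `mgs_cache_inst_config` later in this file, so a reader knows where its format is defined.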
@@ -77,16 +57,12 @@
 #define GNUTLS_SESSION_ID_STRING_LEN ((GNUTLS_MAX_SESSION_ID * 2) + 1)
 #endif
 
-#if MODULE_MAGIC_NUMBER_MAJOR < 20081201
-#define ap_unixd_config unixd_config
-#endif
-
 #ifdef APLOG_USE_MODULE
 APLOG_USE_MODULE(gnutls);
 #endif
 
 /**
- * Turn a GnuTLS session ID into the key format we use with DBM
+ * Turn a GnuTLS session ID into the key format we use for
  * caches. Name the Session ID as `server:port.SessionID` to disallow
  * resuming sessions on different servers.
  *
@@ -128,659 +104,438 @@ char *mgs_time2sz(time_t in_time, char *
     return str;
 }
 
-#if HAVE_APR_MEMCACHE
 
-/**
- * Turn a GnuTLS session ID into the key format we use with memcached
- * caches. Name the Session ID as `server:port.SessionID` to disallow
- * resuming sessions on different servers.
- *
- * @return `0` on success, `-1` on failure
- */
-static char *mgs_session_id2mc(conn_rec * c, unsigned char *id, int idlen)
-{
-    char sz[GNUTLS_SESSION_ID_STRING_LEN];
-    apr_status_t rv = apr_escape_hex(sz, id, idlen, 0, NULL);
-    if (rv != APR_SUCCESS)
-        return NULL;
-
-    return apr_psprintf(c->pool, MC_TAG "%s:%d.%s",
-            c->base_server->server_hostname,
-            c->base_server->port, sz);
-}
-
-/**
- * GnuTLS Session Cache using libmemcached
- *
- */
-
-/* The underlying apr_memcache system is thread safe... woohoo */
-static apr_memcache_t *mc;
-
-static int mc_cache_child_init(apr_pool_t * p, server_rec * s,
-        mgs_srvconf_rec * sc) {
-    apr_status_t rv = APR_SUCCESS;
-    int thread_limit = 0;
-    int nservers = 0;
-    char *cache_config;
-    char *split;
-    char *tok;
-
-    ap_mpm_query(AP_MPMQ_HARD_LIMIT_THREADS, &thread_limit);
-
-    /* Find all the servers in the first run to get a total count */
-    cache_config = apr_pstrdup(p, sc->cache_config);
-    split = apr_strtok(cache_config, " ", &tok);
-    while (split) {
-        nservers++;
-        split = apr_strtok(NULL, " ", &tok);
-    }
-
-    rv = apr_memcache_create(p, nservers, 0, &mc);
-    if (rv != APR_SUCCESS) {
-        ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
-                     "Failed to create Memcache object of size '%d'.",
-                     nservers);
-        return rv;
-    }
-
-    /* Now add each server to the memcache */
-    cache_config = apr_pstrdup(p, sc->cache_config);
-    split = apr_strtok(cache_config, " ", &tok);
-    while (split) {
-        apr_memcache_server_t *st;
-        char *host_str;
-        char *scope_id;
-        apr_port_t port;
-
-        rv = apr_parse_addr_port(&host_str, &scope_id, &port,
-                split, p);
-        if (rv != APR_SUCCESS) {
-            ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
-                         "Failed to parse server: '%s'", split);
-            return rv;
-        }
-
-        if (host_str == NULL) {
-            ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
-                         "Failed to parse server, "
-                         "no hostname specified: '%s'", split);
-            return rv;
-        }
 
-        if (port == 0) {
-            port = 11211; /* default port */
-        }
-
-        /* Should Max Conns be (thread_limit / nservers) ? */
-        rv = apr_memcache_server_create(p,
-                host_str, port,
-                0,
-                1, thread_limit, 600, &st);
-        if (rv != APR_SUCCESS) {
-            ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
-                         "Failed to create server: %s:%d",
-                         host_str, port);
-            return rv;
-        }
-
-        rv = apr_memcache_add_server(mc, st);
-        if (rv != APR_SUCCESS) {
-            ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
-                         "Failed to add server: %s:%d",
-                         host_str, port);
-            return rv;
-        }
-
-        split = apr_strtok(NULL, " ", &tok);
-    }
-    return rv;
-}
-
-static int mc_cache_store(server_rec *s, const char *key,
-                          gnutls_datum_t data, apr_uint32_t timeout)
+int mgs_cache_store(mgs_cache_t cache, server_rec *server,
+                    gnutls_datum_t key, gnutls_datum_t data,
+                    apr_time_t expiry)
 {
-    apr_status_t rv = apr_memcache_set(mc, key, (char *) data.data,
-                                       data.size, timeout, 0);
+    apr_pool_t *spool;
+    apr_pool_create(&spool, NULL);
+
+    if (cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+        apr_global_mutex_lock(cache->mutex);
+    apr_status_t rv = cache->prov->store(cache->socache, server,
+                                         key.data, key.size,
+                                         expiry,
+                                         data.data, data.size,
+                                         spool);
+    if (cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+        apr_global_mutex_unlock(cache->mutex);
 
     if (rv != APR_SUCCESS)
     {
-        ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
-                     "error storing key '%s' with %d bytes of data",
-                     key, data.size);
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, server,
+                     "error storing in cache '%s:%s'",
+                     cache->prov->name, cache->config);
+        apr_pool_destroy(spool);
         return -1;
     }
 
+    ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, server,
+                 "stored %u bytes of data (%u byte key) in cache '%s:%s'",
+                 data.size, key.size,
+                 cache->prov->name, cache->config);
+    apr_pool_destroy(spool);
     return 0;
 }
 
-static int mc_cache_store_generic(server_rec *s, gnutls_datum_t key,
-                                  gnutls_datum_t data, apr_time_t expiry)
-{
-    apr_uint32_t timeout = apr_time_sec(expiry - apr_time_now());
-
-    apr_pool_t *p;
-    apr_pool_create(&p, NULL);
-
-    const char *hex = apr_pescape_hex(p, key.data, key.size, 1);
-    if (hex == NULL)
-    {
-        apr_pool_destroy(p);
-        return -1;
-    }
 
-    const char *strkey = apr_psprintf(p, MC_TAG "%s", hex);
 
-    int ret = mc_cache_store(s, strkey, data, timeout);
-
-    apr_pool_destroy(p);
-    return ret;
-}
-
-static int mc_cache_store_session(void *baton, gnutls_datum_t key,
-                                  gnutls_datum_t data)
+/**
+ * Store function for the GnuTLS session cache, see
+ * gnutls_db_set_store_function().
+ *
+ * @param baton mgs_handle_t for the connection, as set via
+ * gnutls_db_set_ptr()
+ *
+ * @param key object key to store
+ *
+ * @param data the object to store
+ *
+ * @return `0` in case of success, `-1` in case of failure
+ */
+static int socache_store_session(void *baton, gnutls_datum_t key,
+                                 gnutls_datum_t data)
 {
     mgs_handle_t *ctxt = baton;
+    gnutls_datum_t dbmkey;
 
-    const char *strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
-    if (!strkey)
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
         return -1;
 
-    apr_uint32_t timeout = apr_time_sec(ctxt->sc->cache_timeout);
+    apr_time_t expiry = apr_time_now() + ctxt->sc->cache_timeout;
 
-    return mc_cache_store(ctxt->c->base_server, strkey, data, timeout);
+    return mgs_cache_store(ctxt->sc->cache, ctxt->c->base_server,
+                           dbmkey, data, expiry);
 }
 
-static gnutls_datum_t mc_cache_fetch(conn_rec *c, const char *key)
+
+
+/** 8K is the maximum size accepted when receiving OCSP responses,
+ * sessions cache entries should be much smaller. The buffer is
+ * reallocated to actual size after fetching, so memory waste is
+ * minimal and temporary. */
+#define SOCACHE_FETCH_BUF_SIZE (8 * 1024)
+
+gnutls_datum_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server,
+                               gnutls_datum_t key, apr_pool_t *pool)
 {
-    apr_status_t rv = APR_SUCCESS;
-    char *value;
-    apr_size_t value_len;
     gnutls_datum_t data = {NULL, 0};
+    data.data = gnutls_malloc(SOCACHE_FETCH_BUF_SIZE);
+    if (data.data == NULL)
+        return data;
+    data.size = SOCACHE_FETCH_BUF_SIZE;
 
-    rv = apr_memcache_getp(mc, c->pool, key, &value, &value_len, NULL);
+    apr_pool_t *spool;
+    apr_pool_create(&spool, pool);
+
+    if (cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+        apr_global_mutex_lock(cache->mutex);
+    apr_status_t rv = cache->prov->retrieve(cache->socache, server,
+                                            key.data, key.size,
+                                            data.data, &data.size,
+                                            spool);
+    if (cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+        apr_global_mutex_unlock(cache->mutex);
 
     if (rv != APR_SUCCESS)
     {
-#if MOD_GNUTLS_DEBUG
-        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, rv, c,
-                      "error fetching key '%s'",
-                      key);
-#endif
-        return data;
+        /* APR_NOTFOUND means there's no such object. */
+        if (rv == APR_NOTFOUND)
+            ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, server,
+                         "requested entry not found in cache '%s:%s'.",
+                         cache->prov->name, cache->config);
+        else
+            ap_log_error(APLOG_MARK, APLOG_WARNING, rv, server,
+                         "error fetching from cache '%s:%s'",
+                         cache->prov->name, cache->config);
+        /* free unused buffer */
+        gnutls_free(data.data);
+        data.data = NULL;
+        data.size = 0;
     }
-
-    /* TODO: Eliminate this memcpy. gnutls-- */
-    data.data = gnutls_malloc(value_len);
-    if (data.data == NULL)
-        return data;
-
-    data.size = value_len;
-    memcpy(data.data, value, value_len);
+    else
+    {
+        ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, server,
+                     "fetched %u bytes from cache '%s:%s'",
+                     data.size, cache->prov->name, cache->config);
+
+        /* Realloc buffer to data.size. Data size must be less than or
+         * equal to the initial buffer size, so this REALLY should not
+         * fail. */
+        data.data = gnutls_realloc(data.data, data.size);
+        if (__builtin_expect(data.data == NULL, 0))
+        {
+            ap_log_error(APLOG_MARK, APLOG_CRIT, APR_ENOMEM, server,
+                         "%s: Could not realloc fetch buffer to data size!",
+                         __func__);
+            data.size = 0;
+        }
+    }
+    apr_pool_destroy(spool);
 
     return data;
 }
 
-static gnutls_datum_t mc_cache_fetch_generic(mgs_handle_t *ctxt,
-                                             gnutls_datum_t key)
-{
-    gnutls_datum_t data = {NULL, 0};
-    const char *hex = apr_pescape_hex(ctxt->c->pool, key.data, key.size, 1);
-    if (hex == NULL)
-        return data;
 
-    const char *strkey = apr_psprintf(ctxt->c->pool, MC_TAG "%s", hex);
-    return mc_cache_fetch(ctxt->c, strkey);
-}
 
-static gnutls_datum_t mc_cache_fetch_session(void *baton, gnutls_datum_t key)
+/**
+ * Fetch function for the GnuTLS session cache, see
+ * gnutls_db_set_retrieve_function().
+ *
+ * *Warning*: The `data` element of the returned `gnutls_datum_t` is
+ * allocated using `gnutls_malloc()` for compatibility with the GnuTLS
+ * session caching API, and must be released using `gnutls_free()`.
+ *
+ * @param baton mgs_handle_t for the connection, as set via
+ * gnutls_db_set_ptr()
+ *
+ * @param key object key to fetch
+ *
+ * @return the requested cache entry, or `{NULL, 0}`
+ */
+static gnutls_datum_t socache_fetch_session(void *baton, gnutls_datum_t key)
 {
-    mgs_handle_t *ctxt = baton;
     gnutls_datum_t data = {NULL, 0};
+    gnutls_datum_t dbmkey;
+    mgs_handle_t *ctxt = baton;
 
-    const char *strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
-    if (!strkey)
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
         return data;
 
-    return mc_cache_fetch(ctxt->c, strkey);
+    return mgs_cache_fetch(ctxt->sc->cache, ctxt->c->base_server,
+                           dbmkey, ctxt->c->pool);
 }
 
-static int mc_cache_delete(void *baton, gnutls_datum_t key) {
-    apr_status_t rv = APR_SUCCESS;
+
+
+/**
+ * Remove function for the GnuTLS session cache, see
+ * gnutls_db_set_remove_function().
+ *
+ * @param baton mgs_handle_t for the connection, as set via
+ * gnutls_db_set_ptr()
+ *
+ * @param key object key to remove
+ *
+ * @return `0` in case of success, `-1` in case of failure
+ */
+static int socache_delete_session(void *baton, gnutls_datum_t key)
+{
+    gnutls_datum_t tmpkey;
     mgs_handle_t *ctxt = baton;
-    char *strkey = NULL;
 
-    strkey = mgs_session_id2mc(ctxt->c, key.data, key.size);
-    if (!strkey)
+    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &tmpkey) < 0)
         return -1;
 
-    rv = apr_memcache_delete(mc, strkey, 0);
+    if (ctxt->sc->cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+        apr_global_mutex_lock(ctxt->sc->cache->mutex);
+    apr_status_t rv = ctxt->sc->cache->prov->remove(ctxt->sc->cache->socache,
+                                                    ctxt->c->base_server,
+                                                    key.data, key.size,
+                                                    ctxt->c->pool);
+    if (ctxt->sc->cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+        apr_global_mutex_unlock(ctxt->sc->cache->mutex);
 
     if (rv != APR_SUCCESS) {
-        ap_log_error(APLOG_MARK, APLOG_DEBUG, rv,
+        ap_log_error(APLOG_MARK, APLOG_NOTICE, rv,
                      ctxt->c->base_server,
-                     "error deleting key '%s'",
-                     strkey);
+                     "error deleting from cache '%s:%s'",
+                     ctxt->sc->cache->prov->name, ctxt->sc->cache->config);
         return -1;
     }
-
     return 0;
 }
 
-#endif	/* have_apr_memcache */
-
-static const char *db_type(mgs_srvconf_rec * sc) {
-    if (sc->cache_type == mgs_cache_gdbm)
-        return "gdbm";
-    else
-        return "db";
-}
-
-#define SSL_DBM_FILE_MODE ( APR_UREAD | APR_UWRITE | APR_GREAD | APR_WREAD )
-
-static void dbm_cache_expire(server_rec *s)
-{
-    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-        ap_get_module_config(s->module_config, &gnutls_module);
-
-    apr_status_t rv;
-    apr_dbm_t *dbm;
-    apr_datum_t dbmkey;
-    apr_datum_t dbmval;
-    apr_time_t dtime;
-    apr_pool_t *spool;
-    int total, deleted;
-
-    apr_time_t now = apr_time_now();
-
-    if (now - sc->last_cache_check < (sc->cache_timeout) / 2)
-        return;
-
-    sc->last_cache_check = now;
-
-    apr_pool_create(&spool, NULL);
-
-    total = 0;
-    deleted = 0;
 
-    apr_global_mutex_lock(sc->cache->mutex);
 
-    rv = apr_dbm_open_ex(&dbm, db_type(sc),
-            sc->cache_config, APR_DBM_RWCREATE,
-            SSL_DBM_FILE_MODE, spool);
-    if (rv != APR_SUCCESS) {
-        ap_log_error(APLOG_MARK, APLOG_NOTICE, rv, s,
-                     "error opening cache '%s'",
-                     sc->cache_config);
-        apr_global_mutex_unlock(sc->cache->mutex);
-        apr_pool_destroy(spool);
-        return;
+const char *mgs_cache_inst_config(mgs_cache_t *cache, server_rec *server,
+                                  const char* type, const char* config,
+                                  apr_pool_t *pconf, apr_pool_t *ptemp)
+{
+    /* Allocate cache structure, will be assigned to *cache after
+     * successful configuration. */
+    mgs_cache_t c = apr_pcalloc(pconf, sizeof(struct mgs_cache));
+    if (c == NULL)
+        return "Could not allocate memory for cache configuration!";
+
+    /* Find the right socache provider */
+    c->prov = ap_lookup_provider(AP_SOCACHE_PROVIDER_GROUP,
+                                 type,
+                                 AP_SOCACHE_PROVIDER_VERSION);
+    if (c->prov == NULL)
+    {
+        return apr_psprintf(ptemp,
+                            "Could not find socache provider '%s', please "
+                            "make sure that the provider name is valid and "
+                            "the appropriate module is loaded (maybe "
+                            "mod_socache_%s.so?).",
+                            type, type);
     }
 
-    apr_dbm_firstkey(dbm, &dbmkey);
-    while (dbmkey.dptr != NULL) {
-        apr_dbm_fetch(dbm, dbmkey, &dbmval);
-        if (dbmval.dptr != NULL
-                && dbmval.dsize >= sizeof (apr_time_t)) {
-            memcpy(&dtime, dbmval.dptr, sizeof (apr_time_t));
-
-            if (now >= dtime) {
-                apr_dbm_delete(dbm, dbmkey);
-                deleted++;
-            }
-            apr_dbm_freedatum(dbm, dbmval);
-        } else {
-            apr_dbm_delete(dbm, dbmkey);
-            deleted++;
-        }
-        total++;
-        apr_dbm_nextkey(dbm, &dbmkey);
-    }
-    apr_dbm_close(dbm);
+    /* shmcb works fine with NULL, but make sure there's a valid (if
+     * empty) string for logging */
+    if (config != NULL)
+        c->config = apr_pstrdup(pconf, config);
+    else
+        c->config = "";
 
-    rv = apr_global_mutex_unlock(sc->cache->mutex);
+    /* Create and configure the cache instance. */
+    const char *err = c->prov->create(&c->socache, c->config, ptemp, pconf);
+    if (err != NULL)
+    {
+        return apr_psprintf(ptemp,
+                            "Creating cache '%s:%s' failed: %s",
+                            c->prov->name, c->config, err);
+    }
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, server,
+                 "%s: Socache '%s:%s' created.",
+                 __func__, c->prov->name, c->config);
 
-    ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, s,
-                 "Cleaned up cache '%s'. Deleted %d and left %d",
-                 sc->cache_config, deleted, total - deleted);
+    /* assign configured cache structure to server */
+    *cache = c;
 
-    apr_pool_destroy(spool);
-
-    return;
+    return NULL;
 }
 
-static gnutls_datum_t dbm_cache_fetch(mgs_handle_t *ctxt, gnutls_datum_t key)
-{
-    gnutls_datum_t data = {NULL, 0};
-    apr_dbm_t *dbm;
-    apr_datum_t dbmkey = {(char*) key.data, key.size};
-    apr_datum_t dbmval;
-    apr_time_t expiry = 0;
-    apr_status_t rv;
-
-    /* check if it is time for cache expiration */
-    dbm_cache_expire(ctxt->c->base_server);
-
-    apr_global_mutex_lock(ctxt->sc->cache->mutex);
-
-    rv = apr_dbm_open_ex(&dbm, db_type(ctxt->sc),
-            ctxt->sc->cache_config, APR_DBM_READONLY,
-            SSL_DBM_FILE_MODE, ctxt->c->pool);
-    if (rv != APR_SUCCESS) {
-        ap_log_cerror(APLOG_MARK, APLOG_NOTICE, rv, ctxt->c,
-                      "error opening cache '%s'",
-                      ctxt->sc->cache_config);
-        apr_global_mutex_unlock(ctxt->sc->cache->mutex);
-        return data;
-    }
-
-    rv = apr_dbm_fetch(dbm, dbmkey, &dbmval);
-
-    if (rv != APR_SUCCESS)
-        goto close_db;
 
-    if (dbmval.dptr == NULL || dbmval.dsize <= sizeof (apr_time_t))
-        goto cleanup;
 
-    data.size = dbmval.dsize - sizeof (apr_time_t);
-    /* get data expiration tag */
-    expiry = *((apr_time_t *) dbmval.dptr);
-
-    data.data = gnutls_malloc(data.size);
-    if (data.data == NULL)
-    {
-        data.size = 0;
-        goto cleanup;
-    }
-
-    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, rv, ctxt->c,
-                  "fetched %" APR_SIZE_T_FMT " bytes from cache",
-                  dbmval.dsize);
-
-    memcpy(data.data, dbmval.dptr + sizeof (apr_time_t), data.size);
-
- cleanup:
-    apr_dbm_freedatum(dbm, dbmval);
- close_db:
-    apr_dbm_close(dbm);
-    apr_global_mutex_unlock(ctxt->sc->cache->mutex);
+/**
+ * This function is supposed to be called during post_config to
+ * initialize mutex and socache instance associated with an
+ * mgs_cache_t.
+ *
+ * @param cache the mod_gnutls cache structure
+ *
+ * @param cache_name name for socache initialization
+ *
+ * @param mutex_name name to pass to ap_global_mutex_create(), must
+ * have been registered during pre_config.
+ *
+ * @param server server for logging purposes
+ *
+ * @param pconf memory pool for server configuration
+ */
+static apr_status_t mgs_cache_inst_init(mgs_cache_t cache,
+                                        const char *cache_name,
+                                        const char *mutex_name,
+                                        server_rec *server,
+                                        apr_pool_t *pconf)
+{
+    apr_status_t rv = APR_SUCCESS;
 
-    /* cache entry might have expired since last cache cleanup */
-    if (expiry != 0 && expiry < apr_time_now())
+    if (cache->mutex == NULL)
     {
-        gnutls_free(data.data);
-        data.data = NULL;
-        data.size = 0;
-        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
-                      "dropped expired cache data");
+        rv = ap_global_mutex_create(&cache->mutex, NULL,
+                                    mutex_name,
+                                    NULL, server, pconf, 0);
+        ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, server,
+                     "%s: create mutex", __func__);
+        if (rv != APR_SUCCESS)
+            return rv;
     }
 
-    return data;
+    rv = cache->prov->init(cache->socache, cache_name, NULL, server, pconf);
+    if (rv != APR_SUCCESS)
+        ap_log_error(APLOG_MARK, APLOG_CRIT, rv, server,
+                     "Initializing cache '%s:%s' failed!",
+                     cache->prov->name, cache->config);
+    else
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, server,
+                     "%s: socache '%s:%s' initialized.", __func__,
+                     cache->prov->name, cache->config);
+    return rv;
 }
 
-static gnutls_datum_t dbm_cache_fetch_session(void *baton, gnutls_datum_t key)
-{
-    gnutls_datum_t data = {NULL, 0};
-    gnutls_datum_t dbmkey;
-    mgs_handle_t *ctxt = baton;
 
-    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
-        return data;
 
-    return dbm_cache_fetch(ctxt, dbmkey);
-}
-
-static int dbm_cache_store(server_rec *s, gnutls_datum_t key,
-                           gnutls_datum_t data, apr_time_t expiry)
+static apr_status_t cleanup_socache(void *data)
 {
+    server_rec *s = data;
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(s->module_config, &gnutls_module);
-
-    apr_dbm_t *dbm;
-    apr_datum_t dbmkey = {(char*) key.data, key.size};
-    apr_datum_t dbmval;
-    apr_status_t rv;
-    apr_pool_t *spool;
-
-    /* check if it is time for cache expiration */
-    dbm_cache_expire(s);
-
-    apr_pool_create(&spool, NULL);
-
-    /* create DBM value */
-    dbmval.dsize = data.size + sizeof (apr_time_t);
-    dbmval.dptr = (char *) apr_palloc(spool, dbmval.dsize);
-
-    /* prepend expiration time */
-    memcpy((char *) dbmval.dptr, &expiry, sizeof (apr_time_t));
-    memcpy((char *) dbmval.dptr + sizeof (apr_time_t),
-            data.data, data.size);
-
-    apr_global_mutex_lock(sc->cache->mutex);
-
-    rv = apr_dbm_open_ex(&dbm, db_type(sc),
-                         sc->cache_config, APR_DBM_RWCREATE,
-                         SSL_DBM_FILE_MODE, spool);
-    if (rv != APR_SUCCESS)
+    if (sc->cache)
     {
-        ap_log_error(APLOG_MARK, APLOG_NOTICE, rv, s,
-                     "error opening cache '%s'",
-                     sc->cache_config);
-        apr_global_mutex_unlock(sc->cache->mutex);
-        apr_pool_destroy(spool);
-        return -1;
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
+                     "Cleaning up session cache '%s:%s'",
+                     sc->cache->prov->name, sc->cache->config);
+        sc->cache->prov->destroy(sc->cache->socache, s);
     }
-
-    rv = apr_dbm_store(dbm, dbmkey, dbmval);
-    if (rv != APR_SUCCESS)
+    if (sc->ocsp_cache)
     {
-        ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, s,
-                     "error storing in cache '%s'",
-                     sc->cache_config);
-        apr_dbm_close(dbm);
-        apr_global_mutex_unlock(sc->cache->mutex);
-        apr_pool_destroy(spool);
-        return -1;
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
+                     "Cleaning up OCSP cache '%s:%s'",
+                     sc->ocsp_cache->prov->name, sc->ocsp_cache->config);
+        sc->ocsp_cache->prov->destroy(sc->ocsp_cache->socache, s);
     }
-
-    apr_dbm_close(dbm);
-    apr_global_mutex_unlock(sc->cache->mutex);
-
-    ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, s,
-                 "stored %" APR_SIZE_T_FMT " bytes of data (%"
-                 APR_SIZE_T_FMT " byte key) in cache '%s'",
-                 dbmval.dsize, dbmkey.dsize, sc->cache_config);
-
-    apr_pool_destroy(spool);
-
-    return 0;
+    return APR_SUCCESS;
 }
 
-static int dbm_cache_store_session(void *baton, gnutls_datum_t key,
-                                   gnutls_datum_t data)
-{
-    mgs_handle_t *ctxt = baton;
-    gnutls_datum_t dbmkey;
 
-    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &dbmkey) < 0)
-        return -1;
-
-    apr_time_t expiry = apr_time_now() + ctxt->sc->cache_timeout;
 
-    return dbm_cache_store(ctxt->c->base_server, dbmkey, data, expiry);
-}
-
-static int dbm_cache_delete(void *baton, gnutls_datum_t key)
+int mgs_cache_post_config(apr_pool_t *pconf, apr_pool_t *ptemp,
+                          server_rec *s, mgs_srvconf_rec *sc)
 {
-    apr_dbm_t *dbm;
-    gnutls_datum_t tmpkey;
-    mgs_handle_t *ctxt = baton;
-    apr_status_t rv;
-
-    if (mgs_session_id2dbm(ctxt->c, key.data, key.size, &tmpkey) < 0)
-        return -1;
-    apr_datum_t dbmkey = {(char*) tmpkey.data, tmpkey.size};
-
-    apr_global_mutex_lock(ctxt->sc->cache->mutex);
-
-    rv = apr_dbm_open_ex(&dbm, db_type(ctxt->sc),
-            ctxt->sc->cache_config, APR_DBM_RWCREATE,
-            SSL_DBM_FILE_MODE, ctxt->c->pool);
-    if (rv != APR_SUCCESS) {
-        ap_log_error(APLOG_MARK, APLOG_NOTICE, rv,
-                     ctxt->c->base_server,
-                     "error opening cache '%s'",
-                     ctxt->sc->cache_config);
-        apr_global_mutex_unlock(ctxt->sc->cache->mutex);
-        return -1;
-    }
-
-    rv = apr_dbm_delete(dbm, dbmkey);
+    apr_status_t rv = APR_SUCCESS;
 
-    if (rv != APR_SUCCESS) {
-        ap_log_error(APLOG_MARK, APLOG_NOTICE, rv,
-                     ctxt->c->base_server,
-                     "error deleting from cache '%s'",
-                     ctxt->sc->cache_config);
-        apr_dbm_close(dbm);
-        apr_global_mutex_unlock(ctxt->sc->cache->mutex);
-        return -1;
+    /* If the OCSP cache is unconfigured initialize it with
+     * defaults. */
+    if (sc->ocsp_cache == NULL)
+    {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, s,
+                     "%s: OCSP cache unconfigured, using '%s:%s'.", __func__,
+                     DEFAULT_OCSP_CACHE_TYPE, DEFAULT_OCSP_CACHE_CONF);
+        const char *err = mgs_cache_inst_config(&sc->ocsp_cache, s,
+                                                DEFAULT_OCSP_CACHE_TYPE,
+                                                DEFAULT_OCSP_CACHE_CONF,
+                                                pconf, ptemp);
+        if (err != NULL)
+            ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s,
+                         "%s: Configuring default OCSP cache '%s:%s' failed, "
+                         "make sure that mod_socache_%s is loaded.", __func__,
+                         DEFAULT_OCSP_CACHE_TYPE, DEFAULT_OCSP_CACHE_CONF,
+                         DEFAULT_OCSP_CACHE_TYPE);
+    }
+
+    /* Initialize the OCSP cache first so it's not skipped if the
+     * session cache is disabled. */
+    if (sc->ocsp_cache != NULL)
+    {
+        /* TODO: Maybe initialize only if explicitly enabled OR at
+         * least one (virtual) host has OCSP enabled? */
+        rv = mgs_cache_inst_init(sc->ocsp_cache, MGS_OCSP_CACHE_NAME,
+                                 MGS_OCSP_CACHE_MUTEX_NAME, s, pconf);
+        if (rv != APR_SUCCESS)
+            return HTTP_INSUFFICIENT_STORAGE;
     }
 
-    apr_dbm_close(dbm);
-    apr_global_mutex_unlock(ctxt->sc->cache->mutex);
-
-    return 0;
-}
-
-static int dbm_cache_post_config(apr_pool_t * p, server_rec * s,
-        mgs_srvconf_rec * sc) {
-    apr_status_t rv;
-    apr_dbm_t *dbm;
-    const char *path1;
-    const char *path2;
-
-    rv = apr_dbm_open_ex(&dbm, db_type(sc), sc->cache_config,
-            APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, p);
-
-    if (rv != APR_SUCCESS) {
-        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
-                "GnuTLS: Cannot create DBM Cache at `%s'",
-                sc->cache_config);
-        return rv;
-    }
-
-    apr_dbm_close(dbm);
-
-    apr_dbm_get_usednames_ex(p, db_type(sc), sc->cache_config, &path1,
-            &path2);
-
-    /* The Following Code takes logic directly from mod_ssl's DBM Cache */
-#if !defined(OS2) && !defined(WIN32) && !defined(BEOS) && !defined(NETWARE)
-    /* Running as Root */
-    if (path1 && geteuid() == 0) {
-        if (0 != chown(path1, ap_unixd_config.user_id, -1))
-            ap_log_error(APLOG_MARK, APLOG_NOTICE, -1, s,
-                         "GnuTLS: could not chown cache path1 `%s' to uid %d (errno: %d)",
-                         path1, ap_unixd_config.user_id, errno);
-        if (path2 != NULL) {
-            if (0 != chown(path2, ap_unixd_config.user_id, -1))
-                ap_log_error(APLOG_MARK, APLOG_NOTICE, -1, s,
-                             "GnuTLS: could not chown cache path2 `%s' to uid %d (errno: %d)",
-                             path2, ap_unixd_config.user_id, errno);
-        }
+    /* GnuTLSCache was never explicitly set or is disabled: */
+    if (sc->cache_enable == GNUTLS_ENABLED_UNSET
+        || sc->cache_enable == GNUTLS_ENABLED_FALSE)
+    {
+        sc->cache_enable = GNUTLS_ENABLED_FALSE;
+        /* Cache disabled, done. */
+        return APR_SUCCESS;
     }
-#endif
-
-    return rv;
-}
-
-int mgs_cache_post_config(apr_pool_t * p, server_rec * s,
-        mgs_srvconf_rec * sc) {
-
-    /* if GnuTLSCache was never explicitly set: */
-    if (sc->cache_type == mgs_cache_unset)
-        sc->cache_type = mgs_cache_none;
     /* if GnuTLSCacheTimeout was never explicitly set: */
     if (sc->cache_timeout == MGS_TIMEOUT_UNSET)
         sc->cache_timeout = apr_time_from_sec(MGS_DEFAULT_CACHE_TIMEOUT);
 
-    /* initialize mutex only once */
-    if (sc->cache == NULL)
-    {
-        sc->cache = apr_palloc(p, sizeof(struct mgs_cache));
-        apr_status_t rv = ap_global_mutex_create(&sc->cache->mutex, NULL,
-                                                 MGS_CACHE_MUTEX_NAME,
-                                                 NULL, s, p, 0);
-        if (rv != APR_SUCCESS)
-            return rv;
-    }
+    rv = mgs_cache_inst_init(sc->cache, MGS_SESSION_CACHE_NAME,
+                             MGS_CACHE_MUTEX_NAME, s, pconf);
+    if (rv != APR_SUCCESS)
+        return HTTP_INSUFFICIENT_STORAGE;
 
-    if (sc->cache_type == mgs_cache_dbm || sc->cache_type == mgs_cache_gdbm)
-    {
-        sc->cache->store = dbm_cache_store;
-        sc->cache->fetch = dbm_cache_fetch;
-        return dbm_cache_post_config(p, s, sc);
-    }
-#if HAVE_APR_MEMCACHE
-    else if (sc->cache_type == mgs_cache_memcache)
-    {
-        sc->cache->store = mc_cache_store_generic;
-        sc->cache->fetch = mc_cache_fetch_generic;
-    }
-#endif
+    apr_pool_pre_cleanup_register(pconf, s, cleanup_socache);
 
     return APR_SUCCESS;
 }
 
-int mgs_cache_child_init(apr_pool_t * p,
-                         server_rec * s,
-                         mgs_srvconf_rec * sc)
+int mgs_cache_child_init(apr_pool_t *p, server_rec *server,
+                         mgs_cache_t cache, const char *mutex_name)
 {
     /* reinit cache mutex */
-    const char *lockfile = apr_global_mutex_lockfile(sc->cache->mutex);
-    apr_status_t rv = apr_global_mutex_child_init(&sc->cache->mutex,
+    const char *lockfile = apr_global_mutex_lockfile(cache->mutex);
+    apr_status_t rv = apr_global_mutex_child_init(&cache->mutex,
                                                   lockfile, p);
     if (rv != APR_SUCCESS)
-        ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
-                     "Failed to reinit mutex '%s'", MGS_CACHE_MUTEX_NAME);
+        ap_log_error(APLOG_MARK, APLOG_EMERG, rv, server,
+                     "Failed to reinit mutex '%s'", mutex_name);
 
-    if (sc->cache_type == mgs_cache_dbm
-            || sc->cache_type == mgs_cache_gdbm) {
-        return 0;
-    }
-#if HAVE_APR_MEMCACHE
-    else if (sc->cache_type == mgs_cache_memcache) {
-        return mc_cache_child_init(p, s, sc);
-    }
-#endif
-    return 0;
+    return rv;
 }
 
-#include <assert.h>
-
-int mgs_cache_session_init(mgs_handle_t * ctxt) {
-    if (ctxt->sc->cache_type == mgs_cache_dbm
-            || ctxt->sc->cache_type == mgs_cache_gdbm) {
-        gnutls_db_set_retrieve_function(ctxt->session,
-                dbm_cache_fetch_session);
-        gnutls_db_set_remove_function(ctxt->session,
-                dbm_cache_delete);
-        gnutls_db_set_store_function(ctxt->session,
-                dbm_cache_store_session);
-        gnutls_db_set_ptr(ctxt->session, ctxt);
-    }
-#if HAVE_APR_MEMCACHE
-    else if (ctxt->sc->cache_type == mgs_cache_memcache) {
+int mgs_cache_session_init(mgs_handle_t * ctxt)
+{
+    if (ctxt->sc->cache_enable)
+    {
         gnutls_db_set_retrieve_function(ctxt->session,
-                mc_cache_fetch_session);
+                                        socache_fetch_session);
         gnutls_db_set_remove_function(ctxt->session,
-                mc_cache_delete);
+                                      socache_delete_session);
         gnutls_db_set_store_function(ctxt->session,
-                mc_cache_store_session);
+                                     socache_store_session);
         gnutls_db_set_ptr(ctxt->session, ctxt);
     }
-#endif
-
     return 0;
 }
+
+
+
+int mgs_cache_status(mgs_cache_t cache, const char *header_title,
+                     request_rec *r, int flags)
+{
+    if (!(flags & AP_STATUS_SHORT))
+        ap_rprintf(r, "<h3>%s:</h3>\n", header_title);
+    else
+        ap_rprintf(r, "%s:\n", header_title);
+
+    if (cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+        apr_global_mutex_lock(cache->mutex);
+    cache->prov->status(cache->socache, r, flags);
+    if (cache->prov->flags & AP_SOCACHE_FLAG_NOTMPSAFE)
+        apr_global_mutex_unlock(cache->mutex);
+
+    return OK;
+}
diff -pruN 0.8.2-3/src/gnutls_cache.h 0.9.0-1/src/gnutls_cache.h
--- 0.8.2-3/src/gnutls_cache.h	2016-12-25 18:36:37.000000000 +0000
+++ 0.9.0-1/src/gnutls_cache.h	2018-11-02 10:55:39.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  *  Copyright 2004-2005 Paul Querna
  *  Copyright 2014 Nikos Mavrogiannopoulos
- *  Copyright 2015-2016 Thomas Klute
+ *  Copyright 2015-2018 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -27,22 +27,53 @@
 
 #include "mod_gnutls.h"
 #include <httpd.h>
+#include <ap_socache.h>
 
 /** Name of the mod_gnutls cache access mutex, for use with Apache's
  * `Mutex` directive */
 #define MGS_CACHE_MUTEX_NAME "gnutls-cache"
 
 /**
+ * Configure a cache instance
+ *
+ * This function is supposed to be called during config and
+ * initializes an mgs_cache_t by finding the named socache provider
+ * and creating a cache instance with the given configuration. Note
+ * that the socache instance is only created, not initialized, which
+ * is supposed to happen during post_config.
+ *
+ * @param cache pointer to the mgs_cache_t, will be assigned only if
+ * configuration succeeds
+ *
+ * @param server associated server for logging purposes
+ *
+ * @param type socache provider type
+ *
+ * @param config configuration string for the socache provider, may be
+ * `NULL` if the provider accepts an empty configuration
+ *
+ * @param pconf configuration memory pool, used to store cache
+ * configuration
+ *
+ * @param ptemp temporary memory pool
+ */
+const char *mgs_cache_inst_config(mgs_cache_t *cache, server_rec *server,
+                                  const char* type, const char* config,
+                                  apr_pool_t *pconf, apr_pool_t *ptemp);
+
+/**
  * Initialize the internal cache configuration structure. This
  * function is called after the configuration file(s) have been
  * parsed.
  *
- * @param p configuration memory pool
+ * @param pconf configuration memory pool
+ * @param ptemp temporary memory pool
  * @param s default server of the Apache configuration, head of the
  * server list
  * @param sc mod_gnutls data associated with `s`
  */
-int mgs_cache_post_config(apr_pool_t *p, server_rec *s, mgs_srvconf_rec *sc);
+int mgs_cache_post_config(apr_pool_t *pconf, apr_pool_t *ptemp,
+                          server_rec *s, mgs_srvconf_rec *sc);
 
 /**
  * (Re-)Initialize the cache in a child process after forking.
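Review bot: The new doc comment for mgs_cache_inst_config() documents every parameter but not the return value, and the updated comment for mgs_cache_post_config() has no `@return` either. In the part of gnutls_cache.c visible in this diff, mgs_cache_inst_config() returns NULL on success and otherwise a message built with apr_psprintf() from `ptemp`, so I would add `@return NULL on success, or an error message allocated from ptemp`. The start of that function is outside the visible lines, so its other return paths should be checked first. mgs_cache_post_config() returns APR_SUCCESS or HTTP_INSUFFICIENT_STORAGE in the visible implementation, which callers need to know: `@return APR_SUCCESS, or HTTP_INSUFFICIENT_STORAGE if a cache could not be initialized`.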
@@ -50,9 +81,12 @@ int mgs_cache_post_config(apr_pool_t *p,
  * @param p child memory pool provided by Apache
  * @param s default server of the Apache configuration, head of the
  * server list
- * @param sc mod_gnutls data associated with `s`
+ * @param cache the cache to reinit
+ * @param mutex_name name of the mutex associated with the cache for
+ * logging purposes
  */
-int mgs_cache_child_init(apr_pool_t *p, server_rec *s, mgs_srvconf_rec *sc);
+int mgs_cache_child_init(apr_pool_t *p, server_rec *server,
+                         mgs_cache_t cache, const char *mutex_name);
 
 /**
  * Set up caching for the given TLS session.
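Review bot: The comment for mgs_cache_child_init() still documents `@param s` although the parameter is now named `server`, so the tag no longer matches the declaration. The next hunk leaves the same stale `@param s` in the comment that ends up above mgs_cache_store(); both should become `@param server`. The visible implementation dereferences `cache->mutex` without a check, so the new tag could read `@param cache the cache to reinit, must not be NULL`. A `@return` line for the apr_status_t result now returned is also missing.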
@@ -78,8 +112,9 @@ int mgs_cache_session_init(mgs_handle_t
 char *mgs_time2sz(time_t t, char *str, int strsize);
 
 /**
- * Generic store function for the mod_gnutls object cache.
+ * Store function for the mod_gnutls object caches.
  *
+ * @param cache the cache to store the entry in
  * @param s server associated with the cache entry
  * @param key key for the cache entry
  * @param data data to be cached
@@ -87,33 +122,61 @@ char *mgs_time2sz(time_t t, char *str, i
  *
  * @return `-1` on error, `0` on success
  */
-typedef int (*cache_store_func)(server_rec *s, gnutls_datum_t key,
-                                gnutls_datum_t data, apr_time_t expiry);
+int mgs_cache_store(mgs_cache_t cache, server_rec *server, gnutls_datum_t key,
+                    gnutls_datum_t data, apr_time_t expiry);
+
 /**
- * Generic fetch function for the mod_gnutls object cache.
+ * Fetch function for the mod_gnutls object caches.
  *
  * *Warning*: The `data` element of the returned `gnutls_datum_t` is
  * allocated using `gnutls_malloc()` for compatibility with the GnuTLS
  * session caching API, and must be released using `gnutls_free()`.
  *
- * @param ctxt mod_gnutls session context for the request
+ * @param cache the cache to fetch from
+ *
+ * @param server server context for the request
+ *
  * @param key key for the cache entry to be fetched
  *
+ * @param pool pool to allocate the response and other temporary
+ * memory from
+ *
  * @return the requested cache entry, or `{NULL, 0}`
  */
-typedef gnutls_datum_t (*cache_fetch_func)(mgs_handle_t *ctxt,
-                                           gnutls_datum_t key);
+gnutls_datum_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server,
+                               gnutls_datum_t key, apr_pool_t *pool);
+
 /**
  * Internal cache configuration structure
  */
 struct mgs_cache {
-    /** Store function for this cache */
-    cache_store_func store;
-    /** Fetch function for this cache */
-    cache_fetch_func fetch;
+    /** Socache provider to use for this cache */
+    const ap_socache_provider_t *prov;
+    /** The actual socache instance */
+    ap_socache_instance_t *socache;
+    /** Cache configuration string (as passed to the socache create
+     * function, for logging) */
+    const char *config;
     /** Mutex for cache access (used only if the cache type is not
      * thread-safe) */
     apr_global_mutex_t *mutex;
 };
 
+/**
+ * Write cache status to a mod_status report
+ *
+ * @param cache the cache to report on
+ *
+ * @param header_title string to prefix the report with to distinguish
+ * caches
+ *
+ * @param r status output is added to the response for this request
+ *
+ * @param flags request flags, used to toggle "short status" mode
+ *
+ * @return request status, currently always `OK`
+ */
+int mgs_cache_status(mgs_cache_t cache, const char *header_title,
+                     request_rec *r, int flags);
+
 #endif /** __MOD_GNUTLS_CACHE_H__ */
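Review bot: The comment for mgs_cache_fetch() now states two conflicting ownership rules. The retained warning says the returned `data` is allocated with gnutls_malloc() and must be released with gnutls_free(), while the new `@param pool` says the response is allocated from that pool. A caller following the wrong rule either leaks the buffer or hands pool memory to gnutls_free(), so the comment should say which allocator applies in which case; the implementation is not visible here, so I cannot tell which statement is correct. Separately, the visible mgs_cache_status() prints `header_title` into `<h3>%s:</h3>` unescaped, so its tag should say so, e.g. `@param header_title trusted, HTML-safe string to prefix the report with`.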
diff -pruN 0.8.2-3/src/gnutls_config.c 0.9.0-1/src/gnutls_config.c
--- 0.8.2-3/src/gnutls_config.c	2016-12-25 18:36:37.000000000 +0000
+++ 0.9.0-1/src/gnutls_config.c	2018-11-28 05:37:07.000000000 +0000
@@ -2,7 +2,7 @@
  *  Copyright 2004-2005 Paul Querna
  *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
- *  Copyright 2015-2016 Thomas Klute
+ *  Copyright 2015-2018 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -17,10 +17,13 @@
  *  limitations under the License.
  */
 
+#include "gnutls_cache.h"
 #include "gnutls_config.h"
 #include "mod_gnutls.h"
 #include "gnutls_ocsp.h"
+
 #include "apr_lib.h"
+#include <apr_strings.h>
 #include <gnutls/abstract.h>
 
 #define INIT_CA_SIZE 128
@@ -83,18 +86,10 @@ static int load_datum_from_file(apr_pool
     return 0;
 }
 
-/* 2048-bit group parameters from SRP specification */
-const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
-        "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
-        "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
-        "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
-        "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
-        "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
-        "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
-        "-----END DH PARAMETERS-----\n";
 
-/*
- * Clean up the various GnuTLS data structures allocated from
+
+/**
+ * Clean up the various GnuTLS data structures allocated by
  * mgs_load_files()
  */
 static apr_status_t mgs_pool_free_credentials(void *arg)
@@ -149,31 +144,10 @@ static apr_status_t mgs_pool_free_creden
         sc->ca_list = NULL;
     }
 
-    if (sc->cert_pgp)
-    {
-        gnutls_pcert_deinit(&sc->cert_pgp[0]);
-        sc->cert_pgp = NULL;
-        gnutls_openpgp_crt_deinit(sc->cert_crt_pgp[0]);
-        sc->cert_crt_pgp = NULL;
-    }
-
-    if (sc->privkey_pgp)
-    {
-        gnutls_privkey_deinit(sc->privkey_pgp);
-        sc->privkey_pgp = NULL;
-#if GNUTLS_VERSION_NUMBER < 0x030312
-        gnutls_openpgp_privkey_deinit(sc->privkey_pgp_internal);
-        sc->privkey_pgp_internal = NULL;
-#endif
-    }
-
-    if (sc->pgp_list)
-    {
-        gnutls_openpgp_keyring_deinit(sc->pgp_list);
-        sc->pgp_list = NULL;
-    }
-
-    if (sc->priorities)
+    /* Deinit server priorities only if set from
+     * sc->priorities_str. Otherwise the server is using the default
+     * global priority cache, which must not be deinitialized here. */
+    if (sc->priorities_str && sc->priorities)
     {
         gnutls_priority_deinit(sc->priorities);
         sc->priorities = NULL;
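Review bot: When the new condition is false because `sc->priorities_str` is unset, `sc->priorities` keeps pointing at the shared default priority cache after this cleanup has run. Ownership is then implied only by whether `priorities_str` happens to be set. I would keep the deinit conditional but reset the pointer in both cases, by moving `sc->priorities = NULL;` below the closing brace of the `if`. That assumes the default is assigned again on the next configuration pass, which is not visible here and should be confirmed. mgs_pool_free_credentials() starts and ends outside this hunk.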
@@ -253,52 +227,38 @@ int mgs_load_files(apr_pool_t *pconf, ap
     }
 #endif
 
-    if (sc->dh_params == NULL)
+    /* Load user provided DH parameters, if any */
+    if (sc->dh_file)
     {
-        ret = gnutls_dh_params_init(&sc->dh_params);
-        if (ret < 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to initialize"
-                         ": (%d) %s", ret, gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-
-        /* Load DH parameters */
-        if (sc->dh_file)
+        if (sc->dh_params == NULL)
         {
-            if (load_datum_from_file(spool, sc->dh_file, &data) != 0) {
-                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                             "GnuTLS: Error Reading " "DH params '%s'", sc->dh_file);
-                ret = -1;
-                goto cleanup;
-            }
-
-            ret =
-                gnutls_dh_params_import_pkcs3(sc->dh_params, &data,
-                                              GNUTLS_X509_FMT_PEM);
+            ret = gnutls_dh_params_init(&sc->dh_params);
             if (ret < 0) {
                 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                             "GnuTLS: Failed to Import "
-                             "DH params '%s': (%d) %s", sc->dh_file, ret,
-                             gnutls_strerror(ret));
+                             "GnuTLS: Failed to initialize"
+                             ": (%d) %s", ret, gnutls_strerror(ret));
                 ret = -1;
                 goto cleanup;
             }
-        } else {
-            gnutls_datum_t pdata = {
-                (void *) static_dh_params,
-                sizeof(static_dh_params)
-            };
+        }
 
-            ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &pdata, GNUTLS_X509_FMT_PEM);
-            if (ret < 0) {
-                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                             "GnuTLS: Unable to generate or load DH Params: (%d) %s",
-                             ret, gnutls_strerror(ret));
-                ret = -1;
-                goto cleanup;
-            }
+        if (load_datum_from_file(spool, sc->dh_file, &data) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Error Reading " "DH params '%s'", sc->dh_file);
+            ret = -1;
+            goto cleanup;
+        }
+
+        ret =
+            gnutls_dh_params_import_pkcs3(sc->dh_params, &data,
+                                          GNUTLS_X509_FMT_PEM);
+        if (ret < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Import "
+                         "DH params '%s': (%d) %s", sc->dh_file, ret,
+                         gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
         }
     }
 
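Review bot: The file read and `gnutls_dh_params_import_pkcs3()` call now run whenever `sc->dh_file` is set, whereas the removed code did the whole load only while `sc->dh_params == NULL`; only the init is still guarded. If mgs_load_files() can run more than once for a server (the `== NULL` guards on other blocks in this function suggest it can), the file is imported again into an already populated structure. Using `if (sc->dh_file && sc->dh_params == NULL)` as the outer condition would restore the load-once behaviour. The init failure message `"GnuTLS: Failed to initialize: (%d) %s"` does not say what failed; `"GnuTLS: Failed to initialize DH parameters: (%d) %s"` would. With the built-in fallback group removed, a short comment that `sc->dh_params` stays NULL when no DH file is configured would help readers of the consuming code; mgs_load_files() starts and ends outside this hunk.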
@@ -474,161 +434,6 @@ int mgs_load_files(apr_pool_t *pconf, ap
         }
     }
 
-    if (sc->pgp_cert_file && sc->cert_pgp == NULL)
-    {
-        sc->cert_pgp = apr_pcalloc(pconf, sizeof(sc->cert_pgp[0]));
-        sc->cert_crt_pgp = apr_pcalloc(pconf, sizeof(sc->cert_crt_pgp[0]));
-
-        if (load_datum_from_file(spool, sc->pgp_cert_file, &data) != 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Error Reading " "Certificate '%s'",
-                         sc->pgp_cert_file);
-            ret = -1;
-            goto cleanup;
-        }
-
-        ret = gnutls_openpgp_crt_init(&sc->cert_crt_pgp[0]);
-        if (ret < 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to Init "
-                         "PGP Certificate: (%d) %s", ret,
-                         gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-
-        ret = gnutls_openpgp_crt_import(sc->cert_crt_pgp[0], &data,
-                                        GNUTLS_OPENPGP_FMT_BASE64);
-        if (ret < 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to Import "
-                         "PGP Certificate: (%d) %s", ret,
-                         gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-
-        ret = gnutls_pcert_import_openpgp(sc->cert_pgp,
-                                          sc->cert_crt_pgp[0], 0);
-        if (ret < 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to Import "
-                         "PGP pCertificate: (%d) %s", ret,
-                         gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-    }
-
-    /* Load the PGP key file */
-    if (sc->pgp_key_file && sc->privkey_pgp == NULL)
-    {
-        if (load_datum_from_file(spool, sc->pgp_key_file, &data) != 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Error Reading " "Private Key '%s'",
-                         sc->pgp_key_file);
-            ret = -1;
-            goto cleanup;
-        }
-
-        ret = gnutls_privkey_init(&sc->privkey_pgp);
-        if (ret < 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to initialize"
-                         ": (%d) %s", ret, gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-
-#if GNUTLS_VERSION_NUMBER < 0x030312
-        /* GnuTLS versions before 3.3.12 contain a bug in
-         * gnutls_privkey_import_openpgp_raw which frees data that is
-         * accessed when the key is used, leading to segfault. Loading
-         * the key into a gnutls_openpgp_privkey_t and then assigning
-         * it to the gnutls_privkey_t works around the bug, hence this
-         * chain of gnutls_openpgp_privkey_init,
-         * gnutls_openpgp_privkey_import and
-         * gnutls_privkey_import_openpgp. */
-        ret = gnutls_openpgp_privkey_init(&sc->privkey_pgp_internal);
-        if (ret != 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to initialize "
-                         "PGP Private Key '%s': (%d) %s",
-                         sc->pgp_key_file, ret, gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-
-        ret = gnutls_openpgp_privkey_import(sc->privkey_pgp_internal, &data,
-                                            GNUTLS_OPENPGP_FMT_BASE64, NULL, 0);
-        if (ret != 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to Import "
-                         "PGP Private Key '%s': (%d) %s",
-                         sc->pgp_key_file, ret, gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-
-        ret = gnutls_privkey_import_openpgp(sc->privkey_pgp,
-                                            sc->privkey_pgp_internal, 0);
-        if (ret != 0)
-        {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to assign PGP Private Key '%s' "
-                         "to gnutls_privkey_t structure: (%d) %s",
-                         sc->pgp_key_file, ret, gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-#else
-        ret = gnutls_privkey_import_openpgp_raw(sc->privkey_pgp, &data,
-                                                GNUTLS_OPENPGP_FMT_BASE64,
-                                                NULL, NULL);
-        if (ret != 0)
-        {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to Import "
-                         "PGP Private Key '%s': (%d) %s",
-                         sc->pgp_key_file, ret, gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-#endif
-    }
-
-    /* Load the keyring file */
-    if (sc->pgp_ring_file && sc->pgp_list == NULL)
-    {
-        if (load_datum_from_file(spool, sc->pgp_ring_file, &data) != 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Error Reading " "Keyring File '%s'",
-                         sc->pgp_ring_file);
-            ret = -1;
-            goto cleanup;
-        }
-
-        ret = gnutls_openpgp_keyring_init(&sc->pgp_list);
-        if (ret < 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to initialize"
-                         "keyring: (%d) %s", ret, gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-
-        ret = gnutls_openpgp_keyring_import(sc->pgp_list, &data,
-                                            GNUTLS_OPENPGP_FMT_BASE64);
-        if (ret < 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                         "GnuTLS: Failed to load "
-                         "Keyring File '%s': (%d) %s", sc->pgp_ring_file,
-                         ret, gnutls_strerror(ret));
-            ret = -1;
-            goto cleanup;
-        }
-    }
-
     if (sc->priorities_str && sc->priorities == NULL)
     {
         const char *err;
@@ -736,31 +541,6 @@ const char *mgs_set_key_file(cmd_parms *
     return NULL;
 }
 
-const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy __attribute__((unused)),
-        const char *arg)
-{
-    mgs_srvconf_rec *sc =
-	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
-						 module_config,
-						 &gnutls_module);
-
-    sc->pgp_cert_file = ap_server_root_relative(parms->pool, arg);
-
-    return NULL;
-}
-
-const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy __attribute__((unused)),
-        const char *arg) {
-    mgs_srvconf_rec *sc =
-	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
-						 module_config,
-						 &gnutls_module);
-
-    sc->pgp_key_file = ap_server_root_relative(parms->pool, arg);
-
-    return NULL;
-}
-
 const char *mgs_set_tickets(cmd_parms *parms,
                             void *dummy __attribute__((unused)),
                             const int arg)
@@ -805,45 +585,64 @@ const char *mgs_set_srp_tpasswd_conf_fil
 
 #endif
 
-const char *mgs_set_cache(cmd_parms * parms, void *dummy __attribute__((unused)),
-        const char *type, const char *arg) {
+const char *mgs_set_cache(cmd_parms * parms,
+                          void *dummy __attribute__((unused)),
+                          const char *type, const char *arg)
+{
     const char *err;
     mgs_srvconf_rec *sc =
-	ap_get_module_config(parms->server->module_config,
-			     &gnutls_module);
-    if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY))) {
-	return err;
+        ap_get_module_config(parms->server->module_config,
+                             &gnutls_module);
+    if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY)))
+        return err;
+
+    unsigned char enable = GNUTLS_ENABLED_TRUE;
+    /* none: disable cache */
+    if (strcasecmp("none", type) == 0)
+        enable = GNUTLS_ENABLED_FALSE;
+
+    /* Try to split socache "type:config" style configuration */
+    const char* sep = ap_strchr_c(type, ':');
+    if (sep)
+    {
+        type = apr_pstrmemdup(parms->temp_pool, type, sep - type);
+        if (arg != NULL)
+        {
+            /* No mixing of socache style and legacy config! */
+            return "GnuTLSCache appears to have a mod_socache style "
+                "type:config value, but there is a second parameter!";
+        }
+        arg = ++sep;
     }
 
-    if (strcasecmp("none", type) == 0) {
-	sc->cache_type = mgs_cache_none;
-	sc->cache_config = NULL;
-	return NULL;
-    } else if (strcasecmp("dbm", type) == 0) {
-	sc->cache_type = mgs_cache_dbm;
-    } else if (strcasecmp("gdbm", type) == 0) {
-	sc->cache_type = mgs_cache_gdbm;
-    }
-#if HAVE_APR_MEMCACHE
-    else if (strcasecmp("memcache", type) == 0) {
-	sc->cache_type = mgs_cache_memcache;
-    }
-#endif
-    else {
-	return "Invalid Type for GnuTLSCache!";
+    mgs_cache_t *cache = NULL;
+    /* parms->directive->directive contains the directive string */
+    if (!strcasecmp(parms->directive->directive, "GnuTLSCache"))
+    {
+        if (enable == GNUTLS_ENABLED_FALSE)
+        {
+            sc->cache_enable = GNUTLS_ENABLED_FALSE;
+            return NULL;
+        }
+        sc->cache_enable = GNUTLS_ENABLED_TRUE;
+        cache = &sc->cache;
     }
-
-    if (arg == NULL)
-	return "Invalid argument 2 for GnuTLSCache!";
-
-    if (sc->cache_type == mgs_cache_dbm
-	|| sc->cache_type == mgs_cache_gdbm) {
-	sc->cache_config = ap_server_root_relative(parms->pool, arg);
-    } else {
-	sc->cache_config = apr_pstrdup(parms->pool, arg);
+    else if (!strcasecmp(parms->directive->directive, "GnuTLSOCSPCache"))
+    {
+        if (enable == GNUTLS_ENABLED_FALSE)
+            return "\"GnuTLSOCSPCache none\" is invalid, use "
+                "\"GnuTLSOCSPStapling off\" if you want to disable "
+                "OCSP stapling.";
+        cache = &sc->ocsp_cache;
     }
+    else
+        return apr_psprintf(parms->temp_pool, "Internal Error: %s "
+                            "called for unknown directive %s",
+                            __func__, parms->directive->directive);
 
-    return NULL;
+    return mgs_cache_inst_config(cache, parms->server,
+                                 type, arg,
+                                 parms->pool, parms->temp_pool);
 }
 
 const char *mgs_set_timeout(cmd_parms * parms,
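Review bot: In `mgs_set_cache` the `strcasecmp("none", type)` test runs on the unsplit string, before the `type:config` split, so a value such as `none:` (constructed example) is not recognised as disabling the cache. It is handed to `mgs_cache_inst_config()` as a cache type named `none`, and what happens then depends on that function, which is outside this hunk. Moving the `none` check below the split block would make both spellings behave the same. Separately, `arg = ++sep;` accepts an empty config after the colon; consider `if (*arg == '\0') arg = NULL;` or an explicit error, depending on what `mgs_cache_inst_config()` expects. A short doc comment stating that this handler serves both `GnuTLSCache` and `GnuTLSOCSPCache` would also help.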
@@ -859,21 +658,19 @@ const char *mgs_set_timeout(cmd_parms *
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(parms->server->module_config, &gnutls_module);
 
-    if (!apr_strnatcasecmp(parms->directive->directive, "GnuTLSCacheTimeout"))
-    {
-        const char *err;
-        if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY)))
-            return err;
+    if (!strcasecmp(parms->directive->directive, "GnuTLSCacheTimeout"))
         sc->cache_timeout = apr_time_from_sec(argint);
-    }
-    else if (!apr_strnatcasecmp(parms->directive->directive,
-                                "GnuTLSOCSPCacheTimeout"))
+    else if (!strcasecmp(parms->directive->directive,
+                         "GnuTLSOCSPCacheTimeout"))
         sc->ocsp_cache_time = apr_time_from_sec(argint);
-    else if (!apr_strnatcasecmp(parms->directive->directive,
-                                "GnuTLSOCSPFailureTimeout"))
+    else if (!strcasecmp(parms->directive->directive,
+                         "GnuTLSOCSPFailureTimeout"))
         sc->ocsp_failure_timeout = apr_time_from_sec(argint);
-    else if (!apr_strnatcasecmp(parms->directive->directive,
-                                "GnuTLSOCSPSocketTimeout"))
+    else if (!strcasecmp(parms->directive->directive,
+                         "GnuTLSOCSPFuzzTime"))
+        sc->ocsp_fuzz_time = apr_time_from_sec(argint);
+    else if (!strcasecmp(parms->directive->directive,
+                         "GnuTLSOCSPSocketTimeout"))
         sc->ocsp_socket_timeout = apr_time_from_sec(argint);
     else
         /* Can't happen unless there's a serious bug in mod_gnutls or Apache */
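Review bot: Dropping the `ap_check_cmd_context(parms, GLOBAL_ONLY)` guard makes `GnuTLSCacheTimeout` settable per virtual host, and nothing in `mgs_set_timeout` says so. The only hint is the `gnutls_srvconf_merge(cache_timeout, MGS_TIMEOUT_UNSET)` line added in `mgs_config_server_merge`. A comment above the first branch would record that this is intended, e.g. `/* GnuTLSCacheTimeout may be set per vhost; the cache itself stays GLOBAL_ONLY (see mgs_set_cache) */`. The hunk also shows no range check on `argint` before `apr_time_from_sec(argint)`. Parsing happens above the hunk (the function starts and ends outside it), so confirm a negative value is rejected there.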
@@ -945,18 +742,6 @@ const char *mgs_set_client_ca_file(cmd_p
     return NULL;
 }
 
-const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy __attribute__((unused)),
-        const char *arg) {
-    mgs_srvconf_rec *sc =
-	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
-						 module_config,
-						 &gnutls_module);
-
-    sc->pgp_ring_file = ap_server_root_relative(parms->pool, arg);
-
-    return NULL;
-}
-
 /*
  * Enable TLS proxy operation if arg is true, disable it otherwise.
  */
@@ -1092,22 +877,14 @@ static mgs_srvconf_rec *_mgs_config_serv
     sc->p11_modules = NULL;
     sc->pin = NULL;
 
-    sc->cert_pgp = NULL;
-    sc->cert_crt_pgp = NULL;
-    sc->privkey_pgp = NULL;
-#if GNUTLS_VERSION_NUMBER < 0x030312
-    sc->privkey_pgp_internal = NULL;
-#endif
-    sc->pgp_list = NULL;
-
     sc->priorities_str = NULL;
     sc->cache_timeout = MGS_TIMEOUT_UNSET;
-    sc->cache_type = mgs_cache_unset;
-    sc->cache_config = NULL;
+    sc->cache_enable = GNUTLS_ENABLED_UNSET;
     sc->cache = NULL;
     sc->tickets = GNUTLS_ENABLED_UNSET;
     sc->priorities = NULL;
     sc->dh_params = NULL;
+    sc->dh_file = NULL;
     sc->ca_list = NULL;
     sc->ca_list_size = 0;
     sc->proxy_enabled = GNUTLS_ENABLED_UNSET;
@@ -1125,13 +902,18 @@ static mgs_srvconf_rec *_mgs_config_serv
     sc->proxy_x509_tl = NULL;
 
     sc->ocsp_staple = GNUTLS_ENABLED_UNSET;
+    sc->ocsp_auto_refresh = GNUTLS_ENABLED_UNSET;
     sc->ocsp_check_nonce = GNUTLS_ENABLED_UNSET;
     sc->ocsp_response_file = NULL;
     sc->ocsp_mutex = NULL;
+    sc->ocsp_cache = NULL;
     sc->ocsp_cache_time = MGS_TIMEOUT_UNSET;
     sc->ocsp_failure_timeout = MGS_TIMEOUT_UNSET;
+    sc->ocsp_fuzz_time = MGS_TIMEOUT_UNSET;
     sc->ocsp_socket_timeout = MGS_TIMEOUT_UNSET;
 
+    sc->singleton_wd = NULL;
+
 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
     sc->client_verify_mode = -1;
 
@@ -1153,7 +935,6 @@ void *mgs_config_server_create(apr_pool_
 
 void *mgs_config_server_merge(apr_pool_t * p, void *BASE, void *ADD)
 {
-    int i;
     char *err = NULL;
     mgs_srvconf_rec *base = (mgs_srvconf_rec *) BASE;
     mgs_srvconf_rec *add = (mgs_srvconf_rec *) ADD;
@@ -1175,11 +956,9 @@ void *mgs_config_server_merge(apr_pool_t
     gnutls_srvconf_merge(x509_ca_file, NULL);
     gnutls_srvconf_merge(p11_modules, NULL);
     gnutls_srvconf_merge(pin, NULL);
-    gnutls_srvconf_merge(pgp_cert_file, NULL);
-    gnutls_srvconf_merge(pgp_key_file, NULL);
-    gnutls_srvconf_merge(pgp_ring_file, NULL);
     gnutls_srvconf_merge(dh_file, NULL);
     gnutls_srvconf_merge(priorities_str, NULL);
+    gnutls_srvconf_merge(cache_timeout, MGS_TIMEOUT_UNSET);
 
     gnutls_srvconf_merge(proxy_x509_key_file, NULL);
     gnutls_srvconf_merge(proxy_x509_cert_file, NULL);
@@ -1189,17 +968,16 @@ void *mgs_config_server_merge(apr_pool_t
     gnutls_srvconf_merge(proxy_priorities, NULL);
 
     gnutls_srvconf_merge(ocsp_staple, GNUTLS_ENABLED_UNSET);
+    gnutls_srvconf_merge(ocsp_auto_refresh, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_merge(ocsp_check_nonce, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_assign(ocsp_response_file);
     gnutls_srvconf_merge(ocsp_cache_time, MGS_TIMEOUT_UNSET);
     gnutls_srvconf_merge(ocsp_failure_timeout, MGS_TIMEOUT_UNSET);
+    gnutls_srvconf_merge(ocsp_fuzz_time, MGS_TIMEOUT_UNSET);
     gnutls_srvconf_merge(ocsp_socket_timeout, MGS_TIMEOUT_UNSET);
 
     gnutls_srvconf_assign(ca_list);
     gnutls_srvconf_assign(ca_list_size);
-    gnutls_srvconf_assign(cert_pgp);
-    gnutls_srvconf_assign(cert_crt_pgp);
-    gnutls_srvconf_assign(pgp_list);
     gnutls_srvconf_assign(certs);
     gnutls_srvconf_assign(anon_creds);
     gnutls_srvconf_assign(srp_creds);
@@ -1207,12 +985,6 @@ void *mgs_config_server_merge(apr_pool_t
     gnutls_srvconf_assign(certs_x509_crt_chain);
     gnutls_srvconf_assign(certs_x509_chain_num);
 
-    /* how do these get transferred cleanly before the data from ADD
-     * goes away? */
-    gnutls_srvconf_assign(cert_cn);
-    for (i = 0; i < MAX_CERT_SAN; i++)
-	gnutls_srvconf_assign(cert_san[i]);
-
     return sc;
 }
 
diff -pruN 0.8.2-3/src/gnutls_config.h 0.9.0-1/src/gnutls_config.h
--- 0.8.2-3/src/gnutls_config.h	2016-12-25 18:36:37.000000000 +0000
+++ 0.9.0-1/src/gnutls_config.h	2018-12-17 17:56:49.000000000 +0000
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2016 Thomas Klute
+ *  Copyright 2016-2018 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -26,4 +26,7 @@
 /* TODO: move configuration related function definitions from
  * mod_gnutls.h.in over here */
 
+const char *mgs_set_cache(cmd_parms * parms, void *dummy,
+                          const char *type, const char* arg);
+
 #endif /* __MOD_GNUTLS_CONFIG_H__ */
diff -pruN 0.8.2-3/src/gnutls_hooks.c 0.9.0-1/src/gnutls_hooks.c
--- 0.8.2-3/src/gnutls_hooks.c	2016-12-25 18:36:37.000000000 +0000
+++ 0.9.0-1/src/gnutls_hooks.c	2019-01-22 07:21:54.000000000 +0000
@@ -3,7 +3,7 @@
  *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
  *  Copyright 2013-2014 Daniel Kahn Gillmor
- *  Copyright 2015-2016 Thomas Klute
+ *  Copyright 2015-2019 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -20,12 +20,21 @@
 
 #include "mod_gnutls.h"
 #include "gnutls_cache.h"
+#include "gnutls_config.h"
 #include "gnutls_ocsp.h"
+#include "gnutls_proxy.h"
+#include "gnutls_sni.h"
+#include "gnutls_util.h"
+#include "gnutls_watchdog.h"
+
 #include "http_vhost.h"
 #include "ap_mpm.h"
-#include "mod_status.h"
+#include <mod_status.h>
 #include <util_mutex.h>
 #include <apr_escape.h>
+/* This provides strcmp and related functions */
+#define APR_WANT_STRFUNC
+#include <apr_want.h>
 
 #ifdef ENABLE_MSVA
 #include <msv/msv.h>
@@ -48,16 +57,16 @@ static apr_file_t *debug_log_fp;
  * regular key rotation. */
 static gnutls_datum_t session_ticket_key = {NULL, 0};
 
+
+
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
-/* use side==0 for server and side==1 for client */
+/** use side==0 for server and side==1 for client */
 static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, size_t export_cert_size);
-static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, size_t export_cert_size);
+mgs_srvconf_rec* mgs_find_sni_server(mgs_handle_t *ctxt);
 static int mgs_status_hook(request_rec *r, int flags);
 #ifdef ENABLE_MSVA
 static const char* mgs_x509_construct_uid(request_rec * pool, gnutls_x509_crt_t cert);
 #endif
-static int load_proxy_x509_credentials(apr_pool_t *pconf, apr_pool_t *ptemp, server_rec *s)
-    __attribute__((nonnull));
 
 /* Pool Cleanup Function */
 apr_status_t mgs_cleanup_pre_config(void *data __attribute__((unused)))
@@ -69,8 +78,9 @@ apr_status_t mgs_cleanup_pre_config(void
     gnutls_free(session_ticket_key.data);
     session_ticket_key.data = NULL;
     session_ticket_key.size = 0;
-	/* Deinitialize GnuTLS Library */
-    gnutls_global_deinit();
+
+    /* Deinit default priority setting */
+    mgs_default_priority_deinit();
     return APR_SUCCESS;
 }
 
@@ -117,13 +127,6 @@ int mgs_hook_pre_config(apr_pool_t * pco
         return DONE;
     }
 
-	/* Initialize GnuTLS Library */
-    ret = gnutls_global_init();
-    if (ret < 0) {
-		ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, plog, "gnutls_global_init: %s", gnutls_strerror(ret));
-		return DONE;
-    }
-
 	/* Generate a Session Key */
     ret = gnutls_session_ticket_key_generate(&session_ticket_key);
     if (ret < 0) {
@@ -131,10 +134,22 @@ int mgs_hook_pre_config(apr_pool_t * pco
 		return DONE;
     }
 
+    /* Initialize default priority setting */
+    ret = mgs_default_priority_init();
+    if (ret < 0)
+    {
+        ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, plog,
+                      "gnutls_priority_init failed for default '%s': %s (%d)",
+                      MGS_DEFAULT_PRIORITY, gnutls_strerror(ret), ret);
+        return DONE;
+    }
+
     AP_OPTIONAL_HOOK(status_hook, mgs_status_hook, NULL, NULL, APR_HOOK_MIDDLE);
 
     ap_mutex_register(pconf, MGS_CACHE_MUTEX_NAME, NULL, APR_LOCK_DEFAULT, 0);
     ap_mutex_register(pconf, MGS_OCSP_MUTEX_NAME, NULL, APR_LOCK_DEFAULT, 0);
+    ap_mutex_register(pconf, MGS_OCSP_CACHE_MUTEX_NAME, NULL,
+                      APR_LOCK_DEFAULT, 0);
 
     /* Register a pool clean-up function */
     apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config, apr_pool_cleanup_null);
@@ -142,54 +157,229 @@ int mgs_hook_pre_config(apr_pool_t * pco
     return OK;
 }
 
-static int mgs_select_virtual_server_cb(gnutls_session_t session) {
 
-    mgs_handle_t *ctxt = NULL;
-    mgs_srvconf_rec *tsc = NULL;
-    int ret = 0;
 
-    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
+/**
+ * Get the list of available protocols for this connection and add it
+ * to the GnuTLS session. Must run before the client hello function.
+ */
+static void prepare_alpn_proposals(mgs_handle_t *ctxt)
+{
+    /* Check if any protocol upgrades are available
+     *
+     * The "report_all" parameter to ap_get_protocol_upgrades() is 0
+     * (report only more preferable protocols) because setting it to 1
+     * doesn't actually report ALL protocols, but only all except the
+     * current one. This way we can at least list the current one as
+     * available by appending it without potentially negotiating a
+     * less preferred protocol. */
+    const apr_array_header_t *pupgrades = NULL;
+    apr_status_t ret =
+        ap_get_protocol_upgrades(ctxt->c, NULL, ctxt->sc->s,
+                                 /*report_all*/ 0, &pupgrades);
+    if (ret != APR_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, ctxt->c,
+                      "%s: ap_get_protocol_upgrades() failed, "
+                      "cannot configure ALPN!", __func__);
+        return;
+    }
 
-    ctxt = gnutls_transport_get_ptr(session);
+    if (pupgrades == NULL || pupgrades->nelts == 0)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, ctxt->c,
+                      "%s: No protocol upgrades available.", __func__);
+        return;
+    }
 
-    /* find the virtual server */
-    tsc = mgs_find_sni_server(session);
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, ctxt->c,
+                  "%s: Found %d protocol upgrade(s) for ALPN: %s",
+                  __func__, pupgrades->nelts,
+                  apr_array_pstrcat(ctxt->c->pool, pupgrades, ','));
+    gnutls_datum_t *alpn_protos =
+        mgs_str_array_to_datum_array(pupgrades,
+                                     ctxt->c->pool,
+                                     pupgrades->nelts + 1);
+
+    /* Add the current (default) protocol at the end of the list */
+    alpn_protos[pupgrades->nelts].data =
+        (void*) apr_pstrdup(ctxt->c->pool, ap_get_protocol(ctxt->c));
+    alpn_protos[pupgrades->nelts].size =
+        strlen((char*) alpn_protos[pupgrades->nelts].data);
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, ctxt->c,
+                  "%s: Adding current protocol %s to ALPN set.",
+                  __func__, alpn_protos[pupgrades->nelts].data);
+
+    gnutls_alpn_set_protocols(ctxt->session,
+                              alpn_protos,
+                              pupgrades->nelts,
+                              GNUTLS_ALPN_SERVER_PRECEDENCE);
+}
 
-    if (tsc != NULL) {
-        // Found a TLS vhost based on the SNI from the client; use it instead.
-        ctxt->sc = tsc;
-	}
 
-    gnutls_certificate_server_set_request(session, ctxt->sc->client_verify_mode);
 
-    /* Set x509 credentials */
-    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctxt->sc->certs);
-    /* Set Anon credentials */
-    gnutls_credentials_set(session, GNUTLS_CRD_ANON, ctxt->sc->anon_creds);
+/**
+ * Check if ALPN selected any protocol upgrade, try to switch if so.
+ */
+static int process_alpn_result(mgs_handle_t *ctxt)
+{
+    int ret = 0;
+    gnutls_datum_t alpn_proto;
+    ret = gnutls_alpn_get_selected_protocol(ctxt->session, &alpn_proto);
+    if (ret != GNUTLS_E_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                      "%s: No ALPN result: %s (%d)",
+                      __func__, gnutls_strerror(ret), ret);
+        return GNUTLS_E_SUCCESS;
+    }
+
+    apr_array_header_t *client_protos =
+        apr_array_make(ctxt->c->pool, 1, sizeof(char *));
+    /* apr_pstrndup to ensure that the protocol is null terminated */
+    APR_ARRAY_PUSH(client_protos, char *) =
+        apr_pstrndup(ctxt->c->pool, (char*) alpn_proto.data, alpn_proto.size);
+    const char *selected =
+        ap_select_protocol(ctxt->c, NULL, ctxt->sc->s, client_protos);
+
+    /* ap_select_protocol() will return NULL if none of the ALPN
+     * proposals matched. GnuTLS negotiated alpn_proto based on the
+     * list provided by the server, but the vhost might have changed
+     * based on SNI. Apache seems to adjust the proposal list to avoid
+     * such issues though.
+     *
+     * GnuTLS will return a fatal "no_application_protocol" alert as
+     * required by RFC 7301 if the post client hello function returns
+     * GNUTLS_E_NO_APPLICATION_PROTOCOL. */
+    if (!selected)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
+                      "%s: ap_select_protocol() returned NULL! Please "
+                      "make sure any overlapping vhosts have the same "
+                      "protocols available.",
+                      __func__);
+        return GNUTLS_E_NO_APPLICATION_PROTOCOL;
+    }
+
+    if (strcmp(selected, ap_get_protocol(ctxt->c)) == 0)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                      "%s: Already using protocol '%s', nothing to do.",
+                      __func__, selected);
+        return GNUTLS_E_SUCCESS;
+    }
 
-    if (ctxt->sc->ocsp_staple)
+    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                  "%s: Switching protocol to '%s' based on ALPN.",
+                  __func__, selected);
+    apr_status_t status = ap_switch_protocol(ctxt->c, NULL,
+                                             ctxt->sc->s,
+                                             selected);
+    if (status != APR_SUCCESS)
     {
-        gnutls_certificate_set_ocsp_status_request_function(ctxt->sc->certs,
-                                                            mgs_get_ocsp_response,
-                                                            ctxt);
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, status, ctxt->c,
+                      "%s: Protocol switch to '%s' failed!",
+                      __func__, selected);
+        return GNUTLS_E_NO_APPLICATION_PROTOCOL;
     }
+    /* ALPN done! */
+    return GNUTLS_E_SUCCESS;
+}
+
+
+
+/**
+ * (Re-)Load credentials and priorities for the connection. This is
+ * meant to be called after virtual host selection in the pre or post
+ * client hello hook.
+ */
+static int reload_session_credentials(mgs_handle_t *ctxt)
+{
+    int ret = 0;
+
+    gnutls_certificate_server_set_request(ctxt->session,
+                                          ctxt->sc->client_verify_mode);
+
+    /* Set x509 credentials */
+    gnutls_credentials_set(ctxt->session,
+                           GNUTLS_CRD_CERTIFICATE, ctxt->sc->certs);
+    /* Set Anon credentials */
+    gnutls_credentials_set(ctxt->session, GNUTLS_CRD_ANON,
+                           ctxt->sc->anon_creds);
 
 #ifdef ENABLE_SRP
 	/* Set SRP credentials */
     if (ctxt->sc->srp_tpasswd_conf_file != NULL && ctxt->sc->srp_tpasswd_file != NULL) {
-        gnutls_credentials_set(session, GNUTLS_CRD_SRP, ctxt->sc->srp_creds);
+        gnutls_credentials_set(ctxt->session, GNUTLS_CRD_SRP,
+                               ctxt->sc->srp_creds);
     }
 #endif
 
-    /* update the priorities - to avoid negotiating a ciphersuite that is not
+    /* Enable session tickets */
+    if (session_ticket_key.data != NULL &&
+        ctxt->sc->tickets == GNUTLS_ENABLED_TRUE)
+    {
+        ret = gnutls_session_ticket_enable_server(ctxt->session, &session_ticket_key);
+        if (ret != GNUTLS_E_SUCCESS)
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
+                          "gnutls_session_ticket_enable_server failed: %s (%d)",
+                          gnutls_strerror(ret), ret);
+    }
+
+    /* Update the priorities - to avoid negotiating a ciphersuite that is not
      * enabled on this virtual server. Note that here we ignore the version
-     * negotiation.
-     */
+     * negotiation. */
+    ret = gnutls_priority_set(ctxt->session, ctxt->sc->priorities);
 
-    ret = gnutls_priority_set(session, ctxt->sc->priorities);
-    /* actually it shouldn't fail since we have checked at startup */
     return ret;
+}
+
 
+
+/**
+ * Post client hello hook function for GnuTLS. This function has two
+ * purposes: Firstly, it acts as a fallback for early_sni_hook(), by
+ * parsing SNI and selecting a virtual host based on it if
+ * necessary. Secondly, it calls ALPN processing.
+ *
+ * @param session the TLS session
+ *
+ * @return zero or a GnuTLS error code, as required by GnuTLS hook
+ * definition
+ */
+static int post_client_hello_hook(gnutls_session_t session)
+{
+    int ret = 0;
+    mgs_handle_t *ctxt = gnutls_session_get_ptr(session);
+
+    /* If ctxt->sni_name is set at this point the early_sni_hook()
+     * function ran, found an SNI server name, selected a virtual
+     * host, and set up credentials, so we don't need to do that
+     * again. Otherwise try again, to cover GnuTLS versions < 3.6.3
+     * and pick up future extensions to gnutls_server_name_get(). */
+    if (ctxt->sni_name == NULL)
+    {
+        /* try to find a virtual host */
+        mgs_srvconf_rec *tsc = mgs_find_sni_server(ctxt);
+        if (tsc != NULL)
+        {
+            /* Found a TLS vhost based on the SNI, configure the
+             * connection context. */
+            ctxt->sc = tsc;
+        }
+
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                      "%s: Loading credentials in post client hello hook",
+                      __func__);
+        reload_session_credentials(ctxt);
+    }
+
+    ret = process_alpn_result(ctxt);
+    if (ret != GNUTLS_E_SUCCESS)
+        return ret;
+
+    /* actually it shouldn't fail since we have checked at startup */
+    return ret;
 }
 
 static int cert_retrieve_fn(gnutls_session_t session,
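Review bot: `post_client_hello_hook` discards the return value of `reload_session_credentials(ctxt)`, so a failing `gnutls_priority_set()` for the SNI-selected vhost goes unnoticed. The handshake would presumably continue with whatever priorities the session already had. Propagate it with `ret = reload_session_credentials(ctxt); if (ret != GNUTLS_E_SUCCESS) return ret;`. The trailing comment "actually it shouldn't fail since we have checked at startup" belonged to that priority call and now sits above the ALPN result, where the preceding `if (ret != GNUTLS_E_SUCCESS) return ret;` is redundant. In `prepare_alpn_proposals` the current protocol is stored at index `pupgrades->nelts` but `gnutls_alpn_set_protocols()` gets `pupgrades->nelts` as the count, so the appended entry appears never to be offered; `pupgrades->nelts + 1` would match the comment.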
@@ -218,100 +408,144 @@ static int cert_retrieve_fn(gnutls_sessi
         *pcert_length = ctxt->sc->certs_x509_chain_num;
         *privkey = ctxt->sc->privkey_x509;
         return 0;
-    } else if (gnutls_certificate_type_get(session) == GNUTLS_CRT_OPENPGP) {
-		// OPENPGP CERTIFICATE
-        *pcerts = ctxt->sc->cert_pgp;
-        *pcert_length = 1;
-        *privkey = ctxt->sc->privkey_pgp;
-        return 0;
     } else {
 		// UNKNOWN CERTIFICATE
 	    return -1;
 	}
 }
 
-/* Read the common name or the alternative name of the certificate.
- * We only support a single name per certificate.
- *
- * Returns negative on error.
- */
-static int read_crt_cn(server_rec * s, apr_pool_t * p, gnutls_x509_crt_t cert, char **cert_cn) {
-
-    int rv = 0;
-    size_t data_len;
 
 
-    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-    *cert_cn = NULL;
-
-    data_len = 0;
-    rv = gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, NULL, &data_len);
-
-    if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
-        *cert_cn = apr_palloc(p, data_len);
-        rv = gnutls_x509_crt_get_dn_by_oid(cert,
-                GNUTLS_OID_X520_COMMON_NAME,
-                0, 0, *cert_cn,
-                &data_len);
-    } else { /* No CN return subject alternative name */
-        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                "No common name found in certificate for '%s:%d'. Looking for subject alternative name...",
-                s->server_hostname, s->port);
-        rv = 0;
-        /* read subject alternative name */
-        for (int i = 0; !(rv < 0); i++)
-        {
-            data_len = 0;
-            rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
-                    NULL,
-                    &data_len,
-                    NULL);
-
-            if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER
-                    && data_len > 1) {
-                /* FIXME: not very efficient. What if we have several alt names
-                 * before DNSName?
-                 */
-                *cert_cn = apr_palloc(p, data_len + 1);
-
-                rv = gnutls_x509_crt_get_subject_alt_name
-                        (cert, i, *cert_cn, &data_len, NULL);
-                (*cert_cn)[data_len] = 0;
-
-                if (rv == GNUTLS_SAN_DNSNAME)
-                    break;
-            }
-        }
+#if GNUTLS_VERSION_NUMBER >= 0x030506
+#define HAVE_KNOWN_DH_GROUPS 1
+#endif
+#ifdef HAVE_KNOWN_DH_GROUPS
+/**
+ * Try to estimate a GnuTLS security parameter based on the given
+ * private key. Any errors are logged.
+ *
+ * @param s The `server_rec` to use for logging
+ *
+ * @param key The private key to use
+ *
+ * @return `gnutls_sec_param_t` as returned by
+ * `gnutls_pk_bits_to_sec_param` for the key properties, or
+ * GNUTLS_SEC_PARAM_UNKNOWN in case of error
+ */
+static gnutls_sec_param_t sec_param_from_privkey(server_rec *server,
+                                                 gnutls_privkey_t key)
+{
+    unsigned int bits = 0;
+    int pk_algo = gnutls_privkey_get_pk_algorithm(key, &bits);
+    if (pk_algo < 0)
+    {
+        ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, server,
+                     "%s: Could not get private key parameters: %s (%d)",
+                     __func__, gnutls_strerror(pk_algo), pk_algo);
+        return GNUTLS_SEC_PARAM_UNKNOWN;
     }
-
-    return rv;
+    return gnutls_pk_bits_to_sec_param(pk_algo, bits);
 }
+#else
+/** ffdhe2048 DH group as defined in RFC 7919, Appendix A.1. This is
+ * the default DH group if mod_gnutls is compiled agains a GnuTLS
+ * version that does not provide known DH groups based on security
+ * parameters (before 3.5.6). */
+static const char FFDHE2048_PKCS3[] =
+    "-----BEGIN DH PARAMETERS-----\n"
+    "MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
+    "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
+    "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
+    "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
+    "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
+    "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICAQA=\n"
+    "-----END DH PARAMETERS-----\n";
+const gnutls_datum_t default_dh_params = {
+    (void *) FFDHE2048_PKCS3,
+    sizeof(FFDHE2048_PKCS3)
+};
+#endif
 
-static int read_pgpcrt_cn(server_rec * s, apr_pool_t * p,
-        gnutls_openpgp_crt_t cert, char **cert_cn) {
-    int rv = 0;
-    size_t data_len;
 
 
-    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-    *cert_cn = NULL;
-
-    data_len = 0;
-    rv = gnutls_openpgp_crt_get_name(cert, 0, NULL, &data_len);
+/**
+ * Configure the default DH groups to use for the given server. When
+ * compiled against GnuTLS version 3.5.6 or newer the known DH group
+ * matching the GnuTLS security parameter estimated from the private
+ * key is used. Otherwise the ffdhe2048 DH group as defined in RFC
+ * 7919, Appendix A.1 is the default.
+ *
+ * @param server the host to configure
+ *
+ * @return `OK` on success, `HTTP_UNAUTHORIZED` otherwise
+ */
+static int set_default_dh_param(server_rec *server)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(server->module_config, &gnutls_module);
 
-    if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
-        *cert_cn = apr_palloc(p, data_len);
-        rv = gnutls_openpgp_crt_get_name(cert, 0, *cert_cn,
-                &data_len);
-    } else { /* No CN return subject alternative name */
-        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
-                "No name found in PGP certificate for '%s:%d'.",
-                s->server_hostname, s->port);
+#ifdef HAVE_KNOWN_DH_GROUPS
+    gnutls_sec_param_t seclevel = GNUTLS_SEC_PARAM_UNKNOWN;
+    if (sc->privkey_x509)
+    {
+        seclevel = sec_param_from_privkey(server, sc->privkey_x509);
+        ap_log_error(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, server,
+                     "%s: GnuTLS security param estimated based on "
+                     "private key '%s': %s",
+                     __func__, sc->x509_key_file,
+                     gnutls_sec_param_get_name(seclevel));
+    }
+
+    if (seclevel == GNUTLS_SEC_PARAM_UNKNOWN)
+        seclevel = GNUTLS_SEC_PARAM_MEDIUM;
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, server,
+                 "%s: Setting DH params for security level '%s'.",
+                 __func__, gnutls_sec_param_get_name(seclevel));
+
+    int ret = gnutls_certificate_set_known_dh_params(sc->certs, seclevel);
+    if (ret < 0)
+    {
+        ap_log_error(APLOG_MARK, APLOG_EMERG, APR_EGENERAL, server,
+                     "%s: setting known DH params failed: %s (%d)",
+                     __func__, gnutls_strerror(ret), ret);
+        return HTTP_UNAUTHORIZED;
+    }
+    ret = gnutls_anon_set_server_known_dh_params(sc->anon_creds, seclevel);
+    if (ret < 0)
+    {
+        ap_log_error(APLOG_MARK, APLOG_EMERG, APR_EGENERAL, server,
+                     "%s: setting known DH params failed: %s (%d)",
+                     __func__, gnutls_strerror(ret), ret);
+        return HTTP_UNAUTHORIZED;
+    }
+#else
+    int ret = gnutls_dh_params_init(&sc->dh_params);
+    if (ret < 0)
+    {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
+                     "%s: Failed to initialize DH params structure: "
+                     "%s (%d)", __func__, gnutls_strerror(ret), ret);
+        return HTTP_UNAUTHORIZED;
+    }
+    ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &default_dh_params,
+                                        GNUTLS_X509_FMT_PEM);
+    if (ret < 0)
+    {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
+                     "%s: Failed to import default DH params: %s (%d)",
+                     __func__, gnutls_strerror(ret), ret);
+        return HTTP_UNAUTHORIZED;
     }
 
-    return rv;
+    gnutls_certificate_set_dh_params(sc->certs, sc->dh_params);
+    gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params);
+#endif
+
+    return OK;
 }
 
+
+
 /**
  * Post config hook.
  *
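Review bot: `default_dh_params` in the `#else` branch is defined without `static`, so it gets external linkage although, as far as this hunk shows, only `set_default_dh_param` uses it. Its size is `sizeof(FFDHE2048_PKCS3)`, which counts the terminating NUL as part of the PEM data. `static const gnutls_datum_t default_dh_params` with `sizeof(FFDHE2048_PKCS3) - 1` would be tighter. The doc comment of `sec_param_from_privkey` documents `@param s` while the parameter is named `server`, and the FFDHE2048 comment has the typo "agains".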
@@ -327,7 +561,6 @@ int mgs_hook_post_config(apr_pool_t *pco
 {
     int rv;
     server_rec *s;
-    gnutls_dh_params_t dh_params = NULL;
     mgs_srvconf_rec *sc;
     mgs_srvconf_rec *sc_base;
     void *data = NULL;
@@ -344,7 +577,7 @@ int mgs_hook_post_config(apr_pool_t *pco
     sc_base = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module);
 
 
-    rv = mgs_cache_post_config(pconf, s, sc_base);
+    rv = mgs_cache_post_config(pconf, ptemp, s, sc_base);
     if (rv != APR_SUCCESS)
     {
         ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
@@ -358,12 +591,7 @@ int mgs_hook_post_config(apr_pool_t *pco
                                     MGS_OCSP_MUTEX_NAME, NULL,
                                     base_server, pconf, 0);
         if (rv != APR_SUCCESS)
-        {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, base_server,
-                         "Failed to create mutex '" MGS_OCSP_MUTEX_NAME
-                         "'.");
-            return HTTP_INTERNAL_SERVER_ERROR;
-        }
+            return rv;
     }
 
     /* If GnuTLSP11Module is set, load the listed PKCS #11
@@ -386,47 +614,44 @@ int mgs_hook_post_config(apr_pool_t *pco
                     APR_ARRAY_IDX(sc_base->p11_modules, i, char *);
                 rv = gnutls_pkcs11_add_provider(p11_module, NULL);
                 if (rv != GNUTLS_E_SUCCESS)
-                    ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                    ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EGENERAL, s,
                                  "GnuTLS: Loading PKCS #11 provider module %s "
                                  "failed: %s (%d).",
                                  p11_module, gnutls_strerror(rv), rv);
+                else
+                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                                 "%s: PKCS #11 provider module %s loaded.",
+                                 __func__, p11_module);
             }
         }
     }
 
+    sc_base->singleton_wd =
+        mgs_new_singleton_watchdog(base_server, MGS_SINGLETON_WATCHDOG, pconf);
+
     for (s = base_server; s; s = s->next)
     {
         sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module);
-        sc->cache_type = sc_base->cache_type;
-        sc->cache_config = sc_base->cache_config;
-        sc->cache_timeout = sc_base->cache_timeout;
+        sc->s = s;
+        sc->cache_enable = sc_base->cache_enable;
         sc->cache = sc_base->cache;
+        if (sc->cache_timeout == MGS_TIMEOUT_UNSET)
+            sc->cache_timeout = sc_base->cache_timeout;
+        sc->ocsp_cache = sc_base->ocsp_cache;
 
-        rv = mgs_load_files(pconf, ptemp, s);
-        if (rv != 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                "GnuTLS: Loading required files failed."
-                " Shutting Down.");
-            return HTTP_NOT_FOUND;
-        }
-
-        if (sc->ocsp_staple == GNUTLS_ENABLED_UNSET)
-            sc->ocsp_staple = GNUTLS_ENABLED_FALSE;
-
-        sc->ocsp_mutex = sc_base->ocsp_mutex;
-        /* init OCSP configuration if OCSP is enabled for this host */
-        if (sc->ocsp_staple)
-        {
-            rv = mgs_ocsp_post_config_server(pconf, ptemp, s);
-            if (rv != OK && rv != DECLINED)
-                return rv;
-        }
+        sc->singleton_wd = sc_base->singleton_wd;
 
         /* defaults for unset values: */
         if (sc->enabled == GNUTLS_ENABLED_UNSET)
             sc->enabled = GNUTLS_ENABLED_FALSE;
         if (sc->tickets == GNUTLS_ENABLED_UNSET)
-            sc->tickets = GNUTLS_ENABLED_FALSE;
+        {
+            /* GnuTLS 3.6.4 introduced automatic master key rotation */
+            if (gnutls_check_version_numeric(3, 6, 4))
+                sc->tickets = GNUTLS_ENABLED_TRUE;
+            else
+                sc->tickets = GNUTLS_ENABLED_FALSE;
+        }
         if (sc->export_certificates_size < 0)
             sc->export_certificates_size = 0;
         if (sc->client_verify_mode == -1)
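Review bot: The new default in the `sc->tickets == GNUTLS_ENABLED_UNSET` block turns session tickets on or off depending on the GnuTLS version found at run time, and nothing records which default was chosen. The same configuration therefore gives different resumption behaviour on hosts with different GnuTLS versions, which matters when someone reviews the forward-secrecy posture of a deployment. A debug line inside that block would make the choice visible, for example `ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "%s: session tickets default to %s", __func__, sc->tickets == GNUTLS_ENABLED_TRUE ? "on" : "off");`. The existing comment could also say that an explicitly configured value is left untouched. mgs_hook_post_config starts and ends outside this hunk.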
@@ -434,21 +659,75 @@ int mgs_hook_post_config(apr_pool_t *pco
         if (sc->client_verify_method == mgs_cvm_unset)
             sc->client_verify_method = mgs_cvm_cartel;
 
+        // TODO: None of the stuff below needs to be done if
+        // sc->enabled == GNUTLS_ENABLED_FALSE, we could just continue
+        // to the next host.
+
+        /* Load certificates and stuff (includes parsing priority) */
+        rv = mgs_load_files(pconf, ptemp, s);
+        if (rv != 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "%s: Loading credentials failed!", __func__);
+            return HTTP_NOT_FOUND;
+        }
+
+        sc->ocsp_mutex = sc_base->ocsp_mutex;
+        /* init OCSP configuration unless explicitly disabled */
+        if (sc->enabled && sc->ocsp_staple != GNUTLS_ENABLED_FALSE)
+        {
+            const char *err = mgs_ocsp_configure_stapling(pconf, ptemp, s);
+            if (err != NULL)
+            {
+                /* If OCSP stapling is enabled only by default ignore
+                 * error and disable stapling */
+                if (sc->ocsp_staple == GNUTLS_ENABLED_UNSET)
+                {
+                    ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s,
+                                 "Cannnot enable OCSP stapling for "
+                                 "host '%s:%d': %s",
+                                 s->server_hostname, s->addrs->host_port, err);
+                    sc->ocsp_staple = GNUTLS_ENABLED_FALSE;
+                }
+                /* If OCSP stapling is explicitly enabled this is a
+                 * critical error. */
+                else
+                {
+                    ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EINVAL, s,
+                                 "OCSP stapling configuration failed for "
+                                 "host '%s:%d': %s",
+                                 s->server_hostname, s->addrs->host_port, err);
+                    return HTTP_INTERNAL_SERVER_ERROR;
+                }
+            }
+            else
+            {
+                /* Might already be set */
+                sc->ocsp_staple = GNUTLS_ENABLED_TRUE;
+                /* Set up stapling */
+                rv = mgs_ocsp_enable_stapling(pconf, ptemp, s);
+                if (rv != OK && rv != DECLINED)
+                    return rv;
+            }
+        }
+
         /* Check if the priorities have been set */
         if (sc->priorities == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                    "GnuTLS: Host '%s:%d' is missing the GnuTLSPriorities directive!",
-                    s->server_hostname, s->port);
-            return HTTP_NOT_ACCEPTABLE;
+            ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                         "No GnuTLSPriorities directive for host '%s:%d', "
+                         "using default '%s'.",
+                         s->server_hostname, s->addrs->host_port,
+                         MGS_DEFAULT_PRIORITY);
+            sc->priorities = mgs_get_default_prio();
         }
 
-        /* Check if DH params have been set per host */
+        /* Set host DH params from user configuration or defaults */
         if (sc->dh_params != NULL) {
             gnutls_certificate_set_dh_params(sc->certs, sc->dh_params);
             gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params);
-        } else if (dh_params) {
-            gnutls_certificate_set_dh_params(sc->certs, dh_params);
-            gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params);
+        } else {
+            rv = set_default_dh_param(s);
+            if (rv != OK)
+                return rv;
         }
 
         /* The call after this comment is a workaround for bug in
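Review bot: The message logged when default-on stapling cannot be configured is misspelled: `"Cannnot enable OCSP stapling for "` should read `"Cannot enable OCSP stapling for "`. That branch logs at APLOG_INFO and then sets `sc->ocsp_staple = GNUTLS_ENABLED_FALSE`, so with Apache's default `LogLevel warn` an operator gets no indication that the host runs without stapled responses. If stapling is meant to be the expected state, APLOG_WARNING would fit better there. The enclosing loop in mgs_hook_post_config starts and ends outside this hunk.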
@@ -467,40 +746,21 @@ int mgs_hook_post_config(apr_pool_t *pco
         gnutls_certificate_set_retrieve_function2(sc->certs, cert_retrieve_fn);
 
         if ((sc->certs_x509_chain == NULL || sc->certs_x509_chain_num < 1) &&
-            sc->cert_pgp == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
+            sc->enabled == GNUTLS_ENABLED_TRUE) {
 			ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
 						"GnuTLS: Host '%s:%d' is missing a Certificate File!",
-						s->server_hostname, s->port);
+						s->server_hostname, s->addrs->host_port);
             return HTTP_UNAUTHORIZED;
         }
         if (sc->enabled == GNUTLS_ENABLED_TRUE &&
-            ((sc->certs_x509_chain_num > 0 && sc->privkey_x509 == NULL) ||
-             (sc->cert_crt_pgp != NULL && sc->privkey_pgp == NULL)))
+            (sc->certs_x509_chain_num > 0 && sc->privkey_x509 == NULL))
         {
 			ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
 						"GnuTLS: Host '%s:%d' is missing a Private Key File!",
-						s->server_hostname, s->port);
+						s->server_hostname, s->addrs->host_port);
             return HTTP_UNAUTHORIZED;
         }
 
-        if (sc->enabled == GNUTLS_ENABLED_TRUE) {
-            rv = -1;
-            if (sc->certs_x509_chain_num > 0) {
-                rv = read_crt_cn(s, pconf, sc->certs_x509_crt_chain[0], &sc->cert_cn);
-            }
-            if (rv < 0 && sc->cert_pgp != NULL) {
-                rv = read_pgpcrt_cn(s, pconf, sc->cert_crt_pgp[0], &sc->cert_cn);
-			}
-
-            if (rv < 0) {
-                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-							"GnuTLS: Cannot find a certificate for host '%s:%d'!",
-							s->server_hostname, s->port);
-                sc->cert_cn = NULL;
-                continue;
-            }
-        }
-
         if (sc->enabled == GNUTLS_ENABLED_TRUE
             && sc->proxy_enabled == GNUTLS_ENABLED_TRUE
             && load_proxy_x509_credentials(pconf, ptemp, s) != APR_SUCCESS)
@@ -508,7 +768,7 @@ int mgs_hook_post_config(apr_pool_t *pco
             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                          "%s: loading proxy credentials for host "
                          "'%s:%d' failed, exiting!",
-                         __func__, s->server_hostname, s->port);
+                         __func__, s->server_hostname, s->addrs->host_port);
             return HTTP_PROXY_AUTHENTICATION_REQUIRED;
         }
     }
@@ -545,15 +805,24 @@ void mgs_hook_child_init(apr_pool_t *p,
 	    exit(-1);
     }
 
-    if (sc->cache_type != mgs_cache_none) {
-        rv = mgs_cache_child_init(p, s, sc);
-        if (rv != APR_SUCCESS) {
+    if (sc->cache_enable == GNUTLS_ENABLED_TRUE)
+    {
+        rv = mgs_cache_child_init(p, s, sc->cache, MGS_CACHE_MUTEX_NAME);
+        if (rv != APR_SUCCESS)
             ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
-                    "GnuTLS: Failed to run Cache Init");
-        }
+                    "Child init for session cache failed!");
     }
 
-    /* reinit OCSP mutex */
+    if (sc->ocsp_cache != NULL)
+    {
+        rv = mgs_cache_child_init(p, s, sc->ocsp_cache,
+                                  MGS_OCSP_CACHE_MUTEX_NAME);
+        if (rv != APR_SUCCESS)
+            ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
+                    "Child init for OCSP cache failed!");
+    }
+
+    /* reinit OCSP request mutex */
     const char *lockfile = apr_global_mutex_lockfile(sc->ocsp_mutex);
     rv = apr_global_mutex_child_init(&sc->ocsp_mutex, lockfile, p);
     if (rv != APR_SUCCESS)
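Review bot: The added OCSP cache block logs a failed `mgs_cache_child_init` at APLOG_EMERG and then lets the child carry on, the same way the session cache block above it does. Whether later code copes with a cache whose child init failed is not visible in this hunk. If it does, APLOG_EMERG overstates the problem; if it does not, the child should stop here as the `exit(-1)` path at the top of the hunk does. Either way a one-line comment stating that the child is expected to keep serving without a working cache would make the intent clear. mgs_hook_child_init starts and ends outside this hunk.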
@@ -605,7 +874,7 @@ apr_port_t mgs_hook_default_port(const r
     return 443;
 }
 
-#define MAX_HOST_LEN 255
+
 
 typedef struct {
     mgs_handle_t *ctxt;
@@ -625,46 +894,46 @@ typedef struct {
  */
 int check_server_aliases(vhost_cb_rec *x, server_rec * s, mgs_srvconf_rec *tsc)
 {
-	apr_array_header_t *names;
-	int rv = 0;
-	char ** name;
-
-	/* Check ServerName First! */
-	if(apr_strnatcasecmp(x->sni_name, s->server_hostname) == 0) {
-		// We have a match, save this server configuration
-		x->sc = tsc;
-		rv = 1;
-	/* Check any ServerAlias directives */
-	} else if(s->names->nelts) {
-		names = s->names;
-		name = (char **)names->elts;
-		for (int i = 0; i < names->nelts; ++i)
+    apr_array_header_t *names;
+    int rv = 0;
+    char ** name;
+
+    /* Check ServerName First! */
+    if (strcasecmp(x->sni_name, s->server_hostname) == 0) {
+        // We have a match, save this server configuration
+        x->sc = tsc;
+        rv = 1;
+        /* Check any ServerAlias directives */
+    } else if(s->names->nelts) {
+        names = s->names;
+        name = (char **) names->elts;
+        for (int i = 0; i < names->nelts; ++i)
         {
-			if (!name[i]) { continue; }
-				if (apr_strnatcasecmp(x->sni_name, name[i]) == 0) {
-					// We have a match, save this server configuration
-					x->sc = tsc;
-					rv = 1;
-			}
-		}
-	/* Wild any ServerAlias Directives */
-	} else if(s->wild_names->nelts) {
-		names = s->wild_names;
-    	name = (char **)names->elts;
-		for (int i = 0; i < names->nelts; ++i)
+            if (!name[i])
+                continue;
+            if (strcasecmp(x->sni_name, name[i]) == 0)
+            {
+                // We have a match, save this server configuration
+                x->sc = tsc;
+                rv = 1;
+            }
+        }
+        /* ServerAlias directives may contain wildcards, check those last. */
+    } else if(s->wild_names->nelts) {
+        names = s->wild_names;
+        name = (char **) names->elts;
+        for (int i = 0; i < names->nelts; ++i)
         {
-			if (!name[i]) { continue; }
-				if(apr_fnmatch(name[i], x->sni_name ,
-								APR_FNM_CASE_BLIND|
-								APR_FNM_PERIOD|
-								APR_FNM_PATHNAME|
-								APR_FNM_NOESCAPE) == APR_SUCCESS) {
-				x->sc = tsc;
-				rv = 1;
-			}
-		}
-	}
-	return rv;
+            if (!name[i])
+                continue;
+            if (ap_strcasecmp_match(x->sni_name, name[i]) == 0)
+            {
+                x->sc = tsc;
+                rv = 1;
+            }
+        }
+    }
+    return rv;
 }
 
 static int vhost_cb(void *baton, conn_rec *conn, server_rec * s)
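Review bot: Wildcard aliases are still reached only through `} else if(s->wild_names->nelts) {`, so a host with at least one plain ServerAlias that did not match never has its wildcard aliases compared with the SNI name. The rewrite carries that chain over from the old code. Closing the chain after the `names` loop and opening the wildcard loop with `if (rv == 0 && s->wild_names->nelts) {` would check both lists. The comments `/* Check any ServerAlias directives */` and `/* ServerAlias directives may contain wildcards, check those last. */` also sit at the end of the preceding branch and would read better as the first line inside the branch they describe.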
@@ -677,7 +946,7 @@ static int vhost_cb(void *baton, conn_re
     tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
             &gnutls_module);
 
-    if (tsc->enabled != GNUTLS_ENABLED_TRUE || tsc->cert_cn == NULL) {
+    if (tsc->enabled != GNUTLS_ENABLED_TRUE) {
         return 0;
     }
 
@@ -698,49 +967,121 @@ static int vhost_cb(void *baton, conn_re
 	return check_server_aliases(x, s, tsc);
 }
 
-mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session)
+/**
+ * Get SNI data from GnuTLS (if any) and search for a matching virtual
+ * host configuration. This method is called from the post client
+ * hello function.
+ *
+ * @param ctxt the mod_gnutls connection handle
+ *
+ * @return either the matching mod_gnutls server config, or `NULL`
+ */
+mgs_srvconf_rec *mgs_find_sni_server(mgs_handle_t *ctxt)
 {
-    int rv;
-    unsigned int sni_type;
-    size_t data_len = MAX_HOST_LEN;
-    char sni_name[MAX_HOST_LEN];
-    mgs_handle_t *ctxt;
-    vhost_cb_rec cbx;
+    if (ctxt->sni_name == NULL)
+    {
+        const char *sni_name = mgs_server_name_get(ctxt);
+        if (sni_name != NULL)
+            ctxt->sni_name = sni_name;
+        else
+            return NULL;
+    }
 
-    if (session == NULL)
-        return NULL;
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                  "%s: client requested server '%s'.",
+                  __func__, ctxt->sni_name);
+
+    /* Search for vhosts matching connection parameters and the
+     * SNI. If a match is found, cbx.sc will contain the mod_gnutls
+     * server config for the vhost. */
+    vhost_cb_rec cbx = {
+        .ctxt = ctxt,
+        .sc = NULL,
+        .sni_name = ctxt->sni_name
+    };
+    int rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
+    if (rv == 1) {
+        return cbx.sc;
+    }
+    return NULL;
+}
 
-    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-    ctxt = gnutls_transport_get_ptr(session);
 
-    rv = gnutls_server_name_get(ctxt->session, sni_name,
-            &data_len, &sni_type, 0);
 
-    if (rv != 0) {
-        return NULL;
-    }
+#ifdef ENABLE_EARLY_SNI
+/**
+ * Pre client hello hook function for GnuTLS that implements early SNI
+ * processing using `gnutls_ext_raw_parse()` (available since GnuTLS
+ * 3.6.3). Reading the SNI (if any) before GnuTLS processes the client
+ * hello allows loading virtual host settings that cannot be changed
+ * in the post client hello hook, including ALPN proposals (required
+ * for HTTP/2 support using the `Protocols` directive). In addition to
+ * ALPN this function configures the server credentials.
+ *
+ * The function signature is required by the GnuTLS API.
+ *
+ * @param session the current session
+ * @param htype handshake message type
+ * @param when hook position relative to GnuTLS processing
+ * @param incoming true if the message is incoming, for client hello
+ * that means the hook is running on the server
+ * @param msg raw message data
+ *
+ * @return `GNUTLS_E_SUCCESS` or a GnuTLS error code
+ */
+static int early_sni_hook(gnutls_session_t session,
+                          unsigned int htype,
+                          unsigned when,
+                          unsigned int incoming,
+                          const gnutls_datum_t *msg)
+{
+    if (!incoming)
+        return 0;
 
-    if (sni_type != GNUTLS_NAME_DNS) {
-        ap_log_cerror(APLOG_MARK, APLOG_CRIT, 0, ctxt->c,
-                      "GnuTLS: Unknown type '%d' for SNI: '%s'",
-                      sni_type, sni_name);
-        return NULL;
+    mgs_handle_t *ctxt = (mgs_handle_t *) gnutls_session_get_ptr(session);
+
+    /* This is a hook for pre client hello ONLY! */
+    if (htype != GNUTLS_HANDSHAKE_CLIENT_HELLO || when != GNUTLS_HOOK_PRE)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EINVAL, ctxt->c,
+                      "%s called outside pre client hello hook, this "
+                      "indicates a programming error!",
+                      __func__);
+        return GNUTLS_E_SELF_TEST_ERROR;
     }
 
-    /**
-     * Code in the Core already sets up the c->base_server as the base
-     * for this IP/Port combo.  Trust that the core did the 'right' thing.
-     */
-    cbx.ctxt = ctxt;
-    cbx.sc = NULL;
-    cbx.sni_name = sni_name;
+    int ret = gnutls_ext_raw_parse(session, mgs_sni_ext_hook, msg,
+                                   GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
+    if (ret == 0 && ctxt->sni_name != NULL)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                      "%s found SNI name: '%s'",
+                      __func__, ctxt->sni_name);
 
-    rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
-    if (rv == 1) {
-        return cbx.sc;
+        /* try to find a virtual host for that name */
+        mgs_srvconf_rec *tsc = mgs_find_sni_server(ctxt);
+        if (tsc != NULL)
+        {
+            /* Found a TLS vhost based on the SNI, configure the
+             * connection context. */
+            ctxt->sc = tsc;
+            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                          "%s: Selected virtual host %s from early SNI, "
+                          "connection server is %s.",
+                          __func__, ctxt->sc->s->server_hostname,
+                          ctxt->c->base_server->server_hostname);
+        }
     }
-    return NULL;
+
+    reload_session_credentials(ctxt);
+
+    prepare_alpn_proposals(ctxt);
+
+    return ret;
 }
+#endif
+
+
 
 /**
  * This function is intended as a cleanup handler for connections
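Review bot: mgs_find_sni_server now takes the name from `ctxt->sni_name` or `mgs_server_name_get(ctxt)` and no longer performs the `sni_type != GNUTLS_NAME_DNS` check the removed code had, and the doc comment does not say where that validation now lives. With early SNI the name is filled in through `mgs_sni_ext_hook` from the raw client hello, and both the vhost lookup and the `strcasecmp` in mgs_req_vhost_check treat it as a C string. The parser therefore has to reject non-DNS name types and names containing NUL bytes; neither helper is visible in this hunk, so that is worth confirming. I would state the contract in the doc comment, for example `@param ctxt the mod_gnutls connection handle; ctxt->sni_name, if set, is a validated NUL-terminated DNS host name`.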
@@ -788,23 +1129,11 @@ static apr_status_t cleanup_gnutls_sessi
 
 static void create_gnutls_handle(conn_rec * c)
 {
-    /* Get mod_gnutls server configuration */
-    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-            ap_get_module_config(c->base_server->module_config, &gnutls_module);
-
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
 
     /* Get connection specific configuration */
-    mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module);
-    if (ctxt == NULL)
-    {
-        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
-        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
-        ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
-    }
+    mgs_handle_t *ctxt = init_gnutls_ctxt(c);
     ctxt->enabled = GNUTLS_ENABLED_TRUE;
-    ctxt->c = c;
-    ctxt->sc = sc;
     ctxt->status = 0;
     ctxt->input_rc = APR_SUCCESS;
     ctxt->input_bb = apr_brigade_create(c->pool, c->bucket_alloc);
@@ -824,11 +1153,6 @@ static void create_gnutls_handle(conn_re
             ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
                           "gnutls_init for proxy connection failed: %s (%d)",
                           gnutls_strerror(err), err);
-        err = gnutls_session_ticket_enable_client(ctxt->session);
-        if (err != GNUTLS_E_SUCCESS)
-            ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
-                          "gnutls_session_ticket_enable_client failed: %s (%d)",
-                          gnutls_strerror(err), err);
     }
     else
     {
@@ -838,16 +1162,6 @@ static void create_gnutls_handle(conn_re
             ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
                           "gnutls_init for server side failed: %s (%d)",
                           gnutls_strerror(err), err);
-        /* Initialize Session Tickets */
-        if (session_ticket_key.data != NULL &&
-            ctxt->sc->tickets == GNUTLS_ENABLED_TRUE)
-        {
-            err = gnutls_session_ticket_enable_server(ctxt->session, &session_ticket_key);
-            if (err != GNUTLS_E_SUCCESS)
-                ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
-                              "gnutls_session_ticket_enable_server failed: %s (%d)",
-                              gnutls_strerror(err), err);
-        }
     }
 
     /* Ensure TLS session resources are released when the connection
@@ -855,19 +1169,31 @@ static void create_gnutls_handle(conn_re
     apr_pool_pre_cleanup_register(c->pool, ctxt, cleanup_gnutls_session);
 
     /* Set Default Priority */
-	err = gnutls_priority_set_direct(ctxt->session, "NORMAL", NULL);
+	err = gnutls_priority_set(ctxt->session, mgs_get_default_prio());
     if (err != GNUTLS_E_SUCCESS)
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c, "gnutls_priority_set_direct failed!");
-    /* Set Handshake function */
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
+                      "gnutls_priority_set failed!");
+
+#ifdef ENABLE_EARLY_SNI
+    /* Pre-handshake hook, EXPERIMENTAL */
+    gnutls_handshake_set_hook_function(ctxt->session,
+                                       GNUTLS_HANDSHAKE_CLIENT_HELLO,
+                                       GNUTLS_HOOK_PRE, early_sni_hook);
+#else
+    prepare_alpn_proposals(ctxt);
+#endif
+
+    /* Post client hello hook (called after GnuTLS has parsed it) */
     gnutls_handshake_set_post_client_hello_function(ctxt->session,
-            mgs_select_virtual_server_cb);
+            post_client_hello_hook);
 
     /* Set GnuTLS user pointer, so we can access the module session
      * context in GnuTLS callbacks */
     gnutls_session_set_ptr(ctxt->session, ctxt);
 
-    /* If mod_gnutls is the TLS server, mgs_select_virtual_server_cb
-     * will load appropriate credentials during handshake. However,
+    /* If mod_gnutls is the TLS server, early_sni_hook (or
+     * post_client_hello_hook, if early SNI is not available) will
+     * load appropriate credentials during the handshake. However,
      * when handling a proxy backend connection, mod_gnutls acts as
      * TLS client and credentials must be loaded here. */
     if (ctxt->is_proxy == GNUTLS_ENABLED_TRUE)
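Review bot: The rewritten error path for `gnutls_priority_set` passes the GnuTLS return code as the APR status argument of ap_log_cerror and leaves out the GnuTLS error text, unlike the `gnutls_init` messages in the hunks above, which print `gnutls_strerror(err)`. An APR status lookup on a GnuTLS code gives a misleading description in the log. I would write `ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, c, "gnutls_priority_set failed: %s (%d)", gnutls_strerror(err), err);`. The function also continues after the failure, so the session presumably keeps whatever priority gnutls_init gave it; a comment saying that this is intended would help. create_gnutls_handle starts and ends outside this hunk.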
@@ -907,12 +1233,20 @@ int mgs_hook_pre_connection(conn_rec * c
 {
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
 
+    if (c->master)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c,
+                      "%s declined secondary connection", __func__);
+        return DECLINED;
+    }
+
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(c->base_server->module_config, &gnutls_module);
     mgs_handle_t *ctxt = (mgs_handle_t *)
         ap_get_module_config(c->conn_config, &gnutls_module);
 
-    if ((sc && (!sc->enabled)) || (ctxt && ctxt->enabled == GNUTLS_ENABLED_FALSE))
+    if ((sc && (!sc->enabled))
+        || (ctxt && ctxt->enabled == GNUTLS_ENABLED_FALSE))
     {
         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s declined connection",
                       __func__);
@@ -923,6 +1257,83 @@ int mgs_hook_pre_connection(conn_rec * c
     return OK;
 }
 
+
+
+/**
+ * process_connection hook: Do a zero byte read to trigger the
+ * handshake. Doesn't change anything for traditional protocols that
+ * just do reads, but HTTP/2 needs the TLS handshake and ALPN to
+ * happen before its process_connection hook runs.
+ */
+int mgs_hook_process_connection(conn_rec* c)
+{
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+
+    if ((ctxt != NULL) && (ctxt->enabled == GNUTLS_ENABLED_TRUE))
+    {
+        /* This connection is supposed to use TLS. Give the filters a
+         * kick with a zero byte read to trigger the handshake. */
+        apr_bucket_brigade* temp =
+            apr_brigade_create(c->pool, c->bucket_alloc);
+        ap_get_brigade(c->input_filters, temp,
+                       AP_MODE_INIT, APR_BLOCK_READ, 0);
+        apr_brigade_destroy(temp);
+    }
+    return DECLINED;
+}
+
+
+
+/* Post request hook, checks if TLS connection and vhost match */
+int mgs_req_vhost_check(request_rec *r)
+{
+    /* mod_gnutls server record for the request vhost */
+    mgs_srvconf_rec *r_sc = (mgs_srvconf_rec *)
+        ap_get_module_config(r->server->module_config, &gnutls_module);
+    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(r->connection);
+
+    /* Nothing to check for non-TLS and outgoing proxy connections */
+    if (ctxt == NULL || !ctxt->enabled || ctxt->is_proxy)
+        return DECLINED;
+
+    if (ctxt->sc != r_sc)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, ctxt->c,
+                      "%s: Mismatch between handshake and request servers!",
+                      __func__);
+        return HTTP_MISDIRECTED_REQUEST;
+    }
+
+    if (!ctxt->sni_name)
+        return DECLINED;
+
+    /* Got an SNI name, so verify it matches. */
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                  "%s: Checking request hostname against SNI name '%s'.",
+                  __func__, ctxt->sni_name);
+
+    if (!r->hostname)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, r->connection,
+                      "Client requested '%s' via SNI, but provided "
+                      "no hostname in HTTP request!", ctxt->sni_name);
+        return HTTP_MISDIRECTED_REQUEST;
+    }
+
+    if (strcasecmp(r->hostname, ctxt->sni_name) != 0)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, r->connection,
+                      "Client requested '%s' via SNI, but '%s' in "
+                      "the HTTP request!", ctxt->sni_name, r->hostname);
+        return HTTP_MISDIRECTED_REQUEST;
+    }
+
+    return DECLINED;
+}
+
+
+
 int mgs_hook_fixups(request_rec * r) {
     unsigned char sbuf[GNUTLS_MAX_SESSION_ID];
     const char *tmp;
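Review bot: mgs_hook_process_connection discards the result of `ap_get_brigade`, so a handshake that fails during the zero-byte read leaves no trace here and the connection is handed to later process_connection hooks regardless. Keeping the status and logging it would at least make the failure visible: `apr_status_t rv = ap_get_brigade(c->input_filters, temp, AP_MODE_INIT, APR_BLOCK_READ, 0);` followed by `if (rv != APR_SUCCESS) ap_log_cerror(APLOG_MARK, APLOG_DEBUG, rv, c, "%s: initial read failed", __func__);`. Separately, mgs_req_vhost_check tests `!ctxt->enabled || ctxt->is_proxy` by truthiness while mgs_hook_process_connection and mgs_hook_fixups compare against `GNUTLS_ENABLED_TRUE`. If the unset value of that enum is non-zero (its definition is not on this page) the two forms disagree, so the guard should use one form deliberately and say which in a comment.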
@@ -936,8 +1347,7 @@ int mgs_hook_fixups(request_rec * r) {
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     apr_table_t *env = r->subprocess_env;
 
-    ctxt = ap_get_module_config(r->connection->conn_config,
-                                &gnutls_module);
+    ctxt = get_effective_gnutls_ctxt(r->connection);
 
     if (!ctxt || ctxt->enabled != GNUTLS_ENABLED_TRUE || ctxt->session == NULL)
     {
@@ -961,8 +1371,13 @@ int mgs_hook_fixups(request_rec * r) {
                                          gnutls_cipher_get(ctxt->session),
                                          gnutls_mac_get(ctxt->session)));
 
+#if GNUTLS_VERSION_NUMBER >= 0x030600
+    /* Compression support has been removed since GnuTLS 3.6.0 */
+    apr_table_setn(env, "SSL_COMPRESS_METHOD", "NULL");
+#else
     apr_table_setn(env, "SSL_COMPRESS_METHOD",
             gnutls_compression_get_name(gnutls_compression_get(ctxt->session)));
+#endif
 
 #ifdef ENABLE_SRP
     if (ctxt->sc->srp_tpasswd_conf_file != NULL && ctxt->sc->srp_tpasswd_file != NULL) {
@@ -998,9 +1413,8 @@ int mgs_hook_fixups(request_rec * r) {
                    apr_pescape_hex(r->pool, sbuf, len, 0));
 
     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
-	mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_crt_chain[0], 0, ctxt->sc->export_certificates_size);
-    } else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) {
-        mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_crt_pgp[0], 0, ctxt->sc->export_certificates_size);
+        mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_crt_chain[0], 0,
+                                 ctxt->sc->export_certificates_size);
     }
 
     return rv;
@@ -1017,9 +1431,7 @@ int mgs_hook_authz(request_rec * r) {
     dc = ap_get_module_config(r->per_dir_config, &gnutls_module);
 
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-    ctxt =
-            ap_get_module_config(r->connection->conn_config,
-            &gnutls_module);
+    ctxt = get_effective_gnutls_ctxt(r->connection);
 
     if (!ctxt || ctxt->session == NULL) {
         return DECLINED;
@@ -1197,82 +1609,6 @@ static void mgs_add_common_cert_vars(req
 }
 
 
-/* @param side 0: server, 1: client
- *
- * @param export_cert_size (int) maximum size for environment variable
- * to use for the PEM-encoded certificate (0 means do not export)
- */
-static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, size_t export_cert_size) {
-
-	unsigned char sbuf[64]; /* buffer to hold serials */
-    char buf[AP_IOBUFSIZE];
-    const char *tmp;
-    size_t len;
-    int ret;
-
-    if (r == NULL)
-        return;
-
-    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-    apr_table_t *env = r->subprocess_env;
-
-    if (export_cert_size > 0) {
-        len = 0;
-        ret = gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, NULL, &len);
-        if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
-            if (len >= export_cert_size) {
-                apr_table_setn(env, MGS_SIDE("_CERT"),
-                               "GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED");
-                ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                              "GnuTLS: Failed to export too-large OpenPGP certificate to environment");
-            } else {
-                char* cert_buf = apr_palloc(r->pool, len + 1);
-                if (cert_buf != NULL && gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0) {
-                    cert_buf[len] = 0;
-                    apr_table_setn(env, MGS_SIDE("_CERT"), cert_buf);
-                } else {
-                    ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
-                                  "GnuTLS: failed to export OpenPGP certificate");
-                }
-            }
-        } else {
-            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
-                          "GnuTLS: dazed and confused about OpenPGP certificate size");
-        }
-    }
-
-    len = sizeof (buf);
-    gnutls_openpgp_crt_get_name(cert, 0, buf, &len);
-    apr_table_setn(env, MGS_SIDE("_NAME"), apr_pstrmemdup(r->pool, buf, len));
-
-    len = sizeof (sbuf);
-    gnutls_openpgp_crt_get_fingerprint(cert, sbuf, &len);
-    apr_table_setn(env, MGS_SIDE("_FINGERPRINT"),
-                   apr_pescape_hex(r->pool, sbuf, len, 0));
-
-    ret = gnutls_openpgp_crt_get_version(cert);
-    if (ret > 0)
-        apr_table_setn(env, MGS_SIDE("_M_VERSION"),
-                       apr_psprintf(r->pool, "%u", ret));
-
-    apr_table_setn(env, MGS_SIDE("_CERT_TYPE"), "OPENPGP");
-
-    tmp =
-            mgs_time2sz(gnutls_openpgp_crt_get_expiration_time
-            (cert), buf, sizeof (buf));
-    apr_table_setn(env, MGS_SIDE("_V_END"), apr_pstrdup(r->pool, tmp));
-
-    tmp =
-            mgs_time2sz(gnutls_openpgp_crt_get_creation_time
-            (cert), buf, sizeof (buf));
-    apr_table_setn(env, MGS_SIDE("_V_START"), apr_pstrdup(r->pool, tmp));
-
-    ret = gnutls_openpgp_crt_get_pk_algorithm(cert, NULL);
-    if (ret >= 0) {
-        apr_table_setn(env, MGS_SIDE("_A_KEY"), gnutls_pk_algorithm_get_name(ret));
-    }
-
-}
 
 /* TODO: Allow client sending a X.509 certificate chain */
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) {
@@ -1284,9 +1620,9 @@ static int mgs_cert_verify(request_rec *
     int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret;
     unsigned int ch_size = 0;
 
+    // TODO: union no longer needed here after removing its "pgp" component.
     union {
         gnutls_x509_crt_t x509[MAX_CHAIN_SIZE];
-        gnutls_openpgp_crt_t pgp;
     } cert;
     apr_time_t expiration_time, cur_time;
 
@@ -1337,18 +1673,6 @@ static int mgs_cert_verify(request_rec *
                 break;
             }
         }
-    } else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) {
-        if (cert_list_size > 1) {
-            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                    "GnuTLS: Failed to Verify Peer: "
-                    "Chained Client Certificates are not supported.");
-            return HTTP_FORBIDDEN;
-        }
-
-        gnutls_openpgp_crt_init(&cert.pgp);
-        rv = gnutls_openpgp_crt_import(cert.pgp, &cert_list[0],
-                GNUTLS_OPENPGP_FMT_RAW);
-
     } else
         return HTTP_FORBIDDEN;
 
@@ -1424,32 +1748,8 @@ static int mgs_cert_verify(request_rec *
         }
 
     } else {
-        apr_time_ansi_put(&expiration_time,
-                gnutls_openpgp_crt_get_expiration_time
-                (cert.pgp));
-
-        switch(ctxt->sc->client_verify_method) {
-        case mgs_cvm_cartel:
-            rv = gnutls_openpgp_crt_verify_ring(cert.pgp,
-                                                ctxt->sc->pgp_list, 0,
-                                                &status);
-            break;
-#ifdef ENABLE_MSVA
-        case mgs_cvm_msva:
-            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                          "GnuTLS:  OpenPGP verification via MSVA is not yet implemented");
-            rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
-            break;
-#endif
-        default:
-            /* If this block is reached, that indicates a
-             * configuration error or bug in mod_gnutls (invalid value
-             * of ctxt->sc->client_verify_method). */
-            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                          "GnuTLS: Failed to Verify OpenPGP Peer: method '%s' is not supported",
-                          mgs_readable_cvm(ctxt->sc->client_verify_method));
-            rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
-        }
+        /* Unknown certificate type */
+        rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
     }
 
     /* "goto exit" at the end of this block skips evaluation of the
@@ -1460,7 +1760,7 @@ static int mgs_cert_verify(request_rec *
                 rv, gnutls_strerror(rv));
         if (rv == GNUTLS_E_NO_CERTIFICATE_FOUND)
             ap_log_rerror(APLOG_MARK, APLOG_EMERG, 0, r,
-                "GnuTLS: No certificate was found for verification. Did you set the GnuTLSX509CAFile or GnuTLSPGPKeyringFile directives?");
+                "GnuTLS: No certificate was found for verification. Did you set the GnuTLSClientCAFile directive?");
         ret = HTTP_FORBIDDEN;
         goto exit;
     }
@@ -1501,10 +1801,7 @@ static int mgs_cert_verify(request_rec *
                 "GnuTLS: Peer Certificate is revoked.");
     }
 
-    if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
-        mgs_add_common_cert_vars(r, cert.x509[0], 1, ctxt->sc->export_certificates_size);
-    else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP)
-        mgs_add_common_pgpcert_vars(r, cert.pgp, 1, ctxt->sc->export_certificates_size);
+    mgs_add_common_cert_vars(r, cert.x509[0], 1, ctxt->sc->export_certificates_size);
 
     {
         /* days remaining */
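Review bot: The now-unconditional `mgs_add_common_cert_vars(r, cert.x509[0], 1, ...)` call relies on every non-X.509 session having left the function earlier, but nothing at the call site says so. The cleanup after `exit:` (the `@@ -1532,9 +1829,7 @@` hunk) still tests `gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509` before touching `cert.x509`, so the two sites disagree. The visible `else return HTTP_FORBIDDEN;` and the `rv = GNUTLS_E_UNIMPLEMENTED_FEATURE` fallback suggest the invariant holds, though the paths between the hunks are not shown. I would record it above the call, e.g. `/* Only X.509 reaches this point; other certificate types were rejected above. */`, and make the cleanup read the same way. The body of mgs_cert_verify starts and ends outside this hunk.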
@@ -1532,9 +1829,7 @@ exit:
     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
         for (unsigned int i = 0; i < ch_size; i++)
             gnutls_x509_crt_deinit(cert.x509[i]);
-    else if (gnutls_certificate_type_get(ctxt->session) ==
-             GNUTLS_CRT_OPENPGP)
-        gnutls_openpgp_crt_deinit(cert.pgp);
+
     return ret;
 }
 
@@ -1594,11 +1889,6 @@ static const char* mgs_x509_first_type_f
  * certificate, but doesn't tell us (in any other way) who they are
  * trying to authenticate as.
 
- * TODO: we might need another parallel for OpenPGP, but for that it's
- * much simpler: we can just assume that the first User ID marked as
- * "primary" (or the first User ID, period) is the identity the user
- * is trying to present as.
-
  * one complaint might be "but the user wanted to be another identity,
  * which is also in the certificate (e.g. in a SubjectAltName)"
  * However, given that any user can regenerate their own X.509
@@ -1749,8 +2039,7 @@ static int mgs_status_hook(request_rec *
 
     if (sc->enabled != GNUTLS_ENABLED_FALSE)
     {
-        mgs_handle_t* ctxt =
-            ap_get_module_config(r->connection->conn_config, &gnutls_module);
+        mgs_handle_t* ctxt = get_effective_gnutls_ctxt(r->connection);
         if (ctxt && ctxt->session != NULL)
         {
             char* s_info = gnutls_session_get_desc(ctxt->session);
@@ -1769,269 +2058,10 @@ static int mgs_status_hook(request_rec *
     if (!(flags & AP_STATUS_SHORT))
         ap_rputs("</dl>\n", r);
 
-    return OK;
-}
-
-
-
-/*
- * Callback to check the server certificate for proxy HTTPS
- * connections, to be used with
- * gnutls_certificate_set_verify_function.
-
- * Returns: 0 if certificate check was successful (certificate
- * trusted), non-zero otherwise (error during check or untrusted
- * certificate).
- */
-static int gtls_check_server_cert(gnutls_session_t session)
-{
-    mgs_handle_t *ctxt = (mgs_handle_t *) gnutls_session_get_ptr(session);
-    unsigned int status;
-
-    /* Get peer hostname from a note left by mod_proxy */
-    const char *peer_hostname =
-        apr_table_get(ctxt->c->notes, "proxy-request-hostname");
-    if (peer_hostname == NULL)
-        ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, ctxt->c,
-                      "%s: proxy-request-hostname is NULL, cannot check "
-                      "peer's hostname", __func__);
-
-    /* Verify certificate, including hostname match. Should
-     * peer_hostname be NULL for some reason, the name is not
-     * checked. */
-    int err = gnutls_certificate_verify_peers3(session, peer_hostname,
-                                               &status);
-    if (err != GNUTLS_E_SUCCESS)
-    {
-        ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, ctxt->c,
-                      "%s: server certificate check failed: %s (%d)",
-                      __func__, gnutls_strerror(err), err);
-        return err;
-    }
-
-    if (status == 0)
-        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,
-                      "%s: server certificate is trusted.",
-                      __func__);
-    else
-    {
-        gnutls_datum_t out;
-        /* GNUTLS_CRT_X509: ATM, only X509 is supported for proxy
-         * certs 0: according to function API, the last argument
-         * should be 0 */
-        err = gnutls_certificate_verification_status_print(status,
-                                                           GNUTLS_CRT_X509,
-                                                           &out, 0);
-        if (err != GNUTLS_E_SUCCESS)
-            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, ctxt->c,
-                          "%s: server verify print failed: %s (%d)",
-                          __func__, gnutls_strerror(err), err);
-        else
-            ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, ctxt->c,
-                          "%s: %s",
-                          __func__, out.data);
-        gnutls_free(out.data);
-    }
-
-    return status;
-}
-
+    if (sc->ocsp_cache)
+        mgs_cache_status(sc->ocsp_cache, "GnuTLS OCSP Cache", r, flags);
+    if (sc->cache_enable)
+        mgs_cache_status(sc->cache, "GnuTLS Session Cache", r, flags);
 
-
-static apr_status_t cleanup_proxy_x509_credentials(void *arg)
-{
-    mgs_srvconf_rec *sc = (mgs_srvconf_rec *) arg;
-
-    if (sc->proxy_x509_creds)
-    {
-        /* This implicitly releases the associated trust list
-         * sc->proxy_x509_tl, too. */
-        gnutls_certificate_free_credentials(sc->proxy_x509_creds);
-        sc->proxy_x509_creds = NULL;
-        sc->proxy_x509_tl = NULL;
-    }
-
-    if (sc->anon_client_creds)
-    {
-        gnutls_anon_free_client_credentials(sc->anon_client_creds);
-        sc->anon_client_creds = NULL;
-    }
-
-    if (sc->proxy_priorities)
-    {
-        gnutls_priority_deinit(sc->proxy_priorities);
-        sc->proxy_priorities = NULL;
-    }
-
-    return APR_SUCCESS;
-}
-
-
-
-static apr_status_t load_proxy_x509_credentials(apr_pool_t *pconf,
-                                                apr_pool_t *ptemp,
-                                                server_rec *s)
-{
-    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-        ap_get_module_config(s->module_config, &gnutls_module);
-
-    if (sc == NULL)
-        return APR_EGENERAL;
-
-    apr_status_t ret = APR_EINIT;
-    int err = GNUTLS_E_SUCCESS;
-
-    /* Cleanup function for the GnuTLS structures allocated below */
-    apr_pool_cleanup_register(pconf, sc, cleanup_proxy_x509_credentials,
-                              apr_pool_cleanup_null);
-
-    /* Function pool, gets destroyed before exit. */
-    apr_pool_t *pool;
-    ret = apr_pool_create(&pool, ptemp);
-    if (ret != APR_SUCCESS)
-    {
-        ap_log_error(APLOG_MARK, APLOG_ERR, ret, s,
-                     "%s: failed to allocate function memory pool.", __func__);
-        return ret;
-    }
-
-    /* allocate credentials structures */
-    err = gnutls_certificate_allocate_credentials(&sc->proxy_x509_creds);
-    if (err != GNUTLS_E_SUCCESS)
-    {
-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-                     "%s: Failed to initialize proxy credentials: (%d) %s",
-                     __func__, err, gnutls_strerror(err));
-        return APR_EGENERAL;
-    }
-    err = gnutls_anon_allocate_client_credentials(&sc->anon_client_creds);
-    if (err != GNUTLS_E_SUCCESS)
-    {
-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-                     "%s: Failed to initialize anon credentials for proxy: "
-                     "(%d) %s", __func__, err, gnutls_strerror(err));
-        return APR_EGENERAL;
-    }
-
-    /* Check if the proxy priorities have been set, fail immediately
-     * if not */
-    if (sc->proxy_priorities_str == NULL)
-    {
-        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                     "Host '%s:%d' is missing the GnuTLSProxyPriorities "
-                     "directive!",
-                     s->server_hostname, s->port);
-        return APR_EGENERAL;
-    }
-    /* parse proxy priorities */
-    const char *err_pos = NULL;
-    err = gnutls_priority_init(&sc->proxy_priorities,
-                               sc->proxy_priorities_str, &err_pos);
-    if (err != GNUTLS_E_SUCCESS)
-    {
-        if (ret == GNUTLS_E_INVALID_REQUEST)
-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-                         "%s: Syntax error parsing proxy priorities "
-                         "string at: %s",
-                         __func__, err_pos);
-        else
-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-                         "Error setting proxy priorities: %s (%d)",
-                         gnutls_strerror(err), err);
-        ret = APR_EGENERAL;
-    }
-
-    /* load certificate and key for client auth, if configured */
-    if (sc->proxy_x509_key_file && sc->proxy_x509_cert_file)
-    {
-        char* cert_file = ap_server_root_relative(pool,
-                                                  sc->proxy_x509_cert_file);
-        char* key_file = ap_server_root_relative(pool,
-                                                 sc->proxy_x509_key_file);
-        err = gnutls_certificate_set_x509_key_file(sc->proxy_x509_creds,
-                                                   cert_file,
-                                                   key_file,
-                                                   GNUTLS_X509_FMT_PEM);
-        if (err != GNUTLS_E_SUCCESS)
-        {
-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-                         "%s: loading proxy client credentials failed: %s (%d)",
-                         __func__, gnutls_strerror(err), err);
-            ret = APR_EGENERAL;
-        }
-    }
-    else if (!sc->proxy_x509_key_file && sc->proxy_x509_cert_file)
-    {
-        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-                     "%s: proxy key file not set!", __func__);
-        ret = APR_EGENERAL;
-    }
-    else if (!sc->proxy_x509_cert_file && sc->proxy_x509_key_file)
-    {
-        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-                     "%s: proxy certificate file not set!", __func__);
-        ret = APR_EGENERAL;
-    }
-    else
-        /* if both key and cert are NULL, client auth is not used */
-        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
-                     "%s: no client credentials for proxy", __func__);
-
-    /* must be set if the server certificate is to be checked */
-    if (sc->proxy_x509_ca_file)
-    {
-        /* initialize the trust list */
-        err = gnutls_x509_trust_list_init(&sc->proxy_x509_tl, 0);
-        if (err != GNUTLS_E_SUCCESS)
-        {
-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-                         "%s: gnutls_x509_trust_list_init failed: %s (%d)",
-                         __func__, gnutls_strerror(err), err);
-            ret = APR_EGENERAL;
-        }
-
-        char* ca_file = ap_server_root_relative(pool,
-                                                sc->proxy_x509_ca_file);
-        /* if no CRL is used, sc->proxy_x509_crl_file is NULL */
-        char* crl_file = NULL;
-        if (sc->proxy_x509_crl_file)
-            crl_file = ap_server_root_relative(pool,
-                                               sc->proxy_x509_crl_file);
-
-        /* returns number of loaded elements */
-        err = gnutls_x509_trust_list_add_trust_file(sc->proxy_x509_tl,
-                                                    ca_file,
-                                                    crl_file,
-                                                    GNUTLS_X509_FMT_PEM,
-                                                    0 /* tl_flags */,
-                                                    0 /* tl_vflags */);
-        if (err > 0)
-            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                         "%s: proxy CA trust list: %d structures loaded",
-                         __func__, err);
-        else if (err == 0)
-            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-                         "%s: proxy CA trust list is empty (%d)",
-                         __func__, err);
-        else /* err < 0 */
-        {
-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-                         "%s: error loading proxy CA trust list: %s (%d)",
-                         __func__, gnutls_strerror(err), err);
-            ret = APR_EGENERAL;
-        }
-
-        /* attach trust list to credentials */
-        gnutls_certificate_set_trust_list(sc->proxy_x509_creds,
-                                          sc->proxy_x509_tl, 0);
-    }
-    else
-        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-                     "%s: no CA trust list for proxy connections, "
-                     "TLS connections will fail!", __func__);
-
-    gnutls_certificate_set_verify_function(sc->proxy_x509_creds,
-                                           gtls_check_server_cert);
-    apr_pool_destroy(pool);
-    return ret;
+    return OK;
 }
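Review bot: The two added `mgs_cache_status()` calls are guarded differently: the OCSP one tests the pointer it passes (`sc->ocsp_cache`), while the session one tests the flag `sc->cache_enable` and then passes `sc->cache`. If the flag can be set while `sc->cache` is still NULL (not visible here), the status handler would hand a NULL cache to `mgs_cache_status()`. Guarding on the pointer as well, `if (sc->cache_enable && sc->cache)`, keeps the status page from depending on that. mgs_status_hook starts outside this hunk.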
diff -pruN 0.8.2-3/src/gnutls_io.c 0.9.0-1/src/gnutls_io.c
--- 0.8.2-3/src/gnutls_io.c	2016-12-25 18:36:37.000000000 +0000
+++ 0.9.0-1/src/gnutls_io.c	2019-01-05 17:28:56.000000000 +0000
@@ -2,7 +2,7 @@
  *  Copyright 2004-2005 Paul Querna
  *  Copyright 2008 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
- *  Copyright 2015-2016 Thomas Klute
+ *  Copyright 2015-2019 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@
  */
 
 #include "mod_gnutls.h"
+#include "gnutls_proxy.h"
 
 #ifdef APLOG_USE_MODULE
 APLOG_USE_MODULE(gnutls);
@@ -65,11 +66,7 @@ static apr_status_t gnutls_io_filter_err
         ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, f->c,
                       "GnuTLS handshake failed: HTTP spoken on HTTPS port; "
                       "trying to send HTML error page");
-        mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-            ap_get_module_config(f->c->base_server->module_config,
-                                 &gnutls_module);
         ctxt->status = -1;
-        sc->non_ssl_request = 1;
 
         /* fake the request line */
         bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
@@ -245,13 +242,9 @@ static apr_status_t gnutls_io_input_read
 
     while (1)
     {
+        /* Note: The pull function sets ctxt->input_rc */
         rc = gnutls_record_recv(ctxt->session, buf + bytes, wanted - bytes);
 
-        if (rc == GNUTLS_E_INTERRUPTED)
-            ctxt->input_rc = APR_EINTR;
-        else if (rc == GNUTLS_E_AGAIN)
-            ctxt->input_rc = APR_EAGAIN;
-
         if (rc > 0) {
             *len += rc;
             if (ctxt->input_mode == AP_MODE_SPECULATIVE) {
@@ -261,33 +254,29 @@ static apr_status_t gnutls_io_input_read
             }
             return ctxt->input_rc;
         } else if (rc == 0) {
-            /* If EAGAIN, we will loop given a blocking read,
-             * otherwise consider ourselves at EOF.
-             */
-            if (APR_STATUS_IS_EAGAIN(ctxt->input_rc)
-                    || APR_STATUS_IS_EINTR(ctxt->input_rc)) {
-                /* Already read something, return APR_SUCCESS instead.
-                 * On win32 in particular, but perhaps on other kernels,
-                 * a blocking call isn't 'always' blocking.
-                 */
-                if (*len > 0) {
-                    ctxt->input_rc = APR_SUCCESS;
-                    break;
-                }
-                if (ctxt->input_block == APR_NONBLOCK_READ) {
-                    break;
-                }
+            /* EOF, return code depends on whether we still have data
+             * to return. */
+            if (*len > 0) {
+                ctxt->input_rc = APR_SUCCESS;
             } else {
-                if (*len > 0) {
-                    ctxt->input_rc = APR_SUCCESS;
-                } else {
-                    ctxt->input_rc = APR_EOF;
-                }
-                break;
+                ctxt->input_rc = APR_EOF;
             }
+            break;
         } else { /* (rc < 0) */
 
-            if (rc == GNUTLS_E_REHANDSHAKE) {
+            if (rc == GNUTLS_E_INTERRUPTED || rc == GNUTLS_E_AGAIN)
+            {
+                ap_log_cerror(APLOG_MARK, APLOG_TRACE2, ctxt->input_rc, ctxt->c,
+                              "%s: looping recv after '%s' (%d)",
+                              __func__, gnutls_strerror(rc), rc);
+                /* For a blocking read, loop and try again
+                 * immediately. Otherwise just notify the caller. */
+                if (ctxt->input_block != APR_NONBLOCK_READ)
+                    continue;
+                else
+                    ctxt->input_rc =
+                        (rc == GNUTLS_E_AGAIN ? APR_EAGAIN : APR_EINTR);
+            } else if (rc == GNUTLS_E_REHANDSHAKE) {
                 /* A client has asked for a new Hankshake. Currently, we don't do it */
                 ap_log_cerror(APLOG_MARK, APLOG_INFO,
                         ctxt->input_rc,
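Review bot: The new `continue` for `GNUTLS_E_INTERRUPTED`/`GNUTLS_E_AGAIN` retries a blocking read immediately and without any bound, and the `mgs_transport_read` hunk further down (`@@ -844,21 +854,32 @@`) reports a blocking `ap_get_brigade()` timeout to GnuTLS as `EAGAIN`. Taken together, a peer that stops sending during a blocking read appears to keep this loop retrying after every transport timeout instead of returning the timeout to the caller, which ties up the worker for as long as the connection stays open. The timeout that the pull function stored in `ctxt->input_rc` should end the loop: `if (ctxt->input_block != APR_NONBLOCK_READ && !APR_STATUS_IS_TIMEUP(ctxt->input_rc)) continue;`, with the `APR_EAGAIN`/`APR_EINTR` assignment kept for non-blocking reads only so the timeout status is not overwritten. The function continues past the end of this hunk, so the code after the if/else chain should be checked against the full file.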
@@ -394,6 +383,10 @@ static int gnutls_do_handshake(mgs_handl
         return -1;
     }
 
+    /* Enable SNI and ALPN for proxy connections */
+    if (ctxt->is_proxy == GNUTLS_ENABLED_TRUE)
+        mgs_set_proxy_handshake_ext(ctxt);
+
 tryagain:
     do {
         ret = gnutls_handshake(ctxt->session);
@@ -445,15 +438,10 @@ tryagain:
     } else {
         /* all done with the handshake */
         ctxt->status = 1;
-        /* If the session was resumed, we did not set the correct
-         * server_rec in ctxt->sc.  Go Find it. (ick!)
-         */
-        if (gnutls_session_is_resumed(ctxt->session)) {
-            mgs_srvconf_rec *sc;
-            sc = mgs_find_sni_server(ctxt->session);
-            if (sc) {
-                ctxt->sc = sc;
-            }
+        if (gnutls_session_is_resumed(ctxt->session))
+        {
+            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                          "%s: TLS session resumed.", __func__);
         }
         return GNUTLS_E_SUCCESS;
     }
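Review bot: The resumed-session branch now only logs, so `ctxt->sc` is no longer re-selected through `mgs_find_sni_server()` after a resumed handshake. If virtual host selection for resumed sessions does not happen elsewhere before this point (not visible in this hunk), the connection would keep the configuration it started with, including that host's client verification settings. A comment naming where the selection now happens would make the removal reviewable, e.g. `/* ctxt->sc for resumed sessions is selected in <function>; nothing to fix up here. */`. gnutls_do_handshake starts before this hunk.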
@@ -547,10 +535,15 @@ apr_status_t mgs_filter_input(ap_filter_
                           __func__, IS_PROXY_STR(ctxt));
     }
 
-    if (ctxt->status < 0) {
-        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,
-                      "%s %s: ap_get_brigade", __func__, IS_PROXY_STR(ctxt));
-        return ap_get_brigade(f->next, bb, mode, block, readbytes);
+    if (ctxt->status < 0)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, ctxt->c,
+                      "%s: %sconnection failed, cannot provide data!",
+                      __func__, IS_PROXY_STR(ctxt));
+        apr_bucket *bucket =
+                apr_bucket_eos_create(f->c->bucket_alloc);
+        APR_BRIGADE_INSERT_TAIL(bb, bucket);
+        return APR_ECONNABORTED;
     }
 
     /* XXX: we don't currently support anything other than these modes. */
@@ -688,10 +681,27 @@ apr_status_t mgs_filter_output(ap_filter
             ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,
                           "%s: TLS %sconnection opened.",
                           __func__, IS_PROXY_STR(ctxt));
+        else if (ctxt->is_proxy)
+        {
+            /* If mod_proxy receives an error while trying to send its
+             * request it sends an "invalid request" error to the
+             * client. By pretending we could send the request
+             * mod_proxy continues its processing and sends a proper
+             * "proxy error" message when there's no response to read. */
+            apr_bucket *bucket = apr_bucket_eos_create(f->c->bucket_alloc);
+            APR_BRIGADE_INSERT_TAIL(bb, bucket);
+            return APR_SUCCESS;
+        }
+        /* No final else here, the "ctxt->status < 0" check below will
+         * catch that. */
     }
 
-    if (ctxt->status < 0) {
-        return ap_pass_brigade(f->next, bb);
+    if (ctxt->status < 0)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, ctxt->c,
+                      "%s: %sconnection failed, refusing to send.",
+                      __func__, IS_PROXY_STR(ctxt));
+        return APR_ECONNABORTED;
     }
 
     while (!APR_BRIGADE_EMPTY(bb)) {
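Review bot: `else if (ctxt->is_proxy)` tests truthiness, while the check added in `gnutls_do_handshake` (`@@ -394,6 +383,10 @@`) compares `ctxt->is_proxy == GNUTLS_ENABLED_TRUE`. If the field can hold a non-zero value other than `GNUTLS_ENABLED_TRUE` (an "unset" state, for instance), this branch would return `APR_SUCCESS` after a failed handshake on a connection that is not a proxy connection. Use the same explicit comparison here, `else if (ctxt->is_proxy == GNUTLS_ENABLED_TRUE)`. The branch also returns without a log line of its own; a `TRACE1` message like the one in the `ctxt->status < 0` block below would help when tracing failed back-end handshakes. The enclosing `if` starts outside the hunk.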
@@ -844,21 +854,32 @@ ssize_t mgs_transport_read(gnutls_transp
             || (rc == APR_SUCCESS
                 && APR_BRIGADE_EMPTY(ctxt->input_bb)))
         {
-            if (APR_STATUS_IS_EOF(ctxt->input_rc))
-            {
-                return 0;
-            }
-            else
-            {
-                gnutls_transport_set_errno(ctxt->session,
-                                           EAI_APR_TO_RAW(ctxt->input_rc));
-                return -1;
-            }
+            /* Turning APR_SUCCESS into APR_EINTR isn't ideal, but
+             * it's the best matching error code for "didn't get data,
+             * but read didn't permanently fail either." */
+            ctxt->input_rc = (rc != APR_SUCCESS ? rc : APR_EINTR);
+            gnutls_transport_set_errno(ctxt->session,
+                                       EAI_APR_TO_RAW(ctxt->input_rc));
+            return -1;
+        }
+
+        /* Blocking ap_get_brigade() can return a timeout status,
+         * sometimes after a very short time. "Don't give up, just
+         * return the timeout" is what mod_ssl does. */
+        if (ctxt->input_block == APR_BLOCK_READ
+            && APR_STATUS_IS_TIMEUP(rc)
+            && APR_BRIGADE_EMPTY(ctxt->input_bb))
+        {
+            ctxt->input_rc = rc;
+            gnutls_transport_set_errno(ctxt->session, EAGAIN);
+            return -1;
         }
 
         if (rc != APR_SUCCESS)
         {
             /* Unexpected errors discard the brigade */
+            ap_log_cerror(APLOG_MARK, APLOG_INFO, rc, ctxt->c,
+                          "%s: Unexpected error!", __func__);
             apr_brigade_cleanup(ctxt->input_bb);
             ctxt->input_bb = NULL;
             gnutls_transport_set_errno(ctxt->session, EIO);
diff -pruN 0.8.2-3/src/gnutls_ocsp.c 0.9.0-1/src/gnutls_ocsp.c
--- 0.8.2-3/src/gnutls_ocsp.c	2017-01-08 14:16:07.000000000 +0000
+++ 0.9.0-1/src/gnutls_ocsp.c	2018-09-30 20:59:29.000000000 +0000
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2016 Thomas Klute
+ *  Copyright 2016-2018 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -19,11 +19,14 @@
 #include "gnutls_cache.h"
 #include "gnutls_config.h"
 #include "gnutls_util.h"
+#include "gnutls_watchdog.h"
 
 #include <apr_escape.h>
 #include <apr_lib.h>
 #include <apr_time.h>
+#include <gnutls/crypto.h>
 #include <gnutls/ocsp.h>
+#include <mod_watchdog.h>
 #include <time.h>
 
 #ifdef APLOG_USE_MODULE
@@ -88,6 +91,23 @@ const char *mgs_ocsp_stapling_enable(cmd
 
 
 
+const char *mgs_set_ocsp_auto_refresh(cmd_parms *parms,
+                                      void *dummy __attribute__((unused)),
+                                      const int arg)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(parms->server->module_config, &gnutls_module);
+
+    if (arg)
+        sc->ocsp_auto_refresh = GNUTLS_ENABLED_TRUE;
+    else
+        sc->ocsp_auto_refresh = GNUTLS_ENABLED_FALSE;
+
+    return NULL;
+}
+
+
+
 const char *mgs_set_ocsp_check_nonce(cmd_parms *parms,
                                      void *dummy __attribute__((unused)),
                                      const int arg)
@@ -593,12 +613,24 @@ static apr_status_t do_ocsp_request(apr_
 
 
 
-apr_status_t mgs_cache_ocsp_response(server_rec *s)
+/**
+ * Get a fresh OCSP response and put it into the cache.
+ *
+ * @param s server that needs a new response
+ *
+ * @param cache_expiry If not `NULL`, this `apr_time_t` will be set to
+ * the expiration time of the cache entry. Remains unchanged on
+ * failure.
+ *
+ * @return APR_SUCCESS or an APR error code
+ */
+static apr_status_t mgs_cache_ocsp_response(server_rec *s,
+                                            apr_time_t *cache_expiry)
 {
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(s->module_config, &gnutls_module);
 
-    if (sc->cache == NULL)
+    if (sc->ocsp_cache == NULL)
     {
         /* OCSP caching requires a cache. */
         return APR_ENOTIMPL;
@@ -690,7 +722,8 @@ apr_status_t mgs_cache_ocsp_response(ser
         expiry = next_update;
     }
 
-    int r = sc->cache->store(s, sc->ocsp->fingerprint, resp, expiry);
+    int r = mgs_cache_store(sc->ocsp_cache, s,
+                            sc->ocsp->fingerprint, resp, expiry);
     /* destroy pool, and original copy of the OCSP response with it */
     apr_pool_destroy(tmp);
     if (r != 0)
@@ -699,18 +732,26 @@ apr_status_t mgs_cache_ocsp_response(ser
                       "Storing OCSP response in cache failed.");
         return APR_EGENERAL;
     }
+
+    if (cache_expiry != NULL)
+        *cache_expiry = expiry;
     return APR_SUCCESS;
 }
 
 
 
-/*
+/**
  * Retries after failed OCSP requests must be rate limited. If the
  * responder is overloaded or buggy we don't want to add too much more
  * load, and if a MITM is messing with requests a repetition loop
- * might end up being a self-inflicted denial of service.
+ * might end up being a self-inflicted denial of service. This
+ * function writes a specially formed entry to the cache to indicate a
+ * recent failure.
+ *
+ * @param s the server for which an OCSP request failed
+ * @param timeout lifetime of the cache entry
  */
-void mgs_cache_ocsp_failure(server_rec *s)
+static void mgs_cache_ocsp_failure(server_rec *s, apr_interval_time_t timeout)
 {
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(s->module_config, &gnutls_module);
@@ -720,15 +761,10 @@ void mgs_cache_ocsp_failure(server_rec *
         .data = &c,
         .size = sizeof(c)
     };
-    apr_time_t expiry = apr_time_now() + sc->ocsp_failure_timeout;
+    apr_time_t expiry = apr_time_now() + timeout;
 
-    char date_str[APR_RFC822_DATE_LEN];
-    apr_rfc822_date(date_str, expiry);
-    ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-                 "OCSP request for %s failed, next try after %s.",
-                 s->server_hostname, date_str);
-
-    int r = sc->cache->store(s, sc->ocsp->fingerprint, dummy, expiry);
+    int r = mgs_cache_store(sc->ocsp_cache, s,
+                            sc->ocsp->fingerprint, dummy, expiry);
     if (r != 0)
         ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
                      "Caching OCSP failure failed.");
@@ -736,19 +772,23 @@ void mgs_cache_ocsp_failure(server_rec *
 
 
 
-int mgs_get_ocsp_response(gnutls_session_t session __attribute__((unused)),
-                          void *ptr,
+int mgs_get_ocsp_response(gnutls_session_t session,
+                          void *ptr __attribute__((unused)),
                           gnutls_datum_t *ocsp_response)
 {
-    mgs_handle_t *ctxt = (mgs_handle_t *) ptr;
-    if (!ctxt->sc->ocsp_staple || ctxt->sc->cache == NULL)
+    mgs_handle_t *ctxt = gnutls_session_get_ptr(session);
+    mgs_srvconf_rec *sc = ctxt->sc;
+
+    if (!sc->ocsp_staple || sc->ocsp_cache == NULL)
     {
         /* OCSP must be enabled and caching requires a cache. */
         return GNUTLS_E_NO_CERTIFICATE_STATUS;
     }
 
-    *ocsp_response = ctxt->sc->cache->fetch(ctxt,
-                                            ctxt->sc->ocsp->fingerprint);
+    *ocsp_response = mgs_cache_fetch(ctxt->sc->ocsp_cache,
+                                     ctxt->c->base_server,
+                                     ctxt->sc->ocsp->fingerprint,
+                                     ctxt->c->pool);
     if (ocsp_response->size == 0)
     {
         ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_EGENERAL, ctxt->c,
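Review bot: `ctxt` now comes from `gnutls_session_get_ptr(session)` and is dereferenced on the next line (`ctxt->sc`) without a NULL check; if this callback can run on a session whose pointer was never set, that is a NULL dereference in the handshake path. A guard such as `if (ctxt == NULL) return GNUTLS_E_NO_CERTIFICATE_STATUS;` before reading `ctxt->sc` would skip stapling instead of crashing. Separately, the hunk introduces the local `sc`, but the `mgs_cache_fetch()` calls here and in the two following hunks, and the `mgs_cache_ocsp_failure()` call, still spell out `ctxt->sc->...`. Using `sc->ocsp_cache`, `sc->ocsp->fingerprint` and `sc->ocsp_failure_timeout` throughout would match the mutex calls that were converted. The function body continues outside this hunk.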
@@ -774,21 +814,23 @@ int mgs_get_ocsp_response(gnutls_session
     ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
                   "No valid OCSP response in cache, trying to update.");
 
-    apr_status_t rv = apr_global_mutex_trylock(ctxt->sc->ocsp_mutex);
+    apr_status_t rv = apr_global_mutex_trylock(sc->ocsp_mutex);
     if (APR_STATUS_IS_EBUSY(rv))
     {
         /* Another thread is currently holding the mutex, wait. */
-        apr_global_mutex_lock(ctxt->sc->ocsp_mutex);
+        apr_global_mutex_lock(sc->ocsp_mutex);
         /* Check if this other thread updated the response we need. It
          * would be better to have a vhost specific mutex, but at the
          * moment there's no good way to integrate that with the
          * Apache Mutex directive. */
-        *ocsp_response = ctxt->sc->cache->fetch(ctxt,
-                                                ctxt->sc->ocsp->fingerprint);
+        *ocsp_response = mgs_cache_fetch(ctxt->sc->ocsp_cache,
+                                         ctxt->c->base_server,
+                                         ctxt->sc->ocsp->fingerprint,
+                                         ctxt->c->pool);
         if (ocsp_response->size > 0)
         {
             /* Got a valid response now, unlock mutex and return. */
-            apr_global_mutex_unlock(ctxt->sc->ocsp_mutex);
+            apr_global_mutex_unlock(sc->ocsp_mutex);
             return GNUTLS_E_SUCCESS;
         }
         else
@@ -798,21 +840,24 @@ int mgs_get_ocsp_response(gnutls_session
         }
     }
 
-    rv = mgs_cache_ocsp_response(ctxt->c->base_server);
+    rv = mgs_cache_ocsp_response(ctxt->c->base_server, NULL);
     if (rv != APR_SUCCESS)
     {
         ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, ctxt->c,
                       "Caching a fresh OCSP response failed");
         /* cache failure to rate limit retries */
-        mgs_cache_ocsp_failure(ctxt->c->base_server);
-        apr_global_mutex_unlock(ctxt->sc->ocsp_mutex);
+        mgs_cache_ocsp_failure(ctxt->c->base_server,
+                               ctxt->sc->ocsp_failure_timeout);
+        apr_global_mutex_unlock(sc->ocsp_mutex);
         goto fail_cleanup;
     }
-    apr_global_mutex_unlock(ctxt->sc->ocsp_mutex);
+    apr_global_mutex_unlock(sc->ocsp_mutex);
 
     /* retry reading from cache */
-    *ocsp_response = ctxt->sc->cache->fetch(ctxt,
-                                            ctxt->sc->ocsp->fingerprint);
+    *ocsp_response = mgs_cache_fetch(ctxt->sc->ocsp_cache,
+                                     ctxt->c->base_server,
+                                     ctxt->sc->ocsp->fingerprint,
+                                     ctxt->c->pool);
     if (ocsp_response->size == 0)
     {
         ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
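Review bot: The lock is now taken through `sc->ocsp_mutex`, but the cache, fingerprint and failure timeout are still read through `ctxt->sc`, and the refresh goes through `ctxt->c->base_server`; the fetch call in the preceding hunk has the same mix. `sc` is declared outside the hunk and is presumably the pointer registered with the status request callback. If it can ever differ from `ctxt->sc`, the lock, the refreshed entry and the fetched entry would belong to different server configurations. Using one source throughout, e.g. `sc->ocsp_cache`, `sc->ocsp->fingerprint` and `sc->ocsp_failure_timeout`, makes the relationship explicit and easier to audit.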
@@ -905,29 +950,194 @@ apr_uri_t * mgs_cert_get_ocsp_uri(apr_po
 
 
 
+/** The maximum random fuzz base (half the maximum fuzz) that will not
+ * overflow. The permitted values are limited to whatever will not
+ * make an `apr_interval_time_t` variable overflow when multiplied
+ * with `APR_UINT16_MAX`. With apr_interval_time_t being a 64 bit
+ * signed integer the maximum fuzz interval is about 4.5 years, which
+ * should be more than plenty. */
+#define MAX_FUZZ_BASE (APR_INT64_MAX / APR_UINT16_MAX)
+
+/**
+ * Perform an asynchronous OCSP cache update. This is a callback for
+ * mod_watchdog, so the API is fixed.
+ *
+ * @param state watchdog state (starting/running/stopping)
+ * @param data callback data, contains the server_rec
+ * @param pool temporary callback pool destroyed after the call
+ * @return always `APR_SUCCESS` as required by the mod_watchdog API to
+ * indicate that the callback should be called again
+ */
+static apr_status_t mgs_async_ocsp_update(int state,
+                                          void *data,
+                                          apr_pool_t *pool)
+{
+    /* If the server is stopping there's no need to do an OCSP
+     * update. */
+    if (state == AP_WATCHDOG_STATE_STOPPING)
+        return APR_SUCCESS;
+
+    server_rec *server = (server_rec *) data;
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(server->module_config, &gnutls_module);
+    apr_time_t expiry = 0;
+
+    /* Holding the mutex should help avoiding simultaneous synchronous
+     * and asynchronous OCSP requests in some edge cases: during
+     * startup if there's an early request, and if OCSP requests fail
+     * repeatedly until the cached response expires and a synchronous
+     * update is triggered before a failure cache entry is
+     * created. Usually there should be a good OCSP response in the
+     * cache and the mutex is never touched in
+     * mgs_get_ocsp_response. */
+    apr_global_mutex_lock(sc->ocsp_mutex);
+    apr_status_t rv = mgs_cache_ocsp_response(server, &expiry);
+
+    apr_interval_time_t next_interval;
+    if (rv != APR_SUCCESS)
+        next_interval = sc->ocsp_failure_timeout;
+    else
+    {
+        apr_uint16_t random_bytes;
+        int res = gnutls_rnd(GNUTLS_RND_NONCE, &random_bytes,
+                             sizeof(random_bytes));
+        if (__builtin_expect(res < 0, 0))
+        {
+            /* Shouldn't ever happen, because a working random number
+             * generator is required for establishing TLS sessions. */
+            random_bytes = (apr_uint16_t) apr_time_now();
+            ap_log_error(APLOG_MARK, APLOG_WARNING, APR_EGENERAL, server,
+                         "Error getting random number for fuzzy update "
+                         "interval: %s Falling back on truncated time.",
+                         gnutls_strerror(res));
+        }
+
+        /* Choose the fuzz interval for the next update between
+         * `sc->ocsp_fuzz_time` and twice that. */
+        apr_interval_time_t fuzz = sc->ocsp_fuzz_time
+            + (sc->ocsp_fuzz_time * random_bytes / APR_UINT16_MAX);
+
+        /* With an extremly short timeout or weird nextUpdate value
+         * next_interval <= 0 might happen. Use the failure timeout to
+         * avoid endlessly repeating updates. */
+        next_interval = expiry - apr_time_now();
+        if (next_interval <= 0)
+        {
+            next_interval = sc->ocsp_failure_timeout;
+            ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, server,
+                         "OCSP cache expiration time of the response for "
+                         "%s:%d is in the past, repeating after failure "
+                         "timeout (GnuTLSOCSPFailureTimeout).",
+                         server->server_hostname, server->addrs->host_port);
+        }
+
+        /* It's possible to compare maximum fuzz and configured OCSP
+         * cache timeout at configuration time, but the interval until
+         * the nextUpdate value expires (or the failure timeout
+         * fallback above) might be shorter. Make sure that we don't
+         * end up with a negative interval. */
+        while (fuzz > next_interval)
+            fuzz /= 2;
+        next_interval -= fuzz;
+    }
+
+    sc->singleton_wd->set_callback_interval(sc->singleton_wd->wd,
+                                            next_interval,
+                                            server, mgs_async_ocsp_update);
+
+    ap_log_error(APLOG_MARK, rv == APR_SUCCESS ? APLOG_DEBUG : APLOG_WARNING,
+                 rv, server,
+                 "Async OCSP update %s for %s:%d, next update in "
+                 "%" APR_TIME_T_FMT " seconds.",
+                 rv == APR_SUCCESS ? "done" : "failed",
+                 server->server_hostname, server->addrs->host_port,
+                 apr_time_sec(next_interval));
+
+    /* Check if there's still a response in the cache. If not, add a
+     * failure entry. If there already is a failure entry, refresh
+     * it. The lifetime of such entries is twice the error timeout to
+     * make sure they do not expire before the next scheduled
+     * update. */
+    if (rv != APR_SUCCESS)
+    {
+        const gnutls_datum_t ocsp_response =
+            mgs_cache_fetch(sc->ocsp_cache, server,
+                            sc->ocsp->fingerprint, pool);
+
+        if (ocsp_response.size == 0 ||
+            ((ocsp_response.size == sizeof(unsigned char)) &&
+             (*((unsigned char *) ocsp_response.data) ==
+              OCSP_FAILURE_CACHE_DATA)))
+        {
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, server,
+                         "Caching OCSP request failure for %s:%d.",
+                         server->server_hostname, server->addrs->host_port);
+            mgs_cache_ocsp_failure(server, sc->ocsp_failure_timeout * 2);
+        }
+
+        /* Get rid of the response, if any */
+        if (ocsp_response.size != 0)
+            gnutls_free(ocsp_response.data);
+    }
+    apr_global_mutex_unlock(sc->ocsp_mutex);
+
+    return APR_SUCCESS;
+}
+
+
+
+const char* mgs_ocsp_configure_stapling(apr_pool_t *pconf,
+                                        apr_pool_t *ptemp __attribute__((unused)),
+                                        server_rec *server)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(server->module_config, &gnutls_module);
+
+    if (sc->certs_x509_chain_num < 2)
+        return "No issuer (CA) certificate available, cannot enable "
+            "stapling. Please add it to the GnuTLSCertificateFile.";
+
+    mgs_ocsp_data_t ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data));
+
+    ocsp->uri = mgs_cert_get_ocsp_uri(pconf,
+                                      sc->certs_x509_crt_chain[0]);
+    if (ocsp->uri == NULL && sc->ocsp_response_file == NULL)
+        return "No OCSP URI in the certificate nor a GnuTLSOCSPResponseFile "
+            "setting, cannot configure OCSP stapling.";
+
+    if (sc->ocsp_cache == NULL)
+        return "No OCSP response cache available, please check "
+            "the GnuTLSOCSPCache setting.";
+
+    sc->ocsp = ocsp;
+    return NULL;
+}
+
+
+
 /*
  * Like in the general post_config hook the HTTP status codes for
  * errors are just for fun. What matters is "neither OK nor DECLINED"
  * to denote an error.
  */
-int mgs_ocsp_post_config_server(apr_pool_t *pconf,
-                                apr_pool_t *ptemp __attribute__((unused)),
-                                server_rec *server)
+int mgs_ocsp_enable_stapling(apr_pool_t *pconf,
+                             apr_pool_t *ptemp __attribute__((unused)),
+                             server_rec *server)
 {
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(server->module_config, &gnutls_module);
-
-    if (sc->certs_x509_chain_num < 2)
+    if (sc->ocsp == NULL)
     {
-        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
-                     "OCSP stapling is enabled but no CA certificate "
-                     "available for %s:%d, make sure it is included in "
-                     "GnuTLSCertificateFile!",
-                     server->server_hostname, server->addrs->host_port);
-        return HTTP_NOT_FOUND;
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EGENERAL, server,
+                     "CRITICAL ERROR: %s called with uninitialized OCSP "
+                     "data structure. This indicates a bug in mod_gnutls.",
+                     __func__);
+        return HTTP_INTERNAL_SERVER_ERROR;
     }
 
     /* set default values for unset parameters */
+    if (sc->ocsp_auto_refresh == GNUTLS_ENABLED_UNSET)
+        sc->ocsp_auto_refresh = GNUTLS_ENABLED_TRUE;
     if (sc->ocsp_check_nonce == GNUTLS_ENABLED_UNSET)
         sc->ocsp_check_nonce = GNUTLS_ENABLED_TRUE;
     if (sc->ocsp_cache_time == MGS_TIMEOUT_UNSET)
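Review bot: `mgs_ocsp_configure_stapling` allocates the OCSP data with `apr_palloc`, sets only `uri`, and publishes it as `sc->ocsp`, so `fingerprint` and `trust` hold indeterminate values until `mgs_ocsp_enable_stapling` fills them in. That function can return before doing so (the fuzz time check in a later hunk returns early), and its only guard is `sc->ocsp == NULL`. Any later reader that tests the pointer therefore sees a structure that looks initialised. Zeroing the allocation closes that gap: `mgs_ocsp_data_t ocsp = apr_pcalloc(pconf, sizeof(struct mgs_ocsp_data));`. `mgs_ocsp_enable_stapling` continues past the end of this hunk.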
@@ -936,30 +1146,40 @@ int mgs_ocsp_post_config_server(apr_pool
         sc->ocsp_failure_timeout = apr_time_from_sec(MGS_OCSP_FAILURE_TIMEOUT);
     if (sc->ocsp_socket_timeout == MGS_TIMEOUT_UNSET)
         sc->ocsp_socket_timeout = apr_time_from_sec(MGS_OCSP_SOCKET_TIMEOUT);
+    /* Base fuzz is half the configured maximum, the actual fuzz is
+     * between the maximum and half that. The default maximum is
+     * sc->ocsp_cache_time / 8, or twice the failure timeout,
+     * whichever is larger (so the default guarantees at least one
+     * retry before the cache entry expires).*/
+    if (sc->ocsp_fuzz_time == MGS_TIMEOUT_UNSET)
+    {
+        sc->ocsp_fuzz_time = sc->ocsp_cache_time / 16;
+        if (sc->ocsp_fuzz_time < sc->ocsp_failure_timeout)
+            sc->ocsp_fuzz_time = sc->ocsp_failure_timeout;
+    }
+    else
+        sc->ocsp_fuzz_time = sc->ocsp_fuzz_time / 2;
 
-    sc->ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data));
+    /* This really shouldn't happen considering MAX_FUZZ_BASE is about
+     * 4.5 years, but better safe than sorry. */
+    if (sc->ocsp_fuzz_time > MAX_FUZZ_BASE)
+    {
+        ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EINVAL, server,
+                     "%s: Maximum fuzz time is too large, maximum "
+                     "supported value is %" APR_INT64_T_FMT " seconds",
+                     __func__, apr_time_sec(MAX_FUZZ_BASE) * 2);
+        return HTTP_INTERNAL_SERVER_ERROR;
+    }
 
     sc->ocsp->fingerprint =
         mgs_get_cert_fingerprint(pconf, sc->certs_x509_crt_chain[0]);
     if (sc->ocsp->fingerprint.data == NULL)
         return HTTP_INTERNAL_SERVER_ERROR;
 
-    sc->ocsp->uri = mgs_cert_get_ocsp_uri(pconf,
-                                          sc->certs_x509_crt_chain[0]);
-    if (sc->ocsp->uri == NULL && sc->ocsp_response_file == NULL)
-    {
-        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
-                     "OCSP stapling is enabled for for %s:%d, but there is "
-                     "neither an OCSP URI in the certificate nor a "
-                     "GnuTLSOCSPResponseFile setting for this host!",
-                     server->server_hostname, server->addrs->host_port);
-        return HTTP_NOT_FOUND;
-    }
-
     sc->ocsp->trust = apr_palloc(pconf,
                                  sizeof(gnutls_x509_trust_list_t));
-     /* Only the direct issuer may sign the OCSP response or an OCSP
-      * signer. */
+    /* Only the direct issuer may sign the OCSP response or an OCSP
+     * signer. */
     int ret = mgs_create_ocsp_trust_list(sc->ocsp->trust,
                                          &(sc->certs_x509_crt_chain[1]),
                                          1);
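Review bot: `sc->ocsp_fuzz_time` is overwritten in place with half its configured value (`sc->ocsp_fuzz_time = sc->ocsp_fuzz_time / 2;`), so the field means "configured maximum" before this function and "fuzz base" afterwards. Running the function a second time on the same `sc` would halve it again. The range check that follows has only an upper bound; whether a zero or negative configured value can reach this point depends on the directive parser, which is not visible here. I would document the changed meaning where the field is declared, or keep the configured value and derive the base where it is used. If the parser does not already reject such values, add a lower bound check next to the `MAX_FUZZ_BASE` one. The enclosing function starts and ends outside this hunk.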
@@ -975,5 +1195,31 @@ int mgs_ocsp_post_config_server(apr_pool
                               mgs_cleanup_trust_list,
                               apr_pool_cleanup_null);
 
+    /* enable status request callback */
+    gnutls_certificate_set_ocsp_status_request_function(sc->certs,
+                                                        mgs_get_ocsp_response,
+                                                        sc);
+
+    /* The watchdog structure may be NULL if mod_watchdog is
+     * unavailable. */
+    if (sc->singleton_wd != NULL
+        && sc->ocsp_auto_refresh == GNUTLS_ENABLED_TRUE)
+    {
+        apr_status_t rv =
+            sc->singleton_wd->register_callback(sc->singleton_wd->wd,
+                                                sc->ocsp_cache_time,
+                                                server, mgs_async_ocsp_update);
+        if (rv == APR_SUCCESS)
+            ap_log_error(APLOG_MARK, APLOG_INFO, rv, server,
+                         "Enabled async OCSP update via watchdog "
+                         "for %s:%d",
+                         server->server_hostname, server->addrs->host_port);
+        else
+            ap_log_error(APLOG_MARK, APLOG_WARNING, rv, server,
+                         "Enabling async OCSP update via watchdog "
+                         "for %s:%d failed!",
+                         server->server_hostname, server->addrs->host_port);
+    }
+
     return OK;
 }
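Review bot: When `sc->singleton_wd` is NULL the registration block is skipped without any log output, even though `ocsp_auto_refresh` defaults to enabled earlier in this function. An operator then has no indication that responses are apparently only refreshed on demand from `mgs_get_ocsp_response` during a handshake. An `else if (sc->ocsp_auto_refresh == GNUTLS_ENABLED_TRUE)` branch with an `ap_log_error(APLOG_MARK, APLOG_INFO, ...)` line would make that visible. The message should state that mod_watchdog is unavailable and async OCSP updates are disabled for this host. The function begins outside this hunk.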
diff -pruN 0.8.2-3/src/gnutls_ocsp.h 0.9.0-1/src/gnutls_ocsp.h
--- 0.8.2-3/src/gnutls_ocsp.h	2017-01-08 14:16:07.000000000 +0000
+++ 0.9.0-1/src/gnutls_ocsp.h	2018-09-30 20:59:29.000000000 +0000
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2016 Thomas Klute
+ *  Copyright 2016-2018 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -23,6 +23,8 @@
 #include "http_config.h"
 
 #define MGS_OCSP_MUTEX_NAME "gnutls-ocsp"
+#define MGS_OCSP_CACHE_MUTEX_NAME "gnutls-ocsp-cache"
+#define MGS_OCSP_CACHE_NAME "gnutls_ocsp"
 
 /** Default OCSP response cache timeout in seconds */
 #define MGS_OCSP_CACHE_TIMEOUT 3600
@@ -53,6 +55,10 @@ const char *mgs_ocsp_stapling_enable(cmd
                                      void *dummy __attribute__((unused)),
                                      const int arg);
 
+const char *mgs_set_ocsp_auto_refresh(cmd_parms *parms,
+                                      void *dummy __attribute__((unused)),
+                                      const int arg);
+
 const char *mgs_set_ocsp_check_nonce(cmd_parms *parms,
                                      void *dummy __attribute__((unused)),
                                      const int arg);
@@ -91,15 +97,29 @@ int mgs_create_ocsp_trust_list(gnutls_x5
 apr_status_t mgs_cleanup_trust_list(void *data);
 
 /**
- * Initialize server config for OCSP, supposed to be called in the
- * post_config hook for each server where OCSP stapling is enabled,
- * after certificates have been loaded.
+ * Try to generate the OCSP stapling configuration for a (virtual)
+ * host. This function must be called in the post_config hook after
+ * certificates have been loaded. This method does not actually enable
+ * stapling, it only prepares the configuration. The reason for
+ * splitting these tasks is that configuration failure may be ignored
+ * if stapling is not explicitly enabled but only opportunistically.
+ *
+ * @return `NULL` on success, a string describing why configuration
+ * failed otherwise (static or allocated from ptemp)
+ */
+const char* mgs_ocsp_configure_stapling(apr_pool_t *pconf, apr_pool_t *ptemp,
+                                        server_rec *server);
+
+/**
+ * Enable OCSP stapling for a (virtual) host. Must be called in the
+ * post_config hook after mgs_ocsp_configure_stapling has returned
+ * successfully for that host.
  *
  * @return OK or DECLINED on success, any other value on error (like
- * the post_config hook itself)
+ * the post_config hook)
  */
-int mgs_ocsp_post_config_server(apr_pool_t *pconf, apr_pool_t *ptemp,
-                                server_rec *server);
+int mgs_ocsp_enable_stapling(apr_pool_t *pconf, apr_pool_t *ptemp,
+                             server_rec *server);
 
 int mgs_get_ocsp_response(gnutls_session_t session, void *ptr,
                           gnutls_datum_t *ocsp_response);
diff -pruN 0.8.2-3/src/gnutls_proxy.c 0.9.0-1/src/gnutls_proxy.c
--- 0.8.2-3/src/gnutls_proxy.c	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/src/gnutls_proxy.c	2019-01-05 17:28:56.000000000 +0000
@@ -0,0 +1,387 @@
+/*
+ *  Copyright 2015-2019 Fiona Klute
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "mod_gnutls.h"
+#include "gnutls_proxy.h"
+#include "gnutls_util.h"
+
+#include <apr_strings.h>
+#include <gnutls/gnutls.h>
+
+/*
+ * Callback to check the server certificate for proxy HTTPS
+ * connections, to be used with
+ * gnutls_certificate_set_verify_function.
+
+ * Returns: 0 if certificate check was successful (certificate
+ * trusted), non-zero otherwise (error during check or untrusted
+ * certificate).
+ */
+static int gtls_check_server_cert(gnutls_session_t session)
+{
+    mgs_handle_t *ctxt = (mgs_handle_t *) gnutls_session_get_ptr(session);
+    unsigned int status;
+
+    /* Get peer hostname from a note left by mod_proxy */
+    const char *peer_hostname =
+        apr_table_get(ctxt->c->notes, PROXY_SNI_NOTE);
+    if (peer_hostname == NULL)
+        ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, ctxt->c,
+                      "%s: " PROXY_SNI_NOTE " NULL, cannot check "
+                      "peer's hostname", __func__);
+
+    /* Verify certificate, including hostname match. Should
+     * peer_hostname be NULL for some reason, the name is not
+     * checked. */
+    int err = gnutls_certificate_verify_peers3(session, peer_hostname,
+                                               &status);
+    if (err != GNUTLS_E_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, ctxt->c,
+                      "%s: server certificate check failed: %s (%d)",
+                      __func__, gnutls_strerror(err), err);
+        return err;
+    }
+
+    if (status == 0)
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,
+                      "%s: server certificate is trusted.",
+                      __func__);
+    else
+    {
+        gnutls_datum_t out;
+        /* GNUTLS_CRT_X509: ATM, only X509 is supported for proxy
+         * certs 0: according to function API, the last argument
+         * should be 0 */
+        err = gnutls_certificate_verification_status_print(status,
+                                                           GNUTLS_CRT_X509,
+                                                           &out, 0);
+        if (err != GNUTLS_E_SUCCESS)
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, ctxt->c,
+                          "%s: server verify print failed: %s (%d)",
+                          __func__, gnutls_strerror(err), err);
+        else
+            ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, ctxt->c,
+                          "%s: %s",
+                          __func__, out.data);
+        gnutls_free(out.data);
+    }
+
+    return status;
+}
+
+
+
+static apr_status_t cleanup_proxy_x509_credentials(void *arg)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *) arg;
+
+    if (sc->proxy_x509_creds)
+    {
+        /* This implicitly releases the associated trust list
+         * sc->proxy_x509_tl, too. */
+        gnutls_certificate_free_credentials(sc->proxy_x509_creds);
+        sc->proxy_x509_creds = NULL;
+        sc->proxy_x509_tl = NULL;
+    }
+
+    if (sc->anon_client_creds)
+    {
+        gnutls_anon_free_client_credentials(sc->anon_client_creds);
+        sc->anon_client_creds = NULL;
+    }
+
+    /* Deinit proxy priorities only if set from
+     * sc->proxy_priorities_str. Otherwise the server is using the
+     * default global priority cache, which must not be deinitialized
+     * here. */
+    if (sc->proxy_priorities_str && sc->proxy_priorities)
+    {
+        gnutls_priority_deinit(sc->proxy_priorities);
+        sc->proxy_priorities = NULL;
+    }
+
+    return APR_SUCCESS;
+}
+
+
+
+apr_status_t load_proxy_x509_credentials(apr_pool_t *pconf,
+                                         apr_pool_t *ptemp,
+                                         server_rec *s)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(s->module_config, &gnutls_module);
+
+    if (sc == NULL)
+        return APR_EGENERAL;
+
+    apr_status_t ret = APR_EINIT;
+    int err = GNUTLS_E_SUCCESS;
+
+    /* Cleanup function for the GnuTLS structures allocated below */
+    apr_pool_cleanup_register(pconf, sc, cleanup_proxy_x509_credentials,
+                              apr_pool_cleanup_null);
+
+    /* Function pool, gets destroyed before exit. */
+    apr_pool_t *pool;
+    ret = apr_pool_create(&pool, ptemp);
+    if (ret != APR_SUCCESS)
+    {
+        ap_log_error(APLOG_MARK, APLOG_ERR, ret, s,
+                     "%s: failed to allocate function memory pool.", __func__);
+        return ret;
+    }
+
+    /* allocate credentials structures */
+    err = gnutls_certificate_allocate_credentials(&sc->proxy_x509_creds);
+    if (err != GNUTLS_E_SUCCESS)
+    {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                     "%s: Failed to initialize proxy credentials: (%d) %s",
+                     __func__, err, gnutls_strerror(err));
+        return APR_EGENERAL;
+    }
+    err = gnutls_anon_allocate_client_credentials(&sc->anon_client_creds);
+    if (err != GNUTLS_E_SUCCESS)
+    {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                     "%s: Failed to initialize anon credentials for proxy: "
+                     "(%d) %s", __func__, err, gnutls_strerror(err));
+        return APR_EGENERAL;
+    }
+
+    /* Check if the proxy priorities have been set, fail immediately
+     * if not */
+    if (sc->proxy_priorities_str == NULL)
+    {
+        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                     "No GnuTLSProxyPriorities directive for host '%s:%d', "
+                     "using default '%s'.",
+                     s->server_hostname, s->addrs->host_port,
+                     MGS_DEFAULT_PRIORITY);
+        sc->proxy_priorities = mgs_get_default_prio();
+    }
+    else
+    {
+        /* parse proxy priorities */
+        const char *err_pos = NULL;
+        err = gnutls_priority_init(&sc->proxy_priorities,
+                                   sc->proxy_priorities_str, &err_pos);
+        if (err != GNUTLS_E_SUCCESS)
+        {
+            if (ret == GNUTLS_E_INVALID_REQUEST)
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                             "%s: Syntax error parsing proxy priorities "
+                             "string at: %s",
+                             __func__, err_pos);
+            else
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                             "Error setting proxy priorities: %s (%d)",
+                             gnutls_strerror(err), err);
+            ret = APR_EGENERAL;
+        }
+    }
+
+    /* load certificate and key for client auth, if configured */
+    if (sc->proxy_x509_key_file && sc->proxy_x509_cert_file)
+    {
+        char* cert_file = ap_server_root_relative(pool,
+                                                  sc->proxy_x509_cert_file);
+        char* key_file = ap_server_root_relative(pool,
+                                                 sc->proxy_x509_key_file);
+        err = gnutls_certificate_set_x509_key_file(sc->proxy_x509_creds,
+                                                   cert_file,
+                                                   key_file,
+                                                   GNUTLS_X509_FMT_PEM);
+        if (err != GNUTLS_E_SUCCESS)
+        {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                         "%s: loading proxy client credentials failed: %s (%d)",
+                         __func__, gnutls_strerror(err), err);
+            ret = APR_EGENERAL;
+        }
+    }
+    else if (!sc->proxy_x509_key_file && sc->proxy_x509_cert_file)
+    {
+        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+                     "%s: proxy key file not set!", __func__);
+        ret = APR_EGENERAL;
+    }
+    else if (!sc->proxy_x509_cert_file && sc->proxy_x509_key_file)
+    {
+        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+                     "%s: proxy certificate file not set!", __func__);
+        ret = APR_EGENERAL;
+    }
+    else
+        /* if both key and cert are NULL, client auth is not used */
+        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                     "%s: no client credentials for proxy", __func__);
+
+    /* must be set if the server certificate is to be checked */
+    if (sc->proxy_x509_ca_file)
+    {
+        /* initialize the trust list */
+        err = gnutls_x509_trust_list_init(&sc->proxy_x509_tl, 0);
+        if (err != GNUTLS_E_SUCCESS)
+        {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                         "%s: gnutls_x509_trust_list_init failed: %s (%d)",
+                         __func__, gnutls_strerror(err), err);
+            ret = APR_EGENERAL;
+        }
+
+        char* ca_file = ap_server_root_relative(pool,
+                                                sc->proxy_x509_ca_file);
+        /* if no CRL is used, sc->proxy_x509_crl_file is NULL */
+        char* crl_file = NULL;
+        if (sc->proxy_x509_crl_file)
+            crl_file = ap_server_root_relative(pool,
+                                               sc->proxy_x509_crl_file);
+
+        /* returns number of loaded elements */
+        err = gnutls_x509_trust_list_add_trust_file(sc->proxy_x509_tl,
+                                                    ca_file,
+                                                    crl_file,
+                                                    GNUTLS_X509_FMT_PEM,
+                                                    0 /* tl_flags */,
+                                                    0 /* tl_vflags */);
+        if (err > 0)
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                         "%s: proxy CA trust list: %d structures loaded",
+                         __func__, err);
+        else if (err == 0)
+            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+                         "%s: proxy CA trust list is empty (%d)",
+                         __func__, err);
+        else /* err < 0 */
+        {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                         "%s: error loading proxy CA trust list: %s (%d)",
+                         __func__, gnutls_strerror(err), err);
+            ret = APR_EGENERAL;
+        }
+
+        /* attach trust list to credentials */
+        gnutls_certificate_set_trust_list(sc->proxy_x509_creds,
+                                          sc->proxy_x509_tl, 0);
+    }
+    else
+        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+                     "%s: no CA trust list for proxy connections, "
+                     "TLS connections will fail!", __func__);
+
+    gnutls_certificate_set_verify_function(sc->proxy_x509_creds,
+                                           gtls_check_server_cert);
+    apr_pool_destroy(pool);
+    return ret;
+}
+
+
+
+static void proxy_conn_set_sni(mgs_handle_t *ctxt)
+{
+    /* Get peer hostname from note left by mod_proxy */
+    const char *peer_hostname =
+        apr_table_get(ctxt->c->notes, PROXY_SNI_NOTE);
+    /* Used only as target for apr_ipsubnet_create() */
+    apr_ipsubnet_t *probe;
+    /* Check if the note is present (!= NULL) and NOT an IP
+     * address */
+    if ((peer_hostname) != NULL
+        && (apr_ipsubnet_create(&probe, peer_hostname, NULL, ctxt->c->pool)
+            != APR_SUCCESS))
+    {
+        int ret = gnutls_server_name_set(ctxt->session, GNUTLS_NAME_DNS,
+                                         peer_hostname, strlen(peer_hostname));
+        if (ret != GNUTLS_E_SUCCESS)
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, ctxt->c,
+                          "Could not set SNI '%s' for proxy connection: "
+                          "%s (%d)",
+                          peer_hostname, gnutls_strerror(ret), ret);
+    }
+}
+
+
+
+/** Initial size for the APR array storing ALPN protocol
+ * names. Currently only mod_proxy_http2 uses ALPN for proxy
+ * connections and proposes "h2" exclusively. This provides enough
+ * room without additional allocation even if an HTTP/1.1 fallback
+ * should be added while still being small. */
+#define INIT_ALPN_ARR_SIZE 2
+
+/**
+ * Set ALPN proposals for a proxy handshake based on the note from the
+ * proxy module (see `PROXY_SNI_NOTE`). The note is expected to
+ * contain a string, multiple protocol names can be separated by ","
+ * or " ", or a combination of them.
+ *
+ * @param ctxt the mod_gnutls connection handle
+ */
+static void proxy_conn_set_alpn(mgs_handle_t *ctxt)
+{
+    const char *proxy_alpn =
+        apr_table_get(ctxt->c->notes, PROXY_ALPN_NOTE);
+    if (proxy_alpn == NULL)
+        return;
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                  "%s: proxy module ALPN note is '%s', "
+                  "length %" APR_SIZE_T_FMT ".",
+                  __func__, proxy_alpn, strlen(proxy_alpn));
+
+    apr_array_header_t* protocols =
+        apr_array_make(ctxt->c->pool, INIT_ALPN_ARR_SIZE,
+                       sizeof(const char *));
+
+    /* mod_ssl tokenizes the note by "," or " " to allow multiple
+     * protocols. We need to copy the note because apr_strtok()
+     * modifies the string to make each token NULL terminated. On the
+     * plus side that means we do not need to copy individual
+     * tokens. */
+    char *tok = apr_pstrdup(ctxt->c->pool, proxy_alpn);
+    /* state for apr_strtok, pointer to character following current
+     * token */
+    char *last = NULL;
+    while ((tok = apr_strtok(tok, ", ", &last)))
+    {
+        APR_ARRAY_PUSH(protocols, const char *) = tok;
+        tok = NULL;
+    }
+
+    gnutls_datum_t* alpn_protos =
+        mgs_str_array_to_datum_array(protocols,
+                                     ctxt->c->pool,
+                                     protocols->nelts);
+    int ret = gnutls_alpn_set_protocols(ctxt->session,
+                                        alpn_protos,
+                                        protocols->nelts,
+                                        0 /* flags */);
+    if (ret != GNUTLS_E_SUCCESS)
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, ctxt->c,
+                      "Could not set ALPN proposals for proxy "
+                      "connection: %s (%d)",
+                      gnutls_strerror(ret), ret);
+}
+
+
+
+void mgs_set_proxy_handshake_ext(mgs_handle_t *ctxt)
+{
+    proxy_conn_set_sni(ctxt);
+    proxy_conn_set_alpn(ctxt);
+}
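Review bot: `gtls_check_server_cert` skips the hostname match whenever the `PROXY_SNI_NOTE` note is missing: it only logs a warning and calls `gnutls_certificate_verify_peers3` with a NULL hostname, so the backend certificate is validated against the trust list but not bound to the host being contacted. Failing closed is safer, i.e. add `return GNUTLS_E_CERTIFICATE_ERROR;` after the warning (with braces around both statements), unless name-less verification is a deliberate requirement, in which case it deserves an explicit configuration switch. Two further defects sit on error paths in this file. `gnutls_datum_t out;` is uninitialised, yet `gnutls_free(out.data)` runs even when `gnutls_certificate_verification_status_print` failed, so declare it as `gnutls_datum_t out = {NULL, 0};`. In `load_proxy_x509_credentials` the priority error branch tests `ret == GNUTLS_E_INVALID_REQUEST`, where `ret` holds the APR status, so the syntax error message with `err_pos` is never logged as written; the test should read `err == GNUTLS_E_INVALID_REQUEST`.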
diff -pruN 0.8.2-3/src/gnutls_proxy.h 0.9.0-1/src/gnutls_proxy.h
--- 0.8.2-3/src/gnutls_proxy.h	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/src/gnutls_proxy.h	2019-01-05 17:28:56.000000000 +0000
@@ -0,0 +1,44 @@
+/*
+ *  Copyright 2015-2018 Fiona Klute
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef __MOD_GNUTLS_PROXY_H__
+#define __MOD_GNUTLS_PROXY_H__
+
+#include <apr_errno.h>
+#include <apr_pools.h>
+#include <httpd.h>
+
+/** proxy modules may add a note with this key to the
+ * connection->notes table for client connections to indicate the
+ * server hostname */
+#define PROXY_SNI_NOTE "proxy-request-hostname"
+
+/** proxy modules may add a note with this key to the connection->notes
+ * table for client connections to indicate supported protocols */
+#define PROXY_ALPN_NOTE "proxy-request-alpn-protos"
+
+apr_status_t load_proxy_x509_credentials(apr_pool_t *pconf,
+                                         apr_pool_t *ptemp,
+                                         server_rec *s)
+    __attribute__((nonnull));
+
+/**
+ * Configure extensions for the TLS handshake on proxy connections,
+ * currently SNI and ALPN.
+ */
+void mgs_set_proxy_handshake_ext(mgs_handle_t * ctxt);
+
+#endif /* __MOD_GNUTLS_PROXY_H__ */
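Review bot: The prototype of `mgs_set_proxy_handshake_ext()` uses `mgs_handle_t`, but none of the three headers included here (`apr_errno.h`, `apr_pools.h`, `httpd.h`) is where that project type would come from, so this header appears to compile only when the including file has already pulled in `mod_gnutls.h`. The gnutls_util.h hunk in this diff adds `#include "mod_gnutls.h"`, presumably for the same type; doing the same here would make the header self-contained, assuming `mod_gnutls.h` does not itself include this file. The new gnutls_sni.h has the same dependency and includes nothing at all. `load_proxy_x509_credentials()` is also the only declaration here without a doc comment; one stating what `pconf`, `ptemp` and `s` are used for and which `apr_status_t` values signal failure would help.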
diff -pruN 0.8.2-3/src/gnutls_sni.c 0.9.0-1/src/gnutls_sni.c
--- 0.8.2-3/src/gnutls_sni.c	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/src/gnutls_sni.c	2018-11-28 05:37:07.000000000 +0000
@@ -0,0 +1,224 @@
+/*
+ *  Copyright 2018 Fiona Klute
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "mod_gnutls.h"
+
+#include <apr_lib.h>
+#include <apr_strings.h>
+#include <byteswap.h>
+#include <gnutls/gnutls.h>
+#include <inttypes.h>
+
+/** Defined in https://tools.ietf.org/html/rfc6066#section-1.1 */
+#define EXT_ID_SERVER_NAME 0
+/** "host_name" type as defined in
+ * https://tools.ietf.org/html/rfc6066#section-3 */
+#define SERVER_NAME_TYPE_DNS 0
+/** size of type and length field for each ServerName as defined in
+ * https://tools.ietf.org/html/rfc6066#section-3 */
+#define SERVER_NAME_HDR_SIZE (sizeof(uint16_t) + sizeof(uint8_t))
+
+/**
+ * Read a 16 bit unsigned int in network byte order from the data,
+ * and return the value in host byte order.
+ */
+static inline uint16_t read_uint16(const unsigned char *data)
+{
+    uint16_t u;
+    memcpy(&u, data, sizeof(uint16_t));
+#if APR_IS_BIGENDIAN == 0
+    u = bswap_16(u);
+#endif
+    return u;
+}
+
+/**
+ * Check if the string contains only alphanumeric characters, `-`, and
+ * `.`. APR port of GnuTLS' _gnutls_dnsname_is_valid() (from
+ * lib/str.h).
+ *
+ * @param str the string to check
+ * @param size length of the input string (must not include any
+ * terminating null byte)
+ *
+ * @return `1` if the string is a valid DNS name, `0` otherwise
+ */
+static inline int is_valid_dnsname(const unsigned char *str, unsigned int size)
+{
+    for (unsigned int i = 0; i < size; i++)
+    {
+        if (!(apr_isalnum(str[i]) || str[i] == '-' || str[i] == '.'))
+            return 0;
+    }
+    return 1;
+}
+
+/**
+ * Callback for gnutls_ext_raw_parse(), checks if the extension is a
+ * Server Name Indication, and tries to parse it if so. In case of
+ * success the requested hostname is stored in the mod_gnutls session
+ * context.
+ *
+ * See [RFC 6066 Sec. 3](https://tools.ietf.org/html/rfc6066#section-3)
+ * for the definition of the SNI data structure. The function
+ * signature is defined by the GnuTLS API.
+ *
+ * @param ctx must be the `gnutls_session_t` for the current
+ * connection
+ * @param tls_id TLS extension ID
+ * @param data the extension data
+ * @param size length of the extension data (bytes)
+ *
+ * @return `GNUTLS_E_SUCCESS` or a GnuTLS error code
+ */
+int mgs_sni_ext_hook(void *ctx, unsigned tls_id,
+                     const unsigned char *data, unsigned size)
+{
+    const char *name = NULL;
+
+    gnutls_session_t session = (gnutls_session_t) ctx;
+    mgs_handle_t *ctxt = (mgs_handle_t *) gnutls_session_get_ptr(session);
+
+    if (tls_id == EXT_ID_SERVER_NAME)
+    {
+        /*
+         * This is SNI extension data. GnuTLS does the following (see
+         * _gnutls_server_name_recv_params() in lib/ext/server_name.c):
+         *
+         * Verify that total length lines up with received data size
+         *
+         * Iterate over type/size pairs, if type == 0 it's a DNS
+         * name. Ignore any other type.
+         *
+         * Verify a DNS name using _gnutls_dnsname_is_valid() (from
+         * lib/str.h)
+         *
+         * In case of any issue with sizes:
+         * return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
+         *
+         * In case of invalid data:
+         * return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+         */
+
+        /* Read position for parsing */
+        unsigned int pos = 0;
+
+        /* Size of the ServerNameList (2 bytes) */
+        if (size < sizeof(uint16_t))
+            return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
+        uint16_t list_len = read_uint16(data);
+        pos += sizeof(uint16_t);
+
+        if (pos + list_len != size)
+            return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
+
+        while (pos + SERVER_NAME_HDR_SIZE <= size)
+        {
+            /* NameType (one byte) */
+            uint8_t type = *(data + pos);
+            pos += sizeof(uint8_t);
+            /* Size of the ServerName (2 bytes) */
+            uint16_t name_len = read_uint16(data + pos);
+            pos += sizeof(uint16_t);
+
+            if (pos + name_len > size)
+                return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
+
+            if (type == SERVER_NAME_TYPE_DNS)
+            {
+                if (!is_valid_dnsname(data + pos, name_len))
+                    return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+                /* Without APR pools this would require a target
+                 * buffer or malloc/free */
+                name = apr_pstrndup(ctxt->c->pool,
+                                    (const char *) data + pos,
+                                    name_len);
+                /* We don't handle any other ServerName types, ignore
+                 * whatever follows */
+                break;
+            }
+            pos += name_len;
+        }
+    }
+
+    if (name != NULL)
+    {
+        /* Assign to session context */
+        ctxt->sni_name = name;
+    }
+    return GNUTLS_E_SUCCESS;
+}
+
+
+
+/**
+ * Default buffer size for SNI data, including the terminating NULL
+ * byte. The size matches what gnutls-cli uses initially.
+ */
+#define DEFAULT_SNI_HOST_LEN 256
+
+const char* mgs_server_name_get(mgs_handle_t *ctxt)
+{
+    char *sni_name = apr_palloc(ctxt->c->pool, DEFAULT_SNI_HOST_LEN);
+    size_t sni_len = DEFAULT_SNI_HOST_LEN;
+    unsigned int sni_type;
+
+    /* Search for a DNS SNI element. Note that RFC 6066 prohibits more
+     * than one server name per type. */
+    int sni_index = -1;
+    int rv = 0;
+    do {
+        /* The sni_index is incremented before each use, so if the
+         * loop terminates with a type match we will have the right
+         * one stored. */
+        rv = gnutls_server_name_get(ctxt->session, sni_name,
+                                    &sni_len, &sni_type, ++sni_index);
+        if (rv == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+        {
+            ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_EGENERAL, ctxt->c,
+                          "%s: no DNS SNI found (last index: %d).",
+                          __func__, sni_index);
+            return NULL;
+        }
+    } while (sni_type != GNUTLS_NAME_DNS);
+    /* The (rv == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) path inside
+     * the loop above returns, so if we reach this point we have a DNS
+     * SNI at the current index. */
+
+    if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER)
+    {
+        /* Allocate a new buffer of the right size and retry */
+        sni_name = apr_palloc(ctxt->c->pool, sni_len);
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                      "%s: reallocated SNI data buffer for %" APR_SIZE_T_FMT
+                      " bytes.", __func__, sni_len);
+        rv = gnutls_server_name_get(ctxt->session, sni_name,
+                                    &sni_len, &sni_type, sni_index);
+    }
+
+    /* Unless there's a bug in the GnuTLS API only GNUTLS_E_IDNA_ERROR
+     * can occur here, but a catch all is safer and no more
+     * complicated. */
+    if (rv != GNUTLS_E_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_INFO, APR_EGENERAL, ctxt->c,
+                      "%s: error while getting SNI DNS data: '%s' (%d).",
+                      __func__, gnutls_strerror(rv), rv);
+        return NULL;
+    }
+
+    return sni_name;
+}
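Review bot: In `mgs_sni_ext_hook()` a `host_name` entry with `name_len == 0` is accepted, because `is_valid_dnsname()` returns 1 for an empty range, so `ctxt->sni_name` becomes an empty string taken from client-controlled ClientHello data even though RFC 6066 defines HostName as at least one byte long. Rejecting it before the validity check, e.g. `if (name_len == 0) return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;`, means whatever consumes `sni_name` later never has to handle an empty name. In `mgs_server_name_get()` the loop condition reads `sni_type` after every return code except `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE`, so if GnuTLS fails with another error before writing the type, the comparison uses an uninitialised value. Changing the condition to `} while ((rv == GNUTLS_E_SUCCESS || rv == GNUTLS_E_SHORT_MEMORY_BUFFER) && sni_type != GNUTLS_NAME_DNS);` leaves such errors to the existing catch-all below the loop.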
diff -pruN 0.8.2-3/src/gnutls_sni.h 0.9.0-1/src/gnutls_sni.h
--- 0.8.2-3/src/gnutls_sni.h	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/src/gnutls_sni.h	2018-11-28 05:37:07.000000000 +0000
@@ -0,0 +1,37 @@
+/*
+ *  Copyright 2018 Fiona Klute
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef __MOD_GNUTLS_SNI_H__
+#define __MOD_GNUTLS_SNI_H__
+
+int mgs_sni_ext_hook(void *ctx, unsigned tls_id,
+                     const unsigned char *data, unsigned size);
+
+
+/**
+ * Wrapper for gnutls_server_name_get(): Retrieve SNI data from the
+ * TLS session associated with the connection, store it in a string
+ * allocated from the connection pool.
+ *
+ * Note that `ctxt->sni_name` is not automatically updated.
+ *
+ * @param ctxt the connection to read from
+ *
+ * @return the requested server name, or NULL.
+ */
+const char* mgs_server_name_get(mgs_handle_t *ctxt);
+
+#endif /* __MOD_GNUTLS_SNI_H__ */
diff -pruN 0.8.2-3/src/gnutls_util.c 0.9.0-1/src/gnutls_util.c
--- 0.8.2-3/src/gnutls_util.c	2016-12-25 18:36:37.000000000 +0000
+++ 0.9.0-1/src/gnutls_util.c	2019-01-05 17:28:56.000000000 +0000
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2016 Thomas Klute
+ *  Copyright 2016-2019 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -20,6 +20,14 @@
 #include <gnutls/gnutls.h>
 
 
+
+/** Compiled version of MGS_DEFAULT_PRIORITY, must be initialized
+ * using mgs_default_priority_init() in the pre_config hook and
+ * deinitialized in the matching pool cleanup hook. */
+static gnutls_priority_t default_prio;
+
+
+
 const char* http_post_header(apr_pool_t *p, apr_uri_t *uri,
                              const char *content_type, const char *accept,
                              apr_size_t size)
@@ -125,3 +133,67 @@ apr_status_t datum_from_file(apr_pool_t
 
     return rv;
 }
+
+
+
+mgs_handle_t *init_gnutls_ctxt(conn_rec *c)
+{
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+    if (ctxt == NULL)
+    {
+        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
+        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+
+        /* Get mod_gnutls server configuration */
+        mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+            ap_get_module_config(c->base_server->module_config,
+                                 &gnutls_module);
+
+        /* Set up connection and server references */
+        ctxt->c = c;
+        ctxt->sc = sc;
+        /* Default, unconditionally changed in proxy setup functions */
+        ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
+        /* Other default values */
+        ctxt->sni_name = NULL;
+    }
+    return ctxt;
+}
+
+
+
+int mgs_default_priority_init()
+{
+    return gnutls_priority_init(&default_prio, MGS_DEFAULT_PRIORITY, NULL);
+}
+
+
+
+gnutls_priority_t mgs_get_default_prio()
+{
+    return default_prio;
+}
+
+
+
+void mgs_default_priority_deinit()
+{
+    gnutls_priority_deinit(default_prio);
+}
+
+
+
+gnutls_datum_t * mgs_str_array_to_datum_array(const apr_array_header_t *src,
+                                              apr_pool_t *pool,
+                                              const int min_elements)
+{
+    int num = min_elements > src->nelts ? min_elements : src->nelts;
+    gnutls_datum_t *dest = apr_palloc(pool, num * sizeof(gnutls_datum_t));
+    for (int i = 0; i < src->nelts; i++)
+    {
+        dest[i].data = (void *) APR_ARRAY_IDX(src, i, char *);
+        dest[i].size = strlen(APR_ARRAY_IDX(src, i, char *));
+    }
+    return dest;
+}
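Review bot: `mgs_str_array_to_datum_array()` allocates `num` elements with `apr_palloc()` but fills only the first `src->nelts`, so when `min_elements` is larger the remaining `gnutls_datum_t` entries hold indeterminate `data` pointers and `size` values. A caller that hands the whole array to GnuTLS with the larger count would then pass uninitialised pointers. Allocating with `apr_pcalloc(pool, num * sizeof(gnutls_datum_t))`, as `init_gnutls_ctxt()` in this hunk already does for its structure, leaves the tail as NULL/0 at no real cost.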
diff -pruN 0.8.2-3/src/gnutls_util.h 0.9.0-1/src/gnutls_util.h
--- 0.8.2-3/src/gnutls_util.h	2016-12-25 18:36:37.000000000 +0000
+++ 0.9.0-1/src/gnutls_util.h	2019-01-05 17:28:56.000000000 +0000
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2016 Thomas Klute
+ *  Copyright 2016-2019 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -20,10 +20,14 @@
 #include <apr_pools.h>
 #include <apr_uri.h>
 #include <gnutls/gnutls.h>
+#include "mod_gnutls.h"
 
 #ifndef __MOD_GNUTLS_UTIL_H__
 #define __MOD_GNUTLS_UTIL_H__
 
+/** Default GnuTLS priority string for mod_gnutls */
+#define MGS_DEFAULT_PRIORITY "NORMAL"
+
 /** maximum allowed length of one header line */
 #define HTTP_HDR_LINE_MAX 1024
 
@@ -66,4 +70,45 @@ apr_status_t datum_from_file(apr_pool_t
                              gnutls_datum_t *datum)
     __attribute__((nonnull));
 
+/**
+ * Allocate the connection configuration structure if necessary, set
+ * some defaults.
+ */
+mgs_handle_t *init_gnutls_ctxt(conn_rec *c);
+
+/**
+ * Initialize the global default priorities, must be called by the
+ * pre_config hook
+ *
+ * @return `GNUTLS_E_SUCCESS` or a GnuTLS error code
+ */
+int mgs_default_priority_init();
+
+/**
+ * Get the global default priorities
+ */
+gnutls_priority_t mgs_get_default_prio();
+
+/**
+ * Deinitialize the global default priorities, must be in the cleanup
+ * hook of the pre_config pool.
+ */
+void mgs_default_priority_deinit();
+
+/**
+ * Create a shallow copy of an APR array of `char *` into a new array
+ * of gnutls_datum_t, filling `size` via `strlen()`. "Shallow copy"
+ * means that the strings themselves are not copied, just the pointers
+ * to them.
+ *
+ * @param src array to copy
+ * @param pool allocate memory for the new array
+ * @param min_elements allocate room for at least this many elements
+ *
+ * @return pointer to the first element of the new array
+ */
+gnutls_datum_t * mgs_str_array_to_datum_array(const apr_array_header_t *src,
+                                              apr_pool_t *pool,
+                                              const int min_elements);
+
 #endif /* __MOD_GNUTLS_UTIL_H__ */
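Review bot: `mgs_default_priority_init()`, `mgs_get_default_prio()` and `mgs_default_priority_deinit()` are declared with empty parentheses, which in C before C23 declares a function with unspecified parameters rather than one taking none, so a call that passes arguments by mistake is not diagnosed. Writing them as `int mgs_default_priority_init(void);`, `gnutls_priority_t mgs_get_default_prio(void);` and `void mgs_default_priority_deinit(void);`, here and in the matching definitions in gnutls_util.c, gives the compiler real prototypes to check against.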
diff -pruN 0.8.2-3/src/gnutls_watchdog.c 0.9.0-1/src/gnutls_watchdog.c
--- 0.8.2-3/src/gnutls_watchdog.c	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/src/gnutls_watchdog.c	2018-09-30 20:59:29.000000000 +0000
@@ -0,0 +1,70 @@
+/*
+ *  Copyright 2018 Fiona Klute
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "gnutls_watchdog.h"
+
+#include <httpd.h>
+#include <mod_watchdog.h>
+
+
+struct mgs_watchdog* mgs_new_singleton_watchdog(server_rec *s, char *name,
+                                                apr_pool_t* p)
+{
+    APR_OPTIONAL_FN_TYPE(ap_watchdog_get_instance) *inst_fn =
+        APR_RETRIEVE_OPTIONAL_FN(ap_watchdog_get_instance);
+    APR_OPTIONAL_FN_TYPE(ap_watchdog_register_callback) *reg_callback_fn =
+        APR_RETRIEVE_OPTIONAL_FN(ap_watchdog_register_callback);
+    APR_OPTIONAL_FN_TYPE(ap_watchdog_set_callback_interval) *mod_callback_fn =
+        APR_RETRIEVE_OPTIONAL_FN(ap_watchdog_set_callback_interval);
+
+    /* Check if all functions are available */
+    if (inst_fn == NULL || reg_callback_fn == NULL || mod_callback_fn == NULL)
+    {
+        ap_log_error(APLOG_MARK, APLOG_WARNING, APR_EGENERAL, s,
+                     "Could not retrieve watchdog functions, has "
+                     "mod_watchdog been loaded?");
+        return NULL;
+    }
+
+    apr_pool_t *wd_pool;
+    apr_status_t rv = apr_pool_create(&wd_pool, p);
+    if (rv != APR_SUCCESS)
+    {
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                     "Creating pool for watchdog instance failed!");
+        return NULL;
+    }
+
+    struct mgs_watchdog *w = apr_palloc(wd_pool, sizeof(struct mgs_watchdog));
+
+    w->get_instance = inst_fn;
+    w->register_callback = reg_callback_fn;
+    w->set_callback_interval = mod_callback_fn;
+
+    /* 0 -> run in child process, 1 -> singleton watchdog */
+    rv = w->get_instance(&w->wd, name, 0, 1, wd_pool);
+    if (rv != APR_SUCCESS)
+    {
+        ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                     "Retrieving watchdog instance '%s' failed!", name);
+        apr_pool_destroy(wd_pool);
+        return NULL;
+    }
+
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, s,
+                 "watchdog init for %s", name);
+    return w;
+}
diff -pruN 0.8.2-3/src/gnutls_watchdog.h 0.9.0-1/src/gnutls_watchdog.h
--- 0.8.2-3/src/gnutls_watchdog.h	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/src/gnutls_watchdog.h	2018-09-30 20:59:29.000000000 +0000
@@ -0,0 +1,46 @@
+/*
+ *  Copyright 2018 Fiona Klute
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef __MOD_GNUTLS_WATCHDOG_H__
+#define __MOD_GNUTLS_WATCHDOG_H__
+
+#include <httpd.h>
+#include <mod_watchdog.h>
+
+/**
+ * Watchdog object including functions
+ */
+struct mgs_watchdog {
+    APR_OPTIONAL_FN_TYPE(ap_watchdog_get_instance) *get_instance;
+    APR_OPTIONAL_FN_TYPE(ap_watchdog_register_callback) *register_callback;
+    APR_OPTIONAL_FN_TYPE(ap_watchdog_set_callback_interval) *set_callback_interval;
+    ap_watchdog_t *wd;
+};
+
+/**
+ * Creates a new mgs_watchdog structure and initializes the
+ * included `apr_watchdog_t` with the named singleton watchdog.
+ *
+ * @param s server reference for logging
+ * @param name watchdog name
+ * @param p memory pool for the watchdog
+ *
+ * @return pointer to the new mgs_watchdog, or `NULL` on error
+ */
+struct mgs_watchdog* mgs_new_singleton_watchdog(server_rec *s, char *name,
+                                                apr_pool_t *p);
+
+#endif /* __MOD_GNUTLS_WATCHDOG_H__ */
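Review bot: The doc comment on `mgs_new_singleton_watchdog()` refers to the included `apr_watchdog_t`, but the member declared in `struct mgs_watchdog` is `ap_watchdog_t *wd`, so the comment should name `ap_watchdog_t`. The struct members have no comments of their own; one line each, saying that the three function pointers are the optional mod_watchdog functions retrieved at creation and that `wd` is the singleton instance, would make the struct readable without opening gnutls_watchdog.c. In that implementation `name` is only passed to `get_instance` and logged, so declaring it `const char *name` would document that the string is not modified.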
diff -pruN 0.8.2-3/src/Makefile.am 0.9.0-1/src/Makefile.am
--- 0.8.2-3/src/Makefile.am	2016-12-25 18:36:37.000000000 +0000
+++ 0.9.0-1/src/Makefile.am	2019-01-05 17:28:56.000000000 +0000
@@ -6,9 +6,11 @@ apmodpkglibdir = ${AP_LIBEXECDIR}
 endif
 
 mod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c \
-	gnutls_config.c gnutls_hooks.c gnutls_ocsp.c gnutls_util.c
+	gnutls_config.c gnutls_hooks.c gnutls_ocsp.c gnutls_proxy.c \
+	gnutls_sni.c gnutls_util.c gnutls_watchdog.c
 mod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS}
 mod_gnutls_la_LDFLAGS = -module -avoid-version ${MODULE_LIBS}
-noinst_HEADERS = gnutls_cache.h gnutls_config.h gnutls_ocsp.h gnutls_util.h
+noinst_HEADERS = gnutls_cache.h gnutls_config.h gnutls_ocsp.h \
+	gnutls_proxy.h gnutls_sni.h gnutls_util.h gnutls_watchdog.h
 
 apmodpkglib_LTLIBRARIES = mod_gnutls.la
diff -pruN 0.8.2-3/src/Makefile.in 0.9.0-1/src/Makefile.in
--- 0.8.2-3/src/Makefile.in	2017-01-08 14:08:05.000000000 +0000
+++ 0.9.0-1/src/Makefile.in	2019-01-23 20:15:48.000000000 +0000
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.15 from Makefile.am.
+# Makefile.in generated by automake 1.16.1 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+# Copyright (C) 1994-2018 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -94,7 +94,6 @@ subdir = src
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/apache.m4 \
 	$(top_srcdir)/m4/apache_test.m4 \
-	$(top_srcdir)/m4/apr_memcache.m4 \
 	$(top_srcdir)/m4/ax_prog_doxygen.m4 \
 	$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
 	$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
@@ -141,7 +140,9 @@ mod_gnutls_la_LIBADD =
 am_mod_gnutls_la_OBJECTS = mod_gnutls_la-mod_gnutls.lo \
 	mod_gnutls_la-gnutls_io.lo mod_gnutls_la-gnutls_cache.lo \
 	mod_gnutls_la-gnutls_config.lo mod_gnutls_la-gnutls_hooks.lo \
-	mod_gnutls_la-gnutls_ocsp.lo mod_gnutls_la-gnutls_util.lo
+	mod_gnutls_la-gnutls_ocsp.lo mod_gnutls_la-gnutls_proxy.lo \
+	mod_gnutls_la-gnutls_sni.lo mod_gnutls_la-gnutls_util.lo \
+	mod_gnutls_la-gnutls_watchdog.lo
 mod_gnutls_la_OBJECTS = $(am_mod_gnutls_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -164,7 +165,17 @@ am__v_at_0 = @
 am__v_at_1 = 
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)/include
 depcomp = $(SHELL) $(top_srcdir)/config/depcomp
-am__depfiles_maybe = depfiles
+am__maybe_remake_depfiles = depfiles
+am__depfiles_remade = ./$(DEPDIR)/mod_gnutls_la-gnutls_cache.Plo \
+	./$(DEPDIR)/mod_gnutls_la-gnutls_config.Plo \
+	./$(DEPDIR)/mod_gnutls_la-gnutls_hooks.Plo \
+	./$(DEPDIR)/mod_gnutls_la-gnutls_io.Plo \
+	./$(DEPDIR)/mod_gnutls_la-gnutls_ocsp.Plo \
+	./$(DEPDIR)/mod_gnutls_la-gnutls_proxy.Plo \
+	./$(DEPDIR)/mod_gnutls_la-gnutls_sni.Plo \
+	./$(DEPDIR)/mod_gnutls_la-gnutls_util.Plo \
+	./$(DEPDIR)/mod_gnutls_la-gnutls_watchdog.Plo \
+	./$(DEPDIR)/mod_gnutls_la-mod_gnutls.Plo
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
@@ -223,9 +234,6 @@ APR_INCLUDES = @APR_INCLUDES@
 APR_LDFLAGS = @APR_LDFLAGS@
 APR_LIBS = @APR_LIBS@
 APR_LIBTOOL = @APR_LIBTOOL@
-APR_MEMCACHE_CFLAGS = @APR_MEMCACHE_CFLAGS@
-APR_MEMCACHE_LIBS = @APR_MEMCACHE_LIBS@
-APR_UTIL_CONF = @APR_UTIL_CONF@
 APU_INCLUDES = @APU_INCLUDES@
 APU_LDFLAGS = @APU_LDFLAGS@
 APU_LIBS = @APU_LIBS@
@@ -289,6 +297,7 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ENABLE_EARLY_SNI = @ENABLE_EARLY_SNI@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 FLOCK = @FLOCK@
@@ -348,6 +357,9 @@ SOFTHSM_LIB = @SOFTHSM_LIB@
 SOFTHSM_MAJOR_VERSION = @SOFTHSM_MAJOR_VERSION@
 STRIP = @STRIP@
 TEST_HOST = @TEST_HOST@
+TEST_IP = @TEST_IP@
+TEST_LOCK_WAIT = @TEST_LOCK_WAIT@
+TEST_QUERY_TIMEOUT = @TEST_QUERY_TIMEOUT@
 UNSHARE = @UNSHARE@
 VERSION = @VERSION@
 abs_builddir = @abs_builddir@
@@ -374,7 +386,6 @@ datarootdir = @datarootdir@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_apr_memcache = @have_apr_memcache@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -413,11 +424,14 @@ top_srcdir = @top_srcdir@
 # installation directory for Apache modules
 @ENABLE_VPATH_INSTALL_TRUE@apmodpkglibdir = $(subst ${AP_EXEC_PREFIX},${prefix},${AP_LIBEXECDIR})
 mod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c \
-	gnutls_config.c gnutls_hooks.c gnutls_ocsp.c gnutls_util.c
+	gnutls_config.c gnutls_hooks.c gnutls_ocsp.c gnutls_proxy.c \
+	gnutls_sni.c gnutls_util.c gnutls_watchdog.c
 
 mod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS}
 mod_gnutls_la_LDFLAGS = -module -avoid-version ${MODULE_LIBS}
-noinst_HEADERS = gnutls_cache.h gnutls_config.h gnutls_ocsp.h gnutls_util.h
+noinst_HEADERS = gnutls_cache.h gnutls_config.h gnutls_ocsp.h \
+	gnutls_proxy.h gnutls_sni.h gnutls_util.h gnutls_watchdog.h
+
 apmodpkglib_LTLIBRARIES = mod_gnutls.la
 all: all-am
 
@@ -440,8 +454,8 @@ Makefile: $(srcdir)/Makefile.in $(top_bu
 	  *config.status*) \
 	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
 	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
 	esac;
 
 $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
@@ -497,13 +511,22 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_gnutls_la-gnutls_cache.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_gnutls_la-gnutls_config.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_gnutls_la-gnutls_hooks.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_gnutls_la-gnutls_io.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_gnutls_la-gnutls_ocsp.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_gnutls_la-gnutls_util.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_gnutls_la-mod_gnutls.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_gnutls_la-gnutls_cache.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_gnutls_la-gnutls_config.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_gnutls_la-gnutls_hooks.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_gnutls_la-gnutls_io.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_gnutls_la-gnutls_ocsp.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_gnutls_la-gnutls_proxy.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_gnutls_la-gnutls_sni.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_gnutls_la-gnutls_util.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_gnutls_la-gnutls_watchdog.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_gnutls_la-mod_gnutls.Plo@am__quote@ # am--include-marker
+
+$(am__depfiles_remade):
+	@$(MKDIR_P) $(@D)
+	@echo '# dummy' >$@-t && $(am__mv) $@-t $@
+
+am--depfiles: $(am__depfiles_remade)
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -568,6 +591,20 @@ mod_gnutls_la-gnutls_ocsp.lo: gnutls_ocs
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(mod_gnutls_la_CFLAGS) $(CFLAGS) -c -o mod_gnutls_la-gnutls_ocsp.lo `test -f 'gnutls_ocsp.c' || echo '$(srcdir)/'`gnutls_ocsp.c
 
+mod_gnutls_la-gnutls_proxy.lo: gnutls_proxy.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(mod_gnutls_la_CFLAGS) $(CFLAGS) -MT mod_gnutls_la-gnutls_proxy.lo -MD -MP -MF $(DEPDIR)/mod_gnutls_la-gnutls_proxy.Tpo -c -o mod_gnutls_la-gnutls_proxy.lo `test -f 'gnutls_proxy.c' || echo '$(srcdir)/'`gnutls_proxy.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mod_gnutls_la-gnutls_proxy.Tpo $(DEPDIR)/mod_gnutls_la-gnutls_proxy.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='gnutls_proxy.c' object='mod_gnutls_la-gnutls_proxy.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(mod_gnutls_la_CFLAGS) $(CFLAGS) -c -o mod_gnutls_la-gnutls_proxy.lo `test -f 'gnutls_proxy.c' || echo '$(srcdir)/'`gnutls_proxy.c
+
+mod_gnutls_la-gnutls_sni.lo: gnutls_sni.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(mod_gnutls_la_CFLAGS) $(CFLAGS) -MT mod_gnutls_la-gnutls_sni.lo -MD -MP -MF $(DEPDIR)/mod_gnutls_la-gnutls_sni.Tpo -c -o mod_gnutls_la-gnutls_sni.lo `test -f 'gnutls_sni.c' || echo '$(srcdir)/'`gnutls_sni.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mod_gnutls_la-gnutls_sni.Tpo $(DEPDIR)/mod_gnutls_la-gnutls_sni.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='gnutls_sni.c' object='mod_gnutls_la-gnutls_sni.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(mod_gnutls_la_CFLAGS) $(CFLAGS) -c -o mod_gnutls_la-gnutls_sni.lo `test -f 'gnutls_sni.c' || echo '$(srcdir)/'`gnutls_sni.c
+
 mod_gnutls_la-gnutls_util.lo: gnutls_util.c
 @am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(mod_gnutls_la_CFLAGS) $(CFLAGS) -MT mod_gnutls_la-gnutls_util.lo -MD -MP -MF $(DEPDIR)/mod_gnutls_la-gnutls_util.Tpo -c -o mod_gnutls_la-gnutls_util.lo `test -f 'gnutls_util.c' || echo '$(srcdir)/'`gnutls_util.c
 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mod_gnutls_la-gnutls_util.Tpo $(DEPDIR)/mod_gnutls_la-gnutls_util.Plo
@@ -575,6 +612,13 @@ mod_gnutls_la-gnutls_util.lo: gnutls_uti
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(mod_gnutls_la_CFLAGS) $(CFLAGS) -c -o mod_gnutls_la-gnutls_util.lo `test -f 'gnutls_util.c' || echo '$(srcdir)/'`gnutls_util.c
 
+mod_gnutls_la-gnutls_watchdog.lo: gnutls_watchdog.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(mod_gnutls_la_CFLAGS) $(CFLAGS) -MT mod_gnutls_la-gnutls_watchdog.lo -MD -MP -MF $(DEPDIR)/mod_gnutls_la-gnutls_watchdog.Tpo -c -o mod_gnutls_la-gnutls_watchdog.lo `test -f 'gnutls_watchdog.c' || echo '$(srcdir)/'`gnutls_watchdog.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mod_gnutls_la-gnutls_watchdog.Tpo $(DEPDIR)/mod_gnutls_la-gnutls_watchdog.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='gnutls_watchdog.c' object='mod_gnutls_la-gnutls_watchdog.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(mod_gnutls_la_CFLAGS) $(CFLAGS) -c -o mod_gnutls_la-gnutls_watchdog.lo `test -f 'gnutls_watchdog.c' || echo '$(srcdir)/'`gnutls_watchdog.c
+
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -633,7 +677,10 @@ cscopelist-am: $(am__tagged_files)
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
-distdir: $(DISTFILES)
+distdir: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -706,7 +753,16 @@ clean-am: clean-apmodpkglibLTLIBRARIES c
 	mostlyclean-am
 
 distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
+		-rm -f ./$(DEPDIR)/mod_gnutls_la-gnutls_cache.Plo
+	-rm -f ./$(DEPDIR)/mod_gnutls_la-gnutls_config.Plo
+	-rm -f ./$(DEPDIR)/mod_gnutls_la-gnutls_hooks.Plo
+	-rm -f ./$(DEPDIR)/mod_gnutls_la-gnutls_io.Plo
+	-rm -f ./$(DEPDIR)/mod_gnutls_la-gnutls_ocsp.Plo
+	-rm -f ./$(DEPDIR)/mod_gnutls_la-gnutls_proxy.Plo
+	-rm -f ./$(DEPDIR)/mod_gnutls_la-gnutls_sni.Plo
+	-rm -f ./$(DEPDIR)/mod_gnutls_la-gnutls_util.Plo
+	-rm -f ./$(DEPDIR)/mod_gnutls_la-gnutls_watchdog.Plo
+	-rm -f ./$(DEPDIR)/mod_gnutls_la-mod_gnutls.Plo
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -752,7 +808,16 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
+		-rm -f ./$(DEPDIR)/mod_gnutls_la-gnutls_cache.Plo
+	-rm -f ./$(DEPDIR)/mod_gnutls_la-gnutls_config.Plo
+	-rm -f ./$(DEPDIR)/mod_gnutls_la-gnutls_hooks.Plo
+	-rm -f ./$(DEPDIR)/mod_gnutls_la-gnutls_io.Plo
+	-rm -f ./$(DEPDIR)/mod_gnutls_la-gnutls_ocsp.Plo
+	-rm -f ./$(DEPDIR)/mod_gnutls_la-gnutls_proxy.Plo
+	-rm -f ./$(DEPDIR)/mod_gnutls_la-gnutls_sni.Plo
+	-rm -f ./$(DEPDIR)/mod_gnutls_la-gnutls_util.Plo
+	-rm -f ./$(DEPDIR)/mod_gnutls_la-gnutls_watchdog.Plo
+	-rm -f ./$(DEPDIR)/mod_gnutls_la-mod_gnutls.Plo
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
@@ -773,7 +838,7 @@ uninstall-am: uninstall-apmodpkglibLTLIB
 
 .MAKE: install-am install-strip
 
-.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \
+.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \
 	clean-apmodpkglibLTLIBRARIES clean-generic clean-libtool \
 	cscopelist-am ctags ctags-am distclean distclean-compile \
 	distclean-generic distclean-libtool distclean-tags distdir dvi \
diff -pruN 0.8.2-3/src/mod_gnutls.c 0.9.0-1/src/mod_gnutls.c
--- 0.8.2-3/src/mod_gnutls.c	2017-01-08 14:16:07.000000000 +0000
+++ 0.9.0-1/src/mod_gnutls.c	2018-11-28 05:37:07.000000000 +0000
@@ -2,7 +2,7 @@
  *  Copyright 2004-2005 Paul Querna
  *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
- *  Copyright 2015-2016 Thomas Klute
+ *  Copyright 2015-2018 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -18,30 +18,51 @@
  */
 
 #include "mod_gnutls.h"
+#include "gnutls_config.h"
 #include "gnutls_ocsp.h"
+#include "gnutls_util.h"
+
+#include <apr_strings.h>
 
 #ifdef APLOG_USE_MODULE
 APLOG_USE_MODULE(gnutls);
 #endif
 
+int ssl_engine_set(conn_rec *c,
+                   ap_conf_vector_t *dir_conf __attribute__((unused)),
+                   int proxy, int enable);
+
+#define MOD_HTTP2 "mod_http2.c"
+#define MOD_WATCHDOG "mod_watchdog.c"
+static const char * const mod_proxy[] = { "mod_proxy.c", NULL };
+static const char * const mod_http2[] = { MOD_HTTP2, NULL };
+static const char * const mod_watchdog[] = { MOD_WATCHDOG, NULL };
+
 static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
 {
-    /* Try Run Post-Config Hook After mod_proxy */
-    static const char * const aszPre[] = { "mod_proxy.c", NULL };
-    ap_hook_post_config(mgs_hook_post_config, aszPre, NULL,
-                        APR_HOOK_REALLY_LAST);
+    /* Watchdog callbacks must be configured before post_config of
+     * mod_watchdog runs, or the watchdog won't be started. Similarly,
+     * our child_init hook must run before mod_watchdog's because our
+     * watchdog threads are started there and need some child-specific
+     * resources. */
+    static const char * const post_conf_succ[] =
+        { MOD_HTTP2, MOD_WATCHDOG, NULL };
+    ap_hook_post_config(mgs_hook_post_config, mod_proxy, post_conf_succ,
+                        APR_HOOK_MIDDLE);
     /* HTTP Scheme Hook */
     ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
     /* Default Port Hook */
     ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
     /* Pre-Connect Hook */
-    ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL,
+    ap_hook_pre_connection(mgs_hook_pre_connection, mod_http2, NULL,
                            APR_HOOK_MIDDLE);
+    ap_hook_process_connection(mgs_hook_process_connection,
+                               NULL, mod_http2, APR_HOOK_MIDDLE);
     /* Pre-Config Hook */
     ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL,
                        APR_HOOK_MIDDLE);
     /* Child-Init Hook */
-    ap_hook_child_init(mgs_hook_child_init, NULL, NULL,
+    ap_hook_child_init(mgs_hook_child_init, NULL, mod_watchdog,
                        APR_HOOK_MIDDLE);
     /* Authentication Hook */
     ap_hook_access_checker(mgs_hook_authz, NULL, NULL,
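Review bot: The new `ap_hook_process_connection` registration has no comment of its own and sits under `/* Pre-Connect Hook */`. Neither it nor the changed `ap_hook_pre_connection` call says why its position relative to mod_http2 matters, while the post_config block directly above documents its ordering in detail. As registered, pre_connection runs after mod_http2 and process_connection runs before it. I would add `/* Process-Connection Hook: must run before mod_http2 */` above the new call and extend the existing comment to `/* Pre-Connect Hook: must run after mod_http2 */`, each with the reason filled in by the author. The body of `gnutls_hooks` continues outside this hunk.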
@@ -49,6 +70,9 @@ static void gnutls_hooks(apr_pool_t * p
     /* Fixups Hook */
     ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);
 
+    /* Request hook: Check if TLS connection and request host match */
+    ap_hook_post_read_request(mgs_req_vhost_check, NULL, NULL, APR_HOOK_MIDDLE);
+
     /* TODO: HTTP Upgrade Filter */
     /* ap_register_output_filter ("UPGRADE_FILTER",
      *          ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5);
@@ -64,9 +88,34 @@ static void gnutls_hooks(apr_pool_t * p
     /* mod_proxy calls these functions */
     APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
     APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+    APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
 
     /* mod_rewrite calls this function to detect HTTPS */
     APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+    /* some modules look up TLS-related variables */
+    APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+}
+
+
+
+/**
+ * Get the connection context, resolving to a master connection if
+ * any.
+ *
+ * @param c the connection handle
+ *
+ * @return mod_gnutls session context, might be `NULL`
+ */
+mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c)
+{
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+    if (!(ctxt != NULL && ctxt->enabled) && (c->master != NULL))
+    {
+        ctxt = (mgs_handle_t *)
+            ap_get_module_config(c->master->conn_config, &gnutls_module);
+    }
+    return ctxt;
 }
 
 
@@ -79,10 +128,9 @@ static void gnutls_hooks(apr_pool_t * p
  */
 int ssl_is_https(conn_rec *c)
 {
+    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    mgs_handle_t *ctxt = (mgs_handle_t *)
-        ap_get_module_config(c->conn_config, &gnutls_module);
 
     if(sc->enabled == GNUTLS_ENABLED_FALSE
        || ctxt == NULL
@@ -97,59 +145,115 @@ int ssl_is_https(conn_rec *c)
 
 
 
-int ssl_engine_disable(conn_rec *c)
+/**
+ * Return variables describing the current TLS session (if any).
+ *
+ * mod_ssl doc for this function: "This function must remain safe to
+ * use for a non-SSL connection." mod_http2 uses it to check if an
+ * acceptable TLS session is used.
+ */
+char* ssl_var_lookup(apr_pool_t *p, server_rec *s __attribute__((unused)),
+                     conn_rec *c, request_rec *r, char *var)
 {
-    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-        ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    if(sc->enabled == GNUTLS_ENABLED_FALSE) {
-        return 1;
+    /*
+     * When no pool is given try to find one
+     */
+    if (p == NULL) {
+        if (r != NULL)
+            p = r->pool;
+        else if (c != NULL)
+            p = c->pool;
+        else
+            return NULL;
     }
 
-    /* disable TLS for this connection */
-    mgs_handle_t *ctxt = (mgs_handle_t *)
-        ap_get_module_config(c->conn_config, &gnutls_module);
-    if (ctxt == NULL)
+    if (strcmp(var, "HTTPS") == 0)
     {
-        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
-        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+        if (c != NULL && ssl_is_https(c))
+            return "on";
+        else
+            return "off";
     }
-    ctxt->enabled = GNUTLS_ENABLED_FALSE;
-    ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
 
-    if (c->input_filters)
-        ap_remove_input_filter(c->input_filters);
-    if (c->output_filters)
-        ap_remove_output_filter(c->output_filters);
+    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
 
-    return 1;
+    /* TLS parameters are empty if there is no session */
+    if (ctxt == NULL || ctxt->c == NULL)
+        return NULL;
+
+    if (strcmp(var, "SSL_PROTOCOL") == 0)
+        return apr_pstrdup(p, gnutls_protocol_get_name(gnutls_protocol_get_version(ctxt->session)));
+
+    if (strcmp(var, "SSL_CIPHER") == 0)
+        return apr_pstrdup(p, gnutls_cipher_suite_get_name(gnutls_kx_get(ctxt->session),
+                                                           gnutls_cipher_get(ctxt->session),
+                                                           gnutls_mac_get(ctxt->session)));
+
+    /* mod_ssl supports a LOT more variables */
+    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, c,
+                  "unsupported variable requested: '%s'",
+                  var);
+
+    return NULL;
 }
 
-int ssl_proxy_enable(conn_rec *c)
+
+
+/**
+ * In Apache versions from 2.4.33 mod_proxy uses this function to set
+ * up its client connections. Note that mod_gnutls does not (yet)
+ * implement per directory configuration for such connections.
+ *
+ * @param c the connection
+ * @param dir_conf per directory configuration, unused for now
+ * @param proxy Is this a proxy connection?
+ * @param enable Should TLS be enabled on this connection?
+ *
+ * @param `true` (1) if successful, `false` (0) otherwise
+ */
+int ssl_engine_set(conn_rec *c,
+                   ap_conf_vector_t *dir_conf __attribute__((unused)),
+                   int proxy, int enable)
 {
-    /* check if TLS proxy support is enabled */
-    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-        ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    if (sc->proxy_enabled != GNUTLS_ENABLED_TRUE)
+    mgs_handle_t *ctxt = init_gnutls_ctxt(c);
+
+    /* If TLS proxy has been requested, check if support is enabled
+     * for the server */
+    if (proxy && (ctxt->sc->proxy_enabled != GNUTLS_ENABLED_TRUE))
     {
         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                       "%s: mod_proxy requested TLS proxy, but not enabled "
-                      "for %s", __func__, sc->cert_cn);
+                      "for %s:%d", __func__,
+                      ctxt->c->base_server->server_hostname,
+                      ctxt->c->base_server->addrs->host_port);
         return 0;
     }
 
-    /* enable TLS for this connection */
-    mgs_handle_t *ctxt = (mgs_handle_t *)
-        ap_get_module_config(c->conn_config, &gnutls_module);
-    if (ctxt == NULL)
-    {
-        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
-        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
-    }
-    ctxt->enabled = GNUTLS_ENABLED_TRUE;
-    ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
+    if (proxy)
+        ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
+    else
+        ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
+
+    if (enable)
+        ctxt->enabled = GNUTLS_ENABLED_TRUE;
+    else
+        ctxt->enabled = GNUTLS_ENABLED_FALSE;
+
     return 1;
 }
 
+int ssl_engine_disable(conn_rec *c)
+{
+    return ssl_engine_set(c, NULL, 0, 0);
+}
+
+int ssl_proxy_enable(conn_rec *c)
+{
+    return ssl_engine_set(c, NULL, 1, 1);
+}
+
+#define OPENPGP_REMOVED "OpenPGP support has been removed."
+
 static const command_rec mgs_config_cmds[] = {
     AP_INIT_FLAG("GnuTLSProxyEngine", mgs_set_proxy_engine,
     NULL,
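Review bot: `ssl_var_lookup` treats `c` as optional (it checks `c != NULL` when choosing a pool and for "HTTPS"), yet any other variable reaches `get_effective_gnutls_ctxt(c)`, which reads `c->conn_config` without a check, so a caller that passes only `r` would dereference NULL. Deriving the connection from the request first, `if (c == NULL && r != NULL) c = r->connection;` followed by `if (c == NULL) return NULL;`, keeps the function safe for that call shape; whether any existing caller does this is not visible here. Separately, the doc comment on `ssl_engine_set` labels the return value with `@param`, where an `@return` line is meant.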
@@ -183,10 +287,6 @@ static const command_rec mgs_config_cmds
     NULL,
     RSRC_CONF,
     "Set the CA File to verify Client Certificates"),
-    AP_INIT_TAKE1("GnuTLSPGPKeyringFile", mgs_set_keyring_file,
-    NULL,
-    RSRC_CONF,
-    "Set the Keyring File to verify Client Certificates"),
     AP_INIT_TAKE1("GnuTLSDHFile", mgs_set_dh_file,
     NULL,
     RSRC_CONF,
@@ -207,14 +307,6 @@ static const command_rec mgs_config_cmds
     NULL,
     RSRC_CONF,
     "TLS Server X509 Private Key file"),
-    AP_INIT_TAKE1("GnuTLSPGPCertificateFile", mgs_set_pgpcert_file,
-    NULL,
-    RSRC_CONF,
-    "TLS Server PGP Certificate file"),
-    AP_INIT_TAKE1("GnuTLSPGPKeyFile", mgs_set_pgpkey_file,
-    NULL,
-    RSRC_CONF,
-    "TLS Server PGP Private key file"),
 #ifdef ENABLE_SRP
     AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file,
     NULL,
@@ -233,7 +325,7 @@ static const command_rec mgs_config_cmds
     AP_INIT_TAKE12("GnuTLSCache", mgs_set_cache,
     NULL,
     RSRC_CONF,
-    "Cache Configuration"),
+    "Session Cache Configuration"),
     AP_INIT_FLAG("GnuTLSSessionTickets", mgs_set_tickets,
     NULL,
     RSRC_CONF,
@@ -275,6 +367,14 @@ static const command_rec mgs_config_cmds
     AP_INIT_FLAG("GnuTLSOCSPStapling", mgs_ocsp_stapling_enable,
                  NULL, RSRC_CONF,
                  "Enable OCSP stapling"),
+    AP_INIT_FLAG("GnuTLSOCSPAutoRefresh", mgs_set_ocsp_auto_refresh,
+                 NULL, RSRC_CONF,
+                 "Regularly refresh cached OCSP response independent "
+                 "of TLS handshakes?"),
+    AP_INIT_TAKE12("GnuTLSOCSPCache", mgs_set_cache,
+                   NULL,
+                   RSRC_CONF,
+                  "OCSP Cache Configuration"),
     AP_INIT_FLAG("GnuTLSOCSPCheckNonce", mgs_set_ocsp_check_nonce,
                  NULL, RSRC_CONF,
                  "Check nonce in OCSP responses?"),
@@ -290,9 +390,19 @@ static const command_rec mgs_config_cmds
                   NULL, RSRC_CONF,
                   "Wait this many seconds before retrying a failed OCSP "
                   "request"),
+    AP_INIT_TAKE1("GnuTLSOCSPFuzzTime", mgs_set_timeout,
+                  NULL, RSRC_CONF,
+                  "Update cached OCSP response up to this many seconds "
+                  "before it expires, if GnuTLSOCSPAutoRefresh is enabled."),
     AP_INIT_TAKE1("GnuTLSOCSPSocketTimeout", mgs_set_timeout,
                   NULL, RSRC_CONF,
                   "Socket timeout for OCSP requests"),
+    AP_INIT_RAW_ARGS("GnuTLSPGPKeyringFile",
+                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
+    AP_INIT_RAW_ARGS("GnuTLSPGPCertificateFile",
+                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
+    AP_INIT_RAW_ARGS("GnuTLSPGPKeyFile",
+                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
 #ifdef __clang__
     /* Workaround for this clang bug:
      * https://llvm.org/bugs/show_bug.cgi?id=21689 */
diff -pruN 0.8.2-3/test/apache-conf/early_sni.conf.in 0.9.0-1/test/apache-conf/early_sni.conf.in
--- 0.8.2-3/test/apache-conf/early_sni.conf.in	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/apache-conf/early_sni.conf.in	2018-11-28 05:37:07.000000000 +0000
@@ -0,0 +1 @@
+@EXPECT_EARLY_SNI@
diff -pruN 0.8.2-3/test/apache-conf/netns.conf.in 0.9.0-1/test/apache-conf/netns.conf.in
--- 0.8.2-3/test/apache-conf/netns.conf.in	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/apache-conf/netns.conf.in	2017-10-25 05:29:56.000000000 +0000
@@ -1,4 +1,4 @@
 # This file contains options that are different depending on whether
 # tests use namespaces or not.
-Mutex	@MUTEX_TYPE@	default
+@MUTEX_CONF@
 PidFile	apache2@PID_AFFIX@.pid
diff -pruN 0.8.2-3/test/apache_service.bash 0.9.0-1/test/apache_service.bash
--- 0.8.2-3/test/apache_service.bash	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/apache_service.bash	2018-04-19 18:01:35.000000000 +0000
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+set -e
+. ${srcdir}/common.bash
+
+function apache_service
+{
+    # needed for start and stop
+    local dir="${1}"
+    local conf="${2}"
+    local action="${3}"
+    # Needed only for start. The "lockfile" parameter is used as flock
+    # lock file or PID file to watch depending on whether FLOCK is
+    # set.
+    local lockfile="${4}"
+
+    TEST_NAME="$(basename "${dir}")"
+    (
+	export TEST_NAME
+	export srcdir="$(realpath ${srcdir})"
+	local flock_cmd=""
+	case ${action} in
+	    start)
+		if [ -n "${USE_TEST_NAMESPACE}" ]; then
+		    echo "Using namespaces to isolate tests, no need for" \
+			 "locking."
+		elif [ -n "${FLOCK}" ]; then
+		    flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} ${lockfile}"
+		else
+		    echo "Locking disabled, using wait based on proxy PID file."
+		    wait_pid_gone "${lockfile}"
+		fi
+		${flock_cmd} \
+		    ${APACHE2} -f "$(realpath ${dir}/${conf})" -k start || return 1
+		;;
+	    stop)
+		${APACHE2} -f "$(realpath ${dir}/${conf})" -k stop || return 1
+		;;
+	    *)
+		echo "${FUNCNAME[0]}: Invalid action \"${action}\"." >&2
+		exit 1
+		;;
+	esac
+    )
+}
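Review bot: Several path expansions are unquoted, namely `. ${srcdir}/common.bash`, `realpath ${srcdir}` and both `realpath ${dir}/${conf}` calls, so a source or build directory containing whitespace or glob characters is split before it reaches `realpath` or Apache. Quoting them, e.g. `. "${srcdir}/common.bash"` and `-f "$(realpath "${dir}/${conf}")"`, is enough. `${flock_cmd}` has to stay unquoted because it relies on word splitting, which also means `${lockfile}` cannot contain spaces as written. A usage comment above `apache_service` listing the four positional parameters would match the style used in common.bash.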
diff -pruN 0.8.2-3/test/base_apache.conf 0.9.0-1/test/base_apache.conf
--- 0.8.2-3/test/base_apache.conf	2016-12-20 22:01:18.000000000 +0000
+++ 0.9.0-1/test/base_apache.conf	2018-10-17 05:39:14.000000000 +0000
@@ -1,7 +1,12 @@
 ServerRoot ${PWD}
+DefaultRuntimeDir cache/
 
 LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
-CustomLog logs/${TEST_NAME}.access.log combined
+<IfDefine !BACKEND_PORT>
+	# Proxy backend servers have their own access log, prevent
+	# them from writing to the default one.
+	CustomLog	logs/${TEST_NAME}.access.log combined
+</IfDefine>
 ErrorLog logs/${TEST_NAME}.error.log
 HostnameLookups Off
 KeepAlive Off
@@ -10,6 +15,10 @@ LoadModule	mpm_worker_module	${AP_LIBEXE
 LoadModule	authn_core_module	${AP_LIBEXECDIR}/mod_authn_core.so
 LoadModule	authz_core_module	${AP_LIBEXECDIR}/mod_authz_core.so
 LoadModule	mime_module		${AP_LIBEXECDIR}/mod_mime.so
+
+LoadModule	socache_shmcb_module	${AP_LIBEXECDIR}/mod_socache_shmcb.so
+Define		DEFAULT_CACHE	shmcb:cache/gnutls_cache_${TEST_NAME}(65536)
+
 TypesConfig ${srcdir}/mime.types
 
 Include		apache-conf/*.conf
diff -pruN 0.8.2-3/test/cert_helper.c 0.9.0-1/test/cert_helper.c
--- 0.8.2-3/test/cert_helper.c	2016-06-20 19:29:18.000000000 +0000
+++ 0.9.0-1/test/cert_helper.c	2018-04-19 18:01:35.000000000 +0000
@@ -1,7 +1,7 @@
 /**
  * Helper functions for certificate handling in the mod_gnutls test suite
  *
- * Copyright 2016 Thomas Klute
+ * Copyright 2016 Fiona Klute
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you
  * may not use this file except in compliance with the License.  You
diff -pruN 0.8.2-3/test/cert_helper.h 0.9.0-1/test/cert_helper.h
--- 0.8.2-3/test/cert_helper.h	2016-06-20 19:29:18.000000000 +0000
+++ 0.9.0-1/test/cert_helper.h	2018-04-19 18:01:35.000000000 +0000
@@ -1,7 +1,7 @@
 /**
  * Helper functions for certificate handling in the mod_gnutls test suite
  *
- * Copyright 2016 Thomas Klute
+ * Copyright 2016 Fiona Klute
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you
  * may not use this file except in compliance with the License.  You
diff -pruN 0.8.2-3/test/common.bash 0.9.0-1/test/common.bash
--- 0.8.2-3/test/common.bash	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/common.bash	2018-12-12 20:54:54.000000000 +0000
@@ -18,6 +18,65 @@ function wait_pid_gone
 
 
 
+# Usage: verbose_log [...]
+#
+# If VERBOSE is not empty, write a log message prefixed with the name
+# of the calling function. The function is defined to a no-op
+# otherwise.
+if [ -n "${VERBOSE}" ]; then
+    function verbose_log
+    {
+	echo "${FUNCNAME[1]}: ${@}"
+    }
+else
+    function verbose_log
+    {
+	return
+    }
+fi
+
+
+
+# Usage: wait_ready COMMAND [TIMEOUT] [STEP]
+#
+# Wait until COMMAND terminates with success (zero exit code), or
+# until the TIMEOUT (in milliseconds) expires. TIMEOUT defaults to
+# $TEST_SERVICE_MAX_WAIT if unset. A TIMEOUT of zero means to try
+# once.
+#
+# COMMAND is retried every STEP milliseconds, the default is
+# $TEST_SERVICE_WAIT. Note that the last try may happen a little after
+# TIMEOUT expires if STEP does not evenly divide it.
+function wait_ready
+{
+    local command="${1}"
+    if [ -z "${2}" ]; then
+	local -i timeout="${TEST_SERVICE_MAX_WAIT}"
+    else
+	local -i timeout="${2}"
+    fi
+    local -i step="${3}"
+    [ ${step} -gt 0 ] || step="${TEST_SERVICE_WAIT}"
+    # convert step to seconds because that's what "sleep" needs
+    local sec_step="$((${step} / 1000)).$((${step} % 1000))"
+
+    verbose_log "Waiting for \"${command}\" ..."
+    local -i waited=0
+    until eval "${command}"; do
+	if [ "${waited}" -ge "${timeout}" ]; then
+	    echo "${FUNCNAME[0]}: Timed out waiting for \"${command}\"" \
+		 "to succeed (waited ${waited} ms)." >&2
+	    return 1
+	fi
+	waited=$((waited + step));
+	sleep "${sec_step}"
+	verbose_log "waiting (${waited} ms)"
+    done
+    verbose_log "done (waited ${waited} ms)"
+}
+
+
+
 # Usage: netns_reexec ${@}
 #
 # If USE_TEST_NAMESPACE is set and MGS_NETNS_ACTIVE is not, exec the
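Review bot: In `wait_ready` the conversion `sec_step="$((${step} / 1000)).$((${step} % 1000))"` does not zero-pad the millisecond part, so a STEP of 50 becomes `0.50` (half a second) and 1005 becomes `1.5`; only values whose remainder has three digits, like the default 400, convert correctly. Padding fixes it: `local sec_step; printf -v sec_step '%d.%03d' "$((step / 1000))" "$((step % 1000))"`. The usage comment should also state that COMMAND is passed to `eval` in the calling shell, so it must be a fixed string written by the test author and never assembled from external input.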
@@ -36,8 +95,33 @@ function wait_pid_gone
 function netns_reexec
 {
     if [ -n "${USE_TEST_NAMESPACE}" ] && [ -z "${MGS_NETNS_ACTIVE}" ]; then
-	exec "${UNSHARE}" --net -r /bin/bash -c \
+	exec "${UNSHARE}" --net --ipc -r /bin/bash -c \
 	     "export MGS_NETNS_ACTIVE=1; ip link set up lo; exec ${UNSHARE} --user ${0} ${@}"
     fi
     return 0
 }
+
+# Usage: require_gnutls_cli ${REQUIRED_VERSION_NUMBER} || exit ${ERROR_CODE}
+# Require the gnutls-cli binary to be of a given version or newer.
+# Return error code 1 if older, 2 if not found.
+function require_gnutls_cli
+{
+    local required_version=(${1//./ })
+
+    if [[ $(gnutls-cli --version) =~ gnutls-cli[[:space:]]([[:digit:]]+)\.([[:digit:]]+)\.([[:digit:]]+) ]]
+    then
+        for i in {0..2}
+        do
+            if [ ${BASH_REMATCH[i+1]} -gt ${required_version[i]} ]
+            then
+                break;
+            elif [ ${BASH_REMATCH[i+1]} -lt ${required_version[i]} ]
+            then
+                return 1
+            fi
+        done
+        return 0
+    else
+        return 2
+    fi
+}
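Review bot: In `require_gnutls_cli` the comparison `[ ${BASH_REMATCH[i+1]} -gt ${required_version[i]} ]` has no default for a missing component, so a requirement with fewer than three parts (constructed example: `3.6`) leaves the right-hand operand empty. `[` then prints an error for both the `-gt` and the `-lt` test, and the function falls through to `return 0`. Using `${required_version[i]:-0}` in both tests makes the short form compare cleanly. The loop variable should also be declared with `local i`, since it currently leaks into the caller's scope.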
diff -pruN 0.8.2-3/test/data/dump.cgi 0.9.0-1/test/data/dump.cgi
--- 0.8.2-3/test/data/dump.cgi	2016-02-11 17:17:27.000000000 +0000
+++ 0.9.0-1/test/data/dump.cgi	2018-10-24 05:52:22.000000000 +0000
@@ -11,5 +11,4 @@ $SSL_CLIENT_VERIFY
 ----SubjectAltName:----
 $SSL_CLIENT_S_AN0
 
-DH prime bits: $SSL_DH_PRIME_BITS
 EOF
diff -pruN 0.8.2-3/test/data/ocsp.cgi 0.9.0-1/test/data/ocsp.cgi
--- 0.8.2-3/test/data/ocsp.cgi	2017-01-08 01:57:04.000000000 +0000
+++ 0.9.0-1/test/data/ocsp.cgi	2018-04-19 18:01:35.000000000 +0000
@@ -1,7 +1,7 @@
 #!/bin/bash
 # CGI wrapper to use "openssl ocsp" as a simple OCSP responder
 #
-# Copyright 2016 Thomas Klute
+# Copyright 2016 Fiona Klute
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you
 # may not use this file except in compliance with the License.  You
diff -pruN 0.8.2-3/test/ffdhe3072.pem 0.9.0-1/test/ffdhe3072.pem
--- 0.8.2-3/test/ffdhe3072.pem	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/ffdhe3072.pem	2018-04-19 18:01:35.000000000 +0000
@@ -0,0 +1,11 @@
+-----BEGIN DH PARAMETERS-----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+-----END DH PARAMETERS-----
diff -pruN 0.8.2-3/test/gen_ocsp_index.c 0.9.0-1/test/gen_ocsp_index.c
--- 0.8.2-3/test/gen_ocsp_index.c	2017-01-08 04:50:14.000000000 +0000
+++ 0.9.0-1/test/gen_ocsp_index.c	2018-04-19 18:01:35.000000000 +0000
@@ -4,7 +4,7 @@
  * NOTE: This is a tool for setting up the test environment. At the
  * moment, all certificates are marked as valid.
  *
- * Copyright 2016 Thomas Klute
+ * Copyright 2016 Fiona Klute
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you
  * may not use this file except in compliance with the License.  You
diff -pruN 0.8.2-3/test/imposter.uid.in 0.9.0-1/test/imposter.uid.in
--- 0.8.2-3/test/imposter.uid.in	2015-11-02 21:32:08.000000000 +0000
+++ 0.9.0-1/test/imposter.uid.in	1970-01-01 00:00:00.000000000 +0000
@@ -1 +0,0 @@
-https://imposter.example
diff -pruN 0.8.2-3/test/Makefile.am 0.9.0-1/test/Makefile.am
--- 0.8.2-3/test/Makefile.am	2016-06-20 19:29:18.000000000 +0000
+++ 0.9.0-1/test/Makefile.am	2019-01-20 21:01:45.000000000 +0000
@@ -14,7 +14,7 @@ dist_check_SCRIPTS = test-00_basic.bash
 	test-11_basic_client_verification_fail.bash \
 	test-12_cgi_variables.bash \
 	test-13_cgi_variables_no_client_cert.bash \
-	test-14_basic_openpgp.bash
+	test-14_resume_session.bash
 if USE_MSVA
 dist_check_SCRIPTS += test-15_basic_msva.bash
 endif
@@ -29,8 +29,16 @@ dist_check_SCRIPTS += test-16_view-statu
 	test-24_pkcs11_cert.bash \
 	test-25_Disable_TLS_1.0.bash \
 	test-26_redirect_HTTP_to_HTTPS.bash \
-	test-27_OCSP_server.bash
+	test-27_OCSP_server.bash \
+	test-28_HTTP2_support.bash \
+	test-29_force_handshake_vhost.bash \
+	test-30_ip_based_vhosts.bash \
+	test-31_vhost_SNI_serveralias_match.bash \
+	test-32_vhost_SNI_serveralias_mismatch.bash \
+	test-33_vhost_SNI_serveralias_missinghost.bash \
+	test-34_TLS_reverse_proxy_h2.bash
 
+TEST_EXTENSIONS = .bash
 TESTS = $(dist_check_SCRIPTS)
 
 check_PROGRAMS = pgpcrc
@@ -40,15 +48,16 @@ pgpcrc_SOURCES = pgpcrc.c
 if ENABLE_OCSP_TEST
 check_PROGRAMS += gen_ocsp_index
 gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
+gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS)
 gen_ocsp_index_LDFLAGS = $(LIBGNUTLS_LIBS)
 noinst_HEADERS = cert_helper.h
 endif
 
 # Identities in the miniature CA, server, and client environment for
 # the test suite
-shared_identities = server authority client imposter rogueca
+shared_identities = authority client
 pgp_identities = $(shared_identities)
-x509_only_identities = rogueclient
+x509_only_identities = server rogueca imposter rogueclient
 if ENABLE_OCSP_TEST
 x509_only_identities += ocsp-responder
 endif
@@ -61,7 +70,10 @@ pgp_tokens = $(pgp_identities:=/cert.pgp
 x509_keys = $(x509_identities:=/secret.key)
 x509_certs = $(x509_identities:=/x509.pem)
 x509_tokens = $(x509_certs) $(x509_keys)
-tokens = $(x509_tokens) $(pgp_tokens)
+tokens = $(x509_tokens)
+if USE_MSVA
+tokens += $(pgp_tokens)
+endif
 
 if !DISABLE_FLOCK
 # flock command for write access to the authority keyring
@@ -108,10 +120,24 @@ MOSTLYCLEANFILES += */x509.pem $(generat
 # one day, so regenerating them is both fast and frequently
 # necessary.
 MOSTLYCLEANFILES += */*.pgp */*.pgp.raw */*.gpg */*.gpg~ */gpg.conf \
-	authority/lock */*.kbx */*.kbx~ */S.gpg-agent */private-keys-v1.d/*
+	authority/lock */*.kbx */*.kbx~ */S.gpg-agent */private-keys-v1.d/* \
+	authority/tofu.db
 # GnuPG random pool, no need to regenerate on every build
 CLEANFILES += authority/random_seed
 
+# GnuPG 2 starts gpg-agent processes per GNUPGHOME (one for every PGP
+# identity) while creating the PGP certificates. This target is called
+# by both "check-local" and "mostlyclean-local": The former because
+# agent processes are started while preparing for "check" and are no
+# longer needed afterwards, the latter to make sure they are gone
+# along with their certificates.
+stop-gnupg-agent:
+	for id in $(pgp_identities) $(msva_home); do \
+		GNUPGHOME=$$id/ gpgconf --kill gpg-agent || true; \
+	done
+
+check-local: stop-gnupg-agent
+
 # Delete lock files for test servers on "mostlyclean" target.
 MOSTLYCLEANFILES += *.lock
 
@@ -123,7 +149,7 @@ MOSTLYCLEANFILES += $(msva_home)/trustdb
 $(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp
 	mkdir -p -m 0700 $(dir $@)
 	GNUPGHOME=$(dir $@) gpg --import < $<
-	printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
+	printf "%s:6:\n" "$$(GNUPGHOME=authority/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
 	GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
 	printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
 endif
@@ -170,63 +196,80 @@ extra_dirs = logs cache outputs
 make-test-dirs:
 	mkdir -p $(extra_dirs)
 
-.PHONY: make-test-dirs clean-softhsm2-db
+.PHONY: make-test-dirs clean-softhsm2-db stop-gnupg-agent
+
 
-mostlyclean-local: clean-softhsm2-db
+mostlyclean-local: clean-softhsm2-db stop-gnupg-agent
 	-rmdir $(pgp_identities:=/private-keys-v1.d) || true
 if USE_MSVA
 	-rmdir $(msva_home)/private-keys-v1.d || true
 endif
 
+# Delete test data directories, and wait for test services to
+# exit. The reason for the wait is that Apache instances may take some
+# time to exit and delete their PID files. Occasionally some PID files
+# where still around during "distcheck" runs by the time the target
+# checked if the build directory was really empty after "distclean",
+# breaking the build. Delaying "clean-local" until PID files are gone
+# avoids this issue, and the timeout will expose actually unclean
+# stops.
 clean-local:
 	-rmdir $(identities) || true
 	-rmdir $(extra_dirs) || true
 if USE_MSVA
 	-rmdir $(msva_home) || true
 endif
+	wait=0; \
+	while ls *.pid && test "$$wait" -lt "@TEST_LOCK_WAIT@"; do \
+		wait=$$(($$wait + 1)); \
+		echo "waiting for test services to exit ($$wait seconds)"; \
+		sleep 1; \
+	done
 
 # Apache configuration and data files
 apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/ocsp.cgi \
-	data/secret.txt data/test.txt mime.types ocsp_server.conf \
+	data/secret.txt data/test.txt ffdhe3072.pem mime.types \
 	proxy_mods.conf
 
 EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=.uid.in) \
-	common.bash proxy_backend.bash runtests server-crl.template \
+	apache_service.bash common.bash runtests server-crl.template \
 	softhsm.bash
 
 # Lockfile for the main Apache process
 test_lockfile = ./test.lock
 # Lockfile for the proxy backend Apache process (if any)
 backend_lockfile = ./backend.lock
-# Maximum wait time in seconds for flock to aquire instance lock
-# files, or Apache to remove its PID file
-lock_wait = 30
+# Lockfile for the OCSP server Apache process (if any)
+ocsp_lockfile = ./ocsp.lock
 
 # port for the main Apache server
 TEST_PORT ?= 9932
 # port for MSVA in test cases that use it
 MSVA_PORT ?= 9933
-# port for OCSP server (Apache vhost if enabled)
+# port for TLS proxy backend server
+BACKEND_PORT ?= 9934
+# port for the OCSP responder
 if ENABLE_OCSP_TEST
 OCSP_PORT ?= 9936
+OCSP_URI_TEMPLATE = ocsp_uri = http://$(TEST_HOST):$(OCSP_PORT)/ocsp/
 endif
 # maximum time to wait for MSVA startup (milliseconds)
-TEST_MSVA_MAX_WAIT ?= 10000
+TEST_SERVICE_MAX_WAIT ?= 10000
 # wait loop time for MSVA startup (milliseconds)
-TEST_MSVA_WAIT ?= 400
-# seconds for the HTTP request to be sent and responded to
-TEST_QUERY_DELAY ?= 30
+TEST_SERVICE_WAIT ?= 400
 
 AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \
 	export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \
-	export TEST_LOCK_WAIT="$(lock_wait)"; \
+	export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \
+	export TEST_IP="@TEST_IP@"; \
 	export TEST_HOST="@TEST_HOST@"; \
 	export TEST_PORT="$(TEST_PORT)"; \
 	export MSVA_PORT="$(MSVA_PORT)"; \
-	export TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \
-	export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
-	export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
+	export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \
+	export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; \
+	export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \
 	export BACKEND_HOST="@TEST_HOST@"; \
+	export BACKEND_PORT="$(BACKEND_PORT)"; \
 	export HTTP_CLI="@HTTP_CLI@";
 
 if HAVE_SOFTHSM
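Review bot: The wait loop added to `clean-local` ends with status 0 once `$$wait` reaches `@TEST_LOCK_WAIT@`, so a service that never removed its PID file goes unreported at this point. The comment above says the timeout will expose unclean stops, which seems to rely on a later step such as the distcheck emptiness check. Appending `if ls *.pid >/dev/null 2>&1; then echo "PID files left after $$wait seconds" >&2; fi` after the loop would make the condition visible, and the same redirection on the loop's `ls *.pid` avoids the error it prints when no PID file exists. Further down, the comments over `TEST_SERVICE_MAX_WAIT` and `TEST_SERVICE_WAIT` still say "MSVA startup" although the variables are now generic; `# maximum time to wait for test service startup (milliseconds)` would match.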
@@ -244,13 +287,19 @@ if ENABLE_NETNS
 AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
 	export USE_TEST_NAMESPACE=1;
 endif
-# Without flock tests must not run in parallel. Otherwise set lock files.
+# Without flock tests must not run in parallel, and PID files are used
+# to prevent conflicts between server instances. Otherwise set lock
+# files for flock.
 if DISABLE_FLOCK
+AM_TESTS_ENVIRONMENT += export TEST_LOCK="apache2.pid"; \
+	export BACKEND_LOCK="backend.pid"; \
+	export OCSP_LOCK="ocsp.pid";
 .NOTPARALLEL:
 else
 AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
 	export TEST_LOCK="$(test_lockfile)"; \
-	export BACKEND_LOCK="$(backend_lockfile)";
+	export BACKEND_LOCK="$(backend_lockfile)"; \
+	export OCSP_LOCK="$(ocsp_lockfile)";
 endif
 
 # Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
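Review bot: In the `DISABLE_FLOCK` branch, `TEST_LOCK`, `BACKEND_LOCK` and `OCSP_LOCK` are set to bare literals (`apache2.pid`, `backend.pid`, `ocsp.pid`), while the `else` branch uses the `test_lockfile`, `backend_lockfile` and `ocsp_lockfile` variables defined earlier in the file. The same three exports therefore name a PID file in one configuration and a flock lock file in the other, and the literals presumably have to match the PidFile settings in the Apache configurations, which are not visible here. Defining them next to the lock file variables, for example `test_pidfile = apache2.pid`, would keep both branches parallel and give the coupling one place to be documented. Separately, `.NOTPARALLEL:` only serialises jobs within one make invocation, and a PID-file check is unlikely to be atomic the way flock is, so two `make check` runs in the same build tree could still start conflicting servers. I would state that limit in the comment, e.g. `# Without flock the *_LOCK variables name PID files; do not run two "make check" in one build tree.`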
diff -pruN 0.8.2-3/test/Makefile.in 0.9.0-1/test/Makefile.in
--- 0.8.2-3/test/Makefile.in	2017-01-08 14:08:06.000000000 +0000
+++ 0.9.0-1/test/Makefile.in	2019-01-23 20:15:48.000000000 +0000
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.15 from Makefile.am.
+# Makefile.in generated by automake 1.16.1 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+# Copyright (C) 1994-2018 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -17,7 +17,7 @@
 #!/usr/bin/make -f
 # Authors:
 # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-# Thomas Klute <thomas2.klute@uni-dortmund.de>
+# Fiona Klute <fiona.klute@gmx.de>
 
 # General rules to set up a miniature CA & server & client environment
 # for the test suite
@@ -103,38 +103,46 @@ check_PROGRAMS = pgpcrc$(EXEEXT) $(am__E
 # build OCSP database tool
 @ENABLE_OCSP_TEST_TRUE@am__append_2 = gen_ocsp_index
 @ENABLE_OCSP_TEST_TRUE@am__append_3 = ocsp-responder
-@USE_MSVA_TRUE@am__append_4 = $(msva_home)/trustdb.gpg client.uid
-@USE_MSVA_TRUE@am__append_5 = $(msva_home)/trustdb.gpg
+@USE_MSVA_TRUE@am__append_4 = $(pgp_tokens)
+@USE_MSVA_TRUE@am__append_5 = $(msva_home)/trustdb.gpg client.uid
+@USE_MSVA_TRUE@am__append_6 = $(msva_home)/trustdb.gpg
 
 # rules to build OCSP database
 
 # build certificate chain file for server
-@ENABLE_OCSP_TEST_TRUE@am__append_6 = authority/ocsp_index.txt \
-@ENABLE_OCSP_TEST_TRUE@	server/x509-chain.pem
 @ENABLE_OCSP_TEST_TRUE@am__append_7 = authority/ocsp_index.txt \
+@ENABLE_OCSP_TEST_TRUE@	server/x509-chain.pem
+@ENABLE_OCSP_TEST_TRUE@am__append_8 = authority/ocsp_index.txt \
 @ENABLE_OCSP_TEST_TRUE@	authority/ocsp_index.txt.attr \
 @ENABLE_OCSP_TEST_TRUE@	server/x509-chain.pem
-@HAVE_SOFTHSM1_TRUE@am__append_8 = $(SOFTHSM_TOKEN)
-@HAVE_SOFTHSM2_TRUE@am__append_9 = $(SOFTHSM2_TOKEN)
-@HAVE_SOFTHSM_TRUE@am__append_10 = export SOFTHSM="@SOFTHSM@"; \
+@HAVE_SOFTHSM1_TRUE@am__append_9 = $(SOFTHSM_TOKEN)
+@HAVE_SOFTHSM2_TRUE@am__append_10 = $(SOFTHSM2_TOKEN)
+@HAVE_SOFTHSM_TRUE@am__append_11 = export SOFTHSM="@SOFTHSM@"; \
 @HAVE_SOFTHSM_TRUE@	export SOFTHSM_MAJOR_VERSION="@SOFTHSM_MAJOR_VERSION@"; \
 @HAVE_SOFTHSM_TRUE@	export SOFTHSM_LIB="@SOFTHSM_LIB@"
 
-@ENABLE_OCSP_TEST_TRUE@am__append_11 = export OPENSSL="@OPENSSL@"; \
+@ENABLE_OCSP_TEST_TRUE@am__append_12 = export OPENSSL="@OPENSSL@"; \
 @ENABLE_OCSP_TEST_TRUE@	export OCSP_PORT="$(OCSP_PORT)";
 
-@ENABLE_NETNS_TRUE@am__append_12 = export UNSHARE="@UNSHARE@"; \
+@ENABLE_NETNS_TRUE@am__append_13 = export UNSHARE="@UNSHARE@"; \
 @ENABLE_NETNS_TRUE@	export USE_TEST_NAMESPACE=1;
 
-@DISABLE_FLOCK_FALSE@am__append_13 = export FLOCK="@FLOCK@"; \
+# Without flock tests must not run in parallel, and PID files are used
+# to prevent conflicts between server instances. Otherwise set lock
+# files for flock.
+@DISABLE_FLOCK_TRUE@am__append_14 = export TEST_LOCK="apache2.pid"; \
+@DISABLE_FLOCK_TRUE@	export BACKEND_LOCK="backend.pid"; \
+@DISABLE_FLOCK_TRUE@	export OCSP_LOCK="ocsp.pid";
+
+@DISABLE_FLOCK_FALSE@am__append_15 = export FLOCK="@FLOCK@"; \
 @DISABLE_FLOCK_FALSE@	export TEST_LOCK="$(test_lockfile)"; \
-@DISABLE_FLOCK_FALSE@	export BACKEND_LOCK="$(backend_lockfile)";
+@DISABLE_FLOCK_FALSE@	export BACKEND_LOCK="$(backend_lockfile)"; \
+@DISABLE_FLOCK_FALSE@	export OCSP_LOCK="$(ocsp_lockfile)";
 
 subdir = test
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/apache.m4 \
 	$(top_srcdir)/m4/apache_test.m4 \
-	$(top_srcdir)/m4/apr_memcache.m4 \
 	$(top_srcdir)/m4/ax_prog_doxygen.m4 \
 	$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
 	$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
@@ -146,13 +154,12 @@ DIST_COMMON = $(srcdir)/Makefile.am $(am
 	$(am__noinst_HEADERS_DIST) $(am__DIST_COMMON)
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/mod_gnutls_config.h
-CONFIG_CLEAN_FILES = proxy_backend.conf
+CONFIG_CLEAN_FILES = proxy_backend.conf ocsp_server.conf
 CONFIG_CLEAN_VPATH_FILES =
 @ENABLE_OCSP_TEST_TRUE@am__EXEEXT_1 = gen_ocsp_index$(EXEEXT)
 am__gen_ocsp_index_SOURCES_DIST = gen_ocsp_index.c cert_helper.c
-@ENABLE_OCSP_TEST_TRUE@am_gen_ocsp_index_OBJECTS =  \
-@ENABLE_OCSP_TEST_TRUE@	gen_ocsp_index.$(OBJEXT) \
-@ENABLE_OCSP_TEST_TRUE@	cert_helper.$(OBJEXT)
+@ENABLE_OCSP_TEST_TRUE@am_gen_ocsp_index_OBJECTS = gen_ocsp_index-gen_ocsp_index.$(OBJEXT) \
+@ENABLE_OCSP_TEST_TRUE@	gen_ocsp_index-cert_helper.$(OBJEXT)
 gen_ocsp_index_OBJECTS = $(am_gen_ocsp_index_OBJECTS)
 gen_ocsp_index_LDADD = $(LDADD)
 AM_V_lt = $(am__v_lt_@AM_V@)
@@ -161,8 +168,8 @@ am__v_lt_0 = --silent
 am__v_lt_1 = 
 gen_ocsp_index_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) $(gen_ocsp_index_LDFLAGS) $(LDFLAGS) -o \
-	$@
+	$(gen_ocsp_index_CFLAGS) $(CFLAGS) $(gen_ocsp_index_LDFLAGS) \
+	$(LDFLAGS) -o $@
 am_pgpcrc_OBJECTS = pgpcrc.$(OBJEXT)
 pgpcrc_OBJECTS = $(am_pgpcrc_OBJECTS)
 pgpcrc_LDADD = $(LDADD)
@@ -177,7 +184,7 @@ am__dist_check_SCRIPTS_DIST = test-00_ba
 	test-11_basic_client_verification_fail.bash \
 	test-12_cgi_variables.bash \
 	test-13_cgi_variables_no_client_cert.bash \
-	test-14_basic_openpgp.bash test-15_basic_msva.bash \
+	test-14_resume_session.bash test-15_basic_msva.bash \
 	test-16_view-status.bash test-17_cgi_vars_large_cert.bash \
 	test-18_client_verification_wrong_cert.bash \
 	test-19_TLS_reverse_proxy.bash \
@@ -186,7 +193,13 @@ am__dist_check_SCRIPTS_DIST = test-00_ba
 	test-22_TLS_reverse_proxy_crl_revoke.bash \
 	test-23_TLS_reverse_proxy_mismatched_priorities.bash \
 	test-24_pkcs11_cert.bash test-25_Disable_TLS_1.0.bash \
-	test-26_redirect_HTTP_to_HTTPS.bash test-27_OCSP_server.bash
+	test-26_redirect_HTTP_to_HTTPS.bash test-27_OCSP_server.bash \
+	test-28_HTTP2_support.bash test-29_force_handshake_vhost.bash \
+	test-30_ip_based_vhosts.bash \
+	test-31_vhost_SNI_serveralias_match.bash \
+	test-32_vhost_SNI_serveralias_mismatch.bash \
+	test-33_vhost_SNI_serveralias_missinghost.bash \
+	test-34_TLS_reverse_proxy_h2.bash
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
 am__v_P_0 = false
@@ -201,7 +214,10 @@ am__v_at_0 = @
 am__v_at_1 = 
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)/include
 depcomp = $(SHELL) $(top_srcdir)/config/depcomp
-am__depfiles_maybe = depfiles
+am__maybe_remake_depfiles = depfiles
+am__depfiles_remade = ./$(DEPDIR)/gen_ocsp_index-cert_helper.Po \
+	./$(DEPDIR)/gen_ocsp_index-gen_ocsp_index.Po \
+	./$(DEPDIR)/pgpcrc.Po
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
@@ -245,7 +261,7 @@ am__recursive_targets = \
   $(RECURSIVE_CLEAN_TARGETS) \
   $(am__extra_recursive_targets)
 AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
-	check recheck distdir
+	check recheck distdir distdir-am
 am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
 # Read a list of newline-separated strings from the standard input,
 # and print each of them once, without duplicates.  Input order is
@@ -449,9 +465,12 @@ am__set_TESTS_bases = \
   bases=`echo $$bases`
 RECHECK_LOGS = $(TEST_LOGS)
 TEST_SUITE_LOG = test-suite.log
-TEST_EXTENSIONS = @EXEEXT@ .test
-LOG_DRIVER = $(SHELL) $(top_srcdir)/config/test-driver
-LOG_COMPILE = $(LOG_COMPILER) $(AM_LOG_FLAGS) $(LOG_FLAGS)
+am__test_logs1 = $(TESTS:=.log)
+am__test_logs2 = $(am__test_logs1:@EXEEXT@.log=.log)
+TEST_LOGS = $(am__test_logs2:.bash.log=.log)
+BASH_LOG_DRIVER = $(SHELL) $(top_srcdir)/config/test-driver
+BASH_LOG_COMPILE = $(BASH_LOG_COMPILER) $(AM_BASH_LOG_FLAGS) \
+	$(BASH_LOG_FLAGS)
 am__set_b = \
   case '$@' in \
     */*) \
@@ -462,14 +481,8 @@ am__set_b = \
     *) \
       b='$*';; \
   esac
-am__test_logs1 = $(TESTS:=.log)
-am__test_logs2 = $(am__test_logs1:@EXEEXT@.log=.log)
-TEST_LOGS = $(am__test_logs2:.test.log=.log)
-TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/config/test-driver
-TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \
-	$(TEST_LOG_FLAGS)
 DIST_SUBDIRS = $(SUBDIRS)
-am__DIST_COMMON = $(srcdir)/Makefile.in \
+am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/ocsp_server.conf.in \
 	$(srcdir)/proxy_backend.conf.in $(srcdir)/test_ca.mk \
 	$(top_srcdir)/config/depcomp $(top_srcdir)/config/test-driver \
 	README
@@ -509,9 +522,6 @@ APR_INCLUDES = @APR_INCLUDES@
 APR_LDFLAGS = @APR_LDFLAGS@
 APR_LIBS = @APR_LIBS@
 APR_LIBTOOL = @APR_LIBTOOL@
-APR_MEMCACHE_CFLAGS = @APR_MEMCACHE_CFLAGS@
-APR_MEMCACHE_LIBS = @APR_MEMCACHE_LIBS@
-APR_UTIL_CONF = @APR_UTIL_CONF@
 APU_INCLUDES = @APU_INCLUDES@
 APU_LDFLAGS = @APU_LDFLAGS@
 APU_LIBS = @APU_LIBS@
@@ -575,6 +585,7 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ENABLE_EARLY_SNI = @ENABLE_EARLY_SNI@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 FLOCK = @FLOCK@
@@ -634,6 +645,9 @@ SOFTHSM_LIB = @SOFTHSM_LIB@
 SOFTHSM_MAJOR_VERSION = @SOFTHSM_MAJOR_VERSION@
 STRIP = @STRIP@
 TEST_HOST = @TEST_HOST@
+TEST_IP = @TEST_IP@
+TEST_LOCK_WAIT = @TEST_LOCK_WAIT@
+TEST_QUERY_TIMEOUT = @TEST_QUERY_TIMEOUT@
 UNSHARE = @UNSHARE@
 VERSION = @VERSION@
 abs_builddir = @abs_builddir@
@@ -660,7 +674,6 @@ datarootdir = @datarootdir@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_apr_memcache = @have_apr_memcache@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -706,7 +719,7 @@ dist_check_SCRIPTS = test-00_basic.bash
 	test-11_basic_client_verification_fail.bash \
 	test-12_cgi_variables.bash \
 	test-13_cgi_variables_no_client_cert.bash \
-	test-14_basic_openpgp.bash $(am__append_1) \
+	test-14_resume_session.bash $(am__append_1) \
 	test-16_view-status.bash test-17_cgi_vars_large_cert.bash \
 	test-18_client_verification_wrong_cert.bash \
 	test-19_TLS_reverse_proxy.bash \
@@ -715,18 +728,27 @@ dist_check_SCRIPTS = test-00_basic.bash
 	test-22_TLS_reverse_proxy_crl_revoke.bash \
 	test-23_TLS_reverse_proxy_mismatched_priorities.bash \
 	test-24_pkcs11_cert.bash test-25_Disable_TLS_1.0.bash \
-	test-26_redirect_HTTP_to_HTTPS.bash test-27_OCSP_server.bash
+	test-26_redirect_HTTP_to_HTTPS.bash test-27_OCSP_server.bash \
+	test-28_HTTP2_support.bash test-29_force_handshake_vhost.bash \
+	test-30_ip_based_vhosts.bash \
+	test-31_vhost_SNI_serveralias_match.bash \
+	test-32_vhost_SNI_serveralias_mismatch.bash \
+	test-33_vhost_SNI_serveralias_missinghost.bash \
+	test-34_TLS_reverse_proxy_h2.bash
+TEST_EXTENSIONS = .bash
 TESTS = $(dist_check_SCRIPTS)
 pgpcrc_SOURCES = pgpcrc.c
 @ENABLE_OCSP_TEST_TRUE@gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
+@ENABLE_OCSP_TEST_TRUE@gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS)
 @ENABLE_OCSP_TEST_TRUE@gen_ocsp_index_LDFLAGS = $(LIBGNUTLS_LIBS)
 @ENABLE_OCSP_TEST_TRUE@noinst_HEADERS = cert_helper.h
 
 # Identities in the miniature CA, server, and client environment for
 # the test suite
-shared_identities = server authority client imposter rogueca
+shared_identities = authority client
 pgp_identities = $(shared_identities)
-x509_only_identities = rogueclient $(am__append_3)
+x509_only_identities = server rogueca imposter rogueclient \
+	$(am__append_3)
 x509_identities = $(shared_identities) $(x509_only_identities)
 identities = $(shared_identities) $(x509_only_identities)
 # Append strings after ":=" to each identity to generate a list of
@@ -737,7 +759,7 @@ pgp_tokens = $(pgp_identities:=/cert.pgp
 x509_keys = $(x509_identities:=/secret.key)
 x509_certs = $(x509_identities:=/x509.pem)
 x509_tokens = $(x509_certs) $(x509_keys)
-tokens = $(x509_tokens) $(pgp_tokens)
+tokens = $(x509_tokens) $(am__append_4)
 
 # flock command for write access to the authority keyring
 @DISABLE_FLOCK_FALSE@GPG_FLOCK = @FLOCK@ authority/lock
@@ -752,8 +774,8 @@ tokens = $(x509_tokens) $(pgp_tokens)
 # one Apache instance (possibly plus a proxy back end instance) is
 # running at any time, so test cases actually have to wait for each
 # other - just not in any particular order.
-check_DATA = $(tokens) server/crl.pem $(am__append_4) $(am__append_6) \
-	$(am__append_8) $(am__append_9) make-test-dirs
+check_DATA = $(tokens) server/crl.pem $(am__append_5) $(am__append_7) \
+	$(am__append_9) $(am__append_10) make-test-dirs
 
 # Delete X.509 certificates and generated templates on "mostlyclean"
 # target. Certificates can be rebuilt without generating new key
@@ -773,8 +795,8 @@ check_DATA = $(tokens) server/crl.pem $(
 MOSTLYCLEANFILES = cache/* logs/* outputs/* server/crl.pem */x509.pem \
 	$(generated_templates) *.uid */*.pgp */*.pgp.raw */*.gpg \
 	*/*.gpg~ */gpg.conf authority/lock */*.kbx */*.kbx~ \
-	*/S.gpg-agent */private-keys-v1.d/* *.lock $(am__append_5) \
-	$(am__append_7) $(SOFTHSM_TOKEN)
+	*/S.gpg-agent */private-keys-v1.d/* authority/tofu.db *.lock \
+	$(am__append_6) $(am__append_8) $(SOFTHSM_TOKEN)
 cert_templates = authority.template.in client.template.in \
 	imposter.template.in ocsp-responder.template rogueca.template \
 	rogueclient.template.in server.template.in
@@ -800,11 +822,11 @@ extra_dirs = logs cache outputs
 
 # Apache configuration and data files
 apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/ocsp.cgi \
-	data/secret.txt data/test.txt mime.types ocsp_server.conf \
+	data/secret.txt data/test.txt ffdhe3072.pem mime.types \
 	proxy_mods.conf
 
 EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=.uid.in) \
-	common.bash proxy_backend.bash runtests server-crl.template \
+	apache_service.bash common.bash runtests server-crl.template \
 	softhsm.bash
 
 
@@ -812,24 +834,25 @@ EXTRA_DIST = $(apache_data) $(cert_templ
 test_lockfile = ./test.lock
 # Lockfile for the proxy backend Apache process (if any)
 backend_lockfile = ./backend.lock
-# Maximum wait time in seconds for flock to aquire instance lock
-# files, or Apache to remove its PID file
-lock_wait = 30
+# Lockfile for the OCSP server Apache process (if any)
+ocsp_lockfile = ./ocsp.lock
+@ENABLE_OCSP_TEST_TRUE@OCSP_URI_TEMPLATE = ocsp_uri = http://$(TEST_HOST):$(OCSP_PORT)/ocsp/
 AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; export \
 	AP_LIBEXECDIR=@AP_LIBEXECDIR@; export \
-	TEST_LOCK_WAIT="$(lock_wait)"; export TEST_HOST="@TEST_HOST@"; \
-	export TEST_PORT="$(TEST_PORT)"; export \
-	MSVA_PORT="$(MSVA_PORT)"; export \
-	TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; export \
-	TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; export \
-	TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; export \
-	BACKEND_HOST="@TEST_HOST@"; export HTTP_CLI="@HTTP_CLI@"; \
-	$(am__append_10) $(am__append_11) $(am__append_12) \
-	$(am__append_13)
+	TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; export TEST_IP="@TEST_IP@"; \
+	export TEST_HOST="@TEST_HOST@"; export \
+	TEST_PORT="$(TEST_PORT)"; export MSVA_PORT="$(MSVA_PORT)"; \
+	export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \
+	export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; export \
+	TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; export \
+	BACKEND_HOST="@TEST_HOST@"; export \
+	BACKEND_PORT="$(BACKEND_PORT)"; export HTTP_CLI="@HTTP_CLI@"; \
+	$(am__append_11) $(am__append_12) $(am__append_13) \
+	$(am__append_14) $(am__append_15)
 all: all-recursive
 
 .SUFFIXES:
-.SUFFIXES: .c .lo .log .o .obj .test .test$(EXEEXT) .trs
+.SUFFIXES: .bash .bash$(EXEEXT) .c .lo .log .o .obj .trs
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(srcdir)/test_ca.mk $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -847,8 +870,8 @@ Makefile: $(srcdir)/Makefile.in $(top_bu
 	  *config.status*) \
 	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
 	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
 	esac;
 $(srcdir)/test_ca.mk $(am__empty):
 
@@ -862,6 +885,8 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(
 $(am__aclocal_m4_deps):
 proxy_backend.conf: $(top_builddir)/config.status $(srcdir)/proxy_backend.conf.in
 	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+ocsp_server.conf: $(top_builddir)/config.status $(srcdir)/ocsp_server.conf.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
 
 clean-checkPROGRAMS:
 	@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
@@ -886,9 +911,15 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_helper.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_ocsp_index.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pgpcrc.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_ocsp_index-cert_helper.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_ocsp_index-gen_ocsp_index.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pgpcrc.Po@am__quote@ # am--include-marker
+
+$(am__depfiles_remade):
+	@$(MKDIR_P) $(@D)
+	@echo '# dummy' >$@-t && $(am__mv) $@-t $@
+
+am--depfiles: $(am__depfiles_remade)
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -911,6 +942,34 @@ distclean-compile:
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
+gen_ocsp_index-gen_ocsp_index.o: gen_ocsp_index.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_ocsp_index_CFLAGS) $(CFLAGS) -MT gen_ocsp_index-gen_ocsp_index.o -MD -MP -MF $(DEPDIR)/gen_ocsp_index-gen_ocsp_index.Tpo -c -o gen_ocsp_index-gen_ocsp_index.o `test -f 'gen_ocsp_index.c' || echo '$(srcdir)/'`gen_ocsp_index.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/gen_ocsp_index-gen_ocsp_index.Tpo $(DEPDIR)/gen_ocsp_index-gen_ocsp_index.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='gen_ocsp_index.c' object='gen_ocsp_index-gen_ocsp_index.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_ocsp_index_CFLAGS) $(CFLAGS) -c -o gen_ocsp_index-gen_ocsp_index.o `test -f 'gen_ocsp_index.c' || echo '$(srcdir)/'`gen_ocsp_index.c
+
+gen_ocsp_index-gen_ocsp_index.obj: gen_ocsp_index.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_ocsp_index_CFLAGS) $(CFLAGS) -MT gen_ocsp_index-gen_ocsp_index.obj -MD -MP -MF $(DEPDIR)/gen_ocsp_index-gen_ocsp_index.Tpo -c -o gen_ocsp_index-gen_ocsp_index.obj `if test -f 'gen_ocsp_index.c'; then $(CYGPATH_W) 'gen_ocsp_index.c'; else $(CYGPATH_W) '$(srcdir)/gen_ocsp_index.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/gen_ocsp_index-gen_ocsp_index.Tpo $(DEPDIR)/gen_ocsp_index-gen_ocsp_index.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='gen_ocsp_index.c' object='gen_ocsp_index-gen_ocsp_index.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_ocsp_index_CFLAGS) $(CFLAGS) -c -o gen_ocsp_index-gen_ocsp_index.obj `if test -f 'gen_ocsp_index.c'; then $(CYGPATH_W) 'gen_ocsp_index.c'; else $(CYGPATH_W) '$(srcdir)/gen_ocsp_index.c'; fi`
+
+gen_ocsp_index-cert_helper.o: cert_helper.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_ocsp_index_CFLAGS) $(CFLAGS) -MT gen_ocsp_index-cert_helper.o -MD -MP -MF $(DEPDIR)/gen_ocsp_index-cert_helper.Tpo -c -o gen_ocsp_index-cert_helper.o `test -f 'cert_helper.c' || echo '$(srcdir)/'`cert_helper.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/gen_ocsp_index-cert_helper.Tpo $(DEPDIR)/gen_ocsp_index-cert_helper.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='cert_helper.c' object='gen_ocsp_index-cert_helper.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_ocsp_index_CFLAGS) $(CFLAGS) -c -o gen_ocsp_index-cert_helper.o `test -f 'cert_helper.c' || echo '$(srcdir)/'`cert_helper.c
+
+gen_ocsp_index-cert_helper.obj: cert_helper.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_ocsp_index_CFLAGS) $(CFLAGS) -MT gen_ocsp_index-cert_helper.obj -MD -MP -MF $(DEPDIR)/gen_ocsp_index-cert_helper.Tpo -c -o gen_ocsp_index-cert_helper.obj `if test -f 'cert_helper.c'; then $(CYGPATH_W) 'cert_helper.c'; else $(CYGPATH_W) '$(srcdir)/cert_helper.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/gen_ocsp_index-cert_helper.Tpo $(DEPDIR)/gen_ocsp_index-cert_helper.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='cert_helper.c' object='gen_ocsp_index-cert_helper.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_ocsp_index_CFLAGS) $(CFLAGS) -c -o gen_ocsp_index-cert_helper.obj `if test -f 'cert_helper.c'; then $(CYGPATH_W) 'cert_helper.c'; else $(CYGPATH_W) '$(srcdir)/cert_helper.c'; fi`
+
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -1136,7 +1195,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
 	fi;								\
 	$$success || exit 1
 
-check-TESTS:
+check-TESTS: $(check_PROGRAMS) $(dist_check_SCRIPTS) $(check_DATA)
 	@list='$(RECHECK_LOGS)';           test -z "$$list" || rm -f $$list
 	@list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list
 	@test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
@@ -1157,218 +1216,25 @@ recheck: all $(check_PROGRAMS) $(dist_ch
 	        am__force_recheck=am--force-recheck \
 	        TEST_LOGS="$$log_list"; \
 	exit $$?
-test-00_basic.bash.log: test-00_basic.bash
-	@p='test-00_basic.bash'; \
-	b='test-00_basic.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-01_serverwide_priorities.bash.log: test-01_serverwide_priorities.bash
-	@p='test-01_serverwide_priorities.bash'; \
-	b='test-01_serverwide_priorities.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-02_cache_in_vhost.bash.log: test-02_cache_in_vhost.bash
-	@p='test-02_cache_in_vhost.bash'; \
-	b='test-02_cache_in_vhost.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-03_cachetimeout_in_vhost.bash.log: test-03_cachetimeout_in_vhost.bash
-	@p='test-03_cachetimeout_in_vhost.bash'; \
-	b='test-03_cachetimeout_in_vhost.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-04_basic_nosni.bash.log: test-04_basic_nosni.bash
-	@p='test-04_basic_nosni.bash'; \
-	b='test-04_basic_nosni.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-05_mismatched-priorities.bash.log: test-05_mismatched-priorities.bash
-	@p='test-05_mismatched-priorities.bash'; \
-	b='test-05_mismatched-priorities.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-06_verify_sni_a.bash.log: test-06_verify_sni_a.bash
-	@p='test-06_verify_sni_a.bash'; \
-	b='test-06_verify_sni_a.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-07_verify_sni_b.bash.log: test-07_verify_sni_b.bash
-	@p='test-07_verify_sni_b.bash'; \
-	b='test-07_verify_sni_b.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-08_verify_no_sni_fallback_to_first_vhost.bash.log: test-08_verify_no_sni_fallback_to_first_vhost.bash
-	@p='test-08_verify_no_sni_fallback_to_first_vhost.bash'; \
-	b='test-08_verify_no_sni_fallback_to_first_vhost.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-09_verify_no_sni_fails_with_wrong_order.bash.log: test-09_verify_no_sni_fails_with_wrong_order.bash
-	@p='test-09_verify_no_sni_fails_with_wrong_order.bash'; \
-	b='test-09_verify_no_sni_fails_with_wrong_order.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-10_basic_client_verification.bash.log: test-10_basic_client_verification.bash
-	@p='test-10_basic_client_verification.bash'; \
-	b='test-10_basic_client_verification.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-11_basic_client_verification_fail.bash.log: test-11_basic_client_verification_fail.bash
-	@p='test-11_basic_client_verification_fail.bash'; \
-	b='test-11_basic_client_verification_fail.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-12_cgi_variables.bash.log: test-12_cgi_variables.bash
-	@p='test-12_cgi_variables.bash'; \
-	b='test-12_cgi_variables.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-13_cgi_variables_no_client_cert.bash.log: test-13_cgi_variables_no_client_cert.bash
-	@p='test-13_cgi_variables_no_client_cert.bash'; \
-	b='test-13_cgi_variables_no_client_cert.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-14_basic_openpgp.bash.log: test-14_basic_openpgp.bash
-	@p='test-14_basic_openpgp.bash'; \
-	b='test-14_basic_openpgp.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-15_basic_msva.bash.log: test-15_basic_msva.bash
-	@p='test-15_basic_msva.bash'; \
-	b='test-15_basic_msva.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-16_view-status.bash.log: test-16_view-status.bash
-	@p='test-16_view-status.bash'; \
-	b='test-16_view-status.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-17_cgi_vars_large_cert.bash.log: test-17_cgi_vars_large_cert.bash
-	@p='test-17_cgi_vars_large_cert.bash'; \
-	b='test-17_cgi_vars_large_cert.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-18_client_verification_wrong_cert.bash.log: test-18_client_verification_wrong_cert.bash
-	@p='test-18_client_verification_wrong_cert.bash'; \
-	b='test-18_client_verification_wrong_cert.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-19_TLS_reverse_proxy.bash.log: test-19_TLS_reverse_proxy.bash
-	@p='test-19_TLS_reverse_proxy.bash'; \
-	b='test-19_TLS_reverse_proxy.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-20_TLS_reverse_proxy_client_auth.bash.log: test-20_TLS_reverse_proxy_client_auth.bash
-	@p='test-20_TLS_reverse_proxy_client_auth.bash'; \
-	b='test-20_TLS_reverse_proxy_client_auth.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-21_TLS_reverse_proxy_wrong_cert.bash.log: test-21_TLS_reverse_proxy_wrong_cert.bash
-	@p='test-21_TLS_reverse_proxy_wrong_cert.bash'; \
-	b='test-21_TLS_reverse_proxy_wrong_cert.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-22_TLS_reverse_proxy_crl_revoke.bash.log: test-22_TLS_reverse_proxy_crl_revoke.bash
-	@p='test-22_TLS_reverse_proxy_crl_revoke.bash'; \
-	b='test-22_TLS_reverse_proxy_crl_revoke.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-23_TLS_reverse_proxy_mismatched_priorities.bash.log: test-23_TLS_reverse_proxy_mismatched_priorities.bash
-	@p='test-23_TLS_reverse_proxy_mismatched_priorities.bash'; \
-	b='test-23_TLS_reverse_proxy_mismatched_priorities.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-24_pkcs11_cert.bash.log: test-24_pkcs11_cert.bash
-	@p='test-24_pkcs11_cert.bash'; \
-	b='test-24_pkcs11_cert.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-25_Disable_TLS_1.0.bash.log: test-25_Disable_TLS_1.0.bash
-	@p='test-25_Disable_TLS_1.0.bash'; \
-	b='test-25_Disable_TLS_1.0.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-26_redirect_HTTP_to_HTTPS.bash.log: test-26_redirect_HTTP_to_HTTPS.bash
-	@p='test-26_redirect_HTTP_to_HTTPS.bash'; \
-	b='test-26_redirect_HTTP_to_HTTPS.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-test-27_OCSP_server.bash.log: test-27_OCSP_server.bash
-	@p='test-27_OCSP_server.bash'; \
-	b='test-27_OCSP_server.bash'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-.test.log:
+.bash.log:
 	@p='$<'; \
 	$(am__set_b); \
-	$(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
+	$(am__check_pre) $(BASH_LOG_DRIVER) --test-name "$$f" \
 	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
+	$(am__common_driver_flags) $(AM_BASH_LOG_DRIVER_FLAGS) $(BASH_LOG_DRIVER_FLAGS) -- $(BASH_LOG_COMPILE) \
 	"$$tst" $(AM_TESTS_FD_REDIRECT)
-@am__EXEEXT_TRUE@.test$(EXEEXT).log:
+@am__EXEEXT_TRUE@.bash$(EXEEXT).log:
 @am__EXEEXT_TRUE@	@p='$<'; \
 @am__EXEEXT_TRUE@	$(am__set_b); \
-@am__EXEEXT_TRUE@	$(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
+@am__EXEEXT_TRUE@	$(am__check_pre) $(BASH_LOG_DRIVER) --test-name "$$f" \
 @am__EXEEXT_TRUE@	--log-file $$b.log --trs-file $$b.trs \
-@am__EXEEXT_TRUE@	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
+@am__EXEEXT_TRUE@	$(am__common_driver_flags) $(AM_BASH_LOG_DRIVER_FLAGS) $(BASH_LOG_DRIVER_FLAGS) -- $(BASH_LOG_COMPILE) \
 @am__EXEEXT_TRUE@	"$$tst" $(AM_TESTS_FD_REDIRECT)
 
-distdir: $(DISTFILES)
+distdir: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -1426,7 +1292,7 @@ distdir: $(DISTFILES)
 check-am: all-am
 	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) \
 	  $(dist_check_SCRIPTS) $(check_DATA)
-	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
 check: check-recursive
 all-am: Makefile $(HEADERS)
 installdirs: installdirs-recursive
@@ -1472,7 +1338,9 @@ clean-am: clean-checkPROGRAMS clean-gene
 	mostlyclean-am
 
 distclean: distclean-recursive
-	-rm -rf ./$(DEPDIR)
+		-rm -f ./$(DEPDIR)/gen_ocsp_index-cert_helper.Po
+	-rm -f ./$(DEPDIR)/gen_ocsp_index-gen_ocsp_index.Po
+	-rm -f ./$(DEPDIR)/pgpcrc.Po
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -1518,7 +1386,9 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-recursive
-	-rm -rf ./$(DEPDIR)
+		-rm -f ./$(DEPDIR)/gen_ocsp_index-cert_helper.Po
+	-rm -f ./$(DEPDIR)/gen_ocsp_index-gen_ocsp_index.Po
+	-rm -f ./$(DEPDIR)/pgpcrc.Po
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
@@ -1539,30 +1409,32 @@ uninstall-am:
 
 .MAKE: $(am__recursive_targets) check-am install-am install-strip
 
-.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \
-	check-TESTS check-am clean clean-checkPROGRAMS clean-generic \
-	clean-libtool clean-local cscopelist-am ctags ctags-am \
-	distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-pdf install-pdf-am \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs installdirs-am maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool mostlyclean-local pdf \
-	pdf-am ps ps-am recheck tags tags-am uninstall uninstall-am
+.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \
+	am--depfiles check check-TESTS check-am check-local clean \
+	clean-checkPROGRAMS clean-generic clean-libtool clean-local \
+	cscopelist-am ctags ctags-am distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs installdirs-am \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	mostlyclean-local pdf pdf-am ps ps-am recheck tags tags-am \
+	uninstall uninstall-am
 
 .PRECIOUS: Makefile
 
 
 %.template: $(srcdir)/%.template.in
 	sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@
-	if test -n "$(OCSP_PORT)"; then \
-		sed -i -e 's/^### ocsp/ocsp/' \
-			-e s/__OCSP_PORT__/$(OCSP_PORT)/ $@; \
-	fi
+	sed -i -e "s,__OCSP_URI__,$(OCSP_URI_TEMPLATE)," $@
+	for i in $(patsubst [%],%,$(TEST_IP)); do \
+		IP_ADDRS="$${IP_ADDRS}\nip_address = $${i}"; \
+	done; \
+	sed -i -e "s,__IP_ADDRESSES__,$${IP_ADDRS#\\n}," $@
 
 %.uid: $(srcdir)/%.uid.in
 	sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@
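Review bot: `IP_ADDRS` is appended to in the loop of the `%.template` recipe without being initialised, so a value inherited from the environment of `make` would be carried into the `__IP_ADDRESSES__` substitution and from there into the generated certificate template. Starting that shell fragment with `IP_ADDRS=""; \` before the `for` line closes the gap. The same recipe interpolates `$(OCSP_URI_TEMPLATE)` and each address into a `sed` expression that uses `,` as delimiter, so a value containing `,` or `&` would be rewritten rather than inserted literally; a short comment stating that assumption would help. The `\n` in the replacement text and `-i` both depend on GNU sed.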
@@ -1572,8 +1444,10 @@ uninstall-am:
 	chmod 0700 $(dir $@)
 	certtool --outfile $@ --generate-privkey
 
+.PRECIOUS: %/secret.key
+
 %/secret.pgp.raw: %.uid %/secret.key
-	PEM2OPENPGP_EXPIRATION=86400 PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign pem2openpgp "$$(cat $<)" < $(dir $@)secret.key > $@
+	PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign pem2openpgp "$$(cat $<)" < $(dir $@)secret.key > $@
 
 %/secret.pgp: %/secret.pgp.raw pgpcrc
 	(printf -- '-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: test\n\n' && \
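Review bot: `.PRECIOUS: %/secret.key` has no comment, and besides protecting the key from removal as an intermediate file it also makes make keep a partially written `secret.key` if `certtool` is interrupted, which later runs would treat as up to date. A comment such as `# keep generated keys between runs; remove by hand after an interrupted build` above the line would record the intent, which is presumably to avoid regenerating keys. The same hunk drops `PEM2OPENPGP_EXPIRATION=86400` from the `pem2openpgp` call; if that means the test OpenPGP keys no longer expire, it deserves a one-line comment as well, since the one-day lifetime limited what a test key left behind in a build tree could be used for. The header of the `%/secret.key` rule is above the hunk.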
@@ -1598,9 +1472,9 @@ uninstall-am:
 # */cert.pgp avoids having to lock for all */minimal.pgp, too.
 %/cert.pgp: %/minimal.pgp authority/minimal.pgp
 	if test -r $@; then rm $@; fi
-	GNUPGHOME=authority $(GPG_FLOCK) gpg --import $<
-	GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
-	GNUPGHOME=authority $(GPG_FLOCK) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
+	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --import $<
+	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
+	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
 
 # special cases for the authorities' root certs:
 authority/x509.pem: authority.template authority/secret.key
@@ -1632,6 +1506,7 @@ rogue%/x509.pem: rogue%.template rogue%/
 	echo "directories.tokendir = $(dir $@)softhsm2.db" >> $@
 
 %/softhsm2.db: %/x509.pem %/secret.key %/softhsm2.conf
+	rm -rf $@
 	mkdir -p $@
 	SOFTHSM="$(SOFTHSM)" \
 	SOFTHSM2_CONF="$(dir $@)softhsm2.conf" \
@@ -1648,10 +1523,23 @@ rogue%/x509.pem: rogue%.template rogue%/
 		--load-ca-certificate authority/x509.pem \
 		--load-certificate $< \
 		--template "${srcdir}/$(*)-crl.template"
+
+# GnuPG 2 starts gpg-agent processes per GNUPGHOME (one for every PGP
+# identity) while creating the PGP certificates. This target is called
+# by both "check-local" and "mostlyclean-local": The former because
+# agent processes are started while preparing for "check" and are no
+# longer needed afterwards, the latter to make sure they are gone
+# along with their certificates.
+stop-gnupg-agent:
+	for id in $(pgp_identities) $(msva_home); do \
+		GNUPGHOME=$$id/ gpgconf --kill gpg-agent || true; \
+	done
+
+check-local: stop-gnupg-agent
 @USE_MSVA_TRUE@$(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp
 @USE_MSVA_TRUE@	mkdir -p -m 0700 $(dir $@)
 @USE_MSVA_TRUE@	GNUPGHOME=$(dir $@) gpg --import < $<
-@USE_MSVA_TRUE@	printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
+@USE_MSVA_TRUE@	printf "%s:6:\n" "$$(GNUPGHOME=authority/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
 @USE_MSVA_TRUE@	GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
 @USE_MSVA_TRUE@	printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
 @ENABLE_OCSP_TEST_TRUE@authority/ocsp_index.txt: $(x509_tokens) gen_ocsp_index authority/ocsp_index.txt.attr
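Review bot: `stop-gnupg-agent` discards every `gpgconf` failure with `|| true`, so an agent that could not be stopped goes unreported although the comment says the target exists to make sure the agents are gone. Keeping the target non-fatal but visible would be `GNUPGHOME="$$id/" gpgconf --kill gpg-agent || echo "could not stop gpg-agent for $$id" >&2; \`, which also quotes the directory name. Separately, `check-am` now runs `check-TESTS check-local` in one `$(MAKE)` call and nothing visible orders `stop-gnupg-agent` after the tests, so under `-j` it may run while tests are still using the agents; this is inferred from the rules shown and worth confirming.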
@@ -1667,30 +1555,43 @@ clean-softhsm2-db:
 make-test-dirs:
 	mkdir -p $(extra_dirs)
 
-.PHONY: make-test-dirs clean-softhsm2-db
+.PHONY: make-test-dirs clean-softhsm2-db stop-gnupg-agent
 
-mostlyclean-local: clean-softhsm2-db
+mostlyclean-local: clean-softhsm2-db stop-gnupg-agent
 	-rmdir $(pgp_identities:=/private-keys-v1.d) || true
 @USE_MSVA_TRUE@	-rmdir $(msva_home)/private-keys-v1.d || true
 
+# Delete test data directories, and wait for test services to
+# exit. The reason for the wait is that Apache instances may take some
+# time to exit and delete their PID files. Occasionally some PID files
+# where still around during "distcheck" runs by the time the target
+# checked if the build directory was really empty after "distclean",
+# breaking the build. Delaying "clean-local" until PID files are gone
+# avoids this issue, and the timeout will expose actually unclean
+# stops.
 clean-local:
 	-rmdir $(identities) || true
 	-rmdir $(extra_dirs) || true
 @USE_MSVA_TRUE@	-rmdir $(msva_home) || true
+	wait=0; \
+	while ls *.pid && test "$$wait" -lt "@TEST_LOCK_WAIT@"; do \
+		wait=$$(($$wait + 1)); \
+		echo "waiting for test services to exit ($$wait seconds)"; \
+		sleep 1; \
+	done
 
 # port for the main Apache server
 TEST_PORT ?= 9932
 # port for MSVA in test cases that use it
 MSVA_PORT ?= 9933
-# port for OCSP server (Apache vhost if enabled)
+# port for TLS proxy backend server
+BACKEND_PORT ?= 9934
+# port for the OCSP responder
 @ENABLE_OCSP_TEST_TRUE@OCSP_PORT ?= 9936
 # maximum time to wait for MSVA startup (milliseconds)
-TEST_MSVA_MAX_WAIT ?= 10000
+TEST_SERVICE_MAX_WAIT ?= 10000
 # wait loop time for MSVA startup (milliseconds)
-TEST_MSVA_WAIT ?= 400
-# seconds for the HTTP request to be sent and responded to
-TEST_QUERY_DELAY ?= 30
-# Without flock tests must not run in parallel. Otherwise set lock files.
+TEST_SERVICE_WAIT ?= 400
 @DISABLE_FLOCK_TRUE@.NOTPARALLEL:
 
 # Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
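Review bot: The wait loop added to `clean-local` ends with status 0 when `*.pid` files are still present after `@TEST_LOCK_WAIT@` iterations, so the recipe itself does not report the unclean stop that the comment says the timeout will expose. `ls *.pid` also prints an error on every run where no PID file exists. Using `while ls *.pid 2>/dev/null && test "$$wait" -lt "@TEST_LOCK_WAIT@"; do \` and printing a warning after `done` when files remain would make the outcome explicit. Further down, the comments above `TEST_SERVICE_MAX_WAIT` and `TEST_SERVICE_WAIT` still say MSVA although the variables were renamed, and the comment that explained `.NOTPARALLEL:` was removed together with `TEST_QUERY_DELAY`.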
diff -pruN 0.8.2-3/test/ocsp_server.conf 0.9.0-1/test/ocsp_server.conf
--- 0.8.2-3/test/ocsp_server.conf	2017-01-08 02:05:38.000000000 +0000
+++ 0.9.0-1/test/ocsp_server.conf	1970-01-01 00:00:00.000000000 +0000
@@ -1,30 +0,0 @@
-Include		${srcdir}/cgi_module.conf
-LoadModule	env_module		${AP_LIBEXECDIR}/mod_env.so
-LoadModule	rewrite_module		${AP_LIBEXECDIR}/mod_rewrite.so
-<IfDefine !OCSP_INDEX>
-	# Default index file, define OCSP_INDEX in the test specific
-	# config to override
-	Define	OCSP_INDEX	${PWD}/authority/ocsp_index.txt
-</IfDefine>
-
-<VirtualHost _default_:${OCSP_PORT}>
-	RewriteEngine	On
-	RewriteRule	^/ocsp(.*)	/ocsp.cgi$1	[L]
-	<Location /ocsp/>
-		# Some clients seem to have trouble with chunked
-		# encoding, so force HTTP/1.0 for now.
-		SetEnv	downgrade-1.0
-		# certificates and key for ocsp.cgi
-		SetEnv	CA_CERT		${PWD}/authority/x509.pem
-		SetEnv	OCSP_INDEX	${OCSP_INDEX}
-		SetEnv	OCSP_CERT	${PWD}/ocsp-responder/x509.pem
-		SetEnv	OCSP_KEY	${PWD}/ocsp-responder/secret.key
-		<If "-n osenv('OPENSSL')">
-			# Pass OPENSSL variable to CGI script if set
-			SetEnv	OPENSSL		${OPENSSL}
-		</If>
-	</Location>
-	<Directory ${srcdir}/data>
-		Options	+ExecCGI
-	</Directory>
-</VirtualHost>
diff -pruN 0.8.2-3/test/ocsp_server.conf.in 0.9.0-1/test/ocsp_server.conf.in
--- 0.8.2-3/test/ocsp_server.conf.in	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/ocsp_server.conf.in	2018-04-19 18:01:35.000000000 +0000
@@ -0,0 +1,41 @@
+Define	OCSP_PORT	${OCSP_PORT}
+Define	TEST_PORT	${OCSP_PORT}
+
+Include ${srcdir}/base_apache.conf
+
+Include		${srcdir}/cgi_module.conf
+LoadModule	env_module		${AP_LIBEXECDIR}/mod_env.so
+LoadModule	rewrite_module		${AP_LIBEXECDIR}/mod_rewrite.so
+
+# separate log and PID file
+CustomLog	logs/${TEST_NAME}.ocsp.access.log combined
+ErrorLog	logs/${TEST_NAME}.ocsp.error.log
+PidFile		ocsp@PID_AFFIX@.pid
+
+<IfDefine !OCSP_INDEX>
+	# Default index file, define OCSP_INDEX in the test specific
+	# config to override
+	Define	OCSP_INDEX	${PWD}/authority/ocsp_index.txt
+</IfDefine>
+
+<VirtualHost _default_:${OCSP_PORT}>
+	RewriteEngine	On
+	RewriteRule	^/ocsp(.*)	/ocsp.cgi$1	[L]
+	<Location /ocsp/>
+		# Some clients seem to have trouble with chunked
+		# encoding, so force HTTP/1.0 for now.
+		SetEnv	downgrade-1.0
+		# certificates and key for ocsp.cgi
+		SetEnv	CA_CERT		${PWD}/authority/x509.pem
+		SetEnv	OCSP_INDEX	${OCSP_INDEX}
+		SetEnv	OCSP_CERT	${PWD}/ocsp-responder/x509.pem
+		SetEnv	OCSP_KEY	${PWD}/ocsp-responder/secret.key
+		<If "-n osenv('OPENSSL')">
+			# Pass OPENSSL variable to CGI script if set
+			SetEnv	OPENSSL		${OPENSSL}
+		</If>
+	</Location>
+	<Directory ${srcdir}/data>
+		Options	+ExecCGI
+	</Directory>
+</VirtualHost>
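Review bot: The two `Define` lines at the top of the new file carry no comment, unlike the matching lines added to `proxy_backend.conf.in`, and `Define TEST_PORT ${OCSP_PORT}` is easy to misread as a mistake. A line such as `# redefine TEST_PORT before loading the base config, so the responder uses OCSP_PORT` above it would help. How `base_apache.conf` uses `TEST_PORT` is not visible in this section, so the wording should be checked against that file.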
diff -pruN 0.8.2-3/test/proxy_backend.bash 0.9.0-1/test/proxy_backend.bash
--- 0.8.2-3/test/proxy_backend.bash	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/proxy_backend.bash	1970-01-01 00:00:00.000000000 +0000
@@ -1,54 +0,0 @@
-#!/bin/bash
-
-set -e
-. ${srcdir}/common.bash
-
-if [ -z "${BACKEND_HOST}" ]; then
-    export BACKEND_HOST="localhost"
-fi
-if [ -z "${BACKEND_IP}" ]; then
-    export BACKEND_IP="::1"
-fi
-if [ -z "${BACKEND_PORT}" ]; then
-    export BACKEND_PORT="9934"
-fi
-: ${BACKEND_PID:="backend.pid"}
-: ${srcdir:="."}
-: ${APACHE2:="apache2"}
-: ${TEST_LOCK_WAIT:="30"}
-
-function backend_apache
-{
-    dir="${1}"
-    conf="${2}"
-    action="${3}"
-    lockfile="${4}"
-
-    TEST_NAME="$(basename "${dir}")"
-    (
-	export TEST_NAME
-	export TEST_IP="${BACKEND_IP}"
-	export TEST_PORT="${BACKEND_PORT}"
-	export srcdir="$(realpath ${srcdir})"
-	case $action in
-	    start)
-		if [ -n "${USE_TEST_NAMESPACE}" ]; then
-		    echo "Using namespaces to isolate tests, no need for" \
-			 "locking."
-		    flock_cmd=""
-		elif [ -n "${lockfile}" ]; then
-		    flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} ${lockfile}"
-		else
-		    echo "Locking disabled, using wait based on proxy PID file."
-		    wait_pid_gone "${BACKEND_PID}"
-		    flock_cmd=""
-		fi
-		${flock_cmd} \
-		    ${APACHE2} -f "$(realpath ${testdir}/${conf})" -k start || return 1
-		;;
-	    stop)
-		${APACHE2} -f "$(realpath ${testdir}/${conf})" -k stop || return 1
-		;;
-	esac
-    )
-}
diff -pruN 0.8.2-3/test/proxy_backend.conf.in 0.9.0-1/test/proxy_backend.conf.in
--- 0.8.2-3/test/proxy_backend.conf.in	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/proxy_backend.conf.in	2018-09-30 20:59:29.000000000 +0000
@@ -1,3 +1,9 @@
+# redefine TEST_PORT before loading the base config
+Define	TEST_PORT	${BACKEND_PORT}
+Include ${srcdir}/base_apache.conf
+
+Define	BACKEND_CACHE	shmcb:cache/gnutls_cache_${TEST_NAME}_backend(65536)
+
 # common options for proxy backend servers
 CustomLog	logs/${TEST_NAME}.backend.access.log combined
 ErrorLog	logs/${TEST_NAME}.backend.error.log
diff -pruN 0.8.2-3/test/README 0.9.0-1/test/README
--- 0.8.2-3/test/README	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/README	2018-04-19 18:01:35.000000000 +0000
@@ -2,7 +2,7 @@ Unit Tests for Apache's mod_gnutls
 ==================================
 
 Authors: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-	 Thomas Klute <thomas2.klute@uni-dortmund.de>
+	 Fiona Klute <fiona.klute@gmx.de>
 
 There are a lot of ways that a TLS-capable web server can go wrong.  I
 want to at least test for some basic/common configurations.
@@ -129,8 +129,8 @@ on your expected setup (along with the v
 
  * If a machine is particularly slow or under heavy load, it's
    possible that these tests will fail for timing
-   reasons. [TEST_QUERY_DELAY (seconds for the HTTP request to be sent
-   and responded to)]
+   reasons. [TEST_QUERY_TIMEOUT (timeout for the HTTPS request in
+   seconds)]
 
 The first two of these issues are avoided when the tests are isolated
 using network namespaces, which is the default (see "Implementation"
diff -pruN 0.8.2-3/test/rogueca.uid.in 0.9.0-1/test/rogueca.uid.in
--- 0.8.2-3/test/rogueca.uid.in	2015-11-02 21:32:08.000000000 +0000
+++ 0.9.0-1/test/rogueca.uid.in	1970-01-01 00:00:00.000000000 +0000
@@ -1 +0,0 @@
-Rogue Certificate Authority
diff -pruN 0.8.2-3/test/runtests 0.9.0-1/test/runtests
--- 0.8.2-3/test/runtests	2016-12-25 18:36:37.000000000 +0000
+++ 0.9.0-1/test/runtests	2018-11-02 10:55:39.000000000 +0000
@@ -2,10 +2,11 @@
 
 # Authors:
 # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-# Thomas Klute <thomas2.klute@uni-dortmund.de>
+# Fiona Klute <fiona.klute@gmx.de>
 
 set -e
 . ${srcdir}/common.bash
+. ${srcdir}/apache_service.bash
 netns_reexec ${@}
 
 testid="${1##t-}"
@@ -16,9 +17,10 @@ if [ -z "$testid" ] ; then
 else
     testid=${srcdir}/tests/"$(printf "%02d" "$testid")"_*
 fi
+testdir="$(realpath ${testid})"
 
 BADVARS=0
-for v in APACHE2 TEST_HOST TEST_PORT TEST_QUERY_DELAY TEST_MSVA_WAIT \
+for v in APACHE2 TEST_HOST TEST_PORT TEST_QUERY_TIMEOUT TEST_SERVICE_WAIT \
 		 MSVA_PORT; do
     if [ ! -v "$v" ]; then
         printf "You need to set the %s environment variable\n" "$v" >&2
@@ -33,9 +35,11 @@ fi
 # write script file and line to stderr on error
 function pinpoint_error()
 {
-    echo "${1} failed at line ${2}!" >&2
+    echo "Command \"${BASH_COMMAND}\" failed. Call trace:" >&2
+    local stack=0
+    while caller $((stack++)) >&2; do true; done
 }
-trap 'pinpoint_error ${BASH_SOURCE} ${LINENO}' ERR
+trap 'pinpoint_error' ERR
 
 function stop_msva()
 {
@@ -88,6 +92,8 @@ function kill_by_pidfile()
 	local pid=$(cat "${pidfile}")
 	if [ -n "${pid}" ] && ps -p "${pid}"; then
 	    kill "${pid}"
+	else
+	    echo "No running process with PID ${pid} (${pidfile})."
 	fi
 	rm "${pidfile}"
     fi
@@ -95,12 +101,20 @@ function kill_by_pidfile()
 
 function apache_down_err() {
     printf "FAILURE: %s\n" "$TEST_NAME"
-    ${APACHE2} -f "${t}/apache.conf" -k stop || true
+    ${APACHE2} -f "${testdir}/apache.conf" -k stop || true
     if [ -e output ]; then
 	printf "\ngnutls-cli outputs:\n"
 	diff_output_filter_headers "output" "$output" || true
     fi
 
+    if [ -r "${testdir}/backend.conf" ]; then
+	apache_service "${testdir}" "backend.conf" stop || true
+    fi
+
+    if [ -r "${testdir}/ocsp.conf" ]; then
+	apache_service "${testdir}" "ocsp.conf" stop || true
+    fi
+
     if [ -n "${sleep_pidfile}" ]; then
 	kill_by_pidfile "${sleep_pidfile}"
     fi
@@ -122,28 +136,11 @@ if [ -n "${USE_MSVA}" ]; then
     trap stop_msva EXIT
 
     printf "TESTING: initial MSVA verification\n"
-    # set to 0 if MSVA is up
-    ret=1
     export MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT"
 
-    # convert TEST_MSVA_WAIT to seconds because that's what "sleep" expects
-    TEST_MSVA_SLEEP="$((${TEST_MSVA_WAIT} / 1000)).$((${TEST_MSVA_WAIT} % 1000))"
-    # wait at most TEST_MSVA_MAX_WAIT milliseconds for MSVA to get ready
-    waited=0
-    until [ ${ret} -eq 0 ] \
-	      || [ ${waited} -ge ${TEST_MSVA_MAX_WAIT} ]; do
-	if msva-query-agent https "$(cat client.uid)" x509pem client < client/x509.pem
-	then
-	    ret=0
-	else
-	    echo "MSVA not ready yet"
-	fi
-	sleep "${TEST_MSVA_SLEEP}"
-	waited=$((${waited} + ${TEST_MSVA_WAIT}))
-    done
-
+    msva_test_cmd="msva-query-agent https \"$(cat client.uid)\" x509pem client < client/x509.pem"
     # check if MSVA is up, fail if not
-    if [ ${ret} -eq 0 ]; then
+    if wait_ready "${msva_test_cmd}"; then
 	printf "\nSUCCESS: initial MSVA verification\n"
     else
 	printf "\nFAIL: initial MSVA verification\n"
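Review bot: `msva_test_cmd` is assembled as a string with the contents of `client.uid` spliced in between escaped quotes, which only works if `wait_ready` evaluates its argument as shell code; in that case any quote, `$` or backtick in the uid file is interpreted by the shell instead of being passed as data. `wait_ready` is defined outside this diff section, so this is inferred from the `<` redirection inside the string. Wrapping the probe in a function, `msva_ready() { msva-query-agent https "$(cat client.uid)" x509pem client < client/x509.pem; }`, and calling `wait_ready msva_ready` keeps the uid a single quoted argument. The `ocsptool` command passed to `wait_ready` in the later OCSP hunk is built the same way around `${store_ocsp}`.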
@@ -151,26 +148,24 @@ if [ -n "${USE_MSVA}" ]; then
     fi
 fi
 
-TEST_PID="apache2.pid"
 # configure locking for the Apache process
 if [ -n "${USE_TEST_NAMESPACE}" ]; then
     echo "Using namespaces to isolate tests, no need for locking."
     flock_cmd=""
-elif [ -n "${TEST_LOCK}" ]; then
+elif [ -n "${FLOCK}" ]; then
     flock_cmd="${FLOCK} -w ${TEST_LOCK_WAIT} $(realpath ${TEST_LOCK})"
 else
     echo "Locking disabled, using wait based on Apache PID file."
-    wait_pid_gone "${TEST_PID}"
+    wait_pid_gone "${TEST_LOCK}"
     flock_cmd=""
 fi
 
-t="$(realpath ${testid})"
 export srcdir="$(realpath ${srcdir})"
-export TEST_NAME="$(basename "$t")"
+export TEST_NAME="$(basename "${testdir}")"
 output="outputs/${TEST_NAME}.output"
 rm -f "$output"
 
-if [ -e ${t}/fail.* ]; then
+if [ -e ${testdir}/fail.* ]; then
     EXPECTED_FAILURE="$(printf " (expected: %s)" fail.*)"
 else
     unset EXPECTED_FAILURE
@@ -178,14 +173,37 @@ fi
 printf "TESTING: %s%s\n" "$TEST_NAME" "$EXPECTED_FAILURE"
 trap apache_down_err EXIT
 if [ -n "${USE_MSVA}" ]; then
-    MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT" \
-					${flock_cmd} \
-					${APACHE2} -f "${t}/apache.conf" -k start \
-	|| [ -e "${t}/fail.server" ]
-else
-    ${flock_cmd} \
-	${APACHE2} -f "${t}/apache.conf" -k start \
-	|| [ -e "${t}/fail.server" ]
+    export MONKEYSPHERE_VALIDATION_AGENT_SOCKET="http://127.0.0.1:$MSVA_PORT"
+fi
+
+# If VERBOSE is enabled, log the HTTPD build configuration
+if [ -n "${VERBOSE}" ]; then
+    ${APACHE2} -f "${srcdir}/base_apache.conf" -V
+fi
+
+# Start OCSP responder, if configured
+if [ -r "${testdir}/ocsp.conf" ]; then
+    apache_service "${testdir}" "ocsp.conf" start "${OCSP_LOCK}"
+    CHECK_OCSP_SERVER="true"
+    if [ -n "${VERBOSE}" ]; then
+	echo "OCSP index for the test CA:"
+	cat authority/ocsp_index.txt
+    fi
+fi
+
+# Start proxy backend server, if configured
+if [ -r "${testdir}/backend.conf" ]; then
+    apache_service "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
+fi
+
+if ! ${flock_cmd} ${APACHE2} -f "${testdir}/apache.conf" -k start; then
+    if [ -e "${testdir}/fail.server" ]; then
+	echo "Apache HTTPD failed to start as expected."
+	exit 0
+    else
+	echo "Apache HTTPD unexpectedly failed to start."
+	exit 1
+    fi
 fi
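Review bot: The new `exit 0` for an expected start failure runs while `trap apache_down_err EXIT` is active, and `apache_down_err` prints `FAILURE: $TEST_NAME` unconditionally, so a test that passes this way is still logged as a failure. Setting a marker before leaving, `expected_fail=1; exit 0`, and guarding the message in the handler with `[ -n "${expected_fail}" ] || printf "FAILURE: %s\n" "$TEST_NAME"` keeps the service cleanup while fixing the log. `apache_down_err` is only partly visible in this diff, so check that nothing else in it assumes a failed test.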
 
 # check OCSP server
@@ -194,10 +212,16 @@ if [ -n "${CHECK_OCSP_SERVER}" ]; then
 	store_ocsp="--outfile ${OCSP_RESPONSE_FILE}"
     fi
     echo "---- Testing OCSP server ----"
-    ocsptool --ask --nonce --load-issuer authority/x509.pem --load-cert server/x509.pem ${store_ocsp}
+    wait_ready "ocsptool --ask --nonce --load-issuer authority/x509.pem --load-cert server/x509.pem ${store_ocsp}"
     echo "---- OCSP test done ----"
 fi
 
+if [ -n "${TARGET_IP}" ]; then
+    TARGET="${TARGET_IP}"
+else
+    TARGET="${TEST_HOST}"
+fi
+
 # PID file for sleep command (explanation below)
 sleep_pidfile="$(mktemp mod_gnutls_test-XXXXXX.pid)"
 
@@ -211,18 +235,18 @@ sleep_pidfile="$(mktemp mod_gnutls_test-
 # The line end manipulation in sed guarantees that all header lines
 # end with CRLF as required by RFC 7230, Section 3.1.1 regardless of
 # the line ends in the input file.
-if (sed -r "s/__HOSTNAME__/${TEST_HOST}/;s/\r?$/\r/" <${t}/input && \
-	   run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_DELAY}" &) | \
-       gnutls-cli -p "${TEST_PORT}" $(cat ${t}/gnutls-cli.args) "${TEST_HOST}" \
+if (sed -r "s/__HOSTNAME__/${TEST_HOST}/;s/\r?$/\r/" <${testdir}/input && \
+	   run_with_pidfile "${sleep_pidfile}" sleep "${TEST_QUERY_TIMEOUT}" &) | \
+       gnutls-cli -p "${TEST_PORT}" $(cat ${testdir}/gnutls-cli.args) "${TARGET}" \
        | tee "$output" && test "${PIPESTATUS[1]}" -eq 0;
 then
-    if [ -e ${t}/fail* ]; then
-        printf "%s should have failed but succeeded\n" "$(basename "$t")" >&2
+    if [ -e ${testdir}/fail* ]; then
+        printf "%s should have failed but succeeded\n" "$(basename "$testdir")" >&2
         exit 1
     fi
 else
-    if [ ! -e ${t}/fail* ]; then
-        printf "%s should have succeeded but failed\n" "$(basename "$t")" >&2
+    if [ ! -e ${testdir}/fail* ]; then
+        printf "%s should have succeeded but failed\n" "$(basename "$testdir")" >&2
         exit 1
     fi
 fi
@@ -230,17 +254,25 @@ fi
 kill_by_pidfile "${sleep_pidfile}"
 unset sleep_pidfile
 
-if [ -e ${t}/output ] ; then
-    diff_output_filter_headers "${t}/output" "$output" >&2
+if [ -e ${testdir}/output ] ; then
+    diff_output_filter_headers "${testdir}/output" "$output" >&2
 fi
 if [ -n "${USE_MSVA}" ]; then
     trap stop_msva EXIT
 else
     trap - EXIT
 fi
-${APACHE2} -f "${t}/apache.conf" -k stop || [ -e ${t}/fail.server ]
+${APACHE2} -f "${testdir}/apache.conf" -k stop || [ -e ${testdir}/fail.server ]
 printf "SUCCESS: %s\n" "$TEST_NAME"
 
+if [ -r "${testdir}/backend.conf" ]; then
+    apache_service "${testdir}" "backend.conf" stop || true
+fi
+
+if [ -r "${testdir}/ocsp.conf" ]; then
+    apache_service "${testdir}" "ocsp.conf" stop || true
+fi
+
 if [ -n "${USE_MSVA}" ]; then
     stop_msva
     # Without explicitly resetting the trap function, it would be
diff -pruN 0.8.2-3/test/server.template.in 0.9.0-1/test/server.template.in
--- 0.8.2-3/test/server.template.in	2017-01-08 13:35:54.000000000 +0000
+++ 0.9.0-1/test/server.template.in	2018-11-28 15:15:59.000000000 +0000
@@ -4,4 +4,5 @@ tls_www_server
 signing_key
 encryption_key
 dns_name="__HOSTNAME__"
-### ocsp_uri=http://__HOSTNAME__:__OCSP_PORT__/ocsp/
+__OCSP_URI__
+__IP_ADDRESSES__
diff -pruN 0.8.2-3/test/server.uid.in 0.9.0-1/test/server.uid.in
--- 0.8.2-3/test/server.uid.in	2015-11-02 21:32:09.000000000 +0000
+++ 0.9.0-1/test/server.uid.in	1970-01-01 00:00:00.000000000 +0000
@@ -1 +0,0 @@
-__HOSTNAME__
diff -pruN 0.8.2-3/test/test-14_basic_openpgp.bash 0.9.0-1/test/test-14_basic_openpgp.bash
--- 0.8.2-3/test/test-14_basic_openpgp.bash	2015-11-23 22:59:45.000000000 +0000
+++ 0.9.0-1/test/test-14_basic_openpgp.bash	1970-01-01 00:00:00.000000000 +0000
@@ -1,2 +0,0 @@
-#!/bin/bash
-${srcdir}/runtests t-14
diff -pruN 0.8.2-3/test/test-14_resume_session.bash 0.9.0-1/test/test-14_resume_session.bash
--- 0.8.2-3/test/test-14_resume_session.bash	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/test-14_resume_session.bash	2018-09-30 20:59:29.000000000 +0000
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+${srcdir}/runtests t-14
+
+t="$(basename ${0} .bash)"
+output="outputs/${t#test-}.output"
+echo "Checking if the session was resumed successfully..."
+# NOTE: The "Resume Handshake was completed" message appears after the
+# second handshake is complete, whether the session has been resumed
+# or not. The following message is required!
+grep "This is a resumed session" "${output}"
diff -pruN 0.8.2-3/test/test-16_view-status.bash 0.9.0-1/test/test-16_view-status.bash
--- 0.8.2-3/test/test-16_view-status.bash	2015-11-23 22:59:45.000000000 +0000
+++ 0.9.0-1/test/test-16_view-status.bash	2018-09-30 20:59:29.000000000 +0000
@@ -1,2 +1,21 @@
 #!/bin/bash
+set -e
 ${srcdir}/runtests t-16
+
+# expected output file
+output="outputs/16_view-status.output"
+# get the cipher suite reported by gnutls-cli
+cli_suite="$(grep -o -P '(?<=^-\sDescription:\s).*$' "${output}")" || true
+# extract cipher suite from the server status output
+status_suite="$(grep -o -P '(?<=^Current TLS session:\s).*$' "${output}")" \
+    || true
+
+echo
+if [[ -n "${cli_suite}" && "${status_suite}" = "${cli_suite}" ]]; then
+    echo "Server and client report matching cipher suite: ${status_suite}"
+else
+    echo "ERROR: Cipher suites mismatching or missing!"
+    echo "Server: '${status_suite}'"
+    echo "Client: '${cli_suite}'"
+    exit 1
+fi
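Review bot: Both extractions use `grep -o -P`, and because each is followed by `|| true`, a `grep` built without PCRE support ends in "Cipher suites mismatching or missing!" rather than a message about the missing feature. The look-behind is not needed: `sed -n 's/^-[[:space:]]Description:[[:space:]]//p' "${output}"` and `sed -n 's/^Current TLS session:[[:space:]]//p' "${output}"` give the same text with POSIX tools. The output path is hard-coded here while `test-14_resume_session.bash` derives it from `$0`; using one form in both scripts would be more consistent.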
diff -pruN 0.8.2-3/test/test-19_TLS_reverse_proxy.bash 0.9.0-1/test/test-19_TLS_reverse_proxy.bash
--- 0.8.2-3/test/test-19_TLS_reverse_proxy.bash	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/test-19_TLS_reverse_proxy.bash	2018-04-19 18:01:35.000000000 +0000
@@ -1,21 +1,2 @@
 #!/bin/bash
-
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/19_TLS_reverse_proxy"
-. $(dirname ${0})/proxy_backend.bash
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-19
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT
diff -pruN 0.8.2-3/test/test-20_TLS_reverse_proxy_client_auth.bash 0.9.0-1/test/test-20_TLS_reverse_proxy_client_auth.bash
--- 0.8.2-3/test/test-20_TLS_reverse_proxy_client_auth.bash	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/test-20_TLS_reverse_proxy_client_auth.bash	2018-04-19 18:01:35.000000000 +0000
@@ -1,21 +1,2 @@
 #!/bin/bash
-
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/20_TLS_reverse_proxy_client_auth"
-. $(dirname ${0})/proxy_backend.bash
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-20
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT
diff -pruN 0.8.2-3/test/test-21_TLS_reverse_proxy_wrong_cert.bash 0.9.0-1/test/test-21_TLS_reverse_proxy_wrong_cert.bash
--- 0.8.2-3/test/test-21_TLS_reverse_proxy_wrong_cert.bash	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/test-21_TLS_reverse_proxy_wrong_cert.bash	2018-04-19 18:01:35.000000000 +0000
@@ -1,21 +1,2 @@
 #!/bin/bash
-
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/21_TLS_reverse_proxy_wrong_cert"
-. $(dirname ${0})/proxy_backend.bash
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-21
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT
diff -pruN 0.8.2-3/test/test-22_TLS_reverse_proxy_crl_revoke.bash 0.9.0-1/test/test-22_TLS_reverse_proxy_crl_revoke.bash
--- 0.8.2-3/test/test-22_TLS_reverse_proxy_crl_revoke.bash	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/test-22_TLS_reverse_proxy_crl_revoke.bash	2018-04-19 18:01:35.000000000 +0000
@@ -1,21 +1,2 @@
 #!/bin/bash
-
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/22_TLS_reverse_proxy_crl_revoke"
-. $(dirname ${0})/proxy_backend.bash
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-22
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT
diff -pruN 0.8.2-3/test/test-23_TLS_reverse_proxy_mismatched_priorities.bash 0.9.0-1/test/test-23_TLS_reverse_proxy_mismatched_priorities.bash
--- 0.8.2-3/test/test-23_TLS_reverse_proxy_mismatched_priorities.bash	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/test-23_TLS_reverse_proxy_mismatched_priorities.bash	2018-04-19 18:01:35.000000000 +0000
@@ -1,26 +1,7 @@
 #!/bin/bash
 
-set -e
-: ${srcdir:="."}
-. ${srcdir}/common.bash
-netns_reexec ${@}
-
-testdir="${srcdir}/tests/23_TLS_reverse_proxy_mismatched_priorities"
-. $(dirname ${0})/proxy_backend.bash
-
 # This test checks if server and proxy priorities are applied
 # properly. The proxy server requries a TLS 1.2 connection, but the
 # back end server is configured not to use TLS 1.2. The proxy request
 # must fail and the client must receive an error message to pass.
-
-function stop_backend
-{
-    backend_apache "${testdir}" "backend.conf" stop
-}
-backend_apache "${testdir}" "backend.conf" start "${BACKEND_LOCK}"
-trap stop_backend EXIT
-
 ${srcdir}/runtests t-23
-
-backend_apache "${testdir}" "backend.conf" stop
-trap - EXIT
diff -pruN 0.8.2-3/test/test-26_redirect_HTTP_to_HTTPS.bash 0.9.0-1/test/test-26_redirect_HTTP_to_HTTPS.bash
--- 0.8.2-3/test/test-26_redirect_HTTP_to_HTTPS.bash	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/test-26_redirect_HTTP_to_HTTPS.bash	2018-04-19 18:01:35.000000000 +0000
@@ -10,23 +10,17 @@ netns_reexec ${@}
 
 testdir="${srcdir}/tests/26_redirect_HTTP_to_HTTPS"
 TEST_NAME="$(basename ${testdir})"
-. $(dirname ${0})/proxy_backend.bash
+. $(dirname ${0})/apache_service.bash
 
 : ${TEST_HTTP_PORT:="9935"}
 export TEST_HTTP_PORT
 
-# "Proxy backend" functions are used to start the only instance needed
-# here without "runtests". We have to override BACKEND_PID and
-# BACKEND_PORT to make them match what a runtests-based test would
-# use.
-export BACKEND_PID="apache2.pid"
-export BACKEND_PORT="${TEST_PORT}"
-function stop_backend
+function stop_server
 {
-    backend_apache "${testdir}" "apache.conf" stop
+    apache_service "${testdir}" "apache.conf" stop
 }
-backend_apache "${testdir}" "apache.conf" start "${TEST_LOCK}"
-trap stop_backend EXIT
+apache_service "${testdir}" "apache.conf" start "${TEST_LOCK}"
+trap stop_server EXIT
 
 output="outputs/${TEST_NAME}.output"
 rm -f "$output"
@@ -47,5 +41,5 @@ fi
 # used ciphersuite.
 grep "Current TLS session: (TLS" "${output}"
 
-backend_apache "${testdir}" "apache.conf" stop
+stop_server
 trap - EXIT
diff -pruN 0.8.2-3/test/test-27_OCSP_server.bash 0.9.0-1/test/test-27_OCSP_server.bash
--- 0.8.2-3/test/test-27_OCSP_server.bash	2017-01-03 20:47:45.000000000 +0000
+++ 0.9.0-1/test/test-27_OCSP_server.bash	2018-04-19 18:01:35.000000000 +0000
@@ -4,11 +4,6 @@
 # Skip if OCSP tests are not enabled
 [ -n "${OCSP_PORT}" ] || exit 77
 
-# trigger OCSP server test in the runtests script
-export CHECK_OCSP_SERVER="true"
-echo "OCSP index for the test CA:"
-cat authority/ocsp_index.txt
-
 ${srcdir}/runtests t-27
 ret=${?}
 
diff -pruN 0.8.2-3/test/test-28_HTTP2_support.bash 0.9.0-1/test/test-28_HTTP2_support.bash
--- 0.8.2-3/test/test-28_HTTP2_support.bash	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/test-28_HTTP2_support.bash	2018-04-19 18:01:35.000000000 +0000
@@ -0,0 +1,44 @@
+#!/bin/bash
+#
+# Check if HTTP/2 connections using mod_gnutls and mod_http2 work
+
+set -e
+: ${srcdir:="."}
+. ${srcdir}/common.bash
+netns_reexec ${@}
+
+testdir="${srcdir}/tests/28_HTTP2_support"
+TEST_NAME="$(basename ${testdir})"
+. $(dirname ${0})/apache_service.bash
+
+if [ ! -r ${AP_LIBEXECDIR}/mod_http2.so ]; then
+    echo "mod_http2.so not found, skipping." 2>&1
+    exit 77
+elif [ "$(basename ${HTTP_CLI})" != "curl" ] \
+       || ! ${HTTP_CLI} -V | grep -P '\sHTTP2($|\s)'; then
+    echo "Curl not found or does not support HTTP/2, skipping." 2>&1
+    exit 77
+fi
+
+function stop_server
+{
+    apache_service "${testdir}" "apache.conf" stop
+}
+apache_service "${testdir}" "apache.conf" start "${TEST_LOCK}"
+trap stop_server EXIT
+
+output="outputs/${TEST_NAME}.output"
+header="outputs/${TEST_NAME}.header"
+rm -f "${output}" "${header}"
+
+URL="https://${TEST_HOST}:${TEST_PORT}/status?auto"
+${HTTP_CLI} --http2 --location --verbose --cacert authority/x509.pem \
+	    --dump-header "${header}" --output "${output}" "${URL}"
+
+echo "Checking for HTTP/2 in logged header:"
+grep "HTTP/2 200" "${header}"
+echo "Checking for TLS session status:"
+grep "Current TLS session: (TLS" "${output}"
+
+apache_service "${testdir}" "apache.conf" stop
+trap - EXIT
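Review bot: Both skip messages (the missing `mod_http2.so` case and the curl check) end in `2>&1`, which only points echo's unused stderr at stdout. If the skip reason is meant to go to stderr, the redirect should be `>&2`, e.g. `echo "mod_http2.so not found, skipping." >&2`. The same `2>&1` appears in the new test-34_TLS_reverse_proxy_h2.bash. Separately, the path in `[ ! -r ${AP_LIBEXECDIR}/mod_http2.so ]` is unquoted here while test-34 quotes it; `[ ! -r "${AP_LIBEXECDIR}/mod_http2.so" ]` keeps the check correct if the directory name contains spaces.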
diff -pruN 0.8.2-3/test/test-29_force_handshake_vhost.bash 0.9.0-1/test/test-29_force_handshake_vhost.bash
--- 0.8.2-3/test/test-29_force_handshake_vhost.bash	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/test-29_force_handshake_vhost.bash	2018-11-02 10:55:39.000000000 +0000
@@ -0,0 +1,2 @@
+#!/bin/bash
+${srcdir}/runtests t-29
diff -pruN 0.8.2-3/test/test-30_ip_based_vhosts.bash 0.9.0-1/test/test-30_ip_based_vhosts.bash
--- 0.8.2-3/test/test-30_ip_based_vhosts.bash	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/test-30_ip_based_vhosts.bash	2018-11-02 10:55:39.000000000 +0000
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Parse TEST_IP into an array
+declare -a addrs=(${TEST_IP})
+if [ ${#addrs[@]} -lt 2 ]; then
+    echo "This test needs two or more IP addresses in TEST_IP," \
+	 "check ./configure options!"
+    exit 77
+fi
+
+# The two virtual hosts have different IPs, so we can check if
+# selection without SNI works correctly. The request will go to the
+# second one.
+export VHOST1_IP="${addrs[0]}"
+export VHOST2_IP="${addrs[1]}"
+
+# gnutls-cli expects IPv6 addresses without enclosing brackets, remove
+# them
+TARGET_IP="${VHOST2_IP#\[}"
+TARGET_IP="${TARGET_IP%\]}"
+export TARGET_IP
+
+${srcdir}/runtests t-30
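Review bot: `declare -a addrs=(${TEST_IP})` expands TEST_IP unquoted, so each word goes through pathname expansion as well as word splitting. A bracketed IPv6 address (for example `[::1]`) is a valid glob pattern and would be replaced by a matching file name if one exists in the working directory. Reading the list without globbing avoids that: `read -r -a addrs <<< "${TEST_IP}"`. The script also uses `${srcdir}` without the `: ${srcdir:="."}` default that other new test scripts in this diff set.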
diff -pruN 0.8.2-3/test/test-31_vhost_SNI_serveralias_match.bash 0.9.0-1/test/test-31_vhost_SNI_serveralias_match.bash
--- 0.8.2-3/test/test-31_vhost_SNI_serveralias_match.bash	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/test-31_vhost_SNI_serveralias_match.bash	2018-12-12 20:54:54.000000000 +0000
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -e
+: ${srcdir:="."}
+. ${srcdir}/common.bash
+
+require_gnutls_cli 3.5.12 || (echo "Using --sni-hostname requires gnutls-cli version 3.5.12 or newer"; exit 77)
+${srcdir}/runtests t-31
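Review bot: The skip path `require_gnutls_cli 3.5.12 || (echo "…"; exit 77)` runs `exit 77` inside a subshell, so the exit only ends the subshell. The script stops with status 77 only because `set -e` then aborts on the failed list. A brace group makes the skip explicit and independent of errexit: `require_gnutls_cli 3.5.12 || { echo "…"; exit 77; }`. The same line is used in test-32_vhost_SNI_serveralias_mismatch.bash and test-33_vhost_SNI_serveralias_missinghost.bash. `require_gnutls_cli` is defined outside these hunks (presumably in common.bash), so its own exit behaviour is not visible here.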
diff -pruN 0.8.2-3/test/test-32_vhost_SNI_serveralias_mismatch.bash 0.9.0-1/test/test-32_vhost_SNI_serveralias_mismatch.bash
--- 0.8.2-3/test/test-32_vhost_SNI_serveralias_mismatch.bash	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/test-32_vhost_SNI_serveralias_mismatch.bash	2018-12-12 20:54:54.000000000 +0000
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -e
+: ${srcdir:="."}
+. ${srcdir}/common.bash
+
+require_gnutls_cli 3.5.12 || (echo "Using --sni-hostname requires gnutls-cli version 3.5.12 or newer"; exit 77)
+${srcdir}/runtests t-32
diff -pruN 0.8.2-3/test/test-33_vhost_SNI_serveralias_missinghost.bash 0.9.0-1/test/test-33_vhost_SNI_serveralias_missinghost.bash
--- 0.8.2-3/test/test-33_vhost_SNI_serveralias_missinghost.bash	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/test-33_vhost_SNI_serveralias_missinghost.bash	2018-12-12 20:54:54.000000000 +0000
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -e
+: ${srcdir:="."}
+. ${srcdir}/common.bash
+
+require_gnutls_cli 3.5.12 || (echo "Using --sni-hostname requires gnutls-cli version 3.5.12 or newer"; exit 77)
+${srcdir}/runtests t-33
diff -pruN 0.8.2-3/test/test-34_TLS_reverse_proxy_h2.bash 0.9.0-1/test/test-34_TLS_reverse_proxy_h2.bash
--- 0.8.2-3/test/test-34_TLS_reverse_proxy_h2.bash	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/test-34_TLS_reverse_proxy_h2.bash	2019-01-05 17:28:56.000000000 +0000
@@ -0,0 +1,8 @@
+#!/bin/bash
+for mod in mod_http2.so mod_proxy_http2.so; do
+    if [ ! -r "${AP_LIBEXECDIR}/${mod}" ]; then
+	echo "${mod} not found, skipping." 2>&1
+	exit 77
+    fi
+done
+${srcdir}/runtests t-34
diff -pruN 0.8.2-3/test/test_ca.mk 0.9.0-1/test/test_ca.mk
--- 0.8.2-3/test/test_ca.mk	2016-06-20 19:29:18.000000000 +0000
+++ 0.9.0-1/test/test_ca.mk	2018-12-12 20:54:54.000000000 +0000
@@ -1,17 +1,18 @@
 #!/usr/bin/make -f
 # Authors:
 # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-# Thomas Klute <thomas2.klute@uni-dortmund.de>
+# Fiona Klute <fiona.klute@gmx.de>
 
 # General rules to set up a miniature CA & server & client environment
 # for the test suite
 
 %.template: $(srcdir)/%.template.in
 	sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@
-	if test -n "$(OCSP_PORT)"; then \
-		sed -i -e 's/^### ocsp/ocsp/' \
-			-e s/__OCSP_PORT__/$(OCSP_PORT)/ $@; \
-	fi
+	sed -i -e "s,__OCSP_URI__,$(OCSP_URI_TEMPLATE)," $@
+	for i in $(patsubst [%],%,$(TEST_IP)); do \
+		IP_ADDRS="$${IP_ADDRS}\nip_address = $${i}"; \
+	done; \
+	sed -i -e "s,__IP_ADDRESSES__,$${IP_ADDRS#\\n}," $@
 
 %.uid: $(srcdir)/%.uid.in
 	sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@
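Review bot: The loop in the `%.template` recipe appends to `$${IP_ADDRS}` without initialising it, so an `IP_ADDRS` value already in the environment of the make run would be written into the certificate template ahead of the `ip_address` lines. Starting the line with an assignment avoids that: `IP_ADDRS=""; for i in $(patsubst [%],%,$(TEST_IP)); do \`. The two new `sed -i` expressions also interpolate `$(OCSP_URI_TEMPLATE)` and the address list unescaped into a `,`-delimited replacement, so a value containing `,`, `&` or a backslash would change the substitution. A short comment stating that these values must not contain those characters would document the assumption. The `\n` in the replacement and `-i` both rely on GNU sed.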
@@ -21,8 +22,10 @@
 	chmod 0700 $(dir $@)
 	certtool --outfile $@ --generate-privkey
 
+.PRECIOUS: %/secret.key
+
 %/secret.pgp.raw: %.uid %/secret.key
-	PEM2OPENPGP_EXPIRATION=86400 PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign pem2openpgp "$$(cat $<)" < $(dir $@)secret.key > $@
+	PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign pem2openpgp "$$(cat $<)" < $(dir $@)secret.key > $@
 
 %/secret.pgp: %/secret.pgp.raw pgpcrc
 	(printf -- '-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: test\n\n' && \
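Review bot: `.PRECIOUS: %/secret.key` is added without a comment, and it has a side effect worth documenting. Besides stopping make from deleting the key as an intermediate file, it also keeps a partially written `secret.key` if `certtool` is interrupted, and later runs would treat that file as up to date. I would add a comment above it such as `# Keep generated keys between runs; if key generation is interrupted, delete the key file by hand`. The same hunk drops `PEM2OPENPGP_EXPIRATION=86400`, so the OpenPGP test keys presumably no longer expire after a day; a one-line comment saying this is intentional would help. The `%/secret.key` rule starts above the hunk.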
@@ -47,9 +50,9 @@
 # */cert.pgp avoids having to lock for all */minimal.pgp, too.
 %/cert.pgp: %/minimal.pgp authority/minimal.pgp
 	if test -r $@; then rm $@; fi
-	GNUPGHOME=authority $(GPG_FLOCK) gpg --import $<
-	GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
-	GNUPGHOME=authority $(GPG_FLOCK) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
+	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --import $<
+	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
+	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
 
 # special cases for the authorities' root certs:
 authority/x509.pem: authority.template authority/secret.key
@@ -81,6 +84,7 @@ rogue%/x509.pem: rogue%.template rogue%/
 	echo "directories.tokendir = $(dir $@)softhsm2.db" >> $@
 
 %/softhsm2.db: %/x509.pem %/secret.key %/softhsm2.conf
+	rm -rf $@
 	mkdir -p $@
 	SOFTHSM="$(SOFTHSM)" \
 	SOFTHSM2_CONF="$(dir $@)softhsm2.conf" \
diff -pruN 0.8.2-3/test/tests/00_basic/apache.conf 0.9.0-1/test/tests/00_basic/apache.conf
--- 0.8.2-3/test/tests/00_basic/apache.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/00_basic/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,11 +1,10 @@
 Include ${srcdir}/base_apache.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 <VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On
  GnuTLSCertificateFile server/x509.pem
  GnuTLSKeyFile server/secret.key
- GnuTLSPriorities NORMAL
 </VirtualHost>
diff -pruN 0.8.2-3/test/tests/01_serverwide_priorities/apache.conf 0.9.0-1/test/tests/01_serverwide_priorities/apache.conf
--- 0.8.2-3/test/tests/01_serverwide_priorities/apache.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/01_serverwide_priorities/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,6 +1,6 @@
 Include ${srcdir}/base_apache.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 GnuTLSPriorities NORMAL
 
diff -pruN 0.8.2-3/test/tests/02_cache_in_vhost/apache.conf 0.9.0-1/test/tests/02_cache_in_vhost/apache.conf
--- 0.8.2-3/test/tests/02_cache_in_vhost/apache.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/02_cache_in_vhost/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -2,7 +2,7 @@ Include ${srcdir}/base_apache.conf
 
 <VirtualHost _default_:${TEST_PORT}>
  # Cache configuration not allowed in here:
- GnuTLSCache dbm cache/gnutls_cache
+ GnuTLSCache ${DEFAULT_CACHE}
  ServerName ${TEST_HOST}
  GnuTLSEnable On
  GnuTLSCertificateFile server/x509.pem
diff -pruN 0.8.2-3/test/tests/03_cachetimeout_in_vhost/apache.conf 0.9.0-1/test/tests/03_cachetimeout_in_vhost/apache.conf
--- 0.8.2-3/test/tests/03_cachetimeout_in_vhost/apache.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/03_cachetimeout_in_vhost/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,7 +1,7 @@
 Include ${srcdir}/base_apache.conf
+GnuTLSCache ${DEFAULT_CACHE}
 
 <VirtualHost _default_:${TEST_PORT}>
- # Cache configuration not allowed in here:
  GnuTLSCacheTimeout 200
  ServerName ${TEST_HOST}
  GnuTLSEnable On
diff -pruN 0.8.2-3/test/tests/03_cachetimeout_in_vhost/output 0.9.0-1/test/tests/03_cachetimeout_in_vhost/output
--- 0.8.2-3/test/tests/03_cachetimeout_in_vhost/output	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/03_cachetimeout_in_vhost/output	2018-09-30 20:59:29.000000000 +0000
@@ -0,0 +1,7 @@
+Accept-Ranges: bytes
+Content-Length: 5
+Connection: close
+Content-Type: text/plain
+
+test
+- Peer has closed the GnuTLS connection
diff -pruN 0.8.2-3/test/tests/04_basic_nosni/apache.conf 0.9.0-1/test/tests/04_basic_nosni/apache.conf
--- 0.8.2-3/test/tests/04_basic_nosni/apache.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/04_basic_nosni/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,6 +1,6 @@
 Include ${srcdir}/base_apache.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 <VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
diff -pruN 0.8.2-3/test/tests/05_mismatched-priorities/apache.conf 0.9.0-1/test/tests/05_mismatched-priorities/apache.conf
--- 0.8.2-3/test/tests/05_mismatched-priorities/apache.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/05_mismatched-priorities/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,6 +1,6 @@
 Include ${srcdir}/base_apache.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 <VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
diff -pruN 0.8.2-3/test/tests/06_verify_sni_a/apache.conf 0.9.0-1/test/tests/06_verify_sni_a/apache.conf
--- 0.8.2-3/test/tests/06_verify_sni_a/apache.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/06_verify_sni_a/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,8 +1,6 @@
 Include ${srcdir}/base_apache.conf
 
-GnuTLSCache dbm cache/gnutls_cache
-
-NameVirtualHost _default_:${TEST_PORT}
+GnuTLSCache ${DEFAULT_CACHE}
 
 <VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
diff -pruN 0.8.2-3/test/tests/07_verify_sni_b/apache.conf 0.9.0-1/test/tests/07_verify_sni_b/apache.conf
--- 0.8.2-3/test/tests/07_verify_sni_b/apache.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/07_verify_sni_b/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,8 +1,6 @@
 Include ${srcdir}/base_apache.conf
 
-GnuTLSCache dbm cache/gnutls_cache
-
-NameVirtualHost _default_:${TEST_PORT}
+GnuTLSCache ${DEFAULT_CACHE}
 
 # trying in a different order from 06_verify_sni_a
 
diff -pruN 0.8.2-3/test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf 0.9.0-1/test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf
--- 0.8.2-3/test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/08_verify_no_sni_fallback_to_first_vhost/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,8 +1,6 @@
 Include ${srcdir}/base_apache.conf
 
-GnuTLSCache dbm cache/gnutls_cache
-
-NameVirtualHost _default_:${TEST_PORT}
+GnuTLSCache ${DEFAULT_CACHE}
 
 <VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
diff -pruN 0.8.2-3/test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf 0.9.0-1/test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf
--- 0.8.2-3/test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/09_verify_no_sni_fails_with_wrong_order/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,8 +1,6 @@
 Include ${srcdir}/base_apache.conf
 
-GnuTLSCache dbm cache/gnutls_cache
-
-NameVirtualHost _default_:${TEST_PORT}
+GnuTLSCache ${DEFAULT_CACHE}
 
 # In this order, clients with no SNI should get the imposter's key
 
diff -pruN 0.8.2-3/test/tests/10_basic_client_verification/apache.conf 0.9.0-1/test/tests/10_basic_client_verification/apache.conf
--- 0.8.2-3/test/tests/10_basic_client_verification/apache.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/10_basic_client_verification/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,6 +1,6 @@
 Include ${srcdir}/base_apache.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 <VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
diff -pruN 0.8.2-3/test/tests/11_basic_client_verification_fail/apache.conf 0.9.0-1/test/tests/11_basic_client_verification_fail/apache.conf
--- 0.8.2-3/test/tests/11_basic_client_verification_fail/apache.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/11_basic_client_verification_fail/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,6 +1,6 @@
 Include ${srcdir}/base_apache.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 <VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
diff -pruN 0.8.2-3/test/tests/12_cgi_variables/apache.conf 0.9.0-1/test/tests/12_cgi_variables/apache.conf
--- 0.8.2-3/test/tests/12_cgi_variables/apache.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/12_cgi_variables/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,7 +1,7 @@
 Include ${srcdir}/base_apache.conf
 Include ${srcdir}/cgi_module.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 <Directory ${srcdir}/data>
  Options +ExecCGI
@@ -12,6 +12,7 @@ GnuTLSCache dbm cache/gnutls_cache
  GnuTLSEnable On
  GnuTLSCertificateFile server/x509.pem
  GnuTLSKeyFile server/secret.key
+ GnuTLSDHFile ${srcdir}/ffdhe3072.pem
  GnuTLSPriorities NORMAL
  GnuTLSClientCAFile authority/x509.pem
  GnuTLSClientVerify request
diff -pruN 0.8.2-3/test/tests/12_cgi_variables/output 0.9.0-1/test/tests/12_cgi_variables/output
--- 0.8.2-3/test/tests/12_cgi_variables/output	2015-11-02 21:32:09.000000000 +0000
+++ 0.9.0-1/test/tests/12_cgi_variables/output	2018-09-30 20:59:29.000000000 +0000
@@ -7,5 +7,4 @@ SUCCESS
 ----SubjectAltName:----
 RFC822NAME:test0@modgnutls.test
 
-DH prime bits: 2048
 - Peer has closed the GnuTLS connection
diff -pruN 0.8.2-3/test/tests/13_cgi_variables_no_client_cert/apache.conf 0.9.0-1/test/tests/13_cgi_variables_no_client_cert/apache.conf
--- 0.8.2-3/test/tests/13_cgi_variables_no_client_cert/apache.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/13_cgi_variables_no_client_cert/apache.conf	2018-10-24 17:13:34.000000000 +0000
@@ -1,7 +1,7 @@
 Include ${srcdir}/base_apache.conf
 Include ${srcdir}/cgi_module.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 <Directory ${srcdir}/data>
  Options +ExecCGI
diff -pruN 0.8.2-3/test/tests/13_cgi_variables_no_client_cert/output 0.9.0-1/test/tests/13_cgi_variables_no_client_cert/output
--- 0.8.2-3/test/tests/13_cgi_variables_no_client_cert/output	2016-02-11 17:17:40.000000000 +0000
+++ 0.9.0-1/test/tests/13_cgi_variables_no_client_cert/output	2018-10-24 05:52:09.000000000 +0000
@@ -10,5 +10,4 @@ NONE
 ----SubjectAltName:----
 
 
-DH prime bits: 
 - Peer has closed the GnuTLS connection
diff -pruN 0.8.2-3/test/tests/14_basic_openpgp/apache.conf 0.9.0-1/test/tests/14_basic_openpgp/apache.conf
--- 0.8.2-3/test/tests/14_basic_openpgp/apache.conf	2016-06-12 23:23:16.000000000 +0000
+++ 0.9.0-1/test/tests/14_basic_openpgp/apache.conf	1970-01-01 00:00:00.000000000 +0000
@@ -1,11 +0,0 @@
-Include ${srcdir}/base_apache.conf
-
-GnuTLSCache dbm cache/gnutls_cache
-
-<VirtualHost _default_:${TEST_PORT}>
- ServerName ${TEST_HOST}
- GnuTLSEnable On
- GnuTLSPGPCertificateFile server/cert.pgp
- GnuTLSPGPKeyFile server/secret.pgp
- GnuTLSPriorities NORMAL:+CTYPE-OPENPGP
-</VirtualHost>
diff -pruN 0.8.2-3/test/tests/14_basic_openpgp/gnutls-cli.args 0.9.0-1/test/tests/14_basic_openpgp/gnutls-cli.args
--- 0.8.2-3/test/tests/14_basic_openpgp/gnutls-cli.args	2016-06-13 17:23:33.000000000 +0000
+++ 0.9.0-1/test/tests/14_basic_openpgp/gnutls-cli.args	1970-01-01 00:00:00.000000000 +0000
@@ -1,2 +0,0 @@
---pgpkeyring=authority/cert.pgp
---priority=NORMAL:-CTYPE-X509:+CTYPE-OPENPGP:+CTYPE-X509
diff -pruN 0.8.2-3/test/tests/14_basic_openpgp/input 0.9.0-1/test/tests/14_basic_openpgp/input
--- 0.8.2-3/test/tests/14_basic_openpgp/input	2015-11-02 21:32:09.000000000 +0000
+++ 0.9.0-1/test/tests/14_basic_openpgp/input	1970-01-01 00:00:00.000000000 +0000
@@ -1,3 +0,0 @@
-GET /test.txt HTTP/1.1
-Host: __HOSTNAME__
-
diff -pruN 0.8.2-3/test/tests/14_basic_openpgp/output 0.9.0-1/test/tests/14_basic_openpgp/output
--- 0.8.2-3/test/tests/14_basic_openpgp/output	2015-11-02 21:32:09.000000000 +0000
+++ 0.9.0-1/test/tests/14_basic_openpgp/output	1970-01-01 00:00:00.000000000 +0000
@@ -1,7 +0,0 @@
-Accept-Ranges: bytes
-Content-Length: 5
-Connection: close
-Content-Type: text/plain
-
-test
-- Peer has closed the GnuTLS connection
diff -pruN 0.8.2-3/test/tests/14_resume_session/apache.conf 0.9.0-1/test/tests/14_resume_session/apache.conf
--- 0.8.2-3/test/tests/14_resume_session/apache.conf	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/14_resume_session/apache.conf	2018-10-02 16:55:15.000000000 +0000
@@ -0,0 +1,12 @@
+Include ${srcdir}/base_apache.conf
+
+GnuTLSCache ${DEFAULT_CACHE}
+GnuTLSSessionTickets	on
+
+<VirtualHost _default_:${TEST_PORT}>
+ ServerName ${TEST_HOST}
+ GnuTLSEnable On
+ GnuTLSCertificateFile server/x509.pem
+ GnuTLSKeyFile server/secret.key
+ GnuTLSPriorities NORMAL
+</VirtualHost>
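Review bot: This configuration enables both `GnuTLSCache ${DEFAULT_CACHE}` and `GnuTLSSessionTickets on`, so a successful `--resume` run does not show which mechanism served the resumption (assuming `DEFAULT_CACHE` names a working cache). If the test is meant to cover session tickets, a comment saying so would help, e.g. `# Session tickets enabled explicitly; resumption may use tickets or the session cache`. Whether the harness asserts that the second connection was actually resumed is decided in runtests, which is not visible here. The expected output added for this test contains only the HTTP response.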
diff -pruN 0.8.2-3/test/tests/14_resume_session/gnutls-cli.args 0.9.0-1/test/tests/14_resume_session/gnutls-cli.args
--- 0.8.2-3/test/tests/14_resume_session/gnutls-cli.args	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/14_resume_session/gnutls-cli.args	2018-10-02 16:48:29.000000000 +0000
@@ -0,0 +1,3 @@
+--x509cafile=authority/x509.pem
+--priority=NORMAL
+--resume
diff -pruN 0.8.2-3/test/tests/14_resume_session/input 0.9.0-1/test/tests/14_resume_session/input
--- 0.8.2-3/test/tests/14_resume_session/input	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/14_resume_session/input	2018-09-30 20:59:29.000000000 +0000
@@ -0,0 +1,3 @@
+GET /test.txt HTTP/1.1
+Host: __HOSTNAME__
+
diff -pruN 0.8.2-3/test/tests/14_resume_session/output 0.9.0-1/test/tests/14_resume_session/output
--- 0.8.2-3/test/tests/14_resume_session/output	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/14_resume_session/output	2018-09-30 20:59:29.000000000 +0000
@@ -0,0 +1,7 @@
+Accept-Ranges: bytes
+Content-Length: 5
+Connection: close
+Content-Type: text/plain
+
+test
+- Peer has closed the GnuTLS connection
diff -pruN 0.8.2-3/test/tests/15_basic_msva/apache.conf 0.9.0-1/test/tests/15_basic_msva/apache.conf
--- 0.8.2-3/test/tests/15_basic_msva/apache.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/15_basic_msva/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,6 +1,6 @@
 Include ${srcdir}/base_apache.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 <VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
diff -pruN 0.8.2-3/test/tests/16_view-status/apache.conf 0.9.0-1/test/tests/16_view-status/apache.conf
--- 0.8.2-3/test/tests/16_view-status/apache.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/16_view-status/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -6,7 +6,7 @@ LoadModule	status_module	${AP_LIBEXECDIR
 </Location>
 ExtendedStatus On
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 <VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
diff -pruN 0.8.2-3/test/tests/16_view-status/gnutls-cli.args 0.9.0-1/test/tests/16_view-status/gnutls-cli.args
--- 0.8.2-3/test/tests/16_view-status/gnutls-cli.args	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/16_view-status/gnutls-cli.args	2018-09-30 20:59:29.000000000 +0000
@@ -1,2 +1,2 @@
 --x509cafile=authority/x509.pem
---priority=NONE:+VERS-TLS1.2:+AES-128-CBC:+SHA256:+RSA:+COMP-NULL:+SIGN-RSA-SHA256
+--priority=NORMAL
diff -pruN 0.8.2-3/test/tests/16_view-status/input 0.9.0-1/test/tests/16_view-status/input
--- 0.8.2-3/test/tests/16_view-status/input	2015-11-02 21:32:09.000000000 +0000
+++ 0.9.0-1/test/tests/16_view-status/input	2018-09-30 20:59:29.000000000 +0000
@@ -1,3 +1,3 @@
-GET /status HTTP/1.0
-Host: __HOSTNAME__
-
+GET /status?auto HTTP/1.0
+Host: __HOSTNAME__
+
diff -pruN 0.8.2-3/test/tests/16_view-status/output 0.9.0-1/test/tests/16_view-status/output
--- 0.8.2-3/test/tests/16_view-status/output	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/16_view-status/output	1970-01-01 00:00:00.000000000 +0000
@@ -1,5 +0,0 @@
-<dt>Using TLS:</dt><dd>yes</dd>
-<dt>Current TLS session:</dt><dd>(TLS1.2)-(RSA)-(AES-128-CBC)-(SHA256)</dd>
-</dl>
-</body></html>
-- Peer has closed the GnuTLS connection
diff -pruN 0.8.2-3/test/tests/17_cgi_vars_large_cert/apache.conf 0.9.0-1/test/tests/17_cgi_vars_large_cert/apache.conf
--- 0.8.2-3/test/tests/17_cgi_vars_large_cert/apache.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/17_cgi_vars_large_cert/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,7 +1,7 @@
 Include ${srcdir}/base_apache.conf
 Include ${srcdir}/cgi_module.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 <Directory ${srcdir}/data>
  Options +ExecCGI
@@ -12,6 +12,7 @@ GnuTLSCache dbm cache/gnutls_cache
  GnuTLSEnable On
  GnuTLSCertificateFile server/x509.pem
  GnuTLSKeyFile server/secret.key
+ GnuTLSDHFile ${srcdir}/ffdhe3072.pem
  GnuTLSPriorities NORMAL
  GnuTLSClientCAFile authority/x509.pem
  GnuTLSClientVerify request
diff -pruN 0.8.2-3/test/tests/17_cgi_vars_large_cert/output 0.9.0-1/test/tests/17_cgi_vars_large_cert/output
--- 0.8.2-3/test/tests/17_cgi_vars_large_cert/output	2015-11-02 21:32:09.000000000 +0000
+++ 0.9.0-1/test/tests/17_cgi_vars_large_cert/output	2018-09-30 20:59:29.000000000 +0000
@@ -7,5 +7,4 @@ SUCCESS
 ----SubjectAltName:----
 RFC822NAME:test0@modgnutls.test
 
-DH prime bits: 2048
 - Peer has closed the GnuTLS connection
diff -pruN 0.8.2-3/test/tests/18_client_verification_wrong_cert/apache.conf 0.9.0-1/test/tests/18_client_verification_wrong_cert/apache.conf
--- 0.8.2-3/test/tests/18_client_verification_wrong_cert/apache.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/18_client_verification_wrong_cert/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,6 +1,6 @@
 Include ${srcdir}/base_apache.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 <VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
diff -pruN 0.8.2-3/test/tests/19_TLS_reverse_proxy/apache.conf 0.9.0-1/test/tests/19_TLS_reverse_proxy/apache.conf
--- 0.8.2-3/test/tests/19_TLS_reverse_proxy/apache.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/19_TLS_reverse_proxy/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,18 +1,16 @@
 Include ${srcdir}/base_apache.conf
 Include ${srcdir}/proxy_mods.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 <VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
  GnuTLSEnable On
  GnuTLSCertificateFile server/x509.pem
  GnuTLSKeyFile server/secret.key
- GnuTLSPriorities NORMAL
 
  GnuTLSProxyEngine	On
  GnuTLSProxyCAFile	authority/x509.pem
- GnuTLSProxyPriorities	NORMAL
  ProxyPass /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/
  ProxyPassReverse /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/
 </VirtualHost>
diff -pruN 0.8.2-3/test/tests/19_TLS_reverse_proxy/backend.conf 0.9.0-1/test/tests/19_TLS_reverse_proxy/backend.conf
--- 0.8.2-3/test/tests/19_TLS_reverse_proxy/backend.conf	2016-06-01 19:46:40.000000000 +0000
+++ 0.9.0-1/test/tests/19_TLS_reverse_proxy/backend.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,12 +1,10 @@
-Include	${srcdir}/base_apache.conf
-Include	proxy_backend.conf
+Include	${PWD}/proxy_backend.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${BACKEND_CACHE}
 
 <VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On
  GnuTLSCertificateFile server/x509.pem
  GnuTLSKeyFile server/secret.key
- GnuTLSPriorities NORMAL
 </VirtualHost>
diff -pruN 0.8.2-3/test/tests/20_TLS_reverse_proxy_client_auth/apache.conf 0.9.0-1/test/tests/20_TLS_reverse_proxy_client_auth/apache.conf
--- 0.8.2-3/test/tests/20_TLS_reverse_proxy_client_auth/apache.conf	2016-06-01 19:46:41.000000000 +0000
+++ 0.9.0-1/test/tests/20_TLS_reverse_proxy_client_auth/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,7 +1,7 @@
 Include ${srcdir}/base_apache.conf
 Include ${srcdir}/proxy_mods.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 <VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
diff -pruN 0.8.2-3/test/tests/20_TLS_reverse_proxy_client_auth/backend.conf 0.9.0-1/test/tests/20_TLS_reverse_proxy_client_auth/backend.conf
--- 0.8.2-3/test/tests/20_TLS_reverse_proxy_client_auth/backend.conf	2016-06-01 19:46:41.000000000 +0000
+++ 0.9.0-1/test/tests/20_TLS_reverse_proxy_client_auth/backend.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,7 +1,6 @@
-Include	${srcdir}/base_apache.conf
-Include	proxy_backend.conf
+Include	${PWD}/proxy_backend.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${BACKEND_CACHE}
 
 <VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
diff -pruN 0.8.2-3/test/tests/21_TLS_reverse_proxy_wrong_cert/apache.conf 0.9.0-1/test/tests/21_TLS_reverse_proxy_wrong_cert/apache.conf
--- 0.8.2-3/test/tests/21_TLS_reverse_proxy_wrong_cert/apache.conf	2016-06-01 19:46:41.000000000 +0000
+++ 0.9.0-1/test/tests/21_TLS_reverse_proxy_wrong_cert/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,7 +1,7 @@
 Include ${srcdir}/base_apache.conf
 Include ${srcdir}/proxy_mods.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 <VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
diff -pruN 0.8.2-3/test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf 0.9.0-1/test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf
--- 0.8.2-3/test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf	2016-06-01 19:46:41.000000000 +0000
+++ 0.9.0-1/test/tests/21_TLS_reverse_proxy_wrong_cert/backend.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,7 +1,6 @@
-Include ${srcdir}/base_apache.conf
-Include proxy_backend.conf
+Include	${PWD}/proxy_backend.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${BACKEND_CACHE}
 
 <VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
diff -pruN 0.8.2-3/test/tests/22_TLS_reverse_proxy_crl_revoke/apache.conf 0.9.0-1/test/tests/22_TLS_reverse_proxy_crl_revoke/apache.conf
--- 0.8.2-3/test/tests/22_TLS_reverse_proxy_crl_revoke/apache.conf	2016-06-01 19:46:41.000000000 +0000
+++ 0.9.0-1/test/tests/22_TLS_reverse_proxy_crl_revoke/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,7 +1,7 @@
 Include ${srcdir}/base_apache.conf
 Include ${srcdir}/proxy_mods.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 <VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
diff -pruN 0.8.2-3/test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf 0.9.0-1/test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf
--- 0.8.2-3/test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf	2016-06-01 19:46:41.000000000 +0000
+++ 0.9.0-1/test/tests/22_TLS_reverse_proxy_crl_revoke/backend.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,7 +1,6 @@
-Include	${srcdir}/base_apache.conf
-Include	proxy_backend.conf
+Include	${PWD}/proxy_backend.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${BACKEND_CACHE}
 
 <VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
diff -pruN 0.8.2-3/test/tests/23_TLS_reverse_proxy_mismatched_priorities/apache.conf 0.9.0-1/test/tests/23_TLS_reverse_proxy_mismatched_priorities/apache.conf
--- 0.8.2-3/test/tests/23_TLS_reverse_proxy_mismatched_priorities/apache.conf	2016-06-01 19:46:41.000000000 +0000
+++ 0.9.0-1/test/tests/23_TLS_reverse_proxy_mismatched_priorities/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,7 +1,7 @@
 Include ${srcdir}/base_apache.conf
 Include ${srcdir}/proxy_mods.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 <VirtualHost _default_:${TEST_PORT}>
  ServerName ${TEST_HOST}
@@ -12,7 +12,7 @@ GnuTLSCache dbm cache/gnutls_cache
 
  GnuTLSProxyEngine	On
  GnuTLSProxyCAFile	authority/x509.pem
- GnuTLSProxyPriorities	NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2
+ GnuTLSProxyPriorities	NORMAL:-CIPHER-ALL:+AES-256-GCM
  ProxyPass /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/
  ProxyPassReverse /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/
 </VirtualHost>
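Review bot: The new `GnuTLSProxyPriorities NORMAL:-CIPHER-ALL:+AES-256-GCM` only makes sense together with the backend's `GnuTLSPriorities NORMAL:-AES-256-GCM` in backend.conf, and neither file says so. I would add a comment above the directive, e.g. `# Proxy offers only AES-256-GCM, which the backend disables, so the proxy handshake must fail`. That guards against the two priority strings being changed independently later, which could leave the test without any mismatch to detect.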
diff -pruN 0.8.2-3/test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf 0.9.0-1/test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf
--- 0.8.2-3/test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf	2016-06-01 19:46:41.000000000 +0000
+++ 0.9.0-1/test/tests/23_TLS_reverse_proxy_mismatched_priorities/backend.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,12 +1,11 @@
-Include	${srcdir}/base_apache.conf
-Include	proxy_backend.conf
+Include	${PWD}/proxy_backend.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${BACKEND_CACHE}
 
 <VirtualHost _default_:${BACKEND_PORT}>
  ServerName ${BACKEND_HOST}
  GnuTLSEnable On
  GnuTLSCertificateFile server/x509.pem
  GnuTLSKeyFile server/secret.key
- GnuTLSPriorities NORMAL:-VERS-TLS1.2
+ GnuTLSPriorities	NORMAL:-AES-256-GCM
 </VirtualHost>
diff -pruN 0.8.2-3/test/tests/24_pkcs11_cert/apache.conf 0.9.0-1/test/tests/24_pkcs11_cert/apache.conf
--- 0.8.2-3/test/tests/24_pkcs11_cert/apache.conf	2016-06-01 19:46:41.000000000 +0000
+++ 0.9.0-1/test/tests/24_pkcs11_cert/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,6 +1,6 @@
 Include ${srcdir}/base_apache.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 GnuTLSP11Module	${SOFTHSM_LIB}
 
diff -pruN 0.8.2-3/test/tests/25_Disable_TLS_1.0/apache.conf 0.9.0-1/test/tests/25_Disable_TLS_1.0/apache.conf
--- 0.8.2-3/test/tests/25_Disable_TLS_1.0/apache.conf	2016-06-01 19:46:41.000000000 +0000
+++ 0.9.0-1/test/tests/25_Disable_TLS_1.0/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,6 +1,6 @@
 Include ${srcdir}/base_apache.conf
 
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 <VirtualHost _default_:${TEST_PORT}>
 	ServerName	${TEST_HOST}
diff -pruN 0.8.2-3/test/tests/25_Disable_TLS_1.0/gnutls-cli.args 0.9.0-1/test/tests/25_Disable_TLS_1.0/gnutls-cli.args
--- 0.8.2-3/test/tests/25_Disable_TLS_1.0/gnutls-cli.args	2016-06-01 19:46:41.000000000 +0000
+++ 0.9.0-1/test/tests/25_Disable_TLS_1.0/gnutls-cli.args	2018-09-30 20:59:29.000000000 +0000
@@ -1,2 +1,2 @@
 --x509cafile=authority/x509.pem
---priority=NORMAL:-VERS-TLS1.2:-VERS-TLS1.1
+--priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0
diff -pruN 0.8.2-3/test/tests/26_redirect_HTTP_to_HTTPS/apache.conf 0.9.0-1/test/tests/26_redirect_HTTP_to_HTTPS/apache.conf
--- 0.8.2-3/test/tests/26_redirect_HTTP_to_HTTPS/apache.conf	2016-06-01 19:46:41.000000000 +0000
+++ 0.9.0-1/test/tests/26_redirect_HTTP_to_HTTPS/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -2,7 +2,7 @@
 Define	TEST_HTTP_PORT	${TEST_HTTP_PORT}
 
 Include ${srcdir}/base_apache.conf
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
 
 # mod_status offers an easy way to check if we were actually
 # redirected to HTTPS
diff -pruN 0.8.2-3/test/tests/27_OCSP_server/apache.conf 0.9.0-1/test/tests/27_OCSP_server/apache.conf
--- 0.8.2-3/test/tests/27_OCSP_server/apache.conf	2016-12-25 18:36:37.000000000 +0000
+++ 0.9.0-1/test/tests/27_OCSP_server/apache.conf	2018-09-30 20:59:29.000000000 +0000
@@ -1,13 +1,15 @@
-Define	OCSP_PORT	${OCSP_PORT}
-
 Include ${srcdir}/base_apache.conf
-Include ${srcdir}/ocsp_server.conf
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache ${DEFAULT_CACHE}
+
+# Leave GnuTLSOCSPCache unconfigured so the default shmcb cache is
+# used
+#GnuTLSOCSPCache shmcb
 
 <VirtualHost _default_:${TEST_PORT}>
 	ServerName		${TEST_HOST}
 	GnuTLSEnable		On
-	GnuTLSOCSPStapling	On
+	# Enabled by default
+	#GnuTLSOCSPStapling	On
 	GnuTLSOCSPCacheTimeout	60
 	GnuTLSCertificateFile	server/x509-chain.pem
 	GnuTLSKeyFile		server/secret.key
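Review bot: The commented-out directives `#GnuTLSOCSPCache shmcb` and `#GnuTLSOCSPStapling On` read as disabled configuration rather than as a statement that this test now exercises the defaults. A prose comment states the intent more clearly, for example `# GnuTLSOCSPStapling is intentionally not set: this test checks that stapling is on by default`, with a matching one for the cache. With this change the test no longer covers an explicit `GnuTLSOCSPStapling On`; whether another test does is not visible in this hunk. The virtual host block continues past the end of the hunk.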
diff -pruN 0.8.2-3/test/tests/27_OCSP_server/ocsp.conf 0.9.0-1/test/tests/27_OCSP_server/ocsp.conf
--- 0.8.2-3/test/tests/27_OCSP_server/ocsp.conf	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/27_OCSP_server/ocsp.conf	2018-04-19 18:01:35.000000000 +0000
@@ -0,0 +1 @@
+Include ${PWD}/ocsp_server.conf
diff -pruN 0.8.2-3/test/tests/28_HTTP2_support/apache.conf 0.9.0-1/test/tests/28_HTTP2_support/apache.conf
--- 0.8.2-3/test/tests/28_HTTP2_support/apache.conf	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/28_HTTP2_support/apache.conf	2018-12-12 18:32:22.000000000 +0000
@@ -0,0 +1,30 @@
+Include ${srcdir}/base_apache.conf
+GnuTLSCache ${DEFAULT_CACHE}
+
+LoadModule	http2_module	${AP_LIBEXECDIR}/mod_http2.so
+
+LoadModule	status_module	${AP_LIBEXECDIR}/mod_status.so
+<Location /status>
+	SetHandler server-status
+</Location>
+
+<IfDefine EXPECT_EARLY_SNI>
+# Different ALPN settings on the same port work only with early SNI
+<VirtualHost _default_:${TEST_PORT}>
+	# No "Protocols" directive, HTTP/1.1 only
+	ServerName		vhost.example.com
+	GnuTLSEnable		On
+	GnuTLSCertificateFile	server/x509.pem
+	GnuTLSKeyFile		server/secret.key
+	GnuTLSPriorities	NORMAL
+</VirtualHost>
+</IfDefine>
+
+<VirtualHost _default_:${TEST_PORT}>
+	Protocols		h2 http/1.1
+	ServerName		${TEST_HOST}
+	GnuTLSEnable		On
+	GnuTLSCertificateFile	server/x509.pem
+	GnuTLSKeyFile		server/secret.key
+	GnuTLSPriorities	NORMAL
+</VirtualHost>
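Review bot: The `<Location /status>` block is declared at server level without any access control, so `server-status` is served on every virtual host in this file to any client that can reach the test port. If the harness only connects over loopback and `base_apache.conf` loads mod_authz_host (neither is visible here), adding `Require local` inside the block keeps the test working while limiting exposure. Otherwise a comment such as `# test-only: unrestricted server-status, do not copy into a deployed configuration` would at least mark the block as unsuitable for reuse.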
diff -pruN 0.8.2-3/test/tests/29_force_handshake_vhost/apache.conf 0.9.0-1/test/tests/29_force_handshake_vhost/apache.conf
--- 0.8.2-3/test/tests/29_force_handshake_vhost/apache.conf	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/29_force_handshake_vhost/apache.conf	2018-11-03 11:44:05.000000000 +0000
@@ -0,0 +1,22 @@
+Include ${srcdir}/base_apache.conf
+Include ${srcdir}/cgi_module.conf
+
+GnuTLSCache ${DEFAULT_CACHE}
+
+<VirtualHost _default_:${TEST_PORT}>
+	ServerName	vhost.example.com
+	GnuTLSEnable	On
+	GnuTLSCertificateFile	server/x509.pem
+	GnuTLSKeyFile		server/secret.key
+
+	<Directory ${srcdir}/data>
+		Options +ExecCGI
+	</Directory>
+</VirtualHost>
+
+<VirtualHost _default_:${TEST_PORT}>
+	ServerName	${TEST_HOST}
+	GnuTLSEnable	On
+	GnuTLSCertificateFile	server/x509.pem
+	GnuTLSKeyFile		server/secret.key
+</VirtualHost>
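Review bot: The file has no comment saying what this test asserts, and the directory name `29_force_handshake_vhost` does not make it obvious. From the accompanying `input` and `output` files the request names `vhost.example.com` in `Host` and a 421 is expected, presumably because the SNI sent by the client selects the `${TEST_HOST}` virtual host. A header comment such as `# Host header names a vhost other than the one selected via SNI: expect 421, dump.cgi must not run` would record that. It would also explain why `Options +ExecCGI` is enabled only inside the first virtual host.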
diff -pruN 0.8.2-3/test/tests/29_force_handshake_vhost/gnutls-cli.args 0.9.0-1/test/tests/29_force_handshake_vhost/gnutls-cli.args
--- 0.8.2-3/test/tests/29_force_handshake_vhost/gnutls-cli.args	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/29_force_handshake_vhost/gnutls-cli.args	2018-11-03 11:44:05.000000000 +0000
@@ -0,0 +1,2 @@
+--x509cafile=authority/x509.pem
+--priority=NORMAL
diff -pruN 0.8.2-3/test/tests/29_force_handshake_vhost/input 0.9.0-1/test/tests/29_force_handshake_vhost/input
--- 0.8.2-3/test/tests/29_force_handshake_vhost/input	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/29_force_handshake_vhost/input	2018-11-03 11:43:53.000000000 +0000
@@ -0,0 +1,3 @@
+GET /dump.cgi HTTP/1.1
+Host: vhost.example.com
+
diff -pruN 0.8.2-3/test/tests/29_force_handshake_vhost/output 0.9.0-1/test/tests/29_force_handshake_vhost/output
--- 0.8.2-3/test/tests/29_force_handshake_vhost/output	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/29_force_handshake_vhost/output	2018-11-02 10:55:39.000000000 +0000
@@ -0,0 +1,16 @@
+HTTP/1.1 421 Misdirected Request
+Content-Length: 322
+Connection: close
+Content-Type: text/html; charset=iso-8859-1
+
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>421 Misdirected Request</title>
+</head><body>
+<h1>Misdirected Request</h1>
+<p>The client needs a new connection for this
+request as the requested host name does not match
+the Server Name Indication (SNI) in use for this
+connection.</p>
+</body></html>
+- Peer has closed the GnuTLS connection
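Review bot: The expected output pins the complete body of httpd's stock 421 error page together with `Content-Length: 322`, so a wording change in a later httpd release would fail the test even though the behaviour under test is unchanged. The same fixture is repeated verbatim in `32_vhost_SNI_serveralias_mismatch/output` and `33_vhost_SNI_serveralias_missinghost/output`. If the harness can compare less than the full response (not visible here), matching only `HTTP/1.1 421 Misdirected Request` would be sturdier. Otherwise the coupling to the httpd error text is worth recording where the tests are documented.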
diff -pruN 0.8.2-3/test/tests/30_ip_based_vhosts/apache.conf 0.9.0-1/test/tests/30_ip_based_vhosts/apache.conf
--- 0.8.2-3/test/tests/30_ip_based_vhosts/apache.conf	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/30_ip_based_vhosts/apache.conf	2018-11-28 05:37:07.000000000 +0000
@@ -0,0 +1,24 @@
+Include ${srcdir}/base_apache.conf
+
+GnuTLSCache ${DEFAULT_CACHE}
+
+LoadModule	rewrite_module	${AP_LIBEXECDIR}/mod_rewrite.so
+
+<VirtualHost ${VHOST1_IP}:${TEST_PORT}>
+	ServerName	${TEST_HOST}
+	GnuTLSEnable	On
+	GnuTLSCertificateFile	server/x509.pem
+	GnuTLSKeyFile		server/secret.key
+</VirtualHost>
+
+<VirtualHost ${VHOST2_IP}:${TEST_PORT}>
+	ServerName	${TEST_HOST}
+	GnuTLSEnable	On
+	GnuTLSCertificateFile	server/x509.pem
+	GnuTLSKeyFile		server/secret.key
+
+	# Use mod_rewrite to set up a path that will work only on this
+	# virtual host
+	RewriteEngine	On
+	RewriteRule	"^/vhost/test\.txt$" "/test.txt" [PT]
+</VirtualHost>
diff -pruN 0.8.2-3/test/tests/30_ip_based_vhosts/gnutls-cli.args 0.9.0-1/test/tests/30_ip_based_vhosts/gnutls-cli.args
--- 0.8.2-3/test/tests/30_ip_based_vhosts/gnutls-cli.args	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/30_ip_based_vhosts/gnutls-cli.args	2018-11-03 11:41:26.000000000 +0000
@@ -0,0 +1,2 @@
+--x509cafile=authority/x509.pem
+--priority=NORMAL
diff -pruN 0.8.2-3/test/tests/30_ip_based_vhosts/input 0.9.0-1/test/tests/30_ip_based_vhosts/input
--- 0.8.2-3/test/tests/30_ip_based_vhosts/input	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/30_ip_based_vhosts/input	2018-11-28 05:37:07.000000000 +0000
@@ -0,0 +1,3 @@
+GET /vhost/test.txt HTTP/1.1
+Host: __HOSTNAME__
+
diff -pruN 0.8.2-3/test/tests/30_ip_based_vhosts/output 0.9.0-1/test/tests/30_ip_based_vhosts/output
--- 0.8.2-3/test/tests/30_ip_based_vhosts/output	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/30_ip_based_vhosts/output	2018-11-28 05:37:07.000000000 +0000
@@ -0,0 +1,7 @@
+Accept-Ranges: bytes
+Content-Length: 5
+Connection: close
+Content-Type: text/plain
+
+test
+- Peer has closed the GnuTLS connection
diff -pruN 0.8.2-3/test/tests/31_vhost_SNI_serveralias_match/apache.conf 0.9.0-1/test/tests/31_vhost_SNI_serveralias_match/apache.conf
--- 0.8.2-3/test/tests/31_vhost_SNI_serveralias_match/apache.conf	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/31_vhost_SNI_serveralias_match/apache.conf	2018-11-28 15:32:27.000000000 +0000
@@ -0,0 +1,18 @@
+Include ${srcdir}/base_apache.conf
+
+GnuTLSCache ${DEFAULT_CACHE}
+
+<VirtualHost _default_:${TEST_PORT}>
+	ServerName	vhost.example.com
+	GnuTLSEnable	On
+	GnuTLSCertificateFile	server/x509.pem
+	GnuTLSKeyFile		server/secret.key
+</VirtualHost>
+
+<VirtualHost _default_:${TEST_PORT}>
+	ServerName	${TEST_HOST}
+	ServerAlias	*.virtual.host
+	GnuTLSEnable	On
+	GnuTLSCertificateFile	server/x509.pem
+	GnuTLSKeyFile		server/secret.key
+</VirtualHost>
diff -pruN 0.8.2-3/test/tests/31_vhost_SNI_serveralias_match/gnutls-cli.args 0.9.0-1/test/tests/31_vhost_SNI_serveralias_match/gnutls-cli.args
--- 0.8.2-3/test/tests/31_vhost_SNI_serveralias_match/gnutls-cli.args	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/31_vhost_SNI_serveralias_match/gnutls-cli.args	2018-11-28 15:32:27.000000000 +0000
@@ -0,0 +1,3 @@
+--x509cafile=authority/x509.pem
+--priority=NORMAL
+--sni-hostname=example.virtual.host
diff -pruN 0.8.2-3/test/tests/31_vhost_SNI_serveralias_match/input 0.9.0-1/test/tests/31_vhost_SNI_serveralias_match/input
--- 0.8.2-3/test/tests/31_vhost_SNI_serveralias_match/input	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/31_vhost_SNI_serveralias_match/input	2018-11-28 15:32:27.000000000 +0000
@@ -0,0 +1,3 @@
+GET /test.txt HTTP/1.1
+Host: example.virtual.host
+
diff -pruN 0.8.2-3/test/tests/31_vhost_SNI_serveralias_match/output 0.9.0-1/test/tests/31_vhost_SNI_serveralias_match/output
--- 0.8.2-3/test/tests/31_vhost_SNI_serveralias_match/output	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/31_vhost_SNI_serveralias_match/output	2018-11-28 15:32:27.000000000 +0000
@@ -0,0 +1,7 @@
+Accept-Ranges: bytes
+Content-Length: 5
+Connection: close
+Content-Type: text/plain
+
+test
+- Peer has closed the GnuTLS connection
diff -pruN 0.8.2-3/test/tests/32_vhost_SNI_serveralias_mismatch/apache.conf 0.9.0-1/test/tests/32_vhost_SNI_serveralias_mismatch/apache.conf
--- 0.8.2-3/test/tests/32_vhost_SNI_serveralias_mismatch/apache.conf	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/32_vhost_SNI_serveralias_mismatch/apache.conf	2018-11-28 15:32:27.000000000 +0000
@@ -0,0 +1,11 @@
+Include ${srcdir}/base_apache.conf
+
+GnuTLSCache ${DEFAULT_CACHE}
+
+<VirtualHost _default_:${TEST_PORT}>
+	ServerName	${TEST_HOST}
+	ServerAlias	*.virtual.host
+	GnuTLSEnable	On
+	GnuTLSCertificateFile	server/x509.pem
+	GnuTLSKeyFile		server/secret.key
+</VirtualHost>
diff -pruN 0.8.2-3/test/tests/32_vhost_SNI_serveralias_mismatch/gnutls-cli.args 0.9.0-1/test/tests/32_vhost_SNI_serveralias_mismatch/gnutls-cli.args
--- 0.8.2-3/test/tests/32_vhost_SNI_serveralias_mismatch/gnutls-cli.args	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/32_vhost_SNI_serveralias_mismatch/gnutls-cli.args	2018-11-28 15:32:27.000000000 +0000
@@ -0,0 +1,3 @@
+--x509cafile=authority/x509.pem
+--priority=NORMAL
+--sni-hostname=example.virtual.host
diff -pruN 0.8.2-3/test/tests/32_vhost_SNI_serveralias_mismatch/input 0.9.0-1/test/tests/32_vhost_SNI_serveralias_mismatch/input
--- 0.8.2-3/test/tests/32_vhost_SNI_serveralias_mismatch/input	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/32_vhost_SNI_serveralias_mismatch/input	2018-11-28 15:32:27.000000000 +0000
@@ -0,0 +1,3 @@
+GET /test.txt HTTP/1.1
+Host: mismatched.virtual.host
+
diff -pruN 0.8.2-3/test/tests/32_vhost_SNI_serveralias_mismatch/output 0.9.0-1/test/tests/32_vhost_SNI_serveralias_mismatch/output
--- 0.8.2-3/test/tests/32_vhost_SNI_serveralias_mismatch/output	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/32_vhost_SNI_serveralias_mismatch/output	2018-11-28 15:32:27.000000000 +0000
@@ -0,0 +1,16 @@
+HTTP/1.1 421 Misdirected Request
+Content-Length: 322
+Connection: close
+Content-Type: text/html; charset=iso-8859-1
+
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>421 Misdirected Request</title>
+</head><body>
+<h1>Misdirected Request</h1>
+<p>The client needs a new connection for this
+request as the requested host name does not match
+the Server Name Indication (SNI) in use for this
+connection.</p>
+</body></html>
+- Peer has closed the GnuTLS connection
diff -pruN 0.8.2-3/test/tests/33_vhost_SNI_serveralias_missinghost/apache.conf 0.9.0-1/test/tests/33_vhost_SNI_serveralias_missinghost/apache.conf
--- 0.8.2-3/test/tests/33_vhost_SNI_serveralias_missinghost/apache.conf	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/33_vhost_SNI_serveralias_missinghost/apache.conf	2018-11-28 15:32:27.000000000 +0000
@@ -0,0 +1,11 @@
+Include ${srcdir}/base_apache.conf
+
+GnuTLSCache ${DEFAULT_CACHE}
+
+<VirtualHost _default_:${TEST_PORT}>
+	ServerName	${TEST_HOST}
+	ServerAlias	*.virtual.host
+	GnuTLSEnable	On
+	GnuTLSCertificateFile	server/x509.pem
+	GnuTLSKeyFile		server/secret.key
+</VirtualHost>
diff -pruN 0.8.2-3/test/tests/33_vhost_SNI_serveralias_missinghost/gnutls-cli.args 0.9.0-1/test/tests/33_vhost_SNI_serveralias_missinghost/gnutls-cli.args
--- 0.8.2-3/test/tests/33_vhost_SNI_serveralias_missinghost/gnutls-cli.args	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/33_vhost_SNI_serveralias_missinghost/gnutls-cli.args	2018-11-28 15:32:27.000000000 +0000
@@ -0,0 +1,3 @@
+--x509cafile=authority/x509.pem
+--priority=NORMAL
+--sni-hostname=example.virtual.host
diff -pruN 0.8.2-3/test/tests/33_vhost_SNI_serveralias_missinghost/input 0.9.0-1/test/tests/33_vhost_SNI_serveralias_missinghost/input
--- 0.8.2-3/test/tests/33_vhost_SNI_serveralias_missinghost/input	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/33_vhost_SNI_serveralias_missinghost/input	2018-11-28 15:32:27.000000000 +0000
@@ -0,0 +1,2 @@
+GET /test.txt HTTP/1.0
+
diff -pruN 0.8.2-3/test/tests/33_vhost_SNI_serveralias_missinghost/output 0.9.0-1/test/tests/33_vhost_SNI_serveralias_missinghost/output
--- 0.8.2-3/test/tests/33_vhost_SNI_serveralias_missinghost/output	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/33_vhost_SNI_serveralias_missinghost/output	2018-11-28 15:32:27.000000000 +0000
@@ -0,0 +1,16 @@
+HTTP/1.1 421 Misdirected Request
+Content-Length: 322
+Connection: close
+Content-Type: text/html; charset=iso-8859-1
+
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>421 Misdirected Request</title>
+</head><body>
+<h1>Misdirected Request</h1>
+<p>The client needs a new connection for this
+request as the requested host name does not match
+the Server Name Indication (SNI) in use for this
+connection.</p>
+</body></html>
+- Peer has closed the GnuTLS connection
diff -pruN 0.8.2-3/test/tests/34_TLS_reverse_proxy_h2/apache.conf 0.9.0-1/test/tests/34_TLS_reverse_proxy_h2/apache.conf
--- 0.8.2-3/test/tests/34_TLS_reverse_proxy_h2/apache.conf	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/34_TLS_reverse_proxy_h2/apache.conf	2019-01-05 17:28:56.000000000 +0000
@@ -0,0 +1,18 @@
+Include ${srcdir}/base_apache.conf
+Include ${srcdir}/proxy_mods.conf
+
+LoadModule	proxy_http2_module	${AP_LIBEXECDIR}/mod_proxy_http2.so
+
+GnuTLSCache ${DEFAULT_CACHE}
+
+<VirtualHost _default_:${TEST_PORT}>
+  ServerName		${TEST_HOST}
+  GnuTLSEnable		On
+  GnuTLSCertificateFile	server/x509.pem
+  GnuTLSKeyFile		server/secret.key
+
+  GnuTLSProxyEngine	On
+  GnuTLSProxyCAFile	authority/x509.pem
+  ProxyPass		/proxy/ h2://${BACKEND_HOST}:${BACKEND_PORT}/
+  ProxyPassReverse	/proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/
+</VirtualHost>
diff -pruN 0.8.2-3/test/tests/34_TLS_reverse_proxy_h2/backend.conf 0.9.0-1/test/tests/34_TLS_reverse_proxy_h2/backend.conf
--- 0.8.2-3/test/tests/34_TLS_reverse_proxy_h2/backend.conf	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/34_TLS_reverse_proxy_h2/backend.conf	2019-01-05 17:28:56.000000000 +0000
@@ -0,0 +1,13 @@
+Include	${PWD}/proxy_backend.conf
+
+LoadModule	http2_module	${AP_LIBEXECDIR}/mod_http2.so
+
+GnuTLSCache ${BACKEND_CACHE}
+
+<VirtualHost _default_:${BACKEND_PORT}>
+  ServerName		${BACKEND_HOST}
+  Protocols		h2 http/1.1
+  GnuTLSEnable		On
+  GnuTLSCertificateFile	server/x509.pem
+  GnuTLSKeyFile		server/secret.key
+</VirtualHost>
diff -pruN 0.8.2-3/test/tests/34_TLS_reverse_proxy_h2/gnutls-cli.args 0.9.0-1/test/tests/34_TLS_reverse_proxy_h2/gnutls-cli.args
--- 0.8.2-3/test/tests/34_TLS_reverse_proxy_h2/gnutls-cli.args	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/34_TLS_reverse_proxy_h2/gnutls-cli.args	2019-01-05 17:28:56.000000000 +0000
@@ -0,0 +1,2 @@
+--x509cafile=authority/x509.pem
+--priority=NORMAL
diff -pruN 0.8.2-3/test/tests/34_TLS_reverse_proxy_h2/input 0.9.0-1/test/tests/34_TLS_reverse_proxy_h2/input
--- 0.8.2-3/test/tests/34_TLS_reverse_proxy_h2/input	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/34_TLS_reverse_proxy_h2/input	2019-01-05 17:28:56.000000000 +0000
@@ -0,0 +1,3 @@
+GET /proxy/test.txt HTTP/1.1
+Host: __HOSTNAME__
+
diff -pruN 0.8.2-3/test/tests/34_TLS_reverse_proxy_h2/output 0.9.0-1/test/tests/34_TLS_reverse_proxy_h2/output
--- 0.8.2-3/test/tests/34_TLS_reverse_proxy_h2/output	1970-01-01 00:00:00.000000000 +0000
+++ 0.9.0-1/test/tests/34_TLS_reverse_proxy_h2/output	2019-01-05 17:28:56.000000000 +0000
@@ -0,0 +1,7 @@
+Accept-Ranges: bytes
+Content-Length: 5
+Content-Type: text/plain
+Connection: close
+
+test
+- Peer has closed the GnuTLS connection
diff -pruN 0.8.2-3/test/tests/Makefile.am 0.9.0-1/test/tests/Makefile.am
--- 0.8.2-3/test/tests/Makefile.am	2016-06-20 19:29:18.000000000 +0000
+++ 0.9.0-1/test/tests/Makefile.am	2019-01-05 17:28:56.000000000 +0000
@@ -2,7 +2,7 @@ EXTRA_DIST = \
 	00_basic/apache.conf 00_basic/gnutls-cli.args 00_basic/input 00_basic/output \
 	01_serverwide_priorities/apache.conf 01_serverwide_priorities/gnutls-cli.args 01_serverwide_priorities/input 01_serverwide_priorities/output \
 	02_cache_in_vhost/apache.conf 02_cache_in_vhost/fail.server 02_cache_in_vhost/gnutls-cli.args 02_cache_in_vhost/input \
-	03_cachetimeout_in_vhost/apache.conf 03_cachetimeout_in_vhost/fail.server 03_cachetimeout_in_vhost/gnutls-cli.args 03_cachetimeout_in_vhost/input \
+	03_cachetimeout_in_vhost/apache.conf 03_cachetimeout_in_vhost/gnutls-cli.args 03_cachetimeout_in_vhost/input 03_cachetimeout_in_vhost/output \
 	04_basic_nosni/apache.conf 04_basic_nosni/gnutls-cli.args 04_basic_nosni/input 04_basic_nosni/output \
 	05_mismatched-priorities/apache.conf 05_mismatched-priorities/fail.client 05_mismatched-priorities/gnutls-cli.args 05_mismatched-priorities/input \
 	06_verify_sni_a/apache.conf 06_verify_sni_a/gnutls-cli.args 06_verify_sni_a/input 06_verify_sni_a/output \
@@ -13,9 +13,9 @@ EXTRA_DIST = \
 	11_basic_client_verification_fail/apache.conf 11_basic_client_verification_fail/fail.client 11_basic_client_verification_fail/gnutls-cli.args 11_basic_client_verification_fail/input \
 	12_cgi_variables/apache.conf 12_cgi_variables/gnutls-cli.args 12_cgi_variables/input 12_cgi_variables/output \
 	13_cgi_variables_no_client_cert/apache.conf 13_cgi_variables_no_client_cert/gnutls-cli.args 13_cgi_variables_no_client_cert/input 13_cgi_variables_no_client_cert/output \
-	14_basic_openpgp/apache.conf 14_basic_openpgp/gnutls-cli.args 14_basic_openpgp/input 14_basic_openpgp/output \
+	14_resume_session/apache.conf 14_resume_session/gnutls-cli.args 14_resume_session/input 14_resume_session/output \
 	15_basic_msva/apache.conf 15_basic_msva/gnutls-cli.args 15_basic_msva/input 15_basic_msva/output \
-	16_view-status/apache.conf 16_view-status/gnutls-cli.args 16_view-status/input 16_view-status/output \
+	16_view-status/apache.conf 16_view-status/gnutls-cli.args 16_view-status/input \
 	17_cgi_vars_large_cert/apache.conf 17_cgi_vars_large_cert/gnutls-cli.args 17_cgi_vars_large_cert/input 17_cgi_vars_large_cert/output \
 	18_client_verification_wrong_cert/apache.conf 18_client_verification_wrong_cert/gnutls-cli.args 18_client_verification_wrong_cert/input 18_client_verification_wrong_cert/output \
 	19_TLS_reverse_proxy/apache.conf 19_TLS_reverse_proxy/backend.conf 19_TLS_reverse_proxy/gnutls-cli.args 19_TLS_reverse_proxy/input 19_TLS_reverse_proxy/output \
@@ -26,4 +26,11 @@ EXTRA_DIST = \
 	24_pkcs11_cert/apache.conf 24_pkcs11_cert/gnutls-cli.args 24_pkcs11_cert/input 24_pkcs11_cert/output \
 	25_Disable_TLS_1.0/apache.conf 25_Disable_TLS_1.0/fail.client 25_Disable_TLS_1.0/gnutls-cli.args 25_Disable_TLS_1.0/input \
 	26_redirect_HTTP_to_HTTPS/apache.conf \
-	27_OCSP_server/apache.conf 27_OCSP_server/gnutls-cli.args 27_OCSP_server/input 27_OCSP_server/output
+	27_OCSP_server/apache.conf 27_OCSP_server/gnutls-cli.args 27_OCSP_server/input 27_OCSP_server/ocsp.conf 27_OCSP_server/output \
+	28_HTTP2_support/apache.conf \
+	29_force_handshake_vhost/apache.conf 29_force_handshake_vhost/gnutls-cli.args 29_force_handshake_vhost/input 29_force_handshake_vhost/output \
+	30_ip_based_vhosts/apache.conf 30_ip_based_vhosts/gnutls-cli.args 30_ip_based_vhosts/input 30_ip_based_vhosts/output 31_vhost_SNI_serveralias_match \
+	31_vhost_SNI_serveralias_match/gnutls-cli.args 31_vhost_SNI_serveralias_match/input 31_vhost_SNI_serveralias_match/apache.conf 31_vhost_SNI_serveralias_match/output \
+	32_vhost_SNI_serveralias_mismatch/gnutls-cli.args 32_vhost_SNI_serveralias_mismatch/input 32_vhost_SNI_serveralias_mismatch/apache.conf 32_vhost_SNI_serveralias_mismatch/output \
+	33_vhost_SNI_serveralias_missinghost/gnutls-cli.args 33_vhost_SNI_serveralias_missinghost/input 33_vhost_SNI_serveralias_missinghost/apache.conf 33_vhost_SNI_serveralias_missinghost/output \
+	34_TLS_reverse_proxy_h2/apache.conf 34_TLS_reverse_proxy_h2/backend.conf 34_TLS_reverse_proxy_h2/gnutls-cli.args 34_TLS_reverse_proxy_h2/input 34_TLS_reverse_proxy_h2/output
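Review bot: The added line for test 30 ends with the bare directory name `31_vhost_SNI_serveralias_match`, which makes `EXTRA_DIST` list a whole directory. Automake copies a directory named in `EXTRA_DIST` recursively, so `make dist` would ship whatever is in that directory at release time (editor backups, logs, leftover test artifacts) rather than just the four intended files. The line should end with `30_ip_based_vhosts/output \` and leave test 31 to the per-file entries on the next line. The entries for tests 31 to 33 also list `apache.conf` third instead of first, unlike every other line, which suggests the list was assembled differently there. The same stray entry is carried into the generated `Makefile.in` hunk at `@@ -350,7 +349,14 @@`; the `EXTRA_DIST` assignment itself starts outside this hunk.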
diff -pruN 0.8.2-3/test/tests/Makefile.in 0.9.0-1/test/tests/Makefile.in
--- 0.8.2-3/test/tests/Makefile.in	2017-01-08 14:08:06.000000000 +0000
+++ 0.9.0-1/test/tests/Makefile.in	2019-01-23 20:15:48.000000000 +0000
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.15 from Makefile.am.
+# Makefile.in generated by automake 1.16.1 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+# Copyright (C) 1994-2018 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -92,7 +92,6 @@ subdir = test/tests
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/apache.m4 \
 	$(top_srcdir)/m4/apache_test.m4 \
-	$(top_srcdir)/m4/apr_memcache.m4 \
 	$(top_srcdir)/m4/ax_prog_doxygen.m4 \
 	$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
 	$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
@@ -137,9 +136,6 @@ APR_INCLUDES = @APR_INCLUDES@
 APR_LDFLAGS = @APR_LDFLAGS@
 APR_LIBS = @APR_LIBS@
 APR_LIBTOOL = @APR_LIBTOOL@
-APR_MEMCACHE_CFLAGS = @APR_MEMCACHE_CFLAGS@
-APR_MEMCACHE_LIBS = @APR_MEMCACHE_LIBS@
-APR_UTIL_CONF = @APR_UTIL_CONF@
 APU_INCLUDES = @APU_INCLUDES@
 APU_LDFLAGS = @APU_LDFLAGS@
 APU_LIBS = @APU_LIBS@
@@ -203,6 +199,7 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ENABLE_EARLY_SNI = @ENABLE_EARLY_SNI@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 FLOCK = @FLOCK@
@@ -262,6 +259,9 @@ SOFTHSM_LIB = @SOFTHSM_LIB@
 SOFTHSM_MAJOR_VERSION = @SOFTHSM_MAJOR_VERSION@
 STRIP = @STRIP@
 TEST_HOST = @TEST_HOST@
+TEST_IP = @TEST_IP@
+TEST_LOCK_WAIT = @TEST_LOCK_WAIT@
+TEST_QUERY_TIMEOUT = @TEST_QUERY_TIMEOUT@
 UNSHARE = @UNSHARE@
 VERSION = @VERSION@
 abs_builddir = @abs_builddir@
@@ -288,7 +288,6 @@ datarootdir = @datarootdir@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
-have_apr_memcache = @have_apr_memcache@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -326,7 +325,7 @@ EXTRA_DIST = \
 	00_basic/apache.conf 00_basic/gnutls-cli.args 00_basic/input 00_basic/output \
 	01_serverwide_priorities/apache.conf 01_serverwide_priorities/gnutls-cli.args 01_serverwide_priorities/input 01_serverwide_priorities/output \
 	02_cache_in_vhost/apache.conf 02_cache_in_vhost/fail.server 02_cache_in_vhost/gnutls-cli.args 02_cache_in_vhost/input \
-	03_cachetimeout_in_vhost/apache.conf 03_cachetimeout_in_vhost/fail.server 03_cachetimeout_in_vhost/gnutls-cli.args 03_cachetimeout_in_vhost/input \
+	03_cachetimeout_in_vhost/apache.conf 03_cachetimeout_in_vhost/gnutls-cli.args 03_cachetimeout_in_vhost/input 03_cachetimeout_in_vhost/output \
 	04_basic_nosni/apache.conf 04_basic_nosni/gnutls-cli.args 04_basic_nosni/input 04_basic_nosni/output \
 	05_mismatched-priorities/apache.conf 05_mismatched-priorities/fail.client 05_mismatched-priorities/gnutls-cli.args 05_mismatched-priorities/input \
 	06_verify_sni_a/apache.conf 06_verify_sni_a/gnutls-cli.args 06_verify_sni_a/input 06_verify_sni_a/output \
@@ -337,9 +336,9 @@ EXTRA_DIST = \
 	11_basic_client_verification_fail/apache.conf 11_basic_client_verification_fail/fail.client 11_basic_client_verification_fail/gnutls-cli.args 11_basic_client_verification_fail/input \
 	12_cgi_variables/apache.conf 12_cgi_variables/gnutls-cli.args 12_cgi_variables/input 12_cgi_variables/output \
 	13_cgi_variables_no_client_cert/apache.conf 13_cgi_variables_no_client_cert/gnutls-cli.args 13_cgi_variables_no_client_cert/input 13_cgi_variables_no_client_cert/output \
-	14_basic_openpgp/apache.conf 14_basic_openpgp/gnutls-cli.args 14_basic_openpgp/input 14_basic_openpgp/output \
+	14_resume_session/apache.conf 14_resume_session/gnutls-cli.args 14_resume_session/input 14_resume_session/output \
 	15_basic_msva/apache.conf 15_basic_msva/gnutls-cli.args 15_basic_msva/input 15_basic_msva/output \
-	16_view-status/apache.conf 16_view-status/gnutls-cli.args 16_view-status/input 16_view-status/output \
+	16_view-status/apache.conf 16_view-status/gnutls-cli.args 16_view-status/input \
 	17_cgi_vars_large_cert/apache.conf 17_cgi_vars_large_cert/gnutls-cli.args 17_cgi_vars_large_cert/input 17_cgi_vars_large_cert/output \
 	18_client_verification_wrong_cert/apache.conf 18_client_verification_wrong_cert/gnutls-cli.args 18_client_verification_wrong_cert/input 18_client_verification_wrong_cert/output \
 	19_TLS_reverse_proxy/apache.conf 19_TLS_reverse_proxy/backend.conf 19_TLS_reverse_proxy/gnutls-cli.args 19_TLS_reverse_proxy/input 19_TLS_reverse_proxy/output \
@@ -350,7 +349,14 @@ EXTRA_DIST = \
 	24_pkcs11_cert/apache.conf 24_pkcs11_cert/gnutls-cli.args 24_pkcs11_cert/input 24_pkcs11_cert/output \
 	25_Disable_TLS_1.0/apache.conf 25_Disable_TLS_1.0/fail.client 25_Disable_TLS_1.0/gnutls-cli.args 25_Disable_TLS_1.0/input \
 	26_redirect_HTTP_to_HTTPS/apache.conf \
-	27_OCSP_server/apache.conf 27_OCSP_server/gnutls-cli.args 27_OCSP_server/input 27_OCSP_server/output
+	27_OCSP_server/apache.conf 27_OCSP_server/gnutls-cli.args 27_OCSP_server/input 27_OCSP_server/ocsp.conf 27_OCSP_server/output \
+	28_HTTP2_support/apache.conf \
+	29_force_handshake_vhost/apache.conf 29_force_handshake_vhost/gnutls-cli.args 29_force_handshake_vhost/input 29_force_handshake_vhost/output \
+	30_ip_based_vhosts/apache.conf 30_ip_based_vhosts/gnutls-cli.args 30_ip_based_vhosts/input 30_ip_based_vhosts/output 31_vhost_SNI_serveralias_match \
+	31_vhost_SNI_serveralias_match/gnutls-cli.args 31_vhost_SNI_serveralias_match/input 31_vhost_SNI_serveralias_match/apache.conf 31_vhost_SNI_serveralias_match/output \
+	32_vhost_SNI_serveralias_mismatch/gnutls-cli.args 32_vhost_SNI_serveralias_mismatch/input 32_vhost_SNI_serveralias_mismatch/apache.conf 32_vhost_SNI_serveralias_mismatch/output \
+	33_vhost_SNI_serveralias_missinghost/gnutls-cli.args 33_vhost_SNI_serveralias_missinghost/input 33_vhost_SNI_serveralias_missinghost/apache.conf 33_vhost_SNI_serveralias_missinghost/output \
+	34_TLS_reverse_proxy_h2/apache.conf 34_TLS_reverse_proxy_h2/backend.conf 34_TLS_reverse_proxy_h2/gnutls-cli.args 34_TLS_reverse_proxy_h2/input 34_TLS_reverse_proxy_h2/output
 
 all: all-am
 
@@ -372,8 +378,8 @@ Makefile: $(srcdir)/Makefile.in $(top_bu
 	  *config.status*) \
 	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
 	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
 	esac;
 
 $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
@@ -397,7 +403,10 @@ ctags CTAGS:
 cscope cscopelist:
 
 
-distdir: $(DISTFILES)
+distdir: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
