Merge branch 'tmp-fix-cert-release' into 'master'

configure: refuse to compile with known dependency issues

Closes #152

See merge request ocserv/ocserv!83

.gitlab-ci.yml

@@ -6,6 +6,7 @@ variables:
   BUILD_IMAGES_PROJECT: ocserv/build-images
   DEBIAN_BUILD: buildenv-debian-stretch
   FEDORA_BUILD: buildenv-fedora
+  UBUNTU_BUILD: buildenv-ubuntu
   CENTOS7_BUILD: buildenv-centos7
   CENTOS6_BUILD: buildenv-centos6
 
@@ -26,6 +27,25 @@ Build/Debian:
       - ./*.log
       - ./tests/*.log
 
+Build/Ubuntu:
+  stage: testing
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$UBUNTU_BUILD
+  script:
+  - git submodule update --init && autoreconf -fvi
+  - "! ./configure"
+  - ./configure --without-nuttcp-tests --with-broken-gnutls --without-docker-tests
+  - make -j$(nproc) && make check -j$(nproc)
+  tags:
+  - shared
+  except:
+  - tags
+  artifacts:
+    expire_in: 1 week
+    when: on_failure
+    paths:
+      - ./*.log
+      - ./tests/*.log
+
 Build/Centos7:
   stage: testing
   image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS7_BUILD

NEWS

@@ -1,3 +1,9 @@
+* Version 0.12.1 (unreleased)
+- Reject compilation on systems which have gnutls with a broken
+  gnutls_certificate_set_key(). Provide --with-broken-gnutls option
+  which work-arounds the issues at the cost of a memory leak.
+
+
 * Version 0.12.0 (released 2018-04-22)
 - Allow DTLS stream to come from different IP from TLS stream.
   There are situations where internet providers send the UDP 

configure.ac

@@ -52,6 +52,25 @@ AC_C_BIGENDIAN
 PKG_CHECK_MODULES([LIBNETTLE], [nettle >= 2.7])
 PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.3.0])
 
+AC_ARG_WITH(broken-gnutls,
+  AS_HELP_STRING([--with-broken-gnutls], [allow the use of gnutls versions which have known bugs]),
+  skip_test_for_gnutls=$withval,
+  skip_test_for_gnutls=no)
+
+if test "$skip_test_for_gnutls" = "no";then
+  if $PKG_CONFIG --max-version=3.5.4 gnutls;then
+    if $PKG_CONFIG --atleast-version=3.3.99 gnutls || $PKG_CONFIG --max-version=3.3.24 gnutls; then
+	AC_MSG_ERROR([[***
+*** a broken version of gnutls was found; please update to the latest version of a supported
+*** gnutls branch (e.g. as 3.3.x, 3.5.x, or 3.6.x), or compile with --with-broken-gnutls
+***]])
+    fi
+  fi
+else
+  AC_DEFINE([GNUTLS_BROKEN_CERTIFICATE_SET_KEY], [1],
+	    [gnutls has a broken gnutls_certificate_set_key()])
+fi
+
 if ! $PKG_CONFIG --atleast-version=3.0 nettle; then
 	AC_DEFINE([NETTLE_OLD_BASE64_API], [1],
 		  [nettle uses the pre-3.x base64 API])

src/tlslib.c

@@ -537,8 +537,11 @@ void tls_vhost_init(struct vhost_cfg_st *vhost)
 
 void tls_vhost_deinit(struct vhost_cfg_st *vhost)
 {
+#ifndef GNUTLS_BROKEN_CERTIFICATE_SET_KEY
 	if (vhost->creds.xcred != NULL)
 		gnutls_certificate_free_credentials(vhost->creds.xcred);
+#endif
+
 	if (vhost->creds.pskcred != NULL)
 		gnutls_psk_free_server_credentials(vhost->creds.pskcred);
 	if (vhost->creds.cprio != NULL)
@@ -942,8 +945,10 @@ void tls_load_files(main_server_st *s, struct vhost_cfg_st *vhost)
 
 	vhost->params_last_access = time(0);
 
+#ifndef GNUTLS_BROKEN_CERTIFICATE_SET_KEY
 	if (vhost->creds.xcred != NULL)
 		gnutls_certificate_free_credentials(vhost->creds.xcred);
+#endif
 
 	ret = gnutls_certificate_allocate_credentials(&vhost->creds.xcred);
 	GNUTLS_FATAL_ERR(ret);