From 094145bf541d520cd372034b7c287b5199f7c23d Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 30 Apr 2018 17:40:36 +0200
Subject: [PATCH] configure: refuse to compile with known dependency issues

In particular require gnutls 3.5.5 which fixes cleanups in gnutls_certificate_set_key(), or a recent version of the 3.3.x branch. When forced to use a broken version work-around issues (at the cost of a memory leak).

Resolves #152

Signed-off-by: Nikos Mavrogiannopoulos
---
 .gitlab-ci.yml | 20 ++++++++++++++++++++
 NEWS | 6 ++++++
 configure.ac | 19 +++++++++++++++++++
 src/tlslib.c | 5 +++++
 4 files changed, 50 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c42ffba7..975e4d24 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -6,6 +6,7 @@ variables:
 BUILD_IMAGES_PROJECT: ocserv/build-images
 DEBIAN_BUILD: buildenv-debian-stretch
 FEDORA_BUILD: buildenv-fedora
+ UBUNTU_BUILD: buildenv-ubuntu
 CENTOS7_BUILD: buildenv-centos7
 CENTOS6_BUILD: buildenv-centos6
@@ -26,6 +27,25 @@ Build/Debian:
 - ./*.log
 - ./tests/*.log
+Build/Ubuntu:
+ stage: testing
+ image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$UBUNTU_BUILD
+ script:
+ - git submodule update --init && autoreconf -fvi
+ - "! ./configure"
+ - ./configure --without-nuttcp-tests --with-broken-gnutls --without-docker-tests
+ - make -j$(nproc) && make check -j$(nproc)
+ tags:
+ - shared
+ except:
+ - tags
+ artifacts:
+ expire_in: 1 week
+ when: on_failure
+ paths:
+ - ./*.log
+ - ./tests/*.log
+
 Build/Centos7:
 stage: testing
 image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS7_BUILD
diff --git a/NEWS b/NEWS
index 1c61aaf9..a80e3005 100644
--- a/NEWS
+++ b/NEWS
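Review bot: The `- "! ./configure"` step in the new Build/Ubuntu job relies on an undocumented assumption that the Ubuntu build image ships a gnutls inside the range configure.ac rejects; if that image is later refreshed with a fixed gnutls, the job fails at this step with nothing in the log saying why. A comment above the step would make the expectation reviewable, e.g. `# the ubuntu image is expected to carry a gnutls that configure.ac rejects: a plain ./configure must fail, the build then uses the --with-broken-gnutls work-around`. The first hunk (the `UBUNTU_BUILD` variable) needs nothing.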
@@ -1,3 +1,9 @@
+* Version 0.12.1 (unreleased)
+- Reject compilation on systems which have gnutls with a broken
+ gnutls_certificate_set_key(). Provide --with-broken-gnutls option
+ which work-arounds the issues at the cost of a memory leak.
+
+
 * Version 0.12.0 (released 2018-04-22)
 - Allow DTLS stream to come from different IP from TLS stream.
 There are situations where internet providers send the UDP
diff --git a/configure.ac b/configure.ac
index 95a8e4ec..237bf87d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -52,6 +52,25 @@ AC_C_BIGENDIAN
 PKG_CHECK_MODULES([LIBNETTLE], [nettle >= 2.7])
 PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.3.0])
+AC_ARG_WITH(broken-gnutls,
+ AS_HELP_STRING([--with-broken-gnutls], [allow the use of gnutls versions which have known bugs]),
+ skip_test_for_gnutls=$withval,
+ skip_test_for_gnutls=no)
+
+if test "$skip_test_for_gnutls" = "no";then
+ if $PKG_CONFIG --max-version=3.5.4 gnutls;then
+ if $PKG_CONFIG --atleast-version=3.3.99 gnutls || $PKG_CONFIG --max-version=3.3.24 gnutls; then
+ AC_MSG_ERROR([[***
+*** a broken version of gnutls was found; please update to the latest version of a supported
+*** gnutls branch (e.g. as 3.3.x, 3.5.x, or 3.6.x), or compile with --with-broken-gnutls
+***]])
+ fi
+ fi
+else
+ AC_DEFINE([GNUTLS_BROKEN_CERTIFICATE_SET_KEY], [1],
+ [gnutls has a broken gnutls_certificate_set_key()])
+fi
+
 if ! $PKG_CONFIG --atleast-version=3.0 nettle; then
 AC_DEFINE([NETTLE_OLD_BASE64_API], [1],
 [nettle uses the pre-3.x base64 API])
diff --git a/src/tlslib.c b/src/tlslib.c
index 9603bec4..904a2869 100644
--- a/src/tlslib.c
+++ b/src/tlslib.c
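Review bot: The `else` branch of the configure.ac hunk defines `GNUTLS_BROKEN_CERTIFICATE_SET_KEY` whenever `--with-broken-gnutls` is given, without consulting the installed gnutls at all, so a build that passes the flag on a host which already has a version outside the rejected ranges still compiles the leaking work-around into src/tlslib.c. The version probe should run unconditionally and the option should only decide whether a hit is fatal or a warning, with the define emitted only when the broken range actually matches; the error text should also state the thresholds the probe enforces (3.3.25 or later, or 3.5.5 or later) rather than "the latest version of a supported gnutls branch". A restructured block is sketched below, keeping the existing `AC_ARG_WITH` help string; the NEWS hunk is a changelog change and needs nothing.
```m4
AC_ARG_WITH(broken-gnutls,
  AS_HELP_STRING([--with-broken-gnutls], [allow the use of gnutls versions which have known bugs]),
  allow_broken_gnutls=$withval,
  allow_broken_gnutls=no)

dnl gnutls_certificate_set_key() cleanup bugs: versions up to 3.3.24 and
dnl 3.4.0 through 3.5.4 are rejected; 3.3.25+ and 3.5.5+ are accepted.
broken_gnutls=no
if $PKG_CONFIG --max-version=3.5.4 gnutls; then
  if $PKG_CONFIG --atleast-version=3.3.99 gnutls || $PKG_CONFIG --max-version=3.3.24 gnutls; then
    broken_gnutls=yes
  fi
fi

if test "$broken_gnutls" = "yes"; then
  if test "$allow_broken_gnutls" = "no"; then
    AC_MSG_ERROR([[***
*** a broken version of gnutls was found; please update to gnutls 3.3.25 or later,
*** or to 3.5.5 or later, or compile with --with-broken-gnutls
***]])
  fi
  AC_MSG_WARN([gnutls_certificate_set_key() is broken in this gnutls; certificate credentials will be leaked on every reload])
  AC_DEFINE([GNUTLS_BROKEN_CERTIFICATE_SET_KEY], [1],
    [gnutls has a broken gnutls_certificate_set_key()])
fi
```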
@@ -537,8 +537,11 @@ void tls_vhost_init(struct vhost_cfg_st *vhost)
 void tls_vhost_deinit(struct vhost_cfg_st *vhost)
 {
+#ifndef GNUTLS_BROKEN_CERTIFICATE_SET_KEY
 if (vhost->creds.xcred != NULL)
 gnutls_certificate_free_credentials(vhost->creds.xcred);
+#endif
+
 if (vhost->creds.pskcred != NULL)
 gnutls_psk_free_server_credentials(vhost->creds.pskcred);
 if (vhost->creds.cprio != NULL)
@@ -942,8 +945,10 @@ void tls_load_files(main_server_st *s, struct vhost_cfg_st *vhost)
 vhost->params_last_access = time(0);
+#ifndef GNUTLS_BROKEN_CERTIFICATE_SET_KEY
 if (vhost->creds.xcred != NULL)
 gnutls_certificate_free_credentials(vhost->creds.xcred);
+#endif
 ret = gnutls_certificate_allocate_credentials(&vhost->creds.xcred);
 GNUTLS_FATAL_ERR(ret);
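Review bot: Both `#ifndef GNUTLS_BROKEN_CERTIFICATE_SET_KEY` blocks, here in tls_vhost_deinit and again in tls_load_files in the second hunk, remove the only call that releases `vhost->creds.xcred`, and neither site says why, so a later reader sees an unconditional credential leak on every deinit and every reload and is likely to "fix" it. A comment at the first site should carry the rationale, e.g. `/* With GNUTLS_BROKEN_CERTIFICATE_SET_KEY the credentials are leaked on purpose: the gnutls versions rejected by configure.ac have cleanup bugs in gnutls_certificate_set_key(), which presumably makes this free unsafe, so tls_load_files allocates a fresh object on each reload instead. */`, with `/* intentionally leaked, see tls_vhost_deinit */` at the second. The leaked object is the one the certificate and key were loaded into, and the leak is per vhost and per reload, so a long-lived server built with the work-around grows without bound on frequent reloads; that consequence belongs in the description of `--with-broken-gnutls` as well. tls_vhost_deinit continues past this hunk, and tls_load_files both starts and ends outside the second one.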