Remove unused configuration options

Specifically GnuTLSClientVerifyMethod (no point without MSVA support), and the long-deprecated and unsupported OpenPGP options.
airtower-luna · Apr 7, 2024 · 2163bd9 · 2163bd9
1 parent a86ec92
commit 2163bd9
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 69 deletions.
diff --git a/include/mod_gnutls.h.in b/include/mod_gnutls.h.in
@@ -57,12 +57,6 @@ extern module AP_MODULE_DECLARE_DATA gnutls_module;
 /* Internal cache data, defined in gnutls_cache.h */
 typedef struct mgs_cache* mgs_cache_t;
 
-// TODO: Only one client verification method left, drop this.
-typedef enum {
-    mgs_cvm_unset,
-    mgs_cvm_cartel,
-} mgs_client_verification_method_e;
-
 
 /* Directory Configuration Record */
 typedef struct {
@@ -155,8 +149,6 @@ typedef struct {
     unsigned int ca_list_size;
 	/* Client Certificate Verification Mode */
     int client_verify_mode;
-	/* Client Certificate Verification Method */
-    mgs_client_verification_method_e client_verify_method;
 
     /* Enable OCSP stapling */
     unsigned char ocsp_staple;
@@ -309,9 +301,6 @@ const char *mgs_set_timeout(cmd_parms *parms, void *dummy, const char *arg);
 const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
                                   const char *arg);
 
-const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy,
-                                         const char *arg);
-
 const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
                                    const char *arg);
 

diff --git a/src/gnutls_config.c b/src/gnutls_config.c
@@ -613,19 +613,6 @@ const char *mgs_set_timeout(cmd_parms * parms,
     return NULL;
 }
 
-const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy __attribute__((unused)),
-        const char *arg) {
-    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)ap_get_module_config(parms->server->module_config, &gnutls_module);
-
-    if (strcasecmp("cartel", arg) == 0) {
-	sc->client_verify_method = mgs_cvm_cartel;
-    } else {
-	return "GnuTLSClientVerifyMethod: Invalid argument";
-    }
-
-    return NULL;
-}
-
 const char *mgs_set_client_verify(cmd_parms * parms,
                                   void *dirconf,
                                   const char *arg) {
@@ -812,7 +799,6 @@ static mgs_srvconf_rec *_mgs_config_server_create(apr_pool_t * p,
     sc->ca_list_size = 0;
     sc->proxy_enabled = GNUTLS_ENABLED_UNSET;
     sc->export_certificates_size = -1;
-    sc->client_verify_method = mgs_cvm_unset;
 
     sc->proxy_x509_key_file = NULL;
     sc->proxy_x509_cert_file = NULL;
@@ -872,7 +858,6 @@ void *mgs_config_server_merge(apr_pool_t * p, void *BASE, void *ADD)
     gnutls_srvconf_merge(tickets, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_merge(proxy_enabled, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_merge(export_certificates_size, -1);
-    gnutls_srvconf_merge(client_verify_method, mgs_cvm_unset);
     gnutls_srvconf_merge(client_verify_mode, -1);
     gnutls_srvconf_merge(x509_cert_file, NULL);
 

diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
@@ -108,16 +108,6 @@ static void gnutls_debug_log_all(int level, const char *str) {
 #define _gnutls_log(...)
 #endif
 
-static const char* mgs_readable_cvm(mgs_client_verification_method_e m) {
-    switch(m) {
-    case mgs_cvm_unset:
-        return "unset";
-    case mgs_cvm_cartel:
-        return "cartel";
-    }
-    return "unknown";
-}
-
 /* Pre-Configuration HOOK: Runs First */
 int mgs_hook_pre_config(apr_pool_t * pconf, apr_pool_t * plog, apr_pool_t * ptemp __attribute__((unused))) {
 
@@ -647,8 +637,6 @@ int mgs_hook_post_config(apr_pool_t *pconf,
             sc->export_certificates_size = 0;
         if (sc->client_verify_mode == -1)
             sc->client_verify_mode = GNUTLS_CERT_IGNORE;
-        if (sc->client_verify_method == mgs_cvm_unset)
-            sc->client_verify_method = mgs_cvm_cartel;
 
         // TODO: None of the stuff below needs to be done if
         // sc->enabled == GNUTLS_ENABLED_FALSE, we could just continue
@@ -1698,25 +1686,12 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) {
                 (cert.x509[0]));
 
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                      "GnuTLS: Verifying list of %d certificate(s) via method '%s'",
-                      ch_size, mgs_readable_cvm(ctxt->sc->client_verify_method));
-        switch(ctxt->sc->client_verify_method) {
-        case mgs_cvm_cartel:
-            rv = gnutls_x509_crt_list_verify(cert.x509, ch_size,
-                                             ctxt->sc->ca_list,
-                                             ctxt->sc->ca_list_size,
-                                             NULL, 0, 0, &status);
-            break;
-        default:
-            /* If this block is reached, that indicates a
-             * configuration error or bug in mod_gnutls (invalid value
-             * of ctxt->sc->client_verify_method). */
-            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                          "GnuTLS: Failed to Verify X.509 Peer: method '%s' is not supported",
-                          mgs_readable_cvm(ctxt->sc->client_verify_method));
-            rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
-        }
-
+                      "GnuTLS: Verifying list of %d certificate(s)",
+                      ch_size);
+        rv = gnutls_x509_crt_list_verify(cert.x509, ch_size,
+                                         ctxt->sc->ca_list,
+                                         ctxt->sc->ca_list_size,
+                                         NULL, 0, 0, &status);
     } else {
         /* Unknown certificate type */
         rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;

diff --git a/src/mod_gnutls.c b/src/mod_gnutls.c
@@ -253,8 +253,6 @@ int ssl_proxy_enable(conn_rec *c)
     return ssl_engine_set(c, NULL, 1, 1);
 }
 
-#define OPENPGP_REMOVED "OpenPGP support has been removed."
-
 static const command_rec mgs_config_cmds[] = {
     AP_INIT_FLAG("GnuTLSProxyEngine", mgs_set_proxy_engine,
     NULL,
@@ -276,10 +274,6 @@ static const command_rec mgs_config_cmds[] = {
     NULL,
     RSRC_CONF | OR_AUTHCFG,
     "Set Verification Requirements of the Client Certificate"),
-    AP_INIT_TAKE1("GnuTLSClientVerifyMethod", mgs_set_client_verify_method,
-    NULL,
-    RSRC_CONF,
-    "Set Verification Method of the Client Certificate"),
     AP_INIT_TAKE1("GnuTLSClientCAFile", mgs_set_client_ca_file,
     NULL,
     RSRC_CONF,
@@ -389,12 +383,6 @@ static const command_rec mgs_config_cmds[] = {
     AP_INIT_TAKE1("GnuTLSOCSPSocketTimeout", mgs_set_timeout,
                   NULL, RSRC_CONF,
                   "Socket timeout for OCSP requests"),
-    AP_INIT_RAW_ARGS("GnuTLSPGPKeyringFile",
-                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
-    AP_INIT_RAW_ARGS("GnuTLSPGPCertificateFile",
-                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
-    AP_INIT_RAW_ARGS("GnuTLSPGPKeyFile",
-                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
     { 0 },
 };