From owner-svn-src-all@FreeBSD.ORG Sat Feb 22 18:55:52 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 2F14AFAB; Sat, 22 Feb 2014 18:55:52 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 18BAF12EF; Sat, 22 Feb 2014 18:55:52 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s1MItqrU097365; Sat, 22 Feb 2014 18:55:52 GMT (envelope-from peter@svn.freebsd.org) Received: (from peter@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s1MIto4x097347; Sat, 22 Feb 2014 18:55:50 GMT (envelope-from peter@svn.freebsd.org) Message-Id: <201402221855.s1MIto4x097347@svn.freebsd.org> From: Peter Wemm Date: Sat, 22 Feb 2014 18:55:50 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r262339 - in stable/10/contrib/serf: . auth buckets build X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 Feb 2014 18:55:52 -0000 Author: peter Date: Sat Feb 22 18:55:49 2014 New Revision: 262339 URL: http://svnweb.freebsd.org/changeset/base/262339 Log: MFC r262324: serf 1.3.4 - improve SSL handling with svn-1.8.8 and other speedups and quality of life fixes. Modified: stable/10/contrib/serf/CHANGES stable/10/contrib/serf/README stable/10/contrib/serf/SConstruct stable/10/contrib/serf/auth/auth.c stable/10/contrib/serf/auth/auth.h stable/10/contrib/serf/auth/auth_basic.c stable/10/contrib/serf/auth/auth_digest.c stable/10/contrib/serf/auth/auth_spnego.c stable/10/contrib/serf/auth/auth_spnego.h stable/10/contrib/serf/auth/auth_spnego_gss.c stable/10/contrib/serf/auth/auth_spnego_sspi.c stable/10/contrib/serf/buckets/headers_buckets.c stable/10/contrib/serf/buckets/response_buckets.c stable/10/contrib/serf/buckets/socket_buckets.c stable/10/contrib/serf/buckets/ssl_buckets.c stable/10/contrib/serf/build/check.py stable/10/contrib/serf/build/gen_def.py stable/10/contrib/serf/build/serf.pc.in stable/10/contrib/serf/context.c stable/10/contrib/serf/outgoing.c stable/10/contrib/serf/serf.h stable/10/contrib/serf/serf_private.h stable/10/contrib/serf/ssltunnel.c Directory Properties: stable/10/ (props changed) Modified: stable/10/contrib/serf/CHANGES ============================================================================== --- stable/10/contrib/serf/CHANGES Sat Feb 22 18:53:42 2014 (r262338) +++ stable/10/contrib/serf/CHANGES Sat Feb 22 18:55:49 2014 (r262339) @@ -1,4 +1,59 @@ -Serf 1.3.0 [2013-07-23, from /tags/1.3.0] +Serf 1.3.4 [2014-02-08, from /tags/1.3.4, rxxxx] + Fix issue #119: Endless loop during ssl tunnel setup with Negotiate authn + Fix issue #123: Can't setup ssl tunnel which sends Connection close header + Fix a race condition when initializing OpenSSL from multiple threads (r2263) + Fix issue #138: Incorrect pkg-config file when GSSAPI isn't configured + + +Serf 1.3.3 [2013-12-09, from /tags/1.3.3, r2242] + Fix issue 129: Try more addresses of multihomed servers + Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE correctly (r2225) + Return APR_TIMEUP from poll() to enable detecting connection timeouts (r2183) + + +Serf 1.3.2 [2013-10-04, from /tags/1.3.2, r2195] + Fix issue 130: HTTP headers should be treated case-insensitively + Fix issue 126: Compilation breaks with Codewarrior compiler + Fix crash during cleanup of SSL buckets in apr_terminate() (r2145) + Fix Windows build: Also export functions with capital letters in .def file + Fix host header when url contains a username or password (r2170) + Ensure less TCP package fragmentation on Windows (r2145) + Handle authentication for responses to HEAD requests (r2178,-9) + Improve serf_get: add option to add request headers, allow url with query, + allow HEAD requests (r2143,r2175,-6) + Improve RFC conformance: don't expect body for certain responses (r2011,-2) + Do not invoke progress callback when no data was received (r2144) + And more test suite fixes and build warning cleanups + SCons-related fixes: + Fix build when GSSAPI not in default include path (2155) + Fix OpenBSD build: always map all LIBPATH entries into RPATH (r2156) + Checksum generation in Windows shared libraries for release builds (2162) + Mac OS X: Use MAJOR version only in dylib install name (r2161) + Use both MAJOR and MINOR version for the shared library name (2163) + Fix the .pc file when installing serf in a non-default LIBDIR (r2191) + + +Serf 1.3.1 [2013-08-15, from /tags/1.3.1, r2138] + Fix issue 77: Endless loop if server doesn't accept Negotiate authentication. + Fix issue 114: ssl/tls renegotiation fails + Fix issue 120: error with ssl tunnel over proxy with KeepAlive off and + Basic authentication. + Fixed bugs with authentication (r2057,2115,2118) + SCons-related fixes: + Fix issue 111: add flag to set custom library path + Fix issue 112: add soname + Fix issue 113: add gssapi libs in the serf pc file + Fix issue 115: Setting RPATH on Solaris broken in SConstruct + Fix issue 116: scons check should return non-zero exit staths + Fix issue 121: make CFLAGS, LIBS, LINKFLAGS and CPPFLAGS take a space- + separated list of flags. + Fix issue 122: make scons PREFIX create the folder if it doesn't exist + Mac OS X: Fix scons --install-sandbox + Solaris: Fix build with cc, don't use unsupported compiler flags + Require SCons version 2.3.0 or higher now (for the soname support). + + +Serf 1.3.0 [2013-07-23, from /tags/1.3.0, r2074] Fix issue 83: use PATH rather than URI within an ssltunnel (r1952) Fix issue 108: improved error reporting from the underlying socket (r1951) NEW: Switch to the SCons build system; retire serfmake, serf.mak, autotools Modified: stable/10/contrib/serf/README ============================================================================== --- stable/10/contrib/serf/README Sat Feb 22 18:53:42 2014 (r262338) +++ stable/10/contrib/serf/README Sat Feb 22 18:55:49 2014 (r262339) @@ -18,14 +18,14 @@ kept to a minimum to provide high perfor 1.1. SCons build system -serf uses SCons 2.x for its build system. If it is not installed on +serf uses SCons 2.3 for its build system. If it is not installed on your system, then you can install it onto your system. If you do not have permissions, then you can download and install the "local" version into your home directory. When installed privately, simply create a symlink for 'scons' in your PATH to /path/to/scons/scons.py. Fetch the scons-local package: - http://prdownloads.sourceforge.net/scons/scons-local-2.0.1.tar.gz + http://prdownloads.sourceforge.net/scons/scons-local-2.3.0.tar.gz 1.2 Building serf @@ -54,6 +54,12 @@ distinct directory from the source), you $ scons -Y /path/to/serf/source +If you plan to install the library on a system that uses different +paths for architecture dependent files, specify LIBDIR. LIBDIR defaults +to /usr/local/lib otherwise. Example for a 64 bit GNU/Linux system: + +$ scons PREFIX=/usr/ LIBDIR=/usr/lib64 + At any point, the current settings can be examined: $ scons --help @@ -74,6 +80,13 @@ specified on the install command line: $ scons PREFIX=/some/path install +Distribution package maintainers regulary install to a buildroot, and +would normally use something like below in their build systems, with +placeholders for the specific paths: + +$ scons PREFIX=/usr/ LIBDIR=/usr/lib64 +$ scons install --install-sandbox=/path/to/buildroot + 1.4 Cleaning up the build Modified: stable/10/contrib/serf/SConstruct ============================================================================== --- stable/10/contrib/serf/SConstruct Sat Feb 22 18:53:42 2014 (r262338) +++ stable/10/contrib/serf/SConstruct Sat Feb 22 18:55:49 2014 (r262339) @@ -19,6 +19,8 @@ import sys import os import re +EnsureSConsVersion(2,3,0) + HEADER_FILES = ['serf.h', 'serf_bucket_types.h', 'serf_bucket_util.h', @@ -34,23 +36,35 @@ def _converter(val): if val == 'none': val = [] else: - val = val.split(',') + val = val.split(' ') return val def RawListVariable(key, help, default): """ The input parameters describe a 'raw string list' option. This class - accepts a comma separated list and converts it to a space separated - list. + accepts a space-separated string and converts it to a list. """ return (key, '%s' % (help), default, None, lambda val: _converter(val)) +# Custom path validator, creates directory when a specified option is set. +# To be used to ensure a PREFIX directory is only created when installing. +def createPathIsDirCreateWithTarget(target): + def my_validator(key, val, env): + build_targets = (map(str, BUILD_TARGETS)) + if target in build_targets: + return PathVariable.PathIsDirCreate(key, val, env) + else: + return PathVariable.PathAccept(key, val, env) + return my_validator + # default directories if sys.platform == 'win32': + default_incdir='..' default_libdir='..' default_prefix='Debug' else: - default_libdir='/usr' + default_incdir='/usr' + default_libdir='$PREFIX/lib' default_prefix='/usr/local' opts = Variables(files=[SAVED_CONFIG]) @@ -58,22 +72,26 @@ opts.AddVariables( PathVariable('PREFIX', 'Directory to install under', default_prefix, - PathVariable.PathIsDir), + createPathIsDirCreateWithTarget('install')), + PathVariable('LIBDIR', + 'Directory to install architecture dependent libraries under', + default_libdir, + createPathIsDirCreateWithTarget('install')), PathVariable('APR', "Path to apr-1-config, or to APR's install area", - default_libdir, + default_incdir, PathVariable.PathAccept), PathVariable('APU', "Path to apu-1-config, or to APR's install area", - default_libdir, + default_incdir, PathVariable.PathAccept), PathVariable('OPENSSL', "Path to OpenSSL's install area", - default_libdir, + default_incdir, PathVariable.PathIsDir), PathVariable('ZLIB', "Path to zlib's install area", - default_libdir, + default_incdir, PathVariable.PathIsDir), PathVariable('GSSAPI', "Path to GSSAPI's install area", @@ -86,14 +104,14 @@ opts.AddVariables( "Enable using a static compiled APR", False), RawListVariable('CC', "Command name or path of the C compiler", None), - RawListVariable('CFLAGS', "Extra flags for the C compiler (comma separated)", + RawListVariable('CFLAGS', "Extra flags for the C compiler (space-separated)", None), RawListVariable('LIBS', "Extra libraries passed to the linker, " - "e.g. -l (comma separated)", None), - RawListVariable('LINKFLAGS', "Extra flags for the linker (comma separated)", + "e.g. \"-l -l\" (space separated)", None), + RawListVariable('LINKFLAGS', "Extra flags for the linker (space-separated)", None), RawListVariable('CPPFLAGS', "Extra flags for the C preprocessor " - "(comma separated)", None), + "(space separated)", None), ) if sys.platform == 'win32': @@ -146,6 +164,8 @@ match = re.search('SERF_MAJOR_VERSION ([ re.DOTALL) MAJOR, MINOR, PATCH = [int(x) for x in match.groups()] env.Append(MAJOR=str(MAJOR)) +env.Append(MINOR=str(MINOR)) +env.Append(PATCH=str(PATCH)) # Calling external programs is okay if we're not cleaning or printing help. # (cleaning: no sense in fetching information; help: we may not know where @@ -181,10 +201,18 @@ opts.Save(SAVED_CONFIG, env) # PLATFORM-SPECIFIC BUILD TWEAKS thisdir = os.getcwd() -libdir = '$PREFIX/lib' +libdir = '$LIBDIR' incdir = '$PREFIX/include/serf-$MAJOR' -LIBNAME = 'libserf-${MAJOR}' +# This version string is used in the dynamic library name, and for Mac OS X also +# for the current_version and compatibility_version options in the .dylib +# +# Unfortunately we can't set the .dylib compatibility_version option separately +# from current_version, so don't use the PATCH level to avoid that build and +# runtime patch levels have to be identical. +env['SHLIBVERSION'] = '%d.%d.%d' % (MAJOR, MINOR, 0) + +LIBNAME = 'libserf-%d' % (MAJOR,) if sys.platform != 'win32': LIBNAMESTATIC = LIBNAME else: @@ -196,23 +224,17 @@ env.Append(RPATH=libdir, if sys.platform == 'darwin': # linkflags.append('-Wl,-install_name,@executable_path/%s.dylib' % (LIBNAME,)) env.Append(LINKFLAGS='-Wl,-install_name,%s/%s.dylib' % (thisdir, LIBNAME,)) - # 'man ld' says positive non-zero for the first number, so we add one. - # Mac's interpretation of compatibility is the same as our MINOR version. - env.Append(LINKFLAGS='-Wl,-compatibility_version,%d' % (MINOR+1,)) - env.Append(LINKFLAGS='-Wl,-current_version,%d.%d' % (MINOR+1, PATCH,)) if sys.platform != 'win32': ### gcc only. figure out appropriate test / better way to check these ### flags, and check for gcc. env.Append(CFLAGS='-std=c89') - env.Append(CCFLAGS=[ - '-Wdeclaration-after-statement', - '-Wmissing-prototypes', - ]) - ### -Wall is not available on Solaris + ### These warnings are not available on Solaris if sys.platform != 'sunos5': - env.Append(CCFLAGS='-Wall') + env.Append(CCFLAGS=['-Wdeclaration-after-statement', + '-Wmissing-prototypes', + '-Wall']) if debug: env.Append(CCFLAGS='-g') @@ -239,6 +261,7 @@ else: # Optimize for speed, use DLL runtime env.Append(CCFLAGS=['/O2', '/MD']) env.Append(CPPDEFINES='NDEBUG') + env.Append(LINKFLAGS='/RELEASE') # PLAN THE BUILD SHARED_SOURCES = [] @@ -334,28 +357,32 @@ else: # If build with gssapi, get its information and define SERF_HAVE_GSSAPI if gssapi and CALLOUT_OKAY: - env.ParseConfig('$GSSAPI --libs gssapi') + env.ParseConfig('$GSSAPI --cflags gssapi') + def parse_libs(env, cmd, unique=1): + env['GSSAPI_LIBS'] = cmd.strip() + return env.MergeFlags(cmd, unique) + env.ParseConfig('$GSSAPI --libs gssapi', parse_libs) env.Append(CPPDEFINES='SERF_HAVE_GSSAPI') if sys.platform == 'win32': env.Append(CPPDEFINES=['SERF_HAVE_SSPI']) -# On Solaris, the -R values that APR describes never make it into actual +# On some systems, the -R values that APR describes never make it into actual # RPATH flags. We'll manually map all directories in LIBPATH into new # flags to set RPATH values. -if sys.platform == 'sunos5': - for d in env['LIBPATH']: - env.Append(RPATH=d) +for d in env['LIBPATH']: + env.Append(RPATH=':'+d) # Set up the construction of serf-*.pc -# TODO: add gssapi libs pkgconfig = env.Textfile('serf-%d.pc' % (MAJOR,), env.File('build/serf.pc.in'), SUBST_DICT = { '@MAJOR@': str(MAJOR), '@PREFIX@': '$PREFIX', + '@LIBDIR@': '$LIBDIR', '@INCLUDE_SUBDIR@': 'serf-%d' % (MAJOR,), '@VERSION@': '%d.%d.%d' % (MAJOR, MINOR, PATCH), - '@LIBS@': '%s %s -lz' % (apu_libs, apr_libs), + '@LIBS@': '%s %s %s -lz' % (apu_libs, apr_libs, + env.get('GSSAPI_LIBS', '')), }) env.Default(lib_static, lib_shared, pkgconfig) @@ -371,16 +398,22 @@ if CALLOUT_OKAY: # INSTALLATION STUFF install_static = env.Install(libdir, lib_static) -install_shared = env.Install(libdir, lib_shared) +install_shared = env.InstallVersionedLib(libdir, lib_shared) if sys.platform == 'darwin': + # Change the shared library install name (id) to its final name and location. + # Notes: + # If --install-sandbox= is specified, install_shared_path will point + # to a path in the sandbox. We can't use that path because the sandbox is + # only a temporary location. The id should be the final target path. + # Also, we shouldn't use the complete version number for id, as that'll + # make applications depend on the exact major.minor.patch version of serf. + install_shared_path = install_shared[0].abspath + target_install_shared_path = os.path.join(libdir, '%s.dylib' % LIBNAME) env.AddPostAction(install_shared, ('install_name_tool -id %s %s' - % (install_shared_path, + % (target_install_shared_path, install_shared_path))) - ### construct shared lib symlinks. this also means install the lib - ### as libserf-2.1.0.0.dylib, then add the symlinks. - ### note: see InstallAs env.Alias('install-lib', [install_static, install_shared, ]) Modified: stable/10/contrib/serf/auth/auth.c ============================================================================== --- stable/10/contrib/serf/auth/auth.c Sat Feb 22 18:53:42 2014 (r262338) +++ stable/10/contrib/serf/auth/auth.c Sat Feb 22 18:55:49 2014 (r262339) @@ -23,7 +23,8 @@ #include static apr_status_t -default_auth_response_handler(peer_t peer, +default_auth_response_handler(const serf__authn_scheme_t *scheme, + peer_t peer, int code, serf_connection_t *conn, serf_request_t *request, @@ -151,6 +152,17 @@ static int handle_auth_headers(int code, if (!auth_hdr) continue; + if (code == 401) { + authn_info = serf__get_authn_info_for_server(conn); + } else { + authn_info = &ctx->proxy_authn_info; + } + + if (authn_info->failed_authn_types & scheme->type) { + /* Skip this authn type since we already tried it before. */ + continue; + } + /* Found a matching scheme */ status = APR_SUCCESS; @@ -159,11 +171,6 @@ static int handle_auth_headers(int code, serf__log_skt(AUTH_VERBOSE, __FILE__, conn->skt, "... matched: %s\n", scheme->name); - if (code == 401) { - authn_info = serf__get_authn_info_for_server(conn); - } else { - authn_info = &ctx->proxy_authn_info; - } /* If this is the first time we use this scheme on this context and/or this connection, make sure to initialize the authentication handler first. */ @@ -198,6 +205,12 @@ static int handle_auth_headers(int code, */ serf__log_skt(AUTH_VERBOSE, __FILE__, conn->skt, "%s authentication failed.\n", scheme->name); + + /* Clear per-request auth_baton when switching to next auth scheme. */ + request->auth_baton = NULL; + + /* Remember failed auth types to skip in future. */ + authn_info->failed_authn_types |= scheme->type; } return status; @@ -221,7 +234,7 @@ static int store_header_in_dict(void *ba char *auth_name, *c; /* We're only interested in xxxx-Authenticate headers. */ - if (strcmp(key, ab->header) != 0) + if (strcasecmp(key, ab->header) != 0) return 0; /* Extract the authentication scheme name. */ @@ -378,16 +391,16 @@ apr_status_t serf__handle_auth_response( authn_info = serf__get_authn_info_for_server(conn); if (authn_info->scheme) { validate_resp = authn_info->scheme->validate_response_func; - resp_status = validate_resp(HOST, sl.code, conn, request, response, - pool); + resp_status = validate_resp(authn_info->scheme, HOST, sl.code, + conn, request, response, pool); } /* Validate the response proxy authn headers. */ authn_info = &ctx->proxy_authn_info; if (!resp_status && authn_info->scheme) { validate_resp = authn_info->scheme->validate_response_func; - resp_status = validate_resp(PROXY, sl.code, conn, request, response, - pool); + resp_status = validate_resp(authn_info->scheme, PROXY, sl.code, + conn, request, response, pool); } if (resp_status) { Modified: stable/10/contrib/serf/auth/auth.h ============================================================================== --- stable/10/contrib/serf/auth/auth.h Sat Feb 22 18:53:42 2014 (r262338) +++ stable/10/contrib/serf/auth/auth.h Sat Feb 22 18:55:49 2014 (r262339) @@ -78,7 +78,8 @@ apr_status_t serf__setup_request_digest_ const char *method, const char *uri, serf_bucket_t *hdrs_bkt); -apr_status_t serf__validate_response_digest_auth(peer_t peer, +apr_status_t serf__validate_response_digest_auth(const serf__authn_scheme_t *scheme, + peer_t peer, int code, serf_connection_t *conn, serf_request_t *request, @@ -108,7 +109,8 @@ apr_status_t serf__setup_request_spnego_ const char *method, const char *uri, serf_bucket_t *hdrs_bkt); -apr_status_t serf__validate_response_spnego_auth(peer_t peer, +apr_status_t serf__validate_response_spnego_auth(const serf__authn_scheme_t *scheme, + peer_t peer, int code, serf_connection_t *conn, serf_request_t *request, Modified: stable/10/contrib/serf/auth/auth_basic.c ============================================================================== --- stable/10/contrib/serf/auth/auth_basic.c Sat Feb 22 18:53:42 2014 (r262338) +++ stable/10/contrib/serf/auth/auth_basic.c Sat Feb 22 18:55:49 2014 (r262339) @@ -48,7 +48,7 @@ serf__handle_basic_auth(int code, apr_status_t status; apr_pool_t *cred_pool; char *username, *password, *realm_name; - const char *eq, *realm; + const char *eq, *realm = NULL; /* Can't do Basic authentication if there's no callback to get username & password. */ Modified: stable/10/contrib/serf/auth/auth_digest.c ============================================================================== --- stable/10/contrib/serf/auth/auth_digest.c Sat Feb 22 18:53:42 2014 (r262338) +++ stable/10/contrib/serf/auth/auth_digest.c Sat Feb 22 18:55:49 2014 (r262339) @@ -96,8 +96,9 @@ random_cnonce(apr_pool_t *pool) return hex_encode((unsigned char*)buf, pool); } -static const char * -build_digest_ha1(const char *username, +static apr_status_t +build_digest_ha1(const char **out_ha1, + const char *username, const char *password, const char *realm_name, apr_pool_t *pool) @@ -113,12 +114,17 @@ build_digest_ha1(const char *username, realm_name, password); status = apr_md5(ha1, tmp, strlen(tmp)); + if (status) + return status; + + *out_ha1 = hex_encode(ha1, pool); - return hex_encode(ha1, pool); + return APR_SUCCESS; } -static const char * -build_digest_ha2(const char *uri, +static apr_status_t +build_digest_ha2(const char **out_ha2, + const char *uri, const char *method, const char *qop, apr_pool_t *pool) @@ -134,17 +140,21 @@ build_digest_ha2(const char *uri, method, uri); status = apr_md5(ha2, tmp, strlen(tmp)); + if (status) + return status; - return hex_encode(ha2, pool); + *out_ha2 = hex_encode(ha2, pool); + + return APR_SUCCESS; } else { /* TODO: auth-int isn't supported! */ + return APR_ENOTIMPL; } - - return NULL; } -static const char * -build_auth_header(digest_authn_info_t *digest_info, +static apr_status_t +build_auth_header(const char **out_header, + digest_authn_info_t *digest_info, const char *path, const char *method, apr_pool_t *pool) @@ -156,7 +166,9 @@ build_auth_header(digest_authn_info_t *d const char *response_hdr_hex; apr_status_t status; - ha2 = build_digest_ha2(path, method, digest_info->qop, pool); + status = build_digest_ha2(&ha2, path, method, digest_info->qop, pool); + if (status) + return status; hdr = apr_psprintf(pool, "Digest realm=\"%s\"," @@ -194,6 +206,9 @@ build_auth_header(digest_authn_info_t *d } status = apr_md5(response_hdr, response, strlen(response)); + if (status) + return status; + response_hdr_hex = hex_encode(response_hdr, pool); hdr = apr_psprintf(pool, "%s, response=\"%s\"", hdr, response_hdr_hex); @@ -207,7 +222,9 @@ build_auth_header(digest_authn_info_t *d digest_info->algorithm); } - return hdr; + *out_header = hdr; + + return APR_SUCCESS; } apr_status_t @@ -330,8 +347,8 @@ serf__handle_digest_auth(int code, digest_info->username = apr_pstrdup(digest_info->pool, username); digest_info->digest_nc++; - digest_info->ha1 = build_digest_ha1(username, password, digest_info->realm, - digest_info->pool); + status = build_digest_ha1(&digest_info->ha1, username, password, + digest_info->realm, digest_info->pool); apr_pool_destroy(cred_pool); @@ -339,7 +356,7 @@ serf__handle_digest_auth(int code, likes. */ serf_connection_set_max_outstanding_requests(conn, 0); - return APR_SUCCESS; + return status; } apr_status_t @@ -387,7 +404,7 @@ serf__setup_request_digest_auth(peer_t p serf_context_t *ctx = conn->ctx; serf__authn_info_t *authn_info; digest_authn_info_t *digest_info; - apr_status_t status = APR_SUCCESS; + apr_status_t status; if (peer == HOST) { authn_info = serf__get_authn_info_for_server(conn); @@ -421,8 +438,10 @@ serf__setup_request_digest_auth(peer_t p /* Build a new Authorization header. */ digest_info->header = (peer == HOST) ? "Authorization" : "Proxy-Authorization"; - value = build_auth_header(digest_info, path, method, - conn->pool); + status = build_auth_header(&value, digest_info, path, method, + conn->pool); + if (status) + return status; serf_bucket_headers_setn(hdrs_bkt, digest_info->header, value); @@ -431,14 +450,15 @@ serf__setup_request_digest_auth(peer_t p /* Store the uri of this request on the serf_request_t object, to make it available when validating the Authentication-Info header of the matching response. */ - request->auth_baton = path; + request->auth_baton = (void *)path; } - return status; + return APR_SUCCESS; } apr_status_t -serf__validate_response_digest_auth(peer_t peer, +serf__validate_response_digest_auth(const serf__authn_scheme_t *scheme, + peer_t peer, int code, serf_connection_t *conn, serf_request_t *request, @@ -453,6 +473,7 @@ serf__validate_response_digest_auth(peer const char *nc_str = NULL; serf_bucket_t *hdrs; serf_context_t *ctx = conn->ctx; + apr_status_t status; hdrs = serf_bucket_response_get_headers(response); @@ -516,7 +537,10 @@ serf__validate_response_digest_auth(peer } digest_info = authn_info->baton; - ha2 = build_digest_ha2(req_uri, "", qop, pool); + status = build_digest_ha2(&ha2, req_uri, "", qop, pool); + if (status) + return status; + tmp = apr_psprintf(pool, "%s:%s:%s:%s:%s:%s", digest_info->ha1, digest_info->nonce, nc_str, digest_info->cnonce, digest_info->qop, ha2); Modified: stable/10/contrib/serf/auth/auth_spnego.c ============================================================================== --- stable/10/contrib/serf/auth/auth_spnego.c Sat Feb 22 18:53:42 2014 (r262338) +++ stable/10/contrib/serf/auth/auth_spnego.c Sat Feb 22 18:55:49 2014 (r262339) @@ -181,7 +181,8 @@ typedef struct claim to be. The session key can only be used with the HTTP service on the target host. */ static apr_status_t -gss_api_get_credentials(char *token, apr_size_t token_len, +gss_api_get_credentials(serf_connection_t *conn, + char *token, apr_size_t token_len, const char *hostname, const char **buf, apr_size_t *buf_len, gss_authn_info_t *gss_info) @@ -202,6 +203,7 @@ gss_api_get_credentials(char *token, apr /* Establish a security context to the server. */ status = serf__spnego_init_sec_context( + conn, gss_info->gss_ctx, KRB_HTTP_SERVICE, hostname, &input_buf, @@ -212,7 +214,11 @@ gss_api_get_credentials(char *token, apr switch(status) { case APR_SUCCESS: - gss_info->state = gss_api_auth_completed; + if (output_buf.length == 0) { + gss_info->state = gss_api_auth_completed; + } else { + gss_info->state = gss_api_auth_in_progress; + } break; case APR_EAGAIN: gss_info->state = gss_api_auth_in_progress; @@ -242,6 +248,7 @@ do_auth(peer_t peer, int code, gss_authn_info_t *gss_info, serf_connection_t *conn, + serf_request_t *request, const char *auth_hdr, apr_pool_t *pool) { @@ -306,6 +313,14 @@ do_auth(peer_t peer, break; } + if (request->auth_baton && !token) { + /* We provided token with this request, but server responded with empty + authentication header. This means server rejected our credentials. + XXX: Probably we need separate error code for this case like + SERF_ERROR_AUTHN_CREDS_REJECTED? */ + return SERF_ERROR_AUTHN_FAILED; + } + /* If the server didn't provide us with a token, start with a new initial step in the SPNEGO authentication. */ if (!token) { @@ -314,14 +329,16 @@ do_auth(peer_t peer, } if (peer == HOST) { - status = gss_api_get_credentials(token, token_len, + status = gss_api_get_credentials(conn, + token, token_len, conn->host_info.hostname, &tmp, &tmp_len, gss_info); } else { char *proxy_host; apr_getnameinfo(&proxy_host, conn->ctx->proxy_address, 0); - status = gss_api_get_credentials(token, token_len, proxy_host, + status = gss_api_get_credentials(conn, + token, token_len, proxy_host, &tmp, &tmp_len, gss_info); } @@ -357,24 +374,32 @@ serf__init_spnego_connection(const serf_ serf_connection_t *conn, apr_pool_t *pool) { - gss_authn_info_t *gss_info; - apr_status_t status; - - gss_info = apr_pcalloc(conn->pool, sizeof(*gss_info)); - gss_info->pool = conn->pool; - gss_info->state = gss_api_auth_not_started; - gss_info->pstate = pstate_init; - status = serf__spnego_create_sec_context(&gss_info->gss_ctx, scheme, - gss_info->pool, pool); - - if (status) { - return status; - } + serf_context_t *ctx = conn->ctx; + serf__authn_info_t *authn_info; + gss_authn_info_t *gss_info = NULL; + /* For proxy authentication, reuse the gss context for all connections. + For server authentication, create a new gss context per connection. */ if (code == 401) { - conn->authn_baton = gss_info; + authn_info = &conn->authn_info; } else { - conn->proxy_authn_baton = gss_info; + authn_info = &ctx->proxy_authn_info; + } + gss_info = authn_info->baton; + + if (!gss_info) { + apr_status_t status; + + gss_info = apr_pcalloc(conn->pool, sizeof(*gss_info)); + gss_info->pool = conn->pool; + gss_info->state = gss_api_auth_not_started; + gss_info->pstate = pstate_init; + status = serf__spnego_create_sec_context(&gss_info->gss_ctx, scheme, + gss_info->pool, pool); + if (status) { + return status; + } + authn_info->baton = gss_info; } /* Make serf send the initial requests one by one */ @@ -397,13 +422,15 @@ serf__handle_spnego_auth(int code, apr_pool_t *pool) { serf_connection_t *conn = request->conn; - gss_authn_info_t *gss_info = (code == 401) ? conn->authn_baton : - conn->proxy_authn_baton; + serf_context_t *ctx = conn->ctx; + gss_authn_info_t *gss_info = (code == 401) ? conn->authn_info.baton : + ctx->proxy_authn_info.baton; return do_auth(code == 401 ? HOST : PROXY, code, gss_info, request->conn, + request, auth_hdr, pool); } @@ -418,8 +445,9 @@ serf__setup_request_spnego_auth(peer_t p const char *uri, serf_bucket_t *hdrs_bkt) { - gss_authn_info_t *gss_info = (peer == HOST) ? conn->authn_baton : - conn->proxy_authn_baton; + serf_context_t *ctx = conn->ctx; + gss_authn_info_t *gss_info = (peer == HOST) ? conn->authn_info.baton : + ctx->proxy_authn_info.baton; /* If we have an ongoing authentication handshake, the handler of the previous response will have created the authn headers for this request @@ -431,6 +459,10 @@ serf__setup_request_spnego_auth(peer_t p serf_bucket_headers_setn(hdrs_bkt, gss_info->header, gss_info->value); + /* Remember that we're using this request for authentication + handshake. */ + request->auth_baton = (void*) TRUE; + /* We should send each token only once. */ gss_info->header = NULL; gss_info->value = NULL; @@ -469,6 +501,7 @@ serf__setup_request_spnego_auth(peer_t p code, gss_info, conn, + request, 0l, /* no response authn header */ conn->pool); if (status) @@ -476,6 +509,11 @@ serf__setup_request_spnego_auth(peer_t p serf_bucket_headers_setn(hdrs_bkt, gss_info->header, gss_info->value); + + /* Remember that we're using this request for authentication + handshake. */ + request->auth_baton = (void*) TRUE; + /* We should send each token only once. */ gss_info->header = NULL; gss_info->value = NULL; @@ -486,19 +524,70 @@ serf__setup_request_spnego_auth(peer_t p return APR_SUCCESS; } +/** + * Baton passed to the get_auth_header callback function. + */ +typedef struct { + const char *hdr_name; + const char *auth_name; + const char *hdr_value; + apr_pool_t *pool; +} get_auth_header_baton_t; + +static int +get_auth_header_cb(void *baton, + const char *key, + const char *header) +{ + get_auth_header_baton_t *b = baton; + + /* We're only interested in xxxx-Authenticate headers. */ + if (strcasecmp(key, b->hdr_name) != 0) + return 0; + + /* Check if header value starts with interesting auth name. */ + if (strncmp(header, b->auth_name, strlen(b->auth_name)) == 0) { + /* Save interesting header value and stop iteration. */ + b->hdr_value = apr_pstrdup(b->pool, header); + return 1; + } + + return 0; +} + +static const char * +get_auth_header(serf_bucket_t *hdrs, + const char *hdr_name, + const char *auth_name, + apr_pool_t *pool) +{ + get_auth_header_baton_t b; + + b.auth_name = hdr_name; + b.hdr_name = auth_name; + b.hdr_value = NULL; + b.pool = pool; + + serf_bucket_headers_do(hdrs, get_auth_header_cb, &b); + + return b.hdr_value; +} + /* Function is called when 2xx responses are received. Normally we don't * have to do anything, except for the first response after the * authentication handshake. This specific response includes authentication * data which should be validated by the client (mutual authentication). */ apr_status_t -serf__validate_response_spnego_auth(peer_t peer, +serf__validate_response_spnego_auth(const serf__authn_scheme_t *scheme, + peer_t peer, int code, serf_connection_t *conn, serf_request_t *request, serf_bucket_t *response, apr_pool_t *pool) { + serf_context_t *ctx = conn->ctx; gss_authn_info_t *gss_info; const char *auth_hdr_name; @@ -511,10 +600,10 @@ serf__validate_response_spnego_auth(peer "Validate Negotiate response header.\n"); if (peer == HOST) { - gss_info = conn->authn_baton; + gss_info = conn->authn_info.baton; auth_hdr_name = "WWW-Authenticate"; } else { - gss_info = conn->proxy_authn_baton; + gss_info = ctx->proxy_authn_info.baton; auth_hdr_name = "Proxy-Authenticate"; } @@ -524,11 +613,23 @@ serf__validate_response_spnego_auth(peer apr_status_t status; hdrs = serf_bucket_response_get_headers(response); - auth_hdr_val = serf_bucket_headers_get(hdrs, auth_hdr_name); + auth_hdr_val = get_auth_header(hdrs, auth_hdr_name, scheme->name, + pool); - status = do_auth(peer, code, gss_info, conn, auth_hdr_val, pool); - if (status) - return status; + if (auth_hdr_val) { + status = do_auth(peer, code, gss_info, conn, request, auth_hdr_val, + pool); + if (status) { + return status; + } + } else { + /* No Authenticate headers, nothing to validate: authentication + completed.*/ + gss_info->state = gss_api_auth_completed; + + serf__log_skt(AUTH_VERBOSE, __FILE__, conn->skt, + "SPNEGO handshake completed.\n"); + } } if (gss_info->state == gss_api_auth_completed) { Modified: stable/10/contrib/serf/auth/auth_spnego.h ============================================================================== --- stable/10/contrib/serf/auth/auth_spnego.h Sat Feb 22 18:53:42 2014 (r262338) +++ stable/10/contrib/serf/auth/auth_spnego.h Sat Feb 22 18:55:49 2014 (r262339) @@ -88,14 +88,15 @@ serf__spnego_create_sec_context(serf__sp * Other returns values indicates error. */ apr_status_t -serf__spnego_init_sec_context(serf__spnego_context_t *ctx, - const char *service, - const char *hostname, - serf__spnego_buffer_t *input_buf, - serf__spnego_buffer_t *output_buf, - apr_pool_t *result_pool, - apr_pool_t *scratch_pool - ); +serf__spnego_init_sec_context(serf_connection_t *conn, + serf__spnego_context_t *ctx, + const char *service, + const char *hostname, + serf__spnego_buffer_t *input_buf, + serf__spnego_buffer_t *output_buf, + apr_pool_t *result_pool, + apr_pool_t *scratch_pool + ); /* * Reset a previously created security context so we can start with a new one. Modified: stable/10/contrib/serf/auth/auth_spnego_gss.c ============================================================================== --- stable/10/contrib/serf/auth/auth_spnego_gss.c Sat Feb 22 18:53:42 2014 (r262338) +++ stable/10/contrib/serf/auth/auth_spnego_gss.c Sat Feb 22 18:55:49 2014 (r262339) @@ -43,7 +43,7 @@ struct serf__spnego_context_t }; static void -log_error(int verbose_flag, const char *filename, +log_error(int verbose_flag, apr_socket_t *skt, serf__spnego_context_t *ctx, OM_uint32 err_maj_stat, OM_uint32 err_min_stat, @@ -70,7 +70,7 @@ log_error(int verbose_flag, const char * &stat_buff); } - serf__log(verbose_flag, filename, + serf__log_skt(verbose_flag, __FILE__, skt, "%s (%x,%d): %s\n", msg, err_maj_stat, err_min_stat, stat_buff.value); } @@ -89,7 +89,7 @@ cleanup_ctx(void *data) gss_maj_stat = gss_delete_sec_context(&gss_min_stat, &ctx->gss_ctx, GSS_C_NO_BUFFER); if(GSS_ERROR(gss_maj_stat)) { - log_error(AUTH_VERBOSE, __FILE__, ctx, + log_error(AUTH_VERBOSE, NULL, ctx, gss_maj_stat, gss_min_stat, "Error cleaning up GSS security context"); return SERF_ERROR_AUTHN_FAILED; @@ -146,7 +146,8 @@ serf__spnego_reset_sec_context(serf__spn } apr_status_t -serf__spnego_init_sec_context(serf__spnego_context_t *ctx, +serf__spnego_init_sec_context(serf_connection_t *conn, + serf__spnego_context_t *ctx, const char *service, const char *hostname, serf__spnego_buffer_t *input_buf, *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***