Date: Fri, 2 Aug 2013 19:21:47 +0000 (UTC) From: Peter Wemm <peter@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r253895 - in head: contrib/serf contrib/serf/auth contrib/serf/buckets contrib/serf/build usr.bin/svn/lib/libserf Message-ID: <201308021921.r72JLlLp072113@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: peter Date: Fri Aug 2 19:21:46 2013 New Revision: 253895 URL: http://svnweb.freebsd.org/changeset/base/253895 Log: Update serf 1.2.1 -> 1.3.0 for svn Added: head/contrib/serf/SConstruct - copied unchanged from r253894, vendor/serf/dist/SConstruct head/contrib/serf/auth/auth_spnego.c - copied unchanged from r253894, vendor/serf/dist/auth/auth_spnego.c head/contrib/serf/auth/auth_spnego.h - copied unchanged from r253894, vendor/serf/dist/auth/auth_spnego.h head/contrib/serf/auth/auth_spnego_gss.c - copied unchanged from r253894, vendor/serf/dist/auth/auth_spnego_gss.c head/contrib/serf/auth/auth_spnego_sspi.c - copied unchanged from r253894, vendor/serf/dist/auth/auth_spnego_sspi.c head/contrib/serf/build/check.py - copied unchanged from r253894, vendor/serf/dist/build/check.py head/contrib/serf/build/serf.pc.in - copied unchanged from r253894, vendor/serf/dist/build/serf.pc.in Deleted: head/contrib/serf/Makefile.in head/contrib/serf/auth/auth_kerb.c head/contrib/serf/auth/auth_kerb.h head/contrib/serf/auth/auth_kerb_gss.c head/contrib/serf/auth/auth_kerb_sspi.c head/contrib/serf/build/apr_common.m4 head/contrib/serf/build/config.guess head/contrib/serf/build/config.sub head/contrib/serf/build/find_apr.m4 head/contrib/serf/build/find_apu.m4 head/contrib/serf/build/get-version.sh head/contrib/serf/build/install.sh head/contrib/serf/build/serf.def head/contrib/serf/buildconf head/contrib/serf/config.layout head/contrib/serf/configure head/contrib/serf/configure.in head/contrib/serf/serf.mak head/contrib/serf/serf.pc.in head/contrib/serf/serfmake Modified: head/contrib/serf/CHANGES head/contrib/serf/README head/contrib/serf/auth/auth.c head/contrib/serf/auth/auth.h head/contrib/serf/auth/auth_basic.c head/contrib/serf/auth/auth_digest.c head/contrib/serf/buckets/aggregate_buckets.c head/contrib/serf/buckets/buckets.c head/contrib/serf/buckets/dechunk_buckets.c head/contrib/serf/buckets/headers_buckets.c head/contrib/serf/buckets/limit_buckets.c head/contrib/serf/buckets/request_buckets.c head/contrib/serf/buckets/response_buckets.c head/contrib/serf/buckets/simple_buckets.c head/contrib/serf/buckets/ssl_buckets.c head/contrib/serf/build/gen_def.py head/contrib/serf/context.c head/contrib/serf/incoming.c head/contrib/serf/outgoing.c head/contrib/serf/serf.h head/contrib/serf/serf_bucket_types.h head/contrib/serf/serf_bucket_util.h head/contrib/serf/serf_private.h head/contrib/serf/ssltunnel.c head/usr.bin/svn/lib/libserf/Makefile Directory Properties: head/contrib/serf/ (props changed) Modified: head/contrib/serf/CHANGES ============================================================================== --- head/contrib/serf/CHANGES Fri Aug 2 19:14:25 2013 (r253894) +++ head/contrib/serf/CHANGES Fri Aug 2 19:21:46 2013 (r253895) @@ -1,4 +1,20 @@ -Serf 1.2.1 [2013-06-03, from /tags/1.2.1] +Serf 1.3.0 [2013-07-23, from /tags/1.3.0] + Fix issue 83: use PATH rather than URI within an ssltunnel (r1952) + Fix issue 108: improved error reporting from the underlying socket (r1951) + NEW: Switch to the SCons build system; retire serfmake, serf.mak, autotools + Improved Basic and Digest authentication: + - remember credentials on a per-server basis + - properly manage authentication realms + - continue functioning when a server sets KeepAlive: off + Windows: add support for NTLM authentication + Improved 2617 compliance: always use strongest authentication (r1968,1971) + Fixed bugs with proxy authentication and SSL tunneling through a proxy + Fixed bugs the response parser (r2032,r2036) + SSL connection performance improvements + Huge expansion of the test suite + + +Serf 1.2.1 [2013-06-03, from /tags/1.2.1, r1906] Fix issue 95: add gssapi switches to configure (r1864, r1900) Fix issue 97: skip mmap bucket if APR_HAS_MMAP is undefined (r1877) Fix issue 100: building against an old Windows Platform SDK (r1881) @@ -19,7 +35,7 @@ Serf 1.2.0 [2013-02-22, from /tags/1.2.0 Fixed issue 93: cleanup-after-fork interferes with parent (r1714) Fixed most of issue 89: Support REAL SPNEGO authentication Enable Negotiate/Kerberos support for proxy servers. - Return error when C-L, chunked, gzip encoded response bodies where + Return error when C-L, chunked, gzip encoded response bodies were truncated (due to aborted connection) (r1688) Add a logging mechanism that can be enabled at compile-time. Don't lookup server address if a proxy was configured. (r1706) Modified: head/contrib/serf/README ============================================================================== --- head/contrib/serf/README Fri Aug 2 19:14:25 2013 (r253894) +++ head/contrib/serf/README Fri Aug 2 19:21:46 2013 (r253895) @@ -14,25 +14,67 @@ kept to a minimum to provide high perfor ---- -Quick guide for the impatient +1. INSTALL - (Unix) - % ./configure - % make - % make install +1.1. SCons build system ----- +serf uses SCons 2.x for its build system. If it is not installed on +your system, then you can install it onto your system. If you do not +have permissions, then you can download and install the "local" +version into your home directory. When installed privately, simply +create a symlink for 'scons' in your PATH to /path/to/scons/scons.py. + +Fetch the scons-local package: + http://prdownloads.sourceforge.net/scons/scons-local-2.0.1.tar.gz + + +1.2 Building serf + +To build serf: + +$ scons APR=/path/to/apr APU=/path/to/apu OPENSSL=/openssl/base PREFIX=/path/to/prefix + +The switches are recorded into .saved_config, so they only need to be +specified the first time scons is run. + +PREFIX should specify where serf should be installed. PREFIX defaults to +/usr/local. + +The default for the other three switches (APR, APU, OPENSSL) is /usr. + +The build system looks for apr-1-config at $APR/bin/apr-1-config, or +the path should indicate apr-1-config itself. Similarly for the path +to apu-1-config. + +OPENSSL should specify the root of the install (eg. /opt/local). The +includes will be found OPENSSL/include and libraries at OPENSSL/lib. + +If you wish to use VPATH-style builds (where objects are created in a +distinct directory from the source), you can use: + +$ scons -Y /path/to/serf/source + +At any point, the current settings can be examined: + +$ scons --help + + +1.3 Running the test suite + +$ scons check + + +1.4 Installing serf -Building serf from a Subversion checkout (non-packaged releases) +$ scons install -We suggest that you try out 'serfmake'. +Note that the PREFIX variable should have been specified in a previous +invocation of scons (and saved into .saved_config), or it can be +specified on the install command line: - % ./serfmake --prefix=/usr/local/serf --with-apr=/usr/local/apr install +$ scons PREFIX=/some/path install -If you want to use the autoconf build system and are using a Subversion -checkout, you need to run buildconf and have APR and APR-util sources handy. - % ./buildconf --with-apr=/path/to/apr --with-apr-util=/path/to/apr-util - (By default, buildconf will look in . and ../ for apr and apr-util.) +1.4 Cleaning up the build -Then, you can use ./configure, make, etc. +$ scons -c Copied: head/contrib/serf/SConstruct (from r253894, vendor/serf/dist/SConstruct) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/contrib/serf/SConstruct Fri Aug 2 19:21:46 2013 (r253895, copy of r253894, vendor/serf/dist/SConstruct) @@ -0,0 +1,438 @@ +# -*- python -*- +# +# Copyright 2011-2012 Justin Erenkrantz and Greg Stein +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +import sys +import os +import re + +HEADER_FILES = ['serf.h', + 'serf_bucket_types.h', + 'serf_bucket_util.h', + ] + +# where we save the configuration variables +SAVED_CONFIG = '.saved_config' + +# Variable class that does no validation on the input +def _converter(val): + """ + """ + if val == 'none': + val = [] + else: + val = val.split(',') + return val + +def RawListVariable(key, help, default): + """ + The input parameters describe a 'raw string list' option. This class + accepts a comma separated list and converts it to a space separated + list. + """ + return (key, '%s' % (help), default, None, lambda val: _converter(val)) + +# default directories +if sys.platform == 'win32': + default_libdir='..' + default_prefix='Debug' +else: + default_libdir='/usr' + default_prefix='/usr/local' + +opts = Variables(files=[SAVED_CONFIG]) +opts.AddVariables( + PathVariable('PREFIX', + 'Directory to install under', + default_prefix, + PathVariable.PathIsDir), + PathVariable('APR', + "Path to apr-1-config, or to APR's install area", + default_libdir, + PathVariable.PathAccept), + PathVariable('APU', + "Path to apu-1-config, or to APR's install area", + default_libdir, + PathVariable.PathAccept), + PathVariable('OPENSSL', + "Path to OpenSSL's install area", + default_libdir, + PathVariable.PathIsDir), + PathVariable('ZLIB', + "Path to zlib's install area", + default_libdir, + PathVariable.PathIsDir), + PathVariable('GSSAPI', + "Path to GSSAPI's install area", + None, + None), + BoolVariable('DEBUG', + "Enable debugging info and strict compile warnings", + False), + BoolVariable('APR_STATIC', + "Enable using a static compiled APR", + False), + RawListVariable('CC', "Command name or path of the C compiler", None), + RawListVariable('CFLAGS', "Extra flags for the C compiler (comma separated)", + None), + RawListVariable('LIBS', "Extra libraries passed to the linker, " + "e.g. -l<library> (comma separated)", None), + RawListVariable('LINKFLAGS', "Extra flags for the linker (comma separated)", + None), + RawListVariable('CPPFLAGS', "Extra flags for the C preprocessor " + "(comma separated)", None), + ) + +if sys.platform == 'win32': + opts.AddVariables( + # By default SCons builds for the host platform on Windows, when using + # a supported compiler (E.g. VS2010/VS2012). Allow overriding + + # Note that Scons 1.3 only supports this on Windows and only when + # constructing Environment(). Later changes to TARGET_ARCH are ignored + EnumVariable('TARGET_ARCH', + "Platform to build for (x86|x64|win32|x86_64)", + 'x86', + allowed_values=('x86', 'x86_64', 'ia64'), + map={'X86' : 'x86', + 'win32': 'x86', + 'Win32': 'x86', + 'x64' : 'x86_64', + 'X64' : 'x86_64' + }), + + EnumVariable('MSVC_VERSION', + "Visual C++ to use for building (E.g. 11.0, 9.0)", + None, + allowed_values=('12.0', '11.0', '10.0', '9.0', '8.0', '6.0') + ), + + # We always documented that we handle an install layout, but in fact we + # hardcoded source layouts. Allow disabling this behavior. + # ### Fix default? + BoolVariable('SOURCE_LAYOUT', + "Assume a source layout instead of install layout", + True), + ) + +env = Environment(variables=opts, + tools=('default', 'textfile',), + CPPPATH=['.', ], + ) + +env.Append(BUILDERS = { + 'GenDef' : + Builder(action = sys.executable + ' build/gen_def.py $SOURCES > $TARGET', + suffix='.def', src_suffix='.h') + }) + +match = re.search('SERF_MAJOR_VERSION ([0-9]+).*' + 'SERF_MINOR_VERSION ([0-9]+).*' + 'SERF_PATCH_VERSION ([0-9]+)', + env.File('serf.h').get_contents(), + re.DOTALL) +MAJOR, MINOR, PATCH = [int(x) for x in match.groups()] +env.Append(MAJOR=str(MAJOR)) + +# Calling external programs is okay if we're not cleaning or printing help. +# (cleaning: no sense in fetching information; help: we may not know where +# they are) +CALLOUT_OKAY = not (env.GetOption('clean') or env.GetOption('help')) + + +# HANDLING OF OPTION VARIABLES + +unknown = opts.UnknownVariables() +if unknown: + print 'Unknown variables:', ', '.join(unknown.keys()) + Exit(1) + +apr = str(env['APR']) +apu = str(env['APU']) +zlib = str(env['ZLIB']) +gssapi = env.get('GSSAPI', None) + +if gssapi and os.path.isdir(gssapi): + krb5_config = os.path.join(gssapi, 'bin', 'krb5-config') + if os.path.isfile(krb5_config): + gssapi = krb5_config + env['GSSAPI'] = krb5_config + +debug = env.get('DEBUG', None) +aprstatic = env.get('APR_STATIC', None) + +Help(opts.GenerateHelpText(env)) +opts.Save(SAVED_CONFIG, env) + + +# PLATFORM-SPECIFIC BUILD TWEAKS + +thisdir = os.getcwd() +libdir = '$PREFIX/lib' +incdir = '$PREFIX/include/serf-$MAJOR' + +LIBNAME = 'libserf-${MAJOR}' +if sys.platform != 'win32': + LIBNAMESTATIC = LIBNAME +else: + LIBNAMESTATIC = 'serf-${MAJOR}' + +env.Append(RPATH=libdir, + PDB='${TARGET.filebase}.pdb') + +if sys.platform == 'darwin': +# linkflags.append('-Wl,-install_name,@executable_path/%s.dylib' % (LIBNAME,)) + env.Append(LINKFLAGS='-Wl,-install_name,%s/%s.dylib' % (thisdir, LIBNAME,)) + # 'man ld' says positive non-zero for the first number, so we add one. + # Mac's interpretation of compatibility is the same as our MINOR version. + env.Append(LINKFLAGS='-Wl,-compatibility_version,%d' % (MINOR+1,)) + env.Append(LINKFLAGS='-Wl,-current_version,%d.%d' % (MINOR+1, PATCH,)) + +if sys.platform != 'win32': + ### gcc only. figure out appropriate test / better way to check these + ### flags, and check for gcc. + env.Append(CFLAGS='-std=c89') + env.Append(CCFLAGS=[ + '-Wdeclaration-after-statement', + '-Wmissing-prototypes', + ]) + + ### -Wall is not available on Solaris + if sys.platform != 'sunos5': + env.Append(CCFLAGS='-Wall') + + if debug: + env.Append(CCFLAGS='-g') + env.Append(CPPDEFINES=['DEBUG', '_DEBUG']) + else: + env.Append(CCFLAGS='-O2') + env.Append(CPPDEFINES='NDEBUG') + + ### works for Mac OS. probably needs to change + env.Append(LIBS=['ssl', 'crypto', 'z', ]) + + if sys.platform == 'sunos5': + env.Append(LIBS='m') +else: + # Warning level 4, no unused argument warnings + env.Append(CCFLAGS=['/W4', '/wd4100']) + + # Choose runtime and optimization + if debug: + # Disable optimizations for debugging, use debug DLL runtime + env.Append(CCFLAGS=['/Od', '/MDd']) + env.Append(CPPDEFINES=['DEBUG', '_DEBUG']) + else: + # Optimize for speed, use DLL runtime + env.Append(CCFLAGS=['/O2', '/MD']) + env.Append(CPPDEFINES='NDEBUG') + +# PLAN THE BUILD +SHARED_SOURCES = [] +if sys.platform == 'win32': + env.GenDef(['serf.h','serf_bucket_types.h', 'serf_bucket_util.h']) + SHARED_SOURCES.append(['serf.def']) + +SOURCES = Glob('*.c') + Glob('buckets/*.c') + Glob('auth/*.c') + +lib_static = env.StaticLibrary(LIBNAMESTATIC, SOURCES) +lib_shared = env.SharedLibrary(LIBNAME, SOURCES + SHARED_SOURCES) + +if aprstatic: + env.Append(CPPDEFINES=['APR_DECLARE_STATIC', 'APU_DECLARE_STATIC']) + +if sys.platform == 'win32': + env.Append(LIBS=['user32.lib', 'advapi32.lib', 'gdi32.lib', 'ws2_32.lib', + 'crypt32.lib', 'mswsock.lib', 'rpcrt4.lib', 'secur32.lib']) + + # Get apr/apu information into our build + env.Append(CPPDEFINES=['WIN32','WIN32_LEAN_AND_MEAN','NOUSER', + 'NOGDI', 'NONLS','NOCRYPT']) + + if env.get('TARGET_ARCH', None) == 'x86_64': + env.Append(CPPDEFINES=['WIN64']) + + if aprstatic: + apr_libs='apr-1.lib' + apu_libs='aprutil-1.lib' + else: + apr_libs='libapr-1.lib' + apu_libs='libaprutil-1.lib' + + env.Append(LIBS=[apr_libs, apu_libs]) + if not env.get('SOURCE_LAYOUT', None): + env.Append(LIBPATH=['$APR/lib', '$APU/lib'], + CPPPATH=['$APR/include/apr-1', '$APU/include/apr-1']) + elif aprstatic: + env.Append(LIBPATH=['$APR/LibR','$APU/LibR'], + CPPPATH=['$APR/include', '$APU/include']) + else: + env.Append(LIBPATH=['$APR/Release','$APU/Release'], + CPPPATH=['$APR/include', '$APU/include']) + + # zlib + env.Append(LIBS='zlib.lib') + if not env.get('SOURCE_LAYOUT', None): + env.Append(CPPPATH='$ZLIB/include', + LIBPATH='$ZLIB/lib') + else: + env.Append(CPPPATH='$ZLIB', + LIBPATH='$ZLIB') + + # openssl + env.Append(LIBS=['libeay32.lib', 'ssleay32.lib']) + if not env.get('SOURCE_LAYOUT', None): + env.Append(CPPPATH='$OPENSSL/include/openssl', + LIBPATH='$OPENSSL/lib') + elif 0: # opensslstatic: + env.Append(CPPPATH='$OPENSSL/inc32', + LIBPATH='$OPENSSL/out32') + else: + env.Append(CPPPATH='$OPENSSL/inc32', + LIBPATH='$OPENSSL/out32dll') +else: + if os.path.isdir(apr): + apr = os.path.join(apr, 'bin', 'apr-1-config') + env['APR'] = apr + if os.path.isdir(apu): + apu = os.path.join(apu, 'bin', 'apu-1-config') + env['APU'] = apu + + ### we should use --cc, but that is giving some scons error about an implict + ### dependency upon gcc. probably ParseConfig doesn't know what to do with + ### the apr-1-config output + if CALLOUT_OKAY: + env.ParseConfig('$APR --cflags --cppflags --ldflags --includes' + ' --link-ld --libs') + env.ParseConfig('$APU --ldflags --includes --link-ld --libs') + + ### there is probably a better way to run/capture output. + ### env.ParseConfig() may be handy for getting this stuff into the build + if CALLOUT_OKAY: + apr_libs = os.popen(env.subst('$APR --link-libtool --libs')).read().strip() + apu_libs = os.popen(env.subst('$APU --link-libtool --libs')).read().strip() + else: + apr_libs = '' + apu_libs = '' + + env.Append(CPPPATH='$OPENSSL/include') + env.Append(LIBPATH='$OPENSSL/lib') + + +# If build with gssapi, get its information and define SERF_HAVE_GSSAPI +if gssapi and CALLOUT_OKAY: + env.ParseConfig('$GSSAPI --libs gssapi') + env.Append(CPPDEFINES='SERF_HAVE_GSSAPI') +if sys.platform == 'win32': + env.Append(CPPDEFINES=['SERF_HAVE_SSPI']) + +# On Solaris, the -R values that APR describes never make it into actual +# RPATH flags. We'll manually map all directories in LIBPATH into new +# flags to set RPATH values. +if sys.platform == 'sunos5': + for d in env['LIBPATH']: + env.Append(RPATH=d) + +# Set up the construction of serf-*.pc +# TODO: add gssapi libs +pkgconfig = env.Textfile('serf-%d.pc' % (MAJOR,), + env.File('build/serf.pc.in'), + SUBST_DICT = { + '@MAJOR@': str(MAJOR), + '@PREFIX@': '$PREFIX', + '@INCLUDE_SUBDIR@': 'serf-%d' % (MAJOR,), + '@VERSION@': '%d.%d.%d' % (MAJOR, MINOR, PATCH), + '@LIBS@': '%s %s -lz' % (apu_libs, apr_libs), + }) + +env.Default(lib_static, lib_shared, pkgconfig) + +if CALLOUT_OKAY: + conf = Configure(env) + + ### some configuration stuffs + + env = conf.Finish() + + +# INSTALLATION STUFF + +install_static = env.Install(libdir, lib_static) +install_shared = env.Install(libdir, lib_shared) + +if sys.platform == 'darwin': + install_shared_path = install_shared[0].abspath + env.AddPostAction(install_shared, ('install_name_tool -id %s %s' + % (install_shared_path, + install_shared_path))) + ### construct shared lib symlinks. this also means install the lib + ### as libserf-2.1.0.0.dylib, then add the symlinks. + ### note: see InstallAs + +env.Alias('install-lib', [install_static, install_shared, + ]) +env.Alias('install-inc', env.Install(incdir, HEADER_FILES)) +env.Alias('install-pc', env.Install(os.path.join(libdir, 'pkgconfig'), + pkgconfig)) +env.Alias('install', ['install-lib', 'install-inc', 'install-pc', ]) + + +# TESTS +### make move to a separate scons file in the test/ subdir? + +tenv = env.Clone() + +TEST_PROGRAMS = [ 'serf_get', 'serf_response', 'serf_request', 'serf_spider', + 'test_all', 'serf_bwtp' ] +if sys.platform == 'win32': + TEST_EXES = [ os.path.join('test', '%s.exe' % (prog)) for prog in TEST_PROGRAMS ] +else: + TEST_EXES = [ os.path.join('test', '%s' % (prog)) for prog in TEST_PROGRAMS ] + +env.AlwaysBuild(env.Alias('check', TEST_EXES, sys.executable + ' build/check.py', + ENV={'PATH' : os.environ['PATH']})) + +# Find the (dynamic) library in this directory +tenv.Replace(RPATH=thisdir) +tenv.Prepend(LIBS=[LIBNAMESTATIC, ], + LIBPATH=[thisdir, ]) + +testall_files = [ + 'test/test_all.c', + 'test/CuTest.c', + 'test/test_util.c', + 'test/test_context.c', + 'test/test_buckets.c', + 'test/test_auth.c', + 'test/mock_buckets.c', + 'test/test_ssl.c', + 'test/server/test_server.c', + 'test/server/test_sslserver.c', + ] + +for proggie in TEST_EXES: + if 'test_all' in proggie: + tenv.Program(proggie, testall_files ) + else: + tenv.Program(target = proggie, source = [proggie.replace('.exe','') + '.c']) + + +# HANDLE CLEANING + +if env.GetOption('clean'): + # When we're cleaning, we want the dependency tree to include "everything" + # that could be built. Thus, include all of the tests. + env.Default('check') Modified: head/contrib/serf/auth/auth.c ============================================================================== --- head/contrib/serf/auth/auth.c Fri Aug 2 19:14:25 2013 (r253894) +++ head/contrib/serf/auth/auth.c Fri Aug 2 19:21:46 2013 (r253895) @@ -20,6 +20,7 @@ #include <apr.h> #include <apr_base64.h> #include <apr_strings.h> +#include <apr_lib.h> static apr_status_t default_auth_response_handler(peer_t peer, @@ -32,30 +33,42 @@ default_auth_response_handler(peer_t pee return APR_SUCCESS; } +/* These authentication schemes are in order of decreasing security, the topmost + scheme will be used first when the server supports it. + + Each set of handlers should support both server (401) and proxy (407) + authentication. + + Use lower case for the scheme names to enable case insensitive matching. + */ static const serf__authn_scheme_t serf_authn_schemes[] = { +#ifdef SERF_HAVE_SPNEGO { - 401, - "Basic", - SERF_AUTHN_BASIC, - serf__init_basic, - serf__init_basic_connection, - serf__handle_basic_auth, - serf__setup_request_basic_auth, - default_auth_response_handler, + "Negotiate", + "negotiate", + SERF_AUTHN_NEGOTIATE, + serf__init_spnego, + serf__init_spnego_connection, + serf__handle_spnego_auth, + serf__setup_request_spnego_auth, + serf__validate_response_spnego_auth, }, +#ifdef WIN32 { - 407, - "Basic", - SERF_AUTHN_BASIC, - serf__init_basic, - serf__init_basic_connection, - serf__handle_basic_auth, - serf__setup_request_basic_auth, - default_auth_response_handler, + "NTLM", + "ntlm", + SERF_AUTHN_NTLM, + serf__init_spnego, + serf__init_spnego_connection, + serf__handle_spnego_auth, + serf__setup_request_spnego_auth, + serf__validate_response_spnego_auth, }, +#endif /* #ifdef WIN32 */ +#endif /* SERF_HAVE_SPNEGO */ { - 401, "Digest", + "digest", SERF_AUTHN_DIGEST, serf__init_digest, serf__init_digest_connection, @@ -64,37 +77,15 @@ static const serf__authn_scheme_t serf_a serf__validate_response_digest_auth, }, { - 407, - "Digest", - SERF_AUTHN_DIGEST, - serf__init_digest, - serf__init_digest_connection, - serf__handle_digest_auth, - serf__setup_request_digest_auth, - serf__validate_response_digest_auth, - }, -#ifdef SERF_HAVE_KERB - { - 401, - "Negotiate", - SERF_AUTHN_NEGOTIATE, - serf__init_kerb, - serf__init_kerb_connection, - serf__handle_kerb_auth, - serf__setup_request_kerb_auth, - serf__validate_response_kerb_auth, - }, - { - 407, - "Negotiate", - SERF_AUTHN_NEGOTIATE, - serf__init_kerb, - serf__init_kerb_connection, - serf__handle_kerb_auth, - serf__setup_request_kerb_auth, - serf__validate_response_kerb_auth, + "Basic", + "basic", + SERF_AUTHN_BASIC, + serf__init_basic, + serf__init_basic_connection, + serf__handle_basic_auth, + serf__setup_request_basic_auth, + default_auth_response_handler, }, -#endif /* ADD NEW AUTHENTICATION IMPLEMENTATIONS HERE (as they're written) */ /* sentinel */ @@ -102,21 +93,6 @@ static const serf__authn_scheme_t serf_a }; -/** - * Baton passed to the response header callback function - */ -typedef struct { - int code; - apr_status_t status; - const char *header; - serf_request_t *request; - serf_bucket_t *response; - void *baton; - apr_pool_t *pool; - const serf__authn_scheme_t *scheme; - const char *last_scheme_name; -} auth_baton_t; - /* Reads and discards all bytes in the response body. */ static apr_status_t discard_body(serf_bucket_t *response) { @@ -142,99 +118,128 @@ static apr_status_t discard_body(serf_bu * * Returns a non-0 value of a matching handler was found. */ -static int handle_auth_header(void *baton, - const char *key, - const char *header) +static int handle_auth_headers(int code, + void *baton, + apr_hash_t *hdrs, + serf_request_t *request, + serf_bucket_t *response, + apr_pool_t *pool) { - auth_baton_t *ab = baton; - int scheme_found = FALSE; - const char *auth_name; - const char *auth_attr; - const serf__authn_scheme_t *scheme = NULL; - serf_connection_t *conn = ab->request->conn; + const serf__authn_scheme_t *scheme; + serf_connection_t *conn = request->conn; serf_context_t *ctx = conn->ctx; + apr_status_t status; - /* We're only interested in xxxx-Authenticate headers. */ - if (strcmp(key, ab->header) != 0) - return 0; - - /* Extract the authentication scheme name, and prepare for reading - the attributes. */ - auth_attr = strchr(header, ' '); - if (auth_attr) { - auth_name = apr_pstrmemdup(ab->pool, header, auth_attr - header); - ++auth_attr; - } - else - auth_name = header; - - ab->last_scheme_name = auth_name; + status = SERF_ERROR_AUTHN_NOT_SUPPORTED; /* Find the matching authentication handler. Note that we don't reuse the auth scheme stored in the context, as that may have changed. (ex. fallback from ntlm to basic.) */ - for (scheme = serf_authn_schemes; scheme->code != 0; ++scheme) { - if (! (ab->code == scheme->code && - ctx->authn_types & scheme->type)) + for (scheme = serf_authn_schemes; scheme->name != 0; ++scheme) { + const char *auth_hdr; + serf__auth_handler_func_t handler; + serf__authn_info_t *authn_info; + + if (! (ctx->authn_types & scheme->type)) continue; serf__log_skt(AUTH_VERBOSE, __FILE__, conn->skt, "Client supports: %s\n", scheme->name); - if (strcmp(auth_name, scheme->name) == 0) { - serf__auth_handler_func_t handler = scheme->handle_func; - apr_status_t status = 0; - - serf__log_skt(AUTH_VERBOSE, __FILE__, conn->skt, - "... matched: %s\n", scheme->name); - /* If this is the first time we use this scheme on this connection, - make sure to initialize the authentication handler first. */ - if (ab->code == 401 && ctx->authn_info.scheme != scheme) { - status = scheme->init_ctx_func(ab->code, ctx, ctx->pool); - if (!status) { - status = scheme->init_conn_func(ab->code, conn, conn->pool); - - if (!status) - ctx->authn_info.scheme = scheme; - else - ctx->authn_info.scheme = NULL; - } - } - else if (ab->code == 407 && ctx->proxy_authn_info.scheme != scheme) { - status = scheme->init_ctx_func(ab->code, ctx, ctx->pool); - if (!status) { - status = scheme->init_conn_func(ab->code, conn, conn->pool); - - if (!status) - ctx->proxy_authn_info.scheme = scheme; - else - ctx->proxy_authn_info.scheme = NULL; - } - } + auth_hdr = apr_hash_get(hdrs, scheme->key, APR_HASH_KEY_STRING); + + if (!auth_hdr) + continue; + + /* Found a matching scheme */ + status = APR_SUCCESS; + + handler = scheme->handle_func; + + serf__log_skt(AUTH_VERBOSE, __FILE__, conn->skt, + "... matched: %s\n", scheme->name); + + if (code == 401) { + authn_info = serf__get_authn_info_for_server(conn); + } else { + authn_info = &ctx->proxy_authn_info; + } + /* If this is the first time we use this scheme on this context and/or + this connection, make sure to initialize the authentication handler + first. */ + if (authn_info->scheme != scheme) { + status = scheme->init_ctx_func(code, ctx, ctx->pool); if (!status) { - scheme_found = TRUE; - ab->scheme = scheme; - status = handler(ab->code, ab->request, ab->response, - header, auth_attr, ab->baton, ctx->pool); + status = scheme->init_conn_func(scheme, code, conn, + conn->pool); + if (!status) + authn_info->scheme = scheme; + else + authn_info->scheme = NULL; } + } - /* If the authentication fails, cache the error for now. Try the - next available scheme. If there's none raise the error. */ - if (status) { - scheme_found = FALSE; - scheme = NULL; + if (!status) { + const char *auth_attr = strchr(auth_hdr, ' '); + if (auth_attr) { + auth_attr++; } - /* Let the caller now if the authentication setup was succesful - or not. */ - ab->status = status; - break; + status = handler(code, request, response, + auth_hdr, auth_attr, baton, ctx->pool); } + + if (status == APR_SUCCESS) + break; + + /* No success authenticating with this scheme, try the next. + If no more authn schemes are found the status of this scheme will be + returned. + */ + serf__log_skt(AUTH_VERBOSE, __FILE__, conn->skt, + "%s authentication failed.\n", scheme->name); } - /* If a matching scheme handler was found, we can stop iterating - over the response headers - so return a non-0 value. */ - return scheme_found; + return status; +} + +/** + * Baton passed to the store_header_in_dict callback function + */ +typedef struct { + const char *header; + apr_pool_t *pool; + apr_hash_t *hdrs; +} auth_baton_t; + +static int store_header_in_dict(void *baton, + const char *key, + const char *header) +{ + auth_baton_t *ab = baton; + const char *auth_attr; + char *auth_name, *c; + + /* We're only interested in xxxx-Authenticate headers. */ + if (strcmp(key, ab->header) != 0) + return 0; + + /* Extract the authentication scheme name. */ + auth_attr = strchr(header, ' '); + if (auth_attr) { + auth_name = apr_pstrmemdup(ab->pool, header, auth_attr - header); + } + else + auth_name = apr_pstrmemdup(ab->pool, header, strlen(header)); + + /* Convert scheme name to lower case to enable case insensitive matching. */ + for (c = auth_name; *c != '\0'; c++) + *c = (char)apr_tolower(*c); + + apr_hash_set(ab->hdrs, auth_name, APR_HASH_KEY_STRING, + apr_pstrdup(ab->pool, header)); + + return 0; } /* Dispatch authentication handling. This function matches the possible @@ -252,11 +257,7 @@ static apr_status_t dispatch_auth(int co auth_baton_t ab = { 0 }; const char *auth_hdr; - ab.code = code; - ab.status = APR_SUCCESS; - ab.request = request; - ab.response = response; - ab.baton = baton; + ab.hdrs = apr_hash_make(pool); ab.pool = pool; /* Before iterating over all authn headers, check if there are any. */ @@ -275,8 +276,8 @@ static apr_status_t dispatch_auth(int co "%s authz required. Response header(s): %s\n", code == 401 ? "Server" : "Proxy", auth_hdr); - /* Iterate over all headers. Try to find a matching authentication scheme - handler. + + /* Store all WWW- or Proxy-Authenticate headers in a dictionary. Note: it is possible to have multiple Authentication: headers. We do not want to combine them (per normal header combination rules) as that @@ -285,15 +286,13 @@ static apr_status_t dispatch_auth(int co work with. */ serf_bucket_headers_do(hdrs, - handle_auth_header, + store_header_in_dict, &ab); - if (ab.status != APR_SUCCESS) - return ab.status; - if (!ab.scheme || ab.scheme->name == NULL) { - /* No matching authentication found. */ - return SERF_ERROR_AUTHN_NOT_SUPPORTED; - } + /* Iterate over all authentication schemes, in order of decreasing + security. Try to find a authentication schema the server support. */ + return handle_auth_headers(code, baton, ab.hdrs, + request, response, pool); } return APR_SUCCESS; @@ -356,28 +355,41 @@ apr_status_t serf__handle_auth_response( /* Requeue the request with the necessary auth headers. */ /* ### Application doesn't know about this request! */ - serf_connection_priority_request_create(request->conn, - request->setup, - request->setup_baton); + if (request->ssltunnel) { + serf__ssltunnel_request_create(request->conn, + request->setup, + request->setup_baton); + } else { + serf_connection_priority_request_create(request->conn, + request->setup, + request->setup_baton); + } return APR_EOF; } else { - /* Validate the response authn headers if needed. */ serf__validate_response_func_t validate_resp; serf_connection_t *conn = request->conn; serf_context_t *ctx = conn->ctx; + serf__authn_info_t *authn_info; apr_status_t resp_status = APR_SUCCESS; - - if (ctx->authn_info.scheme) { - validate_resp = ctx->authn_info.scheme->validate_response_func; + + + /* Validate the response server authn headers. */ + authn_info = serf__get_authn_info_for_server(conn); + if (authn_info->scheme) { + validate_resp = authn_info->scheme->validate_response_func; resp_status = validate_resp(HOST, sl.code, conn, request, response, pool); } - if (!resp_status && ctx->proxy_authn_info.scheme) { - validate_resp = ctx->proxy_authn_info.scheme->validate_response_func; + + /* Validate the response proxy authn headers. */ + authn_info = &ctx->proxy_authn_info; + if (!resp_status && authn_info->scheme) { + validate_resp = authn_info->scheme->validate_response_func; resp_status = validate_resp(PROXY, sl.code, conn, request, response, pool); } + if (resp_status) { /* If there was an error in the final step of the authentication, consider the reponse body as invalid and discard it. */ @@ -419,3 +431,42 @@ void serf__encode_auth_header(const char apr_base64_encode(ptr, data, data_len); } + +const char *serf__construct_realm(peer_t peer, *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201308021921.r72JLlLp072113>