summaryrefslogtreecommitdiffstats
path: root/contrib
diff options
context:
space:
mode:
authorpeter <peter@FreeBSD.org>2015-08-09 05:16:14 +0000
committerpeter <peter@FreeBSD.org>2015-08-09 05:16:14 +0000
commit72322b0e204dba32447a1c89e194509ed50dabe5 (patch)
tree5c531d3120046d98229bf39be31bff343171889b /contrib
parenta55265d19a911007ab0d8c1b2e261f52af585ac8 (diff)
downloadFreeBSD-src-72322b0e204dba32447a1c89e194509ed50dabe5.zip
FreeBSD-src-72322b0e204dba32447a1c89e194509ed50dabe5.tar.gz
Update serf from 1.3.7 to 1.3.8. Mostly disables sslv2 and sslv3.
Diffstat (limited to 'contrib')
-rw-r--r--contrib/serf/CHANGES8
-rw-r--r--contrib/serf/auth/auth_spnego_sspi.c4
-rw-r--r--contrib/serf/buckets/deflate_buckets.c37
-rw-r--r--contrib/serf/buckets/ssl_buckets.c2
-rw-r--r--contrib/serf/serf.h2
5 files changed, 41 insertions, 12 deletions
diff --git a/contrib/serf/CHANGES b/contrib/serf/CHANGES
index 6d39b0c..fcab2d6 100644
--- a/contrib/serf/CHANGES
+++ b/contrib/serf/CHANGES
@@ -1,10 +1,18 @@
+Serf 1.3.8 [2014-10-20, from /tags/1.3.8, rxxxx]
+Fix issue #152: CRC calculation error for gzipped http reponses > 4GB.
+Fix issue #153: SSPI CredHandle not freed when APR pool is destroyed.
+Fix issue #154: Disable SSLv2 and SSLv3 as both or broken.
+
+
Serf 1.3.7 [2014-08-11, from /tags/1.3.7, r2411]
Handle NUL bytes in fields of an X.509 certificate. (r2393, r2399)
+
Serf 1.3.6 [2014-06-09, from /tags/1.3.6, r2372]
Revert r2319 from serf 1.3.5: this change was making serf call handle_response
multiple times in case of an error response, leading to unexpected behavior.
+
Serf 1.3.5 [2014-04-27, from /tags/1.3.5, r2355]
Fix issue #125: no reverse lookup during Negotiate authentication for proxies.
Fix a crash caused by incorrect reuse of the ssltunnel CONNECT request (r2316)
diff --git a/contrib/serf/auth/auth_spnego_sspi.c b/contrib/serf/auth/auth_spnego_sspi.c
index 2f75f7a..32b719e 100644
--- a/contrib/serf/auth/auth_spnego_sspi.c
+++ b/contrib/serf/auth/auth_spnego_sspi.c
@@ -95,8 +95,8 @@ cleanup_ctx(void *data)
}
if (SecIsValidHandle(&ctx->sspi_credentials)) {
- FreeCredentialsHandle(&ctx->sspi_context);
- SecInvalidateHandle(&ctx->sspi_context);
+ FreeCredentialsHandle(&ctx->sspi_credentials);
+ SecInvalidateHandle(&ctx->sspi_credentials);
}
return APR_SUCCESS;
diff --git a/contrib/serf/buckets/deflate_buckets.c b/contrib/serf/buckets/deflate_buckets.c
index 7a8e8e4..348d70d 100644
--- a/contrib/serf/buckets/deflate_buckets.c
+++ b/contrib/serf/buckets/deflate_buckets.c
@@ -141,7 +141,6 @@ static apr_status_t serf_deflate_read(serf_bucket_t *bucket,
const char **data, apr_size_t *len)
{
deflate_context_t *ctx = bucket->data;
- unsigned long compCRC, compLen;
apr_status_t status;
const char *private_data;
apr_size_t private_len;
@@ -186,17 +185,25 @@ static apr_status_t serf_deflate_read(serf_bucket_t *bucket,
ctx->state++;
break;
case STATE_VERIFY:
+ {
+ unsigned long compCRC, compLen, actualLen;
+
/* Do the checksum computation. */
compCRC = getLong((unsigned char*)ctx->hdr_buffer);
if (ctx->crc != compCRC) {
return SERF_ERROR_DECOMPRESSION_FAILED;
}
compLen = getLong((unsigned char*)ctx->hdr_buffer + 4);
- if (ctx->zstream.total_out != compLen) {
+ /* The length in the trailer is module 2^32, so do the same for
+ the actual length. */
+ actualLen = ctx->zstream.total_out;
+ actualLen &= 0xFFFFFFFF;
+ if (actualLen != compLen) {
return SERF_ERROR_DECOMPRESSION_FAILED;
}
ctx->state++;
break;
+ }
case STATE_INIT:
zRC = inflateInit2(&ctx->zstream, ctx->windowSize);
if (zRC != Z_OK) {
@@ -264,10 +271,14 @@ static apr_status_t serf_deflate_read(serf_bucket_t *bucket,
ctx->zstream.next_in = (unsigned char*)private_data;
ctx->zstream.avail_in = private_len;
}
- zRC = Z_OK;
- while (ctx->zstream.avail_in != 0) {
- /* We're full, clear out our buffer, reset, and return. */
- if (ctx->zstream.avail_out == 0) {
+
+ while (1) {
+
+ zRC = inflate(&ctx->zstream, Z_NO_FLUSH);
+
+ /* We're full or zlib requires more space. Either case, clear
+ out our buffer, reset, and return. */
+ if (zRC == Z_BUF_ERROR || ctx->zstream.avail_out == 0) {
serf_bucket_t *tmp;
ctx->zstream.next_out = ctx->buffer;
private_len = ctx->bufferSize - ctx->zstream.avail_out;
@@ -283,7 +294,6 @@ static apr_status_t serf_deflate_read(serf_bucket_t *bucket,
ctx->zstream.avail_out = ctx->bufferSize;
break;
}
- zRC = inflate(&ctx->zstream, Z_NO_FLUSH);
if (zRC == Z_STREAM_END) {
serf_bucket_t *tmp;
@@ -330,9 +340,13 @@ static apr_status_t serf_deflate_read(serf_bucket_t *bucket,
break;
}
+
+ /* Any other error? */
if (zRC != Z_OK) {
return SERF_ERROR_DECOMPRESSION_FAILED;
}
+
+ /* As long as zRC == Z_OK, just keep looping. */
}
/* Okay, we've inflated. Try to read. */
status = serf_bucket_read(ctx->inflate_stream, requested, data,
@@ -340,8 +354,13 @@ static apr_status_t serf_deflate_read(serf_bucket_t *bucket,
/* Hide EOF. */
if (APR_STATUS_IS_EOF(status)) {
status = ctx->stream_status;
- /* If our stream is finished too, return SUCCESS so
- * we'll iterate one more time.
+
+ /* If the inflation wasn't finished, return APR_SUCCESS. */
+ if (zRC != Z_STREAM_END)
+ return APR_SUCCESS;
+
+ /* If our stream is finished too and all data was inflated,
+ * return SUCCESS so we'll iterate one more time.
*/
if (APR_STATUS_IS_EOF(status)) {
/* No more data to read from the stream, and everything
diff --git a/contrib/serf/buckets/ssl_buckets.c b/contrib/serf/buckets/ssl_buckets.c
index d2fe51d..579814e 100644
--- a/contrib/serf/buckets/ssl_buckets.c
+++ b/contrib/serf/buckets/ssl_buckets.c
@@ -1317,7 +1317,9 @@ static serf_ssl_context_t *ssl_init_context(serf_bucket_alloc_t *allocator)
ssl_ctx->pool = serf_bucket_allocator_get_pool(allocator);
ssl_ctx->allocator = allocator;
+ /* Use the best possible protocol version, but disable the broken SSLv2/3 */
ssl_ctx->ctx = SSL_CTX_new(SSLv23_client_method());
+ SSL_CTX_set_options(ssl_ctx->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
SSL_CTX_set_client_cert_cb(ssl_ctx->ctx, ssl_need_client_cert);
ssl_ctx->cached_cert = 0;
diff --git a/contrib/serf/serf.h b/contrib/serf/serf.h
index f6f34a7..79504a5 100644
--- a/contrib/serf/serf.h
+++ b/contrib/serf/serf.h
@@ -1062,7 +1062,7 @@ void serf_debug__bucket_alloc_check(
/* Version info */
#define SERF_MAJOR_VERSION 1
#define SERF_MINOR_VERSION 3
-#define SERF_PATCH_VERSION 7
+#define SERF_PATCH_VERSION 8
/* Version number string */
#define SERF_VERSION_STRING APR_STRINGIFY(SERF_MAJOR_VERSION) "." \
OpenPOWER on IntegriCloud