Update serf from 1.3.7 to 1.3.8. Mostly disables sslv2 and sslv3.
parent
a55265d19a
commit
72322b0e20
@ -1,10 +1,18 @@
|
||||
Serf 1.3.8 [2014-10-20, from /tags/1.3.8, rxxxx]
|
||||
Fix issue #152: CRC calculation error for gzipped http reponses > 4GB.
|
||||
Fix issue #153: SSPI CredHandle not freed when APR pool is destroyed.
|
||||
Fix issue #154: Disable SSLv2 and SSLv3 as both or broken.
|
||||
|
||||
|
||||
Serf 1.3.7 [2014-08-11, from /tags/1.3.7, r2411]
|
||||
Handle NUL bytes in fields of an X.509 certificate. (r2393, r2399)
|
||||
|
||||
|
||||
Serf 1.3.6 [2014-06-09, from /tags/1.3.6, r2372]
|
||||
Revert r2319 from serf 1.3.5: this change was making serf call handle_response
|
||||
multiple times in case of an error response, leading to unexpected behavior.
|
||||
|
||||
|
||||
Serf 1.3.5 [2014-04-27, from /tags/1.3.5, r2355]
|
||||
Fix issue #125: no reverse lookup during Negotiate authentication for proxies.
|
||||
Fix a crash caused by incorrect reuse of the ssltunnel CONNECT request (r2316)
|
||||
|
@ -95,8 +95,8 @@ cleanup_ctx(void *data)
|
||||
}
|
||||
|
||||
if (SecIsValidHandle(&ctx->sspi_credentials)) {
|
||||
FreeCredentialsHandle(&ctx->sspi_context);
|
||||
SecInvalidateHandle(&ctx->sspi_context);
|
||||
FreeCredentialsHandle(&ctx->sspi_credentials);
|
||||
SecInvalidateHandle(&ctx->sspi_credentials);
|
||||
}
|
||||
|
||||
return APR_SUCCESS;
|
||||
|
@ -141,7 +141,6 @@ static apr_status_t serf_deflate_read(serf_bucket_t *bucket,
|
||||
const char **data, apr_size_t *len)
|
||||
{
|
||||
deflate_context_t *ctx = bucket->data;
|
||||
unsigned long compCRC, compLen;
|
||||
apr_status_t status;
|
||||
const char *private_data;
|
||||
apr_size_t private_len;
|
||||
@ -186,17 +185,25 @@ static apr_status_t serf_deflate_read(serf_bucket_t *bucket,
|
||||
ctx->state++;
|
||||
break;
|
||||
case STATE_VERIFY:
|
||||
{
|
||||
unsigned long compCRC, compLen, actualLen;
|
||||
|
||||
/* Do the checksum computation. */
|
||||
compCRC = getLong((unsigned char*)ctx->hdr_buffer);
|
||||
if (ctx->crc != compCRC) {
|
||||
return SERF_ERROR_DECOMPRESSION_FAILED;
|
||||
}
|
||||
compLen = getLong((unsigned char*)ctx->hdr_buffer + 4);
|
||||
if (ctx->zstream.total_out != compLen) {
|
||||
/* The length in the trailer is module 2^32, so do the same for
|
||||
the actual length. */
|
||||
actualLen = ctx->zstream.total_out;
|
||||
actualLen &= 0xFFFFFFFF;
|
||||
if (actualLen != compLen) {
|
||||
return SERF_ERROR_DECOMPRESSION_FAILED;
|
||||
}
|
||||
ctx->state++;
|
||||
break;
|
||||
}
|
||||
case STATE_INIT:
|
||||
zRC = inflateInit2(&ctx->zstream, ctx->windowSize);
|
||||
if (zRC != Z_OK) {
|
||||
@ -264,10 +271,14 @@ static apr_status_t serf_deflate_read(serf_bucket_t *bucket,
|
||||
ctx->zstream.next_in = (unsigned char*)private_data;
|
||||
ctx->zstream.avail_in = private_len;
|
||||
}
|
||||
zRC = Z_OK;
|
||||
while (ctx->zstream.avail_in != 0) {
|
||||
/* We're full, clear out our buffer, reset, and return. */
|
||||
if (ctx->zstream.avail_out == 0) {
|
||||
|
||||
while (1) {
|
||||
|
||||
zRC = inflate(&ctx->zstream, Z_NO_FLUSH);
|
||||
|
||||
/* We're full or zlib requires more space. Either case, clear
|
||||
out our buffer, reset, and return. */
|
||||
if (zRC == Z_BUF_ERROR || ctx->zstream.avail_out == 0) {
|
||||
serf_bucket_t *tmp;
|
||||
ctx->zstream.next_out = ctx->buffer;
|
||||
private_len = ctx->bufferSize - ctx->zstream.avail_out;
|
||||
@ -283,7 +294,6 @@ static apr_status_t serf_deflate_read(serf_bucket_t *bucket,
|
||||
ctx->zstream.avail_out = ctx->bufferSize;
|
||||
break;
|
||||
}
|
||||
zRC = inflate(&ctx->zstream, Z_NO_FLUSH);
|
||||
|
||||
if (zRC == Z_STREAM_END) {
|
||||
serf_bucket_t *tmp;
|
||||
@ -330,9 +340,13 @@ static apr_status_t serf_deflate_read(serf_bucket_t *bucket,
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
/* Any other error? */
|
||||
if (zRC != Z_OK) {
|
||||
return SERF_ERROR_DECOMPRESSION_FAILED;
|
||||
}
|
||||
|
||||
/* As long as zRC == Z_OK, just keep looping. */
|
||||
}
|
||||
/* Okay, we've inflated. Try to read. */
|
||||
status = serf_bucket_read(ctx->inflate_stream, requested, data,
|
||||
@ -340,8 +354,13 @@ static apr_status_t serf_deflate_read(serf_bucket_t *bucket,
|
||||
/* Hide EOF. */
|
||||
if (APR_STATUS_IS_EOF(status)) {
|
||||
status = ctx->stream_status;
|
||||
/* If our stream is finished too, return SUCCESS so
|
||||
* we'll iterate one more time.
|
||||
|
||||
/* If the inflation wasn't finished, return APR_SUCCESS. */
|
||||
if (zRC != Z_STREAM_END)
|
||||
return APR_SUCCESS;
|
||||
|
||||
/* If our stream is finished too and all data was inflated,
|
||||
* return SUCCESS so we'll iterate one more time.
|
||||
*/
|
||||
if (APR_STATUS_IS_EOF(status)) {
|
||||
/* No more data to read from the stream, and everything
|
||||
|
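Review bot: The new early return `if (zRC != Z_STREAM_END) return APR_SUCCESS;` sits ahead of the `APR_STATUS_IS_EOF(status)` branch, so a compressed body that ends before zlib reports Z_STREAM_END appears never to reach the end-of-stream handling below it. With the rewritten `while (1)` loop, an inflate() call that has no input left comes back as Z_BUF_ERROR and is handled like a full buffer, so on a truncated response each call would return APR_SUCCESS with no data. Whether the caller then spins depends on code outside these hunks. I would let the no-progress case fall through, for example `if (zRC != Z_STREAM_END && !(zRC == Z_BUF_ERROR && *len == 0 && APR_STATUS_IS_EOF(status))) return APR_SUCCESS;`, and add a test with a gzip body cut off mid-stream. serf_deflate_read starts and ends outside the visible hunks, so the exact condition needs checking against the full function.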
@ -1317,7 +1317,9 @@ static serf_ssl_context_t *ssl_init_context(serf_bucket_alloc_t *allocator)
|
||||
ssl_ctx->pool = serf_bucket_allocator_get_pool(allocator);
|
||||
ssl_ctx->allocator = allocator;
|
||||
|
||||
/* Use the best possible protocol version, but disable the broken SSLv2/3 */
|
||||
ssl_ctx->ctx = SSL_CTX_new(SSLv23_client_method());
|
||||
SSL_CTX_set_options(ssl_ctx->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
|
||||
|
||||
SSL_CTX_set_client_cert_cb(ssl_ctx->ctx, ssl_need_client_cert);
|
||||
ssl_ctx->cached_cert = 0;
|
||||
|
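Review bot: The result of `SSL_CTX_new(SSLv23_client_method())` is passed to the added `SSL_CTX_set_options` call without a NULL check, so an allocation or library-initialisation failure becomes a NULL dereference in ssl_init_context instead of an error the caller can handle. A guard directly after the constructor, such as `if (ssl_ctx->ctx == NULL) return NULL;`, would make this fail closed. It would also need to release `ssl_ctx`, whose allocation is outside the hunk, and callers would need to accept a NULL context. The options mask removes SSLv2 and SSLv3 only, so TLS 1.0 remains negotiable; a short comment stating the intended minimum version would help when the floor is next raised. The function body continues outside the hunk.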
@ -1062,7 +1062,7 @@ void serf_debug__bucket_alloc_check(
|
||||
/* Version info */
|
||||
#define SERF_MAJOR_VERSION 1
|
||||
#define SERF_MINOR_VERSION 3
|
||||
#define SERF_PATCH_VERSION 7
|
||||
#define SERF_PATCH_VERSION 8
|
||||
|
||||
/* Version number string */
|
||||
#define SERF_VERSION_STRING APR_STRINGIFY(SERF_MAJOR_VERSION) "." \
|
||||
|