Chris Pick | 28 Oct 00:18 2012

Method to require SSL dependency

Is there an equivalent of NEON_NEED_XML_PARSER for SSL?
If I'm bundling neon with a program that uses ssl functionality, is
there any other way to require it?

My current setup:
$ cat configure.ac
#                                               -*- Autoconf -*-
# Process this file with autoconf to produce a configure script.

AC_PREREQ(2.62)
AC_INIT([test], [1.0], [neon@...])
AM_INIT_AUTOMAKE([-Wall -Werror foreign])
AC_CONFIG_SRCDIR([src/test.c])
AC_CONFIG_HEADERS([config.h])

# Checks for programs.
AC_PROG_CC

# Checks for libraries.
NEON_VPATH_BUNDLED([${srcdir}/neon-0.29.6], [neon-0.29.6], [
NEON_NORMAL_BUILD
])

# Checks for header files.
AC_CHECK_HEADERS([stdlib.h])

# Checks for typedefs, structures, and compiler characteristics.

# Checks for library functions.

(Continue reading)

Mat Booth | 27 Oct 15:44 2012

Re: Hi , question about your post on mailing list

On 25 October 2012 10:48, Robert Gdula <robert.gdula@...> wrote:
> Hi, I've found on the mailing list that you tried to compile the neon library
> with mingw32 on Windows; maybe you have already compiled the library and can
> share it with me. I've been trying for almost 2 days without success.
>
> Best regards,
>
> Robert Gdula

Indeed. Have you tried the patch that I sent to the mailing list? It
can be found here:

http://people.apache.org/~mbooth/01-mingw-macro.win.patch

I'm afraid I don't currently have access to a Windows machine to test
it on. These were the commands I issued to build it (cross-compiled to
mingw from within the cygwin environment):

./autogen.sh
# Need some configure "help" on Windows
echo "ne_cv_libsfor_RSA_new='-lcrypto'" >> config.cache
echo "ne_cv_libsfor_SSL_library_init='-lssl'" >> config.cache
echo "lt_cv_deplibs_check_method='pass_all'" >> config.cache
echo "ne_cv_fmt_off64_t=lld" >> config.cache
LDFLAGS="$LDFLAGS -lssl -lcrypto" \
  ./configure --enable-shared --with-expat --disable-nls \
  --with-ssl=openssl --with-zlib --without-gssapi \
  -C --host=i686-pc-mingw32

This assumes of course that you already have zlib, expat and openssl
(Continue reading)

Marco Maggi | 30 Sep 08:35 2012

wrong return value in ne_set_request_body_fd documentation

The    manual    page    says   the    return    value    of
"ne_set_request_body_fd()"  is  "int",   but  it  is  "void"
instead.
-- 
Marco Maggi

Marco Maggi | 30 Sep 08:50 2012

on the status of the documentation

Ciao,

  I see that there are a number of undocumented functions in
the header files; can someone  tell me the current status of
the  documentation?    Should  the  undocumented   funcs  be
documented?  Manpages and XML?  Manpages or XML?

TIA
-- 
Marco Maggi

Bartosz Brachaczek | 26 Sep 23:35 2012

Failing SSL automatic tests

Hello,

Some SSL automatic tests fail on my machine:

- With openssl-1.0.1c:
  * ssl::simple_sslv2 (server process terminated abnormally: FAIL (1));
  * ssl::pkcs11 (server process terminated abnormally: FAIL (1));
  * ssl::pkcs11_dsa (server process terminated abnormally: FAIL (1)) (just for
    the record, it's already marked as failing).

- With gnutls-3.0.23 and 3.1.1:
  * ssl::fail_ca_notyetvalid (verification flags were 17 not 16) -- it seems
    strange to me, as NE_SSL_BADCHAIN | NE_SSL_NOTYETVALID is reported, but
    only NE_SSL_BADCHAIN is expected, despite the test name;
  * ssl::fail_ca_expired (verification flags were 18 not 16) -- ditto, only
    NE_SSL_EXPIRED instead of NE_SSL_NOTYETVALID;
  * ssl::pkcs11 (segmentation fault) -- the test is probably broken (fails
    with openssl too) but the crash is somewhere deep in gnutls internals, so
    it's likely a gnutls bug and it should be reported upstream.

- With gnutls-2.12.20 the same as with gnutls-3.0.23, plus the following:
  * ssl::cc_provided_dnames (dname count was 10 not 5)
  * ssl::fail_expired (no error in verification callback; error string: SSL
    handshake failed: Secure connection truncated)
  * ssl::fail_notvalid (no error in verification callback; error string: SSL
    handshake failed: Secure connection truncated)

- And, as a bonus, with gnutls-3.1.2 a whole bunch of tests fail, starting
  from ssl::simple:
      line 227: HTTP error:
(Continue reading)

b.brachaczek | 26 Sep 23:21 2012

[PATCH] GnuTLS 3 support

Hello,

I prepared a patch which makes neon from trunk compile and not regress in the 
test suite when compiled with gnutls-3 as the ssl backend. (Actually there are 
3 tests that fail with gnutls-2.12.18 and 2.12.20 while they pass with 
gnutls-3.0.23 and 3.1.1). I'm attaching it.

Bartosz Brachaczek
Index: macros/neon.m4
===================================================================
--- macros/neon.m4	(revision 1895)
+++ macros/neon.m4	(working copy)
 <at>  <at>  -989,12 +989,13  <at>  <at> 
    # Check for functions in later releases
    NE_CHECK_FUNCS([gnutls_session_get_data2 gnutls_x509_dn_get_rdn_ava \
                   gnutls_sign_callback_set \
+                  gnutls_certificate_get_issuer \
                   gnutls_certificate_get_x509_cas \
-                  gnutls_certificate_verify_peers2])
+                  gnutls_x509_crt_sign2])

-   # fail if gnutls_certificate_verify_peers2 is not found
-   if test x${ac_cv_func_gnutls_certificate_verify_peers2} != xyes; then
-       AC_MSG_ERROR([GnuTLS version predates gnutls_certificate_verify_peers2, newer version required])
+   # fail if gnutls_x509_crt_sign2 is not found (it was introduced in 1.2.0, which is required)
+   if test x${ac_cv_func_gnutls_x509_crt_sign2} != xyes; then
+       AC_MSG_ERROR([GnuTLS version predates gnutls_x509_crt_sign2, newer version required (at least 1.2.0)])
    fi
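
Review bot: the hard failure now keys on gnutls_x509_crt_sign2 while gnutls_certificate_verify_peers2 is dropped from the NE_CHECK_FUNCS list, so HAVE_GNUTLS_CERTIFICATE_VERIFY_PEERS2 will no longer be defined by this configure run; if the GnuTLS backend still guards any code on that symbol, that path silently disappears, and if the call has been replaced the mail should say so. Probing a signing function as a proxy minimum-version check is also indirect: since the new comment says 1.2.0 is already the required floor, an explicit version test (for example PKG_CHECK_MODULES([GNUTLS], [gnutls >= 1.2.0])) states the intent more clearly than AC_MSG_ERROR([GnuTLS version predates gnutls_x509_crt_sign2, ...]).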

(Continue reading)

Brad Smith | 3 Sep 21:34 2012

[PATCH] Fix autoconf bindtextdomain() test on OpenBSD

The following diff fixes the bindtextdomain() test on OpenBSD to properly
be able to detect the presence of libintl (gettext) which requires NE_SEARCH_LIBS
to try also linking libintl with libiconv.

Index: macros/neon.m4
===================================================================
--- macros/neon.m4	(revision 1895)
+++ macros/neon.m4	(working copy)
 <at>  <at>  -1188,7 +1188,7  <at>  <at> 
   # presume that dgettext() is available if bindtextdomain() is...
   # checking for dgettext() itself is awkward because gcc has a 
   # builtin of that function, which confuses AC_CHECK_FUNCS et al.
-  NE_SEARCH_LIBS(bindtextdomain, intl,,[enable_nls=no])
+  NE_SEARCH_LIBS(bindtextdomain, intl, -liconv,[enable_nls=no])
   NE_CHECK_FUNCS(bind_textdomain_codeset)
 fi
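
Review bot: passing -liconv as the extra-libs argument makes NE_SEARCH_LIBS link libiconv every time it tries -lintl, on every platform and not only OpenBSD; on a system that has libintl but no separate libiconv that link test now fails and the not-found action quietly sets enable_nls=no, which is a silent regression rather than a build error. Suggest trying the plain form first and only adding -liconv on retry, e.g. NE_SEARCH_LIBS(bindtextdomain, intl,,[NE_SEARCH_LIBS(bindtextdomain, intl, -liconv,[enable_nls=no])]), or gating the extra library on a prior AC_CHECK_LIB(iconv, ...) result.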

--

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Brad Smith | 3 Sep 20:30 2012

[PATCH] Fix implicit declaration of writev(2) in ne_socket.c

The following diff fixes an implicit declaration warning for writev(2) in
ne_socket.c.

Index: src/ne_socket.c
===================================================================
--- src/ne_socket.c	(revision 1895)
+++ src/ne_socket.c	(working copy)
 <at>  <at>  -27,6 +27,7  <at>  <at> 
 #include "config.h"

 #include <sys/types.h>
+#include <sys/uio.h> /* writev(2) */
 #ifdef HAVE_SYS_TIME_H
 #include <sys/time.h>
 #endif
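
Review bot: the new #include <sys/uio.h> is unconditional while the <sys/time.h> include two lines below it is guarded by HAVE_SYS_TIME_H; <sys/uio.h> is not present on Windows/MinGW, where neon is also built (see the mingw and ne_errno threads on this page), so this would turn an implicit-declaration warning on OpenBSD into a hard compile error there. Suggest adding sys/uio.h to the AC_CHECK_HEADERS list in configure and wrapping the include in #ifdef HAVE_SYS_UIO_H / #endif, matching the surrounding style.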


Vlad Grachov | 5 Jul 15:14 2012

minor bugfix: ne_socket.c: errno -> ne_errno

Hi all!

There's an error in ne_socket.c that hides the error string under Windows. Instead of errno, the neon-specific ne_errno should be used wherever sockets are involved, because socket errors are retrieved with the WSAGetLastError API call under Windows and that is completely different from the RTL errno. neon has a #define for this: ne_errno, which points to errno on *nix and to WSAGetLastError on Windows.

I've attached a patch that fixes the behavior. Here's the patch text for convenience:

diff -rupN neon-0.29.6/src/ne_socket.c neon-0.29.6_mod/src/ne_socket.c
--- neon-0.29.6/src/ne_socket.c Sat Oct  9 22:07:17 2010
+++ neon-0.29.6_mod/src/ne_socket.c Wed Jul  4 23:21:33 2012
<at> <at> -1241,7 +1241,7 <at> <at> static int timed_connect(ne_socket *sock
         ret = raw_connect(fd, sa, salen);
         
         if (ret < 0) {
-            set_strerror(sock, errno);
+            set_strerror(sock, ne_errno);
             ret = NE_SOCK_ERROR;
         }
     }
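
Review bot: set_strerror(sock, ne_errno) is read immediately after raw_connect() returns, which is the right place, since on Windows ne_errno expands to WSAGetLastError() and any intervening Winsock call would clobber the value; the same errno-after-socket-call pattern should be audited across the rest of ne_socket.c, because this hunk and the next fix only the two sites in timed_connect and ne_sock_connect. A one-line comment that raw_connect() must not call anything that resets the last error before returning would also help.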
<at> <at> -1428,7 +1428,7 <at> <at> int ne_sock_connect(ne_socket *sock,
                         ia_family(sock->laddr) == ia_family(addr))) {
         ret = do_bind(fd, ia_family(addr), sock->laddr, sock->lport);
         if (ret < 0) {
-            int errnum = errno;
+            int errnum = ne_errno;
             ne_close(fd);
             set_strerror(sock, errnum);
             return NE_SOCK_ERROR;
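
Review bot: capturing ne_errno into errnum before ne_close(fd) is the important detail here, since ne_close() can overwrite the last-error value (on Windows closesocket() is itself a Winsock call and may reset what WSAGetLastError() returns); a short comment saying why errnum is saved first would stop a future tidy-up from folding it back into set_strerror(sock, ne_errno) after the close.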

Best regards, Vlad.

Attachment (neon_errno.patch): application/octet-stream, 1163 bytes

Marc Girod | 28 Jun 11:51 2012

Suggestion for minor enhancement to build instructions

Hello,

I had to read the configure code to understand how to convince it to
build neon using expat from a non-standard directory.

In the end, I gave (hope this is correct--at least it did build):

--with-expat --with-libs=/vobs/cello/cade_A_tools_utils/expat

This is not consistent with what I did with zlib:

--with-zlib=/vobs/cello/cade_A_tools_utils/zlib

nor with openssl:

LDFLAGS=-L/vobs/cello/cade_struct/lib
--with-ssl=openssl

In fact, I am not sure where openssl was finally taken from...
It may have been available in an older version from some other path...

The expat case relies upon the fact that 'include' and 'lib'
directories are found under the root given.

I hope these comments are useful.
Thanks,
Marc

Nathanael Rensen | 28 Jun 07:36 2012

Patch: Reset SSPI context after failed request

Purpose: Avoid authentication failures that can occur due to the SSPI
state machine not being reset when authentication succeeds but the
HTTP request fails.

Background: A typical HTTP request using Negotiate/Kerberos
authentication as described in RFC 4559 runs as follows:

    C: GET dir/index.html

    S: HTTP/1.1 401 Unauthorized
    S: WWW-Authenticate: Negotiate

    C: GET dir/index.html
    C: Authorization: Negotiate a87421000492aa874209af8bc028

    S: HTTP/1.1 200 Success
    S: WWW-Authenticate: Negotiate ade0234568a4209af8bc0280289eca

Prior to receiving the HTTP 200 response the neon SSPI state machine
has the "continueNeeded" flag set to 1 to indicate that another token
from the server is required to complete the authentication. If the
authentication succeeds but the HTTP request fails the web server may
respond with some failure code other than 401, 407 (e.g. 403, 404,
500, etc). In this case the neon SSPI state machine does not get reset
and the next request within this session fails authentication.

I can produce this scenario using the svn.exe client attempting to
list a non existent directory (e.g. svn.exe list
https://server.domain/source/does/not/exist). This shows up in the
neon log as follows:

    Running post_send hooks
    ah_post_send (#1), code is 404 (want 401), WWW-Authenticate is Negotiate <token>
    Request ends, status 404 class 4xx, error line:
    404 Not Found
    Running destroy hooks.
    Request ends.

At this point the sspiContext->continueNeeded flag remains set to 1.
The next request within the same session receives a 401 response with
no token and fails as follows:

    Running post_send hooks
    ah_post_send (#0), code is 401 (want 401), WWW-Authenticate is Negotiate
    auth: Got challenge (code 401).
    auth: Got 'Negotiate' challenge.
    auth: Trying Negotiate challenge...
    auth: SSPI challenge.
    sspi: Expected a token from server.
    auth: No challenges accepted.
    Request ends, status 401 class 4xx, error line:
    Could not authenticate to server: could not parse challenge
    Running destroy hooks.
    Request ends.

The SSPI state machine is expecting a token from the server, but that
token is not passed to the SSPI state machine leaving it in an
uncompleted state. In some cases the final token may not even be
received from the web server (e.g. 500 failure).

In my test case the subversion client reports a misleading error
"authorization failed: Could not authenticate to server: could not
parse challenge".

Implementation: The ah_post_send() function currently resets the SSPI
state machine in the case of a successful request:

    #ifdef HAVE_SSPI
       /* Clear the SSPI context after successfull authentication. */
       if ((status->klass == 2 || status->klass == 3) && sess->sspi_context) {
            ne_sspi_clear_context(sess->sspi_context);
        }
    #endif

The patch extends this to reset the SSPI state machine in any case
other than a 401 or 407 response:

    #ifdef HAVE_SSPI
        /* Clear the SSPI context at the end of the authentication cycle
    	 * (whether the request is successful or not). */
        if (status->code != 401 && status->code != 407 && sess->sspi_context) {
            ne_sspi_clear_context(sess->sspi_context);
        }
    #endif

The ne_sspi_clear_context() is also modified so that the
"continueNeeded" flag is reset.

With this patch applied, the neon log for the previous scenario becomes:

    Running post_send hooks
    ah_post_send (#0), code is 404 (want 401), WWW-Authenticate is Negotiate <token>
    Request ends, status 404 class 4xx, error line:
    404 Not Found
    Running destroy hooks.
    Request ends.

    ...

    Running post_send hooks
    ah_post_send (#0), code is 401 (want 401), WWW-Authenticate is Negotiate
    auth: Got challenge (code 401).
    auth: Got 'Negotiate' challenge.
    auth: Trying Negotiate challenge...
    auth: SSPI challenge.
    sspi: Created context with SPN <spn>
    auth: SSPI challenge <token>
    auth: Accepted Negotiate challenge.

The error reported by the subversion client now becomes: "Could not
list all targets because some targets don't exist".

Testing: I have tested this patch with the subversion client
authenticating against apache web server via mod_auth_kerb. I am
hoping someone would be willing to test this against IIS.

Thanks,

Nathanael
Attachment (neon-reset.diff): application/octet-stream, 1082 bytes
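
The state-machine bug described in the post above, replayed as an added example; this is not neon's code and not the attached patch. The struct, the two reset policies and the function names (sspi_ctx, handle_challenge, post_send, replay_scenario) are hypothetical stand-ins; only the status-code logic mirrors the two ah_post_send() fragments quoted in the mail. It runs the post's scenario (bare 401 challenge, token sent, 404 with the final token, then a second bare 401 on the same session) under both policies and reports whether the second request authenticates.

```c
/*
 * Added example (not neon's code): a minimal model of the SSPI
 * "continueNeeded" state machine from the post. Names are hypothetical;
 * only the status-code checks mirror the quoted ah_post_send() fragments.
 */
#include <stdio.h>

enum reset_policy {
    RESET_ON_SUCCESS_ONLY = 0,   /* original: clear context on 2xx/3xx only */
    RESET_UNLESS_AUTH_CHALLENGE  /* patched: clear context unless 401/407   */
};

typedef struct {
    int have_context;     /* a security context exists for this session */
    int continue_needed;  /* 1 while a further server token is expected */
} sspi_ctx;

/* Models ne_sspi_clear_context(); the patch also resets continueNeeded here. */
static void sspi_clear_context(sspi_ctx *c)
{
    c->have_context = 0;
    c->continue_needed = 0;
}

/* Models the Negotiate challenge handler. Returns 1 when a token is
 * produced for the Authorization header, 0 when the challenge is rejected
 * ("sspi: Expected a token from server" -> "could not parse challenge"). */
static int handle_challenge(sspi_ctx *c, int server_sent_token)
{
    if (c->continue_needed) {
        if (!server_sent_token)
            return 0;             /* mid-handshake, but server gave us nothing */
        c->continue_needed = 0;   /* final token consumed: handshake complete */
        return 1;
    }
    c->have_context = 1;          /* first leg: create context, emit token */
    c->continue_needed = 1;       /* RFC 4559: one more server token to finish */
    return 1;
}

/* Models the post_send hook deciding whether to reset the context. */
static void post_send(sspi_ctx *c, int status, enum reset_policy policy)
{
    int klass = status / 100;
    if (!c->have_context)
        return;
    if (policy == RESET_ON_SUCCESS_ONLY) {
        if (klass == 2 || klass == 3)
            sspi_clear_context(c);
    } else {
        if (status != 401 && status != 407)
            sspi_clear_context(c);
    }
}

/* Replays the post's scenario: request 1 is challenged, authenticates,
 * then fails with 404; request 2 on the same session is challenged again.
 * Returns 1 if request 2 authenticates, 0 if it is rejected. */
int replay_scenario(enum reset_policy policy)
{
    sspi_ctx c = { 0, 0 };
    int second_ok;

    /* Request 1: "401 WWW-Authenticate: Negotiate" (bare challenge). */
    if (!handle_challenge(&c, 0))
        return 0;
    /* Auth succeeded but the resource is missing: the 404 carries the
     * final token, which neon never feeds back into the state machine. */
    post_send(&c, 404, policy);

    /* Request 2: another bare "401 WWW-Authenticate: Negotiate". */
    second_ok = handle_challenge(&c, 0);
    post_send(&c, second_ok ? 200 : 401, policy);
    return second_ok;
}

int main(void)
{
    printf("original policy: request 2 %s\n",
           replay_scenario(RESET_ON_SUCCESS_ONLY) ? "authenticates" : "rejected");
    printf("patched policy:  request 2 %s\n",
           replay_scenario(RESET_UNLESS_AUTH_CHALLENGE) ? "authenticates" : "rejected");
    return 0;
}
```

The model deliberately keeps the server side abstract: whether the 404 or a 500 actually carried the final token does not matter, because neither policy ever consumes it; what differs is only whether the half-open context survives into the next request.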
