[SCM] Debian packaging for OpenSAML branch, master, updated. debian/1.1.2-1-5-g6f86fb3

Russ Allbery rra at debian.org
Sun Jun 21 22:35:03 UTC 2009


The following commit has been merged in the master branch:
commit 9a014a36903496b33d66c47315116b36eb7d5dd3
Author: Russ Allbery <rra at debian.org>
Date:   Sun Jun 21 15:24:38 2009 -0700

    Fix OpenSSL negotiation with some versions of cURL

diff --git a/saml/SAMLSOAPHTTPBinding.cpp b/saml/SAMLSOAPHTTPBinding.cpp
index c030836..fe88074 100644
--- a/saml/SAMLSOAPHTTPBinding.cpp
+++ b/saml/SAMLSOAPHTTPBinding.cpp
@@ -1,6 +1,6 @@
 /*
  *  Copyright 2001-2005 Internet2
- * 
+ *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
@@ -29,6 +29,7 @@
 #include <list>
 
 #include <curl/curl.h>
+#include <openssl/ssl.h>
 #include <xercesc/framework/MemBufInputSource.hpp>
 #include <xercesc/util/Base64.hpp>
 
@@ -43,15 +44,15 @@ namespace {
         SOAPHTTPBindingProvider(const XMLCh* binding, const DOMElement* e=NULL);
         virtual ~SOAPHTTPBindingProvider();
 
-        // SAMLBinding    
+        // SAMLBinding
         SAMLResponse* send(const XMLCh* endpoint, SAMLRequest& req, void* callCtx=NULL) const;
         SAMLRequest* receive(void* reqContext, void* callCtx=NULL, int minorVersion=1) const;
         void respond(void* respContext, SAMLResponse* response, SAMLException* e=NULL, void* callCtx=NULL) const;
-        
+
         // SAMLSOAPHTTPBinding
         void addHook(HTTPHook* h, void* globalCtx=NULL) {m_httpHooks.push_back(pair<HTTPHook*,void*>(h,globalCtx));}
 
-        // Handles per-call state and manipulation of CURL handle        
+        // Handles per-call state and manipulation of CURL handle
         struct CURLHTTPClient : virtual public HTTPClient {
             CURLHTTPClient(CURL* handle) : m_handle(handle), m_headers(NULL), m_ssl_callback(NULL), m_ssl_userptr(NULL) {
                 m_headers=curl_slist_append(m_headers,"Content-Type: text/xml");
@@ -64,7 +65,7 @@ namespace {
             bool setRequestHeader(const char* name, const char* val);
             Iterator<string> getResponseHeader(const char* val) const;
             bool setSSLCallback(ssl_ctx_callback_fn fn, void* userptr=NULL);
-            
+
             // per-call state
             CURL* m_handle;
             struct curl_slist* m_headers;
@@ -136,6 +137,15 @@ int curl_debug_hook(CURL* handle, curl_infotype type, char* data, size_t len, vo
 // callback to invoke a caller-defined SSL callback, used because OpenSSL < 0.9.7 has no data ptr
 CURLcode saml_ssl_ctx_callback(CURL* curl, void* ssl_ctx, void* userptr)
 {
+    // Manually disable SSLv2 so we're not dependent on libcurl to do it.
+    // Also disable the ticket option where implemented, since this breaks a variety
+    // of servers. Newer libcurl also does this for us.
+#ifdef SSL_OP_NO_TICKET
+    SSL_CTX_set_options(reinterpret_cast<SSL_CTX*>(ssl_ctx), SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
+#else
+    SSL_CTX_set_options(reinterpret_cast<SSL_CTX*>(ssl_ctx), SSL_OP_ALL|SSL_OP_NO_SSLv2);
+#endif
+
     SOAPHTTPBindingProvider::CURLHTTPClient* conf = reinterpret_cast<SOAPHTTPBindingProvider::CURLHTTPClient*>(userptr);
     if (conf->m_ssl_callback(ssl_ctx,conf->m_ssl_userptr))
         return CURLE_OK;
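Review bot: `SSL_OP_ALL` at lines 70 and 72 enables every OpenSSL interoperability workaround, which is broader than the comment above it describes and, in OpenSSL releases of this era, includes `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`, switching off the CBC empty-fragment countermeasure. If only SSLv2 and session tickets are meant to be disabled, the narrower mask `SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET` (and `SSL_OP_NO_SSLv2` alone in the `#else` branch) expresses that; if the full workaround set is intentional, the comment should say why. The options are OR-ed onto whatever libcurl has already set on the context, so nothing previously enabled is cleared here. The body of saml_ssl_ctx_callback continues past the end of the hunk.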
@@ -147,12 +157,12 @@ class CURLPool
 public:
     CURLPool() : m_size(0), m_log(&Category::getInstance(SAML_LOGCAT".SAMLSOAPHTTPBinding.CURLPool")) {}
     ~CURLPool();
-    
+
     CURL* get(const char* location);
     void put(const char* location, CURL* handle);
     typedef map<string,vector<CURL*> > poolmap_t;
 
-private:    
+private:
     poolmap_t m_bindingMap;
     list< vector<CURL*>* > m_pools;
     long m_size;
@@ -175,12 +185,12 @@ CURL* CURLPool::get(const char* location)
     m_log->debug("getting connection handle to %s", location);
     SAMLConfig::getConfig().saml_lock();
     poolmap_t::iterator i=m_bindingMap.find(location);
-    
+
     if (i!=m_bindingMap.end()) {
         // Move this pool to the front of the list.
         m_pools.remove(&(i->second));
         m_pools.push_front(&(i->second));
-        
+
         // If a free connection exists, return it.
         if (!(i->second.empty())) {
             CURL* handle=i->second.back();
@@ -191,10 +201,10 @@ CURL* CURLPool::get(const char* location)
             return handle;
         }
     }
-    
+
     SAMLConfig::getConfig().saml_unlock();
     m_log->debug("nothing free in pool, returning new connection handle");
-    
+
     // Create a new connection and set non-varying options.
     CURL* handle=curl_easy_init();
     if (!handle)
@@ -202,7 +212,8 @@ CURL* CURLPool::get(const char* location)
     curl_easy_setopt(handle,CURLOPT_NOPROGRESS,1);
     curl_easy_setopt(handle,CURLOPT_NOSIGNAL,1);
     curl_easy_setopt(handle,CURLOPT_FAILONERROR,1);
-    curl_easy_setopt(handle,CURLOPT_SSLVERSION,CURL_SSLVERSION_SSLv3);
+    // Handle this in the callback.
+    //curl_easy_setopt(handle,CURLOPT_SSLVERSION,CURL_SSLVERSION_SSLv3);
     curl_easy_setopt(handle,CURLOPT_SSL_CIPHER_LIST,"ALL:!aNULL:!LOW:!EXPORT:!SSLv2");
     curl_easy_setopt(handle,CURLOPT_SSL_VERIFYHOST,2);
     curl_easy_setopt(handle,CURLOPT_HEADERFUNCTION,&curl_header_hook);
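Review bot: The commented-out `CURLOPT_SSLVERSION` call at line 127 is dead code; deleting it and keeping only the comment conveys the same information without a stale call that could be re-enabled by accident. The comment `// Handle this in the callback.` is also vaguer than what the callback does, which is to disable SSLv2 via `SSL_CTX_set_options` rather than pin a version, so `// Protocol version restrictions are applied in saml_ssl_ctx_callback via SSL_CTX_set_options instead of CURLOPT_SSLVERSION.` would be more accurate. That callback only runs on handles where the SSL context function is installed, and the `curl_easy_setopt` that installs it is not in this hunk; if it is conditional on a caller registering an SSL callback, handles without one now rely only on the cipher list's `!SSLv2` exclusion. CURLPool::get continues outside the hunk.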
@@ -221,7 +232,7 @@ void CURLPool::put(const char* location, CURL* handle)
         m_pools.push_front(&(m_bindingMap.insert(poolmap_t::value_type(location,vector<CURL*>(1,handle))).first->second));
     else
         i->second.push_back(handle);
-    
+
     CURL* killit=NULL;
     if (++m_size > SAMLConfig::getConfig().conn_pool_max) {
         // Kick a handle out from the back of the bus.
@@ -233,7 +244,7 @@ void CURLPool::put(const char* location, CURL* handle)
                 m_size--;
                 break;
             }
-            
+
             // Move an empty pool up to the front so we don't keep hitting it.
             m_pools.pop_back();
             m_pools.push_front(corpse);
@@ -315,7 +326,7 @@ Iterator<string> SOAPHTTPBindingProvider::CURLHTTPClient::getResponseHeader(cons
     map<string,vector<string> >::const_iterator i=m_response_headers.find(val);
     if (i!=m_response_headers.end())
         return i->second;
-    
+
     for (map<string,vector<string> >::const_iterator j=m_response_headers.begin(); j!=m_response_headers.end(); j++) {
 #ifdef HAVE_STRCASECMP
         if (!strcasecmp(j->first.c_str(),val))
@@ -367,9 +378,9 @@ SAMLResponse* SOAPHTTPBindingProvider::send(const XMLCh* endpoint, SAMLRequest&
     CURL* handle=g_CURLPool->get(location.get());
     if (!handle)
         throw SAMLException(SAMLException::REQUESTER,"SOAPHTTPBindingProvider::send() unable to obtain a curl handle");
-    
+
     string inbufstring=inbuf.str();
-    
+
     // Setup standard per-call curl properties.
     curl_easy_setopt(handle,CURLOPT_URL,location.get());
     curl_easy_setopt(handle,CURLOPT_POSTFIELDS,inbufstring.c_str());
@@ -411,7 +422,7 @@ SAMLResponse* SOAPHTTPBindingProvider::send(const XMLCh* endpoint, SAMLRequest&
         curl_easy_setopt(handle,CURLOPT_CAINFO,conf.ssl_calist.c_str());
     else
         curl_easy_setopt(handle,CURLOPT_CAINFO,NULL);
-    
+
     curl_easy_setopt(handle,CURLOPT_SSL_VERIFYPEER,conf.ssl_calist.empty() ? 0 : 1);
 
     if (!conf.ssl_certfile.empty() && !conf.ssl_keyfile.empty()) {
@@ -445,7 +456,7 @@ SAMLResponse* SOAPHTTPBindingProvider::send(const XMLCh* endpoint, SAMLRequest&
         log.info("sending SOAP message to %s", location.get());
         CURLcode cc=curl_easy_perform(handle);
         CHECK_CURL_RESP(cc);
-    
+
         outbufstring=outbuf.str();
 
         // Run the incoming client-side HTTP hooks.
@@ -456,12 +467,12 @@ SAMLResponse* SOAPHTTPBindingProvider::send(const XMLCh* endpoint, SAMLRequest&
                 throw BindingException("SOAPHTTPBindingProvider::send() HTTP processing hook returned false, aborted incoming response");
             }
         }
-    
+
         // Interrogate the response.
         char* content_type;
         cc=curl_easy_getinfo(handle,CURLINFO_CONTENT_TYPE,&content_type);
         CHECK_CURL_RESP(cc);
-        
+
         if (!content_type || !strstr(content_type,"text/xml")) {
             unsigned int len;
             XMLByte* b=Base64::encode(const_cast<XMLByte*>((XMLByte*)outbufstring.c_str()),outbufstring.length(),&len);
@@ -478,7 +489,7 @@ SAMLResponse* SOAPHTTPBindingProvider::send(const XMLCh* endpoint, SAMLRequest&
         curl_easy_cleanup(handle);
         throw;
     }
-    
+
     DOMDocument* rdoc=NULL;
     try {
         // In theory, the SOAP message should be in buf. Get a parser and build the DOM.



