On the ocsp-verification branch: Sync with trunk up to r1830691.
git-svn-id: https://svn.apache.org/repos/asf/serf/branches/ocsp-verification@1830692 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/SConstruct b/SConstruct
index 68fda78..c314ede 100644
--- a/SConstruct
+++ b/SConstruct
@@ -115,6 +115,9 @@
BoolVariable('DISABLE_LOGGING',
"Disable the logging framework at compile time",
False),
+ BoolVariable('ENABLE_SLOW_TESTS',
+ "Enable long-running unit tests",
+ False),
RawListVariable('CC', "Command name or path of the C compiler", None),
RawListVariable('CFLAGS', "Extra flags for the C compiler (space-separated)",
None),
@@ -460,10 +463,20 @@
env.Append(CPPDEFINES=['SERF_NO_SSL_BIO_WRAPPERS'])
if not conf.CheckFunc('X509_STORE_get0_param'):
env.Append(CPPDEFINES=['SERF_NO_SSL_X509_STORE_WRAPPERS'])
+if not conf.CheckFunc('X509_get0_notBefore'):
+ env.Append(CPPDEFINES=['SERF_NO_SSL_X509_GET0_NOTBEFORE'])
+if not conf.CheckFunc('X509_get0_notAfter'):
+ env.Append(CPPDEFINES=['SERF_NO_SSL_X509_GET0_NOTAFTER'])
+if not conf.CheckFunc('X509_STORE_CTX_get0_chain'):
+ env.Append(CPPDEFINES=['SERF_NO_SSL_X509_GET0_CHAIN'])
if conf.CheckFunc('CRYPTO_set_locking_callback'):
env.Append(CPPDEFINES=['SERF_HAVE_SSL_LOCKING_CALLBACKS'])
if conf.CheckFunc('OPENSSL_malloc_init', '#include <openssl/crypto.h>'):
env.Append(CPPDEFINES=['SERF_HAVE_OPENSSL_MALLOC_INIT'])
+if conf.CheckFunc('SSL_library_init', '#include <openssl/crypto.h>'):
+ env.Append(CPPDEFINES=['SERF_HAVE_OPENSSL_SSL_LIBRARY_INIT'])
+if conf.CheckFunc('OpenSSL_version_num', '#include <openssl/crypto.h>'):
+ env.Append(CPPDEFINES=['SERF_HAVE_OPENSSL_VERSION_NUM'])
if conf.CheckFunc('SSL_set_alpn_protos'):
env.Append(CPPDEFINES=['SERF_HAVE_OPENSSL_ALPN'])
if conf.CheckType('OSSL_HANDSHAKE_STATE', '#include <openssl/ssl.h>'):
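Review bot: The probe `conf.CheckFunc('SSL_library_init', '#include <openssl/crypto.h>')` names a header that, as far as I know, does not declare SSL_library_init (it is declared in `<openssl/ssl.h>`), so the result depends on the compiler accepting an implicit declaration. On a toolchain that rejects implicit declarations the check would presumably fail even against an OpenSSL that has the function, leaving SERF_HAVE_OPENSSL_SSL_LIBRARY_INIT undefined. The block this commit guards with it in buckets/ssl_buckets.c (`SSL_library_init(); OpenSSL_add_all_algorithms();`) would then be skipped without any build-time signal on a library that still needs explicit initialisation. If the crypto.h include is deliberate, to keep the newer compatibility macro out of the probe, say so in a comment; otherwise drop the header argument as the X509 probes above do: `if conf.CheckFunc('SSL_library_init'):`.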
@@ -560,6 +573,10 @@
tenv = env.Clone()
+# Check if long-running tests should be enabled
+if tenv.get('ENABLE_SLOW_TESTS', None):
+ tenv.Append(CPPDEFINES=['SERF_TEST_DEFLATE_4GBPLUS_BUCKETS'])
+
# MockHTTP requires C99 standard, so use it for the test suite.
cflags = tenv['CFLAGS']
tenv.Replace(CFLAGS = [f.replace('-std=c89', '-std=c99') for f in cflags])
diff --git a/buckets/ssl_buckets.c b/buckets/ssl_buckets.c
index 2a3b586..fdf880f 100644
--- a/buckets/ssl_buckets.c
+++ b/buckets/ssl_buckets.c
@@ -53,6 +53,18 @@
#define X509_STORE_get0_param(store) ((store)->param)
#endif
+#ifdef SERF_NO_SSL_X509_GET0_NOTBEFORE
+#define X509_get0_notBefore(cert) (X509_get_notBefore(cert))
+#endif
+
+#ifdef SERF_NO_SSL_X509_GET0_NOTAFTER
+#define X509_get0_notAfter(cert) (X509_get_notAfter(cert))
+#endif
+
+#ifdef SERF_NO_SSL_X509_GET0_CHAIN
+#define X509_STORE_CTX_get0_chain(store) (X509_STORE_CTX_get_chain(store))
+#endif
+
/*
* Here's an overview of the SSL bucket's relationship to OpenSSL and serf.
@@ -864,10 +876,10 @@
failures |= SERF_SSL_CERT_INVALID_HOST;
/* Check certificate expiry dates. */
- if (X509_cmp_current_time(X509_get_notBefore(server_cert)) >= 0) {
+ if (X509_cmp_current_time(X509_get0_notBefore(server_cert)) >= 0) {
failures |= SERF_SSL_CERT_NOTYETVALID;
}
- else if (X509_cmp_current_time(X509_get_notAfter(server_cert)) <= 0) {
+ else if (X509_cmp_current_time(X509_get0_notAfter(server_cert)) <= 0) {
failures |= SERF_SSL_CERT_EXPIRED;
}
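Review bot: These two comparisons are fail-closed only because of how the `0` return is folded in, and nothing on the new lines says so. X509_cmp_current_time() returns 0 on error, so `>= 0` on notBefore and `<= 0` on notAfter both turn an unparsable date into a verification failure. A later cleanup to `> 0` / `< 0` would accept such a certificate, so I would add a comment above the check, e.g. `/* X509_cmp_current_time() returns 0 on error; the >= 0 and <= 0 tests deliberately treat an unparsable date as a failure. */`. The enclosing function starts and ends outside this hunk.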
@@ -907,7 +919,7 @@
apr_pool_create(&subpool, ctx->pool);
/* Borrow the chain to pass to the callback. */
- chain = X509_STORE_CTX_get_chain(store_ctx);
+ chain = X509_STORE_CTX_get0_chain(store_ctx);
/* If the chain can't be retrieved, just pass the current
certificate. */
@@ -1453,7 +1465,11 @@
#ifdef SERF_LOGGING_ENABLED
/* Warn when compile-time and run-time version of OpenSSL differ in
major/minor version number. */
+#ifdef SERF_HAVE_OPENSSL_VERSION_NUM
+ unsigned long libver = OpenSSL_version_num();
+#else
long libver = SSLeay();
+#endif
if ((libver ^ OPENSSL_VERSION_NUMBER) & 0xFFF00000) {
serf__log(LOGLVL_WARNING, LOGCOMP_SSL, __FILE__, NULL,
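Review bot: The two preprocessor branches give `libver` different signedness (`unsigned long` from OpenSSL_version_num(), `long` from SSLeay()), and the serf__log() format arguments that print it lie outside this hunk, so they must happen to suit both. As far as I know SSLeay() is also declared as returning `unsigned long`, so the variable could be declared `unsigned long libver` in both branches, with only the initializer differing. That also keeps the `& 0xFFF00000` mask purely unsigned.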
@@ -1468,10 +1484,12 @@
#else
CRYPTO_malloc_init();
#endif
+#ifdef SERF_HAVE_OPENSSL_SSL_LIBRARY_INIT
ERR_load_crypto_strings();
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
+#endif
#if APR_HAS_THREADS && defined(SERF_HAVE_SSL_LOCKING_CALLBACKS)
numlocks = CRYPTO_num_locks();
@@ -2348,18 +2366,18 @@
/* set expiry dates */
bio = BIO_new(BIO_s_mem());
if (bio) {
- ASN1_TIME *notBefore, *notAfter;
+ const ASN1_TIME *notBefore, *notAfter;
char buf[256];
memset (buf, 0, sizeof (buf));
- notBefore = X509_get_notBefore(cert->ssl_cert);
+ notBefore = X509_get0_notBefore(cert->ssl_cert);
if (ASN1_TIME_print(bio, notBefore)) {
BIO_read(bio, buf, 255);
apr_hash_set(tgt, "notBefore", APR_HASH_KEY_STRING,
apr_pstrdup(pool, buf));
}
memset (buf, 0, sizeof (buf));
- notAfter = X509_get_notAfter(cert->ssl_cert);
+ notAfter = X509_get0_notAfter(cert->ssl_cert);
if (ASN1_TIME_print(bio, notAfter)) {
BIO_read(bio, buf, 255);
apr_hash_set(tgt, "notAfter", APR_HASH_KEY_STRING,
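Review bot: The same memory BIO is reused for both dates without being cleared, so a failed notBefore conversion can corrupt the notAfter string. When ASN1_TIME_print() fails it has, as far as I know, already written a "Bad time value" marker into the BIO; the `BIO_read()` is then skipped and that text is still queued when notAfter is printed, ending up prefixed to the "notAfter" value taken from a peer-supplied certificate. I would clear the BIO between the two conversions, e.g. `(void)BIO_reset(bio);` just before `notAfter = X509_get0_notAfter(cert->ssl_cert);`, and read with `sizeof(buf) - 1` rather than the literal `255`. The enclosing block continues past the end of this hunk.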
diff --git a/test/test_buckets.c b/test/test_buckets.c
index fe58200..a427bf1 100644
--- a/test/test_buckets.c
+++ b/test/test_buckets.c
@@ -2089,6 +2089,7 @@
return defbkt;
}
+#ifdef SERF_TEST_DEFLATE_4GBPLUS_BUCKETS
/* Test for issue #152: the trailers of gzipped data only store the 4 most
significant bytes of the length, so when the compressed data is >4GB
we can't just compare actual length with expected length. */
@@ -2125,6 +2126,7 @@
}
#endif
+ printf("\n");
actual_size = 0;
for (i = 0; i < NR_OF_LOOPS; i++) {
const char *data;
@@ -2132,8 +2134,11 @@
apr_size_t read_len;
apr_status_t status;
- if (i % 1000 == 0)
- printf("%d\n", i);
+ if (i % 1000 == 0) {
+ printf("\rtest_deflate_4GBplus_buckets: %d of %d",
+ i, NR_OF_LOOPS);
+ fflush(stdout);
+ }
status = apr_generate_random_bytes(uncompressed, BUFSIZE);
CuAssertIntEquals(tc, APR_SUCCESS, status);
@@ -2166,6 +2171,7 @@
actual_size += read_len;
}
+ printf("\n");
put_32bit(&gzip_trailer[0], unc_crc);
put_32bit(&gzip_trailer[4], unc_length);
@@ -2193,6 +2199,7 @@
#undef NR_OF_LOOPS
#undef BUFSIZE
}
+#endif /* SERF_TEST_DEFLATE_4GBPLUS_BUCKETS */
/* Basic test for serf_linebuf_fetch(). */
static void test_linebuf_fetch_crlf(CuTest *tc)
@@ -3348,7 +3355,7 @@
SUITE_ADD_TEST(suite, test_brotli_decompress_bucket_garbage_at_end);
SUITE_ADD_TEST(suite, test_brotli_decompress_response_body);
}
-#if 0
+#ifdef SERF_TEST_DEFLATE_4GBPLUS_BUCKETS
/* This test for issue #152 takes a lot of time generating 4GB+ of random
data so it's disabled by default. */
SUITE_ADD_TEST(suite, test_deflate_4GBplus_buckets);