------------------------------------------------------------------------
r1931481 | brane | 2026-01-23 09:09:15 +0100 (Fri, 23 Jan 2026) | 14 lines
Do not compile the serf_spider test program if APR doesn't support threads.
* build/scons_extras.py
(CheckAPRHasThreads): New custom test function.
* SConstruct
(custom_tests): Add CheckAPRHasThreads.
(apr_has_threads): Perform the config test.
(TEST_PROGRAMS): Add serf_spider only if APR has threads.
* test/CMakeLists.txt
(serf_check_apr_has_threads): New test function.
(SIMPLE_TEST_TARGETS): Add serf_spider only if APR has threads.
* CMakeLists.txt: Add a note to the summary if APR doesn't have threads.
------------------------------------------------------------------------
r1931480 | brane | 2026-01-23 09:02:54 +0100 (Fri, 23 Jan 2026) | 8 lines
Follow up to r1931479: Ignore the asynchronous resolver tests if we don't
have an asynchronous resolver implementation.
* test/test_context.c
(test_async_connection,
async_resolve,
test_async_resolve_cancel): Return early on APR_ENOTIMPL.
------------------------------------------------------------------------
r1931479 | brane | 2026-01-23 08:24:23 +0100 (Fri, 23 Jan 2026) | 6 lines
Add missing async-resolver implementation if we have neither APR threads
nor the Unbound library available.
* src/resolve.c
(serf__create_resolve_context): Implement when !HAVE_ASYNC_RESOLVER.
------------------------------------------------------------------------
r1931478 | brane | 2026-01-23 07:38:32 +0100 (Fri, 23 Jan 2026) | 10 lines
Build and tests should work when APR doesn't support threads.
* auth/auth.c
(cleanup_user_scheme): Don't call init_authn_schemes_guard() explicitly.
* test/MockHTTPinC/MockHTTP_server.c
(run_thread): Define function only if APR supports threads.
(mhStartServer, mhStopServer): Move threading-specific local variables
inside the APR_HAS_THREADS conditional block.
------------------------------------------------------------------------
r1931320 | brane | 2026-01-14 19:13:48 +0100 (Wed, 14 Jan 2026) | 7 lines
Bump the copyright year.
A big thank you to the Founding Fathers of Serfdom for putting
the year into just this one file.
* NOTCE: Change 2025 to 2026.
------------------------------------------------------------------------
r1931293 | brane | 2026-01-13 15:14:11 +0100 (Tue, 13 Jan 2026) | 12 lines
Allow tests to only output messages from error callbacks, without
cluttering the output with low-level logging.
* test/test_serf.h
(TEST_VERBOSE): Explain what the value does.
* test/test_util.c
(setup_test_context): Register the error callback if TEST_VERBOSE > 0.
Configure console logging if TEST_VERBOSE > 1.
(test__log, test__log_nopref, test__log_skt): Require that the verbose_flag
is greater than 1 in order to log anything.
------------------------------------------------------------------------
r1931292 | brane | 2026-01-13 14:54:30 +0100 (Tue, 13 Jan 2026) | 9 lines
Fix OCSP tests on Fedora and derivatives. It turns out we were signing OCSP
responses with SHA-1, which is disabled in OpenSSL builds on those platforms.
In addition, perform three *headbang*s for not catching this when I refreshed
the test certificates to also not use SHA-1. My wall is now slightly dented.
* test/test_ssl.c
(create_ocsp_response): Use EVP_sha256() instead of EVP_sha1().
------------------------------------------------------------------------
r1931277 | brane | 2026-01-13 00:56:57 +0100 (Tue, 13 Jan 2026) | 16 lines
Add a simple test to verify error propagation through the callbacks.
Only for context and outgoing connection/requests for now, no incoming
or SSL stuff.
* serf_private.h
(serf__global_error_callback): Declare the default global error callback.
* src/error_callbacks.c
(serf__global_error_callback): Renamed from default_global_error_callback
and made public instead of static. All references updated.
* test/test_internal.c
(struct error_callback_baton,
error_cb_request_setup,
error_cb_error_callback): New; private helpers.
(test_global_error_callback): New test case.
(test_internal): Register test_global_error_callback.
------------------------------------------------------------------------
r1931219 | brane | 2026-01-10 22:12:27 +0100 (Sat, 10 Jan 2026) | 16 lines
Make SSL tests pass with LibreSSL.
* test/test_ssl.c
(test_ssl_handshake,
test_ssl_certificate_chain_all_from_server,
test_ssl_expired_server_cert,
test_ssl_future_server_cert,
test_setup_ssltunnel,
test_ssl_renegotiate,
test_ssl_ocsp_response_error_and_override,
test_ssl_server_cert_with_cn_nul_byte,
test_ssl_server_cert_with_san_nul_byt,
test_ssl_server_cert_with_cnsan_nul_byte,
test_ssl_alpn_negotiate): Tweak expected results if the symbol
LIBRESSL_VERSION_NUMBER is defined.
------------------------------------------------------------------------
r1931217 | brane | 2026-01-10 14:48:21 +0100 (Sat, 10 Jan 2026) | 7 lines
In the CMake build, show dependency versions in the summary.
* CMakeLists.txt:
- Expand the summary with dependency version numbers.
- Detect LibreSSL and annotate that in the summary.
- The use of Unbound is no longer considered experimental.
------------------------------------------------------------------------
r1931210 | brane | 2026-01-10 06:40:34 +0100 (Sat, 10 Jan 2026) | 14 lines
Remove support for APR older than 1.3.0.
* README: Add a note about dependency versions.
Also: remove the "People" heading, as it's obsolete.
* serf.h: Check APR version at compile time.
* serf_private.h
(APR_VERSION_AT_LEAST): Remove our version of this macro, user APR's.
(BROKEN_WSAPOLL): Update comment and conditions.
* src/init_once.c: Don't jump through hoops for APR-0.9.x.
* test/MockHTTPinC/MockHTTP_server.c
(BROKEN_WSAPOLL): Do as serf_private.h does.
* test/serf_get.c
(main): Remove conditional code for older APR versions.
------------------------------------------------------------------------
r1931208 | brane | 2026-01-10 04:47:38 +0100 (Sat, 10 Jan 2026) | 29 lines
Make #include directives more consistent throughout the code.
Standard and system headers go first, dependency next, then
our public headers and finally our private headers. Make the
use of #include <header> vs. #include "header" semantically
correct and consistent, too. Also:
* serf_private.h: Include serf.h because of all the typedefs.
* auth/auth.h: Remove unused include of auth_spnego.h and
include the needed serf_private.h.
* auth/auth_spnego.c: Remove headers that are alread included
in auth_spnego.h.
* buckets/allocator.c,
buckets/brotli_buckets.c,
buckets/limit_buckets.c,
buckets/socket_buckets.c: Don't include serf_private.h.
* protocols/fcgi_buckets.h,
protocols/fcgi_protocol.h,
protocols/http2_buckets.h: Do include serf_private.h.
* protocols/fcgi_protocol.c: Don't include serf_bucket_util.h.
* src/context.c,
src/deprecated.c,
src/outgoing.c,
src/pump.c: Don't include serf_bucket_util.h.
* src/inet_pton.c,
src/init_once.c,
src/syntax.c: Don't include serf.h.
* test/test_internal.c: Don't include serf_bucket_util.h.
------------------------------------------------------------------------
r1931129 | brane | 2026-01-05 19:01:26 +0100 (Mon, 05 Jan 2026) | 10 lines
Add error callbacks to the async resolver code where indicated.
* src/resolve.c
(create_resolve_context,
resolve_convert,
resolve_callback,
resolve_address_async,
run_async_resolver_loop[unbound]): Replace placeholder comments with
calls to the context error callback. Keep loggin in place.
------------------------------------------------------------------------
r1931128 | brane | 2026-01-05 17:44:26 +0100 (Mon, 05 Jan 2026) | 31 lines
[SERF-211] Finalize the asynchronouse resolver API. This adds a private
interface for waking the context from a poll, so that the resolver can
signal when results are available.
* serf.h
(serf_context_create_ex): Make the docstring a docstring.
(serf_address_resolved_t,
serf_address_resolve_async,
serf_connection_created_t,
serf_connection_create_async): Remove the experimental comments
and fix some typos in the docstrings.
* serf_private.h
(SERF_IO_WAKEUP_PIPE): New constant for the io baton type.
(serf_context_t::wakeup): New member.
(serf__context_wakeup): New prototype.
* src/context.c: Include <apr_atomic.h>
(WAKEUP_LOOPBACK, WAKEUP_FAMILY): New constants.
(serf__context_wakeup_t): New struct for the self-pinging wakeup socket.
(init_wakeup, process_wakeup): New private helper functions.
(serf__context_wakeup): Implement here.
(serf_context_create_ex): Initialize the wakeup socket.
(serf_event_trigger): Process the wakeup signal.
* src/resolve.c: Remove the experimental/todo top-level comment.
(resolve): Tweak log message.
(push_resolve_result): Wake the context when a new result is available.
(serf__process_async_resolve_results): Return immediately if the async
resolver was not properly initialized. Add debug logging.
------------------------------------------------------------------------
r1931111 | dsahlberg | 2026-01-04 22:35:26 +0100 (Sun, 04 Jan 2026) | 6 lines
Fix a fwe more cases where Brane's spell check failed to find all errors[1]
* serf.h: Fix spelling in comments. No functional change.
[1]
------------------------------------------------------------------------
r1931109 | dsahlberg | 2026-01-04 21:53:43 +0100 (Sun, 04 Jan 2026) | 15 lines
Replace version 1.4 with 1.5 in all @since docstrings.
1.4 was never released so this should make it less confusing for everyone
* serf.h,
serf_bucket_types.h,
serf_bucket_utils.h: As above
See SERF-210
Suggested by: brane
[1] https://lists.apache.org/thread/s7mznhp5hsr2x3t2p9copqczcz5g7gdg
------------------------------------------------------------------------
r1931108 | brane | 2026-01-04 19:36:06 +0100 (Sun, 04 Jan 2026) | 6 lines
Follow up to r1931058: remove an empty conditional block.
* buckets/ssl_buckets.c
(ssl_need_client_cert): Remove an #if/#endif that were left behind
after the function split.
------------------------------------------------------------------------
r1931107 | brane | 2026-01-04 18:45:33 +0100 (Sun, 04 Jan 2026) | 14 lines
Fix warnings and errors when building with LibreSSL and OpenSSL 1.1.1w.
* buckets/ssl_buckets.c
(ssl_x509_ex_data_idx): Make conditional on SERF_HAVE_OSSL_STORE_OPEN_EX.
* test/test_ssl.c
(client_cert_uri_conn_setup): Likewise, make conditional.
(SERF__OPENSSL_VERSION_PREREQ): Define this macro to expand to false if
OPENSSL_VERSION_PREREQ is not defined, otherwise make it an alias.
(test_ssl_revoked_server_cert,
test_ssl_ocsp_verify_response_no_signer): Use our new ...PREREQ macro
instead of the previous invalid usage that broke compiling with older
versions of OpenSSL.
------------------------------------------------------------------------
r1931089 | brane | 2026-01-04 11:28:45 +0100 (Sun, 04 Jan 2026) | 43 lines
Tie in SSL context error reporting with the context/connection callbacks.
* serf.h
(serf_context_error_callback_set,
serf_connection_error_callback_set,
serf_incoming_error_callback_set): Add a note about baton lifetimes.
* serf_bucket_types.h: Move the encrypt bucket declarations next to the
decrypt bucket declarations, they belong together.
(serf_bucket_ssl_encrypt_create,
serf_bucket_ssl_encrypt_context_get,
serf_bucket_ssl_decrypt_create,
serf_bucket_ssl_decrypt_context_get): Add sorely missing docstrings.
(serf_ssl_use_context_error_callback,
serf_ssl_use_connection_error_callback,
serf_ssl_use_incoming_error_callback): New prototypes.
* serf_private.h
(serf__request_ssl_error,
serf__response_ssl_error,
serf__incoming_request_ssl_error,
serf__incoming_response_ssl_error): Remove prototypes.
* src/error_callbacks.c
(serf__request_ssl_error,
serf__response_ssl_error,
serf__incoming_request_ssl_error,
serf__incoming_response_ssl_error): Remove unused functions.
* buckets/ssl_buckets.c
(serf_ssl_context_t): Add err_ctx, an error context field. Replace almost
all references to global_error_ctx with serf_ssl_context_t::err_ctx.
(ssl_init_context): Initialize err_ctx from global_error_ctx.
(serf_ssl_use_context_error_callback,
serf_ssl_use_connection_error_callback,
serf_ssl_use_incoming_error_callback): Implement here.
* test/serf_get.c: Include serf_bucket_types.h.
(conn_setup): Make new SSL contexts use the connection's error callback.
(global_error_callback,
connection_error_callback): New error callback functions.
(main): Register global and per-connection error callbacks.
------------------------------------------------------------------------
r1931058 | brane | 2026-01-02 20:26:19 +0100 (Fri, 02 Jan 2026) | 12 lines
Split the client certificate callback implementation into two functions,
one that uses OSSL_STORE and the ancient/original that reads PKCS#12 files.
* buckets/ssl_buckets.c
(ssl_read_client_cert_uri): New, conditionally present. Reads certificates
and private keys from a keystore, which can be a PKCS#12 file or an
OS-specific certificate store URI. The implementation was moved from
ssl_need_client_cert() with minor changes.
(ssl_need_client_cert): Delegate to ssl_read_client_cert_uri() first, then
continue with the file-based attempt if no certificates were found.
------------------------------------------------------------------------
r1931057 | dsahlberg | 2026-01-02 15:10:38 +0100 (Fri, 02 Jan 2026) | 5 lines
Followup to r1931047: Spellfix, no functional change
* serf_private.h
Fix spelling in a comment
------------------------------------------------------------------------
r1931056 | dsahlberg | 2026-01-02 15:10:04 +0100 (Fri, 02 Jan 2026) | 5 lines
Followup to r1927627: Spellfix, no functional change
* serf.h
Fix spelling in a comment
------------------------------------------------------------------------
r1931047 | brane | 2026-01-01 19:45:34 +0100 (Thu, 01 Jan 2026) | 54 lines
Added error callback infrastructure.
This adds three levels and four kinds of callbacks for reporting errors
from Serf: global, context-specific and (incoming or outgoing) connection
-specific. Request and response code will use their their connection's
callback, but add extra flags to indicate the source of the error message.
The SSL code in ssl_buckets.c uses an error context that callers can (or
rather "will be able to") define so that error messages get sent to
the appropriate, caller-specific callback. This part is not yet implemented
because it requires revising some of our SSL APIs.
* CMakeLists.txt: Check if <unistd.h> is available, used by tests.
(SOURCES): Add the error_callbacks.c file.
* SConstruct: Check for <unistd.h>, as above.
* serf.h: Add public error callback prototypes and constants.
Too many of them to list here individually.
* serf_bucket_types.h
(serf_ssl_error_cb_set, serf_ssl_error_cb_t): Removed, obsolete.
* serf_private.h: Add private helpers for sending error messages to
callbacks and the ssl_context infrastructure for handling errors.
(serf_context_t): Add error_callback and error_callback_baton.
(serf_incoming_t): Likewise.
(serf_connection_t): Here, too.
* buckets/ssl_buckets.c:
Update all calls to the removed ssl-specific error callback to use
the new dispatch_ssl_error.
(serf_ssl_context_t) Remove error_callback and error_baton.
(global_error_ctx): New fallback error context, sends to global callback.
(dispatch_ssl_error): New, calls an error context's dispatcher.
(log_ssl_error): Use dispatch_ssl_error().
* src/error_callbacks.c: New file. Implements all the private helpers
declared in serf_private.h, and also:
(serf_global_error_callback_set): Implement here.
* src/context.c
(serf_context_error_callback_set): Implement here.
* src/incoming.c
(serf_incoming_error_callback_set): Implement here.
* src/outgoing.c
(serf_connection_error_callback_set): Implement here.
* test/test_util.c
(isatty): Import from headers if available, otherwise fake it.
(test_error_callback): New, an error callback for the test suite.
(setup_test_context): Register test_error_callback in verbose mode.
------------------------------------------------------------------------
r1931046 | brane | 2026-01-01 18:33:48 +0100 (Thu, 01 Jan 2026) | 11 lines
Fix a bug in the client certificate loading logic. It was hidden from
view because the error that should have been reported gets thrown away
when the error callback was not defined.
* buckets/ssl_buckets.c (ssl_need_client_cert):
Add a rather caustic FIXME that the function should be split in two.
Use OSSL_STORE_open() instead of the _ex() variant because we don't
use any of the extended parameters.
When iterating over a certificate store's contents, check the EOF
condition only after attempting to read the next item.
------------------------------------------------------------------------
r1931031 | brane | 2026-01-01 12:28:58 +0100 (Thu, 01 Jan 2026) | 9 lines
In the CMake build: In some cases, using a target instead of a library
path makes a configure check fail. Make sure to use the right path to the
Brotli decoder library with both pkg-config and find_package().
* CMakeLists.txt: Tell pkg-config to look for "Brotly_Decode" and then,
similarly to the OpenSSL case, set variables that are compatible
with the results of the FindBrotli.cmake script. Use the library
path instead of the imported target in CheckFunciton().
------------------------------------------------------------------------
r1931008 | brane | 2025-12-31 17:25:52 +0100 (Wed, 31 Dec 2025) | 7 lines
Follow up to r1931007: make conditional compilation more portable.
* test/test_ssl.c
(test_ssl_revoked_server_cert): Move the #if outside of the macro
invocation, and use OPENSSL_VERSION_PREREQ for OpenSSL 3.x checks.
(test_ssl_ocsp_verify_response_no_signer): Use OPENSSL_VERSION_PREREQ.
------------------------------------------------------------------------
r1931007 | brane | 2025-12-31 16:51:41 +0100 (Wed, 31 Dec 2025) | 5 lines
Fix SSL tests with OpenSSL 3.6+.
* test/test_ssl.c (test_ssl_revoked_server_cert):
Adjust the expected output for changed error handling in OpenSSL 3.6.
------------------------------------------------------------------------
r1930991 | brane | 2025-12-31 00:59:39 +0100 (Wed, 31 Dec 2025) | 7 lines
Fix our variable naming in the CMake build. CMake's pkg-config finder
sets BROTLI_INCLUDE_DIR when searching for the Brotli libraries.
* CMakeLists.txt,
build/FindBrotli.cmake:
Use BROTLI_INCLUDE_DIR instead of BROTLI_INCLUDES.
------------------------------------------------------------------------
r1930990 | brane | 2025-12-30 22:48:26 +0100 (Tue, 30 Dec 2025) | 5 lines
Add pipeline usage debug statistics for serf_get.
* test/serf_get.c (main): Track how many requests are pending (were sent
but did not yet receive a response) there are for each active connection.
------------------------------------------------------------------------
r1930989 | brane | 2025-12-30 22:18:57 +0100 (Tue, 30 Dec 2025) | 8 lines
Make the hpack_huffman script compatible with Python 3. The
output of the updated script is exactly the same as before.
* buckets/hpack_huffman.py:
Update all print statements to print() function calls.
* .[svn:ignore]: Ignore the .ruff_cache directory.
------------------------------------------------------------------------
r1930478 | brane | 2025-12-13 03:11:51 +0100 (Sat, 13 Dec 2025) | 13 lines
Add a simple HTTP server to aid testing of authentication handlers.
Created speifically for SERF-195, but could be useful in other contexts.
Incidentally fix serf_get so that authentication works when using
multiple connections.
* test/manual/authserver.py: New.
* test/serf_get.c
(handler_baton_t): New field conn_count.
(credentials_callback): Allow as many authentication attempts
as there are concurrent connections.
(main): Initialize handler_baton_t::conn_count.
------------------------------------------------------------------------
r1930477 | brane | 2025-12-13 03:06:00 +0100 (Sat, 13 Dec 2025) | 6 lines
Don't pollute the connection pool with the cleartext password.
* auth/auth_basic.c (serf__handle_basic_auth):
Allocate the temporary Basic auth credentials in the scratch
pool which is destroyed once the authentication header is set.
------------------------------------------------------------------------
r1928721 | gstein | 2025-09-24 06:33:30 +0200 (Wed, 24 Sep 2025) | 1 line
Tweak svn:ignore for build artifacts from SCons and CMake
------------------------------------------------------------------------
r1928718 | gstein | 2025-09-24 05:53:29 +0200 (Wed, 24 Sep 2025) | 1 line
Remove draft work that will not be implemented in the near term.
------------------------------------------------------------------------
r1927654 | brane | 2025-08-07 01:47:27 +0200 (Thu, 07 Aug 2025) | 16 lines
Remove the serf_connection_create3() public function. It was added when Serf
did not have an asynchronous DNS resolver and is now functionally replaced
by serf_connection_create_async().
* serf.h
(serf_connection_create3): Removed.
(serf_connection_create,
serf_connection_create2,
serf_connection_create_async,
serf_address_resolve_async): Update the documentation.
* src/outgoing.c
(create_connection): Renamed from serf_connection_create3 and made private.
* src/resolve.c
(serf_address_resolve_async): Ignore proxy configuration, that part is
already handled by serf_connection_create_async.
------------------------------------------------------------------------
r1927634 | brane | 2025-08-06 09:52:54 +0200 (Wed, 06 Aug 2025) | 11 lines
Fix another integer narrowing warning.
* buckets/http2_frame_buckets.c
(serf__bucket_http2_frame_create): Change the max_payload_size argument
from an apr_uint32_t to an apr_size_t, because that's how we store it
in our internal data structures. Move the size check to the beginning
of the function so that we can never use a payload size that's too large.
* protocols/http2_buckets.h
(serf__bucket_http2_frame_create): Update the prototype.
------------------------------------------------------------------------
r1927633 | brane | 2025-08-06 09:45:01 +0200 (Wed, 06 Aug 2025) | 4 lines
* buckets/hpack_buckets.c
(serf__bucket_hpack_setx): Use the new serf__tolower_inplace() instead
of open-coding the same logic.
------------------------------------------------------------------------
r1927628 | brane | 2025-08-06 07:13:16 +0200 (Wed, 06 Aug 2025) | 22 lines
SERF-207: The Digest authn provider verifies received parameters.
* serf_private.h
(serf__find_token): New prototype.
* src/syntax.c
(skip_not_space): New; skips non-space characters.
(serf__find_token): New; finds a token in a space-separated list.
* auth/auth_digest.c
(serf__handle_digest_auth): Verify that incoming authn parameters are
supported: we only support the (default) MD5 hash and the "auth" qop.
* test/test_auth.c
(digest_check_parameters,
test_digest_valid_params,
test_digest_invalid_params): New test functions.
(test_auth): Register the new test cases.
* test/test_internal.c
(test_find_token): New test for serf__find_token().
(test_internal): Register the new test case.
------------------------------------------------------------------------
r1927627 | brane | 2025-08-06 06:59:43 +0200 (Wed, 06 Aug 2025) | 1 line
Merged the user-defined-authn branch to trunk.
------------------------------------------------------------------------
r1927607 | brane | 2025-08-04 12:01:39 +0200 (Mon, 04 Aug 2025) | 2 lines
* SConstruct: Add support for using the Unbound async resolver.
------------------------------------------------------------------------
r1927605 | brane | 2025-08-04 11:15:23 +0200 (Mon, 04 Aug 2025) | 9 lines
In the CMake build: Search for most dependencies with pkg-config first,
and find_package if that fails.
* CMakeLists.txt:
- Use pkg-config to look for OpenSSL, zlib, Brotli, GSSAPI and Unbound.
- Write the pkg-config file with dependencies as appropriate.
* build/FindUnbound.cmake: Remove pkg-config related parts.
* build/SerfFindPkgConfig.cmake: New.
------------------------------------------------------------------------
r1927602 | brane | 2025-08-04 07:26:05 +0200 (Mon, 04 Aug 2025) | 18 lines
Build system improvements.
* SConstruct:
- Better default values for dependency and install locations.
- Generate a valid pkg-config file on Windows, and add importand
build definitions to it (inherited from APR).
- Use the common exports generator, retire gen-def.py.
* CMakeLists.txt:
- Properly install debug info files in multi-config builds.
- Update pkg-config generation to match SConstruct.
- Show the pkg-config location in the summary.
* build/gen_def.py: Removed.
* build/serf.pc.in
(@REQUIRES@): Renamed from @PC_REQUIRES@.
(@CFLAGS@): New placeholdsr.
------------------------------------------------------------------------
r1927587 | brane | 2025-08-03 00:23:57 +0200 (Sun, 03 Aug 2025) | 16 lines
Improve the CMake build: add options to disable optional dependencies
even when they're available and found in the configuration step. Also,
always include the pkg-config file, including on Windows, where it's
now expected to be available at least with vcpkg dependencies.
* CMakeLists.txt: Always install the pkg-config file, and move the
dependency on libssl.pc and libcrypto.pc to the CMake file.
(USE_BROTLI, USE_GSSAPI, USE_UNBOUND): New configuration options.
On by default, use them to decide when to search for these
optional dependencies.
* SConstruct
(PC_REQUIRES): Add libssl and libcrypto.
* build/serf.pc.in
(Requires.private): Remove default libssl and libcrypto.
------------------------------------------------------------------------
r1927582 | brane | 2025-08-02 14:02:09 +0200 (Sat, 02 Aug 2025) | 15 lines
In the CMake build, look for Unbound. The SCons build doesn't support this
yet, it only handles the new addition to the pkg-config file template.
* CMakeLists.txt:
- Find Unbound.
- Remove the temporary hack for using Unbound in the build.
- Use the new variables from FindUnbound to generate the pkg-config file.
* SConstruct
(PC_REQUIRES): New variable, substitute it into the pkg-config file.
* build/FindUnbound.cmake: New; Find Unbound, either through pkg-config
or the old-fashioned way.
* build/SerfMacOS.cmake: Find "unbound" in Homebrew or MacPorts.
* build/serf.pc.in: Add the @PC_REQUIRES@ substitution for private
dependencies that are available through pkg-config.
------------------------------------------------------------------------
r1927581 | brane | 2025-08-02 13:06:03 +0200 (Sat, 02 Aug 2025) | 7 lines
In the CMake build, fix APR (2.x) and APR-Util with external modules.
* build/FindAPR.cmake
(APR_EXTRALIBS): Also include --ldflags for linking dependent libraries.
* build/FindAPRUtil.cmake
(APRUTIL_EXTRALIBS): Likewise.
------------------------------------------------------------------------
r1927495 | brane | 2025-07-27 18:55:29 +0200 (Sun, 27 Jul 2025) | 2 lines
* src/resolve.c: Update the todo list and comments.
------------------------------------------------------------------------
r1927494 | brane | 2025-07-27 18:39:08 +0200 (Sun, 27 Jul 2025) | 7 lines
Fix fallout from r1927493. This is what happens if one tests with IPv6
disabled and forgets about it later...
* test/test_context.c
(test_async_resolve_ipv6,
test_async_resolve_ipv64): Call the correct generic test function.
------------------------------------------------------------------------
r1927493 | brane | 2025-07-27 18:33:15 +0200 (Sun, 27 Jul 2025) | 27 lines
In the Unbound resolver, detect when the hostname is an IPv4 or IPv6 address
and interpret it without actually calling the resolver function.
* CMakeLists.txt
(SOURCES): Add src/inet_pton.c
* LICENSE, NOTICE: Update for the inet_pton code.
* serf_private.h
(serf__inet_pton4, serf__inet_pton6): Declare new prototypes.
* src/inet_pton.c: New; derived from ISC, via APR.
* src/resolve.c
(SERF__RESOLV_assert): New; conditional assertion macro.
(MAX_ADDRLEN): New.
(resolve_convert): Add a flag that tells if the result should be freed.
(resolve_finalize): Update calls to resolve_convert.
(resolve_address_async): Detect and interpret IP addresses in the host name.
* test/test_context.c
(async_resolve_callback): Renamed from async_resolve_cancel_callback.
(async_resolve,
test_async_resolve_name,
test_async_resolve_ipv4,
test_async_resolve_ipv6,
test_async_resolve_ipv64): New; tests for the async resolver.
(test_async_resolve_cancel): Use async_resolve_callback.
(test_context): Register the new tests.
------------------------------------------------------------------------
r1927485 | brane | 2025-07-26 22:11:05 +0200 (Sat, 26 Jul 2025) | 19 lines
In the Unbound resolver, finally convert the results to apr_sockaddr_t.
* src/resolve.c:
- Do not include <arpa/inet.h> or <netinet/in.h>, they're no longer used.
- Declare APR_WANT_MEMFUNC and APR_WANT_BYTEFUNC throught <apr_want.h>.
- Include <apr_strings.h>.
- Update the top-level todo list.
(INET_ADDRSTRLEN, INET6_ADDRSTRLEN): Define if not defined.
(resolve_result): Remove the 'err' member, it's no longer needed.
(unbound_resolve_task): Add 'host_port_str', copied from apr_uri_t.
(resolve_convert): New; convert struct ub_result to apr_sockaddr_t.
(resolve_finalize): Call resolve_convert and calculate the final status.
(resolve_callback): Remove resolve debug logging, now in resolve_convert.
Fix the interpretation of the return value from apr_atomic_dec32().
(resolve_address_async): Initialize unbound_resolve_task::host_port_str.
Fix the interpretation of the return value from apr_atomic_dec32().
(resolve) [thread-pool resolver]: Use APR's address stringifier in the
debug logging code.
------------------------------------------------------------------------
r1927472 | brane | 2025-07-26 01:55:47 +0200 (Sat, 26 Jul 2025) | 16 lines
Follow up to 1927464: If we're using a proxy, we don't have to resolve the
host address, so the "asynchronous" connection creation becomes synchronous.
* serf.h:
(serf_connection_create_async): update the docstring.
* src/outgoing.c
(async_conn_create): Only copy the host address if it's not null.
(serf_connection_create_async): If we have a proxy, create the connection
immediately without addres resolution.
* test/test_context.c
(test_async_connection): Renamed from test_async_resolve.
(test_async_proxy_connection): New test.
(test_context): Register test_async_proxy_connection.
------------------------------------------------------------------------
r1927465 | brane | 2025-07-25 13:32:51 +0200 (Fri, 25 Jul 2025) | 9 lines
Follow up to r1927456: the serf__resolve_result_t struct is no longer
used outside of resolve.c, so make it local there.
* serf_private.h
(serf__resolve_result_t): Removed.
* src/resolve.c
(resolve_result_t): Renamed from serf__resolve_result_t and moved here.
------------------------------------------------------------------------
r1927464 | brane | 2025-07-25 13:04:38 +0200 (Fri, 25 Jul 2025) | 17 lines
Add an asyncrhonous connection creation API. This is likely to be the most
common use of the asyncrhonous resolver.
* serf.h
(serf_connection_created_t): Callback type for serf_connection_create_async.
(serf_connection_create_async): New.
* src/outgoing.c
(async_create_baton): New; baton for asyncrhonous address resolution.
(async_conn_create): New; callback for same, actually creates the connection.
(serf_connection_create_async): Implement.
* test/test_util.c
(async_reolved_baton, address_resolved): Removed.
(conn_created): New callback.
(use_new_async_connection): Use serf_connection_create_async.
------------------------------------------------------------------------
r1927456 | brane | 2025-07-25 04:22:06 +0200 (Fri, 25 Jul 2025) | 16 lines
Get rid of the mutex that serializes access to the async resolver results.
They're a singly-linked stack, so use lockless push and clear instead.
* serf_private.h
(serf_context_t): Make the resolve_head volatile, and just a void*.
Remove resolve_guard and all the #if thread stuff.
* src/context.c
(serf_context_create_ex): Simplify the initialization for async resolving.
* src/resolve.c: Include <apr_version.h>. Update the top-level todo list.
(lock_results, unlock_results): Remove.
(apr_atomic_casptr, apr_atomic_xchgptr): Add wrapper macros for APR-1.x,
because the prototypes in that version are wrong.
(push_resolve_result): Use a lockless push to the result stack.
(serf__process_async_resolve_results): No locking, just a pointer exchange.
------------------------------------------------------------------------
r1927455 | brane | 2025-07-25 03:26:09 +0200 (Fri, 25 Jul 2025) | 14 lines
In the Unbound resolver, look for both IPv4 and IPv6 addresses.
* src/resolve.c: Update top-level docstrings and todo lists.
(serf_address_resolve_async): The context's resolve_init_status is now
independent of the availability of threads.
(RR_CLASS_IN, RR_TYPE_A, RR_TYPE_AAAA): New constants for query types.
(resolve_result): Result for each query type.
(unbound_resolve_task): Add an array of resolve_results and an atomic
counter of pendinf queries.
(resolve_finalize): New; will aggregate results after all queries are done.
(resolve_callback): Log results for one query and optionally invoke
resolve_finalize if all queries have completed.
(resolve_address_async): Launch IPv4 and IPv6 queries in parallel.
------------------------------------------------------------------------
r1927348 | dsahlberg | 2025-07-20 12:02:50 +0200 (Sun, 20 Jul 2025) | 9 lines
Revert half of r1927273, ERR_error_string isn't threadsafe so we need to make
an extra copy to local stack space.
* buckets/ssl_buckets.c
(log_ssl_error): Revert back to using ERR_error_string_n to make a copy
of the error message string.
Found by: brane/minfrin
------------------------------------------------------------------------
r1927337 | brane | 2025-07-19 21:50:15 +0200 (Sat, 19 Jul 2025) | 11 lines
Un the Unbound resolver, don't poll the resolver context unless we have
actual queries in flight.
* src/resolve.c: Reorder includes so that our headers always come last.
(resolve_context): New struct. Contains the Unbound context and a counter.
(create_resolve_context): Allocate a new resolve_context and properly
clean it up on error.
(resolve_callback): Decrement the Unbound task counter.
(resolve_address_async): Increment the Unbound task counter.
(run_async_resolver_loop): Do not poll if there are no Unbound tasks.
------------------------------------------------------------------------
r1927309 | brane | 2025-07-18 15:45:41 +0200 (Fri, 18 Jul 2025) | 13 lines
Add context-specific task cleanup when a context is destroyed.
* src/resolve.c: Update top-level TODO docstring.
(do_init_work_queue): Renamed from init_work_queue().
(init_work_queue): New; this is now the init-once entry point.
(cleanup_resolve_tasks): New, pool cleanup function.
(create_resolve_context): Call init_work_queue() and register the cleanup.
(resolve_address_async): Call init_work_queue().
* test/test_context.c
(async_resolve_cancel_callback,
test_async_resolve_cancel): New test for the early cancellation path.
(test_context): Register test_async_resolve_cancel.
------------------------------------------------------------------------
r1927308 | brane | 2025-07-18 14:47:56 +0200 (Fri, 18 Jul 2025) | 29 lines
Implement a prototype libunbound-based asynchronous resolver.
EXPERIMENTAL, does not include proper discovery of libunbound.
* CMakeLists.txt: Add some manually configurable bits to find libunbound.
Show the result in the summary.
* build/SerfGenClangd.cmake: Add the unbound include directory.
* serf_private.h
(serf_context_t):
- resolve_init_status renamed from resolve_guard_status;
- added resolve_context, which is implementation-specific.
(serf__create_resolve_context): New prototype.
* src/context.c
(serf_context_create_ex): Initialize the resolve_context and track the
status in resolve_init_status, along with the mutex status.
* src/resolve.c:
- include <unbound.h> when enabled;
- include APR_WANT_BYTEFUNC through <apr_want.h>, used for logging
resolve results. Seems to work fine on Windows/Fedora/Debian,
needs testing on various *BSDs etc.
- Add implementaiton for libunbound.
(SERF_HAVE_ASYNC_RESOLVER): Renamed from SERF_USE_ASYNC_RESOLVER. Again.
(serf__create_resolve_context): Implement here.
* test/test_context.c
(test_async_resolve): Check the status before the connection pointer,
otherwise we don't see the status in the results if the pointer is NULL.
------------------------------------------------------------------------
r1927297 | brane | 2025-07-18 00:43:22 +0200 (Fri, 18 Jul 2025) | 25 lines
Improvements to the CMake build: include the Brotli libraries in the
generated pkg-config file, and remove unnecessary parameters from the APR
and APR-Util configuration.
* CMakeLists.txt
(make_pkgconfig): Add BROTLI_COMMON_LIBRARY and BROTLI_DECODE_LIBRARY
to the private libraries section of the pkg-config file.
* build/FindAPR.cmake
(APR_INCLUDE_DIR): Renamed from APR_INCLUDES. Use the --includedir option
of apr-{1,2}-config to retreive just the APR include directory, not any
other directories that APR may use during its build.
(APR_LDFLAGS): Removed.
(APR::APR_static): Declare interface libraries in target_link_libraries().
(APR::APR): Likewise.
* build/FindAPRUtil.cmake
(APRUTIL_INCLUDE_DIR): Renamed from APRUTIL_INCLUDES. As for APR, use
the --includedir opfion of apu-1-config. In this case it can be quite
important because --includes would contain the path to the OpenSSL used
to implement apr_crypto and could conflict with the version used by Serf.
(APRUTIL_LDFLAGS): Removed.
* build/SerfGenClangd.cmake: Use APR_INCLUDE_DIR and APRUTIL_INCLUDE_DIR.
------------------------------------------------------------------------
r1927292 | brane | 2025-07-17 16:05:32 +0200 (Thu, 17 Jul 2025) | 6 lines
Make a test pass with LibreSSL and old (deprecated) OpenSSL.
* test/test_ssl.c: Include openssl/opensslv.h.
(test_ssl_ocsp_verify_response_no_signer): Expect different errors based
on the version of OpenSSL (LibreSSL declares itself as OpenSSL 2.0.0).
------------------------------------------------------------------------
r1927278 | brane | 2025-07-17 00:02:25 +0200 (Thu, 17 Jul 2025) | 9 lines
Create the context's pollset just once. It's a cosmetic change.
* src/context.c
(PLATFORM_POLLSET_METHOD): New constant. Define this based on the
BROKEN_WSAPOLL state.
(serf_context_create_ex): Remove the #ifdef when creating the pollset.
Will make it easier to add new flags or error handling or whatnot
in future.
------------------------------------------------------------------------
r1927277 | brane | 2025-07-16 23:51:42 +0200 (Wed, 16 Jul 2025) | 12 lines
Don't ignore errors when creating the context's guard mutex for
the acync resolver's result list.
* serf_private.h
(serf_context_t::resolve_guard_status): New member.
* src/context.c
(serf_context_create_ex): Recort the status from creating the mutex
in the context.
* src/resolve.c
(serf_address_resolve_async): Fail immediately if the guard mutex
in the context could not be created.
------------------------------------------------------------------------
r1927273 | dsahlberg | 2025-07-16 21:34:43 +0200 (Wed, 16 Jul 2025) | 11 lines
Followup to r1926972, tighten up the code slightly.
* buckets/ssl_buckets.c
(log_ssl_error): Skip an unnecessary copy of the error message to the stack
- the consumer anyway has to make a copy in the callback.
(ssl_need_client_cert): Decrease scope for err variable.
Review by: gstein (see GitHub PR#9)
Note from future: The change to log_ssl_error wsas reverted in r1927348.
------------------------------------------------------------------------
r1927264 | brane | 2025-07-16 11:17:19 +0200 (Wed, 16 Jul 2025) | 10 lines
Fix building of the MockHTTPinC library. We magically inherited the
OpenSSL include paths from apr-util, so everything breaks down if
apr-util doesn't support apr-crypto.
* test/MockHTTPinC/CMakeLists.txt
(mockhttpinc): Remove target_include_directories. Instead, use the same
target_link_libraries as the Serf static lib. This exposes the OpenSSL
include paths directly from the configured target instead of hoping that
apr-util was build with crypto support.
------------------------------------------------------------------------
r1927258 | brane | 2025-07-16 03:38:49 +0200 (Wed, 16 Jul 2025) | 2 lines
* src/resolve.c: Add a couple more to-do comments.
------------------------------------------------------------------------
r1927255 | dsahlberg | 2025-07-15 23:42:57 +0200 (Tue, 15 Jul 2025) | 8 lines
Document how to run the slow running tests.
(Plus an unrelated trailing whitespace trimming)
* README
(1.1.3 Running the test suite),
(1.2.4 Running the test suite): Document ENABLE_SLOW_TESTS
------------------------------------------------------------------------
r1927249 | brane | 2025-07-15 22:59:40 +0200 (Tue, 15 Jul 2025) | 32 lines
Add support fir asynchronous address resolution in Serf, making it completely
asynchronous. This was the only part of the API that would block on I/O during
normal operation. Asynchronouse address resolution is optional.
* CMakeLists.txt
(SOURCES): Add src/resolve.c.
* serf.h
(serf_address_resolved_t): New; notification callback for resolved addresses.
(serf_address_resolve_async): New; createa a new address resolution task.
* serf_private.h: Include apr_thread_mutex.h.
(serf__resolve_result_t): New; address resolution result.
(serf_context_t): Add members resolve_guard and resolve_head to collect
the results of asynchronous address resolution.
(serf__process_async_resolve_results): New.
* src/context.c
(serf_context_create_ex): Initialize resolve_guard and resolve_head.
(serf_context_prerun): Call serf__process_async_resolve_results to
gather the asynchronously resolved addresses for this context.
* src/resolve.c: New file; implements the asynchronous address resolver.
* test/test_context.c
(test_async_resolve): New test for asynchronous address resolution.
(test_context): Register it.
* test/test_serf.h
(use_new_async_connection): New prototype.
* test/test_util.c
(async_reolved_baton, address_resolved,
use_new_async_connection): Creates a new connection asynchronously.
------------------------------------------------------------------------
r1927226 | brane | 2025-07-14 15:43:46 +0200 (Mon, 14 Jul 2025) | 5 lines
Follow up to r1700062: The published Product Name in the Serf
Windows DLL should be "Apache Serf", not just "Serf".
* serf.rc: Update the ProductName attribute.
------------------------------------------------------------------------
r1927123 | brane | 2025-07-11 01:48:40 +0200 (Fri, 11 Jul 2025) | 3 lines
* test/certs/create_certs.py
(create_cert): Remove a left over type annotation.
------------------------------------------------------------------------
r1927122 | brane | 2025-07-11 01:39:50 +0200 (Fri, 11 Jul 2025) | 13 lines
Drop pyOpenSSL from the test suite certificate generator. Use the cryptography
package instead.
* test/certs/create_certs.py: Rewrite pretty much everything using the
cryptography package instead of pyOpenSSL, the latter being close to
obsolete. Keep the not-before/not-after dates the same as in the latest
generated certificates.
* test/certs/...: Regenerate certificates, PKCS12 files and revocation lists.
* test/test_ssl.c
(test_ssl_cert_certificate): Update the expected SHA-1 hash.
------------------------------------------------------------------------
r1927026 | brane | 2025-07-07 12:00:17 +0200 (Mon, 07 Jul 2025) | 1 line
* CMakeLists.txt: Show enabled slow tests in the summary.
------------------------------------------------------------------------
r1927025 | brane | 2025-07-07 11:33:37 +0200 (Mon, 07 Jul 2025) | 21 lines
Rename the testing 'batons' to make their meaning clearer.
* test/test_serf.h
(test_baton_t::user_number): Renamed from user_baton_l and changed
the type from long to apr_uint64_t.
(test_baton_t::user_status): Renamed from user_baton_s.
* test/test_buckets.c
(deflate_buckets, hold_open,
test_deflate_4GBplus_buckets): Use user_status instead of user_baton_l.
* test/test_context.c
(http_conn_setup_mock_socket,
test_aborted_connection,
test_aborted_connection_with_authn_cb,
test_reset_connection,
test_reset_connection_with_authn_cb): Use user_status instead of user_baton_s.
* test/test_server.c
(client_generate_response,
test_listen_auth_http,
test_listen_auth_http2): Use user_number instead fo user_baton_l.
------------------------------------------------------------------------
r1927015 | dsahlberg | 2025-07-06 21:38:06 +0200 (Sun, 06 Jul 2025) | 3 lines
Follow-up to 1927014, save seems to work now.
Make a whitespace change to README to trigger a new build
------------------------------------------------------------------------
r1927014 | dsahlberg | 2025-07-06 21:19:16 +0200 (Sun, 06 Jul 2025) | 4 lines
Follow-up to r1927013, we got an error message:
the `uses' attribute must be a path, a Docker image, or owner/repo@ref
So, let's try with the branch name "@main"
------------------------------------------------------------------------
r1927013 | dsahlberg | 2025-07-06 21:14:39 +0200 (Sun, 06 Jul 2025) | 5 lines
Follow-up to r1927012, we got an error message:
Unable to resolve action `apache/infrastructure-actions@v1`, unable to find
version `v1`
Let's try without explicit version. (It is there in the documentation...)
------------------------------------------------------------------------
r1927012 | dsahlberg | 2025-07-06 21:07:56 +0200 (Sun, 06 Jul 2025) | 6 lines
Follow-up to r1927011, we got an error message:
infrastructure-actions/stash/restore@v1 and infrastructure-actions/stash/save@v1
are not allowed to be used in apache/serf. Actions in this workflow must be:
within a repository that belongs to your Enterprise account
Looks like we need to specify apache/.
------------------------------------------------------------------------
r1927011 | dsahlberg | 2025-07-06 20:45:47 +0200 (Sun, 06 Jul 2025) | 7 lines
Try to save vcpkg's installed folder to speed up following runs.
Suggested by: gstein
https://lists.apache.org/thread/l8vorrc55gjd6whhh2659bgb3925mz01
(Sent to private@, but I'll add the link anyway since it doesn't really
contain any private info).
------------------------------------------------------------------------
r1926999 | brane | 2025-07-06 14:54:56 +0200 (Sun, 06 Jul 2025) | 12 lines
All GCC-like compilers were not created equal. Make sure we don't use extra
warning flags that the C compiler doesn't accept.
* build/SerfChecks.cmake:
(CheckCFlag): New macro, checks if a warning flag is acceptable.
* CMakeLists.txt: Use CheckCFlag for maintainer-mode flags.
* build/scons_extras.py
(__env_check_c_flag): New, check if a compiler flag is acceptable.
(AddEnvironmentMethods): Register it as SerfCheckCFlag.
* SConstruct: Use SerfCheckCFlag for debug-mode flags.
------------------------------------------------------------------------
r1926994 | brane | 2025-07-06 13:25:28 +0200 (Sun, 06 Jul 2025) | 10 lines
Fix two more warnings.
* buckets/headers_buckets.c
(select_value): The "unreachable" default case could did not set the value
of '*len' before returning, causing gcc to be confused. Make it a synonim
for the READ_DONE case, since there can be no other enum value here.
(serf_bucket_headers_get): Make 'value_size' an apr_size_t, since that's
how it is used; avoids narrowing conversion warnings.
------------------------------------------------------------------------
r1926988 | brane | 2025-07-06 11:52:17 +0200 (Sun, 06 Jul 2025) | 49 lines
Fix some more narrowing, unreachable-code and shadowing warnings.
* CMakeLists.txt, SConstruct: Add -Wshadow to the default warning options.
== Narrowing conversions ==
* buckets/ssl_buckets.c
(bio_bucket_read,
bio_file_read,
bio_file_write,
serf_ssl_negotiate_protocol): Cast apr_size_t values to int. All these
casts are trivially safe, because the values are either initialized from
or derived from an int, or are previously checked.
(ocsp_callback): Make 'len' a long, which is the type of the return value
from SSL_get_tlsext_status_ocsp_resp().
(ssl_decrypt): Add an int 'ssl_bufsize' with a checked conversion from
the apr_size_t 'bufsize', whos type can not be changed because it's a
callback type parameter.
(ssl_encrypt): The 'interim_len' is initializef from an int, so it may
as well be an int, too.
(serf_ssl_ocsp_request_t): Change 'der_request_size' to an int. It is
initialized from an int and never changed, and used in contexts that
expect an int.
(serf_ssl_ocsp_request_imp): Change 'der_request_size' and 'der_id_size'
to int, for similar reasons. The apr_base64 code uses int sizes, not
apr_size_t sizes.
== Unreachable code ==
* buckets/ssl_buckets.c
(serf_ssl_set_hostname): Return APR_ENOTIMPL from an #else branch of the
#ifdef. While not strictly necessary, it avoids confusion.
(serf_ssl_check_cert_status_request): Likewise.
(serf_ssl_use_compression): Likewise. Before this change it returned
APR_EGENERAL, but APR_ENOTIMPL is more appropriate.
== Variable shadowing ==
* buckets/ssl_buckets.c
(ssl_need_client_cert): Rename 'c' to 'x509'. It was shadowed by another
'c' of the same type, at line 1706. This was not actually a bug, since
'x509' is only initialized after 'c' goes out of scope, but it's still
confusing. Also shows why one shouldn't write 1000-line functions.
* test/serf_get.c (main),
test/serf_httpd.c (main): Remove second declarations of 'status'.
------------------------------------------------------------------------
r1926984 | brane | 2025-07-06 03:56:20 +0200 (Sun, 06 Jul 2025) | 6 lines
Follow up to r1926878: Get the generated .clangd back on track.
* build/SerfGenClangd.cmake: Don't look at CMAKE_C_FLAGS any more, since we
don't update that in CMakeLists.txt. Use SERF_C_DEFINES, SERF_C_WARNINGS
and APR_CFLAGS instead. Also remove duplicates from the include paths.
------------------------------------------------------------------------
r1926983 | brane | 2025-07-06 03:10:52 +0200 (Sun, 06 Jul 2025) | 5 lines
In the CMake build, include APR's --cflags for MockHTTP.
* test/MockHTTPinC/CMakeLists.txt
(mockhttpinc): Include ${APR_CFLAGS} in target_compile_options.
------------------------------------------------------------------------
r1926976 | brane | 2025-07-05 17:46:06 +0200 (Sat, 05 Jul 2025) | 17 lines
Fix some more integer narrowing warnings.
* buckets/deflate_buckets.c
(serf_deflate_refill): Narrow our apr_size_t to Zlib stream's uInt, then
use the already-converted value to compute the crc32.
In two other places, change the type of the private_len variable, which
was unnecessarily declared as an apr_size_t.
* test/CuTest.c
(CuStrCopy, CuStringAppend, CuStringInsert): Cast strlen(...) to int.
* test/test_serf.h
(struct test_baton_t): Add an apr_status_t user baton.
(test/test_context.c): Use the new user status baton for APR status codes.
* test/mock_buckets.c
(next_action): Cast strlen(...) to the expected int.
(test_basic_mock_bucket): Use CuAsertUIntEquals to avoid narrowing.
------------------------------------------------------------------------
r1926972 | minfrin | 2025-07-05 11:47:32 +0200 (Sat, 05 Jul 2025) | 34 lines
Add support for SSL error handling
- Allow the registration of an optional callback using
serf_ssl_error_cb_set().
- If the callback is registered, return a fixed string describing the
error as created by the underlying crypto library.
- Handle the error when a PKCS12 file cannot be opened, remove an infinite
loop.
- Client side SSL certificate errors now cause the client side to abort the
connection. Previously no certificate was silently sent, and the error was
access denied from the server.
Example:
[minfrin@rocky9 subversion]$ svn info https://svn.example.com/svn/example/core/
svn: E170013: Unable to connect to a repository at URL 'https://svn.example.com/svn/example/core'
svn: E120170: TLS: error:0308010C:digital envelope routines::unsupported
svn: E120170: TLS: could not parse PKCS12: /home/minfrin/.my-cert.p12
* serf_bucket_types.h
(serf_ssl_error_cb_set): Allow the registration of an optional callback to
which error strings will be sent.
* buckets/ssl_buckets.c
(serf_ssl_context_t): Add error_callback.
(log_ssl_error): Trigger error callback.
(status_from_ssl_error): Support SSL_ERROR_WANT_X509_LOOKUP.
(ssl_need_client_cert): Trigger callback with error explanation, remove an
infinite loop when the PKCS12 file cannot be opened.
(serf_ssl_error_cb_set): New function.
(ssl_new_session): Init the callback.
------------------------------------------------------------------------
r1926968 | brane | 2025-07-05 08:42:39 +0200 (Sat, 05 Jul 2025) | 8 lines
SERF-196: Fix typo in range comparison.
* buckets/deflate_buckets.c
(serf_deflate_destroy_and_data): Include STATE_COMPRESS_FINISH in the
valid states, otherwise we never call deflateEnd() when the bucket
is destroyed in the middle of compression.
------------------------------------------------------------------------
r1926967 | brane | 2025-07-05 07:35:41 +0200 (Sat, 05 Jul 2025) | 8 lines
Remove an unused variable and document why we ignore a possible error.
* buckets/hpack_buckets.c
(handle_read_entry_and_clear): Remove the 'status' variable. Change the
type of 'own_key' and 'own_val' from 'char' to 'bool'; it makes
a strange kind of sense to use a semantically appropriate type.
Document why we can ignore the return value from hpack_table_get.
------------------------------------------------------------------------
r1926966 | brane | 2025-07-05 07:20:44 +0200 (Sat, 05 Jul 2025) | 6 lines
Follow up to r1926950: Fix a missing error check.
* buckets/ssl_buckets.c
(ssl_pass_cb): Remove the unused 'status' variable and instead check the
return value from ctx->cert_pw_callback.
------------------------------------------------------------------------
r1926953 | brane | 2025-07-04 15:50:29 +0200 (Fri, 04 Jul 2025) | 6 lines
SCons flags are sometimes tuples, not strings. For example,
-isystem /usr/includ/krb5 gets converted to a tuple. This breaks
CCFLAGS filtering in some cases.
* SConstruct: Use the first member of a non-string flag as the flag name.
------------------------------------------------------------------------
r1926951 | brane | 2025-07-04 14:19:11 +0200 (Fri, 04 Jul 2025) | 9 lines
It says on the tin to use the DEBUG configure flag to "Enable debugging
info and strict compile warnings". Make it so.
* CMakeLists.txt: If DEBUG is set, also set SERF_MAINTAINER_MODE.
* SConstruct: If DEBUG is set, also enable additional warnings; and,
by default, silence all warings from the MockHTTP build.
(SHOW_MOCKHTTP_WARNINGS): New constant; set to True to show
warnings from MockHTTP anyway.
------------------------------------------------------------------------
r1926950 | minfrin | 2025-07-04 13:20:00 +0200 (Fri, 04 Jul 2025) | 21 lines
Support OpenSSL3 providers / cert store URLs
- Add serf_ssl_cert_uri_set(), a callback to set the URL of a certificate store.
- Use the OSSL_STORE API from OpenSSL to read certificates and keys. Certs and
keys are read from a URL instead of a file path. The default URL scheme is
file:.
- Keep fallback support for the existing serf_ssl_client_cert_provider_set()
callback, which reads exclusively from a local PKCS12 file.
- Support full intermediate certificate handling. Previously whatever was in the
PKCS12 file was blindly passed to the the server on the assumption the
administrator had pre-done the work constructing the certificate chain. Now we
make no assumption as to the size of the certificate store, if a Windows
personal certificate store of a MacOS keychain is used, we search for the most
appropriate leaf certificate that matches what is requested by the server.
- Update test cases to handle both URIs and PKCS12 files.
------------------------------------------------------------------------
r1926944 | brane | 2025-07-03 16:48:12 +0200 (Thu, 03 Jul 2025) | 3 lines
* SConstruct: Fix the generated pkg-config file with insisted that Serf
required the brotlienc library instead of brotlidec.
------------------------------------------------------------------------
r1926943 | brane | 2025-07-03 16:46:29 +0200 (Thu, 03 Jul 2025) | 8 lines
As in the CMake build, the SCons build now also builds MockHTTP separately
and disables OpenSSL deprecated API wrappers for everything else.
* SConstruct: Define OPENSSL_NO_DEPRECATED in the top-level construction
environment. After cloning the test environment, branch off another
just for MockHTTP, adjust its flags and build a static library.
Then, link test_all with that new static library.
------------------------------------------------------------------------
r1926942 | dsahlberg | 2025-07-03 16:39:47 +0200 (Thu, 03 Jul 2025) | 1 line
Improve consistency in the description of running the unittests under CMake
------------------------------------------------------------------------
r1926938 | brane | 2025-07-03 13:16:48 +0200 (Thu, 03 Jul 2025) | 6 lines
SERF-149: In the SCons build, inherid LD_LIBRARY_PATH from the environment
for running the tests.
* SConstruct: Lookg for LD_LIBRARY_PATH in the environment, and expand
construction environment variables om LIBPATH.
------------------------------------------------------------------------
r1926937 | brane | 2025-07-03 13:02:37 +0200 (Thu, 03 Jul 2025) | 10 lines
In the SCons build, run unit tests separately by test suite.
* test/test_all.c: Reorder includes, putting system headers first.
(main): Add a new flag -L that prints just the names of the test
suites without details about the tests.
* build/check.py: Call 'test_all -L' to get the list of test suites, then
invok each one of them separately. Don't exit after the first failure.
(print_exception): Common handler for CalledProcessError exceptions.
------------------------------------------------------------------------
r1926936 | brane | 2025-07-03 12:31:21 +0200 (Thu, 03 Jul 2025) | 6 lines
Follow up to r1926930: use a better way to filter CFLAGS.
* SConstruct:
(filter_cflags): New; replaces readconfig as a filter for env.ParseCondig().
(unsubstable): Reanamed from unsubst.
------------------------------------------------------------------------
r1926932 | brane | 2025-07-03 10:36:09 +0200 (Thu, 03 Jul 2025) | 5 lines
in the SCons build, generate a relocatable pkgconfig file.
* SConstruct: When generating the .pc file, use paths relative to
${pcfiledir} and ${prefix} for the prefix and libdir, respectively.
------------------------------------------------------------------------
r1926930 | brane | 2025-07-03 08:22:33 +0200 (Thu, 03 Jul 2025) | 9 lines
SERF-206: Filter out all optimization, debugging and warning options from
the output of apr-{1,2}-config and apu-1-condig. CMake was almost there,
leaving only the warning options; SCons did no filtering at all.
* SConstruct: Filter the flags before sending them to env.ParseConfig.
(readconfig): New, does the filtering.
* build/FindAPR.cmake: Also filter -Wfoo from --cppflags and --cflags.
------------------------------------------------------------------------
r1926922 | brane | 2025-07-03 00:05:52 +0200 (Thu, 03 Jul 2025) | 3 lines
* CMakeLists.txt (make_pkgconfig): Use list(JOIN) instead of constructin
a string in a loop.
------------------------------------------------------------------------
r1926921 | brane | 2025-07-02 23:58:48 +0200 (Wed, 02 Jul 2025) | 6 lines
In the CMake build, make the generated pkgconfig file relocatable.
* CMakeLists.txt
(SERF_PC_FILE): New, the name of the pkg-config file.
(make_pkgconfig): Make the prefix relative to ${pcfiledir}.
------------------------------------------------------------------------
...