Joe Orton [Thu, 16 Apr 2020 18:22:43 +0000 (18:22 +0000)]
* server/mpm/prefork/prefork.c (prefork_pre_config): Use pconf as
passed to the hook with ap_fatal_signal_child_setup, since
prefork.c's pconf "global" is not set until the (later) open_logs
hook, and if built as a DSO it may be reset inbetween.
Joe Orton [Thu, 16 Apr 2020 17:55:48 +0000 (17:55 +0000)]
* modules/core/mod_watchdog.c (wd_worker): Fix crashes snuck into
r1876599 where a destroyed pool was reused. Rename the "ctx"
variable to reflect its purpose. Also tweak the pool tags.
Joe Orton [Tue, 14 Apr 2020 12:37:17 +0000 (12:37 +0000)]
* modules/core/mod_watchdog.c: Switch to simpler logic to avoid the
thread cleanup running before the thread has started, avoiding
mutex operations which both have undefined behaviour:
a) double-locking an UNNESTED (non-recursive) mutex twice in the parent
b) unlocking a mutex in the spawned thread which was locked by the parent
(wd_startup, wd_worker_cleanup, wd_worker): Use a boolean to ensure
the cleanup does nothing if the thread wasn't started, drop the mutex.
Joe Orton [Thu, 2 Apr 2020 08:54:29 +0000 (08:54 +0000)]
* modules/ssl/ssl_engine_io.c (ssl_io_filter_coalesce): Further tweaks
to logic, comments and debugging:
- allow buffering up to exactly COALESCE_BYTES rather than COALESCE_BYTES-1.
- put bucket type name in logging output
- do not coalesce a single-bucket prefix of length equal to the
buffer size (which would be a pointless memory copy).
core: add r->flushed flag and set it when the response is sent.
By setting EOR->r->flushed in the core output filter, allow one to determine at
log_transaction hook time whether the request has been fully flushed through
the network, or not (network issue, filter error, n-th pipelined resposne...).
Introduce the ap_bucket_eor_request() helper to get the request bound to an EOR
bucket, and uses it in ap_core_output_filter() to mark the EOR's request just
before destroying it, after all the previous buckets have been sent.
While at it, rename the request_rec* member of struct ap_bucket_eor from "data"
to "r", which makes the code clearer (not to be confused with b->data).
Finally, add CustomLog format %F, showing "F" or "-" depending on r->flushed,
for admins to figure out for each request.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_coalesce): Handle the case
where apr_bucket_read fails with an error and hence our current bucket
remains the morphing bucket and is not replaced with a 'data' bucket.
If the error is not EAGAINi, error out with an AP_FILTER_ERROR,
otherwise just do not consider the morphing bucket that has no data for
coalesce.
Yann Ylavic [Tue, 31 Mar 2020 16:22:53 +0000 (16:22 +0000)]
core: handle morphing buckets setaside/reinstate and kill request core filter.
The purpose of ap_request_core_filter() is not clear, it seems to prevent
potential morphing buckets to go through AP_FTYPE_CONNECTION filters which
would fail to set them aside (ENOTIMPL), and read them (unbounded) in memory.
This patch allows ap_filter_setaside_brigade() to set morphing buckets aside
by simply moving them, assuming they have the correct lifetime (either until
some further EOR, or the connection lifetime, or whatever). IOW, the module is
responsible for sending morphing buckets whose lifetime needs not be changed
by the connection filters.
Now since morphing buckets consume no memory until (apr_bucket_)read, like FILE
buckets, we don't account for them in flush_max_threshold either. This changes
ap_filter_reinstate_brigade() to only account for in-memory and EOR buckets to
flush_upto.
Also, since the EOR bucket is sent only to c->output_filters once the request
is processed, when all the filters < AP_FTYPE_CONNECTION have done their job
and stopped retaining data (after the EOS bucket, if ever), we prevent misuse
of ap_filter_{setaside,reinstate}_brigade() outside connection filters by
returning ENOTIMPL. This is not the right API for request filters as of now.
Finally, ap_request_core_filter() and co can be removed.
Joe Orton [Mon, 30 Mar 2020 13:18:29 +0000 (13:18 +0000)]
* modules/ssl/ssl_engine_io.c: (ssl_io_filter_coalesce): Handle the
case of a bucket which morphs to a bucket short enough to fit within
the buffer without needing to split.
Joe Orton [Mon, 30 Mar 2020 09:17:35 +0000 (09:17 +0000)]
mod_ssl: Extend the coalescing filter to avoid sending HTTP response
headers in a separate TLS record to the response body in some cases.
* modules/ssl/ssl_engine_io.c:
Increase size of coalesce buffer to AP_IOBUFSIZE (8Kb).
(ssl_io_filter_coalesce): Try harder to fill the prefix which
gets coalesced, including a read&split of a morphing bucket type
Add some compatibility notes for new directives in 2.4.42.
Add some missing <module> and <directive> to improve navigation and style.
Fix the format of some <default>
Add some placeholders for the MDCertificateCheck and MDActivationDelay directives. (new in 2.4.42)
Joe Orton [Thu, 26 Mar 2020 11:03:54 +0000 (11:03 +0000)]
* modules/ssl/ssl_private.h: Define X509_up_ref and EVP_PKEY_up_ref
for OpenSSL < 1.1.
* modules/ssl/ssl_engine_kernel.c (modssl_set_cert_info):
* modules/ssl/ssl_util_stapling.c (stapling_get_issuer):
Use the above macros for all OpenSSL versions.
Rainer Jung [Mon, 23 Mar 2020 13:33:22 +0000 (13:33 +0000)]
Fix compilation breakage with OpenSSL 1.1.0 up to 1.1.0f.
SSL_CTX_get_min_proto_version() and
SSL_CTX_get_max_proto_version() were only introduced in
1.1.0g.
Joe Orton [Mon, 23 Mar 2020 12:08:01 +0000 (12:08 +0000)]
Better define conditions for skipping tests on 2.4.x or non-2.4.x.
Use YAML anchors and references to avoid copy&pasting, hopefully
the syntax remains reasonably readable.
Joe Orton [Fri, 20 Mar 2020 11:36:27 +0000 (11:36 +0000)]
Test exclsion doesn't work since "tag !~" matches when tag is undefined.
Exclude tests from 2.4.x by explicitly matching against master. Will
have to revisit this for 2.5.x.
Ruediger Pluem [Wed, 18 Mar 2020 11:31:20 +0000 (11:31 +0000)]
* modules/ssl/ssl_util_stapling.c (stapling_check_response) Don't send
out an OCSP response that can't be parsed.
If the crypto/ASN library can't parse a response as 'basic OCSP'
even if it leads with a OCSP successful status, then don't pass it
to the client. There is nothing to say at all it isn't just garbage.
And if other types of messages are standardized they can be added.
Certificate Revoked Responder messages don't belong to 'error' class.
When the server receives one, it MUST be passed on to the client.
And stored for the normal period of basic responses.
Also don't log an error each time it is retrieved from cache,
only once when it is retrieved from the OCSP responder.
Ruediger Pluem [Wed, 18 Mar 2020 10:53:06 +0000 (10:53 +0000)]
* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response): Clear any
possible returned buckets in the brigade in the error case. As we want to
close the connection anyway there is no sensible content we could still
sent and hence doing the needed life time transformation of the buckets
would be a waste.
Joe Orton [Fri, 13 Mar 2020 14:34:18 +0000 (14:34 +0000)]
* server/log.c (ap_log_pid): Use a temporary file, then rename once
successfully written; also add error checking. Avoids startup
failures if a previous httpd invocation crashed while writing the
pidfile.
Joe Orton [Wed, 4 Mar 2020 08:23:55 +0000 (08:23 +0000)]
Update docs. The expr_string.t failure has not been seen since
the workaround was added AFAICT. The async filter bug
is still breaking the tests regularly. [skip ci].
Stefan Eissing [Mon, 2 Mar 2020 10:42:30 +0000 (10:42 +0000)]
*) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
identifier under load, see <https://github.com/icing/mod_h2/issues/195>.
[Michael Kaufmann, Stefan Eissing]
projects / thirdparty / apache / httpd.git / log
