{
bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
apr_bucket *e;
+ int need_flush;
/* Abort early if the client has initiated a renegotiation. */
if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
e = apr_bucket_transient_create(in, inl, outctx->bb->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(outctx->bb, e);
+ /* In theory, OpenSSL should flush as necessary, but it is known
+ * not to do so correctly in some cases (< 0.9.8m; see PR 46952),
+ * or on the proxy/client side (after ssl23_client_hello(), e.g.
+ * ssl/proxy.t test suite).
+ *
+ * Historically, this flush call was performed only for an SSLv2
+ * connection or for a proxy connection. Calling _out_flush can
+ * be expensive in cases where requests/reponses are pipelined,
+ * so limit the performance impact to handshake time.
+ */
+#if OPENSSL_VERSION_NUMBER < 0x0009080df
+ need_flush = !SSL_is_init_finished(outctx->filter_ctx->pssl)
+#else
+ need_flush = SSL_in_connect_init(outctx->filter_ctx->pssl);
+#endif
+ if (need_flush) {
+ e = apr_bucket_flush_create(outctx->bb->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(outctx->bb, e);
+ }
+
if (bio_filter_out_pass(outctx) < 0) {
return -1;
}
return -1;
}
- /* In theory, OpenSSL should flush as necessary, but it is known
- * not to do so correctly in some cases; see PR 46952.
- *
- * Historically, this flush call was performed only for an SSLv2
- * connection or for a proxy connection. Calling _out_flush
- * should be very cheap in cases where it is unnecessary (and no
- * output is buffered) so the performance impact of doing it
- * unconditionally should be minimal.
- */
- if (bio_filter_out_flush(inctx->bio_out) < 0) {
- bio_filter_out_ctx_t *outctx = inctx->bio_out->ptr;
- inctx->rc = outctx->rc;
- return -1;
- }
-
BIO_clear_retry_flags(bio);
if (!inctx->bb) {
return ssl_io_filter_error(f, bb, status);
}
- while (!APR_BRIGADE_EMPTY(bb)) {
+ while (!APR_BRIGADE_EMPTY(bb) && status == APR_SUCCESS) {
apr_bucket *bucket = APR_BRIGADE_FIRST(bb);
- /* If it is a flush or EOS, we need to pass this down.
- * These types do not require translation by OpenSSL.
- */
- if (APR_BUCKET_IS_EOS(bucket) || APR_BUCKET_IS_FLUSH(bucket)) {
- if (bio_filter_out_flush(filter_ctx->pbioWrite) < 0) {
- status = outctx->rc;
- break;
- }
-
- if (APR_BUCKET_IS_EOS(bucket)) {
- /*
- * By definition, nothing can come after EOS.
- * which also means we can pass the rest of this brigade
- * without creating a new one since it only contains the
- * EOS bucket.
- */
-
- if ((status = ap_pass_brigade(f->next, bb)) != APR_SUCCESS) {
- return status;
- }
- break;
- }
- else {
- /* bio_filter_out_flush() already passed down a flush bucket
- * if there was any data to be flushed.
- */
- apr_bucket_delete(bucket);
+ if (APR_BUCKET_IS_METADATA(bucket)) {
+ /* Pass through metadata buckets untouched. EOC is
+ * special; terminate the SSL layer first. */
+ if (AP_BUCKET_IS_EOC(bucket)) {
+ ssl_filter_io_shutdown(filter_ctx, f->c, 0);
}
- }
- else if (AP_BUCKET_IS_EOC(bucket)) {
- /* The EOC bucket indicates connection closure, so SSL
- * shutdown must now be performed. */
- ssl_filter_io_shutdown(filter_ctx, f->c, 0);
- if ((status = ap_pass_brigade(f->next, bb)) != APR_SUCCESS) {
- return status;
- }
- break;
+ AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(outctx->bb));
+
+ /* Metadata buckets are passed one per brigade; it might
+ * be more efficient (but also more complex) to use
+ * outctx->bb as a true buffer and interleave these with
+ * data buckets. */
+ APR_BUCKET_REMOVE(bucket);
+ APR_BRIGADE_INSERT_HEAD(outctx->bb, bucket);
+ status = ap_pass_brigade(f->next, outctx->bb);
+ if (status == APR_SUCCESS && f->c->aborted)
+ status = APR_ECONNRESET;
+ apr_brigade_cleanup(outctx->bb);
}
else {
- /* filter output */
+ /* Filter a data bucket. */
const char *data;
apr_size_t len;
break;
}
rblock = APR_BLOCK_READ;
- continue; /* and try again with a blocking read. */
+ /* and try again with a blocking read. */
+ status = APR_SUCCESS;
+ continue;
}
rblock = APR_NONBLOCK_READ;
status = ssl_filter_write(f, data, len);
apr_bucket_delete(bucket);
-
- if (status != APR_SUCCESS) {
- break;
- }
}
+
}
return status;
projects / thirdparty / apache / httpd.git / commitdiff
