From: William A. Rowe Jr Date: Wed, 16 Jan 2019 17:06:07 +0000 (+0000) Subject: mod_ssl (ssl_engine_io.c: bio_filter_out_write, bio_filter_in_read) X-Git-Tag: 2.4.38~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=54a725f8134079f6a5ae117f1f072c0e1de60c8c;p=thirdparty%2Fapache%2Fhttpd.git mod_ssl (ssl_engine_io.c: bio_filter_out_write, bio_filter_in_read) Clear retry flags before aborting on client-initiated reneg. PR: 63052 Backports: r1850946 Submitted by: Joe Orton Reviewed by: wrowe, jorton, rpluem git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1851471 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index e3f54764e8c..a0692f8a420 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.38 + *) mod_ssl: Clear retry flag before aborting client-initiated renegotiation. + PR 63052 [Joe Orton] + *) mod_negotiation: Treat LanguagePriority as case-insensitive to match AddLanguage behavior and HTTP specification. PR 39730 [Christophe Jaillet] diff --git a/STATUS b/STATUS index 68b1473c0bb..4f7e45625dc 100644 --- a/STATUS +++ b/STATUS @@ -125,12 +125,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) mod_ssl (ssl_engine_io.c: bio_filter_out_write, bio_filter_in_read) - Clear retry flags before aborting on client-initiated reneg. [Joe Orton] - PR: 63052 - trunk patch: http://svn.apache.org/r1850946 - 2.4.x patch: svn merge -c 1850946 ^/httpd/httpd/trunk . - +1: wrowe, jorton, rpluem PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index b398363b1ca..6da8f10118f 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c 
@@ -200,18 +200,14 @@ static int bio_filter_out_write(BIO *bio, const char *in, int inl) apr_bucket *e; int need_flush; + BIO_clear_retry_flags(bio); + /* Abort early if the client has initiated a renegotiation. */ if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) { outctx->rc = APR_ECONNABORTED; return -1; } - /* when handshaking we'll have a small number of bytes. - * max size SSL will pass us here is about 16k. - * (16413 bytes to be exact) - */ - BIO_clear_retry_flags(bio); - /* Use a transient bucket for the output data - any downstream * filter must setaside if necessary. */ e = apr_bucket_transient_create(in, inl, outctx->bb->bucket_alloc); @@ -458,14 +454,14 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen) if (!in) return 0; + BIO_clear_retry_flags(bio); + /* Abort early if the client has initiated a renegotiation. */ if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) { inctx->rc = APR_ECONNABORTED; return -1; } - BIO_clear_retry_flags(bio); - if (!inctx->bb) { inctx->rc = APR_EOF; return -1;
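Review bot: In the bio_filter_out_write hunk (@@ -200,18 +200,14 @@), the relocated BIO_clear_retry_flags(bio) call at the top of the function has no comment explaining why it must come before the RENEG_ABORT check, and the same hunk silently deletes the comment about handshake write sizes ("max size SSL will pass us here is about 16k"). The ordering is the whole point of the fix, so a one-line comment above the call would keep a later cleanup from moving it back below the early return, for example: /* Clear retry flags first so the -1 returned on RENEG_ABORT is not seen as a retryable condition. */ The deleted size comment is unrelated to retry flags. Either keep it next to the apr_bucket_transient_create() call it described, or mention its removal in the log message.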
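Review bot: In the bio_filter_in_read hunk (@@ -458,14 +454,14 @@), the new BIO_clear_retry_flags(bio) call is placed after the existing "if (!in) return 0;" check, so that early return still leaves the function without clearing the flags, unlike every other exit path after this change. If that is intentional, a short comment saying so would help. Otherwise, move the call above the !in check so that all non-positive returns from this function behave the same way. The write side has no equivalent early return before the clear, so the two functions are not quite symmetric as patched.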