Doug MacEachern [Thu, 28 Feb 2002 00:01:57 +0000 (00:01 +0000)]
mod_ssl was "leaking" on restart since mc->tTmpKeys table entries
were allocated using apr_palloc out of s->process->pool and pushed
into an apr_array_header_t.
solve the problem by moving from apr_array_header_t's to an apr_hash_t.
also add ssl_asn1_table_{set,unset} wrappers to use malloc/free so we
do not "leak" from s->process->pool.
Introduce PassPhraseDialog 'pipe' mechanism. This builds on DougM's
apr-ization of the 'tty', and changes his naming a bit so we clearly
identify the pipe-to and pipe-from the user.
This patch invokes a bidirectional piped dialog to the user.
This is the directive handling commit only, the mechanics patch will
follow. PassPhraseDialog "|/path/to/pipe" will use the bidirectional
pipe to have a 'conversation', along the lines of the tty dialog with
PassPhraseDialog 'builtin'. This is entirely different than the 'exec'
method, which simply runs once for each passphrase, and doesn't allow
for failure/retries, and certainly doesn't offer any sensible 'dialog'.
Doug MacEachern [Wed, 27 Feb 2002 03:33:38 +0000 (03:33 +0000)]
change builtin passphrase prompt to use stdout rather than stderr.
and switch to using apr_file api for portability.
stderr has already been redirected to the error_log.
rather than attempting to temporarily rehook it to the terminal,
we print the prompt to stdout before EVP_read_pw_string turns
off tty echo. which is also more portable.
Doug MacEachern [Wed, 27 Feb 2002 03:21:09 +0000 (03:21 +0000)]
changing mod_ssl to do a full startup/teardown on each restart rather
than hack to only read passphrase on 1st round startup. this change:
- fixes current segv on restarts (SHARED_MODULE is not defined)
- allows LoadModule ssl_module to be added to httpd.conf on restart
(was core dumping previously)
- allows certs/keys to be changed on restart provided key is not
encrypted or SSLPassPhraseDialog is exec. if key is encrypted and
SSLPassPhraseDialog is builtin, existing private keys will be reused
on restart (which happens currently for any type of key/dialog).
note: mod_ssl currently leaks on restart; leaks more with this change.
fixes to come.
If the file specified by SSLMutex cannot be created (because the directory does not exist for example), children will segfault on init without giving any reason that the user can figure out. This happens because the module init in the parent never checks to see if the mutex intialization succeded. This patch adds this check and a user-friendly error message.
(Justin made one formatting change to this patch.)
Submitted by: Adam Sussman <myddryn@vishnu.vidya.com>
Reviewed by: Justin Erenkrantz
What happened? 0.9.6b built just dandy without the flags... 0.9.6c won't
build for jack without these changes. Of course they don't harm 0.9.6b
builders either, unless they are outside of the states/EU/AU and find
themselves free to ignore IP considerations.
I'd really like to know _why_ 0.9.6c doesn't configure itself rationally.
Ryan Bloom [Tue, 5 Feb 2002 22:18:49 +0000 (22:18 +0000)]
Remove the install_transport_filters hook. The same function can be
acheived with the pre_connection hook. I have added the socket to the
pre_connection phase to make this possible.
Reviewed by: Bill Stoddard
Change ap_get_brigade prototype to remove *readbytes in favor of readbytes.
If you need the length, you should be using apr_brigade_length. This is
much more consistent. Of all the places that call ap_get_brigade, only
one (ap_http_filter) needs the length. This makes it now possible to
pass constants down without assigning them to a temporary variable first.
Also:
- Change proxy_ftp to use EXHAUSTIVE mode (didn't catch its -1 before)
- Fix buglet in mod_ssl that would cause it to return too much data in
some circumstances
Input filtering prototype change: Socket blocking type should be
separate from the input filter mode type.
We also no longer look at readbytes to determine the method of
filter operation. This makes the use of filters more obvious and
allows a wider range of options for input filters modes.
To start with, the new input filter modes are:
AP_MODE_READBYTES (no more than *readbytes returned)
AP_MODE_GETLINE (old *readbytes == 0 case)
AP_MODE_EATCRLF (old AP_MODE_PEEK)
AP_MODE_SPECULATIVE (will be used in a future ap_getline rewrite)
AP_MODE_EXHAUSTIVE (old *readbytes == -1 case)
AP_MODE_INIT (special case for NNTP over SSL)
The block parameter is an apr_read_type_e: APR_BLOCK_READ, APR_NONBLOCK_READ
This also allows cleanup of mod_ssl's handling in the getline case.
Reviewed by: Ryan Bloom (concept), Greg Stein (concept)
Doug MacEachern [Thu, 17 Jan 2002 05:04:54 +0000 (05:04 +0000)]
output filter optimizations:
- avoid creating a new bucket brigade for each EOS or FLUSH bucket
- do not pass FLUSH bucket since BIO_bucket_flush() already does so
if there is any data to flush.
- do not call apr_brigade_destroy(bb); since we will have either
emptied it or passed it, in which case it will be destroyed further
down the chain.
The mutex must be pool-managed, not ssl managed. We are encountering
segfaults on Win32 when the cleanup of the mutex occurs after the pool
was destroyed.
*) Split all Win32 modules [excluding the core components mod_core,
mod_so, mod_win32 and the winnt mpm] into individual loadable
modules, so the administrator may individually disable the former
compiled-in modules by simply commenting out their LoadModule
directives. [William Rowe]
*) Saved Win32 module authors and porters many future headaches, by
duplicating the appropriate .h files such as os.h into the include
directory, including in the build tree. [William Rowe]
Also noticed that version stamp resources weren't generated for proxy
modules, this too is now fixed.
Doug MacEachern [Thu, 10 Jan 2002 04:55:19 +0000 (04:55 +0000)]
mod_ssl adjustments to help with using toolkits other than OpenSSL:
Use SSL functions/macros instead of directly dereferencing SSL
structures wherever possible.
Add type-casts for the cases where functions return a generic pointer.
Add $SSL/include to configure search path.
PR:
Obtained from:
Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>
Reviewed by: dougm
Doug MacEachern [Sat, 1 Dec 2001 02:11:04 +0000 (02:11 +0000)]
remove churn_output() function and calls to it.
when SSL needs to flush (e.g. during SSL_accept()) it will call BIO_flush()
which will trigger a call to bio_bucket_ctrl() -> BIO_bucket_flush().
so we only need to flush the output ourselves if we receive an EOS or
FLUSH bucket.
BIO_bucket_flush() and churn_output() had been turning up near the top
of the profile with gprof. churn_output() of course has now vanished
and BIO_bucket_flush() has dropped, being called far less than before.
Doug MacEachern [Thu, 29 Nov 2001 07:07:36 +0000 (07:07 +0000)]
the client cert X509_NAME_oneline() is only used if SSLFakeBasicAuth
is happening. so avoid calling that unless needed and just stash a
pointer to the client cert for the boolean checks that the client
provided a cert.
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Thu, 29 Nov 2001 06:52:18 +0000 (06:52 +0000)]
avoid a call to X509_NAME_oneline() and ASN1_INTEGER_get() in
ssl_callback_SSLVerify_CRL() unless SSLLogLevel >= info, otherwise the
expense is unused.
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Thu, 29 Nov 2001 06:34:53 +0000 (06:34 +0000)]
get rid of ssl_log_applies() function. it does more than we need and
what should be done with a macro. it was only used once anyhow.
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Thu, 29 Nov 2001 06:27:41 +0000 (06:27 +0000)]
ssl_callback_SSLVerify() was calling (the expensive) X509_NAME_oneline()
function and free() of the return value twice each, for logging
regardless of SSLLogLevel. changed to happen only if SSLLogLevel >= trace
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Thu, 29 Nov 2001 06:15:01 +0000 (06:15 +0000)]
fix for last change that removed ssl_util_getmodconfig():
go back to using s->process->pool userdata, but just to store the
global module config during startup so we only create _one_ SSLModConfigRec.
(didn't realize this function was called in both ssl_init_Module and
ssl_config_server_create)
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Thu, 29 Nov 2001 05:45:48 +0000 (05:45 +0000)]
ssl_util_getmodconfig() and ssl_util_getmodconfig_ssl() show up high
in the gprof profile. there's no need for the "global" SSLModConfigRec
to live in the s->process->pool userdata table. we now just point the
SSLSrvConfigRec in each server_rec.module_config to the SSLModConfigRec
so we can access it directly which is much faster.
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Thu, 29 Nov 2001 05:17:38 +0000 (05:17 +0000)]
SSL_rand() does a mutex lock/unlock with threaded MPMs, so collapse
two calls that seed pid and time into one.
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Wed, 28 Nov 2001 05:50:55 +0000 (05:50 +0000)]
calculate VHostID length at startup rather than request time.
change ap_md5() call in ssl_hook_pre_connection() to ap_md5_binary()
that uses the precalculated sc->nVHostID_length to avoid a strlen() call.
Doug MacEachern [Wed, 28 Nov 2001 05:44:50 +0000 (05:44 +0000)]
avoid calling ssl_util_vhostid() (and apr_sprintf underneath) at
request time by calling it at startup time and saving the value in the
SSLSrvConfigRec.
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Wed, 28 Nov 2001 05:05:04 +0000 (05:05 +0000)]
replace strlen(cpVHostMD5) with MD5_DIGESTSIZE*2 in ssl_hook_pre_connection()
since we know the string returned by ap_md5() will always be that length
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Wed, 28 Nov 2001 03:15:41 +0000 (03:15 +0000)]
moving chunk of logic that deals with writing ssl data from
ssl_io_filter_Output() to a new ssl_filter_write() function.
this will make it easier to optimize how we deal with file buckets
than cannot be mmaped.
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Tue, 27 Nov 2001 23:37:20 +0000 (23:37 +0000)]
implement a custom BIO which allows us to hook SSL_write directly into
an apr_bucket_brigade and use transient buckets with the SSL
malloc-ed buffer, rather than copying into a mem BIO.
also allows us to pass the brigade as data is being written
rather than buffering up the entire response in the mem BIO.
Ian Holsman [Fri, 23 Nov 2001 16:35:22 +0000 (16:35 +0000)]
Modify post_config hook so that it can return a error,
causing the server not to start.
previous method was to call exit(1) which would not fail
gracefully
PR:
Obtained from:
Submitted by:
Reviewed by: (Idea only Jeff Trawick)
Doug MacEachern [Thu, 22 Nov 2001 02:23:09 +0000 (02:23 +0000)]
optimize lookup of ssl-{unclean,accurate}-shutdown flags:
- only look through the table once, rather than 2 apr_table_gets()
- case-sensitive and use strcmp() as little as possible
- only lookup once per-connection, as the flags will not change across
keepalive requests
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Thu, 22 Nov 2001 01:40:26 +0000 (01:40 +0000)]
return from ssl_callback_LogTracingState if sc->nLogLevel < SSL_LOG_INFO
else there are 5 (expensive!) calls made to ssl_var_lookup on every request
for info that will never be logged
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Thu, 22 Nov 2001 00:42:35 +0000 (00:42 +0000)]
get rid of 'apctx' table that used to live in SSL_get_app_data2(ssl)
change app_data2 to be the request_rec itself.
if something needs per-request context in the future,
it can use r->request_config
Doug MacEachern [Thu, 22 Nov 2001 00:25:00 +0000 (00:25 +0000)]
move c->notes.ssl::verify::depth to SSLConnRec.verify_depth
note: may actually be removed unless somebody can figure out why it is in
there to begin with
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Wed, 21 Nov 2001 22:58:28 +0000 (22:58 +0000)]
get rid of SSL_get_app_data2_idx() which had a race condition when
writing to app_data2_idx, and another inside OpenSSL when calling
SSL_get_ex_new_index().
add SSL_init_app_data2_idx() to provide the same functionality but in
a safe place: called during ssl_init_Module
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Mon, 19 Nov 2001 22:37:57 +0000 (22:37 +0000)]
add input filter AP_MODE_INIT support to handshake before reading
request data from the client.
PR:
Obtained from:
Submitted by: dougm
Reviewed by: wrowe
Aaron Bannert [Fri, 16 Nov 2001 18:28:25 +0000 (18:28 +0000)]
Conversion from old apr_lock_t to new apr_thread_mutex_t
(only converting INTRAPROCESS locks at this time).
I don't see how this used to work, which also means I'm not entirely
sure if it works now. It really didn't look like it was allocating
the correct size before. It compiles and SSL still works in my limited
tests, but I'd appreciate a second opinion.
Ryan Bloom [Thu, 15 Nov 2001 20:55:13 +0000 (20:55 +0000)]
Fix the SSL filter logic. The SSL filter is not a network filter, because
it does not actually do the reading and writing to the network. By
moving that filter to in between CONNECTION and NETWORK filters, we ensure
that SSL is always called before the core.
Aaron Bannert [Wed, 14 Nov 2001 18:56:18 +0000 (18:56 +0000)]
Turns out this is causing problems on my linux box (libtool 1.3.5), so
I'm going to remove it until I or someone else can come up with a better
way to check for and link against libssl and libcrypto for mod_ssl.so.
Doug MacEachern [Mon, 12 Nov 2001 22:01:14 +0000 (22:01 +0000)]
fix segv triggered by recent ap_lingering_close change
need to set SSLFilterRec.pssl = NULL when ssl_hook_CloseConnection is called
otherwise, ap_lingering_close -> ap_flush_conn will call ssl_io_filter_Output
which thinks it can still use the SSLFilterRec.pssl
PR:
Obtained from:
Submitted by:
Reviewed by:
It is absolutely invalid practice to test 'prot' bits to determine if a
file is readable. The only acceptable means of testing readability is to
open it for reading, due to discrepancies between permissions, DACLs and
SACLS. Even Linux hackers are gonna need to learn that lesson if they
plan to do any DOD or Gov work once DACL-enhanced Linux is adopted.
Well, now I know what the bio_is_renegotiating call was for.
Place a big-ass comment there so that whomever comes next isn't stuck
at a cryptic call that they don't understand with a dinky comment.
Hopefully, this makes sense. Someone more familiar with OpenSSL should
verify the comment.
This fix also requires the normalize call to be performed before
churn_input so that we don't enter churn_input with a 0-length ctx->b
brigade.
All httpd-test tests (except for the module/negotiation test) pass now.
This is the mod_ssl input filtering rewrite. Lots of stuff here. I also
changed some of the style issues within the filtering code to conform to
the rest of the server.
Various incarnations of this patch have been posted to dev@httpd without
feedback. Now that it passes all of the httpd-test cases (with the
exception of module/negotiation test which fails without mod_ssl anyway),
it is time to check it in.
Please review and test. We are under C-T-R rules, so I'm going to take
advantage of that and commit it now. I have tested this about as much
as I can and it seems to work from everything I can give to it.
Considering that mod_ssl was broken before this commit, this is an
improvement.
Ryan Bloom [Mon, 27 Aug 2001 06:00:51 +0000 (06:00 +0000)]
Allow mod_ssl to send back an error message if an HTTP request is sent
over an HTTPS connection. This also adds an ap_remove_input_filter
function, which should be used to remove the SSL input filter in this
case, as soon as this code is stressed a bit more.
For right now, we are sending the same message that we used to send in
mod_ssl for Apache 1.3.
projects / thirdparty / apache / httpd.git / log
