Doug MacEachern [Wed, 28 Nov 2001 05:50:55 +0000 (05:50 +0000)]
calculate VHostID length at startup rather than request time.
change ap_md5() call in ssl_hook_pre_connection() to ap_md5_binary()
that uses the precalculated sc->nVHostID_length to avoid a strlen() call.
Doug MacEachern [Wed, 28 Nov 2001 05:44:50 +0000 (05:44 +0000)]
avoid calling ssl_util_vhostid() (and apr_sprintf underneath) at
request time by calling it at startup time and saving the value in the
SSLSrvConfigRec.
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Wed, 28 Nov 2001 05:05:04 +0000 (05:05 +0000)]
replace strlen(cpVHostMD5) with MD5_DIGESTSIZE*2 in ssl_hook_pre_connection()
since we know the string returned by ap_md5() will always be that length
Doug MacEachern [Wed, 28 Nov 2001 03:15:41 +0000 (03:15 +0000)]
moving chunk of logic that deals with writing ssl data from
ssl_io_filter_Output() to a new ssl_filter_write() function.
this will make it easier to optimize how we deal with file buckets
that cannot be mmaped.
Doug MacEachern [Tue, 27 Nov 2001 23:37:20 +0000 (23:37 +0000)]
implement a custom BIO which allows us to hook SSL_write directly into
an apr_bucket_brigade and use transient buckets with the SSL
malloc-ed buffer, rather than copying into a mem BIO.
also allows us to pass the brigade as data is being written
rather than buffering up the entire response in the mem BIO.
Ian Holsman [Fri, 23 Nov 2001 16:35:22 +0000 (16:35 +0000)]
Modify post_config hook so that it can return an error,
causing the server not to start.
previous method was to call exit(1) which would not fail
gracefully
Reviewed by: (Idea only Jeff Trawick)
Doug MacEachern [Thu, 22 Nov 2001 02:23:09 +0000 (02:23 +0000)]
optimize lookup of ssl-{unclean,accurate}-shutdown flags:
- only look through the table once, rather than 2 apr_table_gets()
- case-sensitive and use strcmp() as little as possible
- only lookup once per-connection, as the flags will not change across
keepalive requests
Doug MacEachern [Thu, 22 Nov 2001 01:40:26 +0000 (01:40 +0000)]
return from ssl_callback_LogTracingState if sc->nLogLevel < SSL_LOG_INFO
else there are 5 (expensive!) calls made to ssl_var_lookup on every request
for info that will never be logged
Doug MacEachern [Thu, 22 Nov 2001 00:42:35 +0000 (00:42 +0000)]
get rid of 'apctx' table that used to live in SSL_get_app_data2(ssl)
change app_data2 to be the request_rec itself.
if something needs per-request context in the future,
it can use r->request_config
Doug MacEachern [Thu, 22 Nov 2001 00:25:00 +0000 (00:25 +0000)]
move c->notes.ssl::verify::depth to SSLConnRec.verify_depth
note: may actually be removed unless somebody can figure out why it is in
there to begin with
Doug MacEachern [Wed, 21 Nov 2001 22:58:28 +0000 (22:58 +0000)]
get rid of SSL_get_app_data2_idx() which had a race condition when
writing to app_data2_idx, and another inside OpenSSL when calling
SSL_get_ex_new_index().
add SSL_init_app_data2_idx() to provide the same functionality but in
a safe place: called during ssl_init_Module
Doug MacEachern [Mon, 19 Nov 2001 22:37:57 +0000 (22:37 +0000)]
add input filter AP_MODE_INIT support to handshake before reading
request data from the client.
Submitted by: dougm
Reviewed by: wrowe
Aaron Bannert [Fri, 16 Nov 2001 18:28:25 +0000 (18:28 +0000)]
Conversion from old apr_lock_t to new apr_thread_mutex_t
(only converting INTRAPROCESS locks at this time).
I don't see how this used to work, which also means I'm not entirely
sure if it works now. It really didn't look like it was allocating
the correct size before. It compiles and SSL still works in my limited
tests, but I'd appreciate a second opinion.
Ryan Bloom [Thu, 15 Nov 2001 20:55:13 +0000 (20:55 +0000)]
Fix the SSL filter logic. The SSL filter is not a network filter, because
it does not actually do the reading and writing to the network. By
moving that filter to in between CONNECTION and NETWORK filters, we ensure
that SSL is always called before the core.
Aaron Bannert [Wed, 14 Nov 2001 18:56:18 +0000 (18:56 +0000)]
Turns out this is causing problems on my linux box (libtool 1.3.5), so
I'm going to remove it until I or someone else can come up with a better
way to check for and link against libssl and libcrypto for mod_ssl.so.
Doug MacEachern [Mon, 12 Nov 2001 22:01:14 +0000 (22:01 +0000)]
fix segv triggered by recent ap_lingering_close change
need to set SSLFilterRec.pssl = NULL when ssl_hook_CloseConnection is called
otherwise, ap_lingering_close -> ap_flush_conn will call ssl_io_filter_Output
which thinks it can still use the SSLFilterRec.pssl
It is absolutely invalid practice to test 'prot' bits to determine if a
file is readable. The only acceptable means of testing readability is to
open it for reading, due to discrepancies between permissions, DACLs and
SACLs. Even Linux hackers are gonna need to learn that lesson if they
plan to do any DOD or Gov work once DACL-enhanced Linux is adopted.
Well, now I know what the bio_is_renegotiating call was for.
Place a big-ass comment there so that whomever comes next isn't stuck
at a cryptic call that they don't understand with a dinky comment.
Hopefully, this makes sense. Someone more familiar with OpenSSL should
verify the comment.
This fix also requires the normalize call to be performed before
churn_input so that we don't enter churn_input with a 0-length ctx->b
brigade.
All httpd-test tests (except for the module/negotiation test) pass now.
This is the mod_ssl input filtering rewrite. Lots of stuff here. I also
changed some of the style issues within the filtering code to conform to
the rest of the server.
Various incarnations of this patch have been posted to dev@httpd without
feedback. Now that it passes all of the httpd-test cases (with the
exception of module/negotiation test which fails without mod_ssl anyway),
it is time to check it in.
Please review and test. We are under C-T-R rules, so I'm going to take
advantage of that and commit it now. I have tested this about as much
as I can and it seems to work from everything I can give to it.
Considering that mod_ssl was broken before this commit, this is an
improvement.
Ryan Bloom [Mon, 27 Aug 2001 06:00:51 +0000 (06:00 +0000)]
Allow mod_ssl to send back an error message if an HTTP request is sent
over an HTTPS connection. This also adds an ap_remove_input_filter
function, which should be used to remove the SSL input filter in this
case, as soon as this code is stressed a bit more.
For right now, we are sending the same message that we used to send in
mod_ssl for Apache 1.3.
Doug MacEachern [Fri, 24 Aug 2001 23:25:14 +0000 (23:25 +0000)]
force OpenSSL to ignore process local-caching and to always
get/set/delete sessions using mod_ssl's callbacks
Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>
Reviewed by: dougm
Doug MacEachern [Fri, 24 Aug 2001 04:16:57 +0000 (04:16 +0000)]
only set the crypto locking callback if mpm is threaded
get rid of some warnings introduced by the original patch
Cliff Woolley [Thu, 23 Aug 2001 00:21:40 +0000 (00:21 +0000)]
Simplify the apr_read_type_e vs. ap_input_mode_t silliness. The two
are compatible (due to our early abort when PEEK mode is requested),
so we don't have to go to so much effort to convert from one to the other.
Complete the rename of the ssl_scache_status_register and
ssl_ext_proxy_register (which has yet to be renamed for its
future location, since I'm not going further at the moment
with implementing its functionality, all my focus is on
the ssl_var_register arm.)
Doug MacEachern [Wed, 22 Aug 2001 21:37:15 +0000 (21:37 +0000)]
remove #if 0-ed ssl_hook_NewConnection code; was only left for reference,
no longer needed
remove #if 0-ed ssl_hook_TimeoutConnection code; ssl no longer talks directly
to the socket
Submitted by: madhu
Reviewed by: dougm
Doug MacEachern [Wed, 22 Aug 2001 16:59:26 +0000 (16:59 +0000)]
rather than creating small 1024 byte buckets of output data,
create a transient bucket pointing directly to the BIO mem buff.
this makes for a dramatic increase in performance. previously,
downloading large files (2Mb-5Mb-ish) made my laptop start to
smoke from the fan spinning so fast to cool the cpu.
also, apache stylize churn_output()
Doug MacEachern [Wed, 22 Aug 2001 15:30:37 +0000 (15:30 +0000)]
destroy the brigade when we are done with it, rather than remove
one bucket at a time. prevents a problem when downloading large files.
also change ssl_io_filter_Output to apache style
and change some variable names that should make the code easier to
read/understand, e.g. pbbIn -> bb, pbktIn -> bucket
Doug MacEachern [Tue, 21 Aug 2001 05:57:13 +0000 (05:57 +0000)]
authentication/authorization hooks were backwards
make authentication hook run APR_HOOK_FIRST for FakeBasicAuth
Ryan Bloom [Mon, 20 Aug 2001 22:30:17 +0000 (22:30 +0000)]
Add the openssl/include/openssl directory to the INCLUDES variable.
This allows us to remove the openssl from the #include lines in the
mod_ssl files. This makes it easier to use a different SSL library,
with fewer changes to the mod_ssl files.
The purpose of this patch is to toggle the debugging mode (default) to
Program Database (from Program Database for Modify on the fly debugging).
The net effect of this patch is to clean up all of the irrelevant entries
associated with either the debugging or release command line switches, and
generally straighten the projects as they would be exported from VC6/SP5.
The outcome of this patch is that VC5 users -should- be able to load and
build the workspace without any errors (as they used to have no symbols
database at all, the /ZI option doesn't work, they had to use cvtdsp.pl
to toggle these to /Zi.)
Jeff Trawick [Thu, 16 Aug 2001 21:11:30 +0000 (21:11 +0000)]
check for timeout on socket read when we check for ECONNRESET and eof
previously, we'd die on an assert() (really nasty for threaded MPM) when
we hit a keepalive timeout for a browser like netscape which keeps the
connection open