Joe Orton [Fri, 21 Jun 2024 14:31:54 +0000 (14:31 +0000)]
Merge r1917578 from trunk:
On Linux use the real thread id via gettid() in error logging,
where available, rather than the (meaningless) default
pthread_self()-as-integer interpretation:
* configure.in: Define DEFAULT_LOG_TID on Linux if gettid() is available.
* server/log.c: Define DEFAULT_LOG_TID as NULL by default.
(do_errorlog_default): Use DEFAULT_LOG_TID as the argument to log_tid().
* modules/ssl/ssl_engine_io.c (bio_filter_out_write,
bio_filter_in_read): #ifdef-out reneg protection if
SSL_OP_NO_RENEGOTATION is defined.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol):
Enable SSL_OP_NO_RENEGOTATION.
(ssl_init_ctx_callbacks): Only enable the "info" callback if
debug-level logging *or* OpenSSL doesn't support SSL_OP_NO_RENEGOTATION.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_classic): Use
modssl_set_reneg_state to set the reneg protection mode.
(ssl_hook_Access_modern): Drop manipulation of the reneg mode which
does nothing for TLSv1.3 already.
(ssl_callback_Info): Only enable reneg protection if
SSL_OP_NO_RENEGOTATION is *not* defined.
* modules/ssl/ssl_util_ssl.c (modssl_set_reneg_state): New function.
mod_ssl: follow up to r1877397: fix SSL_OP_NO_RENEGOT*I*ATION typo.
Joe Orton [Mon, 17 Jun 2024 14:21:04 +0000 (14:21 +0000)]
Merge r1916863 from trunk:
* Ensure that we set the default DH parameters for the key
Replace else with an if as the if branch no longer ensures that
custom DH parameters have been loaded.
This fixes a regression that caused the default DH parameters for a key
to no longer be set, thus effectively disabling DH ciphers when no explicit
DH parameters are set.
Add experimental support for fd passing in mod_cgid. Attaches CGI
script stderr to the error log specific to the vhost, by passing the
appropriate fd over the AF_UNIX socket from the request handling
thread to the cgid server process.
* modules/generators/mod_cgid.c (sock_readhdr): New function, also
returns auxiliary control data (the stderr fd) if available.
(sock_write): Take optional aux fd argument, send it as control
data. (send_req, get_req): Adjust accordingly to pass/receive the
stderr fd.
(cgid_server): Use passed fd if available, limit the lifetime.
PR: 60692
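The fd passing described in the message above, as an added example that is not httpd code: a pipe's write end is sent as SCM_RIGHTS control data over an AF_UNIX socketpair and the receiving side writes through the fd it got. The names send_fd, recv_fd and fdpass_roundtrip are assumptions; Linux/POSIX only.

```c
/* Added example, not httpd code: pass a pipe's write end as SCM_RIGHTS control
 * data over an AF_UNIX socket, as mod_cgid does for the CGI stderr fd. */
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
static int send_fd(int sock, int fd)
{
    char payload = 'F', cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &payload, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg); /* one record carrying one fd */
    memset(cbuf, 0, sizeof cbuf);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Returns the received fd, or -1 if no SCM_RIGHTS data came with the byte. */
static int recv_fd(int sock)
{
    char payload, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &payload, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *cm; int fd = -1;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    for (cm = CMSG_FIRSTHDR(&msg); cm; cm = CMSG_NXTHDR(&msg, cm))
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS
            && cm->cmsg_len == CMSG_LEN(sizeof(int)))
            memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;   /* -1 is the "fd not available" case the daemon falls back from */
}
/* Round trip in one process: write through the passed fd and read the bytes
 * back from the pipe's original read end. Returns 1 on success, else 0. */
int fdpass_roundtrip(void)
{
    int sv[2], pfd[2], rfd;
    char buf[8] = { 0 };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || pipe(pfd) != 0) return 0;
    if (send_fd(sv[0], pfd[1]) != 0 || (rfd = recv_fd(sv[1])) < 0) return 0;
    close(pfd[1]);                  /* sender's copy; rfd stays valid */
    if (write(rfd, "err", 3) != 3 || read(pfd[0], buf, sizeof buf) != 3) return 0;
    close(rfd); close(pfd[0]); close(sv[0]); close(sv[1]);
    return strcmp(buf, "err") == 0;
}
```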
mod_cgid: Continuation of r1862968, experimental fd passing support.
Split out CGI bucket implementation from mod_cgi and use in both
mod_cgi and mod_cgid, bringing stderr handling in mod_cgid up to par
with mod_cgi. (There is a lot of code which has been copied between
mod_cgi{,d} so there's scope for further reduction of source
duplication between the modules using this header)
* modules/generators/cgi_common.h: Copied from mod_cgi.c, removed
everything but the CGI bucket implementation with only one change:
(struct cgi_bucket_data, cgi_bucket_create, cgi_bucket_read): Take a
timeout on bucket creation, store and use on reads.
* modules/generators/mod_cgi.c [APR_FILES_AS_SOCKETS]: Include
cgi_common.h.
(cgi_handler): Pass configured timeout to CGI bucket.
* modules/generators/mod_cgid.c: Include cgi_common.h.
(log_script_err): Copy from mod_cgi.c.
(log_script): Use log_script_err.
(send_req): Take fd for stderr.
(cgid_child_errfn): Handle fd-passing case by writing error
to stderr for client to pass through ap_log_rerror.
(cgid_handler): Create pipe for stderr, pass write-end to
server via send_req, use read-end to create CGI bucket. Handle
stderr output in failure paths.
PR: 54221
* modules/generators/mod_cgid.c (sock_readhdr): Only set up control
message block when required; add some additional error handling.
* modules/generators/cgi_common.h (cgi_bucket_create):
Disable APR timeout handling here for all callers.
* modules/generators/mod_cgi.c (cgi_handler): ... drop it here.
PR: 63797
Move common (and near-identical) code for CGI response output handling
to cgi_common.h; the diff between the modules for this code was as
follows:
Change from previous: mod_cgi will now explicitly discard output when
returning HTTP_MOVED_TEMPORARILY for relative redirects (should not be
functionally different), TRACE1 logging of ap_pass_brigade failures
for mod_cgid is dropped.
* modules/generators/cgi_common.h (cgi_handle_response): New function,
factored out from mod_cgid.
(discard_script_output): Copied function from mod_cgi/d unchanged.
* modules/generator/mod_cgid.c (cgid_handler),
modules/generator/mod_cgi.c (cgi_handler): Use cgi_handle_response.
Fix build broken w/o --enable-cgid-fdpassing by r1867968:
* modules/generators/cgi_common.h: Only define CGI bucket type
if WANT_CGI_BUCKET is defined.
* modules/generators/mod_cgi.c: Always include cgi_common.h, defining
WANT_CGI_BUCKET iff APR_FILES_AS_SOCKETS is defined
* modules/generators/mod_cgid.c: Always include cgi_common.h, defining
WANT_CGI_BUCKET iff HAVE_CGID_FDPASSING (--enable-cgid-fdpassing).
Add comment, no functional change.
* modules/generators/cgi_common.h (cgi_handle_request): Factor out
near-identical common code from mod_cgid, mod_cgi.
* modules/generators/mod_cgid.c (cgid_handler),
modules/generators/mod_cgi.c (cgi_handler):
Adjust to use cgi_handle_request.
* modules/generators/cgi_common.h (cgi_handle_request): Catch
(unlikely) apr_bucket_read() failure when reading request.
* modules/generators/mod_cgid.c (cgid_handler): Bail immediately with
a 503 response on errors when talking to the daemon. Check the pid
returned is not zero.
* modules/generators/mod_cgid.c (get_req): Add basic sanity
checking for the structure received in the CGI daemon.
* modules/generators/mod_cgid.c (get_cgi_pid): Fix test for pid=0.
(cgid_handler): Remove duplicated test for pid=0 here added in
r1879119.
* modules/generators/cgi_common.h (cgi_handle_response): Avoid trying
to read the output brigade twice in the case of a timeout.
PR: 64709
Further re-unification of code duplicated across mod_cgi/mod_cgid into
cgi_common.h. Functional changes:
- brings the PR 61980 fix to mod_cgid as well, and
- some mod_cgid-specific APLOGNOs are dropped in favour of the
code used in the equivalent error path in mod_cgi
... otherwise no user-visible changes (intended).
* modules/generators/cgi_common.h (log_scripterror, log_script_err): Move
here from mod_cgi.
(cgi_handle_exec): Move here, renamed from mod_cgi's handle_exec.
(cgi_optfns_retrieve): New function, split out from mod_cgi's cgi_post_config.
* modules/generators/cgi_common.h (discard_script_output): Simplify
slightly and ensure constant rather than unlimited memory
consumption when discarding CGI script output (for e.g. a redirect
response).
* mod_md:
- Using OCSP stapling information to trigger certificate renewals. Proposed
by @frasertweedale.
- Added directive `MDCheckInterval` to control how often the server checks
for detected revocations. Added proposals for configurations in the
README.md chapter "Revocations".
- OCSP stapling: accept OCSP responses without a `nextUpdate` entry which is
allowed in RFC 6960. Treat those as having an update interval of 12 hours.
Added by @frasertweedale.
- Adapt OpenSSL usage to changes in their API. By Yann Ylavic.
Fix occasional pytest failures
in modules/http2/test_800_websockets.py
(test_h2_800_03_not_found and
test_h2_800_05_non_ws_delay_resource) due to
additional RST messages.
Fix occasional pytest failures
in modules/http2/test_800_websockets.py
(test_h2_800_04_non_ws_resource and
test_h2_800_09b_unsupported) due to
additional RST messages.
Joe Orton [Tue, 26 Mar 2024 15:00:06 +0000 (15:00 +0000)]
Merge r1619448, r1619486, r1895552, r1894152, r1914800 from trunk:
leave a hint while scrolling through inflate() calls
mod_deflate:
- fix signed/unsigned (int/size_t) comparisons,
- add consume_buffer() to factorize code used multiple times,
- cleanup passed brigade (don't rely on next output filters to do it).
* modules/filters/mod_deflate.c (deflate_in_filter): Handle FLUSH in
the input brigade even if done inflating (ctx->done is true), but
don't try to flush the inflate stream in that case. (Caught by
Coverity)
Joe Orton [Tue, 19 Mar 2024 08:38:00 +0000 (08:38 +0000)]
Merge r1915281 from trunk:
*) mod_http2: v2.0.26 with the following fixes:
- Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes
<https://github.com/icing/mod_h2/issues/272>.
- Fixed small memory leak in h2 header bucket free. Thanks to
Michael Kaufmann for finding this and providing the fix.
This mimetype contains 'xml', but is unfortunately not an XML file.
xml2enc processes these files (in particular, when mod_proxy_html is
used), typically resulting in them being corrupted as it seems to
attempt to perform an ISO-8859-1 to UTF-8 conversion on them.
* modules/filters/mod_xml2enc.c (xml2enc_ffunc): Restrict test for XML
types to matching "+xml".
Fix misleading crypt vs hash terminology in ht* and dbmmanage tools.
What the htpasswd, htdbm and dbmmanage tools do is hashing passwords, not
encrypting them, so fix the terminology in manpages, docs, --help, comments
and function names.
Joe Orton [Fri, 1 Mar 2024 11:10:15 +0000 (11:10 +0000)]
Merge r1916051, r1916052, r1916053, r1916055, r1916056 from trunk: [CTR for CI changes]
CI: Hopefully fix caching and artifact uploads by creating $JOBID
as a unique key for each job in the matrix, using that as the
cache key and in each artefact upload (otherwise multiple failures
uploading "error_log" overwrite each other).
CI: Enable caching for the rustls install used for mod_tls testing.
CI: Re-enable caching for *fixed* versions of apr/apr-util which
should now work correctly (since the version is in the cache key).
For 1.x branches, CLEAR_CACHE must still be used.
CI tweaks:
- don't install CPAN modules if NO_TEST_FRAMEWORK is set
- remove the workaround for mod_h2 APR build caching which
should no longer be necessary now caching is fixed
- fix capturing specific perl-framework failures with "TEST -v" mode
Fix regression in r1916055 - don't duplicate logic in _run_linux.sh
from _before_linux.sh in whether the perl-framework is used/needed.
Yann Ylavic [Thu, 22 Feb 2024 14:17:43 +0000 (14:17 +0000)]
Follow-up to r1825120:
* modules/ssl/ssl_engine_init.c (ssl_init_ca_cert_path): Since
SSL_add_file_cert_subjects_to_stack() internally replaces the
comparison callback with one equivalent to
ssl_init_FindCAList_X509NameCmp, there's no point in using that
here.
(ssl_init_FindCAList_X509NameCmp): Removed.
Merges r1825124 from https://svn.apache.org/repos/asf/httpd/httpd/trunk.
Yann Ylavic [Thu, 22 Feb 2024 14:06:46 +0000 (14:06 +0000)]
mod_ssl: Follow up to r1913815: szCryptoDevice to NULL when !MODSSL_HAVE_ENGINE_API
Latest OpenSSL versions removed the ENGINE API completely; still provide a NULL
SSLModConfigRec::szCryptoDevice since it's used outside MODSSL_HAVE_ENGINE_API.
SSLModConfigRec is a private struct, so no MMN change.
* modules/ssl/ssl_private(SSLModConfigRec):
Provide szCryptoDevice (NULL) even if !MODSSL_HAVE_ENGINE_API.
Merges r1915889 from https://svn.apache.org/repos/asf/httpd/httpd/trunk.