Doug MacEachern [Mon, 19 Nov 2001 22:37:57 +0000 (22:37 +0000)]
add input filter AP_MODE_INIT support to handshake before reading
request data from the client.
PR:
Obtained from:
Submitted by: dougm
Reviewed by: wrowe
Aaron Bannert [Fri, 16 Nov 2001 18:28:25 +0000 (18:28 +0000)]
Conversion from old apr_lock_t to new apr_thread_mutex_t
(only converting INTRAPROCESS locks at this time).
I don't see how this used to work, which also means I'm not entirely
sure if it works now. It really didn't look like it was allocating
the correct size before. It compiles and SSL still works in my limited
tests, but I'd appreciate a second opinion.
Ryan Bloom [Thu, 15 Nov 2001 20:55:13 +0000 (20:55 +0000)]
Fix the SSL filter logic. The SSL filter is not a network filter, because
it does not actually do the reading and writing to the network. By
moving that filter to in between CONNECTION and NETWORK filters, we ensure
that SSL is always called before the core.
Aaron Bannert [Wed, 14 Nov 2001 18:56:18 +0000 (18:56 +0000)]
Turns out this is causing problems on my linux box (libtool 1.3.5), so
I'm going to remove it until I or someone else can come up with a better
way to check for and link against libssl and libcrypto for mod_ssl.so.
Doug MacEachern [Mon, 12 Nov 2001 22:01:14 +0000 (22:01 +0000)]
fix segv triggered by recent ap_lingering_close change
need to set SSLFilterRec.pssl = NULL when ssl_hook_CloseConnection is called
otherwise, ap_lingering_close -> ap_flush_conn will call ssl_io_filter_Output
which thinks it can still use the SSLFilterRec.pssl
PR:
Obtained from:
Submitted by:
Reviewed by:
It is absolutely invalid practice to test 'prot' bits to determine if a
file is readable. The only acceptable means of testing readability is to
open it for reading, due to discrepancies between permissions, DACLs and
SACLS. Even Linux hackers are gonna need to learn that lesson if they
plan to do any DOD or Gov work once DACL-enhanced Linux is adopted.
Well, now I know what the bio_is_renegotiating call was for.
Place a big-ass comment there so that whomever comes next isn't stuck
at a cryptic call that they don't understand with a dinky comment.
Hopefully, this makes sense. Someone more familiar with OpenSSL should
verify the comment.
This fix also requires the normalize call to be performed before
churn_input so that we don't enter churn_input with a 0-length ctx->b
brigade.
All httpd-test tests (except for the module/negotiation test) pass now.
This is the mod_ssl input filtering rewrite. Lots of stuff here. I also
changed some of the style issues within the filtering code to conform to
the rest of the server.
Various incarnations of this patch have been posted to dev@httpd without
feedback. Now that it passes all of the httpd-test cases (with the
exception of module/negotiation test which fails without mod_ssl anyway),
it is time to check it in.
Please review and test. We are under C-T-R rules, so I'm going to take
advantage of that and commit it now. I have tested this about as much
as I can and it seems to work from everything I can give to it.
Considering that mod_ssl was broken before this commit, this is an
improvement.
Ryan Bloom [Mon, 27 Aug 2001 06:00:51 +0000 (06:00 +0000)]
Allow mod_ssl to send back an error message if an HTTP request is sent
over an HTTPS connection. This also adds an ap_remove_input_filter
function, which should be used to remove the SSL input filter in this
case, as soon as this code is stressed a bit more.
For right now, we are sending the same message that we used to send in
mod_ssl for Apache 1.3.
Doug MacEachern [Fri, 24 Aug 2001 23:25:14 +0000 (23:25 +0000)]
force OpenSSL to ignore process local-caching and to always
get/set/delete sessions using mod_ssl's callbacks
PR:
Obtained from:
Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>
Reviewed by: dougm
Doug MacEachern [Fri, 24 Aug 2001 04:16:57 +0000 (04:16 +0000)]
only set the crypto locking callback if mpm is threaded
get rid of some warnings introduced by the original patch
PR:
Obtained from:
Submitted by:
Reviewed by:
Cliff Woolley [Thu, 23 Aug 2001 00:21:40 +0000 (00:21 +0000)]
Simplify the apr_read_type_e vs. ap_input_mode_t silliness. The two
are compatible (due to our early abort when PEEK mode is requested),
so we don't have to go to so much effort to convert from one to the other.
Complete the rename of the ssl_scache_status_register and
ssl_ext_proxy_register (which has yet to be renamed for it's
future location, since I'm not going further at the moment
with implementing it's functionallity, all my focus is on
the ssl_var_register arm.)
Doug MacEachern [Wed, 22 Aug 2001 21:37:15 +0000 (21:37 +0000)]
remove #if 0-ed ssl_hook_NewConnection code; was only left for reference,
no longer needed
remove #if 0-ed ssl_hook_TimeoutConnection code; ssl no longer talks directly
to the socket
PR:
Obtained from:
Submitted by: madhu
Reviewed by: dougm
Doug MacEachern [Wed, 22 Aug 2001 16:59:26 +0000 (16:59 +0000)]
rather than creating small 1024 byte buckets of output data,
create a transient bucket pointing directly to the BIO mem buff.
this makes for a dramatic increase in performance. previously,
downloading large files (2Mb-5Mb-ish) made my laptop start to
smoke from the fan spinning so fast to cool the cpu.
also, apache stylize churn_output()
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Wed, 22 Aug 2001 15:30:37 +0000 (15:30 +0000)]
destroy the brigade when we are done with it, rather than remove
one bucket at a time. prevents a problem when downloading large files.
also change ssl_io_filter_Output to apache style
and change some variable names that should make the code easier to
read/understand, e.g. pbbIn -> bb, pbktIn -> bucket
PR:
Obtained from:
Submitted by:
Reviewed by:
Doug MacEachern [Tue, 21 Aug 2001 05:57:13 +0000 (05:57 +0000)]
authentication/authorization hooks were backwards
make authentication hook run APR_HOOK_FIRST for FakeBasicAuth
PR:
Obtained from:
Submitted by:
Reviewed by:
Ryan Bloom [Mon, 20 Aug 2001 22:30:17 +0000 (22:30 +0000)]
Add the openssl/include/openssl directory to the INCLUDES variable.
This allows us to remove the openssl from the #include lines in the
mod_ssl files. This makes it easier to use a different SSL library,
with fewer changes to the mod_ssl files.
The purpose of this patch is to toggle the debugging mode (default) to
Program Database (from Program Database for Modify on the fly debugging).
The net effect of this patch is to clean up all of the irrelevant entries
associated with either the debugging or release command line switches, and
generally straighten the projects as they would be exported from VC6/SP5.
The outcome of this patch is that VC5 users -should- be able to load and
build the workspace without any errors (as they used to have no symbols
database at all, the /ZI option doesn't work, they had to use cvtdsp.pl
to toggle these to /Zi.)
Jeff Trawick [Thu, 16 Aug 2001 21:11:30 +0000 (21:11 +0000)]
check for timeout on socket read when we check for ECONNRESET and eof
previously, we'd die on an assert() (really nasty for threaded MPM) when
we hit a keepalive timeout for a browser like netscape which keeps the
connection open
Doug MacEachern [Thu, 16 Aug 2001 03:58:16 +0000 (03:58 +0000)]
enable ssl Translate, UserCheck, Access and Auth hooks
add support for renegotiation during the Access hook
this requires hooking into the read and write SSL BIOs in order to
flush data to the client and read from the filter chain
this also requires that the ssl filters become "aware" that
renegotitation is in progress so that the BIOs are left alone for
SSL_renegotiate/SSL_do_handshake in ssl_hook_Access to deal with
Doug MacEachern [Tue, 14 Aug 2001 17:03:03 +0000 (17:03 +0000)]
need to check return value of ssl_hook_process_connection
if != APR_SUCCESS the ssl connection has been shutdown
(for example client cert was revoked)
PR:
Obtained from:
Submitted by:
Reviewed by:
This patch conditionally builds against openssl 0.9.6b _if_ openssl is
unpacked and properly built (using pretty much the defaults) in the
srclib/openssl/ directory. Someday soon this needs to be more exhaustive,
but this should solve the 80% problem :)
enables the use of the ssl_var_lookup functionality in the various source
files in modules/ssl. The ap_hook_* functions are still not yet ported to
Apache 2.0 style
This patch eliminates the direct use of OS library calls (fopen and
other depreciated Apache 1.3 library utilities) from ssl_engine_pphrase.c
and ssl_util_ssl.c.
- eliminated the use of ssl_log - it used to cause seg faults during cleanup
since the conn_rec will no longer be valid.
- eliminated the "for (;;)" processing loop in ssl_io_filter_Output() -
we'll have to do that in churn_output() if required, so that any remaining
OpenSSL data (if available) is transferred before we call the
CloseConnection.
- Any remaining data in SSL should be cleaned up ideally in the
APR_BUCKET_IS_EOS() processing stage itself, as we close the SSL connection
here.
Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>
Reviewed by: William Rowe
projects / thirdparty / apache / httpd.git / log
