configurable, by popular demand:
* modules/ssl/ssl_private.h: Define DEFAULT_RENEG_BUFFER_SIZE.
(SSLDirConfigRec): Add nRenegBufferSize field.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLRenegBufferSize): New
function.
(ssl_config_perdir_create, ssl_config_perdir_merge): Handle
nRenegBufferSize.
* modules/ssl/ssl_engine_io.c (ssl_io_buffer_fill): Take max buffer
size as an argument rather than compile-time constant.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Pass
nRenegBufferSize to ssl_io_buffer_fill.
* modules/ssl/mod_ssl.c (ssl_config_cmds): Add SSLRenegBufferSize.
PR: 39243
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@726109
13f79535-47bb-0310-9956-
ffa450edef68
-*- coding: utf-8 -*-
Changes with Apache 2.3.1
[ When backported to 2.2.x, remove entry from this file ]
+
+ *) mod_ssl: Add SSLRenegBufferSize directive to allow changing the
+ size of the buffer used for the request-body where necessary
+ during a per-dir renegotiation. PR 39243. [Joe Orton]
*) mod_proxy_fdpass: New module to pass a client connection over to a separate
process that is reading from a unix daemon socket.
SSL_CMD_DIR(Require, AUTHCFG, RAW_ARGS,
"Require a boolean expression to evaluate to true for granting access"
"(arbitrary complex boolean expression - see manual)")
+ SSL_CMD_DIR(RenegBufferSize, AUTHCFG, TAKE1,
+ "Configure the amount of memory that will be used for buffering the "
+ "request body if a per-location SSL renegotiation is required due to "
+ "changed access control requirements")
SSL_CMD_SRV(OCSPEnable, FLAG,
"Enable use of OCSP to verify certificate revocation (`on', `off')")
dc->szCACertificateFile = NULL;
dc->szUserName = NULL;
+ dc->nRenegBufferSize = DEFAULT_RENEG_BUFFER_SIZE;
+
return dc;
}
cfgMergeString(szCACertificateFile);
cfgMergeString(szUserName);
+ cfgMergeInt(nRenegBufferSize);
+
return mrg;
}
return NULL;
}
+const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg)
+{
+ SSLDirConfigRec *dc = dcfg;
+
+ dc->nRenegBufferSize = atoi(arg);
+ if (dc->nRenegBufferSize < 0) {
+ return apr_pstrcat(cmd->pool, "Invalid size for SSLRenegBufferSize: ",
+ arg, NULL);
+ }
+
+ return NULL;
+}
+
static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
const char *arg,
ssl_proto_t *options)
return status;
}
-/* 128K maximum buffer size by default. */
-#ifndef SSL_MAX_IO_BUFFER
-#define SSL_MAX_IO_BUFFER (128 * 1024)
-#endif
-
struct modssl_buffer_ctx {
apr_bucket_brigade *bb;
};
-int ssl_io_buffer_fill(request_rec *r)
+int ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen)
{
conn_rec *c = r->connection;
struct modssl_buffer_ctx *ctx;
/* ... and a temporary brigade. */
tempb = apr_brigade_create(r->pool, c->bucket_alloc);
- ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "filling buffer");
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "filling buffer, max size "
+ "%" APR_SIZE_T_FMT " bytes", maxlen);
do {
apr_status_t rv;
total, eos);
/* Fail if this exceeds the maximum buffer size. */
- if (total > SSL_MAX_IO_BUFFER) {
+ if (total > maxlen) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "request body exceeds maximum size for SSL buffer");
+ "request body exceeds maximum size (%" APR_SIZE_T_FMT
+ ") for SSL buffer", maxlen);
return HTTP_REQUEST_ENTITY_TOO_LARGE;
}
&& !r->expecting_100) {
int rv;
- /* Fill the I/O buffer with the request body if possible. */
- rv = ssl_io_buffer_fill(r);
+ if (dc->nRenegBufferSize > 0) {
+ /* Fill the I/O buffer with the request body if possible. */
+ rv = ssl_io_buffer_fill(r, dc->nRenegBufferSize);
+ }
+ else {
+ /* If the reneg buffer size is set to zero, just fail. */
+ rv = HTTP_REQUEST_ENTITY_TOO_LARGE;
+ }
if (rv) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
#define SSL_SESSION_CACHE_TIMEOUT 300
#endif
+/* Default setting for per-dir reneg buffer. */
+#ifndef DEFAULT_RENEG_BUFFER_SIZE
+#define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
+#endif
+
/**
* Define the per-server SSLLogLevel constants which provide
* finer-than-debug resolution to decide if logs are to be
const char *szCACertificatePath;
const char *szCACertificateFile;
const char *szUserName;
+ apr_size_t nRenegBufferSize;
} SSLDirConfigRec;
/**
const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLLogLevelDebugDump(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
* to allow an SSL renegotiation to take place. */
-int ssl_io_buffer_fill(request_rec *r);
+int ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen);
/** PRNG */
int ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *);