ssl_engine_io.c

Merge r1859371, r1859422 from trunk:

mod_proxy/ssl: Proxy SSL client certificate

configuration and other proxy SSL configurations

broken inside <Proxy> context.

PR 63430

Triggered by r1855646+r1855748.

Patch from rpluem (proxy) and ylavic (ssl).

Follow up to r1859371: extend to other ap_proxy_connection_create[_ex]() users.

This function now handles SSL reuse as well as the "proxy-request-hostname"

note (SNI), so let's also call it unconditionally in all proxy modules.

On the mod_ssl side, since this note has the lifetime of the connection, don't

reset/unset it during handshake (ssl_io_filter_handshake).

Submitted by: rjung, ylavic

Reviewed by: rjung, rpluem, ylavic

  1. … 10 more files in changeset.
synch 2.4.x with trunk.

When r1729208 has been backported in 2.4.x (see r1743576), a comment has been missed in the backport proposal and has never reached 2.4.x.

Add it now, in order to synch a bit the 2 branches.

mod_ssl (ssl_engine_io.c: bio_filter_out_write, bio_filter_in_read)

Clear retry flags before aborting on client-initiated reneg.

PR: 63052

Backports: r1850946

Submitted by: Joe Orton

Reviewed by: wrowe, jorton, rpluem

  1. … 3 more files in changeset.
mod_ssl: Fix the error code returned in an error path of 'ssl_io_filter_handshake()'

This messes up error handling performed in 'ssl_io_filter_error()'

+1: ylavic, jim, minfrin

  1. … 2 more files in changeset.
*) mod_ssl: Handle SSL_read() return code 0 similarly to <0. It is needed

when using OpenSSL 1.1.1 and should not harm for versions before

1.1.1.

Without the patch for 1.1.1 a 0 byte read no longer results in

EAGAIN but instead in APR_EOF which leads to HTTP/2 failures.

For the changelog: Fix HTTP/2 failures when using OpenSSL 1.1.1.

trunk patch: http://svn.apache.org/r1843954

2.4.x patch: svn merge -c 1843954 ^/httpd/httpd/trunk .

+1: rjung, druggeri, rpluem

  1. … 2 more files in changeset.
Merge r1418761, r1418765, r1510295, r1757147, r1805163, r1818924, r1827374, r1831772, r1832351, r1832951, r1815004 from trunk:

Don't claim "BIO dump follows" if it is not logged due to log level config.

make ssl_io_data_dump respect per-conn loglevel

add high trace level log messages for debugging buffering and write completion

* modules/ssl/ssl_engine_kernel.c (ssl_callback_SessionTicket): Fail

if RAND_bytes() fails; possible per API, although not in practice

with the OpenSSL implementation.

Fix typo in log message.

ap_add_common_vars(): use apr_pstrmemdup().

This avoids a transient replacement/restore of '?' by '\0' in r->filename.

Use 'ap_request_has_body()' instead of duplicating its implementation.

The logic in 'ap_request_has_body()' is:

    has_body = (!r->header_only
                && (r->kept_body
                    || apr_table_get(r->headers_in, "Transfer-Encoding")
                    || ( (cls = apr_table_get(r->headers_in, "Content-Length"))
                         && (apr_strtoff(&cl, cls, &estr, 10) == APR_SUCCESS)
                         && (!*estr)
                         && (cl > 0) )
                   )
               );

So the test is slightly different from the original code. (but this looks fine to me)

This also has the advantage to avoid a redundant call to 'apr_table_get()' and to improve readability.

While at it, move the test '!r->expecting_100' a few lines above because it is cheap.

PR62368: Print the unparsed URI in AH03454

... to include r->args and otherwise get as close as possible to

what came in over the wire.

Submitted By: Hank Ibell <hwibell gmail.com>

Committed By: covener

All error handling paths of this function call 'apr_brigade_destroy()', except this one.

So add it here too.

Probably spotted with the help of the Coccinelle software (Thx Julia for the patch and for Coccinelle)

See PR 53016

* modules/proxy/proxy_util.c (ap_proxy_share_worker): Skip creating subpool

for debugging unless debug-level logging is enabled. No functional change.

mod_watchdog: Correct some log messages and fix

compiler warning

"'rv' may be used uninitialized in this function".

Follow up to r1722154.

Submitted by: sf, jorton, jorton, ylavic, jailletc36, covener, jailletc36, jorton, rjung

Reviewed by: jailletc36, jim, jorton

  1. … 10 more files in changeset.
  1. … 30 more files in changeset.
Merge r1803392, r1803396, r1803398 from trunk:

mod_ssl: we can't use SSL_COMP_free_compression_methods() if OPENSSL_NO_COMP

is defined. PR 61206.

Submitted by: Michael Schlenker <msc contact.de>

mod_ssl, ab: compatibility with LibreSSL. PR 61184.

LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with

all of the latest OpenSSL 1.1 API.

Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for

anything but OpenSSL >= 1.1 (for now).

Proposed by: Bernard Spil <brnrd freebsd.org>

Reviewed by: ylavic

Follow up to r1803396: CHANGES entry.

Reviewed by: ylavic, jim, covener

  1. … 10 more files in changeset.
SECURITY: CVE-2017-3169 (cve.mitre.org)

mod_ssl may dereference a NULL pointer when third-party modules call

ap_hook_process_connection() during an HTTP request to an HTTPS port.

Merge r1796343 from trunk:

mod_ssl: fix ctx passed to ssl_io_filter_error()

Consistently pass the expected bio_filter_in_ctx_t

to ssl_io_filter_error().

Submitted by: ylavic, covener

Reviewed by: covener, ylavic, jim

  1. … 3 more files in changeset.
Merge ^/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat:

Support OpenSSL 1.1.0

Proposed by: rjung

Reviewed by: wrowe, jorton, covener

  1. … 15 more files in changeset.
Merge r1769332 from trunk:

ssl: clear the error queue before SSL_read/write/accept()

If other modules or libraries do not clear the OpenSSL error queue after

a failed operation, other code that relies on SSL_get_error() -- in

particular, code that deals with SSL_ERROR_WANT_READ/WRITE logic -- will

malfunction later on. To prevent this, explicitly clear the error queue

before calls like SSL_read/write/accept().

PR: 60223

Submitted by: Paul Spangler <paul.spangler ni.com>

Submitted by: jchampion

Reviewed/backported by: jim

  1. … 3 more files in changeset.
Merge r1756038 from trunk:

Fix spelling in comments and text files.

No functional change.

PR 59990

Submitted by: rjung

Reviewed/backported by: jim

  1. … 72 more files in changeset.
Correct the behavior and interaction between SSLProxyCheckPeer[CN|Name],

such that disabling either disables both, and that enabling either will

trigger the more comprehensive SSLProxyCheckPeerName behavior.

Only a single configuration remains to enable the legacy behavior, which

is to explicitly disable SSLProxyCheckPeerName and enable SSLProxyCheckPeerCN.

Changes to the proxy config directives lead us to a different 2.4 fix...

https://github.com/wrowe/patches/blob/master/fix_proxy_check_peer-2.4.x.patch

Backports: 1746647

Reviewed by: wrowe, icing, rpluem

  1. … 4 more files in changeset.
Revert 1746645, was sitting in the wrong tree, mea culpa...
  1. … 1 more file in changeset.
Correct the behavior and interaction between SSLProxyCheckPeer[CN|Name],

such that disabling either disables both, and that enabling either will

trigger the more comprehensive SSLProxyCheckPeerName behavior.

Only a single configuration remains to enable the legacy behavior, which

is to explicitly disable SSLProxyCheckPeerName and enable SSLProxyCheckPeerCN.

Major refactoring leads us to an alternate implementation for 2.4.21;

https://github.com/wrowe/patches/blob/master/fix_proxy_check_peer-2.4.x.patch

  1. … 1 more file in changeset.
Merge r1729208, r1735668, r1735931, r1735935, r1735942 from trunk:

let proxy handler forward ALPN protocol strings for ssl proxy connections

Remove leftover comment

APLOGNO update for mod_proxy_http2

fix APLOGNO at wrong place, me stupid

h2_proxy_session: fill in missing APLOGNO()s.

Submitted by: icing, jailletc36, icing, icing, ylavic

Reviewed/backported by: jim

  1. … 6 more files in changeset.
Merge r1587607, r1588868 from trunk:

mod_ssl: Add hooks to allow other modules to perform processing at

several stages of initialization and connection handling. See

mod_ssl_openssl.h.

This is enough to allow implementation of Certificate Transparency

outside of mod_ssl.

Initialize post_handshake_rc for case where a failure has

already occurred (doesn't change execution but avoids warning

with some levels of gcc).

Pointed out by: kbrand

Submitted by: trawick

Reviewed/backported by: jim

  1. … 12 more files in changeset.
Follow up to r1727393: add missing (voted) change from trunk's r1723284.
  1. … 1 more file in changeset.
Merge r1725485 from trunk:

Added many log numbers to log statements that

had none.

Those were not detected by the coccinelle script.

Submitted by: rjung

Reviewed/backported by: jim

  1. … 34 more files in changeset.
Merge r1725940 from trunk:

handling TIMEUP on SSL inputs by allowing later retries

Submitted by: icing

Reviewed/backported by: jim

  1. … 3 more files in changeset.
Merge r1726888 from trunk:

Fix some duplicate definitions

Submitted by: mrumph

Reviewed/backported by: jim

  1. … 2 more files in changeset.
backport of r1723122,1723143
  1. … 3 more files in changeset.
Merge r1719967 from trunk:

mod_ssl: fix build with openssl < 0.9.8m (missing semicolon).

Reported by: Petr Gajdos <pgajdos suse.cz>

Submitted by: ylavic

Reviewed/backported by: jim

  1. … 2 more files in changeset.
Merge r1708107, r1709587, r1709602, r1709995, r1710231, r1710419, r1710572, r1710583, r1715023 from trunk:

mod_ssl: performing protocol switch directly after ALPN selection, mod_http2: connection hook inits network filters to force TLS handshake, reads input only if H2Direct explicitly enabled, changes H2Direct default to off even for cleartext connections

new ap_is_allowed_protocol() for testing configured protocols, added H2Upgrade on/off directive, changed H2Direct default back to on when h2c is in Protocols

moved ssl handshake trigger from mod_http2 to new process_connection hook in mod_ssl

mod_ssl: check request-server for TLS settings compatible to handshake server, allow request if equal, renegotiation checks: remember last used cipher_suite for optimizations, deny any renegotiation in presence of master connection

announce protocol choices on first request

fixing compilation issue for older platform

disabling protocol upgrades on slave connections

first request on master connection only reports more preferred protocols in Upgrade header

mod_ssl: follow up to r1709602.

Fix "HTTP spoken on HTTPS port" broken by the SSL handshake trigger moved to

process_connection hook (r1709602) along with H2Direct speculative read.

Submitted by: icing, ylavic

Reviewed/backported by: jim

  1. … 11 more files in changeset.
Merge r1705194, r1705823, r1705826, r1705828, r1705833, r1706275, r1707230, r1707231 from trunk:

mod_ssl: forward EOR (only) brigades to the core_output_filter().

mod_ssl: don't FLUSH output (blocking) on read.

This defeats deferred write (and pipelining), eg. check_pipeline() is not

expecting the pipe to be flushed under it.

So let OpenSSL >= 0.9.8m issue the flush when necessary (earlier versions

are known to not handle all the cases, so we keep flushing with those).

mod_ssl: follow up to r1705823.

Oups, every #if needs a #endif...

mod_ssl: pass through metadata buckets untouched in ssl_io_filter_output(),

the core output filter needs them.

Proposed by: jorton

mod_ssl: follow up to r1705194, r1705823, r1705826 and r1705828.

Add CHANGES entry, and restore ap_process_request_after_handler()'s comment

as prior to r1705194 (the change makes no sense now).

mod_ssl: follow up to r1705823.

We still need to flush in the middle of a SSL/TLS handshake.

mod_ssl: follow up to r1705823.

Flush SSL/TLS handshake data when writing (instead of before reading),

and only when necessary (openssl < 0.9.8m or proxy/client side).

mod_ssl: follow up to r1707230: fix (inverted) logic for SSL_in_connect_init().

Submitted by: ylavic

Reviewed/backported by: jim

  1. … 3 more files in changeset.
merge r1703952 from trunk

Support compilation against libssl built with OPENSSL_NO_SSL3,

and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",

in accordance with RFC 7568. PR 58349, PR 57120.

Proposed by: kbrand

Reviewed by: ylavic, jorton

  1. … 8 more files in changeset.
merge r1674538, r1677143, r1677144, r1677145, r1677146, r1677149, r1677151,

r1677153, r1677154, r1677155, r1677156, r1677159, r1677830, r1677832,

r1677834, r1677835 from trunk

mod_ssl namespacing

Proposed by: kbrand

Reviewed by: ylavic, jorton

mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo.

For related discussion, see the dev@ thread starting at:

http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E

mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2,

and SSL_set_app_data2 from SSL_* to modssl_*. Update references in

README.dsov.* files. Rename static variable SSL_app_data2_idx to just

app_data2_idx since the symbol is internal to ssl_util_ssl.c.

mod_ssl namespacing: SSL_read_PrivateKey -> modssl_read_privatekey

mod_ssl namespacing: SSL_smart_shutdown -> modssl_smart_shutdown

mod_ssl namespacing: SSL_X509_getBC -> modssl_X509_getBC

mod_ssl namespacing: Make SSL_ASN1_STRING_to_utf8 a static function inside

ssl_util_ssl.c (no callers outside this file). The new static function name

chosen is convert_asn1_to_utf8, based on the assumption that neither SSL_

nor ASN1_ are safe prefixes to use without potential future overlap.

mod_ssl namespacing: Rename SSL_X509_NAME_ENTRY_to_string to

modssl_X509_NAME_ENTRY_to_string.

mod_ssl namespacing: SSL_X509_NAME_to_string -> modssl_X509_NAME_to_string

mod_ssl namespacing: SSL_X509_getSAN -> modssl_X509_getSAN

mod_ssl namespacing: Make SSL_X509_getIDs a static function inside the

file ssl_util_ssl.c (no outside callers). Rename to just getIDs().

mod_ssl namespacing: SSL_X509_match_name -> modssl_X509_match_name

mod_ssl namespacing: SSL_X509_INFO_load_file -> modssl_X509_INFO_load_file

mod_ssl namespacing: Merge SSL_X509_INFO_load_path() into its only caller

ssl_init_proxy_certs() in ssl_engine_init.c. No functional change.

Review by: kbrand

mod_ssl namespacing: Move modssl_X509_INFO_load_file() into ssl_engine_init.c

and make it a static function called load_x509_info().

mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c

and make it a static function called use_certificate_chain().

mod_ssl namespacing: Rename SSL_SESSION_id2sz() to modssl_SSL_SESSION_id2sz().

  1. … 13 more files in changeset.
Follow up to r1705672.

Backport changes that somehow missed the backport process.

  1. … 4 more files in changeset.
Merge r1697855, r1697339, r1696428, r1696266, r1696264, r1695874, r1695727, r1692516, r1692486, r1610674, r1685069, r1693918, r1698116, r1698133, r1694950, r1700968, r1701005, r1701145, r1701178 from trunk:

adding ap_get_protocol(c) which safeguards against NULL returns, for use instead of direct calling ap_run_protocol_get

changed Protocols to let vhosts override servers, removed old H2Engine example from readme

creating ap_array_index in util, forwarding scheme into request processing, enabling SSL vars only when scheme is not http:, delayed connection creation until task worker assignment

removed unnecessary lingering_close and sbh update on end of protocol upgrade handling

introducing ap_array_index in util, used in protocol and mod_h2

fixes existing protocol missing in selection if not explicitly proposed

new directive ProtocolsHonorOrder, added documentation for Protocols feature, changed preference selection and config merging

removed accidental code

new Protocols directive and core API changes to enable protocol switching on HTTP Upgrade or ALPN, implemented in mod_ssl and mod_h2

SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a reverse

proxy configuration, a remote attacker could send a carefully crafted

request which could crash a server process, resulting in denial of

service.

Thanks to Marek Kroemeke working with HP's Zero Day Initiative for

reporting this issue.

* server/util.c (ap_parse_token_list_strict): New function.

* modules/proxy/proxy_util.c (find_conn_headers): Use it here.

* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response):

Send a 400 for a malformed Connection header.

Submitted by: Edward Lu, breser, covener

http, mod_ssl: Introduce and return the 421 (Misdirected Request) status code

for clients requesting a hostname on a reused connection whose SNI (from the

TLS handshake) does not match.

PR 5802.

This allows HTTP/2 clients to fall back to a new connection as per:

https://tools.ietf.org/html/rfc7540#section-9.1.2

Proposed by: Stefan Eissing <stefan eissing.org>

Reviewed by: ylavic

c89

Allowing protocol_propose hooks to be called with offers=NULL, clarifying semantics as proposed by chaosed0@gmail.com

giving ap_array_index a start parameter, adding ap_array_contains

ap_process_request needs exportation for use in mod_h2 on Windows

final final change to the new ap_array_str_* functions after review

changed Protocols default to http/1.1 only, updated documentation, changed ap_select_protocol() to return NULL when no protocol could be agreed upon

mod_ssl: fix compiler warning (bad cast).

improvements in ap_select_protocol(), supplied by yann ylavic

Submitted by: icing, jorton, ylavic, covener, icing, icing, gsmith, icing, icing, ylavic, icing

Reviewed/backported by: jim

  1. … 16 more files in changeset.
Backport r1690137.

Doc and comment fix only

  1. … 11 more files in changeset.