ssl_engine_io.c

Follow up to r1859371: extend to other ap_proxy_connection_create[_ex]() users.

This function now handles SSL reuse as well as the "proxy-request-hostname" note (SNI), so let's also call it unconditionally in all proxy modules.

On the mod_ssl side, since this note has the lifetime of the connection, don't reset/unset it during handshake (ssl_io_filter_handshake).

* modules/ssl/ssl_engine_io.c (bio_filter_out_write, bio_filter_in_read): Clear retry flags before aborting on client-initiated reneg.

PR: 63052

Revert r1844928 and follow up r1844942.

Actually *len can be > 0 here, at least without a change I'm working on but now think should be discussed first probably. Anyway r1844928 alone is broken, just rollback for now.

mod_ssl: follow up to r1844928: revert an unintentional change.

mod_ssl: axe dead code.

No functional change, we never get there when *len > 0.

mod_ssl: follow up to r1844779: fix rollback in char_buffer_consume().

This needs the same bucket insertion code as in char_buffer_write(), so define a new char_buffer_insert() helper.

mod_ssl: bind buffered data to filter's pending data.

Otherwise they are not considered by ap_filter_input_pending() and pipelining is not detected (MPM event times out).

SSL_read() doesn't distinguish between return value 0 and <0, at least not for OpenSSL 1.1.1. This is documented in the man page for SSL_read and led to h2 failures when using OpenSSL 1.1.1.

When no data could be read, our code returned EAGAIN up until OpenSSL 1.1.0, but APR_EOF for OpenSSL 1.1.1.

Now instead check SSL_get_error() also when SSL_read() returns 0.

To keep changes small, this change should not influence behavior, when (rc=SSL_read()):

- rc < 0
- rc == 0 && *len > 0
- rc == 0 &&
  (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc)) &&
  inctx->block == APR_NONBLOCK_READ

Behavior changes if

- rc == 0 &&
  !(APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc)) &&
  !*len > 0

Instead of APR_EOF:

- same behavior as rc < 0 for SSL_ERROR_WANT_READ
- same behavior as rc < 0 for SSL_ERROR_SYSCALL && APR_STATUS_IS_EAGAIN(inctx->rc)

Another change is that rc == 0 && ssl_err == SSL_ERROR_ZERO_RETURN also results in APR_EOF.
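The decision described in the commit message above, as an added stand-alone C model (not httpd's, APR's or OpenSSL's code): the SSL_ERROR_*, APR status and block-mode values are locally defined stand-ins so it compiles without either library, and the pre-fix mapping is kept beside the new one to show where a bare 0 return used to be mistaken for end of stream.

```c
#include <stddef.h>

/* Constructed stand-ins for OpenSSL and APR values (model only, not the real headers). */
enum { SSL_ERROR_NONE, SSL_ERROR_ZERO_RETURN, SSL_ERROR_WANT_READ,
       SSL_ERROR_SYSCALL, SSL_ERROR_SSL };
enum { APR_SUCCESS, APR_EAGAIN, APR_EINTR, APR_EOF, APR_EGENERAL };
enum { APR_BLOCK_READ, APR_NONBLOCK_READ };

typedef struct {
    int rc;     /* status of the underlying socket read (inctx->rc in the message) */
    int block;  /* APR_BLOCK_READ or APR_NONBLOCK_READ */
} read_ctx;

/* Post-fix mapping: rc is what SSL_read() returned, ssl_err what SSL_get_error()
 * reported for that call, len the bytes already accumulated for the caller. */
static int classify_ssl_read(int rc, int ssl_err, const read_ctx *in, size_t len)
{
    if (rc > 0 || (rc == 0 && len > 0))
        return APR_SUCCESS;              /* data is available for the caller */

    if (rc == 0 && (in->rc == APR_EAGAIN || in->rc == APR_EINTR)
            && in->block == APR_NONBLOCK_READ)
        return APR_EAGAIN;               /* unchanged: nothing yet, retry later */

    /* rc < 0, or rc == 0 with nothing buffered. OpenSSL 1.1.1 reports "no data"
     * as 0 as well, so both cases are now decided by SSL_get_error(). */
    switch (ssl_err) {
    case SSL_ERROR_WANT_READ:
        return APR_EAGAIN;
    case SSL_ERROR_SYSCALL:
        return (in->rc == APR_EAGAIN) ? APR_EAGAIN : APR_EGENERAL;
    case SSL_ERROR_ZERO_RETURN:
        return APR_EOF;                  /* clean close_notify from the peer */
    default:
        return APR_EGENERAL;
    }
}

/* Pre-fix mapping for comparison: rc == 0 with nothing buffered and no pending
 * EAGAIN/EINTR was reported as end of stream without consulting SSL_get_error(). */
static int classify_ssl_read_old(int rc, int ssl_err, const read_ctx *in, size_t len)
{
    if (rc == 0 && !(len > 0)
            && !((in->rc == APR_EAGAIN || in->rc == APR_EINTR)
                 && in->block == APR_NONBLOCK_READ))
        return APR_EOF;
    return classify_ssl_read(rc, ssl_err, in, len);
}
```

The interesting case is a 0 return with SSL_ERROR_WANT_READ on a blocking-mode context and nothing buffered: the old mapping ends the stream, the new one asks for a retry.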

core: always allocate filters (ap_filter_t) on f->c->pool.

When filters are allocated on f->r->pool, they may be destroyed any time underneath themselves which makes it hard for them to be passed the EOR and forward it (*f can't be dereferenced anymore when the EOR is destroyed, thus before request filters return).

On the util_filter side, it also makes it impossible to flush pending request filters when they have set aside the EOR, since f->bb can't be accessed after it's passed to the f->next.

So we always use f->c->pool to allocate filters and pending brigades, and to avoid leaks with keepalive requests (long living connections handling multiple requests), filters and brigades are recycled with a cleanup on f->r->pool.

Recycling is done (generically) with a spare data ring (void pointers), and a filter(s) context struct is associated with the conn_rec to maintain the rings by connection, that is:

    struct ap_filter_conn_ctx {
        struct ap_filter_ring *pending_input_filters;
        struct ap_filter_ring *pending_output_filters;
        struct ap_filter_spare_ring *spare_containers,
                                    *spare_brigades,
                                    *spare_filters,
                                    *spare_flushes;
        int flushing;
    };

MMN major bumped (again).

mod_proxy: follow up to r1645529: 502 in case of SSL handshake failure.

Make the SSL filters chain return an error when the handshake fails with an origin server. It can then be caught by mod_proxy to fail with 502.

core: core output filter optimizations.

The core output filter used to determine first if it needed to block before trying to send its data (including set aside ones), and if so it did call send_brigade_blocking().

This can be avoided by making send_brigade_nonblocking() send as much data as possible (nonblocking), and only if data remain check whether they should be flushed (blocking), according to the same ap_filter_reinstate_brigade() heuristics but afterward.

This allows both to simplify the code (axe send_brigade_blocking and some duplicated logic) and optimize sends since send_brigade_nonblocking() is now given all the buckets so it can make use of scatter/gather (iovec) or NOPUSH option with the whole picture.

When sendfile is available and/or with fine tuning of FlushMaxThreshold (and ReadBufferSize) from r1836032, one can now take advantage of modern network speeds and bandwidth.

This commit also adds some APLOG_TRACE6 messages for output bytes (including at mod_ssl level since splitting happens there when it's active).

mod_ssl, ab: compatibility with LibreSSL. PR 61184.

LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with all of the latest OpenSSL 1.1 API.

Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for anything but OpenSSL >= 1.1 (for now).

Proposed by: Bernard Spil <brnrd freebsd.org>

Reviewed by: ylavic

mod_ssl: fix ctx passed to ssl_io_filter_error()

Consistently pass the expected bio_filter_in_ctx_t to ssl_io_filter_error().

Submitted By: Yann Ylavic

CVEID: CVE-2017-3169

mod_ssl: don't depend on the next output filters to cleanup the passed out brigades.

ssl: clear the error queue before SSL_read/write/accept()

If other modules or libraries do not clear the OpenSSL error queue after a failed operation, other code that relies on SSL_get_error() -- in particular, code that deals with SSL_ERROR_WANT_READ/WRITE logic -- will malfunction later on. To prevent this, explicitly clear the error queue before calls like SSL_read/write/accept().

PR: 60223

Submitted by: Paul Spangler <paul.spangler ni.com>

Fix spelling in comments and text files.

No functional change.

PR 59990

Correct the behavior and interaction between SSLProxyCheckPeer[CN|Name], such that disabling either disables both, and that enabling either will trigger the more comprehensive SSLProxyCheckPeerName behavior.

Only a single configuration remains to enable the legacy behavior, which is to explicitly disable SSLProxyCheckPeerName and enable SSLProxyCheckPeerCN.

Changes to the proxy config directives lead us to a different 2.4 fix...

https://github.com/wrowe/patches/blob/master/fix_proxy_check_peer-2.4.x.patch

mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections, allowing per backend TLS configuration.

Support for OpenSSL 1.1.0:

- BIO was made opaque after OpenSSL 1.1.0pre4.

mod_ssl: follow up to r1729208: add missing APLOGNO()s.

apr_strtok minor invocation change to maybe what everyone is used to

* Fix compiler warning of unused variable

let proxy handler forward ALPN protocol strings for ssl proxy connections

Fix some duplicate definitions

handling TIMEUP on SSL inputs by allowing later retries

Added many log numbers to log statements that had none.

Those were not detected by the coccinelle script.

mod_ssl: follow up to r1723122, r1723143.

s/endb/upto/ in ssl_io_filter_coalesce() and update CHANGES to include r1723143.

mod_ssl: follow up to r1723122.

Coalesce when (subsequent brigade's) data bucket is not last (likely followed by FLUSH or EOS) but we have buffered data already.

mod_ssl: Avoid one TLS record (application data) fragmentation by including the last suitable bucket when coalescing.

mod_ssl: fix build with openssl < 0.9.8m (missing semicolon).

Reported by: Petr Gajdos <pgajdos suse.cz>