Doug MacEachern [Wed, 28 Nov 2001 05:05:04 +0000 (05:05 +0000)]
replace strlen(cpVHostMD5) with MD5_DIGESTSIZE*2 in ssl_hook_pre_connection()
since we know the string returned by ap_md5() will always be that length
Doug MacEachern [Wed, 28 Nov 2001 05:00:34 +0000 (05:00 +0000)]
use apr_pstrndup() instead of apr_pstrdup() to avoid a strlen call in
ap_md5_binary, since we know the length of the string is always
MD5_DIGESTSIZE * 2
Doug MacEachern [Wed, 28 Nov 2001 03:15:41 +0000 (03:15 +0000)]
moving chunk of logic that deals with writing ssl data from
ssl_io_filter_Output() to a new ssl_filter_write() function.
this will make it easier to optimize how we deal with file buckets
that cannot be mmaped.
Doug MacEachern [Tue, 27 Nov 2001 23:37:20 +0000 (23:37 +0000)]
implement a custom BIO which allows us to hook SSL_write directly into
an apr_bucket_brigade and use transient buckets with the SSL
malloc-ed buffer, rather than copying into a mem BIO.
also allows us to pass the brigade as data is being written
rather than buffering up the entire response in the mem BIO.
Ian Holsman [Tue, 27 Nov 2001 22:07:09 +0000 (22:07 +0000)]
Change the magic #
as we have changed the conn_rec structure
and have changed the open_log and post_config hook function
Brian Pane [Tue, 27 Nov 2001 08:39:02 +0000 (08:39 +0000)]
Another performance-related change to core_output_filter(): if we
get a long stream of small buckets, so that multiple concatenation
steps are required in a single pass through the brigade, re-use the
buckets from the previous temp brigade when creating the next one.
This allows us to avoid making yet another copy of the previously
concatenated data.
Brian Pane [Tue, 27 Nov 2001 06:35:29 +0000 (06:35 +0000)]
Optimization for core_output_filter: if the iovec is full,
don't try to concatenate buffers if we already have at least
8KB of data ready to send. Instead, just split the brigade
and send what's currently in the iovec.
Changes by Mladen Turk <mturk@mappingsoft.com>, with dialog touchup by
myself [I can't stand misordered dialog interfaces ;], to allow the user
to connect and disconnect remote PCs into the ApacheMonitor.
Needs other mild changes, e.g. machine\service rather than machine@service
[since @ could be part of a service/machine name, slash and backslash may
never be.] And still, the sync behavior leaves something to be desired.
Note one bug - the browse for computer actually won't browse computers,
but that can be fixed in another patch.
Jeff Trawick [Mon, 26 Nov 2001 14:38:03 +0000 (14:38 +0000)]
very minor tweaks:
. convert a comment to English
. zap an unnecessary '.' from a log message
. rearrange the setting of some variables controlling pipes and cmd-type
in the cgi process so that the differences in their values for ssi vs. cgi
can be more readily seen
Brian Pane [Mon, 26 Nov 2001 08:49:29 +0000 (08:49 +0000)]
Another fix for the core_output_filter() code that concatenates
small buckets: It's possible for the temporary brigade to
contain more than one bucket. If this happens, we need to
recover the buckets after the first from the temporary brigade
before destroying it.
Brian Pane [Mon, 26 Nov 2001 03:51:40 +0000 (03:51 +0000)]
Fix for the code in core_output_filter() that concatenates small buckets
into one big bucket...it was putting a pointer to a deleted bucket in
the iovec, so the output was corrupted.
Brian Pane [Sat, 24 Nov 2001 10:52:27 +0000 (10:52 +0000)]
short-circuit out of xbithack_handler immediately if xbithack
isn't enabled, and use strcmp instead of ap_strcmp_match for
comparing against a non-wildcard pattern
Ryan Bloom [Sat, 24 Nov 2001 00:17:01 +0000 (00:17 +0000)]
Fix the cmd command for mod_include. When we are processing
a cmd command, we do not want to use the r->filename to set
the command name. The command comes from the SSI tag. To do this,
I added a variable to the function that builds the command line
in mod_cgi. This allows the include_cmd function to specify
the command line itself.
Ian Holsman [Fri, 23 Nov 2001 23:49:24 +0000 (23:49 +0000)]
Fix post-config hook to return an int.
I left the service start/stop/restart 'exits' in there, and changed the
other ones to return HTTP_INTERNAL_SERVER_ERROR
Aaron Bannert [Fri, 23 Nov 2001 17:45:52 +0000 (17:45 +0000)]
mod_ssl is big and bulky, takes awhile to load, sometimes must wait for
entropy to be collected, and has a nasty little bug that prevents the
server from being started in non-SSL mode. This patch corrects some of
those problems, but is not intended as a workaround for the bug.
Ian Holsman [Fri, 23 Nov 2001 16:35:22 +0000 (16:35 +0000)]
Modify post_config hook so that it can return an error,
causing the server not to start.
previous method was to call exit(1) which would not fail
gracefully
Reviewed by: (Idea only Jeff Trawick)
Doug MacEachern [Thu, 22 Nov 2001 02:23:09 +0000 (02:23 +0000)]
optimize lookup of ssl-{unclean,accurate}-shutdown flags:
- only look through the table once, rather than 2 apr_table_gets()
- case-sensitive and use strcmp() as little as possible
- only lookup once per-connection, as the flags will not change across
keepalive requests
Doug MacEachern [Thu, 22 Nov 2001 01:40:26 +0000 (01:40 +0000)]
return from ssl_callback_LogTracingState if sc->nLogLevel < SSL_LOG_INFO
else there are 5 (expensive!) calls made to ssl_var_lookup on every request
for info that will never be logged
Doug MacEachern [Thu, 22 Nov 2001 00:42:35 +0000 (00:42 +0000)]
get rid of 'apctx' table that used to live in SSL_get_app_data2(ssl)
change app_data2 to be the request_rec itself.
if something needs per-request context in the future,
it can use r->request_config
Doug MacEachern [Thu, 22 Nov 2001 00:25:00 +0000 (00:25 +0000)]
move c->notes.ssl::verify::depth to SSLConnRec.verify_depth
note: may actually be removed unless somebody can figure out why it is in
there to begin with
Doug MacEachern [Wed, 21 Nov 2001 22:58:28 +0000 (22:58 +0000)]
get rid of SSL_get_app_data2_idx() which had a race condition when
writing to app_data2_idx, and another inside OpenSSL when calling
SSL_get_ex_new_index().
add SSL_init_app_data2_idx() to provide the same functionality but in
a safe place: called during ssl_init_Module
Ryan Bloom [Wed, 21 Nov 2001 18:25:40 +0000 (18:25 +0000)]
Fix a bug in our output filter buffering. If a lot of small brigades are
sent, the core will send the first 16 buckets, regardless of how much
data there is. In the pathological case, this can cause a lot of 16
byte packets. Now, if we see less than AP_MIN_BYTES, we combine
all of the buckets into a single bucket to be sent in a later packet.
This can cause a lot of memory copies, but it eases our network traffic.
Jeff Trawick [Wed, 21 Nov 2001 16:22:05 +0000 (16:22 +0000)]
when this module's resolver calls were apr-ized recently we removed
the include of specific system header files; this left the opportunity
for htons() to be undefined... do something explicit for htons() so
we don't have to worry about what apr_network_io.h brings with it
Doug MacEachern [Wed, 21 Nov 2001 03:19:13 +0000 (03:19 +0000)]
Prevent segv in ap_note_basic_auth_failure() when no AuthName is configured
Submitted by: John Sterling <sterling@covalent.net>
Reviewed by: dougm
Bill Stoddard [Tue, 20 Nov 2001 21:34:18 +0000 (21:34 +0000)]
Win32: Move the call to fetch the network addresses into the accept loop
and out of the worker threads. This makes it a bit easier to implement
accept loop processing in modules outside the MPM.
Bill Stoddard [Tue, 20 Nov 2001 19:03:21 +0000 (19:03 +0000)]
Win32 bug fix:
Move call to setsockopt(SO_UPDATE_ACCEPT_CONTEXT) (to cause the accept socket
to inherit the listener attributes) to after a connection has been accepted.
This piece of code prior to this fix was just wrong; not sure why I never
saw warning messages on NT or 2000.
Jeff Trawick [Tue, 20 Nov 2001 18:27:07 +0000 (18:27 +0000)]
Get IPv6 vhosts working (again ?).
There were a couple of bogus IPv4-specific comparisons which prevented
the data structures from being built correctly in ap_fini_vhost_config().
One of these (INADDR_ANY) can be easily rewritten to work with IPv6. The
other (DEFAULT_VHOST_ADDR) isn't necessary for IPv6. Note that this is
because we don't support the various flavors of _default_ that
Apache-1.3+KAME-patch supports.
Bradley Nicholes [Mon, 19 Nov 2001 23:33:15 +0000 (23:33 +0000)]
Fixed the AWK script so that it will pick up functions that have been
declared on multiple lines such as create_connection in connection.h.
Otherwise multi-line declared functions are omitted from the export list.
Doug MacEachern [Mon, 19 Nov 2001 22:37:57 +0000 (22:37 +0000)]
add input filter AP_MODE_INIT support to handshake before reading
request data from the client.
Submitted by: dougm
Reviewed by: wrowe
Doug MacEachern [Mon, 19 Nov 2001 22:36:20 +0000 (22:36 +0000)]
add new input filter mode AP_MODE_INIT:
allows filters such as mod_ssl to initialize a client connection
(ie handshake) before reading request data from the client.
Submitted by: dougm
Reviewed by: wrowe