Ruediger Pluem [Tue, 16 Oct 2018 12:55:01 +0000 (12:55 +0000)]
* Correctly merge configurations that have client certificates set
by SSLProxyMachineCertificate{File|Path}.
The certificates and keys loaded during configuration time got lost during
runtime if e.g. SSLProxyMachineCertificate{File|Path} was set on virtual host
level and there was an SSL directive at directory level, e.g. SSLRequire.
This fixes a regression likely introduced in r1740928.
Rainer Jung [Mon, 15 Oct 2018 21:14:21 +0000 (21:14 +0000)]
SSL_read() doesn't distinguish between return value 0 and <0,
at least not for OpenSSL 1.1.1. This is documented in the man
page for SSL_read and let to h2 failures when using OpenSSL 1.1.1.
When no data could be read, our code returned EAGAIN up until
OpenSSL 1.1.0, but APR_EOF for OpenSSL 1.1.1.
Now instead check SSL_get_error() also when SSL_read() returns 0.
To keep changes small, this change should not influence behavior,
when (rc=SSL_read()):
- rc < 0
- rc == 0 && *len > 0
- rc == 0 &&
(APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc) &&
inctx->block == APR_NONBLOCK_READ
Behavior changes if
- rc == 0 &&
!(APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc) &&
!*len > 0
Instead of APR_EOF:
- same behavior as rc < 0 for SSL_ERROR_WANT_READ
- same behavior as rc < 0 for SSL_ERROR_SYSCALL && APR_STATUS_IS_EAGAIN(inctx->rc)
Another change is that rc == 0 && ssl_err == SSL_ERROR_ZERO_RETURN
also results in APR_EOF.
Ruediger Pluem [Mon, 15 Oct 2018 19:25:20 +0000 (19:25 +0000)]
* Ensure that aborted connections are logged as such.
Set c->aborted before apr_brigade_cleanup to have the correct status
when logging the request as apr_brigade_cleanup triggers the logging
of the request if it contains an EOR bucket.
Luca Toscano [Sat, 13 Oct 2018 12:10:49 +0000 (12:10 +0000)]
md_acme_drive.c: remove unused variable
Compiling in maintainer mode leads to a failure
due to challenges_configured initialized but
not used. Removing it seems harmless, Stefan
please let me know if this is not the case.
Stefan Eissing [Thu, 11 Oct 2018 11:22:55 +0000 (11:22 +0000)]
On the trunk:
mod_md: eliminating compiler warnings re signedness and unused. Adding a APLOG_WARNING
when the only available ACME challenge is "tls-sni-01" since Let's Encrypt will
disable that completely beginning of 2019.
Eric Covener [Wed, 10 Oct 2018 21:47:53 +0000 (21:47 +0000)]
mpm_event: avoid AH00484 with idle threads
mpm_event: Stop issuing AH00484 "server reached MaxRequestWorkers..." when
there are still idle threads available. When there are less idle threads than
MinSpareThreads, issue new one-time message AH10159. Matches worker MPM.
Stefan Eissing [Wed, 10 Oct 2018 11:35:48 +0000 (11:35 +0000)]
mod_http2: adding defensive code for stream EOS handling, in case the request handler
missed to signal it the normal way (eos buckets). Addresses github issues
https://github.com/icing/mod_h2/issues/164, https://github.com/icing/mod_h2/issues/167
and https://github.com/icing/mod_h2/issues/170.
Luca Toscano [Tue, 9 Oct 2018 12:29:08 +0000 (12:29 +0000)]
mod_session_cookie: avoid adding the Set-Cookie header
in both r->headers_out and r->err_headers_out
to avoid duplication.
In session_cookie_save it seems that ap_cookie_write is called
with r->headers_out and r->err_headers_out, ending up in the same
Set-Cookie header on both tables and eventually duplicated in the
HTTP response. I took Emmanuel's patch and trimmed out the bits
that remove the header only from r->err_headers_out (leaving it
to do the work on both tables) as attempt to change this bit of code
in the most conservative way as possible. Sending a commit for
a broader review.
Evgeny Kotkov [Tue, 9 Oct 2018 12:16:08 +0000 (12:16 +0000)]
mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified
responses allowing these modules to properly set or fix-up the response
headers such as Vary or ETag.
This change follows up on r1837056 that disabled that special handling and
thus resulted in a potential violation of RFC7232, 4.1:
The server generating a 304 response MUST generate any of the following
header fields that would have been sent in a 200 (OK) response to the
same request: Cache-Control, Content-Location, Date, ETag, Expires,
and Vary.)
Joe Orton [Fri, 5 Oct 2018 12:06:27 +0000 (12:06 +0000)]
* modules/ldap/util_ldap_cache_mgr.c (util_ald_create_caches): Destroy
rather than leak caches if all three cannot be allocated (Coverity
warning). Remove unnecessary pointer.
Joe Orton [Fri, 5 Oct 2018 10:17:18 +0000 (10:17 +0000)]
* modules/slotmem/mod_slotmem_shm.c (restore_slotmem): Remove
redundant assignment (clang warning), the apr_file_eof(fp)=>APR_EOF
case assigns rv to APR_EOF and then to APR_SUCCESS after already.
Ruediger Pluem [Mon, 1 Oct 2018 18:21:18 +0000 (18:21 +0000)]
* Pickup the proxy related configuration for verify mode and verify depth and
not the configuration settings for frontend connections in case of
connections by the proxy to the backend.
* dav_stream_response processes data that has been allocated from the propdb
pool. Hence close the propdb *after* dav_stream_response which clears thei
probdb pool.
* Doing a PROPFIND on a large collection e.g. 50.000 elements can easily
consume 1 GB of memory as the subrequests and propdb pools are not
destroyed and cleared after each element was handled.
Do this now. There is one case in dav_get_props where elem->priv
lives longer then the propdb pool. In this case allocate from r->pool.
Furthermore also recycle propdb's which allows to clear the propdb's
pools instead of destroying them and creating them again.
Joe Orton [Tue, 18 Sep 2018 11:05:43 +0000 (11:05 +0000)]
* modules/ssl/ssl_engine_kernel.c (ssl_check_post_client_verify):
Retrieve and set sslconn->client_cert here for both "modern" and
classic access control.
(ssl_hook_Access_classic, ssl_hook_Access_modern, ssl_hook_Access):
Restore SSLRequire and FakeBasicAuth checks to ssl_hook_Access so tests
are still applied for TLSv1.3.
Joe Orton [Wed, 12 Sep 2018 15:54:24 +0000 (15:54 +0000)]
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol):
Disable AUTO_RETRY mode for OpenSSL 1.1.1, which fixes
post-handshake authentication.
(ssl_init_proxy_certs): Fix proxy client cert support with
TLSv1.3, which is now crippled by default.
Follow up to r1840265: really privatize ap_filter_{recycle,adopt_brigade}().
Move ap_filter_adopt_brigade()'s declaration to "server/core.h" (private).
For ap_filter_recycle(), make it static/internal to util_filter (renamed to
recycle_dead_filters() which better fits what it does). It's now also called
unconditionally from ap_filter_input_pending() which itself is always called
after the request processing and from MPM event (as input_pending hook).
Joe Orton [Tue, 11 Sep 2018 16:01:47 +0000 (16:01 +0000)]
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Fail with
403 if SSL_verify_client_post_handshake() fails, e.g. when the
TLS/1.3 client didn't send the Post-Handshake Authentication
extension.
Joe Orton [Tue, 11 Sep 2018 12:57:36 +0000 (12:57 +0000)]
* modules/arch/unix/mod_systemd.c (systemd_pre_mpm, systemd_monitor):
Ignore sd_notify{,f} failure cases as currently recommended by the
systemd API docs.
Joe Orton [Tue, 11 Sep 2018 12:53:30 +0000 (12:53 +0000)]
* modules/arch/unix/mod_systemd.c (systemd_post_config): Fix systemd
service getting stuck reloading if "ExtendedStatus off" is
configured; regression in r1802251.
Follow up to r1840149: core input filter pending data.
Since r1840149 ap_core_input_filter() can't use use f->[priv->]bb directly, so
ap_filter_input_pending() stopped accounting for its pending data.
But ap_core_input_filter() can't (and doesn't need to) setaside its socket
bucket, so ap_filter_setaside_brigade() is not an option. This commit adds
ap_filter_adopt_brigade() which simply moves the given buckets (brigade) into
f->priv->bb, and since this is not something to be done blindly (the buckets
need to have c->pool/bucket_alloc lifetime, which is the case in the core
filter) the function is not AP_DECLAREd/exported thus can be used in core only.
With ap_filter_adopt_brigade() and ap_filter_reinstate_brigade(), the core
input is now ap_filter_input_pending() friendly.
Also, ap_filter_recycle() is no more part of the API (AP_DECLARE removed too),
there really is no point to call it outside core code. MAJOR bumped once again
because of this.
Eric Covener [Thu, 6 Sep 2018 15:24:29 +0000 (15:24 +0000)]
fix StrictHostCheck in single/non-NVH vhosts
While all VH'es are NVH'es in 2.4 and later, something special happens
once a second NVH in a set is added. This case covers the
global server config scenario as well.
util_filter: protect ap_filter_t private fields from external (ab)use.
Introduce opaque struct ap_filter_private to move ap_filter_t "pending", "bb"
and "deferred_pool" fields to the "priv" side of things.
This allows to trust values set internally (only!) in util_filter code, and
make useful assertions between the different functions calls, along with the
usual nice extensibility property.
Likewise, the private struct ap_filter_conn_ctx in conn_rec (from r1839997)
allows now to implement the new ap_acquire_brigade() and ap_release_brigade()
functions useful to get a brigade with c->pool's lifetime. They obsolete
ap_reuse_brigade_from_pool() which is replaced where previously used.
Some comments added in ap_request_core_filter() regarding the lifetime of the
data it plays with, up to EOR...
core: follow up to r1839997: some runtime optimizations.
We don't mind about cleaning up a connection filter when its pool is being
cleaned up already. For request filters, let pending_filter_cleanup() do
nothing if the given filter is not pending (anymore), which allows to save a
cleanup kill when the filter is removed.
Clear (zero) the reused filters (ap_filter_t) on reuse rather than cleanup,
then a single APR_RING_CONCAT() can be used to recycle dead_filters in a one
go.
Always call ap_filter_recycle() in ap_filter_output_pending(), even if no
filter is pending, and while at it fix s/ap_filter_recyle/ap_filter_recycle/
silly typo.
Stefan Eissing [Tue, 4 Sep 2018 08:29:11 +0000 (08:29 +0000)]
On the trunk:
mod_http2: connection IO event handling reworked. Instead of reacting on
incoming bytes, the state machine now acts on incoming frames that are
affecting it. This reduces state transitions.
core: follow up to r1839997: recycle request filters to a delayed ring first.
We want not only ap_filter_output_pending() to be able to access each pending
filter's *f after the EOR is destroyed, but also each request filter to do
the same until it returns.
So request filters are now always cleaned up into a dead_filters ring which is
merged into spare_filters only when ap_filter_recycle() is called explicitely,
that is in ap_process_request_after_handler() and ap_filter_output_pending().
The former takes care of recycling at the end of the request, with any MPM,
while the latter keeps recycling during MPM event's write completion.
core: always allocate filters (ap_filter_t) on f->c->pool.
When filters are allocated on f->r->pool, they may be destroyed any time
underneath themselves which makes it hard for them to be passed the EOR and
forward it (*f can't be dereferenced anymore when the EOR is destroyed, thus
before request filters return).
On the util_filter side, it also makes it impossible to flush pending request
filters when they have set aside the EOR, since f->bb can't be accessed after
it's passed to the f->next.
So we always use f->c->pool to allocate filters and pending brigades, and to
avoid leaks with keepalive requests (long living connections handling multiple
requests), filters and brigades are recycled with a cleanup on f->r->pool.
Recycling is done (generically) with a spare data ring (void pointers), and a
filter(s) context struct is associated with the conn_rec to maintain the rings
by connection, that is:
util_filter: split pending filters ring in two: input and output ones.
Pending input and output are now maintained separately in respectively
c->pending_input_filters and c->pending_output_filters, which improves
both performances and debug-ability.
Also, struct ap_filter_ring is made opaque, it's only used by util_filter
and this will allow us to later change it e.g. to a dual ring+apr_hash to
avoid quadratic search in ap_filter_prepare_brigade().
MMN major bumped due to the change in conn_rec (this is trunk only code
anyway for now).
Yann Ylavic [Wed, 29 Aug 2018 12:27:31 +0000 (12:27 +0000)]
MPMs: early initialize scoreboard's child generation number.
Since [mpm]_note_child_killed uses the scoreboard's generation number for
child_status hook (MPM_CHILD_EXITED), we must initialize it early (i.e. in
[mpm]_note_child_started where MPM_CHILD_STARTED is set) to avoid race
conditions on restart (e.g. storm/loop of restarts) leading to AH00546.
projects / apache / log