Doug MacEachern [Thu, 22 Nov 2001 02:23:09 +0000 (02:23 +0000)]
optimize lookup of ssl-{unclean,accurate}-shutdown flags:
- only look through the table once, rather than 2 apr_table_gets()
- case-sensitive and use strcmp() as little as possible
- only lookup once per-connection, as the flags will not change across
keepalive requests
Doug MacEachern [Thu, 22 Nov 2001 01:40:26 +0000 (01:40 +0000)]
return from ssl_callback_LogTracingState if sc->nLogLevel < SSL_LOG_INFO
else there are 5 (expensive!) calls made to ssl_var_lookup on every request
for info that will never be logged
Doug MacEachern [Thu, 22 Nov 2001 00:42:35 +0000 (00:42 +0000)]
get rid of 'apctx' table that used to live in SSL_get_app_data2(ssl)
change app_data2 to be the request_rec itself.
if something needs per-request context in the future,
it can use r->request_config
Doug MacEachern [Thu, 22 Nov 2001 00:25:00 +0000 (00:25 +0000)]
move c->notes.ssl::verify::depth to SSLConnRec.verify_depth
note: may actually be removed unless somebody can figure out why it is in
there to begin with
Doug MacEachern [Wed, 21 Nov 2001 22:58:28 +0000 (22:58 +0000)]
get rid of SSL_get_app_data2_idx() which had a race condition when
writing to app_data2_idx, and another inside OpenSSL when calling
SSL_get_ex_new_index().
add SSL_init_app_data2_idx() to provide the same functionality but in
a safe place: called during ssl_init_Module
Ryan Bloom [Wed, 21 Nov 2001 18:25:40 +0000 (18:25 +0000)]
Fix a bug in our output filter buffering. If a lot of small brigades are
sent, the core will send the first 16 buckets, regardless of how much
data there is. In the pathological case, this can cause a lot of 16
byte packets. Now, if we see less than AP_MIN_BYTES, we combine
all of the buckets into a single bucket to be sent in a later packet.
This can cause a lot of memory copies, but it eases our network traffic.
Jeff Trawick [Wed, 21 Nov 2001 16:22:05 +0000 (16:22 +0000)]
when this module's resolver calls were apr-ized recently we removed
the include of specific system header files; this left the opportunity
for htons() to be undefined... do something explicit for htons() so
we don't have to worry about what apr_network_io.h brings with it
Doug MacEachern [Wed, 21 Nov 2001 03:19:13 +0000 (03:19 +0000)]
Prevent segv in ap_note_basic_auth_failure() when no AuthName is configured
Submitted by: John Sterling <sterling@covalent.net>
Reviewed by: dougm
Bill Stoddard [Tue, 20 Nov 2001 21:34:18 +0000 (21:34 +0000)]
Win32: Move the call to fetch the network addresses into the accept loop
and out of the worker threads. This makes it a bit easier to implement
accept loop processing in modules outside the MPM.
Bill Stoddard [Tue, 20 Nov 2001 19:03:21 +0000 (19:03 +0000)]
Win32 bug fix:
Move call to setsockopt(SO_UPDATE_ACCEPT_CONTEXT) (to cause the accept socket
to inherit the listener attributes) to after a connection has been accepted.
This piece of code prior to this fix was just wrong; not sure why I never
saw warning messages on NT or 2000.
Jeff Trawick [Tue, 20 Nov 2001 18:27:07 +0000 (18:27 +0000)]
Get IPv6 vhosts working (again?).
There were a couple of bogus IPv4-specific comparisons which prevented
the data structures from being built correctly in ap_fini_vhost_config().
One of these (INADDR_ANY) can be easily rewritten to work with IPv6. The
other (DEFAULT_VHOST_ADDR) isn't necessary for IPv6. Note that this is
because we don't support the various flavors of _default_ that
Apache-1.3+KAME-patch supports.
Bradley Nicholes [Mon, 19 Nov 2001 23:33:15 +0000 (23:33 +0000)]
Fixed the AWK script so that it will pick up functions that have been
declared on multiple lines such as create_connection in connection.h.
Otherwise multi-line declared functions are omitted from the export list.
Doug MacEachern [Mon, 19 Nov 2001 22:37:57 +0000 (22:37 +0000)]
add input filter AP_MODE_INIT support to handshake before reading
request data from the client.
Submitted by: dougm
Reviewed by: wrowe
Doug MacEachern [Mon, 19 Nov 2001 22:36:20 +0000 (22:36 +0000)]
add new input filter mode AP_MODE_INIT:
allows filters such as mod_ssl to initialize a client connection
(ie handshake) before reading request data from the client.
Submitted by: dougm
Reviewed by: wrowe
Bill Stoddard [Sat, 17 Nov 2001 07:54:34 +0000 (07:54 +0000)]
Externalize the functions to manage the mpm's queue of completion_contexts.
Now a module can produce to the queue of contexts that the worker threads
consume from.
Aaron Bannert [Fri, 16 Nov 2001 19:24:27 +0000 (19:24 +0000)]
My 2pfennig. I'd like to see more of a technical reason why we should
replace the tried and tested prefork MPM with the newfangled hybrid
threaded/process worker MPM (of which I am one of the more recent
contributors and evangelists).
Aaron Bannert [Fri, 16 Nov 2001 18:28:25 +0000 (18:28 +0000)]
Conversion from old apr_lock_t to new apr_thread_mutex_t
(only converting INTRAPROCESS locks at this time).
I don't see how this used to work, which also means I'm not entirely
sure if it works now. It really didn't look like it was allocating
the correct size before. It compiles and SSL still works in my limited
tests, but I'd appreciate a second opinion.
Ryan Bloom [Thu, 15 Nov 2001 20:55:13 +0000 (20:55 +0000)]
Fix the SSL filter logic. The SSL filter is not a network filter, because
it does not actually do the reading and writing to the network. By
moving that filter to in between CONNECTION and NETWORK filters, we ensure
that SSL is always called before the core.
Ryan Bloom [Thu, 15 Nov 2001 20:49:54 +0000 (20:49 +0000)]
Pull lingering close out of the pool cleanup phase. This was causing too
many bugs. Instead, it is called where it used to be called. I have
abstracted some of the logic out of the lingering close so that it gets
the socket from the connection using the core's conn_config vector. This
is in anticipation of a change to use a hook for the lingering close,
which I hope to do soon.
Ryan Bloom [Thu, 15 Nov 2001 05:05:20 +0000 (05:05 +0000)]
Fix a file descriptor leak in mod_include. When we include a
file, we use a sub-request, but we didn't destroy the sub-request
immediately, instead we waited until the original request was
done. This patch closes the sub-request as soon as the data is
done being generated.
This passes all tests in the test suite.
Submitted by: Brian Pane <bpane@pacbell.net>
Reviewed by: Ryan Bloom and Cliff Woolley
Ryan Bloom [Thu, 15 Nov 2001 04:39:55 +0000 (04:39 +0000)]
FTYPE_CONTENT - 1 isn't enough for OLD_WRITE. OLD_WRITE is a special
filter, and it MUST run absolutely first. To allow other filters a little
space to maneuver, I am moving this to FTYPE_CONTENT - 10.
Submitted by: John Sterling <sterling@covalent.net>
Ryan Bloom [Wed, 14 Nov 2001 23:13:27 +0000 (23:13 +0000)]
Port the worker MPM to the new accept model. This has passed every
test in the test suite (except Limit tests). We waste a bit of space
with the listensocks array, which is the exact same as the ap_listeners
list, but we have done that for a while. I'll fix that soon.
Ryan Bloom [Wed, 14 Nov 2001 21:18:47 +0000 (21:18 +0000)]
Get the proxy module compiling again. This is a hack to get past the
current compiler errors. Basically, the core now puts the socket
in the conn_rec->conn_config vector. The proxy grabs that socket and
uses it where it used to use the client_socket field from the conn_rec.
Long-term, all of the direct socket communication needs to be removed,
and this should go through a filter stack. Short-term, this gets the
proxy working again.
I have tested http and connect, but I haven't looked at the FTP proxy,
although it does compile now.
Aaron Bannert [Wed, 14 Nov 2001 18:56:18 +0000 (18:56 +0000)]
Turns out this is causing problems on my linux box (libtool 1.3.5), so
I'm going to remove it until I or someone else can come up with a better
way to check for and link against libssl and libcrypto for mod_ssl.so.