From 55fa049b9da748a3aaec3a982143888b4c4d33f0 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <icing@apache.org>
Date: Thu, 24 Jan 2019 15:10:34 +0000
Subject: [PATCH] mod_http2: enable re-use of slave connections again.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1852032 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES                         |  2 +
 modules/http2/h2_conn.c         | 21 +++++-----
 modules/http2/h2_mplx.c         |  3 +-
 modules/http2/h2_task.c         |  1 -
 modules/ssl/ssl_engine_kernel.c | 74 +++++++++++++++++++++++----------
 5 files changed, 66 insertions(+), 35 deletions(-)

diff --git a/CHANGES b/CHANGES
index a83bd10ae5..6bee2dd954 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) mod_http2: enable re-use of slave connections again. [Stefan Eissing]
+
   *) mod_proxy_wstunnel: Fix websocket proxy over UDS.
      PR 62932 <pavel dcmsys.com>
   
diff --git a/modules/http2/h2_conn.c b/modules/http2/h2_conn.c
index 827217d903..16b82282cc 100644
--- a/modules/http2/h2_conn.c
+++ b/modules/http2/h2_conn.c
@@ -370,17 +370,16 @@ apr_status_t h2_slave_run_pre_connection(conn_rec *slave, apr_socket_t *csd)
          * (Not necessarily in pre_connection, but later. Set it here, so it
          * is in place.) */
         slave->keepalives = 1;
-        /* We signal that this connection will be closed after the request.
-         * Which is true in that sense that we throw away all traffic data
-         * on this slave connection after each requests. Although we might
-         * reuse internal structures like memory pools.
-         * The wanted effect of this is that httpd does not try to clean up
-         * any dangling data on this connection when a request is done. Which
-         * is unneccessary on a h2 stream.
-         */
-        slave->keepalive = AP_CONN_CLOSE;
-        return ap_run_pre_connection(slave, csd);
     }
-    return APR_SUCCESS;
+    /* We signal that this connection will be closed after the request.
+     * Which is true in that sense that we throw away all traffic data
+     * on this slave connection after each requests. Although we might
+     * reuse internal structures like memory pools.
+     * The wanted effect of this is that httpd does not try to clean up
+     * any dangling data on this connection when a request is done. Which
+     * is unneccessary on a h2 stream.
+     */
+    slave->keepalive = AP_CONN_CLOSE;
+    return ap_run_pre_connection(slave, csd);
 }
 
diff --git a/modules/http2/h2_mplx.c b/modules/http2/h2_mplx.c
index 15ca108cd5..0e764f67f0 100644
--- a/modules/http2/h2_mplx.c
+++ b/modules/http2/h2_mplx.c
@@ -327,7 +327,8 @@ static int stream_destroy_iter(void *ctx, void *val)
                                && !task->rst_error);
             }
             
-            if (reuse_slave && slave->keepalive == AP_CONN_KEEPALIVE) {
+            task->c = NULL;
+            if (reuse_slave) {
                 h2_beam_log(task->output.beam, m->c, APLOG_DEBUG, 
                             APLOGNO(03385) "h2_task_destroy, reuse slave");    
                 h2_task_destroy(task);
diff --git a/modules/http2/h2_task.c b/modules/http2/h2_task.c
index 690250f1f0..f7aa0bdcc4 100644
--- a/modules/http2/h2_task.c
+++ b/modules/http2/h2_task.c
@@ -545,7 +545,6 @@ h2_task *h2_task_create(conn_rec *slave, int stream_id,
 void h2_task_destroy(h2_task *task)
 {
     if (task->output.beam) {
-        h2_beam_log(task->output.beam, task->c, APLOG_TRACE2, "task_destroy");
         h2_beam_destroy(task->output.beam);
         task->output.beam = NULL;
     }
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 1570d8da64..49c46d7e3c 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2308,6 +2308,37 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
 }
 
 #ifdef HAVE_TLSEXT
+
+static apr_status_t set_challenge_creds(conn_rec *c, const char *servername,
+                                        SSL *ssl, X509 *cert, EVP_PKEY *key)
+{
+    SSLConnRec *sslcon = myConnConfig(c);
+    
+    sslcon->service_unavailable = 1;
+    if ((SSL_use_certificate(ssl, cert) < 1)) {
+        ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10086)
+                      "Failed to configure challenge certificate %s",
+                      servername);
+        return APR_EGENERAL;
+    }
+    
+    if (!SSL_use_PrivateKey(ssl, key)) {
+        ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10087)
+                      "error '%s' using Challenge key: %s",
+                      ERR_error_string(ERR_peek_last_error(), NULL), 
+                      servername);
+        return APR_EGENERAL;
+    }
+    
+    if (SSL_check_private_key(ssl) < 1) {
+        ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10088)
+                      "Challenge certificate and private key %s "
+                      "do not match", servername);
+        return APR_EGENERAL;
+    }
+    return APR_SUCCESS;
+}
+  
 /*
  * This function sets the virtual host from an extended
  * client hello with a server name indication extension ("SNI", cf. RFC 6066).
@@ -2337,30 +2368,12 @@ static apr_status_t init_vhost(conn_rec *c, SSL *ssl)
                 return APR_SUCCESS;
             }
             else if (ssl_is_challenge(c, servername, &cert, &key)) {
-            
-                sslcon->service_unavailable = 1;
-                if ((SSL_use_certificate(ssl, cert) < 1)) {
-                    ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10086)
-                                  "Failed to configure challenge certificate %s",
-                                  servername);
+                /* With ACMEv1 we can have challenge connections to a unknown domains
+                 * that need to be answered with a special certificate and will
+                 * otherwise not answer any requests. */
+                if (set_challenge_creds(c, servername, ssl, cert, key) != APR_SUCCESS) {
                     return APR_EGENERAL;
                 }
-                
-                if (!SSL_use_PrivateKey(ssl, key)) {
-                    ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10087)
-                                  "error '%s' using Challenge key: %s",
-                                  ERR_error_string(ERR_peek_last_error(), NULL), 
-                                  servername);
-                    return APR_EGENERAL;
-                }
-                
-                if (SSL_check_private_key(ssl) < 1) {
-                    ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10088)
-                                  "Challenge certificate and private key %s "
-                                  "do not match", servername);
-                    return APR_EGENERAL;
-                }
-                
             }
             else {
                 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02044)
@@ -2653,6 +2666,23 @@ int ssl_callback_alpn_select(SSL *ssl,
                           proposed);
             return SSL_TLSEXT_ERR_ALERT_FATAL;
         }
+        
+        /* protocol was switched, this could be a challenge protocol such as "acme-tls/1".
+         * For that to work, we need to allow overrides to our ssl certificate. 
+         * However, exclude challenge checks on our best known traffic protocol.
+         * (http/1.1 is the default, we never switch to it anyway.)
+         */
+        if (strcmp("h2", proposed)) {
+            const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
+            X509 *cert;
+            EVP_PKEY *key;
+            
+            if (ssl_is_challenge(c, servername, &cert, &key)) {
+                if (set_challenge_creds(c, servername, ssl, cert, key) != APR_SUCCESS) {
+                    return SSL_TLSEXT_ERR_ALERT_FATAL;
+                }
+            }
+        }
     }
 
     return SSL_TLSEXT_ERR_OK;
-- 
2.50.1