www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

* Restore SSL dumping for OpenSSL >= 3.0.

Browse Source 
Since r1908537 BIO_set_callback_ex is used with OpenSSL >= 3.0 instead of
  BIO_set_callback to set the BIO callback. The meaning of parameters and
  their range of values in the callback function set by BIO_set_callback_ex
  has changed compared to the callback function set by BIO_set_callback
  although parameters kept their names. Accommodate for this and adjust the
  code accordingly.
  Furthermore limit the size of dumps to APR_UINT16_MAX bytes. Given the length
  of SSL records of 16k this should not have practical implications.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1918880 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Ruediger Pluem
2024-07-03 14:37:10 +00:00
parent fbe782e6c4
commit f49a28d75d
1 changed files with 47 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
modules/ssl/ssl_engine_io.c
View File

@@ -2308,7 +2308,7 @@ void ssl_io_filter_register(apr_pool_t *p)
#define DUMP_WIDTH 16 #define DUMP_WIDTH 16
static void ssl_io_data_dump(conn_rec *c, server_rec *s, static void ssl_io_data_dump(conn_rec *c, server_rec *s,
const char *b, long len) const char *b, int len)
{ {
char buf[256]; char buf[256];
int i, j, rows, trunc, pos; int i, j, rows, trunc, pos;
@@ -2361,11 +2361,13 @@ static void ssl_io_data_dump(conn_rec *c, server_rec *s,
} }
if (trunc > 0) if (trunc > 0)
ap_log_cserror(APLOG_MARK, APLOG_TRACE7, 0, c, s, ap_log_cserror(APLOG_MARK, APLOG_TRACE7, 0, c, s,
"| %04ld - <SPACES/NULS>", len + trunc); "| %04d - <SPACES/NULS>", len + trunc);
ap_log_cserror(APLOG_MARK, APLOG_TRACE7, 0, c, s, ap_log_cserror(APLOG_MARK, APLOG_TRACE7, 0, c, s,
"+-------------------------------------------------------------------------+"); "+-------------------------------------------------------------------------+");
} }
#define MODSSL_IO_DUMP_MAX APR_UINT16_MAX
#if OPENSSL_VERSION_NUMBER >= 0x30000000L #if OPENSSL_VERSION_NUMBER >= 0x30000000L
static long modssl_io_cb(BIO *bio, int cmd, const char *argp, static long modssl_io_cb(BIO *bio, int cmd, const char *argp,
size_t len, int argi, long argl, int rc, size_t len, int argi, long argl, int rc,
@@ -2379,9 +2381,9 @@ static long modssl_io_cb(BIO *bio, int cmd, const char *argp,
conn_rec *c; conn_rec *c;
server_rec *s; server_rec *s;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L #if OPENSSL_VERSION_NUMBER >= 0x30000000L
(void)len; (void)argi;
(void)processed;
#endif #endif
(void)argl;
if ((ssl = (SSL *)BIO_get_callback_arg(bio)) == NULL) if ((ssl = (SSL *)BIO_get_callback_arg(bio)) == NULL)
return rc; return rc;
@@ -2391,27 +2393,58 @@ static long modssl_io_cb(BIO *bio, int cmd, const char *argp,
if ( cmd == (BIO_CB_WRITE|BIO_CB_RETURN) if ( cmd == (BIO_CB_WRITE|BIO_CB_RETURN)
|| cmd == (BIO_CB_READ |BIO_CB_RETURN) ) { || cmd == (BIO_CB_READ |BIO_CB_RETURN) ) {
if (rc >= 0) { #if OPENSSL_VERSION_NUMBER >= 0x30000000L
apr_size_t requested_len = len;
/*
* On OpenSSL >= 3 rc uses the meaning of the BIO_read_ex and
* BIO_write_ex functions return value and not the one of
* BIO_read and BIO_write. Hence 0 indicates an error.
*/
int ok = (rc > 0);
#else
apr_size_t requested_len = (apr_size_t)argi;
int ok = (rc >= 0);
#endif
if (ok) {
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
apr_size_t actual_len = *processed;
#else
apr_size_t actual_len = (apr_size_t)rc;
#endif
const char *dump = ""; const char *dump = "";
if (APLOG_CS_IS_LEVEL(c, s, APLOG_TRACE7)) { if (APLOG_CS_IS_LEVEL(c, s, APLOG_TRACE7)) {
if (argp != NULL) if (argp == NULL)
dump = "(BIO dump follows)";
else
dump = "(Oops, no memory buffer?)"; dump = "(Oops, no memory buffer?)";
else if (actual_len > MODSSL_IO_DUMP_MAX)
dump = "(BIO dump follows, truncated to "
APR_STRINGIFY(MODSSL_IO_DUMP_MAX) ")";
else
dump = "(BIO dump follows)";
} }
ap_log_cserror(APLOG_MARK, APLOG_TRACE4, 0, c, s, ap_log_cserror(APLOG_MARK, APLOG_TRACE4, 0, c, s,
"%s: %s %ld/%d bytes %s BIO#%pp [mem: %pp] %s", "%s: %s %" APR_SIZE_T_FMT "/%" APR_SIZE_T_FMT
" bytes %s BIO#%pp [mem: %pp] %s",
MODSSL_LIBRARY_NAME, MODSSL_LIBRARY_NAME,
(cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"), (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"),
(long)rc, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "to" : "from"), actual_len, requested_len,
(cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "to" : "from"),
bio, argp, dump); bio, argp, dump);
if (*dump != '\0' && argp != NULL) /*
ssl_io_data_dump(c, s, argp, rc); * *dump will only be != '\0' if
* APLOG_CS_IS_LEVEL(c, s, APLOG_TRACE7)
*/
if (*dump != '\0' && argp != NULL) {
int dump_len = (actual_len >= MODSSL_IO_DUMP_MAX
? MODSSL_IO_DUMP_MAX
: actual_len);
ssl_io_data_dump(c, s, argp, dump_len);
}
} }
else { else {
ap_log_cserror(APLOG_MARK, APLOG_TRACE4, 0, c, s, ap_log_cserror(APLOG_MARK, APLOG_TRACE4, 0, c, s,
"%s: I/O error, %d bytes expected to %s on BIO#%pp [mem: %pp]", "%s: I/O error, %" APR_SIZE_T_FMT
MODSSL_LIBRARY_NAME, argi, " bytes expected to %s on BIO#%pp [mem: %pp]",
MODSSL_LIBRARY_NAME, requested_len,
(cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"), (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"),
bio, argp); bio, argp);
} }