mirror of https://github.com/apache/httpd.git synced 2025-08-02 18:26:38 +03:00

296 Commits

Author SHA1 Message Date
0cfc8c3134 mod_ssl: Let modssl_set_io_callbacks() decide which callback is needed.
* modules/ssl/ssl_private.h:
  Add conn_rec and server_rec args to modssl_set_io_callbacks().

* modules/ssl/ssl_engine_io.c(modssl_set_io_callbacks):
  Don't set modssl_io_cb for log levels below TRACE4.

* modules/ssl/ssl_engine_io.c(ssl_io_filter_init),
  modules/ssl/ssl_engine_kernel.c(ssl_find_vhost):
  Call modssl_set_io_callbacks() unconditionally.

* modules/ssl/ssl_engine_io.c(modssl_io_cb):
  While at it, (cmd & BIO_CB_WRITE) is enough to differentiate a
  write from read.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1918883 13f79535-47bb-0310-9956-ffa450edef68
2024-07-03 15:06:32 +00:00
f49a28d75d * Restore SSL dumping for OpenSSL >= 3.0.
Since r1908537 BIO_set_callback_ex is used with OpenSSL >= 3.0 instead of
  BIO_set_callback to set the BIO callback. The meaning of parameters and
  their range of values in the callback function set by BIO_set_callback_ex
  has changed compared to the callback function set by BIO_set_callback
  although parameters kept their names. Accommodate for this and adjust the
  code accordingly.
  Furthermore limit the size of dumps to APR_UINT16_MAX bytes. Given the length
  of SSL records of 16k this should not have practical implications.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1918880 13f79535-47bb-0310-9956-ffa450edef68
2024-07-03 14:37:10 +00:00
1e06568a28 mod_ssl: Fix deprecation warnings with openssl-3.
* mod_ssl_openssl.h:
  Make it the first openssl header to be included, selecting the
  OpenSSL api based on OPENSSL_API_COMPAT eventually.

* ssl_private.h:
  Define OPENSSL_API_COMPAT to version 1.1.1 (last one supporting ENGINE_ API)
  before including mod_ssl_openssl.h to enable the ENGINE_ api (TODO: switch to
  new "providers" api before the ENGINE_ api is abandoned..).
  mod_ssl.h is now implicitly included from there.
  Fix preprocessor "#define FOO (COND)" to "#if COND #define FOO 1 #else #define FOO 0".
  Define MODSSL_HAVE_ENGINE_API iff OPENSSL_API_COMPAT < 3.0 (otherwise all the
  engine features are disabled, only "builtin" is accepted).
  Define HAVE_SRP iff OPENSSL_API_COMPAT < 3.0 (no replacement for this api
  above, so it might not be implemented in httpd anymore at some point..).
  Define X509_get_not{Before,After} if missing to the non deprecated version.
  New modssl_set_io_callbacks() to factorize compat code for io callbacks.
  ssl_dh_GetParamFromFile() becomes modssl_dh_from_file() for openssl < 3.0 and
  modssl_dh_pkey_from_file() for openssl >= 3.0.

* mod_ssl.c, mod_ssl_ct.c, ssl_util_stapling:
  Including "ssl_private.h" only is suited/enough now.
  
* mod_ssl_ct.c, ssl_ct_log_config:
  Use EVP api with openssl >= 3 instead of the deprecated SHA256 one.

* ssl_engine_config.c(ssl_cmd_SSLCryptoDevice):
  Disable engines (besides NULL/"builtin"/NULL) unless MODSSL_HAVE_ENGINE_API.

* ssl_engine_init:
  New compat modssl_runtime_lib_version() to address deprecated SSLeay().
  ssl_init_Engine() does nothing unless MODSSL_HAVE_ENGINE_API.
  Simplify ssl_init_server_certs() (less #ifdef-ery) with scoped local vars.
  Compat loading DH parameters and EC curve from cert.

* ssl_engine_io.c, ssl_engine_kernel.c:
  Implement common modssl_set_io_callbacks() and use it.

* ssl_engine_pphrase(modssl_load_engine_keypair):
  Depend on MODSSL_HAVE_ENGINE_API, or return ENOTIMPL.

* ssl_util.c(modssl_is_engine_id):
  No engine supported unless MODSSL_HAVE_ENGINE_API.

* ssl_util_ssl.c(modssl_dh_pkey_from_file, modssl_ec_group_from_file):
  Compat with openssl >= 3.0.
  


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908537 13f79535-47bb-0310-9956-ffa450edef68
2023-03-19 21:30:47 +00:00
33a168cc58 * modules/ssl/ssl_engine_io.c:
Drop noop functions for BIO methods mod_ssl doesn't implement.
  OpenSSL handles missing BIO methods internally in BIO_xxxx() wrappers.
  Consistently log at TRACE4 unhandled _ctrl commands, but note
  these are not a "BUG" as in the previous log message.

PR: 66028
Github: closes #316


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900309 13f79535-47bb-0310-9956-ffa450edef68
2022-04-27 07:45:01 +00:00
b11e669f07 *) core/mod_ssl/mpm_event: reverting changes to nonblocking SSL handshakes
to stabilize CI tests again. Previous revision of trunk has been copied
     to branches/trunk-ssl-handshake-unblocking to make those into a PR where
     changes can be discussed and tested separately.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897760 13f79535-47bb-0310-9956-ffa450edef68
2022-02-04 12:22:26 +00:00
3462fcfa75 check BIO_new(3) return values
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897663 13f79535-47bb-0310-9956-ffa450edef68
2022-02-01 15:29:18 +00:00
589cf97b76 mod_ssl: Use AP_FILTER_ERROR to indicate when the SSL filter has
handled its own errors.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897418 13f79535-47bb-0310-9956-ffa450edef68
2022-01-24 14:11:19 +00:00
204b709eef mod_ssl: An edge case exists where SSL_read might return SSL_ERROR_WANT_READ
even in blocking BIO cases. Set guards so that an async MPM is not accessed
at this point. There is no need to set non blocking, mod_ssl's BIO already
knows how to do this. 


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897356 13f79535-47bb-0310-9956-ffa450edef68
2022-01-22 22:02:11 +00:00
82cba5c0eb mod_ssl: Add the missing SSL_ERROR_WANT_WRITE case in the SSL_read. Make
sure the sense is correctly specified in response to SSL_ERROR_WANT_READ
and SSL_ERROR_WANT_WRITE so we don't poll for the wrong case.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897353 13f79535-47bb-0310-9956-ffa450edef68
2022-01-22 20:05:21 +00:00
54a200291b event: Add support for non blocking behaviour in the
CONN_STATE_READ_REQUEST_LINE phase, in addition to the existing
CONN_STATE_WRITE_COMPLETION phase. Update mod_ssl to perform non blocking
TLS handshakes.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897281 13f79535-47bb-0310-9956-ffa450edef68
2022-01-21 00:09:24 +00:00
df5ca407a6 * modules/ssl/ssl_engine_io.c (bio_filter_in_ctrl): Remove debugging
assert for unexpected control commands, matching bio_filter_out_ctrl
  which also ignores such invocations.  Fixes core dumps in debug
  builds with OpenSSL 3.0.0 which triggers this via the
  BIO_get_ktls_recv() call on the SSL bio, aka
    BIO_ctrl(b, BIO_CTRL_GET_KTLS_RECV, ...);

See: 105af0ad92/ssl/record/rec_layer_s3.c (L274)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895774 13f79535-47bb-0310-9956-ffa450edef68
2021-12-10 14:50:19 +00:00
121e0a7f25 * log-tags always win.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890696 13f79535-47bb-0310-9956-ffa450edef68
2021-06-11 11:40:38 +00:00
06a3e22e28 *) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
connections. If ALPN protocols are provided and sent to the
     remote server, the received protocol selected is inspected
     and checked for a match. Without match, the peer handshake
     fails.
     An exception is the proposal of "http/1.1" where it is
     accepted if the remote server did not answer ALPN with
     a selected protocol. This accommodates for hosts that do
     not observe/support ALPN and speak http/1.x by default.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890693 13f79535-47bb-0310-9956-ffa450edef68
2021-06-11 10:45:25 +00:00
a4f45f275b *) core/mod_proxy/mod_ssl:
Adding `outgoing` flag to conn_rec, indicating a connection is
     initiated by the server to somewhere, in contrast to incoming
     connections from clients.
     Adding `ap_ssl_bind_outgoing()` function that marks a connection
     as outgoing and is used by mod_proxy instead of the previous
     optional function `ssl_engine_set`. This enables other SSL
     modules to secure proxy connections.
     The optional functions `ssl_engine_set`, `ssl_engine_disable` and
     `ssl_proxy_enable` are now provided by the core to have backward
     compatibility with non-httpd modules that might use them. mod_ssl
     itself no longer registers these functions, but keeps them in its
     header for backward compatibility.
     The core provided optional functions wrap any registered function
     like it was done for `ssl_is_ssl`.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890605 13f79535-47bb-0310-9956-ffa450edef68
2021-06-08 14:37:44 +00:00
66744d073e Follow up to r1889938: APLOGNO().
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889939 13f79535-47bb-0310-9956-ffa450edef68
2021-05-16 22:06:56 +00:00
0cb2434499 mod_ssl: coalesce using a bucket brigade and the setaside/reinstate mechanism.
ssl_io_filter_coalesce() now uses apr_brigade_write() to save its retained data
in a heap bucket, and ap_filter_{setaside,reinstate}_brigade() to declare them
to the output filters' write completion mechanism.

This prevents MPM event from missing them when it enters write completion state, and
will allow the tunneling loop of mod_proxy to flush them in a following commit
too.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889938 13f79535-47bb-0310-9956-ffa450edef68
2021-05-16 21:49:49 +00:00
bafd719772 Simplify and speed-up ssl_io_data_dump().
Instead of using a temp buffer for each byte or char written, and calling
strlen over and over again to find the place where to copy this buffer,
write directly at the correct place in the final buffer, and take advantage
of 'apr_snprintf' returning the number of bytes copied.

This looks like a hot path when running the test framework (because of TRACE7), so it could be slightly useful in this use case :)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1880500 13f79535-47bb-0310-9956-ffa450edef68
2020-08-01 10:42:57 +00:00
ea4d778cd6 mod_ssl: release coalesced data when called from ap_filter_output_pending().
The purpose of ap_filter_output_pending() is to flush pending data, so
ssl_io_filter_coalesce() should honor that.

This allows mod_proxy to not care about mod_ssl coalescing filters when
tunneling between connections.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879416 13f79535-47bb-0310-9956-ffa450edef68
2020-07-01 23:16:04 +00:00
3c6b925a2a util_filter: export ap_filter_adopt_brigade() since mod_ssl uses it.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877548 13f79535-47bb-0310-9956-ffa450edef68
2020-05-10 12:34:53 +00:00
b77cd8dfde mod_ssl: Update the ssl_var_lookup() API:
a) constify return value and variable name passed-in
b) require that pool argument is non-NULL
c) add gcc warning attributes for NULL arguments or ignored result.

This allows removal of inefficient internal duplication of constant
strings which was necessary only to allow non-const char *, and
removal of unsafe casts to/from const in various places.

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup): Assume pool is
  non-NULL; return constant and remove apr_pstrdup of constant
  result string.  Also constify variable name.
  (ssl_var_lookup_*): Update to return const char * and avoid
  duplication where now possible.

* modules/ssl/mod_ssl.h: Update ssl_var_lookup() optional function
  API description and add GCC warning attributes as per private API.

* modules/ssl/ssl_engine_init.c (ssl_add_version_components): Adjust
  for const return value.

* modules/ssl/ssl_engine_io.c (ssl_io_filter_handshake): Pass c->pool
  to ssl_var_lookup.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Pass r->pool to
  ssl_var_lookup, expect const return and dup the string since r->user
  is char *.
  (log_tracing_state): Pass c->pool to ssl_var_lookup.

* modules/http2/h2_h2.c (h2_is_acceptable_connection): Assume
  return value of ssl_var_lookup is const.

Github: closes #120


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877475 13f79535-47bb-0310-9956-ffa450edef68
2020-05-07 15:34:04 +00:00
b8155f30da mod_ssl: Switch to using SSL_OP_NO_RENEGOTIATION (where available) to
block client-initiated renegotiation with TLSv1.2 and earlier.

* modules/ssl/ssl_private.h: Define modssl_reneg_state enum,
  modssl_set_reneg_state function.

* modules/ssl/ssl_engine_io.c (bio_filter_out_write,
  bio_filter_in_read): #ifdef-out reneg protection if
  SSL_OP_NO_RENEGOTIATION is defined.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol):
  Enable SSL_OP_NO_RENEGOTIATION.
  (ssl_init_ctx_callbacks): Only enable the "info" callback if
  debug-level logging *or* OpenSSL doesn't support SSL_OP_NO_RENEGOTIATION.
  
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_classic): Use
  modssl_set_reneg_state to set the reneg protection mode.
  (ssl_hook_Access_modern): Drop manipulation of the reneg mode which
  does nothing for TLSv1.3 already.
  (ssl_callback_Info): Only enable reneg protection if
  SSL_OP_NO_RENEGOTIATION is *not* defined.

* modules/ssl/ssl_util_ssl.c (modssl_set_reneg_state): New function.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877397 13f79535-47bb-0310-9956-ffa450edef68
2020-05-05 12:40:38 +00:00
316aea784d mod_ssl: add compatibility with OpenSSL 3.0.0
Wrappers around deprecated API:
* X509_STORE_load_locations() => modssl_X509_STORE_load_locations(),
* CTX_load_verify_locations() => modssl_CTX_load_verify_locations(),
* ERR_peek_error_line_data()  => modssl_ERR_peek_error_data(),
* DH_bits(dh)                 => BN_num_bits(DH_get0_p(dh)).

Provide a compatible version of ssl_callback_SessionTicket() which does not
use the deprecated HMAC_CTX and HMAC_Init_ex(), replaced by EVP_MAC_CTX and
EVP_MAC_CTX_set_params() respectively. This requires adapting struct
modssl_ticket_key_t to replace hmac_secret[] with OSSL_PARAM mac_params[],
created once at load time still.
The callback is registered by SSL_CTX_set_tlsext_ticket_key_evp_cb() instead
of SSL_CTX_set_tlsext_ticket_key_cb().

Since BIO_eof() may now be called by the openssl-3 state machine, the never-called
assertion in bio_filter_in_ctrl() does not hold anymore, and we have to
handle BIO_CTRL_EOF. For any other cmd, we continue to AP_DEBUG_ASSERT(0) and
log an error, yet the return value is changed from -1 to 0 which is the usual
unhandled value.

Note that OpenSSL 3.0.0 is still in alpha stage as of now, the API shouldn't
change though, neither breakage to 1.x.x API.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1876934 13f79535-47bb-0310-9956-ffa450edef68
2020-04-24 16:09:02 +00:00
c3156dd166 * modules/ssl/ssl_engine_io.c (ssl_io_filter_coalesce): Update comment only. [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1876787 13f79535-47bb-0310-9956-ffa450edef68
2020-04-21 11:15:09 +00:00
add4e2892b * modules/ssl/ssl_engine_io.c (ssl_io_filter_coalesce): Further tweaks
to logic, comments and debugging:
  - allow buffering up to exactly COALESCE_BYTES rather than COALESCE_BYTES-1.
  - put bucket type name in logging output
  - do not coalesce a single-bucket prefix of length equal to the
    buffer size (which would be a pointless memory copy).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1876037 13f79535-47bb-0310-9956-ffa450edef68
2020-04-02 08:54:29 +00:00
fd5afc092c * modules/ssl/ssl_engine_io.c (ssl_io_filter_coalesce): Handle the case
where apr_bucket_read fails with an error and hence our current bucket
  remains the morphing bucket and is not replaced with a 'data' bucket.
  If the error is not EAGAIN, error out with an AP_FILTER_ERROR,
  otherwise just do not consider the morphing bucket that has no data for
  coalesce.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1876014 13f79535-47bb-0310-9956-ffa450edef68
2020-04-01 19:30:49 +00:00
8d115959c6 * modules/ssl/ssl_engine_io.c (ssl_io_filter_coalesce): Treat zero-length
buckets consistently (ignore them) after a morphing bucket morphs.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1875988 13f79535-47bb-0310-9956-ffa450edef68
2020-04-01 07:55:22 +00:00
37b7d95791 * modules/ssl/ssl_engine_io.c: Update comment, no function change, [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1875883 13f79535-47bb-0310-9956-ffa450edef68
2020-03-30 14:11:44 +00:00
9cb5515b18 * modules/ssl/ssl_engine_io.c: (ssl_io_filter_coalesce): Handle the
case of a bucket which morphs to a bucket short enough to fit within
  the buffer without needing to split.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1875881 13f79535-47bb-0310-9956-ffa450edef68
2020-03-30 13:18:29 +00:00
005c3eeb61 Add lognos. [skip ci].
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1875879 13f79535-47bb-0310-9956-ffa450edef68
2020-03-30 13:00:12 +00:00
21530e63e2 mod_ssl: Extend the coalescing filter to avoid sending HTTP response
headers in a separate TLS record to the response body in some cases.

* modules/ssl/ssl_engine_io.c:
  Increase size of coalesce buffer to AP_IOBUFSIZE (8Kb).
  (ssl_io_filter_coalesce): Try harder to fill the prefix which
  gets coalesced, including a read&split of a morphing bucket type

Github: closes #106


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1875871 13f79535-47bb-0310-9956-ffa450edef68
2020-03-30 09:17:35 +00:00
85760859ca Fix spelling errors found by codespell. [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1873985 13f79535-47bb-0310-9956-ffa450edef68
2020-02-13 18:15:57 +00:00
975f5e1095 Follow up to r1859371: extend to other ap_proxy_connection_create[_ex]() users.
This function now handles SSL reuse as well as the "proxy-request-hostname"
note (SNI), so let's also call it unconditionally in all proxy modules.

On the mod_ssl side, since this note has the lifetime of the connection, don't
reset/unset it during handshake (ssl_io_filter_handshake).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1859422 13f79535-47bb-0310-9956-ffa450edef68
2019-05-17 08:42:17 +00:00
d2bc1ffcb8 * modules/ssl/ssl_engine_io.c (bio_filter_out_write,
bio_filter_in_read): Clear retry flags before aborting
  on client-initiated reneg.

PR: 63052


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1850946 13f79535-47bb-0310-9956-ffa450edef68
2019-01-10 15:46:07 +00:00
a6f1af5f59 Revert r1844928 and follow up r1844942.
Actually *len can be > 0 here, at least without a change I'm working on but now
think should be discussed first probably. Anyway r1844928 alone is broken, just
rollback for now.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1845064 13f79535-47bb-0310-9956-ffa450edef68
2018-10-28 20:55:43 +00:00
3cd2a17307 mod_ssl: follow up to r1844928: revert an unintentional change.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1844942 13f79535-47bb-0310-9956-ffa450edef68
2018-10-27 07:33:57 +00:00
860f83d823 mod_ssl: axe dead code.
No functional change, we never get there when *len > 0.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1844928 13f79535-47bb-0310-9956-ffa450edef68
2018-10-26 22:00:30 +00:00
8b3678b5a3 mod_ssl: follow up to r1844779: fix rollback in char_buffer_consume().
This needs the same bucket insertion code as in char_buffer_write(), so define
a new char_buffer_insert() helper.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1844781 13f79535-47bb-0310-9956-ffa450edef68
2018-10-24 15:43:35 +00:00
a84b6923e7 mod_ssl: bind buffered data to filter's pending data.
Otherwise they are not considered by ap_filter_input_pending() and pipelining
is not detected (MPM event times out).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1844779 13f79535-47bb-0310-9956-ffa450edef68
2018-10-24 14:55:44 +00:00
5bfbbcf9a2 SSL_read() doesn't distinguish between return value 0 and <0,
at least not for OpenSSL 1.1.1. This is documented in the man
page for SSL_read and led to h2 failures when using OpenSSL 1.1.1.

When no data could be read, our code returned EAGAIN up until
OpenSSL 1.1.0, but APR_EOF for OpenSSL 1.1.1.

Now instead check SSL_get_error() also when SSL_read() returns 0.

To keep changes small, this change should not influence behavior,
when (rc=SSL_read()):
- rc < 0
- rc == 0 && *len > 0
- rc == 0 &&
  (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc) &&
  inctx->block == APR_NONBLOCK_READ

Behavior changes if
- rc == 0 &&
  !(APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc) &&
  !*len > 0
  Instead of APR_EOF:
  - same behavior as rc < 0 for SSL_ERROR_WANT_READ
  - same behavior as rc < 0 for SSL_ERROR_SYSCALL && APR_STATUS_IS_EAGAIN(inctx->rc)

Another change is that rc == 0 && ssl_err == SSL_ERROR_ZERO_RETURN
also results in APR_EOF.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1843954 13f79535-47bb-0310-9956-ffa450edef68
2018-10-15 21:14:21 +00:00
0a61dd979a core: always allocate filters (ap_filter_t) on f->c->pool.
When filters are allocated on f->r->pool, they may be destroyed any time
underneath themselves which makes it hard for them to be passed the EOR and
forward it (*f can't be dereferenced anymore when the EOR is destroyed, thus
before request filters return).

On the util_filter side, it also makes it impossible to flush pending request
filters when they have set aside the EOR, since f->bb can't be accessed after
it's passed to the f->next.

So we always use f->c->pool to allocate filters and pending brigades, and to
avoid leaks with keepalive requests (long living connections handling multiple
requests), filters and brigades are recycled with a cleanup on f->r->pool.

Recycling is done (generically) with a spare data ring (void pointers), and a
filter(s) context struct is associated with the conn_rec to maintain the rings
by connection, that is:

    struct ap_filter_conn_ctx {
        struct ap_filter_ring *pending_input_filters;
        struct ap_filter_ring *pending_output_filters;

        struct ap_filter_spare_ring *spare_containers,
                                    *spare_brigades,
                                    *spare_filters,
                                    *spare_flushes;
        int flushing;
    };

MMN major bumped (again).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1839997 13f79535-47bb-0310-9956-ffa450edef68
2018-09-03 23:49:46 +00:00
260f53e67a mod_proxy: follow up to r1645529: 502 in case of SSL handshake failure.
Make the SSL filters chain return an error when the handshake fails with an
origin server. It can then be caught by mod_proxy to fail with 502.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1839442 13f79535-47bb-0310-9956-ffa450edef68
2018-08-28 12:42:21 +00:00
8a6e1c3ada core: core output filter optimizations.
The core output filter used to determine first if it needed to block before
trying to send its data (including set aside ones), and if so it did call
send_brigade_blocking().

This can be avoided by making send_brigade_nonblocking() send as much data as
possible (nonblocking), and only if data remain check whether they should be
flushed (blocking), according to the same ap_filter_reinstate_brigade()
heuristics but afterward.

This allows both to simplify the code (axe send_brigade_blocking and some
duplicated logic) and optimize sends since send_brigade_nonblocking() is now
given all the buckets so it can make use of scatter/gather (iovec) or NOPUSH
option with the whole picture.

When sendfile is available and/or with fine tuning of FlushMaxThreshold (and
ReadBufferSize) from r1836032, one can now take advantage of modern network
speeds and bandwidth.

This commit also adds some APLOG_TRACE6 messages for output bytes (including
at mod_ssl level since splitting happens there when it's active).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1836237 13f79535-47bb-0310-9956-ffa450edef68
2018-07-18 21:55:29 +00:00
31a4103652 mod_ssl, ab: compatibility with LibreSSL. PR 61184.
LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
all of the latest OpenSSL 1.1 API.

Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
anything but OpenSSL >= 1.1 (for now).

Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1803396 13f79535-47bb-0310-9956-ffa450edef68
2017-07-29 23:05:02 +00:00
11250ebd61 mod_ssl: fix ctx passed to ssl_io_filter_error()
Consistently pass the expected bio_filter_in_ctx_t
to ssl_io_filter_error(). 

Submitted By: Yann Ylavic
CVEID: CVE-2017-3169


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1796343 13f79535-47bb-0310-9956-ffa450edef68
2017-05-26 21:09:32 +00:00
43a1396988 mod_ssl: don't depend on the next output filters to cleanup the passed out
brigades.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1781582 13f79535-47bb-0310-9956-ffa450edef68
2017-02-03 17:32:32 +00:00
2d74fe1ab1 ssl: clear the error queue before SSL_read/write/accept()
If other modules or libraries do not clear the OpenSSL error queue after
a failed operation, other code that relies on SSL_get_error() -- in
particular, code that deals with SSL_ERROR_WANT_READ/WRITE logic -- will
malfunction later on. To prevent this, explicitly clear the error queue
before calls like SSL_read/write/accept().

PR: 60223
Submitted by: Paul Spangler <paul.spangler ni.com>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1769332 13f79535-47bb-0310-9956-ffa450edef68
2016-11-11 19:38:28 +00:00
d79b514c4b Fix spelling in comments and text files.
No functional change.
PR 59990


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1756038 13f79535-47bb-0310-9956-ffa450edef68
2016-08-11 19:50:02 +00:00
40581f8465 Correct the behavior and interaction between SSLProxyCheckPeer[CN|Name],
such that disabling either disables both, and that enabling either will
trigger the more comprehensive SSLProxyCheckPeerName behavior.

Only a single configuration remains to enable the legacy behavior, which
is to explicitly disable SSLProxyCheckPeerName and enable SSLProxyCheckPeerCN.

Changes to the proxy config directives leads us to a different 2.4 fix...
https://github.com/wrowe/patches/blob/master/fix_proxy_check_peer-2.4.x.patch


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1746647 13f79535-47bb-0310-9956-ffa450edef68
2016-06-02 22:31:35 +00:00
f9ad2754f7 mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
allowing per backend TLS configuration.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1740928 13f79535-47bb-0310-9956-ffa450edef68
2016-04-26 00:04:57 +00:00
f31ec0318d Support for OpenSSL 1.1.0:
- BIO was made opaque after OpenSSL 1.1.0pre4.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1737657 13f79535-47bb-0310-9956-ffa450edef68
2016-04-04 11:33:31 +00:00