Apache HTTPD
ssl_engine_io.c
Go to the documentation of this file.
1/* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17/* _ _
18 * _ __ ___ ___ __| | ___ ___| | mod_ssl
19 * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
20 * | | | | | | (_) | (_| | \__ \__ \ |
21 * |_| |_| |_|\___/ \__,_|___|___/___/_|
22 * |_____|
23 * ssl_engine_io.c
24 * I/O Functions
25 */
26 /* ``MY HACK: This universe.
27 Just one little problem:
28 core keeps dumping.''
29 -- Unknown */
30#include "ssl_private.h"
31
32#include "apr_date.h"
33
34APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, proxy_post_handshake,
35 (conn_rec *c,SSL *ssl),
36 (c,ssl),OK,DECLINED);
37
38/* _________________________________________________________________
39**
40** I/O Hooks
41** _________________________________________________________________
42*/
43
44/* This file is designed to be the bridge between OpenSSL and httpd.
45 * However, we really don't expect anyone (let alone ourselves) to
46 * remember what is in this file. So, first, a quick overview.
47 *
48 * In this file, you will find:
49 * - ssl_io_filter_input (Apache input filter)
50 * - ssl_io_filter_output (Apache output filter)
51 *
52 * - bio_filter_in_* (OpenSSL input filter)
53 * - bio_filter_out_* (OpenSSL output filter)
54 *
55 * The input chain is roughly:
56 *
57 * ssl_io_filter_input->ssl_io_input_read->SSL_read->...
58 * ...->bio_filter_in_read->ap_get_brigade/next-httpd-filter
59 *
60 * In mortal terminology, we do the following:
61 * - Receive a request for data to the SSL input filter
62 * - Call a helper function once we know we should perform a read
63 * - Call OpenSSL's SSL_read()
64 * - SSL_read() will then call bio_filter_in_read
65 * - bio_filter_in_read will then try to fetch data from the next httpd filter
66 * - bio_filter_in_read will flatten that data and return it to SSL_read
67 * - SSL_read will then decrypt the data
68 * - ssl_io_input_read will then receive decrypted data as a char* and
69 * ensure that there were no read errors
70 * - The char* is placed in a brigade and returned
71 *
72 * Since connection-level input filters in httpd need to be able to
73 * handle AP_MODE_GETLINE calls (namely identifying LF-terminated strings),
74 * ssl_io_input_getline which will handle this special case.
75 *
76 * Due to AP_MODE_GETLINE and AP_MODE_SPECULATIVE, we may sometimes have
77 * 'leftover' decoded data which must be setaside for the next read. That
78 * is currently handled by the char_buffer_{read|write} functions. So,
79 * ssl_io_input_read may be able to fulfill reads without invoking
80 * SSL_read().
81 *
82 * Note that the filter context of ssl_io_filter_input and bio_filter_in_*
83 * are shared as bio_filter_in_ctx_t.
84 *
85 * Note that the filter is by choice limited to reading at most
86 * AP_IOBUFSIZE (8192 bytes) per call.
87 *
88 */
89
90/* this custom BIO allows us to hook SSL_write directly into
91 * an apr_bucket_brigade and use transient buckets with the SSL
92 * malloc-ed buffer, rather than copying into a mem BIO.
93 * also allows us to pass the brigade as data is being written
94 * rather than buffering up the entire response in the mem BIO.
95 *
96 * when SSL needs to flush (e.g. SSL_accept()), it will call BIO_flush()
97 * which will trigger a call to bio_filter_out_ctrl() -> bio_filter_out_flush().
98 * so we only need to flush the output ourselves if we receive an
99 * EOS or FLUSH bucket. this was not possible with the mem BIO where we
100 * had to flush all over the place not really knowing when it was required
101 * to do so.
102 */
103
112
119
120static bio_filter_out_ctx_t *bio_filter_out_ctx_new(ssl_filter_ctx_t *filter_ctx,
121 conn_rec *c)
122{
123 bio_filter_out_ctx_t *outctx = apr_palloc(c->pool, sizeof(*outctx));
124
125 outctx->filter_ctx = filter_ctx;
126 outctx->c = c;
127 outctx->bb = apr_brigade_create(c->pool, c->bucket_alloc);
128
129 return outctx;
130}
131
132/* Pass an output brigade down the filter stack; returns 1 on success
133 * or -1 on failure. */
134static int bio_filter_out_pass(bio_filter_out_ctx_t *outctx)
135{
136 AP_DEBUG_ASSERT(!APR_BRIGADE_EMPTY(outctx->bb));
137
138 outctx->rc = ap_pass_brigade(outctx->filter_ctx->pOutputFilter->next,
139 outctx->bb);
140 /* Fail if the connection was reset: */
141 if (outctx->rc == APR_SUCCESS && outctx->c->aborted) {
142 outctx->rc = APR_ECONNRESET;
143 }
144 return (outctx->rc == APR_SUCCESS) ? 1 : -1;
145}
146
147/* Send a FLUSH bucket down the output filter stack; returns 1 on
148 * success, -1 on failure. */
149static int bio_filter_out_flush(BIO *bio)
150{
151 bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
152 apr_bucket *e;
153
154 ap_log_cerror(APLOG_MARK, APLOG_TRACE6, 0, outctx->c,
155 "bio_filter_out_write: flush");
156
157 AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(outctx->bb));
158
159 e = apr_bucket_flush_create(outctx->bb->bucket_alloc);
160 APR_BRIGADE_INSERT_TAIL(outctx->bb, e);
161
162 return bio_filter_out_pass(outctx);
163}
164
165static int bio_filter_create(BIO *bio)
166{
167 BIO_set_shutdown(bio, 1);
168 BIO_set_init(bio, 1);
169#if MODSSL_USE_OPENSSL_PRE_1_1_API
170 /* No setter method for OpenSSL 1.1.0 available,
171 * but I can't find any functional use of the
172 * "num" field there either.
173 */
174 bio->num = -1;
175#endif
176 BIO_set_data(bio, NULL);
177
178 return 1;
179}
180
181static int bio_filter_destroy(BIO *bio)
182{
183 if (bio == NULL) {
184 return 0;
185 }
186
187 /* nothing to free here.
188 * apache will destroy the bucket brigade for us
189 */
190 return 1;
191}
192
193static int bio_filter_out_read(BIO *bio, char *out, int outl)
194{
195 /* this is never called */
196 bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
197 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
198 "BUG: %s() should not be called", "bio_filter_out_read");
199 AP_DEBUG_ASSERT(0);
200 return -1;
201}
202
203static int bio_filter_out_write(BIO *bio, const char *in, int inl)
204{
205 bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
206 apr_bucket *e;
207 int need_flush;
208
209 BIO_clear_retry_flags(bio);
210
211#ifndef SSL_OP_NO_RENEGOTIATION
212 /* Abort early if the client has initiated a renegotiation. */
213 if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
214 outctx->rc = APR_ECONNABORTED;
215 return -1;
216 }
217#endif
218
219 ap_log_cerror(APLOG_MARK, APLOG_TRACE6, 0, outctx->c,
220 "bio_filter_out_write: %i bytes", inl);
221
222 /* Use a transient bucket for the output data - any downstream
223 * filter must setaside if necessary. */
224 e = apr_bucket_transient_create(in, inl, outctx->bb->bucket_alloc);
225 APR_BRIGADE_INSERT_TAIL(outctx->bb, e);
226
227 /* In theory, OpenSSL should flush as necessary, but it is known
228 * not to do so correctly in some cases (< 0.9.8m; see PR 46952),
229 * or on the proxy/client side (after ssl23_client_hello(), e.g.
230 * ssl/proxy.t test suite).
231 *
232 * Historically, this flush call was performed only for an SSLv2
233 * connection or for a proxy connection. Calling _out_flush can
234 * be expensive in cases where requests/responses are pipelined,
235 * so limit the performance impact to handshake time.
236 */
237#if OPENSSL_VERSION_NUMBER < 0x0009080df
238 need_flush = !SSL_is_init_finished(outctx->filter_ctx->pssl);
239#else
240 need_flush = SSL_in_connect_init(outctx->filter_ctx->pssl);
241#endif
242 if (need_flush) {
243 e = apr_bucket_flush_create(outctx->bb->bucket_alloc);
244 APR_BRIGADE_INSERT_TAIL(outctx->bb, e);
245 }
246
247 if (bio_filter_out_pass(outctx) < 0) {
248 return -1;
249 }
250
251 return inl;
252}
253
254static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
255{
256 long ret = 1;
257 bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
258
259 switch (cmd) {
260 case BIO_CTRL_RESET:
261 case BIO_CTRL_EOF:
262 case BIO_C_SET_BUF_MEM_EOF_RETURN:
263 ap_log_cerror(APLOG_MARK, APLOG_TRACE4, 0, outctx->c,
264 "output bio: unhandled control %d", cmd);
265 ret = 0;
266 break;
267 case BIO_CTRL_WPENDING:
268 case BIO_CTRL_PENDING:
269 case BIO_CTRL_INFO:
270 ret = 0;
271 break;
272 case BIO_CTRL_GET_CLOSE:
273 ret = (long)BIO_get_shutdown(bio);
274 break;
275 case BIO_CTRL_SET_CLOSE:
276 BIO_set_shutdown(bio, (int)num);
277 break;
278 case BIO_CTRL_FLUSH:
279 ret = bio_filter_out_flush(bio);
280 break;
281 case BIO_CTRL_DUP:
282 ret = 1;
283 break;
284 /* N/A */
285 case BIO_C_SET_BUF_MEM:
286 case BIO_C_GET_BUF_MEM_PTR:
287 /* we don't care */
288 case BIO_CTRL_PUSH:
289 case BIO_CTRL_POP:
290 default:
291 ret = 0;
292 break;
293 }
294
295 return ret;
296}
297
298static int bio_filter_out_gets(BIO *bio, char *buf, int size)
299{
300 /* this is never called */
301 bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
302 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
303 "BUG: %s() should not be called", "bio_filter_out_gets");
304 AP_DEBUG_ASSERT(0);
305 return -1;
306}
307
308static int bio_filter_out_puts(BIO *bio, const char *str)
309{
310 /* this is never called */
311 bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
312 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
313 "BUG: %s() should not be called", "bio_filter_out_puts");
314 AP_DEBUG_ASSERT(0);
315 return -1;
316}
317
318typedef struct {
319 int length;
320 char *value;
321} char_buffer_t;
322
336
337/*
338 * this char_buffer api might seem silly, but we don't need to copy
339 * any of this data and we need to remember the length.
340 */
341
342/* Copy up to INL bytes from the char_buffer BUFFER into IN. Note
343 * that due to the strange way this API is designed/used, the
344 * char_buffer object is used to cache a segment of inctx->buffer, and
345 * then this function called to copy (part of) that segment to the
346 * beginning of inctx->buffer. So the segments to copy cannot be
347 * presumed to be non-overlapping, and memmove must be used. */
348static int char_buffer_read(char_buffer_t *buffer, char *in, int inl)
349{
350 if (!buffer->length) {
351 return 0;
352 }
353
354 if (buffer->length > inl) {
355 /* we have enough to fill the caller's buffer */
356 memmove(in, buffer->value, inl);
357 buffer->value += inl;
358 buffer->length -= inl;
359 }
360 else {
361 /* swallow remainder of the buffer */
362 memmove(in, buffer->value, buffer->length);
363 inl = buffer->length;
364 buffer->value = NULL;
365 buffer->length = 0;
366 }
367
368 return inl;
369}
370
371static int char_buffer_write(char_buffer_t *buffer, char *in, int inl)
372{
373 buffer->value = in;
374 buffer->length = inl;
375 return inl;
376}
377
378/* This function will read from a brigade and discard the read buckets as it
379 * proceeds. It will read at most *len bytes.
380 */
381static apr_status_t brigade_consume(apr_bucket_brigade *bb,
382 apr_read_type_e block,
383 char *c, apr_size_t *len)
384{
385 apr_size_t actual = 0;
386 apr_status_t status = APR_SUCCESS;
387
388 while (!APR_BRIGADE_EMPTY(bb)) {
389 apr_bucket *b = APR_BRIGADE_FIRST(bb);
390 const char *str;
391 apr_size_t str_len;
392 apr_size_t consume;
393
394 /* Justin points out this is an http-ism that might
395 * not fit if brigade_consume is added to APR. Perhaps
396 * apr_bucket_read(eos_bucket) should return APR_EOF?
397 * Then this becomes mainline instead of a one-off.
398 */
399 if (APR_BUCKET_IS_EOS(b)) {
400 status = APR_EOF;
401 break;
402 }
403
404 /* The reason I'm not offering brigade_consume yet
405 * across to apr-util is that the following call
406 * illustrates how borked that API really is. For
407 * this sort of case (caller provided buffer) it
408 * would be much more trivial for apr_bucket_consume
409 * to do all the work that follows, based on the
410 * particular characteristics of the bucket we are
411 * consuming here.
412 */
413 status = apr_bucket_read(b, &str, &str_len, block);
414
415 if (status != APR_SUCCESS) {
416 if (APR_STATUS_IS_EOF(status)) {
417 /* This stream bucket was consumed */
418 apr_bucket_delete(b);
419 continue;
420 }
421 break;
422 }
423
424 if (str_len > 0) {
425 /* Do not block once some data has been consumed */
426 block = APR_NONBLOCK_READ;
427
428 /* Assure we don't overflow. */
429 consume = (str_len + actual > *len) ? *len - actual : str_len;
430
431 memcpy(c, str, consume);
432
433 c += consume;
434 actual += consume;
435
436 if (consume >= b->length) {
437 /* This physical bucket was consumed */
438 apr_bucket_delete(b);
439 }
440 else {
441 /* Only part of this physical bucket was consumed */
442 b->start += consume;
443 b->length -= consume;
444 }
445 }
446 else if (b->length == 0) {
447 apr_bucket_delete(b);
448 }
449
450 /* This could probably be actual == *len, but be safe from stray
451 * photons. */
452 if (actual >= *len) {
453 break;
454 }
455 }
456
457 *len = actual;
458 return status;
459}
460
461/*
462 * this is the function called by SSL_read()
463 */
464static int bio_filter_in_read(BIO *bio, char *in, int inlen)
465{
466 apr_size_t inl = inlen;
467 bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
468 apr_read_type_e block = inctx->block;
469
470 inctx->rc = APR_SUCCESS;
471
472 /* OpenSSL catches this case, so should we. */
473 if (!in)
474 return 0;
475
476 BIO_clear_retry_flags(bio);
477
478#ifndef SSL_OP_NO_RENEGOTIATION
479 /* Abort early if the client has initiated a renegotiation. */
480 if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
481 inctx->rc = APR_ECONNABORTED;
482 return -1;
483 }
484#endif
485
486 if (!inctx->bb) {
487 inctx->rc = APR_EOF;
488 return -1;
489 }
490
491 if (APR_BRIGADE_EMPTY(inctx->bb)) {
492
493 inctx->rc = ap_get_brigade(inctx->f->next, inctx->bb,
494 AP_MODE_READBYTES, block,
495 inl);
496
497 /* If the read returns EAGAIN or success with an empty
498 * brigade, return an error after setting the retry flag;
499 * SSL_read() will then return -1, and SSL_get_error() will
500 * indicate SSL_ERROR_WANT_READ. */
501 if (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc)
502 || (inctx->rc == APR_SUCCESS && APR_BRIGADE_EMPTY(inctx->bb))) {
503 BIO_set_retry_read(bio);
504 return -1;
505 }
506
507 if (block == APR_BLOCK_READ
508 && APR_STATUS_IS_TIMEUP(inctx->rc)
509 && APR_BRIGADE_EMPTY(inctx->bb)) {
510 /* don't give up, just return the timeout */
511 return -1;
512 }
513 if (inctx->rc != APR_SUCCESS) {
514 /* Unexpected errors discard the brigade */
515 apr_brigade_cleanup(inctx->bb);
516 inctx->bb = NULL;
517 return -1;
518 }
519 }
520
521 inctx->rc = brigade_consume(inctx->bb, block, in, &inl);
522
523 if (inctx->rc == APR_SUCCESS) {
524 return (int)inl;
525 }
526
527 if (APR_STATUS_IS_EAGAIN(inctx->rc)
528 || APR_STATUS_IS_EINTR(inctx->rc)) {
529 BIO_set_retry_read(bio);
530 return (int)inl;
531 }
532
533 /* Unexpected errors and APR_EOF clean out the brigade.
534 * Subsequent calls will return APR_EOF.
535 */
536 apr_brigade_cleanup(inctx->bb);
537 inctx->bb = NULL;
538
539 if (APR_STATUS_IS_EOF(inctx->rc) && inl) {
540 /* Provide the results of this read pass,
541 * without resetting the BIO retry_read flag
542 */
543 return (int)inl;
544 }
545
546 return -1;
547}
548
549static int bio_filter_in_write(BIO *bio, const char *in, int inl)
550{
551 bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
552 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
553 "BUG: %s() should not be called", "bio_filter_in_write");
554 AP_DEBUG_ASSERT(0);
555 return -1;
556}
557
558static int bio_filter_in_puts(BIO *bio, const char *str)
559{
560 bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
561 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
562 "BUG: %s() should not be called", "bio_filter_in_puts");
563 AP_DEBUG_ASSERT(0);
564 return -1;
565}
566
567static int bio_filter_in_gets(BIO *bio, char *buf, int size)
568{
569 bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
570 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
571 "BUG: %s() should not be called", "bio_filter_in_gets");
572 AP_DEBUG_ASSERT(0);
573 return -1;
574}
575
576static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
577{
578 bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
579 switch (cmd) {
580#ifdef BIO_CTRL_EOF
581 case BIO_CTRL_EOF:
582 return inctx->rc == APR_EOF;
583#endif
584 default:
585 break;
586 }
587 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
588 "BUG: bio_filter_in_ctrl() should not be called with cmd=%i",
589 cmd);
590 return 0;
591}
592
593#if MODSSL_USE_OPENSSL_PRE_1_1_API
594
595static BIO_METHOD bio_filter_out_method = {
596 BIO_TYPE_MEM,
597 "APR output filter",
598 bio_filter_out_write,
599 bio_filter_out_read, /* read is never called */
600 bio_filter_out_puts, /* puts is never called */
601 bio_filter_out_gets, /* gets is never called */
602 bio_filter_out_ctrl,
603 bio_filter_create,
604 bio_filter_destroy,
605 NULL
606};
607
608static BIO_METHOD bio_filter_in_method = {
609 BIO_TYPE_MEM,
610 "APR input filter",
611 bio_filter_in_write, /* write is never called */
612 bio_filter_in_read,
613 bio_filter_in_puts, /* puts is never called */
614 bio_filter_in_gets, /* gets is never called */
615 bio_filter_in_ctrl, /* ctrl is called for EOF check */
616 bio_filter_create,
617 bio_filter_destroy,
618 NULL
619};
620
621#else
622
623static BIO_METHOD *bio_filter_out_method = NULL;
624static BIO_METHOD *bio_filter_in_method = NULL;
625
626void init_bio_methods(void)
627{
628 bio_filter_out_method = BIO_meth_new(BIO_TYPE_MEM, "APR output filter");
629 BIO_meth_set_write(bio_filter_out_method, &bio_filter_out_write);
630 BIO_meth_set_read(bio_filter_out_method, &bio_filter_out_read); /* read is never called */
631 BIO_meth_set_puts(bio_filter_out_method, &bio_filter_out_puts); /* puts is never called */
632 BIO_meth_set_gets(bio_filter_out_method, &bio_filter_out_gets); /* gets is never called */
633 BIO_meth_set_ctrl(bio_filter_out_method, &bio_filter_out_ctrl);
634 BIO_meth_set_create(bio_filter_out_method, &bio_filter_create);
635 BIO_meth_set_destroy(bio_filter_out_method, &bio_filter_destroy);
636
637 bio_filter_in_method = BIO_meth_new(BIO_TYPE_MEM, "APR input filter");
638 BIO_meth_set_write(bio_filter_in_method, &bio_filter_in_write); /* write is never called */
639 BIO_meth_set_read(bio_filter_in_method, &bio_filter_in_read);
640 BIO_meth_set_puts(bio_filter_in_method, &bio_filter_in_puts); /* puts is never called */
641 BIO_meth_set_gets(bio_filter_in_method, &bio_filter_in_gets); /* gets is never called */
642 BIO_meth_set_ctrl(bio_filter_in_method, &bio_filter_in_ctrl); /* ctrl is never called */
643 BIO_meth_set_create(bio_filter_in_method, &bio_filter_create);
644 BIO_meth_set_destroy(bio_filter_in_method, &bio_filter_destroy);
645}
646
647void free_bio_methods(void)
648{
649 BIO_meth_free(bio_filter_out_method);
650 BIO_meth_free(bio_filter_in_method);
651}
652#endif
653
654static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx,
655 char *buf,
656 apr_size_t *len)
657{
658 apr_size_t wanted = *len;
659 apr_size_t bytes = 0;
660 int rc;
661
662 *len = 0;
663
664 /* If we have something leftover from last time, try that first. */
665 if ((bytes = char_buffer_read(&inctx->cbuf, buf, wanted))) {
666 *len = bytes;
667 if (inctx->mode == AP_MODE_SPECULATIVE) {
668 /* We want to rollback this read. */
669 if (inctx->cbuf.length > 0) {
670 inctx->cbuf.value -= bytes;
671 inctx->cbuf.length += bytes;
672 } else {
673 char_buffer_write(&inctx->cbuf, buf, (int)bytes);
674 }
675 return APR_SUCCESS;
676 }
677 /* This could probably be *len == wanted, but be safe from stray
678 * photons.
679 */
680 if (*len >= wanted) {
681 return APR_SUCCESS;
682 }
683 if (inctx->mode == AP_MODE_GETLINE) {
684 if (memchr(buf, APR_ASCII_LF, *len)) {
685 return APR_SUCCESS;
686 }
687 }
688 else {
689 /* Down to a nonblock pattern as we have some data already
690 */
691 inctx->block = APR_NONBLOCK_READ;
692 }
693 }
694
695 while (1) {
696
697 if (!inctx->filter_ctx->pssl) {
698 /* Ensure a non-zero error code is returned */
699 if (inctx->rc == APR_SUCCESS) {
700 inctx->rc = APR_EGENERAL;
701 }
702 break;
703 }
704
705 /* We rely on SSL_get_error() after the read, which requires an empty
706 * error queue before the read in order to work properly.
707 */
708 ERR_clear_error();
709
710 /* SSL_read may not read because we haven't taken enough data
711 * from the stack. This is where we want to consider all of
712 * the blocking and SPECULATIVE semantics
713 */
714 rc = SSL_read(inctx->filter_ctx->pssl, buf + bytes, wanted - bytes);
715
716 if (rc > 0) {
717 *len += rc;
718 if (inctx->mode == AP_MODE_SPECULATIVE) {
719 /* We want to rollback this read. */
720 char_buffer_write(&inctx->cbuf, buf, rc);
721 }
722 return inctx->rc;
723 }
724 else /* (rc <= 0) */ {
725 int ssl_err;
726 conn_rec *c;
727 if (rc == 0) {
728 /* If EAGAIN, we will loop given a blocking read,
729 * otherwise consider ourselves at EOF.
730 */
731 if (APR_STATUS_IS_EAGAIN(inctx->rc)
732 || APR_STATUS_IS_EINTR(inctx->rc)) {
733 /* Already read something, return APR_SUCCESS instead.
734 * On win32 in particular, but perhaps on other kernels,
735 * a blocking call isn't 'always' blocking.
736 */
737 if (*len > 0) {
738 inctx->rc = APR_SUCCESS;
739 break;
740 }
741 if (inctx->block == APR_NONBLOCK_READ) {
742 break;
743 }
744 }
745 else {
746 if (*len > 0) {
747 inctx->rc = APR_SUCCESS;
748 break;
749 }
750 }
751 }
752 ssl_err = SSL_get_error(inctx->filter_ctx->pssl, rc);
753 c = (conn_rec*)SSL_get_app_data(inctx->filter_ctx->pssl);
754
755 if (ssl_err == SSL_ERROR_WANT_READ) {
756 /*
757 * If OpenSSL wants to read more, and we were nonblocking,
758 * report as an EAGAIN. Otherwise loop, pulling more
759 * data from network filter.
760 *
761 * (This is usually the case when the client forces an SSL
762 * renegotiation which is handled implicitly by OpenSSL.)
763 */
764 inctx->rc = APR_EAGAIN;
765
766 if (*len > 0) {
767 inctx->rc = APR_SUCCESS;
768 break;
769 }
770 if (inctx->block == APR_NONBLOCK_READ) {
771 break;
772 }
773 continue; /* Blocking and nothing yet? Try again. */
774 }
775 else if (ssl_err == SSL_ERROR_SYSCALL) {
776 if (APR_STATUS_IS_EAGAIN(inctx->rc)
777 || APR_STATUS_IS_EINTR(inctx->rc)) {
778 /* Already read something, return APR_SUCCESS instead. */
779 if (*len > 0) {
780 inctx->rc = APR_SUCCESS;
781 break;
782 }
783 if (inctx->block == APR_NONBLOCK_READ) {
784 break;
785 }
786 continue; /* Blocking and nothing yet? Try again. */
787 }
788 else if (APR_STATUS_IS_TIMEUP(inctx->rc)) {
789 /* just return it, the calling layer might be fine with it,
790 and we do not want to bloat the log. */
791 }
792 else {
793 ap_log_cerror(APLOG_MARK, APLOG_INFO, inctx->rc, c, APLOGNO(01991)
794 "SSL input filter read failed.");
795 }
796 }
797 else if (rc == 0 && ssl_err == SSL_ERROR_ZERO_RETURN) {
798 inctx->rc = APR_EOF;
799 break;
800 }
801 else /* if (ssl_err == SSL_ERROR_SSL) */ {
802 /*
803 * Log SSL errors and any unexpected conditions.
804 */
805 ap_log_cerror(APLOG_MARK, APLOG_INFO, inctx->rc, c, APLOGNO(01992)
806 "SSL library error %d reading data", ssl_err);
807 ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, mySrvFromConn(c));
808
809 }
810 if (rc == 0) {
811 inctx->rc = APR_EOF;
812 break;
813 }
814 if (inctx->rc == APR_SUCCESS) {
815 inctx->rc = APR_EGENERAL;
816 }
817 break;
818 }
819 }
820 return inctx->rc;
821}
822
823/* Read a line of input from the SSL input layer into buffer BUF of
824 * length *LEN; updating *len to reflect the length of the line
825 * including the LF character. */
826static apr_status_t ssl_io_input_getline(bio_filter_in_ctx_t *inctx,
827 char *buf,
828 apr_size_t *len)
829{
830 const char *pos = NULL;
831 apr_status_t status;
832 apr_size_t tmplen = *len, buflen = *len, offset = 0;
833
834 *len = 0;
835
836 /*
837 * in most cases we get all the headers on the first SSL_read.
838 * however, in certain cases SSL_read will only get a partial
839 * chunk of the headers, so we try to read until LF is seen.
840 */
841
842 while (tmplen > 0) {
843 status = ssl_io_input_read(inctx, buf + offset, &tmplen);
844
845 if (status != APR_SUCCESS) {
846 if (APR_STATUS_IS_EAGAIN(status) && (*len > 0)) {
847 /* Save the part of the line we already got */
848 char_buffer_write(&inctx->cbuf, buf, *len);
849 }
850 return status;
851 }
852
853 *len += tmplen;
854
855 if ((pos = memchr(buf, APR_ASCII_LF, *len))) {
856 break;
857 }
858
859 offset += tmplen;
860 tmplen = buflen - offset;
861 }
862
863 if (pos) {
864 char *value;
865 int length;
866 apr_size_t bytes = pos - buf;
867
868 bytes += 1;
869 value = buf + bytes;
870 length = *len - bytes;
871
872 char_buffer_write(&inctx->cbuf, value, length);
873
874 *len = bytes;
875 }
876
877 return APR_SUCCESS;
878}
879
880
881static apr_status_t ssl_filter_write(ap_filter_t *f,
882 const char *data,
883 apr_size_t len)
884{
885 ssl_filter_ctx_t *filter_ctx = f->ctx;
886 bio_filter_out_ctx_t *outctx;
887 int res;
888
889 /* write SSL */
890 if (filter_ctx->pssl == NULL) {
891 return APR_EGENERAL;
892 }
893
894 ap_log_cerror(APLOG_MARK, APLOG_TRACE6, 0, f->c,
895 "ssl_filter_write: %"APR_SIZE_T_FMT" bytes", len);
896
897 /* We rely on SSL_get_error() after the write, which requires an empty error
898 * queue before the write in order to work properly.
899 */
900 ERR_clear_error();
901
902 outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite);
903 res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len);
904
905 if (res < 0) {
906 int ssl_err = SSL_get_error(filter_ctx->pssl, res);
907 conn_rec *c = (conn_rec*)SSL_get_app_data(outctx->filter_ctx->pssl);
908
909 if (ssl_err == SSL_ERROR_WANT_WRITE) {
910 /*
911 * If OpenSSL wants to write more, and we were nonblocking,
912 * report as an EAGAIN. Otherwise loop, pushing more
913 * data at the network filter.
914 *
915 * (This is usually the case when the client forces an SSL
916 * renegotiation which is handled implicitly by OpenSSL.)
917 */
918 outctx->rc = APR_EAGAIN;
919 }
920 else if (ssl_err == SSL_ERROR_WANT_READ) {
921 /*
922 * If OpenSSL wants to read during write, and we were
923 * nonblocking, set the sense explicitly to read and
924 * report as an EAGAIN.
925 *
926 * (This is usually the case when the client forces an SSL
927 * renegotiation which is handled implicitly by OpenSSL.)
928 */
929 outctx->c->cs->sense = CONN_SENSE_WANT_READ;
930 outctx->rc = APR_EAGAIN;
931 ap_log_cerror(APLOG_MARK, APLOG_TRACE6, 0, outctx->c,
932 "Want read during nonblocking write");
933 }
934 else if (ssl_err == SSL_ERROR_SYSCALL) {
935 ap_log_cerror(APLOG_MARK, APLOG_INFO, outctx->rc, c, APLOGNO(01993)
936 "SSL output filter write failed.");
937 }
938 else /* if (ssl_err == SSL_ERROR_SSL) */ {
939 /*
940 * Log SSL errors
941 */
942 ap_log_cerror(APLOG_MARK, APLOG_INFO, outctx->rc, c, APLOGNO(01994)
943 "SSL library error %d writing data", ssl_err);
944 ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, mySrvFromConn(c));
945 }
946 if (outctx->rc == APR_SUCCESS) {
947 outctx->rc = APR_EGENERAL;
948 }
949 }
950 else if ((apr_size_t)res != len) {
951 conn_rec *c = f->c;
952 char *reason = "reason unknown";
953
954 /* XXX: probably a better way to determine this */
955 if (SSL_total_renegotiations(filter_ctx->pssl)) {
956 reason = "likely due to failed renegotiation";
957 }
958
959 ap_log_cerror(APLOG_MARK, APLOG_INFO, outctx->rc, c, APLOGNO(01995)
960 "failed to write %" APR_SSIZE_T_FMT
961 " of %" APR_SIZE_T_FMT " bytes (%s)",
962 len - (apr_size_t)res, len, reason);
963
964 outctx->rc = APR_EGENERAL;
965 }
966 return outctx->rc;
967}
968
969/* Just use a simple request. Any request will work for this, because
970 * we use a flag in the conn_rec->conn_vector now. The fake request just
971 * gets the request back to the Apache core so that a response can be sent.
972 * Since we use an HTTP/1.x request, we also have to inject the empty line
973 * that terminates the headers, or the core will read more data from the
974 * socket.
975 */
976#define HTTP_ON_HTTPS_PORT \
977 "GET / HTTP/1.0" CRLF
978
979#define HTTP_ON_HTTPS_PORT_BUCKET(alloc) \
980 apr_bucket_immortal_create(HTTP_ON_HTTPS_PORT, \
981 sizeof(HTTP_ON_HTTPS_PORT) - 1, \
982 alloc)
983
984/* Custom apr_status_t error code, used when a plain HTTP request is
985 * received on an SSL port. */
986#define MODSSL_ERROR_HTTP_ON_HTTPS (APR_OS_START_USERERR + 0)
987
988/* Custom apr_status_t error code, used when the proxy cannot
989 * establish an outgoing SSL connection. */
990#define MODSSL_ERROR_BAD_GATEWAY (APR_OS_START_USERERR + 1)
991
992static void ssl_io_filter_disable(SSLConnRec *sslconn,
993 bio_filter_in_ctx_t *inctx)
994{
995 SSL_free(inctx->ssl);
996 sslconn->ssl = NULL;
997 inctx->ssl = NULL;
998 inctx->filter_ctx->pssl = NULL;
999}
1000
1001static apr_status_t ssl_io_filter_error(bio_filter_in_ctx_t *inctx,
1002 apr_bucket_brigade *bb,
1003 apr_status_t status,
1004 int is_init)
1005{
1006 ap_filter_t *f = inctx->f;
1007 SSLConnRec *sslconn = myConnConfig(f->c);
1008 apr_bucket *bucket;
1009 int send_eos = 1;
1010
1011 switch (status) {
1012 case MODSSL_ERROR_HTTP_ON_HTTPS:
1013 /* log the situation */
1014 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, f->c, APLOGNO(01996)
1015 "SSL handshake failed: HTTP spoken on HTTPS port; "
1016 "trying to send HTML error page");
1017 ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, sslconn->server);
1018
1019 ssl_io_filter_disable(sslconn, inctx);
1020 f->c->keepalive = AP_CONN_CLOSE;
1021 if (is_init) {
1022 sslconn->non_ssl_request = NON_SSL_SEND_REQLINE;
1023 return APR_EGENERAL;
1024 }
1025 sslconn->non_ssl_request = NON_SSL_SEND_HDR_SEP;
1026
1027 /* fake the request line */
1028 bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
1029 send_eos = 0;
1030 break;
1031
1032 case MODSSL_ERROR_BAD_GATEWAY:
1033 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, f->c, APLOGNO(01997)
1034 "SSL handshake failed: sending 502");
1035 f->c->aborted = 1;
1036 return APR_EGENERAL;
1037
1038 default:
1039 return status;
1040 }
1041
1042 APR_BRIGADE_INSERT_TAIL(bb, bucket);
1043 if (send_eos) {
1044 bucket = apr_bucket_eos_create(f->c->bucket_alloc);
1045 APR_BRIGADE_INSERT_TAIL(bb, bucket);
1046 }
1047 return APR_SUCCESS;
1048}
1049
1050static const char ssl_io_filter[] = "SSL/TLS Filter";
1051static const char ssl_io_buffer[] = "SSL/TLS Buffer";
1052static const char ssl_io_coalesce[] = "SSL/TLS Coalescing Filter";
1053
1054/*
1055 * Close the SSL part of the socket connection
1056 * (called immediately _before_ the socket is closed)
1057 * or called with
1058 */
1059static void ssl_filter_io_shutdown(ssl_filter_ctx_t *filter_ctx,
1060 conn_rec *c, int abortive)
1061{
1062 SSL *ssl = filter_ctx->pssl;
1063 const char *type = "";
1064 SSLConnRec *sslconn = myConnConfig(c);
1065 int shutdown_type;
1066 int loglevel = APLOG_DEBUG;
1067 const char *logno;
1068
1069 if (!ssl) {
1070 return;
1071 }
1072
1073 /*
1074 * Now close the SSL layer of the connection. We've to take
1075 * the TLSv1 standard into account here:
1076 *
1077 * | 7.2.1. Closure alerts
1078 * |
1079 * | The client and the server must share knowledge that the connection is
1080 * | ending in order to avoid a truncation attack. Either party may
1081 * | initiate the exchange of closing messages.
1082 * |
1083 * | close_notify
1084 * | This message notifies the recipient that the sender will not send
1085 * | any more messages on this connection. The session becomes
1086 * | unresumable if any connection is terminated without proper
1087 * | close_notify messages with level equal to warning.
1088 * |
1089 * | Either party may initiate a close by sending a close_notify alert.
1090 * | Any data received after a closure alert is ignored.
1091 * |
1092 * | Each party is required to send a close_notify alert before closing
1093 * | the write side of the connection. It is required that the other party
1094 * | respond with a close_notify alert of its own and close down the
1095 * | connection immediately, discarding any pending writes. It is not
1096 * | required for the initiator of the close to wait for the responding
1097 * | close_notify alert before closing the read side of the connection.
1098 *
1099 * This means we've to send a close notify message, but haven't to wait
1100 * for the close notify of the client. Actually we cannot wait for the
1101 * close notify of the client because some clients (including Netscape
1102 * 4.x) don't send one, so we would hang.
1103 */
1104
1105 /*
1106 * exchange close notify messages, but allow the user
1107 * to force the type of handshake via SetEnvIf directive
1108 */
1109 if (abortive) {
1110 shutdown_type = SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN;
1111 type = "abortive";
1112 logno = APLOGNO(01998);
1113 loglevel = APLOG_INFO;
1114 }
1115 else switch (sslconn->shutdown_type) {
1116 case SSL_SHUTDOWN_TYPE_UNCLEAN:
1117 /* perform no close notify handshake at all
1118 (violates the SSL/TLS standard!) */
1119 shutdown_type = SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN;
1120 type = "unclean";
1121 logno = APLOGNO(01999);
1122 break;
1123 case SSL_SHUTDOWN_TYPE_ACCURATE:
1124 /* send close notify and wait for clients close notify
1125 (standard compliant, but usually causes connection hangs) */
1126 shutdown_type = 0;
1127 type = "accurate";
1128 logno = APLOGNO(02000);
1129 break;
1130 default:
1131 /*
1132 * case SSL_SHUTDOWN_TYPE_UNSET:
1133 * case SSL_SHUTDOWN_TYPE_STANDARD:
1134 */
1135 /* send close notify, but don't wait for clients close notify
1136 (standard compliant and safe, so it's the DEFAULT!) */
1137 shutdown_type = SSL_RECEIVED_SHUTDOWN;
1138 type = "standard";
1139 logno = APLOGNO(02001);
1140 break;
1141 }
1142
1143 SSL_set_shutdown(ssl, shutdown_type);
1144 modssl_smart_shutdown(ssl);
1145
1146 /* and finally log the fact that we've closed the connection */
1147 if (APLOG_CS_IS_LEVEL(c, mySrvFromConn(c), loglevel)) {
1148 /* Intentional no APLOGNO */
1149 /* logno provides APLOGNO */
1150 ap_log_cserror(APLOG_MARK, loglevel, 0, c, mySrvFromConn(c),
1151 "%sConnection closed to child %ld with %s shutdown "
1152 "(server %s)",
1153 logno, c->id, type,
1154 ssl_util_vhostid(c->pool, mySrvFromConn(c)));
1155 }
1156
1157 /* deallocate the SSL connection */
1158 if (sslconn->client_cert) {
1159 X509_free(sslconn->client_cert);
1160 sslconn->client_cert = NULL;
1161 }
1162 SSL_free(ssl);
1163 sslconn->ssl = NULL;
1164 filter_ctx->pssl = NULL; /* so filters know we've been shutdown */
1165
1166 if (abortive) {
1167 /* prevent any further I/O */
1168 c->aborted = 1;
1169 }
1170}
1171
1172static apr_status_t ssl_io_filter_cleanup(void *data)
1173{
1174 ssl_filter_ctx_t *filter_ctx = data;
1175
1176 if (filter_ctx->pssl) {
1177 conn_rec *c = (conn_rec *)SSL_get_app_data(filter_ctx->pssl);
1178 SSLConnRec *sslconn = myConnConfig(c);
1179
1180 SSL_free(filter_ctx->pssl);
1181 sslconn->ssl = filter_ctx->pssl = NULL;
1182 }
1183
1184 return APR_SUCCESS;
1185}
1186
1187/*
1188 * The hook is NOT registered with ap_hook_process_connection. Instead, it is
1189 * called manually from the churn () before it tries to read any data.
1190 * There is some problem if I accept conn_rec *. Still investigating..
1191 * Adv. if conn_rec * can be accepted is we can hook this function using the
1192 * ap_hook_process_connection hook.
1193 */
1194
1195/* Perform the SSL handshake (whether in client or server mode), if
1196 * necessary, for the given connection. */
1197static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
1198{
1199 conn_rec *c = (conn_rec *)SSL_get_app_data(filter_ctx->pssl);
1200 SSLConnRec *sslconn = myConnConfig(c);
1201 SSLSrvConfigRec *sc;
1202 X509 *cert;
1203 int n;
1204 int ssl_err;
1205 long verify_result;
1206 server_rec *server;
1207
1208 if (SSL_is_init_finished(filter_ctx->pssl)) {
1209 return APR_SUCCESS;
1210 }
1211
1212 server = sslconn->server;
1213 if (c->outgoing) {
1214#ifdef HAVE_TLSEXT
1215 apr_ipsubnet_t *ip;
1216#ifdef HAVE_TLS_ALPN
1217 const char *alpn_note;
1218 apr_array_header_t *alpn_proposed = NULL;
1219 int alpn_empty_ok = 1;
1220#endif
1221#endif
1222 const char *hostname_note = apr_table_get(c->notes,
1223 "proxy-request-hostname");
1224 BOOL proxy_ssl_check_peer_ok = TRUE;
1225 int post_handshake_rc = OK;
1226 SSLDirConfigRec *dc;
1227
1228 dc = sslconn->dc;
1229 sc = mySrvConfig(server);
1230
1231#ifdef HAVE_TLSEXT
1232#ifdef HAVE_TLS_ALPN
1233 alpn_note = apr_table_get(c->notes, "proxy-request-alpn-protos");
1234 if (alpn_note) {
1235 char *protos, *s, *p, *last, *proto;
1236 apr_size_t len;
1237
1238 /* Transform the note into a protocol formatted byte array:
1239 * (len-byte proto-char+)*
1240 * We need the remote server to agree on one of these, unless 'http/1.1'
1241 * is also among our proposals. Because pre-ALPN remotes will speak this.
1242 */
1243 alpn_proposed = apr_array_make(c->pool, 3, sizeof(const char*));
1244 alpn_empty_ok = 0;
1245 s = protos = apr_pcalloc(c->pool, strlen(alpn_note)+1);
1246 p = apr_pstrdup(c->pool, alpn_note);
1247 while ((p = apr_strtok(p, ", ", &last))) {
1248 len = last - p - (*last? 1 : 0);
1249 if (len > 255) {
1250 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03309)
1251 "ALPN proxy protocol identifier too long: %s",
1252 p);
1253 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
1254 return APR_EGENERAL;
1255 }
1256 proto = apr_pstrndup(c->pool, p, len);
1257 APR_ARRAY_PUSH(alpn_proposed, const char*) = proto;
1258 if (!strcmp("http/1.1", proto)) {
1259 alpn_empty_ok = 1;
1260 }
1261 *s++ = (unsigned char)len;
1262 while (len--) {
1263 *s++ = *p++;
1264 }
1265 p = NULL;
1266 }
1267 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c,
1268 "setting alpn protos from '%s', protolen=%d",
1269 alpn_note, (int)(s - protos));
1270 if (protos != s && SSL_set_alpn_protos(filter_ctx->pssl,
1271 (unsigned char *)protos,
1272 s - protos)) {
1273 ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(03310)
1274 "error setting alpn protos from '%s'", alpn_note);
1275 ssl_log_ssl_error(SSLLOG_MARK, APLOG_WARNING, server);
1276 /* If ALPN was requested and we cannot do it, we must fail */
1277 return MODSSL_ERROR_BAD_GATEWAY;
1278 }
1279 }
1280#endif /* defined HAVE_TLS_ALPN */
1281 /*
1282 * Enable SNI for backend requests. Make sure we don't do it for
1283 * pure SSLv3 connections, and also prevent IP addresses
1284 * from being included in the SNI extension. (OpenSSL would simply
1285 * pass them on, but RFC 6066 is quite clear on this: "Literal
1286 * IPv4 and IPv6 addresses are not permitted".)
1287 */
1288 if (hostname_note &&
1289#ifndef OPENSSL_NO_SSL3
1290 dc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
1291#endif
1292 apr_ipsubnet_create(&ip, hostname_note, NULL,
1293 c->pool) != APR_SUCCESS) {
1294 if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) {
1295 ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
1296 "SNI extension for SSL Proxy request set to '%s'",
1297 hostname_note);
1298 } else {
1299 ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(02002)
1300 "Failed to set SNI extension for SSL Proxy "
1301 "request to '%s'", hostname_note);
1302 ssl_log_ssl_error(SSLLOG_MARK, APLOG_WARNING, server);
1303 }
1304 }
1305#endif /* defined HAVE_TLSEXT */
1306
1307 if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
1308 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02003)
1309 "SSL Proxy connect failed");
1310 ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server);
1311 /* ensure that the SSL structures etc are freed, etc: */
1312 ssl_filter_io_shutdown(filter_ctx, c, 1);
1313 apr_table_setn(c->notes, "SSL_connect_rv", "err");
1314 return MODSSL_ERROR_BAD_GATEWAY;
1315 }
1316
1317 cert = SSL_get_peer_certificate(filter_ctx->pssl);
1318
1319 if (dc->proxy->ssl_check_peer_expire != FALSE) {
1320 if (!cert
1321 || (X509_cmp_current_time(
1322 X509_get_notBefore(cert)) >= 0)
1323 || (X509_cmp_current_time(
1324 X509_get_notAfter(cert)) <= 0)) {
1325 proxy_ssl_check_peer_ok = FALSE;
1326 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02004)
1327 "SSL Proxy: Peer certificate is expired");
1328 }
1329 }
1330 if ((dc->proxy->ssl_check_peer_name != FALSE) &&
1331 ((dc->proxy->ssl_check_peer_cn != FALSE) ||
1332 (dc->proxy->ssl_check_peer_name == TRUE)) &&
1333 hostname_note) {
1334 if (!cert
1335 || modssl_X509_match_name(c->pool, cert, hostname_note,
1336 TRUE, server) == FALSE) {
1337 proxy_ssl_check_peer_ok = FALSE;
1338 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02411)
1339 "SSL Proxy: Peer certificate does not match "
1340 "for hostname %s", hostname_note);
1341 }
1342 }
1343 else if ((dc->proxy->ssl_check_peer_cn == TRUE) &&
1344 hostname_note) {
1345 const char *hostname;
1346 int match = 0;
1347
1348 hostname = ssl_var_lookup(NULL, server, c, NULL,
1349 "SSL_CLIENT_S_DN_CN");
1350
1351 /* Do string match or simplest wildcard match if that
1352 * fails. */
1353 match = strcasecmp(hostname, hostname_note) == 0;
1354 if (!match && strncmp(hostname, "*.", 2) == 0) {
1355 const char *p = ap_strchr_c(hostname_note, '.');
1356
1357 match = p && strcasecmp(p, hostname + 1) == 0;
1358 }
1359
1360 if (!match) {
1361 proxy_ssl_check_peer_ok = FALSE;
1362 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02005)
1363 "SSL Proxy: Peer certificate CN mismatch:"
1364 " Certificate CN: %s Requested hostname: %s",
1365 hostname, hostname_note);
1366 }
1367 }
1368
1369#ifdef HAVE_TLS_ALPN
1370 /* If we proposed ALPN protocol(s), we need to check if the server
1371 * agreed to one of them. While <https://www.rfc-editor.org/rfc/rfc7301.txt>
1372 * chapter 3.2 says the server SHALL error the handshake in such a case,
1373 * the reality is that some servers fall back to their default, e.g. http/1.1.
1374 * (we also do this right now)
1375 * We need to treat this as an error for security reasons.
1376 */
1377 if (alpn_proposed && alpn_proposed->nelts > 0) {
1378 const char *selected;
1379 unsigned int slen;
1380
1381 SSL_get0_alpn_selected(filter_ctx->pssl, (const unsigned char**)&selected, &slen);
1382 if (!selected || !slen) {
1383 /* No ALPN selection reported by the remote server. This could mean
1384 * it does not support ALPN (old server) or that it does not support
1385 * any of our proposals (Apache itself up to 2.4.48 at least did that). */
1386 if (!alpn_empty_ok) {
1387 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(10273)
1388 "SSL Proxy: Peer did not select any of our ALPN protocols [%s].",
1389 alpn_note);
1390 proxy_ssl_check_peer_ok = FALSE;
1391 }
1392 }
1393 else {
1394 const char *proto;
1395 int i, found = 0;
1396 for (i = 0; !found && i < alpn_proposed->nelts; ++i) {
1397 proto = APR_ARRAY_IDX(alpn_proposed, i, const char *);
1398 found = !strncmp(selected, proto, slen);
1399 }
1400 if (!found) {
1401 /* From a conforming peer, this should never happen,
1402 * but life always finds a way... */
1403 proto = apr_pstrndup(c->pool, selected, slen);
1404 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(10274)
1405 "SSL Proxy: Peer proposed ALPN protocol %s which is none "
1406 "of our proposals [%s].", proto, alpn_note);
1407 proxy_ssl_check_peer_ok = FALSE;
1408 }
1409 }
1410 }
1411#endif
1412
1413 if (proxy_ssl_check_peer_ok == TRUE) {
1414 /* another chance to fail */
1415 post_handshake_rc = ssl_run_proxy_post_handshake(c, filter_ctx->pssl);
1416 }
1417
1418 if (cert) {
1419 X509_free(cert);
1420 }
1421
1422 if (proxy_ssl_check_peer_ok != TRUE
1423 || (post_handshake_rc != OK && post_handshake_rc != DECLINED)) {
1424 /* ensure that the SSL structures etc are freed, etc: */
1425 ssl_filter_io_shutdown(filter_ctx, c, 1);
1426 apr_table_setn(c->notes, "SSL_connect_rv", "err");
1427 return MODSSL_ERROR_BAD_GATEWAY;
1428 }
1429
1430 apr_table_setn(c->notes, "SSL_connect_rv", "ok");
1431 return APR_SUCCESS;
1432 }
1433
1434 /* We rely on SSL_get_error() after the accept, which requires an empty
1435 * error queue before the accept in order to work properly.
1436 */
1437 ERR_clear_error();
1438
1439 if ((n = SSL_accept(filter_ctx->pssl)) <= 0) {
1440 bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)
1441 BIO_get_data(filter_ctx->pbioRead);
1442 bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)
1443 BIO_get_data(filter_ctx->pbioWrite);
1444 apr_status_t rc = inctx->rc ? inctx->rc : outctx->rc ;
1445 ssl_err = SSL_get_error(filter_ctx->pssl, n);
1446
1447 if (ssl_err == SSL_ERROR_ZERO_RETURN) {
1448 /*
1449 * The case where the connection was closed before any data
1450 * was transferred. That's not a real error and can occur
1451 * sporadically with some clients.
1452 */
1453 ap_log_cerror(APLOG_MARK, APLOG_INFO, rc, c, APLOGNO(02006)
1454 "SSL handshake stopped: connection was closed");
1455 }
1456 else if (ssl_err == SSL_ERROR_WANT_READ) {
1457 /*
1458 * This is in addition to what was present earlier. It is
1459 * borrowed from openssl_state_machine.c [mod_tls].
1460 * TBD.
1461 */
1462 outctx->rc = APR_EAGAIN;
1463 return APR_EAGAIN;
1464 }
1465 else if (ERR_GET_LIB(ERR_peek_error()) == ERR_LIB_SSL &&
1466 ERR_GET_REASON(ERR_peek_error()) == SSL_R_HTTP_REQUEST) {
1467 /*
1468 * The case where OpenSSL has recognized a HTTP request:
1469 * This means the client speaks plain HTTP on our HTTPS port.
1470 * ssl_io_filter_error will disable the ssl filters when it
1471 * sees this status code.
1472 */
1473 return MODSSL_ERROR_HTTP_ON_HTTPS;
1474 }
1475 else if (ssl_err == SSL_ERROR_SYSCALL) {
1476 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, rc, c, APLOGNO(02007)
1477 "SSL handshake interrupted by system "
1478 "[Hint: Stop button pressed in browser?!]");
1479 }
1480 else /* if (ssl_err == SSL_ERROR_SSL) */ {
1481 /*
1482 * Log SSL errors and any unexpected conditions.
1483 */
1484 ap_log_cerror(APLOG_MARK, APLOG_INFO, rc, c, APLOGNO(02008)
1485 "SSL library error %d in handshake "
1486 "(server %s)", ssl_err,
1487 ssl_util_vhostid(c->pool, server));
1488 ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server);
1489
1490 }
1491 if (inctx->rc == APR_SUCCESS) {
1492 inctx->rc = APR_EGENERAL;
1493 }
1494
1495 ssl_filter_io_shutdown(filter_ctx, c, 1);
1496 return inctx->rc;
1497 }
1498 sc = mySrvConfig(sslconn->server);
1499
1500 /*
1501 * Check for failed client authentication
1502 */
1503 verify_result = SSL_get_verify_result(filter_ctx->pssl);
1504
1505 if ((verify_result != X509_V_OK) ||
1506 sslconn->verify_error)
1507 {
1508 if (ssl_verify_error_is_optional(verify_result) &&
1509 (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
1510 {
1511 /* leaving this log message as an error for the moment,
1512 * according to the mod_ssl docs:
1513 * "level optional_no_ca is actually against the idea
1514 * of authentication (but can be used to establish
1515 * SSL test pages, etc.)"
1516 * optional_no_ca doesn't appear to work as advertised
1517 * in 1.x
1518 */
1519 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02009)
1520 "SSL client authentication failed, "
1521 "accepting certificate based on "
1522 "\"SSLVerifyClient optional_no_ca\" "
1523 "configuration");
1524 ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server);
1525 }
1526 else {
1527 const char *error = sslconn->verify_error ?
1528 sslconn->verify_error :
1529 X509_verify_cert_error_string(verify_result);
1530
1531 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02010)
1532 "SSL client authentication failed: %s",
1533 error ? error : "unknown");
1534 ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server);
1535
1536 ssl_filter_io_shutdown(filter_ctx, c, 1);
1537 return APR_ECONNABORTED;
1538 }
1539 }
1540
1541 /*
1542 * Remember the peer certificate's DN
1543 */
1544 if ((cert = SSL_get_peer_certificate(filter_ctx->pssl))) {
1545 if (sslconn->client_cert) {
1546 X509_free(sslconn->client_cert);
1547 }
1548 sslconn->client_cert = cert;
1549 sslconn->client_dn = NULL;
1550 }
1551
1552 /*
1553 * Make really sure that when a peer certificate
1554 * is required we really got one... (be paranoid)
1555 */
1556 if ((sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) &&
1557 !sslconn->client_cert)
1558 {
1559 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02011)
1560 "No acceptable peer certificate available");
1561
1562 ssl_filter_io_shutdown(filter_ctx, c, 1);
1563 return APR_ECONNABORTED;
1564 }
1565
1566 return APR_SUCCESS;
1567}
1568
1569static apr_status_t ssl_io_filter_input(ap_filter_t *f,
1570 apr_bucket_brigade *bb,
1571 ap_input_mode_t mode,
1572 apr_read_type_e block,
1573 apr_off_t readbytes)
1574{
1575 apr_status_t status;
1576 bio_filter_in_ctx_t *inctx = f->ctx;
1577 const char *start = inctx->buffer; /* start of block to return */
1578 apr_size_t len = sizeof(inctx->buffer); /* length of block to return */
1579 int is_init = (mode == AP_MODE_INIT);
1580 apr_bucket *bucket;
1581
1582 if (f->c->aborted) {
1583 /* XXX: Ok, if we aborted, we ARE at the EOS. We also have
1584 * aborted. This 'double protection' is probably redundant,
1585 * but also effective against just about anything.
1586 */
1587 bucket = apr_bucket_eos_create(f->c->bucket_alloc);
1588 APR_BRIGADE_INSERT_TAIL(bb, bucket);
1589 return APR_ECONNABORTED;
1590 }
1591
1592 if (!inctx->ssl) {
1593 SSLConnRec *sslconn = myConnConfig(f->c);
1594 if (sslconn->non_ssl_request == NON_SSL_SEND_REQLINE) {
1595 bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
1596 APR_BRIGADE_INSERT_TAIL(bb, bucket);
1597 if (mode != AP_MODE_SPECULATIVE) {
1598 sslconn->non_ssl_request = NON_SSL_SEND_HDR_SEP;
1599 }
1600 return APR_SUCCESS;
1601 }
1602 if (sslconn->non_ssl_request == NON_SSL_SEND_HDR_SEP) {
1603 bucket = apr_bucket_immortal_create(CRLF, 2, f->c->bucket_alloc);
1604 APR_BRIGADE_INSERT_TAIL(bb, bucket);
1605 if (mode != AP_MODE_SPECULATIVE) {
1606 sslconn->non_ssl_request = NON_SSL_SET_ERROR_MSG;
1607 }
1608 return APR_SUCCESS;
1609 }
1610 return ap_get_brigade(f->next, bb, mode, block, readbytes);
1611 }
1612
1613 /* XXX: we don't currently support anything other than these modes. */
1614 if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE &&
1615 mode != AP_MODE_SPECULATIVE && mode != AP_MODE_INIT) {
1616 return APR_ENOTIMPL;
1617 }
1618
1619 inctx->mode = mode;
1620 inctx->block = block;
1621
1622 /* XXX: we could actually move ssl_io_filter_handshake to an
1623 * ap_hook_process_connection but would still need to call it for
1624 * AP_MODE_INIT for protocols that may upgrade the connection
1625 * rather than have SSLEngine On configured.
1626 */
1627 if ((status = ssl_io_filter_handshake(inctx->filter_ctx)) != APR_SUCCESS) {
1628 return ssl_io_filter_error(inctx, bb, status, is_init);
1629 }
1630
1631 if (is_init) {
1632 /* protocol module needs to handshake before sending
1633 * data to client (e.g. NNTP or FTP)
1634 */
1635 return APR_SUCCESS;
1636 }
1637
1638 if (inctx->mode == AP_MODE_READBYTES ||
1639 inctx->mode == AP_MODE_SPECULATIVE) {
1640 /* Protected from truncation, readbytes < MAX_SIZE_T
1641 * FIXME: No, it's *not* protected. -- jre */
1642 if (readbytes < len) {
1643 len = (apr_size_t)readbytes;
1644 }
1645 status = ssl_io_input_read(inctx, inctx->buffer, &len);
1646 }
1647 else if (inctx->mode == AP_MODE_GETLINE) {
1648 const char *pos;
1649
1650 /* Satisfy the read directly out of the buffer if possible;
1651 * invoking ssl_io_input_getline will mean the entire buffer
1652 * is copied once (unnecessarily) for each GETLINE call. */
1653 if (inctx->cbuf.length
1654 && (pos = memchr(inctx->cbuf.value, APR_ASCII_LF,
1655 inctx->cbuf.length)) != NULL) {
1656 start = inctx->cbuf.value;
1657 len = 1 + pos - start; /* +1 to include LF */
1658 /* Buffer contents now consumed. */
1659 inctx->cbuf.value += len;
1660 inctx->cbuf.length -= len;
1661 status = APR_SUCCESS;
1662 }
1663 else {
1664 /* Otherwise fall back to the hard way. */
1665 status = ssl_io_input_getline(inctx, inctx->buffer, &len);
1666 }
1667 }
1668 else {
1669 /* We have no idea what you are talking about, so return an error. */
1670 status = APR_ENOTIMPL;
1671 }
1672
1673 /* It is possible for mod_ssl's BIO to be used outside of the
1674 * direct control of mod_ssl's input or output filter -- notably,
1675 * when mod_ssl initiates a renegotiation. Switching the BIO mode
1676 * back to "blocking" here ensures such operations don't fail with
1677 * SSL_ERROR_WANT_READ. */
1678 inctx->block = APR_BLOCK_READ;
1679
1680 /* Handle custom errors. */
1681 if (status != APR_SUCCESS) {
1682 return ssl_io_filter_error(inctx, bb, status, 0);
1683 }
1684
1685 /* Create a transient bucket out of the decrypted data. */
1686 if (len > 0) {
1687 bucket =
1688 apr_bucket_transient_create(start, len, f->c->bucket_alloc);
1689 APR_BRIGADE_INSERT_TAIL(bb, bucket);
1690 }
1691
1692 return APR_SUCCESS;
1693}
1694
1695
1696/* ssl_io_filter_output() produces one SSL/TLS record per bucket
1697 * passed down the output filter stack. This results in a high
1698 * overhead (more network packets & TLS processing) for any output
1699 * comprising many small buckets. SSI output passed through the HTTP
1700 * chunk filter, for example, may produce many brigades containing
1701 * small buckets - [chunk-size CRLF] [chunk-data] [CRLF].
1702 *
1703 * Sending HTTP response headers as a separate TLS record to the
1704 * response body also reveals information to a network observer (the
1705 * size of headers) which can be significant.
1706 *
1707 * The coalescing filter merges data buckets with the aim of producing
1708 * fewer, larger TLS records - without copying/buffering all content
1709 * and introducing unnecessary overhead.
1710 *
1711 * ### This buffering could be probably be done more comprehensively
1712 * ### in ssl_io_filter_output itself.
1713 *
1714 * ### Another possible performance optimisation in particular for the
1715 * ### [HEAP] [FILE] HTTP response case is using a brigade rather than
1716 * ### a char array to buffer; using apr_brigade_write() to append
1717 * ### will use already-allocated memory from the HEAP, reducing # of
1718 * ### copies.
1719 */
1720
1721#define COALESCE_BYTES (AP_IOBUFSIZE)
1722
1723struct coalesce_ctx {
1724 char buffer[COALESCE_BYTES];
1725 apr_size_t bytes; /* number of bytes of buffer used. */
1726};
1727
1728static apr_status_t ssl_io_filter_coalesce(ap_filter_t *f,
1729 apr_bucket_brigade *bb)
1730{
1731 apr_bucket *e, *upto;
1732 apr_size_t bytes = 0;
1733 struct coalesce_ctx *ctx = f->ctx;
1734 apr_size_t buffered = ctx ? ctx->bytes : 0; /* space used on entry */
1735 unsigned count = 0;
1736
1737 /* The brigade consists of zero-or-more small data buckets which
1738 * can be coalesced (referred to as the "prefix"), followed by the
1739 * remainder of the brigade.
1740 *
1741 * Find the last bucket - if any - of that prefix. count gives
1742 * the number of buckets in the prefix. The "prefix" must contain
1743 * only data buckets with known length, and must be of a total
1744 * size which fits into the buffer.
1745 *
1746 * N.B.: The process here could be repeated throughout the brigade
1747 * (coalesce any run of consecutive data buckets) but this would
1748 * add significant complexity, particularly to memory
1749 * management. */
1750 for (e = APR_BRIGADE_FIRST(bb);
1751 e != APR_BRIGADE_SENTINEL(bb)
1752 && !APR_BUCKET_IS_METADATA(e)
1753 && e->length != (apr_size_t)-1
1754 && e->length <= COALESCE_BYTES
1755 && (buffered + bytes + e->length) <= COALESCE_BYTES;
1756 e = APR_BUCKET_NEXT(e)) {
1757 /* don't count zero-length buckets */
1758 if (e->length) {
1759 bytes += e->length;
1760 count++;
1761 }
1762 }
1763
1764 /* If there is room remaining and the next bucket is a data
1765 * bucket, try to include it in the prefix to coalesce. For a
1766 * typical [HEAP] [FILE] HTTP response brigade, this handles
1767 * merging the headers and the start of the body into a single TLS
1768 * record. */
1769 if (bytes + buffered > 0
1770 && bytes + buffered < COALESCE_BYTES
1771 && e != APR_BRIGADE_SENTINEL(bb)
1772 && !APR_BUCKET_IS_METADATA(e)) {
1773 apr_status_t rv = APR_SUCCESS;
1774
1775 /* For an indeterminate length bucket (PIPE/CGI/...), try a
1776 * non-blocking read to have it morph into a HEAP. If the
1777 * read fails with EAGAIN, it is harmless to try a split
1778 * anyway, split is ENOTIMPL for most PIPE-like buckets. */
1779 if (e->length == (apr_size_t)-1) {
1780 const char *discard;
1781 apr_size_t ignore;
1782
1783 rv = apr_bucket_read(e, &discard, &ignore, APR_NONBLOCK_READ);
1784 if (rv != APR_SUCCESS && !APR_STATUS_IS_EAGAIN(rv)) {
1785 ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, f->c, APLOGNO(10232)
1786 "coalesce failed to read from %s bucket",
1787 e->type->name);
1788 return AP_FILTER_ERROR;
1789 }
1790 }
1791
1792 if (rv == APR_SUCCESS) {
1793 /* If the read above made the bucket morph, it may now fit
1794 * entirely within the buffer. Otherwise, split it so it does
1795 * fit. */
1796 if (e->length > COALESCE_BYTES
1797 || e->length + buffered + bytes > COALESCE_BYTES) {
1798 rv = apr_bucket_split(e, COALESCE_BYTES - (buffered + bytes));
1799 }
1800
1801 if (rv == APR_SUCCESS && e->length == 0) {
1802 /* As above, don't count in the prefix if the bucket is
1803 * now zero-length. */
1804 }
1805 else if (rv == APR_SUCCESS) {
1806 ap_log_cerror(APLOG_MARK, APLOG_TRACE4, 0, f->c,
1807 "coalesce: adding %" APR_SIZE_T_FMT " bytes "
1808 "from split %s bucket, total %" APR_SIZE_T_FMT,
1809 e->length, e->type->name, bytes + buffered);
1810
1811 count++;
1812 bytes += e->length;
1813 e = APR_BUCKET_NEXT(e);
1814 }
1815 else if (rv != APR_ENOTIMPL) {
1816 ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, f->c, APLOGNO(10233)
1817 "coalesce: failed to split data bucket");
1818 return AP_FILTER_ERROR;
1819 }
1820 }
1821 }
1822
1823 /* The prefix is zero or more buckets. upto now points to the
1824 * bucket AFTER the end of the prefix, which may be the brigade
1825 * sentinel. */
1826 upto = e;
1827
1828 /* Coalesce the prefix, if any of the following are true:
1829 *
1830 * a) the prefix is more than one bucket
1831 * OR
1832 * b) the prefix is the entire brigade, which is a single bucket
1833 * AND the prefix length is smaller than the buffer size,
1834 * OR
1835 * c) the prefix is a single bucket
1836 * AND there is buffered data from a previous pass.
1837 *
1838 * The aim with (b) is to buffer a small bucket so it can be
1839 * coalesced with future invocations of this filter. e.g. three
1840 * calls each with a single 100 byte HEAP bucket should get
1841 * coalesced together. But an invocation with a 8192 byte HEAP
1842 * should pass through untouched.
1843 */
1844 if (bytes > 0
1845 && (count > 1
1846 || (upto == APR_BRIGADE_SENTINEL(bb)
1847 && bytes < COALESCE_BYTES)
1848 || (ctx && ctx->bytes > 0))) {
1849 /* If coalescing some bytes, ensure a context has been
1850 * created. */
1851 if (!ctx) {
1852 f->ctx = ctx = apr_palloc(f->c->pool, sizeof *ctx);
1853 ctx->bytes = 0;
1854 }
1855
1856 ap_log_cerror(APLOG_MARK, APLOG_TRACE4, 0, f->c,
1857 "coalesce: have %" APR_SIZE_T_FMT " bytes, "
1858 "adding %" APR_SIZE_T_FMT " more (buckets=%u)",
1859 ctx->bytes, bytes, count);
1860
1861 /* Iterate through the prefix segment. For non-fatal errors
1862 * in this loop it is safe to break out and fall back to the
1863 * normal path of sending the buffer + remaining buckets in
1864 * brigade. */
1865 e = APR_BRIGADE_FIRST(bb);
1866 while (e != upto) {
1867 apr_size_t len;
1868 const char *data;
1869 apr_bucket *next;
1870
1871 if (APR_BUCKET_IS_METADATA(e)
1872 || e->length == (apr_size_t)-1) {
1873 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, f->c, APLOGNO(02012)
1874 "unexpected %s bucket during coalesce",
1875 e->type->name);
1876 break; /* non-fatal error; break out */
1877 }
1878
1879 if (e->length) {
1880 apr_status_t rv;
1881
1882 /* A blocking read should be fine here for a
1883 * known-length data bucket, rather than the usual
1884 * non-block/flush/block. */
1885 rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
1886 if (rv) {
1887 ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, f->c, APLOGNO(02013)
1888 "coalesce failed to read from data bucket");
1889 return AP_FILTER_ERROR;
1890 }
1891
1892 /* Be paranoid. */
1893 if (len > sizeof ctx->buffer
1894 || (len + ctx->bytes > sizeof ctx->buffer)) {
1895 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, f->c, APLOGNO(02014)
1896 "unexpected coalesced bucket data length");
1897 break; /* non-fatal error; break out */
1898 }
1899
1900 memcpy(ctx->buffer + ctx->bytes, data, len);
1901 ctx->bytes += len;
1902 }
1903
1904 next = APR_BUCKET_NEXT(e);
1905 apr_bucket_delete(e);
1906 e = next;
1907 }
1908 }
1909
1910 if (APR_BRIGADE_EMPTY(bb)) {
1911 /* If the brigade is now empty, our work here is done. */
1912 return APR_SUCCESS;
1913 }
1914
1915 /* If anything remains in the brigade, it must now be passed down
1916 * the filter stack, first prepending anything that has been
1917 * coalesced. */
1918 if (ctx && ctx->bytes) {
1919 ap_log_cerror(APLOG_MARK, APLOG_TRACE4, 0, f->c,
1920 "coalesce: passing on %" APR_SIZE_T_FMT " bytes", ctx->bytes);
1921
1922 e = apr_bucket_transient_create(ctx->buffer, ctx->bytes, bb->bucket_alloc);
1923 APR_BRIGADE_INSERT_HEAD(bb, e);
1924 ctx->bytes = 0; /* buffer now emptied. */
1925 }
1926
1927 return ap_pass_brigade(f->next, bb);
1928}
1929
1930static apr_status_t ssl_io_filter_output(ap_filter_t *f,
1931 apr_bucket_brigade *bb)
1932{
1933 apr_status_t status = APR_SUCCESS;
1934 ssl_filter_ctx_t *filter_ctx = f->ctx;
1935 bio_filter_in_ctx_t *inctx;
1936 bio_filter_out_ctx_t *outctx;
1937 apr_read_type_e rblock = APR_NONBLOCK_READ;
1938
1939 if (f->c->aborted) {
1940 apr_brigade_cleanup(bb);
1941 return APR_ECONNABORTED;
1942 }
1943
1944 if (!filter_ctx->pssl) {
1945 /* ssl_filter_io_shutdown was called */
1946 return ap_pass_brigade(f->next, bb);
1947 }
1948
1949 inctx = (bio_filter_in_ctx_t *)BIO_get_data(filter_ctx->pbioRead);
1950 outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite);
1951
1952 /* When we are the writer, we must initialize the inctx
1953 * mode so that we block for any required ssl input, because
1954 * output filtering is always nonblocking.
1955 */
1956 inctx->mode = AP_MODE_READBYTES;
1957 inctx->block = APR_BLOCK_READ;
1958
1959 if ((status = ssl_io_filter_handshake(filter_ctx)) != APR_SUCCESS) {
1960 return ssl_io_filter_error(inctx, bb, status, 0);
1961 }
1962
1963 while (!APR_BRIGADE_EMPTY(bb) && status == APR_SUCCESS) {
1964 apr_bucket *bucket = APR_BRIGADE_FIRST(bb);
1965
1966 if (APR_BUCKET_IS_METADATA(bucket)) {
1967 /* Pass through metadata buckets untouched. EOC is
1968 * special; terminate the SSL layer first. */
1969 if (AP_BUCKET_IS_EOC(bucket)) {
1970 ssl_filter_io_shutdown(filter_ctx, f->c, 0);
1971 }
1972 AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(outctx->bb));
1973
1974 /* Metadata buckets are passed one per brigade; it might
1975 * be more efficient (but also more complex) to use
1976 * outctx->bb as a true buffer and interleave these with
1977 * data buckets. */
1978 APR_BUCKET_REMOVE(bucket);
1979 APR_BRIGADE_INSERT_HEAD(outctx->bb, bucket);
1980 status = ap_pass_brigade(f->next, outctx->bb);
1981 if (status == APR_SUCCESS && f->c->aborted)
1982 status = APR_ECONNRESET;
1983 apr_brigade_cleanup(outctx->bb);
1984 }
1985 else {
1986 /* Filter a data bucket. */
1987 const char *data;
1988 apr_size_t len;
1989
1990 status = apr_bucket_read(bucket, &data, &len, rblock);
1991
1992 if (APR_STATUS_IS_EAGAIN(status)) {
1993 /* No data available: flush... */
1994 if (bio_filter_out_flush(filter_ctx->pbioWrite) < 0) {
1995 status = outctx->rc;
1996 break;
1997 }
1998 rblock = APR_BLOCK_READ;
1999 /* and try again with a blocking read. */
2000 status = APR_SUCCESS;
2001 continue;
2002 }
2003
2004 rblock = APR_NONBLOCK_READ;
2005
2006 if (!APR_STATUS_IS_EOF(status) && (status != APR_SUCCESS)) {
2007 break;
2008 }
2009
2010 status = ssl_filter_write(f, data, len);
2011 apr_bucket_delete(bucket);
2012 }
2013
2014 }
2015
2016 return status;
2017}
2018
2022
2023int ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen)
2024{
2025 conn_rec *c = r->connection;
2026 struct modssl_buffer_ctx *ctx;
2027 apr_bucket_brigade *tempb;
2028 apr_off_t total = 0; /* total length buffered */
2029 int eos = 0; /* non-zero once EOS is seen */
2030
2031 /* Create the context which will be passed to the input filter;
2032 * containing a setaside pool and a brigade which constrain the
2033 * lifetime of the buffered data. */
2034 ctx = apr_palloc(r->pool, sizeof *ctx);
2035 ctx->bb = apr_brigade_create(r->pool, c->bucket_alloc);
2036
2037 /* ... and a temporary brigade. */
2038 tempb = apr_brigade_create(r->pool, c->bucket_alloc);
2039
2040 ap_log_cerror(APLOG_MARK, APLOG_TRACE4, 0, c, "filling buffer, max size "
2041 "%" APR_SIZE_T_FMT " bytes", maxlen);
2042
2043 do {
2044 apr_status_t rv;
2045 apr_bucket *e, *next;
2046
2047 /* The request body is read from the protocol-level input
2048 * filters; the buffering filter will reinject it from that
2049 * level, allowing content/resource filters to run later, if
2050 * necessary. */
2051
2052 rv = ap_get_brigade(r->proto_input_filters, tempb, AP_MODE_READBYTES,
2053 APR_BLOCK_READ, 8192);
2054 if (rv) {
2055 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02015)
2056 "could not read request body for SSL buffer");
2057 return ap_map_http_request_error(rv, HTTP_INTERNAL_SERVER_ERROR);
2058 }
2059
2060 /* Iterate through the returned brigade: setaside each bucket
2061 * into the context's pool and move it into the brigade. */
2062 for (e = APR_BRIGADE_FIRST(tempb);
2063 e != APR_BRIGADE_SENTINEL(tempb) && !eos; e = next) {
2064 const char *data;
2065 apr_size_t len;
2066
2067 next = APR_BUCKET_NEXT(e);
2068
2069 if (APR_BUCKET_IS_EOS(e)) {
2070 eos = 1;
2071 } else if (!APR_BUCKET_IS_METADATA(e)) {
2072 rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
2073 if (rv != APR_SUCCESS) {
2074 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02016)
2075 "could not read bucket for SSL buffer");
2076 return HTTP_INTERNAL_SERVER_ERROR;
2077 }
2078 total += len;
2079 }
2080
2081 rv = apr_bucket_setaside(e, r->pool);
2082 if (rv != APR_SUCCESS) {
2083 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02017)
2084 "could not setaside bucket for SSL buffer");
2085 return HTTP_INTERNAL_SERVER_ERROR;
2086 }
2087
2088 APR_BUCKET_REMOVE(e);
2089 APR_BRIGADE_INSERT_TAIL(ctx->bb, e);
2090 }
2091
2092 ap_log_cerror(APLOG_MARK, APLOG_TRACE4, 0, c,
2093 "total of %" APR_OFF_T_FMT " bytes in buffer, eos=%d",
2094 total, eos);
2095
2096 /* Fail if this exceeds the maximum buffer size. */
2097 if (total > maxlen) {
2098 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02018)
2099 "request body exceeds maximum size (%" APR_SIZE_T_FMT
2100 ") for SSL buffer", maxlen);
2101 return HTTP_REQUEST_ENTITY_TOO_LARGE;
2102 }
2103
2104 } while (!eos);
2105
2106 apr_brigade_destroy(tempb);
2107
2108 /* After consuming all protocol-level input, remove all protocol-level
2109 * filters. It should strictly only be necessary to remove filters
2110 * at exactly ftype == AP_FTYPE_PROTOCOL, since this filter will
2111 * precede all > AP_FTYPE_PROTOCOL anyway. */
2112 while (r->proto_input_filters->frec->ftype < AP_FTYPE_CONNECTION) {
2113 ap_remove_input_filter(r->proto_input_filters);
2114 }
2115
2116 /* Insert the filter which will supply the buffered content. */
2117 ap_add_input_filter(ssl_io_buffer, ctx, r, c);
2118
2119 return 0;
2120}
2121
2122/* This input filter supplies the buffered request body to the caller
2123 * from the brigade stored in f->ctx. Note that the placement of this
2124 * filter in the filter stack is important; it must be the first
2125 * r->proto_input_filter; lower-typed filters will not be preserved
2126 * across internal redirects (see PR 43738). */
2127static apr_status_t ssl_io_filter_buffer(ap_filter_t *f,
2128 apr_bucket_brigade *bb,
2129 ap_input_mode_t mode,
2130 apr_read_type_e block,
2131 apr_off_t bytes)
2132{
2133 struct modssl_buffer_ctx *ctx = f->ctx;
2134 apr_status_t rv;
2135 apr_bucket *e, *d;
2136
2137 ap_log_cerror(APLOG_MARK, APLOG_TRACE4, 0, f->c,
2138 "read from buffered SSL brigade, mode %d, "
2139 "%" APR_OFF_T_FMT " bytes",
2140 mode, bytes);
2141
2142 if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE) {
2143 return APR_ENOTIMPL;
2144 }
2145
2146 if (APR_BRIGADE_EMPTY(ctx->bb)) {
2147 /* Surprisingly (and perhaps, wrongly), the request body can be
2148 * pulled from the input filter stack more than once; a
2149 * handler may read it, and ap_discard_request_body() will
2150 * attempt to do so again after *every* request. So input
2151 * filters must be prepared to give up an EOS if invoked after
2152 * initially reading the request. The HTTP_IN filter does this
2153 * with its ->eos_sent flag. */
2154
2155 APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_eos_create(f->c->bucket_alloc));
2156 return APR_SUCCESS;
2157 }
2158
2159 if (mode == AP_MODE_READBYTES) {
2160 /* Partition the buffered brigade. */
2161 rv = apr_brigade_partition(ctx->bb, bytes, &e);
2162 if (rv && rv != APR_INCOMPLETE) {
2163 ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, f->c, APLOGNO(02019)
2164 "could not partition buffered SSL brigade");
2165 ap_remove_input_filter(f);
2166 return rv;
2167 }
2168
2169 /* If the buffered brigade contains less then the requested
2170 * length, just pass it all back. */
2171 if (rv == APR_INCOMPLETE) {
2172 APR_BRIGADE_CONCAT(bb, ctx->bb);
2173 } else {
2174 d = APR_BRIGADE_FIRST(ctx->bb);
2175
2176 e = APR_BUCKET_PREV(e);
2177
2178 /* Unsplice the partitioned segment and move it into the
2179 * passed-in brigade; no convenient way to do this with
2180 * the APR_BRIGADE_* macros. */
2181 APR_RING_UNSPLICE(d, e, link);
2182 APR_RING_SPLICE_HEAD(&bb->list, d, e, apr_bucket, link);
2183
2184 APR_BRIGADE_CHECK_CONSISTENCY(bb);
2185 APR_BRIGADE_CHECK_CONSISTENCY(ctx->bb);
2186 }
2187 }
2188 else {
2189 /* Split a line into the passed-in brigade. */
2190 rv = apr_brigade_split_line(bb, ctx->bb, block, bytes);
2191
2192 if (rv) {
2193 ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, f->c, APLOGNO(02020)
2194 "could not split line from buffered SSL brigade");
2195 ap_remove_input_filter(f);
2196 return rv;
2197 }
2198 }
2199
2200 if (APR_BRIGADE_EMPTY(ctx->bb)) {
2201 e = APR_BRIGADE_LAST(bb);
2202
2203 /* Ensure that the brigade is terminated by an EOS if the
2204 * buffered request body has been entirely consumed. */
2205 if (e == APR_BRIGADE_SENTINEL(bb) || !APR_BUCKET_IS_EOS(e)) {
2206 e = apr_bucket_eos_create(f->c->bucket_alloc);
2207 APR_BRIGADE_INSERT_TAIL(bb, e);
2208 }
2209
2210 ap_log_cerror(APLOG_MARK, APLOG_TRACE4, 0, f->c,
2211 "buffered SSL brigade exhausted");
2212 /* Note that the filter must *not* be removed here; it may be
2213 * invoked again, see comment above. */
2214 }
2215
2216 return APR_SUCCESS;
2217}
2218
2219/* The request_rec pointer is passed in here only to ensure that the
2220 * filter chain is modified correctly when doing a TLS upgrade. It
2221 * must *not* be used otherwise. */
2222static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
2223 request_rec *r, SSL *ssl)
2224{
2225 bio_filter_in_ctx_t *inctx;
2226
2227 inctx = apr_palloc(c->pool, sizeof(*inctx));
2228
2229 filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c);
2230
2231#if MODSSL_USE_OPENSSL_PRE_1_1_API
2232 filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
2233#else
2234 filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
2235#endif
2236 BIO_set_data(filter_ctx->pbioRead, (void *)inctx);
2237
2238 inctx->ssl = ssl;
2239 inctx->bio_out = filter_ctx->pbioWrite;
2240 inctx->f = filter_ctx->pInputFilter;
2241 inctx->rc = APR_SUCCESS;
2242 inctx->mode = AP_MODE_READBYTES;
2243 inctx->cbuf.length = 0;
2244 inctx->bb = apr_brigade_create(c->pool, c->bucket_alloc);
2245 inctx->block = APR_BLOCK_READ;
2246 inctx->pool = c->pool;
2247 inctx->filter_ctx = filter_ctx;
2248}
2249
2250/* The request_rec pointer is passed in here only to ensure that the
2251 * filter chain is modified correctly when doing a TLS upgrade. It
2252 * must *not* be used otherwise. */
2253void ssl_io_filter_init(conn_rec *c, request_rec *r, SSL *ssl)
2254{
2255 ssl_filter_ctx_t *filter_ctx;
2256
2257 filter_ctx = apr_palloc(c->pool, sizeof(ssl_filter_ctx_t));
2258
2259 filter_ctx->config = myConnConfig(c);
2260
2261 ap_add_output_filter(ssl_io_coalesce, NULL, r, c);
2262
2263 filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter,
2264 filter_ctx, r, c);
2265
2266#if MODSSL_USE_OPENSSL_PRE_1_1_API
2267 filter_ctx->pbioWrite = BIO_new(&bio_filter_out_method);
2268#else
2269 filter_ctx->pbioWrite = BIO_new(bio_filter_out_method);
2270#endif
2271 BIO_set_data(filter_ctx->pbioWrite, (void *)bio_filter_out_ctx_new(filter_ctx, c));
2272
2273 /* write is non blocking for the benefit of async mpm */
2274 if (c->cs) {
2275 BIO_set_nbio(filter_ctx->pbioWrite, 1);
2276 ap_log_cerror(APLOG_MARK, APLOG_TRACE6, 0, c,
2277 "Enabling non-blocking writes");
2278 }
2279
2280 ssl_io_input_add_filter(filter_ctx, c, r, ssl);
2281
2282 SSL_set_bio(ssl, filter_ctx->pbioRead, filter_ctx->pbioWrite);
2283 filter_ctx->pssl = ssl;
2284
2285 apr_pool_cleanup_register(c->pool, (void*)filter_ctx,
2286 ssl_io_filter_cleanup, apr_pool_cleanup_null);
2287
2288 modssl_set_io_callbacks(ssl, c, mySrvFromConn(c));
2289
2290 return;
2291}
2292
2303
2304/* _________________________________________________________________
2305**
2306** I/O Data Debugging
2307** _________________________________________________________________
2308*/
2309
2310#define DUMP_WIDTH 16
2311
2312static void ssl_io_data_dump(conn_rec *c, server_rec *s,
2313 const char *b, int len)
2314{
2315 char buf[256];
2316 int i, j, rows, trunc, pos;
2317 unsigned char ch;
2318
2319 trunc = 0;
2320 for (; (len > 0) && ((b[len-1] == ' ') || (b[len-1] == '\0')); len--)
2321 trunc++;
2322 rows = (len / DUMP_WIDTH);
2323 if ((rows * DUMP_WIDTH) < len)
2324 rows++;
2325 ap_log_cserror(APLOG_MARK, APLOG_TRACE7, 0, c, s,
2326 "+-------------------------------------------------------------------------+");
2327 for (i = 0 ; i < rows; i++) {
2328#if APR_CHARSET_EBCDIC
2329 char ebcdic_text[DUMP_WIDTH];
2330 j = DUMP_WIDTH;
2331 if ((i * DUMP_WIDTH + j) > len)
2332 j = len % DUMP_WIDTH;
2333 if (j == 0)
2334 j = DUMP_WIDTH;
2335 memcpy(ebcdic_text,(char *)(b) + i * DUMP_WIDTH, j);
2336 ap_xlate_proto_from_ascii(ebcdic_text, j);
2337#endif /* APR_CHARSET_EBCDIC */
2338 pos = 0;
2339 pos += apr_snprintf(buf, sizeof(buf)-pos, "| %04x: ", i * DUMP_WIDTH);
2340 for (j = 0; j < DUMP_WIDTH; j++) {
2341 if (((i * DUMP_WIDTH) + j) >= len)
2342 pos += apr_snprintf(buf+pos, sizeof(buf)-pos, " ");
2343 else {
2344 ch = ((unsigned char)*((char *)(b) + i * DUMP_WIDTH + j)) & 0xff;
2345 pos += apr_snprintf(buf+pos, sizeof(buf)-pos, "%02x%c", ch , j==7 ? '-' : ' ');
2346 }
2347 }
2348 pos += apr_snprintf(buf+pos, sizeof(buf)-pos, " ");
2349 for (j = 0; j < DUMP_WIDTH; j++) {
2350 if (((i * DUMP_WIDTH) + j) >= len)
2351 pos += apr_snprintf(buf+pos, sizeof(buf)-pos, " ");
2352 else {
2353 ch = ((unsigned char)*((char *)(b) + i * DUMP_WIDTH + j)) & 0xff;
2354#if APR_CHARSET_EBCDIC
2355 pos += apr_snprintf(buf+pos, sizeof(buf)-pos, "%c", (ch >= 0x20 && ch <= 0x7F) ? ebcdic_text[j] : '.');
2356#else /* APR_CHARSET_EBCDIC */
2357 pos += apr_snprintf(buf+pos, sizeof(buf)-pos, "%c", ((ch >= ' ') && (ch <= '~')) ? ch : '.');
2358#endif /* APR_CHARSET_EBCDIC */
2359 }
2360 }
2361 pos += apr_snprintf(buf+pos, sizeof(buf)-pos, " |");
2362 ap_log_cserror(APLOG_MARK, APLOG_TRACE7, 0, c, s, "%s", buf);
2363 }
2364 if (trunc > 0)
2365 ap_log_cserror(APLOG_MARK, APLOG_TRACE7, 0, c, s,
2366 "| %04d - <SPACES/NULS>", len + trunc);
2367 ap_log_cserror(APLOG_MARK, APLOG_TRACE7, 0, c, s,
2368 "+-------------------------------------------------------------------------+");
2369}
2370
2371#define MODSSL_IO_DUMP_MAX APR_UINT16_MAX
2372
2373#if OPENSSL_VERSION_NUMBER >= 0x30000000L
2374static long modssl_io_cb(BIO *bio, int cmd, const char *argp,
2375 size_t len, int argi, long argl, int rc,
2376 size_t *processed)
2377#else
2378static long modssl_io_cb(BIO *bio, int cmd, const char *argp,
2379 int argi, long argl, long rc)
2380#endif
2381{
2382 SSL *ssl;
2383 conn_rec *c;
2384 server_rec *s;
2385
2386 /* unused */
2387#if OPENSSL_VERSION_NUMBER >= 0x30000000L
2388 (void)argi;
2389#endif
2390 (void)argl;
2391
2392 if ((ssl = (SSL *)BIO_get_callback_arg(bio)) == NULL)
2393 return rc;
2394 if ((c = (conn_rec *)SSL_get_app_data(ssl)) == NULL)
2395 return rc;
2396 s = mySrvFromConn(c);
2397
2398 if ( cmd == (BIO_CB_WRITE|BIO_CB_RETURN)
2399 || cmd == (BIO_CB_READ |BIO_CB_RETURN) ) {
2400#if OPENSSL_VERSION_NUMBER >= 0x30000000L
2401 apr_size_t requested_len = len;
2402 /*
2403 * On OpenSSL >= 3 rc uses the meaning of the BIO_read_ex and
2404 * BIO_write_ex functions return value and not the one of
2405 * BIO_read and BIO_write. Hence 0 indicates an error.
2406 */
2407 int ok = (rc > 0);
2408#else
2409 apr_size_t requested_len = (apr_size_t)argi;
2410 int ok = (rc >= 0);
2411#endif
2412 if (ok) {
2413#if OPENSSL_VERSION_NUMBER >= 0x30000000L
2414 apr_size_t actual_len = *processed;
2415#else
2416 apr_size_t actual_len = (apr_size_t)rc;
2417#endif
2418 const char *dump = "";
2419 if (APLOG_CS_IS_LEVEL(c, s, APLOG_TRACE7)) {
2420 if (argp == NULL)
2421 dump = "(Oops, no memory buffer?)";
2422 else if (actual_len > MODSSL_IO_DUMP_MAX)
2423 dump = "(BIO dump follows, truncated to "
2424 APR_STRINGIFY(MODSSL_IO_DUMP_MAX) ")";
2425 else
2426 dump = "(BIO dump follows)";
2427 }
2428 ap_log_cserror(APLOG_MARK, APLOG_TRACE4, 0, c, s,
2429 "%s: %s %" APR_SIZE_T_FMT "/%" APR_SIZE_T_FMT
2430 " bytes %s BIO#%pp [mem: %pp] %s",
2431 MODSSL_LIBRARY_NAME,
2432 (cmd & BIO_CB_WRITE) ? "write" : "read",
2433 actual_len, requested_len,
2434 (cmd & BIO_CB_WRITE) ? "to" : "from",
2435 bio, argp, dump);
2436 /*
2437 * *dump will only be != '\0' if
2438 * APLOG_CS_IS_LEVEL(c, s, APLOG_TRACE7)
2439 */
2440 if (*dump != '\0' && argp != NULL) {
2441 int dump_len = (actual_len >= MODSSL_IO_DUMP_MAX
2442 ? MODSSL_IO_DUMP_MAX
2443 : actual_len);
2444 ssl_io_data_dump(c, s, argp, dump_len);
2445 }
2446 }
2447 else {
2448 ap_log_cserror(APLOG_MARK, APLOG_TRACE4, 0, c, s,
2449 "%s: I/O error, %" APR_SIZE_T_FMT
2450 " bytes expected to %s on BIO#%pp [mem: %pp]",
2451 MODSSL_LIBRARY_NAME, requested_len,
2452 (cmd & BIO_CB_WRITE) ? "write" : "read",
2453 bio, argp);
2454 }
2455 }
2456 return rc;
2457}
2458
2459static APR_INLINE void set_bio_callback(BIO *bio, void *arg)
2460{
2461#if OPENSSL_VERSION_NUMBER >= 0x30000000L
2462 BIO_set_callback_ex(bio, modssl_io_cb);
2463#else
2464 BIO_set_callback(bio, modssl_io_cb);
2465#endif
2466 BIO_set_callback_arg(bio, arg);
2467}
2468
2469void modssl_set_io_callbacks(SSL *ssl, conn_rec *c, server_rec *s)
2470{
2471 BIO *rbio, *wbio;
2472
2473 if (!APLOG_CS_IS_LEVEL(c, s, APLOG_TRACE4))
2474 return;
2475
2476 rbio = SSL_get_rbio(ssl);
2477 wbio = SSL_get_wbio(ssl);
2478 if (rbio) {
2479 set_bio_callback(rbio, ssl);
2480 }
2481 if (wbio && wbio != rbio) {
2482 set_bio_callback(wbio, ssl);
2483 }
2484}
n
int n
Definition ap_regex.h:278
match
int int const char ** match
Definition ap_regex.h:279
len
const char apr_size_t len
Definition ap_regex.h:187
APR_STRINGIFY
#define APR_STRINGIFY(n)
Definition ap_release.h:62
TRUE
#define TRUE
Definition abts.h:38
FALSE
#define FALSE
Definition abts.h:35
apr_date.h
APR-UTIL date routines.
d
apr_size_t const unsigned char unsigned int unsigned int d
Definition apr_siphash.h:72
found
return found
Definition core.c:2840
hostname
const char * hostname
Definition http_config.h:1184
r
request_rec * r
Definition http_config.h:1168
AP_BUCKET_IS_EOC
#define AP_BUCKET_IS_EOC(e)
Definition http_connection.h:161
AP_FILTER_ERROR
#define AP_FILTER_ERROR
Definition httpd.h:473
AP_IOBUFSIZE
#define AP_IOBUFSIZE
Definition httpd.h:306
DECLINED
#define DECLINED
Definition httpd.h:457
OK
#define OK
Definition httpd.h:456
ap_xlate_proto_from_ascii
#define ap_xlate_proto_from_ascii(x, y)
Definition util_ebcdic.h:81
ap_remove_input_filter
void ap_remove_input_filter(ap_filter_t *f)
Definition util_filter.c:468
ap_pass_brigade
apr_status_t ap_pass_brigade(ap_filter_t *filter, apr_bucket_brigade *bucket)
Definition util_filter.c:564
ap_add_input_filter
ap_filter_t * ap_add_input_filter(const char *name, void *ctx, request_rec *r, conn_rec *c)
Definition util_filter.c:409
ap_register_output_filter
ap_filter_rec_t * ap_register_output_filter(const char *name, ap_out_filter_func filter_func, ap_init_filter_func filter_init, ap_filter_type ftype)
Definition util_filter.c:257
ap_add_output_filter
ap_filter_t * ap_add_output_filter(const char *name, void *ctx, request_rec *r, conn_rec *c)
Definition util_filter.c:427
ap_register_input_filter
apr_status_t ap_filter_rec_t * ap_register_input_filter(const char *name, ap_in_filter_func filter_func, ap_init_filter_func filter_init, ap_filter_type ftype)
Definition util_filter.c:246
ap_get_brigade
apr_status_t ap_get_brigade(ap_filter_t *filter, apr_bucket_brigade *bucket, ap_input_mode_t mode, apr_read_type_e block, apr_off_t readbytes)
Definition util_filter.c:546
AP_FTYPE_CONNECTION
@ AP_FTYPE_CONNECTION
Definition util_filter.h:180
AP_FTYPE_PROTOCOL
@ AP_FTYPE_PROTOCOL
Definition util_filter.h:168
APLOGNO
#define APLOGNO(n)
Definition http_log.h:117
APLOG_TRACE4
#define APLOG_TRACE4
Definition http_log.h:75
APLOG_INFO
#define APLOG_INFO
Definition http_log.h:70
ap_log_rerror
#define ap_log_rerror
Definition http_log.h:454
APLOG_ERR
#define APLOG_ERR
Definition http_log.h:67
APLOG_TRACE3
#define APLOG_TRACE3
Definition http_log.h:74
ap_log_cerror
#define ap_log_cerror
Definition http_log.h:498
APLOG_MARK
#define APLOG_MARK
Definition http_log.h:283
APLOG_WARNING
#define APLOG_WARNING
Definition http_log.h:68
APLOG_TRACE7
#define APLOG_TRACE7
Definition http_log.h:78
APLOG_TRACE1
#define APLOG_TRACE1
Definition http_log.h:72
APLOG_TRACE6
#define APLOG_TRACE6
Definition http_log.h:77
ap_log_cserror
#define ap_log_cserror
Definition http_log.h:546
APLOG_DEBUG
#define APLOG_DEBUG
Definition http_log.h:71
APLOG_CS_IS_LEVEL
#define APLOG_CS_IS_LEVEL(c, s, level)
Definition http_log.h:227
buf
const unsigned char * buf
Definition util_md5.h:50
ap_map_http_request_error
int ap_map_http_request_error(apr_status_t rv, int status)
Definition http_filters.c:1580
arg
void const char * arg
Definition http_vhost.h:63
CRLF
#define CRLF
Definition httpd.h:724
APR_EAGAIN
#define APR_EAGAIN
Definition apr_errno.h:730
APR_EGENERAL
#define APR_EGENERAL
Definition apr_errno.h:313
APR_ECONNRESET
#define APR_ECONNRESET
Definition apr_errno.h:776
APR_EOF
#define APR_EOF
Definition apr_errno.h:461
APR_INCOMPLETE
#define APR_INCOMPLETE
Definition apr_errno.h:452
APR_ENOTIMPL
#define APR_ENOTIMPL
Definition apr_errno.h:476
APR_ECONNABORTED
#define APR_ECONNABORTED
Definition apr_errno.h:769
count
unsigned int count
Definition apr_md5.h:152
APR_STATUS_IS_EINTR
#define APR_STATUS_IS_EINTR(s)
Definition apr_errno.h:1281
APR_STATUS_IS_TIMEUP
#define APR_STATUS_IS_TIMEUP(s)
Definition apr_errno.h:534
APR_STATUS_IS_EAGAIN
#define APR_STATUS_IS_EAGAIN(s)
Definition apr_errno.h:1272
APR_STATUS_IS_EOF
#define APR_STATUS_IS_EOF(s)
Definition apr_errno.h:567
f
apr_file_t * f
Definition apr_buckets.h:927
APR_BUCKET_REMOVE
#define APR_BUCKET_REMOVE(e)
Definition apr_buckets.h:434
APR_BRIGADE_LAST
#define APR_BRIGADE_LAST(b)
Definition apr_buckets.h:351
APR_BUCKET_IS_METADATA
#define APR_BUCKET_IS_METADATA(e)
Definition apr_buckets.h:448
APR_BRIGADE_INSERT_TAIL
#define APR_BRIGADE_INSERT_TAIL(b, e)
Definition apr_buckets.h:369
apr_bucket_split
#define apr_bucket_split(e, point)
Definition apr_buckets.h:1109
start
apr_file_t apr_off_t start
Definition apr_buckets.h:928
APR_BRIGADE_INSERT_HEAD
#define APR_BRIGADE_INSERT_HEAD(b, e)
Definition apr_buckets.h:358
APR_BUCKET_NEXT
#define APR_BUCKET_NEXT(e)
Definition apr_buckets.h:422
apr_read_type_e
apr_read_type_e
Definition apr_buckets.h:57
e
apr_bucket * e
Definition apr_buckets.h:699
APR_BRIGADE_CONCAT
#define APR_BRIGADE_CONCAT(a, b)
Definition apr_buckets.h:380
APR_BRIGADE_EMPTY
#define APR_BRIGADE_EMPTY(b)
Definition apr_buckets.h:338
APR_BRIGADE_SENTINEL
#define APR_BRIGADE_SENTINEL(b)
Definition apr_buckets.h:331
apr_bucket_delete
#define apr_bucket_delete(e)
Definition apr_buckets.h:1016
APR_BUCKET_IS_EOS
#define APR_BUCKET_IS_EOS(e)
Definition apr_buckets.h:461
ctx
apr_brigade_flush void * ctx
Definition apr_buckets.h:802
apr_bucket_setaside
#define apr_bucket_setaside(e, p)
Definition apr_buckets.h:1097
APR_BRIGADE_FIRST
#define APR_BRIGADE_FIRST(b)
Definition apr_buckets.h:345
APR_BRIGADE_CHECK_CONSISTENCY
#define APR_BRIGADE_CHECK_CONSISTENCY(b)
Definition apr_buckets.h:304
apr_bucket_read
#define apr_bucket_read(e, str, len, block)
Definition apr_buckets.h:1089
length
int apr_off_t * length
Definition apr_buckets.h:742
APR_BUCKET_PREV
#define APR_BUCKET_PREV(e)
Definition apr_buckets.h:428
APR_BLOCK_READ
@ APR_BLOCK_READ
Definition apr_buckets.h:58
APR_NONBLOCK_READ
@ APR_NONBLOCK_READ
Definition apr_buckets.h:59
error
apr_pool_t const char apr_dbd_t const char ** error
Definition apr_dbd.h:143
res
apr_pool_t apr_dbd_t apr_dbd_results_t ** res
Definition apr_dbd.h:287
mode
apr_dbd_transaction_t int mode
Definition apr_dbd.h:261
slen
const char apr_ssize_t slen
Definition apr_encode.h:168
server
apr_memcache_server_t * server
Definition apr_memcache.h:173
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL
#define APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ns, link, ret, name, args_decl, args_use, ok, decline)
Definition apr_optional_hooks.h:90
rc
apr_redis_t * rc
Definition apr_redis.h:173
HTTP_INTERNAL_SERVER_ERROR
#define HTTP_INTERNAL_SERVER_ERROR
Definition httpd.h:535
HTTP_REQUEST_ENTITY_TOO_LARGE
#define HTTP_REQUEST_ENTITY_TOO_LARGE
Definition httpd.h:521
BIO_get_data
#define BIO_get_data(x)
Definition ssl_private.h:264
SSLLOG_MARK
#define SSLLOG_MARK
Definition ssl_private.h:1156
mySrvFromConn
#define mySrvFromConn(c)
Definition ssl_private.h:365
modssl_set_io_callbacks
void modssl_set_io_callbacks(SSL *ssl, conn_rec *c, server_rec *s)
Definition ssl_engine_io.c:2469
mySrvConfig
#define mySrvConfig(srv)
Definition ssl_private.h:358
ssl_verify_error_is_optional
#define ssl_verify_error_is_optional(errnum)
Definition ssl_private.h:466
ssl_util_vhostid
char * ssl_util_vhostid(apr_pool_t *, server_rec *)
Definition ssl_util.c:42
X509_get_notAfter
#define X509_get_notAfter
Definition ssl_private.h:290
ssl_var_lookup
char * ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var)
Definition mod_nw_ssl.c:956
ssl_io_filter_register
void ssl_io_filter_register(apr_pool_t *p)
Definition ssl_engine_io.c:2293
myConnConfig
#define myConnConfig(c)
Definition ssl_private.h:354
BIO_set_data
#define BIO_set_data(x, v)
Definition ssl_private.h:265
ssl_log_ssl_error
void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
Definition ssl_engine_log.c:94
X509_get_notBefore
#define X509_get_notBefore
Definition ssl_private.h:287
ssl_io_filter_init
void ssl_io_filter_init(conn_rec *c, request_rec *r, SSL *ssl)
Definition ssl_engine_io.c:2253
BIO_set_shutdown
#define BIO_set_shutdown(x, v)
Definition ssl_private.h:267
BIO_get_shutdown
#define BIO_get_shutdown(x)
Definition ssl_private.h:266
BIO_set_init
#define BIO_set_init(x, v)
Definition ssl_private.h:263
BOOL
#define BOOL
Definition ssl_private.h:81
ssl_io_buffer_fill
int ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen)
Definition ssl_engine_io.c:2023
SSL_PROTOCOL_SSLV3
#define SSL_PROTOCOL_SSLV3
Definition ssl_private.h:420
RENEG_ABORT
@ RENEG_ABORT
Definition ssl_private.h:567
SSL_CVERIFY_OPTIONAL_NO_CA
@ SSL_CVERIFY_OPTIONAL_NO_CA
Definition ssl_private.h:460
SSL_CVERIFY_REQUIRE
@ SSL_CVERIFY_REQUIRE
Definition ssl_private.h:459
SSL_SHUTDOWN_TYPE_UNCLEAN
@ SSL_SHUTDOWN_TYPE_UNCLEAN
Definition ssl_private.h:582
SSL_SHUTDOWN_TYPE_ACCURATE
@ SSL_SHUTDOWN_TYPE_ACCURATE
Definition ssl_private.h:583
MODSSL_LIBRARY_NAME
#define MODSSL_LIBRARY_NAME
Definition ssl_util_ssl.h:42
modssl_smart_shutdown
int modssl_smart_shutdown(SSL *ssl)
Definition ssl_util_ssl.c:119
ssl_run_proxy_post_handshake
int ssl_run_proxy_post_handshake(conn_rec *c, SSL *ssl)
Definition ssl_engine_io.c:36
ap_strchr_c
#define ap_strchr_c(s, c)
Definition httpd.h:2353
AP_DEBUG_ASSERT
#define AP_DEBUG_ASSERT(exp)
Definition httpd.h:2283
AP_CONN_CLOSE
@ AP_CONN_CLOSE
Definition httpd.h:1145
CONN_SENSE_WANT_READ
@ CONN_SENSE_WANT_READ
Definition httpd.h:1273
size
apr_size_t size
Definition apr_allocator.h:115
value
const char * value
Definition apr_env.h:51
APR_SUCCESS
#define APR_SUCCESS
Definition apr_errno.h:225
apr_status_t
int apr_status_t
Definition apr_errno.h:44
offset
apr_seek_where_t apr_off_t * offset
Definition apr_file_io.h:689
data
void * data
Definition apr_file_io.h:832
type
int type
Definition apr_file_io.h:798
buffer
char * buffer
Definition apr_file_io.h:667
wanted
const char apr_int32_t wanted
Definition apr_file_info.h:230
memchr
void * memchr(const void *s, int c, size_t n)
Definition apr_strings.c:216
strcasecmp
int strcasecmp(const char *a, const char *b)
Definition apr_cpystrn.c:248
APR_ASCII_LF
#define APR_ASCII_LF
Definition apr_general.h:63
memmove
#define memmove(a, b, c)
Definition apr_general.h:163
c
apr_vformatter_buff_t * c
Definition apr_lib.h:175
buflen
apr_size_t buflen
Definition apr_network_io.h:778
num
apr_interval_time_t apr_int32_t * num
Definition apr_poll.h:273
b
apr_pool_t * b
Definition apr_pools.h:529
apr_pcalloc
#define apr_pcalloc(p, size)
Definition apr_pools.h:465
bytes
const void apr_size_t bytes
Definition apr_random.h:91
APR_RING_UNSPLICE
#define APR_RING_UNSPLICE(ep1, epN, link)
Definition apr_ring.h:368
APR_RING_SPLICE_HEAD
#define APR_RING_SPLICE_HEAD(hp, ep1, epN, elem, link)
Definition apr_ring.h:286
last
const char char ** last
Definition apr_strings.h:247
s
const char * s
Definition apr_strings.h:95
APR_ARRAY_PUSH
#define APR_ARRAY_PUSH(ary, type)
Definition apr_tables.h:150
APR_ARRAY_IDX
#define APR_ARRAY_IDX(ary, i, type)
Definition apr_tables.h:141
in
apr_int32_t in
Definition apr_thread_proc.h:417
cmd
apr_cmdtype_e cmd
Definition apr_thread_proc.h:495
reason
int reason
Definition apr_thread_proc.h:759
status
int int status
Definition apr_thread_proc.h:760
p
apr_pool_t * p
Definition md_event.c:32
send_eos
static apr_status_t send_eos(ap_filter_t *f)
Definition mod_charset_lite.c:387
out
static apr_file_t * out
Definition mod_info.c:85
NULL
return NULL
Definition mod_so.c:359
i
int i
Definition mod_so.c:347
ssl_io_filter_buffer
static apr_status_t ssl_io_filter_buffer(ap_filter_t *f, apr_bucket_brigade *bb, ap_input_mode_t mode, apr_read_type_e block, apr_off_t bytes)
Definition ssl_engine_io.c:2127
bio_filter_in_write
static int bio_filter_in_write(BIO *bio, const char *in, int inl)
Definition ssl_engine_io.c:549
MODSSL_IO_DUMP_MAX
#define MODSSL_IO_DUMP_MAX
Definition ssl_engine_io.c:2371
bio_filter_out_pass
static int bio_filter_out_pass(bio_filter_out_ctx_t *outctx)
Definition ssl_engine_io.c:134
ssl_io_filter_input
static apr_status_t ssl_io_filter_input(ap_filter_t *f, apr_bucket_brigade *bb, ap_input_mode_t mode, apr_read_type_e block, apr_off_t readbytes)
Definition ssl_engine_io.c:1569
MODSSL_ERROR_BAD_GATEWAY
#define MODSSL_ERROR_BAD_GATEWAY
Definition ssl_engine_io.c:990
ssl_io_filter_coalesce
static apr_status_t ssl_io_filter_coalesce(ap_filter_t *f, apr_bucket_brigade *bb)
Definition ssl_engine_io.c:1728
ssl_io_filter_output
static apr_status_t ssl_io_filter_output(ap_filter_t *f, apr_bucket_brigade *bb)
Definition ssl_engine_io.c:1930
DUMP_WIDTH
#define DUMP_WIDTH
Definition ssl_engine_io.c:2310
HTTP_ON_HTTPS_PORT_BUCKET
#define HTTP_ON_HTTPS_PORT_BUCKET(alloc)
Definition ssl_engine_io.c:979
bio_filter_out_write
static int bio_filter_out_write(BIO *bio, const char *in, int inl)
Definition ssl_engine_io.c:203
bio_filter_out_puts
static int bio_filter_out_puts(BIO *bio, const char *str)
Definition ssl_engine_io.c:308
bio_filter_in_method
static BIO_METHOD bio_filter_in_method
Definition ssl_engine_io.c:608
ssl_io_filter_cleanup
static apr_status_t ssl_io_filter_cleanup(void *data)
Definition ssl_engine_io.c:1172
ssl_io_filter
static const char ssl_io_filter[]
Definition ssl_engine_io.c:1050
char_buffer_write
static int char_buffer_write(char_buffer_t *buffer, char *in, int inl)
Definition ssl_engine_io.c:371
brigade_consume
static apr_status_t brigade_consume(apr_bucket_brigade *bb, apr_read_type_e block, char *c, apr_size_t *len)
Definition ssl_engine_io.c:381
ssl_io_input_getline
static apr_status_t ssl_io_input_getline(bio_filter_in_ctx_t *inctx, char *buf, apr_size_t *len)
Definition ssl_engine_io.c:826
ssl_io_filter_disable
static void ssl_io_filter_disable(SSLConnRec *sslconn, bio_filter_in_ctx_t *inctx)
Definition ssl_engine_io.c:992
bio_filter_destroy
static int bio_filter_destroy(BIO *bio)
Definition ssl_engine_io.c:181
ssl_filter_write
static apr_status_t ssl_filter_write(ap_filter_t *f, const char *data, apr_size_t len)
Definition ssl_engine_io.c:881
bio_filter_out_read
static int bio_filter_out_read(BIO *bio, char *out, int outl)
Definition ssl_engine_io.c:193
bio_filter_out_ctx_new
static bio_filter_out_ctx_t * bio_filter_out_ctx_new(ssl_filter_ctx_t *filter_ctx, conn_rec *c)
Definition ssl_engine_io.c:120
ssl_io_input_add_filter
static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c, request_rec *r, SSL *ssl)
Definition ssl_engine_io.c:2222
bio_filter_create
static int bio_filter_create(BIO *bio)
Definition ssl_engine_io.c:165
char_buffer_read
static int char_buffer_read(char_buffer_t *buffer, char *in, int inl)
Definition ssl_engine_io.c:348
modssl_io_cb
static long modssl_io_cb(BIO *bio, int cmd, const char *argp, int argi, long argl, long rc)
Definition ssl_engine_io.c:2378
bio_filter_in_ctrl
static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
Definition ssl_engine_io.c:576
ssl_filter_io_shutdown
static void ssl_filter_io_shutdown(ssl_filter_ctx_t *filter_ctx, conn_rec *c, int abortive)
Definition ssl_engine_io.c:1059
bio_filter_out_method
static BIO_METHOD bio_filter_out_method
Definition ssl_engine_io.c:595
ssl_io_coalesce
static const char ssl_io_coalesce[]
Definition ssl_engine_io.c:1052
ssl_io_data_dump
static void ssl_io_data_dump(conn_rec *c, server_rec *s, const char *b, int len)
Definition ssl_engine_io.c:2312
set_bio_callback
static APR_INLINE void set_bio_callback(BIO *bio, void *arg)
Definition ssl_engine_io.c:2459
MODSSL_ERROR_HTTP_ON_HTTPS
#define MODSSL_ERROR_HTTP_ON_HTTPS
Definition ssl_engine_io.c:986
COALESCE_BYTES
#define COALESCE_BYTES
Definition ssl_engine_io.c:1721
ssl_io_input_read
static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx, char *buf, apr_size_t *len)
Definition ssl_engine_io.c:654
bio_filter_in_puts
static int bio_filter_in_puts(BIO *bio, const char *str)
Definition ssl_engine_io.c:558
ssl_io_filter_handshake
static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
Definition ssl_engine_io.c:1197
ssl_io_buffer
static const char ssl_io_buffer[]
Definition ssl_engine_io.c:1051
bio_filter_in_gets
static int bio_filter_in_gets(BIO *bio, char *buf, int size)
Definition ssl_engine_io.c:567
bio_filter_out_ctrl
static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
Definition ssl_engine_io.c:254
bio_filter_out_gets
static int bio_filter_out_gets(BIO *bio, char *buf, int size)
Definition ssl_engine_io.c:298
bio_filter_out_flush
static int bio_filter_out_flush(BIO *bio)
Definition ssl_engine_io.c:149
ssl_io_filter_error
static apr_status_t ssl_io_filter_error(bio_filter_in_ctx_t *inctx, apr_bucket_brigade *bb, apr_status_t status, int is_init)
Definition ssl_engine_io.c:1001
bio_filter_in_read
static int bio_filter_in_read(BIO *bio, char *in, int inlen)
Definition ssl_engine_io.c:464
ssl_private.h
Internal interfaces private to mod_ssl.
modssl_X509_match_name
unsigned int modssl_X509_match_name(apr_pool_t *p, X509 *x509, const char *name, unsigned int allow_wildcard, server_rec *s)
Definition ssl_util_ssl.c:390
SSLDirConfigRec::proxy
modssl_ctx_t * proxy
Definition ssl_private.h:863
SSLSrvConfigRec::server
modssl_ctx_t * server
Definition ssl_private.h:836
ap_filter_rec_t::ftype
ap_filter_type ftype
Definition util_filter.h:243
ap_filter_t
The representation of a filter chain.
Definition util_filter.h:259
ap_filter_t::frec
ap_filter_rec_t * frec
Definition util_filter.h:263
apr_array_header_t
Definition apr_tables.h:62
apr_bucket_brigade
Definition apr_buckets.h:258
apr_bucket_brigade::bucket_alloc
apr_bucket_alloc_t * bucket_alloc
Definition apr_buckets.h:275
apr_bucket_brigade::list
struct apr_bucket_brigade::apr_bucket_list list
apr_bucket_type_t::name
const char * name
Definition apr_buckets.h:135
apr_bucket
Definition apr_buckets.h:224
apr_bucket::length
apr_size_t length
Definition apr_buckets.h:234
apr_bucket::type
const apr_bucket_type_t * type
Definition apr_buckets.h:228
apr_file_t::buffer
char * buffer
Definition apr_arch_file_io.h:113
apr_file_t::pool
apr_pool_t * pool
Definition apr_arch_file_io.h:98
apr_ipsubnet_t
Definition sockaddr.c:39
apr_pool_t
Definition apr_pools.c:562
bio_filter_in_ctx_t
Definition ssl_engine_io.c:323
bio_filter_in_ctx_t::ssl
SSL * ssl
Definition ssl_engine_io.c:324
bio_filter_in_ctx_t::f
ap_filter_t * f
Definition ssl_engine_io.c:326
bio_filter_in_ctx_t::bio_out
BIO * bio_out
Definition ssl_engine_io.c:325
bio_filter_in_ctx_t::pool
apr_pool_t * pool
Definition ssl_engine_io.c:332
bio_filter_in_ctx_t::block
apr_read_type_e block
Definition ssl_engine_io.c:329
bio_filter_in_ctx_t::mode
ap_input_mode_t mode
Definition ssl_engine_io.c:328
bio_filter_in_ctx_t::bb
apr_bucket_brigade * bb
Definition ssl_engine_io.c:330
bio_filter_in_ctx_t::rc
apr_status_t rc
Definition ssl_engine_io.c:327
bio_filter_in_ctx_t::cbuf
char_buffer_t cbuf
Definition ssl_engine_io.c:331
bio_filter_in_ctx_t::filter_ctx
ssl_filter_ctx_t * filter_ctx
Definition ssl_engine_io.c:334
bio_filter_out_ctx_t
Definition ssl_engine_io.c:113
bio_filter_out_ctx_t::bb
apr_bucket_brigade * bb
Definition ssl_engine_io.c:116
bio_filter_out_ctx_t::rc
apr_status_t rc
Definition ssl_engine_io.c:117
bio_filter_out_ctx_t::filter_ctx
ssl_filter_ctx_t * filter_ctx
Definition ssl_engine_io.c:114
bio_filter_out_ctx_t::c
conn_rec * c
Definition ssl_engine_io.c:115
char_buffer_t
Definition ssl_engine_io.c:318
char_buffer_t::length
int length
Definition ssl_engine_io.c:319
char_buffer_t::value
char * value
Definition ssl_engine_io.c:320
coalesce_ctx
Definition ssl_engine_io.c:1723
coalesce_ctx::bytes
apr_size_t bytes
Definition ssl_engine_io.c:1725
coalesce_ctx::buffer
char buffer[(8192)]
Definition ssl_engine_io.c:1724
conn_rec
Structure to store things which are per connection.
Definition httpd.h:1152
modssl_auth_ctx_t::verify_mode
ssl_verify_t verify_mode
Definition ssl_private.h:727
modssl_buffer_ctx
Definition ssl_engine_io.c:2019
modssl_buffer_ctx::bb
apr_bucket_brigade * bb
Definition ssl_engine_io.c:2020
modssl_ctx_t::protocol
ssl_proto_t protocol
Definition ssl_private.h:767
modssl_ctx_t::auth
modssl_auth_ctx_t auth
Definition ssl_private.h:800
modssl_ctx_t::ssl_check_peer_cn
unsigned int ssl_check_peer_cn
Definition ssl_private.h:823
modssl_ctx_t::ssl_check_peer_expire
unsigned int ssl_check_peer_expire
Definition ssl_private.h:825
modssl_ctx_t::ssl_check_peer_name
unsigned int ssl_check_peer_name
Definition ssl_private.h:824
request_rec
A structure that represents the current request.
Definition httpd.h:845
request_rec::proto_input_filters
struct ap_filter_t * proto_input_filters
Definition httpd.h:1079
request_rec::pool
apr_pool_t * pool
Definition httpd.h:847
request_rec::connection
conn_rec * connection
Definition httpd.h:849
server_rec
A structure to store information for each virtual server.
Definition httpd.h:1322
ssl_filter_ctx_t
Definition ssl_engine_io.c:104
ssl_filter_ctx_t::config
SSLConnRec * config
Definition ssl_engine_io.c:110
ssl_filter_ctx_t::pbioWrite
BIO * pbioWrite
Definition ssl_engine_io.c:107
ssl_filter_ctx_t::pssl
SSL * pssl
Definition ssl_engine_io.c:105
ssl_filter_ctx_t::pInputFilter
ap_filter_t * pInputFilter
Definition ssl_engine_io.c:108
ssl_filter_ctx_t::pbioRead
BIO * pbioRead
Definition ssl_engine_io.c:106
ssl_filter_ctx_t::pOutputFilter
ap_filter_t * pOutputFilter
Definition ssl_engine_io.c:109
str
#define str
Definition util_expr_scan.c:617
ap_input_mode_t
ap_input_mode_t
input filtering modes
Definition util_filter.h:41
AP_MODE_SPECULATIVE
@ AP_MODE_SPECULATIVE
Definition util_filter.h:53
AP_MODE_READBYTES
@ AP_MODE_READBYTES
Definition util_filter.h:43
AP_MODE_INIT
@ AP_MODE_INIT
Definition util_filter.h:62
AP_MODE_GETLINE
@ AP_MODE_GETLINE
Definition util_filter.h:48
Generated by doxygen 1.9.8