author | Brad Smith <brad@cvs.openbsd.org> | 2001-04-13 18:12:01 +0000 |
---|---|---|
committer | Brad Smith <brad@cvs.openbsd.org> | 2001-04-13 18:12:01 +0000 |
commit | e8088518aa6795fb6ef3734b149d0f96987c9bac (patch) | |
tree | 464d29d77ce97bae578120c8f940c60857f0e478 | |
parent | 176cd6a2a5ea9b6a4efabf0893ae3b156904c713 (diff) |
merge mod_ssl 2.8.2
--
Ok'd by: beck@
-rw-r--r-- | usr.sbin/httpd/src/CHANGES.SSL | 44 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/Makefile.win32 | 2 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/libssl.module | 4 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/libssl.version | 2 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/mod_ssl.h | 14 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c | 2 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c | 49 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c | 10 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c | 38 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/ssl_scache.c | 14 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/ssl_scache_shmcb.c | 4 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c | 3 |
12 files changed, 119 insertions, 67 deletions
diff --git a/usr.sbin/httpd/src/CHANGES.SSL b/usr.sbin/httpd/src/CHANGES.SSL
index 41e5912792e..f58bcb6f345 100644
--- a/usr.sbin/httpd/src/CHANGES.SSL
+++ b/usr.sbin/httpd/src/CHANGES.SSL
@@ -23,6 +23,50 @@ / __/ | (_) | __ |_____(_)___/ ___________________________________________ + Changes with mod_ssl 2.8.2 (03-Mar-2001 to 30-Mar-2001) + + *) Moved the Shared Memory Cyclic Buffer (SHMCB) session cache + variant from "experimental" state to "production" by removing the + `#ifdef SSL_EXPERIMENTAL_SHMCB ...#endif' wrappers. This means + that now `SSLSessionCache shmcb:...' is unconditionally available. + + *) Modified (only) Win32's specific function SSL_recvwithtimeout() + to use the same retry logic as SSL_writewithtimeout(). This + fixes some problems with MSIE 5.x clients. + + *) Made the mutex handling more robust by retrying the + semaphore-based operations in interrupt situations + (errno == EINTR). + + *) Also log the OpenSSL error message if the RSA temporary + key(s) cannot be generated. + + *) Mention in INSTALL document that building OpenSSL with + `no-threads' increased performance without negative side-effects + because Apache 1.3 is never multi-threaded. + + *) Fixed mod_ssl Auth handler: it now returns DECLINED instead of + OK if authentication is passed successfully to allow other modules + (usually mod_auth) to still deny the request. + + *) Allow IPC semaphore support also under Tru64 5.x. + + *) Fixed certificate DN handling under EBCDIC platforms. + + *) Try to avoid casting warnings by using "unsigned long" type + instead of "unsigned int" in the EAPI macros AP_CTX_XXXX. + + *) Make sure that the default path /usr/include is never added to + CFLAGS with an explicit -I options to avoid conflicts with vendor + include paths. + + *) Make extra sure the ssl_expr_parse.[ch] and ssl_expr_scan.c + files are not regenerated for regular users by timestamping + them in a little bit more conservative way. + + *) More fixes to configure.bat and Makefile.win32 to + make mod_ssl work again under Win32. + Changes with mod_ssl 2.8.1 (30-Jan-2001 to 03-Mar-2001) *) Conditionally adjusted source to build quietly also under 
diff --git a/usr.sbin/httpd/src/modules/ssl/Makefile.win32 b/usr.sbin/httpd/src/modules/ssl/Makefile.win32 index eed4696d68b..92781c182f9 100644 --- a/usr.sbin/httpd/src/modules/ssl/Makefile.win32 +++ b/usr.sbin/httpd/src/modules/ssl/Makefile.win32 @@ -71,7 +71,7 @@ MOD_SSL_VERS_STR = 0.0.0 CC = cl.exe CFLAGS = /nologo /c /O2 /MD /W3 /GX /DNDEBUG /DWIN32 /D_WINDOWS /DSHARED_MODULE /DEAPI CFLAGS = $(CFLAGS) /DMOD_SSL=$(MOD_SSL_VERS_NUM) /DMOD_SSL_VERSION=\"$(MOD_SSL_VERS_STR)\" -CFLAGS = $(CFLAGS) /I..\..\include /I$(SSL_INC) +CFLAGS = $(CFLAGS) /I..\..\include /I..\..\os\win32 /I$(SSL_INC) LD = link.exe LDFLAGS = /nologo RM = del diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.module b/usr.sbin/httpd/src/modules/ssl/libssl.module index d304d86b7ea..e938d7daf13 100644 --- a/usr.sbin/httpd/src/modules/ssl/libssl.module +++ b/usr.sbin/httpd/src/modules/ssl/libssl.module @@ -396,7 +396,9 @@ ConfigStart exit 1 fi fi - SSL_CFLAGS="$SSL_CFLAGS -I\$(SSL_INCDIR)" + if [ ".$SSL_INCDIR" != "./usr/include" ]; then + SSL_CFLAGS="$SSL_CFLAGS -I\$(SSL_INCDIR)" + fi # # determine location of OpenSSL libraries diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.version b/usr.sbin/httpd/src/modules/ssl/libssl.version index a0f1f6d6372..20b9c387996 100644 --- a/usr.sbin/httpd/src/modules/ssl/libssl.version +++ b/usr.sbin/httpd/src/modules/ssl/libssl.version @@ -1 +1 @@ -mod_ssl/2.8.1-1.3.19 +mod_ssl/2.8.2-1.3.19 diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h index 433e0224f25..8731ef9de48 100644 --- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h +++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h @@ -90,9 +90,6 @@ #define SSL_EXPERIMENTAL_ENGINE #endif #endif -#ifndef SSL_EXPERIMENTAL_SHMCB_IGNORE -#define SSL_EXPERIMENTAL_SHMCB -#endif #endif /* SSL_EXPERIMENTAL */ /* 
@@ -291,7 +288,8 @@ __FreeBSD_version >= 300000) ||\ (defined(LINUX) && defined(__GLIBC__) && defined(__GLIBC_MINOR__) &&\ LINUX >= 2 && __GLIBC__ >= 2 && __GLIBC_MINOR__ >= 1) ||\ - defined(SOLARIS2) || defined(__hpux) + defined(SOLARIS2) || defined(__hpux) ||\ + (defined (__digital__) && defined (__unix__)) #define SSL_CAN_USE_SEM #define SSL_HAVE_IPCSEM #include <sys/types.h> @@ -487,10 +485,8 @@ typedef enum { SSL_SCMODE_UNSET = UNSET, SSL_SCMODE_NONE = 0, SSL_SCMODE_DBM = 1, - SSL_SCMODE_SHMHT = 2 -#ifdef SSL_EXPERIMENTAL_SHMCB - ,SSL_SCMODE_SHMCB = 3 -#endif + SSL_SCMODE_SHMHT = 2, + SSL_SCMODE_SHMCB = 3 } ssl_scmode_t; /* @@ -754,7 +750,6 @@ SSL_SESSION *ssl_scache_shmht_retrieve(server_rec *, UCHAR *, int); void ssl_scache_shmht_remove(server_rec *, UCHAR *, int); void ssl_scache_shmht_expire(server_rec *); void ssl_scache_shmht_status(server_rec *, pool *, void (*)(char *, void *), void *); -#ifdef SSL_EXPERIMENTAL_SHMCB void ssl_scache_shmcb_init(server_rec *, pool *); void ssl_scache_shmcb_kill(server_rec *); BOOL ssl_scache_shmcb_store(server_rec *, UCHAR *, int, time_t, SSL_SESSION *); @@ -762,7 +757,6 @@ SSL_SESSION *ssl_scache_shmcb_retrieve(server_rec *, UCHAR *, int); void ssl_scache_shmcb_remove(server_rec *, UCHAR *, int); void ssl_scache_shmcb_expire(server_rec *); void ssl_scache_shmcb_status(server_rec *, pool *, void (*)(char *, void *), void *); -#endif /* Pass Phrase Support */ void ssl_pphrase_Handle(server_rec *, pool *); diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c index 9ec36261897..f460ac5f805 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c 
@@ -755,7 +755,6 @@ const char *ssl_cmd_SSLSessionCache( "size has to be < %d bytes on this platform", maxsize); } } -#ifdef SSL_EXPERIMENTAL_SHMCB else if (strlen(arg) > 6 && strcEQn(arg, "shmcb:", 6)) { if (!ap_mm_useable()) return "SSLSessionCache: shared memory cache not useable on this platform"; @@ -778,7 +777,6 @@ const char *ssl_cmd_SSLSessionCache( "size has to be < %d bytes on this platform", maxsize); } } -#endif else #ifdef SSL_VENDOR if (!ap_hook_use("ap::mod_ssl::vendor::cmd_sslsessioncache", diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c index ec5eb151990..4ba1574ca88 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c @@ -511,7 +511,7 @@ static int SSL_sendwithtimeout(BUFF *fb, const char *buf, int len) if (rv <= 0) { if (BIO_sock_should_retry(rv)) { do { - retry=0; + retry = 0; FD_ZERO(&fdset); FD_SET((unsigned int)sock, &fdset); tv.tv_usec = 0; @@ -532,7 +532,7 @@ static int SSL_sendwithtimeout(BUFF *fb, const char *buf, int len) "select claimed we could write, " "but in fact we couldn't. " "This is a bug in Windows."); - retry=1; + retry = 1; Sleep(100); } } @@ -554,6 +554,7 @@ static int SSL_recvwithtimeout(BUFF *fb, char *buf, int len) int rv; int sock = fb->fd_in; SSL *ssl; + int retry; ssl = ap_ctx_get(fb->ctx, "ssl"); 
@@ -566,23 +567,37 @@ static int SSL_recvwithtimeout(BUFF *fb, char *buf, int len)
 rv = SSL_read(ssl, buf, len);
 if (rv <= 0) {
 if (BIO_sock_should_retry(rv)) {
- FD_ZERO(&fdset);
- FD_SET((unsigned int)sock, &fdset);
- tv.tv_usec = 0;
- rv = select(FD_SETSIZE, &fdset, NULL, NULL, &tv);
- if (rv == SOCKET_ERROR)
- err = WSAGetLastError();
- else if (rv == 0) {
- ioctlsocket(sock, FIONBIO, &iostate);
- ap_check_alarm();
- WSASetLastError(WSAEWOULDBLOCK);
- return (SOCKET_ERROR);
- }
- else {
- rv = SSL_read(ssl, buf, len);
+ do {
+ retry = 0;
+ FD_ZERO(&fdset);
+ FD_SET((unsigned int)sock, &fdset);
+ tv.tv_usec = 0;
+ rv = select(FD_SETSIZE, &fdset, NULL, NULL, &tv);
 if (rv == SOCKET_ERROR)
 err = WSAGetLastError();
- }
+ else if (rv == 0) {
+ ioctlsocket(sock, FIONBIO, &iostate);
+ ap_check_alarm();
+ WSASetLastError(WSAEWOULDBLOCK);
+ return (SOCKET_ERROR);
+ }
+ else {
+ rv = SSL_read(ssl, buf, len);
+ if (rv == SOCKET_ERROR) {
+ if (BIO_sock_should_retry(rv)) {
+ ap_log_error(APLOG_MARK,APLOG_DEBUG, NULL,
+ "select claimed we could read, "
+ "but in fact we couldn't. "
+ "This is a bug in Windows.");
+ retry = 1;
+ Sleep(100);
+ }
+ else {
+ err = WSAGetLastError();
+ }
+ }
+ }
+ } while(retry);
 }
 }
 ioctlsocket(sock, FIONBIO, &iostate);
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
index 8e711525a66..ca1b3f0a55c 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
@@ -800,7 +800,7 @@ int ssl_hook_Access(request_rec *r)
 if (dc->nVerifyDepth != UNSET) {
 apctx = SSL_get_app_data2(ssl);
 if ((vp = ap_ctx_get(apctx, "ssl::verify::depth")) != NULL)
- n = AP_CTX_PTR2NUM(vp);
+ n = (int)AP_CTX_PTR2NUM(vp);
 else
 n = sc->nVerifyDepth;
 ap_ctx_set(apctx, "ssl::verify::depth",
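Review bot: The new do/while in SSL_recvwithtimeout has no upper bound on the number of retries: each time select() reports the socket readable but SSL_read() still asks for a retry, the loop sleeps 100 ms and then waits another full select() timeout (tv.tv_sec is set outside the hunk), so a single connection can occupy a worker for far longer than the configured timeout. The existing loop in SSL_sendwithtimeout, from which this logic was copied, has the same shape. A small iteration counter next to `retry` that leaves the loop after a fixed number of attempts and reports it the way the `rv == 0` branch reports a timeout would bound the wait; the exact limit is a policy choice for this module. The function starts in the previous hunk and its return path lies beyond this one, so how `err` is consumed after the loop is not visible here.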
@@ -1071,10 +1071,12 @@ int ssl_hook_Access(request_rec *r) } /* - * Else access is granted... - * (except vendor handlers override) + * Else access is granted from our point of view (except vendor + * handlers override). But we have to return DECLINED here instead + * of OK, because mod_auth and other modules still might want to + * deny access. */ - rc = OK; + rc = DECLINED; #ifdef SSL_VENDOR ap_hook_use("ap::mod_ssl::vendor::access_handler", AP_HOOK_SIG2(int,ptr), AP_HOOK_DECLINE(DECLINED), diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c index ee48d78936f..146f9ce4d90 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c @@ -222,15 +222,13 @@ BOOL ssl_mutex_file_acquire(void) lock_it.l_pid = 0; /* pid not actually interesting */ while ( ((rc = fcntl(mc->nMutexFD, F_SETLKW, &lock_it)) < 0) - && (errno == EINTR) ) { - continue; - } + && (errno == EINTR) ) + ; #endif #ifdef SSL_USE_FLOCK while ( ((rc = flock(mc->nMutexFD, LOCK_EX)) < 0) - && (errno == EINTR) ) { - continue; - } + && (errno == EINTR) ) + ; #endif #endif @@ -253,10 +251,14 @@ BOOL ssl_mutex_file_release(void) unlock_it.l_type = F_UNLCK; /* unlock */ unlock_it.l_pid = 0; /* pid not actually interesting */ - rc = fcntl(mc->nMutexFD, F_SETLKW, &unlock_it); + while ( (rc = fcntl(mc->nMutexFD, F_SETLKW, &unlock_it)) < 0 + && (errno == EINTR) ) + ; #endif #ifdef SSL_USE_FLOCK - rc = flock(mc->nMutexFD, LOCK_UN); + while ( (rc = flock(mc->nMutexFD, LOCK_UN)) < 0 + && (errno == EINTR) ) + ; #endif #endif 
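Review bot: The EINTR retry loops in ssl_mutex_file_acquire and ssl_mutex_file_release now end in a bare `;` on a line of its own after a two-line condition; an empty body written that way is easy to misread as a missing statement, and a later edit that appends a line there would silently become the loop body. Writing the body as `{ /* interrupted by a signal, retry */ }` keeps the intent explicit without changing behaviour. The same shape is used in the semop() loops of ssl_mutex_sem_acquire and ssl_mutex_sem_release in the next hunks. Both file-lock functions continue outside the hunk, where `rc` is presumably turned into the BOOL result.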
@@ -354,13 +356,18 @@ BOOL ssl_mutex_sem_acquire(void) { 0, 1, SEM_UNDO } /* increment semaphore */ }; - rc = (semop(mc->nMutexSEMID, sb, 2) == 0); + while ( (rc = semop(mc->nMutexSEMID, sb, 2)) < 0 + && (errno == EINTR) ) + ; #endif #ifdef SSL_HAVE_W32SEM - rc = (ap_acquire_mutex((mutex *)mc->nMutexSEMID) == 0); + rc = ap_acquire_mutex((mutex *)mc->nMutexSEMID); #endif #endif - return rc; + if (rc != 0) + return FALSE; + else + return TRUE; } BOOL ssl_mutex_sem_release(void) @@ -374,12 +381,17 @@ BOOL ssl_mutex_sem_release(void) { 0, -1, SEM_UNDO } /* decrements semaphore */ }; - rc = (semop(mc->nMutexSEMID, sb, 1) == 0); + while ( (rc = semop(mc->nMutexSEMID, sb, 1)) < 0 + && (errno == EINTR) ) + ; #endif #ifdef SSL_HAVE_W32SEM rc = ap_release_mutex((mutex *)mc->nMutexSEMID); #endif #endif - return rc; + if (rc != 0) + return FALSE; + else + return TRUE; } diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_scache.c b/usr.sbin/httpd/src/modules/ssl/ssl_scache.c index 56b1739b530..139c7865fec 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_scache.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_scache.c @@ -79,10 +79,8 @@ void ssl_scache_init(server_rec *s, pool *p) ssl_scache_dbm_init(s, p); else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT) ssl_scache_shmht_init(s, p); -#ifdef SSL_EXPERIMENTAL_SHMCB else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB) ssl_scache_shmcb_init(s, p); -#endif #ifdef SSL_VENDOR else ap_hook_use("ap::mod_ssl::vendor::scache_init", @@ -99,10 +97,8 @@ void ssl_scache_kill(server_rec *s) ssl_scache_dbm_kill(s); else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT) ssl_scache_shmht_kill(s); -#ifdef SSL_EXPERIMENTAL_SHMCB else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB) ssl_scache_shmcb_kill(s); -#endif #ifdef SSL_VENDOR else ap_hook_use("ap::mod_ssl::vendor::scache_kill", 
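Review bot: In ssl_mutex_sem_release the SSL_HAVE_W32SEM branch keeps `rc = ap_release_mutex((mutex *)mc->nMutexSEMID);` unchanged, but the new tail returns FALSE whenever rc != 0; on Win32 ap_release_mutex wraps ReleaseMutex(), which returns non-zero on success, so if that is still its contract in this tree (its implementation is not on the page) a successful release would now be reported as a failure, whereas the old code returned rc as-is. ssl_mutex_sem_acquire is not affected in the same way because the acquire side previously compared against 0 and ap_acquire_mutex returns 0 (WAIT_OBJECT_0) on success. Normalising the Win32 result to the "0 means success" convention the tail now assumes, `rc = (ap_release_mutex((mutex *)mc->nMutexSEMID) != 0) ? 0 : -1;`, would make both branches agree. It is also worth confirming that `rc` has a defined value when neither SSL_HAVE_IPCSEM nor SSL_HAVE_W32SEM is set, since its declaration is outside the hunk.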
@@ -120,10 +116,8 @@ BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SSL_SE rv = ssl_scache_dbm_store(s, id, idlen, expiry, sess); else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT) rv = ssl_scache_shmht_store(s, id, idlen, expiry, sess); -#ifdef SSL_EXPERIMENTAL_SHMCB else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB) rv = ssl_scache_shmcb_store(s, id, idlen, expiry, sess); -#endif #ifdef SSL_VENDOR else ap_hook_use("ap::mod_ssl::vendor::scache_store", @@ -142,10 +136,8 @@ SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen) sess = ssl_scache_dbm_retrieve(s, id, idlen); else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT) sess = ssl_scache_shmht_retrieve(s, id, idlen); -#ifdef SSL_EXPERIMENTAL_SHMCB else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB) sess = ssl_scache_shmcb_retrieve(s, id, idlen); -#endif #ifdef SSL_VENDOR else ap_hook_use("ap::mod_ssl::vendor::scache_retrieve", @@ -163,10 +155,8 @@ void ssl_scache_remove(server_rec *s, UCHAR *id, int idlen) ssl_scache_dbm_remove(s, id, idlen); else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT) ssl_scache_shmht_remove(s, id, idlen); -#ifdef SSL_EXPERIMENTAL_SHMCB else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB) ssl_scache_shmcb_remove(s, id, idlen); -#endif #ifdef SSL_VENDOR else ap_hook_use("ap::mod_ssl::vendor::scache_remove", @@ -183,10 +173,8 @@ void ssl_scache_status(server_rec *s, pool *p, void (*func)(char *, void *), voi ssl_scache_dbm_status(s, p, func, arg); else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT) ssl_scache_shmht_status(s, p, func, arg); -#ifdef SSL_EXPERIMENTAL_SHMCB else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB) ssl_scache_shmcb_status(s, p, func, arg); -#endif #ifdef SSL_VENDOR else ap_hook_use("ap::mod_ssl::vendor::scache_status", 
@@ -204,10 +192,8 @@ void ssl_scache_expire(server_rec *s) ssl_scache_dbm_expire(s); else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT) ssl_scache_shmht_expire(s); -#ifdef SSL_EXPERIMENTAL_SHMCB else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB) ssl_scache_shmcb_expire(s); -#endif #ifdef SSL_VENDOR else ap_hook_use("ap::mod_ssl::vendor::scache_expire", diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmcb.c b/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmcb.c index 82edce1af70..e588f0a5d11 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmcb.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmcb.c @@ -67,8 +67,6 @@ * and as a contribution to Ralf Engelschall's mod_ssl project. */ -#ifdef SSL_EXPERIMENTAL_SHMCB - /* * The shared-memory segment header can be cast to and from the * SHMCBHeader type, all other structures need to be initialised by @@ -1343,5 +1341,3 @@ end: return to_return; } -#endif /* SSL_EXPERIMENTAL_SHMCB */ - diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c index 514a14995a2..19f6bd36292 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c @@ -384,6 +384,9 @@ BOOL SSL_X509_getCN(pool *p, X509 *xs, char **cppCN) *cppCN = ap_palloc(p, xsne->value->length+1); ap_cpystrn(*cppCN, (char *)xsne->value->data, xsne->value->length+1); (*cppCN)[xsne->value->length] = NUL; +#ifdef CHARSET_EBCDIC + ascii2ebcdic(*cppCN, *cppCN, strlen(*cppCN)); +#endif return TRUE; } } |
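Review bot: In SSL_X509_getCN the new ascii2ebcdic() call converts strlen(*cppCN) bytes, so a CN whose DER value contains an embedded NUL is converted only up to that byte; this is consistent with the preceding ap_cpystrn copy, which also stops at the first NUL, but it means strlen(*cppCN) and xsne->value->length can differ and any caller comparing the returned CN against a hostname only ever sees the prefix. Either a comment at the copy, `/* value->data is not NUL-terminated and may contain NUL bytes; the returned C string carries only the prefix up to the first NUL */`, or a check such as `if (strlen(*cppCN) != (size_t)xsne->value->length) return FALSE;` before the return would make that truncation visible rather than silently accepted. The function begins outside the hunk, so the caller-facing contract for a FALSE return should be checked against its header comment.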