|
|
|
@ -240,7 +240,7 @@ typedef struct {
|
|
|
|
|
|
|
|
|
|
static int ssl_is_init; |
|
|
|
|
/* need assigned p->id for deep access of module handler_ctx for connection
|
|
|
|
|
* i.e. handler_ctx *hctx = r->plugin_ctx[plugin_data_singleton->id]; */ |
|
|
|
|
* i.e. handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id]; */ |
|
|
|
|
static plugin_data *plugin_data_singleton; |
|
|
|
|
#define LOCAL_SEND_BUFSIZE (16 * 1024) |
|
|
|
|
static char *local_send_buffer; |
|
|
|
@ -251,10 +251,10 @@ typedef struct {
|
|
|
|
|
connection *con; |
|
|
|
|
short renegotiations; /* count of SSL_CB_HANDSHAKE_START */ |
|
|
|
|
short close_notify; |
|
|
|
|
unsigned short request_env_patched; |
|
|
|
|
unsigned short alpn; |
|
|
|
|
plugin_config conf; |
|
|
|
|
buffer *tmp_buf; |
|
|
|
|
log_error_st *errh; |
|
|
|
|
} handler_ctx; |
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -3518,8 +3518,9 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static int |
|
|
|
|
load_next_chunk (request_st * const r, chunkqueue * const cq, off_t max_bytes, |
|
|
|
|
const char ** const data, size_t * const data_len) |
|
|
|
|
load_next_chunk (chunkqueue * const cq, off_t max_bytes, |
|
|
|
|
const char ** const data, size_t * const data_len, |
|
|
|
|
log_error_st * const errh) |
|
|
|
|
{ |
|
|
|
|
chunk *c = cq->first; |
|
|
|
|
|
|
|
|
@ -3576,7 +3577,7 @@ load_next_chunk (request_st * const r, chunkqueue * const cq, off_t max_bytes,
|
|
|
|
|
return 0; |
|
|
|
|
|
|
|
|
|
case FILE_CHUNK: |
|
|
|
|
if (0 != chunkqueue_open_file_chunk(cq, r->conf.errh)) return -1; |
|
|
|
|
if (0 != chunkqueue_open_file_chunk(cq, errh)) return -1; |
|
|
|
|
|
|
|
|
|
{ |
|
|
|
|
off_t offset, toSend; |
|
|
|
@ -3589,11 +3590,11 @@ load_next_chunk (request_st * const r, chunkqueue * const cq, off_t max_bytes,
|
|
|
|
|
if (toSend > max_bytes) toSend = max_bytes; |
|
|
|
|
|
|
|
|
|
if (-1 == lseek(c->file.fd, offset, SEEK_SET)) { |
|
|
|
|
log_perror(r->conf.errh, __FILE__, __LINE__, "lseek"); |
|
|
|
|
log_perror(errh, __FILE__, __LINE__, "lseek"); |
|
|
|
|
return -1; |
|
|
|
|
} |
|
|
|
|
if (-1 == (toSend = read(c->file.fd, local_send_buffer, toSend))) { |
|
|
|
|
log_perror(r->conf.errh, __FILE__, __LINE__, "read"); |
|
|
|
|
log_perror(errh, __FILE__, __LINE__, "read"); |
|
|
|
|
return -1; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
@ -3614,9 +3615,9 @@ mod_openssl_close_notify(handler_ctx *hctx);
|
|
|
|
|
static int |
|
|
|
|
connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes) |
|
|
|
|
{ |
|
|
|
|
request_st * const r = &con->request; |
|
|
|
|
handler_ctx *hctx = r->plugin_ctx[plugin_data_singleton->id]; |
|
|
|
|
handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id]; |
|
|
|
|
SSL *ssl = hctx->ssl; |
|
|
|
|
log_error_st * const errh = hctx->errh; |
|
|
|
|
|
|
|
|
|
if (0 != hctx->close_notify) return mod_openssl_close_notify(hctx); |
|
|
|
|
|
|
|
|
@ -3627,7 +3628,7 @@ connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
|
|
|
|
|
size_t data_len; |
|
|
|
|
int wr; |
|
|
|
|
|
|
|
|
|
if (0 != load_next_chunk(r, cq, max_bytes, &data, &data_len)) return -1; |
|
|
|
|
if (0 != load_next_chunk(cq,max_bytes,&data,&data_len,errh)) return -1; |
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* SSL_write man-page |
|
|
|
@ -3643,7 +3644,7 @@ connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
|
|
|
|
|
|
|
|
|
|
if (hctx->renegotiations > 1 |
|
|
|
|
&& hctx->conf.ssl_disable_client_renegotiation) { |
|
|
|
|
log_error(r->conf.errh, __FILE__, __LINE__, |
|
|
|
|
log_error(errh, __FILE__, __LINE__, |
|
|
|
|
"SSL: renegotiation initiated by client, killing connection"); |
|
|
|
|
return -1; |
|
|
|
|
} |
|
|
|
@ -3663,7 +3664,7 @@ connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
|
|
|
|
|
/* perhaps we have error waiting in our error-queue */ |
|
|
|
|
if (0 != (err = ERR_get_error())) { |
|
|
|
|
do { |
|
|
|
|
log_error(r->conf.errh, __FILE__, __LINE__, |
|
|
|
|
log_error(errh, __FILE__, __LINE__, |
|
|
|
|
"SSL: %d %d %s",ssl_r,wr,ERR_error_string(err,NULL)); |
|
|
|
|
} while((err = ERR_get_error())); |
|
|
|
|
} else if (wr == -1) { |
|
|
|
@ -3673,13 +3674,13 @@ connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
|
|
|
|
|
case ECONNRESET: |
|
|
|
|
return -2; |
|
|
|
|
default: |
|
|
|
|
log_perror(r->conf.errh, __FILE__, __LINE__, |
|
|
|
|
log_perror(errh, __FILE__, __LINE__, |
|
|
|
|
"SSL: %d %d", ssl_r, wr); |
|
|
|
|
break; |
|
|
|
|
} |
|
|
|
|
} else { |
|
|
|
|
/* neither error-queue nor errno ? */ |
|
|
|
|
log_perror(r->conf.errh, __FILE__, __LINE__, |
|
|
|
|
log_perror(errh, __FILE__, __LINE__, |
|
|
|
|
"SSL (error): %d %d", ssl_r, wr); |
|
|
|
|
} |
|
|
|
|
break; |
|
|
|
@ -3692,7 +3693,7 @@ connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
|
|
|
|
|
/* fall through */ |
|
|
|
|
default: |
|
|
|
|
while((err = ERR_get_error())) { |
|
|
|
|
log_error(r->conf.errh, __FILE__, __LINE__, |
|
|
|
|
log_error(errh, __FILE__, __LINE__, |
|
|
|
|
"SSL: %d %d %s", ssl_r, wr, ERR_error_string(err, NULL)); |
|
|
|
|
} |
|
|
|
|
break; |
|
|
|
@ -3713,8 +3714,7 @@ connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
|
|
|
|
|
static int |
|
|
|
|
connection_read_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes) |
|
|
|
|
{ |
|
|
|
|
request_st * const r = &con->request; |
|
|
|
|
handler_ctx *hctx = r->plugin_ctx[plugin_data_singleton->id]; |
|
|
|
|
handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id]; |
|
|
|
|
int len; |
|
|
|
|
char *mem = NULL; |
|
|
|
|
size_t mem_len = 0; |
|
|
|
@ -3740,7 +3740,7 @@ connection_read_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
|
|
|
|
|
|
|
|
|
|
if (hctx->renegotiations > 1 |
|
|
|
|
&& hctx->conf.ssl_disable_client_renegotiation) { |
|
|
|
|
log_error(r->conf.errh, __FILE__, __LINE__, |
|
|
|
|
log_error(hctx->errh, __FILE__, __LINE__, |
|
|
|
|
"SSL: renegotiation initiated by client, killing connection"); |
|
|
|
|
return -1; |
|
|
|
|
} |
|
|
|
@ -3794,7 +3794,7 @@ connection_read_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
|
|
|
|
|
*/ |
|
|
|
|
while((ssl_err = ERR_get_error())) { |
|
|
|
|
/* get all errors from the error-queue */ |
|
|
|
|
log_error(r->conf.errh, __FILE__, __LINE__, |
|
|
|
|
log_error(hctx->errh, __FILE__, __LINE__, |
|
|
|
|
"SSL: %d %s", rc, ERR_error_string(ssl_err, NULL)); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
@ -3811,7 +3811,7 @@ connection_read_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
|
|
|
|
|
if (0==oerrno && 0==cq->bytes_in && !hctx->conf.ssl_log_noise) |
|
|
|
|
break; |
|
|
|
|
|
|
|
|
|
log_error(r->conf.errh, __FILE__, __LINE__, |
|
|
|
|
log_error(hctx->errh, __FILE__, __LINE__, |
|
|
|
|
"SSL: %d %d %d %s", len, rc, oerrno, strerror(oerrno)); |
|
|
|
|
break; |
|
|
|
|
} |
|
|
|
@ -3847,7 +3847,7 @@ connection_read_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
|
|
|
|
|
break; |
|
|
|
|
} |
|
|
|
|
/* get all errors from the error-queue */ |
|
|
|
|
log_error(r->conf.errh, __FILE__, __LINE__, |
|
|
|
|
log_error(hctx->errh, __FILE__, __LINE__, |
|
|
|
|
"SSL: %d %s", rc, ERR_error_string(ssl_err, NULL)); |
|
|
|
|
} |
|
|
|
|
break; |
|
|
|
@ -3875,7 +3875,8 @@ CONNECTION_FUNC(mod_openssl_handle_con_accept)
|
|
|
|
|
hctx->r = r; |
|
|
|
|
hctx->con = con; |
|
|
|
|
hctx->tmp_buf = con->srv->tmp_buf; |
|
|
|
|
r->plugin_ctx[p->id] = hctx; |
|
|
|
|
hctx->errh = r->conf.errh; |
|
|
|
|
con->plugin_ctx[p->id] = hctx; |
|
|
|
|
|
|
|
|
|
plugin_ssl_ctx * const s = p->ssl_ctxs + srv_sock->sidx; |
|
|
|
|
hctx->ssl = SSL_new(s->ssl_ctx); |
|
|
|
@ -3912,9 +3913,8 @@ mod_openssl_detach(handler_ctx *hctx)
|
|
|
|
|
|
|
|
|
|
CONNECTION_FUNC(mod_openssl_handle_con_shut_wr) |
|
|
|
|
{ |
|
|
|
|
request_st * const r = &con->request; |
|
|
|
|
plugin_data *p = p_d; |
|
|
|
|
handler_ctx *hctx = r->plugin_ctx[p->id]; |
|
|
|
|
handler_ctx *hctx = con->plugin_ctx[p->id]; |
|
|
|
|
if (NULL == hctx) return HANDLER_GO_ON; |
|
|
|
|
|
|
|
|
|
hctx->close_notify = -2; |
|
|
|
@ -4039,12 +4039,11 @@ mod_openssl_close_notify(handler_ctx *hctx)
|
|
|
|
|
|
|
|
|
|
CONNECTION_FUNC(mod_openssl_handle_con_close) |
|
|
|
|
{ |
|
|
|
|
request_st * const r = &con->request; |
|
|
|
|
plugin_data *p = p_d; |
|
|
|
|
handler_ctx *hctx = r->plugin_ctx[p->id]; |
|
|
|
|
handler_ctx *hctx = con->plugin_ctx[p->id]; |
|
|
|
|
if (NULL != hctx) { |
|
|
|
|
con->plugin_ctx[p->id] = NULL; |
|
|
|
|
handler_ctx_free(hctx); |
|
|
|
|
r->plugin_ctx[p->id] = NULL; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
return HANDLER_GO_ON; |
|
|
|
@ -4217,10 +4216,11 @@ http_cgi_ssl_env (request_st * const r, handler_ctx * const hctx)
|
|
|
|
|
REQUEST_FUNC(mod_openssl_handle_request_env) |
|
|
|
|
{ |
|
|
|
|
plugin_data *p = p_d; |
|
|
|
|
handler_ctx *hctx = r->plugin_ctx[p->id]; |
|
|
|
|
/* simple flag for request_env_patched */ |
|
|
|
|
if (r->plugin_ctx[p->id]) return HANDLER_GO_ON; |
|
|
|
|
handler_ctx *hctx = r->con->plugin_ctx[p->id]; |
|
|
|
|
if (NULL == hctx) return HANDLER_GO_ON; |
|
|
|
|
if (hctx->request_env_patched) return HANDLER_GO_ON; |
|
|
|
|
hctx->request_env_patched = 1; |
|
|
|
|
r->plugin_ctx[p->id] = (void *)(uintptr_t)1u; |
|
|
|
|
|
|
|
|
|
http_cgi_ssl_env(r, hctx); |
|
|
|
|
if (hctx->conf.ssl_verifyclient) { |
|
|
|
@ -4241,7 +4241,7 @@ REQUEST_FUNC(mod_openssl_handle_uri_raw)
|
|
|
|
|
* is enabled with extforward.hap-PROXY = "enable", in which case the |
|
|
|
|
* reverse is true: mod_extforward must be loaded after mod_openssl */ |
|
|
|
|
plugin_data *p = p_d; |
|
|
|
|
handler_ctx *hctx = r->plugin_ctx[p->id]; |
|
|
|
|
handler_ctx *hctx = r->con->plugin_ctx[p->id]; |
|
|
|
|
if (NULL == hctx) return HANDLER_GO_ON; |
|
|
|
|
|
|
|
|
|
mod_openssl_patch_config(r, &hctx->conf); |
|
|
|
@ -4256,10 +4256,7 @@ REQUEST_FUNC(mod_openssl_handle_uri_raw)
|
|
|
|
|
REQUEST_FUNC(mod_openssl_handle_request_reset) |
|
|
|
|
{ |
|
|
|
|
plugin_data *p = p_d; |
|
|
|
|
handler_ctx *hctx = r->plugin_ctx[p->id]; |
|
|
|
|
if (NULL == hctx) return HANDLER_GO_ON; |
|
|
|
|
|
|
|
|
|
hctx->request_env_patched = 0; |
|
|
|
|
r->plugin_ctx[p->id] = NULL; /* simple flag for request_env_patched */ |
|
|
|
|
return HANDLER_GO_ON; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|