lighttpd
/
lighttpd1.4
2
0
Fork 0
Code Issues Releases Wiki Activity

[multiple] con hooks store ctx in con->plugin_ctx 

modules with connection level hooks now store ctx in con->plugin_ctx
This commit is contained in:
Glenn Strauss 2020-07-24 01:15:25 -04:00
parent fea5bdc873
commit 164f7600b7
6 changed files with 124 additions and 137 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
src/mod_extforward.c
View File

@ -413,10 +413,10 @@ SETDEFAULTS_FUNC(mod_extforward_set_defaults) {
/* attempt to warn if mod_extforward is not last module loaded to hook
* handle_connection_accept. (Nice to have, but remove this check if
* it reaches too far into internals and prevents other code changes.)
* While it would be nice to check connection_handle_accept plugin slot
* While it would be nice to check handle_connection_accept plugin slot
* to make sure mod_extforward is last, that info is private to plugin.c
* so merely warn if mod_openssl is loaded after mod_extforward, though
* future modules which hook connection_handle_accept might be missed.*/
* future modules which hook handle_connection_accept might be missed.*/
if (hap_PROXY) {
uint32_t i;
for (i = 0; i < srv->srvconf.modules->used; ++i) {
@ -543,7 +543,7 @@ static const char *last_not_in_array(array *a, plugin_data *p)
static int mod_extforward_set_addr(request_st * const r, plugin_data *p, const char *addr) {
connection * const con = r->con;
sock_addr sock;
handler_ctx *hctx = r->plugin_ctx[p->id];
handler_ctx *hctx = con->plugin_ctx[p->id];
if (r->conf.log_request_handling) {
log_error(r->conf.errh, __FILE__, __LINE__, "using address: %s", addr);
@ -566,7 +566,7 @@ static int mod_extforward_set_addr(request_st * const r, plugin_data *p, const c
hctx->saved_remote_addr_buf = NULL;
}
} else {
r->plugin_ctx[p->id] = hctx = handler_ctx_init();
con->plugin_ctx[p->id] = hctx = handler_ctx_init();
}
/* save old address */
if (extforward_check_proxy) {
@ -1044,7 +1044,6 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
URIHANDLER_FUNC(mod_extforward_uri_handler) {
plugin_data *p = p_d;
const buffer *forwarded = NULL;
handler_ctx *hctx = r->plugin_ctx[p->id];
int is_forwarded_header = 0;
mod_extforward_patch_config(r, p);
@ -1056,6 +1055,7 @@ URIHANDLER_FUNC(mod_extforward_uri_handler) {
if (p->conf.hap_PROXY_ssl_client_verify) {
const data_string *ds;
handler_ctx *hctx = r->con->plugin_ctx[p->id];
if (NULL != hctx && hctx->ssl_client_verify && NULL != hctx->env
&& NULL != (ds = (const data_string *)array_get_element_klen(hctx->env, CONST_STR_LEN("SSL_CLIENT_S_DN_CN")))) {
http_header_env_set(r,
@ -1114,7 +1114,7 @@ URIHANDLER_FUNC(mod_extforward_uri_handler) {
REQUEST_FUNC(mod_extforward_handle_request_env) {
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
handler_ctx *hctx = r->con->plugin_ctx[p->id];
if (NULL == hctx || NULL == hctx->env) return HANDLER_GO_ON;
for (uint32_t i=0; i < hctx->env->used; ++i) {
/* note: replaces values which may have been set by mod_openssl
@ -1131,11 +1131,11 @@ REQUEST_FUNC(mod_extforward_restore) {
/* XXX: should change this to not occur at request reset,
* but instead at connection reset */
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
connection * const con = r->con;
handler_ctx *hctx = con->plugin_ctx[p->id];
if (!hctx) return HANDLER_GO_ON;
connection * const con = r->con;
if (NULL != hctx->saved_network_read) {
con->network_read = hctx->saved_network_read;
hctx->saved_network_read = NULL;
@ -1152,7 +1152,7 @@ REQUEST_FUNC(mod_extforward_restore) {
if (NULL == hctx->env) {
handler_ctx_free(hctx);
r->plugin_ctx[p->id] = NULL;
con->plugin_ctx[p->id] = NULL;
}
return HANDLER_GO_ON;
@ -1161,9 +1161,8 @@ REQUEST_FUNC(mod_extforward_restore) {
CONNECTION_FUNC(mod_extforward_handle_con_close)
{
request_st * const r = &con->request;
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
handler_ctx *hctx = con->plugin_ctx[p->id];
if (NULL != hctx) {
if (NULL != hctx->saved_network_read) {
con->network_read = hctx->saved_network_read;
@ -1177,7 +1176,7 @@ CONNECTION_FUNC(mod_extforward_handle_con_close)
array_free(hctx->env);
}
handler_ctx_free(hctx);
r->plugin_ctx[p->id] = NULL;
con->plugin_ctx[p->id] = NULL;
}
return HANDLER_GO_ON;
@ -1195,7 +1194,7 @@ CONNECTION_FUNC(mod_extforward_handle_con_accept)
if (NULL == p->conf.forwarder) return HANDLER_GO_ON;
if (is_connection_trusted(con, p)) {
handler_ctx *hctx = handler_ctx_init();
r->plugin_ctx[p->id] = hctx;
con->plugin_ctx[p->id] = hctx;
hctx->saved_network_read = con->network_read;
con->network_read = mod_extforward_network_read;
}
@ -1606,10 +1605,9 @@ static int mod_extforward_hap_PROXY_v2 (connection * const con,
case PP2_TYPE_CRC32C:
#endif
case PP2_TYPE_SSL: {
request_st * const r = &con->request;
static const uint32_t zero = 0;
handler_ctx *hctx =
r->plugin_ctx[mod_extforward_plugin_data_singleton->id];
con->plugin_ctx[mod_extforward_plugin_data_singleton->id];
struct pp2_tlv_ssl *tlv_ssl =
(struct pp2_tlv_ssl *)(void *)((char *)tlv+3);
struct pp2_tlv *subtlv = tlv;

49
src/mod_gnutls.c
View File

@ -135,7 +135,7 @@ typedef struct {
static int ssl_is_init;
/* need assigned p->id for deep access of module handler_ctx for connection
* i.e. handler_ctx *hctx = r->plugin_ctx[plugin_data_singleton->id]; */
* i.e. handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id]; */
static plugin_data *plugin_data_singleton;
#define LOCAL_SEND_BUFSIZE 16384 /* DEFAULT_MAX_RECORD_SIZE */
static char *local_send_buffer;
@ -144,7 +144,6 @@ typedef struct {
gnutls_session_t ssl; /* gnutls request/connection context */
request_st *r;
connection *con;
int8_t request_env_patched;
int8_t close_notify;
uint8_t alpn;
int8_t ssl_session_ticket;
@ -153,6 +152,7 @@ typedef struct {
plugin_config conf;
unsigned int verify_status;
buffer *tmp_buf;
log_error_st *errh;
gnutls_certificate_credentials_t acme_tls_1_cred;
} handler_ctx;
@ -2201,8 +2201,9 @@ SETDEFAULTS_FUNC(mod_gnutls_set_defaults)
static int
load_next_chunk (request_st * const r, chunkqueue * const cq, off_t max_bytes,
const char ** const data, size_t * const data_len)
load_next_chunk (chunkqueue * const cq, off_t max_bytes,
const char ** const data, size_t * const data_len,
log_error_st * const errh)
{
chunk *c = cq->first;
@ -2256,7 +2257,7 @@ load_next_chunk (request_st * const r, chunkqueue * const cq, off_t max_bytes,
return 0;
case FILE_CHUNK:
if (0 != chunkqueue_open_file_chunk(cq, r->conf.errh)) return -1;
if (0 != chunkqueue_open_file_chunk(cq, errh)) return -1;
{
off_t offset, toSend;
@ -2269,11 +2270,11 @@ load_next_chunk (request_st * const r, chunkqueue * const cq, off_t max_bytes,
if (toSend > max_bytes) toSend = max_bytes;
if (-1 == lseek(c->file.fd, offset, SEEK_SET)) {
log_perror(r->conf.errh, __FILE__, __LINE__, "lseek");
log_perror(errh, __FILE__, __LINE__, "lseek");
return -1;
}
if (-1 == (toSend = read(c->file.fd, local_send_buffer, toSend))) {
log_perror(r->conf.errh, __FILE__, __LINE__, "read");
log_perror(errh, __FILE__, __LINE__, "read");
return -1;
}
@ -2389,8 +2390,7 @@ mod_gnutls_close_notify(handler_ctx *hctx);
static int
connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
{
request_st * const r = &con->request;
handler_ctx *hctx = r->plugin_ctx[plugin_data_singleton->id];
handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id];
gnutls_session_t ssl = hctx->ssl;
if (hctx->pending_write) {
@ -2417,12 +2417,13 @@ connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
* headers and beginning of files before uncorking.
*/
log_error_st * const errh = hctx->errh;
while (max_bytes > 0 && NULL != cq->first) {
const char *data;
size_t data_len;
int wr;
if (0 != load_next_chunk(r, cq, max_bytes, &data, &data_len)) return -1;
if (0 != load_next_chunk(cq,max_bytes,&data,&data_len,errh)) return -1;
/* gnutls_record_send() copies the data, up to max record size, but if
* (temporarily) unable to write the entire record, it is documented
@ -2482,8 +2483,7 @@ mod_gnutls_ssl_handshake (handler_ctx *hctx)
static int
connection_read_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
{
request_st * const r = &con->request;
handler_ctx *hctx = r->plugin_ctx[plugin_data_singleton->id];
handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id];
UNUSED(max_bytes);
@ -2546,7 +2546,8 @@ CONNECTION_FUNC(mod_gnutls_handle_con_accept)
hctx->r = r;
hctx->con = con;
hctx->tmp_buf = con->srv->tmp_buf;
r->plugin_ctx[p->id] = hctx;
hctx->errh = r->conf.errh;
con->plugin_ctx[p->id] = hctx;
plugin_ssl_ctx * const s = p->ssl_ctxs + srv_sock->sidx;
hctx->ssl_session_ticket = s->ssl_session_ticket;
@ -2620,9 +2621,8 @@ mod_gnutls_detach(handler_ctx *hctx)
CONNECTION_FUNC(mod_gnutls_handle_con_shut_wr)
{
request_st * const r = &con->request;
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
handler_ctx *hctx = con->plugin_ctx[p->id];
if (NULL == hctx) return HANDLER_GO_ON;
hctx->close_notify = -2;
@ -2661,14 +2661,13 @@ mod_gnutls_close_notify (handler_ctx *hctx)
CONNECTION_FUNC(mod_gnutls_handle_con_close)
{
request_st * const r = &con->request;
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
handler_ctx *hctx = con->plugin_ctx[p->id];
if (NULL != hctx) {
con->plugin_ctx[p->id] = NULL;
if (1 != hctx->close_notify)
mod_gnutls_close_notify(hctx); /*(one final try)*/
handler_ctx_free(hctx);
r->plugin_ctx[p->id] = NULL;
}
return HANDLER_GO_ON;
@ -2876,10 +2875,11 @@ http_cgi_ssl_env (request_st * const r, handler_ctx * const hctx)
REQUEST_FUNC(mod_gnutls_handle_request_env)
{
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
/* simple flag for request_env_patched */
if (r->plugin_ctx[p->id]) return HANDLER_GO_ON;
handler_ctx *hctx = r->con->plugin_ctx[p->id];
if (NULL == hctx) return HANDLER_GO_ON;
if (hctx->request_env_patched) return HANDLER_GO_ON;
hctx->request_env_patched = 1;
r->plugin_ctx[p->id] = (void *)(uintptr_t)1u;
http_cgi_ssl_env(r, hctx);
if (hctx->conf.ssl_verifyclient) {
@ -2900,7 +2900,7 @@ REQUEST_FUNC(mod_gnutls_handle_uri_raw)
* is enabled with extforward.hap-PROXY = "enable", in which case the
* reverse is true: mod_extforward must be loaded after mod_gnutls */
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
handler_ctx *hctx = r->con->plugin_ctx[p->id];
if (NULL == hctx) return HANDLER_GO_ON;
mod_gnutls_patch_config(r, &hctx->conf);
@ -2915,10 +2915,7 @@ REQUEST_FUNC(mod_gnutls_handle_uri_raw)
REQUEST_FUNC(mod_gnutls_handle_request_reset)
{
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
if (NULL == hctx) return HANDLER_GO_ON;
hctx->request_env_patched = 0;
r->plugin_ctx[p->id] = NULL; /* simple flag for request_env_patched */
return HANDLER_GO_ON;
}

14
src/mod_maxminddb.c
View File

@ -421,7 +421,8 @@ mod_maxmind_geoip2 (array * const env, const struct sockaddr * const dst_addr,
REQUEST_FUNC(mod_maxminddb_request_env_handler)
{
const sock_addr * const dst_addr = &r->con->dst_addr;
connection * const con = r->con;
const sock_addr * const dst_addr = &con->dst_addr;
const int sa_family = dst_addr->plain.sa_family;
if (sa_family != AF_INET && sa_family != AF_INET6) return HANDLER_GO_ON;
@ -431,14 +432,14 @@ REQUEST_FUNC(mod_maxminddb_request_env_handler)
/* check that mod_maxmind is activated and env fields were requested */
if (!pconf.activate || NULL == pconf.env) return HANDLER_GO_ON;
array *env = r->plugin_ctx[p->id];
array *env = con->plugin_ctx[p->id];
if (NULL == env) {
env = r->plugin_ctx[p->id] = array_init(pconf.env->used);
env = con->plugin_ctx[p->id] = array_init(pconf.env->used);
if (pconf.mmdb)
mod_maxmind_geoip2(env, (const struct sockaddr *)dst_addr, &pconf);
}
for (size_t i = 0; i < env->used; ++i) {
for (uint32_t i = 0; i < env->used; ++i) {
/* note: replaces values which may have been set by mod_openssl
* (when mod_extforward is listed after mod_openssl in server.modules)*/
data_string *ds = (data_string *)env->data[i];
@ -452,12 +453,11 @@ REQUEST_FUNC(mod_maxminddb_request_env_handler)
CONNECTION_FUNC(mod_maxminddb_handle_con_close)
{
request_st * const r = &con->request;
plugin_data *p = p_d;
array *env = r->plugin_ctx[p->id];
array *env = con->plugin_ctx[p->id];
if (NULL != env) {
array_free(env);
r->plugin_ctx[p->id] = NULL;
con->plugin_ctx[p->id] = NULL;
}
return HANDLER_GO_ON;

52
src/mod_mbedtls.c
View File

@ -172,7 +172,7 @@ typedef struct {
static int ssl_is_init;
/* need assigned p->id for deep access of module handler_ctx for connection
* i.e. handler_ctx *hctx = r->plugin_ctx[plugin_data_singleton->id]; */
* i.e. handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id]; */
static plugin_data *plugin_data_singleton;
#define LOCAL_SEND_BUFSIZE MBEDTLS_SSL_MAX_CONTENT_LEN
static char *local_send_buffer;
@ -181,13 +181,13 @@ typedef struct {
mbedtls_ssl_context ssl; /* mbedtls request/connection context */
request_st *r;
connection *con;
int8_t request_env_patched;
int8_t close_notify;
unsigned short alpn;
int handshake_done;
size_t pending_write;
plugin_config conf;
buffer *tmp_buf;
log_error_st *errh;
mbedtls_pk_context *acme_tls_1_pkey;
mbedtls_x509_crt *acme_tls_1_x509;
} handler_ctx;
@ -1691,8 +1691,9 @@ SETDEFAULTS_FUNC(mod_mbedtls_set_defaults)
static int
load_next_chunk (request_st * const r, chunkqueue * const cq, off_t max_bytes,
const char ** const data, size_t * const data_len)
load_next_chunk (chunkqueue * const cq, off_t max_bytes,
const char ** const data, size_t * const data_len,
log_error_st * const errh)
{
chunk *c = cq->first;
@ -1744,7 +1745,7 @@ load_next_chunk (request_st * const r, chunkqueue * const cq, off_t max_bytes,
return 0;
case FILE_CHUNK:
if (0 != chunkqueue_open_file_chunk(cq, r->conf.errh)) return -1;
if (0 != chunkqueue_open_file_chunk(cq, errh)) return -1;
{
off_t offset, toSend;
@ -1757,11 +1758,11 @@ load_next_chunk (request_st * const r, chunkqueue * const cq, off_t max_bytes,
if (toSend > max_bytes) toSend = max_bytes;
if (-1 == lseek(c->file.fd, offset, SEEK_SET)) {
log_perror(r->conf.errh, __FILE__, __LINE__, "lseek");
log_perror(errh, __FILE__, __LINE__, "lseek");
return -1;
}
if (-1 == (toSend = read(c->file.fd, local_send_buffer, toSend))) {
log_perror(r->conf.errh, __FILE__, __LINE__, "read");
log_perror(errh, __FILE__, __LINE__, "read");
return -1;
}
@ -1813,8 +1814,7 @@ mod_mbedtls_close_notify(handler_ctx *hctx);
static int
connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
{
request_st * const r = &con->request;
handler_ctx *hctx = r->plugin_ctx[plugin_data_singleton->id];
handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id];
mbedtls_ssl_context * const ssl = &hctx->ssl;
if (hctx->pending_write) {
@ -1838,12 +1838,13 @@ connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
const int lim = mbedtls_ssl_get_max_out_record_payload(ssl);
if (lim < 0) return mod_mbedtls_ssl_write_err(con, hctx, lim, 0);
log_error_st * const errh = hctx->errh;
while (max_bytes > 0 && NULL != cq->first) {
const char *data;
size_t data_len;
int wr;
if (0 != load_next_chunk(r, cq, max_bytes, &data, &data_len)) return -1;
if (0 != load_next_chunk(cq,max_bytes,&data,&data_len,errh)) return -1;
/* mbedtls_ssl_write() copies the data, up to max record size, but if
* (temporarily) unable to write the entire record, it is documented
@ -1992,8 +1993,7 @@ mod_mbedtls_ssl_handshake (handler_ctx *hctx)
static int
connection_read_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
{
request_st * const r = &con->request;
handler_ctx *hctx = r->plugin_ctx[plugin_data_singleton->id];
handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id];
int len;
char *mem = NULL;
size_t mem_len = 0;
@ -2025,6 +2025,7 @@ connection_read_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
if (len < 0) {
int rc = len;
request_st * const r = &con->request;
switch (rc) {
case MBEDTLS_ERR_SSL_WANT_WRITE:
con->is_writable = -1;
@ -2047,7 +2048,7 @@ connection_read_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
if (!hctx->conf.ssl_log_noise) return -1;
__attribute_fallthrough__
default:
elog(r->conf.errh, __FILE__, __LINE__, rc, "Reading mbedtls");
elog(hctx->errh, __FILE__, __LINE__, rc, "Reading mbedtls");
return -1;
}
} else if (len == 0) {
@ -2082,7 +2083,8 @@ CONNECTION_FUNC(mod_mbedtls_handle_con_accept)
hctx->r = r;
hctx->con = con;
hctx->tmp_buf = con->srv->tmp_buf;
r->plugin_ctx[p->id] = hctx;
hctx->errh = r->conf.errh;
con->plugin_ctx[p->id] = hctx;
plugin_ssl_ctx * const s = p->ssl_ctxs + srv_sock->sidx;
mbedtls_ssl_init(&hctx->ssl);
@ -2137,9 +2139,8 @@ mod_mbedtls_detach(handler_ctx *hctx)
CONNECTION_FUNC(mod_mbedtls_handle_con_shut_wr)
{
request_st * const r = &con->request;
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
handler_ctx *hctx = con->plugin_ctx[p->id];
if (NULL == hctx) return HANDLER_GO_ON;
hctx->close_notify = -2;
@ -2179,14 +2180,13 @@ mod_mbedtls_close_notify (handler_ctx *hctx)
CONNECTION_FUNC(mod_mbedtls_handle_con_close)
{
request_st * const r = &con->request;
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
handler_ctx *hctx = con->plugin_ctx[p->id];
if (NULL != hctx) {
con->plugin_ctx[p->id] = NULL;
if (1 != hctx->close_notify)
mod_mbedtls_close_notify(hctx); /*(one final try)*/
handler_ctx_free(hctx);
r->plugin_ctx[p->id] = NULL;
}
return HANDLER_GO_ON;
@ -2371,10 +2371,11 @@ http_cgi_ssl_env (request_st * const r, handler_ctx * const hctx)
REQUEST_FUNC(mod_mbedtls_handle_request_env)
{
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
/* simple flag for request_env_patched */
if (r->plugin_ctx[p->id]) return HANDLER_GO_ON;
handler_ctx *hctx = r->con->plugin_ctx[p->id];
if (NULL == hctx) return HANDLER_GO_ON;
if (hctx->request_env_patched) return HANDLER_GO_ON;
hctx->request_env_patched = 1;
r->plugin_ctx[p->id] = (void *)(uintptr_t)1u;
http_cgi_ssl_env(r, hctx);
if (hctx->conf.ssl_verifyclient) {
@ -2395,7 +2396,7 @@ REQUEST_FUNC(mod_mbedtls_handle_uri_raw)
* is enabled with extforward.hap-PROXY = "enable", in which case the
* reverse is true: mod_extforward must be loaded after mod_mbedtls */
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
handler_ctx *hctx = r->con->plugin_ctx[p->id];
if (NULL == hctx) return HANDLER_GO_ON;
mod_mbedtls_patch_config(r, &hctx->conf);
@ -2410,10 +2411,7 @@ REQUEST_FUNC(mod_mbedtls_handle_uri_raw)
REQUEST_FUNC(mod_mbedtls_handle_request_reset)
{
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
if (NULL == hctx) return HANDLER_GO_ON;
hctx->request_env_patched = 0;
r->plugin_ctx[p->id] = NULL; /* simple flag for request_env_patched */
return HANDLER_GO_ON;
}

51
src/mod_nss.c
View File

@ -178,7 +178,7 @@ typedef struct {
static int ssl_is_init;
/* need assigned p->id for deep access of module handler_ctx for connection
* i.e. handler_ctx *hctx = r->plugin_ctx[plugin_data_singleton->id]; */
* i.e. handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id]; */
static plugin_data *plugin_data_singleton;
#define LOCAL_SEND_BUFSIZE 16384 /* DEFAULT_MAX_RECORD_SIZE */
static char *local_send_buffer;
@ -187,7 +187,6 @@ typedef struct {
PRFileDesc *ssl;
request_st *r;
connection *con;
int8_t request_env_patched;
int8_t close_notify;
uint8_t alpn;
int8_t ssl_session_ticket;
@ -196,6 +195,7 @@ typedef struct {
plugin_config conf;
int verify_status;
buffer *tmp_buf;
log_error_st *errh;
} handler_ctx;
@ -2032,8 +2032,9 @@ SETDEFAULTS_FUNC(mod_nss_set_defaults)
static int
load_next_chunk (request_st * const r, chunkqueue * const cq, off_t max_bytes,
const char ** const data, size_t * const data_len)
load_next_chunk (chunkqueue * const cq, off_t max_bytes,
const char ** const data, size_t * const data_len,
log_error_st * const errh)
{
chunk *c = cq->first;
@ -2085,7 +2086,7 @@ load_next_chunk (request_st * const r, chunkqueue * const cq, off_t max_bytes,
return 0;
case FILE_CHUNK:
if (0 != chunkqueue_open_file_chunk(cq, r->conf.errh)) return -1;
if (0 != chunkqueue_open_file_chunk(cq, errh)) return -1;
{
off_t offset, toSend;
@ -2098,11 +2099,11 @@ load_next_chunk (request_st * const r, chunkqueue * const cq, off_t max_bytes,
if (toSend > max_bytes) toSend = max_bytes;
if (-1 == lseek(c->file.fd, offset, SEEK_SET)) {
log_perror(r->conf.errh, __FILE__, __LINE__, "lseek");
log_perror(errh, __FILE__, __LINE__, "lseek");
return -1;
}
if (-1 == (toSend = read(c->file.fd, local_send_buffer, toSend))) {
log_perror(r->conf.errh, __FILE__, __LINE__, "read");
log_perror(errh, __FILE__, __LINE__, "read");
return -1;
}
@ -2158,7 +2159,7 @@ mod_nss_read_err(connection *con, handler_ctx *hctx)
if (!hctx->conf.ssl_log_noise) return -1;
__attribute_fallthrough__
default:
elog(hctx->r->conf.errh, __FILE__, __LINE__, __func__);
elog(hctx->errh, __FILE__, __LINE__, __func__);
return -1;
}
}
@ -2171,9 +2172,9 @@ mod_nss_close_notify(handler_ctx *hctx);
static int
connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
{
request_st * const r = &con->request;
handler_ctx *hctx = r->plugin_ctx[plugin_data_singleton->id];
handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id];
PRFileDesc *ssl = hctx->ssl;
log_error_st * const errh = hctx->errh;
if (0 != hctx->close_notify) return mod_nss_close_notify(hctx);
@ -2188,7 +2189,7 @@ connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
size_t data_len;
int wr;
if (0 != load_next_chunk(r, cq, max_bytes, &data, &data_len)) return -1;
if (0 != load_next_chunk(cq,max_bytes,&data,&data_len,errh)) return -1;
/*(if partial write occurred, expect that subsequent writes will have
* at least that much data available from load_next_chunk(), which is
@ -2242,8 +2243,7 @@ mod_nss_SSLHandshakeCallback (PRFileDesc *fd, void *arg)
static int
connection_read_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
{
request_st * const r = &con->request;
handler_ctx *hctx = r->plugin_ctx[plugin_data_singleton->id];
handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id];
UNUSED(max_bytes);
@ -2305,7 +2305,8 @@ CONNECTION_FUNC(mod_nss_handle_con_accept)
hctx->r = r;
hctx->con = con;
hctx->tmp_buf = con->srv->tmp_buf;
r->plugin_ctx[p->id] = hctx;
hctx->errh = r->conf.errh;
con->plugin_ctx[p->id] = hctx;
plugin_ssl_ctx * const s = p->ssl_ctxs + srv_sock->sidx;
hctx->ssl_session_ticket = s->ssl_session_ticket;
@ -2399,9 +2400,8 @@ mod_nss_detach(handler_ctx *hctx)
CONNECTION_FUNC(mod_nss_handle_con_shut_wr)
{
request_st * const r = &con->request;
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
handler_ctx *hctx = con->plugin_ctx[p->id];
if (NULL == hctx) return HANDLER_GO_ON;
hctx->close_notify = -2;
@ -2438,14 +2438,13 @@ mod_nss_close_notify (handler_ctx *hctx)
CONNECTION_FUNC(mod_nss_handle_con_close)
{
request_st * const r = &con->request;
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
handler_ctx *hctx = con->plugin_ctx[p->id];
if (NULL != hctx) {
con->plugin_ctx[p->id] = NULL;
if (1 != hctx->close_notify)
mod_nss_close_notify(hctx); /*(one final try)*/
handler_ctx_free(hctx);
r->plugin_ctx[p->id] = NULL;
}
return HANDLER_GO_ON;
@ -2638,10 +2637,11 @@ http_cgi_ssl_env (request_st * const r, handler_ctx * const hctx)
REQUEST_FUNC(mod_nss_handle_request_env)
{
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
/* simple flag for request_env_patched */
if (r->plugin_ctx[p->id]) return HANDLER_GO_ON;
handler_ctx *hctx = r->con->plugin_ctx[p->id];
if (NULL == hctx) return HANDLER_GO_ON;
if (hctx->request_env_patched) return HANDLER_GO_ON;
hctx->request_env_patched = 1;
r->plugin_ctx[p->id] = (void *)(uintptr_t)1u;
http_cgi_ssl_env(r, hctx);
if (hctx->conf.ssl_verifyclient) {
@ -2662,7 +2662,7 @@ REQUEST_FUNC(mod_nss_handle_uri_raw)
* is enabled with extforward.hap-PROXY = "enable", in which case the
* reverse is true: mod_extforward must be loaded after mod_nss */
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
handler_ctx *hctx = r->con->plugin_ctx[p->id];
if (NULL == hctx) return HANDLER_GO_ON;
mod_nss_patch_config(r, &hctx->conf);
@ -2677,10 +2677,7 @@ REQUEST_FUNC(mod_nss_handle_uri_raw)
REQUEST_FUNC(mod_nss_handle_request_reset)
{
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
if (NULL == hctx) return HANDLER_GO_ON;
hctx->request_env_patched = 0;
r->plugin_ctx[p->id] = NULL; /* simple flag for request_env_patched */
return HANDLER_GO_ON;
}

67
src/mod_openssl.c
View File

@ -240,7 +240,7 @@ typedef struct {
static int ssl_is_init;
/* need assigned p->id for deep access of module handler_ctx for connection
* i.e. handler_ctx *hctx = r->plugin_ctx[plugin_data_singleton->id]; */
* i.e. handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id]; */
static plugin_data *plugin_data_singleton;
#define LOCAL_SEND_BUFSIZE (16 * 1024)
static char *local_send_buffer;
@ -251,10 +251,10 @@ typedef struct {
connection *con;
short renegotiations; /* count of SSL_CB_HANDSHAKE_START */
short close_notify;
unsigned short request_env_patched;
unsigned short alpn;
plugin_config conf;
buffer *tmp_buf;
log_error_st *errh;
} handler_ctx;
@ -3518,8 +3518,9 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
static int
load_next_chunk (request_st * const r, chunkqueue * const cq, off_t max_bytes,
const char ** const data, size_t * const data_len)
load_next_chunk (chunkqueue * const cq, off_t max_bytes,
const char ** const data, size_t * const data_len,
log_error_st * const errh)
{
chunk *c = cq->first;
@ -3576,7 +3577,7 @@ load_next_chunk (request_st * const r, chunkqueue * const cq, off_t max_bytes,
return 0;
case FILE_CHUNK:
if (0 != chunkqueue_open_file_chunk(cq, r->conf.errh)) return -1;
if (0 != chunkqueue_open_file_chunk(cq, errh)) return -1;
{
off_t offset, toSend;
@ -3589,11 +3590,11 @@ load_next_chunk (request_st * const r, chunkqueue * const cq, off_t max_bytes,
if (toSend > max_bytes) toSend = max_bytes;
if (-1 == lseek(c->file.fd, offset, SEEK_SET)) {
log_perror(r->conf.errh, __FILE__, __LINE__, "lseek");
log_perror(errh, __FILE__, __LINE__, "lseek");
return -1;
}
if (-1 == (toSend = read(c->file.fd, local_send_buffer, toSend))) {
log_perror(r->conf.errh, __FILE__, __LINE__, "read");
log_perror(errh, __FILE__, __LINE__, "read");
return -1;
}
@ -3614,9 +3615,9 @@ mod_openssl_close_notify(handler_ctx *hctx);
static int
connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
{
request_st * const r = &con->request;
handler_ctx *hctx = r->plugin_ctx[plugin_data_singleton->id];
handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id];
SSL *ssl = hctx->ssl;
log_error_st * const errh = hctx->errh;
if (0 != hctx->close_notify) return mod_openssl_close_notify(hctx);
@ -3627,7 +3628,7 @@ connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
size_t data_len;
int wr;
if (0 != load_next_chunk(r, cq, max_bytes, &data, &data_len)) return -1;
if (0 != load_next_chunk(cq,max_bytes,&data,&data_len,errh)) return -1;
/**
* SSL_write man-page
@ -3643,7 +3644,7 @@ connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
if (hctx->renegotiations > 1
&& hctx->conf.ssl_disable_client_renegotiation) {
log_error(r->conf.errh, __FILE__, __LINE__,
log_error(errh, __FILE__, __LINE__,
"SSL: renegotiation initiated by client, killing connection");
return -1;
}
@ -3663,7 +3664,7 @@ connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
/* perhaps we have error waiting in our error-queue */
if (0 != (err = ERR_get_error())) {
do {
log_error(r->conf.errh, __FILE__, __LINE__,
log_error(errh, __FILE__, __LINE__,
"SSL: %d %d %s",ssl_r,wr,ERR_error_string(err,NULL));
} while((err = ERR_get_error()));
} else if (wr == -1) {
@ -3673,13 +3674,13 @@ connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
case ECONNRESET:
return -2;
default:
log_perror(r->conf.errh, __FILE__, __LINE__,
log_perror(errh, __FILE__, __LINE__,
"SSL: %d %d", ssl_r, wr);
break;
}
} else {
/* neither error-queue nor errno ? */
log_perror(r->conf.errh, __FILE__, __LINE__,
log_perror(errh, __FILE__, __LINE__,
"SSL (error): %d %d", ssl_r, wr);
}
break;
@ -3692,7 +3693,7 @@ connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
/* fall through */
default:
while((err = ERR_get_error())) {
log_error(r->conf.errh, __FILE__, __LINE__,
log_error(errh, __FILE__, __LINE__,
"SSL: %d %d %s", ssl_r, wr, ERR_error_string(err, NULL));
}
break;
@ -3713,8 +3714,7 @@ connection_write_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
static int
connection_read_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
{
request_st * const r = &con->request;
handler_ctx *hctx = r->plugin_ctx[plugin_data_singleton->id];
handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id];
int len;
char *mem = NULL;
size_t mem_len = 0;
@ -3740,7 +3740,7 @@ connection_read_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
if (hctx->renegotiations > 1
&& hctx->conf.ssl_disable_client_renegotiation) {
log_error(r->conf.errh, __FILE__, __LINE__,
log_error(hctx->errh, __FILE__, __LINE__,
"SSL: renegotiation initiated by client, killing connection");
return -1;
}
@ -3794,7 +3794,7 @@ connection_read_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
*/
while((ssl_err = ERR_get_error())) {
/* get all errors from the error-queue */
log_error(r->conf.errh, __FILE__, __LINE__,
log_error(hctx->errh, __FILE__, __LINE__,
"SSL: %d %s", rc, ERR_error_string(ssl_err, NULL));
}
@ -3811,7 +3811,7 @@ connection_read_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
if (0==oerrno && 0==cq->bytes_in && !hctx->conf.ssl_log_noise)
break;
log_error(r->conf.errh, __FILE__, __LINE__,
log_error(hctx->errh, __FILE__, __LINE__,
"SSL: %d %d %d %s", len, rc, oerrno, strerror(oerrno));
break;
}
@ -3847,7 +3847,7 @@ connection_read_cq_ssl (connection *con, chunkqueue *cq, off_t max_bytes)
break;
}
/* get all errors from the error-queue */
log_error(r->conf.errh, __FILE__, __LINE__,
log_error(hctx->errh, __FILE__, __LINE__,
"SSL: %d %s", rc, ERR_error_string(ssl_err, NULL));
}
break;
@ -3875,7 +3875,8 @@ CONNECTION_FUNC(mod_openssl_handle_con_accept)
hctx->r = r;
hctx->con = con;
hctx->tmp_buf = con->srv->tmp_buf;
r->plugin_ctx[p->id] = hctx;
hctx->errh = r->conf.errh;
con->plugin_ctx[p->id] = hctx;
plugin_ssl_ctx * const s = p->ssl_ctxs + srv_sock->sidx;
hctx->ssl = SSL_new(s->ssl_ctx);
@ -3912,9 +3913,8 @@ mod_openssl_detach(handler_ctx *hctx)
CONNECTION_FUNC(mod_openssl_handle_con_shut_wr)
{
request_st * const r = &con->request;
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
handler_ctx *hctx = con->plugin_ctx[p->id];
if (NULL == hctx) return HANDLER_GO_ON;
hctx->close_notify = -2;
@ -4039,12 +4039,11 @@ mod_openssl_close_notify(handler_ctx *hctx)
CONNECTION_FUNC(mod_openssl_handle_con_close)
{
request_st * const r = &con->request;
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
handler_ctx *hctx = con->plugin_ctx[p->id];
if (NULL != hctx) {
con->plugin_ctx[p->id] = NULL;
handler_ctx_free(hctx);
r->plugin_ctx[p->id] = NULL;
}
return HANDLER_GO_ON;
@ -4217,10 +4216,11 @@ http_cgi_ssl_env (request_st * const r, handler_ctx * const hctx)
REQUEST_FUNC(mod_openssl_handle_request_env)
{
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
/* simple flag for request_env_patched */
if (r->plugin_ctx[p->id]) return HANDLER_GO_ON;
handler_ctx *hctx = r->con->plugin_ctx[p->id];
if (NULL == hctx) return HANDLER_GO_ON;
if (hctx->request_env_patched) return HANDLER_GO_ON;
hctx->request_env_patched = 1;
r->plugin_ctx[p->id] = (void *)(uintptr_t)1u;
http_cgi_ssl_env(r, hctx);
if (hctx->conf.ssl_verifyclient) {
@ -4241,7 +4241,7 @@ REQUEST_FUNC(mod_openssl_handle_uri_raw)
* is enabled with extforward.hap-PROXY = "enable", in which case the
* reverse is true: mod_extforward must be loaded after mod_openssl */
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
handler_ctx *hctx = r->con->plugin_ctx[p->id];
if (NULL == hctx) return HANDLER_GO_ON;
mod_openssl_patch_config(r, &hctx->conf);
@ -4256,10 +4256,7 @@ REQUEST_FUNC(mod_openssl_handle_uri_raw)
REQUEST_FUNC(mod_openssl_handle_request_reset)
{
plugin_data *p = p_d;
handler_ctx *hctx = r->plugin_ctx[p->id];
if (NULL == hctx) return HANDLER_GO_ON;
hctx->request_env_patched = 0;
r->plugin_ctx[p->id] = NULL; /* simple flag for request_env_patched */
return HANDLER_GO_ON;
}