authorBenedikt Boehm <hollow@gentoo.org>2007-11-25 19:55:02 +0000
committerBenedikt Boehm <hollow@gentoo.org>2007-11-25 19:55:02 +0000
commitb424c687d601f2b78e9602a124136ec23a2274d3 (patch)
tree71d1d8953c73d6254917068087342876865a1812
parentfix vhost log format; add vhostio log format (diff)
fix bug in SNI patch
-rw-r--r--2.2/patches/04_all_mod_ssl_tls_sni.patch101
1 files changed, 87 insertions, 14 deletions
diff --git a/2.2/patches/04_all_mod_ssl_tls_sni.patch b/2.2/patches/04_all_mod_ssl_tls_sni.patch
index 99c9ef2..ca6a9a4 100644
--- a/2.2/patches/04_all_mod_ssl_tls_sni.patch
+++ b/2.2/patches/04_all_mod_ssl_tls_sni.patch
@@ -4,11 +4,11 @@ httpd-2.2.x-sni.patch - server name indication support for Apache 2.2 or later
Based on a patch from the EdelKey project (http://www.edelweb.fr/EdelKey/),
which is used with permission from its author.
-Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
+Index: httpd-2.2.6/modules/ssl/ssl_engine_init.c
===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_init.c (revision 515465)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_init.c (working copy)
-@@ -156,6 +156,87 @@ static int ssl_tmp_keys_init(server_rec
+--- httpd-2.2.6.orig/modules/ssl/ssl_engine_init.c
++++ httpd-2.2.6/modules/ssl/ssl_engine_init.c
+@@ -135,6 +135,87 @@ static int ssl_tmp_keys_init(server_rec
return OK;
}
@@ -96,7 +96,7 @@ Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
/*
* Per-module initialization
*/
-@@ -376,6 +457,29 @@ static void ssl_init_server_check(server
+@@ -355,6 +436,29 @@ static void ssl_init_server_check(server
}
}
@@ -126,7 +126,7 @@ Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
static void ssl_init_ctx_protocol(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
-@@ -709,6 +813,8 @@ static void ssl_init_ctx(server_rec *s,
+@@ -688,6 +792,8 @@ static void ssl_init_ctx(server_rec *s,
/* XXX: proxy support? */
ssl_init_ctx_cert_chain(s, p, ptemp, mctx);
}
@@ -135,7 +135,7 @@ Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
}
static int ssl_server_import_cert(server_rec *s,
-@@ -1035,6 +1141,7 @@ void ssl_init_CheckServers(server_rec *b
+@@ -1014,6 +1120,7 @@ void ssl_init_CheckServers(server_rec *b
}
}
@@ -143,7 +143,7 @@ Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
/*
* Give out warnings when more than one SSL-aware virtual server uses the
* same IP:port. This doesn't work because mod_ssl then will always use
-@@ -1079,6 +1186,7 @@ void ssl_init_CheckServers(server_rec *b
+@@ -1058,6 +1165,7 @@ void ssl_init_CheckServers(server_rec *b
"Init: You should not use name-based "
"virtual hosts in conjunction with SSL!!");
}
@@ -151,10 +151,10 @@ Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
}
#ifdef SSLC_VERSION_NUMBER
-Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
+Index: httpd-2.2.6/modules/ssl/ssl_engine_kernel.c
===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 515465)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy)
+--- httpd-2.2.6.orig/modules/ssl/ssl_engine_kernel.c
++++ httpd-2.2.6/modules/ssl/ssl_engine_kernel.c
@@ -231,6 +231,19 @@ int ssl_hook_Access(request_rec *r)
* the currently active one.
*/
@@ -198,10 +198,10 @@ Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
/* standard SSL environment variables */
if (dc->nOptions & SSL_OPT_STDENVVARS) {
for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
-Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h
+Index: httpd-2.2.6/modules/ssl/ssl_toolkit_compat.h
===================================================================
---- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (revision 515465)
-+++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (working copy)
+--- httpd-2.2.6.orig/modules/ssl/ssl_toolkit_compat.h
++++ httpd-2.2.6/modules/ssl/ssl_toolkit_compat.h
@@ -258,6 +258,12 @@ typedef void (*modssl_popfree_fn)(char *
#define SSL_SESS_CACHE_NO_INTERNAL SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
#endif
@@ -215,3 +215,76 @@ Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h
#endif /* SSL_TOOLKIT_COMPAT_H */
/** @} */
+Index: httpd-2.2.6/modules/ssl/ssl_engine_io.c
+===================================================================
+--- httpd-2.2.6.orig/modules/ssl/ssl_engine_io.c
++++ httpd-2.2.6/modules/ssl/ssl_engine_io.c
+@@ -1541,14 +1541,25 @@ int ssl_io_buffer_fill(request_rec *r)
+
+ apr_brigade_destroy(tempb);
+
+- /* Insert the filter which will supply the buffered data. */
++ /* After consuming all protocol-level input, remove all protocol-level
++ * filters. It should strictly only be necessary to remove filters
++ * at exactly ftype == AP_FTYPE_PROTOCOL, since this filter will
++ * precede all > AP_FTYPE_PROTOCOL anyway. */
++ while (r->proto_input_filters->frec->ftype < AP_FTYPE_CONNECTION) {
++ ap_remove_input_filter(r->proto_input_filters);
++ }
++
++ /* Insert the filter which will supply the buffered content. */
+ ap_add_input_filter(ssl_io_buffer, ctx, r, c);
+
+ return 0;
+ }
+
+ /* This input filter supplies the buffered request body to the caller
+- * from the brigade stored in f->ctx. */
++ * from the brigade stored in f->ctx. Note that the placement of this
++ * filter in the filter stack is important; it must be the first
++ * r->proto_input_filter; lower-typed filters will not be preserved
++ * across internal redirects (see PR 43738). */
+ static apr_status_t ssl_io_filter_buffer(ap_filter_t *f,
+ apr_bucket_brigade *bb,
+ ap_input_mode_t mode,
+@@ -1567,6 +1578,19 @@ static apr_status_t ssl_io_filter_buffer
+ return APR_ENOTIMPL;
+ }
+
++ if (APR_BRIGADE_EMPTY(ctx->bb)) {
++ /* Suprisingly (and perhaps, wrongly), the request body can be
++ * pulled from the input filter stack more than once; a
++ * handler may read it, and ap_discard_request_body() will
++ * attempt to do so again after *every* request. So input
++ * filters must be prepared to give up an EOS if invoked after
++ * initially reading the request. The HTTP_IN filter does this
++ * with its ->eos_sent flag. */
++
++ APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_eos_create(f->c->bucket_alloc));
++ return APR_SUCCESS;
++ }
++
+ if (mode == AP_MODE_READBYTES) {
+ apr_bucket *e;
+
+@@ -1621,8 +1645,9 @@ static apr_status_t ssl_io_filter_buffer
+ }
+
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, f->c,
+- "buffered SSL brigade now exhausted; removing filter");
+- ap_remove_input_filter(f);
++ "buffered SSL brigade exhausted");
++ /* Note that the filter must *not* be removed here; it may be
++ * invoked again, see comment above. */
+ }
+
+ return APR_SUCCESS;
+@@ -1691,7 +1716,7 @@ void ssl_io_filter_register(apr_pool_t *
+ ap_register_input_filter (ssl_io_filter, ssl_io_filter_input, NULL, AP_FTYPE_CONNECTION + 5);
+ ap_register_output_filter (ssl_io_filter, ssl_io_filter_output, NULL, AP_FTYPE_CONNECTION + 5);
+
+- ap_register_input_filter (ssl_io_buffer, ssl_io_filter_buffer, NULL, AP_FTYPE_PROTOCOL - 1);
++ ap_register_input_filter (ssl_io_buffer, ssl_io_filter_buffer, NULL, AP_FTYPE_PROTOCOL);
+
+ return;
+ }
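Review bot: The filter-removal loop added near the top of ssl_io_buffer_fill, `while (r->proto_input_filters->frec->ftype < AP_FTYPE_CONNECTION)`, dereferences `r->proto_input_filters` on every iteration without checking for NULL, so if the input chain were ever exhausted before a filter of type AP_FTYPE_CONNECTION or higher is reached the server would fault instead of failing cleanly; a guard such as `while (r->proto_input_filters && r->proto_input_filters->frec->ftype < AP_FTYPE_CONNECTION)` keeps the loop bounded by the chain itself. As far as this hunk shows a connection-level filter should always be present (ssl_io_filter is registered at `AP_FTYPE_CONNECTION + 5` in the last sub-hunk), so this is a defensive check rather than a demonstrated crash, but it is cheap and the loop is on a path that handles client-supplied request bodies. Separately, the patch preamble above still describes only the SNI support taken from the EdelKey project, while this new section changes ssl_engine_io.c and its added comments cite PR 43738; a sentence in the preamble stating that the request-body buffering filter fix is carried in this patch would help whoever next rebases it. The body of ssl_io_buffer_fill begins outside the hunk.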