You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ic...@apache.org on 2015/10/22 15:23:28 UTC
svn commit: r1710014 - in /httpd/httpd/trunk/modules/http2: h2_conn.c
h2_from_h1.c h2_h2.c h2_h2.h h2_io.c h2_io.h h2_mplx.c h2_response.c
h2_response.h h2_task.c
Author: icing
Date: Thu Oct 22 13:23:28 2015
New Revision: 1710014
URL: http://svn.apache.org/viewvc?rev=1710014&view=rev
Log:
mod_http2: no longer messing with mod_ssl config in slave connections, special RST_STREAM failures when 403 responses are due to prohibited TLS renegotiations
Modified:
httpd/httpd/trunk/modules/http2/h2_conn.c
httpd/httpd/trunk/modules/http2/h2_from_h1.c
httpd/httpd/trunk/modules/http2/h2_h2.c
httpd/httpd/trunk/modules/http2/h2_h2.h
httpd/httpd/trunk/modules/http2/h2_io.c
httpd/httpd/trunk/modules/http2/h2_io.h
httpd/httpd/trunk/modules/http2/h2_mplx.c
httpd/httpd/trunk/modules/http2/h2_response.c
httpd/httpd/trunk/modules/http2/h2_response.h
httpd/httpd/trunk/modules/http2/h2_task.c
Modified: httpd/httpd/trunk/modules/http2/h2_conn.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_conn.c?rev=1710014&r1=1710013&r2=1710014&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_conn.c (original)
+++ httpd/httpd/trunk/modules/http2/h2_conn.c Thu Oct 22 13:23:28 2015
@@ -44,7 +44,6 @@ static apr_status_t h2_session_process(h
static h2_mpm_type_t mpm_type = H2_MPM_UNKNOWN;
static module *mpm_module;
-static module *ssl_module;
static int checked;
static void check_modules(void)
@@ -65,9 +64,6 @@ static void check_modules(void)
mpm_type = H2_MPM_PREFORK;
mpm_module = m;
}
- else if (!strcmp("mod_ssl.c", m->name)) {
- ssl_module = m;
- }
}
checked = 1;
}
@@ -104,9 +100,6 @@ apr_status_t h2_conn_child_init(apr_pool
mpm_type = H2_MPM_PREFORK;
mpm_module = m;
}
- else if (!strcmp("mod_ssl.c", m->name)) {
- ssl_module = m;
- }
}
if (minw <= 0) {
@@ -422,22 +415,12 @@ apr_status_t h2_conn_setup(h2_task_env *
env->c.conn_config = ap_create_conn_config(env->pool);
env->c.notes = apr_table_make(env->pool, 5);
+ /* In order to do this in 2.4.x, we need to add a member to conn_rec */
+ env->c.master = master;
+
ap_set_module_config(env->c.conn_config, &core_module,
h2_worker_get_socket(worker));
- /* If we serve http:// requests over a TLS connection, we do
- * not want any mod_ssl vars to be visible.
- */
- if (ssl_module && (!env->scheme || strcmp("http", env->scheme))) {
- /* See #19, there is a range of SSL variables to be gotten from
- * the main connection that should be available in request handlers
- */
- void *sslcfg = ap_get_module_config(master->conn_config, ssl_module);
- if (sslcfg) {
- ap_set_module_config(env->c.conn_config, ssl_module, sslcfg);
- }
- }
-
/* This works for mpm_worker so far. Other mpm modules have
* different needs, unfortunately. The most interesting one
* being mpm_event...
Modified: httpd/httpd/trunk/modules/http2/h2_from_h1.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_from_h1.c?rev=1710014&r1=1710013&r2=1710014&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_from_h1.c (original)
+++ httpd/httpd/trunk/modules/http2/h2_from_h1.c Thu Oct 22 13:23:28 2015
@@ -78,9 +78,9 @@ h2_response *h2_from_h1_get_response(h2_
static apr_status_t make_h2_headers(h2_from_h1 *from_h1, request_rec *r)
{
- from_h1->response = h2_response_create(from_h1->stream_id,
- from_h1->status, from_h1->hlines,
- from_h1->pool);
+ from_h1->response = h2_response_create(from_h1->stream_id, 0,
+ from_h1->status, from_h1->hlines,
+ from_h1->pool);
if (from_h1->response == NULL) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EINVAL, r->connection,
APLOGNO(02915)
Modified: httpd/httpd/trunk/modules/http2/h2_h2.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_h2.c?rev=1710014&r1=1710013&r2=1710014&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_h2.c (original)
+++ httpd/httpd/trunk/modules/http2/h2_h2.c Thu Oct 22 13:23:28 2015
@@ -437,14 +437,6 @@ int h2_h2_is_tls(conn_rec *c)
return opt_ssl_is_https && opt_ssl_is_https(c);
}
-int h2_tls_disable(conn_rec *c)
-{
- if (opt_ssl_engine_disable) {
- return opt_ssl_engine_disable(c);
- }
- return 0;
-}
-
int h2_is_acceptable_connection(conn_rec *c, int require_all)
{
int is_tls = h2_h2_is_tls(c);
Modified: httpd/httpd/trunk/modules/http2/h2_h2.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_h2.h?rev=1710014&r1=1710013&r2=1710014&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_h2.h (original)
+++ httpd/httpd/trunk/modules/http2/h2_h2.h Thu Oct 22 13:23:28 2015
@@ -34,6 +34,21 @@ extern const char *h2_tls_protos[];
*/
extern const char *H2_MAGIC_TOKEN;
+#define H2_ERR_NO_ERROR (0x00)
+#define H2_ERR_PROTOCOL_ERROR (0x01)
+#define H2_ERR_INTERNAL_ERROR (0x02)
+#define H2_ERR_FLOW_CONTROL_ERROR (0x03)
+#define H2_ERR_SETTINGS_TIMEOUT (0x04)
+#define H2_ERR_STREAM_CLOSED (0x05)
+#define H2_ERR_FRAME_SIZE_ERROR (0x06)
+#define H2_ERR_REFUSED_STREAM (0x07)
+#define H2_ERR_CANCEL (0x08)
+#define H2_ERR_COMPRESSION_ERROR (0x09)
+#define H2_ERR_CONNECT_ERROR (0x0a)
+#define H2_ERR_ENHANCE_YOUR_CALM (0x0b)
+#define H2_ERR_INADEQUATE_SECURITY (0x0c)
+#define H2_ERR_HTTP_1_1_REQUIRED (0x0d)
+
/*
* One time, post config intialization.
*/
@@ -43,12 +58,6 @@ apr_status_t h2_h2_init(apr_pool_t *pool
*/
int h2_h2_is_tls(conn_rec *c);
-/* Disable SSL for this connection, can only be invoked in a pre-
- * connection hook before mod_ssl.
- * @return != 0 iff disable worked
- */
-int h2_tls_disable(conn_rec *c);
-
/* Register apache hooks for h2 protocol
*/
void h2_h2_register_hooks(void);
Modified: httpd/httpd/trunk/modules/http2/h2_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_io.c?rev=1710014&r1=1710013&r2=1710014&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_io.c (original)
+++ httpd/httpd/trunk/modules/http2/h2_io.c Thu Oct 22 13:23:28 2015
@@ -47,6 +47,17 @@ void h2_io_destroy(h2_io *io)
h2_io_cleanup(io);
}
+void h2_io_set_response(h2_io *io, h2_response *response)
+{
+ AP_DEBUG_ASSERT(response);
+ AP_DEBUG_ASSERT(!io->response);
+ io->response = h2_response_copy(io->pool, response);
+ if (response->rst_error) {
+ h2_io_rst(io, response->rst_error);
+ }
+}
+
+
void h2_io_rst(h2_io *io, int error)
{
io->rst_error = error;
Modified: httpd/httpd/trunk/modules/http2/h2_io.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_io.h?rev=1710014&r1=1710013&r2=1710014&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_io.h (original)
+++ httpd/httpd/trunk/modules/http2/h2_io.h Thu Oct 22 13:23:28 2015
@@ -61,6 +61,11 @@ h2_io *h2_io_create(int id, apr_pool_t *
void h2_io_destroy(h2_io *io);
/**
+ * Set the response of this stream.
+ */
+void h2_io_set_response(h2_io *io, struct h2_response *response);
+
+/**
* Reset the stream with the given error code.
*/
void h2_io_rst(h2_io *io, int error);
Modified: httpd/httpd/trunk/modules/http2/h2_mplx.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_mplx.c?rev=1710014&r1=1710013&r2=1710014&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_mplx.c (original)
+++ httpd/httpd/trunk/modules/http2/h2_mplx.c Thu Oct 22 13:23:28 2015
@@ -591,8 +591,7 @@ static apr_status_t out_open(h2_mplx *m,
m->id, stream_id, response->status);
}
- io->response = h2_response_copy(io->pool, response);
- AP_DEBUG_ASSERT(io->response);
+ h2_io_set_response(io, response);
h2_io_set_add(m->ready_ios, io);
if (bb) {
status = out_write(m, io, f, bb, iowait);
@@ -680,7 +679,7 @@ apr_status_t h2_mplx_out_close(h2_mplx *
* insert an error one so that our streams can properly
* reset.
*/
- h2_response *r = h2_response_create(stream_id,
+ h2_response *r = h2_response_create(stream_id, 0,
"500", NULL, m->pool);
status = out_open(m, stream_id, r, NULL, NULL, NULL);
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, status, m->c,
Modified: httpd/httpd/trunk/modules/http2/h2_response.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_response.c?rev=1710014&r1=1710013&r2=1710014&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_response.c (original)
+++ httpd/httpd/trunk/modules/http2/h2_response.c Thu Oct 22 13:23:28 2015
@@ -25,6 +25,7 @@
#include <nghttp2/nghttp2.h>
#include "h2_private.h"
+#include "h2_h2.h"
#include "h2_util.h"
#include "h2_response.h"
@@ -41,6 +42,7 @@ static int ignore_header(const char *nam
}
h2_response *h2_response_create(int stream_id,
+ int rst_error,
const char *http_status,
apr_array_header_t *hlines,
apr_pool_t *pool)
@@ -53,7 +55,8 @@ h2_response *h2_response_create(int stre
}
response->stream_id = stream_id;
- response->status = http_status;
+ response->rst_error = rst_error;
+ response->status = http_status? http_status : "500";
response->content_length = -1;
if (hlines) {
@@ -112,6 +115,19 @@ h2_response *h2_response_rcreate(int str
response->status = apr_psprintf(pool, "%d", r->status);
response->content_length = -1;
response->rheader = header;
+
+ if (r->status == HTTP_FORBIDDEN) {
+ const char *cause = apr_table_get(r->notes, "ssl-renegotiate-forbidden");
+ if (cause) {
+ /* This request triggered a TLS renegotiation that is now allowed
+ * in HTTP/2. Tell the client that it should use HTTP/1.1 for this.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, r->status, r,
+ "h2_response(%ld-%d): renegotiate forbidden, cause: %s",
+ (long)r->connection->id, stream_id, cause);
+ response->rst_error = H2_ERR_HTTP_1_1_REQUIRED;
+ }
+ }
return response;
}
Modified: httpd/httpd/trunk/modules/http2/h2_response.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_response.h?rev=1710014&r1=1710013&r2=1710014&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_response.h (original)
+++ httpd/httpd/trunk/modules/http2/h2_response.h Thu Oct 22 13:23:28 2015
@@ -26,6 +26,7 @@ typedef struct h2_ngheader {
typedef struct h2_response {
int stream_id;
+ int rst_error;
const char *status;
apr_off_t content_length;
apr_table_t *rheader;
@@ -33,9 +34,10 @@ typedef struct h2_response {
} h2_response;
h2_response *h2_response_create(int stream_id,
- const char *http_status,
- apr_array_header_t *hlines,
- apr_pool_t *pool);
+ int rst_error,
+ const char *http_status,
+ apr_array_header_t *hlines,
+ apr_pool_t *pool);
h2_response *h2_response_rcreate(int stream_id, request_rec *r,
apr_table_t *header, apr_pool_t *pool);
Modified: httpd/httpd/trunk/modules/http2/h2_task.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_task.c?rev=1710014&r1=1710013&r2=1710014&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_task.c (original)
+++ httpd/httpd/trunk/modules/http2/h2_task.c Thu Oct 22 13:23:28 2015
@@ -121,12 +121,6 @@ static int h2_task_pre_conn(conn_rec* c,
if (h2_ctx_is_task(ctx)) {
h2_task_env *env = h2_ctx_get_task(ctx);
- /* This connection is a pseudo-connection used for a h2_task.
- * Since we read/write directly from it ourselves, we need
- * to disable a possible ssl connection filter.
- */
- h2_tls_disable(c);
-
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
"h2_h2, pre_connection, found stream task");