You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by jo...@apache.org on 2019/11/21 15:51:32 UTC

svn commit: r1870095 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Author: jorton
Date: Thu Nov 21 15:51:32 2019
New Revision: 1870095

URL: http://svn.apache.org/viewvc?rev=1870095&view=rev
Log:
Buffer HTTP request bodies for TLSv1.3 PHA in the same way as for
TLSv<1.3 renegotiation.

* modules/ssl/ssl_engine_kernel.c (fill_reneg_buffer): Factor
  out...
  (ssl_hook_Access_classic): ... from here.
  (ssl_hook_Access_modern): Use it here too.

Github: closes #75

Modified:
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1870095&r1=1870094&r2=1870095&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Thu Nov 21 15:51:32 2019
@@ -114,6 +114,45 @@ static int has_buffered_data(request_rec
     return result;
 }
 
+/* If a renegotiation is required for the location, and the request
+ * includes a message body (and the client has not requested a "100
+ * Continue" response), then the client will be streaming the request
+ * body over the wire already.  In that case, it is not possible to
+ * stop and perform a new SSL handshake immediately; once the SSL
+ * library moves to the "accept" state, it will reject the SSL packets
+ * which the client is sending for the request body.
+ *
+ * To allow authentication to complete in the hook, the solution used
+ * here is to fill a (bounded) buffer with the request body, and then
+ * to reinject that request body later.
+ *
+ * This function is called to fill the renegotiation buffer for the
+ * location as required, or fail.  Returns zero on success or HTTP_
+ * error code on failure.
+ */
+static int fill_reneg_buffer(request_rec *r, SSLDirConfigRec *dc)
+{
+    int rv;
+    apr_size_t rsize;
+
+    /* ### this is HTTP/1.1 specific, special case for protocol? */
+    if (r->expecting_100 || !ap_request_has_body(r)) {
+        return 0;
+    }
+
+    rsize = dc->nRenegBufferSize == UNSET ? DEFAULT_RENEG_BUFFER_SIZE : dc->nRenegBufferSize;
+    if (rsize > 0) {
+        /* Fill the I/O buffer with the request body if possible. */
+        rv = ssl_io_buffer_fill(r, rsize);
+    }
+    else {
+        /* If the reneg buffer size is set to zero, just fail. */
+        rv = HTTP_REQUEST_ENTITY_TOO_LARGE;
+    }
+
+    return rv;
+}
+
 #ifdef HAVE_TLSEXT
 static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2)
 {
@@ -814,41 +853,14 @@ static int ssl_hook_Access_classic(reque
         }
     }
 
-    /* If a renegotiation is now required for this location, and the
-     * request includes a message body (and the client has not
-     * requested a "100 Continue" response), then the client will be
-     * streaming the request body over the wire already.  In that
-     * case, it is not possible to stop and perform a new SSL
-     * handshake immediately; once the SSL library moves to the
-     * "accept" state, it will reject the SSL packets which the client
-     * is sending for the request body.
-     *
-     * To allow authentication to complete in this auth hook, the
-     * solution used here is to fill a (bounded) buffer with the
-     * request body, and then to reinject that request body later.
-     */
-    if (renegotiate && !renegotiate_quick
-        && !r->expecting_100
-        && ap_request_has_body(r)) {
-        int rv;
-        apr_size_t rsize;
-
-        rsize = dc->nRenegBufferSize == UNSET ? DEFAULT_RENEG_BUFFER_SIZE :
-                                                dc->nRenegBufferSize;
-        if (rsize > 0) {
-            /* Fill the I/O buffer with the request body if possible. */
-            rv = ssl_io_buffer_fill(r, rsize);
-        }
-        else {
-            /* If the reneg buffer size is set to zero, just fail. */
-            rv = HTTP_REQUEST_ENTITY_TOO_LARGE;
-        }
-
-        if (rv) {
+    /* Fill reneg buffer if required. */
+    if (renegotiate && !renegotiate_quick) {
+        rc = fill_reneg_buffer(r, dc);
+        if (rc) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02257)
                           "could not buffer message body to allow "
                           "SSL renegotiation to proceed");
-            return rv;
+            return rc;
         }
     }
 
@@ -1132,6 +1144,17 @@ static int ssl_hook_Access_modern(reques
             }
         }
 
+        /* Fill reneg buffer if required. */
+        if (change_vmode) {
+            rc = fill_reneg_buffer(r, dc);
+            if (rc) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
+                              "could not buffer message body to allow "
+                              "TLS Post-Handshake Authentication to proceed");
+                return rc;
+            }
+        }
+
         if (change_vmode) {
             char peekbuf[1];

Re: svn commit: r1870095 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Posted by Joe Orton <jo...@redhat.com>.
On Mon, Aug 17, 2020 at 02:07:33PM +0200, Ruediger Pluem wrote:
> On 11/21/19 4:51 PM, jorton@apache.org wrote:
> > Author: jorton
> > Date: Thu Nov 21 15:51:32 2019
> > New Revision: 1870095
> > 
> > URL: http://svn.apache.org/viewvc?rev=1870095&view=rev
...
> > @@ -1132,6 +1144,17 @@ static int ssl_hook_Access_modern(reques
> >              }
> >          }
> >  
> > +        /* Fill reneg buffer if required. */
> > +        if (change_vmode) {
> 
> Why can't we put this block below the
> 
> if (change_vmode)
> 
> a few lines below?

Good question, thanks for the review.  No good reason, and moving the 
call after the r->connection->master test is presumably better.  Done in 
r1880927.

Regards, Joe

Re: svn commit: r1870095 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Posted by Ruediger Pluem <rp...@apache.org>.

On 11/21/19 4:51 PM, jorton@apache.org wrote:
> Author: jorton
> Date: Thu Nov 21 15:51:32 2019
> New Revision: 1870095
> 
> URL: http://svn.apache.org/viewvc?rev=1870095&view=rev
> Log:
> Buffer HTTP request bodies for TLSv1.3 PHA in the same way as for
> TLSv<1.3 renegotiation.
> 
> * modules/ssl/ssl_engine_kernel.c (fill_reneg_buffer): Factor
>   out...
>   (ssl_hook_Access_classic): ... from here.
>   (ssl_hook_Access_modern): Use it here too.
> 
> Github: closes #75
> 
> Modified:
>     httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> 
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1870095&r1=1870094&r2=1870095&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Thu Nov 21 15:51:32 2019

> @@ -1132,6 +1144,17 @@ static int ssl_hook_Access_modern(reques
>              }
>          }
>  
> +        /* Fill reneg buffer if required. */
> +        if (change_vmode) {

Why can't we put this block below the

if (change_vmode)

a few lines below?

> +            rc = fill_reneg_buffer(r, dc);
> +            if (rc) {
> +                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
> +                              "could not buffer message body to allow "
> +                              "TLS Post-Handshake Authentication to proceed");
> +                return rc;
> +            }
> +        }
> +
>          if (change_vmode) {
>              char peekbuf[1];

Regards

RĂ¼diger