DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12355>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12355 SSLVerifyClient directive in location make post to PHP script impossible [EMAIL PROTECTED] changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From [EMAIL PROTECTED] 2003-12-18 12:46 ------- Fixed the problem in the following way: Before the renegotiation is starting the body of the POST request will be readed via ap_get_client_block().(So content-length, chunking etc. is handeld correctly.) The data will be stored in a brigade and an input filter will be added just after the http_header_filter. That input filter has the data from it's ctx. So in any subsequent read call that input filter will be invoked and can return the stored data. P.S. Im not sure if the upload of the diff is ok, so I paste it to be sure *** mod_ssl.h.patched Thu Dec 18 13:11:48 2003 --- mod_ssl.h Thu Dec 18 13:13:19 2003 *************** *** 709,714 **** --- 709,715 ---- void ssl_io_filter_init(conn_rec *, SSL *); void ssl_io_filter_register(apr_pool_t *); long ssl_io_data_cb(BIO *, int, MODSSL_BIO_CB_ARG_TYPE *, int, long, long); + long ssl_io_suck(request_rec *); /* PRNG */ int ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *); *** ssl_engine_kernel.c.patched Thu Dec 18 13:11:39 2003 --- ssl_engine_kernel.c Thu Dec 18 13:15:04 2003 *************** *** 583,596 **** * * !! BUT ALL THIS IS STILL NOT RE-IMPLEMENTED FOR APACHE 2.0 !! */ ! if (renegotiate && !renegotiate_quick && (r->method_number == M_POST)) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, "SSL Re-negotiation in conjunction " "with POST method not supported!\n" "hint: try SSLOptions +OptRenegotiate"); ! return HTTP_METHOD_NOT_ALLOWED; } /* * now do the renegotiation if anything was actually reconfigured --- 583,602 ---- * * !! BUT ALL THIS IS STILL NOT RE-IMPLEMENTED FOR APACHE 2.0 !! */ ! if (renegotiate && !renegotiate_quick && (r->method_number == M_POST)) { ! #ifdef SSL_CONSERVATIVE ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, "SSL Re-negotiation in conjunction " "with POST method not supported!\n" "hint: try SSLOptions +OptRenegotiate"); ! return HTTP_METHOD_NOT_ALLOWED; + #else + if( ssl_io_suck(r) != OK) { + return HTTP_METHOD_NOT_ALLOWED; + } } + #endif /* SSL_CONSERVATIVE */ /* * now do the renegotiation if anything was actually reconfigured *** ssl_engine_io.c.patched Thu Dec 18 13:12:02 2003 --- ssl_engine_io.c Thu Dec 18 13:21:31 2003 *************** *** 897,902 **** --- 897,987 ---- } static const char ssl_io_filter[] = "SSL/TLS Filter"; + static const char ssl_buff_filter[] = "SSL/TLS Buffering Filter"; + /* + * reads the buffered data during a POST request with renegotiation + * will be registere at runtime. + * NOTE: we try to buffer the complete body. Use the attribute 'LimitRequestBody' + * preventing DOS attacks. + */ + long ssl_io_suck(request_rec *r) + { + apr_bucket *bucket; + apr_bucket_brigade *bb = apr_brigade_create(r->pool,r->connection->bucket_alloc); + + int readed = 0; + int len = 0; + int toRead= 0; + char *buffer = NULL; + char *pos = NULL; + + if(ap_setup_client_block(r,REQUEST_CHUNKED_DECHUNK) !=OK) { + return HTTP_METHOD_NOT_ALLOWED; + } + + if(!ap_should_client_block(r)) { + return OK; + } + + do { + buffer = apr_pcalloc(r->pool,HUGE_STRING_LEN); + toRead = HUGE_STRING_LEN; + + /* check malloc */ + if(buffer == NULL) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, + "SSL Re-negotiation in conjunction " + "with POST (buffering body failed)!\n"); + apr_brigade_destroy(bb); + return HTTP_METHOD_NOT_ALLOWED; + } + + /* fill the bucket */ + pos = buffer; + len = 0; + do { + readed = ap_get_client_block(r,pos,toRead); + + if(readed <=0) { + break; + } + + toRead -= readed; + + /* sanity */ + if(toRead<0) { + return HTTP_METHOD_NOT_ALLOWED; + } + + pos += readed; + len += readed; + } + while(toRead>0); + + /* check last read result */ + if(readed<0) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, + "SSL Re-negotiation in conjunction " + "with POST (reading body failed)!\n"); + apr_brigade_destroy(bb); + return HTTP_METHOD_NOT_ALLOWED; + } + + /* check if we have readed everything */ + if(len == 0) { + break; + } + bucket = apr_bucket_pool_create(buffer,len,r->pool,r->connection->bucket_alloc); + + APR_BRIGADE_INSERT_TAIL(bb, bucket); + } + while(1); + + //add the ssl_buff_filter_input + ap_add_input_filter(ssl_buff_filter, bb, r, r->connection); + + return OK; + } /* * Close the SSL part of the socket connection *************** *** 1361,1366 **** --- 1446,1529 ---- return status; } + static apr_status_t ssl_buff_filter_input(ap_filter_t *f, + apr_bucket_brigade *bb, + ap_input_mode_t mode, + apr_read_type_e block, + apr_off_t readbytes) + { + apr_bucket_brigade *aa = f->ctx; + apr_status_t rv; + + if(aa && !APR_BRIGADE_EMPTY(aa)) { + + if(mode == AP_MODE_READBYTES) { + apr_bucket *b; + apr_off_t missing = readbytes; + apr_size_t len; + const char *tmp; + + while (!APR_BRIGADE_EMPTY(aa)) { + b = APR_BRIGADE_FIRST(aa); + + rv = apr_bucket_read(b, &tmp, &len, APR_BLOCK_READ); + if (rv != APR_SUCCESS) { + return rv; + } + + /* consume whole bucket */ + if(missing >= len) { + APR_BUCKET_REMOVE(b); + APR_BRIGADE_INSERT_TAIL(bb,b); + } + /* comsume only a part */ + else{ + rv = apr_bucket_split(b, missing); + if (rv != APR_SUCCESS) { + return rv; + } + + APR_BUCKET_REMOVE(b); + APR_BRIGADE_INSERT_TAIL(bb, b); + break; + } + + missing -= len; + + if (missing = 0) { + break; + } + + if(missing<0) { + return AP_FILTER_ERROR; + } + } + return APR_SUCCESS; + } + else if (mode == AP_MODE_READBYTES) { + apr_bucket_brigade *nb = apr_brigade_create(f->r->pool,f->c->bucket_alloc); + + /* split */ + rv = apr_brigade_split_line(nb,aa,block,readbytes); + if( rv != APR_SUCCESS) { + return rv; + } + + /* concatinate */ + APR_BRIGADE_CONCAT(bb,aa); + + /* remember the rest */ + f->ctx = nb; + + return APR_SUCCESS; + } + + } + + + return ap_pass_brigade(f->next, bb); + } + static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c, SSL *ssl) { *************** *** 1417,1422 **** --- 1580,1586 ---- { ap_register_input_filter (ssl_io_filter, ssl_io_filter_input, NULL, AP_FTYPE_CONNECTION + 5); ap_register_output_filter (ssl_io_filter, ssl_io_filter_output, NULL, AP_FTYPE_CONNECTION + 5); + ap_register_input_filter (ssl_buff_filter, ssl_buff_filter_input, NULL, AP_FTYPE_PROTOCOL - 1); return; } --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
