Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/
Committed something with explanations (hopefully) in r1812193. Does it sound good? On Thu, Oct 12, 2017 at 3:54 AM, William A Rowe Jrwrote: > I will review again tomorrow. > > My jump-around idea was to check against all of the bits in not dir loc > file, and if the module's MMN minor is too early, treat the section > as if that bit is set. > > > > On Oct 11, 2017 16:13, "Yann Ylavic" wrote: > > On Wed, Oct 11, 2017 at 11:02 PM, Yann Ylavic wrote: >> On Wed, Oct 11, 2017 at 10:49 PM, Yann Ylavic >> wrote: >>> On Wed, Oct 11, 2017 at 10:38 PM, Yann Ylavic >>> wrote: Thus, how about if there, for 2.4.x only (i.e. backport patch), we'd instead check for: > +|| (((forbidden & NOT_IN_PROXY) > + || (forbidden & NOT_IN_DIR_LOC_FILE) == > NOT_IN_DIR_LOC_FILE > + || (forbidden & GLOBAL_ONLY) == GLOBAL_ONLY) > +&& ((found = ...) > +|| ...))) ? >>> >>> Looks like there are other usages of NOT_IN_DIR_LOC_FILE we should >>> hack in ap_check_cmd_context() too, but you probably see the idea... >> >> Actually, I think the correct fix, even for 2.5/trunk, is something >> for the attached patch. >> WDYT? > > Sorry, spoke^R patched too soon, this v2 is more correct I guess. > >
Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/
I will review again tomorrow. My jump-around idea was to check against all of the bits in not dir loc file, and if the module's MMN minor is too early, treat the section as if that bit is set. On Oct 11, 2017 16:13, "Yann Ylavic"wrote: On Wed, Oct 11, 2017 at 11:02 PM, Yann Ylavic wrote: > On Wed, Oct 11, 2017 at 10:49 PM, Yann Ylavic wrote: >> On Wed, Oct 11, 2017 at 10:38 PM, Yann Ylavic wrote: >>> >>> Thus, how about if there, for 2.4.x only (i.e. backport patch), we'd >>> instead check for: +|| (((forbidden & NOT_IN_PROXY) + || (forbidden & NOT_IN_DIR_LOC_FILE) == NOT_IN_DIR_LOC_FILE + || (forbidden & GLOBAL_ONLY) == GLOBAL_ONLY) +&& ((found = ...) +|| ...))) >>> ? >> >> Looks like there are other usages of NOT_IN_DIR_LOC_FILE we should >> hack in ap_check_cmd_context() too, but you probably see the idea... > > Actually, I think the correct fix, even for 2.5/trunk, is something > for the attached patch. > WDYT? Sorry, spoke^R patched too soon, this v2 is more correct I guess.
Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/
On Wed, Oct 11, 2017 at 11:02 PM, Yann Ylavicwrote: > On Wed, Oct 11, 2017 at 10:49 PM, Yann Ylavic wrote: >> On Wed, Oct 11, 2017 at 10:38 PM, Yann Ylavic wrote: >>> >>> Thus, how about if there, for 2.4.x only (i.e. backport patch), we'd >>> instead check for: +|| (((forbidden & NOT_IN_PROXY) + || (forbidden & NOT_IN_DIR_LOC_FILE) == NOT_IN_DIR_LOC_FILE + || (forbidden & GLOBAL_ONLY) == GLOBAL_ONLY) +&& ((found = ...) +|| ...))) >>> ? >> >> Looks like there are other usages of NOT_IN_DIR_LOC_FILE we should >> hack in ap_check_cmd_context() too, but you probably see the idea... > > Actually, I think the correct fix, even for 2.5/trunk, is something > for the attached patch. > WDYT? Sorry, spoke^R patched too soon, this v2 is more correct I guess. Index: include/http_config.h === --- include/http_config.h (revision 1811703) +++ include/http_config.h (working copy) @@ -950,10 +950,12 @@ AP_DECLARE(const char *) ap_check_cmd_context(cmd_ #define NOT_IN_FILES 0x10 /**< Forbidden in Files or If*/ #define NOT_IN_HTACCESS0x20 /**< Forbidden in .htaccess files */ #define NOT_IN_PROXY 0x40 /**< Forbidden in Proxy */ +/** Forbidden in Directory/Location/FilesIf*/ +#define NOT_IN_DIR_LOC_FILE(NOT_IN_DIRECTORY|NOT_IN_LOCATION|NOT_IN_FILES) /** Forbidden in Directory/Location/FilesIfProxy*/ -#define NOT_IN_DIR_LOC_FILE(NOT_IN_DIRECTORY|NOT_IN_LOCATION|NOT_IN_FILES|NOT_IN_PROXY) +#define NOT_IN_DIR_LOC_FILE_PROXY (NOT_IN_DIR_LOC_FILE|NOT_IN_PROXY) /** Forbidden in VirtualHost/Limit/Directory/Location/Files/IfProxy*/ -#define GLOBAL_ONLY(NOT_IN_VIRTUALHOST|NOT_IN_LIMIT|NOT_IN_DIR_LOC_FILE) +#define GLOBAL_ONLY(NOT_IN_VIRTUALHOST|NOT_IN_LIMIT|NOT_IN_DIR_LOC_FILE_PROXY) /** @} */ Index: server/core.c === --- server/core.c (revision 1811703) +++ server/core.c (working copy) @@ -1323,7 +1323,9 @@ AP_DECLARE(const char *) ap_check_cmd_context(cmd_ || (found = find_parent(cmd->directive, " directive, " directive, " directive, " directive, " pool, cmd->cmd->name, gt,
Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/
On Wed, Oct 11, 2017 at 10:49 PM, Yann Ylavicwrote: > On Wed, Oct 11, 2017 at 10:38 PM, Yann Ylavic wrote: >> >> Thus, how about if there, for 2.4.x only (i.e. backport patch), we'd >> instead check for: >>> +|| (((forbidden & NOT_IN_PROXY) >>> + || (forbidden & NOT_IN_DIR_LOC_FILE) == NOT_IN_DIR_LOC_FILE >>> + || (forbidden & GLOBAL_ONLY) == GLOBAL_ONLY) >>> +&& ((found = ...) >>> +|| ...))) >> ? > > Looks like there are other usages of NOT_IN_DIR_LOC_FILE we should > hack in ap_check_cmd_context() too, but you probably see the idea... Actually, I think the correct fix, even for 2.5/trunk, is something for the attached patch. WDYT? Index: include/http_config.h === --- include/http_config.h (revision 1811703) +++ include/http_config.h (working copy) @@ -950,10 +950,12 @@ AP_DECLARE(const char *) ap_check_cmd_context(cmd_ #define NOT_IN_FILES 0x10 /**< Forbidden in Files or If*/ #define NOT_IN_HTACCESS0x20 /**< Forbidden in .htaccess files */ #define NOT_IN_PROXY 0x40 /**< Forbidden in Proxy */ +/** Forbidden in Directory/Location/FilesIf*/ +#define NOT_IN_DIR_LOC_FILE(NOT_IN_DIRECTORY|NOT_IN_LOCATION|NOT_IN_FILES) /** Forbidden in Directory/Location/FilesIfProxy*/ -#define NOT_IN_DIR_LOC_FILE(NOT_IN_DIRECTORY|NOT_IN_LOCATION|NOT_IN_FILES|NOT_IN_PROXY) +#define NOT_IN_DIR_LOC_FILE_PROXY (NOT_IN_DIR_LOC_FILE|NOT_IN_PROXY) /** Forbidden in VirtualHost/Limit/Directory/Location/Files/IfProxy*/ -#define GLOBAL_ONLY(NOT_IN_VIRTUALHOST|NOT_IN_LIMIT|NOT_IN_DIR_LOC_FILE) +#define GLOBAL_ONLY(NOT_IN_VIRTUALHOST|NOT_IN_LIMIT|NOT_IN_DIR_LOC_FILE_PROXY) /** @} */ Index: server/core.c === --- server/core.c (revision 1811703) +++ server/core.c (working copy) @@ -1323,7 +1323,9 @@ AP_DECLARE(const char *) ap_check_cmd_context(cmd_ || (found = find_parent(cmd->directive, " directive, " directive, " directive, " directive, " pool, cmd->cmd->name, gt,
Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/
On Wed, Oct 11, 2017 at 10:38 PM, Yann Ylavicwrote: > > Thus, how about if there, for 2.4.x only (i.e. backport patch), we'd > instead check for: >> +|| (((forbidden & NOT_IN_PROXY) >> + || (forbidden & NOT_IN_DIR_LOC_FILE) == NOT_IN_DIR_LOC_FILE >> + || (forbidden & GLOBAL_ONLY) == GLOBAL_ONLY) >> +&& ((found = ...) >> +|| ...))) > ? Looks like there are other usages of NOT_IN_DIR_LOC_FILE we should hack in ap_check_cmd_context() too, but you probably see the idea...
Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/
On Wed, Oct 11, 2017 at 5:15 PM, William A Rowe Jrwrote: >> >> +#define NOT_IN_PROXY 0x40 /**< Forbidden in Proxy */ >> +/** Forbidden in >> Directory/Location/FilesIfProxy*/ >> +#define NOT_IN_DIR_LOC_FILE >> (NOT_IN_DIRECTORY|NOT_IN_LOCATION|NOT_IN_FILES|NOT_IN_PROXY) >> +/** Forbidden in >> VirtualHost/Limit/Directory/Location/Files/IfProxy*/ >> #define GLOBAL_ONLY >> (NOT_IN_VIRTUALHOST|NOT_IN_LIMIT|NOT_IN_DIR_LOC_FILE) > > Reviewing this in much more depth yesterday ... this doesn't seem > to be a minor MMN bump, so would not be backportable without some > extra heavy lifting on 2.4 interop. > > A module previously compiled against 2.4 would not carry the newly > correct definition of NOT_IN_DIR_LOC_FILE because all previously > compiled modules are missing the 0x40 bit, right? Hmm, right I suppose. So provided a user updates core to 2.4.thispatch but does not recompile some modules using NOT_IN_DIR_LOC_FILE or GLOBAL_ONLY against it (which is valid), then the new core would allow such defined directives in +|| ((forbidden & NOT_IN_PROXY) > +&& ((found = find_parent(..., " +|| (found = find_parent(..., " return apr_pstrcat(cmd->pool, cmd->cmd->name, gt, > " cannot occur within ", found->directive, > "> section", NULL); wouldn't match. Thus, how about if there, for 2.4.x only (i.e. backport patch), we'd instead check for: > +|| (((forbidden & NOT_IN_PROXY) > + || (forbidden & NOT_IN_DIR_LOC_FILE) == NOT_IN_DIR_LOC_FILE > + || (forbidden & GLOBAL_ONLY) == GLOBAL_ONLY) > +&& ((found = ...) > +|| ...))) ? ISTM that it's strictly equivalent, without the compatibility caveat. Does it work for you? > > That would be the definition of an MMN major bump, previously > compiled modules require recompilation. Yeah, we don't want that in 2.4.x, but SSLProxy* directives per sections yes :) At least I am, and will try ;)
Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/
On Mon, Apr 25, 2016 at 7:04 PM,wrote: > Author: ylavic > Date: Tue Apr 26 00:04:57 2016 > New Revision: 1740928 > > URL: http://svn.apache.org/viewvc?rev=1740928=rev > Log: > mod_proxy, mod_ssl: Handle SSLProxy* directives in sections, > allowing different TLS configurations per backend. > > > Modified: httpd/httpd/trunk/CHANGES > URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev= > 1740928=1740927=1740928=diff > > == > --- httpd/httpd/trunk/CHANGES [utf-8] (original) > +++ httpd/httpd/trunk/CHANGES [utf-8] Tue Apr 26 00:04:57 2016 > @@ -1,6 +1,9 @@ > -*- coding: > utf-8 -*- > Changes with Apache 2.5.0 > > + *) mod_proxy, mod_ssl: Handle SSLProxy* directives in sections, > + allowing different TLS configurations per backend. [Yann Ylavic] > + >*) mod_http2: eliminating h2_io instances for streams, reducing memory > pools and footprint. [Stefan Eissing] > > > Modified: httpd/httpd/trunk/include/http_config.h > URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/ > http_config.h?rev=1740928=1740927=1740928=diff > > == > --- httpd/httpd/trunk/include/http_config.h (original) > +++ httpd/httpd/trunk/include/http_config.h Tue Apr 26 00:04:57 2016 > @@ -249,6 +249,8 @@ struct command_struct { > #define NONFATAL_UNKNOWN 1024/* Unrecognised directive */ > #define NONFATAL_ALL (NONFATAL_OVERRIDE|NONFATAL_UNKNOWN) > > +#define PROXY_CONF 2048 /**< *.conf inside Proxy only */ > + > /** this directive can be placed anywhere */ > #define OR_ALL (OR_LIMIT|OR_OPTIONS|OR_FILEINFO|OR_AUTHCFG|OR_INDEXES) > > @@ -923,9 +925,10 @@ AP_DECLARE(const char *) ap_check_cmd_co > #define NOT_IN_LOCATION0x08 /**< Forbidden in Location */ > #define NOT_IN_FILES 0x10 /**< Forbidden in Files or > If*/ > #define NOT_IN_HTACCESS0x20 /**< Forbidden in .htaccess files */ > -/** Forbidden in Directory/Location/Files > If*/ > -#define NOT_IN_DIR_LOC_FILE(NOT_IN_DIRECTORY|NOT_IN_ > LOCATION|NOT_IN_FILES) > -/** Forbidden in VirtualHost/Limit/Directory/ > Location/Files/If */ > +#define NOT_IN_PROXY 0x40 /**< Forbidden in Proxy */ > +/** Forbidden in Directory/Location/Files > IfProxy*/ > +#define NOT_IN_DIR_LOC_FILE(NOT_IN_DIRECTORY|NOT_IN_ > LOCATION|NOT_IN_FILES|NOT_IN_PROXY) > +/** Forbidden in VirtualHost/Limit/Directory/ > Location/Files/IfProxy*/ > #define GLOBAL_ONLY(NOT_IN_VIRTUALHOST|NOT_IN_ > LIMIT|NOT_IN_DIR_LOC_FILE) > > /** @} */ > Reviewing this in much more depth yesterday ... this doesn't seem to be a minor MMN bump, so would not be backportable without some extra heavy lifting on 2.4 interop. A module previously compiled against 2.4 would not carry the newly correct definition of NOT_IN_DIR_LOC_FILE because all previously compiled modules are missing the 0x40 bit, right? That would be the definition of an MMN major bump, previously compiled modules require recompilation.
Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/
On Fri, Aug 19, 2016 at 5:49 PM, William A Rowe Jrwrote: > Additional issues since this patch in our maintainer mode... > > httpd-2.x/modules/ssl/ssl_engine_config.c: In function > 'ssl_cmd_SSLVerifyClient': > httpd-2.x/modules/ssl/ssl_engine_config.c:1083:27: warning: 'mode' may be > used uninitialized in this function [-Wmaybe-uninitialized] > dc->nVerifyClient = mode; >^ > httpd-2.x/modules/ssl/ssl_engine_config.c: In function > 'ssl_cmd_SSLProxyVerify': > httpd-2.x/modules/ssl/ssl_engine_config.c:1463:33: warning: 'mode' may be > used uninitialized in this function [-Wmaybe-uninitialized] > dc->proxy->auth.verify_mode = mode; > ^ > You might assert that ssl_cmd_verify_parse always populates the third arg > except in case of error, you didn't satisfy the compiler of this fact ;-) How couldn't it figure out that apr_pstrcat() never returns NULL? Clever compilers should really read all the docs :) Anyway, "fixed" in r1756976, thanks!
Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/
Additional issues since this patch in our maintainer mode... httpd-2.x/modules/ssl/ssl_engine_config.c: In function 'ssl_cmd_SSLVerifyClient': httpd-2.x/modules/ssl/ssl_engine_config.c:1083:27: warning: 'mode' may be used uninitialized in this function [-Wmaybe-uninitialized] dc->nVerifyClient = mode; ^ httpd-2.x/modules/ssl/ssl_engine_config.c: In function 'ssl_cmd_SSLProxyVerify': httpd-2.x/modules/ssl/ssl_engine_config.c:1463:33: warning: 'mode' may be used uninitialized in this function [-Wmaybe-uninitialized] dc->proxy->auth.verify_mode = mode; ^ You might assert that ssl_cmd_verify_parse always populates the third arg except in case of error, you didn't satisfy the compiler of this fact ;-) On Tue, Apr 26, 2016 at 4:46 AM, Yann Ylavicwrote: > On Tue, Apr 26, 2016 at 11:00 AM, Ruediger Pluem > wrote: > > > > On 04/26/2016 02:04 AM, yla...@apache.org wrote: > >> static int ssl_hook_pre_connection(conn_rec *c, void *csd) > >> { > >> - > >> SSLSrvConfigRec *sc; > >> SSLConnRec *sslconn = myConnConfig(c); > >> > >> -if (sslconn) { > >> -sc = mySrvConfig(sslconn->server); > >> -} > >> -else { > >> -sc = mySrvConfig(c->base_server); > >> -} > >> /* > >> * Immediately stop processing if SSL is disabled for this > connection > >> */ > >> -if (c->master || !(sc && (sc->enabled == SSL_ENABLED_TRUE || > >> - (sslconn && sslconn->is_proxy > >> -{ > >> +if (ssl_engine_status(c, sslconn) != OK) { > >> return DECLINED; > >> } > >> > >> -/* > >> - * Create SSL context > >> - */ > >> -if (!sslconn) { > >> -sslconn = ssl_init_connection_ctx(c); > >> +if (sslconn) { > >> +sc = mySrvConfig(sslconn->server); > >> } > >> - > >> -if (sslconn->disabled) { > >> -return DECLINED; > >> +else { > >> +sc = mySrvConfig(c->base_server); > >> } > > > > We have a change in behaviour here. We no longer guarantee that we have > an sslconn created and connected to c if SSL is > > enabled. Is this intended? > > Actually ssl_init_connection_ctx(c) is done by > ssl_init_ssl_connection() called just below (on return). > > Regards, > Yann. >
Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/
On Tue, Apr 26, 2016 at 11:00 AM, Ruediger Pluemwrote: > > On 04/26/2016 02:04 AM, yla...@apache.org wrote: >> static int ssl_hook_pre_connection(conn_rec *c, void *csd) >> { >> - >> SSLSrvConfigRec *sc; >> SSLConnRec *sslconn = myConnConfig(c); >> >> -if (sslconn) { >> -sc = mySrvConfig(sslconn->server); >> -} >> -else { >> -sc = mySrvConfig(c->base_server); >> -} >> /* >> * Immediately stop processing if SSL is disabled for this connection >> */ >> -if (c->master || !(sc && (sc->enabled == SSL_ENABLED_TRUE || >> - (sslconn && sslconn->is_proxy >> -{ >> +if (ssl_engine_status(c, sslconn) != OK) { >> return DECLINED; >> } >> >> -/* >> - * Create SSL context >> - */ >> -if (!sslconn) { >> -sslconn = ssl_init_connection_ctx(c); >> +if (sslconn) { >> +sc = mySrvConfig(sslconn->server); >> } >> - >> -if (sslconn->disabled) { >> -return DECLINED; >> +else { >> +sc = mySrvConfig(c->base_server); >> } > > We have a change in behaviour here. We no longer guarantee that we have an > sslconn created and connected to c if SSL is > enabled. Is this intended? Actually ssl_init_connection_ctx(c) is done by ssl_init_ssl_connection() called just below (on return). Regards, Yann.
Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/
On 04/26/2016 02:04 AM, yla...@apache.org wrote: > Author: ylavic > Date: Tue Apr 26 00:04:57 2016 > New Revision: 1740928 > > URL: http://svn.apache.org/viewvc?rev=1740928=rev > Log: > mod_proxy, mod_ssl: Handle SSLProxy* directives in sections, > allowing different TLS configurations per backend. > > > Modified: > httpd/httpd/trunk/CHANGES > httpd/httpd/trunk/include/http_config.h > httpd/httpd/trunk/modules/http2/h2_h2.c > httpd/httpd/trunk/modules/http2/mod_proxy_http2.c > httpd/httpd/trunk/modules/proxy/mod_proxy.c > httpd/httpd/trunk/modules/proxy/mod_proxy.h > httpd/httpd/trunk/modules/proxy/mod_proxy_connect.c > httpd/httpd/trunk/modules/proxy/mod_proxy_ftp.c > httpd/httpd/trunk/modules/proxy/mod_proxy_http.c > httpd/httpd/trunk/modules/proxy/mod_proxy_wstunnel.c > httpd/httpd/trunk/modules/proxy/proxy_util.c > httpd/httpd/trunk/modules/ssl/mod_ssl.c > httpd/httpd/trunk/modules/ssl/mod_ssl.h > httpd/httpd/trunk/modules/ssl/ssl_engine_config.c > httpd/httpd/trunk/modules/ssl/ssl_engine_init.c > httpd/httpd/trunk/modules/ssl/ssl_engine_io.c > httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c > httpd/httpd/trunk/modules/ssl/ssl_private.h > httpd/httpd/trunk/server/config.c > httpd/httpd/trunk/server/core.c > > Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1740928=1740927=1740928=diff > == > --- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original) > +++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Tue Apr 26 00:04:57 2016 > @@ -561,34 +605,21 @@ static apr_port_t ssl_hook_default_port( > > static int ssl_hook_pre_connection(conn_rec *c, void *csd) > { > - > SSLSrvConfigRec *sc; > SSLConnRec *sslconn = myConnConfig(c); > > -if (sslconn) { > -sc = mySrvConfig(sslconn->server); > -} > -else { > -sc = mySrvConfig(c->base_server); > -} > /* > * Immediately stop processing if SSL is disabled for this connection > */ > -if (c->master || !(sc && (sc->enabled == SSL_ENABLED_TRUE || > - (sslconn && sslconn->is_proxy > -{ > +if (ssl_engine_status(c, sslconn) != OK) { > return DECLINED; > } > > -/* > - * Create SSL context > - */ > -if (!sslconn) { > -sslconn = ssl_init_connection_ctx(c); > +if (sslconn) { > +sc = mySrvConfig(sslconn->server); > } > - > -if (sslconn->disabled) { > -return DECLINED; > +else { > +sc = mySrvConfig(c->base_server); > } We have a change in behaviour here. We no longer guarantee that we have an sslconn created and connected to c if SSL is enabled. Is this intended? > > /* Regards RĂ¼diger