author | Rob Crittenden <rcritten@redhat.com> | 2015-06-10 18:01:45 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2015-06-10 18:02:17 -0400 |
commit | a62526d425dcbeaa1486cf685c2927afa0459e1d (patch) | |
tree | 2898f59fbdc2cf7cd9f5184706d7cc05b12df4bb | |
parent | cc9794ee5309782b5df1b782aa2e15bbd5068612 (diff) | |
Add RenegBufferSize option
Control the buffer size used on a POST when SSL renegotiation is
being done. The default is 128K.
Resolves BZ 1214366
-rw-r--r-- | docs/mod_nss.html | 15 | ||||
-rw-r--r-- | mod_nss.c | 5 | ||||
-rw-r--r-- | mod_nss.h | 10 | ||||
-rw-r--r-- | nss_engine_config.c | 21 | ||||
-rw-r--r-- | nss_engine_io.c | 10 | ||||
-rw-r--r-- | nss_engine_kernel.c | 13 |
6 files changed, 67 insertions, 7 deletions
diff --git a/docs/mod_nss.html b/docs/mod_nss.html
index 052a464..e2a4fe2 100644
--- a/docs/mod_nss.html
+++ b/docs/mod_nss.html
@@ -1033,6 +1033,21 @@ components of the client certificate, the remote IP address, etc.<br>
 <br>
 <code>NSSRequire<br>
 </code><br>
+<br>
+<big><big>NSSRenegBufferSize</big></big><br>
+<br>
+Configure the amount of memory that will be used for buffering the
+request body if a per-location SSL renegotiation is required due
+to changed access control requirements. The value is in bytes.
+The default is 128K.
+<br>
+If set to 0 then no buffering is done.
+<br><br>
+<span style="font-weight: bold;">Example</span><br>
+<br>
+<code>NSSRenegBufferSize 262144<br>
+</code><br>
+<br>
 <big><big>NSSProxyEngine</big></big><br>
 <br>
 Enables or disables mod_nss HTTPS support for mod_proxy.<br>
@@ -127,6 +127,11 @@ static const command_rec nss_config_cmds[] = {
 SSL_CMD_DIR(Require, AUTHCFG, RAW_ARGS,
 "Require a boolean expression to evaluate to true for granting access"
 "(arbitrary complex boolean expression - see manual)")
+ SSL_CMD_DIR(RenegBufferSize, AUTHCFG, TAKE1,
+ "Configure the amount of memory that will be used for buffering the "
+ "request body if a per-location SSL renegotiation is required due to "
+ "changed access control requirements")
+
 /*
 * Proxy configuration for remote SSL connections
 */
@@ -143,6 +143,11 @@ ap_set_module_config(c->conn_config, &nss_module, val)
 #define SSL_SESSION_CACHE_SIZE 10000
 #endif
+/* Default setting for per-dir reneg buffer. */
+#ifndef DEFAULT_RENEG_BUFFER_SIZE
+#define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
+#endif
+
 /*
 * Define the SSL options
 */
@@ -328,6 +333,7 @@ typedef struct {
 const char *szCipherSuite;
 nss_verify_t nVerifyClient;
 const char *szUserName;
+ apr_size_t nRenegBufferSize;
 } SSLDirConfigRec;
 /*
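Review bot: The new `SSL_CMD_DIR(RenegBufferSize, AUTHCFG, TAKE1, ...)` entry uses the same override class as NSSRequire, so if `SSL_CMD_DIR` maps `AUTHCFG` to `OR_AUTHCFG` (as the analogous macro in mod_ssl does, which I cannot confirm from this hunk) anyone allowed to write a `.htaccess` under `AllowOverride AuthConfig` can raise the per-request body buffer for their directory, and the parser bounds the value only from below. That is defensible for parity with mod_ssl's SSLRenegBufferSize, but neither the help string here nor the docs/mod_nss.html text in this commit says that the buffer is held in memory for each renegotiating request or that 0 turns buffering off. I would extend the help string with `"; in bytes, 0 disables buffering, settable per-directory"` so the behaviour is visible from `httpd -L` as well as from the manual.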
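Review bot: `apr_size_t nRenegBufferSize;` is added to SSLDirConfigRec without a comment although it carries three distinct states: nss_config_perdir_create stores `UNSET` into it, nss_hook_Access in nss_engine_kernel.c tests it against `UNSET` to substitute `DEFAULT_RENEG_BUFFER_SIZE`, and 0 makes that hook reject any renegotiating request that has a body. Because the field is unsigned, the `UNSET` sentinel presumably relies on a negative int converting to the largest `apr_size_t` value, and `cfgMergeInt` in nss_config_perdir_merge depends on the same comparison; that is worth recording next to the field rather than in three other files. I would write `apr_size_t nRenegBufferSize; /* bytes; UNSET = DEFAULT_RENEG_BUFFER_SIZE, 0 = no buffering (request rejected) */`.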
@@ -395,6 +401,8 @@ const char *nss_cmd_NSSUserName(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSOptions(cmd_parms *, void *, const char *);
 const char *nss_cmd_NSSRequireSSL(cmd_parms *cmd, void *dcfg);
 const char *nss_cmd_NSSRequire(cmd_parms *, void *, const char *);
+const char *nss_cmd_NSSRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
+
 const char *nss_cmd_NSSProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char *nss_cmd_NSSProxyProtocol(cmd_parms *, void *, const char *);
@@ -455,7 +463,7 @@ char *nss_util_readfilter(server_rec *, apr_pool_t *, const char *, const char * const *);
 /* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
 * to allow an SSL renegotiation to take place. */
-int nss_io_buffer_fill(request_rec *r);
+int nss_io_buffer_fill(request_rec *r, apr_size_t maxlen);
 int nss_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix);
diff --git a/nss_engine_config.c b/nss_engine_config.c
index eac7f18..d1a83d4 100644
--- a/nss_engine_config.c
+++ b/nss_engine_config.c
@@ -240,6 +240,8 @@ void *nss_config_perdir_create(apr_pool_t *p, char *dir) {
 dc->szUserName = NULL;
+ dc->nRenegBufferSize = UNSET;
+
 return dc;
 }
@@ -272,6 +274,23 @@ const char *nss_cmd_NSSRequire(cmd_parms *cmd,
 return NULL;
 }
+const char *nss_cmd_NSSRenegBufferSize(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLDirConfigRec *dc = dcfg;
+ int val;
+
+ val = atoi(arg);
+ if (val < 0) {
+ return apr_pstrcat(cmd->pool, "Invalid size for NSSRenegBufferSize: ",
+ arg, NULL);
+ }
+ dc->nRenegBufferSize = val;
+
+ return NULL;
+}
+
 void *nss_config_perdir_merge(apr_pool_t *p, void *basev, void *addv) {
 SSLDirConfigRec *base = (SSLDirConfigRec *)basev;
 SSLDirConfigRec *add = (SSLDirConfigRec *)addv;
@@ -299,6 +318,8 @@ void *nss_config_perdir_merge(apr_pool_t *p, void *basev, void *addv) {
 cfgMergeString(szUserName);
+ cfgMergeInt(nRenegBufferSize);
+
 return mrg;
 }
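Review bot: The prototype of nss_io_buffer_fill gains `apr_size_t maxlen`, but the comment above it still describes the old single-argument contract, and the definition in nss_engine_io.c (changed in the same commit) carries no header comment at all. From the nss_engine_io.c hunk the parameter is the upper bound, in bytes, on the request body that is set aside, and a body larger than that makes the function return `HTTP_REQUEST_ENTITY_TOO_LARGE`; the "0 means disabled" case is decided by the caller in nss_hook_Access before the call, not inside this function. I would extend the comment with ` * maxlen bounds the body set aside, in bytes; a larger body yields` / ` * HTTP_REQUEST_ENTITY_TOO_LARGE. A value of 0 is handled by the caller.` and repeat it at the definition.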
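Review bot: `val = atoi(arg);` in nss_cmd_NSSRenegBufferSize cannot report bad input: a non-numeric argument such as `NSSRenegBufferSize 128K` (the docs hunk writes the default exactly that way) silently becomes 0, which nss_hook_Access treats as "no buffering" and therefore rejects every renegotiating request that has a body; trailing garbage is ignored, and a value outside the `int` range is undefined behaviour in atoi. The result is also an `int` stored into an `apr_size_t`, so the sign check is the only thing keeping negative values out of an unsigned field. I would parse with `strtol` and reject empty, partially parsed, negative and out-of-range values as below (`<errno.h>` may need including if the APR headers do not already provide errno). The value stays bounded only from below, so each renegotiating request may hold up to that many bytes of body in memory; that is an operator-facing limit rather than a parser concern, but worth a sentence in the manual entry.
```c
const char *nss_cmd_NSSRenegBufferSize(cmd_parms *cmd,
                                       void *dcfg,
                                       const char *arg)
{
    SSLDirConfigRec *dc = dcfg;
    char *end;
    long val;

    /* atoi() maps "", "128K" or "abc" silently to 0 (buffering off) and has
     * undefined behaviour on overflow; accept only a complete, non-negative,
     * in-range decimal number. */
    errno = 0;
    val = strtol(arg, &end, 10);
    if (end == arg || *end != '\0' || errno == ERANGE || val < 0) {
        /* … unchanged: apr_pstrcat error return … */
    }
    dc->nRenegBufferSize = (apr_size_t)val;

    return NULL;
}
```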
diff --git a/nss_engine_io.c b/nss_engine_io.c
index c0fc20c..6e03a11 100644
--- a/nss_engine_io.c
+++ b/nss_engine_io.c
@@ -929,7 +929,7 @@ struct modnss_buffer_ctx {
 apr_pool_t *pool;
 };
-int nss_io_buffer_fill(request_rec *r)
+int nss_io_buffer_fill(request_rec *r, apr_size_t maxlen)
 {
 conn_rec *c = r->connection;
 struct modnss_buffer_ctx *ctx;
@@ -945,7 +945,8 @@ int nss_io_buffer_fill(request_rec *r)
 /* ... and a temporary brigade. */
 tempb = apr_brigade_create(r->pool, c->bucket_alloc);
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "filling buffer");
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "filling buffer, max size "
+ "%" APR_SIZE_T_FMT " bytes", maxlen);
 do {
 apr_status_t rv;
@@ -1001,9 +1002,10 @@ int nss_io_buffer_fill(request_rec *r)
 total, eos);
 /* Fail if this exceeds the maximum buffer size. */
- if (total > SSL_MAX_IO_BUFFER) {
+ if (total > maxlen) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "request body exceeds maximum size for SSL buffer");
+ "request body exceeds maximum size (%" APR_SIZE_T_FMT
+ ") for SSL buffer", maxlen);
 return HTTP_REQUEST_ENTITY_TOO_LARGE;
 }
diff --git a/nss_engine_kernel.c b/nss_engine_kernel.c
index 337ca67..721eedb 100644
--- a/nss_engine_kernel.c
+++ b/nss_engine_kernel.c
@@ -351,9 +351,18 @@ int nss_hook_Access(request_rec *r)
 && strcmp(apr_table_get(r->headers_in, "content-length"), "0")))
 && !r->expecting_100) {
 int rv;
+ apr_size_t rsize;
- /* Fill the I/O buffer with the request body if possible. */
- rv = nss_io_buffer_fill(r);
+ rsize = dc->nRenegBufferSize == UNSET ? DEFAULT_RENEG_BUFFER_SIZE :
+ dc->nRenegBufferSize;
+
+ if (rsize > 0) {
+ /* Fill the I/O buffer with the request body if possible. */
+ rv = nss_io_buffer_fill(r, rsize);
+ } else {
+ /* If the reneg buffer size is set to zero, just fail. */
+ rv = HTTP_REQUEST_ENTITY_TOO_LARGE;
+ }
 if (rv) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, |