Re: svn commit: r1908537 - /httpd/httpd/trunk/modules/ssl/

Tue, 02 Jul 2024 01:57:31 -0700 


On 7/1/24 3:01 PM, Ruediger Pluem wrote:
> 
> 
> On 6/27/24 3:48 PM, Ruediger Pluem wrote:
>>
>>
>> On 6/27/24 12:47 PM, Yann Ylavic wrote:
>>> On Thu, Jun 27, 2024 at 12:38 PM Yann Ylavic <ylavic....@gmail.com> wrote:
>>>>
>>>> On Thu, Jun 27, 2024 at 12:07 PM Ruediger Pluem <rpl...@apache.org> wrote:
>>>>>
>>>>> How about the below? I am yet undecided if I should follow the below 
>>>>> approach to have
>>>>> two completely separate callbacks depending on the OpenSSL version or one 
>>>>> with a lot of
>>>>> #If statements in it, but as much shared code as possible. Thoughts?
>>>>
>>>> Hm, I wouldn't duplicate the whole thing depending on openssl version.
>>>>
>>>> Something like the attached maybe? modssl_io_cb() will just consider
>>>> up to APR_INT32_MAX bytes, more shouldn't happen anyway and it's more
>>>> than enough for debug logs..
>>>
>>> We could even log the real length still if it matters, see attached v2.
>>
>> Thanks. Unfortunately the meaning of rc varies depending on if we have the 
>> ex or the non ex callback.
>> This is not in the documentation but only in the OpenSSL code :-(.
>> Furthermore the processed amount of data is in *processed in the ex case 
>> whereas in the non ex case it is in
>> rc. The intended amount of data to be processed is in len in the ex case and 
>> in argi in the non ex case.
>> Hence I propose the patch below. Of course we can have a longer debate if 
>> the len parameter to ssl_io_data_dump
>> should be int or size_t :-). And yes dumping more than APR_INT32_MAX bytes 
>> to the log might be bad.
> 
> Any further comments on whether we should limit the dump to APR_INT32_MAX or 
> not? I would guess that it will not matter
> in practice, but I am still open to it.
> BTW: I guess
> 
>  int len = data_len & APR_INT32_MAX;
> 
> would be wrong. It would need to be
> 
>  int len = data_len > APR_INT32_MAX ? APR_INT32_MAX : (int)data_len;
> 
> instead.

Updated patch.

Index: modules/ssl/ssl_engine_io.c
===================================================================
--- modules/ssl/ssl_engine_io.c (revision 1918813)
+++ modules/ssl/ssl_engine_io.c (working copy)
@@ -2308,7 +2308,7 @@
 #define DUMP_WIDTH 16

 static void ssl_io_data_dump(conn_rec *c, server_rec *s,
-                             const char *b, long len)
+                             const char *b, size_t len)
 {
     char buf[256];
     int i, j, rows, trunc, pos;
@@ -2361,7 +2361,7 @@
     }
     if (trunc > 0)
         ap_log_cserror(APLOG_MARK, APLOG_TRACE7, 0, c, s,
-                "| %04ld - <SPACES/NULS>", len + trunc);
+                "| %04" APR_SIZE_T_FMT " - <SPACES/NULS>", len + 
(size_t)trunc);
     ap_log_cserror(APLOG_MARK, APLOG_TRACE7, 0, c, s,
             
"+-------------------------------------------------------------------------+");
 }
@@ -2379,9 +2379,9 @@
     conn_rec *c;
     server_rec *s;
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
-    (void)len;
-    (void)processed;
+    (void)argi;
 #endif
+    (void)argl;

     if ((ssl = (SSL *)BIO_get_callback_arg(bio)) == NULL)
         return rc;
@@ -2391,7 +2391,20 @@

     if (   cmd == (BIO_CB_WRITE|BIO_CB_RETURN)
         || cmd == (BIO_CB_READ |BIO_CB_RETURN) ) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#define requested_len (len)
+#define actual_len (*processed)
+        /*
+         * On OpenSSL >= 3 rc uses the meaning of the BIO_read_ex and
+         * BIO_write_ex functions return value and not the one of
+         * BIO_read and BIO_write. Hence 0 indicates an error.
+         */
+        if (rc > 0) {
+#else
+#define requested_len ((size_t)argi)
+#define actual_len ((size_t)rc)
         if (rc >= 0) {
+#endif
             const char *dump = "";
             if (APLOG_CS_IS_LEVEL(c, s, APLOG_TRACE7)) {
                 if (argp != NULL)
@@ -2400,23 +2413,28 @@
                     dump = "(Oops, no memory buffer?)";
             }
             ap_log_cserror(APLOG_MARK, APLOG_TRACE4, 0, c, s,
-                    "%s: %s %ld/%d bytes %s BIO#%pp [mem: %pp] %s",
+                    "%s: %s %" APR_SIZE_T_FMT "/%" APR_SIZE_T_FMT
+                    " bytes %s BIO#%pp [mem: %pp] %s",
                     MODSSL_LIBRARY_NAME,
                     (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"),
-                    (long)rc, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? 
"to" : "from"),
+                    actual_len, requested_len,
+                    (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "to" : "from"),
                     bio, argp, dump);
             if (*dump != '\0' && argp != NULL)
-                ssl_io_data_dump(c, s, argp, rc);
+                ssl_io_data_dump(c, s, argp, actual_len);
         }
         else {
             ap_log_cserror(APLOG_MARK, APLOG_TRACE4, 0, c, s,
-                    "%s: I/O error, %d bytes expected to %s on BIO#%pp [mem: 
%pp]",
-                    MODSSL_LIBRARY_NAME, argi,
+                    "%s: I/O error, %" APR_SIZE_T_FMT
+                    " bytes expected to %s on BIO#%pp [mem: %pp]",
+                    MODSSL_LIBRARY_NAME, requested_len,
                     (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"),
                     bio, argp);
         }
     }
     return rc;
+#undef requested_len
+#undef actual_len
 }

 static APR_INLINE void set_bio_callback(BIO *bio, void *arg)


Regards

Rüdiger























					Reply via email to