Fix memory leak in mod_ssl from internal SSL library allocations
  within SSL_get_peer_certificate and X509_get_pubkey.

Submitted by:	Zvi Har'El <rl@math.technion.ac.il>
Reviewed by:	Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@97344 13f79535-47bb-0310-9956-ffa450edef68

  Close several small leaks in SSL.

Submitted by: Zvi Har'El <rl@math.technion.ac.il>
Reviewed by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@97340 13f79535-47bb-0310-9956-ffa450edef68

  Outch.  No freeing consts.  Fortunately, the fn's return code isn't const.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@97315 13f79535-47bb-0310-9956-ffa450edef68

Submitted by:	Madhu Mathihalli <madhusudan_mathihalli@hp.com>
Reviewed by:	Jeff Trawick


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@97308 13f79535-47bb-0310-9956-ffa450edef68

memory which has been previously allocated inside OpenSSL.
Such memory should be freed with OPENSSL_free(), not with free().

Submitted by: Nadav Har'El <nyh@math.technion.ac.il>,
              Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>
Reviewed by:  Jeff Trawick


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@97307 13f79535-47bb-0310-9956-ffa450edef68

Submitted by:   Madhu Mathihalli <madhusudan_mathihalli@hp.com>
Reviewed by:	Jeff Trawick


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@97298 13f79535-47bb-0310-9956-ffa450edef68

(and allow 8192 to be valid). Secondly, this missplaced else
made the size part (8192) non-optional for shm:
PR:
Obtained from:
Submitted by:
Reviewed by:


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@97281 13f79535-47bb-0310-9956-ffa450edef68

which has the overloaded '%p' format (not ANSI).

PR:
Obtained from:
Submitted by:
Reviewed by:


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@97252 13f79535-47bb-0310-9956-ffa450edef68

and it was included in a commit that shouldn't have touched these files.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@97201 13f79535-47bb-0310-9956-ffa450edef68

Also, uncomment a line of code that the last commit should have uncommented.
Randall found this line and the fix, but I forgot to uncomment this line
along with the fix.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@97179 13f79535-47bb-0310-9956-ffa450edef68

could lead to an infinite loop.

PR:                     12705
Diagnosis submitted by: amund.elstad@ergo.no (Amund Elstad)
Coded by:               Jeff Trawick


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@97048 13f79535-47bb-0310-9956-ffa450edef68

/me wonders why we have generated content in CVS.    :-(


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@97039 13f79535-47bb-0310-9956-ffa450edef68

network write.  All other status codes result in c->aborted being set,
which allows the logs to note that the connection was aborted.  Previous
to this patch, if the network cable was unplugged on the client, the server
would get APR_ETIMEUP, but we wouldn't note that the connection was
aborted.

Submitted by:	Ryan Morgan <rmorgan@covalent.net>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@97038 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@97002 13f79535-47bb-0310-9956-ffa450edef68

This matches what Apache 1.3 does.  Also add documentation for
this feature.

PR:	9299
Submitted by:	Jay Ball <jay@veggiespam.com>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@97001 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@96818 13f79535-47bb-0310-9956-ffa450edef68

  Small fixes for SSLC


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@96477 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@96262 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@96261 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@96098 13f79535-47bb-0310-9956-ffa450edef68

  Changes for deprecated apr_is_fnmatch


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95976 13f79535-47bb-0310-9956-ffa450edef68

users and groups.  It doesn't pass requests between child processes yet.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95918 13f79535-47bb-0310-9956-ffa450edef68

arbitrary code before the handlers are invoked.

This resolves an issue with incorrect 304s on If-Modified-Since mod_include
requests since ap_meets_conditions() is not aware that this is a dynamic
request and it is not possible to satisfy 304 for these requests (unless
xbithack full is on, of course).  When mod_include runs as a filter, it is
too late to set any flag since the handler is responsible for calling
ap_meets_conditions(), which it should do before generating any data.

If a module doesn't need to run such arbitrary code, it can just pass NULL
as the argument and all is well.

PR:	9673
Reviewed by:	Ryan Bloom and others


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95906 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95835 13f79535-47bb-0310-9956-ffa450edef68

  These emits occur mainline, outside of the pphrase_callback, so we never
  opened readtty or writetty.  But they are absolute failures, nothing the
  user could do to deal with them.  They are logged in the ssl vhost's error
  log.

  In this case, I forgot my SSLCertificateKeyFile, so the server never
  tried the callback.  writetty wasn't initialized, so we segfaulted.

  This segfault is due to misconfig, not to the dialog with the user.
  This is the easiest fix (easier to read, too), but we shouldn't need
  to worry too much that the release is tagged.  If we retag, fine, then
  grab it, but it only addresses a config problem.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95734 13f79535-47bb-0310-9956-ffa450edef68

Reported by:  Paul J. Reder
Submitted by: Ryan Bloom


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95604 13f79535-47bb-0310-9956-ffa450edef68

using the value of SSL_get_peer_certificate(ssl) to verify as it will
have been removed from the chain before it was put in the cache.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95603 13f79535-47bb-0310-9956-ffa450edef68

Obtained from:
Submitted by:
Reviewed by:
allow POST method over SSL when per-directory client cert
authentication is used with 'SSLOptions +OptRenegotiate' enabled
and a client cert was found in the ssl session cache.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95602 13f79535-47bb-0310-9956-ffa450edef68

Obtained from:
Submitted by:
Reviewed by:
'SSLOptions +OptRengotiate' will use client cert in from the ssl
session cache when there is no cert chain in the cache.  prior to
the fix this situation would result in a FORBIDDEN response and
error message "Cannot find peer certificate chain"


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95601 13f79535-47bb-0310-9956-ffa450edef68

to return an error rather than exiting directly


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95567 13f79535-47bb-0310-9956-ffa450edef68

questions about shmcb:

"Feel free to buzz me on shmcb matters to as/when you like - my time
 may be limited right now but I will certainly reply as best I can to
 anything that comes up."

Submitted by: Geoff Thorpe <geoff@geoffthorpe.net>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95550 13f79535-47bb-0310-9956-ffa450edef68

  cvs up/diff gets pretty hard to track with vc7 builds.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95524 13f79535-47bb-0310-9956-ffa450edef68

redirecting (.*) will allow an SSL protected page to be viewed
without SSL.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95501 13f79535-47bb-0310-9956-ffa450edef68

  The only remaining question ... are nested or strictly unnested locks
  expected by OpenSSL?  Right now I've left it as _DEFAULT for the platform
  preference.  Very simple code really - the server_rec was superfluous.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95497 13f79535-47bb-0310-9956-ffa450edef68

Not only should it just say "can't do that on win32," which is after all
the bottom line, it was spitting out openssl error messages which were
totally useless.  Eg:

[30/May/2002 17:31:17 05760] [error] Init: PassPhraseDialog BuiltIn not
supported in server private key from file
F:/Apache/Apache2/conf/ssl/secure.key (OpenSSL library error follows)
[30/May/2002 17:31:17 05760] [error] OpenSSL: error:0D084069:asn1
encoding routines:d2i_ASN1_SET:bad tag
[30/May/2002 17:31:17 05760] [error] OpenSSL: error:0D09D082:asn1
encoding routines:d2i_RSAPrivateKey:parsing
[30/May/2002 17:31:17 05760] [error] OpenSSL: error:0D09B00D:asn1
encoding routines:d2i_PrivateKey:ASN1 lib

Which is essentially saying "OpenSSL couldn't read your private key because
it was encrypted, and we can't get the passphrase the way you asked us to
on this platform."


Brought to my attention by the inquiry of:  Chris Hsiang <chsiang@ivivos.com>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95415 13f79535-47bb-0310-9956-ffa450edef68

  Based on DougM's feedback to the list...


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95408 13f79535-47bb-0310-9956-ffa450edef68

  Apparently Roy missed this comment.  Rephrase as a seperate paragraph
  to more clearly split credit for OpenSSL from credit for mod_ssl.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95407 13f79535-47bb-0310-9956-ffa450edef68

  Split out the LAYOUT


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95406 13f79535-47bb-0310-9956-ffa450edef68

  As we find the right places for this content, move them out in bits


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95405 13f79535-47bb-0310-9956-ffa450edef68

  All rather stale.  Any new/remaining issues should be moved to CHANGES
  in the present tense, as opposed to the "Future port to 2.0".  Heh


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@95389 13f79535-47bb-0310-9956-ffa450edef68