Blame SOURCES/mod_http2-1.15.7-CVE-2020-9490.patch

ffed06
From b8a8c5061eada0ce3339b24ba1d587134552bc0c Mon Sep 17 00:00:00 2001
ffed06
From: Stefan Eissing <stefan.eissing@greenbytes.de>
ffed06
Date: Wed, 29 Jul 2020 14:41:38 +0200
ffed06
Subject: [PATCH]  * Removing support for abandoned draft of http-wg regarding
ffed06
 cache-digests.
ffed06
ffed06
---
ffed06
ffed06
diff --git a/mod_http2/h2_push.c b/mod_http2/h2_push.c
ffed06
index 4a70674..8ae0b49 100644
ffed06
--- a/mod_http2/h2_push.c
ffed06
+++ b/mod_http2/h2_push.c
ffed06
@@ -464,33 +464,6 @@ apr_array_header_t *h2_push_collect(apr_pool_t *p, const h2_request *req,
ffed06
     return NULL;
ffed06
 }
ffed06
 
ffed06
-/*******************************************************************************
ffed06
- * push diary 
ffed06
- *
ffed06
- * - The push diary keeps track of resources already PUSHed via HTTP/2 on this
ffed06
- *   connection. It records a hash value from the absolute URL of the resource
ffed06
- *   pushed.
ffed06
- * - Lacking openssl, it uses 'apr_hashfunc_default' for the value
ffed06
- * - with openssl, it uses SHA256 to calculate the hash value
ffed06
- * - whatever the method to generate the hash, the diary keeps a maximum of 64
ffed06
- *   bits per hash, limiting the memory consumption to about 
ffed06
- *      H2PushDiarySize * 8 
ffed06
- *   bytes. Entries are sorted by most recently used and oldest entries are
ffed06
- *   forgotten first.
ffed06
- * - Clients can initialize/replace the push diary by sending a 'Cache-Digest'
ffed06
- *   header. Currently, this is the base64url encoded value of the cache digest
ffed06
- *   as specified in https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/
ffed06
- *   This draft can be expected to evolve and the definition of the header
ffed06
- *   will be added there and refined.
ffed06
- * - The cache digest header is a Golomb Coded Set of hash values, but it may
ffed06
- *   limit the amount of bits per hash value even further. For a good description
ffed06
- *   of GCS, read here:
ffed06
- *      http://giovanni.bajo.it/post/47119962313/golomb-coded-sets-smaller-than-bloom-filters
ffed06
- * - The means that the push diary might be initialized with hash values of much
ffed06
- *   less than 64 bits, leading to more false positives, but smaller digest size.
ffed06
- ******************************************************************************/
ffed06
- 
ffed06
- 
ffed06
 #define GCSLOG_LEVEL   APLOG_TRACE1
ffed06
 
ffed06
 typedef struct h2_push_diary_entry {
ffed06
@@ -618,38 +591,48 @@ static int h2_push_diary_find(h2_push_diary *diary, apr_uint64_t hash)
ffed06
     return -1;
ffed06
 }
ffed06
 
ffed06
-static h2_push_diary_entry *move_to_last(h2_push_diary *diary, apr_size_t idx)
ffed06
+static void move_to_last(h2_push_diary *diary, apr_size_t idx)
ffed06
 {
ffed06
     h2_push_diary_entry *entries = (h2_push_diary_entry*)diary->entries->elts;
ffed06
     h2_push_diary_entry e;
ffed06
-    apr_size_t lastidx = (apr_size_t)diary->entries->nelts;
ffed06
+    int lastidx;
ffed06
     
ffed06
+    /* Move an existing entry to the last place */
ffed06
+    if (diary->entries->nelts <= 0)
ffed06
+        return;
ffed06
+
ffed06
     /* move entry[idx] to the end */
ffed06
-    if (idx+1 < lastidx) {
ffed06
+    lastidx = diary->entries->nelts - 1;
ffed06
+    if (idx < lastidx) {
ffed06
         e =  entries[idx];
ffed06
-        memmove(entries+idx, entries+idx+1, sizeof(e) * (lastidx - idx));
ffed06
+        memmove(entries+idx, entries+idx+1, sizeof(h2_push_diary_entry) * (lastidx - idx));
ffed06
         entries[lastidx] = e;
ffed06
     }
ffed06
-    return &entries[lastidx];
ffed06
 }
ffed06
 
ffed06
-static void h2_push_diary_append(h2_push_diary *diary, h2_push_diary_entry *e)
ffed06
+static void remove_first(h2_push_diary *diary)
ffed06
 {
ffed06
-    h2_push_diary_entry *ne;
ffed06
+    h2_push_diary_entry *entries = (h2_push_diary_entry*)diary->entries->elts;
ffed06
+    int lastidx;
ffed06
     
ffed06
-    if (diary->entries->nelts < diary->N) {
ffed06
-        /* append a new diary entry at the end */
ffed06
-        APR_ARRAY_PUSH(diary->entries, h2_push_diary_entry) = *e;
ffed06
-        ne = &APR_ARRAY_IDX(diary->entries, diary->entries->nelts-1, h2_push_diary_entry);
ffed06
+    /* move remaining entries to index 0 */
ffed06
+    lastidx = diary->entries->nelts - 1;
ffed06
+    if (lastidx > 0) {
ffed06
+        --diary->entries->nelts;
ffed06
+        memmove(entries, entries+1, sizeof(h2_push_diary_entry) * diary->entries->nelts);
ffed06
     }
ffed06
-    else {
ffed06
-        /* replace content with new digest. keeps memory usage constant once diary is full */
ffed06
-        ne = move_to_last(diary, 0);
ffed06
-        *ne = *e;
ffed06
+}
ffed06
+
ffed06
+static void h2_push_diary_append(h2_push_diary *diary, h2_push_diary_entry *e)
ffed06
+{
ffed06
+    while (diary->entries->nelts >= diary->N) {
ffed06
+        remove_first(diary);
ffed06
     }
ffed06
+    /* append a new diary entry at the end */
ffed06
+    APR_ARRAY_PUSH(diary->entries, h2_push_diary_entry) = *e;
ffed06
     /* Intentional no APLOGNO */
ffed06
     ap_log_perror(APLOG_MARK, GCSLOG_LEVEL, 0, diary->entries->pool,
ffed06
-                  "push_diary_append: %"APR_UINT64_T_HEX_FMT, ne->hash);
ffed06
+                  "push_diary_append: %"APR_UINT64_T_HEX_FMT, e->hash);
ffed06
 }
ffed06
 
ffed06
 apr_array_header_t *h2_push_diary_update(h2_session *session, apr_array_header_t *pushes)
ffed06
@@ -692,30 +675,12 @@ apr_array_header_t *h2_push_collect_update(h2_stream *stream,
ffed06
                                            const struct h2_request *req, 
ffed06
                                            const struct h2_headers *res)
ffed06
 {
ffed06
-    h2_session *session = stream->session;
ffed06
-    const char *cache_digest = apr_table_get(req->headers, "Cache-Digest");
ffed06
     apr_array_header_t *pushes;
ffed06
-    apr_status_t status;
ffed06
     
ffed06
-    if (cache_digest && session->push_diary) {
ffed06
-        status = h2_push_diary_digest64_set(session->push_diary, req->authority, 
ffed06
-                                            cache_digest, stream->pool);
ffed06
-        if (status != APR_SUCCESS) {
ffed06
-            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, status, session->c,
ffed06
-                          H2_SSSN_LOG(APLOGNO(03057), session,
ffed06
-                          "push diary set from Cache-Digest: %s"), cache_digest);
ffed06
-        }
ffed06
-    }
ffed06
     pushes = h2_push_collect(stream->pool, req, stream->push_policy, res);
ffed06
     return h2_push_diary_update(stream->session, pushes);
ffed06
 }
ffed06
 
ffed06
-static apr_int32_t h2_log2inv(unsigned char log2)
ffed06
-{
ffed06
-    return log2? (1 << log2) : 1;
ffed06
-}
ffed06
-
ffed06
-
ffed06
 typedef struct {
ffed06
     h2_push_diary *diary;
ffed06
     unsigned char log2p;
ffed06
@@ -830,11 +795,6 @@ apr_status_t h2_push_diary_digest_get(h2_push_diary *diary, apr_pool_t *pool,
ffed06
     apr_size_t hash_count;
ffed06
     
ffed06
     nelts = diary->entries->nelts;
ffed06
-    
ffed06
-    if ((apr_uint32_t)nelts > APR_UINT32_MAX) {
ffed06
-        /* should not happen */
ffed06
-        return APR_ENOTIMPL;
ffed06
-    }
ffed06
     N = ceil_power_of_2(nelts);
ffed06
     log2n = h2_log2(N);
ffed06
     
ffed06
@@ -896,166 +856,3 @@ apr_status_t h2_push_diary_digest_get(h2_push_diary *diary, apr_pool_t *pool,
ffed06
     return APR_SUCCESS;
ffed06
 }
ffed06
 
ffed06
-typedef struct {
ffed06
-    h2_push_diary *diary;
ffed06
-    apr_pool_t *pool;
ffed06
-    unsigned char log2p;
ffed06
-    const unsigned char *data;
ffed06
-    apr_size_t datalen;
ffed06
-    apr_size_t offset;
ffed06
-    unsigned int bit;
ffed06
-    apr_uint64_t last_val;
ffed06
-} gset_decoder;
ffed06
-
ffed06
-static int gset_decode_next_bit(gset_decoder *decoder)
ffed06
-{
ffed06
-    if (++decoder->bit >= 8) {
ffed06
-        if (++decoder->offset >= decoder->datalen) {
ffed06
-            return -1;
ffed06
-        }
ffed06
-        decoder->bit = 0;
ffed06
-    }
ffed06
-    return (decoder->data[decoder->offset] & cbit_mask[decoder->bit])? 1 : 0;
ffed06
-}
ffed06
-
ffed06
-static apr_status_t gset_decode_next(gset_decoder *decoder, apr_uint64_t *phash)
ffed06
-{
ffed06
-    apr_uint64_t flex = 0, fixed = 0, delta;
ffed06
-    int i;
ffed06
-    
ffed06
-    /* read 1 bits until we encounter 0, then read log2n(diary-P) bits.
ffed06
-     * On a malformed bit-string, this will not fail, but produce results
ffed06
-     * which are pbly too large. Luckily, the diary will modulo the hash.
ffed06
-     */
ffed06
-    while (1) {
ffed06
-        int bit = gset_decode_next_bit(decoder);
ffed06
-        if (bit == -1) {
ffed06
-            return APR_EINVAL;
ffed06
-        }
ffed06
-        if (!bit) {
ffed06
-            break;
ffed06
-        }
ffed06
-        ++flex;
ffed06
-    }
ffed06
-    
ffed06
-    for (i = 0; i < decoder->log2p; ++i) {
ffed06
-        int bit = gset_decode_next_bit(decoder);
ffed06
-        if (bit == -1) {
ffed06
-            return APR_EINVAL;
ffed06
-        }
ffed06
-        fixed = (fixed << 1) | bit;
ffed06
-    }
ffed06
-    
ffed06
-    delta = (flex << decoder->log2p) | fixed;
ffed06
-    *phash = delta + decoder->last_val;
ffed06
-    decoder->last_val = *phash;
ffed06
-    
ffed06
-    /* Intentional no APLOGNO */
ffed06
-    ap_log_perror(APLOG_MARK, GCSLOG_LEVEL, 0, decoder->pool,
ffed06
-                  "h2_push_diary_digest_dec: val=%"APR_UINT64_T_HEX_FMT", delta=%"
ffed06
-                  APR_UINT64_T_HEX_FMT", flex=%d, fixed=%"APR_UINT64_T_HEX_FMT, 
ffed06
-                  *phash, delta, (int)flex, fixed);
ffed06
-                  
ffed06
-    return APR_SUCCESS;
ffed06
-}
ffed06
-
ffed06
-/**
ffed06
- * Initialize the push diary by a cache digest as described in 
ffed06
- * https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/
ffed06
- * .
ffed06
- * @param diary the diary to set the digest into
ffed06
- * @param data the binary cache digest
ffed06
- * @param len the length of the cache digest
ffed06
- * @return APR_EINVAL if digest was not successfully parsed
ffed06
- */
ffed06
-apr_status_t h2_push_diary_digest_set(h2_push_diary *diary, const char *authority, 
ffed06
-                                      const char *data, apr_size_t len)
ffed06
-{
ffed06
-    gset_decoder decoder;
ffed06
-    unsigned char log2n, log2p;
ffed06
-    int N, i;
ffed06
-    apr_pool_t *pool = diary->entries->pool;
ffed06
-    h2_push_diary_entry e;
ffed06
-    apr_status_t status = APR_SUCCESS;
ffed06
-    
ffed06
-    if (len < 2) {
ffed06
-        /* at least this should be there */
ffed06
-        return APR_EINVAL;
ffed06
-    }
ffed06
-    log2n = data[0];
ffed06
-    log2p = data[1];
ffed06
-    diary->mask_bits = log2n + log2p;
ffed06
-    if (diary->mask_bits > 64) {
ffed06
-        /* cannot handle */
ffed06
-        return APR_ENOTIMPL;
ffed06
-    }
ffed06
-    
ffed06
-    /* whatever is in the digest, it replaces the diary entries */
ffed06
-    apr_array_clear(diary->entries);
ffed06
-    if (!authority || !strcmp("*", authority)) {
ffed06
-        diary->authority = NULL;
ffed06
-    }
ffed06
-    else if (!diary->authority || strcmp(diary->authority, authority)) {
ffed06
-        diary->authority = apr_pstrdup(diary->entries->pool, authority);
ffed06
-    }
ffed06
-
ffed06
-    N = h2_log2inv(log2n + log2p);
ffed06
-
ffed06
-    decoder.diary    = diary;
ffed06
-    decoder.pool     = pool;
ffed06
-    decoder.log2p    = log2p;
ffed06
-    decoder.data     = (const unsigned char*)data;
ffed06
-    decoder.datalen  = len;
ffed06
-    decoder.offset   = 1;
ffed06
-    decoder.bit      = 8;
ffed06
-    decoder.last_val = 0;
ffed06
-    
ffed06
-    diary->N = N;
ffed06
-    /* Determine effective N we use for storage */
ffed06
-    if (!N) {
ffed06
-        /* a totally empty cache digest. someone tells us that she has no
ffed06
-         * entries in the cache at all. Use our own preferences for N+mask 
ffed06
-         */
ffed06
-        diary->N = diary->NMax;
ffed06
-        return APR_SUCCESS;
ffed06
-    }
ffed06
-    else if (N > diary->NMax) {
ffed06
-        /* Store not more than diary is configured to hold. We open us up
ffed06
-         * to DOS attacks otherwise. */
ffed06
-        diary->N = diary->NMax;
ffed06
-    }
ffed06
-    
ffed06
-    /* Intentional no APLOGNO */
ffed06
-    ap_log_perror(APLOG_MARK, GCSLOG_LEVEL, 0, pool,
ffed06
-                  "h2_push_diary_digest_set: N=%d, log2n=%d, "
ffed06
-                  "diary->mask_bits=%d, dec.log2p=%d", 
ffed06
-                  (int)diary->N, (int)log2n, diary->mask_bits, 
ffed06
-                  (int)decoder.log2p);
ffed06
-                  
ffed06
-    for (i = 0; i < diary->N; ++i) {
ffed06
-        if (gset_decode_next(&decoder, &e.hash) != APR_SUCCESS) {
ffed06
-            /* the data may have less than N values */
ffed06
-            break;
ffed06
-        }
ffed06
-        h2_push_diary_append(diary, &e);
ffed06
-    }
ffed06
-    
ffed06
-    /* Intentional no APLOGNO */
ffed06
-    ap_log_perror(APLOG_MARK, GCSLOG_LEVEL, 0, pool,
ffed06
-                  "h2_push_diary_digest_set: diary now with %d entries, mask_bits=%d", 
ffed06
-                  (int)diary->entries->nelts, diary->mask_bits);
ffed06
-    return status;
ffed06
-}
ffed06
-
ffed06
-apr_status_t h2_push_diary_digest64_set(h2_push_diary *diary, const char *authority, 
ffed06
-                                        const char *data64url, apr_pool_t *pool)
ffed06
-{
ffed06
-    const char *data;
ffed06
-    apr_size_t len = h2_util_base64url_decode(&data, data64url, pool);
ffed06
-    /* Intentional no APLOGNO */
ffed06
-    ap_log_perror(APLOG_MARK, GCSLOG_LEVEL, 0, pool,
ffed06
-                  "h2_push_diary_digest64_set: digest=%s, dlen=%d", 
ffed06
-                  data64url, (int)len);
ffed06
-    return h2_push_diary_digest_set(diary, authority, data, len);
ffed06
-}
ffed06
-
ffed06
diff --git a/mod_http2/h2_push.h b/mod_http2/h2_push.h
ffed06
index 0533853..5dc189f 100644
ffed06
--- a/mod_http2/h2_push.h
ffed06
+++ b/mod_http2/h2_push.h
ffed06
@@ -35,6 +35,44 @@ typedef enum {
ffed06
     H2_PUSH_DIGEST_SHA256
ffed06
 } h2_push_digest_type;
ffed06
 
ffed06
+/*******************************************************************************
ffed06
+ * push diary 
ffed06
+ *
ffed06
+ * - The push diary keeps track of resources already PUSHed via HTTP/2 on this
ffed06
+ *   connection. It records a hash value from the absolute URL of the resource
ffed06
+ *   pushed.
ffed06
+ * - Lacking openssl, 
ffed06
+ * - with openssl, it uses SHA256 to calculate the hash value, otherwise it
ffed06
+ *   falls back to apr_hashfunc_default()
ffed06
+ * - whatever the method to generate the hash, the diary keeps a maximum of 64
ffed06
+ *   bits per hash, limiting the memory consumption to about 
ffed06
+ *      H2PushDiarySize * 8 
ffed06
+ *   bytes. Entries are sorted by most recently used and oldest entries are
ffed06
+ *   forgotten first.
ffed06
+ * - While useful by itself to avoid duplicated PUSHes on the same connection,
ffed06
+ *   the original idea was that clients provided a 'Cache-Digest' header with
ffed06
+ *   the values of *their own* cached resources. This was described in
ffed06
+ *   <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/> 
ffed06
+ *   and some subsequent revisions that tweaked values but kept the overall idea.
ffed06
+ * - The draft was abandoned by the IETF http-wg, as support from major clients,
ffed06
+ *   e.g. browsers, was lacking for various reasons.
ffed06
+ * - For these reasons, mod_h2 abandoned its support for client supplied values
ffed06
+ *   but keeps the diary. It seems to provide value for applications using PUSH,
ffed06
+ *   is configurable in size and defaults to a very moderate amount of memory
ffed06
+ *   used.
ffed06
+ * - The cache digest header is a Golomb Coded Set of hash values, but it may
ffed06
+ *   limit the amount of bits per hash value even further. For a good description
ffed06
+ *   of GCS, read here:
ffed06
+ *   <http://giovanni.bajo.it/post/47119962313/golomb-coded-sets-smaller-than-bloom-filters>
ffed06
+ ******************************************************************************/
ffed06
+ 
ffed06
+ 
ffed06
+/*
ffed06
+ * The push diary is based on the abandoned draft 
ffed06
+ * <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>
ffed06
+ * that describes how to use golomb filters.
ffed06
+ */
ffed06
+
ffed06
 typedef struct h2_push_diary h2_push_diary;
ffed06
 
ffed06
 typedef void h2_push_digest_calc(h2_push_diary *diary, apr_uint64_t *phash, h2_push *push);
ffed06
@@ -101,20 +139,4 @@ apr_status_t h2_push_diary_digest_get(h2_push_diary *diary, apr_pool_t *p,
ffed06
                                       int maxP, const char *authority, 
ffed06
                                       const char **pdata, apr_size_t *plen);
ffed06
 
ffed06
-/**
ffed06
- * Initialize the push diary by a cache digest as described in 
ffed06
- * https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/
ffed06
- * .
ffed06
- * @param diary the diary to set the digest into
ffed06
- * @param authority the authority to set the data for
ffed06
- * @param data the binary cache digest
ffed06
- * @param len the length of the cache digest
ffed06
- * @return APR_EINVAL if digest was not successfully parsed
ffed06
- */
ffed06
-apr_status_t h2_push_diary_digest_set(h2_push_diary *diary, const char *authority, 
ffed06
-                                      const char *data, apr_size_t len);
ffed06
-
ffed06
-apr_status_t h2_push_diary_digest64_set(h2_push_diary *diary, const char *authority, 
ffed06
-                                        const char *data64url, apr_pool_t *pool);
ffed06
-
ffed06
 #endif /* defined(__mod_h2__h2_push__) */