From: Jim Jagielski Date: Mon, 7 Dec 2015 12:28:51 +0000 (+0000) Subject: Merge r1717958 from trunk: X-Git-Tag: 2.4.18~15 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3191fdf7638d6a96d8b47061c154773c8b240f7b;p=apache Merge r1717958 from trunk: using c->master for ssl var lookups when c holds no valid SSLConnRec. Fixes PR58666. Submitted by: icing Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1718331 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 5d67550a3c..dc3a215c9c 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,11 @@ Changes with Apache 2.4.18 + *) mod_ssl: for all ssl_engine_vars.c lookups, fall back to master connection + if conn_rec itself holds no valid SSLConnRec*. Fixes PR58666. + [Stefan Eissing] + + *) mod_http2: connection level window for flow control is set to protocol maximum of 2GB-1, preventing window exhaustion when sending data on many streams with higher cumulative window size. diff --git a/STATUS b/STATUS index 73c5da3350..3b2bea8bfc 100644 --- a/STATUS +++ b/STATUS @@ -111,11 +111,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) mod_ssl: for all ssl_engine_vars.c lookups, fall back to master connection - if conn_rec itself holds no valid SSLConnRec*. Fixes PR58666. - trunk patch: http://svn.apache.org/r1717958 - 2.4.x patch: trunk works apart from CHANGES - +1: icing, ylavic, jim *) Easy patches: synch 2.4.x and trunk - mod_auth_basic: Use 'ap_pbase64decode' to simplify code. diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c index e3677cc833..a6b0d0da15 100644 --- a/modules/ssl/ssl_engine_vars.c +++ b/modules/ssl/ssl_engine_vars.c 
@@ -55,9 +55,19 @@ static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algk static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var); static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl); -static int ssl_is_https(conn_rec *c) +static SSLConnRec *ssl_get_effective_config(conn_rec *c) { SSLConnRec *sslconn = myConnConfig(c); + if (!(sslconn && sslconn->ssl) && c->master) { + /* use master connection if no SSL defined here */ + sslconn = myConnConfig(c->master); + } + return sslconn; +} + +static int ssl_is_https(conn_rec *c) +{ + SSLConnRec *sslconn = ssl_get_effective_config(c); return sslconn && sslconn->ssl; } @@ -75,7 +85,7 @@ static apr_array_header_t *expr_peer_ext_list_fn(ap_expr_eval_ctx_t *ctx, static const char *expr_var_fn(ap_expr_eval_ctx_t *ctx, const void *data) { char *var = (char *)data; - SSLConnRec *sslconn = myConnConfig(ctx->c); + SSLConnRec *sslconn = ssl_get_effective_config(ctx->c); return sslconn ? ssl_var_lookup_ssl(ctx->p, sslconn, ctx->r, var) : NULL; } @@ -261,11 +271,7 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, * Connection stuff */ if (result == NULL && c != NULL) { - SSLConnRec *sslconn = myConnConfig(c); - if (!(sslconn && sslconn->ssl) && c->master) { - /* use master connection if no SSL defined here */ - sslconn = myConnConfig(c->master); - } + SSLConnRec *sslconn = ssl_get_effective_config(c); if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) && sslconn && sslconn->ssl) result = ssl_var_lookup_ssl(p, sslconn, r, var+4); @@ -1048,7 +1054,7 @@ static int dump_extn_value(BIO *bio, ASN1_OCTET_STRING *str) apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension) { - SSLConnRec *sslconn = myConnConfig(c); + SSLConnRec *sslconn = ssl_get_effective_config(c); SSL *ssl = NULL; apr_array_header_t *array = NULL; X509 *xs = NULL; 
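Review bot: `ssl_get_effective_config()` in the `@@ -55,9 +55,19 @@` hunk has no comment stating its contract, and its result can still be NULL or carry a NULL `ssl` after the fallback, because `myConnConfig(c->master)` is returned unchecked. A one-line header comment would make that explicit, for example `/* Returns c's SSLConnRec, or the master connection's when c has no SSL of its own; may be NULL or have ssl == NULL, so callers must check both. */`. The comment should also say that for a connection with a master the returned record describes the master's TLS session, so any SSL variable used in an access-control expression reflects the master connection. The helper dereferences `c` unconditionally, so callers must keep passing a non-NULL connection, as `ssl_var_lookup` does with its `c != NULL` test.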
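Review bot: In the `@@ -75,7 +85,7 @@` hunk, `expr_var_fn` still tests only `sslconn` before calling `ssl_var_lookup_ssl`, while the other call sites in this patch (`ssl_is_https`, `ssl_var_lookup`, `ssl_var_log_handler_c`) also require `sslconn->ssl`. The record returned by the helper can be non-NULL with no SSL handle, and the body of `ssl_var_lookup_ssl` is not in this diff, so it should be confirmed that it handles `ssl == NULL` for every variable. Otherwise the same guard can be used here: `return (sslconn && sslconn->ssl) ? ssl_var_lookup_ssl(ctx->p, sslconn, ctx->r, var) : NULL;`. If variables that need no SSL handle must stay reachable through this path, a comment saying so would be enough. The same question applies to `ssl_ext_list` in the `@@ -1048,7 +1054,7 @@` hunk, whose handling of `sslconn` lies outside the visible lines.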
@@ -1192,7 +1198,7 @@ void ssl_var_log_config_register(apr_pool_t *p) */ static const char *ssl_var_log_handler_c(request_rec *r, char *a) { - SSLConnRec *sslconn = myConnConfig(r->connection); + SSLConnRec *sslconn = ssl_get_effective_config(r->connection); char *result; if (sslconn == NULL || sslconn->ssl == NULL)