From 52892853876baf38c79a8a3612894dd3fb2a047b Mon Sep 17 00:00:00 2001 From: Kaspar Brand Date: Sat, 30 Nov 2013 07:44:27 +0000 Subject: [PATCH] Tweaks for SSLOpenSSLConfCmd: - use cfgMergeArray, and reduce the size of the initial array - move SSL_CONF_cmd calls from ssl_init_ctx_protocol to ssl_init_server_ctx (so they are applied after ssl_init_server_certs) - add APLOG_DEBUG-level logging for the SSL_CONF_cmd success case - call SSL_CONF_CTX_free(cctx) when done in ssl_init_server_ctx git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1546693 13f79535-47bb-0310-9956-ffa450edef68 --- docs/log-message-tags/next-number | 2 +- modules/ssl/ssl_engine_config.c | 32 ++++++++++------- modules/ssl/ssl_engine_init.c | 57 ++++++++++++++++--------------- 3 files changed, 51 insertions(+), 40 deletions(-) diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number index d765d59d62..45f69301fb 100644 --- a/docs/log-message-tags/next-number +++ b/docs/log-message-tags/next-number @@ -1 +1 @@ -2556 +2557 diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index a1e050efdb..4a01ef0d63 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -157,7 +157,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p) SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_FILE); SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_SERVER); SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_CERTIFICATE); - mctx->ssl_ctx_param = apr_array_make(p, 10, sizeof(ssl_ctx_param_t)); + mctx->ssl_ctx_param = apr_array_make(p, 5, sizeof(ssl_ctx_param_t)); #endif } @@ -247,7 +247,8 @@ void *ssl_config_server_create(apr_pool_t *p, server_rec *s) #define cfgMergeBool(el) cfgMerge(el, UNSET) #define cfgMergeInt(el) cfgMerge(el, UNSET) -static void modssl_ctx_cfg_merge(modssl_ctx_t *base, +static void modssl_ctx_cfg_merge(apr_pool_t *p, + modssl_ctx_t *base, modssl_ctx_t *add, modssl_ctx_t *mrg) { @@ -292,29 +293,30 @@ static void modssl_ctx_cfg_merge(modssl_ctx_t *base, #endif #ifdef HAVE_SSL_CONF_CMD - apr_array_cat(mrg->ssl_ctx_param, base->ssl_ctx_param); - apr_array_cat(mrg->ssl_ctx_param, add->ssl_ctx_param); + cfgMergeArray(ssl_ctx_param); #endif } -static void modssl_ctx_cfg_merge_proxy(modssl_ctx_t *base, +static void modssl_ctx_cfg_merge_proxy(apr_pool_t *p, + modssl_ctx_t *base, modssl_ctx_t *add, modssl_ctx_t *mrg) { - modssl_ctx_cfg_merge(base, add, mrg); + modssl_ctx_cfg_merge(p, base, add, mrg); cfgMergeString(pkp->cert_file); cfgMergeString(pkp->cert_path); cfgMergeString(pkp->ca_cert_file); } -static void modssl_ctx_cfg_merge_server(modssl_ctx_t *base, +static void modssl_ctx_cfg_merge_server(apr_pool_t *p, + modssl_ctx_t *base, modssl_ctx_t *add, modssl_ctx_t *mrg) { int i; - modssl_ctx_cfg_merge(base, add, mrg); + modssl_ctx_cfg_merge(p, base, add, mrg); for (i = 0; i < SSL_AIDX_MAX; i++) { cfgMergeString(pks->cert_files[i]); @@ -357,9 +359,9 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv) cfgMergeBool(compression); #endif - modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy); + modssl_ctx_cfg_merge_proxy(p, base->proxy, add->proxy, mrg->proxy); - modssl_ctx_cfg_merge_server(base->server, add->server, mrg->server); + modssl_ctx_cfg_merge_server(p, base->server, add->server, mrg->server); return mrg; } @@ -1809,20 +1811,23 @@ const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *cmd, void *dcfg, } #endif /* HAVE_OCSP_STAPLING */ + #ifdef HAVE_SSL_CONF_CMD const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); - ssl_ctx_param_t *param = apr_array_push(sc->server->ssl_ctx_param); SSL_CONF_CTX *cctx = sc->server->ssl_ctx_config; - const char *err; int value_type = SSL_CONF_cmd_value_type(cctx, arg1); + const char *err; + ssl_ctx_param_t *param; + if (value_type == SSL_CONF_TYPE_UNKNOWN) { return apr_psprintf(cmd->pool, "'%s': invalid OpenSSL configuration command", arg1); } + if (value_type == SSL_CONF_TYPE_FILE) { if ((err = ssl_cmd_check_file(cmd, &arg2))) return err; @@ -1831,11 +1836,14 @@ const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, if ((err = ssl_cmd_check_dir(cmd, &arg2))) return err; } + + param = apr_array_push(sc->server->ssl_ctx_param); param->name = arg1; param->value = arg2; return NULL; } #endif + #ifdef HAVE_SRP const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 563e533d93..9e066217d0 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -535,30 +535,6 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); #endif -#ifdef HAVE_SSL_CONF_CMD -{ - ssl_ctx_param_t *param = (ssl_ctx_param_t *)mctx->ssl_ctx_param->elts; - SSL_CONF_CTX *cctx = mctx->ssl_ctx_config; - int i; - SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); - for (i = 0; i < mctx->ssl_ctx_param->nelts; i++, param++) { - if (SSL_CONF_cmd(cctx, param->name, param->value) <= 0) { - ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02407) - "Error SSL_CONF_cmd(\"%s\",\"%s\")", - param->name, param->value); - ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - return ssl_die(s); - } - } - if (SSL_CONF_CTX_finish(cctx) == 0) { - ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547) - "Error SSL_CONF_CTX_finish()"); - ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - return ssl_die(s); - } -} -#endif - #ifdef SSL_MODE_RELEASE_BUFFERS /* If httpd is configured to reduce mem usage, ask openssl to do so, too */ if (ap_max_mem_free != APR_ALLOCATOR_MAX_FREE_UNLIMITED) @@ -1359,6 +1335,11 @@ static apr_status_t ssl_init_server_ctx(server_rec *s, SSLSrvConfigRec *sc) { apr_status_t rv; +#ifdef HAVE_SSL_CONF_CMD + ssl_ctx_param_t *param = (ssl_ctx_param_t *)sc->server->ssl_ctx_param->elts; + SSL_CONF_CTX *cctx = sc->server->ssl_ctx_config; + int i; +#endif if ((rv = ssl_init_server_check(s, p, ptemp, sc->server)) != APR_SUCCESS) { return rv; @@ -1372,6 +1353,31 @@ static apr_status_t ssl_init_server_ctx(server_rec *s, return rv; } +#ifdef HAVE_SSL_CONF_CMD + SSL_CONF_CTX_set_ssl_ctx(cctx, sc->server->ssl_ctx); + for (i = 0; i < sc->server->ssl_ctx_param->nelts; i++, param++) { + if (SSL_CONF_cmd(cctx, param->name, param->value) <= 0) { + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02407) + "\"SSLOpenSSLConfCmd %s %s\" failed for %s", + param->name, param->value, sc->vhost_id); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); + return ssl_die(s); + } else { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02556) + "\"SSLOpenSSLConfCmd %s %s\" applied to %s", + param->name, param->value, sc->vhost_id); + } + } + if (SSL_CONF_CTX_finish(cctx) == 0) { + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547) + "SSL_CONF_CTX_finish() failed"); + SSL_CONF_CTX_free(cctx); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); + return ssl_die(s); + } + SSL_CONF_CTX_free(cctx); +#endif + #ifdef HAVE_TLS_SESSION_TICKETS if ((rv = ssl_init_ticket_key(s, p, ptemp, sc->server)) != APR_SUCCESS) { return rv; @@ -1643,9 +1649,6 @@ void ssl_init_Child(apr_pool_t *p, server_rec *s) static void ssl_init_ctx_cleanup(modssl_ctx_t *mctx) { MODSSL_CFG_ITEM_FREE(SSL_CTX_free, mctx->ssl_ctx); -#ifdef HAVE_SSL_CONF_CMD - MODSSL_CFG_ITEM_FREE(SSL_CONF_CTX_free, mctx->ssl_ctx_config); -#endif #ifdef HAVE_SRP if (mctx->srp_vbase != NULL) { -- 2.40.0