From 9e39ba015a082b125649ee2012c0e90ed8b42c66 Mon Sep 17 00:00:00 2001 From: Ruediger Pluem Date: Mon, 23 Mar 2009 17:37:38 +0000 Subject: [PATCH] * Store the correct server_rec in the connection record configuration and adjust the remaining part of mod_ssl to use this server_rec instead of c->base_server. modules/ssl/ssl_private.h: - server_rec member to SSLConnRec struct - Add macros to extract data from connection_rec mySrvFromConn(c) mySrvConfigFromConn(c) myModConfigFromConn(c) modules/ssl/ssl_engine_io.c modules/ssl/ssl_util_ocsp.c modules/ssl/ssl_engine_kernel.c modules/ssl/mod_ssl.c modules/ssl/ssl_engine_log.c - Use the new macros to extract data fron connection_rec and use the server_rec stored in SSLConnRec instead of c->base_server whereever appropriate. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@757463 13f79535-47bb-0310-9956-ffa450edef68 --- modules/ssl/mod_ssl.c | 42 +++++++++++++++++++++++---------- modules/ssl/ssl_engine_io.c | 27 +++++++++++---------- modules/ssl/ssl_engine_kernel.c | 24 ++++++++++--------- modules/ssl/ssl_engine_log.c | 2 +- modules/ssl/ssl_private.h | 4 ++++ modules/ssl/ssl_util_ocsp.c | 6 ++--- 6 files changed, 66 insertions(+), 39 deletions(-) diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index ee6615a31f..9483619237 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -290,6 +290,8 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c) sslconn = apr_pcalloc(c->pool, sizeof(*sslconn)); + sslconn->server = c->base_server; + myConnConfigSet(c, sslconn); return sslconn; @@ -297,9 +299,10 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c) int ssl_proxy_enable(conn_rec *c) { - SSLSrvConfigRec *sc = mySrvConfig(c->base_server); + SSLSrvConfigRec *sc; SSLConnRec *sslconn = ssl_init_connection_ctx(c); + sc = mySrvConfig(sslconn->server); if (!sc->proxy_enabled) { ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, 
@@ -317,10 +320,16 @@ int ssl_proxy_enable(conn_rec *c) int ssl_engine_disable(conn_rec *c) { - SSLSrvConfigRec *sc = mySrvConfig(c->base_server); + SSLSrvConfigRec *sc; - SSLConnRec *sslconn; + SSLConnRec *sslconn = myConnConfig(c); + if (sslconn) { + sc = mySrvConfig(sslconn->server); + } + else { + sc = mySrvConfig(c->base_server); + } if (sc->enabled == SSL_ENABLED_FALSE) { return 0; } @@ -334,20 +343,23 @@ int ssl_engine_disable(conn_rec *c) int ssl_init_ssl_connection(conn_rec *c, request_rec *r) { - SSLSrvConfigRec *sc = mySrvConfig(c->base_server); + SSLSrvConfigRec *sc; SSL *ssl; SSLConnRec *sslconn = myConnConfig(c); char *vhost_md5; modssl_ctx_t *mctx; - - /* - * Seed the Pseudo Random Number Generator (PRNG) - */ - ssl_rand_seed(c->base_server, c->pool, SSL_RSCTX_CONNECT, ""); + server_rec *server; if (!sslconn) { sslconn = ssl_init_connection_ctx(c); } + server = sslconn->server; + sc = mySrvConfig(server); + + /* + * Seed the Pseudo Random Number Generator (PRNG) + */ + ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT, ""); mctx = sslconn->is_proxy ? sc->proxy : sc->server; @@ -360,7 +372,7 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r) ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, "Unable to create a new SSL connection from the SSL " "context"); - ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server); c->aborted = 1; @@ -375,7 +387,7 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r) { ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, "Unable to set session id context to `%s'", vhost_md5); - ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server); c->aborted = 1; 
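Review bot: The `if (sslconn) { sc = mySrvConfig(sslconn->server); } else { sc = mySrvConfig(c->base_server); }` fallback added to ssl_engine_disable is repeated verbatim in the ssl_hook_pre_connection hunk (`@@ -424,9 +436,15 @@`), and within this patch those two are the only call sites that tolerate a connection with no SSLConnRec, whereas the new `mySrvFromConn(c)` macro does not. A small static helper in mod_ssl.c would keep that rule in one place and make the null-tolerant lookup visibly distinct from the macro, so each site shrinks back to a single initializer such as `SSLSrvConfigRec *sc = mySrvConfig(ssl_server_for_conn(c));`. Both functions continue past their hunks.
```c
/* Server to use for a connection: the one recorded in its SSLConnRec when
 * one is attached, otherwise the base server. Usable before
 * ssl_init_connection_ctx() has run, unlike mySrvFromConn(). */
static server_rec *ssl_server_for_conn(conn_rec *c)
{
    SSLConnRec *sslconn = myConnConfig(c);

    return sslconn ? sslconn->server : c->base_server;
}

int ssl_engine_disable(conn_rec *c)
{
    SSLSrvConfigRec *sc = mySrvConfig(ssl_server_for_conn(c));
    SSLConnRec *sslconn = myConnConfig(c);

    /* … unchanged: rest of ssl_engine_disable … */
```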
@@ -424,9 +436,15 @@ static apr_port_t ssl_hook_default_port(const request_rec *r) static int ssl_hook_pre_connection(conn_rec *c, void *csd) { - SSLSrvConfigRec *sc = mySrvConfig(c->base_server); + SSLSrvConfigRec *sc; SSLConnRec *sslconn = myConnConfig(c); + if (sslconn) { + sc = mySrvConfig(sslconn->server); + } + else { + sc = mySrvConfig(c->base_server); + } /* * Immediately stop processing if SSL is disabled for this connection */ diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index bd5ff896a2..8e2754f345 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c @@ -702,7 +702,7 @@ static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx, */ ap_log_cerror(APLOG_MARK, APLOG_INFO, inctx->rc, c, "SSL library error %d reading data", ssl_err); - ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server); + ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, mySrvFromConn(c)); } if (inctx->rc == APR_SUCCESS) { @@ -809,7 +809,7 @@ static apr_status_t ssl_filter_write(ap_filter_t *f, */ ap_log_cerror(APLOG_MARK, APLOG_INFO, outctx->rc, c, "SSL library error %d writing data", ssl_err); - ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server); + ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, mySrvFromConn(c)); } if (outctx->rc == APR_SUCCESS) { outctx->rc = APR_EGENERAL; @@ -879,7 +879,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f, ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, f->c, "SSL handshake failed: HTTP spoken on HTTPS port; " "trying to send HTML error page"); - ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, f->c->base_server); + ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, sslconn->server); sslconn->non_ssl_request = 1; ssl_io_filter_disable(sslconn, f); 
@@ -996,11 +996,11 @@ static void ssl_filter_io_shutdown(ssl_filter_ctx_t *filter_ctx, SSL_smart_shutdown(ssl); /* and finally log the fact that we've closed the connection */ - if (c->base_server->loglevel >= APLOG_INFO) { + if (mySrvFromConn(c)->loglevel >= APLOG_INFO) { ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, "Connection closed to child %ld with %s shutdown " "(server %s)", - c->id, type, ssl_util_vhostid(c->pool, c->base_server)); + c->id, type, ssl_util_vhostid(c->pool, mySrvFromConn(c))); } /* deallocate the SSL connection */ @@ -1047,21 +1047,23 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) { conn_rec *c = (conn_rec *)SSL_get_app_data(filter_ctx->pssl); SSLConnRec *sslconn = myConnConfig(c); - SSLSrvConfigRec *sc = mySrvConfig(c->base_server); + SSLSrvConfigRec *sc; X509 *cert; int n; int ssl_err; long verify_result; + server_rec *server; if (SSL_is_init_finished(filter_ctx->pssl)) { return APR_SUCCESS; } + server = mySrvFromConn(c); if (sslconn->is_proxy) { if ((n = SSL_connect(filter_ctx->pssl)) <= 0) { ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, "SSL Proxy connect failed"); - ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server); + ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server); /* ensure that the SSL structures etc are freed, etc: */ ssl_filter_io_shutdown(filter_ctx, c, 1); return MODSSL_ERROR_BAD_GATEWAY; @@ -1118,8 +1120,8 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) ap_log_cerror(APLOG_MARK, APLOG_INFO, rc, c, "SSL library error %d in handshake " "(server %s)", ssl_err, - ssl_util_vhostid(c->pool, c->base_server)); - ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server); + ssl_util_vhostid(c->pool, server)); + ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server); } if (inctx->rc == APR_SUCCESS) { 
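Review bot: `mySrvFromConn(c)` is expanded twice in ssl_filter_io_shutdown, once in the loglevel test and again in the ssl_util_vhostid() argument, and each expansion is a fresh ap_get_module_config() lookup on the same connection. Caching it once in a local ahead of the `if` (`server_rec *s = mySrvFromConn(c);`, or another free name if `s` is taken), then `if (s->loglevel >= APLOG_INFO)` and `ssl_util_vhostid(c->pool, s)`, reads more clearly and matches how the ssl_io_filter_handshake hunk caches the same value in `server`. The function begins before this hunk.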
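Review bot: `server = mySrvFromConn(c);` in ssl_io_filter_handshake is captured before SSL_connect()/SSL_accept() run, yet the ssl_find_vhost hunk in ssl_engine_kernel.c now assigns `sslcon->server = s;`, which I take to happen from the servername callback during that handshake; if a different vhost is selected there, every later use of `server` in this function — the client-authentication logging in hunks `@@ -1154,7 +1157,7 @@` and `@@ -1164,7 +1167,7 @@` — still names the pre-handshake server, while `sc`, refreshed by the `sc = mySrvConfig(sslconn->server);` line added in hunk `@@ -1129,6 +1131,7 @@`, reflects the selected one. Those failures would then be reported against the wrong vhost's log and level. Refresh both together at that point: `server = sslconn->server;` immediately before the added line, which can then read `sc = mySrvConfig(server);`. The function body extends past this hunk.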
@@ -1129,6 +1131,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) ssl_filter_io_shutdown(filter_ctx, c, 1); return inctx->rc; } + sc = mySrvConfig(sslconn->server); /* * Check for failed client authentication @@ -1154,7 +1157,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) "accepting certificate based on " "\"SSLVerifyClient optional_no_ca\" " "configuration"); - ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server); + ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server); } else { const char *error = sslconn->verify_error ? @@ -1164,7 +1167,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, "SSL client authentication failed: %s", error ? error : "unknown"); - ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server); + ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server); ssl_filter_io_shutdown(filter_ctx, c, 1); return APR_ECONNABORTED; @@ -1773,7 +1776,7 @@ long ssl_io_data_cb(BIO *bio, int cmd, return rc; if ((c = (conn_rec *)SSL_get_app_data(ssl)) == NULL) return rc; - s = c->base_server; + s = mySrvFromConn(c); sc = mySrvConfig(s); if ( cmd == (BIO_CB_WRITE|BIO_CB_RETURN) diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 83a035c83a..6a63e74486 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -1124,7 +1124,7 @@ int ssl_hook_Fixup(request_rec *r) RSA *ssl_callback_TmpRSA(SSL *ssl, int export, int keylen) { conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); - SSLModConfigRec *mc = myModConfig(c->base_server); + SSLModConfigRec *mc = myModConfigFromConn(c); int idx; ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, 
@@ -1156,7 +1156,7 @@ RSA *ssl_callback_TmpRSA(SSL *ssl, int export, int keylen) DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen) { conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); - SSLModConfigRec *mc = myModConfig(c->base_server); + SSLModConfigRec *mc = myModConfigFromConn(c); int idx; ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, @@ -1185,7 +1185,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl); - server_rec *s = conn->base_server; + server_rec *s = mySrvFromConn(conn); request_rec *r = (request_rec *)SSL_get_app_data2(ssl); SSLSrvConfigRec *sc = mySrvConfig(s); @@ -1316,7 +1316,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c) { - server_rec *s = c->base_server; + server_rec *s = mySrvFromConn(c); SSLSrvConfigRec *sc = mySrvConfig(s); SSLConnRec *sslconn = myConnConfig(c); modssl_ctx_t *mctx = myCtxConfig(sslconn, sc); @@ -1541,7 +1541,7 @@ static void modssl_proxy_info_log(server_rec *s, int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey) { conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); - server_rec *s = c->base_server; + server_rec *s = mySrvFromConn(c); SSLSrvConfigRec *sc = mySrvConfig(s); X509_NAME *ca_name, *issuer; X509_INFO *info; @@ -1639,7 +1639,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *session) { /* Get Apache context back through OpenSSL context */ conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl); - server_rec *s = conn->base_server; + server_rec *s = mySrvFromConn(conn); SSLSrvConfigRec *sc = mySrvConfig(s); long timeout = sc->session_cache_timeout; BOOL rc; 
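Review bot: In the ssl_callback_SSLVerify_CRL hunk the new `server_rec *s = mySrvFromConn(c);` performs a myConnConfig(c) lookup that the `SSLConnRec *sslconn = myConnConfig(c);` two lines below repeats. Declaring the connection record first and deriving the server from it, `SSLConnRec *sslconn = myConnConfig(c);` followed by `server_rec *s = sslconn->server;`, removes the duplicate lookup and makes the dependency on the attached SSLConnRec explicit. The same two-lookup shape may occur in the other callbacks in this file that switched to mySrvFromConn(), but their bodies are outside the hunks shown.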
@@ -1687,7 +1687,7 @@ SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl, { /* Get Apache context back through OpenSSL context */ conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl); - server_rec *s = conn->base_server; + server_rec *s = mySrvFromConn(conn); SSL_SESSION *session; /* @@ -1766,7 +1766,7 @@ void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc return; } - s = c->base_server; + s = mySrvFromConn(c); if (!(sc = mySrvConfig(s))) { return; } @@ -1882,6 +1882,7 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s) BOOL found = FALSE; apr_array_header_t *names; int i; + SSLConnRec *sslcon; /* check ServerName */ if (!strcasecmp(servername, s->server_hostname)) { @@ -1924,7 +1925,8 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s) } /* set SSL_CTX (if matched) */ - if (found && (ssl = ((SSLConnRec *)myConnConfig(c))->ssl) && + sslcon = myConnConfig(c); + if (found && (ssl = sslcon->ssl) && (sc = mySrvConfig(s))) { SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx); /* @@ -1955,7 +1957,7 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s) * cases, it also ensures that these messages are routed * to the proper log. */ - c->base_server = s; + sslcon->server = s; /* * There is one special filter callback, which is set @@ -1964,7 +1966,7 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s) * (and the first vhost doesn't use APLOG_DEBUG), then * we need to set that callback here. */ - if (c->base_server->loglevel >= APLOG_DEBUG) { + if (mySrvFromConn(c)->loglevel >= APLOG_DEBUG) { BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb); BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl); } diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c index 2e3d221423..c3575bb0b2 100644 --- a/modules/ssl/ssl_engine_log.c +++ b/modules/ssl/ssl_engine_log.c 
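Review bot: The new local in ssl_find_vhost is named `sslcon`, while every other hunk in this patch (mod_ssl.c, ssl_engine_io.c, ssl_engine_kernel.c) spells the same type of variable `sslconn`; renaming it keeps the module searchable for one name. In the same function, the `@@ -1964,7 +1966,7 @@` hunk tests `mySrvFromConn(c)->loglevel` a few lines after `sslcon->server = s;` assigned exactly that value, so `if (s->loglevel >= APLOG_DEBUG)` says the same thing without a second config lookup. Note also that the comment preceding `sslcon->server = s;` still describes the effect in terms of the connection's server; if it mentions `c->base_server` in the lines outside the hunk, it should be updated to the new field. The function starts before and ends after these hunks.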
@@ -117,7 +117,7 @@ void ssl_log_cxerror(const char *file, int line, int level, char *sname, *iname, *serial; BIGNUM *bn; - if (c->base_server->loglevel < level) { + if (mySrvFromConn(c)->loglevel < level) { /* Bail early since the rest of this function is expensive. */ return; } diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index d8ded93750..4400cd25dd 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -128,6 +128,9 @@ ap_set_module_config(c->conn_config, &ssl_module, val) #define mySrvConfig(srv) (SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &ssl_module) #define myDirConfig(req) (SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module) #define myModConfig(srv) (mySrvConfig((srv)))->mc +#define mySrvFromConn(c) (myConnConfig(c))->server +#define mySrvConfigFromConn(c) mySrvConfig(mySrvFromConn(c)) +#define myModConfigFromConn(c) myModConfig(mySrvFromConn(c)) #define myCtxVarSet(mc,num,val) mc->rCtx.pV##num = val #define myCtxVarGet(mc,num,type) (type)(mc->rCtx.pV##num) @@ -333,6 +336,7 @@ typedef struct { int is_proxy; int disabled; int non_ssl_request; + server_rec *server; } SSLConnRec; /* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is diff --git a/modules/ssl/ssl_util_ocsp.c b/modules/ssl/ssl_util_ocsp.c index 3461c91890..214bacc6fa 100644 --- a/modules/ssl/ssl_util_ocsp.c +++ b/modules/ssl/ssl_util_ocsp.c @@ -82,7 +82,7 @@ static apr_socket_t *send_request(BIO *request, const apr_uri_t *uri, rv = apr_socket_create(&sd, sa->family, SOCK_STREAM, APR_PROTO_TCP, p); if (rv == APR_SUCCESS) { /* Inherit the default I/O timeout. */ - apr_socket_timeout_set(sd, c->base_server->timeout); + apr_socket_timeout_set(sd, mySrvFromConn(c)->timeout); rv = apr_socket_connect(sd, sa); if (rv == APR_SUCCESS) { 
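Review bot: `mySrvFromConn(c)` dereferences the result of myConnConfig(c) unconditionally, so the three new macros are only valid once ssl_init_connection_ctx() has attached an SSLConnRec, and the two mod_ssl.c hunks that guard with `if (sslconn)` show the module does see connections where it is absent; nothing at the definition says so. A one-line precondition above them would keep future callers (the ssl_engine_log.c and ssl_util_ocsp.c hunks already use the macro on any `conn_rec *` they are handed) from reintroducing a NULL dereference: `/* Valid only after ssl_init_connection_ctx(c): myConnConfig(c) must be non-NULL. */`.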
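Review bot: The new `server_rec *server;` member of SSLConnRec carries no comment although it replaces `c->base_server` as the module's notion of which server a connection belongs to, is initialised in ssl_init_connection_ctx() and is reassigned in ssl_find_vhost() on a servername match. Suggest documenting that lifecycle on the field: `server_rec *server; /* server for this connection; c->base_server until ssl_find_vhost() selects a vhost */`. The surrounding struct members are unchanged by this hunk.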
@@ -262,7 +262,7 @@ static OCSP_RESPONSE *read_response(apr_socket_t *sd, BIO *bio, conn_rec *c, * bio. */ response = d2i_OCSP_RESPONSE_bio(bio, NULL); if (response == NULL) { - ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, mySrvFromConn(c)); ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, "failed to decode OCSP response data"); } @@ -280,7 +280,7 @@ OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri, bio = serialize_request(request, uri); if (bio == NULL) { - ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server); + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, mySrvFromConn(c)); ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, "could not serialize OCSP request"); return NULL; -- 2.40.0