Posted to cvs@httpd.apache.org by rp...@apache.org on 2009/03/23 18:37:39 UTC

svn commit: r757463 - in /httpd/httpd/trunk/modules/ssl: mod_ssl.c ssl_engine_io.c ssl_engine_kernel.c ssl_engine_log.c ssl_private.h ssl_util_ocsp.c

Author: rpluem
Date: Mon Mar 23 17:37:38 2009
New Revision: 757463

URL: http://svn.apache.org/viewvc?rev=757463&view=rev
Log:
* Store the correct server_rec in the connection record configuration and
  adjust the remaining part of mod_ssl to use this server_rec instead of
  c->base_server.

  modules/ssl/ssl_private.h:
  - server_rec member to SSLConnRec struct
  - Add macros to extract data from connection_rec
    mySrvFromConn(c)
    mySrvConfigFromConn(c)
    myModConfigFromConn(c)
  modules/ssl/ssl_engine_io.c
  modules/ssl/ssl_util_ocsp.c
  modules/ssl/ssl_engine_kernel.c
  modules/ssl/mod_ssl.c
  modules/ssl/ssl_engine_log.c
  - Use the new macros to extract data from connection_rec
    and use the server_rec stored in SSLConnRec instead of
    c->base_server wherever appropriate.

Modified:
    httpd/httpd/trunk/modules/ssl/mod_ssl.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_log.c
    httpd/httpd/trunk/modules/ssl/ssl_private.h
    httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c

Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=757463&r1=757462&r2=757463&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Mon Mar 23 17:37:38 2009
@@ -290,6 +290,8 @@
 
     sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
 
+    sslconn->server = c->base_server;
+
     myConnConfigSet(c, sslconn);
 
     return sslconn;
@@ -297,9 +299,10 @@
 
 int ssl_proxy_enable(conn_rec *c)
 {
-    SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+    SSLSrvConfigRec *sc;
 
     SSLConnRec *sslconn = ssl_init_connection_ctx(c);
+    sc = mySrvConfig(sslconn->server);
 
     if (!sc->proxy_enabled) {
         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
@@ -317,10 +320,16 @@
 
 int ssl_engine_disable(conn_rec *c)
 {
-    SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+    SSLSrvConfigRec *sc;
 
-    SSLConnRec *sslconn;
+    SSLConnRec *sslconn = myConnConfig(c);
 
+    if (sslconn) {
+        sc = mySrvConfig(sslconn->server);
+    }
+    else {
+        sc = mySrvConfig(c->base_server);
+    }
     if (sc->enabled == SSL_ENABLED_FALSE) {
         return 0;
     }
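Review bot: The `if (sslconn) … else …` selection of `sc` added here is repeated verbatim in ssl_hook_pre_connection (the @@ -424 hunk), and neither site can use the new mySrvConfigFromConn(c) macro because that macro dereferences the connection config unchecked. A small file-scope helper returning the server config for a connection would keep the two fallbacks in step and give the NULL case one documented home. Note that mySrvConfig does not parenthesize its argument (`srv->module_config` in ssl_private.h), so the helper should pass a plain local rather than a conditional expression. ssl_engine_disable's body continues below the hunk.
```c
/* Server config for c: the server recorded in its SSLConnRec when one
 * exists, else c->base_server (a connection may have no SSLConnRec yet). */
static SSLSrvConfigRec *ssl_srv_config_for_conn(conn_rec *c)
{
    SSLConnRec *sslconn = myConnConfig(c);
    server_rec *s = sslconn ? sslconn->server : c->base_server;

    return mySrvConfig(s);
}

int ssl_engine_disable(conn_rec *c)
{
    SSLSrvConfigRec *sc = ssl_srv_config_for_conn(c);
    SSLConnRec *sslconn = myConnConfig(c);
    /* … unchanged: enabled check and the rest of the function … */
```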
@@ -334,20 +343,23 @@
 
 int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
 {
-    SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+    SSLSrvConfigRec *sc;
     SSL *ssl;
     SSLConnRec *sslconn = myConnConfig(c);
     char *vhost_md5;
     modssl_ctx_t *mctx;
-
-    /*
-     * Seed the Pseudo Random Number Generator (PRNG)
-     */
-    ssl_rand_seed(c->base_server, c->pool, SSL_RSCTX_CONNECT, "");
+    server_rec *server;
 
     if (!sslconn) {
         sslconn = ssl_init_connection_ctx(c);
     }
+    server = sslconn->server;
+    sc = mySrvConfig(server);
+
+    /*
+     * Seed the Pseudo Random Number Generator (PRNG)
+     */
+    ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT, "");
 
     mctx = sslconn->is_proxy ? sc->proxy : sc->server;
 
@@ -360,7 +372,7 @@
         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                       "Unable to create a new SSL connection from the SSL "
                       "context");
-        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
+        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server);
 
         c->aborted = 1;
 
@@ -375,7 +387,7 @@
     {
         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                       "Unable to set session id context to `%s'", vhost_md5);
-        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
+        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server);
 
         c->aborted = 1;
 
@@ -424,9 +436,15 @@
 
 static int ssl_hook_pre_connection(conn_rec *c, void *csd)
 {
-    SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+    SSLSrvConfigRec *sc;
     SSLConnRec *sslconn = myConnConfig(c);
 
+    if (sslconn) {
+        sc = mySrvConfig(sslconn->server);
+    }
+    else {
+        sc = mySrvConfig(c->base_server);
+    }
     /*
      * Immediately stop processing if SSL is disabled for this connection
      */

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?rev=757463&r1=757462&r2=757463&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_io.c Mon Mar 23 17:37:38 2009
@@ -702,7 +702,7 @@
                  */
                 ap_log_cerror(APLOG_MARK, APLOG_INFO, inctx->rc, c,
                               "SSL library error %d reading data", ssl_err);
-                ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
+                ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, mySrvFromConn(c));
 
             }
             if (inctx->rc == APR_SUCCESS) {
@@ -809,7 +809,7 @@
              */
             ap_log_cerror(APLOG_MARK, APLOG_INFO, outctx->rc, c,
                           "SSL library error %d writing data", ssl_err);
-            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
+            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, mySrvFromConn(c));
         }
         if (outctx->rc == APR_SUCCESS) {
             outctx->rc = APR_EGENERAL;
@@ -879,7 +879,7 @@
             ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, f->c,
                          "SSL handshake failed: HTTP spoken on HTTPS port; "
                          "trying to send HTML error page");
-            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, f->c->base_server);
+            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, sslconn->server);
 
             sslconn->non_ssl_request = 1;
             ssl_io_filter_disable(sslconn, f);
@@ -996,11 +996,11 @@
     SSL_smart_shutdown(ssl);
 
     /* and finally log the fact that we've closed the connection */
-    if (c->base_server->loglevel >= APLOG_INFO) {
+    if (mySrvFromConn(c)->loglevel >= APLOG_INFO) {
         ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                       "Connection closed to child %ld with %s shutdown "
                       "(server %s)",
-                      c->id, type, ssl_util_vhostid(c->pool, c->base_server));
+                      c->id, type, ssl_util_vhostid(c->pool, mySrvFromConn(c)));
     }
 
     /* deallocate the SSL connection */
@@ -1047,21 +1047,23 @@
 {
     conn_rec *c         = (conn_rec *)SSL_get_app_data(filter_ctx->pssl);
     SSLConnRec *sslconn = myConnConfig(c);
-    SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+    SSLSrvConfigRec *sc;
     X509 *cert;
     int n;
     int ssl_err;
     long verify_result;
+    server_rec *server;
 
     if (SSL_is_init_finished(filter_ctx->pssl)) {
         return APR_SUCCESS;
     }
 
+    server = mySrvFromConn(c);
     if (sslconn->is_proxy) {
         if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
             ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                           "SSL Proxy connect failed");
-            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
+            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
             /* ensure that the SSL structures etc are freed, etc: */
             ssl_filter_io_shutdown(filter_ctx, c, 1);
             return MODSSL_ERROR_BAD_GATEWAY;
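Review bot: `sc` is declared without an initializer at the top of ssl_io_filter_handshake and is now assigned only in the @@ -1129 hunk, after the proxy branch has already returned, so any read of `sc` in the proxy path between the two hunks (cut off here) would use an uninitialized pointer where the old code had `sc` valid from the first line. Assigning it together with `server` removes the hazard and also removes the inconsistency of deriving one from mySrvFromConn(c) and the other from sslconn->server: after `server = mySrvFromConn(c);` add `sc = mySrvConfig(server);` and drop the later assignment. The function continues past the end of this hunk.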
@@ -1118,8 +1120,8 @@
             ap_log_cerror(APLOG_MARK, APLOG_INFO, rc, c,
                           "SSL library error %d in handshake "
                           "(server %s)", ssl_err,
-                          ssl_util_vhostid(c->pool, c->base_server));
-            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
+                          ssl_util_vhostid(c->pool, server));
+            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
 
         }
         if (inctx->rc == APR_SUCCESS) {
@@ -1129,6 +1131,7 @@
         ssl_filter_io_shutdown(filter_ctx, c, 1);
         return inctx->rc;
     }
+    sc = mySrvConfig(sslconn->server);
 
     /*
      * Check for failed client authentication
@@ -1154,7 +1157,7 @@
                           "accepting certificate based on "
                           "\"SSLVerifyClient optional_no_ca\" "
                           "configuration");
-            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
+            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
         }
         else {
             const char *error = sslconn->verify_error ?
@@ -1164,7 +1167,7 @@
             ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                          "SSL client authentication failed: %s",
                          error ? error : "unknown");
-            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
+            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
 
             ssl_filter_io_shutdown(filter_ctx, c, 1);
             return APR_ECONNABORTED;
@@ -1773,7 +1776,7 @@
         return rc;
     if ((c = (conn_rec *)SSL_get_app_data(ssl)) == NULL)
         return rc;
-    s = c->base_server;
+    s = mySrvFromConn(c);
     sc = mySrvConfig(s);
 
     if (   cmd == (BIO_CB_WRITE|BIO_CB_RETURN)

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=757463&r1=757462&r2=757463&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Mar 23 17:37:38 2009
@@ -1124,7 +1124,7 @@
 RSA *ssl_callback_TmpRSA(SSL *ssl, int export, int keylen)
 {
     conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
-    SSLModConfigRec *mc = myModConfig(c->base_server);
+    SSLModConfigRec *mc = myModConfigFromConn(c);
     int idx;
 
     ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
@@ -1156,7 +1156,7 @@
 DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
 {
     conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
-    SSLModConfigRec *mc = myModConfig(c->base_server);
+    SSLModConfigRec *mc = myModConfigFromConn(c);
     int idx;
 
     ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
@@ -1185,7 +1185,7 @@
     SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
                                           SSL_get_ex_data_X509_STORE_CTX_idx());
     conn_rec *conn      = (conn_rec *)SSL_get_app_data(ssl);
-    server_rec *s       = conn->base_server;
+    server_rec *s       = mySrvFromConn(conn);
     request_rec *r      = (request_rec *)SSL_get_app_data2(ssl);
 
     SSLSrvConfigRec *sc = mySrvConfig(s);
@@ -1316,7 +1316,7 @@
 
 int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
 {
-    server_rec *s       = c->base_server;
+    server_rec *s       = mySrvFromConn(c);
     SSLSrvConfigRec *sc = mySrvConfig(s);
     SSLConnRec *sslconn = myConnConfig(c);
     modssl_ctx_t *mctx  = myCtxConfig(sslconn, sc);
@@ -1541,7 +1541,7 @@
 int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey)
 {
     conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
-    server_rec *s = c->base_server;
+    server_rec *s = mySrvFromConn(c);
     SSLSrvConfigRec *sc = mySrvConfig(s);
     X509_NAME *ca_name, *issuer;
     X509_INFO *info;
@@ -1639,7 +1639,7 @@
 {
     /* Get Apache context back through OpenSSL context */
     conn_rec *conn      = (conn_rec *)SSL_get_app_data(ssl);
-    server_rec *s       = conn->base_server;
+    server_rec *s       = mySrvFromConn(conn);
     SSLSrvConfigRec *sc = mySrvConfig(s);
     long timeout        = sc->session_cache_timeout;
     BOOL rc;
@@ -1687,7 +1687,7 @@
 {
     /* Get Apache context back through OpenSSL context */
     conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
-    server_rec *s  = conn->base_server;
+    server_rec *s  = mySrvFromConn(conn);
     SSL_SESSION *session;
 
     /*
@@ -1766,7 +1766,7 @@
         return;
     }
 
-    s = c->base_server;
+    s = mySrvFromConn(c);
     if (!(sc = mySrvConfig(s))) {
         return;
     }
@@ -1882,6 +1882,7 @@
     BOOL found = FALSE;
     apr_array_header_t *names;
     int i;
+    SSLConnRec *sslcon;
 
     /* check ServerName */
     if (!strcasecmp(servername, s->server_hostname)) {
@@ -1924,7 +1925,8 @@
     }
 
     /* set SSL_CTX (if matched) */
-    if (found && (ssl = ((SSLConnRec *)myConnConfig(c))->ssl) &&
+    sslcon = myConnConfig(c);
+    if (found && (ssl = sslcon->ssl) &&
         (sc = mySrvConfig(s))) {
         SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
         /*
@@ -1955,7 +1957,7 @@
          * cases, it also ensures that these messages are routed
          * to the proper log.
          */
-        c->base_server = s;
+        sslcon->server = s;
 
         /*
          * There is one special filter callback, which is set
@@ -1964,7 +1966,7 @@
          * (and the first vhost doesn't use APLOG_DEBUG), then
          * we need to set that callback here.
          */
-        if (c->base_server->loglevel >= APLOG_DEBUG) {
+        if (mySrvFromConn(c)->loglevel >= APLOG_DEBUG) {
             BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb);
             BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl);
         }

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_log.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_log.c?rev=757463&r1=757462&r2=757463&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_log.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_log.c Mon Mar 23 17:37:38 2009
@@ -117,7 +117,7 @@
     char *sname, *iname, *serial;
     BIGNUM *bn;
     
-    if (c->base_server->loglevel < level) {
+    if (mySrvFromConn(c)->loglevel < level) {
         /* Bail early since the rest of this function is expensive. */
         return;
     }

Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=757463&r1=757462&r2=757463&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Mon Mar 23 17:37:38 2009
@@ -128,6 +128,9 @@
 #define mySrvConfig(srv) (SSLSrvConfigRec *)ap_get_module_config(srv->module_config,  &ssl_module)
 #define myDirConfig(req) (SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module)
 #define myModConfig(srv) (mySrvConfig((srv)))->mc
+#define mySrvFromConn(c) (myConnConfig(c))->server
+#define mySrvConfigFromConn(c) mySrvConfig(mySrvFromConn(c))
+#define myModConfigFromConn(c) myModConfig(mySrvFromConn(c))
 
 #define myCtxVarSet(mc,num,val)  mc->rCtx.pV##num = val
 #define myCtxVarGet(mc,num,type) (type)(mc->rCtx.pV##num)
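Review bot: The three new macros dereference `myConnConfig(c)` with no NULL check, yet ssl_engine_disable and ssl_hook_pre_connection in this same commit explicitly handle a connection that has no SSLConnRec yet, so the precondition is real and should be stated beside the macro: `/* Require that c already has an SSLConnRec (see ssl_init_connection_ctx); not valid before that. */`. The callers switched to mySrvFromConn(c) in ssl_engine_log.c and ssl_util_ocsp.c inherit that precondition silently.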
@@ -333,6 +336,7 @@
     int is_proxy;
     int disabled;
     int non_ssl_request;
+    server_rec *server;
 } SSLConnRec;
 
 /* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is
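Review bot: The new `server` member has no comment explaining how it differs from c->base_server, which matters because the SNI code in ssl_engine_kernel.c now reassigns it (`sslcon->server = s`) while c->base_server is left untouched. Suggest `server_rec *server; /* vhost serving this connection: starts as c->base_server, replaced by the SNI-selected vhost */`.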

Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c?rev=757463&r1=757462&r2=757463&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c Mon Mar 23 17:37:38 2009
@@ -82,7 +82,7 @@
         rv = apr_socket_create(&sd, sa->family, SOCK_STREAM, APR_PROTO_TCP, p);
         if (rv == APR_SUCCESS) {
             /* Inherit the default I/O timeout. */
-            apr_socket_timeout_set(sd, c->base_server->timeout);
+            apr_socket_timeout_set(sd, mySrvFromConn(c)->timeout);
 
             rv = apr_socket_connect(sd, sa);
             if (rv == APR_SUCCESS) {
@@ -262,7 +262,7 @@
      * bio. */
     response = d2i_OCSP_RESPONSE_bio(bio, NULL);
     if (response == NULL) {
-        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
+        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, mySrvFromConn(c));
         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                       "failed to decode OCSP response data");
     }
@@ -280,7 +280,7 @@
 
     bio = serialize_request(request, uri);
     if (bio == NULL) {
-        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
+        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, mySrvFromConn(c));
         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                       "could not serialize OCSP request");
         return NULL;