You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by yl...@apache.org on 2019/03/16 13:45:17 UTC
svn commit: r1855646 - in /httpd/httpd/trunk: CHANGES
modules/proxy/proxy_util.c modules/ssl/mod_ssl.c
Author: ylavic
Date: Sat Mar 16 13:45:17 2019
New Revision: 1855646
URL: http://svn.apache.org/viewvc?rev=1855646&view=rev
Log:
mod_proxy/ssl: cleanup per-request SSL configuration for recycled proxy conns.
The SSL dir config of proxy/backend connections is stored in r->per_dir_config
but those connections have a lifetime independent of the requests they handle.
So we need to allow the external ssl_engine_set() function to reset mod_ssl's
dir config in between proxy requests, or the first sslconn->dc could be used
after free for the next requests.
mod_proxy can then reset/reinit the request config when recycling its backend
connections.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/proxy/proxy_util.c
httpd/httpd/trunk/modules/ssl/mod_ssl.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1855646&r1=1855645&r2=1855646&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sat Mar 16 13:45:17 2019
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend
+ connection is recycled/reused to avoid a possible crash with some SSLProxy
+ configurations in <Location> or <Proxy> context. PR 63256. [Yann Ylavic]
+
*) mod_mime: Add `MimeOptions` directive to allow Content-Type or all metadata
detection to use only the last (right-most) file extension. [Eric Covener]
Modified: httpd/httpd/trunk/modules/proxy/proxy_util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/proxy_util.c?rev=1855646&r1=1855645&r2=1855646&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/proxy/proxy_util.c (original)
+++ httpd/httpd/trunk/modules/proxy/proxy_util.c Sat Mar 16 13:45:17 2019
@@ -1522,6 +1522,13 @@ static apr_status_t connection_cleanup(v
socket_cleanup(conn);
conn->close = 0;
}
+ else if (conn->is_ssl) {
+ /* Unbind/reset the SSL connection dir config (sslconn->dc) from
+ * r->per_dir_config, r will likely get destroyed before this proxy
+ * conn is reused.
+ */
+ ap_proxy_ssl_engine(conn->connection, worker->section_config, 1);
+ }
if (worker->s->hmax && worker->cp->res) {
conn->inreslist = 1;
@@ -3238,6 +3245,12 @@ static int proxy_connection_create(const
apr_bucket_alloc_t *bucket_alloc;
if (conn->connection) {
+ if (conn->is_ssl) {
+ /* on reuse, reinit the SSL connection dir config with the current
+ * r->per_dir_config, the previous one was reset on release.
+ */
+ ap_proxy_ssl_engine(conn->connection, per_dir_config, 1);
+ }
return OK;
}
Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1855646&r1=1855645&r2=1855646&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Sat Mar 16 13:45:17 2019
@@ -486,17 +486,31 @@ static int ssl_hook_pre_config(apr_pool_
}
static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
- ap_conf_vector_t *per_dir_config)
+ ap_conf_vector_t *per_dir_config,
+ int new_proxy)
{
SSLConnRec *sslconn = myConnConfig(c);
- SSLSrvConfigRec *sc;
- if (sslconn) {
- return sslconn;
- }
+ if (!sslconn) {
+ sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
- sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
+ sslconn->server = c->base_server;
+ sslconn->verify_depth = UNSET;
+ if (new_proxy) {
+ sslconn->is_proxy = 1;
+ sslconn->cipher_suite = sslconn->dc->proxy->auth.cipher_suite;
+ }
+ else {
+ SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+ sslconn->cipher_suite = sc->server->auth.cipher_suite;
+ }
+ myConnConfigSet(c, sslconn);
+ }
+
+ /* Reinit dc in any case because it may be r->per_dir_config scoped
+ * and thus a caller like mod_proxy needs to update it per request.
+ */
if (per_dir_config) {
sslconn->dc = ap_get_module_config(per_dir_config, &ssl_module);
}
@@ -505,13 +519,6 @@ static SSLConnRec *ssl_init_connection_c
&ssl_module);
}
- sslconn->server = c->base_server;
- sslconn->verify_depth = UNSET;
- sc = mySrvConfig(c->base_server);
- sslconn->cipher_suite = sc->server->auth.cipher_suite;
-
- myConnConfigSet(c, sslconn);
-
return sslconn;
}
@@ -551,8 +558,7 @@ static int ssl_engine_set(conn_rec *c,
int status;
if (proxy) {
- sslconn = ssl_init_connection_ctx(c, per_dir_config);
- sslconn->is_proxy = 1;
+ sslconn = ssl_init_connection_ctx(c, per_dir_config, 1);
}
else {
sslconn = myConnConfig(c);
@@ -599,7 +605,7 @@ int ssl_init_ssl_connection(conn_rec *c,
/*
* Create or retrieve SSL context
*/
- sslconn = ssl_init_connection_ctx(c, r ? r->per_dir_config : NULL);
+ sslconn = ssl_init_connection_ctx(c, r ? r->per_dir_config : NULL, 0);
server = sslconn->server;
sc = mySrvConfig(server);
Re: svn commit: r1855646 - in /httpd/httpd/trunk: CHANGES
modules/proxy/proxy_util.c modules/ssl/mod_ssl.c
Posted by Yann Ylavic <yl...@gmail.com>.
On Mon, Mar 18, 2019 at 10:20 AM Ruediger Pluem <rp...@apache.org> wrote:
>
> >
> > Hm. sslconn->dc is not set at this point of time. This happens only later down below, after the new Reinit comment.
>
> Hopefully solved in r1855748. Please have a look.
Thanks Rüdiger for catching and fixing this, I just added a backport
proposal including it.
Regards,
Yann.
Re: svn commit: r1855646 - in /httpd/httpd/trunk: CHANGES
modules/proxy/proxy_util.c modules/ssl/mod_ssl.c
Posted by Ruediger Pluem <rp...@apache.org>.
On 03/18/2019 08:47 AM, Ruediger Pluem wrote:
>
>
> On 03/16/2019 02:45 PM, ylavic@apache.org wrote:
>> Author: ylavic
>> Date: Sat Mar 16 13:45:17 2019
>> New Revision: 1855646
>>
>> URL: http://svn.apache.org/viewvc?rev=1855646&view=rev
>> Log:
>> mod_proxy/ssl: cleanup per-request SSL configuration for recycled proxy conns.
>>
>> The SSL dir config of proxy/backend connections is stored in r->per_dir_config
>> but those connections have a lifetime independent of the requests they handle.
>>
>> So we need to allow the external ssl_engine_set() function to reset mod_ssl's
>> dir config in between proxy requests, or the first sslconn->dc could be used
>> after free for the next requests.
>>
>> mod_proxy can then reset/reinit the request config when recycling its backend
>> connections.
>>
>> Modified:
>> httpd/httpd/trunk/CHANGES
>> httpd/httpd/trunk/modules/proxy/proxy_util.c
>> httpd/httpd/trunk/modules/ssl/mod_ssl.c
>>
>
>>
>> Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
>> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1855646&r1=1855645&r2=1855646&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
>> +++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Sat Mar 16 13:45:17 2019
>> @@ -486,17 +486,31 @@ static int ssl_hook_pre_config(apr_pool_
>> }
>>
>> static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
>> - ap_conf_vector_t *per_dir_config)
>> + ap_conf_vector_t *per_dir_config,
>> + int new_proxy)
>> {
>> SSLConnRec *sslconn = myConnConfig(c);
>> - SSLSrvConfigRec *sc;
>>
>> - if (sslconn) {
>> - return sslconn;
>> - }
>> + if (!sslconn) {
>> + sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
>>
>> - sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
>> + sslconn->server = c->base_server;
>> + sslconn->verify_depth = UNSET;
>> + if (new_proxy) {
>> + sslconn->is_proxy = 1;
>> + sslconn->cipher_suite = sslconn->dc->proxy->auth.cipher_suite;
>
> Hm. sslconn->dc is not set at this point of time. This happens only later down below, after the new Reinit comment.
Hopefully solved in r1855748. Please have a look.
Regards
Rüdiger
Re: svn commit: r1855646 - in /httpd/httpd/trunk: CHANGES
modules/proxy/proxy_util.c modules/ssl/mod_ssl.c
Posted by Ruediger Pluem <rp...@apache.org>.
On 03/16/2019 02:45 PM, ylavic@apache.org wrote:
> Author: ylavic
> Date: Sat Mar 16 13:45:17 2019
> New Revision: 1855646
>
> URL: http://svn.apache.org/viewvc?rev=1855646&view=rev
> Log:
> mod_proxy/ssl: cleanup per-request SSL configuration for recycled proxy conns.
>
> The SSL dir config of proxy/backend connections is stored in r->per_dir_config
> but those connections have a lifetime independent of the requests they handle.
>
> So we need to allow the external ssl_engine_set() function to reset mod_ssl's
> dir config in between proxy requests, or the first sslconn->dc could be used
> after free for the next requests.
>
> mod_proxy can then reset/reinit the request config when recycling its backend
> connections.
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/modules/proxy/proxy_util.c
> httpd/httpd/trunk/modules/ssl/mod_ssl.c
>
>
> Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1855646&r1=1855645&r2=1855646&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
> +++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Sat Mar 16 13:45:17 2019
> @@ -486,17 +486,31 @@ static int ssl_hook_pre_config(apr_pool_
> }
>
> static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
> - ap_conf_vector_t *per_dir_config)
> + ap_conf_vector_t *per_dir_config,
> + int new_proxy)
> {
> SSLConnRec *sslconn = myConnConfig(c);
> - SSLSrvConfigRec *sc;
>
> - if (sslconn) {
> - return sslconn;
> - }
> + if (!sslconn) {
> + sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
>
> - sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
> + sslconn->server = c->base_server;
> + sslconn->verify_depth = UNSET;
> + if (new_proxy) {
> + sslconn->is_proxy = 1;
> + sslconn->cipher_suite = sslconn->dc->proxy->auth.cipher_suite;
Hm. sslconn->dc is not set at this point of time. This happens only later down below, after the new Reinit comment.
> + }
> + else {
> + SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
> + sslconn->cipher_suite = sc->server->auth.cipher_suite;
> + }
>
> + myConnConfigSet(c, sslconn);
> + }
> +
> + /* Reinit dc in any case because it may be r->per_dir_config scoped
> + * and thus a caller like mod_proxy needs to update it per request.
> + */
> if (per_dir_config) {
> sslconn->dc = ap_get_module_config(per_dir_config, &ssl_module);
> }
> @@ -505,13 +519,6 @@ static SSLConnRec *ssl_init_connection_c
> &ssl_module);
> }
>
> - sslconn->server = c->base_server;
> - sslconn->verify_depth = UNSET;
> - sc = mySrvConfig(c->base_server);
> - sslconn->cipher_suite = sc->server->auth.cipher_suite;
> -
> - myConnConfigSet(c, sslconn);
> -
> return sslconn;
> }
>
Regards
Rüdiger