mod_ssl: Use retained data API for storing private keys across reloads.

Allocate SSLModConfigRec from pconf rather than the process pool. * modules/ssl/ssl_private.h: Add modssl_retained_data_t structure and move private key storage here from SSLModConfigRec. Add retained pointer to SSLModConfigRec. * modules/ssl/ssl_engine_config.c (ssl_config_global_create): Take pool argument; allocate SSLModConfigRec from there and initialize mc->retained. SSLModConfigRec no longer cached for the process lifetime. (ssl_init_Module): Sanity check that sc->mc is correct. (ssl_init_server_certs): Use private keys from mc->retained. * modules/ssl/ssl_engine_pphrase.c (privkey_vhost_keyid): Rename from asn1_table_vhost_key and update to use the retained structure. (ssl_load_encrypted_pkey): Update for above. * modules/ssl/ssl_engine_init.c (ssl_init_Module): Remove (apparently) redundant call to ssl_config_global_create and add debug asserts to validate that is safe. Github: closes #119 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877345 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2020-05-04 08:32:23 +00:00
parent dd3b1ab98b
commit 31dfb9b476
4 changed files with 69 additions and 77 deletions
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -226,6 +226,8 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
    apr_status_t rv;
    apr_array_header_t *pphrases;

+    AP_DEBUG_ASSERT(mc);
+
    if (SSLeay() < MODSSL_LIBRARY_VERSION) {
        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882)
                     "Init: this version of mod_ssl was compiled against "
@@ -250,7 +252,6 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
    /*
     * Any init round fixes the global config
     */
-    ssl_config_global_create(base_server); /* just to avoid problems */
    ssl_config_global_fix(mc);

    /*
@@ -260,6 +261,8 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
    for (s = base_server; s; s = s->next) {
        sc = mySrvConfig(s);

+        AP_DEBUG_ASSERT(sc->mc == mc);
+
        if (sc->server) {
            sc->server->sc = sc;
        }
@@ -1441,7 +1444,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
            /* perhaps it's an encrypted private key, so try again */
            ssl_load_encrypted_pkey(s, ptemp, i, keyfile, &pphrases);

-            if (!(asn1 = ssl_asn1_table_get(mc->tPrivateKey, key_id)) ||
+            if (!(asn1 = ssl_asn1_table_get(mc->retained->privkeys, key_id)) ||
                !(ptr = asn1->cpData) ||
                !(pkey = d2i_AutoPrivateKey(NULL, &ptr, asn1->nData)) ||
                (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) < 1)) {