www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-07 04:02:58 +03:00
Code Activity

* Store the correct server_rec in the connection record configuration and

Browse Source 
adjust the remaining part of mod_ssl to use this server_rec instead of
  c->base_server.

  modules/ssl/ssl_private.h:
  - server_rec member to SSLConnRec struct
  - Add macros to extract data from connection_rec
    mySrvFromConn(c)
    mySrvConfigFromConn(c)
    myModConfigFromConn(c)
  modules/ssl/ssl_engine_io.c
  modules/ssl/ssl_util_ocsp.c
  modules/ssl/ssl_engine_kernel.c
  modules/ssl/mod_ssl.c
  modules/ssl/ssl_engine_log.c
  - Use the new macros to extract data fron connection_rec
    and use the server_rec stored in SSLConnRec instead of
    c->base_server whereever appropriate.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@757463 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Ruediger Pluem
2009-03-23 17:37:38 +00:00
parent ba2883e9b2
commit 9e39ba015a
6 changed files with 66 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
modules/ssl/mod_ssl.c
View File

@@ -290,6 +290,8 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
sslconn->server = c->base_server;
myConnConfigSet(c, sslconn);
return sslconn;
@@ -297,9 +299,10 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
int ssl_proxy_enable(conn_rec *c)
{
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
SSLSrvConfigRec *sc;
SSLConnRec *sslconn = ssl_init_connection_ctx(c);
sc = mySrvConfig(sslconn->server);
if (!sc->proxy_enabled) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
@@ -317,10 +320,16 @@ int ssl_proxy_enable(conn_rec *c)
int ssl_engine_disable(conn_rec *c)
{
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
SSLSrvConfigRec *sc;
SSLConnRec *sslconn;
SSLConnRec *sslconn = myConnConfig(c);
if (sslconn) {
sc = mySrvConfig(sslconn->server);
}
else {
sc = mySrvConfig(c->base_server);
}
if (sc->enabled == SSL_ENABLED_FALSE) {
return 0;
}
@@ -334,20 +343,23 @@ int ssl_engine_disable(conn_rec *c)
int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
{
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
SSLSrvConfigRec *sc;
SSL *ssl;
SSLConnRec *sslconn = myConnConfig(c);
char *vhost_md5;
modssl_ctx_t *mctx;
/*
* Seed the Pseudo Random Number Generator (PRNG)
*/
ssl_rand_seed(c->base_server, c->pool, SSL_RSCTX_CONNECT, "");
server_rec *server;
if (!sslconn) {
sslconn = ssl_init_connection_ctx(c);
}
server = sslconn->server;
sc = mySrvConfig(server);
/*
* Seed the Pseudo Random Number Generator (PRNG)
*/
ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT, "");
mctx = sslconn->is_proxy ? sc->proxy : sc->server;
@@ -360,7 +372,7 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
"Unable to create a new SSL connection from the SSL "
"context");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server);
c->aborted = 1;
@@ -375,7 +387,7 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
{
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
"Unable to set session id context to `%s'", vhost_md5);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server);
c->aborted = 1;
@@ -424,9 +436,15 @@ static apr_port_t ssl_hook_default_port(const request_rec *r)
static int ssl_hook_pre_connection(conn_rec *c, void *csd)
{
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
SSLSrvConfigRec *sc;
SSLConnRec *sslconn = myConnConfig(c);
if (sslconn) {
sc = mySrvConfig(sslconn->server);
}
else {
sc = mySrvConfig(c->base_server);
}
/*
* Immediately stop processing if SSL is disabled for this connection
*/

27
modules/ssl/ssl_engine_io.c
View File

@@ -702,7 +702,7 @@ static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx,
*/
ap_log_cerror(APLOG_MARK, APLOG_INFO, inctx->rc, c,
"SSL library error %d reading data", ssl_err);
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, mySrvFromConn(c));
}
if (inctx->rc == APR_SUCCESS) {
@@ -809,7 +809,7 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
*/
ap_log_cerror(APLOG_MARK, APLOG_INFO, outctx->rc, c,
"SSL library error %d writing data", ssl_err);
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, mySrvFromConn(c));
}
if (outctx->rc == APR_SUCCESS) {
outctx->rc = APR_EGENERAL;
@@ -879,7 +879,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, f->c,
"SSL handshake failed: HTTP spoken on HTTPS port; "
"trying to send HTML error page");
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, f->c->base_server);
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, sslconn->server);
sslconn->non_ssl_request = 1;
ssl_io_filter_disable(sslconn, f);
@@ -996,11 +996,11 @@ static void ssl_filter_io_shutdown(ssl_filter_ctx_t *filter_ctx,
SSL_smart_shutdown(ssl);
/* and finally log the fact that we've closed the connection */
if (c->base_server->loglevel >= APLOG_INFO) {
if (mySrvFromConn(c)->loglevel >= APLOG_INFO) {
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
"Connection closed to child %ld with %s shutdown "
"(server %s)",
c->id, type, ssl_util_vhostid(c->pool, c->base_server));
c->id, type, ssl_util_vhostid(c->pool, mySrvFromConn(c)));
}
/* deallocate the SSL connection */
@@ -1047,21 +1047,23 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
{
conn_rec *c = (conn_rec *)SSL_get_app_data(filter_ctx->pssl);
SSLConnRec *sslconn = myConnConfig(c);
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
SSLSrvConfigRec *sc;
X509 *cert;
int n;
int ssl_err;
long verify_result;
server_rec *server;
if (SSL_is_init_finished(filter_ctx->pssl)) {
return APR_SUCCESS;
}
server = mySrvFromConn(c);
if (sslconn->is_proxy) {
if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
"SSL Proxy connect failed");
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
return MODSSL_ERROR_BAD_GATEWAY;
@@ -1118,8 +1120,8 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
ap_log_cerror(APLOG_MARK, APLOG_INFO, rc, c,
"SSL library error %d in handshake "
"(server %s)", ssl_err,
ssl_util_vhostid(c->pool, c->base_server));
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
ssl_util_vhostid(c->pool, server));
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
}
if (inctx->rc == APR_SUCCESS) {
@@ -1129,6 +1131,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
ssl_filter_io_shutdown(filter_ctx, c, 1);
return inctx->rc;
}
sc = mySrvConfig(sslconn->server);
/*
* Check for failed client authentication
@@ -1154,7 +1157,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
"accepting certificate based on "
"\"SSLVerifyClient optional_no_ca\" "
"configuration");
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
}
else {
const char *error = sslconn->verify_error ?
@@ -1164,7 +1167,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
"SSL client authentication failed: %s",
error ? error : "unknown");
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
ssl_filter_io_shutdown(filter_ctx, c, 1);
return APR_ECONNABORTED;
@@ -1773,7 +1776,7 @@ long ssl_io_data_cb(BIO *bio, int cmd,
return rc;
if ((c = (conn_rec *)SSL_get_app_data(ssl)) == NULL)
return rc;
s = c->base_server;
s = mySrvFromConn(c);
sc = mySrvConfig(s);
if ( cmd == (BIO_CB_WRITE|BIO_CB_RETURN)

24
modules/ssl/ssl_engine_kernel.c
View File

@@ -1124,7 +1124,7 @@ int ssl_hook_Fixup(request_rec *r)
RSA *ssl_callback_TmpRSA(SSL *ssl, int export, int keylen)
{
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
SSLModConfigRec *mc = myModConfig(c->base_server);
SSLModConfigRec *mc = myModConfigFromConn(c);
int idx;
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
@@ -1156,7 +1156,7 @@ RSA *ssl_callback_TmpRSA(SSL *ssl, int export, int keylen)
DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
{
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
SSLModConfigRec *mc = myModConfig(c->base_server);
SSLModConfigRec *mc = myModConfigFromConn(c);
int idx;
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
@@ -1185,7 +1185,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
SSL_get_ex_data_X509_STORE_CTX_idx());
conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
server_rec *s = conn->base_server;
server_rec *s = mySrvFromConn(conn);
request_rec *r = (request_rec *)SSL_get_app_data2(ssl);
SSLSrvConfigRec *sc = mySrvConfig(s);
@@ -1316,7 +1316,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
{
server_rec *s = c->base_server;
server_rec *s = mySrvFromConn(c);
SSLSrvConfigRec *sc = mySrvConfig(s);
SSLConnRec *sslconn = myConnConfig(c);
modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
@@ -1541,7 +1541,7 @@ static void modssl_proxy_info_log(server_rec *s,
int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey)
{
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
server_rec *s = c->base_server;
server_rec *s = mySrvFromConn(c);
SSLSrvConfigRec *sc = mySrvConfig(s);
X509_NAME *ca_name, *issuer;
X509_INFO *info;
@@ -1639,7 +1639,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *session)
{
/* Get Apache context back through OpenSSL context */
conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
server_rec *s = conn->base_server;
server_rec *s = mySrvFromConn(conn);
SSLSrvConfigRec *sc = mySrvConfig(s);
long timeout = sc->session_cache_timeout;
BOOL rc;
@@ -1687,7 +1687,7 @@ SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl,
{
/* Get Apache context back through OpenSSL context */
conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
server_rec *s = conn->base_server;
server_rec *s = mySrvFromConn(conn);
SSL_SESSION *session;
/*
@@ -1766,7 +1766,7 @@ void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc
return;
}
s = c->base_server;
s = mySrvFromConn(c);
if (!(sc = mySrvConfig(s))) {
return;
}
@@ -1882,6 +1882,7 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
BOOL found = FALSE;
apr_array_header_t *names;
int i;
SSLConnRec *sslcon;
/* check ServerName */
if (!strcasecmp(servername, s->server_hostname)) {
@@ -1924,7 +1925,8 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
}
/* set SSL_CTX (if matched) */
if (found && (ssl = ((SSLConnRec *)myConnConfig(c))->ssl) &&
sslcon = myConnConfig(c);
if (found && (ssl = sslcon->ssl) &&
(sc = mySrvConfig(s))) {
SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
/*
@@ -1955,7 +1957,7 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
* cases, it also ensures that these messages are routed
* to the proper log.
*/
c->base_server = s;
sslcon->server = s;
/*
* There is one special filter callback, which is set
@@ -1964,7 +1966,7 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
* (and the first vhost doesn't use APLOG_DEBUG), then
* we need to set that callback here.
*/
if (c->base_server->loglevel >= APLOG_DEBUG) {
if (mySrvFromConn(c)->loglevel >= APLOG_DEBUG) {
BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb);
BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl);
}

2
modules/ssl/ssl_engine_log.c
View File

@@ -117,7 +117,7 @@ void ssl_log_cxerror(const char *file, int line, int level,
char *sname, *iname, *serial;
BIGNUM *bn;
if (c->base_server->loglevel < level) {
if (mySrvFromConn(c)->loglevel < level) {
/* Bail early since the rest of this function is expensive. */
return;
}

4
modules/ssl/ssl_private.h
View File

@@ -128,6 +128,9 @@ ap_set_module_config(c->conn_config, &ssl_module, val)
#define mySrvConfig(srv) (SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &ssl_module)
#define myDirConfig(req) (SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module)
#define myModConfig(srv) (mySrvConfig((srv)))->mc
#define mySrvFromConn(c) (myConnConfig(c))->server
#define mySrvConfigFromConn(c) mySrvConfig(mySrvFromConn(c))
#define myModConfigFromConn(c) myModConfig(mySrvFromConn(c))
#define myCtxVarSet(mc,num,val) mc->rCtx.pV##num = val
#define myCtxVarGet(mc,num,type) (type)(mc->rCtx.pV##num)
@@ -333,6 +336,7 @@ typedef struct {
int is_proxy;
int disabled;
int non_ssl_request;
server_rec *server;
} SSLConnRec;
/* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is

6
modules/ssl/ssl_util_ocsp.c
View File

@@ -82,7 +82,7 @@ static apr_socket_t *send_request(BIO *request, const apr_uri_t *uri,
rv = apr_socket_create(&sd, sa->family, SOCK_STREAM, APR_PROTO_TCP, p);
if (rv == APR_SUCCESS) {
/* Inherit the default I/O timeout. */
apr_socket_timeout_set(sd, c->base_server->timeout);
apr_socket_timeout_set(sd, mySrvFromConn(c)->timeout);
rv = apr_socket_connect(sd, sa);
if (rv == APR_SUCCESS) {
@@ -262,7 +262,7 @@ static OCSP_RESPONSE *read_response(apr_socket_t *sd, BIO *bio, conn_rec *c,
* bio. */
response = d2i_OCSP_RESPONSE_bio(bio, NULL);
if (response == NULL) {
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, mySrvFromConn(c));
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
"failed to decode OCSP response data");
}
@@ -280,7 +280,7 @@ OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri,
bio = serialize_request(request, uri);
if (bio == NULL) {
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, mySrvFromConn(c));
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
"could not serialize OCSP request");
return NULL;