mod_proxy/ssl: cleanup per-request SSL configuration for recycled proxy conns.
The SSL dir config of proxy/backend connections is stored in r->per_dir_config, but those connections have a lifetime independent of the requests they handle. So we need to allow the external ssl_engine_set() function to reset mod_ssl's dir config in between proxy requests; otherwise the first sslconn->dc could be used after it has been freed by subsequent requests. mod_proxy can then reset/reinit the request config when recycling its backend connections. PR 63256. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1855646 13f79535-47bb-0310-9956-ffa450edef68
4
CHANGES
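--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+*) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend
+connection is recycled/reused to avoid a possible crash with some SSLProxy
+configurations in <Location> or <Proxy> context. PR 63256. [Yann Ylavic]
+
 *) mod_mime: Add `MimeOptions` directive to allow Content-Type or all metadata
 detection to use only the last (right-most) file extension. [Eric Covener]
 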
@@ -1522,6 +1522,13 @@ static apr_status_t connection_cleanup(void *theconn)
|
|||||||
socket_cleanup(conn);
|
socket_cleanup(conn);
|
||||||
conn->close = 0;
|
conn->close = 0;
|
||||||
}
|
}
|
||||||
|
else if (conn->is_ssl) {
|
||||||
|
/* Unbind/reset the SSL connection dir config (sslconn->dc) from
|
||||||
|
* r->per_dir_config, r will likely get destroyed before this proxy
|
||||||
|
* conn is reused.
|
||||||
|
*/
|
||||||
|
ap_proxy_ssl_engine(conn->connection, worker->section_config, 1);
|
||||||
|
}
|
||||||
|
|
||||||
if (worker->s->hmax && worker->cp->res) {
|
if (worker->s->hmax && worker->cp->res) {
|
||||||
conn->inreslist = 1;
|
conn->inreslist = 1;
|
||||||
@@ -3238,6 +3245,12 @@ static int proxy_connection_create(const char *proxy_function,
|
|||||||
apr_bucket_alloc_t *bucket_alloc;
|
apr_bucket_alloc_t *bucket_alloc;
|
||||||
|
|
||||||
if (conn->connection) {
|
if (conn->connection) {
|
||||||
|
if (conn->is_ssl) {
|
||||||
|
/* on reuse, reinit the SSL connection dir config with the current
|
||||||
|
* r->per_dir_config, the previous one was reset on release.
|
||||||
|
*/
|
||||||
|
ap_proxy_ssl_engine(conn->connection, per_dir_config, 1);
|
||||||
|
}
|
||||||
return OK;
|
return OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
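Review bot: The release-time reset in connection_cleanup (`ap_proxy_ssl_engine(conn->connection, worker->section_config, 1);`) runs whenever `conn->is_ssl` is set, but unlike the reuse path in proxy_connection_create, which is nested under `if (conn->connection)`, nothing visible here guarantees `conn->connection` is non-NULL (the head of the `else if` chain, and whether the flag can be set before a backend conn_rec exists, are outside the hunk). Unless ap_proxy_ssl_engine() itself tolerates a NULL conn_rec — worth confirming, since mod_ssl's ssl_engine_set() goes straight to myConnConfig(c) on the proxy path — the guard should match the reuse path: `else if (conn->is_ssl && conn->connection) {`. The bare `1` third argument reads as a magic flag at both call sites; a short `/* enable */` hint next to it would help readers. connection_cleanup and proxy_connection_create both start and end outside their hunks.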
@@ -486,17 +486,31 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
|
|||||||
}
|
}
|
||||||
|
|
||||||
static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
|
static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
|
||||||
ap_conf_vector_t *per_dir_config)
|
ap_conf_vector_t *per_dir_config,
|
||||||
|
int new_proxy)
|
||||||
{
|
{
|
||||||
SSLConnRec *sslconn = myConnConfig(c);
|
SSLConnRec *sslconn = myConnConfig(c);
|
||||||
SSLSrvConfigRec *sc;
|
|
||||||
|
|
||||||
if (sslconn) {
|
if (!sslconn) {
|
||||||
return sslconn;
|
sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
|
||||||
|
|
||||||
|
sslconn->server = c->base_server;
|
||||||
|
sslconn->verify_depth = UNSET;
|
||||||
|
if (new_proxy) {
|
||||||
|
sslconn->is_proxy = 1;
|
||||||
|
sslconn->cipher_suite = sslconn->dc->proxy->auth.cipher_suite;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
|
||||||
|
sslconn->cipher_suite = sc->server->auth.cipher_suite;
|
||||||
|
}
|
||||||
|
|
||||||
|
myConnConfigSet(c, sslconn);
|
||||||
}
|
}
|
||||||
|
|
||||||
sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
|
/* Reinit dc in any case because it may be r->per_dir_config scoped
|
||||||
|
* and thus a caller like mod_proxy needs to update it per request.
|
||||||
|
*/
|
||||||
if (per_dir_config) {
|
if (per_dir_config) {
|
||||||
sslconn->dc = ap_get_module_config(per_dir_config, &ssl_module);
|
sslconn->dc = ap_get_module_config(per_dir_config, &ssl_module);
|
||||||
}
|
}
|
||||||
@@ -505,13 +519,6 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
|
|||||||
&ssl_module);
|
&ssl_module);
|
||||||
}
|
}
|
||||||
|
|
||||||
sslconn->server = c->base_server;
|
|
||||||
sslconn->verify_depth = UNSET;
|
|
||||||
sc = mySrvConfig(c->base_server);
|
|
||||||
sslconn->cipher_suite = sc->server->auth.cipher_suite;
|
|
||||||
|
|
||||||
myConnConfigSet(c, sslconn);
|
|
||||||
|
|
||||||
return sslconn;
|
return sslconn;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -551,8 +558,7 @@ static int ssl_engine_set(conn_rec *c,
|
|||||||
int status;
|
int status;
|
||||||
|
|
||||||
if (proxy) {
|
if (proxy) {
|
||||||
sslconn = ssl_init_connection_ctx(c, per_dir_config);
|
sslconn = ssl_init_connection_ctx(c, per_dir_config, 1);
|
||||||
sslconn->is_proxy = 1;
|
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
sslconn = myConnConfig(c);
|
sslconn = myConnConfig(c);
|
||||||
@@ -599,7 +605,7 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
|
|||||||
/*
|
/*
|
||||||
* Create or retrieve SSL context
|
* Create or retrieve SSL context
|
||||||
*/
|
*/
|
||||||
sslconn = ssl_init_connection_ctx(c, r ? r->per_dir_config : NULL);
|
sslconn = ssl_init_connection_ctx(c, r ? r->per_dir_config : NULL, 0);
|
||||||
server = sslconn->server;
|
server = sslconn->server;
|
||||||
sc = mySrvConfig(server);
|
sc = mySrvConfig(server);
|
||||||
|
|
||||||
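Review bot: In the `new_proxy` branch of ssl_init_connection_ctx, `sslconn->cipher_suite = sslconn->dc->proxy->auth.cipher_suite;` dereferences `sslconn->dc` on a record that `apr_pcalloc()` has just zeroed: `dc` is only assigned below the `if (!sslconn)` block (`sslconn->dc = ap_get_module_config(per_dir_config, &ssl_module);` and its `else` branch, which sits between the two hunks), so the first proxy call through ssl_engine_set() (`ssl_init_connection_ctx(c, per_dir_config, 1)`) hits a NULL pointer. Defer the cipher-suite selection until after `dc` is (re)assigned, remembering whether the record was freshly allocated, as sketched below. A secondary point: cipher_suite is chosen once at allocation while `dc` is re-pointed on every call, so a recycled proxy connection keeps the cipher suite of the first request's dir config; if that is intended because the handshake is already done, a comment saying so would help. ssl_init_connection_ctx spans both hunks of this section; the callers in ssl_engine_set and ssl_init_ssl_connection need no change.
```c
    SSLConnRec *sslconn = myConnConfig(c);
    int is_new = 0;

    if (!sslconn) {
        sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
        sslconn->server = c->base_server;
        sslconn->verify_depth = UNSET;
        if (new_proxy) {
            sslconn->is_proxy = 1;
        }
        myConnConfigSet(c, sslconn);
        is_new = 1;
    }

    /* … unchanged: (re)assign sslconn->dc from per_dir_config or the server default … */

    /* The proxy cipher suite lives in the dir config, so it can only be
     * read once dc is valid; it is chosen once, at allocation.
     */
    if (is_new) {
        if (new_proxy) {
            sslconn->cipher_suite = sslconn->dc->proxy->auth.cipher_suite;
        }
        else {
            SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
            sslconn->cipher_suite = sc->server->auth.cipher_suite;
        }
    }

    return sslconn;
```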
|