www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

mod_ssl: Calculate the MD5 digest used as the session context once per

Browse Source 
vhost at startup, rather than building it for each new connection.

* modules/ssl/ssl_private.h (struct SSLSrvConfigRec):
  Replace vhost_id_len field with vhost_md5.

* modules/ssl/ssl_engine_init.c (ssl_init_Module): Build the
  sc->vhost_md5 hash here.  
   
* modules/ssl/mod_ssl.c: Fail at compile time if the
  SSL_set_session_id_context() API constraint on context length is
  violated.
  (ssl_init_ssl_connection): Use sc->vhost_md5.

* modules/ssl/ssl_engine_kernel.c (ssl_find_vhost): Use sc->vhost_md5
  after renegotiation.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877349 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Joe Orton
2020-05-04 09:23:03 +00:00
parent 37de2054b3
commit ccc38eab46
5 changed files with 14 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
modules/ssl/mod_ssl.c
View File

@@ -589,12 +589,15 @@ static int ssl_engine_disable(conn_rec *c)
return ssl_engine_set(c, NULL, 0, 0); return ssl_engine_set(c, NULL, 0, 0);
} }
#if defined(SSL_MAX_SID_CTX_LENGTH) && (APR_MD5_DIGESTSIZE * 2) > SSL_MAX_SID_CTX_LENGTH
#error APR digest length x2 exceeds SSL_MAX_SID_CTX_LENGTH
#endif
int ssl_init_ssl_connection(conn_rec *c, request_rec *r) int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
{ {
SSLSrvConfigRec *sc; SSLSrvConfigRec *sc;
SSL *ssl; SSL *ssl;
SSLConnRec *sslconn; SSLConnRec *sslconn;
char *vhost_md5;
int rc; int rc;
modssl_ctx_t *mctx; modssl_ctx_t *mctx;
server_rec *server; server_rec *server;
@@ -635,14 +638,10 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
return rc; return rc;
} }
vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id, if (!SSL_set_session_id_context(ssl, sc->vhost_md5, APR_MD5_DIGESTSIZE*2)) {
sc->vhost_id_len);
if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
APR_MD5_DIGESTSIZE*2))
{
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01963) ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01963)
"Unable to set session id context to '%s'", vhost_md5); "Unable to set session id context to '%s'",
sc->vhost_md5);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server); ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
c->aborted = 1; c->aborted = 1;

1
modules/ssl/ssl_engine_config.c
View File

@@ -209,7 +209,6 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
sc->mc = NULL; sc->mc = NULL;
sc->enabled = SSL_ENABLED_UNSET; sc->enabled = SSL_ENABLED_UNSET;
sc->vhost_id = NULL; /* set during module init */ sc->vhost_id = NULL; /* set during module init */
sc->vhost_id_len = 0; /* set during module init */
sc->session_cache_timeout = UNSET; sc->session_cache_timeout = UNSET;
sc->cipher_server_pref = UNSET; sc->cipher_server_pref = UNSET;
sc->insecure_reneg = UNSET; sc->insecure_reneg = UNSET;

5
modules/ssl/ssl_engine_init.c
View File

@@ -31,6 +31,7 @@
#include "mod_ssl_openssl.h" #include "mod_ssl_openssl.h"
#include "mpm_common.h" #include "mpm_common.h"
#include "mod_md.h" #include "mod_md.h"
#include "util_md5.h"
static apr_status_t ssl_init_ca_cert_path(server_rec *, apr_pool_t *, const char *, static apr_status_t ssl_init_ca_cert_path(server_rec *, apr_pool_t *, const char *,
STACK_OF(X509_NAME) *, STACK_OF(X509_INFO) *); STACK_OF(X509_NAME) *, STACK_OF(X509_INFO) *);
@@ -287,7 +288,9 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
/* Derive the vhost id only after potentially defaulting-on /* Derive the vhost id only after potentially defaulting-on
* sc->enabled since the port used may change. */ * sc->enabled since the port used may change. */
sc->vhost_id = ssl_util_vhostid(p, s); sc->vhost_id = ssl_util_vhostid(p, s);
sc->vhost_id_len = strlen(sc->vhost_id); sc->vhost_md5 =
(unsigned char *)ap_md5_binary(p, (unsigned char *)sc->vhost_id,
strlen(sc->vhost_id));
/* Fix up stuff that may not have been set. If sc->enabled is /* Fix up stuff that may not have been set. If sc->enabled is
* UNSET, then SSL is disabled on this vhost. */ * UNSET, then SSL is disabled on this vhost. */

6
modules/ssl/ssl_engine_kernel.c
View File

@@ -2556,11 +2556,7 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
* a renegotiation. * a renegotiation.
*/ */
if (SSL_num_renegotiations(ssl) == 0) { if (SSL_num_renegotiations(ssl) == 0) {
unsigned char *sid_ctx = SSL_set_session_id_context(ssl, sc->vhost_md5, APR_MD5_DIGESTSIZE*2);
(unsigned char *)ap_md5_binary(c->pool,
(unsigned char *)sc->vhost_id,
sc->vhost_id_len);
SSL_set_session_id_context(ssl, sid_ctx, APR_MD5_DIGESTSIZE*2);
} }
/* /*

2
modules/ssl/ssl_private.h
View File

@@ -765,7 +765,7 @@ struct SSLSrvConfigRec {
SSLModConfigRec *mc; SSLModConfigRec *mc;
ssl_enabled_t enabled; ssl_enabled_t enabled;
const char *vhost_id; const char *vhost_id;
int vhost_id_len; const unsigned char *vhost_md5; /* = ap_md5_binary(vhost_id, ...) */
int session_cache_timeout; int session_cache_timeout;
BOOL cipher_server_pref; BOOL cipher_server_pref;
BOOL insecure_reneg; BOOL insecure_reneg;