From kbr...@apache.org
Subject svn commit: r1546693 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c
Date Sat, 30 Nov 2013 07:44:27 GMT
Author: kbrand
Date: Sat Nov 30 07:44:27 2013
New Revision: 1546693

URL: http://svn.apache.org/r1546693
Log:
Tweaks for SSLOpenSSLConfCmd:
- use cfgMergeArray, and reduce the size of the initial array
- move SSL_CONF_cmd calls from ssl_init_ctx_protocol to
  ssl_init_server_ctx (so they are applied after ssl_init_server_certs)
- add APLOG_DEBUG-level logging for the SSL_CONF_cmd success case
- call SSL_CONF_CTX_free(cctx) when done in ssl_init_server_ctx

Modified:
    httpd/httpd/trunk/docs/log-message-tags/next-number
    httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_init.c

Modified: httpd/httpd/trunk/docs/log-message-tags/next-number
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/log-message-tags/next-number?rev=1546693&r1=1546692&r2=1546693&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/log-message-tags/next-number (original)
+++ httpd/httpd/trunk/docs/log-message-tags/next-number Sat Nov 30 07:44:27 2013
@@ -1 +1 @@
-2556
+2557

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1546693&r1=1546692&r2=1546693&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Sat Nov 30 07:44:27 2013
@@ -157,7 +157,7 @@ static void modssl_ctx_init(modssl_ctx_t
     SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_FILE);
     SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_SERVER);
     SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_CERTIFICATE);
-    mctx->ssl_ctx_param = apr_array_make(p, 10, sizeof(ssl_ctx_param_t));
+    mctx->ssl_ctx_param = apr_array_make(p, 5, sizeof(ssl_ctx_param_t));
 #endif
 }
 
@@ -247,7 +247,8 @@ void *ssl_config_server_create(apr_pool_
 #define cfgMergeBool(el)    cfgMerge(el, UNSET)
 #define cfgMergeInt(el)     cfgMerge(el, UNSET)
 
-static void modssl_ctx_cfg_merge(modssl_ctx_t *base,
+static void modssl_ctx_cfg_merge(apr_pool_t *p,
+                                 modssl_ctx_t *base,
                                  modssl_ctx_t *add,
                                  modssl_ctx_t *mrg)
 {
@@ -292,29 +293,30 @@ static void modssl_ctx_cfg_merge(modssl_
 #endif
 
 #ifdef HAVE_SSL_CONF_CMD
-    apr_array_cat(mrg->ssl_ctx_param,  base->ssl_ctx_param);
-    apr_array_cat(mrg->ssl_ctx_param,  add->ssl_ctx_param);
+    cfgMergeArray(ssl_ctx_param);
 #endif
 }
 
-static void modssl_ctx_cfg_merge_proxy(modssl_ctx_t *base,
+static void modssl_ctx_cfg_merge_proxy(apr_pool_t *p,
+                                       modssl_ctx_t *base,
                                        modssl_ctx_t *add,
                                        modssl_ctx_t *mrg)
 {
-    modssl_ctx_cfg_merge(base, add, mrg);
+    modssl_ctx_cfg_merge(p, base, add, mrg);
 
     cfgMergeString(pkp->cert_file);
     cfgMergeString(pkp->cert_path);
     cfgMergeString(pkp->ca_cert_file);
 }
 
-static void modssl_ctx_cfg_merge_server(modssl_ctx_t *base,
+static void modssl_ctx_cfg_merge_server(apr_pool_t *p,
+                                        modssl_ctx_t *base,
                                         modssl_ctx_t *add,
                                         modssl_ctx_t *mrg)
 {
     int i;
 
-    modssl_ctx_cfg_merge(base, add, mrg);
+    modssl_ctx_cfg_merge(p, base, add, mrg);
 
     for (i = 0; i < SSL_AIDX_MAX; i++) {
         cfgMergeString(pks->cert_files[i]);
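Review bot: The merge order of base and add entries is no longer visible at `cfgMergeArray(ssl_ctx_param);`, because the macro's definition is outside this hunk, while the removed lines concatenated base first and add second. That order matters: ssl_init_server_ctx applies the entries sequentially with SSL_CONF_cmd, so for commands that overwrite state (Protocol, CipherString, Options) the last one applied wins, and base-then-add is what lets a vhost's SSLOpenSSLConfCmd override the server-wide one. If cfgMergeArray appends in the opposite order, a global setting would silently override a vhost's stricter one, so please confirm the macro preserves base-then-add, or make the intent explicit at the call site with `/* global (base) commands first, so per-vhost (add) commands win at SSL_CONF_cmd time */`. modssl_ctx_cfg_merge begins above this hunk and modssl_ctx_cfg_merge_server continues below it.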
@@ -357,9 +359,9 @@ void *ssl_config_server_merge(apr_pool_t
     cfgMergeBool(compression);
 #endif
 
-    modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
+    modssl_ctx_cfg_merge_proxy(p, base->proxy, add->proxy, mrg->proxy);
 
-    modssl_ctx_cfg_merge_server(base->server, add->server, mrg->server);
+    modssl_ctx_cfg_merge_server(p, base->server, add->server, mrg->server);
 
     return mrg;
 }
@@ -1809,20 +1811,23 @@ const char *ssl_cmd_SSLStaplingForceURL(
 }
 
 #endif /* HAVE_OCSP_STAPLING */
+
 #ifdef HAVE_SSL_CONF_CMD
 const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,
 					const char *arg1, const char *arg2)
 {
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
-    ssl_ctx_param_t *param = apr_array_push(sc->server->ssl_ctx_param);
     SSL_CONF_CTX *cctx = sc->server->ssl_ctx_config;
-    const char *err;
     int value_type = SSL_CONF_cmd_value_type(cctx, arg1);
+    const char *err;
+    ssl_ctx_param_t *param;
+
     if (value_type == SSL_CONF_TYPE_UNKNOWN) {
         return apr_psprintf(cmd->pool,
                             "'%s': invalid OpenSSL configuration command",
                             arg1);
     }
+
     if (value_type == SSL_CONF_TYPE_FILE) {
         if ((err = ssl_cmd_check_file(cmd, &arg2)))
             return err;
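Review bot: ssl_cmd_SSLOpenSSLConfCmd has no header comment, and its contract is not obvious from the body: at parse time it only rejects unknown command names and checks file/directory arguments, then records the pair, while the command itself is executed against the SSL_CTX later in ssl_init_server_ctx, so a bad value (for example an unknown cipher) only surfaces as a startup error there. A comment above the definition such as `/* Validate and queue an SSLOpenSSLConfCmd name/value pair. The command is executed with SSL_CONF_cmd() in ssl_init_server_ctx() after the certificates are loaded; only the name and any file/dir argument are checked here. */` would make that clear to the next maintainer. It is also worth stating that `cctx` is the same SSL_CONF_CTX that ssl_init_server_ctx frees once initialisation is complete, so this directive handler must only run during configuration parsing. The function continues past the end of this hunk.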
@@ -1831,11 +1836,14 @@ const char *ssl_cmd_SSLOpenSSLConfCmd(cm
         if ((err = ssl_cmd_check_dir(cmd, &arg2)))
             return err;
     }
+
+    param = apr_array_push(sc->server->ssl_ctx_param);
     param->name = arg1;
     param->value = arg2;
     return NULL;
 }
 #endif
+
 #ifdef HAVE_SRP
 
 const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg,

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1546693&r1=1546692&r2=1546693&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sat Nov 30 07:44:27 2013
@@ -535,30 +535,6 @@ static apr_status_t ssl_init_ctx_protoco
     SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 #endif
 
-#ifdef HAVE_SSL_CONF_CMD
-{
-    ssl_ctx_param_t *param = (ssl_ctx_param_t *)mctx->ssl_ctx_param->elts;
-    SSL_CONF_CTX *cctx = mctx->ssl_ctx_config;
-    int i;
-    SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
-    for (i = 0; i < mctx->ssl_ctx_param->nelts; i++, param++) {
-        if (SSL_CONF_cmd(cctx, param->name, param->value) <= 0) {
-            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02407)
-                         "Error SSL_CONF_cmd(\"%s\",\"%s\")",
-                         param->name, param->value);
-            ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-            return ssl_die(s);
-        }
-    }
-    if (SSL_CONF_CTX_finish(cctx) == 0) {
-            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547)
-                         "Error SSL_CONF_CTX_finish()");
-            ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-            return ssl_die(s);
-    }
-}
-#endif
-
 #ifdef SSL_MODE_RELEASE_BUFFERS
     /* If httpd is configured to reduce mem usage, ask openssl to do so, too */
     if (ap_max_mem_free != APR_ALLOCATOR_MAX_FREE_UNLIMITED)
@@ -1359,6 +1335,11 @@ static apr_status_t ssl_init_server_ctx(
                                         SSLSrvConfigRec *sc)
 {
     apr_status_t rv;
+#ifdef HAVE_SSL_CONF_CMD
+    ssl_ctx_param_t *param = (ssl_ctx_param_t *)sc->server->ssl_ctx_param->elts;
+    SSL_CONF_CTX *cctx = sc->server->ssl_ctx_config;
+    int i;
+#endif
 
     if ((rv = ssl_init_server_check(s, p, ptemp, sc->server)) != APR_SUCCESS) {
         return rv;
@@ -1372,6 +1353,31 @@ static apr_status_t ssl_init_server_ctx(
         return rv;
     }
 
+#ifdef HAVE_SSL_CONF_CMD
+    SSL_CONF_CTX_set_ssl_ctx(cctx, sc->server->ssl_ctx);
+    for (i = 0; i < sc->server->ssl_ctx_param->nelts; i++, param++) {
+        if (SSL_CONF_cmd(cctx, param->name, param->value) <= 0) {
+            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02407)
+                         "\"SSLOpenSSLConfCmd %s %s\" failed for %s",
+                         param->name, param->value, sc->vhost_id);
+            ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+            return ssl_die(s);
+        } else {
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02556)
+                         "\"SSLOpenSSLConfCmd %s %s\" applied to %s",
+                         param->name, param->value, sc->vhost_id);
+        }
+    }
+    if (SSL_CONF_CTX_finish(cctx) == 0) {
+            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547)
+                         "SSL_CONF_CTX_finish() failed");
+            SSL_CONF_CTX_free(cctx);
+            ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+            return ssl_die(s);
+    }
+    SSL_CONF_CTX_free(cctx);
+#endif
+
 #ifdef HAVE_TLS_SESSION_TICKETS
     if ((rv = ssl_init_ticket_key(s, p, ptemp, sc->server)) != APR_SUCCESS) {
         return rv;
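Review bot: After `SSL_CONF_CTX_free(cctx);` on both the finish-failure path and the success path, `sc->server->ssl_ctx_config` still points at the freed object, and the SSL_CONF_cmd failure branch in the loop does not free cctx at all, so the two error paths are inconsistent and the config record is left with a dangling pointer. Nothing visible in this patch dereferences the field after this point (the cleanup hook no longer frees it), but any later reader of sc->server->ssl_ctx_config, or a second pass through this function for the same config, would be a use-after-free. Suggest adding `SSL_CONF_CTX_free(cctx);` before `ssl_log_ssl_error` in the loop's failure branch as well, and following every free with `sc->server->ssl_ctx_config = NULL;` so the pointer can never be reused. ssl_init_server_ctx begins above this hunk.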
@@ -1643,9 +1649,6 @@ void ssl_init_Child(apr_pool_t *p, serve
 static void ssl_init_ctx_cleanup(modssl_ctx_t *mctx)
 {
     MODSSL_CFG_ITEM_FREE(SSL_CTX_free, mctx->ssl_ctx);
-#ifdef HAVE_SSL_CONF_CMD
-    MODSSL_CFG_ITEM_FREE(SSL_CONF_CTX_free, mctx->ssl_ctx_config);
-#endif
 
 #ifdef HAVE_SRP
     if (mctx->srp_vbase != NULL) {


