Return-Path: X-Original-To: apmail-httpd-cvs-archive@www.apache.org Delivered-To: apmail-httpd-cvs-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 5A44C10FF9 for ; Sat, 30 Nov 2013 07:44:59 +0000 (UTC) Received: (qmail 32830 invoked by uid 500); 30 Nov 2013 07:44:58 -0000 Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org Received: (qmail 32629 invoked by uid 500); 30 Nov 2013 07:44:55 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 32613 invoked by uid 99); 30 Nov 2013 07:44:49 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 30 Nov 2013 07:44:49 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 30 Nov 2013 07:44:48 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 24B8123889ED; Sat, 30 Nov 2013 07:44:28 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1546693 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c Date: Sat, 30 Nov 2013 07:44:27 -0000 To: cvs@httpd.apache.org 
From: kbrand@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20131130074428.24B8123889ED@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: kbrand Date: Sat Nov 30 07:44:27 2013 New Revision: 1546693 URL: http://svn.apache.org/r1546693 Log: Tweaks for SSLOpenSSLConfCmd: - use cfgMergeArray, and reduce the size of the initial array - move SSL_CONF_cmd calls from ssl_init_ctx_protocol to ssl_init_server_ctx (so they are applied after ssl_init_server_certs) - add APLOG_DEBUG-level logging for the SSL_CONF_cmd success case - call SSL_CONF_CTX_free(cctx) when done in ssl_init_server_ctx Modified: httpd/httpd/trunk/docs/log-message-tags/next-number httpd/httpd/trunk/modules/ssl/ssl_engine_config.c httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Modified: httpd/httpd/trunk/docs/log-message-tags/next-number URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/log-message-tags/next-number?rev=1546693&r1=1546692&r2=1546693&view=diff ============================================================================== --- httpd/httpd/trunk/docs/log-message-tags/next-number (original) +++ httpd/httpd/trunk/docs/log-message-tags/next-number Sat Nov 30 07:44:27 2013 @@ -1 +1 @@ -2556 +2557 Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1546693&r1=1546692&r2=1546693&view=diff ============================================================================== --- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original) +++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Sat Nov 30 07:44:27 2013 
@@ -157,7 +157,7 @@ static void modssl_ctx_init(modssl_ctx_t SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_FILE); SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_SERVER); SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_CERTIFICATE); - mctx->ssl_ctx_param = apr_array_make(p, 10, sizeof(ssl_ctx_param_t)); + mctx->ssl_ctx_param = apr_array_make(p, 5, sizeof(ssl_ctx_param_t)); #endif } @@ -247,7 +247,8 @@ void *ssl_config_server_create(apr_pool_ #define cfgMergeBool(el) cfgMerge(el, UNSET) #define cfgMergeInt(el) cfgMerge(el, UNSET) -static void modssl_ctx_cfg_merge(modssl_ctx_t *base, +static void modssl_ctx_cfg_merge(apr_pool_t *p, + modssl_ctx_t *base, modssl_ctx_t *add, modssl_ctx_t *mrg) { @@ -292,29 +293,30 @@ static void modssl_ctx_cfg_merge(modssl_ #endif #ifdef HAVE_SSL_CONF_CMD - apr_array_cat(mrg->ssl_ctx_param, base->ssl_ctx_param); - apr_array_cat(mrg->ssl_ctx_param, add->ssl_ctx_param); + cfgMergeArray(ssl_ctx_param); #endif } -static void modssl_ctx_cfg_merge_proxy(modssl_ctx_t *base, +static void modssl_ctx_cfg_merge_proxy(apr_pool_t *p, + modssl_ctx_t *base, modssl_ctx_t *add, modssl_ctx_t *mrg) { - modssl_ctx_cfg_merge(base, add, mrg); + modssl_ctx_cfg_merge(p, base, add, mrg); cfgMergeString(pkp->cert_file); cfgMergeString(pkp->cert_path); cfgMergeString(pkp->ca_cert_file); } -static void modssl_ctx_cfg_merge_server(modssl_ctx_t *base, +static void modssl_ctx_cfg_merge_server(apr_pool_t *p, + modssl_ctx_t *base, modssl_ctx_t *add, modssl_ctx_t *mrg) { int i; - modssl_ctx_cfg_merge(base, add, mrg); + modssl_ctx_cfg_merge(p, base, add, mrg); for (i = 0; i < SSL_AIDX_MAX; i++) { cfgMergeString(pks->cert_files[i]); 
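Review bot: In the @@ -292 hunk, replacing the two apr_array_cat() calls with `cfgMergeArray(ssl_ctx_param);` may change the order in which the stored SSLOpenSSLConfCmd entries are later fed to SSL_CONF_cmd: the removed code appended base's entries first and add's second, whereas cfgMergeArray (defined outside this hunk) looks like the usual `apr_array_append(p, add->el, base->el)` shape, which would put the vhost's commands ahead of the global ones. Since SSL_CONF_cmd applies commands sequentially and a later command can override an earlier one (a vhost-level cipher or protocol setting overriding the server-wide one, for instance), the intended precedence should be confirmed and recorded next to the macro use, e.g. `/* global (base) commands first, then this vhost's, so the vhost's win where they overlap */`. If cfgMergeArray does append add before base, `mrg->ssl_ctx_param = apr_array_append(p, base->ssl_ctx_param, add->ssl_ctx_param);` keeps the previous ordering while still allocating from p as the commit intends.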
@@ -357,9 +359,9 @@ void *ssl_config_server_merge(apr_pool_t cfgMergeBool(compression); #endif - modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy); + modssl_ctx_cfg_merge_proxy(p, base->proxy, add->proxy, mrg->proxy); - modssl_ctx_cfg_merge_server(base->server, add->server, mrg->server); + modssl_ctx_cfg_merge_server(p, base->server, add->server, mrg->server); return mrg; } @@ -1809,20 +1811,23 @@ const char *ssl_cmd_SSLStaplingForceURL( } #endif /* HAVE_OCSP_STAPLING */ + #ifdef HAVE_SSL_CONF_CMD const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); - ssl_ctx_param_t *param = apr_array_push(sc->server->ssl_ctx_param); SSL_CONF_CTX *cctx = sc->server->ssl_ctx_config; - const char *err; int value_type = SSL_CONF_cmd_value_type(cctx, arg1); + const char *err; + ssl_ctx_param_t *param; + if (value_type == SSL_CONF_TYPE_UNKNOWN) { return apr_psprintf(cmd->pool, "'%s': invalid OpenSSL configuration command", arg1); } + if (value_type == SSL_CONF_TYPE_FILE) { if ((err = ssl_cmd_check_file(cmd, &arg2))) return err; @@ -1831,11 +1836,14 @@ const char *ssl_cmd_SSLOpenSSLConfCmd(cm if ((err = ssl_cmd_check_dir(cmd, &arg2))) return err; } + + param = apr_array_push(sc->server->ssl_ctx_param); param->name = arg1; param->value = arg2; return NULL; } #endif + #ifdef HAVE_SRP const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1546693&r1=1546692&r2=1546693&view=diff ============================================================================== --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original) +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sat Nov 30 07:44:27 2013 
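Review bot: In the @@ -1831 hunk, the reason `param = apr_array_push(sc->server->ssl_ctx_param);` now sits after the file/dir checks is not recorded anywhere, and the earlier arrangement (push first, validate later, leaving a half-filled entry behind on a rejected directive) is exactly the kind of thing a future tidy-up could reintroduce. A one-line comment above the push such as `/* push only once arg2 has been validated, so a rejected directive leaves no half-filled entry in the array */` would preserve the intent. The unbraced single-statement bodies `if ((err = ssl_cmd_check_file(cmd, &arg2))) return err;` and its ssl_cmd_check_dir twin in the @@ -1809 and @@ -1831 hunks would also read more safely braced, matching the braced style used elsewhere in the function.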
@@ -535,30 +535,6 @@ static apr_status_t ssl_init_ctx_protoco SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); #endif -#ifdef HAVE_SSL_CONF_CMD -{ - ssl_ctx_param_t *param = (ssl_ctx_param_t *)mctx->ssl_ctx_param->elts; - SSL_CONF_CTX *cctx = mctx->ssl_ctx_config; - int i; - SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); - for (i = 0; i < mctx->ssl_ctx_param->nelts; i++, param++) { - if (SSL_CONF_cmd(cctx, param->name, param->value) <= 0) { - ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02407) - "Error SSL_CONF_cmd(\"%s\",\"%s\")", - param->name, param->value); - ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - return ssl_die(s); - } - } - if (SSL_CONF_CTX_finish(cctx) == 0) { - ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547) - "Error SSL_CONF_CTX_finish()"); - ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - return ssl_die(s); - } -} -#endif - #ifdef SSL_MODE_RELEASE_BUFFERS /* If httpd is configured to reduce mem usage, ask openssl to do so, too */ if (ap_max_mem_free != APR_ALLOCATOR_MAX_FREE_UNLIMITED) @@ -1359,6 +1335,11 @@ static apr_status_t ssl_init_server_ctx( SSLSrvConfigRec *sc) { apr_status_t rv; +#ifdef HAVE_SSL_CONF_CMD + ssl_ctx_param_t *param = (ssl_ctx_param_t *)sc->server->ssl_ctx_param->elts; + SSL_CONF_CTX *cctx = sc->server->ssl_ctx_config; + int i; +#endif if ((rv = ssl_init_server_check(s, p, ptemp, sc->server)) != APR_SUCCESS) { return rv; 
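Review bot: In the @@ -1359 hunk, `param` is initialised from `sc->server->ssl_ctx_param->elts` at function entry, but it is only consumed after ssl_init_server_check, ssl_init_server_certs and the other calls that precede the SSL_CONF_cmd loop; if any of those ever pushes onto the array, apr_array_push may reallocate elts and leave `param` pointing at stale memory. Reading the element pointer immediately before the loop, `param = (ssl_ctx_param_t *)sc->server->ssl_ctx_param->elts;`, removes that hazard at no cost, with the declaration block reduced to `ssl_ctx_param_t *param;` alongside cctx and i. Whether anything between the two points touches the array is not visible here, so this is a robustness point rather than an observed bug; the loop that consumes param is in the later @@ -1372 hunk.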
@@ -1372,6 +1353,31 @@ static apr_status_t ssl_init_server_ctx( return rv; } +#ifdef HAVE_SSL_CONF_CMD + SSL_CONF_CTX_set_ssl_ctx(cctx, sc->server->ssl_ctx); + for (i = 0; i < sc->server->ssl_ctx_param->nelts; i++, param++) { + if (SSL_CONF_cmd(cctx, param->name, param->value) <= 0) { + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02407) + "\"SSLOpenSSLConfCmd %s %s\" failed for %s", + param->name, param->value, sc->vhost_id); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); + return ssl_die(s); + } else { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02556) + "\"SSLOpenSSLConfCmd %s %s\" applied to %s", + param->name, param->value, sc->vhost_id); + } + } + if (SSL_CONF_CTX_finish(cctx) == 0) { + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547) + "SSL_CONF_CTX_finish() failed"); + SSL_CONF_CTX_free(cctx); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); + return ssl_die(s); + } + SSL_CONF_CTX_free(cctx); +#endif + #ifdef HAVE_TLS_SESSION_TICKETS if ((rv = ssl_init_ticket_key(s, p, ptemp, sc->server)) != APR_SUCCESS) { return rv; @@ -1643,9 +1649,6 @@ void ssl_init_Child(apr_pool_t *p, serve static void ssl_init_ctx_cleanup(modssl_ctx_t *mctx) { MODSSL_CFG_ITEM_FREE(SSL_CTX_free, mctx->ssl_ctx); -#ifdef HAVE_SSL_CONF_CMD - MODSSL_CFG_ITEM_FREE(SSL_CONF_CTX_free, mctx->ssl_ctx_config); -#endif #ifdef HAVE_SRP if (mctx->srp_vbase != NULL) {
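Review bot: In the @@ -1372 hunk, the three exit paths are not consistent about cctx: the SSL_CONF_CTX_finish failure branch and the success path call SSL_CONF_CTX_free(cctx), but the SSL_CONF_cmd failure branch returns ssl_die(s) without freeing it, and none of the paths clears `sc->server->ssl_ctx_config`, which keeps pointing at the freed context. Because the @@ -1643 hunk removes the free from ssl_init_ctx_cleanup, the dangling pointer is harmless only as long as nothing dereferences ssl_ctx_config after initialisation (ssl_cmd_SSLOpenSSLConfCmd does, via SSL_CONF_cmd_value_type, but at config-parse time), and a second initialisation pass over the same config record would be a use-after-free or double free. Adding `SSL_CONF_CTX_free(cctx);` before the `return ssl_die(s);` in the SSL_CONF_cmd failure branch and following each of the three frees with `sc->server->ssl_ctx_config = NULL;` makes the ownership explicit and turns any later stray use into an immediately visible crash rather than a silent use-after-free; a goto-based cleanup label would fold the three copies into one. Whether ssl_die() returns or exits here is not visible in the hunk, so the missing free in the first branch may be moot in practice.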