On 03/16/2019 02:45 PM, [email protected] wrote:
> Author: ylavic
> Date: Sat Mar 16 13:45:17 2019
> New Revision: 1855646
>
> URL: http://svn.apache.org/viewvc?rev=1855646&view=rev
> Log:
> mod_proxy/ssl: cleanup per-request SSL configuration for recycled proxy conns.
>
> The SSL dir config of proxy/backend connections is stored in r->per_dir_config
> but those connections have a lifetime independent of the requests they handle.
>
> So we need to allow the external ssl_engine_set() function to reset mod_ssl's
> dir config in between proxy requests, or the first sslconn->dc could be used
> after free for the next requests.
>
> mod_proxy can then reset/reinit the request config when recycling its backend
> connections.
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/modules/proxy/proxy_util.c
> httpd/httpd/trunk/modules/ssl/mod_ssl.c
>
>
> Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1855646&r1=1855645&r2=1855646&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
> +++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Sat Mar 16 13:45:17 2019
> @@ -486,17 +486,31 @@ static int ssl_hook_pre_config(apr_pool_
> }
>
> static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
> - ap_conf_vector_t *per_dir_config)
> + ap_conf_vector_t *per_dir_config,
> + int new_proxy)
> {
> SSLConnRec *sslconn = myConnConfig(c);
> - SSLSrvConfigRec *sc;
>
> - if (sslconn) {
> - return sslconn;
> - }
> + if (!sslconn) {
> + sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
>
> - sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
> + sslconn->server = c->base_server;
> + sslconn->verify_depth = UNSET;
> + if (new_proxy) {
> + sslconn->is_proxy = 1;
> + sslconn->cipher_suite = sslconn->dc->proxy->auth.cipher_suite;
Hm. sslconn->dc is not set at this point; it is only assigned further down, after the new Reinit comment.
> + }
> + else {
> + SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
> + sslconn->cipher_suite = sc->server->auth.cipher_suite;
> + }
>
> + myConnConfigSet(c, sslconn);
> + }
> +
> + /* Reinit dc in any case because it may be r->per_dir_config scoped
> + * and thus a caller like mod_proxy needs to update it per request.
> + */
> if (per_dir_config) {
> sslconn->dc = ap_get_module_config(per_dir_config, &ssl_module);
> }
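Review bot: The proxy-side `sslconn->cipher_suite = sslconn->dc->proxy->auth.cipher_suite;` copies a value out of the dir config only once, inside `if (!sslconn)`, while the Reinit comment added a few lines below states that dc may be r->per_dir_config scoped and therefore has to be refreshed on every call. If cipher_suite is a pointer into that config (the assignment from auth.cipher_suite suggests it is), a recycled proxy connection keeps the copy taken from the first request's config after that config is gone — the same lifetime problem this commit fixes for dc itself. A way to keep both in step is to derive it after dc has been (re)assigned, on every call rather than only at creation: `if (sslconn->is_proxy) { sslconn->cipher_suite = sslconn->dc->proxy->auth.cipher_suite; }`. The function continues past this hunk; the fallback branch of the dc assignment and the return are in the following hunk.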
> @@ -505,13 +519,6 @@ static SSLConnRec *ssl_init_connection_c
> &ssl_module);
> }
>
> - sslconn->server = c->base_server;
> - sslconn->verify_depth = UNSET;
> - sc = mySrvConfig(c->base_server);
> - sslconn->cipher_suite = sc->server->auth.cipher_suite;
> -
> - myConnConfigSet(c, sslconn);
> -
> return sslconn;
> }
>
Regards
Rüdiger