Mailing List Archive

svn commit: r1890605 - in /httpd/httpd/trunk: changes-entries/ docs/log-message-tags/ include/ modules/proxy/ modules/ssl/ server/
Author: icing
Date: Tue Jun 8 14:37:44 2021
New Revision: 1890605

URL: http://svn.apache.org/viewvc?rev=1890605&view=rev
Log:
*) core/mod_proxy/mod_ssl:
Adding `outgoing` flag to conn_rec, indicating a connection is
initiated by the server to somewhere, in contrast to incoming
connections from clients.
Adding 'ap_ssl_bind_outgoing()` function that marks a connection
as outgoing and is used by mod_proxy instead of the previous
optional function `ssl_engine_set`. This enables other SSL
module to secure proxy connections.
The optional functions `ssl_engine_set`, `ssl_engine_disable` and
`ssl_proxy_enable` are now provided by the core to have backward
compatibility with non-httpd modules that might use them. mod_ssl
itself no longer registers these functions, but keeps them in its
header for backward compatibility.
The core provided optional function wrap any registered function
like it was done for `ssl_is_ssl`.

Added:
httpd/httpd/trunk/changes-entries/ssl_proxy.txt
Modified:
httpd/httpd/trunk/docs/log-message-tags/next-number
httpd/httpd/trunk/include/ap_mmn.h
httpd/httpd/trunk/include/http_ssl.h
httpd/httpd/trunk/include/httpd.h
httpd/httpd/trunk/modules/proxy/mod_proxy.c
httpd/httpd/trunk/modules/proxy/mod_proxy_hcheck.c
httpd/httpd/trunk/modules/proxy/mod_proxy_http.c
httpd/httpd/trunk/modules/ssl/mod_ssl.c
httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c
httpd/httpd/trunk/server/ssl.c

Added: httpd/httpd/trunk/changes-entries/ssl_proxy.txt
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/changes-entries/ssl_proxy.txt?rev=1890605&view=auto
==============================================================================
--- httpd/httpd/trunk/changes-entries/ssl_proxy.txt (added)
+++ httpd/httpd/trunk/changes-entries/ssl_proxy.txt Tue Jun 8 14:37:44 2021
@@ -0,0 +1,16 @@
+ *) core/mod_proxy/mod_ssl:
+ Adding `outgoing` flag to conn_rec, indicating a connection is
+ initiated by the server to somewhere, in contrast to incoming
+ connections from clients.
+ Adding 'ap_ssl_bind_outgoing()` function that marks a connection
+ as outgoing and is used by mod_proxy instead of the previous
+ optional function `ssl_engine_set`. This enables other SSL
+ module to secure proxy connections.
+ The optional functions `ssl_engine_set`, `ssl_engine_disable` and
+ `ssl_proxy_enable` are now provided by the core to have backward
+ compatibility with non-httpd modules that might use them. mod_ssl
+ itself no longer registers these functions, but keeps them in its
+ header for backward compatibility.
+ The core provided optional function wrap any registered function
+ like it was done for `ssl_is_ssl`.
+ [Stefan Eissing]
\ No newline at end of file

Modified: httpd/httpd/trunk/docs/log-message-tags/next-number
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/log-message-tags/next-number?rev=1890605&r1=1890604&r2=1890605&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/log-message-tags/next-number (original)
+++ httpd/httpd/trunk/docs/log-message-tags/next-number Tue Jun 8 14:37:44 2021
@@ -1 +1 @@
-10272
+10273

Modified: httpd/httpd/trunk/include/ap_mmn.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/ap_mmn.h?rev=1890605&r1=1890604&r2=1890605&view=diff
==============================================================================
--- httpd/httpd/trunk/include/ap_mmn.h (original)
+++ httpd/httpd/trunk/include/ap_mmn.h Tue Jun 8 14:37:44 2021
@@ -672,12 +672,13 @@
* 20210506.0 (2.5.1-dev) Add ap_proxy_tunnel_conn_get_read() and
* ap_proxy_tunnel_conn_get_transferred() change
* ap_proxy_transfer_between_connections() sent to apr_off_t *.
+ * 20210531.0 (2.5.1-dev) add conn_rec->outgoing and ap_ssl_bind_outgoing()
*/

#define MODULE_MAGIC_COOKIE 0x41503235UL /* "AP25" */

#ifndef MODULE_MAGIC_NUMBER_MAJOR
-#define MODULE_MAGIC_NUMBER_MAJOR 20210506
+#define MODULE_MAGIC_NUMBER_MAJOR 20210531
#endif
#define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */


Modified: httpd/httpd/trunk/include/http_ssl.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_ssl.h?rev=1890605&r1=1890604&r2=1890605&view=diff
==============================================================================
--- httpd/httpd/trunk/include/http_ssl.h (original)
+++ httpd/httpd/trunk/include/http_ssl.h Tue Jun 8 14:37:44 2021
@@ -34,6 +34,8 @@
extern "C" {
#endif

+struct ap_conf_vector_t;
+
/**
* This hook allows modules that manage SSL connection to register their
* inquiry function for checking if a connection is using SSL from them.
@@ -50,6 +52,40 @@ AP_DECLARE_HOOK(int,ssl_conn_is_ssl,(con
AP_DECLARE(int) ap_ssl_conn_is_ssl(conn_rec *c);

/**
+ * This hook declares a connection to be outgoing and the configuration that applies to it.
+ * This hook can be called several times in the lifetime of an outgoing connection, e.g.
+ * when it is re-used in different request contexts. It will at least be called after the
+ * connection was created and before the pre-connection hooks is invoked.
+ * All outgoing-connection hooks are run until one returns something other than ok or decline.
+ * if enable_ssl != 0, a hook that sets up SSL for the connection needs to return DONE.
+ *
+ * @param c The connection on which requests/data are to be sent.
+ * @param dir_conf The directory configuration in which this connection is being used.
+ * @param enable_ssl If != 0, the SSL protocol should be enabled for this connection.
+ * @return OK or DECLINED, DONE when ssl was enabled
+ */
+AP_DECLARE_HOOK(int, ssl_bind_outgoing,
+ (conn_rec *c, struct ap_conf_vector_t *dir_conf, int enable_ssl))
+
+/**
+ * Assures the connection is marked as outgoing and invokes the ssl_bind_outgoing hook.
+ * This may be called several times on an outgoing connection with varying dir_conf
+ * values. require_ssl is not allowed to change on the same connection.
+ *
+ * @param c The connection on which requests/data are to be sent.
+ * @param dir_conf The directory configuration in which this connection is being used.
+ * @param require_ssl != 0 iff this connection needs to be secured by SSL/TLS protocol.
+ * @return OK iff ssl was required and is enabled, DECLINED otherwise
+ */
+AP_DECLARE(int) ap_ssl_bind_outgoing(conn_rec *c, struct ap_conf_vector_t *dir_conf,
+ int require_ssl);
+
+/**
+ * Return != 0 iff handlers/hooks for outgoing connections are registered.
+ */
+AP_DECLARE(int) ap_ssl_has_outgoing_handlers(void);
+
+/**
* This hook allows modules to look up SSL related variables for a
* server/connection/request, depending on what they inquire. Some
* variables will only be available for a connection/request, for example.

Modified: httpd/httpd/trunk/include/httpd.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/httpd.h?rev=1890605&r1=1890604&r2=1890605&view=diff
==============================================================================
--- httpd/httpd/trunk/include/httpd.h (original)
+++ httpd/httpd/trunk/include/httpd.h Tue Jun 8 14:37:44 2021
@@ -1289,6 +1289,8 @@ struct conn_rec {

/** The minimum level of filter type to allow setaside buckets */
int async_filter;
+
+ int outgoing;
};

struct conn_slave_rec {

Modified: httpd/httpd/trunk/modules/proxy/mod_proxy.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy.c?rev=1890605&r1=1890604&r2=1890605&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/proxy/mod_proxy.c (original)
+++ httpd/httpd/trunk/modules/proxy/mod_proxy.c Tue Jun 8 14:37:44 2021
@@ -3136,20 +3136,15 @@ PROXY_DECLARE(int) ap_proxy_ssl_enable(c
* if c == NULL just check if the optional function was imported
* else run the optional function so ssl filters are inserted
*/
- if (proxy_ssl_enable) {
- return c ? proxy_ssl_enable(c) : 1;
+ if (c == NULL) {
+ return ap_ssl_has_outgoing_handlers();
}
-
- return 0;
+ return ap_ssl_bind_outgoing(c, NULL, 1) == OK;
}

PROXY_DECLARE(int) ap_proxy_ssl_disable(conn_rec *c)
{
- if (proxy_ssl_disable) {
- return proxy_ssl_disable(c);
- }
-
- return 0;
+ return ap_ssl_bind_outgoing(c, NULL, 0) == OK;
}

PROXY_DECLARE(int) ap_proxy_ssl_engine(conn_rec *c,
@@ -3160,20 +3155,10 @@ PROXY_DECLARE(int) ap_proxy_ssl_engine(c
* if c == NULL just check if the optional function was imported
* else run the optional function so ssl filters are inserted
*/
- if (proxy_ssl_engine) {
- return c ? proxy_ssl_engine(c, per_dir_config, 1, enable) : 1;
+ if (c == NULL) {
+ return ap_ssl_has_outgoing_handlers();
}
-
- if (!per_dir_config) {
- if (enable) {
- return ap_proxy_ssl_enable(c);
- }
- else {
- return ap_proxy_ssl_disable(c);
- }
- }
-
- return 0;
+ return ap_ssl_bind_outgoing(c, per_dir_config, enable) == OK;
}

PROXY_DECLARE(int) ap_proxy_conn_is_https(conn_rec *c)

Modified: httpd/httpd/trunk/modules/proxy/mod_proxy_hcheck.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_hcheck.c?rev=1890605&r1=1890604&r2=1890605&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/proxy/mod_proxy_hcheck.c (original)
+++ httpd/httpd/trunk/modules/proxy/mod_proxy_hcheck.c Tue Jun 8 14:37:44 2021
@@ -20,6 +20,7 @@
#if APR_HAS_THREADS
#include "apr_thread_pool.h"
#endif
+#include "http_ssl.h"

module AP_MODULE_DECLARE_DATA proxy_hcheck_module;

@@ -605,7 +606,7 @@ static int hc_get_backend(const char *pr
(*backend)->addr = hc->cp->addr;
(*backend)->hostname = hc->s->hostname_ex;
if (strcmp(hc->s->scheme, "https") == 0 || strcmp(hc->s->scheme, "wss") == 0 ) {
- if (!ap_proxy_ssl_enable(NULL)) {
+ if (!ap_ssl_has_outgoing_handlers()) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, ctx->s, APLOGNO(03252)
"mod_ssl not configured?");
return !OK;

Modified: httpd/httpd/trunk/modules/proxy/mod_proxy_http.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?rev=1890605&r1=1890604&r2=1890605&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/proxy/mod_proxy_http.c (original)
+++ httpd/httpd/trunk/modules/proxy/mod_proxy_http.c Tue Jun 8 14:37:44 2021
@@ -1909,7 +1909,7 @@ static int proxy_http_handler(request_re
"HTTP: declining URL %s", url);
return DECLINED; /* only interested in HTTP, WS or FTP via proxy */
}
- if (is_ssl && !ap_proxy_ssl_enable(NULL)) {
+ if (is_ssl && !ap_ssl_has_outgoing_handlers()) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01112)
"HTTP: declining URL %s (mod_ssl not configured?)", url);
return DECLINED;

Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1890605&r1=1890604&r2=1890605&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Tue Jun 8 14:37:44 2021
@@ -469,7 +469,7 @@ static int ssl_hook_pre_config(apr_pool_

static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
ap_conf_vector_t *per_dir_config,
- int new_proxy)
+ int reinit)
{
SSLConnRec *sslconn = myConnConfig(c);
int need_setup = 0;
@@ -485,7 +485,7 @@ static SSLConnRec *ssl_init_connection_c
sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
need_setup = 1;
}
- else if (!new_proxy) {
+ else if (!reinit) {
return sslconn;
}

@@ -503,8 +503,7 @@ static SSLConnRec *ssl_init_connection_c
if (need_setup) {
sslconn->server = c->base_server;
sslconn->verify_depth = UNSET;
- if (new_proxy) {
- sslconn->is_proxy = 1;
+ if (c->outgoing) {
sslconn->cipher_suite = sslconn->dc->proxy->auth.cipher_suite;
}
else {
@@ -524,10 +523,11 @@ static int ssl_engine_status(conn_rec *c
return DECLINED;
}
if (sslconn) {
+ /* This connection has already been configured. Check what applies. */
if (sslconn->disabled) {
return SUSPENDED;
}
- if (sslconn->is_proxy) {
+ if (c->outgoing) {
if (!sslconn->dc->proxy_enabled) {
return DECLINED;
}
@@ -539,53 +539,41 @@ static int ssl_engine_status(conn_rec *c
}
}
else {
- if (mySrvConfig(c->base_server)->enabled != SSL_ENABLED_TRUE) {
+ /* we decline by default for outgoing connections and for incoming
+ * where the base_server is not enabled. */
+ if (c->outgoing || mySrvConfig(c->base_server)->enabled != SSL_ENABLED_TRUE) {
return DECLINED;
}
}
return OK;
}

-static int ssl_engine_set(conn_rec *c,
- ap_conf_vector_t *per_dir_config,
- int proxy, int enable)
+static int ssl_hook_ssl_bind_outgoing(conn_rec *c,
+ ap_conf_vector_t *per_dir_config,
+ int enable_ssl)
{
SSLConnRec *sslconn;
int status;
-
- if (proxy) {
- sslconn = ssl_init_connection_ctx(c, per_dir_config, 1);
- }
- else {
- sslconn = myConnConfig(c);
- }

+ sslconn = ssl_init_connection_ctx(c, per_dir_config, 1);
status = ssl_engine_status(c, sslconn);
-
- if (proxy && status == DECLINED) {
- if (enable) {
+ if (enable_ssl) {
+ if (status != OK) {
SSLSrvConfigRec *sc = mySrvConfig(sslconn->server);
- ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961)
- "SSL Proxy requested for %s but not enabled "
- "[Hint: SSLProxyEngine]", sc->vhost_id);
+ sslconn->disabled = 1;
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(10272)
+ "SSL Proxy requested for %s but not enabled for us.",
+ sc->vhost_id);
+ }
+ else {
+ sslconn->disabled = 0;
+ return OK;
}
- sslconn->disabled = 1;
}
- else if (sslconn) {
- sslconn->disabled = !enable;
+ else {
+ sslconn->disabled = 1;
}
-
- return status != DECLINED;
-}
-
-static int ssl_proxy_enable(conn_rec *c)
-{
- return ssl_engine_set(c, NULL, 1, 1);
-}
-
-static int ssl_engine_disable(conn_rec *c)
-{
- return ssl_engine_set(c, NULL, 0, 0);
+ return DECLINED;
}

#if defined(SSL_MAX_SID_CTX_LENGTH) && (APR_MD5_DIGESTSIZE * 2) > SSL_MAX_SID_CTX_LENGTH
@@ -612,9 +600,9 @@ int ssl_init_ssl_connection(conn_rec *c,
* Seed the Pseudo Random Number Generator (PRNG)
*/
ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT,
- sslconn->is_proxy ? "Proxy: " : "Server: ");
+ c->outgoing ? "Proxy: " : "Server: ");

- mctx = myCtxConfig(sslconn, sc);
+ mctx = myConnCtxConfig(c, sc);

/*
* Create a new SSL connection with the configured server SSL context and
@@ -632,7 +620,7 @@ int ssl_init_ssl_connection(conn_rec *c,
return DECLINED; /* XXX */
}

- rc = ssl_run_pre_handshake(c, ssl, sslconn->is_proxy ? 1 : 0);
+ rc = ssl_run_pre_handshake(c, ssl, c->outgoing ? 1 : 0);
if (rc != OK && rc != DECLINED) {
return rc;
}
@@ -760,10 +748,7 @@ static void ssl_register_hooks(apr_pool_
APR_HOOK_MIDDLE);

ssl_var_register(p);
-
- APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
- APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
- APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
+ ap_hook_ssl_bind_outgoing (ssl_hook_ssl_bind_outgoing, NULL, NULL, APR_HOOK_MIDDLE);

ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl",
AUTHZ_PROVIDER_VERSION,

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?rev=1890605&r1=1890604&r2=1890605&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_io.c Tue Jun 8 14:37:44 2021
@@ -1245,7 +1245,7 @@ static apr_status_t ssl_io_filter_handsh
}

server = sslconn->server;
- if (sslconn->is_proxy) {
+ if (c->outgoing) {
#ifdef HAVE_TLSEXT
apr_ipsubnet_t *ip;
#endif

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1890605&r1=1890604&r2=1890605&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Tue Jun 8 14:37:44 2021
@@ -1768,7 +1768,7 @@ int ssl_callback_SSLVerify(int ok, X509_
SSLSrvConfigRec *sc = mySrvConfig(s);
SSLConnRec *sslconn = myConnConfig(conn);
SSLDirConfigRec *dc = r ? myDirConfig(r) : sslconn->dc;
- modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
+ modssl_ctx_t *mctx = myConnCtxConfig(conn, sc);
int crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS;

/* Get verify ingredients */
@@ -1792,7 +1792,7 @@ int ssl_callback_SSLVerify(int ok, X509_
* Check for optionally acceptable non-verifiable issuer situation
*/
if (dc) {
- if (sslconn->is_proxy) {
+ if (conn->outgoing) {
verify = dc->proxy->auth.verify_mode;
}
else {
@@ -1904,7 +1904,7 @@ int ssl_callback_SSLVerify(int ok, X509_
* Finally check the depth of the certificate verification
*/
if (dc) {
- if (sslconn->is_proxy) {
+ if (conn->outgoing) {
depth = dc->proxy->auth.verify_depth;
}
else {
@@ -2300,7 +2300,7 @@ void ssl_callback_Info(const SSL *ssl, i
/* If the reneg state is to reject renegotiations, check the SSL
* state machine and move to ABORT if a Client Hello is being
* read. */
- if (!sslconn->is_proxy &&
+ if (!c->outgoing &&
(where & SSL_CB_HANDSHAKE_START) &&
sslconn->reneg_state == RENEG_REJECT) {
sslconn->reneg_state = RENEG_ABORT;
@@ -2543,7 +2543,7 @@ static int ssl_find_vhost(void *serverna
* Don't switch the protocol if none is configured for this vhost,
* the default in this case is still the base server's SSLProtocol.
*/
- if (myCtxConfig(sslcon, sc)->protocol_set) {
+ if (myConnCtxConfig(c, sc)->protocol_set) {
SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx));
SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx));
}
@@ -2629,8 +2629,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
server_rec *s = mySrvFromConn(c);
SSLSrvConfigRec *sc = mySrvConfig(s);
- SSLConnRec *sslconn = myConnConfig(c);
- modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
+ modssl_ctx_t *mctx = myConnCtxConfig(c, sc);
modssl_ticket_key_t *ticket_key = mctx->ticket_key;

if (mode == 1) {

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?rev=1890605&r1=1890604&r2=1890605&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c Tue Jun 8 14:37:44 2021
@@ -64,10 +64,10 @@ static const SSLConnRec *ssl_get_effecti
return sslconn;
}

-static int ssl_is_https(conn_rec *c)
+static int ssl_conn_is_ssl(conn_rec *c)
{
const SSLConnRec *sslconn = ssl_get_effective_config(c);
- return sslconn && sslconn->ssl;
+ return (sslconn && sslconn->ssl)? OK : DECLINED;
}

/* Returns certificate data, either PEM encoded if 'pem' is non-zero,
@@ -244,7 +244,7 @@ void ssl_var_register(apr_pool_t *p)
{
char *cp, *cp2;

- APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+ ap_hook_ssl_conn_is_ssl(ssl_conn_is_ssl, NULL, NULL, APR_HOOK_MIDDLE);
APR_REGISTER_OPTIONAL_FN(ssl_get_tls_cb);
APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
APR_REGISTER_OPTIONAL_FN(ssl_ext_list);

Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1890605&r1=1890604&r2=1890605&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Tue Jun 8 14:37:44 2021
@@ -315,8 +315,8 @@ APLOG_USE_MODULE(ssl);
((SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &ssl_module))
#define myDirConfig(req) \
((SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module))
-#define myCtxConfig(sslconn, sc) \
- (sslconn->is_proxy ? sslconn->dc->proxy : sc->server)
+#define myConnCtxConfig(c, sc) \
+ (c->outgoing ? myConnConfig(c)->dc->proxy : sc->server)
#define myModConfig(srv) mySrvConfig((srv))->mc
#define mySrvFromConn(c) myConnConfig(c)->server
#define myDirConfigFromConn(c) myConnConfig(c)->dc
@@ -538,7 +538,6 @@ typedef struct {
const char *verify_info;
const char *verify_error;
int verify_depth;
- int is_proxy;
int disabled;
enum {
NON_SSL_OK = 0, /* is SSL request, or error handling completed */

Modified: httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c?rev=1890605&r1=1890604&r2=1890605&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c Tue Jun 8 14:37:44 2021
@@ -798,8 +798,7 @@ static int stapling_cb(SSL *ssl, void *a
conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
server_rec *s = mySrvFromConn(conn);
SSLSrvConfigRec *sc = mySrvConfig(s);
- SSLConnRec *sslconn = myConnConfig(conn);
- modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
+ modssl_ctx_t *mctx = myConnCtxConfig(conn, sc);
UCHAR idx[SHA_DIGEST_LENGTH];
ocsp_resp resp;
certinfo *cinf = NULL;

Modified: httpd/httpd/trunk/server/ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/ssl.c?rev=1890605&r1=1890604&r2=1890605&view=diff
==============================================================================
--- httpd/httpd/trunk/server/ssl.c (original)
+++ httpd/httpd/trunk/server/ssl.c Tue Jun 8 14:37:44 2021
@@ -32,6 +32,7 @@
#include "ap_config.h"
#include "httpd.h"
#include "http_core.h"
+#include "http_connection.h"
#include "http_protocol.h"
#include "http_request.h"
#include "http_ssl.h"
@@ -58,10 +59,20 @@ APR_HOOK_STRUCT(
APR_HOOK_LINK(ssl_answer_challenge)
APR_HOOK_LINK(ssl_ocsp_prime_hook)
APR_HOOK_LINK(ssl_ocsp_get_resp_hook)
+ APR_HOOK_LINK(ssl_bind_outgoing)
)

APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
static APR_OPTIONAL_FN_TYPE(ssl_is_https) *module_ssl_is_https;
+APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *module_ssl_proxy_enable;
+APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *module_ssl_engine_disable;
+APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
+ ap_conf_vector_t *,
+ int proxy, int enable));
+static APR_OPTIONAL_FN_TYPE(ssl_engine_set) *module_ssl_engine_set;
+

static int ssl_is_https(conn_rec *c)
{
@@ -79,6 +90,77 @@ AP_DECLARE(int) ap_ssl_conn_is_ssl(conn_
return r;
}

+static int ssl_engine_set(conn_rec *c,
+ ap_conf_vector_t *per_dir_config,
+ int proxy, int enable)
+{
+ if (proxy) {
+ return ap_ssl_bind_outgoing(c, per_dir_config, enable) == OK;
+ }
+ else if (module_ssl_engine_set) {
+ return module_ssl_engine_set(c, per_dir_config, 0, enable);
+ }
+ else if (enable && module_ssl_proxy_enable) {
+ return module_ssl_proxy_enable(c);
+ }
+ else if (!enable && module_ssl_engine_disable) {
+ return module_ssl_engine_disable(c);
+ }
+ return 0;
+}
+
+static int ssl_proxy_enable(conn_rec *c)
+{
+ return ap_ssl_bind_outgoing(c, NULL, 1);
+}
+
+static int ssl_engine_disable(conn_rec *c)
+{
+ return ap_ssl_bind_outgoing(c, NULL, 0);
+}
+
+AP_DECLARE(int) ap_ssl_bind_outgoing(conn_rec *c, struct ap_conf_vector_t *dir_conf,
+ int enable_ssl)
+{
+ int rv, enabled = 0;
+
+ c->outgoing = 1;
+ rv = ap_run_ssl_bind_outgoing(c, dir_conf, enable_ssl);
+ enabled = (rv == OK);
+ if (enable_ssl && !enabled) {
+ /* the hooks did not take over. Is there an old skool optional that will? */
+ if (module_ssl_engine_set) {
+ enabled = module_ssl_engine_set(c, dir_conf, 1, 1);
+ }
+ else if (module_ssl_proxy_enable) {
+ enabled = module_ssl_proxy_enable(c);
+ }
+ }
+ else {
+ /* !enable_ssl || enabled
+ * any existing optional funcs need to not enable here */
+ if (module_ssl_engine_set) {
+ module_ssl_engine_set(c, dir_conf, 1, 0);
+ }
+ else if (module_ssl_engine_disable) {
+ module_ssl_engine_disable(c);
+ }
+ }
+ if (enable_ssl && !enabled) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0,
+ c, APLOGNO(01961) " failed to enable ssl support "
+ "[Hint: if using mod_ssl, see SSLProxyEngine]");
+ return DECLINED;
+ }
+ return OK;
+}
+
+AP_DECLARE(int) ap_ssl_has_outgoing_handlers(void)
+{
+ return (_hooks.link_ssl_bind_outgoing && _hooks.link_ssl_bind_outgoing->nelts > 0)
+ || module_ssl_engine_set || module_ssl_proxy_enable;
+}
+
APR_DECLARE_OPTIONAL_FN(const char *, ssl_var_lookup,
(apr_pool_t *p, server_rec *s,
conn_rec *c, request_rec *r,
@@ -123,6 +205,13 @@ AP_DECLARE(void) ap_setup_ssl_optional_f
module_ssl_var_lookup = (fn_ssl_var_lookup
&& fn_ssl_var_lookup != ssl_var_lookup)? fn_ssl_var_lookup : NULL;
APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+
+ module_ssl_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
+ APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+ module_ssl_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
+ APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+ module_ssl_engine_set = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_set);
+ APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
}

AP_DECLARE(apr_status_t) ap_ssl_add_cert_files(server_rec *s, apr_pool_t *p,
@@ -186,3 +275,5 @@ AP_IMPLEMENT_HOOK_RUN_FIRST(int, ssl_ocs
(server_rec *s, conn_rec *c, const char *id, apr_size_t id_len,
ap_ssl_ocsp_copy_resp *cb, void *userdata),
(s, c, id, id_len, cb, userdata), DECLINED)
+AP_IMPLEMENT_HOOK_RUN_FIRST(int,ssl_bind_outgoing,(conn_rec *c, ap_conf_vector_t *dir_conf, int require_ssl),
+ (c, dir_conf, require_ssl), DECLINED)