author | Joe Orton <jorton@apache.org> | 2020-05-04 11:23:03 +0200 |
committer | Joe Orton <jorton@apache.org> | 2020-05-04 11:23:03 +0200 |
commit | ccc38eab462e11a50d9ac4de4b64f3845ded60de (patch) | |
tree | 3090c0aa84d68e9b496e72bb23519117a1f88133 | |
parent | * modules/ssl/ssl_util.c (ssl_asn1_table_set): Remove unused function. (diff) | |
mod_ssl: Calculate the MD5 digest used as the session context once per
vhost at startup, rather than building it for each new connection.
* modules/ssl/ssl_private.h (struct SSLSrvConfigRec):
Replace vhost_id_len field with vhost_md5.
* modules/ssl/ssl_engine_init.c (ssl_init_Module): Build the
sc->vhost_md5 hash here.
* modules/ssl/mod_ssl.c: Fail at compile time if the
SSL_set_session_id_context() API constraint on context length is
violated.
(ssl_init_ssl_connection): Use sc->vhost_md5.
* modules/ssl/ssl_engine_kernel.c (ssl_find_vhost): Use sc->vhost_md5
after renegotiation.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877349 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | modules/ssl/mod_ssl.c | 15 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_config.c | 1 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_init.c | 7 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_kernel.c | 6 | ||||
-rw-r--r-- | modules/ssl/ssl_private.h | 2 |
5 files changed, 14 insertions, 17 deletions
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index d5189341f1..2b9a27f201 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -589,12 +589,15 @@ static int ssl_engine_disable(conn_rec *c) return ssl_engine_set(c, NULL, 0, 0); } +#if defined(SSL_MAX_SID_CTX_LENGTH) && (APR_MD5_DIGESTSIZE * 2) > SSL_MAX_SID_CTX_LENGTH +#error APR digest length x2 exceeds SSL_MAX_SID_CTX_LENGTH +#endif + int ssl_init_ssl_connection(conn_rec *c, request_rec *r) { SSLSrvConfigRec *sc; SSL *ssl; SSLConnRec *sslconn; - char *vhost_md5; int rc; modssl_ctx_t *mctx; server_rec *server; @@ -635,14 +638,10 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r) return rc; } - vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id, - sc->vhost_id_len); - - if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5, - APR_MD5_DIGESTSIZE*2)) - { + if (!SSL_set_session_id_context(ssl, sc->vhost_md5, APR_MD5_DIGESTSIZE*2)) { ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01963) - "Unable to set session id context to '%s'", vhost_md5); + "Unable to set session id context to '%s'", + sc->vhost_md5); ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server); c->aborted = 1; diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index f3d1e4a427..b0faf55b82 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -209,7 +209,6 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p) sc->mc = NULL; sc->enabled = SSL_ENABLED_UNSET; sc->vhost_id = NULL; /* set during module init */ - sc->vhost_id_len = 0; /* set during module init */ sc->session_cache_timeout = UNSET; sc->cipher_server_pref = UNSET; sc->insecure_reneg = UNSET; diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 46330601f6..3ebad301d2 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c 
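Review bot: The new `#if defined(SSL_MAX_SID_CTX_LENGTH) && (APR_MD5_DIGESTSIZE * 2) > SSL_MAX_SID_CTX_LENGTH` guard in the first mod_ssl.c hunk checks a length that is then written out again as `APR_MD5_DIGESTSIZE*2` in the SSL_set_session_id_context call below and once more in the ssl_engine_kernel.c hunk, so a later edit to either call site silently escapes the guard. One macro next to the new field, e.g. `#define SSL_VHOST_MD5_LEN (APR_MD5_DIGESTSIZE * 2)`, used in the `#if` and in both calls would tie them together by construction. The guard also deserves a one-line comment on why it is `* 2`: the `'%s'` in the log call below suggests the context is the hex-string form ap_md5_binary returns rather than the raw 16-byte digest, and the `defined(...)` clause means the check is skipped entirely on a toolchain where OpenSSL does not expose the macro, which is worth stating so nobody reads silence as proof.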
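Review bot: In the second mod_ssl.c hunk `sc->vhost_md5` is passed straight to SSL_set_session_id_context and to the `'%s'` log format with no NULL check, where the old code derived the digest on the spot from sc->vhost_id and a length that defaulted to 0; if any SSLSrvConfigRec can reach ssl_init_ssl_connection without the ssl_init_Module path that fills vhost_md5 having run for it, OpenSSL would presumably copy 32 bytes from NULL instead of the old behaviour of hashing a zero-length id. Whether such a path exists cannot be told from this hunk, so an explicit check that makes the init-before-connection assumption fail loudly is cheap insurance, e.g. a NULL test on `sc->vhost_md5` before the call that logs the vhost id and sets `c->aborted = 1` exactly like the existing failure branch. Separately, the ssl_private.h hunk makes `vhost_md5` a `const unsigned char *` while `%s` expects `char *`; compilers with strict format checking may warn, so `(const char *)sc->vhost_md5` in the ap_log_cerror argument keeps the build warning-clean. ssl_init_ssl_connection continues outside this hunk on both sides.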
@@ -31,6 +31,7 @@ #include "mod_ssl_openssl.h" #include "mpm_common.h" #include "mod_md.h" +#include "util_md5.h" static apr_status_t ssl_init_ca_cert_path(server_rec *, apr_pool_t *, const char *, STACK_OF(X509_NAME) *, STACK_OF(X509_INFO) *); @@ -287,8 +288,10 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, /* Derive the vhost id only after potentially defaulting-on * sc->enabled since the port used may change. */ sc->vhost_id = ssl_util_vhostid(p, s); - sc->vhost_id_len = strlen(sc->vhost_id); - + sc->vhost_md5 = + (unsigned char *)ap_md5_binary(p, (unsigned char *)sc->vhost_id, + strlen(sc->vhost_id)); + /* Fix up stuff that may not have been set. If sc->enabled is * UNSET, then SSL is disabled on this vhost. */ if (sc->enabled == SSL_ENABLED_UNSET) { diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 9787ae345e..7c1811ea17 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -2556,11 +2556,7 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s) * a renegotiation. */ if (SSL_num_renegotiations(ssl) == 0) { - unsigned char *sid_ctx = - (unsigned char *)ap_md5_binary(c->pool, - (unsigned char *)sc->vhost_id, - sc->vhost_id_len); - SSL_set_session_id_context(ssl, sid_ctx, APR_MD5_DIGESTSIZE*2); + SSL_set_session_id_context(ssl, sc->vhost_md5, APR_MD5_DIGESTSIZE*2); } /* diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index 779129e24b..e5c8c0ccc5 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -765,7 +765,7 @@ struct SSLSrvConfigRec { SSLModConfigRec *mc; ssl_enabled_t enabled; const char *vhost_id; - int vhost_id_len; + const unsigned char *vhost_md5; /* = ap_md5_binary(vhost_id, ...) */ int session_cache_timeout; BOOL cipher_server_pref; BOOL insecure_reneg; |
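Review bot: The comment above the new `sc->vhost_md5 = (unsigned char *)ap_md5_binary(p, ...)` assignment in ssl_init_Module still only explains why vhost_id is derived after sc->enabled is defaulted, but the digest now inherits that ordering and additionally becomes the per-connection session id context, which is the property a reader of this function needs. I would extend it to something like `/* Derive the vhost id, and its MD5 used as the TLS session id context for every connection to this vhost, only after potentially defaulting-on sc->enabled since the port used may change. */` so the dependency between ssl_init_Module and ssl_init_ssl_connection/ssl_find_vhost is visible at the one place the value is produced. ssl_init_Module starts and ends outside this hunk.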
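Review bot: The rewritten `SSL_set_session_id_context(ssl, sc->vhost_md5, APR_MD5_DIGESTSIZE*2);` in ssl_find_vhost still discards the return value, whereas the equivalent call in the mod_ssl.c hunk logs APLOGNO(01963), calls ssl_log_ssl_error and aborts the connection on failure. With the new compile-time length guard the length can no longer be rejected, so an unchecked call is defensible, but that reasoning is not visible at this call site and the two sites now look inconsistent. Either cast it `(void)SSL_set_session_id_context(...)` with a short comment saying the context length is verified at compile time in mod_ssl.c, or mirror the error handling from ssl_init_ssl_connection. ssl_find_vhost starts and ends outside this hunk.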
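Review bot: The new field comment `/* = ap_md5_binary(vhost_id, ...) */` in the ssl_private.h hunk says how the value is produced but not what readers of the struct actually need: its length is `APR_MD5_DIGESTSIZE*2` bytes rather than a raw digest, it is the TLS session id context handed to SSL_set_session_id_context, and it is only valid once ssl_init_Module has run. Note also that the ssl_engine_config.c hunk drops the explicit `sc->vhost_id_len = 0;` initialiser without adding one for the replacement field, while `sc->vhost_id = NULL; /* set during module init */` stays — if ssl_config_server_new zero-fills the record this is harmless, but that is not visible in the diff and the file's convention is clearly explicit initialisation. I would document the field as `/* MD5 hex digest of vhost_id (APR_MD5_DIGESTSIZE*2 bytes), used as the SSL session id context; set by ssl_init_Module(), NULL before then */` and add `sc->vhost_md5 = NULL; /* set during module init */` next to the vhost_id line. struct SSLSrvConfigRec starts and ends outside this hunk.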