httpd/httpd-2.4.33-sslmultiproxy.patch

From ce2d1d7d4b2bebe34cf37fdeb30d35050092c5b5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit@cow.greyoak.com>
Date: Thu, 12 Apr 2018 14:36:28 -0400
Subject: [PATCH] httpd-2.4.18-sslmultiproxy.patch

---
 modules/ssl/mod_ssl.c         | 24 ++++++++++++++++++++++--
 modules/ssl/ssl_engine_vars.c | 18 +++++++++++++++++-
 2 files changed, 39 insertions(+), 3 deletions(-)

diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 48d64cb..42e85a3 100644
diff -uap httpd-2.4.33/modules/ssl/mod_ssl.c.sslmultiproxy httpd-2.4.33/modules/ssl/mod_ssl.c
--- httpd-2.4.33/modules/ssl/mod_ssl.c.sslmultiproxy
+++ httpd-2.4.33/modules/ssl/mod_ssl.c
@@ -444,12 +444,19 @@
     return OK;
 }
 
+static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable;
+static APR_OPTIONAL_FN_TYPE(ssl_engine_set) *othermod_engine_set;
+
 static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
                                            ap_conf_vector_t *per_dir_config)
 {
     SSLConnRec *sslconn = myConnConfig(c);
     SSLSrvConfigRec *sc;
 
+    if (othermod_engine_disable) {
+        othermod_engine_disable(c);
+    }
+
     if (sslconn) {
         return sslconn;
     }
@@ -508,6 +515,10 @@
 {
     SSLConnRec *sslconn;
     int status;
+
+    if (othermod_engine_set) {
+        return othermod_engine_set(c, per_dir_config, proxy, enable);
+    }
     
     if (proxy) {
         sslconn = ssl_init_connection_ctx(c, per_dir_config);
@@ -537,12 +548,18 @@
 
 static int ssl_proxy_enable(conn_rec *c)
 {
-    return ssl_engine_set(c, NULL, 1, 1);
+    if (othermod_engine_set)
+        return othermod_engine_set(c, NULL, 1, 1);
+    else
+        return ssl_engine_set(c, NULL, 1, 1);
 }
 
 static int ssl_engine_disable(conn_rec *c)
 {
-    return ssl_engine_set(c, NULL, 0, 0);
+    if (othermod_engine_set)
+        return othermod_engine_set(c, NULL, 0, 0);
+    else
+        return ssl_engine_set(c, NULL, 0, 0);
 }
 
 int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
@@ -730,6 +747,9 @@
                       APR_HOOK_MIDDLE);
 
     ssl_var_register(p);
+    
+    othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
+    othermod_engine_set = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_set);
 
     APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
     APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
diff -uap httpd-2.4.33/modules/ssl/ssl_engine_vars.c.sslmultiproxy httpd-2.4.33/modules/ssl/ssl_engine_vars.c
--- httpd-2.4.33/modules/ssl/ssl_engine_vars.c.sslmultiproxy
+++ httpd-2.4.33/modules/ssl/ssl_engine_vars.c
@@ -54,6 +54,8 @@
 static void  ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize);
 static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
 static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl);
+static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https;
+static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup;
 
 static SSLConnRec *ssl_get_effective_config(conn_rec *c)
 {
@@ -68,7 +70,9 @@
 static int ssl_is_https(conn_rec *c)
 {
     SSLConnRec *sslconn = ssl_get_effective_config(c);
-    return sslconn && sslconn->ssl;
+
+    return (sslconn && sslconn->ssl)
+        || (othermod_is_https && othermod_is_https(c));
 }
 
 static const char var_interface[] = "mod_ssl/" AP_SERVER_BASEREVISION;
@@ -137,6 +141,9 @@
 {
     char *cp, *cp2;
 
+    othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
+    othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
+
     APR_REGISTER_OPTIONAL_FN(ssl_is_https);
     APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
     APR_REGISTER_OPTIONAL_FN(ssl_ext_list);
@@ -271,6 +278,15 @@
      */
     if (result == NULL && c != NULL) {
         SSLConnRec *sslconn = ssl_get_effective_config(c);
+
+        if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
+            && (!sslconn || !sslconn->ssl) && othermod_var_lookup) {
+            /* For an SSL_* variable, if mod_ssl is not enabled for
+             * this connection and another SSL module is present, pass
+             * through to that module. */
+            return othermod_var_lookup(p, s, c, r, var);
+        }
+
         if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
             && sslconn && sslconn->ssl)
             result = ssl_var_lookup_ssl(p, sslconn, r, var+4);
Apply sslmultiproxy patch. 2018-04-16 07:44:11 +00:00			`From ce2d1d7d4b2bebe34cf37fdeb30d35050092c5b5 Mon Sep 17 00:00:00 2001`
			`From: Rob Crittenden <rcrit@cow.greyoak.com>`
			`Date: Thu, 12 Apr 2018 14:36:28 -0400`
			`Subject: [PATCH] httpd-2.4.18-sslmultiproxy.patch`
- mod_ssl: fix mod_nss compat patch (Rob Crittenden, #1566511) 2018-04-16 07:24:31 +00:00
			`---`
Apply sslmultiproxy patch. 2018-04-16 07:44:11 +00:00			`modules/ssl/mod_ssl.c \| 24 ++++++++++++++++++++++--`
			`modules/ssl/ssl_engine_vars.c \| 18 +++++++++++++++++-`
			`2 files changed, 39 insertions(+), 3 deletions(-)`
- mod_ssl: fix mod_nss compat patch (Rob Crittenden, #1566511) 2018-04-16 07:24:31 +00:00
Apply sslmultiproxy patch. 2018-04-16 07:44:11 +00:00			`diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c`
			`index 48d64cb..42e85a3 100644`
			`diff -uap httpd-2.4.33/modules/ssl/mod_ssl.c.sslmultiproxy httpd-2.4.33/modules/ssl/mod_ssl.c`
			`--- httpd-2.4.33/modules/ssl/mod_ssl.c.sslmultiproxy`
			`+++ httpd-2.4.33/modules/ssl/mod_ssl.c`
			`@@ -444,12 +444,19 @@`
			`return OK;`
			`}`

			`+static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable;`
			`+static APR_OPTIONAL_FN_TYPE(ssl_engine_set) *othermod_engine_set;`
- mod_ssl: fix mod_nss compat patch (Rob Crittenden, #1566511) 2018-04-16 07:24:31 +00:00			`+`
Apply sslmultiproxy patch. 2018-04-16 07:44:11 +00:00			`static SSLConnRec ssl_init_connection_ctx(conn_rec c,`
			`ap_conf_vector_t *per_dir_config)`
			`{`
			`SSLConnRec *sslconn = myConnConfig(c);`
			`SSLSrvConfigRec *sc;`

			`+ if (othermod_engine_disable) {`
			`+ othermod_engine_disable(c);`
			`+ }`
- mod_ssl: fix mod_nss compat patch (Rob Crittenden, #1566511) 2018-04-16 07:24:31 +00:00			`+`
Apply sslmultiproxy patch. 2018-04-16 07:44:11 +00:00			`if (sslconn) {`
			`return sslconn;`
			`}`
			`@@ -508,6 +515,10 @@`
			`{`
			`SSLConnRec *sslconn;`
			`int status;`
- mod_ssl: fix mod_nss compat patch (Rob Crittenden, #1566511) 2018-04-16 07:24:31 +00:00			`+`
Apply sslmultiproxy patch. 2018-04-16 07:44:11 +00:00			`+ if (othermod_engine_set) {`
			`+ return othermod_engine_set(c, per_dir_config, proxy, enable);`
			`+ }`

			`if (proxy) {`
			`sslconn = ssl_init_connection_ctx(c, per_dir_config);`
			`@@ -537,12 +548,18 @@`

			`static int ssl_proxy_enable(conn_rec *c)`
			`{`
			`- return ssl_engine_set(c, NULL, 1, 1);`
			`+ if (othermod_engine_set)`
			`+ return othermod_engine_set(c, NULL, 1, 1);`
			`+ else`
			`+ return ssl_engine_set(c, NULL, 1, 1);`
			`}`

			`static int ssl_engine_disable(conn_rec *c)`
			`{`
			`- return ssl_engine_set(c, NULL, 0, 0);`
			`+ if (othermod_engine_set)`
			`+ return othermod_engine_set(c, NULL, 0, 0);`
			`+ else`
			`+ return ssl_engine_set(c, NULL, 0, 0);`
			`}`

			`int ssl_init_ssl_connection(conn_rec c, request_rec r)`
			`@@ -730,6 +747,9 @@`
			`APR_HOOK_MIDDLE);`

			`ssl_var_register(p);`
			`+`
			`+ othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);`
			`+ othermod_engine_set = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_set);`

			`APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);`
			`APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);`
			`diff -uap httpd-2.4.33/modules/ssl/ssl_engine_vars.c.sslmultiproxy httpd-2.4.33/modules/ssl/ssl_engine_vars.c`
			`--- httpd-2.4.33/modules/ssl/ssl_engine_vars.c.sslmultiproxy`
			`+++ httpd-2.4.33/modules/ssl/ssl_engine_vars.c`
			`@@ -54,6 +54,8 @@`
			`static void ssl_var_lookup_ssl_cipher_bits(SSL ssl, int usekeysize, int *algkeysize);`
			`static char ssl_var_lookup_ssl_version(apr_pool_t p, char *var);`
			`static char ssl_var_lookup_ssl_compress_meth(SSL ssl);`
			`+static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https;`
			`+static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup;`

			`static SSLConnRec ssl_get_effective_config(conn_rec c)`
			`{`
			`@@ -68,7 +70,9 @@`
			`static int ssl_is_https(conn_rec *c)`
			`{`
			`SSLConnRec *sslconn = ssl_get_effective_config(c);`
			`- return sslconn && sslconn->ssl;`
			`+`
			`+ return (sslconn && sslconn->ssl)`
			`+ \|\| (othermod_is_https && othermod_is_https(c));`
			`}`

			`static const char var_interface[] = "mod_ssl/" AP_SERVER_BASEREVISION;`
			`@@ -137,6 +141,9 @@`
			`{`
			`char cp, cp2;`

			`+ othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);`
			`+ othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);`
			`+`
			`APR_REGISTER_OPTIONAL_FN(ssl_is_https);`
			`APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);`
			`APR_REGISTER_OPTIONAL_FN(ssl_ext_list);`
			`@@ -271,6 +278,15 @@`
			`*/`
			`if (result == NULL && c != NULL) {`
			`SSLConnRec *sslconn = ssl_get_effective_config(c);`
			`+`
			`+ if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)`
			`+ && (!sslconn \|\| !sslconn->ssl) && othermod_var_lookup) {`
			`+ /* For an SSL_* variable, if mod_ssl is not enabled for`
			`+ * this connection and another SSL module is present, pass`
			`+ * through to that module. */`
			`+ return othermod_var_lookup(p, s, c, r, var);`
			`+ }`
			`+`
			`if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)`
			`&& sslconn && sslconn->ssl)`
			`result = ssl_var_lookup_ssl(p, sslconn, r, var+4);`