httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruediger Pluem <rpl...@apache.org>
Subject Re: svn commit: r644751 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_session_crypto.xml modules/session/config.m4 modules/session/mod_session_crypto.c
Date Sat, 05 Apr 2008 21:18:11 GMT


On 04/04/2008 06:11 PM, minfrin@apache.org wrote:
> Author: minfrin
> Date: Fri Apr  4 09:11:31 2008
> New Revision: 644751
> 
> URL: http://svn.apache.org/viewvc?rev=644751&view=rev
> Log:
> mod_session_crypto: Add a session encoding implementation capable
> of encrypting and decrypting sessions wherever they may be stored.
> Introduces a level of privacy when sessions are stored on the
> browser.
> 
> Added:
>     httpd/httpd/trunk/docs/manual/mod/mod_session_crypto.xml
>     httpd/httpd/trunk/modules/session/mod_session_crypto.c
> Modified:
>     httpd/httpd/trunk/CHANGES
>     httpd/httpd/trunk/modules/session/config.m4
> 

> Added: httpd/httpd/trunk/modules/session/mod_session_crypto.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/session/mod_session_crypto.c?rev=644751&view=auto
> ==============================================================================
> --- httpd/httpd/trunk/modules/session/mod_session_crypto.c (added)
> +++ httpd/httpd/trunk/modules/session/mod_session_crypto.c Fri Apr  4 09:11:31 2008
> @@ -0,0 +1,468 @@
> +/* Licensed to the Apache Software Foundation (ASF) under one or more
> + * contributor license agreements.  See the NOTICE file distributed with
> + * this work for additional information regarding copyright ownership.
> + * The ASF licenses this file to You under the Apache License, Version 2.0
> + * (the "License"); you may not use this file except in compliance with
> + * the License.  You may obtain a copy of the License at
> + *
> + *     http://www.apache.org/licenses/LICENSE-2.0
> + *
> + * Unless required by applicable law or agreed to in writing, software
> + * distributed under the License is distributed on an "AS IS" BASIS,
> + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> + * See the License for the specific language governing permissions and
> + * limitations under the License.
> + */
> +
> +#define CORE_PRIVATE
> +
> +#include "mod_session.h"
> +#include "apu_version.h"
> +#include "apr_base64.h"                /* for apr_base64_decode et al */
> +#include "apr_ssl.h"                /* for apr_*_encrypt et al */
> +#include "apr_lib.h"
> +#include "apr_strings.h"
> +#include "http_log.h"
> +
> +#define LOG_PREFIX "mod_session_crypto: "
> +#define DEFAULT_CIPHER "AES256"
> +#define DEFAULT_DIGEST "SHA"
> +
> +module AP_MODULE_DECLARE_DATA session_crypto_module;
> +
> +/**
> + * Structure to carry the per-dir session config.
> + */
> +typedef struct {
> +    const char *passphrase;
> +    int passphrase_set;
> +    const char *certfile;
> +    int certfile_set;
> +    const char *keyfile;
> +    int keyfile_set;
> +    const char *cipher;
> +    int cipher_set;
> +    const char *digest;
> +    int digest_set;
> +    const char *engine;
> +    int engine_set;
> +} session_crypto_dir_conf;
> +
> +/**
> + * Initialise the encryption as per the current config.
> + *
> + * Returns APR_SUCCESS if successful.
> + */
> +#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION
>= 3)
> +static apr_status_t crypt_init(request_rec * r, apr_evp_factory_t ** f, apr_evp_crypt_key_e
* key, session_crypto_dir_conf * conf)
> +{
> +    apr_status_t res;
> +
> +    if (!conf->certfile_set && !conf->keyfile_set && !conf->passphrase_set)
{
> +        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, LOG_PREFIX
> +                      "encryption not configured, "
> +                      "no passphrase or certfile/keyfile set");
> +        return APR_EGENERAL;
> +    }
> +
> +    /* set up */
> +    if (conf->certfile_set) {
> +        *key = APR_EVP_KEY_PUBLIC;
> +        res = apr_evp_factory_create(f, conf->keyfile, conf->certfile, NULL,
> +                   NULL, NULL, conf->digest, APR_EVP_FACTORY_ASYM, r->pool);

How do you know that a conf->keyfile was set?

> +        if (APR_ENOTIMPL == res) {
> +            ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
> +                "generic public/private key encryption is not supported by "
> +                    "this version of APR. session encryption not possible");
> +        }
> +    }
> +    if (conf->passphrase) {
> +        *key = APR_EVP_KEY_SYM;
> +        res = apr_evp_factory_create(f, NULL, NULL, conf->cipher,
> +        conf->passphrase, NULL, conf->digest, APR_EVP_FACTORY_SYM, r->pool);

Hm. Why not supplying conf->engine if set?
According to the documentation of APR-UTIL the passphrase parameter is used for assymetrical
encryption (I assume to decrypt the private key). So why passing it along here?
And what happens above if the private key is password protected?


> +        if (APR_ENOTIMPL == res) {
> +            ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
> +                  "generic symmetrical encryption is not supported by this "
> +                          "version of APR. session encryption not possible");
> +        }
> +    }
> +    if (APR_STATUS_IS_ENOCIPHER(res)) {
> +        ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
> +                      "the cipher '%s' was not found", conf->cipher);
> +    }
> +    if (APR_STATUS_IS_ENODIGEST(res)) {
> +        ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
> +                      "the digest '%s' was not found", conf->digest);
> +    }
> +    if (APR_STATUS_IS_ENOCERT(res)) {
> +        ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
> +                   "the public and private key could not be extracted from "
> +                      "the certificates");
> +    }
> +    if (APR_STATUS_IS_ENOENGINE(res)) {
> +        ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
> +                      "the engine '%s' was not found", conf->engine);
> +    }
> +    if (APR_SUCCESS != res) {
> +        ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
> +                      "encryption could not be configured. Please check the "
> +                      "certificates and/or passphrase as appropriate");
> +        apr_evp_factory_cleanup(*f);
> +        return APR_EGENERAL;
> +    }
> +
> +    return APR_SUCCESS;
> +}
> +#endif
> +
> +/**
> + * Encrypt the string given as per the current config.
> + *
> + * Returns APR_SUCCESS if successful.
> + */
> +static apr_status_t encrypt_string(request_rec * r, const char *in, char **out)
> +{
> +#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION
>= 3)
> +    apr_status_t res;
> +    apr_evp_factory_t *f = NULL;
> +    apr_evp_crypt_t *e = NULL;
> +    apr_evp_crypt_key_e key;
> +    unsigned char *encrypt = NULL;
> +    apr_size_t encryptlen, tlen;
> +    char *base64;
> +
> +    session_crypto_dir_conf *conf = ap_get_module_config(r->per_dir_config,
> +                                                    &session_crypto_module);
> +
> +    /* don't attempt to encrypt an empty string, trying to do so causes a segfault */
> +    if (!in || !*in) {
> +        return APR_SUCCESS;

But should we set *out to something meaningful like "" or NULL?

> +    }
> +
> +    res = crypt_init(r, &f, &key, conf);
> +    if (res != APR_SUCCESS) {
> +        return res;
> +    }
> +
> +    res = apr_evp_crypt_init(f, &e, APR_EVP_ENCRYPT, key, r->pool);
> +    if (APR_SUCCESS != res) {
> +        ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
> +                      "encryption could be configured but not initialised");
> +        apr_evp_factory_cleanup(f);
> +        return res;
> +    }
> +
> +    /* encrypt the given string */
> +    res = apr_evp_crypt(e, &encrypt, &encryptlen, (unsigned char *) in, strlen(in));
> +    if (APR_SUCCESS != res) {
> +        ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
> +                      "attempt to encrypt failed");
> +        apr_evp_factory_cleanup(f);
> +        apr_evp_crypt_cleanup(e);
> +        return res;
> +    }
> +    res = apr_evp_crypt_finish(e, encrypt + encryptlen, &tlen);
> +    if (APR_SUCCESS != res) {
> +        ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
> +                      "attempt to finish the encryption failed");
> +        apr_evp_factory_cleanup(f);
> +        apr_evp_crypt_cleanup(e);
> +        return res;
> +    }
> +    encryptlen += tlen;
> +
> +    /* base64 encode the result */
> +    base64 = apr_pcalloc(r->pool, apr_base64_encode_len(encryptlen + 1) * sizeof(char));
> +    apr_base64_encode(base64, (const char *) encrypt, encryptlen);
> +    *out = base64;
> +
> +    /* clean up afterwards */
> +    apr_evp_factory_cleanup(f);
> +    apr_evp_crypt_cleanup(e);
> +
> +    return res;
> +
> +#else
> +    ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_ENOTIMPL, r, LOG_PREFIX
> +                  "crypto is not supported by APR on this platform");
> +    return APR_ENOTIMPL;
> +#endif
> +}
> +
> +/**
> + * Decrypt the string given as per the current config.
> + *
> + * Returns APR_SUCCESS if successful.
> + */
> +static apr_status_t decrypt_string(request_rec * r, const char *in, char **out)
> +{
> +#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION
>= 3)
> +    apr_status_t res;
> +    apr_evp_factory_t *f = NULL;
> +    apr_evp_crypt_t *e = NULL;
> +    apr_evp_crypt_key_e key;
> +    unsigned char *decrypted = NULL;
> +    apr_size_t decryptedlen, tlen;
> +    apr_size_t decodedlen;
> +    char *decoded;
> +
> +    session_crypto_dir_conf *conf = ap_get_module_config(r->per_dir_config,
> +                                                    &session_crypto_module);
> +
> +    res = crypt_init(r, &f, &key, conf);
> +    if (res != APR_SUCCESS) {
> +        return res;
> +    }
> +
> +    res = apr_evp_crypt_init(f, &e, APR_EVP_DECRYPT, key, r->pool);
> +    if (APR_SUCCESS != res) {
> +        ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
> +                      "decryption could be configured but not initialised");
> +        apr_evp_factory_cleanup(f);
> +        return res;
> +    }
> +
> +    /* strip base64 from the string */
> +    decoded = apr_palloc(r->pool, apr_base64_decode_len(in));
> +    decodedlen = apr_base64_decode(decoded, in);
> +    decoded[decodedlen] = '\0';
> +
> +    /* decrypt the given string */
> +    res = apr_evp_crypt(e, &decrypted, &decryptedlen, (unsigned char *) decoded,
decodedlen);
> +    if (res) {
> +        ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
> +                      "decrypt: attempt to decrypt failed");
> +        return res;

Don't we need to cleanup the factory here?
Don't we need to call apr_evp_crypt_cleanup in this case?

> +    }
> +    *out = (char *) decrypted;
> +
> +    res = apr_evp_crypt_finish(e, decrypted + decryptedlen, &tlen);
> +    if (APR_SUCCESS != res) {
> +        ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
> +                      "attempt to finish the decryption failed");
> +        apr_evp_factory_cleanup(f);
> +        apr_evp_crypt_cleanup(e);
> +        return res;
> +    }
> +    decryptedlen += tlen;
> +    decrypted[decryptedlen] = 0;
> +
> +    return APR_SUCCESS;
> +
> +#else
> +    ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_ENOTIMPL, r, LOG_PREFIX
> +                  "crypto is not supported by APR on this platform");
> +    return APR_ENOTIMPL;
> +#endif
> +}
> +
> +
> +/**
> + * Crypto encoding for the session.
> + *
> + * @param r The request pointer.
> + * @param z A pointer to where the session will be written.
> + */
> +AP_DECLARE(int) ap_session_crypto_encode(request_rec * r, session_rec * z)
> +{
> +
> +    char *encoded = NULL;
> +    apr_status_t res;
> +    session_crypto_dir_conf *conf = ap_get_module_config(r->per_dir_config,
> +                                                    &session_crypto_module);
> +
> +    if (conf->passphrase_set || conf->certfile_set) {
> +        res = encrypt_string(r, z->encoded, &encoded);

Why not supplying conf to encrypt_string / decrypt_string?

> +        if (res != OK) {
> +            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, res, r, LOG_PREFIX
> +                          "encrypt session failed");
> +            return res;
> +        }
> +        z->encoded = encoded;
> +    }
> +
> +    return OK;
> +
> +}
> +
> +/**
> + * Crypto decoding for the session.
> + *
> + * @param r The request pointer.
> + * @param z A pointer to where the session will be written.
> + */
> +AP_DECLARE(int) ap_session_crypto_decode(request_rec * r, session_rec * z)
> +{
> +
> +    char *encoded = NULL;
> +    apr_status_t res;
> +    session_crypto_dir_conf *conf = ap_get_module_config(r->per_dir_config,
> +                                                    &session_crypto_module);
> +
> +    if ((conf->passphrase_set || conf->certfile_set) && z->encoded)
{
> +        res = decrypt_string(r, z->encoded, &encoded);
> +        if (res != APR_SUCCESS) {
> +            ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
> +                          "decrypt session failed, wrong passphrase?");
> +            return res;
> +        }
> +        z->encoded = encoded;
> +    }
> +
> +    return OK;
> +
> +}
> +
> +
> +
> +
> +static void *create_session_crypto_dir_config(apr_pool_t * p, char *dummy)
> +{
> +    session_crypto_dir_conf *new =
> +    (session_crypto_dir_conf *) apr_pcalloc(p, sizeof(session_crypto_dir_conf));
> +
> +    /* default cipher AES256-SHA */
> +    new->cipher = DEFAULT_CIPHER;
> +    new->cipher_set = 1;

This seems wrong to me. By this the cipher is set to the default value every
you do NOT set it. Even if it was set differently in an enclosing container.

> +
> +    new->digest = DEFAULT_DIGEST;

See above.

> +    new->digest_set = 1;
> +
> +    /* initialise SSL */
> +    apr_ssl_init();

Do we need to call this over and over again each we create a dir_config?

> +
> +    return (void *) new;
> +}
> +
> +static void *merge_session_crypto_dir_config(apr_pool_t * p, void *basev, void *addv)
> +{
> +    session_crypto_dir_conf *new = (session_crypto_dir_conf *) apr_pcalloc(p, sizeof(session_crypto_dir_conf));
> +    session_crypto_dir_conf *add = (session_crypto_dir_conf *) addv;
> +    session_crypto_dir_conf *base = (session_crypto_dir_conf *) basev;
> +
> +    new->passphrase = (add->passphrase_set == 0) ? base->passphrase : add->passphrase;
> +    new->passphrase_set = add->passphrase_set || base->passphrase_set;
> +    new->certfile = (add->certfile_set == 0) ? base->certfile : add->certfile;
> +    new->certfile_set = add->certfile_set || base->certfile_set;
> +    new->keyfile = (add->keyfile_set == 0) ? base->keyfile : add->keyfile;
> +    new->keyfile_set = add->keyfile_set || base->keyfile_set;
> +    new->cipher = (add->cipher_set == 0) ? base->cipher : add->cipher;
> +    new->cipher_set = add->cipher_set || base->cipher_set;
> +    new->digest = (add->digest_set == 0) ? base->digest : add->digest;
> +    new->digest_set = add->digest_set || base->digest_set;
> +    new->engine = (add->engine_set == 0) ? base->engine : add->engine;
> +    new->engine_set = add->engine_set || base->engine_set;
> +
> +    return new;
> +}
> +

Regards

RĂ¼diger




Mime
View raw message