httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rüdiger Plüm <ruediger.pl...@vodafone.com>
Subject Fwd: svn commit: r1200040 - in /httpd/httpd/trunk: CHANGES modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h
Date Thu, 10 Nov 2011 08:14:16 GMT


-------- Original-Nachricht --------
Betreff: 	svn commit: r1200040 - in /httpd/httpd/trunk: CHANGES modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c

modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h
Datum: 	Wed, 09 Nov 2011 23:37:37 GMT
Von: 	pquerna@apache.org



Author: pquerna
Date: Wed Nov  9 23:37:37 2011
New Revision: 1200040

URL: http://svn.apache.org/viewvc?rev=1200040&view=rev
Log:
Add support for RFC 5077 TLS Session tickets.  This adds two new directives:

* SSLTicketKeyFile: To store the private information for the encryption of the ticket.
* SSLTicketKeyDefault To set the default, otherwise the first listed token is used.  This
enables key rotation across servers.

Modified:
     httpd/httpd/trunk/CHANGES
     httpd/httpd/trunk/modules/ssl/mod_ssl.c
     httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
     httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
     httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
     httpd/httpd/trunk/modules/ssl/ssl_private.h



Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1200040&r1=1200039&r2=1200040&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Wed Nov  9 23:37:37 2011

@@ -584,6 +595,62 @@ const char *ssl_cmd_SSLEngine(cmd_parms
      return "Argument must be On, Off, or Optional";
  }

+const char *ssl_cmd_SSLTicketKeyDefault(cmd_parms *cmd, void *dcfg, const char *name)
+{
+#ifdef HAVE_TLSEXT_TICKETS
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    sc->default_ticket_name = name;
+
+    return NULL;
+#else
+    return "TLS Ticket keys are not supported.";
+#endif
+}
+
+const char *ssl_cmd_SSLTicketKeyFile(cmd_parms *cmd, void *dcfg, const char *name, const
char *path)
+{
+#ifdef HAVE_TLSEXT_TICKETS
+    apr_status_t rv;
+    apr_file_t *fp;
+    apr_size_t len;
+    char buf[TLSEXT_TICKET_KEYLEN];
+    modssl_ticket_t* ticket = NULL;
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    rv = apr_file_open(&fp, path, APR_READ|APR_BINARY,



Why not using ap_server_root_relative on path first?



+                       APR_OS_DEFAULT, cmd->temp_pool);
+
+    if (rv != APR_SUCCESS) {
+      return apr_psprintf(cmd->pool,
+                          "Failed to open %s: (%d) %pm",
+                          path, rv,&rv);
+    }
+
+    rv = apr_file_read_full(fp,&buf[0], TLSEXT_TICKET_KEYLEN,&len);
+
+    if (rv != APR_SUCCESS) {
+      return apr_psprintf(cmd->pool,
+                          "Failed to read at least 48 bytes from %s: (%d) %pm",
+                          path, rv,&rv);
+    }
+
+    ticket = apr_palloc(cmd->pool, sizeof(modssl_ticket_t));
+
+    ticket->conf_name = name;
+
+    memcpy(ticket->key_name, buf, 16);
+    memcpy(ticket->hmac_secret, buf + 16, 16);
+    memcpy(ticket->aes_key, buf + 32, 16);
+
+    APR_ARRAY_PUSH(sc->tickets, modssl_ticket_t*) = ticket;
+
+    return NULL;
+#else
+    return "TLS Ticket keys are not supported.";
+#endif
+}
+
  const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
  {
  #ifdef HAVE_FIPS

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1200040&r1=1200039&r2=1200040&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Wed Nov  9 23:37:37 2011
@@ -2067,3 +2067,94 @@ static int ssl_find_vhost(void *serverna
      return 0;
  }
  #endif
+
+#ifdef HAVE_TLSEXT_TICKETS
+
+#ifndef tlsext_tick_md
+#ifdef OPENSSL_NO_SHA256
+#define tlsext_tick_md	EVP_sha1
+#else
+#define tlsext_tick_md	EVP_sha256
+#endif
+#endif
+
+int ssl_callback_tlsext_tickets(SSL *ssl,
+                                char *keyname,
+                                char *iv,
+                                EVP_CIPHER_CTX *cipher_ctx,
+                                HMAC_CTX *hctx,
+                                int mode)
+{
+    conn_rec *conn      = (conn_rec *)SSL_get_app_data(ssl);
+    server_rec *s       = mySrvFromConn(conn);
+    SSLSrvConfigRec *sc = mySrvConfig(s);
+
+    if (mode == 1) {
+        modssl_ticket_t* ticket = sc->default_ticket;
+
+        /* Setting up the stuff for encrypting:
+         *  - keyname contains at least 16 bytes we can write to.
+         *  - iv contains at least EVP_MAX_IV_LENGTH (16) bytes we can write to.
+         *  - hctx is already allocated, we just need to set the
+         *    secret key via HMAC_Init_ex.
+         *  - cipher_ctx is also allocated, and we need to configure
+         *    the cipher and private key.
+         */
+
+        if (ticket == NULL) {
+            /* this should not happen, we always set the default
+             * ticket.
+             */
+            return -1;
+        }
+
+        memcpy(keyname, ticket->key_name, 16);
+
+        RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH);
+
+        memcpy(iv, iv, EVP_MAX_IV_LENGTH);


What is the purpose of this operation? Source and destination are the same.



+
+        EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
+                           ticket->aes_key, iv);
+
+        HMAC_Init_ex(hctx, ticket->hmac_secret, 16, tlsext_tick_md(), NULL);
+
+        return 0;
+    }
+    else if (mode == 0) {
+        /* Setup contextes for decryption, based on the keyname input */
+        int i;
+        modssl_ticket_t* ticket = NULL;
+
+        for (i = 0; i<  sc->tickets->nelts; i++) {
+            modssl_ticket_t* itticket = APR_ARRAY_IDX(sc->tickets, i, modssl_ticket_t*);
+            if (memcmp(keyname, itticket->key_name, 16) == 0) {
+                ticket = itticket;
+                break;
+            }
+        }
+
+        if (ticket == NULL) {
+            /* Ticket key not found, but no error */
+            return 0;
+        }
+
+        EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, ticket->aes_key, iv);
+
+        HMAC_Init_ex(hctx, ticket->hmac_secret, 16, tlsext_tick_md(), NULL);
+
+        if (ticket != sc->default_ticket) {
+            /* Ticket key found, we did our stuff, but didn't use the default,
+             * re-issue a ticket with the default ticket */
+            return 2;
+        }
+        else {
+            return 1;
+        }
+    }
+
+    /* TODO: log invalid use */
+    return -1;
+}
+
+#endif


Regards

Rüdiger


Mime
View raw message