You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by be...@apache.org on 2012/06/21 18:17:42 UTC
svn commit: r1352596 - in /httpd/httpd/trunk: CHANGES modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c
modules/ssl/ssl_private.h
Author: ben
Date: Thu Jun 21 16:17:41 2012
New Revision: 1352596
URL: http://svn.apache.org/viewvc?rev=1352596&view=rev
Log:
RFC 5878 support.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/ssl/mod_ssl.c
httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1352596&r1=1352595&r2=1352596&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Thu Jun 21 16:17:41 2012
@@ -1,6 +1,8 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) mod_ssl: Add RFC 5878 support. [Ben Laurie]
+
*) SECURITY: CVE-2012-2687 (cve.mitre.org)
mod_negotiation: Escape filenames in variant list to prevent an
possible XSS for a site where untrusted users can upload files to
Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1352596&r1=1352595&r2=1352596&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Thu Jun 21 16:17:41 2012
@@ -94,6 +94,15 @@ static const command_rec ssl_config_cmds
SSL_CMD_SRV(PKCS7CertificateFile, TAKE1,
"PKCS#7 file containing server certificate and chain"
" certificates ('/path/to/file' - PEM encoded)")
+ SSL_CMD_ALL(RSAAuthzFile, TAKE1,
+ "RFC 5878 Authz Extension file for RSA certificate "
+ "(`/path/to/file')")
+ SSL_CMD_ALL(DSAAuthzFile, TAKE1,
+ "RFC 5878 Authz Extension file for DSA certificate "
+ "(`/path/to/file')")
+ SSL_CMD_ALL(ECAuthzFile, TAKE1,
+ "RFC 5878 Authz Extension file for EC certificate "
+ "(`/path/to/file')")
#ifdef HAVE_TLS_SESSION_TICKETS
SSL_CMD_SRV(SessionTicketKeyFile, TAKE1,
"TLS session ticket encryption/decryption key file (RFC 5077) "
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1352596&r1=1352595&r2=1352596&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Thu Jun 21 16:17:41 2012
@@ -125,6 +125,10 @@ static void modssl_ctx_init(modssl_ctx_t
mctx->crl_file = NULL;
mctx->crl_check_mode = SSL_CRLCHECK_UNSET;
+ mctx->rsa_authz_file = NULL;
+ mctx->dsa_authz_file = NULL;
+ mctx->ec_authz_file = NULL;
+
mctx->auth.ca_cert_path = NULL;
mctx->auth.ca_cert_file = NULL;
mctx->auth.cipher_suite = NULL;
@@ -257,6 +261,10 @@ static void modssl_ctx_cfg_merge(modssl_
cfgMerge(crl_file, NULL);
cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET);
+ cfgMergeString(rsa_authz_file);
+ cfgMergeString(dsa_authz_file);
+ cfgMergeString(ec_authz_file);
+
cfgMergeString(auth.ca_cert_path);
cfgMergeString(auth.ca_cert_file);
cfgMergeString(auth.cipher_suite);
@@ -840,6 +848,54 @@ const char *ssl_cmd_SSLPKCS7CertificateF
return NULL;
}
+const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->rsa_authz_file = arg;
+
+ return NULL;
+}
+
+const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->dsa_authz_file = arg;
+
+ return NULL;
+}
+
+const char *ssl_cmd_SSLECAuthzFile(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->ec_authz_file = arg;
+
+ return NULL;
+}
+
#ifdef HAVE_TLS_SESSION_TICKETS
const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd,
void *dcfg,
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1352596&r1=1352595&r2=1352596&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Thu Jun 21 16:17:41 2012
@@ -1002,7 +1002,8 @@ static void ssl_init_ctx(server_rec *s,
static int ssl_server_import_cert(server_rec *s,
modssl_ctx_t *mctx,
const char *id,
- int idx)
+ int idx,
+ const char *authz_file)
{
SSLModConfigRec *mc = myModConfig(s);
ssl_asn1_t *asn1;
@@ -1041,6 +1042,24 @@ static int ssl_server_import_cert(server
}
#endif
+ if (authz_file) {
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER >= 0x10002000L
+ if (!SSL_CTX_use_authz_file(mctx->ssl_ctx, authz_file)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Unable to initialize TLS authz extension");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+ ssl_die(s);
+ }
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "Set %s authz_file to %s",
+ type, authz_file);
+#else
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Unable to initialize TLS authz extension: "
+ "OpenSSL version too low");
+ ssl_die(s);
+#endif
+ }
+
mctx->pks->certs[idx] = cert;
return TRUE;
@@ -1223,10 +1242,13 @@ static void ssl_init_server_certs(server
ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC);
#endif
- have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
- have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
+ have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA,
+ mctx->rsa_authz_file);
+ have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA,
+ mctx->dsa_authz_file);
#ifndef OPENSSL_NO_EC
- have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);
+ have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC,
+ mctx->ec_authz_file);
#endif
if (!(have_rsa || have_dsa
Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1352596&r1=1352595&r2=1352596&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Thu Jun 21 16:17:41 2012
@@ -667,6 +667,11 @@ typedef struct {
SRP_VBASE *srp_vbase;
#endif
+ /** RFC 5878 */
+ const char *rsa_authz_file;
+ const char *dsa_authz_file;
+ const char *ec_authz_file;
+
modssl_auth_ctx_t auth;
BOOL ocsp_enabled; /* true if OCSP verification enabled */
@@ -743,6 +748,9 @@ const char *ssl_cmd_SSLCryptoDevice(cmd
const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLECAuthzFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
Re: svn commit: r1352596 - in /httpd/httpd/trunk: CHANGES modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_private.h
Posted by Kaspar Brand <ht...@velox.ch>.
On 21.06.2012 18:17, ben@apache.org wrote:
> Author: ben
> Date: Thu Jun 21 16:17:41 2012
> New Revision: 1352596
>
> URL: http://svn.apache.org/viewvc?rev=1352596&view=rev
> Log:
> RFC 5878 support.
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/modules/ssl/mod_ssl.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> httpd/httpd/trunk/modules/ssl/ssl_private.h
Considering how things evolved since June last year, I propose to revert
this patch, for the following reasons:
- as pointed out in my backport votes (http://svn.apache.org/r1395229),
the code is still quite far from being an "implementation" of RFC 5878,
and OpenSSL itself hasn't received any updates to the code added in May 2012
- the SSL*AuthzFile directives for mod_ssl are completely undocumented
as of today, and SSL_CTX_use_authz_file uses an opaque format (which
might see further modifications, see e.g. [1])
- earlier this year it became clear that the first version of the
OpenSSL code for "RFC 5878 support" wasn't really correct [2], and
meanwhile the CT I-D has switched to using a dedicated TLS extension
[3], in any case
- Dr Steve has added support for OpenSSL's new SSL_CONF_* stuff in
December (http://svn.apache.org/r1421323 - pretty cool!), and since this
is also available in the OpenSSL_1_0_2-stable branch, it would
definitely be the way to go for adding support for "not yet recognized"
OpenSSL options to mod_ssl
Unless someone is clearly objecting (please raise your voice), I intend
to commit the attached patch in about a week.
Kaspar
[1] https://github.com/trevp/openssl_extender
[2] http://www.ietf.org/mail-archive/web/therightkey/current/msg00597.html
[3] http://www.ietf.org/rfcdiff?url2=draft-laurie-pki-sunlight-06#diff0077