diff --git a/CHANGES b/CHANGES
index d657e5eb34..12cf3dcbbe 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+ *) mod_ssl: Add RFC 5878 support. [Ben Laurie]
+
 *) SECURITY: CVE-2012-2687 (cve.mitre.org)
 mod_negotiation: Escape filenames in variant list to prevent an
 possible XSS for a site where untrusted users can upload files to
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 6ea367c02d..0ca336f74d 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -94,6 +94,15 @@ static const command_rec ssl_config_cmds[] = {
 SSL_CMD_SRV(PKCS7CertificateFile, TAKE1,
 "PKCS#7 file containing server certificate and chain"
 " certificates ('/path/to/file' - PEM encoded)")
+ SSL_CMD_ALL(RSAAuthzFile, TAKE1,
+ "RFC 5878 Authz Extension file for RSA certificate "
+ "(`/path/to/file')")
+ SSL_CMD_ALL(DSAAuthzFile, TAKE1,
+ "RFC 5878 Authz Extension file for DSA certificate "
+ "(`/path/to/file')")
+ SSL_CMD_ALL(ECAuthzFile, TAKE1,
+ "RFC 5878 Authz Extension file for EC certificate "
+ "(`/path/to/file')")
 #ifdef HAVE_TLS_SESSION_TICKETS
 SSL_CMD_SRV(SessionTicketKeyFile, TAKE1,
 "TLS session ticket encryption/decryption key file (RFC 5077) "
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 658ef6b379..39f20f9497 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -125,6 +125,10 @@ static void modssl_ctx_init(modssl_ctx_t *mctx)
 mctx->crl_file = NULL;
 mctx->crl_check_mode = SSL_CRLCHECK_UNSET;
 
+ mctx->rsa_authz_file = NULL;
+ mctx->dsa_authz_file = NULL;
+ mctx->ec_authz_file = NULL;
+
 mctx->auth.ca_cert_path = NULL;
 mctx->auth.ca_cert_file = NULL;
 mctx->auth.cipher_suite = NULL;
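Review bot: The three new directives in ssl_config_cmds are registered with SSL_CMD_ALL, while the neighbouring PKCS7CertificateFile and SessionTicketKeyFile entries use SSL_CMD_SRV, and the handlers added in ssl_engine_config.c write only the server-level `sc->server->*_authz_file` and never consult `dcfg`. If SSL_CMD_ALL expands to an OR_ALL context as its name suggests, the directive becomes accepted in directory and .htaccess scope, where it would silently replace the virtual host's TLS authz data with a file chosen by whoever controls that .htaccess, with no per-directory effect at all. Restricting them to server context, `SSL_CMD_SRV(RSAAuthzFile, TAKE1,` and likewise for the DSAAuthzFile and ECAuthzFile entries, matches the other certificate-file directives and keeps the setting where the handlers actually store it.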
@@ -257,6 +261,10 @@ static void modssl_ctx_cfg_merge(modssl_ctx_t *base,
 cfgMerge(crl_file, NULL);
 cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET);
 
+ cfgMergeString(rsa_authz_file);
+ cfgMergeString(dsa_authz_file);
+ cfgMergeString(ec_authz_file);
+
 cfgMergeString(auth.ca_cert_path);
 cfgMergeString(auth.ca_cert_file);
 cfgMergeString(auth.cipher_suite);
@@ -840,6 +848,54 @@ const char *ssl_cmd_SSLPKCS7CertificateFile(cmd_parms *cmd,
 return NULL;
 }
 
+const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->rsa_authz_file = arg;
+
+ return NULL;
+}
+
+const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->dsa_authz_file = arg;
+
+ return NULL;
+}
+
+const char *ssl_cmd_SSLECAuthzFile(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->ec_authz_file = arg;
+
+ return NULL;
+}
+
 #ifdef HAVE_TLS_SESSION_TICKETS
 const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd,
 void *dcfg,
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index ccc2714233..8cdc29a321 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1002,7 +1002,8 @@ static void ssl_init_ctx(server_rec *s,
 static int ssl_server_import_cert(server_rec *s,
 modssl_ctx_t *mctx,
 const char *id,
- int idx)
+ int idx,
+ const char *authz_file)
 {
 SSLModConfigRec *mc = myModConfig(s);
 ssl_asn1_t *asn1;
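Review bot: The three handlers ssl_cmd_SSLRSAAuthzFile, ssl_cmd_SSLDSAAuthzFile and ssl_cmd_SSLECAuthzFile in the @@ -840 hunk differ only in the field they assign, so the check-and-store sequence is copied three times and any later change to how the path is validated has to be repeated in each. A small static helper taking the destination pointer keeps each public handler to a lookup and one call, without changing the directive signatures declared in ssl_private.h. The unused `dcfg` parameter is consistent with the neighbouring ssl_cmd_SSLSessionTicketKeyFile and can stay.
```c
/* Validate one RFC 5878 authz file path and store it into *dst. */
static const char *ssl_cmd_set_authz_file(cmd_parms *cmd, const char **dst,
                                          const char *arg)
{
    const char *err = ssl_cmd_check_file(cmd, &arg);

    if (err) {
        return err;
    }
    *dst = arg;
    return NULL;
}

const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *cmd, void *dcfg, const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    return ssl_cmd_set_authz_file(cmd, &sc->server->rsa_authz_file, arg);
}
/* … ssl_cmd_SSLDSAAuthzFile and ssl_cmd_SSLECAuthzFile: same shape, storing into dsa_authz_file / ec_authz_file … */
```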
@@ -1041,6 +1042,24 @@ static int ssl_server_import_cert(server_rec *s,
 }
 #endif
 
+ if (authz_file) {
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER >= 0x10002000L
+ if (!SSL_CTX_use_authz_file(mctx->ssl_ctx, authz_file)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Unable to initialize TLS authz extension");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+ ssl_die(s);
+ }
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "Set %s authz_file to %s",
+ type, authz_file);
+#else
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Unable to initialize TLS authz extension: "
+ "OpenSSL version too low");
+ ssl_die(s);
+#endif
+ }
+
 mctx->pks->certs[idx] = cert;
 
 return TRUE;
@@ -1223,10 +1242,13 @@ static void ssl_init_server_certs(server_rec *s,
 ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC);
 #endif
 
- have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
- have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
+ have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA,
+ mctx->rsa_authz_file);
+ have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA,
+ mctx->dsa_authz_file);
 #ifndef OPENSSL_NO_EC
- have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);
+ have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC,
+ mctx->ec_authz_file);
 #endif
 
 if (!(have_rsa || have_dsa
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index a889cac08b..63e401db52 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -667,6 +667,11 @@ typedef struct {
 SRP_VBASE *srp_vbase;
 #endif
 
+ /** RFC 5878 */
+ const char *rsa_authz_file;
+ const char *dsa_authz_file;
+ const char *ec_authz_file;
+
 modssl_auth_ctx_t auth;
 
 BOOL ocsp_enabled; /* true if OCSP verification enabled */
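Review bot: The success message `ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "Set %s authz_file to %s", type, authz_file);` in the @@ -1041 hunk reports a normal configuration outcome at warning level, so every start-up of a correctly configured host emits a warning and real problems in the same log get harder to spot; APLOG_DEBUG, or at most APLOG_INFO, fits what the line says. The `#if` gate keys on `OPENSSL_VERSION_NUMBER >= 0x10002000L` rather than on the presence of SSL_CTX_use_authz_file, so a library at or above that version built without the function would fail to compile instead of reaching the `#else` branch that correctly refuses to start via ssl_die; a configure-time feature test for the function would make that fallback reliable. `type` is not declared within the hunk, so it is presumably a local of ssl_server_import_cert, whose body starts before this hunk.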
@@ -743,6 +748,9 @@ const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
 const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLECAuthzFile(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);