www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-07 04:02:58 +03:00
Code Activity

RFC 5878 support.

Browse Source 
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1352596 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Ben Laurie
2012-06-21 16:17:41 +00:00
parent 17c0d7a6ad
commit d79a70a76a
5 changed files with 101 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGES
View File

@@ -1,6 +1,8 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.0
*) mod_ssl: Add RFC 5878 support. [Ben Laurie]
*) SECURITY: CVE-2012-2687 (cve.mitre.org)
mod_negotiation: Escape filenames in variant list to prevent an
possible XSS for a site where untrusted users can upload files to

9
modules/ssl/mod_ssl.c
View File

@@ -94,6 +94,15 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_SRV(PKCS7CertificateFile, TAKE1,
"PKCS#7 file containing server certificate and chain"
" certificates ('/path/to/file' - PEM encoded)")
SSL_CMD_ALL(RSAAuthzFile, TAKE1,
"RFC 5878 Authz Extension file for RSA certificate "
"(`/path/to/file')")
SSL_CMD_ALL(DSAAuthzFile, TAKE1,
"RFC 5878 Authz Extension file for DSA certificate "
"(`/path/to/file')")
SSL_CMD_ALL(ECAuthzFile, TAKE1,
"RFC 5878 Authz Extension file for EC certificate "
"(`/path/to/file')")
#ifdef HAVE_TLS_SESSION_TICKETS
SSL_CMD_SRV(SessionTicketKeyFile, TAKE1,
"TLS session ticket encryption/decryption key file (RFC 5077) "

56
modules/ssl/ssl_engine_config.c
View File

@@ -125,6 +125,10 @@ static void modssl_ctx_init(modssl_ctx_t *mctx)
mctx->crl_file = NULL;
mctx->crl_check_mode = SSL_CRLCHECK_UNSET;
mctx->rsa_authz_file = NULL;
mctx->dsa_authz_file = NULL;
mctx->ec_authz_file = NULL;
mctx->auth.ca_cert_path = NULL;
mctx->auth.ca_cert_file = NULL;
mctx->auth.cipher_suite = NULL;
@@ -257,6 +261,10 @@ static void modssl_ctx_cfg_merge(modssl_ctx_t *base,
cfgMerge(crl_file, NULL);
cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET);
cfgMergeString(rsa_authz_file);
cfgMergeString(dsa_authz_file);
cfgMergeString(ec_authz_file);
cfgMergeString(auth.ca_cert_path);
cfgMergeString(auth.ca_cert_file);
cfgMergeString(auth.cipher_suite);
@@ -840,6 +848,54 @@ const char *ssl_cmd_SSLPKCS7CertificateFile(cmd_parms *cmd,
return NULL;
}
const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *cmd,
void *dcfg,
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err;
if ((err = ssl_cmd_check_file(cmd, &arg))) {
return err;
}
sc->server->rsa_authz_file = arg;
return NULL;
}
const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *cmd,
void *dcfg,
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err;
if ((err = ssl_cmd_check_file(cmd, &arg))) {
return err;
}
sc->server->dsa_authz_file = arg;
return NULL;
}
const char *ssl_cmd_SSLECAuthzFile(cmd_parms *cmd,
void *dcfg,
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err;
if ((err = ssl_cmd_check_file(cmd, &arg))) {
return err;
}
sc->server->ec_authz_file = arg;
return NULL;
}
#ifdef HAVE_TLS_SESSION_TICKETS
const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd,
void *dcfg,

30
modules/ssl/ssl_engine_init.c
View File

@@ -1002,7 +1002,8 @@ static void ssl_init_ctx(server_rec *s,
static int ssl_server_import_cert(server_rec *s,
modssl_ctx_t *mctx,
const char *id,
int idx)
int idx,
const char *authz_file)
{
SSLModConfigRec *mc = myModConfig(s);
ssl_asn1_t *asn1;
@@ -1041,6 +1042,24 @@ static int ssl_server_import_cert(server_rec *s,
}
#endif
if (authz_file) {
#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER >= 0x10002000L
if (!SSL_CTX_use_authz_file(mctx->ssl_ctx, authz_file)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Unable to initialize TLS authz extension");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
ssl_die(s);
}
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "Set %s authz_file to %s",
type, authz_file);
#else
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Unable to initialize TLS authz extension: "
"OpenSSL version too low");
ssl_die(s);
#endif
}
mctx->pks->certs[idx] = cert;
return TRUE;
@@ -1223,10 +1242,13 @@ static void ssl_init_server_certs(server_rec *s,
ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC);
#endif
have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA,
mctx->rsa_authz_file);
have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA,
mctx->dsa_authz_file);
#ifndef OPENSSL_NO_EC
have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);
have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC,
mctx->ec_authz_file);
#endif
if (!(have_rsa || have_dsa

8
modules/ssl/ssl_private.h
View File

@@ -667,6 +667,11 @@ typedef struct {
SRP_VBASE *srp_vbase;
#endif
/** RFC 5878 */
const char *rsa_authz_file;
const char *dsa_authz_file;
const char *ec_authz_file;
modssl_auth_ctx_t auth;
BOOL ocsp_enabled; /* true if OCSP verification enabled */
@@ -743,6 +748,9 @@ const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLECAuthzFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);