--- httpd-2.4.4.orig/modules/ssl/mod_ssl.c +++ httpd-2.4.4/modules/ssl/mod_ssl.c @@ -94,6 +94,15 @@ static const command_rec ssl_config_cmds SSL_CMD_SRV(PKCS7CertificateFile, TAKE1, "PKCS#7 file containing server certificate and chain" " certificates ('/path/to/file' - PEM encoded)") + SSL_CMD_ALL(RSAAuthzFile, TAKE1, + "RFC 5878 Authz Extension file for RSA certificate " + "(`/path/to/file')") + SSL_CMD_ALL(DSAAuthzFile, TAKE1, + "RFC 5878 Authz Extension file for DSA certificate " + "(`/path/to/file')") + SSL_CMD_ALL(ECAuthzFile, TAKE1, + "RFC 5878 Authz Extension file for EC certificate " + "(`/path/to/file')") #ifdef HAVE_TLS_SESSION_TICKETS SSL_CMD_SRV(SessionTicketKeyFile, TAKE1, "TLS session ticket encryption/decryption key file (RFC 5077) " @@ -157,6 +166,15 @@ static const command_rec ssl_config_cmds "('some secret text')") #endif +#ifndef OPENSSL_NO_SRP + SSL_CMD_SRV(SRPVerifierFile, TAKE1, + "SRP verifier file " + "('/path/to/file' - created by srptool)") + SSL_CMD_SRV(SRPUnknownUserSeed, TAKE1, + "SRP seed for unknown users (to avoid leaking a user's existence) " + "('some secret text')") +#endif + /* * Proxy configuration for remote SSL connections */ @@ -272,6 +290,18 @@ static const command_rec ssl_config_cmds AP_END_CMD }; +/* Implement 'modssl_run_npn_advertise_protos_hook'. */ +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( + modssl, AP, int, npn_advertise_protos_hook, + (conn_rec *connection, apr_array_header_t *protos), + (connection, protos), OK, DECLINED); + +/* Implement 'modssl_run_npn_proto_negotiated_hook'. */ +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( + modssl, AP, int, npn_proto_negotiated_hook, + (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len), + (connection, proto_name, proto_name_len), OK, DECLINED); + /* * the various processing hooks */ --- httpd-2.4.4.orig/modules/ssl/mod_ssl.h +++ httpd-2.4.4/modules/ssl/mod_ssl.h @@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_e APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); +/** The npn_advertise_protos optional hook allows other modules to add entries + * to the list of protocol names advertised by the server during the Next + * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is + * given the connection and an APR array; it should push one or more char*'s + * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto + * the array and return OK, or do nothing and return DECLINED. */ +APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook, + (conn_rec *connection, apr_array_header_t *protos)); + +/** The npn_proto_negotiated optional hook allows other modules to discover the + * name of the protocol that was chosen during the Next Protocol Negotiation + * (NPN) portion of the SSL handshake. Note that this may be the empty string + * (in which case modules should probably assume HTTP), or it may be a protocol + * that was never even advertised by the server. The hook callee is given the + * connection, a non-null-terminated string containing the protocol name, and + * the length of the string; it should do something appropriate (i.e. insert or + * remove filters) and return OK, or do nothing and return DECLINED. */ +APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook, + (conn_rec *connection, const char *proto_name, + apr_size_t proto_name_len)); + #endif /* __MOD_SSL_H__ */ /** @} */ --- httpd-2.4.4.orig/modules/ssl/ssl_engine_config.c +++ httpd-2.4.4/modules/ssl/ssl_engine_config.c @@ -125,6 +125,10 @@ static void modssl_ctx_init(modssl_ctx_t mctx->crl_file = NULL; mctx->crl_check_mode = SSL_CRLCHECK_UNSET; + mctx->rsa_authz_file = NULL; + mctx->dsa_authz_file = NULL; + mctx->ec_authz_file = NULL; + mctx->auth.ca_cert_path = NULL; mctx->auth.ca_cert_file = NULL; mctx->auth.cipher_suite = NULL; @@ -155,6 +159,12 @@ static void modssl_ctx_init(modssl_ctx_t mctx->srp_unknown_user_seed = NULL; mctx->srp_vbase = NULL; #endif + +#ifndef OPENSSL_NO_SRP + mctx->srp_vfile = NULL; + mctx->srp_unknown_user_seed = NULL; + mctx->srp_vbase = NULL; +#endif } static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc, @@ -257,6 +267,10 @@ static void modssl_ctx_cfg_merge(modssl_ cfgMerge(crl_file, NULL); cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET); + cfgMergeString(rsa_authz_file); + cfgMergeString(dsa_authz_file); + cfgMergeString(ec_authz_file); + cfgMergeString(auth.ca_cert_path); cfgMergeString(auth.ca_cert_file); cfgMergeString(auth.cipher_suite); @@ -839,6 +853,54 @@ const char *ssl_cmd_SSLPKCS7CertificateF return NULL; } + +const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *cmd, + void *dcfg, + const char *arg) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + const char *err; + + if ((err = ssl_cmd_check_file(cmd, &arg))) { + return err; + } + + sc->server->rsa_authz_file = arg; + + return NULL; +} + +const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *cmd, + void *dcfg, + const char *arg) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + const char *err; + + if ((err = ssl_cmd_check_file(cmd, &arg))) { + return err; + } + + sc->server->dsa_authz_file = arg; + + return NULL; +} + +const char *ssl_cmd_SSLECAuthzFile(cmd_parms *cmd, + void *dcfg, + const char *arg) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + const char *err; + + if ((err = ssl_cmd_check_file(cmd, &arg))) { + return err; + } + + sc->server->ec_authz_file = arg; + + return NULL; +} #ifdef HAVE_TLS_SESSION_TICKETS const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd, --- httpd-2.4.4.orig/modules/ssl/ssl_engine_io.c +++ httpd-2.4.4/modules/ssl/ssl_engine_io.c @@ -28,6 +28,7 @@ core keeps dumping.'' -- Unknown */ #include "ssl_private.h" +#include "mod_ssl.h" #include "apr_date.h" /* _________________________________________________________________ @@ -297,6 +298,7 @@ typedef struct { apr_pool_t *pool; char buffer[AP_IOBUFSIZE]; ssl_filter_ctx_t *filter_ctx; + int npn_finished; /* 1 if NPN has finished, 0 otherwise */ } bio_filter_in_ctx_t; /* @@ -1385,6 +1387,26 @@ static apr_status_t ssl_io_filter_input( APR_BRIGADE_INSERT_TAIL(bb, bucket); } +#ifdef HAVE_TLS_NPN + /* By this point, Next Protocol Negotiation (NPN) should be completed (if + * our version of OpenSSL supports it). If we haven't already, find out + * which protocol was decided upon and inform other modules by calling + * npn_proto_negotiated_hook. */ + if (!inctx->npn_finished) { + const unsigned char *next_proto = NULL; + unsigned next_proto_len = 0; + + SSL_get0_next_proto_negotiated( + inctx->ssl, &next_proto, &next_proto_len); + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c, + APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'", + next_proto_len, (const char*)next_proto); + modssl_run_npn_proto_negotiated_hook( + f->c, (const char*)next_proto, next_proto_len); + inctx->npn_finished = 1; + } +#endif + return APR_SUCCESS; } @@ -1866,6 +1888,7 @@ static void ssl_io_input_add_filter(ssl_ inctx->block = APR_BLOCK_READ; inctx->pool = c->pool; inctx->filter_ctx = filter_ctx; + inctx->npn_finished = 0; } /* The request_rec pointer is passed in here only to ensure that the --- httpd-2.4.4.orig/modules/ssl/ssl_engine_kernel.c +++ httpd-2.4.4/modules/ssl/ssl_engine_kernel.c @@ -29,6 +29,7 @@ time I was too famous.'' -- Unknown */ #include "ssl_private.h" +#include "mod_ssl.h" #include "util_md5.h" static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); @@ -320,6 +321,19 @@ int ssl_hook_Access(request_rec *r) return HTTP_FORBIDDEN; } +#ifndef OPENSSL_NO_SRP + /* + * Support for per-directory reconfigured SSL connection parameters + * + * We do not force any renegotiation if the user is already authenticated + * via SRP. + * + */ + if (SSL_get_srp_username(ssl)) { + return DECLINED; + } +#endif + /* * Check to see whether SSL is in use; if it's not, then no * further access control checks are relevant. (the test for @@ -1397,7 +1411,7 @@ EC_KEY *ssl_callback_TmpECDH(SSL *ssl, i return (EC_KEY *)mc->pTmpKeys[idx]; } -#endif +#endif /* OPENSSL_NO_TLSEXT */ /* * This OpenSSL callback function is called when OpenSSL --- httpd-2.4.4.orig/modules/ssl/ssl_private.h +++ httpd-2.4.4/modules/ssl/ssl_private.h @@ -139,6 +139,11 @@ #define HAVE_FIPS #endif +#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \ + && !defined(OPENSSL_NO_TLSEXT) +#define HAVE_TLS_NPN +#endif + #if (OPENSSL_VERSION_NUMBER >= 0x10000000) #define MODSSL_SSL_CIPHER_CONST const #define MODSSL_SSL_METHOD_CONST const @@ -194,6 +199,20 @@ #endif #endif +#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \ + && OPENSSL_VERSION_NUMBER < 0x00908000L +#define OPENSSL_NO_COMP +#endif + +/* SRP support came in OpenSSL 1.0.1 */ +#ifndef OPENSSL_NO_SRP +#ifdef SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB +#include +#else +#define OPENSSL_NO_SRP +#endif +#endif + /* mod_ssl headers */ #include "ssl_util_ssl.h" @@ -662,6 +681,11 @@ typedef struct { SRP_VBASE *srp_vbase; #endif + /** RFC 5878 */ + const char *rsa_authz_file; + const char *dsa_authz_file; + const char *ec_authz_file; + modssl_auth_ctx_t auth; BOOL ocsp_enabled; /* true if OCSP verification enabled */ @@ -738,6 +762,9 @@ const char *ssl_cmd_SSLCryptoDevice(cmd const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *); const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLECAuthzFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *); @@ -795,6 +822,11 @@ const char *ssl_cmd_SSLSRPVerifierFile(c const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg); #endif +#ifndef OPENSSL_NO_SRP +const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg); +const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg); +#endif + const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag); /** module initialization */ @@ -840,6 +872,7 @@ int ssl_callback_ServerNameIndi int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int); #endif +int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg); /** Session Cache Support */ void ssl_scache_init(server_rec *, apr_pool_t *); @@ -873,6 +906,9 @@ int ssl_stapling_init_cert(serv #endif #ifndef OPENSSL_NO_SRP int ssl_callback_SRPServerParams(SSL *, int *, void *); +#endif +#ifndef OPENSSL_NO_SRP +int ssl_callback_SRPServerParams(SSL *, int *, void *); #endif /** I/O */