-------- Original-Nachricht --------
Betreff: svn commit: r1200040 - in /httpd/httpd/trunk: CHANGES modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c
modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h
Datum: Wed, 09 Nov 2011 23:37:37 GMT
Von: [email protected]
Author: pquerna
Date: Wed Nov 9 23:37:37 2011
New Revision: 1200040
URL: http://svn.apache.org/viewvc?rev=1200040&view=rev
Log:
Add support for RFC 5077 TLS session tickets. This adds two new directives:
* SSLTicketKeyFile: To store the private information for the encryption of the
ticket.
* SSLTicketKeyDefault: To set the default; otherwise the first listed token is
used. This enables key rotation across servers.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/ssl/mod_ssl.c
httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1200040&r1=1200039&r2=1200040&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Wed Nov 9 23:37:37 2011
@@ -584,6 +595,62 @@ const char *ssl_cmd_SSLEngine(cmd_parms
return "Argument must be On, Off, or Optional";
}
+const char *ssl_cmd_SSLTicketKeyDefault(cmd_parms *cmd, void *dcfg, const char
*name)
+{
+#ifdef HAVE_TLSEXT_TICKETS
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->default_ticket_name = name;
+
+ return NULL;
+#else
+ return "TLS Ticket keys are not supported.";
+#endif
+}
+
+const char *ssl_cmd_SSLTicketKeyFile(cmd_parms *cmd, void *dcfg, const char
*name, const
char *path)
+{
+#ifdef HAVE_TLSEXT_TICKETS
+ apr_status_t rv;
+ apr_file_t *fp;
+ apr_size_t len;
+ char buf[TLSEXT_TICKET_KEYLEN];
+ modssl_ticket_t* ticket = NULL;
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ rv = apr_file_open(&fp, path, APR_READ|APR_BINARY,
Why not use ap_server_root_relative on path first?
+ APR_OS_DEFAULT, cmd->temp_pool);
+
+ if (rv != APR_SUCCESS) {
+ return apr_psprintf(cmd->pool,
+ "Failed to open %s: (%d) %pm",
+ path, rv,&rv);
+ }
+
+ rv = apr_file_read_full(fp,&buf[0], TLSEXT_TICKET_KEYLEN,&len);
+
+ if (rv != APR_SUCCESS) {
+ return apr_psprintf(cmd->pool,
+ "Failed to read at least 48 bytes from %s: (%d) %pm",
+ path, rv,&rv);
+ }
+
+ ticket = apr_palloc(cmd->pool, sizeof(modssl_ticket_t));
+
+ ticket->conf_name = name;
+
+ memcpy(ticket->key_name, buf, 16);
+ memcpy(ticket->hmac_secret, buf + 16, 16);
+ memcpy(ticket->aes_key, buf + 32, 16);
+
+ APR_ARRAY_PUSH(sc->tickets, modssl_ticket_t*) = ticket;
+
+ return NULL;
+#else
+ return "TLS Ticket keys are not supported.";
+#endif
+}
+
const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
{
#ifdef HAVE_FIPS
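Review bot: In ssl_cmd_SSLTicketKeyFile the stack buffer `buf` still holds the HMAC secret and AES key when the function returns, and `fp` is never closed explicitly, so the key file stays open until `cmd->temp_pool` is cleaned up. After the three `memcpy` calls I would add `apr_file_close(fp);` and `OPENSSL_cleanse(buf, sizeof(buf));` so the key material does not linger outside the ticket record. The error text hard-codes 48 and the copies hard-code offsets 16 and 32 while the read uses `TLSEXT_TICKET_KEYLEN`; a comment stating the file layout (16-byte key name, 16-byte HMAC secret, 16-byte AES key) would tie these together. The hunk does not check the key file's ownership or permissions; whether that happens elsewhere is not visible here.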
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1200040&r1=1200039&r2=1200040&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Wed Nov 9 23:37:37 2011
@@ -2067,3 +2067,94 @@ static int ssl_find_vhost(void *serverna
return 0;
}
#endif
+
+#ifdef HAVE_TLSEXT_TICKETS
+
+#ifndef tlsext_tick_md
+#ifdef OPENSSL_NO_SHA256
+#define tlsext_tick_md EVP_sha1
+#else
+#define tlsext_tick_md EVP_sha256
+#endif
+#endif
+
+int ssl_callback_tlsext_tickets(SSL *ssl,
+ char *keyname,
+ char *iv,
+ EVP_CIPHER_CTX *cipher_ctx,
+ HMAC_CTX *hctx,
+ int mode)
+{
+ conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
+ server_rec *s = mySrvFromConn(conn);
+ SSLSrvConfigRec *sc = mySrvConfig(s);
+
+ if (mode == 1) {
+ modssl_ticket_t* ticket = sc->default_ticket;
+
+ /* Setting up the stuff for encrypting:
+ * - keyname contains at least 16 bytes we can write to.
+ * - iv contains at least EVP_MAX_IV_LENGTH (16) bytes we can write
to.
+ * - hctx is already allocated, we just need to set the
+ * secret key via HMAC_Init_ex.
+ * - cipher_ctx is also allocated, and we need to configure
+ * the cipher and private key.
+ */
+
+ if (ticket == NULL) {
+ /* this should not happen, we always set the default
+ * ticket.
+ */
+ return -1;
+ }
+
+ memcpy(keyname, ticket->key_name, 16);
+
+ RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH);
+
+ memcpy(iv, iv, EVP_MAX_IV_LENGTH);
What is the purpose of this operation? Source and destination are the same.
+
+ EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
+ ticket->aes_key, iv);
+
+ HMAC_Init_ex(hctx, ticket->hmac_secret, 16, tlsext_tick_md(), NULL);
+
+ return 0;
+ }
+ else if (mode == 0) {
+ /* Setup contextes for decryption, based on the keyname input */
+ int i;
+ modssl_ticket_t* ticket = NULL;
+
+ for (i = 0; i< sc->tickets->nelts; i++) {
+ modssl_ticket_t* itticket = APR_ARRAY_IDX(sc->tickets, i,
modssl_ticket_t*);
+ if (memcmp(keyname, itticket->key_name, 16) == 0) {
+ ticket = itticket;
+ break;
+ }
+ }
+
+ if (ticket == NULL) {
+ /* Ticket key not found, but no error */
+ return 0;
+ }
+
+ EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
ticket->aes_key, iv);
+
+ HMAC_Init_ex(hctx, ticket->hmac_secret, 16, tlsext_tick_md(), NULL);
+
+ if (ticket != sc->default_ticket) {
+ /* Ticket key found, we did our stuff, but didn't use the default,
+ * re-issue a ticket with the default ticket */
+ return 2;
+ }
+ else {
+ return 1;
+ }
+ }
+
+ /* TODO: log invalid use */
+ return -1;
+}
+
+#endif
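Review bot: The IV for the encrypt path (`mode == 1`) comes from `RAND_pseudo_bytes`, whose output is not guaranteed to be cryptographically strong and whose return value is ignored here; a CBC IV should be unpredictable. I would use `if (RAND_bytes((unsigned char *)iv, EVP_MAX_IV_LENGTH) != 1) return -1;` instead. The results of `EVP_EncryptInit_ex`, `EVP_DecryptInit_ex` and `HMAC_Init_ex` are also ignored in both branches, so a failed context setup would still report success to OpenSSL. Where the linked OpenSSL version returns a status from these calls, it should be checked and turned into `return -1`.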
Regards
Rüdiger