</usage>
</directivesynopsis>
+<directivesynopsis>
+<name>SessionCryptoPassphraseFile</name>
+<description>File containing keys used to encrypt the session</description>
+<syntax>SessionCryptoPassphraseFile <var>filename</var></syntax>
+<default>none</default>
+<contextlist><context>server config</context>
+<context>virtual host</context>
+<context>directory</context>
+</contextlist>
+<compatibility>Available in Apache 2.3.0 and later</compatibility>
+
+<usage>
+ <p>The <directive>SessionCryptoPassphraseFile</directive> directive specifies the
+ name of a configuration file containing the keys to use for encrypting or decrypting
+ the session, specified one per line. The file is read on server start, and a graceful
+ restart will be necessary for httpd to pick up changes to the keys.</p>
+
+ <p>Unlike the <directive>SessionCryptoPassphrase</directive> directive, the keys are
+ not exposed within the httpd configuration and can be hidden by protecting the file
+ appropriately.</p>
+
+ <p>Multiple keys can be specified in order to support key rotation. The first key
+ listed will be used for encryption, while all keys listed will be attempted for
+ decryption. To rotate keys across multiple servers over a period of time, add a new
+ secret to the end of the list, and once rolled out completely to all servers, remove
+ the first key from the start of the list.</p>
+
+</usage>
+</directivesynopsis>
+
<directivesynopsis>
<name>SessionCryptoCipher</name>
<description>The crypto cipher to be used to encrypt the session</description>
return NULL;
}
+static const char *set_crypto_passphrase_file(cmd_parms *cmd, void *config,
+ const char *filename)
+{
+ char buffer[MAX_STRING_LEN];
+ char *arg;
+ const char *args;
+ ap_configfile_t *file;
+ apr_status_t rv;
+
+ filename = ap_server_root_relative(cmd->temp_pool, filename);
+ rv = ap_pcfg_openfile(&file, cmd->temp_pool, filename);
+ if (rv != APR_SUCCESS) {
+ return apr_psprintf(cmd->pool, "%s: Could not open file %s: %s",
+ cmd->cmd->name, filename,
+ apr_strerror(rv, buffer, sizeof(buffer)));
+ }
+
+ while (!(ap_cfg_getline(buffer, sizeof(buffer), file))) {
+ args = buffer;
+ while (*(arg = ap_getword_conf(cmd->temp_pool, &args)) != '\0') {
+ if (*arg == '#' || *arg == 0) {
+ break;
+ }
+ set_crypto_passphrase(cmd, config, arg);
+ }
+ }
+
+ ap_cfg_closefile(file);
+
+ return NULL;
+}
+
static const char *set_crypto_cipher(cmd_parms * cmd, void *config, const char *cipher)
{
session_crypto_dir_conf *dconf = (session_crypto_dir_conf *) config;
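Review bot: The words parsed in `while (*(arg = ap_getword_conf(cmd->temp_pool, &args)) != '\0') {` are allocated from cmd->temp_pool, which httpd discards once configuration processing is done, so if set_crypto_passphrase (only its `return NULL;` tail is visible above the new function) stores the pointer instead of copying it into cmd->pool, the configured keys would dangle by the time the first request is decrypted. Allocating the words from the configuration pool removes that dependency: `while (*(arg = ap_getword_conf(cmd->pool, &args)) != '\0') {`. The return value of set_crypto_passphrase is also dropped at `set_crypto_passphrase(cmd, config, arg);`, so any error it reports would be silently swallowed; `const char *err = set_crypto_passphrase(cmd, config, arg);` followed by `if (err) { ap_cfg_closefile(file); return err; }` propagates it while still closing the file. The `*arg == 0` half of the inner `if` is redundant with the loop condition and can go. Since `buffer` holds key material after the loop, clearing it before the final return (a plain `memset` may be optimized away, so prefer a secure-clear helper where the platform provides one) limits how long passphrases linger on the stack.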
{
AP_INIT_ITERATE("SessionCryptoPassphrase", set_crypto_passphrase, NULL, RSRC_CONF|OR_AUTHCFG,
"The passphrase(s) used to encrypt the session. First will be used for encryption, all phrases will be accepted for decryption"),
+ AP_INIT_TAKE1("SessionCryptoPassphraseFile", set_crypto_passphrase_file, NULL, RSRC_CONF|ACCESS_CONF,
+ "File containing passphrase(s) used to encrypt the session, one per line. First will be used for encryption, all phrases will be accepted for decryption"),
AP_INIT_TAKE1("SessionCryptoCipher", set_crypto_cipher, NULL, RSRC_CONF|OR_AUTHCFG,
"The underlying crypto cipher to use"),
AP_INIT_RAW_ARGS("SessionCryptoDriver", set_crypto_driver, NULL, RSRC_CONF,