From 8f46969f8e692aa943c53f451b64a670e9622560 Mon Sep 17 00:00:00 2001 From: Graham Leggett Date: Wed, 30 Nov 2011 16:56:50 +0000 Subject: [PATCH] mod_session_crypto: Add a SessionCryptoPassphraseFile directive so that the administrator can hide the keys from the configuration. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1208517 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_session_crypto.xml | 30 +++++++++++++++++++++++ modules/session/mod_session_crypto.c | 34 ++++++++++++++++++++++++++ 2 files changed, 64 insertions(+) diff --git a/docs/manual/mod/mod_session_crypto.xml b/docs/manual/mod/mod_session_crypto.xml index 8752391961..0edfd96fea 100644 --- a/docs/manual/mod/mod_session_crypto.xml +++ b/docs/manual/mod/mod_session_crypto.xml @@ -163,6 +163,36 @@ + +SessionCryptoPassphraseFile +File containing keys used to encrypt the session +SessionCryptoPassphraseFile filename +none +server config +virtual host +directory + +Available in Apache 2.3.0 and later + + +

The SessionCryptoPassphraseFile directive specifies the + name of a configuration file containing the keys to use for encrypting or decrypting + the session, specified one per line. The file is read on server start, and a graceful + restart will be necessary for httpd to pick up changes to the keys.

+ +

Unlike the SessionCryptoPassphrase directive, the keys are + not exposed within the httpd configuration and can be hidden by protecting the file + appropriately.

+ +

Multiple keys can be specified in order to support key rotation. The first key + listed will be used for encryption, while all keys listed will be attempted for + decryption. To rotate keys across multiple servers over a period of time, add a new + secret to the end of the list, and once rolled out completely to all servers, remove + the first key from the start of the list.

+ + + + SessionCryptoCipher The crypto cipher to be used to encrypt the session diff --git a/modules/session/mod_session_crypto.c b/modules/session/mod_session_crypto.c index a85cdae6aa..f3947c910d 100644 --- a/modules/session/mod_session_crypto.c +++ b/modules/session/mod_session_crypto.c @@ -549,6 +549,38 @@ static const char *set_crypto_passphrase(cmd_parms * cmd, void *config, const ch return NULL; } +static const char *set_crypto_passphrase_file(cmd_parms *cmd, void *config, + const char *filename) +{ + char buffer[MAX_STRING_LEN]; + char *arg; + const char *args; + ap_configfile_t *file; + apr_status_t rv; + + filename = ap_server_root_relative(cmd->temp_pool, filename); + rv = ap_pcfg_openfile(&file, cmd->temp_pool, filename); + if (rv != APR_SUCCESS) { + return apr_psprintf(cmd->pool, "%s: Could not open file %s: %s", + cmd->cmd->name, filename, + apr_strerror(rv, buffer, sizeof(buffer))); + } + + while (!(ap_cfg_getline(buffer, sizeof(buffer), file))) { + args = buffer; + while (*(arg = ap_getword_conf(cmd->temp_pool, &args)) != '\0') { + if (*arg == '#' || *arg == 0) { + break; + } + set_crypto_passphrase(cmd, config, arg); + } + } + + ap_cfg_closefile(file); + + return NULL; +} + static const char *set_crypto_cipher(cmd_parms * cmd, void *config, const char *cipher) { session_crypto_dir_conf *dconf = (session_crypto_dir_conf *) config; @@ -563,6 +595,8 @@ static const command_rec session_crypto_cmds[] = { AP_INIT_ITERATE("SessionCryptoPassphrase", set_crypto_passphrase, NULL, RSRC_CONF|OR_AUTHCFG, "The passphrase(s) used to encrypt the session. First will be used for encryption, all phrases will be accepted for decryption"), + AP_INIT_TAKE1("SessionCryptoPassphraseFile", set_crypto_passphrase_file, NULL, RSRC_CONF|ACCESS_CONF, + "File containing passphrase(s) used to encrypt the session, one per line. First will be used for encryption, all phrases will be accepted for decryption"), AP_INIT_TAKE1("SessionCryptoCipher", set_crypto_cipher, NULL, RSRC_CONF|OR_AUTHCFG, "The underlying crypto cipher to use"), AP_INIT_RAW_ARGS("SessionCryptoDriver", set_crypto_driver, NULL, RSRC_CONF, -- 2.40.0