[packages/apache.git] / httpd-2.2.x-mod_ssl-sessioncaching.patch

Index: httpd-2.2.x/modules/ssl/ssl_private.h
===================================================================
--- httpd-2.2.x/modules/ssl/ssl_private.h	(revision 833672)
+++ httpd-2.2.x/modules/ssl/ssl_private.h	(working copy)
@@ -395,6 +395,9 @@ typedef struct {
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
     const char     *szCryptoDevice;
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+    ssl_enabled_t  session_tickets_enabled;
+#endif
     struct {
         void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
     } rCtx;
@@ -545,6 +548,7 @@ const char  *ssl_cmd_SSLRequire(cmd_parm
 const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
 const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
+const char  *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *cdfg, int flag);
 
 const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
===================================================================
--- httpd-2.2.x/modules/ssl/ssl_engine_init.c	(revision 833672)
+++ httpd-2.2.x/modules/ssl/ssl_engine_init.c	(working copy)
@@ -382,6 +382,15 @@ static void ssl_init_ctx_tls_extensions(
         ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
         ssl_die();
     }
+
+    /*
+     * Session tickets (stateless resumption)
+     */
+    if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                     "Disabling TLS session ticket support");
+        SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET);
+    }
 }
 #endif
 
@@ -1018,6 +1027,11 @@ void ssl_init_CheckServers(server_rec *b
 
     BOOL conflict = FALSE;
 
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
+    unsigned char *tlsext_tick_keys = NULL;
+    long tick_keys_len;
+#endif
+
     /*
      * Give out warnings when a server has HTTPS configured
      * for the HTTP port or vice versa
@@ -1042,6 +1056,25 @@ void ssl_init_CheckServers(server_rec *b
                          ssl_util_vhostid(p, s),
                          DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
         }
+
+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
+        /*
+         * When using OpenSSL versions 0.9.8f through 0.9.8l, configure
+         * the same ticket encryption parameters for every SSL_CTX (workaround
+         * for SNI+SessionTicket extension interoperability issue in these versions)
+         */
+        if ((sc->enabled == SSL_ENABLED_TRUE) ||
+            (sc->enabled == SSL_ENABLED_OPTIONAL)) {
+            if (!tlsext_tick_keys) {
+                tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
+                                                               (-1),(NULL));
+                tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len);
+                RAND_bytes(tlsext_tick_keys, tick_keys_len);
+            }
+            SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
+                                           (tick_keys_len),(tlsext_tick_keys));
+        }
+#endif
     }
 
     /*
Index: httpd-2.2.x/modules/ssl/ssl_engine_config.c
===================================================================
--- httpd-2.2.x/modules/ssl/ssl_engine_config.c	(revision 833672)
+++ httpd-2.2.x/modules/ssl/ssl_engine_config.c	(working copy)
@@ -75,6 +75,9 @@ SSLModConfigRec *ssl_config_global_creat
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
     mc->szCryptoDevice         = NULL;
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+    mc->session_tickets_enabled = SSL_ENABLED_UNSET;
+#endif
 
     memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
 
@@ -1471,6 +1474,26 @@ const char  *ssl_cmd_SSLStrictSNIVHostCh
 #endif
 }
 
+const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifndef OPENSSL_NO_TLSEXT
+    const char *err;
+    SSLModConfigRec *mc = myModConfig(cmd->server);
+
+    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+        return err;
+    }
+
+    mc->session_tickets_enabled = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
+
+    return NULL;
+#else
+    return "SSLSessionTicketExtension failed; OpenSSL is not built with support "
+           "for TLS extensions. Refer to the documentation, and build "
+           "a compatible version of OpenSSL.";
+#endif
+}
+
 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
 {
     if (!ap_exists_config_define("DUMP_CERTS")) {
Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
===================================================================
--- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c	(revision 833672)
+++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c	(working copy)
@@ -29,6 +29,7 @@
                                   time I was too famous.''
                                             -- Unknown                */
 #include "ssl_private.h"
+#include "util_md5.h"
 
 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
 #ifndef OPENSSL_NO_TLSEXT
@@ -2010,6 +2011,7 @@ static int ssl_find_vhost(void *serverna
     apr_array_header_t *names;
     int i;
     SSLConnRec *sslcon;
+    char *sid_ctx;
 
     /* check ServerName */
     if (!strcasecmp(servername, s->server_hostname)) {
@@ -2074,6 +2076,21 @@ static int ssl_find_vhost(void *serverna
             SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
                            SSL_CTX_get_verify_callback(ssl->ctx));
         }
+        /*
+         * Adjust the session id context. ssl_init_ssl_connection()
+         * always picks the configuration of the first vhost when
+         * calling SSL_new(), but we want to tie the session to the
+         * vhost we have just switched to. Again, we have to make sure
+         * that we're not overwriting a session id context which was
+         * possibly set in ssl_hook_Access(), before triggering
+         * a renegotation.
+         */
+        if (!SSL_num_renegotiations(ssl)) {
+            sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id,
+                                    sc->vhost_id_len);
+            SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx,
+                                       APR_MD5_DIGESTSIZE*2);
+        }
 
         /*
          * Save the found server into our SSLConnRec for later
Index: httpd-2.2.x/modules/ssl/mod_ssl.c
===================================================================
--- httpd-2.2.x/modules/ssl/mod_ssl.c	(revision 833672)
+++ httpd-2.2.x/modules/ssl/mod_ssl.c	(working copy)
@@ -92,6 +92,8 @@ static const command_rec ssl_config_cmds
     SSL_CMD_SRV(RandomSeed, TAKE23,
                 "SSL Pseudo Random Number Generator (PRNG) seeding source "
                 "(`startup|connect builtin|file:/path|exec:/path [bytes]')")
+    SSL_CMD_SRV(SessionTicketExtension, FLAG,
+                "TLS Session Ticket extension support")
 
     /*
      * Per-server context configuration directives
Commit	Line	Data
7ed09ac4 ER	1	Index: httpd-2.2.x/modules/ssl/ssl_private.h
	2	===================================================================
	3	--- httpd-2.2.x/modules/ssl/ssl_private.h (revision 833672)
	4	+++ httpd-2.2.x/modules/ssl/ssl_private.h (working copy)
	5	@@ -395,6 +395,9 @@ typedef struct {
9f2f5880	6	#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
	7	const char *szCryptoDevice;
	8	#endif
	9	+#ifndef OPENSSL_NO_TLSEXT
	10	+ ssl_enabled_t session_tickets_enabled;
	11	+#endif
7ed09ac4 ER	12	struct {
	13	void pV1, pV2, pV3, pV4, pV5, pV6, pV7, pV8, pV9, pV10;
	14	} rCtx;
9f2f5880	15	@@ -545,6 +548,7 @@ const char *ssl_cmd_SSLRequire(cmd_parm
9f2f5880	16	const char ssl_cmd_SSLRenegBufferSize(cmd_parms cmd, void dcfg, const char arg);
9f2f5880	17	const char ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms cmd, void *dcfg, int flag);
2bd52d66	18	const char ssl_cmd_SSLInsecureRenegotiation(cmd_parms cmd, void *dcfg, int flag);
9f2f5880	19	+const char ssl_cmd_SSLSessionTicketExtension(cmd_parms cmd, void *cdfg, int flag);
	20
	21	const char ssl_cmd_SSLProxyEngine(cmd_parms cmd, void *dcfg, int flag);
	22	const char ssl_cmd_SSLProxyProtocol(cmd_parms , void , const char );
	23	Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
	24	===================================================================
	25	--- httpd-2.2.x/modules/ssl/ssl_engine_init.c (revision 833672)
	26	+++ httpd-2.2.x/modules/ssl/ssl_engine_init.c (working copy)
	27	@@ -382,6 +382,15 @@ static void ssl_init_ctx_tls_extensions(
	28	ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
	29	ssl_die();
	30	}
	31	+
	32	+ /*
	33	+ * Session tickets (stateless resumption)
	34	+ */
	35	+ if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) {
	36	+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
	37	+ "Disabling TLS session ticket support");
	38	+ SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET);
	39	+ }
	40	}
	41	#endif
	42
	43	@@ -1018,6 +1027,11 @@ void ssl_init_CheckServers(server_rec *b
	44
	45	BOOL conflict = FALSE;
	46
	47	+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
	48	+ unsigned char *tlsext_tick_keys = NULL;
	49	+ long tick_keys_len;
	50	+#endif
	51	+
	52	/*
	53	* Give out warnings when a server has HTTPS configured
	54	* for the HTTP port or vice versa
	55	@@ -1042,6 +1056,25 @@ void ssl_init_CheckServers(server_rec *b
	56	ssl_util_vhostid(p, s),
	57	DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
	58	}
	59	+
	60	+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
	61	+ /*
	62	+ * When using OpenSSL versions 0.9.8f through 0.9.8l, configure
	63	+ * the same ticket encryption parameters for every SSL_CTX (workaround
	64	+ * for SNI+SessionTicket extension interoperability issue in these versions)
	65	+ */
	66	+ if ((sc->enabled == SSL_ENABLED_TRUE) \|\|
	67	+ (sc->enabled == SSL_ENABLED_OPTIONAL)) {
	68	+ if (!tlsext_tick_keys) {
	69	+ tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
	70	+ (-1),(NULL));
	71	+ tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len);
	72	+ RAND_bytes(tlsext_tick_keys, tick_keys_len);
	73	+ }
	74	+ SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
	75	+ (tick_keys_len),(tlsext_tick_keys));
	76	+ }
	77	+#endif
	78	}
	79
	80	/*
	81	Index: httpd-2.2.x/modules/ssl/ssl_engine_config.c
	82	===================================================================
83	--- httpd-2.2.x/modules/ssl/ssl_engine_config.c (revision 833672)
84	+++ httpd-2.2.x/modules/ssl/ssl_engine_config.c (working copy)
85	@@ -75,6 +75,9 @@ SSLModConfigRec *ssl_config_global_creat
86	#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
87	mc->szCryptoDevice = NULL;
88	#endif
89	+#ifndef OPENSSL_NO_TLSEXT
90	+ mc->session_tickets_enabled = SSL_ENABLED_UNSET;
91	+#endif
92
93	memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
94
95	@@ -1471,6 +1474,26 @@ const char *ssl_cmd_SSLStrictSNIVHostCh
96	#endif
97	}
98
99	+const char ssl_cmd_SSLSessionTicketExtension(cmd_parms cmd, void *dcfg, int flag)
100	+{
101	+#ifndef OPENSSL_NO_TLSEXT
102	+ const char *err;
103	+ SSLModConfigRec *mc = myModConfig(cmd->server);
104	+
105	+ if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
106	+ return err;
107	+ }
108	+
109	+ mc->session_tickets_enabled = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
110	+
111	+ return NULL;
112	+#else
113	+ return "SSLSessionTicketExtension failed; OpenSSL is not built with support "
114	+ "for TLS extensions. Refer to the documentation, and build "
115	+ "a compatible version of OpenSSL.";
116	+#endif
117	+}
118	+
119	void ssl_hook_ConfigTest(apr_pool_t pconf, server_rec s)
120	{
121	if (!ap_exists_config_define("DUMP_CERTS")) {
122	Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
123	===================================================================
124	--- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 833672)
125	+++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy)
126	@@ -29,6 +29,7 @@
127	time I was too famous.''
128	-- Unknown */
129	#include "ssl_private.h"
130	+#include "util_md5.h"
131
132	static void ssl_configure_env(request_rec r, SSLConnRec sslconn);
133	#ifndef OPENSSL_NO_TLSEXT
134	@@ -2010,6 +2011,7 @@ static int ssl_find_vhost(void *serverna
135	apr_array_header_t *names;
136	int i;
137	SSLConnRec *sslcon;
138	+ char *sid_ctx;
139
140	/* check ServerName */
141	if (!strcasecmp(servername, s->server_hostname)) {
142	@@ -2074,6 +2076,21 @@ static int ssl_find_vhost(void *serverna
143	SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
144	SSL_CTX_get_verify_callback(ssl->ctx));
145	}
146	+ /*
147	+ * Adjust the session id context. ssl_init_ssl_connection()
148	+ * always picks the configuration of the first vhost when
149	+ * calling SSL_new(), but we want to tie the session to the
150	+ * vhost we have just switched to. Again, we have to make sure
151	+ * that we're not overwriting a session id context which was
152	+ * possibly set in ssl_hook_Access(), before triggering
153	+ * a renegotation.
154	+ */
155	+ if (!SSL_num_renegotiations(ssl)) {
156	+ sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id,
157	+ sc->vhost_id_len);
158	+ SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx,
159	+ APR_MD5_DIGESTSIZE*2);
160	+ }
161
162	/*
163	* Save the found server into our SSLConnRec for later
7ed09ac4 ER	164	Index: httpd-2.2.x/modules/ssl/mod_ssl.c
	165	===================================================================
	166	--- httpd-2.2.x/modules/ssl/mod_ssl.c (revision 833672)
	167	+++ httpd-2.2.x/modules/ssl/mod_ssl.c (working copy)
	168	@@ -92,6 +92,8 @@ static const command_rec ssl_config_cmds
9f2f5880	169	SSL_CMD_SRV(RandomSeed, TAKE23,
9f2f5880	170	"SSL Pseudo Random Number Generator (PRNG) seeding source "
7ed09ac4	171	"(`startup\|connect builtin\|file:/path\|exec:/path [bytes]')")
9f2f5880	172	+ SSL_CMD_SRV(SessionTicketExtension, FLAG,
	173	+ "TLS Session Ticket extension support")
	174
	175	/*
	176	* Per-server context configuration directives