b3155b9e3b06b20030ec6c16d98f8dabf12ead9cianh

b3155b9e3b06b20030ec6c16d98f8dabf12ead9cianh#define CORE_PRIVATE

b3155b9e3b06b20030ec6c16d98f8dabf12ead9cianh

ff1234e45aca1b8171d711ecb87f58b9d9100a99ianh#include "mod_session.h"

ff1234e45aca1b8171d711ecb87f58b9d9100a99ianh#include "apu_version.h"

ff1234e45aca1b8171d711ecb87f58b9d9100a99ianh#include "apr_base64.h" /* for apr_base64_decode et al */

ff1234e45aca1b8171d711ecb87f58b9d9100a99ianh#include "apr_ssl.h" /* for apr_*_encrypt et al */

ff1234e45aca1b8171d711ecb87f58b9d9100a99ianh#include "apr_lib.h"

ff1234e45aca1b8171d711ecb87f58b9d9100a99ianh#include "apr_strings.h"

ff1234e45aca1b8171d711ecb87f58b9d9100a99ianh#include "http_log.h"

ff1234e45aca1b8171d711ecb87f58b9d9100a99ianh

b999f6ba2a266bf9a92687f31bb7e76021ac5891ianh#define LOG_PREFIX "mod_session_crypto: "

2ceedfca3a2fdfdb5ff60ca17f030ce91f6331cbwrowe#define DEFAULT_CIPHER "AES256"

2ceedfca3a2fdfdb5ff60ca17f030ce91f6331cbwrowe#define DEFAULT_DIGEST "SHA"

2ceedfca3a2fdfdb5ff60ca17f030ce91f6331cbwrowe

2ceedfca3a2fdfdb5ff60ca17f030ce91f6331cbwrowemodule AP_MODULE_DECLARE_DATA session_crypto_module;

2ceedfca3a2fdfdb5ff60ca17f030ce91f6331cbwrowe

b999f6ba2a266bf9a92687f31bb7e76021ac5891ianhtypedef struct {

2ceedfca3a2fdfdb5ff60ca17f030ce91f6331cbwrowe const char *passphrase;

b999f6ba2a266bf9a92687f31bb7e76021ac5891ianh int passphrase_set;

7d7931c1f4d46b041ad2ad6fdb9499289063611eianh const char *certfile;

1f3a44f2fd7f9fee00b80c7ddcf1028ea145f91drbb int certfile_set;

b9b69856aec9ea58ea1b1e5aff669e8eaf2ebce4rbb const char *keyfile;

b9b69856aec9ea58ea1b1e5aff669e8eaf2ebce4rbb int keyfile_set;

b9b69856aec9ea58ea1b1e5aff669e8eaf2ebce4rbb const char *cipher;

1f3a44f2fd7f9fee00b80c7ddcf1028ea145f91drbb int cipher_set;

1f3a44f2fd7f9fee00b80c7ddcf1028ea145f91drbb const char *digest;

1f3a44f2fd7f9fee00b80c7ddcf1028ea145f91drbb int digest_set;

7d7931c1f4d46b041ad2ad6fdb9499289063611eianh const char *engine;

1f3a44f2fd7f9fee00b80c7ddcf1028ea145f91drbb int engine_set;

68bcde9c52e9e749482df2800dbdff09559115e0chuck} session_crypto_dir_conf;

0c233c76f21b358f4a0d81e0f956339ca727c14cchuck

0c233c76f21b358f4a0d81e0f956339ca727c14cchuck#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 3)

0c233c76f21b358f4a0d81e0f956339ca727c14cchuckstatic apr_status_t crypt_init(request_rec * r, apr_evp_factory_t ** f, apr_evp_crypt_key_e * key, session_crypto_dir_conf * conf)

0c233c76f21b358f4a0d81e0f956339ca727c14cchuck{

68bcde9c52e9e749482df2800dbdff09559115e0chuck apr_status_t res;

53c2eb831bfe47860e3f5ec9190b15cb92f15181chuck

0c233c76f21b358f4a0d81e0f956339ca727c14cchuck if (!conf->certfile_set && !conf->keyfile_set && !conf->passphrase_set) {

53c2eb831bfe47860e3f5ec9190b15cb92f15181chuck ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, LOG_PREFIX

c1635d9f723f28fed4b95e5d9693e554a79e8d77orlikowski "encryption not configured, "

c1635d9f723f28fed4b95e5d9693e554a79e8d77orlikowski "no passphrase or certfile/keyfile set");

c1635d9f723f28fed4b95e5d9693e554a79e8d77orlikowski return APR_EGENERAL;

c1635d9f723f28fed4b95e5d9693e554a79e8d77orlikowski }

c1635d9f723f28fed4b95e5d9693e554a79e8d77orlikowski

c1635d9f723f28fed4b95e5d9693e554a79e8d77orlikowski /* set up */

c1635d9f723f28fed4b95e5d9693e554a79e8d77orlikowski if (conf->certfile_set) {

4f7dd0949d92462a8adc31eee8aff266eea55204chuck *key = APR_EVP_KEY_PUBLIC;

4f7dd0949d92462a8adc31eee8aff266eea55204chuck res = apr_evp_factory_create(f, conf->keyfile, conf->certfile, NULL,

4f7dd0949d92462a8adc31eee8aff266eea55204chuck NULL, NULL, conf->digest, APR_EVP_FACTORY_ASYM, r->pool);

4f7dd0949d92462a8adc31eee8aff266eea55204chuck if (APR_ENOTIMPL == res) {

4f7dd0949d92462a8adc31eee8aff266eea55204chuck ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX

75b3ed55173b29dbdf9e2fb6ec5462bfceee21aechuck "generic public/private key encryption is not supported by "

75b3ed55173b29dbdf9e2fb6ec5462bfceee21aechuck "this version of APR. session encryption not possible");

75b3ed55173b29dbdf9e2fb6ec5462bfceee21aechuck }

4f7dd0949d92462a8adc31eee8aff266eea55204chuck }

75b3ed55173b29dbdf9e2fb6ec5462bfceee21aechuck if (conf->passphrase) {

0c233c76f21b358f4a0d81e0f956339ca727c14cchuck *key = APR_EVP_KEY_SYM;

0c233c76f21b358f4a0d81e0f956339ca727c14cchuck res = apr_evp_factory_create(f, NULL, NULL, conf->cipher,

68bcde9c52e9e749482df2800dbdff09559115e0chuck conf->passphrase, NULL, conf->digest, APR_EVP_FACTORY_SYM, r->pool);

68bcde9c52e9e749482df2800dbdff09559115e0chuck if (APR_ENOTIMPL == res) {

68bcde9c52e9e749482df2800dbdff09559115e0chuck ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX

68bcde9c52e9e749482df2800dbdff09559115e0chuck "generic symmetrical encryption is not supported by this "

68bcde9c52e9e749482df2800dbdff09559115e0chuck "version of APR. session encryption not possible");

68bcde9c52e9e749482df2800dbdff09559115e0chuck }

68bcde9c52e9e749482df2800dbdff09559115e0chuck }

68bcde9c52e9e749482df2800dbdff09559115e0chuck if (APR_STATUS_IS_ENOCIPHER(res)) {

68bcde9c52e9e749482df2800dbdff09559115e0chuck ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX

68bcde9c52e9e749482df2800dbdff09559115e0chuck "the cipher '%s' was not found", conf->cipher);

68bcde9c52e9e749482df2800dbdff09559115e0chuck }

68bcde9c52e9e749482df2800dbdff09559115e0chuck if (APR_STATUS_IS_ENODIGEST(res)) {

68bcde9c52e9e749482df2800dbdff09559115e0chuck ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX

68bcde9c52e9e749482df2800dbdff09559115e0chuck "the digest '%s' was not found", conf->digest);

68bcde9c52e9e749482df2800dbdff09559115e0chuck }

68bcde9c52e9e749482df2800dbdff09559115e0chuck if (APR_STATUS_IS_ENOCERT(res)) {

68bcde9c52e9e749482df2800dbdff09559115e0chuck ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX

68bcde9c52e9e749482df2800dbdff09559115e0chuck "the public and private key could not be extracted from "

68bcde9c52e9e749482df2800dbdff09559115e0chuck "the certificates");

68bcde9c52e9e749482df2800dbdff09559115e0chuck }

68bcde9c52e9e749482df2800dbdff09559115e0chuck if (APR_STATUS_IS_ENOENGINE(res)) {

68bcde9c52e9e749482df2800dbdff09559115e0chuck ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX

68bcde9c52e9e749482df2800dbdff09559115e0chuck "the engine '%s' was not found", conf->engine);

68bcde9c52e9e749482df2800dbdff09559115e0chuck }

68bcde9c52e9e749482df2800dbdff09559115e0chuck if (APR_SUCCESS != res) {

68bcde9c52e9e749482df2800dbdff09559115e0chuck ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX

68bcde9c52e9e749482df2800dbdff09559115e0chuck "encryption could not be configured. Please check the "

68bcde9c52e9e749482df2800dbdff09559115e0chuck "certificates and/or passphrase as appropriate");

68bcde9c52e9e749482df2800dbdff09559115e0chuck apr_evp_factory_cleanup(*f);

68bcde9c52e9e749482df2800dbdff09559115e0chuck return APR_EGENERAL;

68bcde9c52e9e749482df2800dbdff09559115e0chuck }

0c233c76f21b358f4a0d81e0f956339ca727c14cchuck

0c233c76f21b358f4a0d81e0f956339ca727c14cchuck return APR_SUCCESS;

68bcde9c52e9e749482df2800dbdff09559115e0chuck}

68bcde9c52e9e749482df2800dbdff09559115e0chuck#endif

68bcde9c52e9e749482df2800dbdff09559115e0chuck

68bcde9c52e9e749482df2800dbdff09559115e0chuckstatic apr_status_t encrypt_string(request_rec * r, const char *in, char **out)

68bcde9c52e9e749482df2800dbdff09559115e0chuck{

68bcde9c52e9e749482df2800dbdff09559115e0chuck#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 3)

68bcde9c52e9e749482df2800dbdff09559115e0chuck apr_status_t res;

68bcde9c52e9e749482df2800dbdff09559115e0chuck apr_evp_factory_t *f = NULL;

68bcde9c52e9e749482df2800dbdff09559115e0chuck apr_evp_crypt_t *e = NULL;

68bcde9c52e9e749482df2800dbdff09559115e0chuck apr_evp_crypt_key_e key;

68bcde9c52e9e749482df2800dbdff09559115e0chuck unsigned char *encrypt = NULL;

68bcde9c52e9e749482df2800dbdff09559115e0chuck apr_size_t encryptlen, tlen;

68bcde9c52e9e749482df2800dbdff09559115e0chuck char *base64;

68bcde9c52e9e749482df2800dbdff09559115e0chuck

68bcde9c52e9e749482df2800dbdff09559115e0chuck session_crypto_dir_conf *conf = ap_get_module_config(r->per_dir_config,

68bcde9c52e9e749482df2800dbdff09559115e0chuck &session_crypto_module);

68bcde9c52e9e749482df2800dbdff09559115e0chuck

68bcde9c52e9e749482df2800dbdff09559115e0chuck /* don't attempt to encrypt an empty string, trying to do so causes a segfault */

68bcde9c52e9e749482df2800dbdff09559115e0chuck if (!in || !*in) {

68bcde9c52e9e749482df2800dbdff09559115e0chuck return APR_SUCCESS;

68bcde9c52e9e749482df2800dbdff09559115e0chuck }

0c233c76f21b358f4a0d81e0f956339ca727c14cchuck

0c233c76f21b358f4a0d81e0f956339ca727c14cchuck res = crypt_init(r, &f, &key, conf);

68bcde9c52e9e749482df2800dbdff09559115e0chuck if (res != APR_SUCCESS) {

68bcde9c52e9e749482df2800dbdff09559115e0chuck return res;

68bcde9c52e9e749482df2800dbdff09559115e0chuck }

68bcde9c52e9e749482df2800dbdff09559115e0chuck

68bcde9c52e9e749482df2800dbdff09559115e0chuck res = apr_evp_crypt_init(f, &e, APR_EVP_ENCRYPT, key, r->pool);

68bcde9c52e9e749482df2800dbdff09559115e0chuck if (APR_SUCCESS != res) {

68bcde9c52e9e749482df2800dbdff09559115e0chuck ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX

68bcde9c52e9e749482df2800dbdff09559115e0chuck "encryption could be configured but not initialised");

68bcde9c52e9e749482df2800dbdff09559115e0chuck apr_evp_factory_cleanup(f);

68bcde9c52e9e749482df2800dbdff09559115e0chuck return res;

68bcde9c52e9e749482df2800dbdff09559115e0chuck }

68bcde9c52e9e749482df2800dbdff09559115e0chuck

68bcde9c52e9e749482df2800dbdff09559115e0chuck /* encrypt the given string */

68bcde9c52e9e749482df2800dbdff09559115e0chuck res = apr_evp_crypt(e, &encrypt, &encryptlen, (unsigned char *) in, strlen(in));

68bcde9c52e9e749482df2800dbdff09559115e0chuck if (APR_SUCCESS != res) {

68bcde9c52e9e749482df2800dbdff09559115e0chuck ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX

68bcde9c52e9e749482df2800dbdff09559115e0chuck "attempt to encrypt failed");

0c233c76f21b358f4a0d81e0f956339ca727c14cchuck apr_evp_factory_cleanup(f);

0c233c76f21b358f4a0d81e0f956339ca727c14cchuck apr_evp_crypt_cleanup(e);

68bcde9c52e9e749482df2800dbdff09559115e0chuck return res;

68bcde9c52e9e749482df2800dbdff09559115e0chuck }

68bcde9c52e9e749482df2800dbdff09559115e0chuck res = apr_evp_crypt_finish(e, encrypt + encryptlen, &tlen);

68bcde9c52e9e749482df2800dbdff09559115e0chuck if (APR_SUCCESS != res) {

68bcde9c52e9e749482df2800dbdff09559115e0chuck ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX

68bcde9c52e9e749482df2800dbdff09559115e0chuck "attempt to finish the encryption failed");

68bcde9c52e9e749482df2800dbdff09559115e0chuck apr_evp_factory_cleanup(f);

68bcde9c52e9e749482df2800dbdff09559115e0chuck apr_evp_crypt_cleanup(e);

68bcde9c52e9e749482df2800dbdff09559115e0chuck return res;

68bcde9c52e9e749482df2800dbdff09559115e0chuck }

68bcde9c52e9e749482df2800dbdff09559115e0chuck encryptlen += tlen;

68bcde9c52e9e749482df2800dbdff09559115e0chuck

68bcde9c52e9e749482df2800dbdff09559115e0chuck /* base64 encode the result */

68bcde9c52e9e749482df2800dbdff09559115e0chuck base64 = apr_pcalloc(r->pool, apr_base64_encode_len(encryptlen + 1) * sizeof(char));

68bcde9c52e9e749482df2800dbdff09559115e0chuck apr_base64_encode(base64, (const char *) encrypt, encryptlen);

68bcde9c52e9e749482df2800dbdff09559115e0chuck *out = base64;

0c233c76f21b358f4a0d81e0f956339ca727c14cchuck

0c233c76f21b358f4a0d81e0f956339ca727c14cchuck /* clean up afterwards */

68bcde9c52e9e749482df2800dbdff09559115e0chuck apr_evp_factory_cleanup(f);

68bcde9c52e9e749482df2800dbdff09559115e0chuck apr_evp_crypt_cleanup(e);

68bcde9c52e9e749482df2800dbdff09559115e0chuck

68bcde9c52e9e749482df2800dbdff09559115e0chuck return res;

68bcde9c52e9e749482df2800dbdff09559115e0chuck

68bcde9c52e9e749482df2800dbdff09559115e0chuck#else

68bcde9c52e9e749482df2800dbdff09559115e0chuck ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_ENOTIMPL, r, LOG_PREFIX

68bcde9c52e9e749482df2800dbdff09559115e0chuck "crypto is not supported by APR on this platform");

68bcde9c52e9e749482df2800dbdff09559115e0chuck return APR_ENOTIMPL;

68bcde9c52e9e749482df2800dbdff09559115e0chuck#endif

68bcde9c52e9e749482df2800dbdff09559115e0chuck}

68bcde9c52e9e749482df2800dbdff09559115e0chuck

68bcde9c52e9e749482df2800dbdff09559115e0chuckstatic apr_status_t decrypt_string(request_rec * r, const char *in, char **out)

68bcde9c52e9e749482df2800dbdff09559115e0chuck{

68bcde9c52e9e749482df2800dbdff09559115e0chuck#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 3)

68bcde9c52e9e749482df2800dbdff09559115e0chuck apr_status_t res;

68bcde9c52e9e749482df2800dbdff09559115e0chuck apr_evp_factory_t *f = NULL;

68bcde9c52e9e749482df2800dbdff09559115e0chuck apr_evp_crypt_t *e = NULL;

68bcde9c52e9e749482df2800dbdff09559115e0chuck apr_evp_crypt_key_e key;

68bcde9c52e9e749482df2800dbdff09559115e0chuck unsigned char *decrypted = NULL;

68bcde9c52e9e749482df2800dbdff09559115e0chuck apr_size_t decryptedlen, tlen;

68bcde9c52e9e749482df2800dbdff09559115e0chuck apr_size_t decodedlen;

68bcde9c52e9e749482df2800dbdff09559115e0chuck char *decoded;

68bcde9c52e9e749482df2800dbdff09559115e0chuck

68bcde9c52e9e749482df2800dbdff09559115e0chuck session_crypto_dir_conf *conf = ap_get_module_config(r->per_dir_config,

68bcde9c52e9e749482df2800dbdff09559115e0chuck &session_crypto_module);

68bcde9c52e9e749482df2800dbdff09559115e0chuck

0c233c76f21b358f4a0d81e0f956339ca727c14cchuck res = crypt_init(r, &f, &key, conf);

68bcde9c52e9e749482df2800dbdff09559115e0chuck if (res != APR_SUCCESS) {

68bcde9c52e9e749482df2800dbdff09559115e0chuck return res;

4f7dd0949d92462a8adc31eee8aff266eea55204chuck }

4f7dd0949d92462a8adc31eee8aff266eea55204chuck

68bcde9c52e9e749482df2800dbdff09559115e0chuck res = apr_evp_crypt_init(f, &e, APR_EVP_DECRYPT, key, r->pool);

4f7dd0949d92462a8adc31eee8aff266eea55204chuck if (APR_SUCCESS != res) {

4f7dd0949d92462a8adc31eee8aff266eea55204chuck ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX

68bcde9c52e9e749482df2800dbdff09559115e0chuck "decryption could be configured but not initialised");

4f7dd0949d92462a8adc31eee8aff266eea55204chuck apr_evp_factory_cleanup(f);

4f7dd0949d92462a8adc31eee8aff266eea55204chuck return res;

68bcde9c52e9e749482df2800dbdff09559115e0chuck }

/* strip base64 from the string */

decoded = apr_palloc(r->pool, apr_base64_decode_len(in));

decodedlen = apr_base64_decode(decoded, in);

decoded[decodedlen] = '\0';

/* decrypt the given string */

res = apr_evp_crypt(e, &decrypted, &decryptedlen, (unsigned char *) decoded, decodedlen);

if (res) {

ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX

"decrypt: attempt to decrypt failed");

return res;

}

*out = (char *) decrypted;

res = apr_evp_crypt_finish(e, decrypted + decryptedlen, &tlen);

if (APR_SUCCESS != res) {

ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX

"attempt to finish the decryption failed");

apr_evp_factory_cleanup(f);

apr_evp_crypt_cleanup(e);

return res;

}

decryptedlen += tlen;

decrypted[decryptedlen] = 0;

return APR_SUCCESS;

#else

ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_ENOTIMPL, r, LOG_PREFIX

"crypto is not supported by APR on this platform");

return APR_ENOTIMPL;

#endif

}

AP_DECLARE(int) ap_session_crypto_encode(request_rec * r, session_rec * z)

{

char *encoded = NULL;

apr_status_t res;

session_crypto_dir_conf *conf = ap_get_module_config(r->per_dir_config,

&session_crypto_module);

if (conf->passphrase_set || conf->certfile_set) {

res = encrypt_string(r, z->encoded, &encoded);

if (res != OK) {

ap_log_rerror(APLOG_MARK, APLOG_DEBUG, res, r, LOG_PREFIX

"encrypt session failed");

return res;

}

z->encoded = encoded;

}

return OK;

}

AP_DECLARE(int) ap_session_crypto_decode(request_rec * r, session_rec * z)

{

char *encoded = NULL;

apr_status_t res;

session_crypto_dir_conf *conf = ap_get_module_config(r->per_dir_config,

&session_crypto_module);

if ((conf->passphrase_set || conf->certfile_set) && z->encoded) {

res = decrypt_string(r, z->encoded, &encoded);

if (res != APR_SUCCESS) {

ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX

"decrypt session failed, wrong passphrase?");

return res;

}

z->encoded = encoded;

}

return OK;

}

static void *create_session_crypto_dir_config(apr_pool_t * p, char *dummy)

{

session_crypto_dir_conf *new =

(session_crypto_dir_conf *) apr_pcalloc(p, sizeof(session_crypto_dir_conf));

/* default cipher AES256-SHA */

new->cipher = DEFAULT_CIPHER;

new->cipher_set = 1;

new->digest = DEFAULT_DIGEST;

new->digest_set = 1;

/* initialise SSL */

apr_ssl_init();

return (void *) new;

}

static void *merge_session_crypto_dir_config(apr_pool_t * p, void *basev, void *addv)

{

session_crypto_dir_conf *new = (session_crypto_dir_conf *) apr_pcalloc(p, sizeof(session_crypto_dir_conf));

session_crypto_dir_conf *add = (session_crypto_dir_conf *) addv;

session_crypto_dir_conf *base = (session_crypto_dir_conf *) basev;

new->passphrase = (add->passphrase_set == 0) ? base->passphrase : add->passphrase;

new->passphrase_set = add->passphrase_set || base->passphrase_set;

new->certfile = (add->certfile_set == 0) ? base->certfile : add->certfile;

new->certfile_set = add->certfile_set || base->certfile_set;

new->keyfile = (add->keyfile_set == 0) ? base->keyfile : add->keyfile;

new->keyfile_set = add->keyfile_set || base->keyfile_set;

new->cipher = (add->cipher_set == 0) ? base->cipher : add->cipher;

new->cipher_set = add->cipher_set || base->cipher_set;

new->digest = (add->digest_set == 0) ? base->digest : add->digest;

new->digest_set = add->digest_set || base->digest_set;

new->engine = (add->engine_set == 0) ? base->engine : add->engine;

new->engine_set = add->engine_set || base->engine_set;

return new;

}

static const char *check_file(cmd_parms * cmd, const char **file)

{

apr_finfo_t finfo;

const char *filepath = ap_server_root_relative(cmd->pool, *file);

if (!filepath) {

return apr_pstrcat(cmd->pool, cmd->directive->directive,

": Invalid file path ", *file, NULL);

}

if (apr_stat(&finfo, filepath,

APR_FINFO_TYPE | APR_FINFO_SIZE, cmd->pool) != 0 ||

finfo.filetype != APR_REG || finfo.size <= 0) {

return apr_pstrcat(cmd->pool, cmd->directive->directive,

": File empty or missing ", *file, NULL);

}

*file = filepath;

return NULL;

}

static const char *set_crypto_passphrase(cmd_parms * cmd, void *config, const char *passphrase)

{

session_crypto_dir_conf *conf = (session_crypto_dir_conf *) config;

conf->passphrase = passphrase;

conf->passphrase_set = 1;

return NULL;

}

static const char *set_crypto_certificate_file(cmd_parms * cmd, void *config, const char *file)

{

const char *res = check_file(cmd, &file);

if (!res) {

session_crypto_dir_conf *conf = (session_crypto_dir_conf *) config;

conf->certfile = file;

conf->certfile_set = 1;

}

return res;

}

static const char *set_crypto_certificate_keyfile(cmd_parms * cmd, void *config, const char *file)

{

const char *res = check_file(cmd, &file);

if (!res) {

session_crypto_dir_conf *conf = (session_crypto_dir_conf *) config;

conf->keyfile = file;

conf->keyfile_set = 1;

}

return res;

}

static const char *set_crypto_cipher(cmd_parms * cmd, void *config, const char *cipher)

{

session_crypto_dir_conf *conf = (session_crypto_dir_conf *) config;

conf->cipher = cipher;

conf->cipher_set = 1;

return NULL;

}

static const char *set_crypto_digest(cmd_parms * cmd, void *config, const char *digest)

{

session_crypto_dir_conf *conf = (session_crypto_dir_conf *) config;

conf->digest = digest;

conf->digest_set = 1;

return NULL;

}

static const char *set_crypto_engine(cmd_parms * cmd, void *config, const char *engine)

{

session_crypto_dir_conf *conf = (session_crypto_dir_conf *) config;

conf->engine = engine;

conf->engine_set = 1;

return NULL;

}

static const command_rec session_crypto_cmds[] =

{

AP_INIT_TAKE1("SessionCryptoPassphrase", set_crypto_passphrase, NULL, RSRC_CONF|OR_AUTHCFG,

"The passphrase used to encrypt cookies"),

AP_INIT_TAKE1("SessionCryptoCertificateFile", set_crypto_certificate_file, NULL, RSRC_CONF|OR_AUTHCFG,

"The name of a certificate whose public key will be used to encrypt cookies"),

AP_INIT_TAKE1("SessionCryptoCertificateKeyFile", set_crypto_certificate_keyfile, NULL, RSRC_CONF|OR_AUTHCFG,

"The name of a private key which will be used to decrypt cookies"),

AP_INIT_TAKE1("SessionCryptoCipher", set_crypto_cipher, NULL, RSRC_CONF|OR_AUTHCFG,

"The cipher used to encrypt cookies. Defaults to " DEFAULT_CIPHER),

AP_INIT_TAKE1("SessionCryptoDigest", set_crypto_digest, NULL, RSRC_CONF|OR_AUTHCFG,

"The digest used to encrypt cookies. Defaults to " DEFAULT_DIGEST),

AP_INIT_TAKE1("SessionCryptoEngine", set_crypto_engine, NULL, RSRC_CONF|OR_AUTHCFG,

"The optional engine used to encrypt cookies, if supported by the underlying crypto "

"toolkit"),

{NULL}

};

static void register_hooks(apr_pool_t * p)

{

ap_hook_session_encode(ap_session_crypto_encode, NULL, NULL, APR_HOOK_LAST);

ap_hook_session_decode(ap_session_crypto_decode, NULL, NULL, APR_HOOK_FIRST);

}

module AP_MODULE_DECLARE_DATA session_crypto_module =

{

STANDARD20_MODULE_STUFF,

create_session_crypto_dir_config, /* dir config creater */

merge_session_crypto_dir_config, /* dir merger --- default is to

NULL, /* server config */

NULL, /* merge server config */

session_crypto_cmds, /* command apr_table_t */

register_hooks /* register hooks */

};