<usage>
<p>The <directive>SessionCryptoPassphrase</directive> directive specifies the key
- to be used to encrypt the contents of the session before writing the session, or
- decrypting the contents of the session after reading the session.</p>
-
+ to be used to enable symmetrical encryption on the contents of the session before
+ writing the session, or decrypting the contents of the session after reading the session.</p>
+
<p>Keys are more secure when they are long, and consist of truly random characters.
Changing the key on a server has the effect of invalidating all existing sessions.</p>
-
+
+ <p>If the <directive module="mod_session_crypto">SessionCryptoCertificateFile</directive>
+ directive is set and asymmetrical encryption is enabled instead, the
+ <directive module="mod_session_crypto">SessionCryptoPassphrase</directive> directive
+ will be interpreted as the passphrase of the key, if the key is encrypted.</p>
+
</usage>
</directivesynopsis>
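Review bot: The replacement wording "to be used to enable symmetrical encryption on the contents of the session before writing the session, or decrypting the contents" does not parse (enable ... or decrypting); suggest "to be used to symmetrically encrypt the contents of the session before writing it, and to decrypt them after reading it". The added paragraph also overloads "key": the sentence just above it, "Changing the key on a server has the effect of invalidating all existing sessions", now sits between a symmetric key derived from the passphrase and a private key that the passphrase merely unlocks, and in the asymmetric case changing the passphrase only makes the key file unreadable rather than invalidating sessions. State that the invalidation sentence applies to the symmetric case, and say outright that once a certificate file is set the passphrase is no longer used for symmetric encryption at all. Finally, the usual terms are "symmetric" and "asymmetric" rather than "symmetrical"/"asymmetrical"; the same applies to the certificate paragraph later in this patch.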
<usage>
<p>The <directive>SessionCryptoCertificateFile</directive> directive specifies the name
- of a certificate to be used to encrypt the contents of the session before writing
- the session, or decrypting the content of the session after reading the session.</p>
-
+ of a certificate to be used to asymmetrically encrypt the contents of the session before
+ writing the session, or decrypting the content of the session after reading the session.</p>
+
<p>Changing the certificate on a server has the effect of invalidating all existing
sessions.</p>
+ <p>If the key associated with this certificate is protected with a passphrase, the
+ <directive module="mod_session_crypto">SessionCryptoPassphrase</directive> directive
+ will be interpreted as the passphrase to use to decrypt the key.</p>
+
<note type="warning"><title>Experimental</title>
<p>This directive is dependent on experimental support for assymetrical encryption
support currently available in prerelease versions of OpenSSL, and will only be
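Review bot: The added sentence "If the key associated with this certificate is protected with a passphrase" leaves the reader guessing where that key comes from; name the directive that supplies the private key file (the code refers to it as the keyfile) so the three directives read as one configuration, and make explicit that the certificate's public key is used to encrypt and the private key from that file is required to decrypt, which is why the key file and its passphrase matter. While this block is being edited, the trailing context still reads "experimental support for assymetrical encryption"; the same sentence under the next directive already spells it "asymmetrical", so fix the typo here too.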
<p>Changing the certificate or key on a server has the effect of invalidating all existing
sessions.</p>
+ <p>If this key is protected with a passphrase, the
+ <directive module="mod_session_crypto">SessionCryptoPassphrase</directive> directive
+ will be interpreted as the passphrase to use to decrypt the key.</p>
+
<note type="warning"><title>Experimental</title>
<p>This directive is dependent on experimental support for asymmetrical encryption
support currently available in prerelease versions of OpenSSL, and will only be
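Review bot: The added paragraph "If this key is protected with a passphrase, the SessionCryptoPassphrase directive will be interpreted as the passphrase to use to decrypt the key." is the third near-verbatim copy of the same rule in this patch (it also appears under SessionCryptoPassphrase and SessionCryptoCertificateFile). Three copies will drift; keep the full statement in one place, preferably under SessionCryptoPassphrase, and have the other two point at it with one sentence. The rule is also stated as conditional on the key being encrypted, but the code change in this patch passes conf->passphrase through unconditionally, so say what happens when a passphrase is configured and the key file is not encrypted (ignored, or a configuration error).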
{
apr_status_t res;
- if (!conf->certfile_set && !conf->keyfile_set && !conf->passphrase_set) {
+ if (!conf->certfile_set && !conf->passphrase_set) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, LOG_PREFIX
"encryption not configured, "
"no passphrase or certfile/keyfile set");
if (conf->certfile_set) {
*key = APR_EVP_KEY_PUBLIC;
res = apr_evp_factory_create(f, conf->keyfile, conf->certfile, NULL,
- NULL, NULL, conf->digest, APR_EVP_FACTORY_ASYM, r->pool);
+ conf->passphrase, conf->engine, conf->digest,
+ APR_EVP_FACTORY_ASYM, r->pool);
if (APR_ENOTIMPL == res) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
"generic public/private key encryption is not supported by "
"this version of APR. session encryption not possible");
}
}
- if (conf->passphrase) {
+ else {
*key = APR_EVP_KEY_SYM;
res = apr_evp_factory_create(f, NULL, NULL, conf->cipher,
- conf->passphrase, NULL, conf->digest, APR_EVP_FACTORY_SYM, r->pool);
+ conf->passphrase, conf->engine, conf->digest,
+ APR_EVP_FACTORY_SYM, r->pool);
if (APR_ENOTIMPL == res) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
"generic symmetrical encryption is not supported by this "
session_crypto_dir_conf *conf = ap_get_module_config(r->per_dir_config,
&session_crypto_module);
+ /* by default, return an empty string */
+ *out = "";
+
/* don't attempt to encrypt an empty string, trying to do so causes a segfault */
if (!in || !*in) {
return APR_SUCCESS;
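Review bot: `*out = "";` stores the address of a string literal in a char * that, on every other path, points at pool memory; a caller that modifies or frees *out, or a build with -Wwrite-strings, will trip on it. Use `*out = apr_pstrdup(r->pool, "");` so every result has the same ownership, or change the parameter to `const char **`. The comment "by default, return an empty string" also misleads, since the function returns an apr_status_t; say the output parameter is initialised to the empty string. The existing note "trying to do so causes a segfault" describes a bug in the underlying crypt routine that should be fixed there as well; this early return only protects this call site.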
if (res) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, LOG_PREFIX
"decrypt: attempt to decrypt failed");
+ apr_evp_factory_cleanup(f);
+ apr_evp_crypt_cleanup(e);
return res;
}
*out = (char *) decrypted;
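Review bot: The cleanup order is factory first, then the crypt context created from it (`apr_evp_factory_cleanup(f)` before `apr_evp_crypt_cleanup(e)`); tear down the dependent object first, i.e. cleanup e and then f, so the context never outlives the factory it came from. This is also only one error exit; any earlier error return in the same function needs the same pair of calls, so consider registering both objects with apr_pool_cleanup_register on r->pool right after creation instead of hand-placing cleanup before each return. The message "decrypt: attempt to decrypt failed" repeats itself; name the call that failed, since res is already passed to ap_log_rerror for the reason.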