From patchwork Thu Aug 2 09:16:02 2018
X-Patchwork-Submitter: Florian Eckert
X-Patchwork-Id: 952654
X-Patchwork-Delegate: jow@openwrt.org
From: Florian Eckert
To: openwrt-devel@lists.openwrt.org
Cc: Eckert.Florian@googlemail.com
Date: Thu, 2 Aug 2018 11:16:02 +0200
Message-Id: <20180802091603.13980-1-fe@dev.tdt.de>
Subject: [OpenWrt-Devel] [PATCH 1/2] services/uhttpd: add Strict-Transport-Security option

This is a web security policy mechanism that helps to protect websites against protocol downgrade attacks and cookie hijacking. HSTS is an IETF standards track protocol and is specified in RFC 6797.

This patch will add the possibility to specify a max-age with the option -P on uhttpd start. If the option is set and https is enabled, then the client is forced, with the Strict-Transport-Security header, to only communicate over https for this content for the specified time.

This is a follow-up request from: https://github.com/openwrt/luci/pull/1555
Signed-off-by: Florian Eckert
---
 ...-Strict-Transport-Security-header-max-age.patch | 55 ++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 package/network/services/uhttpd/patches/0005-make-uhttpd-configurable-to-send-Strict-Transport-Security-header-max-age.patch

diff --git a/package/network/services/uhttpd/patches/0005-make-uhttpd-configurable-to-send-Strict-Transport-Security-header-max-age.patch b/package/network/services/uhttpd/patches/0005-make-uhttpd-configurable-to-send-Strict-Transport-Security-header-max-age.patch
new file mode 100644
index 0000000000..b64b991ce3
--- /dev/null
+++ b/package/network/services/uhttpd/patches/0005-make-uhttpd-configurable-to-send-Strict-Transport-Security-header-max-age.patch
@@ -0,0 +1,55 @@ +--- a/main.c ++++ b/main.c +@@ -135,6 +135,7 @@ static int usage(const char *name) + " -C file ASN.1 server certificate file\n" + " -K file ASN.1 server private key file\n" + " -q Redirect all HTTP requests to HTTPS\n" ++ " -P seconds Set Strict-Transport-Security header max-age\n" + #endif + " -h directory Specify the document root, default is '.'\n" + " -E string Use given virtual URL as 404 error handler\n" +@@ -232,7 +233,7 @@ int main(int argc, char **argv) + init_defaults_pre(); + signal(SIGPIPE, SIG_IGN); + +- while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) { ++ while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:P:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) { + switch(ch) { + #ifdef HAVE_TLS + case 'C': +@@ -247,6 +248,10 @@ int main(int argc, char **argv) + conf.tls_redirect = 1; + break; + ++ case 'P': ++ conf.hsts = atoi(optarg); ++ break; ++ + case 's': + n_tls++; + /* fall through */ +--- a/uhttpd.h ++++ b/uhttpd.h +@@ -64,6 +64,7 @@ struct config { + const char *lua_prefix; + const char *ubus_prefix; + const char *ubus_socket; ++ int hsts; + int no_symlinks; + int no_dirlists; + int network_timeout; +--- a/client.c ++++ b/client.c +@@ -64,6 +64,12 @@ void uh_http_header(struct client *cl, i + http_versions[cl->request.version], + code, summary, conn, enc); + ++ if (( cl->tls ) && ( conf.hsts > 0 )) { ++ ustream_printf(cl->us, ++ "Strict-Transport-Security: max-age=%d\r\n", ++ conf.hsts); ++ } ++ + if (!r->connection_close) + ustream_printf(cl->us, "Keep-Alive: timeout=%d\r\n", conf.http_keepalive); +
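Review bot: the usage line added in the first main.c hunk (" -P seconds Set Strict-Transport-Security header max-age\n") does not tell the operator that -P only has an effect on connections accepted on an -s (HTTPS) listener, nor that 0 leaves the header off. Since -q directly above it has the same unstated dependency on -s, a short hint such as " -P seconds Set Strict-Transport-Security max-age (0 = off, HTTPS only)\n" would save users who combine -P with a plain-HTTP listener from wondering why no header ever appears.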
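Review bot: `conf.hsts = atoi(optarg);` in the case 'P' hunk accepts any string: `-P foo` and `-P -1` silently turn into 0 (option disabled with no diagnostic), and an out-of-range number is undefined behaviour in atoi. Parse with strtol and reject bad input through the existing usage() path instead, e.g. `char *end; long v = strtol(optarg, &end, 10); if (*optarg == '\0' || *end != '\0' || v < 0) return usage(argv[0]);` and then `conf.hsts = (int) v;`. Note also that `P:` is added to the getopt string unconditionally while the case itself sits inside #ifdef HAVE_TLS; that matches how -C, -K, -q and -s are already handled, so it is consistent, but a non-TLS build has no case 'P' and the option falls through to the switch's default handling.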
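Review bot: `int hsts;` in the uhttpd.h hunk reads like a boolean flag next to no_symlinks and no_dirlists, but it holds a number of seconds. Naming it `hsts_max_age`, or adding a comment such as `/* Strict-Transport-Security max-age in seconds, 0 = off */`, would make the `conf.hsts > 0` test in client.c self-explanatory.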
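Review bot: style in the client.c hunk: `if (( cl->tls ) && ( conf.hsts > 0 ))` should be `if (cl->tls && conf.hsts > 0)` to match the surrounding code. Gating on cl->tls is correct: RFC 6797 requires user agents to ignore a Strict-Transport-Security header received over plain HTTP, and the check also keeps the header off the -q redirect responses, which go out on the HTTP connection. Two limits of the `> 0` test deserve at least a comment: max-age=0, which the RFC uses to tell a browser to drop a cached policy for this host, can never be emitted, so an operator who later turns HTTPS off cannot expire the policy early and has to wait it out; and there is no way to add includeSubDomains. It is also worth stating in the commit message that once a client has seen the header it will refuse plain HTTP to this host until max-age elapses, so a small value is advisable while a certificate setup is being tested.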
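As an added illustration of what the header emitted by this patch makes a client do (example code written for this page, not part of the patch or of uhttpd), the following C implements a minimal RFC 6797 policy cache of the kind a browser keeps: it ignores the header when the response did not arrive over TLS (the reason for the cl->tls check above), stores max-age as an absolute expiry, treats max-age=0 as "forget this host", honours includeSubDomains, and answers whether an http:// request to a host must be upgraded. Host names and timestamps in main() are constructed test data; the cache size, the function names and the omission of quoted max-age values (which the RFC permits) are choices made for this example.

```c
/* Added example, not uhttpd code: a minimal client-side HSTS policy cache
 * following RFC 6797, showing what a browser does with the header. */
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <time.h>

#define HSTS_MAX_HOSTS 16   /* arbitrary size for the example */

struct hsts_entry {
    char host[256];
    time_t expires;          /* absolute expiry; 0 means the slot is unused */
    bool include_subdomains;
};

static struct hsts_entry hsts_cache[HSTS_MAX_HOSTS];

void hsts_reset(void) { memset(hsts_cache, 0, sizeof hsts_cache); }

/* Parse the header value "max-age=N[; includeSubDomains]" (RFC 6797 6.1).
 * Directive names are case-insensitive and unknown directives are ignored;
 * a repeated directive or a missing/negative max-age makes the whole header
 * invalid. Quoted max-age values are not handled in this example. */
bool hsts_parse(const char *value, long *max_age, bool *include_sub)
{
    bool have_max_age = false;
    const char *p = value;

    *include_sub = false;
    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == ';')
            p++;
        if (!*p)
            break;
        const char *tok = p;
        while (*p && *p != ';')
            p++;
        size_t len = (size_t)(p - tok);
        while (len && isspace((unsigned char)tok[len - 1]))
            len--;                                 /* trim trailing blanks */

        if (len > 8 && strncasecmp(tok, "max-age=", 8) == 0) {
            char *end;
            errno = 0;
            long v = strtol(tok + 8, &end, 10);
            if (have_max_age || errno || v < 0 || (size_t)(end - tok) != len)
                return false;
            *max_age = v;
            have_max_age = true;
        } else if (len == 17 && strncasecmp(tok, "includeSubDomains", 17) == 0) {
            if (*include_sub)
                return false;
            *include_sub = true;
        }
    }
    return have_max_age;
}

static struct hsts_entry *hsts_find(const char *host)
{
    for (int i = 0; i < HSTS_MAX_HOSTS; i++)
        if (hsts_cache[i].expires && strcasecmp(hsts_cache[i].host, host) == 0)
            return &hsts_cache[i];
    return NULL;
}

/* Process a Strict-Transport-Security header received from `host` at `now`.
 * Returns true if the cache changed. A header on a response that did not
 * arrive over TLS must be ignored (RFC 6797 8.1): that is why the server
 * side only emits it when the connection is TLS. */
bool hsts_observe(const char *host, bool over_tls, const char *header, time_t now)
{
    long max_age;
    bool sub;

    if (!over_tls || !hsts_parse(header, &max_age, &sub))
        return false;

    struct hsts_entry *e = hsts_find(host);
    if (max_age == 0) {                 /* max-age=0: forget the host */
        if (e)
            e->expires = 0;
        return e != NULL;
    }
    if (!e) {
        for (int i = 0; i < HSTS_MAX_HOSTS && !e; i++)
            if (!hsts_cache[i].expires)
                e = &hsts_cache[i];
        if (!e)
            return false;               /* cache full: policy not stored */
        snprintf(e->host, sizeof e->host, "%s", host);
    }
    e->expires = now + (time_t)max_age;
    e->include_subdomains = sub;
    return true;
}

/* Must an http:// request to `host` be rewritten to https://? True for a
 * cached, unexpired host, or a subdomain of one that set includeSubDomains. */
bool hsts_must_upgrade(const char *host, time_t now)
{
    size_t hlen = strlen(host);

    for (int i = 0; i < HSTS_MAX_HOSTS; i++) {
        const struct hsts_entry *e = &hsts_cache[i];
        if (!e->expires || e->expires <= now)
            continue;
        size_t elen = strlen(e->host);
        if (elen == hlen && strcasecmp(e->host, host) == 0)
            return true;
        if (e->include_subdomains && hlen > elen + 1 &&
            host[hlen - elen - 1] == '.' &&
            strcasecmp(host + hlen - elen, e->host) == 0)
            return true;
    }
    return false;
}

int main(void)
{
    time_t t0 = 1533201362;             /* constructed sample timestamp */
    hsts_reset();
    hsts_observe("router.lan", false, "max-age=31536000", t0);  /* plain HTTP: ignored */
    printf("after HTTP header:  upgrade=%d\n", hsts_must_upgrade("router.lan", t0 + 1));
    hsts_observe("router.lan", true, "max-age=31536000; includeSubDomains", t0);
    printf("after HTTPS header: upgrade=%d subdomain=%d\n",
           hsts_must_upgrade("router.lan", t0 + 1),
           hsts_must_upgrade("admin.router.lan", t0 + 1));
    printf("one year later:     upgrade=%d\n", hsts_must_upgrade("router.lan", t0 + 31536000));
    return 0;
}
```

The first printf shows the policy being ignored because it arrived over HTTP, the second shows the host and its subdomains being upgraded after the same header arrived over TLS, and the third shows the policy lapsing once max-age has elapsed; this is the same window during which a uhttpd instance that later loses its HTTPS listener becomes unreachable for clients that cached the policy.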