[OpenWrt-Devel,1/2] services/uhttpd: add Strict-Transport-Security option

Message ID 20180802091603.13980-1-fe@dev.tdt.de
State New
Delegated to: Jo-Philipp Wich
Series
  • [OpenWrt-Devel,1/2] services/uhttpd: add Strict-Transport-Security option

Commit Message

Florian Eckert Aug. 2, 2018, 9:16 a.m.
This is a web security policy mechanism that helps to protect websites
against protocol downgrade attacks and cookie hijacking.

HSTS is an IETF standards track protocol and is specified in RFC 6797.

This patch will add the possibility to specify a max-age with the option
-P on uhttpd start. If the option is set and https is enabled, then the
Strict-Transport-Security header forces the client to communicate only over
https for this content for the specified time.

This is a follow up request from:
https://github.com/openwrt/luci/pull/1555

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
---
 ...-Strict-Transport-Security-header-max-age.patch | 55 ++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 package/network/services/uhttpd/patches/0005-make-uhttpd-configurable-to-send-Strict-Transport-Security-header-max-age.patch

Patch

diff --git a/package/network/services/uhttpd/patches/0005-make-uhttpd-configurable-to-send-Strict-Transport-Security-header-max-age.patch b/package/network/services/uhttpd/patches/0005-make-uhttpd-configurable-to-send-Strict-Transport-Security-header-max-age.patch
new file mode 100644
index 0000000000..b64b991ce3
--- /dev/null
+++ b/package/network/services/uhttpd/patches/0005-make-uhttpd-configurable-to-send-Strict-Transport-Security-header-max-age.patch
@@ -0,0 +1,55 @@ 
+--- a/main.c
++++ b/main.c
+@@ -135,6 +135,7 @@ static int usage(const char *name)
+ 		"	-C file         ASN.1 server certificate file\n"
+ 		"	-K file         ASN.1 server private key file\n"
+ 		"	-q              Redirect all HTTP requests to HTTPS\n"
++		"	-P seconds      Set Strict-Transport-Security header max-age\n"
+ #endif
+ 		"	-h directory    Specify the document root, default is '.'\n"
+ 		"	-E string       Use given virtual URL as 404 error handler\n"
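Review bot: the help line added for `-P` does not say what happens when the option is omitted or set to 0; since the handler in client.c only emits the header when `conf.hsts > 0`, the text could read e.g. `-P seconds      Set Strict-Transport-Security header max-age (0 = disabled, default)` so that the user knows the header is off unless explicitly enabled. Placing it inside the `#ifdef HAVE_TLS` block is right, as the header is only meaningful on TLS responses.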
+@@ -232,7 +233,7 @@ int main(int argc, char **argv)
+ 	init_defaults_pre();
+ 	signal(SIGPIPE, SIG_IGN);
+ 
+-	while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
++	while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:P:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
+ 		switch(ch) {
+ #ifdef HAVE_TLS
+ 		case 'C':
+@@ -247,6 +248,10 @@ int main(int argc, char **argv)
+ 			conf.tls_redirect = 1;
+ 			break;
+ 
++		case 'P':
++			conf.hsts = atoi(optarg);
++			break;
++
+ 		case 's':
+ 			n_tls++;
+ 			/* fall through */
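Review bot: `conf.hsts = atoi(optarg);` accepts any string silently: a non-numeric argument such as `-P foo` yields 0 and quietly disables HSTS, and a negative value is also accepted and then disabled by the `> 0` check in client.c, so a typo in the init script turns the policy off without any diagnostic. Consider parsing with `strtoul()` and checking `*endptr == '\0'`, rejecting the option (usage error) when the value is not a non-negative integer, rather than falling back to "disabled".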
+--- a/uhttpd.h
++++ b/uhttpd.h
+@@ -64,6 +64,7 @@ struct config {
+ 	const char *lua_prefix;
+ 	const char *ubus_prefix;
+ 	const char *ubus_socket;
++	int hsts;
+ 	int no_symlinks;
+ 	int no_dirlists;
+ 	int network_timeout;
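Review bot: the new `int hsts;` field carries no indication of its unit or sentinel; a short comment such as `/* HSTS max-age in seconds, 0 = do not send header */` (or a more descriptive name like `hsts_max_age`) would document the contract that client.c relies on. The field is picked up by the existing zero-initialised `struct config`, so the default is "header not sent", which matches the opt-in behaviour described in the commit message.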
+--- a/client.c
++++ b/client.c
+@@ -64,6 +64,12 @@ void uh_http_header(struct client *cl, i
+ 		http_versions[cl->request.version],
+ 		code, summary, conn, enc);
+ 
++	if (( cl->tls ) && ( conf.hsts > 0 )) {
++		ustream_printf(cl->us,
++				"Strict-Transport-Security: max-age=%d\r\n",
++				conf.hsts);
++	}
++
+ 	if (!r->connection_close)
+ 		ustream_printf(cl->us, "Keep-Alive: timeout=%d\r\n", conf.http_keepalive);
+
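Review bot: the condition `if (( cl->tls ) && ( conf.hsts > 0 ))` has redundant parentheses and spacing; `if (cl->tls && conf.hsts > 0)` is the style used elsewhere in this file. Emitting the header only when `cl->tls` is set is correct, since RFC 6797 requires user agents to ignore Strict-Transport-Security received over plain HTTP, and it also keeps the header off the `-q` HTTP-to-HTTPS redirect path. One consequence of the `> 0` check to be aware of: RFC 6797 uses `max-age=0` as the way to tell a client to forget a previously cached policy, and with 0 doubling as "disabled" an administrator cannot deliberately send that value to revoke HSTS once it has been enabled; if revocation is wanted, use a distinct sentinel (e.g. a negative default set in `init_defaults_pre()`) and allow 0 through.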