From patchwork Thu Aug  2 09:16:02 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Florian Eckert <fe@dev.tdt.de>
X-Patchwork-Id: 952654
X-Patchwork-Delegate: jow@openwrt.org
Return-Path: 
 <openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=pass (mailfrom) smtp.mailfrom=lists.openwrt.org
	(client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org;
	envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=none (p=none dis=none) header.from=dev.tdt.de
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=lists.infradead.org
	header.i=@lists.infradead.org header.b="DuAgk9rN";
	dkim-atps=neutral
Received: from bombadil.infradead.org (bombadil.infradead.org
	[IPv6:2607:7c80:54:e::133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 41h4Lc0JvWz9s2g
	for <incoming@patchwork.ozlabs.org>;
	Thu,  2 Aug 2018 19:16:56 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20170209; h=Sender:
	Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe:
	List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Subject:Message-Id:
	Date:To:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:
	Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:
	List-Owner; bh=gkFVpEuVCAvfb1ISsq7vaFxU47qGqHGT8NmCqAZA76k=;
	b=DuAgk9rNU+s5Vc
	xiKkxV32BJTErwfqDNawej3a48JF++yOm0Dh5obtUozQEzxJZpfE46EZ24lC2D5daI3sMVN1rh2e0
	y+6XElcIjI6fI95C6TaX7hz0zQOEFDay/p2O8eYELLNnXFMtwW78efC8NUW1HH9TtcJzpSoupI9Az
	nKr37q9/vY4q7CLCqWnZ8GLXDwYJz9PaQ00v0mV6fa4WDdYr8foMwY8IcGjB58Kz2Mxo8l/bkEr62
	K18l/DIamhVGnL4JQmKSFnaekZclppF3sPe9N+cvP64uTfka8QKXpa9Tr/m8Ia0+FNbunWOyYXvM3
	e2DBCvE15iDB1qcjnjig==;
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux))
	id 1fl9j0-0001MV-H0; Thu, 02 Aug 2018 09:16:50 +0000
Received: from ms.tdt.de ([195.243.126.94] helo=mail.dev.tdt.de)
	by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux))
	id 1fl9iZ-0000or-1n
	for openwrt-devel@lists.openwrt.org; Thu, 02 Aug 2018 09:16:25 +0000
Received: from feckert01.dev.tdt.de (unknown [10.2.3.40])
	by mail.dev.tdt.de (Postfix) with ESMTPSA id A32CD2003E;
	Thu,  2 Aug 2018 09:16:08 +0000 (UTC)
From: Florian Eckert <fe@dev.tdt.de>
To: openwrt-devel@lists.openwrt.org
Date: Thu,  2 Aug 2018 11:16:02 +0200
Message-Id: <20180802091603.13980-1-fe@dev.tdt.de>
X-Mailer: git-send-email 2.11.0
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,URIBL_BLOCKED
	autolearn=ham autolearn_force=no version=3.4.0
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail.dev.tdt.de
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20180802_021623_256277_FD5FD50D 
X-CRM114-Status: GOOD (  12.17  )
X-Spam-Score: 0.0 (/)
X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary:
	Content analysis details:   (0.0 points)
	pts rule name              description
	---- ----------------------
	--------------------------------------------------
Subject: [OpenWrt-Devel] [PATCH 1/2] services/uhttpd: add
	Strict-Transport-Security option
X-BeenThere: openwrt-devel@lists.openwrt.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openwrt-devel.lists.openwrt.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/openwrt-devel>,
	<mailto:openwrt-devel-request@lists.openwrt.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/openwrt-devel/>
List-Post: <mailto:openwrt-devel@lists.openwrt.org>
List-Help: <mailto:openwrt-devel-request@lists.openwrt.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/openwrt-devel>,
	<mailto:openwrt-devel-request@lists.openwrt.org?subject=subscribe>
Cc: Eckert.Florian@googlemail.com
MIME-Version: 1.0
Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org>
Errors-To: 
 openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org

This is a web security policy mechanism that helps to protect websites
against protocol downgrade attacks and cookie hijacking.

HSTS is an IETF standards track protocol and is specified in RFC 6797.

This patch will add the possibility to specify a max-age with the option
-P on uhttp start. If the option is set and https is enabled then force
the client with the Strict-Transport-Securtiy header for the specified
time only communicate over https for this content.

This is a follow up request from:
https://github.com/openwrt/luci/pull/1555

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
---
 ...-Strict-Transport-Security-header-max-age.patch | 55 ++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 package/network/services/uhttpd/patches/0005-make-uhttpd-configurable-to-send-Strict-Transport-Security-header-max-age.patch

diff --git a/package/network/services/uhttpd/patches/0005-make-uhttpd-configurable-to-send-Strict-Transport-Security-header-max-age.patch b/package/network/services/uhttpd/patches/0005-make-uhttpd-configurable-to-send-Strict-Transport-Security-header-max-age.patch
new file mode 100644
index 0000000000..b64b991ce3
--- /dev/null
+++ b/package/network/services/uhttpd/patches/0005-make-uhttpd-configurable-to-send-Strict-Transport-Security-header-max-age.patch
@@ -0,0 +1,55 @@
+--- a/main.c
++++ b/main.c
+@@ -135,6 +135,7 @@ static int usage(const char *name)
+ 		"	-C file         ASN.1 server certificate file\n"
+ 		"	-K file         ASN.1 server private key file\n"
+ 		"	-q              Redirect all HTTP requests to HTTPS\n"
++		"	-P seconds      Set Strict-Transport-Security header max-age\n"
+ #endif
+ 		"	-h directory    Specify the document root, default is '.'\n"
+ 		"	-E string       Use given virtual URL as 404 error handler\n"
+@@ -232,7 +233,7 @@ int main(int argc, char **argv)
+ 	init_defaults_pre();
+ 	signal(SIGPIPE, SIG_IGN);
+ 
+-	while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
++	while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:P:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
+ 		switch(ch) {
+ #ifdef HAVE_TLS
+ 		case 'C':
+@@ -247,6 +248,10 @@ int main(int argc, char **argv)
+ 			conf.tls_redirect = 1;
+ 			break;
+ 
++		case 'P':
++			conf.hsts = atoi(optarg);
++			break;
++
+ 		case 's':
+ 			n_tls++;
+ 			/* fall through */
+--- a/uhttpd.h
++++ b/uhttpd.h
+@@ -64,6 +64,7 @@ struct config {
+ 	const char *lua_prefix;
+ 	const char *ubus_prefix;
+ 	const char *ubus_socket;
++	int hsts;
+ 	int no_symlinks;
+ 	int no_dirlists;
+ 	int network_timeout;
+--- a/client.c
++++ b/client.c
+@@ -64,6 +64,12 @@ void uh_http_header(struct client *cl, i
+ 		http_versions[cl->request.version],
+ 		code, summary, conn, enc);
+ 
++	if (( cl->tls ) && ( conf.hsts > 0 )) {
++		ustream_printf(cl->us,
++				"Strict-Transport-Security: max-age=%d\r\n",
++				conf.hsts);
++	}
++
+ 	if (!r->connection_close)
+ 		ustream_printf(cl->us, "Keep-Alive: timeout=%d\r\n", conf.http_keepalive);
+