On Thu, Jun 18, 2015 at 11:46:13PM +1000, David Gwynne wrote:
> this adds the current signify pub key for base to the httpd Server
> version header.
>
> as you say, the keys are small. this could help distribute it widely.
>
> here's an example of what it looks like:
>
> dlg@mild ~$ curl -I http://es45/
> HTTP/1.1 200 OK
> Connection: keep-alive
> Content-Length: 2259
> Content-Type: text/html
> Date: Thu, 18 Jun 2015 13:45:29 GMT
> Last-Modified: Thu, 06 Feb 2014 04:12:39 GMT
> Server: OpenBSD httpd 5.7
> RWSvUZXnw9gUb70PdeSNnpSmodCyIPJEGN1wWr+6Time1eP7KiWJ5eAM
>
> just an idea...
>

There is a good point in solving the distribution problem, but I don't
think it fits in httpd by default. And it kind of defeats the purpose
if it is not on by default.

And people tend to turn off the version string in their web servers - it
is unnecessary information leakage (unlike sshd, where the version is
needed for all kinds of compat checks).

Speaking about sshd, I guess we wouldn't include it in the server
greeting:

$ nc 127.0.0.1 22
SSH-2.0-OpenSSH_6.8 RWSvUZXnw9gUb70PdeSNnpSmodCyIPJEGN1wWr+6Time1eP7KiWJ5eAM

So probably not.

Reyk

> Index: Makefile > =================================================================== > RCS file: /cvs/src/usr.sbin/httpd/Makefile,v > retrieving revision 1.27 > diff -u -p -r1.27 Makefile > --- Makefile 23 Feb 2015 10:39:10 -0000 1.27 > +++ Makefile 18 Jun 2015 13:41:45 -0000 > @@ -1,9 +1,13 @@ > # $OpenBSD: Makefile,v 1.27 2015/02/23 10:39:10 reyk Exp $ > > +httpd_version.c: ../../etc/signify/openbsd-${OSrev}-base.pub > + sh ${.CURDIR}/httpd_version.sh ${OSREV} $> $@ > + > PROG= httpd > SRCS= parse.y > SRCS+= config.c control.c httpd.c log.c logger.c proc.c > SRCS+= server.c server_http.c server_file.c server_fcgi.c > +SRCS+= httpd_version.c > MAN= httpd.8 httpd.conf.5 > > LDADD= -levent -ltls -lssl -lcrypto -lutil > @@ -14,6 +18,6 @@ CFLAGS+= -Wstrict-prototypes -Wmissing-p > CFLAGS+= -Wmissing-declarations > CFLAGS+= -Wshadow -Wpointer-arith > CFLAGS+= -Wsign-compare > -CLEANFILES+= y.tab.h > +CLEANFILES+= y.tab.h httpd_version.c > > .include <bsd.prog.mk> > Index: httpd.c > =================================================================== > RCS file: /cvs/src/usr.sbin/httpd/httpd.c,v > retrieving revision 1.35 > diff -u -p -r1.35 httpd.c > --- httpd.c 23 Feb 2015 18:43:18 -0000 1.35 > +++ httpd.c 18 Jun 2015 13:41:45 -0000 
> @@ -959,7 +959,7 @@ accept_reserve(int sockfd, struct sockad > } > > struct kv * > -kv_add(struct kvtree *keys, char *key, char *value) > +kv_add(struct kvtree *keys, const char *key, const char *value) > { > struct kv *kv, *oldkv; > > Index: httpd.h > =================================================================== > RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v > retrieving revision 1.82 > diff -u -p -r1.82 httpd.h > --- httpd.h 15 Mar 2015 22:08:45 -0000 1.82 > +++ httpd.h 18 Jun 2015 13:41:45 -0000 > @@ -35,10 +35,12 @@ > #include <imsg.h> > #include <tls.h> > > +extern const char httpd_version[]; > +#define HTTPD_SERVERNAME httpd_version > + > #define CONF_FILE "/etc/httpd.conf" > #define HTTPD_SOCKET "/var/run/httpd.sock" > #define HTTPD_USER "www" > -#define HTTPD_SERVERNAME "OpenBSD httpd" > #define HTTPD_DOCROOT "/htdocs" > #define HTTPD_INDEX "index.html" > #define HTTPD_FCGI_SOCKET "/run/slowcgi.sock" > @@ -602,7 +604,7 @@ struct in6_addr *prefixlen2mask6(u_int8_ > u_int32_t prefixlen2mask(u_int8_t); > int accept_reserve(int, struct sockaddr *, socklen_t *, int, > volatile int *); > -struct kv *kv_add(struct kvtree *, char *, char *); > +struct kv *kv_add(struct kvtree *, const char *, const char *); > int kv_set(struct kv *, char *, ...); > int kv_setkey(struct kv *, char *, ...); > void kv_delete(struct kvtree *, struct kv *); > Index: httpd_version.sh > =================================================================== > RCS file: httpd_version.sh > diff -N httpd_version.sh > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ httpd_version.sh 18 Jun 2015 13:41:45 -0000 > @@ -0,0 +1,4 @@ > +#!/bin/sh > + > +VERSION=`tail -n1 "$2"` > +echo const char httpd_version[] = \"OpenBSD httpd $1 $VERSION\"\; > "$3" > --
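
Review bot: In the first Makefile hunk, the prerequisite `../../etc/signify/openbsd-${OSrev}-base.pub` is written as a relative path while the script on the next line is anchored to `${.CURDIR}`, so the rule depends on how make resolves that path from wherever the build runs. Suggest anchoring both the same way, e.g. `${.CURDIR}/../../etc/signify/openbsd-${OSrev}-base.pub`. A one-line comment explaining that `${OSrev}` names the key file and `${OSREV}` is the version passed to the script would also help, since the two differ only in case.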
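
Review bot: In the first httpd.h hunk, `HTTPD_SERVERNAME` is redefined to the generated `httpd_version` array unconditionally, so the release number and the key appear wherever the macro is used and nothing in the visible lines lets an administrator turn that off. Suggest keeping the plain "OpenBSD httpd" string as the default value and making the longer string opt-in. Since the macro is no longer a string literal, any use that relies on literal concatenation or `sizeof` also needs checking.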
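
Review bot: In the httpd_version.sh hunk, the output of `tail -n1 "$2"` is pasted into a C string literal with no check: if the file's last line is empty or is not the key, the script still writes "$3" and exits 0, and a line containing a double quote or backslash would alter the literal. Suggest exiting non-zero when `$VERSION` is empty or contains anything outside the base64 alphabet, and writing "$3" only after that check passes. Quoting the `echo` argument would also keep `$VERSION` from being word-split.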