diff --git a/docs/manual/mod/allmodules.xml b/docs/manual/mod/allmodules.xml index 2149c706744..5b22541b0c9 100644 --- a/docs/manual/mod/allmodules.xml +++ b/docs/manual/mod/allmodules.xml @@ -100,6 +100,7 @@ mod_proxy_scgi.xml mod_proxy_uwsgi.xml mod_proxy_wstunnel.xml + mod_random.xml mod_ratelimit.xml mod_reflector.xml mod_remoteip.xml diff --git a/docs/manual/mod/mod_random.xml b/docs/manual/mod/mod_random.xml new file mode 100644 index 00000000000..66c16b5ce6f --- /dev/null +++ b/docs/manual/mod/mod_random.xml @@ -0,0 +1,670 @@ + + + + + + + + + +mod_random + +Cryptographically secure random token generation + +Extension +mod_random.c +random_module + + +

This module generates cryptographically secure random tokens and + injects them into environment variables and/or HTTP response headers + for each request. It is designed for security-critical applications + that require unpredictable, high-entropy tokens.

+ +

Common use cases include CSRF (Cross-Site Request Forgery) protection, + request identifiers for logging and tracing, nonces for Content Security + Policy headers, and one-time tokens for various security mechanisms.

+ +

The module uses the system's cryptographically secure pseudo-random + number generator (CSPRNG) via apr_generate_random_bytes(), + providing 128 bits of entropy by default (16 bytes). It supports multiple + output formats (base64, hex, base64url, custom alphabet), optional + timestamp inclusion, TTL-based caching for performance, and HMAC-SHA256 + token signing with metadata.

+ + +mod_unique_id +mod_ssl +Environment Variables + +
+Features + +
+ +
+Security Considerations +

Cryptographic Strength: The module uses + apr_generate_random_bytes() which provides cryptographically + secure random data from the operating system's entropy source. The default + 128-bit entropy ensures negligible collision probability.

+ +

Not Guaranteed Unique: While collision probability is + extremely low with sufficient entropy, tokens are not guaranteed to be + globally unique. For guaranteed unique identifiers, use + mod_unique_id instead.

+ +

Token Validation: When using + RandomEncodeMetadata with + RandomSigningKey, tokens + include an HMAC-SHA256 signature that can be validated to ensure integrity + and detect tampering.

+ +

Cache Security: Cached tokens (via + RandomTTL) are stored in + memory and protected by thread-safe mutexes. The module handles clock + backward scenarios (NTP corrections) by invalidating affected cache entries.

+
+ +
+Usage Examples + + Basic CSRF Token + +<Location "/secure"> + RandomAddToken CSRF_TOKEN +</Location> + + + +

This generates a base64-encoded 16-byte token in the + CSRF_TOKEN environment variable for all requests to + /secure.

+ + Token in HTTP Header + +<Location "/api"> + RandomLength 32 + RandomFormat base64url + RandomAddToken CSRF_TOKEN header=X-CSRF-Token +</Location> + + + +

This generates a 32-byte base64url token and outputs it both to the + CSRF_TOKEN environment variable and the + X-CSRF-Token HTTP response header.

+ + Cached Token with TTL + +<Location "/forms"> + RandomTTL 300 + RandomAddToken FORM_TOKEN +</Location> + + + +

This generates a token that is cached for 5 minutes (300 seconds), + reducing CPU overhead for frequently accessed resources.

+ + Signed Token with Expiry + +<Location "/payments"> + RandomEncodeMetadata On + RandomExpiry 3600 + RandomSigningKey "your-secret-hmac-key-here" + RandomAddToken PAYMENT_TOKEN +</Location> + + + +

This generates a token that includes expiry metadata and an HMAC-SHA256 + signature, allowing server-side validation of token age and integrity.

+ + Custom Alphabet Token + +<Location "/codes"> + RandomFormat custom + RandomAlphabet "0123456789ABCDEFGHJKMNPQRSTVWXYZ" + RandomAlphabetGrouping 4 + RandomLength 16 + RandomAddToken PROMO_CODE +</Location> + + + +

This generates a human-readable token using a custom alphabet + (excluding confusing characters like 0/O, 1/I/L) with grouping every + 4 characters for readability.

+ + Using with mod_headers for CSP Nonce + +<Location "/app"> + RandomLength 16 + RandomFormat base64url + RandomAddToken CSP_NONCE header=X-CSP-Nonce + Header set Content-Security-Policy "script-src 'nonce-%{CSP_NONCE}e';" +</Location> + + + +

This generates a unique nonce for Content Security Policy and includes + it both in the CSP header and as a custom header for client-side access.

+ + Request ID for Logging and Tracing + +<Location "/"> + RandomLength 16 + RandomFormat hex + RandomAddToken REQUEST_ID header=X-Request-ID + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{REQUEST_ID}e" combined_with_id + CustomLog logs/access_log combined_with_id +</Location> + + + +

This generates a unique request ID that is sent to the client via + the X-Request-ID header and logged for request tracing and debugging.

+ + Multiple Tokens with mod_headers + +<Location "/secure-api"> + # CSRF token for form protection + RandomAddToken CSRF_TOKEN header=X-CSRF-Token + + # Request ID for tracing + RandomFormat base64url + RandomAddToken REQUEST_ID header=X-Request-ID + + # Session nonce with expiry + RandomEncodeMetadata On + RandomExpiry 1800 + RandomSigningKey "your-hmac-secret-key" + RandomAddToken SESSION_NONCE header=X-Session-Nonce +</Location> + + + +

This demonstrates using multiple tokens with different configurations + for various security purposes in a single location.

+
+ + +RandomAddToken +Add a random token to the request +RandomAddToken var-name [key=value ...] + +server config +virtual host +directory +.htaccess + +All + + +

This directive creates a random token and stores it in the specified + environment variable. Optional parameters can override global defaults + for this specific token.

+ +

The var-name parameter is required and + specifies the environment variable name where the token will be stored. + Additional optional parameters can be specified as key=value + pairs:

+ +
+
length=N
+
Token length in bytes (1-1024). Overrides + RandomLength.
+ +
format=format
+
Output format: base64, hex, + base64url, or custom. Overrides + RandomFormat.
+ +
header=name
+
HTTP response header name to output the token.
+ +
timestamp=on|off
+
Include Unix timestamp prefix. Overrides + RandomIncludeTimestamp.
+ +
prefix=string
+
Custom prefix. Overrides + RandomPrefix.
+ +
suffix=string
+
Custom suffix. Overrides + RandomSuffix.
+ +
ttl=seconds
+
Cache TTL in seconds (0-86400). Overrides + RandomTTL.
+
+ + Example + +# Simple token +RandomAddToken MY_TOKEN + +# Token with custom parameters +RandomAddToken API_TOKEN length=32 format=hex header=X-API-Token + +# Multiple tokens +RandomAddToken CSRF_TOKEN +RandomAddToken REQUEST_ID format=base64url + + + +

Note: Up to 50 tokens can be defined per configuration + context to prevent DoS attacks via excessive configuration.

+ + + + +RandomLength +Default token length in bytes +RandomLength bytes +RandomLength 16 + +server config +virtual host +directory +.htaccess + +All + + +

Sets the default number of random bytes to generate for tokens. + Valid range is 1-1024 bytes.

+ +

The default of 16 bytes provides 128 bits of entropy, which is + sufficient for most security applications. Larger values provide more + entropy but result in longer encoded tokens.

+ + Example + +# 256-bit entropy +RandomLength 32 + + + + + + +RandomFormat +Default token output format +RandomFormat base64|hex|base64url|custom +RandomFormat base64 + +server config +virtual host +directory +.htaccess + +All + + +

Sets the default encoding format for tokens:

+ +
+
base64
+
Standard base64 encoding (RFC 4648). Output contains A-Z, a-z, + 0-9, +, /, and = padding. Good for general use.
+ +
hex
+
Hexadecimal encoding (0-9, a-f). Output is twice the byte length. + Good for debugging and readability.
+ +
base64url
+
URL-safe base64 (RFC 4648). Uses - and _ instead of + and /, + no padding. Ideal for URLs and HTTP headers.
+ +
custom
+
Custom alphabet encoding. Requires + RandomAlphabet. + Good for human-readable tokens.
+
+ + Example + +RandomFormat base64url + + + + + + +RandomIncludeTimestamp +Include timestamp prefix in tokens +RandomIncludeTimestamp On|Off +RandomIncludeTimestamp Off + +server config +virtual host +directory +.htaccess + +All + + +

When enabled, prepends the current Unix timestamp (seconds since epoch) + to the token, separated by a hyphen.

+ +

This is useful for debugging, log correlation, or approximate age + verification without cryptographic metadata.

+ + Example + +RandomIncludeTimestamp On +# Generates tokens like: 1701234567-Ab3dEf... + + + +

Note: For precise expiry validation with cryptographic + verification, use RandomEncodeMetadata + instead.

+ + + + +RandomPrefix +Default prefix for all tokens +RandomPrefix string + +server config +virtual host +directory +.htaccess + +All + + +

Adds a fixed prefix to all generated tokens. Useful for token + identification or versioning.

+ + Example + +RandomPrefix "csrf_" +# Generates tokens like: csrf_Ab3dEf... + + + + + + +RandomSuffix +Default suffix for all tokens +RandomSuffix string + +server config +virtual host +directory +.htaccess + +All + + +

Adds a fixed suffix to all generated tokens. Useful for token + versioning or format identification.

+ + Example + +RandomSuffix "_v2" +# Generates tokens like: Ab3dEf..._v2 + + + + + + +RandomTTL +Cache TTL for tokens in seconds +RandomTTL seconds +RandomTTL 0 + +server config +virtual host +directory +.htaccess + +All + + +

Enables token caching with the specified time-to-live in seconds. + Valid range is 0-86400 (24 hours). A value of 0 disables caching.

+ +

Caching reduces CPU overhead and entropy consumption for frequently + accessed resources. Each token has its own cache protected by a mutex + for thread safety.

+ +

The module handles clock backward scenarios (NTP corrections) by + automatically invalidating affected cache entries.

+ + Example + +# Cache tokens for 5 minutes +RandomTTL 300 + + + +

Security Note: Cached tokens are reused for all + requests within the TTL period. For per-request uniqueness, keep TTL at 0.

+ + + + +RandomOnlyFor +Generate tokens only for matching URL patterns +RandomOnlyFor regex + +server config +virtual host +directory +.htaccess + +All + + +

Conditionally generates tokens only when the request URI matches the + specified extended regular expression (POSIX ERE).

+ +

This is useful for fine-grained control over token generation, + such as limiting to specific API endpoints.

+ + Example + +<Location "/api"> + # Only generate for /api/v1/* endpoints + RandomOnlyFor "^/api/v1/" + RandomAddToken API_TOKEN +</Location> + + + + + + +RandomAlphabet +Custom character set for custom format +RandomAlphabet characters + +server config +virtual host +directory +.htaccess + +All + + +

Defines a custom alphabet for custom format encoding. + Required when RandomFormat + is set to custom.

+ +

The alphabet must contain at least 2 unique characters and no more + than 256. Duplicate characters are rejected.

+ + Example + +# Crockford's Base32 (human-readable, no ambiguous characters) +RandomFormat custom +RandomAlphabet "0123456789ABCDEFGHJKMNPQRSTVWXYZ" + + + +

Note: Alphabets that are not powers of 2 in size + may introduce slight bias in character distribution.

+ + + + +RandomAlphabetGrouping +Group custom alphabet output every N characters +RandomAlphabetGrouping N +RandomAlphabetGrouping 0 + +server config +virtual host +directory +.htaccess + +All + + +

When using custom format, inserts a hyphen separator + every N characters for improved readability. Valid range is + 0-128. A value of 0 disables grouping.

+ + Example + +RandomFormat custom +RandomAlphabet "0123456789ABCDEFGHJKMNPQRSTVWXYZ" +RandomAlphabetGrouping 4 +# Generates tokens like: A3D5-7K9M-P2Q8-... + + + + + + +RandomEncodeMetadata +Encode expiry metadata into tokens +RandomEncodeMetadata On|Off +RandomEncodeMetadata Off + +server config +virtual host +directory +.htaccess + +All + + +

When enabled, encodes expiry timestamp and optional HMAC-SHA256 + signature into the token. Requires + RandomExpiry to be set + greater than 0.

+ +

If RandomSigningKey is + configured, the token includes an HMAC-SHA256 signature that can be + validated to ensure integrity.

+ +

Token format: expiry:random:signature (with signature) + or expiry:random (without signature).

+ + Example + +RandomEncodeMetadata On +RandomExpiry 3600 +RandomSigningKey "your-secret-key" + + + + + + +RandomExpiry +Token expiration time in seconds +RandomExpiry seconds +RandomExpiry 0 + +server config +virtual host +directory +.htaccess + +All + + +

Sets the token expiration time in seconds when using + RandomEncodeMetadata. + Valid range is 0-31536000 (1 year). A value of 0 means no expiry.

+ + Example + +# 1-hour expiry +RandomExpiry 3600 + + + + + + +RandomSigningKey +HMAC-SHA256 signing key for token validation +RandomSigningKey key + +server config +virtual host +directory +.htaccess + +All + + +

Sets the secret key used for HMAC-SHA256 signature generation when + RandomEncodeMetadata is + enabled.

+ +

The key should be a strong, random string. It must be kept secret + and should be the same across all servers that need to validate tokens.

+ + Example + +RandomSigningKey "your-secret-hmac-key-change-this" + + + +

Security Warning: Store the signing key securely. + Consider using environment variables or include files with restricted + permissions instead of hardcoding it in the main configuration.

+ + + + diff --git a/docs/manual/mod/mod_random.xml.fr b/docs/manual/mod/mod_random.xml.fr new file mode 100644 index 00000000000..2f3718de3c7 --- /dev/null +++ b/docs/manual/mod/mod_random.xml.fr @@ -0,0 +1,688 @@ + + + + + + + + + + +mod_random + +Génération de jetons aléatoires cryptographiquement sécurisés + +Extension +mod_random.c +random_module + + +

Ce module génère des jetons aléatoires cryptographiquement + sécurisés et les injecte dans les variables d'environnement et/ou + les en-têtes de réponse HTTP pour chaque requête. Il est conçu + pour les applications critiques en matière de sécurité qui + nécessitent des jetons imprévisibles à haute entropie.

+ +

Les cas d'utilisation courants incluent la protection CSRF (Cross-Site + Request Forgery), les identifiants de requête pour la journalisation et + le traçage, les nonces pour les en-têtes Content Security Policy, + et les jetons à usage unique pour divers mécanismes de sécurité.

+ +

Le module utilise le générateur de nombres pseudo-aléatoires + cryptographiquement sécurisé (CSPRNG) du système via + apr_generate_random_bytes(), fournissant 128 bits d'entropie + par défaut (16 octets). Il supporte plusieurs formats de sortie (base64, + hex, base64url, alphabet personnalisé), l'inclusion optionnelle d'horodatage, + la mise en cache basée sur TTL pour les performances, et la signature de + jetons HMAC-SHA256 avec métadonnées.

+ + +mod_unique_id +mod_ssl +Variables d'environnement + +
+Fonctionnalités + +
+ +
+Considérations de sécurité +

Robustesse cryptographique : Le module utilise + apr_generate_random_bytes() qui fournit des données + aléatoires cryptographiquement sécurisées à partir de la + source d'entropie du système d'exploitation. L'entropie par défaut de + 128 bits garantit une probabilité de collision négligeable.

+ +

Unicité non garantie : Bien que la probabilité de + collision soit extrêmement faible avec une entropie suffisante, les jetons + ne sont pas garantis d'être globalement uniques. Pour des identifiants + uniques garantis, utilisez mod_unique_id à la place.

+ +

Validation de jetons : Lors de l'utilisation de + RandomEncodeMetadata avec + RandomSigningKey, les jetons + incluent une signature HMAC-SHA256 qui peut être validée pour assurer + l'intégrité et détecter les falsifications.

+ +

Sécurité du cache : Les jetons en cache (via + RandomTTL) sont stockés en + mémoire et protégés par des mutex sécurisés pour les threads. + Le module gère les scénarios de recul d'horloge (corrections NTP) en + invalidant les entrées de cache affectées.

+
+ +
+Exemples d'utilisation + + Jeton CSRF basique + +<Location "/secure"> + RandomAddToken CSRF_TOKEN +</Location> + + + +

Ceci génère un jeton de 16 octets encodé en base64 dans la + variable d'environnement CSRF_TOKEN pour toutes les requêtes + vers /secure.

+ + Jeton dans un en-tête HTTP + +<Location "/api"> + RandomLength 32 + RandomFormat base64url + RandomAddToken CSRF_TOKEN header=X-CSRF-Token +</Location> + + + +

Ceci génère un jeton de 32 octets en base64url et l'envoie à la + fois dans la variable d'environnement CSRF_TOKEN et dans + l'en-tête de réponse HTTP X-CSRF-Token.

+ + Jeton en cache avec TTL + +<Location "/forms"> + RandomTTL 300 + RandomAddToken FORM_TOKEN +</Location> + + + +

Ceci génère un jeton qui est mis en cache pendant 5 minutes + (300 secondes), réduisant la charge CPU pour les ressources fréquemment + accédées.

+ + Jeton signé avec expiration + +<Location "/payments"> + RandomEncodeMetadata On + RandomExpiry 3600 + RandomSigningKey "votre-clé-secrète-hmac-ici" + RandomAddToken PAYMENT_TOKEN +</Location> + + + +

Ceci génère un jeton qui inclut des métadonnées d'expiration et + une signature HMAC-SHA256, permettant la validation côté serveur de l'âge + et de l'intégrité du jeton.

+ + Jeton avec alphabet personnalisé + +<Location "/codes"> + RandomFormat custom + RandomAlphabet "0123456789ABCDEFGHJKMNPQRSTVWXYZ" + RandomAlphabetGrouping 4 + RandomLength 16 + RandomAddToken PROMO_CODE +</Location> + + + +

Ceci génère un jeton lisible par l'homme en utilisant un alphabet + personnalisé (évitant les caractères ambigus comme 0/O, 1/I/L) avec + groupement tous les 4 caractères pour améliorer la lisibilité.

+ + Utilisation avec mod_headers pour CSP Nonce + +<Location "/app"> + RandomLength 16 + RandomFormat base64url + RandomAddToken CSP_NONCE header=X-CSP-Nonce + Header set Content-Security-Policy "script-src 'nonce-%{CSP_NONCE}e';" +</Location> + + + +

Ceci génère un nonce unique pour la Content Security Policy et l'inclut + à la fois dans l'en-tête CSP et comme en-tête personnalisé pour accès + côté client.

+ + ID de requête pour journalisation et traçage + +<Location "/"> + RandomLength 16 + RandomFormat hex + RandomAddToken REQUEST_ID header=X-Request-ID + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{REQUEST_ID}e" combined_with_id + CustomLog logs/access_log combined_with_id +</Location> + + + +

Ceci génère un identifiant de requête unique envoyé au client via + l'en-tête X-Request-ID et journalisé pour le traçage et le débogage.

+ + Jetons multiples avec mod_headers + +<Location "/secure-api"> + # Jeton CSRF pour protection des formulaires + RandomAddToken CSRF_TOKEN header=X-CSRF-Token + + # ID de requête pour traçage + RandomFormat base64url + RandomAddToken REQUEST_ID header=X-Request-ID + + # Nonce de session avec expiration + RandomEncodeMetadata On + RandomExpiry 1800 + RandomSigningKey "votre-clé-secrète-hmac" + RandomAddToken SESSION_NONCE header=X-Session-Nonce +</Location> + + + +

Ceci démontre l'utilisation de jetons multiples avec différentes + configurations pour divers objectifs de sécurité dans un seul emplacement.

+
+ + +RandomAddToken +Ajoute un jeton aléatoire à la requête +RandomAddToken nom-var [clé=valeur ...] + +server config +virtual host +directory +.htaccess + +All + + +

Cette directive crée un jeton aléatoire et le stocke dans la variable + d'environnement spécifiée. Des paramètres optionnels peuvent remplacer + les valeurs par défaut globales pour ce jeton spécifique.

+ +

Le paramètre nom-var est obligatoire et + spécifie le nom de la variable d'environnement où le jeton sera stocké. + Des paramètres optionnels supplémentaires peuvent être spécifiés + sous forme de paires clé=valeur :

+ +
+
length=N
+
Longueur du jeton en octets (1-1024). Remplace + RandomLength.
+ +
format=format
+
Format de sortie : base64, hex, + base64url, ou custom. Remplace + RandomFormat.
+ +
header=nom
+
Nom de l'en-tête de réponse HTTP pour sortir le jeton.
+ +
timestamp=on|off
+
Inclure un préfixe d'horodatage Unix. Remplace + RandomIncludeTimestamp.
+ +
prefix=chaîne
+
Préfixe personnalisé. Remplace + RandomPrefix.
+ +
suffix=chaîne
+
Suffixe personnalisé. Remplace + RandomSuffix.
+ +
ttl=secondes
+
TTL du cache en secondes (0-86400). Remplace + RandomTTL.
+
+ + Exemple + +# Jeton simple +RandomAddToken MY_TOKEN + +# Jeton avec paramètres personnalisés +RandomAddToken API_TOKEN length=32 format=hex header=X-API-Token + +# Jetons multiples +RandomAddToken CSRF_TOKEN +RandomAddToken REQUEST_ID format=base64url + + + +

Note : Jusqu'à 50 jetons peuvent être définis par + contexte de configuration pour prévenir les attaques DoS via une + configuration excessive.

+ + + + +RandomLength +Longueur par défaut du jeton en octets +RandomLength octets +RandomLength 16 + +server config +virtual host +directory +.htaccess + +All + + +

Définit le nombre par défaut d'octets aléatoires à générer pour + les jetons. La plage valide est de 1 à 1024 octets.

+ +

La valeur par défaut de 16 octets fournit 128 bits d'entropie, ce qui + est suffisant pour la plupart des applications de sécurité. Des valeurs + plus grandes fournissent plus d'entropie mais résultent en jetons encodés + plus longs.

+ + Exemple + +# Entropie de 256 bits +RandomLength 32 + + + + + + +RandomFormat +Format de sortie par défaut du jeton +RandomFormat base64|hex|base64url|custom +RandomFormat base64 + +server config +virtual host +directory +.htaccess + +All + + +

Définit le format d'encodage par défaut pour les jetons :

+ +
+
base64
+
Encodage base64 standard (RFC 4648). La sortie contient A-Z, a-z, + 0-9, +, /, et padding =. Bon pour usage général.
+ +
hex
+
Encodage hexadécimal (0-9, a-f). La sortie fait deux fois la + longueur en octets. Bon pour le débogage et la lisibilité.
+ +
base64url
+
Base64 sécurisé pour URL (RFC 4648). Utilise - et _ au lieu de + + et /, sans padding. Idéal pour URLs et en-têtes HTTP.
+ +
custom
+
Encodage avec alphabet personnalisé. Nécessite + RandomAlphabet. + Bon pour jetons lisibles par l'homme.
+
+ + Exemple + +RandomFormat base64url + + + + + + +RandomIncludeTimestamp +Inclure un préfixe d'horodatage dans les jetons +RandomIncludeTimestamp On|Off +RandomIncludeTimestamp Off + +server config +virtual host +directory +.htaccess + +All + + +

Lorsqu'activé, ajoute l'horodatage Unix actuel (secondes depuis epoch) + au début du jeton, séparé par un trait d'union.

+ +

Ceci est utile pour le débogage, la corrélation des journaux, ou la + vérification approximative de l'âge sans métadonnées cryptographiques.

+ + Exemple + +RandomIncludeTimestamp On +# Génère des jetons comme : 1701234567-Ab3dEf... + + + +

Note : Pour une validation d'expiration précise avec + vérification cryptographique, utilisez + RandomEncodeMetadata à la place.

+ + + + +RandomPrefix +Préfixe par défaut pour tous les jetons +RandomPrefix chaîne + +server config +virtual host +directory +.htaccess + +All + + +

Ajoute un préfixe fixe à tous les jetons générés. Utile pour + l'identification ou le versioning des jetons.

+ + Exemple + +RandomPrefix "csrf_" +# Génère des jetons comme : csrf_Ab3dEf... + + + + + + +RandomSuffix +Suffixe par défaut pour tous les jetons +RandomSuffix chaîne + +server config +virtual host +directory +.htaccess + +All + + +

Ajoute un suffixe fixe à tous les jetons générés. Utile pour le + versioning ou l'identification du format des jetons.

+ + Exemple + +RandomSuffix "_v2" +# Génère des jetons comme : Ab3dEf..._v2 + + + + + + +RandomTTL +TTL du cache pour les jetons en secondes +RandomTTL secondes +RandomTTL 0 + +server config +virtual host +directory +.htaccess + +All + + +

Active la mise en cache des jetons avec le temps de vie spécifié en + secondes. La plage valide est 0-86400 (24 heures). Une valeur de 0 + désactive la mise en cache.

+ +

La mise en cache réduit la charge CPU et la consommation d'entropie + pour les ressources fréquemment accédées. Chaque jeton a son propre cache + protégé par un mutex pour la sécurité des threads.

+ +

Le module gère les scénarios de recul d'horloge (corrections NTP) en + invalidant automatiquement les entrées de cache affectées.

+ + Exemple + +# Mettre en cache les jetons pendant 5 minutes +RandomTTL 300 + + + +

Note de sécurité : Les jetons en cache sont réutilisés + pour toutes les requêtes pendant la période TTL. Pour une unicité par + requête, conservez TTL à 0.

+ + + + +RandomOnlyFor +Générer des jetons uniquement pour les motifs d'URL correspondants +RandomOnlyFor regex + +server config +virtual host +directory +.htaccess + +All + + +

Génère conditionnellement des jetons uniquement lorsque l'URI de la + requête correspond à l'expression régulière étendue spécifiée (POSIX ERE).

+ +

Ceci est utile pour un contrôle fin de la génération de jetons, comme + limiter à des points de terminaison API spécifiques.

+ + Exemple + +<Location "/api"> + # Générer uniquement pour les points de terminaison /api/v1/* + RandomOnlyFor "^/api/v1/" + RandomAddToken API_TOKEN +</Location> + + + + + + +RandomAlphabet +Jeu de caractères personnalisé pour format custom +RandomAlphabet caractères + +server config +virtual host +directory +.htaccess + +All + + +

Définit un alphabet personnalisé pour l'encodage au format + custom. Requis lorsque + RandomFormat est défini sur + custom.

+ +

L'alphabet doit contenir au moins 2 caractères uniques et pas plus de + 256. Les caractères en double sont rejetés.

+ + Exemple + +# Base32 de Crockford (lisible, sans caractères ambigus) +RandomFormat custom +RandomAlphabet "0123456789ABCDEFGHJKMNPQRSTVWXYZ" + + + +

Note : Les alphabets dont la taille n'est pas une + puissance de 2 peuvent introduire un léger biais dans la distribution + des caractères.

+ + + + +RandomAlphabetGrouping +Grouper la sortie de l'alphabet personnalisé tous les N caractères +RandomAlphabetGrouping N +RandomAlphabetGrouping 0 + +server config +virtual host +directory +.htaccess + +All + + +

Lors de l'utilisation du format custom, insère un séparateur + trait d'union tous les N caractères pour améliorer la lisibilité. + La plage valide est 0-128. Une valeur de 0 désactive le groupement.

+ + Exemple + +RandomFormat custom +RandomAlphabet "0123456789ABCDEFGHJKMNPQRSTVWXYZ" +RandomAlphabetGrouping 4 +# Génère des jetons comme : A3D5-7K9M-P2Q8-... + + + + + + +RandomEncodeMetadata +Encoder les métadonnées d'expiration dans les jetons +RandomEncodeMetadata On|Off +RandomEncodeMetadata Off + +server config +virtual host +directory +.htaccess + +All + + +

Lorsqu'activé, encode l'horodatage d'expiration et la signature + HMAC-SHA256 optionnelle dans le jeton. Nécessite que + RandomExpiry soit défini + supérieur à 0.

+ +

Si RandomSigningKey est + configuré, le jeton inclut une signature HMAC-SHA256 qui peut être + validée pour assurer l'intégrité.

+ +

Format du jeton : expiration:aléatoire:signature + (avec signature) ou expiration:aléatoire (sans signature).

+ + Exemple + +RandomEncodeMetadata On +RandomExpiry 3600 +RandomSigningKey "votre-clé-secrète" + + + + + + +RandomExpiry +Temps d'expiration du jeton en secondes +RandomExpiry secondes +RandomExpiry 0 + +server config +virtual host +directory +.htaccess + +All + + +

Définit le temps d'expiration du jeton en secondes lors de l'utilisation + de RandomEncodeMetadata. + La plage valide est 0-31536000 (1 an). Une valeur de 0 signifie pas + d'expiration.

+ + Exemple + +# Expiration de 1 heure +RandomExpiry 3600 + + + + + + +RandomSigningKey +Clé de signature HMAC-SHA256 pour validation de jetons +RandomSigningKey clé + +server config +virtual host +directory +.htaccess + +All + + +

Définit la clé secrète utilisée pour la génération de signature + HMAC-SHA256 lorsque + RandomEncodeMetadata est activé.

+ +

La clé doit être une chaîne forte et aléatoire. Elle doit être + gardée secrète et doit être identique sur tous les serveurs qui doivent + valider les jetons.

+ + Exemple + +RandomSigningKey "votre-clé-secrète-hmac-à-changer" + + + +

Avertissement de sécurité : Stockez la clé de + signature de manière sécurisée. Envisagez d'utiliser des variables + d'environnement ou des fichiers inclus avec permissions restreintes au + lieu de la coder en dur dans la configuration principale.

+ + + + diff --git a/docs/manual/mod/mod_random.xml.meta b/docs/manual/mod/mod_random.xml.meta new file mode 100644 index 00000000000..578bd47cda1 --- /dev/null +++ b/docs/manual/mod/mod_random.xml.meta @@ -0,0 +1,13 @@ + + + + + mod_random + /mod/ + .. + + + en + fr + + diff --git a/modules/random/INSTALL b/modules/random/INSTALL new file mode 100644 index 00000000000..ef9e3b448bc --- /dev/null +++ b/modules/random/INSTALL @@ -0,0 +1,135 @@ +INSTALLATION INSTRUCTIONS FOR mod_random +========================================= + +REQUIREMENTS +------------ +- Apache HTTP Server 2.4.x source tree +- OpenSSL development libraries (libssl-dev) +- APR (Apache Portable Runtime) - included with Apache +- C compiler (gcc or clang) + +BUILDING WITH APACHE +-------------------- + +1. Place mod_random in Apache modules directory: + $ cd /path/to/httpd/source + $ ls modules/random/ + # Should see: mod_random.c, config.m4, Makefile.in, etc. + +2. Regenerate Apache configuration: + $ cd /path/to/httpd/source + $ ./buildconf + + This will scan all modules (including mod_random) and regenerate + the configure script. + +3. Configure Apache with mod_random enabled: + $ ./configure --enable-random [other options] + + Options: + --enable-random Build mod_random as shared module (default) + --enable-random=yes Build mod_random as shared module + --enable-random=no Do not build mod_random + --enable-random=shared Build as shared .so (DSO) + --enable-random=static Build statically into httpd + +4. Build Apache: + $ make + +5. Install Apache (optional): + $ sudo make install + +VERIFYING INSTALLATION +---------------------- + +1. Check if module was built: + $ ls modules/random/.libs/ + # Should see: mod_random.so (or .la files) + +2. Check if module can be loaded: + $ /path/to/httpd -l + # For static build, mod_random should be listed + + $ /path/to/httpd -M | grep random + # For shared build with LoadModule directive: + random_module (shared) + +ENABLING THE MODULE +------------------- + +For shared module builds, add to httpd.conf: + + LoadModule random_module modules/mod_random.so + +Or use apxs: + + $ apxs -i -a -c mod_random.c [other .c files] + +BASIC CONFIGURATION +------------------- + +Add to httpd.conf or .htaccess: + + + RandomLength 32 + RandomFormat base64url + RandomAddToken CSRF_TOKEN header=X-CSRF-Token + + +TESTING +------- + +1. Start Apache: + $ /path/to/httpd -k start + +2. Make a request: + $ curl -v http://localhost/secure + # Check for X-CSRF-Token header in response + +3. Check logs for any errors: + $ tail -f /path/to/apache/logs/error_log + +REBUILDING AFTER CHANGES +------------------------- + +If you modify mod_random source: + +1. Rebuild only mod_random: + $ cd modules/random + $ make + +2. Or rebuild all of Apache: + $ cd /path/to/httpd/source + $ make + +3. Restart Apache to load new version: + $ /path/to/httpd -k restart + +TROUBLESHOOTING +--------------- + +Problem: "configure: error: OpenSSL not found" +Solution: Install OpenSSL development libraries: + $ sudo apt-get install libssl-dev # Debian/Ubuntu + $ sudo yum install openssl-devel # RedHat/CentOS + +Problem: "mod_random.so: undefined symbol: HMAC" +Solution: Ensure OpenSSL libraries are linked: + Check that config.m4 includes: APR_ADDTO(MOD_RANDOM_LDADD, [$OPENSSL_LIBS]) + +Problem: Module loads but directives not recognized +Solution: Ensure module is loaded before use: + Check LoadModule directive comes before configuration directives + +Problem: ./buildconf fails +Solution: Install autoconf and libtool: + $ sudo apt-get install autoconf libtool + +UNINSTALLING +------------ + +1. Remove LoadModule directive from httpd.conf +2. Restart Apache +3. (Optional) Remove mod_random.so from modules directory + +For more information, see README file. diff --git a/modules/random/Makefile.in b/modules/random/Makefile.in new file mode 100644 index 00000000000..7c5c149d852 --- /dev/null +++ b/modules/random/Makefile.in @@ -0,0 +1,3 @@ +# a modules Makefile has no explicit targets -- they will be defined by +# whatever modules are enabled. just grab special.mk to deal with this. +include $(top_srcdir)/build/special.mk diff --git a/modules/random/README b/modules/random/README new file mode 100644 index 00000000000..6c2e811a7f6 --- /dev/null +++ b/modules/random/README @@ -0,0 +1,79 @@ +mod_random - Cryptographically Secure Random Token Generation Module +====================================================================== + +PURPOSE +------- +Generates cryptographically secure random strings and injects them into +environment variables and/or HTTP headers for each HTTP request. + +FEATURES +-------- +- CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) +- Multiple output formats: base64, hex, base64url, custom alphabet +- HMAC-SHA256 token signing with metadata +- TTL-based caching for performance +- Thread-safe with per-token mutex +- Pattern-based URL filtering +- Prefix/suffix support +- Timestamp inclusion +- Multiple tokens per request + +USE CASES +--------- +- CSRF (Cross-Site Request Forgery) tokens +- Request IDs for logging/tracing +- Nonces for Content Security Policy +- One-time tokens +- Session identifiers + +SECURITY +-------- +- Uses apr_generate_random_bytes() for entropy +- Default 128 bits of entropy (16 bytes) +- HMAC-SHA256 signatures via OpenSSL +- DoS protection via configurable limits +- Clock backward handling (NTP corrections) + +DEPENDENCIES +------------ +- OpenSSL (libssl, libcrypto) +- APR (Apache Portable Runtime) + +CONFIGURATION DIRECTIVES +------------------------- +RandomLength - Token length in bytes (1-1024, default: 16) +RandomFormat - Output format: base64|hex|base64url|custom +RandomIncludeTimestamp - Add timestamp prefix (On|Off) +RandomPrefix - Prefix for all tokens +RandomSuffix - Suffix for all tokens +RandomTTL - Cache TTL in seconds (0-86400) +RandomOnlyFor - URL pattern regex filter +RandomAlphabet - Custom character set +RandomAlphabetGrouping - Group custom output every N chars +RandomExpiry - Token expiration time (0-31536000) +RandomEncodeMetadata - Encode expiry metadata (On|Off) +RandomSigningKey - HMAC-SHA256 signing key +RandomAddToken - Add token: VAR_NAME [key=value ...] + +EXAMPLE +------- + + # Generate CSRF token with 32-byte entropy + RandomLength 32 + RandomFormat base64url + RandomTTL 300 + RandomAddToken CSRF_TOKEN header=X-CSRF-Token + + +AUTHOR +------ +Developed using Apache module best practices and security standards. + +LICENSE +------- +See Apache License 2.0 + +MORE INFORMATION +---------------- +For detailed documentation, configuration examples, and API reference, +see the module source code and test suite. diff --git a/modules/random/config.m4 b/modules/random/config.m4 new file mode 100644 index 00000000000..06324627408 --- /dev/null +++ b/modules/random/config.m4 @@ -0,0 +1,35 @@ +dnl Licensed to the Apache Software Foundation (ASF) under one or more +dnl contributor license agreements. See the NOTICE file distributed with +dnl this work for additional information regarding copyright ownership. +dnl The ASF licenses this file to You under the Apache License, Version 2.0 + +APACHE_MODPATH_INIT(random) + +dnl mod_random - Cryptographically secure random token generation module +dnl Uses OpenSSL for HMAC-SHA256 signatures +random_objs="dnl +mod_random.lo dnl +mod_random_config.lo dnl +mod_random_encode.lo dnl +mod_random_crypto.lo dnl +mod_random_token.lo" + +dnl Hook module into Autoconf (--enable-random option) +APACHE_MODULE(random, [Cryptographically secure random token generation], $random_objs, , most, [ + APACHE_CHECK_OPENSSL + if test "$ac_cv_openssl" = "yes" ; then + if test "x$enable_random" = "xshared"; then + # Export only the module structure symbol + APR_ADDTO(MOD_RANDOM_LDADD, [-export-symbols-regex random_module]) + fi + APR_ADDTO(MOD_RANDOM_LDADD, [$OPENSSL_LIBS]) + APR_ADDTO(INCLUDES, [$OPENSSL_INCLUDES]) + else + enable_random=no + fi +]) + +dnl Ensure other modules can pick up mod_random.h if needed +APR_ADDTO(INCLUDES, [-I\$(top_srcdir)/$modpath_current]) + +APACHE_MODPATH_FINISH diff --git a/modules/random/mod_random.c b/modules/random/mod_random.c new file mode 100644 index 00000000000..71a7b059278 --- /dev/null +++ b/modules/random/mod_random.c @@ -0,0 +1,112 @@ +/* + * mod_random - Apache module for generating cryptographically secure random tokens + * + * Purpose: + * Generates cryptographically secure random strings and injects them into + * environment variables and/or HTTP headers for each HTTP request. + * + * Use cases: + * - CSRF tokens + * - Request IDs for logging/tracing (non-unique, probabilistic) + * - Nonces for security headers (CSP, etc.) + * - One-time tokens + * + * Security notes: + * - Uses CSPRNG (apr_generate_random_bytes) + * - NOT guaranteed unique - collision probability exists but is negligible + * - Default 16 bytes = 128 bits of entropy + * - For guaranteed unique IDs, use mod_unique_id instead + */ + +#include "mod_random.h" +#include "http_log.h" +#include "http_protocol.h" +#include "http_request.h" + +/* Forward declaration */ +extern module AP_MODULE_DECLARE_DATA random_module; + +/* Request hook - generate and inject random tokens */ +static int random_fixups(request_rec *r) +{ + random_config *cfg; + char *final_token; + int final_length; + random_format_t final_format; + int final_include_timestamp; + int final_ttl; + random_token_spec *spec; + + if (r->main) { + return DECLINED; + } + + cfg = ap_get_module_config(r->per_dir_config, &random_module); + if (!cfg) { + return DECLINED; + } + + /* No tokens configured - nothing to do */ + if (!cfg->token_specs) { + return DECLINED; + } + + /* Apply defaults for token generation */ + final_length = (cfg->length != RANDOM_LENGTH_UNSET) ? cfg->length : RANDOM_LENGTH_DEFAULT; + final_format = (cfg->format != RANDOM_FORMAT_UNSET) ? cfg->format : RANDOM_FORMAT_BASE64; + final_include_timestamp = (cfg->include_timestamp != RANDOM_ENABLED_UNSET) ? cfg->include_timestamp : 0; + final_ttl = (cfg->ttl_seconds != RANDOM_TTL_UNSET) ? cfg->ttl_seconds : 0; + + /* Check URL pattern if configured */ + if (cfg->url_pattern) { + if (ap_regexec(cfg->url_pattern, r->uri, 0, NULL, 0) != 0) { + return DECLINED; /* Pattern doesn't match */ + } + } + + /* Generate all configured tokens */ + for (spec = cfg->token_specs; spec; spec = spec->next) { + final_token = random_generate_token_from_spec(r, cfg, spec, + final_length, final_format, + final_include_timestamp, + cfg->prefix, cfg->suffix, + final_ttl, + &spec->cached_token, &spec->cache_time, + spec->cache_mutex, spec->pool); + + /* Check if token generation failed (CSPRNG error) */ + if (!final_token) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "mod_random: Failed to generate token for %s - skipping", + spec->var_name); + continue; /* Skip this token but try to generate others */ + } + + /* Set environment variable */ + apr_table_set(r->subprocess_env, spec->var_name, final_token); + + /* Set HTTP header if configured */ + if (spec->header_name) { + apr_table_set(r->headers_out, spec->header_name, final_token); + } + } + + return DECLINED; +} + +/* Register hooks */ +static void random_register_hooks(apr_pool_t *p) +{ + ap_hook_fixups(random_fixups, NULL, NULL, APR_HOOK_MIDDLE); +} + +/* Module declaration */ +module AP_MODULE_DECLARE_DATA random_module = { + STANDARD20_MODULE_STUFF, + random_create_config, + random_merge_config, + NULL, + NULL, + random_directives, + random_register_hooks +}; diff --git a/modules/random/mod_random.h b/modules/random/mod_random.h new file mode 100644 index 00000000000..af6df56fc2e --- /dev/null +++ b/modules/random/mod_random.h @@ -0,0 +1,46 @@ +/* + * mod_random.h - Public API declarations + */ + +#ifndef MOD_RANDOM_H +#define MOD_RANDOM_H + +#include "httpd.h" +#include "http_config.h" +#include "apr_pools.h" +#include "mod_random_types.h" + +/* Module declaration */ +extern module AP_MODULE_DECLARE_DATA random_module; + +/* Configuration functions (mod_random_config.c) */ +void *random_create_config(apr_pool_t *pool, char *dir); +void *random_merge_config(apr_pool_t *pool, void *base, void *override); +extern const command_rec random_directives[]; + +/* Encoding functions (mod_random_encode.c) */ +char *random_encode_hex(apr_pool_t *pool, const unsigned char *data, int length); +char *random_encode_base64url(apr_pool_t *pool, const char *data, int length); +char *random_encode_custom_alphabet(apr_pool_t *pool, const unsigned char *data, + int length, const char *alphabet, int grouping); +char *random_generate_string_ex(apr_pool_t *pool, int length, random_format_t format, + const char *alphabet, int grouping); +char *random_generate_string(apr_pool_t *pool, int length, random_format_t format); + +/* Crypto functions (mod_random_crypto.c) */ +void random_hmac_sha256(apr_pool_t *pool, const char *key, apr_size_t key_len, + const char *data, apr_size_t data_len, unsigned char *digest); +char *random_encode_with_metadata(apr_pool_t *pool, const char *token, + int expiry_seconds, const char *signing_key); + +/* Token generation (mod_random_token.c) */ +char *random_generate_token_from_spec(request_rec *r, const random_config *cfg, + const random_token_spec *spec, + int default_length, random_format_t default_format, + int default_timestamp, + const char *default_prefix, const char *default_suffix, + int default_ttl, + char **cached_token, apr_time_t *cache_time, + apr_thread_mutex_t *cache_mutex, apr_pool_t *cache_pool); + +#endif /* MOD_RANDOM_H */ diff --git a/modules/random/mod_random_config.c b/modules/random/mod_random_config.c new file mode 100644 index 00000000000..cefa6d9a78a --- /dev/null +++ b/modules/random/mod_random_config.c @@ -0,0 +1,456 @@ +/* + * mod_random_config.c - Configuration directives and handlers + */ + +#include "mod_random.h" +#include "apr_strings.h" +#include "apr_thread_mutex.h" +#include "ap_regex.h" +#include +#include + +/* Helper function to copy a token spec to a new pool */ +static random_token_spec *copy_token_spec(apr_pool_t *pool, random_token_spec *src) +{ + random_token_spec *new_spec = apr_pcalloc(pool, sizeof(random_token_spec)); + + new_spec->var_name = src->var_name; + new_spec->length = src->length; + new_spec->format = src->format; + new_spec->header_name = src->header_name; + new_spec->include_timestamp = src->include_timestamp; + new_spec->prefix = src->prefix; + new_spec->suffix = src->suffix; + new_spec->ttl_seconds = src->ttl_seconds; + new_spec->cached_token = NULL; /* Don't inherit cache */ + new_spec->cache_time = 0; + new_spec->pool = pool; + new_spec->next = NULL; + + /* Thread-safe cache requires mutex - verify creation succeeded */ + if (apr_thread_mutex_create(&new_spec->cache_mutex, + APR_THREAD_MUTEX_DEFAULT, pool) != APR_SUCCESS) { + /* Mutex creation failed - disable caching for this token */ + new_spec->cache_mutex = NULL; + } + + return new_spec; +} + +/* Create per-directory configuration */ +void *random_create_config(apr_pool_t *pool, char *dir) +{ + random_config *cfg = apr_pcalloc(pool, sizeof(random_config)); + + /* Default values for RandomAddToken */ + cfg->length = RANDOM_LENGTH_UNSET; + cfg->format = RANDOM_FORMAT_UNSET; + cfg->include_timestamp = RANDOM_ENABLED_UNSET; + cfg->prefix = NULL; + cfg->suffix = NULL; + cfg->ttl_seconds = RANDOM_TTL_UNSET; + + /* Global settings */ + cfg->url_pattern = NULL; + cfg->pool = pool; + cfg->token_specs = NULL; + + /* Custom alphabet settings */ + cfg->custom_alphabet = NULL; + cfg->alphabet_grouping = RANDOM_GROUPING_UNSET; + + /* Metadata encoding settings */ + cfg->expiry_seconds = RANDOM_EXPIRY_UNSET; + cfg->encode_metadata = RANDOM_ENABLED_UNSET; + cfg->signing_key = NULL; + + return cfg; +} + +/* Merge configurations (parent < child) */ +void *random_merge_config(apr_pool_t *pool, void *base, void *override) +{ + random_config *parent = (random_config *)base; + random_config *child = (random_config *)override; + random_config *merged = apr_pcalloc(pool, sizeof(random_config)); + random_token_spec *spec, *new_spec, *last_spec = NULL; + + /* Child settings take precedence if explicitly set, otherwise inherit from parent */ + merged->length = (child->length != RANDOM_LENGTH_UNSET) ? child->length : parent->length; + merged->format = (child->format != RANDOM_FORMAT_UNSET) ? child->format : parent->format; + merged->include_timestamp = (child->include_timestamp != RANDOM_ENABLED_UNSET) ? child->include_timestamp : parent->include_timestamp; + merged->prefix = child->prefix ? child->prefix : parent->prefix; + merged->suffix = child->suffix ? child->suffix : parent->suffix; + merged->ttl_seconds = (child->ttl_seconds != RANDOM_TTL_UNSET) ? child->ttl_seconds : parent->ttl_seconds; + + /* Global settings */ + merged->url_pattern = child->url_pattern ? child->url_pattern : parent->url_pattern; + merged->pool = pool; + + /* Custom alphabet settings */ + merged->custom_alphabet = child->custom_alphabet ? child->custom_alphabet : parent->custom_alphabet; + merged->alphabet_grouping = (child->alphabet_grouping != RANDOM_GROUPING_UNSET) ? child->alphabet_grouping : parent->alphabet_grouping; + + /* Metadata encoding settings */ + merged->expiry_seconds = (child->expiry_seconds != RANDOM_EXPIRY_UNSET) ? child->expiry_seconds : parent->expiry_seconds; + merged->encode_metadata = (child->encode_metadata != RANDOM_ENABLED_UNSET) ? child->encode_metadata : parent->encode_metadata; + merged->signing_key = child->signing_key ? child->signing_key : parent->signing_key; + + /* Merge token specs: inherit parent's tokens, then add child's tokens */ + merged->token_specs = NULL; + int token_count = 0; + + /* Copy parent's token specs */ + for (spec = parent->token_specs; spec; spec = spec->next) { + /* Enforce RANDOM_MAX_TOKENS limit to prevent DoS via config merge */ + if (token_count >= RANDOM_MAX_TOKENS) { + break; /* Silently skip excess tokens - logged at server startup */ + } + + new_spec = copy_token_spec(pool, spec); + + if (!merged->token_specs) { + merged->token_specs = new_spec; + } else { + last_spec->next = new_spec; + } + last_spec = new_spec; + token_count++; + } + + /* Append child's token specs */ + for (spec = child->token_specs; spec; spec = spec->next) { + /* Enforce RANDOM_MAX_TOKENS limit to prevent DoS via config merge */ + if (token_count >= RANDOM_MAX_TOKENS) { + break; /* Silently skip excess tokens - logged at server startup */ + } + + new_spec = copy_token_spec(pool, spec); + + if (!merged->token_specs) { + merged->token_specs = new_spec; + } else { + last_spec->next = new_spec; + } + last_spec = new_spec; + token_count++; + } + + return merged; +} + +/* Directive handlers */ +static const char *set_random_length(cmd_parms *cmd, void *cfg, const char *arg) +{ + random_config *config = (random_config *)cfg; + char *endptr; + long length = strtol(arg, &endptr, 10); + + if (*endptr != '\0' || length < RANDOM_LENGTH_MIN || length > RANDOM_LENGTH_MAX) { + return apr_psprintf(cmd->pool, "RandomLength must be between %d and %d", + RANDOM_LENGTH_MIN, RANDOM_LENGTH_MAX); + } + + config->length = (int)length; + return NULL; +} + +static const char *set_random_format(cmd_parms *cmd, void *cfg, const char *arg) +{ + random_config *config = (random_config *)cfg; + + if (strcasecmp(arg, "base64") == 0) { + config->format = RANDOM_FORMAT_BASE64; + } else if (strcasecmp(arg, "hex") == 0) { + config->format = RANDOM_FORMAT_HEX; + } else if (strcasecmp(arg, "base64url") == 0) { + config->format = RANDOM_FORMAT_BASE64URL; + } else if (strcasecmp(arg, "custom") == 0) { + config->format = RANDOM_FORMAT_CUSTOM; + } else { + return "RandomFormat must be one of: base64, hex, base64url, custom"; + } + + return NULL; +} + +static const char *set_random_timestamp(cmd_parms *cmd, void *cfg, int flag) +{ + random_config *config = (random_config *)cfg; + config->include_timestamp = flag; + return NULL; +} + +static const char *set_random_prefix(cmd_parms *cmd, void *cfg, const char *arg) +{ + random_config *config = (random_config *)cfg; + config->prefix = apr_pstrdup(cmd->pool, arg); + return NULL; +} + +static const char *set_random_suffix(cmd_parms *cmd, void *cfg, const char *arg) +{ + random_config *config = (random_config *)cfg; + config->suffix = apr_pstrdup(cmd->pool, arg); + return NULL; +} + +static const char *set_random_pattern(cmd_parms *cmd, void *cfg, const char *arg) +{ + random_config *config = (random_config *)cfg; + config->url_pattern = ap_pregcomp(cmd->pool, arg, AP_REG_EXTENDED); + + if (!config->url_pattern) { + return apr_psprintf(cmd->pool, "RandomOnlyFor: Invalid regex pattern '%s'", arg); + } + + return NULL; +} + +static const char *set_random_ttl(cmd_parms *cmd, void *cfg, const char *arg) +{ + random_config *config = (random_config *)cfg; + char *endptr; + long ttl = strtol(arg, &endptr, 10); + + if (*endptr != '\0' || ttl < 0 || ttl > RANDOM_TTL_MAX_SECONDS) { + return apr_psprintf(cmd->pool, "RandomTTL must be between 0 and %d seconds (24 hours)", RANDOM_TTL_MAX_SECONDS); + } + + config->ttl_seconds = (int)ttl; + return NULL; +} + +static const char *set_random_alphabet(cmd_parms *cmd, void *cfg, const char *arg) +{ + random_config *config = (random_config *)cfg; + int len, i; + unsigned char seen[256] = {0}; + + if (!arg || !*arg) { + return "RandomAlphabet: alphabet cannot be empty"; + } + + len = strlen(arg); + if (len < RANDOM_ALPHABET_MIN_SIZE) { + return apr_psprintf(cmd->pool, "RandomAlphabet: alphabet must contain at least %d characters", RANDOM_ALPHABET_MIN_SIZE); + } + + if (len > RANDOM_ALPHABET_MAX_SIZE) { + return apr_psprintf(cmd->pool, "RandomAlphabet: alphabet too long (max %d characters)", RANDOM_ALPHABET_MAX_SIZE); + } + + /* Check for duplicate characters */ + for (i = 0; i < len; i++) { + unsigned char c = (unsigned char)arg[i]; + if (seen[c]) { + return apr_psprintf(cmd->pool, + "RandomAlphabet: duplicate character '%c' at position %d", arg[i], i); + } + seen[c] = 1; + } + + config->custom_alphabet = apr_pstrdup(cmd->pool, arg); + return NULL; +} + +static const char *set_alphabet_grouping(cmd_parms *cmd, void *cfg, const char *arg) +{ + random_config *config = (random_config *)cfg; + char *endptr; + long grouping = strtol(arg, &endptr, 10); + + if (*endptr != '\0' || grouping < 0 || grouping > RANDOM_GROUPING_MAX) { + return apr_psprintf(cmd->pool, "RandomAlphabetGrouping must be between 0 and %d (0 = no grouping)", RANDOM_GROUPING_MAX); + } + + config->alphabet_grouping = (int)grouping; + return NULL; +} + +static const char *set_random_expiry(cmd_parms *cmd, void *cfg, const char *arg) +{ + random_config *config = (random_config *)cfg; + char *endptr; + long expiry = strtol(arg, &endptr, 10); + + if (*endptr != '\0' || expiry < 0 || expiry > RANDOM_EXPIRY_MAX_SECONDS) { + return apr_psprintf(cmd->pool, "RandomExpiry must be between 0 and %d seconds (1 year)", RANDOM_EXPIRY_MAX_SECONDS); + } + + config->expiry_seconds = (int)expiry; + return NULL; +} + +static const char *set_encode_metadata(cmd_parms *cmd, void *cfg, int flag) +{ + random_config *config = (random_config *)cfg; + config->encode_metadata = flag; + return NULL; +} + +static const char *set_signing_key(cmd_parms *cmd, void *cfg, const char *arg) +{ + random_config *config = (random_config *)cfg; + + if (!arg || !*arg) { + return "RandomSigningKey: key cannot be empty"; + } + + config->signing_key = apr_pstrdup(cmd->pool, arg); + return NULL; +} + +static const char *add_random_token(cmd_parms *cmd, void *cfg, const char *args) +{ + random_config *config = (random_config *)cfg; + random_token_spec *spec, *last_spec; + char *token, *key, *value, *args_copy, *var_name; + char *endptr; + long num_val; + int token_count = 0; + + if (!args || !*args) { + return "RandomAddToken: variable name is required"; + } + + /* Count existing tokens to enforce limit */ + for (spec = config->token_specs; spec; spec = spec->next) { + token_count++; + } + + if (token_count >= RANDOM_MAX_TOKENS) { + return apr_psprintf(cmd->pool, + "RandomAddToken: maximum number of tokens (%d) exceeded", RANDOM_MAX_TOKENS); + } + + /* Parse arguments: first token is variable name, rest are key=value pairs */ + args_copy = apr_pstrdup(cmd->pool, args); + var_name = apr_strtok(args_copy, " \t", &args_copy); + + if (!var_name || !*var_name) { + return "RandomAddToken: variable name is required"; + } + + /* Create new token spec with defaults */ + spec = apr_pcalloc(cmd->pool, sizeof(random_token_spec)); + spec->var_name = apr_pstrdup(cmd->pool, var_name); + spec->length = RANDOM_LENGTH_UNSET; + spec->format = RANDOM_FORMAT_UNSET; + spec->header_name = NULL; + spec->include_timestamp = RANDOM_ENABLED_UNSET; + spec->prefix = NULL; + spec->suffix = NULL; + spec->ttl_seconds = RANDOM_TTL_UNSET; + spec->cached_token = NULL; + spec->cache_time = 0; + spec->pool = cmd->pool; + spec->next = NULL; + + /* Create mutex for this token's cache protection (thread-safe) */ + if (apr_thread_mutex_create(&spec->cache_mutex, APR_THREAD_MUTEX_DEFAULT, cmd->pool) != APR_SUCCESS) { + /* Mutex creation failed - disable caching for this token */ + spec->cache_mutex = NULL; + } + + /* Parse optional key=value arguments */ + token = apr_strtok(NULL, " \t", &args_copy); + while (token) { + key = token; + value = strchr(token, '='); + if (!value) { + return apr_psprintf(cmd->pool, "RandomAddToken: invalid argument '%s' (expected key=value)", token); + } + *value++ = '\0'; + + if (strcasecmp(key, "length") == 0) { + num_val = strtol(value, &endptr, 10); + if (*endptr != '\0' || num_val < RANDOM_LENGTH_MIN || num_val > RANDOM_LENGTH_MAX) { + return apr_psprintf(cmd->pool, "RandomAddToken: invalid length %ld (must be %d-%d)", + num_val, RANDOM_LENGTH_MIN, RANDOM_LENGTH_MAX); + } + spec->length = (int)num_val; + } else if (strcasecmp(key, "format") == 0) { + if (strcasecmp(value, "base64") == 0) { + spec->format = RANDOM_FORMAT_BASE64; + } else if (strcasecmp(value, "hex") == 0) { + spec->format = RANDOM_FORMAT_HEX; + } else if (strcasecmp(value, "base64url") == 0) { + spec->format = RANDOM_FORMAT_BASE64URL; + } else if (strcasecmp(value, "custom") == 0) { + spec->format = RANDOM_FORMAT_CUSTOM; + } else { + return apr_psprintf(cmd->pool, "RandomAddToken: invalid format '%s' (must be base64, hex, base64url, or custom)", value); + } + } else if (strcasecmp(key, "header") == 0) { + spec->header_name = apr_pstrdup(cmd->pool, value); + } else if (strcasecmp(key, "timestamp") == 0) { + if (strcasecmp(value, "on") == 0 || strcasecmp(value, "1") == 0) { + spec->include_timestamp = 1; + } else if (strcasecmp(value, "off") == 0 || strcasecmp(value, "0") == 0) { + spec->include_timestamp = 0; + } else { + return apr_psprintf(cmd->pool, "RandomAddToken: invalid timestamp value '%s' (must be on/off)", value); + } + } else if (strcasecmp(key, "prefix") == 0) { + spec->prefix = apr_pstrdup(cmd->pool, value); + } else if (strcasecmp(key, "suffix") == 0) { + spec->suffix = apr_pstrdup(cmd->pool, value); + } else if (strcasecmp(key, "ttl") == 0) { + num_val = strtol(value, &endptr, 10); + if (*endptr != '\0' || num_val < 0 || num_val > RANDOM_TTL_MAX_SECONDS) { + return apr_psprintf(cmd->pool, "RandomAddToken: invalid ttl %ld (must be 0-%d)", + num_val, RANDOM_TTL_MAX_SECONDS); + } + spec->ttl_seconds = (int)num_val; + } else { + return apr_psprintf(cmd->pool, "RandomAddToken: unknown parameter '%s'", key); + } + + token = apr_strtok(NULL, " \t", &args_copy); + } + + /* Add to end of linked list */ + if (!config->token_specs) { + config->token_specs = spec; + } else { + last_spec = config->token_specs; + while (last_spec->next) { + last_spec = last_spec->next; + } + last_spec->next = spec; + } + + return NULL; +} + +/* Configuration directives table */ +const command_rec random_directives[] = { + AP_INIT_TAKE1("RandomLength", set_random_length, NULL, OR_ALL, + "Default token length in bytes for RandomAddToken (default: 16)"), + AP_INIT_TAKE1("RandomFormat", set_random_format, NULL, OR_ALL, + "Default output format for RandomAddToken: base64, hex, base64url, custom (default: base64)"), + AP_INIT_FLAG("RandomIncludeTimestamp", set_random_timestamp, NULL, OR_ALL, + "Default timestamp inclusion for RandomAddToken (default: Off)"), + AP_INIT_TAKE1("RandomPrefix", set_random_prefix, NULL, OR_ALL, + "Default prefix for all tokens (optional)"), + AP_INIT_TAKE1("RandomSuffix", set_random_suffix, NULL, OR_ALL, + "Default suffix for all tokens (optional)"), + AP_INIT_TAKE1("RandomOnlyFor", set_random_pattern, NULL, OR_ALL, + "Regex pattern to match URLs for conditional token generation (optional)"), + AP_INIT_TAKE1("RandomTTL", set_random_ttl, NULL, OR_ALL, + "Default cache TTL for RandomAddToken in seconds (0-86400, default: 0 = no cache)"), + AP_INIT_TAKE1("RandomAlphabet", set_random_alphabet, NULL, OR_ALL, + "Set custom character set for 'custom' format (e.g., '0123456789ABCDEFGHJKMNPQRSTVWXYZ')"), + AP_INIT_TAKE1("RandomAlphabetGrouping", set_alphabet_grouping, NULL, OR_ALL, + "Group custom alphabet output every N characters with '-' (0 = no grouping)"), + AP_INIT_TAKE1("RandomExpiry", set_random_expiry, NULL, OR_ALL, + "Set token expiration time in seconds (0-31536000, requires RandomEncodeMetadata On)"), + AP_INIT_FLAG("RandomEncodeMetadata", set_encode_metadata, NULL, OR_ALL, + "Encode expiry metadata into token (requires RandomExpiry > 0)"), + AP_INIT_TAKE1("RandomSigningKey", set_signing_key, NULL, OR_ALL, + "Set HMAC-SHA256 signing key for token validation (optional, for metadata mode)"), + AP_INIT_RAW_ARGS("RandomAddToken", add_random_token, NULL, OR_ALL, + "Add a token with custom configuration: RandomAddToken VAR_NAME [key=value ...]"), + {NULL} +}; diff --git a/modules/random/mod_random_crypto.c b/modules/random/mod_random_crypto.c new file mode 100644 index 00000000000..08d2071a988 --- /dev/null +++ b/modules/random/mod_random_crypto.c @@ -0,0 +1,60 @@ +/* + * mod_random_crypto.c - HMAC-SHA256 and metadata encoding functions + */ + +#include "mod_random.h" +#include "apr_strings.h" +#include +#include +#include + +#define HMAC_SHA256_DIGESTSIZE 32 + +/* HMAC-SHA256 implementation using OpenSSL */ +void random_hmac_sha256(apr_pool_t *pool, const char *key, apr_size_t key_len, + const char *data, apr_size_t data_len, unsigned char *digest) +{ + unsigned int digest_len = 0; + + /* Use OpenSSL HMAC with SHA256 */ + HMAC(EVP_sha256(), + key, (int)key_len, + (const unsigned char *)data, (int)data_len, + digest, &digest_len); +} + +/* Encode token with metadata (expiry timestamp) and optional HMAC-SHA256 signature */ +char *random_encode_with_metadata(apr_pool_t *pool, const char *token, + int expiry_seconds, const char *signing_key) +{ + apr_time_t now; + time_t now_sec, expiry_time; + char *payload, *final_token; + unsigned char hmac_digest[HMAC_SHA256_DIGESTSIZE]; + char *hmac_hex; + + now = apr_time_now(); + now_sec = apr_time_sec(now); + expiry_time = now_sec + expiry_seconds; + + if (signing_key && *signing_key) { + /* Format: expiry:token:signature */ + /* Create payload for signing */ + payload = apr_psprintf(pool, "%ld:%s", (long)expiry_time, token); + + /* Generate HMAC-SHA256 signature */ + random_hmac_sha256(pool, signing_key, strlen(signing_key), + payload, strlen(payload), hmac_digest); + + /* Convert HMAC to hex */ + hmac_hex = random_encode_hex(pool, hmac_digest, HMAC_SHA256_DIGESTSIZE); + + /* Final token with signature */ + final_token = apr_psprintf(pool, "%ld:%s:%s", (long)expiry_time, token, hmac_hex); + } else { + /* Format: expiry:token (no signature) */ + final_token = apr_psprintf(pool, "%ld:%s", (long)expiry_time, token); + } + + return final_token; +} diff --git a/modules/random/mod_random_encode.c b/modules/random/mod_random_encode.c new file mode 100644 index 00000000000..3eee8d3a556 --- /dev/null +++ b/modules/random/mod_random_encode.c @@ -0,0 +1,178 @@ +/* + * mod_random_encode.c - Encoding functions (hex, base64, base64url, custom alphabet) + */ + +#include "mod_random.h" +#include "apr_base64.h" +#include "apr_strings.h" +#include + +/* Encode binary data to hexadecimal string */ +char *random_encode_hex(apr_pool_t *pool, const unsigned char *data, int length) +{ + static const char hex_chars[] = "0123456789abcdef"; + char *hex_string; + int i; + + hex_string = apr_palloc(pool, length * 2 + 1); + for (i = 0; i < length; i++) { + hex_string[i * 2] = hex_chars[(data[i] >> 4) & 0x0F]; + hex_string[i * 2 + 1] = hex_chars[data[i] & 0x0F]; + } + hex_string[length * 2] = '\0'; + + return hex_string; +} + +/* Encode to base64url (URL-safe base64 without padding) */ +char *random_encode_base64url(apr_pool_t *pool, const char *data, int length) +{ + char *base64_string; + char *p; + int encoded_len; + + encoded_len = apr_base64_encode_len(length); + base64_string = apr_palloc(pool, encoded_len); + apr_base64_encode(base64_string, data, length); + + /* Convert to base64url: replace + with -, / with _, remove = padding */ + for (p = base64_string; *p; p++) { + if (*p == '+') *p = '-'; + else if (*p == '/') *p = '_'; + else if (*p == '=') { + *p = '\0'; + break; + } + } + + return base64_string; +} + +/* Encode using custom alphabet with optional grouping */ +char *random_encode_custom_alphabet(apr_pool_t *pool, const unsigned char *data, int length, + const char *alphabet, int grouping) +{ + int alphabet_len, max_output_len, i, pos; + char *result, *p, *end; + unsigned long long value; /* Use 64-bit to prevent overflow */ + int bits_available, bits_needed; + + if (!alphabet || !*alphabet) { + /* Fallback to hex if no alphabet */ + return random_encode_hex(pool, data, length); + } + + alphabet_len = strlen(alphabet); + if (alphabet_len < 2) { + return random_encode_hex(pool, data, length); + } + + /* Calculate bits per character based on alphabet size */ + bits_needed = 0; + while ((1 << bits_needed) < alphabet_len) { + bits_needed++; + } + + /* Allocate maximum possible output length to prevent overflow */ + /* Worst case: (bytes * 8 / bits_per_char) + grouping separators + flush + null */ + max_output_len = ((length * 8) / bits_needed) + (length * 2) + 10; + if (grouping > 0) { + max_output_len += (max_output_len / grouping) + 10; + } + result = apr_palloc(pool, max_output_len); + p = result; + end = result + max_output_len - 1; /* Reserve space for null terminator */ + + /* Encode bytes using custom alphabet */ + value = 0; + bits_available = 0; + pos = 0; + + for (i = 0; i < length; i++) { + value = (value << 8) | data[i]; + bits_available += 8; + + while (bits_available >= bits_needed) { + unsigned int index; + + /* Ensure we don't overflow buffer */ + if (p >= end - 2) { /* Reserve space for separator and null */ + *p = '\0'; + return result; + } + + bits_available -= bits_needed; + index = (value >> bits_available) & ((1 << bits_needed) - 1); + + if (index < (unsigned int)alphabet_len) { + *p++ = alphabet[index]; + pos++; + + /* Add grouping separator if needed */ + if (grouping > 0 && pos % grouping == 0 && i < length - 1 && p < end - 1) { + *p++ = '-'; + } + } + } + } + + /* Flush remaining bits if any */ + if (bits_available > 0 && p < end) { + unsigned int index = (value << (bits_needed - bits_available)) & ((1 << bits_needed) - 1); + if (index < (unsigned int)alphabet_len) { + *p++ = alphabet[index]; + } + } + + *p = '\0'; + return result; +} + +/* Generate random string with specified format (extended version) */ +char *random_generate_string_ex(apr_pool_t *pool, int length, random_format_t format, + const char *alphabet, int grouping) +{ + unsigned char *random_bytes; + char *result; + int encoded_len; + apr_status_t rv; + + random_bytes = apr_palloc(pool, length); + + /* CRITICAL: Verify CSPRNG succeeded - security depends on this */ + rv = apr_generate_random_bytes(random_bytes, length); + if (rv != APR_SUCCESS) { + /* CSPRNG failed - this is a critical system error + * Return NULL to signal failure - caller must handle this */ + return NULL; + } + + switch (format) { + case RANDOM_FORMAT_HEX: + result = random_encode_hex(pool, random_bytes, length); + break; + + case RANDOM_FORMAT_BASE64URL: + result = random_encode_base64url(pool, (char *)random_bytes, length); + break; + + case RANDOM_FORMAT_CUSTOM: + result = random_encode_custom_alphabet(pool, random_bytes, length, alphabet, grouping); + break; + + case RANDOM_FORMAT_BASE64: + default: + encoded_len = apr_base64_encode_len(length); + result = apr_palloc(pool, encoded_len); + apr_base64_encode(result, (char *)random_bytes, length); + break; + } + + return result; +} + +/* Generate random string with specified format (simple version) */ +char *random_generate_string(apr_pool_t *pool, int length, random_format_t format) +{ + return random_generate_string_ex(pool, length, format, NULL, 0); +} diff --git a/modules/random/mod_random_token.c b/modules/random/mod_random_token.c new file mode 100644 index 00000000000..aa44dfbadcb --- /dev/null +++ b/modules/random/mod_random_token.c @@ -0,0 +1,237 @@ +/* + * mod_random_token.c - Token generation with caching and metadata + */ + +#include "mod_random.h" +#include "apr_time.h" +#include "apr_thread_mutex.h" +#include "apr_strings.h" +#include "http_log.h" + +/** + * Generate a token based on spec and defaults, with optional caching + * + * @param r Request record (required, must not be NULL) + * @param cfg Configuration (required, must not be NULL) + * @param spec Token specification (optional, can be NULL) + * @param default_* Default values to use if spec is NULL or unset + * @param cached_token Pointer to cached token string (for TTL caching) + * @param cache_time Pointer to cache timestamp + * @param cache_mutex Mutex for thread-safe cache access + * @param cache_pool Pool for cache allocation (must persist across requests) + * + * @return Generated token string, or NULL on critical error (CSPRNG failure) + * + * Thread-safety: This function is thread-safe when called with valid mutex. + * The cache is protected by mutex locks during read/write operations. + */ +char *random_generate_token_from_spec(request_rec *r, const random_config *cfg, + const random_token_spec *spec, + int default_length, random_format_t default_format, + int default_timestamp, + const char *default_prefix, const char *default_suffix, + int default_ttl, + char **cached_token, apr_time_t *cache_time, + apr_thread_mutex_t *cache_mutex, apr_pool_t *cache_pool) +{ + char *random_string, *final_token; + int use_cached = 0; + apr_time_t now = 0; /* Initialize to 0, will be set when needed */ + int final_length, final_timestamp, final_ttl; + random_format_t final_format; + const char *final_prefix, *final_suffix; + + /* CRITICAL: Validate required parameters */ + if (!r) { + /* Cannot log without request - this is a programming error */ + return NULL; + } + if (!cfg) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "mod_random: CRITICAL - NULL config passed to token generator"); + return NULL; + } + + /* Apply spec values or use defaults */ + final_length = (spec && spec->length != RANDOM_LENGTH_UNSET) ? spec->length : default_length; + final_format = (spec && spec->format != RANDOM_FORMAT_UNSET) ? spec->format : default_format; + final_timestamp = (spec && spec->include_timestamp != RANDOM_ENABLED_UNSET) ? spec->include_timestamp : default_timestamp; + final_prefix = (spec && spec->prefix) ? spec->prefix : default_prefix; + final_suffix = (spec && spec->suffix) ? spec->suffix : default_suffix; + final_ttl = (spec && spec->ttl_seconds != RANDOM_TTL_UNSET) ? spec->ttl_seconds : default_ttl; + + /* Defensive validation: ensure token length is within bounds */ + if (final_length < RANDOM_LENGTH_MIN || final_length > RANDOM_LENGTH_MAX) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "mod_random: Invalid token length %d, using default %d", + final_length, RANDOM_LENGTH_DEFAULT); + final_length = RANDOM_LENGTH_DEFAULT; + } + + /* Defensive validation: ensure format is valid */ + if (final_format < RANDOM_FORMAT_BASE64 || final_format > RANDOM_FORMAT_CUSTOM) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "mod_random: Invalid format %d, using BASE64", + (int)final_format); + final_format = RANDOM_FORMAT_BASE64; + } + + /* Defensive validation: ensure TTL is within bounds */ + if (final_ttl < 0 && final_ttl != RANDOM_TTL_UNSET) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "mod_random: Invalid TTL %d (negative), disabling cache", + final_ttl); + final_ttl = 0; /* Disable caching */ + } else if (final_ttl > RANDOM_TTL_MAX_SECONDS) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "mod_random: TTL %d exceeds maximum %d, clamping to max", + final_ttl, RANDOM_TTL_MAX_SECONDS); + final_ttl = RANDOM_TTL_MAX_SECONDS; + } + + /* Get current time once for cache check, timestamp, and cache update */ + if (final_ttl > 0 || final_timestamp) { + now = apr_time_now(); + } + + /* Check TTL cache with thread-safe mutex protection */ + if (final_ttl > 0 && cache_mutex && cached_token && cache_time && cache_pool) { + apr_status_t rv = apr_thread_mutex_lock(cache_mutex); + if (rv != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, + "mod_random: Failed to lock cache mutex - skipping cache read"); + /* Continue without cache - safer than risking race condition */ + } else { + if (*cached_token) { + /* Use time_t for clearer semantics - elapsed is in seconds */ + time_t elapsed = (time_t)apr_time_sec(now - *cache_time); + + /* Handle clock going backwards (NTP correction, manual change) */ + if (elapsed < 0) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "mod_random: System clock went backwards, invalidating cache"); + *cached_token = NULL; + *cache_time = 0; + } else if (elapsed < final_ttl) { + /* Valid cache hit - duplicate to request pool BEFORE unlock + * to prevent race condition where another thread could invalidate cache */ + final_token = apr_pstrdup(r->pool, *cached_token); + use_cached = 1; + } + } + apr_thread_mutex_unlock(cache_mutex); + + /* If cache was valid, we're done - return immediately */ + if (use_cached) { + return final_token; + } + } + } + + /* Generate new token (cache miss or not enabled) */ + { + int final_alphabet_grouping; + int final_expiry_seconds; + int final_encode_metadata; + + /* Apply defaults for alphabet grouping and metadata encoding */ + final_alphabet_grouping = (cfg->alphabet_grouping != RANDOM_GROUPING_UNSET) ? cfg->alphabet_grouping : 0; + final_expiry_seconds = (cfg->expiry_seconds != RANDOM_EXPIRY_UNSET) ? cfg->expiry_seconds : 0; + final_encode_metadata = (cfg->encode_metadata != RANDOM_ENABLED_UNSET) ? cfg->encode_metadata : 0; + + /* Validate alphabet_grouping */ + if (final_alphabet_grouping < 0) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "mod_random: Invalid alphabet grouping %d (negative), disabling grouping", + final_alphabet_grouping); + final_alphabet_grouping = 0; + } else if (final_alphabet_grouping > RANDOM_GROUPING_MAX) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "mod_random: Alphabet grouping %d exceeds maximum %d, clamping to max", + final_alphabet_grouping, RANDOM_GROUPING_MAX); + final_alphabet_grouping = RANDOM_GROUPING_MAX; + } + + /* Validate expiry_seconds if metadata encoding is enabled */ + if (final_expiry_seconds < 0 && final_expiry_seconds != RANDOM_EXPIRY_UNSET) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "mod_random: Invalid expiry %d (negative), disabling metadata encoding", + final_expiry_seconds); + final_expiry_seconds = 0; + } else if (final_expiry_seconds > RANDOM_EXPIRY_MAX_SECONDS) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "mod_random: Expiry %d exceeds maximum %d, clamping to max", + final_expiry_seconds, RANDOM_EXPIRY_MAX_SECONDS); + final_expiry_seconds = RANDOM_EXPIRY_MAX_SECONDS; + } + + /* Validate custom alphabet if CUSTOM format is selected */ + if (final_format == RANDOM_FORMAT_CUSTOM && !cfg->custom_alphabet) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "mod_random: CUSTOM format requires alphabet, falling back to BASE64"); + final_format = RANDOM_FORMAT_BASE64; + } + + /* Generate random string with specified format */ + random_string = random_generate_string_ex(r->pool, final_length, final_format, + cfg->custom_alphabet, final_alphabet_grouping); + + /* CRITICAL: Check if CSPRNG failed */ + if (!random_string) { + ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, + "mod_random: CRITICAL - Failed to generate random bytes. " + "This is a system error - cryptographic token generation failed."); + return NULL; + } + + /* Add timestamp if requested (reuse 'now' already calculated above) */ + if (final_timestamp) { + time_t timestamp = apr_time_sec(now); + random_string = apr_psprintf(r->pool, "%ld-%s", (long)timestamp, random_string); + } + + /* Encode metadata with expiry and signature if requested */ + if (final_encode_metadata && final_expiry_seconds > 0 && cfg->signing_key) { + char *encoded = random_encode_with_metadata(r->pool, random_string, + final_expiry_seconds, cfg->signing_key); + if (!encoded) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "mod_random: Failed to encode metadata, using plain token"); + /* Continue with unencoded token - safer than failing completely */ + } else { + random_string = encoded; + } + } else if (final_encode_metadata && final_expiry_seconds > 0 && !cfg->signing_key) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "mod_random: Metadata encoding requested but no signing key configured - skipping"); + } + + /* Add prefix/suffix if configured - single allocation for efficiency */ + if (final_prefix || final_suffix) { + final_token = apr_psprintf(r->pool, "%s%s%s", + final_prefix ? final_prefix : "", + random_string, + final_suffix ? final_suffix : ""); + } else { + final_token = random_string; + } + + /* Update cache if TTL is enabled - use provided pool and mutex */ + if (final_ttl > 0 && cache_mutex && cached_token && cache_time && cache_pool) { + apr_status_t rv = apr_thread_mutex_lock(cache_mutex); + if (rv != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, + "mod_random: Failed to lock cache mutex - skipping cache write"); + /* Continue without caching - token still valid for this request */ + } else { + *cached_token = apr_pstrdup(cache_pool, final_token); + /* Reuse 'now' from line 86 instead of calling apr_time_now() again + * This ensures cache_time reflects when token generation started */ + *cache_time = now; + apr_thread_mutex_unlock(cache_mutex); + } + } + } + + return final_token; +} diff --git a/modules/random/mod_random_types.h b/modules/random/mod_random_types.h new file mode 100644 index 00000000000..fa48949c282 --- /dev/null +++ b/modules/random/mod_random_types.h @@ -0,0 +1,83 @@ +/* + * mod_random_types.h - Type definitions and constants + */ + +#ifndef MOD_RANDOM_TYPES_H +#define MOD_RANDOM_TYPES_H + +#include "apr_time.h" +#include "apr_thread_mutex.h" +#include "ap_regex.h" + +/* Configuration constants */ +#define RANDOM_LENGTH_DEFAULT 16 /* 128 bits of entropy */ +#define RANDOM_LENGTH_MIN 1 /* Minimum allowed length */ +#define RANDOM_LENGTH_MAX 1024 /* Maximum to prevent DoS */ + +/* Sentinel values (unset/not configured) */ +#define RANDOM_LENGTH_UNSET -1 /* Sentinel: length not configured */ +#define RANDOM_ENABLED_UNSET -1 /* Sentinel: boolean not configured */ +#define RANDOM_FORMAT_UNSET -1 /* Sentinel: format not configured */ +#define RANDOM_GROUPING_UNSET -1 /* Sentinel: grouping not configured */ +#define RANDOM_EXPIRY_UNSET -1 /* Sentinel: expiry not configured */ +#define RANDOM_TTL_UNSET -1 /* Sentinel: TTL not configured */ + +/* Limits to prevent DoS */ +#define RANDOM_MAX_TOKENS 50 /* Maximum tokens per context */ +#define RANDOM_TTL_MAX_SECONDS 86400 /* 24 hours */ +#define RANDOM_EXPIRY_MAX_SECONDS 31536000 /* 1 year */ +#define RANDOM_ALPHABET_MAX_SIZE 256 /* Maximum alphabet size */ +#define RANDOM_ALPHABET_MIN_SIZE 2 /* Minimum alphabet size */ +#define RANDOM_GROUPING_MAX 128 /* Maximum grouping size */ + +/* Output format types */ +typedef enum { + RANDOM_FORMAT_BASE64 = 0, + RANDOM_FORMAT_HEX = 1, + RANDOM_FORMAT_BASE64URL = 2, + RANDOM_FORMAT_CUSTOM = 3 +} random_format_t; + +/* Individual token specification */ +typedef struct random_token_spec { + char *var_name; /* Environment variable name (required) */ + int length; /* Bytes of random data */ + random_format_t format; /* Output format */ + char *header_name; /* Optional HTTP header */ + int include_timestamp; /* Include timestamp prefix */ + char *prefix; /* Optional prefix */ + char *suffix; /* Optional suffix */ + int ttl_seconds; /* Cache TTL */ + char *cached_token; /* Cached token value */ + apr_time_t cache_time; /* Cache timestamp */ + apr_thread_mutex_t *cache_mutex; /* Mutex to protect this token's cache */ + apr_pool_t *pool; /* Pool for cache allocation */ + struct random_token_spec *next; /* Linked list next */ +} random_token_spec; + +/* Main configuration structure */ +typedef struct { + /* Default values for RandomAddToken */ + int length; /* Default token length in bytes */ + random_format_t format; /* Default output format */ + int include_timestamp; /* Default timestamp inclusion */ + char *prefix; /* Default prefix for all tokens */ + char *suffix; /* Default suffix for all tokens */ + int ttl_seconds; /* Default cache TTL */ + + /* Global settings */ + ap_regex_t *url_pattern; /* URL pattern filter (RandomOnlyFor) */ + apr_pool_t *pool; /* Pool for this config */ + random_token_spec *token_specs; /* Linked list of token specifications */ + + /* Custom alphabet settings (for RANDOM_FORMAT_CUSTOM) */ + char *custom_alphabet; /* Custom character set */ + int alphabet_grouping; /* Group size (0=no grouping) */ + + /* Metadata encoding settings */ + int expiry_seconds; /* Token expiration time (0=no expiry) */ + int encode_metadata; /* Enable metadata encoding */ + char *signing_key; /* HMAC signing key for validation */ +} random_config; + +#endif /* MOD_RANDOM_TYPES_H */