|
Packit |
90a5c9 |
/* Licensed to the Apache Software Foundation (ASF) under one or more
|
|
Packit |
90a5c9 |
* contributor license agreements. See the NOTICE file distributed with
|
|
Packit |
90a5c9 |
* this work for additional information regarding copyright ownership.
|
|
Packit |
90a5c9 |
* The ASF licenses this file to You under the Apache License, Version 2.0
|
|
Packit |
90a5c9 |
* (the "License"); you may not use this file except in compliance with
|
|
Packit |
90a5c9 |
* the License. You may obtain a copy of the License at
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* http://www.apache.org/licenses/LICENSE-2.0
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* Unless required by applicable law or agreed to in writing, software
|
|
Packit |
90a5c9 |
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
Packit |
90a5c9 |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
Packit |
90a5c9 |
* See the License for the specific language governing permissions and
|
|
Packit |
90a5c9 |
* limitations under the License.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* _ _
|
|
Packit |
90a5c9 |
* _ __ ___ ___ __| | ___ ___| | mod_ssl
|
|
Packit |
90a5c9 |
* | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
|
|
Packit |
90a5c9 |
* | | | | | | (_) | (_| | \__ \__ \ |
|
|
Packit |
90a5c9 |
* |_| |_| |_|\___/ \__,_|___|___/___/_|
|
|
Packit |
90a5c9 |
* |_____|
|
|
Packit |
90a5c9 |
* ssl_engine_pphrase.c
|
|
Packit |
90a5c9 |
* Pass Phrase Dialog
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
/* ``Treat your password like your
|
|
Packit |
90a5c9 |
toothbrush. Don't let anybody
|
|
Packit |
90a5c9 |
else use it, and get a new one
|
|
Packit |
90a5c9 |
every six months.''
|
|
Packit |
90a5c9 |
-- Clifford Stoll */
|
|
Packit |
90a5c9 |
#include "ssl_private.h"
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
typedef struct {
|
|
Packit |
90a5c9 |
server_rec *s;
|
|
Packit |
90a5c9 |
apr_pool_t *p;
|
|
Packit |
90a5c9 |
apr_array_header_t *aPassPhrase;
|
|
Packit |
90a5c9 |
int nPassPhraseCur;
|
|
Packit |
90a5c9 |
char *cpPassPhraseCur;
|
|
Packit |
90a5c9 |
int nPassPhraseDialog;
|
|
Packit |
90a5c9 |
int nPassPhraseDialogCur;
|
|
Packit |
90a5c9 |
BOOL bPassPhraseDialogOnce;
|
|
Packit |
90a5c9 |
const char *key_id;
|
|
Packit |
90a5c9 |
const char *pkey_file;
|
|
Packit |
90a5c9 |
} pphrase_cb_arg_t;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#ifdef HAVE_ECC
|
|
Packit |
90a5c9 |
static const char *key_types[] = {"RSA", "DSA", "ECC"};
|
|
Packit |
90a5c9 |
#else
|
|
Packit |
90a5c9 |
static const char *key_types[] = {"RSA", "DSA"};
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Return true if the named file exists and is readable
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static apr_status_t exists_and_readable(const char *fname, apr_pool_t *pool,
|
|
Packit |
90a5c9 |
apr_time_t *mtime)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
apr_status_t stat;
|
|
Packit |
90a5c9 |
apr_finfo_t sbuf;
|
|
Packit |
90a5c9 |
apr_file_t *fd;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if ((stat = apr_stat(&sbuf, fname, APR_FINFO_MIN, pool)) != APR_SUCCESS)
|
|
Packit |
90a5c9 |
return stat;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (sbuf.filetype != APR_REG)
|
|
Packit |
90a5c9 |
return APR_EGENERAL;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if ((stat = apr_file_open(&fd, fname, APR_READ, 0, pool)) != APR_SUCCESS)
|
|
Packit |
90a5c9 |
return stat;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (mtime) {
|
|
Packit |
90a5c9 |
*mtime = sbuf.mtime;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
apr_file_close(fd);
|
|
Packit |
90a5c9 |
return APR_SUCCESS;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* reuse vhost keys for asn1 tables where keys are allocated out
|
|
Packit |
90a5c9 |
* of s->process->pool to prevent "leaking" each time we format
|
|
Packit |
90a5c9 |
* a vhost key. since the key is stored in a table with lifetime
|
|
Packit |
90a5c9 |
* of s->process->pool, the key needs to have the same lifetime.
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* XXX: probably seems silly to use a hash table with keys and values
|
|
Packit |
90a5c9 |
* being the same, but it is easier than doing a linear search
|
|
Packit |
90a5c9 |
* and will make it easier to remove keys if needed in the future.
|
|
Packit |
90a5c9 |
* also have the problem with apr_array_header_t that if we
|
|
Packit |
90a5c9 |
* underestimate the number of vhost keys when we apr_array_make(),
|
|
Packit |
90a5c9 |
* the array will get resized when we push past the initial number
|
|
Packit |
90a5c9 |
* of elts. this resizing in the s->process->pool means "leaking"
|
|
Packit |
90a5c9 |
* since apr_array_push() will apr_alloc arr->nalloc * 2 elts,
|
|
Packit |
90a5c9 |
* leaving the original arr->elts to waste.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
static const char *asn1_table_vhost_key(SSLModConfigRec *mc, apr_pool_t *p,
|
|
Packit |
90a5c9 |
const char *id, int i)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
/* 'p' pool used here is cleared on restarts (or sooner) */
|
|
Packit |
90a5c9 |
char *key = apr_psprintf(p, "%s:%d", id, i);
|
|
Packit |
90a5c9 |
void *keyptr = apr_hash_get(mc->tVHostKeys, key,
|
|
Packit |
90a5c9 |
APR_HASH_KEY_STRING);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!keyptr) {
|
|
Packit |
90a5c9 |
/* make a copy out of s->process->pool */
|
|
Packit |
90a5c9 |
keyptr = apr_pstrdup(mc->pPool, key);
|
|
Packit |
90a5c9 |
apr_hash_set(mc->tVHostKeys, keyptr,
|
|
Packit |
90a5c9 |
APR_HASH_KEY_STRING, keyptr);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return (char *)keyptr;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* _________________________________________________________________
|
|
Packit |
90a5c9 |
**
|
|
Packit |
90a5c9 |
** Pass Phrase and Private Key Handling
|
|
Packit |
90a5c9 |
** _________________________________________________________________
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#define BUILTIN_DIALOG_BACKOFF 2
|
|
Packit |
90a5c9 |
#define BUILTIN_DIALOG_RETRIES 5
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static apr_file_t *writetty = NULL;
|
|
Packit |
90a5c9 |
static apr_file_t *readtty = NULL;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
int ssl_pphrase_Handle_CB(char *, int, int, void *);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static char *pphrase_array_get(apr_array_header_t *arr, int idx)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
if ((idx < 0) || (idx >= arr->nelts)) {
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return ((char **)arr->elts)[idx];
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
apr_status_t ssl_load_encrypted_pkey(server_rec *s, apr_pool_t *p, int idx,
|
|
Packit |
90a5c9 |
const char *pkey_file,
|
|
Packit |
90a5c9 |
apr_array_header_t **pphrases)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
SSLModConfigRec *mc = myModConfig(s);
|
|
Packit |
90a5c9 |
SSLSrvConfigRec *sc = mySrvConfig(s);
|
|
Packit |
90a5c9 |
const char *key_id = asn1_table_vhost_key(mc, p, sc->vhost_id, idx);
|
|
Packit |
90a5c9 |
EVP_PKEY *pPrivateKey = NULL;
|
|
Packit |
90a5c9 |
ssl_asn1_t *asn1;
|
|
Packit |
90a5c9 |
int nPassPhrase = (*pphrases)->nelts;
|
|
Packit |
90a5c9 |
int nPassPhraseRetry = 0;
|
|
Packit |
90a5c9 |
apr_time_t pkey_mtime = 0;
|
|
Packit |
90a5c9 |
apr_status_t rv;
|
|
Packit |
90a5c9 |
pphrase_cb_arg_t ppcb_arg;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!pkey_file) {
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02573)
|
|
Packit |
90a5c9 |
"Init: No private key specified for %s", key_id);
|
|
Packit |
90a5c9 |
return ssl_die(s);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else if ((rv = exists_and_readable(pkey_file, p, &pkey_mtime))
|
|
Packit |
90a5c9 |
!= APR_SUCCESS ) {
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02574)
|
|
Packit |
90a5c9 |
"Init: Can't open server private key file %s", pkey_file);
|
|
Packit |
90a5c9 |
return ssl_die(s);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ppcb_arg.s = s;
|
|
Packit |
90a5c9 |
ppcb_arg.p = p;
|
|
Packit |
90a5c9 |
ppcb_arg.aPassPhrase = *pphrases;
|
|
Packit |
90a5c9 |
ppcb_arg.nPassPhraseCur = 0;
|
|
Packit |
90a5c9 |
ppcb_arg.cpPassPhraseCur = NULL;
|
|
Packit |
90a5c9 |
ppcb_arg.nPassPhraseDialog = 0;
|
|
Packit |
90a5c9 |
ppcb_arg.nPassPhraseDialogCur = 0;
|
|
Packit |
90a5c9 |
ppcb_arg.bPassPhraseDialogOnce = TRUE;
|
|
Packit |
90a5c9 |
ppcb_arg.key_id = key_id;
|
|
Packit |
90a5c9 |
ppcb_arg.pkey_file = pkey_file;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* if the private key is encrypted and SSLPassPhraseDialog
|
|
Packit |
90a5c9 |
* is configured to "builtin" it isn't possible to prompt for
|
|
Packit |
90a5c9 |
* a password after httpd has detached from the tty.
|
|
Packit |
90a5c9 |
* in this case if we already have a private key and the
|
|
Packit |
90a5c9 |
* file name/mtime hasn't changed, then reuse the existing key.
|
|
Packit |
90a5c9 |
* we also reuse existing private keys that were encrypted for
|
|
Packit |
90a5c9 |
* exec: and pipe: dialogs to minimize chances to snoop the
|
|
Packit |
90a5c9 |
* password. that and pipe: dialogs might prompt the user
|
|
Packit |
90a5c9 |
* for password, which on win32 for example could happen 4
|
|
Packit |
90a5c9 |
* times at startup. twice for each child and twice within
|
|
Packit |
90a5c9 |
* each since apache "restarts itself" on startup.
|
|
Packit |
90a5c9 |
* of course this will not work for the builtin dialog if
|
|
Packit |
90a5c9 |
* the server was started without LoadModule ssl_module
|
|
Packit |
90a5c9 |
* configured, then restarted with it configured.
|
|
Packit |
90a5c9 |
* but we fall through with a chance of success if the key
|
|
Packit |
90a5c9 |
* is not encrypted or can be handled via exec or pipe dialog.
|
|
Packit |
90a5c9 |
* and in the case of fallthrough, pkey_mtime and isatty()
|
|
Packit |
90a5c9 |
* are used to give a better idea as to what failed.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if (pkey_mtime) {
|
|
Packit |
90a5c9 |
ssl_asn1_t *asn1 = ssl_asn1_table_get(mc->tPrivateKey, key_id);
|
|
Packit |
90a5c9 |
if (asn1 && (asn1->source_mtime == pkey_mtime)) {
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(02575)
|
|
Packit |
90a5c9 |
"Reusing existing private key from %s on restart",
|
|
Packit |
90a5c9 |
ppcb_arg.pkey_file);
|
|
Packit |
90a5c9 |
return APR_SUCCESS;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(02576)
|
|
Packit |
90a5c9 |
"Attempting to load encrypted (?) private key %s", key_id);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
for (;;) {
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Try to read the private key file with the help of
|
|
Packit |
90a5c9 |
* the callback function which serves the pass
|
|
Packit |
90a5c9 |
* phrases to OpenSSL
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ppcb_arg.cpPassPhraseCur = NULL;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Ensure that the error stack is empty; some SSL
|
|
Packit |
90a5c9 |
* functions will fail spuriously if the error stack
|
|
Packit |
90a5c9 |
* is not empty. */
|
|
Packit |
90a5c9 |
ERR_clear_error();
|
|
Packit |
90a5c9 |
|
|
Packit |
70c855 |
pPrivateKey = modssl_read_privatekey(ppcb_arg.pkey_file,
|
|
Packit |
70c855 |
ssl_pphrase_Handle_CB, &ppcb_arg);
|
|
Packit |
70c855 |
/* If the private key was successfully read, nothing more to
|
|
Packit |
70c855 |
do here. */
|
|
Packit |
70c855 |
if (pPrivateKey != NULL)
|
|
Packit |
70c855 |
break;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* when we have more remembered pass phrases
|
|
Packit |
90a5c9 |
* try to reuse these first.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if (ppcb_arg.nPassPhraseCur < nPassPhrase) {
|
|
Packit |
90a5c9 |
ppcb_arg.nPassPhraseCur++;
|
|
Packit |
90a5c9 |
continue;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* else it's not readable and we have no more
|
|
Packit |
90a5c9 |
* remembered pass phrases. Then this has to mean
|
|
Packit |
90a5c9 |
* that the callback function popped up the dialog
|
|
Packit |
90a5c9 |
* but a wrong pass phrase was entered. We give the
|
|
Packit |
90a5c9 |
* user (but not the dialog program) a few more
|
|
Packit |
90a5c9 |
* chances...
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
#ifndef WIN32
|
|
Packit |
90a5c9 |
if ((sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|
|
Packit |
90a5c9 |
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE)
|
|
Packit |
90a5c9 |
#else
|
|
Packit |
90a5c9 |
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
&& ppcb_arg.cpPassPhraseCur != NULL
|
|
Packit |
90a5c9 |
&& nPassPhraseRetry < BUILTIN_DIALOG_RETRIES ) {
|
|
Packit |
90a5c9 |
apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect "
|
|
Packit |
90a5c9 |
"(%d more retr%s permitted).\n",
|
|
Packit |
90a5c9 |
(BUILTIN_DIALOG_RETRIES-nPassPhraseRetry),
|
|
Packit |
90a5c9 |
(BUILTIN_DIALOG_RETRIES-nPassPhraseRetry) == 1 ? "y" : "ies");
|
|
Packit |
90a5c9 |
nPassPhraseRetry++;
|
|
Packit |
90a5c9 |
if (nPassPhraseRetry > BUILTIN_DIALOG_BACKOFF)
|
|
Packit |
90a5c9 |
apr_sleep((nPassPhraseRetry-BUILTIN_DIALOG_BACKOFF)
|
|
Packit |
90a5c9 |
* 5 * APR_USEC_PER_SEC);
|
|
Packit |
90a5c9 |
continue;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
#ifdef WIN32
|
|
Packit |
90a5c9 |
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN) {
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02577)
|
|
Packit |
90a5c9 |
"Init: SSLPassPhraseDialog builtin is not "
|
|
Packit |
90a5c9 |
"supported on Win32 (key file "
|
|
Packit |
90a5c9 |
"%s)", ppcb_arg.pkey_file);
|
|
Packit |
90a5c9 |
return ssl_die(s);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
#endif /* WIN32 */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Ok, anything else now means a fatal error.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if (ppcb_arg.cpPassPhraseCur == NULL) {
|
|
Packit |
90a5c9 |
if (ppcb_arg.nPassPhraseDialogCur && pkey_mtime &&
|
|
Packit |
90a5c9 |
!isatty(fileno(stdout))) /* XXX: apr_isatty() */
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0,
|
|
Packit |
90a5c9 |
s, APLOGNO(02578)
|
|
Packit |
90a5c9 |
"Init: Unable to read pass phrase "
|
|
Packit |
90a5c9 |
"[Hint: key introduced or changed "
|
|
Packit |
90a5c9 |
"before restart?]");
|
|
Packit |
90a5c9 |
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0,
|
|
Packit |
90a5c9 |
s, APLOGNO(02579) "Init: Private key not found");
|
|
Packit |
90a5c9 |
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
if (writetty) {
|
|
Packit |
90a5c9 |
apr_file_printf(writetty, "Apache:mod_ssl:Error: Private key not found.\n");
|
|
Packit |
90a5c9 |
apr_file_printf(writetty, "**Stopped\n");
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02580)
|
|
Packit |
90a5c9 |
"Init: Pass phrase incorrect for key %s",
|
|
Packit |
90a5c9 |
key_id);
|
|
Packit |
90a5c9 |
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (writetty) {
|
|
Packit |
90a5c9 |
apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect.\n");
|
|
Packit |
90a5c9 |
apr_file_printf(writetty, "**Stopped\n");
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
return ssl_die(s);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (pPrivateKey == NULL) {
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02581)
|
|
Packit |
90a5c9 |
"Init: Unable to read server private key from file %s",
|
|
Packit |
90a5c9 |
ppcb_arg.pkey_file);
|
|
Packit |
90a5c9 |
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
|
|
Packit |
90a5c9 |
return ssl_die(s);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Log the type of reading
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if (ppcb_arg.nPassPhraseDialogCur == 0) {
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02582)
|
|
Packit |
90a5c9 |
"unencrypted %s private key - pass phrase not "
|
|
Packit |
90a5c9 |
"required", key_id);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
if (ppcb_arg.cpPassPhraseCur != NULL) {
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
|
|
Packit |
90a5c9 |
s, APLOGNO(02583)
|
|
Packit |
90a5c9 |
"encrypted %s private key - pass phrase "
|
|
Packit |
90a5c9 |
"requested", key_id);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
|
|
Packit |
90a5c9 |
s, APLOGNO(02584)
|
|
Packit |
90a5c9 |
"encrypted %s private key - pass phrase"
|
|
Packit |
90a5c9 |
" reused", key_id);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Ok, when we have one more pass phrase store it
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if (ppcb_arg.cpPassPhraseCur != NULL) {
|
|
Packit |
90a5c9 |
*(const char **)apr_array_push(ppcb_arg.aPassPhrase) =
|
|
Packit |
90a5c9 |
ppcb_arg.cpPassPhraseCur;
|
|
Packit |
90a5c9 |
nPassPhrase++;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
70c855 |
/* Cache the private key in the global module configuration so it
|
|
Packit |
70c855 |
* can be used after subsequent reloads. */
|
|
Packit |
70c855 |
asn1 = ssl_asn1_table_set(mc->tPrivateKey, key_id, pPrivateKey);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (ppcb_arg.nPassPhraseDialogCur != 0) {
|
|
Packit |
90a5c9 |
/* remember mtime of encrypted keys */
|
|
Packit |
90a5c9 |
asn1->source_mtime = pkey_mtime;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Free the private key structure
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
EVP_PKEY_free(pPrivateKey);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Let the user know when we're successful.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if ((ppcb_arg.nPassPhraseDialog > 0) &&
|
|
Packit |
90a5c9 |
(ppcb_arg.cpPassPhraseCur != NULL)) {
|
|
Packit |
90a5c9 |
if (writetty) {
|
|
Packit |
90a5c9 |
apr_file_printf(writetty, "\n"
|
|
Packit |
90a5c9 |
"OK: Pass Phrase Dialog successful.\n");
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Close the pipes if they were opened
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if (readtty) {
|
|
Packit |
90a5c9 |
apr_file_close(readtty);
|
|
Packit |
90a5c9 |
apr_file_close(writetty);
|
|
Packit |
90a5c9 |
readtty = writetty = NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return APR_SUCCESS;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static apr_status_t ssl_pipe_child_create(apr_pool_t *p, const char *progname)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
/* Child process code for 'ErrorLog "|..."';
|
|
Packit |
90a5c9 |
* may want a common framework for this, since I expect it will
|
|
Packit |
90a5c9 |
* be common for other foo-loggers to want this sort of thing...
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
apr_status_t rc;
|
|
Packit |
90a5c9 |
apr_procattr_t *procattr;
|
|
Packit |
90a5c9 |
apr_proc_t *procnew;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (((rc = apr_procattr_create(&procattr, p)) == APR_SUCCESS) &&
|
|
Packit |
90a5c9 |
((rc = apr_procattr_io_set(procattr,
|
|
Packit |
90a5c9 |
APR_FULL_BLOCK,
|
|
Packit |
90a5c9 |
APR_FULL_BLOCK,
|
|
Packit |
90a5c9 |
APR_NO_PIPE)) == APR_SUCCESS)) {
|
|
Packit |
90a5c9 |
char **args;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
apr_tokenize_to_argv(progname, &args, p);
|
|
Packit |
90a5c9 |
procnew = (apr_proc_t *)apr_pcalloc(p, sizeof(*procnew));
|
|
Packit |
90a5c9 |
rc = apr_proc_create(procnew, args[0], (const char * const *)args,
|
|
Packit |
90a5c9 |
NULL, procattr, p);
|
|
Packit |
90a5c9 |
if (rc == APR_SUCCESS) {
|
|
Packit |
90a5c9 |
/* XXX: not sure if we aught to...
|
|
Packit |
90a5c9 |
* apr_pool_note_subprocess(p, procnew, APR_KILL_AFTER_TIMEOUT);
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
writetty = procnew->in;
|
|
Packit |
90a5c9 |
readtty = procnew->out;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return rc;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static int pipe_get_passwd_cb(char *buf, int length, char *prompt, int verify)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
apr_status_t rc;
|
|
Packit |
90a5c9 |
char *p;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
apr_file_puts(prompt, writetty);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
buf[0]='\0';
|
|
Packit |
90a5c9 |
rc = apr_file_gets(buf, length, readtty);
|
|
Packit |
90a5c9 |
apr_file_puts(APR_EOL_STR, writetty);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (rc != APR_SUCCESS || apr_file_eof(readtty)) {
|
|
Packit |
90a5c9 |
memset(buf, 0, length);
|
|
Packit |
90a5c9 |
return 1; /* failure */
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
if ((p = strchr(buf, '\n')) != NULL) {
|
|
Packit |
90a5c9 |
*p = '\0';
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
#ifdef WIN32
|
|
Packit |
90a5c9 |
/* XXX: apr_sometest */
|
|
Packit |
90a5c9 |
if ((p = strchr(buf, '\r')) != NULL) {
|
|
Packit |
90a5c9 |
*p = '\0';
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
return 0;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
pphrase_cb_arg_t *ppcb_arg = (pphrase_cb_arg_t *)srv;
|
|
Packit |
90a5c9 |
SSLSrvConfigRec *sc = mySrvConfig(ppcb_arg->s);
|
|
Packit |
90a5c9 |
char *cpp;
|
|
Packit |
90a5c9 |
int len = -1;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ppcb_arg->nPassPhraseDialog++;
|
|
Packit |
90a5c9 |
ppcb_arg->nPassPhraseDialogCur++;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* When remembered pass phrases are available use them...
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if ((cpp = pphrase_array_get(ppcb_arg->aPassPhrase,
|
|
Packit |
90a5c9 |
ppcb_arg->nPassPhraseCur)) != NULL) {
|
|
Packit |
90a5c9 |
apr_cpystrn(buf, cpp, bufsize);
|
|
Packit |
90a5c9 |
len = strlen(buf);
|
|
Packit |
90a5c9 |
return len;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Builtin or Pipe dialog
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|
|
Packit |
90a5c9 |
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
|
|
Packit |
90a5c9 |
char *prompt;
|
|
Packit |
90a5c9 |
int i;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
|
|
Packit |
90a5c9 |
if (!readtty) {
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb_arg->s,
|
|
Packit |
90a5c9 |
APLOGNO(01965)
|
|
Packit |
90a5c9 |
"Init: Creating pass phrase dialog pipe child "
|
|
Packit |
90a5c9 |
"'%s'", sc->server->pphrase_dialog_path);
|
|
Packit |
90a5c9 |
if (ssl_pipe_child_create(ppcb_arg->p,
|
|
Packit |
90a5c9 |
sc->server->pphrase_dialog_path)
|
|
Packit |
90a5c9 |
!= APR_SUCCESS) {
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, ppcb_arg->s,
|
|
Packit |
90a5c9 |
APLOGNO(01966)
|
|
Packit |
90a5c9 |
"Init: Failed to create pass phrase pipe '%s'",
|
|
Packit |
90a5c9 |
sc->server->pphrase_dialog_path);
|
|
Packit |
90a5c9 |
PEMerr(PEM_F_PEM_DEF_CALLBACK,
|
|
Packit |
90a5c9 |
PEM_R_PROBLEMS_GETTING_PASSWORD);
|
|
Packit |
90a5c9 |
memset(buf, 0, (unsigned int)bufsize);
|
|
Packit |
90a5c9 |
return (-1);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb_arg->s, APLOGNO(01967)
|
|
Packit |
90a5c9 |
"Init: Requesting pass phrase via piped dialog");
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */
|
|
Packit |
90a5c9 |
#ifdef WIN32
|
|
Packit |
90a5c9 |
PEMerr(PEM_F_PEM_DEF_CALLBACK, PEM_R_PROBLEMS_GETTING_PASSWORD);
|
|
Packit |
90a5c9 |
memset(buf, 0, (unsigned int)bufsize);
|
|
Packit |
90a5c9 |
return (-1);
|
|
Packit |
90a5c9 |
#else
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* stderr has already been redirected to the error_log.
|
|
Packit |
90a5c9 |
* rather than attempting to temporarily rehook it to the terminal,
|
|
Packit |
90a5c9 |
* we print the prompt to stdout before EVP_read_pw_string turns
|
|
Packit |
90a5c9 |
* off tty echo
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
apr_file_open_stdout(&writetty, ppcb_arg->p);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb_arg->s, APLOGNO(01968)
|
|
Packit |
90a5c9 |
"Init: Requesting pass phrase via builtin terminal "
|
|
Packit |
90a5c9 |
"dialog");
|
|
Packit |
90a5c9 |
#endif
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* The first time display a header to inform the user about what
|
|
Packit |
90a5c9 |
* program he actually speaks to, which module is responsible for
|
|
Packit |
90a5c9 |
* this terminal dialog and why to the hell he has to enter
|
|
Packit |
90a5c9 |
* something...
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
if (ppcb_arg->nPassPhraseDialog == 1) {
|
|
Packit |
90a5c9 |
apr_file_printf(writetty, "%s mod_ssl (Pass Phrase Dialog)\n",
|
|
Packit |
90a5c9 |
AP_SERVER_BASEVERSION);
|
|
Packit |
90a5c9 |
apr_file_printf(writetty, "Some of your private key files are encrypted for security reasons.\n");
|
|
Packit |
90a5c9 |
apr_file_printf(writetty, "In order to read them you have to provide the pass phrases.\n");
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
if (ppcb_arg->bPassPhraseDialogOnce) {
|
|
Packit |
90a5c9 |
ppcb_arg->bPassPhraseDialogOnce = FALSE;
|
|
Packit |
90a5c9 |
apr_file_printf(writetty, "\n");
|
|
Packit |
90a5c9 |
apr_file_printf(writetty, "Private key %s (%s)\n",
|
|
Packit |
90a5c9 |
ppcb_arg->key_id, ppcb_arg->pkey_file);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Emulate the OpenSSL internal pass phrase dialog
|
|
Packit |
90a5c9 |
* (see crypto/pem/pem_lib.c:def_callback() for details)
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
prompt = "Enter pass phrase:";
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
for (;;) {
|
|
Packit |
90a5c9 |
apr_file_puts(prompt, writetty);
|
|
Packit |
90a5c9 |
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
|
|
Packit |
90a5c9 |
i = pipe_get_passwd_cb(buf, bufsize, "", FALSE);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */
|
|
Packit |
90a5c9 |
i = EVP_read_pw_string(buf, bufsize, "", FALSE);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
if (i != 0) {
|
|
Packit |
90a5c9 |
PEMerr(PEM_F_PEM_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
|
|
Packit |
90a5c9 |
memset(buf, 0, (unsigned int)bufsize);
|
|
Packit |
90a5c9 |
return (-1);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
len = strlen(buf);
|
|
Packit |
90a5c9 |
if (len < 1)
|
|
Packit |
90a5c9 |
apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase empty (needs to be at least 1 character).\n");
|
|
Packit |
90a5c9 |
else
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Filter program
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
else if (sc->server->pphrase_dialog_type == SSL_PPTYPE_FILTER) {
|
|
Packit |
90a5c9 |
const char *cmd = sc->server->pphrase_dialog_path;
|
|
Packit |
90a5c9 |
const char **argv = apr_palloc(ppcb_arg->p, sizeof(char *) * 4);
|
|
Packit |
90a5c9 |
const char *idx = ap_strrchr_c(ppcb_arg->key_id, ':') + 1;
|
|
Packit |
90a5c9 |
char *result;
|
|
Packit |
90a5c9 |
int i;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb_arg->s, APLOGNO(01969)
|
|
Packit |
90a5c9 |
"Init: Requesting pass phrase from dialog filter "
|
|
Packit |
90a5c9 |
"program (%s)", cmd);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
argv[0] = cmd;
|
|
Packit |
90a5c9 |
argv[1] = apr_pstrndup(ppcb_arg->p, ppcb_arg->key_id,
|
|
Packit |
90a5c9 |
idx-1 - ppcb_arg->key_id);
|
|
Packit |
90a5c9 |
if ((i = atoi(idx)) < CERTKEYS_IDX_MAX+1) {
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* For compatibility with existing 2.4.x configurations, use
|
|
Packit |
90a5c9 |
* "RSA", "DSA" and "ECC" strings for the first two/three keys
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
argv[2] = key_types[i];
|
|
Packit |
90a5c9 |
} else {
|
|
Packit |
90a5c9 |
/* Four and above: use the integer index */
|
|
Packit |
90a5c9 |
argv[2] = apr_pstrdup(ppcb_arg->p, idx);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
argv[3] = NULL;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
result = ssl_util_readfilter(ppcb_arg->s, ppcb_arg->p, cmd, argv);
|
|
Packit |
90a5c9 |
apr_cpystrn(buf, result, bufsize);
|
|
Packit |
90a5c9 |
len = strlen(buf);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Ok, we now have the pass phrase, so give it back
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
ppcb_arg->cpPassPhraseCur = apr_pstrdup(ppcb_arg->p, buf);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* And return its length to OpenSSL...
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
return (len);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
/* OpenSSL UI implementation for passphrase entry; largely duplicated
|
|
Packit |
70c855 |
* from ssl_pphrase_Handle_CB but adjusted for UI API. TODO: Might be
|
|
Packit |
70c855 |
* worth trying to shift pphrase handling over to the UI API
|
|
Packit |
70c855 |
* completely. */
|
|
Packit |
70c855 |
static int passphrase_ui_open(UI *ui)
|
|
Packit |
70c855 |
{
|
|
Packit |
70c855 |
pphrase_cb_arg_t *ppcb = UI_get0_user_data(ui);
|
|
Packit |
70c855 |
SSLSrvConfigRec *sc = mySrvConfig(ppcb->s);
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
ppcb->nPassPhraseDialog++;
|
|
Packit |
70c855 |
ppcb->nPassPhraseDialogCur++;
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
/*
|
|
Packit |
70c855 |
* Builtin or Pipe dialog
|
|
Packit |
70c855 |
*/
|
|
Packit |
70c855 |
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|
|
Packit |
70c855 |
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
|
|
Packit |
70c855 |
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
|
|
Packit |
70c855 |
if (!readtty) {
|
|
Packit |
70c855 |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb->s,
|
|
Packit |
70c855 |
APLOGNO(10143)
|
|
Packit |
70c855 |
"Init: Creating pass phrase dialog pipe child "
|
|
Packit |
70c855 |
"'%s'", sc->server->pphrase_dialog_path);
|
|
Packit |
70c855 |
if (ssl_pipe_child_create(ppcb->p,
|
|
Packit |
70c855 |
sc->server->pphrase_dialog_path)
|
|
Packit |
70c855 |
!= APR_SUCCESS) {
|
|
Packit |
70c855 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, ppcb->s,
|
|
Packit |
70c855 |
APLOGNO(10144)
|
|
Packit |
70c855 |
"Init: Failed to create pass phrase pipe '%s'",
|
|
Packit |
70c855 |
sc->server->pphrase_dialog_path);
|
|
Packit |
70c855 |
return 0;
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb->s, APLOGNO(10145)
|
|
Packit |
70c855 |
"Init: Requesting pass phrase via piped dialog");
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */
|
|
Packit |
70c855 |
#ifdef WIN32
|
|
Packit |
70c855 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, ppcb->s, APLOGNO(10146)
|
|
Packit |
70c855 |
"Init: Failed to create pass phrase pipe '%s'",
|
|
Packit |
70c855 |
sc->server->pphrase_dialog_path);
|
|
Packit |
70c855 |
return 0;
|
|
Packit |
70c855 |
#else
|
|
Packit |
70c855 |
/*
|
|
Packit |
70c855 |
* stderr has already been redirected to the error_log.
|
|
Packit |
70c855 |
* rather than attempting to temporarily rehook it to the terminal,
|
|
Packit |
70c855 |
* we print the prompt to stdout before EVP_read_pw_string turns
|
|
Packit |
70c855 |
* off tty echo
|
|
Packit |
70c855 |
*/
|
|
Packit |
70c855 |
apr_file_open_stdout(&writetty, ppcb->p);
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb->s, APLOGNO(10147)
|
|
Packit |
70c855 |
"Init: Requesting pass phrase via builtin terminal "
|
|
Packit |
70c855 |
"dialog");
|
|
Packit |
70c855 |
#endif
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
/*
|
|
Packit |
70c855 |
* The first time display a header to inform the user about what
|
|
Packit |
70c855 |
* program he actually speaks to, which module is responsible for
|
|
Packit |
70c855 |
* this terminal dialog and why to the hell he has to enter
|
|
Packit |
70c855 |
* something...
|
|
Packit |
70c855 |
*/
|
|
Packit |
70c855 |
if (ppcb->nPassPhraseDialog == 1) {
|
|
Packit |
70c855 |
apr_file_printf(writetty, "%s mod_ssl (Pass Phrase Dialog)\n",
|
|
Packit |
70c855 |
AP_SERVER_BASEVERSION);
|
|
Packit |
70c855 |
apr_file_printf(writetty,
|
|
Packit |
70c855 |
"A pass phrase is required to access the private key.\n");
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
if (ppcb->bPassPhraseDialogOnce) {
|
|
Packit |
70c855 |
ppcb->bPassPhraseDialogOnce = FALSE;
|
|
Packit |
70c855 |
apr_file_printf(writetty, "\n");
|
|
Packit |
70c855 |
apr_file_printf(writetty, "Private key %s (%s)\n",
|
|
Packit |
70c855 |
ppcb->key_id, ppcb->pkey_file);
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
return 1;
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
static int passphrase_ui_read(UI *ui, UI_STRING *uis)
|
|
Packit |
70c855 |
{
|
|
Packit |
70c855 |
pphrase_cb_arg_t *ppcb = UI_get0_user_data(ui);
|
|
Packit |
70c855 |
SSLSrvConfigRec *sc = mySrvConfig(ppcb->s);
|
|
Packit |
70c855 |
const char *prompt;
|
|
Packit |
70c855 |
int i;
|
|
Packit |
70c855 |
int bufsize;
|
|
Packit |
70c855 |
int len;
|
|
Packit |
70c855 |
char *buf;
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
prompt = UI_get0_output_string(uis);
|
|
Packit |
70c855 |
if (prompt == NULL) {
|
|
Packit |
70c855 |
prompt = "Enter pass phrase:";
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
/*
|
|
Packit |
70c855 |
* Get the maximum expected size and allocate the buffer
|
|
Packit |
70c855 |
*/
|
|
Packit |
70c855 |
bufsize = UI_get_result_maxsize(uis);
|
|
Packit |
70c855 |
buf = apr_pcalloc(ppcb->p, bufsize);
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|
|
Packit |
70c855 |
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
|
|
Packit |
70c855 |
/*
|
|
Packit |
70c855 |
* Get the pass phrase through a callback.
|
|
Packit |
70c855 |
* Empty input is not accepted.
|
|
Packit |
70c855 |
*/
|
|
Packit |
70c855 |
for (;;) {
|
|
Packit |
70c855 |
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
|
|
Packit |
70c855 |
i = pipe_get_passwd_cb(buf, bufsize, "", FALSE);
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */
|
|
Packit |
70c855 |
i = EVP_read_pw_string(buf, bufsize, "", FALSE);
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
if (i != 0) {
|
|
Packit |
70c855 |
OPENSSL_cleanse(buf, bufsize);
|
|
Packit |
70c855 |
return 0;
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
len = strlen(buf);
|
|
Packit |
70c855 |
if (len < 1){
|
|
Packit |
70c855 |
apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase"
|
|
Packit |
70c855 |
"empty (needs to be at least 1 character).\n");
|
|
Packit |
70c855 |
apr_file_puts(prompt, writetty);
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
else {
|
|
Packit |
70c855 |
break;
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
/*
|
|
Packit |
70c855 |
* Filter program
|
|
Packit |
70c855 |
*/
|
|
Packit |
70c855 |
else if (sc->server->pphrase_dialog_type == SSL_PPTYPE_FILTER) {
|
|
Packit |
70c855 |
const char *cmd = sc->server->pphrase_dialog_path;
|
|
Packit |
70c855 |
const char **argv = apr_palloc(ppcb->p, sizeof(char *) * 3);
|
|
Packit |
70c855 |
char *result;
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb->s, APLOGNO(10148)
|
|
Packit |
70c855 |
"Init: Requesting pass phrase from dialog filter "
|
|
Packit |
70c855 |
"program (%s)", cmd);
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
argv[0] = cmd;
|
|
Packit |
70c855 |
argv[1] = ppcb->key_id;
|
|
Packit |
70c855 |
argv[2] = NULL;
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
result = ssl_util_readfilter(ppcb->s, ppcb->p, cmd, argv);
|
|
Packit |
70c855 |
apr_cpystrn(buf, result, bufsize);
|
|
Packit |
70c855 |
len = strlen(buf);
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
/*
|
|
Packit |
70c855 |
* Ok, we now have the pass phrase, so give it back
|
|
Packit |
70c855 |
*/
|
|
Packit |
70c855 |
ppcb->cpPassPhraseCur = apr_pstrdup(ppcb->p, buf);
|
|
Packit |
70c855 |
UI_set_result(ui, uis, buf);
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
/* Clear sensitive data. */
|
|
Packit |
70c855 |
OPENSSL_cleanse(buf, bufsize);
|
|
Packit |
70c855 |
return 1;
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
static int passphrase_ui_write(UI *ui, UI_STRING *uis)
|
|
Packit |
70c855 |
{
|
|
Packit |
70c855 |
pphrase_cb_arg_t *ppcb = UI_get0_user_data(ui);
|
|
Packit |
70c855 |
SSLSrvConfigRec *sc;
|
|
Packit |
70c855 |
const char *prompt;
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
sc = mySrvConfig(ppcb->s);
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|
|
Packit |
70c855 |
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
|
|
Packit |
70c855 |
prompt = UI_get0_output_string(uis);
|
|
Packit |
70c855 |
apr_file_puts(prompt, writetty);
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
return 1;
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
static int passphrase_ui_close(UI *ui)
|
|
Packit |
70c855 |
{
|
|
Packit |
70c855 |
/*
|
|
Packit |
70c855 |
* Close the pipes if they were opened
|
|
Packit |
70c855 |
*/
|
|
Packit |
70c855 |
if (readtty) {
|
|
Packit |
70c855 |
apr_file_close(readtty);
|
|
Packit |
70c855 |
apr_file_close(writetty);
|
|
Packit |
70c855 |
readtty = writetty = NULL;
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
return 1;
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
static apr_status_t pp_ui_method_cleanup(void *uip)
|
|
Packit |
70c855 |
{
|
|
Packit |
70c855 |
UI_METHOD *uim = uip;
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
UI_destroy_method(uim);
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
return APR_SUCCESS;
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
static UI_METHOD *get_passphrase_ui(apr_pool_t *p)
|
|
Packit |
70c855 |
{
|
|
Packit |
70c855 |
UI_METHOD *ui_method = UI_create_method("Passphrase UI");
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
UI_method_set_opener(ui_method, passphrase_ui_open);
|
|
Packit |
70c855 |
UI_method_set_reader(ui_method, passphrase_ui_read);
|
|
Packit |
70c855 |
UI_method_set_writer(ui_method, passphrase_ui_write);
|
|
Packit |
70c855 |
UI_method_set_closer(ui_method, passphrase_ui_close);
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
apr_pool_cleanup_register(p, ui_method, pp_ui_method_cleanup,
|
|
Packit |
70c855 |
pp_ui_method_cleanup);
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
return ui_method;
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
|
|
Packit |
70c855 |
const char *vhostid,
|
|
Packit |
70c855 |
const char *certid, const char *keyid,
|
|
Packit |
70c855 |
X509 **pubkey, EVP_PKEY **privkey)
|
|
Packit |
70c855 |
{
|
|
Packit |
70c855 |
const char *c, *scheme;
|
|
Packit |
70c855 |
ENGINE *e;
|
|
Packit |
70c855 |
UI_METHOD *ui_method = get_passphrase_ui(p);
|
|
Packit |
70c855 |
pphrase_cb_arg_t ppcb;
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
memset(&ppcb, 0, sizeof ppcb);
|
|
Packit |
70c855 |
ppcb.s = s;
|
|
Packit |
70c855 |
ppcb.p = p;
|
|
Packit |
70c855 |
ppcb.bPassPhraseDialogOnce = TRUE;
|
|
Packit |
70c855 |
ppcb.key_id = vhostid;
|
|
Packit |
70c855 |
ppcb.pkey_file = keyid;
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
c = ap_strchr_c(keyid, ':');
|
|
Packit |
70c855 |
if (!c || c == keyid) {
|
|
Packit |
70c855 |
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
|
|
Packit |
70c855 |
"Init: Unrecognized private key identifier `%s'",
|
|
Packit |
70c855 |
keyid);
|
|
Packit |
70c855 |
return ssl_die(s);
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
scheme = apr_pstrmemdup(p, keyid, c - keyid);
|
|
Packit |
70c855 |
if (!(e = ENGINE_by_id(scheme))) {
|
|
Packit |
70c855 |
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
|
|
Packit |
70c855 |
"Init: Failed to load engine for private key %s",
|
|
Packit |
70c855 |
keyid);
|
|
Packit |
70c855 |
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
|
|
Packit |
70c855 |
return ssl_die(s);
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
if (!ENGINE_init(e)) {
|
|
Packit |
70c855 |
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10149)
|
|
Packit |
70c855 |
"Init: Failed to initialize engine %s for private key %s",
|
|
Packit |
70c855 |
scheme, keyid);
|
|
Packit |
70c855 |
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
|
|
Packit |
70c855 |
return ssl_die(s);
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
|
|
Packit |
70c855 |
"Init: Initialized engine %s for private key %s",
|
|
Packit |
70c855 |
scheme, keyid);
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
if (APLOGdebug(s)) {
|
|
Packit |
70c855 |
ENGINE_ctrl_cmd_string(e, "VERBOSE", NULL, 0);
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
if (certid) {
|
|
Packit |
70c855 |
struct {
|
|
Packit |
70c855 |
const char *cert_id;
|
|
Packit |
70c855 |
X509 *cert;
|
|
Packit |
70c855 |
} params = { certid, NULL };
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
if (!ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, ¶ms, NULL, 1)) {
|
|
Packit |
70c855 |
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10136)
|
|
Packit |
70c855 |
"Init: Unable to get the certificate");
|
|
Packit |
70c855 |
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
|
|
Packit |
70c855 |
return ssl_die(s);
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
*pubkey = params.cert;
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
*privkey = ENGINE_load_private_key(e, keyid, ui_method, &ppcb);
|
|
Packit |
70c855 |
if (*privkey == NULL) {
|
|
Packit |
70c855 |
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10133)
|
|
Packit |
70c855 |
"Init: Unable to get the private key");
|
|
Packit |
70c855 |
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
|
|
Packit |
70c855 |
return ssl_die(s);
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
ENGINE_finish(e);
|
|
Packit |
70c855 |
ENGINE_free(e);
|
|
Packit |
70c855 |
|
|
Packit |
70c855 |
return APR_SUCCESS;
|
|
Packit |
70c855 |
}
|
|
Packit |
70c855 |
#endif
|