Posted to cvs@httpd.apache.org by ji...@apache.org on 2014/05/07 14:52:55 UTC

svn commit: r1593003 - in /httpd/httpd/branches/2.4.x: CHANGES STATUS docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_pphrase.c modules/ssl/ssl_private.h

Author: jim
Date: Wed May  7 12:52:55 2014
New Revision: 1593003

URL: http://svn.apache.org/r1593003
Log:
   * mod_ssl: restore argument structure for exec-type SSLPassPhraseDialog
        programs, and implement a special merging algorithm for
             SSLCertificate[Key]File to emulate the behavior in versions <= 2.4.7


Modified:
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/STATUS
    httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_pphrase.c
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1593003&r1=1593002&r2=1593003&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Wed May  7 12:52:55 2014
@@ -14,6 +14,10 @@ Changes with Apache 2.4.10
   *) mod_authn_socache: Fix crash at startup in certain configurations.
      PR 56371. (regression in 2.4.7) [Jan Kaluza]
 
+  *) mod_ssl: restore argument structure for "exec"-type SSLPassPhraseDialog
+     programs to the form used in releases up to 2.4.7, and emulate
+     a backwards-compatible behavior for existing setups. [Kaspar Brand]
+
   *) mod_lua: Enforce the max post size allowed via r:parsebody()
      [Daniel Gruno]
 

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1593003&r1=1593002&r2=1593003&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Wed May  7 12:52:55 2014
@@ -100,13 +100,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * mod_ssl: restore argument structure for exec-type SSLPassPhraseDialog
-     programs, and implement a special merging algorithm for
-     SSLCertificate[Key]File to emulate the behavior in versions <= 2.4.7
-     trunk patch: not sensible for trunk (unneeded backwards compatibility)
-     2.4.x patch: https://people.apache.org/~kbrand/mod_ssl-2.4.x-pphrase-certkeyfile-compat.diff
-     +1: kbrand, jkaluza, jim
-
    * mod_proxy_scgi: Support Unix sockets
      httpd patch: http://svn.apache.org/r1592529
      2.4.x patch: trunk patch works modulo CHANGES

Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml?rev=1593003&r1=1593002&r2=1593003&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml Wed May  7 12:52:55 2014
@@ -295,15 +295,15 @@ query can be done in two ways which can 
 <li><code>exec:/path/to/program</code>
     <p>
     Here an external program is configured which is called at startup for each
-    encrypted Private Key file.
-    For versions up to 2.4.7, it is called with two arguments (the first is
+    encrypted Private Key file. It is called with two arguments (the first is
     of the form ``<code>servername:portnumber</code>'', the second is either
-    ``<code>RSA</code>'', ``<code>DSA</code>'', or ``<code>ECC</code>''), which
+    ``<code>RSA</code>'', ``<code>DSA</code>'', ``<code>ECC</code>'' or an
+    integer index starting at 3 if more than three keys are configured), which
     indicate for which server and algorithm it has to print the corresponding
-    Pass Phrase to <code>stdout</code>.
-    Starting with version 2.4.9, it is called with one argument, a string of the
+    Pass Phrase to <code>stdout</code>. In versions 2.4.8 (unreleased)
+    and 2.4.9, it is called with one argument, a string of the
     form ``<code>servername:portnumber:index</code>'' (with <code>index</code>
-    being a zero-based sequence number), which indicate the server, TCP port
+    being a zero-based integer number), which indicate the server, TCP port
     and certificate number.  The intent is that this external
     program first runs security checks to make sure that the system is not
     compromised by an attacker, and only when these checks were passed

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c?rev=1593003&r1=1593002&r2=1593003&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c Wed May  7 12:52:55 2014
@@ -309,6 +309,34 @@ static void modssl_ctx_cfg_merge_proxy(a
     cfgMergeString(pkp->ca_cert_file);
 }
 
+static void modssl_ctx_cfg_merge_certkeys_array(apr_pool_t *p,
+                                                apr_array_header_t *base,
+                                                apr_array_header_t *add,
+                                                apr_array_header_t *mrg)
+{
+    int i;
+
+    /*
+     * pick up to CERTKEYS_IDX_MAX+1 entries from "add" (in which case they
+     * they "knock out" their corresponding entries in "base", emulating
+     * the behavior with cfgMergeString in releases up to 2.4.7)
+     */
+    for (i = 0; i < add->nelts && i <= CERTKEYS_IDX_MAX; i++) {
+        APR_ARRAY_PUSH(mrg, const char *) = APR_ARRAY_IDX(add, i, const char *);
+    }
+
+    /* add remaining ones from "base" */
+    while (i < base->nelts) {
+        APR_ARRAY_PUSH(mrg, const char *) = APR_ARRAY_IDX(base, i, const char *);
+        i++;
+    }
+
+    /* and finally, append the rest of "add" (if there are any) */
+    for (i = CERTKEYS_IDX_MAX+1; i < add->nelts; i++) {
+        APR_ARRAY_PUSH(mrg, const char *) = APR_ARRAY_IDX(add, i, const char *);
+    }
+}
+
 static void modssl_ctx_cfg_merge_server(apr_pool_t *p,
                                         modssl_ctx_t *base,
                                         modssl_ctx_t *add,
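Review bot: modssl_ctx_cfg_merge_certkeys_array only ever appends to `mrg`, so the result is correct only if `mrg` is empty on entry; nothing in the hunk establishes that, and the contract is worth stating above the first loop, e.g. `/* mrg must be empty on entry: entries are appended, never replaced */`. The `apr_pool_t *p` parameter is not used anywhere in the body; either drop it (and the argument at both call sites in the next hunk) or say in a comment why it is kept for parity with the other merge helpers. The comment in the first loop also repeats a word: `they they "knock out"`. The bound is written once as `i <= CERTKEYS_IDX_MAX` and once as `i = CERTKEYS_IDX_MAX+1`; using the same expression in both loops (`i < CERTKEYS_IDX_MAX + 1`) would make it obvious that the third loop resumes exactly where the first one stopped.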
@@ -316,8 +344,18 @@ static void modssl_ctx_cfg_merge_server(
 {
     modssl_ctx_cfg_merge(p, base, add, mrg);
 
-    cfgMergeArray(pks->cert_files);
-    cfgMergeArray(pks->key_files);
+    /*
+     * For better backwards compatibility with releases up to 2.4.7,
+     * merging global and vhost-level SSLCertificateFile and
+     * SSLCertificateKeyFile directives needs special treatment.
+     * See also PR 56306 and 56353.
+     */
+    modssl_ctx_cfg_merge_certkeys_array(p, base->pks->cert_files,
+                                        add->pks->cert_files,
+                                        mrg->pks->cert_files);
+    modssl_ctx_cfg_merge_certkeys_array(p, base->pks->key_files,
+                                        add->pks->key_files,
+                                        mrg->pks->key_files);
 
     cfgMergeString(pks->ca_name_path);
     cfgMergeString(pks->ca_name_file);
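Review bot: The two calls merge `cert_files` and `key_files` independently, so a vhost that overrides only SSLCertificateFile ends up with its own certificate at index 0 paired with the inherited key at index 0 from `base`; that matches what the cfgMergeString-era behaviour the comment refers to did, but the comment block should say so explicitly, because the re-pairing is silent at config time and only surfaces (presumably as a certificate/key mismatch) when the files are loaded later, outside this hunk. Suggested addition to the comment: `Note: both lists are merged independently; cert_files[i] is later paired with key_files[i], so overriding only one of the two directives in a vhost changes that pairing.` modssl_ctx_cfg_merge_server continues past the end of the hunk.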

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_pphrase.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_pphrase.c?rev=1593003&r1=1593002&r2=1593003&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_pphrase.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_pphrase.c Wed May  7 12:52:55 2014
@@ -43,6 +43,12 @@ typedef struct {
     const char         *pkey_file;
 } pphrase_cb_arg_t;
 
+#ifdef HAVE_ECC
+static const char *key_types[] = {"RSA", "DSA", "ECC"};
+#else
+static const char *key_types[] = {"RSA", "DSA"};
+#endif
+
 /*
  * Return true if the named file exists and is readable
  */
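Review bot: `key_types` has CERTKEYS_IDX_MAX+1 entries only by convention: both this array and the macro in ssl_private.h (last hunk) are switched on HAVE_ECC, yet the next hunk indexes `key_types[i]` after checking only `i < CERTKEYS_IDX_MAX+1`, so any future drift between the two would read past the array. A one-line comment on the array makes the coupling visible, `/* must hold exactly CERTKEYS_IDX_MAX+1 entries, see ssl_private.h */`; bounding the index by `sizeof(key_types) / sizeof(key_types[0])` at the use site would remove the dependency altogether.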
@@ -576,16 +582,29 @@ int ssl_pphrase_Handle_CB(char *buf, int
      */
     else if (sc->server->pphrase_dialog_type == SSL_PPTYPE_FILTER) {
         const char *cmd = sc->server->pphrase_dialog_path;
-        const char **argv = apr_palloc(ppcb_arg->p, sizeof(char *) * 3);
+        const char **argv = apr_palloc(ppcb_arg->p, sizeof(char *) * 4);
+        const char *idx = ap_strrchr_c(ppcb_arg->key_id, ':') + 1;
         char *result;
+        int i;
 
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb_arg->s, APLOGNO(01969)
                      "Init: Requesting pass phrase from dialog filter "
                      "program (%s)", cmd);
 
         argv[0] = cmd;
-        argv[1] = ppcb_arg->key_id;
-        argv[2] = NULL;
+        argv[1] = apr_pstrndup(ppcb_arg->p, ppcb_arg->key_id,
+                               idx-1 - ppcb_arg->key_id);
+        if ((i = atoi(idx)) < CERTKEYS_IDX_MAX+1) {
+            /*
+             * For compatibility with existing 2.4.x configurations, use
+             * "RSA", "DSA" and "ECC" strings for the first two/three keys
+             */
+            argv[2] = key_types[i];
+        } else {
+            /* Four and above: use the integer index */
+            argv[2] = apr_pstrdup(ppcb_arg->p, idx);
+        }
+        argv[3] = NULL;
 
         result = ssl_util_readfilter(ppcb_arg->s, ppcb_arg->p, cmd, argv);
         apr_cpystrn(buf, result, bufsize);
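Review bot: `idx` is computed as `ap_strrchr_c(ppcb_arg->key_id, ':') + 1` without checking for a NULL result, and `i = atoi(idx)` is then used as an index into `key_types` after a one-sided comparison: a non-numeric suffix silently selects "RSA" (atoi returns 0) and a negative one would read before the array. The key_id string is presumably built by mod_ssl itself in the `servername:portnumber:index` form the manual hunk describes, so this is a robustness rather than an input-validation concern, but the guard is cheap: `if ((i = atoi(idx)) >= 0 && i <= CERTKEYS_IDX_MAX) {`, and an `AP_DEBUG_ASSERT` on the ap_strrchr_c result before the `+ 1` would document the assumption. The enclosing ssl_pphrase_Handle_CB starts and ends outside the hunk.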

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h?rev=1593003&r1=1593002&r2=1593003&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h Wed May  7 12:52:55 2014
@@ -258,6 +258,16 @@ ap_set_module_config(c->conn_config, &ss
 #define DEFAULT_OCSP_TIMEOUT 10
 #endif
 
+/*
+ * For better backwards compatibility with the SSLCertificate[Key]File
+ * and SSLPassPhraseDialog ("exec" type) directives in 2.4.7 and earlier
+ */
+#ifdef HAVE_ECC
+#define CERTKEYS_IDX_MAX 2
+#else
+#define CERTKEYS_IDX_MAX 1
+#endif
+
 /**
  * Define the SSL options
  */