ssl_engine_pphrase.c revision c3e233736c4a453cbb2166a041f779e86230630a
967e5f3c25249c779575864692935627004d3f9eChristian Maeder/* Licensed to the Apache Software Foundation (ASF) under one or more
967e5f3c25249c779575864692935627004d3f9eChristian Maeder * contributor license agreements. See the NOTICE file distributed with
967e5f3c25249c779575864692935627004d3f9eChristian Maeder * this work for additional information regarding copyright ownership.
75a6279dbae159d018ef812185416cf6df386c10Till Mossakowski * The ASF licenses this file to You under the Apache License, Version 2.0
967e5f3c25249c779575864692935627004d3f9eChristian Maeder * (the "License"); you may not use this file except in compliance with
967e5f3c25249c779575864692935627004d3f9eChristian Maeder * the License. You may obtain a copy of the License at
967e5f3c25249c779575864692935627004d3f9eChristian Maeder *
89054b2b95a3f92e78324dc852f3d34704e2ca49Christian Maeder * http://www.apache.org/licenses/LICENSE-2.0
967e5f3c25249c779575864692935627004d3f9eChristian Maeder *
967e5f3c25249c779575864692935627004d3f9eChristian Maeder * Unless required by applicable law or agreed to in writing, software
967e5f3c25249c779575864692935627004d3f9eChristian Maeder * distributed under the License is distributed on an "AS IS" BASIS,
967e5f3c25249c779575864692935627004d3f9eChristian Maeder * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
967e5f3c25249c779575864692935627004d3f9eChristian Maeder * See the License for the specific language governing permissions and
967e5f3c25249c779575864692935627004d3f9eChristian Maeder * limitations under the License.
967e5f3c25249c779575864692935627004d3f9eChristian Maeder */
fd896e2068ad7e50aed66ac18c3720ea7ff2619fChristian Maeder
7221c71b38c871ce66eee4537cb681d468308dfbChristian Maeder/* _ _
34c05dd06c937d85e7f552e4ff0d36ca0393daeaChristian Maeder * _ __ ___ ___ __| | ___ ___| | mod_ssl
7221c71b38c871ce66eee4537cb681d468308dfbChristian Maeder * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
0a8ea95bcf0e3f84fed0b725c049ec2a956a4a28Christian Maeder * | | | | | | (_) | (_| | \__ \__ \ |
967e5f3c25249c779575864692935627004d3f9eChristian Maeder * |_| |_| |_|\___/ \__,_|___|___/___/_|
fd896e2068ad7e50aed66ac18c3720ea7ff2619fChristian Maeder * |_____|
fd896e2068ad7e50aed66ac18c3720ea7ff2619fChristian Maeder * ssl_engine_pphrase.c
997c56f3bc74a703043010978e5013fdb074d659Christian Maeder * Pass Phrase Dialog
967e5f3c25249c779575864692935627004d3f9eChristian Maeder */
9744c7d9fa61d255d5e73beec7edc3499522e9e2Till Mossakowski /* ``Treat your password like your
9744c7d9fa61d255d5e73beec7edc3499522e9e2Till Mossakowski toothbrush. Don't let anybody
fd896e2068ad7e50aed66ac18c3720ea7ff2619fChristian Maeder else use it, and get a new one
89054b2b95a3f92e78324dc852f3d34704e2ca49Christian Maeder every six months.''
fd896e2068ad7e50aed66ac18c3720ea7ff2619fChristian Maeder -- Clifford Stoll */
dea4c92f0c061d589c542d0640a18dab36dfbb46Christian Maeder#include "ssl_private.h"
fd896e2068ad7e50aed66ac18c3720ea7ff2619fChristian Maeder
/*
 * Check that the named file is a regular file that can be opened for reading.
 *
 * Returns APR_SUCCESS when apr_stat() succeeds, the file type is APR_REG and
 * apr_file_open() with APR_READ succeeds. Otherwise it returns the status of
 * the failing call, or APR_EGENERAL for anything that is not a regular file.
 * When mtime is non-NULL it receives the modification time reported by
 * apr_stat(), on the success path only.
 *
 * NOTE(review): the result describes the path at the time of the call only.
 * The type check and the open are separate lookups by name, and the callers
 * in this file open the same path again afterwards to parse it.
 */
static apr_status_t exists_and_readable(char *fname, apr_pool_t *pool, apr_time_t *mtime)
{
    apr_finfo_t info;
    apr_file_t *probe;
    apr_status_t rv;

    rv = apr_stat(&info, fname, APR_FINFO_MIN, pool);
    if (rv != APR_SUCCESS) {
        return rv;
    }

    /* anything but a regular file is rejected before it is opened */
    if (info.filetype != APR_REG) {
        return APR_EGENERAL;
    }

    rv = apr_file_open(&probe, fname, APR_READ, 0, pool);
    if (rv != APR_SUCCESS) {
        return rv;
    }

    if (mtime != NULL) {
        *mtime = info.mtime;
    }

    /* the handle was only needed to prove the file can be opened */
    apr_file_close(probe);
    return APR_SUCCESS;
}
0a8ea95bcf0e3f84fed0b725c049ec2a956a4a28Christian Maeder
0a8ea95bcf0e3f84fed0b725c049ec2a956a4a28Christian Maeder/*
0a8ea95bcf0e3f84fed0b725c049ec2a956a4a28Christian Maeder * reuse vhost keys for asn1 tables where keys are allocated out
0a8ea95bcf0e3f84fed0b725c049ec2a956a4a28Christian Maeder * of s->process->pool to prevent "leaking" each time we format
0a8ea95bcf0e3f84fed0b725c049ec2a956a4a28Christian Maeder * a vhost key. since the key is stored in a table with lifetime
0a8ea95bcf0e3f84fed0b725c049ec2a956a4a28Christian Maeder * of s->process->pool, the key needs to have the same lifetime.
0a8ea95bcf0e3f84fed0b725c049ec2a956a4a28Christian Maeder *
0a8ea95bcf0e3f84fed0b725c049ec2a956a4a28Christian Maeder * XXX: probably seems silly to use a hash table with keys and values
0a8ea95bcf0e3f84fed0b725c049ec2a956a4a28Christian Maeder * being the same, but it is easier than doing a linear search
239090e32b9079422ea1ce61197557e5b816f455Christian Maeder * and will make it easier to remove keys if needed in the future.
0a8ea95bcf0e3f84fed0b725c049ec2a956a4a28Christian Maeder * also have the problem with apr_array_header_t that if we
0a8ea95bcf0e3f84fed0b725c049ec2a956a4a28Christian Maeder * underestimate the number of vhost keys when we apr_array_make(),
0a8ea95bcf0e3f84fed0b725c049ec2a956a4a28Christian Maeder * the array will get resized when we push past the initial number
0a8ea95bcf0e3f84fed0b725c049ec2a956a4a28Christian Maeder * of elts. this resizing in the s->process->pool means "leaking"
0a8ea95bcf0e3f84fed0b725c049ec2a956a4a28Christian Maeder * since apr_array_push() will apr_alloc arr->nalloc * 2 elts,
7a879b08ae0ca30006f9be887a73212b07f10204Christian Maeder * leaving the original arr->elts to waste.
7a879b08ae0ca30006f9be887a73212b07f10204Christian Maeder */
static char *asn1_table_vhost_key(SSLModConfigRec *mc, apr_pool_t *p,
                                  char *id, char *an)
{
    /* Format "<id>:<an>" in 'p'. That pool is cleared on restarts (or
     * sooner), so this string only serves as the lookup probe. */
    char *probe = apr_psprintf(p, "%s:%s", id, an);
    char *interned = apr_hash_get(mc->tVHostKeys, probe, APR_HASH_KEY_STRING);

    if (interned != NULL) {
        return interned;
    }

    /* First request for this key: duplicate it into mc->pPool and store the
     * copy as both key and value, so later calls hand back the same copy. */
    interned = apr_pstrdup(mc->pPool, probe);
    apr_hash_set(mc->tVHostKeys, interned, APR_HASH_KEY_STRING, interned);

    return interned;
}
7a879b08ae0ca30006f9be887a73212b07f10204Christian Maeder
34c05dd06c937d85e7f552e4ff0d36ca0393daeaChristian Maeder/* _________________________________________________________________
34c05dd06c937d85e7f552e4ff0d36ca0393daeaChristian Maeder**
7a879b08ae0ca30006f9be887a73212b07f10204Christian Maeder** Pass Phrase and Private Key Handling
7a879b08ae0ca30006f9be887a73212b07f10204Christian Maeder** _________________________________________________________________
7a879b08ae0ca30006f9be887a73212b07f10204Christian Maeder*/
7a879b08ae0ca30006f9be887a73212b07f10204Christian Maeder
/* Number of failed pass phrase attempts after which ssl_pphrase_Handle()
 * sleeps before prompting again: (retries - BUILTIN_DIALOG_BACKOFF) * 5
 * seconds. */
#define BUILTIN_DIALOG_BACKOFF 2
/* Number of further attempts granted after a wrong pass phrase. */
#define BUILTIN_DIALOG_RETRIES 5

/* Channels to the pass phrase dialog. ssl_pipe_child_create() sets them to
 * the 'in' and 'out' files of the dialog child process; ssl_pphrase_Handle()
 * closes both and resets them to NULL before it returns normally. */
static apr_file_t *writetty = NULL;
static apr_file_t *readtty = NULL;

/*
 * sslc has a nasty flaw where its
 * PEM_read_bio_PrivateKey does not take a callback arg.
 * ssl_pphrase_Handle() stores its server_rec here before every key read so
 * that the sslc variant of the callback can pick it up.
 */
static server_rec *ssl_pphrase_server_rec = NULL;

/* Pass phrase callback handed to SSL_read_PrivateKey(); the sslc variant
 * has no user-data argument. */
#ifdef SSLC_VERSION_NUMBER
int ssl_pphrase_Handle_CB(char *, int, int);
#else
int ssl_pphrase_Handle_CB(char *, int, int, void *);
#endif
83814002b4922114cbe7e9ba728472a0bf44aac5Christian Maeder
/*
 * Return the pass phrase pointer stored at position idx, or NULL when idx
 * lies outside [0, arr->nelts).
 */
static char *pphrase_array_get(apr_array_header_t *arr, int idx)
{
    char **slots;

    if (idx >= 0 && idx < arr->nelts) {
        slots = (char **)arr->elts;
        return slots[idx];
    }

    return NULL;
}
83814002b4922114cbe7e9ba728472a0bf44aac5Christian Maeder
/*
 * Zero the used part of the array's element storage and mark it empty.
 *
 * NOTE(review): for the array built in ssl_pphrase_Handle() the elements are
 * char * pointers, so this overwrites the pointer slots only. The pass phrase
 * strings they pointed to are not touched by this function; confirm that the
 * bytes themselves are wiped elsewhere if that is the intent.
 */
static void pphrase_array_clear(apr_array_header_t *arr)
{
    int used = arr->nelts;

    arr->nelts = 0;
    if (used > 0) {
        memset(arr->elts, 0, arr->elt_size * used);
    }
}
dedabc954aa15f6ad0764472a9434dc6dafe3db2Christian Maeder
/*
 * Load the certificate(s) and private key(s) of every SSL-enabled server in
 * the list that starts at s, and store their DER encodings in
 * mc->tPublicCert and mc->tPrivateKey.
 *
 *   s  head of the server list; also handed to the pass phrase callback
 *   p  pool used for the pass phrase array and for key/ID strings
 *
 * Private keys are read with ssl_pphrase_Handle_CB as the pass phrase
 * callback. Pass phrases obtained on the way are collected in a local array
 * so that later keys can be tried with them before a new dialog is needed.
 * Every fatal condition is logged and followed by ssl_die().
 */
void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
{
    SSLModConfigRec *mc = myModConfig(s);
    SSLSrvConfigRec *sc;
    server_rec *pServ;
    char *cpVHostID;
    char szPath[MAX_STRING_LEN];
    EVP_PKEY *pPrivateKey;
    ssl_asn1_t *asn1;
    unsigned char *ucp;
    long int length;
    X509 *pX509Cert;
    BOOL bReadable;
    apr_array_header_t *aPassPhrase;
    int nPassPhrase;
    int nPassPhraseCur;
    char *cpPassPhraseCur;
    int nPassPhraseRetry;
    int nPassPhraseDialog;
    int nPassPhraseDialogCur;
    BOOL bPassPhraseDialogOnce;
    char **cpp;
    int i, j;
    ssl_algo_t algoCert, algoKey, at;
    char *an;
    char *cp;
    apr_time_t pkey_mtime = 0;
    apr_status_t rv;

    /*
     * Start with a fresh pass phrase array
     * (its elements are char * pointers to the pass phrases)
     */
    aPassPhrase = apr_array_make(p, 2, sizeof(char *));
    nPassPhrase = 0;
    nPassPhraseDialog = 0;

    /*
     * Walk through all configured servers
     */
    for (pServ = s; pServ != NULL; pServ = pServ->next) {
        sc = mySrvConfig(pServ);

        if (!sc->enabled)
            continue;

        cpVHostID = ssl_util_vhostid(p, pServ);
        ap_log_error(APLOG_MARK, APLOG_INFO, 0, pServ,
                     "Loading certificate & private key of SSL-aware server");

        /*
         * Read in server certificate(s): This is the easy part
         * because this file isn't encrypted in any way.
         */
        if (sc->server->pks->cert_files[0] == NULL
            && sc->server->pkcs7 == NULL) {
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, pServ,
                         "Server should be SSL-aware but has no certificate "
                         "configured [Hint: SSLCertificateFile] (%s:%d)",
                         pServ->defn_name, pServ->defn_line_number);
            ssl_die();
        }

        algoCert = SSL_ALGO_UNKNOWN;
        algoKey = SSL_ALGO_UNKNOWN;
        /* i indexes the certificate files, j the key files; with a PKCS#7
         * source the body runs once because i is forced to SSL_AIDX_MAX */
        for (i = 0, j = 0; i < SSL_AIDX_MAX
                 && (sc->server->pks->cert_files[i] != NULL
                     || sc->server->pkcs7); i++) {
            if (sc->server->pkcs7) {
                /* NOTE(review): certs is used without a NULL check and is
                 * not freed in this function; presumably ssl_read_pkcs7()
                 * does not return on failure - confirm. */
                STACK_OF(X509) *certs = ssl_read_pkcs7(pServ,
                                                       sc->server->pkcs7);
                pX509Cert = sk_X509_value(certs, 0);
                i = SSL_AIDX_MAX;
            } else {
                apr_cpystrn(szPath, sc->server->pks->cert_files[i],
                            sizeof(szPath));
                if ((rv = exists_and_readable(szPath, p, NULL))
                    != APR_SUCCESS) {
                    ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
                                 "Init: Can't open server certificate file %s",
                                 szPath);
                    ssl_die();
                }
                if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) {
                    ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                                 "Init: Unable to read server certificate from"
                                 " file %s", szPath);
                    ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
                    ssl_die();
                }
            }
            /*
             * check algorithm type of certificate and make
             * sure only one certificate per type is used.
             */
            at = ssl_util_algotypeof(pX509Cert, NULL);
            an = ssl_util_algotypestr(at);
            if (algoCert & at) {
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                             "Init: Multiple %s server certificates not "
                             "allowed", an);
                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
                ssl_die();
            }
            algoCert |= at;

            /*
             * Insert the certificate into global module configuration to let it
             * survive the processing between the 1st Apache API init round (where
             * we operate here) and the 2nd Apache init round (where the
             * certificate is actually used to configure mod_ssl's per-server
             * configuration structures).
             *
             * NOTE(review): i2d_X509() reports failure with a negative
             * return value; length is passed on without being checked.
             */
            cp = asn1_table_vhost_key(mc, p, cpVHostID, an);
            length = i2d_X509(pX509Cert, NULL);
            ucp = ssl_asn1_table_set(mc->tPublicCert, cp, length);
            (void)i2d_X509(pX509Cert, &ucp); /* 2nd arg increments */

            /*
             * Free the X509 structure
             *
             * NOTE(review): in the pkcs7 branch pX509Cert was obtained with
             * sk_X509_value(), which does not take a reference of its own;
             * confirm the stack is not used or freed after this point.
             */
            X509_free(pX509Cert);

            /*
             * Read in the private key: This is the non-trivial part, because the
             * key is typically encrypted, so a pass phrase dialog has to be used
             * to request it from the user (or it has to be alternatively gathered
             * from a dialog program).  The important point here is that ISPs
             * usually have hundreds of virtual servers configured and a lot of
             * them use SSL, so really we have to minimize the pass phrase
             * dialogs.
             *
             * The idea is this: When N virtual hosts are configured and all of
             * them use encrypted private keys with different pass phrases, we
             * have no chance and have to pop up N pass phrase dialogs. But
             * usually the admin is clever enough and uses the same pass phrase
             * for more private key files (typically he even uses one single pass
             * phrase for all). When this is the case we can minimize the dialogs
             * by trying to re-use already known/entered pass phrases.
             */
            /* when no key file is configured for this slot, szPath keeps its
             * previous contents (the certificate path in the file branch) */
            if (sc->server->pks->key_files[j] != NULL)
                apr_cpystrn(szPath, sc->server->pks->key_files[j++], sizeof(szPath));

            /*
             * Try to read the private key file with the help of
             * the callback function which serves the pass
             * phrases to OpenSSL
             *
             * The loop state is published to the callback through numbered
             * context slots of the module configuration; the callback reads
             * the same slot numbers back.
             */
            myCtxVarSet(mc,  1, pServ);
            myCtxVarSet(mc,  2, p);
            myCtxVarSet(mc,  3, aPassPhrase);
            myCtxVarSet(mc,  4, &nPassPhraseCur);
            myCtxVarSet(mc,  5, &cpPassPhraseCur);
            myCtxVarSet(mc,  6, cpVHostID);
            myCtxVarSet(mc,  7, an);
            myCtxVarSet(mc,  8, &nPassPhraseDialog);
            myCtxVarSet(mc,  9, &nPassPhraseDialogCur);
            myCtxVarSet(mc, 10, &bPassPhraseDialogOnce);

            nPassPhraseCur        = 0;
            nPassPhraseRetry      = 0;
            nPassPhraseDialogCur  = 0;
            bPassPhraseDialogOnce = TRUE;

            pPrivateKey = NULL;

            for (;;) {
                /*
                 * Try to read the private key file with the help of
                 * the callback function which serves the pass
                 * phrases to OpenSSL
                 */
                if ((rv = exists_and_readable(szPath, p,
                                              &pkey_mtime)) != APR_SUCCESS ) {
                    ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
                                 "Init: Can't open server private key file "
                                 "%s",szPath);
                    ssl_die();
                }

                /*
                 * if the private key is encrypted and SSLPassPhraseDialog
                 * is configured to "builtin" it isn't possible to prompt for
                 * a password after httpd has detached from the tty.
                 * in this case if we already have a private key and the
                 * file name/mtime hasn't changed, then reuse the existing key.
                 * we also reuse existing private keys that were encrypted for
                 * exec: and pipe: dialogs to minimize chances to snoop the
                 * password.  that and pipe: dialogs might prompt the user
                 * for password, which on win32 for example could happen 4
                 * times at startup.  twice for each child and twice within
                 * each since apache "restarts itself" on startup.
                 * of course this will not work for the builtin dialog if
                 * the server was started without LoadModule ssl_module
                 * configured, then restarted with it configured.
                 * but we fall through with a chance of success if the key
                 * is not encrypted or can be handled via exec or pipe dialog.
                 * and in the case of fallthrough, pkey_mtime and isatty()
                 * are used to give a better idea as to what failed.
                 */
                if (pkey_mtime) {
                    /* these declarations shadow the function-level i and asn1 */
                    int i;

                    for (i=0; i < SSL_AIDX_MAX; i++) {
                        const char *key_id =
                            ssl_asn1_table_keyfmt(p, cpVHostID, i);
                        ssl_asn1_t *asn1 =
                            ssl_asn1_table_get(mc->tPrivateKey, key_id);

                        if (asn1 && (asn1->source_mtime == pkey_mtime)) {
                            ap_log_error(APLOG_MARK, APLOG_INFO,
                                         0, pServ,
                                         "%s reusing existing "
                                         "%s private key on restart",
                                         cpVHostID, ssl_asn1_keystr(i));
                            /* NOTE(review): this leaves the whole function,
                             * not just the retry loop: the remaining
                             * certificates and servers are not visited, and
                             * the pass phrase array clearing and the pipe
                             * close at the end are skipped on this path. */
                            return;
                        }
                    }
                }

                cpPassPhraseCur = NULL;
                ssl_pphrase_server_rec = s; /* to make up for sslc flaw */

                /* Ensure that the error stack is empty; some SSL
                 * functions will fail spuriously if the error stack
                 * is not empty. */
                ERR_clear_error();

                bReadable = ((pPrivateKey = SSL_read_PrivateKey(szPath, NULL,
                            ssl_pphrase_Handle_CB, s)) != NULL ? TRUE : FALSE);

                /*
                 * when the private key file now was readable,
                 * it's fine and we go out of the loop
                 */
                if (bReadable)
                   break;

                /*
                 * when we have more remembered pass phrases
                 * try to reuse these first.
                 */
                if (nPassPhraseCur < nPassPhrase) {
                    nPassPhraseCur++;
                    continue;
                }

                /*
                 * else it's not readable and we have no more
                 * remembered pass phrases. Then this has to mean
                 * that the callback function popped up the dialog
                 * but a wrong pass phrase was entered.  We give the
                 * user (but not the dialog program) a few more
                 * chances...
                 */
#ifndef WIN32
                if ((sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
                       || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE)
#else
                if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE
#endif
                    && cpPassPhraseCur != NULL
                    && nPassPhraseRetry < BUILTIN_DIALOG_RETRIES ) {
                    /* NOTE(review): writetty is used here without the NULL
                     * check that guards the other writetty messages below;
                     * presumably the dialog that set cpPassPhraseCur also
                     * set writetty - confirm. */
                    apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect "
                            "(%d more retr%s permitted).\n",
                            (BUILTIN_DIALOG_RETRIES-nPassPhraseRetry),
                            (BUILTIN_DIALOG_RETRIES-nPassPhraseRetry) == 1 ? "y" : "ies");
                    nPassPhraseRetry++;
                    /* past BUILTIN_DIALOG_BACKOFF failures each further
                     * attempt is delayed by another 5 seconds */
                    if (nPassPhraseRetry > BUILTIN_DIALOG_BACKOFF)
                        apr_sleep((nPassPhraseRetry-BUILTIN_DIALOG_BACKOFF)
                                    * 5 * APR_USEC_PER_SEC);
                    continue;
                }
#ifdef WIN32
                if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN) {
                    ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                                 "Init: SSLPassPhraseDialog builtin is not "
                                 "supported on Win32 (key file "
                                 "%s)", szPath);
                    ssl_die();
                }
#endif /* WIN32 */

                /*
                 * Ok, anything else now means a fatal error.
                 */
                if (cpPassPhraseCur == NULL) {
                    if (nPassPhraseDialogCur && pkey_mtime &&
                        !isatty(fileno(stdout))) /* XXX: apr_isatty() */
                    {
                        ap_log_error(APLOG_MARK, APLOG_ERR, 0,
                                     pServ,
                                     "Init: Unable to read pass phrase "
                                     "[Hint: key introduced or changed "
                                     "before restart?]");
                        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, pServ);
                    }
                    else {
                        ap_log_error(APLOG_MARK, APLOG_ERR, 0,
                                     pServ, "Init: Private key not found");
                        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, pServ);
                    }
                    if (writetty) {
                        apr_file_printf(writetty, "Apache:mod_ssl:Error: Private key not found.\n");
                        apr_file_printf(writetty, "**Stopped\n");
                    }
                }
                else {
                    ap_log_error(APLOG_MARK, APLOG_ERR, 0,
                                 pServ, "Init: Pass phrase incorrect");
                    ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, pServ);

                    if (writetty) {
                        apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect.\n");
                        apr_file_printf(writetty, "**Stopped\n");
                    }
                }
                ssl_die();
            }

            if (pPrivateKey == NULL) {
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                            "Init: Unable to read server private key from "
                            "file %s [Hint: Perhaps it is in a separate file? "
                            " See SSLCertificateKeyFile]", szPath);
                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
                ssl_die();
            }

            /*
             * check algorithm type of private key and make
             * sure only one private key per type is used.
             */
            at = ssl_util_algotypeof(NULL, pPrivateKey);
            an = ssl_util_algotypestr(at);
            if (algoKey & at) {
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                             "Init: Multiple %s server private keys not "
                             "allowed", an);
                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
                ssl_die();
            }
            algoKey |= at;

            /*
             * Log the type of reading
             * (only the key type and how the pass phrase was obtained are
             * logged, never the pass phrase itself)
             */
            if (nPassPhraseDialogCur == 0) {
                ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, pServ,
                             "unencrypted %s private key - pass phrase not "
                             "required", an);
            }
            else {
                if (cpPassPhraseCur != NULL) {
                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
                                 pServ,
                                 "encrypted %s private key - pass phrase "
                                 "requested", an);
                }
                else {
                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
                                 pServ,
                                 "encrypted %s private key - pass phrase"
                                 " reused", an);
                }
            }

            /*
             * Ok, when we have one more pass phrase store it
             */
            if (cpPassPhraseCur != NULL) {
                cpp = (char **)apr_array_push(aPassPhrase);
                *cpp = cpPassPhraseCur;
                nPassPhrase++;
            }

            /*
             * Insert private key into the global module configuration
             * (we convert it to a stand-alone DER byte sequence
             * because the SSL library uses static variables inside a
             * RSA structure which do not survive DSO reloads!)
             *
             * The stored bytes are the decrypted key. As with the
             * certificate above, the negative (error) return of
             * i2d_PrivateKey() is not checked before length is used.
             */
            cp = asn1_table_vhost_key(mc, p, cpVHostID, an);
            length = i2d_PrivateKey(pPrivateKey, NULL);
            ucp = ssl_asn1_table_set(mc->tPrivateKey, cp, length);
            (void)i2d_PrivateKey(pPrivateKey, &ucp); /* 2nd arg increments */

            if (nPassPhraseDialogCur != 0) {
                /* remember mtime of encrypted keys */
                asn1 = ssl_asn1_table_get(mc->tPrivateKey, cp);
                asn1->source_mtime = pkey_mtime;
            }

            /*
             * Free the private key structure
             */
            EVP_PKEY_free(pPrivateKey);
        }
    }

    /*
     * Let the user know when we're successful.
     */
    if (nPassPhraseDialog > 0) {
        /* sc is assigned here but not read again in this function */
        sc = mySrvConfig(s);
        if (writetty) {
            apr_file_printf(writetty, "\n"
                            "OK: Pass Phrase Dialog successful.\n");
        }
    }

    /*
     * Wipe out the used memory from the
     * pass phrase array and then deallocate it
     *
     * NOTE(review): pphrase_array_clear() zeroes the array's element
     * storage, which holds char * pointers; the pass phrase strings they
     * point to are not overwritten here, so the log message below claims
     * more than this call does - confirm where the bytes are wiped.
     */
    if (aPassPhrase->nelts) {
        pphrase_array_clear(aPassPhrase);
        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                     "Init: Wiped out the queried pass phrases from memory");
    }

    /* Close the pipes if they were opened
     */
    if (readtty) {
        apr_file_close(readtty);
        apr_file_close(writetty);
        readtty = writetty = NULL;
    }
    return;
}
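/*
 * Start the external pass phrase dialog program and connect to it by pipes.
 *
 * progname is split into an argument vector with apr_tokenize_to_argv(); the
 * first token is the program to run. On success the child's 'in' file is
 * stored in writetty and its 'out' file in readtty.
 *
 * Returns APR_SUCCESS, the status of the failing APR call, or APR_EINVAL when
 * progname is NULL or contains no program name.
 *
 * NOTE(review): at the call site in this file progname is the configured
 * pphrase_dialog_path, so whoever can edit the server configuration chooses
 * the program that is run here.
 */
static apr_status_t ssl_pipe_child_create(apr_pool_t *p, const char *progname)
{
    apr_status_t rc;
    apr_procattr_t *procattr;
    apr_proc_t *procnew;
    char **args = NULL;
    const char *pname;

    if (progname == NULL) {
        return APR_EINVAL;
    }

    rc = apr_procattr_create(&procattr, p);
    if (rc != APR_SUCCESS) {
        return rc;
    }

    /* blocking pipes for the child's input and output, none for its errors */
    rc = apr_procattr_io_set(procattr,
                             APR_FULL_BLOCK,
                             APR_FULL_BLOCK,
                             APR_NO_PIPE);
    if (rc != APR_SUCCESS) {
        return rc;
    }

    rc = apr_tokenize_to_argv(progname, &args, p);
    if (rc != APR_SUCCESS) {
        return rc;
    }

    /* An empty or all-blank command line yields no argv[0]. Fail here
     * instead of handing a NULL program name to apr_proc_create(). */
    if (args == NULL || args[0] == NULL) {
        return APR_EINVAL;
    }

    pname = apr_pstrdup(p, args[0]);
    procnew = apr_pcalloc(p, sizeof(*procnew));
    rc = apr_proc_create(procnew, pname, (const char * const *)args,
                         NULL, procattr, p);
    if (rc == APR_SUCCESS) {
        /* XXX: not sure if we ought to...
         * apr_pool_note_subprocess(p, procnew, APR_KILL_AFTER_TIMEOUT);
         */
        writetty = procnew->in;
        readtty = procnew->out;
    }

    return rc;
}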
/*
 * Prompt for a pass phrase over the dialog pipe and read one line of reply.
 *
 * Writes prompt to writetty, reads a line of at most length bytes from
 * readtty into buf, then writes an end-of-line to writetty. Returns 0 with
 * the reply in buf (the first '\n', and on WIN32 the first '\r', replaced by
 * a terminator), or 1 with buf zeroed when the read fails or the pipe is at
 * end of file. The verify argument is not used.
 *
 * NOTE(review): a reply that does not fit into buf is not reported as an
 * error here; presumably the remainder stays unread in the pipe - confirm.
 */
static int pipe_get_passwd_cb(char *buf, int length, char *prompt, int verify)
{
    apr_status_t status;
    char *eol;

    apr_file_puts(prompt, writetty);

    /* start from an empty string so a failed read leaves nothing stale */
    *buf = '\0';
    status = apr_file_gets(buf, length, readtty);
    apr_file_puts(APR_EOL_STR, writetty);

    if (status == APR_SUCCESS && !apr_file_eof(readtty)) {
        eol = strchr(buf, '\n');
        if (eol != NULL) {
            *eol = '\0';
        }
#ifdef WIN32
        /* XXX: apr_sometest */
        eol = strchr(buf, '\r');
        if (eol != NULL) {
            *eol = '\0';
        }
#endif
        return 0;
    }

    /* do not leave a partial reply behind on failure */
    memset(buf, 0, length);
    return 1;  /* failure */
}
/*
 * Pass phrase callback: fills buf (bufsize bytes) with a pass phrase and
 * returns its length to OpenSSL.
 *
 * Sources, in order: a remembered pass phrase from the aPassPhrase array;
 * otherwise the builtin terminal dialog or the piped dialog child;
 * otherwise the external filter program, as selected by
 * sc->server->pphrase_dialog_type.
 *
 * The explicit failure paths raise PEM_R_PROBLEMS_GETTING_PASSWORD, zero
 * buf and return -1.
 *
 * verify is part of the callback signature but is never read here.
 * In the SSLC build there is no user-data argument, so srv is taken from
 * ssl_pphrase_server_rec instead.
 */
#ifdef SSLC_VERSION_NUMBER
int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify)
{
void *srv = ssl_pphrase_server_rec;
#else
int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
{
#endif
SSLModConfigRec *mc;
server_rec *s;
apr_pool_t *p;
apr_array_header_t *aPassPhrase;
SSLSrvConfigRec *sc;
int *pnPassPhraseCur;
char **cppPassPhraseCur;
char *cpVHostID;
char *cpAlgoType;
int *pnPassPhraseDialog;
int *pnPassPhraseDialogCur;
BOOL *pbPassPhraseDialogOnce;
char *cpp;
/* len stays -1 unless one of the branches below produces a pass phrase */
int len = -1;
mc = myModConfig((server_rec *)srv);
/*
 * Reconnect to the context of ssl_phrase_Handle()
 *
 * The slot numbers and types must match what the caller stored in the
 * module config; that side is not visible from this function.
 */
s = myCtxVarGet(mc, 1, server_rec *);
p = myCtxVarGet(mc, 2, apr_pool_t *);
aPassPhrase = myCtxVarGet(mc, 3, apr_array_header_t *);
pnPassPhraseCur = myCtxVarGet(mc, 4, int *);
cppPassPhraseCur = myCtxVarGet(mc, 5, char **);
cpVHostID = myCtxVarGet(mc, 6, char *);
cpAlgoType = myCtxVarGet(mc, 7, char *);
pnPassPhraseDialog = myCtxVarGet(mc, 8, int *);
pnPassPhraseDialogCur = myCtxVarGet(mc, 9, int *);
pbPassPhraseDialogOnce = myCtxVarGet(mc, 10, BOOL *);
sc = mySrvConfig(s);
/* Count this invocation in both dialog counters owned by the caller. */
(*pnPassPhraseDialog)++;
(*pnPassPhraseDialogCur)++;
/*
 * When remembered pass phrases are available use them...
 *
 * This returns early, so *cppPassPhraseCur is not updated on this path.
 * apr_cpystrn() copies at most bufsize - 1 characters; a longer remembered
 * pass phrase would be handed back truncated.
 */
if ((cpp = pphrase_array_get(aPassPhrase, *pnPassPhraseCur)) != NULL) {
apr_cpystrn(buf, cpp, bufsize);
len = strlen(buf);
return len;
}
/*
 * Builtin or Pipe dialog
 */
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
char *prompt;
int i;
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
/*
 * The dialog child is started once; readtty stays set afterwards, so
 * later calls reuse the same pipes. The program that gets executed is
 * sc->server->pphrase_dialog_path from the server configuration.
 */
if (!readtty) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Init: Creating pass phrase dialog pipe child "
"'%s'", sc->server->pphrase_dialog_path);
if (ssl_pipe_child_create(p, sc->server->pphrase_dialog_path)
!= APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Init: Failed to create pass phrase pipe '%s'",
sc->server->pphrase_dialog_path);
PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
/* clear the caller's buffer so no stale content is taken for a pass phrase */
memset(buf, 0, (unsigned int)bufsize);
return (-1);
}
}
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Init: Requesting pass phrase via piped dialog");
}
else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */
#ifdef WIN32
/* The builtin terminal dialog always fails on WIN32 builds. */
PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
memset(buf, 0, (unsigned int)bufsize);
return (-1);
#else
/*
 * stderr has already been redirected to the error_log.
 * rather than attempting to temporarily rehook it to the terminal,
 * we print the prompt to stdout before EVP_read_pw_string turns
 * off tty echo
 *
 * NOTE(review): the return value of apr_file_open_stdout() is not
 * checked, and writetty is written to right below.
 */
apr_file_open_stdout(&writetty, p);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Init: Requesting pass phrase via builtin terminal "
"dialog");
#endif
}
/*
 * The first time display a header to inform the user about what
 * program he actually speaks to, which module is responsible for
 * this terminal dialog and why to the hell he has to enter
 * something...
 */
if (*pnPassPhraseDialog == 1) {
apr_file_printf(writetty, "%s mod_ssl/%s (Pass Phrase Dialog)\n",
AP_SERVER_BASEVERSION, MOD_SSL_VERSION);
apr_file_printf(writetty, "Some of your private key files are encrypted for security reasons.\n");
apr_file_printf(writetty, "In order to read them you have to provide the pass phrases.\n");
}
/* Print the "Server <vhost> (<algo>)" line once, then clear the flag. */
if (*pbPassPhraseDialogOnce) {
*pbPassPhraseDialogOnce = FALSE;
apr_file_printf(writetty, "\n");
apr_file_printf(writetty, "Server %s (%s)\n", cpVHostID, cpAlgoType);
}
/*
 * Emulate the OpenSSL internal pass phrase dialog
 * (see crypto/pem/pem_lib.c:def_callback() for details)
 *
 * The loop repeats until a non-empty pass phrase has been read or the
 * reader reports a failure; there is no retry limit in this function.
 */
prompt = "Enter pass phrase:";
for (;;) {
apr_file_puts(prompt, writetty);
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
i = pipe_get_passwd_cb(buf, bufsize, "", FALSE);
}
else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */
i = EVP_read_pw_string(buf, bufsize, "", FALSE);
}
if (i != 0) {
PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
memset(buf, 0, (unsigned int)bufsize);
return (-1);
}
len = strlen(buf);
if (len < 1)
apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase empty (needs to be at least 1 character).\n");
else
break;
}
}
/*
 * Filter program
 *
 * The program named by pphrase_dialog_path is run with the vhost id and
 * the algorithm type as its two arguments, and whatever
 * ssl_util_readfilter() returns is taken as the pass phrase.
 *
 * NOTE(review): result is copied without a check. If the helper can
 * return NULL or an empty string when the program fails (not visible
 * here), that failure is indistinguishable from an empty pass phrase:
 * len would be 0 and no PEM error is raised. Unlike the dialog branch,
 * this branch does not insist on at least one character.
 */
else if (sc->server->pphrase_dialog_type == SSL_PPTYPE_FILTER) {
const char *cmd = sc->server->pphrase_dialog_path;
const char **argv = apr_palloc(p, sizeof(char *) * 4);
char *result;
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Init: Requesting pass phrase from dialog filter "
"program (%s)", cmd);
argv[0] = cmd;
argv[1] = cpVHostID;
argv[2] = cpAlgoType;
argv[3] = NULL;
result = ssl_util_readfilter(s, p, cmd, argv);
apr_cpystrn(buf, result, bufsize);
len = strlen(buf);
}
/*
 * Ok, we now have the pass phrase, so give it back
 *
 * The copy is allocated from pool p and published through
 * *cppPassPhraseCur; nothing in this function clears it, so the plain
 * text pass phrase stays in pool memory after the callback returns.
 *
 * NOTE(review): this line is also reached when the dialog type matched
 * none of the branches above (len still -1); buf was not written by this
 * function in that case, yet it is duplicated here.
 */
*cppPassPhraseCur = apr_pstrdup(p, buf);
/*
 * And return its length to OpenSSL...
 */
return (len);
}