ssl_engine_pphrase.c [plain text]
#include "ssl_private.h"
/*
 * Pre-flight check that `fname` names a regular file which can be opened
 * for reading.
 *
 * Returns the failing APR status from apr_stat()/apr_file_open(),
 * APR_EGENERAL when the path is not a regular file, and APR_SUCCESS
 * otherwise.  When `mtime` is non-NULL and the file could be opened, the
 * modification time reported by apr_stat() is stored through it.
 *
 * The handle opened here is closed again before returning, so callers
 * re-open the file by path afterwards: the result describes the file at
 * the time of the check only, and the mtime comes from the earlier
 * apr_stat() call rather than from the opened handle.
 */
static apr_status_t exists_and_readable(char *fname, apr_pool_t *pool, apr_time_t *mtime)
{
    apr_finfo_t info;
    apr_file_t *fh;
    apr_status_t rc;

    rc = apr_stat(&info, fname, APR_FINFO_MIN, pool);
    if (rc != APR_SUCCESS) {
        return rc;
    }

    /* Directories, devices, FIFOs etc. are rejected outright. */
    if (info.filetype != APR_REG) {
        return APR_EGENERAL;
    }

    rc = apr_file_open(&fh, fname, APR_READ, 0, pool);
    if (rc != APR_SUCCESS) {
        return rc;
    }

    if (mtime != NULL) {
        *mtime = info.mtime;
    }

    apr_file_close(fh);
    return APR_SUCCESS;
}
/*
 * Return the interned "<id>:<an>" key string for the per-vhost ASN.1
 * tables.
 *
 * The candidate key is formatted in pool `p`; if mc->tVHostKeys already
 * holds an equal string that stored pointer is returned, otherwise the
 * key is duplicated into mc->pPool, registered in the hash (key and value
 * are the same pointer) and returned.
 */
static char *asn1_table_vhost_key(SSLModConfigRec *mc, apr_pool_t *p,
                                  char *id, char *an)
{
    char *lookup = apr_psprintf(p, "%s:%s", id, an);
    void *interned = apr_hash_get(mc->tVHostKeys, lookup,
                                  APR_HASH_KEY_STRING);

    if (interned != NULL) {
        return (char *)interned;
    }

    /* First use of this key: keep a copy in the module's own pool. */
    interned = apr_pstrdup(mc->pPool, lookup);
    apr_hash_set(mc->tVHostKeys, interned, APR_HASH_KEY_STRING, interned);

    return (char *)interned;
}
/*
 * Retry policy for the builtin/pipe pass phrase dialog, as used by
 * ssl_pphrase_Handle(): once the retry counter exceeds
 * BUILTIN_DIALOG_BACKOFF each further wrong pass phrase is followed by a
 * sleep, and no more than BUILTIN_DIALOG_RETRIES re-prompts are offered.
 */
#define BUILTIN_DIALOG_BACKOFF 2
#define BUILTIN_DIALOG_RETRIES 5
/*
 * File handles of the pass phrase dialog.  ssl_pipe_child_create() sets
 * them to the child's stdin (writetty) and stdout (readtty); the builtin
 * dialog opens writetty on stdout and leaves readtty NULL.
 */
static apr_file_t *writetty = NULL;
static apr_file_t *readtty = NULL;
/*
 * server_rec handed to the callback in builds where the callback has no
 * user-data argument (SSLC_VERSION_NUMBER defined).
 */
static server_rec *ssl_pphrase_server_rec = NULL;
/* Pass phrase callback; the signature depends on the crypto toolkit. */
#ifdef SSLC_VERSION_NUMBER
int ssl_pphrase_Handle_CB(char *, int, int);
#else
int ssl_pphrase_Handle_CB(char *, int, int, void *);
#endif
/*
 * Bounds-checked read of slot `idx` from an array of char * entries.
 *
 * Returns the stored pointer, or NULL when `idx` is negative or not
 * below arr->nelts.
 */
static char *pphrase_array_get(apr_array_header_t *arr, int idx)
{
    char **slots;

    if (idx >= 0 && idx < arr->nelts) {
        slots = (char **)arr->elts;
        return slots[idx];
    }

    return NULL;
}
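/*
 * Scrub and empty a pass phrase array.
 *
 * The array holds char * slots (pphrase_array_get() reads it that way),
 * so zeroing arr->elts alone only erases the pointers and leaves the pass
 * phrase bytes they refer to intact in pool memory.  Each referenced
 * string is therefore overwritten first, then the slots are zeroed and
 * the element count is reset.
 *
 * Only strings still referenced from the array are reached; other copies
 * of a pass phrase that may exist elsewhere are outside this function's
 * view.
 */
static void pphrase_array_clear(apr_array_header_t *arr)
{
    if (arr->nelts > 0) {
        /* Treat the elements as strings only when the slot size matches. */
        if ((size_t)arr->elt_size == sizeof(char *)) {
            char **slots = (char **)arr->elts;
            int i;

            for (i = 0; i < arr->nelts; i++) {
                if (slots[i] != NULL) {
                    /*
                     * Write through a volatile pointer so the compiler
                     * cannot drop the stores as dead.
                     */
                    volatile char *vp = slots[i];
                    size_t remaining = strlen(slots[i]);

                    while (remaining-- > 0) {
                        *vp++ = '\0';
                    }
                }
            }
        }
        memset(arr->elts, 0, arr->elt_size * arr->nelts);
    }
    arr->nelts = 0;
}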
/*
 * Load the certificate(s) and private key(s) of every SSL-enabled server
 * in the list starting at `s`, asking for pass phrases where a key cannot
 * be read without one.
 *
 * For each configured certificate file the X.509 certificate is read and
 * its DER encoding is stored in mc->tPublicCert; the matching private key
 * is read (through ssl_pphrase_Handle_CB) and its DER encoding is stored
 * in mc->tPrivateKey.  Both tables are keyed by "<vhost id>:<algorithm>".
 * Every fatal condition ends in ssl_die().
 *
 * Security-relevant points for reviewers:
 *  - the private key is serialised with i2d_PrivateKey(), i.e. the table
 *    holds the key in decrypted form;
 *  - pass phrases entered during the dialog are kept in aPassPhrase (pool
 *    `p`) so they can be retried against later keys, and are cleared at
 *    the end of the function;
 *  - one code path returns early and skips that clean-up (see the
 *    NOTE(review) at the "reusing existing" branch).
 */
void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
{
SSLModConfigRec *mc = myModConfig(s);
SSLSrvConfigRec *sc;
server_rec *pServ;
char *cpVHostID;
char szPath[MAX_STRING_LEN];
EVP_PKEY *pPrivateKey;
ssl_asn1_t *asn1;
unsigned char *ucp;
long int length;
X509 *pX509Cert;
BOOL bReadable;
apr_array_header_t *aPassPhrase;
int nPassPhrase;
int nPassPhraseCur;
char *cpPassPhraseCur;
int nPassPhraseRetry;
int nPassPhraseDialog;
int nPassPhraseDialogCur;
BOOL bPassPhraseDialogOnce;
char **cpp;
int i, j;
ssl_algo_t algoCert, algoKey, at;
char *an;
char *cp;
apr_time_t pkey_mtime = 0;
int isterm = 1;
apr_status_t rv;
/* Pass phrases that worked so far; each slot is a char * into pool p. */
aPassPhrase = apr_array_make(p, 2, sizeof(char *));
nPassPhrase = 0;
nPassPhraseDialog = 0;
/* Walk the main server and all virtual hosts; skip those without SSL. */
for (pServ = s; pServ != NULL; pServ = pServ->next) {
sc = mySrvConfig(pServ);
if (!sc->enabled)
continue;
cpVHostID = ssl_util_vhostid(p, pServ);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, pServ,
"Loading certificate & private key of SSL-aware server");
/* An SSL-enabled server without any certificate file is fatal. */
if (sc->server->pks->cert_files[0] == NULL) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, pServ,
"Server should be SSL-aware but has no certificate "
"configured [Hint: SSLCertificateFile] (%s:%d)",
pServ->defn_name, pServ->defn_line_number);
ssl_die();
}
/* Bit sets of the algorithm types already seen for this server. */
algoCert = SSL_ALGO_UNKNOWN;
algoKey = SSL_ALGO_UNKNOWN;
/* i indexes certificate files, j indexes key files (advanced only when one is configured). */
for (i = 0, j = 0; i < SSL_AIDX_MAX && sc->server->pks->cert_files[i] != NULL; i++) {
/* apr_cpystrn bounds the copy by sizeof(szPath); a longer path is truncated. */
apr_cpystrn(szPath, sc->server->pks->cert_files[i], sizeof(szPath));
if ((rv = exists_and_readable(szPath, p, NULL)) != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
"Init: Can't open server certificate file %s",
szPath);
ssl_die();
}
if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Init: Unable to read server certificate from file %s", szPath);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
/* Only one certificate per algorithm type is accepted for a server. */
at = ssl_util_algotypeof(pX509Cert, NULL);
an = ssl_util_algotypestr(at);
if (algoCert & at) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Init: Multiple %s server certificates not "
"allowed", an);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
algoCert |= at;
/*
 * Store the certificate's DER encoding: the first i2d_X509 call (NULL
 * output) yields the length, the second writes into the table buffer.
 * NOTE(review): a negative length from i2d_X509 is not checked before it
 * is passed to ssl_asn1_table_set.
 */
cp = asn1_table_vhost_key(mc, p, cpVHostID, an);
length = i2d_X509(pX509Cert, NULL);
ucp = ssl_asn1_table_set(mc->tPublicCert, cp, length);
(void)i2d_X509(pX509Cert, &ucp);
X509_free(pX509Cert);
/*
 * If no separate key file is configured for this slot, szPath keeps the
 * certificate path and the key is looked for in that same file.
 */
if (sc->server->pks->key_files[j] != NULL)
apr_cpystrn(szPath, sc->server->pks->key_files[j++], sizeof(szPath));
/*
 * Hand the dialog state to ssl_pphrase_Handle_CB through the module
 * config's context slots 1..10.  Several slots carry addresses of locals
 * of this function, which are only valid while this call is running
 * (presumably myCtxVarSet stores the pointer as given - confirm).
 */
myCtxVarSet(mc, 1, pServ);
myCtxVarSet(mc, 2, p);
myCtxVarSet(mc, 3, aPassPhrase);
myCtxVarSet(mc, 4, &nPassPhraseCur);
myCtxVarSet(mc, 5, &cpPassPhraseCur);
myCtxVarSet(mc, 6, cpVHostID);
myCtxVarSet(mc, 7, an);
myCtxVarSet(mc, 8, &nPassPhraseDialog);
myCtxVarSet(mc, 9, &nPassPhraseDialogCur);
myCtxVarSet(mc, 10, &bPassPhraseDialogOnce);
nPassPhraseCur = 0;
nPassPhraseRetry = 0;
nPassPhraseDialogCur = 0;
bPassPhraseDialogOnce = TRUE;
pPrivateKey = NULL;
/* Try to read the key until it succeeds or the attempts are exhausted. */
for (;;) {
if ((rv = exists_and_readable(szPath, p,
&pkey_mtime)) != APR_SUCCESS ) {
ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
"Init: Can't open server private key file "
"%s",szPath);
ssl_die();
}
/*
 * Restart shortcut: if a key already stored for this vhost was loaded
 * from a file with the same modification time, keep it and do not ask
 * for the pass phrase again.  The match is on mtime alone.
 * The inner `i` and `asn1` shadow the outer variables of the same name.
 */
if (pkey_mtime) {
int i;
for (i=0; i < SSL_AIDX_MAX; i++) {
const char *key_id =
ssl_asn1_table_keyfmt(p, cpVHostID, i);
ssl_asn1_t *asn1 =
ssl_asn1_table_get(mc->tPrivateKey, key_id);
if (asn1 && (asn1->source_mtime == pkey_mtime)) {
ap_log_error(APLOG_MARK, APLOG_INFO,
0, pServ,
"%s reusing existing "
"%s private key on restart",
cpVHostID, ssl_asn1_keystr(i));
/*
 * NOTE(review): this leaves the whole function, not just the retry loop.
 * Remaining certificates and servers are not processed, and the clean-up
 * at the end (clearing aPassPhrase, closing readtty/writetty) is skipped.
 * Confirm that this is intended.
 */
return;
}
}
}
/* The callback sets cpPassPhraseCur only when it obtained a new phrase. */
cpPassPhraseCur = NULL;
ssl_pphrase_server_rec = s;
ERR_clear_error();
bReadable = ((pPrivateKey = SSL_read_PrivateKey(szPath, NULL,
ssl_pphrase_Handle_CB, s)) != NULL ? TRUE : FALSE);
if (bReadable)
break;
/* Not readable yet: try the next remembered pass phrase first. */
if (nPassPhraseCur < nPassPhrase) {
nPassPhraseCur++;
continue;
}
/*
 * A phrase was typed but was wrong: report it on the dialog channel and
 * allow up to BUILTIN_DIALOG_RETRIES re-prompts.  Once the retry count
 * exceeds BUILTIN_DIALOG_BACKOFF, each further failure sleeps
 * (retries - BUILTIN_DIALOG_BACKOFF) * 5 seconds before the next prompt.
 * On WIN32 only the pipe dialog takes this path.
 */
#ifndef WIN32
if ((sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE)
#else
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE
#endif
&& cpPassPhraseCur != NULL
&& nPassPhraseRetry < BUILTIN_DIALOG_RETRIES ) {
apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect "
"(%d more retr%s permitted).\n",
(BUILTIN_DIALOG_RETRIES-nPassPhraseRetry),
(BUILTIN_DIALOG_RETRIES-nPassPhraseRetry) == 1 ? "y" : "ies");
nPassPhraseRetry++;
if (nPassPhraseRetry > BUILTIN_DIALOG_BACKOFF)
apr_sleep((nPassPhraseRetry-BUILTIN_DIALOG_BACKOFF)
* 5 * APR_USEC_PER_SEC);
continue;
}
#ifdef WIN32
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Init: SSLPassPhraseDialog builtin is not "
"supported on Win32 (key file "
"%s)", szPath);
ssl_die();
}
#endif
/*
 * Out of attempts.  No phrase at all means the key could not be located
 * or the dialog could not be run; otherwise the last phrase was wrong.
 * Either way the error is logged and the server is stopped.
 */
if (cpPassPhraseCur == NULL) {
/* The callback ran, a key existed before, and stdout is not a terminal. */
if (nPassPhraseDialogCur && pkey_mtime &&
!(isterm = isatty(fileno(stdout))))
{
ap_log_error(APLOG_MARK, APLOG_ERR, 0,
pServ,
"Init: Unable to read pass phrase "
"[Hint: key introduced or changed "
"before restart?]");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
}
else {
ap_log_error(APLOG_MARK, APLOG_ERR, 0,
pServ, "Init: Private key not found");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
}
if (writetty) {
apr_file_printf(writetty, "Apache:mod_ssl:Error: Private key not found.\n");
apr_file_printf(writetty, "**Stopped\n");
}
}
else {
ap_log_error(APLOG_MARK, APLOG_ERR, 0,
pServ, "Init: Pass phrase incorrect");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
if (writetty) {
apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect.\n");
apr_file_printf(writetty, "**Stopped\n");
}
}
ssl_die();
}
/* Defensive check; the loop above is only left with a key or via ssl_die(). */
if (pPrivateKey == NULL) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Init: Unable to read server private key from "
"file %s [Hint: Perhaps it is in a separate file? "
" See SSLCertificateKeyFile]", szPath);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
/* As for certificates: at most one private key per algorithm type. */
at = ssl_util_algotypeof(NULL, pPrivateKey);
an = ssl_util_algotypestr(at);
if (algoKey & at) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Init: Multiple %s server private keys not "
"allowed", an);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
algoKey |= at;
/* The callback was never invoked, so the key file needed no pass phrase. */
if (nPassPhraseDialogCur == 0) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, pServ,
"unencrypted %s private key - pass phrase not "
"required", an);
}
else {
if (cpPassPhraseCur != NULL) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
pServ,
"encrypted %s private key - pass phrase "
"requested", an);
}
else {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
pServ,
"encrypted %s private key - pass phrase"
" reused", an);
}
}
/* Remember a newly entered phrase so later keys can try it without a prompt. */
if (cpPassPhraseCur != NULL) {
cpp = (char **)apr_array_push(aPassPhrase);
*cpp = cpPassPhraseCur;
nPassPhrase++;
}
/*
 * Store the private key's DER encoding in mc->tPrivateKey.  This is the
 * decrypted key material.
 * NOTE(review): as with the certificate, the length returned by
 * i2d_PrivateKey is not checked for an error value.
 */
cp = asn1_table_vhost_key(mc, p, cpVHostID, an);
length = i2d_PrivateKey(pPrivateKey, NULL);
ucp = ssl_asn1_table_set(mc->tPrivateKey, cp, length);
(void)i2d_PrivateKey(pPrivateKey, &ucp);
/* Record the key file's mtime for keys that went through the callback. */
if (nPassPhraseDialogCur != 0) {
asn1 = ssl_asn1_table_get(mc->tPrivateKey, cp);
asn1->source_mtime = pkey_mtime;
}
EVP_PKEY_free(pPrivateKey);
}
}
/* Tell the operator the dialog is over; sc is assigned here but not read again. */
if (nPassPhraseDialog > 0) {
sc = mySrvConfig(s);
if (writetty) {
apr_file_printf(writetty, "\n"
"OK: Pass Phrase Dialog successful.\n");
}
}
/*
 * NOTE(review): confirm that pphrase_array_clear scrubs the pass phrase
 * bytes themselves and not only the array slots pointing at them, so that
 * the log message below is accurate.
 */
if (aPassPhrase->nelts) {
pphrase_array_clear(aPassPhrase);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Init: Wiped out the queried pass phrases from memory");
}
/*
 * Both handles are closed only when readtty is set, i.e. after a pipe
 * dialog; a writetty opened for the builtin dialog is left as it is.
 */
if (readtty) {
apr_file_close(readtty);
apr_file_close(writetty);
readtty = writetty = NULL;
}
return;
}
/*
 * Start the external pass phrase dialog program and connect to it.
 *
 * `progname` is split into an argument vector with apr_tokenize_to_argv()
 * and the first token is used as the program to run.  The child is given
 * blocking pipes for stdin and stdout and no pipe for stderr.  On success
 * the file-level handles are set: writetty to the child's stdin, readtty
 * to its stdout.
 *
 * Returns the first failing APR status, or APR_SUCCESS.
 *
 * No command type is set on the process attributes here, so the APR
 * default applies.
 * NOTE(review): the result of apr_tokenize_to_argv() is not checked and
 * args[0] is used unconditionally; confirm that an empty `progname`
 * cannot reach this function.
 */
static apr_status_t ssl_pipe_child_create(apr_pool_t *p, const char *progname)
{
    apr_procattr_t *attr;
    apr_proc_t *child;
    char **argv;
    const char *exe;
    apr_status_t rc;

    rc = apr_procattr_create(&attr, p);
    if (rc != APR_SUCCESS) {
        return rc;
    }

    rc = apr_procattr_io_set(attr, APR_FULL_BLOCK, APR_FULL_BLOCK,
                             APR_NO_PIPE);
    if (rc != APR_SUCCESS) {
        return rc;
    }

    apr_tokenize_to_argv(progname, &argv, p);
    exe = apr_pstrdup(p, argv[0]);
    child = (apr_proc_t *)apr_pcalloc(p, sizeof(*child));

    rc = apr_proc_create(child, exe, (const char * const *)argv,
                         NULL, attr, p);
    if (rc == APR_SUCCESS) {
        /* We write prompts to the child's stdin and read its stdout. */
        writetty = child->in;
        readtty = child->out;
    }

    return rc;
}
/*
 * Read one line (the pass phrase) from the pipe dialog child.
 *
 * Writes `prompt` to writetty, reads at most `length` bytes of one line
 * from readtty into `buf`, then writes an end-of-line to writetty.
 * Returns 0 on success with the trailing '\n' (and on WIN32 the '\r')
 * cut off, or 1 on a read error or end of file, in which case the whole
 * buffer is zeroed so that no partial input is left behind.
 *
 * `verify` is accepted for signature compatibility and is not used.
 */
static int pipe_get_passwd_cb(char *buf, int length, char *prompt, int verify)
{
    apr_status_t rc;
    char *eol;

    apr_file_puts(prompt, writetty);

    /* Start from an empty string in case nothing is read. */
    buf[0] = '\0';
    rc = apr_file_gets(buf, length, readtty);
    apr_file_puts(APR_EOL_STR, writetty);

    if (rc != APR_SUCCESS || apr_file_eof(readtty)) {
        memset(buf, 0, length);
        return 1;
    }

    eol = strchr(buf, '\n');
    if (eol != NULL) {
        *eol = '\0';
    }
#ifdef WIN32
    eol = strchr(buf, '\r');
    if (eol != NULL) {
        *eol = '\0';
    }
#endif

    return 0;
}
/*
 * Pass phrase callback given to SSL_read_PrivateKey() by
 * ssl_pphrase_Handle().
 *
 * Fills `buf` (at most `bufsize` bytes) with a pass phrase and returns
 * its length, or -1 when the dialog failed.  The phrase comes, in order
 * of preference, from the list of phrases that already worked, from the
 * builtin terminal dialog or the pipe dialog child, or from the
 * configured filter program.
 *
 * In SSLC builds the callback has no user-data argument, so the
 * server_rec is taken from the file-level ssl_pphrase_server_rec.
 */
#ifdef SSLC_VERSION_NUMBER
int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify)
{
void *srv = ssl_pphrase_server_rec;
#else
int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
{
#endif
SSLModConfigRec *mc;
server_rec *s;
apr_pool_t *p;
apr_array_header_t *aPassPhrase;
SSLSrvConfigRec *sc;
int *pnPassPhraseCur;
char **cppPassPhraseCur;
char *cpVHostID;
char *cpAlgoType;
int *pnPassPhraseDialog;
int *pnPassPhraseDialogCur;
BOOL *pbPassPhraseDialogOnce;
char *cpp;
int len = -1;
/* Fetch the dialog state that ssl_pphrase_Handle placed in context slots 1..10. */
mc = myModConfig((server_rec *)srv);
s = myCtxVarGet(mc, 1, server_rec *);
p = myCtxVarGet(mc, 2, apr_pool_t *);
aPassPhrase = myCtxVarGet(mc, 3, apr_array_header_t *);
pnPassPhraseCur = myCtxVarGet(mc, 4, int *);
cppPassPhraseCur = myCtxVarGet(mc, 5, char **);
cpVHostID = myCtxVarGet(mc, 6, char *);
cpAlgoType = myCtxVarGet(mc, 7, char *);
pnPassPhraseDialog = myCtxVarGet(mc, 8, int *);
pnPassPhraseDialogCur = myCtxVarGet(mc, 9, int *);
pbPassPhraseDialogOnce = myCtxVarGet(mc, 10, BOOL *);
sc = mySrvConfig(s);
/* Counted on every invocation, including when a remembered phrase is reused. */
(*pnPassPhraseDialog)++;
(*pnPassPhraseDialogCur)++;
/*
 * Reuse a remembered phrase if one exists at the current index.  The copy
 * is bounded by bufsize (a longer phrase is truncated), and
 * *cppPassPhraseCur is left untouched so the caller can tell that no new
 * phrase was entered.
 */
if ((cpp = pphrase_array_get(aPassPhrase, *pnPassPhraseCur)) != NULL) {
apr_cpystrn(buf, cpp, bufsize);
len = strlen(buf);
return len;
}
/* Interactive dialogs: builtin terminal prompt or external pipe child. */
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
char *prompt;
int i;
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
/* The pipe child is started once and kept for all later prompts. */
if (!readtty) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Init: Creating pass phrase dialog pipe child "
"'%s'", sc->server->pphrase_dialog_path);
if (ssl_pipe_child_create(p, sc->server->pphrase_dialog_path)
!= APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Init: Failed to create pass phrase pipe '%s'",
sc->server->pphrase_dialog_path);
PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
/* Zero the caller's buffer before reporting failure. */
memset(buf, 0, (unsigned int)bufsize);
return (-1);
}
}
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Init: Requesting pass phrase via piped dialog");
}
else {
#ifdef WIN32
/* The builtin dialog is not available on WIN32: fail with a PEM error. */
PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
memset(buf, 0, (unsigned int)bufsize);
return (-1);
#else
/* Prompts go to stdout; the result of apr_file_open_stdout is not checked. */
apr_file_open_stdout(&writetty, p);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Init: Requesting pass phrase via builtin terminal "
"dialog");
#endif
}
/* Banner, printed once for the first dialog of the whole run. */
if (*pnPassPhraseDialog == 1) {
apr_file_printf(writetty, "%s mod_ssl/%s (Pass Phrase Dialog)\n",
AP_SERVER_BASEVERSION, MOD_SSL_VERSION);
apr_file_printf(writetty, "Some of your private key files are encrypted for security reasons.\n");
apr_file_printf(writetty, "In order to read them you have to provide the pass phrases.\n");
}
/* Per-key header, printed once for each key being read. */
if (*pbPassPhraseDialogOnce) {
*pbPassPhraseDialogOnce = FALSE;
apr_file_printf(writetty, "\n");
apr_file_printf(writetty, "Server %s (%s)\n", cpVHostID, cpAlgoType);
}
prompt = "Enter pass phrase:";
/*
 * Prompt until a non-empty phrase is read.  The prompt text is written
 * here, so the readers below are called with an empty prompt.  This loop
 * itself has no iteration limit for empty input; it ends on a non-empty
 * phrase or on a read failure.
 */
for (;;) {
apr_file_puts(prompt, writetty);
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
i = pipe_get_passwd_cb(buf, bufsize, "", FALSE);
}
else {
/* OpenSSL's terminal password reader, called without verification. */
i = EVP_read_pw_string(buf, bufsize, "", FALSE);
}
if (i != 0) {
PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
memset(buf, 0, (unsigned int)bufsize);
return (-1);
}
len = strlen(buf);
if (len < 1)
apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase empty (needs to be at least 1 character).\n");
else
break;
}
}
/*
 * Filter dialog: run the configured program with the vhost id and the
 * algorithm name as arguments and take what it returns as the phrase.
 * NOTE(review): `result` is passed to apr_cpystrn without a NULL check and
 * an empty result is accepted; what ssl_util_readfilter returns on
 * failure is not visible here - confirm.
 */
else if (sc->server->pphrase_dialog_type == SSL_PPTYPE_FILTER) {
const char *cmd = sc->server->pphrase_dialog_path;
const char **argv = apr_palloc(p, sizeof(char *) * 4);
char *result;
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Init: Requesting pass phrase from dialog filter "
"program (%s)", cmd);
argv[0] = cmd;
argv[1] = cpVHostID;
argv[2] = cpAlgoType;
argv[3] = NULL;
result = ssl_util_readfilter(s, p, cmd, argv);
apr_cpystrn(buf, result, bufsize);
len = strlen(buf);
}
/*
 * Hand a pool-allocated copy of the phrase back to ssl_pphrase_Handle.
 * The copy lives in pool p and is not wiped by this function.
 * NOTE(review): for a dialog type matched by neither branch above, len is
 * still -1 here and buf is duplicated as it was passed in.
 */
*cppPassPhraseCur = apr_pstrdup(p, buf);
return (len);
}