ssl_engine_pphrase.c

* modules/ssl/ssl_engine_pphrase.c (ssl_load_encrypted_pkey): Remove
redundant assignment (clang warning).

* modules/ssl/ssl_engine_pphrase.c: Fix linking against OpenSSL without
ENGINE support.

PR: 62563

* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair): Load
the engine associated with the private key (&cert) explicitly
rather than requiring the engine to be set as the default method
for all operations (with "SSLCryptoDevice <engine>").

(Thanks to Anderson Sasaki <ansasaki redhat.com> for suggested
improvement and guidance)

* modules/ssl/ssl_engine_pphrase.c: Add logno tags.

  1. … 1 more file in changeset.
Hook up PKCS#11 PIN entry through configured passphrase entry method.

* modules/ssl/ssl_engine_pphrase.c: Add wrappers for OpenSSL UI * API
around passphrase entry.
(modssl_load_engine_keypair): Take vhost ID and use above rather than
default OpenSSL UI.

* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Pass vhost ID.

Submitted by: Anderson Sasaki <ansaski redhat.com>, jorton

  1. … 2 more files in changeset.
mod_ssl: Add support for loading TLS certificates through the PKCS#11
engine.

* modules/ssl/ssl_util.c (modssl_is_engine_id): Renamed
from modssl_is_engine_key.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
Adjust accordingly.
(ssl_cmd_SSLCertificateFile): Also allow ENGINE cert ids.

* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair):
Rename from modssl_load_engine_key; load certificate if
cert id is passed.

* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Optionally
load the certificate from the engine as well.

* docs/manual/: Update manual.

  1. … 7 more files in changeset.
Simplify the ssl_asn1_table API, remove abstraction (it is used only
to cache serialized EVP_PKEYs not any char * blobs), and document.

* modules/ssl/ssl_util.c (ssl_asn1_table_set): Take the EVP_PKEY and
serialize internally. Use ap_realloc. Return the ssl_asn1_t *
pointer. Don't call apr_hash_set() for unchanged pointer case.

* modules/ssl/ssl_engine_pphrase.c (ssl_load_encrypted_pkey):
Adjust for the above.

* modules/ssl/ssl_private.h: Adjust as above, add docs.

  1. … 2 more files in changeset.
* modules/ssl/ssl_util_ssl.c (modssl_read_privatekey): Remove unused
second argument.

* modules/ssl/ssl_engine_pphrase.c (ssl_load_encrypted_pkey): Adjust
accordingly.

  1. … 2 more files in changeset.
* modules/ssl/ssl_engine_pphrase.c (ssl_load_encrypted_pkey):
Simplify code, no functional change.

mod_ssl: Add support for loading private keys from ENGINEs. Support
for PKCS#11 URIs only, and PIN entry is not threaded through
SSLPassPhraseDialog config yet.

* modules/ssl/ssl_util.c (modssl_is_engine_key): New function.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
Use it, skip check for file existence for engine keys.

* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_pkey):
New function.

* modules/ssl/ssl_engine_init.c (ssl_init_server_certs):
For engine keys, load via modssl_load_engine_pkey.

Submitted by: Anderson Sasaki <ansasaki redhat.com>, jorton

  1. … 7 more files in changeset.
mod_ssl namespacing: SSL_read_PrivateKey -> modssl_read_privatekey

  1. … 2 more files in changeset.
Followup fix for r1553824:
also pass the file name to ssl_load_encrypted_pkey, to make sure that we
retry with the same filename we used for SSL_CTX_use_PrivateKey_file first

  1. … 2 more files in changeset.
make the ppcb_arg initialization a bit more uniform and easier to read
CodeWarrior compiler doesn't allow vars as struct inits.

Remove the hardcoded algorithm-type dependency for the SSLCertificateFile
and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile

Splitting the patch into smaller pieces turned out to be infeasible,
unfortunately, due to the heavily intertwined code in ssl_engine_config.c,
ssl_engine_init.c and ssl_engine_pphrase.c, which all depend on the
modssl_pk_server_t data structure. For better comprehensibility,
a detailed listing of the changes follows:

ssl_private.h
- drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t
- use apr_array_header_t for cert_files and key_files
- drop tPublicCert from SSLModConfigRec
- drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants

ssl_engine_config.c
- change to apr_array_header_t for SSLCertificate[Key]File
- drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs
  and keys (in theory; currently OpenSSL does not support more than
  one cert/key per algorithm type)
- add deprecation warning for SSLCertificateChainFile

ssl_engine_init.c
- configure server certs/keys in ssl_init_server_certs (no longer via
  ssl_pphrase_Handle in ssl_init_Module)
- in ssl_init_server_certs, read in certificates and keys with standard
  OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to
  ssl_load_encrypted_pkey when encountering an encrypted private key
- drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check,
  and ssl_init_ctx_cleanup_server
- move the "problematic re-initialization" check to ssl_init_server_ctx

ssl_engine_pphrase.c
- use servername:port:index as the key identifier, instead of the
  previously used servername:port:algorithm
- ssl_pphrase_Handle overhaul: remove all cert/public-key handling,
  make it only load a single (encrypted) private key, and rename
  to ssl_load_encrypted_pkey
- in the passphrase prompt message, show the private key file name
  instead of the vhost id and the algorithm name
- no longer supply the algorithm name as an argument to "exec"-type
  passphrase prompting programs

ssl_util.c
- drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr,
  and ssl_asn1_table_keyfmt

ssl_util_ssl.{c,h}
- drop SSL_read_X509
- constify the filename arg for SSL_read_PrivateKey

  1. … 9 more files in changeset.
Throw away the myCtxVar{Set,Get} abomination and introduce
a pphrase_cb_arg_t struct instead, for passing stuff between
ssl_pphrase_Handle and ssl_pphrase_Handle_CB. Prefer struct
members instead of using additional local variables, to make
the data flow more transparent. (Doesn't "vastly simplify"
the code yet, but hopefully we'll get there when further
stripping down ssl_pphrase_Handle.)

  1. … 1 more file in changeset.
Remove SSLPKCS7CertificateFile support:

- was never documented, so very unlikely that it was ever used
- adds complexity without apparent benefit; PKCS#7 files can
  be trivially converted to a file for use with SSLCertificateChainFile
  (concatenated X509 CERTIFICATE chunks, openssl pkcs7 -print_certs...)
- only supports PKCS7 files with PEM encoding, i.e. relies on a
  non-standardized PEM header (cf. RFC 2315 and draft-josefsson-pkix-textual)
- issues pointed out in http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/%3C20060723093125.GA19423@redhat.com%3E
  were never fully addressed (cf. r424707 and r424735)
- has never worked in vhost context due to a cfgMergeString
  call missing from modssl_ctx_cfg_merge

  1. … 6 more files in changeset.
Address a todo listed in
https://mail-archives.apache.org/mod_mbox/httpd-dev/200205.mbox/%3CPine.LNX.4.33.0205292300380.27841-100000%40mako.covalent.net%3E
"init functions should return status code rather than ssl_die()"

For diagnostic purposes, ssl_die() is still there, but instead
of abruptly exit(1)ing, it will return APR_EGENERAL to the
ssl_init_* callers in ssl_engine_init.c, and these will propagate
the status back to ssl_init_Module.

  1. … 7 more files in changeset.
Like r1532122: Axe needless string duplication in
setup for call to apr_proc_create().

Increase minimum required OpenSSL version to 0.9.8a (in preparation
for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y
functions added in that release):

- remove obsolete #defines / macros
- in ssl_private.h, regroup definitions based on whether
  they depend on TLS extension support or not
- for ECC and SRP support, set HAVE_X and change the rather awkward
  #ifndef OPENSSL_NO_X lines accordingly

For the discussion prior to taking this step, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E

  1. … 11 more files in changeset.
Pass the server_rec to ssl_die() and use it to log a message to the main error
log, pointing to the appropriate virtual host error log

  1. … 8 more files in changeset.
Various code cleanup to avoid compiler, cppcheck, or clang warnings:

modules/debugging/mod_firehose.c: Make some internal functions static
  (to do: logs_cleanup() is unused)
modules/filters/mod_charset_lite.c: Remove dead assignments
modules/filters/mod_include.c: likewise
modules/metadata/mod_usertrack.c: likewise
modules/proxy/mod_proxy_ftp.c: likewise
modules/ssl/ssl_engine_pphrase.c: likewise
modules/proxy/mod_proxy_balancer.c: likewise;
  Remove NULL check that can never happen
modules/proxy/proxy_util.c: Axe NULL-check that can never happen and if it
  would, it would just mask another bug
os/unix/unixd.c: likewise
modules/http/http_filters.c: Remove sub-condition that is always true
modules/lua/mod_lua.c: Add default cases to switch statements
modules/generators/mod_autoindex.c: Unsigned value can never be < 0
server/util_expr_eval.c: Fix compiler warnings with VC and on OS2

  1. … 12 more files in changeset.
Add some more log message tags

Add some more mod_ssl macros that confuse coccinelle. Remove restriction
on format string because it causes coccinelle to not consider multi line format
strings.

  1. … 5 more files in changeset.
Add some more log message tags

Remove some log message tags from ap_log_* calls that log lots of
different error messages, in particular the config parsing errors.
Not sure how we should handle those.

ssl_util.c: Downgrade some dynamic locking messages from level DEBUG
to TRACE1-3

  1. … 12 more files in changeset.
Add lots of unique tags to error log messages

  1. … 172 more files in changeset.
Cleanup effort in prep for GA push:

Trim trailing whitespace... no func change

  1. … 118 more files in changeset.
Drop support for the RSA BSAFE SSL-C toolkit from configure,
and remove #ifdef'ed code from mod_ssl and ab where applicable.

Consensus for dropping support for SSL/TLS toolkits other
than OpenSSL was reached on dev@httpd in June 2010 (message
with ID <20100602162310.GA11156@redhat.com> and follow-ups).

  1. … 15 more files in changeset.
Add some debug logging when loading server certificates

PR: 37912

Submitted by: Nick Burch <nick burch alfresco com>

  1. … 1 more file in changeset.
* modules/ssl/ssl_engine_pphrase.c: Fix comment, no functional change.

* modules/ssl/ssl_private.h: Drop some redundant/unused macros; pick
up stdlib.h.

* modules/ssl/ssl_engine_pphrase.c (ssl_pphrase_Handle),
modules/ssl/ssl_engine_vars.c: Stop pretending mod_ssl has a version
independent of the rest of the server.

  1. … 2 more files in changeset.