mturk 2005/06/07 01:15:32
Modified: jni/native/include ssl_private.h jni/native/src sslcontext.c sslutils.c
Log:
Implement password handling.
The supplied password can be "pass:real_password" or "exec:path_to_the executable"
Revision Changes Path
1.16 +4 -12 jakarta-tomcat-connectors/jni/native/include/ssl_private.h
Index: ssl_private.h
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- ssl_private.h 7 Jun 2005 07:22:06 -0000 1.15
+++ ssl_private.h 7 Jun 2005 08:15:32 -0000 1.16
@@ -118,16 +118,6 @@
 #define SSL_CVERIFY_OPTIONAL_NO_CA (3)
 #define SSL_VERIFY_PEER_STRICT (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
-#define SSL_PASSWORD_PROMPT (0)
-#define SSL_PASSWORD_FILE (1)
-#define SSL_PASSWORD_EXEC (2)
-#define SSL_PASSWORD_ENGINE (3)
-
-#define STR_PASSWORD_PROMPT ("pass:")
-#define STR_PASSWORD_FILE ("file:")
-#define STR_PASSWORD_EXEC ("exec:")
-#define STR_PASSWORD_ENGINE ("engine:")
-
 extern void *SSL_temp_keys[SSL_TMP_KEY_MAX];
 typedef struct {
@@ -141,9 +131,11 @@
 typedef struct {
 char password[SSL_MAX_PASSWORD_LEN];
+ const char *pass;
 const char *prompt;
- int mode;
 tcn_ssl_ctxt_t *ctx;
+ apr_file_t *wrtty;
+ apr_file_t *rdtty;
 } tcn_pass_cb_t;
 struct tcn_ssl_ctxt_t {
1.22 +3 -7 jakarta-tomcat-connectors/jni/native/src/sslcontext.c
Index: sslcontext.c
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- sslcontext.c 6 Jun 2005 15:13:26 -0000 1.21
+++ sslcontext.c 7 Jun 2005 08:15:32 -0000 1.22
@@ -467,7 +467,6 @@
 jboolean rv = JNI_TRUE;
 TCN_ALLOC_CSTRING(cert);
 TCN_ALLOC_CSTRING(key);
- TCN_ALLOC_CSTRING(password);
 const char *key_file, *cert_file;
 char err[256];
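Review bot: The three members added to tcn_pass_cb_t carry no comments, and `wrtty`/`rdtty` are left pointing at objects that do not outlive one callback: SSL_password_callback in sslutils.c creates a temporary pool, lets ssl_pipe_child_create point these fields at the child's pipes, and destroys that pool before returning, so after the callback both pointers refer to freed pipe objects (assuming apr_proc_create allocates them from the pool it is given). Suggest documenting the contract on the fields, e.g. `const char *pass;    /* password spec, "pass:<secret>" or "exec:<program>"; a pass: secret sits in cleartext in the ctx pool */` and `apr_file_t *wrtty;   /* pipe to the exec: helper; only valid while the callback runs */`, and resetting both pipe pointers to NULL after the pool is destroyed. The removed SSL_PASSWORD_*/STR_PASSWORD_* constants were the only place the accepted prefixes were named; with them gone the `"pass:"`/`"exec:"` literals live only inside sslutils.c, which is worth a mention next to `pass`.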
@@ -479,10 +478,8 @@
 rv = JNI_FALSE;
 goto cleanup;
 }
- if (J2S(password)) {
- strncpy(c->password.password, J2S(password), SSL_MAX_PASSWORD_LEN);
- c->password.password[SSL_MAX_PASSWORD_LEN - 1] = '\0';
- }
+ if (password)
+ c->password.pass = tcn_pstrdup(e, password, c->pool);
 key_file = J2S(key);
 cert_file = J2S(cert);
 if (!key_file)
@@ -523,7 +520,6 @@
 cleanup:
 TCN_FREE_CSTRING(cert);
 TCN_FREE_CSTRING(key);
- TCN_FREE_CSTRING(password);
 return rv;
 }
1.17 +88 -11 jakarta-tomcat-connectors/jni/native/src/sslutils.c
Index: sslutils.c
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslutils.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- sslutils.c 7 Jun 2005 07:22:06 -0000 1.16
+++ sslutils.c 7 Jun 2005 08:15:32 -0000 1.17
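Review bot: `c->password.pass` now keeps the raw specifier in `c->pool` for as long as that pool lives, and for a `pass:` specifier that is the cleartext key password, which the callback in sslutils.c later copies a second time into `c->password.password`; neither copy is ever scrubbed. The pool copy is needed for the `exec:` form, but the line deserves a comment saying so, e.g. `/* Spec kept for the password callback; a "pass:" secret stays in cleartext in the ctx pool */`, and the `tcn_pstrdup` result is stored without a NULL check (whether it can fail is not visible here). The old bounded copy into `c->password.password` is gone, so the SSL_MAX_PASSWORD_LEN limit now applies only when the callback caches the resolved password, not to the specifier itself. The enclosing JNI function begins before this hunk.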
@@ -100,14 +100,71 @@
 return APR_SUCCESS;
 }
+static apr_status_t ssl_pipe_child_create(tcn_pass_cb_t *data, apr_pool_t *p, const char *progname)
+{
+ /* Child process code for 'ErrorLog "|..."';
+ * may want a common framework for this, since I expect it will
+ * be common for other foo-loggers to want this sort of thing...
+ */
+ apr_status_t rc;
+ apr_procattr_t *procattr;
+ apr_proc_t *procnew;
+
+ if (((rc = apr_procattr_create(&procattr, p)) == APR_SUCCESS) &&
+ ((rc = apr_procattr_io_set(procattr,
+ APR_FULL_BLOCK,
+ APR_FULL_BLOCK,
+ APR_NO_PIPE)) == APR_SUCCESS)) {
+ char **args;
+ const char *pname;
+
+ apr_tokenize_to_argv(progname, &args, p);
+ pname = apr_pstrdup(p, args[0]);
+ procnew = (apr_proc_t *)apr_pcalloc(p, sizeof(*procnew));
+ rc = apr_proc_create(procnew, pname, (const char * const *)args,
+ NULL, procattr, p);
+ if (rc == APR_SUCCESS) {
+ /* XXX: not sure if we aught to...
+ * apr_pool_note_subprocess(p, procnew, APR_KILL_AFTER_TIMEOUT);
+ */
+ data->wrtty = procnew->in;
+ data->rdtty = procnew->out;
+ }
+ }
+ return rc;
+}
+
+static int pipe_get_passwd_cb(tcn_pass_cb_t *data, char *buf, int length,
+ const char *prompt)
+{
+ apr_status_t rc;
+ char *p;
+
+ apr_file_puts(prompt, data->wrtty);
+
+ buf[0]='\0';
+ rc = apr_file_gets(buf, length, data->rdtty);
+ apr_file_puts(APR_EOL_STR, data->wrtty);
+
+ if (rc != APR_SUCCESS || apr_file_eof(data->rdtty)) {
+ memset(buf, 0, length);
+ return 1; /* failure */
+ }
+ if ((p = strchr(buf, '\n')) != NULL)
+ *p = '\0';
+#ifdef WIN32
+ if ((p = strchr(buf, '\r')) != NULL)
+ *p = '\0';
+#endif
+ return 0;
+}
+
 #define PROMPT_STRING "Enter password: "
 /* Simple echo password prompting */
 int SSL_password_prompt(tcn_pass_cb_t *data)
 {
 int rv = 0;
 data->password[0] = '\0';
- if (!data->prompt)
- data->prompt = PROMPT_STRING;
 if (data->ctx && data->ctx->bio_is) {
 if (data->ctx->bio_is->flags & SSL_BIO_FLAG_RDONLY) {
 /* Use error BIO in case of stdin */
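Review bot: In ssl_pipe_child_create the result of `apr_tokenize_to_argv` is ignored and `args[0]` is dereferenced unconditionally; for an `exec:` specifier with nothing after the prefix the argv array is empty, so `args[0]` is NULL and that NULL reaches apr_pstrdup and apr_proc_create. Check it before use: `rc = apr_tokenize_to_argv(progname, &args, p);` `if (rc != APR_SUCCESS || args[0] == NULL) return rc != APR_SUCCESS ? rc : APR_EINVAL;`. The helper process is also never waited for — the `apr_pool_note_subprocess` call is left commented out and the caller only destroys the pool — so each password lookup can leave a zombie; registering it (`apr_pool_note_subprocess(p, procnew, APR_KILL_AFTER_TIMEOUT);`) lets apr_pool_destroy reap it. The header comment ("Child process code for 'ErrorLog "|..."'") reads as copied from httpd's piped-log code and should describe this function instead: it spawns the `exec:` helper with its stdin/stdout connected to `data->wrtty`/`data->rdtty`. In pipe_get_passwd_cb the return values of both `apr_file_puts` calls are ignored as well, so a helper that closes its stdin early is not distinguished from a successful prompt.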
@@ -162,19 +219,39 @@
 if (buf == NULL)
 return 0;
+ *buf = '\0';
 if (cb_data == NULL) {
 memset(&c, 0, sizeof(tcn_pass_cb_t));
 cb_data = &c;
 }
- else {
- /* TODO: Implement password prompt checking.
- * and decide what mechanism to use for obtaining
- * the password.
- */
- }
- if (cb_data->password[0] ||
- (SSL_password_prompt(cb_data) > 0)) {
+ if (cb_data->password[0]) {
+ /* Return already obtained password */
 strncpy(buf, cb_data->password, bufsiz);
+ buf[bufsiz - 1] = '\0';
+ return strlen(buf);
+ }
+ if (!cb_data->prompt)
+ cb_data->prompt = PROMPT_STRING;
+ if (cb_data->pass) {
+ if (strncmp(cb_data->pass, "pass:", 5) == 0)
+ strncpy(buf, cb_data->pass + 5, bufsiz);
+ else if (strncmp(cb_data->pass, "exec:", 5) == 0) {
+ apr_pool_t *p;
+ apr_pool_create(&p, cb_data->ctx->pool);
+ if (ssl_pipe_child_create(cb_data, p,
+ cb_data->pass + 5) == APR_SUCCESS) {
+ pipe_get_passwd_cb(cb_data, buf, bufsiz, cb_data->prompt);
+ }
+ apr_pool_destroy(p);
+ }
+ buf[bufsiz-1] = '\0';
+ strncpy(cb_data->password, buf, SSL_MAX_PASSWORD_LEN);
+ cb_data->password[SSL_MAX_PASSWORD_LEN - 1] = '\0';
+ return strlen(buf);
+ }
+ else {
+ if (SSL_password_prompt(cb_data) > 0)
+ strncpy(buf, cb_data->password, bufsiz);
 }
 buf[bufsiz - 1] = '\0';
 return strlen(buf);
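Review bot: A `cb_data->pass` value that starts with neither `pass:` nor `exec:` now silently produces an empty password: `buf` keeps the `""` written by the new `*buf = '\0'` at the top, no prompt is shown, and the callback returns 0, whereas before this change the supplied string was used as-is. Either fall through to the prompt with a third branch, `else if (SSL_password_prompt(cb_data) > 0) strncpy(buf, cb_data->password, bufsiz);`, or reject an unknown prefix with a diagnostic rather than failing quietly. In the `exec:` branch `cb_data->ctx->pool` is dereferenced without a NULL check and the `apr_pool_create` result is ignored; a cb_data whose `ctx` is unset would crash here (whether such callers exist is not visible from the hunk). After `apr_pool_destroy(p)` the `wrtty`/`rdtty` pointers filled in by ssl_pipe_child_create still point into the destroyed pool, so `cb_data->wrtty = cb_data->rdtty = NULL;` belongs right after it. The SSL_password_callback signature and the declaration of `c` lie before this hunk.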