mturk 2005/06/07 04:05:07
Modified: jni/native/include ssl_private.h jni/native/src ssl.c sslcontext.c sslutils.c
Log:
Add global password callback handle. In case we set the callback BIO per context then it will be used to allow multple passwords and keys per vhost base. Since context are created from single thread we can have multiple passwords without setting per context BIO.
Revision Changes Path
1.18 +9 -3 jakarta-tomcat-connectors/jni/native/include/ssl_private.h
Index: ssl_private.h
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/include/ssl_private.h,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- ssl_private.h 7 Jun 2005 09:13:22 -0000 1.17
+++ ssl_private.h 7 Jun 2005 11:05:07 -0000 1.18
@@ -118,6 +118,10 @@
 #define SSL_CVERIFY_OPTIONAL_NO_CA (3)
 #define SSL_VERIFY_PEER_STRICT (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
 
+#define SSL_DEFAULT_PASS_PROMPT "Some of your private key files are encrypted for security reasons.\n" \
+    "In order to read them you have to provide the pass phrases.\n" \
+    "Enter password :"
+
 extern void *SSL_temp_keys[SSL_TMP_KEY_MAX];
 
 typedef struct {
@@ -132,9 +136,11 @@
 typedef struct {
     char password[SSL_MAX_PASSWORD_LEN];
     const char *prompt;
-    tcn_ssl_ctxt_t *ctx;
+    BIO *bio;
 } tcn_pass_cb_t;
 
+extern tcn_pass_cb_t tcn_password_callback;
+
 struct tcn_ssl_ctxt_t {
     apr_pool_t *pool;
     SSL_CTX *ctx;
@@ -162,7 +168,7 @@
     int verify_depth;
     int verify_mode;
     void *temp_keys[SSL_TMP_KEY_MAX];
-    tcn_pass_cb_t password;
+    tcn_pass_cb_t *cb_data;
 };
 
 typedef struct {
1.21 +4 -1 jakarta-tomcat-connectors/jni/native/src/ssl.c
Index: ssl.c
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/ssl.c,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- ssl.c 6 Jun 2005 08:14:50 -0000 1.20
+++ ssl.c 7 Jun 2005 11:05:07 -0000 1.21
@@ -37,6 +37,7 @@
 
 ENGINE *tcn_ssl_engine = NULL;
 void *SSL_temp_keys[SSL_TMP_KEY_MAX];
+tcn_pass_cb_t tcn_password_callback;
 
 /*
  * Handle the Temporary RSA Keys and DH Params
@@ -404,6 +405,8 @@
         tcn_ssl_engine = ee;
     }
 #endif
+
+    memset(&tcn_password_callback, 0, sizeof(tcn_pass_cb_t));
     /* Initialize PRNG
      * This will in most cases call the builtin
      * low entropy seed.
1.27 +15 -8 jakarta-tomcat-connectors/jni/native/src/sslcontext.c
Index: sslcontext.c
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- sslcontext.c 7 Jun 2005 09:57:22 -0000 1.26
+++ sslcontext.c 7 Jun 2005 11:05:07 -0000 1.27
@@ -123,7 +123,6 @@
     c->ctx = ctx;
     c->pool = p;
     c->bio_os = BIO_new(BIO_s_file());
-    c->password.ctx = c;
     if (c->bio_os != NULL)
         BIO_set_fp(c->bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
     SSL_CTX_set_options(c->ctx, SSL_OP_ALL);
@@ -162,7 +161,7 @@
     /* Set default password callback */
     SSL_CTX_set_default_passwd_cb(c->ctx,
                                   (pem_password_cb *)SSL_password_callback);
-    SSL_CTX_set_default_passwd_cb_userdata(c->ctx, (void *)(&c->password));
+    SSL_CTX_set_default_passwd_cb_userdata(c->ctx, (void *)(&tcn_password_callback));
     /*
      * Let us cleanup the ssl context when the pool is destroyed
      */
@@ -214,9 +213,12 @@
         c->bio_os = bio_handle;
     }
     else if (dir == 1) {
-        if (c->bio_os && c->bio_is != bio_handle)
+        if (c->bio_is && c->bio_is != bio_handle)
             SSL_BIO_close(c->bio_is);
-        c->bio_os = bio_handle;
+        c->bio_is = bio_handle;
+        if (!c->cb_data)
+            c->cb_data = (tcn_pass_cb_t *)apr_pcalloc(c->pool, sizeof(tcn_pass_cb_t));
+        c->cb_data->bio = bio_handle;
     }
     else
         return;
@@ -426,6 +428,7 @@
 {
     BIO *bio = NULL;
     EVP_PKEY *key = NULL;
+    void *cb_data = c->cb_data;
 
     if ((bio = BIO_new(BIO_s_file())) == NULL) {
         return NULL;
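Review bot: The `memset(&tcn_password_callback, 0, sizeof(tcn_pass_cb_t));` added after `#endif` zeroes a process-wide object that the sslcontext.c hunks later alias from individual contexts (`c->cb_data = &tcn_password_callback;`), so if the enclosing initialisation routine can be invoked more than once, a passphrase that a live context still points at is wiped. If re-initialisation is possible the clear should be guarded, and if it is not, the zero-initialised static storage the new definition in the first hunk already provides makes the call redundant; a comment stating which case holds would help. Minor: `sizeof tcn_password_callback` ties the size to the object rather than the type. The function containing this hunk starts outside it.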
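Review bot: In the `dir == 1` branch `c->cb_data->bio = bio_handle;` dereferences the `apr_pcalloc` result without checking it, and the allocation is skipped whenever `c->cb_data` is already non-NULL — which the `@@ -481` hunk makes true by pointing it at the shared `tcn_password_callback` when a password is set first — so in that call order the BIO is written into the global and becomes the input source for every context that falls back to the default. Allocating per-context storage before the pointer can be aliased to the global, and checking it, avoids the order dependence: `if (!c->cb_data || c->cb_data == &tcn_password_callback) { c->cb_data = apr_pcalloc(c->pool, sizeof *c->cb_data); if (!c->cb_data) return; }` (carrying over any password already cached in the global if that is wanted). Note also that `@@ -162` still registers `&tcn_password_callback` as the SSL_CTX userdata, so a PEM read that goes through the SSL_CTX default callback rather than the explicit call in `@@ -434` will not see the per-context BIO unless the userdata is updated here as well. The enclosing function starts and ends outside the hunk.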
@@ -434,9 +437,11 @@
         BIO_free(bio);
         return NULL;
     }
+    if (!cb_data)
+        cb_data = &tcn_password_callback;
     key = PEM_read_bio_PrivateKey(bio, NULL,
                                   (pem_password_cb *)SSL_password_callback,
-                                  (void *)(&c->password));
+                                  cb_data);
     BIO_free(bio);
     return key;
 }
@@ -481,8 +486,10 @@
         goto cleanup;
     }
     if (J2S(password)) {
-        strncpy(c->password.password, J2S(password), SSL_MAX_PASSWORD_LEN);
-        c->password.password[SSL_MAX_PASSWORD_LEN-1] = '\0';
+        if (!c->cb_data)
+            c->cb_data = &tcn_password_callback;
+        strncpy(c->cb_data->password, J2S(password), SSL_MAX_PASSWORD_LEN);
+        c->cb_data->password[SSL_MAX_PASSWORD_LEN-1] = '\0';
     }
     key_file = J2S(key);
     cert_file = J2S(cert);
1.20 +8 -14 jakarta-tomcat-connectors/jni/native/src/sslutils.c
Index: sslutils.c
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslutils.c,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- sslutils.c 7 Jun 2005 10:00:55 -0000 1.19
+++ sslutils.c 7 Jun 2005 11:05:07 -0000 1.20
@@ -73,19 +73,14 @@
     return;
 }
 
-#define PROMPT_STRING "Enter password: "
 /* Simple echo password prompting */
 int SSL_password_prompt(tcn_pass_cb_t *data)
 {
     int rv = 0;
     data->password[0] = '\0';
-    if (data->ctx && data->ctx->bio_is) {
-        if (data->ctx->bio_is->flags & SSL_BIO_FLAG_RDONLY) {
-            /* Use error BIO in case of stdin */
-            BIO_puts(data->ctx->bio_os, data->prompt);
-        }
-        rv = BIO_gets(data->ctx->bio_is,
-                      data->password, SSL_MAX_PASSWORD_LEN);
+    if (data->bio) {
+        rv = BIO_gets(data->bio, data->password,
+                      SSL_MAX_PASSWORD_LEN);
     }
     else {
 #ifdef WIN32
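Review bot: `c->cb_data = &tcn_password_callback;` followed by `strncpy(c->cb_data->password, J2S(password), ...)` copies this context's passphrase into the process-wide object; `SSL_password_callback` (the `@@ -121` hunk in sslutils.c) falls back to the same object when its userdata is NULL and returns `cb_data->password` whenever it is non-empty, and the `@@ -434` hunk above does the same fallback, so every later context or PEM read that has no `cb_data` of its own appears to be served the first context's passphrase, and the plaintext outlives the context that set it. Allocating per-context storage here, as the setBIO hunk does, keeps passphrases separate: `if (!c->cb_data) c->cb_data = apr_pcalloc(c->pool, sizeof *c->cb_data);` followed by a NULL check before the copy; if sharing across contexts is the intended default, a comment on the assignment saying so would prevent the next reader from treating it as a bug. The function containing this hunk starts and ends outside it.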
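Review bot: In the new `if (data->bio)` branch of SSL_password_prompt the prompt is no longer emitted anywhere before `BIO_gets` blocks — the removed code wrote `data->prompt` to the error BIO first, and `data->prompt` is still populated with `SSL_DEFAULT_PASS_PROMPT` by the `@@ -121` hunk — so a caller that supplies an interactive BIO reads a passphrase with no prompt. If that is intentional because the side that supplied the BIO shows its own prompt, say so, e.g. `/* Caller that installed the BIO is responsible for prompting */`; otherwise write the prompt to the BIO before the read. `rv` from `BIO_gets` is not examined within the hunk; the rest of SSL_password_prompt is outside it.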
@@ -121,15 +116,14 @@
 {
     int rv = 0;
     tcn_pass_cb_t *cb_data = (tcn_pass_cb_t *)cb;
-    tcn_pass_cb_t c;
 
     if (buf == NULL)
         return 0;
     *buf = '\0';
-    if (cb_data == NULL) {
-        memset(&c, 0, sizeof(tcn_pass_cb_t));
-        cb_data = &c;
-    }
+    if (cb_data == NULL)
+        cb_data = &tcn_password_callback;
+    if (!cb_data->prompt)
+        cb_data->prompt = SSL_DEFAULT_PASS_PROMPT;
     if (cb_data->password[0]) {
         /* Return already obtained password */
         strncpy(buf, cb_data->password, bufsiz);