[picking this up from the comment in "Re: svn commit: r1585902 - ..."]
On 09.04.2014 21:56, Jeff Trawick wrote:
> IMO this needs to be reworked to restore compatibility for 2.x up
> through 2.4.7, with the new interface used if some new keyword is
> added on the directive. Yeah, some people who reworked their scripts
> will have to add that new keyword, but this will unblock others
> (vendors, distros, individuals) from upgrading without surprise.
We can partly restore the argument structure for "exec"-type programs,
but effectively, lifting the limit of 2 (or 3) certs per SSL host means
that there's no longer a reliable way of determining if we are actually
loading an "RSA", "DSA", or "ECC" key when calling the
SSLPassPhraseDialog program.
One option for improving backward compatibility with existing
SSLPassPhraseDialog programs could consist of keeping the two-argument
structure (servername:portnumber and index), and to replace the indexes
0 through 2 with the "RSA", "DSA", and "ECC" strings, respectively, as
illustrated by the attached patch (quickly hacked up PoC).
The primary question is on what arguments existing passphrase handling
programs are specifically relying - i.e. if it's mostly about only
having servername:portnumber in the first argument, or whether the
accuracy of RSA/DSA/ECC is equally important.
Kaspar
Index: modules/ssl/ssl_engine_pphrase.c
===================================================================
--- modules/ssl/ssl_engine_pphrase.c (revision 1586845)
+++ modules/ssl/ssl_engine_pphrase.c (working copy)
@@ -43,6 +43,8 @@ typedef struct {
const char *pkey_file;
} pphrase_cb_arg_t;
+static const char *key_types[] = {"RSA", "DSA", "ECC"};
+
/*
* Return true if the named file exists and is readable
*/
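Review bot: key_types[] is added without a comment stating what it depends on; the lookup in ssl_pphrase_Handle_CB relies on index 0 being the RSA key, 1 the DSA key and 2 the ECC key, which holds only while the per-host certificate list is ordered that way. Add a one-line comment saying the array order must match the key index ordering, and give the length a name (a `#define`, or `sizeof(key_types) / sizeof(key_types[0])`) so the caller does not hard-code `3` next to a three-element table that may later grow.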
@@ -574,16 +576,24 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize,
*/
else if (sc->server->pphrase_dialog_type == SSL_PPTYPE_FILTER) {
const char *cmd = sc->server->pphrase_dialog_path;
- const char **argv = apr_palloc(ppcb_arg->p, sizeof(char *) * 3);
+ const char **argv = apr_palloc(ppcb_arg->p, sizeof(char *) * 4);
+ const char *idx = ap_strrchr_c(ppcb_arg->key_id, ':') + 1;
char *result;
+ int i;
ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb_arg->s, APLOGNO(01969)
"Init: Requesting pass phrase from dialog filter "
"program (%s)", cmd);
argv[0] = cmd;
- argv[1] = ppcb_arg->key_id;
- argv[2] = NULL;
+ argv[1] = apr_pstrndup(ppcb_arg->p, ppcb_arg->key_id,
+ idx - ppcb_arg->key_id - 1);
+ if ((i = atoi(idx)) < 3) {
+ argv[2] = key_types[i];
+ } else {
+ argv[2] = apr_pstrdup(ppcb_arg->p, idx);
+ }
+ argv[3] = NULL;
result = ssl_util_readfilter(ppcb_arg->s, ppcb_arg->p, cmd, argv);
apr_cpystrn(buf, result, bufsize);
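Review bot: `ap_strrchr_c(ppcb_arg->key_id, ':') + 1` has no NULL check, so a key_id without a colon turns into an invalid pointer before `apr_pstrndup` and `atoi` ever run; and `atoi(idx)` returns 0 for a non-numeric suffix (which then silently reports "RSA" to the dialog program) and a negative value for input such as "-1", which `i < 3` accepts and then reads `key_types[-1]`. Guard the strrchr result, parse with something that rejects non-digits (e.g. `apr_strtoi64` with an end pointer, or an `apr_isdigit(*idx)` check before `atoi`), and test `i >= 0 && i < 3`. Since the hunk changes the argv layout handed to the `exec:` program from one argument to two, the SSLPassPhraseDialog directive documentation should describe the resulting argument layout in the same change.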
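The compatibility question raised above, as an added example that is not part of the thread or of the httpd project: a hypothetical SSLPassPhraseDialog `exec:` program that accepts both argument layouts visible in the hunk, the single "servername:portnumber:index" argument the removed `argv[1] = ppcb_arg->key_id` line passes, and the two-argument "servername:portnumber" plus "RSA"/"DSA"/"ECC"-or-index form the patch emits. The host names, ports and passphrase table are constructed for the example; a real script would read the passphrase from a protected file or secret store rather than a `case` table.

```shell
#!/bin/sh
# Hypothetical SSLPassPhraseDialog "exec:" helper (added example, not from the thread).
# Normalises both calling conventions into "host:port" and a key-type label:
#   single argument:  prog "host:port:N"                    (argv[1] = key_id)
#   two arguments:    prog "host:port" "RSA"|"DSA"|"ECC"|"N"  (the patch's layout)
# Indexes 0..2 map to RSA/DSA/ECC exactly as the patch's key_types[] does;
# higher indexes are passed through unchanged.

index_to_type() {
    case "$1" in
        0) echo RSA ;;
        1) echo DSA ;;
        2) echo ECC ;;
        *) echo "$1" ;;
    esac
}

# Print "host:port type" for either interface; return 1 on anything unrecognised
# so that a malformed invocation never falls through to the "RSA" entry.
normalize_args() {
    if [ "$#" -eq 1 ]; then
        host_port=${1%:*}          # strip the trailing ":N"
        idx=${1##*:}               # keep only N
        [ "$host_port" != "$1" ] || return 1   # no ':' at all
        case "$idx" in
            ''|*[!0-9]*) return 1 ;;           # empty or non-numeric index
        esac
        echo "$host_port $(index_to_type "$idx")"
    elif [ "$#" -eq 2 ]; then
        case "$2" in
            RSA|DSA|ECC) echo "$1 $2" ;;
            ''|*[!0-9]*) return 1 ;;           # neither a type name nor an index
            *) echo "$1 $(index_to_type "$2")" ;;
        esac
    else
        return 1
    fi
}

# Constructed passphrase table keyed on "host:port type"; stdout is what mod_ssl
# reads back as the pass phrase. Replace with a real lookup in deployment.
lookup_passphrase() {
    case "$1 $2" in
        "www.example.com:443 RSA") echo "rsa-secret" ;;
        "www.example.com:443 ECC") echo "ecc-secret" ;;
        *) return 1 ;;
    esac
}

main() {
    normalized=$(normalize_args "$@") || {
        echo "unrecognised SSLPassPhraseDialog arguments: $*" >&2
        exit 1
    }
    set -- $normalized
    lookup_passphrase "$1" "$2"
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Installed as `SSLPassPhraseDialog exec:/path/to/this-script`, the script answers the same passphrase whether mod_ssl calls it with `www.example.com:443:0` or with `www.example.com:443 RSA`, which is the property the thread is asking for; the failure branches matter because an index the script cannot interpret should be an error, not a silent guess.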