On 14.04.2014 10:47, Jan Kaluža wrote:
> On 04/12/2014 12:37 PM, Kaspar Brand wrote:
>> We can partly restore the argument structure for "exec"-type programs,
>> but effectively, lifting the limit of 2 (or 3) certs per SSL host means
>> that there's no longer a reliable way of determining if we are actually
>> loading an "RSA", "DSA", or "ECC" key when calling the
>> SSLPassPhraseDialog program.
>
> It would be useful to have the same arguments as before, but if that's
> not possible to do in all cases now, I would say just increasing the
> arguments count won't help anything.
I'm attaching a cleaned up patch, which does it in a somewhat more
systematic way. If we apply this to 2.4.x, then we have at least
compatibility with existing configs and exec-type SSLPassPhraseDialog
programs.
> I have already asked the original reporter of this incompatibility, but
> I have not received the answer yet. I will try to ask him again and will
> write an email if I get the response this time.
>
> My guess is that they are just using that second argument in the script
> and since the argument is not here, the script is failing now. I don't
> think it's used for anything more important than that, but I have no
> clue right now.
For the sake of transparency/completeness, this is the bug report for
Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1084230
> Anyway, would you merge your documentation patch with httpd-2.4 with the
> mention it changed in 2.4.9?
I already did that with r1585902 (cf.
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslpassphrasedialog).
Kaspar
Index: modules/ssl/ssl_engine_pphrase.c
===================================================================
--- modules/ssl/ssl_engine_pphrase.c (revision 1587799)
+++ modules/ssl/ssl_engine_pphrase.c (working copy)
@@ -43,6 +43,14 @@ typedef struct {
const char *pkey_file;
} pphrase_cb_arg_t;
+#ifdef HAVE_ECC
+static const char *key_types[] = {"RSA", "DSA", "ECC"};
+#define CERTKEYS_IDX_MAX 2
+#else
+static const char *key_types[] = {"RSA", "DSA"};
+#define CERTKEYS_IDX_MAX 1
+#endif
+
/*
* Return true if the named file exists and is readable
*/
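Review bot: CERTKEYS_IDX_MAX is the highest valid index into key_types (2 with HAVE_ECC, 1 without), which forces every caller to remember to compare against CERTKEYS_IDX_MAX+1. Deriving the bound from the array itself, e.g. `#define KEY_TYPES_COUNT (sizeof(key_types) / sizeof(key_types[0]))`, keeps the macro and the array from drifting apart if another name is ever added, and a short comment above the array stating that these strings are the legacy second argument handed to exec-type SSLPassPhraseDialog programs would help readers of this file who have not followed the list discussion.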
@@ -574,16 +582,29 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize,
*/
else if (sc->server->pphrase_dialog_type == SSL_PPTYPE_FILTER) {
const char *cmd = sc->server->pphrase_dialog_path;
- const char **argv = apr_palloc(ppcb_arg->p, sizeof(char *) * 3);
+ const char **argv = apr_palloc(ppcb_arg->p, sizeof(char *) * 4);
+ const char *idx = ap_strrchr_c(ppcb_arg->key_id, ':') + 1;
char *result;
+ int i;
ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb_arg->s, APLOGNO(01969)
"Init: Requesting pass phrase from dialog filter "
"program (%s)", cmd);
argv[0] = cmd;
- argv[1] = ppcb_arg->key_id;
- argv[2] = NULL;
+ argv[1] = apr_pstrndup(ppcb_arg->p, ppcb_arg->key_id,
+ idx-1 - ppcb_arg->key_id);
+ if ((i = atoi(idx)) < CERTKEYS_IDX_MAX+1) {
+ /*
+ * For compatibility with existing 2.4.x configurations, use
+ * "RSA", "DSA" and "ECC" strings for the first two/three keys
+ */
+ argv[2] = key_types[i];
+ } else {
+ /* Four and above: use the integer index */
+ argv[2] = apr_pstrdup(ppcb_arg->p, idx);
+ }
+ argv[3] = NULL;
result = ssl_util_readfilter(ppcb_arg->s, ppcb_arg->p, cmd, argv);
apr_cpystrn(buf, result, bufsize);
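Review bot: `idx` is computed as `ap_strrchr_c(ppcb_arg->key_id, ':') + 1` with no check that a ':' was actually found; if key_id ever lacks one, `idx` is NULL+1 and the length passed to apr_pstrndup, `idx-1 - ppcb_arg->key_id`, is garbage. The index check is also one-sided: `atoi(idx)` returns 0 for non-numeric text (silently mapping to "RSA") and can return a negative value, and `i < CERTKEYS_IDX_MAX+1` has no lower bound, so a negative i would read before key_types[0]. Suggest `if (i >= 0 && i <= CERTKEYS_IDX_MAX)` together with a guard on the strrchr result (log at APLOG_ERR and fall back to passing key_id unchanged, or ap_assert if the caller is guaranteed to build key_id with the index after the last ':'), so the compatibility path cannot turn a malformed key_id into an out-of-bounds read.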