Currently the sslpassword_program configuration parameter does not work
for encrypted certificate keys on ssl-bump enabled http ports, and the user
is always asked interactively for the SSL key password.
This patch fixes this problem.
Regards,
Christos
=== modified file 'src/ssl/gadgets.cc'
--- src/ssl/gadgets.cc 2012-01-20 18:55:04 +0000
+++ src/ssl/gadgets.cc 2012-02-17 17:14:39 +0000
@@ -219,50 +219,50 @@
return true;
}
/**
\ingroup ServerProtocolSSLInternal
* Read certificate from file.
*/
static X509 * readSslX509Certificate(char const * certFilename)
{
if (!certFilename)
return NULL;
Ssl::BIO_Pointer bio(BIO_new(BIO_s_file_internal()));
if (!bio)
return NULL;
if (!BIO_read_filename(bio.get(), certFilename))
return NULL;
X509 *certificate = PEM_read_bio_X509(bio.get(), NULL, NULL, NULL);
return certificate;
}
-EVP_PKEY * Ssl::readSslPrivateKey(char const * keyFilename)
+EVP_PKEY * Ssl::readSslPrivateKey(char const * keyFilename, pem_password_cb *passwd_callback)
{
if (!keyFilename)
return NULL;
Ssl::BIO_Pointer bio(BIO_new(BIO_s_file_internal()));
if (!bio)
return NULL;
if (!BIO_read_filename(bio.get(), keyFilename))
return NULL;
- EVP_PKEY *pkey = PEM_read_bio_PrivateKey(bio.get(), NULL, NULL, NULL);
+ EVP_PKEY *pkey = PEM_read_bio_PrivateKey(bio.get(), NULL, passwd_callback, NULL);
return pkey;
}
void Ssl::readCertAndPrivateKeyFromFiles(Ssl::X509_Pointer & cert, Ssl::EVP_PKEY_Pointer & pkey, char const * certFilename, char const * keyFilename)
{
if (keyFilename == NULL)
keyFilename = certFilename;
pkey.reset(readSslPrivateKey(keyFilename));
cert.reset(readSslX509Certificate(certFilename));
if (!pkey || !cert || !X509_check_private_key(cert.get(), pkey.get())) {
pkey.reset(NULL);
cert.reset(NULL);
}
}
bool Ssl::sslDateIsInTheFuture(char const * date)
{
ASN1_UTCTIME tm;
tm.flags = 0;
tm.type = 23;
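Review bot: readCertAndPrivateKeyFromFiles still calls `readSslPrivateKey(keyFilename)` with no callback, so that path keeps OpenSSL's default behaviour for an encrypted key (the interactive prompt the description is trying to avoid), while only the support.cc caller gets the configured password callback. If that reader is meant for unencrypted keys only, say so at the call site, e.g. `pkey.reset(readSslPrivateKey(keyFilename)); // no password callback: key must be unencrypted`; otherwise thread a `pem_password_cb *` parameter through this function as well. The new `passwd_callback` parameter of readSslPrivateKey also has no documentation in this file; a one-line `\param passwd_callback` in the existing doxygen block would make the two readers easier to tell apart.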
=== modified file 'src/ssl/gadgets.h'
--- src/ssl/gadgets.h 2011-10-27 15:27:25 +0000
+++ src/ssl/gadgets.h 2012-02-17 17:15:26 +0000
@@ -106,39 +106,39 @@
/**
\ingroup SslCrtdSslAPI
* Sign SSL request.
* \param x509 if this param equals NULL, returning certificate will be selfsigned.
* \return X509 Signed certificate.
*/
X509 * signRequest(X509_REQ_Pointer const & request, X509_Pointer const & x509, EVP_PKEY_Pointer const & pkey, ASN1_TIME * timeNotAfter, BIGNUM const * serial);
/**
\ingroup SslCrtdSslAPI
* Decide on the kind of certificate and generate a CA- or self-signed one.
* Return generated certificate and private key in resultX509 and resultPkey
* variables.
*/
bool generateSslCertificateAndPrivateKey(char const *host, X509_Pointer const & signedX509, EVP_PKEY_Pointer const & signedPkey, X509_Pointer & cert, EVP_PKEY_Pointer & pkey, BIGNUM const* serial);
/**
\ingroup SslCrtdSslAPI
* Read private key from file. Make sure that this is not encrypted file.
*/
-EVP_PKEY * readSslPrivateKey(char const * keyFilename);
+EVP_PKEY * readSslPrivateKey(char const * keyFilename, pem_password_cb *passwd_callback = NULL);
/**
\ingroup SslCrtdSslAPI
* Read certificate and private key from files.
* \param certFilename name of file with certificate.
* \param keyFilename name of file with private key.
*/
void readCertAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, char const * certFilename, char const * keyFilename);
/**
\ingroup SslCrtdSslAPI
* Verify date. Date format it ASN1_UTCTIME. if there is out of date error,
* return false.
*/
bool sslDateIsInTheFuture(char const * date);
} // namespace Ssl
#endif // SQUID_SSL_GADGETS_H
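Review bot: The doxygen comment above the changed declaration, "Make sure that this is not encrypted file.", is now wrong, since the point of the new `passwd_callback` parameter is to read encrypted keys. Replace it with `* Read private key from file.` followed by `* \param passwd_callback OpenSSL callback used to obtain the passphrase of an encrypted key; when NULL, OpenSSL falls back to its built-in prompt.` A stale comment here is what would lead the next maintainer to keep calling the default-argument form for keys that may be encrypted.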
=== modified file 'src/ssl/support.cc'
--- src/ssl/support.cc 2012-01-22 14:15:59 +0000
+++ src/ssl/support.cc 2012-02-17 17:16:17 +0000
@@ -1301,29 +1301,29 @@
debugs(83, DBG_IMPORTANT, "WARNING: unable to add signing certificate to cert chain");
// and add to the chain any certificate loaded from the file
while (X509 *ca = PEM_read_bio_X509(bio.get(), NULL, NULL, NULL)) {
if (!sk_X509_push(chain, ca))
debugs(83, DBG_IMPORTANT, "WARNING: unable to add CA certificate to cert chain");
}
}
}
return certificate;
}
void Ssl::readCertChainAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, X509_STACK_Pointer & chain, char const * certFilename, char const * keyFilename)
{
if (keyFilename == NULL)
keyFilename = certFilename;
if (!chain)
chain.reset(sk_X509_new_null());
if (!chain)
debugs(83, DBG_IMPORTANT, "WARNING: unable to allocate memory for cert chain");
- pkey.reset(readSslPrivateKey(keyFilename));
+ pkey.reset(readSslPrivateKey(keyFilename, ssl_ask_password_cb));
cert.reset(readSslX509CertificatesChain(certFilename, chain.get()));
if (!pkey || !cert || !X509_check_private_key(cert.get(), pkey.get())) {
pkey.reset(NULL);
cert.reset(NULL);
}
}
#endif /* USE_SSL */
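Review bot: When the key cannot be read through ssl_ask_password_cb (for example the configured sslpassword_program fails or returns the wrong passphrase), `pkey` comes back NULL and the function silently resets both `pkey` and `cert` to NULL, while the chain-allocation failure just above it does log a warning. A diagnostic inside that branch would make the new failure mode visible, e.g. `debugs(83, DBG_IMPORTANT, "ERROR: unable to read private key or certificate from " << keyFilename << " / " << certFilename);`. Note also that the userdata argument to PEM_read_bio_PrivateKey stays NULL in readSslPrivateKey, so ssl_ask_password_cb presumably takes its configuration from global state rather than from the caller; its definition is outside this hunk.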