*) mod_authn_socache: Fix crash at startup in certain configurations.
PR 56371. (regression in 2.4.7) [Jan Kaluza]
+ *) mod_ssl: restore argument structure for "exec"-type SSLPassPhraseDialog
+ programs to the form used in releases up to 2.4.7, and emulate
+ a backwards-compatible behavior for existing setups. [Kaspar Brand]
+
*) mod_lua: Enforce the max post size allowed via r:parsebody()
[Daniel Gruno]
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_ssl: restore argument structure for exec-type SSLPassPhraseDialog
- programs, and implement a special merging algorithm for
- SSLCertificate[Key]File to emulate the behavior in versions <= 2.4.7
- trunk patch: not sensible for trunk (unneeded backwards compatibility)
- 2.4.x patch: https://people.apache.org/~kbrand/mod_ssl-2.4.x-pphrase-certkeyfile-compat.diff
- +1: kbrand, jkaluza, jim
-
* mod_proxy_scgi: Support Unix sockets
httpd patch: http://svn.apache.org/r1592529
2.4.x patch: trunk patch works modulo CHANGES
<li><code>exec:/path/to/program</code>
<p>
Here an external program is configured which is called at startup for each
- encrypted Private Key file.
- For versions up to 2.4.7, it is called with two arguments (the first is
+ encrypted Private Key file. It is called with two arguments (the first is
of the form ``<code>servername:portnumber</code>'', the second is either
- ``<code>RSA</code>'', ``<code>DSA</code>'', or ``<code>ECC</code>''), which
+ ``<code>RSA</code>'', ``<code>DSA</code>'', ``<code>ECC</code>'' or an
+ integer index starting at 3 if more than three keys are configured), which
indicate for which server and algorithm it has to print the corresponding
- Pass Phrase to <code>stdout</code>.
- Starting with version 2.4.9, it is called with one argument, a string of the
+ Pass Phrase to <code>stdout</code>. In versions 2.4.8 (unreleased)
+ and 2.4.9, it is called with one argument, a string of the
form ``<code>servername:portnumber:index</code>'' (with <code>index</code>
- being a zero-based sequence number), which indicate the server, TCP port
+ being a zero-based integer number), which indicate the server, TCP port
and certificate number. The intent is that this external
program first runs security checks to make sure that the system is not
compromised by an attacker, and only when these checks were passed
cfgMergeString(pkp->ca_cert_file);
}
+static void modssl_ctx_cfg_merge_certkeys_array(apr_pool_t *p,
+ apr_array_header_t *base,
+ apr_array_header_t *add,
+ apr_array_header_t *mrg)
+{
+ int i;
+
+ /*
+ * pick up to CERTKEYS_IDX_MAX+1 entries from "add" (in which case they
+ * they "knock out" their corresponding entries in "base", emulating
+ * the behavior with cfgMergeString in releases up to 2.4.7)
+ */
+ for (i = 0; i < add->nelts && i <= CERTKEYS_IDX_MAX; i++) {
+ APR_ARRAY_PUSH(mrg, const char *) = APR_ARRAY_IDX(add, i, const char *);
+ }
+
+ /* add remaining ones from "base" */
+ while (i < base->nelts) {
+ APR_ARRAY_PUSH(mrg, const char *) = APR_ARRAY_IDX(base, i, const char *);
+ i++;
+ }
+
+ /* and finally, append the rest of "add" (if there are any) */
+ for (i = CERTKEYS_IDX_MAX+1; i < add->nelts; i++) {
+ APR_ARRAY_PUSH(mrg, const char *) = APR_ARRAY_IDX(add, i, const char *);
+ }
+}
+
static void modssl_ctx_cfg_merge_server(apr_pool_t *p,
modssl_ctx_t *base,
modssl_ctx_t *add,
{
modssl_ctx_cfg_merge(p, base, add, mrg);
- cfgMergeArray(pks->cert_files);
- cfgMergeArray(pks->key_files);
+ /*
+ * For better backwards compatibility with releases up to 2.4.7,
+ * merging global and vhost-level SSLCertificateFile and
+ * SSLCertificateKeyFile directives needs special treatment.
+ * See also PR 56306 and 56353.
+ */
+ modssl_ctx_cfg_merge_certkeys_array(p, base->pks->cert_files,
+ add->pks->cert_files,
+ mrg->pks->cert_files);
+ modssl_ctx_cfg_merge_certkeys_array(p, base->pks->key_files,
+ add->pks->key_files,
+ mrg->pks->key_files);
cfgMergeString(pks->ca_name_path);
cfgMergeString(pks->ca_name_file);
const char *pkey_file;
} pphrase_cb_arg_t;
+#ifdef HAVE_ECC
+static const char *key_types[] = {"RSA", "DSA", "ECC"};
+#else
+static const char *key_types[] = {"RSA", "DSA"};
+#endif
+
/*
* Return true if the named file exists and is readable
*/
*/
else if (sc->server->pphrase_dialog_type == SSL_PPTYPE_FILTER) {
const char *cmd = sc->server->pphrase_dialog_path;
- const char **argv = apr_palloc(ppcb_arg->p, sizeof(char *) * 3);
+ const char **argv = apr_palloc(ppcb_arg->p, sizeof(char *) * 4);
+ const char *idx = ap_strrchr_c(ppcb_arg->key_id, ':') + 1;
char *result;
+ int i;
ap_log_error(APLOG_MARK, APLOG_INFO, 0, ppcb_arg->s, APLOGNO(01969)
"Init: Requesting pass phrase from dialog filter "
"program (%s)", cmd);
argv[0] = cmd;
- argv[1] = ppcb_arg->key_id;
- argv[2] = NULL;
+ argv[1] = apr_pstrndup(ppcb_arg->p, ppcb_arg->key_id,
+ idx-1 - ppcb_arg->key_id);
+ if ((i = atoi(idx)) < CERTKEYS_IDX_MAX+1) {
+ /*
+ * For compatibility with existing 2.4.x configurations, use
+ * "RSA", "DSA" and "ECC" strings for the first two/three keys
+ */
+ argv[2] = key_types[i];
+ } else {
+ /* Four and above: use the integer index */
+ argv[2] = apr_pstrdup(ppcb_arg->p, idx);
+ }
+ argv[3] = NULL;
result = ssl_util_readfilter(ppcb_arg->s, ppcb_arg->p, cmd, argv);
apr_cpystrn(buf, result, bufsize);
#define DEFAULT_OCSP_TIMEOUT 10
#endif
+/*
+ * For better backwards compatibility with the SSLCertificate[Key]File
+ * and SSLPassPhraseDialog ("exec" type) directives in 2.4.7 and earlier
+ */
+#ifdef HAVE_ECC
+#define CERTKEYS_IDX_MAX 2
+#else
+#define CERTKEYS_IDX_MAX 1
+#endif
+
/**
* Define the SSL options
*/
projects / apache / commitdiff