Re: engine format keys
on 04.10.2005 16:56:11 by Kent Yoder
Hi Geoff,
> Sorry I didn't notice this earlier. I added some hooks to modssl ages ago
> to support engine ctrl-commands if that helps. In fact you may have to
Thanks for the patch. I don't think I'm going to be able to
accomplish what I wanted with control commands though. Basically I
need my engine's load_privkey function to be called if
PEM_read_PrivateKey fails, or perhaps explicitly with some option to
modssl.
> jiggle with this patch if you want to update it to the latest mod_ssl
> version, but it may be easier than redoing it from scratch;
>
> http://www.geoffthorpe.net/crypto/
>
> If you get it running with a more recent version and feel like giving me a
> newer diff, I'd appreciate being able to replace the one on my site. I
> don't think Ralf wants to include this functionality now that mod_ssl is
> just in maintenance-mode and (kinda) deprecated in favour of apache2.
Ahh, I see. Thanks for the info. I guess the next step is to poke
the apache2 guys for openssl 0.9.8 support. I did try compiling 2.1
beta with it without luck. Updated patch attached...
Thanks,
Kent
> Cheers,
> Geoff
>
> --
> Geoff Thorpe
> geoff@geoffthorpe.net
> http://www.geoffthorpe.net/
>
> Even those who do not feel they are one of us, no longer seeing us on our knees,
> will be, more than ever, at home in our home.
> -- Loco Locass
>
--
Kent Yoder
IBM LTC Security Dev.
[Attachment: mod_ssl-2.8.24-1.3.33-control.diff]
diff -urN mod_ssl-2.8.24-1.3.33/pkg.sslmod/mod_ssl.c mod_ssl-2.8.24-1.3.33-eng_ctrl/pkg.sslmod/mod_ssl.c
--- mod_ssl-2.8.24-1.3.33/pkg.sslmod/mod_ssl.c 2005-07-06 03:32:14.000000000 -0500
+++ mod_ssl-2.8.24-1.3.33-eng_ctrl/pkg.sslmod/mod_ssl.c 2005-10-03 21:42:52.739731294 -0500
@@ -96,6 +96,9 @@
AP_SRV_CMD(CryptoDevice, TAKE1,
"SSL external Crypto Device usage "
"(`builtin', `...')")
+ AP_SRV_CMD(CryptoDeviceCtrl, TAKE12,
+ "SSL external Crypto Device custom control commands "
+ "(`cmd[:arg] [pre|post]')")
#endif
AP_SRV_CMD(RandomSeed, TAKE23,
"SSL Pseudo Random Number Generator (PRNG) seeding source "
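Review bot: the help string for CryptoDeviceCtrl should state that the directive only works once SSLCryptoDevice has named a valid engine, since ssl_cmd_SSLCryptoDeviceCtrl otherwise rejects it with "Must follow a valid engine"; something like "(`cmd[:arg] [pre|post]', must follow SSLCryptoDevice)" spares the admin a trip to the error log.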
diff -urN mod_ssl-2.8.24-1.3.33/pkg.sslmod/mod_ssl.h mod_ssl-2.8.24-1.3.33-eng_ctrl/pkg.sslmod/mod_ssl.h
--- mod_ssl-2.8.24-1.3.33/pkg.sslmod/mod_ssl.h 2005-07-06 03:32:14.000000000 -0500
+++ mod_ssl-2.8.24-1.3.33-eng_ctrl/pkg.sslmod/mod_ssl.h 2005-10-03 21:42:52.741731054 -0500
@@ -557,6 +557,7 @@
ssl_ds_table *tPrivateKey;
#ifdef SSL_EXPERIMENTAL_ENGINE
char *szCryptoDevice;
+ table *tCryptoDeviceCtrl;
#endif
struct {
void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
@@ -653,6 +654,7 @@
const char *ssl_cmd_SSLMutex(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, char *, char *);
+const char *ssl_cmd_SSLCryptoDeviceCtrl(cmd_parms *, char *, char *, char *);
const char *ssl_cmd_SSLRandomSeed(cmd_parms *, char *, char *, char *, char *);
const char *ssl_cmd_SSLEngine(cmd_parms *, char *, int);
const char *ssl_cmd_SSLCipherSuite(cmd_parms *, SSLDirConfigRec *, char *);
diff -urN mod_ssl-2.8.24-1.3.33/pkg.sslmod/ssl_engine_config.c mod_ssl-2.8.24-1.3.33-eng_ctrl/pkg.sslmod/ssl_engine_config. c
--- mod_ssl-2.8.24-1.3.33/pkg.sslmod/ssl_engine_config.c 2005-07-06 03:32:15.000000000 -0500
+++ mod_ssl-2.8.24-1.3.33-eng_ctrl/pkg.sslmod/ssl_engine_config. c 2005-10-03 21:42:52.743730814 -0500
@@ -142,6 +142,7 @@
mc->tTmpKeys = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t));
#ifdef SSL_EXPERIMENTAL_ENGINE
mc->szCryptoDevice = NULL;
+ mc->tCryptoDeviceCtrl = ap_make_table(pPool, 10);
#endif
(void)memset(mc->pTmpKeys, 0, SSL_TKPIDX_MAX*sizeof(void *));
@@ -473,6 +474,64 @@
return "SSLCryptoDevice: Invalid argument";
return NULL;
}
+
+/* Our static variables get reset between first and second pass ... so this
+ * variable is mixed in key-value strings and incremented. On the second pass,
+ * the key-values will match so will replace, rather than supplement, the table
+ * entries. (All this to prevent getting two copies of everything?!) */
+static int braindead = 0;
+
+const char *ssl_cmd_SSLCryptoDeviceCtrl(
+ cmd_parms *cmd, char *struct_ptr, char *arg, char *prepost)
+{
+ SSLModConfigRec *mc = myModConfig();
+ const char *err;
+ ENGINE *e;
+ char *colon, *value, *converted_arg, *converted_val;
+
+ if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
+ return err;
+ if ((e = ENGINE_by_id(mc->szCryptoDevice)) == NULL) {
+ err = "SSLCryptoDeviceCtrl: Must follow a valid engine";
+ goto end;
+ }
+ if (!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL)) {
+ err = "SSLCryptoDeviceCtrl: The engine has no 'ctrl' handler";
+ goto end;
+ }
+ if(prepost) {
+ if(strcmp(prepost, "pre") && strcmp(prepost, "post")) {
+ err = "SSLCryptoDeviceCtrl: Only 'pre' and 'post are valid options";
+ goto end;
+ }
+ } else
+ prepost = "pre";
+ /* Now separate out the argument into name:value (or name:'NULL' if there is
+ * no value). */
+ colon = strchr(arg, ':');
+ if(colon) {
+ *colon = '\0';
+ value = colon + 1;
+ } else
+ value = NULL;
+ if (ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FROM_NAME, 0, arg, NULL) < 0) {
+ err = "SSLCryptoDeviceCtrl: The engine doesn't recognise that command";
+ goto end;
+ }
+ converted_arg = ap_palloc(cmd->pool, strlen(arg) + 5);
+ sprintf(converted_arg, "%i,%s", braindead++, arg);
+ if(!value)
+ converted_val = prepost;
+ else {
+ converted_val = ap_palloc(cmd->pool, strlen(value) + 5);
+ sprintf(converted_val, "%s%s", prepost, value);
+ }
+ ap_table_set(mc->tCryptoDeviceCtrl, converted_arg, converted_val);
+end:
+ if(e)
+ ENGINE_free(e);
+ return err;
+}
#endif
const char *ssl_cmd_SSLRandomSeed(
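Review bot: the hand-sized buffers in ssl_cmd_SSLCryptoDeviceCtrl are a latent overflow: `converted_arg = ap_palloc(cmd->pool, strlen(arg) + 5)` leaves room for at most three digits of `braindead` plus the comma and NUL, so the `sprintf(converted_arg, "%i,%s", ...)` overruns once the counter reaches 1000 (unlikely for a config file, but the size and the format string are coupled by hand, and `converted_val` is sized exactly for the four-letter "post" prefix). Use `ap_psprintf(cmd->pool, "%i,%s", braindead++, arg)` and `ap_psprintf(cmd->pool, "%s%s", prepost, value)`, which size the pool allocation for you. Two smaller points: when no SSLCryptoDevice has been given, `mc->szCryptoDevice` is NULL and the code relies on ENGINE_by_id(NULL) failing, where an explicit NULL check with its own message would be clearer; and the message "Only 'pre' and 'post are valid options" is missing its closing quote. GLOBAL_ONLY is the right context check, since the directive drives process-wide engine state.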
diff -urN mod_ssl-2.8.24-1.3.33/pkg.sslmod/ssl_engine_init.c mod_ssl-2.8.24-1.3.33-eng_ctrl/pkg.sslmod/ssl_engine_init.c
--- mod_ssl-2.8.24-1.3.33/pkg.sslmod/ssl_engine_init.c 2005-07-06 03:32:15.000000000 -0500
+++ mod_ssl-2.8.24-1.3.33-eng_ctrl/pkg.sslmod/ssl_engine_init.c 2005-10-03 21:49:15.351710550 -0500
@@ -341,10 +341,40 @@
* a hardware accellerator card for crypto operations.
*/
#ifdef SSL_EXPERIMENTAL_ENGINE
+typedef struct st_engine_dummy {
+ ENGINE *e;
+ int ispost;
+ const char *bailed;
+} engine_dummy;
+static int internal_ctrl_cb(void *r, const char *k, const char *v)
+{
+ engine_dummy *d = (engine_dummy *)r;
+ while(isdigit(*k) || (*k == ','))
+ k++;
+ if(strncmp(v, "post", 4) == 0) {
+ /* This key-value pair is for "post" operation */
+ if(!d->ispost)
+ return 1;
+ v += 4;
+ } else {
+ /* This key-value pair is for "pre" operation */
+ if(d->ispost)
+ return 1;
+ v += 3;
+ }
+ if(strlen(v) == 0)
+ v = NULL;
+ if(!ENGINE_ctrl_cmd_string(d->e, k, v, 0)) {
+ d->bailed = k;
+ return 0;
+ }
+ return 1;
+}
void ssl_init_Engine(server_rec *s, pool *p)
{
SSLModConfigRec *mc = myModConfig();
ENGINE *e;
+ engine_dummy d;
if (mc->szCryptoDevice != NULL) {
if ((e = ENGINE_by_id(mc->szCryptoDevice)) == NULL) {
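Review bot: internal_ctrl_cb strips the ordering prefix with `while(isdigit(*k) || (*k == ','))`, which would also eat leading digits of a command name; since the key is always written as "%i,%s", skipping to `strchr(k, ',') + 1` is exact and cheaper, and if `isdigit()` stays it needs `<ctype.h>` and an `(unsigned char)` cast on `*k`. The callback also stops on the first failure by returning 0 and records only the command name in `d->bailed`; the caller has the server_rec, so consider adding it to engine_dummy and logging from the callback, which would also let you report the engine's error queue (ERR_get_error) for the failed ENGINE_ctrl_cmd_string rather than just the name. Passing cmd_optional=0 is correct: a command the admin configured but the engine does not support should be fatal, not silently skipped.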
@@ -352,6 +382,17 @@
mc->szCryptoDevice);
ssl_die();
}
+
+ d.e = e;
+ d.ispost = 0;
+ d.bailed = NULL;
+ ap_table_do(internal_ctrl_cb, &d, mc->tCryptoDeviceCtrl, NULL);
+ if(d.bailed) {
+ ssl_log(s, SSL_LOG_ERROR, "Init: Failed on command '%s'", d.bailed);
+ ssl_die();
+ }
+
+
if (strEQ(mc->szCryptoDevice, "chil"))
ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
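Review bot: the 'pre' pass runs before ENGINE_set_default(), i.e. before the engine is initialised, which is the right place for commands such as config-file paths that must precede init; a comment at the `d.ispost = 0` line saying so would help, because the hard-coded CHIL FORKCHECK ctrl just below it is exactly such a pre-init command and could now be expressed through SSLCryptoDeviceCtrl. The two consecutive blank lines after the `ssl_die()` block are one more than this file uses elsewhere.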
@@ -359,6 +400,14 @@
mc->szCryptoDevice);
ssl_die();
}
+
+ d.ispost = 1;
+ ap_table_do(internal_ctrl_cb, &d, mc->tCryptoDeviceCtrl, NULL);
+ if(d.bailed) {
+ ssl_log(s, SSL_LOG_ERROR, "Init: Failed on command '%s'", d.bailed);
+ ssl_die();
+ }
+
ENGINE_free(e);
}
return;
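Review bot: the 'post' pass reuses `d` without resetting `d.bailed`; it works only because any earlier failure already called ssl_die(), so a `d.bailed = NULL;` next to `d.ispost = 1` would make the second check independent of that control flow. On a post failure the engine has already been made the default (ENGINE_set_default succeeded), so ssl_die() is the right response: continuing would leave an engine that is active but only half configured.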
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: engine format keys
on 12.10.2005 06:31:00 by Geoff Thorpe
Hi Kent,
On October 6, 2005 05:01 pm, Kent Yoder wrote:
> Yep, passphrase entry is at least part of the problem with calling
> ENGINE_load_private_key. After a few different attempts, I'm a bit
> stumped. The load key call wants a UI* passed to it, which eventually
> has UI_process() called on it by the engine. I've tried various ways
> of stuffing the modssl_read_bio_cb_fn pointer and the server rec into
> this structure, with a custom flush function which'd get called by
> UI_process. I haven't been able to test this approach yet, since it
> appears that openssl's UI_STRING and UI_METHOD structs aren't declared
> in a way that works in ui.h. For instance, any mention of
> sizeof(UI_STRING) brings an incomplete type error. Any help would be
> appreciated, I may not be using the ui interface correctly.
Alas I can't give you any off-the-top hints about UI_METHOD because I
haven't used it myself, so I've CC'd Richard who is the guy who did
UI_METHOD. Richard, if there's anything obvious in the above snippet
please feel free to comment. However I'd suggest taking this over to the
openssl-dev mail list Kent - then Richard and/or others can follow up
more meaningfully (and the subsequent discussion might be useful for
ongoing development).
Cheers,
Geoff
--
Geoff Thorpe
geoff@geoffthorpe.net
http://www.geoffthorpe.net/
Even those who do not feel they are one of us, no longer seeing us on our knees,
will be, more than ever, at home in our home.
-- Loco Locass