Bug #291: No Password prompt for encrypted key files

This adds sslpassword_program directive for specifying external program querying
for the SSL key passphrase

diff --git a/src/cf.data.pre b/src/cf.data.pre
index 1287d5b148dc5f60ad686d1b6bcf6786dece54ea..e9f0cb03b9569f5b0ab821f5ef812bf552be411a 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1,6 +1,6 @@
 
 #
-# $Id: cf.data.pre,v 1.354 2004/08/14 21:15:15 hno Exp $
+# $Id: cf.data.pre,v 1.355 2004/09/25 15:46:44 hno Exp $
 #
 #
 # SQUID Web Proxy Cache          http://www.squid-cache.org/
@@ -294,6 +294,18 @@ DOC_START
                                to OpenSSL.
 DOC_END
 
+NAME: sslpassword_program
+IFDEF: USE_SSL
+DEFAULT: none
+LOC: Config.Program.ssl_password
+TYPE: string
+DOC_START
+       Specify a program used for entering SSL key passphrases
+       when using encrypted SSL certificate keys. If not specified
+       keys must either be unencrypted, or Squid started with the -N
+       option to allow it to query interactively for the passphrase.
+DOC_END
+
 NAME: icp_port udp_port
 TYPE: ushort
 DEFAULT: 0

diff --git a/src/ssl_support.cc b/src/ssl_support.cc
index 22957cea4b706e21eb2f469e635ba8b95defb240..de64a7bac9f85d0117035972d52577ce68662376 100644 (file)
--- a/src/ssl_support.cc
+++ b/src/ssl_support.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: ssl_support.cc,v 1.15 2003/04/19 22:19:45 hno Exp $
+ * $Id: ssl_support.cc,v 1.16 2004/09/25 15:46:44 hno Exp $
  *
  * AUTHOR: Benno Rice
  * DEBUG: section 83    SSL accelerator support
@@ -36,6 +36,40 @@
 #include "squid.h"
 #include "fde.h"
 
+static int
+ssl_ask_password_cb(char *buf, int size, int rwflag, void *userdata)
+{
+    FILE *in;
+    int len = 0;
+    char cmdline[1024];
+
+    snprintf(cmdline, sizeof(cmdline), "\"%s\" \"%s\"", Config.Program.ssl_password, (const char *)userdata);
+    in = popen(cmdline, "r");
+
+    if (fgets(buf, size, in))
+
+        len = strlen(buf);
+
+    while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r'))
+
+        len--;
+
+    buf[len] = '\0';
+
+    pclose(in);
+
+    return len;
+}
+
+static void
+ssl_ask_password(SSL_CTX * context, const char * prompt)
+{
+    if (Config.Program.ssl_password) {
+        SSL_CTX_set_default_passwd_cb(context, ssl_ask_password_cb);
+        SSL_CTX_set_default_passwd_cb_userdata(context, (void *)prompt);
+    }
+}
+
 static RSA *
 ssl_temp_rsa_cb(SSL * ssl, int anInt, int keylen)
 {
@@ -488,6 +522,7 @@ sslCreateServerContext(const char *certfile, const char *keyfile, int version, c
     }
 
     debug(83, 1) ("Using private key in %s\n", keyfile);
+    ssl_ask_password(sslContext, keyfile);
 
     if (!SSL_CTX_use_PrivateKey_file(sslContext, keyfile, SSL_FILETYPE_PEM)) {
         ssl_error = ERR_get_error();
@@ -649,6 +684,7 @@ sslCreateClientContext(const char *certfile, const char *keyfile, int version, c
         }
 
         debug(83, 1) ("Using private key in %s\n", keyfile);
+        ssl_ask_password(sslContext, keyfile);
 
         if (!SSL_CTX_use_PrivateKey_file(sslContext, keyfile, SSL_FILETYPE_PEM)) {
             ssl_error = ERR_get_error();

diff --git a/src/structs.h b/src/structs.h
index b7c1d1946604177e722f9cb33889af2763667dbc..3a19572072031a4891dc19fcda2ddd45c8d8da27 100644 (file)
--- a/src/structs.h
+++ b/src/structs.h
@@ -1,6 +1,6 @@
 
 /*
- * $Id: structs.h,v 1.489 2004/08/30 05:12:31 robertc Exp $
+ * $Id: structs.h,v 1.490 2004/09/25 15:46:45 hno Exp $
  *
  *
  * SQUID Web Proxy Cache          http://www.squid-cache.org/
@@ -387,6 +387,11 @@ struct _SquidConfig
 #endif
 
         char *diskd;
+#if USE_SSL
+
+        char *ssl_password;
+#endif
+
     }
 
     Program;