[Fedora-directory-commits] mod_nss mod_nss.h, 1.15, 1.16 nss_engine_config.c, 1.12, 1.13 nss_engine_pphrase.c, 1.6, 1.7

Robert Crittenden (rcritten) fedora-directory-commits at redhat.com
Fri Aug 25 20:19:51 UTC 2006


Author: rcritten

Update of /cvs/dirsec/mod_nss
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23125

Modified Files:
	mod_nss.h nss_engine_config.c nss_engine_pphrase.c 
Log Message:
204138

Add new NSSPassPhraseDialog method, defer, where only the tokens that
are found in the file pointed to by this directive are initialized.

Otherwise it attempts to authenticate every token that NSS finds.

Syntax is: NSSPassPhraseDialog defer:/path/to/password.conf



Index: mod_nss.h
===================================================================
RCS file: /cvs/dirsec/mod_nss/mod_nss.h,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- mod_nss.h	9 Aug 2006 20:11:45 -0000	1.15
+++ mod_nss.h	25 Aug 2006 20:19:48 -0000	1.16
@@ -200,6 +200,7 @@
     SSL_PPTYPE_UNSET   = UNSET,
     SSL_PPTYPE_BUILTIN = 0,
     SSL_PPTYPE_FILE    = 1,
+    SSL_PPTYPE_DEFER   = 2,
 } nss_pphrase_t;
 
 /*


Index: nss_engine_config.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_config.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- nss_engine_config.c	5 Jul 2006 15:20:00 -0000	1.12
+++ nss_engine_config.c	25 Aug 2006 20:19:48 -0000	1.13
@@ -546,12 +546,18 @@
         mc->pphrase_dialog_type  = SSL_PPTYPE_BUILTIN;
         mc->pphrase_dialog_path = NULL;
     }
-    else if ((arglen > 5) && strEQn(arg, "file:", 5)) {
+    else if (((arglen > 5) && strEQn(arg, "file:", 5)) ||
+            ((arglen > 6) && strEQn(arg, "defer:", 6))) {
         apr_finfo_t finfo;
         apr_status_t rc;
 
-        mc->pphrase_dialog_type  = SSL_PPTYPE_FILE;
-        mc->pphrase_dialog_path = ap_server_root_relative(cmd->pool, arg+5);
+        if (strEQn(arg, "file:", 5)) {
+            mc->pphrase_dialog_type  = SSL_PPTYPE_FILE;
+            mc->pphrase_dialog_path = ap_server_root_relative(cmd->pool, arg+5);
+        } else {
+            mc->pphrase_dialog_type  = SSL_PPTYPE_DEFER;
+            mc->pphrase_dialog_path = ap_server_root_relative(cmd->pool, arg+6);
+        }
         if (!mc->pphrase_dialog_path)
             return apr_pstrcat(cmd->pool,
                               "Invalid NSSPassPhraseDialog file: path ",
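Review bot: The error returned at the end of the hunk still reads `Invalid NSSPassPhraseDialog file: path` when the failing directive used the new `defer:` prefix, which points an administrator at a file: argument that was never written. Either make the message prefix-neutral, e.g. `"Invalid NSSPassPhraseDialog path "`, or echo the original prefix from arg. The prefix test is now evaluated twice (in the else-if condition and again inside it); a local such as `int is_file = strEQn(arg, "file:", 5);` would make the two assignment branches read more clearly. The function and the rest of the error message continue past the hunk.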
@@ -631,6 +637,10 @@
         seed->nSrc   = SSL_RSSRC_EXEC;
         seed->cpPath = ap_server_root_relative(mc->pPool, arg2+5);
     }
+    else if ((arg2len > 6) && strEQn(arg2, "defer:", 6)) {
+        seed->nSrc   = SSL_RSSRC_FILE;
+        seed->cpPath = ap_server_root_relative(mc->pPool, arg2+5);
+    }
     else if (strcEQ(arg2, "builtin")) {
         seed->nSrc   = SSL_RSSRC_BUILTIN;
         seed->cpPath = NULL;
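Review bot: The new defer: branch strips only five characters from arg2, but the prefix `defer:` is six characters long, so cpPath begins with a stray `:` and ap_server_root_relative resolves the wrong path; the file: branch above uses `+5` only because its prefix is five characters. Change it to `seed->cpPath = ap_server_root_relative(mc->pPool, arg2+6);`. It is also not evident from the hunk why NSSRandomSeed should accept a defer: prefix at all, since the log message describes it only for NSSPassPhraseDialog and the branch maps it to SSL_RSSRC_FILE anyway; if this is a copy of the file: case that was not intended, dropping the branch is cleaner than fixing it. The enclosing function continues outside the hunk.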


Index: nss_engine_pphrase.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_pphrase.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- nss_engine_pphrase.c	20 Jun 2006 20:25:20 -0000	1.6
+++ nss_engine_pphrase.c	25 Aug 2006 20:19:48 -0000	1.7
@@ -74,6 +74,15 @@
             continue;
         }
 
+        if (parg->mc->pphrase_dialog_type == SSL_PPTYPE_DEFER) {
+            char * passwd = nss_get_password(stdin, stdout, slot, nss_check_password, parg);
+            if (passwd == NULL) {
+                PK11_FreeSlot(slot);
+                continue;
+            }
+            free(passwd);
+        }
+
         ret = PK11_Authenticate(slot, PR_TRUE, parg);
         if (SECSuccess != ret) {
             status = SECFailure;
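Review bot: The plaintext returned by nss_get_password in the new defer check is released with a plain `free(passwd)` without being cleared, so a copy of the token password stays in freed heap memory for the life of the process even though the value is only used to decide whether the token has an entry in the password file. Clear it before releasing it, e.g. `memset(passwd, 0, strlen(passwd)); free(passwd);`, preferring an explicit-clearing variant where the platform offers one since a plain memset immediately before free can be optimized away. Presumably PK11_Authenticate below drives the same callback again, so the file is parsed and the password read twice per token; if so, a comment such as `/* Probe the password file first; PK11_Authenticate will fetch the password again */` would record the intent. The hunk does not show how nss_get_password allocates its result, so confirm that free (rather than an NSS/NSPR release function) is the matching deallocator. The enclosing loop starts and ends outside the hunk.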
@@ -209,7 +218,8 @@
 
     token_name = PK11_GetTokenName(slot);
 
-    if (parg->mc->pphrase_dialog_type == SSL_PPTYPE_FILE) {
+    if (parg->mc->pphrase_dialog_type == SSL_PPTYPE_FILE ||
+        parg->mc->pphrase_dialog_type == SSL_PPTYPE_DEFER) {
         /* Try to get the passwords from the password file if it exists.
          * THIS IS UNSAFE and is provided for convenience only. Without this
          * capability the server would have to be started in foreground mode.
@@ -235,6 +245,14 @@
         }
     }
 
+    /* For SSL_PPTYPE_DEFER we only want to authenticate passwords found
+     * in the password file.
+     */
+    if ((parg->mc->pphrase_dialog_type == SSL_PPTYPE_DEFER) &&
+        (pwdstr == NULL)) {
+        return NULL;
+    }
+
     /* This purposely comes after the file check because that is more
      * authoritative.
      */



