From e778179d1fd60b2bf9e3a3b67ac6a94714b10558 Mon Sep 17 00:00:00 2001
From: Doug MacEachern <dougm@apache.org>
Date: Thu, 28 Feb 2002 00:23:32 +0000
Subject: [PATCH] switch SSLModConfigRec.tPrivateKey to ssl_asn1_table api to
 prevent leakage on restarts.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93614 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/mod_ssl.h            |  2 +-
 modules/ssl/ssl_engine_config.c  |  2 +-
 modules/ssl/ssl_engine_init.c    |  4 ++--
 modules/ssl/ssl_engine_pphrase.c | 16 ++++++++++------
 4 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
index 99cfb6895c..54ffddc18f 100644
--- a/modules/ssl/mod_ssl.h
+++ b/modules/ssl/mod_ssl.h
@@ -519,7 +519,7 @@ typedef struct {
     apr_hash_t     *tTmpKeys;
     void           *pTmpKeys[SSL_TKPIDX_MAX];
     ssl_ds_table   *tPublicCert;
-    ssl_ds_table   *tPrivateKey;
+    apr_hash_t     *tPrivateKey;
 #ifdef SSL_EXPERIMENTAL_ENGINE
     char           *szCryptoDevice;
 #endif
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 2160c4e6c8..6e0ad3e4d3 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -101,7 +101,7 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
         mc->szMutexFile            = NULL;
         mc->pMutex                 = NULL;
         mc->aRandSeed              = apr_array_make(pPool, 4, sizeof(ssl_randseed_t));
-        mc->tPrivateKey            = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t));
+        mc->tPrivateKey            = apr_hash_make(pPool);
         mc->tPublicCert            = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t));
         mc->tTmpKeys               = apr_hash_make(pPool);
 #ifdef SSL_EXPERIMENTAL_ENGINE
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 18a01ddd95..a427a7dadf 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -682,7 +682,7 @@ void ssl_init_ConfigureServer(server_rec *s, apr_pool_t *p, SSLSrvConfigRec *sc)
      */
     ok = FALSE;
     cp = apr_psprintf(p, "%s:RSA", cpVHostID);
-    if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPrivateKey, cp)) != NULL) {
+    if ((asn1 = ssl_asn1_table_get(mc->tPrivateKey, cp)) != NULL) {
         ssl_log(s, SSL_LOG_TRACE,
                 "Init: (%s) Configuring RSA server private key", cpVHostID);
         ucp = asn1->cpData;
@@ -702,7 +702,7 @@ void ssl_init_ConfigureServer(server_rec *s, apr_pool_t *p, SSLSrvConfigRec *sc)
         ok = TRUE;
     }
     cp = apr_psprintf(p, "%s:DSA", cpVHostID);
-    if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPrivateKey, cp)) != NULL) {
+    if ((asn1 = ssl_asn1_table_get(mc->tPrivateKey, cp)) != NULL) {
         ssl_log(s, SSL_LOG_TRACE,
                 "Init: (%s) Configuring DSA server private key", cpVHostID);
         ucp = asn1->cpData;
diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c
index 8b0717fcc2..cf5ae614b7 100644
--- a/modules/ssl/ssl_engine_pphrase.c
+++ b/modules/ssl/ssl_engine_pphrase.c
@@ -114,6 +114,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
     EVP_PKEY *pPrivateKey;
     ssl_asn1_t *asn1;
     unsigned char *ucp;
+    long int length;
     X509 *pX509Cert;
     BOOL bReadable;
     ssl_ds_array *aPassPhrase;
@@ -278,7 +279,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
                     !(isterm = isatty(fileno(stdout)))) /* XXX: apr_isatty() */
                 {
                     char *key_id = apr_psprintf(p, "%s:%s", cpVHostID, "RSA"); /* XXX: check for DSA key too? */
-                    ssl_asn1_t *asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPrivateKey, key_id);
+                    ssl_asn1_t *asn1 = ssl_asn1_table_get(mc->tPrivateKey, key_id);
                     
                     if (asn1 && (asn1->source_mtime == pkey_mtime)) {
                         ssl_log(pServ, SSL_LOG_INFO,
@@ -427,12 +428,15 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
              * RSA structure which do not survive DSO reloads!)
              */
             cp = apr_psprintf(mc->pPool, "%s:%s", cpVHostID, an);
-            asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tPrivateKey, cp);
-            asn1->nData  = i2d_PrivateKey(pPrivateKey, NULL);
-            asn1->cpData = apr_palloc(mc->pPool, asn1->nData);
-            ucp = asn1->cpData; i2d_PrivateKey(pPrivateKey, &ucp); /* 2nd arg increments */
+            length = i2d_PrivateKey(pPrivateKey, NULL);
+            ucp = ssl_asn1_table_set(mc->tPrivateKey, cp, length);
+            (void)i2d_PrivateKey(pPrivateKey, &ucp); /* 2nd arg increments */
 
-            asn1->source_mtime = pkey_mtime;
+            if (nPassPhraseDialogCur != 0) {
+                /* remember mtime of encrypted keys */
+                asn1 = ssl_asn1_table_get(mc->tPrivateKey, cp);
+                asn1->source_mtime = pkey_mtime;
+            }
 
             /*
              * Free the private key structure