Commit 2fbafcd7 authored by venaas's avatar venaas Committed by venaas

added password for encr keys

git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@56 e88ac4ed-0b26-0410-9574-a7f39faa03bf
parent 1a36791c
......@@ -82,6 +82,14 @@ void ssl_locking_callback(int mode, int type, const char *file, int line) {
pthread_mutex_unlock(&ssl_locks[type]);
}
static int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata) {
int pwdlen = strlen(userdata);
if (rwflag != 0 || pwdlen > size) /* not for decryption or too large */
return 0;
memcpy(buf, userdata, pwdlen);
return pwdlen;
}
static int verify_cb(int ok, X509_STORE_CTX *ctx) {
char buf[256];
X509 *err_cert;
......@@ -156,6 +164,10 @@ SSL_CTX *ssl_init() {
}
ctx = SSL_CTX_new(TLSv1_method());
if (options.tlscertificatekeypassword) {
SSL_CTX_set_default_passwd_cb_userdata(ctx, options.tlscertificatekeypassword);
SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
}
if (SSL_CTX_use_certificate_chain_file(ctx, options.tlscertificatefile) &&
SSL_CTX_use_PrivateKey_file(ctx, options.tlscertificatekeyfile, SSL_FILETYPE_PEM) &&
SSL_CTX_check_private_key(ctx) &&
......@@ -1805,6 +1817,10 @@ void getmainconfig(const char *configfile) {
options.tlscertificatekeyfile = stringcopy(val, 0);
continue;
}
if (!strcasecmp(opt, "TLSCertificateKeyPassword")) {
options.tlscertificatekeypassword = stringcopy(val, 0);
continue;
}
if (!strcasecmp(opt, "UDPServerPort")) {
options.udpserverport = stringcopy(val, 0);
continue;
......
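Review bot: pem_passwd_cb returns 0 without any diagnostic when the configured passphrase does not fit in `size`, so an operator only sees OpenSSL's generic bad-password failure when the key file is loaded; a short error log before `return 0;` saying the passphrase is too long for the callback buffer would make that case diagnosable (the project's logging helper is not visible in this hunk). `int pwdlen = strlen(userdata);` also narrows size_t to int; declaring `size_t pwdlen` and comparing against `(size_t)size` avoids the implicit conversion. In the ssl_init hunk the passphrase is installed as callback userdata and, as far as the visible lines show, stays referenced by the SSL_CTX and by `options.tlscertificatekeypassword` for the process lifetime, although it is presumably only needed while `SSL_CTX_use_PrivateKey_file` reads the key; after `SSL_CTX_check_private_key` succeeds the callback and userdata could be reset to NULL and the string zeroed before being freed, so the cleartext passphrase is not retained in memory or core dumps longer than necessary. ssl_init's body continues outside the hunk.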
......@@ -9,6 +9,8 @@ TLSCACertificatePath /etc/cacerts
# You must specify the below for TLS, we will always present our certificate
TLSCertificateFile /etc/hostcertkey/host.example.com.pem
TLSCertificateKeyFile /etc/hostcertkey/host.example.com.key.pem
# Optionally specify password if key is encrypted (not very secure)
TLSCertificateKeyPassword follow the white rabbit
# You can optionally specify a non-standard UDP port to listen
#UDPServerPort 1814
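Review bot: The comment on `TLSCertificateKeyPassword` says only "(not very secure)" without telling the reader what the risk is or what to do about it; since the value is stored in clear text in this file, the comment should say so and ask for restricted permissions, e.g. `# Optionally specify password if key is encrypted. It is stored in clear text, so make this file readable only by the user running radsecproxy.` The sample value also contains spaces, and whether the parser keeps everything after the option name as the value is not visible here, so a space-free example would avoid a parsing surprise for readers copying the line.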
......@@ -52,9 +52,10 @@ struct options {
char *tlscacertificatepath;
char *tlscertificatefile;
char *tlscertificatekeyfile;
char *tlscertificatekeypassword;
char *udpserverport;
};
/* requests that our client will send */
struct request {
unsigned char *buf;
......
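Review bot: The new `tlscertificatekeypassword` field in struct options is undocumented, and nothing in the header says it holds a cleartext secret or who owns the string; a comment such as `char *tlscertificatekeypassword; /* cleartext passphrase for tlscertificatekeyfile, NULL if none; allocated by stringcopy() in getmainconfig */` would make both visible to the next maintainer. The allocation via stringcopy is shown in the getmainconfig hunk of this commit; whether it is ever freed is not visible here.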