Commit 7f6d9584 authored by Inca Rose's avatar Inca Rose Committed by Pekka Pessi

Add support for password protected private key.

 - Add a new tport tag to carry the passphrase
 - Add openSSL password callback function

Minor style fixes by Pekka Pessi.
parent 325ac3af
......@@ -198,6 +198,12 @@ enum tport_tls_verify_policy {
TPTLS_VERIFY_SUBJECTS_ALL = 0xF,
};
TPORT_DLL extern tag_typedef_t tptag_tls_passphrase;
#define TPTAG_TLS_PASSPHRASE(x) tptag_tls_passphrase, tag_str_v(x)
TPORT_DLL extern tag_typedef_t tptag_tls_passphrase_ref;
#define TPTAG_TLS_PASSPHRASE_REF(x) tptag_tls_passphrase_ref, tag_str_vr(&(x))
TPORT_DLL extern tag_typedef_t tptag_tls_verify_policy;
#define TPTAG_TLS_VERIFY_POLICY(x) tptag_tls_verify_policy, tag_uint_v((x))
......
......@@ -288,6 +288,16 @@ tag_typedef_t tptag_tls_version = UINTTAG_TYPEDEF(tls_version);
*/
tag_typedef_t tptag_tls_verify_peer = UINTTAG_TYPEDEF(tls_verify_peer);
/**@def TPTAG_TLS_PASSPHRASE(x)
*
* Sets the passphrase password to be used by openSSL to encrypt/decrypt
* private key files.
*
* @NEW_1_12_11.
*/
tag_typedef_t tptag_tls_passphrase = STRTAG_TYPEDEF(tls_passphrase);
/**@def TPTAG_TLS_VERIFY_POLICY(x)
*
* The verification of certificates can be controlled:
......
......@@ -160,6 +160,27 @@ void tls_log_errors(unsigned level, char const *s, unsigned long e)
}
}
/*
* This callback hands back the password to be used during decryption.
*
* buf : the function will write the password into this buffer
* size : the size of "buf"
* rwflag : indicates whether the callback is being used for reading/
* decryption (0) or writing/encryption (1)
* userdata : pointer tls_issues_t where the passphrase is stored
*/
static int passwd_cb(char *buf, int size, int rwflag, void *userdata)
{
if (rwflag == 0) { // reading/decryption
tls_issues_t *tlsi = (tls_issues_t *)userdata;
strncpy(buf, tlsi->passphrase, size);
buf[size - 1] = '\0';
return strlen(tlsi->passphrase);
}
return 0;
}
static
tls_t *tls_create(int type)
......@@ -289,6 +310,12 @@ int tls_init_context(tls_t *tls, tls_issues_t const *ti)
return -1;
}
/* Set callback if we have a passphrase */
if (ti->passphrase != NULL) {
SSL_CTX_set_default_passwd_cb(tls->ctx, passwd_cb);
SSL_CTX_set_default_passwd_cb_userdata(tls->ctx, (void *)ti);
}
if (!SSL_CTX_use_certificate_file(tls->ctx,
ti->cert,
SSL_FILETYPE_PEM)) {
......
......@@ -56,6 +56,7 @@ typedef struct tls_issues_s {
int configured; /* If non-zero, complain about certificate errors */
char *cert; /* CERT file name. File format is PEM */
char *key; /* Private key file. PEM format */
char *passphrase; /* Passphrase for password protected private key */
char *randFile; /* Seed file for the PRNG (default: tls_seed.dat) */
char *CAfile; /* PEM file of CA's */
char *CApath; /* PEM file path of CA's */
......
......@@ -182,6 +182,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
char const *path = NULL;
unsigned tls_version = 1;
unsigned tls_verify = 0;
char const *passphrase = NULL;
unsigned tls_policy = TPTLS_VERIFY_NONE;
unsigned tls_depth = 0;
unsigned tls_date = 1;
......@@ -198,6 +199,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
TPTAG_CERTIFICATE_REF(path),
TPTAG_TLS_VERSION_REF(tls_version),
TPTAG_TLS_VERIFY_PEER_REF(tls_verify),
TPTAG_TLS_PASSPHRASE_REF(passphrase),
TPTAG_TLS_VERIFY_POLICY_REF(tls_policy),
TPTAG_TLS_VERIFY_DEPTH_REF(tls_depth),
TPTAG_TLS_VERIFY_DATE_REF(tls_date),
......@@ -218,6 +220,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
ti.configured = path != tbf;
ti.randFile = su_sprintf(autohome, "%s/%s", path, "tls_seed.dat");
ti.key = su_sprintf(autohome, "%s/%s", path, "agent.pem");
ti.passphrase = su_strdup(autohome, passphrase);
ti.cert = ti.key;
ti.CAfile = su_sprintf(autohome, "%s/%s", path, "cafile.pem");
ti.version = tls_version;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment