diff options
-rw-r--r-- | radsecproxy.c | 16 | ||||
-rw-r--r-- | radsecproxy.conf-example | 2 | ||||
-rw-r--r-- | radsecproxy.h | 3 |
3 files changed, 20 insertions, 1 deletions
diff --git a/radsecproxy.c b/radsecproxy.c index 0efb1a8..cbabf03 100644 --- a/radsecproxy.c +++ b/radsecproxy.c @@ -82,6 +82,14 @@ void ssl_locking_callback(int mode, int type, const char *file, int line) { pthread_mutex_unlock(&ssl_locks[type]); } +static int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata) { + int pwdlen = strlen(userdata); + if (rwflag != 0 || pwdlen > size) /* not for decryption or too large */ + return 0; + memcpy(buf, userdata, pwdlen); + return pwdlen; +} + static int verify_cb(int ok, X509_STORE_CTX *ctx) { char buf[256]; X509 *err_cert; @@ -156,6 +164,10 @@ SSL_CTX *ssl_init() { } ctx = SSL_CTX_new(TLSv1_method()); + if (options.tlscertificatekeypassword) { + SSL_CTX_set_default_passwd_cb_userdata(ctx, options.tlscertificatekeypassword); + SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb); + } if (SSL_CTX_use_certificate_chain_file(ctx, options.tlscertificatefile) && SSL_CTX_use_PrivateKey_file(ctx, options.tlscertificatekeyfile, SSL_FILETYPE_PEM) && SSL_CTX_check_private_key(ctx) && @@ -1805,6 +1817,10 @@ void getmainconfig(const char *configfile) { options.tlscertificatekeyfile = stringcopy(val, 0); continue; } + if (!strcasecmp(opt, "TLSCertificateKeyPassword")) { + options.tlscertificatekeypassword = stringcopy(val, 0); + continue; + } if (!strcasecmp(opt, "UDPServerPort")) { options.udpserverport = stringcopy(val, 0); continue; diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example index bde62e3..94321c0 100644 --- a/radsecproxy.conf-example +++ b/radsecproxy.conf-example @@ -9,6 +9,8 @@ TLSCACertificatePath /etc/cacerts # You must specify the below for TLS, we will always present our certificate TLSCertificateFile /etc/hostcertkey/host.example.com.pem TLSCertificateKeyFile /etc/hostcertkey/host.example.com.key.pem +# Optionally specify password if key is encrypted (not very secure) +TLSCertificateKeyPassword follow the white rabbit # You can optionally specify a non-standard UDP port to listen #UDPServerPort 1814 diff --git a/radsecproxy.h b/radsecproxy.h index ac5ec56..9a71de3 100644 --- a/radsecproxy.h +++ b/radsecproxy.h @@ -52,9 +52,10 @@ struct options { char *tlscacertificatepath; char *tlscertificatefile; char *tlscertificatekeyfile; + char *tlscertificatekeypassword; char *udpserverport; }; - + /* requests that our client will send */ struct request { unsigned char *buf; |