
Add the ability to specify SSL key password in Suricatta config

Message ID A389D425-2F4D-486F-9705-5DCA012231C3@kuba.fyi

Commit Message

Kuba Sanak March 19, 2024, 4:15 p.m. UTC
This enables encrypted SSL keys to be used, e.g. when mTLS is used to
authenticate with Hawkbit behind a reverse proxy.

Signed-off-by: Kuba Sanak <contact@kuba.fyi>
---
 corelib/channel_curl.c | 3 +++
 corelib/server_utils.c | 3 +++
 include/channel_curl.h | 1 +
 suricatta/server_lua.c | 3 +++
 4 files changed, 10 insertions(+)

--
2.43.0

Patch

diff --git a/corelib/channel_curl.c b/corelib/channel_curl.c
index 35f7f37..69afc7e 100644
--- a/corelib/channel_curl.c
+++ b/corelib/channel_curl.c
@@ -599,6 +599,9 @@  channel_op_res_t channel_set_options(channel_t *this, channel_data_t *channel_da
 	    (curl_easy_setopt(channel_curl->handle,
 			      CURLOPT_SSLKEY,
 			      channel_data->sslkey) != CURLE_OK) ||
+	    (curl_easy_setopt(channel_curl->handle,
+			      CURLOPT_KEYPASSWD,
+			      channel_data->sslkeypassword) != CURLE_OK) ||
 	    (curl_easy_setopt(channel_curl->handle,
 			      CURLOPT_SSLCERT,
 			      channel_data->sslcert) != CURLE_OK) ||
diff --git a/corelib/server_utils.c b/corelib/server_utils.c
index f74b90c..948f2bb 100644
--- a/corelib/server_utils.c
+++ b/corelib/server_utils.c
@@ -37,6 +37,9 @@  int channel_settings(void *elem, void *data)
 	GET_FIELD_STRING_RESET(LIBCFG_PARSER, elem, "sslkey", tmp);
 	if (strlen(tmp))
 		SETSTRING(chan->sslkey, tmp);
+	GET_FIELD_STRING_RESET(LIBCFG_PARSER, elem, "sslkeypassword", tmp);
+	if (strlen(tmp))
+		SETSTRING(chan->sslkeypassword, tmp);
 	GET_FIELD_STRING_RESET(LIBCFG_PARSER, elem, "ciphers", tmp);
 	if (strlen(tmp))
 		SETSTRING(chan->ciphers, tmp);
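Review bot: The new `sslkeypassword` key makes the configuration file carry a cleartext secret, and the series adds no documentation for it (the diffstat lists only the four source files). The key should be documented next to `sslkey` with a note that the value is stored unencrypted and that read access to the configuration file must be restricted accordingly. It would also help to state that the option has no effect unless `sslkey` is set. The enclosing channel_settings() body starts and ends outside the hunk.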
diff --git a/include/channel_curl.h b/include/channel_curl.h
index b346a6c..d787787 100644
--- a/include/channel_curl.h
+++ b/include/channel_curl.h
@@ -55,6 +55,7 @@  typedef struct {
 	bool dry_run;
 	char *cafile;
 	char *sslkey;
+	char *sslkeypassword;
 	char *sslcert;
 	char *ciphers;
 	char *proxy;
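Review bot: The new struct member carries a secret but nothing marks it as such, unlike its neighbours which are file paths; a reader freeing or logging channel_data_t has no hint that this field needs different treatment. A one-line comment on the field would make this explicit, e.g. `char *sslkeypassword;	/* passphrase for sslkey; sensitive, held in cleartext */`. The struct definition starts and ends outside the hunk.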
diff --git a/suricatta/server_lua.c b/suricatta/server_lua.c
index f5b90f6..dc08a12 100644
--- a/suricatta/server_lua.c
+++ b/suricatta/server_lua.c
@@ -525,6 +525,7 @@  static void channel_push_options(lua_State *L, channel_data_t *channel_data)
 	push_to_table(L, "dry_run",            channel_data->dry_run);
 	push_to_table(L, "cafile",             channel_data->cafile);
 	push_to_table(L, "sslkey",             channel_data->sslkey);
+	push_to_table(L, "sslkeypassword",     channel_data->sslkeypassword);
 	push_to_table(L, "sslcert",            channel_data->sslcert);
 	push_to_table(L, "ciphers",            channel_data->ciphers);
 	if (channel_data->proxy && channel_data->proxy == USE_PROXY_ENV) {
@@ -571,6 +572,7 @@  static void channel_set_options(lua_State *L, channel_data_t *channel_data)
 	get_from_table(L, "dry_run",            channel_data->dry_run);
 	get_from_table(L, "cafile",             channel_data->cafile, COPY_DEST);
 	get_from_table(L, "sslkey",             channel_data->sslkey, COPY_DEST);
+	get_from_table(L, "sslkeypassword",     channel_data->sslkeypassword, COPY_DEST);
 	get_from_table(L, "sslcert",            channel_data->sslcert, COPY_DEST);
 	get_from_table(L, "ciphers",            channel_data->ciphers, COPY_DEST);
 	get_from_table(L, "info",               channel_data->info, COPY_DEST);
@@ -623,6 +625,7 @@  static void channel_free_options(channel_data_t *channel_data)
 	free(channel_data->iface);
 	free(channel_data->cafile);
 	free(channel_data->sslkey);
+	free(channel_data->sslkeypassword);
 	free(channel_data->sslcert);
 	free(channel_data->ciphers);
 	if (channel_data->proxy && channel_data->proxy != USE_PROXY_ENV) {
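Review bot: The passphrase is released with a plain `free()` on the added line, so the cleartext secret stays in freed heap memory until it happens to be reused, which is a different risk profile from the file paths freed around it. Since the field may be NULL (the other call sites only set it when a value is configured), guard the wipe: `if (channel_data->sslkeypassword)` / `	explicit_bzero(channel_data->sslkeypassword, strlen(channel_data->sslkeypassword));` before the existing `free(channel_data->sslkeypassword);`. If the project does not assume a libc providing explicit_bzero, a volatile-pointer memset loop is the portable equivalent; a plain memset before free may be optimised away. The same consideration applies wherever else the project frees a channel_data_t, which is outside this patch.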