From patchwork Tue Mar 19 16:15:08 2024
X-Patchwork-Submitter: Kuba Sanak
X-Patchwork-Id: 1913711
X-Patchwork-Delegate: sbabic@denx.de
Date: Tue, 19 Mar 2024 16:15:08 +0000
To: swupdate@googlegroups.com
From: Kuba Sanak
Subject: [swupdate] [PATCH] Add the ability to specify SSL key password in Suricatta config

This enables encrypted SSL keys to be used e.g. when mTLS is used to authenticate with Hawkbit behind reverse-proxy

Signed-off-by: Kuba Sanak
--- corelib/channel_curl.c | 3 +++ corelib/server_utils.c | 3 +++ include/channel_curl.h | 1 + suricatta/server_lua.c | 3 +++ 4 files changed, 10 insertions(+) -- 2.43.0 diff --git a/corelib/channel_curl.c b/corelib/channel_curl.c index 35f7f37..69afc7e 100644 --- a/corelib/channel_curl.c +++ b/corelib/channel_curl.c @@ -599,6 +599,9 @@ channel_op_res_t channel_set_options(channel_t *this, channel_data_t *channel_da (curl_easy_setopt(channel_curl->handle, CURLOPT_SSLKEY, channel_data->sslkey) != CURLE_OK) || + (curl_easy_setopt(channel_curl->handle, + CURLOPT_KEYPASSWD, + channel_data->sslkeypassword) != CURLE_OK) || (curl_easy_setopt(channel_curl->handle, CURLOPT_SSLCERT, channel_data->sslcert) != CURLE_OK) || diff --git a/corelib/server_utils.c b/corelib/server_utils.c index f74b90c..948f2bb 100644 --- a/corelib/server_utils.c +++ b/corelib/server_utils.c 
@@ -37,6 +37,9 @@ int channel_settings(void *elem, void *data) GET_FIELD_STRING_RESET(LIBCFG_PARSER, elem, "sslkey", tmp); if (strlen(tmp)) SETSTRING(chan->sslkey, tmp); + GET_FIELD_STRING_RESET(LIBCFG_PARSER, elem, "sslkeypassword", tmp); + if (strlen(tmp)) + SETSTRING(chan->sslkeypassword, tmp); GET_FIELD_STRING_RESET(LIBCFG_PARSER, elem, "ciphers", tmp); if (strlen(tmp)) SETSTRING(chan->ciphers, tmp); diff --git a/include/channel_curl.h b/include/channel_curl.h index b346a6c..d787787 100644 --- a/include/channel_curl.h +++ b/include/channel_curl.h @@ -55,6 +55,7 @@ typedef struct { bool dry_run; char *cafile; char *sslkey; + char *sslkeypassword; char *sslcert; char *ciphers; char *proxy; diff --git a/suricatta/server_lua.c b/suricatta/server_lua.c index f5b90f6..dc08a12 100644 --- a/suricatta/server_lua.c +++ b/suricatta/server_lua.c @@ -525,6 +525,7 @@ static void channel_push_options(lua_State *L, channel_data_t *channel_data) push_to_table(L, "dry_run", channel_data->dry_run); push_to_table(L, "cafile", channel_data->cafile); push_to_table(L, "sslkey", channel_data->sslkey); + push_to_table(L, "sslkeypassword", channel_data->sslkeypassword); push_to_table(L, "sslcert", channel_data->sslcert); push_to_table(L, "ciphers", channel_data->ciphers); if (channel_data->proxy && channel_data->proxy == USE_PROXY_ENV) { @@ -571,6 +572,7 @@ static void channel_set_options(lua_State *L, channel_data_t *channel_data) get_from_table(L, "dry_run", channel_data->dry_run); get_from_table(L, "cafile", channel_data->cafile, COPY_DEST); get_from_table(L, "sslkey", channel_data->sslkey, COPY_DEST); + get_from_table(L, "sslkeypassword", channel_data->sslkeypassword, COPY_DEST); get_from_table(L, "sslcert", channel_data->sslcert, COPY_DEST); get_from_table(L, "ciphers", channel_data->ciphers, COPY_DEST); get_from_table(L, "info", channel_data->info, COPY_DEST); 
@@ -623,6 +625,7 @@ static void channel_free_options(channel_data_t *channel_data) free(channel_data->iface); free(channel_data->cafile); free(channel_data->sslkey); + free(channel_data->sslkeypassword); free(channel_data->sslcert); free(channel_data->ciphers); if (channel_data->proxy && channel_data->proxy != USE_PROXY_ENV) {
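Review bot: The new "sslkeypassword" key read in channel_settings() in corelib/server_utils.c is not documented anywhere in this patch: the diffstat lists only four source files, with no change to documentation or to an example configuration. Please describe the key next to the existing "sslkey" setting, and state there that the passphrase is kept in clear text in the configuration file, so that file needs permissions at least as restrictive as the key file it unlocks.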
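Review bot: In channel_push_options() in suricatta/server_lua.c, `push_to_table(L, "sslkeypassword", channel_data->sslkeypassword);` hands the passphrase back to any Lua code that reads the channel options table. If Lua only needs to set the value, keep the get_from_table() line in channel_set_options() and drop the push; otherwise say in the commit message why read-back of the secret is needed.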
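Review bot: In channel_free_options(), `free(channel_data->sslkeypassword);` releases the buffer without clearing it, so the passphrase stays readable in freed heap memory. Unlike the neighbouring path strings this field is a secret; consider overwriting it before the free(), for example with explicit_bzero() where the C library provides it.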