diff --git a/src/include/tls-h b/src/include/tls-h
index 206f55db7980..3c002e4a5c24 100644
--- a/src/include/tls-h
+++ b/src/include/tls-h
@@ -351,6 +351,7 @@ struct fr_tls_server_conf_t {
 CONF_SECTION *cs;
 char const *private_key_password;
+ char const *private_key_password_file;
 char const *private_key_file;
 char const *certificate_file;
 char const *random_file;
diff --git a/src/main/tls.c b/src/main/tls.c
index 354dc05d9a15..b6dcace3cd88 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -1634,6 +1634,7 @@ static CONF_PARSER tls_server_config[] = {
 { "CA_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED, fr_tls_server_conf_t, ca_file), NULL },
 { "ca_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, fr_tls_server_conf_t, ca_file), NULL },
 { "private_key_password", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, fr_tls_server_conf_t, private_key_password), NULL },
+ { "private_key_password_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, fr_tls_server_conf_t, private_key_password_file), NULL },
 #ifdef PSK_MAX_IDENTITY_LEN
 { "psk_identity", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, psk_identity), NULL },
 { "psk_hexphrase", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, fr_tls_server_conf_t, psk_password), NULL },
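Review bot: The new `private_key_password_file` entry is declared directly after `private_key_password` with nothing stating which one wins when both are configured; in the tls_init_ctx hunk that follows, the file-reading block runs after the inline-password block and calls SSL_CTX_set_default_passwd_cb_userdata a second time, so the file silently overrides the inline value. A comment on this table entry, `/* when set, overrides private_key_password (applied later in tls_init_ctx) */`, or a parse-time error when both are present, would make that explicit; the `tls_server_config[]` array itself starts and ends outside this hunk. The consuming block in tls_init_ctx also hands the stack array `password` (scoped to the inner `if (passwordfile)`) to SSL_CTX_set_default_passwd_cb_userdata, whereas the existing path passes `conf->private_key_password`, which outlives the call; if cbtls_password is invoked later when the private key is loaded, as it presumably is, that pointer is already dangling, so the file contents should be stored in `conf` rather than a local. The plaintext copy in `password` is likewise never cleared after use, which a non-elidable memset would address.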
@@ -3851,6 +3852,29 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_
 SSL_CTX_set_default_passwd_cb(ctx, cbtls_password);
 }
 }
+ if (conf->private_key_password_file) {
+ FILE* passwordfile = fopen(conf->private_key_password_file, "r");
+ if (passwordfile) {
+ char password[256];
+ if(fgets(password, sizeof(password), passwordfile)) {
+ /*
+ * Remove CR/LF characters at the end of the string
+ */
+ size_t index = strlen(password);
+ while (index > 0 && (password[index - 1] == '\r' || password[index - 1] == '\n')) {
+ index = index - 1;
+ password[index] = '\0';
+ }
+ SSL_CTX_set_default_passwd_cb_userdata(ctx, password);
+ SSL_CTX_set_default_passwd_cb(ctx, cbtls_password);
+ } else {
+ ERROR(LOG_PREFIX ": Error reading private_key_password_file %s", conf->private_key_password_file);
+ }
+ fclose(passwordfile);
+ } else {
+ ERROR(LOG_PREFIX ": Error opening private_key_password_file %s", conf->private_key_password_file);
+ }
+ }
 #ifdef PSK_MAX_IDENTITY_LEN
 /*