From 116150c2fcab8676ff46d1c074ad82b5565048d6 Mon Sep 17 00:00:00 2001
From: Simmo Saan
Date: Wed, 9 Oct 2019 20:47:42 +0300
Subject: irc: add server option ssl_password for SSL certificate private key password (closes #115)

---
 src/plugins/irc/irc-command.c | 8 ++++++++
 src/plugins/irc/irc-config.c | 19 +++++++++++++++++++
 src/plugins/irc/irc-server.c | 30 +++++++++++++++++++++++++-----
 src/plugins/irc/irc-server.h | 1 +
 4 files changed, 53 insertions(+), 5 deletions(-)

(limited to 'src/plugins/irc')

diff --git a/src/plugins/irc/irc-command.c b/src/plugins/irc/irc-command.c
index 31a78be44..ae950cf31 100644
--- a/src/plugins/irc/irc-command.c
+++ b/src/plugins/irc/irc-command.c
@@ -4756,6 +4756,14 @@ irc_command_display_server (struct t_irc_server *server, int with_detail)
 weechat_printf (NULL, " ssl_cert . . . . . . : %s'%s'",
 IRC_COLOR_CHAT_VALUE,
 weechat_config_string (server->options[IRC_SERVER_OPTION_SSL_CERT]));
+ /* ssl_password */
+ if (weechat_config_option_is_null (server->options[IRC_SERVER_OPTION_SSL_PASSWORD]))
+ weechat_printf (NULL, " ssl_password . . . . : %s",
+ _("(hidden)"));
+ else
+ weechat_printf (NULL, " ssl_password . . . . : %s%s",
+ IRC_COLOR_CHAT_VALUE,
+ _("(hidden)"));
 /* ssl_priorities */
 if (weechat_config_option_is_null (server->options[IRC_SERVER_OPTION_SSL_PRIORITIES]))
 weechat_printf (NULL, " ssl_priorities . . . : ('%s')",
diff --git a/src/plugins/irc/irc-config.c b/src/plugins/irc/irc-config.c
index b95354ca1..6943f0a5e 100644
--- a/src/plugins/irc/irc-config.c
+++ b/src/plugins/irc/irc-config.c
@@ -1700,6 +1700,25 @@ irc_config_server_new_option (struct t_config_file *config_file,
 callback_change_data,
 NULL, NULL, NULL);
 break;
+ case IRC_SERVER_OPTION_SSL_PASSWORD:
+ new_option = weechat_config_new_option (
+ config_file, section,
+ option_name, "string",
+ N_("password for SSL certificate's private key "
+ "(note: content is evaluated, see /help eval; server "
+ "options are evaluated with ${irc_server.xxx} and "
+ "${server} is replaced by the server name)"),
+ NULL, 0, 0,
+ default_value, value,
+ null_value_allowed,
+ callback_check_value,
+ callback_check_value_pointer,
+ callback_check_value_data,
+ callback_change,
+ callback_change_pointer,
+ callback_change_data,
+ NULL, NULL, NULL);
+ break;
 case IRC_SERVER_OPTION_SSL_PRIORITIES:
 new_option = weechat_config_new_option (
 config_file, section,
diff --git a/src/plugins/irc/irc-server.c b/src/plugins/irc/irc-server.c
index 8bb5dc90a..828924fab 100644
--- a/src/plugins/irc/irc-server.c
+++ b/src/plugins/irc/irc-server.c
@@ -83,6 +83,7 @@ char *irc_server_options[IRC_SERVER_NUM_OPTIONS][2] =
 { "ipv6", "on" },
 { "ssl", "off" },
 { "ssl_cert", "" },
+ { "ssl_password", "" },
 { "ssl_priorities", "NORMAL:-VERS-SSL3.0" },
 { "ssl_dhkey_size", "2048" },
 { "ssl_fingerprint", "" },
@@ -4431,7 +4432,7 @@ irc_server_gnutls_callback (const void *pointer, void *data,
 unsigned int i, cert_list_len, status;
 time_t cert_time;
 char *cert_path0, *cert_path1, *cert_path2, *cert_str, *fingerprint_eval;
- char *weechat_dir;
+ char *weechat_dir, *ssl_password;
 const char *ptr_fingerprint;
 int rc, ret, fingerprint_match, hostname_match, cert_temp_init;
 #if LIBGNUTLS_VERSION_NUMBER >= 0x010706 /* 1.7.6 */
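Review bot: The help string in the new `IRC_SERVER_OPTION_SSL_PASSWORD` case tells the user the value is evaluated, but not that this is what lets the key passphrase stay out of irc.conf in clear text. Since the option goes through the same evaluation as the other server password options, the description could end with a sentence such as `"it is recommended to store the password with /secure and reference it as ${sec.data.xxx}"`, so that users are steered towards secured data rather than a literal passphrase in the config file. irc_config_server_new_option starts and ends outside this hunk.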
@@ -4701,18 +4702,26 @@ irc_server_gnutls_callback (const void *pointer, void *data,
 gnutls_x509_crt_import (server->tls_cert, &filedatum,
 GNUTLS_X509_FMT_PEM);
 
+ /* key password */
+ ssl_password = irc_server_eval_expression (
+ server,
+ IRC_SERVER_OPTION_STRING(server,
+ IRC_SERVER_OPTION_SSL_PASSWORD));
+
 /* key */
 gnutls_x509_privkey_init (&server->tls_cert_key);
- ret = gnutls_x509_privkey_import (server->tls_cert_key,
- &filedatum,
- GNUTLS_X509_FMT_PEM);
+ ret = gnutls_x509_privkey_import2 (server->tls_cert_key,
+ &filedatum,
+ GNUTLS_X509_FMT_PEM,
+ ssl_password,
+ 0);
 if (ret < 0)
 {
 ret = gnutls_x509_privkey_import_pkcs8 (
 server->tls_cert_key,
 &filedatum,
 GNUTLS_X509_FMT_PEM,
- NULL,
+ ssl_password,
 GNUTLS_PKCS_PLAIN);
 }
 if (ret < 0)
@@ -4764,6 +4773,9 @@ irc_server_gnutls_callback (const void *pointer, void *data,
 memcpy (answer, &tls_struct, sizeof (tls_struct));
 free (cert_str);
 }
+
+ if (ssl_password)
+ free (ssl_password);
 }
 else
 {
@@ -5822,6 +5834,9 @@ irc_server_add_to_infolist (struct t_infolist *infolist,
 if (!weechat_infolist_new_var_string (ptr_item, "ssl_cert",
 IRC_SERVER_OPTION_STRING(server, IRC_SERVER_OPTION_SSL_CERT)))
 return 0;
+ if (!weechat_infolist_new_var_string (ptr_item, "ssl_password",
+ IRC_SERVER_OPTION_STRING(server, IRC_SERVER_OPTION_SSL_PASSWORD)))
+ return 0;
 if (!weechat_infolist_new_var_string (ptr_item, "ssl_priorities",
 IRC_SERVER_OPTION_STRING(server, IRC_SERVER_OPTION_SSL_PRIORITIES)))
 return 0;
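Review bot: `ssl_password` holds the evaluated key passphrase in a heap buffer, and the cleanup added in the @@ -4764 hunk on the same file releases it with a bare `free (ssl_password);`, so the secret remains readable in freed memory; wipe it first, e.g. `gnutls_memset (ssl_password, 0, strlen (ssl_password));` (or `explicit_bzero`) immediately before the `free`. The same value is also handed to the `gnutls_x509_privkey_import_pkcs8` fallback together with `GNUTLS_PKCS_PLAIN`; as far as I read the GnuTLS documentation that flag declares the key unencrypted and the password argument is then not consulted, so replacing `NULL` by `ssl_password` on that line is either a no-op or wants the flag revisited. irc_server_gnutls_callback begins and ends outside this hunk, and I cannot see whether any early exit between the assignment and the free would skip the cleanup.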
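Review bot: The new `weechat_infolist_new_var_string (ptr_item, "ssl_password", ...)` entry in the @@ -5822 hunk exports the raw option value through the `irc_server` infolist, which as far as I know is readable by every plugin and script; for a user who wrote the passphrase literally into the option, that is the clear-text secret. It mirrors the neighbouring ssl_cert entry, so it is consistent if the other password options are exported the same way, but the decision deserves a comment on the line, `/* raw option string, not evaluated: a ${sec.data.xxx} reference stays opaque here */`, or the entry could be omitted as irc_server_print_log hides the value. irc_server_add_to_infolist continues outside this hunk.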
@@ -6072,6 +6087,11 @@ irc_server_print_log ()
 else
 weechat_log_printf (" ssl_cert . . . . . . : '%s'",
 weechat_config_string (ptr_server->options[IRC_SERVER_OPTION_SSL_CERT]));
+ /* ssl_password */
+ if (weechat_config_option_is_null (ptr_server->options[IRC_SERVER_OPTION_SSL_PASSWORD]))
+ weechat_log_printf (" ssl_password . . . . : null");
+ else
+ weechat_log_printf (" ssl_password . . . . : (hidden)");
 /* ssl_priorities */
 if (weechat_config_option_is_null (ptr_server->options[IRC_SERVER_OPTION_SSL_PRIORITIES]))
 weechat_log_printf (" ssl_priorities . . . : null ('%s')",
diff --git a/src/plugins/irc/irc-server.h b/src/plugins/irc/irc-server.h
index 680f406ed..6aaf05e4d 100644
--- a/src/plugins/irc/irc-server.h
+++ b/src/plugins/irc/irc-server.h
@@ -56,6 +56,7 @@ enum t_irc_server_option
 IRC_SERVER_OPTION_IPV6, /* use IPv6 protocol */
 IRC_SERVER_OPTION_SSL, /* SSL protocol */
 IRC_SERVER_OPTION_SSL_CERT, /* client ssl certificate file */
+ IRC_SERVER_OPTION_SSL_PASSWORD, /* client ssl certificate key password */
 IRC_SERVER_OPTION_SSL_PRIORITIES, /* gnutls priorities */
 IRC_SERVER_OPTION_SSL_DHKEY_SIZE, /* Diffie Hellman key size */
 IRC_SERVER_OPTION_SSL_FINGERPRINT, /* SHA1 fingerprint of certificate */
-- 
cgit v1.2.3