1.\" $OpenBSD: SSL_CTX_set_default_passwd_cb.3,v 1.9 2023/09/19 09:40:35 schwarze Exp $ 2.\" full merge up to: OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400 3.\" selective merge up to: OpenSSL 18bad535 Apr 9 15:13:55 2019 +0100 4.\" 5.\" This file is a derived work. 6.\" The changes are covered by the following Copyright and license: 7.\" 8.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org> 9.\" 10.\" Permission to use, copy, modify, and distribute this software for any 11.\" purpose with or without fee is hereby granted, provided that the above 12.\" copyright notice and this permission notice appear in all copies. 13.\" 14.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 15.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 16.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 17.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 18.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 19.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 20.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 21.\" 22.\" The original file was written by Lutz Jaenicke <jaenicke@openssl.org> 23.\" and Christian Heimes <cheimes@redhat.com>. 24.\" Copyright (c) 2000, 2001, 2016 The OpenSSL Project. All rights reserved. 25.\" 26.\" Redistribution and use in source and binary forms, with or without 27.\" modification, are permitted provided that the following conditions 28.\" are met: 29.\" 30.\" 1. Redistributions of source code must retain the above copyright 31.\" notice, this list of conditions and the following disclaimer. 32.\" 33.\" 2. Redistributions in binary form must reproduce the above copyright 34.\" notice, this list of conditions and the following disclaimer in 35.\" the documentation and/or other materials provided with the 36.\" distribution. 37.\" 38.\" 3. All advertising materials mentioning features or use of this 39.\" software must display the following acknowledgment: 40.\" "This product includes software developed by the OpenSSL Project 41.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 42.\" 43.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 44.\" endorse or promote products derived from this software without 45.\" prior written permission. For written permission, please contact 46.\" openssl-core@openssl.org. 47.\" 48.\" 5. Products derived from this software may not be called "OpenSSL" 49.\" nor may "OpenSSL" appear in their names without prior written 50.\" permission of the OpenSSL Project. 51.\" 52.\" 6. Redistributions of any form whatsoever must retain the following 53.\" acknowledgment: 54.\" "This product includes software developed by the OpenSSL Project 55.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" 56.\" 57.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 58.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 59.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 60.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 61.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 62.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 63.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 64.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 65.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 66.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 67.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 68.\" OF THE POSSIBILITY OF SUCH DAMAGE. 69.\" 70.Dd $Mdocdate: September 19 2023 $ 71.Dt SSL_CTX_SET_DEFAULT_PASSWD_CB 3 72.Os 73.Sh NAME 74.Nm SSL_CTX_set_default_passwd_cb , 75.Nm SSL_CTX_set_default_passwd_cb_userdata , 76.Nm SSL_CTX_get_default_passwd_cb , 77.Nm SSL_CTX_get_default_passwd_cb_userdata 78.Nd set or get passwd callback for encrypted PEM file handling 79.Sh SYNOPSIS 80.In openssl/ssl.h 81.Ft void 82.Fn SSL_CTX_set_default_passwd_cb "SSL_CTX *ctx" "pem_password_cb *cb" 83.Ft void 84.Fn SSL_CTX_set_default_passwd_cb_userdata "SSL_CTX *ctx" "void *userdata" 85.Ft pem_password_cb * 86.Fn SSL_CTX_get_default_passwd_cb "SSL_CTX *ctx" 87.Ft void * 88.Fn SSL_CTX_get_default_passwd_cb_userdata "SSL_CTX *ctx" 89.Sh DESCRIPTION 90.Fn SSL_CTX_set_default_passwd_cb 91sets the password callback for loading a certificate or private key 92from encrypted PEM format. 93In particular, the callback is used by 94.Xr SSL_CTX_use_certificate_file 3 , 95.Xr SSL_use_certificate_file 3 , 96.Xr SSL_CTX_use_certificate_chain_file 3 , 97.Xr SSL_use_certificate_chain_file 3 , 98.Xr SSL_CTX_use_certificate_chain_mem 3 , 99.Xr SSL_CTX_use_PrivateKey_file 3 , 100.Xr SSL_use_PrivateKey_file 3 , 101.Xr SSL_CTX_use_RSAPrivateKey_file 3 , 102and 103.Xr SSL_use_RSAPrivateKey_file 3 . 104.Pp 105The function pointer type of the 106.Fa cb 107argument is documented in the 108.Xr pem_password_cb 3 109manual page. 110If 111.Fn SSL_CTX_set_default_passwd_cb 112is not called on 113.Fa ctx 114or if it is called with a 115.Fa cb 116argument of 117.Dv NULL , 118.Xr PEM_def_callback 3 119is used instead. 120.Pp 121.Fn SSL_CTX_set_default_passwd_cb_userdata 122sets a pointer to the 123.Fa userdata 124which will be provided to the password callback on invocation. 125.Pp 126Since the 127.Fa cb 128passed to 129.Fn SSL_CTX_set_default_passwd_cb 130will only be used for reading and decryption and not for writing and 131encryption, the library will only call it with a 132.Fa verify 133argument of 0. 134.Pp 135If an application program only needs to read and decrypt 136one single private key, it can be practical to have the 137callback handle the password dialog interactively. 138This happens by default if neither 139.Fn SSL_CTX_set_default_passwd_cb 140nor 141.Fn SSL_CTX_set_default_passwd_cb_userdata 142is called. 143In that case, the library uses 144.Xr PEM_def_callback 3 145with a 146.Fa userdata 147argument of 148.Dv NULL . 149.Pp 150If several keys have to be handled, it can be practical 151to ask for the password once, for example using 152.Xr UI_UTIL_read_pw_string 3 , 153then keep it in memory and use it several times by passing a pointer to it to 154.Fn SSL_CTX_set_default_passwd_cb_userdata . 155.Xr PEM_def_callback 3 156is able to handle this case, too, so calling 157.Fn SSL_CTX_set_default_passwd_cb 158is not needed in this case either. 159.Pp 160Other items in PEM formatting (certificates) can also be encrypted; it is 161however atypical, as certificate information is considered public. 162.Sh RETURN VALUES 163.Fn SSL_CTX_get_default_passwd_cb 164returns a function pointer to the password callback currently set in 165.Fa ctx , 166or 167.Dv NULL 168if none is set. 169.Pp 170.Fn SSL_CTX_get_default_passwd_cb_userdata 171returns a pointer to the userdata currently set in 172.Fa ctx , 173or 174.Dv NULL 175if none is set. 176.Sh EXAMPLES 177The following example provides a subset of the functionality of 178.Xr PEM_def_callback 3 , 179except that 180.Xr PEM_def_callback 3 181does not NUL-terminate and copies up to 182.Fa size 183rather than 184.Fa size No \- 1 185bytes. 186It interprets 187.Fa userdata 188as a NUL-terminated string and copies it to the 189.Fa password 190buffer, truncating the copy if it does not fit. 191.Bd -literal 192int 193trivial_passwd_cb(char *password, int size, int verify, void *userdata) 194{ 195 strlcpy(password, userdata, size); 196 return strlen(password); 197} 198.Ed 199.Sh SEE ALSO 200.Xr pem_password_cb 3 , 201.Xr ssl 3 , 202.Xr SSL_CTX_use_certificate 3 203.Sh HISTORY 204.Fn SSL_CTX_set_default_passwd_cb 205first appeared in SSLeay 0.6.2 and has been available since 206.Ox 2.4 . 207.Pp 208.Fn SSL_CTX_set_default_passwd_cb_userdata 209first appeared in OpenSSL 0.9.4 and has been available since 210.Ox 2.6 . 211.Pp 212.Fn SSL_CTX_get_default_passwd_cb 213and 214.Fn SSL_CTX_get_default_passwd_cb_userdata 215first appeared in OpenSSL 1.1.0 and have been available since 216.Ox 6.3 . 217