{"syslog", 0, 0, 'l'},
{"tpm-key", 0, 0, 't'},
{"tpm-password", 1, 0, 'p'},
+ {"key-password", 1, 0, 'p'},
{"user", 1, 0, 'u'},
{"verbose", 0, 0, 'v'},
{"version", 0, 0, 'V'},
printf(" -U, --setuid=USER Drop privileges after connecting\n");
printf(" -m, --mtu=MTU Request MTU from server\n");
printf(" -p, --tpm-password=PASS Set TPM SRK PIN\n");
+ printf(" -p, --key-password=PASS Set PEM key passphrase\n");
printf(" -q, --quiet Less output\n");
printf(" -Q, --queue-len=LEN Set packet queue limit to LEN pkts\n");
printf(" -s, --script=SCRIPT Use vpnc-compatible config script\n");
.I MTU
]
[
-.B -p,--tpm-password
+.B -p,--tpm-password,--key-password
.I PASS
]
[
.I MTU
from server
.TP
-.B -p,--tpm-password=PASS
-Provide SRK (System Root Key) PIN for TPM
+.B -p,--tpm-password=PASS,--key-password=PASS
+Provide SRK (System Root Key) PIN for TPM or PEM passphrase for certificate
.TP
.B -q,--quiet
Less output
return i ?: ret;
}
+static int pem_pw_cb(char *buf, int len, int w, void *v)
+{
+ struct openconnect_info *vpninfo = v;
+
+ /* Only try the provided password once... */
+ SSL_CTX_set_default_passwd_cb(vpninfo->https_ctx, NULL);
+ SSL_CTX_set_default_passwd_cb_userdata(vpninfo->https_ctx, NULL);
+
+ if (len <= strlen(vpninfo->tpmpass)) {
+ vpninfo->progress(vpninfo, PRG_ERR,
+ "PEM password too long (%zd >= %d)\n",
+ strlen(vpninfo->tpmpass), len);
+ return -1;
+ }
+ strcpy(buf, vpninfo->tpmpass);
+ return strlen(vpninfo->tpmpass);
+}
static int load_certificate(struct openconnect_info *vpninfo)
{
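Review bot: The length check in pem_pw_cb mixes types in a way that weakens the bound it is meant to enforce: `len` is an `int` and `strlen()` returns `size_t`, so `len <= strlen(vpninfo->tpmpass)` converts `len` to unsigned, and a non-positive `len` would no longer be rejected before the `strcpy` into `buf`; OpenSSL passes a positive buffer size here in practice, but the guard is cheap, `if (len <= 0 || (size_t)len <= strlen(vpninfo->tpmpass)) {`. In the same block, the progress message uses `%zd` for a `size_t` argument; the matching specifier is `%zu`, `"PEM password too long (%zu >= %d)\n",`. Since `strlen(vpninfo->tpmpass)` is evaluated three times, a single `size_t plen = strlen(vpninfo->tpmpass);` before the check would also make the bound and the return value read as the same quantity. The comment on the callback reset could state the consequence, e.g. `/* Clear ourselves so a wrong passphrase is not retried; the next prompt falls back to OpenSSL's default handling */`, which is what the two set_default_passwd_cb calls imply but do not say.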
return -EINVAL;
}
} else {
+ if (vpninfo->tpmpass) {
+ SSL_CTX_set_default_passwd_cb(vpninfo->https_ctx,
+ pem_pw_cb);
+ SSL_CTX_set_default_passwd_cb_userdata(vpninfo->https_ctx,
+ vpninfo);
+ }
again:
if (!SSL_CTX_use_RSAPrivateKey_file(vpninfo->https_ctx,
vpninfo->sslkey,