From 091285e0567dd4161bd0c4a8be860a8f469a99b4 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Thu, 28 May 2009 17:09:41 +0100
Subject: [PATCH] Allow PEM passphrase to be set on command line

Signed-off-by: David Woodhouse
---
 main.c | 2 ++
 openconnect.8 | 6 +++---
 ssl.c | 23 +++++++++++++++++++++++
 3 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/main.c b/main.c
index e662add..74d78ca 100644
--- a/main.c
+++ b/main.c
@@ -65,6 +65,7 @@ static struct option long_options[] = {
 {"syslog", 0, 0, 'l'},
 {"tpm-key", 0, 0, 't'},
 {"tpm-password", 1, 0, 'p'},
+ {"key-password", 1, 0, 'p'},
 {"user", 1, 0, 'u'},
 {"verbose", 0, 0, 'v'},
 {"version", 0, 0, 'V'},
@@ -103,6 +104,7 @@ void usage(void)
 printf(" -U, --setuid=USER Drop privileges after connecting\n");
 printf(" -m, --mtu=MTU Request MTU from server\n");
 printf(" -p, --tpm-password=PASS Set TPM SRK PIN\n");
+ printf(" -p, --key-password=PASS Set PEM key passphrase\n");
 printf(" -q, --quiet Less output\n");
 printf(" -Q, --queue-len=LEN Set packet queue limit to LEN pkts\n");
 printf(" -s, --script=SCRIPT Use vpnc-compatible config script\n");
diff --git a/openconnect.8 b/openconnect.8
index 37f6491..d18698a 100644
--- a/openconnect.8
+++ b/openconnect.8
@@ -50,7 +50,7 @@ openconnect \- Connect to Cisco AnyConnect VPN
 .I MTU
 ]
 [
-.B -p,--tpm-password
+.B -p,--tpm-password,--key-password
 .I PASS
 ]
 [
@@ -195,8 +195,8 @@ Request
 .I MTU
 from server
 .TP
-.B -p,--tpm-password=PASS
-Provide SRK (System Root Key) PIN for TPM
+.B -p,--tpm-password=PASS,--key-password=PASS
+Provide SRK (System Root Key) PIN for TPM or PEM passphrase for certificate
 .TP
 .B -q,--quiet
 Less output
diff --git a/ssl.c b/ssl.c
index 3f9c117..8bd75c0 100644
--- a/ssl.c
+++ b/ssl.c
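Review bot: The new `--key-password` entry in `long_options` reuses the `-p` short option of `--tpm-password`, so `usage()` now prints two different `-p` lines; one merged help line, `printf(" -p, --tpm-password=PASS, --key-password=PASS Set TPM SRK PIN or PEM key passphrase\n");`, would match how the man page hunk in this commit documents the shared option. A passphrase supplied as a command-line argument is also visible to other local users through the process table and is typically kept in shell history, so the help text or the man page entry should state that and note that omitting `-p` leaves the passphrase to be prompted for (the prompting path is not visible in this diff, so that last part is inferred). Both the `long_options` table and `usage()` start and end outside these hunks.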
@@ -95,6 +95,23 @@ int openconnect_SSL_gets(SSL *ssl, char *buf, size_t len)
 return i ?: ret;
 }
 
+static int pem_pw_cb(char *buf, int len, int w, void *v)
+{
+ struct openconnect_info *vpninfo = v;
+
+ /* Only try the provided password once... */
+ SSL_CTX_set_default_passwd_cb(vpninfo->https_ctx, NULL);
+ SSL_CTX_set_default_passwd_cb_userdata(vpninfo->https_ctx, NULL);
+
+ if (len <= strlen(vpninfo->tpmpass)) {
+ vpninfo->progress(vpninfo, PRG_ERR,
+ "PEM password too long (%zd >= %d)\n",
+ strlen(vpninfo->tpmpass), len);
+ return -1;
+ }
+ strcpy(buf, vpninfo->tpmpass);
+ return strlen(vpninfo->tpmpass);
+}
 
 static int load_certificate(struct openconnect_info *vpninfo)
 {
@@ -152,6 +169,12 @@ static int load_certificate(struct openconnect_info *vpninfo)
 return -EINVAL;
 }
 } else {
+ if (vpninfo->tpmpass) {
+ SSL_CTX_set_default_passwd_cb(vpninfo->https_ctx,
+ pem_pw_cb);
+ SSL_CTX_set_default_passwd_cb_userdata(vpninfo->https_ctx,
+ vpninfo);
+ }
 again:
 if (!SSL_CTX_use_RSAPrivateKey_file(vpninfo->https_ctx,
 vpninfo->sslkey,
--
2.7.4
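Review bot: `%zd` is the wrong conversion for the `size_t` value that `strlen()` returns in the PRG_ERR message inside `pem_pw_cb`; it should be `%zu`, and the three `strlen(vpninfo->tpmpass)` calls can be hoisted into one local so the check, the message and the return value all agree: `size_t plen = strlen(vpninfo->tpmpass);`, `if (len <= 0 || (size_t)len <= plen) {`, `"PEM password too long (%zu >= %d)\n", plen, len);`. As written, the `len <= strlen(...)` comparison promotes the `int` buffer size to `size_t`, which does keep the following `strcpy` within `buf` for any positive `len`, but the explicit `len <= 0` guard makes that reasoning visible rather than relying on the promotion. The unused `w` (rwflag) parameter and the self-deregistration before the first comparison deserve a short comment such as `/* rwflag unused: the key is only read; we remove ourselves so a wrong -p passphrase is tried once and OpenSSL's default handling takes over */`, where the fallback behaviour after removal is inferred rather than shown in this hunk.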
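Review bot: The passphrase callback is installed in the non-TPM `else` branch immediately before the `again:` label, and because `pem_pw_cb` clears both the callback and its userdata on its first invocation, any second pass through `again:` will no longer see the command-line passphrase; a comment at the install site would save the next reader a trip to the callback: `/* pem_pw_cb unregisters itself after one use, so a retry via 'again:' no longer gets the -p passphrase */`. It is also worth noting here that `vpninfo->tpmpass` now doubles as the TPM SRK PIN and the PEM passphrase, so a `--key-password` given together with a TPM key is presumably consumed as the PIN on the other branch (inferred from the shared `-p` option in main.c). `load_certificate` starts and ends outside this hunk, and what triggers the jump to `again:` is not visible here.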