From: David Woodhouse
Date: Mon, 2 Jul 2012 23:41:38 +0000 (+0100)
Subject: Fix GnuTLS password handling for PKCS#8 files
X-Git-Tag: v4.04~4
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=9b4add92247d5c7e3975162d4158a19d85df83fd;p=users%2Fdwmw2%2Fopenconnect.git
Fix GnuTLS password handling for PKCS#8 files
When we have no preconfigured password for a PKCS#8 file, we were getting the wrong error and were aborting instead of asking for a password.
Signed-off-by: David Woodhouse
---
diff --git a/gnutls.c b/gnutls.c
index 92cca08b..1d21dcde 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -1164,14 +1164,25 @@ static int load_certificate(struct openconnect_info *vpninfo)
 goto out;
 }
 }
- } else if (strstr((char *)fdata.data, "-----BEGIN ENCRYPTED PRIVATE KEY-----") ||
- strstr((char *)fdata.data, "-----BEGIN PRIVATE KEY-----")) {
- /* PKCS#8 */
+ } else if (strstr((char *)fdata.data, "-----BEGIN PRIVATE KEY-----")) {
+ /* Unencrypted PKCS#8 */
+ err = gnutls_x509_privkey_import_pkcs8(key, &fdata,
+ GNUTLS_X509_FMT_PEM,
+ NULL, GNUTLS_PKCS_PLAIN);
+ if (err) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Failed to load private key as PKCS#8: %s\n"),
+ gnutls_strerror(err));
+ ret = -EINVAL;
+ goto out;
+ }
+ } else if (strstr((char *)fdata.data, "-----BEGIN ENCRYPTED PRIVATE KEY-----")) {
+ /* Encrypted PKCS#8 */
 char *pass = vpninfo->cert_password;
 while ((err = gnutls_x509_privkey_import_pkcs8(key, &fdata,
 GNUTLS_X509_FMT_PEM,
- pass, pass?0:GNUTLS_PKCS_PLAIN))) {
+ pass?:"", 0))) {
 if (err != GNUTLS_E_DECRYPTION_FAILED) {
 vpn_progress(vpninfo, PRG_ERR,
 _("Failed to load private key as PKCS#8: %s\n"),
diff --git a/www/changelog.xml b/www/changelog.xml
index bb5d9f68..995e8830 100644
--- a/www/changelog.xml
+++ b/www/changelog.xml
@@ -17,7 +17,7 @@
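Review bot: The new import call `pass?:"", 0` in the encrypted PKCS#8 branch of gnutls.c uses the GNU `?:` shorthand, which is not standard C, and nothing explains why an empty string is tried when no password is configured. I would write it as `pass ? pass : "", 0))) {` and add a comment such as `/* No configured password: try "" so GnuTLS reports GNUTLS_E_DECRYPTION_FAILED and we go on to prompt */`, which is what the commit message implies is intended. The new unencrypted branch also ignores `vpninfo->cert_password` without saying so; a one-line comment there would make it clear this is deliberate. The `while` loop body and the rest of `load_certificate` lie outside the hunk, so how a prompted password is released cannot be checked from here.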