gnutls.h 2.7 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
/*
 * OpenConnect (SSL + DTLS) VPN client
 *
 * Copyright © 2008-2012 Intel Corporation.
 *
 * Author: David Woodhouse <dwmw2@infradead.org>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * version 2.1, as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to:
 *
 *   Free Software Foundation, Inc.
 *   51 Franklin Street, Fifth Floor,
 *   Boston, MA 02110-1301 USA
 */

#ifndef __OPENCONNECT_GNUTLS_H__
#define __OPENCONNECT_GNUTLS_H__

#include <gnutls/gnutls.h>
#include <gnutls/pkcs12.h>
30 31 32
#include <gnutls/abstract.h>

#include "openconnect-internal.h"
33 34 35 36 37 38 39 40 41 42 43 44 45 46 47

#ifndef HAVE_GNUTLS_PKCS12_SIMPLE_PARSE
/* If we're using a version of GnuTLS from before this was 
   exported, pull in our local copy. */
int gnutls_pkcs12_simple_parse (gnutls_pkcs12_t p12, const char *password,
				gnutls_x509_privkey_t * key,
				gnutls_x509_crt_t ** chain,
				unsigned int * chain_len,
				gnutls_x509_crt_t ** extra_certs,
				unsigned int * extra_certs_len,
				gnutls_x509_crl_t * crl,
				unsigned int flags);

#endif /* !HAVE_GNUTLS_PKCS12_SIMPLE_PARSE */

48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66

#ifndef HAVE_GNUTLS_CERTIFICATE_SET_KEY
int gtls2_tpm_sign_cb(gnutls_session_t sess, void *_vpninfo,
		      gnutls_certificate_type_t cert_type,
		      const gnutls_datum_t *cert, const gnutls_datum_t *data,
		      gnutls_datum_t *sig);
int gtls2_tpm_sign_dummy_data(struct openconnect_info *vpninfo,
			      const gnutls_datum_t *data,
			      gnutls_datum_t *sig);
#endif /* !HAVE_GNUTLS_CERTIFICATE_SET_KEY */

/* In GnuTLS 2.12 this can't be a real private key; we have to use the sign_callback
   instead. But we want to set the 'pkey' variable to *something* non-NULL in order
   to indicate that we aren't just using an x509 key. */
#define OPENCONNECT_TPM_PKEY ((void *)1UL)

static inline int sign_dummy_data(struct openconnect_info *vpninfo,
				  gnutls_privkey_t pkey,
				  const gnutls_datum_t *data,
67
				  gnutls_datum_t *sig)
68
{
69
#if defined(HAVE_TROUSERS) && !defined(HAVE_GNUTLS_CERTIFICATE_SET_KEY)
70
	if (pkey == OPENCONNECT_TPM_PKEY)
71 72 73 74 75 76 77 78
		return gtls2_tpm_sign_dummy_data(vpninfo, data, sig);
#endif
	return gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA1, 0, data, sig);
}

int load_tpm_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
		 gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig);

79
#endif /* __OPENCONNECT_GNUTLS_H__ */