Commit 25d9be59 authored by David Woodhouse's avatar David Woodhouse

Cope with lack of gnutls_certificate_set_key() in GnuTLS 2.12

We *can* use arbitrary privkeys, by using the cert_callback to provide
them on demand.

And even without gnutls_privkey_import_ext() to give us a constructed
privkey that represents the TPM key, we can cope by registering a
sign_callback on the TLS session.

This means that we can support the TPM, and also fix the lack of extra
supporting certs and expiry check when using PKCS#11 certs with GnuTLS 2.12.

It also means my code is an even bigger mess of #ifdefs than it was before.
Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
parent 6e4ce246
......@@ -210,9 +210,7 @@ if test "$with_gnutls" = "yes"; then
AC_CHECK_FUNC(gnutls_pkcs12_simple_parse,
[AC_DEFINE(HAVE_GNUTLS_PKCS12_SIMPLE_PARSE, 1)], [])
AC_CHECK_FUNC(gnutls_certificate_set_key,
[have_set_key=yes
AC_DEFINE(HAVE_GNUTLS_CERTIFICATE_SET_KEY, 1)],
[have_set_key=no])
[AC_DEFINE(HAVE_GNUTLS_CERTIFICATE_SET_KEY, 1)], [])
if test "$with_openssl" = "" || test "$with_openssl" = "no"; then
AC_CHECK_FUNC(gnutls_session_set_premaster,
[have_gnutls_dtls=yes], [have_gnutls_dtls=no])
......@@ -245,11 +243,9 @@ if test "$with_gnutls" = "yes"; then
AC_CHECK_FUNC(gnutls_pkcs11_add_provider,
[PKG_CHECK_MODULES(P11KIT, p11-kit-1, [AC_DEFINE(HAVE_P11KIT)
AC_SUBST(P11KIT_PC, p11-kit-1)], [:])], [])
LIBS="$oldLIBS"
if test "$have_set_key" = "yes"; then
LIBS="$oldlibs -ltspi"
AC_MSG_CHECKING([for tss library])
AC_LINK_IFELSE([AC_LANG_PROGRAM([
LIBS="$oldlibs -ltspi"
AC_MSG_CHECKING([for tss library])
AC_LINK_IFELSE([AC_LANG_PROGRAM([
#include <trousers/tss.h>
#include <trousers/trousers.h>],[
int err = Tspi_Context_Create((void *)0);
......@@ -259,8 +255,7 @@ if test "$with_gnutls" = "yes"; then
AC_SUBST([TSS_CFLAGS], [])
AC_DEFINE(HAVE_TROUSERS, 1)],
[AC_MSG_RESULT(no)])
LIBS="$oldlibs"
fi
LIBS="$oldlibs"
elif test "$with_gnutls" != "" && test "$with_gnutls" != "no"; then
AC_MSG_ERROR([Values other than 'yes' or 'no' for --with-gnutls are not supported])
fi
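Review bot: The `LIBS` restore at the end of the TSS probe uses `$oldlibs` (lowercase, also on the line that appends `-ltspi`), while the context line just before the probe restores `$oldLIBS`; shell variables are case-sensitive, so unless both spellings are assigned somewhere outside the hunk, one of them expands to nothing and `LIBS` ends up as either bare `-ltspi` or empty for the rest of configure, which would silently drop libraries from every later link test. Whichever name holds the real saved copy, the three sites should agree, e.g. `LIBS="$oldLIBS -ltspi"` and `LIBS="$oldLIBS"`. Since the probe now runs for every GnuTLS build rather than only when `gnutls_certificate_set_key` exists, a wrong restore affects every configuration. The enclosing `if test "$with_gnutls" = "yes"` block starts before the first hunk.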
......@@ -34,6 +34,7 @@
#endif
#if defined (OPENCONNECT_GNUTLS)
#include <gnutls/gnutls.h>
#include <gnutls/abstract.h>
#include <gnutls/x509.h>
#ifdef HAVE_TROUSERS
#include <trousers/tss.h>
......@@ -179,7 +180,15 @@ struct openconnect_info {
TSS_HKEY tpm_key;
TSS_HPOLICY tpm_key_policy;
#endif
#ifndef HAVE_GNUTLS_CERTIFICATE_SET_KEY
#ifdef HAVE_P11KIT
gnutls_pkcs11_privkey_t my_p11key;
#endif
gnutls_privkey_t my_pkey;
gnutls_x509_crt_t *my_certs;
unsigned int nr_my_certs;
#endif
#endif /* OPENCONNECT_GNUTLS */
struct keepalive_info ssl_times;
int owe_ssl_dpd_response;
struct pkt *deflate_pkt;
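Review bot: The new `my_pkey`, `my_certs` and `nr_my_certs` fields carry a private-key handle and a heap array of certificates, but nothing in the hunk says who owns them or when they are released; the GnuTLS source that allocates them is collapsed on this page, so I cannot confirm a matching `gnutls_privkey_deinit()` / per-entry `gnutls_x509_crt_deinit()` on teardown. A comment above the `#ifndef HAVE_GNUTLS_CERTIFICATE_SET_KEY` group would pin the contract, e.g. `/* Fallback for GnuTLS without gnutls_certificate_set_key(): key and cert chain are handed to the session from the cert callback; my_certs is an array of nr_my_certs crts owned by this struct and must be deinit'ed with my_pkey when the connection is torn down. */`. It would also help to note whether `my_pkey` wraps `my_p11key` (the nesting under `HAVE_P11KIT` suggests so, but the hunk does not show it). `struct openconnect_info` starts before this hunk.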
......@@ -17,6 +17,7 @@
<ul>
<li><b>OpenConnect HEAD</b>
<ul>
<li>Support TPM, and also additional checks on PKCS#11 certs, even with GnuTLS 2.12</li>
<li>Fix library references to OpenSSL's <tt>ERR_print_errors_cb()</tt> when built against GnuTLS v2.12</li>
</ul><br/>
</li>