From 455c90b1a6189e5330dbb0469fd037cef717a722 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Mon, 11 Jun 2012 14:57:01 +0100
Subject: [PATCH] Return error from OpenSSL load_certificate() for PKCS#11 URLs
Signed-off-by: David Woodhouse
---
 openssl.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/openssl.c b/openssl.c
index adbb9771..544cf4c7 100644
--- a/openssl.c
+++ b/openssl.c
@@ -593,6 +593,13 @@ static int reload_pem_cert(struct openconnect_info *vpninfo)
 static int load_certificate(struct openconnect_info *vpninfo)
 {
+ if (!strncmp(vpninfo->sslkey, "pkcs11:", 7) ||
+ !strncmp(vpninfo->cert, "pkcs11:", 7)) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("This binary built without PKCS#11 support\n"));
+ return -EINVAL;
+ }
+
 vpn_progress(vpninfo, PRG_TRACE,
 _("Using certificate file %s\n"), vpninfo->cert);
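Review bot: Both `strncmp()` calls in the new guard at the top of load_certificate() read `vpninfo->sslkey` and `vpninfo->cert` without a NULL check, and nothing visible in the hunk establishes that either is set on entry. The trace line that follows prints `vpninfo->cert` with `%s`, so cert is presumably expected to be non-NULL, but there is no such evidence for sslkey; if a caller can leave it unset, this is undefined behaviour before the error is reported. Consider `if ((vpninfo->sslkey && !strncmp(vpninfo->sslkey, "pkcs11:", 7)) ||` followed by `(vpninfo->cert && !strncmp(vpninfo->cert, "pkcs11:", 7))) {`. The prefix match is also case-sensitive, so a URL written with an upper-case scheme would presumably fall through and be handled as a file name instead of being rejected; a short comment stating that only the lower-case form is recognised would make that explicit. The function body continues outside the hunk.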