diff --git a/Makefile.am b/Makefile.am
index ee4bf303..522725eb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -31,7 +31,7 @@ library_srcs = ssl.c http.c http-auth.c auth-common.c library.c compat.c lzs.c m
 lib_srcs_cisco = auth.c cstp.c
 lib_srcs_juniper = oncp.c lzo.c auth-juniper.c
 lib_srcs_globalprotect = gpst.c auth-globalprotect.c
-lib_srcs_gnutls = gnutls.c gnutls_tpm.c gnutls_tpm2.c gnutls_tpm2_esys.c
+lib_srcs_gnutls = gnutls.c gnutls_tpm.c gnutls_tpm2.c
 lib_srcs_openssl = openssl.c openssl-pkcs11.c
 lib_srcs_win32 = tun-win32.c sspi.c
 lib_srcs_posix = tun.c
@@ -45,7 +45,7 @@ lib_srcs_dtls = dtls.c
 POTFILES = $(openconnect_SOURCES) $(lib_srcs_cisco) $(lib_srcs_juniper) $(lib_srcs_globalprotect) \
 gnutls-esp.c gnutls-dtls.c openssl-esp.c openssl-dtls.c \
- $(lib_srcs_esp) $(lib_srcs_dtls) \
+ $(lib_srcs_esp) $(lib_srcs_dtls) gnutls_tpm2_esys.c gnutls_tpm2_ibm.c \
 $(lib_srcs_openssl) $(lib_srcs_gnutls) $(library_srcs) \
 $(lib_srcs_win32) $(lib_srcs_posix) $(lib_srcs_gssapi) $(lib_srcs_iconv) \
 $(lib_srcs_oath) $(lib_srcs_yubikey) $(lib_srcs_stoken) openconnect-internal.h
@@ -65,6 +65,12 @@ library_srcs += $(lib_srcs_gnutls)
 lib_srcs_esp += gnutls-esp.c
 lib_srcs_dtls += gnutls-dtls.c
 endif
+if OPENCONNECT_TSS2_ESYS
+library_srcs += gnutls_tpm2_esys.c
+endif
+if OPENCONNECT_TSS2_IBM
+library_srcs += gnutls_tpm2_ibm.c
+endif
 if OPENCONNECT_OPENSSL
 library_srcs += $(lib_srcs_openssl)
 lib_srcs_esp += openssl-esp.c
diff --git a/configure.ac b/configure.ac
index 3aabd9ea..ff2a7d82 100644
--- a/configure.ac
+++ b/configure.ac
@@ -357,6 +357,7 @@ if test -n "$default_gnutls_priority"; then
 AC_DEFINE_UNQUOTED([DEFAULT_PRIO], ["$default_gnutls_priority"], [The GnuTLS priority string])
 fi
+tss2lib=
 case "$ssl_library" in
 OpenSSL)
 oldLIBS="${LIBS}"
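Review bot: The new OPENCONNECT_TSS2_ESYS and OPENCONNECT_TSS2_IBM blocks in the third Makefile.am hunk are placed after the `endif` that closes the GnuTLS section, so nothing in the Makefile itself says these two sources are GnuTLS-only; they appear to be excluded from OpenSSL builds only because configure.ac initialises `tss2lib=` before the `case "$ssl_library"` and seems to set it only inside the GnuTLS arm. Nesting the two blocks inside `if OPENCONNECT_GNUTLS`, or adding `# TPM2 backends are probed for by configure only when building against GnuTLS` above them, would make that dependency visible to the next person editing the build. Listing both files unconditionally in POTFILES in the previous hunk is correct, since translatable strings have to be extracted regardless of which backend is built.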
@@ -483,7 +484,29 @@ case "$ssl_library" in
 LIBS="$oldlibs"
 CFLAGS="$oldcflags"
- PKG_CHECK_MODULES(TPM2, [libtasn1 tss2-esys], [AC_DEFINE(HAVE_TSS2, 1, [Have TSS2])], [:])
+ PKG_CHECK_MODULES(TASN1, [libtasn1], [have_tasn1=yes], [have_tasn1=no])
+ if test "$have_tasn1" = "yes"; then
+ PKG_CHECK_MODULES(TSS2_ESYS, [tss2-esys],
+ [AC_DEFINE(HAVE_TSS2, 1, [Have TSS2])
+ AC_SUBST(TPM2_CFLAGS, ['$(TASN1_CFLAGS) $(TSS2_ESYS_CFLAGS)'])
+ AC_SUBST(TPM2_LIBS, ['$(TASN1_LIBS) $(TSS2_ESYS_LIBS)'])
+ tss2lib=tss2-esys],
+ [:])
+ if test "$tss2lib" = "xxNOTIMPLEMENTEDYETxx"; then
+ AC_CHECK_LIB([tss], [TSS_Create], [tss2inc=tss2
+ tss2lib=tss],
+ AC_CHECK_LIB([ibmtss], [TSS_Create], [tss2inc=ibmtss
+ tss2lib=ibmtss], []))
+ if test "$tss2lib" != ""; then
+ AC_CHECK_HEADER($tss2inc/tss.h,
+ [AC_DEFINE_UNQUOTED(HAVE_TSS2, $tss2inc, [TSS2 library])
+ AC_SUBST(TSS2_LIBS, [-l$tss2lib])
+ AC_SUBST(TPM2_CFLAGS, ['$(TASN1_CFLAGS)'])
+ AC_SUBST(TPM2_LIBS, ['$(TASN1_LIBS) $(TSS2_LIBS)'])],
+ [tss2lib=])
+ fi
+ fi
+ fi
 AC_DEFINE(OPENCONNECT_GNUTLS, 1, [Using GnuTLS])
 AC_SUBST(SSL_PC, [gnutls])
@@ -497,6 +520,9 @@ case "$ssl_library" in
 ;;
 esac
+AM_CONDITIONAL(OPENCONNECT_TSS2_ESYS, [ test "$tss2lib" = "tss2-esys" ])
+AM_CONDITIONAL(OPENCONNECT_TSS2_IBM, [ test "$tss2lib" = "ibmtss" -o "$tss2lib" = "tss" ])
+
 test_pkcs11=
 if test "$pkcs11_support" != ""; then
 AC_CHECK_PROG(test_pkcs11, softhsm2-util, yes)
diff --git a/gnutls_tpm2_esys.c b/gnutls_tpm2_esys.c
index 677cd6ca..36332d81 100644
--- a/gnutls_tpm2_esys.c
+++ b/gnutls_tpm2_esys.c
@@ -53,8 +53,6 @@
 #include "openconnect-internal.h"
 #include "gnutls.h"
-#ifdef HAVE_TSS2
-
 #include
 #include
@@ -521,5 +519,3 @@ void release_tpm2_ctx(struct openconnect_info *vpninfo)
 free(vpninfo->tpm2);
 vpninfo->tpm2 = NULL;
 }
-
-#endif /* HAVE_TSS2 */
diff --git a/gnutls_tpm2_ibm.c b/gnutls_tpm2_ibm.c
new file mode 100644
index 00000000..33f360c8
--- /dev/null
+++ b/gnutls_tpm2_ibm.c
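Review bot: The IBM TSS probe is fenced behind `if test "$tss2lib" = "xxNOTIMPLEMENTEDYETxx"; then`, a sentinel nothing in the script ever assigns, so the whole AC_CHECK_LIB/AC_CHECK_HEADER block is unreachable and OPENCONNECT_TSS2_IBM can never become true; that is presumably deliberate until gnutls_tpm2_ibm.c does something, but it deserves a `dnl IBM TSS backend is a stub; enable this probe with: if test -z "$tss2lib"; then` comment so the intent and the reachable form (only try IBM TSS when tss2-esys was not found) are recorded. The block also gives HAVE_TSS2 two meanings: the ESYS path defines it to 1 while the IBM path defines it to the include directory name (`tss2` or `ibmtss`), which gnutls_tpm2_ibm.c relies on for its computed include; any numeric `#if HAVE_TSS2` elsewhere in the tree would evaluate to 0 on the IBM path, so only `#ifdef` is safe, and the AC_DEFINE_UNQUOTED description `[TSS2 library]` could say `[TSS2 include directory; test with #ifdef only]`. Because AC_CHECK_LIB is given an explicit action-if-found here, -ltss/-libmtss is not appended to LIBS, so the manual `AC_SUBST(TSS2_LIBS, [-l$tss2lib])` is what carries the link flag, which is worth a one-line comment too. The enclosing case arm begins before this hunk.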
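Review bot: `test "$tss2lib" = "ibmtss" -o "$tss2lib" = "tss"` in the second configure.ac hunk uses the binary -o operator of test, which POSIX marks obsolescent and the Autoconf portability notes advise against; the portable spelling is `AM_CONDITIONAL(OPENCONNECT_TSS2_IBM, [ test "$tss2lib" = "ibmtss" || test "$tss2lib" = "tss" ])`. Since the two values differ only in the library name that was already captured in TSS2_LIBS, normalising both to a single marker value in the probe above would let this conditional test one string, like the ESYS one does.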
@@ -0,0 +1,67 @@
+/*
+ * OpenConnect (SSL + DTLS) VPN client
+ *
+ * Copyright © 2018 David Woodhouse.
+ *
+ * Author: David Woodhouse
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * version 2.1, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ */
+
+#include "config.h"
+
+#include "openconnect-internal.h"
+#include "gnutls.h"
+
+#include
+#include
+
+#define TSSINCLUDE(x) < HAVE_TSS2/x >
+#include TSSINCLUDE(tss.h)
+
+struct oc_tpm2_ctx {
+ TPM2B_PUBLIC pub;
+ TPM2B_PRIVATE priv;
+ TPM2B_DIGEST userauth;
+ TPM2B_DIGEST ownerauth;
+ unsigned int need_userauth:1;
+ unsigned int need_ownerauth:1;
+};
+
+int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
+ void *_vpninfo, unsigned int flags,
+ const gnutls_datum_t *data, gnutls_datum_t *sig)
+{
+ return GNUTLS_E_PK_SIGN_FAILED;
+}
+
+int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
+ void *_vpninfo, unsigned int flags,
+ const gnutls_datum_t *data, gnutls_datum_t *sig)
+{
+ return GNUTLS_E_PK_SIGN_FAILED;
+}
+
+int install_tpm2_key(struct openconnect_info *vpninfo, gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig,
+ unsigned int parent, int emptyauth, gnutls_datum_t *privdata, gnutls_datum_t *pubdata)
+{
+ vpn_progress(vpninfo, PRG_ERR,
+ _("TPM2 support via IBM TSS not yet implemented\n"));
+
+ return -EINVAL;
+}
+
+
+void release_tpm2_ctx(struct openconnect_info *vpninfo)
+{
+ if (vpninfo->tpm2)
+ free(vpninfo->tpm2);
+ vpninfo->tpm2 = NULL;
+}
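Review bot: release_tpm2_ctx frees the oc_tpm2_ctx, whose `userauth` and `ownerauth` members by their names hold TPM authorization values, without clearing it first, so once this backend starts populating the struct those secrets remain in freed heap memory; wiping before the free with `gnutls_memset(vpninfo->tpm2, 0, sizeof(*vpninfo->tpm2));` ahead of `free(vpninfo->tpm2);` avoids that, and a plain memset is not a substitute because the optimizer may drop it before a free. The `if (vpninfo->tpm2)` guard around the free is redundant, since free(NULL) is a no-op. The computed include `#define TSSINCLUDE(x) < HAVE_TSS2/x >` relies on the implementation-defined way a `<`…`>` token sequence is glued into a header name (C11 6.10.2p4) and on HAVE_TSS2 being a directory name rather than 1 here; a comment such as `/* HAVE_TSS2 is the TSS include directory (tss2 or ibmtss) chosen by configure, not a boolean */` would spare the next reader the surprise. The two sign callbacks return GNUTLS_E_PK_SIGN_FAILED without touching `sig`, which is acceptable for a stub but worth a `/* stub: IBM TSS signing not implemented */` so it is not mistaken for an error path.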