Skeleton IBM TSS support
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
dwmw2 committed Oct 11, 2018
1 parent ff4fb5c commit 7333b79
Showing 4 changed files with 102 additions and 7 deletions.
10 changes: 8 additions & 2 deletions Makefile.am
Expand Up @@ -31,7 +31,7 @@ library_srcs = ssl.c http.c http-auth.c auth-common.c library.c compat.c lzs.c m
lib_srcs_cisco = auth.c cstp.c
lib_srcs_juniper = oncp.c lzo.c auth-juniper.c
lib_srcs_globalprotect = gpst.c auth-globalprotect.c
lib_srcs_gnutls = gnutls.c gnutls_tpm.c gnutls_tpm2.c gnutls_tpm2_esys.c
lib_srcs_gnutls = gnutls.c gnutls_tpm.c gnutls_tpm2.c
lib_srcs_openssl = openssl.c openssl-pkcs11.c
lib_srcs_win32 = tun-win32.c sspi.c
lib_srcs_posix = tun.c
Expand All @@ -45,7 +45,7 @@ lib_srcs_dtls = dtls.c

POTFILES = $(openconnect_SOURCES) $(lib_srcs_cisco) $(lib_srcs_juniper) $(lib_srcs_globalprotect) \
gnutls-esp.c gnutls-dtls.c openssl-esp.c openssl-dtls.c \
$(lib_srcs_esp) $(lib_srcs_dtls) \
$(lib_srcs_esp) $(lib_srcs_dtls) gnutls_tpm2_esys.c gnutls_tpm2_ibm.c \
$(lib_srcs_openssl) $(lib_srcs_gnutls) $(library_srcs) \
$(lib_srcs_win32) $(lib_srcs_posix) $(lib_srcs_gssapi) $(lib_srcs_iconv) \
$(lib_srcs_oath) $(lib_srcs_yubikey) $(lib_srcs_stoken) openconnect-internal.h
Expand All @@ -65,6 +65,12 @@ library_srcs += $(lib_srcs_gnutls)
lib_srcs_esp += gnutls-esp.c
lib_srcs_dtls += gnutls-dtls.c
endif
if OPENCONNECT_TSS2_ESYS
library_srcs += gnutls_tpm2_esys.c
endif
if OPENCONNECT_TSS2_IBM
library_srcs += gnutls_tpm2_ibm.c
endif
if OPENCONNECT_OPENSSL
library_srcs += $(lib_srcs_openssl)
lib_srcs_esp += openssl-esp.c
28 changes: 27 additions & 1 deletion configure.ac
Expand Up @@ -357,6 +357,7 @@ if test -n "$default_gnutls_priority"; then
AC_DEFINE_UNQUOTED([DEFAULT_PRIO], ["$default_gnutls_priority"], [The GnuTLS priority string])
fi

tss2lib=
case "$ssl_library" in
OpenSSL)
oldLIBS="${LIBS}"
Expand Down Expand Up @@ -483,7 +484,29 @@ case "$ssl_library" in
LIBS="$oldlibs"
CFLAGS="$oldcflags"

PKG_CHECK_MODULES(TPM2, [libtasn1 tss2-esys], [AC_DEFINE(HAVE_TSS2, 1, [Have TSS2])], [:])
PKG_CHECK_MODULES(TASN1, [libtasn1], [have_tasn1=yes], [have_tasn1=no])
if test "$have_tasn1" = "yes"; then
PKG_CHECK_MODULES(TSS2_ESYS, [tss2-esys],
[AC_DEFINE(HAVE_TSS2, 1, [Have TSS2])
AC_SUBST(TPM2_CFLAGS, ['$(TASN1_CFLAGS) $(TSS2_ESYS_CFLAGS)'])
AC_SUBST(TPM2_LIBS, ['$(TASN1_LIBS) $(TSS2_ESYS_LIBS)'])
tss2lib=tss2-esys],
[:])
if test "$tss2lib" = "xxNOTIMPLEMENTEDYETxx"; then
AC_CHECK_LIB([tss], [TSS_Create], [tss2inc=tss2
tss2lib=tss],
AC_CHECK_LIB([ibmtss], [TSS_Create], [tss2inc=ibmtss
tss2lib=ibmtss], []))
if test "$tss2lib" != ""; then
AC_CHECK_HEADER($tss2inc/tss.h,
[AC_DEFINE_UNQUOTED(HAVE_TSS2, $tss2inc, [TSS2 library])
AC_SUBST(TSS2_LIBS, [-l$tss2lib])
AC_SUBST(TPM2_CFLAGS, ['$(TASN1_CFLAGS)'])
AC_SUBST(TPM2_LIBS, ['$(TASN1_LIBS) $(TSS2_LIBS)'])],
[tss2lib=])
fi
fi
fi

AC_DEFINE(OPENCONNECT_GNUTLS, 1, [Using GnuTLS])
AC_SUBST(SSL_PC, [gnutls])
Expand All @@ -497,6 +520,9 @@ case "$ssl_library" in
;;
esac

AM_CONDITIONAL(OPENCONNECT_TSS2_ESYS, [ test "$tss2lib" = "tss2-esys" ])
AM_CONDITIONAL(OPENCONNECT_TSS2_IBM, [ test "$tss2lib" = "ibmtss" -o "$tss2lib" = "tss" ])

test_pkcs11=
if test "$pkcs11_support" != ""; then
AC_CHECK_PROG(test_pkcs11, softhsm2-util, yes)
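Review bot: In the new IBM branch, `AC_DEFINE_UNQUOTED(HAVE_TSS2, $tss2inc, [TSS2 library])` gives `HAVE_TSS2` a different meaning from the tss2-esys branch a few lines above, where it is defined as `1`: on the IBM path it becomes the bare include-directory token (`tss2` or `ibmtss`) that gnutls_tpm2_ibm.c splices into an include path. That means a `#if HAVE_TSS2` anywhere in the tree would evaluate an undefined identifier as 0 on the IBM path while `#ifdef HAVE_TSS2` still works, which is an easy trap for later contributors. Keeping the feature flag and the include directory apart, e.g. `AC_DEFINE(HAVE_TSS2, 1, [Have TSS2])` plus `AC_DEFINE_UNQUOTED(TSS2_INCDIR, $tss2inc, [IBM TSS include directory])` with the TSSINCLUDE macro in gnutls_tpm2_ibm.c updated to match, avoids this; the branch is currently unreachable behind the `xxNOTIMPLEMENTEDYETxx` sentinel, so nothing is broken yet, but the shape should be settled before the sentinel is lifted. The `-o` in the OPENCONNECT_TSS2_IBM condition is also an obsolescent POSIX form; `test "$tss2lib" = "ibmtss" || test "$tss2lib" = "tss"` is the portable spelling.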
4 changes: 0 additions & 4 deletions gnutls_tpm2_esys.c
Expand Up @@ -53,8 +53,6 @@
#include "openconnect-internal.h"
#include "gnutls.h"

#ifdef HAVE_TSS2

#include <stdio.h>
#include <string.h>

Expand Down Expand Up @@ -521,5 +519,3 @@ void release_tpm2_ctx(struct openconnect_info *vpninfo)
free(vpninfo->tpm2);
vpninfo->tpm2 = NULL;
}

#endif /* HAVE_TSS2 */
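--- /dev/null
+++ b/gnutls_tpm2_ibm.c
@@ -0,0 +1,67 @@
+/*
+* OpenConnect (SSL + DTLS) VPN client
+*
+* Copyright © 2018 David Woodhouse.
+*
+* Author: David Woodhouse <dwmw2@infradead.org>
+*
+* This program is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public License
+* version 2.1, as published by the Free Software Foundation.
+*
+* This program is distributed in the hope that it will be useful, but
+* WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*/
+
+#include "config.h"
+
+#include "openconnect-internal.h"
+#include "gnutls.h"
+
+#include <stdio.h>
+#include <string.h>
+
+#define TSSINCLUDE(x) < HAVE_TSS2/x >
+#include TSSINCLUDE(tss.h)
+
+struct oc_tpm2_ctx {
+TPM2B_PUBLIC pub;
+TPM2B_PRIVATE priv;
+TPM2B_DIGEST userauth;
+TPM2B_DIGEST ownerauth;
+unsigned int need_userauth:1;
+unsigned int need_ownerauth:1;
+};
+
+int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
+void *_vpninfo, unsigned int flags,
+const gnutls_datum_t *data, gnutls_datum_t *sig)
+{
+return GNUTLS_E_PK_SIGN_FAILED;
+}
+
+int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
+void *_vpninfo, unsigned int flags,
+const gnutls_datum_t *data, gnutls_datum_t *sig)
+{
+return GNUTLS_E_PK_SIGN_FAILED;
+}
+
+int install_tpm2_key(struct openconnect_info *vpninfo, gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig,
+unsigned int parent, int emptyauth, gnutls_datum_t *privdata, gnutls_datum_t *pubdata)
+{
+vpn_progress(vpninfo, PRG_ERR,
+_("TPM2 support via IBM TSS not yet implemented\n"));
+
+return -EINVAL;
+}
+
+
+void release_tpm2_ctx(struct openconnect_info *vpninfo)
+{
+if (vpninfo->tpm2)
+free(vpninfo->tpm2);
+vpninfo->tpm2 = NULL;
+}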
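Review bot: `release_tpm2_ctx` frees the `struct oc_tpm2_ctx` without clearing it, yet the struct declared above holds `userauth` and `ownerauth` digests, which by their names appear to be TPM authorization values, i.e. secrets — worth confirming once the IBM path is actually implemented. Freed heap memory is not scrubbed, so those values can linger and surface in core dumps or later allocations; wiping before release, e.g. `memset(vpninfo->tpm2, 0, sizeof(*vpninfo->tpm2));` ahead of `free(vpninfo->tpm2);`, is cheap insurance, and `gnutls_memset()` or `explicit_bzero()` is preferable where available since a plain memset immediately before free may be optimized away. The `if (vpninfo->tpm2)` guard is redundant because `free(NULL)` is a no-op. Note also that the two sign-hash stubs return `GNUTLS_E_PK_SIGN_FAILED` with no diagnostic, unlike `install_tpm2_key`, which at least logs that the IBM path is unimplemented; a matching `vpn_progress(vpninfo, PRG_ERR, ...)` in the stubs would make a failed handshake easier to trace if they are ever reached.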
