Add PKCS#11 support for OpenSSL using libp11
Not that I'm overly worried about feature parity, but it was an interesting
exercise in working out how OpenSSL applications can Do The Right Thing
with PKCS#11. Perhaps I can turn openssl-pkcs11.c into a generic library
function to load EVP_PKEY/X509 from PKCS#11 URIs.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse authored and David Woodhouse committed Dec 17, 2014
1 parent e570fbb commit 77a9169
Showing 9 changed files with 654 additions and 10 deletions.
6 changes: 3 additions & 3 deletions Makefile.am
Expand Up @@ -21,7 +21,7 @@ openconnect_LDADD = libopenconnect.la $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(INTL_LI
library_srcs = ssl.c http.c auth.c library.c compat.c dtls.c cstp.c \
mainloop.c script.c ntlm.c digest.c
lib_srcs_gnutls = gnutls.c gnutls_pkcs12.c gnutls_tpm.c
lib_srcs_openssl = openssl.c
lib_srcs_openssl = openssl.c openssl-pkcs11.c
lib_srcs_win32 = tun-win32.c sspi.c
lib_srcs_posix = tun.c
lib_srcs_gssapi = gssapi.c
Expand Down Expand Up @@ -62,8 +62,8 @@ library_srcs += $(lib_srcs_posix)
endif

libopenconnect_la_SOURCES = version.c $(library_srcs)
libopenconnect_la_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(P11KIT_CFLAGS) $(TSS_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBOATH_CFLAGS) $(LIBPSKC_CFLAGS) $(GSSAPI_CFLAGS) $(INTL_CFLAGS) $(ICONV_CFLAGS) $(LIBPCSCLITE_CFLAGS)
libopenconnect_la_LIBADD = $(SSL_LIBS) $(DTLS_SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(ZLIB_LIBS) $(P11KIT_LIBS) $(TSS_LIBS) $(LIBSTOKEN_LIBS) $(LIBOATH_LIBS) $(LIBPSKC_LIBS) $(GSSAPI_LIBS) $(INTL_LIBS) $(ICONV_LIBS) $(LIBPCSCLITE_LIBS)
libopenconnect_la_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(P11KIT_CFLAGS) $(TSS_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBOATH_CFLAGS) $(LIBPSKC_CFLAGS) $(GSSAPI_CFLAGS) $(INTL_CFLAGS) $(ICONV_CFLAGS) $(LIBPCSCLITE_CFLAGS) $(LIBP11_CFLAGS)
libopenconnect_la_LIBADD = $(SSL_LIBS) $(DTLS_SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(ZLIB_LIBS) $(P11KIT_LIBS) $(TSS_LIBS) $(LIBSTOKEN_LIBS) $(LIBOATH_LIBS) $(LIBPSKC_LIBS) $(GSSAPI_LIBS) $(INTL_LIBS) $(ICONV_LIBS) $(LIBPCSCLITE_LIBS) $(LIBP11_LIBS)
if OPENBSD_LIBTOOL
# OpenBSD's libtool doesn't have -version-number, but its -version-info arg
# does what GNU libtool's -version-number does. Which arguably is what the
7 changes: 7 additions & 0 deletions configure.ac
Expand Up @@ -458,6 +458,13 @@ case "$ssl_library" in
check_openssl_dtls=no
;;
openssl)
PKG_CHECK_MODULES(P11KIT, p11-kit-1,
[PKG_CHECK_MODULES(LIBP11, libp11,
[AC_DEFINE(HAVE_LIBP11, 1, [Have libp11 and p11-kit for OpenSSL])
AC_SUBST(P11KIT_PC, ["libp11 p11-kit-1"])
proxy_module="`$PKG_CONFIG --variable=proxy_module p11-kit-1`"
AC_DEFINE_UNQUOTED([DEFAULT_PKCS11_MODULE], "${proxy_module}", [p11-kit proxy])],
[:])], [:])
AC_DEFINE(OPENCONNECT_OPENSSL, 1, [Using OpenSSL])
AC_DEFINE(DTLS_OPENSSL, 1, [Using OpenSSL for DTLS])
AC_SUBST(SSL_DTLS_PC, [openssl])
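Review bot: The value read at the `$PKG_CONFIG --variable=proxy_module p11-kit-1` line is used unchecked, so a p11-kit whose .pc file does not export that variable leaves DEFAULT_PKCS11_MODULE defined as the empty string while HAVE_LIBP11 is already set, and the module load at runtime (not visible here) would presumably fail on an empty path instead of the build failing at configure time. A guard between the two defines turns that into a configure-time error, e.g. `AS_IF([test -z "$proxy_module"], [AC_MSG_ERROR([p11-kit does not report a proxy_module path])])`. Loading the proxy module by its absolute pkg-config path is the right choice, since it avoids a dlopen() by bare name that would be resolved through LD_LIBRARY_PATH, but it bakes a build-host path into the binary, which deserves a one-line `dnl` note for cross-compilers.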
13 changes: 13 additions & 0 deletions library.c
Expand Up @@ -276,6 +276,17 @@ void openconnect_vpninfo_free(struct openconnect_info *vpninfo)
}
memset(vpninfo->yubikey_pwhash, 0, sizeof(vpninfo->yubikey_pwhash));
free(vpninfo->yubikey_objname);
#endif
#ifdef HAVE_LIBP11
if (vpninfo->pkcs11_ctx) {
if (vpninfo->pkcs11_slot_list)
PKCS11_release_all_slots(vpninfo->pkcs11_ctx,
vpninfo->pkcs11_slot_list,
vpninfo->pkcs11_slot_count);
PKCS11_CTX_unload(vpninfo->pkcs11_ctx);
PKCS11_CTX_free(vpninfo->pkcs11_ctx);
}
free(vpninfo->pkcs11_cert_id);
#endif
/* These check strm->state so they are safe to call multiple times */
inflateEnd(&vpninfo->inflate_strm);
Expand Down Expand Up @@ -519,6 +530,8 @@ int openconnect_has_pkcs11_support(void)
{
#if defined(OPENCONNECT_GNUTLS) && defined(HAVE_P11KIT)
return 1;
#elif defined(OPENCONNECT_OPENSSL) && defined(HAVE_LIBP11)
return 1;
#else
return 0;
#endif
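Review bot: The position of the new libp11 teardown inside openconnect_vpninfo_free (whose body starts and ends outside this hunk) matters, because as far as I understand libp11, keys and certificates obtained from a slot are backed by that slot's token and session, so any EVP_PKEY, X509 or SSL_CTX still referencing a token-backed key when `PKCS11_release_all_slots()` and `PKCS11_CTX_unload()` run is left dangling. I cannot see from this hunk where `https_ctx` and `cert_x509` are released; if that happens later in the function, this block should move below it. Either way a comment pinning the ordering would help, e.g. `/* Must run after the SSL_CTX/EVP_PKEY that reference token-backed keys are freed */`. The order among the three libp11 calls themselves (release slots, unload, free) is the right one.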
16 changes: 16 additions & 0 deletions openconnect-internal.h
Expand Up @@ -89,6 +89,10 @@
#include <pskc/pskc.h>
#endif

#ifdef HAVE_LIBP11
#include <libp11.h>
#endif

#ifdef HAVE_LIBPCSCLITE
#ifdef __APPLE__
#include <PCSC/wintypes.h>
Expand Down Expand Up @@ -310,6 +314,14 @@ struct openconnect_info {

unsigned pfs;
#if defined(OPENCONNECT_OPENSSL)
#ifdef HAVE_LIBP11
PKCS11_CTX *pkcs11_ctx;
PKCS11_SLOT *pkcs11_slot_list;
unsigned int pkcs11_slot_count;
PKCS11_SLOT *pkcs11_cert_slot;
unsigned char *pkcs11_cert_id;
size_t pkcs11_cert_id_len;
#endif
X509 *cert_x509;
SSL_CTX *https_ctx;
SSL *https_ssl;
Expand Down Expand Up @@ -636,6 +648,10 @@ FILE *openconnect_fopen_utf8(struct openconnect_info *vpninfo,

void openconnect_clear_cookies(struct openconnect_info *vpninfo);

/* openssl-pkcs11.c */
int load_pkcs11_key(struct openconnect_info *vpninfo);
int load_pkcs11_certificate(struct openconnect_info *vpninfo);

/* {gnutls,openssl}.c */
int openconnect_open_https(struct openconnect_info *vpninfo);
void openconnect_close_https(struct openconnect_info *vpninfo, int final);
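Review bot: The new pkcs11_* fields in struct openconnect_info carry no ownership notes, and the mix of owned and borrowed pointers is exactly what the teardown path has to get right: pkcs11_cert_id is free()d in openconnect_vpninfo_free, while pkcs11_cert_slot appears to be an entry in pkcs11_slot_list that is released with the list and must not be freed on its own. Suggest `PKCS11_SLOT *pkcs11_cert_slot; /* borrowed: entry in pkcs11_slot_list, released with it */` and `unsigned char *pkcs11_cert_id; /* malloc'd; freed in openconnect_vpninfo_free() */`. The two prototypes under `/* openssl-pkcs11.c */` are declared unconditionally although the fields they operate on exist only under HAVE_LIBP11, so callers need their own guard; a one-line comment on each prototype stating its return convention would also help a reader who cannot see openssl-pkcs11.c.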
