From d36cb5233294d85a714d3f313a52dac9973a27f0 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Mon, 11 Jun 2012 21:58:02 +0100
Subject: [PATCH] Add openconnect_has_tss_blob_support()

Turns out this might not be entirely OpenSSL-specific; we should be able to support it in GnuTLS too.

Signed-off-by: David Woodhouse
---
 libopenconnect.map.in | 1 +
 library.c | 19 +++++++++++++++++++
 main.c | 6 ++++--
 openconnect.h | 7 ++++++-
 4 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/libopenconnect.map.in b/libopenconnect.map.in
index e459764f..b6dc8427 100644
--- a/libopenconnect.map.in
+++ b/libopenconnect.map.in
@@ -26,6 +26,7 @@ OPENCONNECT_2.0 {
 openconnect_get_cert_details;
 openconnect_get_cert_DER;
 openconnect_init_ssl;
+ openconnect_has_tss_blob_support;
 openconnect_has_pkcs11_support;
 };
diff --git a/library.c b/library.c
index c90f32af..7aa55db7 100644
--- a/library.c
+++ b/library.c
@@ -235,3 +235,22 @@ int openconnect_has_pkcs11_support(void)
 return 0;
 #endif
 }
+
+#if defined (OPENCONNECT_OPENSSL) && defined (HAVE_ENGINE)
+#include
+#endif
+int openconnect_has_tss_blob_support(void)
+{
+#if defined (OPENCONNECT_OPENSSL) && defined (HAVE_ENGINE)
+ ENGINE *e;
+
+ ENGINE_load_builtin_engines();
+
+ e = ENGINE_by_id("tpm");
+ if (e) {
+ ENGINE_free(e);
+ return 1;
+ }
+#endif
+ return 0;
+}
diff --git a/main.c b/main.c
index 77de51a4..8e74d990 100644
--- a/main.c
+++ b/main.c
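Review bot: When `ENGINE_by_id("tpm")` fails, the errors it pushes onto the OpenSSL error queue are left there and openconnect_has_tss_blob_support() simply returns 0, so a later unrelated OpenSSL failure in the same process can be reported with a stale engine-lookup error as its apparent cause; add `ERR_clear_error();` after the `if (e)` block (declared in `<openssl/err.h>`). ENGINE_by_id() also falls back to the "dynamic" engine for ids that are not built in, so this probe may load the TPM engine shared object from OpenSSL's engines directory as a side effect, and a structural load succeeding is not the same as the engine initialising against a TSS, so a return of 1 should not be read as "TPM keys will work" — worth confirming against the OpenSSL versions the project targets. The `#include` this hunk places after openconnect_has_pkcs11_support() (its header name is lost in this rendering) would conventionally sit with the other includes at the top of library.c, under the same `OPENCONNECT_OPENSSL && HAVE_ENGINE` guard.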
@@ -180,9 +180,11 @@ static void helpmessage(void)
 static void print_build_opts(void)
 {
- openconnect_init_ssl();
 #if defined (OPENCONNECT_OPENSSL) && defined (HAVE_ENGINE)
- printf(_("Using OpenSSL with TPM ENGINE support\n"));
+ if (openconnect_has_tss_blob_support())
+ printf(_("Using OpenSSL with TPM ENGINE support. Loading TPM engine succeeded.\n"));
+ else
+ printf(_("Using OpenSSL with TPM ENGINE support, but loading TPM engine failed.\n"));
 #elif defined (OPENCONNECT_OPENSSL)
 printf(_("Using OpenSSL without TPM ENGINE support\n"));
 #elif defined (OPENCONNECT_GNUTLS) && defined (HAVE_P11KIT)
diff --git a/openconnect.h b/openconnect.h
index 3dd5303f..64106576 100644
--- a/openconnect.h
+++ b/openconnect.h
@@ -36,7 +36,7 @@
 /*
 * API version 2.0:
 * - OPENCONNECT_X509 is now an opaque type.
- * - Add openconnect_has_pkcs11_support()
+ * - Add openconnect_has_pkcs11_support(), openconnect_has_tss_blob_support()
 * - Rename openconnect_init_openssl() -> openconnect_init_ssl()
 * - Rename openconnect_vpninfo_new_with_cbdata() -> openconnect_vpninfo_new()
 * and kill the old openconnect_vpninfo_new() and its callback types.
@@ -237,4 +237,9 @@ void openconnect_vpninfo_free (struct openconnect_info *vpninfo);
 can accept PKCS#11 URLs in place of filenames, for the certificate and key. */
 int openconnect_has_pkcs11_support(void);
 
+/* The OpenSSL TPM ENGINE stores keys in a PEM file labelled with the string -----BEGIN TSS KEY BLOB-----. GnuTLS may learn to support this format too, in the near future. */
+int openconnect_has_tss_blob_support(void);
+
 #endif /* __OPENCONNECT_H__ */
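Review bot: The comment added above `int openconnect_has_tss_blob_support(void);` describes the key file format but says nothing about what the function reports or that calling it has side effects, which is what a caller deciding whether to offer a TSS key blob needs to know. Suggest extending it with: `Returns 1 if the OpenSSL "tpm" ENGINE can be located (built in or dynamically loadable), 0 otherwise, including on builds without OpenSSL ENGINE support; locating the engine does not initialise it, so this does not guarantee a TPM key can actually be used.` The "built in or dynamically loadable" wording follows from ENGINE_by_id()'s fallback to the dynamic engine as used in the library.c hunk, and the "0 on builds without ENGINE support" part from that hunk's `#if` guard; both are worth confirming against the OpenSSL version the project targets.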