- 14 Jun, 2012 8 commits

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    We *can* use arbitrary privkeys, by using the cert_callback to provide them on demand. And even without gnutls_privkey_import_ext() to give us a constructed privkey that represents the TPM key, we can cope by registering a sign_callback on the TLS session. This means that we can support the TPM, and also fix the lack of extra supporting certs and expiry check when using PKCS#11 certs with GnuTLS 2.12. It also means my code is an even bigger mess of #ifdefs than it was before.
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    The library *will* free them later. Honest! If we say "should", someone might get confused and think we're saying the *caller* needs to do it.
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    There's an inconsistency here; openconnect_set_xmlsha1() takes a redundant 'len' arg which serves no purpose except to check that the caller knows how big a SHA1 is. If it's not 41, we bail. Next time the soname is getting bumped, I'll add a similar redundant check to openconnect_get_cert_sha1() too. I should have done that when it was first converted from an internal function to a public-facing one in commit 20840ab0. But I didn't, and it's not worth bumping the soname again right now *just* for that.
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    I really ought to script a check for this.
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
- 13 Jun, 2012 18 commits

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    The UI may cache user input by form->auth_id, opt->name. But those were always the same (and auth_id was even NULL for OpenSSL UI callbacks from the TPM engine), so it wasn't very helpful. Fix it.
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Having separate 'err' for GnuTLS errno, and 'ret' for the return value, has caused me to sometimes return without setting 'ret'. Make it uninitialised to start with, and then the compiler should warn if I 'goto out' again without setting 'ret'.
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Yes, it doesn't *actually* do any matching... yet.
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Based on GnuTLS TPM code by Carolin Latze <latze@angry-red-pla.net> and Tobias Soder. Like the OpenSSL TPM ENGINE, this only supports a key 'blob' rather than using keys by UUID. That shouldn't be hard to fix if someone wants it.
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Due to a typo, it wasn't using OpenSSL for DTLS unless you specified --without-openssl on the configure command line.
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
- 12 Jun, 2012 8 commits

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    The key, in the ctx, holds a reference on the engine. We should be dropping our own.
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Not strictly needed to free stuff right before we exit, but it makes it easier to find leaks in the library code.
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
- 11 Jun, 2012 6 commits

  - David Woodhouse authored
    Turns out this might not be entirely OpenSSL-specific; we should be able to support it in GnuTLS too.
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Theoretically, the OpenSSL side can (and should) gain PKCS#11 support at some point. There *is* a PKCS#11 engine, although it seems somewhat unloved.
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

  - David Woodhouse authored
    Oops. The whole point in doing it this way with full sentences instead of crap like ("with%s TPM support", tpm?"":"out") was to ease translation... and then I forgot to mark the strings translatable :)
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>