Skeleton IBM TSS support
authorDavid Woodhouse <dwmw2@infradead.org>
Tue, 9 Oct 2018 10:06:16 +0000 (11:06 +0100)
committerDavid Woodhouse <dwmw2@infradead.org>
Thu, 11 Oct 2018 01:14:17 +0000 (18:14 -0700)
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Makefile.am
configure.ac
gnutls_tpm2_esys.c
gnutls_tpm2_ibm.c [new file with mode: 0644]

index ee4bf303c682df3cc59986d4c17d364dd5844864..522725eb5e582b4b61ef4b2ee8b811f6395d7602 100644 (file)
@@ -31,7 +31,7 @@ library_srcs = ssl.c http.c http-auth.c auth-common.c library.c compat.c lzs.c m
 lib_srcs_cisco = auth.c cstp.c
 lib_srcs_juniper = oncp.c lzo.c auth-juniper.c
 lib_srcs_globalprotect = gpst.c auth-globalprotect.c
-lib_srcs_gnutls = gnutls.c gnutls_tpm.c gnutls_tpm2.c gnutls_tpm2_esys.c
+lib_srcs_gnutls = gnutls.c gnutls_tpm.c gnutls_tpm2.c
 lib_srcs_openssl = openssl.c openssl-pkcs11.c
 lib_srcs_win32 = tun-win32.c sspi.c
 lib_srcs_posix = tun.c
@@ -45,7 +45,7 @@ lib_srcs_dtls = dtls.c
 
 POTFILES = $(openconnect_SOURCES) $(lib_srcs_cisco) $(lib_srcs_juniper) $(lib_srcs_globalprotect) \
           gnutls-esp.c gnutls-dtls.c openssl-esp.c openssl-dtls.c \
-          $(lib_srcs_esp) $(lib_srcs_dtls) \
+          $(lib_srcs_esp) $(lib_srcs_dtls) gnutls_tpm2_esys.c gnutls_tpm2_ibm.c \
           $(lib_srcs_openssl) $(lib_srcs_gnutls) $(library_srcs) \
           $(lib_srcs_win32) $(lib_srcs_posix) $(lib_srcs_gssapi) $(lib_srcs_iconv) \
           $(lib_srcs_oath) $(lib_srcs_yubikey) $(lib_srcs_stoken) openconnect-internal.h
@@ -65,6 +65,12 @@ library_srcs += $(lib_srcs_gnutls)
 lib_srcs_esp += gnutls-esp.c
 lib_srcs_dtls += gnutls-dtls.c
 endif
+if OPENCONNECT_TSS2_ESYS
+library_srcs += gnutls_tpm2_esys.c
+endif
+if OPENCONNECT_TSS2_IBM
+library_srcs += gnutls_tpm2_ibm.c
+endif
 if OPENCONNECT_OPENSSL
 library_srcs += $(lib_srcs_openssl)
 lib_srcs_esp += openssl-esp.c
index 3aabd9ea9f71042c4b222e60d8364c6854a4e9b7..ff2a7d825a1e280958f0937465cf6ad2a730ab1f 100644 (file)
@@ -357,6 +357,7 @@ if test -n "$default_gnutls_priority"; then
    AC_DEFINE_UNQUOTED([DEFAULT_PRIO], ["$default_gnutls_priority"], [The GnuTLS priority string])
 fi
 
+tss2lib=
 case "$ssl_library" in
     OpenSSL)
        oldLIBS="${LIBS}"
@@ -483,7 +484,29 @@ case "$ssl_library" in
        LIBS="$oldlibs"
        CFLAGS="$oldcflags"
 
-       PKG_CHECK_MODULES(TPM2, [libtasn1 tss2-esys], [AC_DEFINE(HAVE_TSS2, 1, [Have TSS2])], [:])
+       PKG_CHECK_MODULES(TASN1, [libtasn1], [have_tasn1=yes], [have_tasn1=no])
+       if test "$have_tasn1" = "yes"; then
+          PKG_CHECK_MODULES(TSS2_ESYS, [tss2-esys],
+                            [AC_DEFINE(HAVE_TSS2, 1, [Have TSS2])
+                             AC_SUBST(TPM2_CFLAGS, ['$(TASN1_CFLAGS) $(TSS2_ESYS_CFLAGS)'])
+                             AC_SUBST(TPM2_LIBS, ['$(TASN1_LIBS) $(TSS2_ESYS_LIBS)'])
+                             tss2lib=tss2-esys],
+                            [:])
+          if test "$tss2lib" = "xxNOTIMPLEMENTEDYETxx"; then
+              AC_CHECK_LIB([tss], [TSS_Create], [tss2inc=tss2
+                                                 tss2lib=tss],
+                           AC_CHECK_LIB([ibmtss], [TSS_Create], [tss2inc=ibmtss
+                                                                 tss2lib=ibmtss], []))
+              if test "$tss2lib" != ""; then
+                  AC_CHECK_HEADER($tss2inc/tss.h,
+                                  [AC_DEFINE_UNQUOTED(HAVE_TSS2, $tss2inc, [TSS2 library])
+                                   AC_SUBST(TSS2_LIBS, [-l$tss2lib])
+                                   AC_SUBST(TPM2_CFLAGS, ['$(TASN1_CFLAGS)'])
+                                   AC_SUBST(TPM2_LIBS, ['$(TASN1_LIBS) $(TSS2_LIBS)'])],
+                                  [tss2lib=])
+              fi
+          fi
+       fi
 
        AC_DEFINE(OPENCONNECT_GNUTLS, 1, [Using GnuTLS])
        AC_SUBST(SSL_PC, [gnutls])
@@ -497,6 +520,9 @@ case "$ssl_library" in
        ;;
 esac
 
+AM_CONDITIONAL(OPENCONNECT_TSS2_ESYS, [ test "$tss2lib" = "tss2-esys" ])
+AM_CONDITIONAL(OPENCONNECT_TSS2_IBM, [ test "$tss2lib" = "ibmtss" -o "$tss2lib" = "tss" ])
+
 test_pkcs11=
 if test "$pkcs11_support" != ""; then
    AC_CHECK_PROG(test_pkcs11, softhsm2-util, yes)
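Review bot: The OPENCONNECT_TSS2_IBM condition uses `test … -o …`, which POSIX marks obsolescent and the Autoconf manual advises against because some shells parse `-a`/`-o` expressions ambiguously; the portable spelling joins two tests with the shell: `AM_CONDITIONAL(OPENCONNECT_TSS2_IBM, [ test "$tss2lib" = "ibmtss" || test "$tss2lib" = "tss" ])`. Defining both AM_CONDITIONALs after the `case` rather than inside the GnuTLS branch is the right placement, since Automake requires every conditional to be evaluated on every configure run, and the `tss2lib=` initialisation added earlier in this commit is what keeps that safe on the OpenSSL path.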
index 677cd6ca35751609187126cfc67399d494ce4b9c..36332d8185884453910d06a2af34496dd6e5ae9c 100644 (file)
@@ -53,8 +53,6 @@
 #include "openconnect-internal.h"
 #include "gnutls.h"
 
-#ifdef HAVE_TSS2
-
 #include <stdio.h>
 #include <string.h>
 
@@ -521,5 +519,3 @@ void release_tpm2_ctx(struct openconnect_info *vpninfo)
                free(vpninfo->tpm2);
        vpninfo->tpm2 = NULL;
 }
-
-#endif /* HAVE_TSS2 */
diff --git a/gnutls_tpm2_ibm.c b/gnutls_tpm2_ibm.c
new file mode 100644 (file)
index 0000000..33f360c
--- /dev/null
@@ -0,0 +1,67 @@
+/*
+ * OpenConnect (SSL + DTLS) VPN client
+ *
+ * Copyright © 2018 David Woodhouse.
+ *
+ * Author: David Woodhouse <dwmw2@infradead.org>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * version 2.1, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ */
+
+#include "config.h"
+
+#include "openconnect-internal.h"
+#include "gnutls.h"
+
+#include <stdio.h>
+#include <string.h>
+
+#define TSSINCLUDE(x) < HAVE_TSS2/x >
+#include TSSINCLUDE(tss.h)
+
+struct oc_tpm2_ctx {
+       TPM2B_PUBLIC pub;
+       TPM2B_PRIVATE priv;
+       TPM2B_DIGEST userauth;
+       TPM2B_DIGEST ownerauth;
+       unsigned int need_userauth:1;
+       unsigned int need_ownerauth:1;
+};
+
+int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
+                         void *_vpninfo, unsigned int flags,
+                         const gnutls_datum_t *data, gnutls_datum_t *sig)
+{
+       return GNUTLS_E_PK_SIGN_FAILED;
+}
+
+int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
+                        void *_vpninfo, unsigned int flags,
+                        const gnutls_datum_t *data, gnutls_datum_t *sig)
+{
+       return GNUTLS_E_PK_SIGN_FAILED;
+}
+
+int install_tpm2_key(struct openconnect_info *vpninfo, gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig,
+                    unsigned int parent, int emptyauth, gnutls_datum_t *privdata, gnutls_datum_t *pubdata)
+{
+       vpn_progress(vpninfo, PRG_ERR,
+                    _("TPM2 support via IBM TSS not yet implemented\n"));
+
+       return -EINVAL;
+}
+
+
+void release_tpm2_ctx(struct openconnect_info *vpninfo)
+{
+       if (vpninfo->tpm2)
+               free(vpninfo->tpm2);
+       vpninfo->tpm2 = NULL;
+}
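Review bot: release_tpm2_ctx, the last function in the hunk, hands the context straight to free() even though struct oc_tpm2_ctx carries `userauth` and `ownerauth`, which by their names and the matching `need_userauth`/`need_ownerauth` bits look like TPM authorization values. In this skeleton install_tpm2_key never allocates vpninfo->tpm2, so nothing is leaked today, but once the IBM path fills the struct those values would survive in freed heap memory; clearing it first, `memset(vpninfo->tpm2, 0, sizeof(*vpninfo->tpm2));` ahead of the `free`, or `explicit_bzero` where the build provides it since a plain memset before free can be optimized away, avoids that. The sibling release_tpm2_ctx in gnutls_tpm2_esys.c has the same shape, so whichever clearing helper is chosen should be applied to both. The `if (vpninfo->tpm2)` guard is redundant because free(NULL) is a no-op, but keeping it mirrors the esys file.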