Use OpenSSL TPM2 engine
authorDavid Woodhouse <dwmw2@infradead.org>
Thu, 27 Sep 2018 11:25:17 +0000 (13:25 +0200)
committerDavid Woodhouse <dwmw2@infradead.org>
Thu, 27 Sep 2018 11:25:28 +0000 (13:25 +0200)
We should look at whether we want to do this natively (probably not; we
should rely on the OpenSSL STORE mechanism instead), and we should
definitely look at how we're going to do it for GnuTLS. But this is a
start...

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
openssl.c

index 52c95484e540f51cde93e73980c87b450dc32aa6..134ec7d1cea3764d4cea13329c8d93435eb40581 100644 (file)
--- a/openssl.c
+++ b/openssl.c
@@ -615,7 +615,8 @@ static int load_pkcs12_certificate(struct openconnect_info *vpninfo, PKCS12 *p12
 }
 
 #ifdef HAVE_ENGINE
-static int load_tpm_certificate(struct openconnect_info *vpninfo)
+static int load_tpm_certificate(struct openconnect_info *vpninfo,
+                               const char *engine)
 {
        ENGINE *e;
        EVP_PKEY *key;
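Review bot: The new `engine` parameter on load_tpm_certificate is undocumented, and the function is now dispatched on a caller-supplied OpenSSL engine id rather than a fixed one, so a reader of the prototype cannot tell which ids are valid. A short comment above the signature would fix that: `/* engine: OpenSSL ENGINE id to load the key through; callers pass "tpm" for a "TSS KEY BLOB" file and "tpm2" for a "TSS2 KEY BLOB" file (see load_certificate). */`. The two ids are the only ones passed in this commit; if other values are meant to be accepted later, the comment should say so. The body of load_tpm_certificate continues past the end of this hunk.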
@@ -624,7 +625,7 @@ static int load_tpm_certificate(struct openconnect_info *vpninfo)
 
        ENGINE_load_builtin_engines();
 
-       e = ENGINE_by_id("tpm");
+       e = ENGINE_by_id(engine);
        if (!e) {
                vpn_progress(vpninfo, PRG_ERR, _("Can't load TPM engine.\n"));
                openconnect_report_ssl_errors(vpninfo);
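Review bot: The failure message after ENGINE_by_id still reads "Can't load TPM engine." although the engine id is now variable, so a missing tpm2 engine is reported with the same text as a missing tpm engine and the user cannot tell which one to install. Assuming vpn_progress takes printf-style arguments as its use with `_()` format strings suggests, the call could become `vpn_progress(vpninfo, PRG_ERR, _("Can't load %s engine.\n"), engine);`. The engine id is always one of the string literals chosen in load_certificate, never user input, so passing it as a `%s` argument (not as the format) is sufficient. The enclosing function starts and ends outside this hunk.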
@@ -673,7 +674,8 @@ static int load_tpm_certificate(struct openconnect_info *vpninfo)
        return ret;
 }
 #else
-static int load_tpm_certificate(struct openconnect_info *vpninfo)
+static int load_tpm_certificate(struct openconnect_info *vpninfo,
+                               const char *engine)
 {
        vpn_progress(vpninfo, PRG_ERR,
                     _("This version of OpenConnect was built without TPM support\n"));
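Review bot: The `!HAVE_ENGINE` stub now takes `engine` but never reads it, which will trip `-Wunused-parameter` builds and is the only place in the commit where the new parameter is silently ignored. A one-line `(void)engine;` at the top of the stub body, or whatever unused-argument idiom the file already uses, makes the intent explicit. The stub's body continues past the end of this hunk.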
@@ -946,7 +948,10 @@ static int load_certificate(struct openconnect_info *vpninfo)
        while (fgets(buf, 255, f)) {
                if (!strcmp(buf, "-----BEGIN TSS KEY BLOB-----\n")) {
                        fclose(f);
-                       return load_tpm_certificate(vpninfo);
+                       return load_tpm_certificate(vpninfo, "tpm");
+               } else if (!strcmp(buf, "-----BEGIN TSS2 KEY BLOB-----\n")) {
+                       fclose(f);
+                       return load_tpm_certificate(vpninfo, "tpm2");
                } else if (!strcmp(buf, "-----BEGIN RSA PRIVATE KEY-----\n") ||
                           !strcmp(buf, "-----BEGIN DSA PRIVATE KEY-----\n") ||
                           !strcmp(buf, "-----BEGIN EC PRIVATE KEY-----\n") ||
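Review bot: The new TSS2 branch duplicates the `fclose(f); return load_tpm_certificate(...)` pair from the TSS branch, so the two blob headers now differ only in the engine id string; selecting the id first and sharing one exit keeps a future third engine from adding a third copy. The header comparison is an exact match of the whole line read by fgets, so the dispatch itself is unchanged by the restructuring below. load_certificate begins and ends outside this hunk.
```c
	while (fgets(buf, 255, f)) {
		const char *engine = NULL;

		if (!strcmp(buf, "-----BEGIN TSS KEY BLOB-----\n"))
			engine = "tpm";
		else if (!strcmp(buf, "-----BEGIN TSS2 KEY BLOB-----\n"))
			engine = "tpm2";
		if (engine) {
			fclose(f);
			return load_tpm_certificate(vpninfo, engine);
		}
		/* … unchanged: RSA/DSA/EC PRIVATE KEY header checks … */
```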