From: David Woodhouse
Date: Thu, 27 Sep 2018 11:25:17 +0000 (+0200)
Subject: Use OpenSSL TPM2 engine
X-Git-Tag: v8.00~82
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=7edab6c6c9b5d16b20350688d6467db9acffd219;p=users%2Fdwmw2%2Fopenconnect.git

Use OpenSSL TPM2 engine

We should look at whether we want to do this natively (probably not; we should rely on the OpenSSL STORE mechanism instead), and we should definitely look at how we're going to do it for GnuTLS. But this is a start...

Signed-off-by: David Woodhouse
---

diff --git a/openssl.c b/openssl.c
index 52c95484..134ec7d1 100644
--- a/openssl.c
+++ b/openssl.c
@@ -615,7 +615,8 @@ static int load_pkcs12_certificate(struct openconnect_info *vpninfo, PKCS12 *p12
 }
 
 #ifdef HAVE_ENGINE
-static int load_tpm_certificate(struct openconnect_info *vpninfo)
+static int load_tpm_certificate(struct openconnect_info *vpninfo,
+ const char *engine)
 {
 ENGINE *e;
 EVP_PKEY *key;
@@ -624,7 +625,7 @@ static int load_tpm_certificate(struct openconnect_info *vpninfo)
 
 ENGINE_load_builtin_engines();
 
- e = ENGINE_by_id("tpm");
+ e = ENGINE_by_id(engine);
 if (!e) {
 vpn_progress(vpninfo, PRG_ERR, _("Can't load TPM engine.\n"));
 openconnect_report_ssl_errors(vpninfo);
@@ -673,7 +674,8 @@ static int load_tpm_certificate(struct openconnect_info *vpninfo)
 return ret;
 }
 #else
-static int load_tpm_certificate(struct openconnect_info *vpninfo)
+static int load_tpm_certificate(struct openconnect_info *vpninfo,
+ const char *engine)
 {
 vpn_progress(vpninfo, PRG_ERR,
 _("This version of OpenConnect was built without TPM support\n"));
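Review bot: The new `engine` parameter of load_tpm_certificate is undocumented at the definition in the first hunk, and nothing there says which values are valid or who picks them; the only caller in this commit passes the literals "tpm" and "tpm2" chosen from the key file's PEM header line, and that coupling belongs next to the signature. Suggested comment above the function: `/* engine: OpenSSL ENGINE id to load the key through; the caller selects "tpm" or "tpm2" from the key file's PEM header. */`. The body of the function continues past the end of the hunk.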
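Review bot: After `e = ENGINE_by_id(engine);` the failure path still prints the fixed text "Can't load TPM engine.", so a missing or misconfigured tpm2 engine produces exactly the same diagnostic as a missing tpm engine and an operator reading the log cannot tell which engine to install or fix. Assuming vpn_progress takes printf-style arguments as it does elsewhere in OpenConnect, report the id that failed: `vpn_progress(vpninfo, PRG_ERR, _("Can't load %s engine.\n"), engine);`. What the function does with the engine once loaded lies outside this hunk.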
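Review bot: In the `#else` stub of load_tpm_certificate the new `engine` parameter is accepted but never referenced, which raises -Wunused-parameter on builds without HAVE_ENGINE; add `(void)engine;` as the first statement of the stub body so non-engine builds stay warning-clean. The stub's body continues past the end of the hunk.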
@@ -946,7 +948,10 @@ static int load_certificate(struct openconnect_info *vpninfo)
 while (fgets(buf, 255, f)) {
 if (!strcmp(buf, "-----BEGIN TSS KEY BLOB-----\n")) {
 fclose(f);
- return load_tpm_certificate(vpninfo);
+ return load_tpm_certificate(vpninfo, "tpm");
+ } else if (!strcmp(buf, "-----BEGIN TSS2 KEY BLOB-----\n")) {
+ fclose(f);
+ return load_tpm_certificate(vpninfo, "tpm2");
 } else if (!strcmp(buf, "-----BEGIN RSA PRIVATE KEY-----\n") ||
 !strcmp(buf, "-----BEGIN DSA PRIVATE KEY-----\n") ||
 !strcmp(buf, "-----BEGIN EC PRIVATE KEY-----\n") ||
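Review bot: The added TSS2 branch duplicates the TSS branch line for line except for the engine id, so the `fclose(f)` and `return load_tpm_certificate(...)` pair now exists twice and a future third engine would copy it a third time. A local `const char *engine` set by the two header comparisons, followed by a single `fclose(f); return load_tpm_certificate(vpninfo, engine);`, keeps one exit path for the engine case; the following `} else if (RSA ...` branch then becomes a plain `if`. The while loop and the remaining header checks continue past the end of the hunk.
```c
	while (fgets(buf, 255, f)) {
		const char *engine = NULL;

		if (!strcmp(buf, "-----BEGIN TSS KEY BLOB-----\n"))
			engine = "tpm";
		else if (!strcmp(buf, "-----BEGIN TSS2 KEY BLOB-----\n"))
			engine = "tpm2";
		if (engine) {
			fclose(f);
			return load_tpm_certificate(vpninfo, engine);
		}
		if (!strcmp(buf, "-----BEGIN RSA PRIVATE KEY-----\n") ||
		/* … unchanged: remaining PEM header checks and loop body … */
```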