[AC_DEFINE(HAVE_GNUTLS_CERTIFICATE_SET_X509_SYSTEM_TRUST, 1)], [])
AC_CHECK_FUNC(gnutls_pkcs12_simple_parse,
[AC_DEFINE(HAVE_GNUTLS_PKCS12_SIMPLE_PARSE, 1)], [])
+ AC_CHECK_FUNC(gnutls_certificate_set_key,
+ [AC_DEFINE(HAVE_GNUTLS_CERTIFICATE_SET_KEY, 1)], [])
if test "$with_openssl" != "" || test "$with_openssl" = "no"; then
AC_CHECK_FUNC(gnutls_session_set_premaster,
[have_gnutls_dtls=yes], [have_gnutls_dtls=no])
const char *pin_description,
P11KitPinFlags flags,
void *_vpninfo);
-#if GNUTLS_VERSION_MAJOR >= 3
-#define HAVE_P11KIT_AND_GNUTLS_3
-#endif
#endif
#include "openconnect-internal.h"
{
gnutls_datum_t fdata;
gnutls_x509_privkey_t key = NULL;
-#ifdef HAVE_P11KIT
+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_KEY
gnutls_privkey_t pkey = NULL;
+#endif
+#ifdef HAVE_P11KIT
char *cert_url = (char *)vpninfo->cert;
char *key_url = (char *)vpninfo->sslkey;
#endif
fdata.data = NULL;
- if (vpninfo->cert_type == CERT_TYPE_TPM) {
- vpn_progress(vpninfo, PRG_ERR,
- _("TPM support not available with GnuTLS\n"));
- return -EINVAL;
- }
-
key_is_p11 = !strncmp(vpninfo->sslkey, "pkcs11:", 7);
cert_is_p11 = !strncmp(vpninfo->cert, "pkcs11:", 7);
/* Load certificate(s) first... */
#ifdef HAVE_P11KIT
-#ifndef HAVE_P11KIT_AND_GNUTLS_3
+#ifndef HAVE_GNUTLS_CERTIFICATE_SET_KEY
if (key_is_p11) {
/* With GnuTLS 2.12 we can't *see* the key so we can't
do the expiry check or fill in intermediate CAs. */
ret = 0;
goto out;
}
-#endif
+#endif /* PKCS#11 for GnuTLS v2.12 */
+
+ /* GnuTLS 2.12 *can* handle the cert being in PKCS#11, if the key
+ isn't. Although it's not clear why anyone would ever do that. */
if (cert_is_p11) {
vpn_progress(vpninfo, PRG_TRACE,
_("Using PKCS#11 certificate %s\n"), cert_url);
}
goto got_certs;
}
-#endif
+#endif /* HAVE_P11KIT */
vpn_progress(vpninfo, PRG_TRACE,
_("Using certificate file %s\n"), vpninfo->cert);
goto got_certs;
got_certs:
/* Now we have the certificate(s) and we're looking for the private key... */
-#ifdef HAVE_P11KIT_AND_GNUTLS_3
+#if defined (HAVE_P11KIT) && defined (HAVE_GNUTLS_CERTIFICATE_SET_KEY)
if (key_is_p11) {
gnutls_pkcs11_privkey_t p11key = NULL;
goto out;
}
+ if (vpninfo->cert_type == CERT_TYPE_TPM ||
+ (vpninfo->cert_type == CERT_TYPE_UNKNOWN &&
+ strstr((char *)fdata.data, "-----BEGIN TSS KEY BLOB-----"))) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("This version of OpenConnect was built without TPM support\n"));
+ return -EINVAL;
+ }
+
gnutls_x509_privkey_init(&key);
/* Try PKCS#1 (and PKCS#8 without password) first. GnuTLS doesn't
support OpenSSL's old PKCS#1-based encrypted format. We should
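Review bot: The new TPM check at L71–L77 bails out with a bare `return -EINVAL;`, but unlike the check it replaces (which ran before anything was loaded, with `fdata.data = NULL`) it now sits after the certificate(s) have been loaded, so `fdata.data` and any cert/URL allocations freed at the `out:` label leak on this path. Every other failure in this region uses the cleanup label; change the two lines to `ret = -EINVAL;` and `goto out;` so the `gnutls_free(fdata.data)` / PKCS#11 URL cleanup runs. Separately, `strstr((char *)fdata.data, ...)` requires the file contents to be NUL-terminated — the loader that fills `fdata` is outside this hunk, so confirm it appends a terminator (or use a length-bounded search) before relying on it. The enclosing function starts and ends outside this hunk.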
_("Adding supporting CA '%s'\n"), name);
}
-#ifdef HAVE_P11KIT_AND_GNUTLS_3
+#if defined(HAVE_GNUTLS_CERTIFICATE_SET_KEY)
if (pkey) {
/* Ug. If we got a gnutls_privkey_t from PKCS#11 rather than the
gnutls_x509_privkey_t that we get from PEM or PKCS#12 files, then
gnutls_free(extra_certs);
gnutls_free(supporting_certs);
gnutls_free(fdata.data);
-#ifdef HAVE_P11KIT
+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_KEY
if (pkey)
gnutls_privkey_deinit(pkey);
+#endif
+#ifdef HAVE_P11KIT
if (cert_url != vpninfo->cert)
free(cert_url);
if (key_url != vpninfo->sslkey)