Add openconnect_has_tss_blob_support()
authorDavid Woodhouse <David.Woodhouse@intel.com>
Mon, 11 Jun 2012 20:58:02 +0000 (21:58 +0100)
committerDavid Woodhouse <David.Woodhouse@intel.com>
Mon, 11 Jun 2012 20:58:02 +0000 (21:58 +0100)
Turns out TSS key blob support might not be entirely OpenSSL-specific; we should be able
to support it in GnuTLS too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
libopenconnect.map.in
library.c
main.c
openconnect.h

index e459764..b6dc842 100644 (file)
@@ -26,6 +26,7 @@ OPENCONNECT_2.0 {
        openconnect_get_cert_details;
        openconnect_get_cert_DER;
        openconnect_init_ssl;
+       openconnect_has_tss_blob_support;
        openconnect_has_pkcs11_support;
 };
 
index c90f32a..7aa55db 100644 (file)
--- a/library.c
+++ b/library.c
@@ -235,3 +235,22 @@ int openconnect_has_pkcs11_support(void)
        return 0;
 #endif
 }
+
+#if defined (OPENCONNECT_OPENSSL) && defined (HAVE_ENGINE)
+#include <openssl/engine.h>
+#endif
+int openconnect_has_tss_blob_support(void)
+{
+#if defined (OPENCONNECT_OPENSSL) && defined (HAVE_ENGINE)
+       ENGINE *e;
+
+       ENGINE_load_builtin_engines();
+
+       e = ENGINE_by_id("tpm");
+       if (e) {
+               ENGINE_free(e);
+               return 1;
+       }
+#endif
+       return 0;
+}
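Review bot: When the `ENGINE_by_id("tpm")` lookup fails, OpenSSL (1.0.x at least) pushes ENGINE_R_NO_SUCH_ENGINE plus whatever the dynamic-loader fallback reported onto the thread's error queue, and this probe returns 0 without draining it, so a later unrelated TLS call on the same thread can surface a stale engine error. Add `ERR_clear_error();` just before the `#endif` in the OpenSSL branch, with `#include <openssl/err.h>` beside the engine include. It is also worth a comment that this is not a pure query: if no built-in engine has that id, `ENGINE_by_id()` falls back to the dynamic engine and loads a shared object named tpm from `$OPENSSL_ENGINES` or the compiled-in engines directory, so merely calling this function executes engine code, e.g. `/* Probe by actually loading the engine (dynamic fallback via $OPENSSL_ENGINES); side effect, not a pure query. */`.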
diff --git a/main.c b/main.c
index 77de51a..8e74d99 100644 (file)
--- a/main.c
+++ b/main.c
@@ -180,9 +180,11 @@ static void helpmessage(void)
 
 static void print_build_opts(void)
 {
-       openconnect_init_ssl();
 #if defined (OPENCONNECT_OPENSSL) && defined (HAVE_ENGINE)
-       printf(_("Using OpenSSL with TPM ENGINE support\n"));
+       if (openconnect_has_tss_blob_support())
+               printf(_("Using OpenSSL with TPM ENGINE support. Loading TPM engine succeeded.\n"));
+       else
+               printf(_("Using OpenSSL with TPM ENGINE support, but loading TPM engine failed.\n"));
 #elif defined (OPENCONNECT_OPENSSL)
        printf(_("Using OpenSSL without TPM ENGINE support\n"));
 #elif defined (OPENCONNECT_GNUTLS) && defined (HAVE_P11KIT)
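Review bot: The `openconnect_init_ssl()` call is dropped from print_build_opts() without replacement, so on this path the first OpenSSL use is the probe inside `openconnect_has_tss_blob_support()`; that presumably works because the probe calls `ENGINE_load_builtin_engines()` itself, which is not visible from this file. A one-line comment above the `#if` would stop the next reader from re-adding the init: `/* No openconnect_init_ssl() needed here: the TPM probe loads the engines itself. */`. The failure message also gives no hint where the engine was looked for; naming `$OPENSSL_ENGINES` in it would make the message actionable. print_build_opts() continues past this hunk, so whether any later line still relied on the old init cannot be checked here.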
index 3dd5303..6410657 100644 (file)
@@ -36,7 +36,7 @@
 /*
  * API version 2.0:
  *  - OPENCONNECT_X509 is now an opaque type.
- *  - Add openconnect_has_pkcs11_support()
+ *  - Add openconnect_has_pkcs11_support(), openconnect_has_tss_blob_support()
  *  - Rename openconnect_init_openssl() -> openconnect_init_ssl()
  *  - Rename openconnect_vpninfo_new_with_cbdata() -> openconnect_vpninfo_new()
  *    and kill the old openconnect_vpninfo_new() and its callback types.
@@ -237,4 +237,9 @@ void openconnect_vpninfo_free (struct openconnect_info *vpninfo);
    can accept PKCS#11 URLs in place of filenames, for the certificate and key. */
 int openconnect_has_pkcs11_support(void);
 
+/* The OpenSSL TPM ENGINE stores keys in a PEM file labelled with the string
+   -----BEGIN TSS KEY BLOB-----. GnuTLS may learn to support this format too,
+   in the near future. */
+int openconnect_has_tss_blob_support(void);
+
 #endif /* __OPENCONNECT_H__ */
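Review bot: The new comment above `openconnect_has_tss_blob_support()` explains the PEM label but not the function's contract: what the return value means, that it is a probe with a side effect (it loads the TPM engine into the process, which a `--version`-style caller may not expect), and that it is only ever non-zero on OpenSSL builds with ENGINE support at present. Suggest extending it with: `Returns non-zero if the TPM engine can be loaded, i.e. such blobs are usable as the private key. Note: probing loads the engine; currently always 0 on GnuTLS builds.`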