Add openconnect_has_pkcs11_support()
authorDavid Woodhouse <David.Woodhouse@intel.com>
Mon, 11 Jun 2012 13:57:39 +0000 (14:57 +0100)
committerDavid Woodhouse <David.Woodhouse@intel.com>
Mon, 11 Jun 2012 13:57:44 +0000 (14:57 +0100)
Theoretically, the OpenSSL side can (and should) gain PKCS#11 support at
some point. There *is* a PKCS#11 engine, although it seems somewhat unloved.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
libopenconnect.map.in
library.c
openconnect.h

index 4773241..e459764 100644 (file)
@@ -26,6 +26,7 @@ OPENCONNECT_2.0 {
        openconnect_get_cert_details;
        openconnect_get_cert_DER;
        openconnect_init_ssl;
+       openconnect_has_pkcs11_support;
 };
 
 OPENCONNECT_PRIVATE {
index 92b7c25..c90f32a 100644 (file)
--- a/library.c
+++ b/library.c
@@ -226,3 +226,12 @@ const char *openconnect_get_version (void)
 {
        return openconnect_version_str;
 }
+
+int openconnect_has_pkcs11_support(void)
+{
+#if defined (OPENCONNECT_GNUTLS) && defined (HAVE_P11KIT)
+       return 1;
+#else
+       return 0;
+#endif
+}
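Review bot: The `#if defined (OPENCONNECT_GNUTLS) && defined (HAVE_P11KIT)` test in openconnect_has_pkcs11_support() falls through to `return 0` without any diagnostic if either macro is not visible in library.c, for example if the configure-generated header is not included there. The file's includes are outside this hunk, so that is worth confirming. The guard also needs to stay identical to whatever condition enables PKCS#11 URL handling in the GnuTLS certificate-loading code, otherwise the function will misreport the capability to front ends. A one-line comment above the `#if` would record that coupling, e.g. `/* Keep in sync with the PKCS#11 guard in the GnuTLS cert loader */`.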
index e4787a7..3dd5303 100644 (file)
@@ -36,6 +36,7 @@
 /*
  * API version 2.0:
  *  - OPENCONNECT_X509 is now an opaque type.
+ *  - Add openconnect_has_pkcs11_support()
  *  - Rename openconnect_init_openssl() -> openconnect_init_ssl()
  *  - Rename openconnect_vpninfo_new_with_cbdata() -> openconnect_vpninfo_new()
  *    and kill the old openconnect_vpninfo_new() and its callback types.
@@ -232,4 +233,8 @@ struct openconnect_info *openconnect_vpninfo_new (char *useragent,
                                                  void *privdata);
 void openconnect_vpninfo_free (struct openconnect_info *vpninfo);
 
+/* SSL certificate capabilities. openconnect_has_pkcs11_support() means that we
+   can accept PKCS#11 URLs in place of filenames, for the certificate and key. */
+int openconnect_has_pkcs11_support(void);
+
 #endif /* __OPENCONNECT_H__ */
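Review bot: The comment above the `openconnect_has_pkcs11_support()` declaration does not state the return contract, nor that the answer is fixed at build time rather than probed at run time. A caller could read a non-zero result as "a token or module is usable" and skip its own error handling when the certificate or key fails to load. On builds that return 0, the comment implies a `pkcs11:` string would be treated as an ordinary filename, so front ends should reject such input themselves rather than pass it through. Suggested wording: `/* Returns 1 if this build accepts PKCS#11 URLs in place of filenames for the certificate and key, 0 if not. Build-time capability only; no token or module is probed. */`.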