From ac58eafa3223ef40b9b60765b0b3d118f338fffc Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Wed, 12 Dec 2018 14:34:00 +0100
Subject: Add support for RSA decryption using PKCS #11 tokens
Add support for loading RSA private key files from PKCS #11 tokens, identified by PKCS #11 URIs. Add a new 'pkcs11_libs' UAT which can dynamically load PKCS #11 provider libraries that are not found by p11-kit. The configuration GUI will need additional code to discover available PKCS #11 tokens and will be added later. This feature requires GnuTLS 3.4 with PKCS #11 support, so Windows, macOS via Homebrew, Ubuntu 16.04, Debian Stretch. Not supported: RHEL7. Currently macOS via official packages disables PKCS #11 support, so that will also not work.
Change-Id: I20646bfd69c6bd13c8c2d27cb65c164a4b0b7a66
Reviewed-on: https://code.wireshark.org/review/30855
Petri-Dish: Peter Wu
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu
---
 CMakeLists.txt | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
(limited to 'CMakeLists.txt')
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a228d3bbcf..e175bc6177 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -990,7 +990,7 @@ if(ENABLE_SMI)
 set(PACKAGELIST ${PACKAGELIST} SMI)
 endif()
-# GNU SSL/TLS support
+# Support for TLS decryption using RSA private keys.
 if(ENABLE_GNUTLS)
 set(PACKAGELIST ${PACKAGELIST} GNUTLS)
 # Minimum version needed.
@@ -1167,6 +1167,22 @@ if(HAVE_LIBLUA)
 set(HAVE_LUA_H 1)
 set(HAVE_LUA 1)
 endif()
+if(GNUTLS_FOUND AND NOT GNUTLS_VERSION VERSION_LESS "3.4.0")
+ # While all Linux and Windows builds have PKCS #11 support enabled,
+ # macos-setup.sh explicitly disables it using --without-p11-kit.
+ #
+ # Require at least GnuTLS 3.4.0 such that public keys can be calculated
+ # from PKCS #11 private keys.
+ include(CheckSymbolExists)
+ cmake_push_check_state()
+ if(WIN32)
+ set(CMAKE_REQUIRED_DEFINITIONS -Dssize_t=int)
+ endif()
+ set(CMAKE_REQUIRED_INCLUDES ${GNUTLS_INCLUDE_DIRS})
+ set(CMAKE_REQUIRED_LIBRARIES ${GNUTLS_LIBRARIES})
+ check_symbol_exists(gnutls_pkcs11_obj_list_import_url4 gnutls/pkcs11.h HAVE_GNUTLS_PKCS11)
+ cmake_pop_check_state()
+endif()
 if(HAVE_LIBKERBEROS)
 set(HAVE_KERBEROS 1)
 endif()
-- cgit v1.2.3
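Review bot: HAVE_GNUTLS_PKCS11 is turned on purely by auto-detection in the added block, so every build against a GnuTLS that exports the symbol gets the PKCS #11 code with no opt-out and no configure-time message saying so. The commit description says the feature comes with a 'pkcs11_libs' table that loads provider libraries dynamically, which brings third-party modules into the process; packagers of restricted builds would likely want an explicit switch. One way is an `option()` (placeholder name `ENABLE_PKCS11`) with the condition extended to `if(ENABLE_PKCS11 AND GNUTLS_FOUND AND NOT GNUTLS_VERSION VERSION_LESS "3.4.0")`, plus a `message(STATUS ...)` reporting the result. Separately, the block calls `cmake_push_check_state()` but includes only CheckSymbolExists; adding `include(CMakePushCheckState)` beside it would make the block self-contained, unless that module is already included earlier in the file, which the hunk does not show.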