From patchwork Fri Jan 20 02:18:41 2023
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 3008
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 19 Jan 2023 21:18:41 -0500
Message-Id: <20230120021841.2048791-1-selva.nair@gmail.com>
X-Mailer: git-send-email 2.34.1
Subject: [Openvpn-devel] [PATCH] Warn when pkcs11-id or pkcs11-id-management options are ignored

From: Selva Nair

- If there are no pkcs11-providers either directly specified or through p11-kit-proxy made available through a build-time detection, these options are ignored. Log a warning in such cases. Especially important on Windows where automatic loading of p11-kit is not enabled in our release builds.

- Document this behaviour.
Signed-off-by: Selva Nair Acked-By: Frank Lichtenheld --- doc/man-sections/pkcs11-options.rst | 23 ++++++++++++++--------- src/openvpn/options.c | 9 +++++++++ 2 files changed, 23 insertions(+), 9 deletions(-) diff --git a/doc/man-sections/pkcs11-options.rst b/doc/man-sections/pkcs11-options.rst index c064aca5..de1662b7 100644 --- a/doc/man-sections/pkcs11-options.rst +++ b/doc/man-sections/pkcs11-options.rst @@ -13,7 +13,8 @@ PKCS#11 / SmartCard options --pkcs11-id name Specify the serialized certificate id to be used. The id can be gotten - by the standalone ``--show-pkcs11-ids`` option. + by the standalone ``--show-pkcs11-ids`` option. See also the description + of ``--pkcs11-providers`` option. --pkcs11-id-management Acquire PKCS#11 id from management interface. In this case a @@ -21,6 +22,7 @@ PKCS#11 / SmartCard options application may use pkcs11-id-count command to retrieve available number of certificates, and pkcs11-id-get command to retrieve certificate id and certificate body. + See also the description of ``--pkcs11-providers`` option. --pkcs11-pin-cache seconds Specify how many seconds the PIN can be cached, the default is until the 
@@ -51,15 +53,18 @@ PKCS#11 / SmartCard options pkcs11-protected-authentication 0 pkcs11-protected-authentication 1 ---pkcs11-providers provider +--pkcs11-providers providers Specify an RSA Security Inc. PKCS #11 Cryptographic Token Interface - (Cryptoki) providers to load. This option can be used instead of - ``--cert``, ``--key`` and ``--pkcs12``. - - If p11-kit is present on the system, its :code:`p11-kit-proxy.so` module - will be loaded by default if either the ``--pkcs11-id`` or - ``--pkcs11-id-management`` options are specified without - ``--pkcs11-provider`` being given. + (Cryptoki) providers to load. A space-separated list of one or more + provider library names may be specified. This option along with ``--pkcs11-id`` + or ``pkcs11-id-management`` can be used instead of + ``--cert`` and ``--key`` or ``--pkcs12``. + + If p11-kit is present on the system and was enabled during build, its + :code:`p11-kit-proxy.so` module will be loaded by default if either + the ``--pkcs11-id`` or ``--pkcs11-id-management`` options is present without + ``--pkcs11-providers``. If default loading is not enabled in the build and + no providers are specified, the former options will be ignored. --show-pkcs11-ids args (Standalone) Show PKCS#11 token object list. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 4932a869..f24af3d7 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2855,6 +2855,15 @@ options_postprocess_verify_ce(const struct options *options, { check_ca_required(options); #ifdef ENABLE_PKCS11 + if (!options->pkcs11_providers[0] && options->pkcs11_id) + { + msg(M_WARN, "Option pkcs11-id is ignored as no pkcs11-providers are specified"); + } + else if (!options->pkcs11_providers[0] && options->pkcs11_id_management) + { + msg(M_WARN, "Option pkcs11-id-management is ignored as no pkcs11-providers are specified"); + } + if (options->pkcs11_providers[0]) { if (options->pkcs11_id_management && options->pkcs11_id != NULL)
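Review bot: In the ``--pkcs11-providers`` hunk of doc/man-sections/pkcs11-options.rst, the rewritten paragraph refers to ``pkcs11-id-management`` without the ``--`` prefix while the option beside it is written ``--pkcs11-id``; write ``--pkcs11-id-management`` so the page is consistent. Two wording points in the same hunk: "either the ``--pkcs11-id`` or ``--pkcs11-id-management`` options is present" mixes plural and singular (either ... option is present), and "the former options will be ignored" would read more clearly if it named the two options, since "former" has to be resolved across a sentence boundary.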
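Review bot: In the options_postprocess_verify_ce hunk of src/openvpn/options.c, the `else if` means a configuration that sets both `--pkcs11-id` and `--pkcs11-id-management` without providers warns only about pkcs11-id, although both options are ignored in that case; two independent `if` statements, or one message naming both options, would report the full situation. It is also worth stating in the commit message that the build-time p11-kit default described in the doc hunk (p11-kit-proxy.so loaded when no providers are given) fills `pkcs11_providers[0]` before this check runs, since otherwise a p11-kit-enabled build would emit the warning and then load the proxy anyway; a one-line comment above the new checks recording that ordering would help the next reader.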