From patchwork Thu Sep 30 01:33:08 2021
X-Patchwork-Submitter: Kristof Provost via Openvpn-devel
X-Patchwork-Id: 1976
X-Patchwork-Original-From: Petr Mikhalicin via Openvpn-devel
From: Kristof Provost via Openvpn-devel
Reply-To: Petr Mikhalicin
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 30 Sep 2021 14:33:08 +0300
Message-Id: <20210930113308.815777-1-mkh199740@mail.ru>
Subject: [Openvpn-devel] [PATCH] Add ability to specify initialize flags for pkcs11 provider

The new pkcs11-helper interface allows setting up a pkcs11 provider via properties:
https://github.com/alonbl/pkcs11-helper/commit/b78d21c7e26041746aa4ae3d08b95469e1714a85

pkcs11-helper also added the ability to set up init args for a pkcs11 provider:
https://github.com/alonbl/pkcs11-helper/commit/133f893e30856eba1de715ecd6fe176722eb3097

Signed-off-by: Petr Mikhalicin <mkh199740@mail.ru>

Sorry for the long delay in getting back on this. I somehow also missed the related discussion on Trac (https://community.openvpn.net/openvpn/ticket/1453)

I don't quite understand the need for exposing "init-args" to the user. The only two supported flags in the cryptoki docs are related to the use of threads. But we are the application and we should know what flags to pass --- not the user --- isn't it? If CKF_OS_LOCKING_OK is required, can't we just set it unconditionally? 

That said, OpenVPN2 is single threaded, so why is there a "bug in openvpn" related to the use of pkcs11 library from multiple threads referred to in the trac ticket?

Selva
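The two C_Initialize flags the reply above refers to, and the hex parsing the patch does with sscanf("%x") in add_option, in a stricter form as an added example (this is not code from the patch or from OpenVPN): the parser accepts the argument only when it is entirely a hex number and uses only the two bits the Cryptoki spec defines. The function and macro names are mine; the flag values are the standard ones.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* C_Initialize flag values from the PKCS#11 (Cryptoki) specification;
 * they are the only two bits defined for CK_C_INITIALIZE_ARGS.flags. */
#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001UL
#define CKF_OS_LOCKING_OK                  0x00000002UL
#define PKCS11_INIT_FLAGS_ALLOWED (CKF_LIBRARY_CANT_CREATE_OS_THREADS | CKF_OS_LOCKING_OK)

/* Strict alternative to sscanf(p[j], "%x", ...): parse `s` as a hex value
 * (optional 0x prefix), refuse anything that is not entirely a hex number,
 * and refuse any bit outside the two documented flags.  On success *out is
 * set and true is returned; on failure *out is left untouched and *why
 * points to a static reason string for the caller's log message. */
bool parse_pkcs11_init_flags(const char *s, unsigned *out, const char **why)
{
    char *end;
    unsigned long v;

    /* strtoul would silently skip leading blanks and accept a sign; reject both. */
    if (s == NULL || *s == '\0' || isspace((unsigned char)*s) || *s == '-' || *s == '+')
    {
        *why = "empty, blank or signed value";
        return false;
    }
    errno = 0;
    v = strtoul(s, &end, 16);
    if (errno == ERANGE || *end != '\0')
    {
        *why = "not a hexadecimal number";
        return false;
    }
    if (v & ~PKCS11_INIT_FLAGS_ALLOWED)
    {
        *why = "bits other than CKF_LIBRARY_CANT_CREATE_OS_THREADS/CKF_OS_LOCKING_OK set";
        return false;
    }
    *out = (unsigned)v;
    return true;
}

int main(void)
{
    /* Constructed sample arguments, as they might follow --pkcs11-init-flags. */
    const char *samples[] = { "2", "0x3", "4", "zz", "", "-1", "0x" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    {
        unsigned flags = 0;
        const char *why = NULL;
        if (parse_pkcs11_init_flags(samples[i], &flags, &why))
            printf("'%s' -> flags=0x%08x\n", samples[i], flags);
        else
            printf("'%s' -> rejected: %s\n", samples[i], why);
    }
    return 0;
}
```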
--- src/openvpn/init.c | 3 +- src/openvpn/options.c | 23 ++++++++++++ src/openvpn/options.h | 1 + src/openvpn/pkcs11.c | 82 ++++++++++++++++++++++++++++++++----------- src/openvpn/pkcs11.h | 3 +- 5 files changed, 90 insertions(+), 22 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 6d09e566..6af585ac 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -682,7 +682,8 @@ context_init_1(struct context *c) for (i = 0; ioptions.pkcs11_providers[i] != NULL; i++) { pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i], - c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]); + c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i], + c->options.pkcs11_init_flags[i]); } } #endif diff --git a/src/openvpn/options.c b/src/openvpn/options.c index b3a83aa1..0939ee86 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -664,6 +664,11 @@ static const char usage_message[] = " 8 : Use Unwrap.\n" "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n" " certificate can be accessed. Set for each provider.\n" + "--pkcs11-init-flags hex ... : PKCS#11 init flags.\n" + " It's bitwise OR of some PKCS#11 initialize flags.\n" + " Most popular of them is:\n" + " 1 : CKF_LIBRARY_CANT_CREATE_OS_THREADS\n" + " 2 : CKF_OS_LOCKING_OK\n" "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n" " cache until token is removed.\n" "--pkcs11-id-management : Acquire identity from management interface.\n" @@ -1838,6 +1843,13 @@ show_settings(const struct options *o) SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s"); } } + { + int i; + for (i = 0; ipkcs11_init_flags[i], "%08x"); + } + } SHOW_INT(pkcs11_pin_cache_period); SHOW_STR(pkcs11_id); SHOW_BOOL(pkcs11_id_management); 
@@ -8778,6 +8790,17 @@ add_option(struct options *options, options->pkcs11_cert_private[j-1] = atoi(p[j]) != 0 ? 1 : 0; } } + else if (streq(p[0], "pkcs11-init-flags")) + { + int j; + + VERIFY_PERMISSION(OPT_P_GENERAL); + + for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) + { + sscanf(p[j], "%x", &(options->pkcs11_init_flags[j-1])); + } + } else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 98c21a2a..2317528e 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -573,6 +573,7 @@ struct options unsigned pkcs11_private_mode[MAX_PARMS]; bool pkcs11_protected_authentication[MAX_PARMS]; bool pkcs11_cert_private[MAX_PARMS]; + unsigned pkcs11_init_flags[MAX_PARMS]; int pkcs11_pin_cache_period; const char *pkcs11_id; bool pkcs11_id_management; diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c index 02d0f51f..29db7ea4 100644 --- a/src/openvpn/pkcs11.c +++ b/src/openvpn/pkcs11.c @@ -374,12 +374,17 @@ pkcs11_terminate(void) bool pkcs11_addProvider( const char *const provider, - const bool protected_auth, + const bool _protected_auth, const unsigned private_mode, - const bool cert_private + const bool _cert_private, + const unsigned init_flags ) { CK_RV rv = CKR_OK; + int success = true; + PKCS11H_BOOL protected_auth = _protected_auth; + PKCS11H_BOOL cert_private = _cert_private; + CK_C_INITIALIZE_ARGS_PTR p_init_args; ASSERT(provider!=NULL); 
@@ -396,29 +401,66 @@ pkcs11_addProvider( provider ); - if ( - (rv = pkcs11h_addProvider( - provider, - provider, - protected_auth, - private_mode, - PKCS11H_SLOTEVENT_METHOD_AUTO, - 0, - cert_private - )) != CKR_OK - ) - { - msg(M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv)); + if ((rv = pkcs11h_registerProvider(provider)) != CKR_OK) { + msg(M_WARN, "PKCS#11: Cannot register provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv)); + success = false; + goto exit; + } + if ((rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_LOCATION, provider, strlen(provider) + 1)) != CKR_OK) { + msg(M_WARN, "PKCS#11: Cannot setup provider '%s' location '%s' %ld-'%s'", provider, provider, rv, pkcs11h_getMessage(rv)); + success = false; + goto cleanup; + } + if ((rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_ALLOW_PROTECTED_AUTH, &protected_auth, sizeof(protected_auth))) != CKR_OK) { + msg(M_WARN, "PKCS#11: Cannot setup provider '%s' ptorected auth mode '%s' %ld-'%s'", provider, protected_auth ? "true" : "false", rv, pkcs11h_getMessage(rv)); + success = false; + goto cleanup; + } + if ((rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_MASK_PRIVATE_MODE, &private_mode, sizeof(private_mode))) != CKR_OK) { + msg(M_WARN, "PKCS#11: Cannot setup provider '%s' private mask mode '%08x' %ld-'%s'", provider, private_mode, rv, pkcs11h_getMessage(rv)); + success = false; + goto cleanup; + } + if ((rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_CERT_IS_PRIVATE, &cert_private, sizeof(cert_private))) != CKR_OK) { + msg(M_WARN, "PKCS#11: Cannot setup provider '%s' private cert mode '%s' %ld-'%s'", provider, cert_private ? 
"true" : "false", rv, pkcs11h_getMessage(rv)); + success = false; + goto cleanup; } + // pkcs11-helper take ownership over this pointer + if ((p_init_args = malloc(sizeof(*p_init_args))) == NULL) { + msg(M_FATAL, "PKCS#11: Cannot allocate memory"); + success = false; + goto cleanup; + } + + memset(p_init_args, 0, sizeof(*p_init_args)); + p_init_args->flags = init_flags; + + if ((rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_INIT_ARGS, &p_init_args, sizeof(p_init_args))) != CKR_OK) { + msg(M_WARN, "PKCS#11: Cannot setup provider '%s' init flags '%08x' %ld-'%s'", provider, init_flags, rv, pkcs11h_getMessage(rv)); + free(p_init_args); + success = false; + goto cleanup; + } + if ((rv = pkcs11h_initializeProvider(provider)) != CKR_OK) { + success = false; + goto cleanup; + } + +cleanup: + if (!success) { + pkcs11h_removeProvider(provider); + } + +exit: dmsg( D_PKCS11_DEBUG, - "PKCS#11: pkcs11_addProvider - return rv=%ld-'%s'", - rv, - pkcs11h_getMessage(rv) - ); + "PKCS#11: pkcs11 registration is %s", + success ? "success" : "failed" + ); - return rv == CKR_OK; + return success; } int diff --git a/src/openvpn/pkcs11.h b/src/openvpn/pkcs11.h index ec524706..bf3f2dfa 100644 --- a/src/openvpn/pkcs11.h +++ b/src/openvpn/pkcs11.h @@ -42,7 +42,8 @@ pkcs11_addProvider( const char *const provider, const bool fProtectedAuthentication, const unsigned private_mode, - const bool fCertIsPrivate + const bool fCertIsPrivate, + const unsigned init_flags ); int
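Review bot: in the options.c usage_message hunk, the help text for --pkcs11-init-flags is ungrammatical ("It's bitwise OR of some PKCS#11 initialize flags. Most popular of them is:") and, unlike the neighbouring --pkcs11-* entries, does not say the value is given once per provider or that it is parsed as hexadecimal; suggest "--pkcs11-init-flags hex ... : PKCS#11 C_Initialize flags (bitwise OR, hex). Set for each provider." followed by the two flag lines.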
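Review bot: in the options.c add_option hunk, the return value of sscanf(p[j], "%x", ...) is never checked, so a value that is not hex (or has trailing garbage) is silently accepted and the flag entry keeps its previous contents instead of producing a configuration error like the other pkcs11 options do; suggest checking that sscanf returns 1 (or using strtoul and requiring the whole string to be consumed) and reporting the bad value through msg(msglevel, ...). Since the Cryptoki spec defines only CKF_LIBRARY_CANT_CREATE_OS_THREADS and CKF_OS_LOCKING_OK for C_Initialize, rejecting any other bit at parse time would also give the user a clear error rather than a provider that fails to initialize later.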
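Review bot: in the first pkcs11.c hunk (the pkcs11_addProvider signature), `int success = true;` should be `bool success = true;` since the function returns bool and only ever assigns true/false to it; and renaming the public parameters to `_protected_auth`/`_cert_private` just to have PKCS11H_BOOL copies makes the .c names diverge further from the pkcs11.h prototype (fProtectedAuthentication, fCertIsPrivate). Keep the parameter names and give the local copies the new names instead, e.g. `PKCS11H_BOOL allow_protected_auth = protected_auth;`.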
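Review bot: in the second pkcs11.c hunk, the `pkcs11h_initializeProvider(provider)` failure branch logs nothing at M_WARN, unlike every other failure in this function, so a provider that fails C_Initialize (for instance because of the new flags) is only visible as the debug-level "registration is failed" message; suggest keeping the message the hunk removes: `msg(M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv));`. Smaller points in the same hunk: after `msg(M_FATAL, ...)` the following `success = false; goto cleanup;` is unreachable because M_FATAL terminates the process; "ptorected auth mode" is a typo; the final dmsg drops the rv value the old message reported and reads "registration is success"; and the `) {` brace placement and `//` comment do not match the surrounding OpenVPN style (opening brace on its own line, `/* */` comments).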
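Review bot: in the pkcs11.h hunk, the new `init_flags` parameter is added without any comment on what it carries; a one-line note that it is the CK_C_INITIALIZE_ARGS.flags value handed to the provider's C_Initialize (bitwise OR of CKF_LIBRARY_CANT_CREATE_OS_THREADS and CKF_OS_LOCKING_OK) would save the next reader a trip through pkcs11.c, and the parameter name should match the one used in the .c definition.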