From patchwork Sun Dec 11 19:21:24 2022
X-Patchwork-Submitter: Marc Becker
X-Patchwork-Id: 2897
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 11 Dec 2022 20:21:24 +0100
Message-Id: <20221211192124.1126-1-marc.becker@astos.de>
In-Reply-To: <1386e3cc-fc65-aa68-fa88-3639f6aec5a2@astos.de>
References: <1386e3cc-fc65-aa68-fa88-3639f6aec5a2@astos.de>
Subject: [Openvpn-devel] [PATCH v2 3/3] special handling for PKCS11 providers on win32
From: Marc Becker

Change win32 dynamic loader behavior when supplying an absolute path.
The DLL location is considered/preferred to resolve dependencies.
Support in pkcs11-helper for loader flag is detected at compile time.
3rd party DLLs and additional dependencies do not need to be moved to the OpenVPN directory or require changes to %PATH% configuration.

The included changes to pkcs11-helper are pending and can be removed as soon as a compatible version is released/referenced.

Signed-off-by: Marc Becker
---
v2: compress code change and add transitional pkcs11-helper patch
---
 ...cs11-helper-002-dynamic_loader_flags.patch | 105 ++++++++++++++++++
 .../vcpkg-ports/pkcs11-helper/portfile.cmake  |   1 +
 src/openvpn/pkcs11.c                          |   7 ++
 3 files changed, 113 insertions(+)
 create mode 100644 contrib/vcpkg-ports/pkcs11-helper/pkcs11-helper-002-dynamic_loader_flags.patch

diff --git a/contrib/vcpkg-ports/pkcs11-helper/pkcs11-helper-002-dynamic_loader_flags.patch b/contrib/vcpkg-ports/pkcs11-helper/pkcs11-helper-002-dynamic_loader_flags.patch
new file mode 100644
index 00000000..cdefa20a
--- /dev/null
+++ b/contrib/vcpkg-ports/pkcs11-helper/pkcs11-helper-002-dynamic_loader_flags.patch 
@@ -0,0 +1,105 @@ +From 934197611dd1260d17ae0f11ae81c1d2e85612d2 Mon Sep 17 00:00:00 2001 +From: Marc Becker +Date: Fri, 22 Jul 2022 10:33:05 +0200 +Subject: [PATCH] core: add provider property for loader flags + +support flags for dynamic loader via provider property +set original values as defaults, use verbatim (user-supplied) value +--- + include/pkcs11-helper-1.0/pkcs11h-core.h | 11 ++++++++++- + lib/_pkcs11h-core.h | 2 ++ + lib/pkcs11h-core.c | 13 +++++++++++-- + 3 files changed, 23 insertions(+), 3 deletions(-) + +diff --git a/include/pkcs11-helper-1.0/pkcs11h-core.h b/include/pkcs11-helper-1.0/pkcs11h-core.h +index 9028c27..56f8771 100644 +--- a/include/pkcs11-helper-1.0/pkcs11h-core.h ++++ b/include/pkcs11-helper-1.0/pkcs11h-core.h +@@ -384,8 +384,17 @@ extern "C" { + */ + #define PKCS11H_PROVIDER_PROPERTY_PROVIDER_DESTRUCT_HOOK_DATA 8 + ++/** ++ * @brief Provider loader flags for platform. ++ * Value type is unsigned. ++ * Default value is platform dependent: ++ * win32 -> 0 ++ * dlopen -> RTLD_NOW | RTLD_LOCAL ++ */ ++#define PKCS11H_PROVIDER_PROPERTY_LOADER_FLAGS 9 ++ + /** @private */ +-#define _PKCS11H_PROVIDER_PROPERTY_LAST 9 ++#define _PKCS11H_PROVIDER_PROPERTY_LAST 10 + + /** @} */ + +diff --git a/lib/_pkcs11h-core.h b/lib/_pkcs11h-core.h +index f879c0e..1c02e35 100644 +--- a/lib/_pkcs11h-core.h ++++ b/lib/_pkcs11h-core.h +@@ -134,6 +134,8 @@ struct _pkcs11h_provider_s { + #if defined(ENABLE_PKCS11H_SLOTEVENT) + _pkcs11h_thread_t slotevent_thread; + #endif ++ ++ unsigned loader_flags; + }; + + struct _pkcs11h_session_s { +diff --git a/lib/pkcs11h-core.c b/lib/pkcs11h-core.c +index 0bf11e8..409ad9e 100644 +--- a/lib/pkcs11h-core.c ++++ b/lib/pkcs11h-core.c +@@ -138,6 +138,7 @@ static const char * __pkcs11h_provider_preperty_names[] = { + "init_args", + "provider_destruct_hook", + "provider_destruct_hook_data", ++ "provider_loader_flags", + NULL + }; + +@@ -916,6 +917,10 @@ pkcs11h_registerProvider ( + reference + ); + ++#if !defined(_WIN32) ++ 
provider->loader_flags = RTLD_NOW | RTLD_LOCAL; ++#endif ++ + _PKCS11H_DEBUG ( + PKCS11H_LOG_DEBUG2, + "PKCS#11: pkcs11h_registerProvider Provider '%s'", +@@ -1001,6 +1006,7 @@ pkcs11h_setProviderPropertyByName ( + case PKCS11H_PROVIDER_PROPERTY_SLOT_EVENT_METHOD: + case PKCS11H_PROVIDER_PROPERTY_MASK_PRIVATE_MODE: + case PKCS11H_PROVIDER_PROPERTY_SLOT_POLL_INTERVAL: ++ case PKCS11H_PROVIDER_PROPERTY_LOADER_FLAGS: + *(unsigned *)value = (unsigned)strtol(value_str, 0, 0); + value_size = sizeof(unsigned); + break; +@@ -1084,6 +1090,9 @@ __pkcs11h_providerPropertyAddress( + case PKCS11H_PROVIDER_PROPERTY_PROVIDER_DESTRUCT_HOOK_DATA: + *value = &provider->destruct_hook_data; + *value_size = sizeof(provider->destruct_hook_data); ++ case PKCS11H_PROVIDER_PROPERTY_LOADER_FLAGS: ++ *value = &provider->loader_flags; ++ *value_size = sizeof(provider->loader_flags); + break; + } + rv = CKR_OK; +@@ -1254,9 +1263,9 @@ pkcs11h_initializeProvider ( + } + + #if defined(_WIN32) +- provider->handle = LoadLibraryA (provider->provider_location); ++ provider->handle = LoadLibraryExA (provider->provider_location, NULL, provider->loader_flags); + #else +- provider->handle = dlopen (provider->provider_location, RTLD_NOW | RTLD_LOCAL); ++ provider->handle = dlopen (provider->provider_location, provider->loader_flags); + #endif + + if (provider->handle == NULL) { +-- +2.30.2 + diff --git a/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake b/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake index 4432b550..1c6cedac 100644 --- a/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake +++ b/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake @@ -14,6 +14,7 @@ vcpkg_extract_source_archive_ex( 0001-nmake-compatibility-with-vcpkg-nmake.patch 0002-config-w32-vc.h.in-indicate-OpenSSL.patch pkcs11-helper-001-RFC7512.patch + pkcs11-helper-002-dynamic_loader_flags.patch ) vcpkg_build_nmake( diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c index b74ac8f4..aa027337 100644 --- a/src/openvpn/pkcs11.c 
+++ b/src/openvpn/pkcs11.c @@ -420,6 +420,13 @@ pkcs11_addProvider( { rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_CERT_IS_PRIVATE, &cert_is_private, sizeof(cert_is_private)); } +#if defined(WIN32) && defined(PKCS11H_PROVIDER_PROPERTY_LOADER_FLAGS) + if (rv == CKR_OK && platform_absolute_pathname(provider)) + { + unsigned loader_flags = LOAD_LIBRARY_SEARCH_DEFAULT_DIRS | LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR; + rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_LOADER_FLAGS, &loader_flags, sizeof(loader_flags)); + } +#endif if (rv != CKR_OK || (rv = pkcs11h_initializeProvider(provider)) != CKR_OK) {
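Review bot: the `__pkcs11h_providerPropertyAddress` change inside the new pkcs11-helper-002-dynamic_loader_flags.patch (the `@@ -1084,6 +1090,9 @@` region of the new-file hunk) has a fall-through bug: `case PKCS11H_PROVIDER_PROPERTY_LOADER_FLAGS:` is inserted between the two assignments of the `PKCS11H_PROVIDER_PROPERTY_PROVIDER_DESTRUCT_HOOK_DATA` case and that case's `break;`, so a get/set of the destruct-hook data now continues into the new case and `*value`/`*value_size` end up pointing at `provider->loader_flags` instead of `provider->destruct_hook_data`. Add a `break;` before the new case (equivalently, place the new case after the existing `break;`). Two smaller points in the same file: `pkcs11h_registerProvider` only sets the dlopen default under `#if !defined(_WIN32)`, so the `win32 -> 0` default promised in the header comment holds only if the provider struct is zero-initialised, which this hunk does not show; an explicit `#else` assigning `provider->loader_flags = 0;` would make the documented default self-evident. And since `pkcs11h_setProviderPropertyByName` hands the `strtol(value_str, 0, 0)` result straight to `dlopen`/`LoadLibraryExA`, the "use verbatim (user-supplied) value" note in the commit message should make clear that the property is a trusted, caller-controlled setting rather than something taken from untrusted input.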
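Review bot: the guard `#if defined(WIN32) && defined(PKCS11H_PROVIDER_PROPERTY_LOADER_FLAGS)` in src/openvpn/pkcs11.c tests `WIN32`, while the pkcs11-helper patch in this same series tests `_WIN32`; OpenVPN's tree conventionally uses `_WIN32`, so the two should agree or this block risks being compiled out on some builds. The flag choice itself is the right hardening: `LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR | LOAD_LIBRARY_SEARCH_DEFAULT_DIRS` resolves the provider's dependencies from the DLL's own directory plus the application, System32 and user directories and excludes the current working directory and %PATH%, which are the usual DLL-planting locations. Two caveats deserve a comment next to the flags: the `LOAD_LIBRARY_SEARCH_*` flags are only honoured on Windows 8 and later, or on Windows 7/Vista with KB2533623 installed (older loaders reject them with ERROR_INVALID_PARAMETER), so the minimum supported platform should be stated; and when `platform_absolute_pathname(provider)` is false nothing is set, so a relative provider path keeps the legacy search order, which is consistent with the commit message but worth saying in the code. Finally, because the property is only set when the helper defines the macro, a build against an older pkcs11-helper silently loses the behaviour; a debug log line in an `#else` branch would make that visible at runtime.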