From patchwork Mon Feb 18 04:31:28 2019
X-Patchwork-Submitter: Hilko Bengen
X-Patchwork-Id: 686
X-Patchwork-Delegate: davids@openvpn.net
From: Hilko Bengen
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 18 Feb 2019 16:31:28 +0100
Message-Id: <20190218153129.3818-1-bengen@hilluzination.de>
Subject: [Openvpn-devel] [PATCH] Do not set pkcs11-helper "safe fork mode"

From the pkcs11-helper API documentation about pkcs11h_setForkMode():

> This function is relevant if PKCS11H_FEATURE_MASK_THREADING is
> set. If safe mode is on, the child process can use the loaded
> PKCS#11 providers but it cannot use fork(), while it is in one of
> the hooks functions, since locked mutexes cannot be released.

As far as I can tell, pkcs11-helper functionality is not used in a child process that is created after initialization. Even if OpenVPN is turned into a daemon, the pkcs11-helper library is only initialized after calling possibly_become_daemon(), i.e. in the child process. All other uses of fork() are immediately followed by an exec().

This simple change fixes the symptoms described in both (hang on password prompt when systemd support is enabled) and (hang on initialization with newer versions of pkcs11-helper).

I have successfully tested that this makes the described symptoms go away.
For this, I used a YubiKey NEO on Debian/stable, a rebuild of OpenVPN 2.4.6 and two versions of libpkcs11-helper:
- libpkcs11-helper 1.21-1 from Debian/stretch
- a backport of libpkcs11-helper 1.25-1 from Debian/buster
--- src/openvpn/pkcs11.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c index 93f8580a..d40ca458 100644 --- a/src/openvpn/pkcs11.c +++ b/src/openvpn/pkcs11.c @@ -312,7 +312,7 @@ pkcs11_initialize( pkcs11h_setLogLevel(_pkcs11_msg_openvpn2pkcs11(get_debug_level())); - if ((rv = pkcs11h_setForkMode(TRUE)) != CKR_OK) + if ((rv = pkcs11h_setForkMode(FALSE)) != CKR_OK) { msg(M_FATAL, "PKCS#11: Cannot set fork mode %ld-'%s'", rv, pkcs11h_getMessage(rv)); goto cleanup;
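Review bot: nothing at the call site in pkcs11_initialize() records the invariant that makes pkcs11h_setForkMode(FALSE) safe, namely that this function runs after possibly_become_daemon() and that every later fork() in OpenVPN is immediately followed by exec(), as the commit message argues. The quoted documentation says that with safe mode off a child process can no longer rely on the loaded providers, so a future fork() without exec(), or a reordering of daemonization relative to PKCS#11 setup, would bring the hang back silently. Suggest a short comment directly above the changed line, e.g. `/* Safe fork mode is not needed: pkcs11-helper is never used in a process forked after this point. */`, and keeping the existing M_FATAL path on a non-CKR_OK return, since the call can still fail for reasons unrelated to the chosen mode.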
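The hazard the quoted pkcs11h_setForkMode() documentation alludes to ("locked mutexes cannot be released") is the general fork-after-threads problem: fork() copies a locked mutex into the child but not the thread that locked it. The following is an added example, not code from OpenVPN or pkcs11-helper; it models a helper library's provider lock as a plain pthread mutex and models "safe fork mode" as pthread_atfork() prepare/parent/child handlers. That modelling is an assumption about what the library does internally, and the names provider_lock and fork_while_locked() are hypothetical. It shows both outcomes: with the handlers off the child finds the lock permanently busy (the hang the patch removes the need to guard against), and with them on the forking thread first waits for the lock, so both processes start with a lock they own. It also shows why, as the documentation warns, forking from inside a hook that already holds the lock would deadlock in the prepare handler.

```c
/*
 * Added example (not OpenVPN or pkcs11-helper code).  Build with:
 *   cc -pthread fork_demo.c -o fork_demo
 */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical stand-in for the lock a helper library holds around a
 * provider call while a worker/hook thread is inside that call. */
static pthread_mutex_t provider_lock = PTHREAD_MUTEX_INITIALIZER;

/* Bookkeeping used only to sequence the demo. */
static pthread_mutex_t gate = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t gate_cv = PTHREAD_COND_INITIALIZER;
static int worker_holds_lock = 0;
static int safe_mode_enabled = 0;
static pthread_once_t atfork_once = PTHREAD_ONCE_INIT;

/* Worker thread: take provider_lock, announce it, hold it for 300 ms,
 * then release.  This is the thread that will not exist in the child. */
static void *worker(void *arg)
{
    struct timespec hold = { 0, 300L * 1000 * 1000 };
    (void)arg;
    pthread_mutex_lock(&provider_lock);
    pthread_mutex_lock(&gate);
    worker_holds_lock = 1;
    pthread_cond_broadcast(&gate_cv);
    pthread_mutex_unlock(&gate);
    nanosleep(&hold, NULL);
    pthread_mutex_unlock(&provider_lock);
    return NULL;
}

/* "Safe fork mode" as assumed here: the forking thread acquires the lock
 * before fork() (waiting for the worker to finish), and parent and child
 * each release their own copy afterwards.  A thread that already holds
 * provider_lock when it calls fork() would block forever in prepare(),
 * which is the restriction the library documentation describes. */
static void prepare(void) { if (safe_mode_enabled) pthread_mutex_lock(&provider_lock); }
static void release(void) { if (safe_mode_enabled) pthread_mutex_unlock(&provider_lock); }
static void install_atfork(void) { pthread_atfork(prepare, release, release); }

/* Fork while the worker holds provider_lock and report what the child saw.
 * Returns 0 if the child could take the lock, 1 if the child found it
 * locked with nobody left to unlock it (EBUSY), -1 on setup failure. */
int fork_while_locked(int safe_mode)
{
    pthread_t t;
    pid_t pid;
    int status;

    pthread_once(&atfork_once, install_atfork);   /* handlers are process-wide */
    safe_mode_enabled = safe_mode;
    worker_holds_lock = 0;

    if (pthread_create(&t, NULL, worker, NULL) != 0)
        return -1;

    /* Wait until the worker really holds provider_lock, then fork. */
    pthread_mutex_lock(&gate);
    while (!worker_holds_lock)
        pthread_cond_wait(&gate_cv, &gate);
    pthread_mutex_unlock(&gate);

    pid = fork();
    if (pid < 0) {
        pthread_join(t, NULL);
        return -1;
    }
    if (pid == 0) {
        /* Child: probe the lock and leave without running atexit handlers. */
        int rc = pthread_mutex_trylock(&provider_lock);
        _exit(rc == 0 ? 0 : (rc == EBUSY ? 1 : 2));
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) {
        pthread_join(t, NULL);
        return -1;
    }
    pthread_join(t, NULL);
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("fork mode off: child result %d (1 = lock stuck)\n", fork_while_locked(0));
    printf("fork mode on:  child result %d (0 = lock usable)\n", fork_while_locked(1));
    return 0;
}
```

The patch's argument maps onto this directly: the handlers only matter if the process forks after the library is initialised and the child then touches the library. If, as the commit message states, OpenVPN initialises pkcs11-helper after possibly_become_daemon() and every later fork() is followed by exec(), no child ever probes provider_lock, and the prepare-side waiting that safe mode implies is pure cost (and, with an uncooperative provider, a place to hang).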