Skip to content

Commit

Permalink
Add ability to specify initialize flags for pkcs11 provider
Browse files Browse the repository at this point in the history 
New pkcs11-helper interface allows to setup pkcs11 provider via
properties: alonbl/pkcs11-helper@b78d21c

Also pkcs11-helper added ability to setup init args for pkcs11 provider:
alonbl/pkcs11-helper@133f893
  • Loading branch information
@lo1ol
lo1ol committed Sep 30, 2021
1 parent 7205cdd commit 840d6f8
Show file tree
Hide file tree
Showing 5 changed files with 90 additions and 22 deletions.
3 changes: 2 additions & 1 deletion src/openvpn/init.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -682,7 +682,8 @@ context_init_1(struct context *c)
for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
{
pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i],
c->options.pkcs11_init_flags[i]);
}
}
#endif
Expand Down
23 changes: 23 additions & 0 deletions src/openvpn/options.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -664,6 +664,11 @@ static const char usage_message[] =
" 8 : Use Unwrap.\n"
"--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
" certificate can be accessed. Set for each provider.\n"
"--pkcs11-init-flags hex ... : PKCS#11 init flags.\n"
" It's bitwise OR of some PKCS#11 initialize flags.\n"
" Most popular of them is:\n"
" 1 : CKF_LIBRARY_CANT_CREATE_OS_THREADS\n"
" 2 : CKF_OS_LOCKING_OK\n"
"--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
" cache until token is removed.\n"
"--pkcs11-id-management : Acquire identity from management interface.\n"
Expand Down Expand Up @@ -1838,6 +1843,13 @@ show_settings(const struct options *o)
SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
}
}
{
int i;
for (i = 0; i<MAX_PARMS; i++)
{
SHOW_PARM(pkcs11_init_flags, o->pkcs11_init_flags[i], "%08x");
}
}
SHOW_INT(pkcs11_pin_cache_period);
SHOW_STR(pkcs11_id);
SHOW_BOOL(pkcs11_id_management);
Expand Down Expand Up @@ -8778,6 +8790,17 @@ add_option(struct options *options,
options->pkcs11_cert_private[j-1] = atoi(p[j]) != 0 ? 1 : 0;
}
}
else if (streq(p[0], "pkcs11-init-flags"))
{
int j;

VERIFY_PERMISSION(OPT_P_GENERAL);

for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
{
sscanf(p[j], "%x", &(options->pkcs11_init_flags[j-1]));
}
}
else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
Expand Down
1 change: 1 addition & 0 deletions src/openvpn/options.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -573,6 +573,7 @@ struct options
unsigned pkcs11_private_mode[MAX_PARMS];
bool pkcs11_protected_authentication[MAX_PARMS];
bool pkcs11_cert_private[MAX_PARMS];
unsigned pkcs11_init_flags[MAX_PARMS];
int pkcs11_pin_cache_period;
const char *pkcs11_id;
bool pkcs11_id_management;
Expand Down
82 changes: 62 additions & 20 deletions src/openvpn/pkcs11.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -374,12 +374,17 @@ pkcs11_terminate(void)
bool
pkcs11_addProvider(
const char *const provider,
const bool protected_auth,
const bool _protected_auth,
const unsigned private_mode,
const bool cert_private
const bool _cert_private,
const unsigned init_flags
)
{
CK_RV rv = CKR_OK;
int success = true;
PKCS11H_BOOL protected_auth = _protected_auth;
PKCS11H_BOOL cert_private = _cert_private;
CK_C_INITIALIZE_ARGS_PTR p_init_args;

ASSERT(provider!=NULL);

Expand All @@ -396,29 +401,66 @@ pkcs11_addProvider(
provider
);

if (
(rv = pkcs11h_addProvider(
provider,
provider,
protected_auth,
private_mode,
PKCS11H_SLOTEVENT_METHOD_AUTO,
0,
cert_private
)) != CKR_OK
)
{
msg(M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv));
if ((rv = pkcs11h_registerProvider(provider)) != CKR_OK) {
msg(M_WARN, "PKCS#11: Cannot register provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv));
success = false;
goto exit;
}
if ((rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_LOCATION, provider, strlen(provider) + 1)) != CKR_OK) {
msg(M_WARN, "PKCS#11: Cannot setup provider '%s' location '%s' %ld-'%s'", provider, provider, rv, pkcs11h_getMessage(rv));
success = false;
goto cleanup;
}
if ((rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_ALLOW_PROTECTED_AUTH, &protected_auth, sizeof(protected_auth))) != CKR_OK) {
msg(M_WARN, "PKCS#11: Cannot setup provider '%s' ptorected auth mode '%s' %ld-'%s'", provider, protected_auth ? "true" : "false", rv, pkcs11h_getMessage(rv));
success = false;
goto cleanup;
}
if ((rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_MASK_PRIVATE_MODE, &private_mode, sizeof(private_mode))) != CKR_OK) {
msg(M_WARN, "PKCS#11: Cannot setup provider '%s' private mask mode '%08x' %ld-'%s'", provider, private_mode, rv, pkcs11h_getMessage(rv));
success = false;
goto cleanup;
}
if ((rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_CERT_IS_PRIVATE, &cert_private, sizeof(cert_private))) != CKR_OK) {
msg(M_WARN, "PKCS#11: Cannot setup provider '%s' private cert mode '%s' %ld-'%s'", provider, cert_private ? "true" : "false", rv, pkcs11h_getMessage(rv));
success = false;
goto cleanup;
}

// pkcs11-helper take ownership over this pointer
if ((p_init_args = malloc(sizeof(*p_init_args))) == NULL) {
msg(M_FATAL, "PKCS#11: Cannot allocate memory");
success = false;
goto cleanup;
}

memset(p_init_args, 0, sizeof(*p_init_args));
p_init_args->flags = init_flags;

if ((rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_INIT_ARGS, &p_init_args, sizeof(p_init_args))) != CKR_OK) {
msg(M_WARN, "PKCS#11: Cannot setup provider '%s' init flags '%08x' %ld-'%s'", provider, init_flags, rv, pkcs11h_getMessage(rv));
free(p_init_args);
success = false;
goto cleanup;
}
if ((rv = pkcs11h_initializeProvider(provider)) != CKR_OK) {
success = false;
goto cleanup;
}

cleanup:
if (!success) {
pkcs11h_removeProvider(provider);
}

exit:
dmsg(
D_PKCS11_DEBUG,
"PKCS#11: pkcs11_addProvider - return rv=%ld-'%s'",
rv,
pkcs11h_getMessage(rv)
);
"PKCS#11: pkcs11 registration is %s",
success ? "success" : "failed"
);

return rv == CKR_OK;
return success;
}

int
Expand Down
3 changes: 2 additions & 1 deletion src/openvpn/pkcs11.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,8 @@ pkcs11_addProvider(
const char *const provider,
const bool fProtectedAuthentication,
const unsigned private_mode,
const bool fCertIsPrivate
const bool fCertIsPrivate,
const unsigned init_flags
);

int
Expand Down

0 comments on commit 840d6f8

Please sign in to comment.