Package: openvpn
Version: 2.4.6-1

Hello,
I managed to get OpenVPN 2.4.6 (backported to Debian/Stretch) to work with PKCS#11 by:
- applying the (attached) patch taken from https://community.openvpn.net/openvpn/ticket/549
- applying the (attached) patch inspired by https://community.openvpn.net/openvpn/ticket/538, taking into account Gert Döring's comment on that ticket
- *and* using a patched/re-configured pkcs11-helper, as proposed in Debian bug #907452: https://bugs.debian.org/907452
Since this issue has been around for years and no quick fix seems to be coming from upstream, would you consider applying those patches as debian/patches?
Thanks and best,
Cédric
--
Cédric Dufour @ Idiap Research Institute
Description: Fix for OpenVPN bug #538 --- Origin: upstream Bug: https://community.openvpn.net/openvpn/ticket/538 Bug-Debian: https://bugs.debian.org/772812 Last-Update: 2018-08-28
--- openvpn-2.4.6.orig/src/openvpn/console.h
+++ openvpn-2.4.6/src/openvpn/console.h
@@ -83,7 +83,7 @@ bool query_user_exec_builtin(void);
 *
 * @return True if executing all the defined steps completed successfully
 */
-bool query_user_exec(void);
+bool query_user_exec(bool builtin);
 #else /* ENABLE_SYSTEMD not defined*/
 /**
@@ -92,7 +92,7 @@ bool query_user_exec(void);
 *
 */
 static bool
-query_user_exec(void)
+query_user_exec(bool builtin)
 {
 return query_user_exec_builtin();
 }
@@ -109,11 +109,11 @@ query_user_exec(void)
 static inline bool
 query_user_SINGLE(char *prompt, size_t prompt_len, char *resp, size_t resp_len,
- bool echo)
+ bool echo, bool builtin)
 {
 query_user_clear();
 query_user_add(prompt, prompt_len, resp, resp_len, echo);
- return query_user_exec();
+ return query_user_exec(builtin);
 }
 #endif /* ifndef CONSOLE_H */
--- openvpn-2.4.6.orig/src/openvpn/console_systemd.c
+++ openvpn-2.4.6/src/openvpn/console_systemd.c
@@ -95,13 +95,13 @@ get_console_input_systemd(const char *pr
 *
 */
 bool
-query_user_exec(void)
+query_user_exec(bool builtin)
 {
 bool ret = true; /* Presume everything goes okay */
 int i;
 /* If systemd is not available, use the default built-in mechanism */
- if (!check_systemd_running())
+ if (builtin || !check_systemd_running())
 {
 return query_user_exec_builtin();
 }
--- openvpn-2.4.6.orig/src/openvpn/misc.c
+++ openvpn-2.4.6/src/openvpn/misc.c
@@ -939,7 +939,9 @@ get_user_pass_cr(struct user_pass *up,
 buf_printf(&user_prompt, "NEED-OK|%s|%s:", prefix, up->username);
 if (!query_user_SINGLE(BSTR(&user_prompt), BLEN(&user_prompt),
- up->password, USER_PASS_LEN, false))
+ up->password, USER_PASS_LEN,
+ false,
+ BOOL_CAST(flags & GET_USER_PASS_FORCE_BUILTIN)))
 {
 msg(M_FATAL, "ERROR: could not read %s ok-confirmation from stdin", prefix);
 }
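Review bot: The Doxygen block above `query_user_exec` in console.h (its `@return` line is visible in the first hunk) is not updated for the new `bool builtin` parameter, so the only documentation of what the flag does is the `if (builtin || !check_systemd_running())` test in console_systemd.c. Add a line such as ` * @param builtin  When true, skip the systemd-ask-password path and use the built-in console prompt even if systemd is running` before the `@return`. The comment block starts above the hunk, so the exact insertion point is outside what is shown here.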
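Review bot: The non-systemd stub `query_user_exec(bool builtin)` in the second console.h hunk accepts the new parameter but never reads it, which will trip `-Wunused-parameter` on every translation unit that includes the header when ENABLE_SYSTEMD is not defined. Since the stub is `static` and lives in a header, a silent warning per include is noisy for distro builds with `-Wall -Wextra`; add `(void)builtin; /* only meaningful when systemd support is compiled in */` as the first statement of the body.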
@@ -1039,7 +1041,9 @@ get_user_pass_cr(struct user_pass *up,
 buf_set_write(&packed_resp, (uint8_t *)up->password, USER_PASS_LEN);
 if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge),
- response, USER_PASS_LEN, BOOL_CAST(ac->flags&CR_ECHO)))
+ response, USER_PASS_LEN,
+ BOOL_CAST(ac->flags&CR_ECHO),
+ BOOL_CAST(flags & GET_USER_PASS_FORCE_BUILTIN)))
 {
 msg(M_FATAL, "ERROR: could not read challenge response from stdin");
 }
@@ -1073,7 +1077,7 @@ get_user_pass_cr(struct user_pass *up,
 up->password, USER_PASS_LEN, false);
 }
- if (!query_user_exec() )
+ if (!query_user_exec(BOOL_CAST(flags & GET_USER_PASS_FORCE_BUILTIN)) )
 {
 msg(M_FATAL, "ERROR: Failed retrieving username or password");
 }
@@ -1098,7 +1102,8 @@ get_user_pass_cr(struct user_pass *up,
 if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge),
 response, USER_PASS_LEN,
- BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO)))
+ BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO),
+ BOOL_CAST(flags & GET_USER_PASS_FORCE_BUILTIN)))
 {
 msg(M_FATAL, "ERROR: could not retrieve static challenge response");
 }
--- openvpn-2.4.6.orig/src/openvpn/misc.h
+++ openvpn-2.4.6/src/openvpn/misc.h
@@ -234,6 +234,8 @@ struct static_challenge_info {};
 #define GET_USER_PASS_INLINE_CREDS (1<<10) /* indicates that auth_file is actually inline creds */
+#define GET_USER_PASS_FORCE_BUILTIN (1<<11) /* force builtin prompt to work around 538 */
+
 bool get_user_pass_cr(struct user_pass *up,
 const char *auth_file,
 const char *prefix,
--- openvpn-2.4.6.orig/src/openvpn/pkcs11.c
+++ openvpn-2.4.6/src/openvpn/pkcs11.c
@@ -215,7 +215,7 @@ _pkcs11_openvpn_token_prompt(
 &token_resp,
 NULL,
 "token-insertion-request",
- GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK|GET_USER_PASS_NOFATAL
+ GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK|GET_USER_PASS_NOFATAL|GET_USER_PASS_FORCE_BUILTIN
 )
 )
 {
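Review bot: The comment on the new flag in misc.h, `/* force builtin prompt to work around 538 */`, names a bare ticket number with no tracker and does not say what the flag changes, so a reader of misc.h has to find the console_systemd.c hunk to learn that it bypasses the systemd-ask-password path. Make the comment self-contained: `/* use the built-in console prompt even when systemd is running (systemd-ask-password is skipped); see https://community.openvpn.net/openvpn/ticket/538 */`. The other GET_USER_PASS_* comments in that hunk describe the effect rather than the motivation, and this one should follow suit.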
@@ -257,7 +257,7 @@ _pkcs11_openvpn_pin_prompt(
 &token_pass,
 NULL,
 prompt,
- GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY|GET_USER_PASS_NOFATAL
+ GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY|GET_USER_PASS_NOFATAL|GET_USER_PASS_FORCE_BUILTIN
 )
 )
 {
@@ -707,7 +707,7 @@ tls_ctx_use_pkcs11(
 &id_resp,
 NULL,
 "pkcs11-id-request",
- GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_STR|GET_USER_PASS_NOFATAL
+ GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_STR|GET_USER_PASS_NOFATAL|GET_USER_PASS_FORCE_BUILTIN
 )
 )
 {
@@ -814,7 +814,8 @@ _pkcs11_openvpn_show_pkcs11_ids_pin_prom
 buf_printf(&pass_prompt, "Please enter '%s' token PIN or 'cancel': ", token->display);
 if (!query_user_SINGLE(BSTR(&pass_prompt), BLEN(&pass_prompt),
- pin, pin_max, false))
+ pin, pin_max,
+ false, true))
 {
 msg(M_FATAL, "Could not retrieve the PIN");
 }
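Review bot: Adding GET_USER_PASS_FORCE_BUILTIN to the PIN prompt in `_pkcs11_openvpn_pin_prompt` means the token PIN is always read through the built-in console prompt, which needs a usable stdin/tty; for an OpenVPN instance started as a systemd unit with no controlling terminal and no management interface, the PIN can then never be supplied and the only outcome is the NOFATAL failure path, whereas before systemd-ask-password could collect it. Whether the GET_USER_PASS_MANAGEMENT path still takes precedence when a management socket is configured is decided inside get_user_pass_cr, outside these hunks, so that interaction should be confirmed before shipping this as a distro patch. A comment next to the flag, `/* FORCE_BUILTIN: headless units without a management interface cannot unlock the token */`, would at least make the trade-off visible at the call site. In the `_pkcs11_openvpn_show_pkcs11_ids_pin_prom` hunk the bypass is hard-coded as `true` rather than derived from a flag; if that is intentional because the function only runs in interactive --show-pkcs11-ids mode, say so in a comment.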
Description: Fix for OpenVPN bug #549 --- Origin: upstream Bug: https://community.openvpn.net/openvpn/ticket/549 Bug-Debian: https://bugs.debian.org/772812 Last-Update: 2018-08-28
--- openvpn-2.4.6.orig/src/openvpn/misc.c
+++ openvpn-2.4.6/src/openvpn/misc.c
@@ -45,6 +45,10 @@
 #include "console.h"
 #include "win32.h"
+#ifdef HAVE_VFORK_H
+#include <vfork.h>
+#endif
+
 #include "memdbg.h"
 #ifdef ENABLE_IPROUTE
@@ -204,7 +208,11 @@ openvpn_execve(const struct argv *a, con
 char *const *envp = (char *const *)make_env_array(es, true, &gc);
 pid_t pid;
+#ifdef HAVE_WORKING_VFORK
+ pid = vfork();
+#else
 pid = fork();
+#endif
 if (pid == (pid_t)0) /* child side */
 {
 execve(cmd, argv, envp);
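Review bot: After `vfork()` the child shares the parent's address space and may only call an exec function or `_exit()`; the code that runs when `execve(cmd, argv, envp)` fails lies just past the end of this hunk, and if it is `exit()` rather than `_exit()` it will run atexit handlers and flush stdio buffers on the parent's behalf, corrupting the parent's state. The failure path should become `_exit(127);` (or whatever status the existing code uses) whenever `HAVE_WORKING_VFORK` selects vfork, and the comment `/* vfork child: only execve or _exit are allowed here */` should sit above the call. `HAVE_WORKING_VFORK` and `HAVE_VFORK_H` are the macros autoconf's `AC_FUNC_FORK` check defines, and this patch carries no configure.ac hunk, so unless the build already runs that check both new `#ifdef` branches compile to the unchanged `fork()` path and the fix is silently inert. The body of openvpn_execve continues outside the hunk.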