Jonatan, Can you please try the attached patch and see if it helps? Thanks!
On Thu, Aug 11, 2011 at 11:20 AM, Alon Bar-Lev <alon.bar...@gmail.com> wrote: > > Martin, > > The openssl engine is called with 0x24 buffer size and expect it to be > encrypted by private key with same length. > > Prototype: > --- > static > int > __pkcs11h_openssl_enc ( > IN int flen, > IN const unsigned char *from, > OUT unsigned char *to, > IN OUT RSA *rsa, > IN int padding > ) { > --- > > I may got this wrong. > Will investigate. > > On Thu, Aug 11, 2011 at 10:38 AM, Martin Paljak <mar...@martinpaljak.net> > wrote: > > Hello, > > > > 2011/8/11 Jonatan Åkerlind <jonatan.akerl...@sgsstudentbostader.se>: > >> We have a setup using the Aladdin eToken PRO USB device for certificate > >> storage using opensc/openct to interface it with openvpn. Works fine but > >> with pkcs11-helper 1.08 we need to enter the PIN code twice at openvpn > >> startup and then once at each renegotiation. Confirmed with various > >> versions of openvpn (2.1.4/2.2.1), opensc (0.11.13, 0.12.1) and openct > >> (0.6.20), common thing is that it works with pkcs11-helper 1.07 (the PIN > >> caching seems ok and only asks for the pin code once at startup and no > >> more) but with pkcs11-helper 1.08 the PIN caching does not work. > >> > >> Attached is a log from openvpn with verbosity 99 (gives a lot of info) > >> using pkcs11-helper 1.08. It contains the startup and a couple of > >> renegotiations filtered to only include lines with pkcs in them. > > > > This might be relevant: > > > > PKCS#11: __pkcs11h_certificate_doPrivateOperation entry > > certificate=0x72ebb0, op=0, mech_type=1, source=0x7fff40fa3be0, > > source_size=0000000000000024, target=0x757936, > > *p_target_size=0000000000000024 > > > > the target size is the same as input size, which makes one of the > > operations fail with CKR_BUFFER_TOO_SMALL and will trigger another > > try, which will mean another PIN entry. Probably something else is > > fishy as well. > > _______________________________________________ > > opensc-devel mailing list > > opensc-devel@lists.opensc-project.org > > http://www.opensc-project.org/mailman/listinfo/opensc-devel
Index: lib/pkcs11h-openssl.c =================================================================== --- lib/pkcs11h-openssl.c (revision 205) +++ lib/pkcs11h-openssl.c (revision 207) @@ -291,7 +291,7 @@ pkcs11h_certificate_t certificate = __pkcs11h_openssl_get_pkcs11h_certificate (rsa); PKCS11H_BOOL session_locked = FALSE; CK_RV rv = CKR_FUNCTION_FAILED; - size_t tlen = (size_t)flen; + size_t tlen; _PKCS11H_ASSERT (from!=NULL); _PKCS11H_ASSERT (to!=NULL); @@ -312,6 +312,8 @@ goto cleanup; } + tlen = (size_t)RSA_size(rsa); + if ((rv = pkcs11h_certificate_lockSession (certificate)) != CKR_OK) { goto cleanup; } Index: lib/pkcs11h-certificate.c =================================================================== --- lib/pkcs11h-certificate.c (revision 205) +++ lib/pkcs11h-certificate.c (revision 207) @@ -961,16 +961,17 @@ rv ); + if (rv == CKR_BUFFER_TOO_SMALL && op != __pkcs11h_private_op_unwrap) { + certificate->operation_active = TRUE; + } + if (target != NULL) { if (rv != CKR_OK) { goto retry; } } else { - if ( - rv == CKR_OK || - rv == CKR_BUFFER_TOO_SMALL - ) { + if (rv == CKR_OK) { if (op != __pkcs11h_private_op_unwrap) { certificate->operation_active = TRUE; } @@ -994,6 +995,10 @@ } if (!op_succeed) { + if (rv == CKR_BUFFER_TOO_SMALL) { + goto cleanup; + } + /* * OpenSC workaround * It still allows C_FindObjectsInit when
_______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel