Re: [opensc-devel] PIN caching problems with pkcs11-helper 1.08

2011-08-16 Thread Jonatan Åkerlind
On fre, 2011-08-12 at 23:20 +0300, Alon Bar-Lev wrote:
> > Jonatan,
> > Can you please try the attached patch and see if it helps?
> > Thanks!
> ...
>
> seems to work fine, will continue testing during the day. This is on
> an AMD64 architecture if it makes any difference. So far I have only
> entered my PIN code once at startup of my VPN session; the session has
> renegotiated a few times now.
>
> /Jonatan

Been using it for a day now and so far I haven't seen any problem. Works
fine for me.

/Jonatan

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


Re: [opensc-devel] PIN caching problems with pkcs11-helper 1.08

2011-08-16 Thread Alon Bar-Lev
Thanks for your report and testing!

2011/8/16 Jonatan Åkerlind jonatan.akerl...@sgsstudentbostader.se:
> On fre, 2011-08-12 at 23:20 +0300, Alon Bar-Lev wrote:
> > > Jonatan,
> > > Can you please try the attached patch and see if it helps?
> > > Thanks!
> > ...
> >
> > seems to work fine, will continue testing during the day. This is on
> > an AMD64 architecture if it makes any difference. So far I have only
> > entered my PIN code once at startup of my VPN session; the session has
> > renegotiated a few times now.
> >
> > /Jonatan
>
> Been using it for a day now and so far I haven't seen any problem. Works
> fine for me.
>
> /Jonatan



Re: [opensc-devel] PIN caching problems with pkcs11-helper 1.08

2011-08-12 Thread Alon Bar-Lev
Jonatan,
Can you please try the attached patch and see if it helps?
Thanks!

On Thu, Aug 11, 2011 at 11:20 AM, Alon Bar-Lev alon.bar...@gmail.com wrote:
>
> Martin,
>
> The openssl engine is called with a 0x24 buffer size and expects it to be
> encrypted by the private key with the same length.
>
> Prototype:
> ---
> static
> int
> __pkcs11h_openssl_enc (
>        IN int flen,
>        IN const unsigned char *from,
>        OUT unsigned char *to,
>        IN OUT RSA *rsa,
>        IN int padding
> ) {
> ---
>
> I may have got this wrong.
> Will investigate.
>
> On Thu, Aug 11, 2011 at 10:38 AM, Martin Paljak mar...@martinpaljak.net wrote:
> > Hello,
> >
> > 2011/8/11 Jonatan Åkerlind jonatan.akerl...@sgsstudentbostader.se:
> > > We have a setup using the Aladdin eToken PRO USB device for certificate
> > > storage, using opensc/openct to interface it with openvpn. It works fine, but
> > > with pkcs11-helper 1.08 we need to enter the PIN code twice at openvpn
> > > startup and then once at each renegotiation. Confirmed with various
> > > versions of openvpn (2.1.4/2.2.1), opensc (0.11.13, 0.12.1) and openct
> > > (0.6.20); the common thing is that it works with pkcs11-helper 1.07 (the PIN
> > > caching seems OK and only asks for the PIN code once at startup and no
> > > more) but with pkcs11-helper 1.08 the PIN caching does not work.
> > >
> > > Attached is a log from openvpn with verbosity 99 (gives a lot of info)
> > > using pkcs11-helper 1.08. It contains the startup and a couple of
> > > renegotiations, filtered to only include lines with pkcs in them.
> >
> > This might be relevant:
> >
> > PKCS#11: __pkcs11h_certificate_doPrivateOperation entry
> > certificate=0x72ebb0, op=0, mech_type=1, source=0x7fff40fa3be0,
> >              source_size=0024, target=0x757936,
> > *p_target_size=0024
> >
> > The target size is the same as the input size, which makes one of the
> > operations fail with CKR_BUFFER_TOO_SMALL and triggers another
> > try, which means another PIN entry. Probably something else is
> > fishy as well.
Index: lib/pkcs11h-openssl.c
===
--- lib/pkcs11h-openssl.c	(revision 205)
+++ lib/pkcs11h-openssl.c	(revision 207)
@@ -291,7 +291,7 @@
 	pkcs11h_certificate_t certificate = __pkcs11h_openssl_get_pkcs11h_certificate (rsa);
 	PKCS11H_BOOL session_locked = FALSE;
 	CK_RV rv = CKR_FUNCTION_FAILED;
-	size_t tlen = (size_t)flen;
+	size_t tlen;
 
 	_PKCS11H_ASSERT (from!=NULL);
 	_PKCS11H_ASSERT (to!=NULL);
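Review bot: `tlen` is now declared without an initializer and only assigned further down, after the first `goto cleanup` in this function; if anything on the `cleanup:` path reads `tlen` (for instance to report how many bytes were produced), an early bail-out now uses an indeterminate value. Suggest `size_t tlen = 0;` here, which costs nothing and keeps the early-exit path well defined.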
@@ -312,6 +312,8 @@
 		goto cleanup;
 	}
 
+	tlen = (size_t)RSA_size(rsa);
+
 	if ((rv = pkcs11h_certificate_lockSession (certificate)) != CKR_OK) {
 		goto cleanup;
 	}
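Review bot: sizing the target from `RSA_size(rsa)` instead of `flen` is the right fix for the CKR_BUFFER_TOO_SMALL the reporter hit: the output of a private-key operation is always the modulus length, which is also the size OpenSSL allocates for `to`, while `flen` (0x24 here) is only the input length. Two follow-ups: `RSA_size()` returns `int`, so guard against a non-positive result before the `(size_t)` cast rather than letting it wrap; and since `flen` no longer bounds the target, the function should still reject inputs the padding cannot accommodate (for PKCS#1 v1.5, `flen > tlen - 11`) instead of handing them to the token.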
Index: lib/pkcs11h-certificate.c
===
--- lib/pkcs11h-certificate.c	(revision 205)
+++ lib/pkcs11h-certificate.c	(revision 207)
@@ -961,16 +961,17 @@
 			rv
 		);
 
+		if (rv == CKR_BUFFER_TOO_SMALL  op != __pkcs11h_private_op_unwrap) {
+			certificate-operation_active = TRUE;
+		}
+
 		if (target != NULL) {
 			if (rv != CKR_OK) {
 goto retry;
 			}
 		}
 		else {
-			if (
-rv == CKR_OK ||
-rv == CKR_BUFFER_TOO_SMALL
-			) {
+			if (rv == CKR_OK) {
 if (op != __pkcs11h_private_op_unwrap) {
 	certificate-operation_active = TRUE;
 }
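Review bot: marking the operation active on CKR_BUFFER_TOO_SMALL before the `target != NULL` / `else` split is correct bookkeeping (PKCS#11 leaves a sign or decrypt operation active when the caller's buffer is too small), but the `target != NULL` branch still does `goto retry` for that rv and relies on a check much further down to stop the retry, which makes the control flow hard to follow; handling CKR_BUFFER_TOO_SMALL once here, with an explicit jump to cleanup, would keep `retry` for genuine session failures only. Separately, as rendered the condition reads `rv == CKR_BUFFER_TOO_SMALL  op != __pkcs11h_private_op_unwrap` and the assignment `certificate-operation_active`; the `&&` and `->` appear to have been eaten by the archive, so double-check the applied patch.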
@@ -994,6 +995,10 @@
 		}
 
 		if (!op_succeed) {
+			if (rv == CKR_BUFFER_TOO_SMALL) {
+goto cleanup;
+			}
+
 			/*
 			 * OpenSC workaround
 			 * It still allows C_FindObjectsInit when
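Review bot: the `goto cleanup` on CKR_BUFFER_TOO_SMALL ahead of the OpenSC workaround is the change that stops the extra PIN prompts: a too-small buffer is a caller-side sizing error, not a session problem, so it must not take the retry path below that, as Martin observed, ends in another PIN entry. Confirm that `cleanup` hands `rv` back unchanged so the caller gets CKR_BUFFER_TOO_SMALL together with the required size in `*p_target_size` rather than a generic failure, and consider a debug log line here; the reporter needed verbosity 99 to find the size mismatch.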

[opensc-devel] PIN caching problems with pkcs11-helper 1.08

2011-08-11 Thread Jonatan Åkerlind
We have a setup using the Aladdin eToken PRO USB device for certificate
storage, using opensc/openct to interface it with openvpn. It works fine, but
with pkcs11-helper 1.08 we need to enter the PIN code twice at openvpn
startup and then once at each renegotiation. Confirmed with various
versions of openvpn (2.1.4/2.2.1), opensc (0.11.13, 0.12.1) and openct
(0.6.20); the common thing is that it works with pkcs11-helper 1.07 (the PIN
caching seems OK and only asks for the PIN code once at startup and no
more) but with pkcs11-helper 1.08 the PIN caching does not work.

Attached is a log from openvpn with verbosity 99 (gives a lot of info)
using pkcs11-helper 1.08. It contains the startup and a couple of
renegotiations, filtered to only include lines with pkcs in them.

/Jonatan


Re: [opensc-devel] PIN caching problems with pkcs11-helper 1.08

2011-08-11 Thread Martin Paljak
Hello,

2011/8/11 Jonatan Åkerlind jonatan.akerl...@sgsstudentbostader.se:
> We have a setup using the Aladdin eToken PRO USB device for certificate
> storage, using opensc/openct to interface it with openvpn. It works fine, but
> with pkcs11-helper 1.08 we need to enter the PIN code twice at openvpn
> startup and then once at each renegotiation. Confirmed with various
> versions of openvpn (2.1.4/2.2.1), opensc (0.11.13, 0.12.1) and openct
> (0.6.20); the common thing is that it works with pkcs11-helper 1.07 (the PIN
> caching seems OK and only asks for the PIN code once at startup and no
> more) but with pkcs11-helper 1.08 the PIN caching does not work.
>
> Attached is a log from openvpn with verbosity 99 (gives a lot of info)
> using pkcs11-helper 1.08. It contains the startup and a couple of
> renegotiations, filtered to only include lines with pkcs in them.

This might be relevant:

PKCS#11: __pkcs11h_certificate_doPrivateOperation entry
certificate=0x72ebb0, op=0, mech_type=1, source=0x7fff40fa3be0,
  source_size=0024, target=0x757936,
*p_target_size=0024

The target size is the same as the input size, which makes one of the
operations fail with CKR_BUFFER_TOO_SMALL and triggers another
try, which means another PIN entry. Probably something else is
fishy as well.
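Martin's observation above (a target sized like the 36-byte input makes C_Sign answer CKR_BUFFER_TOO_SMALL, the call is retried, and the user is prompted for the PIN again) and the RSA_size-based sizing that Alon's patch switches to, as an added example that is not part of this thread or of pkcs11-helper. The token, the CK_*/CKR_* stand-ins (the CKR_* values are the real PKCS#11 ones, defined here so the file compiles without a cryptoki header), sim_C_Sign and engine_sign are all constructed for this example; engine_sign shows the retry a caller should do on its own, without a new C_Login.

```c
#include <stdlib.h>
#include <string.h>
typedef unsigned long CK_RV;
typedef unsigned long CK_ULONG;
#define CKR_OK                        0x000UL
#define CKR_HOST_MEMORY               0x002UL
#define CKR_DATA_LEN_RANGE            0x021UL
#define CKR_OPERATION_NOT_INITIALIZED 0x091UL
#define CKR_BUFFER_TOO_SMALL          0x150UL
/* Constructed token: one 1024-bit RSA key, so every signature is 128 bytes. */
#define SIM_RSA_SIZE 128UL
static int sim_sign_active;  /* C_SignInit done and not yet consumed       */
static int sim_login_count;  /* every C_Login is a PIN prompt for the user */
static int sim_sign_calls;   /* how many times C_Sign reached the token    */

/* PKCS#11 output-buffer convention: too small -> CKR_BUFFER_TOO_SMALL with the
 * needed size stored and the operation STILL active; NULL sig -> size only. */
static CK_RV sim_C_Sign(const unsigned char *data, CK_ULONG data_len,
                        unsigned char *sig, CK_ULONG *sig_len)
{
    sim_sign_calls++;
    if (!sim_sign_active) return CKR_OPERATION_NOT_INITIALIZED;
    if (data_len > SIM_RSA_SIZE - 11) return CKR_DATA_LEN_RANGE;  /* PKCS#1 v1.5 room */
    if (sig == NULL) { *sig_len = SIM_RSA_SIZE; return CKR_OK; }
    if (*sig_len < SIM_RSA_SIZE) { *sig_len = SIM_RSA_SIZE; return CKR_BUFFER_TOO_SMALL; }
    memcpy(sig, data, data_len);  /* placeholder "signature": no real RSA here */
    *sig_len = SIM_RSA_SIZE;
    sim_sign_active = 0;
    return CKR_OK;
}

/* Hypothetical engine callback (not pkcs11-helper's code).  tlen == flen is the
 * 1.08 sizing (36-byte TLS digest into a 36-byte target); tlen == RSA_size is the
 * patched sizing.  A too-small target is a caller bug: grow and retry, never re-login. */
static CK_RV engine_sign(const unsigned char *from, CK_ULONG flen,
                         CK_ULONG tlen, CK_ULONG *sig_len)
{
    unsigned char *to = malloc(tlen), *grown;
    CK_RV rv;
    if (to == NULL) return CKR_HOST_MEMORY;
    if (sim_login_count == 0) sim_login_count++;  /* C_Login: PIN once, then cached */
    sim_sign_active = 1;                          /* C_SignInit */
    *sig_len = tlen;
    rv = sim_C_Sign(from, flen, to, sig_len);
    if (rv == CKR_BUFFER_TOO_SMALL && (grown = realloc(to, *sig_len)) != NULL) {
        to = grown;
        rv = sim_C_Sign(from, flen, to, sig_len);  /* retry on the still-active op */
    }
    free(to);
    return rv;
}
```

With the 1.08 sizing the token answers CKR_BUFFER_TOO_SMALL once and the wrapper recovers with a second C_Sign; with the RSA_size sizing the first C_Sign succeeds, and in neither case is the user logged in (prompted) more than once.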