Re: [opensc-devel] PIN caching problems with pkcs11-helper 1.08
On Fri, 2011-08-12 at 23:20 +0300, Alon Bar-Lev wrote:
> Jonatan,
> Can you please try the attached patch and see if it helps?
> Thanks!

... seems to work fine, will continue testing during the day. This is on an AMD64 architecture if it makes any difference. So far I have only entered my PIN code once at startup of my VPN session; the session has renegotiated a few times now.

/Jonatan

Been using it for a day now and so far I haven't seen any problem. Works fine for me.

/Jonatan

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] PIN caching problems with pkcs11-helper 1.08
Thanks for your report and testing!

2011/8/16 Jonatan Åkerlind <jonatan.akerl...@sgsstudentbostader.se>:
> On Fri, 2011-08-12 at 23:20 +0300, Alon Bar-Lev wrote:
>> Jonatan,
>> Can you please try the attached patch and see if it helps?
>> Thanks!
>
> ... seems to work fine, will continue testing during the day. This is on an AMD64 architecture if it makes any difference. So far I have only entered my PIN code once at startup of my VPN session; the session has renegotiated a few times now.
>
> /Jonatan
>
> Been using it for a day now and so far I haven't seen any problem. Works fine for me.
>
> /Jonatan
Re: [opensc-devel] PIN caching problems with pkcs11-helper 1.08
Jonatan,

Can you please try the attached patch and see if it helps?

Thanks!

On Thu, Aug 11, 2011 at 11:20 AM, Alon Bar-Lev <alon.bar...@gmail.com> wrote:
> Martin,
>
> The OpenSSL engine is called with a 0x24 buffer size and expects it to be encrypted by the private key with the same length.
>
> Prototype:
> ---
> static int
> __pkcs11h_openssl_enc (
>     IN int flen,
>     IN const unsigned char *from,
>     OUT unsigned char *to,
>     IN OUT RSA *rsa,
>     IN int padding
> ) {
> ---
>
> I may have got this wrong. Will investigate.
>
> On Thu, Aug 11, 2011 at 10:38 AM, Martin Paljak <mar...@martinpaljak.net> wrote:
>> Hello,
>>
>> 2011/8/11 Jonatan Åkerlind <jonatan.akerl...@sgsstudentbostader.se>:
>>> We have a setup using the Aladdin eToken PRO USB device for certificate storage, using opensc/openct to interface it with openvpn. Works fine, but with pkcs11-helper 1.08 we need to enter the PIN code twice at openvpn startup and then once at each renegotiation.
>>>
>>> Confirmed with various versions of openvpn (2.1.4/2.2.1), opensc (0.11.13, 0.12.1) and openct (0.6.20); the common thing is that it works with pkcs11-helper 1.07 (the PIN caching seems OK and only asks for the PIN code once at startup and no more) but with pkcs11-helper 1.08 the PIN caching does not work.
>>>
>>> Attached is a log from openvpn with verbosity 99 (gives a lot of info) using pkcs11-helper 1.08. It contains the startup and a couple of renegotiations, filtered to only include lines with pkcs in them.
>>
>> This might be relevant:
>>
>> PKCS#11: __pkcs11h_certificate_doPrivateOperation entry certificate=0x72ebb0, op=0, mech_type=1, source=0x7fff40fa3be0, source_size=0024, target=0x757936, *p_target_size=0024
>>
>> The target size is the same as the input size, which makes one of the operations fail with CKR_BUFFER_TOO_SMALL and will trigger another try, which will mean another PIN entry. Probably something else is fishy as well.
Index: lib/pkcs11h-openssl.c === --- lib/pkcs11h-openssl.c (revision 205) +++ lib/pkcs11h-openssl.c (revision 207) @@ -291,7 +291,7 @@ pkcs11h_certificate_t certificate = __pkcs11h_openssl_get_pkcs11h_certificate (rsa); PKCS11H_BOOL session_locked = FALSE; CK_RV rv = CKR_FUNCTION_FAILED; - size_t tlen = (size_t)flen; + size_t tlen; _PKCS11H_ASSERT (from!=NULL); _PKCS11H_ASSERT (to!=NULL); @@ -312,6 +312,8 @@ goto cleanup; } + tlen = (size_t)RSA_size(rsa); + if ((rv = pkcs11h_certificate_lockSession (certificate)) != CKR_OK) { goto cleanup; } Index: lib/pkcs11h-certificate.c === --- lib/pkcs11h-certificate.c (revision 205) +++ lib/pkcs11h-certificate.c (revision 207) @@ -961,16 +961,17 @@ rv ); + if (rv == CKR_BUFFER_TOO_SMALL op != __pkcs11h_private_op_unwrap) { + certificate-operation_active = TRUE; + } + if (target != NULL) { if (rv != CKR_OK) { goto retry; } } else { - if ( -rv == CKR_OK || -rv == CKR_BUFFER_TOO_SMALL - ) { + if (rv == CKR_OK) { if (op != __pkcs11h_private_op_unwrap) { certificate-operation_active = TRUE; } @@ -994,6 +995,10 @@ } if (!op_succeed) { + if (rv == CKR_BUFFER_TOO_SMALL) { +goto cleanup; + } + /* * OpenSC workaround * It still allows C_FindObjectsInit when
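Review bot: in the first pkcs11h-openssl.c hunk (@@ -291), `size_t tlen;` now leaves `tlen` indeterminate from its declaration until the later `tlen = (size_t)RSA_size(rsa);`, and there is at least one `goto cleanup` between those two points; unless cleanup provably never reads `tlen`, initialise it at the declaration (`size_t tlen = 0;`) or keep the RSA_size() assignment next to the declaration so no path reaches cleanup with an uninitialised length.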
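Review bot: the second pkcs11h-openssl.c hunk (@@ -312) adds `tlen = (size_t)RSA_size(rsa);` without a comment, and the reason is not obvious from the line itself: the old `tlen = (size_t)flen` is exactly what produced `source_size=0024 ... *p_target_size=0024` in Jonatan's log, and the CKR_BUFFER_TOO_SMALL retry that followed is what re-prompted for the PIN. Add a one-line comment saying the output buffer of a raw private-key operation is the modulus size, not the input size, and consider rejecting `flen > RSA_size(rsa)` up front rather than letting the token report it.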
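Review bot: in the first pkcs11h-certificate.c hunk (@@ -961) the inserted condition is rendered as `rv == CKR_BUFFER_TOO_SMALL op != __pkcs11h_private_op_unwrap` and the assignments as `certificate-operation_active = TRUE;`, so the `&&` and `->` have been lost in transit and the hunk will not compile as shown; please check the actual r207 text. On the logic, setting operation_active on CKR_BUFFER_TOO_SMALL for both the size query (`target == NULL`) and the real call matches the PKCS#11 buffer convention, under which a CKR_BUFFER_TOO_SMALL return does not terminate the active operation, and it is what stops the `goto retry` path from logging in again; a comment citing that rule would make the intent clear to the next reader.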
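Review bot: in the second pkcs11h-certificate.c hunk (@@ -994) the new `if (rv == CKR_BUFFER_TOO_SMALL) { goto cleanup; }` leaves the `!op_succeed` path before the OpenSC workaround and any further retry, which is right for a pure size problem, but the caller then receives CKR_BUFFER_TOO_SMALL while (per the previous hunk) `operation_active` is TRUE. Confirm that every caller either retries with the size reported in `*p_target_size` or that cleanup leaves the token in a state where the next operation can start, otherwise a one-off failure leaves an operation open on the token.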
[opensc-devel] PIN caching problems with pkcs11-helper 1.08
We have a setup using the Aladdin eToken PRO USB device for certificate storage, using opensc/openct to interface it with openvpn. Works fine, but with pkcs11-helper 1.08 we need to enter the PIN code twice at openvpn startup and then once at each renegotiation.

Confirmed with various versions of openvpn (2.1.4/2.2.1), opensc (0.11.13, 0.12.1) and openct (0.6.20); the common thing is that it works with pkcs11-helper 1.07 (the PIN caching seems OK and only asks for the PIN code once at startup and no more) but with pkcs11-helper 1.08 the PIN caching does not work.

Attached is a log from openvpn with verbosity 99 (gives a lot of info) using pkcs11-helper 1.08. It contains the startup and a couple of renegotiations, filtered to only include lines with pkcs in them.

/Jonatan
Re: [opensc-devel] PIN caching problems with pkcs11-helper 1.08
Hello,

2011/8/11 Jonatan Åkerlind <jonatan.akerl...@sgsstudentbostader.se>:
> We have a setup using the Aladdin eToken PRO USB device for certificate storage, using opensc/openct to interface it with openvpn. Works fine, but with pkcs11-helper 1.08 we need to enter the PIN code twice at openvpn startup and then once at each renegotiation.
>
> Confirmed with various versions of openvpn (2.1.4/2.2.1), opensc (0.11.13, 0.12.1) and openct (0.6.20); the common thing is that it works with pkcs11-helper 1.07 (the PIN caching seems OK and only asks for the PIN code once at startup and no more) but with pkcs11-helper 1.08 the PIN caching does not work.
>
> Attached is a log from openvpn with verbosity 99 (gives a lot of info) using pkcs11-helper 1.08. It contains the startup and a couple of renegotiations, filtered to only include lines with pkcs in them.

This might be relevant:

PKCS#11: __pkcs11h_certificate_doPrivateOperation entry certificate=0x72ebb0, op=0, mech_type=1, source=0x7fff40fa3be0, source_size=0024, target=0x757936, *p_target_size=0024

The target size is the same as the input size, which makes one of the operations fail with CKR_BUFFER_TOO_SMALL and will trigger another try, which will mean another PIN entry. Probably something else is fishy as well.
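The failure mode Martin and Alon describe above, as an added simulation that is not code from pkcs11-helper or from this thread: a constructed stand-in for a token's C_Sign (real PKCS#11 return-code values, an assumed 1024-bit key) and a caller modelled on __pkcs11h_openssl_enc, counting PIN prompts when the claimed output size is flen versus RSA_size(rsa), and when the helper does or does not remember that CKR_BUFFER_TOO_SMALL leaves the operation open. All names, sizes and the retry loop here are assumptions, not the library's own logic.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a PKCS#11 token. The return codes carry their real
 * PKCS#11 values; the key size is an assumption (1024-bit, so RSA_size() == 128). */
#define CKR_OK                        0x000UL
#define CKR_OPERATION_NOT_INITIALIZED 0x091UL
#define CKR_BUFFER_TOO_SMALL          0x150UL
#define MODULUS_BYTES                 128

static int token_op_active;  /* token side: a C_SignInit'ed operation is open */
static int pin_prompts;      /* how often the user had to type the PIN */

/* Model of C_Sign following the spec's buffer convention: a NULL output buffer only
 * reports the size, CKR_BUFFER_TOO_SMALL leaves the operation open, success closes it. */
static unsigned long mock_C_Sign(const unsigned char *in, size_t inlen,
                                 unsigned char *out, size_t *outlen)
{
    (void)in; (void)inlen;
    if (!token_op_active) return CKR_OPERATION_NOT_INITIALIZED;
    if (out == NULL) { *outlen = MODULUS_BYTES; return CKR_OK; }
    if (*outlen < MODULUS_BYTES) { *outlen = MODULUS_BYTES; return CKR_BUFFER_TOO_SMALL; }
    memset(out, 0xAB, MODULUS_BYTES);   /* placeholder signature bytes */
    *outlen = MODULUS_BYTES;
    token_op_active = 0;
    return CKR_OK;
}

/* What the helper does when it believes no operation is open: log in (PIN prompt)
 * and C_SignInit. Doing this while an operation is still open is the extra prompt. */
static void login_and_init(void) { pin_prompts++; token_op_active = 1; }

/* Caller modelled on __pkcs11h_openssl_enc: flen is the input length, tlen the output
 * size it claims (flen in 1.08, RSA_size(rsa) after r207). fixed_helper == 1 models
 * r207's certificate.c change: remember that the operation survives
 * CKR_BUFFER_TOO_SMALL. Returns the number of PIN prompts needed for one signature. */
static int do_private_op(size_t flen, size_t tlen, int fixed_helper)
{
    unsigned char in[36] = {0}, out[MODULUS_BYTES];  /* 0x24 input bytes, as in the log */
    size_t outlen = tlen;
    int helper_thinks_active = 0, attempt;
    unsigned long rv;
    pin_prompts = 0; token_op_active = 0;
    for (attempt = 0; attempt < 3; attempt++) {
        if (!helper_thinks_active) { login_and_init(); helper_thinks_active = 1; }
        rv = mock_C_Sign(in, flen, out, &outlen);
        if (rv == CKR_OK) return pin_prompts;
        if (rv != CKR_BUFFER_TOO_SMALL) return -1;
        helper_thinks_active = fixed_helper;  /* retry with the size the token reported */
    }
    return -1;
}
```

With tlen == flen and the 1.08 helper the signature costs two PIN prompts; either half of r207 (RSA_size() as the output length, or remembering the open operation) brings it back to one.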