The new pkcs11-helper interface allows setting up a pkcs11 provider via
properties:
https://github.com/alonbl/pkcs11-helper/commit/b78d21c7e26041746aa4ae3d08b95469e1714a85
pkcs11-helper also added the ability to set up init args for a pkcs11 provider:
https://github.com/alonbl/pkcs11-helper/commit/133f893e30856eba1de715ecd6fe176722eb3097
Signed-off-by: Petr Mikhalicin
---
src/openvpn/init.c| 3 +-
src/openvpn/options.c | 23
src/openvpn/options.h | 1 +
src/openvpn/pkcs11.c | 82 ---
src/openvpn/pkcs11.h | 3 +-
5 files changed, 90 insertions(+), 22 deletions(-)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 6d09e566..6af585ac 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -682,7 +682,8 @@ context_init_1(struct context *c)
for (i = 0; ioptions.pkcs11_providers[i] != NULL; i++)
{
pkcs11_addProvider(c->options.pkcs11_providers[i],
c->options.pkcs11_protected_authentication[i],
- c->options.pkcs11_private_mode[i],
c->options.pkcs11_cert_private[i]);
+ c->options.pkcs11_private_mode[i],
c->options.pkcs11_cert_private[i],
+ c->options.pkcs11_init_flags[i]);
}
}
#endif
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index b3a83aa1..0939ee86 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -664,6 +664,11 @@ static const char usage_message[] =
" 8 : Use Unwrap.\n"
"--pkcs11-cert-private [0|1] ... : Set if login should be performed
before\n"
" certificate can be accessed. Set for
each provider.\n"
+"--pkcs11-init-flags hex ... : PKCS#11 init flags.\n"
+" It's bitwise OR of some PKCS#11 initialize
flags.\n"
+" Most popular of them is:\n"
+" 1 :
CKF_LIBRARY_CANT_CREATE_OS_THREADS\n"
+" 2 : CKF_OS_LOCKING_OK\n"
"--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The
default is -1\n"
" cache until token is removed.\n"
"--pkcs11-id-management : Acquire identity from management
interface.\n"
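Review bot: The new `--pkcs11-init-flags` help entry does not say that its values are positional, one per provider, which the neighbouring `--pkcs11-cert-private` entry states with "Set for each provider."; add that sentence so users know the n-th value belongs to the n-th `--pkcs11-provider`. The two added lines `It's bitwise OR of some PKCS#11 initialize flags.` and `Most popular of them is:` read awkwardly; suggest `Bitwise OR of PKCS#11 C_Initialize flags, given in hex.` and `The most common are:`. The usage_message string starts and ends outside this hunk.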
@@ -1838,6 +1843,13 @@ show_settings(const struct options *o)
SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ?
"ENABLED" : "DISABLED", "%s");
}
}
+{
+int i;
+for (i = 0; ipkcs11_init_flags[i], "%08x");
+}
+}
SHOW_INT(pkcs11_pin_cache_period);
SHOW_STR(pkcs11_id);
SHOW_BOOL(pkcs11_id_management);
@@ -8778,6 +8790,17 @@ add_option(struct options *options,
options->pkcs11_cert_private[j-1] = atoi(p[j]) != 0 ? 1 : 0;
}
}
+else if (streq(p[0], "pkcs11-init-flags"))
+{
+int j;
+
+VERIFY_PERMISSION(OPT_P_GENERAL);
+
+for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
+{
+sscanf(p[j], "%x", &(options->pkcs11_init_flags[j-1]));
+}
+}
else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
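Review bot: The `sscanf(p[j], "%x", ...)` in the new `pkcs11-init-flags` branch discards its return value, so a value that is not valid hex (or an empty token) leaves `pkcs11_init_flags[j-1]` at whatever it held before and the configuration error is never reported; `%x` also quietly accepts a leading sign and trailing junk after the first non-hex character. Parse with `strtoul` on base 16, reject anything that is not fully consumed or does not fit `unsigned`, and report the bad value the way the rest of add_option reports option errors (as far as I can tell that is `msg(msglevel, ...)` followed by `goto err`; the enclosing function is outside this hunk, so confirm the label exists). `UINT_MAX` needs `<limits.h>` if options.c does not already include it.
```c
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
{
    char *end = NULL;
    unsigned long v = strtoul(p[j], &end, 16);
    /* reject empty, partially parsed, or out-of-range values instead of silently keeping stale flags */
    if (end == p[j] || *end != '\0' || v > UINT_MAX)
    {
        msg(msglevel, "--pkcs11-init-flags: invalid hex value '%s'", p[j]);
        goto err;
    }
    options->pkcs11_init_flags[j-1] = (unsigned)v;
}
```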
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 98c21a2a..2317528e 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -573,6 +573,7 @@ struct options
unsigned pkcs11_private_mode[MAX_PARMS];
bool pkcs11_protected_authentication[MAX_PARMS];
bool pkcs11_cert_private[MAX_PARMS];
+unsigned pkcs11_init_flags[MAX_PARMS];
int pkcs11_pin_cache_period;
const char *pkcs11_id;
bool pkcs11_id_management;
diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c
index 02d0f51f..29db7ea4 100644
--- a/src/openvpn/pkcs11.c
+++ b/src/openvpn/pkcs11.c
@@ -374,12 +374,17 @@ pkcs11_terminate(void)
bool
pkcs11_addProvider(
const char *const provider,
-const bool protected_auth,
+const bool _protected_auth,
const unsigned private_mode,
-const bool cert_private
+const bool _cert_private,
+const unsigned init_flags
)
{
CK_RV rv = CKR_OK;
+int success = true;
+PKCS11H_BOOL protected_auth = _protected_auth;
+PKCS11H_BOOL cert_private = _cert_private;
+CK_C_INITIALIZE_ARGS_PTR p_init_args;
ASSERT(provider!=NULL);
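Review bot: `int success = true;` in pkcs11_addProvider uses `int` for a flag while the function returns `bool` and the file already uses `bool` for its parameters; declare it `bool success = true;`. `CK_C_INITIALIZE_ARGS_PTR p_init_args;` is left indeterminate, and since the rest of the body is outside this hunk I cannot see whether every path assigns it before it is read; initialise it as `CK_C_INITIALIZE_ARGS_PTR p_init_args = NULL;` so the value is defined on all paths. Renaming the parameters to `_protected_auth` and `_cert_private` only to reuse the old names for the `PKCS11H_BOOL` copies is a style smell; keeping the parameter names and calling the converted locals e.g. `h_protected_auth`/`h_cert_private` reads more naturally and avoids leading-underscore identifiers.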
@@ -396,29 +401,66 @@ pkcs11_addProvider(
provider
);
-if (
-(rv = pkcs11h_addProvider(
- provider,
- provider,
- protected_auth,
- private_mode,
- PKCS11H_SLOTEVENT_METHOD_AUTO,
- 0,
- cert_private
- )) != CKR_OK
-)
-{
-msg(M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'",
provider, rv, pkcs11h_getMessage(rv));
+if ((rv = pkcs11h_registerProvider(provider)) != CKR_OK) {
+msg(M_WARN, "PKCS#11: Cannot re