}
/* If there was precisely one matching slot, and we still didn't find the cert,
try logging in to it. */
- if (matching_slots == 1 && login_slot->token->loginRequired) {
+ if (matching_slots == 1 && (login_slot->token->loginRequired || login_slot->token->userPinSet)) {
slot = login_slot;
vpn_progress(vpninfo, PRG_INFO,
_("Logging in to PKCS#11 slot '%s'\n"),
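Review bot: The comment at the top of this hunk still describes login as something attempted only when the token requires it, while the new condition also logs in whenever the token reports a user PIN as initialised (`userPinSet`), which is the workaround for tokens that omit CKF_LOGIN_REQUIRED; the comment should say so, e.g. `/* ... Some tokens forget to set CKF_LOGIN_REQUIRED even though a user PIN is initialised, so also try logging in when userPinSet is set (#123). */`. The identical condition is repeated in the next hunk (the key lookup that reuses pkcs11_cert_slot), so a one-line static helper such as `static int slot_needs_login(const PKCS11_SLOT *s) { return s->token->loginRequired || s->token->userPinSet; }` would keep the two in step. Since login is now attempted on tokens that did not actually demand it, it is worth confirming that a failed login in the code below the hunk is still treated as "cert not found" rather than as a fatal error; that handling is outside the hunk, as is the start of the enclosing function.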
login_slot = vpninfo->pkcs11_cert_slot;
vpninfo->pkcs11_cert_slot = NULL;
}
- if (matching_slots == 1 && login_slot->token->loginRequired) {
+ if (matching_slots == 1 && (login_slot->token->loginRequired || login_slot->token->userPinSet)) {
slot = login_slot;
vpn_progress(vpninfo, PRG_INFO,
_("Logging in to PKCS#11 slot '%s'\n"),
# the certs after we log in. Perhaps it's cached the results?
PKCS11_TOKENS += openconnect-test2
endif # OPENCONNECT_GNUTLS
+if OPENCONNECT_OPENSSL
+# GnuTLS build fails this one: https://gitlab.com/gnutls/gnutls/-/issues/977
+PKCS11_TOKENS += openconnect-test3
+endif # OPENCONNECT_OPENSSL
endif # TEST_PKCS11
endif # HAVE_CWRAP
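Review bot: The new comment on the OPENCONNECT_OPENSSL guard records that the GnuTLS build fails openconnect-test3 but not what fails or when the guard can go, so a reader cannot tell whether it is still needed; state the exit condition, e.g. `# GnuTLS build fails this one (see gnutls issue 977); drop this guard once a GnuTLS release with that fix is required`. The guard also appears to mean the CKF_LOGIN_REQUIRED workaround is only exercised on the OpenSSL build, which seems consistent with the C change in this commit touching only the libp11 path, but that is an inference worth recording next to the guard.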
--load-privkey $(certsdir)/ec-key-pkcs8.pem \
--label EC --id 03 --login \
--write "pkcs11:token=openconnect-test2;pin-value=1234"
+
+# Fourth test: token lacks CKF_LOGIN_REQUIRED (#123)
+softhsm-setup3:
+ $(SHM2_UTIL) --show-slots
+ $(SHM2_UTIL) --init-token --free --label openconnect-test3 \
+ --so-pin 12345678 --pin 1234
+
+# Remove the CKF_LOGIN_REQUIRED flag
+ TOKOBJ=$$(grep -l openconnect-test3 $(srcdir)/softhsm/*/token.object); \
+ if [ -n "$$TOKOBJ" ] && od -t x1 $$TOKOBJ | grep -q '^0000160.* 04 2d$$'; then \
+ echo -en \\x29 | dd bs=1 count=1 conv=notrunc seek=127 of=$$TOKOBJ; \
+ else \
+ echo "Token file not understood"; \
+ exit 1; \
+ fi
+
+ $(P11TOOL) --load-certificate $(certsdir)/user-cert.pem \
+ --load-privkey $(certsdir)/user-key-pkcs8.pem \
+ --label RSA --id 01 --login \
+ --write "pkcs11:token=openconnect-test3;pin-value=1234"
+
+ $(P11TOOL) --load-certificate $(certsdir)/dsa-cert.pem \
+ --load-privkey $(certsdir)/dsa-key-pkcs8.pem \
+ --label DSA --id 02 --login \
+ --write "pkcs11:token=openconnect-test3;pin-value=1234"
+
+ $(P11TOOL) --load-certificate $(certsdir)/ec-cert.pem \
+ --load-privkey $(certsdir)/ec-key-pkcs8.pem \
+ --label EC --id 03 --login \
+ --write "pkcs11:token=openconnect-test3;pin-value=1234"
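Review bot: `echo -en \\x29` in the flag-patching recipe is not portable: the `-e` option and `\x` hex escapes are bash/GNU extensions, and under a POSIX `sh` such as dash the byte written by `dd ... seek=127` would be the first character of the literal text rather than 0x29, so the token would silently keep CKF_LOGIN_REQUIRED and the test would stop exercising the workaround; the POSIX form is `printf '\051' | dd bs=1 count=1 conv=notrunc seek=127 of=$$TOKOBJ; \`. The magic numbers also deserve a comment, since od prints octal addresses: line `0000160` covers bytes 112–127, the trailing `04 2d` pins byte 127 (which appears to hold the token flags) at 0x2d, and 0x29 is that value with CKF_LOGIN_REQUIRED (0x04) cleared — e.g. `# od addresses are octal: line 0000160 = bytes 112-127; byte 127 holds flags 0x2d, clearing CKF_LOGIN_REQUIRED (0x04) gives 0x29`. Finally, `grep -l` can match more than one token.object if a stale openconnect-test3 token from an earlier run survives under $(srcdir)/softhsm, in which case `$$TOKOBJ` holds two paths and both the `od` check and `dd of=` misbehave; a guard such as `test $$(echo $$TOKOBJ | wc -w) -eq 1 || { echo "More than one openconnect-test3 token"; exit 1; }` would make that failure explicit.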
<li>Fix crash with uninitialised OIDC token.</li>
<li>GlobalProtect: more resilient handling of periodic HIP check and login arguments, and predictable naming of challenge forms</li>
<li>Disable <a href="https://en.wikipedia.org/wiki/Nagle's_algorithm">Nagle's algorithm</a> for TLS sockets, to improve interactivity when tunnel runs over TCP rather than UDP.</li>
+ <li>Work around PKCS#11 tokens which forget to set <tt>CKF_LOGIN_REQUIRED</tt> (<a href="https://gitlab.com/openconnect/openconnect/issues/123">#123</a>).</li>
</ul><br/>
</li>
<li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.07.tar.gz">OpenConnect v8.07</a></b>