From: David Woodhouse
Date: Tue, 14 Apr 2020 12:48:09 +0000 (+0100)
Subject: Log in slots with CKF_USER_PIN_INITIALIZED and not CKF_LOGIN_REQUIRED
X-Git-Tag: v8.09~10
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=f97239a73b995ec422b6c4656bf14d6f3ea06a62;p=users%2Fdwmw2%2Fopenconnect.git

Log in slots with CKF_USER_PIN_INITIALIZED and not CKF_LOGIN_REQUIRED

Fixes: #123 (for OpenSSL build)

Signed-off-by: David Woodhouse
---

diff --git a/openssl-pkcs11.c b/openssl-pkcs11.c
index 0ba6b163..171d65a8 100644
--- a/openssl-pkcs11.c
+++ b/openssl-pkcs11.c
@@ -381,7 +381,7 @@ int load_pkcs11_certificate(struct openconnect_info *vpninfo)
 }
 /* If there was precisely one matching slot, and we still didn't find the cert, try logging in to it. */
- if (matching_slots == 1 && login_slot->token->loginRequired) {
+ if (matching_slots == 1 && (login_slot->token->loginRequired || login_slot->token->userPinSet)) {
 slot = login_slot;
 vpn_progress(vpninfo, PRG_INFO,
 _("Logging in to PKCS#11 slot '%s'\n"),
@@ -615,7 +615,7 @@ int load_pkcs11_key(struct openconnect_info *vpninfo)
 login_slot = vpninfo->pkcs11_cert_slot;
 vpninfo->pkcs11_cert_slot = NULL;
 }
- if (matching_slots == 1 && login_slot->token->loginRequired) {
+ if (matching_slots == 1 && (login_slot->token->loginRequired || login_slot->token->userPinSet)) {
 slot = login_slot;
 vpn_progress(vpninfo, PRG_INFO,
 _("Logging in to PKCS#11 slot '%s'\n"),
diff --git a/tests/Makefile.am b/tests/Makefile.am
index ba7b88f7..4645fe45 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -69,6 +69,10 @@ if OPENCONNECT_GNUTLS
 # the certs after we log in. Perhaps it's cached the results?
 PKCS11_TOKENS += openconnect-test2
 endif # OPENCONNECT_GNUTLS
+if OPENCONNECT_OPENSSL
+# GnuTLS build fails this one: https://gitlab.com/gnutls/gnutls/-/issues/977
+PKCS11_TOKENS += openconnect-test3
+endif # OPENCONNECT_OPENSSL
 endif # TEST_PKCS11
 endif # HAVE_CWRAP
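Review bot: The widened condition on the `if` in load_pkcs11_certificate needs a comment recording why CKF_USER_PIN_INITIALIZED is treated as a reason to log in, because on its face a user PIN being set says nothing about whether private objects are hidden; the workaround reads as a typo without the rationale. Suggest, above the `if`: `/* Some tokens omit CKF_LOGIN_REQUIRED yet set CKF_USER_PIN_INITIALIZED (#123); treat either as a sign that logging in may expose the objects we could not see. */`. Since this path now reaches more tokens and a login attempt with a wrong PIN consumes a retry on hardware tokens with a PIN counter, the comment should also note that it is only taken after the unauthenticated search over a single matching slot came up empty, which is what bounds that risk. The body of load_pkcs11_certificate continues outside the hunk.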
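Review bot: The compound condition on the `+` line of load_pkcs11_key is now duplicated verbatim from load_pkcs11_certificate, so the next token-flag workaround has to be applied in two places and the two paths can drift. A small file-scope helper such as `static int pkcs11_token_may_need_login(...)` returning `tok->loginRequired || tok->userPinSet` (taking whatever token type `login_slot->token` has, which is not visible here) would let both sites read `if (matching_slots == 1 && pkcs11_token_may_need_login(login_slot->token)) {`. Both sites dereference `login_slot->token` unconditionally, so the helper should keep the assumption, presumably established outside the hunk, that `login_slot` is non-NULL whenever `matching_slots == 1`. The body of load_pkcs11_key continues outside the hunk.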
@@ -258,3 +262,33 @@ softhsm-setup2:
 --load-privkey $(certsdir)/ec-key-pkcs8.pem \
 --label EC --id 03 --login \
 --write "pkcs11:token=openconnect-test2;pin-value=1234"
+
+# Fourth test: token lacks CKF_LOGIN_REQUIRED (#123)
+softhsm-setup3:
+ $(SHM2_UTIL) --show-slots
+ $(SHM2_UTIL) --init-token --free --label openconnect-test3 \
+ --so-pin 12345678 --pin 1234
+
+# Remove the CKF_LOGIN_REQUIRED flag
+ TOKOBJ=$$(grep -l openconnect-test3 $(srcdir)/softhsm/*/token.object); \
+ if [ -n "$$TOKOBJ" ] && od -t x1 $$TOKOBJ | grep -q '^0000160.* 04 2d$$'; then \
+ echo -en \\x29 | dd bs=1 count=1 conv=notrunc seek=127 of=$$TOKOBJ; \
+ else \
+ echo "Token file not understood"; \
+ exit 1; \
+ fi
+
+ $(P11TOOL) --load-certificate $(certsdir)/user-cert.pem \
+ --load-privkey $(certsdir)/user-key-pkcs8.pem \
+ --label RSA --id 01 --login \
+ --write "pkcs11:token=openconnect-test3;pin-value=1234"
+
+ $(P11TOOL) --load-certificate $(certsdir)/dsa-cert.pem \
+ --load-privkey $(certsdir)/dsa-key-pkcs8.pem \
+ --label DSA --id 02 --login \
+ --write "pkcs11:token=openconnect-test3;pin-value=1234"
+
+ $(P11TOOL) --load-certificate $(certsdir)/ec-cert.pem \
+ --load-privkey $(certsdir)/ec-key-pkcs8.pem \
+ --label EC --id 03 --login \
+ --write "pkcs11:token=openconnect-test3;pin-value=1234"
diff --git a/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/2da91be2-c722-1e38-acb9-d42aa5911b3b.lock b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/2da91be2-c722-1e38-acb9-d42aa5911b3b.lock
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/2da91be2-c722-1e38-acb9-d42aa5911b3b.object b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/2da91be2-c722-1e38-acb9-d42aa5911b3b.object
new file mode 100644
index 00000000..d63cabb0
Binary files /dev/null and b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/2da91be2-c722-1e38-acb9-d42aa5911b3b.object differ
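Review bot: The byte patch in softhsm-setup3, `echo -en \\x29 | dd bs=1 count=1 conv=notrunc seek=127 of=$$TOKOBJ`, depends on a bash-only `echo`; make runs recipes with $(SHELL), which defaults to /bin/sh, and under dash `echo -en \x29` prints `-en \x29` literally, so the single byte dd copies is `-` (0x2d), exactly the value the preceding `od` check just matched. The recipe then exits successfully with CKF_LOGIN_REQUIRED still set and the regenerated token no longer reproduces #123; the committed fixture under tests/softhsm/ is unaffected until someone re-runs this target. A portable replacement is `printf '\051' | dd bs=1 count=1 conv=notrunc seek=127 of=$$TOKOBJ; \`, and re-running the check afterwards as `od -t x1 $$TOKOBJ | grep -q '^0000160.* 04 29$$' || exit 1` would catch any future silent no-op. The offset and 0x2d→0x29 mapping (clearing the 0x04 bit at the last byte of the 0000160 od row) are tied to the SoftHSM2 on-disk layout, which the existing "Token file not understood" branch already guards against.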
diff --git a/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/53c2b10f-0c5e-de1d-2d1e-22fd048e3d70.lock b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/53c2b10f-0c5e-de1d-2d1e-22fd048e3d70.lock
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/53c2b10f-0c5e-de1d-2d1e-22fd048e3d70.object b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/53c2b10f-0c5e-de1d-2d1e-22fd048e3d70.object
new file mode 100644
index 00000000..7f601412
Binary files /dev/null and b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/53c2b10f-0c5e-de1d-2d1e-22fd048e3d70.object differ
diff --git a/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/6795319c-f776-6faa-b1d7-3878b9096eff.lock b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/6795319c-f776-6faa-b1d7-3878b9096eff.lock
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/6795319c-f776-6faa-b1d7-3878b9096eff.object b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/6795319c-f776-6faa-b1d7-3878b9096eff.object
new file mode 100644
index 00000000..e1ecdf35
Binary files /dev/null and b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/6795319c-f776-6faa-b1d7-3878b9096eff.object differ
diff --git a/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/9bf49199-36eb-ac67-8fee-644f9a743af2.lock b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/9bf49199-36eb-ac67-8fee-644f9a743af2.lock
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/9bf49199-36eb-ac67-8fee-644f9a743af2.object b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/9bf49199-36eb-ac67-8fee-644f9a743af2.object
new file mode 100644
index 00000000..3b9c194a
Binary files /dev/null and b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/9bf49199-36eb-ac67-8fee-644f9a743af2.object differ
diff --git a/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/a273d1ac-570a-d217-b4b1-a8d7ed34203c.lock b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/a273d1ac-570a-d217-b4b1-a8d7ed34203c.lock
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/a273d1ac-570a-d217-b4b1-a8d7ed34203c.object b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/a273d1ac-570a-d217-b4b1-a8d7ed34203c.object
new file mode 100644
index 00000000..8e9ba97b
Binary files /dev/null and b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/a273d1ac-570a-d217-b4b1-a8d7ed34203c.object differ
diff --git a/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/ea59535b-eecb-e2fd-a6e3-99d828e5972f.lock b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/ea59535b-eecb-e2fd-a6e3-99d828e5972f.lock
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/ea59535b-eecb-e2fd-a6e3-99d828e5972f.object b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/ea59535b-eecb-e2fd-a6e3-99d828e5972f.object
new file mode 100644
index 00000000..a9ae8fc7
Binary files /dev/null and b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/ea59535b-eecb-e2fd-a6e3-99d828e5972f.object differ
diff --git a/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/generation b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/generation
new file mode 100644
index 00000000..379d85ce
Binary files /dev/null and b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/generation differ
diff --git a/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/token.lock b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/token.lock
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/token.object b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/token.object
new file mode 100644
index 00000000..dd6294b4
Binary files /dev/null and b/tests/softhsm/e0a4adf3-068e-288d-1c53-a97935ad11e7/token.object differ
diff --git a/www/changelog.xml b/www/changelog.xml
index b3a96c0c..ba0c2b53 100644
--- a/www/changelog.xml
+++ b/www/changelog.xml
@@ -27,6 +27,7 @@
  • Fix crash with uninitialised OIDC token.
  • GlobalProtect: more resilient handling of periodic HIP check and login arguments, and predictable naming of challenge forms
  • Disable Nagle's algorithm for TLS sockets, to improve interactivity when tunnel runs over TCP rather than UDP.
  • +
  • Work around PKCS#11 tokens which forget to set CKF_LOGIN_REQUIRED (#123).

  • OpenConnect v8.07