Ticket #538: 0001-pkcs11-Workaround-to-make-PKCS-11-PIN-token-work-wit.patch

src/openvpn/console.h

@@ -42 +42 @@
 #define QUERY_USER_NUMSLOTS 10
 extern struct _query_user query_user[];  /**< Global variable, declared in console.c */
 
+typedef enum {
+                QUERYUSER_NO_ECHO,        /**< hide user input, used for passwords */
+                QUERYUSER_FORCE_BUILTIN   /**< Force using the builtin query mechanism
+                                               (pkcs11-helper workaround) */
+} QueryFlags;
+
 /**
  * Wipes all data put into all of the query_user structs
  *
@@ -75 +81 @@
 bool query_user_exec_builtin(void);
 
 
-#if defined(ENABLE_SYSTEMD)
 /**
  * Executes a configured setup, using the compiled method for querying the user
  *
@@ -83 +88 @@
  *
  * @return True if executing all the defined steps completed successfully
  */
-bool query_user_exec(void);
-
-#else  /* ENABLE_SYSTEMD not defined*/
-/**
- * Wrapper function enabling query_user_exec() if no alternative methods have
- * been enabled
- *
- */
-static bool
-query_user_exec(void)
+static inline bool
+query_user_exec(bool force_builtin)
 {
-    return query_user_exec_builtin();
+#ifdef ENABLE_SYSTEMD
+        bool query_user_exec_systemd(void); /* console_systemd.c */
+        if (!force_builtin)
+        {
+                return query_user_exec_systemd();
+        }
+#endif
+        return query_user_exec_builtin();
 }
-#endif  /* defined(ENABLE_SYSTEMD) */
 
 
 /**
@@ -109 +112 @@
 static inline bool
 query_user_SINGLE(char *prompt, size_t prompt_len,
                   char *resp, size_t resp_len,
-                  bool echo)
+                  QueryFlags flags)
 {
     query_user_clear();
-    query_user_add(prompt, prompt_len, resp, resp_len, echo);
-    return query_user_exec();
+    query_user_add(prompt, prompt_len, resp, resp_len,
+                   (flags & QUERYUSER_NO_ECHO));
+    return query_user_exec(flags & QUERYUSER_FORCE_BUILTIN);
 }
 
 #endif /* ifndef CONSOLE_H */

src/openvpn/console_systemd.c

@@ -95 +95 @@
  *
  */
 bool
-query_user_exec(void)
+query_user_exec_systemd(void)
 {
     bool ret = true;  /* Presume everything goes okay */
     int i;

src/openvpn/misc.c

@@ -186 +186 @@
 
             buf_printf(&user_prompt, "NEED-OK|%s|%s:", prefix, up->username);
             if (!query_user_SINGLE(BSTR(&user_prompt), BLEN(&user_prompt),
-                                   up->password, USER_PASS_LEN, false))
+                                   up->password, USER_PASS_LEN,
+                                   QUERYUSER_NO_ECHO))
             {
                 msg(M_FATAL, "ERROR: could not read %s ok-confirmation from stdin", prefix);
             }
@@ -285 +286 @@
                     buf_printf(&challenge, "CHALLENGE: %s", ac->challenge_text);
                     buf_set_write(&packed_resp, (uint8_t *)up->password, USER_PASS_LEN);
 
+                    QueryFlags qryflag = 0;
+                    if (BOOL_CAST(ac->flags&CR_ECHO))
+                    {
+                        qryflag |= QUERYUSER_NO_ECHO;
+                    }
                     if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge),
-                                           response, USER_PASS_LEN, BOOL_CAST(ac->flags&CR_ECHO)))
+                                           response, USER_PASS_LEN, qryflag))
                     {
                         msg(M_FATAL, "ERROR: could not read challenge response from stdin");
                     }
@@ -320 +326 @@
                                    up->password, USER_PASS_LEN, false);
                 }
 
-                if (!query_user_exec() )
+                if (!query_user_exec((flags & GET_USER_PASS_FORCE_BUILTIN)) )
                 {
                     msg(M_FATAL, "ERROR: Failed retrieving username or password");
                 }
@@ -343 +349 @@
                     challenge = alloc_buf_gc(14+strlen(auth_challenge), &gc);
                     buf_printf(&challenge, "CHALLENGE: %s", auth_challenge);
 
+                    QueryFlags qryflag = QUERYUSER_NO_ECHO;
+                    if (BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO))
+                    {
+                        qryflag = 0;
+                    }
                     if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge),
-                                           response, USER_PASS_LEN,
-                                           BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO)))
+                                           response, USER_PASS_LEN, qryflag))
                     {
                         msg(M_FATAL, "ERROR: could not retrieve static challenge response");
                     }

src/openvpn/misc.h

@@ -126 +126 @@
 #define GET_USER_PASS_STATIC_CHALLENGE_ECHO  (1<<9) /* SCRV1 protocol -- echo response */
 
 #define GET_USER_PASS_INLINE_CREDS (1<<10)  /* indicates that auth_file is actually inline creds */
+#define GET_USER_PASS_FORCE_BUILTIN (1<<11) /* force using the built-in query_user function */
 
 bool get_user_pass_cr(struct user_pass *up,
                       const char *auth_file,

src/openvpn/pkcs11.c

@@ -257 +257 @@
             &token_pass,
             NULL,
             prompt,
-            GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY|GET_USER_PASS_NOFATAL
+            GET_USER_PASS_MANAGEMENT | GET_USER_PASS_PASSWORD_ONLY
+             | GET_USER_PASS_NOFATAL | GET_USER_PASS_FORCE_BUILTIN
             )
         )
     {
@@ -814 +815 @@
 
     buf_printf(&pass_prompt, "Please enter '%s' token PIN or 'cancel': ", token->display);
     if (!query_user_SINGLE(BSTR(&pass_prompt), BLEN(&pass_prompt),
-                           pin, pin_max, false))
+                           pin, pin_max,
+                           (QUERYUSER_NO_ECHO | QUERYUSER_FORCE_BUILTIN)))
     {
         msg(M_FATAL, "Could not retrieve the PIN");
     }