Opened 12 years ago
Closed 12 years ago
#231 closed Bug / Defect (fixed)
Options parsing demands unnecessary configuration if PKCS11 is used
Reported by: | felixbrunner | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Configuration | Version: | OpenVPN 2.3-beta / 2.3-RC (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | pkcs11 |
Cc: |
Description
Options parsing produces the following error output if pkcs11 options are selected:
```
Options error: No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass
```
Parsing seems to miss that pkcs11 options are selected and continues with consistency checks.
I believe this is caused by the following if statement in options.c:
```c
#ifdef ENABLE_PKCS11
  if (options->pkcs11_providers[0])
    {
      notnull (options->ca_file, "CA file (--ca)");

      if (options->pkcs11_id_management && options->pkcs11_id != NULL)
        msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
      if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
        msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
      if (options->cert_file)
        msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
      if (options->priv_key_file)
        msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
#ifdef MANAGMENT_EXTERNAL_KEY
      if (options->management_flags & MF_EXTERNAL_KEY)
        msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
#endif
      if (options->pkcs12_file)
        msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
#ifdef ENABLE_CRYPTOAPI
      if (options->cryptoapi_cert)
        msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
#endif
    }
  else
#endif
#ifdef ENABLE_CRYPTOAPI
#ifdef MANAGMENT_EXTERNAL_KEY
  // Felix: The following if statement completes the if then else statement
  // and the code continues options parsing. This seems to be the issue.
  if((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
    msg (M_USAGE, "--key and --management-external-key are mutually exclusive");
#endif
```
The previous version, i.e. OpenVPN 2.2, shows a different behavior and accepts the configuration. When I modify the configuration and provide a useless 'auth-user-pass' option, the OpenVPN client asks for username and password, but still uses the pkcs11 module to access certificates from my eToken. So the functionality itself works, it is just an issue with command line parsing:
Attachments (1)
Change History (2)
Changed 12 years ago by
Attachment: | client.ovpn added |
---|
comment:1 Changed 12 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
Thank you for your report. We've applied a patch (which will be included in the v2.3_RC1 release) which we believe solves this issue.
```
commit ad0cc02234e17ab1f43488c4393059ea1c9d8f95
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Wed Oct 17 12:46:14 2012 +0200

    Options parsing demands unnecessary configuration if PKCS11 is used

    In the old patch the if incorrectly closed the outer if condition.
    (closes ticket #231)

    Trac-ticket: 231
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: David Sommerseth <davids@redhat.com>
    Message-Id: 1350470774-12511-1-git-send-email-arne@rfc2549.org
    URL: http://article.gmane.org/gmane.network.openvpn.devel/7095
    Signed-off-by: David Sommerseth <davids@redhat.com>
    (cherry picked from commit 70a07339f8d323d69cdcf8d59da1f331d39e4d0a)
```
Configuration file using pkcs11 option
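The dangling `else` described in this ticket, reduced to a compilable C sketch. It is an added illustration, not OpenVPN's code and not the committed patch. `struct opts`, `check_buggy`, `check_braced` and the sample values are hypothetical, and bracing the branch is an assumed way to pin its extent, not taken from the fix.

```c
#include <stdio.h>
/* Assumed build flags: both features compiled in. */
#define ENABLE_PKCS11 1
#define MANAGMENT_EXTERNAL_KEY 1
/* Hypothetical, reduced stand-in for OpenVPN's struct options. */
struct opts { const char *pkcs11_provider, *cert_file, *priv_key_file;
              int external_key, auth_user_pass; };
#define NO_AUTH "No client-side authentication method is specified"
#define EXCL "--key and --management-external-key are mutually exclusive"

/* Ticket's shape: the #ifdef'd `if` becomes the entire else branch. */
static const char *check_buggy(const struct opts *o)
{
#ifdef ENABLE_PKCS11
    if (o->pkcs11_provider) {
        if (o->cert_file) return "--cert cannot be used with --pkcs11-provider";
    } else
#endif
#ifdef MANAGMENT_EXTERNAL_KEY
    if (o->external_key && o->priv_key_file) return EXCL;
#endif
    /* Meant for the non-PKCS#11 path only, but reached on both paths. */
    if (!o->cert_file && !o->auth_user_pass) return NO_AUTH;
    return NULL;
}

/* Braces fix the else branch's extent whatever the preprocessor keeps. */
static const char *check_braced(const struct opts *o)
{
#ifdef ENABLE_PKCS11
    if (o->pkcs11_provider) {
        if (o->cert_file) return "--cert cannot be used with --pkcs11-provider";
    } else
#endif
    {
#ifdef MANAGMENT_EXTERNAL_KEY
        if (o->external_key && o->priv_key_file) return EXCL;
#endif
        if (!o->cert_file && !o->auth_user_pass) return NO_AUTH;
    }
    return NULL;
}
/* Constructed sample configurations. */
static const struct opts pkcs11_only = { "provider.so", NULL, NULL, 0, 0 };
static const struct opts no_method   = { NULL, NULL, NULL, 0, 0 };
int main(void)
{
    const char *b = check_buggy(&pkcs11_only), *f = check_braced(&pkcs11_only);
    printf("buggy: %s\nbraced: %s\n", b ? b : "accepted", f ? f : "accepted");
    return 0;
}
```

Both variants still reject `no_method`, so bracing the branch does not weaken the check for configurations that really lack a client authentication method.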