Opened 8 years ago

Closed 8 years ago

#231 closed Bug / Defect (fixed)

Options parsing demands unnecessary configuration if PKCS11 is used

Reported by: felixbrunner Owned by:
Priority: major Milestone:
Component: Configuration Version: OpenVPN 2.3-beta / 2.3-RC (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: pkcs11
Cc:

Description

Options parsing produces the following error output if pkcs11 options are selected:

Options error: No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth
-user-pass

Parsing seems to miss that pks11 options are selected and continues with consistency checks.
I believe this is caused by the following if statement in options.c:

#ifdef ENABLE_PKCS11
      if (options->pkcs11_providers[0])
       {
        notnull (options->ca_file, "CA file (--ca)");

	if (options->pkcs11_id_management && options->pkcs11_id != NULL)
	  msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
	if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
	  msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
	if (options->cert_file)
	  msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
	if (options->priv_key_file)
	  msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
#ifdef MANAGMENT_EXTERNAL_KEY
	if (options->management_flags & MF_EXTERNAL_KEY)
	  msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
#endif
	if (options->pkcs12_file)
	  msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
#ifdef ENABLE_CRYPTOAPI
	if (options->cryptoapi_cert)
	  msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
#endif
       }
      else
#endif
#ifdef ENABLE_CRYPTOAPI
#ifdef MANAGMENT_EXTERNAL_KEY
// Felix: The following if statement completes the if then else statement and the code continues options parsing. This seems to be the issue.
	 if((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
		msg (M_USAGE, "--key and --management-external-key are mutually exclusive");
#endif

The previous version, i.e. OpenVPN 2.2 shows a different behavior and accepts the configuration. When I modify the configuration and provide a useless 'auth-user-pass' option, the OpenVPN client asks for username and password, but still uses the pkcs11 module to access certificates from my eToken. So the functionality itself works, it is just an issue with command line parsing:

Attachments (1)

client.ovpn (3.8 KB) - added by felixbrunner 8 years ago.
Configuration file using pkcs11 option

Download all attachments as: .zip

Change History (2)

Changed 8 years ago by felixbrunner

Attachment: client.ovpn added

Configuration file using pkcs11 option

comment:1 Changed 8 years ago by David Sommerseth

Resolution: fixed
Status: newclosed

Thank you for your report. We've applied a patch (which will be included in the v2.3_RC1 release) which we believe solves this issue.

commit ad0cc02234e17ab1f43488c4393059ea1c9d8f95
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Wed Oct 17 12:46:14 2012 +0200

    Options parsing demands unnecessary configuration if PKCS11 is used
    
    In the old patch the if incorrectly closed the outer if condition.
    (closes ticket #231)
    
    Trac-ticket: 231
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: David Sommerseth <davids@redhat.com>
    Message-Id: 1350470774-12511-1-git-send-email-arne@rfc2549.org
    URL: http://article.gmane.org/gmane.network.openvpn.devel/7095
    Signed-off-by: David Sommerseth <davids@redhat.com>
    (cherry picked from commit 70a07339f8d323d69cdcf8d59da1f331d39e4d0a)
Note: See TracTickets for help on using tickets.