Opened 20 months ago

Last modified 18 months ago

#740 accepted Bug / Defect

No PIN prompt with PKCS11 in Windows GUI mode

Reported by: Bjoern Voigt Owned by: selvanair
Priority: major Milestone: release 2.4
Component: Windows GUI Version: OpenVPN 2.3.12 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc: selvanair, Samuli Seppänen

Description

The OpenVPN GUI for Windows is unable to query a PIN for smartcards (tested with Yubikey 4). The GUI queries username and password (if needed), but it fails to query the PIN. The problem seems to be similar to bug #538.

The source code shows that OpenVPN has at least three options for querying the PIN:

  1. script/file (not tested)
  2. management console (tested manually with telnet)
  3. console input

1) and 2) may be good options, but I haven't found no good and secure standard solutions for it. So only 3) can be easily setup.

Solution 3) does not work in OpenVPN GUI. It works, if OpenVPN is started in console.

I suggest, that PIN entry is handled the same way like username/passwords.

Change History (18)

comment:1 Changed 20 months ago by Bjoern Voigt

I wrote some code to solve the issue:

https://github.com/bjoernv/openvpn-gui

The code uses for PIN requests the same dialog as for private key requests. It is tested with a RSA key pair on a Yubikey 4. In next step a separate dialog should follow.

Please test the code.

comment:2 Changed 20 months ago by dms

I've tried this patch on a Windows 10, 64bit client using a Nitrokey and can confirm that now a dialogue pops up for me asking for the pin to access the certificate and that when the correct pin is provided a connection is made successfully to the OpenVPN server.

Thank you!

comment:3 Changed 20 months ago by Gert Döring

Cc: selvanair added
Owner: set to Gert Döring
Status: newassigned

@selvanair: since you're working on the gui bits related to this anyway right now - could you have a look?

(This might be something to include both in the master and 2.3 branches for gui)

comment:4 Changed 20 months ago by Gert Döring

Owner: Gert Döring deleted

comment:5 Changed 20 months ago by selvanair

I will submit a PR for this soon -- the feature branch is here:
https://github.com/selvanair/openvpn-gui/tree/pkcs11-pin-v3

Test reports / comments would be highly appreciated.

As for back-porting this to the GUI branch for 2.3, it may be easier to just fork off a new branch of the GUI for 2.3 distribution. The master branch of GUI should work well with 2.3 except for a initial message that encourages the user to start the interactive service..

comment:6 Changed 20 months ago by selvanair

Owner: set to selvanair
Status: assignedaccepted

comment:7 Changed 19 months ago by selvanair

Support for token insertion request and pin prompt is in PR 61. Review and/or test reports would be highly appreciated. A test executable is available here

edit: Its PR 91, not 61 (the link is right)

Last edited 19 months ago by selvanair (previous) (diff)

comment:8 Changed 19 months ago by Gert Döring

Cc: Samuli Seppänen added

@bjoernv: can you test with the executable provided by selvanair in comment 7? If that works for you, we have a feature-ACK and just need the code review to have it merged...

Copying in mattock as well (gui merging, windows installers).

comment:9 Changed 19 months ago by Bjoern Voigt

I am not sure which is the recommended testing setup? (Where should I register the executable openvpn-gui-pkcs11-pin.exe?)

Currently I use the Windows CryptoAPI interface, but I can try to test the OpenSC API.

comment:10 Changed 19 months ago by selvanair

@bjoernv: No special test setup required.

Use the same config as that you originally reported to be not showing pkcs11 pin prompt through the GUI, but working from console. This test GUI works the same way as the released binary except for additional features including support for pkcs11 pin prompt.

If your installed openvpn version is 2.3.x, start this GUI as admin (runas administrator). With openvpn 2.4, running as limited user will work.

comment:11 in reply to:  7 Changed 18 months ago by Bjoern Voigt

Replying to selvanair:

Support for token insertion request and pin prompt is in PR 61. Review and/or test reports would be highly appreciated. A test executable is available here

edit: Its PR 91, not 61 (the link is right)

I successfully tested PR 91 in OpenSC and CryptoAPI modes:

setup 1: OpenSC

  • pkcs11-providers opensc-pkcs11.dll
  • pkcs11-protected-authentication 1
  • pkcs11-id "piv_II/..."
  • Yubikey 4 in smartcard mode

setup 2: CryptoAPI

  • cryptoapicert "SUBJ:myusername-client1"
  • Yubikey 4 in smartcard mode

There is one annoying problem left:

  • If the Yubikey is removed and inserted again during OpenVPN startup, it will not be recognized anymore and the message dialog "Please insert PIV_II (PIV Card Holder pin)" (OK/Cancel) opens again and again in an endless loop regardless if you press OK or Cancel. The PIN entry dialog does not show up.

comment:12 Changed 18 months ago by selvanair

@bjoernv: Thanks for the test report.

The GUI starts openvpn with --auth-retry-interact and that could explain repeated restarts on private-key authentication failure (in this case due to no token found). Will fix this by setting retry to none if cancel is pressed.

The failure to detect the token when re-inserted could be a mis-behaviour in the pkcs11-helper library used by openvpn. This needs to be investigated.

comment:13 Changed 18 months ago by selvanair

PR updated with no retry on failed/cancelled token insertion. New test exec is here

comment:14 Changed 18 months ago by selvanair

Milestone: release 2.4

comment:15 Changed 18 months ago by Bjoern Voigt

I tested the latest PR again with a Yubikey 4 and OpenSC drivers. In the following situations the new code works right:

  1. Yubikey 4 insert -> start account in OpenVPN GUI -> "Input Password/PIN for Token 'PIV_II (PIV Card holder pin)" dialog -> enter correct PIN -> OK
  2. Yubikey 4 insert -> start account in OpenVPN GUI -> "Input Password/PIN for Token 'PIV_II (PIV Card holder pin)" dialog -> Cancel -> Stop -> OK
  3. start account in OpenVPN GUI -> "Please insert PIV_II (PIV Card Holder pin) token" dialog -> Cancel -> Stop -> OK

In the following more exotic situation the program still runs in an endless loop:

  1. Yubikey 4 insert -> start account in OpenVPN GUI -> "Input Password/PIN for Token 'PIV_II (PIV Card holder pin)" dialog -> remove Yubikey 4 -> enter correct or incorrect PIN -> "Please insert PIV_II (PIV Card Holder pin) token" dialog -> last dialog loops regardless if the user chooses OK or Cancel. The user still can press "Disconnect" on the log windows, if he is fast enough to close the session.

comment:16 in reply to:  12 Changed 18 months ago by Bjoern Voigt

Replying to selvanair:

The failure to detect the token when re-inserted could be a mis-behaviour in the pkcs11-helper library used by openvpn. This needs to be investigated.

You are probably right. I tested this without the OpenVPN GUI directly with openvpn.exe. This also does not work in the following situation:

Yubikey 4 insert -> start openvpn.exe -> "Input Password/PIN for Token 'PIV_II (PIV Card holder pin)" message -> remove Yubikey 4 -> enter correct or incorrect PIN -> "Please insert PIV_II (PIV Card Holder pin) token" message -> last message loops.

comment:17 Changed 18 months ago by selvanair

@bjoernv Thanks for the detailed tests. So the looping of the token insertion request on physically removing the device is coming from openvpn itself.

I'll ask in the openvpn-devel list on how to fix this either in openvpn or pkcs11-helper.

comment:18 Changed 18 months ago by selvanair

I could not reproduce this looping behaviour using a token on Windows (safenet ikey4000). Startin from command line, on removing the token during password prompt leads to a prompt exit with private key password verification failure. From the GUI, it prompts to re-insert the token (because of auth-retry infinite) but exits on clicking cancel, as expected.

@bjoernv: could you please post a verb=4 log to see what's happening during the looping? The issue could be hardware-specific.

Note: See TracTickets for help on using tickets.