Commit dfc89589 authored by David Woodhouse's avatar David Woodhouse

Log in slots with CKF_USER_PIN_INITIALIZED and not CKF_LOGIN_REQUIRED

Fixes: #123

 (for OpenSSL build)
Signed-off-by: David Woodhouse's avatarDavid Woodhouse <dwmw2@infradead.org>
parent 10e40ebe
......@@ -381,7 +381,7 @@ int load_pkcs11_certificate(struct openconnect_info *vpninfo)
}
/* If there was precisely one matching slot, and we still didn't find the cert,
try logging in to it. */
if (matching_slots == 1 && login_slot->token->loginRequired) {
if (matching_slots == 1 && (login_slot->token->loginRequired || login_slot->token->userPinSet)) {
slot = login_slot;
vpn_progress(vpninfo, PRG_INFO,
_("Logging in to PKCS#11 slot '%s'\n"),
......@@ -615,7 +615,7 @@ int load_pkcs11_key(struct openconnect_info *vpninfo)
login_slot = vpninfo->pkcs11_cert_slot;
vpninfo->pkcs11_cert_slot = NULL;
}
if (matching_slots == 1 && login_slot->token->loginRequired) {
if (matching_slots == 1 && (login_slot->token->loginRequired || login_slot->token->userPinSet)) {
slot = login_slot;
vpn_progress(vpninfo, PRG_INFO,
_("Logging in to PKCS#11 slot '%s'\n"),
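Review bot: The comment above the changed condition (the two lines starting `/* If there was precisely one matching slot`) still only says that a login is attempted, while the new `userPinSet` branch is a deliberate workaround for tokens that report a user PIN (CKF_USER_PIN_INITIALIZED) yet omit CKF_LOGIN_REQUIRED; that reason belongs next to the code, e.g. `/* Some tokens set CKF_USER_PIN_INITIALIZED but forget CKF_LOGIN_REQUIRED; try a login whenever a user PIN exists. */`. The identical condition is repeated in the load_pkcs11_key hunk below; a small file-local helper such as `static int slot_needs_login(PKCS11_SLOT *s) { return s->token->loginRequired || s->token->userPinSet; }` would keep both call sites in step if the rule is refined again. Both load_pkcs11_certificate and load_pkcs11_key start and end outside the hunks shown. One consequence worth a sentence in that comment is that a token with a PIN set but no login requirement will now be prompted for its PIN whenever the object was not found anonymously, which looks intended here but should not be mistaken for a regression later.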
......@@ -69,6 +69,10 @@ if OPENCONNECT_GNUTLS
# the certs after we log in. Perhaps it's cached the results?
PKCS11_TOKENS += openconnect-test2
endif # OPENCONNECT_GNUTLS
if OPENCONNECT_OPENSSL
# GnuTLS build fails this one: https://gitlab.com/gnutls/gnutls/-/issues/977
PKCS11_TOKENS += openconnect-test3
endif # OPENCONNECT_OPENSSL
endif # TEST_PKCS11
endif # HAVE_CWRAP
......@@ -258,3 +262,33 @@ softhsm-setup2:
--load-privkey $(certsdir)/ec-key-pkcs8.pem \
--label EC --id 03 --login \
--write "pkcs11:token=openconnect-test2;pin-value=1234"
# Fourth test: token lacks CKF_LOGIN_REQUIRED (#123)
softhsm-setup3:
$(SHM2_UTIL) --show-slots
$(SHM2_UTIL) --init-token --free --label openconnect-test3 \
--so-pin 12345678 --pin 1234
# Remove the CKF_LOGIN_REQUIRED flag
TOKOBJ=$$(grep -l openconnect-test3 $(srcdir)/softhsm/*/token.object); \
if [ -n "$$TOKOBJ" ] && od -t x1 $$TOKOBJ | grep -q '^0000160.* 04 2d$$'; then \
echo -en \\x29 | dd bs=1 count=1 conv=notrunc seek=127 of=$$TOKOBJ; \
else \
echo "Token file not understood"; \
exit 1; \
fi
$(P11TOOL) --load-certificate $(certsdir)/user-cert.pem \
--load-privkey $(certsdir)/user-key-pkcs8.pem \
--label RSA --id 01 --login \
--write "pkcs11:token=openconnect-test3;pin-value=1234"
$(P11TOOL) --load-certificate $(certsdir)/dsa-cert.pem \
--load-privkey $(certsdir)/dsa-key-pkcs8.pem \
--label DSA --id 02 --login \
--write "pkcs11:token=openconnect-test3;pin-value=1234"
$(P11TOOL) --load-certificate $(certsdir)/ec-cert.pem \
--load-privkey $(certsdir)/ec-key-pkcs8.pem \
--label EC --id 03 --login \
--write "pkcs11:token=openconnect-test3;pin-value=1234"
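Review bot: `echo -en \\x29` in the softhsm-setup3 recipe is not portable: the recipe runs under make's shell, normally /bin/sh, and POSIX `echo` defines neither `-e`/`-n` nor a `\x` hex escape, so on a dash-style /bin/sh the guard passes but the byte `dd` writes at offset 127 is not 0x29; `printf '\051' | dd bs=1 count=1 conv=notrunc seek=127 of=$$TOKOBJ; \` writes the same byte portably. The `od`/`grep` guard and `seek=127` are coupled through od's default 16-byte line layout (offset 0160 octal plus 15), which deserves a comment such as `# flags byte at offset 127: 0x2d -> 0x29 clears CKF_LOGIN_REQUIRED (0x04)` so a reader knows what is being cleared and why the guard looks for `04 2d`. `$$TOKOBJ` is unquoted in the `od` and `dd` invocations; if `grep -l` ever matches more than one token.object the `-n` test still succeeds and the later commands operate on the wrong arguments, so consider verifying that exactly one path was found before patching. This hunk appears to have lost blank lines in rendering (the header announces 30 added lines, fewer are visible), so the recipe's exact end is inferred.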
......@@ -27,6 +27,7 @@
<li>Fix crash with uninitialised OIDC token.</li>
<li>GlobalProtect: more resilient handling of periodic HIP check and login arguments, and predictable naming of challenge forms</li>
<li>Disable <a href="https://en.wikipedia.org/wiki/Nagle's_algorithm">Nagle's algorithm</a> for TLS sockets, to improve interactivity when tunnel runs over TCP rather than UDP.</li>
<li>Work around PKCS#11 tokens which forget to set <tt>CKF_LOGIN_REQUIRED</tt> (<a href="https://gitlab.com/openconnect/openconnect/issues/116">#116</a>).</li>
</ul><br/>
</li>
<li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.07.tar.gz">OpenConnect v8.07</a></b>