Jonatan,
Can you please try the attached patch and see if it helps?
Thanks!
On Thu, Aug 11, 2011 at 11:20 AM, Alon Bar-Lev <[email protected]> wrote:
>
> Martin,
>
> The openssl engine is called with 0x24 buffer size and expect it to be
> encrypted by private key with same length.
>
> Prototype:
> ---
> static
> int
> __pkcs11h_openssl_enc (
> IN int flen,
> IN const unsigned char *from,
> OUT unsigned char *to,
> IN OUT RSA *rsa,
> IN int padding
> ) {
> ---
>
> I may got this wrong.
> Will investigate.
>
> On Thu, Aug 11, 2011 at 10:38 AM, Martin Paljak <[email protected]>
> wrote:
> > Hello,
> >
> > 2011/8/11 Jonatan Åkerlind <[email protected]>:
> >> We have a setup using the Aladdin eToken PRO USB device for certificate
> >> storage using opensc/openct to interface it with openvpn. Works fine but
> >> with pkcs11-helper 1.08 we need to enter the PIN code twice at openvpn
> >> startup and then once at each renegotiation. Confirmed with various
> >> versions of openvpn (2.1.4/2.2.1), opensc (0.11.13, 0.12.1) and openct
> >> (0.6.20), common thing is that it works with pkcs11-helper 1.07 (the PIN
> >> caching seems ok and only asks for the pin code once at startup and no
> >> more) but with pkcs11-helper 1.08 the PIN caching does not work.
> >>
> >> Attached is a log from openvpn with verbosity 99 (gives a lot of info)
> >> using pkcs11-helper 1.08. It contains the startup and a couple of
> >> renegotiations filtered to only include lines with pkcs in them.
> >
> > This might be relevant:
> >
> > PKCS#11: __pkcs11h_certificate_doPrivateOperation entry
> > certificate=0x72ebb0, op=0, mech_type=1, source=0x7fff40fa3be0,
> > source_size=0000000000000024, target=0x757936,
> > *p_target_size=0000000000000024
> >
> > the target size is the same as input size, which makes one of the
> > operations fail with CKR_BUFFER_TOO_SMALL and will trigger another
> > try, which will mean another PIN entry. Probably something else is
> > fishy as well.
> > _______________________________________________
> > opensc-devel mailing list
> > [email protected]
> > http://www.opensc-project.org/mailman/listinfo/opensc-devel
Index: lib/pkcs11h-openssl.c
===================================================================
--- lib/pkcs11h-openssl.c (revision 205)
+++ lib/pkcs11h-openssl.c (revision 207)
@@ -291,7 +291,7 @@
pkcs11h_certificate_t certificate = __pkcs11h_openssl_get_pkcs11h_certificate (rsa);
PKCS11H_BOOL session_locked = FALSE;
CK_RV rv = CKR_FUNCTION_FAILED;
- size_t tlen = (size_t)flen;
+ size_t tlen;
_PKCS11H_ASSERT (from!=NULL);
_PKCS11H_ASSERT (to!=NULL);
@@ -312,6 +312,8 @@
goto cleanup;
}
+ tlen = (size_t)RSA_size(rsa);
+
if ((rv = pkcs11h_certificate_lockSession (certificate)) != CKR_OK) {
goto cleanup;
}
Index: lib/pkcs11h-certificate.c
===================================================================
--- lib/pkcs11h-certificate.c (revision 205)
+++ lib/pkcs11h-certificate.c (revision 207)
@@ -961,16 +961,17 @@
rv
);
+ if (rv == CKR_BUFFER_TOO_SMALL && op != __pkcs11h_private_op_unwrap) {
+ certificate->operation_active = TRUE;
+ }
+
if (target != NULL) {
if (rv != CKR_OK) {
goto retry;
}
}
else {
- if (
- rv == CKR_OK ||
- rv == CKR_BUFFER_TOO_SMALL
- ) {
+ if (rv == CKR_OK) {
if (op != __pkcs11h_private_op_unwrap) {
certificate->operation_active = TRUE;
}
@@ -994,6 +995,10 @@
}
if (!op_succeed) {
+ if (rv == CKR_BUFFER_TOO_SMALL) {
+ goto cleanup;
+ }
+
/*
* OpenSC workaround
* It still allows C_FindObjectsInit when
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
