Following on from the previous patch, this fixes --show-pkcs11-ids too.

Trac: 490
Signed-off-by: David Woodhouse <david.woodho...@intel.com>
---

As I compose the email, I spot that we're actually now looking at the
value of p[2] even when p[1] is NULL. So if the add_option() function is
supposed to be treating p[] as a traditional NULL-terminated array of
pointers where it's invalid to access anything after the NULL one,
that's bad.

In practice, however, it's always an array of MAX_PARMS which has been
entirely cleared, so it's not really a problem. I can fix it anyway if
you prefer...

 doc/openvpn.8         |  8 +++++++-
 src/openvpn/options.c | 30 ++++++++++++++++++++++++++++--
 2 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 0bdea1f..49183ee 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -5490,11 +5490,17 @@ adapter list.
 .SS PKCS#11 Standalone Options:
 .\"*********************************************************
 .TP
-.B \-\-show-pkcs11-ids provider [cert_private]
+.B \-\-show-pkcs11-ids [provider] [cert_private]
 (Standalone)
 Show PKCS#11 token object list. Specify cert_private as 1
 if certificates are stored as private objects.
 
+If p11-kit is present on the system, the
+.B provider
+argument is optional; if omitted the default
+.B p11-kit-proxy.so
+module will be queried.
+
 .B \-\-verb
 option can be used BEFORE this option to produce debugging information.
 .\"*********************************************************
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index b33eb4a..66453b5 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -738,7 +738,11 @@ static const char usage_message[] =
 #ifdef ENABLE_PKCS11
   "\n"
   "PKCS#11 standalone options:\n"
-  "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n" 
+#ifndef DEFAULT_PKCS11_MODULE
+  "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
+#else
+  "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
+#endif
   "                                            --verb option can be added 
*BEFORE* this.\n"
 #endif                         /* ENABLE_PKCS11 */
   "\n"
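Review bot: The preprocessor guard on the two usage strings looks inverted: the `[provider]` (optional) form sits under `#ifndef DEFAULT_PKCS11_MODULE` and the mandatory `provider` form under `#else`, so a build with p11-kit keeps printing the old mandatory syntax while a build without it advertises an optional argument that the add_option change in this same patch rejects. Both the man-page hunk and the add_option hunk make the argument optional only when DEFAULT_PKCS11_MODULE is defined. Swap the guard to `#ifdef DEFAULT_PKCS11_MODULE` so the branches line up with the parser. The usage_message string continues outside the hunk.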
@@ -6935,11 +6939,33 @@ add_option (struct options *options,
 #endif /* ENABLE_SSL */
 #endif /* ENABLE_CRYPTO */
 #ifdef ENABLE_PKCS11
-  else if (streq (p[0], "show-pkcs11-ids") && p[1])
+  else if (streq (p[0], "show-pkcs11-ids")
+          )
     {
       char *provider =  p[1];
       bool cert_private = (p[2] == NULL ? false : ( atoi (p[2]) != 0 ));
 
+#ifdef DEFAULT_PKCS11_MODULE
+      if (!provider)
+       provider = DEFAULT_PKCS11_MODULE;
+      else if (!p[2]) {
+       char *endp = NULL;
+       int i = strtol(provider, &endp, 10);
+
+       if (*endp == 0) {
+         /* There was one argument, and it was purely numeric.
+            Interpret it as the cert_private argument */
+         provider = DEFAULT_PKCS11_MODULE;
+         cert_private = i;
+       }
+      }
+#else
+      if (!provider)
+       {
+         msg (msglevel, "--show-pkcs11-ids requires a provider parameter");
+            goto err;
+       }
+#endif
       VERIFY_PERMISSION (OPT_P_GENERAL);
 
       set_debug_level (options->verbosity, SDL_CONSTRAIN);
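Review bot: The single-argument reinterpretation treats an empty string as numeric: for `--show-pkcs11-ids ""` strtol consumes nothing, endp stays equal to provider and *endp is already 0, so the empty provider is silently swapped for the default module with cert_private false instead of being reported. Require that at least one digit was consumed, `if (endp != provider && *endp == '\0')`, and make the flag assignment explicit, `cert_private = (i != 0);`, matching the `!= 0` test used on the p[2] path rather than relying on the long-to-bool conversion. As a consequence of this heuristic a provider path made solely of digits can never be given on its own; that limitation deserves a sentence in the man page entry. Minor style: the `)` dangling on its own line after the streq condition and the mis-indented `goto err;` in the #else branch don't match the surrounding code. add_option's body continues outside the hunk.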
-- 
2.1.0



-- 
David Woodhouse                            Open Source Technology Centre
david.woodho...@intel.com                              Intel Corporation
