Hi,

On Thu, Jun 23, 2022 at 8:43 AM David Sommerseth <
open...@sf.lists.topphemmelig.net> wrote:

> On 19/6/2022 19:28, Selva Nair wrote:
> > Hi,
> >
> > On Thu, Sep 30, 2021 at 7:34 AM Petr Mikhalicin via Openvpn-devel
> > <openvpn-devel@lists.sourceforge.net
> > <mailto:openvpn-devel@lists.sourceforge.net>> wrote:
> >
> >     New pkcs11-helper interface allows setting up a pkcs11 provider via
> >     properties:
> >     https://github.com/alonbl/pkcs11-helper/commit/b78d21c7e26041746aa4ae3d08b95469e1714a85
> >
> >
> >     Also pkcs11-helper added the ability to set up init args for the pkcs11
> >     provider:
> >     https://github.com/alonbl/pkcs11-helper/commit/133f893e30856eba1de715ecd6fe176722eb3097
> >
> >
> >     Signed-off-by: Petr Mikhalicin <mkh199...@mail.ru>
> >
> >
> > Sorry for the long delay in getting back on this. I somehow also missed
> > the related discussion on Trac
> > (https://community.openvpn.net/openvpn/ticket/1453)
> >
> > I don't quite understand the need for exposing "init-args" to the user.
> > The only two supported flags in the cryptoki docs are related to the use
> > of threads. But we are the application and we should know what flags to
> > pass --- not the user --- isn't it? If CKF_OS_LOCKING_OK is required,
> > can't we just set it unconditionally?
> >
> > That said, OpenVPN2 is single threaded, so why is there a "bug in
> > openvpn" related to the use of pkcs11 library from multiple threads
> > referred to in the trac ticket?
>
> I haven't dug too deep into the matter this time; and it depends also on
> the OS you are on.  But there has been some issues with pkcs11-helper on
> hosts with systemd, due to some intricacies with openvpn doing a fork to
> kick off the password query mechanism with systemd colliding with some
> pkcs11-helper implementation details.  For the systemd case, we added a
> workaround which made most people happy.
>
> For more details:
> <https://community.openvpn.net/openvpn/ticket/538>
>

This is a different issue from mutex locking required when pkcs#11 calls
are made from multiple threads. The rationale for this patch was that we
may need to tell the provider library whether native OS locking methods are
okay or not, which I see no need for in a single threaded program.

Selva
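To make the locking flags under discussion concrete, the following is an added example, not code from this thread, from OpenVPN or from pkcs11-helper: it models how a PKCS#11 provider's C_Initialize interprets the CK_C_INITIALIZE_ARGS it receives, following the four locking cases the Cryptoki specification defines. The types and constants are re-declared locally so it builds without pkcs11.h; interpret_init_args, lock_mode and lib_can_os_lock are names chosen for this example.

```c
#include <stddef.h>

/* Minimal subset of the Cryptoki (PKCS#11) definitions, re-declared here so
 * the example builds without pkcs11.h; values follow the PKCS#11 v2.x spec. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_FLAGS;
typedef CK_ULONG CK_RV;
typedef CK_RV (*CK_MUTEX_CREATE)(void **);  /* CreateMutex takes void**   */
typedef CK_RV (*CK_MUTEX_OP)(void *);       /* Destroy/Lock/Unlock: void* */
typedef struct {
    CK_MUTEX_CREATE CreateMutex;
    CK_MUTEX_OP     DestroyMutex;
    CK_MUTEX_OP     LockMutex;
    CK_MUTEX_OP     UnlockMutex;
    CK_FLAGS        flags;
    void           *pReserved;
} CK_C_INITIALIZE_ARGS;
#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x1UL
#define CKF_OS_LOCKING_OK                  0x2UL
#define CKR_OK            0x0UL
#define CKR_ARGUMENTS_BAD 0x7UL
#define CKR_CANT_LOCK     0xAUL

/* How the provider will serialize access to itself. */
enum lock_mode { LOCK_NONE, LOCK_OS, LOCK_CALLBACKS, LOCK_EITHER, LOCK_INVALID };

/* Models a provider's C_Initialize decision on pInitArgs. lib_can_os_lock is
 * whether this provider is able to use native OS locking at all. Returns the
 * CK_RV C_Initialize would return and stores the chosen mode in *mode. */
CK_RV interpret_init_args(const CK_C_INITIALIZE_ARGS *a, int lib_can_os_lock,
                          enum lock_mode *mode)
{
    /* NULL_PTR: application promises single-threaded use, no locking needed. */
    if (a == NULL) { *mode = LOCK_NONE; return CKR_OK; }
    if (a->pReserved != NULL) { *mode = LOCK_INVALID; return CKR_ARGUMENTS_BAD; }
    int supplied = (a->CreateMutex != NULL) + (a->DestroyMutex != NULL)
                 + (a->LockMutex != NULL) + (a->UnlockMutex != NULL);
    /* Some but not all callbacks supplied is an error per the spec. */
    if (supplied != 0 && supplied != 4) { *mode = LOCK_INVALID; return CKR_ARGUMENTS_BAD; }
    int os_ok = (a->flags & CKF_OS_LOCKING_OK) != 0;
    if (!supplied && !os_ok) { *mode = LOCK_NONE; return CKR_OK; }      /* case 1 */
    if (supplied && !os_ok)  { *mode = LOCK_CALLBACKS; return CKR_OK; } /* case 3 */
    if (supplied && os_ok)   { *mode = LOCK_EITHER; return CKR_OK; }    /* case 4 */
    /* case 2: CKF_OS_LOCKING_OK alone means native OS primitives are required. */
    if (!lib_can_os_lock)    { *mode = LOCK_INVALID; return CKR_CANT_LOCK; }
    *mode = LOCK_OS;
    return CKR_OK;
}
```

A single-threaded caller such as OpenVPN2 lands in case 1 (NULL args or zero flags) and gets CKR_OK without any locking at all, which is the situation Selva's reply describes.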
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
