Thursday, January 02, 2025

Re: new security/pkcs11-helper, net/openvpn: enable PKCS#11

Hi,

On Tue, Dec 31, 2024 at 12:32:38AM +0000, Klemens Nanni wrote:
> OpenVPN can use smart cards instead of --key/cert which works great for me
> via --pkcs11-id '...' with values from 'openvpn --show-pkcs11-ids | grep id:'
> on the client and no further config; the server needs no changes.
>
> See openvpn(8) "PKCS#11 / SmartCard options" for more.
>
>
> New dependency:
> Information for inst:pkcs11-helper-1.30.0
>
> Comment:
> library with PKCS
>
> Required by:
> openvpn-2.6.12p0
>
> Description:
> pkcs11-helper allows using multiple PKCS#11 providers at the same
> time, enumerating available token certificates, or selecting a
> certificate directly by serialized id, handling card removal and
> card insert events, handling card re-insert to a different
> slot, supporting session expiration and much more all using a
> simple API.
>
> pkcs11-helper is not designed to manage card content, since object
> attributes are usually vendor specific, and 99% of applications need
> to access existing objects in order to perform signature and
> decryption.
>
> Maintainer: Klemens Nanni <kn@openbsd.org>
>
> WWW: https://github.com/OpenSC/pkcs11-helper
>
> It can use different TLS implementations - I explicitly enabled LibreSSL
> alone and left OpenVPN's FLAVOR=mbedtls unchanged as I don't use that.
>
> Feedback? OK?

1. Please address the comments below,

> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/openvpn/Makefile,v
> diff -u -p -r1.130 Makefile
> --- Makefile 21 Dec 2024 11:38:33 -0000 1.130
> +++ Makefile 30 Dec 2024 23:16:33 -0000
> @@ -26,6 +26,8 @@ CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/
> LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}"
> CONFIGURE_ARGS+=--with-openssl-engine=no
>
> +SEPARATE_BUILD= Yes
> +
> DEBUG_PACKAGES= ${BUILD_PACKAGES}
>
> FLAVORS= mbedtls
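Review bot: the new SEPARATE_BUILD= Yes line in this hunk comes with no rationale, and nothing else in the diff or the mail explains why an out-of-tree build is now needed; either add a short comment above the line (or a sentence in the commit message) saying what breaks without it, or leave it out of a change that is otherwise about enabling PKCS#11.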
> @@ -36,7 +38,14 @@ LIB_DEPENDS+= security/polarssl
> CONFIGURE_ARGS+= --with-crypto-library=mbedtls
> WANTLIB += mbedcrypto mbedtls mbedx509 pthread
> .else
> -WANTLIB += crypto ssl
> +REVISION= 0

Even if the changes are specific to the default FLAVOR, please move
REVISION next to DISTNAME so that I don't forget it in the next
openvpn update.

> +LIB_DEPENDS+= security/pkcs11-helper
> +# dlopen()s p11-kit-proxy.so
> +BUILD_DEPENDS+= security/p11-kit
> +RUN_DEPENDS+= security/p11-kit

IIUC the BDEP on security/p11-kit is needed to deterministically set a
default pkcs11 module name ("p11-kit-proxy.so" on OpenBSD, grep for
DEFAULT_PKCS11_MODULE). openvpn then dlopens DEFAULT_PKCS11_MODULE
through pkcs11-helper. Also IIUC, you then only need p11-kit at
runtime if you want to use one of the modules from p11-kit, including
the default p11-kit-proxy.so mentioned above. openvpn(8) already
lists the name of the p11-kit package that can be installed. So
please drop the RUN_DEPENDS line.

> +CONFIGURE_ARGS+= --enable-pkcs11
> +WANTLIB += pthread pkcs11-helper
> +WANTLIB += crypto ssl pkcs11-helper

Please regen WANTLIB to reorder, drop the redundant "pkcs11-helper"
mention and use a single line.

> .endif
>
> SAMPLES_DIR= ${PREFIX}/share/examples/openvpn
>
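Review bot: the "# dlopen()s p11-kit-proxy.so" comment above BUILD_DEPENDS+= security/p11-kit in this hunk describes runtime behaviour, not why the package is needed at build time; since the build dependency only serves to make configure pick a deterministic DEFAULT_PKCS11_MODULE, reword the comment to say that (e.g. "# sets DEFAULT_PKCS11_MODULE to p11-kit-proxy.so at configure time") so the next reader does not assume the library must be present to link.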

2. This security/pkcs11-helper port looks good to me, but you may want
to look into the pthread_mutex_destroy warnings I see at runtime:

pbuild /usr/ports/net/openvpn$ openvpn --show-pkcs11-ids
2025-01-02 12:45:34 PKCS#11: Adding PKCS#11 provider '/usr/local/lib/p11-kit-proxy.so'

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.
pthread_mutex_destroy on mutex with waiters!
pthread_mutex_destroy on mutex with waiters!
pthread_mutex_destroy on mutex with waiters!

I have no idea whether those warnings can turn into a problem in
practice.

ok jca@ to import security/pkcs11-helper as is, ok jca@ for net/openvpn
with the changes listed above.

--
jca
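The client-side setup described in the quoted mail (take a serialized id from 'openvpn --show-pkcs11-ids' and hand it to --pkcs11-id), as an added shell example that is not part of this thread or of the OpenVPN project. It assumes the provider path /usr/local/lib/p11-kit-proxy.so seen in the log above and uses the openvpn(8) pkcs11-providers and pkcs11-id options; the sample --show-pkcs11-ids output embedded in it is constructed, so every DN, serial and serialized id is made up.

```shell
#!/bin/sh
# Added example (not from the thread): turn 'openvpn --show-pkcs11-ids'
# output into the client config lines needed for smart-card authentication.
# SAMPLE_IDS is a constructed sample modelled on OpenVPN's output format;
# every DN, serial and serialized id in it is made up.
SAMPLE_IDS='The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             /C=XX/O=Example/CN=alice
       Serial:         01
       Serialized id:  Example\x20Inc/Token\x20Model/1234/alice/01

Certificate
       DN:             /C=XX/O=Example/CN=bob
       Serial:         02
       Serialized id:  Example\x20Inc/Token\x20Model/1234/bob/02
'

# Print one "DN<TAB>serialized id" line per certificate found on stdin.
pkcs11_list_ids() {
    awk '
        /^[[:space:]]+DN:/ { sub(/^[[:space:]]+DN:[[:space:]]+/, ""); dn = $0 }
        /^[[:space:]]+Serialized id:/ {
            sub(/^[[:space:]]+Serialized id:[[:space:]]+/, "")
            print dn "\t" $0
        }'
}

# Emit pkcs11-providers/pkcs11-id lines for the single certificate whose DN
# contains $2, loading modules via the provider path in $1. Refuses (exit 1)
# when zero or several certificates match, so an ambiguous id is never written.
pkcs11_client_config() {
    provider=$1; dn_match=$2
    matches=$(pkcs11_list_ids | grep -F -- "$dn_match" || true)
    count=$(printf '%s' "$matches" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        printf '%s\n' "pkcs11_client_config: $count certificate(s) match '$dn_match'" >&2
        return 1
    fi
    id=$(printf '%s\n' "$matches" | cut -f2)
    printf 'pkcs11-providers %s\npkcs11-id '\''%s'\''\n' "$provider" "$id"
}

# Demo on the constructed sample: prints the two lines for alice's certificate.
printf '%s\n' "$SAMPLE_IDS" | pkcs11_client_config /usr/local/lib/p11-kit-proxy.so 'CN=alice'
```

Feed real output with 'openvpn --show-pkcs11-ids | pkcs11_client_config /usr/local/lib/p11-kit-proxy.so CN=...' and append the two lines to the client config.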
