authorDavid Woodhouse <dwmw2@infradead.org>2014-12-11 13:03:35 +0000
committerGert Doering <gert@greenie.muc.de>2014-12-27 15:06:51 +0100
commit6f1d3cf062d5c33cbad4d521d157d43d53ffc7d1 (patch)
tree51d0b05b10a51409caa5a92c09d789d8a6e9e885
parentf682c3d022265207377e327358211b0344f7d490 (diff)
pkcs11: Load p11-kit-proxy.so module by default
If the user specifies --pkcs11-id or --pkcs11-id-management but neglects to explicitly provide a --pkcs11-provider argument, and if the system has p11-kit installed, then load the p11-kit proxy module so that the system-configured tokens are available. Trac: 490 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1418303015.31745.78.camel@infradead.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/9342 Signed-off-by: Gert Doering <gert@greenie.muc.de>
-rw-r--r--configure.ac7
-rw-r--r--doc/openvpn.810
-rw-r--r--src/openvpn/options.c9
3 files changed, 26 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 4767f7e..91e680e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1044,6 +1044,13 @@ if test "${enable_pkcs11}" = "yes"; then
OPTIONAL_PKCS11_HELPER_CFLAGS="${PKCS11_HELPER_CFLAGS}"
OPTIONAL_PKCS11_HELPER_LIBS="${PKCS11_HELPER_LIBS}"
AC_DEFINE([ENABLE_PKCS11], [1], [Enable PKCS11])
+ PKG_CHECK_MODULES(
+ [P11KIT],
+ [p11-kit-1],
+ [proxy_module="`$PKG_CONFIG --variable=proxy_module p11-kit-1`"
+ AC_DEFINE_UNQUOTED([DEFAULT_PKCS11_MODULE], "${proxy_module}", [p11-kit proxy])],
+ []
+ )
fi
if test "${enable_pedantic}" = "yes"; then
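Review bot: The value read from the p11-kit `proxy_module` pkg-config variable is handed to AC_DEFINE_UNQUOTED without checking that it is non-empty, so a p11-kit that satisfies the `PKG_CHECK_MODULES` test but does not export that variable defines DEFAULT_PKCS11_MODULE as "". The options.c hunk later in this commit only tests `!options->pkcs11_providers[0]` before assigning the macro, so an empty define becomes an empty provider path instead of leaving the previous behaviour (no default module) in place. Guarding the define keeps the old behaviour in that case: `if test -n "$proxy_module"; then` / `AC_DEFINE_UNQUOTED([DEFAULT_PKCS11_MODULE], "${proxy_module}", [p11-kit proxy])` / `fi` inside the action-if-found argument. The enclosing `if test "${enable_pkcs11}" = "yes"` block begins before this hunk.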
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 80c451b..10d8c28 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4355,6 +4355,16 @@ This option can be used instead of
.B \-\-cert, \-\-key,
and
.B \-\-pkcs12.
+
+If p11-kit is present on the system, its
+.B p11-kit-proxy.so
+module will be loaded by default if either the
+.B \-\-pkcs11\-id
+or
+.B \-\-pkcs11\-id\-management
+options are specified without
+.B \-\-pkcs11\-provider
+being given.
.\"*********************************************************
.TP
.B \-\-pkcs11-private-mode mode...
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 99d98b4..9bcad64 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2466,6 +2466,15 @@ options_postprocess_mutate_invariant (struct options *options)
#endif
}
#endif
+
+#ifdef DEFAULT_PKCS11_MODULE
+ /* If p11-kit is present on the system then load its p11-kit-proxy.so
+ by default if the user asks for PKCS#11 without otherwise specifying
+ the module to use. */
+ if (!options->pkcs11_providers[0] &&
+ (options->pkcs11_id || options->pkcs11_id_management))
+ options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
+#endif
}
static void
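Review bot: Nothing in the new block records that a provider was substituted, so a run that silently picked up the system-wide p11-kit proxy (and with it every module in the system's p11-kit configuration) is indistinguishable in the log from one where the operator passed --pkcs11-provider; a line before the assignment such as `msg (M_INFO, "PKCS#11: no --pkcs11-provider given, using default module %s", DEFAULT_PKCS11_MODULE);` makes the effective configuration visible to whoever reads the log. The comment above the check also names `p11-kit-proxy.so` literally, while DEFAULT_PKCS11_MODULE carries whatever path configure found in p11-kit's `proxy_module` variable; rewording it to "load the p11-kit proxy module found at configure time (DEFAULT_PKCS11_MODULE)" keeps it accurate if that path differs. options_postprocess_mutate_invariant begins before this hunk.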