Brought up-to-date with Alon's PKCS11 patch at

https://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21/openvpn@645
Pre-2.1_beta5


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@648 e7ae566f-a301-0410-adde-c780ea21d3b5

1 files changed, 130 insertions, 124 deletions

diff --git a/options.c b/options.c
index 99e5cc0..0a4a113 100644
--- a/options.c
+++ b/options.c
@@ -425,24 +425,6 @@ static const char usage_message[] =
   "--key file      : Local private key in .pem format.\n"
   "--pkcs12 file   : PKCS#12 file containing local private key, local certificate\n"
   "                  and optionally the root CA certificate.\n"
-#ifdef ENABLE_PKCS11
-  "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
-  "--pkcs11-sign-mode mode ... : PKCS#11 signature method.\n"
-  "                              auto    : Try  to determind automatically (default).\n"
-  "                              recover : Use SignRecover.\n"
-  "                              sign    : Use Sign.\n"
-  "--pkcs11-slot-type method   : Slot locate method:\n"
-  "                              id      : By slot id (numeric [prov#:]slot#).\n"
-  "                              name    : By slot name.\n"
-  "                              label   : By the card label that resides in slot.\n"
-  "--pkcs11-slot name          : The slot name.\n"
-  "--pkcs11-id-type method     : Certificate and key locate method:\n"
-  "                              id      : By the object id (hex format).\n"
-  "                              label   : By the object label (string).\n"
-  "                              subject : By certificate subject (String).\n"
-  "--pkcs11-id name            : The object name.\n"
-  "--pkcs11-protected-authentication : Use PKCS#11 protected authentication path.\n"
-#endif
 #ifdef WIN32
   "--cryptoapicert select-string : Load the certificate and private key from the\n"
   "                  Windows Certificate System Store.\n"
@@ -479,7 +461,29 @@ static const char usage_message[] =
   "--ns-cert-type t: Require that peer certificate was signed with an explicit\n"
   "                  nsCertType designation t = 'client' | 'server'.\n"
 #endif				/* USE_SSL */
+#ifdef ENABLE_PKCS11
   "\n"
+  "PKCS#11 Options:\n"
+  "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
+  "--pkcs11-sign-mode mode ... : PKCS#11 signature method.\n"
+  "                              auto    : Try  to determind automatically (default).\n"
+  "                              recover : Use SignRecover.\n"
+  "                              sign    : Use Sign.\n"
+  "--pkcs11-slot-type method   : Slot locate method:\n"
+  "                              id      : By slot id (numeric [prov#:]slot#).\n"
+  "                              name    : By slot name.\n"
+  "                              label   : By the card label that resides in slot.\n"
+  "--pkcs11-slot name          : The slot name.\n"
+  "--pkcs11-id-type method     : Certificate and key locate method:\n"
+  "                              id      : By the object id (hex format).\n"
+  "                              label   : By the object label (string).\n"
+  "                              subject : By certificate subject (String).\n"
+  "--pkcs11-id name            : The object name.\n"
+  "--pkcs11-pin-cache seconds  : Number of seconds to cache PIN. The default is -1\n"
+  "                              cache until token removed.\n"
+  "--pkcs11-protected-authentication : Use PKCS#11 protected authentication path.\n"
+#endif			/* ENABLE_PKCS11 */
+ "\n"
   "SSL Library information:\n"
   "--show-ciphers  : Show cipher algorithms to use with --cipher option.\n"
   "--show-digests  : Show message digest algorithms to use with --auth option.\n"
@@ -554,14 +558,12 @@ static const char usage_message[] =
   "--dev tunX|tapX : tun/tap device\n"
   "--dev-type dt   : Device type.  See tunnel options above for details.\n"
 #endif
-#ifdef USE_SSL
 #ifdef ENABLE_PKCS11
   "\n"
-  "PKCS#11 specific:\n"
+  "PKCS#11 standalone options:\n"
   "--show-pkcs11-slots provider        : Show PKCS#11 provider available slots.\n"
   "--show-pkcs11-objects provider slot : Show PKCS#11 token objects.\n" 
-#endif
-#endif
+#endif				/* ENABLE_PKCS11 */
  ;
 
 #endif /* !ENABLE_SMALL */
@@ -646,11 +648,12 @@ init_options (struct options *o)
   o->renegotiate_seconds = 3600;
   o->handshake_window = 60;
   o->transition_window = 3600;
-#ifdef ENABLE_PKCS11
-  o->pkcs11_protected_authentication = false;
-#endif
 #endif
 #endif
+#ifdef ENABLE_PKCS11
+  o->pkcs11_pin_cache_period = -1;
+  o->pkcs11_protected_authentication = false;
+#endif			/* ENABLE_PKCS11 */
 }
 
 void
@@ -1178,23 +1181,6 @@ show_settings (const struct options *o)
   SHOW_STR (cert_file);
   SHOW_STR (priv_key_file);
   SHOW_STR (pkcs12_file);
-#ifdef ENABLE_PKCS11
-  {
-    int i;
-    for (i=0;i<MAX_PARMS && o->pkcs11_providers[i] != NULL;i++)
-      SHOW_PARM (pkcs11_providers, o->pkcs11_providers[i], "%s");
-  }
-  {
-    int i;
-    for (i=0;i<MAX_PARMS && o->pkcs11_sign_mode[i] != NULL;i++)
-      SHOW_PARM (pkcs11_sign_mode, o->pkcs11_sign_mode[i], "%s");
-  }
-  SHOW_STR (pkcs11_slot_type);
-  SHOW_STR (pkcs11_slot);
-  SHOW_STR (pkcs11_id_type);
-  SHOW_STR (pkcs11_id);
-  SHOW_BOOL (pkcs11_protected_authentication);
-#endif
 #ifdef WIN32
   SHOW_STR (cryptoapi_cert);
 #endif
@@ -1220,6 +1206,25 @@ show_settings (const struct options *o)
 #endif
 #endif
 
+#ifdef ENABLE_PKCS11
+  {
+    int i;
+    for (i=0;i<MAX_PARMS && o->pkcs11_providers[i] != NULL;i++)
+      SHOW_PARM (pkcs11_providers, o->pkcs11_providers[i], "%s");
+  }
+  {
+    int i;
+    for (i=0;i<MAX_PARMS && o->pkcs11_sign_mode[i] != NULL;i++)
+      SHOW_PARM (pkcs11_sign_mode, o->pkcs11_sign_mode[i], "%s");
+  }
+  SHOW_STR (pkcs11_slot_type);
+  SHOW_STR (pkcs11_slot);
+  SHOW_STR (pkcs11_id_type);
+  SHOW_STR (pkcs11_id);
+  SHOW_INT (pkcs11_pin_cache_period);
+  SHOW_BOOL (pkcs11_protected_authentication);
+#endif			/* ENABLE_PKCS11 */
+
 #if P2MP
   show_p2mp_parms (o);
 #endif
@@ -1702,11 +1707,6 @@ options_postprocess (struct options *options, bool first_time)
 
 	notnull (options->pkcs11_id, "PKCS#11 id (--pkcs11-id)");
 
-	if (options->pkcs11_protected_authentication && options->key_pass_file != NULL)
-	  msg(M_USAGE, "Parameter --askpass cannot be used when --pkcs11-protected-authentication is also specified.");
-	if (!options->pkcs11_protected_authentication && options->key_pass_file == NULL)
-	  msg (M_USAGE, "Please specify one of --askpass or --pkcs11-protected-autentication options.");
-
 	if (options->cert_file)
 	  msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
 	if (options->priv_key_file)
@@ -4733,83 +4733,6 @@ add_option (struct options *options,
       VERIFY_PERMISSION (OPT_P_GENERAL);
       options->cert_file = p[1];
     }
-#ifdef ENABLE_PKCS11
-  else if (streq (p[0], "show-pkcs11-slots") && p[1])
-    {
-      char *module =  p[i++];
-      VERIFY_PERMISSION (OPT_P_GENERAL);
-      show_pkcs11_slots (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX, module);
-      openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
-    }
-  else if (streq (p[0], "show-pkcs11-objects") && p[1] && p[2])
-    {
-      char *provider =  p[i++];
-      char *slot = p[i++];
-      struct gc_arena gc = gc_new ();
-      struct buffer pass_prompt = alloc_buf_gc (128, &gc);
-      char pin[256];
-
-      VERIFY_PERMISSION (OPT_P_GENERAL);
-
-      buf_printf (&pass_prompt, "PIN:");
-
-      if (!get_console_input (BSTR (&pass_prompt), false, pin, sizeof (pin)))
-        msg (M_FATAL, "Cannot read password from stdin");
-      
-      gc_free (&gc);
-      
-      show_pkcs11_objects (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX, provider, slot, pin);
-      openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
-    }
-  else if (streq (p[0], "pkcs11-providers") && p[1])
-    {
-      int j;
-      
-      VERIFY_PERMISSION (OPT_P_GENERAL);
-
-      for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j, ++i)
-      	options->pkcs11_providers[j-1] = p[j];
-    }
-  else if (streq (p[0], "pkcs11-sign-mode") && p[1])
-    {
-      int j;
-      
-      VERIFY_PERMISSION (OPT_P_GENERAL);
-
-      for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j, ++i)
-      	options->pkcs11_sign_mode[j-1] = p[j];
-    }
-  else if (streq (p[0], "pkcs11-slot-type") && p[1])
-    {
-      ++i;
-      VERIFY_PERMISSION (OPT_P_GENERAL);
-      options->pkcs11_slot_type = p[1];
-    }
-  else if (streq (p[0], "pkcs11-slot") && p[1])
-    {
-      ++i;
-      VERIFY_PERMISSION (OPT_P_GENERAL);
-      options->pkcs11_slot = p[1];
-    }
-  else if (streq (p[0], "pkcs11-id-type") && p[1])
-    {
-      ++i;
-      VERIFY_PERMISSION (OPT_P_GENERAL);
-      options->pkcs11_id_type = p[1];
-    }
-  else if (streq (p[0], "pkcs11-id") && p[1])
-    {
-      ++i;
-      VERIFY_PERMISSION (OPT_P_GENERAL);
-      options->pkcs11_id = p[1];
-    }
-  else if (streq (p[0], "pkcs11-protected-authentication"))
-    {
-      ++i;
-      VERIFY_PERMISSION (OPT_P_GENERAL);
-      options->pkcs11_protected_authentication = true;
-    }
-#endif
 #ifdef WIN32
   else if (streq (p[0], "cryptoapicert") && p[1])
     {
@@ -4968,6 +4891,89 @@ add_option (struct options *options,
     }
 #endif /* USE_SSL */
 #endif /* USE_CRYPTO */
+#ifdef ENABLE_PKCS11
+  else if (streq (p[0], "show-pkcs11-slots") && p[1])
+    {
+      char *module =  p[i++];
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+      show_pkcs11_slots (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX, module);
+      openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
+    }
+  else if (streq (p[0], "show-pkcs11-objects") && p[1] && p[2])
+    {
+      char *provider =  p[i++];
+      char *slot = p[i++];
+      struct gc_arena gc = gc_new ();
+      struct buffer pass_prompt = alloc_buf_gc (128, &gc);
+      char pin[256];
+
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+
+      buf_printf (&pass_prompt, "PIN:");
+
+      if (!get_console_input (BSTR (&pass_prompt), false, pin, sizeof (pin)))
+        msg (M_FATAL, "Cannot read password from stdin");
+      
+      gc_free (&gc);
+      
+      show_pkcs11_objects (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX, provider, slot, pin);
+      openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
+    }
+  else if (streq (p[0], "pkcs11-providers") && p[1])
+    {
+      int j;
+      
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+
+      for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j, ++i)
+      	options->pkcs11_providers[j-1] = p[j];
+    }
+  else if (streq (p[0], "pkcs11-sign-mode") && p[1])
+    {
+      int j;
+      
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+
+      for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j, ++i)
+      	options->pkcs11_sign_mode[j-1] = p[j];
+    }
+  else if (streq (p[0], "pkcs11-slot-type") && p[1])
+    {
+      ++i;
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+      options->pkcs11_slot_type = p[1];
+    }
+  else if (streq (p[0], "pkcs11-slot") && p[1])
+    {
+      ++i;
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+      options->pkcs11_slot = p[1];
+    }
+  else if (streq (p[0], "pkcs11-id-type") && p[1])
+    {
+      ++i;
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+      options->pkcs11_id_type = p[1];
+    }
+  else if (streq (p[0], "pkcs11-id") && p[1])
+    {
+      ++i;
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+      options->pkcs11_id = p[1];
+    }
+   else if (streq (p[0], "pkcs11-pin-cache") && p[1])
+    {
+      ++i;
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+      options->pkcs11_pin_cache_period = atoi (p[1]);
+    }
+  else if (streq (p[0], "pkcs11-protected-authentication"))
+    {
+      ++i;
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+      options->pkcs11_protected_authentication = true;
+    }
+#endif
 #ifdef TUNSETPERSIST
   else if (streq (p[0], "rmtun"))
     {