From 18597b93f7b43f63173f373fbd8548f2d08e25bb Mon Sep 17 00:00:00 2001 From: james Date: Wed, 5 Apr 2006 07:17:02 +0000 Subject: I've recently worked on a better version of pkcs11-helper. I've also merged it into QCA (Qt Cryptographic Architecture), so that KDE 4 will finally be able to use smartcards. The changes allows the following features: 1. Thread safe, is activated if USE_PTHREAD. 2. Slot event - Will allow us in the future to disconnect VPN when smartcard is removed. In order to support this OpenVPN must support threading... At least SIGUSR1 from a different thread. Threading should be supported in both Windows and Linux. -- currently disabled. When I talk about threading support it is just support in configuration script and that the method that SIGUSR1 self can be called from a different thread. I already handle the monitor threads. 3. Certificate enumeration - Will allow us to finally have one configuration file for all users! When you add the plugin GUI stuff you talked about, we will be able to display a list of available certificates for the user to select. -- currently disabled. 4. Data object manipulation - Will allow us to store tls-auth on the smartcard as well. -- currently disabled. 5. Many other minor improvements. Alon Bar-Lev git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@990 e7ae566f-a301-0410-adde-c780ea21d3b5 --- options.c | 70 +++++++++++++++++++++++++++++++++++++++------------------------ 1 file changed, 43 insertions(+), 27 deletions(-) (limited to 'options.c') diff --git a/options.c b/options.c index a889eb5..793ae66 100644 --- a/options.c +++ b/options.c @@ -492,12 +492,19 @@ static const char usage_message[] = "\n" "PKCS#11 Options:\n" "--pkcs11-providers provider ... : PKCS#11 provider to load.\n" + "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n" + " path. Set for each provider.\n" "--pkcs11-sign-mode mode ... : PKCS#11 signature method.\n" " auto : Try to determind automatically (default).\n" - " recover : Use SignRecover.\n" " sign : Use Sign.\n" + " recover : Use SignRecover.\n" + " any : Use Sign and then SignRecover.\n" + "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n" + " certificate can be accessed. Set for each provider.\n" + "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n" + " cache until token is removed.\n" "--pkcs11-slot-type method : Slot locate method:\n" - " id : By slot id (numeric [prov#:]slot#).\n" + " id : By slot id (numeric [prov:]slot#).\n" " name : By slot name.\n" " label : By the card label that resides in slot.\n" "--pkcs11-slot name : The slot name.\n" @@ -506,11 +513,6 @@ static const char usage_message[] = " label : By the object label (string).\n" " subject : By certificate subject (String).\n" "--pkcs11-id name : The object name.\n" - "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n" - " cache until token removed.\n" - "--pkcs11-protected-authentication : Use PKCS#11 protected authentication path.\n" - "--pkcs11-cert-private : Set if login should be performed before\n" - " certificate can be accessed.\n" #endif /* ENABLE_PKCS11 */ "\n" "SSL Library information:\n" @@ -688,8 +690,6 @@ init_options (struct options *o) #endif #ifdef ENABLE_PKCS11 o->pkcs11_pin_cache_period = -1; - o->pkcs11_protected_authentication = false; - o->pkcs11_cert_private = false; #endif /* ENABLE_PKCS11 */ } @@ -1263,18 +1263,26 @@ show_settings (const struct options *o) for (i=0;ipkcs11_providers[i] != NULL;i++) SHOW_PARM (pkcs11_providers, o->pkcs11_providers[i], "%s"); } + { + int i; + for (i=0;ipkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s"); + } { int i; for (i=0;ipkcs11_sign_mode[i] != NULL;i++) SHOW_PARM (pkcs11_sign_mode, o->pkcs11_sign_mode[i], "%s"); } + { + int i; + for (i=0;ipkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s"); + } + SHOW_INT (pkcs11_pin_cache_period); SHOW_STR (pkcs11_slot_type); SHOW_STR (pkcs11_slot); SHOW_STR (pkcs11_id_type); SHOW_STR (pkcs11_id); - SHOW_INT (pkcs11_pin_cache_period); - SHOW_BOOL (pkcs11_protected_authentication); - SHOW_BOOL (pkcs11_cert_private); #endif /* ENABLE_PKCS11 */ #if P2MP @@ -5080,6 +5088,15 @@ add_option (struct options *options, for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) options->pkcs11_providers[j-1] = p[j]; } + else if (streq (p[0], "pkcs11-protected-authentication")) + { + int j; + + VERIFY_PERMISSION (OPT_P_GENERAL); + + for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) + options->pkcs11_protected_authentication[j-1] = atoi (p[j]) != 0 ? 1 : 0; + } else if (streq (p[0], "pkcs11-sign-mode") && p[1]) { int j; @@ -5089,6 +5106,20 @@ add_option (struct options *options, for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) options->pkcs11_sign_mode[j-1] = p[j]; } + else if (streq (p[0], "pkcs11-cert-private")) + { + int j; + + VERIFY_PERMISSION (OPT_P_GENERAL); + + for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) + options->pkcs11_cert_private[j-1] = atoi (p[j]) != 0 ? 1 : 0; + } + else if (streq (p[0], "pkcs11-pin-cache") && p[1]) + { + VERIFY_PERMISSION (OPT_P_GENERAL); + options->pkcs11_pin_cache_period = atoi (p[1]); + } else if (streq (p[0], "pkcs11-slot-type") && p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); @@ -5109,21 +5140,6 @@ add_option (struct options *options, VERIFY_PERMISSION (OPT_P_GENERAL); options->pkcs11_id = p[1]; } - else if (streq (p[0], "pkcs11-pin-cache") && p[1]) - { - VERIFY_PERMISSION (OPT_P_GENERAL); - options->pkcs11_pin_cache_period = atoi (p[1]); - } - else if (streq (p[0], "pkcs11-protected-authentication")) - { - VERIFY_PERMISSION (OPT_P_GENERAL); - options->pkcs11_protected_authentication = true; - } - else if (streq (p[0], "pkcs11-cert-private")) - { - VERIFY_PERMISSION (OPT_P_GENERAL); - options->pkcs11_cert_private = true; - } #endif #ifdef TUNSETPERSIST else if (streq (p[0], "rmtun")) -- cgit