Hi,
On Tue, Dec 31, 2024 at 12:32:38AM +0000, Klemens Nanni wrote:
> OpenVPN can use smart cards instead of --key/cert which works great for me
> via --pkcs11-id '...' with values from 'openvpn --show-pkcs11-ids | grep id:'
> on the client and no further config; the server needs no changes.
>
> See openvpn(8) "PKCS#11 / SmartCard options" for more.
>
>
> New dependency:
> Information for inst:pkcs11-helper-1.30.0
>
> Comment:
> library with PKCS
>
> Required by:
> openvpn-2.6.12p0
>
> Description:
> pkcs11-helper allows using multiple PKCS#11 providers at the same
> time, enumerating available token certificates, or selecting a
> certificate directly by serialized id, handling card removal and
> card insert events, handling card re-insert to a different
> slot, supporting session expiration and much more all using a
> simple API.
>
> pkcs11-helper is not designed to manage card content, since object
> attributes are usually vendor specific, and 99% of application need
> to access existing objects in order to perform signature and
> decryption.
>
> Maintainer: Klemens Nanni <k...@openbsd.org>
>
> WWW: https://github.com/OpenSC/pkcs11-helper
>
> It can use different TLS implementations - I explicitly enabled LibreSSL
> alone and left OpenVPN's FLAVOR=mbedtls unchanged as I don't use that.
>
> Feedback? OK?

1. Please address the comments below,

> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/openvpn/Makefile,v
> diff -u -p -r1.130 Makefile
> --- Makefile 21 Dec 2024 11:38:33 -0000 1.130
> +++ Makefile 30 Dec 2024 23:16:33 -0000
> @@ -26,6 +26,8 @@ CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/
>  LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}"
>  CONFIGURE_ARGS+=--with-openssl-engine=no
>
> +SEPARATE_BUILD= Yes
> +
>  DEBUG_PACKAGES= ${BUILD_PACKAGES}
>
>  FLAVORS= mbedtls
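Review bot: the new `+SEPARATE_BUILD= Yes` line is not explained anywhere in this hunk or in the cover mail, which only talks about --enable-pkcs11 and the pkcs11-helper dependency; since it sits outside the FLAVOR conditional and so affects the mbedtls FLAVOR as well, please state in the commit message (or a one-line Makefile comment) why an out-of-tree build is now needed, so the next updater knows whether it can be dropped again.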
> @@ -36,7 +38,14 @@ LIB_DEPENDS+= security/polarssl
>  CONFIGURE_ARGS+= --with-crypto-library=mbedtls
>  WANTLIB += mbedcrypto mbedtls mbedx509 pthread
>  .else
> -WANTLIB += crypto ssl
> +REVISION= 0

Even if the changes are specific to the default FLAVOR, please move
REVISION next to DISTNAME so that I don't forget it in the next openvpn
update.

> +LIB_DEPENDS+= security/pkcs11-helper
> +# dlopen()s p11-kit-proxy.so
> +BUILD_DEPENDS+= security/p11-kit
> +RUN_DEPENDS+= security/p11-kit

IIUC the BDEP on security/p11-kit is needed to deterministically set a
default pkcs11 module name ("p11-kit-proxy.so" on OpenBSD, grep for
DEFAULT_PKCS11_MODULE). openvpn then dlopens DEFAULT_PKCS11_MODULE
through pkcs11-helper.

Also IIUC, you then only need p11-kit at runtime if you want to use one
of the modules from p11-kit, including the default p11-kit-proxy.so
mentioned above. openvpn(8) already lists the name of the p11-kit
package that can be installed. So please drop the RUN_DEPENDS line.

> +CONFIGURE_ARGS+= --enable-pkcs11
> +WANTLIB += pthread pkcs11-helper
> +WANTLIB += crypto ssl pkcs11-helper

Please regen WANTLIB to reorder, drop the redundant "pkcs11-helper"
mention and use a single line.

>  .endif
>
>  SAMPLES_DIR= ${PREFIX}/share/examples/openvpn
>

2. This security/pkcs11-helper port looks good to me, but you may want
to look into the pthread_mutex_destroy warnings I see at runtime:

pbuild /usr/ports/net/openvpn$ openvpn --show-pkcs11-ids
2025-01-02 12:45:34 PKCS#11: Adding PKCS#11 provider '/usr/local/lib/p11-kit-proxy.so'

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

pthread_mutex_destroy on mutex with waiters!
pthread_mutex_destroy on mutex with waiters!
pthread_mutex_destroy on mutex with waiters!

I have no idea whether those warnings can turn into a problem in
practice.
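Review bot: the comment `+# dlopen()s p11-kit-proxy.so` above `+BUILD_DEPENDS+= security/p11-kit` describes a run-time action, so once the `+RUN_DEPENDS+= security/p11-kit` line is dropped as requested it will read as if the build dependency were what gets dlopen()ed; reword it to say what the build dependency is actually for, e.g. "# p11-kit at build time only: makes p11-kit-proxy.so the default PKCS#11 module (DEFAULT_PKCS11_MODULE), dlopen()ed at run time if installed", so the optional run-time role of p11-kit is clear to the next reader of the Makefile.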
ok jca@ to import security/pkcs11-helper as is, ok jca@ for net/openvpn
with the changes listed above.

--
jca