02.01.2025 15:46, Jeremie Courreges-Anglas writes:
>
> Hi,
>
> On Tue, Dec 31, 2024 at 12:32:38AM +0000, Klemens Nanni wrote:
>> OpenVPN can use smart cards instead of --key/cert which works great for me
>> via --pkcs11-id '...' with values from 'openvpn --show-pkcs11-ids | grep id:'
>> on the client and no further config; the server needs no changes.
>>
>> See openvpn(8) "PKCS#11 / SmartCard options" for more.
>>
>>
>> New dependency:
>> Information for inst:pkcs11-helper-1.30.0
>>
>> Comment:
>> library with PKCS
>>
>> Required by:
>> openvpn-2.6.12p0
>>
>> Description:
>> pkcs11-helper allows using multiple PKCS#11 providers at the same
>> time, enumerating available token certificates, or selecting a
>> certificate directly by serialized id, handling card removal and
>> card insert events, handling card re-insert to a different
>> slot, supporting session expiration and much more all using a
>> simple API.
>>
>> pkcs11-helper is not designed to manage card content, since object
>> attributes are usually vendor specific, and 99% of application need
>> to access existing objects in order to perform signature and
>> decryption.
>>
>> Maintainer: Klemens Nanni <k...@openbsd.org>
>>
>> WWW: https://github.com/OpenSC/pkcs11-helper
>>
>> It can use different TLS implementations - I explicitly enabled LibreSSL
>> alone and left OpenVPN's FLAVOR=mbedtls unchanged as I don't use that.
>>
>> Feedback? OK?
>
> 1. Please address the comments below,
>
>> Index: Makefile
>> ===================================================================
>> RCS file: /cvs/ports/net/openvpn/Makefile,v
>> diff -u -p -r1.130 Makefile
>> --- Makefile 21 Dec 2024 11:38:33 -0000 1.130
>> +++ Makefile 30 Dec 2024 23:16:33 -0000
>> @@ -26,6 +26,8 @@ CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/
>>  LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}"
>>  CONFIGURE_ARGS+=--with-openssl-engine=no
>>
>> +SEPARATE_BUILD= Yes
>> +
>>  DEBUG_PACKAGES= ${BUILD_PACKAGES}
>>
>>  FLAVORS= mbedtls
>> @@ -36,7 +38,14 @@ LIB_DEPENDS+= security/polarssl
>>  CONFIGURE_ARGS+= --with-crypto-library=mbedtls
>>  WANTLIB += mbedcrypto mbedtls mbedx509 pthread
>>  .else
>> -WANTLIB += crypto ssl
>> +REVISION= 0
>
> Even if the changes are specific to the default FLAVOR, please move
> REVISION next to DISTNAME so that I don't forget it in the next
> openvpn update.
>
>> +LIB_DEPENDS+= security/pkcs11-helper
>> +# dlopen()s p11-kit-proxy.so
>> +BUILD_DEPENDS+= security/p11-kit
>> +RUN_DEPENDS+= security/p11-kit
>
> IIUC the BDEP on security/p11-kit is needed to deterministically set a
> default pkcs11 module name ("p11-kit-proxy.so" on OpenBSD, grep for
> DEFAULT_PKCS11_MODULE). openvpn then dlopens DEFAULT_PKCS11_MODULE
> through pkcs11-helper. Also IIUC, you then only need p11-kit at
> runtime if you want to use one of the modules from p11-kit, including
> the default p11-kit-proxy.so mentioned above. openvpn(8) already
> lists the name of the p11-kit package that can be installed. So
> please drop the RUN_DEPENDS line.
Right, I'll see if p11-kit is really needed at all, that is, whether the
default works with it being not present during build and/or whether I can
just set it without the package.

>
>> +CONFIGURE_ARGS+= --enable-pkcs11
>> +WANTLIB += pthread pkcs11-helper
>> +WANTLIB += crypto ssl pkcs11-helper
>
> Please regen WANTLIB to reorder, drop the redundant "pkcs11-helper"
> mention and use a single line.
>
>>  .endif
>>
>>  SAMPLES_DIR= ${PREFIX}/share/examples/openvpn
>>
>
> 2. This security/pkcs11-helper port looks good to me, but you may want
> to look into the pthread_mutex_destroy warnings I see at runtime:
>
> pbuild /usr/ports/net/openvpn$ openvpn --show-pkcs11-ids
> 2025-01-02 12:45:34 PKCS#11: Adding PKCS#11 provider
> '/usr/local/lib/p11-kit-proxy.so'
>
> The following objects are available for use.
> Each object shown below may be used as parameter to
> --pkcs11-id option please remember to use single quote mark.
> pthread_mutex_destroy on mutex with waiters!
> pthread_mutex_destroy on mutex with waiters!
> pthread_mutex_destroy on mutex with waiters!
>
> I have no idea whether those warnings can turn into a problem in
> practice.

Ah, threading should be disabled; it does the TLS handshake fine, but
later on something goes wrong, which I haven't fully diagnosed yet.
'--disable-threading --disable-slotevent' fixes that, but I sent the old
tarball.

>
> ok jca@ to import security/pkcs11-helper as is, ok jca@ for net/openvpn
> with the changes listed above.

Thanks, I'll import with threading turned off and bump openvpn as per
above.
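Review bot: the comment `# dlopen()s p11-kit-proxy.so` above `BUILD_DEPENDS+= security/p11-kit` in the second hunk describes a runtime behaviour, while the build dependency is there (per the discussion above) so that configure deterministically sets DEFAULT_PKCS11_MODULE; once `RUN_DEPENDS+= security/p11-kit` is dropped as requested, reword the comment to state the build-time reason, e.g. `# sets DEFAULT_PKCS11_MODULE to p11-kit-proxy.so; p11-kit optional at runtime`, so the rationale survives the next update. Since pkcs11-helper is now going to be imported with `--disable-threading`, regenerate WANTLIB only after that change lands so the `pthread` entry in the merged `WANTLIB += ...` line reflects the final library.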