Hi,

On Sun, Dec 11, 2022 at 2:14 PM Marc Becker via Openvpn-devel <
openvpn-devel@lists.sourceforge.net> wrote:

> The new interface in  pkcs11-helper 1.28 allows decoupling of provider
> registration and initialization.
> This allows modifying more (and future) properties apart from the
> 6 fixed ones supported as arguments to pkcs11h_addProvider().
>
> With the new interface it is easier to see (from a code perspective)
> which option is set to which value.
> It's also not necessary to supply values for built-in defaults:
> - slot_event_method=PKCS11H_SLOTEVENT_METHOD_AUTO
> - slot_poll_interval=0
>
> Signed-off-by: Marc Becker <marc.bec...@astos.de>
> ---
> v2: improved code and description, no (essentially) duplicated log output
> ---
>  src/openvpn/pkcs11.c | 33 +++++++++++++++++++++++++++++++++
>  1 file changed, 33 insertions(+)
>
> diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c
> index fbc4c472..b74ac8f4 100644
> --- a/src/openvpn/pkcs11.c
> +++ b/src/openvpn/pkcs11.c
> @@ -396,6 +396,38 @@ pkcs11_addProvider(
>          provider
>          );
>
> +#if PKCS11H_VERSION >= ((1<<16) | (28<<8) | (0<<0))
> +    if ((rv = pkcs11h_registerProvider(provider)) != CKR_OK)
> +    {
> +        msg(M_WARN, "PKCS#11: Cannot register provider '%s' %ld-'%s'",
> provider, rv, pkcs11h_getMessage(rv));
> +    }
> +    else
> +    {
> +        PKCS11H_BOOL allow_protected_auth = protected_auth;
> +        PKCS11H_BOOL cert_is_private = cert_private;
> +
> +        rv = pkcs11h_setProviderProperty(provider,
> PKCS11H_PROVIDER_PROPERTY_LOCATION, provider, strlen(provider) + 1);
> +
> +        if (rv == CKR_OK)
> +        {
> +            rv = pkcs11h_setProviderProperty(provider,
> PKCS11H_PROVIDER_PROPERTY_ALLOW_PROTECTED_AUTH, &allow_protected_auth,
> sizeof(allow_protected_auth));
> +        }
> +        if (rv == CKR_OK)
> +        {
> +            rv = pkcs11h_setProviderProperty(provider,
> PKCS11H_PROVIDER_PROPERTY_MASK_PRIVATE_MODE, &private_mode,
> sizeof(private_mode));
> +        }
> +        if (rv == CKR_OK)
> +        {
> +            rv = pkcs11h_setProviderProperty(provider,
> PKCS11H_PROVIDER_PROPERTY_CERT_IS_PRIVATE, &cert_is_private,
> sizeof(cert_is_private));
> +        }
> +
> +        if (rv != CKR_OK || (rv = pkcs11h_initializeProvider(provider))
> != CKR_OK)
> +        {
> +            msg(M_WARN, "PKCS#11: Cannot initialize provider '%s'
> %ld-'%s'", provider, rv, pkcs11h_getMessage(rv));
> +            pkcs11h_removeProvider(provider);
> +        }
> +    }
> +#else  /* if PKCS11H_VERSION >= ((1<<16) | (28<<8) | (0<<0)) */
>      if (
>          (rv = pkcs11h_addProvider(
>               provider,
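Review bot: the combined check `if (rv != CKR_OK || (rv = pkcs11h_initializeProvider(provider)) != CKR_OK)` logs "Cannot initialize provider" even when the call that actually failed was one of the three pkcs11h_setProviderProperty() calls above it, so an operator reading the log cannot distinguish a property-setting failure from an initialization failure; consider logging the set-property failure on its own (naming the property that failed) before falling through to pkcs11h_removeProvider(). The two local copies `PKCS11H_BOOL allow_protected_auth = protected_auth;` and `PKCS11H_BOOL cert_is_private = cert_private;` deserve a one-line comment saying they exist so that the sizeof() handed to pkcs11h_setProviderProperty() matches the PKCS11H_BOOL width the property expects rather than the width of the function's own parameters; without that note a later cleanup could easily pass the parameters directly and silently hand the library the wrong length. Removing the provider unconditionally on the failure path is the correct cleanup, as it avoids leaving a half-configured provider registered.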
> @@ -410,6 +442,7 @@ pkcs11_addProvider(
>      {
>          msg(M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'",
> provider, rv, pkcs11h_getMessage(rv));
>      }
> +#endif /* if PKCS11H_VERSION >= ((1<<16) | (28<<8) | (0<<0)) */
>
>      dmsg(
>          D_PKCS11_DEBUG,
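Review bot: the new branch and the legacy branch kept under `#else` now both emit the identical `msg(M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv));` line; since rv is assigned in both branches, the initialize warning could be issued once after the `#endif` so the two paths cannot drift apart in wording or format, keeping only the register-failure message and the pkcs11h_removeProvider() cleanup inside the versioned block. If the duplication is intentional (to keep each branch self-contained), a short comment on the `#else` line saying so would pre-empt the same question from the next reader.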
> --
> 2.38.1.windows.1
>

I have been delaying acking this until I get time to test 3/3, but as 1/3
has been acked, here goes:

Effectively this is the same as the original, but splitting addProvider into
explicit register/set-properties/initialize calls when using recent versions
of pkcs11-helper is a useful refactoring.

Acked-by: Selva Nair <selva.n...@gmail.com>