Re: net/openvpn,mbedtls: add pkcs11 support

Bjorn Ketelaars Thu, 02 Jan 2025 22:33:01 -0800

On Fri 03/01/2025 00:20, Klemens Nanni wrote:
> 03.01.2025 02:29, Jeremie Courreges-Anglas пишет:
> > Klemens: could you please test the mbedtls FLAVOR for your use case?
> 
> Doesn't work:
> 
>   OpenVPN 2.6.12 x86_64-unknown-openbsd7.6 [SSL (mbed TLS)] [LZO] [LZ4] 
> [PKCS11] [MH/RECVDA] [AEAD]
>   library versions: mbed TLS 2.28.0, LZO 2.10
>   Cannot initialize 19-'CKR_ATTRIBUTE_VALUE_INVALID'
>   Exiting due to fatal error
> 
> Same result when switching the helper to mbed/polar;
> builds and packages, but doesn't link against it - perhaps something's 
> missing?


With your diff, pkcs11-helper builds without support for mbedtls. Have a
look at the output of configure. BTW, 'make test' fails all tests.

I think you also need to pass MBEDTLS_CFLAGS and MBEDTLS_LIBS. With this
mbedtls is picked up, pkcs11-helper compiles, and passes all tests.
Could you recheck with the diff below?


diff --git Makefile Makefile
index ea1d224c45e..aa299b4ea3a 100644
--- Makefile
+++ Makefile
@@ -1,11 +1,11 @@
 COMMENT =              library with PKCS\#11 providers for end-user 
applications
 CATEGORIES =           security
 DISTNAME =             pkcs11-helper-1.30.0
-REVISION =             0
+REVISION =             1
 
 SHARED_LIBS =          pkcs11-helper   0.0     # 1.0
 
-WANTLIB =              crypto
+WANTLIB =              mbedcrypto mbedtls mbedx509 pthread
 
 MAINTAINER =           Klemens Nanni <k...@openbsd.org>
 
@@ -17,12 +17,15 @@ SITES =                     
${HOMEPAGE}/releases/download/${DISTNAME}/
 EXTRACT_SUFX =         .tar.bz2
 
 BUILD_DEPENDS =                security/p11-kit
+LIB_DEPENDS =          security/polarssl
 
 CONFIGURE_STYLE =      gnu
 CONFIGURE_ARGS =       --enable-tests \
                        --with-test-provider=`pkg-config 
--variable=proxy_module p11-kit-1` \
                        --disable-crypto-engine-gnutls \
-                       --disable-crypto-engine-mbedtls \
+                       --enable-crypto-engine-mbedtls \
+                       --disable-openssl \
+                       --disable-crypto-engine-openssl \
                        --disable-crypto-engine-nss \
                        --disable-doc \
                        --disable-static
@@ -38,6 +41,9 @@ LIBTOOL_FLAGS =               --tag=disable-static
 CONFIGURE_ARGS +=      --disable-slotevent \
                        --disable-threading
 
+CONFIGURE_ENV=         MBEDTLS_CFLAGS="-I${LOCALBASE}/include" \
+                       MBEDTLS_LIBS="-L${LOCALBASE}/lib -lmbedtls -lmbedx509 
-lmbedcrypto"
+
 USE_GMAKE =            Yes
 SEPARATE_BUILD =       Yes
 
diff --git pkg/PLIST pkg/PLIST
index e7ab0747e5e..5dda6db3773 100644
--- pkg/PLIST
+++ pkg/PLIST
@@ -5,7 +5,6 @@ include/pkcs11-helper-1.0/pkcs11h-core.h
 include/pkcs11-helper-1.0/pkcs11h-data.h
 include/pkcs11-helper-1.0/pkcs11h-def.h
 include/pkcs11-helper-1.0/pkcs11h-engines.h
-include/pkcs11-helper-1.0/pkcs11h-openssl.h
 include/pkcs11-helper-1.0/pkcs11h-token.h
 include/pkcs11-helper-1.0/pkcs11h-version.h
 @comment lib/libpkcs11-helper.la

Re: net/openvpn,mbedtls: add pkcs11 support

Reply via email to