On 2025/01/03 10:59, Klemens Nanni wrote:
> 03.01.2025 09:32, Bjorn Ketelaars wrote:
> > With your diff, pkcs11-helper builds without support for mbedtls. Have a
> > look at the output of configure. BTW, 'make test' fails all tests.
> > 
> > I think you also need to pass MBEDTLS_CFLAGS and MBEDTLS_LIBS. With this
> > mbedtls is picked up, pkcs11-helper compiles, and passes all tests.
> > Could you recheck with the diff below?
> 
> Ah, I forgot to pass MBEDTLS_*, thanks.
> 
> Still no luck, it doesn't even make it to the PIN1 prompt:
> 
> $ doas openvpn ./config.ovpn
> ...
> 2025-01-03 13:54:03 OpenVPN 2.6.12 x86_64-unknown-openbsd7.6 [SSL (mbed TLS)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD]
> 2025-01-03 13:54:03 library versions: mbed TLS 2.28.0, LZO 2.10
> 2025-01-03 13:54:03 PKCS#11: Adding PKCS#11 provider '/usr/local/lib/p11-kit-proxy.so'
> 2025-01-03 13:54:04 ERROR: external key with mbed TLS requires a certificate with an RSA key.
> 2025-01-03 13:54:04 PKCS#11: Cannot register signing function

I wonder if LD_DEBUG will give any clues as to what's happening here.

> 2025-01-03 13:54:04 Cannot load certificate "..." using PKCS#11 interface
> 2025-01-03 13:54:04 Error: private key password verification failed
> 2025-01-03 13:54:04 Exiting due to fatal error
> $ pkg_info -m | egrep 'vpn|pkcs'
> openvpn-2.6.12p1-mbedtls easy-to-use, robust, and highly configurable VPN
> pkcs11-helper-1.30.0p1 library with PKCS#11 providers for end-user applications
> $ ldd `which openvpn`     
> /usr/local/sbin/openvpn:
>       Start            End              Type  Open Ref GrpRef Name
>       0000096b1fa76000 0000096b1fb4d000 exe   2    0   0      /usr/local/sbin/openvpn
>       0000096d5258a000 0000096d525ba000 rlib  0    1   0      /usr/local/lib/liblzo2.so.1.0
>       0000096d69388000 0000096d693bf000 rlib  0    1   0      /usr/local/lib/liblz4.so.3.3
>       0000096dac816000 0000096dac84c000 rlib  0    2   0      /usr/local/lib/libmbedtls.so.7.0
>       0000096dd3a92000 0000096dd3a9f000 rlib  0    5   0      /usr/lib/libpthread.so.27.1
>       0000096d89899000 0000096d898bc000 rlib  0    3   0      /usr/local/lib/libmbedx509.so.3.2
>       0000096e18e1f000 0000096e18ea9000 rlib  0    4   0      /usr/local/lib/libmbedcrypto.so.5.0
>       0000096dda918000 0000096dda931000 rlib  0    1   0      /usr/local/lib/libpkcs11-helper.so.0.0
>       0000096e0ac66000 0000096e0ad6d000 rlib  0    1   0      /usr/lib/libc.so.100.3
>       0000096e041c4000 0000096e041c4000 ld.so 0    1   0      /usr/libexec/ld.so
> 
> 
> If at all, pkcs11-helper should have FLAVOR=mbedtls, of course.
> 
