author | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2006-04-05 07:17:02 +0000 |
---|---|---|
committer | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2006-04-05 07:17:02 +0000 |
commit | 18597b93f7b43f63173f373fbd8548f2d08e25bb (patch) | |
tree | 31287d7784477dff653e5b92daee22872f58cab2 /options.c | |
parent | Added man page entry for --setenv-safe. (diff) | |
download | openvpn-18597b93f7b43f63173f373fbd8548f2d08e25bb.tar.xz |
I've recently worked on a better version of pkcs11-helper. I've also merged
it into QCA (Qt Cryptographic Architecture), so that KDE 4 will finally be
able to use smartcards.
The changes allow the following features:
1. Thread safe, is activated if USE_PTHREAD.
2. Slot event - Will allow us in the future to disconnect VPN when smartcard
is removed. In order to support this OpenVPN must support threading... At
least SIGUSR1 from a different thread. Threading should be supported in both
Windows and Linux. -- currently disabled.
When I talk about threading support it is just support in configuration script
and that the method that SIGUSR1 self can be called from a different thread.
I already handle the monitor threads.
3. Certificate enumeration - Will allow us to finally have one configuration
file for all users! When you add the plugin GUI stuff you talked about, we will
be able to display a list of available certificates for the user to select.
-- currently disabled.
4. Data object manipulation - Will allow us to store tls-auth on the smartcard
as well. -- currently disabled.
5. Many other minor improvements.
Alon Bar-Lev
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@990 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'options.c')
-rw-r--r-- | options.c | 70 |
1 files changed, 43 insertions, 27 deletions
@@ -492,12 +492,19 @@ static const char usage_message[] =
 "\n"
 "PKCS#11 Options:\n"
 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
+ "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
+ " path. Set for each provider.\n"
 "--pkcs11-sign-mode mode ... : PKCS#11 signature method.\n"
 " auto : Try to determind automatically (default).\n"
- " recover : Use SignRecover.\n"
 " sign : Use Sign.\n"
+ " recover : Use SignRecover.\n"
+ " any : Use Sign and then SignRecover.\n"
+ "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
+ " certificate can be accessed. Set for each provider.\n"
+ "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
+ " cache until token is removed.\n"
 "--pkcs11-slot-type method : Slot locate method:\n"
- " id : By slot id (numeric [prov#:]slot#).\n"
+ " id : By slot id (numeric [prov:]slot#).\n"
 " name : By slot name.\n"
 " label : By the card label that resides in slot.\n"
 "--pkcs11-slot name : The slot name.\n"
@@ -506,11 +513,6 @@ static const char usage_message[] =
 " label : By the object label (string).\n"
 " subject : By certificate subject (String).\n"
 "--pkcs11-id name : The object name.\n"
- "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
- " cache until token removed.\n"
- "--pkcs11-protected-authentication : Use PKCS#11 protected authentication path.\n"
- "--pkcs11-cert-private : Set if login should be performed before\n"
- " certificate can be accessed.\n"
 #endif /* ENABLE_PKCS11 */
 "\n"
 "SSL Library information:\n"
@@ -688,8 +690,6 @@ init_options (struct options *o)
 #endif
 #ifdef ENABLE_PKCS11
 o->pkcs11_pin_cache_period = -1;
- o->pkcs11_protected_authentication = false;
- o->pkcs11_cert_private = false;
 #endif /* ENABLE_PKCS11 */
 }
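Review bot: Removing the two explicit `= false` assignments in init_options leaves `pkcs11_protected_authentication` and `pkcs11_cert_private`, which are now indexed per provider (`[i]` in show_settings, `[j-1]` in add_option), with no initialization visible in this hunk, while show_settings reads all MAX_PARMS entries of both arrays unconditionally. Unless init_options zeroes the whole struct earlier (its body continues outside the hunk, so this cannot be confirmed here), slots for providers that were never named on the command line are reported as ENABLED or DISABLED based on whatever the memory held. If a struct-wide clear is what the commit relies on, say so where the old assignments stood, e.g. `/* pkcs11_protected_authentication[] and pkcs11_cert_private[] default to 0 via the struct clear above */`; otherwise an explicit `for` loop over MAX_PARMS setting both arrays to 0 belongs here next to `pkcs11_pin_cache_period = -1`.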
@@ -1265,16 +1265,24 @@ show_settings (const struct options *o)
 }
 {
 int i;
+ for (i=0;i<MAX_PARMS;i++)
+ SHOW_PARM (pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
+ }
+ {
+ int i;
 for (i=0;i<MAX_PARMS && o->pkcs11_sign_mode[i] != NULL;i++)
 SHOW_PARM (pkcs11_sign_mode, o->pkcs11_sign_mode[i], "%s");
 }
+ {
+ int i;
+ for (i=0;i<MAX_PARMS;i++)
+ SHOW_PARM (pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
+ }
+ SHOW_INT (pkcs11_pin_cache_period);
 SHOW_STR (pkcs11_slot_type);
 SHOW_STR (pkcs11_slot);
 SHOW_STR (pkcs11_id_type);
 SHOW_STR (pkcs11_id);
- SHOW_INT (pkcs11_pin_cache_period);
- SHOW_BOOL (pkcs11_protected_authentication);
- SHOW_BOOL (pkcs11_cert_private);
 #endif /* ENABLE_PKCS11 */
 #if P2MP
@@ -5080,6 +5088,15 @@ add_option (struct options *options,
 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
 options->pkcs11_providers[j-1] = p[j];
 }
+ else if (streq (p[0], "pkcs11-protected-authentication"))
+ {
+ int j;
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
+ options->pkcs11_protected_authentication[j-1] = atoi (p[j]) != 0 ? 1 : 0;
+ }
 else if (streq (p[0], "pkcs11-sign-mode") && p[1])
 {
 int j;
@@ -5089,6 +5106,20 @@ add_option (struct options *options,
 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
 options->pkcs11_sign_mode[j-1] = p[j];
 }
+ else if (streq (p[0], "pkcs11-cert-private"))
+ {
+ int j;
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
+ options->pkcs11_cert_private[j-1] = atoi (p[j]) != 0 ? 1 : 0;
+ }
+ else if (streq (p[0], "pkcs11-pin-cache") && p[1])
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->pkcs11_pin_cache_period = atoi (p[1]);
+ }
 else if (streq (p[0], "pkcs11-slot-type") && p[1])
 {
 VERIFY_PERMISSION (OPT_P_GENERAL);
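Review bot: The two new loops in show_settings walk all MAX_PARMS entries of pkcs11_protected_authentication and pkcs11_cert_private, whereas the pkcs11_sign_mode loop right between them stops at the first NULL entry, so the settings dump prints MAX_PARMS ENABLED/DISABLED lines even for a single configured provider and cannot distinguish an explicit 0 from a slot that was never set. Since these values are "set for each provider" (per the new usage text), bounding both loops on the provider list, `for (i=0;i<MAX_PARMS && o->pkcs11_providers[i] != NULL;i++)`, keeps the output consistent with the sign-mode block and makes the pairing with pkcs11_providers visible to whoever reads the log.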
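Review bot: The new `pkcs11-protected-authentication` branch has no `&& p[1]` guard, unlike its `pkcs11-sign-mode` neighbour, so the bare form `--pkcs11-protected-authentication` — exactly what the removed code matched and treated as "enable" — is now consumed without any error and leaves every entry at its default, i.e. the protected authentication path is silently switched off for configurations written against the previous syntax; the `pkcs11-cert-private` branch in the next hunk has the same gap. Adding `&& p[1]` to both conditions stops the bare spelling from matching here, so it reaches whatever add_option does for unmatched options (outside the hunk) instead of being accepted as a no-op; alternatively the bare form could keep meaning 1 for the first provider. Separately, `atoi (p[j]) != 0 ? 1 : 0` turns any non-numeric token (`yes`, `on`) into 0 without complaint, and the moved `pkcs11-pin-cache` branch likewise stores `atoi (p[1])` unvalidated; parsing with `strtol` and checking the end pointer would reject such values rather than quietly disabling the option or setting a zero cache period.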
@@ -5109,21 +5140,6 @@ add_option (struct options *options,
 VERIFY_PERMISSION (OPT_P_GENERAL);
 options->pkcs11_id = p[1];
 }
- else if (streq (p[0], "pkcs11-pin-cache") && p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->pkcs11_pin_cache_period = atoi (p[1]);
- }
- else if (streq (p[0], "pkcs11-protected-authentication"))
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->pkcs11_protected_authentication = true;
- }
- else if (streq (p[0], "pkcs11-cert-private"))
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->pkcs11_cert_private = true;
- }
 #endif
 #ifdef TUNSETPERSIST
 else if (streq (p[0], "rmtun"))