If the user specifies --pkcs11-id or --pkcs11-id-management but neglects
to explicitly provide a --pkcs11-provider argument, and if the system
has p11-kit installed, then load the p11-kit proxy module so that the
system-configured tokens are available.
Trac: 490
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1418303015.31745.78.camel@infradead.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9342
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -1044,6 +1044,13 @@ if test "${enable_pkcs11}" = "yes"; then |
1044 | 1044 |
OPTIONAL_PKCS11_HELPER_CFLAGS="${PKCS11_HELPER_CFLAGS}" |
1045 | 1045 |
OPTIONAL_PKCS11_HELPER_LIBS="${PKCS11_HELPER_LIBS}" |
1046 | 1046 |
AC_DEFINE([ENABLE_PKCS11], [1], [Enable PKCS11]) |
1047 |
+ PKG_CHECK_MODULES( |
|
1048 |
+ [P11KIT], |
|
1049 |
+ [p11-kit-1], |
|
1050 |
+ [proxy_module="`$PKG_CONFIG --variable=proxy_module p11-kit-1`" |
|
1051 |
+ AC_DEFINE_UNQUOTED([DEFAULT_PKCS11_MODULE], "${proxy_module}", [p11-kit proxy])], |
|
1052 |
+ [] |
|
1053 |
+ ) |
|
1047 | 1054 |
fi |
1048 | 1055 |
|
1049 | 1056 |
if test "${enable_pedantic}" = "yes"; then |
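Review bot: The success branch of `PKG_CHECK_MODULES` defines `DEFAULT_PKCS11_MODULE` without checking that `$PKG_CONFIG --variable=proxy_module p11-kit-1` actually returned a path. If the installed .pc file does not define that variable, the macro becomes an empty string, and the fallback this commit adds to options_postprocess_mutate_invariant() tests only for a NULL provider, so an empty provider name would presumably be passed on to the PKCS#11 loader. Guard the define, e.g. `test -n "${proxy_module}" && AC_DEFINE_UNQUOTED([DEFAULT_PKCS11_MODULE], "${proxy_module}", [p11-kit proxy])`. The detection is also automatic with no configure switch visible in this hunk, and the value baked into the binary is the build host's absolute path; a comment such as `dnl absolute path of the p11-kit proxy module as reported by pkg-config on the build host` would make that explicit for packagers.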
... | ... |
@@ -4355,6 +4355,16 @@ This option can be used instead of |
4355 | 4355 |
.B \-\-cert, \-\-key, |
4356 | 4356 |
and |
4357 | 4357 |
.B \-\-pkcs12. |
4358 |
+ |
|
4359 |
+If p11-kit is present on the system, its |
|
4360 |
+.B p11-kit-proxy.so |
|
4361 |
+module will be loaded by default if either the |
|
4362 |
+.B \-\-pkcs11\-id |
|
4363 |
+or |
|
4364 |
+.B \-\-pkcs11\-id\-management |
|
4365 |
+options are specified without |
|
4366 |
+.B \-\-pkcs11\-provider |
|
4367 |
+being given. |
|
4358 | 4368 |
.\"********************************************************* |
4359 | 4369 |
.TP |
4360 | 4370 |
.B \-\-pkcs11-private-mode mode... |
... | ... |
@@ -2466,6 +2466,15 @@ options_postprocess_mutate_invariant (struct options *options) |
2466 | 2466 |
#endif |
2467 | 2467 |
} |
2468 | 2468 |
#endif |
2469 |
+ |
|
2470 |
+#ifdef DEFAULT_PKCS11_MODULE |
|
2471 |
+ /* If p11-kit is present on the system then load its p11-kit-proxy.so |
|
2472 |
+ by default if the user asks for PKCS#11 without otherwise specifying |
|
2473 |
+ the module to use. */ |
|
2474 |
+ if (!options->pkcs11_providers[0] && |
|
2475 |
+ (options->pkcs11_id || options->pkcs11_id_management)) |
|
2476 |
+ options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE; |
|
2477 |
+#endif |
|
2469 | 2478 |
} |
2470 | 2479 |
|
2471 | 2480 |
static void |
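Review bot: The fallback in the `#ifdef DEFAULT_PKCS11_MODULE` block changes which shared object is loaded into the process, yet nothing is logged when it takes effect. Because the proxy exposes whatever modules the system's p11-kit configuration lists, the log should show that the provider came from the compiled-in default rather than from `--pkcs11-provider`; brace the `if` and add `msg (M_INFO, "PKCS#11: no --pkcs11-provider given, using default module %s", DEFAULT_PKCS11_MODULE);`. The test `!options->pkcs11_providers[0]` only catches NULL, so it relies on configure never defining the macro as an empty string. options_postprocess_mutate_invariant() starts above the hunk, so how this block interacts with the preceding `#if` sections is not visible here.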