From: Hasso T. <has...@gm...> - 2013-02-06 20:37:19
Hi,

There have been many reports from MacOSX users during the last years that PKCS#11 support in OpenVPN is broken for them. The problem seems to be related to forking (using execve()) and PKCS#11. The following post describes the situation well:

http://www.gooze.eu/forums/support/feitian-epass-with-openvpn-tunnelblick

PKCS#11 support is started, the PIN is asked, etc. During the first execve() (ifconfig tun0 delete) the PKCS#11 system seems to be reinitialised, and from the second execve() (ifconfig tun0 <address>...) on it doesn't return. The last line from the pcscd log is "Client failed to authenticate".

Avoiding fork at all seems to be a workaround. OpenVPN 2.2 can be forced to use system() instead of execve(), and that solves the problem. Unfortunately support for system() is removed from 2.3.

Now, the question is what exactly is wrong? The very same conf works with Linux/BSD. I suspect that it has something to do with old smartcard related stuff in MacOSX (pcsc-lite 1.4.0, ccid 1.3.11), but ... I also found out that there have been reports from users who are not using opensc (but using Aladdin eToken Pro for example) and PKCS#11 support in OpenVPN works fine for them. So, I suspect it's something opensc can fix.

Regards,

-- 
Hasso Tepper
From: Alon Bar-L. <alo...@gm...> - 2013-02-07 06:17:39
Please send full debug log of openvpn.

Thanks.

On Wed, Feb 6, 2013 at 10:37 PM, Hasso Tepper <has...@gm...> wrote:
> Hi,
>
> There have been many reports from MacOSX users during last years that
> PKCS#11 support in OpenVPN is broken for them. The problem seems to be
> related to forking (using execve()) and PKCS#11. Following post
> describes the situation well:
>
> http://www.gooze.eu/forums/support/feitian-epass-with-openvpn-tunnelblick
>
> PKCS#11 support is started, PIN is asked etc, during first execve()
> (ifconfig tun0 delete) PKCS#11 system seems to be reinitialised and
> from second execve() (ifconfig tun0 <address>...) it doesn't return. The
> last line from pcscd log is "Client failed to authenticate".
>
> Avoiding fork at all seems to be a workaround. OpenVPN 2.2 can be forced
> to use system() instead of execve() and it solves the problem.
> Unfortunately support for system() is removed from 2.3.
>
> Now, the question is what exactly is wrong? The very same conf works
> with Linux/BSD. I suspect that it's something to do with old smartcard
> related stuff in MacOSX (pcsc-lite 1.4.0, ccid 1.3.11), but ... I also
> found out that there have been reports from users who are not using
> opensc (but using Aladdin eToken Pro for example) and PKCS#11 support in
> OpenVPN works fine for them. So, I suspect it's something opensc can fix.
>
>
> Regards,
>
> --
> Hasso Tepper
From: Hasso T. <has...@gm...> - 2013-02-07 08:50:10
Attachments:
openvpn-log.txt.gz
Alon Bar-Lev wrote:
> Please send full debug log of openvpn.

Attached.

Thanks,

-- 
Hasso Tepper
From: Alon Bar-L. <alo...@gm...> - 2013-02-07 17:04:33
This is not the usual log... I cannot see option values, and I see communications before any PKCS#11 call, and I do not see the PKCS#11 initialization...

But even with this data, please also provide full debug of opensc PKCS#11 log.

Thanks,
Alon

On Thu, Feb 7, 2013 at 10:49 AM, Hasso Tepper <has...@gm...> wrote:
> Alon Bar-Lev wrote:
>> Please send full debug log of openvpn.
>
> Attached.
>
>
> Thanks,
>
> --
> Hasso Tepper
From: Ludovic R. <lud...@gm...> - 2013-02-15 07:39:46
---------- Forwarded message ----------
From: Ludovic Rousseau <lud...@gm...>
Date: 2013/2/13
Subject: Re: [Opensc-devel] OpenVPN, PKCS#11 and MacOSX
To: Hasso Tepper <has...@gm...>
Cc: OpenSC Development <ope...@li...>

2013/2/13 Alon Bar-Lev <alo...@gm...>:
> Hi,

Hello,

> Problem seems to be in pcsc-lite.

Exact.

> Call to pcsc_disconnect is not returning.
>
> Ludovic, can you please take a look?
> This happens after standard sequence of fork() usage with PKCS#11,
> child process should finalize and initialize PKCS#11.

I can reproduce the problem using the PC/SC Unitary Test SCard_fork.py [1].

After the fork the application should not do any PC/SC call in the son using the father PC/SC context. Otherwise the PC/SC calls in the father will be blocked. It is a bug in Apple PC/SC. The same Unitary Test works fine on GNU/Linux with a recent PC/SC lite.

I don't know if the bug is easy to circumvent in OpenSC. OpenSC would have to detect the application has forked and forget about the PC/SC context in the son. This may be done only in C_Finalize() and only for Mac OS X.

Bye,

[1] http://anonscm.debian.org/viewvc/pcsclite/trunk/PCSC/UnitaryTests/SCard_fork.py?view=markup

-- 
Dr. Ludovic Rousseau
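The rule Ludovic states above (after fork(), the child must not make PC/SC calls on the context the parent established, and the workaround is for the PKCS#11 layer to notice the fork and simply forget the inherited context) can be shown in a small stand-alone program. The code below is an added example written for this page; it is not OpenSC, OpenVPN, pkcs11-helper or pcsc-lite code. It replaces the real SCARDCONTEXT and the SCardEstablishContext()/SCardReleaseContext() calls with hypothetical stand-ins (fake_context_t, fake_establish_context(), fake_release_context()) so that it runs without a reader or pcscd; the token_session struct and its session_* functions are likewise hypothetical names. The technique itself is the PID check: the handle is tagged with the PID that created it, and any later use from a different PID drops the handle without releasing it (a release would itself be a PC/SC call on the parent's context, which is the call that hangs on OS X in this thread) and establishes a fresh context for the child.

```c
/* Added example, not OpenSC/OpenVPN/pcsc-lite code: a PID-tagged wrapper
 * around a PC/SC-style context that refuses to reuse (or release) a handle
 * inherited across fork(). All names below are hypothetical stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for SCARDCONTEXT; no real PC/SC call is made anywhere here. */
typedef unsigned long fake_context_t;

struct token_session {
    fake_context_t hcontext;  /* 0 means "no context established" */
    pid_t          owner_pid; /* process that established hcontext */
};

/* Simulated SCardEstablishContext(): returns a fresh non-zero handle. */
static fake_context_t fake_establish_context(void)
{
    static fake_context_t next = 0x1000;
    return next++;
}

/* Simulated SCardReleaseContext(); counts calls so a test can check that
 * a forked child never releases the parent's handle. */
static int release_calls = 0;
static void fake_release_context(fake_context_t h)
{
    (void)h;
    release_calls++;
}

/* Establish a context and remember which process owns it. */
void session_init(struct token_session *s, pid_t pid)
{
    s->hcontext = fake_establish_context();
    s->owner_pid = pid;
}

/* Core of the technique. Call this before anything that would touch the
 * context. If the caller's PID differs from the owner's PID, we are in a
 * forked child: forget the inherited handle WITHOUT releasing it and
 * establish a new one for this process. Returns 1 when a fork was detected
 * and the context was re-established, 0 when the handle was already ours. */
int session_ensure_owned(struct token_session *s, pid_t current_pid)
{
    if (s->hcontext != 0 && s->owner_pid == current_pid)
        return 0;
    s->hcontext = 0;               /* drop, do not release, the parent's handle */
    session_init(s, current_pid);  /* fresh context owned by this PID */
    return 1;
}

/* Finalize: only the process that established the context releases it.
 * A child that merely inherited the handle just forgets it. */
void session_finalize(struct token_session *s, pid_t current_pid)
{
    if (s->hcontext != 0 && s->owner_pid == current_pid)
        fake_release_context(s->hcontext);
    s->hcontext = 0;
    s->owner_pid = 0;
}

/* Exercise the wrapper across a real fork(). Returns 0 when the child
 * detected the fork and the parent's own context stayed usable, 1 otherwise. */
int demo_fork(void)
{
    struct token_session s;
    int status = 0;
    pid_t child;

    session_init(&s, getpid());
    child = fork();
    if (child < 0)
        return 1;
    if (child == 0) {
        /* Child: the inherited handle must be replaced, never reused. */
        int reset = session_ensure_owned(&s, getpid());
        session_finalize(&s, getpid());   /* releases only the child's own context */
        _exit(reset ? 0 : 1);
    }
    waitpid(child, &status, 0);

    /* Parent: its handle is still its own, so no reset happens here. */
    if (session_ensure_owned(&s, getpid()) != 0)
        return 1;
    session_finalize(&s, getpid());
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : 1;
}

int main(void)
{
    int rc = demo_fork();
    printf("fork detection %s\n", rc == 0 ? "worked" : "failed");
    return rc;
}
```

In a real PKCS#11 module the same check would sit at the top of C_Finalize() (the spot Ludovic names) and, defensively, in front of every function that reaches pcscd, with SCardEstablishContext() and SCardReleaseContext() in place of the fake_* stand-ins. The PID comparison is deliberately the only fork signal used: pthread_atfork() handlers would also work, but they do not fire for fork() calls made by a library the module never sees, such as the execve() helper in OpenVPN that starts this thread.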