I am also curious how to get the --askpass to work out of the box. I have tested:
* Version 2.4.7
* Version 2.5.3
But none of them work. I am curious how to write a proper bug ticket for this, as --askpass for pkcs11 would be very useful in my scenario (I want openvpn to start unattended on a Raspberry Pi from a udev rule, which works with a patched binary, as described above/below).
I tried the patch mentioned by "lvd" on a Raspberry Pi, Raspbian 10 (buster), on openvpn 2.5.3. Their patch works as described.
Code:
sudo apt -y install libssl-dev liblzo2-dev libpam0g-dev build-essential
sudo apt -y install libsystemd-dev libpkcs11-helper1-dev
wget https://swupdate.openvpn.org/community/releases/openvpn-2.5.3.tar.gz
tar xzf openvpn-2.5.3.tar.gz   # unpack so the cd below has a tree to enter
I have the following changes in the source tree (more or less the same as above, just a few line numbers differ):
Code:
cd openvpn-2.5.3
diff -r ./src/openvpn/init.c ../../openvpn-2.5.3/src/openvpn/init.c
707c707,708
< pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
---
> //XXX pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
> pkcs11_initialize(true, c->options.pkcs11_pin_cache_period,c->options.key_pass_file);
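Review bot: the commented-out `//XXX pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);` should be deleted rather than kept beside the new three-argument call; the diff itself records the old line, and dead code in `init.c` is the first thing a maintainer will ask to strip once this is turned into a ticket or a submitted patch. The same applies to every other `//XXX` line in this patch.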
diff -r ./src/openvpn/pkcs11.c ../../openvpn-2.5.3/src/openvpn/pkcs11.c
36a37
> #include "options.h"
244c245
< (void)global_data;
---
> //XXX (void)global_data;
258c259,260
< NULL,
---
> //XXX NULL,
> (const char *)global_data,
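Review bot: `(const char *)global_data` replaces the `NULL` auth-file argument unconditionally, but nothing visible in the hook checks that `global_data` is non-NULL, and the hook is registered with whatever `key_pass_file` holds even when no `--askpass file` is configured; add a `global_data != NULL` test that falls back to the original `NULL` (interactive prompt) path. The patch description should also say that the token PIN now sits in cleartext on disk and is read by this call, so the file must be root-owned and mode 0600.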
285c287,289
< const int nPINCachePeriod
---
> //XXX const int nPINCachePeriod
> const int nPINCachePeriod,
> const char * key_pass_file
327c331,332
< if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_pin_prompt, NULL)) != CKR_OK)
---
> //XXX if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_pin_prompt, NULL)) != CKR_OK)
> if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_pin_prompt, (void *)key_pass_file)) != CKR_OK)
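Review bot: `(void *)key_pass_file` hands pkcs11-helper a raw pointer to the option string that it will dereference later from `_pkcs11_openvpn_pin_prompt`, so the string must outlive the hook registration; that holds here only because `init.c` passes `c->options.key_pass_file`, which lives for the whole context. A comment at this line stating that lifetime requirement, or a copy of the string owned by this file, would keep a future caller from passing a temporary. Casting away the `const` is harmless since the hook only reads it, but a comment saying so avoids the question in review.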
diff -r ./src/openvpn/pkcs11.h ../../openvpn-2.5.3/src/openvpn/pkcs11.h
34c34,36
< const int nPINCachePeriod
---
> //XXX const int nPINCachePeriod
> const int nPINCachePeriod,
> const char * key_pass_file
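Review bot: the prototype change here means every caller of `pkcs11_initialize()` must be updated to the three-argument form or the build fails; the patch shows only the call in `init.c`, so confirm with `grep -rn 'pkcs11_initialize(' src/` that no other caller exists. The `//XXX const int nPINCachePeriod` comment should not remain in a public header.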
And then I configured and built from source:
Code:
cd openvpn-2.5.3
./configure --enable-pkcs11 \
--enable-iproute2 \
--enable-x509-alt-username \
--enable-systemd
time make
And lastly, I replaced the binary in /usr/sbin:
Code:
sudo mv /usr/sbin/openvpn /usr/sbin/openvpn.old
sudo cp src/openvpn/openvpn /usr/sbin/openvpn
Thanks for pointing me in this direction. I would never have thought the callback function was broken.
//magnus
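With the patched build above, the token PIN is read from the --askpass file instead of being prompted for, so the file's ownership, mode and content become part of what protects the key. The shell helpers below are an added example (not code from the post above or from the OpenVPN project): they check that a PIN file is a regular file owned by the expected user, has no group/other permission bits, and holds a single non-empty line, and they check that a given openvpn binary reports PKCS#11 support in its --version banner, which confirms the binary copied into /usr/sbin is the --enable-pkcs11 build. The expectation that the PIN is the first line of the file, the default path /usr/sbin/openvpn, and the sample file with PIN value 123456 created by make_sample_pin_file are assumptions and constructed data for this example.

```shell
#!/bin/sh
# Added example, not part of the forum post or of OpenVPN itself.
# Sanity checks before starting a patched openvpn unattended with a PIN file.

# pin_file_ok FILE [OWNER]
# Succeeds (exit 0) when FILE is a regular file owned by OWNER (default root),
# has mode 0600 or 0400, and contains exactly one non-empty line with no
# trailing carriage return. Assumption: the PIN prompt hook reads the PIN
# from the first line of the file, so a second line would be silently ignored.
pin_file_ok() {
    f=$1
    want_owner=${2:-root}
    if [ ! -f "$f" ]; then
        echo "pin file: $f is not a regular file" >&2
        return 1
    fi
    owner=$(stat -c '%U' "$f")
    mode=$(stat -c '%a' "$f")
    if [ "$owner" != "$want_owner" ]; then
        echo "pin file: owner is $owner, want $want_owner" >&2
        return 1
    fi
    case "$mode" in
        600|400) ;;
        *)
            echo "pin file: mode $mode is too permissive, want 0600" >&2
            return 1 ;;
    esac
    first=$(head -n 1 "$f")
    if [ -z "$first" ]; then
        echo "pin file: first line is empty" >&2
        return 1
    fi
    cr=$(printf '\r')
    case "$first" in
        *"$cr"*)
            echo "pin file: first line ends in a carriage return (CRLF file?)" >&2
            return 1 ;;
    esac
    extra=$(tail -n +2 "$f" | wc -c | tr -d ' ')
    if [ "$extra" -ne 0 ]; then
        echo "pin file: more than one line; only the first would be used" >&2
        return 1
    fi
    return 0
}

# openvpn_has_pkcs11 [BINARY]
# Succeeds when BINARY (default /usr/sbin/openvpn, an assumed path) prints
# PKCS11 in its --version output, i.e. it was configured with --enable-pkcs11.
openvpn_has_pkcs11() {
    bin=${1:-/usr/sbin/openvpn}
    "$bin" --version 2>/dev/null | grep -q 'PKCS11'
}

# make_sample_pin_file
# Creates a constructed PIN file (PIN 123456, an example value only) in a
# private temp directory with mode 0600 and prints its path.
make_sample_pin_file() {
    d=$(mktemp -d)
    ( umask 077; printf '123456\n' > "$d/pin.txt" )
    chmod 600 "$d/pin.txt"
    echo "$d/pin.txt"
}

# Example run: the constructed file passes as the current user, the same
# file is rejected after chmod 644, and the binary check is reported.
sample=$(make_sample_pin_file)
pin_file_ok "$sample" "$(id -un)" && echo "sample pin file OK"
chmod 644 "$sample"
pin_file_ok "$sample" "$(id -un)" || echo "sample rejected after chmod 644 (expected)"
rm -rf "$(dirname "$sample")"
openvpn_has_pkcs11 || echo "no PKCS11-enabled openvpn found at /usr/sbin/openvpn"
```

Run pin_file_ok against the real file as root before wiring the udev rule, since openvpn will run as root there and the owner check defaults to root; the second argument exists only so the check can be exercised as an unprivileged user.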