OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
lvd
OpenVpn Newbie
Posts: 5
Joined: Wed May 20, 2020 2:00 pm

OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file

Post by lvd » Wed May 20, 2020 2:08 pm

I'm using OpenVPN 2.4.7 from the Ubuntu 20.04 distribution.
My config file is the following:

Code:

client
dev tun
proto udp
remote some.domain.name.here 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
remote-cert-tls server
tls-auth /etc/openvpn/ta.key 1
cipher AES-128-CBC
comp-lzo
verb 3
auth-user-pass /etc/openvpn/auth.txt
askpass /etc/openvpn/pkcs_pass.txt

pkcs11-providers /usr/lib/libeTPkcs11.so
pkcs11-id 'SafeNet\x2C\x20Inc\x2E/eToken/********/********/********'

(note pkcs11-providers dynamic library).

When I start the client like this: `sudo openvpn --config /etc/openvpn/ovpn.conf`, it runs like this:

Code:

....
Wed May 20 13:05:54 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed May 20 13:05:54 2020 VERIFY EKU OK
Wed May 20 13:05:54 2020 VERIFY OK: depth=0, C=***, ST=***, L=***, O=***, CN=***, emailAddress=***
Enter ******** token Password: ***************************
Wed May 20 13:05:59 2020 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed May 20 13:05:59 2020 [********] Peer Connection Initiated with [AF_INET]******************
....

And specifically, it is still requesting the cert/token password. When the password is entered, it proceeds normally further.

My question is, how to supply a password in a separate file in this case? `askpass` with the correct password in the file is not helping; it seems to be ignored.
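As an added example (not code from this thread or from the OpenVPN project), here is a small Python lint that parses a client config like the one above, finds the options that name a secret file (askpass, auth-user-pass), checks that those files exist and are root-owned with no group/other permission bits, and flags the askpass-plus-pkcs11-providers combination this thread is about. The parser only approximates OpenVPN's own (leading # or ; comment lines, quoted arguments); the sample config is constructed from the one above with a placeholder remote and placeholder pkcs11-id fields, and demo() writes dummy secret files into a temporary directory, a 0600 PIN file and a deliberately too-open 0644 auth.txt, so it runs offline.

```python
"""Lint an OpenVPN client config for secret-file options (added example)."""
import os
import shlex
import stat
import tempfile

# Options whose argument is a file holding a secret that OpenVPN reads
# instead of prompting on the console.
CRED_FILE_OPTIONS = ("askpass", "auth-user-pass")

# Constructed sample modelled on the config posted above; remote and the
# pkcs11-id serial/label/id fields are placeholders.
SAMPLE_CONFIG = r"""
client
dev tun
proto udp
remote vpn.example.invalid 1194
# comment line
; the other comment marker OpenVPN accepts
ca /etc/openvpn/ca.crt
remote-cert-tls server
auth-user-pass /etc/openvpn/auth.txt
askpass /etc/openvpn/pkcs_pass.txt
pkcs11-providers /usr/lib/libeTPkcs11.so
pkcs11-id 'SafeNet\x2C\x20Inc\x2E/eToken/SERIAL/LABEL/ID'
"""


def parse_config(text):
    """Return [(option, [args...]), ...] in file order.

    Approximates OpenVPN's line parser: one option per line, lines starting
    with '#' or ';' are comments, arguments are whitespace-separated and may
    be quoted with '...' or "..." so the pkcs11-id value stays one argument
    (backslashes inside single quotes are kept literally).
    """
    options = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, posix=True)
        options.append((parts[0], parts[1:]))
    return options


def find_credential_files(options):
    """Map each secret-file option to the file it names; None when the
    option was given without a file, in which case OpenVPN prompts."""
    found = {}
    for name, args in options:
        if name in CRED_FILE_OPTIONS:
            found[name] = args[0] if args else None
    return found


def check_file_permissions(path, expected_uid=0):
    """Findings for one secret file (empty list means it looks fine): it must
    exist, be a regular file, be owned by expected_uid and have no group or
    other permission bits. OpenVPN only warns about group/world-accessible
    files; this treats it as a hard finding."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path}: not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: readable by group or others "
                        f"(mode {stat.S_IMODE(st.st_mode):04o})")
    if st.st_uid != expected_uid:
        findings.append(f"{path}: not owned by uid {expected_uid} (uid {st.st_uid})")
    return findings


def lint(text, expected_uid=0):
    """Run all checks over a config text and return the report lines."""
    options = parse_config(text)
    names = {name for name, _ in options}
    creds = find_credential_files(options)
    report = []
    for opt, path in creds.items():
        if path is None:
            report.append(f"{opt}: no file given, OpenVPN will prompt on the console")
        else:
            report.extend(check_file_permissions(path, expected_uid))
    # The situation in this thread: askpass is read for the key passphrase,
    # but the PKCS#11 token PIN is still prompted for interactively in the
    # versions discussed here (2.4.7, 2.5.3).
    if "pkcs11-providers" in names and "askpass" in creds:
        report.append("askpass with pkcs11-providers: the token PIN prompt does not "
                      "read the askpass file in the versions discussed; expect an "
                      "interactive PIN prompt")
    return report


def demo():
    """Write dummy secret files (0600 PIN file, deliberately too-open 0644
    auth.txt) into a scratch directory, point the sample config at them and
    lint it. Contents are placeholders, not real credentials."""
    workdir = tempfile.mkdtemp()
    pin_file = os.path.join(workdir, "pkcs_pass.txt")
    auth_file = os.path.join(workdir, "auth.txt")
    with open(pin_file, "w") as f:
        f.write("0000\n")            # placeholder PIN
    os.chmod(pin_file, 0o600)
    with open(auth_file, "w") as f:
        f.write("user\npassword\n")  # placeholder credentials
    os.chmod(auth_file, 0o644)
    cfg = (SAMPLE_CONFIG.replace("/etc/openvpn/pkcs_pass.txt", pin_file)
                        .replace("/etc/openvpn/auth.txt", auth_file))
    return lint(cfg, expected_uid=os.getuid())


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it directly to see the report for the scratch config; for a real check, pass the text of /etc/openvpn/ovpn.conf to lint() with the default expected_uid=0, since the client is started with sudo.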

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file

Post by TinCanTech » Wed May 20, 2020 2:21 pm

What happens if you try like so:

Code:

# askpass /etc/openvpn/pkcs_pass.txt
?

lvd
OpenVpn Newbie
Posts: 5
Joined: Wed May 20, 2020 2:00 pm

Re: OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file

Post by lvd » Wed May 20, 2020 2:37 pm

Commenting out askpass changes nothing -- exactly the same password request.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file

Post by TinCanTech » Wed May 20, 2020 2:48 pm

My guess would be that:

--askpass file does not supply a token password to your --pkcs11-providers library

Perhaps the library has some documentation ..

lvd
OpenVpn Newbie
Posts: 5
Joined: Wed May 20, 2020 2:00 pm

Re: OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file

Post by lvd » Wed May 20, 2020 2:53 pm

Actually, my guess is the same. :)
But I can't yet find docs on using safenet tokens this way.

Are there any hacks like supplying password through stdin like "openvpn ... <password.file" ?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file

Post by TinCanTech » Wed May 20, 2020 3:02 pm

lvd wrote:
Wed May 20, 2020 2:53 pm
Are there any hacks like supplying password through stdin like "openvpn ... <password.file" ?
None that I am aware of, that is why there is --askpass and --auth-user-pass file options.

lvd
OpenVpn Newbie
Posts: 5
Joined: Wed May 20, 2020 2:00 pm

Re: OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file

Post by lvd » Wed May 20, 2020 7:09 pm

I've done some research with strace and now I see that the password request is done by openvpn itself, using the systemd-ask-password executable. So it is probably not a problem of the underlying dynamic library.
Last edited by lvd on Wed May 20, 2020 7:28 pm, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file

Post by TinCanTech » Wed May 20, 2020 7:24 pm

Sounds like some kind of incompatibility between your SafeNet device (guessing) and openvpn.

I'm not sure of what to expect if a third party device is in use ..

lvd
OpenVpn Newbie
Posts: 5
Joined: Wed May 20, 2020 2:00 pm

Re: OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file

Post by lvd » Sun Jun 07, 2020 4:42 pm

Well, I've done some research...

The password (or PIN code) is requested by the openvpn callback function _pkcs11_openvpn_pin_prompt(). It calls get_user_pass() for that PIN code, always passing NULL as the 'auth_pass' argument. When 'auth_pass' is supplied with a correct filename, get_user_pass() reads the password from there instead of asking the user to enter it.
Therefore, asking for the "pin" will always ask the user to enter the password from the keyboard.

I've also made a quick hack to re-use the "askpass" argument to supply it as the "pin", using global_data as the filename:

Code:

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 70cd493a..c90c449d 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -654,7 +654,7 @@ context_init_1(struct context *c)
     if (c->first_time)
     {
         int i;
-        pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
+        pkcs11_initialize(true, c->options.pkcs11_pin_cache_period,c->options.key_pass_file);
         for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
         {
             pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
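Review bot: the new argument is passed with no space after the comma (`pkcs11_initialize(true, c->options.pkcs11_pin_cache_period,c->options.key_pass_file);`), which does not match the surrounding style. More substantively, this hunk makes the `--askpass` file (`key_pass_file`) double as the PKCS#11 PIN source, so the token PIN and the key passphrase can no longer be kept in separate files; a dedicated option, or at least a comment here saying the file is reused for the PIN, would make the overloading explicit.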
diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c
index d40ca458..1b616a50 100644
--- a/src/openvpn/pkcs11.c
+++ b/src/openvpn/pkcs11.c
@@ -34,6 +34,7 @@
 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
 #include "basic.h"
 #include "error.h"
+#include "options.h"
 #include "manage.h"
 #include "base64.h"
 #include "pkcs11.h"
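Review bot: `#include "options.h"` looks unused: none of the pkcs11.c changes below reference anything from options.h, since the file name arrives as a plain `const char *` through `pkcs11_initialize()` and then `global_data`. Drop the include unless something else in the file needs it.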
@@ -241,7 +242,7 @@ _pkcs11_openvpn_pin_prompt(
     struct user_pass token_pass;
     char prompt[1024];
 
-    (void)global_data;
+//    (void)global_data;
     (void)user_data;
     (void)retry;
 
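Review bot: `//    (void)global_data;` leaves dead code behind. Now that `global_data` is actually used, delete the `(void)` line instead of commenting it out.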
@@ -255,7 +256,7 @@ _pkcs11_openvpn_pin_prompt(
     if (
         !get_user_pass(
             &token_pass,
-            NULL,
+            (const char *)global_data,
             prompt,
             GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY|GET_USER_PASS_NOFATAL
             )
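Review bot: passing `(const char *)global_data` as the password file preserves the old behaviour when no `--askpass` is given (NULL still means prompt), but the cast hides that `global_data` is an untyped `void *` set in `pkcs11_initialize()`; a one-line comment at the call site saying it carries `key_pass_file` would help the next reader. Worth noting in the same comment that, once the PIN is read from disk, the file's ownership and mode are its only protection, so it needs the same root-only 0600 handling as any key file.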
@@ -282,7 +283,8 @@ _pkcs11_openvpn_pin_prompt(
 bool
 pkcs11_initialize(
     const bool protected_auth,
-    const int nPINCachePeriod
+    const int nPINCachePeriod,
+    const char * key_pass_file
     )
 {
     CK_RV rv = CKR_FUNCTION_FAILED;
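Review bot: the parameter is written `const char * key_pass_file` (spaces on both sides of the `*`), which differs from the `struct context *c` style visible in the init.c hunk; use `const char *key_pass_file` here and in the matching pkcs11.h prototype.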
@@ -324,7 +326,7 @@ pkcs11_initialize(
         goto cleanup;
     }
 
-    if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_pin_prompt, NULL)) != CKR_OK)
+    if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_pin_prompt, (void *)key_pass_file)) != CKR_OK)
     {
         msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage(rv));
         goto cleanup;
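Review bot: `(void *)key_pass_file` casts away `const`, which compilers flag under `-Wcast-qual`. It is harmless as long as the hook only ever reads the pointer back as `const char *` in `_pkcs11_openvpn_pin_prompt()`, but that contract (never modified, never freed by the callback) deserves a comment next to the cast.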
diff --git a/src/openvpn/pkcs11.h b/src/openvpn/pkcs11.h
index 66c6a7e1..8ffcaacf 100644
--- a/src/openvpn/pkcs11.h
+++ b/src/openvpn/pkcs11.h
@@ -31,7 +31,8 @@
 bool
 pkcs11_initialize(
     const bool fProtectedAuthentication,
-    const int nPINCachePeriod
+    const int nPINCachePeriod,
+    const char * key_pass_file
     );
 
 void
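Review bot: the prototype now matches the definition in pkcs11.c, but the patch only updates the init.c caller; confirm `pkcs11_initialize()` has no other call sites, since any would now fail to compile. The parameter-name mismatch between the header (`fProtectedAuthentication`) and the definition (`protected_auth`) predates this patch but is worth aligning while the signature is being touched.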

maglub
OpenVpn Newbie
Posts: 2
Joined: Wed Jun 14, 2017 7:36 am

Re: OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file

Post by maglub » Sun Oct 03, 2021 12:06 pm

I am also curious how to get the --askpass to work out of the box. I have tested:

* Version 2.4.7
* Version 2.5.3

But neither of them works. I am curious how to write a proper bug ticket for this, as the --askpass for pkcs11 would be very useful in my scenario (I want openvpn to start unattended on a Raspberry Pi from a udev rule, which works with a patched binary, as described above/below).

I tried the patch mentioned by "lvd" on a Raspberry Pi, Raspbian 10 (buster), on openvpn 2.5.3. Their patch works as described.

Code:

sudo apt -y install libssl-dev liblzo2-dev libpam0g-dev build-essential
sudo apt -y install libsystemd-dev libpkcs11-helper1-dev

wget https://swupdate.openvpn.org/community/releases/openvpn-2.5.3.tar.gz

I have the following changes in the source tree (more or less the same as above; just a few line numbers are different):

Code:

cd openvpn-2.5.3
diff -r ./src/openvpn/init.c ../../openvpn-2.5.3/src/openvpn/init.c
707c707,708
<         pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
---
> //XXX        pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
>         pkcs11_initialize(true, c->options.pkcs11_pin_cache_period,c->options.key_pass_file);
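Review bot: the replaced call is kept as a `//XXX` comment beside the new one; for a patch attached to a bug ticket, delete replaced lines instead of commenting them out, since the diff itself already records what was there.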

diff -r ./src/openvpn/pkcs11.c ../../openvpn-2.5.3/src/openvpn/pkcs11.c
36a37
> #include "options.h"
244c245
<     (void)global_data;
---
> //XXX    (void)global_data;
258c259,260
<             NULL,
---
> //XXX            NULL,
>             (const char *)global_data,
285c287,289
<     const int nPINCachePeriod
---
> //XXX    const int nPINCachePeriod
>     const int nPINCachePeriod,
>     const char * key_pass_file
327c331,332
<     if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_pin_prompt, NULL)) != CKR_OK)
---
> //XXX    if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_pin_prompt, NULL)) != CKR_OK)
>     if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_pin_prompt, (void *)key_pass_file)) != CKR_OK)
diff -r ./src/openvpn/pkcs11.h ../../openvpn-2.5.3/src/openvpn/pkcs11.h
34c34,36
<     const int nPINCachePeriod
---
> //XXX    const int nPINCachePeriod
>     const int nPINCachePeriod,
>     const char * key_pass_file

$ diff -r src/openvpn/pkcs11.h ../../openvpn-2.5.3/src/openvpn/pkcs11.h
34c34,36
<     const int nPINCachePeriod
---
> //XXX    const int nPINCachePeriod
>     const int nPINCachePeriod,
>     const char * key_pass_file
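Review bot: this `pkcs11.h` hunk (`34c34,36`) is a second, identical copy of the one listed just above from the whole-tree `diff -r`; drop one of them from the write-up.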

And then I configured, compiled and built from source:

Code:

cd openvpn-2.5.3
./configure --enable-pkcs11 \
--enable-iproute2 \
--enable-x509-alt-username \
--enable-systemd

time make

And lastly, I replaced the binary in /usr/sbin:

Code:

sudo mv /usr/sbin/openvpn /usr/sbin/openvpn.old
sudo cp src/openvpn/openvpn /usr/sbin/openvpn

Thanks for pointing me in this direction. I would never have thought the callback function would be broken.

//magnus
