[stunnel-users] patch for using stunnel as client with pkcs11-engine and opensc smartcard

Michal Trojnara Michal.Trojnara at mirt.net
Sun Jan 29 20:53:01 CET 2012


Hi Märt,

Thank you very much.

Isn't it better to fix the broken engine library that uses user callback data, 
instead of applying a crude workaround to stunnel?
This library is clearly abusing the OpenSSL API.

Mike

On Sunday, 29 of January 2012, Märt Laak wrote:
> Dear stunnel users,
> 
> As there is no development/patches related to this issue, I made a Wiki page
> describing the problem and offering a temporary solution/patches:
> http://martlaak.wikispaces.com/Stunnel+and+engine_pkcs11
> PS! You can also download patched windows build from that page.
> 
> With best regards,
> Märt Laak
> 
> On Sun, Oct 3, 2010 at 10:49 AM, Märt Laak <martlaak at gmail.com> wrote:
> > Dear stunnel managers,
> > 
> > I would like to inform you that there exists some incompatibility between
> > stunnel and the openssl pkcs11-engine with an external PIN entry device (like
> > an RSA smartcard using opensc) in Linux.
> > 
> > We use this config in stunnel.conf to load the openssl engine:
> > ---
> > engine=dynamic
> > engineCtrl=SO_PATH:/usr/lib/engines/engine_pkcs11.so
> > engineCtrl=ID:pkcs11
> > engineCtrl=LIST_ADD:1
> > engineCtrl=LOAD
> > engineCtrl=MODULE_PATH:/usr/lib/opensc-pkcs11.so
> > engineCtrl=INIT
> > ---
> > 
> > The problem is, with this setup stunnel does not allow the user to enter the PIN for
> > the secret key.
> > Instead it tries to get the secret key without a PIN, 3 times (and therefore
> > usually blocks the card PIN) and retires:
> > ----
> > Initializing engine 1
> > Engine 1 initialized
> > PRNG seeded successfully
> > Certificate: mart.pem
> > Certificate loaded
> > Key file: id_01
> > error queue: 26096080 : error:26096080:engine
> > routines:ENGINE_load_private_key:failed loading private key
> > error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN
> > incorrect
> > Wrong PIN: retrying
> > error queue: 26096080 : error:26096080:engine
> > routines:ENGINE_load_private_key:failed loading private key
> > error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN
> > incorrect
> > Wrong PIN: retrying
> > error queue: 26096080 : error:26096080:engine
> > routines:ENGINE_load_private_key:failed loading private key
> > ENGINE_load_private_key: 800050A0: error:800050A0:PKCS11
> > library:PKCS11_login:PIN incorrect
> > ----
> > 
> > I discovered a workaround that is valid from version 4.26 till the current
> > 4.34, as follows, NULL-ing the ui_data.method property in ctx.c:
> > ---
> > diff -cr stunnel-4.34/src/ctx.c stunnel-4.34-patched/src/ctx.c
> > *** stunnel-4.34/src/ctx.c    2010-09-14 18:08:43.000000000 +0300
> > --- stunnel-4.34-patched/src/ctx.c    2010-09-28 21:56:36.219081931 +0300
> > ***************
> > *** 304,309 ****
> > --- 304,310 ----
> > 
> >      UI_method_set_reader(ui_**method, pin_cb);
> >  
> >  #else /* USE_WIN32 */
> >  
> >      ui_method=UI_OpenSSL();
> > 
> > +     ui_data.section = NULL;
> > 
> >  #endif /* USE_WIN32 */
> >  
> >      if(section->engine)
> >      
> >          for(i=1; i<=3; i++) {
> > 
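Review bot: the one added line, `ui_data.section = NULL;`, does not match the description above the hunk, which says the workaround NULLs `ui_data.method`; either the text or the patch should be corrected so they agree. The assignment also carries no comment explaining why the section pointer is cleared (that the engine otherwise receives it as callback data and misreads it, as Mike's reply points out), so a later reader of ctx.c would not recognise it as a deliberate workaround; a one-line comment such as `/* workaround: engine misuses callback_data */` would help. Note that the line is added only in the `#else /* USE_WIN32 */` branch after `ui_method=UI_OpenSSL();`, which matches the Linux scope described, but the later mail also offers a patched Windows build, and this hunk does not touch the branch above.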
> > ---
> > 
> > After that patch the private key loads correctly:
> > ---
> > Initializing engine 1
> > Engine 1 initialized
> > PRNG seeded successfully
> > Certificate: mart.pem
> > Certificate loaded
> > Key file: id_01
> > private key loaded
> > ---
> > 
> > It would be nice if:
> > * somebody investigates more precisely why the OpenSSL PIN entry is not
> > showing with unpatched stunnel
> > * my or a better patch is included for this situation
> > 
> > Thank you very much for an excellent piece of software!
> > 
> > With best regards,
> > Märt Laak
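To make the failure Mike's reply points at concrete, here is an added, self-contained model (not stunnel's or engine_pkcs11's code): an engine that casts the opaque `callback_data` it receives to its own password struct reads the caller's first struct member as a PIN, which is why NULL-ing that member in stunnel's `ui_data` makes the prompt appear, while an engine that only forwards the pointer to the caller's UI reader prompts regardless. The struct shapes, function names and the "1234" PIN are constructed assumptions inferred from the thread.

```c
#include <stdio.h>
#include <string.h>

/* Constructed caller struct passed as opaque callback_data; like stunnel's ui_data,
   its first member is a pointer to a config section, not a PIN. */
typedef struct { const void *section; int fd; } client_ui_data;
/* Constructed struct a misbehaving engine assumes callback_data points to
   (the password/prompt shape used by OpenSSL's own command-line apps). */
typedef struct { const void *password; const char *prompt_info; } pw_cb_data;
/* The caller's UI reader; an engine must only forward callback_data to it. */
typedef int (*ui_reader)(void *ui_data, char *pin, size_t cap);
typedef int (*pin_getter)(void *cb, ui_reader reader, char *pin, size_t cap, int *prompted);

/* Misbehaving engine: type confusion on the opaque pointer. If the first word of the
   caller's struct is non-NULL, whatever it points at is copied as the PIN, no prompt. */
int broken_get_pin(void *cb, ui_reader reader, char *pin, size_t cap, int *prompted)
{
    const pw_cb_data *mycb = cb;
    if (mycb != NULL && mycb->password != NULL) {
        snprintf(pin, cap, "%s", (const char *)mycb->password);
        *prompted = 0;
        return 1;
    }
    *prompted = 1;
    return reader(cb, pin, cap);
}

/* Correct engine: callback_data stays opaque; the PIN always comes through the reader. */
int correct_get_pin(void *cb, ui_reader reader, char *pin, size_t cap, int *prompted)
{ *prompted = 1; return reader(cb, pin, cap); }

/* Constructed stand-in for the interactive UI_OpenSSL() prompt; "1234" is what the user typed. */
int demo_reader(void *ui_data, char *pin, size_t cap)
{ (void)ui_data; return snprintf(pin, cap, "1234") > 0; }

/* Run one engine against a caller whose first member is, or is not, NULL. Returns 2 if the
   section pointer was misread as the PIN (no prompt), 1 if it prompted and got "1234", else 0. */
int scenario(pin_getter get_pin, int null_first_member)
{
    static const char section_name[] = "[https]"; /* constructed section stand-in */
    client_ui_data d = { null_first_member ? NULL : section_name, 0 };
    char pin[32] = "";
    int prompted = 0;
    get_pin(&d, demo_reader, pin, sizeof pin, &prompted);
    if (!prompted && strcmp(pin, section_name) == 0) return 2;
    return (prompted && strcmp(pin, "1234") == 0) ? 1 : 0;
}
```

With the real card the misread pointer is sent as a wrong PIN on every attempt, which is the three "PIN incorrect" failures in the log above; the model only shows which code path is taken.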
