From: Denis Osterland-Heim
Date: Mon, 8 Mar 2021 14:35:31 +0000
Subject: Re: [ptxdist] yubi HSM pkcs11 plugin for signing provider
To: ptxdist@pengutronix.de
Message-ID: <41269dbe347d965f3330dd690949c045bf7458f6.camel@diehl.com>
In-Reply-To: <20210308123418.10187-1-denis.osterland@diehl.com>

On Monday, 08.03.2021 at 13:34 +0100, Denis Osterland-Heim wrote:
> Original mboxes are attached to mail in response.
>
> Denis Osterland-Heim (5):
>       host-gengetopt: move to _noprompt section
>       host-libedit: new package
>       host-libcurl: enable http(s) support
>       libp11: version bump 0.4.10 -> 0.4.11
>       host-yubihsm-shell: new package
>
>  ...add-client-cert-support-for-pkcs11-module.patch | 88 ++++++++++++++++++
>  .../0002-add-bash-like-variable-extension.patch    | 67 ++++++++++++++++
>  .../0003-add-noproxy-option.patch                  | 76 +++++++++++++++++++
>  patches/yubihsm-shell-2.1.0/series                 |  6 ++
>  rules/host-gengetopt.in                            |  4 +-
>  rules/host-libcurl.make                            |  4 +-
>  rules/host-libedit.in                              |  5 ++
>  rules/host-libedit.make                            | 11 +++
>  rules/host-yubihsm-shell.in                        | 13 ++++
>  rules/host-yubihsm-shell.make                      | 37 +++++++++
>  rules/libp11.make                                  |  4 +-
>  11 files changed, 309 insertions(+), 6 deletions(-)
>
> base-commit: 1431ed52c ("libwacom: new package")
>
Diehl Connectivity Solutions GmbH

From: Denis Osterland-Heim
To: ptxdist@pengutronix.de
Subject: [PATCH 1/5] host-gengetopt: move to _noprompt section
Date: Mon, 8 Mar 2021 13:34:14 +0100
Message-ID: <20210308123418.10187-2-denis.osterland@diehl.com>

This allows selecting this from platforms as well.

Signed-off-by: Denis Osterland-Heim
---
 rules/host-gengetopt.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/host-gengetopt.in b/rules/host-gengetopt.in
index f6855ab5f..d42ccf477 100644
--- a/rules/host-gengetopt.in
+++ b/rules/host-gengetopt.in
@@ -1,8 +1,8 @@ -## SECTION=hosttools +## SECTION=hosttools_noprompt config HOST_GENGETOPT tristate - prompt "gengetopt" + default ALLYES help Gengetopt is a tool to write command line option parsing code for C programs. -- 2.30.1 --_006_41269dbe347d965f3330dd690949c045bf7458f6cameldiehlcom_ Content-Type: message/rfc822 Content-Disposition: attachment; creation-date="Mon, 08 Mar 2021 14:35:31 GMT"; modification-date="Mon, 08 Mar 2021 14:35:31 GMT" Content-ID: Return-Path: X-Original-To: ptxdist@pengutronix.de Delivered-To: osterlad@cwpc1435.diehlako.local Received: by cwpc1435.diehlako.local (Postfix, from userid 1001) id 6C38E3E432B; Mon, 8 Mar 2021 13:34:19 +0100 (CET) From: Denis Osterland-Heim To: Subject: [PATCH 2/5] host-libedit: new package Date: Mon, 8 Mar 2021 13:34:15 +0100 Message-ID: <20210308123418.10187-3-denis.osterland@diehl.com> X-Mailer: git-send-email 2.30.1 In-Reply-To: <20210308123418.10187-1-denis.osterland@diehl.com> References: <20210308123418.10187-1-denis.osterland@diehl.com> Content-Transfer-Encoding: 7bit Content-Type: text/plain MIME-Version: 1.0 Signed-off-by: Denis Osterland-Heim --- rules/host-libedit.in | 5 +++++ rules/host-libedit.make | 11 +++++++++++ 2 files changed, 16 insertions(+) create mode 100644 rules/host-libedit.in create mode 100644 rules/host-libedit.make diff --git a/rules/host-libedit.in b/rules/host-libedit.in new file mode 100644 index 000000000..49e7c4548 --- /dev/null +++ b/rules/host-libedit.in @@ -0,0 +1,5 @@ +## SECTION=hosttools_noprompt + +config HOST_LIBEDIT + tristate + default ALLYES diff --git a/rules/host-libedit.make b/rules/host-libedit.make new file mode 100644 index 000000000..ae8bff95f --- /dev/null +++ b/rules/host-libedit.make 
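Review bot: in rules/host-gengetopt.in (PATCH 1/5), replacing `prompt "gengetopt"` with `default ALLYES` changes how the package is enabled, and the commit message should say so: a ptxconfig that set PTXCONF_HOST_GENGETOPT=y from menuconfig no longer builds it, since a prompt-less symbol only takes its value from `default` and from `select HOST_GENGETOPT` in another rule, which is what platform maintainers now have to add. The `help` block is kept although it is never shown for a symbol without a prompt; harmless, but it could be dropped in the same hunk.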
@@ -0,0 +1,11 @@ +# -*-makefile-*- +# +# Copyright (C) 2021 by Denis Osterland-Heim +# +# For further information about the PTXdist project and license conditions +# see the README file. +# + +HOST_PACKAGES-$(PTXCONF_HOST_LIBEDIT) += host-libedit + +# vim: syntax=make -- 2.30.1 --_006_41269dbe347d965f3330dd690949c045bf7458f6cameldiehlcom_ Content-Type: message/rfc822 Content-Disposition: attachment; creation-date="Mon, 08 Mar 2021 14:35:31 GMT"; modification-date="Mon, 08 Mar 2021 14:35:31 GMT" Content-ID: Return-Path: X-Original-To: ptxdist@pengutronix.de Delivered-To: osterlad@cwpc1435.diehlako.local Received: by cwpc1435.diehlako.local (Postfix, from userid 1001) id 73FE83E593A; Mon, 8 Mar 2021 13:34:19 +0100 (CET) From: Denis Osterland-Heim To: Subject: [PATCH 5/5] host-yubihsm-shell: new package Date: Mon, 8 Mar 2021 13:34:18 +0100 Message-ID: <20210308123418.10187-6-denis.osterland@diehl.com> X-Mailer: git-send-email 2.30.1 In-Reply-To: <20210308123418.10187-1-denis.osterland@diehl.com> References: <20210308123418.10187-1-denis.osterland@diehl.com> Content-Transfer-Encoding: 7bit Content-Type: text/plain MIME-Version: 1.0 This package provides the pkcs11 plugin for yubi HSMs, which allows to create a signing provider for it. Patches are sent upstream: https://github.com/Yubico/yubihsm-shell/pull/162 To use it together with a CA server: Since ab4af48ba ("ptxd_make_world_init: try to prevent downloads outside the get stage") `noproxy=*` in the yubihsm.conf is required to allow libcurl HTTP communication in compile stage. 
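Review bot: in rules/host-libedit.make (PATCH 2/5) the rule consists of the HOST_PACKAGES line only, with no VERSION, MD5, URL or configure options, so everything else has to come from the target libedit rule; the commit message is empty and should state that, and name what needs the host package (host-yubihsm-shell in 5/5), because nothing in this series otherwise references it. rules/host-libedit.in also carries no `select`: libedit normally links against a terminal-capability library, so check that the host build resolves it from sysroot-host rather than from the build machine, and add the matching HOST_ select if it does not.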
Signed-off-by: Denis Osterland-Heim --- ...lient-cert-support-for-pkcs11-module.patch | 88 +++++++++++++++++++ ...002-add-bash-like-variable-extension.patch | 67 ++++++++++++++ .../0003-add-noproxy-option.patch | 76 ++++++++++++++++ patches/yubihsm-shell-2.1.0/series | 6 ++ rules/host-yubihsm-shell.in | 13 +++ rules/host-yubihsm-shell.make | 37 ++++++++ 6 files changed, 287 insertions(+) create mode 100644 patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch create mode 100644 patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch create mode 100644 patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch create mode 100644 patches/yubihsm-shell-2.1.0/series create mode 100644 rules/host-yubihsm-shell.in create mode 100644 rules/host-yubihsm-shell.make diff --git a/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch new file mode 100644 index 000000000..dbce11c85 --- /dev/null +++ b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch 
@@ -0,0 +1,88 @@ +From: Denis Osterland-Heim +Date: Tue, 26 Jan 2021 14:19:52 +0100 +Subject: [PATCH] add client cert support for pkcs11 module + +Allows to authenticate with client certificates at HSM server. + +Signed-off-by: Denis Osterland-Heim +--- + lib/yubihsm.h | 6 ++++++ + lib/yubihsm_curl.c | 8 ++++++++ + pkcs11/cmdline.ggo | 2 ++ + pkcs11/yubihsm_pkcs11.c | 14 ++++++++++++++ + 4 files changed, 30 insertions(+) + +diff --git a/lib/yubihsm.h b/lib/yubihsm.h +index ef80d42b1865..da08f68038dd 100644 +--- a/lib/yubihsm.h ++++ b/lib/yubihsm.h +@@ -518,6 +518,12 @@ typedef enum { + /// Proxy server to use for connecting to the connector (const char *). Not + /// implemented on Windows + YH_CONNECTOR_PROXY_SERVER = 2, ++ /// File with client certificate to authenticate client with (const char *). ++ /// Not implemented on Windows ++ YH_CONNECTOR_HTTPS_CERT = 3, ++ /// File with client certificates key (const char *). ++ /// Not implemented on Windows ++ YH_CONNECTOR_HTTPS_KEY = 4, + } yh_connector_option; + + #pragma pack(push, 1) +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c +index 6360f3693268..2f46802e0fe1 100644 +--- a/lib/yubihsm_curl.c ++++ b/lib/yubihsm_curl.c +@@ -231,6 +231,14 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt, + option = CURLOPT_CAINFO; + optname = "CURLOPT_CAINFO"; + break; ++ case YH_CONNECTOR_HTTPS_CERT: ++ option = CURLOPT_SSLCERT; ++ optname = "CURLOPT_SSLCERT"; ++ break; ++ case YH_CONNECTOR_HTTPS_KEY: ++ option = CURLOPT_SSLKEY; ++ optname = "CURLOPT_SSLKEY"; ++ break; + case YH_CONNECTOR_PROXY_SERVER: + option = CURLOPT_PROXY; + optname = "CURLOPT_PROXY"; +diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo +index 9a357b73062d..9e87e2aa2861 100644 +--- a/pkcs11/cmdline.ggo ++++ b/pkcs11/cmdline.ggo +@@ -21,6 +21,8 @@ option "dinout" - "Enable pkcs11 function tracing" flag off + option "libdebug" - "Enable libyubihsm debugging" flag off + option "debug-file" - "Output file for debugging" 
string optional default="stderr" + option "cacert" - "Cacert to use for HTTPS validation" string optional ++option "cert" - "HTTPS client certificate to authenticate with" string optional ++option "key" - "HTTPS client certificate key" string optional + option "proxy" - "Proxy server to use for connector" string optional + option "timeout" - "Timeout to use for initial connection to connector" int optional default="5" + option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple +diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c +index f543c94ed373..25aec8e7c5fe 100644 +--- a/pkcs11/yubihsm_pkcs11.c ++++ b/pkcs11/yubihsm_pkcs11.c +@@ -275,6 +275,20 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) { + goto c_i_failure; + } + } ++ if (args_info.cert_given) { ++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_CERT, ++ args_info.cert_arg) != YHR_SUCCESS) { ++ DBG_ERR("Failed to set HTTPS cert option"); ++ goto c_i_failure; ++ } ++ } ++ if (args_info.key_given) { ++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_KEY, ++ args_info.key_arg) != YHR_SUCCESS) { ++ DBG_ERR("Failed to set HTTPS key option"); ++ goto c_i_failure; ++ } ++ } + if (args_info.proxy_given) { + if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_PROXY_SERVER, + args_info.proxy_arg) != YHR_SUCCESS) { diff --git a/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch new file mode 100644 index 000000000..e3d64659a --- /dev/null +++ b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch 
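Review bot: in the lib/yubihsm_curl.c hunk of 0001 (PATCH 5/5), CURLOPT_SSLKEY is wired up but there is no counterpart for CURLOPT_KEYPASSWD, so the client key has to sit unencrypted on the build host; either add a YH_CONNECTOR_HTTPS_KEY_PASSWORD case in the same switch (with a matching entry in cmdline.ggo and C_Initialize) or say in the option help that only an unencrypted key in libcurl's default PEM format is accepted and that the file must be readable by the build user only. The cmdline.ggo help string "HTTPS client certificate key" should also name the format: "private key for the HTTPS client certificate (PEM, unencrypted)".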
@@ -0,0 +1,67 @@ +From: Denis Osterland-Heim +Date: Tue, 2 Feb 2021 08:50:48 +0100 +Subject: [PATCH] add bash like variable extension + +Support for `~` and environment variables like `${HOME}`. + +Signed-off-by: Denis Osterland-Heim +--- + lib/yubihsm_curl.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c +index 2f46802e0fe1..52ca14ddf2d4 100644 +--- a/lib/yubihsm_curl.c ++++ b/lib/yubihsm_curl.c +@@ -16,6 +16,7 @@ + + #include + #include ++#include + + #include + +@@ -225,19 +226,24 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt, + const void *val) { + CURLoption option; + const char *optname; ++ wordexp_t expanded; ++ bool expand = false; + + switch (opt) { + case YH_CONNECTOR_HTTPS_CA: + option = CURLOPT_CAINFO; + optname = "CURLOPT_CAINFO"; ++ expand = true; + break; + case YH_CONNECTOR_HTTPS_CERT: + option = CURLOPT_SSLCERT; + optname = "CURLOPT_SSLCERT"; ++ expand = true; + break; + case YH_CONNECTOR_HTTPS_KEY: + option = CURLOPT_SSLKEY; + optname = "CURLOPT_SSLKEY"; ++ expand = true; + break; + case YH_CONNECTOR_PROXY_SERVER: + option = CURLOPT_PROXY; +@@ -247,7 +253,17 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt, + DBG_ERR("%d is an unknown option", opt); + return YHR_INVALID_PARAMETERS; + } +- CURLcode rc = curl_easy_setopt(connection, option, (char *) val); ++ if (expand) ++ { ++ if (wordexp((const char *)val, &expanded, 0)) ++ { ++ DBG_ERR("Failed to expand %s\n", optname); ++ return YHR_CONNECTOR_ERROR; ++ } ++ } ++ CURLcode rc = curl_easy_setopt(connection, option, expand ? expanded.we_wordv[0] : (char *) val); ++ if (expand) ++ wordfree(&expanded); + if (rc == CURLE_OK) { + DBG_INFO("Successfully set %s.", optname); + return YHR_SUCCESS; 
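Review bot: in the lib/yubihsm_curl.c hunk of 0002, `wordexp((const char *)val, &expanded, 0)` is called with flags 0, which gives the value full shell semantics including command substitution: a `cacert=$(...)` or backtick line in the PKCS#11 config, or inside an environment variable the value references, runs a command in every process that loads the module (openssl, the barebox build). Pass at least WRDE_NOCMD, and check `expanded.we_wordc == 1` before using `we_wordv[0]`: an unset variable expands to zero words, so `we_wordv[0]` is NULL and curl_easy_setopt() silently resets the option instead of failing, and a path containing a space splits into several words of which only the first is used. The error path returns without calling wordfree(), which is still required after WRDE_NOSPACE to release the partial result. Expanding only `~` and `$VAR`/`${VAR}` by hand would avoid wordexp(3) altogether, and wordexp is in any case unavailable on Windows, which the option comments in 0001 already exclude.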
diff --git a/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch new file mode 100644 index 000000000..788b9cacf --- /dev/null +++ b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch 
@@ -0,0 +1,76 @@ +From: Denis Osterland-Heim +Date: Tue, 2 Feb 2021 08:32:54 +0100 +Subject: [PATCH] add noproxy option + +work-around for https://git.pengutronix.de/cgit/ptxdist/commit/?id=ab4af48ba403167f42c417f8ecfef1d0a870c0c3 + +Use `noproxy=*` in your config file to use the plugin outside of +get stage, e.g. in barebox compile stage. + +Signed-off-by: Denis Osterland-Heim +--- + lib/yubihsm.h | 3 +++ + lib/yubihsm_curl.c | 4 ++++ + pkcs11/cmdline.ggo | 1 + + pkcs11/yubihsm_pkcs11.c | 7 +++++++ + 4 files changed, 15 insertions(+) + +diff --git a/lib/yubihsm.h b/lib/yubihsm.h +index da08f68038dd..5f90eca0d8e8 100644 +--- a/lib/yubihsm.h ++++ b/lib/yubihsm.h +@@ -524,6 +524,9 @@ typedef enum { + /// File with client certificates key (const char *). + /// Not implemented on Windows + YH_CONNECTOR_HTTPS_KEY = 4, ++ /// Comma separated list of hosts ignoring proxy, `*` to disable proxy. ++ /// Not implemented on Windows ++ YH_CONNECTOR_NOPROXY = 5, + } yh_connector_option; + + #pragma pack(push, 1) +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c +index 52ca14ddf2d4..f7f7cd8f54da 100644 +--- a/lib/yubihsm_curl.c ++++ b/lib/yubihsm_curl.c +@@ -249,6 +249,10 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt, + option = CURLOPT_PROXY; + optname = "CURLOPT_PROXY"; + break; ++ case YH_CONNECTOR_NOPROXY: ++ option = CURLOPT_NOPROXY; ++ optname = "CURLOPT_NOPROXY"; ++ break; + default: + DBG_ERR("%d is an unknown option", opt); + return YHR_INVALID_PARAMETERS; +diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo +index 9e87e2aa2861..cdf97ae0d33d 100644 +--- a/pkcs11/cmdline.ggo ++++ b/pkcs11/cmdline.ggo +@@ -24,6 +24,7 @@ option "cacert" - "Cacert to use for HTTPS validation" string optional + option "cert" - "HTTPS client certificate to authenticate with" string optional + option "key" - "HTTPS client certificate key" string optional + option "proxy" - "Proxy server to use for connector" string optional ++option "noproxy" - "Comma 
separated list of hosts ignore proxy for" string optional + option "timeout" - "Timeout to use for initial connection to connector" int optional default="5" + option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple + +diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c +index 25aec8e7c5fe..38b08bbf8000 100644 +--- a/pkcs11/yubihsm_pkcs11.c ++++ b/pkcs11/yubihsm_pkcs11.c +@@ -296,6 +296,13 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) { + goto c_i_failure; + } + } ++ if (args_info.noproxy_given) { ++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_NOPROXY, ++ args_info.noproxy_arg) != YHR_SUCCESS) { ++ DBG_ERR("Failed to set noproxy option"); ++ goto c_i_failure; ++ } ++ } + + if (yh_connect(connector_list[i], args_info.timeout_arg) != YHR_SUCCESS) { + DBG_ERR("Failed to connect '%s'", args_info.connector_arg[i]); diff --git a/patches/yubihsm-shell-2.1.0/series b/patches/yubihsm-shell-2.1.0/series new file mode 100644 index 000000000..a0fbb2915 --- /dev/null +++ b/patches/yubihsm-shell-2.1.0/series @@ -0,0 +1,6 @@ +# generated by git-ptx-patches +#tag:base --start-number 1 +0001-add-client-cert-support-for-pkcs11-module.patch +0002-add-bash-like-variable-extension.patch +0003-add-noproxy-option.patch +# fcbee908545e468ec4e840d2d56da1be - git-ptx-patches magic diff --git a/rules/host-yubihsm-shell.in b/rules/host-yubihsm-shell.in new file mode 100644 index 000000000..3b17a2e98 --- /dev/null +++ b/rules/host-yubihsm-shell.in @@ -0,0 +1,13 @@ +## SECTION=hosttools_noprompt + +config HOST_YUBIHSM_SHELL + tristate + default ALLYES + select HOST_CMAKE + select HOST_OPENSSL + select HOST_LIBCURL + select HOST_LIBUSB + select HOST_GENGETOPT + select HOST_LIBEDIT + select HOST_PCSC_LITE + select HOST_LIBP11 diff --git a/rules/host-yubihsm-shell.make b/rules/host-yubihsm-shell.make new file mode 100644 index 000000000..3ebfc8c1f --- /dev/null 
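Review bot: in the lib/yubihsm.h hunk of 0003, `noproxy=*` deliberately defeats the download block that ab4af48ba introduced for stages after get (the commit message calls this a work-around for it), so outbound HTTP(S) from the compile stage is reopened for every host the module is pointed at; the commit message and the `noproxy` help text should say so and recommend the connector host, not `*`, as the value, since CURLOPT_NOPROXY takes a host list and `*` also bypasses any `proxy=` line in the same file. The cmdline.ggo help string "Comma separated list of hosts ignore proxy for" is missing a word: "comma-separated list of hosts to bypass the proxy for".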
+++ b/rules/host-yubihsm-shell.make @@ -0,0 +1,37 @@ +# -*-makefile-*- +# +# Copyright (C) 2021 by Denis Osterland-Heim +# +# For further information about the PTXdist project and license conditions +# see the README file. +# + +HOST_PACKAGES-$(PTXCONF_HOST_YUBIHSM_SHELL) += host-yubihsm-shell + +# +# Paths and names +# +HOST_YUBIHSM_SHELL_VERSION := 2.1.0 +HOST_YUBIHSM_SHELL_MD5 := 7363c0bc4ed037e262474beaa6e1407b +HOST_YUBIHSM_SHELL := yubihsm-shell-$(HOST_YUBIHSM_SHELL_VERSION) +HOST_YUBIHSM_SHELL_SUFFIX := tar.gz +HOST_YUBIHSM_SHELL_URL := https://github.com/Yubico/yubihsm-shell/archive/$(HOST_YUBIHSM_SHELL_VERSION).$(HOST_YUBIHSM_SHELL_SUFFIX) +HOST_YUBIHSM_SHELL_SOURCE := $(SRCDIR)/$(HOST_YUBIHSM_SHELL).$(HOST_YUBIHSM_SHELL_SUFFIX) +HOST_YUBIHSM_SHELL_DIR := $(HOST_BUILDDIR)/$(HOST_YUBIHSM_SHELL) + +# ---------------------------------------------------------------------------- +# Prepare +# ---------------------------------------------------------------------------- + +# +# cmake +# +HOST_YUBIHSM_SHELL_CONF_TOOL := cmake +HOST_YUBIHSM_SHELL_CONF_OPT := \ + $(HOST_CMAKE_OPT) \ + -DBUILD_ONLY_LIB=OFF \ + -DENABLE_COVERAGE=OFF \ + -DSUPRESS_MSVC_WARNINGS=ON \ + -DWITHOUT_MANPAGES=1 + +# vim: syntax=make -- 2.30.1 --_006_41269dbe347d965f3330dd690949c045bf7458f6cameldiehlcom_ Content-Type: message/rfc822 Content-Disposition: attachment; creation-date="Mon, 08 Mar 2021 14:35:31 GMT"; modification-date="Mon, 08 Mar 2021 14:35:31 GMT" Content-ID: Return-Path: X-Original-To: ptxdist@pengutronix.de Delivered-To: osterlad@cwpc1435.diehlako.local Received: by cwpc1435.diehlako.local (Postfix, from userid 1001) id 6EB673E593A; Mon, 8 Mar 2021 13:34:19 +0100 (CET) 
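Review bot: in rules/host-yubihsm-shell.in, `select HOST_LIBP11` is not a build dependency of yubihsm-shell (its build needs OpenSSL, libcurl, libusb, gengetopt, libedit and pcsc-lite, which are all selected here too) but of the OpenSSL-engine based signing provider that will later load the module; move it to that consumer or explain in the commit message why the host tool pulls it in. The same file also requires HOST_PCSC_LITE and HOST_LIBP11 to exist as host rules: this series adds only host-libedit, and 4/5 touches the target libp11 rule alone, so confirm rules/host-libp11.make and rules/host-pcsc-lite.make are in tree, otherwise kconfig warns about a select on an undefined symbol. In rules/host-yubihsm-shell.make, `-DSUPRESS_MSVC_WARNINGS=ON` (upstream's spelling) is a no-op on a Linux host build and can be dropped from the cmake options.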
From: Denis Osterland-Heim To: Subject: [PATCH 3/5] host-libcurl: enable http(s) support Date: Mon, 8 Mar 2021 13:34:16 +0100 Message-ID: <20210308123418.10187-4-denis.osterland@diehl.com> X-Mailer: git-send-email 2.30.1 In-Reply-To: <20210308123418.10187-1-denis.osterland@diehl.com> References: <20210308123418.10187-1-denis.osterland@diehl.com> Content-Transfer-Encoding: 7bit Content-Type: text/plain MIME-Version: 1.0 Signed-off-by: Denis Osterland-Heim --- rules/host-libcurl.make | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/host-libcurl.make b/rules/host-libcurl.make index dc28de778..1a2a1fcf5 100644 --- a/rules/host-libcurl.make +++ b/rules/host-libcurl.make @@ -61,7 +61,7 @@ HOST_LIBCURL_CONF_OPT := \ --without-librtmp \ \ --disable-ares \ - --disable-http \ + --enable-http \ --disable-nghttp2 \ --disable-cookies \ --disable-ftp \ @@ -69,7 +69,7 @@ HOST_LIBCURL_CONF_OPT := \ --disable-file \ --disable-crypto-auth \ --disable-libssh2 \ - --without-ssl + --with-ssl $(STATEDIR)/host-libcurl.install: @$(call targetinfo) -- 2.30.1 --_006_41269dbe347d965f3330dd690949c045bf7458f6cameldiehlcom_ Content-Type: message/rfc822 Content-Disposition: attachment; creation-date="Mon, 08 Mar 2021 14:35:31 GMT"; modification-date="Mon, 08 Mar 2021 14:35:31 GMT" Content-ID: <855FFED7364667448F51AEA76E4EABB0@diehl.internal> Return-Path: X-Original-To: ptxdist@pengutronix.de Delivered-To: osterlad@cwpc1435.diehlako.local Received: by cwpc1435.diehlako.local (Postfix, from userid 1001) id 716543E593A; Mon, 8 Mar 2021 13:34:19 +0100 (CET) From: Denis Osterland-Heim To: Subject: [PATCH 4/5] libp11: version bump 0.4.10 -> 0.4.11 Date: Mon, 8 Mar 2021 13:34:17 +0100 Message-ID: <20210308123418.10187-5-denis.osterland@diehl.com> X-Mailer: git-send-email 2.30.1 In-Reply-To: <20210308123418.10187-1-denis.osterland@diehl.com> References: <20210308123418.10187-1-denis.osterland@diehl.com> Content-Transfer-Encoding: 7bit Content-Type: text/plain MIME-Version: 1.0 
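Review bot: in rules/host-libcurl.make (PATCH 3/5), `--with-ssl` links against whatever OpenSSL configure finds first; the hunk shows no matching `select HOST_OPENSSL` in rules/host-libcurl.in, so confirm it is there (or add it), otherwise the host curl may pick up the build machine's OpenSSL instead of sysroot-host and the build stops being reproducible. The commit message is empty; it should say that HTTP(S) is needed for the yubihsm connector transport used by 5/5 and whether the remaining `--disable` options (crypto-auth, cookies, nghttp2) are intended to stay off for that use.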
Signed-off-by: Denis Osterland-Heim --- rules/libp11.make | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/libp11.make b/rules/libp11.make index 8e2d1517f..2c551b914 100644 --- a/rules/libp11.make +++ b/rules/libp11.make @@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_LIBP11) += libp11 # # Paths and names # -LIBP11_VERSION := 0.4.10 -LIBP11_MD5 := 3464874bb5ca47b8e4c1d540758dcfe9 +LIBP11_VERSION := 0.4.11 +LIBP11_MD5 := 8b907abd572b0eb8e63413549f68dbe1 LIBP11 := libp11-$(LIBP11_VERSION) LIBP11_SUFFIX := tar.gz LIBP11_URL := https://github.com/OpenSC/libp11/releases/download/$(LIBP11)/$(LIBP11).$(LIBP11_SUFFIX) -- 2.30.1 --_006_41269dbe347d965f3330dd690949c045bf7458f6cameldiehlcom_ Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de --_006_41269dbe347d965f3330dd690949c045bf7458f6cameldiehlcom_--
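Review bot: in rules/libp11.make (PATCH 4/5), the commit message gives no reason for the 0.4.10 -> 0.4.11 bump; say which change in 0.4.11 the signing provider needs, or that it is a routine update, and note that only the target rule is bumped while 5/5 selects HOST_LIBP11.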
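A pre-flight check for the configuration file the module reads, as an added example for this thread; it is not ptxdist or yubihsm-shell code. It follows the procedure in the 5/5 commit message: a connector reached over HTTPS, authenticated with the `cert`/`key` options from 0001, and `noproxy=*` for the compile stage, with the three file paths expanded the way 0002 makes the module expand them (`~` and `${VAR}`) but without handing the value to a shell. Assumptions: `key = value` lines named as in the patched cmdline.ggo, a scratch directory created by the script itself, and the connector host, key URI and module path in the closing comment are placeholders.

```shell
#!/bin/sh
# Pre-flight check for the yubihsm_pkcs11 config file a build stage will
# use. Example for this thread; not part of ptxdist or yubihsm-shell.
# Assumed input: "key = value" lines named as in the patched
# pkcs11/cmdline.ggo (connector, cacert, cert, key, proxy, noproxy,
# timeout); the three file paths may use ~ and ${VAR} (patch 0002).

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

# expand_path VALUE: resolve a leading ~ and $VAR / ${VAR} references.
# Only a validated variable name is looked up, so "$(rm -rf ~)" fails
# instead of running (wordexp(3) with flags 0, as in patch 0002, runs it).
expand_path() {
    rest=$1 out=''
    case $rest in
        '~')   out=$HOME; rest='' ;;
        '~/'*) out=$HOME; rest=${rest#\~} ;;
    esac
    while [ -n "$rest" ]; do
        case $rest in
            '$'*)
                rest=${rest#\$}
                case $rest in
                    '{'*'}'*) name=${rest#\{}; name=${name%%\}*}; rest=${rest#*\}} ;;
                    '{'*)     return 1 ;;                      # unterminated ${
                    *)        name=$(printf '%s' "$rest" | sed 's/[^A-Za-z0-9_].*//')
                              rest=${rest#"$name"} ;;
                esac
                case $name in
                    ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;     # not a plain variable
                esac
                eval "isset=\${$name+set}"
                [ "$isset" = set ] || return 1                 # unset variable
                eval "out=\$out\${$name}"
                ;;
            *)  lit=${rest%%\$*}; out=$out$lit; rest=${rest#"$lit"} ;;
        esac
    done
    printf '%s\n' "$out"
}

# check_conf FILE: print findings; return 0 only when the file is safe to
# hand to a build stage.
check_conf() {
    rc=0 connector='' cacert='' cert='' key='' noproxy=''
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        k=$(trim "${line%%=*}"); v=${line#*=}
        [ "$v" = "$line" ] && v=''                             # flag line, no '='
        v=$(trim "$v")
        case $k in
            connector) connector=$v ;;
            cacert)    cacert=$v ;;
            cert)      cert=$v ;;
            key)       key=$v ;;
            noproxy)   noproxy=$v ;;
        esac
    done < "$1"

    [ -n "$connector" ] || { echo "error: no connector"; rc=1; }
    case $connector in
        https://*) [ -n "$cacert" ] || { echo "error: https connector without cacert"; rc=1; } ;;
        http://*)  [ -z "$cert$key" ] || { echo "error: cert/key given but connector is plain http"; rc=1; } ;;
    esac
    if [ -n "$cert$key" ] && { [ -z "$cert" ] || [ -z "$key" ]; }; then
        echo "error: cert and key must be given together"; rc=1
    fi
    for opt in cacert cert key; do
        eval "val=\$$opt"
        [ -n "$val" ] || continue
        path=$(expand_path "$val") || { echo "error: $opt: refusing to expand '$val'"; rc=1; continue; }
        [ -r "$path" ] || { echo "error: $opt: $path not readable"; rc=1; continue; }
        # the client key must not be group- or world-accessible (ls columns 5-10)
        if [ "$opt" = key ] && [ "$(ls -ld "$path" | cut -c5-10)" != '------' ]; then
            echo "error: key: $path is group/world accessible"; rc=1
        fi
    done
    [ "$noproxy" = '*' ] || echo "warning: noproxy=* missing; needed in a ptxdist compile stage"
    return $rc
}

# Constructed demo: a scratch directory standing in for the build host.
demo=$(mktemp -d); HSM_DIR=$demo
: > "$demo/ca.crt"; : > "$demo/client.crt"
: > "$demo/client.key"; chmod 600 "$demo/client.key"
cat > "$demo/yubihsm_pkcs11.conf" <<'EOF'
# connector host is a placeholder
connector = https://hsm-connector.example.internal:12345
cacert = ${HSM_DIR}/ca.crt
cert = ${HSM_DIR}/client.crt
key = ${HSM_DIR}/client.key
noproxy = *
timeout = 5
EOF
check_conf "$demo/yubihsm_pkcs11.conf" && echo "config ok"
# The signing provider then loads the module through libp11's engine
# (assumed invocation; module path and key URI are placeholders):
#   PKCS11_MODULE_PATH=/path/to/yubihsm_pkcs11.so \
#   YUBIHSM_PKCS11_CONF=$demo/yubihsm_pkcs11.conf \
#   openssl pkeyutl -engine pkcs11 -keyform engine -sign \
#       -inkey 'pkcs11:object=signing-key;type=private' -in digest.bin -out sig.bin
rm -rf "$demo"
```

Run it against the file you point YUBIHSM_PKCS11_CONF at before starting the build: a key file that is group- or world-readable, a `cert` without its `key`, a client certificate on a plain-http connector, or a `$(...)` in a path is reported and the check fails, while a missing `noproxy=*` is only a warning because it matters solely inside the ptxdist compile stage.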