Log in slots with CKF_USER_PIN_INITIALIZED and not CKF_LOGIN_REQUIRED

Fixes: #123 (for OpenSSL build)
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

openssl-pkcs11.c

@@ -381,7 +381,7 @@ int load_pkcs11_certificate(struct openconnect_info *vpninfo)
 	}
 	/* If there was precisely one matching slot, and we still didn't find the cert,
 	   try logging in to it. */
-	if (matching_slots == 1 && login_slot->token->loginRequired) {
+	if (matching_slots == 1 && (login_slot->token->loginRequired || login_slot->token->userPinSet)) {
 		slot = login_slot;
 		vpn_progress(vpninfo, PRG_INFO,
 			     _("Logging in to PKCS#11 slot '%s'\n"),
@@ -615,7 +615,7 @@ int load_pkcs11_key(struct openconnect_info *vpninfo)
 		login_slot = vpninfo->pkcs11_cert_slot;
 		vpninfo->pkcs11_cert_slot = NULL;
 	}
-	if (matching_slots == 1 && login_slot->token->loginRequired) {
+	if (matching_slots == 1 && (login_slot->token->loginRequired || login_slot->token->userPinSet)) {
 		slot = login_slot;
 		vpn_progress(vpninfo, PRG_INFO,
 			     _("Logging in to PKCS#11 slot '%s'\n"),

tests/Makefile.am

@@ -69,6 +69,10 @@ if OPENCONNECT_GNUTLS
 # the certs after we log in. Perhaps it's cached the results?
 PKCS11_TOKENS += openconnect-test2
 endif # OPENCONNECT_GNUTLS
+if OPENCONNECT_OPENSSL
+# GnuTLS build fails this one: https://gitlab.com/gnutls/gnutls/-/issues/977
+PKCS11_TOKENS += openconnect-test3
+endif # OPENCONNECT_OPENSSL
 endif # TEST_PKCS11
 endif # HAVE_CWRAP
 
@@ -258,3 +262,33 @@ softhsm-setup2:
 		   --load-privkey $(certsdir)/ec-key-pkcs8.pem \
 		   --label EC --id 03 --login \
 		   --write "pkcs11:token=openconnect-test2;pin-value=1234"
+
+# Fourth test: token lacks CKF_LOGIN_REQUIRED (#123)
+softhsm-setup3:
+	$(SHM2_UTIL) --show-slots
+	$(SHM2_UTIL) --init-token --free --label openconnect-test3 \
+		--so-pin 12345678 --pin 1234
+
+# Remove the CKF_LOGIN_REQUIRED flag
+	TOKOBJ=$$(grep -l openconnect-test3 $(srcdir)/softhsm/*/token.object); \
+	if [ -n "$$TOKOBJ" ] && od -t x1 $$TOKOBJ | grep -q '^0000160.* 04 2d$$'; then \
+		echo -en \\x29 | dd bs=1 count=1 conv=notrunc seek=127 of=$$TOKOBJ; \
+	else \
+		echo "Token file not understood"; \
+		exit 1; \
+	fi
+
+	$(P11TOOL) --load-certificate $(certsdir)/user-cert.pem \
+		   --load-privkey $(certsdir)/user-key-pkcs8.pem \
+		   --label RSA --id 01 --login \
+		   --write "pkcs11:token=openconnect-test3;pin-value=1234"
+
+	$(P11TOOL) --load-certificate $(certsdir)/dsa-cert.pem \
+		   --load-privkey $(certsdir)/dsa-key-pkcs8.pem \
+		   --label DSA --id 02 --login \
+		   --write "pkcs11:token=openconnect-test3;pin-value=1234"
+
+	$(P11TOOL) --load-certificate $(certsdir)/ec-cert.pem \
+		   --load-privkey $(certsdir)/ec-key-pkcs8.pem \
+		   --label EC --id 03 --login \
+		   --write "pkcs11:token=openconnect-test3;pin-value=1234"

www/changelog.xml

@@ -27,6 +27,7 @@
        <li>Fix crash with uninitialised OIDC token.</li>
        <li>GlobalProtect: more resilient handling of periodic HIP check and login arguments, and predictable naming of challenge forms</li>
        <li>Disable <a href="https://en.wikipedia.org/wiki/Nagle's_algorithm">Nagle's algorithm</a> for TLS sockets, to improve interactivity when tunnel runs over TCP rather than UDP.</li>
+       <li>Work around PKCS#11 tokens which forget to set <tt>CKF_LOGIN_REQUIRED</tt> (<a href="https://gitlab.com/openconnect/openconnect/issues/123">#123</a>).</li>
      </ul><br/>
   </li>
   <li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.07.tar.gz">OpenConnect v8.07</a></b>