Openconnect supporting SafeNet eToken 5300

Pavel Gavronsky kamm555 at hotmail.com
Wed Jun 29 06:37:55 PDT 2022


Dimitri, thank you,

Probably you are right regarding building/installing from RPM; I do not remember now.
As for the problem itself: openconnect works well using a SmartCard certificate, but fails to use the USB token with the same certificate.

These are the ldd outputs; you are right, there is a difference in modules:

v8.10:
ldd /usr/sbin/openconnect
        linux-vdso.so.1 (0x00007ffe1219f000)
        libopenconnect.so.5 => /lib/x86_64-linux-gnu/libopenconnect.so.5 (0x00007fbb6cd9a000)
        libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007fbb6cb9a000)
        libxml2.so.2 => /lib/x86_64-linux-gnu/libxml2.so.2 (0x00007fbb6c9ec000)
        libproxy.so.1 => /lib/x86_64-linux-gnu/libproxy.so.1 (0x00007fbb6c9c7000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fbb6c9a5000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fbb6c7e0000)
        libtasn1.so.6 => /lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007fbb6c7c8000)
        libtss2-esys.so.0 => /lib/x86_64-linux-gnu/libtss2-esys.so.0 (0x00007fbb6c736000)
        libtss2-mu.so.0 => /lib/x86_64-linux-gnu/libtss2-mu.so.0 (0x00007fbb6c6ea000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fbb6c6cd000)
        libp11-kit.so.0 => /lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007fbb6c599000)
        libstoken.so.1 => /lib/x86_64-linux-gnu/libstoken.so.1 (0x00007fbb6c38b000)
        libgssapi_krb5.so.2 => /lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007fbb6c336000)
        libpcsclite.so.1 => /lib/x86_64-linux-gnu/libpcsclite.so.1 (0x00007fbb6c328000)
        liblz4.so.1 => /lib/x86_64-linux-gnu/liblz4.so.1 (0x00007fbb6c305000)
        libidn2.so.0 => /lib/x86_64-linux-gnu/libidn2.so.0 (0x00007fbb6c2e4000)
        libunistring.so.2 => /lib/x86_64-linux-gnu/libunistring.so.2 (0x00007fbb6c162000)
        libnettle.so.8 => /lib/x86_64-linux-gnu/libnettle.so.8 (0x00007fbb6c11a000)
        libhogweed.so.6 => /lib/x86_64-linux-gnu/libhogweed.so.6 (0x00007fbb6c0cf000)
        libgmp.so.10 => /lib/x86_64-linux-gnu/libgmp.so.10 (0x00007fbb6c04e000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fbb6ce1a000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fbb6c048000)
        libicuuc.so.67 => /lib/x86_64-linux-gnu/libicuuc.so.67 (0x00007fbb6be5f000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fbb6be37000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fbb6bcf3000)
        libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fbb6bb24000)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fbb6bb0a000)
        libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007fbb6b816000)
        libtss2-sys.so.1 => /lib/x86_64-linux-gnu/libtss2-sys.so.1 (0x00007fbb6b7f2000)
        libffi.so.7 => /lib/x86_64-linux-gnu/libffi.so.7 (0x00007fbb6b7e6000)
        libtomcrypt.so.1 => /lib/x86_64-linux-gnu/libtomcrypt.so.1 (0x00007fbb6b702000)
        libkrb5.so.3 => /lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007fbb6b628000)
        libk5crypto.so.3 => /lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007fbb6b5f8000)
        libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007fbb6b5f2000)
        libkrb5support.so.0 => /lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007fbb6b5e3000)
        libicudata.so.67 => /lib/x86_64-linux-gnu/libicudata.so.67 (0x00007fbb69ac8000)
        libtommath.so.1 => /lib/x86_64-linux-gnu/libtommath.so.1 (0x00007fbb69aa8000)
        libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007fbb69aa1000)
        libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fbb69a87000)

v9.00:
ldd /usr/local/sbin/openconnect
        linux-vdso.so.1 (0x00007ffeb82e0000)
        libopenconnect.so.5 => /usr/local/lib/libopenconnect.so.5 (0x00007f9c7241b000)
        libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f9c7221b000)
        libxml2.so.2 => /lib/x86_64-linux-gnu/libxml2.so.2 (0x00007f9c7206d000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9c71ea8000)
        libhogweed.so.6 => /lib/x86_64-linux-gnu/libhogweed.so.6 (0x00007f9c71e5f000)
        libgmp.so.10 => /lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f9c71dde000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f9c71dbf000)
        libp11-kit.so.0 => /lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007f9c71c8b000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f9c71b47000)
        libidn2.so.0 => /lib/x86_64-linux-gnu/libidn2.so.0 (0x00007f9c71b26000)
        libunistring.so.2 => /lib/x86_64-linux-gnu/libunistring.so.2 (0x00007f9c719a4000)
        libtasn1.so.6 => /lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007f9c7198e000)
        libnettle.so.8 => /lib/x86_64-linux-gnu/libnettle.so.8 (0x00007f9c71944000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f9c71922000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f9c724b4000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f9c7191c000)
        libicuuc.so.67 => /lib/x86_64-linux-gnu/libicuuc.so.67 (0x00007f9c71733000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f9c7170b000)
        libffi.so.7 => /lib/x86_64-linux-gnu/libffi.so.7 (0x00007f9c716fd000)
        libicudata.so.67 => /lib/x86_64-linux-gnu/libicudata.so.67 (0x00007f9c6fbe4000)
        libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f9c6fa17000)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f9c6f9fd000)

Regards,
Pavel

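Dimitri's suggestion below is to compare the ldd output of the two builds. The script that follows is an added example, not code from this thread or from the OpenConnect project: it embeds the two listings posted above as constructed sample input (so it runs offline) and prints the sonames that one binary links and the other does not. On a real system, replace the two stand-in functions with `ldd /usr/sbin/openconnect` and `ldd /usr/local/sbin/openconnect`.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenConnect project): compare the
# dynamic-library sets of two openconnect binaries. The listings are the ldd
# outputs posted in the thread, embedded as constructed sample input.

old_ldd() {   # stand-in for: ldd /usr/sbin/openconnect (v8.10)
cat <<'EOF'
        linux-vdso.so.1 (0x00007ffe1219f000)
        libopenconnect.so.5 => /lib/x86_64-linux-gnu/libopenconnect.so.5 (0x00007fbb6cd9a000)
        libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007fbb6cb9a000)
        libxml2.so.2 => /lib/x86_64-linux-gnu/libxml2.so.2 (0x00007fbb6c9ec000)
        libproxy.so.1 => /lib/x86_64-linux-gnu/libproxy.so.1 (0x00007fbb6c9c7000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fbb6c9a5000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fbb6c7e0000)
        libtasn1.so.6 => /lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007fbb6c7c8000)
        libtss2-esys.so.0 => /lib/x86_64-linux-gnu/libtss2-esys.so.0 (0x00007fbb6c736000)
        libtss2-mu.so.0 => /lib/x86_64-linux-gnu/libtss2-mu.so.0 (0x00007fbb6c6ea000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fbb6c6cd000)
        libp11-kit.so.0 => /lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007fbb6c599000)
        libstoken.so.1 => /lib/x86_64-linux-gnu/libstoken.so.1 (0x00007fbb6c38b000)
        libgssapi_krb5.so.2 => /lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007fbb6c336000)
        libpcsclite.so.1 => /lib/x86_64-linux-gnu/libpcsclite.so.1 (0x00007fbb6c328000)
        liblz4.so.1 => /lib/x86_64-linux-gnu/liblz4.so.1 (0x00007fbb6c305000)
        libidn2.so.0 => /lib/x86_64-linux-gnu/libidn2.so.0 (0x00007fbb6c2e4000)
        libunistring.so.2 => /lib/x86_64-linux-gnu/libunistring.so.2 (0x00007fbb6c162000)
        libnettle.so.8 => /lib/x86_64-linux-gnu/libnettle.so.8 (0x00007fbb6c11a000)
        libhogweed.so.6 => /lib/x86_64-linux-gnu/libhogweed.so.6 (0x00007fbb6c0cf000)
        libgmp.so.10 => /lib/x86_64-linux-gnu/libgmp.so.10 (0x00007fbb6c04e000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fbb6ce1a000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fbb6c048000)
        libicuuc.so.67 => /lib/x86_64-linux-gnu/libicuuc.so.67 (0x00007fbb6be5f000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fbb6be37000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fbb6bcf3000)
        libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fbb6bb24000)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fbb6bb0a000)
        libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007fbb6b816000)
        libtss2-sys.so.1 => /lib/x86_64-linux-gnu/libtss2-sys.so.1 (0x00007fbb6b7f2000)
        libffi.so.7 => /lib/x86_64-linux-gnu/libffi.so.7 (0x00007fbb6b7e6000)
        libtomcrypt.so.1 => /lib/x86_64-linux-gnu/libtomcrypt.so.1 (0x00007fbb6b702000)
        libkrb5.so.3 => /lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007fbb6b628000)
        libk5crypto.so.3 => /lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007fbb6b5f8000)
        libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007fbb6b5f2000)
        libkrb5support.so.0 => /lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007fbb6b5e3000)
        libicudata.so.67 => /lib/x86_64-linux-gnu/libicudata.so.67 (0x00007fbb69ac8000)
        libtommath.so.1 => /lib/x86_64-linux-gnu/libtommath.so.1 (0x00007fbb69aa8000)
        libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007fbb69aa1000)
        libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fbb69a87000)
EOF
}

new_ldd() {   # stand-in for: ldd /usr/local/sbin/openconnect (v9.00)
cat <<'EOF'
        linux-vdso.so.1 (0x00007ffeb82e0000)
        libopenconnect.so.5 => /usr/local/lib/libopenconnect.so.5 (0x00007f9c7241b000)
        libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f9c7221b000)
        libxml2.so.2 => /lib/x86_64-linux-gnu/libxml2.so.2 (0x00007f9c7206d000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9c71ea8000)
        libhogweed.so.6 => /lib/x86_64-linux-gnu/libhogweed.so.6 (0x00007f9c71e5f000)
        libgmp.so.10 => /lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f9c71dde000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f9c71dbf000)
        libp11-kit.so.0 => /lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007f9c71c8b000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f9c71b47000)
        libidn2.so.0 => /lib/x86_64-linux-gnu/libidn2.so.0 (0x00007f9c71b26000)
        libunistring.so.2 => /lib/x86_64-linux-gnu/libunistring.so.2 (0x00007f9c719a4000)
        libtasn1.so.6 => /lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007f9c7198e000)
        libnettle.so.8 => /lib/x86_64-linux-gnu/libnettle.so.8 (0x00007f9c71944000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f9c71922000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f9c724b4000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f9c7191c000)
        libicuuc.so.67 => /lib/x86_64-linux-gnu/libicuuc.so.67 (0x00007f9c71733000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f9c7170b000)
        libffi.so.7 => /lib/x86_64-linux-gnu/libffi.so.7 (0x00007f9c716fd000)
        libicudata.so.67 => /lib/x86_64-linux-gnu/libicudata.so.67 (0x00007f9c6fbe4000)
        libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f9c6fa17000)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f9c6f9fd000)
EOF
}

# Reduce ldd output to a sorted soname list: the first field of each line is
# the soname (or the loader path); resolved paths and load addresses are dropped.
sonames() { awk 'NF { print $1 }' | LC_ALL=C sort -u; }

# only_in_first A B: sonames present in A's listing and absent from B's.
# A and B are commands that emit ldd output (here the two functions above).
only_in_first() {
    a=$(mktemp) && b=$(mktemp) || return 1
    "$1" | sonames > "$a"
    "$2" | sonames > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

echo "Linked by 8.10 but not by 9.00:"; only_in_first old_ldd new_ldd
echo "Linked by 9.00 but not by 8.10:"; only_in_first new_ldd old_ldd
```

On these two listings the second set is empty and the first contains 17 sonames (libpcsclite, libstoken, the libtss2-* TPM libraries, Kerberos, OpenSSL, libproxy and their dependencies), while libp11-kit.so.0 is linked by both builds, so the link-time PKCS#11 dependency is identical. Keep in mind that ldd shows only link-time dependencies: the vendor's PKCS#11 provider for the eToken is loaded by p11-kit at runtime through dlopen and never appears in ldd output, so `p11-kit list-modules` is the check for which provider module each build actually picks up.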

From: Dimitri Papadopoulos Orfanos <dimitri.papadopoulos at cea.fr>
Sent: Wednesday, June 29, 2022 2:31 PM
To: Pavel Gavronsky <kamm555 at hotmail.com>
Cc: openconnect-devel at lists.infradead.org <openconnect-devel at lists.infradead.org>
Subject: Re: Openconnect supporting SafeNet eToken 5300

Had you really *compiled* 8.10 on this machine? Without gnutls-dev, I 
don't see how you could have built OpenConnect based on GnuTLS. Had you 
perhaps installed a DEB package instead?

Anyway, as you can see, the error originates in the p11 library. 
Perhaps 8.10 and 9.00 use a different p11 library, so compare the output 
of "ldd" for both versions. But most probably, as pointed out by Nikos, 
that's an issue with a broken proprietary PKCS#11 token. 
See this thread for example:
        https://lists.infradead.org/pipermail/openconnect-devel/2016-February/003470.html

Also I have lost track of the initial issue. Am I correct that both 8.10 
and 9.00 fail to connect using the SafeNet USB eToken 5300? Do they just 
fail differently?

Finally please note that the latest release of OpenConnect is 9.01. Not 
that I believe that 9.01 might fix anything, but it is definitely better 
to build the latest available release.

Dimitri

On 29/06/2022 at 11:51, Pavel Gavronsky wrote:
> Dimitri, many thanks,
> 
> gnutls-dev was missing. It's strange, because I compiled the previous v8.10 build on this machine.
> 
> Now I can compare the debug logs.
> 
> With GnuTLS it looks better in v9.00; at least there is a step asking for the token PIN. But it failed. May I ask you to look...
> 
> Old v8.10 logs:
> 
> (p11-kit:7409) sys_C_GetTokenInfo: in
> (p11-kit:7409) sys_C_GetTokenInfo: out: 0x0
> gnutls[2]: p11: No login requested.
> Trying PKCS#11 key URL pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=02xxxeb42;token=GSTEST01;id=%B6%XXXXXXXX%5C%0C%FD%7E;object=No%20Friendly%20Name%20Available;type=private
> (p11-kit:7409) sys_C_GetSlotList: in
> (p11-kit:7409) sys_C_GetSlotList: out: 0x0
> (p11-kit:7409) sys_C_GetTokenInfo: in
> (p11-kit:7409) sys_C_GetTokenInfo: out: 0x0
> PIN required for GSTEST01
> Enter PIN:
> gnutls[2]: p11: Login result = ok (0)
> (p11-kit:7409) sys_C_GetSlotList: in
> (p11-kit:7409) sys_C_GetSlotList: out: 0x0
> (p11-kit:7409) sys_C_GetTokenInfo: in
> (p11-kit:7409) sys_C_GetTokenInfo: out: 0x0
> Using PKCS#11 key pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=02xxx42;token=GSTEST01;id=%B6%A2%74%B2xxxxxxxxxx%D6%5C%0C%FD%7E;object=No%20Friendly%20Name%20Available;type=private
> Using client certificate 'xxxx xxx\ '
> (p11-kit:7409) sys_C_GetSlotList: in
> 
> 
> New v9.00 logs:
> 
> (p11-kit:8449) sys_C_GetTokenInfo: in
> (p11-kit:8449) sys_C_GetTokenInfo: out: 0x0
> gnutls[2]: p11: No login requested.
> gnutls[2]: p11: Skipped object, missing attrs.   <------------------------------------------------- looks like some kind of ERROR
> gnutls[3]: ASSERT: ../../lib/pkcs11.c[find_single_obj_cb]:2261
> gnutls[3]: ASSERT: ../../lib/pkcs11.c[find_single_obj_cb]:2222
> gnutls[3]: ASSERT: ../../lib/pkcs11.c[gnutls_pkcs11_obj_import_url]:2350
> gnutls[3]: ASSERT: ../../lib/pkcs11.c[_gnutls_x509_crt_import_pkcs11_url]:3613
> (p11-kit:8449) sys_C_GetSlotList: in
> (p11-kit:8449) sys_C_GetSlotList: out: 0x0
> (p11-kit:8449) sys_C_GetTokenInfo: in
> (p11-kit:8449) sys_C_GetTokenInfo: out: 0x0
> PIN required for xxx
> Enter PIN:
> gnutls[2]: p11: Login result = ok (0)
> gnutls[2]: p11: Skipped object, missing attrs. <------------------------------------------------- looks like some kind of ERROR
> gnutls[3]: ASSERT: ../../lib/pkcs11.c[find_single_obj_cb]:2261
> gnutls[3]: ASSERT: ../../lib/pkcs11.c[find_single_obj_cb]:2222
> gnutls[3]: ASSERT: ../../lib/pkcs11.c[gnutls_pkcs11_obj_import_url]:2350
> gnutls[3]: ASSERT: ../../lib/pkcs11.c[_gnutls_x509_crt_import_pkcs11_url]:3613
> Error loading certificate from PKCS#11: The requested data were not available.
> Loading certificate failed. Aborting.
> Failed to complete authentication
> (p11-kit:8449) uninit_common: uninitializing library
> (p11-kit:8449) uninit_common: uninitializing library
> 
> 
> 
> Regards,
> Pavel

