Warn when pkcs11-id or pkcs11-id-management options are ignored

- If there are no pkcs11-providers either directly specified or
  through p11-kit-proxy made available through a build-time detection,
  these options are ignored. Log a warning in such cases.

  Especially important on Windows where automatic loading of p11-kit
  is not enabled in our release builds.

- Document this behaviour.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230120021841.2048791-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26056.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

doc/man-sections/pkcs11-options.rst

@@ -13,7 +13,8 @@ PKCS#11 / SmartCard options
 
 --pkcs11-id name
   Specify the serialized certificate id to be used. The id can be gotten
-  by the standalone ``--show-pkcs11-ids`` option.
+  by the standalone ``--show-pkcs11-ids`` option. See also the description
+  of ``--pkcs11-providers`` option.
 
 --pkcs11-id-management
   Acquire PKCS#11 id from management interface. In this case a
@@ -21,6 +22,7 @@ PKCS#11 / SmartCard options
   application may use pkcs11-id-count command to retrieve available number of
   certificates, and pkcs11-id-get command to retrieve certificate id and
   certificate body.
+  See also the description of ``--pkcs11-providers`` option.
 
 --pkcs11-pin-cache seconds
   Specify how many seconds the PIN can be cached, the default is until the
@@ -51,15 +53,18 @@ PKCS#11 / SmartCard options
      pkcs11-protected-authentication 0
      pkcs11-protected-authentication 1
 
---pkcs11-providers provider
+--pkcs11-providers providers
   Specify an RSA Security Inc. PKCS #11 Cryptographic Token Interface
-  (Cryptoki) providers to load. This option can be used instead of
-  ``--cert``, ``--key`` and ``--pkcs12``.
+  (Cryptoki) providers to load. A space-separated list of one or more
+  provider library names may be specified. This option along with ``--pkcs11-id``
+  or ``pkcs11-id-management`` can be used instead of
+  ``--cert`` and ``--key`` or ``--pkcs12``.
 
-  If p11-kit is present on the system, its :code:`p11-kit-proxy.so` module
-  will be loaded by default if either the ``--pkcs11-id`` or
-  ``--pkcs11-id-management`` options are specified without
-  ``--pkcs11-provider`` being given.
+  If p11-kit is present on the system and was enabled during build, its
+  :code:`p11-kit-proxy.so` module will be loaded by default if either
+  the ``--pkcs11-id`` or ``--pkcs11-id-management`` options is present without
+  ``--pkcs11-providers``. If default loading is not enabled in the build and
+  no providers are specified, the former options will be ignored.
 
 --show-pkcs11-ids args
   (Standalone) Show PKCS#11 token object list.

src/openvpn/options.c

@@ -2855,6 +2855,15 @@ options_postprocess_verify_ce(const struct options *options,
     {
         check_ca_required(options);
 #ifdef ENABLE_PKCS11
+        if (!options->pkcs11_providers[0] && options->pkcs11_id)
+        {
+            msg(M_WARN, "Option pkcs11-id is ignored as no pkcs11-providers are specified");
+        }
+        else if (!options->pkcs11_providers[0] && options->pkcs11_id_management)
+        {
+            msg(M_WARN, "Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
+        }
+
         if (options->pkcs11_providers[0])
         {
             if (options->pkcs11_id_management && options->pkcs11_id != NULL)