Diffstat (limited to 'src')
-rw-r--r--src/pluto/plutomain.c15
-rw-r--r--src/pluto/smartcard.c12
-rw-r--r--src/pluto/smartcard.h2
-rw-r--r--src/starter/args.c1
-rw-r--r--src/starter/confread.h1
-rw-r--r--src/starter/invokepluto.c5
-rw-r--r--src/starter/keywords.h1
-rw-r--r--src/starter/keywords.txt1
8 files changed, 31 insertions, 7 deletions
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index d9b2167c8..a5bf82768 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -104,7 +104,8 @@ usage(const char *mess)
" \\\n\t"
"[--adns <pathname>]"
"[--pkcs11module <path>]"
- "[--pkcs11keepstate"
+ "[--pkcs11keepstate]"
+ "[--pkcs11initargs <string>]"
#ifdef DEBUG
" \\\n\t"
"[--debug-none]"
@@ -217,6 +218,11 @@ bool pkcs11_keep_state = FALSE;
/* by default pluto does not allow pkcs11 proxy access via whack */
bool pkcs11_proxy = FALSE;
+/* argument string to pass to PKCS#11 module.
+ * Not used for compliant modules, just for NSS softoken
+ */
+static const char *pkcs11_init_args = NULL;
+
int
main(int argc, char **argv)
{
@@ -263,6 +269,7 @@ main(int argc, char **argv)
#endif /* !USE_LWRES */
{ "pkcs11module", required_argument, NULL, 'm' },
{ "pkcs11keepstate", no_argument, NULL, 'k' },
+ { "pkcs11initargs", required_argument, NULL, 'z' },
{ "pkcs11proxy", no_argument, NULL, 'y' },
{ "nat_traversal", no_argument, NULL, '1' },
{ "keep_alive", required_argument, NULL, '2' },
@@ -432,6 +439,10 @@ main(int argc, char **argv)
pkcs11_proxy = TRUE;
continue;
+ case 'z': /* --pkcs11initargs */
+ pkcs11_init_args = optarg;
+ continue;
+
#ifdef DEBUG
case 'N': /* --debug-none */
base_debugging = DBG_NONE;
@@ -593,7 +604,7 @@ main(int argc, char **argv)
init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
init_virtual_ip(virtual_private);
- scx_init(pkcs11_module_path); /* load and initialize PKCS #11 module */
+ scx_init(pkcs11_module_path, pkcs11_init_args); /* load and initialize PKCS #11 module */
xauth_init(); /* load and initialize XAUTH module */
init_rnd_pool();
init_secret();
diff --git a/src/pluto/smartcard.c b/src/pluto/smartcard.c
index 744f8a6f3..067d0f046 100644
--- a/src/pluto/smartcard.c
+++ b/src/pluto/smartcard.c
@@ -690,12 +690,16 @@ scx_find_all_cert_objects(void)
#endif
/*
- * load and initialize PKCS#11 cryptoki module
+ * load and initialize PKCS#11 cryptoki module
+ *
+ * init_args should be unused when we have a PKCS#11 compliant module,
+ * but NSS softoken breaks that API.
*/
void
-scx_init(const char* module)
+scx_init(const char* module, const char *init_args)
{
#ifdef SMARTCARD
+ CK_C_INITIALIZE_ARGS args = { .pReserved = init_args, };
CK_RV rv;
if (scx_initialized)
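Review bot: `CK_C_INITIALIZE_ARGS args = { .pReserved = init_args, };` initializes `pReserved`, a `CK_VOID_PTR` (plain `void *`), from a `const char *`, which discards the const qualifier and produces a "discards 'const' qualifier" diagnostic on GCC/Clang; make the intent explicit with `.pReserved = (CK_VOID_PTR)init_args, /* module only reads it */` or accept `init_args` as non-const in the prototype. The remaining members (mutex callbacks and `flags`) are zero-filled by the designated initializer, which is what the old `C_Initialize(NULL)` call also implied, so a one-line comment stating that the single-threaded-access contract is unchanged would help the next reader. When `SMARTCARD` is not defined `init_args` becomes an unused parameter; presumably `module` already was. The body of `scx_init` continues past this hunk.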
@@ -726,8 +730,8 @@ scx_init(const char* module)
DBG(DBG_CONTROL | DBG_CRYPT,
DBG_log("pkcs11 module initializing...")
- )
- rv = pkcs11_functions->C_Initialize(NULL);
+ )
+ rv = pkcs11_functions->C_Initialize(init_args ? &args : NULL);
if (rv != CKR_OK)
{
plog("failed to initialize pkcs11 module: %s"
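Review bot: A spec-compliant module rejects a non-NULL `pReserved` with `CKR_ARGUMENTS_BAD`, so when `init_args` is set and the module is not NSS softoken the existing plog will report a failure whose cause is the new option rather than the module itself; a debug line just before the call, `DBG_log("pkcs11 init args: %s", init_args)` inside the same `DBG(DBG_CONTROL | DBG_CRYPT, ...)` block, would make that diagnosable. The hunk ends mid-statement, so the full error path is not visible here.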
diff --git a/src/pluto/smartcard.h b/src/pluto/smartcard.h
index c004ca7dd..864f630a1 100644
--- a/src/pluto/smartcard.h
+++ b/src/pluto/smartcard.h
@@ -69,7 +69,7 @@ extern bool pkcs11_keep_state;
extern bool pkcs11_proxy;
extern smartcard_t* scx_parse_number_slot_id(const char *number_slot_id);
-extern void scx_init(const char *module);
+extern void scx_init(const char *module, const char *init_args);
extern void scx_finalize(void);
extern bool scx_establish_context(smartcard_t *sc);
extern bool scx_login(smartcard_t *sc);
diff --git a/src/starter/args.c b/src/starter/args.c
index f6c697f74..605794281 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -173,6 +173,7 @@ static const token_info_t token_info[] =
{ ARG_STR, offsetof(starter_config_t, setup.virtual_private), NULL },
{ ARG_STR, offsetof(starter_config_t, setup.eapdir), NULL },
{ ARG_STR, offsetof(starter_config_t, setup.pkcs11module), NULL },
+ { ARG_STR, offsetof(starter_config_t, setup.pkcs11initargs), NULL },
{ ARG_ENUM, offsetof(starter_config_t, setup.pkcs11keepstate), LST_bool },
{ ARG_ENUM, offsetof(starter_config_t, setup.pkcs11proxy), LST_bool },
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 99851d5b6..970166c90 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -178,6 +178,7 @@ struct starter_config {
char *virtual_private;
char *eapdir;
char *pkcs11module;
+ char *pkcs11initargs;
bool pkcs11keepstate;
bool pkcs11proxy;
diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c
index 240d98391..5ea47f69f 100644
--- a/src/starter/invokepluto.c
+++ b/src/starter/invokepluto.c
@@ -187,6 +187,11 @@ starter_start_pluto (starter_config_t *cfg, bool debug)
arg[argc++] = "--pkcs11module";
arg[argc++] = cfg->setup.pkcs11module;
}
+ if (cfg->setup.pkcs11initargs)
+ {
+ arg[argc++] = "--pkcs11initargs";
+ arg[argc++] = cfg->setup.pkcs11initargs;
+ }
if (cfg->setup.pkcs11keepstate)
{
arg[argc++] = "--pkcs11keepstate";
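Review bot: The two added `arg[argc++]` stores raise the worst-case argument count of `starter_start_pluto` by two, and the declared capacity of `arg` is outside this hunk; confirm it was sized with headroom or bumped in this change so the larger maximum cannot overrun the array, ideally with a comment beside the declaration tying its size to the number of optional flags. Otherwise the new block mirrors the `pkcs11module` case directly above it. The function continues outside the hunk.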
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index d527fa0b4..8f5108ad8 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -41,6 +41,7 @@ typedef enum {
KW_VIRTUAL_PRIVATE,
KW_EAPDIR,
KW_PKCS11MODULE,
+ KW_PKCS11INITARGS,
KW_PKCS11KEEPSTATE,
KW_PKCS11PROXY,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index b08947117..573a2389a 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -50,6 +50,7 @@ virtual_private, KW_VIRTUAL_PRIVATE
eap, KW_EAP
eapdir, KW_EAPDIR
pkcs11module, KW_PKCS11MODULE
+pkcs11initargs, KW_PKCS11INITARGS
pkcs11keepstate, KW_PKCS11KEEPSTATE
pkcs11proxy, KW_PKCS11PROXY
keyexchange, KW_KEYEXCHANGE