[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_2_9_10-228-g61857ad
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_2_9_10-228-g61857ad |
|
Date: |
Thu, 17 Jun 2010 12:28:07 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=61857adefc8e03dcaa1458519d402c47c7d50400
The branch, master has been updated
via 61857adefc8e03dcaa1458519d402c47c7d50400 (commit)
via 702b4006c79dd2312013ca2fc71f23faba32f0e1 (commit)
from 2d13627dce95a43207647523020c1d74575f2097 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 61857adefc8e03dcaa1458519d402c47c7d50400
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Thu Jun 17 14:26:33 2010 +0200
Added option to the PKCS11 PIN callback to save PIN if the token is being
used
with a single pkcs11_privkey structure.
commit 702b4006c79dd2312013ca2fc71f23faba32f0e1
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Thu Jun 17 13:49:56 2010 +0200
For Private key operations new sessions are opened when are needed. This
makes the usage of the PKCS11 API thread safe. The only drawback is the
requirement to enter PIN on every operation.
-----------------------------------------------------------------------
Summary of changes:
lib/gnutls_errors.c | 2 +
lib/includes/gnutls/gnutls.h.in | 1 +
lib/includes/gnutls/pkcs11.h | 26 +--------
lib/pkcs11.c | 81 ++++++++++++++++++-------
lib/pkcs11_int.h | 12 +++-
lib/pkcs11_privkey.c | 122 ++++++++++++++++++---------------------
lib/pkcs11_write.c | 6 +-
src/cli.c | 10 +++
src/common.c | 2 +-
9 files changed, 143 insertions(+), 119 deletions(-)
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index 85d4bd6..3a27da8 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -282,6 +282,8 @@ static const gnutls_error_entry error_algorithms[] = {
GNUTLS_E_PARSING_ERROR, 1),
ERROR_ENTRY (N_("PKCS #11 error in PIN."),
GNUTLS_E_PKCS11_PIN_ERROR, 1),
+ ERROR_ENTRY (N_("PKCS #11 PIN should be saved."),
+ GNUTLS_E_PKCS11_PIN_SAVE, 1),
ERROR_ENTRY (N_("PKCS #11 error"),
GNUTLS_E_PKCS11_ERROR, 1),
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 7ea6ea3..e03e7b3 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1755,6 +1755,7 @@ extern "C"
#define GNUTLS_E_PKCS11_LOAD_ERROR -301
#define GNUTLS_E_PARSING_ERROR -302
#define GNUTLS_E_PKCS11_PIN_ERROR -303
+#define GNUTLS_E_PKCS11_PIN_SAVE -304
#define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index 22850d0..da30b48 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -25,31 +25,9 @@ typedef int (*gnutls_pkcs11_token_callback_t)(
#define GNUTLS_PKCS11_PIN_FINAL_TRY 1
#define GNUTLS_PKCS11_PIN_COUNT_LOW 2
-/* Callback for PKCS#11 PIN entry. The callback provides the PIN code
- * to unlock the token with label 'token_label' in the slot described
- * by 'slot_descr'.
- *
- * The PIN code, as a NUL-terminated ASCII string, should be copied
- * into the 'pin' buffer (of fixed length NE_SSL_P11PINLEN), and
- * return 0 to indicate success. Alternatively, the callback may
- * return -1 to indicate failure and cancel PIN entry (in which case,
- * the contents of the 'pin' parameter are ignored).
- *
- * When a PIN is required, the callback will be invoked repeatedly
- * (and indefinitely) until either the returned PIN code is correct,
- * the callback returns failure, or the token refuses login (e.g. when
- * the token is locked due to too many incorrect PINs!). For the
- * first such invocation, the 'attempt' counter will have value zero;
- * it will increase by one for each subsequent attempt.
- *
- * The NE_SSL_P11PIN_COUNT_LOW and/or NE_SSL_P11PIN_FINAL_TRY hints
- * may be set in the 'flags' argument, if these hints are made
- * available by the token; not all tokens expose these hints. */
typedef int (*gnutls_pkcs11_pin_callback_t)(void *userdata, int attempt,
- const char *slot_descr,
- const char *token_label,
- unsigned int flags,
- char *pin, size_t pin_max);
+ const char *slot_descr, const char *token_label,
+ unsigned int flags, char *pin, size_t pin_max);
struct gnutls_pkcs11_obj_st;
typedef struct gnutls_pkcs11_obj_st* gnutls_pkcs11_obj_t;
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index f2b3708..590db80 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -313,6 +313,28 @@ void gnutls_pkcs11_deinit (void)
* This function will set a callback function to be used when a PIN
* is required for PKCS 11 operations.
*
+ * Callback for PKCS#11 PIN entry. The callback provides the PIN code
+ * to unlock the token with label 'token_label' in the slot described
+ * by 'slot_descr'.
+ *
+ * The PIN code, as a NUL-terminated ASCII string, should be copied
+ * into the 'pin' buffer (of maximum size pin_max), and
+ * return 0 to indicate success. Alternatively, the callback may
+ * return a negative gnutls error code to indicate failure and cancel
+ * PIN entry (in which case, the contents of the 'pin' parameter are ignored).
+ *
+ * The special error code GNUTLS_E_PKCS11_PIN_SAVE can be returned to
+ * tell the caller to save the pin for future use with this token. This will
+ * only work if the token is being used with a single &gnutls_pkcs11_privkey_t
+ * structure and thread safety is not an issue.
+ *
+ * When a PIN is required, the callback will be invoked repeatedly
+ * (and indefinitely) until either the returned PIN code is correct,
+ * the callback returns failure, or the token refuses login (e.g. when
+ * the token is locked due to too many incorrect PINs!). For the
+ * first such invocation, the 'attempt' counter will have value zero;
+ * it will increase by one for each subsequent attempt.
+ *
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
**/
@@ -704,7 +726,7 @@ static void terminate_string(unsigned char *str, size_t len)
}
int pkcs11_find_object (pakchois_session_t** _pks, ck_object_handle_t* _obj,
- struct pkcs11_url_info *info, unsigned int flags)
+ struct pkcs11_url_info *info, token_creds_st* creds, unsigned int flags)
{
int ret;
pakchois_session_t *pks;
@@ -721,7 +743,7 @@ ck_rv_t rv;
return GNUTLS_E_INVALID_REQUEST;
}
- ret = pkcs11_open_session (&pks, info, flags);
+ ret = pkcs11_open_session (&pks, info, creds, flags);
if (ret < 0) {
gnutls_assert();
return ret;
@@ -763,7 +785,8 @@ fail:
return ret;
}
-int pkcs11_open_session (pakchois_session_t** _pks, struct pkcs11_url_info
*info, unsigned int flags)
+int pkcs11_open_session (pakchois_session_t** _pks, struct pkcs11_url_info
*info,
+ token_creds_st* creds, unsigned int flags)
{
ck_rv_t rv;
int x, z, ret;
@@ -800,7 +823,7 @@ int pkcs11_open_session (pakchois_session_t** _pks, struct
pkcs11_url_info *info
}
if (flags&SESSION_LOGIN) {
- ret = pkcs11_login(pks, &tinfo);
+ ret = pkcs11_login(pks, &tinfo, creds);
if (ret < 0) {
gnutls_assert();
pakchois_close_session(pks);
@@ -1478,10 +1501,11 @@ struct pkey_list {
size_t key_ids_size;
};
-int pkcs11_login(pakchois_session_t *pks, struct token_info *info)
+int pkcs11_login(pakchois_session_t *pks, struct token_info *info,
token_creds_st* creds)
{
- int attempt = 0;
+ int attempt = 0, ret;
ck_rv_t rv;
+ int pin_len;
if (pakchois_get_token_info(info->prov->module, info->sid, &info->tinfo)
!= CKR_OK) {
gnutls_assert();
@@ -1489,9 +1513,6 @@ int pkcs11_login(pakchois_session_t *pks, struct
token_info *info)
return GNUTLS_E_PKCS11_ERROR;
}
- /* force login on HW tokens. Some tokens will not list private keys
- * if login has not been performed.
- */
if ((info->tinfo.flags & CKF_LOGIN_REQUIRED) == 0) {
gnutls_assert();
_gnutls_debug_log( "pk11: No login required.\n");
@@ -1514,7 +1535,7 @@ int pkcs11_login(pakchois_session_t *pks, struct
token_info *info)
/* Otherwise, PIN entry is necessary for login, so fail if there's
* no callback. */
- if (!pin_func) {
+ if (!pin_func && !creds) {
gnutls_assert();
_gnutls_debug_log("pk11: No pin callback but login required.\n");
return GNUTLS_E_PKCS11_ERROR;
@@ -1537,21 +1558,35 @@ int pkcs11_login(pakchois_session_t *pks, struct
token_info *info)
}
}
- if (info->tinfo.flags & CKF_USER_PIN_COUNT_LOW)
- flags |= GNUTLS_PKCS11_PIN_COUNT_LOW;
- if (info->tinfo.flags & CKF_USER_PIN_FINAL_TRY)
- flags |= GNUTLS_PKCS11_PIN_FINAL_TRY;
+ if (creds != NULL && creds->pin_size > 0 &&
+ !(info->tinfo.flags & CKF_USER_PIN_FINAL_TRY)) {
+
+ memcpy(pin, creds->pin, creds->pin_size);
+ pin_len = creds->pin_size;
+ } else {
+ if (info->tinfo.flags & CKF_USER_PIN_COUNT_LOW)
+ flags |= GNUTLS_PKCS11_PIN_COUNT_LOW;
+ if (info->tinfo.flags & CKF_USER_PIN_FINAL_TRY)
+ flags |= GNUTLS_PKCS11_PIN_FINAL_TRY;
- terminate_string(info->tinfo.label, sizeof info->tinfo.label);
+ terminate_string(info->tinfo.label, sizeof info->tinfo.label);
- if (pin_func(pin_data, attempt++,
- (char *)info->sinfo.slot_description,
- (char *)info->tinfo.label, flags, pin, sizeof(pin))) {
- gnutls_assert();
- return GNUTLS_E_PKCS11_PIN_ERROR;
+ ret = pin_func(pin_data, attempt++,
+ (char *)info->sinfo.slot_description,
+ (char *)info->tinfo.label, flags, pin,
sizeof(pin));
+ if (ret < 0 && ret != GNUTLS_E_PKCS11_PIN_SAVE) {
+ gnutls_assert();
+ return GNUTLS_E_PKCS11_PIN_ERROR;
+ }
+ pin_len = strlen(pin);
+
+ if (ret == GNUTLS_E_PKCS11_PIN_SAVE && creds) {
+ memcpy(creds->pin, pin, pin_len);
+ creds->pin_size = pin_len;
+ }
}
- rv = pakchois_login(pks, CKU_USER, (unsigned char *)pin, strlen(pin));
+ rv = pakchois_login(pks, CKU_USER, (unsigned char *)pin, pin_len);
/* Try to scrub the pin off the stack. Clever compilers will
* probably optimize this away, oh well. */
memset(pin, 0, sizeof pin);
@@ -1697,7 +1732,7 @@ static int find_objs(pakchois_session_t *pks, struct
token_info *info, void* inp
memset(&plist, 0, sizeof(plist));
if (find_data->flags==GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY) {
- ret = pkcs11_login(pks, info);
+ ret = pkcs11_login(pks, info, NULL);
if (ret < 0) {
gnutls_assert();
return ret;
@@ -1714,7 +1749,7 @@ static int find_objs(pakchois_session_t *pks, struct
token_info *info, void* inp
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
} else if (find_data->flags==GNUTLS_PKCS11_OBJ_ATTR_ALL) {
- ret = pkcs11_login(pks, info);
+ ret = pkcs11_login(pks, info, NULL);
if (ret < 0) {
gnutls_assert();
return ret;
diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
index 63e73e0..04da57a 100644
--- a/lib/pkcs11_int.h
+++ b/lib/pkcs11_int.h
@@ -7,6 +7,11 @@
#define PKCS11_ID_SIZE 128
#define PKCS11_LABEL_SIZE 128
+typedef struct token_creds {
+ char pin[GNUTLS_PKCS11_MAX_PIN_LEN];
+ size_t pin_size;
+} token_creds_st;
+
struct token_info {
struct ck_token_info tinfo;
struct ck_slot_info sinfo;
@@ -51,7 +56,7 @@ int pkcs11_url_to_info(const char* url, struct
pkcs11_url_info* info);
int pkcs11_get_info(struct pkcs11_url_info *info, gnutls_pkcs11_obj_info_t
itype,
void* output, size_t* output_size);
-int pkcs11_login(pakchois_session_t *pks, struct token_info *info);
+int pkcs11_login(pakchois_session_t *pks, struct token_info *info,
token_creds_st *);
extern gnutls_pkcs11_token_callback_t token_func;
extern void* token_data;
@@ -61,7 +66,8 @@ int pkcs11_info_to_url(const struct pkcs11_url_info* info,
char** url);
#define SESSION_WRITE 1
#define SESSION_LOGIN 2
-int pkcs11_open_session (pakchois_session_t** _pks, struct pkcs11_url_info
*info, unsigned int flags);
+int pkcs11_open_session (pakchois_session_t** _pks, struct pkcs11_url_info
*info,
+ token_creds_st * creds, unsigned int flags);
int _pkcs11_traverse_tokens (find_func_t find_func, void* input, unsigned int
flags);
ck_object_class_t pkcs11_strtype_to_class(const char* type);
@@ -69,6 +75,6 @@ int pkcs11_token_matches_info( struct pkcs11_url_info* info,
struct ck_token_inf
/* flags are SESSION_* */
int pkcs11_find_object (pakchois_session_t** _pks, ck_object_handle_t* _obj,
- struct pkcs11_url_info *info, unsigned int flags);
+ struct pkcs11_url_info *info, token_creds_st*, unsigned int flags);
#endif
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index 6423839..67eddd9 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -32,11 +32,10 @@
#include <sign.h>
struct gnutls_pkcs11_privkey_st {
- pakchois_session_t *pks;
- ck_object_handle_t obj;
gnutls_pk_algorithm_t pk_algorithm;
unsigned int flags;
struct pkcs11_url_info info;
+ token_creds_st creds;
};
/**
@@ -55,7 +54,6 @@ int gnutls_pkcs11_privkey_init(gnutls_pkcs11_privkey_t * key)
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
}
- (*key)->obj = CK_INVALID_HANDLE;
return 0;
}
@@ -68,9 +66,6 @@ int gnutls_pkcs11_privkey_init(gnutls_pkcs11_privkey_t * key)
**/
void gnutls_pkcs11_privkey_deinit(gnutls_pkcs11_privkey_t key)
{
- if (key->pks) {
- pakchois_close_session(key->pks);
- }
gnutls_free(key);
}
@@ -112,27 +107,6 @@ int gnutls_pkcs11_privkey_get_info(gnutls_pkcs11_privkey_t
pkey,
return pkcs11_get_info(&pkey->info, itype, output, output_size);
}
-#define RETRY_BLOCK_START int retries = 0; retry:
-
-
-/* the rescan_slots() here is a dummy but if not
- * called my card fails to work when removed and inserted.
- * May have to do with the pkcs11 library I use.
- */
-#define RETRY_CHECK(rv, key) { \
- if (token_func && (rv ==
CKR_SESSION_HANDLE_INVALID||rv==CKR_DEVICE_REMOVED)) { \
- pkcs11_rescan_slots(); \
- pakchois_close_session(key->pks); \
- pkcs11_rescan_slots(); \
- key->pks = NULL; \
- key->obj = CK_INVALID_HANDLE; \
- ret = token_func(token_data, key->info.label,
retries++); \
- if (ret == 0) { \
- pkcs11_find_object (&key->pks, &key->obj,
&key->info, SESSION_LOGIN); \
- goto retry; \
- } \
- } \
- }
/**
* gnutls_pkcs11_privkey_sign_data:
@@ -193,6 +167,19 @@ gnutls_pkcs11_privkey_sign_data(gnutls_pkcs11_privkey_t
signer,
}
+#define FIND_OBJECT(pks, obj, key) \
+ do { \
+ int retries = 0; \
+ ret = pkcs11_find_object (&pks, &obj, &key->info, &key->creds, \
+ SESSION_LOGIN); \
+ if (ret < 0) { \
+ rv = token_func(token_data, key->info.label,
retries++); \
+ if (rv == 0) continue; \
+ gnutls_assert(); \
+ return ret; \
+ } \
+ } while (ret < 0);
+
/**
* gnutls_pkcs11_privkey_sign_hash:
* @key: Holds the key
@@ -214,13 +201,10 @@ int
gnutls_pkcs11_privkey_sign_hash(gnutls_pkcs11_privkey_t key,
int ret;
struct ck_mechanism mech;
unsigned long siglen;
+ pakchois_session_t *pks;
+ ck_object_handle_t obj;
- RETRY_BLOCK_START;
-
- if (key->obj == CK_INVALID_HANDLE || key->pks == NULL) {
- gnutls_assert();
- return GNUTLS_E_PKCS11_ERROR;
- }
+ FIND_OBJECT(pks, obj, key);
mech.mechanism =
key->pk_algorithm == GNUTLS_PK_DSA ? CKM_DSA : CKM_RSA_PKCS;
@@ -229,37 +213,42 @@ int
gnutls_pkcs11_privkey_sign_hash(gnutls_pkcs11_privkey_t key,
/* Initialize signing operation; using the private key discovered
* earlier. */
- rv = pakchois_sign_init(key->pks, &mech, key->obj);
+ rv = pakchois_sign_init(pks, &mech, obj);
if (rv != CKR_OK) {
- RETRY_CHECK(rv, key);
gnutls_assert();
- return GNUTLS_E_PK_SIGN_FAILED;
+ ret = GNUTLS_E_PK_SIGN_FAILED;
+ goto cleanup;
}
/* Work out how long the signature must be: */
- rv = pakchois_sign(key->pks, hash->data, hash->size, NULL,
+ rv = pakchois_sign(pks, hash->data, hash->size, NULL,
&siglen);
if (rv != CKR_OK) {
- RETRY_CHECK(rv, key);
gnutls_assert();
- return GNUTLS_E_PK_SIGN_FAILED;
+ ret = GNUTLS_E_PK_SIGN_FAILED;
+ goto cleanup;
}
signature->data = gnutls_malloc(siglen);
signature->size = siglen;
- rv = pakchois_sign(key->pks, hash->data, hash->size,
+ rv = pakchois_sign(pks, hash->data, hash->size,
signature->data, &siglen);
if (rv != CKR_OK) {
gnutls_free(signature->data);
- RETRY_CHECK(rv, key);
gnutls_assert();
- return GNUTLS_E_PK_SIGN_FAILED;
+ ret = GNUTLS_E_PK_SIGN_FAILED;
+ goto cleanup;
}
signature->size = siglen;
- return 0;
+ ret = 0;
+
+cleanup:
+ pakchois_close_session(pks);
+
+ return ret;
}
@@ -288,17 +277,17 @@ int
gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey,
return ret;
}
- if (pkey->info.id[0] == 0) {
+ pkey->flags = flags;
+
+ if (pkey->info.type[0] != 0 && strcmp(pkey->info.type, "private") != 0)
{
gnutls_assert();
- return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+ return GNUTLS_E_INVALID_REQUEST;
}
- ret = pkcs11_find_object (&pkey->pks, &pkey->obj, &pkey->info,
SESSION_LOGIN);
- if (ret < 0) {
+ if (pkey->info.id[0] == 0) {
gnutls_assert();
- return ret;
+ return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
- pkey->flags = flags;
return 0;
}
@@ -325,14 +314,11 @@
gnutls_pkcs11_privkey_decrypt_data(gnutls_pkcs11_privkey_t key,
int ret;
struct ck_mechanism mech;
unsigned long siglen;
+ pakchois_session_t *pks;
+ ck_object_handle_t obj;
- RETRY_BLOCK_START;
-
- if (key->obj == CK_INVALID_HANDLE) {
- gnutls_assert();
- return GNUTLS_E_PKCS11_ERROR;
- }
-
+ FIND_OBJECT(pks, obj, key);
+
mech.mechanism =
key->pk_algorithm == GNUTLS_PK_DSA ? CKM_DSA : CKM_RSA_PKCS;
mech.parameter = NULL;
@@ -340,36 +326,42 @@
gnutls_pkcs11_privkey_decrypt_data(gnutls_pkcs11_privkey_t key,
/* Initialize signing operation; using the private key discovered
* earlier. */
- rv = pakchois_decrypt_init(key->pks, &mech, key->obj);
+ rv = pakchois_decrypt_init(pks, &mech, obj);
if (rv != CKR_OK) {
- RETRY_CHECK(rv, key);
gnutls_assert();
- return GNUTLS_E_PK_DECRYPTION_FAILED;
+ ret = GNUTLS_E_PK_DECRYPTION_FAILED;
+ goto cleanup;
}
/* Work out how long the plaintext must be: */
- rv = pakchois_decrypt(key->pks, ciphertext->data, ciphertext->size,
NULL,
+ rv = pakchois_decrypt(pks, ciphertext->data, ciphertext->size, NULL,
&siglen);
if (rv != CKR_OK) {
- RETRY_CHECK(rv, key);
gnutls_assert();
- return GNUTLS_E_PK_DECRYPTION_FAILED;
+ ret = GNUTLS_E_PK_DECRYPTION_FAILED;
+ goto cleanup;
}
plaintext->data = gnutls_malloc(siglen);
plaintext->size = siglen;
- rv = pakchois_decrypt(key->pks, ciphertext->data, ciphertext->size,
+ rv = pakchois_decrypt(pks, ciphertext->data, ciphertext->size,
plaintext->data, &siglen);
if (rv != CKR_OK) {
gnutls_free(plaintext->data);
gnutls_assert();
- return GNUTLS_E_PK_DECRYPTION_FAILED;
+ ret = GNUTLS_E_PK_DECRYPTION_FAILED;
+ goto cleanup;
}
plaintext->size = siglen;
- return 0;
+ ret = 0;
+
+cleanup:
+ pakchois_close_session(pks);
+
+ return ret;
}
/**
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index 87bcbd0..3ab1b3a 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -64,7 +64,7 @@ int gnutls_pkcs11_copy_x509_crt(const char* token_url,
gnutls_x509_crt_t crt,
return ret;
}
- ret = pkcs11_open_session (&pks, &info, SESSION_WRITE|SESSION_LOGIN);
+ ret = pkcs11_open_session (&pks, &info, NULL,
SESSION_WRITE|SESSION_LOGIN);
if (ret < 0) {
gnutls_assert();
return ret;
@@ -201,7 +201,7 @@ int gnutls_pkcs11_copy_x509_privkey(const char* token_url,
goto cleanup;
}
- ret = pkcs11_open_session (&pks, &info, SESSION_WRITE|SESSION_LOGIN);
+ ret = pkcs11_open_session (&pks, &info, NULL,
SESSION_WRITE|SESSION_LOGIN);
if (ret < 0) {
gnutls_assert();
return ret;
@@ -405,7 +405,7 @@ static int delete_obj_url(pakchois_session_t *pks, struct
token_info *info, void
}
}
- ret = pkcs11_login(pks, info);
+ ret = pkcs11_login(pks, info, NULL);
if (ret < 0) {
gnutls_assert();
return ret;
diff --git a/src/cli.c b/src/cli.c
index 2be32d8..bab94c2 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -238,6 +238,11 @@ load_keys (void)
gnutls_pkcs11_privkey_init (&pkcs11_key);
ret = gnutls_pkcs11_privkey_import_url (pkcs11_key, x509_keyfile, 0);
+ if (ret < 0)
+ {
+ fprintf(stderr, "*** Error loading url: %s\n",
gnutls_strerror(ret));
+ exit(1);
+ }
}
else
{
@@ -294,6 +299,11 @@ load_keys (void)
gnutls_pkcs11_privkey_init (&pkcs11_key);
ret = gnutls_pkcs11_privkey_import_url (pkcs11_key, pgp_keyfile, 0);
+ if (ret < 0)
+ {
+ fprintf(stderr, "*** Error loading url: %s\n",
gnutls_strerror(ret));
+ exit(1);
+ }
}
else
{
diff --git a/src/common.c b/src/common.c
index 3a7ded6..6fde2ec 100644
--- a/src/common.c
+++ b/src/common.c
@@ -883,7 +883,7 @@ int len;
memcpy(pin, password, len);
pin[len] = 0;
- return 0;
+ return GNUTLS_E_PKCS11_PIN_SAVE; /* 0 to not save it */
}
static int token_callback(void* user, const char* label, const unsigned retry)
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_2_9_10-228-g61857ad,
Nikos Mavrogiannopoulos <=