[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_2_9_10-281-ge2111f1
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_2_9_10-281-ge2111f1 |
|
Date: |
Fri, 02 Jul 2010 18:05:30 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=e2111f1b689826a1187921631801eee876ed8fa5
The branch, master has been updated
via e2111f1b689826a1187921631801eee876ed8fa5 (commit)
via f1752e1d55a706af81e337e7c852bf85633686dc (commit)
via 3be9f27677f4a939ffcb7b19f7d63b21d44c48ef (commit)
via c1f531f9302cd1b7264f73985158a3b0fb2b1835 (commit)
via 7a5065ecfee46c77ace6db55b8c3c19933ae659d (commit)
via 557368ad3afbe8d247aa79737d888d53afaf2264 (commit)
via de64c80eef25fb35724a5801de328a8b79a453f5 (commit)
from 7bc857765c3f8b6799a47d82b583e9616c0cfd39 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit e2111f1b689826a1187921631801eee876ed8fa5
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Jul 2 19:52:52 2010 +0200
PIN callback supplies the token URL. The callback function in common.c
will cache PIN if requested for second time.
commit f1752e1d55a706af81e337e7c852bf85633686dc
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Jul 2 19:24:39 2010 +0200
Reverted the SAVE_PIN approach in PIN callback. The new approach will be to
provide
enough information for the callback to save the PIN itself.
commit 3be9f27677f4a939ffcb7b19f7d63b21d44c48ef
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Jul 2 19:19:18 2010 +0200
removed unneeded function.
commit c1f531f9302cd1b7264f73985158a3b0fb2b1835
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Jul 2 19:17:43 2010 +0200
More uses of gnutls_certificate_free_ca_names
commit 7a5065ecfee46c77ace6db55b8c3c19933ae659d
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Jul 2 19:16:10 2010 +0200
Do not allow setting NULL lock functions
commit 557368ad3afbe8d247aa79737d888d53afaf2264
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Jul 2 19:14:57 2010 +0200
corrected lock usage.
commit de64c80eef25fb35724a5801de328a8b79a453f5
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri Jul 2 19:14:09 2010 +0200
bumped library version
-----------------------------------------------------------------------
Summary of changes:
doc/examples/ex-cert-select-pkcs11.c | 30 ++++
lib/gcrypt/init.c | 5 -
lib/gnutls_cert.c | 5 +-
lib/gnutls_errors.c | 2 -
lib/includes/gnutls/gnutls.h.in | 1 -
lib/includes/gnutls/pkcs11.h | 6 +-
lib/locks.c | 3 +
lib/m4/hooks.m4 | 4 +-
lib/nettle/rnd.c | 4 +-
lib/pkcs11.c | 267 ++++++++++++++++------------------
lib/pkcs11_int.h | 24 +--
lib/pkcs11_privkey.c | 3 +-
lib/pkcs11_write.c | 4 +-
src/common.c | 21 +++-
src/pkcs11.c | 47 +++++-
15 files changed, 239 insertions(+), 187 deletions(-)
diff --git a/doc/examples/ex-cert-select-pkcs11.c
b/doc/examples/ex-cert-select-pkcs11.c
index 8ff4d2e..0a6f5e9 100644
--- a/doc/examples/ex-cert-select-pkcs11.c
+++ b/doc/examples/ex-cert-select-pkcs11.c
@@ -23,6 +23,7 @@
#define MAX_BUF 1024
#define MSG "GET / HTTP/1.0\r\n\r\n"
+#define MIN(x,y) (((x)<(y))?(x):(y))
#define CAFILE "ca.pem"
#define CERT_URL "pkcs11:manufacturer=EnterSafe;object=Certificate" \
@@ -76,6 +77,31 @@ load_keys (void)
}
+static int pin_callback(void* user, int attempt, const char *token_url,
+ const char *token_label, unsigned int flags, char* pin, size_t pin_max)
+{
+const char* password;
+int len;
+
+ printf("PIN required for token '%s' with URL '%s'\n", token_label,
token_url);
+ if (flags & GNUTLS_PKCS11_PIN_FINAL_TRY)
+ printf("*** This is the final try before locking!\n");
+ if (flags & GNUTLS_PKCS11_PIN_COUNT_LOW)
+ printf("*** Only few tries left before locking!\n");
+
+ password = getpass("Enter pin: ");
+ if (password==NULL || password[0] == 0) {
+ fprintf(stderr, "No password given\n");
+ exit(1);
+ }
+
+ len = MIN(pin_max,strlen(password));
+ memcpy(pin, password, len);
+ pin[len] = 0;
+
+ return 0;
+}
+
int
main (void)
{
@@ -88,6 +114,10 @@ main (void)
*/
gnutls_global_init ();
+ /* PKCS11 private key operations might require PIN.
+ * Register a callback.
+ */
+ gnutls_pkcs11_set_pin_function (pin_callback, NULL);
load_keys ();
diff --git a/lib/gcrypt/init.c b/lib/gcrypt/init.c
index a511ac5..4e2a065 100644
--- a/lib/gcrypt/init.c
+++ b/lib/gcrypt/init.c
@@ -59,11 +59,6 @@ static int wrap_gcry_mutex_deinit(void** m)
return 0;
}
-void _gnutls_gcry_register_mutexes(void)
-{
-
-}
-
int gnutls_crypto_init(void)
{
/* Initialize libgcrypt if it hasn't already been initialized. */
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 2f41f28..0e278c7 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -179,7 +179,10 @@ gnutls_certificate_get_openpgp_keyring
(gnutls_certificate_credentials_t sc,
*
* This function will delete all the CA name in the given
* credentials. Clients may call this to save some memory since in
- * client side the CA names are not used.
+ * client side the CA names are not used. Servers might want to use
+ * this function if a large list of trusted CAs is present and
+ * sending the names of it would just consume bandwidth without providing
+ * information to client.
*
* CA names are used by servers to advertize the CAs they support to
* clients.
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index 22ff77e..8e6bd40 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -285,8 +285,6 @@ static const gnutls_error_entry error_algorithms[] = {
ERROR_ENTRY (N_("PKCS #11 error in PIN."),
GNUTLS_E_PKCS11_PIN_ERROR, 1),
ERROR_ENTRY (N_("PKCS #11 PIN should be saved."),
- GNUTLS_E_PKCS11_PIN_SAVE, 1),
- ERROR_ENTRY (N_("PKCS #11 error"),
GNUTLS_E_PKCS11_ERROR, 1),
ERROR_ENTRY (N_("PKCS #11 error in slot"),
GNUTLS_E_PKCS11_SLOT_ERROR, 1),
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index f115691..6ff039b 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1744,7 +1744,6 @@ extern "C"
#define GNUTLS_E_PKCS11_LOAD_ERROR -301
#define GNUTLS_E_PARSING_ERROR -302
#define GNUTLS_E_PKCS11_PIN_ERROR -303
-#define GNUTLS_E_PKCS11_PIN_SAVE -304
#define GNUTLS_E_PKCS11_SLOT_ERROR -305
#define GNUTLS_E_LOCKING_ERROR -306
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index 8ef30a2..dd5ae55 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -22,11 +22,11 @@ typedef int (*gnutls_pkcs11_token_callback_t)(
);
/* flags */
-#define GNUTLS_PKCS11_PIN_FINAL_TRY 1
-#define GNUTLS_PKCS11_PIN_COUNT_LOW 2
+#define GNUTLS_PKCS11_PIN_FINAL_TRY (1<<0)
+#define GNUTLS_PKCS11_PIN_COUNT_LOW (1<<1)
typedef int (*gnutls_pkcs11_pin_callback_t)(void *userdata, int attempt,
- const char *slot_descr, const char *token_label,
+ const char *token_url, const char *token_label,
unsigned int flags, char *pin, size_t pin_max);
struct gnutls_pkcs11_obj_st;
diff --git a/lib/locks.c b/lib/locks.c
index c017fc1..c758d80 100644
--- a/lib/locks.c
+++ b/lib/locks.c
@@ -173,6 +173,9 @@ mutex_unlock_func gnutls_mutex_unlock =
gnutls_system_mutex_unlock;
void gnutls_global_set_mutex(mutex_init_func init, mutex_deinit_func deinit,
mutex_lock_func lock, mutex_unlock_func unlock)
{
+ if (init == NULL || deinit == NULL || lock == NULL || unlock == NULL)
+ return;
+
gnutls_mutex_init = init;
gnutls_mutex_deinit = deinit;
gnutls_mutex_lock = lock;
diff --git a/lib/m4/hooks.m4 b/lib/m4/hooks.m4
index 720a675..4dfe20b 100644
--- a/lib/m4/hooks.m4
+++ b/lib/m4/hooks.m4
@@ -26,8 +26,8 @@ AC_DEFUN([LIBGNUTLS_HOOKS],
# Interfaces changed/added/removed: CURRENT++ REVISION=0
# Interfaces added: AGE++
# Interfaces removed: AGE=0
- AC_SUBST(LT_CURRENT, 42)
- AC_SUBST(LT_REVISION, 6)
+ AC_SUBST(LT_CURRENT, 43)
+ AC_SUBST(LT_REVISION, 9)
AC_SUBST(LT_AGE, 16)
AC_SUBST(CXX_LT_CURRENT, 27)
diff --git a/lib/nettle/rnd.c b/lib/nettle/rnd.c
index 169049d..26d9e12 100644
--- a/lib/nettle/rnd.c
+++ b/lib/nettle/rnd.c
@@ -41,8 +41,8 @@
static void* rnd_mutex;
-#define RND_LOCK if (gnutls_mutex_lock(&rnd_mutex)!=0) abort()
-#define RND_UNLOCK if (gnutls_mutex_unlock(&rnd_mutex)!=0) abort()
+#define RND_LOCK if (gnutls_mutex_lock(rnd_mutex)!=0) abort()
+#define RND_UNLOCK if (gnutls_mutex_unlock(rnd_mutex)!=0) abort()
enum {
RANDOM_SOURCE_TRIVIA=0,
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 0d1d8d4..365303c 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -418,19 +418,14 @@ void gnutls_pkcs11_deinit(void)
* is required for PKCS 11 operations.
*
* Callback for PKCS#11 PIN entry. The callback provides the PIN code
- * to unlock the token with label 'token_label' in the slot described
- * by 'slot_descr'.
+ * to unlock the token with label 'token_label', specified by the URL
+ * 'token_url'.
*
* The PIN code, as a NUL-terminated ASCII string, should be copied
* into the 'pin' buffer (of maximum size pin_max), and
* return 0 to indicate success. Alternatively, the callback may
- * return a negative gnutls error code to indicate failure and cancel
+ * return a negative gnutls error code to indicate failure and cancel
* PIN entry (in which case, the contents of the 'pin' parameter are ignored).
- *
- * The special error code GNUTLS_E_PKCS11_PIN_SAVE can be returned to
- * tell the caller to save the pin for future use with this token. This will
- * only work if the token is being used with a single &gnutls_pkcs11_privkey_t
- * structure and thread safety is not an issue.
*
* When a PIN is required, the callback will be invoked repeatedly
* (and indefinitely) until either the returned PIN code is correct,
@@ -804,8 +799,7 @@ void gnutls_pkcs11_obj_deinit(gnutls_pkcs11_obj_t crt)
**/
int
gnutls_pkcs11_obj_export(gnutls_pkcs11_obj_t obj,
- void *output_data,
- size_t * output_data_size)
+ void *output_data, size_t * output_data_size)
{
if (obj == NULL || obj->raw.data == NULL) {
gnutls_assert();
@@ -840,8 +834,7 @@ static void terminate_string(unsigned char *str, size_t len)
int pkcs11_find_object(pakchois_session_t ** _pks,
ck_object_handle_t * _obj,
- struct pkcs11_url_info *info,
- token_creds_st * creds, unsigned int flags)
+ struct pkcs11_url_info *info, unsigned int flags)
{
int ret;
pakchois_session_t *pks;
@@ -858,8 +851,7 @@ int pkcs11_find_object(pakchois_session_t ** _pks,
return GNUTLS_E_INVALID_REQUEST;
}
- ret =
- pkcs11_open_session(&pks, info, creds, flags & SESSION_LOGIN);
+ ret = pkcs11_open_session(&pks, info, flags & SESSION_LOGIN);
if (ret < 0) {
gnutls_assert();
return ret;
@@ -901,9 +893,23 @@ int pkcs11_find_object(pakchois_session_t ** _pks,
return ret;
}
+static void fix_strings(struct token_info *info)
+{
+ terminate_string(info->tinfo.manufacturer_id,
+ sizeof info->
+ tinfo.manufacturer_id);
+ terminate_string(info->tinfo.label,
+ sizeof info->tinfo.label);
+ terminate_string(info->tinfo.model,
+ sizeof info->tinfo.model);
+ terminate_string(info->tinfo.serial_number,
+ sizeof info->tinfo.serial_number);
+ terminate_string(info->sinfo.slot_description,
+ sizeof info->sinfo.slot_description);
+}
+
int pkcs11_open_session(pakchois_session_t ** _pks,
- struct pkcs11_url_info *info,
- token_creds_st * creds, unsigned int flags)
+ struct pkcs11_url_info *info, unsigned int flags)
{
ck_rv_t rv;
int x, z, ret;
@@ -938,15 +944,7 @@ int pkcs11_open_session(pakchois_session_t ** _pks,
}
/* XXX make wrapper for token_info? */
- terminate_string(tinfo.tinfo.manufacturer_id,
- sizeof tinfo.tinfo.
- manufacturer_id);
- terminate_string(tinfo.tinfo.label,
- sizeof tinfo.tinfo.label);
- terminate_string(tinfo.tinfo.model,
- sizeof tinfo.tinfo.model);
- terminate_string(tinfo.tinfo.serial_number,
- sizeof tinfo.tinfo.serial_number);
+ fix_strings(&tinfo);
if (pkcs11_token_matches_info(info, &tinfo.tinfo) <
0) {
@@ -954,7 +952,7 @@ int pkcs11_open_session(pakchois_session_t ** _pks,
}
if (flags & SESSION_LOGIN) {
- ret = pkcs11_login(pks, &tinfo, creds);
+ ret = pkcs11_login(pks, &tinfo);
if (ret < 0) {
gnutls_assert();
pakchois_close_session(pks);
@@ -1012,25 +1010,17 @@ int _pkcs11_traverse_tokens(find_func_t find_func, void
*input,
goto next;
}
+ /* XXX make wrapper for token_info? */
+ fix_strings(&info);
+
if (flags & SESSION_LOGIN) {
- ret = pkcs11_login(pks, &info, NULL);
+ ret = pkcs11_login(pks, &info);
if (ret < 0) {
gnutls_assert();
return ret;
}
}
- /* XXX make wrapper for token_info? */
- terminate_string(info.tinfo.manufacturer_id,
- sizeof info.tinfo.
- manufacturer_id);
- terminate_string(info.tinfo.label,
- sizeof info.tinfo.label);
- terminate_string(info.tinfo.model,
- sizeof info.tinfo.model);
- terminate_string(info.tinfo.serial_number,
- sizeof info.tinfo.serial_number);
-
ret = find_func(pks, &info, input);
next:
@@ -1198,18 +1188,18 @@ static int pkcs11_obj_import_pubkey(pakchois_session_t
* pks,
if (ret >= 0)
ret =
- _gnutls_set_datum(&crt->
- pubkey[1],
+ _gnutls_set_datum(&crt->pubkey
+ [1],
a[1].value,
- a[1].
- value_len);
+ a
+ [1].value_len);
if (ret < 0) {
gnutls_assert();
- _gnutls_free_datum(&crt->
- pubkey[1]);
- _gnutls_free_datum(&crt->
- pubkey[0]);
+ _gnutls_free_datum(&crt->pubkey
+ [1]);
+ _gnutls_free_datum(&crt->pubkey
+ [0]);
return GNUTLS_E_MEMORY_ERROR;
}
} else {
@@ -1235,18 +1225,18 @@ static int pkcs11_obj_import_pubkey(pakchois_session_t
* pks,
if (ret >= 0)
ret =
- _gnutls_set_datum(&crt->
- pubkey[1],
+ _gnutls_set_datum(&crt->pubkey
+ [1],
a[1].value,
- a[1].
- value_len);
+ a
+ [1].value_len);
if (ret < 0) {
gnutls_assert();
- _gnutls_free_datum(&crt->
- pubkey[1]);
- _gnutls_free_datum(&crt->
- pubkey[0]);
+ _gnutls_free_datum(&crt->pubkey
+ [1]);
+ _gnutls_free_datum(&crt->pubkey
+ [0]);
return GNUTLS_E_MEMORY_ERROR;
}
} else {
@@ -1270,22 +1260,22 @@ static int pkcs11_obj_import_pubkey(pakchois_session_t
* pks,
if (ret >= 0)
ret =
- _gnutls_set_datum(&crt->
- pubkey[3],
+ _gnutls_set_datum(&crt->pubkey
+ [3],
a[1].value,
- a[1].
- value_len);
+ a
+ [1].value_len);
if (ret < 0) {
gnutls_assert();
- _gnutls_free_datum(&crt->
- pubkey[0]);
- _gnutls_free_datum(&crt->
- pubkey[1]);
- _gnutls_free_datum(&crt->
- pubkey[2]);
- _gnutls_free_datum(&crt->
- pubkey[3]);
+ _gnutls_free_datum(&crt->pubkey
+ [0]);
+ _gnutls_free_datum(&crt->pubkey
+ [1]);
+ _gnutls_free_datum(&crt->pubkey
+ [2]);
+ _gnutls_free_datum(&crt->pubkey
+ [3]);
return GNUTLS_E_MEMORY_ERROR;
}
} else {
@@ -1470,7 +1460,8 @@ static int find_obj_url(pakchois_session_t * pks, struct
token_info *info,
if (pakchois_get_attribute_value(pks, obj, a, 2) == CKR_OK) {
gnutls_datum_t id =
{ find_data->crt->info.certid_raw,
- find_data->crt->info.certid_raw_size };
+ find_data->crt->info.certid_raw_size
+ };
gnutls_datum_t data =
{ a[0].value, a[0].value_len };
gnutls_datum_t label =
@@ -1479,9 +1470,8 @@ static int find_obj_url(pakchois_session_t * pks, struct
token_info *info,
if (class == CKO_PUBLIC_KEY) {
ret =
pkcs11_obj_import_pubkey(pks, obj,
- find_data->
- crt, &id,
- &label,
+ find_data->crt,
+ &id, &label,
&info->tinfo);
} else {
ret =
@@ -1519,12 +1509,12 @@ static int find_obj_url(pakchois_session_t * pks,
struct token_info *info,
unsigned int pkcs11_obj_flags_to_int(unsigned int flags)
{
- switch(flags) {
- case GNUTLS_PKCS11_OBJ_FLAG_LOGIN:
- return SESSION_LOGIN;
- default:
- return 0;
- }
+ switch (flags) {
+ case GNUTLS_PKCS11_OBJ_FLAG_LOGIN:
+ return SESSION_LOGIN;
+ default:
+ return 0;
+ }
}
/**
@@ -1542,7 +1532,7 @@ unsigned int pkcs11_obj_flags_to_int(unsigned int flags)
* negative error value.
**/
int gnutls_pkcs11_obj_import_url(gnutls_pkcs11_obj_t cert, const char *url,
- unsigned int flags)
+ unsigned int flags)
{
int ret;
struct url_find_data_st find_data;
@@ -1556,7 +1546,9 @@ int gnutls_pkcs11_obj_import_url(gnutls_pkcs11_obj_t
cert, const char *url,
return ret;
}
- ret = _pkcs11_traverse_tokens(find_obj_url, &find_data,
pkcs11_obj_flags_to_int(flags));
+ ret =
+ _pkcs11_traverse_tokens(find_obj_url, &find_data,
+ pkcs11_obj_flags_to_int(flags));
if (ret < 0) {
gnutls_assert();
@@ -1737,25 +1729,31 @@ struct pkey_list {
size_t key_ids_size;
};
-int pkcs11_login(pakchois_session_t * pks, struct token_info *info,
- token_creds_st * creds)
+int pkcs11_login(pakchois_session_t * pks, const struct token_info *info)
{
int attempt = 0, ret;
ck_rv_t rv;
+ char* token_url;
int pin_len;
+ struct pkcs11_url_info uinfo;
- if (pakchois_get_token_info
- (info->prov->module, info->sid, &info->tinfo) != CKR_OK) {
- gnutls_assert();
- _gnutls_debug_log("pk11: GetTokenInfo failed\n");
- return GNUTLS_E_PKCS11_ERROR;
- }
if ((info->tinfo.flags & CKF_LOGIN_REQUIRED) == 0) {
gnutls_assert();
_gnutls_debug_log("pk11: No login required.\n");
return 0;
}
+
+ memset(&uinfo, 0, sizeof(uinfo));
+ strcpy(uinfo.manufacturer, info->tinfo.manufacturer_id);
+ strcpy(uinfo.token, info->tinfo.label);
+ strcpy(uinfo.model, info->tinfo.model);
+ strcpy(uinfo.serial, info->tinfo.serial_number);
+ ret = pkcs11_info_to_url(&uinfo, &token_url);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
/* For a token with a "protected" (out-of-band) authentication
* path, calling login with a NULL username is all that is
@@ -1767,78 +1765,60 @@ int pkcs11_login(pakchois_session_t * pks, struct
token_info *info,
gnutls_assert();
_gnutls_debug_log
("pk11: Protected login failed.\n");
- return GNUTLS_E_PKCS11_ERROR;
+ ret = GNUTLS_E_PKCS11_ERROR;
+ goto cleanup;
}
}
/* Otherwise, PIN entry is necessary for login, so fail if there's
* no callback. */
- if (!pin_func && !creds) {
+ if (!pin_func) {
gnutls_assert();
_gnutls_debug_log
("pk11: No pin callback but login required.\n");
- return GNUTLS_E_PKCS11_ERROR;
+ ret = GNUTLS_E_PKCS11_ERROR;
+ goto cleanup;
}
- terminate_string(info->sinfo.slot_description,
- sizeof info->sinfo.slot_description);
-
do {
+ struct ck_token_info tinfo;
char pin[GNUTLS_PKCS11_MAX_PIN_LEN];
- unsigned int flags = 0;
+ unsigned int flags;
/* If login has been attempted once already, check the token
* status again, the flags might change. */
if (attempt) {
if (pakchois_get_token_info
(info->prov->module, info->sid,
- &info->tinfo) != CKR_OK) {
+ &tinfo) != CKR_OK) {
gnutls_assert();
_gnutls_debug_log
("pk11: GetTokenInfo failed\n");
- return GNUTLS_E_PKCS11_ERROR;
+ ret = GNUTLS_E_PKCS11_ERROR;
+ goto cleanup;
}
}
- if (creds != NULL && creds->pin_size > 0 &&
- !(info->tinfo.flags & CKF_USER_PIN_FINAL_TRY)) {
-
- memcpy(pin, creds->pin, creds->pin_size);
- pin_len = creds->pin_size;
-
- ret = 0;
- } else {
- if (info->tinfo.flags & CKF_USER_PIN_COUNT_LOW)
- flags |= GNUTLS_PKCS11_PIN_COUNT_LOW;
- if (info->tinfo.flags & CKF_USER_PIN_FINAL_TRY)
- flags |= GNUTLS_PKCS11_PIN_FINAL_TRY;
-
- terminate_string(info->tinfo.label,
- sizeof info->tinfo.label);
-
- ret = pin_func(pin_data, attempt++,
- (char *) info->sinfo.
- slot_description,
- (char *) info->tinfo.label, flags,
- pin, sizeof(pin));
- if (ret < 0 && ret != GNUTLS_E_PKCS11_PIN_SAVE) {
- gnutls_assert();
- return GNUTLS_E_PKCS11_PIN_ERROR;
- }
- pin_len = strlen(pin);
+ flags = 0;
+ if (tinfo.flags & CKF_USER_PIN_COUNT_LOW)
+ flags |= GNUTLS_PKCS11_PIN_COUNT_LOW;
+ if (tinfo.flags & CKF_USER_PIN_FINAL_TRY)
+ flags |= GNUTLS_PKCS11_PIN_FINAL_TRY;
+ ret = pin_func(pin_data, attempt++,
+ (char *) token_url,
+ (char *) info->tinfo.label, flags,
+ pin, sizeof(pin));
+ if (ret < 0) {
+ gnutls_assert();
+ ret = GNUTLS_E_PKCS11_PIN_ERROR;
+ goto cleanup;
}
+ pin_len = strlen(pin);
rv = pakchois_login(pks, CKU_USER, (unsigned char *) pin,
pin_len);
- if (ret == GNUTLS_E_PKCS11_PIN_SAVE && creds
- && (rv == CKR_OK
- || rv == CKR_USER_ALREADY_LOGGED_IN)) {
- memcpy(creds->pin, pin, pin_len);
- creds->pin_size = pin_len;
- }
-
/* Try to scrub the pin off the stack. Clever compilers will
* probably optimize this away, oh well. */
memset(pin, 0, sizeof pin);
@@ -1846,9 +1826,14 @@ int pkcs11_login(pakchois_session_t * pks, struct
token_info *info,
_gnutls_debug_log("pk11: Login result = %lu\n", rv);
- return (rv == CKR_OK
+
+ ret = (rv == CKR_OK
|| rv ==
CKR_USER_ALREADY_LOGGED_IN) ? 0 : pkcs11_rv_to_err(rv);
+
+cleanup:
+ gnutls_free(token_url);
+ return ret;
}
static int find_privkeys(pakchois_session_t * pks, struct token_info *info,
@@ -2155,9 +2140,8 @@ static int find_objs(pakchois_session_t * pks, struct
token_info *info,
if (find_data->current < *find_data->n_list) {
ret =
- gnutls_pkcs11_obj_init(&find_data->
- p_list[find_data->
- current]);
+ gnutls_pkcs11_obj_init(&find_data->p_list
+ [find_data->current]);
if (ret < 0) {
gnutls_assert();
goto fail;
@@ -2166,18 +2150,15 @@ static int find_objs(pakchois_session_t * pks, struct
token_info *info,
if (class == CKO_PUBLIC_KEY) {
ret =
pkcs11_obj_import_pubkey(pks, obj,
- find_data->
- p_list
- [find_data->
- current],
+ find_data->p_list
+
[find_data->current],
&id, &label,
&info->tinfo);
} else {
ret =
pkcs11_obj_import(class,
- find_data->
- p_list[find_data->
- current],
+ find_data->p_list
+ [find_data->current],
&value, &id, &label,
&info->tinfo);
}
@@ -2231,7 +2212,7 @@ int gnutls_pkcs11_obj_list_import_url(gnutls_pkcs11_obj_t
* p_list,
unsigned int *n_list,
const char *url,
gnutls_pkcs11_obj_attr_t attrs,
- unsigned int flags)
+ unsigned int flags)
{
int ret;
struct crt_find_data_st find_data;
@@ -2252,7 +2233,9 @@ int gnutls_pkcs11_obj_list_import_url(gnutls_pkcs11_obj_t
* p_list,
return ret;
}
- ret = _pkcs11_traverse_tokens(find_objs, &find_data,
pkcs11_obj_flags_to_int(flags));
+ ret =
+ _pkcs11_traverse_tokens(find_objs, &find_data,
+ pkcs11_obj_flags_to_int(flags));
if (ret < 0) {
gnutls_assert();
return ret;
@@ -2275,7 +2258,7 @@ int gnutls_pkcs11_obj_list_import_url(gnutls_pkcs11_obj_t
* p_list,
* negative error value.
**/
int gnutls_x509_crt_import_pkcs11_url(gnutls_x509_crt_t crt,
- const char *url, unsigned int flags)
+ const char *url, unsigned int flags)
{
gnutls_pkcs11_obj_t pcrt;
int ret;
diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
index 783478d..e345091 100644
--- a/lib/pkcs11_int.h
+++ b/lib/pkcs11_int.h
@@ -7,11 +7,6 @@
#define PKCS11_ID_SIZE 128
#define PKCS11_LABEL_SIZE 128
-typedef struct token_creds {
- char pin[GNUTLS_PKCS11_MAX_PIN_LEN];
- size_t pin_size;
-} token_creds_st;
-
struct token_info {
struct ck_token_info tinfo;
struct ck_slot_info sinfo;
@@ -23,14 +18,12 @@ struct pkcs11_url_info {
/* everything here is null terminated strings */
opaque id[PKCS11_ID_SIZE * 3 + 1]; /* hex with delimiters */
opaque type[16]; /* cert/key etc. */
- opaque
- manufacturer[sizeof
- (((struct ck_token_info *) NULL)->
- manufacturer_id) + 1];
+ opaque manufacturer[sizeof
+ (((struct ck_token_info *) NULL)->
+ manufacturer_id) + 1];
opaque token[sizeof(((struct ck_token_info *) NULL)->label) + 1];
- opaque
- serial[sizeof(((struct ck_token_info *) NULL)->serial_number) +
- 1];
+ opaque serial[sizeof(((struct ck_token_info *) NULL)->
+ serial_number) + 1];
opaque model[sizeof(((struct ck_token_info *) NULL)->model) + 1];
opaque label[PKCS11_LABEL_SIZE + 1];
@@ -62,8 +55,7 @@ int pkcs11_url_to_info(const char *url, struct
pkcs11_url_info *info);
int pkcs11_get_info(struct pkcs11_url_info *info,
gnutls_pkcs11_obj_info_t itype, void *output,
size_t * output_size);
-int pkcs11_login(pakchois_session_t * pks, struct token_info *info,
- token_creds_st *);
+int pkcs11_login(pakchois_session_t * pks, const struct token_info *info);
extern gnutls_pkcs11_token_callback_t token_func;
extern void *token_data;
@@ -75,7 +67,7 @@ int pkcs11_info_to_url(const struct pkcs11_url_info *info,
char **url);
#define SESSION_LOGIN 2
int pkcs11_open_session(pakchois_session_t ** _pks,
struct pkcs11_url_info *info,
- token_creds_st * creds, unsigned int flags);
+ unsigned int flags);
int _pkcs11_traverse_tokens(find_func_t find_func, void *input,
unsigned int flags);
ck_object_class_t pkcs11_strtype_to_class(const char *type);
@@ -86,7 +78,7 @@ int pkcs11_token_matches_info(struct pkcs11_url_info *info,
/* flags are SESSION_* */
int pkcs11_find_object(pakchois_session_t ** _pks,
ck_object_handle_t * _obj,
- struct pkcs11_url_info *info, token_creds_st *,
+ struct pkcs11_url_info *info,
unsigned int flags);
unsigned int pkcs11_obj_flags_to_int(unsigned int flags);
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index 11b744a..5b31b03 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -35,7 +35,6 @@ struct gnutls_pkcs11_privkey_st {
gnutls_pk_algorithm_t pk_algorithm;
unsigned int flags;
struct pkcs11_url_info info;
- token_creds_st creds;
};
/**
@@ -172,7 +171,7 @@ gnutls_pkcs11_privkey_sign_data(gnutls_pkcs11_privkey_t
signer,
do { \
int retries = 0; \
int rret; \
- ret = pkcs11_find_object (&pks, &obj, &key->info, &key->creds, \
+ ret = pkcs11_find_object (&pks, &obj, &key->info, \
SESSION_LOGIN); \
if (ret < 0) { \
rret = token_func(token_data, key->info.token,
retries++); \
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index 312e352..b9e4e41 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -66,7 +66,7 @@ int gnutls_pkcs11_copy_x509_crt(const char *token_url,
}
ret =
- pkcs11_open_session(&pks, &info, NULL,
+ pkcs11_open_session(&pks, &info,
SESSION_WRITE | pkcs11_obj_flags_to_int(flags));
if (ret < 0) {
gnutls_assert();
@@ -208,7 +208,7 @@ int gnutls_pkcs11_copy_x509_privkey(const char *token_url,
}
ret =
- pkcs11_open_session(&pks, &info, NULL,
+ pkcs11_open_session(&pks, &info,
SESSION_WRITE | pkcs11_obj_flags_to_int(flags));
if (ret < 0) {
gnutls_assert();
diff --git a/src/common.c b/src/common.c
index 6fde2ec..1371ded 100644
--- a/src/common.c
+++ b/src/common.c
@@ -861,18 +861,28 @@ service_to_port (const char *service)
return ntohs (server_port->s_port);
}
-static int pin_callback(void* user, int attempt, const char *slot_descr,
+static int pin_callback(void* user, int attempt, const char *token_url,
const char *token_label, unsigned int flags, char* pin, size_t pin_max)
{
const char* password;
int len;
+/* allow caching of PIN */
+static char* cached_url = NULL;
+static char cached_pin[32] = "";
- printf("PIN required for token '%s' in slot '%s'\n", token_label,
slot_descr);
+ printf("PIN required for token '%s' with URL '%s'\n", token_label,
token_url);
if (flags & GNUTLS_PKCS11_PIN_FINAL_TRY)
printf("*** This is the final try before locking!\n");
if (flags & GNUTLS_PKCS11_PIN_COUNT_LOW)
printf("*** Only few tries left before locking!\n");
+ if (flags == 0 && cached_url != NULL) {
+ if (strcmp(cached_url, token_url)==0) {
+ strcpy(pin, cached_pin);
+ return 0;
+ }
+ }
+
password = getpass("Enter pin: ");
if (password==NULL || password[0] == 0) {
fprintf(stderr, "No password given\n");
@@ -883,7 +893,12 @@ int len;
memcpy(pin, password, len);
pin[len] = 0;
- return GNUTLS_E_PKCS11_PIN_SAVE; /* 0 to not save it */
+ /* cache */
+ strcpy(cached_pin, pin);
+ if (cached_url) free(cached_url);
+ cached_url = strdup(token_url);
+
+ return 0;
}
static int token_callback(void* user, const char* label, const unsigned retry)
diff --git a/src/pkcs11.c b/src/pkcs11.c
index 02489ea..5ee92e6 100644
--- a/src/pkcs11.c
+++ b/src/pkcs11.c
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2010 Free Software Foundation, Inc.
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
#include <config.h>
#include <gnutls/gnutls.h>
@@ -8,32 +27,48 @@
#include <stdlib.h>
#include "certtool-common.h"
#include "certtool-cfg.h"
+#include <unistd.h>
#include <string.h>
#define MIN(x,y) ((x)<(y))?(x):(y)
-static int pin_callback(void* user, int attempt, const char *slot_descr,
+static int pin_callback(void* user, int attempt, const char *token_url,
const char *token_label, unsigned int flags, char* pin, size_t pin_max)
{
const char* password;
int len;
+/* allow caching of PIN */
+static char* cached_url = NULL;
+static char cached_pin[32] = "";
- printf("PIN required for token '%s' in slot '%s'\n", token_label,
slot_descr);
+ printf("PIN required for token '%s' with URL '%s'\n", token_label,
token_url);
if (flags & GNUTLS_PKCS11_PIN_FINAL_TRY)
printf("*** This is the final try before locking!\n");
if (flags & GNUTLS_PKCS11_PIN_COUNT_LOW)
printf("*** Only few tries left before locking!\n");
-
- password = get_pass();
- if (password==NULL) {
+
+ if (flags == 0 && cached_url != NULL) {
+ if (strcmp(cached_url, token_url)==0) {
+ strcpy(pin, cached_pin);
+ return 0;
+ }
+ }
+
+ password = getpass("Enter pin: ");
+ if (password==NULL || password[0] == 0) {
fprintf(stderr, "No password given\n");
exit(1);
}
-
+
len = MIN(pin_max,strlen(password));
memcpy(pin, password, len);
pin[len] = 0;
+ /* cache */
+ strcpy(cached_pin, pin);
+ if (cached_url) free(cached_url);
+ cached_url = strdup(token_url);
+
return 0;
}
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_2_9_10-281-ge2111f1,
Nikos Mavrogiannopoulos <=