
[SCM] GNU gnutls branch, master, updated. gnutls_3_0_21-4-g9949e1f


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_0_21-4-g9949e1f
Date: Fri, 06 Jul 2012 17:28:19 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=9949e1ffb462c9b6ac95d5068956d8393ec12a6d

The branch, master has been updated
       via  9949e1ffb462c9b6ac95d5068956d8393ec12a6d (commit)
      from  d1b7996804f90b0d5efb8a6c468f78fc4b07386f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 9949e1ffb462c9b6ac95d5068956d8393ec12a6d
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Fri Jul 6 19:28:03 2012 +0200

    distinguish password errors and use the internal octet string decoding 
functions.

-----------------------------------------------------------------------

Summary of changes:
 lib/gnutls_errors.c             |    6 ++-
 lib/includes/gnutls/abstract.h  |   10 ++--
 lib/includes/gnutls/gnutls.h.in |    3 +-
 lib/tpm.c                       |  100 ++++++++++++--------------------------
 tests/Makefile.am               |    2 +-
 5 files changed, 46 insertions(+), 75 deletions(-)

diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index 83e485d..ec90423 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -295,7 +295,11 @@ static const gnutls_error_entry error_algorithms[] = {
   ERROR_ENTRY (N_("Error in parsing."),
                GNUTLS_E_PARSING_ERROR, 1),
   ERROR_ENTRY (N_("Error in provided PIN."),
-               GNUTLS_E_PIN_ERROR, 1),
+               GNUTLS_E_PKCS11_PIN_ERROR, 1),
+  ERROR_ENTRY (N_("Error in provided password for TPM."),
+               GNUTLS_E_TPM_PASSWORD_ERROR, 1),
+  ERROR_ENTRY (N_("Error in provided password for key to be loaded in TPM."),
+               GNUTLS_E_TPM_SRK_PASSWORD_ERROR, 1),
   ERROR_ENTRY (N_("PKCS #11 error in slot"),
                GNUTLS_E_PKCS11_SLOT_ERROR, 1),
   ERROR_ENTRY (N_("Thread locking error"),
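Review bot: The entry for GNUTLS_E_TPM_SRK_PASSWORD_ERROR reads "password for key to be loaded in TPM", but in lib/tpm.c that code is returned when Tspi_Context_LoadKeyByBlob fails after the secret was set on s->srk_policy, so it is the storage root key's password that was wrong; naming the SRK in the message, e.g. `ERROR_ENTRY (N_("Error in provided TPM storage root key (SRK) password."),`, would match the code path. The first entry now spells out GNUTLS_E_PKCS11_PIN_ERROR because the GNUTLS_E_PIN_ERROR alias is deleted in lib/includes/gnutls/gnutls.h.in; if that alias shipped in an earlier 3.0.x header, applications using it stop building, and keeping `#define GNUTLS_E_PIN_ERROR GNUTLS_E_PKCS11_PIN_ERROR` beside the new codes avoids that. The added fifth parameter in lib/includes/gnutls/abstract.h likewise changes the signature of an exported function, which is worth a line in the NEWS file if the old prototype was ever released.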
diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h
index bb75864..69dde11 100644
--- a/lib/includes/gnutls/abstract.h
+++ b/lib/includes/gnutls/abstract.h
@@ -189,10 +189,12 @@ int gnutls_privkey_import_x509_raw (gnutls_privkey_t pkey,
                                     gnutls_x509_crt_fmt_t format,
                                     const char* password);
 
-int gnutls_privkey_import_tpm_raw (gnutls_privkey_t pkey,
-                                   const gnutls_datum_t * fdata,
-                                   gnutls_x509_crt_fmt_t format,
-                                   const char* password);
+int
+gnutls_privkey_import_tpm_raw (gnutls_privkey_t pkey,
+                              const gnutls_datum_t * fdata,
+                              gnutls_x509_crt_fmt_t format,
+                              const char *srk_password,
+                              const char *tpm_password);
 
 int gnutls_privkey_import_pkcs11_url (gnutls_privkey_t key, const char *url);
 
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 92bd6d3..c729ae0 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1915,7 +1915,8 @@ int gnutls_load_file(const char* filename, gnutls_datum_t 
* data);
 #define GNUTLS_E_SESSION_EOF -328
 
 #define GNUTLS_E_TPM_ERROR -329
-#define GNUTLS_E_PIN_ERROR GNUTLS_E_PKCS11_PIN_ERROR
+#define GNUTLS_E_TPM_PASSWORD_ERROR -330
+#define GNUTLS_E_TPM_SRK_PASSWORD_ERROR -331
 
 #define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
 
diff --git a/lib/tpm.c b/lib/tpm.c
index 650a846..366b560 100644
--- a/lib/tpm.c
+++ b/lib/tpm.c
@@ -33,6 +33,7 @@
 #include <gnutls_int.h>
 #include <gnutls_errors.h>
 #include <pkcs11_int.h>
+#include <x509/common.h>
 
 #include <trousers/tss.h>
 #include <trousers/trousers.h>
@@ -113,10 +114,15 @@ tpm_sign_fn (gnutls_privkey_t key, void *_s,
  * @pkey: The private key
  * @fdata: The TPM key to be imported
  * @format: The format of the private key
- * @password: A password (optional)
+ * @srk_password: A password for the key (optional)
+ * @tpm_password: A password for the TPM (optional)
  *
  * This function will import the given private key to the abstract
- * #gnutls_privkey_t structure. 
+ * #gnutls_privkey_t structure. If a password is needed to decrypt
+ * the provided key or the provided password is wrong, then 
+ * %GNUTLS_E_TPM_SRK_PASSWORD_ERROR is returned. If the TPM password
+ * is wrong or not provided then %GNUTLS_E_TPM_PASSWORD_ERROR
+ * is returned. 
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
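Review bot: The two parameter descriptions appear swapped relative to how the values are used later in the file: srk_password is the secret set on s->srk_policy, i.e. the TPM storage root key's password, while tpm_password is set on s->tpm_key_policy, the usage secret of the key being loaded, yet the text calls the former "a password for the key" and the latter "a password for the TPM". Suggest `* @srk_password: The TPM storage root key (SRK) password (optional)` and `* @tpm_password: The usage password of the key being loaded (optional)`. The sentence promising %GNUTLS_E_TPM_PASSWORD_ERROR when the TPM password is "not provided" should also be checked against the code, since the new Tspi_Policy_SetSecret call passes tpm_password to strlen without a NULL check.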
@@ -128,73 +134,40 @@ int
 gnutls_privkey_import_tpm_raw (gnutls_privkey_t pkey,
                               const gnutls_datum_t * fdata,
                               gnutls_x509_crt_fmt_t format,
-                              const char *password)
+                              const char *srk_password,
+                              const char *tpm_password)
 {
   static const TSS_UUID SRK_UUID = TSS_UUID_SRK;
-  char pin_value[GNUTLS_PKCS11_MAX_PIN_LEN];
   gnutls_datum_t asn1;
-  unsigned int tss_len;
-  unsigned int attempts = 0;
-  int ofs, err, ret;
+  size_t slen;
+  int err, ret;
   struct tpm_ctx_st *s;
   gnutls_datum_t tmp_sig;
   static const char nullpass[20];
 
-  err = gnutls_pem_base64_decode_alloc ("TSS KEY BLOB", fdata, &asn1);
-  if (err)
+  ret = gnutls_pem_base64_decode_alloc ("TSS KEY BLOB", fdata, &asn1);
+  if (ret)
     {
       gnutls_assert ();
       _gnutls_debug_log ("Error decoding TSS key blob: %s\n",
-                        gnutls_strerror (err));
-      return GNUTLS_E_INVALID_REQUEST;
+                        gnutls_strerror (ret));
+      return ret;
     }
 
-  /* FIXME: do proper decoding */
-
-  /* Ick. We have to parse the ASN1 OCTET_STRING for ourselves. */
-  if (asn1.size < 2 || asn1.data[0] != 0x04 /* OCTET_STRING */ )
+  slen = asn1.size;
+  ret = _gnutls_x509_decode_octet_string(NULL, asn1.data, asn1.size, 
asn1.data, &slen);
+  if (ret < 0)
     {
-      gnutls_assert ();
-      _gnutls_debug_log ("Error in TSS key blob\n");
-      ret = GNUTLS_E_PARSING_ERROR;
+      gnutls_assert();
       goto out_blob;
     }
+  asn1.size = slen;
 
   s = gnutls_malloc (sizeof (*s));
   if (s == NULL)
     {
       gnutls_assert ();
       ret = GNUTLS_E_MEMORY_ERROR;
-      goto out_ctx;
-    }
-
-  tss_len = asn1.data[1];
-  ofs = 2;
-  if (tss_len & 0x80)
-    {
-      unsigned int lenlen = tss_len & 0x7f;
-
-      if (asn1.size < 2 + lenlen || lenlen > 3)
-       {
-         gnutls_assert ();
-         _gnutls_debug_log ("Error in TSS key blob\n");
-         ret = GNUTLS_E_PARSING_ERROR;
-         goto out_blob;
-       }
-
-      tss_len = 0;
-      while (lenlen)
-       {
-         tss_len <<= 8;
-         tss_len |= asn1.data[ofs++];
-         lenlen--;
-       }
-    }
-  if (tss_len + ofs != asn1.size)
-    {
-      gnutls_assert ();
-      _gnutls_debug_log ("Error in TSS key blob\n");
-      ret = GNUTLS_E_PARSING_ERROR;
       goto out_blob;
     }
 
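Review bot: The call `_gnutls_x509_decode_octet_string(NULL, asn1.data, asn1.size, asn1.data, &slen)` passes the same buffer as DER input and as contents output, so it is correct only if the helper finishes reading the header before it writes the contents (or copies through an intermediate structure); nothing in the hunk records that assumption. A one-line comment such as `/* in-place decode: relies on the helper tolerating overlapping src/dst */` would keep a later change to the helper from silently corrupting the key blob. The new failure branch also drops the `_gnutls_debug_log` that the base64 path keeps, so a malformed blob is now reported only through the return value, unlike every other error path in this function. gnutls_privkey_import_tpm_raw continues past the end of the hunk.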
@@ -205,7 +178,7 @@ gnutls_privkey_import_tpm_raw (gnutls_privkey_t pkey,
       _gnutls_debug_log ("Failed to create TPM context: %s\n",
                         Trspi_Error_String (err));
       ret = GNUTLS_E_TPM_ERROR;
-      goto out_blob;
+      goto out_ctx;
     }
   err = Tspi_Context_Connect (s->tpm_context, NULL);
   if (err)
@@ -214,7 +187,7 @@ gnutls_privkey_import_tpm_raw (gnutls_privkey_t pkey,
       _gnutls_debug_log ("Failed to connect TPM context: %s\n",
                         Trspi_Error_String (err));
       ret = GNUTLS_E_TPM_ERROR;
-      goto out_context;
+      goto out_tspi_ctx;
     }
   err =
       Tspi_Context_LoadKeyByUUID (s->tpm_context, TSS_PS_TYPE_SYSTEM,
@@ -225,7 +198,7 @@ gnutls_privkey_import_tpm_raw (gnutls_privkey_t pkey,
       _gnutls_debug_log
          ("Failed to load TPM SRK key: %s\n", Trspi_Error_String (err));
       ret = GNUTLS_E_TPM_ERROR;
-      goto out_context;
+      goto out_tspi_ctx;
     }
   err = Tspi_GetPolicyObject (s->srk, TSS_POLICY_USAGE, &s->srk_policy);
   if (err)
@@ -238,10 +211,10 @@ gnutls_privkey_import_tpm_raw (gnutls_privkey_t pkey,
     }
 
   /* We don't seem to get the error here... */
-  if (password)
+  if (srk_password)
     err = Tspi_Policy_SetSecret (s->srk_policy,
                                 TSS_SECRET_MODE_PLAIN,
-                                strlen (password), (BYTE *) password);
+                                strlen (srk_password), (BYTE *) srk_password);
   else                         /* Well-known NULL key */
     err = Tspi_Policy_SetSecret (s->srk_policy,
                                 TSS_SECRET_MODE_SHA1,
@@ -257,10 +230,10 @@ gnutls_privkey_import_tpm_raw (gnutls_privkey_t pkey,
 
   /* ... we get it here instead. */
   err = Tspi_Context_LoadKeyByBlob (s->tpm_context, s->srk,
-                                   tss_len, asn1.data + ofs, &s->tpm_key);
+                                   asn1.size, asn1.data, &s->tpm_key);
   if (err != 0)
     {
-      if (password)
+      if (srk_password)
        {
          gnutls_assert ();
          _gnutls_debug_log
@@ -276,7 +249,7 @@ gnutls_privkey_import_tpm_raw (gnutls_privkey_t pkey,
        }
       else
        {
-         ret = gnutls_assert_val (GNUTLS_E_PIN_ERROR);
+         ret = gnutls_assert_val (GNUTLS_E_TPM_SRK_PASSWORD_ERROR);
          goto out_srkpol;
        }
     }
@@ -321,25 +294,16 @@ retry_sign:
            }
        }
 
-      ret =
-         _gnutls_pin_func (_gnutls_pin_data, attempts++, "tpm:",
-                           "TPM key", 0, pin_value,
-                           GNUTLS_PKCS11_MAX_PIN_LEN);
-      if (ret < 0)
-       {
-         ret = gnutls_assert_val (GNUTLS_E_PIN_ERROR);
-         goto out_key_policy;
-       }
-
       err = Tspi_Policy_SetSecret (s->tpm_key_policy,
                                   TSS_SECRET_MODE_PLAIN,
-                                  strlen (pin_value), (void *) pin_value);
+                                  strlen (tpm_password), (void *) 
tpm_password);
 
       if (err)
        {
          gnutls_assert ();
          _gnutls_debug_log ("Failed to set key PIN: %s\n",
                             Trspi_Error_String (err));
+          ret = GNUTLS_E_TPM_PASSWORD_ERROR;
          goto out_key_policy;
        }
       goto retry_sign;
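Review bot: `strlen (tpm_password)` in the Tspi_Policy_SetSecret call dereferences tpm_password without a NULL check, although the updated documentation declares the parameter optional and promises %GNUTLS_E_TPM_PASSWORD_ERROR when it is not provided; the removed pin-callback path always had a filled pin_value here. Unless a guard before the start of the hunk rejects a NULL tpm_password, a caller that omits it crashes instead of receiving the error; adding `if (tpm_password == NULL) { ret = gnutls_assert_val (GNUTLS_E_TPM_PASSWORD_ERROR); goto out_key_policy; }` ahead of the call fixes that. Dropping the attempts counter also means a wrong fixed password re-enters `goto retry_sign` with the same secret each time, so whatever bounds the retry now has to live in the signing condition above the hunk, which is not visible. The enclosing block begins outside the hunk.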
@@ -364,7 +328,7 @@ out_srkpol:
 out_srk:
   Tspi_Context_CloseObject (s->tpm_context, s->srk);
   s->srk = 0;
-out_context:
+out_tspi_ctx:
   Tspi_Context_Close (s->tpm_context);
   s->tpm_context = 0;
 out_ctx:
diff --git a/tests/Makefile.am b/tests/Makefile.am
index d997018..e28332b 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -69,7 +69,7 @@ ctests = mini-deflate simple gc set_pkcs12_cred certder 
certuniqueid  \
         x509cert x509cert-tl infoaccess rsa-encrypt-decrypt \
         mini-loss-time mini-tdb mini-dtls-rehandshake mini-record \
         mini-termination mini-x509-cas mini-x509-2 pkcs12_simple \
-        mini-emsgsize-dtls
+        mini-emsgsize-dtls tpm
 
 if ENABLE_OCSP
 ctests += ocsp


hooks/post-receive
-- 
GNU gnutls


