
[SCM] GNU gnutls branch, master, updated. gnutls_3_0_21-76-gdd68c2b


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_0_21-76-gdd68c2b
Date: Sat, 21 Jul 2012 17:01:08 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=dd68c2b19c9950ce67d78cc30546972aa04398fc

The branch, master has been updated
       via  dd68c2b19c9950ce67d78cc30546972aa04398fc (commit)
       via  4a5b6fee0248bd5f58333f7f902004c1dd9f38e6 (commit)
       via  b0a1222324dead25954b30f35ef0599523fd1e07 (commit)
       via  52c7cfc6e06c42a48cd4507f42b070df9a5c26ed (commit)
       via  6b092a018d2e979d51faef49784afb1164c89621 (commit)
       via  e3361a9157c3d57aadb1b9955accc53aca20b82a (commit)
       via  9d32dca615dc5c7e291168fba43fc5204eee83a4 (commit)
       via  85bf56607c0d41d69468992c74b0fa8311e43134 (commit)
       via  a8eb0a98bacf125bf791cac899f90190d30ce10c (commit)
       via  8b1c66a625797023419461e926289c4f8416a6b4 (commit)
       via  0fa91f03976bd59fb056ece345efb7f496528355 (commit)
       via  e81cb21e0fc40b203a77acf338a727cd5e26df92 (commit)
       via  9cda828053a6a0878535963f81a7fc1f772d8b59 (commit)
       via  83155cf54ac3983bcefa93a451b038b625e9a357 (commit)
      from  443d50192733f4d85ba87f5622c08b54ba5b9fd7 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit dd68c2b19c9950ce67d78cc30546972aa04398fc
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Jul 21 19:01:07 2012 +0200

    doc fixes

commit 4a5b6fee0248bd5f58333f7f902004c1dd9f38e6
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Jul 21 19:00:57 2012 +0200

    handle noindent

commit b0a1222324dead25954b30f35ef0599523fd1e07
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Jul 21 18:58:51 2012 +0200

    more elaborate PIN documentation

commit 52c7cfc6e06c42a48cd4507f42b070df9a5c26ed
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Jul 21 18:49:30 2012 +0200

    handle more complex enums

commit 6b092a018d2e979d51faef49784afb1164c89621
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Jul 21 18:07:51 2012 +0200

    discussed the generic and openssl privkey import functions.

commit e3361a9157c3d57aadb1b9955accc53aca20b82a
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Jul 21 17:59:43 2012 +0200

    added tpm flag

commit 9d32dca615dc5c7e291168fba43fc5204eee83a4
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Jul 21 17:58:20 2012 +0200

    more doc fixes

commit 85bf56607c0d41d69468992c74b0fa8311e43134
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Jul 21 17:54:18 2012 +0200

    doc fix

commit a8eb0a98bacf125bf791cac899f90190d30ce10c
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Jul 21 17:49:29 2012 +0200

    doc updates

commit 8b1c66a625797023419461e926289c4f8416a6b4
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Jul 21 17:48:10 2012 +0200

    more set_pin functions.

commit 0fa91f03976bd59fb056ece345efb7f496528355
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Jul 21 17:45:41 2012 +0200

    set PIN function when reading a certificate

commit e81cb21e0fc40b203a77acf338a727cd5e26df92
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Jul 21 14:16:52 2012 +0200

    GNUTLS_PKCS11_PIN -> GNUTLS_PIN

commit 9cda828053a6a0878535963f81a7fc1f772d8b59
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Jul 21 14:14:53 2012 +0200

    use stack for file paths

commit 83155cf54ac3983bcefa93a451b038b625e9a357
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Jul 21 14:04:05 2012 +0200

    doc updates

-----------------------------------------------------------------------

Summary of changes:
 doc/Makefile.am                      |    2 +
 doc/cha-cert-auth2.texi              |   12 +++++++
 doc/cha-library.texi                 |    1 +
 doc/cha-tokens.texi                  |   54 +++++++++++++++++++++++++++-------
 doc/examples/ex-cert-select-pkcs11.c |    6 ++--
 doc/invoke-tpmtool.texi              |   41 +++++++++++++++++++-------
 doc/latex/Makefile.am                |   10 +++++-
 doc/latex/gnutls.tex                 |    2 +
 doc/latex/macros.tex                 |    4 ++
 doc/manpages/tpmtool.1               |    7 ++--
 doc/scripts/gdoc                     |    2 +-
 doc/scripts/mytexi2latex             |    1 +
 lib/gnutls_x509.c                    |    8 +++--
 lib/includes/gnutls/gnutls.h.in      |   47 +++++++++++++++++------------
 lib/pkcs11.c                         |   14 ++++----
 lib/pkcs11_write.c                   |    4 +-
 lib/tpm.c                            |    2 +-
 lib/x509/pkcs12.c                    |    3 +-
 src/common.c                         |    8 ++--
 src/pkcs11.c                         |    2 +-
 tests/openpgp-auth.c                 |   12 ++++---
 tests/openpgp-auth2.c                |   12 ++++---
 22 files changed, 174 insertions(+), 80 deletions(-)

diff --git a/doc/Makefile.am b/doc/Makefile.am
index 8cdc10d..55b99b3 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -481,6 +481,7 @@ ENUMS += enums/gnutls_mac_algorithm_t
 ENUMS += enums/gnutls_openpgp_crt_fmt_t
 ENUMS += enums/gnutls_openpgp_crt_status_t
 ENUMS += enums/gnutls_params_type_t
+ENUMS += enums/gnutls_pin_flag_t
 ENUMS += enums/gnutls_pk_algorithm_t
 ENUMS += enums/gnutls_pkcs11_obj_attr_t
 ENUMS += enums/gnutls_pkcs11_obj_info_t
@@ -1061,6 +1062,7 @@ FUNCS += 
functions/gnutls_x509_crt_get_authority_key_gn_serial
 FUNCS += functions/gnutls_x509_crt_get_subject_key_id
 FUNCS += functions/gnutls_x509_crt_get_subject_unique_id
 FUNCS += functions/gnutls_x509_crt_get_issuer_unique_id
+FUNCS += functions/gnutls_x509_crt_set_pin_function
 FUNCS += functions/gnutls_x509_crt_get_authority_info_access
 FUNCS += functions/gnutls_x509_crt_get_crl_dist_points
 FUNCS += functions/gnutls_x509_crt_set_crl_dist_points2
diff --git a/doc/cha-cert-auth2.texi b/doc/cha-cert-auth2.texi
index 09d79a1..9e4baba 100644
--- a/doc/cha-cert-auth2.texi
+++ b/doc/cha-cert-auth2.texi
@@ -353,6 +353,18 @@ of their usage is also shown.
 
 @verbatiminclude examples/ex-pkcs12.c
 
address@hidden Other structures
address@hidden OpenSSL encrypted keys
+Unfortunately the structures discussed in the previous sections are
+not the only structures that may hold an encrypted private key. For example
+the OpenSSL library offers a custom key encryption method. Those structures
+are also supported in GnuTLS with @funcref{gnutls_x509_privkey_import_openssl}.
+
address@hidden
+
+Generic and higher level private key import functions are also available.
address@hidden,gnutls_privkey_import_x509_raw}
+
 @include invoke-certtool.texi
 
 @include invoke-ocsptool.texi
diff --git a/doc/cha-library.texi b/doc/cha-library.texi
index ecd4356..0278eaa 100644
--- a/doc/cha-library.texi
+++ b/doc/cha-library.texi
@@ -96,6 +96,7 @@ options are given.
 --disable-openpgp-authentication
 --disable-openssl-compatibility
 --without-p11-kit
+--without-tpm
 @end verbatim
 
 For the complete list, refer to the output from @code{configure --help}.
diff --git a/doc/cha-tokens.texi b/doc/cha-tokens.texi
index 0ed2c70..2f2dc19 100644
--- a/doc/cha-tokens.texi
+++ b/doc/cha-tokens.texi
@@ -74,7 +74,7 @@ sequence.
 @showfuncdesc{gnutls_pubkey_export}
 
 An important function is @funcref{gnutls_pubkey_import_url} which will import
-public keys from URLs that identify objects stored in tokens (see @ref{Smart 
cards and HSMs,Trusted platform module}).
+public keys from URLs that identify objects stored in tokens (see @ref{Smart 
cards and HSMs} and @ref{Trusted platform module}).
 A function to check for a supported by GnuTLS URL is 
@funcref{gnutls_url_is_supported}.
 
 @showfuncdesc{gnutls_url_is_supported}
@@ -175,6 +175,7 @@ system, being the @acronym{Gnome Keyring}.
 
 @menu
 * PKCS11 Initialization::
+* Accessing objects that require a PIN::
 * Reading objects::
 * Writing objects::
 * Using a PKCS11 token with TLS::
@@ -194,13 +195,47 @@ module: /usr/lib/opensc-pkcs11.so
 @end example
 
 If you use this file, then there is no need for other initialization in
address@hidden, except for the PIN and token functions. Those allow retrieving 
a PIN
-when accessing a protected object, such as a private key, as well as probe
-the user to insert the token. All the initialization functions are below.
address@hidden, except for the PIN and token functions (see next section).  
+However, you may manually initialize the PKCS #11 subsystem if the default
+settings are not desirable.
 
 @showfuncdesc{gnutls_pkcs11_init}
+
+Note that PKCS #11 modules must be reinitialized on the child processes
+after a @funcintref{fork}. @acronym{GnuTLS} provides 
@funcref{gnutls_pkcs11_reinit}
+to be called for this purpose.
+
address@hidden
+
address@hidden Accessing objects that require a PIN
address@hidden Accessing objects that require a PIN
+
+Objects stored in token such as a private keys are typically protected
+from access by a PIN or password. This PIN may be required to either read
+the object (if allowed) or to perform operations with it. To allow obtaining
+the PIN when accessing a protected object, as well as probe
+the user to insert the token the following functions allow to set a callback.
+
 
@showfuncD{gnutls_pkcs11_set_token_function,gnutls_pkcs11_set_pin_function,gnutls_pkcs11_add_provider,gnutls_pkcs11_get_pin_function}
 
+The callback is of type @funcintref{gnutls_pin_callback_t} and will have as
+input the provided userdata, the PIN attempt number, a URL describing the
+token, a label describing the object and flags. The PIN must be at most 
+of @code{pin_max} size and must be copied to pin variable. The function must
+return 0 on success or a negative error code otherwise.
+
address@hidden
+typedef int (*gnutls_pin_callback_t) (void *userdata, int attempt,
+                                      const char *token_url,
+                                      const char *token_label,
+                                      unsigned int flags,
+                                      char *pin, size_t pin_max);
address@hidden verbatim
+
+The flags are of @code{gnutls_pin_flag_t} type and are explained below.
+
address@hidden,The @address@hidden enumeration.}
+
 Note that due to limitations of @acronym{PKCS} #11 there are issues when 
multiple libraries 
 are sharing a module. To avoid this problem GnuTLS uses @acronym{p11-kit}
 that provides a middleware to control access to resources over the
@@ -211,13 +246,7 @@ To avoid conflicts with multiple registered callbacks for 
PIN functions,
 set functions. In addition context specific PIN functions are allowed, e.g., by
 using functions below.
 
address@hidden,gnutls_pubkey_set_pin_function,gnutls_privkey_set_pin_function}
-
-Moreover PKCS #11 modules must be reinitialized on the child processes
-after a @funcintref{fork}. @acronym{GnuTLS} provides 
@funcref{gnutls_pkcs11_reinit}
-to be called for this purpose.
-
address@hidden
address@hidden,gnutls_pubkey_set_pin_function,gnutls_privkey_set_pin_function,gnutls_pkcs11_obj_set_pin_function,gnutls_x509_crt_set_pin_function}
 
 @node Reading objects
 @subsection Reading objects
@@ -357,6 +386,9 @@ identified by a URL of the form:
 tpmkey:file=/path/to/file
 @end verbatim
 
+When objects require a PIN to be accessed the same callbacks as with PKCS #11
+objects are expected (see @ref{Accessing objects that require a PIN}).
+
 @node Key generation
 @subsection Key generation
 
diff --git a/doc/examples/ex-cert-select-pkcs11.c 
b/doc/examples/ex-cert-select-pkcs11.c
index e8cb21e..e867926 100644
--- a/doc/examples/ex-cert-select-pkcs11.c
+++ b/doc/examples/ex-cert-select-pkcs11.c
@@ -49,11 +49,11 @@ pin_callback (void *user, int attempt, const char 
*token_url,
 
   printf ("PIN required for token '%s' with URL '%s'\n", token_label,
           token_url);
-  if (flags & GNUTLS_PKCS11_PIN_FINAL_TRY)
+  if (flags & GNUTLS_PIN_FINAL_TRY)
     printf ("*** This is the final try before locking!\n");
-  if (flags & GNUTLS_PKCS11_PIN_COUNT_LOW)
+  if (flags & GNUTLS_PIN_COUNT_LOW)
     printf ("*** Only few tries left before locking!\n");
-  if (flags & GNUTLS_PKCS11_PIN_WRONG)
+  if (flags & GNUTLS_PIN_WRONG)
     printf ("*** Wrong PIN\n");
 
   password = getpass ("Enter pin: ");
diff --git a/doc/invoke-tpmtool.texi b/doc/invoke-tpmtool.texi
index a34eef8..9b1041b 100644
--- a/doc/invoke-tpmtool.texi
+++ b/doc/invoke-tpmtool.texi
@@ -7,7 +7,7 @@
 # 
 # DO NOT EDIT THIS FILE   (invoke-tpmtool.texi)
 # 
-# It has been AutoGen-ed  July 18, 2012 at 07:46:21 PM by AutoGen 5.16
+# It has been AutoGen-ed  July 21, 2012 at 02:02:18 PM by AutoGen 5.16
 # From the definitions    ../src/tpmtool-args.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -52,6 +52,11 @@ USAGE:  tpmtool [ -<flag> [<val>] | --<name>address@hidden| 
@}<val>] ]...
                                 generate-rsa
                                 -- and prohibits these options:
                                 legacy
+       --legacy               Any generated key will be a legacy key
+                                - requires these options:
+                                generate-rsa
+                                -- and prohibits these options:
+                                signing
        --user                 Any registered key will be a user key
                                 - requires these options:
                                 register
@@ -62,11 +67,6 @@ USAGE:  tpmtool [ -<flag> [<val>] | --<name>address@hidden| 
@}<val>] ]...
                                 register
                                 -- and prohibits these options:
                                 user
-       --legacy               Any generated key will be a legacy key
-                                - requires these options:
-                                generate-rsa
-                                -- and prohibits these options:
-                                signing
        --pubkey=str           Prints the public key of the provided key
        --list                 Lists all stored keys in the TPM
        --delete=str           Delete the key identified by the given URL 
(UUID).
@@ -99,7 +99,9 @@ Specifies the debug level.
 @cindex tpmtool-generate-rsa
 
 This is the ``generate an rsa private-public key pair'' option.
-Generates an RSA private-public key pair on the specified token.
+Generates an RSA private-public key pair in the TPM chip. 
+The key may be stored in filesystem and protected by a PIN, or stored 
(registered)
+in the TPM chip flash.
 @anchor{tpmtool user}
 @subsubheading user option
 @cindex tpmtool-user
@@ -142,7 +144,8 @@ The generated key will be stored in system persistent 
storage.
 
 This is the ``specify the security level [low, legacy, normal, high, ultra].'' 
option.
 This option takes an argument string @file{Security parameter}.
-This is alternative to the bits option.
+This is alternative to the bits option. Note however that the
+values allowed by the TPM chip are quantized and given values may be rounded 
up.
 @anchor{tpmtool exit status}
 @subsubheading tpmtool exit status
 
@@ -159,13 +162,29 @@ The operation failed or the command syntax was not valid.
 
 @anchor{tpmtool Examples}
 @subsubheading tpmtool Examples
-To generate a public key use:
+To generate a key that is to be stored in filesystem use:
 @example
-$ tpmtool --generate-rsa --sec-param normal --outfile tpmkey.pem
+$ tpmtool --generate-rsa --bits 2048 --outfile tpmkey.pem
address@hidden example
+
+To generate a key that is to be stored in TPM's flash use:
address@hidden
+$ tpmtool --generate-rsa --bits 2048 --register --user
 @end example
 
 To get the public key of a TPM key use:
 @example
-$ tpmtool --pubkey --infile tpmkey.tpm --outfile pubkey.pem
+$ tpmtool --pubkey 
tpmkey:uuid=58ad734b-bde6-45c7-89d8-756a55ad1891;storage=user \
+          --outfile pubkey.pem
address@hidden example
+
+or if the key is stored in the filesystem:
address@hidden
+$ tpmtool --pubkey tpmkey:file=tmpkey.pem --outfile pubkey.pem
address@hidden example
+
+To list all keys stored in TPM use:
address@hidden
+$ tpmtool --list
 @end example
 
diff --git a/doc/latex/Makefile.am b/doc/latex/Makefile.am
index 409bc75..f22138b 100644
--- a/doc/latex/Makefile.am
+++ b/doc/latex/Makefile.am
@@ -5,9 +5,9 @@ GEN_TEX_OBJECTS = cha-preface.tex cha-library.tex 
cha-intro-tls.tex cha-cert-aut
   cha-cert-auth.tex cha-gtls-app.tex sec-tls-app.tex cha-programs.tex 
cha-support.tex \
   cha-functions.tex error_codes.tex cha-ciphersuites.tex algorithms.tex 
cha-shared-key.tex \
   cha-errors.tex alerts.tex cha-internals.tex cha-gtls-examples.tex 
cha-upgrade.tex \
-  invoke-certtool.tex invoke-gnutls-cli.tex invoke-gnutls-serv.tex \
+  invoke-certtool.tex invoke-gnutls-cli.tex invoke-gnutls-serv.tex 
cha-tokens.tex \
   invoke-srptool.tex invoke-psktool.tex invoke-gnutls-cli-debug.tex \
-  invoke-p11tool.tex invoke-ocsptool.tex
+  invoke-p11tool.tex invoke-ocsptool.tex invoke-tpmtool.tex
 
 invoke-certtool.tex: ../invoke-certtool.texi
        ../scripts/mytexi2latex $< > $@
@@ -15,9 +15,15 @@ invoke-certtool.tex: ../invoke-certtool.texi
 cha-upgrade.tex: ../cha-upgrade.texi
        ../scripts/mytexi2latex $< > $@
 
+cha-tokens.tex: ../cha-tokens.texi
+       ../scripts/mytexi2latex $< > $@
+
 invoke-gnutls-cli.tex: ../invoke-gnutls-cli.texi
        ../scripts/mytexi2latex $< > $@
 
+invoke-tpmtool.tex: ../invoke-tpmtool.texi
+       ../scripts/mytexi2latex $< > $@
+
 invoke-gnutls-serv.tex: ../invoke-gnutls-serv.texi
        ../scripts/mytexi2latex $< > $@
 
diff --git a/doc/latex/gnutls.tex b/doc/latex/gnutls.tex
index 1585f35..77e9366 100644
--- a/doc/latex/gnutls.tex
+++ b/doc/latex/gnutls.tex
@@ -66,6 +66,8 @@
 
 \input{cha-cert-auth2}
 
+\input{cha-tokens}
+
 \input{cha-gtls-app}
 
 \input{cha-gtls-examples}
diff --git a/doc/latex/macros.tex b/doc/latex/macros.tex
index fbfb687..7e657e1 100644
--- a/doc/latex/macros.tex
+++ b/doc/latex/macros.tex
@@ -193,6 +193,10 @@
 {\vspace{0.5cm}{\bf Description:}\footnotesize}
 {}
 
+\newenvironment{functionLimitation}%
+{\vspace{0.5cm}{\it Limitation:}\footnotesize}
+{}
+
 \newenvironment{enum}%
 {}%
 {}
diff --git a/doc/manpages/tpmtool.1 b/doc/manpages/tpmtool.1
index 771b72f..4d20fea 100644
--- a/doc/manpages/tpmtool.1
+++ b/doc/manpages/tpmtool.1
@@ -1,8 +1,8 @@
-.TH tpmtool 1 "20 Jul 2012" "@VERSION@" "User Commands"
+.TH tpmtool 1 "21 Jul 2012" "@VERSION@" "User Commands"
 .\"
 .\"  DO NOT EDIT THIS FILE   (tpmtool-args.man)
 .\"  
-.\"  It has been AutoGen-ed  July 20, 2012 at 10:20:00 PM by AutoGen 5.16
+.\"  It has been AutoGen-ed  July 21, 2012 at 02:01:40 PM by AutoGen 5.16
 .\"  From the definitions    ../../src/tpmtool-args.def.tmp
 .\"  and the template file   agman-cmd.tpl
 .\"
@@ -102,7 +102,8 @@ Delete the key identified by the given URL (UUID)..
 .BR \-\-sec\-param "=\fIsecurity parameter\fP"
 Specify the security level [low, legacy, normal, high, ultra]..
 .sp
-This is alternative to the bits option.
+This is alternative to the bits option. Note however that the
+values allowed by the TPM chip are quantized and given values may be rounded 
up.
 .TP
 .BR \-\-bits "=\fInumber\fP"
 Specify the number of bits for key generate.
diff --git a/doc/scripts/gdoc b/doc/scripts/gdoc
index ac5dea4..61b870d 100755
--- a/doc/scripts/gdoc
+++ b/doc/scripts/gdoc
@@ -857,7 +857,7 @@ sub dump_function {
 sub dump_enum {
     my $prototype = shift @_;
 
-    if (($prototype =~ 
m/^\s*typedef\s+enum\s*[a-zA-Z0-9_~:]*\s*\{([a-zA-Z0-9_~=,:\s]+)\s*\}\s*([a-zA-Z0-9_]+);.*/))
 {
+    if (($prototype =~ 
m/^\s*typedef\s+enum\s*[a-zA-Z0-9_~:]*\s*\{([a-zA-Z0-9_~=,:\s\(\)\<]+)\s*\}\s*([a-zA-Z0-9_]+);.*/))
 {
 #        || $prototype =~ m/^\s*enum\s+([a-zA-Z0-9_~:]+).*/) {
         $args = $1;
        $name = $2;
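Review bot: The widened character class `[a-zA-Z0-9_~=,:\s\(\)\<]` makes `(1 << 0)` enumerators match, but any enumerator containing `>`, `-` or `|` (a right shift, a negative value, or a flag combination) still causes the whole typedef to fall through the `if`, so that enum silently disappears from the generated documentation rather than producing an error. If the headers contain such enumerators, and I have not checked that they do, widening the class to `[a-zA-Z0-9_~=,:\s()<>|-]+` covers them; inside a character class the backslashes before `(`, `)` and `<` are unnecessary in any case. The surrounding dump_enum subroutine continues outside the hunk.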
diff --git a/doc/scripts/mytexi2latex b/doc/scripts/mytexi2latex
index 5681f9e..a4b35b2 100755
--- a/doc/scripts/mytexi2latex
+++ b/doc/scripts/mytexi2latex
@@ -350,6 +350,7 @@ multitable:
                $line =~ 
s/address@hidden($match+)\,($match+)\}/\\includegraphics\[width\=$2\]\{\.\.\/$1\}/g;
                $line =~ s/address@hidden($spacematch+)\}/$1/g;
                $line =~ s/address@hidden/\{\\bf /g;
+               $line =~ s/address@hidden//g;
                $line =~ s/address@hidden//g;
                $line =~ s/address@hidden (.*)/\% $1/g;
                $line =~ s/address@hidden($mathmatch+)\}/\$$1\$/g;
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 51ac672..e4bb73c 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -652,7 +652,7 @@ cleanup:
 }
 
 
-/* Reads a private key from a token.
+/* Reads a certificate key from a token.
  */
 static int
 read_cert_url (gnutls_certificate_credentials_t res, const char *url)
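Review bot: The reworded comment on the line above `static int` now reads "Reads a certificate key from a token", which is no clearer than the old "private key" wording: read_cert_url imports a certificate, not a key, so the comment should say `/* Reads a certificate from a token (PKCS #11 URL). */`. The URL-scheme qualifier is inferred from the gnutls_x509_crt_import_pkcs11_url call in the following hunk and should be checked against the rest of the function, whose body lies outside this hunk.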
@@ -678,6 +678,9 @@ read_cert_url (gnutls_certificate_credentials_t res, const 
char *url)
       goto cleanup;
     }
 
+  if (res->pin.cb)
+    gnutls_x509_crt_set_pin_function(crt, res->pin.cb, res->pin.data);
+
   ret = gnutls_x509_crt_import_pkcs11_url (crt, url, 0);
   if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
     ret =
@@ -1854,8 +1857,7 @@ int
  * be called more than once (in case multiple keys/certificates exist
  * for the server).
  *
- * MAC:ed PKCS#12 files are supported.  Encrypted PKCS#12 bags are
- * supported.  Encrypted PKCS#8 private keys are supported.  However,
+ * Encrypted PKCS#12 bags and PKCS#8 private keys are supported.  However,
  * only password based security, and the same password for all
  * operations, are supported.
  *
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 89f18d8..25cb1ea 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -697,6 +697,7 @@ typedef enum
     GNUTLS_CB_TLS_UNIQUE
   } gnutls_channel_binding_t;
 
+
 /* If you want to change this, then also change the define in
  * gnutls_int.h, and recompile.
  */
@@ -1744,39 +1745,47 @@ int gnutls_load_file(const char* filename, 
gnutls_datum_t * data);
 int gnutls_url_is_supported (const char* url);
 
   /* PIN callback */
+
 /**
  * gnutls_pin_flag_t:
- * @GNUTLS_PKCS11_PIN_USER: The PIN for the user.
- * @GNUTLS_PKCS11_PIN_SO: The PIN for the security officer.
- * @GNUTLS_PKCS11_PIN_CONTEXT_SPECIFIC: The PIN is for a specific action and 
key like signing.
- * @GNUTLS_PKCS11_PIN_FINAL_TRY: This is the final try before blocking.
- * @GNUTLS_PKCS11_PIN_COUNT_LOW: Few tries remain before token blocks.
- * @GNUTLS_PKCS11_PIN_WRONG: Last given PIN was not correct.
+ * @GNUTLS_PIN_USER: The PIN for the user.
+ * @GNUTLS_PIN_SO: The PIN for the security officer (admin).
+ * @GNUTLS_PIN_CONTEXT_SPECIFIC: The PIN is for a specific action and key like 
signing.
+ * @GNUTLS_PIN_FINAL_TRY: This is the final try before blocking.
+ * @GNUTLS_PIN_COUNT_LOW: Few tries remain before token blocks.
+ * @GNUTLS_PIN_WRONG: Last given PIN was not correct.
  *
- * Enumeration of different PIN flags.
+ * Enumeration of different flags that are input to the PIN function.
  */
-typedef enum
-  {
-    GNUTLS_PKCS11_PIN_USER = (1 << 0),
-    GNUTLS_PKCS11_PIN_SO = (1 << 1),
-    GNUTLS_PKCS11_PIN_FINAL_TRY = (1 << 2),
-    GNUTLS_PKCS11_PIN_COUNT_LOW = (1 << 3),
-    GNUTLS_PKCS11_PIN_CONTEXT_SPECIFIC = (1 << 4),
-    GNUTLS_PKCS11_PIN_WRONG = (1 << 5),
+  typedef enum
+    {
+    GNUTLS_PIN_USER = (1 << 0),
+    GNUTLS_PIN_SO = (1 << 1),
+    GNUTLS_PIN_FINAL_TRY = (1 << 2),
+    GNUTLS_PIN_COUNT_LOW = (1 << 3),
+    GNUTLS_PIN_CONTEXT_SPECIFIC = (1 << 4),
+    GNUTLS_PIN_WRONG = (1 << 5),
   } gnutls_pin_flag_t;
 
+#define GNUTLS_PKCS11_PIN_USER GNUTLS_PIN_USER
+#define GNUTLS_PKCS11_PIN_SO GNUTLS_PIN_SO
+#define GNUTLS_PKCS11_PIN_FINAL_TRY GNUTLS_PIN_FINAL_TRY
+#define GNUTLS_PKCS11_PIN_COUNT_LOW  GNUTLS_PIN_COUNT_LOW
+#define GNUTLS_PKCS11_PIN_CONTEXT_SPECIFIC GNUTLS_PIN_CONTEXT_SPECIFIC
+#define GNUTLS_PKCS11_PIN_WRONG GNUTLS_PIN_WRONG
+
 /**
  * gnutls_pin_callback_t:
  * @userdata: user-controlled data from gnutls_pkcs11_set_pin_function().
  * @attempt: pin-attempt counter, initially 0.
- * @token_url: PKCS11 URL.
- * @token_label: label of PKCS11 token.
+ * @token_url: URL of token.
+ * @token_label: label of token.
  * @flags: a #gnutls_pin_flag_t flag.
  * @pin: buffer to hold PIN, of size @pin_max.
  * @pin_max: size of @pin buffer.
  *
- * Callback function type for PKCS#11 PIN entry.  It is set by
- * gnutls_pkcs11_set_pin_function().
+ * Callback function type for PKCS#11 or TPM PIN entry.  It is set by
+ * functions like gnutls_pkcs11_set_pin_function().
  *
  * The callback should provides the PIN code to unlock the token with
  * label @token_label, specified by the URL @token_url.
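Review bot: The six `#define GNUTLS_PKCS11_PIN_*` aliases added after the enum carry no comment, so a reader of the public header cannot tell whether they are the preferred spelling or a compatibility shim for the names this commit renames; a one-line comment above them such as `/* Compatibility aliases for the pre-3.1 PKCS #11 specific names; new code should use the GNUTLS_PIN_* values. */` would settle that (the version boundary is my inference from the branch name and should be confirmed). The re-indented `typedef enum` and its opening brace are now two spaces in, unlike every other typedef in this header (compare the gnutls_channel_binding_t block at the top of the previous hunk), and `GNUTLS_PKCS11_PIN_COUNT_LOW` has a double space before its replacement. The gnutls_pin_callback_t description of `@userdata` still names only gnutls_pkcs11_set_pin_function() even though the text two paragraphs later now says the callback is set by several functions; wording it as "user-controlled data passed to the *_set_pin_function() that registered the callback" would keep the two in step.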
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 32f6a8a..6440f0c 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -1987,23 +1987,23 @@ retrieve_pin_from_callback (const struct pin_info_st 
*pin_info,
 
   if (user_type == CKU_USER)
     {
-      flags |= GNUTLS_PKCS11_PIN_USER;
+      flags |= GNUTLS_PIN_USER;
       if (token_info->flags & CKF_USER_PIN_COUNT_LOW)
-        flags |= GNUTLS_PKCS11_PIN_COUNT_LOW;
+        flags |= GNUTLS_PIN_COUNT_LOW;
       if (token_info->flags & CKF_USER_PIN_FINAL_TRY)
-        flags |= GNUTLS_PKCS11_PIN_FINAL_TRY;
+        flags |= GNUTLS_PIN_FINAL_TRY;
     }
   else if (user_type == CKU_SO)
     {
-      flags |= GNUTLS_PKCS11_PIN_SO;
+      flags |= GNUTLS_PIN_SO;
       if (token_info->flags & CKF_SO_PIN_COUNT_LOW)
-        flags |= GNUTLS_PKCS11_PIN_COUNT_LOW;
+        flags |= GNUTLS_PIN_COUNT_LOW;
       if (token_info->flags & CKF_SO_PIN_FINAL_TRY)
-        flags |= GNUTLS_PKCS11_PIN_FINAL_TRY;
+        flags |= GNUTLS_PIN_FINAL_TRY;
     }
 
   if (attempts > 0)
-    flags |= GNUTLS_PKCS11_PIN_WRONG;
+    flags |= GNUTLS_PIN_WRONG;
 
   if (pin_info && pin_info->cb)
     ret = pin_info->cb (pin_info->data, attempts, (char*)token_str, label,
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index 5717b99..b5bf727 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -784,8 +784,8 @@ gnutls_pkcs11_token_set_pin (const char *token_url,
       return ret;
     }
 
-  if (((flags & GNUTLS_PKCS11_PIN_USER) && oldpin == NULL) ||
-      (flags & GNUTLS_PKCS11_PIN_SO))
+  if (((flags & GNUTLS_PIN_USER) && oldpin == NULL) ||
+      (flags & GNUTLS_PIN_SO))
     ses_flags = SESSION_WRITE | SESSION_LOGIN | SESSION_SO;
   else
     ses_flags = SESSION_WRITE | SESSION_LOGIN;
diff --git a/lib/tpm.c b/lib/tpm.c
index 2c00787..976fee8 100644
--- a/lib/tpm.c
+++ b/lib/tpm.c
@@ -185,7 +185,7 @@ char* url = NULL;
 int ret;
 
   if (attempts > 0) 
-    flags |= GNUTLS_PKCS11_PIN_WRONG;
+    flags |= GNUTLS_PIN_WRONG;
     
   if (uuid)
     {
diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
index d66f91a..ebbf954 100644
--- a/lib/x509/pkcs12.c
+++ b/lib/x509/pkcs12.c
@@ -1388,8 +1388,7 @@ skip:
  * and both may be set to %NULL. If either is non-%NULL, then both must
  * be.
  * 
- * MAC:ed PKCS#12 files are supported.  Encrypted PKCS#12 bags are
- * supported.  Encrypted PKCS#8 private keys are supported.  However,
+ * Encrypted PKCS#12 bags and PKCS#8 private keys are supported.  However,
  * only password based security, and the same password for all
  * operations, are supported.
  *
diff --git a/src/common.c b/src/common.c
index 4b58d94..3928491 100644
--- a/src/common.c
+++ b/src/common.c
@@ -1068,23 +1068,23 @@ pin_callback (void *user, int attempt, const char 
*token_url,
   static char *cached_url = NULL;
   static char cached_pin[32] = "";
 
-  if (flags & GNUTLS_PKCS11_PIN_SO)
+  if (flags & GNUTLS_PIN_SO)
     desc = "security officer";
   else
     desc = "user";
 
-  if (flags & GNUTLS_PKCS11_PIN_FINAL_TRY)
+  if (flags & GNUTLS_PIN_FINAL_TRY)
     {
       cache = 0;
       printf ("*** This is the final try before locking!\n");
     }
-  if (flags & GNUTLS_PKCS11_PIN_COUNT_LOW)
+  if (flags & GNUTLS_PIN_COUNT_LOW)
     {
       cache = 0;
       printf ("*** Only few tries left before locking!\n");
     }
 
-  if (flags & GNUTLS_PKCS11_PIN_WRONG)
+  if (flags & GNUTLS_PIN_WRONG)
     {
       cache = 0;
       printf ("*** Wrong PIN has been provided!\n");
diff --git a/src/pkcs11.c b/src/pkcs11.c
index 36a2919..203dafa 100644
--- a/src/pkcs11.c
+++ b/src/pkcs11.c
@@ -614,7 +614,7 @@ pkcs11_init (FILE * outfile, const char *url, const char 
*label,
       exit (1);
     }
 
-  ret = gnutls_pkcs11_token_set_pin (url, NULL, pin, GNUTLS_PKCS11_PIN_USER);
+  ret = gnutls_pkcs11_token_set_pin (url, NULL, pin, GNUTLS_PIN_USER);
   if (ret < 0)
     {
       fprintf (stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
diff --git a/tests/openpgp-auth.c b/tests/openpgp-auth.c
index 503519a..548d511 100644
--- a/tests/openpgp-auth.c
+++ b/tests/openpgp-auth.c
@@ -60,7 +60,7 @@ doit ()
   int err, i;
   int sockets[2];
   const char *srcdir;
-  char *pub_key_path, *priv_key_path;
+  char pub_key_path[512], priv_key_path[512];
   pid_t child;
 
   gnutls_global_init ();
@@ -87,12 +87,16 @@ doit ()
       if (err != 0)
         fail ("socketpair %s\n", strerror (errno));
 
-      pub_key_path = malloc (strlen (srcdir) + strlen (pub_key_file) + 2);
+      if (sizeof(pub_key_path) < strlen (srcdir) + strlen (pub_key_file) + 2)
+        abort();
+
       strcpy (pub_key_path, srcdir);
       strcat (pub_key_path, "/");
       strcat (pub_key_path, pub_key_file);
 
-      priv_key_path = malloc (strlen (srcdir) + strlen (priv_key_file) + 2);
+      if (sizeof(priv_key_path) < strlen (srcdir) + strlen (priv_key_file) + 2)
+        abort();
+
       strcpy (priv_key_path, srcdir);
       strcat (priv_key_path, "/");
       strcat (priv_key_path, priv_key_file);
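Review bot: The new `sizeof(pub_key_path) < strlen (srcdir) + strlen (pub_key_file) + 2` guard is arithmetically right for the three unbounded strcpy/strcat calls that follow it, but the bound lives in a separate statement from the writes, so any later change to the path format has to remember to update the sum by hand. A single bounded write keeps the check and the copy in one place: `if ((size_t) snprintf (pub_key_path, sizeof pub_key_path, "%s/%s", srcdir, pub_key_file) >= sizeof pub_key_path)` followed by `abort ();`, with the same two lines for priv_key_path; this assumes <stdio.h> is already included, which the test's other output calls suggest. The same pattern appears in the matching hunk of tests/openpgp-auth2.c. The enclosing doit() continues outside this hunk.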
@@ -267,8 +271,6 @@ doit ()
 
     }
 
-  free(pub_key_path);
-  free(priv_key_path);
   gnutls_global_deinit ();
 }
 #else
diff --git a/tests/openpgp-auth2.c b/tests/openpgp-auth2.c
index 8877df5..79a7ad9 100644
--- a/tests/openpgp-auth2.c
+++ b/tests/openpgp-auth2.c
@@ -69,7 +69,7 @@ doit ()
   int err;
   int sockets[2];
   const char *srcdir;
-  char *pub_key_path, *priv_key_path;
+  char pub_key_path[512], priv_key_path[512];
   pid_t child;
 
   gnutls_global_init ();
@@ -86,12 +86,16 @@ doit ()
   if (err != 0)
     fail ("socketpair %s\n", strerror (errno));
 
-  pub_key_path = malloc (strlen (srcdir) + strlen (pub_key_file) + 2);
+  if (sizeof(pub_key_path) < strlen (srcdir) + strlen (pub_key_file) + 2)
+    abort();
+
   strcpy (pub_key_path, srcdir);
   strcat (pub_key_path, "/");
   strcat (pub_key_path, pub_key_file);
 
-  priv_key_path = malloc (strlen (srcdir) + strlen (priv_key_file) + 2);
+  if (sizeof(priv_key_path) < strlen (srcdir) + strlen (priv_key_file) + 2)
+    abort();
+
   strcpy (priv_key_path, srcdir);
   strcat (priv_key_path, "/");
   strcat (priv_key_path, priv_key_file);
@@ -250,8 +254,6 @@ doit ()
         fail ("child failed: %d\n", status);
     }
 
-  free(pub_key_path);
-  free(priv_key_path);
   gnutls_global_deinit ();
 }
 #else


hooks/post-receive
-- 
GNU gnutls


