From: Nikos Mavrogiannopoulos Date: Fri, 13 Jul 2012 15:22:06 +0000 (+0200) Subject: Added flag to disable the use of callbacks in TPM keys. X-Git-Tag: gnutls_3_1_0pre0~65 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9eac1c562bdcf72b1cdc77026553f23aefc00f1b;p=thirdparty%2Fgnutls.git Added flag to disable the use of callbacks in TPM keys. --- diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h index 754019993f..562e30c3ef 100644 --- a/lib/includes/gnutls/abstract.h +++ b/lib/includes/gnutls/abstract.h @@ -78,7 +78,8 @@ int gnutls_pubkey_import_tpm_raw (gnutls_pubkey_t pkey, const gnutls_datum_t * fdata, gnutls_x509_crt_fmt_t format, - const char *srk_password); + const char *srk_password, + unsigned int flags); int gnutls_pubkey_get_preferred_hash_algorithm (gnutls_pubkey_t key, gnutls_digest_algorithm_t * @@ -149,6 +150,10 @@ int gnutls_x509_crt_set_pubkey (gnutls_x509_crt_t crt, gnutls_pubkey_t key); int gnutls_x509_crq_set_pubkey (gnutls_x509_crq_t crq, gnutls_pubkey_t key); #define GNUTLS_PUBKEY_VERIFY_FLAG_TLS_RSA 1 +/* The following flag disables call to PIN callbacks etc. + * Only works for TPM keys. + */ +#define GNUTLS_PUBKEY_DISABLE_CALLBACKS (1<<2) int gnutls_pubkey_verify_hash2 (gnutls_pubkey_t key, gnutls_sign_algorithm_t algo, @@ -179,6 +184,10 @@ gnutls_privkey_type_t gnutls_privkey_get_type (gnutls_privkey_t key); #define GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE (1<<0) #define GNUTLS_PRIVKEY_IMPORT_COPY (1<<1) +/* The following flag disables call to PIN callbacks etc. + * Only works for TPM keys. + */ +#define GNUTLS_PRIVKEY_DISABLE_CALLBACKS (1<<2) int gnutls_privkey_import_pkcs11 (gnutls_privkey_t pkey, gnutls_pkcs11_privkey_t key, unsigned int flags); @@ -205,7 +214,7 @@ gnutls_privkey_import_tpm_raw (gnutls_privkey_t pkey, const gnutls_datum_t * fdata, gnutls_x509_crt_fmt_t format, const char *srk_password, - const char *tpm_password); + const char *tpm_password, unsigned int flags); int gnutls_privkey_import_tpm_url (gnutls_privkey_t pkey, diff --git a/lib/tpm.c b/lib/tpm.c index ecff8e4724..c9cdbd349d 100644 --- a/lib/tpm.c +++ b/lib/tpm.c @@ -517,11 +517,9 @@ out_ctx: * @key_password: A password for the key (optional) * * This function will import the given private key to the abstract - * #gnutls_privkey_t structure. If a password is needed to access - * TPM then or the provided password is wrong, then - * %GNUTLS_E_TPM_SRK_PASSWORD_ERROR is returned. If the key password - * is wrong or not provided then %GNUTLS_E_TPM_KEY_PASSWORD_ERROR - * is returned. + * #gnutls_privkey_t structure. + * + * With respect to passwords the same as in gnutls_privkey_import_tpm_url() apply. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. @@ -534,9 +532,13 @@ gnutls_privkey_import_tpm_raw (gnutls_privkey_t pkey, const gnutls_datum_t * fdata, gnutls_x509_crt_fmt_t format, const char *srk_password, - const char *key_password) + const char *key_password, + unsigned int flags) { - return import_tpm_key_cb(pkey, fdata, format, NULL, srk_password, key_password); + if (flags & GNUTLS_PRIVKEY_DISABLE_CALLBACKS) + return import_tpm_key(pkey, fdata, format, NULL, srk_password, key_password); + else + return import_tpm_key_cb(pkey, fdata, format, NULL, srk_password, key_password); } struct tpmkey_url_st @@ -783,12 +785,16 @@ cleanup: * @url: The URL of the TPM key to be imported * @srk_password: The password for the SRK key (optional) * @key_password: A password for the key (optional) - * @flags: should be zero + * @flags: One of the %GNUTLS_PRIVKEY flags * * This function will import the given private key to the abstract - * #gnutls_privkey_t structure. If a password is needed to access - * TPM then or the provided password is wrong, then - * %GNUTLS_E_TPM_SRK_PASSWORD_ERROR is returned. If the key password + * #gnutls_privkey_t structure. + * + * Note that unless %GNUTLS_PRIVKEY_DISABLE_CALLBACKS + * is specified, if incorrect (or NULL) passwords are given + * the PKCS11 callback functions will be used to obtain the + * correct passwords. Otherwise if the SRK password is wrong + * %GNUTLS_E_TPM_SRK_PASSWORD_ERROR is returned and if the key password * is wrong or not provided then %GNUTLS_E_TPM_KEY_PASSWORD_ERROR * is returned. * @@ -823,7 +829,7 @@ int ret; } ret = gnutls_privkey_import_tpm_raw (pkey, &fdata, GNUTLS_X509_FMT_PEM, - srk_password, key_password); + srk_password, key_password, flags); if (ret < 0) { gnutls_assert(); @@ -832,7 +838,10 @@ int ret; } else if (durl.uuid_set) { - ret = import_tpm_key_cb (pkey, NULL, 0, &durl.uuid, srk_password, key_password); + if (flags & GNUTLS_PRIVKEY_DISABLE_CALLBACKS) + ret = import_tpm_key (pkey, NULL, 0, &durl.uuid, srk_password, key_password); + else + ret = import_tpm_key_cb (pkey, NULL, 0, &durl.uuid, srk_password, key_password); if (ret < 0) { gnutls_assert(); @@ -1035,11 +1044,12 @@ int ret; * @format: The format of the private key * @srk_password: The password for the SRK key (optional) * @key_password: A password for the key (optional) + * @flags: One of the %GNUTLS_PUBKEY flags * * This function will import the public key from the provided - * TPM key structure. If a password is needed to decrypt - * the provided key or the provided password is wrong, then - * %GNUTLS_E_TPM_SRK_PASSWORD_ERROR is returned. + * TPM key structure. + * + * With respect to passwords the same as in gnutls_pubkey_import_tpm_url() apply. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. @@ -1051,9 +1061,13 @@ int gnutls_pubkey_import_tpm_raw (gnutls_pubkey_t pkey, const gnutls_datum_t * fdata, gnutls_x509_crt_fmt_t format, - const char *srk_password) + const char *srk_password, + unsigned int flags) { - return import_tpm_pubkey_cb(pkey, fdata, format, NULL, srk_password); + if (flags & GNUTLS_PUBKEY_DISABLE_CALLBACKS) + return import_tpm_pubkey_cb(pkey, fdata, format, NULL, srk_password); + else + return import_tpm_pubkey(pkey, fdata, format, NULL, srk_password); } /** @@ -1064,9 +1078,13 @@ gnutls_pubkey_import_tpm_raw (gnutls_pubkey_t pkey, * @flags: should be zero * * This function will import the given private key to the abstract - * #gnutls_privkey_t structure. If a password is needed to access - * TPM then or the provided password is wrong, then - * %GNUTLS_E_TPM_SRK_PASSWORD_ERROR is returned. + * #gnutls_privkey_t structure. + * + * Note that unless %GNUTLS_PUBKEY_DISABLE_CALLBACKS + * is specified, if incorrect (or NULL) passwords are given + * the PKCS11 callback functions will be used to obtain the + * correct passwords. Otherwise if the SRK password is wrong + * %GNUTLS_E_TPM_SRK_PASSWORD_ERROR is returned. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. @@ -1099,7 +1117,7 @@ int ret; } ret = gnutls_pubkey_import_tpm_raw (pkey, &fdata, GNUTLS_X509_FMT_PEM, - srk_password); + srk_password, flags); if (ret < 0) { gnutls_assert(); @@ -1108,7 +1126,10 @@ int ret; } else if (durl.uuid_set) { - ret = import_tpm_pubkey_cb (pkey, NULL, 0, &durl.uuid, srk_password); + if (flags & GNUTLS_PUBKEY_DISABLE_CALLBACKS) + ret = import_tpm_pubkey (pkey, NULL, 0, &durl.uuid, srk_password); + else + ret = import_tpm_pubkey_cb (pkey, NULL, 0, &durl.uuid, srk_password); if (ret < 0) { gnutls_assert();