authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-06-19 10:14:26 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-06-19 11:16:00 +0200
commite5254397345dd340d87625cbeb92cbe4b9f3b103 (patch)
tree5640a8584e99f100a085367c0c91d31049e946ca
parent847d8fe8b4cc7e829d6b1370f53735e546c6704c (diff)
downloadgnutls-e5254397345dd340d87625cbeb92cbe4b9f3b103.tar.gz
pkcs11: login prior to the operation not the initialization
That ensures that re-authentication is performed at the appropriate stage of the operation. Brings the PKCS#11 support on par with the 3.5.x branch. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/pkcs11_privkey.c48
1 files changed, 24 insertions, 24 deletions
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index a97a7f5591..e4a540f93c 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -235,18 +235,6 @@ _gnutls_pkcs11_privkey_sign_hash(gnutls_pkcs11_privkey_t key,
PKCS11_CHECK_INIT_PRIVKEY(key);
- retry_login:
- if (key->reauth || req_login) {
- ret =
- pkcs11_login(&key->sinfo, &key->pin,
- key->uinfo, 0, 1-req_login);
- if (ret < 0) {
- gnutls_assert();
- _gnutls_debug_log("PKCS #11 login failed, trying operation anyway\n");
- /* let's try the operation anyway */
- }
- }
-
sinfo = &key->sinfo;
mech.mechanism = pk_to_mech(key->pk_algorithm);
@@ -262,6 +250,18 @@ _gnutls_pkcs11_privkey_sign_hash(gnutls_pkcs11_privkey_t key,
goto cleanup;
}
+ retry_login:
+ if (key->reauth || req_login) {
+ ret =
+ pkcs11_login(&key->sinfo, &key->pin,
+ key->uinfo, 0, 1-req_login);
+ if (ret < 0) {
+ gnutls_assert();
+ _gnutls_debug_log("PKCS #11 login failed, trying operation anyway\n");
+ /* let's try the operation anyway */
+ }
+ }
+
/* Work out how long the signature must be: */
rv = pkcs11_sign(sinfo->module, sinfo->pks, hash->data, hash->size,
NULL, &siglen);
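Review bot: The fallback branch after the `pkcs11_login` call discards the error code and proceeds regardless, so a failed re-authentication on the retry path (`req_login` set) is indistinguishable in the debug log from the first best-effort attempt; the same block is added to `_gnutls_pkcs11_privkey_decrypt_data` in the last hunk. Logging the code, `_gnutls_debug_log("PKCS #11 login failed (%d), trying operation anyway\n", ret);`, would make a repeated refusal visible when diagnosing a token that rejects the PIN. The `goto retry_login` that presumably follows a not-logged-in result from the operation is outside this hunk, as `_gnutls_pkcs11_privkey_sign_hash` continues past it; if that jump is not gated on `req_login` already being set, a token that keeps refusing the login would retry without bound, which is worth confirming now that the label sits after the operation setup. Since the block is now byte-identical in both functions, hoisting it into a `static` helper taking `key` and `req_login` would keep the two in step.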
@@ -488,18 +488,6 @@ _gnutls_pkcs11_privkey_decrypt_data(gnutls_pkcs11_privkey_t key,
if (key->pk_algorithm != GNUTLS_PK_RSA)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- retry_login:
- if (key->reauth || req_login) {
- ret =
- pkcs11_login(&key->sinfo, &key->pin,
- key->uinfo, 0, 1-req_login);
- if (ret < 0) {
- gnutls_assert();
- _gnutls_debug_log("PKCS #11 login failed, trying operation anyway\n");
- /* let's try the operation anyway */
- }
- }
-
mech.mechanism = CKM_RSA_PKCS;
mech.parameter = NULL;
mech.parameter_len = 0;
@@ -513,6 +501,18 @@ _gnutls_pkcs11_privkey_decrypt_data(gnutls_pkcs11_privkey_t key,
goto cleanup;
}
+ retry_login:
+ if (key->reauth || req_login) {
+ ret =
+ pkcs11_login(&key->sinfo, &key->pin,
+ key->uinfo, 0, 1-req_login);
+ if (ret < 0) {
+ gnutls_assert();
+ _gnutls_debug_log("PKCS #11 login failed, trying operation anyway\n");
+ /* let's try the operation anyway */
+ }
+ }
+
/* Work out how long the plaintext must be: */
rv = pkcs11_decrypt(key->sinfo.module, key->sinfo.pks, ciphertext->data,
ciphertext->size, NULL, &siglen);