diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-05-29 11:26:19 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-06-17 14:13:21 +0200 |
commit | 74abf3c0e908f101f9be18f572c522a6d8f7b8d2 (patch) | |
tree | 425d7e4712fff1b9dfd7c3b7d90b3cb7ed231684 | |
parent | f95a35c13db73bdee29572181df55044b65b0e5d (diff) | |
download | gnutls-74abf3c0e908f101f9be18f572c522a6d8f7b8d2.tar.gz |
pkcs11: simplified pkcs11_login()
By cleanups, as well as including the reauth flag in the flags option.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/pkcs11.c | 41 | ||||
-rw-r--r-- | lib/pkcs11_int.h | 4 | ||||
-rw-r--r-- | lib/pkcs11_privkey.c | 12 |
3 files changed, 29 insertions, 28 deletions
diff --git a/lib/pkcs11.c b/lib/pkcs11.c index 44783129df..13e0537485 100644 --- a/lib/pkcs11.c +++ b/lib/pkcs11.c @@ -1314,7 +1314,7 @@ pkcs11_open_session(struct pkcs11_session_info *sinfo, ret = pkcs11_login(sinfo, pin_info, info, - flags, 0); + flags); if (ret < 0) { gnutls_assert(); pkcs11_close_session(sinfo); @@ -1395,7 +1395,7 @@ _pkcs11_traverse_tokens(find_func_t find_func, void *input, ret = pkcs11_login(&sinfo, pin_info, - info, flags, 0); + info, flags); if (ret < 0) { gnutls_assert(); return ret; @@ -2525,8 +2525,7 @@ int pkcs11_login(struct pkcs11_session_info *sinfo, struct pin_info_st *pin_info, struct p11_kit_uri *info, - unsigned flags, - unsigned reauth) + unsigned flags) { struct ck_session_info session_info; int attempt = 0, ret; @@ -2538,18 +2537,18 @@ pkcs11_login(struct pkcs11_session_info *sinfo, return 0; } - if (!(flags & SESSION_SO)) { - if (reauth == 0) - user_type = CKU_USER; - else - user_type = CKU_CONTEXT_SPECIFIC; - } else + if (flags & SESSION_SO) { user_type = CKU_SO; + } else if (flags & SESSION_CONTEXT_SPECIFIC) { + user_type = CKU_CONTEXT_SPECIFIC; + } else { + user_type = CKU_USER; + } if (!(flags & (SESSION_FORCE_LOGIN|SESSION_SO)) && !(sinfo->tinfo.flags & CKF_LOGIN_REQUIRED)) { gnutls_assert(); - _gnutls_debug_log("p11: No login required.\n"); + _gnutls_debug_log("p11: No login required in token.\n"); return 0; } @@ -2578,15 +2577,17 @@ pkcs11_login(struct pkcs11_session_info *sinfo, memcpy(&tinfo, &sinfo->tinfo, sizeof(tinfo)); /* Check whether the session is already logged in, and if so, just skip */ - rv = (sinfo->module)->C_GetSessionInfo(sinfo->pks, - &session_info); - if (rv == CKR_OK && reauth == 0 && - (session_info.state == CKS_RO_USER_FUNCTIONS - || session_info.state == CKS_RW_USER_FUNCTIONS)) { - ret = 0; - _gnutls_debug_log - ("p11: Already logged in\n"); - goto cleanup; + if (!(flags & SESSION_CONTEXT_SPECIFIC)) { + rv = (sinfo->module)->C_GetSessionInfo(sinfo->pks, + &session_info); + if (rv == CKR_OK && + (session_info.state == CKS_RO_USER_FUNCTIONS + || session_info.state == CKS_RW_USER_FUNCTIONS)) { + ret = 0; + _gnutls_debug_log + ("p11: Already logged in\n"); + goto cleanup; + } } /* If login has been attempted once already, check the token diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h index 60a1494af6..885a69ff00 100644 --- a/lib/pkcs11_int.h +++ b/lib/pkcs11_int.h @@ -111,8 +111,7 @@ int pkcs11_get_info(struct p11_kit_uri *info, size_t * output_size); int pkcs11_login(struct pkcs11_session_info *sinfo, struct pin_info_st *pin_info, - struct p11_kit_uri *info, unsigned so, - unsigned reauth); + struct p11_kit_uri *info, unsigned flags); int pkcs11_call_token_func(struct p11_kit_uri *info, const unsigned retry); @@ -132,6 +131,7 @@ _gnutls_x509_crt_import_pkcs11_url(gnutls_x509_crt_t crt, #define SESSION_SO (1<<2) /* security officer session */ #define SESSION_TRUSTED (1<<3) /* session on a marked as trusted (p11-kit) module */ #define SESSION_FORCE_LOGIN (1<<4) /* force login even when CFK_LOGIN_REQUIRED is not set */ +#define SESSION_CONTEXT_SPECIFIC (1<<5) int pkcs11_open_session(struct pkcs11_session_info *sinfo, struct pin_info_st *pin_info, diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c index 728d9c0a2a..0b042463c8 100644 --- a/lib/pkcs11_privkey.c +++ b/lib/pkcs11_privkey.c @@ -291,7 +291,7 @@ _gnutls_pkcs11_privkey_sign_hash(gnutls_pkcs11_privkey_t key, unsigned long siglen; struct pkcs11_session_info *sinfo; unsigned req_login = 0; - unsigned login_flags = SESSION_LOGIN; + unsigned login_flags = SESSION_LOGIN|SESSION_CONTEXT_SPECIFIC; PKCS11_CHECK_INIT_PRIVKEY(key); @@ -317,11 +317,11 @@ _gnutls_pkcs11_privkey_sign_hash(gnutls_pkcs11_privkey_t key, retry_login: if (key->reauth || req_login) { if (req_login) - login_flags |= SESSION_FORCE_LOGIN; + login_flags = SESSION_LOGIN|SESSION_FORCE_LOGIN; ret = pkcs11_login(&key->sinfo, &key->pin, - key->uinfo, login_flags, 1-req_login); + key->uinfo, login_flags); if (ret < 0) { gnutls_assert(); _gnutls_debug_log("PKCS #11 login failed, trying operation anyway\n"); @@ -564,7 +564,7 @@ _gnutls_pkcs11_privkey_decrypt_data(gnutls_pkcs11_privkey_t key, struct ck_mechanism mech; unsigned long siglen; unsigned req_login = 0; - unsigned login_flags = SESSION_LOGIN; + unsigned login_flags = SESSION_LOGIN|SESSION_CONTEXT_SPECIFIC; PKCS11_CHECK_INIT_PRIVKEY(key); @@ -591,11 +591,11 @@ _gnutls_pkcs11_privkey_decrypt_data(gnutls_pkcs11_privkey_t key, retry_login: if (key->reauth || req_login) { if (req_login) - login_flags |= SESSION_FORCE_LOGIN; + login_flags = SESSION_LOGIN|SESSION_FORCE_LOGIN; ret = pkcs11_login(&key->sinfo, &key->pin, - key->uinfo, login_flags, 1-req_login); + key->uinfo, login_flags); if (ret < 0) { gnutls_assert(); _gnutls_debug_log("PKCS #11 login failed, trying operation anyway\n"); |