authorNikos Mavrogiannopoulos <nmav@gnutls.org>2017-10-21 14:53:37 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-10-21 14:53:53 +0200
commit1b98c73104364c6b57d56b76b9faa01148deaaf1 (patch)
tree1f2a2e41180977309ff0bbdaa9fd484638767882
parent0e75070b189bae947d53360913049248441a84d7 (diff)
pkcs11: forward token flags to applications
That is, gnutls_pkcs11_token_get_flags() will now return the most common and useful PKCS#11 token flags, in addition to the existing trusted and HW flags. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r--lib/includes/gnutls/pkcs11.h13
-rw-r--r--lib/pkcs11.c46
2 files changed, 58 insertions, 1 deletions
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index 1ea635ed73..c3db2181aa 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -373,6 +373,19 @@ int gnutls_pkcs11_token_get_info(const char *url,
#define GNUTLS_PKCS11_TOKEN_HW 1
#define GNUTLS_PKCS11_TOKEN_TRUSTED (1<<1) /* p11-kit trusted */
+#define GNUTLS_PKCS11_TOKEN_RNG (1<<2) /* CKF_RNG */
+#define GNUTLS_PKCS11_TOKEN_LOGIN_REQUIRED (1<<3) /* CKF_LOGIN_REQUIRED */
+#define GNUTLS_PKCS11_TOKEN_PROTECTED_AUTHENTICATION_PATH (1<<4) /* CKF_PROTECTED_AUTHENTICATION_PATH */
+#define GNUTLS_PKCS11_TOKEN_INITIALIZED (1<<5) /* CKF_TOKEN_INITIALIZED */
+#define GNUTLS_PKCS11_TOKEN_USER_PIN_COUNT_LOW (1<<6) /* CKF_USER_PIN_COUNT_LOW */
+#define GNUTLS_PKCS11_TOKEN_USER_PIN_FINAL_TRY (1<<7) /* CKF_USER_PIN_FINAL_TRY */
+#define GNUTLS_PKCS11_TOKEN_USER_PIN_LOCKED (1<<8) /* CKF_USER_PIN_LOCKED */
+#define GNUTLS_PKCS11_TOKEN_SO_PIN_COUNT_LOW (1<<9) /* CKF_SO_PIN_COUNT_LOW */
+#define GNUTLS_PKCS11_TOKEN_SO_PIN_FINAL_TRY (1<<10) /* CKF_SO_PIN_FINAL_TRY */
+#define GNUTLS_PKCS11_TOKEN_SO_PIN_LOCKED (1<<11) /* CKF_SO_PIN_LOCKED */
+#define GNUTLS_PKCS11_TOKEN_USER_PIN_INITIALIZED (1<<12) /* CKF_USER_PIN_INITIALIZED */
+#define GNUTLS_PKCS11_TOKEN_ERROR_STATE (1<<13) /* CKF_ERROR_STATE */
+
int gnutls_pkcs11_token_get_flags(const char *url, unsigned int *flags);
#define gnutls_pkcs11_obj_list_import_url(p_list, n_list, url, attrs, flags) gnutls_pkcs11_obj_list_import_url3(p_list, n_list, url, attrs|flags)
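Review bot: The twelve new public constants carry only the CKF_ name they mirror, and nothing tells an application that the GNUTLS_PKCS11_TOKEN_* bit positions are GnuTLS's own rather than the PKCS#11 CK_TOKEN_INFO bits (the per-flag remapping in lib/pkcs11.c is what translates between them), so a value taken straight from C_GetTokenInfo must never be compared against these; a short block comment above the group would prevent that, e.g. `/* Token flags reported by gnutls_pkcs11_token_get_flags(); the bit values are GnuTLS-specific and not interchangeable with the CKF_* constants they correspond to */`. GNUTLS_PKCS11_TOKEN_ERROR_STATE is declared unconditionally here, but the matching line in lib/pkcs11.c sets it only when the PKCS#11 headers GnuTLS was built against define CKF_ERROR_STATE, which is worth saying on the definition, e.g. `/* CKF_ERROR_STATE; only reported when built against PKCS#11 headers that define it */`. For uniformity the older GNUTLS_PKCS11_TOKEN_HW line could gain the same style of annotation, `/* CKF_HW_SLOT (slot flag) */`, since it is the one flag in this group that comes from the slot info rather than the token info.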
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 52836fece8..e014a6b5f8 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -59,7 +59,8 @@ struct gnutls_pkcs11_provider_st {
struct find_flags_data_st {
struct p11_kit_uri *info;
- unsigned int slot_flags;
+ unsigned int slot_flags; /* Slot Information Flags */
+ unsigned int token_flags; /* Token Information Flags */
unsigned int trusted;
};
@@ -3360,6 +3361,7 @@ find_flags_cb(struct ck_function_list *module, struct pkcs11_session_info *sinfo
else
find_data->trusted = 0;
find_data->slot_flags = sinfo->slot_info.flags;
+ find_data->token_flags = sinfo->tinfo.flags;
return 0;
}
@@ -3402,9 +3404,51 @@ int gnutls_pkcs11_token_get_flags(const char *url, unsigned int *flags)
}
*flags = 0;
+
+ /* read slot flags */
if (find_data.slot_flags & CKF_HW_SLOT)
*flags |= GNUTLS_PKCS11_TOKEN_HW;
+ /* read token flags */
+ if (find_data.token_flags & CKF_RNG)
+ *flags |= GNUTLS_PKCS11_TOKEN_RNG;
+
+ if (find_data.token_flags & CKF_LOGIN_REQUIRED)
+ *flags |= GNUTLS_PKCS11_TOKEN_LOGIN_REQUIRED;
+
+ if (find_data.token_flags & CKF_PROTECTED_AUTHENTICATION_PATH)
+ *flags |= GNUTLS_PKCS11_TOKEN_PROTECTED_AUTHENTICATION_PATH;
+
+ if (find_data.token_flags & CKF_TOKEN_INITIALIZED)
+ *flags |= GNUTLS_PKCS11_TOKEN_INITIALIZED;
+
+ if (find_data.token_flags & CKF_USER_PIN_COUNT_LOW)
+ *flags |= GNUTLS_PKCS11_TOKEN_USER_PIN_COUNT_LOW;
+
+ if (find_data.token_flags & CKF_USER_PIN_FINAL_TRY)
+ *flags |= GNUTLS_PKCS11_TOKEN_USER_PIN_FINAL_TRY;
+
+ if (find_data.token_flags & CKF_USER_PIN_LOCKED)
+ *flags |= GNUTLS_PKCS11_TOKEN_USER_PIN_LOCKED;
+
+ if (find_data.token_flags & CKF_SO_PIN_COUNT_LOW)
+ *flags |= GNUTLS_PKCS11_TOKEN_SO_PIN_COUNT_LOW;
+
+ if (find_data.token_flags & CKF_SO_PIN_FINAL_TRY)
+ *flags |= GNUTLS_PKCS11_TOKEN_SO_PIN_FINAL_TRY;
+
+ if (find_data.token_flags & CKF_SO_PIN_LOCKED)
+ *flags |= GNUTLS_PKCS11_TOKEN_SO_PIN_LOCKED;
+
+ if (find_data.token_flags & CKF_USER_PIN_INITIALIZED)
+ *flags |= GNUTLS_PKCS11_TOKEN_USER_PIN_INITIALIZED;
+
+#ifdef CKF_ERROR_STATE
+ if (find_data.token_flags & CKF_ERROR_STATE)
+ *flags |= GNUTLS_PKCS11_TOKEN_ERROR_STATE;
+#endif
+
+ /* other flags */
if (find_data.trusted != 0)
*flags |= GNUTLS_PKCS11_TOKEN_TRUSTED;
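Review bot: GNUTLS_PKCS11_TOKEN_ERROR_STATE is only ever set inside the `#ifdef CKF_ERROR_STATE` block near the end of the hunk while the public header defines it unconditionally, so a GnuTLS built against older PKCS#11 headers will never report it and an application cannot tell "token healthy" from "not reported on this build"; at minimum the `#ifdef` deserves a comment such as `/* CKF_ERROR_STATE is absent from older PKCS#11 headers; on such builds the token's error state is silently never reported */`. The PIN-counter flags (USER_PIN_COUNT_LOW, USER_PIN_FINAL_TRY, USER_PIN_LOCKED and the SO equivalents) are a snapshot of the token info at the time of the call and change with every failed login, so a caller that consults them to decide whether another PIN attempt is safe should re-query immediately before logging in rather than cache the result; that caveat, and the list of new flags, belong in the doc comment of gnutls_pkcs11_token_get_flags, which sits above this hunk and presumably still describes only the HW and TRUSTED bits. The function begins outside the hunk; as a point of style, the eleven near-identical `if (find_data.token_flags & CKF_X) *flags |= GNUTLS_PKCS11_TOKEN_X;` pairs could be a static table walked in a loop, which keeps the header list and this mapping from drifting apart as further flags are forwarded.
```c
	/* read token flags: translate the CK_TOKEN_INFO bits we expose into
	 * the GnuTLS-specific GNUTLS_PKCS11_TOKEN_* bit positions */
	static const struct {
		unsigned int ck;
		unsigned int gnutls;
	} token_flag_map[] = {
		{ CKF_RNG, GNUTLS_PKCS11_TOKEN_RNG },
		{ CKF_LOGIN_REQUIRED, GNUTLS_PKCS11_TOKEN_LOGIN_REQUIRED },
		{ CKF_PROTECTED_AUTHENTICATION_PATH, GNUTLS_PKCS11_TOKEN_PROTECTED_AUTHENTICATION_PATH },
		{ CKF_TOKEN_INITIALIZED, GNUTLS_PKCS11_TOKEN_INITIALIZED },
		{ CKF_USER_PIN_COUNT_LOW, GNUTLS_PKCS11_TOKEN_USER_PIN_COUNT_LOW },
		{ CKF_USER_PIN_FINAL_TRY, GNUTLS_PKCS11_TOKEN_USER_PIN_FINAL_TRY },
		{ CKF_USER_PIN_LOCKED, GNUTLS_PKCS11_TOKEN_USER_PIN_LOCKED },
		{ CKF_SO_PIN_COUNT_LOW, GNUTLS_PKCS11_TOKEN_SO_PIN_COUNT_LOW },
		{ CKF_SO_PIN_FINAL_TRY, GNUTLS_PKCS11_TOKEN_SO_PIN_FINAL_TRY },
		{ CKF_SO_PIN_LOCKED, GNUTLS_PKCS11_TOKEN_SO_PIN_LOCKED },
		{ CKF_USER_PIN_INITIALIZED, GNUTLS_PKCS11_TOKEN_USER_PIN_INITIALIZED },
#ifdef CKF_ERROR_STATE
		/* CKF_ERROR_STATE is absent from older PKCS#11 headers; on such
		 * builds the token's error state is silently never reported */
		{ CKF_ERROR_STATE, GNUTLS_PKCS11_TOKEN_ERROR_STATE },
#endif
	};
	unsigned i;

	for (i = 0; i < sizeof(token_flag_map) / sizeof(token_flag_map[0]); i++) {
		if (find_data.token_flags & token_flag_map[i].ck)
			*flags |= token_flag_map[i].gnutls;
	}
	/* … unchanged: CKF_HW_SLOT and trusted handling … */
```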