summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-05-29 11:26:19 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-06-16 15:07:53 +0000
commit4849d2a397192419b5dd2268c6eeea0e5421a6c3 (patch)
tree7277cf24c26158aa2066f25520c1da886fcb71e5
parent49a33f79c941a18d90a6dada9c32f526b1a5aa9c (diff)
downloadgnutls-4849d2a397192419b5dd2268c6eeea0e5421a6c3.tar.gz
pkcs11: simplified pkcs11_login()
By cleanups, as well as including the reauth flag in the flags option. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/pkcs11.c28
-rw-r--r--lib/pkcs11_int.h4
-rw-r--r--lib/pkcs11_privkey.c8
3 files changed, 19 insertions, 21 deletions
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 5785c4c782..b88b5af846 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -1345,7 +1345,7 @@ pkcs11_open_session(struct pkcs11_session_info *sinfo,
ret =
pkcs11_login(sinfo, pin_info, info,
- flags, 0);
+ flags);
if (ret < 0) {
gnutls_assert();
pkcs11_close_session(sinfo);
@@ -1426,7 +1426,7 @@ _pkcs11_traverse_tokens(find_func_t find_func, void *input,
ret =
pkcs11_login(&sinfo, pin_info,
- info, flags, 0);
+ info, flags);
if (ret < 0) {
gnutls_assert();
return ret;
@@ -2556,8 +2556,7 @@ int
pkcs11_login(struct pkcs11_session_info *sinfo,
struct pin_info_st *pin_info,
struct p11_kit_uri *info,
- unsigned flags,
- unsigned reauth)
+ unsigned flags)
{
struct ck_session_info session_info;
int attempt = 0, ret;
@@ -2569,18 +2568,18 @@ pkcs11_login(struct pkcs11_session_info *sinfo,
return 0;
}
- if (!(flags & SESSION_SO)) {
- if (reauth == 0)
- user_type = CKU_USER;
- else
- user_type = CKU_CONTEXT_SPECIFIC;
- } else
+ if (flags & SESSION_SO) {
user_type = CKU_SO;
+ } else if (flags & SESSION_CONTEXT_SPECIFIC) {
+ user_type = CKU_CONTEXT_SPECIFIC;
+ } else {
+ user_type = CKU_USER;
+ }
if (!(flags & (SESSION_FORCE_LOGIN|SESSION_SO)) &&
!(sinfo->tinfo.flags & CKF_LOGIN_REQUIRED)) {
gnutls_assert();
- _gnutls_debug_log("p11: No login required.\n");
+ _gnutls_debug_log("p11: No login required in token.\n");
return 0;
}
@@ -2611,7 +2610,7 @@ pkcs11_login(struct pkcs11_session_info *sinfo,
/* Check whether the session is already logged in, and if so, just skip */
rv = (sinfo->module)->C_GetSessionInfo(sinfo->pks,
&session_info);
- if (rv == CKR_OK && reauth == 0 &&
+ if (rv == CKR_OK && !(flags & SESSION_CONTEXT_SPECIFIC) &&
(session_info.state == CKS_RO_USER_FUNCTIONS
|| session_info.state == CKS_RW_USER_FUNCTIONS)) {
ret = 0;
@@ -2655,15 +2654,14 @@ pkcs11_login(struct pkcs11_session_info *sinfo,
login_finished:
_gnutls_debug_log("p11: Login result = %s (%lu)\n", (rv==0)?"ok":p11_kit_strerror(rv), rv);
- if (rv == CKR_USER_TYPE_INVALID && user_type == CKU_CONTEXT_SPECIFIC) {
+ if (unlikely(rv == CKR_USER_TYPE_INVALID && user_type == CKU_CONTEXT_SPECIFIC)) {
_gnutls_debug_log("p11: Retrying login with CKU_USER\n");
/* PKCS#11 v2.10 don't know about CKU_CONTEXT_SPECIFIC */
user_type = CKU_USER;
goto retry_login;
}
- ret = (rv == CKR_OK
- || rv ==
+ ret = (rv == CKR_OK || rv ==
CKR_USER_ALREADY_LOGGED_IN) ? 0 : pkcs11_rv_to_err(rv);
cleanup:
diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
index 60a1494af6..885a69ff00 100644
--- a/lib/pkcs11_int.h
+++ b/lib/pkcs11_int.h
@@ -111,8 +111,7 @@ int pkcs11_get_info(struct p11_kit_uri *info,
size_t * output_size);
int pkcs11_login(struct pkcs11_session_info *sinfo,
struct pin_info_st *pin_info,
- struct p11_kit_uri *info, unsigned so,
- unsigned reauth);
+ struct p11_kit_uri *info, unsigned flags);
int pkcs11_call_token_func(struct p11_kit_uri *info, const unsigned retry);
@@ -132,6 +131,7 @@ _gnutls_x509_crt_import_pkcs11_url(gnutls_x509_crt_t crt,
#define SESSION_SO (1<<2) /* security officer session */
#define SESSION_TRUSTED (1<<3) /* session on a marked as trusted (p11-kit) module */
#define SESSION_FORCE_LOGIN (1<<4) /* force login even when CFK_LOGIN_REQUIRED is not set */
+#define SESSION_CONTEXT_SPECIFIC (1<<5)
int pkcs11_open_session(struct pkcs11_session_info *sinfo,
struct pin_info_st *pin_info,
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index 51a20dc7be..07dc9e0a79 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -291,7 +291,7 @@ _gnutls_pkcs11_privkey_sign_hash(gnutls_pkcs11_privkey_t key,
unsigned long siglen;
struct pkcs11_session_info *sinfo;
unsigned retried_login = 0;
- unsigned flags = SESSION_LOGIN;
+ unsigned flags = SESSION_LOGIN|SESSION_CONTEXT_SPECIFIC;
PKCS11_CHECK_INIT_PRIVKEY(key);
@@ -320,7 +320,7 @@ _gnutls_pkcs11_privkey_sign_hash(gnutls_pkcs11_privkey_t key,
flags |= SESSION_FORCE_LOGIN;
ret =
pkcs11_login(&key->sinfo, &key->pin,
- key->uinfo, flags, 1);
+ key->uinfo, flags);
if (ret < 0) {
gnutls_assert();
_gnutls_debug_log("PKCS #11 login failed, trying operation anyway\n");
@@ -563,7 +563,7 @@ _gnutls_pkcs11_privkey_decrypt_data(gnutls_pkcs11_privkey_t key,
struct ck_mechanism mech;
unsigned long siglen;
unsigned retried_login = 0;
- unsigned login_flags = SESSION_LOGIN;
+ unsigned login_flags = SESSION_LOGIN|SESSION_CONTEXT_SPECIFIC;
PKCS11_CHECK_INIT_PRIVKEY(key);
@@ -593,7 +593,7 @@ _gnutls_pkcs11_privkey_decrypt_data(gnutls_pkcs11_privkey_t key,
login_flags |= SESSION_FORCE_LOGIN;
ret =
pkcs11_login(&key->sinfo, &key->pin,
- key->uinfo, login_flags, 1);
+ key->uinfo, login_flags);
if (ret < 0) {
gnutls_assert();
_gnutls_debug_log("PKCS #11 login failed, trying operation anyway\n");