authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-11-30 12:52:57 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-12-03 20:32:10 +0100
commit54d5988c5c816e35292fcd3cb630c045dc305876 (patch)
tree410eef39639126795392a8e73881af14a9fbc401 /lib/pkcs11_int.h
parent97f7d3156422b177dc5632bd8f59584d9a53044e (diff)
_gnutls_pkcs11_check_init: improved transition between states
The init_level_t for PKCS#11 modules was incorrectly handled as a linear state transition, causing a few cases in the transition to be handled incorrectly. Define the state transitions precisely and enforce them in _gnutls_pkcs11_check_init. That addresses a regression introduced by the previous state handling addition, which made it impossible to switch from the trusted state to all modules. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/pkcs11_int.h')
-rw-r--r--lib/pkcs11_int.h8
1 files changed, 6 insertions, 2 deletions
diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
index de9afbdee5..9ce7294b9d 100644
--- a/lib/pkcs11_int.h
+++ b/lib/pkcs11_int.h
@@ -86,10 +86,14 @@ typedef int (*pkcs11_reinit_function)(void *priv);
typedef enum init_level_t {
PROV_UNINITIALIZED = 0,
PROV_INIT_MANUAL,
+ PROV_INIT_MANUAL_TRUSTED,
PROV_INIT_TRUSTED,
PROV_INIT_ALL
} init_level_t;
+/* See _gnutls_pkcs11_check_init() for possible Transitions.
+ */
+
int _gnutls_pkcs11_check_init(init_level_t req_level, void *priv, pkcs11_reinit_function cb);
#define FIX_KEY_USAGE(pk, usage) \
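Review bot: The new `PROV_INIT_MANUAL_TRUSTED` enumerator is added in the middle of `init_level_t` with no description of the state it represents, and the added comment only points to the .c file. Since the commit message says the levels are no longer a linear scale, the header should say so where the type is declared, for example `/* Not an ordered scale: never compare levels with < or >; the allowed transitions are listed in _gnutls_pkcs11_check_init(). */` placed directly above the `typedef`. Inserting the value also renumbers `PROV_INIT_TRUSTED` and `PROV_INIT_ALL`, so any relational comparison on the level that remains elsewhere (not visible in this diff) would silently change meaning. The comment would also read better above the enum than between its closing brace and the prototype, with "transitions" in lower case.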
@@ -101,7 +105,7 @@ int _gnutls_pkcs11_check_init(init_level_t req_level, void *priv, pkcs11_reinit_
}
#define PKCS11_CHECK_INIT \
- ret = _gnutls_pkcs11_check_init(PROV_INIT_MANUAL, NULL, NULL); \
+ ret = _gnutls_pkcs11_check_init(PROV_INIT_ALL, NULL, NULL); \
if (ret < 0) \
return gnutls_assert_val(ret)
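Review bot: `PKCS11_CHECK_INIT` now requests `PROV_INIT_ALL` instead of `PROV_INIT_MANUAL`, and nothing in the header says what that request does when the application has already initialized its providers manually or with trusted modules only. Each PKCS#11 module is code loaded into the process, so whether this macro can pull in modules beyond the set the application chose is the security-relevant part of its contract. That behaviour lives in `_gnutls_pkcs11_check_init()`, which is outside this diff, so it is presumably handled there but should be stated at the macro. Once confirmed against the transition table, a comment above the macro would do, such as `/* Requests PROV_INIT_ALL; an earlier manual initialization is not widened (see _gnutls_pkcs11_check_init()). */`. The same applies to `PKCS11_CHECK_INIT_RET` in the next hunk.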
@@ -111,7 +115,7 @@ int _gnutls_pkcs11_check_init(init_level_t req_level, void *priv, pkcs11_reinit_
return gnutls_assert_val(ret)
#define PKCS11_CHECK_INIT_RET(x) \
- ret = _gnutls_pkcs11_check_init(PROV_INIT_MANUAL, NULL, NULL); \
+ ret = _gnutls_pkcs11_check_init(PROV_INIT_ALL, NULL, NULL); \
if (ret < 0) \
return gnutls_assert_val(x)