[gnutls-devel] GnuTLS | tpm: Try to use password from the PIN callback if srk_password is NULL (!796)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Mon Nov 19 15:36:15 CET 2018
Stefan Berger commented on a discussion on lib/includes/gnutls/gnutls.h.in:
> * @GNUTLS_PIN_FINAL_TRY: This is the final try before blocking.
> * @GNUTLS_PIN_COUNT_LOW: Few tries remain before token blocks.
> * @GNUTLS_PIN_WRONG: Last given PIN was not correct.
> + * @GNUTLS_PIN_MAY_BE_MISSING: It is fine if the PIN is missing.
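Review bot: the added `@GNUTLS_PIN_MAY_BE_MISSING` description says only that a missing PIN is fine; it does not tell a callback author what to do when the flag is set. Consider wording it as an instruction to the callback, for example that it should return an error instead of terminating when no PIN is available, so that the caller can continue without one.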
Not quite. I introduced this flag to prevent the existing PIN callback from exiting (`exit(1)`), which was ok before when the first attempt was made to use the srk_password = NULL, which could then fail if the TPM 1.2 had a real password. I turned this around now, asking the PIN callback first, which may not have a PIN, which is fine, and we try the srk_password = NULL then instead.
```
/* Empty input: no PIN was entered. */
if (password[0] == 0 || password[0] == '\n') {
	/* Caller tolerates a missing PIN: report failure instead of exiting. */
	if (flags & GNUTLS_PIN_MAY_BE_MISSING)
		return -1;
	fprintf(stderr, "No PIN given.\n");
	if (info != NULL && info->batch != 0) {
		fprintf(stderr, "note: when operating in batch mode, set the GNUTLS_PIN or GNUTLS_SO_PIN environment variables\n");
	}
	exit(1);
}
```
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/796#note_118304979