[gnutls-devel] GnuTLS | tpm: Try to use password from the PIN callback if srk_password is NULL (!796)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Sat Nov 10 18:10:07 CET 2018
Stefan Berger commented on a discussion on lib/includes/gnutls/gnutls.h.in:
> * @GNUTLS_PIN_FINAL_TRY: This is the final try before blocking.
> * @GNUTLS_PIN_COUNT_LOW: Few tries remain before token blocks.
> * @GNUTLS_PIN_WRONG: Last given PIN was not correct.
> + * @GNUTLS_PIN_MAY_BE_MISSING: It is fine if the PIN is missing.
This patch is messing with the behavior of how the callback is invoked. If I didn't introduce this flag the pin handler in certtool would currently exit() if there was not environment variable set to get the PIN from (GNUTLS_PIN or GNUTLS_SO_PIN). So with this flag I say it's ok if there's no such environment variable and please don't exit().
The root of the problem is that the interface from certtool into the library is missing parameters to set the SRK and key passwords. So the library has to pass srk_password NULL once the srk_password is in a functions parameter list, but NULL may map into the 'well known' password of 20 zero bytes, which may or may not be what the user wants. In case the SRK password is indeed the 20 zero bytes the PIN callback should not return a different password, so the user has to have GNUTLS_PIN unset (which is a behavior change as well). In case it is a string password that invocation of the PIN callback should return the SRK string password from the environment variable. Invoking the PIN callback before doing the first key operation intends to avoid authentication failures with the TPM, which may lock down the TPM and have it refuse operations that require authentication.
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/796#note_116246528
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnutls-devel