[gnutls-devel] GnuTLS | tpm: Try to use password from the PIN callback if srk_password is NULL (!796)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Mon Nov 19 15:36:15 CET 2018

Stefan Berger commented on a discussion on lib/includes/gnutls/gnutls.h.in:

>   * @GNUTLS_PIN_FINAL_TRY: This is the final try before blocking.
>   * @GNUTLS_PIN_COUNT_LOW: Few tries remain before token blocks.
>   * @GNUTLS_PIN_WRONG: Last given PIN was not correct.
> + * @GNUTLS_PIN_MAY_BE_MISSING:  It is fine if the PIN is missing.

Not quite. I introduced this flag to prevent the existing PIN callback from exiting (`exit(1)`), which was ok before when the first attempt was made to use the srk_password = NULL, which could then fail if the TPM 1.2 had a real password. I turned this around now, asking the PIN callback first, which may not not have a PIN, which is fine, and we try the srk_password = NULL then instead.

        if (password[0] == 0 || password[0] == '\n') {
                if (flags & GNUTLS_PIN_MAY_BE_MISSING)
                        return -1;
                fprintf(stderr, "No PIN given.\n");
                if (info != NULL && info->batch != 0) {
                        fprintf(stderr, "note: when operating in batch mode, set the GNUTLS_PIN or GNUTLS_SO_PIN environment variables\n")

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/796#note_118304979
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20181119/323167fd/attachment.html>

More information about the Gnutls-devel mailing list