<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
GitLab
</title>



<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<p class="details" style="font-style: italic; color: #777777;">
<a href="https://gitlab.com/stefanberger">Stefan Berger</a>
commented on a discussion
on <a href="https://gitlab.com/gnutls/gnutls/merge_requests/796#note_116246528">lib/includes/gnutls/gnutls.h.in</a>:
</p>
<table>
<tr class="line_holder" id="">
<td class="diff-line-num old_line" data-linenumber="2788" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
2788
</td>
<td class="diff-line-num new_line" data-linenumber="2788" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
2788
</td>
<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC2788" class="line" lang="c"><span class="cm" style="color: #998; font-style: italic;"> * @GNUTLS_PIN_FINAL_TRY: This is the final try before blocking.</span></span>
</pre>
</td>
</tr>
<tr class="line_holder" id="">
<td class="diff-line-num old_line" data-linenumber="2789" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
2789
</td>
<td class="diff-line-num new_line" data-linenumber="2789" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
2789
</td>
<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC2789" class="line" lang="c"><span class="cm" style="color: #998; font-style: italic;"> * @GNUTLS_PIN_COUNT_LOW: Few tries remain before token blocks.</span></span>
</pre>
</td>
</tr>
<tr class="line_holder" id="">
<td class="diff-line-num old_line" data-linenumber="2790" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
2790
</td>
<td class="diff-line-num new_line" data-linenumber="2790" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
2790
</td>
<td class="line_content noteable_line" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC2790" class="line" lang="c"><span class="cm" style="color: #998; font-style: italic;"> * @GNUTLS_PIN_WRONG: Last given PIN was not correct.</span></span>
</pre>
</td>
</tr>
<tr class="line_holder new" id="">
<td class="diff-line-num new old_line" data-linenumber="2791" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
 
</td>
<td class="diff-line-num new new_line" data-linenumber="2791" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
2791
</td>
<td class="line_content new noteable_line" style="padding-left: 0.5em; padding-right: 0.5em;" bgcolor="#ecfdf0">
<pre style="margin: 0;">+<span id="LC2791" class="line" lang="c"><span class="cm" style="color: #998; font-style: italic;"> * @GNUTLS_PIN_MAY_BE_MISSING:  It is fine if the PIN is missing.</span></span>
</pre>
</td>
</tr>

</table>
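<p dir="auto">Review bot: the new doc line for @GNUTLS_PIN_MAY_BE_MISSING says only that a missing PIN is acceptable, but unlike the neighbouring entries (which describe token states the callback observes) this flag changes what the callback must do, so the line should also say what a callback that has no PIN is expected to return when the flag is set, rather than leaving that to the discussion below. Something along the lines of <code> * @GNUTLS_PIN_MAY_BE_MISSING: The caller can proceed without a PIN; a callback that has none should return without one instead of failing.</code> Also drop the double space after the colon so the entry matches the formatting of the lines above it.</p>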
<div>
<p dir="auto">This patch is messing with the behavior of how the callback is invoked. If I didn't introduce this flag, the PIN handler in certtool would currently exit() if there was no environment variable set to get the PIN from (GNUTLS_PIN or GNUTLS_SO_PIN). So with this flag I say it's OK if there's no such environment variable and please don't exit().</p>
<p dir="auto">The root of the problem is that the interface from certtool into the library is missing parameters to set the SRK and key passwords. So the library has to pass srk_password NULL once the srk_password is in a function's parameter list, but NULL may map into the 'well-known' password of 20 zero bytes, which may or may not be what the user wants. In case the SRK password is indeed the 20 zero bytes, the PIN callback should not return a different password, so the user has to have GNUTLS_PIN unset (which is a behavior change as well). In case it is a string password, that invocation of the PIN callback should return the SRK string password from the environment variable. Invoking the PIN callback before doing the first key operation is intended to avoid authentication failures with the TPM, which may lock down the TPM and have it refuse operations that require authentication.</p>
</div>
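<p dir="auto">The behaviour discussed in the comment above, as an added example that is not code from the merge request or from GnuTLS: a PIN callback with the parameter list of <code>gnutls_pin_callback_t</code> that reads the PIN from GNUTLS_PIN or GNUTLS_SO_PIN and, when the caller has set a "PIN may be missing" flag, returns a status instead of calling exit(). The flag bit values, the <code>DEMO_</code> names and the result codes are constructed for this demo (the real callback contract is 0 on success or a negative GnuTLS error code, and how the MR reports "no PIN" is not shown on the page). It also refuses to re-send a static environment value after a wrong-PIN signal, so a misconfigured variable cannot drive the token's retry counter down.</p>

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag bits: constructed for this demo. The real GNUTLS_PIN_* values live in
 * gnutls/gnutls.h; GNUTLS_PIN_MAY_BE_MISSING is the flag the merge request
 * proposes, and the value used here is an assumption. */
#define DEMO_PIN_SO             (1u << 0)  /* security-officer PIN requested */
#define DEMO_PIN_FINAL_TRY      (1u << 1)
#define DEMO_PIN_COUNT_LOW      (1u << 2)
#define DEMO_PIN_WRONG          (1u << 3)
#define DEMO_PIN_MAY_BE_MISSING (1u << 4)

/* Result codes for the demo. A real gnutls_pin_callback_t returns 0 or a
 * negative GnuTLS error code; how the MR signals "no PIN, carry on" is not
 * on the page, so the demo uses its own positive code for that outcome. */
enum demo_pin_result {
    DEMO_PIN_OK = 0,
    DEMO_PIN_NONE = 1,            /* no PIN, and the caller said that is fine */
    DEMO_PIN_ERR_MISSING = -1,    /* no PIN, and the caller needs one */
    DEMO_PIN_ERR_TOO_LONG = -2,   /* value would overflow the caller's buffer */
    DEMO_PIN_ERR_NO_RETRY = -3    /* same static value was already rejected */
};

/* Decide what to hand back given the value found in the environment (NULL if
 * the variable is unset). Never calls exit(): the caller decides what a
 * missing PIN means, which is the point of the new flag. */
int demo_pin_from_value(const char *value, unsigned int flags,
                        char *pin, size_t pin_max)
{
    if (pin_max == 0)
        return DEMO_PIN_ERR_TOO_LONG;
    if (value == NULL) {
        pin[0] = '\0';
        return (flags & DEMO_PIN_MAY_BE_MISSING) ? DEMO_PIN_NONE
                                                 : DEMO_PIN_ERR_MISSING;
    }
    /* An environment variable cannot change between attempts, so after a
     * wrong-PIN signal re-sending it would only consume the token's retry
     * counter (the COUNT_LOW / FINAL_TRY states documented in the diff). */
    if (flags & DEMO_PIN_WRONG)
        return DEMO_PIN_ERR_NO_RETRY;
    size_t len = strlen(value);
    if (len >= pin_max)                 /* leave room for the terminator */
        return DEMO_PIN_ERR_TOO_LONG;
    memcpy(pin, value, len + 1);
    return DEMO_PIN_OK;
}

/* Callback with the parameter list of gnutls_pin_callback_t. */
int demo_pin_callback(void *userdata, int attempt, const char *token_url,
                      const char *token_label, unsigned int flags,
                      char *pin, size_t pin_max)
{
    const char *var = (flags & DEMO_PIN_SO) ? "GNUTLS_SO_PIN" : "GNUTLS_PIN";
    (void)userdata; (void)attempt; (void)token_url;
    if (flags & DEMO_PIN_COUNT_LOW)
        fprintf(stderr, "warning: few PIN tries remain on %s\n",
                token_label ? token_label : "token");
    return demo_pin_from_value(getenv(var), flags, pin, pin_max);
}

/* Exercises the cases a reviewer would want covered; returns the number that fail. */
int demo_selftest(void)
{
    char buf[8];
    int fails = 0;
    fails += demo_pin_from_value(NULL, DEMO_PIN_MAY_BE_MISSING, buf, sizeof buf) != DEMO_PIN_NONE;
    fails += demo_pin_from_value(NULL, 0, buf, sizeof buf) != DEMO_PIN_ERR_MISSING;
    fails += demo_pin_from_value("1234", 0, buf, sizeof buf) != DEMO_PIN_OK || strcmp(buf, "1234") != 0;
    fails += demo_pin_from_value("123456789", 0, buf, sizeof buf) != DEMO_PIN_ERR_TOO_LONG;
    fails += demo_pin_from_value("1234", DEMO_PIN_WRONG, buf, sizeof buf) != DEMO_PIN_ERR_NO_RETRY;
    return fails;
}

int main(void)
{
    char pin[64];
    /* Whether GNUTLS_PIN is set in the environment decides which branch runs. */
    int rc = demo_pin_callback(NULL, 0, NULL, "demo-token",
                               DEMO_PIN_MAY_BE_MISSING, pin, sizeof pin);
    printf("callback returned %d (%s)\n", rc,
           rc == DEMO_PIN_NONE ? "no PIN, caller may proceed"
                               : rc == DEMO_PIN_OK ? "PIN filled" : "error");
    return demo_selftest() == 0 ? 0 : 1;
}
```

<p dir="auto">With the flag set and no variable exported, the callback returns <code>DEMO_PIN_NONE</code> and the caller can fall through to whatever default it has (the comment above mentions the well-known 20-zero-byte SRK password); without the flag the same situation is an error the caller must handle, which is the behaviour the comment describes certtool's handler as having had, minus the exit().</p>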


</div>
</body>
</html>