giomba/opensc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

pkcs11: use 'ignore-pin-length' config option

Browse Source 
When doing C_Login default behavior is to ignore the applied PINs with lengths less
then value of PKCS#15 PIN attribure 'min-length'. Such a PINs are not
really verified by card.

With 'ignore-pin-length' option in 'true' all applied PINs are verified by card.
This commit is contained in:
Viktor Tarasov 2013-12-25 23:12:33 +01:00
parent b1a5ebfac7
commit 0761a5ea02
3 changed files with 24 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
src/pkcs11/framework-pkcs15.c
View File

@ -1396,7 +1396,7 @@ pkcs15_login(struct sc_pkcs11_slot *slot, CK_USER_TYPE userType,
struct sc_pkcs15_card *p15card = NULL;
struct sc_pkcs15_object *auth_object = NULL;
struct sc_pkcs15_auth_info *pin_info = NULL;
int rc;
int rc, pin_min_length = 0;
fw_data = (struct pkcs15_fw_data *) p11card->fws_data[slot->fw_data_idx];
if (!fw_data)
@ -1495,12 +1495,19 @@ pkcs15_login(struct sc_pkcs11_slot *slot, CK_USER_TYPE userType,
pPin = NULL;
} else {
/*
* If PIN is out of range,
* it cannot be correct.
* If PIN is out of range, it cannot be correct.
*/
if (ulPinLen < pin_info->attrs.pin.min_length ||
ulPinLen > pin_info->attrs.pin.max_length)
if (sc_pkcs11_conf.ignore_pin_length) {
sc_log(context, "Ignore minimal PIN length");
pin_min_length = pin_info->attrs.pin.min_length;
pin_info->attrs.pin.min_length = 1;
}
if (ulPinLen < pin_info->attrs.pin.min_length || ulPinLen > pin_info->attrs.pin.max_length) {
if (pin_min_length)
pin_info->attrs.pin.min_length = pin_min_length;
return CKR_PIN_INCORRECT;
}
}
@ -1516,13 +1523,19 @@ pkcs15_login(struct sc_pkcs11_slot *slot, CK_USER_TYPE userType,
* before the crypto operation that requires the assertion
*/
if (userType != CKU_CONTEXT_SPECIFIC) {
if (sc_pkcs11_conf.lock_login && (rc = lock_card(fw_data)) < 0)
return sc_to_cryptoki_error(rc, "C_Login");
if (sc_pkcs11_conf.lock_login && (rc = lock_card(fw_data)) < 0) {
if (pin_min_length)
pin_info->attrs.pin.min_length = pin_min_length;
return sc_to_cryptoki_error(rc, "C_Login");
}
}
rc = sc_pkcs15_verify_pin(p15card, auth_object, pPin, ulPinLen);
sc_log(context, "PKCS15 verify PIN returned %d", rc);
if (pin_min_length)
pin_info->attrs.pin.min_length = pin_min_length;
if (rc != SC_SUCCESS)
return sc_to_cryptoki_error(rc, "C_Login");

3
src/pkcs11/misc.c
View File

@ -300,6 +300,7 @@ void load_pkcs11_parameters(struct sc_pkcs11_config *conf, sc_context_t * ctx)
conf->create_puk_slot = 0;
conf->zero_ckaid_for_ca_certs = 0;
conf->create_slots_flags = 0;
conf->ignore_pin_length = 0;
conf_block = sc_get_conf_block(ctx, "pkcs11", NULL, 1);
if (!conf_block)
@ -323,6 +324,8 @@ void load_pkcs11_parameters(struct sc_pkcs11_config *conf, sc_context_t * ctx)
conf->create_puk_slot = scconf_get_bool(conf_block, "create_puk_slot", conf->create_puk_slot);
conf->zero_ckaid_for_ca_certs = scconf_get_bool(conf_block, "zero_ckaid_for_ca_certs", conf->zero_ckaid_for_ca_certs);
conf->ignore_pin_length = scconf_get_bool(conf_block, "ignore_pin_length", conf->ignore_pin_length);
create_slots_for_pins = (char *)scconf_get_str(conf_block, "create_slots_for_pins", "all");
tmp = strdup(create_slots_for_pins);
op = strtok(tmp, " ,");

1
src/pkcs11/sc-pkcs11.h
View File

@ -82,6 +82,7 @@ struct sc_pkcs11_config {
unsigned int create_puk_slot;
unsigned int zero_ckaid_for_ca_certs;
unsigned int create_slots_flags;
unsigned char ignore_pin_length;
};
/*