pkcs15: PIN value not validated in pkcs15-verify
In pkcs15-verify the value of PIN is not more validated for conformity with PIN policy, value is only checked for maximal allowed length. So that, no more need of 'ignore-pin-length' configuration option - now it's default behavior of common framework.
This commit is contained in:
Viktor Tarasov
parent
0efe1ec05e
commit
3f023d3342
|
|
@ -625,18 +625,6 @@ app opensc-pkcs11 {
|
|||
# create_slots_for_pins = "user,sign";
|
||||
# create_slots_for_pins = application;
|
||||
# create_slots_for_pins = "application,sign";
|
||||
|
||||
# Enable C_Login to accept all PIN's lengths.
|
||||
#
|
||||
# Normally when length of applied PIN is less then value of 'min-length' PKCS15 pin attribute,
|
||||
# PIN is rejected by pkcs#15 framework and is not really verified by card.
|
||||
# Thus the on-card 'retry' PIN value remains unchanged.
|
||||
# Pkcs#15 framework of pksc#11 module returns CKR_INCORRECT_PIN.
|
||||
# That's default behavior.
|
||||
# With following option enabled all applied PINs will be verified by card.
|
||||
#
|
||||
# Default: false
|
||||
ignore_pin_length = true;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -630,18 +630,6 @@ app opensc-pkcs11 {
|
|||
# create_slots_for_pins = "user,sign";
|
||||
# create_slots_for_pins = application;
|
||||
# create_slots_for_pins = "application,sign";
|
||||
|
||||
# Enable C_Login to accept all PIN's lengths.
|
||||
#
|
||||
# Normally when length of applied PIN is less then value of 'min-length' PKCS15 pin attribute,
|
||||
# PIN is rejected by pkcs#15 framework and is not really verified by card.
|
||||
# Thus the on-card 'retry' PIN value remains unchanged.
|
||||
# Pkcs#15 framework of pksc#11 module returns CKR_INCORRECT_PIN.
|
||||
# That's default behavior.
|
||||
# With following option enabled all applied PINs will be verified by card.
|
||||
#
|
||||
# Default: false
|
||||
ignore_pin_length = true;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -290,13 +290,11 @@ int sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card,
|
|||
sc_card_t *card;
|
||||
struct sc_pin_cmd_data data;
|
||||
|
||||
SC_FUNC_CALLED(ctx, SC_LOG_DEBUG_NORMAL);
|
||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "PIN(%p;len:%i)", pincode, pinlen);
|
||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Auth(type:%X;method:%X)", auth_info->auth_type, auth_info->auth_method);
|
||||
LOG_FUNC_CALLED(ctx);
|
||||
sc_log(ctx, "PIN(type:%X;method:%X;len:)", auth_info->auth_type, auth_info->auth_method, pinlen);
|
||||
|
||||
r = _validate_pin(p15card, auth_info, pinlen);
|
||||
SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "PIN value do not conforms the PIN policy");
|
||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "PIN value validated");
|
||||
if (pinlen > SC_MAX_PIN_SIZE)
|
||||
LOG_TEST_RET(ctx, SC_ERROR_INVALID_PIN_LENGTH, "Invalid PIN size");
|
||||
|
||||
card = p15card->card;
|
||||
|
||||
|
|
|
|||
|
|
@ -486,15 +486,6 @@ md_is_supports_container_key_import(PCARD_DATA pCardData)
|
|||
}
|
||||
|
||||
|
||||
/* Get know if PIN with the length less then PIN's min.length has to be applied to card */
|
||||
static BOOL
|
||||
md_is_ignore_pin_length(PCARD_DATA pCardData)
|
||||
{
|
||||
logprintf(pCardData, 2, "Is short PIN has to be applied to card?\n");
|
||||
return md_get_config_bool(pCardData, "md_ignore_pin_length", MD_STATIC_FLAG_IGNORE_PIN_LENGTH, FALSE);
|
||||
}
|
||||
|
||||
|
||||
/* Check if specified PIN has been verified */
|
||||
static BOOL
|
||||
md_is_pin_set(PCARD_DATA pCardData, DWORD role)
|
||||
|
|
@ -2313,7 +2304,6 @@ DWORD WINAPI CardAuthenticatePin(__in PCARD_DATA pCardData,
|
|||
__in DWORD cbPin,
|
||||
__out_opt PDWORD pcAttemptsRemaining)
|
||||
{
|
||||
int r, pin_min_length = 0;
|
||||
struct sc_pkcs15_object *pin_obj = NULL;
|
||||
struct sc_pkcs15_auth_info *auth_info = NULL;
|
||||
char type[256];
|
||||
|
|
@ -2321,6 +2311,7 @@ DWORD WINAPI CardAuthenticatePin(__in PCARD_DATA pCardData,
|
|||
struct md_file *cardcf_file = NULL;
|
||||
CARD_CACHE_FILE_FORMAT *cardcf = NULL;
|
||||
DWORD dwret;
|
||||
int r;
|
||||
|
||||
if(!pCardData)
|
||||
return SCARD_E_INVALID_PARAMETER;
|
||||
|
|
@ -2368,15 +2359,7 @@ DWORD WINAPI CardAuthenticatePin(__in PCARD_DATA pCardData,
|
|||
return SCARD_F_INTERNAL_ERROR;
|
||||
auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data;
|
||||
|
||||
if (md_is_ignore_pin_length(pCardData)) {
|
||||
logprintf(pCardData, 2, "Accept PIN with length less then minimal.\n");
|
||||
pin_min_length = auth_info->attrs.pin.min_length;
|
||||
auth_info->attrs.pin.min_length = 1;
|
||||
}
|
||||
|
||||
r = sc_pkcs15_verify_pin(vs->p15card, pin_obj, (const u8 *) pbPin, cbPin);
|
||||
if (pin_min_length)
|
||||
auth_info->attrs.pin.min_length = pin_min_length;
|
||||
if (r) {
|
||||
logprintf(pCardData, 1, "PIN code verification failed: %s; tries left %i\n", sc_strerror(r), auth_info->tries_left);
|
||||
|
||||
|
|
@ -3294,12 +3277,12 @@ DWORD WINAPI CardAuthenticateEx(__in PCARD_DATA pCardData,
|
|||
__out_opt PDWORD pcbSessionPin,
|
||||
__out_opt PDWORD pcAttemptsRemaining)
|
||||
{
|
||||
int r, pin_min_length = 0;
|
||||
VENDOR_SPECIFIC *vs;
|
||||
CARD_CACHE_FILE_FORMAT *cardcf = NULL;
|
||||
DWORD dwret;
|
||||
struct sc_pkcs15_object *pin_obj = NULL;
|
||||
struct sc_pkcs15_auth_info *auth_info = NULL;
|
||||
int r;
|
||||
|
||||
logprintf(pCardData, 1, "\nP:%d T:%d pCardData:%p ",GetCurrentProcessId(), GetCurrentThreadId(), pCardData);
|
||||
logprintf(pCardData, 1, "CardAuthenticateEx\n");
|
||||
|
|
@ -3361,16 +3344,7 @@ DWORD WINAPI CardAuthenticateEx(__in PCARD_DATA pCardData,
|
|||
}
|
||||
}
|
||||
|
||||
if (md_is_ignore_pin_length(pCardData)) {
|
||||
logprintf(pCardData, 2, "Accept PIN with length less then minimal.\n");
|
||||
pin_min_length = auth_info->attrs.pin.min_length;
|
||||
auth_info->attrs.pin.min_length = 1;
|
||||
}
|
||||
|
||||
r = sc_pkcs15_verify_pin(vs->p15card, pin_obj, (const u8 *) pbPinData, cbPinData);
|
||||
if (pin_min_length)
|
||||
auth_info->attrs.pin.min_length = pin_min_length;
|
||||
|
||||
if (r) {
|
||||
logprintf(pCardData, 1, "PIN code verification failed: %s; tries left %i\n", sc_strerror(r), auth_info->tries_left);
|
||||
|
||||
|
|
|
|||
|
|
@ -1396,7 +1396,7 @@ pkcs15_login(struct sc_pkcs11_slot *slot, CK_USER_TYPE userType,
|
|||
struct sc_pkcs15_card *p15card = NULL;
|
||||
struct sc_pkcs15_object *auth_object = NULL;
|
||||
struct sc_pkcs15_auth_info *pin_info = NULL;
|
||||
int rc, pin_min_length = 0;
|
||||
int rc;
|
||||
|
||||
fw_data = (struct pkcs15_fw_data *) p11card->fws_data[slot->fw_data_idx];
|
||||
if (!fw_data)
|
||||
|
|
@ -1493,21 +1493,9 @@ pkcs15_login(struct sc_pkcs11_slot *slot, CK_USER_TYPE userType,
|
|||
* a valid pin (which is processed normally). --okir */
|
||||
if (ulPinLen == 0)
|
||||
pPin = NULL;
|
||||
} else {
|
||||
/*
|
||||
* If PIN is out of range, it cannot be correct.
|
||||
*/
|
||||
if (sc_pkcs11_conf.ignore_pin_length) {
|
||||
sc_log(context, "Ignore minimal PIN length");
|
||||
pin_min_length = pin_info->attrs.pin.min_length;
|
||||
pin_info->attrs.pin.min_length = 1;
|
||||
}
|
||||
|
||||
if (ulPinLen < pin_info->attrs.pin.min_length || ulPinLen > pin_info->attrs.pin.max_length) {
|
||||
if (pin_min_length)
|
||||
pin_info->attrs.pin.min_length = pin_min_length;
|
||||
return CKR_PIN_INCORRECT;
|
||||
}
|
||||
}
|
||||
else if (ulPinLen > pin_info->attrs.pin.max_length) {
|
||||
return CKR_ARGUMENTS_BAD;
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -1524,8 +1512,6 @@ pkcs15_login(struct sc_pkcs11_slot *slot, CK_USER_TYPE userType,
|
|||
*/
|
||||
if (userType != CKU_CONTEXT_SPECIFIC) {
|
||||
if (sc_pkcs11_conf.lock_login && (rc = lock_card(fw_data)) < 0) {
|
||||
if (pin_min_length)
|
||||
pin_info->attrs.pin.min_length = pin_min_length;
|
||||
return sc_to_cryptoki_error(rc, "C_Login");
|
||||
}
|
||||
}
|
||||
|
|
@ -1533,9 +1519,6 @@ pkcs15_login(struct sc_pkcs11_slot *slot, CK_USER_TYPE userType,
|
|||
rc = sc_pkcs15_verify_pin(p15card, auth_object, pPin, ulPinLen);
|
||||
sc_log(context, "PKCS15 verify PIN returned %d", rc);
|
||||
|
||||
if (pin_min_length)
|
||||
pin_info->attrs.pin.min_length = pin_min_length;
|
||||
|
||||
if (rc != SC_SUCCESS)
|
||||
return sc_to_cryptoki_error(rc, "C_Login");
|
||||
|
||||
|
|
|
|||
|
|
@ -300,7 +300,6 @@ void load_pkcs11_parameters(struct sc_pkcs11_config *conf, sc_context_t * ctx)
|
|||
conf->create_puk_slot = 0;
|
||||
conf->zero_ckaid_for_ca_certs = 0;
|
||||
conf->create_slots_flags = 0;
|
||||
conf->ignore_pin_length = 0;
|
||||
|
||||
conf_block = sc_get_conf_block(ctx, "pkcs11", NULL, 1);
|
||||
if (!conf_block)
|
||||
|
|
@ -324,8 +323,6 @@ void load_pkcs11_parameters(struct sc_pkcs11_config *conf, sc_context_t * ctx)
|
|||
conf->create_puk_slot = scconf_get_bool(conf_block, "create_puk_slot", conf->create_puk_slot);
|
||||
conf->zero_ckaid_for_ca_certs = scconf_get_bool(conf_block, "zero_ckaid_for_ca_certs", conf->zero_ckaid_for_ca_certs);
|
||||
|
||||
conf->ignore_pin_length = scconf_get_bool(conf_block, "ignore_pin_length", conf->ignore_pin_length);
|
||||
|
||||
create_slots_for_pins = (char *)scconf_get_str(conf_block, "create_slots_for_pins", "all");
|
||||
tmp = strdup(create_slots_for_pins);
|
||||
op = strtok(tmp, " ,");
|
||||
|
|
|
|||
Loading…
Reference in New Issue