diff --git a/etc/opensc.conf.in b/etc/opensc.conf.in index f23db2f7..d71b46bd 100644 --- a/etc/opensc.conf.in +++ b/etc/opensc.conf.in @@ -625,18 +625,6 @@ app opensc-pkcs11 { # create_slots_for_pins = "user,sign"; # create_slots_for_pins = application; # create_slots_for_pins = "application,sign"; - - # Enable C_Login to accept all PIN's lengths. - # - # Normally when length of applied PIN is less then value of 'min-length' PKCS15 pin attribute, - # PIN is rejected by pkcs#15 framework and is not really verified by card. - # Thus the on-card 'retry' PIN value remains unchanged. - # Pkcs#15 framework of pksc#11 module returns CKR_INCORRECT_PIN. - # That's default behavior. - # With following option enabled all applied PINs will be verified by card. - # - # Default: false - ignore_pin_length = true; } } diff --git a/etc/opensc.conf.win.in b/etc/opensc.conf.win.in index 139940d9..11b458c0 100644 --- a/etc/opensc.conf.win.in +++ b/etc/opensc.conf.win.in @@ -630,18 +630,6 @@ app opensc-pkcs11 { # create_slots_for_pins = "user,sign"; # create_slots_for_pins = application; # create_slots_for_pins = "application,sign"; - - # Enable C_Login to accept all PIN's lengths. - # - # Normally when length of applied PIN is less then value of 'min-length' PKCS15 pin attribute, - # PIN is rejected by pkcs#15 framework and is not really verified by card. - # Thus the on-card 'retry' PIN value remains unchanged. - # Pkcs#15 framework of pksc#11 module returns CKR_INCORRECT_PIN. - # That's default behavior. - # With following option enabled all applied PINs will be verified by card. - # - # Default: false - ignore_pin_length = true; } } diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c index 6604c325..2973d22b 100644 --- a/src/libopensc/pkcs15-pin.c +++ b/src/libopensc/pkcs15-pin.c @@ -290,13 +290,11 @@ int sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, sc_card_t *card; struct sc_pin_cmd_data data; - SC_FUNC_CALLED(ctx, SC_LOG_DEBUG_NORMAL); - sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "PIN(%p;len:%i)", pincode, pinlen); - sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Auth(type:%X;method:%X)", auth_info->auth_type, auth_info->auth_method); + LOG_FUNC_CALLED(ctx); + sc_log(ctx, "PIN(type:%X;method:%X;len:)", auth_info->auth_type, auth_info->auth_method, pinlen); - r = _validate_pin(p15card, auth_info, pinlen); - SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "PIN value do not conforms the PIN policy"); - sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "PIN value validated"); + if (pinlen > SC_MAX_PIN_SIZE) + LOG_TEST_RET(ctx, SC_ERROR_INVALID_PIN_LENGTH, "Invalid PIN size"); card = p15card->card; diff --git a/src/minidriver/minidriver.c b/src/minidriver/minidriver.c index 755999f9..f84b2f08 100644 --- a/src/minidriver/minidriver.c +++ b/src/minidriver/minidriver.c @@ -486,15 +486,6 @@ md_is_supports_container_key_import(PCARD_DATA pCardData) } -/* Get know if PIN with the length less then PIN's min.length has to be applied to card */ -static BOOL -md_is_ignore_pin_length(PCARD_DATA pCardData) -{ - logprintf(pCardData, 2, "Is short PIN has to be applied to card?\n"); - return md_get_config_bool(pCardData, "md_ignore_pin_length", MD_STATIC_FLAG_IGNORE_PIN_LENGTH, FALSE); -} - - /* Check if specified PIN has been verified */ static BOOL md_is_pin_set(PCARD_DATA pCardData, DWORD role) @@ -2313,7 +2304,6 @@ DWORD WINAPI CardAuthenticatePin(__in PCARD_DATA pCardData, __in DWORD cbPin, __out_opt PDWORD pcAttemptsRemaining) { - int r, pin_min_length = 0; struct sc_pkcs15_object *pin_obj = NULL; struct sc_pkcs15_auth_info *auth_info = NULL; char type[256]; @@ -2321,6 +2311,7 @@ DWORD WINAPI CardAuthenticatePin(__in PCARD_DATA pCardData, struct md_file *cardcf_file = NULL; CARD_CACHE_FILE_FORMAT *cardcf = NULL; DWORD dwret; + int r; if(!pCardData) return SCARD_E_INVALID_PARAMETER; @@ -2368,15 +2359,7 @@ DWORD WINAPI CardAuthenticatePin(__in PCARD_DATA pCardData, return SCARD_F_INTERNAL_ERROR; auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data; - if (md_is_ignore_pin_length(pCardData)) { - logprintf(pCardData, 2, "Accept PIN with length less then minimal.\n"); - pin_min_length = auth_info->attrs.pin.min_length; - auth_info->attrs.pin.min_length = 1; - } - r = sc_pkcs15_verify_pin(vs->p15card, pin_obj, (const u8 *) pbPin, cbPin); - if (pin_min_length) - auth_info->attrs.pin.min_length = pin_min_length; if (r) { logprintf(pCardData, 1, "PIN code verification failed: %s; tries left %i\n", sc_strerror(r), auth_info->tries_left); @@ -3294,12 +3277,12 @@ DWORD WINAPI CardAuthenticateEx(__in PCARD_DATA pCardData, __out_opt PDWORD pcbSessionPin, __out_opt PDWORD pcAttemptsRemaining) { - int r, pin_min_length = 0; VENDOR_SPECIFIC *vs; CARD_CACHE_FILE_FORMAT *cardcf = NULL; DWORD dwret; struct sc_pkcs15_object *pin_obj = NULL; struct sc_pkcs15_auth_info *auth_info = NULL; + int r; logprintf(pCardData, 1, "\nP:%d T:%d pCardData:%p ",GetCurrentProcessId(), GetCurrentThreadId(), pCardData); logprintf(pCardData, 1, "CardAuthenticateEx\n"); @@ -3361,16 +3344,7 @@ DWORD WINAPI CardAuthenticateEx(__in PCARD_DATA pCardData, } } - if (md_is_ignore_pin_length(pCardData)) { - logprintf(pCardData, 2, "Accept PIN with length less then minimal.\n"); - pin_min_length = auth_info->attrs.pin.min_length; - auth_info->attrs.pin.min_length = 1; - } - r = sc_pkcs15_verify_pin(vs->p15card, pin_obj, (const u8 *) pbPinData, cbPinData); - if (pin_min_length) - auth_info->attrs.pin.min_length = pin_min_length; - if (r) { logprintf(pCardData, 1, "PIN code verification failed: %s; tries left %i\n", sc_strerror(r), auth_info->tries_left); diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c index ba14d9fd..e933706f 100644 --- a/src/pkcs11/framework-pkcs15.c +++ b/src/pkcs11/framework-pkcs15.c @@ -1396,7 +1396,7 @@ pkcs15_login(struct sc_pkcs11_slot *slot, CK_USER_TYPE userType, struct sc_pkcs15_card *p15card = NULL; struct sc_pkcs15_object *auth_object = NULL; struct sc_pkcs15_auth_info *pin_info = NULL; - int rc, pin_min_length = 0; + int rc; fw_data = (struct pkcs15_fw_data *) p11card->fws_data[slot->fw_data_idx]; if (!fw_data) @@ -1493,21 +1493,9 @@ pkcs15_login(struct sc_pkcs11_slot *slot, CK_USER_TYPE userType, * a valid pin (which is processed normally). --okir */ if (ulPinLen == 0) pPin = NULL; - } else { - /* - * If PIN is out of range, it cannot be correct. - */ - if (sc_pkcs11_conf.ignore_pin_length) { - sc_log(context, "Ignore minimal PIN length"); - pin_min_length = pin_info->attrs.pin.min_length; - pin_info->attrs.pin.min_length = 1; - } - - if (ulPinLen < pin_info->attrs.pin.min_length || ulPinLen > pin_info->attrs.pin.max_length) { - if (pin_min_length) - pin_info->attrs.pin.min_length = pin_min_length; - return CKR_PIN_INCORRECT; - } + } + else if (ulPinLen > pin_info->attrs.pin.max_length) { + return CKR_ARGUMENTS_BAD; } @@ -1524,8 +1512,6 @@ pkcs15_login(struct sc_pkcs11_slot *slot, CK_USER_TYPE userType, */ if (userType != CKU_CONTEXT_SPECIFIC) { if (sc_pkcs11_conf.lock_login && (rc = lock_card(fw_data)) < 0) { - if (pin_min_length) - pin_info->attrs.pin.min_length = pin_min_length; return sc_to_cryptoki_error(rc, "C_Login"); } } @@ -1533,9 +1519,6 @@ pkcs15_login(struct sc_pkcs11_slot *slot, CK_USER_TYPE userType, rc = sc_pkcs15_verify_pin(p15card, auth_object, pPin, ulPinLen); sc_log(context, "PKCS15 verify PIN returned %d", rc); - if (pin_min_length) - pin_info->attrs.pin.min_length = pin_min_length; - if (rc != SC_SUCCESS) return sc_to_cryptoki_error(rc, "C_Login"); diff --git a/src/pkcs11/misc.c b/src/pkcs11/misc.c index 2528d0a5..02109f97 100644 --- a/src/pkcs11/misc.c +++ b/src/pkcs11/misc.c @@ -300,7 +300,6 @@ void load_pkcs11_parameters(struct sc_pkcs11_config *conf, sc_context_t * ctx) conf->create_puk_slot = 0; conf->zero_ckaid_for_ca_certs = 0; conf->create_slots_flags = 0; - conf->ignore_pin_length = 0; conf_block = sc_get_conf_block(ctx, "pkcs11", NULL, 1); if (!conf_block) @@ -324,8 +323,6 @@ void load_pkcs11_parameters(struct sc_pkcs11_config *conf, sc_context_t * ctx) conf->create_puk_slot = scconf_get_bool(conf_block, "create_puk_slot", conf->create_puk_slot); conf->zero_ckaid_for_ca_certs = scconf_get_bool(conf_block, "zero_ckaid_for_ca_certs", conf->zero_ckaid_for_ca_certs); - conf->ignore_pin_length = scconf_get_bool(conf_block, "ignore_pin_length", conf->ignore_pin_length); - create_slots_for_pins = (char *)scconf_get_str(conf_block, "create_slots_for_pins", "all"); tmp = strdup(create_slots_for_pins); op = strtok(tmp, " ,");