author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-04-24 08:36:06 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-04-24 16:21:58 +0200 |
commit | 99379ca687b7b63438c9927b6d20b32d1eedf0a7 (patch) | |
tree | b8d571aca1da9e6da3c44c82cdd2b5a54b2f68e4 | |
parent | 118921d28b929918365d484ae796c7584c45f8a3 (diff) | |
download | gnutls-tmp-pkcs11-wrong-pin.tar.gz |
retrieve_pin: refuse to retrieve PIN from URI more than one timetmp-pkcs11-wrong-pin
That is, prevent re-using a static PIN once it is already
known to be wrong. Introduced tests of that behavior.
Resolves #425
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/pkcs11.c | 10 | ||||
-rw-r--r-- | tests/pkcs11/pkcs11-import-with-pin.c | 29 |
2 files changed, 36 insertions, 3 deletions
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index e1aa64f191..e4d14f9f4b 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -2602,6 +2602,11 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info,
 /* First check for pin-value field */
 pinfile = p11_kit_uri_get_pin_value(info);
 if (pinfile != NULL) {
+ if (attempts > 0) {
+ _gnutls_debug_log("p11: refusing more than a single attempts with pin-value\n");
+ return gnutls_assert_val(GNUTLS_E_PKCS11_PIN_ERROR);
+ }
+
+ _gnutls_debug_log("p11: Using pin-value to retrieve PIN\n");
 *pin = p11_kit_pin_new_for_string(pinfile);
 if (*pin != NULL)
@@ -2610,6 +2615,11 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info,
 /* Check if a pinfile is specified, and use that if possible */
 pinfile = p11_kit_uri_get_pin_source(info);
 if (pinfile != NULL) {
+ if (attempts > 0) {
+ _gnutls_debug_log("p11: refusing more than a single attempts with pin-source\n");
+ return gnutls_assert_val(GNUTLS_E_PKCS11_PIN_ERROR);
+ }
+
+ _gnutls_debug_log("p11: Using pin-source to retrieve PIN\n");
 ret = retrieve_pin_from_source(pinfile, token_info, attempts,
diff --git a/tests/pkcs11/pkcs11-import-with-pin.c b/tests/pkcs11/pkcs11-import-with-pin.c
index 60cb679723..4a5efd2589 100644
--- a/tests/pkcs11/pkcs11-import-with-pin.c
+++ b/tests/pkcs11/pkcs11-import-with-pin.c
@@ -153,6 +153,16 @@ void doit(void)
 assert(gnutls_privkey_init(&pkey) == 0);
 /* Test 1
+ * Try importing with wrong pin-value */
+ ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value=XXXX");
+ if (ret != GNUTLS_E_PKCS11_PIN_ERROR) {
+ fprintf(stderr, "unexpected error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ exit(1);
+ }
+ gnutls_privkey_deinit(pkey);
+ assert(gnutls_privkey_init(&pkey) == 0);
+
+ /* Test 2
 * Try importing with pin-value */
 ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value="PIN);
 if (ret < 0) {
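Review bot: The `attempts > 0` guard added to the pin-value branch carries no comment explaining why a second attempt is refused, and the reason is security-relevant: a PIN embedded in the URI cannot change between attempts, so retrying a rejected one typically only spends the token's limited login tries. I would add `/* a PIN taken from the URI is static; retrying a rejected one can only use up the token's login attempts */` above the check, and an equivalent comment above the identical guard in the pin-source hunk. The debug text is also ungrammatical; `"p11: refusing more than a single attempt with pin-value\n"` reads correctly (likewise for the pin-source message). retrieve_pin starts and ends outside the hunk, so how the caller counts `attempts` is not visible here.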
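Review bot: Once the early return for `attempts > 0` is in place, the `attempts` value handed to `retrieve_pin_from_source(pinfile, token_info, attempts,` can only be 0 at this call site, so whatever the callee does with a non-zero count is no longer reachable from here. Either say so at the call, e.g. `/* attempts is always 0 here; a pin-source is read at most once */`, or confirm that retrieve_pin_from_source still needs the parameter for other callers. Unlike pin-value, the file behind a pin-source could be rewritten between attempts, so the comment should state that refusing a second read is deliberate. The rest of the call and of retrieve_pin lies outside the hunk.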
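Review bot: The wrong-PIN case added as Test 1 checks only that the import returns GNUTLS_E_PKCS11_PIN_ERROR, which does not show that the PIN was presented to the token a single time; a library that retried the same value several times before giving up would presumably return the same code. The successful import in Test 2 is indirect evidence that the token was not locked, but that may depend on how the SoftHSM token handles failed logins. Consider asserting the attempt count directly, for instance through a module or callback that counts login calls, and state the intent in the comment: `* Try importing with wrong pin-value; must fail after a single login attempt */`. The same applies to the wrong pin-source case (Test 3) in the following hunk. doit() continues outside the hunk.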
@@ -165,13 +175,26 @@ void doit(void)
 gnutls_free(sig.data);
 gnutls_privkey_deinit(pkey);
- /* Test 2
- * Try importing with pin-source */
+ /* Test 3
+ * Try importing with wrong pin-source */
 track_temp_files();
 get_tmpname(file);
- write_pin(file, PIN);
+ write_pin(file, "XXXX");
+
+ assert(gnutls_privkey_init(&pkey) == 0);
+ snprintf(buf, sizeof(buf), "%s;object=cert;object-type=private;pin-source=%s", SOFTHSM_URL, file);
+ ret = gnutls_privkey_import_pkcs11_url(pkey, buf);
+ if (ret != GNUTLS_E_PKCS11_PIN_ERROR) {
+ fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ exit(1);
+ }
+
+ gnutls_privkey_deinit(pkey);
+ /* Test 4
+ * Try importing with pin-source */
+ write_pin(file, PIN);
 assert(gnutls_privkey_init(&pkey) == 0);
 snprintf(buf, sizeof(buf), "%s;object=cert;object-type=private;pin-source=%s", SOFTHSM_URL, file); |
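Review bot: The wrong PIN is spelled as the bare literal in `write_pin(file, "XXXX");` and again inside the URL string of Test 1, and nothing ties it to being different from PIN, whose definition is outside the hunk. A named constant next to PIN, e.g. `#define WRONG_PIN "XXXX"`, would keep the two negative tests in step and make their intent explicit. The failure message here is `"error in %d: %s\n"` while Test 1 prints `"unexpected error in %d: %s\n"`; one wording for both makes test logs easier to read. doit() starts and ends outside the hunk.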