pkcs11_get_attribute_avalue: correctly handle a -1 value length from C_GetAttributeValue

That is, work-around modules which do not return an error on sensitive objects. Relates #108
author: Nikos Mavrogiannopoulos <nmav@redhat.com> 2016-06-30 09:11:40 +0200
committer: Nikos Mavrogiannopoulos <nmav@redhat.com> 2016-06-30 10:56:26 +0200
commit: 0ef47031faa87befe3cc1d087c96fa9b2893a853 (patch)
tree: da38797818842da78a5a5bcd50e619b14b7c555a
parent: 19e0f41bc573b7b509e69dd63d6a4832d99c10b3 (diff)
download: gnutls-0ef47031faa87befe3cc1d087c96fa9b2893a853.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/pkcs11_int.c b/lib/pkcs11_int.c
index de3d4e5cdc..6ac4929a65 100644
--- a/lib/pkcs11_int.c
+++ b/lib/pkcs11_int.c
@@ -127,6 +127,12 @@ pkcs11_get_attribute_avalue(struct ck_function_list * module,
 	templ.value_len = 0;
 	rv = (module)->C_GetAttributeValue(sess, object, &templ, 1);
 	if (rv == CKR_OK) {
+		/* PKCS#11 v2.20 requires sensitive values to set a length
+		 * of -1. In that case an error should have been returned,
+		 * but some implementations return CKR_OK instead. */
+		if (templ.value_len == (unsigned long)-1)
+			return CKR_ATTRIBUTE_SENSITIVE;
+
 		if (templ.value_len == 0)
 			return rv;
author	Nikos Mavrogiannopoulos <nmav@redhat.com>	2016-06-30 09:11:40 +0200
committer	Nikos Mavrogiannopoulos <nmav@redhat.com>	2016-06-30 10:56:26 +0200
commit	0ef47031faa87befe3cc1d087c96fa9b2893a853 (patch)
tree	da38797818842da78a5a5bcd50e619b14b7c555a
parent	19e0f41bc573b7b509e69dd63d6a4832d99c10b3 (diff)
download	gnutls-0ef47031faa87befe3cc1d087c96fa9b2893a853.tar.gz