Commit 7fbfa379 authored by Francis Dupont's avatar Francis Dupont
Browse files

Accept up to 256 byte PINs in native PKCS#11. [RT #37410]

parent 498b0610
3984. [func] Accept 256 byte long PINs in native PKCS#11
crypto. [RT #37410]
3983. [bug] Change #3940 was incomplete: negative trust anchors
could be set to last up to a week, but the
"nta-lifetime" and "nta-recheck" options were
......
......@@ -130,7 +130,10 @@
#include <pkcs11/cryptoki.h>
#include <pkcs11/pkcs11.h>
#define PINLEN 32
/* was 32 octets, Petr Spacek suggested 1024, SoftHSMv2 uses 256... */
#ifndef PINLEN
#define PINLEN 256
#endif
#ifndef PK11_NO_LOGERR
#define PK11_NO_LOGERR 1
......@@ -163,7 +166,7 @@ struct pk11_token {
char manuf[32];
char model[16];
char serial[16];
char pin[PINLEN];
char pin[PINLEN + 1];
};
static ISC_LIST(pk11_token_t) tokens;
......@@ -498,7 +501,9 @@ pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype,
/* Override the token's PIN */
if (logon && pin != NULL && *pin != '\0') {
memset(token->pin, 0, PINLEN);
if (strlen(pin) > PINLEN)
return ISC_R_RANGE;
memset(token->pin, 0, PINLEN + 1);
strncpy(token->pin, pin, PINLEN);
}
......@@ -1099,7 +1104,7 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
char *uri, *p, *a, *na, *v;
size_t len, l;
FILE *stream = NULL;
char pin[PINLEN];
char pin[PINLEN + 1];
isc_boolean_t gotpin = ISC_FALSE;
isc_result_t ret;
......@@ -1207,10 +1212,12 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
ret = isc_stdio_open(v, "r", &stream);
if (ret != ISC_R_SUCCESS)
goto err;
memset(pin, 0, PINLEN);
ret = isc_stdio_read(pin, 1, PINLEN - 1, stream, NULL);
memset(pin, 0, PINLEN + 1);
ret = isc_stdio_read(pin, 1, PINLEN + 1, stream, &l);
if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF))
goto err;
if (l > PINLEN)
DST_RET(ISC_R_RANGE);
ret = isc_stdio_close(stream);
stream = NULL;
if (ret != ISC_R_SUCCESS)
......@@ -1238,7 +1245,7 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
DST_RET(ISC_R_NOTFOUND);
obj->slot = token->slotid;
if (gotpin) {
memmove(token->pin, pin, PINLEN);
memmove(token->pin, pin, PINLEN + 1);
obj->reqlogon = ISC_TRUE;
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment