authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-06-30 09:11:40 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-06-30 10:55:49 +0200
commitba32fcac83ccb3454ece348d2360282b1739658a (patch)
treed2046f12be82d5bf1d813b1955cda4512e852299
parentebe0546128902ce2d4a0f130fe48b5a86a222bcf (diff)
pkcs11_get_attribute_avalue: correctly handle a -1 value length from C_GetAttributeValue
That is, work around modules that do not return an error on sensitive objects. Relates #108
-rw-r--r--lib/pkcs11_int.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/pkcs11_int.c b/lib/pkcs11_int.c
index 25c537bbed..2994baf113 100644
--- a/lib/pkcs11_int.c
+++ b/lib/pkcs11_int.c
@@ -137,6 +137,12 @@ pkcs11_get_attribute_avalue(struct ck_function_list * module,
templ.value_len = 0;
rv = (module)->C_GetAttributeValue(sess, object, &templ, 1);
if (rv == CKR_OK) {
+ /* PKCS#11 v2.20 requires sensitive values to set a length
+ * of -1. In that case an error should have been returned,
+ * but some implementations return CKR_OK instead. */
+ if (templ.value_len == (unsigned long)-1)
+ return CKR_ATTRIBUTE_SENSITIVE;
+
if (templ.value_len == 0)
return rv;
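Review bot: The added check in pkcs11_get_attribute_avalue maps every `(unsigned long)-1` length to CKR_ATTRIBUTE_SENSITIVE, but PKCS#11 v2.20 uses the same length for attributes that are unextractable or not valid for the object, so a module that wrongly returns CKR_OK in those cases would be reported as holding a sensitive value. The comment should say so, for example `/* -1 means the value is unavailable: sensitive, unextractable, or an invalid attribute type */`, so callers do not read the return code as proof that the attribute exists. Comparing against `CK_UNAVAILABLE_INFORMATION` would be clearer than the bare cast, if the bundled pkcs11.h defines it. The function continues past the end of the hunk; presumably a second C_GetAttributeValue call fills the buffer there, and the length it returns would deserve the same check before it is trusted.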