diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-04-24 08:36:06 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-04-25 07:07:30 +0200 |
commit | 792ea391da2c67fd74bab53e30c9e1d1e62cb76a (patch) | |
tree | 357e0e575a3a9868c7461553338378cd024a18cc /lib/pkcs11.c | |
parent | e62e926e6c44c867bd88c9853997e30fa6476f50 (diff) | |
download | gnutls-792ea391da2c67fd74bab53e30c9e1d1e62cb76a.tar.gz |
retrieve_pin: refuse to retrieve PIN from URI more than one time
That is, prevent re-using a static PIN if it has already been
known to be wrong. Introduced tests of that behavior.
Resolves #425
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/pkcs11.c')
-rw-r--r-- | lib/pkcs11.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/lib/pkcs11.c b/lib/pkcs11.c index e1aa64f191..e4d14f9f4b 100644 --- a/lib/pkcs11.c +++ b/lib/pkcs11.c @@ -2602,6 +2602,11 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info, /* First check for pin-value field */ pinfile = p11_kit_uri_get_pin_value(info); if (pinfile != NULL) { + if (attempts > 0) { + _gnutls_debug_log("p11: refusing more than a single attempts with pin-value\n"); + return gnutls_assert_val(GNUTLS_E_PKCS11_PIN_ERROR); + } + _gnutls_debug_log("p11: Using pin-value to retrieve PIN\n"); *pin = p11_kit_pin_new_for_string(pinfile); if (*pin != NULL) @@ -2610,6 +2615,11 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info, /* Check if a pinfile is specified, and use that if possible */ pinfile = p11_kit_uri_get_pin_source(info); if (pinfile != NULL) { + if (attempts > 0) { + _gnutls_debug_log("p11: refusing more than a single attempts with pin-source\n"); + return gnutls_assert_val(GNUTLS_E_PKCS11_PIN_ERROR); + } + _gnutls_debug_log("p11: Using pin-source to retrieve PIN\n"); ret = retrieve_pin_from_source(pinfile, token_info, attempts, |