diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-10-15 15:59:48 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-10-24 11:04:25 +0200 |
commit | f68a86202bd1aaeb3988566def4374359b211875 (patch) | |
tree | aeeaabaf6a12c9f35315e3a0f4f5f99afb5d3af7 /src/pkcs11.c | |
parent | 1d5e93dbd69358fe7d66a3a6dd461d7fbb0738ee (diff) | |
download | gnutls-f68a86202bd1aaeb3988566def4374359b211875.tar.gz |
p11tool: fix initialization of security officer's PINtmp-initialize-so-pin-fix
Previously we would call gnutls_pkcs11_token_set_pin() without an
old PIN provided, which will result to the use of C_InitPIN() on the
underlying module. The C_InitPIN() in contrast with C_SetPIN() will
only work for the user and not for the administrator. As such, we
always provide the oldpin for when we change the admin's PIN.
Resolves #561
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'src/pkcs11.c')
-rw-r--r-- | src/pkcs11.c | 57 |
1 files changed, 25 insertions, 32 deletions
diff --git a/src/pkcs11.c b/src/pkcs11.c index 0dc2c563fe..66ef6b0fe0 100644 --- a/src/pkcs11.c +++ b/src/pkcs11.c @@ -21,8 +21,6 @@ */ #include <config.h> -#include <getpass.h> - #include <gnutls/gnutls.h> #include <gnutls/pkcs11.h> #include <gnutls/abstract.h> @@ -1411,8 +1409,7 @@ pkcs11_init(FILE * outfile, const char *url, const char *label, common_info_st * info) { int ret; - const char *pin; - char so_pin[32]; + char so_pin[MAX_PIN_LEN]; pkcs11_common(info); @@ -1426,21 +1423,19 @@ pkcs11_init(FILE * outfile, const char *url, const char *label, app_exit(1); } - if (info->so_pin != NULL) - pin = info->so_pin; - else { - pin = getenv("GNUTLS_SO_PIN"); - if (pin == NULL && info->batch == 0) - pin = getpass("Enter Security Officer's PIN: "); - if (pin == NULL) + if (info->so_pin != NULL) { + snprintf(so_pin, sizeof(so_pin), "%s", info->so_pin); + } else { + getenv_copy(so_pin, sizeof(so_pin), "GNUTLS_SO_PIN"); + if (so_pin[0] == 0 && info->batch == 0) + getpass_copy(so_pin, sizeof(so_pin), "Enter Security Officer's PIN: "); + if (so_pin[0] == 0) app_exit(1); } - if (strlen(pin) >= sizeof(so_pin) || pin[0] == '\n') + if (so_pin[0] == '\n' || so_pin[0] == 0) app_exit(1); - strcpy(so_pin, pin); - fprintf(stderr, "Initializing token... "); ret = gnutls_pkcs11_token_init(url, so_pin, label); if (ret < 0) { @@ -1459,7 +1454,7 @@ void pkcs11_set_token_pin(FILE * outfile, const char *url, common_info_st * info, unsigned so) { int ret; - const char *pin; + char newpin[MAX_PIN_LEN] = ""; pkcs11_common(info); @@ -1468,34 +1463,32 @@ pkcs11_set_token_pin(FILE * outfile, const char *url, common_info_st * info, uns app_exit(1); } - fprintf(stderr, "Setting token's user PIN...\n"); + if (so) + fprintf(stderr, "Setting admin's PIN...\n"); + else + fprintf(stderr, "Setting user's PIN...\n"); if (so) { - if (info->so_pin != NULL) { - pin = info->so_pin; - } else { - pin = getenv("GNUTLS_SO_PIN"); - if (pin == NULL && info->batch == 0) - pin = getpass("Enter Administrators's new PIN: "); - if (pin == NULL) - app_exit(1); + getenv_copy(newpin, sizeof(newpin), "GNUTLS_NEW_SO_PIN"); + if (newpin[0] == 0 && info->batch == 0) { + getpass_copy(newpin, sizeof(newpin), "Enter Administrators's new PIN: "); } } else { if (info->pin != NULL) { - pin = info->pin; + snprintf(newpin, sizeof(newpin), "%s", info->pin); } else { - pin = getenv("GNUTLS_PIN"); - if (pin == NULL && info->batch == 0) - pin = getpass("Enter User's new PIN: "); - if (pin == NULL) - app_exit(1); + getenv_copy(newpin, sizeof(newpin), "GNUTLS_PIN"); + if (newpin[0] == 0 && info->batch == 0) + getpass_copy(newpin, sizeof(newpin), "Enter User's new PIN: "); } } - if (pin == NULL || pin[0] == '\n') + if (newpin[0] == 0 || newpin[0] == '\n') { + fprintf(stderr, "No PIN was given to change\n"); app_exit(1); + } - ret = gnutls_pkcs11_token_set_pin(url, NULL, pin, (so!=0)?GNUTLS_PIN_SO:GNUTLS_PIN_USER); + ret = gnutls_pkcs11_token_set_pin(url, NULL, newpin, (so!=0)?GNUTLS_PIN_SO:GNUTLS_PIN_USER); if (ret < 0) { fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, gnutls_strerror(ret)); |