Skip to content

Commit

Permalink
Add code to prevent locking the token by mistake
Browse files Browse the repository at this point in the history
For tokens that properly report the status of the PIN authentication
counter via token flags, check them out and refuse to attempt login if
the token is on its last try.

A token should never be on its last try and finding this flags set is an
indication that someone may have hardocded an in correct pin in the
configuration or an URI. Proceeding would have a high chance of ending
up blocking the token.

Fixes: #455

Signed-off-by: Simo Sorce <[email protected]>
  • Loading branch information
simo5 committed Oct 24, 2024
1 parent 7238f46 commit 12dfe29
Showing 1 changed file with 34 additions and 0 deletions.
34 changes: 34 additions & 0 deletions src/session.c
Original file line number Diff line number Diff line change
Expand Up @@ -439,6 +439,35 @@ static int p11prov_session_prompt_for_pin(struct p11prov_slot *slot,
return ret;
}

static CK_RV check_pin_flags_ok(P11PROV_CTX *ctx, CK_SLOT_ID slotid)
{
CK_TOKEN_INFO token;
CK_RV ret;

ret = p11prov_GetTokenInfo(ctx, slotid, &token);
if (ret != CKR_OK) {
return ret;
}

if (token.flags & CKF_USER_PIN_FINAL_TRY) {
ret = CKR_CANCEL;
P11PROV_raise(ctx, ret,
"Only one auth attempt left on token. "
"Canceling login attempt to avoid locking the token. "
"Manual user login required to reset counter.");
} else if (token.flags & CKF_USER_PIN_LOCKED) {
ret = CKR_PIN_LOCKED;
P11PROV_raise(ctx, ret, "PIN marked as locked, canceling login");
} else if (token.flags & CKF_USER_PIN_TO_BE_CHANGED) {
ret = CKR_PIN_EXPIRED;
P11PROV_raise(ctx, ret, "PIN marked as expired, canceling login");
} else {
ret = CKR_OK;
}

return ret;
}

/* returns a locked login_session if _session is not NULL */
static CK_RV token_login(P11PROV_SESSION *session, P11PROV_URI *uri,
OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg,
Expand Down Expand Up @@ -522,6 +551,11 @@ static CK_RV token_login(P11PROV_SESSION *session, P11PROV_URI *uri,
}
}

ret = check_pin_flags_ok(session->provctx, session->slotid);
if (ret != CKR_OK) {
goto done;
}

P11PROV_debug("Attempt Login on session %lu", session->session);
/* Supports only USER login sessions for now */
ret = p11prov_Login(session->provctx, session->session, user_type, pin,
Expand Down

0 comments on commit 12dfe29

Please sign in to comment.