[gnutls-devel] GnuTLS | p11tool: fix admin user PIN initialization (!776)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Wed Oct 17 23:33:33 CEST 2018

The static buffer problem with getpass still persists.

You also need to copy the buffer pointed to by pin which is returned by getpass in pkcs11_set_token_pin, so its not overwritten by pin_callback's getpass:

# p11tool --initialize-so-pin <url>
Setting admin's PIN...
Enter Administrator's old PIN: 87654321                    "oldpin=getpass, copied to _oldpin"
Enter Administrators's new PIN: 76543210                   "pin=getpass, not copied"
Token 'swtok' with URL '<url>' requires security officer PIN
Enter PIN: 87654321                                        "password=getpass, pin overwritten"
Error in pkcs11_set_token_pin:1516: Error in provided PIN. "C_SetPIN fails since oldpin=newpin"

It would possibly be the best option to substitute all getpass occurences by something like the following wrapper (which still lacks thread-safety):
int getpass_copy(char *pass, size_t passlen, const char *prompt) {
    char tmp;

    tmp = getpass(prompt);
    if (tmp == NULL)
        return SOME_ERROR;

    if (strlen(tmp) >= passlen)
        return SOME_ERROR;

    strcpy(pass, tmp);

    OPENSSL_cleanse(tmp, strlen(tmp));
    return SUCCESS;

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/776#note_109670727
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20181017/4904df65/attachment.html>

More information about the Gnutls-devel mailing list