[gnutls-devel] GnuTLS | p11tool --initialize-so-pin does not change so pin but initializes user pin (#561)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Thu Sep 13 00:44:45 CEST 2018


New Issue was created.

Issue 561: https://gitlab.com/gnutls/gnutls/issues/561
Author:    Patrick Steuer
Assignee:  

## Description of problem:

Hello gnutls team,

I have some problems with p11tool's --initialize-so-pin and --initialize-pin options:

I configured opencryptoki as pkcs11 provider using a p11-kit config file /etc/pkcs11/modules/opencryptoki.module.

I initialized the token as follows:

```
p11tool --list-tokens
Token 0:
	URL: pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=IBM%20OS%20PKCS%2311
	Label: IBM OS PKCS#11
	Type: Generic token
	Flags: RNG, Requires login, Uninitialized, uPIN uninitialized
	Manufacturer: IBM Corp.
	Model: IBM SoftTok
	Serial: 123
	Module: /usr/local/lib/opencryptoki/libopencryptoki.so


p11tool --initialize --label="swtok" "pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=IBM%20OS%20PKCS%2311"
Enter Security Officer's PIN: (INPUT: 87654321, "default so pin")
Initializing token... done

Token was successfully initialized; use --initialize-pin and --initialize-so-pin to set or reset PINs


p11tool --list-tokens
Token 0:
	URL: pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok
	Label: swtok
	Type: Generic token
	Flags: RNG, Requires login, uPIN uninitialized
	Manufacturer: IBM Corp.
	Model: IBM SoftTok
	Serial: 123
	Module: /usr/local/lib/opencryptoki/libopencryptoki.so
```

After initialization, the token has the default pin (87654321) and so the CKF_SO_PIN_TO_BE_CHANGED flag is set.
The flag is not shown in the --list-tokens output, but when I activated p11-kit's log-calls (pkcs11.conf(5)), I
could see it is actually set. Next I tried to change the so pin using --initialize-so-pin. When I set the
default so pin using the environment variable (GNUTLS_SO_PIN=87654321), I could not even enter a new so pin,
it just says "Setting token's user PIN...". The debug trace shows a successful login using the default so pin
and initializing the user pin (C_InitPIN) to the same value (87654321):

```
GNUTLS_SO_PIN=87654321 p11tool --initialize-so-pin "pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok"
C_Initialize
  IN: pInitArgs = NULL
C_Initialize = CKR_OK
C_GetInfo
 OUT: pInfo = {
	cryptokiVersion: 2.20
	manufacturerID: "IBM"
	flags: 0
	libraryDescription: "Meta PKCS11 LIBRARY"
	libraryVersion: 3.10
      }
C_GetInfo = CKR_OK
Setting token's user PIN...
C_GetSlotList
  IN: tokenPresent = CK_TRUE
  IN: pulCount = 0x3FFDD67DE28 = 48
 OUT: pSlotList = (1) [ SL3 ]
C_GetSlotList = CKR_OK
C_GetTokenInfo
  IN: slotID = SL3
 OUT: pInfo = {
	label: "swtok"
	manufacturerID: "IBM Corp."
	model: "IBM SoftTok"
	serialNumber: "123"
	flags: 8389709 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_CLOCK_ON_TOKEN | CKF_TOKEN_INITIALIZED | CKF_SO_PIN_TO_BE_CHANGED
	ulMaxSessionCount: 18446744073709551614
	ulSessionCount: 0
	ulMaxRwSessionCount: 18446744073709551614
	ulRwSessionCount: 18446744073709551615
	ulMaxPinLen: 8
	ulMinPinLen: 4
	ulTotalPublicMemory: 18446744073709551614
	ulFreePublicMemory: 18446744073709551614
	ulTotalPrivateMemory: 18446744073709551614
	ulFreePrivateMemory: 18446744073709551614
	ulFreePrivateMemory: 18446744073709551614
	hardwareVersion: 1.0
	firmwareVersion: 1.0
	utcTime: 2018091222592200
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL3
 OUT: pInfo = {
	slotDescription: "Linux"
	manufacturerID: "IBM"
	flags: 1 = CKF_TOKEN_PRESENT
	hardwareVersion: 0.0
	firmwareVersion: 0.0
      }
C_GetSlotInfo = CKR_OK
C_OpenSession
  IN: slotID = SL3
  IN: flags = 6 = CKF_SERIAL_SESSION | CKF_RW_SESSION
  IN: pApplication = NULL
  IN: Notify = NULL
 OUT: phSession = 0x3FFDD67E1D8 = S1
C_OpenSession = CKR_OK
C_GetSessionInfo
  IN: hSession = S1
 OUT: pInfo = {
	slotID: SL3
	state: CKS_RW_PUBLIC_SESSION
	flags: 6 = CKF_SERIAL_SESSION | CKF_RW_SESSION
	ulDeviceError: 0
      }
C_GetSessionInfo = CKR_OK
C_Login
  IN: hSession = S1
  IN: userType = CKU_SO
  IN: pPin = (8) "87654321"
C_Login = CKR_OK
C_InitPIN
  IN: hSession = S1
  IN: pPin = (8) "87654321"
C_InitPIN = CKR_OK
C_CloseSession
  IN: hSession = S1
C_CloseSession = CKR_OK
C_Finalize
  IN: pReserved = NULL
C_Finalize = CKR_OK
```

The next thing I tried was changing the so pin without having the environment variable set. In that case
I was asked to enter a new so pin ("Enter Administrators's new PIN") and entered a pin different from
the default so pin. However, the debug trace still shows a successful login using the default so pin
and afterwards initializes the user pin to the same value:

```
p11tool --initialize-so-pin "pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok"
C_Initialize
  IN: pInitArgs = NULL
C_Initialize = CKR_OK
C_GetInfo
 OUT: pInfo = {
	cryptokiVersion: 2.20
	manufacturerID: "IBM"
	flags: 0
	libraryDescription: "Meta PKCS11 LIBRARY"
	libraryVersion: 3.10
      }
C_GetInfo = CKR_OK
Setting token's user PIN...
Enter Administrators's new PIN: (INPUT: 76543210, "new so pin")
C_GetSlotList
  IN: tokenPresent = CK_TRUE
  IN: pulCount = 0x3FFEC77E0A8 = 48
 OUT: pSlotList = (1) [ SL3 ]
C_GetSlotList = CKR_OK
C_GetTokenInfo
  IN: slotID = SL3
 OUT: pInfo = {
	label: "swtok"
	manufacturerID: "IBM Corp."
	model: "IBM SoftTok"
	serialNumber: "123"
	flags: 8913989 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_CLOCK_ON_TOKEN | CKF_TOKEN_INITIALIZED | CKF_USER_PIN_TO_BE_CHANGED | CKF_SO_PIN_TO_BE_CHANGED
	ulMaxSessionCount: 18446744073709551614
	ulSessionCount: 0
	ulMaxRwSessionCount: 18446744073709551614
	ulRwSessionCount: 18446744073709551615
	ulMaxPinLen: 8
	ulMinPinLen: 4
	ulTotalPublicMemory: 18446744073709551614
	ulFreePublicMemory: 18446744073709551614
	ulTotalPrivateMemory: 18446744073709551614
	ulFreePrivateMemory: 18446744073709551614
	ulFreePrivateMemory: 18446744073709551614
	hardwareVersion: 1.0
	firmwareVersion: 1.0
	utcTime: 2018091222532100
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL3
 OUT: pInfo = {
	slotDescription: "Linux"
	manufacturerID: "IBM"
	flags: 1 = CKF_TOKEN_PRESENT
	hardwareVersion: 0.0
	firmwareVersion: 0.0
      }
C_GetSlotInfo = CKR_OK
C_OpenSession
  IN: slotID = SL3
  IN: flags = 6 = CKF_SERIAL_SESSION | CKF_RW_SESSION
  IN: pApplication = NULL
  IN: Notify = NULL
 OUT: phSession = 0x3FFEC77E458 = S1
C_OpenSession = CKR_OK
C_GetSessionInfo
  IN: hSession = S1
 OUT: pInfo = {
	slotID: SL3
	state: CKS_RW_PUBLIC_SESSION
	flags: 6 = CKF_SERIAL_SESSION | CKF_RW_SESSION
	ulDeviceError: 0
      }
C_GetSessionInfo = CKR_OK
Token 'swtok' with URL 'pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok' requires security officer PIN
Enter PIN: (INPUT: 87654321, "default so pin")
C_Login
  IN: hSession = S1
  IN: userType = CKU_SO
  IN: pPin = (8) "87654321"
C_Login = CKR_OK
C_InitPIN
  IN: hSession = S1
  IN: pPin = (8) "87654321"
C_InitPIN = CKR_OK
C_CloseSession
  IN: hSession = S1
C_CloseSession = CKR_OK
C_Finalize
  IN: pReserved = NULL
C_Finalize = CKR_OK
```

In both cases (instead of changing the so pin) the user pin was initialized (to the default so pin):

```
p11tool --list-tokens
Token 0:
	URL: pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok
	Label: swtok
	Type: Generic token
	Flags: RNG, Requires login
	Manufacturer: IBM Corp.
	Model: IBM SoftTok
	Serial: 123
	Module: /usr/local/lib/opencryptoki/libopencryptoki.so
```

pkcs11 v2.20 says regarding CKF_SO_PIN_TO_BE_CHANGED (which is set
after the initialization):

> [CKF_SO_PIN_TO_BE_CHANGED:] True if the SO PIN value is the default value set by token initialization or manufacturing, or the PIN has been expired by the card.

> If a PIN is set to the default value, or has expired, the
appropriate CKF_USER_PIN_TO_BE_CHANGED or CKF_SO_PIN_TO_BE_CHANGED
flag is set to true. When either of these flags are true, logging
in with the corresponding PIN will succeed, but only the C_SetPIN
function can be called. Calling any other function that required the
user to be logged in will cause CKR_PIN_EXPIRED to be returned until
C_SetPIN is called successfully.

pkcs11 v2.20 says regarding C_InitPIN:

> C_InitPIN initializes the normal user’s PIN.


If the --initialize-so-pin option is meant to change the so pin,
then it should do a C_Login with default so pin and a C_SetPIN
using a new so pin instead of calling C_Login and C_InitPIN both
with default so pin, as it is shown in the debug output above?

Moreover, if the environment variable GNUTLS_SO_PIN is set,
the pin for C_Login and C_InitPIN is read from it, so even if
C_InitPIN could be used to change the so pin, it would always be set
to the same default so pin.
In case the environment variable is not set, both the new pin and
the pin (for login) are read by the getpass function. However, it
seems that function writes to a static buffer such that the
second input (the default so pin for login) overwrites the first
input, since it was not copied at the time it was obtained. So
again, even if C_InitPIN could be used to change the so pin,
it would always be set to the same default so pin.

If the --initialize-so-pin option is not meant to change the so pin,
but instead just re-initialize it to its default value, why does
it ask to enter a new admin pin (in case the environment variable is not
set)? Which option should be used to change the so pin i.e., leave the
CKF_SO_PIN_TO_BE_CHANGED state after initialization?

Also, the static buffer problem described above seems to also affect
the --initialize-pin option:

```
p11tool --initialize-pin "pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok"
C_Initialize
  IN: pInitArgs = NULL
C_Initialize = CKR_OK
C_GetInfo
 OUT: pInfo = {
	cryptokiVersion: 2.20
	manufacturerID: "IBM"
	flags: 0
	libraryDescription: "Meta PKCS11 LIBRARY"
	libraryVersion: 3.10
      }
C_GetInfo = CKR_OK
Setting token's user PIN...
Enter User's new PIN: (INPUT: 76543210, "new user pin")
C_GetSlotList
  IN: tokenPresent = CK_TRUE
  IN: pulCount = 0x3FFE2FFDC28 = 48
 OUT: pSlotList = (1) [ SL3 ]
C_GetSlotList = CKR_OK
C_GetTokenInfo
  IN: slotID = SL3
 OUT: pInfo = {
	label: "swtok"
	manufacturerID: "IBM Corp."
	model: "IBM SoftTok"
	serialNumber: "123"
	flags: 8913989 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_CLOCK_ON_TOKEN | CKF_TOKEN_INITIALIZED | CKF_USER_PIN_TO_BE_CHANGED | CKF_SO_PIN_TO_BE_CHANGED
	ulMaxSessionCount: 18446744073709551614
	ulSessionCount: 0
	ulMaxRwSessionCount: 18446744073709551614
	ulRwSessionCount: 18446744073709551615
	ulMaxPinLen: 8
	ulMinPinLen: 4
	ulTotalPublicMemory: 18446744073709551614
	ulFreePublicMemory: 18446744073709551614
	ulTotalPrivateMemory: 18446744073709551614
	ulFreePrivateMemory: 18446744073709551614
	ulFreePrivateMemory: 18446744073709551614
	hardwareVersion: 1.0
	firmwareVersion: 1.0
	utcTime: 2018091223495800
      }
C_GetTokenInfo = CKR_OK
C_GetSlotInfo
  IN: slotID = SL3
 OUT: pInfo = {
	slotDescription: "Linux"
	manufacturerID: "IBM"
	flags: 1 = CKF_TOKEN_PRESENT
	hardwareVersion: 0.0
	firmwareVersion: 0.0
      }
C_GetSlotInfo = CKR_OK
C_OpenSession
  IN: slotID = SL3
  IN: flags = 6 = CKF_SERIAL_SESSION | CKF_RW_SESSION
  IN: pApplication = NULL
  IN: Notify = NULL
 OUT: phSession = 0x3FFE2FFDFD8 = S1
C_OpenSession = CKR_OK
C_GetSessionInfo
  IN: hSession = S1
 OUT: pInfo = {
	slotID: SL3
	state: CKS_RW_PUBLIC_SESSION
	flags: 6 = CKF_SERIAL_SESSION | CKF_RW_SESSION
	ulDeviceError: 0
      }
C_GetSessionInfo = CKR_OK
Token 'swtok' with URL 'pkcs11:model=IBM%20SoftTok;manufacturer=IBM%20Corp.;serial=123;token=swtok' requires security officer PIN
Enter PIN: (INPUT: 87654321, "default so pin")
C_Login
  IN: hSession = S1
  IN: userType = CKU_SO
  IN: pPin = (8) "87654321"
C_Login = CKR_OK
C_InitPIN
  IN: hSession = S1
  IN: pPin = (8) "87654321"
C_InitPIN = CKR_OK
C_CloseSession
  IN: hSession = S1
C_CloseSession = CKR_OK
C_Finalize
  IN: pReserved = NULL
C_Finalize = CKR_OK
```

A work-around for the --initialize-pin option is to provide the default so pin via the corresponding environment variable.

## Version of gnutls used:

gnutls-3.6.2-1.fc28.s390x
gnutls-utils-3.6.2-1.fc28.s390x

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Fedora 28 (on s390x)

## How reproducible:

1. Set up opencryptoki as a pkcs11 provider using a p11-kit config file.
2. Initialize a token: p11tool --initialize --label="<label>" <url>
3. Try to change the default so pin: p11tool --initialize-so-pin <url>
4. See "Description of problem" for more details.

## Actual results:

SO pin is not changed. Instead, user pin is initialized to default SO pin.

## Expected results:

SO pin is changed i.e., the CKF_SO_PIN_TO_BE_CHANGED flag is set to false.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/561
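
The static-buffer aliasing and the C_InitPIN versus C_SetPIN outcome described in the report, as an added example that is not GnuTLS, p11tool or opencryptoki code. `fake_getpass`, `struct token` and both `flow_*` functions are hypothetical stand-ins; the scripted answers are constructed from the PINs shown in the traces, and the mock does not model CKR_PIN_EXPIRED.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for getpass(3): returns a pointer to ONE static buffer, so every
 * call overwrites the previous answer. Answers are constructed, not typed. */
static const char *answers[] = { "76543210", "87654321" }; /* new, then login */
static int calls;
static char *fake_getpass(void) {
    static char buf[16];
    snprintf(buf, sizeof buf, "%s", answers[calls++ % 2]);
    return buf;
}

/* Hypothetical mock token: just enough state to follow the report. */
struct token { char so_pin[16], user_pin[16]; int so_pin_to_be_changed; };

static void token_reset(struct token *t) {
    snprintf(t->so_pin, sizeof t->so_pin, "%s", "87654321"); /* default SO PIN */
    t->user_pin[0] = '\0';
    t->so_pin_to_be_changed = 1;          /* CKF_SO_PIN_TO_BE_CHANGED set */
}

/* Flow seen in the trace: pointer kept across two prompts, then C_InitPIN. */
static void flow_as_traced(struct token *t) {
    char *new_pin = fake_getpass();       /* points into the static buffer */
    char *login_pin = fake_getpass();     /* same buffer: new_pin overwritten */
    if (strcmp(t->so_pin, login_pin) == 0)                        /* C_Login */
        snprintf(t->user_pin, sizeof t->user_pin, "%s", new_pin); /* C_InitPIN */
}

/* Flow the report asks about: copy the first answer, then C_SetPIN as SO. */
static void flow_proposed(struct token *t) {
    char new_pin[16];
    snprintf(new_pin, sizeof new_pin, "%s", fake_getpass());      /* own copy */
    char *login_pin = fake_getpass();
    if (strcmp(t->so_pin, login_pin) == 0) {                      /* C_Login */
        snprintf(t->so_pin, sizeof t->so_pin, "%s", new_pin);     /* C_SetPIN */
        t->so_pin_to_be_changed = 0;
    }
}

int main(void) {
    struct token t;
    token_reset(&t); flow_as_traced(&t);
    printf("traced:   so=%s user=%s flag=%d\n", t.so_pin, t.user_pin, t.so_pin_to_be_changed);
    token_reset(&t); flow_proposed(&t);
    printf("proposed: so=%s user=%s flag=%d\n", t.so_pin, t.user_pin, t.so_pin_to_be_changed);
    return 0;
}
```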