Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add code to prevent locking the token by mistake #457

Merged
merged 2 commits into from
Oct 29, 2024
Merged

Add code to prevent locking the token by mistake #457

merged 2 commits into from
Oct 29, 2024

Conversation

simo5
Copy link
Member

@simo5 simo5 commented Oct 24, 2024
edited
Loading

Description

For tokens that properly report the status of the PIN authentication counter via token flags, check them out and refuse to attempt login if the token is on its last try.

A token should never be on its last try and finding this flags set is an indication that someone may have hardocded an in correct pin in the configuration or an URI. Proceeding would have a high chance of ending up blocking the token.

Fixes: #455

Checklist

  • Code modified for feature
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated

Reviewer's checklist:

  • Any issues marked for closing are addressed
  • There is a test suite reasonably covering new functionality or modifications
  • This feature/change has adequate documentation added
  • Code conform to coding style that today cannot yet be enforced via the check style test
  • Commits have short titles and sensible commit messages
  • Coverity Scan has run if needed (code PR) and no new defects were found

@simo5 simo5 requested a review from Jakuje October 24, 2024 15:25
Jakuje
Jakuje previously approved these changes Oct 24, 2024
View reviewed changes
Copy link
Contributor

@Jakuje Jakuje left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@simo5 simo5 added the covscan Triggers Coverity Scanner label Oct 24, 2024
@simo5
Copy link
Member Author

simo5 commented Oct 24, 2024

@Jakuje I have not added tests for this feature, do you think it is obvious enough, or do you think I should try to create a test? I might be able to do it with kryoptic at least.

@github-actions github-actions bot removed the covscan Triggers Coverity Scanner label Oct 24, 2024
@Jakuje
Copy link
Contributor

Jakuje commented Oct 25, 2024

I think having a test coverage for this would be helpful to be sure it works as expected.

Just something simple trying to login several times using pkcs11 provider and bad pin (different processes so this is not caught by the mechanism preventing relogin with bad pin), then checking it is not locked (for example using pkcs11-tool), then using the right pin in pkcs11 tool and then verifying the functionality again with pkcs11 provider.

@simo5
Add code to prevent locking the token by mistake
f740d8d 
For tokens that properly report the status of the PIN authentication
counter via token flags, check them out and refuse to attempt login if
the token is on its last try.

A token should never be on its last try and finding this flags set is an
indication that someone may have hardocded an in correct pin in the
configuration or an URI. Proceeding would have a high chance of ending
up blocking the token.

Fixes: latchset#455

Signed-off-by: Simo Sorce <[email protected]>
@simo5 simo5 force-pushed the nopinlock branch 5 times, most recently from 6c393f3 to 4cb0d53 Compare October 25, 2024 20:18
@simo5 simo5 requested a review from Jakuje October 25, 2024 20:30
@simo5
Copy link
Member Author

simo5 commented Oct 25, 2024

Added a test!

Jakuje
Jakuje reviewed Oct 29, 2024
View reviewed changes
tests/tpinlock Outdated Show resolved Hide resolved
tests/meson.build Show resolved Hide resolved
@simo5
Copy link
Member Author

simo5 commented Oct 29, 2024

So I will push a change soon as -T was not working with tokens with multiple slots as pkcs11-tool was trying to login to each token that way, -I works better to test the login.

However softhsm gets to pin count low and then never locks it (I tried manually some 30/40 login attempts.

While softokn seem to never set even any low count or lock flags at all.

So neither can be tested.

@simo5
Test pin locking prevention
9e36e1f 
Only kryoptic seem to correctly enforce pin lockout and return the
correct flags.
Softhsm seem to expose CKF_PIN_COUNT_LOW at some point but never lock
the token.
Softoken seem not support pin counting or locking at all.

Signed-off-by: Simo Sorce <[email protected]>
@simo5 simo5 requested a review from Jakuje October 29, 2024 15:19
@simo5 simo5 added the covscan-ok Coverity scan passed label Oct 29, 2024
@simo5 simo5 merged commit 1e8bb9b into latchset:main Oct 29, 2024
42 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Jakuje Jakuje Jakuje approved these changes

Assignees
No one assigned
Labels
covscan-ok Coverity scan passed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Check PIN lockout status
2 participants
@simo5 @Jakuje