You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the feature
The PKCS#11 specification allows a token to expose flags that indicate if the PIN authentication failure count is too high and might soon get locked.
pkcs11-provider should consult these flags on authentication and if the flag CKF_USER_PIN_FINAL_TRY is returned, refuse to attempt a login, and require the user to reset the counter by performing a manual unlock once via tools like pkcs11-tool.
Expected behavior
Never lockup a token by checking token flags before login.
Additional context
Might not work if tokens do not report the flags correctly.
There is also a TOCTOU problem if two threads concurrently try to login, but better than nothing.
The text was updated successfully, but these errors were encountered:
For tokens that properly report the status of the PIN authentication
counter via token flags, check them out and refuse to attempt login if
the token is on its last try.
A token should never be on its last try and finding this flags set is an
indication that someone may have hardocded an in correct pin in the
configuration or an URI. Proceeding would have a high chance of ending
up blocking the token.
Fixes: latchset#455
Signed-off-by: Simo Sorce <[email protected]>
For tokens that properly report the status of the PIN authentication
counter via token flags, check them out and refuse to attempt login if
the token is on its last try.
A token should never be on its last try and finding this flags set is an
indication that someone may have hardocded an in correct pin in the
configuration or an URI. Proceeding would have a high chance of ending
up blocking the token.
Fixes: latchset#455
Signed-off-by: Simo Sorce <[email protected]>
Describe the feature
The PKCS#11 specification allows a token to expose flags that indicate if the PIN authentication failure count is too high and might soon get locked.
pkcs11-provider should consult these flags on authentication and if the flag CKF_USER_PIN_FINAL_TRY is returned, refuse to attempt a login, and require the user to reset the counter by performing a manual unlock once via tools like pkcs11-tool.
Expected behavior
Never lockup a token by checking token flags before login.
Additional context
Might not work if tokens do not report the flags correctly.
There is also a TOCTOU problem if two threads concurrently try to login, but better than nothing.
The text was updated successfully, but these errors were encountered: