mirror of
https://salsa.debian.org/gnuk-team/gnuk/gnuk.git
synced 2024-09-20 02:40:08 +00:00
Check passphrase length when changing.
This commit is contained in:
parent
55781cb7bb
commit
704d8a5cf1
@ -1,3 +1,8 @@
|
||||
2018-01-22 NIIBE Yutaka <gniibe@fsij.org>
|
||||
|
||||
* src/openpgp.c (USER_PASSWD_MINLEN): New.
|
||||
(cmd_change_password): Check passphrase length.
|
||||
|
||||
2018-01-22 NIIBE Yutaka <gniibe@fsij.org>
|
||||
|
||||
* src/openpgp.c (cmd_change_password): Remove access to private
|
||||
|
7
NEWS
7
NEWS
@ -11,7 +11,12 @@ agreement to USB Forum. Now, we have new file named gnuk-vidpid.elf
|
||||
for flashing. The file gnuk.elf can be used to generate
|
||||
gnuk-vidpid.elf and we can check if it is reproducible or not.
|
||||
|
||||
** Remove access with BY_ADMIN
|
||||
** Passphrase length check
|
||||
|
||||
Now, Gnuk checks length of passphrase if it's too short when
|
||||
changing passphrase.
|
||||
|
||||
** Remove possible access with BY_ADMIN (to flash ROM data)
|
||||
|
||||
For admin-less mode, access by OPENPGP_CARD_INITIAL_PW3 remained on
|
||||
flash ROM. This could be considered a backdoor, if some other person
|
||||
|
@ -37,6 +37,7 @@
|
||||
|
||||
static struct eventflag *openpgp_comm;
|
||||
|
||||
#define USER_PASSWD_MINLEN 6
|
||||
#define ADMIN_PASSWD_MINLEN 8
|
||||
|
||||
#define CLS(a) a.cmd_apdu_head[0]
|
||||
@ -347,8 +348,9 @@ cmd_change_password (void)
|
||||
newpw_len = len - pw_len;
|
||||
ks_pw3 = gpg_do_read_simple (NR_DO_KEYSTRING_PW3);
|
||||
|
||||
/* Check length of password for admin-less mode. */
|
||||
if (ks_pw3 == NULL && newpw_len < ADMIN_PASSWD_MINLEN)
|
||||
/* Check length of password */
|
||||
if ((ks_pw3 == NULL && newpw_len < ADMIN_PASSWD_MINLEN)
|
||||
|| newpw_len < USER_PASSWD_MINLEN)
|
||||
{
|
||||
DEBUG_INFO ("new password length is too short.");
|
||||
GPG_CONDITION_NOT_SATISFIED ();
|
||||
@ -388,6 +390,7 @@ cmd_change_password (void)
|
||||
{
|
||||
newpw = pw + pw_len;
|
||||
newpw_len = len - pw_len;
|
||||
|
||||
if (newpw_len == 0 && admin_authorized == BY_ADMIN)
|
||||
{
|
||||
const uint8_t *initial_pw;
|
||||
@ -397,6 +400,12 @@ cmd_change_password (void)
|
||||
newsalt_len = 0;
|
||||
pw3_null = 1;
|
||||
}
|
||||
else if (newpw_len < ADMIN_PASSWD_MINLEN)
|
||||
{
|
||||
DEBUG_INFO ("new password length is too short.");
|
||||
GPG_CONDITION_NOT_SATISFIED ();
|
||||
return;
|
||||
}
|
||||
|
||||
who_old = admin_authorized;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user