Closed
Bug 298516
Opened 20 years ago
Closed 19 years ago
Implement minimum length of PINs for FIPS 140-2 mode
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.11
People
(Reporter: glenbeasley, Assigned: wtc)
Details
Attachments
(1 file, 1 obsolete file)
2.11 KB, patch | rrelyea: review+
Implement minimum length of PINs for FIPS 140-2 mode; see VE 03.25.01 (level 2 requirement).
Probability of guessing a PIN should be less than one in 1,000,000
Assignee
Updated•20 years ago
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → 3.11
Assignee
Comment 1•20 years ago
While I was reading the softoken code related to
minimum password lengths, I found these problems.
1. pk11db.c: I believe this is a bug. tmp should
match "FIPSTokenDescription=", and minPW should
match "minPWLen=".
2. pkcs11.c: if slot->minimumPinLen == 0 is true,
slot->minimumPinLen <= SFTK_MAX_PIN must be true,
so the latter is not necessary.
3. pkcs11.c: I'm wondering why we don't just set
pInfo->ulMinPinLen to slot->minimumPinLen. Is this
to handle the error case that slot->minimumPinLen is
negative?
Attachment #188601 -
Flags: review?(rrelyea)
Assignee
Updated•20 years ago
OS: Solaris → All
Hardware: Sun → All
Comment 2•20 years ago
Comment on attachment 188601
Problems found by code inspection
Everything you identified here is an actual bug. pkcs11.c changes are fine.
In pk11db.c, our line:
+ SECMOD_HANDLE_STRING_ARG(index,tmp,"FIPSTokenDescription=",;)
should read
+ SECMOD_HANDLE_STRING_ARG(index,fpslotdes,"FIPSTokenDescription=",;)
The minPW line is correct in your patch.
r+ if you make the above change...
Attachment #188601 -
Flags: review?(rrelyea) → review-
Assignee
Comment 3•20 years ago
Bob, thanks for the review. I implemented your
suggested change, and also a check to ensure that
slot->minimumPinLen can't be negative even if we
get "minPWLen=<a negative number>" in the token
parameter string.
Attachment #188601 -
Attachment is obsolete: true
Attachment #190073 -
Flags: review?(rrelyea)
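Added example, not part of the bug thread or the NSS patch: it illustrates the check described in Comment 3, rejecting a negative `minPWLen=` value before it can reach an unsigned length field such as `ulMinPinLen`. The function names, the `EXAMPLE_MAX_PIN` bound, the fall-back to 0 and the simplified space-separated parameter format are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed upper bound; stands in for the page's SFTK_MAX_PIN. */
#define EXAMPLE_MAX_PIN 255

/* Return the text after `key` when `key` starts a space-separated field. */
static const char *find_value(const char *params, const char *key)
{
    size_t klen = strlen(key);
    const char *p = params;
    while (*p) {
        while (*p == ' ') p++;
        if (strncmp(p, key, klen) == 0) return p + klen;
        while (*p && *p != ' ') p++;
    }
    return NULL;
}

/* Minimum PIN length in [0, EXAMPLE_MAX_PIN]. Absent, malformed,
 * out-of-range or negative input yields 0 (this example's choice). */
int example_min_pin_len(const char *params)
{
    const char *v = find_value(params, "minPWLen=");
    char *end;
    long n;
    if (v == NULL) return 0;
    errno = 0;
    n = strtol(v, &end, 10);
    if (end == v || errno == ERANGE) return 0;   /* no digits / overflow */
    if (*end != '\0' && *end != ' ') return 0;   /* trailing junk */
    if (n < 0) return 0;                         /* the negative case */
    return n > EXAMPLE_MAX_PIN ? EXAMPLE_MAX_PIN : (int)n;
}

/* What an unsigned length field holds if a negative int is copied as-is. */
unsigned long unchecked_copy(int min_len) { return (unsigned long)min_len; }

int main(void)
{
    /* Constructed parameter strings. */
    printf("%d\n", example_min_pin_len("FIPSTokenDescription=x minPWLen=7"));
    printf("%d\n", example_min_pin_len("minPWLen=-5"));
    printf("%lu\n", unchecked_copy(-5));
    return 0;
}
```

Copied unchecked, a negative value becomes a very large unsigned minimum, so no PIN of practical length would satisfy it.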
Comment 4•20 years ago
Comment on attachment 190073
Problems found by code inspection, v2 (checked in)
r+= rrelyea
Attachment #190073 -
Flags: review?(rrelyea) → review+
Assignee
Comment 5•20 years ago
Comment on attachment 190073
Problems found by code inspection, v2 (checked in)
I checked in this patch on the NSS trunk (NSS 3.11).
Checking in pk11db.c;
/cvsroot/mozilla/security/nss/lib/softoken/pk11db.c,v <-- pk11db.c
new revision: 1.33; previous revision: 1.32
done
Checking in pkcs11.c;
/cvsroot/mozilla/security/nss/lib/softoken/pkcs11.c,v <-- pkcs11.c
new revision: 1.103; previous revision: 1.102
done
Attachment #190073 -
Attachment description: Proposed patch v2 → Problems found by code inspection, v2 (checked in)
Assignee
Comment 6•19 years ago
The patch (attachment 196364) in bug 298517 imposes a minimum
length (currently 7 Unicode characters) for passwords/PINs in
FIPS mode. It also imposes a minimum quality for passwords/PINs.
It has been checked in.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED