Closed Bug 298516 Opened 15 years ago Closed 15 years ago
Implement minimum length of PINs for FIPS 140-2 mode
Implement minimum length of PINs for FIPS 140-2 mode see VE 03.25.01 (level 2 requirement). Probablity of guessing a PIN should be less than one in 1,000,000
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → 3.11
While I was reading the softoken code related to minimum password lengths, I found these problems. 1. pk11db.c: I believe this is a bug. tmp should match "FIPSTokenDescription=", and minPW should match "minPWLen=". 2. pkcs11.c: if slot->minimumPinLen == 0 is true, slot->minimumPinLen <= SFTK_MAX_PIN must be true, so the latter is not necessary. 3. pkcs11.c: I'm wondering why we don't just set pInfo->ulMinPinLen to slot->minimumPinLen. Is this to handle the error case that slot->minimumPinLen is negative?
Attachment #188601 - Flags: review?(rrelyea)
Comment on attachment 188601 [details] [diff] [review] Problems found by code inspection Everything you identified here are actual bugs. pkcs11.c changes are fine. in pk11db.c, our line: + SECMOD_HANDLE_STRING_ARG(index,tmp,"FIPSTokenDescription=",;) should read + SECMOD_HANDLE_STRING_ARG(index,fpslotdes,"FIPSTokenDescription=",;) The minPW line is correct in your patch. r+ if you make the above change...
Attachment #188601 - Flags: review?(rrelyea) → review-
Bob, thanks for the review. I implemented your suggested change, and also a check to ensure that slot->minimumPinLen can't be negative even if we get "minPWLen=<a negative number>" in the token parameter string.
Comment on attachment 190073 [details] [diff] [review] Problems found by code inspection, v2 (checked in) r+= rrelyea
Attachment #190073 - Flags: review?(rrelyea) → review+
Comment on attachment 190073 [details] [diff] [review] Problems found by code inspection, v2 (checked in) I checked in this patch on the NSS trunk (NSS 3.11). Checking in pk11db.c; /cvsroot/mozilla/security/nss/lib/softoken/pk11db.c,v <-- pk11db.c new revision: 1.33; previous revision: 1.32 done Checking in pkcs11.c; /cvsroot/mozilla/security/nss/lib/softoken/pkcs11.c,v <-- pkcs11.c new revision: 1.103; previous revision: 1.102 done
Attachment #190073 - Attachment description: Proposed patch v2 → Problems found by code inspection, v2 (checked in)
The patch (attachment 196364 [details] [diff] [review]) in bug 298517 imposes a minimum length (currently 7 Unicode characters) for passwords/PINs in FIPS mode. It also imposes a minimum quality for passwords/PINs. It has been checked in.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.