From fc9ddebdf59cd25d59f8b90616c5753203f62ec8 Mon Sep 17 00:00:00 2001 From: Francis Dupont Date: Mon, 20 Oct 2014 22:57:43 +0200 Subject: [PATCH] Accept up to 256 byte PINs in native PKCS#11. [RT #37410] --- CHANGES | 3 +++ lib/isc/pk11.c | 21 ++++++++++++++------- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 3175f03599..292164fe30 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3984. [func] Accept 256 byte long PINs in native PKCS#11 + crypto. [RT #37410] + 3982. [doc] Include release notes in product documentation. [RT #37272] diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c index 015bff27be..de4479b7b0 100644 --- a/lib/isc/pk11.c +++ b/lib/isc/pk11.c @@ -130,7 +130,10 @@ #include #include -#define PINLEN 32 +/* was 32 octets, Petr Spacek suggested 1024, SoftHSMv2 uses 256... */ +#ifndef PINLEN +#define PINLEN 256 +#endif #ifndef PK11_NO_LOGERR #define PK11_NO_LOGERR 1 @@ -163,7 +166,7 @@ struct pk11_token { char manuf[32]; char model[16]; char serial[16]; - char pin[PINLEN]; + char pin[PINLEN + 1]; }; static ISC_LIST(pk11_token_t) tokens; @@ -498,7 +501,9 @@ pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype, /* Override the token's PIN */ if (logon && pin != NULL && *pin != '\0') { - memset(token->pin, 0, PINLEN); + if (strlen(pin) > PINLEN) + return ISC_R_RANGE; + memset(token->pin, 0, PINLEN + 1); strncpy(token->pin, pin, PINLEN); } @@ -1099,7 +1104,7 @@ pk11_parse_uri(pk11_object_t *obj, const char *label, char *uri, *p, *a, *na, *v; size_t len, l; FILE *stream = NULL; - char pin[PINLEN]; + char pin[PINLEN + 1]; isc_boolean_t gotpin = ISC_FALSE; isc_result_t ret; 
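Review bot: The new comment above `#define PINLEN 256` records where the number came from but not what the macro means now that the PIN buffers are declared as `PINLEN + 1`. I would add `/* Maximum PIN length in octets, not counting the terminating NUL; PIN buffers are PINLEN + 1 bytes. */`. The `#ifndef` also makes the value a build-time knob that sizes a stack array in pk11_parse_uri, so a lower bound such as `#if PINLEN < 1` followed by `#error "PINLEN must be at least 1"` would reject a nonsensical override at compile time.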
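Review bot: In the pk11_get_session hunk the buffer size is written by hand as `PINLEN + 1` in the memset, and the same expression recurs in `memset(pin, ...)` and `memmove(token->pin, ...)` in the pk11_parse_uri hunks. A later change to either array declaration could therefore leave the size out of step with the buffer. `memset(token->pin, 0, sizeof(token->pin));` ties each call to the object it writes. The `strncpy(token->pin, pin, PINLEN)` that follows is NUL-terminated only because of that memset and the `strlen(pin) > PINLEN` check, so a comment such as `/* the memset above guarantees termination */` would keep the dependency visible. pk11_get_session starts and ends outside the hunk.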
@@ -1207,10 +1212,12 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
 ret = isc_stdio_open(v, "r", &stream);
 if (ret != ISC_R_SUCCESS)
 goto err;
- memset(pin, 0, PINLEN);
- ret = isc_stdio_read(pin, 1, PINLEN - 1, stream, NULL);
+ memset(pin, 0, PINLEN + 1);
+ ret = isc_stdio_read(pin, 1, PINLEN + 1, stream, &l);
 if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF))
 goto err;
+ if (l > PINLEN)
+ DST_RET(ISC_R_RANGE);
 ret = isc_stdio_close(stream);
 stream = NULL;
 if (ret != ISC_R_SUCCESS)
@@ -1238,7 +1245,7 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
 DST_RET(ISC_R_NOTFOUND);
 obj->slot = token->slotid;
 if (gotpin) {
- memmove(token->pin, pin, PINLEN);
+ memmove(token->pin, pin, PINLEN + 1);
 obj->reqlogon = ISC_TRUE;
 }
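Review bot: The stack buffer `pin` is left holding PIN material on every exit path of the read hunk. After `DST_RET(ISC_R_RANGE)` it holds up to PINLEN + 1 bytes of the PIN file, and the `goto err` after a failed read may leave a partial PIN there. The later hunk copies it to the token with `memmove(token->pin, pin, PINLEN + 1)`, and the local copy stays behind on success too. The `err` label and the function's end are outside these hunks, so whether `pin` is scrubbed there cannot be seen. If it is not, a wipe such as `memset(pin, 0, sizeof(pin));` belongs on the common exit path, done with a primitive the compiler will not drop as a dead store. Separately, `l` counts every byte read, so a trailing newline in the PIN file presumably counts toward the limit and becomes part of the PIN; if that is intended, a comment like `/* the file must hold the PIN only, with no trailing newline */` would say so.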