pkcs11_get_attribute_avalue: correctly handle a -1 value length from C_GetAttributeValue
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 30 Jun 2016 07:11:40 +0000 (09:11 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 30 Jun 2016 07:12:01 +0000 (09:12 +0200)
That is, work around modules which do not return an error on sensitive
objects.

Relates #108

lib/pkcs11_int.c

index 944ee678b245c0d6a9861d8b496f50127f70c35b..dce59475c76a5aa1e0c5241c98ebbd2a4cb61a74 100644 (file)
@@ -137,6 +137,12 @@ pkcs11_get_attribute_avalue(struct ck_function_list * module,
        templ.value_len = 0;
        rv = (module)->C_GetAttributeValue(sess, object, &templ, 1);
        if (rv == CKR_OK) {
+               /* PKCS#11 v2.20 requires sensitive values to set a length
+                * of -1. In that case an error should have been returned,
+                * but some implementations return CKR_OK instead. */
+               if (templ.value_len == (unsigned long)-1)
+                       return CKR_ATTRIBUTE_SENSITIVE;
+
                if (templ.value_len == 0)
                        return rv;