From: Nikos Mavrogiannopoulos Date: Thu, 30 Jun 2016 07:11:40 +0000 (+0200) Subject: pkcs11_get_attribute_avalue: correctly handle a -1 value length from C_GetAttributeValue X-Git-Tag: gnutls_3_5_2~20 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bebc0df42f13fb19d6b31599e196c780abca9d40;p=thirdparty%2Fgnutls.git pkcs11_get_attribute_avalue: correctly handle a -1 value length from C_GetAttributeValue That is, work-around modules which do not return an error on sensitive objects. Relates #108 --- diff --git a/lib/pkcs11_int.c b/lib/pkcs11_int.c index 944ee678b2..dce59475c7 100644 --- a/lib/pkcs11_int.c +++ b/lib/pkcs11_int.c @@ -137,6 +137,12 @@ pkcs11_get_attribute_avalue(struct ck_function_list * module, templ.value_len = 0; rv = (module)->C_GetAttributeValue(sess, object, &templ, 1); if (rv == CKR_OK) { + /* PKCS#11 v2.20 requires sensitive values to set a length + * of -1. In that case an error should have been returned, + * but some implementations return CKR_OK instead. */ + if (templ.value_len == (unsigned long)-1) + return CKR_ATTRIBUTE_SENSITIVE; + if (templ.value_len == 0) return rv;
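Review bot: the new check `if (templ.value_len == (unsigned long)-1)` in pkcs11_get_attribute_avalue reports every -1 length as CKR_ATTRIBUTE_SENSITIVE, but PKCS#11 also has the module set the length to -1 when the attribute type is invalid for the object, so a module that wrongly returns CKR_OK in that case would be reported as holding a sensitive attribute. Callers that branch on the return code should know that the value is a best guess; the added comment could say so, or the function could return a more neutral error for this path. The comment's wording "requires sensitive values to set a length of -1" would read more clearly as the module being required to set the length to -1 for sensitive values. The bare cast `(unsigned long)-1` is also worth replacing with a named macro for the sentinel, so that the comparison documents itself and stays correct if the type of `value_len` ever changes.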