Improve PIN/PUK length testing when KDF is enabled

github-af · Apr 12, 2023 · 8b1463c · 8b1463c
1 parent faaa48c
commit 8b1463c
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 10 deletions.
diff --git a/src/fr/anssi/smartpgp/Persistent.java b/src/fr/anssi/smartpgp/Persistent.java
@@ -236,8 +236,8 @@ protected void reset(final boolean isRegistering) {
         Common.beginTransaction(isRegistering);
         user_pin_length = (byte)Constants.USER_PIN_DEFAULT.length;
         user_pin.update(Constants.USER_PIN_DEFAULT, (short)0, user_pin_length);
-        user_pin.resetAndUnblock();
         Common.commitTransaction(isRegistering);
+        user_pin.resetAndUnblock();
 
         Common.beginTransaction(isRegistering);
         user_puk_length = (short)0;
@@ -253,8 +253,8 @@ protected void reset(final boolean isRegistering) {
         Common.beginTransaction(isRegistering);
         admin_pin_length = (byte)Constants.ADMIN_PIN_DEFAULT.length;
         admin_pin.update(Constants.ADMIN_PIN_DEFAULT, (short)0, admin_pin_length);
-        admin_pin.resetAndUnblock();
         Common.commitTransaction(isRegistering);
+        admin_pin.resetAndUnblock();
 
         isTerminated = false;
     }

diff --git a/src/fr/anssi/smartpgp/SmartPGPApplet.java b/src/fr/anssi/smartpgp/SmartPGPApplet.java
@@ -767,10 +767,17 @@ private final void processResetRetryCounter(final short lc,
 
         case (byte)0x02:
             assertAdmin();
-            if((lc < Constants.USER_PIN_MIN_SIZE) ||
-               (lc > Constants.USER_PIN_MAX_SIZE)) {
-                ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
-                return;
+            if(data.keyDerivationIsActive()) {
+                if(lc != data.keyDerivationSize()) {
+                    ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
+                    return;
+                }
+            } else {
+                if((lc < Constants.USER_PIN_MIN_SIZE) ||
+                   (lc > Constants.USER_PIN_MAX_SIZE)) {
+                    ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
+                    return;
+                }
             }
             transients.setUserPinMode81(false);
             transients.setUserPinMode82(false);
@@ -1142,10 +1149,17 @@ private final void processPutData(final short lc,
 
             case Constants.TAG_RESETTING_CODE:
                 assertAdmin();
-                if((lc < Constants.USER_PUK_MIN_SIZE) ||
-                   (lc > Constants.USER_PUK_MAX_SIZE)) {
-                    ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
-                    return;
+                if(data.keyDerivationIsActive()) {
+                    if(lc != data.keyDerivationSize()) {
+                        ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
+                        return;
+                    }
+                } else {
+                    if((lc < Constants.USER_PUK_MIN_SIZE) ||
+                       (lc > Constants.USER_PUK_MAX_SIZE)) {
+                        ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
+                        return;
+                    }
                 }
                 JCSystem.beginTransaction();
                 data.user_puk_length = (byte)lc;