diff --git a/lib/ykpiv.c b/lib/ykpiv.c
index 8afdaf9..4b316c4 100644
--- a/lib/ykpiv.c
+++ b/lib/ykpiv.c
@@ -180,7 +180,7 @@ ykpiv_rc ykpiv_connect(ykpiv_state *state, const char *wanted) {
 fprintf(stderr, "Failed communicating with card: '%s'\n", ykpiv_strerror(res));
 }
 continue;
- } else if(sw == 0x9000) {
+ } else if(sw == SW_SUCCESS) {
 return YKPIV_OK;
 } else {
 if(state->verbose) {
@@ -283,7 +283,7 @@ ykpiv_rc ykpiv_transfer_data(ykpiv_state *state, const unsigned char *templ,
 res = send_data(state, &apdu, data, &recv_len, sw);
 if(res != YKPIV_OK) {
 return res;
- } else if(*sw != 0x9000 && *sw >> 8 != 0x61) {
+ } else if(*sw != SW_SUCCESS && *sw >> 8 != 0x61) {
 return YKPIV_OK;
 }
 if(*out_len + recv_len - 2 > max_out) {
@@ -313,7 +313,7 @@ ykpiv_rc ykpiv_transfer_data(ykpiv_state *state, const unsigned char *templ,
 res = send_data(state, &apdu, data, &recv_len, sw);
 if(res != YKPIV_OK) {
 return res;
- } else if(*sw != 0x9000 && *sw >> 8 != 0x61) {
+ } else if(*sw != SW_SUCCESS && *sw >> 8 != 0x61) {
 return YKPIV_OK;
 }
 if(*out_len + recv_len - 2 > max_out) {
@@ -399,7 +399,7 @@ ykpiv_rc ykpiv_authenticate(ykpiv_state *state, unsigned const char *key) {
 apdu.st.data[2] = 0x80;
 if((res = send_data(state, &apdu, data, &recv_len, &sw)) != YKPIV_OK) {
 return res;
- } else if(sw != 0x9000) {
+ } else if(sw != SW_SUCCESS) {
 return YKPIV_AUTHENTICATION_ERROR;
 }
 memcpy(challenge, data + 4, 8);
@@ -435,7 +435,7 @@ ykpiv_rc ykpiv_authenticate(ykpiv_state *state, unsigned const char *key) {
 apdu.st.lc = dataptr - apdu.st.data;
 if((res = send_data(state, &apdu, data, &recv_len, &sw)) != YKPIV_OK) {
 return res;
- } else if(sw != 0x9000) {
+ } else if(sw != SW_SUCCESS) {
 return YKPIV_AUTHENTICATION_ERROR;
 }
 }
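Review bot: The rewritten condition in the -283 hunk still compares against the bare `0x61` while the success word beside it got a name, so the "more data available" (61xx) status class stays a magic number; the identical line recurs in the -313 hunk. Since the commit introduces a status-word table for exactly this purpose, the high-byte check could read `} else if(*sw != SW_SUCCESS && *sw >> 8 != SW_MORE_DATA_HIGH) {` with a matching `#define` placed next to `SW_SUCCESS` (the name is a suggestion, not an existing identifier). The body of ykpiv_transfer_data starts and ends outside both hunks.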
@@ -497,7 +497,7 @@ ykpiv_rc ykpiv_set_mgmkey2(ykpiv_state *state, const unsigned char *new_key, con
 memcpy(apdu.st.data + 3, new_key, DES_KEY_SZ * 3);
 if((res = send_data(state, &apdu, data, &recv_len, &sw)) != YKPIV_OK) {
 return res;
- } else if(sw == 0x9000) {
+ } else if(sw == SW_SUCCESS) {
 return YKPIV_OK;
 }
 return YKPIV_GENERIC_ERROR;
@@ -599,11 +599,11 @@ static ykpiv_rc _general_authenticate(ykpiv_state *state,
 fprintf(stderr, "Sign command failed to communicate.\n");
 }
 return res;
- } else if(sw != 0x9000) {
+ } else if(sw != SW_SUCCESS) {
 if(state->verbose) {
 fprintf(stderr, "Failed sign command with code %x.\n", sw);
 }
- if (sw == 0x6982)
+ if (sw == SW_ERR_SECURITY_STATUS)
 return YKPIV_AUTHENTICATION_ERROR;
 else
 return YKPIV_GENERIC_ERROR;
@@ -664,7 +664,7 @@ ykpiv_rc ykpiv_get_version(ykpiv_state *state, char *version, size_t len) {
 apdu.st.ins = YKPIV_INS_GET_VERSION;
 if((res = send_data(state, &apdu, data, &recv_len, &sw)) != YKPIV_OK) {
 return res;
- } else if(sw == 0x9000) {
+ } else if(sw == SW_SUCCESS) {
 int result = snprintf(version, len, "%d.%d.%d", data[0], data[1], data[2]);
 if(result < 0) {
 return YKPIV_SIZE_ERROR;
@@ -703,12 +703,12 @@ ykpiv_rc ykpiv_verify(ykpiv_state *state, const char *pin, int *tries) {
 }
 if((res = send_data(state, &apdu, data, &recv_len, &sw)) != YKPIV_OK) {
 return res;
- } else if(sw == 0x9000) {
+ } else if(sw == SW_SUCCESS) {
 return YKPIV_OK;
 } else if((sw >> 8) == 0x63) {
 *tries = (sw & 0xf);
 return YKPIV_WRONG_PIN;
- } else if(sw == 0x6983) {
+ } else if(sw == SW_ERR_AUTH_BLOCKED) {
 *tries = 0;
 return YKPIV_WRONG_PIN;
 } else {
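Review bot: In the -703 hunk the retry-counter branch between the two converted lines keeps `(sw >> 8) == 0x63` and `sw & 0xf` as magic numbers, so the new naming is applied to only two of the three status checks in ykpiv_verify; `_change_pin_internal` in the -750 hunk carries the same two expressions. Finishing the conversion would read `} else if((sw >> 8) == SW_ERR_RETRIES_HIGH) {` and `*tries = (sw & SW_RETRIES_MASK);` with both defines added beside `SW_ERR_AUTH_BLOCKED` (suggested names). A one-line comment on the branch, such as `/* 63Cx: verification failed, x = remaining tries */`, would also document why the low nibble is taken. ykpiv_verify's body starts and ends outside the hunk.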
@@ -750,11 +750,11 @@ static ykpiv_rc _change_pin_internal(ykpiv_state *state, int action, const char
 res = ykpiv_transfer_data(state, templ, indata, sizeof(indata), data, &recv_len, &sw);
 if(res != YKPIV_OK) {
 return res;
- } else if(sw != 0x9000) {
+ } else if(sw != SW_SUCCESS) {
 if((sw >> 8) == 0x63) {
 *tries = sw & 0xf;
 return YKPIV_WRONG_PIN;
- } else if(sw == 0x6983) {
+ } else if(sw == SW_ERR_AUTH_BLOCKED) {
 return YKPIV_PIN_LOCKED;
 } else {
 if(state->verbose) {
@@ -796,7 +796,7 @@ ykpiv_rc ykpiv_fetch_object(ykpiv_state *state, int object_id,
 return res;
 }
 
- if(sw == 0x9000) {
+ if(sw == SW_SUCCESS) {
 size_t outlen;
 int offs = get_length(data + 1, &outlen);
 if(offs == 0) {
@@ -837,7 +837,7 @@ ykpiv_rc ykpiv_save_object(ykpiv_state *state, int object_id,
 return res;
 }
 
- if(sw == 0x9000) {
+ if(sw == SW_SUCCESS) {
 return YKPIV_OK;
 } else {
 return YKPIV_GENERIC_ERROR;
@@ -956,10 +956,10 @@ ykpiv_rc ykpiv_import_private_key(ykpiv_state *state, const unsigned char key, u
 if (ykpiv_transfer_data(state, templ, key_data, in_ptr - key_data, data, &recv_len, &sw) != YKPIV_OK)
 return YKPIV_GENERIC_ERROR;
 
- if (sw == 0x6982)
+ if (sw == SW_ERR_SECURITY_STATUS)
 return YKPIV_AUTHENTICATION_ERROR;
 
- if (sw != 0x9000)
+ if (sw != SW_SUCCESS)
 return YKPIV_GENERIC_ERROR;
 
 return YKPIV_OK;
diff --git a/lib/ykpiv.h b/lib/ykpiv.h
index 2a3fae7..de082f2 100644
--- a/lib/ykpiv.h
+++ b/lib/ykpiv.h
@@ -189,6 +189,14 @@ extern "C"
 #define YKPIV_INS_GET_DATA 0xcb
 #define YKPIV_INS_PUT_DATA 0xdb
 
+/* sw is status words, see NIST special publication 800-73-4, section 5.6 */
+#define SW_SUCCESS 0x9000
+#define SW_ERR_SECURITY_STATUS 0x6982
+#define SW_ERR_AUTH_BLOCKED 0x6983
+#define SW_ERR_INCORRECT_PARAM 0x6a80
+/* this is a custom sw for yubikey */
+#define SW_ERR_INCORRECT_SLOT 0x6b00
+
 /* Yubico vendor specific instructions */
 #define YKPIV_INS_SET_MGMKEY 0xff
 #define YKPIV_INS_IMPORT_KEY 0xfe
diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c
index 65eba49..fdb370a 100644
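Review bot: The new `SW_*` macros in the lib/ykpiv.h hunk are the only unprefixed names in this public header — the neighbouring `YKPIV_INS_GET_DATA` and `YKPIV_INS_SET_MGMKEY` carry the library prefix — and generic names like `SW_SUCCESS` in an installed header are likely to collide with other smart-card code using the same conventional names; `YKPIV_SW_SUCCESS`, `YKPIV_SW_ERR_SECURITY_STATUS` and so on, or moving the table to an internal header, would avoid that. The first comment reads awkwardly; I would write `/* APDU status words (SW1-SW2), see NIST SP 800-73-4 section 5.6 */`. The `/* this is a custom sw for yubikey */` comment on `0x6b00` looks inaccurate: as far as I know 6B00 is the ISO 7816-4 "wrong parameter(s) P1-P2" status, and `SW_ERR_INCORRECT_SLOT` encodes how this code interprets it (the slot is carried in P2) rather than a YubiKey-specific word, which is what the comment should say. The 61xx and 63Cx status classes that lib/ykpiv.c still tests with bare numbers are also missing from the table.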
--- a/tool/yubico-piv-tool.c
+++ b/tool/yubico-piv-tool.c
@@ -168,11 +168,11 @@ static bool generate_key(ykpiv_state *state, const char *slot,
 &recv_len, &sw) != YKPIV_OK) {
 fprintf(stderr, "Failed to communicate.\n");
 goto generate_out;
- } else if(sw != 0x9000) {
+ } else if(sw != SW_SUCCESS) {
 fprintf(stderr, "Failed to generate new key (");
- if(sw == 0x6b00) {
+ if(sw == SW_ERR_INCORRECT_SLOT) {
 fprintf(stderr, "slot not supported?)\n");
- } else if(sw == 0x6a80) {
+ } else if(sw == SW_ERR_INCORRECT_PARAM) {
 if(pin_policy != pin_policy__NULL) {
 fprintf(stderr, "pin policy not supported?)\n");
 } else if(touch_policy != touch_policy__NULL) {
@@ -297,7 +297,7 @@ static bool reset(ykpiv_state *state) {
 /* note: the reset function is only available when both pins are blocked. */
 if(ykpiv_transfer_data(state, templ, NULL, 0, data, &recv_len, &sw) != YKPIV_OK) {
 return false;
- } else if(sw == 0x9000) {
+ } else if(sw == SW_SUCCESS) {
 return true;
 }
 return false;
@@ -320,7 +320,7 @@ static bool set_pin_retries(ykpiv_state *state, int pin_retries, int puk_retries
 
 if(ykpiv_transfer_data(state, templ, NULL, 0, data, &recv_len, &sw) != YKPIV_OK) {
 return false;
- } else if(sw == 0x9000) {
+ } else if(sw == SW_SUCCESS) {
 return true;
 }
 return false;
@@ -1676,7 +1676,7 @@ static bool attest(ykpiv_state *state, const char *slot,
 if(ykpiv_transfer_data(state, templ, NULL, 0, data, &len, &sw) != YKPIV_OK) {
 fprintf(stderr, "Failed to communicate.\n");
 goto attest_out;
- } else if(sw != 0x9000) {
+ } else if(sw != SW_SUCCESS) {
 fprintf(stderr, "Failed to attest key.\n");
 goto attest_out;
 }