yubico-piv-tool: Switch to ykpiv_set_pin_retries()
This commit is contained in:
+1
-1
@@ -589,7 +589,7 @@ START_TEST(test_reset) {
|
||||
test_authenticate(0);
|
||||
res = ykpiv_verify(g_state, "123456", NULL);
|
||||
ck_assert_int_eq(res, YKPIV_OK);
|
||||
res = ykpiv_set_pin_retries(g_state, 8);
|
||||
res = ykpiv_set_pin_retries(g_state, 8, 3);
|
||||
ck_assert_int_eq(res, YKPIV_OK);
|
||||
|
||||
// Block and reset again, verifying increased PIN retries
|
||||
|
||||
+13
-5
@@ -963,28 +963,36 @@ ykpiv_rc ykpiv_get_pin_retries(ykpiv_state *state, int* tries) {
|
||||
if (NULL == state || NULL == tries) {
|
||||
return YKPIV_ARGUMENT_ERROR;
|
||||
}
|
||||
// Force a re-select to unverify, because once verified the spec dictates that
|
||||
// subsequent verify calls will return a "verification not needed" instead of
|
||||
// the number of tries left...
|
||||
res = _ykpiv_select_application(state);
|
||||
if (res != YKPIV_OK) return res;
|
||||
ykrc = ykpiv_verify(state, NULL, tries);
|
||||
// WRONG_PIN is expected on successful query.
|
||||
return ykrc == YKPIV_WRONG_PIN ? YKPIV_OK : ykrc;
|
||||
}
|
||||
|
||||
|
||||
ykpiv_rc ykpiv_set_pin_retries(ykpiv_state *state, const int tries) {
|
||||
ykpiv_rc ykpiv_set_pin_retries(ykpiv_state *state, int pin_tries, int puk_tries) {
|
||||
ykpiv_rc res = YKPIV_OK;
|
||||
unsigned char templ[] = {0, YKPIV_INS_SET_PIN_RETRIES, (unsigned char)tries, YKPIV_RETRIES_DEFAULT};
|
||||
unsigned char templ[] = {0, YKPIV_INS_SET_PIN_RETRIES, 0, 0};
|
||||
unsigned char data[0xff];
|
||||
unsigned long recv_len = sizeof(data);
|
||||
int sw = 0;
|
||||
|
||||
if (0 == tries) {
|
||||
//zero value means no change in retry count according to minidriver spec
|
||||
// Special case: if either retry count is 0, it's a successful no-op
|
||||
if (pin_tries == 0 || puk_tries == 0) {
|
||||
return YKPIV_OK;
|
||||
}
|
||||
if (tries > YKPIV_RETRIES_MAX || tries < 1) {
|
||||
|
||||
if (pin_tries > 0xff || puk_tries > 0xff || pin_tries < 1 || puk_tries < 1) {
|
||||
return YKPIV_RANGE_ERROR;
|
||||
}
|
||||
|
||||
templ[2] = (unsigned char)pin_tries;
|
||||
templ[3] = (unsigned char)puk_tries;
|
||||
|
||||
res = ykpiv_transfer_data(state, templ, NULL, 0, data, &recv_len, &sw);
|
||||
if (YKPIV_OK == res) {
|
||||
if (SW_SUCCESS == sw) {
|
||||
|
||||
+4
-1
@@ -122,8 +122,10 @@ extern "C"
|
||||
const unsigned char *qinv, size_t qinv_len,
|
||||
const unsigned char *ec_data, unsigned char ec_data_len,
|
||||
const unsigned char pin_policy, const unsigned char touch_policy);
|
||||
// TREV TODO: document that this only works when NOT verified, as per spec (NIST SP 800-73-3 part 2 page 11)
|
||||
ykpiv_rc ykpiv_get_pin_retries(ykpiv_state *state, int* tries);
|
||||
ykpiv_rc ykpiv_set_pin_retries(ykpiv_state *state, const int tries);
|
||||
// TREV TODO: document that 0 == successful no-op.
|
||||
ykpiv_rc ykpiv_set_pin_retries(ykpiv_state *state, int pin_tries, int puk_tries);
|
||||
|
||||
#define YKPIV_ALGO_TAG 0x80
|
||||
#define YKPIV_ALGO_3DES 0x03
|
||||
@@ -203,6 +205,7 @@ extern "C"
|
||||
#define YKPIV_INS_AUTHENTICATE 0x87
|
||||
#define YKPIV_INS_GET_DATA 0xcb
|
||||
#define YKPIV_INS_PUT_DATA 0xdb
|
||||
// TREV TODO: why aren't all of them here? ex: select app (0xa4)
|
||||
|
||||
/* sw is status words, see NIST special publication 800-73-4, section 5.6 */
|
||||
#define SW_SUCCESS 0x9000
|
||||
|
||||
+6
-16
@@ -257,26 +257,16 @@ static bool reset(ykpiv_state *state) {
|
||||
}
|
||||
|
||||
static bool set_pin_retries(ykpiv_state *state, int pin_retries, int puk_retries, int verbose) {
|
||||
unsigned char templ[] = {0, YKPIV_INS_SET_PIN_RETRIES, pin_retries, puk_retries};
|
||||
unsigned char data[0xff];
|
||||
unsigned long recv_len = sizeof(data);
|
||||
int sw;
|
||||
|
||||
if(pin_retries > 0xff || puk_retries > 0xff || pin_retries < 1 || puk_retries < 1) {
|
||||
fprintf(stderr, "pin and puk retries must be between 1 and 255.\n");
|
||||
return false;
|
||||
}
|
||||
ykpiv_rc res;
|
||||
|
||||
if(verbose) {
|
||||
fprintf(stderr, "Setting pin retries to %d and puk retries to %d.\n", pin_retries, puk_retries);
|
||||
}
|
||||
|
||||
if(ykpiv_transfer_data(state, templ, NULL, 0, data, &recv_len, &sw) != YKPIV_OK) {
|
||||
return false;
|
||||
} else if(sw == SW_SUCCESS) {
|
||||
return true;
|
||||
res = ykpiv_set_pin_retries(state, pin_retries, puk_retries);
|
||||
if (res == YKPIV_RANGE_ERROR) {
|
||||
fprintf(stderr, "pin and puk retries must be between 1 and 255.\n");
|
||||
}
|
||||
return false;
|
||||
return res == YKPIV_OK;
|
||||
}
|
||||
|
||||
static bool import_key(ykpiv_state *state, enum enum_key_format key_format,
|
||||
@@ -1812,7 +1802,7 @@ int main(int argc, char *argv[]) {
|
||||
}
|
||||
break;
|
||||
case action_arg_pinMINUS_retries:
|
||||
if(!args_info.pin_retries_arg || !args_info.puk_retries_arg) {
|
||||
if(!args_info.pin_retries_given || !args_info.puk_retries_given) {
|
||||
fprintf(stderr, "The '%s' action needs both --pin-retries and --puk-retries arguments.\n",
|
||||
cmdline_parser_action_values[action]);
|
||||
return EXIT_FAILURE;
|
||||
|
||||
Reference in New Issue
Block a user