yubico-piv-tool: Switch to ykpiv_set_pin_retries()

This commit is contained in:
Trevor Bentley
2017-09-13 15:55:55 +02:00
parent ec8e2786e6
commit 8135a55200
4 changed files with 24 additions and 23 deletions
+1 -1
View File
@@ -589,7 +589,7 @@ START_TEST(test_reset) {
test_authenticate(0);
res = ykpiv_verify(g_state, "123456", NULL);
ck_assert_int_eq(res, YKPIV_OK);
res = ykpiv_set_pin_retries(g_state, 8);
res = ykpiv_set_pin_retries(g_state, 8, 3);
ck_assert_int_eq(res, YKPIV_OK);
// Block and reset again, verifying increased PIN retries
+13 -5
View File
@@ -963,28 +963,36 @@ ykpiv_rc ykpiv_get_pin_retries(ykpiv_state *state, int* tries) {
if (NULL == state || NULL == tries) {
return YKPIV_ARGUMENT_ERROR;
}
// Force a re-select to unverify, because once verified the spec dictates that
// subsequent verify calls will return a "verification not needed" instead of
// the number of tries left...
res = _ykpiv_select_application(state);
if (res != YKPIV_OK) return res;
ykrc = ykpiv_verify(state, NULL, tries);
// WRONG_PIN is expected on successful query.
return ykrc == YKPIV_WRONG_PIN ? YKPIV_OK : ykrc;
}
ykpiv_rc ykpiv_set_pin_retries(ykpiv_state *state, const int tries) {
ykpiv_rc ykpiv_set_pin_retries(ykpiv_state *state, int pin_tries, int puk_tries) {
ykpiv_rc res = YKPIV_OK;
unsigned char templ[] = {0, YKPIV_INS_SET_PIN_RETRIES, (unsigned char)tries, YKPIV_RETRIES_DEFAULT};
unsigned char templ[] = {0, YKPIV_INS_SET_PIN_RETRIES, 0, 0};
unsigned char data[0xff];
unsigned long recv_len = sizeof(data);
int sw = 0;
if (0 == tries) {
//zero value means no change in retry count according to minidriver spec
// Special case: if either retry count is 0, it's a successful no-op
if (pin_tries == 0 || puk_tries == 0) {
return YKPIV_OK;
}
if (tries > YKPIV_RETRIES_MAX || tries < 1) {
if (pin_tries > 0xff || puk_tries > 0xff || pin_tries < 1 || puk_tries < 1) {
return YKPIV_RANGE_ERROR;
}
templ[2] = (unsigned char)pin_tries;
templ[3] = (unsigned char)puk_tries;
res = ykpiv_transfer_data(state, templ, NULL, 0, data, &recv_len, &sw);
if (YKPIV_OK == res) {
if (SW_SUCCESS == sw) {
+4 -1
View File
@@ -122,8 +122,10 @@ extern "C"
const unsigned char *qinv, size_t qinv_len,
const unsigned char *ec_data, unsigned char ec_data_len,
const unsigned char pin_policy, const unsigned char touch_policy);
// TREV TODO: document that this only works when NOT verified, as per spec (NIST SP 800-73-3 part 2 page 11)
ykpiv_rc ykpiv_get_pin_retries(ykpiv_state *state, int* tries);
ykpiv_rc ykpiv_set_pin_retries(ykpiv_state *state, const int tries);
// TREV TODO: document that 0 == successful no-op.
ykpiv_rc ykpiv_set_pin_retries(ykpiv_state *state, int pin_tries, int puk_tries);
#define YKPIV_ALGO_TAG 0x80
#define YKPIV_ALGO_3DES 0x03
@@ -203,6 +205,7 @@ extern "C"
#define YKPIV_INS_AUTHENTICATE 0x87
#define YKPIV_INS_GET_DATA 0xcb
#define YKPIV_INS_PUT_DATA 0xdb
// TREV TODO: why aren't all of them here? ex: select app (0xa4)
/* sw is status words, see NIST special publication 800-73-4, section 5.6 */
#define SW_SUCCESS 0x9000
+6 -16
View File
@@ -257,26 +257,16 @@ static bool reset(ykpiv_state *state) {
}
static bool set_pin_retries(ykpiv_state *state, int pin_retries, int puk_retries, int verbose) {
unsigned char templ[] = {0, YKPIV_INS_SET_PIN_RETRIES, pin_retries, puk_retries};
unsigned char data[0xff];
unsigned long recv_len = sizeof(data);
int sw;
if(pin_retries > 0xff || puk_retries > 0xff || pin_retries < 1 || puk_retries < 1) {
fprintf(stderr, "pin and puk retries must be between 1 and 255.\n");
return false;
}
ykpiv_rc res;
if(verbose) {
fprintf(stderr, "Setting pin retries to %d and puk retries to %d.\n", pin_retries, puk_retries);
}
if(ykpiv_transfer_data(state, templ, NULL, 0, data, &recv_len, &sw) != YKPIV_OK) {
return false;
} else if(sw == SW_SUCCESS) {
return true;
res = ykpiv_set_pin_retries(state, pin_retries, puk_retries);
if (res == YKPIV_RANGE_ERROR) {
fprintf(stderr, "pin and puk retries must be between 1 and 255.\n");
}
return false;
return res == YKPIV_OK;
}
static bool import_key(ykpiv_state *state, enum enum_key_format key_format,
@@ -1812,7 +1802,7 @@ int main(int argc, char *argv[]) {
}
break;
case action_arg_pinMINUS_retries:
if(!args_info.pin_retries_arg || !args_info.puk_retries_arg) {
if(!args_info.pin_retries_given || !args_info.puk_retries_given) {
fprintf(stderr, "The '%s' action needs both --pin-retries and --puk-retries arguments.\n",
cmdline_parser_action_values[action]);
return EXIT_FAILURE;