yubico-piv-tool: Switch to ykpiv_set_pin_retries()
This commit is contained in:
+1
-1
@@ -589,7 +589,7 @@ START_TEST(test_reset) {
|
|||||||
test_authenticate(0);
|
test_authenticate(0);
|
||||||
res = ykpiv_verify(g_state, "123456", NULL);
|
res = ykpiv_verify(g_state, "123456", NULL);
|
||||||
ck_assert_int_eq(res, YKPIV_OK);
|
ck_assert_int_eq(res, YKPIV_OK);
|
||||||
res = ykpiv_set_pin_retries(g_state, 8);
|
res = ykpiv_set_pin_retries(g_state, 8, 3);
|
||||||
ck_assert_int_eq(res, YKPIV_OK);
|
ck_assert_int_eq(res, YKPIV_OK);
|
||||||
|
|
||||||
// Block and reset again, verifying increased PIN retries
|
// Block and reset again, verifying increased PIN retries
|
||||||
|
|||||||
+13
-5
@@ -963,28 +963,36 @@ ykpiv_rc ykpiv_get_pin_retries(ykpiv_state *state, int* tries) {
|
|||||||
if (NULL == state || NULL == tries) {
|
if (NULL == state || NULL == tries) {
|
||||||
return YKPIV_ARGUMENT_ERROR;
|
return YKPIV_ARGUMENT_ERROR;
|
||||||
}
|
}
|
||||||
|
// Force a re-select to unverify, because once verified the spec dictates that
|
||||||
|
// subsequent verify calls will return a "verification not needed" instead of
|
||||||
|
// the number of tries left...
|
||||||
res = _ykpiv_select_application(state);
|
res = _ykpiv_select_application(state);
|
||||||
|
if (res != YKPIV_OK) return res;
|
||||||
ykrc = ykpiv_verify(state, NULL, tries);
|
ykrc = ykpiv_verify(state, NULL, tries);
|
||||||
// WRONG_PIN is expected on successful query.
|
// WRONG_PIN is expected on successful query.
|
||||||
return ykrc == YKPIV_WRONG_PIN ? YKPIV_OK : ykrc;
|
return ykrc == YKPIV_WRONG_PIN ? YKPIV_OK : ykrc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
ykpiv_rc ykpiv_set_pin_retries(ykpiv_state *state, const int tries) {
|
ykpiv_rc ykpiv_set_pin_retries(ykpiv_state *state, int pin_tries, int puk_tries) {
|
||||||
ykpiv_rc res = YKPIV_OK;
|
ykpiv_rc res = YKPIV_OK;
|
||||||
unsigned char templ[] = {0, YKPIV_INS_SET_PIN_RETRIES, (unsigned char)tries, YKPIV_RETRIES_DEFAULT};
|
unsigned char templ[] = {0, YKPIV_INS_SET_PIN_RETRIES, 0, 0};
|
||||||
unsigned char data[0xff];
|
unsigned char data[0xff];
|
||||||
unsigned long recv_len = sizeof(data);
|
unsigned long recv_len = sizeof(data);
|
||||||
int sw = 0;
|
int sw = 0;
|
||||||
|
|
||||||
if (0 == tries) {
|
// Special case: if either retry count is 0, it's a successful no-op
|
||||||
//zero value means no change in retry count according to minidriver spec
|
if (pin_tries == 0 || puk_tries == 0) {
|
||||||
return YKPIV_OK;
|
return YKPIV_OK;
|
||||||
}
|
}
|
||||||
if (tries > YKPIV_RETRIES_MAX || tries < 1) {
|
|
||||||
|
if (pin_tries > 0xff || puk_tries > 0xff || pin_tries < 1 || puk_tries < 1) {
|
||||||
return YKPIV_RANGE_ERROR;
|
return YKPIV_RANGE_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
templ[2] = (unsigned char)pin_tries;
|
||||||
|
templ[3] = (unsigned char)puk_tries;
|
||||||
|
|
||||||
res = ykpiv_transfer_data(state, templ, NULL, 0, data, &recv_len, &sw);
|
res = ykpiv_transfer_data(state, templ, NULL, 0, data, &recv_len, &sw);
|
||||||
if (YKPIV_OK == res) {
|
if (YKPIV_OK == res) {
|
||||||
if (SW_SUCCESS == sw) {
|
if (SW_SUCCESS == sw) {
|
||||||
|
|||||||
+4
-1
@@ -122,8 +122,10 @@ extern "C"
|
|||||||
const unsigned char *qinv, size_t qinv_len,
|
const unsigned char *qinv, size_t qinv_len,
|
||||||
const unsigned char *ec_data, unsigned char ec_data_len,
|
const unsigned char *ec_data, unsigned char ec_data_len,
|
||||||
const unsigned char pin_policy, const unsigned char touch_policy);
|
const unsigned char pin_policy, const unsigned char touch_policy);
|
||||||
|
// TREV TODO: document that this only works when NOT verified, as per spec (NIST SP 800-73-3 part 2 page 11)
|
||||||
ykpiv_rc ykpiv_get_pin_retries(ykpiv_state *state, int* tries);
|
ykpiv_rc ykpiv_get_pin_retries(ykpiv_state *state, int* tries);
|
||||||
ykpiv_rc ykpiv_set_pin_retries(ykpiv_state *state, const int tries);
|
// TREV TODO: document that 0 == successful no-op.
|
||||||
|
ykpiv_rc ykpiv_set_pin_retries(ykpiv_state *state, int pin_tries, int puk_tries);
|
||||||
|
|
||||||
#define YKPIV_ALGO_TAG 0x80
|
#define YKPIV_ALGO_TAG 0x80
|
||||||
#define YKPIV_ALGO_3DES 0x03
|
#define YKPIV_ALGO_3DES 0x03
|
||||||
@@ -203,6 +205,7 @@ extern "C"
|
|||||||
#define YKPIV_INS_AUTHENTICATE 0x87
|
#define YKPIV_INS_AUTHENTICATE 0x87
|
||||||
#define YKPIV_INS_GET_DATA 0xcb
|
#define YKPIV_INS_GET_DATA 0xcb
|
||||||
#define YKPIV_INS_PUT_DATA 0xdb
|
#define YKPIV_INS_PUT_DATA 0xdb
|
||||||
|
// TREV TODO: why aren't all of them here? ex: select app (0xa4)
|
||||||
|
|
||||||
/* sw is status words, see NIST special publication 800-73-4, section 5.6 */
|
/* sw is status words, see NIST special publication 800-73-4, section 5.6 */
|
||||||
#define SW_SUCCESS 0x9000
|
#define SW_SUCCESS 0x9000
|
||||||
|
|||||||
+6
-16
@@ -257,26 +257,16 @@ static bool reset(ykpiv_state *state) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
static bool set_pin_retries(ykpiv_state *state, int pin_retries, int puk_retries, int verbose) {
|
static bool set_pin_retries(ykpiv_state *state, int pin_retries, int puk_retries, int verbose) {
|
||||||
unsigned char templ[] = {0, YKPIV_INS_SET_PIN_RETRIES, pin_retries, puk_retries};
|
ykpiv_rc res;
|
||||||
unsigned char data[0xff];
|
|
||||||
unsigned long recv_len = sizeof(data);
|
|
||||||
int sw;
|
|
||||||
|
|
||||||
if(pin_retries > 0xff || puk_retries > 0xff || pin_retries < 1 || puk_retries < 1) {
|
|
||||||
fprintf(stderr, "pin and puk retries must be between 1 and 255.\n");
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
if(verbose) {
|
if(verbose) {
|
||||||
fprintf(stderr, "Setting pin retries to %d and puk retries to %d.\n", pin_retries, puk_retries);
|
fprintf(stderr, "Setting pin retries to %d and puk retries to %d.\n", pin_retries, puk_retries);
|
||||||
}
|
}
|
||||||
|
res = ykpiv_set_pin_retries(state, pin_retries, puk_retries);
|
||||||
if(ykpiv_transfer_data(state, templ, NULL, 0, data, &recv_len, &sw) != YKPIV_OK) {
|
if (res == YKPIV_RANGE_ERROR) {
|
||||||
return false;
|
fprintf(stderr, "pin and puk retries must be between 1 and 255.\n");
|
||||||
} else if(sw == SW_SUCCESS) {
|
|
||||||
return true;
|
|
||||||
}
|
}
|
||||||
return false;
|
return res == YKPIV_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool import_key(ykpiv_state *state, enum enum_key_format key_format,
|
static bool import_key(ykpiv_state *state, enum enum_key_format key_format,
|
||||||
@@ -1812,7 +1802,7 @@ int main(int argc, char *argv[]) {
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case action_arg_pinMINUS_retries:
|
case action_arg_pinMINUS_retries:
|
||||||
if(!args_info.pin_retries_arg || !args_info.puk_retries_arg) {
|
if(!args_info.pin_retries_given || !args_info.puk_retries_given) {
|
||||||
fprintf(stderr, "The '%s' action needs both --pin-retries and --puk-retries arguments.\n",
|
fprintf(stderr, "The '%s' action needs both --pin-retries and --puk-retries arguments.\n",
|
||||||
cmdline_parser_action_values[action]);
|
cmdline_parser_action_values[action]);
|
||||||
return EXIT_FAILURE;
|
return EXIT_FAILURE;
|
||||||
|
|||||||
Reference in New Issue
Block a user