[Cryptech-Commits] [user/sra/pkcs11] 02/03: Debug p11util.

git at cryptech.is git at cryptech.is
Wed Jul 1 23:10:38 UTC 2015


This is an automated email from the git hooks/post-receive script.

sra at hactrn.net pushed a commit to branch master
in repository user/sra/pkcs11.

commit 303152d464631af69c2947631d0629aa31c099b3
Author: Rob Austein <sra at hactrn.net>
Date:   Wed Jul 1 17:34:57 2015 -0400

    Debug p11util.
---
 GNUmakefile                |  2 +-
 p11util.c                  | 32 +++++++++++++++-----------------
 schema.sql                 |  9 ++++++---
 scripts/convert-schema.sed | 10 ++--------
 sql_common.h               |  4 +++-
 5 files changed, 27 insertions(+), 30 deletions(-)

diff --git a/GNUmakefile b/GNUmakefile
index c7e69c3..872930e 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -62,7 +62,7 @@ schema.h: schema.sql scripts/convert-schema.sed GNUmakefile
 attributes.h: attributes.yaml scripts/build-attributes GNUmakefile
 	python scripts/build-attributes attributes.yaml attributes.h
 
-pkcs11.o: pkcs11.c schema.h attributes.h
+pkcs11.o: pkcs11.c sql_common.h schema.h attributes.h
 	${CC} ${CFLAGS} -c $<
 
 pkcs11.so: pkcs11.o ${LIBS}
diff --git a/p11util.c b/p11util.c
index 514422d..7b375f8 100644
--- a/p11util.c
+++ b/p11util.c
@@ -3,12 +3,7 @@
  * things like setting PINs.
  */
 
-/*
- * Apparently getopt_long() works everywhere we're likely to care
- * about.  At least, we've been getting away with it for years in
- * rcynic.  rcynic.c has code to wrap option and usage stuff using
- * getopt_long(), proably just reuse that.
- */
+#define _POSIX_SOURCE
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -86,20 +81,20 @@ static int getpin_tty(const char *prompt,
   OPT_FLG('s', "set-so-pin",     "set Security Officer PIN")			\
   OPT_FLG('u', "set-user-pin",	 "set \"user\" PIN")				\
   OPT_ARG('i', "set-iterations", "set PBKDF2 iteration count")			\
-  OPT_ARG('p', "pin-from-stdin", "read PIN from stdin instead of /dev/tty")	\
+  OPT_FLG('p', "pin-from-stdin", "read PIN from stdin instead of /dev/tty")	\
   OPT_END
 
 #define OPT_END
 
-static void usage (const int code, const char *jane)
+static void usage(const int code, const char *jane)
 {
   assert(jane != NULL);
   FILE *f = code ? stderr : stdout;
 
   fprintf(f, "usage: %s [options]\noptions:\n", jane);
 
-#define OPT_FLG(_short_, _long_, _help_)  fprintf(f, "  -%c      --%-32s%s", _short_, _long_, _help_);
-#define OPT_ARG(_short_, _long_, _help_)  fprintf(f, "  -%c ARG  --%-32s%s", _short_, _long_ " ARG", _help_);
+#define OPT_FLG(_short_, _long_, _help_)  fprintf(f, "  -%c      --%-32s%s\n", _short_, _long_, _help_);
+#define OPT_ARG(_short_, _long_, _help_)  fprintf(f, "  -%c ARG  --%-32s%s\n", _short_, _long_ " ARG", _help_);
   OPTIONS;
 #undef OPT_ARG
 #undef OPT_FLG
@@ -107,12 +102,12 @@ static void usage (const int code, const char *jane)
   exit(code);
 }
 
-static void parse_args (int argc, char *argv[],
-			int *do_set_so_pin,
-			int *do_set_user_pin,
-			int *do_set_iterations,
-			int *read_from_stdin,
-			unsigned long *iterations)
+static void parse_args(int argc, char *argv[],
+		       int *do_set_so_pin,
+		       int *do_set_user_pin,
+		       int *do_set_iterations,
+		       int *read_from_stdin,
+		       unsigned long *iterations)
 {
   char *endptr;
   int c;
@@ -134,6 +129,9 @@ static void parse_args (int argc, char *argv[],
 	 read_from_stdin != NULL && iterations != NULL);
   opterr = 0;
 
+  if (argc == 1)
+    usage(0, argv[0]);
+
   while ((c = getopt_long(argc, argv, short_opts, long_opts, NULL)) > 0) {
     switch (c) {
 
@@ -270,7 +268,7 @@ static int set_pin(const char * const pin_type, const int read_from_stdin)
   return ok;
 }
 
-int main (int argc, char *argv[])
+int main(int argc, char *argv[])
 {
   int do_set_so_pin = 0, do_set_user_pin = 0, do_set_iterations = 0, read_from_stdin = 0;
   unsigned long iterations;
diff --git a/schema.sql b/schema.sql
index 0ff5562..aaf2b21 100644
--- a/schema.sql
+++ b/schema.sql
@@ -84,14 +84,17 @@ CREATE TABLE IF NOT EXISTS global (
        -- Numeric minima for PBKDF2 iterations, length of PIN, and
        -- length of PBKDF2 salt are somewhat arbitrary, and will
        -- probably change over time (which is why they are minima).
-       -- Feel free to suggest better minima.
+       -- Initial testing was with 100000, which takes about 8 seconds
+       -- on a Novena with the current SHA256 and PBKDF2
+       -- implementation, which seems a bit slow, so backed that down
+       -- a bit.  Feel free to suggest better minima.
 
-       pbkdf2_iterations        INTEGER NOT NULL DEFAULT 100000,
+       pbkdf2_iterations        INTEGER NOT NULL DEFAULT 20000,
        so_pin                   BLOB,
        user_pin                 BLOB,
        so_pin_salt,             BLOB,
        user_pin_salt            BLOB,
-       CHECK ((pbkdf2_iterations >= 100000)                                                               AND
+       CHECK ((pbkdf2_iterations >= 10000)                                                                AND
               (so_pin        IS NULL OR (typeof(so_pin)        = "blob" AND length(so_pin)        >= 32)) AND
               (user_pin      IS NULL OR (typeof(user_pin)      = "blob" AND length(user_pin)      >= 32)) AND
               (so_pin_salt   IS NULL OR (typeof(so_pin_salt)   = "blob" AND length(so_pin_salt)   >= 16)) AND
diff --git a/scripts/convert-schema.sed b/scripts/convert-schema.sed
index 55aaadc..f8874b3 100644
--- a/scripts/convert-schema.sed
+++ b/scripts/convert-schema.sed
@@ -56,11 +56,5 @@ s/[ 	]*$//
 s/\\/\\\\/g
 s/"/\\"/g
 
-# Quote each line of text.  Literal transcription would be:
-#
-#   s/^.*$/"&\\n"/
-#
-# but SQL doesn't need the line breaks, so we can use
-# whitespace to generate something a bit more readable.
-#
-s/^.*$/" &"/
+# Quote each line of text.
+s/^.*$/" &" "\\n"/
diff --git a/sql_common.h b/sql_common.h
index 8f1844b..1e55322 100644
--- a/sql_common.h
+++ b/sql_common.h
@@ -50,10 +50,12 @@
 
 /*
  * Placeholders for PIN length limits.  Figure out real values later.
+ * Minimum length here is much too short, we allow it for now because
+ * some test programs fail if we insist on a reasonable length.
  */
 
 #warning Figure out PIN length limits
-#define P11_MIN_PIN_LENGTH      16
+#define P11_MIN_PIN_LENGTH      4
 #define P11_MAX_PIN_LENGTH      4096
 
 /*



More information about the Commits mailing list