[Cryptech-Commits] [sw/pkcs11] 02/02: Track PIN changes on libhal master branch.

git at cryptech.is git at cryptech.is
Thu May 26 04:13:00 UTC 2016


This is an automated email from the git hooks/post-receive script.

sra at hactrn.net pushed a commit to branch rpc
in repository sw/pkcs11.

commit 079d5ffc207fc2609b9293f9efe4781bed493ee0
Author: Rob Austein <sra at hactrn.net>
AuthorDate: Wed May 25 22:44:42 2016 -0400

    Track PIN changes on libhal master branch.
---
 GNUmakefile   |  10 +++--
 p11_common.h  |  61 ---------------------------
 p11util.c     | 129 ++++++++++++++++++++++++++++++++++++++++++++--------------
 pkcs11.c      |   5 +--
 unit_tests.py |   7 +++-
 5 files changed, 112 insertions(+), 100 deletions(-)

diff --git a/GNUmakefile b/GNUmakefile
index dc41be5..212409a 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -96,7 +96,7 @@ attributes.h: attributes.yaml scripts/build-attributes GNUmakefile
 py11/attribute_map.py: attributes.yaml scripts/build-py11-attributes GNUmakefile
 	python scripts/build-py11-attributes attributes.yaml py11/attribute_map.py
 
-pkcs11.o: pkcs11.c p11_common.h schema.h attributes.h
+pkcs11.o: pkcs11.c schema.h attributes.h
 	${CC} ${CFLAGS} -c $<
 
 pkcs11.so: pkcs11.o ${LIBS}
@@ -105,7 +105,7 @@ pkcs11.so: pkcs11.o ${LIBS}
 libpkcs11.so: pkcs11.so
 	${OBJCOPY} -w -G 'C_*' $< $@
 
-p11util.o: p11util.c p11_common.h schema.h
+p11util.o: p11util.c schema.h
 	${CC} ${CFLAGS} -c $<
 
 p11util: p11util.o ${LIBS}
@@ -145,11 +145,13 @@ ifneq "${HSMBULLY}" ""
 		sudo CRYPTECH_KEYSTORE=${HSMBULLY_KS_SERVER} ${HSMBULLY_SERVER_BIN} & \
 		pid=$$!; \
 		sleep 5; \
-		(echo fnord; echo fnord) | CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ./p11util --set-so-pin --set-user-pin --pin-from-stdin; \
+		(echo YouReallyNeedToChangeThisPINRightNowWeAreNotKidding; echo fnord; echo fnord) | \
+		CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ./p11util --set-so-pin --set-user-pin --pin-from-stdin; \
 		PKCS11_DATABASE=${HSMBULLY_DATABASE} CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ${HSMBULLY} ${HSMBULLY_OPTIONS}; \
 		sudo kill $$pid; \
 	else \
-		(echo fnord; echo fnord) | sudo CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ./p11util --set-so-pin --set-user-pin --pin-from-stdin; \
+		(echo YouReallyNeedToChangeThisPINRightNowWeAreNotKidding; echo fnord; echo fnord) | \
+		sudo CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ./p11util --set-so-pin --set-user-pin --pin-from-stdin; \
 		sudo PKCS11_DATABASE=${HSMBULLY_DATABASE} CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ${HSMBULLY} ${HSMBULLY_OPTIONS}; \
 	fi; \
 	sudo rm -f ${HSMBULLY_DATABASE} ${HSMBULLY_DATABASE}-journal ${HSMBULLY_KS_CLIENT} ${HSMBULLY_KS_SERVER}
diff --git a/p11_common.h b/p11_common.h
deleted file mode 100644
index 898e087..0000000
--- a/p11_common.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * p11_common.h
- * ------------
- *
- * Common definitions and SQL support code for Cryptech PKCS #11 engine.
- *
- * We could split the functions out of this into a separate .c file,
- * but there's no real point in doing so, and it's simpler to keep it
- * all in one file, the build process is complex enough already.
- *
- * Author: Rob Austein
- * Copyright (c) 2015, NORDUnet A/S
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are
- * met:
- * - Redistributions of source code must retain the above copyright notice,
- *   this list of conditions and the following disclaimer.
- *
- * - Redistributions in binary form must reproduce the above copyright
- *   notice, this list of conditions and the following disclaimer in the
- *   documentation and/or other materials provided with the distribution.
- *
- * - Neither the name of the NORDUnet nor the names of its contributors may
- *   be used to endorse or promote products derived from this software
- *   without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
- * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef _P11_COMMON_H_
-#define _P11_COMMON_H_
-
-/*
- * Placeholders for PIN length limits.  Figure out real values later.
- * Minimum length here is much too short, we allow it for now because
- * some test programs fail if we insist on a reasonable length.
- */
-
-#warning Figure out PIN length limits
-#define P11_MIN_PIN_LENGTH      4
-#define P11_MAX_PIN_LENGTH      4096
-
-#endif /* _P11_COMMON_H_ */
-
-/*
- * Local variables:
- * indent-tabs-mode: nil
- * End:
- */
diff --git a/p11util.c b/p11util.c
index db36888..09f1e44 100644
--- a/p11util.c
+++ b/p11util.c
@@ -47,8 +47,6 @@
 
 #include <hal.h>
 
-#include "p11_common.h"
-
 /*
  * Apparently the cool kids don't use getpassword() anymore, and there
  * is no fully portable replacement, so the advice is just to roll
@@ -116,6 +114,7 @@ static int getpin_tty(const char *prompt,
   OPT_FLG('u', "set-user-pin",   "set \"user\" PIN")                            \
   OPT_FLG('w', "set-wheel-pin",  "set \"wheel\" PIN")                           \
   OPT_FLG('p', "pin-from-stdin", "read PIN from stdin instead of /dev/tty")     \
+  OPT_FLG('S', "login-as-so",    "login as Security Officer")                   \
   OPT_END
 
 #define OPT_END
@@ -137,10 +136,11 @@ static void usage(const int code, const char *jane)
 }
 
 static void parse_args(int argc, char *argv[],
-                       int *do_set_so_pin,
-                       int *do_set_user_pin,
-                       int *do_set_wheel_pin,
-                       int *read_from_stdin)
+                       int *set_so_pin,
+                       int *set_user_pin,
+                       int *set_wheel_pin,
+                       int *read_from_stdin,
+                       int *login_as_so)
 {
   int c;
 
@@ -156,7 +156,7 @@ static void parse_args(int argc, char *argv[],
 #undef OPT_ARG
 #undef OPT_FLG
 
-  assert(argv && do_set_so_pin && do_set_user_pin && do_set_wheel_pin && read_from_stdin);
+  assert(argv && set_so_pin && set_user_pin && set_wheel_pin && read_from_stdin && login_as_so);
   opterr = 0;
 
   if (argc == 1)
@@ -173,15 +173,19 @@ static void parse_args(int argc, char *argv[],
       continue;
 
     case 's':
-      *do_set_so_pin = 1;
+      *set_so_pin = 1;
       continue;
 
     case 'u':
-      *do_set_user_pin = 1;
+      *set_user_pin = 1;
       continue;
 
     case 'w':
-      *do_set_wheel_pin = 1;
+      *set_wheel_pin = 1;
+      continue;
+
+    case 'S':
+      *login_as_so = 1;
       continue;
 
     default:
@@ -198,22 +202,22 @@ static void parse_args(int argc, char *argv[],
 static int set_pin(const hal_user_t user, const int read_from_stdin)
 {
   const char *prompt = NULL, *label = NULL;
-  char pin[P11_MAX_PIN_LENGTH + 1], *p;
+  char pin[hal_rpc_max_pin_length + 1], *p;
 
   switch (user) {
 
   case HAL_USER_NORMAL:
-    prompt = "Enter user PIN: ";
+    prompt = "Enter new user PIN: ";
     label  = "user";
     break;
 
   case HAL_USER_SO:
-    prompt = "Enter SO PIN: ";
+    prompt = "Enter new SO PIN: ";
     label  = "SO";
     break;
 
   case HAL_USER_WHEEL:
-    prompt = "Enter wheel PIN: ";
+    prompt = "Enter new wheel PIN: ";
     label  = "wheel";
     break;
 
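Review bot: `char pin[hal_rpc_max_pin_length + 1]` in set_pin() is presumably now a variable-length array, since the lowercase name and the `(unsigned long)` / `(CK_ULONG)` casts elsewhere in this commit suggest that hal_rpc_max_pin_length is a libhal object rather than a macro. The size of a stack buffer holding a secret would then be set at run time by the library, and VLAs are an optional feature in C11. A fixed local upper bound, plus a check that the libhal limit fits within it, would keep the buffer size a compile-time constant; at minimum add a comment such as `/* VLA: size comes from libhal at run time */`. The same declaration appears in the new login() in a later hunk, and set_pin's body continues outside this hunk.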
@@ -237,11 +241,11 @@ static int set_pin(const hal_user_t user, const int read_from_stdin)
 
   const size_t len = strlen(pin);
 
-  if (len < P11_MIN_PIN_LENGTH || len > P11_MAX_PIN_LENGTH) {
+  if (len < hal_rpc_min_pin_length || len > hal_rpc_max_pin_length) {
     fprintf(stderr, "Unacceptable length %lu for %s PIN, allowed range [%lu, %lu]\n",
             (unsigned long) len, label,
-            (unsigned long) P11_MIN_PIN_LENGTH,
-            (unsigned long) P11_MAX_PIN_LENGTH);
+            (unsigned long) hal_rpc_min_pin_length,
+            (unsigned long) hal_rpc_max_pin_length);
     memset(pin, 0, sizeof(pin));
     return 0;
   }
@@ -260,31 +264,96 @@ static int set_pin(const hal_user_t user, const int read_from_stdin)
   return 1;
 }
 
+static int login(const int login_as_so, const int read_from_stdin)
+{
+  const hal_user_t user = login_as_so ? HAL_USER_SO : HAL_USER_WHEEL;
+  const hal_client_handle_t client = {HAL_HANDLE_NONE};
+  char pin[hal_rpc_max_pin_length + 1], *p;
+  const char *prompt = NULL;
+
+  switch (user) {
+
+  case HAL_USER_SO:
+    prompt = "Enter current SO PIN: ";
+    break;
+
+  case HAL_USER_WHEEL:
+    prompt = "Enter current wheel PIN: ";
+    break;
+
+  default:
+    return 0;
+  }
+
+  if (read_from_stdin) {
+    if (fgets(pin, sizeof(pin), stdin) == NULL) {
+      perror("Couldn't read PIN");
+      return 0;
+    }
+    if ((p = strchr(pin, '\n')) != NULL)
+      *p = '\0';
+  }
+
+  else {
+    if (!getpin_tty(prompt, pin, sizeof(pin)))
+      return 0;
+  }
+
+  const hal_error_t err = hal_rpc_login(client, user, pin, strlen(pin));
+
+  if (err != HAL_OK)
+    fprintf(stderr, "Couldn't log in: %s\n", hal_error_string(err));
+
+  memset(pin, 0, sizeof(pin));
+
+  return err == HAL_OK;
+}
+
 

 
 int main(int argc, char *argv[])
 {
-  int do_set_so_pin = 0, do_set_user_pin = 0, do_set_wheel_pin = 0, read_from_stdin = 0;
+  int set_so_pin = 0, set_user_pin = 0, set_wheel_pin = 0, read_from_stdin = 0, login_as_so = 0;
   hal_error_t err;
+  int ok = 0;
+
+  parse_args(argc, argv, &set_so_pin, &set_user_pin, &set_wheel_pin, &read_from_stdin, &login_as_so);
+
+  if ((err = hal_rpc_client_init()) != HAL_OK) {
+    fprintf(stderr, "Couldn't initialize RPC: %s\n", hal_error_string(err));
+    goto fail;
+  }
 
-  parse_args(argc, argv, &do_set_so_pin, &do_set_user_pin, &do_set_wheel_pin, &read_from_stdin);
+  if (!login(login_as_so, read_from_stdin)) {
+    fprintf(stderr, "Couldn't log in\n");
+    goto fail;
+  }
 
-  if ((err = hal_rpc_client_init()) != HAL_OK)
-    return fprintf(stderr, "Couldn't initialize RPC: %s\n", hal_error_string(err)), 1;
+  if (set_wheel_pin && !set_pin(HAL_USER_WHEEL, read_from_stdin)) {
+    fprintf(stderr, "Couldn't set wheel PIN\n");
+    goto fail;
+  }
 
-  if (do_set_wheel_pin && !set_pin(HAL_USER_WHEEL, read_from_stdin))
-    return fprintf(stderr, "Couldn't set wheel PIN\n"), 2;
+  if (set_so_pin && !set_pin(HAL_USER_SO, read_from_stdin)) {
+    fprintf(stderr, "Couldn't set SO PIN\n");
+    goto fail;
+  }
+
+  if (set_user_pin && !set_pin(HAL_USER_NORMAL, read_from_stdin)) {
+    fprintf(stderr, "Couldn't set user PIN\n");
+    goto fail;
+  }
 
-  if (do_set_so_pin && !set_pin(HAL_USER_SO, read_from_stdin))
-    return fprintf(stderr, "Couldn't set SO PIN\n"), 3;
+  ok = 1;
 
-  if (do_set_user_pin && !set_pin(HAL_USER_NORMAL, read_from_stdin))
-    return fprintf(stderr, "Couldn't set user PIN\n"), 4;
+ fail:
 
-  if ((err = hal_rpc_client_close()) != HAL_OK)
-    return fprintf(stderr, "Couldn't shut down RPC: %s\n", hal_error_string(err)), 5;
+  if ((err = hal_rpc_client_close()) != HAL_OK) {
+    fprintf(stderr, "Couldn't shut down RPC: %s\n", hal_error_string(err));
+    ok = 0;
+  }
 
-  return 0;
+  return !ok;
 }
 
 /*
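Review bot: The PIN buffer in the new login() is not reliably cleared. The `memset(pin, 0, sizeof(pin))` just before `return err == HAL_OK` is a store to a local that is about to go out of scope, so an optimizing compiler may drop it. The early `return 0` after a failed getpin_tty() skips the wipe altogether, although the buffer may already hold part of the PIN (getpin_tty's body is not in this hunk). Route both exits through one wipe the compiler must keep, for example `explicit_bzero(pin, sizeof(pin));` where the platform provides it, or a loop through a `volatile char *` otherwise. The same memset pattern is visible as context in set_pin() in the preceding hunk.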
diff --git a/pkcs11.c b/pkcs11.c
index 667c3da..dcb418b 100644
--- a/pkcs11.c
+++ b/pkcs11.c
@@ -64,7 +64,6 @@
 #include "pkcs11.h"
 
 #include "attributes.h"
-#include "p11_common.h"
 
 /*
  * This PKCS #11 implementation is hardwired with one slot, the token
@@ -2820,8 +2819,8 @@ CK_RV C_GetTokenInfo(CK_SLOT_ID slotID,
   pInfo->ulSessionCount         = CK_UNAVAILABLE_INFORMATION;
   pInfo->ulMaxRwSessionCount    = CK_EFFECTIVELY_INFINITE;
   pInfo->ulRwSessionCount       = CK_UNAVAILABLE_INFORMATION;
-  pInfo->ulMaxPinLen            = P11_MAX_PIN_LENGTH;
-  pInfo->ulMinPinLen            = P11_MIN_PIN_LENGTH;
+  pInfo->ulMaxPinLen            = (CK_ULONG) hal_rpc_min_pin_length;
+  pInfo->ulMinPinLen            = (CK_ULONG) hal_rpc_max_pin_length;
   pInfo->ulTotalPublicMemory    = CK_UNAVAILABLE_INFORMATION;
   pInfo->ulFreePublicMemory     = CK_UNAVAILABLE_INFORMATION;
   pInfo->ulTotalPrivateMemory   = CK_UNAVAILABLE_INFORMATION;
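Review bot: The two new assignments are swapped: `ulMaxPinLen` receives `hal_rpc_min_pin_length` and `ulMinPinLen` receives `hal_rpc_max_pin_length`. C_GetTokenInfo would therefore report a minimum PIN length larger than the maximum, and a PKCS #11 application that validates PIN length against these fields before calling C_Login or C_SetPIN could reject every PIN. The lines should read `pInfo->ulMaxPinLen = (CK_ULONG) hal_rpc_max_pin_length;` and `pInfo->ulMinPinLen = (CK_ULONG) hal_rpc_min_pin_length;`. The function body starts and ends outside this hunk.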
diff --git a/unit_tests.py b/unit_tests.py
index 27d938a..3c359fb 100644
--- a/unit_tests.py
+++ b/unit_tests.py
@@ -22,6 +22,9 @@ def parse_arguments(argv = ()):
     parser.add_argument("--quiet",      action = "store_true",                          help = "suppress chatter")
     parser.add_argument("--so-pin",     default = "fnord",                              help = "security officer PIN")
     parser.add_argument("--user-pin",   default = "fnord",                              help = "user PIN")
+    parser.add_argument("--wheel-pin",  default = "fnord",                              help = "wheel PIN")
+    parser.add_argument("--initial-pin",                                                help = "initial PIN",
+                        default = "YouReallyNeedToChangeThisPINRightNowWeAreNotKidding")
     parser.add_argument("--slot",       default = 0, type = int,                        help = "slot number")
     parser.add_argument("--libpkcs11",  default = "./libpkcs11.so",                     help = "PKCS #11 library")
     parser.add_argument("--p11util",    default = "./p11util",                          help = "p11util binary")
@@ -66,8 +69,8 @@ def setUpModule():
 
     if not args.quiet:
         print "Setting PINs"
-    Popen((args.p11util, "-sup"), stdin = PIPE).communicate(
-        "{args.so_pin}\n{args.user_pin}\n".format(args = args))
+    Popen((args.p11util, "-wsup"), stdin = PIPE).communicate("".join(pin + "\n" for pin in (
+        args.initial_pin, args.wheel_pin, args.so_pin, args.user_pin)))
 
     if not args.quiet:
         print "Loading PKCS #11 library", args.libpkcs11
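Review bot: The exit status of p11util is dropped in setUpModule(): `Popen(...).communicate(...)` discards the process object, so its return code is never examined. With this commit p11util must first log in with the initial PIN and exits nonzero when login or any PIN change fails, so a failure here lets the test run continue against a token whose PINs were never set. Keep the object and check it after communicate(), e.g. `p = Popen((args.p11util, "-wsup"), stdin = PIPE)` followed by `if p.returncode != 0: raise RuntimeError("p11util failed to set PINs")`. setUpModule's body starts and ends outside this hunk.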


