-rw-r--r--GNUmakefile10
-rw-r--r--p11_common.h61
-rw-r--r--p11util.c129
-rw-r--r--pkcs11.c5
-rw-r--r--unit_tests.py7
5 files changed, 112 insertions, 100 deletions
diff --git a/GNUmakefile b/GNUmakefile
index dc41be5..212409a 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -96,7 +96,7 @@ attributes.h: attributes.yaml scripts/build-attributes GNUmakefile
py11/attribute_map.py: attributes.yaml scripts/build-py11-attributes GNUmakefile
python scripts/build-py11-attributes attributes.yaml py11/attribute_map.py
-pkcs11.o: pkcs11.c p11_common.h schema.h attributes.h
+pkcs11.o: pkcs11.c schema.h attributes.h
${CC} ${CFLAGS} -c $<
pkcs11.so: pkcs11.o ${LIBS}
@@ -105,7 +105,7 @@ pkcs11.so: pkcs11.o ${LIBS}
libpkcs11.so: pkcs11.so
${OBJCOPY} -w -G 'C_*' $< $@
-p11util.o: p11util.c p11_common.h schema.h
+p11util.o: p11util.c schema.h
${CC} ${CFLAGS} -c $<
p11util: p11util.o ${LIBS}
@@ -145,11 +145,13 @@ ifneq "${HSMBULLY}" ""
sudo CRYPTECH_KEYSTORE=${HSMBULLY_KS_SERVER} ${HSMBULLY_SERVER_BIN} & \
pid=$$!; \
sleep 5; \
- (echo fnord; echo fnord) | CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ./p11util --set-so-pin --set-user-pin --pin-from-stdin; \
+ (echo YouReallyNeedToChangeThisPINRightNowWeAreNotKidding; echo fnord; echo fnord) | \
+ CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ./p11util --set-so-pin --set-user-pin --pin-from-stdin; \
PKCS11_DATABASE=${HSMBULLY_DATABASE} CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ${HSMBULLY} ${HSMBULLY_OPTIONS}; \
sudo kill $$pid; \
else \
- (echo fnord; echo fnord) | sudo CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ./p11util --set-so-pin --set-user-pin --pin-from-stdin; \
+ (echo YouReallyNeedToChangeThisPINRightNowWeAreNotKidding; echo fnord; echo fnord) | \
+ sudo CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ./p11util --set-so-pin --set-user-pin --pin-from-stdin; \
sudo PKCS11_DATABASE=${HSMBULLY_DATABASE} CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ${HSMBULLY} ${HSMBULLY_OPTIONS}; \
fi; \
sudo rm -f ${HSMBULLY_DATABASE} ${HSMBULLY_DATABASE}-journal ${HSMBULLY_KS_CLIENT} ${HSMBULLY_KS_SERVER}
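Review bot: The three piped lines only work because of the order in which p11util consumes stdin, and nothing in either branch of this recipe records that order. As main() in p11util.c now reads, the first line is the login PIN (wheel, since the login-as-so flag is not given), followed by one new PIN per set flag in wheel, SO, user order. A comment above the rule would cover it, for example `# p11util --pin-from-stdin reads the login PIN first, then the new SO and user PINs`. The initial-PIN literal appears twice here and again as a default in unit_tests.py, so holding it in a single make variable would keep the copies from drifting.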
diff --git a/p11_common.h b/p11_common.h
deleted file mode 100644
index 898e087..0000000
--- a/p11_common.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * p11_common.h
- * ------------
- *
- * Common definitions and SQL support code for Cryptech PKCS #11 engine.
- *
- * We could split the functions out of this into a separate .c file,
- * but there's no real point in doing so, and it's simpler to keep it
- * all in one file, the build process is complex enough already.
- *
- * Author: Rob Austein
- * Copyright (c) 2015, NORDUnet A/S
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are
- * met:
- * - Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- *
- * - Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * - Neither the name of the NORDUnet nor the names of its contributors may
- * be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
- * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef _P11_COMMON_H_
-#define _P11_COMMON_H_
-
-/*
- * Placeholders for PIN length limits. Figure out real values later.
- * Minimum length here is much too short, we allow it for now because
- * some test programs fail if we insist on a reasonable length.
- */
-
-#warning Figure out PIN length limits
-#define P11_MIN_PIN_LENGTH 4
-#define P11_MAX_PIN_LENGTH 4096
-
-#endif /* _P11_COMMON_H_ */
-
-/*
- * Local variables:
- * indent-tabs-mode: nil
- * End:
- */
diff --git a/p11util.c b/p11util.c
index db36888..09f1e44 100644
--- a/p11util.c
+++ b/p11util.c
@@ -47,8 +47,6 @@
#include <hal.h>
-#include "p11_common.h"
-
/*
* Apparently the cool kids don't use getpassword() anymore, and there
* is no fully portable replacement, so the advice is just to roll
@@ -116,6 +114,7 @@ static int getpin_tty(const char *prompt,
OPT_FLG('u', "set-user-pin", "set \"user\" PIN") \
OPT_FLG('w', "set-wheel-pin", "set \"wheel\" PIN") \
OPT_FLG('p', "pin-from-stdin", "read PIN from stdin instead of /dev/tty") \
+ OPT_FLG('S', "login-as-so", "login as Security Officer") \
OPT_END
#define OPT_END
@@ -137,10 +136,11 @@ static void usage(const int code, const char *jane)
}
static void parse_args(int argc, char *argv[],
- int *do_set_so_pin,
- int *do_set_user_pin,
- int *do_set_wheel_pin,
- int *read_from_stdin)
+ int *set_so_pin,
+ int *set_user_pin,
+ int *set_wheel_pin,
+ int *read_from_stdin,
+ int *login_as_so)
{
int c;
@@ -156,7 +156,7 @@ static void parse_args(int argc, char *argv[],
#undef OPT_ARG
#undef OPT_FLG
- assert(argv && do_set_so_pin && do_set_user_pin && do_set_wheel_pin && read_from_stdin);
+ assert(argv && set_so_pin && set_user_pin && set_wheel_pin && read_from_stdin && login_as_so);
opterr = 0;
if (argc == 1)
@@ -173,15 +173,19 @@ static void parse_args(int argc, char *argv[],
continue;
case 's':
- *do_set_so_pin = 1;
+ *set_so_pin = 1;
continue;
case 'u':
- *do_set_user_pin = 1;
+ *set_user_pin = 1;
continue;
case 'w':
- *do_set_wheel_pin = 1;
+ *set_wheel_pin = 1;
+ continue;
+
+ case 'S':
+ *login_as_so = 1;
continue;
default:
@@ -198,22 +202,22 @@ static void parse_args(int argc, char *argv[],
static int set_pin(const hal_user_t user, const int read_from_stdin)
{
const char *prompt = NULL, *label = NULL;
- char pin[P11_MAX_PIN_LENGTH + 1], *p;
+ char pin[hal_rpc_max_pin_length + 1], *p;
switch (user) {
case HAL_USER_NORMAL:
- prompt = "Enter user PIN: ";
+ prompt = "Enter new user PIN: ";
label = "user";
break;
case HAL_USER_SO:
- prompt = "Enter SO PIN: ";
+ prompt = "Enter new SO PIN: ";
label = "SO";
break;
case HAL_USER_WHEEL:
- prompt = "Enter wheel PIN: ";
+ prompt = "Enter new wheel PIN: ";
label = "wheel";
break;
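Review bot: `char pin[hal_rpc_max_pin_length + 1]` is an ordinary fixed-size array only if `hal_rpc_max_pin_length` is a macro or enum constant; hal.h is not shown here, and if it is a `const` object this declaration becomes a variable-length array on the stack sized by a library value. In that case a fixed local bound that is checked against the library limit, or a heap buffer, would keep stack use predictable and keep `sizeof(pin)` a compile-time constant. The same declaration appears in the new `login()` further down. set_pin's body continues outside this hunk.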
@@ -237,11 +241,11 @@ static int set_pin(const hal_user_t user, const int read_from_stdin)
const size_t len = strlen(pin);
- if (len < P11_MIN_PIN_LENGTH || len > P11_MAX_PIN_LENGTH) {
+ if (len < hal_rpc_min_pin_length || len > hal_rpc_max_pin_length) {
fprintf(stderr, "Unacceptable length %lu for %s PIN, allowed range [%lu, %lu]\n",
(unsigned long) len, label,
- (unsigned long) P11_MIN_PIN_LENGTH,
- (unsigned long) P11_MAX_PIN_LENGTH);
+ (unsigned long) hal_rpc_min_pin_length,
+ (unsigned long) hal_rpc_max_pin_length);
memset(pin, 0, sizeof(pin));
return 0;
}
@@ -260,31 +264,96 @@ static int set_pin(const hal_user_t user, const int read_from_stdin)
return 1;
}
+static int login(const int login_as_so, const int read_from_stdin)
+{
+ const hal_user_t user = login_as_so ? HAL_USER_SO : HAL_USER_WHEEL;
+ const hal_client_handle_t client = {HAL_HANDLE_NONE};
+ char pin[hal_rpc_max_pin_length + 1], *p;
+ const char *prompt = NULL;
+
+ switch (user) {
+
+ case HAL_USER_SO:
+ prompt = "Enter current SO PIN: ";
+ break;
+
+ case HAL_USER_WHEEL:
+ prompt = "Enter current wheel PIN: ";
+ break;
+
+ default:
+ return 0;
+ }
+
+ if (read_from_stdin) {
+ if (fgets(pin, sizeof(pin), stdin) == NULL) {
+ perror("Couldn't read PIN");
+ return 0;
+ }
+ if ((p = strchr(pin, '\n')) != NULL)
+ *p = '\0';
+ }
+
+ else {
+ if (!getpin_tty(prompt, pin, sizeof(pin)))
+ return 0;
+ }
+
+ const hal_error_t err = hal_rpc_login(client, user, pin, strlen(pin));
+
+ if (err != HAL_OK)
+ fprintf(stderr, "Couldn't log in: %s\n", hal_error_string(err));
+
+ memset(pin, 0, sizeof(pin));
+
+ return err == HAL_OK;
+}
+
int main(int argc, char *argv[])
{
- int do_set_so_pin = 0, do_set_user_pin = 0, do_set_wheel_pin = 0, read_from_stdin = 0;
+ int set_so_pin = 0, set_user_pin = 0, set_wheel_pin = 0, read_from_stdin = 0, login_as_so = 0;
hal_error_t err;
+ int ok = 0;
+
+ parse_args(argc, argv, &set_so_pin, &set_user_pin, &set_wheel_pin, &read_from_stdin, &login_as_so);
+
+ if ((err = hal_rpc_client_init()) != HAL_OK) {
+ fprintf(stderr, "Couldn't initialize RPC: %s\n", hal_error_string(err));
+ goto fail;
+ }
- parse_args(argc, argv, &do_set_so_pin, &do_set_user_pin, &do_set_wheel_pin, &read_from_stdin);
+ if (!login(login_as_so, read_from_stdin)) {
+ fprintf(stderr, "Couldn't log in\n");
+ goto fail;
+ }
- if ((err = hal_rpc_client_init()) != HAL_OK)
- return fprintf(stderr, "Couldn't initialize RPC: %s\n", hal_error_string(err)), 1;
+ if (set_wheel_pin && !set_pin(HAL_USER_WHEEL, read_from_stdin)) {
+ fprintf(stderr, "Couldn't set wheel PIN\n");
+ goto fail;
+ }
- if (do_set_wheel_pin && !set_pin(HAL_USER_WHEEL, read_from_stdin))
- return fprintf(stderr, "Couldn't set wheel PIN\n"), 2;
+ if (set_so_pin && !set_pin(HAL_USER_SO, read_from_stdin)) {
+ fprintf(stderr, "Couldn't set SO PIN\n");
+ goto fail;
+ }
+
+ if (set_user_pin && !set_pin(HAL_USER_NORMAL, read_from_stdin)) {
+ fprintf(stderr, "Couldn't set user PIN\n");
+ goto fail;
+ }
- if (do_set_so_pin && !set_pin(HAL_USER_SO, read_from_stdin))
- return fprintf(stderr, "Couldn't set SO PIN\n"), 3;
+ ok = 1;
- if (do_set_user_pin && !set_pin(HAL_USER_NORMAL, read_from_stdin))
- return fprintf(stderr, "Couldn't set user PIN\n"), 4;
+ fail:
- if ((err = hal_rpc_client_close()) != HAL_OK)
- return fprintf(stderr, "Couldn't shut down RPC: %s\n", hal_error_string(err)), 5;
+ if ((err = hal_rpc_client_close()) != HAL_OK) {
+ fprintf(stderr, "Couldn't shut down RPC: %s\n", hal_error_string(err));
+ ok = 0;
+ }
- return 0;
+ return !ok;
}
/*
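Review bot: In the new `login()`, `memset(pin, 0, sizeof(pin));` is a store to a local that is never read again before the return, so an optimising compiler is allowed to drop it and leave the PIN on the stack. A wipe the compiler cannot elide is needed, e.g. `explicit_bzero(pin, sizeof(pin));` where available, or a small helper that writes through a `volatile` pointer; the same pattern is visible in set_pin's length-check path. The early `return 0` after a failed `getpin_tty()` also skips the wipe, although the buffer may already hold part of the PIN. Separately, when `fgets()` gets a line longer than the buffer, no newline is found and the rest of that line stays on stdin, where the next `set_pin()` call will probably read it as a new PIN; rejecting input with no terminating newline would avoid that.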
diff --git a/pkcs11.c b/pkcs11.c
index 667c3da..dcb418b 100644
--- a/pkcs11.c
+++ b/pkcs11.c
@@ -64,7 +64,6 @@
#include "pkcs11.h"
#include "attributes.h"
-#include "p11_common.h"
/*
* This PKCS #11 implementation is hardwired with one slot, the token
@@ -2820,8 +2819,8 @@ CK_RV C_GetTokenInfo(CK_SLOT_ID slotID,
pInfo->ulSessionCount = CK_UNAVAILABLE_INFORMATION;
pInfo->ulMaxRwSessionCount = CK_EFFECTIVELY_INFINITE;
pInfo->ulRwSessionCount = CK_UNAVAILABLE_INFORMATION;
- pInfo->ulMaxPinLen = P11_MAX_PIN_LENGTH;
- pInfo->ulMinPinLen = P11_MIN_PIN_LENGTH;
+ pInfo->ulMaxPinLen = (CK_ULONG) hal_rpc_min_pin_length;
+ pInfo->ulMinPinLen = (CK_ULONG) hal_rpc_max_pin_length;
pInfo->ulTotalPublicMemory = CK_UNAVAILABLE_INFORMATION;
pInfo->ulFreePublicMemory = CK_UNAVAILABLE_INFORMATION;
pInfo->ulTotalPrivateMemory = CK_UNAVAILABLE_INFORMATION;
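Review bot: The two assignments are crossed: `ulMaxPinLen` is set from `hal_rpc_min_pin_length` and `ulMinPinLen` from `hal_rpc_max_pin_length`, so C_GetTokenInfo reports a minimum PIN length larger than the maximum. Callers that size PIN buffers or pre-validate PIN length from these fields get the wrong bounds. The lines should read `pInfo->ulMaxPinLen = (CK_ULONG) hal_rpc_max_pin_length;` and `pInfo->ulMinPinLen = (CK_ULONG) hal_rpc_min_pin_length;`. The body of C_GetTokenInfo continues outside the hunk.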
diff --git a/unit_tests.py b/unit_tests.py
index 27d938a..3c359fb 100644
--- a/unit_tests.py
+++ b/unit_tests.py
@@ -22,6 +22,9 @@ def parse_arguments(argv = ()):
parser.add_argument("--quiet", action = "store_true", help = "suppress chatter")
parser.add_argument("--so-pin", default = "fnord", help = "security officer PIN")
parser.add_argument("--user-pin", default = "fnord", help = "user PIN")
+ parser.add_argument("--wheel-pin", default = "fnord", help = "wheel PIN")
+ parser.add_argument("--initial-pin", help = "initial PIN",
+ default = "YouReallyNeedToChangeThisPINRightNowWeAreNotKidding")
parser.add_argument("--slot", default = 0, type = int, help = "slot number")
parser.add_argument("--libpkcs11", default = "./libpkcs11.so", help = "PKCS #11 library")
parser.add_argument("--p11util", default = "./p11util", help = "p11util binary")
@@ -66,8 +69,8 @@ def setUpModule():
if not args.quiet:
print "Setting PINs"
- Popen((args.p11util, "-sup"), stdin = PIPE).communicate(
- "{args.so_pin}\n{args.user_pin}\n".format(args = args))
+ Popen((args.p11util, "-wsup"), stdin = PIPE).communicate("".join(pin + "\n" for pin in (
+ args.initial_pin, args.wheel_pin, args.so_pin, args.user_pin)))
if not args.quiet:
print "Loading PKCS #11 library", args.libpkcs11
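Review bot: The exit status of p11util is discarded here, and because the tool now has to log in with the initial PIN before it sets anything, a rejected login leaves the PINs unset while the tests carry on. Keep the `Popen` object and check it after `communicate()`, e.g. `if p.returncode != 0: raise RuntimeError("p11util failed")`. The PIN order in the joined string (initial, wheel, SO, user) mirrors the read order in p11util's main() and deserves a one-line comment saying so. setUpModule continues outside the hunk.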