From 63d3f7f29aecf00468025c05bc01723360d86e24 Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Thu, 12 May 2016 16:13:00 -0400 Subject: p11util now uses libhal and doesn't need to touch SQL. "p11util" is now something of a misnomer, since there's no longer anything about it that's specific to PKCS #11. Probably should become a libhal utility program, eventually. --- p11util.c | 160 ++++++++++++++++++++++---------------------------------------- 1 file changed, 57 insertions(+), 103 deletions(-) (limited to 'p11util.c') diff --git a/p11util.c b/p11util.c index a08cb14..606e40c 100644 --- a/p11util.c +++ b/p11util.c @@ -47,7 +47,7 @@ #include -#include "sql_common.h" +#include "p11_common.h" /* * Apparently the cool kids don't use getpassword() anymore, and there @@ -114,7 +114,7 @@ static int getpin_tty(const char *prompt, OPT_FLG('h', "help", "show help") \ OPT_FLG('s', "set-so-pin", "set Security Officer PIN") \ OPT_FLG('u', "set-user-pin", "set \"user\" PIN") \ - OPT_ARG('i', "set-iterations", "set PBKDF2 iteration count") \ + OPT_FLG('w', "set-wheel-pin", "set \"wheel\" PIN") \ OPT_FLG('p', "pin-from-stdin", "read PIN from stdin instead of /dev/tty") \ OPT_END @@ -139,11 +139,9 @@ static void usage(const int code, const char *jane) static void parse_args(int argc, char *argv[], int *do_set_so_pin, int *do_set_user_pin, - int *do_set_iterations, - int *read_from_stdin, - unsigned long *iterations) + int *do_set_wheel_pin, + int *read_from_stdin) { - char *endptr; int c; #define OPT_FLG(_short_, _long_, _help_) _short_, @@ -158,9 +156,7 @@ static void parse_args(int argc, char *argv[], #undef OPT_ARG #undef OPT_FLG - assert(argv != 0 && - do_set_so_pin != 0 && do_set_user_pin != 0 && do_set_iterations != NULL && - read_from_stdin != NULL && iterations != NULL); + assert(argv && do_set_so_pin && do_set_user_pin && do_set_wheel_pin && read_from_stdin); opterr = 0; if (argc == 1) 
@@ -172,13 +168,6 @@ static void parse_args(int argc, char *argv[], case 'h': usage(0, argv[0]); - case 'i': - *do_set_iterations = 1; - *iterations = strtoul(optarg, &endptr, 0); - if (*optarg == '\0' || *endptr != '\0') - usage(1, argv[0]); - continue; - case 'p': *read_from_stdin = 1; continue; @@ -191,6 +180,10 @@ static void parse_args(int argc, char *argv[], *do_set_user_pin = 1; continue; + case 'w': + *do_set_wheel_pin = 1; + continue; + default: usage(1, argv[0]); } 
@@ -202,47 +195,31 @@ static void parse_args(int argc, char *argv[], -#define lose(_msg_) \ - do { \ - fprintf(stderr, "%s\n", _msg_); \ - goto fail; \ - } while (0) - -static int set_iterations(unsigned long iterations) +static int set_pin(const hal_user_t user, const int read_from_stdin) { - static const char update_query[] = - " UPDATE global SET pbkdf2_iterations = ?"; + const char *prompt = NULL, *label = NULL; + char pin[P11_MAX_PIN_LENGTH + 1], *p; - sqlite3_stmt *q = NULL; - int ok = 0; + switch (user) { - if (!sql_check_ok(sql_prepare(&q, update_query)) || - !sql_check_ok(sqlite3_bind_int64(q, 1, iterations)) || - !sql_check_done(sqlite3_step(q))) - lose("Couldn't update database"); + case HAL_USER_NORMAL: + prompt = "Enter user PIN: "; + label = "user"; + break; - ok = 1; + case HAL_USER_SO: + prompt = "Enter SO PIN: "; + label = "SO"; + break; - fail: - sqlite3_finalize(q); - return ok; -} + case HAL_USER_WHEEL: + prompt = "Enter wheel PIN: "; + label = "wheel"; + break; -static int set_pin(const char * const pin_type, const int read_from_stdin) -{ - static const char iterations_query[] = - " SELECT pbkdf2_iterations FROM global"; - - static const char update_format[] = - " UPDATE global SET %s_pin = ?1, %s_pin_salt = ?2"; - - /* Allow user to change these lengths? */ - uint8_t pinbuf[32], salt[16]; - - char pin[P11_MAX_PIN_LENGTH + 1], *p; - sqlite3_stmt *q = NULL; - hal_error_t err; - int ok = 0; + default: + return 0; + } if (read_from_stdin) { if (fgets(pin, sizeof(pin), stdin) == NULL) { @@ -254,8 +231,6 @@ static int set_pin(const char * const pin_type, const int read_from_stdin) } else { - char prompt[sizeof("Enter user PIN: ")]; - snprintf(prompt, sizeof(prompt), "Enter %s PIN: ", pin_type); if (!getpin_tty(prompt, pin, sizeof(pin))) return 0; } 
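Review bot: The upper bound in the length check can never fire for a PIN read from stdin, because `pin` is declared as `char pin[P11_MAX_PIN_LENGTH + 1]` and `fgets(pin, sizeof(pin), stdin)` stores at most P11_MAX_PIN_LENGTH characters. An over-long line is therefore cut to its first P11_MAX_PIN_LENGTH characters and set as the PIN without any warning, and the remainder (or the newline after a maximum-length PIN) stays in stdin for the next set_pin call when several PINs are set with -p. Declaring the buffer one byte larger, `char pin[P11_MAX_PIN_LENGTH + 2], *p;`, lets a full-length PIN plus its newline fit and makes an over-long line reach the existing `len > P11_MAX_PIN_LENGTH` rejection. The lines that strip the newline fall between this hunk and the next and are not visible here, so this assumes they only remove a trailing '\n'; whether getpin_tty has the same limit cannot be told from the diff.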
@@ -263,73 +238,52 @@ static int set_pin(const char * const pin_type, const int read_from_stdin) const size_t len = strlen(pin); if (len < P11_MIN_PIN_LENGTH || len > P11_MAX_PIN_LENGTH) { - fprintf(stderr, "Unacceptable length %lu for %s PIN, allowd range [%lu, %lu]\n", - (unsigned long) len, pin_type, - (unsigned long) P11_MIN_PIN_LENGTH, (unsigned long) P11_MAX_PIN_LENGTH); + fprintf(stderr, "Unacceptable length %lu for %s PIN, allowed range [%lu, %lu]\n", + (unsigned long) len, label, + (unsigned long) P11_MIN_PIN_LENGTH, + (unsigned long) P11_MAX_PIN_LENGTH); + memset(pin, 0, sizeof(pin)); return 0; } - if (!sql_check_ok(sql_prepare(&q, iterations_query)) || - !sql_check_row(sqlite3_step(q)) || - sqlite3_column_type(q, 0) == SQLITE_NULL) - lose("Couldn't retrieve PBKDF2 iteration count from SQL"); + const hal_client_handle_t client = {HAL_HANDLE_NONE}; - if ((err = hal_get_random(NULL, salt, sizeof(salt))) != HAL_OK) { - fprintf(stderr, "Couldn't generate salt: %s\n", hal_error_string(err)); - goto fail; - } + const hal_error_t err = hal_rpc_set_pin(client, user, pin, len); - if ((err = hal_pbkdf2(NULL, hal_hash_sha256, (uint8_t *) pin, len, salt, sizeof(salt), - pinbuf, sizeof(pinbuf), sqlite3_column_int(q, 0))) != HAL_OK) { - fprintf(stderr, "Couldn't process new PIN: %s\n", hal_error_string(err)); - goto fail; + if (err != HAL_OK) { + fprintf(stderr, "Couldn't set %s PIN: %s\n", label, hal_error_string(err)); + memset(pin, 0, sizeof(pin)); + return 0; } - if (!sql_check_ok(sql_finalize_and_clear(&q)) || - !sql_check_ok(sql_prepare(&q, update_format, pin_type, pin_type)) || - !sql_check_ok(sqlite3_bind_blob(q, 1, pinbuf, sizeof(pinbuf), NULL)) || - !sql_check_ok(sqlite3_bind_blob(q, 2, salt, sizeof(salt), NULL)) || - !sql_check_done(sqlite3_step(q))) - lose("Couldn't update database"); - - ok = 1; - - fail: - sqlite3_finalize(q); memset(pin, 0, sizeof(pin)); - memset(pinbuf, 0, sizeof(pinbuf)); - memset(salt, 0, sizeof(salt)); - return ok; + return 1; } + + 
int main(int argc, char *argv[]) { - int do_set_so_pin = 0, do_set_user_pin = 0, do_set_iterations = 0, read_from_stdin = 0; - unsigned long iterations; - int ok = 0; - - parse_args(argc, argv, &do_set_so_pin, &do_set_user_pin, &do_set_iterations, &read_from_stdin, &iterations); - - if (!sql_init() || !sql_exec("BEGIN")) - lose("Couldn't initialize SQL, giving up"); - - if (do_set_iterations && !set_iterations(iterations)) - lose("Couldn't set PBKDF2 iteration count"); + int do_set_so_pin = 0, do_set_user_pin = 0, do_set_wheel_pin = 0, read_from_stdin = 0; - if (do_set_so_pin && !set_pin("so", read_from_stdin)) - lose("Couldn't set SO PIN"); + parse_args(argc, argv, &do_set_so_pin, &do_set_user_pin, &do_set_wheel_pin, &read_from_stdin); - if (do_set_user_pin && !set_pin("user", read_from_stdin)) - lose("Couldn't set user PIN"); + if (do_set_wheel_pin && !set_pin(HAL_USER_WHEEL, read_from_stdin)) { + fprintf(stderr, "Couldn't set wheel PIN\n"); + return 1; + } - if (!sql_exec("COMMIT")) - lose("Couldn't commit SQL transaction"); + if (do_set_so_pin && !set_pin(HAL_USER_SO, read_from_stdin)) { + fprintf(stderr, "Couldn't set SO PIN\n"); + return 2; + } - ok = 1; + if (do_set_user_pin && !set_pin(HAL_USER_NORMAL, read_from_stdin)) { + fprintf(stderr, "Couldn't set user PIN\n"); + return 3; + } - fail: - sql_fini(); - return !ok; + return 0; } /* -- cgit v1.2.3
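Review bot: The `memset(pin, 0, sizeof(pin));` calls added before each `return` in set_pin are dead stores to a local that is about to go out of scope, so an optimizing compiler is allowed to drop them and leave the PIN on the stack. Wiping through a volatile pointer (or explicit_bzero / memset_s where the platform provides them) keeps the stores, and a single exit after the hal_rpc_set_pin call avoids repeating the wipe. The early `return 0` paths in the preceding hunks (fgets failure, getpin_tty failure) leave `pin` unwiped as well and could use the same helper. Separately, main now sets the PINs one after another instead of inside one SQL transaction, so a failure on the SO or user PIN leaves an earlier PIN already changed; a comment on main stating the order (wheel, SO, user) and the exit codes 1, 2 and 3 would document that.

```c
/* Zero a secret through a volatile pointer so the stores cannot be elided. */
static void wipe_secret(void *buf, size_t len)
{
  volatile unsigned char *p = buf;

  while (len-- > 0)
    *p++ = 0;
}

/* … unchanged: set_pin prompt selection and PIN read … */
/* … unchanged: length check, with its memset replaced by wipe_secret(pin, sizeof(pin)) … */

  const hal_client_handle_t client = {HAL_HANDLE_NONE};
  const hal_error_t err = hal_rpc_set_pin(client, user, pin, len);

  if (err != HAL_OK)
    fprintf(stderr, "Couldn't set %s PIN: %s\n", label, hal_error_string(err));

  /* One wipe covers both the success and the failure exit. */
  wipe_secret(pin, sizeof(pin));
  return err == HAL_OK;
}
```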