Ban -ouid= with -ochal-resp and -ooath-hotp.

Challenge response and OATH-HOTP store part of the HMAC key in
the 6 bytes for 'uid', so specifying -ouid= with these modes is
just an easy way to end up with another HMAC key being programmed
than you think.

diff --git a/tests/test_args_to_config.c b/tests/test_args_to_config.c
index 1d5ba437613d5f9471ae3e2a534fe7507b7eae44..14c30ca143bfb384f7043d8ce2b149f4d2fa704e 100644 (file)
--- a/tests/test_args_to_config.c
+++ b/tests/test_args_to_config.c
@@ -146,6 +146,27 @@ YK_STATUS * _test_init_st(int major, int minor, int build)
        return st;
 }
 
+/*
+ * Utility function to parse arguments and just return the result code.
+ * The calling function does the assert() to get function name in assert output.
+ */
+int _parse_args_rc(char **argv)
+
+{
+       YKP_CONFIG *cfg = ykp_create_config();
+       YK_STATUS *st = _test_init_st(2, 2, 0);
+       int rc = 0;
+
+       int argc = sizeof *argv/sizeof *argv[0] - 1;
+
+       rc = _test_config(cfg, st, argc, argv);
+
+       ykp_free_config(cfg);
+       free(st);
+
+       return rc;
+}
+
 int _test_config_slot1()
 {
        YKP_CONFIG *cfg = ykp_create_config();
@@ -486,6 +507,28 @@ int _test_key_mixed_case1()
        free(st);
 }
 
+int _test_uid_for_oath()
+{
+       /* Test that it is not possible to specify UID with OATH */
+       char *argv[] = {
+               "unittest", "-ooath-hotp", "-ouid=h:010203040506",
+               NULL
+       };
+       int rc = _parse_args_rc (argv);
+       assert(rc == 0);
+}
+
+int _test_uid_for_chal_resp()
+{
+       /* Test that it is not possible to specify UID with Challenge Response */
+       char *argv[] = {
+               "unittest", "-ochal-resp", "-ouid=h:010203040506",
+               NULL
+       };
+       int rc = _parse_args_rc (argv);
+       assert(rc == 0);
+}
+
 int main (int argc, char **argv)
 {
        _test_config_slot1();
@@ -501,6 +544,8 @@ int main (int argc, char **argv)
        _test_two_modes_at_once2();
        _test_mode_after_other_option();
        _test_key_mixed_case1();
+       _test_uid_for_oath();
+       _test_uid_for_chal_resp();
 
        return 0;
 }

diff --git a/ykpersonalize.c b/ykpersonalize.c
index 888e01c91151a421818c7c58cefac5dd2c0097b4..44f470f1227cf1b60c6d320988cf4bf1f1d31bd2 100644 (file)
--- a/ykpersonalize.c
+++ b/ykpersonalize.c
@@ -332,6 +332,15 @@ int args_to_config(int argc, char **argv, YKP_CONFIG *cfg,
                                        *exit_code = 1;
                                        return 0;
                                }
+                               /* for OATH-HOTP and CHAL-RESP, uid is not applicable */
+                               if ((ycfg->tktFlags & TKTFLAG_OATH_HOTP) == TKTFLAG_OATH_HOTP ||
+                                   (ycfg->tktFlags & TKTFLAG_CHAL_RESP) == TKTFLAG_CHAL_RESP) {
+                                       fprintf(stderr,
+                                               "Option uid= not valid with -ooath-hotp or -ochal-resp.\n"
+                                               );
+                                       *exit_code = 1;
+                                       return 0;
+                               }
                                ykp_set_uid(cfg, uidbin, uidbinlen);
                        }
                        else if (strncmp(optarg, "access=", 7) == 0) {