ykp_set_cfgflag_OATH_FIXED_MODHEX1;
ykp_set_cfgflag_OATH_FIXED_MODHEX2;
ykp_set_cfgflag_OATH_FIXED_MODHEX;
+ ykp_set_cfgflag_CHAL_YUBICO;
+ ykp_set_cfgflag_CHAL_HMAC;
+ ykp_set_cfgflag_HMAC_LT64;
+ ykp_set_cfgflag_CHAL_BTN_TRIG;
ykp_set_fixed;
ykp_set_tktflag_APPEND_CR;
ykp_set_tktflag_APPEND_DELAY1;
ykp_set_tktflag_PROTECT_CFG2;
ykp_set_tktflag_TAB_FIRST;
ykp_set_tktflag_OATH_HOTP;
+ ykp_set_tktflag_CHAL_RESP;
ykp_set_uid;
ykp_strerror;
ykp_write_config;
cfg->yk_major_version > 2;
}
+static bool vcheck_v22_or_greater(const YKP_CONFIG *cfg)
+{
+ return (cfg->yk_major_version == 2 &&
+ cfg->yk_minor_version >= 2) ||
+ cfg->yk_major_version > 2;
+}
+
#define def_set_charfield(fnname,fieldname,size,extra,vcheck) \
int ykp_set_ ## fnname(YKP_CONFIG *cfg, unsigned char *input, size_t len) \
{ \
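Review bot: vcheck_v22_or_greater is added without any comment saying which feature moved the threshold, and it mirrors the tail of vcheck_v21_or_greater visible at the top of the hunk with only the minor-version constant changed. A one-line comment above the definition, `/* Challenge-response (CHAL_RESP and the CHAL_* cfgflags) is only available on firmware 2.2 or later. */`, would record why a new predicate exists. If the two predicates are otherwise identical, a shared `static bool vcheck_at_least(const YKP_CONFIG *cfg, int major, int minor)` would avoid adding another copy for each firmware release; the start of vcheck_v21_or_greater lies outside the hunk, so that equivalence is inferred rather than confirmed.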
def_set_tktflag(APPEND_CR,vcheck_all)
def_set_tktflag(PROTECT_CFG2,vcheck_no_v1)
def_set_tktflag(OATH_HOTP,vcheck_v21_or_greater)
+def_set_tktflag(CHAL_RESP,vcheck_v22_or_greater)
def_set_cfgflag(SEND_REF,vcheck_all)
def_set_cfgflag(TICKET_FIRST,vcheck_v1)
def_set_cfgflag(OATH_FIXED_MODHEX1,vcheck_v21_or_greater)
def_set_cfgflag(OATH_FIXED_MODHEX2,vcheck_v21_or_greater)
def_set_cfgflag(OATH_FIXED_MODHEX,vcheck_v21_or_greater)
+def_set_cfgflag(CHAL_YUBICO,vcheck_v22_or_greater)
+def_set_cfgflag(CHAL_HMAC,vcheck_v22_or_greater)
+def_set_cfgflag(HMAC_LT64,vcheck_v22_or_greater)
+def_set_cfgflag(CHAL_BTN_TRIG,vcheck_v22_or_greater)
const char str_key_value_separator[] = ": ";
const char str_hex_prefix[] = "h:";
{ TKTFLAG_APPEND_CR, "APPEND_CR", vcheck_all, 0 },
{ TKTFLAG_PROTECT_CFG2, "PROTECT_CFG2", vcheck_no_v1, 0 },
{ TKTFLAG_OATH_HOTP, "OATH_HOTP", vcheck_v21_or_greater, 0 },
+ { TKTFLAG_CHAL_RESP, "CHAL_RESP", vcheck_v22_or_greater, 0 },
{ 0, "", 0 }
};
cfgFlag 0x40 as OATH_FIXED_MODHEX2 and not STRONG_PW2 if TKTFLAG_OATH_HOTP
is set.
*/
+ { CFGFLAG_CHAL_YUBICO, "CHAL_YUBICO", vcheck_v22_or_greater, TKTFLAG_CHAL_RESP },
+ { CFGFLAG_CHAL_HMAC, "CHAL_HMAC", vcheck_v22_or_greater, TKTFLAG_CHAL_RESP },
+ { CFGFLAG_HMAC_LT64, "HMAC_LT64", vcheck_v22_or_greater, TKTFLAG_CHAL_RESP },
+ { CFGFLAG_CHAL_BTN_TRIG, "CHAL_BTN_TRIG", vcheck_v22_or_greater, TKTFLAG_CHAL_RESP },
{ CFGFLAG_OATH_HOTP8, "OATH_HOTP8", vcheck_v21_or_greater, TKTFLAG_OATH_HOTP },
{ CFGFLAG_OATH_FIXED_MODHEX1, "OATH_FIXED_MODHEX1", vcheck_v21_or_greater, TKTFLAG_OATH_HOTP },
{ CFGFLAG_OATH_FIXED_MODHEX2, "OATH_FIXED_MODHEX2", vcheck_v21_or_greater, TKTFLAG_OATH_HOTP },
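Review bot: The four CFGFLAG_CHAL_* rows are inserted directly below the comment explaining that table order decides how a cfgFlag value that means different things under different ticket flags is printed, yet the new rows get no note of their own. If any of the CHAL_YUBICO, CHAL_HMAC, HMAC_LT64 or CHAL_BTN_TRIG values share bits with other rows of this table, placing them ahead of the OATH rows is a choice the next maintainer cannot tell from deliberate, so a comment in the same style, e.g. `/* CHAL_* flags are only meaningful with TKTFLAG_CHAL_RESP; keep them grouped so the tktflag column disambiguates them from flags that reuse the same bits. */`, would pin it down. The fourth column already gates each new row on TKTFLAG_CHAL_RESP, consistent with the CHAL_RESP row added to the ticket-flag table.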
int ykp_set_tktflag_APPEND_CR(YKP_CONFIG *cfg, bool state);
int ykp_set_tktflag_PROTECT_CFG2(YKP_CONFIG *cfg, bool state);
int ykp_set_tktflag_OATH_HOTP(YKP_CONFIG *cfg, bool state);
+int ykp_set_tktflag_CHAL_RESP(YKP_CONFIG *cfg, bool state);
int ykp_set_cfgflag_SEND_REF(YKP_CONFIG *cfg, bool state);
int ykp_set_cfgflag_TICKET_FIRST(YKP_CONFIG *cfg, bool state);
int ykp_set_cfgflag_OATH_FIXED_MODHEX1(YKP_CONFIG *cfg, bool state);
int ykp_set_cfgflag_OATH_FIXED_MODHEX2(YKP_CONFIG *cfg, bool state);
int ykp_set_cfgflag_OATH_FIXED_MODHEX(YKP_CONFIG *cfg, bool state);
+int ykp_set_cfgflag_CHAL_YUBICO(YKP_CONFIG *cfg, bool state);
+int ykp_set_cfgflag_CHAL_HMAC(YKP_CONFIG *cfg, bool state);
+int ykp_set_cfgflag_HMAC_LT64(YKP_CONFIG *cfg, bool state);
+int ykp_set_cfgflag_CHAL_BTN_TRIG(YKP_CONFIG *cfg, bool state);
int ykp_write_config(const YKP_CONFIG *cfg,
int (*writer)(const char *buf, size_t count,
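Review bot: The new prototypes for ykp_set_tktflag_CHAL_RESP and the four ykp_set_cfgflag_CHAL_YUBICO / CHAL_HMAC / HMAC_LT64 / CHAL_BTN_TRIG setters expose a caller-visible firmware requirement that the header does not state. A short comment above the group, `/* Challenge-response setters: firmware 2.2 or later; presumably rejected by the version check in ykpers.c on older keys. */`, would tell API users why the call can fail without reading the implementation. The cfgflag setters are additionally tied to TKTFLAG_CHAL_RESP in the ykpers.c flag table, which is worth mentioning in the same comment.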
[\-]\fBoath-hotp\fR
Set OATH-HOTP mode rather than Yubikey mode. In this mode, the token
functions according to the OATH-HOTP standard.
+.TP
+\fBYubikey 2.2 firmware and above\fR
+.TP
+[\-]\fBchal-resp\fR
+Set challenge-response mode.
.SH Configuration flags
[\-]\fBsend-ref\fR
Send a reference string of all 16 modhex characters before the fixed
.TP
[\-]\fBoath-fixed-modhex\fR
When set, the fixed part is sent as modhex.
+.TP
+\fBYubikey 2.1 firmware and above\fR
+.TP
+[\-]\fBchal-yubico\fR
+Yubico OTP challenge-response mode.
+.TP
+[\-]\fBchal-hmac\fR
+Generate HMAC-SHA1 challenge responses.
+.TP
+[\-]\fBhmac-lt64\fR
+Calculate HMAC on less than 64 bytes input. Whatever is in the last byte
+of the challenge is used as end of input marker (backtracking from end of payload).
+.TP
+[\-]\fBchal-btn-trig\fR
+The Yubikey will wait for the user to press the key (within 15 seconds) before
+answering the challenge.
+
.SH OATH-HOTP Mode
When using OATH-HOTP mode, an AES key of 160 bits (20 bytes, 40 chars of hex)
can be supplied with -a.
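Review bot: The heading added above chal-yubico, chal-hmac, hmac-lt64 and chal-btn-trig reads `\fBYubikey 2.1 firmware and above\fR`, but the setters for these flags in ykpers.c are gated by vcheck_v22_or_greater and the usage text in ykpersonalize.c lists them under "Configuration flags for firmware version 2.2 and above"; the man page heading should be `\fBYubikey 2.2 firmware and above\fR`. The flag table in ykpers.c also requires TKTFLAG_CHAL_RESP for each of these four flags, so the section would be clearer if it said they only take effect together with chal-resp, e.g. adding `These flags are only meaningful together with \fBchal-resp\fR.` after the heading.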
for details, but in short the token identifier is 2 bytes manufacturer prefix,
2 character token type and then 8 bytes manufacturer unique ID.
+.SH Challenge-response Mode
+In \fBCHAL-RESP\fR mode, the token will NOT generate any keypresses when the button
+is pressed (although it is perfectly possible to have one slot with a keypress-generating
+configuration, and the other in challenge-response mode). Instead, a program capable of
+sending USB HID feature reports to the token must be used to send it a challenge, and
+read the response. A C-based program to do that will be developed by Yubico shortly.
+
.SH BUGS
Report ykpersonalize bugs in
.URL "http://code.google.com/p/yubikey-personalization/issues/list" "the issue tracker"
" Ticket flags for firmware version 2.1 and above:\n"
" [-]oath-hotp set/clear OATH_HOTP\n"
"\n"
+" Ticket flags for firmware version 2.2 and above:\n"
+" [-]chal-resp set/clear CHAL_RESP\n"
+"\n"
" Configuration flags for all firmware versions:\n"
" [-]send-ref set/clear SEND_REF\n"
" [-]pacing-10ms set/clear PACING_10MS\n"
" [-]oath-fixed-modhex2 set/clear OATH_FIXED_MODHEX2\n"
" [-]oath-fixed-modhex set/clear OATH_MODHEX\n"
"\n"
+" Configuration flags for firmware version 2.2 and above:\n"
+" [-]chal-yubico set/clear CHAL_YUBICO\n"
+" [-]chal-hmac set/clear CHAL_HMAC\n"
+" [-]hmac-lt64 set/clear HMAC_LT64\n"
+" [-]chal-btn-trig set/clear CHAL_BTN_TRIG\n"
+"\n"
"-y always commit (do not prompt)\n"
"\n"
"-v verbose\n"
TKTFLAG("append-cr", APPEND_CR)
TKTFLAG("protect-cfg2", PROTECT_CFG2)
TKTFLAG("oath-hotp", OATH_HOTP)
+ TKTFLAG("chal-resp", CHAL_RESP)
#undef TKTFLAG
#define CFGFLAG(o, f) \
CFGFLAG("oath-fixed-modhex1", OATH_FIXED_MODHEX1)
CFGFLAG("oath-fixed-modhex2", OATH_FIXED_MODHEX2)
CFGFLAG("oath-fixed-modhex", OATH_FIXED_MODHEX)
+ CFGFLAG("chal-yubico", CHAL_YUBICO)
+ CFGFLAG("chal-hmac", CHAL_HMAC)
+ CFGFLAG("hmac-lt64", HMAC_LT64)
+ CFGFLAG("chal-btn-trig", CHAL_BTN_TRIG)
#undef CFGFLAG
else {
fprintf(stderr, "Unknown option '%s'\n",