From: Fredrik Thulin Date: Wed, 9 Mar 2011 09:22:45 +0000 (+0100) Subject: Ban -ouid= with -ochal-resp and -ooath-hotp. X-Git-Tag: v1.5.0~3 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1073baff13a808c80722fc7813d44311864d4934;p=yubikey-personalization Ban -ouid= with -ochal-resp and -ooath-hotp. Challenge response and OATH-HOTP store part of the HMAC key in the 6 bytes for 'uid', so specifying -ouid= with these modes is just an easy way to end up with another HMAC key being programmed than you think.
---
diff --git a/tests/test_args_to_config.c b/tests/test_args_to_config.c
index 1d5ba43..14c30ca 100644
--- a/tests/test_args_to_config.c
+++ b/tests/test_args_to_config.c
@@ -146,6 +146,27 @@ YK_STATUS * _test_init_st(int major, int minor, int build)
 return st;
 }
+/*
+ * Utility function to parse arguments and just return the result code.
+ * The calling function does the assert() to get function name in assert output.
+ */
+int _parse_args_rc(char **argv)
+
+{
+ YKP_CONFIG *cfg = ykp_create_config();
+ YK_STATUS *st = _test_init_st(2, 2, 0);
+ int rc = 0;
+
+ int argc = sizeof *argv/sizeof *argv[0] - 1;
+
+ rc = _test_config(cfg, st, argc, argv);
+
+ ykp_free_config(cfg);
+ free(st);
+
+ return rc;
+}
+
 int _test_config_slot1()
 {
 YKP_CONFIG *cfg = ykp_create_config();
@@ -486,6 +507,28 @@ int _test_key_mixed_case1()
 free(st);
 }
+int _test_uid_for_oath()
+{
+ /* Test that it is not possible to specify UID with OATH */
+ char *argv[] = {
+ "unittest", "-ooath-hotp", "-ouid=h:010203040506",
+ NULL
+ };
+ int rc = _parse_args_rc (argv);
+ assert(rc == 0);
+}
+
+int _test_uid_for_chal_resp()
+{
+ /* Test that it is not possible to specify UID with Challenge Response */
+ char *argv[] = {
+ "unittest", "-ochal-resp", "-ouid=h:010203040506",
+ NULL
+ };
+ int rc = _parse_args_rc (argv);
+ assert(rc == 0);
+}
+
 int main (int argc, char **argv)
 {
 _test_config_slot1();
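Review bot: `int argc = sizeof *argv/sizeof *argv[0] - 1;` in `_parse_args_rc` does not count the arguments. `argv` is a `char **` parameter, so the expression is `sizeof(char *) / sizeof(char) - 1`, a constant (7 on a typical 64-bit build) unrelated to the array the caller passed. The callers added by this commit pass three strings plus a NULL terminator, so the parser is told there are more entries than exist and may read past the terminator. Count up to the terminator instead: `int argc = 0; while (argv[argc] != NULL) argc++;`.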
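Review bot: Both new tests assert only `rc == 0`, which any argument-parsing failure satisfies, so they cannot tell the new uid rejection apart from an unrelated error. They would still pass if the check in ykpersonalize.c were removed while something else refused the arguments. A positive control next to each one, using the same mode option without `-ouid=` and asserting a non-zero rc, would make the failure attributable; this assumes `_test_config` returns non-zero on success, which is not visible here. Both functions are also declared `int` but end without a `return`; `return 0;` after the assert, or a `void` return type, would fix that.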
@@ -501,6 +544,8 @@ int main (int argc, char **argv)
 _test_two_modes_at_once2();
 _test_mode_after_other_option();
 _test_key_mixed_case1();
+ _test_uid_for_oath();
+ _test_uid_for_chal_resp();
 return 0;
 }
diff --git a/ykpersonalize.c b/ykpersonalize.c
index 888e01c..44f470f 100644
--- a/ykpersonalize.c
+++ b/ykpersonalize.c
@@ -332,6 +332,15 @@ int args_to_config(int argc, char **argv, YKP_CONFIG *cfg,
 *exit_code = 1;
 return 0;
 }
+ /* for OATH-HOTP and CHAL-RESP, uid is not applicable */
+ if ((ycfg->tktFlags & TKTFLAG_OATH_HOTP) == TKTFLAG_OATH_HOTP ||
+ (ycfg->tktFlags & TKTFLAG_CHAL_RESP) == TKTFLAG_CHAL_RESP) {
+ fprintf(stderr,
+ "Option uid= not valid with -ooath-hotp or -ochal-resp.\n"
+ );
+ *exit_code = 1;
+ return 0;
+ }
 ykp_set_uid(cfg, uidbin, uidbinlen);
 }
 else if (strncmp(optarg, "access=", 7) == 0) {
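Review bot: The new uid check in `args_to_config` only sees mode flags that an earlier option has already set in `ycfg->tktFlags`, so it rejects `-ooath-hotp -ouid=...` but by itself says nothing about `-ouid=...` followed by a mode option. The existing `_test_mode_after_other_option` test suggests that order is refused elsewhere, but that code is not visible in this hunk. A comment such as `/* relies on the mode option being required before any other -o option */` would record the dependency, and a test with the reversed argument order would pin it, since a missed case means a different HMAC key is programmed than the operator intended. `args_to_config` starts and ends outside the hunk.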