From: Fredrik Thulin Date: Wed, 9 Mar 2011 09:22:45 +0000 (+0100) Subject: Ban -ouid= with -ochal-resp and -ooath-hotp. X-Git-Tag: v1.5.0~3 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1073baff13a808c80722fc7813d44311864d4934;p=yubikey-personalization.old Ban -ouid= with -ochal-resp and -ooath-hotp. Challenge response and OATH-HOTP store part of the HMAC key in the 6 bytes for 'uid', so specifying -ouid= with these modes is just an easy way to end up with another HMAC key being programmed than you think. --- diff --git a/tests/test_args_to_config.c b/tests/test_args_to_config.c index 1d5ba43..14c30ca 100644 --- a/tests/test_args_to_config.c +++ b/tests/test_args_to_config.c @@ -146,6 +146,27 @@ YK_STATUS * _test_init_st(int major, int minor, int build) return st; } +/* + * Utility function to parse arguments and just return the result code. + * The calling function does the assert() to get function name in assert output. + */ +int _parse_args_rc(char **argv) + +{ + YKP_CONFIG *cfg = ykp_create_config(); + YK_STATUS *st = _test_init_st(2, 2, 0); + int rc = 0; + + int argc = sizeof *argv/sizeof *argv[0] - 1; + + rc = _test_config(cfg, st, argc, argv); + + ykp_free_config(cfg); + free(st); + + return rc; +} + int _test_config_slot1() { YKP_CONFIG *cfg = ykp_create_config(); @@ -486,6 +507,28 @@ int _test_key_mixed_case1() free(st); } +int _test_uid_for_oath() +{ + /* Test that it is not possible to specify UID with OATH */ + char *argv[] = { + "unittest", "-ooath-hotp", "-ouid=h:010203040506", + NULL + }; + int rc = _parse_args_rc (argv); + assert(rc == 0); +} + +int _test_uid_for_chal_resp() +{ + /* Test that it is not possible to specify UID with Challenge Response */ + char *argv[] = { + "unittest", "-ochal-resp", "-ouid=h:010203040506", + NULL + }; + int rc = _parse_args_rc (argv); + assert(rc == 0); +} + int main (int argc, char **argv) { _test_config_slot1(); @@ -501,6 +544,8 @@ int main (int argc, char **argv) _test_two_modes_at_once2(); _test_mode_after_other_option(); _test_key_mixed_case1(); + _test_uid_for_oath(); + _test_uid_for_chal_resp(); return 0; } diff --git a/ykpersonalize.c b/ykpersonalize.c index 888e01c..44f470f 100644 --- a/ykpersonalize.c +++ b/ykpersonalize.c @@ -332,6 +332,15 @@ int args_to_config(int argc, char **argv, YKP_CONFIG *cfg, *exit_code = 1; return 0; } + /* for OATH-HOTP and CHAL-RESP, uid is not applicable */ + if ((ycfg->tktFlags & TKTFLAG_OATH_HOTP) == TKTFLAG_OATH_HOTP || + (ycfg->tktFlags & TKTFLAG_CHAL_RESP) == TKTFLAG_CHAL_RESP) { + fprintf(stderr, + "Option uid= not valid with -ooath-hotp or -ochal-resp.\n" + ); + *exit_code = 1; + return 0; + } ykp_set_uid(cfg, uidbin, uidbinlen); } else if (strncmp(optarg, "access=", 7) == 0) {