From: Fredrik Thulin
Date: Mon, 17 Jan 2011 08:39:53 +0000 (+0100)
Subject: Add support for the challenge-response mode in Yubikey version 2.2.
X-Git-Tag: v1.4.0~16
X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1c48760bebf9e8630f37e38f9b46a0bc507b65a8;p=yubikey-personalization.old

Add support for the challenge-response mode in Yubikey version 2.2.
---
diff --git a/libykpers-1.map b/libykpers-1.map
index a3f17eb..a67e4e0 100644
--- a/libykpers-1.map
+++ b/libykpers-1.map
@@ -75,6 +75,10 @@ LIBYKPERS_1.0 {
 ykp_set_cfgflag_OATH_FIXED_MODHEX1;
 ykp_set_cfgflag_OATH_FIXED_MODHEX2;
 ykp_set_cfgflag_OATH_FIXED_MODHEX;
+ ykp_set_cfgflag_CHAL_YUBICO;
+ ykp_set_cfgflag_CHAL_HMAC;
+ ykp_set_cfgflag_HMAC_LT64;
+ ykp_set_cfgflag_CHAL_BTN_TRIG;
 ykp_set_fixed;
 ykp_set_tktflag_APPEND_CR;
 ykp_set_tktflag_APPEND_DELAY1;
@@ -84,6 +88,7 @@ LIBYKPERS_1.0 {
 ykp_set_tktflag_PROTECT_CFG2;
 ykp_set_tktflag_TAB_FIRST;
 ykp_set_tktflag_OATH_HOTP;
+ ykp_set_tktflag_CHAL_RESP;
 ykp_set_uid;
 ykp_strerror;
 ykp_write_config;
diff --git a/ykpers.c b/ykpers.c
index 89e7f5c..4e9c923 100644
--- a/ykpers.c
+++ b/ykpers.c
@@ -272,6 +272,13 @@ static bool vcheck_v21_or_greater(const YKP_CONFIG *cfg)
 cfg->yk_major_version > 2;
 }
 
+static bool vcheck_v22_or_greater(const YKP_CONFIG *cfg)
+{
+ return (cfg->yk_major_version == 2 &&
+ cfg->yk_minor_version >= 2) ||
+ cfg->yk_major_version > 2;
+}
+
 #define def_set_charfield(fnname,fieldname,size,extra,vcheck) \
 int ykp_set_ ## fnname(YKP_CONFIG *cfg, unsigned char *input, size_t len) \
 { \
@@ -344,6 +351,7 @@ def_set_tktflag(APPEND_DELAY2,vcheck_all)
 def_set_tktflag(APPEND_CR,vcheck_all)
 def_set_tktflag(PROTECT_CFG2,vcheck_no_v1)
 def_set_tktflag(OATH_HOTP,vcheck_v21_or_greater)
+def_set_tktflag(CHAL_RESP,vcheck_v22_or_greater)
 
 def_set_cfgflag(SEND_REF,vcheck_all)
 def_set_cfgflag(TICKET_FIRST,vcheck_v1)
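Review bot: The four new `ykp_set_cfgflag_CHAL_*` exports and `ykp_set_tktflag_CHAL_RESP` in the second hunk are added to the existing `LIBYKPERS_1.0` version node, so a program built against this library looks, to the dynamic linker, identical to one built against an older build that lacks these symbols. If this lands in the 1.4 release, as the `v1.4.0~16` tag suggests, a new version node for the symbols first exported here (for example `LIBYKPERS_1.4 { global: ...; } LIBYKPERS_1.0;`, a constructed sketch following the project's naming) keeps the symbol-version history usable for dependency checks.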
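Review bot: `vcheck_v22_or_greater` repeats the major/minor comparison of `vcheck_v21_or_greater` just above it with only the minor-version constant changed, and neither the new predicate nor the setters it gates say what firmware feature they protect. A shared predicate taking the minimum major and minor keeps the two (and any later `vcheck_v2x_or_greater`) from drifting apart; the per-version wrappers keep their `const YKP_CONFIG *` signature because the flag tables in this file store them as function pointers. The types of `yk_major_version` and `yk_minor_version` are not visible in this hunk, so the parameter types in the sketch below should be matched to the struct definition.
```c
/* True when the key's firmware version is at least major.minor.
 * Shared by the per-version vcheck_* wrappers stored in the flag tables. */
static bool vcheck_at_least(const YKP_CONFIG *cfg, int major, int minor)
{
	return cfg->yk_major_version > major ||
	       (cfg->yk_major_version == major &&
		cfg->yk_minor_version >= minor);
}

/* Challenge-response (TKTFLAG_CHAL_RESP and the CHAL_* config flags)
 * requires firmware 2.2 or later. */
static bool vcheck_v22_or_greater(const YKP_CONFIG *cfg)
{
	return vcheck_at_least(cfg, 2, 2);
}
```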
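Review bot: `def_set_tktflag(CHAL_RESP,vcheck_v22_or_greater)` gates the new ticket flag on firmware version only, so nothing in this commit stops a configuration from having both `TKTFLAG_OATH_HOTP` and `TKTFLAG_CHAL_RESP` set. The `config_flags_map` hunk later in this file keys the new `CFGFLAG_CHAL_*` rows on `TKTFLAG_CHAL_RESP` in the same column the OATH rows use `TKTFLAG_OATH_HOTP`, and the existing comment there explains that this column decides which name a shared cfgFlag bit is written under; how that lookup resolves when both mode flags are set is not visible in this diff. If the two modes are mutually exclusive on the key, as the man page text in this commit implies (a CHAL-RESP slot generates no keypresses), the setter or `ykp_write_config` should reject the combination, or the table comment should state which mode flag takes precedence. The body of the `def_set_tktflag` macro is outside the hunk, so the check may belong there.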
@@ -359,6 +367,10 @@ def_set_cfgflag(OATH_HOTP8,vcheck_v21_or_greater)
 def_set_cfgflag(OATH_FIXED_MODHEX1,vcheck_v21_or_greater)
 def_set_cfgflag(OATH_FIXED_MODHEX2,vcheck_v21_or_greater)
 def_set_cfgflag(OATH_FIXED_MODHEX,vcheck_v21_or_greater)
+def_set_cfgflag(CHAL_YUBICO,vcheck_v22_or_greater)
+def_set_cfgflag(CHAL_HMAC,vcheck_v22_or_greater)
+def_set_cfgflag(HMAC_LT64,vcheck_v22_or_greater)
+def_set_cfgflag(CHAL_BTN_TRIG,vcheck_v22_or_greater)
 
 const char str_key_value_separator[] = ": ";
 const char str_hex_prefix[] = "h:";
@@ -387,6 +399,7 @@ struct map_st ticket_flags_map[] = {
 { TKTFLAG_APPEND_CR, "APPEND_CR", vcheck_all, 0 },
 { TKTFLAG_PROTECT_CFG2, "PROTECT_CFG2", vcheck_no_v1, 0 },
 { TKTFLAG_OATH_HOTP, "OATH_HOTP", vcheck_v21_or_greater, 0 },
+ { TKTFLAG_CHAL_RESP, "CHAL_RESP", vcheck_v22_or_greater, 0 },
 { 0, "", 0 }
 };
 
@@ -403,6 +416,10 @@ struct map_st config_flags_map[] = {
 cfgFlag 0x40 as OATH_FIXED_MODHEX2 and not STRONG_PW2
 if TKTFLAG_OATH_HOTP is set.
 */
+ { CFGFLAG_CHAL_YUBICO, "CHAL_YUBICO", vcheck_v22_or_greater, TKTFLAG_CHAL_RESP },
+ { CFGFLAG_CHAL_HMAC, "CHAL_HMAC", vcheck_v22_or_greater, TKTFLAG_CHAL_RESP },
+ { CFGFLAG_HMAC_LT64, "HMAC_LT64", vcheck_v22_or_greater, TKTFLAG_CHAL_RESP },
+ { CFGFLAG_CHAL_BTN_TRIG, "CHAL_BTN_TRIG", vcheck_v22_or_greater, TKTFLAG_CHAL_RESP },
 { CFGFLAG_OATH_HOTP8, "OATH_HOTP8", vcheck_v21_or_greater, TKTFLAG_OATH_HOTP },
 { CFGFLAG_OATH_FIXED_MODHEX1, "OATH_FIXED_MODHEX1", vcheck_v21_or_greater, TKTFLAG_OATH_HOTP },
 { CFGFLAG_OATH_FIXED_MODHEX2, "OATH_FIXED_MODHEX2", vcheck_v21_or_greater, TKTFLAG_OATH_HOTP },
diff --git a/ykpers.h b/ykpers.h
index cb394d2..ec1963d 100644
--- a/ykpers.h
+++ b/ykpers.h
@@ -62,6 +62,7 @@ int ykp_set_tktflag_APPEND_DELAY2(YKP_CONFIG *cfg, bool state);
 int ykp_set_tktflag_APPEND_CR(YKP_CONFIG *cfg, bool state);
 int ykp_set_tktflag_PROTECT_CFG2(YKP_CONFIG *cfg, bool state);
 int ykp_set_tktflag_OATH_HOTP(YKP_CONFIG *cfg, bool state);
+int ykp_set_tktflag_CHAL_RESP(YKP_CONFIG *cfg, bool state);
 
 int ykp_set_cfgflag_SEND_REF(YKP_CONFIG *cfg, bool state);
 int ykp_set_cfgflag_TICKET_FIRST(YKP_CONFIG *cfg, bool state);
@@ -77,6 +78,10 @@ int ykp_set_cfgflag_OATH_HOTP8(YKP_CONFIG *cfg, bool state);
 int ykp_set_cfgflag_OATH_FIXED_MODHEX1(YKP_CONFIG *cfg, bool state);
 int ykp_set_cfgflag_OATH_FIXED_MODHEX2(YKP_CONFIG *cfg, bool state);
 int ykp_set_cfgflag_OATH_FIXED_MODHEX(YKP_CONFIG *cfg, bool state);
+int ykp_set_cfgflag_CHAL_YUBICO(YKP_CONFIG *cfg, bool state);
+int ykp_set_cfgflag_CHAL_HMAC(YKP_CONFIG *cfg, bool state);
+int ykp_set_cfgflag_HMAC_LT64(YKP_CONFIG *cfg, bool state);
+int ykp_set_cfgflag_CHAL_BTN_TRIG(YKP_CONFIG *cfg, bool state);
 
 int ykp_write_config(const YKP_CONFIG *cfg,
 int (*writer)(const char *buf, size_t count,
diff --git a/ykpersonalize.1 b/ykpersonalize.1
index 2db6dfa..1ac0895 100644
--- a/ykpersonalize.1
+++ b/ykpersonalize.1
@@ -143,6 +143,11 @@ having the lock bit set.
 [\-]\fBoath-hotp\fR
 Set OATH-HOTP mode rather than Yubikey mode. In this mode, the token functions according to the OATH-HOTP standard.
+.TP
+\fBYubikey 2.2 firmware and above\fR
+.TP
+[\-]\fBchal-resp\fR
+Set challenge-response mode.
 .SH Configuration flags
 [\-]\fBsend-ref\fR
 Send a reference string of all 16 modhex characters before the fixed
@@ -201,6 +206,23 @@ When set, the first two bytes of the fixed part is sent as modhex.
 .TP
 [\-]\fBoath-fixed-modhex\fR
 When set, the fixed part is sent as modhex.
+.TP
+\fBYubikey 2.1 firmware and above\fR
+.TP
+[\-]\fBchal-yubico\fR
+Yubico OTP challenge-response mode.
+.TP
+[\-]\fBchal-hmac\fR
+Generate HMAC-SHA1 challenge responses.
+.TP
+[\-]\fBhmac-lt64\fR
+Calculate HMAC on less than 64 bytes input. Whatever is in the last byte
+of the challenge is used as end of input marker (backtracking from end of payload).
+.TP
+[\-]\fBchal-btn-trig\fR
+The Yubikey will wait for the user to press the key (within 15 seconds) before
+answering the challenge.
+
 .SH OATH-HOTP Mode
 When using OATH-HOTP mode, an AES key of 160 bits (20 bytes, 40 chars of hex) can be supplied with -a.
@@ -211,6 +233,13 @@ See section "5.3.4 - OATH-HOTP Token Identifier" of the
 for details, but in short the token identifier is 2 bytes manufacturer prefix, 2 character token type and then 8 bytes manufacturer unique ID.
+.SH Challenge-response Mode
+In \fBCHAL-RESP\fR mode, the token will NOT generate any keypresses when the button
+is pressed (although it is perfectly possible to have one slot with a keypress-generating
+configuration, and the other in challenge-response mode). Instead, a program capable of
+sending USB HID feature reports to the token must be used to send it a challenge, and
+read the response. A C-based program to do that will be developed by Yubico shortly.
+
 .SH BUGS
 Report ykpersonalize bugs in
 .URL "http://code.google.com/p/yubikey-personalization/issues/list" "the issue tracker"
diff --git a/ykpersonalize.c b/ykpersonalize.c
index 489edef..9d62855 100644
--- a/ykpersonalize.c
+++ b/ykpersonalize.c
@@ -83,6 +83,9 @@ const char *usage =
 " Ticket flags for firmware version 2.1 and above:\n"
 " [-]oath-hotp set/clear OATH_HOTP\n"
 "\n"
+" Ticket flags for firmware version 2.2 and above:\n"
+" [-]chal-resp set/clear CHAL_RESP\n"
+"\n"
 " Configuration flags for all firmware versions:\n"
 " [-]send-ref set/clear SEND_REF\n"
 " [-]pacing-10ms set/clear PACING_10MS\n"
@@ -105,6 +108,12 @@ const char *usage =
 " [-]oath-fixed-modhex2 set/clear OATH_FIXED_MODHEX2\n"
 " [-]oath-fixed-modhex set/clear OATH_MODHEX\n"
 "\n"
+" Configuration flags for firmware version 2.2 and above:\n"
+" [-]chal-yubico set/clear CHAL_YUBICO\n"
+" [-]chal-hmac set/clear CHAL_HMAC\n"
+" [-]hmac-lt64 set/clear HMAC_LT64\n"
+" [-]chal-btn-trig set/clear CHAL_BTN_TRIG\n"
+"\n"
 "-y always commit (do not prompt)\n"
 "\n"
 "-v verbose\n"
@@ -309,6 +318,7 @@ int args_to_config(int argc, char **argv, YKP_CONFIG *cfg,
 TKTFLAG("append-cr", APPEND_CR)
 TKTFLAG("protect-cfg2", PROTECT_CFG2)
 TKTFLAG("oath-hotp", OATH_HOTP)
+ TKTFLAG("chal-resp", CHAL_RESP)
 #undef TKTFLAG
 
 #define CFGFLAG(o, f) \
@@ -337,6 +347,10 @@ int args_to_config(int argc, char **argv, YKP_CONFIG *cfg,
 CFGFLAG("oath-fixed-modhex1", OATH_FIXED_MODHEX1)
 CFGFLAG("oath-fixed-modhex2", OATH_FIXED_MODHEX2)
 CFGFLAG("oath-fixed-modhex", OATH_FIXED_MODHEX)
+ CFGFLAG("chal-yubico", CHAL_YUBICO)
+ CFGFLAG("chal-hmac", CHAL_HMAC)
+ CFGFLAG("hmac-lt64", HMAC_LT64)
+ CFGFLAG("chal-btn-trig", CHAL_BTN_TRIG)
 #undef CFGFLAG
 else {
 fprintf(stderr, "Unknown option '%s'\n",
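Review bot: The new usage block `" Configuration flags for firmware version 2.2 and above:\n"` agrees with `vcheck_v22_or_greater` in ykpers.c, but the ykpersonalize.1 hunk in this same commit introduces the same four options under the heading `\fBYubikey 2.1 firmware and above\fR`. One of the two is wrong; given the version predicate the library enforces, the man page heading should read `\fBYubikey 2.2 firmware and above\fR`. A user following the man page on a 2.1 key would otherwise get a version error the documentation does not predict.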
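Review bot: `CFGFLAG("chal-yubico", CHAL_YUBICO)` and `CFGFLAG("chal-hmac", CHAL_HMAC)` are accepted independently of each other and of `chal-resp`, while the man page text in this commit presents them as two different response modes and the `config_flags_map` rows in ykpers.c tie all four new config flags to `TKTFLAG_CHAL_RESP`. Unless the library rejects these combinations somewhere not visible in this diff, a check after the option loop that `chal-yubico` and `chal-hmac` were not both requested, and that a `chal-*` configuration flag was only given together with `chal-resp`, would turn an ambiguous key programming into a usage error before anything is written to the device. The `CFGFLAG` macro body and the rest of `args_to_config` lie outside the hunk, so the seen-flag bookkeeping needed for such a check is not shown here.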