From: Klas Lindfors Date: Wed, 8 Jan 2014 13:49:50 +0000 (+0100) Subject: prompt for key on stdin if -a is given without key X-Git-Tag: v1.15.0~16 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4883e9aeee5d1a986373f2e56da5a4a8621efa57;p=yubikey-personalization prompt for key on stdin if -a is given without key
---
diff --git a/ykpers-args.c b/ykpers-args.c
index a6d1096..5d3f910 100644
--- a/ykpers-args.c
+++ b/ykpers-args.c
@@ -67,8 +67,8 @@ const char *usage =
 "-iFILE read configuration from FILE.\n"
 " (if FILE is -, read from stdin)\n"
 "-fformat set the data format for -s and -i valid values are ycfg or legacy.\n"
-"-aXXX.. The AES secret key as a 32 (or 40 for OATH-HOTP/HMAC CHAL-RESP)\n"
-" char hex value (not modhex)\n"
+"-a[XXX..] The AES secret key as a 32 (or 40 for OATH-HOTP/HMAC CHAL-RESP)\n"
+" char hex value (not modhex) (none to prompt for key on stdin)\n"
 "-cXXX.. A 12 char hex value (not modhex) to use as access code for programming\n"
 " (this does NOT SET the access code, that's done with -oaccess=)\n"
 "-nXXX.. Write NDEF URI to YubiKey NEO, must be used with -1 or -2\n"
@@ -157,7 +157,7 @@ const char *usage =
 "-V tool version\n"
 "-h help (this text)\n"
 ;
-const char *optstring = "u12xza:c:n:t:hi:o:s:f:dvym:S::V";
+const char *optstring = "u12xza::c:n:t:hi:o:s:f:dvym:S::V";
 static int _set_fixed(char *opt, YKP_CONFIG *cfg);
 static int _format_decimal_as_hex(uint8_t *dst, size_t dst_len, uint8_t *src);
@@ -232,7 +232,7 @@ int args_to_config(int argc, char **argv, YKP_CONFIG *cfg, YK_KEY *yk,
 bool *autocommit, char **salt, YK_STATUS *st, bool *verbose, bool *dry_run, unsigned char *access_code, bool *use_access_code,
- bool *aesviahash, char *ndef_type, char *ndef,
+ char *keylocation, char *ndef_type, char *ndef,
 unsigned char *usb_mode, bool *zap, unsigned char *scan_bin, unsigned char *cr_timeout, unsigned char *autoeject_timeout, int *num_modes_seen,
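Review bot: `a::` in the new optstring makes the key an optional argument, which getopt only accepts when it is attached to the flag (`-aXXX`); `-a XXX` leaves optarg NULL, silently switches to the stdin prompt and leaves `XXX` behind as a stray non-option argument. Optional-argument `::` is a GNU extension rather than POSIX getopt, but the old optstring already used `S::`, so this is not a new platform dependency. The usage text in the first hunk should spell out the attachment rule, e.g. replace the second line with `" char hex value (not modhex), attached to -a (omit it to be prompted on stdin)\n"`. Since a key passed on the command line is visible in process listings and shell history, the usage line could also say that the prompt is the preferred way to supply it.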
@@ -381,8 +381,12 @@ int args_to_config(int argc, char **argv, YKP_CONFIG *cfg, YK_KEY *yk,
 }
 break;
 case 'a':
- *aesviahash = true;
- aeshash = optarg;
+ if(optarg) {
+ aeshash = optarg;
+ *keylocation = 1;
+ } else {
+ *keylocation = 2;
+ }
 break;
 case 'c': {
 size_t access_code_len = 0;
@@ -708,7 +712,7 @@ int args_to_config(int argc, char **argv, YKP_CONFIG *cfg, YK_KEY *yk,
 }
 }
- if (*aesviahash) {
+ if (*keylocation == 1) {
 bool long_key_valid = false;
 int res = 0;
diff --git a/ykpers-args.h b/ykpers-args.h
index 2d3b542..bf07edd 100644
--- a/ykpers-args.h
+++ b/ykpers-args.h
@@ -39,7 +39,7 @@ int args_to_config(int argc, char **argv, YKP_CONFIG *cfg, YK_KEY *yk,
 bool *autocommit, char **salt, YK_STATUS *st, bool *verbose, bool *dry_run, unsigned char *access_code, bool *use_access_code,
- bool *aesviahash, char *ndef_type, char *ndef, unsigned char *usb_mode,
+ char *keylocation, char *ndef_type, char *ndef, unsigned char *usb_mode,
 bool *zap, unsigned char *scan_bin, unsigned char *cr_timeout, unsigned char *autoeject_timeout, int *num_modes_seen, int *exit_code);
diff --git a/ykpersonalize.c b/ykpersonalize.c
index 9985930..bf54a4f 100644
--- a/ykpersonalize.c
+++ b/ykpersonalize.c
@@ -47,7 +47,7 @@ int main(int argc, char **argv)
 FILE *outf = NULL; const char *outfname = NULL; int data_format = YKP_FORMAT_LEGACY; bool verbose = false;
- bool aesviahash = false;
+ char keylocation = 0;
 bool use_access_code = false;
 unsigned char access_code[256];
 unsigned char scan_codes[sizeof(SCAN_MAP)];
@@ -127,7 +127,7 @@ int main(int argc, char **argv)
 &autocommit, &salt, st, &verbose, &dry_run, access_code, &use_access_code,
- &aesviahash, &ndef_type, ndef_string,
+ &keylocation, &ndef_type, ndef_string,
 &usb_mode, &zap, scan_codes, &cr_timeout, &autoeject_timeout, &num_modes_seen, &exit_code)) {
 goto err;
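Review bot: `*keylocation = 1` and `*keylocation = 2` in the `case 'a':` branch, `*keylocation == 1` in the `+712` hunk, and `char keylocation = 0` in main() are bare magic numbers with nothing in any of the three files saying what 0, 1 and 2 mean; a named enum next to the changed prototype in ykpers-args.h, for instance `enum { KEYLOC_NONE = 0, KEYLOC_ARG = 1, KEYLOC_STDIN = 2 };` (names constructed here), would document the out-parameter and keep the .c, .h and caller hunks in agreement. The `char *keylocation` parameter in both prototype hunks would then carry a short comment such as `/* out: where the key comes from, one of the KEYLOC_* values */`. The length validation that follows `if (*keylocation == 1)` now runs only for a key given on the command line; the stdin path in main() presumably relies on ykp_HMAC_key_from_hex/ykp_AES_key_from_hex rejecting wrong lengths, which is worth confirming so both paths reject the same inputs. args_to_config starts and ends outside these hunks.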
@@ -186,22 +186,42 @@ int main(int argc, char **argv)
 goto err;
 if (!ykp_import_config(cfg, data, strlen(data), data_format))
 goto err;
- } else if (! aesviahash && ! zap && (ykp_command(cfg) == SLOT_CONFIG || ykp_command(cfg) == SLOT_CONFIG2)) {
- char passphrasebuf[256]; size_t passphraselen;
- fprintf(stderr, "Passphrase to create AES key: ");
- fflush(stderr);
- if (!fgets(passphrasebuf, sizeof(passphrasebuf), stdin))
- {
- perror ("fgets");
- exit_code = 1;
+ } else if (! zap && (ykp_command(cfg) == SLOT_CONFIG || ykp_command(cfg) == SLOT_CONFIG2)) {
+ char keybuf[42]; size_t keylen;
+ if(keylocation == 2) {
+ bool long_key = false;
+ if((ykp_get_tktflag_OATH_HOTP(cfg) && !ykp_get_cfgflag_CHAL_YUBICO(cfg)) ||
+ (ykp_get_tktflag_CHAL_RESP(cfg) && ykp_get_cfgflag_CHAL_HMAC(cfg))) {
+ long_key = true;
+ fprintf(stderr, " HMAC key, up to 20 bytes (40 characters hex) : ");
+ } else {
+ fprintf(stderr, " AES key, 16 bytes (32 characters hex) : ");
+ }
+ fflush(stderr);
+ if(!fgets(keybuf, sizeof(keybuf), stdin)) {
+ printf("error?\n");
+ perror ("fgets");
+ exit_code = 1;
+ goto err;
+ }
+ keylen = strnlen(keybuf, sizeof(keybuf));
+ if(keybuf[keylen - 1] == '\n') {
+ keybuf[keylen - 1] = '\0';
+ }
+ if(long_key) {
+ if(ykp_HMAC_key_from_hex(cfg, keybuf)) {
+ goto err;
+ }
+ } else {
+ if(ykp_AES_key_from_hex(cfg, keybuf)) {
+ goto err;
+ }
+ }
+ } else if(keylocation == 0) {
+ /* TODO: random */
+ ykp_errno = YKP_ENOTYETIMPL;
 goto err;
 }
- passphraselen = strlen(passphrasebuf);
- if (passphrasebuf[passphraselen - 1] == '\n')
- passphrasebuf[passphraselen - 1] = '\0';
- if (!ykp_AES_key_from_passphrase(cfg,
- passphrasebuf, salt))
- goto err;
 }
 if (outf) {
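Review bot: `keybuf[keylen - 1]` reads one byte before the array when keylen is 0, which happens when the first byte on stdin is a NUL (fgets then returns a non-NULL empty string); guard it with `if(keylen > 0 && keybuf[keylen - 1] == '\n') {`. The `printf("error?\n");` just before `perror ("fgets");` looks like a leftover debug line and should be dropped. The key typed at the prompt is echoed by the terminal and stays in `keybuf` on the stack after ykp_HMAC_key_from_hex/ykp_AES_key_from_hex have consumed it; turning echo off via termios while stdin is a tty and wiping the buffer before leaving the block (a plain memset before return may be optimized away, so use explicit_bzero where available) would keep the secret off the screen and out of stale stack memory. Input longer than 41 characters is left unread on stdin with no newline stripped, which presumably makes the hex conversion fail on the trailing characters — an explicit length check with a clear error message would be friendlier than relying on that. main() starts and ends outside this hunk.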