void YubiKeyWriter::doChallengeResponse(const QString challenge, QString &response, int slot, bool hmac) {
YubiKeyFinder::getInstance()->stop();
YK_KEY *yk = 0;
bool error = false;
qDebug() << "Challenge to slot " << slot << " with challenge: " << challenge;
try {
int yk_cmd;
QByteArray chal_array = challenge.toLatin1();
const unsigned char *chal = reinterpret_cast<const unsigned char*>(chal_array.constData());
unsigned char resp[64];
memset(resp, 0, sizeof(resp));
if (!(yk = yk_open_first_key())) {
throw 0;
}
switch(slot) {
case 1:
yk_cmd = (hmac == true) ? SLOT_CHAL_HMAC1 : SLOT_CHAL_OTP1;
break;
case 2:
yk_cmd = (hmac == true) ? SLOT_CHAL_HMAC2 : SLOT_CHAL_OTP2;
break;
default:
throw 0;
break;
}
if(! yk_challenge_response(yk, yk_cmd, 1, challenge.length(),
chal, sizeof(resp), resp)) {
throw 0;
}
// 20 (160 bits) for hmac-sha1 and 16 (128 bits) for yubico mode
if(hmac == true) {
response = YubiKeyUtil::qstrHexEncode(resp, 20);
} else {
response = YubiKeyUtil::qstrModhexEncode(resp, 16);
}
emit diagnostics(QString("Successful challenge response with slot %1").arg(slot));
} catch(...) {
error = true;
}
if (yk && !yk_close_key(yk)) {
error = true;
}
YubiKeyFinder::getInstance()->start();
if(error) {
qDebug() << "Challenge response failed.";
QString errMsg = reportError(true);
}
}
///
/// Perform a ChallengeResponse operation on specified slot
///
__declspec(dllexport) int ChallengeResponse(uint32_t slot, BOOL may_block,
const unsigned char *challenge, uint32_t challenge_len,
unsigned char *response, uint32_t response_len)
{
uint8_t command;
YK_KEY* key;
int result;
if (slot == 1)
{
command = SLOT_CHAL_HMAC1;
}
else if (slot == 2)
{
command = SLOT_CHAL_HMAC2;
}
else
{
// invalid slot
return ERROR_INVALID_SLOT;
}
if (challenge_len > 64)
{
// cannot be bigger than 64 bytes
return ERROR_CHALLENGE_TOO_BIG;
}
key = yk_open_first_key();
if (key == NULL)
{
return ERROR_CANNOT_OPEN_KEY;
}
result = 0;
if (!yk_challenge_response(key, command, may_block, challenge_len, challenge, response_len, response))
{
_lastError = yk_errno;
result = ERROR_IN_CHALLENGE_RESPONSE;
}
yk_close_key(key);
return result;
}
int challenge_response(YK_KEY *yk, int slot,
char *challenge, unsigned int len,
bool hmac, bool may_block, bool verbose,
char *response, unsigned int res_size, unsigned int *res_len)
{
int yk_cmd;
if(hmac == true) {
*res_len = 20;
} else {
*res_len = 16;
}
if (res_size < *res_len) {
return 0;
}
memset(response, 0, res_size);
if (verbose) {
fprintf(stderr, "Sending %u bytes %s challenge to slot %i\n", len, (hmac == true)?"HMAC":"Yubico", slot);
//_yk_hexdump(challenge, len);
}
switch(slot) {
case 1:
yk_cmd = (hmac == true) ? SLOT_CHAL_HMAC1 : SLOT_CHAL_OTP1;
break;
case 2:
yk_cmd = (hmac == true) ? SLOT_CHAL_HMAC2 : SLOT_CHAL_OTP2;
break;
default:
return 0;
}
if(! yk_challenge_response(yk, yk_cmd, may_block, len,
(unsigned char*)challenge, res_size, (unsigned char*)response)) {
return 0;
}
return 1;
}
int main(int argc, char **argv) {
unsigned int version = 0, help = 0;
char challenge_old[CHALLENGELEN + 1],
challenge_new[CHALLENGELEN + 1],
response_old[RESPONSELEN],
response_new[RESPONSELEN],
passphrase_old[PASSPHRASELEN + 1],
passphrase_new[PASSPHRASELEN + 1];
const char * tmp;
char challengefilename[sizeof(CHALLENGEDIR) + 11 /* "/challenge-" */ + 10 /* unsigned int in char */ + 1],
challengefiletmpname[sizeof(CHALLENGEDIR) + 11 /* "/challenge-" */ + 10 /* unsigned int in char */ + 7 /* -XXXXXX */ + 1];
int challengefile = 0, challengefiletmp = 0;
struct timeval tv;
int i;
size_t len;
int8_t rc = EXIT_FAILURE;
/* cryptsetup */
const char * device_name;
int8_t luks_slot = -1;
struct crypt_device *cryptdevice;
crypt_status_info cryptstatus;
crypt_keyslot_info cryptkeyslot;
char * passphrase = NULL;
/* keyutils */
key_serial_t key;
void * payload = NULL;
char * second_factor = NULL, * new_2nd_factor = NULL, * new_2nd_factor_verify = NULL;
/* yubikey */
YK_KEY * yk;
uint8_t yk_slot = SLOT_CHAL_HMAC2;
unsigned int serial = 0;
/* iniparser */
dictionary * ini;
char section_ykslot[10 /* unsigned int in char */ + 1 + sizeof(CONFYKSLOT) + 1];
char section_luksslot[10 + 1 + sizeof(CONFLUKSSLOT) + 1];
/* get command line options */
while ((i = getopt_long(argc, argv, optstring, options_long, NULL)) != -1)
switch (i) {
case 'h':
help++;
break;
case 'n':
case 'N':
if (new_2nd_factor != NULL) {
fprintf(stderr, "We already have a new second factor. Did you specify it twice?\n");
goto out10;
}
if (optarg == NULL) { /* N */
if ((new_2nd_factor = ask_secret("new second factor")) == NULL)
goto out10;
if ((new_2nd_factor_verify = ask_secret("new second factor for verification")) == NULL)
goto out10;
if (strcmp(new_2nd_factor, new_2nd_factor_verify) != 0) {
fprintf(stderr, "Verification failed, given strings do not match.\n");
goto out10;
}
} else { /* n */
new_2nd_factor = strdup(optarg);
memset(optarg, '*', strlen(optarg));
}
break;
case 's':
case 'S':
if (second_factor != NULL) {
fprintf(stderr, "We already have a second factor. Did you specify it twice?\n");
goto out10;
}
if (optarg == NULL) { /* S */
second_factor = ask_secret("current second factor");
} else { /* s */
second_factor = strdup(optarg);
memset(optarg, '*', strlen(optarg));
}
break;
case 'V':
version++;
break;
}
if (version > 0)
printf("%s: %s v%s (compiled: " __DATE__ ", " __TIME__ ")\n", argv[0], PROGNAME, VERSION);
if (help > 0)
fprintf(stderr, "usage: %s [-h|--help] [-n|--new-2nd-factor <new-2nd-factor>] [-N|--ask-new-2nd-factor]\n"
" [-s|--2nd-factor <2nd-factor>] [-S|--ask-2nd-factor] [-V|--version]\n", argv[0]);
if (version > 0 || help > 0)
return EXIT_SUCCESS;
/* initialize random seed */
gettimeofday(&tv, NULL);
srand(tv.tv_usec * tv.tv_sec);
/* initialize static buffers */
memset(challenge_old, 0, CHALLENGELEN + 1);
memset(challenge_new, 0, CHALLENGELEN + 1);
memset(response_old, 0, RESPONSELEN);
memset(response_new, 0, RESPONSELEN);
memset(passphrase_old, 0, PASSPHRASELEN + 1);
memset(passphrase_new, 0, PASSPHRASELEN + 1);
if ((ini = iniparser_load(CONFIGFILE)) == NULL) {
fprintf(stderr, "Could not parse configuration file.\n");
goto out10;
}
if ((device_name = iniparser_getstring(ini, "general:" CONFDEVNAME, NULL)) == NULL) {
/* read from crypttab? */
/* get device from currently open devices? */
fprintf(stderr, "Could not read LUKS device from configuration file.\n");
goto out20;
}
/* init and open first Yubikey */
if (yk_init() == 0) {
perror("yk_init() failed");
goto out20;
}
if ((yk = yk_open_first_key()) == NULL) {
fprintf(stderr, "No Yubikey available.\n");
goto out30;
}
/* read the serial number from key */
if (yk_get_serial(yk, 0, 0, &serial) == 0) {
perror("yk_get_serial() failed");
goto out40;
}
/* get the yk slot */
sprintf(section_ykslot, "%d:" CONFYKSLOT, serial);
yk_slot = iniparser_getint(ini, "general:" CONFYKSLOT, yk_slot);
yk_slot = iniparser_getint(ini, section_ykslot, yk_slot);
switch (yk_slot) {
case 1:
case SLOT_CHAL_HMAC1:
yk_slot = SLOT_CHAL_HMAC1;
break;
case 2:
case SLOT_CHAL_HMAC2:
default:
yk_slot = SLOT_CHAL_HMAC2;
break;
}
/* get the luks slot */
sprintf(section_luksslot, "%d:" CONFLUKSSLOT, serial);
luks_slot = iniparser_getint(ini, section_luksslot, luks_slot);
if (luks_slot < 0) {
fprintf(stderr, "Please set LUKS key slot for Yubikey with serial %d!\n"
"Add something like this to " CONFIGFILE ":\n\n"
"[%d]\nluks slot = 1\n", serial, serial);
goto out40;
}
if (second_factor == NULL) {
/* get second factor from key store */
if ((key = request_key("user", "ykfde-2f", NULL, 0)) < 0)
fprintf(stderr, "Failed requesting key. That's ok if you do not use\n"
"second factor. Give it manually if required.\n");
if (key > -1) {
/* if we have a key id we have a key - so this should succeed */
if (keyctl_read_alloc(key, &payload) < 0) {
perror("Failed reading payload from key");
goto out40;
}
second_factor = payload;
} else
second_factor = strdup("");
}
/* warn when second factor is not enabled in config */
if ((*second_factor != 0 || new_2nd_factor != NULL) &&
iniparser_getboolean(ini, "general:" CONF2NDFACTOR, 0) == 0)
fprintf(stderr, "Warning: Processing second factor, but not enabled in config!\n");
/* get random number and limit to printable ASCII character (32 to 126) */
for(i = 0; i < CHALLENGELEN; i++)
challenge_new[i] = (rand() % (126 - 32)) + 32;
/* these are the filenames for challenge
* we need this for reading and writing */
sprintf(challengefilename, CHALLENGEDIR "/challenge-%d", serial);
sprintf(challengefiletmpname, CHALLENGEDIR "/challenge-%d-XXXXXX", serial);
/* write new challenge to file */
if ((challengefiletmp = mkstemp(challengefiletmpname)) < 0) {
fprintf(stderr, "Could not open file %s for writing.\n", challengefiletmpname);
goto out40;
}
if (write(challengefiletmp, challenge_new, CHALLENGELEN) < 0) {
fprintf(stderr, "Failed to write challenge to file.\n");
goto out50;
}
challengefiletmp = close(challengefiletmp);
/* now that the new challenge has been written to file...
* add second factor to new challenge */
tmp = new_2nd_factor ? new_2nd_factor : second_factor;
len = strlen(tmp);
memcpy(challenge_new, tmp, len < MAX2FLEN ? len : MAX2FLEN);
/* do challenge/response and encode to hex */
if (yk_challenge_response(yk, yk_slot, true,
CHALLENGELEN, (unsigned char *) challenge_new,
RESPONSELEN, (unsigned char *) response_new) == 0) {
perror("yk_challenge_response() failed");
goto out50;
}
yubikey_hex_encode((char *) passphrase_new, (char *) response_new, SHA1_DIGEST_SIZE);
/* get status of crypt device
* We expect this to be active (or busy). It is the actual root device, no? */
cryptstatus = crypt_status(cryptdevice, device_name);
if (cryptstatus != CRYPT_ACTIVE && cryptstatus != CRYPT_BUSY) {
fprintf(stderr, "Device %s is invalid or inactive.\n", device_name);
goto out50;
}
/* initialize crypt device */
if (crypt_init_by_name(&cryptdevice, device_name) < 0) {
fprintf(stderr, "Device %s failed to initialize.\n", device_name);
goto out60;
}
cryptkeyslot = crypt_keyslot_status(cryptdevice, luks_slot);
if (cryptkeyslot == CRYPT_SLOT_INVALID) {
fprintf(stderr, "Key slot %d is invalid.\n", luks_slot);
goto out60;
} else if (cryptkeyslot == CRYPT_SLOT_ACTIVE || cryptkeyslot == CRYPT_SLOT_ACTIVE_LAST) {
/* read challenge from file */
if ((challengefile = open(challengefilename, O_RDONLY)) < 0) {
perror("Failed opening challenge file for reading");
goto out60;
}
if (read(challengefile, challenge_old, CHALLENGELEN) < 0) {
perror("Failed reading challenge from file");
goto out60;
}
challengefile = close(challengefile);
/* finished reading challenge */
/* copy the second factor */
len = strlen(second_factor);
memcpy(challenge_old, second_factor, len < MAX2FLEN ? len : MAX2FLEN);
/* do challenge/response and encode to hex */
if (yk_challenge_response(yk, yk_slot, true,
CHALLENGELEN, (unsigned char *) challenge_old,
RESPONSELEN, (unsigned char *) response_old) == 0) {
perror("yk_challenge_response() failed");
goto out60;
}
yubikey_hex_encode((char *) passphrase_old, (char *) response_old, SHA1_DIGEST_SIZE);
if (crypt_keyslot_change_by_passphrase(cryptdevice, luks_slot, luks_slot,
passphrase_old, PASSPHRASELEN,
passphrase_new, PASSPHRASELEN) < 0) {
fprintf(stderr, "Could not update passphrase for key slot %d.\n", luks_slot);
goto out60;
}
if (unlink(challengefilename) < 0) {
fprintf(stderr, "Failed to delete old challenge file.\n");
goto out60;
}
} else { /* ck == CRYPT_SLOT_INACTIVE */
if ((passphrase = ask_secret("existing LUKS passphrase")) == NULL)
goto out60;
if (crypt_keyslot_add_by_passphrase(cryptdevice, luks_slot,
passphrase, strlen(passphrase),
passphrase_new, PASSPHRASELEN) < 0) {
fprintf(stderr, "Could not add passphrase for key slot %d.\n", luks_slot);
goto out60;
}
}
if (rename(challengefiletmpname, challengefilename) < 0) {
fprintf(stderr, "Failed to rename new challenge file.\n");
goto out60;
}
rc = EXIT_SUCCESS;
out60:
/* free crypt context */
crypt_free(cryptdevice);
out50:
/* close the challenge file */
if (challengefile)
close(challengefile);
if (challengefiletmp)
close(challengefiletmp);
if (access(challengefiletmpname, F_OK) == 0)
unlink(challengefiletmpname);
out40:
/* close Yubikey */
if (yk_close_key(yk) == 0)
perror("yk_close_key() failed");
out30:
/* release Yubikey */
if (yk_release() == 0)
perror("yk_release() failed");
out20:
/* free iniparser dictionary */
iniparser_freedict(ini);
out10:
/* wipe response (cleartext password!) from memory */
/* This is statically allocated and always save to wipe! */
memset(challenge_old, 0, CHALLENGELEN + 1);
memset(challenge_new, 0, CHALLENGELEN + 1);
memset(response_old, 0, RESPONSELEN);
memset(response_new, 0, RESPONSELEN);
memset(passphrase_old, 0, PASSPHRASELEN + 1);
memset(passphrase_new, 0, PASSPHRASELEN + 1);
free(passphrase);
free(new_2nd_factor_verify);
free(new_2nd_factor);
free(second_factor);
return rc;
}
int main(int argc, char **argv) {
char challenge_old[CHALLENGELEN + 1],
challenge_new[CHALLENGELEN + 1],
repose_old[RESPONSELEN],
repose_new[RESPONSELEN],
passphrase_old[PASSPHRASELEN + 1],
passphrase_new[PASSPHRASELEN + 1];
char challengefilename[sizeof(CHALLENGEDIR) + 11 /* "/challenge-" */ + 10 /* unsigned int in char */ + 1],
challengefiletmpname[sizeof(CHALLENGEDIR) + 11 /* "/challenge-" */ + 10 /* unsigned int in char */ + 7 /* -XXXXXX */ + 1];
int challengefile = 0, challengefiletmp = 0;
struct timeval tv;
int i;
int8_t rc = EXIT_FAILURE;
/* cryptsetup */
char * device_name;
int8_t luks_slot = -1;
struct crypt_device *cd;
crypt_status_info cs;
crypt_keyslot_info ck;
/* yubikey */
YK_KEY * yk;
uint8_t yk_slot = SLOT_CHAL_HMAC2;
unsigned int serial = 0;
/* iniparser */
dictionary * ini;
char section_ykslot[10 /* unsigned int in char */ + 1 + sizeof(CONFYKSLOT) + 1];
char section_luksslot[10 /* unsigned int in char */ + 1 + sizeof(CONFLUKSSLOT) + 1];
/* initialize random seed */
gettimeofday(&tv, NULL);
srand(tv.tv_usec * tv.tv_sec);
memset(challenge_old, 0, CHALLENGELEN + 1);
memset(challenge_new, 0, CHALLENGELEN + 1);
memset(repose_old, 0, RESPONSELEN);
memset(repose_new, 0, RESPONSELEN);
memset(passphrase_old, 0, PASSPHRASELEN + 1);
memset(passphrase_new, 0, PASSPHRASELEN + 1);
if ((ini = iniparser_load(CONFIGFILE)) == NULL) {
rc = EXIT_FAILURE;
fprintf(stderr, "Could not parse configuration file.\n");
goto out10;
}
if ((device_name = iniparser_getstring(ini, "general:" CONFDEVNAME, NULL)) == NULL) {
rc = EXIT_FAILURE;
/* read from crypttab? */
/* get device from currently open devices? */
fprintf(stderr, "Could not read LUKS device from configuration file.\n");
goto out20;
}
/* init and open first Yubikey */
if ((rc = yk_init()) < 0) {
perror("yk_init() failed");
goto out20;
}
if ((yk = yk_open_first_key()) == NULL) {
rc = EXIT_FAILURE;
perror("yk_open_first_key() failed");
goto out30;
}
/* read the serial number from key */
if ((rc = yk_get_serial(yk, 0, 0, &serial)) < 0) {
perror("yk_get_serial() failed");
goto out40;
}
/* get the yk slot */
sprintf(section_ykslot, "%d:" CONFYKSLOT, serial);
yk_slot = iniparser_getint(ini, "general:" CONFYKSLOT, yk_slot);
yk_slot = iniparser_getint(ini, section_ykslot, yk_slot);
switch (yk_slot) {
case 1:
case SLOT_CHAL_HMAC1:
yk_slot = SLOT_CHAL_HMAC1;
break;
case 2:
case SLOT_CHAL_HMAC2:
default:
yk_slot = SLOT_CHAL_HMAC2;
break;
}
/* get the luks slot */
sprintf(section_luksslot, "%d:" CONFLUKSSLOT, serial);
luks_slot = iniparser_getint(ini, section_luksslot, luks_slot);
if (luks_slot < 0) {
rc = EXIT_FAILURE;
fprintf(stderr, "Please set LUKS key slot for Yubikey with serial %d!\n", serial);
printf("Add something like this to " CONFIGFILE ":\n\n[%d]\nluks slot = 1\n", serial);
goto out40;
}
/* get random number and limit to printable ASCII character (32 to 126) */
for(i = 0; i < CHALLENGELEN; i++)
challenge_new[i] = (rand() % (126 - 32)) + 32;
/* do challenge/response and encode to hex */
if ((rc = yk_challenge_response(yk, yk_slot, true,
CHALLENGELEN, (unsigned char *)challenge_new,
RESPONSELEN, (unsigned char *)repose_new)) < 0) {
perror("yk_challenge_response() failed");
goto out40;
}
yubikey_hex_encode((char *)passphrase_new, (char *)repose_new, 20);
/* initialize crypt device */
if ((rc = crypt_init_by_name(&cd, device_name)) < 0) {
fprintf(stderr, "Device %s failed to initialize.\n", device_name);
goto out40;
}
/* these are the filenames for challenge
* we need this for reading and writing */
sprintf(challengefilename, CHALLENGEDIR "/challenge-%d", serial);
sprintf(challengefiletmpname, CHALLENGEDIR "/challenge-%d-XXXXXX", serial);
/* write new challenge to file */
if ((rc = challengefiletmp = mkstemp(challengefiletmpname)) < 0) {
fprintf(stderr, "Could not open file %s for writing.\n", challengefiletmpname);
goto out50;
}
if ((rc = write(challengefiletmp, challenge_new, CHALLENGELEN)) < 0) {
fprintf(stderr, "Failed to write challenge to file.\n");
goto out60;
}
challengefiletmp = close(challengefiletmp);
/* get status of crypt device
* We expect this to be active (or busy). It is the actual root device, no? */
cs = crypt_status(cd, device_name);
if (cs != CRYPT_ACTIVE && cs != CRYPT_BUSY) {
rc = EXIT_FAILURE;
fprintf(stderr, "Device %s is invalid or inactive.\n", device_name);
goto out60;
}
ck = crypt_keyslot_status(cd, luks_slot);
if (ck == CRYPT_SLOT_INVALID) {
rc = EXIT_FAILURE;
fprintf(stderr, "Key slot %d is invalid.\n", luks_slot);
goto out60;
} else if (ck == CRYPT_SLOT_ACTIVE || ck == CRYPT_SLOT_ACTIVE_LAST) {
/* read challenge from file */
if ((rc = challengefile = open(challengefilename, O_RDONLY)) < 0) {
perror("Failed opening challenge file for reading");
goto out60;
}
if ((rc = read(challengefile, challenge_old, CHALLENGELEN)) < 0) {
perror("Failed reading challenge from file");
goto out60;
}
challengefile = close(challengefile);
/* finished reading challenge */
/* do challenge/response and encode to hex */
if ((rc = yk_challenge_response(yk, yk_slot, true,
CHALLENGELEN, (unsigned char *)challenge_old,
RESPONSELEN, (unsigned char *)repose_old)) < 0) {
perror("yk_challenge_response() failed");
goto out60;
}
yubikey_hex_encode((char *)passphrase_old, (char *)repose_old, 20);
if ((rc = crypt_keyslot_change_by_passphrase(cd, luks_slot, luks_slot,
passphrase_old, PASSPHRASELEN,
passphrase_new, PASSPHRASELEN)) < 0) {
fprintf(stderr, "Could not update passphrase for key slot %d.\n", luks_slot);
goto out60;
}
if ((rc = unlink(challengefilename)) < 0) {
fprintf(stderr, "Failed to delete old challenge file.\n");
goto out60;
}
} else { /* ck == CRYPT_SLOT_INACTIVE */
if ((rc = crypt_keyslot_add_by_passphrase(cd, luks_slot, NULL, 0,
passphrase_new, PASSPHRASELEN)) < 0) {
fprintf(stderr, "Could add passphrase for key slot %d.\n", luks_slot);
goto out60;
}
}
if ((rc = rename(challengefiletmpname, challengefilename)) < 0) {
fprintf(stderr, "Failed to rename new challenge file.\n");
goto out60;
}
rc = EXIT_SUCCESS;
out60:
/* close the challenge file */
if (challengefile)
close(challengefile);
if (challengefiletmp)
close(challengefiletmp);
if (access(challengefiletmpname, F_OK) == 0 )
unlink(challengefiletmpname);
out50:
/* free crypt context */
crypt_free(cd);
out40:
/* close Yubikey */
if (!yk_close_key(yk))
perror("yk_close_key() failed");
out30:
/* release Yubikey */
if (!yk_release())
perror("yk_release() failed");
out20:
/* free iniparser dictionary */
iniparser_freedict(ini);
out10:
/* wipe response (cleartext password!) from memory */
/* This is statically allocated and always save to wipe! */
memset(challenge_old, 0, CHALLENGELEN + 1);
memset(challenge_new, 0, CHALLENGELEN + 1);
memset(repose_old, 0, RESPONSELEN);
memset(repose_new, 0, RESPONSELEN);
memset(passphrase_old, 0, PASSPHRASELEN + 1);
memset(passphrase_new, 0, PASSPHRASELEN + 1);
return rc;
}
