From 147dcb1bfe523c2024a40d6ab68564b983ed7a56 Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Wed, 16 Sep 2015 09:59:35 +0200 Subject: [PATCH 01/12] don't auto-select windows backend on else less confusing to fall through, also better message for no pcsc library found --- configure.ac | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index ff69bb9..eb453ba 100644 --- a/configure.ac +++ b/configure.ac @@ -79,11 +79,12 @@ fi if test "x$with_backend" = xcheck; then AC_CHECK_HEADERS([PCSC/winscard.h]) + AC_CHECK_HEADERS([winscard.h]) AC_MSG_CHECKING([between Mac/Windows winscard]) if test "x$ac_cv_header_PCSC_winscard_h" = xyes; then with_backend=macscard AC_MSG_RESULT([Mac]) - else + elif test "x$ac_cv_header_winscard_h" = xyes; then with_backend=winscard AC_MSG_RESULT([Windows]) fi @@ -120,7 +121,7 @@ if test "x$with_backend" = xpcsc || test "x$with_backend" = xwinscard \ || test "x$with_backend" = xmacscard; then AC_DEFINE([BACKEND_PCSC], 1, [Define to 1 if you the PCSC backend.]) else - AC_MSG_ERROR([cannot find PCSC/winscard library/headers]) + AC_MSG_ERROR([cannot find PCSC library]) fi AC_ARG_ENABLE([coverage], From d30f6fc781f403b156f4fe4548cb23651e8a6a84 Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Wed, 16 Sep 2015 14:32:30 +0200 Subject: [PATCH 02/12] unblock-pin shouldn't tell you new puk --- tool/yubico-piv-tool.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c index a1b278d..cf6e463 100644 --- a/tool/yubico-piv-tool.c +++ b/tool/yubico-piv-tool.c 
@@ -978,7 +978,7 @@ static bool change_pin(ykpiv_state *state, enum enum_action action, const char * char pinbuf[9] = {0}; char new_pinbuf[9] = {0}; const char *name = action == action_arg_changeMINUS_pin ? "pin" : "puk"; - const char *new_name = action == action_arg_changeMINUS_pin ? "new pin" : "new puk"; + const char *new_name = action == action_arg_changeMINUS_puk ? "new puk" : "new pin"; int sw; size_t pin_len; size_t new_len; From b952a4a3c5368e691a2cb97b6516379391a794ee Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Wed, 16 Sep 2015 16:21:54 +0200 Subject: [PATCH 03/12] Output a no if nothing is found on windows/mac check --- configure.ac | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configure.ac b/configure.ac index eb453ba..d6bda08 100644 --- a/configure.ac +++ b/configure.ac @@ -87,6 +87,8 @@ if test "x$with_backend" = xcheck; then elif test "x$ac_cv_header_winscard_h" = xyes; then with_backend=winscard AC_MSG_RESULT([Windows]) + else + AC_MSG_RESULT([no]) fi fi From 17ebced2e6968b40ce7e331a4f782cc682309ff3 Mon Sep 17 00:00:00 2001 From: Alessio Di Mauro Date: Thu, 24 Sep 2015 14:20:25 +0200 Subject: [PATCH 04/12] Mask more one pin change. --- tool/yubico-piv-tool.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c index cf6e463..a86e88a 100644 --- a/tool/yubico-piv-tool.c +++ b/tool/yubico-piv-tool.c @@ -1021,7 +1021,7 @@ static bool change_pin(ykpiv_state *state, enum enum_action action, const char * return false; } else if(sw != 0x9000) { if((sw >> 8) == 0x63) { - int tries = sw & 0xff; + int tries = sw & 0xf; fprintf(stderr, "Failed verifying %s code, now %d tries left before blocked.\n", name, tries); } else if(sw == 0x6983) { From 7640d342455807c7ef40642293795cd3f09dd595 Mon Sep 17 00:00:00 2001 
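Review bot: The new mask `sw & 0xf` assumes the 63CX form of the status word, but the enclosing test `if((sw >> 8) == 0x63)` still admits any 63xx word, so a status that carries no retry counter (ISO 7816-4 defines 0x6300 as a warning with no information) would be reported as `0 tries left`. Tightening the guard to `if((sw & 0xfff0) == 0x63c0) {` confines the counter path to the words the mask is valid for and lets the remaining branches report the raw status instead. The enclosing change_pin starts and ends outside the hunk.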
From: Klas Lindfors Date: Mon, 28 Sep 2015 11:15:30 +0200 Subject: [PATCH 05/12] use 261 byte buffer for receive --- lib/ykpiv.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/lib/ykpiv.c b/lib/ykpiv.c index 2c50af3..96ccd55 100644 --- a/lib/ykpiv.c +++ b/lib/ykpiv.c @@ -244,8 +244,8 @@ ykpiv_rc ykpiv_transfer_data(ykpiv_state *state, const unsigned char *templ, } do { size_t this_size = 0xff; - unsigned long recv_len = 0xff; - unsigned char data[0xff]; + unsigned char data[261]; + unsigned long recv_len = sizeof(data); APDU apdu; memset(apdu.raw, 0, sizeof(apdu.raw)); @@ -281,8 +281,8 @@ ykpiv_rc ykpiv_transfer_data(ykpiv_state *state, const unsigned char *templ, } while(in_ptr < in_data + in_len); while(*sw >> 8 == 0x61) { APDU apdu; - unsigned long recv_len = 0xff; - unsigned char data[0xff]; + unsigned char data[261]; + unsigned long recv_len = sizeof(data); if(state->verbose > 2) { fprintf(stderr, "The card indicates there is %d bytes more data for us.\n", *sw & 0xff); @@ -348,7 +348,7 @@ static ykpiv_rc send_data(ykpiv_state *state, APDU *apdu, ykpiv_rc ykpiv_authenticate(ykpiv_state *state, unsigned const char *key) { APDU apdu; - unsigned char data[0xff]; + unsigned char data[261]; DES_cblock challenge; unsigned long recv_len = sizeof(data); int sw; @@ -391,7 +391,7 @@ ykpiv_rc ykpiv_authenticate(ykpiv_state *state, unsigned const char *key) { DES_cblock response; DES_ecb3_encrypt(&challenge, &response, &ks1, &ks2, &ks3, 0); - recv_len = 0xff; + recv_len = sizeof(data); memset(apdu.raw, 0, sizeof(apdu)); apdu.st.ins = YKPIV_INS_AUTHENTICATE; apdu.st.p1 = YKPIV_ALGO_3DES; /* triple des */ @@ -434,7 +434,7 @@ ykpiv_rc ykpiv_authenticate(ykpiv_state *state, unsigned const char *key) { ykpiv_rc ykpiv_set_mgmkey(ykpiv_state *state, const unsigned char *new_key) { APDU apdu; - unsigned char data[0xff]; + unsigned char data[261]; unsigned long recv_len = sizeof(data); int sw; size_t i; 
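Review bot: The literal 261 is introduced in six declarations across lib/ykpiv.c (ykpiv_transfer_data twice, ykpiv_authenticate, ykpiv_set_mgmkey, ykpiv_get_version, ykpiv_verify) with nothing saying what the size represents, and the two `recv_len = sizeof(data)` assignments in ykpiv_authenticate only stay in step with it by convention; one named constant defined once near the top of the file, e.g. `#define YKPIV_RECV_BUF_LEN 261` (constructed name) with `unsigned char data[YKPIV_RECV_BUF_LEN];` at each site, gives the number a single home and a single explanation. In ykpiv_transfer_data the received chunk is presumably appended to the caller's output buffer further down the function, outside the hunk; since each response may now be up to 261 rather than 255 bytes, it is worth confirming that copy is bounded by the caller's output length and not by recv_len. All of the affected function bodies continue outside the hunks.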
@@ -629,7 +629,7 @@ ykpiv_rc ykpiv_decipher_data(ykpiv_state *state, const unsigned char *in, ykpiv_rc ykpiv_get_version(ykpiv_state *state, char *version, size_t len) { APDU apdu; - unsigned char data[0xff]; + unsigned char data[261]; unsigned long recv_len = sizeof(data); int sw; ykpiv_rc res; @@ -651,7 +651,7 @@ ykpiv_rc ykpiv_get_version(ykpiv_state *state, char *version, size_t len) { ykpiv_rc ykpiv_verify(ykpiv_state *state, const char *pin, int *tries) { APDU apdu; - unsigned char data[0xff]; + unsigned char data[261]; unsigned long recv_len = sizeof(data); int sw; size_t len = 0; From f36c7619b0a4b860810052b92f0af040207e15d2 Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Thu, 1 Oct 2015 14:49:41 +0200 Subject: [PATCH 06/12] NEWS for 1.0.3 --- NEWS | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 334a654..cc5ac89 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,12 @@ yubico-piv-tool NEWS -- History of user-visible changes. -*- outline -*- -* Version 1.0.3 (unreleased) +* Version 1.0.3 (released 2015-10-01) + +** Correct wording on unblock-pin action. + +** Show pin retries correctly. + +** Use a bigger buffer for receiving data. * Version 1.0.2 (released 2015-09-04) From 9855e20a14d8467afc1f5b30e62ed4821a400a3a Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Thu, 1 Oct 2015 14:58:53 +0200 Subject: [PATCH 07/12] bump version --- configure.ac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index d6bda08..98bf0f2 100644 --- a/configure.ac +++ b/configure.ac @@ -26,7 +26,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -AC_INIT([yubico-piv-tool], [1.0.3]) +AC_INIT([yubico-piv-tool], [1.0.4]) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_MACRO_DIR([m4]) 
@@ -35,7 +35,7 @@ AC_CONFIG_MACRO_DIR([m4])
 # Interfaces added: AGE++
 # Interfaces removed: AGE=0
 AC_SUBST([LT_CURRENT], 1)
-AC_SUBST([LT_REVISION], 8)
+AC_SUBST([LT_REVISION], 9)
 AC_SUBST([LT_AGE], 0)
 
 AM_INIT_AUTOMAKE([-Wall -Werror foreign])
From f2da95e599833ae71caf391370a815b0d5df461d Mon Sep 17 00:00:00 2001
From: Klas Lindfors
Date: Thu, 1 Oct 2015 15:06:08 +0200
Subject: [PATCH 08/12] bump version in NEWS
---
 NEWS | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/NEWS b/NEWS
index cc5ac89..69d5743 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,7 @@
 yubico-piv-tool NEWS -- History of user-visible changes. -*- outline -*-
 
+* Version 1.0.4 (unreleased)
+
 * Version 1.0.3 (released 2015-10-01)
 
 ** Correct wording on unblock-pin action.
From 4ecd34c8e3b77f673aafcb464e52269fd4bf6228 Mon Sep 17 00:00:00 2001
From: Klas Lindfors
Date: Wed, 7 Oct 2015 14:40:55 +0200
Subject: [PATCH 09/12] try travis for osx
---
 .travis.yml | 11 ++++++-----
 build-and-test.sh | 24 +++++++++++++++++++++---
 mac.mk | 2 +-
 3 files changed, 28 insertions(+), 9 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 5d91991..0f39fff 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,4 +1,7 @@
 language: c
+os:
+ - osx
+ - linux
 compiler:
 - gcc
 - clang
@@ -6,16 +9,14 @@ env:
 - EXTRA=libpcsclite-dev
 script:
 - ./build-and-test.sh
-before_install:
- - sudo apt-get update -qq
- - sudo apt-get remove -qq -y $REMOVE
- - sudo apt-get autoremove -qq
- - sudo apt-get install -qq -y gengetopt help2man $EXTRA
 matrix:
 include:
 - compiler: gcc
+ os: linux
 env: EXTRA="wine mingw-w64 mingw-w64-dev" REMOVE=mingw32 ARCH=32
 - compiler: gcc
+ os: linux
 env: EXTRA="wine mingw-w64 mingw-w64-dev" REMOVE=mingw32 ARCH=64
 - compiler: gcc
+ os: linux
 env: COVERAGE="--enable-coverage" EXTRA="libpcsclite-dev lcov"
diff --git a/build-and-test.sh b/build-and-test.sh
index 4c07d45..956d835 100755
--- a/build-and-test.sh
+++ b/build-and-test.sh
@@ -4,13 +4,31 @@ set -e autoreconf -i +if [ "x$TRAVIS_OS_NAME" != "xosx" ]; then + sudo apt-get update -qq + sudo apt-get remove -qq -y $REMOVE + sudo apt-get autoremove -qq + sudo apt-get install -qq -y gengetopt help2man $EXTRA + TAR=tar +else + ARCH=osx + brew update + brew install help2man + brew install pkg-config + brew install gengetopt + brew install gnu-tar + TAR=gtar +fi if [ "x$ARCH" != "x" ]; then version=`cat NEWS | grep unreleased | cut -d' ' -f3` set +e - tar --exclude .git --transform="s/^\./yubico-piv-tool-${version}/" -czf yubico-piv-tool-${version}.tar.gz . + $TAR --exclude .git --transform="s/^\./yubico-piv-tool-${version}/" -czf yubico-piv-tool-${version}.tar.gz . set -e - - make -f windows.mk ${ARCH}bit VERSION=$version + if [ "x$ARCH" != "xosx" ]; then + make -f windows.mk ${ARCH}bit VERSION=$version + else + make -f mac.mk mac VERSION=$version + fi else ./configure $COVERAGE make check diff --git a/mac.mk b/mac.mk index 1c4ffc4..30e7d35 100644 --- a/mac.mk +++ b/mac.mk @@ -61,7 +61,7 @@ doit: tar xfz $(PACKAGE)-$(VERSION).tar.gz && \ cd $(PACKAGE)-$(VERSION)/ && \ PKG_CONFIG_PATH=$(PWD)/tmp/root/lib/pkgconfig ./configure --prefix=$(PWD)/tmp/root && \ - make install check && \ + make install $(CHECK) && \ chmod u+w $(PWD)/tmp/root/lib/libcrypto.1.0.0.dylib && \ install_name_tool -id @executable_path/../lib/libcrypto.1.0.0.dylib $(PWD)/tmp/root/lib/libcrypto.1.0.0.dylib && \ install_name_tool -id @executable_path/../lib/libykpiv.1.dylib $(PWD)/tmp/root/lib/libykpiv.1.dylib && \ From 69326b868d3f051116324bc89bc57b528b8adbaa Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Fri, 9 Oct 2015 10:40:59 +0200 Subject: [PATCH 10/12] actually run valgrind for the tests --- lib/tests/Makefile.am | 2 +- tool/tests/Makefile.am | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/tests/Makefile.am b/lib/tests/Makefile.am index 1f9ba54..61b4d64 100644 --- a/lib/tests/Makefile.am +++ b/lib/tests/Makefile.am 
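Review bot: With `ARCH=osx` set unconditionally in the new osx branch, the `[ "x$ARCH" != "x" ]` test below always takes the tarball/package path on macOS, so the plain `./configure $COVERAGE` plus `make check` build in the else branch never runs there; at the same time the mac.mk hunk in this commit replaces `make install check` with `make install $(CHECK)` and defines CHECK nowhere in the hunk, so unless mac.mk sets it elsewhere the macOS job now builds without running any tests. If that is deliberate it should be stated, e.g. `# CHECK=check runs the test suite after install; empty by default` above the mac.mk rule, and passing `make -f mac.mk mac VERSION=$version CHECK=check` from this script would keep the macOS CI job exercising the tests. The `brew install` lines rely on the script's `set -e` for failure handling, which is consistent with the rest of the file. The script continues after this hunk.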
@@ -34,4 +34,4 @@ LDADD = ../libykpiv.la check_PROGRAMS = basic parse_key TESTS = $(check_PROGRAMS) -TESTS_ENVIRONMENT = $(VALGRIND) +LOG_COMPILER = $(VALGRIND) diff --git a/tool/tests/Makefile.am b/tool/tests/Makefile.am index b0d9766..7148d1d 100644 --- a/tool/tests/Makefile.am +++ b/tool/tests/Makefile.am @@ -26,7 +26,8 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. TESTS_ENVIRONMENT = export VERSION=$(PACKAGE_VERSION); export EXEEXT=$(EXEEXT); -TESTS_ENVIRONMENT += $(VALGRIND) + +LOG_COMPILER = $(VALGRIND) AM_CFLAGS = $(WARN_CFLAGS) AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_builddir)/lib From 777b40b3c2a1b1c5f59914e47c4acb07144f8add Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Fri, 9 Oct 2015 11:14:58 +0200 Subject: [PATCH 11/12] read key from stdin if no key is given as argument --- tool/cmdline.ggo | 2 +- tool/yubico-piv-tool.c | 11 ++++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/tool/cmdline.ggo b/tool/cmdline.ggo index ec984ff..eefa59d 100644 --- a/tool/cmdline.ggo +++ b/tool/cmdline.ggo @@ -27,7 +27,7 @@ option "verbose" v "Print more information" int optional default="0" argoptional option "reader" r "Only use a matching reader" string optional default="Yubikey" -option "key" k "Authentication key to use" string optional default="010203040506070801020304050607080102030405060708" +option "key" k "Authentication key to use" string optional default="010203040506070801020304050607080102030405060708" argoptional option "action" a "Action to take" values="version","generate","set-mgm-key", "reset","pin-retries","import-key","import-certificate","set-chuid", "request-certificate","verify-pin","change-pin","change-puk","unblock-pin", diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c index a86e88a..0ae43f9 100644 --- a/tool/yubico-piv-tool.c +++ b/tool/yubico-piv-tool.c 
@@ -1754,7 +1754,16 @@ int main(int argc, char *argv[]) { if(needs_auth) { unsigned char key[KEY_LEN]; size_t key_len = sizeof(key); - if(ykpiv_hex_decode(args_info.key_arg, strlen(args_info.key_arg), key, &key_len) != YKPIV_OK) { + char keybuf[KEY_LEN*2+1]; + char *key_ptr = args_info.key_arg; + if(args_info.key_given && args_info.key_orig == NULL) { + if(!read_pw("management key", keybuf, sizeof(keybuf), false)) { + fprintf(stderr, "Failed to read management key from stdin,\n"); + return EXIT_FAILURE; + } + key_ptr = keybuf; + } + if(ykpiv_hex_decode(key_ptr, strlen(key_ptr), key, &key_len) != YKPIV_OK) { fprintf(stderr, "Failed decoding key!\n"); return EXIT_FAILURE; } From 066ea79211c0dfbdf05719c35235d17583b6fde7 Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Thu, 15 Oct 2015 09:20:42 +0200 Subject: [PATCH 12/12] fixup what PIV actually stands for fixes #32 --- doc/YubiKey_NEO_PIV_introduction.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/YubiKey_NEO_PIV_introduction.adoc b/doc/YubiKey_NEO_PIV_introduction.adoc index b99dffe..51c8d4d 100644 --- a/doc/YubiKey_NEO_PIV_introduction.adoc +++ b/doc/YubiKey_NEO_PIV_introduction.adoc @@ -1,7 +1,7 @@ Introduction to the YubiKey NEO PIV Applet ========================================== -The YubiKey NEO supports the Privilege and Identification Card (PIV) +The YubiKey NEO supports the Personal Identity Verification (PIV) card interface specified in NIST SP 800-73 document "Cryptographic Algorithms and Key Sizes for PIV". This enables you to perform RSA or ECC sign/decrypt operations using a private key stored on the
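Review bot: The management key read via `read_pw` stays in `keybuf`, and after `ykpiv_hex_decode` also in `key`, for the rest of main with no wipe once the key has been used (the use site is further down, outside the hunk); both buffers should be cleared before main returns, and because a plain `memset` on a stack buffer that is about to go out of scope may be dropped by the optimiser, a `volatile`-pointer loop or an explicit-zeroing helper is the safer choice. The message `"Failed to read management key from stdin,\n"` ends with a comma where a period is meant. main begins and ends outside the hunk.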