Hello community, here is the log from the commit of package ykpers for openSUSE:Factory checked in at 2019-07-16 08:41:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ykpers (Old) and /work/SRC/openSUSE:Factory/.ykpers.new.1887 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ykpers" Tue Jul 16 08:41:14 2019 rev:9 rq:715345 version:1.20.0 Changes: -------- --- /work/SRC/openSUSE:Factory/ykpers/ykpers.changes 2019-02-25 17:53:52.522515543 +0100 +++ /work/SRC/openSUSE:Factory/.ykpers.new.1887/ykpers.changes 2019-07-16 08:41:21.403036888 +0200 @@ -1,0 +2,10 @@ +Sun Jul 14 19:37:26 UTC 2019 - Karol Babioch <[email protected]> + +- Version 1.20.0 (released 2019-07-03d) + - Add yk_open_key_vid_pid() allowing vid and pid to be specified. + - Documentation fixes. + - Clear potentially sensitive material from buffers. + - Fix potential buffer overwrite. +- Applied spec-cleaner + +------------------------------------------------------------------- Old: ---- ykpers-1.19.3.tar.gz ykpers-1.19.3.tar.gz.sig New: ---- ykpers-1.20.0.tar.gz ykpers-1.20.0.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ykpers.spec ++++++ --- /var/tmp/diff_new_pack.Wsuk82/_old 2019-07-16 08:41:21.923037062 +0200 +++ /var/tmp/diff_new_pack.Wsuk82/_new 2019-07-16 08:41:21.923037062 +0200 
@@ -17,22 +17,21 @@ Name: ykpers -Version: 1.19.3 +Version: 1.20.0 Release: 0 Summary: Reference implementation for configuration of YubiKeys License: BSD-2-Clause Group: Productivity/Networking/Security -Url: https://developers.yubico.com/yubikey-personalization/ -Source: https://developers.yubico.com/yubikey-personalization/Releases/ykpers-%{version}.tar.gz +URL: https://developers.yubico.com/yubikey-personalization/ +Source0: https://developers.yubico.com/yubikey-personalization/Releases/ykpers-%{version}.tar.gz Source1: https://developers.yubico.com/yubikey-personalization/Releases/ykpers-%{version}.tar.gz.sig -Source2: %name.keyring -Provides: yubikey-personalization = %{version} -BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildRequires: libyubikey-devel => 1.12 -BuildRequires: pkg-config -BuildRequires: pkgconfig(json-c) => 0.10 +Source2: %{name}.keyring +BuildRequires: libyubikey-devel >= 1.12 +BuildRequires: pkgconfig +BuildRequires: pkgconfig(json-c) >= 0.10 BuildRequires: pkgconfig(libusb-1.0) BuildRequires: pkgconfig(udev) +Provides: yubikey-personalization = %{version} %description Yubico's YubiKey can be re-programmed. This project provides a reference implementation for configuration of YubiKeys. @@ -68,17 +67,15 @@ %install %make_install -find %{buildroot}%{_libdir} -type f -name '*.la' -delete -print +find %{buildroot} -type f -name "*.la" -delete -print %post %{?udev_rules_update:%udev_rules_update} %post -n libykpers-1-1 -p /sbin/ldconfig - %postun -n libykpers-1-1 -p /sbin/ldconfig %files -%defattr(-,root,root) %doc ChangeLog README %license COPYING %{_bindir}/* 
@@ -86,11 +83,9 @@ %{_udevrulesdir}/*-yubikey.rules %files -n libykpers-1-1 -%defattr(-,root,root) %{_libdir}/libykpers-1.so.* %files -n libykpers-devel -%defattr(-,root,root) %dir %{_includedir}/ykpers-1 %{_includedir}/ykpers-1/*.h %{_libdir}/pkgconfig/ykpers-1.pc ++++++ ykpers-1.19.3.tar.gz -> ykpers-1.20.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ykpers-1.19.3/ChangeLog new/ykpers-1.20.0/ChangeLog --- old/ykpers-1.19.3/ChangeLog 2019-02-22 09:11:03.000000000 +0100 +++ new/ykpers-1.20.0/ChangeLog 2019-07-03 14:06:34.000000000 +0200 
@@ -1,3 +1,60 @@ +2019-07-03 Klas Lindfors <[email protected]> + + * NEWS: NEWS for 1.20.0 + +2019-04-23 Klas Lindfors <[email protected]> + + * : commit 72a8a15cd4ea24abd4a16ac2db2a964dad5ef81e Author: Ernie + Hershey <[email protected]> Date: Thu Apr 18 17:09:30 2019 -0400 + +2019-03-15 Klas Lindfors <[email protected]> + + * : commit 731d6b5cee16670e896ceddd8badb3704f1664da Merge: 3bd3104 + 5b29733 Author: Klas Lindfors <[email protected]> Date: Fri Mar 15 + 09:06:32 2019 +0100 + +2019-03-15 Klas Lindfors <[email protected]> + + * : commit f0ae7670a4f5b04419a85855b9cb889d19826d46 Author: Gabriel + Kihlman <[email protected]> Date: Thu Mar 14 12:35:19 2019 + +0100 + +2019-03-14 Gabriel Kihlman <[email protected]> + + * ykpers.c: Clear potentially sensitive material from stack + allocated buffer + +2019-03-14 Gabriel Kihlman <[email protected]> + + * ykcore/ykcore.c: Return the handle to the opened key + +2019-03-11 Klas Lindfors <[email protected]> + + * : Merge pull request #139 from Yubico/open_vid_pid add yk_open_key_vid_pid() function allowing vid and pid to be + specified + +2019-03-05 pedro martelletto <[email protected]> + + * contrib/oath-unlock-reprogram.sh: contrib/oath-unlock-reprogram: + rely on /dev/urandom's distribution as per https://github.com/Yubico/developers.yubico.com/issues/87 + +2019-03-05 pedro martelletto <[email protected]> + + * ykpersonalize.1.adoc: ykpersonalize.1: rely on /dev/urandom's + distribution to generate secrets as per https://github.com/Yubico/developers.yubico.com/issues/87 + +2019-03-04 Klas Lindfors <[email protected]> + + * configure.ac, libykpers-1.map, ykcore/ykcore.c, ykcore/ykcore.h, + ykcore/ykcore_backend.h, ykcore/ykcore_libusb-1.0.c, + ykcore/ykcore_libusb.c, ykcore/ykcore_osx.c, ykcore/ykcore_stub.c, + ykcore/ykcore_windows.c: add yk_open_key_vid_pid() function allowing + vid and pid to be specified fixes #136 + +2019-02-22 Klas Lindfors <[email protected]> + + * NEWS, configure.ac: bump version to 1.19.4 + 
2019-02-22 Klas Lindfors <[email protected]> * NEWS: NEWS for 1.19.3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ykpers-1.19.3/NEWS new/ykpers-1.20.0/NEWS --- old/ykpers-1.19.3/NEWS 2019-02-22 09:10:01.000000000 +0100 +++ new/ykpers-1.20.0/NEWS 2019-07-03 14:03:23.000000000 +0200 @@ -1,5 +1,15 @@ Yubikey-personalize NEWS -- History of user-visible changes. -*- outline -*- +* Version 1.20.0 (released 2019-07-03d) + +** Add yk_open_key_vid_pid() allowing vid and pid to be specified. + +** Documentation fixes. + +** Clear potentially sensitive material from buffers. + +** Fix potential buffer overwrite. + * Version 1.19.3 (released 2019-02-22) ** Fix capability read. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ykpers-1.19.3/configure new/ykpers-1.20.0/configure --- old/ykpers-1.19.3/configure 2019-02-22 08:38:42.000000000 +0100 +++ new/ykpers-1.20.0/configure 2019-04-23 09:52:29.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for yubikey-personalization 1.19.3. +# Generated by GNU Autoconf 2.69 for yubikey-personalization 1.20.0. # # Report bugs to <[email protected]>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='yubikey-personalization' PACKAGE_TARNAME='ykpers' -PACKAGE_VERSION='1.19.3' -PACKAGE_STRING='yubikey-personalization 1.19.3' +PACKAGE_VERSION='1.20.0' +PACKAGE_STRING='yubikey-personalization 1.20.0' PACKAGE_BUGREPORT='[email protected]' PACKAGE_URL='https://developers.yubico.com/yubikey-personalization/' 
@@ -1386,7 +1386,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures yubikey-personalization 1.19.3 to adapt to many kinds of systems. +\`configure' configures yubikey-personalization 1.20.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1457,7 +1457,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of yubikey-personalization 1.19.3:";; + short | recursive ) echo "Configuration of yubikey-personalization 1.20.0:";; esac cat <<\_ACEOF @@ -1590,7 +1590,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -yubikey-personalization configure 1.19.3 +yubikey-personalization configure 1.20.0 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1868,7 +1868,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by yubikey-personalization $as_me 1.19.3, which was +It was created by yubikey-personalization $as_me 1.20.0, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2251,11 +2251,11 @@ # Interfaces changed/added/removed: CURRENT++ REVISION=0 # Interfaces added: AGE++ # Interfaces removed: AGE=0 -LT_CURRENT=20 +LT_CURRENT=21 -LT_REVISION=3 +LT_REVISION=0 -LT_AGE=19 +LT_AGE=20 am__api_version='1.15' @@ -2744,7 +2744,7 @@ # Define the identity of the package. PACKAGE='ykpers' - VERSION='1.19.3' + VERSION='1.20.0' cat >>confdefs.h <<_ACEOF 
@@ -16025,7 +16025,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by yubikey-personalization $as_me 1.19.3, which was +This file was extended by yubikey-personalization $as_me 1.20.0, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -16083,7 +16083,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -yubikey-personalization config.status 1.19.3 +yubikey-personalization config.status 1.20.0 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ykpers-1.19.3/configure.ac new/ykpers-1.20.0/configure.ac --- old/ykpers-1.19.3/configure.ac 2019-02-20 15:34:51.000000000 +0100 +++ new/ykpers-1.20.0/configure.ac 2019-03-15 09:05:59.000000000 +0100 @@ -26,7 +26,7 @@ # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -AC_INIT([yubikey-personalization], [1.19.3], +AC_INIT([yubikey-personalization], [1.20.0], [[email protected]], [ykpers], [https://developers.yubico.com/yubikey-personalization/]) AC_CONFIG_AUX_DIR([build-aux]) 
@@ -36,9 +36,9 @@ # Interfaces changed/added/removed: CURRENT++ REVISION=0 # Interfaces added: AGE++ # Interfaces removed: AGE=0 -AC_SUBST(LT_CURRENT, 20) -AC_SUBST(LT_REVISION,3) -AC_SUBST(LT_AGE, 19) +AC_SUBST(LT_CURRENT, 21) +AC_SUBST(LT_REVISION,0) +AC_SUBST(LT_AGE, 20) AM_INIT_AUTOMAKE([1.11.3 -Wall -Werror]) AM_SILENT_RULES([yes]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ykpers-1.19.3/contrib/oath-unlock-reprogram.sh new/ykpers-1.20.0/contrib/oath-unlock-reprogram.sh --- old/ykpers-1.19.3/contrib/oath-unlock-reprogram.sh 2018-11-27 09:19:44.000000000 +0100 +++ new/ykpers-1.20.0/contrib/oath-unlock-reprogram.sh 2019-03-15 09:05:59.000000000 +0100 @@ -81,8 +81,8 @@ echo "notice: Found YubiKey serial $serialno with old unlock code $oldunlock..." - secret=`dd if=/dev/urandom bs=20 count=1 2>/dev/null | hexdump -v -e '/1 "%02x"'` - new_unlock=`dd if=/dev/urandom bs=6 count=1 2>/dev/null | hexdump -v -e '/1 "%02x"'` + secret=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -d '[:upper:]' | tr -cd '[:xdigit:]' | fold -w40 | head -1) + new_unlock=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -d '[:upper:]' | tr -cd '[:xdigit:]' | fold -w12 | head -1) seed=`dd if=/dev/urandom bs=2 count=1 2>/dev/null | hexdump -v -e '/2 "%u"'` seed=`expr "$seed" "*" 16` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ykpers-1.19.3/libykpers-1.map new/ykpers-1.20.0/libykpers-1.map --- old/ykpers-1.19.3/libykpers-1.map 2019-02-20 15:34:39.000000000 +0100 +++ new/ykpers-1.20.0/libykpers-1.map 2019-03-15 09:05:59.000000000 +0100 
@@ -279,3 +279,10 @@ yk_write_device_info; # Variables: } LIBYKPERS_1.18; + +LIBYKPERS_1.20 { + global: +# Functions: + yk_open_key_vid_pid; +# Variables: +} LIBYKPERS_1.19; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ykpers-1.19.3/ykcore/ykcore.c new/ykpers-1.20.0/ykcore/ykcore.c --- old/ykpers-1.19.3/ykcore/ykcore.c 2019-02-22 09:09:29.000000000 +0100 +++ new/ykpers-1.20.0/ykcore/ykcore.c 2019-03-15 09:06:50.000000000 +0100 @@ -80,14 +80,9 @@ return yk_open_key(0); } -YK_KEY *yk_open_key(int index) +YK_KEY *yk_open_key_vid_pid(int vid, const int* pids, size_t pids_len, int index) { - int pids[] = {YUBIKEY_PID, NEO_OTP_PID, NEO_OTP_CCID_PID, - NEO_OTP_U2F_PID, NEO_OTP_U2F_CCID_PID, YK4_OTP_PID, - YK4_OTP_U2F_PID, YK4_OTP_CCID_PID, YK4_OTP_U2F_CCID_PID, - PLUS_U2F_OTP_PID}; - - YK_KEY *yk = _ykusb_open_device(YUBICO_VID, pids, sizeof(pids) / sizeof(int), index); + YK_KEY *yk = _ykusb_open_device(vid, pids, pids_len, index); int rc = yk_errno; if (yk) { @@ -103,6 +98,16 @@ return yk; } +static const int yubico_pids[] = {YUBIKEY_PID, NEO_OTP_PID, NEO_OTP_CCID_PID, + NEO_OTP_U2F_PID, NEO_OTP_U2F_CCID_PID, YK4_OTP_PID, + YK4_OTP_U2F_PID, YK4_OTP_CCID_PID, YK4_OTP_U2F_CCID_PID, + PLUS_U2F_OTP_PID}; + +YK_KEY *yk_open_key(int index) +{ + return yk_open_key_vid_pid(YUBICO_VID, yubico_pids, sizeof(yubico_pids) / sizeof(yubico_pids[0]), index); +} + int yk_close_key(YK_KEY *yk) { return _ykusb_close_device(yk); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ykpers-1.19.3/ykcore/ykcore.h new/ykpers-1.20.0/ykcore/ykcore.h --- old/ykpers-1.19.3/ykcore/ykcore.h 2019-02-20 15:34:39.000000000 +0100 +++ new/ykpers-1.20.0/ykcore/ykcore.h 2019-03-15 09:05:59.000000000 +0100 
@@ -81,6 +81,7 @@ /* opens first key available. For backwards compatability */ extern YK_KEY *yk_open_first_key(void); extern YK_KEY *yk_open_key(int); /* opens nth key available */ +extern YK_KEY *yk_open_key_vid_pid(int, const int*, size_t, int); extern int yk_close_key(YK_KEY *k); /* closes a previously opened key */ /************************************************************************* diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ykpers-1.19.3/ykcore/ykcore_backend.h new/ykpers-1.20.0/ykcore/ykcore_backend.h --- old/ykpers-1.19.3/ykcore/ykcore_backend.h 2019-02-20 15:34:39.000000000 +0100 +++ new/ykpers-1.20.0/ykcore/ykcore_backend.h 2019-03-15 09:05:59.000000000 +0100 @@ -39,7 +39,7 @@ int _ykusb_start(void); int _ykusb_stop(void); -void * _ykusb_open_device(int vendor_id, int *product_ids, size_t pids_len, int index); +void * _ykusb_open_device(int vendor_id, const int *product_ids, size_t pids_len, int index); int _ykusb_close_device(void *); int _ykusb_read(void *dev, int report_type, int report_number, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ykpers-1.19.3/ykcore/ykcore_libusb-1.0.c new/ykpers-1.20.0/ykcore/ykcore_libusb-1.0.c --- old/ykpers-1.19.3/ykcore/ykcore_libusb-1.0.c 2019-02-20 15:34:39.000000000 +0100 +++ new/ykpers-1.20.0/ykcore/ykcore_libusb-1.0.c 2019-03-15 09:05:59.000000000 +0100 
@@ -161,7 +161,7 @@ return 0; } -void *_ykusb_open_device(int vendor_id, int *product_ids, size_t pids_len, int index) +void *_ykusb_open_device(int vendor_id, const int *product_ids, size_t pids_len, int index) { libusb_device *dev = NULL; libusb_device_handle *h = NULL; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ykpers-1.19.3/ykcore/ykcore_libusb.c new/ykpers-1.20.0/ykcore/ykcore_libusb.c --- old/ykpers-1.19.3/ykcore/ykcore_libusb.c 2019-02-20 15:34:39.000000000 +0100 +++ new/ykpers-1.20.0/ykcore/ykcore_libusb.c 2019-03-15 09:05:59.000000000 +0100 @@ -148,7 +148,7 @@ return 1; } -void *_ykusb_open_device(int vendor_id, int *product_ids, size_t pids_len, int index) +void *_ykusb_open_device(int vendor_id, const int *product_ids, size_t pids_len, int index) { struct usb_bus *bus; struct usb_device *yk_device = NULL; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ykpers-1.19.3/ykcore/ykcore_osx.c new/ykpers-1.20.0/ykcore/ykcore_osx.c --- old/ykpers-1.19.3/ykcore/ykcore_osx.c 2019-02-20 15:34:39.000000000 +0100 +++ new/ykpers-1.20.0/ykcore/ykcore_osx.c 2019-03-15 09:05:59.000000000 +0100 @@ -79,7 +79,7 @@ return result; } -void *_ykusb_open_device(int vendor_id, int *product_ids, size_t pids_len, int index) +void *_ykusb_open_device(int vendor_id, const int *product_ids, size_t pids_len, int index) { void *yk = NULL; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ykpers-1.19.3/ykcore/ykcore_stub.c new/ykpers-1.20.0/ykcore/ykcore_stub.c --- old/ykpers-1.19.3/ykcore/ykcore_stub.c 2019-02-20 15:34:39.000000000 +0100 +++ new/ykpers-1.20.0/ykcore/ykcore_stub.c 2019-03-15 09:05:59.000000000 +0100 
@@ -46,7 +46,7 @@ return 0; } -void * _ykusb_open_device(int vendor_id, int *product_ids, size_t pids_len) +void * _ykusb_open_device(int vendor_id, const int *product_ids, size_t pids_len) { yk_errno = YK_ENOTYETIMPL; return NULL; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ykpers-1.19.3/ykcore/ykcore_windows.c new/ykpers-1.20.0/ykcore/ykcore_windows.c --- old/ykpers-1.19.3/ykcore/ykcore_windows.c 2019-02-20 15:34:39.000000000 +0100 +++ new/ykpers-1.20.0/ykcore/ykcore_windows.c 2019-03-15 09:05:59.000000000 +0100 @@ -49,7 +49,7 @@ return 1; } -void * _ykusb_open_device(int vendor_id, int *product_ids, size_t pids_len, int index) +void * _ykusb_open_device(int vendor_id, const int *product_ids, size_t pids_len, int index) { HDEVINFO hi; SP_DEVICE_INTERFACE_DATA di; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ykpers-1.19.3/ykpbkdf2.c new/ykpers-1.20.0/ykpbkdf2.c --- old/ykpers-1.19.3/ykpbkdf2.c 2019-02-19 13:27:15.000000000 +0100 +++ new/ykpers-1.20.0/ykpbkdf2.c 2019-03-15 09:06:54.000000000 +0100 @@ -54,7 +54,7 @@ unsigned char *dk, size_t dklen, YK_PRF_METHOD *prf_method) { - if (salt_len > 256) { + if (salt_len > (255 - 4)) { return 0; } size_t l = ((dklen - 1 + prf_method->output_size) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ykpers-1.19.3/ykpers-version.h new/ykpers-1.20.0/ykpers-version.h --- old/ykpers-1.19.3/ykpers-version.h 2019-02-22 08:38:44.000000000 +0100 +++ new/ykpers-1.20.0/ykpers-version.h 2019-04-23 09:52:32.000000000 +0200 @@ -42,7 +42,7 @@ * version number. Used together with ykpers_check_version() to verify * header file and run-time library consistency. */ -#define YKPERS_VERSION_STRING "1.19.3" +#define YKPERS_VERSION_STRING "1.20.0" /** * YKPERS_VERSION_NUMBER 
@@ -52,7 +52,7 @@ * this symbol will have the value 0x01020300. The last two digits * are only used between public releases, and will otherwise be 00. */ -#define YKPERS_VERSION_NUMBER 0x011303 +#define YKPERS_VERSION_NUMBER 0x011400 /** * YKPERS_VERSION_MAJOR @@ -70,7 +70,7 @@ * level of the header file version number. For example, when the * header version is 1.2.3 this symbol will be 2. */ -#define YKPERS_VERSION_MINOR 19 +#define YKPERS_VERSION_MINOR 20 /** * YKPERS_VERSION_PATCH @@ -79,7 +79,7 @@ * level of the header file version number. For example, when the * header version is 1.2.3 this symbol will be 3. */ -#define YKPERS_VERSION_PATCH 3 +#define YKPERS_VERSION_PATCH 0 const char *ykpers_check_version (const char *req_version); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ykpers-1.19.3/ykpers.c new/ykpers-1.20.0/ykpers.c --- old/ykpers-1.19.3/ykpers.c 2019-02-19 13:29:54.000000000 +0100 +++ new/ykpers-1.20.0/ykpers.c 2019-03-15 09:06:50.000000000 +0100 @@ -32,6 +32,7 @@ #include "ykpbkdf2.h" #include "yktsd.h" #include "ykpers-json.h" +#include "ykcore/ykbzero.h" #include <ykpers.h> @@ -408,7 +409,7 @@ } } - memset (buf, 0, sizeof(buf)); + insecure_memzero (buf, sizeof(buf)); return rc; } return 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ykpers-1.19.3/ykpersonalize.1 new/ykpers-1.20.0/ykpersonalize.1 --- old/ykpers-1.19.3/ykpersonalize.1 2019-02-19 10:11:07.000000000 +0100 +++ new/ykpers-1.20.0/ykpersonalize.1 2019-07-03 14:06:35.000000000 +0200 
@@ -2,12 +2,12 @@ .\" Title: ykpersonalize .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: Version 1.19.1 +.\" Date: Version 1.20.0 .\" Manual: YubiKey Personalization Tool Manual .\" Source: ykpersonalize .\" Language: English .\" -.TH "YKPERSONALIZE" "1" "Version 1\&.19\&.1" "ykpersonalize" "YubiKey Personalization Tool M" +.TH "YKPERSONALIZE" "1" "Version 1\&.20\&.0" "ykpersonalize" "YubiKey Personalization Tool M" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -63,17 +63,17 @@ .PP \fB\-z\fR .RS 4 -delete configuration in selected slot +delete configuration in selected slot\&. .RE .PP \fB\-s\fR\fIfile\fR .RS 4 -save configuration to file instead of key\&. (if file is \-, send to stdout) +save configuration to file instead of key (if file is \-, send to stdout)\&. .RE .PP \fB\-i\fR\fIfile\fR .RS 4 -read configuration from file\&. (if file is \-, read from stdin) Configuration import is only valid for the ycfg format\&. +read configuration from file (if file is \-, read from stdin)\&. Configuration import is only valid for the ycfg format\&. .RE .PP \fB\-f\fR\fIformat\fR 
@@ -89,15 +89,15 @@ .PP \fB\-a\fR[\fIxxx\fR] .RS 4 -the AES secret key as a 32 (or 40 for OATH\-HOTP/HMAC CHAL\-RESP) char hex value (not modhex) (none to prompt for key on stdin) If +the AES secret key as a 32 (or 40 for OATH\-HOTP/HMAC CHAL\-RESP) char hex value (not modhex) (none to prompt for key on stdin)\&. If \fB\-a\fR is not used a random key will be generated\&. .RE .PP \fB\-c\fR[\fIxxx\fR] .RS 4 -A 12 char hex value (not modhex) to use as access code for programming\&. NOTE: this does NOT SET the access code, that\(cqs done with -\fB\-oaccess\fR\fI=\fR\&. If no argument is provided code is prompted for on stdin\&. +a 12 char hex value (not modhex) to use as the access code for programming\&. NOTE: this does NOT SET the access code\&. That is done with +\fB\-oaccess\fR\fI=\fR\&. If no argument is provided the code is prompted for on stdin\&. .RE .PP \fB\-o\fR\fIoption\fR @@ -130,50 +130,50 @@ \fIticket\-flag\fR .RS 4 Set/clear ticket flag, see the section -\fITicket flags\fR +\fITicket Flags\fR\&. .RE .PP \fIconfiguration\-flag\fR .RS 4 -Set/clear ticket flag, see the section -\fIConfiguration flags\fR +Set/clear configuration flag, see the section +\fIConfiguration flags\fR\&. .RE .RE .PP \fB\-y\fR .RS 4 -always commit without prompting +always commit without prompting\&. .RE .PP \fB\-d\fR .RS 4 -dry\-run, run without writing a YubiKey +dry\-run, run without writing a YubiKey\&. .RE .PP \fB\-v\fR .RS 4 -Be more verbose +be more verbose\&. .RE .PP \fB\-h\fR .RS 4 -Help +display help\&. .RE .PP \fB\-V\fR .RS 4 -Version +display version\&. .RE .SS "YubiKey Neo only" .PP \fB\-n\fR URI .RS 4 -Program NFC NDEF URI +program NFC NDEF URI\&. .RE .PP \fB\-t\fR text .RS 4 -Program NFC NDEF text +program NFC NDEF text\&. .RE .SS "YubiKey 3 and 4 only" .PP 
@@ -223,7 +223,7 @@ .RE .RE .sp -Removing OTP mode also disable communication between ykpersonalize and the YubiKey, further mode changes will have to be done with ykneomgr (for CCID mode) or u2f\-host (for U2F mode) +Removing OTP mode also disables communication between ykpersonalize and the YubiKey\&. Further mode changes will have to be done with ykneomgr (for CCID mode) or u2f\-host (for U2F mode)\&. .SS "YubiKey 3 and above" .PP \fB\-S\fR\fI0605\&...\fR @@ -252,7 +252,7 @@ .RE .\} .sp -An example for simplified us dvorak would be: +An example for simplified U\&.S\&. Dvorak would be: .sp .if n \{\ .RS 4 @@ -276,7 +276,7 @@ .RE .\} .sp -Or for a French BÉPO keyboard (French DVORAK): +Or for a French BÉPO keyboard (French Dvorak): .sp .if n \{\ .RS 4 @@ -338,17 +338,17 @@ .PP \fBappend\-delay1\fR .RS 4 -add a half\-second delay before sending the one\-time password part\&. This option is only valid for firmware 1\&.x and 2\&.x\&. +Add a half\-second delay before sending the one\-time password part\&. This option is only valid for firmware 1\&.x and 2\&.x\&. .RE .PP \fBappend\-delay2\fR .RS 4 -a half\-second delay after sending the one\-time password part\&. This option is only valid for firmware 1\&.x and 2\&.x\&. +Add a half\-second delay after sending the one\-time password part\&. This option is only valid for firmware 1\&.x and 2\&.x\&. .RE .PP \fBappend\-cr\fR .RS 4 -a carriage return after sending the one\-time password part\&. +Add a carriage return after sending the one\-time password part\&. .RE .SS "YubiKey 2\&.0 firmware and above" .PP 
@@ -442,22 +442,22 @@ .PP \fBoath\-hotp8\fR .RS 4 -When set, generate an 8\-digit HOTP rather than a 6\-digit one\&. +Generate an 8\-digit HOTP rather than a 6\-digit one\&. .RE .PP \fBoath\-fixed\-modhex1\fR .RS 4 -When set, the first byte of the fixed part is sent as modhex\&. +Send the first byte of the fixed part as modhex\&. .RE .PP \fBoath\-fixed\-modhex2\fR .RS 4 -When set, the first two bytes of the fixed part is sent as modhex\&. +Send the first two bytes of the fixed part as modhex\&. .RE .PP \fBoath\-fixed\-modhex\fR .RS 4 -When set, the fixed part is sent as modhex\&. +Send the fixed part is as modhex\&. .RE .PP \fBoath\-id\fR=m:OOTTUUUUUUUU @@ -579,7 +579,9 @@ .RS 4 .\} .nf -ykpersonalize \-1 \-ouid=h:`dd if=/dev/urandom bs=1 count=6 status=none | hexdump \-e \*(Aq/1 "%02x"\*(Aq` \-ofixed=h:ff`dd if=/dev/urandom bs=1 count=5 status=none | hexdump \-e \*(Aq/1 "%02x"\*(Aq` +ouid=`dd if=/dev/urandom 2>/dev/null | tr \-d \*(Aq[:upper:]\*(Aq | tr \-cd \*(Aq[:xdigit:]\*(Aq | fold \-w12 | head \-1` +ofixed=ff`dd if=/dev/urandom 2>/dev/null | tr \-d \*(Aq[:upper:]\*(Aq | tr \-cd \*(Aq[:xdigit:]\*(Aq | fold \-w10 | head \-1` +ykpersonalize \-1 \-ouid=h:$ouid \-ofixed=h:$ofixed .fi .if n \{\ .RE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ykpers-1.19.3/ykpersonalize.1.adoc new/ykpers-1.20.0/ykpersonalize.1.adoc --- old/ykpers-1.19.3/ykpersonalize.1.adoc 2018-11-27 09:19:44.000000000 +0100 +++ new/ykpers-1.20.0/ykpersonalize.1.adoc 2019-04-23 09:53:46.000000000 +0200 
@@ -32,21 +32,21 @@ configuration, the option flags **-oappend-cr**, **-ostatic-ticket**, **-ostrong-pw1**, *-ostrong-pw2* and *-oman-update* are set by default. -*-z*:: delete configuration in selected slot +*-z*:: delete configuration in selected slot. -*-s*'file':: save configuration to file instead of key. (if file -is -, send to stdout) +*-s*'file':: save configuration to file instead of key (if file +is -, send to stdout). -*-i*'file':: read configuration from file. (if file is -, read -from stdin) Configuration import is only valid for the ycfg format. +*-i*'file':: read configuration from file (if file is -, read +from stdin). Configuration import is only valid for the ycfg format. *-f*'format':: format to be used with *-s* and *-i*. Valid options are *ycfg* and *legacy*. -*-a*['xxx']:: the AES secret key as a 32 (or 40 for OATH-HOTP/HMAC CHAL-RESP) char hex value (not modhex) (none to prompt for key on stdin) If *-a* is not used a random key will be generated. +*-a*['xxx']:: the AES secret key as a 32 (or 40 for OATH-HOTP/HMAC CHAL-RESP) char hex value (not modhex) (none to prompt for key on stdin). If *-a* is not used a random key will be generated. -*-c*['xxx']:: A 12 char hex value (not modhex) to use as access -code for programming. NOTE: this does NOT SET the access code, that’s -done with **-oaccess**__=__. If no argument is provided code is prompted for on stdin. +*-c*['xxx']:: a 12 char hex value (not modhex) to use as the access +code for programming. NOTE: this does NOT SET the access code. That is +done with **-oaccess**__=__. If no argument is provided the code is prompted for on stdin. *-o*'option':: change configuration option. Possible option arguments are: 
@@ -62,22 +62,22 @@ *oath-imf*='xxx'::: Set OATH Initial Moving Factor. This is the initial counter value for the YubiKey. This should be a value between 0 and 1048560, evenly dividable by 16. -[-]'ticket-flag'::: Set/clear ticket flag, see the section 'Ticket flags' +[-]'ticket-flag'::: Set/clear ticket flag, see the section link:#ticket-flags['Ticket Flags']. -[-]'configuration-flag'::: Set/clear ticket flag, see the section 'Configuration flags' +[-]'configuration-flag'::: Set/clear configuration flag, see the section link:#configuration-flags['Configuration flags']. -*-y*:: always commit without prompting -*-d*:: dry-run, run without writing a YubiKey -*-v*:: Be more verbose -*-h*:: Help -*-V*:: Version +*-y*:: always commit without prompting. +*-d*:: dry-run, run without writing a YubiKey. +*-v*:: be more verbose. +*-h*:: display help. +*-V*:: display version. === YubiKey Neo only -*-n* URI:: Program NFC NDEF URI +*-n* URI:: program NFC NDEF URI. -*-t* text:: Program NFC NDEF text +*-t* text:: program NFC NDEF text. === YubiKey 3 and 4 only @@ -99,9 +99,9 @@ autoeject_timeout is the timeout in seconds before the card is automatically ejected in mode 81 -Removing OTP mode also disable communication between ykpersonalize and -the YubiKey, further mode changes will have to be done with ykneomgr (for CCID mode) -or u2f-host (for U2F mode) +Removing OTP mode also disables communication between ykpersonalize and +the YubiKey. Further mode changes will have to be done with ykneomgr (for CCID mode) +or u2f-host (for U2F mode). === YubiKey 3 and above @@ -117,7 +117,7 @@ 06050708090a0b0c0d0e0f111517181986858788898a8b8c8d8e8f9195979899271e1f202122232425269e2b28 + -An example for simplified us dvorak would be: +An example for simplified U.S. Dvorak would be: 0c110b071c180d0a0619130f120e09378c918b879c988d8a8699938f928e89b7271e1f202122232425269e2b28 + 
@@ -125,7 +125,7 @@ 06050708090a0b0c0d0e0f111517181986858788898a8b8c8d8e8f9195979899a79e9fa0a1a2a3a4a5a6382b28 + -Or for a French BÉPO keyboard (French DVORAK): +Or for a French BÉPO keyboard (French Dvorak): 0b140c0938363707130512330f0d16188b948c89b8b6b787938592b38f8d9698a79e9fa0a1a2a3a4a5a69c2b28 + @@ -163,17 +163,15 @@ part. This is useful if you have the fixed portion equal to the user name and two input fields that you navigate between using tab. -[-]*append-tab2*:: +[-]*append-tab2*:: Send a tab character as the last character. -Send a tab character as the last character. - -[-]*append-delay1*:: add a half-second delay before sending the one-time password part. This +[-]*append-delay1*:: Add a half-second delay before sending the one-time password part. This option is only valid for firmware 1.x and 2.x. -[-]*append-delay2*:: a half-second delay after sending the one-time password part. This +[-]*append-delay2*:: Add a half-second delay after sending the one-time password part. This option is only valid for firmware 1.x and 2.x. -[-]*append-cr*:: a carriage return after sending the one-time password part. +[-]*append-cr*:: Add a carriage return after sending the one-time password part. === YubiKey 2.0 firmware and above 
@@ -255,21 +253,13 @@ with the *-ostatic-ticket* option. This is only valid for firmware 2.x. === YubiKey 2.1 firmware and above -[-]*oath-hotp8*:: - -When set, generate an 8-digit HOTP rather than a 6-digit one. - -[-]*oath-fixed-modhex1*:: - -When set, the first byte of the fixed part is sent as modhex. - -[-]*oath-fixed-modhex2*:: +[-]*oath-hotp8*:: Generate an 8-digit HOTP rather than a 6-digit one. -When set, the first two bytes of the fixed part is sent as modhex. +[-]*oath-fixed-modhex1*:: Send the first byte of the fixed part as modhex. -[-]*oath-fixed-modhex*:: +[-]*oath-fixed-modhex2*:: Send the first two bytes of the fixed part as modhex. -When set, the fixed part is sent as modhex. +[-]*oath-fixed-modhex*:: Send the fixed part is as modhex. *oath-id*=m:OOTTUUUUUUUU:: @@ -397,7 +387,9 @@ Programming for YubiCloud: - ykpersonalize -1 -ouid=h:`dd if=/dev/urandom bs=1 count=6 status=none | hexdump -e '/1 "%02x"'` -ofixed=h:ff`dd if=/dev/urandom bs=1 count=5 status=none | hexdump -e '/1 "%02x"'` + ouid=`dd if=/dev/urandom 2>/dev/null | tr -d '[:upper:]' | tr -cd '[:xdigit:]' | fold -w12 | head -1` + ofixed=ff`dd if=/dev/urandom 2>/dev/null | tr -d '[:upper:]' | tr -cd '[:xdigit:]' | fold -w10 | head -1` + ykpersonalize -1 -ouid=h:$ouid -ofixed=h:$ofixed This will program a key with a random 6 byte uid and a 12 character fixed string starting with vv. This is suitable for upload to YubiCloud at
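Review bot: the release date in the NEWS hunk, "* Version 1.20.0 (released 2019-07-03d)", carries a stray "d", and the same line was copied verbatim into the new ykpers.changes entry ("- Version 1.20.0 (released 2019-07-03d)"); drop the "d" upstream in NEWS and regenerate the changes entry so both read "(released 2019-07-03)".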
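Review bot: in the first ykpers.spec hunk the substantive fix is the comparison operator, `BuildRequires: libyubikey-devel >= 1.12` and `BuildRequires: pkgconfig(json-c) >= 0.10` replacing the non-standard `=>` spelling; the `.la` cleanup `find %{buildroot} -type f -name "*.la" -delete -print` now walks the whole buildroot instead of `%{_libdir}`, which is the usual openSUSE idiom and is harmless here, and the dropped `BuildRoot:` and `%defattr(-,root,root)` lines are defaults on current rpm, so the produced packages do not change.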
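Review bot: several new ChangeLog entries consist only of a commit hash and author line (for example `* : commit 72a8a15cd4ea24abd4a16ac2db2a964dad5ef81e Author: Ernie Hershey ...`) with no description of what changed, and the last new entry reads "bump version to 1.19.4" although the release is 1.20.0; give such commits a subject before running the git-to-ChangeLog export, or filter merge and version-bump commits, so the file stays readable.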
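Review bot: the libtool bump in the configure.ac hunk (LT_CURRENT 20 to 21, LT_REVISION to 0, LT_AGE 19 to 20) follows the "Interfaces added" rule quoted in the hunk's own comment and matches the new `LIBYKPERS_1.20` node in libykpers-1.map, which exports only `yk_open_key_vid_pid` and chains to `LIBYKPERS_1.19`; the `const` added to `_ykusb_open_device` is internal and not in the map, so no further ABI node is needed.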
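Review bot: in the contrib/oath-unlock-reprogram.sh hunk the new `secret=` and `new_unlock=` pipelines read `/dev/urandom` with no `count`, so they stop only because `head -1` closes the pipe and `dd` exits on SIGPIPE; that works, but under `set -o pipefail` the pipeline status becomes non-zero, and the `seed=` line two lines below still uses the old backtick/`hexdump` form, so the script now mixes both styles. The filter itself is sound: `tr -d '[:upper:]'` followed by `tr -cd '[:xdigit:]'` keeps only the sixteen byte values for 0-9 and a-f, each equally likely from a uniform byte stream, and `fold -w40` / `fold -w12` give 160 and 48 bits, the same as the previous `bs=20` and `bs=6` reads. A bounded read such as `dd if=/dev/urandom bs=4096 count=1` (about 256 hex digits expected) avoids relying on SIGPIPE.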
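Review bot: in the ykcore/ykcore.c hunk the newly exported `yk_open_key_vid_pid(int vid, const int* pids, size_t pids_len, int index)` forwards the caller's `pids`/`pids_len` straight to `_ykusb_open_device` without rejecting `pids == NULL` or `pids_len == 0`; since this is now public API, either add that check (setting `yk_errno` the way the existing error path does) or document the precondition. Moving the product-ID table to the file-scope `static const int yubico_pids[]` and sizing it with `sizeof(yubico_pids) / sizeof(yubico_pids[0])` is the right refactor, and `yk_open_key` keeps its previous behaviour.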
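Review bot: the new declaration in the ykcore/ykcore.h hunk, `extern YK_KEY *yk_open_key_vid_pid(int, const int*, size_t, int);`, is the only line in that block without a trailing comment and names none of its parameters, unlike `yk_close_key(YK_KEY *k)`; since this header is the installed public API, name the parameters (vendor id, product-id array, array length, key index) and add a one-line comment like the neighbouring entries.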
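Review bot: the ykcore/ykcore_stub.c hunk leaves the stub's signature as `_ykusb_open_device(int vendor_id, const int *product_ids, size_t pids_len)`, without the trailing `int index` that ykcore_backend.h and every other backend in this patch declare; since the hunk already rewrites this line, add the fourth parameter now, otherwise a stub build that includes ykcore_backend.h fails with conflicting types.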
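Review bot: in the ykpbkdf2.c hunk the tightened bound `if (salt_len > (255 - 4))` is a bare magic expression: the buffer whose size the 255 reflects is not in the hunk, and the 4 is presumably the big-endian block index that PBKDF2 appends to the salt before each PRF call. Tie it to the buffer (`sizeof(buf) - 4`, or a named constant) with a comment so the relationship survives the next edit; the previous `salt_len > 256` check is presumably the "potential buffer overwrite" the NEWS entry refers to, so a short comment saying so would help the next reader.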
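Review bot: in the ykpers.c hunk, replacing `memset (buf, 0, sizeof(buf));` with `insecure_memzero (buf, sizeof(buf));` just before `return rc;` is aimed at the classic problem that a compiler may drop a memset of a stack buffer that is never read again, yet the name `insecure_memzero` reads as the opposite of what the ChangeLog entry "Clear potentially sensitive material from stack allocated buffer" promises. Add a comment at the call site (or in ykcore/ykbzero.h, which the hunk newly includes) stating whether the helper is guaranteed not to be elided, and check whether the `return 0;` path below also needs clearing if `buf` was written before it.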
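Review bot: the first ykpersonalize.1 hunk shows the committed man page had been stale at "Version 1.19.1" while the tarball was 1.19.3, and the updated `.TH` line still ends with the truncated manual name "YubiKey Personalization Tool M"; regenerate the page from ykpersonalize.1.adoc at release time instead of editing the version by hand, and shorten or explicitly set the manual name so the last `.TH` field is not cut.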
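Review bot: the `oath-fixed-modhex` entry now reads "Send the fixed part is as modhex." in both the ykpersonalize.1 hunk (@@ -442) and the ykpersonalize.1.adoc hunk (@@ -255); drop the stray "is" so it reads "Send the fixed part as modhex.", matching the two entries above it.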
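Review bot: in the final ykpersonalize.1.adoc hunk the YubiCloud example now spans three lines (`ouid=...`, `ofixed=ff...`, `ykpersonalize -1 -ouid=h:$ouid -ofixed=h:$ofixed`); the digit counts still match the prose (12 hex digits for the 6-byte uid, `ff` plus 10 digits for the 12-character fixed string), but the example uses the same SIGPIPE-terminated `dd` pipeline as contrib/oath-unlock-reprogram.sh and passes key material through shell variables, so a sentence noting that `set -o pipefail` reports a non-zero status and that `set -x` would echo the secrets would help readers who paste it into scripts.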
