diff --git a/src/cmd_chall.rs b/src/cmd_chall.rs index a5625bc..aaa1f32 100644 --- a/src/cmd_chall.rs +++ b/src/cmd_chall.rs @@ -1,4 +1,3 @@ -use std::collections::BTreeMap; use std::ops::Deref; use clap::{App, Arg, ArgMatches, SubCommand}; @@ -7,6 +6,8 @@ use rust_util::util_msg; use yubico_manager::config::{Config, Mode, Slot}; use yubico_manager::Yubico; +use crate::hmacutil; + pub struct CommandImpl; impl Command for CommandImpl { @@ -27,25 +28,9 @@ impl Command for CommandImpl { let json_output = sub_arg_matches.is_present("json"); if json_output { util_msg::set_logger_std_out(false); } - let sha1_output = sub_arg_matches.is_present("sha1"); - let sha256_output = sub_arg_matches.is_present("sha256"); - let sha384_output = sub_arg_matches.is_present("sha384"); - let sha512_output = sub_arg_matches.is_present("sha512"); - let challenge_bytes: Vec = if let Some(challenge) = sub_arg_matches.value_of("challenge") { - challenge.as_bytes().to_vec() - } else if let Some(challenge_hex) = sub_arg_matches.value_of("challenge-hex") { - opt_result!(hex::decode(challenge_hex), "Decode challenge hex: {}, failed: {}", challenge_hex) - } else { - return simple_error!("Challenge must assigned"); - }; - - // Challenge can not be greater than 64 bytes - if challenge_bytes.len() > 64 { - return simple_error!("Challenge bytes is: {}, more than 64", challenge_bytes.len()); - } + let challenge_bytes = hmacutil::get_challenge_bytes(sub_arg_matches)?; let mut yubi = Yubico::new(); - if let Ok(device) = yubi.find_yubikey() { success!("Found key, Vendor ID: {:?}, Product ID: {:?}", device.vendor_id, device.product_id); @@ -59,31 +44,7 @@ impl Command for CommandImpl { // In HMAC Mode, the result will always be the SAME for the SAME provided challenge let hmac_result = opt_result!(yubi.challenge_response_hmac(&challenge_bytes, config), "Challenge HMAC failed: {}"); - // Just for debug, lets check the hex - let v: &[u8] = hmac_result.deref(); - let hex_string = hex::encode(v); - let hex_sha1 = iff!(sha1_output, Some(crate::digest::sha1_bytes(v)), None); - let hex_sha256 = iff!(sha256_output, Some(crate::digest::sha256_bytes(v)), None); - let hex_sha384 = iff!(sha384_output, Some(crate::digest::sha384_bytes(v)), None); - let hex_sha512 = iff!(sha512_output, Some(crate::digest::sha512_bytes(v)), None); - - if json_output { - let mut json = BTreeMap::<&'_ str, String>::new(); - json.insert("challenge_hex", hex::encode(challenge_bytes)); - json.insert("response_hex", hex_string); - hex_sha1.map(|hex_sha1| json.insert("response_sha1_hex", hex::encode(hex_sha1))); - hex_sha256.map(|hex_sha256| json.insert("response_sha256_hex", hex::encode(hex_sha256))); - hex_sha384.map(|hex_sha384| json.insert("response_sha384_hex", hex::encode(hex_sha384))); - hex_sha512.map(|hex_sha512| json.insert("response_sha512_hex", hex::encode(hex_sha512))); - - println!("{}", serde_json::to_string_pretty(&json).expect("Convert to JSON failed!")); - } else { - success!("Challenge HEX: {}", hex::encode(challenge_bytes)); - success!("Response HEX: {}", hex_string); - if let Some(hex_sha256) = hex_sha256 { success!("Response SHA256 HEX: {}", hex::encode(hex_sha256)); } - if let Some(hex_sha384) = hex_sha384 { success!("Response SHA384 HEX: {}", hex::encode(hex_sha384)); } - if let Some(hex_sha512) = hex_sha512 { success!("Response SHA512 HEX: {}", hex::encode(hex_sha512)); } - } + hmacutil::output_hmac_result(sub_arg_matches, json_output, challenge_bytes, hmac_result.deref()); } else { warning!("YubiKey not found"); return Ok(Some(1)); diff --git a/src/cmd_hmac_sha1.rs b/src/cmd_hmac_sha1.rs index 2a44585..6a9213a 100644 --- a/src/cmd_hmac_sha1.rs +++ b/src/cmd_hmac_sha1.rs @@ -1,10 +1,8 @@ -use std::collections::BTreeMap; - use clap::{App, Arg, ArgMatches, SubCommand}; +use rust_util::{util_msg, XResult}; use rust_util::util_clap::{Command, CommandError}; -use rust_util::util_msg; -use yubico_manager::hmacmode::HmacKey; -use yubico_manager::sec::hmac_sha1; + +use crate::hmacutil; pub struct CommandImpl; @@ -29,65 +27,24 @@ impl Command for CommandImpl { if json_output { util_msg::set_logger_std_out(false); } let variable = sub_arg_matches.is_present("variable"); - let sha1_output = sub_arg_matches.is_present("sha1"); - let sha256_output = sub_arg_matches.is_present("sha256"); - let sha384_output = sub_arg_matches.is_present("sha384"); - let sha512_output = sub_arg_matches.is_present("sha512"); - let secret_bytes: Vec = if let Some(secret) = sub_arg_matches.value_of("secret") { - opt_result!(hex::decode(secret), "Decode secret hex: {}, failed: {}", secret) - } else { - return simple_error!("Secret must assigned"); - }; - let challenge_bytes: Vec = if let Some(challenge) = sub_arg_matches.value_of("challenge") { - challenge.as_bytes().to_vec() - } else if let Some(challenge_hex) = sub_arg_matches.value_of("challenge-hex") { - opt_result!(hex::decode(challenge_hex), "Decode challenge hex: {}, failed: {}", challenge_hex) - } else { - return simple_error!("Challenge must assigned"); - }; + let secret_bytes = get_secret_bytes(sub_arg_matches)?; + let challenge_bytes = hmacutil::get_challenge_bytes(sub_arg_matches)?; - if secret_bytes.len() != 20 { - return simple_error!("Secret length must be 20, actual is: {}", secret_bytes.len()); - } - - // Challenge can not be greater than 64 bytes - if challenge_bytes.len() > 64 { - return simple_error!("Challenge bytes is: {}, more than 64", challenge_bytes.len()); - } - - let hmac_key = HmacKey::from_slice(&secret_bytes); - let mut challenge = [0; 64]; - if variable && challenge_bytes.last() == Some(&0) { - challenge = [0xff; 64]; - } - (&mut challenge[..challenge_bytes.len()]).copy_from_slice(&challenge_bytes); - let hmac_result = hmac_sha1(&hmac_key, &challenge); - - let v: &[u8] = &hmac_result; - let hex_string = hex::encode(v); - let hex_sha1 = iff!(sha1_output, Some(crate::digest::sha1_bytes(v)), None); - let hex_sha256 = iff!(sha256_output, Some(crate::digest::sha256_bytes(v)), None); - let hex_sha384 = iff!(sha384_output, Some(crate::digest::sha384_bytes(v)), None); - let hex_sha512 = iff!(sha512_output, Some(crate::digest::sha512_bytes(v)), None); - - if json_output { - let mut json = BTreeMap::<&'_ str, String>::new(); - json.insert("challenge_hex", hex::encode(challenge_bytes)); - json.insert("response_hex", hex_string); - hex_sha1.map(|hex_sha1| json.insert("response_sha1_hex", hex::encode(hex_sha1))); - hex_sha256.map(|hex_sha256| json.insert("response_sha256_hex", hex::encode(hex_sha256))); - hex_sha384.map(|hex_sha384| json.insert("response_sha384_hex", hex::encode(hex_sha384))); - hex_sha512.map(|hex_sha512| json.insert("response_sha512_hex", hex::encode(hex_sha512))); - - println!("{}", serde_json::to_string_pretty(&json).expect("Convert to JSON failed!")); - } else { - success!("Challenge HEX: {}", hex::encode(challenge_bytes)); - success!("Response HEX: {}", hex_string); - if let Some(hex_sha256) = hex_sha256 { success!("Response SHA256 HEX: {}", hex::encode(hex_sha256)); } - if let Some(hex_sha384) = hex_sha384 { success!("Response SHA384 HEX: {}", hex::encode(hex_sha384)); } - if let Some(hex_sha512) = hex_sha512 { success!("Response SHA512 HEX: {}", hex::encode(hex_sha512)); } - } + let hmac_result = hmacutil::calculate_hmac_sha1_result(&secret_bytes, &challenge_bytes, variable); + hmacutil::output_hmac_result(sub_arg_matches, json_output, challenge_bytes, &hmac_result); Ok(None) } } + +fn get_secret_bytes(sub_arg_matches: &ArgMatches) -> XResult> { + let secret_bytes: Vec = if let Some(secret) = sub_arg_matches.value_of("secret") { + opt_result!(hex::decode(secret), "Decode secret hex: {}, failed: {}", secret) + } else { + return simple_error!("Secret must assigned"); + }; + if secret_bytes.len() != 20 { + return simple_error!("Secret length must be 20, actual is: {}", secret_bytes.len()); + } + Ok(secret_bytes) +} diff --git a/src/hmacutil.rs b/src/hmacutil.rs new file mode 100644 index 0000000..1e6e560 --- /dev/null +++ b/src/hmacutil.rs @@ -0,0 +1,64 @@ +use std::collections::BTreeMap; + +use clap::ArgMatches; +use rust_util::XResult; +use yubico_manager::hmacmode::HmacKey; +use yubico_manager::sec::hmac_sha1; + +pub fn get_challenge_bytes(sub_arg_matches: &ArgMatches) -> XResult> { + let challenge_bytes: Vec = if let Some(challenge) = sub_arg_matches.value_of("challenge") { + challenge.as_bytes().to_vec() + } else if let Some(challenge_hex) = sub_arg_matches.value_of("challenge-hex") { + opt_result!(hex::decode(challenge_hex), "Decode challenge hex: {}, failed: {}", challenge_hex) + } else { + return simple_error!("Challenge must assigned"); + }; + if challenge_bytes.len() > 64 { + return simple_error!("Challenge bytes is: {}, more than 64", challenge_bytes.len()); + } + Ok(challenge_bytes) +} + +pub fn calculate_hmac_sha1_result(secret_bytes: &Vec, challenge_bytes: &Vec, variable: bool) -> [u8; 20] { + let hmac_key = HmacKey::from_slice(&secret_bytes); + let mut challenge = [0; 64]; + if variable && challenge_bytes.last() == Some(&0) { + challenge = [0xff; 64]; + } + (&mut challenge[..challenge_bytes.len()]).copy_from_slice(&challenge_bytes); + let hmac_result = hmac_sha1(&hmac_key, &challenge); + hmac_result +} + + +pub fn output_hmac_result(sub_arg_matches: &ArgMatches, json_output: bool, challenge_bytes: Vec, result: &[u8]) { + let sha1_output = sub_arg_matches.is_present("sha1"); + let sha256_output = sub_arg_matches.is_present("sha256"); + let sha384_output = sub_arg_matches.is_present("sha384"); + let sha512_output = sub_arg_matches.is_present("sha512"); + + let hex_string = hex::encode(result); + let hex_sha1 = iff!(sha1_output, Some(crate::digest::sha1_bytes(result)), None); + let hex_sha256 = iff!(sha256_output, Some(crate::digest::sha256_bytes(result)), None); + let hex_sha384 = iff!(sha384_output, Some(crate::digest::sha384_bytes(result)), None); + let hex_sha512 = iff!(sha512_output, Some(crate::digest::sha512_bytes(result)), None); + + if json_output { + let mut json = BTreeMap::<&'_ str, String>::new(); + json.insert("challenge_hex", hex::encode(challenge_bytes)); + json.insert("response_hex", hex_string); + hex_sha1.map(|hex_sha1| json.insert("response_sha1_hex", hex::encode(hex_sha1))); + hex_sha256.map(|hex_sha256| json.insert("response_sha256_hex", hex::encode(hex_sha256))); + hex_sha384.map(|hex_sha384| json.insert("response_sha384_hex", hex::encode(hex_sha384))); + hex_sha512.map(|hex_sha512| json.insert("response_sha512_hex", hex::encode(hex_sha512))); + + println!("{}", serde_json::to_string_pretty(&json).expect("Convert to JSON failed!")); + } else { + success!("Challenge HEX: {}", hex::encode(challenge_bytes)); + success!("Response HEX: {}", hex_string); + if let Some(hex_sha256) = hex_sha256 { success!("Response SHA256 HEX: {}", hex::encode(hex_sha256)); } + if let Some(hex_sha384) = hex_sha384 { success!("Response SHA384 HEX: {}", hex::encode(hex_sha384)); } + if let Some(hex_sha512) = hex_sha512 { success!("Response SHA512 HEX: {}", hex::encode(hex_sha512)); } + } +} + diff --git a/src/main.rs b/src/main.rs index e7fd832..88393a1 100644 --- a/src/main.rs +++ b/src/main.rs @@ -11,6 +11,7 @@ mod digest; mod pivutil; mod rsautil; mod pkiutil; +mod hmacutil; mod pgpcardutil; mod cmd_list; mod cmd_u2fregister;