├── conf ├── gitignore └── ykfde.conf ├── dracut ├── ykfde.sh ├── parse-mod.sh └── module-setup.sh ├── .gitignore ├── .editorconfig ├── systemd ├── ykfde-worker.service ├── ykfde.service └── ykfde-2f.service ├── mkinitcpio └── ykfde ├── udev └── 20-ykfde.rules ├── bin ├── Makefile ├── ykfde-cpio.c ├── worker.c └── ykfde.c ├── README.md ├── config.def.h ├── Makefile ├── README-dracut.md ├── README-mkinitcpio.md └── COPYING.md /conf/gitignore: -------------------------------------------------------------------------------- 1 | # do not track changes 2 | challenge-* 3 | -------------------------------------------------------------------------------- /dracut/ykfde.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Placeholder to do something 4 | 5 | exit 0 6 | 7 | -------------------------------------------------------------------------------- /dracut/parse-mod.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | /sbin/initqueue --settled --unique --onetime /sbin/ykfde.sh 4 | 5 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | config.h 2 | bin/ykfde 3 | bin/ykfde-cpio 4 | bin/worker 5 | version.h 6 | *.html 7 | mkinitcpio-ykfde-*.tar.gz 8 | mkinitcpio-ykfde-*.tar.gz.asc 9 | mkinitcpio-ykfde-*.tar.xz 10 | mkinitcpio-ykfde-*.tar.xz.asc 11 | -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | # EditorConfig configuration for mkinitcpio-ykfde 2 | # http://EditorConfig.org 3 | 4 | # Top-most EditorConfig file 5 | root = true 6 | 7 | # Unix-style newlines without trailing whitespaces, 8 | # but with a newline ending every file, utf-8 charset 9 | [*] 10 | end_of_line = lf 11 | insert_final_newline = true 12 | 
trim_trailing_whitespace = true 13 | charset = utf-8 14 | 15 | # set indent to tabs with width of eight 16 | [*.{c,h}] 17 | indent_style = tab 18 | indent_size = 8 19 | -------------------------------------------------------------------------------- /systemd/ykfde-worker.service: -------------------------------------------------------------------------------- 1 | # (C) 2016-2025 by Christian Hesse 2 | # 3 | # This program is free software: you can redistribute it and/or modify 4 | # it under the terms of the GNU General Public License as published by 5 | # the Free Software Foundation, either version 3 of the License, or 6 | # (at your option) any later version. 7 | 8 | [Unit] 9 | Description=Run ykfde worker 10 | DefaultDependencies=no 11 | Before=cryptsetup-pre.target 12 | Wants=cryptsetup-pre.target 13 | After=ykfde-2f.service 14 | 15 | [Service] 16 | Type=notify 17 | KeyringMode=shared 18 | ExecStart=/usr/lib/ykfde/worker 19 | -------------------------------------------------------------------------------- /systemd/ykfde.service: -------------------------------------------------------------------------------- 1 | # (C) 2016-2025 by Christian Hesse 2 | # 3 | # This program is free software: you can redistribute it and/or modify 4 | # it under the terms of the GNU General Public License as published by 5 | # the Free Software Foundation, either version 3 of the License, or 6 | # (at your option) any later version. 
7 | 8 | [Unit] 9 | Description=Yubikey full disk encryption 10 | 11 | [Service] 12 | Type=oneshot 13 | KeyringMode=shared 14 | NotifyAccess=all 15 | ExecStart=-/usr/bin/ykfde 16 | ExecStart=/usr/bin/ykfde-cpio 17 | ExecStop=/usr/bin/ykfde-cpio 18 | RemainAfterExit=yes 19 | 20 | [Install] 21 | WantedBy=multi-user.target 22 | -------------------------------------------------------------------------------- /systemd/ykfde-2f.service: -------------------------------------------------------------------------------- 1 | # (C) 2016-2025 by Christian Hesse 2 | # 3 | # This program is free software: you can redistribute it and/or modify 4 | # it under the terms of the GNU General Public License as published by 5 | # the Free Software Foundation, either version 3 of the License, or 6 | # (at your option) any later version. 7 | 8 | [Unit] 9 | Description=Get 2nd Factor for YKFDE 10 | DefaultDependencies=no 11 | Before=cryptsetup-pre.target 12 | Wants=cryptsetup-pre.target 13 | ConditionPathExists=/etc/ykfde.d/ 14 | 15 | [Service] 16 | Type=oneshot 17 | RemainAfterExit=yes 18 | TimeoutSec=0 19 | KeyringMode=shared 20 | ExecStart=/usr/bin/systemd-ask-password --no-tty --no-output --id='ykfde-2f' --keyname='ykfde-2f' 'Please enter second factor for Yubikey full disk encryption!' 21 | -------------------------------------------------------------------------------- /conf/ykfde.conf: -------------------------------------------------------------------------------- 1 | [general] 2 | # Specify what Yubikey slot to use for full disk encryption. 3 | # This is just the system default, you can configure one or more 4 | # Yubikeys below. 5 | # The specified slot has to be configured for HMAC-SHA1. 6 | yk slot = 2 7 | 8 | # This is the LUKS device. Make sure you use the name, not 9 | # block device, e.g. it has to match first column of 10 | # /etc/crypttab.initramfs. 11 | device name = crypt 12 | 13 | # Do we use second factor? 
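This setting controls whether or not 14 | # support is added to initramfs. 15 | second factor = yes 16 | 17 | # For every Yubikey in use add a section here. 18 | # * 'yk slot' is optional and only required for keys differing 19 | # from system default. 20 | # * 'luks slot' is required to make sure one Yubikey is associated 21 | # with exactly one LUKS slot! 22 | #[1234567] 23 | #yk slot = 1 24 | #luks slot = 1 25 | -------------------------------------------------------------------------------- /mkinitcpio/ykfde: --------------------------------------------------------------------------------
#!/bin/sh

# mkinitcpio install hook: copies the ykfde worker, its udev rule, the
# configuration and the systemd units into the initramfs.
build() {
	# install basic files to initramfs
	add_binary /usr/lib/ykfde/worker
	add_file /usr/lib/initcpio/udev/20-ykfde.rules /usr/lib/udev/rules.d/20-ykfde.rules
	add_file /etc/ykfde.conf
	add_systemd_unit ykfde-worker.service
	add_symlink /usr/lib/systemd/system/sysinit.target.wants/ykfde-worker.service ../ykfde-worker.service

	# this is required for second factor
	# Anchor the match at line start so a commented-out setting does not
	# count, and allow optional whitespace around '=' so that a value the
	# ini parser accepts (e.g. "second factor=yes") is not silently
	# missed here - otherwise the 2nd-factor prompt is absent at boot.
	if grep -E -qi '^[[:space:]]*second factor[[:space:]]*=[[:space:]]*(yes|true|1)' /etc/ykfde.conf; then
		add_systemd_unit cryptsetup-pre.target
		add_systemd_unit ykfde-2f.service
		add_symlink /usr/lib/systemd/system/sysinit.target.wants/ykfde-2f.service ../ykfde-2f.service
		add_binary systemd-ask-password
	fi
}

help() {
	echo "This hook adds support for opening LUKS devices with Yubico key."
	echo "Read the documentation for additional steps to set this up."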
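23 | } 24 | -------------------------------------------------------------------------------- /dracut/module-setup.sh: --------------------------------------------------------------------------------
#!/bin/bash

# called by dracut; returning 0 includes the module whenever it is installed
check() {
	return 0
}

# called by dracut; no additional module dependencies are declared here
depends() {
	return 0
}

# called by dracut: copies the ykfde worker, its udev rule, the configuration
# and the systemd units into the initramfs
install() {
	# install basic files to initramfs
	inst_rules "$moddir/20-ykfde.rules"
	inst_hook cmdline 30 "$moddir/parse-mod.sh"
	inst_simple "$moddir/ykfde.sh" /sbin/ykfde.sh
	inst_binary /usr/lib/ykfde/worker
	inst_simple /etc/ykfde.conf
	inst_simple /usr/lib/systemd/system/ykfde-worker.service
	ln_r "$systemdsystemunitdir/ykfde-worker.service" "$systemdsystemunitdir/sysinit.target.wants/ykfde-worker.service"

	# this is required for second factor
	# Anchor the match at line start so a commented-out setting does not
	# count, and allow optional whitespace around '=' so that a value the
	# ini parser accepts (e.g. "second factor=yes") is not silently
	# missed here - otherwise the 2nd-factor prompt is absent at boot.
	if grep -E -qi '^[[:space:]]*second factor[[:space:]]*=[[:space:]]*(yes|true|1)' /etc/ykfde.conf; then
		inst_simple /usr/lib/systemd/system/cryptsetup-pre.target
		inst_simple /usr/lib/systemd/system/ykfde-2f.service
		ln_r "$systemdsystemunitdir/ykfde-2f.service" "$systemdsystemunitdir/sysinit.target.wants/ykfde-2f.service"
		inst_binary /usr/bin/systemd-ask-password
	fi

	dracut_need_initqueue
}

-------------------------------------------------------------------------------- /udev/20-ykfde.rules: -------------------------------------------------------------------------------- 1 | # do challenge/response with Yubikey and try to answer password agent 2 | 3 | # Known Yubikey product ids as of 2015-01-04, 4 | # Yubikeys with OTP should support HMAC-SHA1 as well.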
5 | # see /usr/include/ykpers-1/ykdef.h or 6 | # https://github.com/Yubico/yubikey-personalization/blob/master/ykcore/ykdef.h 7 | # 8 | # 0010 Yubikey (version 1 and 2) 9 | # 0110 Yubikey NEO - OTP only 10 | # 0111 Yubikey NEO - OTP and CCID 11 | # 0112 Yubikey NEO - CCID only 12 | # 0113 Yubikey NEO - U2F only 13 | # 0114 Yubikey NEO - OTP and U2F 14 | # 0115 Yubikey NEO - U2F and CCID 15 | # 0116 Yubikey NEO - OTP, U2F and CCID 16 | # 0401 Yubikey 4 - OTP only 17 | # 0402 Yubikey 4 - U2F only 18 | # 0403 Yubikey 4 - OTP and U2F 19 | # 0404 Yubikey 4 - CCID only 20 | # 0405 Yubikey 4 - OTP and CCID 21 | # 0406 Yubikey 4 - U2F and CCID 22 | # 0407 Yubikey 4 - OTP, U2F and CCID 23 | # 0410 Yubikey plus - OTP+U2F 24 | 25 | ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", \ 26 | ATTRS{idVendor}=="1050", \ 27 | ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", \ 28 | RUN+="/usr/bin/systemctl start ykfde-worker.service" 29 | -------------------------------------------------------------------------------- /bin/Makefile: -------------------------------------------------------------------------------- 1 | # commands 2 | CC := gcc 3 | INSTALL := install 4 | RM := rm 5 | # flags 6 | CFLAGS += -std=gnu11 -O2 -fPIC -Wall -Werror 7 | CFLAGS_EXTRA += $(shell pkg-config --cflags --libs iniparser) 8 | CFLAGS_EXTRA += $(shell pkg-config --cflags --libs libkeyutils) 9 | CFLAGS_EXTRA += $(shell pkg-config --cflags --libs ykpers-1) -lyubikey 10 | CFLAGS_SYSTEMD := $(shell pkg-config --cflags --libs libsystemd 2>/dev/null) 11 | ifneq ($(CFLAGS_SYSTEMD),) 12 | CFLAGS_EXTRA += -DHAVE_SYSTEMD $(CFLAGS_SYSTEMD) 13 | endif 14 | LDFLAGS += -Wl,-z,now -Wl,-z,relro -pie 15 | 16 | all: worker ykfde ykfde-cpio 17 | 18 | worker: worker.c ../config.h 19 | $(CC) worker.c $(CFLAGS) $(CFLAGS_EXTRA) $(LDFLAGS) -o worker 20 | 21 | ykfde: ykfde.c ../config.h ../version.h 22 | $(CC) ykfde.c $(CFLAGS) $(CFLAGS_EXTRA) -lcryptsetup $(LDFLAGS) -o ykfde 23 | 24 | ykfde-cpio: 
ykfde-cpio.c ../config.h ../version.h 25 | $(CC) ykfde-cpio.c $(CFLAGS) -larchive $(LDFLAGS) -o ykfde-cpio 26 | 27 | install: worker ykfde ykfde-cpio 28 | $(INSTALL) -D -m0755 worker $(DESTDIR)/usr/lib/ykfde/worker 29 | $(INSTALL) -D -m0755 ykfde $(DESTDIR)/usr/bin/ykfde 30 | $(INSTALL) -D -m0755 ykfde-cpio $(DESTDIR)/usr/bin/ykfde-cpio 31 | 32 | clean: 33 | $(RM) -f worker ykfde ykfde-cpio 34 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | mkinitcpio-ykfde 2 | ================ 3 | 4 | **Full disk encryption with Yubikey (Yubico key)** 5 | 6 | This allows to automatically unlock a LUKS encrypted hard disk from `systemd`- 7 | enabled initramfs. 8 | 9 | Requirements, building, installing and usage 10 | -------------------------------------------- 11 | 12 | Most of this is generic, but it still differs in detail for 13 | distributions. Please look at what matches best for you. 14 | 15 | * [mkinitcpio based initramfs (Arch Linux, ...)](README-mkinitcpio.md) 16 | * [dracut based initramfs (Fedora, ...)](README-dracut.md) 17 | 18 | Limitation / TODO 19 | ----------------- 20 | 21 | No known limitations. Yeah! 22 | 23 | License and warranty 24 | -------------------- 25 | 26 | This program is free software: you can redistribute it and/or modify 27 | it under the terms of the GNU General Public License as published by 28 | the Free Software Foundation, either version 3 of the License, or 29 | (at your option) any later version. 30 | 31 | This program is distributed in the hope that it will be useful, 32 | but WITHOUT ANY WARRANTY; without even the implied warranty of 33 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 34 | [GNU General Public License](COPYING.md) for more details. 
35 | 36 | ### Upstream 37 | 38 | URL: 39 | [GitHub.com](https://github.com/eworm-de/mkinitcpio-ykfde#mkinitcpio-ykfde) 40 | 41 | Mirror: 42 | [eworm.de](https://git.eworm.de/cgit.cgi/mkinitcpio-ykfde/) 43 | [GitLab.com](https://gitlab.com/eworm-de/mkinitcpio-ykfde#mkinitcpio-ykfde) 44 | -------------------------------------------------------------------------------- /config.def.h: -------------------------------------------------------------------------------- 1 | /* 2 | * (C) 2014-2025 by Christian Hesse 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the GNU General Public License as published by 6 | * the Free Software Foundation, either version 3 of the License, or 7 | * (at your option) any later version. 8 | * 9 | * This program is distributed in the hope that it will be useful, 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | * GNU General Public License for more details. 13 | * 14 | * You should have received a copy of the GNU General Public License 15 | * along with this program. If not, see . 
16 | * 17 | */ 18 | 19 | #ifndef _CONFIG_H 20 | #define _CONFIG_H 21 | 22 | /* path to the configuration file */ 23 | #define CONFIGFILE "/etc/ykfde.conf" 24 | 25 | /* path to challenge files 26 | * make sure this is an absolute path with trailing slash */ 27 | #define CHALLENGEDIR "/etc/ykfde.d/" 28 | 29 | /* config file device name */ 30 | #define CONFDEVNAME "device name" 31 | /* config file Yubikey slot */ 32 | #define CONFYKSLOT "yk slot" 33 | /* config file LUKS slot */ 34 | #define CONFLUKSSLOT "luks slot" 35 | /* config file second factor */ 36 | #define CONF2NDFACTOR "second factor" 37 | 38 | /* path to cpio archive (initramfs image) */ 39 | #define CPIOFILE "/boot/ykfde-challenges.img" 40 | /* path to temporary cpio archive (initramfs image) */ 41 | #define CPIOTMPFILE CPIOFILE "-XXXXXX" 42 | 43 | #endif /* _CONFIG_H */ 44 | 45 | // vim: set syntax=c: 46 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # commands 2 | INSTALL := install 3 | MD := markdown 4 | RM := rm 5 | CP := cp 6 | SED := sed 7 | # this is just a fallback in case you do not use git but downloaded 8 | # a release tarball... 
9 | VERSION := 0.7.9 10 | 11 | .DELETE_ON_ERROR: 12 | 13 | all: bin/worker bin/ykfde bin/ykfde-cpio README.html README-mkinitcpio.html README-dracut.html 14 | 15 | bin/worker: bin/worker.c config.h 16 | $(MAKE) -C bin worker 17 | 18 | bin/ykfde: bin/ykfde.c config.h version.h 19 | $(MAKE) -C bin ykfde 20 | 21 | bin/ykfde-cpio: bin/ykfde-cpio.c config.h version.h 22 | $(MAKE) -C bin ykfde-cpio 23 | 24 | config.h: 25 | $(CP) config.def.h config.h 26 | 27 | version.h: $(wildcard .git/HEAD .git/index .git/refs/tags/*) Makefile 28 | printf "#ifndef VERSION\n#define VERSION \"%s\"\n#endif\n" $(shell git describe --long 2>/dev/null || echo ${VERSION}) > $@ 29 | 30 | %.html: %.md 31 | $(MD) $< > $@ 32 | $(SED) -i 's/\(README[-[:alnum:]]*\).md/\1.html/g' $@ 33 | 34 | install: install-mkinitcpio 35 | 36 | install-bin: bin/worker bin/ykfde bin/ykfde-cpio 37 | $(MAKE) -C bin install 38 | $(INSTALL) -D -m0644 conf/ykfde.conf $(DESTDIR)/etc/ykfde.conf 39 | $(INSTALL) -d -m0700 $(DESTDIR)/etc/ykfde.d/ 40 | $(INSTALL) -D -m0644 conf/gitignore $(DESTDIR)/etc/ykfde.d/.gitignore 41 | $(INSTALL) -D -m0644 systemd/ykfde.service $(DESTDIR)/usr/lib/systemd/system/ykfde.service 42 | $(INSTALL) -D -m0644 systemd/ykfde-2f.service $(DESTDIR)/usr/lib/systemd/system/ykfde-2f.service 43 | $(INSTALL) -D -m0644 systemd/ykfde-worker.service $(DESTDIR)/usr/lib/systemd/system/ykfde-worker.service 44 | 45 | install-doc: README.html README-mkinitcpio.html README-dracut.html 46 | $(INSTALL) -D -m0644 README.md $(DESTDIR)/usr/share/doc/ykfde/README.md 47 | $(INSTALL) -D -m0644 README.html $(DESTDIR)/usr/share/doc/ykfde/README.html 48 | $(INSTALL) -D -m0644 README-mkinitcpio.md $(DESTDIR)/usr/share/doc/ykfde/README-mkinitcpio.md 49 | $(INSTALL) -D -m0644 README-mkinitcpio.html $(DESTDIR)/usr/share/doc/ykfde/README-mkinitcpio.html 50 | $(INSTALL) -D -m0644 README-dracut.md $(DESTDIR)/usr/share/doc/ykfde/README-dracut.md 51 | $(INSTALL) -D -m0644 README-dracut.html 
$(DESTDIR)/usr/share/doc/ykfde/README-dracut.html 52 | 53 | install-mkinitcpio: install-bin install-doc 54 | $(INSTALL) -D -m0644 mkinitcpio/ykfde $(DESTDIR)/usr/lib/initcpio/install/ykfde 55 | $(INSTALL) -D -m0644 udev/20-ykfde.rules $(DESTDIR)/usr/lib/initcpio/udev/20-ykfde.rules 56 | 57 | install-dracut: install-bin install-doc 58 | $(INSTALL) -D -m0755 dracut/module-setup.sh $(DESTDIR)/usr/lib/dracut/modules.d/90ykfde/module-setup.sh 59 | $(INSTALL) -D -m0755 dracut/parse-mod.sh $(DESTDIR)/usr/lib/dracut/modules.d/90ykfde/parse-mod.sh 60 | $(INSTALL) -D -m0755 dracut/ykfde.sh $(DESTDIR)/usr/lib/dracut/modules.d/90ykfde/ykfde.sh 61 | $(INSTALL) -D -m0644 udev/20-ykfde.rules $(DESTDIR)/usr/lib/dracut/modules.d/90ykfde/20-ykfde.rules 62 | 63 | clean: 64 | $(MAKE) -C bin clean 65 | $(RM) -f README.html README-mkinitcpio.html README-dracut.html version.h 66 | 67 | distclean: clean 68 | $(RM) -f config.h 69 | 70 | release: 71 | git archive --format=tar.xz --prefix=mkinitcpio-ykfde-$(VERSION)/ $(VERSION) > mkinitcpio-ykfde-$(VERSION).tar.xz 72 | gpg --armor --detach-sign --comment mkinitcpio-ykfde-$(VERSION).tar.xz mkinitcpio-ykfde-$(VERSION).tar.xz 73 | git archive --format=tar.gz --prefix=mkinitcpio-ykfde-$(VERSION)/ $(VERSION) > mkinitcpio-ykfde-$(VERSION).tar.gz 74 | gpg --armor --detach-sign --comment mkinitcpio-ykfde-$(VERSION).tar.gz mkinitcpio-ykfde-$(VERSION).tar.gz 75 | git notes --ref=refs/notes/signatures/tar add -C $$(git archive --format=tar --prefix=mkinitcpio-ykfde-$(VERSION)/ $(VERSION) | gpg --armor --detach-sign --comment mkinitcpio-ykfde-$(VERSION).tar | git hash-object -w --stdin) $(VERSION) 76 | -------------------------------------------------------------------------------- /README-dracut.md: -------------------------------------------------------------------------------- 1 | Full disk encryption with Yubikey (Yubico key) for dracut 2 | ========================================================= 3 | 4 | This enables you to automatically unlock a 
LUKS encrypted filesystem from 5 | a `systemd`-enabled initramfs. 6 | 7 | Requirements 8 | ------------ 9 | 10 | To compile and use Yubikey full disk encryption you need: 11 | 12 | * libyubikey-devel 13 | * ykpers-devel 14 | * iniparser-devel 15 | * libarchive-devel 16 | * cryptsetup-devel 17 | * python-markdown 18 | * systemd-devel 19 | * keyutils-libs-devel 20 | 21 | Additionally you will need to have `make` and `pkg-config` installed to 22 | successfully compile. 23 | 24 | Build and install 25 | ----------------- 26 | 27 | Building and installing is very easy. Just run: 28 | 29 | > make 30 | 31 | Some distributions do have different names for `markdown` executable. 32 | For Fedora you have to run: 33 | 34 | > make MD=markdown_py 35 | 36 | Build command is followed by: 37 | 38 | > make install-dracut 39 | 40 | This will place the files in their desired places in the filesystem. 41 | Keep in mind that you need `root` privileges for installation, so switch 42 | user or prepend the last command with `sudo`. 43 | 44 | Usage 45 | ----- 46 | 47 | ### config files `/etc/crypttab` and `/etc/ykfde.conf` 48 | 49 | Make sure systemd knows about your encrypted device by 50 | adding a line to `/etc/crypttab`. It should read like: 51 | 52 | > `mapping-name` /dev/`LUKS-device` - 53 | 54 | Usually there is already an entry for your device. 55 | 56 | Update `/etc/ykfde.conf` with correct settings. Add the value of 57 | `mapping-name` from above to `device name` in the `general` section. Then 58 | add a new section with your key's decimal serial number containing the key 59 | slot setting. The minimal file should look like this: 60 | 61 | [general] 62 | device name = crypt 63 | 64 | [1234567] 65 | luks slot = 1 66 | 67 | *Be warned*: Do not remove or overwrite your interactive (regular) key! 68 | Keep that for backup and rescue - a LUKS1 volume has a total of 8 key 69 | slots (0 to 7), a LUKS2 volume has up to 32.
70 | 71 | ### Key setup 72 | 73 | `ykfde` will read its information from these files and understands some 74 | additional options. Run `ykfde --help` for details. Then prepare 75 | the key. Plug it in and make sure it is configured for `HMAC-SHA1`. This can 76 | be done with `ykpersonalize` from terminal (package `ykpers`) 77 | or with GUI application `YubiKey Personalization Tool`. After that, run: 78 | 79 | > ykfde 80 | 81 | This will store a challenge in `/etc/ykfde.d/` and add a new slot to 82 | your LUKS device based on the `/etc/ykfde.conf` configuration. When 83 | `ykfde` asks for a passphrase it requires a valid passphrase from a 84 | previously available slot. 85 | 86 | Alternatively, adding a key with second factor (`foo` in this example) 87 | is as easy: 88 | 89 | > ykfde --new-2nd-factor foo 90 | 91 | To update the challenge run: 92 | 93 | > ykfde --2nd-factor foo 94 | 95 | And changing second factor (from `foo` to `bar` in this example) is 96 | straight forward: 97 | 98 | > ykfde --2nd-factor foo --new-2nd-factor bar 99 | 100 | The current and new second factor can also be read from the terminal, which 101 | keeps them off the screen and out of your shell history. 102 | Use switches `--ask-2nd-factor` and `--ask-new-2nd-factor` for that. 103 | 104 | Make sure to enable second factor in `/etc/ykfde.conf`. Without a second factor anyone holding the disk and the Yubikey can unlock the volume; the second factor ties unlocking to something only you know. 105 | 106 | ### cpio archive with challenges 107 | 108 | Every time you update a challenge and/or a second factor run: 109 | 110 | > ykfde-cpio 111 | 112 | This will write a cpio archive to `/boot/ykfde-challenges.img` containing 113 | your current challenges. The image is created with mode 0600, so on file systems that enforce permissions only `root` can read it. Enable systemd service `ykfde` to do this 114 | automatically on every boot: 115 | 116 | > systemctl enable ykfde.service 117 | 118 | ### `dracut` 119 | 120 | Build the initramfs: 121 | 122 | > dracut -f 123 | 124 | ### Boot loader 125 | 126 | Make sure to load the cpio archive `/boot/ykfde-challenges.img` 127 | as an additional initramfs.
It has to be listed *after* microcode 128 | updates (if available), but *before* main initramfs. 129 | 130 | With `grub` you need to list `ykfde-challenges.img` in configuration 131 | variable `GRUB_EARLY_INITRD_LINUX_CUSTOM` in `/etc/default/grub`: 132 | 133 | > GRUB_EARLY_INITRD_LINUX_CUSTOM="ykfde-challenges.img" 134 | 135 | Then update your `grub` configuration by running: 136 | 137 | > grub-mkconfig -o /boot/grub/grub.cfg 138 | 139 | A valid configuration for `systemd-boot` should be placed in 140 | `/boot/loader/entries/default.conf` and look something like this: 141 | 142 | ``` 143 | title Default 144 | linux /vmlinuz-linux 145 | initrd /intel-ucode.img 146 | initrd /ykfde-challenges.img 147 | initrd /initramfs-linux.img 148 | options root=... rw quiet 149 | ``` 150 | 151 | Reboot and have fun! 152 | -------------------------------------------------------------------------------- /README-mkinitcpio.md: -------------------------------------------------------------------------------- 1 | Full disk encryption with Yubikey (Yubico key) for mkinitcpio 2 | ============================================================= 3 | 4 | This enables you to automatically unlock a LUKS encrypted filesystem from 5 | a `systemd`-enabled initramfs. 
6 | 7 | Requirements 8 | ------------ 9 | 10 | To compile and use Yubikey full disk encryption you need: 11 | 12 | * [yubikey-personalization](https://github.com/Yubico/yubikey-personalization) 13 | * [iniparser](https://github.com/ndevilla/iniparser) 14 | * [systemd](https://www.github.com/systemd/systemd) 15 | * [cryptsetup](https://gitlab.com/cryptsetup/cryptsetup) 16 | * keyutils and linux with `CONFIG_KEYS` enabled 17 | * [mkinitcpio](https://projects.archlinux.org/mkinitcpio.git/) 18 | * [markdown](https://daringfireball.net/projects/markdown/) (HTML documentation) 19 | * [libarchive](https://www.libarchive.org/) (Update challenge on boot) 20 | 21 | Additionally you will need to have `make` and `pkg-config` installed to 22 | successfully compile. 23 | 24 | Build and install 25 | ----------------- 26 | 27 | Building and installing is very easy. Just run: 28 | 29 | > make 30 | 31 | followed by: 32 | 33 | > make install-mkinitcpio 34 | 35 | This will place the files in their desired places in the filesystem. 36 | Keep in mind that you need `root` privileges for installation, so switch 37 | user or prepend the last command with `sudo`. 38 | 39 | Usage 40 | ----- 41 | 42 | ### config files `/etc/crypttab.initramfs` and `/etc/ykfde.conf` 43 | 44 | Make sure systemd knows about your encrypted device by 45 | adding a line to `/etc/crypttab.initramfs`. It should read like: 46 | 47 | > `mapping-name` /dev/`LUKS-device` - 48 | 49 | Usually there is already an entry for your device. If you do not already 50 | have a `systemd`-enabled initramfs, you will need to create this file from 51 | scratch. 52 | 53 | Update `/etc/ykfde.conf` with correct settings. Add the value of 54 | `mapping-name` from above to `device name` in the `general` section. Then 55 | add a new section with your key's decimal serial number containing the key 56 | slot setting. 
The minimal file should look like this: 57 | 58 | [general] 59 | device name = crypt 60 | 61 | [1234567] 62 | luks slot = 1 63 | 64 | *Be warned*: Do not remove or overwrite your interactive (regular) key! 65 | Keep that for backup and rescue - a LUKS1 volume has a total of 8 key 66 | slots (0 to 7), a LUKS2 volume has up to 32. 67 | 68 | ### Key setup 69 | 70 | `ykfde` will read its information from these files and understands some 71 | additional options. Run `ykfde --help` for details. Then prepare 72 | the key. Plug it in and make sure it is configured for `HMAC-SHA1`. This can 73 | be done with `ykpersonalize` from terminal (package `yubikey-personalization`) 74 | or with GUI application `YubiKey Personalization Tool` (package 75 | `yubikey-personalization-gui`). After that, run: 76 | 77 | > ykfde 78 | 79 | This will store a challenge in `/etc/ykfde.d/` and add a new slot to 80 | your LUKS device based on the `/etc/ykfde.conf` configuration. When 81 | `ykfde` asks for a passphrase it requires a valid passphrase from a 82 | previously available slot. 83 | 84 | Alternatively, adding a key with second factor (`foo` in this example) 85 | is as easy: 86 | 87 | > ykfde --new-2nd-factor foo 88 | 89 | To update the challenge run: 90 | 91 | > ykfde --2nd-factor foo 92 | 93 | And changing second factor (from `foo` to `bar` in this example) is 94 | straight forward: 95 | 96 | > ykfde --2nd-factor foo --new-2nd-factor bar 97 | 98 | The current and new second factor can also be read from the terminal, which 99 | keeps them off the screen and out of your shell history. 100 | Use switches `--ask-2nd-factor` and `--ask-new-2nd-factor` for that. 101 | 102 | Make sure to enable second factor in `/etc/ykfde.conf`. Without a second factor anyone holding the disk and the Yubikey can unlock the volume; the second factor ties unlocking to something only you know. 103 | 104 | ### cpio archive with challenges 105 | 106 | Every time you update a challenge and/or a second factor run: 107 | 108 | > ykfde-cpio 109 | 110 | This will write a cpio archive to `/boot/ykfde-challenges.img` containing 111 | your current challenges. The image is created with mode 0600, so on file systems that enforce permissions only `root` can read it.
Enable systemd service `ykfde` to do this 112 | automatically on every boot: 113 | 114 | > systemctl enable ykfde.service 115 | 116 | ### mkinitcpio hook `ykfde` 117 | 118 | Lastly, add `ykfde` to your hook list in `/etc/mkinitcpio.conf`. You should 119 | already have `systemd` and `sd-encrypt` there as a `systemd`-enabled 120 | initramfs is prerequisite. A working example config is as follows: 121 | 122 | > HOOKS="base systemd keyboard autodetect modconf block ykfde sd-encrypt sd-lvm2 filesystems fsck" 123 | 124 | Now rebuild your initramfs with: 125 | 126 | > mkinitcpio -p linux 127 | 128 | ### Boot loader 129 | 130 | Make sure to load the cpio archive `/boot/ykfde-challenges.img` 131 | as an additional initramfs. It has to be listed *after* microcode 132 | updates (if available), but *before* main initramfs. 133 | 134 | With `grub` you need to list `ykfde-challenges.img` in configuration 135 | variable `GRUB_EARLY_INITRD_LINUX_CUSTOM` in `/etc/default/grub`: 136 | 137 | > GRUB_EARLY_INITRD_LINUX_CUSTOM="ykfde-challenges.img" 138 | 139 | Then update your `grub` configuration by running: 140 | 141 | > grub-mkconfig -o /boot/grub/grub.cfg 142 | 143 | A valid configuration for `systemd-boot` should be placed in 144 | `/boot/loader/entries/default.conf` and look something like this: 145 | 146 | ``` 147 | title Default 148 | linux /vmlinuz-linux 149 | initrd /intel-ucode.img 150 | initrd /ykfde-challenges.img 151 | initrd /initramfs-linux.img 152 | options root=... rw quiet 153 | ``` 154 | 155 | Reboot and have fun! 
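156 | -------------------------------------------------------------------------------- /bin/ykfde-cpio.c: --------------------------------------------------------------------------------
/*
 * (C) 2014-2025 by Christian Hesse
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 *
 */

#include <dirent.h>
#include <fcntl.h>
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

#include <archive.h>
#include <archive_entry.h>

#include "../config.h"
#include "../version.h"

#define PROGNAME "ykfde-cpio"

/* size of the buffer used to copy challenge files into the archive */
#define IOBUFSIZE 4096

static const char optstring[] = "hV";
static const struct option options_long[] = {
	/* name		has_arg		flag	val */
	{ "help",	no_argument,	NULL,	'h' },
	{ "version",	no_argument,	NULL,	'V' },
	{ 0, 0, 0, 0 }
};

/* libarchive's error text for archive, or a placeholder when none is set */
static const char *archive_err(struct archive *archive) {
	const char *msg = archive_error_string(archive);

	return msg != NULL ? msg : "unknown error";
}

/* Append a directory entry named path (relative, e.g. "etc/ykfde.d") to
 * archive. Ownership and mode are copied from the root directory "/", so
 * the directories inside the image are root-owned (and typically 0755).
 * Returns 0 on success and -1 on failure. */
int add_dir(struct archive *archive, const char *path) {
	struct stat st;
	struct archive_entry *entry;
	int rc = -1;

	/* initialize struct stat for directories from root */
	if (stat("/", &st) < 0) {
		perror("stat() failed");
		return rc;
	}

	if ((entry = archive_entry_new()) == NULL) {
		fprintf(stderr, "archive_entry_new() failed\n");
		return rc;
	}

	archive_entry_set_pathname(entry, path);
	archive_entry_copy_stat(entry, &st);
	/* set the type after copy_stat() so it cannot be overridden */
	archive_entry_set_filetype(entry, AE_IFDIR);

	if (archive_write_header(archive, entry) != ARCHIVE_OK) {
		fprintf(stderr, "archive_write_header() failed: %s\n", archive_err(archive));
		goto out;
	}

	rc = 0;

out:
	archive_entry_free(entry);
	return rc;
}

/* Add the regular file at filename (an absolute path below CHALLENGEDIR,
 * already stat()ed into st) to archive under the same path without the
 * leading slash, so it is unpacked to the same location in the initramfs.
 * Returns 0 on success and -1 on failure. */
static int add_file(struct archive *archive, const char *filename, const struct stat *st) {
	struct archive_entry *entry;
	char buff[IOBUFSIZE];
	ssize_t len;
	int fdfile = -1, rc = -1;

	if ((entry = archive_entry_new()) == NULL) {
		fprintf(stderr, "archive_entry_new() failed.\n");
		return rc;
	}

	/* these do not return an exit code */
	archive_entry_set_pathname(entry, filename + 1);
	archive_entry_set_size(entry, st->st_size);
	archive_entry_set_filetype(entry, AE_IFREG);
	/* permissions inside the image; the image file itself is 0600, see main() */
	archive_entry_set_perm(entry, 0644);

	if (archive_write_header(archive, entry) != ARCHIVE_OK) {
		fprintf(stderr, "archive_write_header() failed: %s\n", archive_err(archive));
		goto out;
	}

	if ((fdfile = open(filename, O_RDONLY | O_CLOEXEC)) < 0) {
		perror("open() failed");
		goto out;
	}

	/* copy the content; the header above announced st_size bytes */
	while ((len = read(fdfile, buff, sizeof(buff))) > 0) {
		if (archive_write_data(archive, buff, (size_t)len) < 0) {
			fprintf(stderr, "archive_write_data() failed: %s\n", archive_err(archive));
			goto out;
		}
	}
	if (len < 0) {
		perror("read() failed");
		goto out;
	}

	rc = 0;

out:
	if (fdfile >= 0 && close(fdfile) < 0) {
		perror("close() failed");
		rc = -1;
	}
	archive_entry_free(entry);
	return rc;
}

/* Pack every regular file in CHALLENGEDIR into a newc cpio image at CPIOFILE
 * (written to a temporary file first and renamed into place), so the boot
 * loader can load the challenges as an additional initramfs.
 * Exits with EXIT_SUCCESS on success, EXIT_FAILURE otherwise. */
int main(int argc, char **argv) {
	int i;
	unsigned int version = 0, help = 0;
	char cpiotmpfile[] = CPIOTMPFILE;
	struct archive *archive = NULL;
	struct stat st;
	int fdarchive = -1, tmpcreated = 0;
	DIR *dir = NULL;
	struct dirent *ent;
	char *filename = NULL, *path = NULL, *slash;
	int rc = EXIT_FAILURE;

	/* get command line options */
	while ((i = getopt_long(argc, argv, optstring, options_long, NULL)) != -1)
		switch (i) {
			case 'h':
				help++;
				break;
			case 'V':
				version++;
				break;
		}

	if (version > 0)
		printf("%s: %s v%s (compiled: " __DATE__ ", " __TIME__ ")\n", argv[0], PROGNAME, VERSION);

	if (help > 0)
		fprintf(stderr, "usage: %s [-h|--help] [-V|--version]\n", argv[0]);

	if (version > 0 || help > 0)
		return EXIT_SUCCESS;

	/* mkstemp() creates the temporary image next to CPIOFILE with mode 0600
	 * and rename() below keeps that mode, so the challenge image stays
	 * readable by root only - at least where the file system enforces
	 * permissions (a FAT formatted ESP does not). */
	if ((fdarchive = mkstemp(cpiotmpfile)) < 0) {
		perror("mkstemp() failed");
		goto out;
	}
	tmpcreated = 1;

	if ((archive = archive_write_new()) == NULL) {
		fprintf(stderr, "archive_write_new() failed.\n");
		goto out;
	}

	if (archive_write_set_format_cpio_newc(archive) != ARCHIVE_OK) {
		fprintf(stderr, "archive_write_set_format_cpio_newc() failed: %s\n", archive_err(archive));
		goto out;
	}

	if (archive_write_open_fd(archive, fdarchive) != ARCHIVE_OK) {
		fprintf(stderr, "archive_write_open_fd() failed: %s\n", archive_err(archive));
		goto out;
	}

	/* Add the parents of CHALLENGEDIR as relative paths one level at a time
	 * ("etc", then "etc/ykfde.d") so the files below have their directories
	 * in the image. CHALLENGEDIR is expected to end with a slash. */
	if ((path = strdup(CHALLENGEDIR + 1)) == NULL) {
		perror("strdup() failed");
		goto out;
	}
	for (slash = strchr(path, '/'); slash != NULL; slash = strchr(slash + 1, '/')) {
		*slash = '\0';
		/* add_dir() returns -1 on failure */
		if (add_dir(archive, path) != 0) {
			fprintf(stderr, "add_dir() failed\n");
			goto out;
		}
		*slash = '/';
	}

	if ((dir = opendir(CHALLENGEDIR)) == NULL) {
		perror("opendir() failed");
		goto out;
	}

	while ((ent = readdir(dir)) != NULL) {
		/* sizeof(CHALLENGEDIR) already counts the terminating NUL */
		size_t fnlen = sizeof(CHALLENGEDIR) + strlen(ent->d_name);

		if ((filename = malloc(fnlen)) == NULL) {
			perror("malloc() failed");
			goto out;
		}
		snprintf(filename, fnlen, CHALLENGEDIR "%s", ent->d_name);

		if (stat(filename, &st) < 0) {
			perror("stat() failed");
			goto out;
		}

		/* only regular files are packed; ".", ".." and anything else are skipped */
		if (S_ISREG(st.st_mode) && add_file(archive, filename, &st) != 0)
			goto out;

		free(filename);
		filename = NULL;
	}

	if (closedir(dir) < 0) {
		dir = NULL;
		perror("closedir() failed");
		goto out;
	}
	dir = NULL;

	if (archive_write_close(archive) != ARCHIVE_OK) {
		fprintf(stderr, "archive_write_close() failed: %s\n", archive_err(archive));
		goto out;
	}

	if (archive_write_free(archive) != ARCHIVE_OK) {
		archive = NULL;
		fprintf(stderr, "archive_write_free() failed\n");
		goto out;
	}
	archive = NULL;

	/* make sure the image is on disk before it becomes visible under its
	 * final name; archive_write_open_fd() leaves the descriptor to us */
	if (fsync(fdarchive) < 0) {
		perror("fsync() failed");
		goto out;
	}
	if (close(fdarchive) < 0) {
		fdarchive = -1;
		perror("close() failed");
		goto out;
	}
	fdarchive = -1;

	/* rename(2) replaces an existing CPIOFILE atomically, so there is never
	 * a moment without a valid challenge image; unlinking the old image
	 * first would open exactly such a window. */
	if (rename(cpiotmpfile, CPIOFILE) < 0) {
		perror("rename() failed");
		goto out;
	}

	rc = EXIT_SUCCESS;

out:
	free(filename);
	free(path);
	if (dir != NULL)
		closedir(dir);
	if (archive != NULL)
		archive_write_free(archive);
	if (fdarchive >= 0)
		close(fdarchive);
	/* on failure remove the partially written temporary image */
	if (rc != EXIT_SUCCESS && tmpcreated)
		unlink(cpiotmpfile);

	return rc;
}

// vim: set syntax=c:
-------------------------------------------------------------------------------- /bin/worker.c: -------------------------------------------------------------------------------- 1 | /* 2 | * (C) 2014-2025 by Christian Hesse 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the GNU General Public License as published by 6 | * the Free Software Foundation, either version 3 of the License, or 7 | * (at your option) any later version. 8 | * 9 | * This program is distributed in the hope that it will be useful, 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | * GNU General Public License for more details. 13 | * 14 | * You should have received a copy of the GNU General Public License 15 | * along with this program. If not, see . 16 | * 17 | */ 18 | 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | 34 | #include 35 | 36 | #include 37 | 38 | #include 39 | 40 | #include 41 | #include 42 | #include 43 | 44 | #include "../config.h" 45 | 46 | /* Yubikey supports write of 64 byte challenge to slot, 47 | * returns HMAC-SHA1 response.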
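*
 * Lengths are defined in ykpers-1/ykdef.h:
 * SHA1_MAX_BLOCK_SIZE 64
 * SHA1_DIGEST_SIZE 20
 *
 * For passphrase we use hex encoded digest, that is
 * twice the length of binary digest. */
#define CHALLENGELEN SHA1_MAX_BLOCK_SIZE
#define RESPONSELEN SHA1_MAX_BLOCK_SIZE
#define PASSPHRASELEN SHA1_DIGEST_SIZE * 2

/* systemd's password agent directory and the prompt we answer */
#define ASK_PATH "/run/systemd/ask-password/"
#define ASK_MESSAGE "Please enter passphrase for disk"

/*** send_on_socket ***/
/* Send one datagram (packet, size bytes) to the AF_UNIX socket bound at
 * socket_name, using the already created descriptor fd.
 * Returns EXIT_SUCCESS, or -1 when socket_name does not fit into
 * sun_path or sendto() fails (the error is reported on stderr). */
static int send_on_socket(int fd, const char *socket_name, const void *packet, size_t size) {
	union {
		struct sockaddr sa;
		struct sockaddr_un un;
	} sa = {
		.un.sun_family = AF_UNIX,
	};
	size_t name_len = strlen(socket_name);

	/* Bound the copy by the source string, not by the destination:
	 * copying sizeof(sun_path) bytes reads past the end of socket_name,
	 * and an over-long name would be silently truncated. */
	if (name_len >= sizeof(sa.un.sun_path)) {
		fprintf(stderr, "socket path too long: %s\n", socket_name);
		return -1;
	}
	memcpy(sa.un.sun_path, socket_name, name_len + 1);

	if (sendto(fd, packet, size, MSG_NOSIGNAL, &sa.sa,
			offsetof(struct sockaddr_un, sun_path) + name_len) < 0) {
		perror("sendto() failed");
		return -1;
	}

	return EXIT_SUCCESS;
}

/*** yk_open_and_check ***/
/* Open the first Yubikey found.
 * serial:   when non-NULL, receives the key's serial number.
 * expected: when non-zero, the serial number the key must have; a
 *           mismatch closes the key again and fails. The comparison also
 *           runs when serial is NULL, so callers need no buffer for it.
 * Returns the open key, or NULL on failure. errno == EAGAIN from
 * yk_open_first_key() is not reported here (presumably "no key present");
 * callers decide how to treat it. */
static YK_KEY * yk_open_and_check(const unsigned int expected, unsigned int * serial) {
	YK_KEY * yk;
	unsigned int found = 0;
	unsigned int * serial_out = serial != NULL ? serial : &found;

	if ((yk = yk_open_first_key()) == NULL) {
		if (errno != EAGAIN)
			perror("yk_open_first_key() failed");
		return NULL;
	}

	/* nothing to read or compare: hand the key back as is */
	if (serial == NULL && expected == 0)
		return yk;

	/* read the serial number from key */
	if (yk_get_serial(yk, 0, 0, serial_out) == 0) {
		perror("yk_get_serial() failed");
		goto fail;
	}

	if (expected > 0 && expected != *serial_out) {
		fprintf(stderr, "Opened Yubikey with unexpected serial number (%u != %u)...\n",
				expected, *serial_out);
		goto fail;
	}

	return yk;

fail:
	/* close Yubikey */
	if (yk_close_key(yk) == 0)
		perror("yk_close_key() failed");

	return NULL;
}

/*** read_challenge ***/
static int read_challenge(const unsigned int serial, char * 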
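challenge) {
	int rc = -1;
	char challengefilename[sizeof(CHALLENGEDIR) + 11 /* "/challenge-" */ + 10 /* unsigned int in char */ + 1];
	int challengefile;
	ssize_t got;

	/* keep "%d": ykfde writes the file under the same format, so the
	 * names must agree */
	snprintf(challengefilename, sizeof(challengefilename), CHALLENGEDIR "/challenge-%d", serial);

	/* no challenge file for this serial: there is nothing we could answer
	 * with, so fail (-1, which main()'s "< 0" test catches) */
	if (access(challengefilename, R_OK) == -1)
		return rc;

	/* read challenge from file */
	if ((challengefile = open(challengefilename, O_RDONLY)) < 0) {
		perror("Failed opening challenge file for reading");
		return rc;
	}

	/* ykfde writes exactly CHALLENGELEN bytes; a short read would leave
	 * the tail of challenge zeroed and yield a wrong response */
	if ((got = read(challengefile, challenge, CHALLENGELEN)) < 0) {
		perror("Failed reading challenge from file");
		goto out;
	}
	if (got != CHALLENGELEN) {
		fprintf(stderr, "Challenge file is truncated (%zd of %d bytes)\n", got, (int) CHALLENGELEN);
		goto out;
	}

	rc = EXIT_SUCCESS;

out:
	close(challengefile);

	return rc;
}

/*** get_second_factor ***/
/* Fetch the second factor from the "ykfde-2f" user key in the user
 * keyring. Returns a heap copy of the payload (the caller wipes and
 * frees it), or NULL when no such key exists or reading it fails. */
static char * get_second_factor(void) {
	key_serial_t key;
	void * payload = NULL;

	/* get second factor from key store
	 * If this fails it is not critical... possibly we just do not
	 * use second factor.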
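*/
	key = keyctl_search(KEY_SPEC_USER_KEYRING, "user", "ykfde-2f", 0);

	/* no key (or a lookup error): no second factor in use */
	if (key <= 0)
		return NULL;

	/* if we have a key id we have a key - so this should succeed */
	if (keyctl_read_alloc(key, &payload) < 0) {
		perror("Failed reading payload from key");
		return NULL;
	}

	/* callers treat the payload as a NUL terminated string
	 * (keyctl_read_alloc() is assumed to terminate it) */
	return payload;
}

/*** get_response ***/
/* Ask the Yubikey with the given serial for the HMAC-SHA1 response to
 * challenge and hex encode it into passphrase (PASSPHRASELEN bytes).
 * When a second factor is found in the keyring, its bytes replace the
 * first half (at most CHALLENGELEN / 2) of the challenge first.
 * slot is the default Yubikey slot; the config file may override it
 * ("general" section first, then the section named after the serial).
 * Returns EXIT_SUCCESS, or -1 when the key cannot be opened, its serial
 * does not match, or the challenge/response fails; passphrase is left
 * untouched in that case. */
static int get_response(const unsigned int serial, uint8_t slot, char * challenge, char * passphrase) {
	int rc = -1;
	YK_KEY * yk;
	unsigned int found = 0;
	char response[RESPONSELEN];
	char * second_factor;
	size_t second_factor_len;
	/* iniparser */
	dictionary * ini;
	char section_ykslot[10 /* unsigned int in char */ + 1 + sizeof(CONFYKSLOT) + 1];

	memset(response, 0, RESPONSELEN);

	if ((second_factor = get_second_factor()) != NULL) {
		/* we replace part of the challenge with the second factor */
		second_factor_len = strlen(second_factor);
		memcpy(challenge, second_factor, second_factor_len < CHALLENGELEN / 2 ?
				second_factor_len : CHALLENGELEN / 2);
		/* wipe the secret before handing the memory back */
		memset(second_factor, 0, second_factor_len);
		free(second_factor);
	}

	/* try to read config file
	 * If anything here fails we do not care... slot 2 is the default.
	 */
	if ((ini = iniparser_load(CONFIGFILE)) != NULL) {
		/* first try the general setting */
		slot = iniparser_getint(ini, "general:" CONFYKSLOT, slot);

		/* "%d" matches the section name ykfde uses for the same serial */
		snprintf(section_ykslot, sizeof(section_ykslot), "%d:" CONFYKSLOT, serial);

		/* then probe for setting with serial number */
		slot = iniparser_getint(ini, section_ykslot, slot);

		/* accept both the human slot number and the ykpers constant */
		switch (slot) {
		case 1:
		case SLOT_CHAL_HMAC1:
			slot = SLOT_CHAL_HMAC1;
			break;
		case 2:
		case SLOT_CHAL_HMAC2:
		default:
			slot = SLOT_CHAL_HMAC2;
			break;
		}

		iniparser_freedict(ini);
	}

	/* open Yubikey and check that it is still the one with this serial:
	 * main() closed the key after reading the serial, so a different key
	 * could have been plugged in meanwhile. Passing a serial buffer makes
	 * yk_open_and_check() actually perform the comparison. */
	if ((yk = yk_open_and_check(serial, &found)) == NULL) {
		fprintf(stderr, "yk_open_and_check() failed\n");
		goto out1;
	}

	/* do challenge/response and encode to hex */
	if (yk_challenge_response(yk, slot, true,
			CHALLENGELEN, (unsigned char *) challenge,
			RESPONSELEN, (unsigned char *) response) == 0) {
		perror("yk_challenge_response() failed");
		goto out2;
	}

	yubikey_hex_encode((char *) passphrase, (char *) response, SHA1_DIGEST_SIZE);
	rc = EXIT_SUCCESS;

out2:
	/* close Yubikey */
	if (yk_close_key(yk) == 0)
		perror("yk_close_key() failed");

out1:
	memset(response, 0, RESPONSELEN);

	return rc;
}

/*** add_keyring ***/
/* Store passphrase (PASSPHRASELEN bytes) as the user key "cryptsetup" in
 * the user keyring (presumably for the cryptsetup unlock to pick up),
 * with a timeout. Returns EXIT_SUCCESS or -1. */
static int add_keyring(const char * passphrase) {
	key_serial_t key;

	/* add key to kernel key store
	 * The key goes straight into the user keyring and gets a timeout,
	 * so the passphrase does not stay around longer than needed.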
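*/
	if ((key = add_key("user", "cryptsetup", passphrase,
			PASSPHRASELEN, KEY_SPEC_USER_KEYRING)) < 0) {
		perror("add_key() failed");
		return -1;
	}

	/* Without the timeout the passphrase would stay in the keyring
	 * indefinitely, so do not leave the key behind when setting it fails. */
	if (keyctl_set_timeout(key, 150) < 0) {
		perror("keyctl_set_timeout() failed");
		if (keyctl_unlink(key, KEY_SPEC_USER_KEYRING) < 0)
			perror("keyctl_unlink() failed");
		return -1;
	}

	return EXIT_SUCCESS;
}

/*** answer_askpass ***/
/* Answer one systemd ask-password request. ask_file is the "ask.*" ini
 * file, read relative to the cwd (walk_askpass() chdir()s into ASK_PATH).
 * Only requests whose Message starts with ASK_MESSAGE are answered; the
 * reply is passphrase, PASSPHRASELEN + 1 bytes (the leading '+' included).
 * Returns EXIT_SUCCESS when the reply was sent, EXIT_FAILURE otherwise
 * (including "not our prompt"). */
static int answer_askpass(const char * ask_file, const char * passphrase) {
	int rc = EXIT_FAILURE, fd_askpass;
	const char * ask_message, * ask_socket;
	/* iniparser */
	dictionary * ini;

	if ((ini = iniparser_load(ask_file)) == NULL) {
		perror("cannot parse file");
		goto out1;
	}

	/* a request without a Message is not ours - never strncmp() a NULL */
	if ((ask_message = iniparser_getstring(ini, "Ask:Message", NULL)) == NULL)
		goto out2;

	if (strncmp(ask_message, ASK_MESSAGE, strlen(ASK_MESSAGE)) != 0)
		goto out2;

	if ((ask_socket = iniparser_getstring(ini, "Ask:Socket", NULL)) == NULL) {
		perror("Could not get socket name");
		goto out2;
	}

	if ((fd_askpass = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0)) < 0) {
		perror("socket() failed");
		goto out2;
	}

	/* compare against EXIT_SUCCESS rather than "< 0" so a failure is
	 * noticed whichever non-zero value send_on_socket() reports */
	if (send_on_socket(fd_askpass, ask_socket, passphrase, PASSPHRASELEN + 1) != EXIT_SUCCESS) {
		perror("send_on_socket() failed");
		goto out3;
	}

	rc = EXIT_SUCCESS;

out3:
	close(fd_askpass);

out2:
	iniparser_freedict(ini);

out1:
	return rc;
}

/*** walk_askpass ***/
/* Scan ASK_PATH for pending "ask.*" requests and hand each to
 * answer_askpass() until one is answered. Returns EXIT_FAILURE when the
 * directory cannot be entered or read, EXIT_SUCCESS otherwise (whether
 * or not a request was answered). */
static int walk_askpass(const char * passphrase) {
	int rc = EXIT_FAILURE;
	DIR * dir;
	struct dirent * ent;

	/* change to directory so we do not have to assemble complete/absolute path */
	if (chdir(ASK_PATH) != 0) {
		perror("chdir() failed");
		return rc;
	}

	/* Is the request already there?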
*/ 323 | if ((dir = opendir(ASK_PATH)) != NULL) { 324 | while ((ent = readdir(dir)) != NULL) { 325 | if (strncmp(ent->d_name, "ask.", 4) == 0) { 326 | if ((rc = answer_askpass(ent->d_name, passphrase)) == EXIT_SUCCESS) 327 | goto out; 328 | } 329 | } 330 | } else { 331 | perror ("opendir() failed"); 332 | return EXIT_FAILURE; 333 | } 334 | 335 | rc = EXIT_SUCCESS; 336 | 337 | out: 338 | closedir(dir); 339 | 340 | return rc; 341 | } 342 | 343 | /*** main ***/ 344 | int main(int argc, char **argv) { 345 | int8_t rc = EXIT_FAILURE; 346 | /* Yubikey */ 347 | YK_KEY * yk; 348 | uint8_t slot = SLOT_CHAL_HMAC2; 349 | unsigned int serial = 0; 350 | /* challenge and passphrase */ 351 | char challenge[CHALLENGELEN + 1]; 352 | char passphrase[PASSPHRASELEN + 2]; 353 | 354 | #ifdef DEBUG 355 | /* reopening stderr to /dev/console may help debugging... */ 356 | FILE * tmp = freopen("/dev/console", "w", stderr); 357 | (void) tmp; 358 | #endif 359 | 360 | /* check that we are running from systemd */ 361 | if (sd_notify(0, "READY=0\nSTATUS=Work in progress...") <= 0) { 362 | fprintf(stderr, "This is expected to run from a systemd service.\n"); 363 | goto out10; 364 | } 365 | 366 | /* initialize static memory */ 367 | memset(challenge, 0, CHALLENGELEN + 1); 368 | memset(passphrase, 0, PASSPHRASELEN + 2); 369 | 370 | *passphrase = '+'; 371 | 372 | /* init and open first Yubikey */ 373 | if (yk_init() == 0) { 374 | perror("yk_init() failed"); 375 | goto out10; 376 | } 377 | 378 | /* open Yubikey and get serial */ 379 | if ((yk = yk_open_and_check(0, &serial)) == NULL) { 380 | if (errno == EAGAIN) 381 | rc = EXIT_SUCCESS; 382 | goto out30; 383 | } 384 | 385 | /* close Yubikey */ 386 | if (yk_close_key(yk) == 0) { 387 | perror("yk_close_key() failed"); 388 | goto out30; 389 | } 390 | 391 | if ((rc = read_challenge(serial, challenge)) < 0) 392 | goto out30; 393 | 394 | if ((rc = get_response(serial, slot, challenge, passphrase + 1)) < 0) 395 | goto out30; 396 | 397 | if ((rc = 
add_keyring(passphrase + 1)) < 0) 398 | goto out30; 399 | 400 | if ((rc = walk_askpass(passphrase)) < 0) 401 | goto out30; 402 | 403 | out30: 404 | /* release Yubikey */ 405 | if (yk_release() == 0) 406 | perror("yk_release() failed"); 407 | 408 | out10: 409 | /* wipe challenge from memory */ 410 | memset(challenge, 0, CHALLENGELEN + 1); 411 | memset(passphrase, 0, PASSPHRASELEN + 2); 412 | 413 | /* notify systemd that we are ready 414 | This does not indicate whether or not we are successful, but prevents 415 | systemd from reporting: Failed with result 'protocol'. */ 416 | sd_notify(0, "READY=1\nSTATUS=All done."); 417 | 418 | return rc; 419 | } 420 | 421 | // vim: set syntax=c: 422 | -------------------------------------------------------------------------------- /bin/ykfde.c: -------------------------------------------------------------------------------- 1 | /* 2 | * (C) 2014-2025 by Christian Hesse 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the GNU General Public License as published by 6 | * the Free Software Foundation, either version 3 of the License, or 7 | * (at your option) any later version. 8 | * 9 | * This program is distributed in the hope that it will be useful, 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | * GNU General Public License for more details. 13 | * 14 | * You should have received a copy of the GNU General Public License 15 | * along with this program. If not, see . 
16 | * 17 | */ 18 | 19 | #define _GNU_SOURCE 20 | 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | 31 | #include 32 | 33 | #include 34 | 35 | #include 36 | 37 | #include 38 | #include 39 | #include 40 | 41 | #include 42 | 43 | #include "../config.h" 44 | #include "../version.h" 45 | 46 | #define PROGNAME "ykfde" 47 | 48 | /* Yubikey supports write of 64 byte challenge to slot, returns 49 | * HMAC-SHA1 response. 50 | * 51 | * Lengths are defined in ykpers-1/ykdef.h: 52 | * SHA1_MAX_BLOCK_SIZE 64 53 | * SHA1_DIGEST_SIZE 20 54 | * 55 | * For passphrase we use hex encoded digest, that is twice the 56 | * length of binary digest. */ 57 | #define CHALLENGELEN SHA1_MAX_BLOCK_SIZE 58 | #define RESPONSELEN SHA1_MAX_BLOCK_SIZE 59 | #define PASSPHRASELEN SHA1_DIGEST_SIZE * 2 60 | #define MAX2FLEN CHALLENGELEN / 2 61 | 62 | const static char optstring[] = "hn:Ns:SV"; 63 | const static struct option options_long[] = { 64 | /* name has_arg flag val */ 65 | { "help", no_argument, NULL, 'h' }, 66 | { "2nd-factor", required_argument, NULL, 's' }, 67 | { "ask-2nd-factor", no_argument, NULL, 'S' }, 68 | { "new-2nd-factor", required_argument, NULL, 'n' }, 69 | { "ask-new-2nd-factor", no_argument, NULL, 'N' }, 70 | { "version", no_argument, NULL, 'V' }, 71 | { 0, 0, 0, 0 } 72 | }; 73 | 74 | char * ask_secret(const char * text) { 75 | struct termios tp, tp_save; 76 | char * factor = NULL; 77 | size_t len; 78 | ssize_t readlen; 79 | bool onTerminal = false; 80 | 81 | /* get terminal properties */ 82 | if (tcgetattr(STDIN_FILENO, &tp) == 0) { 83 | onTerminal = true; 84 | tp_save = tp; 85 | 86 | /* disable echo on terminal */ 87 | tp.c_lflag &= ~ECHO; 88 | if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &tp) < 0) { 89 | fprintf(stderr, "Failed setting terminal attributes.\n"); 90 | return NULL; 91 | } 92 | 93 | printf("Please give %s:", text); 94 | } 95 | 96 | readlen = getline(&factor, &len, stdin); 97 | 
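if (readlen < 0) {
		/* EOF or read error: nothing was entered, do not index factor[-2] */
		free(factor);
		factor = NULL;
	} else if (readlen > 0 && factor[readlen - 1] == '\n') {
		/* strip the newline only when there is one (input may end at EOF) */
		factor[readlen - 1] = '\0';
	}

	if (onTerminal == true) {
		putchar('\n');

		/* restore terminal (also on the error path, so echo comes back) */
		if (tcsetattr(STDIN_FILENO, TCSANOW, &tp_save) < 0) {
			fprintf(stderr, "Failed to restore terminal attributes.\n");
			free(factor);
			return NULL;
		}
	}

	return factor;
}

/* Enroll or re-key the LUKS slot bound to the plugged-in Yubikey: generate
 * a fresh random challenge, store it under CHALLENGEDIR, obtain the key's
 * HMAC-SHA1 response (optionally mixed with a second factor) and set it as
 * the slot's passphrase. Options: -n/-N new second factor, -s/-S current
 * second factor, -h help, -V version. */
int main(int argc, char **argv) {
	unsigned int version = 0, help = 0, challenge_int[CHALLENGELEN];
	char challenge_old[CHALLENGELEN + 1],
	     challenge_new[CHALLENGELEN + 1],
	     response_old[RESPONSELEN],
	     response_new[RESPONSELEN],
	     passphrase_old[PASSPHRASELEN + 1],
	     passphrase_new[PASSPHRASELEN + 1];
	const char * tmp;
	char challengefilename[sizeof(CHALLENGEDIR) + 11 /* "/challenge-" */ + 10 /* unsigned int in char */ + 1],
	     challengefiletmpname[sizeof(CHALLENGEDIR) + 11 /* "/challenge-" */ + 10 /* unsigned int in char */ + 7 /* -XXXXXX */ + 1];
	/* 0 means "not open" for the cleanup labels */
	int challengefile = 0, challengefiletmp = 0;
	int i;
	size_t len;
	int8_t rc = EXIT_FAILURE;
	/* cryptsetup */
	const char * device_name;
	int8_t luks_slot = -1;
	/* NULL until crypt_init_by_name() succeeds: crypt_status() is called
	 * before that and crypt_free() runs on the error path, both of which
	 * accept NULL but not an indeterminate pointer */
	struct crypt_device *cryptdevice = NULL;
	crypt_status_info cryptstatus;
	crypt_keyslot_info cryptkeyslot;
	char * passphrase = NULL;
	/* keyutils */
	key_serial_t key = -1;
	void * payload = NULL;
	char * second_factor = NULL, * new_2nd_factor = NULL, * new_2nd_factor_verify = NULL;
	/* yubikey */
	YK_KEY * yk;
	uint8_t yk_slot = SLOT_CHAL_HMAC2;
	unsigned int serial = 0;
	/* iniparser */
	dictionary * ini;
	char section_ykslot[10 /* unsigned int in char */ + 1 + sizeof(CONFYKSLOT) + 1];
	char section_luksslot[10 + 1 + sizeof(CONFLUKSSLOT) + 1];

	/* get command line options */
	while ((i = getopt_long(argc, argv, optstring, options_long, NULL)) != -1)
		switch (i) {
		case 'h':
			help++;
			break;
		case 'n':
		case 'N':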
if (new_2nd_factor != NULL) { 157 | fprintf(stderr, "We already have a new second factor. Did you specify it twice?\n"); 158 | goto out10; 159 | } 160 | 161 | if (optarg == NULL) { /* N */ 162 | if ((new_2nd_factor = ask_secret("new second factor")) == NULL) 163 | goto out10; 164 | 165 | if ((new_2nd_factor_verify = ask_secret("new second factor for verification")) == NULL) 166 | goto out10; 167 | 168 | if (strcmp(new_2nd_factor, new_2nd_factor_verify) != 0) { 169 | fprintf(stderr, "Verification failed, given strings do not match.\n"); 170 | goto out10; 171 | } 172 | } else { /* n */ 173 | new_2nd_factor = strdup(optarg); 174 | memset(optarg, '*', strlen(optarg)); 175 | } 176 | 177 | break; 178 | case 's': 179 | case 'S': 180 | if (second_factor != NULL) { 181 | fprintf(stderr, "We already have a second factor. Did you specify it twice?\n"); 182 | goto out10; 183 | } 184 | 185 | if (optarg == NULL) { /* S */ 186 | second_factor = ask_secret("current second factor"); 187 | } else { /* s */ 188 | second_factor = strdup(optarg); 189 | memset(optarg, '*', strlen(optarg)); 190 | } 191 | 192 | break; 193 | case 'V': 194 | version++; 195 | break; 196 | } 197 | 198 | if (version > 0) 199 | printf("%s: %s v%s (compiled: " __DATE__ ", " __TIME__ ")\n", argv[0], PROGNAME, VERSION); 200 | 201 | if (help > 0) 202 | fprintf(stderr, "usage: %s [-h|--help] [-n|--new-2nd-factor ] [-N|--ask-new-2nd-factor]\n" 203 | " [-s|--2nd-factor <2nd-factor>] [-S|--ask-2nd-factor] [-V|--version]\n", argv[0]); 204 | 205 | if (version > 0 || help > 0) 206 | return EXIT_SUCCESS; 207 | 208 | /* initialize static buffers */ 209 | memset(challenge_int, 0, CHALLENGELEN * sizeof(unsigned int)); 210 | memset(challenge_old, 0, CHALLENGELEN + 1); 211 | memset(challenge_new, 0, CHALLENGELEN + 1); 212 | memset(response_old, 0, RESPONSELEN); 213 | memset(response_new, 0, RESPONSELEN); 214 | memset(passphrase_old, 0, PASSPHRASELEN + 1); 215 | memset(passphrase_new, 0, PASSPHRASELEN + 1); 216 | 217 | if ((ini 
= iniparser_load(CONFIGFILE)) == NULL) { 218 | fprintf(stderr, "Could not parse configuration file.\n"); 219 | goto out10; 220 | } 221 | 222 | if ((device_name = iniparser_getstring(ini, "general:" CONFDEVNAME, NULL)) == NULL) { 223 | /* read from crypttab? */ 224 | /* get device from currently open devices? */ 225 | fprintf(stderr, "Could not read LUKS device from configuration file.\n"); 226 | goto out20; 227 | } 228 | 229 | /* init and open first Yubikey */ 230 | if (yk_init() == 0) { 231 | perror("yk_init() failed"); 232 | goto out20; 233 | } 234 | 235 | if ((yk = yk_open_first_key()) == NULL) { 236 | fprintf(stderr, "No Yubikey available.\n"); 237 | goto out30; 238 | } 239 | 240 | /* read the serial number from key */ 241 | if (yk_get_serial(yk, 0, 0, &serial) == 0) { 242 | perror("yk_get_serial() failed"); 243 | goto out40; 244 | } 245 | 246 | /* get the yk slot */ 247 | sprintf(section_ykslot, "%d:" CONFYKSLOT, serial); 248 | yk_slot = iniparser_getint(ini, "general:" CONFYKSLOT, yk_slot); 249 | yk_slot = iniparser_getint(ini, section_ykslot, yk_slot); 250 | switch (yk_slot) { 251 | case 1: 252 | case SLOT_CHAL_HMAC1: 253 | yk_slot = SLOT_CHAL_HMAC1; 254 | break; 255 | case 2: 256 | case SLOT_CHAL_HMAC2: 257 | default: 258 | yk_slot = SLOT_CHAL_HMAC2; 259 | break; 260 | } 261 | 262 | /* get the luks slot */ 263 | sprintf(section_luksslot, "%d:" CONFLUKSSLOT, serial); 264 | luks_slot = iniparser_getint(ini, section_luksslot, luks_slot); 265 | if (luks_slot < 0) { 266 | fprintf(stderr, "Please set LUKS key slot for Yubikey with serial %d!\n" 267 | "Add something like this to " CONFIGFILE ":\n\n" 268 | "[%d]\nluks slot = 1\n", serial, serial); 269 | goto out40; 270 | } 271 | 272 | /* try to get a second factor */ 273 | if (iniparser_getboolean(ini, "general:" CONF2NDFACTOR, 0) > 0 && 274 | second_factor == NULL && new_2nd_factor == NULL) { 275 | if (sd_notify(0, "READY=0\nSTATUS=Detecting systemd...") == 0) 276 | fprintf(stderr, "Not running from systemd, you 
may have to give\n" 277 | "second factor manually if required.\n"); 278 | else if ((key = keyctl_search(KEY_SPEC_USER_KEYRING, "user", "ykfde-2f", 0)) < 0) 279 | /* get second factor from key store */ 280 | fprintf(stderr, "Failed requesting key. That's ok if you do not use\n" 281 | "second factor. Give it manually if required.\n"); 282 | 283 | /* if we have a key id we have a key - so this should succeed */ 284 | if (key > -1) { 285 | if (keyctl_read_alloc(key, &payload) < 0) { 286 | perror("Failed reading payload from key"); 287 | goto out40; 288 | } 289 | second_factor = payload; 290 | } 291 | } 292 | 293 | /* use an empty string if second_factor is still NULL */ 294 | if (second_factor == NULL) 295 | second_factor = strdup(""); 296 | 297 | /* warn when second factor is not enabled in config */ 298 | if (iniparser_getboolean(ini, "general:" CONF2NDFACTOR, 0) == 0 && 299 | ((second_factor != NULL && *second_factor != 0) || 300 | (new_2nd_factor != NULL && *new_2nd_factor != 0))) 301 | fprintf(stderr, "Warning: Processing second factor, but not enabled in config!\n"); 302 | 303 | /* get random number - try random first, fall back to urandom 304 | We generate an array of unsigned int, the use modulo to limit to printable 305 | ASCII characters (32 to 127). 
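*/
	{
		/* getrandom() returns a byte count or -1; folding -1 into a
		 * size_t (as the old code did) made the fallback read write
		 * outside challenge_int. Fill from the blocking pool first and
		 * top up from urandom until the whole array is covered. */
		size_t have = 0;
		ssize_t got = getrandom(challenge_int, sizeof(challenge_int), GRND_RANDOM|GRND_NONBLOCK);

		if (got > 0)
			have = (size_t) got;

		while (have < sizeof(challenge_int)) {
			got = getrandom((unsigned char *) challenge_int + have, sizeof(challenge_int) - have, 0);
			if (got < 0) {
				perror("getrandom() failed");
				goto out40;
			}
			have += (size_t) got;
		}
	}
	/* printable ASCII only (32..126) */
	for (i = 0; i < CHALLENGELEN; i++)
		challenge_new[i] = (challenge_int[i] % (127 - 32)) + 32;

	/* these are the filenames for challenge
	 * we need this for reading and writing */
	snprintf(challengefilename, sizeof(challengefilename), CHALLENGEDIR "/challenge-%d", serial);
	snprintf(challengefiletmpname, sizeof(challengefiletmpname), CHALLENGEDIR "/challenge-%d-XXXXXX", serial);

	/* write new challenge to file (mkstemp() creates it with mode 0600) */
	if ((challengefiletmp = mkstemp(challengefiletmpname)) < 0) {
		fprintf(stderr, "Could not open file %s for writing.\n", challengefiletmpname);
		goto out40;
	}
	/* a short write would leave a truncated challenge on disk */
	if (write(challengefiletmp, challenge_new, CHALLENGELEN) != CHALLENGELEN) {
		fprintf(stderr, "Failed to write challenge to file.\n");
		goto out50;
	}
	if (fsync(challengefiletmp) < 0) {
		fprintf(stderr, "Failed to sync file to disk.\n");
		goto out50;
	}
	/* 0 marks "not open" for the cleanup at out50 */
	if (close(challengefiletmp) < 0) {
		fprintf(stderr, "Failed to close challenge file.\n");
		challengefiletmp = 0;
		goto out50;
	}
	challengefiletmp = 0;

	/* now that the new challenge has been written to file...
	 * add second factor to new challenge */
	tmp = new_2nd_factor ? new_2nd_factor : second_factor;
	len = strlen(tmp);
	memcpy(challenge_new, tmp, len < MAX2FLEN ? len : MAX2FLEN);

	/* do challenge/response and encode to hex */
	if (yk_challenge_response(yk, yk_slot, true,
			CHALLENGELEN, (unsigned char *) challenge_new,
			RESPONSELEN, (unsigned char *) response_new) == 0) {
		perror("yk_challenge_response() failed");
		goto out50;
	}
	yubikey_hex_encode((char *) passphrase_new, (char *) response_new, SHA1_DIGEST_SIZE);

	/* get status of crypt device
	 * We expect this to be active (or busy). It is the actual root device, no?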
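*/
	/* crypt_status() accepts a NULL context; cryptdevice is not set up
	 * until crypt_init_by_name() below, so do not hand it over here */
	cryptstatus = crypt_status(NULL, device_name);
	if (cryptstatus != CRYPT_ACTIVE && cryptstatus != CRYPT_BUSY) {
		fprintf(stderr, "Device %s is invalid or inactive.\n", device_name);
		goto out50;
	}

	/* initialize crypt device */
	if (crypt_init_by_name(&cryptdevice, device_name) < 0) {
		fprintf(stderr, "Device %s failed to initialize.\n", device_name);
		/* no context to free yet, so skip out60 */
		goto out50;
	}

	cryptkeyslot = crypt_keyslot_status(cryptdevice, luks_slot);

	if (cryptkeyslot == CRYPT_SLOT_INVALID) {
		fprintf(stderr, "Key slot %d is invalid.\n", luks_slot);
		goto out60;
	} else if (cryptkeyslot == CRYPT_SLOT_ACTIVE || cryptkeyslot == CRYPT_SLOT_ACTIVE_LAST) {
		ssize_t readlen;

		/* the slot is in use: re-key it, which needs the old challenge */
		/* read challenge from file */
		if ((challengefile = open(challengefilename, O_RDONLY)) < 0) {
			perror("Failed opening challenge file for reading");
			goto out60;
		}

		/* the file holds exactly CHALLENGELEN bytes (see the write above);
		 * a short read would derive a wrong old passphrase */
		if ((readlen = read(challengefile, challenge_old, CHALLENGELEN)) < 0) {
			perror("Failed reading challenge from file");
			goto out60;
		}
		if (readlen != CHALLENGELEN) {
			fprintf(stderr, "Challenge file %s is truncated.\n", challengefilename);
			goto out60;
		}

		/* close() returns 0 on success, which also marks "not open" for out50 */
		challengefile = close(challengefile);
		/* finished reading challenge */

		/* copy the second factor */
		len = strlen(second_factor);
		memcpy(challenge_old, second_factor, len < MAX2FLEN ?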
len : MAX2FLEN); 383 | 384 | /* do challenge/response and encode to hex */ 385 | if (yk_challenge_response(yk, yk_slot, true, 386 | CHALLENGELEN, (unsigned char *) challenge_old, 387 | RESPONSELEN, (unsigned char *) response_old) == 0) { 388 | perror("yk_challenge_response() failed"); 389 | goto out60; 390 | } 391 | yubikey_hex_encode((char *) passphrase_old, (char *) response_old, SHA1_DIGEST_SIZE); 392 | 393 | if (crypt_keyslot_change_by_passphrase(cryptdevice, luks_slot, luks_slot, 394 | passphrase_old, PASSPHRASELEN, 395 | passphrase_new, PASSPHRASELEN) < 0) { 396 | fprintf(stderr, "Could not update passphrase for key slot %d.\n", luks_slot); 397 | goto out60; 398 | } 399 | 400 | if (renameat2(AT_FDCWD, challengefiletmpname, AT_FDCWD, challengefilename, RENAME_EXCHANGE) < 0) { 401 | fprintf(stderr, "Failed to rename (exchange) challenge files.\n"); 402 | goto out60; 403 | } 404 | 405 | if (unlink(challengefiletmpname) < 0) { 406 | fprintf(stderr, "Failed to delete old challenge file.\n"); 407 | goto out60; 408 | } 409 | } else { /* ck == CRYPT_SLOT_INACTIVE */ 410 | if ((passphrase = ask_secret("existing LUKS passphrase")) == NULL) 411 | goto out60; 412 | 413 | if (crypt_keyslot_add_by_passphrase(cryptdevice, luks_slot, 414 | passphrase, strlen(passphrase), 415 | passphrase_new, PASSPHRASELEN) < 0) { 416 | fprintf(stderr, "Could not add passphrase for key slot %d.\n", luks_slot); 417 | goto out60; 418 | } 419 | 420 | if (rename(challengefiletmpname, challengefilename) < 0) { 421 | fprintf(stderr, "Failed to rename new challenge file.\n"); 422 | goto out60; 423 | } 424 | } 425 | 426 | sd_notify(0, "READY=1\nSTATUS=All done."); 427 | 428 | rc = EXIT_SUCCESS; 429 | 430 | out60: 431 | /* free crypt context */ 432 | crypt_free(cryptdevice); 433 | 434 | out50: 435 | /* close the challenge file */ 436 | if (challengefile) 437 | close(challengefile); 438 | if (challengefiletmp) 439 | close(challengefiletmp); 440 | if (access(challengefiletmpname, F_OK) == 0) 441 | 
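unlink(challengefiletmpname);

out40:
	/* close Yubikey */
	if (yk_close_key(yk) == 0)
		perror("yk_close_key() failed");

out30:
	/* release Yubikey */
	if (yk_release() == 0)
		perror("yk_release() failed");

out20:
	/* free iniparser dictionary */
	iniparser_freedict(ini);

out10:
	/* wipe challenges, responses and passphrases (cleartext secrets!)
	 * from memory. These are statically allocated and always safe to
	 * wipe; explicit_bzero() is used because a memset() right before
	 * return is a dead store the compiler may drop. */
	explicit_bzero(challenge_int, sizeof(challenge_int));
	explicit_bzero(challenge_old, sizeof(challenge_old));
	explicit_bzero(challenge_new, sizeof(challenge_new));
	explicit_bzero(response_old, sizeof(response_old));
	explicit_bzero(response_new, sizeof(response_new));
	explicit_bzero(passphrase_old, sizeof(passphrase_old));
	explicit_bzero(passphrase_new, sizeof(passphrase_new));

	/* the heap copies hold the LUKS passphrase and the second factors:
	 * wipe them as well before the memory goes back to the allocator */
	if (passphrase != NULL)
		explicit_bzero(passphrase, strlen(passphrase));
	free(passphrase);
	if (new_2nd_factor_verify != NULL)
		explicit_bzero(new_2nd_factor_verify, strlen(new_2nd_factor_verify));
	free(new_2nd_factor_verify);
	if (new_2nd_factor != NULL)
		explicit_bzero(new_2nd_factor, strlen(new_2nd_factor));
	free(new_2nd_factor);
	if (second_factor != NULL)
		explicit_bzero(second_factor, strlen(second_factor));
	free(second_factor);

	return rc;
}

// vim: set syntax=c:
-------------------------------------------------------------------------------- /COPYING.md: --------------------------------------------------------------------------------
### GNU GENERAL PUBLIC LICENSE

Version 3, 29 June 2007

Copyright (C) 2007 Free Software Foundation, Inc.


Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.

### Preamble

The GNU General Public License is a free, copyleft license for
software and other kinds of works.

The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom
to share and change all versions of a program--to make sure it remains
free software for all its users.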
We, the Free Software Foundation, use 21 | the GNU General Public License for most of our software; it applies 22 | also to any other work released this way by its authors. You can apply 23 | it to your programs, too. 24 | 25 | When we speak of free software, we are referring to freedom, not 26 | price. Our General Public Licenses are designed to make sure that you 27 | have the freedom to distribute copies of free software (and charge for 28 | them if you wish), that you receive source code or can get it if you 29 | want it, that you can change the software or use pieces of it in new 30 | free programs, and that you know you can do these things. 31 | 32 | To protect your rights, we need to prevent others from denying you 33 | these rights or asking you to surrender the rights. Therefore, you 34 | have certain responsibilities if you distribute copies of the 35 | software, or if you modify it: responsibilities to respect the freedom 36 | of others. 37 | 38 | For example, if you distribute copies of such a program, whether 39 | gratis or for a fee, you must pass on to the recipients the same 40 | freedoms that you received. You must make sure that they, too, receive 41 | or can get the source code. And you must show them these terms so they 42 | know their rights. 43 | 44 | Developers that use the GNU GPL protect your rights with two steps: 45 | (1) assert copyright on the software, and (2) offer you this License 46 | giving you legal permission to copy, distribute and/or modify it. 47 | 48 | For the developers' and authors' protection, the GPL clearly explains 49 | that there is no warranty for this free software. For both users' and 50 | authors' sake, the GPL requires that modified versions be marked as 51 | changed, so that their problems will not be attributed erroneously to 52 | authors of previous versions. 
53 | 54 | Some devices are designed to deny users access to install or run 55 | modified versions of the software inside them, although the 56 | manufacturer can do so. This is fundamentally incompatible with the 57 | aim of protecting users' freedom to change the software. The 58 | systematic pattern of such abuse occurs in the area of products for 59 | individuals to use, which is precisely where it is most unacceptable. 60 | Therefore, we have designed this version of the GPL to prohibit the 61 | practice for those products. If such problems arise substantially in 62 | other domains, we stand ready to extend this provision to those 63 | domains in future versions of the GPL, as needed to protect the 64 | freedom of users. 65 | 66 | Finally, every program is threatened constantly by software patents. 67 | States should not allow patents to restrict development and use of 68 | software on general-purpose computers, but in those that do, we wish 69 | to avoid the special danger that patents applied to a free program 70 | could make it effectively proprietary. To prevent this, the GPL 71 | assures that patents cannot be used to render the program non-free. 72 | 73 | The precise terms and conditions for copying, distribution and 74 | modification follow. 75 | 76 | ### TERMS AND CONDITIONS 77 | 78 | #### 0. Definitions. 79 | 80 | "This License" refers to version 3 of the GNU General Public License. 81 | 82 | "Copyright" also means copyright-like laws that apply to other kinds 83 | of works, such as semiconductor masks. 84 | 85 | "The Program" refers to any copyrightable work licensed under this 86 | License. Each licensee is addressed as "you". "Licensees" and 87 | "recipients" may be individuals or organizations. 88 | 89 | To "modify" a work means to copy from or adapt all or part of the work 90 | in a fashion requiring copyright permission, other than the making of 91 | an exact copy. 
The resulting work is called a "modified version" of 92 | the earlier work or a work "based on" the earlier work. 93 | 94 | A "covered work" means either the unmodified Program or a work based 95 | on the Program. 96 | 97 | To "propagate" a work means to do anything with it that, without 98 | permission, would make you directly or secondarily liable for 99 | infringement under applicable copyright law, except executing it on a 100 | computer or modifying a private copy. Propagation includes copying, 101 | distribution (with or without modification), making available to the 102 | public, and in some countries other activities as well. 103 | 104 | To "convey" a work means any kind of propagation that enables other 105 | parties to make or receive copies. Mere interaction with a user 106 | through a computer network, with no transfer of a copy, is not 107 | conveying. 108 | 109 | An interactive user interface displays "Appropriate Legal Notices" to 110 | the extent that it includes a convenient and prominently visible 111 | feature that (1) displays an appropriate copyright notice, and (2) 112 | tells the user that there is no warranty for the work (except to the 113 | extent that warranties are provided), that licensees may convey the 114 | work under this License, and how to view a copy of this License. If 115 | the interface presents a list of user commands or options, such as a 116 | menu, a prominent item in the list meets this criterion. 117 | 118 | #### 1. Source Code. 119 | 120 | The "source code" for a work means the preferred form of the work for 121 | making modifications to it. "Object code" means any non-source form of 122 | a work. 123 | 124 | A "Standard Interface" means an interface that either is an official 125 | standard defined by a recognized standards body, or, in the case of 126 | interfaces specified for a particular programming language, one that 127 | is widely used among developers working in that language. 
128 | 129 | The "System Libraries" of an executable work include anything, other 130 | than the work as a whole, that (a) is included in the normal form of 131 | packaging a Major Component, but which is not part of that Major 132 | Component, and (b) serves only to enable use of the work with that 133 | Major Component, or to implement a Standard Interface for which an 134 | implementation is available to the public in source code form. A 135 | "Major Component", in this context, means a major essential component 136 | (kernel, window system, and so on) of the specific operating system 137 | (if any) on which the executable work runs, or a compiler used to 138 | produce the work, or an object code interpreter used to run it. 139 | 140 | The "Corresponding Source" for a work in object code form means all 141 | the source code needed to generate, install, and (for an executable 142 | work) run the object code and to modify the work, including scripts to 143 | control those activities. However, it does not include the work's 144 | System Libraries, or general-purpose tools or generally available free 145 | programs which are used unmodified in performing those activities but 146 | which are not part of the work. For example, Corresponding Source 147 | includes interface definition files associated with source files for 148 | the work, and the source code for shared libraries and dynamically 149 | linked subprograms that the work is specifically designed to require, 150 | such as by intimate data communication or control flow between those 151 | subprograms and other parts of the work. 152 | 153 | The Corresponding Source need not include anything that users can 154 | regenerate automatically from other parts of the Corresponding Source. 155 | 156 | The Corresponding Source for a work in source code form is that same 157 | work. 158 | 159 | #### 2. Basic Permissions. 
160 | 161 | All rights granted under this License are granted for the term of 162 | copyright on the Program, and are irrevocable provided the stated 163 | conditions are met. This License explicitly affirms your unlimited 164 | permission to run the unmodified Program. The output from running a 165 | covered work is covered by this License only if the output, given its 166 | content, constitutes a covered work. This License acknowledges your 167 | rights of fair use or other equivalent, as provided by copyright law. 168 | 169 | You may make, run and propagate covered works that you do not convey, 170 | without conditions so long as your license otherwise remains in force. 171 | You may convey covered works to others for the sole purpose of having 172 | them make modifications exclusively for you, or provide you with 173 | facilities for running those works, provided that you comply with the 174 | terms of this License in conveying all material for which you do not 175 | control copyright. Those thus making or running the covered works for 176 | you must do so exclusively on your behalf, under your direction and 177 | control, on terms that prohibit them from making any copies of your 178 | copyrighted material outside their relationship with you. 179 | 180 | Conveying under any other circumstances is permitted solely under the 181 | conditions stated below. Sublicensing is not allowed; section 10 makes 182 | it unnecessary. 183 | 184 | #### 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 185 | 186 | No covered work shall be deemed part of an effective technological 187 | measure under any applicable law fulfilling obligations under article 188 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 189 | similar laws prohibiting or restricting circumvention of such 190 | measures. 
191 | 192 | When you convey a covered work, you waive any legal power to forbid 193 | circumvention of technological measures to the extent such 194 | circumvention is effected by exercising rights under this License with 195 | respect to the covered work, and you disclaim any intention to limit 196 | operation or modification of the work as a means of enforcing, against 197 | the work's users, your or third parties' legal rights to forbid 198 | circumvention of technological measures. 199 | 200 | #### 4. Conveying Verbatim Copies. 201 | 202 | You may convey verbatim copies of the Program's source code as you 203 | receive it, in any medium, provided that you conspicuously and 204 | appropriately publish on each copy an appropriate copyright notice; 205 | keep intact all notices stating that this License and any 206 | non-permissive terms added in accord with section 7 apply to the code; 207 | keep intact all notices of the absence of any warranty; and give all 208 | recipients a copy of this License along with the Program. 209 | 210 | You may charge any price or no price for each copy that you convey, 211 | and you may offer support or warranty protection for a fee. 212 | 213 | #### 5. Conveying Modified Source Versions. 214 | 215 | You may convey a work based on the Program, or the modifications to 216 | produce it from the Program, in the form of source code under the 217 | terms of section 4, provided that you also meet all of these 218 | conditions: 219 | 220 | - a) The work must carry prominent notices stating that you modified 221 | it, and giving a relevant date. 222 | - b) The work must carry prominent notices stating that it is 223 | released under this License and any conditions added under 224 | section 7. This requirement modifies the requirement in section 4 225 | to "keep intact all notices". 226 | - c) You must license the entire work, as a whole, under this 227 | License to anyone who comes into possession of a copy. 
This 228 | License will therefore apply, along with any applicable section 7 229 | additional terms, to the whole of the work, and all its parts, 230 | regardless of how they are packaged. This License gives no 231 | permission to license the work in any other way, but it does not 232 | invalidate such permission if you have separately received it. 233 | - d) If the work has interactive user interfaces, each must display 234 | Appropriate Legal Notices; however, if the Program has interactive 235 | interfaces that do not display Appropriate Legal Notices, your 236 | work need not make them do so. 237 | 238 | A compilation of a covered work with other separate and independent 239 | works, which are not by their nature extensions of the covered work, 240 | and which are not combined with it such as to form a larger program, 241 | in or on a volume of a storage or distribution medium, is called an 242 | "aggregate" if the compilation and its resulting copyright are not 243 | used to limit the access or legal rights of the compilation's users 244 | beyond what the individual works permit. Inclusion of a covered work 245 | in an aggregate does not cause this License to apply to the other 246 | parts of the aggregate. 247 | 248 | #### 6. Conveying Non-Source Forms. 249 | 250 | You may convey a covered work in object code form under the terms of 251 | sections 4 and 5, provided that you also convey the machine-readable 252 | Corresponding Source under the terms of this License, in one of these 253 | ways: 254 | 255 | - a) Convey the object code in, or embodied in, a physical product 256 | (including a physical distribution medium), accompanied by the 257 | Corresponding Source fixed on a durable physical medium 258 | customarily used for software interchange. 
259 | - b) Convey the object code in, or embodied in, a physical product 260 | (including a physical distribution medium), accompanied by a 261 | written offer, valid for at least three years and valid for as 262 | long as you offer spare parts or customer support for that product 263 | model, to give anyone who possesses the object code either (1) a 264 | copy of the Corresponding Source for all the software in the 265 | product that is covered by this License, on a durable physical 266 | medium customarily used for software interchange, for a price no 267 | more than your reasonable cost of physically performing this 268 | conveying of source, or (2) access to copy the Corresponding 269 | Source from a network server at no charge. 270 | - c) Convey individual copies of the object code with a copy of the 271 | written offer to provide the Corresponding Source. This 272 | alternative is allowed only occasionally and noncommercially, and 273 | only if you received the object code with such an offer, in accord 274 | with subsection 6b. 275 | - d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 
287 | - e) Convey the object code using peer-to-peer transmission, 288 | provided you inform other peers where the object code and 289 | Corresponding Source of the work are being offered to the general 290 | public at no charge under subsection 6d. 291 | 292 | A separable portion of the object code, whose source code is excluded 293 | from the Corresponding Source as a System Library, need not be 294 | included in conveying the object code work. 295 | 296 | A "User Product" is either (1) a "consumer product", which means any 297 | tangible personal property which is normally used for personal, 298 | family, or household purposes, or (2) anything designed or sold for 299 | incorporation into a dwelling. In determining whether a product is a 300 | consumer product, doubtful cases shall be resolved in favor of 301 | coverage. For a particular product received by a particular user, 302 | "normally used" refers to a typical or common use of that class of 303 | product, regardless of the status of the particular user or of the way 304 | in which the particular user actually uses, or expects or is expected 305 | to use, the product. A product is a consumer product regardless of 306 | whether the product has substantial commercial, industrial or 307 | non-consumer uses, unless such uses represent the only significant 308 | mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to 312 | install and execute modified versions of a covered work in that User 313 | Product from a modified version of its Corresponding Source. The 314 | information must suffice to ensure that the continued functioning of 315 | the modified object code is in no case prevented or interfered with 316 | solely because modification has been made. 
317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or 331 | updates for a work that has been modified or installed by the 332 | recipient, or for the User Product in which it has been modified or 333 | installed. Access to a network may be denied when the modification 334 | itself materially and adversely affects the operation of the network 335 | or violates the rules and protocols for communication across the 336 | network. 337 | 338 | Corresponding Source conveyed, and Installation Information provided, 339 | in accord with this section must be in a format that is publicly 340 | documented (and with an implementation available to the public in 341 | source code form), and must require no special password or key for 342 | unpacking, reading or copying. 343 | 344 | #### 7. Additional Terms. 345 | 346 | "Additional permissions" are terms that supplement the terms of this 347 | License by making exceptions from one or more of its conditions. 348 | Additional permissions that are applicable to the entire Program shall 349 | be treated as though they were included in this License, to the extent 350 | that they are valid under applicable law. 
If additional permissions 351 | apply only to part of the Program, that part may be used separately 352 | under those permissions, but the entire Program remains governed by 353 | this License without regard to the additional permissions. 354 | 355 | When you convey a copy of a covered work, you may at your option 356 | remove any additional permissions from that copy, or from any part of 357 | it. (Additional permissions may be written to require their own 358 | removal in certain cases when you modify the work.) You may place 359 | additional permissions on material, added by you to a covered work, 360 | for which you have or can give appropriate copyright permission. 361 | 362 | Notwithstanding any other provision of this License, for material you 363 | add to a covered work, you may (if authorized by the copyright holders 364 | of that material) supplement the terms of this License with terms: 365 | 366 | - a) Disclaiming warranty or limiting liability differently from the 367 | terms of sections 15 and 16 of this License; or 368 | - b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | - c) Prohibiting misrepresentation of the origin of that material, 372 | or requiring that modified versions of such material be marked in 373 | reasonable ways as different from the original version; or 374 | - d) Limiting the use for publicity purposes of names of licensors 375 | or authors of the material; or 376 | - e) Declining to grant rights under trademark law for use of some 377 | trade names, trademarks, or service marks; or 378 | - f) Requiring indemnification of licensors and authors of that 379 | material by anyone who conveys the material (or modified versions 380 | of it) with contractual assumptions of liability to the recipient, 381 | for any liability that these contractual assumptions directly 382 | impose on those 
licensors and authors. 383 | 384 | All other non-permissive additional terms are considered "further 385 | restrictions" within the meaning of section 10. If the Program as you 386 | received it, or any part of it, contains a notice stating that it is 387 | governed by this License along with a term that is a further 388 | restriction, you may remove that term. If a license document contains 389 | a further restriction but permits relicensing or conveying under this 390 | License, you may add to a covered work material governed by the terms 391 | of that license document, provided that the further restriction does 392 | not survive such relicensing or conveying. 393 | 394 | If you add terms to a covered work in accord with this section, you 395 | must place, in the relevant source files, a statement of the 396 | additional terms that apply to those files, or a notice indicating 397 | where to find the applicable terms. 398 | 399 | Additional terms, permissive or non-permissive, may be stated in the 400 | form of a separately written license, or stated as exceptions; the 401 | above requirements apply either way. 402 | 403 | #### 8. Termination. 404 | 405 | You may not propagate or modify a covered work except as expressly 406 | provided under this License. Any attempt otherwise to propagate or 407 | modify it is void, and will automatically terminate your rights under 408 | this License (including any patent licenses granted under the third 409 | paragraph of section 11). 410 | 411 | However, if you cease all violation of this License, then your license 412 | from a particular copyright holder is reinstated (a) provisionally, 413 | unless and until the copyright holder explicitly and finally 414 | terminates your license, and (b) permanently, if the copyright holder 415 | fails to notify you of the violation by some reasonable means prior to 416 | 60 days after the cessation. 
417 | 418 | Moreover, your license from a particular copyright holder is 419 | reinstated permanently if the copyright holder notifies you of the 420 | violation by some reasonable means, this is the first time you have 421 | received notice of violation of this License (for any work) from that 422 | copyright holder, and you cure the violation prior to 30 days after 423 | your receipt of the notice. 424 | 425 | Termination of your rights under this section does not terminate the 426 | licenses of parties who have received copies or rights from you under 427 | this License. If your rights have been terminated and not permanently 428 | reinstated, you do not qualify to receive new licenses for the same 429 | material under section 10. 430 | 431 | #### 9. Acceptance Not Required for Having Copies. 432 | 433 | You are not required to accept this License in order to receive or run 434 | a copy of the Program. Ancillary propagation of a covered work 435 | occurring solely as a consequence of using peer-to-peer transmission 436 | to receive a copy likewise does not require acceptance. However, 437 | nothing other than this License grants you permission to propagate or 438 | modify any covered work. These actions infringe copyright if you do 439 | not accept this License. Therefore, by modifying or propagating a 440 | covered work, you indicate your acceptance of this License to do so. 441 | 442 | #### 10. Automatic Licensing of Downstream Recipients. 443 | 444 | Each time you convey a covered work, the recipient automatically 445 | receives a license from the original licensors, to run, modify and 446 | propagate that work, subject to this License. You are not responsible 447 | for enforcing compliance by third parties with this License. 448 | 449 | An "entity transaction" is a transaction transferring control of an 450 | organization, or substantially all assets of one, or subdividing an 451 | organization, or merging organizations. 
If propagation of a covered 452 | work results from an entity transaction, each party to that 453 | transaction who receives a copy of the work also receives whatever 454 | licenses to the work the party's predecessor in interest had or could 455 | give under the previous paragraph, plus a right to possession of the 456 | Corresponding Source of the work from the predecessor in interest, if 457 | the predecessor has it or can get it with reasonable efforts. 458 | 459 | You may not impose any further restrictions on the exercise of the 460 | rights granted or affirmed under this License. For example, you may 461 | not impose a license fee, royalty, or other charge for exercise of 462 | rights granted under this License, and you may not initiate litigation 463 | (including a cross-claim or counterclaim in a lawsuit) alleging that 464 | any patent claim is infringed by making, using, selling, offering for 465 | sale, or importing the Program or any portion of it. 466 | 467 | #### 11. Patents. 468 | 469 | A "contributor" is a copyright holder who authorizes use under this 470 | License of the Program or a work on which the Program is based. The 471 | work thus licensed is called the contributor's "contributor version". 472 | 473 | A contributor's "essential patent claims" are all patent claims owned 474 | or controlled by the contributor, whether already acquired or 475 | hereafter acquired, that would be infringed by some manner, permitted 476 | by this License, of making, using, or selling its contributor version, 477 | but do not include claims that would be infringed only as a 478 | consequence of further modification of the contributor version. For 479 | purposes of this definition, "control" includes the right to grant 480 | patent sublicenses in a manner consistent with the requirements of 481 | this License. 
482 | 483 | Each contributor grants you a non-exclusive, worldwide, royalty-free 484 | patent license under the contributor's essential patent claims, to 485 | make, use, sell, offer for sale, import and otherwise run, modify and 486 | propagate the contents of its contributor version. 487 | 488 | In the following three paragraphs, a "patent license" is any express 489 | agreement or commitment, however denominated, not to enforce a patent 490 | (such as an express permission to practice a patent or covenant not to 491 | sue for patent infringement). To "grant" such a patent license to a 492 | party means to make such an agreement or commitment not to enforce a 493 | patent against the party. 494 | 495 | If you convey a covered work, knowingly relying on a patent license, 496 | and the Corresponding Source of the work is not available for anyone 497 | to copy, free of charge and under the terms of this License, through a 498 | publicly available network server or other readily accessible means, 499 | then you must either (1) cause the Corresponding Source to be so 500 | available, or (2) arrange to deprive yourself of the benefit of the 501 | patent license for this particular work, or (3) arrange, in a manner 502 | consistent with the requirements of this License, to extend the patent 503 | license to downstream recipients. "Knowingly relying" means you have 504 | actual knowledge that, but for the patent license, your conveying the 505 | covered work in a country, or your recipient's use of the covered work 506 | in a country, would infringe one or more identifiable patents in that 507 | country that you have reason to believe are valid. 
508 | 509 | If, pursuant to or in connection with a single transaction or 510 | arrangement, you convey, or propagate by procuring conveyance of, a 511 | covered work, and grant a patent license to some of the parties 512 | receiving the covered work authorizing them to use, propagate, modify 513 | or convey a specific copy of the covered work, then the patent license 514 | you grant is automatically extended to all recipients of the covered 515 | work and works based on it. 516 | 517 | A patent license is "discriminatory" if it does not include within the 518 | scope of its coverage, prohibits the exercise of, or is conditioned on 519 | the non-exercise of one or more of the rights that are specifically 520 | granted under this License. You may not convey a covered work if you 521 | are a party to an arrangement with a third party that is in the 522 | business of distributing software, under which you make payment to the 523 | third party based on the extent of your activity of conveying the 524 | work, and under which the third party grants, to any of the parties 525 | who would receive the covered work from you, a discriminatory patent 526 | license (a) in connection with copies of the covered work conveyed by 527 | you (or copies made from those copies), or (b) primarily for and in 528 | connection with specific products or compilations that contain the 529 | covered work, unless you entered into that arrangement, or that patent 530 | license was granted, prior to 28 March 2007. 531 | 532 | Nothing in this License shall be construed as excluding or limiting 533 | any implied license or other defenses to infringement that may 534 | otherwise be available to you under applicable patent law. 535 | 536 | #### 12. No Surrender of Others' Freedom. 537 | 538 | If conditions are imposed on you (whether by court order, agreement or 539 | otherwise) that contradict the conditions of this License, they do not 540 | excuse you from the conditions of this License. 
If you cannot convey a 541 | covered work so as to satisfy simultaneously your obligations under 542 | this License and any other pertinent obligations, then as a 543 | consequence you may not convey it at all. For example, if you agree to 544 | terms that obligate you to collect a royalty for further conveying 545 | from those to whom you convey the Program, the only way you could 546 | satisfy both those terms and this License would be to refrain entirely 547 | from conveying the Program. 548 | 549 | #### 13. Use with the GNU Affero General Public License. 550 | 551 | Notwithstanding any other provision of this License, you have 552 | permission to link or combine any covered work with a work licensed 553 | under version 3 of the GNU Affero General Public License into a single 554 | combined work, and to convey the resulting work. The terms of this 555 | License will continue to apply to the part which is the covered work, 556 | but the special requirements of the GNU Affero General Public License, 557 | section 13, concerning interaction through a network will apply to the 558 | combination as such. 559 | 560 | #### 14. Revised Versions of this License. 561 | 562 | The Free Software Foundation may publish revised and/or new versions 563 | of the GNU General Public License from time to time. Such new versions 564 | will be similar in spirit to the present version, but may differ in 565 | detail to address new problems or concerns. 566 | 567 | Each version is given a distinguishing version number. If the Program 568 | specifies that a certain numbered version of the GNU General Public 569 | License "or any later version" applies to it, you have the option of 570 | following the terms and conditions either of that numbered version or 571 | of any later version published by the Free Software Foundation. 
If the 572 | Program does not specify a version number of the GNU General Public 573 | License, you may choose any version ever published by the Free 574 | Software Foundation. 575 | 576 | If the Program specifies that a proxy can decide which future versions 577 | of the GNU General Public License can be used, that proxy's public 578 | statement of acceptance of a version permanently authorizes you to 579 | choose that version for the Program. 580 | 581 | Later license versions may give you additional or different 582 | permissions. However, no additional obligations are imposed on any 583 | author or copyright holder as a result of your choosing to follow a 584 | later version. 585 | 586 | #### 15. Disclaimer of Warranty. 587 | 588 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 589 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 590 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT 591 | WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT 592 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 593 | A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND 594 | PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE 595 | DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR 596 | CORRECTION. 597 | 598 | #### 16. Limitation of Liability. 
599 | 600 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 601 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR 602 | CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 603 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES 604 | ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT 605 | NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR 606 | LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM 607 | TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER 608 | PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 609 | 610 | #### 17. Interpretation of Sections 15 and 16. 611 | 612 | If the disclaimer of warranty and limitation of liability provided 613 | above cannot be given local legal effect according to their terms, 614 | reviewing courts shall apply local law that most closely approximates 615 | an absolute waiver of all civil liability in connection with the 616 | Program, unless a warranty or assumption of liability accompanies a 617 | copy of the Program in return for a fee. 618 | 619 | END OF TERMS AND CONDITIONS 620 | 621 | ### How to Apply These Terms to Your New Programs 622 | 623 | If you develop a new program, and you want it to be of the greatest 624 | possible use to the public, the best way to achieve this is to make it 625 | free software which everyone can redistribute and change under these 626 | terms. 627 | 628 | To do so, attach the following notices to the program. It is safest to 629 | attach them to the start of each source file to most effectively state 630 | the exclusion of warranty; and each file should have at least the 631 | "copyright" line and a pointer to where the full notice is found. 
632 | 633 | 634 | Copyright (C) 635 | 636 | This program is free software: you can redistribute it and/or modify 637 | it under the terms of the GNU General Public License as published by 638 | the Free Software Foundation, either version 3 of the License, or 639 | (at your option) any later version. 640 | 641 | This program is distributed in the hope that it will be useful, 642 | but WITHOUT ANY WARRANTY; without even the implied warranty of 643 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 644 | GNU General Public License for more details. 645 | 646 | You should have received a copy of the GNU General Public License 647 | along with this program. If not, see . 648 | 649 | Also add information on how to contact you by electronic and paper 650 | mail. 651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands \`show w' and \`show c' should show the 661 | appropriate parts of the General Public License. Of course, your 662 | program's commands might be different; for a GUI interface, you would 663 | use an "about box". 664 | 665 | You should also get your employer (if you work as a programmer) or 666 | school, if any, to sign a "copyright disclaimer" for the program, if 667 | necessary. For more information on this, and how to apply and follow 668 | the GNU GPL, see . 669 | 670 | The GNU General Public License does not permit incorporating your 671 | program into proprietary programs. If your program is a subroutine 672 | library, you may consider it more useful to permit linking proprietary 673 | applications with the library. 
If this is what you want to do, use the 674 | GNU Lesser General Public License instead of this License. But first, 675 | please read . 676 | --------------------------------------------------------------------------------