Yubico Universal 2nd Factor (U2F) Host C Library

Introduction

Libu2f-host provides a C library and a command-line tool that implement the host side of the U2F protocol. There are APIs to talk to a U2F device and perform the U2F Register and U2F Authenticate operations. For the server side, see our libu2f-server project.

Note
This project is deprecated and is no longer being maintained. libfido2 is a new project with support for U2F and FIDO2.

License

The library and command-line tool are licensed under the LGPLv2+ license. Some other files are licensed under the GPLv3+ license. The license for each file should be clear from the comment at the top of it. See the files COPYING (for GPLv3) and COPYING.LGPLv2 for the complete license texts. If you want to use this package under another license, please contact us to discuss the reason. For any copyright year range specified as YYYY-ZZZZ in this package, note that the range covers every single year in that closed interval.

Usage

The library usage is documented in the API manual; see gtk-doc/html/ after you have built with ./configure --enable-gtk-doc.

There is a command-line utility that is useful for debugging or testing. Its use is described below.

Register

First get a register challenge JSON blob somehow. You could use the Yubico U2F demo server interactively in a browser (with the U2F extension disabled). Alternatively, use the WSAPI or our server-side library. For example (note that this demo call puts a username and password in the URL and on the command line, so they end up in your shell history and in server logs; use throwaway credentials):

$ curl 'https://demo.yubico.com/wsapi/u2f/enroll?username=jas&password=foo' > foo

For reference, a blob looks like this:

{"challenge": "6l8aRM6f35hwrramrt7sKt7gDkvTamt2rYrMgMYE9ro", "version": "U2F_V2", "appId": "https://demo.yubico.com/app-identity"}

Then invoke the u2f-host command, like this. The -o option gives the origin that is written into clientData; the appId that the device signs over is taken from the challenge blob:

$ u2f-host -aregister -o https://demo.yubico.com < foo > bar

Your U2F device should start to blink, and you should touch it to proceed. For reference, the output blob is:

{ "registrationData": "BQQOtd__bgnv8V6_T-E4914xE-Pb6ji1YMUoP0LDLDCGtzCHPwbkMLlxlo6C6fawnQ7671o85nSbek9v0m3_fK7fQBLviOeAdzHiknazlys7eXtC9DBraClKAhYO-2SuxHnyFS9Jfk2nNrib1dtJJNcfRJrOBGILWIIlXzSt5xV4VBgwggIbMIIBBaADAgECAgRAxBIlMAsGCSqGSIb3DQEBCzAuMSwwKgYDVQQDEyNZdWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAwMDBaGA8yMDUwMDkwNDAwMDAwMFowKjEoMCYGA1UEAwwfWXViaWNvIFUyRiBFRSBTZXJpYWwgMTA4NjU5MTUyNTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABK2iSVV7KGNEdPE-oHGvobNnHVw6ZZ6vB3jNIYB1C4t32OucHzMweHqM5CAMSMDHtfp1vuJYaiQSk7jb6M48WtejEjAQMA4GCisGAQQBgsQKAQEEADALBgkqhkiG9w0BAQsDggEBAVg0BoEHEEp4LJLYPYFACRGS8WZiXkCA8crYLgGnzvfKXwPwyKJlUzYxxv5xoRrl5zjkIUXhZ4mnHZVsnj9EY_VGDuRRzKX7YtxTZpFZn7ej3abjLhckTkkQ_AhUkmP7VuK2AWLgYsS8ejGUqughBsKvh_84uxTAEr5BS-OGg2yi7UIjd8W0nOCc6EN8d_8wCiPOjt2Y_-TKpLLTXKszk4UnWNzRdxBThmBBprJBZbF1VyVRvJm5yRLBpth3G8KMvrt4Nu3Ecoj_Q154IJpWe1Dp1upDFLOG9nWCRQk25Y264k9BDISfqs-wHvUjIo2iDnKl5UVoauTWaT7M6KuEwl4wRAIgU5qU72pCVD-bq68tETIKZ8aw7FRKviPVyFZc5Q8BlC0CICTc7_QuTWZFHwxGIotQO639WIllrPf1QqtvHCyzzKg_", "clientData": "eyAiY2hhbGxlbmdlIjogIjZsOGFSTTZmMzVod3JyYW1ydDdzS3Q3Z0RrdlRhbXQycllyTWdNWUU5cm8iLCAib3JpZ2luIjogImh0dHA6XC9cL2RlbW8ueXViaWNvLmNvbSIsICJ0eXAiOiAibmF2aWdhdG9yLmlkLmZpbmlzaEVucm9sbG1lbnQiIH0=" }

Then finish the U2F registration against the server:

$ curl https://demo.yubico.com/wsapi/u2f/bind -d "username=jas&password=foo&data=`cat bar`"

The output from that web service is JSON with some information.

{"username": "jas", "origin": "https://demo.yubico.com", "attest_cert": "-----BEGIN CERTIFICATE-----\nMIICGzCCAQWgAwIBAgIEQMQSJTALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXVi\naWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAw\nWhgPMjA1MDA5MDQwMDAwMDBaMCoxKDAmBgNVBAMMH1l1YmljbyBVMkYgRUUgU2Vy\naWFsIDEwODY1OTE1MjUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAStoklVeyhj\nRHTxPqBxr6GzZx1cOmWerwd4zSGAdQuLd9jrnB8zMHh6jOQgDEjAx7X6db7iWGok\nEpO42+jOPFrXoxIwEDAOBgorBgEEAYLECgEBBAAwCwYJKoZIhvcNAQELA4IBAQFY\nNAaBBxBKeCyS2D2BQAkRkvFmYl5AgPHK2C4Bp873yl8D8MiiZVM2Mcb+caEa5ec4\n5CFF4WeJpx2VbJ4/RGP1Rg7kUcyl+2LcU2aRWZ+3o92m4y4XJE5JEPwIVJJj+1bi\ntgFi4GLEvHoxlKroIQbCr4f/OLsUwBK+QUvjhoNsou1CI3fFtJzgnOhDfHf/MAoj\nzo7dmP/kyqSy01yrM5OFJ1jc0XcQU4ZgQaayQWWxdVclUbyZuckSwabYdxvCjL67\neDbtxHKI/0NeeCCaVntQ6dbqQxSzhvZ1gkUJNuWNuuJPQQyEn6rPsB71IyKNog5y\npeVFaGrk1mk+zOirhMJe\n-----END CERTIFICATE-----\n"}

Authenticate

To authenticate (also called sign), first acquire a challenge. Our demo server provides them.

$ curl 'https://demo.yubico.com/wsapi/u2f/sign?username=jas&password=foo' > foo

For reference the challenge is:

{"challenge": "Pa3eucFQrH-5c9CAEdGESJiIW9po_Sozs6EfPeYN3nM", "version": "U2F_V2", "keyHandle": "Eu-I54B3MeKSdrOXKzt5e0L0MGtoKUoCFg77ZK7EefIVL0l-Tac2uJvV20kk1x9Ems4EYgtYgiVfNK3nFXhUGA", "appId": "https://demo.yubico.com/app-identity"}

Invoke the u2f-host command as before; again your U2F device should blink and wait for a touch.

$ u2f-host -aauthenticate -o https://demo.yubico.com < foo > bar

For reference the response is:

{ "signatureData": "AQAAAAIwRAIgPIlfE6dsRykM5M_KG88hHjRh2ZdiyMakVUIKG9Q2w9QCIBcQYTOhD-D2McYQ2MK0xvoonqNnA0G_WEGNaHtttX32", "clientData": "eyAiY2hhbGxlbmdlIjogIlBhM2V1Y0ZRckgtNWM5Q0FFZEdFU0ppSVc5cG9fU296czZFZlBlWU4zbk0iLCAib3JpZ2luIjogImh0dHA6XC9cL2RlbW8ueXViaWNvLmNvbSIsICJ0eXAiOiAibmF2aWdhdG9yLmlkLmdldEFzc2VydGlvbiIgfQ==", "challenge": "Eu-I54B3MeKSdrOXKzt5e0L0MGtoKUoCFg77ZK7EefIVL0l-Tac2uJvV20kk1x9Ems4EYgtYgiVfNK3nFXhUGA" }

To use our demo server to verify it, you may use this call:

$ curl https://demo.yubico.com/wsapi/u2f/verify -d "username=jas&password=foo&data=`cat bar`"

On success, the output contains the device's signature counter and whether user presence (touch) was asserted. A relying party should store the counter per key handle and reject any response whose counter is not greater than the stored value, since a counter that fails to increase points to a cloned or replayed authenticator:

{"touch": "\u0001", "counter": 2}

That’s it!
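The two responses above are opaque until you know the raw message layout. The following Python is an added example for this page, not code from libu2f-host or from Yubico: it parses the registrationData and signatureData blobs printed in the Register and Authenticate sections (copied in as constructed test input), splits them into public key, key handle, attestation certificate, counter and DER signature, and runs the relying-party checks that need no signature verification (challenge echo, typ, user presence, strictly increasing counter). It also builds the exact byte strings the two signatures cover, so the output can be handed to any P-256 ECDSA verifier; it uses only the standard library and accepts base64url with or without "=" padding, which u2f-host has been seen to emit both ways.

```python
"""Parse and sanity-check u2f-host register/authenticate blobs (added example, stdlib only).
FIDO U2F raw message layouts used here:
  registrationData = 0x05 || userPublicKey(65) || L(1) || keyHandle(L) || attestationCert(DER) || signature(DER)
  signatureData    = userPresence(1) || counter(4, big-endian) || signature(DER)
Constants below are the blobs shown in this README, embedded as test input."""
import base64
import hashlib
import json

REG_CHALLENGE = '{"challenge": "6l8aRM6f35hwrramrt7sKt7gDkvTamt2rYrMgMYE9ro", "version": "U2F_V2", "appId": "https://demo.yubico.com/app-identity"}'
REG_RESPONSE = '{ "registrationData": "BQQOtd__bgnv8V6_T-E4914xE-Pb6ji1YMUoP0LDLDCGtzCHPwbkMLlxlo6C6fawnQ7671o85nSbek9v0m3_fK7fQBLviOeAdzHiknazlys7eXtC9DBraClKAhYO-2SuxHnyFS9Jfk2nNrib1dtJJNcfRJrOBGILWIIlXzSt5xV4VBgwggIbMIIBBaADAgECAgRAxBIlMAsGCSqGSIb3DQEBCzAuMSwwKgYDVQQDEyNZdWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAwMDBaGA8yMDUwMDkwNDAwMDAwMFowKjEoMCYGA1UEAwwfWXViaWNvIFUyRiBFRSBTZXJpYWwgMTA4NjU5MTUyNTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABK2iSVV7KGNEdPE-oHGvobNnHVw6ZZ6vB3jNIYB1C4t32OucHzMweHqM5CAMSMDHtfp1vuJYaiQSk7jb6M48WtejEjAQMA4GCisGAQQBgsQKAQEEADALBgkqhkiG9w0BAQsDggEBAVg0BoEHEEp4LJLYPYFACRGS8WZiXkCA8crYLgGnzvfKXwPwyKJlUzYxxv5xoRrl5zjkIUXhZ4mnHZVsnj9EY_VGDuRRzKX7YtxTZpFZn7ej3abjLhckTkkQ_AhUkmP7VuK2AWLgYsS8ejGUqughBsKvh_84uxTAEr5BS-OGg2yi7UIjd8W0nOCc6EN8d_8wCiPOjt2Y_-TKpLLTXKszk4UnWNzRdxBThmBBprJBZbF1VyVRvJm5yRLBpth3G8KMvrt4Nu3Ecoj_Q154IJpWe1Dp1upDFLOG9nWCRQk25Y264k9BDISfqs-wHvUjIo2iDnKl5UVoauTWaT7M6KuEwl4wRAIgU5qU72pCVD-bq68tETIKZ8aw7FRKviPVyFZc5Q8BlC0CICTc7_QuTWZFHwxGIotQO639WIllrPf1QqtvHCyzzKg_", "clientData": "eyAiY2hhbGxlbmdlIjogIjZsOGFSTTZmMzVod3JyYW1ydDdzS3Q3Z0RrdlRhbXQycllyTWdNWUU5cm8iLCAib3JpZ2luIjogImh0dHA6XC9cL2RlbW8ueXViaWNvLmNvbSIsICJ0eXAiOiAibmF2aWdhdG9yLmlkLmZpbmlzaEVucm9sbG1lbnQiIH0=" }'
AUTH_CHALLENGE = '{"challenge": "Pa3eucFQrH-5c9CAEdGESJiIW9po_Sozs6EfPeYN3nM", "version": "U2F_V2", "keyHandle": "Eu-I54B3MeKSdrOXKzt5e0L0MGtoKUoCFg77ZK7EefIVL0l-Tac2uJvV20kk1x9Ems4EYgtYgiVfNK3nFXhUGA", "appId": "https://demo.yubico.com/app-identity"}'
AUTH_RESPONSE = '{ "signatureData": "AQAAAAIwRAIgPIlfE6dsRykM5M_KG88hHjRh2ZdiyMakVUIKG9Q2w9QCIBcQYTOhD-D2McYQ2MK0xvoonqNnA0G_WEGNaHtttX32", "clientData": "eyAiY2hhbGxlbmdlIjogIlBhM2V1Y0ZRckgtNWM5Q0FFZEdFU0ppSVc5cG9fU296czZFZlBlWU4zbk0iLCAib3JpZ2luIjogImh0dHA6XC9cL2RlbW8ueXViaWNvLmNvbSIsICJ0eXAiOiAibmF2aWdhdG9yLmlkLmdldEFzc2VydGlvbiIgfQ==", "challenge": "Eu-I54B3MeKSdrOXKzt5e0L0MGtoKUoCFg77ZK7EefIVL0l-Tac2uJvV20kk1x9Ems4EYgtYgiVfNK3nFXhUGA" }'
APP_ID = "https://demo.yubico.com/app-identity"  # the appId field of both challenges

def b64url_decode(s):
    """Accept base64url with or without '=' padding (u2f-host emits both forms)."""
    s = s.rstrip("=")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def der_len(buf, off):
    """Total size (tag + length + value) of the DER SEQUENCE starting at buf[off]."""
    if off + 1 >= len(buf) or buf[off] != 0x30:
        raise ValueError("expected DER SEQUENCE at offset %d" % off)
    first = buf[off + 1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 2:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")

def parse_registration(response_json):
    """Split registrationData into its fields; any length mismatch raises ValueError."""
    resp = json.loads(response_json)
    raw = b64url_decode(resp["registrationData"])
    if len(raw) < 67 or raw[0] != 0x05 or raw[1] != 0x04:
        raise ValueError("bad reserved byte, or public key is not an uncompressed point")
    off = 67 + raw[66]                       # raw[66] is the key handle length
    key_handle = raw[67:off]
    cert_len = der_len(raw, off)
    cert, off = raw[off:off + cert_len], off + cert_len
    if off + der_len(raw, off) != len(raw):  # signature must end exactly at the end
        raise ValueError("trailing bytes after attestation signature")
    client_data = b64url_decode(resp["clientData"])
    return {"public_key": raw[1:66], "key_handle": key_handle, "cert": cert,
            "signature": raw[off:], "client_data": client_data,
            "client": json.loads(client_data)}

def parse_authentication(response_json):
    """Split signatureData into presence flag, counter and DER signature."""
    resp = json.loads(response_json)
    raw = b64url_decode(resp["signatureData"])
    if len(raw) < 5 or 5 + der_len(raw, 5) != len(raw):
        raise ValueError("signatureData has the wrong length")
    client_data = b64url_decode(resp["clientData"])
    return {"presence": raw[0], "counter": int.from_bytes(raw[1:5], "big"),
            "signature": raw[5:], "client_data": client_data,
            "client": json.loads(client_data)}

def registration_signed_message(app_id, reg):
    """Bytes the attestation signature covers (verify with the cert's P-256 key).
    clientData is hashed exactly as transmitted, never re-serialized."""
    return (b"\x00" + hashlib.sha256(app_id.encode()).digest()
            + hashlib.sha256(reg["client_data"]).digest()
            + reg["key_handle"] + reg["public_key"])

def authentication_signed_message(app_id, auth):
    """Bytes the assertion signature covers (verify with the registered public key)."""
    return (hashlib.sha256(app_id.encode()).digest() + bytes([auth["presence"]])
            + auth["counter"].to_bytes(4, "big")
            + hashlib.sha256(auth["client_data"]).digest())

def client_problems(client, challenge_json, typ):
    """Checks on the decoded clientData: challenge echo and message type."""
    challenge = json.loads(challenge_json)
    problems = []
    if client.get("challenge") != challenge["challenge"]:
        problems.append("clientData echoes a different challenge")
    if client.get("typ") != typ:
        problems.append("unexpected typ %r" % client.get("typ"))
    return problems

def check_registration(challenge_json, response_json):
    """Relying-party checks needing no signature verification; [] means all passed."""
    reg = parse_registration(response_json)
    return client_problems(reg["client"], challenge_json, "navigator.id.finishEnrollment")

def check_authentication(challenge_json, response_json, last_counter):
    """Same for authentication, plus user presence and the anti-clone counter rule."""
    auth = parse_authentication(response_json)
    problems = client_problems(auth["client"], challenge_json, "navigator.id.getAssertion")
    if not auth["presence"] & 0x01:
        problems.append("user presence not asserted")
    if auth["counter"] <= last_counter:
        problems.append("counter %d not above stored %d: cloned or replayed token?"
                        % (auth["counter"], last_counter))
    return problems

if __name__ == "__main__":
    reg, auth = parse_registration(REG_RESPONSE), parse_authentication(AUTH_RESPONSE)
    print("cert %d bytes, sig %d bytes, problems %r" % (len(reg["cert"]), len(reg["signature"]), check_registration(REG_CHALLENGE, REG_RESPONSE)))
    print("presence %d counter %d" % (auth["presence"], auth["counter"]))
    print("stored counter 1:", check_authentication(AUTH_CHALLENGE, AUTH_RESPONSE, 1), "stored counter 2:", check_authentication(AUTH_CHALLENGE, AUTH_RESPONSE, 2))
```

A real relying party additionally checks the origin in clientData against its allow list, validates the attestation certificate chain if it cares about device provenance, and verifies the two ECDSA signatures over the byte strings the two *_signed_message functions return; the counter and challenge checks above are the cheap ones that still catch replays and cloned keys.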

Building

Dependencies

  • Pkg-config simplifies finding other dependencies.

  • The JSON-C library is needed.

  • You will also need HIDAPI installed.

All of the above can be installed in Debian via:

apt-get install pkg-config libjson0-dev libhidapi-hidraw0 libhidapi-dev

Instructions

This project uses autoconf, automake and libtool to achieve portability and ease of use. If you downloaded a tarball, build it as follows:

$ ./configure --enable-gtk-doc
$ make check && sudo make install

Building from Git

You may check out the sources using Git with the following command:

$ git clone https://github.com/Yubico/libu2f-host.git

This will create a directory libu2f-host. Enter the directory:

$ cd libu2f-host

Autoconf, automake and libtool must be installed. Help2man is used to generate the manpages. GTK-DOC is used to generate the API documentation. Gengetopt is needed for command-line parameter handling. HIDAPI developer files are also required. All of the above can be installed in Debian via:

apt-get install gtk-doc-tools gengetopt help2man

Generate the build system using:

$ make

See cfg.mk for some settings.

Portability

The main development platform is Debian GNU/Linux and it should be well supported. Windows and Mac OS X are important platforms and we support them fully as well.

Building Mac binaries can be done using macosx.mk. The resulting binaries have been tested successfully on Mac OS X 10.7 and 10.9.

$ make -f macosx.mk VERSION=X.Y.Z

Windows binaries can be cross-compiled using windows.mk. For this to work the packages wine, mingw-w64 and mingw-w64-dev are required. The resulting binaries have been tested successfully on Windows 7 Pro 32-bit.

$ make -f windows.mk VERSION=X.Y.Z

Both of these require that a release tarball of the project exists in the current directory. The value of the VERSION variable must match the version on that tarball.

Building from Git works on FreeBSD (excluding documentation), using gmake. Dependencies may be installed via:

# pkg install gengetopt help2man hidapi json-c u2f-devd

And then configure and build using:

$ ./configure --disable-gtk-doc
$ gmake

Namespaces

Project name: Yubico Universal 2nd Factor (U2F) Host C Library
Short name: libu2f-host
Symbol prefix: u2fh_
Tool: u2f-host
Pkg-config: u2f-host

libu2f-host's Issues

Uniquely Identifying a Yubico U2F Key

Please help me out with this trivial question; we have developed a whole solution around the Yubico U2F keys and used this specific lib to develop our plugins and integration components. But now we are facing a very complicated issue: we need to be able to identify a specific key (let's say when lost) and link it back to a specific user.

I know that the random challenge/response algorithm (no serial number other than the root cert's serial, which is static on all our keys) does not allow for this to be done because of the randomness around it, so I am hoping that something in the lib (maybe in the HID device details or any other identifier) can assist us in uniquely identifying every key.

PLEASE PLEASE can you assist or guide us in the right direction here...

function u2fh_register2 get wrong result because pointer error

I use the function u2fh_register2 to test my token, but I get puzzling results.
So I wrote simple test code to reproduce the puzzling results.
You may have noticed that the &p in str2 is different from main's &p.
Please fix it. Thank you.

Test Code

#include <stdio.h>
#include <stdlib.h>

/* Receives the address of a pointer variable and prints that address. */
void test_addr(char **p) {
	printf("test_p = %p\n", p);
}

/* Passes the caller's &p straight through. */
void str1(char **p) {
	printf("str1_**p = %p\n", p);
	test_addr(p);
}

/* Here p is str2's own parameter, a by-value copy of the pointer; &p is the
   address of that copy on str2's stack frame, not the address of main's p. */
void str2(char *p) {
	printf("str2_*p = %p\n", p);
	printf("str2_**p = %p\n", &p);
	test_addr(&p);
}

int main(int argc, char const *argv[])
{
	char *p = (char *)malloc(10 * sizeof(char));
	printf("mainp = %p main&p = %p\n", p, &p);
	str1(&p);   /* address of main's variable p */
	str2(p);    /* value of p only; str2 gets its own copy */
	free(p);
	return 0;
}

Result

mainp = 00BA13A8 main&p = 0060FF2C
str1_**p = 0060FF2C
test_p = 0060FF2C
str2_*p = 00BA13A8
str2_**p = 0060FF10
test_p = 0060FF10

Build fails on Mac OS X 10.9

Building seems to fail on Mavericks currently. Here's a Gist of the full build log: https://gist.github.com/jm/fdedca2e5183b55fe8e5

It appears to assume there is a downloaded source package ($(PACKAGE)-$(VERSION).tar.xz), but even when I fix that by having it simply use the source already cloned (i.e., removing those lines and having it set the path to the root of the cloned source), it fails with syntax errors and a number of other issues from the generated build files.

Am I doing something incorrectly or do I have to do something other than make -f macosx.mk VERSION=0.0 as the README says?

Makefile for MacOS X could be improved

I have taken a look at the Makefile used in MacOS X macosx.mk and it is very monolithic and uses one target only. This could be improved for easier understanding and to be able to use this makefile for development builds, too.

Install error on OSX

I tried to install it on Mac 10.8.5 with make -f macosx.mk VERSION=0.0, but it failed,

make[2]: Nothing to be done for `check'.
make[2]: Nothing to be done for `check-am'.
cp: ../libu2f-host-0.0.tar.xz: No such file or directory

make: *** [doit] Error 1

Is there something lost in my git clone ?

libu2f-host.so.0 not found after build

My system was initially not able to find the libu2f-host.so.0 file after building. Below is an output message for u2f-host:

u2f-host: error while loading shared libraries: libu2f-host.so.0: cannot open shared object file: No such file or directory

The issue can be resolved by updating LD_LIBRARY_PATH as follows:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib

Can this be added to the main project page?

Document udev rule

Make sure the udev rule works everywhere and document how it is to be used. Compare ykpers.

/bin/bash: gtkdoc-mktmpl: command not found

When I try to compile the code, I get the following error:

Makefile:812: recipe for target 'tmpl-build.stamp' failed
make[2]: *** [tmpl-build.stamp] Error 127
make[2]: Leaving directory '/root/libu2f-host/gtk-doc'
Makefile:641: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/root/libu2f-host'
Makefile:552: recipe for target 'all' failed
make: *** [all] Error 2
root@sheldon-XPS13-9333:~/libu2f-host#

libu2f-host fails to connect to YubiKey NEO on Mac OS X

I've installed libu2f-host-1.1.2 from the Yubico release for Mac. The token has been fully provisioned and used with Chrome to connect to the Yubico U2F demo web site.

Any attempt to use u2f-host or discover-test from the bin/ directory fails to even properly talk to the NEO:

$ ~/Downloads/libu2f-host-1.1.2/bin/discover-test -d
USB send: 00ffffffff8600080807060504030201000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
USB read rc read 64
USB recv: ffffffff86001108070605040302010900b44d020101000100000000000000000000000000000000000000000000000000000000000000000000000000000000
device USB_1050_0116_14100000 discovered as 'Yubikey NEO OTP+U2F+CCID'
  version (Interface, Major, Minor, Build): 2, 1, 1, 0  capFlags: 1
USB send: 000900b44d8100010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
USB read rc read 64
USB recv: 0900b44d810001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
error: u2fh_devs_discover (-5): cannot find U2F device
max: 0
max: 0
$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Yubico Yubikey NEO OTP+U2F+CCID
$

Demo example for HID api given in the README, also fails:

$ ./demo
Successfully initialized HID API...
Successfully opened HID device...
Segmentation fault: 11
$ 

Here's the complete source:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#include <hidapi/hidapi.h>

#define MAX_STR 255

/* VID/PID inherited from the hidapi sample program (a Microchip demo board).
 * Set them to the device you actually want to open; the NEO enumerated above
 * as USB_1050_0116, i.e. VID 0x1050, PID 0x0116. */
#define DEF_VID 0x4d8
#define DEF_PID 0x3f

int main(int argc, char* argv[])
{
    int res;
    unsigned char buf[65];
    wchar_t wstr[MAX_STR];
    hid_device *handle;
    int i;

    // Initialize the hidapi library
    res = hid_init();
    if (res != 0) {
      wprintf(L"Failed to initialize HID API lib: %d\n", res);
      exit(res);
    } else {
      wprintf(L"Successfully initialized HID API...\n");
    }

    // Open the device using the VID, PID, and optionally the serial number.
    // hid_open() returns a pointer and NULL on failure: the original
    // "handle < 0" test never fires, and hid_open(0, 0, NULL) then handed a
    // NULL handle to every later call, which is the segmentation fault above.
    handle = hid_open(DEF_VID, DEF_PID, NULL);
    if (handle == NULL) {
      wprintf(L"Failed to open HID device %04x:%04x\n", DEF_VID, DEF_PID);
      hid_exit();
      return 1;
    }
    wprintf(L"Successfully opened HID device...\n");

    // Read the Manufacturer String (%ls: wstr is wchar_t, not char)
    res = hid_get_manufacturer_string(handle, wstr, MAX_STR);
    if (res < 0) {
      wprintf(L"Failed to read manufacturer string: %d\n", res);
    } else {
      wprintf(L"Manufacturer String: %ls\n", wstr);
    }

    // Read the Product String
    res = hid_get_product_string(handle, wstr, MAX_STR);
    if (res < 0) {
      wprintf(L"Failed to read product string: %d\n", res);
    } else {
      wprintf(L"Product String: %ls\n", wstr);
    }

    // Read the Serial Number String
    res = hid_get_serial_number_string(handle, wstr, MAX_STR);
    if (res < 0) {
      wprintf(L"Failed to read serial number string: %d\n", res);
    } else {
      wprintf(L"Serial Number String: (%d) %ls\n", wstr[0], wstr);
    }

    // Read Indexed String 1
    res = hid_get_indexed_string(handle, 1, wstr, MAX_STR);
    if (res < 0) {
      wprintf(L"Failed to read indexed string 1: %d\n", res);
    } else {
      wprintf(L"Indexed String 1: %ls\n", wstr);
    }

    // Commands 0x80/0x81 are also from the hidapi sample and mean nothing to
    // a U2F token; they only exercise hid_write()/hid_read(). The first byte
    // is the report number (0x0); the rest of the 65-byte report is zeroed so
    // no uninitialized stack bytes are sent.
    memset(buf, 0, sizeof buf);
    buf[0] = 0x0;
    buf[1] = 0x80;
    res = hid_write(handle, buf, sizeof buf);
    if (res < 0) {
      wprintf(L"Failed to write \"Toggle LED\" command: %d\n", res);
    } else {
      wprintf(L"Wrote \"Toggle LED\"...\n");
    }

    // Request state (cmd 0x81). The first byte is the report number (0x0).
    memset(buf, 0, sizeof buf);
    buf[0] = 0x0;
    buf[1] = 0x81;
    res = hid_write(handle, buf, sizeof buf);
    if (res < 0) {
      wprintf(L"Failed to request state: %d\n", res);
    } else {
      wprintf(L"Requested state...\n");
    }

    // Read requested state
    res = hid_read(handle, buf, sizeof buf);
    if (res < 0) {
      wprintf(L"Failed to read requested state: %d\n", res);
    } else {
      wprintf(L"Successfully read requested state:\n");
    }

    // Print out the returned buffer (wprintf throughout: stdout has been
    // set to wide orientation, so mixing in printf() is undefined).
    for (i = 0; i < 4; i++)
        wprintf(L"buf[%d]: %d\n", i, buf[i]);

    // Release the device, then finalize the hidapi library
    hid_close(handle);
    res = hid_exit();
    if (res < 0) {
      wprintf(L"Failed to cleanly hid_exit(): %d\n", res);
    } else {
      wprintf(L"Successfully exiting.\n");
    }

    return 0;
}

Help is appreciated!

Specify license for udev rules

The license section of the readme indicates that the license should be clear from comment at the top of the file. I'm looking to package up only the udev files and would like to know which license to mark it as.

Inconsistent URL scheme restrictions

pamu2fcfg lets you use arbitrary URL schemes:

pamu2fcfg -o ssh:// -i ssh:// -u brian

The pam_u2f module happily accepts these arbitrary URL schemes:

auth sufficient pam_u2f.so debug manual origin=ssh://

And it generates challenges for them:

Now please copy-paste the below challenge(s) to 'u2f-host -aauthenticate -o ssh://'
{ "keyHandle": "veLxrf9NWAI_Y5-0dfAkp3UiIknKJPtNJ8vKLhQGitg7QhyHDA6kFHY6-mio0qpPtttHOGmJWGtvQ5cuOjmw9A", "version": "U2F_V2", "challenge": "StYAl-MqRhJiic9ftRGRzwNnkcA1p6cteCkB-7mvXE0", "appId": "ssh:\/\/" }
Now, please enter the response(s) below, one per line.
[0]:

But u2f-host doesn't permit them:

$ u2f-host -aauthenticate -o ssh://
error: origin must be pam, http or https

(aside: it also doesn't validate the origin scheme until after stdin is closed, whereas it could do immediately)

So this appears to be inconsistent. Either u2f-host should allow arbitrary schemes; or pamu2fcfg / pam_u2f should enforce the same limitations.

I'm filing this against libu2f-host because I don't see a particular reason in the U2F documentation to limit origins to those three schemes, nor can I find any official documentation of the pam scheme.

I can find examples of app IDs with apk: and ios: schemes.

Duplicate Registration of the same device

Hi, I have a doubt. I have set up a complete solution around the Yubico U2F keys. But now, I cannot stop duplicate registration of the same device for a user for the same app id. When checking the key handles in my database, they show different values for each of the duplicate registrations. Please help me out.
Is it something related to the high-level/low-level JavaScript API?

Split packages by license: LGPLv2 vs. GPLv3

It's great that parts of the libu2f-host package are now LGPLv2 licensed. However, other parts are still GPLv3, and the only way to tell which is which is checking the license headers in individual source files. Having a package with per-file licensing is very confusing and error-prone.

The ideal solution would be splitting into two packages, each with a single license. Then organizations that cannot use GPLv3 code could import the LGPLv2 code with no fear of accidentally using the wrong file and causing legal problems.

libu2f-host Ubuntu build issues

Following the "Building from Git" instructions on the libu2f-host main project page yielded errors for me. Solving them was a matter of apt-get installing the following:

dblatex

Should these packages be added to the "apt-get install gtk-doc-tools gengetopt help2man" build instruction?

Windows.mk Compile Issues

Hi Guys,

I am trying, and have been for a while now, to compile the library to work on Windows without any success. I manage to get the windows.mk file to compile up to the "cp ../$(PACKAGE)-$(VERSION).tar.xz ." line (line 51) after I removed all the $(HOST) entries from the file, but I am stuck at resolving it from here onwards. NOTE: If I leave the $(HOST) entries in the file, the json and hidapi builds also fail with errors.

I installed a 32 and a 64 version of Debian running on VirtualBox just to complete the compile without any success :(

Can someone please assist. I have also tried to compile the tar.gz version with the same results.

The compiler complains that it can't find the ../$(PACKAGE)-$(VERSION).tar.xz file.

Please assist.

Authenticate with several keyhandles

The library should have a function that accepts a list of keyhandles for authentication, doing the work to loop through them and send the correct handle to the correct authenticator.

Support for others FIDO U2F tokens

Is it possible to add support for other FIDO U2F keys in the 70-u2f.rules file? I think it would be good if compatibility was improved. I have some USB vendor and product IDs which could be very useful if someone takes care of this bug.

udev rule does not trigger

On a freshly-installed Debian jessie (tested both with systemd/udev 215 from jessie and systemd/udev 225 from testing), the udev rule shipped with libu2f-host does not trigger when I insert my Yubikey NEO:

KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess"

I believe this is because the hidraw kernel/subsystem is not set at the same level when the usb vendor/product id are set (see the udevadm info below).

Removing the kernel/subsystem attributes from the rule makes it work:

ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess"

This is the udevadm test output of the device in question:

udevadm info -a /dev/usb/hiddev0

Udevadm info starts with the device specified by the devpath and then
walks up the chain of parent devices. It prints for every device
found, all possible attributes in the udev rules key format.
A rule to match, can be composed by the attributes of the device
and the attributes from one single parent device.

  looking at device '/devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/usbmisc/hiddev0':
    KERNEL=="hiddev0"
    SUBSYSTEM=="usbmisc"
    DRIVER==""

  looking at parent device '/devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0':
    KERNELS=="1-1:1.0"
    SUBSYSTEMS=="usb"
    DRIVERS=="usbhid"
    ATTRS{bAlternateSetting}==" 0"
    ATTRS{bInterfaceClass}=="03"
    ATTRS{bInterfaceNumber}=="00"
    ATTRS{bInterfaceProtocol}=="00"
    ATTRS{bInterfaceSubClass}=="00"
    ATTRS{bNumEndpoints}=="02"
    ATTRS{supports_autosuspend}=="1"

  looking at parent device '/devices/pci0000:00/0000:00:14.0/usb1/1-1':
    KERNELS=="1-1"
    SUBSYSTEMS=="usb"
    DRIVERS=="usb"
    ATTRS{authorized}=="1"
    ATTRS{avoid_reset_quirk}=="0"
    ATTRS{bConfigurationValue}=="1"
    ATTRS{bDeviceClass}=="00"
    ATTRS{bDeviceProtocol}=="00"
    ATTRS{bDeviceSubClass}=="00"
    ATTRS{bMaxPacketSize0}=="64"
    ATTRS{bMaxPower}=="30mA"
    ATTRS{bNumConfigurations}=="1"
    ATTRS{bNumInterfaces}==" 1"
    ATTRS{bcdDevice}=="0333"
    ATTRS{bmAttributes}=="80"
    ATTRS{busnum}=="1"
    ATTRS{configuration}==""
    ATTRS{devnum}=="7"
    ATTRS{devpath}=="1"
    ATTRS{idProduct}=="0113"
    ATTRS{idVendor}=="1050"
    ATTRS{ltm_capable}=="no"
    ATTRS{manufacturer}=="Yubico"
    ATTRS{maxchild}=="0"
    ATTRS{product}=="Yubikey NEO U2F"
    ATTRS{quirks}=="0x0"
    ATTRS{removable}=="unknown"
    ATTRS{speed}=="12"
    ATTRS{urbnum}=="14"
    ATTRS{version}==" 2.00"

  looking at parent device '/devices/pci0000:00/0000:00:14.0/usb1':
    KERNELS=="usb1"
    SUBSYSTEMS=="usb"
    DRIVERS=="usb"
    ATTRS{authorized}=="1"
    ATTRS{authorized_default}=="1"
    ATTRS{avoid_reset_quirk}=="0"
    ATTRS{bConfigurationValue}=="1"
    ATTRS{bDeviceClass}=="09"
    ATTRS{bDeviceProtocol}=="01"
    ATTRS{bDeviceSubClass}=="00"
    ATTRS{bMaxPacketSize0}=="64"
    ATTRS{bMaxPower}=="0mA"
    ATTRS{bNumConfigurations}=="1"
    ATTRS{bNumInterfaces}==" 1"
    ATTRS{bcdDevice}=="0401"
    ATTRS{bmAttributes}=="e0"
    ATTRS{busnum}=="1"
    ATTRS{configuration}==""
    ATTRS{devnum}=="1"
    ATTRS{devpath}=="0"
    ATTRS{idProduct}=="0002"
    ATTRS{idVendor}=="1d6b"
    ATTRS{ltm_capable}=="no"
    ATTRS{manufacturer}=="Linux 4.1.0-2-amd64 xhci-hcd"
    ATTRS{maxchild}=="11"
    ATTRS{product}=="xHCI Host Controller"
    ATTRS{quirks}=="0x0"
    ATTRS{removable}=="unknown"
    ATTRS{serial}=="0000:00:14.0"
    ATTRS{speed}=="480"
    ATTRS{urbnum}=="126"
    ATTRS{version}==" 2.00"

  looking at parent device '/devices/pci0000:00/0000:00:14.0':
    KERNELS=="0000:00:14.0"
    SUBSYSTEMS=="pci"
    DRIVERS=="xhci_hcd"
    ATTRS{broken_parity_status}=="0"
    ATTRS{class}=="0x0c0330"
    ATTRS{consistent_dma_mask_bits}=="64"
    ATTRS{d3cold_allowed}=="1"
    ATTRS{device}=="0x9cb1"
    ATTRS{dma_mask_bits}=="64"
    ATTRS{driver_override}=="(null)"
    ATTRS{enable}=="1"
    ATTRS{irq}=="42"
    ATTRS{local_cpulist}=="0-3"
    ATTRS{local_cpus}=="0f"
    ATTRS{msi_bus}=="1"
    ATTRS{numa_node}=="-1"
    ATTRS{subsystem_device}=="0x2227"
    ATTRS{subsystem_vendor}=="0x17aa"
    ATTRS{vendor}=="0x8086"

  looking at parent device '/devices/pci0000:00':
    KERNELS=="pci0000:00"
    SUBSYSTEMS==""
    DRIVERS==""

Build on Mac OS X Fails

make[2]: Nothing to be done for `check-am'.
cp: ../libu2f-host-0.0.tar.xz: No such file or directory
make: *** [doit] Error 1

...

Bug in Authentication Module

1- Whenever I have more than two keys registered for an account, the library only authenticates the latest one and for all the other registered keys, I receive "Authentication error"

2- Whenever I have more than 2 keys registered, on authentication the library returns the following error and then quits:
"read: no error"

Requesting an exportable function, equivalent of "free", for data returned in response to u2fh_register/authenticate functions

Hi there,
Is there a reason why there is no function exported by your shared library to free the results allocated by u2fh_register and u2fh_authenticate functions?

As an example, I have managed to compile this program for Windows and I have written a DLL wrapper, but I have no equivalent in .NET to release the responses (malloc/strdup pointers) in managed code. In Windows there is an API to allocate special buffers, but your library is using only C-runtime calls.

Is it possible that you make the "free" function exportable or change the way you allocate these pointers?

My proposal is to add an extra exportable function:
void u2fh_free_data(void* data) {
free(data);
}

Would like to see a new release

My sleepfix PR fixes a rather annoying issue in the current pam-u2f module. Would it be out of line to request a new release?

New release?

Hi folks, the last release is almost a year old, and there are new keys in the market (including the one that was given out during USENIX Security Symposium) that are only supported by the udev rules in master, but not in any release.

Any chance to get a new release soon?

NFC support?

Does it support NFC on laptops that have an NFC controller built-in?

compilation of programs using libu2f-host fails: pkg-config file inconsistent with includes in public u2f-host.h header

u2f-host/u2f-host.pc.in contains

Cflags: -I${includedir}/u2f-host

Therefore, running pkg-config --cflags results in:

$ pkg-config --cflags u2f-host       
-I/usr/local/include/u2f-host 

This means I need to use #include <u2f-host.h> in my program. However, the file /usr/local/include/u2f-host/u2f-host.h itself contains:

$ grep '^#include' /usr/local/include/u2f-host/u2f-host.h
#include <stdint.h>
#include <string.h>
#include <u2f-host/u2f-host-version.h>
#include <u2f-host/u2f-host-types.h>

…which fails, because the include path already contains the u2f-host directory, so the compiler is looking for the non-existent /usr/local/include/u2f-host/u2f-host/u2f-host-version.h file.

There are two ways to fix this:

  1. Change all includes to not use the u2f-host/ prefix, e.g. with sed -i -e 's,#include <u2f-host/,#include <,g' **/*.[ch]. This approach also requires changing the AM_CPPFLAGS line in src/Makefile.am to read AM_CPPFLAGS=-I$(top_srcdir) -I$(top_srcdir)/u2f-host -I$(top_builddir)
  2. Change the pkg-config file to use Cflags: -I${includedir} (stripping the u2f-host suffix). This will require changes in all downstream programs unless you also ship a compatibility u2f-host.h file in ${includedir} which includes u2f-host/u2f-host.h.

Not sure which approach you want to pursue, but the first one seems cleaner to me :).

Thanks!

Base64 encoded data is padded with =

According to the spec the padding should just be dropped. Example of incorrect output:

u2f-host -o https://localhost:5000 -a register
{"challenge": "T8K2jIoMEtSXDqe58ACOmCtKofA_94WVdTG7MoRg0Vg", "version": "U2F_V2", "appId": "https://localhost:5000"}
{ "registrationData": "BQT4wIDtsMB2FuLJOVP7UiJgKuOpql-Z4gXwV8NFnGyKd0NCthqbTQ7MOAC9f_exVtjPp9ChfBqNIpKvhGyDkIPrQK4DodbFQrv__RxK1CjACWKTpz3d2vXjzR-ZBvMbzsNknNNgEfp6kS6kY1_vwQnegdlXV_xU3dV6Y5x_jOZrIlgwggIcMIIBBqADAgECAgQ4Zt91MAsGCSqGSIb3DQEBCzAuMSwwKgYDVQQDEyNZdWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAwMDBaGA8yMDUwMDkwNDAwMDAwMFowKzEpMCcGA1UEAwwgWXViaWNvIFUyRiBFRSBTZXJpYWwgMTM4MzExNjc4NjEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ3jfx0DHOblHJO09Ujubh2gQZWwT3ob6-uzzjZD1XiyAob_gsw3FOzXefQRblty48r-U-o4LkDFjx_btwuSHtxoxIwEDAOBgorBgEEAYLECgEBBAAwCwYJKoZIhvcNAQELA4IBAQIaR2TKAInPkq24f6hIU45yzD79uzR5KUMEe4IWqTm69METVio0W2FHWXlpeUe85nGqanwGeW7U67G4_WAnGbcd6zz2QumNsdlmb_AebbdPRa95Z8BG1ub_S04JoxQYNLaa8WRlzN7POgqAnAqkmnsZQ_W9Tj2uO9zP3mpxOkkmnqz7P5zt4Lp5xrv7p15hGOIPD5V-ph7tUmiCJsq0LfeRA36X7aXi32Ap0rt_wyfnRef59YYr7SmwaMuXKjbIZSLesscZZTMzXd-uuLb6DbUCasqEVBkGGqTRfAcOmPov1nHUrNDCkOR0obR4PsJG4PiamIfApNeoXGYpGbok6nucMEQCIEQVvZVHo0etAzPG9vBzSRqolImMYwpyu_EJ83dYx4_GAiBs9TsU3rqWOXbI0JaWEkHMbhR7TmLjx8erxU-i3CYirA==", "clientData": "eyAiY2hhbGxlbmdlIjogIlQ4SzJqSW9NRXRTWERxZTU4QUNPbUN0S29mQV85NFdWZFRHN01vUmcwVmciLCAib3JpZ2luIjogImh0dHBzOlwvXC9sb2NhbGhvc3Q6NTAwMCIsICJ0eXAiOiAibmF2aWdhdG9yLmlkLmZpbmlzaEVucm9sbG1lbnQiIH0=" }

Note the padding in the registrationData and clientData fields.

Feature request: Re-registration of keys

Currently, one key can be registered more than once for a given account. It should either provide an option (like the JS api does) to enable/disable re-registration of tokens, or if it does re-register, enable the developer to delete the previous entry from the database.

Make the udev rules work without systemd

It has been pointed out on the Debian BTS that the rules we are currently shipping do not work without systemd-logind (as uaccess requires that).

Would there be any drawbacks to making the devices accessible to group plugdev on top of having the uaccess tag?

Linking failure with version 1.1.6

While attempting to package v1.1.6 in Debian, I ran into a build failure, which seems related to the production of position-independent code:

libtool: link: gcc -shared  -fPIC -DPIC  .libs/global.o .libs/version.o .libs/error.o .libs/devs.o .libs/register.o .libs/authenticate.o .libs/u2fmisc.o  -Wl,--whole-archive ./.libs/libu2f_b64.a ../gl/.libs/libgnu.a -Wl,--no-whole-archive  -lhidapi-hidraw -ljson-c  -g -O2 -fstack-protector-strong -Wl,--version-script=./u2f-host.map -Wl,-z -Wl,relro   -Wl,-soname -Wl,libu2f-host.so.0 -o .libs/libu2f-host.so.0.1.6
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/libjson-c.a(json_object.o): relocation R_X86_64_TPOFF32 against `tls_serialization_float_format' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
make[3]: *** [Makefile:630: libu2f-host.la] Error 1

I pastebinned a complete build log for your perusal.

Create rules for older udev

udev before some version doesn't support the TAG uaccess, so an alternative rule needs to be created for those systems. Reportedly it works to set GROUP to plugdev and MODE to 0660.

New vendor code in udev rules for GNU/Linux

Hi,

Thanks for this work.

In order to make my Hypersecu HyperFIDO work in Debian GNU/Linux for a standard user (not root), I used the udev rules specified. However, the vendor name seems not to be good. However, the vendor code doesn't fit my key. lsusb gave me: ID 2ccf:0880
So, I changed the udev rules. This line
# HyperSecu HyperFIDO
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0880", TAG+="uaccess"
changed to that line:
# HyperSecu HyperFIDO
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e|2ccf", ATTRS{idProduct}=="0880", TAG+="uaccess"

And it then works for me.

I don't have any key for GitHub, so I cannot make a push but I think this could be useful.

Best regards,
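One way to write the rule that the three udev issues above ask for (uaccess without systemd-logind, older udev with GROUP/MODE, and the HyperFIDO vendor IDs), as an added example rather than the rules file the project ships. The vendor and product IDs are the ones quoted in this issue; the plugdev group is assumed to exist on the system.

```udev
# Added example rule, not the project's shipped rules file.
# TAG+="uaccess" gives the active seat's user an ACL on systems with
# systemd-logind; GROUP/MODE are the fallback for udev versions or
# systems where the uaccess tag is ignored. IDs are the HyperFIDO
# ones from the issue above (096e and 2ccf, product 0880).
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e|2ccf", ATTRS{idProduct}=="0880", TAG+="uaccess", GROUP="plugdev", MODE="0660"
```

The trade-off the first issue asks about follows from how the two mechanisms work: uaccess grants access only to the user currently logged in at the local seat, while GROUP/MODE is static, so with the fallback any member of plugdev can open the device whether or not they are physically present.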

New release

Since there have been some updates to the udev rules etc, can you tag a new release please?

Thanks!

error (-3): error in JSON handling

Hi guys,
This is probably a noob error. I got libu2f-host compiled for OSX as well as for a Raspi and I am using a localhost u2f-server (python). Registering a challenge works fine. The foo file contains some json data, but the next step

u2f-host -aregister -o http://localhost:8081 < foo > bar

fails with: error (-3): error in JSON handling for OSX as well as for Raspbian.
Any idea what's wrong with that?

Thanks in advance
Jens

Out of source tree builds fail

Out of source tree builds fail when trying to include u2f-host-version.h in the sub directories src and tests. This is because u2f-host-version.h is dynamically generated and put in the build tree instead of the source tree. These two directories are the same directory when the build is in the source tree but different when the build is out of the source tree.

The fix is trivial and provided in pull request #33.

Resolve differences of header files with latest FIDO draft

The header files u2f.h and u2f_hid.h are different from the master copies at https://fidoalliance.org/specs/u2f-specs-master/inc/.

There are non-trivial changes to each of these files, including changes of constants like U2F_SW_WRONG_DATA and U2F_VENDOR_FIRST. But there are also just missing constants like U2F_CHECK_REGISTER.

U2FHID_SYNC also seems missing.

Even if the two versions of files differ, I would not expect them to be incompatible as they currently are. It is possible that the FIDO draft files would need an update as well.

configure doesn't check for all its dependencies

configure doesn't seem to check for gengetopt or help2man. Here's gengetopt:

rharwood@seton:~/libu2f-host$ make
make  all-recursive
make[1]: Entering directory '/home/bos/rharwood/libu2f-host'
Making all in gl
make[2]: Entering directory '/home/bos/rharwood/libu2f-host/gl'
  GEN      arg-nonnull.h
  GEN      c++defs.h
  GEN      warn-on-use.h
  GEN      string.h
  GEN      sys/types.h
make  all-recursive
make[3]: Entering directory '/home/bos/rharwood/libu2f-host/gl'
make[4]: Entering directory '/home/bos/rharwood/libu2f-host/gl'
  CC       check-version.lo
  CC       sha256.lo
  CCLD     libgnu.la
ar: `u' modifier ignored since `D' is the default (see `U')
make[4]: Leaving directory '/home/bos/rharwood/libu2f-host/gl'
make[3]: Leaving directory '/home/bos/rharwood/libu2f-host/gl'
make[2]: Leaving directory '/home/bos/rharwood/libu2f-host/gl'
Making all in u2f-host
make[2]: Entering directory '/home/bos/rharwood/libu2f-host/u2f-host'
  CC       global.lo
  CC       version.lo
  CC       error.lo
  CC       devs.lo
  CC       register.lo
  CC       authenticate.lo
  CC       u2fmisc.lo
  CC       libu2f_b64_la-cencode.lo
  CC       libu2f_b64_la-cdecode.lo
  CCLD     libu2f_b64.la
ar: `u' modifier ignored since `D' is the default (see `U')
  CCLD     libu2f-host.la
ar: `u' modifier ignored since `D' is the default (see `U')
make[2]: Leaving directory '/home/bos/rharwood/libu2f-host/u2f-host'
Making all in src
make[2]: Entering directory '/home/bos/rharwood/libu2f-host/src'
gengetopt --no-handle-help --input cmdline.ggo Makefile.am
/bin/bash: gengetopt: command not found
make[2]: *** [Makefile:965: cmdline.c] Error 127
make[2]: Leaving directory '/home/bos/rharwood/libu2f-host/src'
make[1]: *** [Makefile:644: all-recursive] Error 1
make[1]: Leaving directory '/home/bos/rharwood/libu2f-host'
make: *** [Makefile:555: all] Error 2

System is Debian testing, if that matters. Thanks!

Feature request - Add a Timeout

After the command for registration or authentication is executed, the process waits for an infinite amount of time for the response from the key. There should be a timeout just like there is in the Javascript api.

Documentation: libhidapi-dev required

At https://developers.yubico.com/libu2f-host/#_building it says:

apt-get install pkg-config libjson0-dev libhidapi-hidraw0

But actually you need libhidapi-dev as well. Otherwise you get the following error at configure time:

checking for HIDAPI... no
checking for HIDAPI... no
configure: error: Package requirements (hidapi-hidraw) were not met:

No package 'hidapi-hidraw' found

Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.

Alternatively, you may set the environment variables HIDAPI_CFLAGS
and HIDAPI_LIBS to avoid the need to call pkg-config.
