Merge pull request #27 from Yubico/archive-notice

add archival notice

.gitignore

@@ -0,0 +1,3 @@
+yubikey-ksm-*.tgz
+yubikey-ksm-*.tgz.sig
+*.1

.gitmodules

@@ -1,3 +0,0 @@
-[submodule "doc"]
-	path = doc
-	url = git@github.com:Yubico/yubikey-ksm.wiki.git

.travis.yml

@@ -0,0 +1,12 @@
+language: php
+php:
+  - 5.6
+  - 5.5
+  - 5.4
+  - 5.3
+env:
+  - DB=mysql
+  - DB=pgsql
+  - DB=sqlite
+script:
+  - ./selftest.sh

BLURB

@@ -0,0 +1,8 @@
+Author: Yubico
+Basename: yubikey-ksm
+Homepage: https://developers.yubico.com/yubikey-ksm/
+License: BSD-2-Clause
+Name: yubikey-ksm
+Project: yubikey-ksm
+Summary: YubiKey Key Storage Module
+Travis: https://travis-ci.org/Yubico/yubikey-ksm

COPYING

@@ -0,0 +1,26 @@
+Copyright (c) 2009-2013 Yubico AB
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+  * Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+
+  * Redistributions in binary form must reproduce the above
+    copyright notice, this list of conditions and the following
+    disclaimer in the documentation and/or other materials provided
+    with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Makefile

@@ -1,5 +1,5 @@
 # Written by Simon Josefsson <simon@josefsson.org>.
-# Copyright (c) 2009-2012 Yubico AB
+# Copyright (c) 2009-2014 Yubico AB
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -26,44 +26,50 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-VERSION = 1.6
+VERSION = 1.16
 PACKAGE = yubikey-ksm
-CODE = .htaccess Makefile NEWS ykksm-config.php ykksm-db.sql	\
+CODE = .htaccess Makefile NEWS README ykksm-config.php ykksm-db.sql	\
 	ykksm-decrypt.php ykksm-export ykksm-gen-keys	\
-	ykksm-import ykksm-utils.php ykksm-checksum
-DOCS = doc/DecryptionProtocol.wiki doc/DesignGoals.wiki		\
-	doc/GenerateKeys.wiki doc/GenerateKSMKey.wiki		\
-	doc/ImportKeysToKSM.wiki doc/Installation.wiki		\
-	doc/KeyProvisioningFormat.wiki doc/ServerHardening.wiki	\
-	doc/SyncMonitor.wiki
+	ykksm-import ykksm-utils.php ykksm-checksum \
+	COPYING BLURB
+DOCS = doc/Decryption_Protocol.adoc doc/Design_Goals.adoc		\
+	doc/Generate_Keys.adoc doc/Generate_KSM_Key.adoc		\
+	doc/Import_Keys_To_KSM.adoc doc/Installation.adoc		\
+	doc/Key_Provisioning_Format.adoc doc/Server_Hardening.adoc	\
+	doc/Sync_Monitor.adoc
 MANS = ykksm-checksum.1 ykksm-export.1 ykksm-gen-keys.1		\
 	ykksm-import.1
 
 all:
 	@echo "Try 'make install' or 'make symlink'."
-	@echo "Docs: https://github.com/Yubico/$(PROJECT)/wiki/Installation"
+	@echo "See doc/Installation.adoc for more information"
 	@exit 1
 
 # Installation rules.
 
-etcprefix = /etc/ykksm
+etcprefix = /etc/yubico/ksm
 binprefix = /usr/bin
-phpprefix = /usr/share/ykksm
-docprefix = /usr/share/doc/ykksm
+phpprefix = /usr/share/yubikey-ksm
+docprefix = /usr/share/doc/yubikey-ksm
+manprefix = /usr/share/man/man1
 wwwgroup = www-data
 
-install:
-	install -D .htaccess $(phpprefix)/.htaccess
-	install -D ykksm-decrypt.php $(phpprefix)/ykksm-decrypt.php
-	install -D ykksm-utils.php $(phpprefix)/ykksm-utils.php
-	install -D ykksm-gen-keys $(binprefix)/ykksm-gen-keys
-	install -D ykksm-import $(binprefix)/ykksm-import
-	install -D ykksm-export $(binprefix)/ykksm-export
-	install -D ykksm-checksum $(binprefix)/ykksm-checksum
-	install -D --backup --mode 640 --group $(wwwgroup) ykksm-config.php $(etcprefix)/ykksm-config.php
-	install -D ykksm-db.sql $(docprefix)/ykksm-db.sql
-	install -D Makefile $(docprefix)/ykksm.mk
-	install -D $(DOCS) $(docprefix)/
+install: $(MANS)
+	install -D --mode 640 .htaccess $(DESTDIR)$(phpprefix)/.htaccess
+	install -D --mode 640 ykksm-decrypt.php $(DESTDIR)$(phpprefix)/ykksm-decrypt.php
+	install -D --mode 640 ykksm-utils.php $(DESTDIR)$(phpprefix)/ykksm-utils.php
+	install -D ykksm-gen-keys $(DESTDIR)$(binprefix)/ykksm-gen-keys
+	install -D ykksm-import $(DESTDIR)$(binprefix)/ykksm-import
+	install -D ykksm-export $(DESTDIR)$(binprefix)/ykksm-export
+	install -D ykksm-checksum $(DESTDIR)$(binprefix)/ykksm-checksum
+	install -D --backup --mode 640 --group $(wwwgroup) ykksm-config.php $(DESTDIR)$(etcprefix)/ykksm-config.php
+	install -D ykksm-gen-keys.1 $(DESTDIR)$(manprefix)/ykksm-gen-keys.1
+	install -D ykksm-import.1 $(DESTDIR)$(manprefix)/ykksm-import.1
+	install -D ykksm-export.1 $(DESTDIR)$(manprefix)/ykksm-export.1
+	install -D ykksm-checksum.1 $(DESTDIR)$(manprefix)/ykksm-checksum.1
+	install -D ykksm-db.sql $(DESTDIR)$(docprefix)/ykksm-db.sql
+	install -D Makefile $(DESTDIR)$(docprefix)/ykksm.mk
+	install -D $(DOCS) $(DESTDIR)$(docprefix)/
 
 wwwprefix = /var/www/wsapi
 
@@ -81,12 +87,16 @@ $(PACKAGE)-$(VERSION).tgz: $(FILES) $(MANS)
 	cp $(CODE) $(PACKAGE)-$(VERSION)/
 	cp $(MANS) $(PACKAGE)-$(VERSION)/
 	cp $(DOCS) $(PACKAGE)-$(VERSION)/doc/
+	git2cl > $(PACKAGE)-$(VERSION)/ChangeLog
 	tar cfz $(PACKAGE)-$(VERSION).tgz $(PACKAGE)-$(VERSION)
 	rm -rf $(PACKAGE)-$(VERSION)
 
 dist: $(PACKAGE)-$(VERSION).tgz
 
-clean: clean-man
+distclean: clean
+	rm -f *.1
+
+clean:
 	rm -f *~
 	rm -rf $(PACKAGE)-$(VERSION)
 
@@ -96,24 +106,20 @@ NAME_ykksm-gen-keys = 'Tool to generate keys on the YKKSM-KEYPROV format.'
 NAME_ykksm-import = 'Tool to import key data on the YKKSM-KEYPROV format.'
 
 %.1: %
-	help2man -N --name=$(NAME_$*) --version-string=1 ./$* > $@
+	help2man -N --name=$(NAME_$*) --version-string=$(VERSION) ./$* > $@
 
 man: $(MANS)
 
-clean-man:
-	rm -f *.1
-
 release: dist
-	@if test -z "$(KEYID)"; then \
-		echo "Try this instead:"; \
-		echo "  make release KEYID=[PGPKEYID]"; \
-		echo "For example:"; \
-		echo "  make release KEYID=2117364A"; \
+	@head -1 NEWS | grep -q "Version $(VERSION) (released `date -I`)" || \
+                (echo 'error: You need to update date/version in NEWS'; exit 1)
+	@if test ! -d "$(YUBICO_WWW_REPO)"; then \
+		echo "yubico www repo not found!"; \
+		echo "Make sure that YUBICO_WWW_REPO is set"; \
 		exit 1; \
 	fi
-	gpg --detach-sign --default-key $(KEYID) $(PACKAGE)-$(VERSION).tgz
+	gpg --detach-sign $(PACKAGE)-$(VERSION).tgz
 	gpg --verify $(PACKAGE)-$(VERSION).tgz.sig
-
-	git tag -sm "$(PACKAGE)-$(VERSION)" $(PACKAGE)-$(VERSION)
-	git push
-	git push --tags
+	git tag -s -m "$(PACKAGE) $(VERSION)" $(PACKAGE)-$(VERSION)
+	$(YUBICO_WWW_REPO)/publish $(PROJECT) $(VERSION) $(PACKAGE)-$(VERSION).tgz*
+	@echo "Release created and tagged, remember to git push && git push --tags"

NEWS

@@ -1,4 +1,62 @@
-* Version 1.6 released 2012-12-18
+* Version 1.16 (unreleased)
+
+* Version 1.15 (released 2014-09-30)
+
+  * Fix boolean SQL portability issue for Oracle.
+
+  * Add self-testing through Travis.
+
+  * Update some URLs.
+
+* Version 1.14 (released 2013-09-18)
+
+  * Add Oracle support via OCI.
+
+  * The README is included in the tarball now.
+
+* Version 1.13 (released 2013-04-17)
+
+  * Updated release procedure, project moved from Google Code to GitHub.
+
+* Version 1.12 (released 2013-02-05)
+
+  * Added COPYING file.
+
+* Version 1.11 (released 2013-01-31)
+
+  * Added missing manprefix to Makefile.
+
+* Version 1.10 (released 2013-01-31)
+
+  * Changed location of files to /usr/share/yubikey-ksm, etc.
+
+  * Changed location of configuration files to /etc/yubico/ksm/.
+
+  * Fixed bug causing scripts reading the database to fail if
+    the config file exists but is not readable by the current user.
+
+* Version 1.9 (released 2013-01-23)
+
+  * Renamed hex2bin to yubi_hex2bin.
+    Issue #1 reported by Dain Nilsson, see:
+    https://github.com/Yubico/yubikey-ksm/issues/1
+
+* Version 1.8 (released 2013-01-21)
+
+  * Added ChangeLog to releases.
+
+  * Updated documentation for building/installing.
+
+* Version 1.7 (released 2012-12-21)
+
+  * Replaced usage of 'mcrypt_ecb' as it is deprecated.
+    Issue #5 reported by Gyula Szabó, see:
+    http://code.google.com/p/yubikey-ksm/issues/detail?id=5.
+
+  * Read database config from /etc/yubico/ksm/config-db files,
+    as generated by dbconfig.
+
+* Version 1.6 (released 2012-12-18)
 
   * ykksm-gen-keys supports the PSKC YubiKey profile.
 
@@ -10,34 +68,34 @@
 
   * Removed ykksm-upgrade.
 
-* Version 1.5 released 2010-09-14
+* Version 1.5 (released 2010-09-14)
 
   * Brown paper bag release to update NEWS and Makefile before release.
 
-* Version 1.4 released 2010-09-14
+* Version 1.4 (released 2010-09-14)
 
   * Don't use PDO rowCount, it is not portable.
     Issue #2 reported by arte42.ripe, see:
-    http://code.google.com/p/yubikey-ksm/issues/detail?id=2>.
+    http://code.google.com/p/yubikey-ksm/issues/detail?id=2.
 
   * Fixed perl warning in ykksm-gen-keys.
     Issue #3 reported by toddejohnson, see:
-    http://code.google.com/p/yubikey-ksm/issues/detail?id=3>.
+    http://code.google.com/p/yubikey-ksm/issues/detail?id=3.
 
   * Improve documentation.
 
-* Version 1.3 released 2010-03-16
+* Version 1.3 (released 2010-03-16)
 
   * Added ykksm-checksum tool.
 
-* Version 1.2 released 2009-12-15
+* Version 1.2 (released 2009-12-15)
 
   * Documentation and installation experience substantially improved.
 
-* Version 1.1 released 2009-12-02
+* Version 1.1 (released 2009-12-02)
 
   * Use PHP PDO instead of hard coding use of MySQL database interface.
 
-* Version 1.0 released 2009-11-19
+* Version 1.0 (released 2009-11-19)
 
   * Initial release.

README

@@ -1,22 +1,24 @@
-yubikey-ksm
-===========
+== YubiKey Key Storage Module (YK-KSM)
+
+NOTE: Yubico has declared end-of-life of YK-KSM and has moved it to YubicoLabs as a reference architecture at https://github.com/YubicoLabs/yubikey-ksm.
+
+The YubiKey Key Storage Module (YK-KSM) provides a AES key storage
+facility for use with a YubiKey validation server.
 
-The YubiKey Key Storage Module (YK-KSM) provides a AES key storage facility for use with a YubiKey validation server.
 The YK-KSM is intended to be run on a locked-down server.
-This separation allows third parties to keep tight control of the AES keys for their YubiKeys, but at the same time allow external validation servers (e.g., Yubico's) to validate OTPs from these YubiKeys.
 
+This separation allows third parties to keep tight control of the AES
+keys for their YubiKeys, but at the same time allow external
+validation servers (e.g., Yubico's) to validate OTPs from these
+YubiKeys.
 
-The YK-KSM was designed to work with the YubiKey validation server in PHP:
+The YK-KSM was designed to work with the YubiKey validation server:
 
-https://github.com/Yubico/yubikey-val-server-php/
+https://developers.yubico.com/yubikey-val/
 
-Documentation is in doc.
+Documentation is in doc/.
 
-If you've checked out the source tree and the doc/ dir is empty, do
+=== Development
 
-   $ git submodule init
-   $ git submodule update
-
-The documentation is also available online at
-
-    http://github.com/Yubico/yubikey-ksm/wiki
+To create a tarball you must have a recent versions of "help2man",
+"git2cl" and the perl module DBI.

README.adoc

@@ -0,0 +1 @@
+README

doc

@@ -1 +0,0 @@
-Subproject commit d6c0505143d6aeba85af471280272cb73923fb5f

doc/Decryption_Protocol.adoc

@@ -0,0 +1,41 @@
+Yubikey KSM Decryption Protocol
+-------------------------------
+
+The protocol for asking the Yubikey Key Storage Module to decrypt an
+OTP is to request a HTTP resource as follows:
+
+ http://ykksm.example.com/wsapi/decrypt/?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh
+
+On success, the response will follow this format:
+
+ ^OK .*
+
+For example:
+
+ OK counter=000f low=c541 high=a7 use=04
+
+The content of the various fields are as follows:
+
+counter::
+ 16-bit hex integer, counting upwards on each powerup&touch
+
+low::
+ 16-bit hex integer, low part of time-stamp of OTP
+
+high::
+ 8-bit hex integer, high part of time-stamp of OTP
+
+use::
+ 8-bit hex integer, counting upwards on each touch
+
+On soft errors, the response will follow this format:
+
+ ^ERR .*
+
+For example:
+
+ ERR Invalid OTP format
+
+The data matching .* will be a english error message in one line.
+
+Any other kind of response means a hard error occured.

doc/Design_Goals.adoc

@@ -0,0 +1,11 @@
+YK-KSM Design Goals
+-------------------
+
+The YK-KSM component was designed for these objectives:
+
+* Have AES key storage be separate from the validation server
+
+* Allow distribution of AES keys to multiple servers for
+  load-balancing and high-availability
+
+* The code must be short and easy to audit

doc/Generate_KSM_Key.adoc

@@ -0,0 +1,74 @@
+Generate KSM Key
+----------------
+
+Import of key material to an YK-KSM is typically always done via the
+OpenPGP encrypted/signed
+link:Key_Provisioning_Format.adoc[Key Provisioning Format].  This setup
+assumes that each YK-KSM system has a private key.
+
+Below is a walk-through of a typical key generation session for a host
+called 'crater'.  As you can see at the end, it generated a key with a
+key id of '8B88A11B'.
+
+After this step you may want to generate AES keys for your YubiKeys,
+see link:Generate_Keys.adoc[Generate Keys], and then import them to your
+KSM, see link:Import_Keys_To_KSM.adoc[Import Keys To KSM].
+
+[source, sh]
+----
+user@crater:~$ gpg --gen-key
+gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+Please select what kind of key you want:
+  (1) DSA and Elgamal (default)
+  (2) DSA (sign only)
+  (5) RSA (sign only)
+Your selection? 1
+DSA keypair will have 1024 bits.
+ELG-E keys may be between 1024 and 4096 bits long.
+What keysize do you want? (2048) 
+Requested keysize is 2048 bits
+Please specify how long the key should be valid.
+        0 = key does not expire
+      <n>  = key expires in n days
+      <n>w = key expires in n weeks
+      <n>m = key expires in n months
+      <n>y = key expires in n years
+Key is valid for? (0) 
+Key does not expire at all
+Is this correct? (y/N) y
+
+You need a user ID to identify your key; the software constructs the user ID
+from the Real Name, Comment and Email Address in this form:
+    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
+
+Real name: YK-KSM crater Import Key
+Email address: 
+Comment: 
+You selected this USER-ID:
+    "YK-KSM crater Import Key"
+
+Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
+You need a Passphrase to protect your secret key.
+
+We need to generate a lot of random bytes. It is a good idea to perform
+some other action (type on the keyboard, move the mouse, utilize the
+disks) during the prime generation; this gives the random number
+generator a better chance to gain enough entropy.
+.+++++++++++++++++++++++++..+++++.+++++++++++++++++++++++++...+++++++++++++++.++++++++++.++++++++++++++++++++++++++++++++++++++++.++++++++++>++++++++++......++++++++++..++++++++++++++++++++..++++++++++++++++++++++++++++++++++++++++....+++++.+++++...+++++.++++++++++.+++++++++++++++.+++++..+++++.++++++++++.+++++++++++++++..+++++>++++++++++>+++++.................................>+++++..............+++++^^^
+gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
+gpg: key 8B88A11B marked as ultimately trusted
+public and secret key created and signed.
+
+gpg: checking the trustdb
+gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
+pub   1024D/8B88A11B 2009-12-14
+      Key fingerprint = 9B18 20A2 F02E 3C3B 84E3  44F5 AE72 7967 8B88 A11B
+uid                  YK-KSM crater Import Key
+sub   2048g/140A17F1 2009-12-14
+
+user@crater:~$
+----

doc/Generate_Keys.adoc

@@ -0,0 +1,88 @@
+Generate Keys
+-------------
+
+To generate some AES keys for your YubiKeys served via your YK-KSM,
+you use the 'ykksm-gen-keys' tool.  The tool is useful for generating
+large sets of test keys, for performance testing of the database and
+web interface.  It can also be used to produce keying material that
+are intended to used for programming real keys.
+
+As you should never store encryption keys in plaintext, you typically
+use the tool by piping it directly to GnuPG.  So the first step will
+always be to create a OpenPGP key for your KSM host, see
+link:Generate_KSM_Key.adoc[Generate KSM Key].  Below we will both sign
+the data from and encrypt it to the same key id '8B88A11B'.  Here is
+how you would generate 5 keys for test purposes:
+
+[source, sh]
+----
+user@ksm:~$ ykksm-gen-keys --urandom 1 5 | gpg -a --encrypt -r 8B88A11B -s > keys.txt
+user@ksm:~$ 
+----
+
+Note the flag --urandom will cause the tool to use /dev/urandom rather
+than /dev/random, which speed things up but is considered by some to
+have weaker security.
+
+After this step you may want to import the keys into your KSM, see
+link:Import_Keys_To_KSM.adoc[Import Keys To KSM].
+
+In production, you may want to separate the key generation facility
+into a separate machine with a separate OpenPGP key.
+
+To display the test keys above, you can decrypt them using GnuPG:
+
+[source, sh]
+----
+user@ksm:~$ gpg < keys.txt
+
+You need a passphrase to unlock the secret key for
+user: "YK-KSM crater Import Key"
+2048-bit ELG-E key, ID 140A17F1, created 2009-12-14 (main key ID 8B88A11B)
+
+gpg: encrypted with 2048-bit ELG-E key, ID 140A17F1, created 2009-12-14
+      "YK-KSM crater Import Key"
+# ykksm 1
+# serialnr,identity,internaluid,aeskey,lockpw,created,accessed[,progflags]
+1,cccccccccccb,d74fbdf6a890,82211e0854e7369e83d941f24761a84e,881ae7bee927,2009-12-14T16:40:57,
+2,cccccccccccd,7a5ad1886b70,3091a8048524ab8407ae816457d764e5,8e5ab609e346,2009-12-14T16:40:57,
+3,ccccccccccce,981abbbeafb8,91be4bfd2f40e24ebd39386868aa9619,037b6f6ae73c,2009-12-14T16:40:57,
+4,cccccccccccf,c1f33c17f77b,a2389839d7b80bfe4c80258184aff4ce,abf92cbbdab3,2009-12-14T16:40:57,
+5,cccccccccccg,c55773192393,7387b5f6bede83f64a9cd75b2023826a,d70c937bbbff,2009-12-14T16:40:57,
+gpg: Signature made Mon 14 Dec 2009 04:40:57 PM CET using DSA key ID 8B88A11B
+gpg: Good signature from "YK-KSM crater Import Key"
+user@ksm:~$
+----
+
+The format is documented in the
+link:Key_Provisioning_Format.adoc[Key Provisioning Format] page.
+
+To generate many small files each containing just one key, you can use
+a small wrapper like this:
+
+[source, sh]
+----
+#!/bin/sh
+
+set -e
+
+start=$1
+stop=$2
+key=$3
+urandom=$4
+
+if test -z "$start" || test -z "$stop" || test -z "$key"; then
+    echo "Usage: run-gen-keys START STOP KEY [--urandom]"
+    echo ""
+    echo "Example usage:"
+    echo "  run-gen-keys 4711 11147 A1296239 --urandom"
+    echo ""
+    exit 0
+fi
+
+cur=$start
+while test $cur -le $stop; do
+    ykksm-gen-keys $urandom $cur | gpg -a --sign --encrypt -r $key > $cur.asc
+    cur=`expr $cur + 1`
+done
+----

doc/Import_Keys_To_KSM.adoc

@@ -0,0 +1,85 @@
+Import Keys To Yubikey KSM
+--------------------------
+
+To import keys into the YK-KSM database from text files in the
+encrypted/signed KeyProvisioningFormat format, you can use the tool
+'ykksm-import'.  The tool reads the data on standard input, and will
+import the data to the database.  On any error, execution is aborted,
+so be careful about partial imports leaving the database in an
+intermediate state.
+
+The tool requires that your system has a GnuPG private key, read
+link:Generate_KSM_Key.adoc[Generate KSM Key] on how to generate it.
+
+For example, to import the file generated by the
+link:Generate_Keys.adoc[Generate Keys] document:
+
+[source, sh]
+----
+user@ksm:~$ ykksm-import --verbose --database 'DBI:Pg:dbname=ykksm;host=127.0.0.1' --db-user ykksmimporter --db-passwd otherpassword < ~/keys.txt 
+
+You need a passphrase to unlock the secret key for
+user: "YK-KSM crater Import Key"
+2048-bit ELG-E key, ID 140A17F1, created 2009-12-14 (main key ID 8B88A11B)
+
+Verification output:
+[GNUPG:] ENC_TO 8C73EAF1140A17F1 16 0
+[GNUPG:] USERID_HINT 8C73EAF1140A17F1 YK-KSM crater Import Key
+[GNUPG:] NEED_PASSPHRASE 8C73EAF1140A17F1 AE7279678B88A11B 16 0
+[GNUPG:] GOOD_PASSPHRASE
+gpg: encrypted with 2048-bit ELG-E key, ID 140A17F1, created 2009-12-14
+      "YK-KSM crater Import Key"
+[GNUPG:] BEGIN_DECRYPTION
+[GNUPG:] PLAINTEXT 62 1260805257 
+gpg: Signature made Mon 14 Dec 2009 04:40:57 PM CET using DSA key ID 8B88A11B
+[GNUPG:] SIG_ID YGplk8qkUkb75lY0aurb/iS1Oog 2009-12-14 1260805257
+[GNUPG:] GOODSIG AE7279678B88A11B YK-KSM crater Import Key
+gpg: Good signature from "YK-KSM crater Import Key"
+[GNUPG:] VALIDSIG 9B1820A2F02E3C3B84E344F5AE7279678B88A11B 2009-12-14 1260805257 0 4 0 17 2 00 9B1820A2F02E3C3B84E344F5AE7279678B88A11B
+[GNUPG:] TRUST_ULTIMATE
+[GNUPG:] DECRYPTION_OKAY
+[GNUPG:] GOODMDC
+[GNUPG:] END_DECRYPTION
+encrypted to: 8C73EAF1140A17F1
+signed by: 8B88A11B
+
+You need a passphrase to unlock the secret key for
+user: "YK-KSM crater Import Key"
+2048-bit ELG-E key, ID 140A17F1, created 2009-12-14 (main key ID 8B88A11B)
+
+line: 1,cccccccccccb,d74fbdf6a890,82211e0854e7369e83d941f24761a84e,881ae7bee927,2009-12-14T16:40:57,
+serialnr 1 publicName cccccccccccb internalName d74fbdf6a890 aesKey 82211e0854e7369e83d941f24761a84e lockCode 881ae7bee927 created 2009-12-14T16:40:57 accessed  eol
+line: 2,cccccccccccd,7a5ad1886b70,3091a8048524ab8407ae816457d764e5,8e5ab609e346,2009-12-14T16:40:57,
+serialnr 2 publicName cccccccccccd internalName 7a5ad1886b70 aesKey 3091a8048524ab8407ae816457d764e5 lockCode 8e5ab609e346 created 2009-12-14T16:40:57 accessed  eol
+line: 3,ccccccccccce,981abbbeafb8,91be4bfd2f40e24ebd39386868aa9619,037b6f6ae73c,2009-12-14T16:40:57,
+serialnr 3 publicName ccccccccccce internalName 981abbbeafb8 aesKey 91be4bfd2f40e24ebd39386868aa9619 lockCode 037b6f6ae73c created 2009-12-14T16:40:57 accessed  eol
+line: 4,cccccccccccf,c1f33c17f77b,a2389839d7b80bfe4c80258184aff4ce,abf92cbbdab3,2009-12-14T16:40:57,
+serialnr 4 publicName cccccccccccf internalName c1f33c17f77b aesKey a2389839d7b80bfe4c80258184aff4ce lockCode abf92cbbdab3 created 2009-12-14T16:40:57 accessed  eol
+line: 5,cccccccccccg,c55773192393,7387b5f6bede83f64a9cd75b2023826a,d70c937bbbff,2009-12-14T16:40:57,
+serialnr 5 publicName cccccccccccg internalName c55773192393 aesKey 7387b5f6bede83f64a9cd75b2023826a lockCode d70c937bbbff created 2009-12-14T16:40:57 accessed  eol
+
+user@ksm:~$
+----
+
+When importing large data sets it is recommended to avoid the
+'--verbose' flag to reduce noise.
+
+To test the import, you can attempt to decrypt an (invalid) OTP for
+one of the AES keys.  Like this:
+
+[source, sh]
+----
+user@ksm:~$ curl 'http://localhost/wsapi/decrypt?otp=cccccccccccdvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv'
+ERR Corrupt OTP
+user@ksm:~$
+----
+
+In the system log file /var/log/ykksm.log you should get this error:
+
+[source, sh]
+----
+Dec 14 17:20:08 crater ykksm[12693]: UID error: cccccccccccdvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv a515841f249c5f4bb8e9007ab0f7ac2b: a515841f249c vs 7a5ad1886b70
+----
+
+Note that the actual values may differ slightly because the AES key
+you generated was random.

doc/Installation.adoc

@@ -0,0 +1,330 @@
+Installation and Configuration of Yubikey KSM
+---------------------------------------------
+
+The Yubikey KSM module is responsible for storing AES keys and
+providing two interfaces:
+
+* Decrypting an OTP
+
+* Adding new AES keys
+
+It is intentionally not possible to extract the AES keys or to make
+modifications to the database content, see link:Design_Goals.adoc[Design Goals].
+
+The installation procedure documented below applies to any Unix-like
+environment, although it was written for Debian GNU/Linux version 5.0
+(aka "lenny").
+
+Since version 1.1 of the YK-KSM, any database supported by the PHP PDO
+interface is supported by the YK-KSM.  To give concrete examples, we
+will here explain how to set it up using MySQL or PostgreSQL.  Note
+that you only need to install either MySQL or PostgreSQL (or any other
+supported database), not both!
+
+Step 1: YK-KSM Installation
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+First you should download and install the latest YK-KSM release:
+
+[source, sh]
+----
+user@ksm:~$ sudo apt-get install wget make help2man
+...
+user@ksm:~$ wget https://developers.yubico.com/yubikey-ksm/Releases/yubikey-ksm-1.15.tgz
+user@ksm:~$ wget https://developers.yubico.com/yubikey-ksm/Releases/yubikey-ksm-1.15.tgz.sig
+user@ksm:~$ gpg --verify yubikey-ksm-1.15.tgz.sig
+...
+user@ksm:~$ tar xfz yubikey-ksm-1.15.tgz
+user@ksm:~$ cd yubikey-ksm-1.15
+user@ksm:~/yubikey-ksm-1.15$ sudo make install
+...
+user@ksm:~/yubikey-ksm-1.15$
+----
+ 
+Alternatively, you may also check out YK-KSM from its source code repository.  For example:
+ 
+[source, sh]
+----
+user@ksm:~$ sudo apt-get install git make help2man
+...
+user@ksm:~$ git clone git://github.com/Yubico/yubikey-ksm.git
+...
+user@ksm:~$ cd yubikey-ksm
+user@ksm:~/yubikey-ksm$ sudo make install
+...
+user@ksm:~/yubikey-ksm$
+----
+
+The rest of this documentation will assume you have installed the
+YK-KSM with 'make install'.
+
+Step 2: Install web server and PHP
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+You will need to install a web server with PHP5 and the PHP mcrypt
+interface:
+
+[source, sh]
+user@ksm:~$ sudo apt-get install apache2 php5 php5-mcrypt
+
+Any web server with PHP support should work.
+
+Step 3A: MySQL Installation
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Install the required packages:
+
+[source, sh]
+----
+user@ksm:~$ sudo apt-get install mysql-server php5-mysql libdbd-mysql-perl
+...
+user@ksm:~$
+----
+ 
+The installation asks you for a MySQL "root" password, and I recommend
+to specify one.
+ 
+To avoid having to specify a password when using the 'mysql' tool
+interactively, you can store the password in ~/.my.cnf, see
+/usr/share/doc/mysql-server-5.0/README.Debian.gz.  For example:
+ 
+[source, sh]
+----
+user@ksm:~$ cat > .my.cnf
+[client]
+user = root
+password = YOURPASSWORD
+user@ksm:~$
+----
+
+First create the database and the tables as follows:
+
+[source, sh]
+----
+user@ksm:~$ echo 'create database ykksm' | mysql
+user@ksm:~$ mysql ykksm < /usr/share/doc/yubikey-ksm/ykksm-db.sql 
+user@ksm:~$
+----
+
+You should also create database users for the decrypt and import
+interfaces, normally called 'ykksmreader' and 'ykksmimporter':
+
+[source, sh]
+----
+user@ksm:~$ mysql --silent ykksm
+mysql> CREATE USER 'ykksmreader';
+mysql> GRANT SELECT ON ykksm.yubikeys TO 'ykksmreader'@'localhost';
+mysql> SET PASSWORD FOR 'ykksmreader'@'localhost' = PASSWORD('yourpassword');
+mysql> CREATE USER 'ykksmimporter';
+mysql> GRANT INSERT ON ykksm.yubikeys TO 'ykksmimporter'@'localhost';
+mysql> SET PASSWORD FOR 'ykksmimporter'@'localhost' = PASSWORD('otherpassword');
+mysql> FLUSH PRIVILEGES;
+mysql> \q
+user@ksm:~$
+----
+
+Step 3B: PostgreSQL Installation
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Install some packages:
+
+[source, sh]
+----
+user@ksm:~$ sudo apt-get install postgresql php5-pgsql libdbd-pg-perl
+...
+user@ksm:~$ 
+----
+
+The database needs to be initialized as follows:
+
+[source, sh]
+----
+user@ksm:~$ sudo su postgres
+postgres@ksm:~$ createdb ykksm
+postgres@ksm:~$ psql ykksm < /usr/share/doc/yubikey-ksm/ykksm-db.sql 
+postgres@ksm:~$
+----
+
+You also need to create a user for the decrypt interface, normally
+called 'ykksmreader':
+
+[source, sh]
+----
+postgres@ksm:~$ psql ykksm -q
+ykksm=# CREATE USER ykksmreader PASSWORD 'yourpassword';
+ykksm=# GRANT SELECT ON yubikeys TO ykksmreader;
+ykksm=# CREATE USER ykksmimporter PASSWORD 'otherpassword';
+ykksm=# GRANT INSERT ON yubikeys TO ykksmimporter;
+ykksm=# \q
+postgres@ksm:~$ 
+----
+
+During installation and debugging it may be useful to watch the
+database log entries:
+
+[source, sh]
+user@ksm:~$ sudo tail -F /var/log/postgresql/postgresql-*-main.log &
+
+Step 4: Include path configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Set the include path by creating a file /etc/php5/conf.d/ykksm.ini
+with the following content:
+
+[source, sh]
+----
+user@ksm:~$ sudo sh -c 'cat > /etc/php5/conf.d/ykksm.ini'
+include_path = "/etc/yubico/ksm:/usr/share/yubikey-ksm"
+user@ksm:~$ sudo /etc/init.d/apache2 restart
+user@ksm:~$ 
+----
+
+The paths are the default, if you installed the YK-KSM in some other
+place you need to modify the paths.
+
+Step 5: Logging
+~~~~~~~~~~~~~~~
+
+The PHP interface uses syslog for logging of incoming requests.  The
+facility is set in ykksm-config.php but defaults the LOG_LOCAL0.  To
+place these messages in a separate file, you can add the following to
+/etc/syslog.conf, or if you use rsyslog, create a file
+/etc/rsyslog.d/ykksm.conf with this content:
+
+[source, sh]
+----
+user@ksm:~$ sudo sh -c 'cat > /etc/rsyslog.d/ykksm.conf'
+local0.* -/var/log/ykksm.log
+user@ksm:~$ sudo /etc/init.d/rsyslog restart
+...
+user@ksm:~$ 
+----
+
+The '-' before the filename avoids syncing the file after each write,
+which is recommended for performance.
+
+The log file can grow large quickly, so it is a good idea to setup
+rotation of log files.  Here is an example that rotates the log file
+weekly.  Create a file /etc/logrotate.d/ykksm like this:
+
+[source, sh]
+----
+user@ksm:~$ sudo sh -c 'cat > /etc/logrotate.d/ykksm'
+/var/log/ykksm.log {
+  weekly
+  missingok
+  rotate 9999
+  notifempty
+  postrotate
+    invoke-rc.d rsyslog reload > /dev/null
+  endscript
+}
+user@ksm:~$ 
+----
+
+Step 5.1: Fix default log (optional)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Unfortunately, most default syslog configuration, including the
+syslog.conf configuration file on Debian, will also log all entries to
+/var/log/syslog and/or /var/log/messages.
+
+I am not aware of any way to avoid this without modifying these other
+rules.  To avoid YK-KSM log entries in these other files, you must
+modify the default rules.  For example, edit the following lines of
+/etc/rsyslog.conf (or /etc/syslog.conf if you don't use rsyslog):
+
+[source, sh]
+----
+*.*;auth,authpriv.none          -/var/log/syslog
+*.=info;*.=notice;*.=warn;\
+        auth,authpriv.none;\
+        cron,daemon.none;\
+        mail,news.none          -/var/log/messages
+----
+
+Change them into:
+
+[source, sh]
+----
+*.*;auth,authpriv.none,local0.none              -/var/log/syslog
+*.=info;*.=notice;*.=warn;\
+        auth,authpriv.none;\
+        cron,daemon.none;\
+        local0.none;\
+        mail,news.none          -/var/log/messages
+----
+
+Step 6: Decrypt OTP Interface
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The interface to decrypt OTPs is implemented using a PHP script.  You
+can place the script under any URL, but we recommend serving it as
+http://ykksm.example.org/wsapi/decrypt.  The simplest way is to use
+the 'symlink' rule in our makefile:
+
+[source, sh]
+----
+user@ksm:~$ sudo make -f /usr/share/doc/yubikey-ksm/ykksm.mk symlink
+install -d /var/www/wsapi
+ln -sf /usr/share/yubikey-ksm/.htaccess /var/www/wsapi/.htaccess
+ln -sf /usr/share/yubikey-ksm/ykksm-decrypt.php /var/www/wsapi/decrypt.php
+user@ksm:~$ 
+----
+
+You may also run the commands manually.
+
+Step 7: YK-KSM Configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+You need to edit the ykksm-config.php script.  An example file is
+included in YK-KSM as 'ykksm-config.php'.  It is normally installed as
+/etc/yubico/ksm/ykksm-config.php:
+
+[source, sh]
+----
+user@ksm:~$ sudo cat /etc/yubico/ksm/ykksm-config.php 
+<?php
+$db_dsn      = "mysql:dbname=ykksm;host=127.0.0.1";
+$db_username = "ykksmreader";
+$db_password = "yourpassword";
+$db_options  = array();
+$logfacility = LOG_LOCAL0;
+?>
+user@ksm:~$ 
+----
+
+Be careful about the user permissions and ownership so that unrelated
+users on the system cannot read the database password.
+
+Typically you only need to modify the database password, and possibly
+the database definition in $db_dsn.  Example DSN for a MySQL setup:
+
+[source, sh]
+$db_dsn      = "mysql:dbname=ykksm;host=127.0.0.1";
+
+An example DSN for a PostgreSQL setup:
+
+[source, sh]
+$db_dsn      = "pgsql:dbname=ykksm;host=127.0.0.1";
+
+The End
+~~~~~~~
+
+You now have a YK-KSM up and running.  You can test the service by
+requesting a URL.  Using wget, for example:
+
+[source, sh]
+----
+user@ksm:~$ sudo apt-get install wget
+user@ksm:~$ wget -q -O - 'http://localhost/wsapi/decrypt?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
+ERR Unknown yubikey
+user@ksm:~$
+----
+ 
+You will need to import keys into the database for the decrypt function
+to do anything useful.  See link:Server_Hardening.adoc[Server Hardening]
+on how to improve security of your system.  Likely next steps are
+link:Generate_KSM_Key.adoc[Generate KSM Key],
+link:Generate_Keys.adoc[Generate Keys] and/or
+link:Import_Keys_To_KSM.adoc[Import Keys To KSM].

doc/Key_Provisioning_Format.adoc

@@ -0,0 +1,108 @@
+Key Provisioning Data Format
+----------------------------
+
+This file holds data used in the Yubikey personalization phase.
+
+The file is an OpenPGP signed and encrypted text file.  Readers should
+support both CRLF and LF line endings.  The values are text and
+separated by comma ("," ASCII 0x2C).  The first line of the file MUST
+be as follows:
+
+ # ykksm 1
+
+Each of the rest lines in the file follows the following format:
+
+ serialNr,publicName,internalName,aesKey,lockCode,created,accessed[,progflags] # comment
+
+Any data after a # is treated as a comment and is ignored.  Lines of
+the following format:
+
+ # comment
+
+are also treated as comments.
+
+The meaning are as follows:
+
+serialNr::
+ the serial number of the device used for the barcode, decimal integer
+
+publicName::
+ encoding of the "external" yubikey prefix, 0-16 modhex characters, typically 12
+ modhex encoded data
+
+internalName::
+ encoding of the "internal" yubikey identity, always 6 binary bytes = 12 hex,
+ hex encoded data
+
+aesKey::
+ an aes key used for the device, length decides whether it is a 128, 192, or 256 bit keys.
+ hex encoded data
+
+lockCode::
+ the locking code, always 6 binary bytes = 12 hex,
+ hex encoded data
+
+created::
+ timestamp of when the key was created
+ for example 2009-02-24T17:41:57 or empty
+
+accessed::
+ timestamp of when the key was last accessed
+ for example 2009-02-24T17:41:57 or empty
+
+progflags::
+ optional field, integer with flags used during personalization
+ to enable, e.g., static key mode or cr output
+
+Examples of valid data lines:
+
+....
+4711,dlcfffckrcde,ca62baca62ba,ecde18dbe76fbd0c33330f1c354871db,be70aeca62ba,2009-01-22 00:25:11,
+4712,,ca62baca62ba,ecde18dbe76fbd0c33330f1c354871db,be70aeca62ba,2009-01-22 00:25:11,2009-02-13 00:05:40
+4713,dlcfffckrcdedlcf,ca62baca62ba,ecde18dbe76fbd0c33330f1c354871db,be70aeca62ba,2009-01-22 00:25:11,2009-02-13 00:05:40,0
+4714,dlcfffckrcdedlcf,ca62baca62ba,ecde18dbe76fbd0c33330f1c354871db,be70aeca62ba,2009-01-22 00:25:11,2009-02-13 00:05:40,4711
+....
+
+Example of actual data using the password 'foobar' (normally it would
+be encrypted to a particular OpenPGP key id):
+
+....
+-----BEGIN PGP MESSAGE-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+jA0EAwMClfljrWYVfm5gycDMIpZXLnzKtUfeEsqXRp63IdAghBzAfdIt4aeJ2kdV
+x8uvvHKeHfytjEo/U9Wg4NYqYoDnMeb4zXBmrRqWu558ldW75e5R2kPImuQnZIBQ
+3WKRbElrLpQTlbdyDDAzlOnVLvTrmekZ8ByUrED3tyZKJw7OW5YsHi3z5N+QNFbZ
+hpMWfDBiJRksQEXv3BbiWVojSS+ZlCBiDjqnbIGuk0nZlJSe3F3Jwdz22Y05aU2h
++2e6vWkqsbvZMVHnU6pauyaM1dh2owXsoHCPLM1fs7ztIh5dAnV9d0TuW4ufKEFQ
+FdH5c4dNgl36CNM8dDlM3c8YpfjxlQ11e6ub7QZC1Eu3gqvfPIvYpczlwjkYOkcH
+nu1Iq42VgUSJzBr36aL9lLySyT8WRizzmJLaGYX/YqKgBXt6RTSO984WsxE6cl80
+paFvFOjybJ2V5GYc7pfdZAM2ySEhnS6PaxYAQXfrEhhtTTCCg1eCqKh4Yamv3u0v
+DAkppMqXeprjpC4cNvrQsVOKGx7HissA5x4rECLC
+=d54w
+-----END PGP MESSAGE-----
+....
+
+Naming Scheme
+~~~~~~~~~~~~~
+
+The files should use the standard GnuPG output extension '.asc'.
+
+If you want to store many keys in a one-key per file approach, we
+suggest to create files named after the serial number.  For example:
+
+....
+0.asc
+1.asc
+2.asc
+3.asc
+4.asc
+5.asc
+6.asc
+7.asc
+8.asc
+9.asc
+10.asc
+11.asc
+...
+....

doc/Make_Release.adoc

@@ -0,0 +1,32 @@
+Maintainer instructions for making releases
+-------------------------------------------
+
+The point of this document is to describe all steps required to make a
+proper release of the yubikey-personalization project.
+
+Dependencies
+~~~~~~~~~~~~
+
+Making a release requires the following packages:
+
+  make, git, gnupg, help2man, git2cl
+
+which can be installed (under Ubuntu) by running:
+
+  sudo apt-get install make git gnupg help2man git2cl
+
+Details
+~~~~~~~
+
+* Make sure the version number in Makefile has been incremented.
+
+* Make sure NEWS describes all changes since the last release.  Use
+  'git log -p' to review.
+
+* Change the '(unreleased)' part in NEWS to '(released 20XX-YY-ZZ)'
+  and commit that with a note 'Version Q.P'.
+
+* Run 'make release'.
+
+* Increment version number in Makefile and add a NEWS template for the
+  next release.

doc/Server_Hardening.adoc

@@ -0,0 +1,289 @@
+Server Hardening
+----------------
+
+While the defaults should be secure, there are some simple
+administrative actions that will increase your overall security.  None
+of these steps are required, but we encourage you to read this
+document to see if the enhancements are relevant for your environment.
+
+Tighten PHP configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Tighten the security of the PHP installation by creating a file
+/etc/php5/conf.d/harden.ini with the following content:
+
+[source, sh]
+----
+user@host:~$ sudo sh -c 'cat > /etc/php5/conf.d/harden.ini'
+display_errors = Off
+log_errors = On
+user@host:~$ 
+----
+
+Tighten Apache configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Tighten the security of the Apache installation by making sure
+directory listings are disabled globally.  Edit
+/etc/apache2/conf.d/security and make sure the following is
+uncommented:
+
+[source, xml]
+----
+<Directory />
+  AllowOverride None
+  Order Deny,Allow
+  Deny from all
+</Directory>
+----
+
+Time Synchronization
+~~~~~~~~~~~~~~~~~~~~
+
+For logging and (on the validation server) time-stamping it is
+important to have synchronized clocks.  Install ntp.
+
+[source, sh]
+----
+user@host:~$ sudo apt-get install ntp
+...
+----
+
+Firewall
+~~~~~~~~
+
+There is no reason why the KSM needs to listen to incoming requests
+from the entire Internet, and restricting access to the intended
+YK-VAL servers are recommended.
+
+[source, sh]
+----
+user@ksm:~$ sudo sh -c 'cat > /etc/network/if-pre-up.d/iptables'
+#!/bin/sh
+
+# IPv4 firewall:
+iptables -F
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT ACCEPT
+iptables -A INPUT -i lo -p all -j ACCEPT
+iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -p tcp -i eth0 -s 1.2.3.4 --dport 22 -j ACCEPT
+iptables -A INPUT -p tcp -i eth0 -s 2.3.4.5 --dport 80 -j ACCEPT
+iptables -A INPUT -p tcp -i eth0 -s 2.3.4.5 --dport 443 -j ACCEPT
+
+# IPv6 firewall:
+ip6tables -F
+ip6tables -P INPUT DROP
+ip6tables -P FORWARD DROP
+ip6tables -P OUTPUT ACCEPT
+ip6tables -A INPUT -i lo -p all -j ACCEPT
+ip6tables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A INPUT -p icmpv6 -j ACCEPT
+ip6tables -A INPUT -p tcp -i eth0 -s 2000:1:2::3 --dport 22 -j ACCEPT
+ip6tables -A INPUT -p tcp -i eth0 -s 2000:2:3::4 --dport 80 -j ACCEPT
+ip6tables -A INPUT -p tcp -i eth0 -s 2000:2:3::4 --dport 443 -j ACCEPT
+
+user@ksm:~$ chmod +x /etc/network/if-pre-up.d/iptables
+user@ksm:~$ 
+----
+
+Replace 1.2.3.4 (for IPv4) and 2000:1:2::3 (for IPv6) with the address
+of the host you want to be able to login from via SSH, and replace
+2.3.4.5 (for IPv4) and 2000:2:3::4 (for IPv6) with the address of the
+YK-VAL that will be accessing this YK-KSM.  Add more lines for each
+validation server and SSH host.
+
+For a validation server, you may want to allow HTTP(S) requests from
+anyone, but not anything else.
+
+[source, sh]
+----
+user@val:~$ sudo sh -c 'cat > /etc/network/if-pre-up.d/iptables'
+#!/bin/sh
+
+# IPv4 firewall
+iptables -F
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT ACCEPT
+iptables -A INPUT -i lo -p all -j ACCEPT
+iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -p tcp -i eth0 -s 1.2.3.4 --dport 22 -j ACCEPT
+iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
+iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
+
+# IPv6 firewall:
+ip6tables -F
+ip6tables -P INPUT DROP
+ip6tables -P FORWARD DROP
+ip6tables -P OUTPUT ACCEPT
+ip6tables -A INPUT -i lo -p all -j ACCEPT
+ip6tables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A INPUT -p icmpv6 -j ACCEPT
+ip6tables -A INPUT -p tcp -i eth0 -s 2000:1:2::3 --dport 22 -j ACCEPT
+ip6tables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
+ip6tables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
+
+user@ksm:~$ chmod +x /etc/network/if-pre-up.d/iptables
+user@ksm:~$ 
+----
+
+Again, replace 1.2.3.4 (for IPv4) and 2000:1:2::3 (for IPv6) with the
+address of the host you want to be able to login from via SSH.
+
+If you want to allow SSH and HTTP(S) from everywhere, but nothing
+else, try this:
+
+[source, sh]
+----
+user@val:~$ sudo sh -c 'cat > /etc/network/if-pre-up.d/iptables'
+#!/bin/sh
+
+# IPv4 firewall
+iptables -F
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT ACCEPT
+iptables -A INPUT -i lo -p all -j ACCEPT
+iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
+iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
+iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
+
+# IPv6 firewall:
+ip6tables -F
+ip6tables -P INPUT DROP
+ip6tables -P FORWARD DROP
+ip6tables -P OUTPUT ACCEPT
+ip6tables -A INPUT -i lo -p all -j ACCEPT
+ip6tables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A INPUT -p icmpv6 -j ACCEPT
+ip6tables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
+ip6tables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
+ip6tables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
+
+user@ksm:~$ chmod +x /etc/network/if-pre-up.d/iptables
+user@val:~$ 
+----
+
+Database Encryption
+~~~~~~~~~~~~~~~~~~~
+
+The database contains sensitive information.  If someone is able to
+access your machine physically, they may shut it off and steal it with
+the goal of reading out the sensitive information.  By encrypting the
+disk, you can prevent this.  Note that this does not protect against
+an attacker who has physical access to your server and sufficient time
+to read out the data from the already running system.
+
+Full disk encryption will give you the highest protection, but
+requires that you can enter the disk encryption password on each
+power-up.  This can be unpractical when your hosting environment is
+remote.
+
+Partial disk encryption allows the operating system to start up, and
+enable you to login to the machine remotely to enter the disk
+encryption password.  This is less secure than full disk encryption,
+because an attacker could physically disconnect your machine, modify
+the operating system to send a copy of the password to the attacker,
+but may be sufficient if you keep good track of when your machine is
+not working properly.
+
+To use partial disk encryption for the database content, we suggest
+you install the operating system as normal but create another file
+system on an encrypted volume.
+
+If you need swap space, be sure to only put the swap on the encrypted
+volume too.  Make sure that the database does not start up
+automatically on boot, and also make sure that the system does not
+attempt to mount your encrypted partition automatically.
+
+Setup:
+
+[source, sh]
+----
+user@ksm:~$ sudo apt-get install loop-aes-utils loop-aes-modules-2.6-amd64
+...
+user@ksm:~$ sudo rmmod loop && sudo modprobe loop
+user@ksm:~$ sudo dd if=/dev/zero of=/root/ksm.img bs=1k count=1M
+...
+user@ksm:~$ sudo losetup -e AES128 /dev/loop0 /root/ksm.img 
+Password: 
+user@ksm:~$ sudo mkfs.ext2 -q /dev/loop0 
+user@ksm:~$ sudo mkdir /ksm
+user@ksm:~$ sudo mount /dev/loop0 /ksm
+user@ksm:~$ sudo /etc/init.d/postgresql-8.3 stop
+...
+user@ksm:~$ sudo update-rc.d -f postgresql-8.3 remove
+user@ksm:~$ sudo mv /var/lib/postgresql /ksm
+user@ksm:~$ sudo ln -s /ksm/postgresql /var/lib/postgresql
+user@ksm:~$ sudo sh -c 'cat > /usr/local/sbin/ykksm-start'
+#!/bin/sh
+set -e
+set -x
+losetup -e AES128 /dev/loop0 /root/ksm.img
+fsck /dev/loop0
+mount /dev/loop0  /ksm/
+/etc/init.d/postgresql-8.3 start
+user@ksm:~$ sudo sh -c 'cat > /usr/local/sbin/ykksm-stop'
+#!/bin/sh
+set -e
+set -x
+/etc/init.d/postgresql-8.3 stop
+umount /ksm
+losetup -d /dev/loop0
+user@ksm:~$ sudo chmod +x /usr/local/sbin/ykksm-{start,stop}
+----
+
+Slightly adapted for MySQL:
+
+[source, sh]
+----
+user@ksm:~$ sudo apt-get install loop-aes-utils loop-aes-modules-2.6-686
+...
+user@ksm:~$ sudo rmmod loop && sudo modprobe loop
+user@ksm:~$ sudo dd if=/dev/zero of=/root/ksm.img bs=1k count=1M
+...
+user@ksm:~$ sudo losetup -e AES128 /dev/loop0 /root/ksm.img 
+Password: 
+user@ksm:~$ sudo mkfs.ext2 -q /dev/loop0 
+user@ksm:~$ sudo mkdir /ksm
+user@ksm:~$ sudo mount /dev/loop0 /ksm
+user@ksm:~$ sudo /etc/init.d/mysql stop
+user@ksm:~$ sudo update-rc.d -f mysql remove
+user@ksm:~$ sudo mv /var/lib/mysql /ksm
+user@ksm:~$ sudo ln -s /ksm/mysql /var/lib/mysql
+user@ksm:~$ sudo sh -c 'cat > /usr/local/sbin/ykksm-start'
+#!/bin/sh
+set -e
+set -x
+losetup -e AES128 /dev/loop0 /root/ksm.img
+fsck /dev/loop0
+mount /dev/loop0  /ksm/
+/etc/init.d/mysql start
+user@ksm:~$ sudo sh -c 'cat > /usr/local/sbin/ykksm-stop'
+#!/bin/sh
+set -e
+set -x
+/etc/init.d/mysql stop
+umount /ksm
+losetup -d /dev/loop0
+user@ksm:~$ sudo chmod +x /usr/local/sbin/ykksm-{start,stop}
+----
+
+Then in the future, to start the YK-KSM, you will need to login to the
+machine and issue the command 'sudo ykksm-start' and enter the disk
+encryption password.
+
+Again, make sure that you don't use any unencrypted swap.
+
+Intrusion Detection
+~~~~~~~~~~~~~~~~~~~
+
+To make some attacks discussed in the previous section harder, make
+sure that your system has a hardware intrusion detection system and
+that your software is notified when it is triggered.  When the
+intrusion detection is triggered, you should stop the database and
+unmount the encrypted volume and send out a signal to your
+administrators.

doc/Sync_Monitor.adoc

@@ -0,0 +1,49 @@
+YK-KSM Synchronization Monitor
+------------------------------
+
+If you deploy multiple redundant YK-KSM instances, it is important to
+monitor them to make sure the data they have is synchronized.  While
+there are many mechanisms to achieve this, we provide a simple yet
+flexible approach.  The 'ykksm-checksum' script reads out the
+important fields from the database and computes a SHA-1 hash of it,
+and truncates the hash to 10 hex characters and prints them to stdout.
+
+The "important fields" are serial number, public name, internal name
+and AES key.
+
+Sample output looks like this, first there is a Unix time (for
+freshness) and then is the truncated hash value.
+
+  1284488221
+  50f5649b80
+
+The script requires the Perl SHA-1 package.  Install it like this:
+
+[source, sh]
+----
+user@ksm:~$ sudo apt-get install libdigest-sha1-perl
+...
+user@ksm:~$ 
+----
+
+The typical way to use this is either manually or to run it in a cron
+job and output the hash to a file that can be downloaded by a remote
+monitor system such as Nagios.  The intention is that you run a check
+that downloads this file from all of your KSMs, and the Nagios check
+verify that all values are 1) fresh (Unix time is not too old) and 2)
+that the truncated hash value is identical on all KSMs.
+
+[source, sh]
+----
+user@ksm:~$ sudo sh -c 'cat > /etc/cron.hourly/run-ykksm-checksum'
+#!/bin/sh
+FILE=/var/www/checksum.txt
+(date --utc +%s; ykksm-checksum --db-user ykksmreader --db-passwd `grep passwo rd /etc/yubico/ksm/ykksm-config.php|cut -d\  -f3|cut -d\" -f2`) > $FILE.tmp
+mv $FILE.tmp $FILE
+user@ksm:~$ sudo chmod +x /etc/cron.hourly/run-ykksm-checksum
+----
+
+If you notice mismatches, you may want to run ykksm-checksum with the
+'-v' parameter on the different hosts and then use 'diff -ur' or
+similar tool to compare the outputs.  This should make it possible to
+identify the missmatching entries easily.

selftest.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+set -e
+set -x
+
+if [ "x$DB" = "xmysql" ]; then
+  dbuser=travis
+
+  mysql -u $dbuser -e 'create database ykksm;'
+  mysql -u $dbuser ykksm < ykksm-db.sql
+
+  dbrun="mysql -u $dbuser ykksm -e"
+elif [ "x$DB" = "xpgsql" ]; then
+  dbuser=postgres
+
+  psql -U $dbuser -c 'create database ykksm;'
+  psql -U $dbuser ykksm < ykksm-db.sql
+
+  dbrun="psql -U $dbuser ykksm -c"
+elif [ "x$DB" = "xsqlite" ]; then
+  dbuser=""
+
+  dbfile=`mktemp`
+  sqlite3 $dbfile < ykksm-db.sql
+  sed -i "s,^.*db_dsn.*$,\$db_dsn = \"sqlite:$dbfile\";," ykksm-config.php
+
+  dbrun="sqlite3 $dbfile"
+else
+  echo "unknown DB $DB"
+  exit 1
+fi
+
+cat > config-db.php << EOF
+<?php
+\$dbuser = '$dbuser';
+\$dbpass = '';
+\$dbname = 'ykksm';
+\$dbtype = '$DB';
+?>
+EOF
+sudo mkdir -p /etc/yubico/ksm/
+sudo chmod 0755 /etc/yubico/ksm/
+sudo mv config-db.php /etc/yubico/ksm/
+
+$dbrun "insert into yubikeys (publicname,internalname,aeskey,serialnr,created,lockcode,creator) values('idkfefrdhtru','609963eae7b5','c68c9df8cbfe7d2f994cb904046c7218',0,0,'','');"
+
+set +e
+
+echo '' | php -B "\$_REQUEST = array('otp' => 'idkfefrdhtrutjduvtcjbfeuvhehdvjjlbchtlenfgku');" -F ykksm-decrypt.php | grep -q "^OK counter=0001 low=8d40 high=0f use=00"
+if [ $? != 0 ]; then
+  echo '' | php -B "\$_REQUEST = array('otp' => 'idkfefrdhtrutjduvtcjbfeuvhehdvjjlbchtlenfgku');" -F ykksm-decrypt.php
+  sudo tail /var/log/auth.log
+  exit 1
+else
+  echo "Success 1"
+fi
+
+echo '' | php -B "\$_REQUEST = array('otp' => 'idkfefrdhtrutjduvtcjbfeuvhehdvjjlbchtlenfgkv');" -F ykksm-decrypt.php | grep -q "^ERR Corrupt OTP"
+if [ $? != 0 ]; then
+  echo '' | php -B "\$_REQUEST = array('otp' => 'idkfefrdhtrutjduvtcjbfeuvhehdvjjlbchtlenfgkv');" -F ykksm-decrypt.php
+  sudo tail /var/log/auth.log
+  exit 1
+else
+  echo "Success 2"
+fi
+
+echo '' | php -B "\$_REQUEST = array('otp' => 'cdkfefrdhtrutjduvtcjbfeuvhehdvjjlbchtlenfgkv');" -F ykksm-decrypt.php | grep -q "^ERR Unknown yubikey"
+if [ $? != 0 ]; then
+  echo '' | php -B "\$_REQUEST = array('otp' => 'cdkfefrdhtrutjduvtcjbfeuvhehdvjjlbchtlenfgkv');" -F ykksm-decrypt.php
+  sudo tail /var/log/auth.log
+  exit 1
+else
+  echo "Success 3"
+fi

ykksm-checksum

@@ -1,7 +1,7 @@
 #!/usr/bin/perl
 
 # Written by Simon Josefsson <simon@josefsson.org>.
-# Copyright (c) 2010-2012 Yubico AB
+# Copyright (c) 2010-2013 Yubico AB
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -55,10 +55,17 @@ sub usage {
     exit 1;
 }
 
+#Support dbconfig-common generated database settings, if available
+our ($dbuser, $dbpass, $basepath, $dbname, $dbserver, $dbport, $dbtype);
+if( -r '/etc/yubico/ksm/config-db.cfg' ) {
+    require '/etc/yubico/ksm/config-db.cfg';
+} else {
+    $dbtype = 'mysql';
+    $dbname = 'ykksm';
+}
+
 my $verbose = 0;
-my $db = "dbi:mysql:ykksm";
-my $dbuser;
-my $dbpasswd;
+my $db = "dbi:$dbtype:$dbname";
 while ($ARGV[0] =~ m/^-(.*)/) {
     my $cmd = shift @ARGV;
     if (($cmd eq "-v") || ($cmd eq "--verbose")) {
@@ -70,7 +77,7 @@ while ($ARGV[0] =~ m/^-(.*)/) {
     } elsif ($cmd eq "--db-user") {
 	$dbuser = shift;
     } elsif ($cmd eq "--db-passwd") {
-	$dbpasswd = shift;
+	$dbpass = shift;
     }
 }
 
@@ -78,7 +85,7 @@ if ($#ARGV>=0) {
     usage();
 }
 
-my $dbh = DBI->connect($db, $dbuser, $dbpasswd, {'RaiseError' => 1});
+my $dbh = DBI->connect($db, $dbuser, $dbpass, {'RaiseError' => 1});
 my $sth = $dbh->prepare ('SELECT serialnr, publicname, internalname, aeskey '.
 			 'FROM yubikeys '.
 			 'ORDER BY serialnr, publicname')

ykksm-config.php

@@ -1,7 +1,20 @@
 <?php
-$db_dsn      = "mysql:dbname=ykksm;host=127.0.0.1";
-$db_username = "ykksmreader";
-$db_password = "yourpassword";
+//ykksm will use the configuration stored in /etc/yubico/ksm/config-db.php, if that file exists. If it does not exist, the below values will be used.
+
+if(file_exists('/etc/yubico/ksm/config-db.php')) {
+	include '/etc/yubico/ksm/config-db.php';
+} else {
+	$dbuser='ykksmreader';
+	$dbpass='yourpassword';
+	$basepath='';
+	$dbname='ykksm';
+	$dbserver='';
+	$dbport='';
+	$dbtype='mysql';
+}
+$db_dsn      = "$dbtype:dbname=$dbname;host=127.0.0.1";
+$db_username = $dbuser;
+$db_password = $dbpass;
 $db_options  = array();
-$logfacility = LOG_LOCAL0;
+$logfacility = LOG_AUTH;
 ?>

ykksm-decrypt.php

@@ -1,7 +1,7 @@
 <?php
 
 # Written by Simon Josefsson <simon@josefsson.org>.
-# Copyright (c) 2009-2012 Yubico AB
+# Copyright (c) 2009-2013 Yubico AB
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,8 +28,10 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+ob_start();
 require_once 'ykksm-config.php';
 require_once 'ykksm-utils.php';
+ob_end_clean();
 
 openlog("ykksm", LOG_PID, $logfacility)
   or die("ERR Syslog open error\n");
@@ -48,25 +50,61 @@ if (!preg_match("/^([cbdefghijklnrtuv]{0,16})([cbdefghijklnrtuv]{32})$/",
 $id = $matches[1];
 $modhex_ciphertext = $matches[2];
 
-try {
-  $dbh = new PDO($db_dsn, $db_username, $db_password, $db_options);
-} catch (PDOException $e) {
-  syslog(LOG_ERR, "Database error: " . $e->getMessage());
-  die("ERR Database error\n");
-}
+# Oracle support in PDO is highly experimental, OCI is used instead
+# Unfortunately PDO and OCI APIs are different...
+$use_oci = substr($db_dsn,0,3) === 'oci';
+
+if (!$use_oci) {
+  try {
+    $dbh = new PDO($db_dsn, $db_username, $db_password, $db_options);
+   } catch (PDOException $e) {
+    syslog(LOG_ERR, "Database error: " . $e->getMessage());
+    die("ERR Database error\n");
+   }
+ }
+else {
+  # "oci:" prefix needs to be removed before passing db_dsn to OCI
+  $db_dsn = substr($db_dsn, 4);
+  $dbh = oci_connect($db_username, $db_password, $db_dsn);
+  if (!$dbh) {
+    $error = oci_error();
+    syslog(LOG_err, "Database error: " . $error["message"]);
+    die("ERR Database error\n");
+   }
+ }
 
 $sql = "SELECT aeskey, internalname FROM yubikeys " .
-       "WHERE publicname = '$id' AND active";
-$result = $dbh->query($sql);
-if (!$result) {
-  syslog(LOG_ERR, "Database query error.  Query: " . $sql . " Error: " .
-	 print_r ($dbh->errorInfo (), true));
-  die("ERR Database error\n");
-}
+       "WHERE publicname = '$id' AND ";
 
-$row = $result->fetch(PDO::FETCH_ASSOC);
-$aeskey = $row['aeskey'];
-$internalname = $row['internalname'];
+if (!$use_oci) {
+  $sql .= "(active OR active = 'true')";
+  $result = $dbh->query($sql);
+  if (!$result) {
+    syslog(LOG_ERR, "Database query error.  Query: " . $sql . " Error: " .
+           print_r ($dbh->errorInfo (), true));
+    die("ERR Database error\n");
+   }
+
+  $row = $result->fetch(PDO::FETCH_ASSOC);
+  $aeskey = $row['aeskey'];
+  $internalname = $row['internalname'];
+ }
+else {
+  $sql .= "active = 1";
+  $result = oci_parse($dbh, $sql);
+  $execute = oci_execute($result);
+  if (!$execute) {
+    $error = oci_error($result);
+    syslog(LOG_ERR, 'Database query error.   Query:  ' . $sql . 'Error: CODE : ' . $error["code"] .
+           ' MESSAGE : ' . $error["message"] . ' POSITION : ' . $error["offset"] .
+           ' STATEMENT : ' . $error["sqltext"]);
+    die("ERR Database error\n");
+   }
+
+  $row = oci_fetch_array($result, OCI_ASSOC);
+  $aeskey = $row['AESKEY'];
+  $internalname = $row['INTERNALNAME'];
+ }
 
 if (!$aeskey) {
   syslog(LOG_INFO, "Unknown yubikey: " . $otp);

ykksm-export

@@ -1,7 +1,7 @@
 #!/usr/bin/perl
 
 # Written by Simon Josefsson <simon@josefsson.org>.
-# Copyright (c) 2009-2012 Yubico AB
+# Copyright (c) 2009-2013 Yubico AB
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -53,10 +53,17 @@ sub usage {
     exit 1;
 }
 
+#Support dbconfig-common generated database settings, if available
+our ($dbuser, $dbpass, $basepath, $dbname, $dbserver, $dbport, $dbtype);
+if( -r '/etc/yubico/ksm/config-db.cfg' ) {
+    require '/etc/yubico/ksm/config-db.cfg';
+} else {
+    $dbtype = 'mysql';
+    $dbname = 'ykksm';
+}
+
 my $verbose = 0;
-my $db = "dbi:mysql:ykksm";
-my $dbuser;
-my $dbpasswd;
+my $db = "dbi:$dbtype:$dbname";
 while ($ARGV[0] =~ m/^-(.*)/) {
     my $cmd = shift @ARGV;
     if (($cmd eq "-v") || ($cmd eq "--verbose")) {
@@ -68,7 +75,7 @@ while ($ARGV[0] =~ m/^-(.*)/) {
     } elsif ($cmd eq "--db-user") {
 	$dbuser = shift;
     } elsif ($cmd eq "--db-passwd") {
-	$dbpasswd = shift;
+	$dbpass = shift;
     }
 }
 
@@ -76,7 +83,7 @@ if ($#ARGV>=0) {
     usage();
 }
 
-my $dbh = DBI->connect($db, $dbuser, $dbpasswd, {'RaiseError' => 1});
+my $dbh = DBI->connect($db, $dbuser, $dbpass, {'RaiseError' => 1});
 my $sth = $dbh->prepare
     ('SELECT serialnr, publicname, internalname, aeskey, lockcode, created FROM yubikeys')
     or die "Couldn't prepare statement: " . $dbh->errstr;

ykksm-gen-keys

@@ -1,7 +1,7 @@
 #!/usr/bin/perl
 
 # Written by Simon Josefsson <simon@josefsson.org>.
-# Copyright (c) 2009-2012 Yubico AB
+# Copyright (c) 2009-2013 Yubico AB
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without

ykksm-import

@@ -1,7 +1,7 @@
 #!/usr/bin/perl
 
 # Written by Simon Josefsson <simon@josefsson.org>.
-# Copyright (c) 2009-2012 Yubico AB
+# Copyright (c) 2009-2013 Yubico AB
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -57,11 +57,18 @@ sub usage {
     exit 1;
 }
 
+#Support dbconfig-common generated database settings, if available
+our ($dbuser, $dbpass, $basepath, $dbname, $dbserver, $dbport, $dbtype);
+if( -r '/etc/yubico/ksm/config-db.cfg' ) {
+    require '/etc/yubico/ksm/config-db.cfg';
+} else {
+    $dbtype = 'mysql';
+    $dbname = 'ykksm';
+}
+
 my $verbose = 0;
 my $creator;
-my $db = "dbi:mysql:ykksm";
-my $dbuser;
-my $dbpasswd;
+my $db = "dbi:$dbtype:$dbname";
 while ($ARGV[0] =~ m/^-(.*)/) {
     my $cmd = shift @ARGV;
     if (($cmd eq "-v") || ($cmd eq "--verbose")) {
@@ -75,7 +82,7 @@ while ($ARGV[0] =~ m/^-(.*)/) {
     } elsif ($cmd eq "--db-user") {
 	$dbuser = shift;
     } elsif ($cmd eq "--db-passwd") {
-	$dbpasswd = shift;
+	$dbpass = shift;
     }
 }
 
@@ -114,7 +121,7 @@ print "signed by: " . $signed_by . "\n";
 
 die "Input not signed?" if !$signed_by;
 
-my $dbh = DBI->connect($db, $dbuser, $dbpasswd, {'RaiseError' => 1});
+my $dbh = DBI->connect($db, $dbuser, $dbpass, {'RaiseError' => 1});
 my $inserth = $dbh->prepare_cached(qq{
 INSERT INTO yubikeys (creator, created, serialnr,
                       publicname, internalname, aeskey, lockcode)

ykksm-utils.php

@@ -1,7 +1,7 @@
 <?php
 
 # Written by Simon Josefsson <simon@josefsson.org>.
-# Copyright (c) 2009-2012 Yubico AB
+# Copyright (c) 2009-2013 Yubico AB
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,7 +28,7 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-function hex2bin($h)
+function yubi_hex2bin($h)
 {
   if (!is_string($h)) return null;
   $r='';
@@ -45,11 +45,13 @@ function modhex2hex($m)
 
 function aes128ecb_decrypt($key,$in)
 {
-  return bin2hex(mcrypt_ecb(MCRYPT_RIJNDAEL_128,
-			    hex2bin($key),
-			    hex2bin($in),
-			    MCRYPT_DECRYPT,
-			    hex2bin('00000000000000000000000000000000')));
+  $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', 'ecb', '');
+  $iv = yubi_hex2bin('00000000000000000000000000000000');
+  mcrypt_generic_init($td, yubi_hex2bin($key), $iv);
+  $result = bin2hex(mdecrypt_generic($td, yubi_hex2bin($in)));
+  mcrypt_generic_deinit($td);
+
+  return $result;
 }
 	
 function calculate_crc($token)