5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19 * Copyright 2001-2005 Google, Inc.
20 * Copyright 2005,2006 TRI-D Systems, Inc.
32 #include <openssl/des.h> /* des_cblock */
33 #include <time.h> /* time_t */
34 #include <sys/types.h> /* size_t and ssize_t */
37 * Things you might like to change (although most are configurables)
40 /* Default passwd file */
41 #define OTP_PWDFILE "/etc/otppasswd"
43 /* state manager rendezvous point */
44 #define OTP_LSMD_RP "/var/run/lsmd/socket"
46 /* Default prompt for presentation of challenge */
47 #define OTP_CHALLENGE_PROMPT "Challenge: %s\n Response: "
49 /* Must be a multiple of sizeof(des_cblock) (8); read src before changing. */
50 #define OTP_MAX_CHALLENGE_LEN 16
52 /* Password that means "challenge me" in fast_sync mode */
53 #define OTP_CHALLENGE_REQ "challenge"
55 /* Password that means "challenge me and resync" in fast_sync mode */
56 #define OTP_RESYNC_REQ "resync"
58 /* Max event window size for sync modes */
59 #define OTP_MAX_EWINDOW_SIZE 10
60 /* Max time window size for sync modes. More than 10 may not be usable. */
61 #define OTP_MAX_TWINDOW_SIZE 10
64 * PRNG device that does not block;
65 * /dev/urandom is "merely" cryptographically strong on Linux. :-)
67 #define OTP_DEVURANDOM "/dev/urandom"
71 * You shouldn't change anything past this point
75 /* struct used for instance/option data */
76 typedef struct otp_option_t {
77 char *pwdfile; /* file containing user:card_type:key entries */
78 char *lsmd_rp; /* state manager rendezvous point */
79 char *chal_prompt; /* text to present challenge to user, must have %s */
80 int chal_len; /* challenge length, min 5 digits */
81 int softfail; /* number of auth fails before time delay starts */
82 int hardfail; /* number of auth fails when user is locked out */
83 int fast_sync; /* response-before-challenge mode */
84 int allow_sync; /* useful to override pwdfile card_type settings */
85 int allow_async; /* C/R mode allowed? */
86 char *chal_req; /* keyword requesting challenge for fast_sync mode */
87 char *resync_req; /* keyword requesting resync for fast_sync mode */
88 int prepend_pin; /* prepend (vs. append) PIN? */
89 int ewindow_size; /* sync mode event window size (right side value) */
90 int rwindow_size; /* softfail override event window size */
91 int rwindow_delay; /* softfail override max time delay */
92 int site_transform; /* apply site transform to challenge? (undoc) */
93 int debug; /* print debug info? */
94 #if defined(FREERADIUS)
95 /* freeradius-specific items */
96 int chal_delay; /* max delay time for response, in seconds */
97 const char *name; /* instance name for otp_token_authorize() */
98 int mschapv2_mppe_policy; /* whether or not do to mppe for mschapv2 */
99 int mschapv2_mppe_types; /* key type/length for mschapv2/mppe */
100 int mschap_mppe_policy; /* whether or not do to mppe for mschap */
101 int mschap_mppe_types; /* key type/length for mschap/mppe */
103 /* PAM specific items */
104 char *fast_prompt; /* fast mode prompt */
108 /* user-specific info */
109 #define OTP_MAX_CARDNAME_LEN 32
110 #define OTP_MAX_KEY_LEN 256
111 #define OTP_MAX_PIN_LEN 256
113 typedef struct otp_card_info_t {
114 const char *username;
115 struct cardops_t *cardops;
117 char card[OTP_MAX_CARDNAME_LEN + 1];
118 uint32_t featuremask;
120 char keystring[OTP_MAX_KEY_LEN * 2 + 1];
121 unsigned char keyblock[OTP_MAX_KEY_LEN];
122 char pin[OTP_MAX_PIN_LEN + 1];
128 /* state manager fd pool */
129 typedef struct lsmd_fd_t {
130 pthread_mutex_t mutex;
132 struct lsmd_fd_t *next;
135 /* user-specific state info */
136 #define OTP_MAX_CSD_LEN 64
137 #define OTP_MAX_RD_LEN 8
138 typedef struct otp_user_state_t {
139 int locked; /* locked aka success flag */
140 lsmd_fd_t *fdp; /* fd for return data */
141 int nullstate; /* null state? */
142 int updated; /* state updated? (1 unless err) */
143 ssize_t clen; /* challenge length */
145 unsigned char challenge[OTP_MAX_CHALLENGE_LEN]; /* prev sync chal */
146 char csd[OTP_MAX_CSD_LEN+1]; /* card-specific data */
147 char rd[OTP_MAX_RD_LEN+1]; /* rwindow data */
148 uint32_t failcount; /* number of consecutive failures */
149 uint32_t authtime; /* time of last auth */
150 uint32_t mincardtime; /* minimum cardtime */
152 int32_t scratch1; /* card-specific scratch data */
153 int32_t scratch2; /* card-specific scratch data */
154 int32_t scratch3; /* card-specific scratch data */
157 /* fc (failcondition) shortcuts */
158 #define OTP_FC_FAIL_NONE 0 /* no failures */
159 #define OTP_FC_FAIL_HARD 1 /* failed hard */
160 #define OTP_FC_FAIL_SOFT 2 /* failed soft */
163 /* return codes from otp_pw_valid() */
165 #define OTP_RC_USER_UNKNOWN 1
166 #define OTP_RC_AUTHINFO_UNAVAIL 2
167 #define OTP_RC_AUTH_ERR 3
168 #define OTP_RC_MAXTRIES 4
169 #define OTP_RC_SERVICE_ERR 5
170 struct otp_pwe_cmp_t;
171 typedef int (*cmpfunc_t)(struct otp_pwe_cmp_t *, const char *, const char *);
172 extern int otp_pw_valid(const char *, char *, const char *, int,
173 const otp_option_t *, cmpfunc_t, void *, const char *);
176 extern int otp_x99_mac(const unsigned char *, size_t, unsigned char [8],
177 const unsigned char [OTP_MAX_KEY_LEN], const char *);
180 extern int otp_hotp_mac(const unsigned char [8], unsigned char [7],
181 const unsigned char [OTP_MAX_KEY_LEN], size_t,
185 /* Character maps for generic hex and vendor specific decimal modes */
186 extern const char otp_hex_conversion[];
187 extern const char otp_cc_dec_conversion[];
188 extern const char otp_snk_dec_conversion[];
189 extern const char otp_sc_friendly_conversion[];
191 extern int otp_get_random(int, unsigned char *, int, const char *);
192 extern int otp_async_challenge(int, char *, int, const char *);
194 extern ssize_t otp_keystring2keyblock(const char *, unsigned char []);
195 extern char *otp_keyblock2keystring(char *, const unsigned char [], size_t,
198 extern int otp_get_card_info(const char *, const char *, otp_card_info_t *,
202 extern int otp_state_get(const otp_option_t *, const char *,
203 otp_user_state_t *, const char *);
204 extern int otp_state_put(const char *, otp_user_state_t *, const char *);
207 extern ssize_t otp_challenge_transform(const char *,
208 unsigned char [OTP_MAX_CHALLENGE_LEN],
212 extern void otp_log(int, const char *, ...);
214 #if defined(FREERADIUS)