5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 * Copyright 2001-2005 Google, Inc.
20 * Copyright 2005 TRI-D Systems, Inc.
32 #include <openssl/des.h> /* des_cblock */
33 #include <time.h> /* time_t */
36 * Things you might like to change (although most are configurables)
39 /* Default passwd file */
/* NOTE(review): per otp_option_t.pwdfile this file holds user:card_type:key
 * entries, i.e. shared-secret key material. It must be readable only by the
 * authenticating service; the owner/mode expected at install time is not
 * stated in this header — confirm against the install documentation. */
40 #define OTP_PWDFILE "/etc/otppasswd"
42 /* state manager rendezvous point */
/* Socket path used to reach the state manager; see otp_state_get() and
 * otp_state_put() below. */
43 #define OTP_LSMD_RP "/var/run/lsmd/socket"
45 /* Default prompt for presentation of challenge */
/* otp_option_t.chal_prompt says it "must have %s", so this string is
 * presumably handed to a printf-style formatter with the challenge as the
 * only argument. An administrator-supplied override must therefore contain
 * exactly one %s and no other conversion specifier. */
46 #define OTP_CHALLENGE_PROMPT "Challenge: %s\n Response: "
48 /* Must be a multiple of sizeof(des_cblock) (8); read src before changing. */
/* Sizes otp_user_state_t.challenge[] and the output parameter of
 * otp_challenge_transform() (both OTP_MAX_CHALLENGE_LEN + 1, for the NUL). */
49 #define OTP_MAX_CHALLENGE_LEN 32
51 /* Password that means "challenge me" in fast_sync mode */
/* cf. otp_option_t.chal_req */
52 #define OTP_CHALLENGE_REQ "challenge"
54 /* Password that means "challenge me and resync" in fast_sync mode */
/* cf. otp_option_t.resync_req */
55 #define OTP_RESYNC_REQ "resync"
57 /* Max event window size for sync modes */
/* Presumably the upper bounds enforced on otp_option_t.ewindow_size and
 * twindow_min/twindow_max. A wider window accepts more candidate OTPs per
 * attempt, so these caps are part of the guessing budget, not merely a
 * performance limit. */
58 #define OTP_MAX_EWINDOW_SIZE 10
59 /* Max time window size for sync modes. More than 10 may not be usable. */
60 #define OTP_MAX_TWINDOW_SIZE 10
63 * PRNG device that does not block;
64 * /dev/urandom is "merely" cryptographically strong on Linux. :-)
/* Presumably the device read by otp_get_random()/otp_get_challenge()
 * below — confirm in the implementation. */
66 #define OTP_DEVURANDOM "/dev/urandom"
70 * You shouldn't change anything past this point
74 /* struct used for instance/option data */
/*
 * Per-instance configuration. The char * members are administrator-supplied
 * strings and the ints are policy knobs. Nothing in this header validates
 * them (chal_len >= 5, window sizes <= OTP_MAX_*WINDOW_SIZE, a single %s in
 * chal_prompt), so that presumably happens where the options are parsed —
 * confirm there. Ownership of the strings is not stated here.
 */
75 typedef struct otp_option_t {
76 char *pwdfile; /* file containing user:card_type:key entries (secret material) */
77 char *lsmd_rp; /* state manager rendezvous point (socket path) */
78 char *chal_prompt; /* text to present challenge to user, must have %s;
                      * presumably used as a printf-style format, so it must
                      * hold exactly one %s and no other conversion specifier */
79 int chal_len; /* challenge length, min 5 digits */
80 int softfail; /* number of auth fails before time delay starts */
81 int hardfail; /* number of auth fails when user is locked out */
82 int fast_sync; /* response-before-challenge mode */
83 int allow_sync; /* useful to override pwdfile card_type settings */
84 int allow_async; /* C/R mode allowed? */
85 char *chal_req; /* keyword requesting challenge for fast_sync mode (cf. OTP_CHALLENGE_REQ) */
86 char *resync_req; /* keyword requesting resync for fast_sync mode (cf. OTP_RESYNC_REQ) */
87 int prepend_pin; /* prepend (vs. append) PIN? */
88 int ewindow_size; /* sync mode event window size (right side value); cf. OTP_MAX_EWINDOW_SIZE */
89 int ewindow2_size; /* softfail override event window size */
90 int ewindow2_delay; /* softfail override max time delay */
91 #if defined(FREERADIUS)
92 /* freeradius-specific items */
93 int chal_delay; /* max delay time for response, in seconds */
94 const char *name; /* instance name for otp_token_authorize() */
95 int mschapv2_mppe_policy; /* whether or not to do mppe for mschapv2 */
96 int mschapv2_mppe_types; /* key type/length for mschapv2/mppe */
97 int mschap_mppe_policy; /* whether or not to do mppe for mschap */
98 int mschap_mppe_types; /* key type/length for mschap/mppe */
/* NOTE(review): the #else that introduces the PAM branch is not shown in this excerpt. */
100 /* PAM specific items */
101 int debug; /* print debug info? */
102 char *fast_prompt; /* fast mode prompt */
/* NOTE(review): the #endif closing the FREERADIUS/PAM split is not shown in this excerpt. */
105 int twindow_min; /* sync mode time window left side; cf. OTP_MAX_TWINDOW_SIZE */
106 int twindow_max; /* sync mode time window right side; cf. OTP_MAX_TWINDOW_SIZE */
110 /* user-specific info */
111 #define OTP_MAX_CARDNAME_LEN 32
112 #define OTP_MAX_KEY_LEN 256 /* raw key bytes; keystring holds 2 chars per byte */
113 #define OTP_MAX_PIN_LEN 256
/*
 * Everything looked up for one user (presumably filled in by
 * otp_get_user_info(), declared below). keystring, keyblock and pin are
 * secret material: wipe them with explicit_bzero() or an equivalent the
 * compiler cannot elide before the object is discarded or reused.
 */
115 typedef struct otp_user_info_t {
116 const char *username; /* presumably not owned here — lifetime is the caller's */
117 struct cardops_t *cardops; /* card-type operations; struct defined elsewhere */
119 char card[OTP_MAX_CARDNAME_LEN + 1]; /* card type name, room for NUL */
120 uint32_t featuremask; /* card feature bits (values not defined in this header) */
122 char keystring[OTP_MAX_KEY_LEN * 2 + 1]; /* key as text (presumably hex), 2 chars/byte + NUL — SECRET */
123 unsigned char keyblock[OTP_MAX_KEY_LEN]; /* raw key bytes — SECRET */
124 char pin[OTP_MAX_PIN_LEN + 1]; /* user PIN, room for NUL — SECRET */
130 /* state manager fd pool */
/*
 * One pooled connection to the state manager, kept in a singly linked list.
 * The descriptor member itself is not shown in this excerpt; the mutex
 * presumably serializes use of that descriptor by concurrent requests —
 * confirm against the pool code.
 */
131 typedef struct lsmd_fd_t {
132 pthread_mutex_t mutex; /* presumably held while this entry is in use */
134 struct lsmd_fd_t *next; /* next pool entry */
137 /* user-specific state info */
138 #define OTP_MAX_CSD_LEN 64
/*
 * Per-user state fetched from the state manager with otp_state_get() and
 * written back with otp_state_put(). failcount/authtime/authpos feed the
 * softfail/hardfail policy configured in otp_option_t; the exact rules live
 * in the implementation, not here.
 */
139 typedef struct otp_user_state_t {
140 int locked; /* locked aka success flag */
141 lsmd_fd_t *fdp; /* fd for return data */
142 int updated; /* state updated? (1 unless err) */
143 char challenge[OTP_MAX_CHALLENGE_LEN+1]; /* next sync chal, room for NUL */
144 char csd[OTP_MAX_CSD_LEN+1]; /* card specific data, room for NUL */
145 unsigned failcount; /* number of consecutive failures */
146 time_t authtime; /* time of last auth */
147 int authpos; /* window position for softfail */
150 /* fc (failcondition) shortcuts */
151 #define OTP_FC_FAIL_NONE 0 /* no failures */
152 #define OTP_FC_FAIL_HARD 1 /* failed hard */
153 #define OTP_FC_FAIL_SOFT 2 /* failed soft */
156 /* return codes from otp_pw_valid() */
/* The success code is not shown in this excerpt; every value below is a
 * failure. They distinguish "unknown user" from "bad response", which is
 * useful for logging but should be collapsed to one generic message on the
 * client-facing path so that account existence is not disclosed. */
158 #define OTP_RC_USER_UNKNOWN 1
159 #define OTP_RC_AUTHINFO_UNAVAIL 2
160 #define OTP_RC_AUTH_ERR 3
161 #define OTP_RC_MAXTRIES 4
162 #define OTP_RC_SERVICE_ERR 5
163 struct otp_pwe_cmp_t;
/* Password-comparison callback: given the caller's comparison context and a
 * candidate string, presumably reports whether they match. The return
 * convention is defined by the implementation, not here. */
164 typedef int (*cmpfunc_t)(struct otp_pwe_cmp_t *, const char *);
/*
 * Main entry point: validates a user's OTP response and returns one of the
 * OTP_RC_* codes above. The parameters are positional and unnamed in this
 * prototype, so their roles cannot be stated with certainty from here;
 * adding parameter names would make the contract self-describing.
 */
165 extern int otp_pw_valid(const char *, char *, const char *, int,
166 const otp_option_t *, cmpfunc_t, void *, const char *);
/*
 * ANSI X9.9 MAC (DES based, hence <openssl/des.h>). Takes the input buffer
 * and its length, presumably writes an 8-byte MAC into the third argument,
 * and reads the key from a buffer of OTP_MAX_KEY_LEN bytes. The trailing
 * const char * is presumably the same log prefix the other APIs below take —
 * confirm. X9.9 rests on single DES (56-bit key); treat as legacy-token only.
 */
169 extern int otp_x99_mac(const unsigned char *, size_t, unsigned char [8],
170 const unsigned char [OTP_MAX_KEY_LEN], const char *);
/*
 * HOTP MAC: 8-byte counter block in (first arg), 7-byte output buffer
 * (second arg), key buffer of OTP_MAX_KEY_LEN bytes with its used length as
 * the size_t. The parameter list continues past this excerpt.
 */
173 extern int otp_hotp_mac(const unsigned char [8], unsigned char [7],
174 const unsigned char [OTP_MAX_KEY_LEN], size_t,
178 /* Character maps for generic hex and vendor specific decimal modes */
/* Value-to-character tables, presumably used when rendering MAC output as
 * an OTP string (hex for generic tokens, vendor digit alphabets otherwise).
 * Their lengths are not stated here; otp_keyblock2keystring() below takes a
 * const char [17] table, i.e. 16 symbols plus a NUL. */
179 extern const char otp_hex_conversion[];
180 extern const char otp_cc_dec_conversion[];
181 extern const char otp_snk_dec_conversion[];
182 extern const char otp_sc_friendly_conversion[];
/* Fill a buffer with random bytes / a challenge of the requested length
 * (presumably decimal digits, given chal_len's "min 5 digits"). The meaning
 * of the first int is not stated here — confirm; the trailing int is the
 * length. Randomness is presumably read from OTP_DEVURANDOM. Callers must
 * check the return value: a short or failed read would leave an
 * uninitialized or predictable challenge. */
184 extern int otp_get_random(int, unsigned char *, int);
185 extern int otp_get_challenge(int, char *, int);
/* Convert between the text key form (otp_user_info_t.keystring) and raw
 * bytes (keyblock). The output array of otp_keystring2keyblock() is unsized
 * in the prototype; the only bound visible here is OTP_MAX_KEY_LEN, so the
 * implementation must cap the decoded length itself. otp_keyblock2keystring()
 * encodes one des_cblock (8 bytes) with a 16-symbol alphabet plus NUL. */
187 extern int otp_keystring2keyblock(const char *, unsigned char []);
188 extern void otp_keyblock2keystring(char *, const des_cblock, const char [17]);
/* Look up a user in the password file and fill the otp_user_info_t, which
 * then holds key and PIN material; wipe it once it is no longer needed. */
190 extern int otp_get_user_info(const char *, const char *, otp_user_info_t *);
/* Fetch / store per-user state through the state manager at lsmd_rp.
 * The trailing const char * is presumably a log prefix — confirm. */
193 extern int otp_state_get(const otp_option_t *, const char *,
194 otp_user_state_t *, const char *);
195 extern int otp_state_put(const char *, otp_user_state_t *, const char *);
/* Presumably derives the next sync-mode challenge from the current one;
 * the output has room for OTP_MAX_CHALLENGE_LEN characters plus NUL. */
198 extern int otp_challenge_transform(const char *,
199 char [OTP_MAX_CHALLENGE_LEN + 1]);
/* Variadic logger: the const char * is the format string. Always pass a
 * literal format and route user/peer-supplied text through "%s" (CERT
 * FIO30-C); declaring it with __attribute__((format(printf, 2, 3))) would
 * let the compiler enforce that. The int is presumably the log level
 * (values not defined in this header). */
202 extern void otp_log(int, const char *, ...);
204 #if defined(FREERADIUS)