oath-toolkit-help

Re: [OATH-Toolkit-help] Patch to include totp validation to the pam modu


From: Max Thoursie
Subject: Re: [OATH-Toolkit-help] Patch to include totp validation to the pam module
Date: Wed, 6 Apr 2011 11:30:48 +0200

On Tue, Apr 5, 2011 at 4:31 PM, Rien Broekstra <address@hidden> wrote:
> I just bought a number of feitian C200 OTP tokens, found this project, and
> saw that totp support was present but not yet in the pam module. Therefore I
> took the liberty of making a patch which enables PAM authentication with
> totp tokens. It should apply cleanly to oath-toolkit-1.6.2.

Great to see some work in this area! I wrote a similar patch a few
weeks ago, but I never got around to updating the documentation or
test cases, nor to sending it to the list. I'll include my
version for comparison.

One comment I got from Simon was that it should include an option to
disable reuse of a token in the same time window.

> Users who wish to authenticate via totp should use 'TOTP' as the first
> column in the usersfile. The field which normally contains the moving factor
> for hotp contains the time step size for totp. The window size is hardcoded
> to 0. I.e:
>
> TOTP    name    -       <seed>  60      207470  2011-04-05T16:04:02L

Using the moving factor for time step size was a good move; I
should have thought of that. But why hardcode the window size when it
can be configured for HOTP?

Here's my patch:

diff --git a/liboath/usersfile.c b/liboath/usersfile.c
index 8d9ce9a..b509b28 100644
--- a/liboath/usersfile.c
+++ b/liboath/usersfile.c
@@ -31,19 +31,29 @@
 #include <errno.h>             /* For errno. */
 #include <sys/stat.h>          /* For S_IRUSR, S_IWUSR. */

+typedef enum
+{
+  OATH_DIGITS_MASK = 0xff,
+  OATH_TYPE_HOTP = 1 << 8,
+  OATH_TYPE_TOTP = 2 << 8,
+  OATH_TYPE_MASK = 0xff00
+} oath_type;
+
 static unsigned
 parse_type (const char *str)
 {
  if (strcmp (str, "HOTP/E/6") == 0)
-    return 6;
+    return OATH_TYPE_HOTP | 6;
  if (strcmp (str, "HOTP/E/7") == 0)
-    return 7;
+    return OATH_TYPE_HOTP | 7;
  if (strcmp (str, "HOTP/E/8") == 0)
-    return 8;
+    return OATH_TYPE_HOTP | 8;
  if (strcmp (str, "HOTP/E") == 0)
-    return 6;
+    return OATH_TYPE_HOTP | 6;
  if (strcmp (str, "HOTP") == 0)
-    return 6;
+    return OATH_TYPE_HOTP | 6;
+  if (strcmp (str, "TOTP") == 0)
+    return OATH_TYPE_TOTP | 6;
  return 0;
 }
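Review bot: the new `TOTP` entry in parse_type only ever yields 6 digits, whereas HOTP accepts `HOTP/E/6`, `HOTP/E/7` and `HOTP/E/8`; without `TOTP/E/7` and `TOTP/E/8` lines an 8-digit time-based token cannot be described in the usersfile. Suggest adding the same variants returning `OATH_TYPE_TOTP | 7` and `OATH_TYPE_TOTP | 8`. A short comment on parse_type saying that the return value packs the digit count in the low byte and the token type in the high byte would also help the callers that now have to mask it.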

@@ -69,12 +79,15 @@ parse_usersfile (const char *username,
      uint64_t start_moving_factor = 0;
      int rc;
      char *prev_otp = NULL;
+      int type = 0;

      if (p == NULL)
       continue;

      /* Read token type */
-      digits = parse_type (p);
+      rc = parse_type (p);
+      type = rc & OATH_TYPE_MASK;
+      digits = rc & OATH_DIGITS_MASK;
      if (digits == 0)
       continue;
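Review bot: `rc` is an `int` but receives parse_type's `unsigned` packed value, and the same variable later carries the signed return code of the validate call; a separate local such as `unsigned packed = parse_type (p);` keeps the two meanings apart. `type` is likewise declared `int` rather than `oath_type`. The `if (digits == 0) continue;` check still covers the unknown-type case because parse_type returns 0 there, but that is now an indirect consequence of the masking and deserves a comment.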
 @@ -142,8 +155,16 @@ parse_usersfile (const char *username,
      if (prev_otp && strcmp (prev_otp, otp) == 0)
       return OATH_REPLAYED_OTP;

-      rc = oath_hotp_validate (secret, secret_length,
-                              start_moving_factor, window, otp);
+      if (type == OATH_TYPE_HOTP) {
+        rc = oath_hotp_validate (secret, secret_length,
+                                 start_moving_factor, window, otp);
+      } else if (type == OATH_TYPE_TOTP) {
+        rc = oath_totp_validate (secret, secret_length,
+                                 time(NULL), 30, 0,
+                                 window, otp);
+      } else {
+        continue;
+      }
      if (rc < 0)
       return rc;
      *new_moving_factor = start_moving_factor + rc;
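Review bot: the TOTP branch hard-codes a 30-second time step and a start offset of 0 in the `oath_totp_validate` call and never consults `start_moving_factor`, so the per-user time step that Rien's patch reads from the moving-factor column is not available here; `time(NULL)` also needs `<time.h>`, which this diff does not add to the includes. More importantly, `*new_moving_factor = start_moving_factor + rc;` runs for both token types: for TOTP, `rc` is the matched window offset, so the stored counter is advanced by a meaningless amount on every login, and the only replay protection left is the `prev_otp` string comparison, which does not address the same-time-window reuse Simon asked about. Suggest updating the moving factor only in the HOTP branch and recording the accepted time-step counter for TOTP so a second use of the same window can be refused.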
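As an added example, not part of either patch or of oath-toolkit: the usersfile line from the thread parsed with Rien's convention (the moving-factor column is the TOTP time step), a parse_type that gives TOTP the same `/E/n` digit suffixes HOTP already has, and the per-time-window reuse check Simon asked for. The struct layout, the `last_counter` bookkeeping and the field widths are assumptions, not liboath's own format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Same packed encoding as the patch: low byte = digit count, high byte = token type. */
enum { DIGITS_MASK = 0xff, TYPE_HOTP = 1 << 8, TYPE_TOTP = 2 << 8, TYPE_MASK = 0xff00 };

/* Like the patch's parse_type, but TOTP gets the same /E, /E/6, /E/7, /E/8 forms as HOTP. */
unsigned parse_type (const char *s)
{
  for (int i = 0; i < 2; i++) {
    const char *alg = i == 0 ? "HOTP" : "TOTP";
    unsigned type = i == 0 ? TYPE_HOTP : TYPE_TOTP;
    if (strncmp (s, alg, 4) != 0) continue;
    if (s[4] == '\0' || strcmp (s + 4, "/E") == 0) return type | 6;   /* default: 6 digits */
    if (strncmp (s + 4, "/E/", 3) == 0 && s[7] >= '6' && s[7] <= '8' && s[8] == '\0')
      return type | (unsigned) (s[7] - '0');
  }
  return 0;                                  /* unknown type: the caller skips the line */
}

/* One usersfile line in the layout from the thread; for TOTP the moving-factor column is
 * read as the time step in seconds (Rien's convention). Trailing fields are ignored. */
struct token_line { unsigned type, digits; char user[32], seed[65]; uint64_t moving; };

/* Returns 1 and fills *t, or 0 if the line is malformed or its type is unknown. */
int parse_line (const char *line, struct token_line *t)
{
  char typ[16], pin[32]; unsigned long long moving;
  if (sscanf (line, "%15s %31s %31s %64s %llu", typ, t->user, pin, t->seed, &moving) != 5)
    return 0;
  unsigned packed = parse_type (typ);
  t->type = packed & TYPE_MASK; t->digits = packed & DIGITS_MASK; t->moving = moving;
  return t->digits != 0;
}

/* TOTP time-step counter floor((now - T0) / step) with T0 = 0, as in RFC 6238. */
uint64_t totp_counter (time_t now, uint64_t step) { return step ? (uint64_t) now / step : 0; }

/* The per-window rule Simon asked for: a counter value is accepted once and recorded, so a
 * code replayed inside the same time step is refused. Persisting 'last_counter' is assumed. */
int accept_window (uint64_t *last_counter, uint64_t counter)
{
  if (counter <= *last_counter) return 0;
  *last_counter = counter;
  return 1;
}
```

Driven from a main() that feeds parse_line the constructed line `TOTP name - <seed> 60 207470 2011-04-05T16:04:02L` and calls accept_window twice with the same totp_counter value, the second call returns 0 even though the OTP digits would be identical.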


