Re: [OATH-toolkit-help] HOTP in HTTP Digest

[Simon Josefsson]

Daniel Pocock <address@hidden> writes:

> Hi Simon,
>
> I've added the following to dynalogin:
>
>  
> https://dynalogin.svn.sourceforge.net/svnroot/dynalogin/trunk/libdynalogin/hotpdigest.c
>
> As well as branching phpMyID to provide a complete OpenID provider
> backed by your HOTP code:
>
>  
> https://dynalogin.svn.sourceforge.net/svnroot/dynalogin/trunk/phpMyID-dynalogin/
>
> The hotpdigest.c code is not really that complicated and given that it
> is really an implementation of the HOTP algorithm (re-implementing
> your hotp_validate_otp method to work with digest values), it may be
> more appropriate in your package - what do you think?

Hi Daniel.  This is quite nice, but adding HTTP Digest stuff to OATH
Toolkit feels a bit backwards -- but I have come up with a solution.

What do you think if there were a hotp_validate_otp_callback() interface
that took a callback function to implement the 'strcmp' operation?  Then
you could call hotp_validate_otp_callback and provide a function pointer
to your function that generates a HTTP Digest response and comparing it
with what was received by the web server?

This approach would work with any approach where you are comparing
hashes of OTPs rather than OTPs directly.

Btw, I have implemented TOTP in Git, see how oathtool can now generate
TOTP matching the test vectors.  Will release it soon...

address@hidden:~/src/oath-toolkit/oathtool$ ./oathtool --totp --now "1970-01-01 
UTC 00:00:59" 3132333435363738393031323334353637383930 --digit 8 --verbose
Hex secret: 3132333435363738393031323334353637383930
Digits: 8
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Time now: 1970-01-01 00:00:59 UTC (59)
Counter: 0x1 (1)

94287082
address@hidden:~/src/oath-toolkit/oathtool$ 

/Simon