* $Id: otp.h,v 1.28.2.2 2006/01/11 15:50:15 nbk Exp $
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
* Copyright 2001-2005 Google, Inc.
* Copyright 2005 TRI-D Systems, Inc.
#include <openssl/des.h> /* des_cblock */
#include <time.h> /* time_t */
#include <sys/types.h> /* size_t and ssize_t */
* Things you might like to change (although most are configurables)
/* Default passwd file */
#define OTP_PWDFILE "/etc/otppasswd"
/* state manager rendezvous point */
#define OTP_LSMD_RP "/var/run/lsmd/socket"
/* Default prompt for presentation of challenge */
#define OTP_CHALLENGE_PROMPT "Challenge: %s\n Response: "
/* Must be a multiple of sizeof(des_cblock) (8); read src before changing. */
#define OTP_MAX_CHALLENGE_LEN 16
/* Password that means "challenge me" in fast_sync mode */
#define OTP_CHALLENGE_REQ "challenge"
/* Password that means "challenge me and resync" in fast_sync mode */
#define OTP_RESYNC_REQ "resync"
/* Max event window size for sync modes */
#define OTP_MAX_EWINDOW_SIZE 10
/* Max time window size for sync modes. More than 10 may not be usable. */
#define OTP_MAX_TWINDOW_SIZE 10
* PRNG device that does not block;
* /dev/urandom is "merely" cryptographically strong on Linux. :-)
#define OTP_DEVURANDOM "/dev/urandom"
* You shouldn't change anything past this point
/* struct used for instance/option data */
typedef struct otp_option_t {
char *pwdfile; /* file containing user:card_type:key entries */
char *lsmd_rp; /* state manager rendezvous point */
char *chal_prompt; /* text to present challenge to user, must have %s */
int chal_len; /* challenge length, min 5 digits */
int softfail; /* number of auth fails before time delay starts */
int hardfail; /* number of auth fails when user is locked out */
int fast_sync; /* response-before-challenge mode */
int allow_sync; /* useful to override pwdfile card_type settings */
int allow_async; /* C/R mode allowed? */
char *chal_req; /* keyword requesting challenge for fast_sync mode */
char *resync_req; /* keyword requesting resync for fast_sync mode */
int prepend_pin; /* prepend (vs. append) PIN? */
int ewindow_size; /* sync mode event window size (right side value) */
int rwindow_size; /* softfail override event window size */
int rwindow_delay; /* softfail override max time delay */
int debug; /* print debug info? */
#if defined(FREERADIUS)
/* freeradius-specific items */
int chal_delay; /* max delay time for response, in seconds */
const char *name; /* instance name for otp_token_authorize() */
int mschapv2_mppe_policy; /* whether or not to do mppe for mschapv2 */
int mschapv2_mppe_types; /* key type/length for mschapv2/mppe */
int mschap_mppe_policy; /* whether or not to do mppe for mschap */
int mschap_mppe_types; /* key type/length for mschap/mppe */
/* PAM specific items */
char *fast_prompt; /* fast mode prompt */
/* user-specific info */
#define OTP_MAX_CARDNAME_LEN 32
#define OTP_MAX_KEY_LEN 256
#define OTP_MAX_PIN_LEN 256
typedef struct otp_card_info_t {
const char *username;
struct cardops_t *cardops;
char card[OTP_MAX_CARDNAME_LEN + 1];
uint32_t featuremask;
char keystring[OTP_MAX_KEY_LEN * 2 + 1];
unsigned char keyblock[OTP_MAX_KEY_LEN];
char pin[OTP_MAX_PIN_LEN + 1];
/* state manager fd pool */
typedef struct lsmd_fd_t {
pthread_mutex_t mutex;
struct lsmd_fd_t *next;
/* user-specific state info */
#define OTP_MAX_CSD_LEN 64
#define OTP_MAX_RD_LEN 8
typedef struct otp_user_state_t {
int locked; /* locked aka success flag */
lsmd_fd_t *fdp; /* fd for return data */
int nullstate; /* null state? */
int updated; /* state updated? (1 unless err) */
ssize_t clen; /* challenge length */
unsigned char challenge[OTP_MAX_CHALLENGE_LEN]; /* prev sync chal */
char csd[OTP_MAX_CSD_LEN+1]; /* card-specific data */
char rd[OTP_MAX_RD_LEN+1]; /* rwindow data */
uint32_t failcount; /* number of consecutive failures */
uint32_t authtime; /* time of last auth */
uint32_t mincardtime; /* minimum cardtime */
int32_t scratch1; /* card-specific scratch data */
int32_t scratch2; /* card-specific scratch data */
int32_t scratch3; /* card-specific scratch data */
/* fc (failcondition) shortcuts */
#define OTP_FC_FAIL_NONE 0 /* no failures */
#define OTP_FC_FAIL_HARD 1 /* failed hard */
#define OTP_FC_FAIL_SOFT 2 /* failed soft */
/* return codes from otp_pw_valid() */
#define OTP_RC_USER_UNKNOWN 1
#define OTP_RC_AUTHINFO_UNAVAIL 2
#define OTP_RC_AUTH_ERR 3
#define OTP_RC_MAXTRIES 4
#define OTP_RC_SERVICE_ERR 5
struct otp_pwe_cmp_t;
typedef int (*cmpfunc_t)(struct otp_pwe_cmp_t *, const char *, const char *);
extern int otp_pw_valid(const char *, char *, const char *, int,
const otp_option_t *, cmpfunc_t, void *, const char *);
extern int otp_x99_mac(const unsigned char *, size_t, unsigned char [8],
const unsigned char [OTP_MAX_KEY_LEN], const char *);
extern int otp_hotp_mac(const unsigned char [8], unsigned char [7],
const unsigned char [OTP_MAX_KEY_LEN], size_t,
/* Character maps for generic hex and vendor specific decimal modes */
extern const char otp_hex_conversion[];
extern const char otp_cc_dec_conversion[];
extern const char otp_snk_dec_conversion[];
extern const char otp_sc_friendly_conversion[];
extern int otp_get_random(int, unsigned char *, int, const char *);
extern int otp_async_challenge(int, char *, int, const char *);
extern ssize_t otp_keystring2keyblock(const char *, unsigned char []);
extern char *otp_keyblock2keystring(char *, const unsigned char [], size_t,
extern int otp_get_card_info(const char *, const char *, otp_card_info_t *,
extern int otp_state_get(const otp_option_t *, const char *,
otp_user_state_t *, const char *);
extern int otp_state_put(const char *, otp_user_state_t *, const char *);
extern ssize_t otp_challenge_transform(const char *,
unsigned char [OTP_MAX_CHALLENGE_LEN],
extern void otp_log(int, const char *, ...);
#if defined(FREERADIUS)