static SwkbdCallbackResult swkbdCallbackThing(void* user, const char** ppMessage, const char* text, size_t textlen) { char *secret; signed short secretLength; int ret = oath_base32_decode(text, strlen(text), &secret, &secretLength); if(ret != OATH_OK) { printf("Error decoding secret: %s\n", oath_strerror(ret)); sprintf(*ppMessage, "Error decoding: %s", oath_strerror(ret)); return SWKBD_CALLBACK_CONTINUE; }else{ unsigned long otp = generateTOTP(secret, &secretLength); if(otp == 0) { *ppMessage = "OTP generation failed."; printf("\nOTP generation failed.\n"); return SWKBD_CALLBACK_CONTINUE; }else{ sprintf(*ppMessage, "OTP: %06lu", otp); printf("*** OTP: %06lu ***\n\n", otp); return SWKBD_CALLBACK_CONTINUE; } } return SWKBD_CALLBACK_OK; }
int main (void) { signed i; for (i = 3; i >= OATH_LAST_ERROR - 3; i--) { const char *name = oath_strerror_name (i); const char *err = oath_strerror (i); if ((i <= 0 && i >= OATH_LAST_ERROR) && name == NULL) { printf ("No error string for return code %d\n", i); return 1; } if ((i > 0 || i < OATH_LAST_ERROR) && name != NULL) { printf ("Error string for unknown return code %d\n", i); return 1; } printf ("%d: %s: %s\n", i, name, err); } return 0; }
/* Returns 0 if the user is successfully authenticated, and sets the appropriate group name. */ static int plain_auth_pass(void *ctx, const char *pass, unsigned pass_len) { struct plain_ctx_st *pctx = ctx; if (pctx->failed || (pctx->cpass[0] != 0 && strcmp(crypt(pass, pctx->cpass), pctx->cpass) != 0)) { if (pctx->retries++ < MAX_PASSWORD_TRIES-1) { pctx->pass_msg = pass_msg_failed; return ERR_AUTH_CONTINUE; } else { syslog(LOG_AUTH, "plain-auth: error authenticating user '%s'", pctx->username); return ERR_AUTH_FAIL; } } if (pctx->cpass[0] == 0 && otp_file == NULL) { syslog(LOG_AUTH, "plain-auth: user '%s' has empty password and no OTP file configured", pctx->username); return ERR_AUTH_FAIL; } #ifdef HAVE_LIBOATH if (otp_file != NULL) { int ret; time_t last; if (pctx->cpass[0] != 0) { /* we just checked the password */ pctx->cpass[0] = 0; pctx->pass_msg = pass_msg_otp; return ERR_AUTH_CONTINUE; } /* no primary password -> check OTP */ ret = oath_authenticate_usersfile(otp_file, pctx->username, pass, HOTP_WINDOW, NULL, &last); if (ret != OATH_OK) { syslog(LOG_AUTH, "plain-auth: OTP auth failed for '%s': %s", pctx->username, oath_strerror(ret)); return ERR_AUTH_FAIL; } } #endif if (pctx->failed) return ERR_AUTH_FAIL; return 0; }
unsigned long generateTOTP(unsigned char const * secret, size_t const * secretLength) { if(*secretLength < 1) { printf("Secret is zero-length, cannot generate TOTP\n"); return INVALID_DECODED_SECRET; } if(!InitializeClockOffset) { printf("Failed to initializ clock offset, cannot generate TOTP\n"); return INVALID_DECODED_SECRET; } unsigned long timerightnow = currentTimeUTC(); unsigned char otp[REQUESTED_OTP_DIGITS+1]; /* must allocate for trailing NULL */ int ret = oath_totp_generate(secret, (size_t)*secretLength, timerightnow, OATH_TOTP_DEFAULT_TIME_STEP_SIZE, OATH_TOTP_DEFAULT_START_TIME, REQUESTED_OTP_DIGITS, (char*)&otp); if(ret != OATH_OK) { printf("Error generating TOTP: %s\n", oath_strerror(ret)); return INVALID_DECODED_SECRET; } return atol(otp); }
int main() { gfxInitDefault(); consoleInit(GFX_BOTTOM, NULL); printf("%s %s by %s\n", APP_TITLE, APP_VERSION, APP_AUTHOR); printf("Build date: %s %s\n\n", __DATE__, __TIME__); //printf("Current time: %d\n\n", (int)time(NULL)); printf("Calculating time difference from UTC... make sure you are connected to the Internet. "); Result InitClockOffsetResult = InitializeClockOffset(); if (!InitClockOffsetResult) { printf("Error initializing time offset: %08x", InitClockOffsetResult); return 1; } printf("OK\n"); int ret = oath_init(); if(ret != OATH_OK) { printf("Error initializing liboath: %s\n", oath_strerror(ret)); return 1; } char encoded_secret[1024]; FILE *secretFile; signed short secretTxtDecLength; if((secretFile = fopen("secret.txt", "r")) == NULL) { printf("warning: Secret.txt not found in application directory (SD root if installed as CIA)"); /*while(aptMainLoop()) { gspWaitForVBlank(); hidScanInput(); unsigned long kDown = hidKeysDown(); if(kDown & KEY_A) break; gfxFlushBuffers(); gfxSwapBuffers(); } return 1;*/ }else{ printf("Opened secret.txt\n"); fscanf(secretFile, "%[^\n]", encoded_secret); fclose(secretFile); if(strlen(encoded_secret) < 1){ printf("warning: secret.txt exists but is empty.\n"); }else{ printf("Read secret.txt: %s\n", encoded_secret); ret = oath_base32_decode(&encoded_secret, strlen(&encoded_secret), NULL, &secretTxtDecLength); if(ret != OATH_OK) { printf("Error decoding secret.txt: %s\n", oath_strerror(ret)); memset(&encoded_secret[0], 0, sizeof(encoded_secret)); // wipe the copy we have in memory, to avoid prefilling the swkbd with undecodable stuff }else{ printf("Read secret.txt successfully."); } } } char inputSecret[1024]; bool quit = false; bool ask = false; printf("Press A to begin, or start to exit.\n\n"); // Main loop while (aptMainLoop()) { gspWaitForVBlank(); hidScanInput(); unsigned long kDown = hidKeysDown(); if (kDown & KEY_A) ask = true; if(ask && !quit) { static SwkbdState swkbd; static SwkbdStatusData swkbdStatus; SwkbdButton button = SWKBD_BUTTON_NONE; swkbdInit(&swkbd, SWKBD_TYPE_WESTERN, 2, 512); swkbdSetHintText(&swkbd, "Enter your TOTP secret."); swkbdSetButton(&swkbd, SWKBD_BUTTON_LEFT, "Quit", false); swkbdSetButton(&swkbd, SWKBD_BUTTON_MIDDLE, "Load txt", true); swkbdSetButton(&swkbd, SWKBD_BUTTON_RIGHT, "Go", true); swkbdSetInitialText(&swkbd, inputSecret); swkbdSetFeatures(&swkbd, SWKBD_DEFAULT_QWERTY); swkbdSetFilterCallback(&swkbd, swkbdCallbackThing, NULL); swkbdInputText(&swkbd, inputSecret, sizeof(inputSecret)); switch(button) { case SWKBD_BUTTON_LEFT: // quit quit = true; break; case SWKBD_BUTTON_MIDDLE: // read secret.txt strcpy(inputSecret, encoded_secret); break; case SWKBD_BUTTON_RIGHT: // go (this is handled in filter callback) break; default: break; } if(quit) break; // quit to HBL } if (kDown & KEY_START) { break; // break in order to return to hbmenu } // Flush and swap framebuffers gfxFlushBuffers(); gfxSwapBuffers(); } gfxExit(); return 0; }
PAM_EXTERN int pam_sm_authenticate (pam_handle_t * pamh, int flags, int argc, const char **argv) { int retval, rc; const char *user = NULL; const char *password = NULL; char otp[MAX_OTP_LEN + 1]; int password_len = 0; struct pam_conv *conv; struct pam_message *pmsg[1], msg[1]; struct pam_response *resp; int nargs = 1; struct cfg cfg; char *query_prompt = NULL; char *onlypasswd = strdup (""); /* empty passwords never match */ parse_cfg (flags, argc, argv, &cfg); retval = pam_get_user (pamh, &user, NULL); if (retval != PAM_SUCCESS) { DBG (("get user returned error: %s", pam_strerror (pamh, retval))); goto done; } DBG (("get user returned: %s", user)); if (cfg.try_first_pass || cfg.use_first_pass) { retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password); if (retval != PAM_SUCCESS) { DBG (("get password returned error: %s", pam_strerror (pamh, retval))); goto done; } DBG (("get password returned: %s", password)); } if (cfg.use_first_pass && password == NULL) { DBG (("use_first_pass set and no password, giving up")); retval = PAM_AUTH_ERR; goto done; } rc = oath_init (); if (rc != OATH_OK) { DBG (("oath_init() failed (%d)", rc)); retval = PAM_AUTHINFO_UNAVAIL; goto done; } if (password == NULL) { retval = pam_get_item (pamh, PAM_CONV, (const void **) &conv); if (retval != PAM_SUCCESS) { DBG (("get conv returned error: %s", pam_strerror (pamh, retval))); goto done; } pmsg[0] = &msg[0]; { const char *query_template = "One-time password (OATH) for `%s': "; size_t len = strlen (query_template) + strlen (user); size_t wrote; query_prompt = malloc (len); if (!query_prompt) { retval = PAM_BUF_ERR; goto done; } wrote = snprintf (query_prompt, len, query_template, user); if (wrote < 0 || wrote >= len) { retval = PAM_BUF_ERR; goto done; } msg[0].msg = query_prompt; } msg[0].msg_style = PAM_PROMPT_ECHO_OFF; resp = NULL; retval = conv->conv (nargs, (const struct pam_message **) pmsg, &resp, conv->appdata_ptr); free (query_prompt); query_prompt = NULL; if (retval != PAM_SUCCESS) { DBG (("conv returned error: %s", pam_strerror (pamh, retval))); goto done; } DBG (("conv returned: %s", resp->resp)); password = resp->resp; } if (password) password_len = strlen (password); else { DBG (("Could not read password")); retval = PAM_AUTH_ERR; goto done; } if (password_len < MIN_OTP_LEN) { DBG (("OTP too short: %s", password)); retval = PAM_AUTH_ERR; goto done; } else if (cfg.digits != 0 && password_len < cfg.digits) { DBG (("OTP shorter than digits=%d: %s", cfg.digits, password)); retval = PAM_AUTH_ERR; goto done; } else if (cfg.digits == 0 && password_len > MAX_OTP_LEN) { DBG (("OTP too long (and no digits=): %s", password)); retval = PAM_AUTH_ERR; goto done; } else if (cfg.digits != 0 && password_len > cfg.digits) { free (onlypasswd); onlypasswd = strdup (password); /* user entered their system password followed by generated OTP? */ onlypasswd[password_len - cfg.digits] = '\0'; DBG (("Password: %s ", onlypasswd)); memcpy (otp, password + password_len - cfg.digits, cfg.digits); otp[cfg.digits] = '\0'; retval = pam_set_item (pamh, PAM_AUTHTOK, onlypasswd); if (retval != PAM_SUCCESS) { DBG (("set_item returned error: %s", pam_strerror (pamh, retval))); goto done; } } else { strcpy (otp, password); password = NULL; } DBG (("OTP: %s", otp ? otp : "(null)")); { time_t last_otp; rc = oath_authenticate_usersfile (cfg.usersfile, user, otp, cfg.window, onlypasswd, &last_otp); DBG (("authenticate rc %d (%s: %s) last otp %s", rc, oath_strerror_name (rc) ? oath_strerror_name (rc) : "UNKNOWN", oath_strerror (rc), ctime (&last_otp))); } if (rc != OATH_OK) { DBG (("One-time password not authorized to login as user '%s'", user)); retval = PAM_AUTH_ERR; goto done; } retval = PAM_SUCCESS; done: oath_done (); free (query_prompt); free (onlypasswd); if (cfg.alwaysok && retval != PAM_SUCCESS) { DBG (("alwaysok needed (otherwise return with %d)", retval)); retval = PAM_SUCCESS; } DBG (("done. [%s]", pam_strerror (pamh, retval))); return retval; }
int main (int argc, char *argv[]) { struct gengetopt_args_info args_info; char *secret; size_t secretlen = 0; int rc; size_t window; uint64_t moving_factor; unsigned digits; char otp[10]; time_t now, when, t0, time_step_size; int totpflags = 0; set_program_name (argv[0]); if (cmdline_parser (argc, argv, &args_info) != 0) return EXIT_FAILURE; if (args_info.version_given) { char *p; int l = -1; if (strcmp (oath_check_version (NULL), OATH_VERSION) != 0) l = asprintf (&p, "OATH Toolkit liboath.so %s oath.h %s", oath_check_version (NULL), OATH_VERSION); else if (strcmp (OATH_VERSION, PACKAGE_VERSION) != 0) l = asprintf (&p, "OATH Toolkit %s", oath_check_version (NULL), OATH_VERSION); version_etc (stdout, "oathtool", l == -1 ? "OATH Toolkit" : p, PACKAGE_VERSION, "Simon Josefsson", (char *) NULL); if (l != -1) free (p); return EXIT_SUCCESS; } if (args_info.help_given) usage (EXIT_SUCCESS); if (args_info.inputs_num == 0) { cmdline_parser_print_help (); emit_bug_reporting_address (); return EXIT_SUCCESS; } rc = oath_init (); if (rc != OATH_OK) error (EXIT_FAILURE, 0, "liboath initialization failed: %s", oath_strerror (rc)); if (args_info.base32_flag) { rc = oath_base32_decode (args_info.inputs[0], strlen (args_info.inputs[0]), &secret, &secretlen); if (rc != OATH_OK) error (EXIT_FAILURE, 0, "base32 decoding failed: %s", oath_strerror (rc)); } else { secretlen = 1 + strlen (args_info.inputs[0]) / 2; secret = malloc (secretlen); if (!secret) error (EXIT_FAILURE, errno, "malloc"); rc = oath_hex2bin (args_info.inputs[0], secret, &secretlen); if (rc != OATH_OK) error (EXIT_FAILURE, 0, "hex decoding of secret key failed"); } if (args_info.counter_orig) moving_factor = args_info.counter_arg; else moving_factor = 0; if (args_info.digits_orig) digits = args_info.digits_arg; else digits = 6; if (args_info.window_orig) window = args_info.window_arg; else window = 0; if (digits != 6 && digits != 7 && digits != 8) error (EXIT_FAILURE, 0, "only digits 6, 7 and 8 are supported"); if (validate_otp_p (args_info.inputs_num) && !args_info.digits_orig) digits = strlen (args_info.inputs[1]); else if (validate_otp_p (args_info.inputs_num) && args_info.digits_orig && args_info.digits_arg != strlen (args_info.inputs[1])) error (EXIT_FAILURE, 0, "given one-time password has bad length %d != %ld", args_info.digits_arg, strlen (args_info.inputs[1])); if (args_info.inputs_num > 2) error (EXIT_FAILURE, 0, "too many parameters"); if (args_info.verbose_flag) { char *tmp; tmp = malloc (2 * secretlen + 1); if (!tmp) error (EXIT_FAILURE, errno, "malloc"); oath_bin2hex (secret, secretlen, tmp); printf ("Hex secret: %s\n", tmp); free (tmp); rc = oath_base32_encode (secret, secretlen, &tmp, NULL); if (rc != OATH_OK) error (EXIT_FAILURE, 0, "base32 encoding failed: %s", oath_strerror (rc)); printf ("Base32 secret: %s\n", tmp); free (tmp); if (args_info.inputs_num == 2) printf ("OTP: %s\n", args_info.inputs[1]); printf ("Digits: %d\n", digits); printf ("Window size: %ld\n", window); } if (args_info.totp_given) { now = time (NULL); when = parse_time (args_info.now_arg, now); t0 = parse_time (args_info.start_time_arg, now); time_step_size = parse_duration (args_info.time_step_size_arg); if (when == BAD_TIME) error (EXIT_FAILURE, 0, "cannot parse time `%s'", args_info.now_arg); if (t0 == BAD_TIME) error (EXIT_FAILURE, 0, "cannot parse time `%s'", args_info.start_time_arg); if (time_step_size == BAD_TIME) error (EXIT_FAILURE, 0, "cannot parse time `%s'", args_info.time_step_size_arg); if (strcmp (args_info.totp_arg, "sha256") == 0) totpflags = OATH_TOTP_HMAC_SHA256; else if (strcmp (args_info.totp_arg, "sha512") == 0) totpflags = OATH_TOTP_HMAC_SHA512; if (args_info.verbose_flag) verbose_totp (t0, time_step_size, when); } else { if (args_info.verbose_flag) verbose_hotp (moving_factor); } if (generate_otp_p (args_info.inputs_num) && !args_info.totp_given) { size_t iter = 0; do { rc = oath_hotp_generate (secret, secretlen, moving_factor + iter, digits, false, OATH_HOTP_DYNAMIC_TRUNCATION, otp); if (rc != OATH_OK) error (EXIT_FAILURE, 0, "generating one-time password failed (%d)", rc); printf ("%s\n", otp); } while (window - iter++ > 0); } else if (generate_otp_p (args_info.inputs_num) && args_info.totp_given) { size_t iter = 0; do { rc = oath_totp_generate2 (secret, secretlen, when + iter * time_step_size, time_step_size, t0, digits, totpflags, otp); if (rc != OATH_OK) error (EXIT_FAILURE, 0, "generating one-time password failed (%d)", rc); printf ("%s\n", otp); } while (window - iter++ > 0); } else if (validate_otp_p (args_info.inputs_num) && !args_info.totp_given) { rc = oath_hotp_validate (secret, secretlen, moving_factor, window, args_info.inputs[1]); if (rc == OATH_INVALID_OTP) error (EXIT_OTP_INVALID, 0, "password \"%s\" not found in range %ld .. %ld", args_info.inputs[1], (long) moving_factor, (long) moving_factor + window); else if (rc < 0) error (EXIT_FAILURE, 0, "validating one-time password failed (%d)", rc); printf ("%d\n", rc); } else if (validate_otp_p (args_info.inputs_num) && args_info.totp_given) { rc = oath_totp_validate4 (secret, secretlen, when, time_step_size, t0, window, NULL, NULL, totpflags, args_info.inputs[1]); if (rc == OATH_INVALID_OTP) error (EXIT_OTP_INVALID, 0, "password \"%s\" not found in range %ld .. %ld", args_info.inputs[1], (long) ((when - t0) / time_step_size - window / 2), (long) ((when - t0) / time_step_size + window / 2)); else if (rc < 0) error (EXIT_FAILURE, 0, "validating one-time password failed (%d)", rc); printf ("%d\n", rc); } free (secret); oath_done (); return EXIT_SUCCESS; }