static SwkbdCallbackResult swkbdCallbackThing(void* user, const char** ppMessage, const char* text, size_t textlen)
{
char *secret;
signed short secretLength;
int ret = oath_base32_decode(text, strlen(text), &secret, &secretLength);
if(ret != OATH_OK) {
printf("Error decoding secret: %s\n", oath_strerror(ret));
sprintf(*ppMessage, "Error decoding: %s", oath_strerror(ret));
return SWKBD_CALLBACK_CONTINUE;
}else{
unsigned long otp = generateTOTP(secret, &secretLength);
if(otp == 0) {
*ppMessage = "OTP generation failed.";
printf("\nOTP generation failed.\n");
return SWKBD_CALLBACK_CONTINUE;
}else{
sprintf(*ppMessage, "OTP: %06lu", otp);
printf("*** OTP: %06lu ***\n\n", otp);
return SWKBD_CALLBACK_CONTINUE;
}
}
return SWKBD_CALLBACK_OK;
}
int
main (void)
{
signed i;
for (i = 3; i >= OATH_LAST_ERROR - 3; i--)
{
const char *name = oath_strerror_name (i);
const char *err = oath_strerror (i);
if ((i <= 0 && i >= OATH_LAST_ERROR) && name == NULL)
{
printf ("No error string for return code %d\n", i);
return 1;
}
if ((i > 0 || i < OATH_LAST_ERROR) && name != NULL)
{
printf ("Error string for unknown return code %d\n", i);
return 1;
}
printf ("%d: %s: %s\n", i, name, err);
}
return 0;
}
/* Returns 0 if the user is successfully authenticated, and sets the appropriate group name.
*/
static int plain_auth_pass(void *ctx, const char *pass, unsigned pass_len)
{
struct plain_ctx_st *pctx = ctx;
if (pctx->failed || (pctx->cpass[0] != 0
&& strcmp(crypt(pass, pctx->cpass), pctx->cpass) != 0)) {
if (pctx->retries++ < MAX_PASSWORD_TRIES-1) {
pctx->pass_msg = pass_msg_failed;
return ERR_AUTH_CONTINUE;
} else {
syslog(LOG_AUTH,
"plain-auth: error authenticating user '%s'",
pctx->username);
return ERR_AUTH_FAIL;
}
}
if (pctx->cpass[0] == 0 && otp_file == NULL) {
syslog(LOG_AUTH,
"plain-auth: user '%s' has empty password and no OTP file configured",
pctx->username);
return ERR_AUTH_FAIL;
}
#ifdef HAVE_LIBOATH
if (otp_file != NULL) {
int ret;
time_t last;
if (pctx->cpass[0] != 0) { /* we just checked the password */
pctx->cpass[0] = 0;
pctx->pass_msg = pass_msg_otp;
return ERR_AUTH_CONTINUE;
}
/* no primary password -> check OTP */
ret = oath_authenticate_usersfile(otp_file, pctx->username,
pass, HOTP_WINDOW, NULL, &last);
if (ret != OATH_OK) {
syslog(LOG_AUTH,
"plain-auth: OTP auth failed for '%s': %s",
pctx->username, oath_strerror(ret));
return ERR_AUTH_FAIL;
}
}
#endif
if (pctx->failed)
return ERR_AUTH_FAIL;
return 0;
}
unsigned long generateTOTP(unsigned char const * secret, size_t const * secretLength) {
if(*secretLength < 1) {
printf("Secret is zero-length, cannot generate TOTP\n");
return INVALID_DECODED_SECRET;
}
if(!InitializeClockOffset) {
printf("Failed to initializ clock offset, cannot generate TOTP\n");
return INVALID_DECODED_SECRET;
}
unsigned long timerightnow = currentTimeUTC();
unsigned char otp[REQUESTED_OTP_DIGITS+1]; /* must allocate for trailing NULL */
int ret = oath_totp_generate(secret, (size_t)*secretLength, timerightnow, OATH_TOTP_DEFAULT_TIME_STEP_SIZE, OATH_TOTP_DEFAULT_START_TIME, REQUESTED_OTP_DIGITS, (char*)&otp);
if(ret != OATH_OK) {
printf("Error generating TOTP: %s\n", oath_strerror(ret));
return INVALID_DECODED_SECRET;
}
return atol(otp);
}
int main() {
gfxInitDefault();
consoleInit(GFX_BOTTOM, NULL);
printf("%s %s by %s\n", APP_TITLE, APP_VERSION, APP_AUTHOR);
printf("Build date: %s %s\n\n", __DATE__, __TIME__);
//printf("Current time: %d\n\n", (int)time(NULL));
printf("Calculating time difference from UTC... make sure you are connected to the Internet. ");
Result InitClockOffsetResult = InitializeClockOffset();
if (!InitClockOffsetResult) {
printf("Error initializing time offset: %08x", InitClockOffsetResult);
return 1;
}
printf("OK\n");
int ret = oath_init();
if(ret != OATH_OK) {
printf("Error initializing liboath: %s\n", oath_strerror(ret));
return 1;
}
char encoded_secret[1024];
FILE *secretFile;
signed short secretTxtDecLength;
if((secretFile = fopen("secret.txt", "r")) == NULL) {
printf("warning: Secret.txt not found in application directory (SD root if installed as CIA)");
/*while(aptMainLoop()) {
gspWaitForVBlank();
hidScanInput();
unsigned long kDown = hidKeysDown();
if(kDown & KEY_A) break;
gfxFlushBuffers();
gfxSwapBuffers();
}
return 1;*/
}else{
printf("Opened secret.txt\n");
fscanf(secretFile, "%[^\n]", encoded_secret);
fclose(secretFile);
if(strlen(encoded_secret) < 1){
printf("warning: secret.txt exists but is empty.\n");
}else{
printf("Read secret.txt: %s\n", encoded_secret);
ret = oath_base32_decode(&encoded_secret, strlen(&encoded_secret), NULL, &secretTxtDecLength);
if(ret != OATH_OK) {
printf("Error decoding secret.txt: %s\n", oath_strerror(ret));
memset(&encoded_secret[0], 0, sizeof(encoded_secret)); // wipe the copy we have in memory, to avoid prefilling the swkbd with undecodable stuff
}else{
printf("Read secret.txt successfully.");
}
}
}
char inputSecret[1024];
bool quit = false;
bool ask = false;
printf("Press A to begin, or start to exit.\n\n");
// Main loop
while (aptMainLoop())
{
gspWaitForVBlank();
hidScanInput();
unsigned long kDown = hidKeysDown();
if (kDown & KEY_A) ask = true;
if(ask && !quit) {
static SwkbdState swkbd;
static SwkbdStatusData swkbdStatus;
SwkbdButton button = SWKBD_BUTTON_NONE;
swkbdInit(&swkbd, SWKBD_TYPE_WESTERN, 2, 512);
swkbdSetHintText(&swkbd, "Enter your TOTP secret.");
swkbdSetButton(&swkbd, SWKBD_BUTTON_LEFT, "Quit", false);
swkbdSetButton(&swkbd, SWKBD_BUTTON_MIDDLE, "Load txt", true);
swkbdSetButton(&swkbd, SWKBD_BUTTON_RIGHT, "Go", true);
swkbdSetInitialText(&swkbd, inputSecret);
swkbdSetFeatures(&swkbd, SWKBD_DEFAULT_QWERTY);
swkbdSetFilterCallback(&swkbd, swkbdCallbackThing, NULL);
swkbdInputText(&swkbd, inputSecret, sizeof(inputSecret));
switch(button) {
case SWKBD_BUTTON_LEFT: // quit
quit = true;
break;
case SWKBD_BUTTON_MIDDLE: // read secret.txt
strcpy(inputSecret, encoded_secret);
break;
case SWKBD_BUTTON_RIGHT: // go (this is handled in filter callback)
break;
default:
break;
}
if(quit) break; // quit to HBL
}
if (kDown & KEY_START) {
break; // break in order to return to hbmenu
}
// Flush and swap framebuffers
gfxFlushBuffers();
gfxSwapBuffers();
}
gfxExit();
return 0;
}
PAM_EXTERN int
pam_sm_authenticate (pam_handle_t * pamh,
int flags, int argc, const char **argv)
{
int retval, rc;
const char *user = NULL;
const char *password = NULL;
char otp[MAX_OTP_LEN + 1];
int password_len = 0;
struct pam_conv *conv;
struct pam_message *pmsg[1], msg[1];
struct pam_response *resp;
int nargs = 1;
struct cfg cfg;
char *query_prompt = NULL;
char *onlypasswd = strdup (""); /* empty passwords never match */
parse_cfg (flags, argc, argv, &cfg);
retval = pam_get_user (pamh, &user, NULL);
if (retval != PAM_SUCCESS)
{
DBG (("get user returned error: %s", pam_strerror (pamh, retval)));
goto done;
}
DBG (("get user returned: %s", user));
if (cfg.try_first_pass || cfg.use_first_pass)
{
retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password);
if (retval != PAM_SUCCESS)
{
DBG (("get password returned error: %s",
pam_strerror (pamh, retval)));
goto done;
}
DBG (("get password returned: %s", password));
}
if (cfg.use_first_pass && password == NULL)
{
DBG (("use_first_pass set and no password, giving up"));
retval = PAM_AUTH_ERR;
goto done;
}
rc = oath_init ();
if (rc != OATH_OK)
{
DBG (("oath_init() failed (%d)", rc));
retval = PAM_AUTHINFO_UNAVAIL;
goto done;
}
if (password == NULL)
{
retval = pam_get_item (pamh, PAM_CONV, (const void **) &conv);
if (retval != PAM_SUCCESS)
{
DBG (("get conv returned error: %s", pam_strerror (pamh, retval)));
goto done;
}
pmsg[0] = &msg[0];
{
const char *query_template = "One-time password (OATH) for `%s': ";
size_t len = strlen (query_template) + strlen (user);
size_t wrote;
query_prompt = malloc (len);
if (!query_prompt)
{
retval = PAM_BUF_ERR;
goto done;
}
wrote = snprintf (query_prompt, len, query_template, user);
if (wrote < 0 || wrote >= len)
{
retval = PAM_BUF_ERR;
goto done;
}
msg[0].msg = query_prompt;
}
msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
resp = NULL;
retval = conv->conv (nargs, (const struct pam_message **) pmsg,
&resp, conv->appdata_ptr);
free (query_prompt);
query_prompt = NULL;
if (retval != PAM_SUCCESS)
{
DBG (("conv returned error: %s", pam_strerror (pamh, retval)));
goto done;
}
DBG (("conv returned: %s", resp->resp));
password = resp->resp;
}
if (password)
password_len = strlen (password);
else
{
DBG (("Could not read password"));
retval = PAM_AUTH_ERR;
goto done;
}
if (password_len < MIN_OTP_LEN)
{
DBG (("OTP too short: %s", password));
retval = PAM_AUTH_ERR;
goto done;
}
else if (cfg.digits != 0 && password_len < cfg.digits)
{
DBG (("OTP shorter than digits=%d: %s", cfg.digits, password));
retval = PAM_AUTH_ERR;
goto done;
}
else if (cfg.digits == 0 && password_len > MAX_OTP_LEN)
{
DBG (("OTP too long (and no digits=): %s", password));
retval = PAM_AUTH_ERR;
goto done;
}
else if (cfg.digits != 0 && password_len > cfg.digits)
{
free (onlypasswd);
onlypasswd = strdup (password);
/* user entered their system password followed by generated OTP? */
onlypasswd[password_len - cfg.digits] = '\0';
DBG (("Password: %s ", onlypasswd));
memcpy (otp, password + password_len - cfg.digits, cfg.digits);
otp[cfg.digits] = '\0';
retval = pam_set_item (pamh, PAM_AUTHTOK, onlypasswd);
if (retval != PAM_SUCCESS)
{
DBG (("set_item returned error: %s", pam_strerror (pamh, retval)));
goto done;
}
}
else
{
strcpy (otp, password);
password = NULL;
}
DBG (("OTP: %s", otp ? otp : "(null)"));
{
time_t last_otp;
rc = oath_authenticate_usersfile (cfg.usersfile,
user,
otp, cfg.window, onlypasswd, &last_otp);
DBG (("authenticate rc %d (%s: %s) last otp %s", rc,
oath_strerror_name (rc) ? oath_strerror_name (rc) : "UNKNOWN",
oath_strerror (rc), ctime (&last_otp)));
}
if (rc != OATH_OK)
{
DBG (("One-time password not authorized to login as user '%s'", user));
retval = PAM_AUTH_ERR;
goto done;
}
retval = PAM_SUCCESS;
done:
oath_done ();
free (query_prompt);
free (onlypasswd);
if (cfg.alwaysok && retval != PAM_SUCCESS)
{
DBG (("alwaysok needed (otherwise return with %d)", retval));
retval = PAM_SUCCESS;
}
DBG (("done. [%s]", pam_strerror (pamh, retval)));
return retval;
}
int
main (int argc, char *argv[])
{
struct gengetopt_args_info args_info;
char *secret;
size_t secretlen = 0;
int rc;
size_t window;
uint64_t moving_factor;
unsigned digits;
char otp[10];
time_t now, when, t0, time_step_size;
int totpflags = 0;
set_program_name (argv[0]);
if (cmdline_parser (argc, argv, &args_info) != 0)
return EXIT_FAILURE;
if (args_info.version_given)
{
char *p;
int l = -1;
if (strcmp (oath_check_version (NULL), OATH_VERSION) != 0)
l = asprintf (&p, "OATH Toolkit liboath.so %s oath.h %s",
oath_check_version (NULL), OATH_VERSION);
else if (strcmp (OATH_VERSION, PACKAGE_VERSION) != 0)
l = asprintf (&p, "OATH Toolkit %s",
oath_check_version (NULL), OATH_VERSION);
version_etc (stdout, "oathtool", l == -1 ? "OATH Toolkit" : p,
PACKAGE_VERSION, "Simon Josefsson", (char *) NULL);
if (l != -1)
free (p);
return EXIT_SUCCESS;
}
if (args_info.help_given)
usage (EXIT_SUCCESS);
if (args_info.inputs_num == 0)
{
cmdline_parser_print_help ();
emit_bug_reporting_address ();
return EXIT_SUCCESS;
}
rc = oath_init ();
if (rc != OATH_OK)
error (EXIT_FAILURE, 0, "liboath initialization failed: %s",
oath_strerror (rc));
if (args_info.base32_flag)
{
rc = oath_base32_decode (args_info.inputs[0],
strlen (args_info.inputs[0]),
&secret, &secretlen);
if (rc != OATH_OK)
error (EXIT_FAILURE, 0, "base32 decoding failed: %s",
oath_strerror (rc));
}
else
{
secretlen = 1 + strlen (args_info.inputs[0]) / 2;
secret = malloc (secretlen);
if (!secret)
error (EXIT_FAILURE, errno, "malloc");
rc = oath_hex2bin (args_info.inputs[0], secret, &secretlen);
if (rc != OATH_OK)
error (EXIT_FAILURE, 0, "hex decoding of secret key failed");
}
if (args_info.counter_orig)
moving_factor = args_info.counter_arg;
else
moving_factor = 0;
if (args_info.digits_orig)
digits = args_info.digits_arg;
else
digits = 6;
if (args_info.window_orig)
window = args_info.window_arg;
else
window = 0;
if (digits != 6 && digits != 7 && digits != 8)
error (EXIT_FAILURE, 0, "only digits 6, 7 and 8 are supported");
if (validate_otp_p (args_info.inputs_num) && !args_info.digits_orig)
digits = strlen (args_info.inputs[1]);
else if (validate_otp_p (args_info.inputs_num) && args_info.digits_orig &&
args_info.digits_arg != strlen (args_info.inputs[1]))
error (EXIT_FAILURE, 0,
"given one-time password has bad length %d != %ld",
args_info.digits_arg, strlen (args_info.inputs[1]));
if (args_info.inputs_num > 2)
error (EXIT_FAILURE, 0, "too many parameters");
if (args_info.verbose_flag)
{
char *tmp;
tmp = malloc (2 * secretlen + 1);
if (!tmp)
error (EXIT_FAILURE, errno, "malloc");
oath_bin2hex (secret, secretlen, tmp);
printf ("Hex secret: %s\n", tmp);
free (tmp);
rc = oath_base32_encode (secret, secretlen, &tmp, NULL);
if (rc != OATH_OK)
error (EXIT_FAILURE, 0, "base32 encoding failed: %s",
oath_strerror (rc));
printf ("Base32 secret: %s\n", tmp);
free (tmp);
if (args_info.inputs_num == 2)
printf ("OTP: %s\n", args_info.inputs[1]);
printf ("Digits: %d\n", digits);
printf ("Window size: %ld\n", window);
}
if (args_info.totp_given)
{
now = time (NULL);
when = parse_time (args_info.now_arg, now);
t0 = parse_time (args_info.start_time_arg, now);
time_step_size = parse_duration (args_info.time_step_size_arg);
if (when == BAD_TIME)
error (EXIT_FAILURE, 0, "cannot parse time `%s'", args_info.now_arg);
if (t0 == BAD_TIME)
error (EXIT_FAILURE, 0, "cannot parse time `%s'",
args_info.start_time_arg);
if (time_step_size == BAD_TIME)
error (EXIT_FAILURE, 0, "cannot parse time `%s'",
args_info.time_step_size_arg);
if (strcmp (args_info.totp_arg, "sha256") == 0)
totpflags = OATH_TOTP_HMAC_SHA256;
else if (strcmp (args_info.totp_arg, "sha512") == 0)
totpflags = OATH_TOTP_HMAC_SHA512;
if (args_info.verbose_flag)
verbose_totp (t0, time_step_size, when);
}
else
{
if (args_info.verbose_flag)
verbose_hotp (moving_factor);
}
if (generate_otp_p (args_info.inputs_num) && !args_info.totp_given)
{
size_t iter = 0;
do
{
rc = oath_hotp_generate (secret,
secretlen,
moving_factor + iter,
digits,
false, OATH_HOTP_DYNAMIC_TRUNCATION, otp);
if (rc != OATH_OK)
error (EXIT_FAILURE, 0,
"generating one-time password failed (%d)", rc);
printf ("%s\n", otp);
}
while (window - iter++ > 0);
}
else if (generate_otp_p (args_info.inputs_num) && args_info.totp_given)
{
size_t iter = 0;
do
{
rc = oath_totp_generate2 (secret,
secretlen,
when + iter * time_step_size,
time_step_size, t0, digits, totpflags,
otp);
if (rc != OATH_OK)
error (EXIT_FAILURE, 0,
"generating one-time password failed (%d)", rc);
printf ("%s\n", otp);
}
while (window - iter++ > 0);
}
else if (validate_otp_p (args_info.inputs_num) && !args_info.totp_given)
{
rc = oath_hotp_validate (secret,
secretlen,
moving_factor, window, args_info.inputs[1]);
if (rc == OATH_INVALID_OTP)
error (EXIT_OTP_INVALID, 0,
"password \"%s\" not found in range %ld .. %ld",
args_info.inputs[1],
(long) moving_factor, (long) moving_factor + window);
else if (rc < 0)
error (EXIT_FAILURE, 0,
"validating one-time password failed (%d)", rc);
printf ("%d\n", rc);
}
else if (validate_otp_p (args_info.inputs_num) && args_info.totp_given)
{
rc = oath_totp_validate4 (secret,
secretlen,
when,
time_step_size,
t0,
window,
NULL, NULL, totpflags, args_info.inputs[1]);
if (rc == OATH_INVALID_OTP)
error (EXIT_OTP_INVALID, 0,
"password \"%s\" not found in range %ld .. %ld",
args_info.inputs[1],
(long) ((when - t0) / time_step_size - window / 2),
(long) ((when - t0) / time_step_size + window / 2));
else if (rc < 0)
error (EXIT_FAILURE, 0,
"validating one-time password failed (%d)", rc);
printf ("%d\n", rc);
}
free (secret);
oath_done ();
return EXIT_SUCCESS;
}
