ootp-release-1.03 imported

This commit is contained in:
Alexandre Dulaunoy 2017-01-03 12:14:13 +01:00
parent 61dce4ac29
commit 9a903d7a74
48 changed files with 2201 additions and 1126 deletions


@ -24,7 +24,7 @@
' OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
' SUCH DAMAGE.
'
' $Id: HOTP.DEF 13 2009-11-26 16:37:03Z maf $
' $Id: HOTP.DEF 91 2009-12-28 02:45:25Z maf $
'
@ -37,8 +37,8 @@
' INS Name Format CapabilityID
'------------------------------------------------------------------------
' 00 PRDisplay (CLA=C8) - 00000001
' RecordNumber(byte), DataFormat(byte), DigitCount(byte)
' DecimalPoint(byte), Delay(byte), MoreData(byte),
' RecordNumber(Byte), DataFormat(Byte), DigitCount(Byte)
' DecimalPoint(Byte), Delay(Byte), MoreData(Byte),
' Data(String)
' 40 SetHost Idx,Count,Hostname,HOTPKey 00000002
' 42 GetHost Idx,Count,Hostname,HOTPKey 00000004
@ -63,15 +63,26 @@
' A1 SetEEBlock P1=Idx,eeBlock XXXXXXXX
'
' enable functions
' HOTP display formats
'
Const FMTHEX40 = 1
Const FMTDEC316 = 2
Const FMTDEC317 = 3
Const FMTDEC318 = 4
Const FMTDEC319 = 5
Const FMTDEC3110 = 6
Const FMTDHEX40 = 7
'
' enable minimal functions for Spyrus Reader
'
'Const ENABLECSETHOST = 1
'Const ENABLECGETHOST = 1
Const ENABLECGETHOSTNAME = 1
'Const ENABLECGETHOTP = 1
Const ENABLECSETADMINMODE = 1
'Const ENABLECSETBALANCECARDINDEX = 1
Const ENABLECSETBALANCECARDINDEX = 1
Const ENABLECSETPIN = 1
Const ENABLECTESTPIN = 1
Const ENABLECGETVERSION = 1
@ -81,7 +92,7 @@ Const ENABLECGETHOST32 = 1
Const ENABLECGETHOTPCOUNT32 = 1
'Const ENABLECGETHOTPHOST = 1
Const ENABLECGETHOTPHOSTCOUNT32 = 1
'Const ENABLECPRDISPLAY = 1
Const ENABLECPRDISPLAY = 1
Const ENABLECCLEARALL = 1
Const ENABLESETREADERKEY = 1
@ -197,55 +208,55 @@ Const CAPSETREADERKEY = &H00020000
Const CAPSETREADERKEY = &H00000000
#endif
declare command &HC8 &H00 PRDisplay(RecordNumber as Byte, DataFormat as Byte, _
Declare Command &HC8 &H00 PRDisplay(RecordNumber as Byte, DataFormat as Byte, _
DigitCount as Byte,DecimalPoint as Byte, _
Delay as Byte, MoreData as Byte, _
Data as String)
declare command &H80 &H40 SetHost(Idx as Byte, Count as Integer, _
Declare Command &H80 &H40 SetHost(Idx as Byte, Count as Integer, _
Hostname as String*12, HOTPKey as String*20)
declare command &H80 &H42 GetHost(Idx as Byte, Count as Integer, _
Declare Command &H80 &H42 GetHost(Idx as Byte, Count as Integer, _
Hostname as String*12, HOTPKey as String*20)
declare command &H80 &H44 GetHostName(Idx as Byte, myPIN as string*5, _
Declare Command &H80 &H44 GetHostName(Idx as Byte, myPIN as String*5, _
Hostname as String*12)
declare command &H80 &H46 GetHOTP(Idx as Byte, myPIN as String*5, _
HOTP as string*5)
Declare Command &H80 &H46 GetHOTP(Idx as Byte, myPIN as String*5, _
HOTP as String*5)
declare command &H80 &H48 SetAdminMode(Mode as Byte, K as String*20)
Declare Command &H80 &H48 SetAdminMode(Mode as Byte, K as String*20)
declare command &H80 &H4A SetBalanceCardIndex(Idx as Byte)
Declare Command &H80 &H4A SetBalanceCardIndex(Idx as Byte)
declare command &H80 &H4C SetPIN(myPIN as String*5, newPIN as string*5)
Declare Command &H80 &H4C SetPIN(myPIN as String*5, newPIN as String*5)
declare command &H80 &H4E TestPIN(myPIN as String*5)
Declare Command &H80 &H4E TestPIN(myPIN as String*5)
declare command &H80 &H50 GetVersion(V as Byte)
Declare Command &H80 &H50 GetVersion(V as Byte)
declare command &H80 &H52 SetAdminKey(K as String*20)
Declare Command &H80 &H52 SetAdminKey(K as String*20)
declare command &H80 &H54 SetHost32(Idx as Byte, Count32 as Long, _
Declare Command &H80 &H54 SetHost32(Idx as Byte, Count32 as Long, _
Hostname as String*12, HOTPKey as String*20)
declare command &h80 &H56 GetHost32(Idx as Byte, Count32 as Long, _
Declare Command &h80 &H56 GetHost32(Idx as Byte, Count32 as Long, _
Hostname as String*12, HOTPKey as String*20)
declare command &H80 &H58 GetHOTPCount32(Idx as Byte, myPIN as String*5, _
Count32 as Long, HOTP as string*5)
Declare Command &H80 &H58 GetHOTPCount32(Idx as Byte, myPIN as String*5, _
Count32 as Long, HOTP as String*5)
declare command &H80 &H5A GetHOTPHost(Idx as Byte, myPIN as String*5, _
HOTP as string*5, Hostname as String*12)
Declare Command &H80 &H5A GetHOTPHost(Idx as Byte, myPIN as String*5, _
HOTP as String*5, Hostname as String*12)
declare command &H80 &H5C GetHOTPHostCount32(Idx as Byte, myPIN as String*5, _
Count32 as Long, HOTP as string*5, Hostname as String*12)
Declare Command &H80 &H5C GetHOTPHostCount32(Idx as Byte, myPIN as String*5, _
Count32 as Long, HOTP as String*5, Hostname as String*12)
declare command &H80 &H5E ClearAll()
Declare Command &H80 &H5E ClearAll()
declare command &H80 &H60 SetReaderKey(readerKey as String*5)
Declare Command &H80 &H60 SetReaderKey(readerKey as String*5)
declare command &H80 &H90 GetCapabilities(Capabilities as Long)
Declare Command &H80 &H90 GetCapabilities(Capabilities as Long)
'
' error codes used
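Review bot: The new display-format constants `Const FMTHEX40 = 1` through `Const FMTDHEX40 = 7` use a different numbering from the host library's OTP_FORMAT_* values introduced in the same commit, where DHEX40 is 2 and DEC31.6 is 3, and nothing at the declaration says so. A maintainer moving a format code between card and host can silently pick the wrong table and the card will display the wrong truncation. Suggest a comment above the block: `' Card-side display format codes. NOT the same enumeration as OTP_FORMAT_* in otplib.h; translate explicitly when a code crosses the APDU boundary.` The enable-function list is cut by the hunk, so I cannot see whether every format enabled here has a matching display path.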




@ -26,7 +26,7 @@
*
* Ported from ZeitControl bcload.bas and download.bas sample source
*
* $Id: bcload.c 13 2009-11-26 16:37:03Z maf $
* $Id: bcload.c 90 2009-12-28 02:44:52Z maf $
*/
#include <sys/cdefs.h>
@ -120,7 +120,7 @@ int main(int argc, char **argv)
paranoid = 1;
debug = 0;
verbose = 0;
reader = SCR_DEFAULT_READER;
reader = (char*)0L;
list_readers = 0; /* no */
scrctx = (struct scr_ctx*)0L;
img_fname = "HOTPC.IMG";
@ -700,8 +700,8 @@ void bcimg_read_version_section(struct bcimg *bcimg)
* next two bytes are version number of oldest software that
* can read the image file. Must be > 5.22
*/
if ((version[2] > 5) || ((version[2] == 5) && (version[3] > 22)))
xerr_errx(1, "bcimg_read_version_section(): Unknown image file version.");
if ((version[2] > 5) || ((version[2] == 5) && (version[3] > 71)))
xerr_errx(1, "bcimg_read_version_section(): Untested image file version.");
} /* bcimg_read_version_section */
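Review bot: The comment two lines above the changed check still reads `Must be > 5.22` while the code now rejects images whose minimum-reader version exceeds 5.71, so the comment was already inverted (the test is an upper bound) and is now stale as well. Suggest replacing it with `* can read the image file. Versions above 5.71 are untested here and are rejected.` The `xerr_errx(1, ...)` still aborts on a version the message calls merely "Untested"; if a hard refusal is intended the message should say so, otherwise a warning would match the new wording. bcimg_read_version_section begins before this hunk.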


@ -24,7 +24,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: otplib.c 18 2009-11-26 19:40:06Z maf $
* $Id: otplib.c 84 2009-12-27 17:29:51Z maf $
*/
#include <openssl/ssl.h>
@ -48,9 +48,12 @@
#include "str.h"
#include "otpsc.h"
char *otp_l_status[] = {"error", "active", "inactive", "disabled"};
char *otp_l_format[] = {"error", "hex40"};
char *otp_l_type[] = {"error", "HOTP"};
char *otp_status_l[] = {"error", "active", "inactive", "disabled"};
char *otp_format_l[] = {"error", "hex40", "dhex40", "dec31.6", "dec31.7",
"dec31.8", "dec31.9", "dec31.10"};
char *otp_type_l[] = {"error", "HOTP"};
char *otp_flags_l[] = {"display-count"};
/*
* One Time Password library with HOTP implementation.
@ -66,6 +69,9 @@ char *otp_l_type[] = {"error", "HOTP"};
* otp_hotp_hex40_auth() HOTP 40 bit hex key authentication
* otp_hotp_hex40_crsp() HOTP 40 bit hex key challenge response generator
*
* otp_hotp_dec31_auth() HOTP 31 bit decimal key authentication
* otp_hotp_dec31_crsp() HOTP 31 bit decimal key challenge response generator
*
****
*
* otp_db_open() open OTP db
@ -355,9 +361,10 @@ int otp_hotp_hex40_auth(struct otp_ctx *otpctx, struct otp_user *ou,
char *crsp, int window)
{
uint64_t tmp_count;
uint8_t offset;
u_int rlen;
int i;
u_char result[EVP_MAX_MD_SIZE], decoded[5];
u_char result[EVP_MAX_MD_SIZE], decoded[5], dt[5];
if (otp_db_valid(otpctx, "otp_hotp_hex40_auth") < 0)
return -1;
@ -398,23 +405,136 @@ int otp_hotp_hex40_auth(struct otp_ctx *otpctx, struct otp_user *ou,
SWAP64(tmp_count)
#endif /* BYTE_ORDER */
/* compare the top 40 bits to authenticate user, match then return good */
if (ou->format == OTP_FORMAT_HEX40) {
/* compare top 40 bits to authenticate user, match then AUTH_PASS */
if (!bcmp(decoded, &result, 5)) {
ou->count = tmp_count+1;
return OTP_AUTH_PASS;
}
} else if (ou->format == OTP_FORMAT_DHEX40) {
offset = result[19] & 0xf;
dt[0] = result[offset]; dt[1] = result[offset+1];
dt[2] = result[offset+2]; dt[3] = result[offset+3];
dt[4] = result[offset+4];
/* compare dynamic 40 bits to authenticate user, match then AUTH_PASS */
if (!bcmp(decoded, &dt, 5)) {
ou->count = tmp_count+1;
return OTP_AUTH_PASS;
}
} /* ou->format */
} /* window */
return OTP_AUTH_FAIL;
} /* otp_hotp_hex40_auth */
/*
* function: otp_hotp_dec31_auth()
*
* validate challenge HOTP 31 bit decimal format challenge response
* for user ou with window.
*
* arguments:
* ou - otp user struct
* crsp - user response
* window - window of challenge responses to attempt
*
* return: OTP_ERROR - error
* OTP_AUTH_PASS - user authenticated
* OTP_AUTH_FAIL - user not authenticated
*
*/
int otp_hotp_dec31_auth(struct otp_ctx *otpctx, struct otp_user *ou,
char *crsp, int window)
{
uint64_t tmp_count, mod64u;
uint32_t crsp32u, tmp32u, hotp32u;
uint8_t offset;
u_int rlen;
u_char result[EVP_MAX_MD_SIZE];
int i;
char *endptr;
if (otp_db_valid(otpctx, "otp_hotp_dec31_auth") < 0)
return -1;
crsp32u = strtoul(crsp, &endptr, 10);
if (*endptr) {
xerr_warnx("strtoul(%s): failed at %c.", crsp, *endptr);
return OTP_AUTH_FAIL;
}
tmp_count = ou->count;
/* try to authenticate with count, incrementing count up to count+window */
for (i = 0; i < window; ++i, ++tmp_count) {
/* HOTP is big endian */
#if BYTE_ORDER == LITTLE_ENDIAN
SWAP64(tmp_count)
#endif /* BYTE_ORDER */
/* compute expected response to challenge */
if (!HMAC(EVP_sha1(), ou->key, 20, (void*)&tmp_count, 8,
result, &rlen)) {
if (otpctx->verbose)
xerr_warnx("HMAC(): failed.");
return OTP_ERROR;
}
/* restore from HOTP standard byte order */
#if BYTE_ORDER == LITTLE_ENDIAN
SWAP64(tmp_count)
#endif /* BYTE_ORDER */
offset = result[19] & 0xf;
tmp32u = (result[offset] & 0x7f) << 24 |
(result[offset+1]) << 16 |
(result[offset+2]) << 8 |
(result[offset+3]);
if (ou->format == OTP_FORMAT_DEC31_6)
mod64u = 1000000LL;
else if (ou->format == OTP_FORMAT_DEC31_7)
mod64u = 10000000LL;
else if (ou->format == OTP_FORMAT_DEC31_8)
mod64u = 100000000LL;
else if (ou->format == OTP_FORMAT_DEC31_9)
mod64u = 1000000000LL;
else if (ou->format == OTP_FORMAT_DEC31_10)
mod64u = 10000000000LL;
else
xerr_errx(1, "assertion failure: ou->format invalid for dec31.");
/* final OTP truncation */
hotp32u = tmp32u % mod64u;
/* computed HOTP == user reponse? */
if (hotp32u == crsp32u) {
ou->count = tmp_count + 1;
return OTP_AUTH_PASS;
}
}
return OTP_AUTH_FAIL;
} /* otp_hotp_hex40_auth */
} /* otp_hotp_dec31_auth */
/*
* function: otp_hotp_hex40_crsp()
*
* generate HOTP challenge response in hex40 format from data in ou
* with optional * count_offset applied. Store results in buf as
* with optional count_offset applied. Store results in buf as
* null terminated ASCII string.
*
* arguments:
@ -422,6 +542,7 @@ int otp_hotp_hex40_auth(struct otp_ctx *otpctx, struct otp_user *ou,
* ou - otp_user struct source
* count_offset - offset of count from current count in ou
* buf - buffer with ASCII result. Min 11 bytes.
* buf_size - size of buf
*
* returns: <0 : fail
* 0 : success
@ -431,7 +552,8 @@ int otp_hotp_hex40_crsp(struct otp_ctx *otpctx, struct otp_user *ou,
int64_t count_offset, char *buf, size_t buf_size)
{
uint64_t tmp_count;
u_char result[EVP_MAX_MD_SIZE];
uint8_t offset;
u_char result[EVP_MAX_MD_SIZE], dt[5];
u_int rlen;
if (otp_db_valid(otpctx, "otp_hotp_hex40_crsp") < 0)
@ -459,12 +581,108 @@ int otp_hotp_hex40_crsp(struct otp_ctx *otpctx, struct otp_user *ou,
return OTP_ERROR;
}
if (ou->format == OTP_FORMAT_HEX40) {
str_hex_dump(buf, result, 5);
} else if (ou->format == OTP_FORMAT_DHEX40) {
offset = result[19] & 0xf;
dt[0] = result[offset]; dt[1] = result[offset+1];
dt[2] = result[offset+2]; dt[3] = result[offset+3];
dt[4] = result[offset+4];
str_hex_dump(buf, dt, 5);
}
return 0;
} /* otp_hotp_hex40_crsp */
/*
* function: otp_hotp_dec31_crsp()
*
* generate HOTP challenge response in dec31d* format from data in ou
* with optional count_offset applied. Store results in buf as
* null terminated ASCII string.
*
* arguments:
* otpctx - otp context from otp_db_open()
* ou - otp_user struct source
* count_offset - offset of count from current count in ou
* buf - buffer with ASCII result. Min 11 bytes.
* buf_size - size of buf
*
* returns: <0 : fail
* 0 : success
*
*/
int otp_hotp_dec31_crsp(struct otp_ctx *otpctx, struct otp_user *ou,
int64_t count_offset, char *buf, size_t buf_size)
{
uint64_t tmp_count, mod64u;
uint32_t tmp32u, hotp32u;
uint8_t offset;
u_char result[EVP_MAX_MD_SIZE];
u_int rlen;
if (otp_db_valid(otpctx, "otp_hotp_dec31_crsp") < 0)
return -1;
tmp_count = ou->count;
tmp_count += count_offset;
/* HOTP is big endian */
#if BYTE_ORDER == LITTLE_ENDIAN
SWAP64(tmp_count)
#endif /* BYTE_ORDER */
/* compute expected response to challenge */
if (!HMAC(EVP_sha1(), ou->key, 20, (void*)&tmp_count, 8,
result, &rlen)) {
if (otpctx->verbose)
xerr_warnx("HMAC(): failed.");
return OTP_ERROR;
}
offset = result[19] & 0xf;
tmp32u = (result[offset] & 0x7f) << 24 |
(result[offset+1]) << 16 |
(result[offset+2]) << 8 |
(result[offset+3]);
if (ou->format == OTP_FORMAT_DEC31_6)
mod64u = 1000000LL;
else if (ou->format == OTP_FORMAT_DEC31_7)
mod64u = 10000000LL;
else if (ou->format == OTP_FORMAT_DEC31_8)
mod64u = 100000000LL;
else if (ou->format == OTP_FORMAT_DEC31_9)
mod64u = 1000000000LL;
else if (ou->format == OTP_FORMAT_DEC31_10)
mod64u = 10000000000LL;
else
xerr_errx(1, "assertion failure: ou->format invalid for dec31.");
/* final OTP truncation */
hotp32u = tmp32u % mod64u;
if (buf_size < STR_UINT32_LEN) {
if (otpctx->verbose)
xerr_warnx("buf_size=%d < %d.", buf_size, STR_UINT32_LEN);
return OTP_ERROR;
}
str_uint32toa(buf, hotp32u);
return 0;
} /* otp_hotp_dec31_crsp */
/*
* function: otp_db_open()
*
@ -809,7 +1027,7 @@ otp_db_load_out:
* u_count_ceil - count ceiling
* u_status - status OTP_STATUS_*
* u_type - type OTP_TYPE_HOTP (HOTP implemented)
* u_format - format OTP_FORMAT_HEX40 (HEX40 implemented)
* u_format - format OTP_FORMAT_*
* u_version - version OTP_VERSION (version 1 implemented)
*
*
@ -1043,21 +1261,22 @@ int otp_user_auth(struct otp_ctx *otpctx, char *u_username,
{
time_t now;
struct otp_user ou;
int ret, r, auth_status;
int ret, r, auth_status, crsp_max;
if (otp_db_valid(otpctx, "otp_user_auth") < 0)
return -1;
/* paranoia */
str_safe(u_username, OTP_USER_NAME_LEN);
ret = -1; /* fail */
bzero(&ou, sizeof ou);
auth_status = OTP_AUTH_FAIL;
/* max length of challenge response */
crsp_max = (OTP_HOTP_HEX40_LEN<<1) < OTP_HOTP_DEC31_LEN ?\
(OTP_HOTP_HEX40_LEN<<1) : OTP_HOTP_DEC31_LEN;
/* paranoia */
str_safe(u_username, OTP_USER_NAME_LEN);
str_safe(u_crsp, OTP_HOTP_HEX40_LEN<<1);
str_safe(u_crsp, crsp_max<<1);
/* open user record */
if (otp_urec_open(otpctx, u_username, &ou, O_RDWR, FFDB_OP_LOCK_EX) < 0) {
@ -1093,12 +1312,21 @@ int otp_user_auth(struct otp_ctx *otpctx, char *u_username,
ou.last = now;
/* try to authenticate user */
if (ou.status != OTP_STATUS_ACTIVE)
if (ou.status != OTP_STATUS_ACTIVE) {
auth_status = OTP_AUTH_FAIL;
else if (ou.count >= ou.count_ceil)
} else if (ou.count >= ou.count_ceil) {
auth_status = OTP_AUTH_FAIL;
else
} else {
if ((ou.format == OTP_FORMAT_HEX40) ||
(ou.format == OTP_FORMAT_DHEX40))
auth_status = otp_hotp_hex40_auth(otpctx, &ou, u_crsp, u_window);
else if ((ou.format == OTP_FORMAT_DEC31_6) ||
(ou.format == OTP_FORMAT_DEC31_7) ||
(ou.format == OTP_FORMAT_DEC31_8) ||
(ou.format == OTP_FORMAT_DEC31_9) ||
(ou.format == OTP_FORMAT_DEC31_10))
auth_status = otp_hotp_dec31_auth(otpctx, &ou, u_crsp, u_window);
}
/*
* regardless of authentication status update the db to reflect last access
@ -1368,9 +1596,15 @@ int otp_urec_sanity(struct otp_ctx *otpctx, struct otp_user *ou)
return -1;
}
if (ou->format != OTP_FORMAT_HEX40) {
if ((ou->format != OTP_FORMAT_HEX40) &&
(ou->format != OTP_FORMAT_DHEX40) &&
(ou->format != OTP_FORMAT_DEC31_6) &&
(ou->format != OTP_FORMAT_DEC31_7) &&
(ou->format != OTP_FORMAT_DEC31_8) &&
(ou->format != OTP_FORMAT_DEC31_9) &&
(ou->format != OTP_FORMAT_DEC31_10)) {
if (otpctx->verbose)
xerr_warnx("format != OTP_FORMAT_HEX40.");
xerr_warnx("format invalid.");
return -1;
}
@ -1394,7 +1628,6 @@ int otp_urec_sanity(struct otp_ctx *otpctx, struct otp_user *ou)
* function: otp_urec_crsp()
*
* generate challenge response for ou
* HOTP HEX40 implemented.
*
* arguments:
* otpctx - otp db context returned by otp_db_open()
@ -1407,13 +1640,31 @@ int otp_urec_sanity(struct otp_ctx *otpctx, struct otp_user *ou)
int otp_urec_crsp(struct otp_ctx *otpctx, struct otp_user *ou,
int64_t count_offset, char *buf, size_t buf_size)
{
int crsp_max;
if (otp_db_valid(otpctx, "otp_urec_crsp") < 0)
return -1;
if (buf_size < 5) {
/* max length of challenge response */
if ((ou->format == OTP_FORMAT_HEX40) ||
(ou->format == OTP_FORMAT_DHEX40))
crsp_max = (OTP_HOTP_HEX40_LEN<<1);
else if (ou->format == OTP_FORMAT_DEC31_6)
crsp_max = 6;
else if (ou->format == OTP_FORMAT_DEC31_7)
crsp_max = 7;
else if (ou->format == OTP_FORMAT_DEC31_8)
crsp_max = 8;
else if (ou->format == OTP_FORMAT_DEC31_9)
crsp_max = 9;
else if (ou->format == OTP_FORMAT_DEC31_10)
crsp_max = 10;
else
xerr_errx(1, "assertion failure: ou->format invalid.");
if (buf_size < (crsp_max+1)) {
if (otpctx->verbose)
xerr_warnx("buf_size < 5.");
xerr_warnx("buf_size < %d.", (crsp_max+1));
goto otp_urec_crsp_out;
}
@ -1423,7 +1674,17 @@ int otp_urec_crsp(struct otp_ctx *otpctx, struct otp_user *ou,
goto otp_urec_crsp_out;
}
if ((ou->format == OTP_FORMAT_HEX40) ||
(ou->format == OTP_FORMAT_DHEX40))
return (otp_hotp_hex40_crsp(otpctx, ou, count_offset, buf, buf_size));
else if ((ou->format == OTP_FORMAT_DEC31_6) ||
(ou->format == OTP_FORMAT_DEC31_7) ||
(ou->format == OTP_FORMAT_DEC31_8) ||
(ou->format == OTP_FORMAT_DEC31_9) ||
(ou->format == OTP_FORMAT_DEC31_10))
return (otp_hotp_dec31_crsp(otpctx, ou, count_offset, buf, buf_size));
else
xerr_errx(1, "assertion failure: ou->format invalid.");
otp_urec_crsp_out:
@ -1447,7 +1708,7 @@ otp_urec_crsp_out:
*/
void otp_urec_disp(struct otp_ctx *otpctx, struct otp_user *ou)
{
char tmp[41];
char tmp[41], buf[512];
if (otp_db_valid(otpctx, "otp_urec_disp") < 0)
return;
@ -1461,18 +1722,16 @@ void otp_urec_disp(struct otp_ctx *otpctx, struct otp_user *ou)
ou->count_ceil);
printf("Version........%u\n", (u_int)ou->version);
printf("Status.........%s (%u)\n",
otp_l_status[ou->status], (u_int)ou->status);
str_lookup8(otp_status_l, ou->status, 1, OTP_STATUS_MAX),
(u_int)ou->status);
printf("Format.........%s (%u)\n",
otp_l_format[ou->format], (u_int)ou->format);
printf("Type...........%s (%u)\n", otp_l_type[ou->type], (u_int)ou->type);
printf("Flags..........%2.2x", (u_int)ou->flags);
if (ou->flags)
printf(" [");
if (ou->flags & OTP_USER_FLAGS_DSPCNT)
printf(" display-count");
if (ou->flags)
printf(" ]");
printf("\n");
str_lookup8(otp_format_l, ou->format, 1, OTP_FORMAT_MAX),
(u_int)ou->format);
printf("Type...........%s (%u)\n",
str_lookup8(otp_type_l, ou->type, 1, OTP_TYPE_MAX), (u_int)ou->type);
printf("Flags..........[%s] (0x%2.2x)\n",
str_flag8(otp_flags_l, ou->flags, OTP_FLAGS_BITS, buf, 512),
(u_int)ou->flags);
} /* otp_urec_disp */
@ -1591,7 +1850,7 @@ int main(int argc, char **argv)
/* crsp[0] = 'F'; */
ret = otp_user_auth(otpctx, "maf", crsp, OTP_HOTP_WINDOW);
ret = otp_user_auth(otpctx, "maf", crsp, OTP_WINDOW_DEFAULT);
printf("otp_user_auth(): %d\n", ret);
/*
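Review bot: In otp_user_auth the new `crsp_max` is commented as the max response length, but the ternary `(OTP_HOTP_HEX40_LEN<<1) < OTP_HOTP_DEC31_LEN ? (OTP_HOTP_HEX40_LEN<<1) : OTP_HOTP_DEC31_LEN` selects the smaller operand and only works because both are 10 today. The following `str_safe(u_crsp, crsp_max<<1)` then shifts again, so the sanitization bound grows from the previous 10 to 20 bytes although no supported format yields more than 10 characters, which may read past a caller's 11-byte response buffer. Suggest `crsp_max = (OTP_HOTP_HEX40_LEN<<1) > OTP_HOTP_DEC31_LEN ? (OTP_HOTP_HEX40_LEN<<1) : OTP_HOTP_DEC31_LEN;` and `str_safe(u_crsp, crsp_max);`. Separately, otp_hotp_dec31_auth accepts an empty response because `strtoul("")` leaves `*endptr == 0` and a value of 0; a guard `if (!*crsp || endptr == crsp) return OTP_AUTH_FAIL;` before the window loop would reject it, and `errno == ERANGE` deserves the same treatment. otp_user_auth continues past the end of the hunk.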


@ -24,7 +24,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: otplib.h 13 2009-11-26 16:37:03Z maf $
* $Id: otplib.h 61 2009-12-17 03:57:22Z maf $
*/
#include <sys/types.h>
@ -69,16 +69,29 @@
#define OTP_DB_FNAME "/etc/otpdb" /* location of user database */
#define OTP_HOTP_WINDOW 10 /* Window of challenges to try */
#define OTP_VERSION 1 /* version of library */
#define OTP_FORMAT_HEX40 1 /* 40 bits in hex */
#define OTP_FORMAT_DHEX40 2 /* 40 bits in hex w. RFC 4226 DT */
#define OTP_FORMAT_DEC31_6 3 /* 31 bits 6 digits in decimal RFC */
#define OTP_FORMAT_DEC31_7 4 /* 31 bits 7 digits in decimal */
#define OTP_FORMAT_DEC31_8 5 /* 31 bits 8 digits in decimal */
#define OTP_FORMAT_DEC31_9 6 /* 31 bits 9 digits in decimal */
#define OTP_FORMAT_DEC31_10 7 /* 31 bits 10 digits in decimal */
#define OTP_FORMAT_MAX 7 /* highest valid format enum */
#define OTP_TYPE_HOTP 1 /* protocol type */
#define OTP_TYPE_MAX 1 /* highest valid type enum */
#define OTP_WINDOW_DEFAULT 10 /* default challenge window */
#define OTP_WINDOW_MAX 255 /* max challenge window */
#define OTP_VERSION_MIN 1 /* min version for this code */
#define OTP_VERSION_MAX 1 /* max version for this code */
#define OTP_HOTP_KEY_SIZE 20 /* HMAC SHA160 key length */
#define OTP_HOTP_HEX40_LEN 5 /* HOTP challenge hex 40 bits */
#define OTP_HOTP_DEC31_LEN 10 /* max 10 digits */
#define OTP_AUTH_PASS 0 /* authenticated */
#define OTP_AUTH_FAIL 1 /* not authenticated */
@ -89,11 +102,14 @@
#define OTP_STATUS_ACTIVE 1 /* user is active */
#define OTP_STATUS_INACTIVE 2 /* user is not active */
#define OTP_STATUS_DISABLED 3 /* user is locked (disabled) */
#define OTP_STATUS_MAX 3 /* highest valid status enum */
#define OTP_USER_N_FIELDS 10 /* n fields in ASCII encoding */
#define OTP_USER_ASCII_LEN 139 /* max ASCII encoded length (w/o null) */
#define OTP_USER_FLAGS_DSPCNT 0x1 /* force display count */
#define OTP_FLAGS_DSPCNT 0x1 /* force display count */
#define OTP_FLAGS_BITS 1 /* bits used */
#define OTP_USER_NAME_LEN 32 /* max length of username (w/o null)*/
#define OTP_USER_KEY_LEN 64 /* key length */
@ -152,6 +168,10 @@ int otp_hotp_hex40_auth(struct otp_ctx *otpctx, struct otp_user *ou,
char *crsp, int window);
int otp_hotp_hex40_crsp(struct otp_ctx *otpctx, struct otp_user *ou,
int64_t count_offset, char *buf, size_t buf_size);
int otp_hotp_dec31_auth(struct otp_ctx *otpctx, struct otp_user *ou,
char *crsp, int window);
int otp_hotp_dec31_crsp(struct otp_ctx *otpctx, struct otp_user *ou,
int64_t count_offset, char *buf, size_t buf_size);
struct otp_ctx *otp_db_open(char *dbname, int flags);
int otp_db_close(struct otp_ctx *otpctx);
@ -183,6 +203,12 @@ void otp_urec_dispsc(struct otp_ctx *otpctx, struct otp_user *ou,
int otp_user_to_ascii(struct otp_ctx *otpctx, struct otp_user *ou);
int otp_user_from_ascii(struct otp_ctx *otpctx, struct otp_user *ou);
char *otp_uflags_str(uint8_t flags, char *tmpbuf, size_t tmpbuf_size);
extern char *otp_status_l[];
extern char *otp_format_l[];
extern char *otp_type_l[];
extern char *otp_flags_l[];
#endif /* OTP_H */
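Review bot: `OTP_FORMAT_DEC31_10` is described as `31 bits 10 digits in decimal`, but a 31-bit dynamic-truncation value never exceeds 2147483647, so the modulo 10^10 applied in the dec31 code is a no-op and the leading digit is always 0, 1 or 2; the format carries about 31 bits, only one bit more than dec31.9, not the 33 bits ten digits would suggest. Worth stating at the definition so nobody selects dec31.10 expecting extra strength: `#define OTP_FORMAT_DEC31_10 7 /* 31 bits, up to 10 digits (value < 2^31; ~1 bit more than DEC31_9) */`. Also `OTP_HOTP_WINDOW 10` now duplicates the new `OTP_WINDOW_DEFAULT 10` that the test code switched to; defining one in terms of the other would keep them from drifting.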


@ -24,7 +24,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: otpsc.h 23 2009-11-28 06:26:22Z maf $
* $Id: otpsc.h 86 2009-12-28 00:05:24Z maf $
*/
/* highest supported index */
@ -209,5 +209,11 @@
#define HOSTNAME_FLAG_MASK 0x80 /* high bit set */
#define HOSTNAME_POS_CHALLENGE 0x00 /* require challenge input */
#define HOSTNAME_POS_READERKEY 0x01 /* require reader key */
#define HOSTNAME_POS_READERKEY 1 /* require reader key */
#define HOSTNAME_POS_FMT 2 /* format, 0=hex, 1=decimal */
#define HOSTNAME_POS_FMT3 8 /* 0000=HEX40, 0001=HEX40 */
#define HOSTNAME_POS_FMT2 9 /* 0010=DEC31.6 0011=DEC31.7 */
#define HOSTNAME_POS_FMT1 10 /* 0100=DEC31.8 0101=DEC31.9 */
#define HOSTNAME_POS_FMT0 11 /* 0110=DEC31.10 0111=DHEX40 */
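Review bot: The new hostname flag layout carries two format indicators — the single bit `HOSTNAME_POS_FMT 2 /* format, 0=hex, 1=decimal */` and the 4-bit field at positions 8–11 — and the comments do not say which one the card honours or how they must agree (DHEX40, 0111, is hex and would presumably carry FMT=0). The nibble values also follow the card's FMT* numbering (0111=DHEX40) rather than otplib.h's OTP_FORMAT_* where DHEX40 is 2, which is easy to get wrong when host code writes the hostname string. Suggest a comment above the block: `/* bits 8-11 encode the card-side FMT* code (HOTP.DEF), not OTP_FORMAT_*; bit 2 is the legacy hex/decimal flag and must be kept consistent with it */`. The remaining bits of the hostname flag byte are outside this hunk.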


@ -24,7 +24,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: scr.c 29 2009-11-30 01:11:17Z maf $
* $Id: scr.c 73 2009-12-21 05:14:46Z maf $
*/
#include <sys/cdefs.h>
@ -81,12 +81,11 @@ struct scr_ctx* scr_ctx_new(int valid_readers, int verbose)
{
struct scr_ctx *scrctx;
size_t ralloc;
int r, ret, cur_reader;
int i, r, ret, cur_reader;
char *buf;
#ifdef SCR_PCSC
char *pcsc_rdr_buf, *p;
DWORD pcsc_rdr_buf_len;
int pcsc_rdr_count;
#endif /* SCR_PCSC */
ret = -1; /* fail */
@ -104,25 +103,20 @@ struct scr_ctx* scr_ctx_new(int valid_readers, int verbose)
bzero(scrctx, sizeof *scrctx);
scrctx->verbose = verbose;
if (valid_readers & SCR_READER_EMBEDDED_ACR30S) {
++ scrctx->num_readers;
ralloc += strlen(SCR_EMBEDDED_ACR30S_NAME)+1;
}
#ifdef SCR_PCSC
if (valid_readers & SCR_READER_PCSC) {
if ((r = SCardEstablishContext(SCARD_SCOPE_SYSTEM, (void*)0L, (void*)0L,
&scrctx->hContext)) != SCARD_S_SUCCESS) {
if (scrctx->verbose)
xerr_warnx("SCardEstablishContext(): %s.", pcsc_stringify_error(r));
}
pcsc_rdr_buf = (char*)0L;
/* give up on PCSC readers */
goto pcsc_done;
}
/*
* SCARD_AUTOALLOCATE not portable. Do this in two steps
@ -130,9 +124,13 @@ struct scr_ctx* scr_ctx_new(int valid_readers, int verbose)
*/
if ((r = SCardListReaders(scrctx->hContext, (void*)0L, (void*)0L,
&pcsc_rdr_buf_len)) != SCARD_S_SUCCESS) {
if (scrctx->verbose)
xerr_warnx("SCCardListReaders(): %s.", pcsc_stringify_error(r));
goto scr_ctx_new_out;
/* give up on PCSC readers */
goto pcsc_done;
}
if (!(pcsc_rdr_buf = malloc(pcsc_rdr_buf_len))) {
@ -149,23 +147,33 @@ struct scr_ctx* scr_ctx_new(int valid_readers, int verbose)
}
/* run through PSCS reader names to get count */
for (p = pcsc_rdr_buf, pcsc_rdr_count = 0;*p;++pcsc_rdr_count)
for (p = pcsc_rdr_buf;*p;++scrctx->pcsc_num_readers)
p += strlen(p);
/* first PCSC reader in the list */
if (pcsc_rdr_count)
if (scrctx->pcsc_num_readers)
scrctx->pcsc_reader_first = scrctx->num_readers;
/* add PCSC readers to total available via scr */
scrctx->num_readers += pcsc_rdr_count;
scrctx->num_readers += scrctx->pcsc_num_readers;
/* resrve space for reader name + "PCSC:" */
ralloc += pcsc_rdr_buf_len + (pcsc_rdr_count * 5);
ralloc += pcsc_rdr_buf_len + (scrctx->pcsc_num_readers * 5);
} /* SCR_READER_PCSC */
#endif /* SCR_PCSC */
pcsc_done:
if (valid_readers & SCR_READER_EMBEDDED_ACR30S) {
++ scrctx->num_readers;
ralloc += strlen(SCR_EMBEDDED_ACR30S_NAME)+1;
}
/* foreach reader allocate char */
ralloc += (scrctx->num_readers) * sizeof (char*);
@ -179,18 +187,12 @@ struct scr_ctx* scr_ctx_new(int valid_readers, int verbose)
buf = (char*)scrctx->readers + (sizeof (char*))*scrctx->num_readers;
cur_reader = 0;
if (valid_readers & SCR_READER_EMBEDDED_ACR30S) {
scrctx->readers[cur_reader++] = buf;
strcpy(buf, SCR_EMBEDDED_ACR30S_NAME);
buf += strlen(SCR_EMBEDDED_ACR30S_NAME) + 1;
} /* SCR_READER_PCSC */
#ifdef SCR_PCSC
if (valid_readers & SCR_READER_PCSC) {
p = pcsc_rdr_buf;
while (*p) {
while (p && *p) {
scrctx->readers[cur_reader++] = buf;
bcopy("PCSC:", buf, 5);
buf += 5;
@ -203,6 +205,13 @@ struct scr_ctx* scr_ctx_new(int valid_readers, int verbose)
#endif /* SCR_PCSC */
if (valid_readers & SCR_READER_EMBEDDED_ACR30S) {
scrctx->readers[cur_reader++] = buf;
strcpy(buf, SCR_EMBEDDED_ACR30S_NAME);
buf += strlen(SCR_EMBEDDED_ACR30S_NAME) + 1;
} /* SCR_READER_PCSC */
scrctx->valid = 1;
scrctx->valid_readers = valid_readers;
@ -210,6 +219,12 @@ struct scr_ctx* scr_ctx_new(int valid_readers, int verbose)
scr_ctx_new_out:
/* dump list of readers? */
if (scrctx->verbose) {
for (i = 0; i < scrctx->num_readers; ++i)
xerr_info("reader: %s", scrctx->readers[i]);
}
#ifdef SCR_PCSC
if (pcsc_rdr_buf)
free(pcsc_rdr_buf);
@ -329,6 +344,8 @@ void scr_ctx_free(struct scr_ctx *scrctx)
* to the first reader, embedded:acr30s will default to
* SCR_EMBEDDED_ACR30S_DEVICE
*
* An empty reader string will default to the first available reader
*
* returns: 0 success, connected to reader
* <0 failure
*
@ -343,6 +360,19 @@ int scr_ctx_connect(struct scr_ctx *scrctx, char *reader)
if (scr_ctx_valid(scrctx, (char*)__FUNCTION__) == -1)
goto scr_ctx_connect_out;
/* empty or no reader string */
if ((!reader) || (reader[0] == 0)) {
if (scrctx->num_readers == 0) {
xerr_warnx("No readers.");
goto scr_ctx_connect_out;
}
reader = scrctx->readers[0];
}
n = strlen(reader);
if (!(scrctx->reader = (char*)malloc(n+1))) {
@ -387,10 +417,19 @@ int scr_ctx_connect(struct scr_ctx *scrctx, char *reader)
/* skip PCSC: */
scrctx->pcsc_active_reader = scrctx->reader + 5;
/* PCSC: alone defaults to first PCSC reader */
if (!*scrctx->pcsc_active_reader)
/* PCSC: alone defaults to first PCSC reader if defined */
if (!*scrctx->pcsc_active_reader) {
/* if readers available, then default to first */
if (scrctx->pcsc_num_readers) {
scrctx->pcsc_active_reader =\
scrctx->readers[scrctx->pcsc_reader_first]+5;
} else {
xerr_warnx("No PCSC readers.");
goto scr_ctx_connect_out;
}
} /* PSCS: */
if ((r = SCardConnect(scrctx->hContext, scrctx->pcsc_active_reader,
SCARD_SHARE_EXCLUSIVE, SCARD_PROTOCOL_T1, &scrctx->hCard,
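Review bot: The verbose reader dump added under the `scr_ctx_new_out:` label runs on every exit from scr_ctx_new, but `scrctx->num_readers` is incremented (PCSC count, then the embedded reader) before `scrctx->readers` is allocated a few lines later, so any error path that still jumps to that label between those points walks a null `readers` array with a non-zero count; the malloc-failure branch for `pcsc_rdr_buf` is cut by the hunk so I cannot confirm it does. Guard the loop with `if (scrctx->verbose && scrctx->readers)`. Also, after `SCardEstablishContext` fails the code now continues via `goto pcsc_done` with a context that was never established, and an explicit `PCSC:<name>` passed to scr_ctx_connect would still reach `SCardConnect(scrctx->hContext, ...)`; recording that the context is invalid and failing the PCSC branch of scr_ctx_connect on it would be safer. scr_ctx_new begins before this hunk.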


@ -24,7 +24,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: scr.h 26 2009-11-29 23:01:37Z maf $
* $Id: scr.h 49 2009-12-14 22:03:08Z maf $
*/
#include "acr30.h"
@ -43,11 +43,6 @@
#define SCR_EMBEDDED_ACR30S_NAME "embedded:acr30s"
#define SCR_EMBEDDED_ACR30S_DEVICE "/dev/cuaU0"
#ifndef SCR_DEFAULT_READER
/* #define SCR_DEFAULT_READER "embedded:acr30s:/dev/cuaU0" */
#define SCR_DEFAULT_READER "PCSC:"
#endif
#define SCR_TX_BUF_LEN 254
#define SCR_RX_BUF_LEN 254
@ -66,12 +61,12 @@ struct scr_ctx
SCARDHANDLE hCard;
DWORD dwActiveProtocol;
char *pcsc_active_reader;
int pcsc_reader_first, pcsc_num_readers;
#endif /* SCR_PCSC */
int verbose, valid, valid_readers, active_reader;
int num_readers;
char **readers;
char *reader;
int pcsc_reader_first;
};
struct scr_io {


@ -24,7 +24,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: str.c 15 2009-11-26 18:29:41Z maf $
* $Id: str.c 87 2009-12-28 00:05:53Z maf $
*/
#include <termios.h>
@ -36,6 +36,7 @@
#endif
#include <stdio.h>
#include "str.h"
#include "xerr.h"
/*
* function: chr_hex_l()
@ -149,7 +150,7 @@ int chr_ishex(char d)
* n - length of b in bytes
*
*/
void str_hex_dump(char *buf, u_char *b, size_t n)
int str_hex_dump(char *buf, u_char *b, size_t n)
{
int i, j;
for (i = 0, j = 0; i < n; ++i) {
@ -157,6 +158,7 @@ void str_hex_dump(char *buf, u_char *b, size_t n)
buf[j++] = chr_hex_r(*b++);
}
buf[j] = 0;
return j;
}
/*
@ -390,6 +392,130 @@ int str_safe(char *input, size_t len)
} /* str_safe */
/*
* function: str_uint32toa()
*
* convert unsigned 32 bit integer to ascii. Left align.
*
* arguments:
* s - pointer to output buffer. Must be at least 11 bytes.
* u - uint32_t to convert
*
* returns: length of string
*
*/
int str_uint32toa(char *s, uint32_t u)
{
int len;
char *s1;
len = 0;
s1 = s;
/* 2^32-1 = 4294967295 = max 10 digits + NULL */
s[10] = 0;
do {
++len;
*--s = '0' + (u % 10);
u /= 10;
} while (u);
bcopy(s, s1, len);
s1[len] = 0;
return len;
} /* str_fmt_uint32 */
char *str_lookup8(char *list[], uint8_t id, uint8_t min, uint8_t max)
{
if (id > max) {
xerr_warnx("str_lookup8(): id=%d, max=%d", (int)id, (int)max);
return "err";
}
if (id < min) {
xerr_warnx("str_lookup8(): id=%d, min=%d", (int)id, (int)min);
return "err";
}
return list[id];
} /* str_lookup8 */
char *str_flag8(char *list[], uint8_t flags, uint8_t bits, char *tmpbuf,
size_t tmpbuf_size)
{
int i, l, u;
char *t;
u = 0;
t = tmpbuf;
for (i = 0; i < bits; ++i) {
if (flags & (1<<i)) {
l = strlen(list[i]);
if ((l + u + 2) < tmpbuf_size) {
bcopy(list[i], t, l);
t += l;
u += l;
*t++ = ' ';
} else {
goto str_flag8_err;
}
} /* if */
} /* for */
/* any strings added then back up over trailing space */
if (u)
--t;
*t = 0;
return tmpbuf;
str_flag8_err:
xerr_warnx("str_flag8(): tmpbuf too small.");
return "";
} /* str_flag8 */
int str_find8(char *list[], uint8_t *id, char *s, uint8_t min, uint8_t max)
{
int i;
*id = 0;
for (i = min; i <= max; ++i) {
if (!strcasecmp(s, list[i])) {
*id = i;
return 0;
}
}
xerr_warnx("str_find8(): %s not found.", s);
return -1;
} /* str_find8 */
int str_setflag8(char *list[], uint8_t *flags, char *s, uint8_t min,
uint8_t max)
{
int i;
*flags = 0;
for (i = min; i < max; ++i) {
if (!strcasecmp(s, list[i]))
*flags |= 1<<i;
}
if (*flags)
return 0;
xerr_warnx("str_setflag8(): %s not found.", s);
return -1;
} /* str_setflag8 */
#ifdef STR_EXAMPLE
#include <stdio.h>
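Review bot: `str_uint32toa` writes before the caller's buffer: `s` still points at the start when `*--s = '0' + (u % 10)` runs, so the first digit lands in `s[-1]`, the rest further back, and `bcopy(s, s1, len)` then copies from outside the buffer. The `s[10] = 0` and the left-aligning copy show the digits were meant to be built at the end of the 11-byte buffer, so insert `s = s1 + 10;` after `s[10] = 0;` (the `s[10]` store then becomes redundant because `s1[len] = 0` terminates). This is reached from otp_hotp_dec31_crsp with a caller-supplied buffer, so the out-of-bounds write corrupts the caller's stack or heap whenever a decimal OTP is generated. The closing comment `/* str_fmt_uint32 */` also names the wrong function.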


@ -24,7 +24,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: str.h 15 2009-11-26 18:29:41Z maf $
* $Id: str.h 85 2009-12-28 00:05:02Z maf $
*/
#include <sys/types.h>
@ -38,10 +38,25 @@ int chr_ishex(char d);
char chr_hex_l(u_char h);
char chr_hex_r(u_char h);
u_char chr_hex_decode(char h);
void str_hex_dump(char *buf, u_char *b, size_t n);
int str_hex_dump(char *buf, u_char *b, size_t n);
int str_hex_decode(char *in, size_t in_len, u_char *out, size_t out_len);
void str_ftoc(char *buf, char *f, size_t n);
int str_input(const char *prompt, char *buf, size_t buf_size, int flags);
int str_safe(char *input, size_t len);
int str_uint32toa(char *s, uint32_t u);
char *str_lookup8(char *list[], uint8_t id, uint8_t min, uint8_t max);
char *str_flag8(char *list[], uint8_t flags, uint8_t bits, char *tmpbuf,
size_t tmpbuf_size);
int str_setflag8(char *list[], uint8_t *flags, char *s, uint8_t min,
uint8_t max);
int str_find8(char *list[], uint8_t *id, char *s, uint8_t min, uint8_t max);
#define STR_FLAGS_ECHO_OFF 0x1
#define STR_UINT32_LEN 11 /* 2^32-1=4294967295 + NULL = 11 bytes */


@ -1,5 +1,5 @@
#
# $Id: QUICKSTART 32 2009-11-30 01:18:29Z maf $
# $Id: QUICKSTART 76 2009-12-26 21:04:01Z maf $
#
OpenOTP is an implementation of the HOTP protocol using a ZeitControl
@ -10,7 +10,7 @@ Included is a C library implementation of the HOTP protocol and
associated user database management, HOTP PAM library, OpenVPN plug-in module,
micro RADIUS server with HOTP support, and utilties for managing the Smart
Card, Spyrus reader, and host side HOTP user database. The PCSC-Lite
API provides reader support for Smart Card management under FreeBSD and Linux.
API provides reader support for Smart Card management.
The card management, firmware loaders, C API, and authentication methods
have been developed & tested for FreeBSD and Linux.
@ -25,7 +25,12 @@ downloading firmware to the reader with a Spyrus downloader cable.
Source and Binary for the BasicCard firmware is supplied. Modification
requires the Windows BasicCard development software available as
a free download from ZeitControl. A Unix version of bcload implemented
with the PCSC-Lite interface is included.
with the PCSC-Lite interface and embedded ACR30S driver is included.
The Smart Card based token generator is standards based and may be
used with other RFC compliant HOTP implementations. Other HOTP
token generators may be used with the Unix side HOTP library
and authentication modules.
Distribution:
@ -319,9 +324,9 @@ semanage fcontext -a -t textrel_shlib_t /lib/security/pam_otp.so
# to temporarily disable SELinux for testing use
# setenforce 0
# create the OTP database with one deactivated user (joe)
# create the OTP database with one inactive user (joe)
otp-control -n -u joe -m add
otp-control -u joe -m deactivate
otp-control -u joe -m set-status inactive
otp-control -u joe -m list
>Username.......joe
@ -392,7 +397,7 @@ Password:
Last login: Tue Sep 1 23:21:20 2009 from 10.1.0.26
# activate user
otp-control -u joe -m activate
otp-control -u joe -m set-status -s active
# login with OTP generated earlier
bastion.eng:~% ssh 10.1.0.25
@ -420,22 +425,20 @@ arrow until the "DownloadApp" menu item is present.
Start the htsoft-downloader utility using serial port at /dev/cuaU0 :
# FreeBSD USB Serial Adapter
htsoft-downloader -v1 -f /dev/cuaU0 < $OOTP/firmware/spyrus1.3.hex
htsoft-downloader -v1 -i -f /dev/cuaU0 < $OOTP/firmware/spyrus1.3.hex
# Linux USB Serial Adapter
htsoft-downloader -v1 -f /dev/ttyS0 < $OOTP/firmware/spyrus1.3.hex
htsoft-downloader -v1 -i -f /dev/ttyS0 < $OOTP/firmware/spyrus1.3.hex
Press Enter on the spyrus reader to start the download application:
Waiting for bootloader......
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDwTwwwwPIC reset failed.
htsoft-downloader: htsoft_v1bl_done(): failed
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDwTwF
PIC reset sent, ignored last WOK timeout.
Note the htsoft_v1bl_done(): failed message is cosmetic. The bootloader code
in the spyrus reader does not appear to send a final ACK per the source code
documentation from htsoft/Microchip. Increase the verbosity level for more
debugging information if necessary.
Increase the verbosity level for more debugging information if necessary.
The -i option is required for the bootloader provided with the Spyrus reader.
A Windows PIC downloader which will work with the Spyrus reader is available
at http://www.ehl.cz/pic/pic_e.htm. It will also note an error when trying
@ -759,6 +762,7 @@ See also:
Spyrus http://www.spyrus.com
PCSC-LITE http://pcsclite.alioth.debian.org/
Smart Cards http://www.smartcardfocus.com/
BalanceReader http://www.basiccard.com/chip/balanceR.pdf
#
# The HOTP database is not encrypted. For added security use an encrypted


@ -5,5 +5,31 @@ RADIUS dspcnt flag urd, force display count
RADIUS proxy support
default no GetHost() in BasicCard
get documentation for the ACS balance reader
ACS balance reader support dec31.6?
break out htsoft-downloader, urd, bcload?
architecture document
formats
post
basiccard build notes
full coverage testing for otplib and ffdb
otp-token (soft token)
count use 64 bit current time option
balance reader simulator
Break out Linux/FreeBSD/MAC build notes into separate file from QUICKSTART
Test with Linux PICC. Add spyrus Makefile to build without Windows
Spyrus main.c missing
EE2LCD()
U8 Temp[4];
RESP_INFO *respDump = (RESP_INFO*) Temp;


@ -79,7 +79,14 @@ Disable paranoid check for ZC3\&.9 hardware\&. Enhanced Smart Cards will
probably work, support for the professional cards require changes
to \fBbcload\&.c\fP\&.
.IP "-r\fI reader\fP" 10
Set the smart card reader\&. Use -l to list available readers\&.
Set Smart Card reader\&. Use -l to list available readers\&. A reader
is defined as class:reader:[option]\&. PCSC and embedded
are the two available classes\&. The embedded class contains the acr30s driver
which is specified as embedded:acr30s:[serial_port]\&.
If pcscd is running the first PC/SC reader will be the default followed by
the embedded acr30s driver\&. Use PCSC: for the first available PC/SC
reader\&. Use embedded:acr30s:/dev/cuaU0 for the embedded acr30s driver
with serial port /dev/cuaU0\&.
.IP "-t" 10
Force card mode to TEST after programming\&. Defaults to the mode
specified in the image file\&.
@ -87,7 +94,7 @@ specified in the image file\&.
Display verbose status messages while programming the card\&.
.SH "EXAMPLES"
.PP
Download the HOTPC\&.IMG file to the default smart card reader\&. Display
Download the HOTPC\&.IMG file to the default Smart Card reader\&. Display
verbose results\&.
.PP
.nf
@ -127,4 +134,4 @@ Mark Fullmer maf@splintered\&.net
\fBotp-ov-plugin\fP(1)
\fBurd\fP(1)
spyrus-par2(7)
...\" created by instant / docbook-to-man, Mon 30 Nov 2009, 13:15
...\" created by instant / docbook-to-man, Sun 27 Dec 2009, 22:01


@ -150,7 +150,20 @@ CLASS="REPLACEABLE"
></DT
><DD
><P
>Set the smart card reader. Use -l to list available readers.</P
>Set Smart Card reader. Use -l to list available readers. A reader
is defined as class:reader:[<SPAN
CLASS="OPTIONAL"
>option</SPAN
>]. PCSC and embedded
are the two available classes. The embedded class contains the acr30s driver
which is specified as embedded:acr30s:[<SPAN
CLASS="OPTIONAL"
>serial_port</SPAN
>].
If pcscd is running the first PC/SC reader will be the default followed by
the embedded acr30s driver. Use PCSC: for the first available PC/SC
reader. Use embedded:acr30s:/dev/cuaU0 for the embedded acr30s driver
with serial port /dev/cuaU0.</P
></DD
><DT
>-t</DT
@ -171,7 +184,7 @@ specified in the image file.</P
><DIV
CLASS="REFSECT1"
><A
NAME="AEN65"
NAME="AEN67"
></A
><H2
>EXAMPLES</H2
@ -180,10 +193,10 @@ CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN67"
NAME="AEN69"
></A
><P
>Download the HOTPC.IMG file to the default smart card reader. Display
>Download the HOTPC.IMG file to the default Smart Card reader. Display
verbose results.</P
><PRE
CLASS="SCREEN"
@ -223,7 +236,7 @@ BCSetState: test</SAMP
><DIV
CLASS="REFSECT1"
><A
NAME="AEN72"
NAME="AEN74"
></A
><H2
>AUTHOR</H2
@ -240,7 +253,7 @@ HREF="mailto:maf@splintered.net"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN79"
NAME="AEN81"
></A
><H2
>SEE ALSO</H2


@ -1,6 +1,6 @@
<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN">
<!-- $Id: bcload.sgml 13 2009-11-26 16:37:03Z maf $ -->
<!-- $Id: bcload.sgml 62 2009-12-18 17:26:31Z maf $ -->
<refentry>
<refmeta>
@ -95,7 +95,14 @@ to <filename>bcload.c</filename>.
<term>-r<replaceable> reader</replaceable></term>
<listitem>
<para>
Set the smart card reader. Use -l to list available readers.
Set Smart Card reader. Use -l to list available readers. A reader
is defined as class:reader:<optional>option</optional>. PCSC and embedded
are the two available classes. The embedded class contains the acr30s driver
which is specified as embedded:acr30s:<optional>serial_port</optional>.
If pcscd is running the first PC/SC reader will be the default followed by
the embedded acr30s driver. Use PCSC: for the first available PC/SC
reader. Use embedded:acr30s:/dev/cuaU0 for the embedded acr30s driver
with serial port /dev/cuaU0.
</para>
</listitem>
</varlistentry>
@ -128,7 +135,7 @@ Display verbose status messages while programming the card.
<informalexample>
<para>
Download the HOTPC.IMG file to the default smart card reader. Display
Download the HOTPC.IMG file to the default Smart Card reader. Display
verbose results.
</para>
<screen>


@ -69,6 +69,8 @@ on standard output and downloaded to a PIC on the
.SH "OPTIONS"
.IP "-h" 10
Help
.IP "-i" 10
Ignore timeout for last WOK after sending reset\&.
.IP "-f\fI serial_device\fP" 10
Serial device filename\&. Examples:
.IP "" 10
@ -93,7 +95,7 @@ Transfer the HEX file spyrus1\&.1\&.hex to a PIC connected to
the bootloader in this device does not send the last WOK command, this
appears to be harmless\&.
.PP
\fBpic-downloader -v9 -f /dev/ttyUSB0 < spyrys1\&.1\&.hex\fP
\fBpic-downloader -v9 -i -f /dev/ttyUSB0 < spyrys1\&.1\&.hex\fP
.PP
.nf
Waiting for bootloader\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.
@ -108,11 +110,10 @@ write: data=202530A0008430E8202017833010008430362020120A118A2DBD060401800A84
\&.\&.\&.
upload block: load_offset=0x1FFA bytes_to_send=6
Dwrite: cmd=E3 load=0FFD bytes=06 csum=AA
write: data=00CB30C42EBD
wDONE: reply=F8, expecting E4wwwwpic-downloader: htsoft_v1bl_done(): failed
PIC reset failed\&.
upload block: load_offset=0x1FF8 bytes_to_send=8
Dwrite: cmd=E3 load=0FFC bytes=08 csum=7E
write: data=246B120A158A3400
wDONE: reply=F0, expecting E4wPIC reset sent\&.
.fi
.SH "AUTHOR"
.PP
@ -124,4 +125,4 @@ Intel Hexadecimal Object File Format Specification Rev A
www\&.htsoft\&.com
.PP
http://www\&.ehl\&.cz/pic/pic_e\&.htm
...\" created by instant / docbook-to-man, Mon 30 Nov 2009, 13:15
...\" created by instant / docbook-to-man, Sun 27 Dec 2009, 22:01


@ -108,6 +108,12 @@ CLASS="VARIABLELIST"
>Help</P
></DD
><DT
>-i</DT
><DD
><P
>Ignore timeout for last WOK after sending reset.</P
></DD
><DT
>-f<TT
CLASS="REPLACEABLE"
><I
@ -175,7 +181,7 @@ output. A level of 1 will indicate the overall status of the transfer.</P
><DIV
CLASS="REFSECT1"
><A
NAME="AEN60"
NAME="AEN64"
></A
><H2
>EXAMPLE</H2
@ -184,7 +190,7 @@ CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN62"
NAME="AEN66"
></A
><P
>Transfer the HEX file spyrus1.1.hex to a PIC connected to
@ -197,7 +203,7 @@ appears to be harmless.</P
><P
> <B
CLASS="COMMAND"
>pic-downloader -v9 -f /dev/ttyUSB0 &#60; spyrys1.1.hex</B
>pic-downloader -v9 -i -f /dev/ttyUSB0 &#60; spyrys1.1.hex</B
></P
><PRE
CLASS="SCREEN"
@ -213,11 +219,10 @@ write: data=202530A0008430E8202017833010008430362020120A118A2DBD060401800A84
...
upload block: load_offset=0x1FFA bytes_to_send=6
Dwrite: cmd=E3 load=0FFD bytes=06 csum=AA
write: data=00CB30C42EBD
wDONE: reply=F8, expecting E4wwwwpic-downloader: htsoft_v1bl_done(): failed
PIC reset failed.&#13;</PRE
upload block: load_offset=0x1FF8 bytes_to_send=8
Dwrite: cmd=E3 load=0FFC bytes=08 csum=7E
write: data=246B120A158A3400
wDONE: reply=F0, expecting E4wPIC reset sent.</PRE
><P
></P
></DIV
@ -225,7 +230,7 @@ PIC reset failed.&#13;</PRE
><DIV
CLASS="REFSECT1"
><A
NAME="AEN68"
NAME="AEN72"
></A
><H2
>AUTHOR</H2
@ -242,7 +247,7 @@ HREF="mailto:maf@splintered.net"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN75"
NAME="AEN79"
></A
><H2
>SEE ALSO</H2


@ -1,6 +1,6 @@
<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN">
<!-- $Id: htsoft-downloader.sgml 13 2009-11-26 16:37:03Z maf $ -->
<!-- $Id: htsoft-downloader.sgml 74 2009-12-26 20:40:57Z maf $ -->
<refentry>
@ -58,6 +58,15 @@ Help
</listitem>
</varlistentry>
<varlistentry>
<term>-i</term>
<listitem>
<para>
Ignore timeout for last WOK after sending reset.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f<replaceable> serial_device</replaceable></term>
<listitem>
@ -120,7 +129,7 @@ the bootloader in this device does not send the last WOK command, this
appears to be harmless.
</para>
<para>
<command>pic-downloader -v9 -f /dev/ttyUSB0 < spyrys1.1.hex</command>
<command>pic-downloader -v9 -i -f /dev/ttyUSB0 < spyrys1.1.hex</command>
</para>
<screen>
Waiting for bootloader..........
@ -135,12 +144,10 @@ write: data=202530A0008430E8202017833010008430362020120A118A2DBD060401800A84
...
upload block: load_offset=0x1FFA bytes_to_send=6
Dwrite: cmd=E3 load=0FFD bytes=06 csum=AA
write: data=00CB30C42EBD
wDONE: reply=F8, expecting E4wwwwpic-downloader: htsoft_v1bl_done(): failed
PIC reset failed.
upload block: load_offset=0x1FF8 bytes_to_send=8
Dwrite: cmd=E3 load=0FFC bytes=08 csum=7E
write: data=246B120A158A3400
wDONE: reply=F0, expecting E4wPIC reset sent.
</screen>
</informalexample>


@ -56,7 +56,7 @@
\fBotp-control\fP \(em Local user database configuration for One Time Password package\&.
.SH "SYNOPSIS"
.PP
\fBotp-control\fP [-?hnv] [-c\fI count\fP] [-C\fI count_ceil\fP] [-F\fI sc_flags\fP] [-H\fI sc_hostname\fP] [-I\fI sc_index\fP] [-k\fI key\fP] [-m\fI command_mode\fP] [-o\fI otpdb_pathname\fP] [-u\fI username\fP] [-w\fI window\fP]
\fBotp-control\fP [-?hnv] [-c\fI count\fP] [-C\fI count_ceil\fP] [-f\fI format\fP] [-F\fI flags\fP] [-H\fI sc_hostname\fP] [-I\fI sc_index\fP] [-k\fI key\fP] [-m\fI command_mode\fP] [-o\fI otpdb_pathname\fP] [-s\fI status\fP] [-S\fI sc_flags\fP] [-t\fI type\fP] [-u\fI username\fP] [-w\fI window\fP]
.SH "DESCRIPTION"
.PP
The \fBotp-control\fP command is a front end to the
@ -86,10 +86,23 @@ must be presented to the OTP generator\&. The additional step of entering
the count to the OTP generator is not necessary when keys are not
shared, as the currrent count will increase on the OTP generator and
system database during authentication\&.
.IP "-f" 10
OTP format\&. One of hex40 dhex40 dec31\&.6 dec31\&.7 dec31\&.8 dec31\&.9 dec31\&.10\&.
hex40 (40 bit hex) is the default\&. dec31\&.6 (31 bit decimal truncated to 6
digits) is suggested by RFC 4226 and may be required to interoperate with
other HOTP implementations\&. dhex40 uses the dynamic truncate function
in RFC 4226, where hex40 always uses the top 40 bits\&. dhex40 may be the
default in future releases\&.
.IP "-F" 10
OTP flags\&. All flags are unset by default\&.
.PP
.nf
Flag Description
-----------------------------------------------------------------
display-count : Display HOTP count when prompted for challenge\&.
.fi
.IP "-h" 10
Help\&.
.IP "-F\fI sc_flags\fP" 10
Set the SC flags with the list-sc command mode\&. 0=CHALLENGE, 1=READERKEY\&.
.IP "-H\fI sc_hostname\fP" 10
Set the SC hostname with the list-sc command mode\&.
.IP "-I\fI sc_index\fP" 10
@ -106,26 +119,42 @@ C0C3D47F1CC68ECE0DF81D008F0C0D72D43EB745
Mode Description
-------------------------------------------------
add - Add user
activate - Activate user
create - Create database
deactivate - Deactivate user
disable - Disable user
dump - ASCII dump user record(s)
flags-dspcnt - Set user display count flag\&.
flags-no-dspcnt - Clear user display count flag\&.
generate - Generate HOTP for user
list - List user record (printable)
list-sc - List user record (SC friendly)
load - ASCII load user record(s)
remove - Remove user
set-count - Reset count for user
set-count-ceil - Reset count ceiling for user
set-count - Set user count
set-count-ceil - Set user count ceiling
set-flags - Set user flags
set-format - Set user format
set-status - Set user status
set-type - Set user OTP type
test - Test user
.fi
.IP "-n" 10
Create new database if one does not exist\&.
.IP "-o\fI otp_pathname\fP" 10
Pathname of OTP database\&.
.IP "-s\fI otp_pathname\fP" 10
OTP Status\&. The default status is active\&.
.PP
.nf
Status Description
-----------------------------------------------------------------
active : OTP is required for succesful authentication\&.
inactive : OTP may not be required for successful authentication\&.
The OTP authentication module may be configured to allow
inactive accounts to authenticate\&. This may be used to
temporarily remove the OTP authentication method for a user\&.
disabled : Account is disabled\&. OTP authentication will fail\&.
.fi
.IP "-S\fI sc_flags\fP" 10
Set the SC flags with the list-sc command mode\&. 0=CHALLENGE, 1=READERKEY\&.
.IP "-t\fI type\fP" 10
OTP Type\&. RFC 4226 HOTP is only supported type\&.
.IP "-u\fI username\fP" 10
Username to perform database operation on\&.
.IP "-v" 10
@ -144,32 +173,18 @@ of tokens generated\&.
.PP
\fBadd\fP : add user to OTP database\&. count_cur and count_ceiling may optionally
be specified with -c and -C respectively\&. A random key will be generated
if no key is specified with -k\&.
.PP
\fBactivate\fP : activate user\&. An active user must provide a OTP for successful
authentication\&. An inactive user _may_ be successfully authenticated
without a OTP depending on the application configuration\&. The pam_otp
module can be configured to use this flag with the "allow_inactive" option\&.
if no key is specified with -k\&. The format, flags, status, and type
may be altered from the defaults with -f, -F, -s, and -t respectively\&.
.PP
\fBcreate\fP : create OTP database\&. The OTP database is a base directory with each
user stored in a separate ASCII : delimited file in base_dir/d\&.
.PP
\fBdeactivate\fP : deactivate user\&. See activate\&.
.PP
\fBdisable\fP : disable user\&. A disabled user can not successfully authenticate\&.
.PP
\fBdump\fP : dump user database in ASCII\&. User records are separated by a newline\&.
Fields are : separated\&. All fields except the username are HEX encoded\&.
.PP
#version:user:key:status:format:type:flags:count_cur:count_ceil:last
01:test:1111111111111111111111111111111111111111:01:01:01:00:00000000000003E8:00000000000007D0:0000000000000000
.PP
\fBflags-dspcnt\fP : set the display count flag\&. An application such as pam_otp will use
this flag to control the display of the OTP count when challenging a
user\&.
.PP
\fBflags-no-dspcnt\fP : clear the display count flag\&.
.PP
\fBgenerate\fP : generate OTP for user\&. The -w flag may be used to generate multiple
OTP tokens\&.
.PP
@ -188,6 +203,14 @@ specified with -I and -F\&.
\fBset-count-ceil\fP : set count_ceiling for user\&. A OTP will not authenticate when
count_cur >= count_cieiling\&.
.PP
\fBset-flags\fP : set flags for user\&. See option -F\&.
.PP
\fBset-format\fP : set format for user\&. See option -f\&.
.PP
\fBset-status\fP : set status for user\&. See option -s\&.
.PP
\fBset-type\fP : set status for user\&. See option -t\&.
.PP
\fBtest\fP : test OTP authentication for user\&.
.SH "EXAMPLES"
.PP
@ -213,7 +236,7 @@ Version\&.\&.\&.\&.\&.\&.\&.\&.1
Status\&.\&.\&.\&.\&.\&.\&.\&.\&.active (1)
Format\&.\&.\&.\&.\&.\&.\&.\&.\&.hex40 (1)
Type\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.HOTP (1)
Flags\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.00
Flags\&.\&.\&.\&.\&.\&.\&.\&.\&.\&.[] (0x00)
.fi
.PP
Generate OTP for user bob\&.
@ -267,4 +290,4 @@ Mark Fullmer maf@splintered\&.net
\fBurd\fP(1)
\fBbcload\fP(1)
spyrus-par2(7)
...\" created by instant / docbook-to-man, Mon 30 Nov 2009, 13:16
...\" created by instant / docbook-to-man, Sun 27 Dec 2009, 22:01


@ -53,10 +53,15 @@ CLASS="REPLACEABLE"
><I
> count_ceil</I
></TT
>] [-f<TT
CLASS="REPLACEABLE"
><I
> format</I
></TT
>] [-F<TT
CLASS="REPLACEABLE"
><I
> sc_flags</I
> flags</I
></TT
>] [-H<TT
CLASS="REPLACEABLE"
@ -83,6 +88,21 @@ CLASS="REPLACEABLE"
><I
> otpdb_pathname</I
></TT
>] [-s<TT
CLASS="REPLACEABLE"
><I
> status</I
></TT
>] [-S<TT
CLASS="REPLACEABLE"
><I
> sc_flags</I
></TT
>] [-t<TT
CLASS="REPLACEABLE"
><I
> type</I
></TT
>] [-u<TT
CLASS="REPLACEABLE"
><I
@ -98,7 +118,7 @@ CLASS="REPLACEABLE"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN34"
NAME="AEN42"
></A
><H2
>DESCRIPTION</H2
@ -116,7 +136,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN39"
NAME="AEN47"
></A
><H2
>OPTIONS</H2
@ -167,23 +187,35 @@ shared, as the currrent count will increase on the OTP generator and
system database during authentication.</P
></DD
><DT
>-f</DT
><DD
><P
>OTP format. One of hex40 dhex40 dec31.6 dec31.7 dec31.8 dec31.9 dec31.10.
hex40 (40 bit hex) is the default. dec31.6 (31 bit decimal truncated to 6
digits) is suggested by RFC 4226 and may be required to interoperate with
other HOTP implementations. dhex40 uses the dynamic truncate function
in RFC 4226, where hex40 always uses the top 40 bits. dhex40 may be the
default in future releases.</P
></DD
><DT
>-F</DT
><DD
><P
>OTP flags. All flags are unset by default.
<PRE
CLASS="SCREEN"
> Flag Description
-----------------------------------------------------------------
display-count : Display HOTP count when prompted for challenge.</PRE
></P
></DD
><DT
>-h</DT
><DD
><P
>Help.</P
></DD
><DT
>-F<TT
CLASS="REPLACEABLE"
><I
> sc_flags</I
></TT
></DT
><DD
><P
>Set the SC flags with the list-sc command mode. 0=CHALLENGE, 1=READERKEY.</P
></DD
><DT
>-H<TT
CLASS="REPLACEABLE"
><I
@ -235,20 +267,19 @@ CLASS="SCREEN"
> Mode Description
-------------------------------------------------
add - Add user
activate - Activate user
create - Create database
deactivate - Deactivate user
disable - Disable user
dump - ASCII dump user record(s)
flags-dspcnt - Set user display count flag.
flags-no-dspcnt - Clear user display count flag.
generate - Generate HOTP for user
list - List user record (printable)
list-sc - List user record (SC friendly)
load - ASCII load user record(s)
remove - Remove user
set-count - Reset count for user
set-count-ceil - Reset count ceiling for user
set-count - Set user count
set-count-ceil - Set user count ceiling
set-flags - Set user flags
set-format - Set user format
set-status - Set user status
set-type - Set user OTP type
test - Test user</PRE
></DD
><DT
@ -269,6 +300,50 @@ CLASS="REPLACEABLE"
>Pathname of OTP database.</P
></DD
><DT
>-s<TT
CLASS="REPLACEABLE"
><I
> otp_pathname</I
></TT
></DT
><DD
><P
>OTP Status. The default status is active.
<PRE
CLASS="SCREEN"
> Status Description
-----------------------------------------------------------------
active : OTP is required for succesful authentication.
inactive : OTP may not be required for successful authentication.
The OTP authentication module may be configured to allow
inactive accounts to authenticate. This may be used to
temporarily remove the OTP authentication method for a user.
disabled : Account is disabled. OTP authentication will fail.</PRE
></P
></DD
><DT
>-S<TT
CLASS="REPLACEABLE"
><I
> sc_flags</I
></TT
></DT
><DD
><P
>Set the SC flags with the list-sc command mode. 0=CHALLENGE, 1=READERKEY.</P
></DD
><DT
>-t<TT
CLASS="REPLACEABLE"
><I
> type</I
></TT
></DT
><DD
><P
>OTP Type. RFC 4226 HOTP is only supported type.</P
></DD
><DT
>-u<TT
CLASS="REPLACEABLE"
><I
@ -310,7 +385,7 @@ of tokens generated.</P
><DIV
CLASS="REFSECT1"
><A
NAME="AEN111"
NAME="AEN139"
></A
><H2
>OTP-CONTROL COMMANDS</H2
@ -321,16 +396,8 @@ CLASS="COMMAND"
>
: add user to OTP database. count_cur and count_ceiling may optionally
be specified with -c and -C respectively. A random key will be generated
if no key is specified with -k.</P
><P
><B
CLASS="COMMAND"
>activate</B
>
: activate user. An active user must provide a OTP for successful
authentication. An inactive user _may_ be successfully authenticated
without a OTP depending on the application configuration. The pam_otp
module can be configured to use this flag with the "allow_inactive" option.</P
if no key is specified with -k. The format, flags, status, and type
may be altered from the defaults with -f, -F, -s, and -t respectively.</P
><P
><B
CLASS="COMMAND"
@ -341,18 +408,6 @@ user stored in a separate ASCII : delimited file in base_dir/d.</P
><P
><B
CLASS="COMMAND"
>deactivate</B
>
: deactivate user. See activate.</P
><P
><B
CLASS="COMMAND"
>disable</B
>
: disable user. A disabled user can not successfully authenticate.</P
><P
><B
CLASS="COMMAND"
>dump</B
>
: dump user database in ASCII. User records are separated by a newline.
@ -363,20 +418,6 @@ Fields are : separated. All fields except the username are HEX encoded.</P
><P
><B
CLASS="COMMAND"
>flags-dspcnt</B
>
: set the display count flag. An application such as pam_otp will use
this flag to control the display of the OTP count when challenging a
user.</P
><P
><B
CLASS="COMMAND"
>flags-no-dspcnt</B
>
: clear the display count flag.</P
><P
><B
CLASS="COMMAND"
>generate</B
>
: generate OTP for user. The -w flag may be used to generate multiple
@ -423,6 +464,30 @@ count_cur &#62;= count_cieiling.</P
><P
><B
CLASS="COMMAND"
>set-flags</B
>
: set flags for user. See option -F.</P
><P
><B
CLASS="COMMAND"
>set-format</B
>
: set format for user. See option -f.</P
><P
><B
CLASS="COMMAND"
>set-status</B
>
: set status for user. See option -s.</P
><P
><B
CLASS="COMMAND"
>set-type</B
>
: set status for user. See option -t.</P
><P
><B
CLASS="COMMAND"
>test</B
>
: test OTP authentication for user.</P
@ -430,7 +495,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN146"
NAME="AEN172"
></A
><H2
>EXAMPLES</H2
@ -439,7 +504,7 @@ CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN148"
NAME="AEN174"
></A
><P
>Create a new OTP database /etc/otpdb. Add user bob with random key.</P
@ -460,7 +525,7 @@ CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN153"
NAME="AEN179"
></A
><P
>Display user bob OTP database entry.</P
@ -479,7 +544,7 @@ Version........1
Status.........active (1)
Format.........hex40 (1)
Type...........HOTP (1)
Flags..........00</PRE
Flags..........[] (0x00)</PRE
><P
></P
></DIV
@ -488,7 +553,7 @@ CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN158"
NAME="AEN184"
></A
><P
>Generate OTP for user bob.</P
@ -508,7 +573,7 @@ CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN163"
NAME="AEN189"
></A
><P
>Test OTP for user bob.</P
@ -530,7 +595,7 @@ CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN168"
NAME="AEN194"
></A
><P
>Dump OTP database to stdout. Fields other than username are hex encoded.
@ -552,7 +617,7 @@ CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN173"
NAME="AEN199"
></A
><P
>Dump OTP user to stdout in format friendly to <B
@ -580,7 +645,7 @@ CLASS="COMPUTEROUTPUT"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN180"
NAME="AEN206"
></A
><H2
>AUTHOR</H2
@ -597,7 +662,7 @@ HREF="mailto:maf@splintered.net"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN187"
NAME="AEN213"
></A
><H2
>SEE ALSO</H2


@ -1,6 +1,6 @@
<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN">
<!-- $Id: otp-control.sgml 13 2009-11-26 16:37:03Z maf $ -->
<!-- $Id: otp-control.sgml 80 2009-12-26 23:25:04Z maf $ -->
<refentry>
@ -26,12 +26,16 @@ Local user database configuration for One Time Password package.
<arg>-?hnv</arg>
<arg>-c<replaceable> count</replaceable></arg>
<arg>-C<replaceable> count_ceil</replaceable></arg>
<arg>-F<replaceable> sc_flags</replaceable></arg>
<arg>-f<replaceable> format</replaceable></arg>
<arg>-F<replaceable> flags</replaceable></arg>
<arg>-H<replaceable> sc_hostname</replaceable></arg>
<arg>-I<replaceable> sc_index</replaceable></arg>
<arg>-k<replaceable> key</replaceable></arg>
<arg>-m<replaceable> command_mode</replaceable></arg>
<arg>-o<replaceable> otpdb_pathname</replaceable></arg>
<arg>-s<replaceable> status</replaceable></arg>
<arg>-S<replaceable> sc_flags</replaceable></arg>
<arg>-t<replaceable> type</replaceable></arg>
<arg>-u<replaceable> username</replaceable></arg>
<arg>-w<replaceable> window</replaceable></arg>
</cmdsynopsis>
@ -88,6 +92,35 @@ system database during authentication.
</listitem>
</varlistentry>
<varlistentry>
<term>-f</term>
<listitem>
<para>
OTP format. One of hex40 dhex40 dec31.6 dec31.7 dec31.8 dec31.9 dec31.10.
hex40 (40 bit hex) is the default. dec31.6 (31 bit decimal truncated to 6
digits) is suggested by RFC 4226 and may be required to interoperate with
other HOTP implementations. dhex40 uses the dynamic truncate function
in RFC 4226, where hex40 always uses the top 40 bits. dhex40 may be the
default in future releases.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-F</term>
<listitem>
<para>
OTP flags. All flags are unset by default.
<screen>
Flag Description
-----------------------------------------------------------------
display-count : Display HOTP count when prompted for challenge.
</screen>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
@ -97,14 +130,6 @@ Help.
</listitem>
</varlistentry>
<varlistentry>
<term>-F<replaceable> sc_flags</replaceable></term>
<listitem>
<para>
Set the SC flags with the list-sc command mode. 0=CHALLENGE, 1=READERKEY.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-H<replaceable> sc_hostname</replaceable></term>
@ -146,20 +171,19 @@ C0C3D47F1CC68ECE0DF81D008F0C0D72D43EB745
Mode Description
-------------------------------------------------
add - Add user
activate - Activate user
create - Create database
deactivate - Deactivate user
disable - Disable user
dump - ASCII dump user record(s)
flags-dspcnt - Set user display count flag.
flags-no-dspcnt - Clear user display count flag.
generate - Generate HOTP for user
list - List user record (printable)
list-sc - List user record (SC friendly)
load - ASCII load user record(s)
remove - Remove user
set-count - Reset count for user
set-count-ceil - Reset count ceiling for user
set-count - Set user count
set-count-ceil - Set user count ceiling
set-flags - Set user flags
set-format - Set user format
set-status - Set user status
set-type - Set user OTP type
test - Test user
</screen>
</listitem>
@ -183,6 +207,44 @@ Pathname of OTP database.
</listitem>
</varlistentry>
<varlistentry>
<term>-s<replaceable> otp_pathname</replaceable></term>
<listitem>
<para>
OTP Status. The default status is active.
<screen>
Status Description
-----------------------------------------------------------------
active : OTP is required for succesful authentication.
inactive : OTP may not be required for successful authentication.
The OTP authentication module may be configured to allow
inactive accounts to authenticate. This may be used to
temporarily remove the OTP authentication method for a user.
disabled : Account is disabled. OTP authentication will fail.
</screen>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S<replaceable> sc_flags</replaceable></term>
<listitem>
<para>
Set the SC flags with the list-sc command mode. 0=CHALLENGE, 1=READERKEY.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t<replaceable> type</replaceable></term>
<listitem>
<para>
OTP Type. RFC 4226 HOTP is only supported type.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-u<replaceable> username</replaceable></term>
<listitem>
@ -228,28 +290,16 @@ of tokens generated.
<command>add</command>
: add user to OTP database. count_cur and count_ceiling may optionally
be specified with -c and -C respectively. A random key will be generated
if no key is specified with -k.
</para>
<para>
<command>activate</command>
: activate user. An active user must provide a OTP for successful
authentication. An inactive user _may_ be successfully authenticated
without a OTP depending on the application configuration. The pam_otp
module can be configured to use this flag with the "allow_inactive" option.
if no key is specified with -k. The format, flags, status, and type
may be altered from the defaults with -f, -F, -s, and -t respectively.
</para>
<para>
<command>create</command>
: create OTP database. The OTP database is a base directory with each
user stored in a separate ASCII : delimited file in base_dir/d.
</para>
<para>
<command>deactivate</command>
: deactivate user. See activate.
</para>
<para>
<command>disable</command>
: disable user. A disabled user can not successfully authenticate.
</para>
<para>
<command>dump</command>
: dump user database in ASCII. User records are separated by a newline.
@ -258,48 +308,66 @@ Fields are : separated. All fields except the username are HEX encoded.
#version:user:key:status:format:type:flags:count_cur:count_ceil:last
01:test:1111111111111111111111111111111111111111:01:01:01:00:00000000000003E8:00000000000007D0:0000000000000000
</para>
<para>
<command>flags-dspcnt</command>
: set the display count flag. An application such as pam_otp will use
this flag to control the display of the OTP count when challenging a
user.
</para>
<para>
<command>flags-no-dspcnt</command>
: clear the display count flag.
</para>
<para>
<command>generate</command>
: generate OTP for user. The -w flag may be used to generate multiple
OTP tokens.
</para>
<para>
<command>list</command>
: list user record in user friendly format.
</para>
<para>
<command>list-sc</command>
: list user record in otp-sc import friendly format. The SC hostname
must be specified with -H. The SC index and SC flags may optionally be
specified with -I and -F.
</para>
<para>
<command>load</command>
: load user record(s)s in ASCII format. See dump.
</para>
<para>
<command>remove</command>
: remove user from OTP database.
</para>
<para>
<command>set-count</command>
: set count_current for user.
</para>
<para>
<command>set-count-ceil</command>
: set count_ceiling for user. A OTP will not authenticate when
count_cur >= count_cieiling.
</para>
<para>
<command>set-flags</command>
: set flags for user. See option -F.
</para>
<para>
<command>set-format</command>
: set format for user. See option -f.
</para>
<para>
<command>set-status</command>
: set status for user. See option -s.
</para>
<para>
<command>set-type</command>
: set status for user. See option -t.
</para>
<para>
<command>test</command>
: test OTP authentication for user.
@ -339,7 +407,7 @@ Version........1
Status.........active (1)
Format.........hex40 (1)
Type...........HOTP (1)
Flags..........00
Flags..........[] (0x00)
</screen>
</informalexample>


@ -56,7 +56,7 @@
\fBotp-ov-plugin\fP \(em OpenVPN plug-in authentication module for OTP database\&.
.SH "SYNOPSIS"
.PP
\fBotp-ov-plugin\fP [-?hv] [-o\fI otpdb_fname\fP]
\fBotp-ov-plugin\fP [-?hv] [-o\fI otpdb_fname\fP] [-w\fI otp_window\fP]
.SH "DESCRIPTION"
.PP
The \fBotp-ov-plugin\fP command is plug-in authentication
@ -74,6 +74,8 @@ Help
Pathname of OTP database\&.
.IP "-v" 10
Verbose
.IP "-w" 10
Set the OTP challenge window\&.
.SH "EXAMPLES"
.PP
Test the module with user bob\&.
@ -101,4 +103,4 @@ Mark Fullmer maf@splintered\&.net
\fBbcload\fP(1)
\fBOpenVPN\fP(8)
spyrus-par2(7)
...\" created by instant / docbook-to-man, Mon 30 Nov 2009, 13:16
...\" created by instant / docbook-to-man, Sun 27 Dec 2009, 22:01


@ -48,12 +48,17 @@ CLASS="REPLACEABLE"
><I
> otpdb_fname</I
></TT
>] [-w<TT
CLASS="REPLACEABLE"
><I
> otp_window</I
></TT
>]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN16"
NAME="AEN18"
></A
><H2
>DESCRIPTION</H2
@ -94,7 +99,7 @@ CLASS="RETURNVALUE"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN25"
NAME="AEN27"
></A
><H2
>OPTIONS</H2
@ -126,13 +131,19 @@ CLASS="REPLACEABLE"
><P
>Verbose</P
></DD
><DT
>-w</DT
><DD
><P
>Set the OTP challenge window.</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN41"
NAME="AEN47"
></A
><H2
>EXAMPLES</H2
@ -141,7 +152,7 @@ CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN43"
NAME="AEN49"
></A
><P
>Test the module with user bob.</P
@ -170,7 +181,7 @@ CLASS="SCREEN"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN52"
NAME="AEN58"
></A
><H2
>AUTHOR</H2
@ -187,7 +198,7 @@ HREF="mailto:maf@splintered.net"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN59"
NAME="AEN65"
></A
><H2
>SEE ALSO</H2


@ -1,6 +1,6 @@
<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN">
<!-- $Id: otp-ov-plugin.sgml 13 2009-11-26 16:37:03Z maf $ -->
<!-- $Id: otp-ov-plugin.sgml 50 2009-12-15 01:37:19Z maf $ -->
<refentry>
@ -25,6 +25,7 @@ OpenVPN plug-in authentication module for OTP database.
<command>otp-ov-plugin</command>
<arg>-?hv</arg>
<arg>-o<replaceable> otpdb_fname</replaceable></arg>
<arg>-w<replaceable> otp_window</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
@ -74,6 +75,16 @@ Verbose
</listitem>
</varlistentry>
<varlistentry>
<term>-w</term>
<listitem>
<para>
Set the OTP challenge window.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>


@ -60,15 +60,15 @@
.SH "DESCRIPTION"
.PP
The \fBotp-sca\fP command implements a terminal for an MCU based
smart card loaded with the OTP firmware (HOTPC\&.IMG)\&. Host entries consisting
of {hostname,count,shared_key} are downloaded to the smart card using
Smart Card loaded with the OTP firmware (HOTPC\&.IMG)\&. Host entries consisting
of {hostname,count,shared_key} are downloaded to the Smart Card using
\fBotp-sca\fP\&. Additionally commands implemented on the
smart card such as HOTP generation and PIN maintenance can be executed
Smart Card such as HOTP generation and PIN maintenance can be executed
with the appropriate administratative key\&.
.SH "OPTIONS"
.IP "-a\fI admin_keyfile\fP" 10
Smart Card administratative key\&. The admin-enable command and
administratative key are used to toggle the smart card into admin mode\&.
administratative key are used to toggle the Smart Card into admin mode\&.
Once in admin mode commands admin-disable, adminkey-set, balancecard-set,
host-get, host-set, pin-set, and sc-clear can be executed\&. The default admin
key, "3030303030303030303030303030303030303030" (HEX), should be changed to
@ -80,10 +80,10 @@ Set debug level\&.
.IP "-h" 10
Help\&.
.IP "-i\fI index\fP" 10
Set the 8 bit index\&. The smart card contains numerically indexed records
Set the 8 bit index\&. The Smart Card contains numerically indexed records
for each host of the form {hostname,count,shared_key}\&. The firmware
will support indexes in the range 0\&.\&.254\&. 255 is reserved\&. Memory
capacity on the smart card may further restrict the index range\&. The
capacity on the Smart Card may further restrict the index range\&. The
ZC3\&.9 BasicCard with firmware revision 3 supports up to 85 records\&.
.IP "-l" 10
List SC Readers
@ -125,11 +125,18 @@ List SC Readers
Configure command_mode modifiers\&. Modifier d applied to the host-get
command will generate output in otpdb format\&. Count (c) and Host (h)
used with hotp-gen allow passing the Count and Host parameters
respectively\&. The smart card may not be configured to support
respectively\&. The Smart Card may not be configured to support
all variations of a command\&.
variations
.IP "-r\fI reader\fP" 10
Set the smart card reader\&. Use -l to list available readers\&.
Set Smart Card reader\&. Use -l to list available readers\&. A reader
is defined as class:reader:[option]\&. PCSC and embedded
are the two available classes\&. The embedded class contains the acr30s driver
which is specified as embedded:acr30s:[serial_port]\&.
If pcscd is running the first PC/SC reader will be the default followed by
the embedded acr30s driver\&. Use PCSC: for the first available PC/SC
reader\&. Use embedded:acr30s:/dev/cuaU0 for the embedded acr30s driver
with serial port /dev/cuaU0\&.
.IP "-R\fI reader_keyfile\fP" 10
Smart Card Reader key\&. The reader-key-set command can be used
to set this key in the Smart Card\&. To emulate the behavior of
@ -145,10 +152,10 @@ PAR II reader this is set in the PAR II EEProm\&.
Set username\&. The username is used with the host-get command and
d modifier\&.
.IP "-v\fI card_api_version\fP" 10
Set the smart card API version\&. The binary API between the terminal
and smart card changed between version 2 and 3\&. See command_mode notes
Set the Smart Card API version\&. The binary API between the terminal
and Smart Card changed between version 2 and 3\&. See command_mode notes
above\&. The default version is 3\&. Configuring version 2 will allow
maintenance of smart card with version 2 firmware\&.
maintenance of Smart Card with version 2 firmware\&.
.SH "SMART CARD COMMANDS"
.PP
\fBadmin-enable\fP : enable administrative mode\&. The commands admin-disable, admin-key-set,
@ -168,7 +175,7 @@ disable admin mode\&.
this command\&. Using a balance reader to generate a HOTP does not require
the use of a PIN, and is disabled by default\&.
.PP
\fBcapabilities-get\fP : each command on the smart card is represented by a capabilities bit and
\fBcapabilities-get\fP : each command on the Smart Card is represented by a capabilities bit and
conditionally compiled into HOTPC\&.IMG\&.
capabilities-get will return the available, compiled-in commands\&. Commands
are defined in \fBHOTP\&.DEF\fP:
@ -254,7 +261,7 @@ to unlock a SC\&.
SC when executing the GetHOTP* commands\&. If the F1 (flag 1) bit of
the hostname is set, this key must match the key provided by the
reader\&. This functionality allows the reader to weakly authenticate
itself to the smart card and may be used to restrict HOTP generation to
itself to the Smart Card and may be used to restrict HOTP generation to
a Spyrus PAR II reader\&.
.PP
\fBsc-clear\fP : reset the SC to defaults, erase all host entries\&.
@ -337,7 +344,7 @@ when done\&.
.fi
.PP
Use \fBotp-control\fP to create a new database for system dev1 with
user test, store the test user database entry to the smart card with
user test, store the test user database entry to the Smart Card with
\fBotp-sca\fP\&.
.PP
.nf
@ -350,7 +357,7 @@ user test, store the test user database entry to the smart card with
# list user test entry in format ready for otp-sca to import\&. Hostname
# of system is dev1
\fBotp-control -o /tmp/otpdb -u test -m list-sc -H dev1 | tail -1 > /tmp/test\&.list\fP
# copy card entry to smart card as index 0
# copy card entry to Smart Card as index 0
\fBecho -n "00:"| cat - /tmp/test\&.list | \&./otp-sca -m host-set\fP
\f(CWSetHost (0): Done\fP
.fi
@ -410,4 +417,4 @@ Mark Fullmer maf@splintered\&.net
\fBbcload\fP(1)
\fBurd\fP(1)
spyrus-par2(7)
...\" created by instant / docbook-to-man, Tue 01 Dec 2009, 17:12
...\" created by instant / docbook-to-man, Sun 27 Dec 2009, 22:01


@ -107,13 +107,13 @@ NAME="AEN34"
CLASS="COMMAND"
>otp-sca</B
> command implements a terminal for an MCU based
smart card loaded with the OTP firmware (HOTPC.IMG). Host entries consisting
of {hostname,count,shared_key} are downloaded to the smart card using
Smart Card loaded with the OTP firmware (HOTPC.IMG). Host entries consisting
of {hostname,count,shared_key} are downloaded to the Smart Card using
<B
CLASS="COMMAND"
>otp-sca</B
>. Additionally commands implemented on the
smart card such as HOTP generation and PIN maintenance can be executed
Smart Card such as HOTP generation and PIN maintenance can be executed
with the appropriate administratative key.</P
></DIV
><DIV
@ -138,7 +138,7 @@ CLASS="REPLACEABLE"
><DD
><P
>Smart Card administratative key. The admin-enable command and
administratative key are used to toggle the smart card into admin mode.
administratative key are used to toggle the Smart Card into admin mode.
Once in admin mode commands admin-disable, adminkey-set, balancecard-set,
host-get, host-set, pin-set, and sc-clear can be executed. The default admin
key, "3030303030303030303030303030303030303030" (HEX), should be changed to
@ -181,10 +181,10 @@ CLASS="REPLACEABLE"
></DT
><DD
><P
>Set the 8 bit index. The smart card contains numerically indexed records
>Set the 8 bit index. The Smart Card contains numerically indexed records
for each host of the form {hostname,count,shared_key}. The firmware
will support indexes in the range 0..254. 255 is reserved. Memory
capacity on the smart card may further restrict the index range. The
capacity on the Smart Card may further restrict the index range. The
ZC3.9 BasicCard with firmware revision 3 supports up to 85 records.</P
></DD
><DT
@ -248,7 +248,7 @@ CLASS="REPLACEABLE"
>Configure command_mode modifiers. Modifier d applied to the host-get
command will generate output in otpdb format. Count (c) and Host (h)
used with hotp-gen allow passing the Count and Host parameters
respectively. The smart card may not be configured to support
respectively. The Smart Card may not be configured to support
all variations of a command.
variations </P
></DD
@ -261,7 +261,20 @@ CLASS="REPLACEABLE"
></DT
><DD
><P
>Set the smart card reader. Use -l to list available readers.</P
>Set Smart Card reader. Use -l to list available readers. A reader
is defined as class:reader:[<SPAN
CLASS="OPTIONAL"
>option</SPAN
>]. PCSC and embedded
are the two available classes. The embedded class contains the acr30s driver
which is specified as embedded:acr30s:[<SPAN
CLASS="OPTIONAL"
>serial_port</SPAN
>].
If pcscd is running the first PC/SC reader will be the default followed by
the embedded acr30s driver. Use PCSC: for the first available PC/SC
reader. Use embedded:acr30s:/dev/cuaU0 for the embedded acr30s driver
with serial port /dev/cuaU0.</P
></DD
><DT
>-R<TT
@ -304,10 +317,10 @@ CLASS="REPLACEABLE"
></DT
><DD
><P
>Set the smart card API version. The binary API between the terminal
and smart card changed between version 2 and 3. See command_mode notes
>Set the Smart Card API version. The binary API between the terminal
and Smart Card changed between version 2 and 3. See command_mode notes
above. The default version is 3. Configuring version 2 will allow
maintenance of smart card with version 2 firmware.</P
maintenance of Smart Card with version 2 firmware.</P
></DD
></DL
></DIV
@ -315,7 +328,7 @@ maintenance of smart card with version 2 firmware.</P
><DIV
CLASS="REFSECT1"
><A
NAME="AEN103"
NAME="AEN105"
></A
><H2
>SMART CARD COMMANDS</H2
@ -360,7 +373,7 @@ the use of a PIN, and is disabled by default.</P
CLASS="COMMAND"
>capabilities-get</B
>
: each command on the smart card is represented by a capabilities bit and
: each command on the Smart Card is represented by a capabilities bit and
conditionally compiled into HOTPC.IMG.
capabilities-get will return the available, compiled-in commands. Commands
are defined in <TT
@ -476,7 +489,7 @@ CLASS="COMMAND"
SC when executing the GetHOTP* commands. If the F1 (flag 1) bit of
the hostname is set, this key must match the key provided by the
reader. This functionality allows the reader to weakly authenticate
itself to the smart card and may be used to restrict HOTP generation to
itself to the Smart Card and may be used to restrict HOTP generation to
a Spyrus PAR II reader.</P
><P
><B
@ -560,7 +573,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN145"
NAME="AEN147"
></A
><H2
>EXAMPLES</H2
@ -569,7 +582,7 @@ CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN147"
NAME="AEN149"
></A
><P
>Change the administratative key from the default. Disable admin mode
@ -623,14 +636,14 @@ CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN158"
NAME="AEN160"
></A
><P
>Use <B
CLASS="COMMAND"
>otp-control</B
> to create a new database for system dev1 with
user test, store the test user database entry to the smart card with
user test, store the test user database entry to the Smart Card with
<B
CLASS="COMMAND"
>otp-sca</B
@ -666,7 +679,7 @@ CLASS="COMMAND"
>otp-control -o /tmp/otpdb -u test -m list-sc -H dev1 | tail -1 &#62; /tmp/test.list</B
>
# copy card entry to smart card as index 0
# copy card entry to Smart Card as index 0
<B
CLASS="COMMAND"
>echo -n "00:"| cat - /tmp/test.list | ./otp-sca -m host-set</B
@ -684,7 +697,7 @@ CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN170"
NAME="AEN172"
></A
><P
>Dump card contents to stdout. Note fields are encoded in HEX including
@ -712,7 +725,7 @@ CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN175"
NAME="AEN177"
></A
><P
>Reset user PIN for card with secret.key as the admin key.</P
@ -757,7 +770,7 @@ CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN184"
NAME="AEN186"
></A
><P
>Generate HOTP for dev1. Use hostname-get to find the index for dev1. Use
@ -798,7 +811,7 @@ HOTP: 52DCD05FE5 -- dev1</SAMP
><DIV
CLASS="REFSECT1"
><A
NAME="AEN191"
NAME="AEN193"
></A
><H2
>AUTHOR</H2
@ -815,7 +828,7 @@ HREF="mailto:maf@splintered.net"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN198"
NAME="AEN200"
></A
><H2
>SEE ALSO</H2


@ -1,6 +1,6 @@
<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN">
<!-- $Id: otp-sca.sgml 13 2009-11-26 16:37:03Z maf $ -->
<!-- $Id: otp-sca.sgml 62 2009-12-18 17:26:31Z maf $ -->
<refentry>
@ -42,10 +42,10 @@ Smart Card Administration for One Time Password package.
<title>DESCRIPTION</title>
<para>
The <command>otp-sca</command> command implements a terminal for an MCU based
smart card loaded with the OTP firmware (HOTPC.IMG). Host entries consisting
of {hostname,count,shared_key} are downloaded to the smart card using
Smart Card loaded with the OTP firmware (HOTPC.IMG). Host entries consisting
of {hostname,count,shared_key} are downloaded to the Smart Card using
<command>otp-sca</command>. Additionally commands implemented on the
smart card such as HOTP generation and PIN maintenance can be executed
Smart Card such as HOTP generation and PIN maintenance can be executed
with the appropriate administratative key.
</para>
</refsect1>
@ -59,7 +59,7 @@ with the appropriate administratative key.
<listitem>
<para>
Smart Card administratative key. The admin-enable command and
administratative key are used to toggle the smart card into admin mode.
administratative key are used to toggle the Smart Card into admin mode.
Once in admin mode commands admin-disable, adminkey-set, balancecard-set,
host-get, host-set, pin-set, and sc-clear can be executed. The default admin
key, "3030303030303030303030303030303030303030" (HEX), should be changed to
@ -99,10 +99,10 @@ Help.
<term>-i<replaceable> index</replaceable></term>
<listitem>
<para>
Set the 8 bit index. The smart card contains numerically indexed records
Set the 8 bit index. The Smart Card contains numerically indexed records
for each host of the form {hostname,count,shared_key}. The firmware
will support indexes in the range 0..254. 255 is reserved. Memory
capacity on the smart card may further restrict the index range. The
capacity on the Smart Card may further restrict the index range. The
ZC3.9 BasicCard with firmware revision 3 supports up to 85 records.
</para>
</listitem>
@ -164,7 +164,7 @@ List SC Readers
Configure command_mode modifiers. Modifier d applied to the host-get
command will generate output in otpdb format. Count (c) and Host (h)
used with hotp-gen allow passing the Count and Host parameters
respectively. The smart card may not be configured to support
respectively. The Smart Card may not be configured to support
all variations of a command.
variations
</para>
@ -175,7 +175,14 @@ variations
<term>-r<replaceable> reader</replaceable></term>
<listitem>
<para>
Set the smart card reader. Use -l to list available readers.
Set Smart Card reader. Use -l to list available readers. A reader
is defined as class:reader:<optional>option</optional>. PCSC and embedded
are the two available classes. The embedded class contains the acr30s driver
which is specified as embedded:acr30s:<optional>serial_port</optional>.
If pcscd is running the first PC/SC reader will be the default followed by
the embedded acr30s driver. Use PCSC: for the first available PC/SC
reader. Use embedded:acr30s:/dev/cuaU0 for the embedded acr30s driver
with serial port /dev/cuaU0.
</para>
</listitem>
</varlistentry>
@ -214,10 +221,10 @@ d modifier.
<term>-v<replaceable> card_api_version</replaceable></term>
<listitem>
<para>
Set the smart card API version. The binary API between the terminal
and smart card changed between version 2 and 3. See command_mode notes
Set the Smart Card API version. The binary API between the terminal
and Smart Card changed between version 2 and 3. See command_mode notes
above. The default version is 3. Configuring version 2 will allow
maintenance of smart card with version 2 firmware.
maintenance of Smart Card with version 2 firmware.
</para>
</listitem>
</varlistentry>
@ -256,7 +263,7 @@ the use of a PIN, and is disabled by default.
</para>
<para>
<command>capabilities-get</command>
: each command on the smart card is represented by a capabilities bit and
: each command on the Smart Card is represented by a capabilities bit and
conditionally compiled into HOTPC.IMG.
capabilities-get will return the available, compiled-in commands. Commands
are defined in <filename>HOTP.DEF</filename>:
@ -354,7 +361,7 @@ to unlock a SC.
SC when executing the GetHOTP* commands. If the F1 (flag 1) bit of
the hostname is set, this key must match the key provided by the
reader. This functionality allows the reader to weakly authenticate
itself to the smart card and may be used to restrict HOTP generation to
itself to the Smart Card and may be used to restrict HOTP generation to
a Spyrus PAR II reader.
</para>
<para>
@ -464,7 +471,7 @@ when done.
<informalexample>
<para>
Use <command>otp-control</command> to create a new database for system dev1 with
user test, store the test user database entry to the smart card with
user test, store the test user database entry to the Smart Card with
<command>otp-sca</command>.
</para>
<screen>
@ -482,7 +489,7 @@ user test, store the test user database entry to the smart card with
# of system is dev1
<command>otp-control -o /tmp/otpdb -u test -m list-sc -H dev1 | tail -1 > /tmp/test.list</command>
# copy card entry to smart card as index 0
# copy card entry to Smart Card as index 0
<command>echo -n "00:"| cat - /tmp/test.list | ./otp-sca -m host-set</command>
<computeroutput>SetHost (0): Done</computeroutput>


@ -60,33 +60,40 @@
.SH "DESCRIPTION"
.PP
The \fBotp-sct\fP command is a user interface to generating
One Time Passwords with a smart card loaded with OTP software\&.
One Time Passwords with a Smart Card loaded with OTP software\&.
.SH "OPTIONS"
.IP "-c\fI count\fP" 10
Configure the optional count parameter to sync a smart card to a challenge\&.
Configure the optional count parameter to sync a Smart Card to a challenge\&.
.IP "-d\fI debug_level\fP" 10
Set debug level\&.
.IP "-h" 10
Help\&.
.IP "-i\fI index\fP" 10
Set the 8 bit index\&. The smart card contains numerically indexed records
Set the 8 bit index\&. The Smart Card contains numerically indexed records
for each host system\&. Use the -l option to list hostnames associated with
the index\&. The default index is 0\&.
.IP "-l" 10
List SC Readers
.IP "-L" 10
List host systems configured on the smart card\&. The index is used with the -i option\&.
List host systems configured on the Smart Card\&. The index is used with the -i option\&.
.IP "-o" 10
Set new PIN\&.
.IP "-r\fI reader\fP" 10
Set the smart card reader\&. Use -l to list available readers\&.
Set Smart Card reader\&. Use -l to list available readers\&. A reader
is defined as class:reader:[option]\&. PCSC and embedded
are the two available classes\&. The embedded class contains the acr30s driver
which is specified as embedded:acr30s:[serial_port]\&.
If pcscd is running the first PC/SC reader will be the default followed by
the embedded acr30s driver\&. Use PCSC: for the first available PC/SC
reader\&. Use embedded:acr30s:/dev/cuaU0 for the embedded acr30s driver
with serial port /dev/cuaU0\&.
.IP "-v\fI card_api_version\fP" 10
Set the smart card API version\&. The binary API between the terminal
and smart card changed between version 2 and 3\&. See command mode notes
Set the Smart Card API version\&. The binary API between the terminal
and Smart Card changed between version 2 and 3\&. See command mode notes
above\&. The default version is 3\&. Configuring version 2 will allow
maintenance of smart card with version 2 firmware\&.
maintenance of Smart Card with version 2 firmware\&.
.IP "-V" 10
List the smart card firmware version\&.
List the Smart Card firmware version\&.
.IP "-1" 10
Use the version 1 GetHOTP command instead of the default GetHOTPHostCount32\&.
The latter is not available on firmware revision 1\&. GetHOTP may be conditionally
@ -101,7 +108,7 @@ Generate a HOTP for the first system on the first PCSC reader found\&.
HOTP: dev1\&.eng 2A5AB4B78D\fP
.fi
.PP
List systems configured on smart card in default reader\&. Generate HOTP
List systems configured on Smart Card in default reader\&. Generate HOTP
for dev3\&.eng with count 32\&.
.PP
.nf
@ -131,4 +138,4 @@ Mark Fullmer maf@splintered\&.net
\fBbcload\fP(1)
\fBurd\fP(1)
spyrus-par2(7)
...\" created by instant / docbook-to-man, Tue 01 Dec 2009, 17:12
...\" created by instant / docbook-to-man, Sun 27 Dec 2009, 22:01


@ -82,7 +82,7 @@ NAME="AEN24"
CLASS="COMMAND"
>otp-sct</B
> command is a user interface to generating
One Time Passwords with a smart card loaded with OTP software.</P
One Time Passwords with a Smart Card loaded with OTP software.</P
></DIV
><DIV
CLASS="REFSECT1"
@ -105,7 +105,7 @@ CLASS="REPLACEABLE"
></DT
><DD
><P
>Configure the optional count parameter to sync a smart card to a challenge.</P
>Configure the optional count parameter to sync a Smart Card to a challenge.</P
></DD
><DT
>-d<TT
@ -133,7 +133,7 @@ CLASS="REPLACEABLE"
></DT
><DD
><P
>Set the 8 bit index. The smart card contains numerically indexed records
>Set the 8 bit index. The Smart Card contains numerically indexed records
for each host system. Use the -l option to list hostnames associated with
the index. The default index is 0.</P
></DD
@ -147,7 +147,7 @@ the index. The default index is 0.</P
>-L</DT
><DD
><P
>List host systems configured on the smart card. The index is used with the -i option.</P
>List host systems configured on the Smart Card. The index is used with the -i option.</P
></DD
><DT
>-o</DT
@ -164,7 +164,20 @@ CLASS="REPLACEABLE"
></DT
><DD
><P
>Set the smart card reader. Use -l to list available readers.</P
>Set Smart Card reader. Use -l to list available readers. A reader
is defined as class:reader:[<SPAN
CLASS="OPTIONAL"
>option</SPAN
>]. PCSC and embedded
are the two available classes. The embedded class contains the acr30s driver
which is specified as embedded:acr30s:[<SPAN
CLASS="OPTIONAL"
>serial_port</SPAN
>].
If pcscd is running the first PC/SC reader will be the default followed by
the embedded acr30s driver. Use PCSC: for the first available PC/SC
reader. Use embedded:acr30s:/dev/cuaU0 for the embedded acr30s driver
with serial port /dev/cuaU0.</P
></DD
><DT
>-v<TT
@ -175,16 +188,16 @@ CLASS="REPLACEABLE"
></DT
><DD
><P
>Set the smart card API version. The binary API between the terminal
and smart card changed between version 2 and 3. See command mode notes
>Set the Smart Card API version. The binary API between the terminal
and Smart Card changed between version 2 and 3. See command mode notes
above. The default version is 3. Configuring version 2 will allow
maintenance of smart card with version 2 firmware.</P
maintenance of Smart Card with version 2 firmware.</P
></DD
><DT
>-V</DT
><DD
><P
>List the smart card firmware version.</P
>List the Smart Card firmware version.</P
></DD
><DT
>-1</DT
@ -200,7 +213,7 @@ compiled out of newer firmware.</P
><DIV
CLASS="REFSECT1"
><A
NAME="AEN80"
NAME="AEN82"
></A
><H2
>EXAMPLES</H2
@ -209,7 +222,7 @@ CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN82"
NAME="AEN84"
></A
><P
>Generate a HOTP for the first system on the first PCSC reader found.</P
@ -233,10 +246,10 @@ CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN87"
NAME="AEN89"
></A
><P
>List systems configured on smart card in default reader. Generate HOTP
>List systems configured on Smart Card in default reader. Generate HOTP
for dev3.eng with count 32.</P
><PRE
CLASS="SCREEN"
@ -277,7 +290,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN96"
NAME="AEN98"
></A
><H2
>AUTHOR</H2
@ -294,7 +307,7 @@ HREF="mailto:maf@splintered.net"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN103"
NAME="AEN105"
></A
><H2
>SEE ALSO</H2


@ -1,6 +1,6 @@
<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN">
<!-- $Id: otp-sct.sgml 13 2009-11-26 16:37:03Z maf $ -->
<!-- $Id: otp-sct.sgml 62 2009-12-18 17:26:31Z maf $ -->
<refentry>
@ -37,7 +37,7 @@ Smart Card Terminal for One Time Password package.
<title>DESCRIPTION</title>
<para>
The <command>otp-sct</command> command is a user interface to generating
One Time Passwords with a smart card loaded with OTP software.
One Time Passwords with a Smart Card loaded with OTP software.
</para>
</refsect1>
@ -49,7 +49,7 @@ One Time Passwords with a smart card loaded with OTP software.
<term>-c<replaceable> count</replaceable></term>
<listitem>
<para>
Configure the optional count parameter to sync a smart card to a challenge.
Configure the optional count parameter to sync a Smart Card to a challenge.
</para>
</listitem>
</varlistentry>
@ -76,7 +76,7 @@ Help.
<term>-i<replaceable> index</replaceable></term>
<listitem>
<para>
Set the 8 bit index. The smart card contains numerically indexed records
Set the 8 bit index. The Smart Card contains numerically indexed records
for each host system. Use the -l option to list hostnames associated with
the index. The default index is 0.
</para>
@ -95,7 +95,7 @@ List SC Readers
<term>-L</term>
<listitem>
<para>
List host systems configured on the smart card. The index is used with the -i option.
List host systems configured on the Smart Card. The index is used with the -i option.
</para>
</listitem>
</varlistentry>
@ -113,7 +113,14 @@ Set new PIN.
<term>-r<replaceable> reader</replaceable></term>
<listitem>
<para>
Set the smart card reader. Use -l to list available readers.
Set Smart Card reader. Use -l to list available readers. A reader
is defined as class:reader:<optional>option</optional>. PCSC and embedded
are the two available classes. The embedded class contains the acr30s driver
which is specified as embedded:acr30s:<optional>serial_port</optional>.
If pcscd is running the first PC/SC reader will be the default followed by
the embedded acr30s driver. Use PCSC: for the first available PC/SC
reader. Use embedded:acr30s:/dev/cuaU0 for the embedded acr30s driver
with serial port /dev/cuaU0.
</para>
</listitem>
</varlistentry>
@ -122,10 +129,10 @@ Set the smart card reader. Use -l to list available readers.
<term>-v<replaceable> card_api_version</replaceable></term>
<listitem>
<para>
Set the smart card API version. The binary API between the terminal
and smart card changed between version 2 and 3. See command mode notes
Set the Smart Card API version. The binary API between the terminal
and Smart Card changed between version 2 and 3. See command mode notes
above. The default version is 3. Configuring version 2 will allow
maintenance of smart card with version 2 firmware.
maintenance of Smart Card with version 2 firmware.
</para>
</listitem>
</varlistentry>
@ -134,7 +141,7 @@ maintenance of smart card with version 2 firmware.
<term>-V</term>
<listitem>
<para>
List the smart card firmware version.
List the Smart Card firmware version.
</para>
</listitem>
</varlistentry>
@ -171,7 +178,7 @@ HOTP: dev1.eng 2A5AB4B78D</computeroutput>
<informalexample>
<para>
List systems configured on smart card in default reader. Generate HOTP
List systems configured on Smart Card in default reader. Generate HOTP
for dev3.eng with count 32.
</para>
<screen>


@ -79,6 +79,8 @@ require_db_entry option is set\&. By default users not in the OTP
database are permitted\&.
.IP "\fIotpdb=\fP\fBalternate_otpdb\fP" 10
\fBalternate_otpdb\fP is used as the OTP database\&.
.IP "\fIwindow=window\fP" 10
Set OTP challenge window\&.
.SH "AUTHOR"
.PP
Mark Fullmer maf@splintered\&.net
@ -93,4 +95,4 @@ Mark Fullmer maf@splintered\&.net
\fBbcload\fP(1)
\fBpam\fP(8)
spyrus-par2(7)
...\" created by instant / docbook-to-man, Mon 30 Nov 2009, 13:16
...\" created by instant / docbook-to-man, Sun 27 Dec 2009, 22:01


@ -148,13 +148,24 @@ CLASS="FILENAME"
>alternate_otpdb</TT
> is used as the OTP database.</P
></DD
><DT
><TT
CLASS="REPLACEABLE"
><I
>window=window</I
></TT
></DT
><DD
><P
>Set OTP challenge window.</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN53"
NAME="AEN58"
></A
><H2
>AUTHOR</H2
@ -171,7 +182,7 @@ HREF="mailto:maf@splintered.net"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN60"
NAME="AEN65"
></A
><H2
>SEE ALSO</H2


@ -1,6 +1,6 @@
<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN">
<!-- $Id: pam_otp.sgml 13 2009-11-26 16:37:03Z maf $ -->
<!-- $Id: pam_otp.sgml 50 2009-12-15 01:37:19Z maf $ -->
<refentry>
@ -95,6 +95,15 @@ database are permitted.
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>window=window</replaceable></term>
<listitem>
<para>
Set OTP challenge window.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>


@ -65,8 +65,12 @@ menu and two digit shortcut methods are provided for host selection\&.
Additional functionality includes Smart Card PIN change, overriding default
increment-on-generate per-host HOTP count behavior, and firmware management\&.
.PP
With the HOTP displayed, press Enter to repeat the host selection process
for additional token generation\&.
With the HOTP displayed, press Enter to repeat the host
selection process for additional token generation or Down Arrow
to generate a token for the next host\&.
.PP
The HOTP token is displayed as 40 bit hexadecimal or 6-10 digit decimal
based on the format bit field provided by the Smart Card\&.
.PP
Use the host selection shortcut to extend battery life\&.
.SS "Basic Functions:"
@ -107,6 +111,12 @@ with this option\&.
\fB<UP>\fP Cursor up one line\&.
.PP
\fB<DOWN>\fP Cursor down one line\&.
.SS "HOTP Display"
.PP
.PP
\fB<Enter>\fP Jump back to host selection\&.
.PP
\fB<DOWN>\fP Generate token for next host\&.
.SH "LOADING FIRMWARE"
.PP
The PAR II is factory loaded with the
@ -191,4 +201,4 @@ may not\&.
\fBurd\fP(1)
\fBbcload\fP(1)
\fBOpenVPN\fP(8)
...\" created by instant / docbook-to-man, Mon 30 Nov 2009, 13:16
...\" created by instant / docbook-to-man, Sun 27 Dec 2009, 22:01


@ -58,14 +58,18 @@ menu and two digit shortcut methods are provided for host selection.
Additional functionality includes Smart Card PIN change, overriding default
increment-on-generate per-host HOTP count behavior, and firmware management.</P
><P
>With the HOTP displayed, press Enter to repeat the host selection process
for additional token generation.</P
>With the HOTP displayed, press Enter to repeat the host
selection process for additional token generation or Down Arrow
to generate a token for the next host.</P
><P
>The HOTP token is displayed as 40 bit hexadecimal or 6-10 digit decimal
based on the format bit field provided by the Smart Card.</P
><P
>Use the host selection shortcut to extend battery life.</P
><DIV
CLASS="REFSECT2"
><A
NAME="AEN19"
NAME="AEN20"
></A
><H3
>Basic Functions:</H3
@ -85,7 +89,7 @@ life. A timeout will turn off the reader off without intervention.</P
><DIV
CLASS="REFSECT2"
><A
NAME="AEN25"
NAME="AEN26"
></A
><H3
>PIN Entry:</H3
@ -108,7 +112,7 @@ CLASS="KEYSYM"
><DIV
CLASS="REFSECT2"
><A
NAME="AEN33"
NAME="AEN34"
></A
><H3
>Host Selection:</H3
@ -156,7 +160,7 @@ CLASS="KEYSYM"
><DIV
CLASS="REFSECT2"
><A
NAME="AEN49"
NAME="AEN50"
></A
><H3
>Host Selection With Menu:</H3
@ -178,11 +182,31 @@ CLASS="KEYSYM"
>DOWN</SPAN
> Cursor down one line.</P
></DIV
><DIV
CLASS="REFSECT2"
><A
NAME="AEN59"
></A
><H3
>HOTP Display</H3
><P
></P
><P
><SPAN
CLASS="KEYSYM"
>Enter</SPAN
> Jump back to host selection.</P
><P
><SPAN
CLASS="KEYSYM"
>DOWN</SPAN
> Generate token for next host.</P
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN58"
NAME="AEN66"
></A
><H2
>LOADING FIRMWARE</H2
@ -248,7 +272,7 @@ CLASS="STEP"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN79"
NAME="AEN87"
></A
><H2
>EEPROM CUSTOMIZATION</H2
@ -355,7 +379,7 @@ CLASS="STEP"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN103"
NAME="AEN111"
></A
><H2
>AUTHOR</H2
@ -372,7 +396,7 @@ HREF="mailto:maf@splintered.net"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN110"
NAME="AEN118"
></A
><H2
>BUGS</H2
@ -384,7 +408,7 @@ may not.</P
><DIV
CLASS="REFSECT1"
><A
NAME="AEN113"
NAME="AEN121"
></A
><H2
>SEE ALSO</H2


@ -1,6 +1,6 @@
<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN">
<!-- $Id: spyrus-par2.sgml 13 2009-11-26 16:37:03Z maf $ -->
<!-- $Id: spyrus-par2.sgml 78 2009-12-26 23:23:40Z maf $ -->
<refentry>
@ -37,8 +37,13 @@ Additional functionality includes Smart Card PIN change, overriding default
increment-on-generate per-host HOTP count behavior, and firmware management.
</para>
<para>
With the HOTP displayed, press Enter to repeat the host selection process
for additional token generation.
With the HOTP displayed, press Enter to repeat the host
selection process for additional token generation or Down Arrow
to generate a token for the next host.
</para>
<para>
The HOTP token is displayed as 40 bit hexadecimal or 6-10 digit decimal
based on the format bit field provided by the Smart Card.
</para>
<para>
Use the host selection shortcut to extend battery life.
@ -126,6 +131,20 @@ Host Selection With Menu:
</para>
</refsect2>
<refsect2>
<title>
HOTP Display
</title>
<para>
<para>
<keysym>Enter</keysym> Jump back to host selection.
</para>
<para>
<keysym>DOWN</keysym> Generate token for next host.
</para>
</refsect1>
<refsect1>


@ -56,7 +56,7 @@
\fBurd\fP \(em Micro footprint RADIUS daemon with One Time Password support\&.
.SH "SYNOPSIS"
.PP
\fBurd\fP [-?AhdDOux] [-a\fI allowed_users_file\fP] [-b\fI local_ip\fP] [-B\fI local_port\fP] [-o\fI otp_db\fP] [-p\fI passwd_file\fP] [-P\fI pid_file\fP] [-s\fI secret_file\fP]
\fBurd\fP [-?AhdDOux] [-a\fI allowed_users_file\fP] [-b\fI local_ip\fP] [-B\fI local_port\fP] [-o\fI otp_db\fP] [-p\fI passwd_file\fP] [-P\fI pid_file\fP] [-s\fI secret_file\fP] [-w\fI otp_window\fP]
.SH "DESCRIPTION"
.PP
The \fBurd\fP daemon implements a minimal subset
@ -139,6 +139,8 @@ will be required\&.
Drop every other RADIUS request from a NAS\&. This is a debugging feature
intended to stress test the reply cache code\&. The reply cache
implements state retention required for the use of One Time Passwords\&.
.IP "-w" 10
Set the OTP challenge window\&.
.SH "EXAMPLES"
.PP
The following command will start the urd server, bind it to IP address
@ -166,4 +168,4 @@ Mark Fullmer maf@splintered\&.net
\fBbcload\fP(1)
\fBotp-ov-plugin\fP(1)
spyrus-par2(7)
...\" created by instant / docbook-to-man, Mon 30 Nov 2009, 13:16
...\" created by instant / docbook-to-man, Sun 27 Dec 2009, 22:01


@ -78,12 +78,17 @@ CLASS="REPLACEABLE"
><I
> secret_file</I
></TT
>] [-w<TT
CLASS="REPLACEABLE"
><I
> otp_window</I
></TT
>]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN28"
NAME="AEN30"
></A
><H2
>DESCRIPTION</H2
@ -177,7 +182,7 @@ with a password this feature will be disabled.</P
><DIV
CLASS="REFSECT1"
><A
NAME="AEN53"
NAME="AEN55"
></A
><H2
>OPTIONS</H2
@ -359,13 +364,19 @@ will be required.</P
intended to stress test the reply cache code. The reply cache
implements state retention required for the use of One Time Passwords.</P
></DD
><DT
>-w</DT
><DD
><P
>Set the OTP challenge window.</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN128"
NAME="AEN134"
></A
><H2
>EXAMPLES</H2
@ -374,7 +385,7 @@ CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN130"
NAME="AEN136"
></A
><P
>The following command will start the urd server, bind it to IP address
@ -408,7 +419,7 @@ CLASS="SCREEN"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN138"
NAME="AEN144"
></A
><H2
>AUTHOR</H2
@ -425,7 +436,7 @@ HREF="mailto:maf@splintered.net"
><DIV
CLASS="REFSECT1"
><A
NAME="AEN145"
NAME="AEN151"
></A
><H2
>SEE ALSO</H2


@ -1,6 +1,6 @@
<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN">
<!-- $Id: urd.sgml 13 2009-11-26 16:37:03Z maf $ -->
<!-- $Id: urd.sgml 50 2009-12-15 01:37:19Z maf $ -->
<refentry>
@ -31,6 +31,7 @@ Micro footprint RADIUS daemon with One Time Password support.
<arg>-p<replaceable> passwd_file</replaceable></arg>
<arg>-P<replaceable> pid_file</replaceable></arg>
<arg>-s<replaceable> secret_file</replaceable></arg>
<arg>-w<replaceable> otp_window</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
@ -226,6 +227,15 @@ implements state retention required for the use of One Time Passwords.
</listitem>
</varlistentry>
<varlistentry>
<term>-w</term>
<listitem>
<para>
Set the OTP challenge window.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>


@ -24,7 +24,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: htsoft-downloader.c 13 2009-11-26 16:37:03Z maf $
* $Id: htsoft-downloader.c 75 2009-12-26 20:59:23Z maf $
*/
#include <sys/types.h>
@ -82,7 +82,7 @@ void help(void);
int htsoft_v1bl_idack(int fd, int verbose);
int htsoft_v1bl_upload(int fd, uint16_t load_offset, uint8_t *buf,
uint8_t buf_len, int verbose, int max_retries);
int htsoft_v1bl_done(int fd, int verbose, int retries);
int htsoft_v1bl_done(int fd, int verbose, int retries, int ignore_wok_timeout);
int n22b(char *h, u_char *b);
int n2b(char *h, u_char *b);
@ -97,7 +97,7 @@ int main(int argc, char **argv)
uint8_t ld_buf[256], ld_buf_len;
uint16_t h_load_offset, tmp_load_offset, buf_load_offset;
int i, r, pic_fd, lineno, lbuf_len, got_eof, pic_tmout, verbose;
int max_retries;
int max_retries, ignore_last_wok_timeout;
char *pic_dev;
xerr_setid(argv[0]);
@ -110,8 +110,9 @@ int main(int argc, char **argv)
max_retries = HTSOFT_RETRIES;
h_load_offset = 0;
buf_load_offset = 0;
ignore_last_wok_timeout = 0;
while ((i = getopt(argc, argv, "f:h?r:t:v:")) != -1) {
while ((i = getopt(argc, argv, "f:h?ir:t:v:")) != -1) {
switch (i) {
@ -125,6 +126,10 @@ int main(int argc, char **argv)
exit(0);
break; /* notreached */
case 'i':
ignore_last_wok_timeout = 1;
break;
case 'r':
max_retries = atoi(optarg);
break;
@ -380,7 +385,8 @@ int main(int argc, char **argv)
if (!got_eof)
xerr_warnx("Warning: Short file, no EOF.");
if (htsoft_v1bl_done(pic_fd, verbose, max_retries) < 0)
if (htsoft_v1bl_done(pic_fd, verbose, max_retries,
ignore_last_wok_timeout) < 0)
xerr_errx(1, "htsoft_v1bl_done(): failed");
close(pic_fd);
@ -682,18 +688,21 @@ int htsoft_v1bl_upload(int fd, uint16_t load_offset, uint8_t *buf,
*
* fd - serial com port
* verbose - verbosity level
* retries - number of retries
* ignore_wok_timeout - ignore last WOK -- some devices do not send this
*
* returns 0 success
* <0 failure
*
*/
int htsoft_v1bl_done(int fd, int verbose, int retries)
int htsoft_v1bl_done(int fd, int verbose, int retries, int ignore_wok_timeout)
{
uint8_t t,r;
int n, good_write, i;
int n, good_write, i, timeout;
t = HTSOFT_V1BL_DONE;
good_write = 0;
timeout = 0;
for (i = 0; i < retries; ++i) {
@ -708,6 +717,13 @@ int htsoft_v1bl_done(int fd, int verbose, int retries)
if ((n = read(fd, &r, 1)) < 0)
xerr_err(1, "read()");
/* some devices may not send this */
if (ignore_wok_timeout && n == 0) {
timeout = 1;
good_write = 1;
break;
}
/* timeout? */
if (n == 0)
continue;
@ -736,6 +752,10 @@ int htsoft_v1bl_done(int fd, int verbose, int retries)
if (verbose && !good_write)
printf("PIC reset failed.\n");
else if (verbose && good_write && ignore_wok_timeout && timeout)
printf("PIC reset sent, ignored last WOK timeout.\n");
else
printf("PIC reset complete.\n");
if (good_write)
return 0; /* success */
@ -747,7 +767,7 @@ int htsoft_v1bl_done(int fd, int verbose, int retries)
void help(void)
{
fprintf(stderr,
"htsoft-downloader [-h?v] [-f serial_device] [-r retries]\n");
"htsoft-downloader [-hi?v] [-f serial_device] [-r retries]\n");
fprintf(stderr,
" [-t timeout (.1 second/timeout)] [-v verbose_level]\n");
} /* help */
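Review bot: With `-i`, the new check in htsoft_v1bl_done treats the very first zero-length read as success (`good_write = 1; break;`) before the retries loop has retried even once, so a transient timeout on the first attempt is no longer distinguishable from a device that never sends the final WOK. Accepting the timeout only on the last attempt keeps the retry behaviour for the common case: `if (ignore_wok_timeout && n == 0 && i + 1 == retries) {`. The usage text only adds the letter `i`; a line such as `" -i : ignore timeout waiting for the last WOK (some devices never send it)\n"` in help() would document what the caller is opting into. htsoft_v1bl_done is split across three hunks here, so the reads between the timeout check and the verbose report are not visible.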


@ -24,7 +24,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: otp-control.c 13 2009-11-26 16:37:03Z maf $
* $Id: otp-control.c 55 2009-12-17 01:59:35Z maf $
*/
#include <sys/types.h>
@ -40,9 +40,6 @@
#include "str.h"
#define MODE_ADD 1
#define MODE_ACTIVATE 2
#define MODE_DEACTIVATE 3
#define MODE_DISABLE 4
#define MODE_DUMP 5
#define MODE_GENERATE 6
#define MODE_LIST 7
@ -52,9 +49,11 @@
#define MODE_SET_COUNT_CEIL 11
#define MODE_TEST 12
#define MODE_CREATE 13
#define MODE_FLAGS_DSPCNT_SET 14
#define MODE_FLAGS_DSPCNT_CLEAR 15
#define MODE_LIST_SC 18
#define MODE_SET_STATUS 19
#define MODE_SET_TYPE 20
#define MODE_SET_FORMAT 21
#define MODE_SET_FLAGS 22
#define KEY_HEX160_LEN 40
@ -71,13 +70,13 @@ int main (int argc, char **argv)
int i, j, r, mode, window, db_flags, open_mode, open_op, verbose;
char *otpdb_fname;
uint64_t u_count, u_count_ceil, count_offset, tmp64u;
uint8_t u_version, u_status, u_format, u_type, sc_index;
uint8_t u_version, u_status, u_format, u_type, u_flags, sc_index;
uint8_t sc_flags[SC_HOSTNAME_LEN];
unsigned char u_key160[20];
char key_hex160[KEY_HEX160_LEN+1];
char crsp_tmp[11];
char *u_username, *u_key_ascii, *sc_hostname;
char *endptr;
char *endptr, *i_status, *i_format, *i_type, *i_flags;
otpdb_fname = OTP_DB_FNAME;
sc_index = 0;
@ -92,16 +91,18 @@ int main (int argc, char **argv)
u_format = OTP_FORMAT_HEX40;
u_type = OTP_TYPE_HOTP;
u_status = OTP_STATUS_ACTIVE;
u_flags = 0;
u_username = (char*)0L;
u_key_ascii = (char*)0L;
endptr = (char*)0L;
sc_hostname = (char*)0L;
bzero(sc_flags, SC_HOSTNAME_LEN);
i_status = i_type = i_format = i_flags = (char*)0L;
/* init xerr */
xerr_setid(argv[0]);
while ((i = getopt(argc, argv, "c:C:hF:H:I:?k:m:no:u:w:v")) != -1) {
while ((i = getopt(argc, argv, "c:C:hf:F:H:I:?k:m:no:s:S:t:u:w:v")) != -1) {
switch (i) {
@ -117,15 +118,13 @@ int main (int argc, char **argv)
xerr_errx(1, "strtoull(%s): failed at %c.", optarg, *endptr);
break;
case 'F' :
for (j = 0; j < strlen(optarg); ++j) {
if (optarg[j] == '0')
sc_flags[HOSTNAME_POS_CHALLENGE] = HOSTNAME_FLAG_MASK;
else if (optarg[j] == '1')
sc_flags[HOSTNAME_POS_READERKEY] = HOSTNAME_FLAG_MASK;
else
xerr_errx(1, "Unknown sc_flag %c.", optarg[j]);
} /* j */
case 'f':
i_format = optarg;
break;
case 'F':
if (str_setflag8(otp_flags_l, &u_flags, optarg, 0, OTP_FLAGS_BITS) < 0)
xerr_errx(1, "Invalid flag %s.", optarg);
break;
case 'H':
@ -153,20 +152,10 @@ int main (int argc, char **argv)
if (!strcasecmp(optarg, "add")) {
mode = MODE_ADD;
} else if (!strcasecmp(optarg, "activate")) {
mode = MODE_ACTIVATE;
} else if (!strcasecmp(optarg, "create")) {
mode = MODE_CREATE;
} else if (!strcasecmp(optarg, "deactivate")) {
mode = MODE_DEACTIVATE;
} else if (!strcasecmp(optarg, "disable")) {
mode = MODE_DISABLE;
} else if (!strcasecmp(optarg, "dump")) {
mode = MODE_DUMP;
} else if (!strcasecmp(optarg, "flags-dspcnt")) {
mode = MODE_FLAGS_DSPCNT_SET;
} else if (!strcasecmp(optarg, "flags-no-dspcnt")) {
mode = MODE_FLAGS_DSPCNT_CLEAR;
} else if (!strcasecmp(optarg, "generate")) {
mode = MODE_GENERATE;
} else if (!strcasecmp(optarg, "list")) {
@ -181,6 +170,14 @@ int main (int argc, char **argv)
mode = MODE_SET_COUNT;
} else if (!strcasecmp(optarg, "set-count-ceil")) {
mode = MODE_SET_COUNT_CEIL;
} else if (!strcasecmp(optarg, "set-flags")) {
mode = MODE_SET_FLAGS;
} else if (!strcasecmp(optarg, "set-format")) {
mode = MODE_SET_FORMAT;
} else if (!strcasecmp(optarg, "set-status")) {
mode = MODE_SET_STATUS;
} else if (!strcasecmp(optarg, "set-type")) {
mode = MODE_SET_TYPE;
} else if (!strcasecmp(optarg, "test")) {
mode = MODE_TEST;
} else {
@ -188,6 +185,25 @@ int main (int argc, char **argv)
}
break;
case 's':
i_status = optarg;
break;
case 'S' :
for (j = 0; j < strlen(optarg); ++j) {
if (optarg[j] == '0')
sc_flags[HOSTNAME_POS_CHALLENGE] = HOSTNAME_FLAG_MASK;
else if (optarg[j] == '1')
sc_flags[HOSTNAME_POS_READERKEY] = HOSTNAME_FLAG_MASK;
else
xerr_errx(1, "Unknown sc_flag %c.", optarg[j]);
} /* j */
break;
case 't':
i_type = optarg;
break;
case 'n':
db_flags |= OTP_DB_CREATE_SOFT;
break;
@ -232,12 +248,38 @@ int main (int argc, char **argv)
if ((mode == MODE_LIST_SC) && (!sc_hostname))
xerr_errx(1, "Hostname required.");
/* check username length */
if (u_username && (strlen(u_username) > OTP_USER_NAME_LEN))
xerr_errx(1, "Username > OTP_USER_NAME_LEN.");
/* input key */
if (u_key_ascii && u_key_ascii[0] != '-')
xerr_errx(1, "Key not accepted on command line, use - for stdin");
/* format */
if (i_format)
if (str_find8(otp_format_l, &u_format, i_format, 1, OTP_FORMAT_MAX))
xerr_errx(1, "Invalid format %s.", i_format);
if ((mode == MODE_SET_FORMAT) && (!i_format))
xerr_errx(1, "Format value not specified.");
/* status */
if (i_status)
if (str_find8(otp_status_l, &u_status, i_status, 1, OTP_STATUS_MAX))
xerr_errx(1, "Invalid status %s.", i_status);
if ((mode == MODE_SET_STATUS) && (!i_status))
xerr_errx(1, "Status value not specified.");
/* type */
if (i_type)
if (str_find8(otp_type_l, &u_type, i_type, 1, OTP_TYPE_MAX))
xerr_errx(1, "Invalid type %s.", i_type);
if ((mode == MODE_SET_TYPE) && (!i_type))
xerr_errx(1, "Type value not specified.");
/* user specified key? need key material? */
if (mode == MODE_ADD) {
@ -307,20 +349,16 @@ int main (int argc, char **argv)
/*
* modes requiring open and get of user record:
* ACTIVATE, DEACTIVATE, DISABLE, GENERATE, LIST, SET_COUNT,
* SET_COUNT_CEIL, TEST, FLAGS_DSPCNT_SET, FLAGS_DSPCNT_CLEAR
*/
if ((mode == MODE_ACTIVATE) ||
(mode == MODE_DEACTIVATE) ||
(mode == MODE_DISABLE) ||
(mode == MODE_FLAGS_DSPCNT_SET) ||
(mode == MODE_FLAGS_DSPCNT_CLEAR) ||
(mode == MODE_GENERATE) ||
if ((mode == MODE_GENERATE) ||
(mode == MODE_LIST) ||
(mode == MODE_LIST_SC) ||
(mode == MODE_SET_COUNT) ||
(mode == MODE_SET_COUNT_CEIL) ||
(mode == MODE_SET_FLAGS) ||
(mode == MODE_SET_FORMAT) ||
(mode == MODE_SET_STATUS) ||
(mode == MODE_SET_TYPE) ||
(mode == MODE_TEST)) {
/* rw or ro? */
@ -381,29 +419,25 @@ int main (int argc, char **argv)
} /* MODE_GENERATE */
if ((mode == MODE_ACTIVATE) ||
(mode == MODE_DEACTIVATE) ||
(mode == MODE_DISABLE) ||
(mode == MODE_FLAGS_DSPCNT_SET) ||
(mode == MODE_FLAGS_DSPCNT_CLEAR) ||
(mode == MODE_SET_COUNT) ||
(mode == MODE_SET_COUNT_CEIL)) {
if ((mode == MODE_SET_COUNT) ||
(mode == MODE_SET_COUNT_CEIL) ||
(mode == MODE_SET_FLAGS) ||
(mode == MODE_SET_FORMAT) ||
(mode == MODE_SET_STATUS) ||
(mode == MODE_SET_TYPE)) {
if (mode == MODE_ACTIVATE)
ou.status = OTP_STATUS_ACTIVE;
else if (mode == MODE_DEACTIVATE)
ou.status = OTP_STATUS_INACTIVE;
else if (mode == MODE_DISABLE)
ou.status = OTP_STATUS_DISABLED;
else if (mode == MODE_SET_COUNT)
if (mode == MODE_SET_COUNT)
ou.count = u_count;
else if (mode == MODE_SET_COUNT_CEIL)
ou.count_ceil = u_count_ceil;
else if (mode == MODE_FLAGS_DSPCNT_SET)
ou.flags |= OTP_USER_FLAGS_DSPCNT;
else if (mode == MODE_FLAGS_DSPCNT_CLEAR)
ou.flags &= ~OTP_USER_FLAGS_DSPCNT;
else if (mode == MODE_SET_FLAGS)
ou.flags = u_flags;
else if (mode == MODE_SET_FORMAT)
ou.format = u_format;
else if (mode == MODE_SET_STATUS)
ou.status = u_status;
else if (mode == MODE_SET_TYPE)
ou.type = u_type;
if (otp_urec_put(otpctx, &ou) < 0)
xerr_errx(1, "otp_urec_put(): failed.");
@ -435,35 +469,58 @@ mode_done:
return 0;
}
} /* main */
void help(void)
{
fprintf(stderr, "otp-control [-?hnv] [-c count] [-C count_ceil] [-F sc_flags] [-H sc_hostname]\n");
fprintf(stderr, " [-I sc_index] [-k key] [ -m command_mode] [-o otbdb_pathname]\n");
fprintf(stderr, " [-u username] [-w window]\n\n");
int i;
fprintf(stderr, "otp-control [-?hnv] [-c count] [-C count_ceil] [-f format] [-F flags]\n");
fprintf(stderr, " [-H sc_hostname] [-I sc_index] [-k key] [-m command_mode]\n");
fprintf(stderr, " [-o otbdb_pathname] [-s status] [-S sc_flags] [ -t type]\n");
fprintf(stderr, " [-u username] [-w window]\n");
fprintf(stderr, " -h : help\n");
fprintf(stderr, " -n : create database\n");
fprintf(stderr, " -v : enable verbose output\n\n");
fprintf(stderr, " sc_flags : 0=CHALLENGE, 1=READERKEY\n");
fprintf(stderr, " sc_flags : 0=CHALLENGE 1=READERKEY\n");
fprintf(stderr, " flags : ");
for (i = 0; i < OTP_FLAGS_BITS; ++i)
fprintf(stderr, "%s ", otp_flags_l[i]);
fprintf(stderr, "\n");
fprintf(stderr, " format list : ");
for (i = 1; i <= OTP_FORMAT_MAX; ++i)
fprintf(stderr, "%s ", otp_format_l[i]);
fprintf(stderr, "\n");
fprintf(stderr, " type list : ");
for (i = 1; i <= OTP_TYPE_MAX; ++i)
fprintf(stderr, "%s ", otp_type_l[i]);
fprintf(stderr, "\n");
fprintf(stderr, " status list : ");
for (i = 1; i <= OTP_STATUS_MAX; ++i)
fprintf(stderr, "%s ", otp_status_l[i]);
fprintf(stderr, "\n");
fprintf(stderr, "\n");
fprintf(stderr, " Mode Description\n");
fprintf(stderr, " -------------------------------------------------\n");
fprintf(stderr, " add - Add user\n");
fprintf(stderr, " activate - Activate user\n");
fprintf(stderr, " create - Create database\n");
fprintf(stderr, " deactivate - Deactivate user\n");
fprintf(stderr, " disable - Disable user\n");
fprintf(stderr, " dump - ASCII dump user record(s)\n");
fprintf(stderr, " flags-dspcnt - Set user display count flag.\n");
fprintf(stderr, " flags-no-dspcnt - Clear user display count flag.\n");
fprintf(stderr, " generate - Generate HOTP for user\n");
fprintf(stderr, " list - List user record (printable)\n");
fprintf(stderr, " list-sc - List user record (SC friendly)\n");
fprintf(stderr, " load - ASCII load user record(s)\n");
fprintf(stderr, " remove - Remove user\n");
fprintf(stderr, " set-count - Reset count for user\n");
fprintf(stderr, " set-count-ceil - Reset count ceiling for user\n");
fprintf(stderr, " set-count - Set user count\n");
fprintf(stderr, " set-count-ceil - Set user count ceiling\n");
fprintf(stderr, " set-flags - Set user flags\n");
fprintf(stderr, " set-format - Set user format\n");
fprintf(stderr, " set-status - Set user status\n");
fprintf(stderr, " set-type - Set user OTP type\n");
fprintf(stderr, " test - Test user\n");
}
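Review bot: No check is visible that `-F` was supplied for `set-flags`, unlike the `Format value not specified` / `Status value not specified` / `Type value not specified` checks next to the `str_find8` calls, so `-m set-flags` without `-F` reaches `ou.flags = u_flags;` with the default `u_flags = 0` and clears every flag on the record. `i_flags` is declared and zeroed for exactly this but never assigned; adding `i_flags = optarg;` in `case 'F':` and `if ((mode == MODE_SET_FLAGS) && (!i_flags)) xerr_errx(1, "Flags value not specified.");` beside the other three checks closes the gap. Note also that `-F` changed meaning from sc_flags to user flags while sc_flags moved to `-S`, so existing invocations of `-F 0`/`-F 1` now either fail or set something else; that deserves a line in the man page. main starts and ends outside these hunks.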


@ -24,7 +24,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: otp-ov-plugin.c 13 2009-11-26 16:37:03Z maf $
* $Id: otp-ov-plugin.c 50 2009-12-15 01:37:19Z maf $
*/
#include <stdio.h>
@ -41,17 +41,19 @@ void help(void);
int main (int argc, char **argv)
{
struct otp_ctx *otpctx;
char *otpdb_fname, *username, *pass;
int db_flags, i, r, ret;
u_long tmpul;
char *otpdb_fname, *username, *pass, *endptr;
int db_flags, i, r, ret, otp_window;
/* init xerr */
xerr_setid(argv[0]);
otpdb_fname = OTP_DB_FNAME;
db_flags = 0;
otp_window = OTP_WINDOW_DEFAULT;
ret = -1; /* fail */
while ((i = getopt(argc, argv, "h?o:v")) != -1) {
while ((i = getopt(argc, argv, "h?o:vw:")) != -1) {
switch (i) {
@ -68,6 +70,15 @@ int main (int argc, char **argv)
db_flags |= OTP_DB_VERBOSE;
break;
case 'w':
tmpul = strtoul(optarg, &endptr, 0);
if (*endptr)
xerr_errx(1, "stroul(%s): failed at %c.", optarg, *endptr);
if (tmpul > OTP_WINDOW_MAX)
xerr_errx(1, "Challenge window %lu > %lu.", tmpul, OTP_WINDOW_MAX);
otp_window = tmpul;
break;
default:
help();
exit(1);
@ -91,7 +102,7 @@ int main (int argc, char **argv)
if (r != 0)
xerr_errx(1, "User %s does not exist in otp database.", username);
if ((r = otp_user_auth(otpctx, username, pass, OTP_HOTP_WINDOW)) < 0)
if ((r = otp_user_auth(otpctx, username, pass, otp_window)) < 0)
xerr_errx(1, "otp_user_auth(): failed.");
if (otp_db_close(otpctx) < 0)
@ -114,7 +125,7 @@ int main (int argc, char **argv)
void help()
{
fprintf(stderr, "otp-ov-plugin [-?hv] [-o otpdb_pathname]\n");
fprintf(stderr, "otp-ov-plugin [-?hv] [-o otpdb_pathname] [-w otp_window]\n");
fprintf(stderr, " -h : help\n");
fprintf(stderr, " -v : enable verbose output\n");
} /* help */
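Review bot: The `-w` parser in `case 'w':` accepts an empty argument as window 0 and ignores ERANGE, because it tests only `*endptr`; `strtoul("", ...)` returns 0 with `endptr == optarg` and a NUL at `*endptr`. Checking `if (endptr == optarg || *endptr)` rejects that, and the message should read `strtoul`, not `stroul`. The `%lu` conversion for `OTP_WINDOW_MAX` is only correct if that macro has type unsigned long; if it is a plain integer constant (its definition is not visible here) the format does not match, and `(unsigned long)OTP_WINDOW_MAX` makes it safe either way. The same parsing block is repeated in pam_otp.c's load_opts. main continues outside the hunk.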


@ -24,7 +24,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: pam_otp.c 13 2009-11-26 16:37:03Z maf $
* $Id: pam_otp.c 56 2009-12-17 02:08:05Z maf $
*/
#include <stdio.h>
@ -80,10 +80,11 @@ struct opts {
int display_count;
int allow_inactive;
int require_db_entry;
int otp_window;
char *otpdb_fname;
};
int load_opts(struct opts *opts, int argc, const char **argv);
void load_opts(struct opts *opts, int argc, const char **argv);
PAM_EXTERN
int pam_sm_authenticate(pam_handle_t *ph, int flags, int argc,
@ -212,7 +213,7 @@ int pam_sm_authenticate(pam_handle_t *ph, int flags, int argc,
pam_msg.msg = (char *)&message;
/* prompt for challenge with optional count */
if (opts.display_count || (ou.flags & OTP_USER_FLAGS_DSPCNT))
if (opts.display_count || (ou.flags & OTP_FLAGS_DSPCNT))
sprintf(message, "HOTP Challenge (%" PRIu64 "): ", ou.count);
else
sprintf(message, "HOTP Challenge: ");
@ -236,10 +237,11 @@ int pam_sm_authenticate(pam_handle_t *ph, int flags, int argc,
}
if (opts.expose_account)
xerr_info("OTP: user=%s response=%s", user, pam_resp->resp);
xerr_info("OTP: user=%s response=%s window=%d", user,
pam_resp->resp, opts.otp_window);
if ((r = otp_user_auth(otpctx, (char*)user, pam_resp->resp,
OTP_HOTP_WINDOW)) < 0) {
opts.otp_window)) < 0) {
xerr_warnx("otp_user_auth(): failed.");
ret = PAM_SERVICE_ERR;
goto cleanup;
@ -321,12 +323,14 @@ struct pam_module _pam_test_modstruct = {
#endif
int load_opts(struct opts *opts, int argc, const char **argv)
void load_opts(struct opts *opts, int argc, const char **argv)
{
int ret = 0;
u_long tmpul;
char *endptr;
bzero(opts, sizeof *opts);
opts->otpdb_fname = OTP_DB_FNAME;
opts->otp_window = OTP_WINDOW_DEFAULT;
/* foreach argument */
while (argc--) {
@ -347,9 +351,15 @@ int load_opts(struct opts *opts, int argc, const char **argv)
opts->require_db_entry = 1;
} else if (!strncmp(*argv, "otpdb=", 6)) {
opts->otpdb_fname=(char*)(*argv)+6;
} else if (!strncmp(*argv, "window=", 7)) {
tmpul = strtoul(optarg, &endptr, 0);
if (*endptr)
xerr_errx(1, "stroul(%s): failed at %c.", *argv, *endptr);
if (tmpul > OTP_WINDOW_MAX)
xerr_errx(1, "Challenge window %lu > %lu.", tmpul, OTP_WINDOW_MAX);
opts->otp_window = tmpul;
} else {
xerr_warnx("Unrecognized argument - %s", argv);
ret = -1;
xerr_errx(1, "Unrecognized argument - %s", argv);
}
++argv;
@ -362,6 +372,4 @@ int load_opts(struct opts *opts, int argc, const char **argv)
opts->otpdb_fname);
}
return ret;
} /* load_opts */
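Review bot: `load_opts` parses `window=` from getopt's `optarg` (`tmpul = strtoul(optarg, &endptr, 0);`) rather than from the argument string it is iterating; nothing in this PAM argument loop sets `optarg`, so the call reads an unrelated or null pointer and never the configured value. It should be `tmpul = strtoul(*argv + 7, &endptr, 0);` with `if (endptr == *argv + 7 || *endptr)` as the error test, and the message should say `strtoul`. Replacing the `ret = -1` path with `xerr_errx(1, ...)` also means that, if xerr_errx exits like errx(3), a typo in the PAM configuration now terminates the hosting process (sshd, login, ...) from inside the shared object instead of failing the single authentication; returning the error to pam_sm_authenticate and mapping it to PAM_SERVICE_ERR is the safer behaviour for a module. The retained `"Unrecognized argument - %s", argv` passes a `const char **` to `%s`; it should be `*argv`. load_opts continues outside the hunk.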


@ -24,7 +24,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: otp-sca.c 13 2009-11-26 16:37:03Z maf $
* $Id: otp-sca.c 88 2009-12-28 00:12:01Z maf $
*/
#include <sys/cdefs.h>
@ -118,7 +118,7 @@ int main(int argc, char **argv)
struct scr_ctx *scrctx;
int i, j, k, r, mode, sc_idx_set, j_start, j_end, done, sc_idx_tmp, opt_mod;
int no_PIN, list_readers;
uint32_t tmp_count, tmp_cap;
uint32_t tmp_count, tmp_cap, tmp32u;
uint64_t tmp64u;
char sc_hostname[SC_HOSTNAME_LEN+1], sc_PIN[SC_PIN_LEN+1];
char sc_newPIN[SC_PIN_LEN+1], sc_newPIN2[SC_PIN_LEN+1];
@ -149,9 +149,9 @@ int main(int argc, char **argv)
sc_fv = 5;
tmp_count = 0;
username = "USER";
reader = SCR_DEFAULT_READER;
list_readers = 0; /* no */
scrctx = (struct scr_ctx*)0L;
reader = (char*)0L;
BZS(sc_hotp);
BZS(sc_idx);
@ -673,6 +673,19 @@ int main(int argc, char **argv)
/* successful SC transaction? */
if (r == 0) {
if (sc_hostname[HOSTNAME_POS_FMT] & HOSTNAME_FLAG_MASK) {
tmp32u = (sc_hotp[0] << 24) | (sc_hotp[1] << 16) |
(sc_hotp[2] << 8) | sc_hotp[3];
k = str_uint32toa(fmt_buf, tmp32u);
} else {
k = str_hex_dump(fmt_buf, sc_hotp, 5);
}
for (i = 0, j = 0; i < SC_HOSTNAME_LEN; ++i) {
/* high bit flag set? */
@ -686,7 +699,12 @@ int main(int argc, char **argv)
xerr_warnx("readerkey flag set and key not in SC transaction.");
} else if ((i != HOSTNAME_POS_CHALLENGE) &&
(i != HOSTNAME_POS_READERKEY)) {
(i != HOSTNAME_POS_READERKEY) &&
(i != HOSTNAME_POS_FMT) &&
(i != HOSTNAME_POS_FMT3) &&
(i != HOSTNAME_POS_FMT2) &&
(i != HOSTNAME_POS_FMT1) &&
(i != HOSTNAME_POS_FMT0)) {
xerr_warnx("sc_hostname high bit set on byte %d.", i);
}
}
@ -696,19 +714,21 @@ int main(int argc, char **argv)
}
str_hex_dump(fmt_buf, sc_hotp, 5);
if (opt_mod & OPT_MOD_HOST) {
strcpy(fmt_buf+10, " -- ");
str_ftoc(fmt_buf+14, sc_hostname, SC_HOSTNAME_LEN);
strcpy(fmt_buf+k, " -- ");
str_ftoc(fmt_buf+k+4, sc_hostname, SC_HOSTNAME_LEN);
}
printf("HOTP: %s\n", fmt_buf);
} else if (r == 1) {
printf("HOTP: rejected\n");
} else {
xerr_errx(1, err_msg);
}
} /* MODE_HOTP_GEN */
@ -820,9 +840,9 @@ int main(int argc, char **argv)
xerr_errx(1, "sccmd_SetAdminKey(): failed.");
if (r == 0)
printf("Set AdminKey: Done\n");
printf("Set AdminKey: Done.\n");
else if (r == 1)
printf("Set AdminKey: Fail\n");
printf("Set AdminKey: Fail.\n");
else
xerr_errx(1, "sccmd_SetAdminKey(): fatal.");
@ -832,18 +852,29 @@ int main(int argc, char **argv)
if (mode == MODE_BALANCECARD_SET) {
if (!sc_idx_set)
sc_idx[0] = SC_BALANCECARD_DISABLE;
if ((r = sccmd_SetBalanceCardIndex(scrctx, sc_fv, sc_idx)) < 0)
xerr_errx(1, "sccmd_SetBalanceCardIndex(): failed.");
if (r == 0)
printf("Set BalanceCardIndex: Disabled\n");
else if (r == 1)
printf("Set BalanceCardIndex: Fail\n");
if (r == 0) {
if (sc_idx[0] == SC_BALANCECARD_DISABLE)
printf("Disable BalanceCard: Done.\n");
else
printf("Set BalanceCardIndex: Done.\n");
} else if (r == 1) {
printf("Set BalanceCardIndex: Fail.\n");
} else {
xerr_errx(1, "sccmd_SetBalanceCardIndex(): fatal.");
}
} /* MODE_BALANCECARD_SET */
/****************/
@ -1027,9 +1058,9 @@ int main(int argc, char **argv)
}
if (r == 0)
printf("SetHost (%d): Done\n", (int)sc_idx[0]);
printf("SetHost (%d): Done.\n", (int)sc_idx[0]);
else if (r == 1)
printf("SetHost (%d): Fail\n", (int)sc_idx[0]);
printf("SetHost (%d): Fail.\n", (int)sc_idx[0]);
else
xerr_errx(1, err_msg);
@ -1060,10 +1091,10 @@ int main(int argc, char **argv)
if (r == 0)
printf("SetSpyrusEEBlock (%d): Done\n",
printf("SetSpyrusEEBlock (%d): Done.\n",
(int)sc_spyrusee_idx[0] & ~HOSTNAME_FLAG_MASK);
else if (r == 1)
printf("SetSpyrusEEBlock (%d): Fail\n",
printf("SetSpyrusEEBlock (%d): Fail.\n",
(int)sc_spyrusee_idx[0] & ~HOSTNAME_FLAG_MASK);
else
xerr_errx(1, err_msg);
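Review bot: `tmp32u = (sc_hotp[0] << 24) | ...` shifts a value promoted to int; if `sc_hotp` is an unsigned-char array (its declaration is outside the hunk), a first byte of 0x80 or above shifts a 1 into the sign bit, which is undefined behaviour in C. Widening before the shift avoids it: `tmp32u = ((uint32_t)sc_hotp[0] << 24) | ((uint32_t)sc_hotp[1] << 16) | ((uint32_t)sc_hotp[2] << 8) | sc_hotp[3];`. The identical expression is added in otp-sct.c's main and needs the same cast. In the hunk below it, the `str_hex_dump(fmt_buf, sc_hotp, 5);` line shown just above the `OPT_MOD_HOST` block must not survive on the new side, or it overwrites the decimal string just formatted and leaves `k` pointing past the wrong text; the rendered page does not show whether it was removed. main starts and ends outside these hunks.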


@ -24,7 +24,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: otp-sct.c 13 2009-11-26 16:37:03Z maf $
* $Id: otp-sct.c 88 2009-12-28 00:12:01Z maf $
*/
#include <sys/cdefs.h>
@ -80,7 +80,7 @@ int main(int argc, char **argv)
struct scr_ctx *scrctx;
int i, j, k, r, sc_idx_set, sc_idx_tmp, j_start, j_end;
int reset_pin, list_readers, list_version, get_hotp_version, list_hostnames;
uint32_t tmp_count;
uint32_t tmp_count, tmp32u;
uint64_t tmp64u;
char sc_hostname[SC_HOSTNAME_LEN+1], sc_pin[SC_PIN_LEN+1];
char sc_newpin[SC_PIN_LEN+1], sc_newpin2[SC_PIN_LEN+1];
@ -98,7 +98,7 @@ int main(int argc, char **argv)
sc_idx_set = 0;
reset_pin = 0; /* no */
tmp_count = 0;
reader = SCR_DEFAULT_READER;
reader = (char*)0L;
list_readers = 0; /* no */
list_version = 0; /* no */
list_hostnames = 0; /* no */
@ -217,7 +217,8 @@ int main(int argc, char **argv)
} /* need PIN */
if (!(scrctx = scr_ctx_new(SCR_READER_EMBEDDED_ACR30S|SCR_READER_PCSC, debug))) {
if (!(scrctx = scr_ctx_new(SCR_READER_EMBEDDED_ACR30S|SCR_READER_PCSC,
debug))) {
xerr_errx(1, "scr_ctx_new(): failed");
}
@ -389,6 +390,19 @@ int main(int argc, char **argv)
/* successful SC transaction? */
if (r == 0) {
if (sc_hostname[HOSTNAME_POS_FMT] & HOSTNAME_FLAG_MASK) {
tmp32u = (sc_hotp[0] << 24) | (sc_hotp[1] << 16) |
(sc_hotp[2] << 8) | sc_hotp[3];
str_uint32toa(fmt_buf, tmp32u);
} else {
str_hex_dump(fmt_buf, sc_hotp, 5);
}
for (i = 0, j = 0; i < SC_HOSTNAME_LEN; ++i) {
/* clear high bit for display */
@ -396,7 +410,6 @@ int main(int argc, char **argv)
}
str_hex_dump(fmt_buf, sc_hotp, 5);
if (get_hotp_version == 3) {
str_ftoc(fmt_buf2, sc_hostname, SC_HOSTNAME_LEN);


@ -24,7 +24,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: main.c 13 2009-11-26 16:37:03Z maf $
* $Id: main.c 89 2009-12-28 01:35:00Z maf $
*/
#include <htc.h>
@ -65,7 +65,6 @@ GOTO 0x04; Jump to startup
#define SC_GETHOTPHOSTCOUNT32_CLA 0x80
#define SC_GETSPYRUSEEBLOCK_CLA 0x80
#define SC_GETHOSTNAME_INS 0x44
#define SC_GETHOTP_INS 0x46
#define SC_SETPIN_INS 0x4C
@ -75,12 +74,11 @@ GOTO 0x04; Jump to startup
#define SC_GETHOTPHOSTCOUNT32_INS 0x5C
#define SC_GETSPYRUSEEBLOCK_INS 0xA2
U8 protocol = 0x03;
RESP_INFO *Resp;
bank1 U8 Buf[72]; /* Spyrus I/O buffer */
bank2 U8 dbuf[2][16]; /* two current hostnames for menu */
bank2 U8 obuf[2][1]; /* option buffer for menu items */
bank2 U8 obuf[2]; /* option buffer for menu items */
U8 myPIN[5]; /* PIN */
U8 newPIN[5]; /* newPIN if set */
@ -216,12 +214,12 @@ const U8 VERSION[] = {
/* Serial # */
0x0A, 'm', 'a', 'f', ' ', 'H', 'O', 'T', 'P', ' ', ' ',\
/* AE kernel version / program access (unused) */
0x13, 0x22, 0x33
0x14, 0x22, 0x33
};
U8 getPIN(U8 *dest, U8 pos);
void getCount(void);
void dispHOTP(void);
U8 dispHOTP(U8 fmt);
U8 hexdigit(U8 d);
@ -236,6 +234,7 @@ void cmdSCGetSpyrusEEBlock(U8 i);
U8 doSCGetHostname(U8 idx, U8 row);
void powerdown(void);
void msg_powerdown(void);
void menuUpdateCursor(void);
void menuUpdate(void);
@ -254,13 +253,19 @@ U8 EELen(U8 addr, U8 len);
#define HOSTNAME_FLAG_MASK 0x80 /* high bit set */
#define HOSTNAME_POS_CHALLENGE 0x00 /* require challenge input */
#define HOSTNAME_POS_READERKEY 0x01 /* require reader key */
#define HOSTNAME_POS_READERKEY 1 /* require reader key */
#define HOSTNAME_POS_FMT 2 /* format, 0=hex, 1=decimal */
#define HOSTNAME_POS_FMT3 8 /* 0000=HEX40, 0001=HEX40 */
#define HOSTNAME_POS_FMT2 9 /* 0010=DEC31.6 0011=DEC31.7 */
#define HOSTNAME_POS_FMT1 10 /* 0100=DEC31.8 0101=DEC31.9 */
#define HOSTNAME_POS_FMT0 11 /* 0110=DEC31.10 0111=DHEX40 */
#define OPTION_FLAG_CHALLENGE 0x01 /* option set to request challenge */
#define OPTION_FLAG_FMT 0x02 /* option to format HOTP */
int main(void)
{
U8 i, c, j, addr;
U8 i, c, j, addr, fmt;
/* init */
Resp = (RESP_INFO*)Buf;
@ -278,7 +283,7 @@ int main(void)
Str2Lcd(0,0,&Resp->data[2]);
#else
EE2LCD(0, 0, EE_CALC_MSG_ADDR, EE_CALC_MSG_LEN);
powerdown();
msg_powerdown();
#endif /* NO_CALC */
} /* SQ_CALC */
@ -405,7 +410,7 @@ int main(void)
/* no hosts on card then nothing to do */
if (menu_active == 0) {
EE2LCD(0, 0, EE_NOHOSTS_ADDR, EE_NOHOSTS_LEN);
powerdown();
msg_powerdown();
}
/* display menu */
@ -479,7 +484,7 @@ int main(void)
sc_idx = menu_idx - menu_active + menu_cursor;
/* challenge input? */
if ((obuf[menu_cursor][0] & OPTION_FLAG_CHALLENGE) ||
if ((obuf[menu_cursor] & OPTION_FLAG_CHALLENGE) ||
(ml_flags & FLAGS_INPUT_COUNT))
getCount();
@ -503,16 +508,23 @@ int main(void)
dbuf[0][i] = dbuf[menu_cursor][i+3];
dbuf[0][12] = 0;
/* display HOTP screen */
dispHOTP();
/* Binary/Hex HOTP format */
(obuf[menu_cursor] & OPTION_FLAG_FMT) ? fmt = 1 : fmt = 0;
/* display HOTP and maybe cycle to next system */
if (dispHOTP(fmt)) {
ClearLcd();
sc_idx ++;
goto enter_shortcut;
} /* dispHOTP() */
} else {
/* Failure */
Str2Lcd(0,0,"GHPC32 Fail");
/* any key to continue */
GetRawKey(Resp);
Str2Lcd(0,0,"GHPC32:fail");
msg_powerdown();
} /* SC transaction */
@ -521,7 +533,8 @@ int main(void)
/* next input */
continue;
}
} /* RAW_ENTER */
/****** CHANGE PIN ****/
if (key == RAW_STAR) {
@ -544,7 +557,7 @@ int main(void)
ClearLcd();
EE2LCD(0, 0, EE_TRYHARDER_ADDR, EE_TRYHARDER_LEN);
Beep(2);
GetRawKey(Resp);
keyGet();
continue;
}
@ -579,14 +592,15 @@ int main(void)
myPIN[4] = newPIN[4];
} else {
/* Failure */
Str2Lcd(0,0,"SetPIN Fail");
Str2Lcd(0,0,"SetPIN:fail");
msg_powerdown();
}
/* go back to initial screen */
ml_flags |= FLAGS_SCREEN0_UPDATE;
/* any key to continue */
GetRawKey(Resp);
keyGet();
/* success / next input */
continue;
@ -596,10 +610,12 @@ int main(void)
/***** CLEAN INPUT DIGITS */
if (key == RAW_CANCEL) {
short_d0 = 0;
ml_flags &= ~FLAGS_MENU_SHORT_D0;
continue;
}
} /* RAW_CANCEL */
/****** MENU SHORTCUT WITH DIGIT ENTRY ***** */
@ -637,6 +653,9 @@ int main(void)
enter_shortcut:
/* the next sequential HOTP can be selected with the down arrow */
while (1) {
/* input count first? */
if (ml_flags & FLAGS_INPUT_COUNT)
getCount();
@ -665,21 +684,45 @@ enter_shortcut:
dbuf[0][i] = (Buf[20+i]&0x7F);
dbuf[0][12] = 0;
/* display HOTP screen */
dispHOTP();
/* Binary/Hex HOTP format */
(Buf[20+HOSTNAME_POS_FMT] & HOSTNAME_FLAG_MASK) ? fmt = 1 : fmt = 0;
/* display HOTP and maybe cycle to next system */
if(dispHOTP(fmt)) {
sc_idx ++;
ClearLcd();
continue;
} else {
break; /* done */
}
} else {
Str2Lcd(0,0,"GHPHC32:empt");
/* fatal */
msg_powerdown();
} /* hostname not empty */
} else {
/* Failure */
Str2Lcd(0,0,"GHPHC32 Fail");
Str2Lcd(0,0,"GHPHC32:fail");
/* any key to continue */
GetRawKey(Resp);
/* fatal */
msg_powerdown();
} /* SC transaction */
} /* while 1 */
/* initialize for main screen input */
menuInit();
@ -814,7 +857,8 @@ U8 getPIN(U8 *dest, U8 pos)
void keyGet(void)
{
GetRawKey(Resp);
if (GetRawKey(Resp))
powerdown();
key = *Resp->data;
} /* keyGet */
@ -1017,6 +1061,7 @@ U8 SCTransact(void)
if (CardPowerOn(Resp)) {
ClearLcd();
EE2LCD(0, 0, EE_NOCARD_ADDR, EE_NOCARD_LEN);
CardPowerOff();
r = 1; /* no card */
goto SCTransact_err2;
}
@ -1070,7 +1115,7 @@ SCTransact_err:
/* get any key */
SCTransact_err2:
GetRawKey(Resp);
keyGet();
ClearLcd();
@ -1128,9 +1173,12 @@ U8 doSCGetHostname(U8 idx, U8 row)
/* high bit set on first character signals challenge required */
if (Buf[11+HOSTNAME_POS_CHALLENGE] & HOSTNAME_FLAG_MASK)
obuf[row][0] = OPTION_FLAG_CHALLENGE;
obuf[row] = OPTION_FLAG_CHALLENGE;
else
obuf[row][0] = 0;
obuf[row] = 0;
if (Buf[11+HOSTNAME_POS_FMT] & HOSTNAME_FLAG_MASK)
obuf[row] |= OPTION_FLAG_FMT;
/* empty hostname is last */
if (Buf[11] == 0)
@ -1150,7 +1198,8 @@ U8 doSCGetHostname(U8 idx, U8 row)
} else {
powerdown();
Str2Lcd(0,0,"GHN:fail");
msg_powerdown();
}
@ -1158,13 +1207,17 @@ U8 doSCGetHostname(U8 idx, U8 row)
} /* doSCGetHostname */
void powerdown(void)
void msg_powerdown(void)
{
CardPowerOff();
GetRawKey(Resp);
DeactivateRdr();
} /* off */
void powerdown(void)
{
DeactivateRdr();
}
void menuUpdate(void)
{
ClearLcd();
@ -1197,17 +1250,40 @@ void menuUpdateCursor(void)
} /* menuUpdateCursor() */
void dispHOTP(void)
U8 dispHOTP(U8 fmt)
{
U8 i, j, c;
U32 u32;
char *s;
/* HOTP to hex */
if (fmt == 0) { /* HEX */
for (i = 0, j = 0; i < 5; ++i) {
c = Buf[15+i];
dbuf[1][j++] = hexdigit(c>>4);
dbuf[1][j++] = hexdigit(c&0x0F);
}
dbuf[1][j] = 0;
} else { /* decimal */
s = (char*)&u32;
s[3] = Buf[15];
s[2] = Buf[16];
s[1] = Buf[17];
s[0] = Buf[18];
s = Buf; /* starts at Buf+1 */
do {
*++s = u32 % 10 + '0';
} while ((u32 /= 10) > 0);
for (i = 0; s != Buf; --s, ++i)
dbuf[1][i] = *s;
dbuf[1][i] = 0;
}
/*
* note the following code will not compile properly. certain
@ -1237,10 +1313,19 @@ void dispHOTP(void)
}
}
/* any key will return, timeout to powerdown */
if (j == 0)
if (j == 1) {
key = *Resp->data;
if (key == RAW_DOWN)
return 1; /* again */
else
return 0;
}
/* timeout */
powerdown();
return 0; /* unreached */
} /* dispHOTP */
void menuInit(void)
@ -1315,3 +1400,4 @@ U8 EELen(U8 addr, U8 len)
return i;
} /* EELen */
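Review bot: The assignments inside the conditional operands at `(obuf[menu_cursor] & OPTION_FLAG_FMT) ? fmt = 1 : fmt = 0;` (and the same form on the `Buf[20+HOSTNAME_POS_FMT]` line in the enter_shortcut hunk) are not valid standard C — the third operand of `?:` is a conditional-expression, so a conforming compiler parses this as `(... ? fmt = 1 : fmt) = 0` and rejects the non-lvalue assignment; it presumably builds only because the HI-TECH compiler accepts it. Write it as `fmt = (obuf[menu_cursor] & OPTION_FLAG_FMT) ? 1 : 0;` so the intent is also readable; main() starts and ends outside these hunks. In dispHOTP's decimal branch the digit string is built in `Buf[1..10]`, which aliases `Resp` and is only safe because `Buf[15..18]` were copied into `u32` first — a comment such as `/* Buf[15..18] already consumed; reuse Buf[1..] as scratch for the digit string */` would keep a later edit from reordering those steps. Note also that the decimal path prints the full 32-bit value with the high bit of `Buf[15]` unmasked and no `mod 10^digits` truncation, so it matches the RFC 4226 31-bit value only if the card already returns it in that form, which this page does not show.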


@ -24,7 +24,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: urd.c 13 2009-11-26 16:37:03Z maf $
* $Id: urd.c 50 2009-12-15 01:37:19Z maf $
*/
#include <sys/types.h>
@ -59,7 +59,6 @@
* urd_rep_msg in access-challenge hard coded to ABC..
* copy proxy variables into reply packet per RFC?
* packet stress testing
* rc.d script
*/
static void usage(void);
@ -77,18 +76,19 @@ int main(int argc, char **argv)
struct otp_ctx *otpctx;
struct otp_user ou;
char *otpdb_fname;
int otp_skip_unknown, otpdb_flags;
int otp_skip_unknown, otpdb_flags, otp_enable;
#endif /* OOTP_ENABLE */
fd_set rfd;
u_long tmpul;
uint64_t rep_state;
uint32_t local_ip, tmp32u;
uint32_t local_ip;
uint16_t local_port;
uint8_t rep_code;
uint rem_addr_len;
char *authorized_users_fname, *pwfile_fname, *server_secret_fname, *endptr;
char server_secret[URD_SECRET_LEN+1], buf[1024], *pid_fname;
int rep_enc_flags, rep_cache_flags, debug, daemon_mode;
int drop, drop_mode, req_cache_hit, buf_l, pkt_fd, r, i;
int drop, drop_mode, req_cache_hit, buf_l, pkt_fd, r, i, otp_window;
bzero(&loc_addr, sizeof loc_addr);
bzero(&pkt_fd, sizeof pkt_fd);
@ -103,19 +103,21 @@ int main(int argc, char **argv)
local_port = URD_PORT;
drop = 1;
drop_mode = 0;
otp_window = OTP_WINDOW_DEFAULT;
#ifdef OOTP_ENABLE
otpctx = (struct otp_ctx*)0L;
otpdb_fname = OTP_DB_FNAME;
otp_skip_unknown = 0;
otpdb_flags = 0;
otp_enable = 1;
#endif /* OOTP_ENABLE */
xerr_setid(argv[0]);
#ifdef OOTP_ENABLE
while ((i = getopt(argc, argv, "AhduDOx?a:b:B:o:p:s:P:")) != -1) {
while ((i = getopt(argc, argv, "AhduDOx?a:b:B:o:p:s:P:w:")) != -1) {
#else
while ((i = getopt(argc, argv, "AhdDx?a:b:B:p:s:P:")) != -1) {
while ((i = getopt(argc, argv, "AhdDx?a:b:B:p:s:P:w:")) != -1) {
#endif /* OOTP_ENABLE */
switch (i) {
@ -134,12 +136,12 @@ int main(int argc, char **argv)
break;
case 'B':
tmp32u = strtoul(optarg, &endptr, 0);
tmpul = strtoul(optarg, &endptr, 0);
if (*endptr)
xerr_errx(1, "stroul(%s): failed at %c.", optarg, *endptr);
if (tmp32u > 0xFFFF)
if (tmpul > 0xFFFF)
xerr_errx(1, "UDP port out of range 0..65535.");
local_port = tmp32u;
local_port = tmpul;
break;
case 'd':
@ -165,7 +167,7 @@ int main(int argc, char **argv)
break;
case 'O':
otpdb_fname = (char*)0L;
otp_enable = 0;
break;
#endif /* OOTP_ENABLE */
@ -187,6 +189,15 @@ int main(int argc, char **argv)
break;
#endif /* OOTP_ENABLE */
case 'w':
tmpul = strtoul(optarg, &endptr, 0);
if (*endptr)
xerr_errx(1, "stroul(%s): failed at %c.", optarg, *endptr);
if (tmpul > OTP_WINDOW_MAX)
xerr_errx(1, "Challenge window %lu > %lu.", tmpul, OTP_WINDOW_MAX);
otp_window = tmpul;
break;
case 'x':
drop_mode = 1;
break;
@ -264,7 +275,7 @@ int main(int argc, char **argv)
#ifdef OOTP_ENABLE
/* creat OTP context */
if (otpdb_fname)
if (otp_enable)
if (!(otpctx = otp_db_open(otpdb_fname, otpdb_flags)))
xerr_errx(1, "otp_db_open(%s): failed", otpdb_fname);
#endif /* OOTP_ENABLE */
@ -487,7 +498,7 @@ int main(int argc, char **argv)
*
*/
if (!otpdb_fname) {
if (!otp_enable) {
rep_code = RADIUS_CODE_ACCESS_ACCEPT;
rep_enc_flags = 0x0;
@ -720,7 +731,7 @@ int main(int argc, char **argv)
}
if ((r = otp_user_auth(otpctx, urdctx->req.user_name,
urdctx->req.user_pass, OTP_HOTP_WINDOW)) < 0)
urdctx->req.user_pass, otp_window)) < 0)
xerr_errx(1, "otp_user_auth(): failed.");
if (r == OTP_AUTH_PASS) {
@ -989,14 +1000,15 @@ void usage(void)
fprintf(stderr,
"urd [-AhdDOux?] [-a allowed_users_file] [-b local_ip] [-B local_port ]\n");
fprintf(stderr,
" [-o otp_db] [-p passwd_file] [-P pid_file] [-s secret_file]\n\n");
" [-o otp_db] [-p passwd_file] [-P pid_file] [-s secret_file]\n");
#else
fprintf(stderr,
"urd [-AhdDx?] [-a allowed_users_file] [-b local_ip] [-B local_port ]\n");
fprintf(stderr,
" [-p passwd_file] [-P pid_file] [-s secret_file]\n\n");
" [-p passwd_file] [-P pid_file] [-s secret_file]\n");
#endif /* OOTP_ENABLE */
fprintf(stderr, " [-w otp_window]\n\n");
fprintf(stderr, " -A disable authorized_users file (all users in passwd_file valid)\n");
fprintf(stderr, " -h help\n");
fprintf(stderr, " -d enable debugging\n");