diff --git a/VERSION b/VERSION index fa727ec..acd3eae 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -snap-r184 +snap-r200 diff --git a/bcload/Makefile b/bcload/Makefile index 87820db..ba8f0dd 100644 --- a/bcload/Makefile +++ b/bcload/Makefile @@ -1,4 +1,4 @@ -# $Id: Makefile 127 2010-06-15 14:24:34Z maf $ +# $Id: Makefile 189 2011-05-26 03:50:39Z maf $ what: @echo @@ -10,7 +10,7 @@ what: @echo i386-fbsd: - @make CC="gcc" CFLAGS="-I../common -I/usr/local/pcsc/include/PCSC -DSCR_PCSC -g -DHAVE_STRING_H -DHAVE_STRINGS_H -DDEBUG -Wall -std=c99 -pedantic" LFLAGS="-L/usr/local/pcsc/lib" LIBS="-lpcsclite" all + @make CC="gcc" CFLAGS="-I../common -I/usr/local/pcsc/include/PCSC -DSCR_PCSC -g -DHAVE_STRING_H -DHAVE_STRINGS_H -DDEBUG -Wall -std=c99 -pedantic" LFLAGS="-L/usr/local/pcsc/lib -L/usr/local/lib" LIBS="-lpcsclite" all i386-linux: @make CC="gcc" CFLAGS="-I../common -I/usr/local/include/PCSC -DSCR_PCSC -g -DHAVE_STRING_H -DHAVE_STRINGS_H -DDEBUG -Wall -D_BSD_SOURCE -D_XOPEN_SOURCE -std=c99 -pedantic" LFLAGS="-L/usr/local/pcsc/lib" LIBS="/usr/local/lib/libpcsclite.a -lpthread" all diff --git a/common/otplib.c b/common/otplib.c index 0865ff7..f83a945 100644 --- a/common/otplib.c +++ b/common/otplib.c @@ -24,7 +24,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: otplib.c 174 2011-05-16 02:09:26Z maf $ + * $Id: otplib.c 193 2011-06-12 16:43:51Z maf $ */ #include 
@@ -1104,6 +1104,28 @@ int otp_user_add(struct otp_ctx *otpctx, char *u_username, /* * sanity checks */ + + if (!u_username) { + if (otpctx->verbose) + xerr_warnx("u_username is null."); + goto otp_user_add_out; + } + + if (!u_key_val) { + if (otpctx->verbose) + xerr_warnx("u_key_val is null."); + goto otp_user_add_out; + } + + /* u_loc can be null */ + if (u_loc) { + if (strlen(u_loc) > OTP_USER_LOC_LEN) { + if (otpctx->verbose) + xerr_warnx("strlen(u_loc) > OTP_USER_LOC_LEN."); + goto otp_user_add_out; + } + } + if (ou.db_key.size > OTP_USER_NAME_LEN) { if (otpctx->verbose) xerr_warnx("strlen(u_username) > OTP_USER_NAME_LEN."); @@ -1116,19 +1138,14 @@ int otp_user_add(struct otp_ctx *otpctx, char *u_username, goto otp_user_add_out; } - if (strlen(u_loc) > OTP_USER_LOC_LEN) { - if (otpctx->verbose) - xerr_warnx("strlen(u_loc) > OTP_USER_LOC_LEN."); - goto otp_user_add_out; - } - /* * copy in user fields to ou */ /* lengths checked above */ strncpy(ou.username, u_username, OTP_USER_NAME_LEN); - strncpy(ou.loc, u_loc, OTP_USER_LOC_LEN); + if (u_loc) + strncpy(ou.loc, u_loc, OTP_USER_LOC_LEN); bcopy(u_key_val, &ou.key, u_key_size); ou.key_size = u_key_size; ou.count = u_count; diff --git a/doc/CHANGES b/doc/CHANGES index 8e0bffc..f54d0b3 100644 --- a/doc/CHANGES +++ b/doc/CHANGES @@ -1,5 +1,13 @@ # $Id:$ +htsoft-downloader: Makefile install target fix - eshicks + +pam_otp: allown_unknown typo - eshicks + +otplib: more sanity checking on otp_user_add - eshicks + +otp-tokend: smtp support, fork() on message + urd/rc.d/urd: updated for new flags otp-control: mode generate will honor -c diff --git a/doc/Makefile b/doc/Makefile index 8af1619..187d131 100644 --- a/doc/Makefile +++ b/doc/Makefile @@ -1,4 +1,4 @@ -# $Id: Makefile 153 2011-04-01 02:38:36Z maf $ +# $Id: Makefile 196 2011-06-12 18:57:25Z maf $ INSTALL=install -c -m0644 
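Review bot: When u_loc is NULL the guard added in the second hunk (@@ -1116) skips the strncpy, so ou.loc keeps whatever it held before; unless ou is zeroed earlier in otp_user_add (outside the hunk) the record is written with a stale or unterminated location field. Add an explicit else branch, `else ou.loc[0] = '\0';`, or memset ou before the field copies. The new u_username NULL check is placed after ou.db_key.size has already been computed somewhere above the hunk; if that size comes from strlen(u_username), the dereference happens before the guard, so the NULL checks belong before that computation. Note too that strncpy with exactly OTP_USER_LOC_LEN leaves no terminator when the location is exactly that long, which is safe only if ou.loc has a spare byte that is already zero; `snprintf(ou.loc, sizeof ou.loc, "%s", u_loc)` removes the question. otp_user_add's body continues outside both hunks.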
@@ -19,12 +19,13 @@ MISCDIR=/usr/local/ootp/doc openjade -V nochunks -c /usr/local/share/sgml/docbook/dsssl/modular/catalog -c /usr/local/share/sgml/docbook/3.1/dtd/catalog -c /usr/local/share/sgml/jade/catalog -d /usr/local/share/sgml/docbook/dsssl/modular/html/docbook.dsl -t sgml $*.sgml > $*.html MAN1S = htsoft-downloader.1 bcload.1 otp-control.1 otp-ov-plugin.1\ - pam_otp.1 urd.1 otp-sca.1 otp-sct.1 + pam_otp.1 urd.1 otp-sca.1 otp-sct.1 otp-tokend.1 MAN7S = spyrus-par2.7 HTMLS = htsoft-downloader.html bcload.html otp-control.html otp-ov-plugin.html\ - pam_otp.html urd.html otp-sca.html otp-sct.html spyrus-par2.html + pam_otp.html urd.html otp-sca.html otp-sct.html spyrus-par2.html\ + otp-tokend.html MISC = QUICKSTART LICENSE PAR2-USER-GENERIC BALANCE-USER HOTP-2009.pdf diff --git a/doc/TODO b/doc/TODO index ca05765..79f19d0 100644 --- a/doc/TODO +++ b/doc/TODO @@ -1,14 +1,15 @@ -urd option c should not require arg -urd_oareng_pgm support in rc.d +sshd[41599]: v2 format has 11 fields, not 10. +sshd[41599]: otp_ou_fromascii(): failed. +sshd[41599]: otp_urec_open(maf): failed. +sshd[41599]: ffdb_rec_close(): rec_open_ref_count != 0. +sshd[41599]: otp_db_close(): failed. + +OpenOTP patch: fix for weird balance reader + urd opt n should include character list man page for option n -tokend - man page - usage - -urd,openvpn - send-token +document send-token option Enter PIN code does not issue a \n @@ -19,8 +20,6 @@ RADIUS proxy support get documentation for the ACS balance reader ACS balance reader support dec31.6? -break out htsoft-downloader, urd, bcload? - full coverage testing for otplib and ffdb otp-token (soft token) @@ -50,5 +49,3 @@ otp-sca urd - wtmp -otp-control -c should do the right thing when generating otp - diff --git a/doc/bcload.1 b/doc/bcload.1 index 26757da..65af2a6 100644 --- a/doc/bcload.1 +++ b/doc/bcload.1 
@@ -136,4 +136,4 @@ Mark Fullmer maf@splintered\&.net \fBotp-ov-plugin\fP(1) \fBurd\fP(1) spyrus-par2(7) -...\" created by instant / docbook-to-man, Sun 15 May 2011, 23:57 +...\" created by instant / docbook-to-man, Sun 12 Jun 2011, 15:01 diff --git a/doc/htsoft-downloader.1 b/doc/htsoft-downloader.1 index e347875..052e738 100644 --- a/doc/htsoft-downloader.1 +++ b/doc/htsoft-downloader.1 @@ -124,7 +124,11 @@ Mark Fullmer maf@splintered\&.net .PP Intel Hexadecimal Object File Format Specification Rev A .PP -www\&.htsoft\&.com +http://www\&.htsoft\&.com +.PP +http://www\&.microchip\&.com .PP http://www\&.ehl\&.cz/pic/pic_e\&.htm -...\" created by instant / docbook-to-man, Sun 15 May 2011, 23:57 +.PP +ftp://ftp\&.htsoft\&.com/hitech/samples/bootldr\&.zip +...\" created by instant / docbook-to-man, Sun 12 Jun 2011, 15:01 diff --git a/doc/htsoft-downloader.html b/doc/htsoft-downloader.html index e7deba2..186fc76 100644 --- a/doc/htsoft-downloader.html +++ b/doc/htsoft-downloader.html @@ -260,9 +260,13 @@ NAME="AEN83" >

Intel Hexadecimal Object File Format Specification Rev A

www.htsoft.com

http://www.htsoft.com

http://www.microchip.com

http://www.ehl.cz/pic/pic_e.htm

ftp://ftp.htsoft.com/hitech/samples/bootldr.zip

- + @@ -179,11 +179,17 @@ wDONE: reply=F0, expecting E4wPIC reset sent. Intel Hexadecimal Object File Format Specification Rev A -www.htsoft.com +http://www.htsoft.com + + +http://www.microchip.com http://www.ehl.cz/pic/pic_e.htm + +ftp://ftp.htsoft.com/hitech/samples/bootldr.zip + diff --git a/doc/otp-control.1 b/doc/otp-control.1 index 8939425..d46c907 100644 --- a/doc/otp-control.1 +++ b/doc/otp-control.1 @@ -299,4 +299,4 @@ Mark Fullmer maf@splintered\&.net \fBurd\fP(1) \fBbcload\fP(1) spyrus-par2(7) -...\" created by instant / docbook-to-man, Sun 15 May 2011, 23:57 +...\" created by instant / docbook-to-man, Sun 12 Jun 2011, 15:01 diff --git a/doc/otp-ov-plugin.1 b/doc/otp-ov-plugin.1 index c7f4792..95a17b5 100644 --- a/doc/otp-ov-plugin.1 +++ b/doc/otp-ov-plugin.1 @@ -110,4 +110,4 @@ Mark Fullmer maf@splintered\&.net \fBbcload\fP(1) \fBOpenVPN\fP(8) spyrus-par2(7) -...\" created by instant / docbook-to-man, Sun 15 May 2011, 23:57 +...\" created by instant / docbook-to-man, Sun 12 Jun 2011, 15:01 diff --git a/doc/otp-sca.1 b/doc/otp-sca.1 index 218b1af..f7850fa 100644 --- a/doc/otp-sca.1 +++ b/doc/otp-sca.1 @@ -428,4 +428,4 @@ Mark Fullmer maf@splintered\&.net \fBbcload\fP(1) \fBurd\fP(1) spyrus-par2(7) -...\" created by instant / docbook-to-man, Sun 15 May 2011, 23:57 +...\" created by instant / docbook-to-man, Sun 12 Jun 2011, 15:01 diff --git a/doc/otp-sct.1 b/doc/otp-sct.1 index c73ae09..3dc28b2 100644 --- a/doc/otp-sct.1 +++ b/doc/otp-sct.1 @@ -142,4 +142,4 @@ Mark Fullmer maf@splintered\&.net \fBbcload\fP(1) \fBurd\fP(1) spyrus-par2(7) -...\" created by instant / docbook-to-man, Sun 15 May 2011, 23:57 +...\" created by instant / docbook-to-man, Sun 12 Jun 2011, 15:01 diff --git a/doc/otp-tokend.1 b/doc/otp-tokend.1 new file mode 100644 index 0000000..cecde3b --- /dev/null +++ b/doc/otp-tokend.1 
@@ -0,0 +1,129 @@ +...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $ +...\" +...\" transcript compatibility for postscript use. +...\" +...\" synopsis: .P! +...\" +.de P! +\\&. +.fl \" force out current output buffer +\\!%PB +\\!/showpage{}def +...\" the following is from Ken Flowers -- it prevents dictionary overflows +\\!/tempdict 200 dict def tempdict begin +.fl \" prolog +.sy cat \\$1\" bring in postscript file +...\" the following line matches the tempdict above +\\!end % tempdict % +\\!PE +\\!. +.sp \\$2u \" move below the image +.. +.de pF +.ie \\*(f1 .ds f1 \\n(.f +.el .ie \\*(f2 .ds f2 \\n(.f +.el .ie \\*(f3 .ds f3 \\n(.f +.el .ie \\*(f4 .ds f4 \\n(.f +.el .tm ? font overflow +.ft \\$1 +.. +.de fP +.ie !\\*(f4 \{\ +. ft \\*(f4 +. ds f4\" +' br \} +.el .ie !\\*(f3 \{\ +. ft \\*(f3 +. ds f3\" +' br \} +.el .ie !\\*(f2 \{\ +. ft \\*(f2 +. ds f2\" +' br \} +.el .ie !\\*(f1 \{\ +. ft \\*(f1 +. ds f1\" +' br \} +.el .tm ? font underflow +.. +.ds f1\" +.ds f2\" +.ds f3\" +.ds f4\" +.ta 8n 16n 24n 32n 40n 48n 56n 64n 72n +.TH "\fBotp-tokend\fP" "1" +.SH "NAME" +\fBotp-tokend\fP \(em Deliver tokens via SMTP(S) or HTTP(S)\&. +.SH "SYNOPSIS" +.PP +\fBotp-tokend\fP [-?Dv] [-b\fI bind-path\fP] [-f\fI from-address\fP] [-s\fI subject\fP] [-S\fI smtp_url\fP] [-P\fI pidfile\fP] [-H\fI httl_url\fP] +.SH "DESCRIPTION" +.PP +The \fBotp-tokend\fP daemon processes send-token +requests from the Unix domain socket \fB/var/run/otp-tokend\fP\&. +Tokens are then delivered to the end-user via SMTP, SMTPS, HTTP, or HTTPS\&. +Delivery through SMS or other out of band mechanisms can be implemented +with a HTTPS back end\&. +.PP +Otplib will optionally generate a send-token request when the user record has +the send-token flag and location information set\&. This can be done with +\fBotp-control\fP\&. 
+.PP +The send-token request is a single datagram with the following ASCII fields +separated by newlines: +.PP +.nf +service +username +location +token +.fi +.PP +If the location (destination to send the token) is all digits the request is +sent via HTTP(S)\&. A request with the @ symbol is sent via SMTP(S)\&. All other +requests are ignored\&. +.SH "OPTIONS" +.IP "-b, --bind-path=\fI bind_path\fP" 10 +Listen for send-token requests from an alternate Unix domain socket\&. +.IP "-D, --disable-daemon-mode" 10 +Disable daemon mode\&. When specified \fBotp-tokend\fP will not +run in the background and stdout is available for debugging information\&. +.IP "-f, --from-address=\fI from_address\fP" 10 +Specify the e-mail from address when using SMTP(S)\&. +.IP "-s, --subject=\fI subject\fP" 10 +Specify the e-mail subject when using SMTP(S)\&. +.IP "-s, --smtp-url=\fI smtp_url\fP" 10 +Specify the URL to an SMTP(S) server\&. Example smtp://127\&.0\&.0\&.1\&. +.IP "-P, --pidfile=\fI pid_file\fP" 10 +Specify an alternate location for a file containing the process ID +of the \fBotp-tokend\fP server\&. +.IP "-H, --http-url=\fI http_url\fP" 10 +Specify the URL to an HTTP(S) server\&. A form will be posted to the +url with the form "to" set to the location, and +"msg" set to the token\&. +.IP "-v, --verbose" 10 +Increase verbosity\&. Can be used multiple times\&. +.IP "--version" 10 +Display software version\&. +.SH "EXAMPLES" +.PP +Start the \fBotp-tokend\fP server in the foreground with verbose +output using https://127\&.0\&.0\&.1:443/sms for HTTP and and smtp://127\&.0\&.0\&.1 for SMTP requests\&. 
+.PP +.nf +otp-tokend -D -vvv -S smtp://127\&.0\&.0\&.1 -H https://127\&.0\&.0\&.1:443/sms +.fi +.SH "AUTHOR" +.PP +Mark Fullmer maf@splintered\&.net +.SH "SEE ALSO" +.PP +\fBotp-control\fP(1) +\fBotp-sca\fP(1) +\fBotp-sct\fP(1) +\fBpam_otp\fP(1) +\fBhtsoft-downloader\fP(1) +\fBbcload\fP(1) +\fBotp-ov-plugin\fP(1) +spyrus-par2(7) +...\" created by instant / docbook-to-man, Sun 12 Jun 2011, 15:01 diff --git a/doc/otp-tokend.html b/doc/otp-tokend.html new file mode 100644 index 0000000..8b9005b --- /dev/null +++ b/doc/otp-tokend.html @@ -0,0 +1,315 @@ + +otp-tokend

otp-tokend

Name

otp-tokend -- Deliver tokens via SMTP(S) or HTTP(S).

Synopsis

otp-tokend [-?Dv] [-b bind-path] [-f from-address] [-s subject] [-S smtp_url] [-P pidfile] [-H httl_url]

DESCRIPTION

The otp-tokend daemon processes send-token +requests from the Unix domain socket /var/run/otp-tokend. +Tokens are then delivered to the end-user via SMTP, SMTPS, HTTP, or HTTPS. +Delivery through SMS or other out of band mechanisms can be implemented +with a HTTPS back end.

Otplib will optionally generate a send-token request when the user record has +the send-token flag and location information set. This can be done with +otp-control.

The send-token request is a single datagram with the following ASCII fields +separated by newlines:

service
+username
+location
+token

If the location (destination to send the token) is all digits the request is +sent via HTTP(S). A request with the @ symbol is sent via SMTP(S). All other +requests are ignored.

OPTIONS

-b, --bind-path= bind_path

Listen for send-token requests from an alternate Unix domain socket.

-D, --disable-daemon-mode

Disable daemon mode. When specified otp-tokend will not +run in the background and stdout is available for debugging information.

-f, --from-address= from_address

Specify the e-mail from address when using SMTP(S).

-s, --subject= subject

Specify the e-mail subject when using SMTP(S).

-s, --smtp-url= smtp_url

Specify the URL to an SMTP(S) server. Example smtp://127.0.0.1.

-P, --pidfile= pid_file

Specify an alternate location for a file containing the process ID +of the otp-tokend server.

-H, --http-url= http_url

Specify the URL to an HTTP(S) server. A form will be posted to the +url with the form "to" set to the location, and +"msg" set to the token.

-v, --verbose

Increase verbosity. Can be used multiple times.

--version

Display software version.

EXAMPLES

Start the otp-tokend server in the foreground with verbose +output using https://127.0.0.1:443/sms for HTTP and and smtp://127.0.0.1 for SMTP requests. +

otp-tokend -D -vvv -S smtp://127.0.0.1 -H https://127.0.0.1:443/sms

AUTHOR

Mark Fullmer +<maf@splintered.net>

SEE ALSO

otp-control(1) +otp-sca(1) +otp-sct(1) +pam_otp(1) +htsoft-downloader(1) +bcload(1) +otp-ov-plugin(1) +spyrus-par2(7)

\ No newline at end of file diff --git a/doc/otp-tokend.sgml b/doc/otp-tokend.sgml new file mode 100644 index 0000000..701785e --- /dev/null +++ b/doc/otp-tokend.sgml 
@@ -0,0 +1,200 @@ + + + + + + + + +otp-tokend + +1 + + + + +otp-tokend + + +Deliver tokens via SMTP(S) or HTTP(S). + + + + + +otp-tokend +-?Dv +-b bind-path +-f from-address +-s subject +-S smtp_url +-P pidfile +-H httl_url + + + + + +DESCRIPTION + +The otp-tokend daemon processes send-token +requests from the Unix domain socket /var/run/otp-tokend. +Tokens are then delivered to the end-user via SMTP, SMTPS, HTTP, or HTTPS. +Delivery through SMS or other out of band mechanisms can be implemented +with a HTTPS back end. + + +Otplib will optionally generate a send-token request when the user record has +the send-token flag and location information set. This can be done with +otp-control. + + +The send-token request is a single datagram with the following ASCII fields +separated by newlines: + + +service +username +location +token + + +If the location (destination to send the token) is all digits the request is +sent via HTTP(S). A request with the @ symbol is sent via SMTP(S). All other +requests are ignored. + + + + +OPTIONS + + + +-b, --bind-path= bind_path + + +Listen for send-token requests from an alternate Unix domain socket. + + + + + +-D, --disable-daemon-mode + + +Disable daemon mode. When specified otp-tokend will not +run in the background and stdout is available for debugging information. + + + + + +-f, --from-address= from_address + + +Specify the e-mail from address when using SMTP(S). + + + + + +-s, --subject= subject + + +Specify the e-mail subject when using SMTP(S). + + + + + +-s, --smtp-url= smtp_url + + +Specify the URL to an SMTP(S) server. Example smtp://127.0.0.1. + + + + + +-P, --pidfile= pid_file + + +Specify an alternate location for a file containing the process ID +of the otp-tokend server. + + + + + +-H, --http-url= http_url + + +Specify the URL to an HTTP(S) server. A form will be posted to the +url with the form "to" set to the location, and +"msg" set to the token. + + + + + +-v, --verbose + + +Increase verbosity. 
Can be used multiple times. + + + + + +--version + + +Display software version. + + + + + + + + +EXAMPLES + + +Start the otp-tokend server in the foreground with verbose +output using https://127.0.0.1:443/sms for HTTP and and smtp://127.0.0.1 for SMTP requests. + +otp-tokend -D -vvv -S smtp://127.0.0.1 -H https://127.0.0.1:443/sms + + + + + + + + +AUTHOR + + +Mark +Fullmer + +maf@splintered.net + + + + +SEE ALSO + +otp-control(1) +otp-sca(1) +otp-sct(1) +pam_otp(1) +htsoft-downloader(1) +bcload(1) +otp-ov-plugin(1) +spyrus-par2(7) + + + + diff --git a/doc/pam_otp.1 b/doc/pam_otp.1 index c72dfa0..fbbeb8b 100644 --- a/doc/pam_otp.1 +++ b/doc/pam_otp.1 @@ -103,4 +103,4 @@ Mark Fullmer maf@splintered\&.net \fBbcload\fP(1) \fBpam\fP(8) spyrus-par2(7) -...\" created by instant / docbook-to-man, Sun 15 May 2011, 23:57 +...\" created by instant / docbook-to-man, Sun 12 Jun 2011, 15:01 diff --git a/doc/spyrus-par2.7 b/doc/spyrus-par2.7 index 15cec37..3a98a19 100644 --- a/doc/spyrus-par2.7 +++ b/doc/spyrus-par2.7 @@ -202,4 +202,4 @@ may not\&. \fBurd\fP(1) \fBbcload\fP(1) \fBOpenVPN\fP(8) -...\" created by instant / docbook-to-man, Sun 15 May 2011, 23:57 +...\" created by instant / docbook-to-man, Sun 12 Jun 2011, 15:01 diff --git a/doc/urd.1 b/doc/urd.1 index 782ba93..564e832 100644 --- a/doc/urd.1 +++ b/doc/urd.1 @@ -189,4 +189,4 @@ Mark Fullmer maf@splintered\&.net \fBbcload\fP(1) \fBotp-ov-plugin\fP(1) spyrus-par2(7) -...\" created by instant / docbook-to-man, Sun 15 May 2011, 23:57 +...\" created by instant / docbook-to-man, Sun 12 Jun 2011, 15:01 diff --git a/htsoft-downloader/Makefile b/htsoft-downloader/Makefile index 9a54f22..03c60bb 100644 --- a/htsoft-downloader/Makefile +++ b/htsoft-downloader/Makefile @@ -1,4 +1,4 @@ -# $Id: Makefile 128 2010-06-15 14:25:09Z maf $ +# $Id: Makefile 192 2011-06-12 16:33:42Z maf $ what: @echo 
@@ -37,7 +37,7 @@ version.c: install: mkdir -p ${BINDIR} - ${INSTALL} ${BINS} ${BINDIR} + ${INSTALL} ${BIN} ${BINDIR} @echo files installed in ${BINDIR} clean: diff --git a/otp-pam/pam_otp.c b/otp-pam/pam_otp.c index ee7ef94..e2e19ba 100644 --- a/otp-pam/pam_otp.c +++ b/otp-pam/pam_otp.c @@ -24,7 +24,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: pam_otp.c 168 2011-05-11 04:03:38Z maf $ + * $Id: pam_otp.c 191 2011-06-12 16:32:33Z maf $ */ #include @@ -378,7 +378,7 @@ void load_opts(struct opts *opts, int argc, const char **argv) opts->allow_inactive = 1; } else if (!strcmp(*argv, "require_db_entry")) { opts->allow_unknown = 0; - } else if (!strcmp(*argv, "allown_unknown")) { + } else if (!strcmp(*argv, "allow_unknown")) { opts->allow_unknown = 1; } else if (!strncmp(*argv, "otpdb=", 6)) { opts->otpdb_fname=(char*)(*argv)+6; diff --git a/otp-sca/Makefile b/otp-sca/Makefile index f490eec..24d92eb 100644 --- a/otp-sca/Makefile +++ b/otp-sca/Makefile @@ -1,4 +1,4 @@ -# $Id: Makefile 130 2010-06-15 14:26:10Z maf $ +# $Id: Makefile 187 2011-05-26 03:50:28Z maf $ what: @echo @@ -10,7 +10,7 @@ what: @echo i386-fbsd: - @make CC="gcc" CFLAGS="-I../common -I/usr/local/pcsc/include/PCSC -DSCR_PCSC -g -DHAVE_STRING_H -DHAVE_STRINGS_H -DDEBUG -Wall -std=c99 -pedantic" LFLAGS="-L/usr/local/pcsc/lib" LIBS="-lpcsclite" all + @make CC="gcc" CFLAGS="-I../common -I/usr/local/pcsc/include/PCSC -DSCR_PCSC -g -DHAVE_STRING_H -DHAVE_STRINGS_H -DDEBUG -Wall -std=c99 -pedantic" LFLAGS="-L/usr/local/pcsc/lib -L/usr/local/lib" LIBS="-lpcsclite" all i386-linux: @make CC="gcc" CFLAGS="-I../common -I/usr/local/include/PCSC -DSCR_PCSC -g -DHAVE_STRING_H -DHAVE_STRINGS_H -DDEBUG -D_BSD_SOURCE -D_XOPEN_SOURCE -Wall -std=c99 -pedantic" LFLAGS="-L/usr/local/pcsc/lib" LIBS="/usr/local/lib/libpcsclite.a -lpthread" all 
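Review bot: The corrected keyword in the pam_otp.c hunk only helps if a misspelled keyword is noticed at all; the tail of the else-if chain is outside the hunk, and if load_opts has no terminating else, a typo in the PAM configuration (as allown_unknown was) is silently ignored and the module runs with its default policy. For an authentication module that should be visible: add a final `} else { xerr_warnx("unknown option: %s", *argv); }` or fail initialisation on unrecognised keywords. load_opts begins and ends outside the hunk.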
@@ -23,7 +23,7 @@ i386-macosx: INSTALL=install -c -m0755 -.c.o:; $(CC) $(CFLAGS) -c $*.c -o $*.o +.c.o:; $(CC) $(CFLAGS) $(INC) -c $*.c -o $*.o BIN = otp-sca COBJS = ../common/xerr.o ../common/str.o ../common/acr30.o ../common/scr.o ../common/sccmd.o diff --git a/otp-sct/Makefile b/otp-sct/Makefile index 7c3b8c4..ae48a67 100644 --- a/otp-sct/Makefile +++ b/otp-sct/Makefile @@ -1,4 +1,4 @@ -# $Id: Makefile 131 2010-06-15 14:26:23Z maf $ +# $Id: Makefile 188 2011-05-26 03:50:33Z maf $ what: @echo @@ -10,7 +10,7 @@ what: @echo i386-fbsd: - @make CC="gcc" CFLAGS="-I../common -I/usr/local/pcsc/include/PCSC -DSCR_PCSC -g -DHAVE_STRING_H -DHAVE_STRINGS_H -DDEBUG -Wall -std=c99 -pedantic" LFLAGS="-L/usr/local/pcsc/lib" LIBS="-lpcsclite" all + @make CC="gcc" CFLAGS="-I../common -I/usr/local/pcsc/include/PCSC -DSCR_PCSC -g -DHAVE_STRING_H -DHAVE_STRINGS_H -DDEBUG -Wall -std=c99 -pedantic" LFLAGS="-L/usr/local/pcsc/lib -L/usr/local/lib" LIBS="-lpcsclite" all i386-linux: @make CC="gcc" CFLAGS="-I../common -I/usr/local/include/PCSC -DSCR_PCSC -g -DHAVE_STRING_H -DHAVE_STRINGS_H -DDEBUG -Wall -D_BSD_SOURCE -D_XOPEN_SOURCE -std=c99 -pedantic" LFLAGS="-L/usr/local/pcsc/lib" LIBS="/usr/local/lib/libpcsclite.a -lpthread" all diff --git a/otp-tokend/otp-tokend.c b/otp-tokend/otp-tokend.c index 76089ab..84a2c0e 100644 --- a/otp-tokend/otp-tokend.c +++ b/otp-tokend/otp-tokend.c @@ -10,6 +10,7 @@ #include #include #include +#include #include #include #include @@ -19,14 +20,15 @@ #include "xerr.h" #include "otplib.h" -/* XXX usage +/* * XXX man page */ - -static u_long scan_ip(char *s); static void usage(void); static int write_pidfile(char *fname); +#define REQ_MODE_HTTP 0x1 +#define REQ_MODE_SMTP 0x2 + #define NXT_FIELD(V1,V2)\ f = strsep(&c, "\n");\ if (!f) {\ 
@@ -36,38 +38,57 @@ static int write_pidfile(char *fname); V2 = c;\ size_t curl_write_cb(void *ptr, size_t size, size_t nmemb, void *userdata); +size_t curl_read_cb(void *ptr, size_t size, size_t nmemb, void *userdata); + +char *global_token; +char *global_svc; +char *global_hdr_subject; +char *global_hdr_from; int main(int argc, char **argv) { extern char *ootp_version; struct sockaddr_un rx_path; + pid_t pid_child; CURL *curl; + struct curl_slist *smtp_rcpt = NULL; char rx_buf[1024], *c, *f, *msg_svc, *msg_user, *msg_loc, *msg_token; char msg_buf[1024], post_buf[1024], *msg_ue, *loc_ue, *rx_pathname; - char buf[1024], *pid_fname, *url; + char buf[1024], *pid_fname, *url_http, *url_smtp, *url, *hdr_from; + char *hdr_subject; int rx_sock, len, verbose, opt_version, daemon_mode, buf_l, i; + int req_mode, isdigits, isemail; struct option longopts[] = { { "bind-path", 1, (void*)0L, 'b'}, - { "disable-daemon-mode", 1, (void*)0L, 'D'}, + { "disable-daemon-mode", 0, (void*)0L, 'D'}, + { "from-address", 1, (void*)0L, 'f'}, { "help", 0, (void*)0L, 'h'}, { "help", 0, (void*)0L, '?'}, + { "subject", 1, (void*)0L, 's'}, + { "smtp-url", 1, (void*)0L, 'S'}, { "pidfile", 1, (void*)0L, 'P'}, - { "url", 1, (void*)0L, 'u'}, + { "http-url", 1, (void*)0L, 'H'}, { "verbose", 0, (void*)0L, 'v'}, { "version", 1, &opt_version, 1}, { 0, 0, 0, 0}, }; + req_mode = 0; daemon_mode = 1; opt_version = 0; - pid_fname = (char*)0L; + smtp_rcpt = (struct curl_slist*)0L; + pid_fname = "/var/run/otp-tokend.pid"; + url_http = (char*)0L; + url_smtp = (char*)0L; url = (char*)0L; + hdr_from = "hotp@eng.oar.net"; + hdr_subject = "HOTP Token"; verbose = 0; xerr_setid(argv[0]); rx_pathname = OTP_SEND_TOKEN_PATHNAME; - while ((i = getopt_long(argc, argv, "b:Dh?P:u:v", longopts, + while ((i = getopt_long(argc, argv, "b:Df:h?H:P:s:S:v", longopts, (int*)0L)) != -1) { switch (i) { 
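Review bot: The new defaults in this hunk bake a site-specific sender into the binary, `hdr_from = "hotp@eng.oar.net";`, which every installation emits unless -f is given; a neutral default such as `hotp@localhost`, or making -f mandatory when -S is used, avoids sending one organisation's address from other deployments. The four new file-scope globals (global_token, global_svc, global_hdr_from, global_hdr_subject) exist only because the read callback ignores its userdata argument; passing a small struct through `CURLOPT_READDATA` keeps that state per request and is easier to reason about after the fork. main continues past the end of this hunk.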
@@ -80,6 +101,10 @@ int main(int argc, char **argv) daemon_mode = 0; break; + case 'f': + hdr_from = optarg; + break; + case 'h': case '?': usage(); @@ -90,8 +115,16 @@ int main(int argc, char **argv) pid_fname = optarg; break; - case 'u': - url = optarg; + case 's': + hdr_subject = optarg; + break; + + case 'S': + url_smtp = optarg; + break; + + case 'H': + url_http = optarg; break; case 'v': @@ -111,8 +144,11 @@ int main(int argc, char **argv) } /* while getopt_long() */ - if (!url) - xerr_errx(1, "url required."); + global_hdr_subject = hdr_subject; + global_hdr_from = hdr_from; + + if (!url_http || !url_smtp) + xerr_errx(1, "HTTP and SMTP url required."); if (daemon_mode) { @@ -137,31 +173,10 @@ int main(int argc, char **argv) xerr_errx(1, "rx_pathname too long."); strncpy(rx_path.sun_path, rx_pathname, sizeof(rx_path.sun_path)); - /* construct pid file name */ - if (!pid_fname) { - - if (strcmp(rx_pathname, OTP_SEND_TOKEN_PATHNAME)) { - - snprintf(buf, sizeof(buf), "/var/run/otp-tokend.pid.%s", - rx_pathname); - - } else { - - snprintf(buf, sizeof(buf), "/var/run/otp-tokend.pid"); - - } - - pid_fname = (char*)&buf; - - } - /* write out pidfile */ if (write_pidfile(pid_fname) < 0) xerr_errx(1, "write_pidfile(%s): fatal", buf); - if (!(curl = curl_easy_init())) - xerr_errx(1, "curl_easy_init()"); - if ((rx_sock = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0) xerr_err(1, "socket()"); 
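Review bot: In the @@ -137 hunk the block that filled `buf` with the pid-file name is removed, but the failure message two lines later still prints it, `xerr_errx(1, "write_pidfile(%s): fatal", buf);` — buf is now uninitialised stack memory and the %s reads it. Change the line to `xerr_errx(1, "write_pidfile(%s): fatal", pid_fname);`. The removal also drops the per-bind-path pid-file name, so two instances started with different -b sockets now both default to /var/run/otp-tokend.pid and overwrite each other's pid unless -P is given; either keep the old derivation or say so in the man page. main continues outside this hunk.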
@@ -172,30 +187,31 @@ int main(int argc, char **argv) if (bind(rx_sock, (struct sockaddr*)&rx_path, sizeof(rx_path)) < 0) xerr_err(1, "bind(%s)", rx_pathname); - if (verbose > 1) - curl_easy_setopt(curl, CURLOPT_VERBOSE, 1); - - if (curl_easy_setopt(curl, CURLOPT_URL, url) != CURLE_OK) - xerr_errx(1, "curl_easy_setopt(url): failed."); - - if (curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, - &curl_write_cb) != CURLE_OK) - xerr_errx(1, "curl_easy_setopt(CURLOPT_WRITEFUNCTION): failed."); + /* reap children */ + if (signal(SIGCHLD, SIG_IGN) == SIG_ERR) + xerr_errx(1, "signal(SIGCHLD)"); while (1) { if ((len = recv(rx_sock, &rx_buf, sizeof(rx_buf), 0)) < 0) xerr_err(1, "recv()"); - if (len == 0) { - xerr_warnx("rx_buf empty."); - continue; - } + if ((pid_child = fork()) == -1) + xerr_err(1, "fork()"); - if (rx_buf[len - 1] != 0) { - xerr_warnx("recv(): rx_buf not null terminated, skipping."); + /* parent? */ + if (pid_child) continue; - } + + /* child */ + if (verbose > 2) + xerr_info("Child pid=%lu.", (unsigned long)getpid()); + + if (len == 0) + xerr_errx(1, "rx_buf empty."); + + if (rx_buf[len - 1] != 0) + xerr_errx(1, "recv(): rx_buf not null terminated, skipping."); c = rx_buf; 
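Review bot: The loop now forks one child per received datagram with no upper bound, so a burst of writes to the socket from any local process able to reach it turns into a fork flood, and the `len == 0` and missing-terminator checks are only made after the fork, so even malformed datagrams cost a process. Move those two checks before `fork()` and keep a count of outstanding children (a SIGCHLD handler that waits, or a counter with a ceiling) instead of `signal(SIGCHLD, SIG_IGN)`. The child also inherits rx_sock and never closes it; a `close(rx_sock);` right after the parent test keeps the listening socket out of the curl transfer. The terminator error still says "skipping" although the child now exits with status 1. main continues outside this hunk.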
@@ -208,34 +224,107 @@ int main(int argc, char **argv) if (*c == '\n') *c = 0; - snprintf(msg_buf, sizeof(msg_buf), "%s: %s", msg_svc, msg_token); - - if (!(msg_ue = curl_escape(msg_buf, 0))) { - xerr_warnx("curl_escape(msg_buf): failed."); - continue; + /* guess destination. All digits == http, @ == smtp */ + isdigits = 1; + isemail = 0; + for (c = msg_loc; *c; ++c) { + if (!isdigit(*c)) + isdigits = 0; + if (*c == '@') + isemail = 1; + } + if (isdigits) { + req_mode = REQ_MODE_HTTP; + url = url_http; + } else if (isemail) { + req_mode = REQ_MODE_SMTP; + url = url_smtp; + } else { + xerr_errx(1, "Req mode not set for %s.", msg_loc); } - if (!(loc_ue = curl_escape(msg_loc, 0))) { - xerr_warnx("curl_escape(msg_loc): failed."); - free(msg_ue); - continue; - } + if (curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) + xerr_errx(1, "curl_global_init(): failed."); - snprintf(post_buf, sizeof(post_buf), "to=%s&msg=%s", loc_ue, msg_ue); + if (!(curl = curl_easy_init())) + xerr_errx(1, "curl_easy_init()"); - if (curl_easy_setopt(curl, CURLOPT_POSTFIELDS, post_buf) != CURLE_OK) - xerr_errx(1, "curl_easy_setopt(CURLOPT_POSTFIELDS, %s): failed.", - post_buf); - - if (curl_easy_perform(curl) != CURLE_OK) - xerr_warnx("1, curl_easy_perform(): failed."); + if (curl_easy_setopt(curl, CURLOPT_URL, url) != CURLE_OK) + xerr_errx(1, "curl_easy_setopt(url): failed."); if (verbose > 1) - xerr_info("msg_buf=%s", msg_buf); + curl_easy_setopt(curl, CURLOPT_VERBOSE, 1); - } + if (req_mode == REQ_MODE_HTTP) { -} + if (curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, + &curl_write_cb) != CURLE_OK) + xerr_errx(1, "curl_easy_setopt(CURLOPT_WRITEFUNCTION): failed."); + + snprintf(msg_buf, sizeof(msg_buf), "%s: %s", msg_svc, msg_token); + + if (!(msg_ue = curl_escape(msg_buf, 0))) + xerr_errx(1, "curl_escape(%s): failed.", msg_buf); + + if (!(loc_ue = curl_escape(msg_loc, 0))) { + free(msg_ue); + xerr_errx(1, "curl_escape(%s): failed.", msg_loc); + } + + snprintf(post_buf, sizeof(post_buf), 
"to=%s&msg=%s", loc_ue, msg_ue); + + if (curl_easy_setopt(curl, CURLOPT_POSTFIELDS, post_buf) != CURLE_OK) + xerr_errx(1, "curl_easy_setopt(CURLOPT_POSTFIELDS, %s): failed.", + post_buf); + + if (curl_easy_perform(curl) != CURLE_OK) + xerr_errx(1, "curl_easy_perform(): failed."); + + if (verbose > 1) + xerr_info("msg_buf=%s", msg_buf); + + curl_easy_cleanup(curl); + + curl_global_cleanup(); + + } else if (req_mode == REQ_MODE_SMTP) { + + if (curl_easy_setopt(curl, CURLOPT_MAIL_FROM, hdr_from) != CURLE_OK) + xerr_errx(1, "curl_easy_setopt(CURLOPT_MAIL_FROM): failed."); + + if (!(smtp_rcpt = curl_slist_append(smtp_rcpt, msg_loc))) + xerr_errx(1, "curl_slist_append(smtp_rcpt, msg_loc): failed."); + + if (curl_easy_setopt(curl, CURLOPT_MAIL_RCPT, smtp_rcpt) != CURLE_OK) + xerr_errx(1, "curl_easy_setopt(CURLOPT_MAIL_RCPT): failed."); + + /* needed by read_cb */ + global_token = msg_token; + global_svc = msg_svc; + + if (curl_easy_setopt(curl, CURLOPT_READFUNCTION, + &curl_read_cb) != CURLE_OK) + xerr_errx(1, "curl_easy_setopt(CURLOPT_READFUNCTION): failed."); + + if (curl_easy_perform(curl) != CURLE_OK) + xerr_errx(1, "curl_easy_perform(): failed."); + + curl_slist_free_all(smtp_rcpt); + + } else { + + xerr_errx(1, "req_mode"); + + } + + /* exit child */ + if (verbose > 2) + xerr_info("child exit"); + exit(0); + + } /* forever waiting messages */ + +} /* main */ size_t curl_write_cb(void *ptr, size_t size, size_t nmemb, void *userdata) { 
@@ -248,8 +337,33 @@ size_t curl_write_cb(void *ptr, size_t size, size_t nmemb, void *userdata) return size*nmemb; } +size_t curl_read_cb(void *ptr, size_t size, size_t nmemb, void *userdata) +{ + size_t t, r; + static int cd; + + if (cd == 0) { + t = size*nmemb; + r = snprintf(ptr, t, + "From: %s \r\nSubject: %s\r\n\r\nToken for %s: %s\r\n", + global_hdr_from, global_hdr_subject, global_svc, global_token); + ++cd; + return r; + } else { + return 0; + } + +} + void usage(void) { + extern char *ootp_version; + + fprintf(stderr, "otp-tokend [-?Dhv] [-b bind-path] [-f from-address] [-s subject]\n"); + fprintf(stderr, " -S smtp-url [-P pidfile] -H http-url\n"); + + printf("%s\n", ootp_version); + } /* 
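Review bot: curl_read_cb returns the value of snprintf, which is the length the message would have had, not the number of bytes written: when the headers plus token exceed the buffer libcurl supplies, the callback reports more bytes than it wrote and libcurl reads past the formatted data. Guard it with `if (r < 0 || (size_t)r >= t) return CURL_READFUNC_ABORT;` so an oversized message aborts the transfer rather than sending an over-read body. The `static int cd` makes the callback one-shot per process, which is correct only because each request runs in a forked child — a comment stating that assumption would stop someone reusing it in-process. In usage(), `-H http-url` and `-S smtp-url` are printed as required while the new man page shows both in brackets and lists the SMTP URL under `-s, --smtp-url` although getopt binds it to `S:`; the man page should read -S there.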
@@ -282,79 +396,3 @@ int write_pidfile(char *fname) } /* write_pidfile */ -/* - * function: scan_ip - * - * IP address in string S is converted to a u_long - * (borrowed from tcpdump) - * - * left shift any partial dotted quads, ie 10 is 0x0a000000 not 0x0a - * so scan_ip_prefix() works for standard prefix notation, ie 10/8 - */ -u_long scan_ip(char *s) -{ - struct hostent *he; - struct in_addr *ina; - u_long addr = 0; - uint n; - int dns, shift; - char *t; - - /* if there is anything ascii in here, this may be a hostname */ - for (dns = 0, t = s; *t; ++t) { - if (islower((int)*t) || isupper((int)*t)) { - dns = 1; - break; - } - } - - if (dns) { - - if (!(he = gethostbyname(s))) - goto numeric; - - if (he->h_addrtype != AF_INET) - goto numeric; - - if (he->h_length != sizeof (uint32_t)) - goto numeric; - - ina = (struct in_addr*)*he->h_addr_list; - return (ntohl(ina->s_addr)); - - } /* dns */ - - shift = 0; - -numeric: - while (1) { - - /* n is the nibble */ - n = 0; - - /* nibble's are . bounded */ - while (*s && (*s != '.') && (*s != ' ') && (*s != '\t')) - n = n * 10 + *s++ - '0'; - - /* shift in the nibble */ - addr <<=8; - addr |= n & 0xff; - ++shift; - - /* return on end of string */ - if ((!*s) || (*s == ' ') || (*s == '\t')) - goto ndone; - - /* skip the . */ - ++s; - } /* forever */ - -ndone: - - for (; shift < 4; ++shift) - addr <<=8; - - return addr; - -} /* scan_ip */ -