websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Upstream version 4.6.2

Browse Source
This commit is contained in:
Mario Fetka
2021-07-25 07:32:41 +02:00
commit 8ff3be4216
1788 changed files with 1900965 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
daemons/ipa-slapi-plugins/libotp/Makefile.am Normal file
View File

@@ -0,0 +1,18 @@
NULL =
PLUGIN_COMMON_DIR = $(srcdir)/../common
AM_CPPFLAGS = \
-I$(PLUGIN_COMMON_DIR) \
$(DIRSRV_CFLAGS) \
$(NSPR_CFLAGS) \
$(NSS_CFLAGS) \
$(NULL)
noinst_LTLIBRARIES = libhotp.la libotp.la
libhotp_la_SOURCES = hotp.c hotp.h
libotp_la_SOURCES = otp_config.c otp_config.h otp_token.c otp_token.h
libotp_la_LIBADD = libhotp.la
check_PROGRAMS = t_hotp
TESTS = $(check_PROGRAMS)
t_hotp_LDADD = libhotp.la $(NSPR_LIBS) $(NSS_LIBS)

1110
daemons/ipa-slapi-plugins/libotp/Makefile.in Normal file
View File

File diff suppressed because it is too large Load Diff

170
daemons/ipa-slapi-plugins/libotp/hotp.c Normal file
View File

@@ -0,0 +1,170 @@
/** BEGIN COPYRIGHT BLOCK
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Additional permission under GPLv3 section 7:
*
* In the following paragraph, "GPL" means the GNU General Public
* License, version 3 or any later version, and "Non-GPL Code" means
* code that is governed neither by the GPL nor a license
* compatible with the GPL.
*
* You may link the code of this Program with Non-GPL Code and convey
* linked combinations including the two, provided that such Non-GPL
* Code only links to the code of this Program through those well
* defined interfaces identified in the file named EXCEPTION found in
* the source code files (the "Approved Interfaces"). The files of
* Non-GPL Code may instantiate templates or use macros or inline
* functions from the Approved Interfaces without causing the resulting
* work to be covered by the GPL. Only the copyright holders of this
* Program may make changes or additions to the list of Approved
* Interfaces.
*
* Authors:
* Nathaniel McCallum <npmccallum@redhat.com>
*
* Copyright (C) 2013 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
/*
* This file contains an implementation of HOTP (RFC 4226) and TOTP (RFC 6238).
* For details of how these algorithms work, please see the relevant RFCs.
*/
#include "hotp.h"
#include <time.h>
#include <nss.h>
#include <pk11pub.h>
#include <hasht.h>
#include <prnetdb.h>
struct digest_buffer {
uint8_t buf[SHA512_LENGTH];
unsigned int len;
};
static const struct {
const char *algo;
CK_MECHANISM_TYPE mech;
} algo2mech[] = {
{ "sha1", CKM_SHA_1_HMAC },
{ "sha256", CKM_SHA256_HMAC },
{ "sha384", CKM_SHA384_HMAC },
{ "sha512", CKM_SHA512_HMAC },
{ }
};
/*
* This code is mostly cargo-cult taken from here:
* http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn5.html
*
* It should implement HMAC with the given mechanism (SHA: 1, 256, 384, 512).
*/
static bool hmac(SECItem *key, CK_MECHANISM_TYPE mech, const SECItem *in,
struct digest_buffer *out)
{
SECItem param = { siBuffer, NULL, 0 };
PK11SlotInfo *slot = NULL;
PK11SymKey *symkey = NULL;
PK11Context *ctx = NULL;
bool ret = false;
SECStatus s;
slot = PK11_GetBestSlot(mech, NULL);
if (slot == NULL) {
slot = PK11_GetInternalKeySlot();
if (slot == NULL) {
goto done;
}
}
symkey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap,
CKA_SIGN, key, NULL);
if (symkey == NULL)
goto done;
ctx = PK11_CreateContextBySymKey(mech, CKA_SIGN, symkey, &param);
if (ctx == NULL)
goto done;
s = PK11_DigestBegin(ctx);
if (s != SECSuccess)
goto done;
s = PK11_DigestOp(ctx, in->data, in->len);
if (s != SECSuccess)
goto done;
s = PK11_DigestFinal(ctx, out->buf, &out->len, sizeof(out->buf));
if (s != SECSuccess)
goto done;
ret = true;
done:
if (ctx != NULL)
PK11_DestroyContext(ctx, PR_TRUE);
if (symkey != NULL)
PK11_FreeSymKey(symkey);
if (slot != NULL)
PK11_FreeSlot(slot);
return ret;
}
/*
* An implementation of HOTP (RFC 4226).
*/
bool hotp(const struct hotp_token *token, uint64_t counter, uint32_t *out)
{
const SECItem cntr = { siBuffer, (uint8_t *) &counter, sizeof(counter) };
SECItem keyitm = { siBuffer, token->key.bytes, token->key.len };
CK_MECHANISM_TYPE mech = CKM_SHA_1_HMAC;
PRUint64 offset, binary, div;
struct digest_buffer digest;
int digits = token->digits;
int i;
/* Convert counter to network byte order. */
counter = PR_htonll(counter);
/* Find the mech. */
for (i = 0; algo2mech[i].algo; i++) {
if (strcasecmp(algo2mech[i].algo, token->algo) == 0) {
mech = algo2mech[i].mech;
break;
}
}
/* Create the digits divisor. */
for (div = 1; digits > 0; digits--) {
div *= 10;
}
/* Do the digest. */
if (!hmac(&keyitm, mech, &cntr, &digest)) {
return false;
}
/* Truncate. */
offset = digest.buf[digest.len - 1] & 0xf;
binary = (digest.buf[offset + 0] & 0x7f) << 0x18;
binary |= (digest.buf[offset + 1] & 0xff) << 0x10;
binary |= (digest.buf[offset + 2] & 0xff) << 0x08;
binary |= (digest.buf[offset + 3] & 0xff) << 0x00;
binary = binary % div;
*out = binary;
return true;
}

60
daemons/ipa-slapi-plugins/libotp/hotp.h Normal file
View File

@@ -0,0 +1,60 @@
/** BEGIN COPYRIGHT BLOCK
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Additional permission under GPLv3 section 7:
*
* In the following paragraph, "GPL" means the GNU General Public
* License, version 3 or any later version, and "Non-GPL Code" means
* code that is governed neither by the GPL nor a license
* compatible with the GPL.
*
* You may link the code of this Program with Non-GPL Code and convey
* linked combinations including the two, provided that such Non-GPL
* Code only links to the code of this Program through those well
* defined interfaces identified in the file named EXCEPTION found in
* the source code files (the "Approved Interfaces"). The files of
* Non-GPL Code may instantiate templates or use macros or inline
* functions from the Approved Interfaces without causing the resulting
* work to be covered by the GPL. Only the copyright holders of this
* Program may make changes or additions to the list of Approved
* Interfaces.
*
* Authors:
* Nathaniel McCallum <npmccallum@redhat.com>
*
* Copyright (C) 2013 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
#pragma once
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
struct hotp_token_key {
uint8_t *bytes;
size_t len;
};
struct hotp_token {
struct hotp_token_key key;
char *algo;
int digits;
};
/*
* An implementation of HOTP (RFC 4226).
*/
bool hotp(const struct hotp_token *token, uint64_t counter, uint32_t *out);

364
daemons/ipa-slapi-plugins/libotp/otp_config.c Normal file
View File

@@ -0,0 +1,364 @@
/** BEGIN COPYRIGHT BLOCK
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Additional permission under GPLv3 section 7:
*
* In the following paragraph, "GPL" means the GNU General Public
* License, version 3 or any later version, and "Non-GPL Code" means
* code that is governed neither by the GPL nor a license
* compatible with the GPL.
*
* You may link the code of this Program with Non-GPL Code and convey
* linked combinations including the two, provided that such Non-GPL
* Code only links to the code of this Program through those well
* defined interfaces identified in the file named EXCEPTION found in
* the source code files (the "Approved Interfaces"). The files of
* Non-GPL Code may instantiate templates or use macros or inline
* functions from the Approved Interfaces without causing the resulting
* work to be covered by the GPL. Only the copyright holders of this
* Program may make changes or additions to the list of Approved
* Interfaces.
*
* Authors:
* Nathaniel McCallum <npmccallum@redhat.com>
*
* Copyright (C) 2014 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
#include "otp_config.h"
#include "util.h"
#include <pratom.h>
#include <plstr.h>
#define OTP_CONFIG_AUTH_TYPE_DISABLED (1 << 31)
struct spec {
uint32_t (*func)(Slapi_Entry *, const char *attr);
const char *prefix;
const char *attr;
uint32_t dflt;
};
struct record {
struct record *next;
const struct spec *spec;
Slapi_DN *sdn;
uint32_t value;
};
struct otp_config {
Slapi_ComponentId *plugin_id;
struct record *records;
};
static uint32_t string_to_types(const char *str)
{
static const struct {
const char *string;
uint32_t config;
} map[] = {
{ "disabled", OTP_CONFIG_AUTH_TYPE_DISABLED },
{ "password", OTP_CONFIG_AUTH_TYPE_PASSWORD },
{ "otp", OTP_CONFIG_AUTH_TYPE_OTP },
{ "pkinit", OTP_CONFIG_AUTH_TYPE_PKINIT },
{ "radius", OTP_CONFIG_AUTH_TYPE_RADIUS },
{}
};
for (uint32_t i = 0; map[i].string != NULL; i++) {
if (strcasecmp(map[i].string, str) == 0)
return map[i].config;
}
return OTP_CONFIG_AUTH_TYPE_NONE;
}
static uint32_t entry_to_authtypes(Slapi_Entry *e, const char *attr)
{
char **auth_types = NULL;
if (e == NULL)
return OTP_CONFIG_AUTH_TYPE_NONE;
/* Fetch the auth type values from the config entry. */
auth_types = slapi_entry_attr_get_charray(e, attr);
if (auth_types == NULL)
return OTP_CONFIG_AUTH_TYPE_NONE;
uint32_t types = OTP_CONFIG_AUTH_TYPE_NONE;
for (uint32_t i = 0; auth_types[i] != NULL; i++)
types |= string_to_types(auth_types[i]);
slapi_ch_array_free(auth_types);
return types;
}
static uint32_t entry_to_window(Slapi_Entry *e, const char *attr)
{
long long val;
if (e == NULL)
return 0;
val = slapi_entry_attr_get_longlong(e, attr);
return val > 0 ? val : 0;
}
static const struct spec authtypes = {
entry_to_authtypes,
"cn=ipaConfig,cn=etc,%s",
"ipaUserAuthType",
OTP_CONFIG_AUTH_TYPE_PASSWORD
};
static const struct spec totp_auth_window = {
entry_to_window,
"cn=otp,cn=etc,%s",
"ipatokenTOTPauthWindow",
300
};
static const struct spec totp_sync_window = {
entry_to_window,
"cn=otp,cn=etc,%s",
"ipatokenTOTPsyncWindow",
86400
};
static const struct spec hotp_auth_window = {
entry_to_window,
"cn=otp,cn=etc,%s",
"ipatokenHOTPauthWindow",
10
};
static const struct spec hotp_sync_window = {
entry_to_window,
"cn=otp,cn=etc,%s",
"ipatokenHOTPsyncWindow",
100
};
static Slapi_DN *make_sdn(const char *prefix, const Slapi_DN *suffix)
{
char *dn = slapi_ch_smprintf(prefix, slapi_sdn_get_dn(suffix));
return slapi_sdn_new_dn_passin(dn);
}
static uint32_t find_value(const struct otp_config *cfg,
const Slapi_DN *suffix, const struct spec *spec)
{
uint32_t value = 0;
Slapi_DN *sdn;
sdn = make_sdn(spec->prefix, suffix);
for (struct record *rec = cfg->records; rec != NULL; rec = rec->next) {
if (rec->spec != spec)
continue;
if (slapi_sdn_compare(sdn, rec->sdn) != 0)
continue;
value = PR_ATOMIC_ADD(&rec->value, 0);
break;
}
slapi_sdn_free(&sdn);
return value;
}
static void update(const struct otp_config *cfg, Slapi_DN *src,
Slapi_Entry *entry)
{
Slapi_DN *dst = entry == NULL ? NULL : slapi_entry_get_sdn(entry);
for (struct record *rec = cfg->records; rec != NULL; rec = rec->next) {
uint32_t val = rec->spec->dflt;
/* If added, modified or moved into place... */
if (dst != NULL && slapi_sdn_compare(rec->sdn, dst) == 0) {
Slapi_Attr *attr = NULL;
if (slapi_entry_attr_find(entry, rec->spec->attr, &attr) == 0)
val = rec->spec->func(entry, rec->spec->attr);
/* If NOT deleted or moved out of place... */
} else if (slapi_sdn_compare(rec->sdn, src) != 0)
continue;
PR_ATOMIC_SET(&rec->value, val);
}
}
struct otp_config *otp_config_init(Slapi_ComponentId *plugin_id)
{
static const struct spec *specs[] = {
&authtypes,
&totp_auth_window,
&totp_sync_window,
&hotp_auth_window,
&hotp_sync_window,
NULL
};
struct otp_config *cfg = NULL;
void *node = NULL;
int search_result = 0;
cfg = (typeof(cfg)) slapi_ch_calloc(1, sizeof(*cfg));
cfg->plugin_id = plugin_id;
/* Build the config table. */
for (Slapi_DN *sfx = slapi_get_first_suffix(&node, 0);
sfx != NULL;
sfx = slapi_get_next_suffix(&node, 0)) {
for (size_t i = 0; specs[i] != NULL; i++) {
Slapi_Entry *entry = NULL;
struct record *rec;
/* Create the config entry. */
rec = (typeof(rec)) slapi_ch_calloc(1, sizeof(*rec));
rec->spec = specs[i];
rec->sdn = make_sdn(rec->spec->prefix, sfx);
/* Add config to the list. */
rec->next = cfg->records;
cfg->records = rec;
/* Load the specified entry. */
search_result = slapi_search_internal_get_entry(rec->sdn,
NULL, &entry, plugin_id);
if (search_result != LDAP_SUCCESS) {
LOG_TRACE("File '%s' line %d: Unable to access LDAP entry "
"'%s'. Perhaps it doesn't exist? "
"Error code: %d\n", __FILE__, __LINE__,
slapi_sdn_get_dn(rec->sdn), search_result);
}
update(cfg, rec->sdn, entry);
slapi_entry_free(entry);
}
}
return cfg;
}
static void record_fini(struct record **rec)
{
if (rec == NULL || *rec == NULL)
return;
record_fini(&(*rec)->next);
slapi_sdn_free(&(*rec)->sdn);
slapi_ch_free((void **) rec);
}
void otp_config_fini(struct otp_config **cfg)
{
if (cfg == NULL || *cfg == NULL)
return;
record_fini(&(*cfg)->records);
slapi_ch_free((void **) cfg);
}
void otp_config_update(struct otp_config *cfg, Slapi_PBlock *pb)
{
Slapi_Entry *entry = NULL;
Slapi_DN *src = NULL;
int oprc = 0;
/* Just bail if the operation failed. */
if (slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &oprc) != 0 || oprc != 0)
return;
/* Get the source SDN. */
if (slapi_pblock_get(pb, SLAPI_TARGET_SDN, &src) != 0)
return;
/* Ignore the error here (delete operations). */
(void) slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &entry);
update(cfg, src, entry);
}
Slapi_ComponentId *otp_config_plugin_id(const struct otp_config *cfg)
{
if (cfg == NULL)
return NULL;
return cfg->plugin_id;
}
uint32_t otp_config_auth_types(const struct otp_config *cfg,
Slapi_Entry *user_entry)
{
uint32_t glbl = OTP_CONFIG_AUTH_TYPE_NONE;
uint32_t user = OTP_CONFIG_AUTH_TYPE_NONE;
const Slapi_DN *sfx;
/* Load the global value. */
sfx = slapi_get_suffix_by_dn(slapi_entry_get_sdn(user_entry));
glbl = find_value(cfg, sfx, &authtypes);
/* Load the user value if not disabled. */
if ((glbl & OTP_CONFIG_AUTH_TYPE_DISABLED) == 0)
user = entry_to_authtypes(user_entry, authtypes.attr);
/* Filter out the disabled flag. */
glbl &= ~OTP_CONFIG_AUTH_TYPE_DISABLED;
user &= ~OTP_CONFIG_AUTH_TYPE_DISABLED;
if (user != OTP_CONFIG_AUTH_TYPE_NONE)
return user;
if (glbl != OTP_CONFIG_AUTH_TYPE_NONE)
return glbl;
return OTP_CONFIG_AUTH_TYPE_PASSWORD;
}
struct otp_config_window
otp_config_window(const struct otp_config *cfg, Slapi_Entry *token_entry)
{
const struct spec *auth = NULL, *sync = NULL;
struct otp_config_window wndw = { 0, 0 };
const Slapi_DN *sfx;
char **clses;
sfx = slapi_get_suffix_by_dn(slapi_entry_get_sdn_const(token_entry));
clses = slapi_entry_attr_get_charray(token_entry, SLAPI_ATTR_OBJECTCLASS);
for (size_t i = 0; clses != NULL && clses[i] != NULL; i++) {
if (strcasecmp(clses[i], "ipatokenTOTP") == 0) {
auth = &totp_auth_window;
sync = &totp_sync_window;
break;
}
if (strcasecmp(clses[i], "ipatokenHOTP") == 0) {
auth = &hotp_auth_window;
sync = &hotp_sync_window;
break;
}
}
slapi_ch_array_free(clses);
if (auth == NULL || sync == NULL)
return wndw;
wndw.auth = find_value(cfg, sfx, auth);
wndw.sync = find_value(cfg, sfx, sync);
return wndw;
}

82
daemons/ipa-slapi-plugins/libotp/otp_config.h Normal file
View File

@@ -0,0 +1,82 @@
/** BEGIN COPYRIGHT BLOCK
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Additional permission under GPLv3 section 7:
*
* In the following paragraph, "GPL" means the GNU General Public
* License, version 3 or any later version, and "Non-GPL Code" means
* code that is governed neither by the GPL nor a license
* compatible with the GPL.
*
* You may link the code of this Program with Non-GPL Code and convey
* linked combinations including the two, provided that such Non-GPL
* Code only links to the code of this Program through those well
* defined interfaces identified in the file named EXCEPTION found in
* the source code files (the "Approved Interfaces"). The files of
* Non-GPL Code may instantiate templates or use macros or inline
* functions from the Approved Interfaces without causing the resulting
* work to be covered by the GPL. Only the copyright holders of this
* Program may make changes or additions to the list of Approved
* Interfaces.
*
* Authors:
* Nathaniel McCallum <npmccallum@redhat.com>
*
* Copyright (C) 2014 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
#pragma once
#include <dirsrv/slapi-plugin.h>
#define OTP_CONFIG_AUTH_TYPE_NONE 0
#define OTP_CONFIG_AUTH_TYPE_PASSWORD (1 << 0)
#define OTP_CONFIG_AUTH_TYPE_OTP (1 << 1)
#define OTP_CONFIG_AUTH_TYPE_PKINIT (1 << 2)
#define OTP_CONFIG_AUTH_TYPE_RADIUS (1 << 3)
struct otp_config;
struct otp_config_window {
uint32_t auth;
uint32_t sync;
};
struct otp_config *otp_config_init(Slapi_ComponentId *plugin_id);
void otp_config_fini(struct otp_config **cfg);
void otp_config_update(struct otp_config *cfg, Slapi_PBlock *pb);
Slapi_ComponentId *otp_config_plugin_id(const struct otp_config *cfg);
/* Gets the permitted authentication types for the given user entry.
*
* The entry should be queried for the "ipaUserAuthType" attribute.
*/
uint32_t otp_config_auth_types(const struct otp_config *cfg,
Slapi_Entry *user_entry);
/* Gets the window sizes for a token.
*
* The entry should be queried for the following attributes:
* objectClass
* ipatokenTOTPauthWindow
* ipatokenTOTPsyncWindow
* ipatokenHOTPauthWindow
* ipatokenHOTPsyncWindow
*/
struct otp_config_window otp_config_window(const struct otp_config *cfg,
Slapi_Entry *token_entry);

533
daemons/ipa-slapi-plugins/libotp/otp_token.c Normal file
View File

@@ -0,0 +1,533 @@
/** BEGIN COPYRIGHT BLOCK
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Additional permission under GPLv3 section 7:
*
* In the following paragraph, "GPL" means the GNU General Public
* License, version 3 or any later version, and "Non-GPL Code" means
* code that is governed neither by the GPL nor a license
* compatible with the GPL.
*
* You may link the code of this Program with Non-GPL Code and convey
* linked combinations including the two, provided that such Non-GPL
* Code only links to the code of this Program through those well
* defined interfaces identified in the file named EXCEPTION found in
* the source code files (the "Approved Interfaces"). The files of
* Non-GPL Code may instantiate templates or use macros or inline
* functions from the Approved Interfaces without causing the resulting
* work to be covered by the GPL. Only the copyright holders of this
* Program may make changes or additions to the list of Approved
* Interfaces.
*
* Authors:
* Nathaniel McCallum <npmccallum@redhat.com>
*
* Copyright (C) 2013 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
#include "otp_token.h"
#include "otp_config.h"
#include "hotp.h"
#include <time.h>
#include <errno.h>
#define TOKEN(s) "ipaToken" s
#define O(s) TOKEN("OTP" s)
#define T(s) TOKEN("TOTP" s)
#define H(s) TOKEN("HOTP" s)
#define IPA_OTP_DEFAULT_TOKEN_STEP 30
#define IPA_OTP_OBJCLS_FILTER \
"(|(objectClass=ipaTokenTOTP)(objectClass=ipaTokenHOTP))"
enum type {
TYPE_NONE = 0,
TYPE_TOTP,
TYPE_HOTP,
};
struct otp_token {
const struct otp_config *cfg;
Slapi_DN *sdn;
struct hotp_token token;
enum type type;
struct otp_config_window window;
union {
struct {
uint64_t watermark;
int step; /* Seconds. */
int offset;
} totp;
struct {
uint64_t counter;
} hotp;
};
};
static inline bool is_algo_valid(const char *algo)
{
static const char *valid_algos[] = { "sha1", "sha256", "sha384",
"sha512", NULL };
int i, ret;
for (i = 0; valid_algos[i]; i++) {
ret = strcasecmp(algo, valid_algos[i]);
if (ret == 0)
return true;
}
return false;
}
static const struct berval *entry_attr_get_berval(const Slapi_Entry* e,
const char *type)
{
Slapi_Attr* attr = NULL;
Slapi_Value *v;
int ret;
ret = slapi_entry_attr_find(e, type, &attr);
if (ret != 0 || attr == NULL)
return NULL;
ret = slapi_attr_first_value(attr, &v);
if (ret < 0)
return NULL;
return slapi_value_get_berval(v);
}
static bool writeattr(const struct otp_token *token, const char *attr,
long long val)
{
Slapi_PBlock *pb = NULL;
bool success = false;
char value[32];
int ret;
LDAPMod *mods[] = {
&(LDAPMod) {
LDAP_MOD_REPLACE, (char *) attr,
.mod_values = (char *[]) { value, NULL }
},
NULL
};
snprintf(value, sizeof(value), "%lld", val);
pb = slapi_pblock_new();
slapi_modify_internal_set_pb(pb, slapi_sdn_get_dn(token->sdn), mods, NULL,
NULL, otp_config_plugin_id(token->cfg), 0);
if (slapi_modify_internal_pb(pb) != 0)
goto error;
if (slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret) != 0)
goto error;
if (ret != LDAP_SUCCESS)
goto error;
success = true;
error:
slapi_pblock_destroy(pb);
return success;
}
/**
* Validate a token.
*
* If the second token code is specified, perform synchronization.
*/
static bool validate(struct otp_token *token, time_t now, ssize_t step,
uint32_t first, const uint32_t *second)
{
const char *attr;
uint32_t tmp;
/* Calculate the absolute step. */
switch (token->type) {
case TYPE_TOTP:
attr = T("watermark");
step = (now + token->totp.offset) / token->totp.step + step;
if (token->totp.watermark > 0 && step < token->totp.watermark)
return false;
break;
case TYPE_HOTP:
if (step < 0) /* NEVER go backwards! */
return false;
attr = H("counter");
step = token->hotp.counter + step;
break;
default:
return false;
}
/* Validate the first code. */
if (!hotp(&token->token, step++, &tmp))
return false;
if (first != tmp)
return false;
/* Validate the second code if specified. */
if (second != NULL) {
if (!hotp(&token->token, step++, &tmp))
return false;
if (*second != tmp)
return false;
}
/* Write the step value. */
if (!writeattr(token, attr, step))
return false;
/* Save our modifications to the object. */
switch (token->type) {
case TYPE_TOTP:
/* Perform optional synchronization steps. */
if (second != NULL) {
long long off = (step - now / token->totp.step) * token->totp.step;
if (!writeattr(token, T("clockOffset"), off))
return false;
token->totp.offset = off;
}
token->totp.watermark = step;
break;
case TYPE_HOTP:
token->hotp.counter = step;
break;
default:
break;
}
return true;
}
static void otp_token_free(struct otp_token *token)
{
if (token == NULL)
return;
slapi_sdn_free(&token->sdn);
free(token->token.key.bytes);
slapi_ch_free_string(&token->token.algo);
free(token);
}
void otp_token_free_array(struct otp_token **tokens)
{
if (tokens == NULL)
return;
for (size_t i = 0; tokens[i] != NULL; i++)
otp_token_free(tokens[i]);
free(tokens);
}
static struct otp_token *otp_token_new(const struct otp_config *cfg,
Slapi_Entry *entry)
{
const struct berval *tmp;
struct otp_token *token;
char **vals;
token = calloc(1, sizeof(struct otp_token));
if (token == NULL)
return NULL;
token->cfg = cfg;
token->window = otp_config_window(cfg, entry);
/* Get the token type. */
vals = slapi_entry_attr_get_charray(entry, "objectClass");
if (vals == NULL)
goto error;
token->type = TYPE_NONE;
for (int i = 0; vals[i] != NULL; i++) {
if (strcasecmp(vals[i], "ipaTokenTOTP") == 0)
token->type = TYPE_TOTP;
else if (strcasecmp(vals[i], "ipaTokenHOTP") == 0)
token->type = TYPE_HOTP;
}
slapi_ch_array_free(vals);
if (token->type == TYPE_NONE)
goto error;
/* Get SDN. */
token->sdn = slapi_sdn_dup(slapi_entry_get_sdn(entry));
if (token->sdn == NULL)
goto error;
/* Get key. */
tmp = entry_attr_get_berval(entry, O("key"));
if (tmp == NULL)
goto error;
token->token.key.len = tmp->bv_len;
token->token.key.bytes = malloc(token->token.key.len);
if (token->token.key.bytes == NULL)
goto error;
memcpy(token->token.key.bytes, tmp->bv_val, token->token.key.len);
/* Get length. */
token->token.digits = slapi_entry_attr_get_int(entry, O("digits"));
if (token->token.digits != 6 && token->token.digits != 8)
goto error;
/* Get algorithm. */
token->token.algo = slapi_entry_attr_get_charptr(entry, O("algorithm"));
if (token->token.algo == NULL)
token->token.algo = slapi_ch_strdup("sha1");
if (!is_algo_valid(token->token.algo))
goto error;
switch (token->type) {
case TYPE_TOTP:
/* Get offset. */
token->totp.offset = slapi_entry_attr_get_int(entry, T("clockOffset"));
/* Get watermark. */
token->totp.watermark = slapi_entry_attr_get_int(entry, T("watermark"));
/* Get step. */
token->totp.step = slapi_entry_attr_get_uint(entry, T("timeStep"));
if (token->totp.step < 5)
token->totp.step = IPA_OTP_DEFAULT_TOKEN_STEP;
break;
case TYPE_HOTP:
/* Get counter. */
token->hotp.counter = slapi_entry_attr_get_int(entry, H("counter"));
break;
default:
break;
}
return token;
error:
otp_token_free(token);
return NULL;
}
static struct otp_token **find(const struct otp_config *cfg, const char *user_dn,
const char *token_dn, const char *intfilter,
const char *extfilter)
{
struct otp_token **tokens = NULL;
const Slapi_DN *basedn = NULL;
Slapi_Entry **entries = NULL;
Slapi_PBlock *pb = NULL;
Slapi_DN *sdn = NULL;
char *filter = NULL;
size_t count = 0;
int result = -1;
if (intfilter == NULL)
intfilter = "";
if (extfilter == NULL)
extfilter = "";
/* Create the filter. */
if (user_dn == NULL) {
filter = "(&" IPA_OTP_OBJCLS_FILTER "%s%s)";
filter = slapi_filter_sprintf(filter, intfilter, extfilter);
} else {
filter = "(&" IPA_OTP_OBJCLS_FILTER "(ipatokenOwner=%s%s)%s%s)";
filter = slapi_filter_sprintf(filter, ESC_AND_NORM_NEXT_VAL,
user_dn, intfilter, extfilter);
}
/* Create the search. */
pb = slapi_pblock_new();
if (token_dn != NULL) {
/* Find only the token specified. */
slapi_search_internal_set_pb(pb, token_dn, LDAP_SCOPE_BASE, filter,
NULL, 0, NULL, NULL,
otp_config_plugin_id(cfg), 0);
} else {
sdn = slapi_sdn_new_dn_byval(user_dn);
basedn = slapi_get_suffix_by_dn(sdn);
slapi_sdn_free(&sdn);
if (basedn == NULL)
goto error;
/* Find all user tokens. */
slapi_search_internal_set_pb(pb, slapi_sdn_get_dn(basedn),
LDAP_SCOPE_SUBTREE, filter, NULL, 0,
NULL, NULL, otp_config_plugin_id(cfg), 0);
}
slapi_search_internal_pb(pb);
slapi_ch_free_string(&filter);
/* Get the results. */
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
if (result != LDAP_SUCCESS)
goto error;
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
if (entries == NULL)
goto error;
/* TODO: Can I get the count another way? */
for (count = 0; entries[count] != NULL; count++)
continue;
/* Create the array. */
tokens = calloc(count + 1, sizeof(*tokens));
if (tokens == NULL)
goto error;
for (count = 0; entries[count] != NULL; count++) {
tokens[count] = otp_token_new(cfg, entries[count]);
if (tokens[count] == NULL) {
otp_token_free_array(tokens);
tokens = NULL;
goto error;
}
}
error:
slapi_pblock_destroy(pb);
return tokens;
}
struct otp_token **otp_token_find(const struct otp_config *cfg,
const char *user_dn, const char *token_dn,
bool active, const char *filter)
{
static const char template[] =
"(|(ipatokenNotBefore<=%04d%02d%02d%02d%02d%02dZ)(!(ipatokenNotBefore=*)))"
"(|(ipatokenNotAfter>=%04d%02d%02d%02d%02d%02dZ)(!(ipatokenNotAfter=*)))"
"(|(ipatokenDisabled=FALSE)(!(ipatokenDisabled=*)))";
char actfilt[sizeof(template)];
struct tm tm;
time_t now;
if (!active)
return find(cfg, user_dn, token_dn, NULL, filter);
/* Get the current time. */
if (time(&now) == (time_t) -1)
return NULL;
if (gmtime_r(&now, &tm) == NULL)
return NULL;
/* Get the current time string. */
if (snprintf(actfilt, sizeof(actfilt), template,
tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
tm.tm_hour, tm.tm_min, tm.tm_sec,
tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
tm.tm_hour, tm.tm_min, tm.tm_sec) < 0)
return NULL;
return find(cfg, user_dn, token_dn, actfilt, filter);
}
const Slapi_DN *otp_token_get_sdn(struct otp_token *token)
{
return token->sdn;
}
/*
* Convert code berval to decimal.
*
* NOTE: We can't use atol() or strtoul() because:
* 1. If we have leading zeros, atol() fails.
* 2. Neither support limiting conversion by length.
*/
static bool bvtod(const struct berval *code, int digits, uint32_t *out)
{
*out = 0;
if (code == NULL || digits <= 0 || code->bv_len < digits)
return false;
for (ber_len_t i = code->bv_len - digits; i < code->bv_len; i++) {
if (code->bv_val[i] < '0' || code->bv_val[i] > '9')
return false;
*out *= 10;
*out += code->bv_val[i] - '0';
}
return true;
}
static bool step_is_valid(struct otp_token *token, bool sync, uint32_t i)
{
uint32_t window = sync ? token->window.sync : token->window.auth;
switch (token->type) {
case TYPE_TOTP:
return i * token->totp.step < window;
case TYPE_HOTP:
return i < window;
default:
return false;
}
}
bool otp_token_validate_berval(struct otp_token * const *tokens,
struct berval *first_code,
struct berval *second_code)
{
time_t now = 0;
if (tokens == NULL)
return false;
if (time(&now) == (time_t) -1)
return false;
for (ssize_t i = 0, cnt = 1; cnt != 0; i++) {
cnt = 0;
for (int j = 0; tokens[j] != NULL; j++) {
uint32_t *secondp = NULL;
uint32_t second;
uint32_t first;
/* Don't validate beyond the specified window. */
if (!step_is_valid(tokens[j], second_code != NULL, i))
continue;
cnt++;
/* Parse the first code. */
if (!bvtod(first_code, tokens[j]->token.digits, &first))
continue;
/* Parse the second code. */
if (second_code != NULL) {
secondp = &second;
if (!bvtod(second_code, tokens[j]->token.digits, secondp))
continue;
}
/* Validate the positive/negative steps. */
if (!validate(tokens[j], now, i, first, secondp) &&
!validate(tokens[j], now, -i, first, secondp))
continue;
/* Codes validated; strip. */
first_code->bv_len -= tokens[j]->token.digits;
first_code->bv_val[first_code->bv_len] = '\0';
if (second_code != NULL) {
second_code->bv_len -= tokens[j]->token.digits;
second_code->bv_val[second_code->bv_len] = '\0';
}
return true;
}
}
return false;
}

88
daemons/ipa-slapi-plugins/libotp/otp_token.h Normal file
View File

@@ -0,0 +1,88 @@
/** BEGIN COPYRIGHT BLOCK
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Additional permission under GPLv3 section 7:
*
* In the following paragraph, "GPL" means the GNU General Public
* License, version 3 or any later version, and "Non-GPL Code" means
* code that is governed neither by the GPL nor a license
* compatible with the GPL.
*
* You may link the code of this Program with Non-GPL Code and convey
* linked combinations including the two, provided that such Non-GPL
* Code only links to the code of this Program through those well
* defined interfaces identified in the file named EXCEPTION found in
* the source code files (the "Approved Interfaces"). The files of
* Non-GPL Code may instantiate templates or use macros or inline
* functions from the Approved Interfaces without causing the resulting
* work to be covered by the GPL. Only the copyright holders of this
* Program may make changes or additions to the list of Approved
* Interfaces.
*
* Authors:
* Nathaniel McCallum <npmccallum@redhat.com>
*
* Copyright (C) 2013 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
#pragma once
#include "otp_config.h"
#include <stdbool.h>
#include <stdlib.h>
struct otp_token;
/* Frees the token array. */
void
otp_token_free_array(struct otp_token **tokens);
/* Find tokens.
*
* All criteria below are cumulative. For example, if you specify both dn and
* active and the token at the dn specified isn't active, an empty array will
* be returned.
*
* If user_dn is not NULL, the user's tokens are returned.
*
* If token_dn is not NULL, only this specified token is returned.
*
* If active is true, only tokens that are active are returned.
*
* If filter is not NULL, the filter will be added to the search criteria.
*
* Returns NULL on error. If no tokens are found, an empty array is returned.
* The array is NULL terminated.
*/
struct otp_token **otp_token_find(const struct otp_config *cfg,
const char *user_dn, const char *token_dn,
bool active, const char *filter);
/* Get the SDN of the token. */
const Slapi_DN *otp_token_get_sdn(struct otp_token *token);
/* Perform OTP authentication.
*
* If only the first code is specified, validation will be performed and the
* validated token will be stripped.
*
* If both codes are specified, synchronization will be performed and the
* validated tokens will be stripped.
*
* Returns true if and only if all specified tokens were validated.
*/
bool otp_token_validate_berval(struct otp_token * const *tokens,
struct berval *first_code,
struct berval *second_code);

121
daemons/ipa-slapi-plugins/libotp/t_hotp.c Normal file
View File

@@ -0,0 +1,121 @@
/** BEGIN COPYRIGHT BLOCK
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Additional permission under GPLv3 section 7:
*
* In the following paragraph, "GPL" means the GNU General Public
* License, version 3 or any later version, and "Non-GPL Code" means
* code that is governed neither by the GPL nor a license
* compatible with the GPL.
*
* You may link the code of this Program with Non-GPL Code and convey
* linked combinations including the two, provided that such Non-GPL
* Code only links to the code of this Program through those well
* defined interfaces identified in the file named EXCEPTION found in
* the source code files (the "Approved Interfaces"). The files of
* Non-GPL Code may instantiate templates or use macros or inline
* functions from the Approved Interfaces without causing the resulting
* work to be covered by the GPL. Only the copyright holders of this
* Program may make changes or additions to the list of Approved
* Interfaces.
*
* Authors:
* Nathaniel McCallum <npmccallum@redhat.com>
*
* Copyright (C) 2013 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
#include "hotp.h"
#include <assert.h>
#include <stddef.h>
#include <time.h>
#include <string.h>
#include <nss.h>
#define KEY(s) { (uint8_t *) s, sizeof(s) - 1 }
/* All HOTP test examples from RFC 4226 (Appendix D). */
static const struct hotp_token hotp_token = {
KEY("12345678901234567890"),
"sha1",
6
};
static const uint32_t hotp_answers[] = {
755224,
287082,
359152,
969429,
338314,
254676,
287922,
162583,
399871,
520489
};
/* All TOTP test examples from RFC 6238 (Appendix B). */
#define SHA1 { KEY("12345678901234567890"), "sha1", 8 }
#define SHA256 { KEY("12345678901234567890123456789012"), "sha256", 8 }
#define SHA512 { KEY("12345678901234567890123456789012" \
"34567890123456789012345678901234"), "sha512", 8 }
static const struct {
struct hotp_token token;
time_t time;
uint32_t answer;
} totp_tests[] = {
{ SHA1, 59, 94287082 },
{ SHA256, 59, 46119246 },
{ SHA512, 59, 90693936 },
{ SHA1, 1111111109, 7081804 },
{ SHA256, 1111111109, 68084774 },
{ SHA512, 1111111109, 25091201 },
{ SHA1, 1111111111, 14050471 },
{ SHA256, 1111111111, 67062674 },
{ SHA512, 1111111111, 99943326 },
{ SHA1, 1234567890, 89005924 },
{ SHA256, 1234567890, 91819424 },
{ SHA512, 1234567890, 93441116 },
{ SHA1, 2000000000, 69279037 },
{ SHA256, 2000000000, 90698825 },
{ SHA512, 2000000000, 38618901 },
#ifdef _LP64 /* Only do these tests on 64-bit systems. */
{ SHA1, 20000000000, 65353130 },
{ SHA256, 20000000000, 77737706 },
{ SHA512, 20000000000, 47863826 },
#endif
};
int
main(int argc, const char *argv[])
{
uint32_t otp;
int i;
NSS_NoDB_Init(".");
for (i = 0; i < sizeof(hotp_answers) / sizeof(*hotp_answers); i++) {
assert(hotp(&hotp_token, i, &otp));
assert(otp == hotp_answers[i]);
}
for (i = 0; i < sizeof(totp_tests) / sizeof(*totp_tests); i++) {
assert(hotp(&totp_tests[i].token, totp_tests[i].time / 30, &otp));
assert(otp == totp_tests[i].answer);
}
NSS_Shutdown();
return 0;
}