Record the last successful use of a TOTP key. Also add disabled (#if'd-out, not commented-out)
logic to prevent reuse of the same code or an earlier code within the window, and make some minor type adjustments. git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@693 185d5e19-27fe-0310-9dcf-9bff6b9f3609
This commit is contained in:
parent
b578b6a715
commit
066e2b91ff
|
@ -45,11 +45,11 @@ char *oath_key_to_uri(const struct oath_key *);
|
||||||
struct oath_key *oath_dummy_key(enum oath_mode, enum oath_hash, unsigned int);
|
struct oath_key *oath_dummy_key(enum oath_mode, enum oath_hash, unsigned int);
|
||||||
|
|
||||||
unsigned int oath_hotp(const uint8_t *, size_t, uint64_t, unsigned int);
|
unsigned int oath_hotp(const uint8_t *, size_t, uint64_t, unsigned int);
|
||||||
int oath_hotp_current(struct oath_key *);
|
unsigned int oath_hotp_current(struct oath_key *);
|
||||||
int oath_hotp_match(struct oath_key *, unsigned int, int);
|
int oath_hotp_match(struct oath_key *, unsigned int, int);
|
||||||
|
|
||||||
unsigned int oath_totp(const uint8_t *, size_t, unsigned int);
|
unsigned int oath_totp(const uint8_t *, size_t, unsigned int);
|
||||||
int oath_totp_match(const struct oath_key *, unsigned int, int);
|
|
||||||
unsigned int oath_totp_current(const struct oath_key *);
|
unsigned int oath_totp_current(const struct oath_key *);
|
||||||
|
int oath_totp_match(struct oath_key *, unsigned int, int);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -41,6 +41,7 @@ struct oath_key {
|
||||||
unsigned int digits;
|
unsigned int digits;
|
||||||
uint64_t counter;
|
uint64_t counter;
|
||||||
unsigned int timestep; /* in seconds */
|
unsigned int timestep; /* in seconds */
|
||||||
|
uint64_t lastuse;
|
||||||
|
|
||||||
/* housekeeping */
|
/* housekeeping */
|
||||||
unsigned int mapped:1;
|
unsigned int mapped:1;
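Review bot: The new `lastuse` field carries no comment saying what it holds, while the neighbouring `timestep` is annotated `/* in seconds */`; from the oath_totp_match hunk it is a TOTP time-step index (wall time divided by timestep), not a timestamp, and a reader comparing it with `time()` would get it wrong. Suggest `uint64_t lastuse; /* time step of the last accepted TOTP code, 0 = none */`, and confirm where keys are initialised that the field really starts at 0 (presumably so, but it is not visible here). The struct also has a `mapped:1` flag, so if keys can be backed by a mapped file the extra 8 bytes change that layout and any size or version check in the loader should be revisited — verify against the loader. The struct definition starts outside the hunk.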
|
||||||
|
|
|
@ -92,7 +92,7 @@ oath_hotp(const uint8_t *K, size_t Klen, uint64_t seq, unsigned int Digit)
|
||||||
/*
|
/*
|
||||||
* Computes the current code for the given key and advances the counter.
|
* Computes the current code for the given key and advances the counter.
|
||||||
*/
|
*/
|
||||||
int
|
unsigned int
|
||||||
oath_hotp_current(struct oath_key *k)
|
oath_hotp_current(struct oath_key *k)
|
||||||
{
|
{
|
||||||
unsigned int code;
|
unsigned int code;
|
||||||
|
@ -111,7 +111,7 @@ oath_hotp_current(struct oath_key *k)
|
||||||
/*
|
/*
|
||||||
* Compares the code provided by the user with expected values within a
|
* Compares the code provided by the user with expected values within a
|
||||||
* given window. Returns 1 if there was a match, 0 if not, and -1 if an
|
* given window. Returns 1 if there was a match, 0 if not, and -1 if an
|
||||||
* error occurred.
|
* error occurred. Also advances the counter if there was a match.
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
oath_hotp_match(struct oath_key *k, unsigned int response, int window)
|
oath_hotp_match(struct oath_key *k, unsigned int response, int window)
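Review bot: Changing oath_hotp_current to return `unsigned int` (first hunk of oath_hotp.c) removes the negative error sentinel without replacing it: if the body, which lies outside the hunk, still returns -1 for a key in the wrong mode or with no counter, that value is now UINT_MAX and a caller testing `< 0` will silently accept it as a valid code. Either keep an int return (or pass the code out through a pointer and return 0/-1), or document the sentinel in the function comment, `/* Returns the current code, or UINT_MAX on error. */`, and audit every caller for the comparison it makes. The header declaration in oath.h was updated to match, so the audit is of callers only.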
|
||||||
|
|
|
@ -67,8 +67,13 @@ oath_totp_current(const struct oath_key *k)
|
||||||
return (code);
|
return (code);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Compares the code provided by the user with expected values within a
|
||||||
|
* given window. Returns 1 if there was a match, 0 if not, and -1 if an
|
||||||
|
* error occurred.
|
||||||
|
*/
|
||||||
int
|
int
|
||||||
oath_totp_match(const struct oath_key *k, unsigned int response, int window)
|
oath_totp_match(struct oath_key *k, unsigned int response, int window)
|
||||||
{
|
{
|
||||||
unsigned int code;
|
unsigned int code;
|
||||||
uint64_t seq;
|
uint64_t seq;
|
||||||
|
@ -85,9 +90,16 @@ oath_totp_match(const struct oath_key *k, unsigned int response, int window)
|
||||||
seq = time(NULL) / k->timestep;
|
seq = time(NULL) / k->timestep;
|
||||||
dummy = (strcmp(k->label, OATH_DUMMY_LABEL) == 0);
|
dummy = (strcmp(k->label, OATH_DUMMY_LABEL) == 0);
|
||||||
for (int i = -window; i <= window; ++i) {
|
for (int i = -window; i <= window; ++i) {
|
||||||
|
#if OATH_TOTP_PREVENT_REUSE
|
||||||
|
/* XXX disabled for now, should be a key parameter? */
|
||||||
|
if (seq + i <= k->lastuse)
|
||||||
|
continue;
|
||||||
|
#endif
|
||||||
code = oath_hotp(k->key, k->keylen, seq + i, k->digits);
|
code = oath_hotp(k->key, k->keylen, seq + i, k->digits);
|
||||||
if (code == response && !dummy)
|
if (code == response && !dummy) {
|
||||||
|
k->lastuse = seq;
|
||||||
return (1);
|
return (1);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return (0);
|
return (0);
|
||||||
}
|
}
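Review bot: `k->lastuse = seq;` in the second hunk of oath_totp.c records the current time step rather than the step that actually matched, `seq + i`. With the (currently compiled-out) guard `if (seq + i <= k->lastuse) continue;` that would let a code accepted from a future step i > 0, which the window permits for clock skew, be replayed for the next i steps, while a code accepted from a past step would needlessly block every step up to seq. Recording the matched step, `k->lastuse = seq + i;`, makes the guard reject exactly the used code and anything earlier. Note that OATH_TOTP_PREVENT_REUSE is not defined anywhere visible, so lastuse is written but not enforced and replay within the window is still accepted until the guard is enabled; the rest of oath_totp_match lies outside the hunk.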
|
||||||
|
|