Record the last successful use of a TOTP key. Also add commented-out
logic to prevent reuse of the same code or an earlier code within the window, and make some minor type adjustments. git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@693 185d5e19-27fe-0310-9dcf-9bff6b9f3609
This commit is contained in:
parent
b578b6a715
commit
066e2b91ff
|
@ -45,11 +45,11 @@ char *oath_key_to_uri(const struct oath_key *);
|
|||
struct oath_key *oath_dummy_key(enum oath_mode, enum oath_hash, unsigned int);
|
||||
|
||||
unsigned int oath_hotp(const uint8_t *, size_t, uint64_t, unsigned int);
|
||||
int oath_hotp_current(struct oath_key *);
|
||||
unsigned int oath_hotp_current(struct oath_key *);
|
||||
int oath_hotp_match(struct oath_key *, unsigned int, int);
|
||||
|
||||
unsigned int oath_totp(const uint8_t *, size_t, unsigned int);
|
||||
int oath_totp_match(const struct oath_key *, unsigned int, int);
|
||||
unsigned int oath_totp_current(const struct oath_key *);
|
||||
int oath_totp_match(struct oath_key *, unsigned int, int);
|
||||
|
||||
#endif
|
||||
|
|
|
@ -41,6 +41,7 @@ struct oath_key {
|
|||
unsigned int digits;
|
||||
uint64_t counter;
|
||||
unsigned int timestep; /* in seconds */
|
||||
uint64_t lastuse;
|
||||
|
||||
/* housekeeping */
|
||||
unsigned int mapped:1;
|
||||
|
|
|
@ -92,7 +92,7 @@ oath_hotp(const uint8_t *K, size_t Klen, uint64_t seq, unsigned int Digit)
|
|||
/*
|
||||
* Computes the current code for the given key and advances the counter.
|
||||
*/
|
||||
int
|
||||
unsigned int
|
||||
oath_hotp_current(struct oath_key *k)
|
||||
{
|
||||
unsigned int code;
|
||||
|
@ -111,7 +111,7 @@ oath_hotp_current(struct oath_key *k)
|
|||
/*
|
||||
* Compares the code provided by the user with expected values within a
|
||||
* given window. Returns 1 if there was a match, 0 if not, and -1 if an
|
||||
* error occurred.
|
||||
* error occurred. Also advances the counter if there was a match.
|
||||
*/
|
||||
int
|
||||
oath_hotp_match(struct oath_key *k, unsigned int response, int window)
|
||||
|
|
|
@ -67,8 +67,13 @@ oath_totp_current(const struct oath_key *k)
|
|||
return (code);
|
||||
}
|
||||
|
||||
/*
|
||||
* Compares the code provided by the user with expected values within a
|
||||
* given window. Returns 1 if there was a match, 0 if not, and -1 if an
|
||||
* error occurred.
|
||||
*/
|
||||
int
|
||||
oath_totp_match(const struct oath_key *k, unsigned int response, int window)
|
||||
oath_totp_match(struct oath_key *k, unsigned int response, int window)
|
||||
{
|
||||
unsigned int code;
|
||||
uint64_t seq;
|
||||
|
@ -85,9 +90,16 @@ oath_totp_match(const struct oath_key *k, unsigned int response, int window)
|
|||
seq = time(NULL) / k->timestep;
|
||||
dummy = (strcmp(k->label, OATH_DUMMY_LABEL) == 0);
|
||||
for (int i = -window; i <= window; ++i) {
|
||||
#if OATH_TOTP_PREVENT_REUSE
|
||||
/* XXX disabled for now, should be a key parameter? */
|
||||
if (seq + i <= k->lastuse)
|
||||
continue;
|
||||
#endif
|
||||
code = oath_hotp(k->key, k->keylen, seq + i, k->digits);
|
||||
if (code == response && !dummy)
|
||||
if (code == response && !dummy) {
|
||||
k->lastuse = seq;
|
||||
return (1);
|
||||
}
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue