diff options
author | Nathaniel McCallum <npmccallum@redhat.com> | 2013-04-16 16:00:09 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-05-17 09:30:51 +0200 |
commit | 5b58348cd316dd817672cb81358ed557c28e09d3 (patch) | |
tree | 0c59e7562938554fc3c217a42d0698e08dde3c3a /daemons/ipa-slapi-plugins/ipa-pwd-extop/t_hotp.c | |
parent | 1e1bab4edc0ce4b70a370deac8109092b53b97a2 (diff) | |
download | freeipa-5b58348cd316dd817672cb81358ed557c28e09d3.tar.gz freeipa-5b58348cd316dd817672cb81358ed557c28e09d3.tar.xz freeipa-5b58348cd316dd817672cb81358ed557c28e09d3.zip |
Add OTP support to ipa-pwd-extop
During LDAP bind, this now plugin determines if a user is enabled
for OTP authentication. If so, then the OTP is validated in addition
to the password. This allows 2FA during user binds.
https://fedorahosted.org/freeipa/ticket/3367
http://freeipa.org/page/V3/OTP
Diffstat (limited to 'daemons/ipa-slapi-plugins/ipa-pwd-extop/t_hotp.c')
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/t_hotp.c | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/t_hotp.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/t_hotp.c new file mode 100644 index 000000000..d57f9ab68 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/t_hotp.c @@ -0,0 +1,82 @@ +/** BEGIN COPYRIGHT BLOCK + * This Program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; version 3 of the License. + * + * This Program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with + * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place, Suite 330, Boston, MA 02111-1307 USA. + * + * In addition, as a special exception, Red Hat, Inc. gives You the additional + * right to link the code of this Program with code not covered under the GNU + * General Public License ("Non-GPL Code") and to distribute linked combinations + * including the two, subject to the limitations in this paragraph. Non-GPL Code + * permitted under this exception must only link to the code of this Program + * through those well defined interfaces identified in the file named EXCEPTION + * found in the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline functions from + * the Approved Interfaces without causing the resulting work to be covered by + * the GNU General Public License. Only Red Hat, Inc. may make changes or + * additions to the list of Approved Interfaces. You must obey the GNU General + * Public License in all respects for all of the Program code and other code used + * in conjunction with the Program except the Non-GPL Code covered by this + * exception. If you modify this file, you may extend this exception to your + * version of the file, but you are not obligated to do so. If you do not wish to + * provide this exception without modification, you must delete this exception + * statement from your version and license this file solely under the GPL without + * exception. + * + * + * Copyright (C) 2013 Red Hat, Inc. + * All rights reserved. + * END COPYRIGHT BLOCK **/ + +#include <assert.h> +#include <stdbool.h> +#include <stdint.h> +#include <stddef.h> +#include <time.h> +#include <string.h> +#include <nss.h> + +/* + * From otp.c + */ +bool ipapwd_hotp(const uint8_t *key, size_t len, const char *algo, int digits, + uint64_t counter, uint32_t *out); + +/* All HOTP test examples from RFC 4226 (Appendix D). */ +static const uint8_t *key = (uint8_t *) "12345678901234567890"; +static const uint32_t answers[] = { + 755224, + 287082, + 359152, + 969429, + 338314, + 254676, + 287922, + 162583, + 399871, + 520489 +}; + +int +main(int argc, const char *argv[]) +{ + uint32_t otp; + int i; + + NSS_NoDB_Init("."); + + for (i = 0; i < sizeof(answers) / sizeof(*answers); i++) { + assert(ipapwd_hotp(key, 20, "sha1", 6, i, &otp)); + assert(otp == answers[i]); + } + + NSS_Shutdown(); + return 0; +} |