search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Patrick Welche <prlw1@cam.ac.uk>
[netbsd-mini2440.git] / crypto / dist / heimdal / appl / otp / otp.c
bloba7a7556cd64c7f593a137b95fd43bdb103fff1bd
1 /*
2 * Copyright (c) 1995-1997, 1999 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "otp_locl.h"
35 #include <getarg.h>
36
37 __RCSID("$Heimdal: otp.c 12753 2003-09-03 09:37:03Z lha $"
38 "$NetBSD$");
39
40 static int listp;
41 static int deletep;
42 static int openp;
43 static int renewp;
44 static char* alg_string;
45 static char *user;
46 static int version_flag;
47 static int help_flag;
48
49 struct getargs args[] = {
50 { "list", 'l', arg_flag, &listp, "list OTP status" },
51 { "delete", 'd', arg_flag, &deletep, "delete OTP" },
52 { "open", 'o', arg_flag, &openp, "open a locked OTP" },
53 { "renew", 'r', arg_flag, &renewp, "securely renew OTP" },
54 { "hash", 'f', arg_string, &alg_string,
55 "hash algorithm (md4, md5, or sha)", "algorithm"},
56 { "user", 'u', arg_string, &user,
57 "user other than current user (root only)", "user" },
58 { "version", 0, arg_flag, &version_flag },
59 { "help", 'h', arg_flag, &help_flag }
60 };
61
62 int num_args = sizeof(args) / sizeof(args[0]);
63
64 static void
65 usage(int code)
66 {
67 arg_printusage(args, num_args, NULL, "[num seed]");
68 exit(code);
69 }
70
71 /*
72 * Renew the OTP for a user.
73 * The pass-phrase is not required (RFC 1938/8.0)
74 */
75
76 static int
77 renew (int argc, char **argv, OtpAlgorithm *alg, char *user)
78 {
79 OtpContext newctx, *ctx;
80 char prompt[128];
81 char pw[64];
82 void *dbm;
83 int ret;
84
85 newctx.alg = alg;
86 newctx.user = user;
87 newctx.n = atoi (argv[0]);
88 strlcpy (newctx.seed, argv[1], sizeof(newctx.seed));
89 strlwr(newctx.seed);
90 snprintf (prompt, sizeof(prompt),
91 "[ otp-%s %u %s ]",
92 newctx.alg->name,
93 newctx.n,
94 newctx.seed);
95 if (UI_UTIL_read_pw_string (pw, sizeof(pw), prompt, 0) == 0 &&
96 otp_parse (newctx.key, pw, alg) == 0) {
97 ctx = &newctx;
98 ret = 0;
99 } else
100 return 1;
101
102 dbm = otp_db_open ();
103 if (dbm == NULL) {
104 warnx ("otp_db_open failed");
105 return 1;
106 }
107 otp_put (dbm, ctx);
108 otp_db_close (dbm);
109 return ret;
110 }
111
112 /*
113 * Return 0 if the user could enter the next OTP.
114 * I would rather have returned !=0 but it's shell-like here around.
115 */
116
117 static int
118 verify_user_otp(char *username)
119 {
120 OtpContext ctx;
121 char passwd[OTP_MAX_PASSPHRASE + 1];
122 char prompt[128], ss[256];
123
124 if (otp_challenge (&ctx, username, ss, sizeof(ss)) != 0) {
125 warnx("no otp challenge found for %s", username);
126 return 1;
127 }
128
129 snprintf (prompt, sizeof(prompt), "%s's %s Password: ", username, ss);
130 if(UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0))
131 return 1;
132 return otp_verify_user (&ctx, passwd);
133 }
134
135 /*
136 * Set the OTP for a user
137 */
138
139 static int
140 set (int argc, char **argv, OtpAlgorithm *alg, char *user)
141 {
142 void *db;
143 OtpContext ctx;
144 char pw[OTP_MAX_PASSPHRASE + 1];
145 int ret;
146 int i;
147
148 ctx.alg = alg;
149 ctx.user = strdup (user);
150 if (ctx.user == NULL)
151 err (1, "out of memory");
152
153 ctx.n = atoi (argv[0]);
154 strlcpy (ctx.seed, argv[1], sizeof(ctx.seed));
155 strlwr(ctx.seed);
156 do {
157 if (UI_UTIL_read_pw_string (pw, sizeof(pw), "Pass-phrase: ", 1))
158 return 1;
159 if (strlen (pw) < OTP_MIN_PASSPHRASE)
160 printf ("Too short pass-phrase. Use at least %d characters\n",
161 OTP_MIN_PASSPHRASE);
162 } while(strlen(pw) < OTP_MIN_PASSPHRASE);
163 ctx.alg->init (ctx.key, pw, ctx.seed);
164 for (i = 0; i < ctx.n; ++i)
165 ctx.alg->next (ctx.key);
166 db = otp_db_open ();
167 if(db == NULL) {
168 free (ctx.user);
169 err (1, "otp_db_open failed");
170 }
171 ret = otp_put (db, &ctx);
172 otp_db_close (db);
173 free (ctx.user);
174 return ret;
175 }
176
177 /*
178 * Delete otp of user from the database
179 */
180
181 static int
182 delete_otp (int argc, char **argv, char *user)
183 {
184 void *db;
185 OtpContext ctx;
186 int ret;
187
188 db = otp_db_open ();
189 if(db == NULL)
190 errx (1, "otp_db_open failed");
191
192 ctx.user = user;
193 ret = otp_delete(db, &ctx);
194 otp_db_close (db);
195 return ret;
196 }
197
198 /*
199 * Tell whether the user has an otp
200 */
201
202 static int
203 has_an_otp(char *user)
204 {
205 void *db;
206 OtpContext ctx;
207 int ret;
208
209 db = otp_db_open ();
210 if(db == NULL) {
211 warnx ("otp_db_open failed");
212 return 0; /* if no db no otp! */
213 }
214
215 ctx.user = user;
216 ret = otp_simple_get(db, &ctx);
217
218 otp_db_close (db);
219 return !ret;
220 }
221
222 /*
223 * Get and print out the otp entry for some user
224 */
225
226 static void
227 print_otp_entry_for_name (void *db, char *user)
228 {
229 OtpContext ctx;
230
231 ctx.user = user;
232 if (!otp_simple_get(db, &ctx)) {
233 fprintf(stdout,
234 "%s\totp-%s %d %s",
235 ctx.user, ctx.alg->name, ctx.n, ctx.seed);
236 if (ctx.lock_time)
237 fprintf(stdout,
238 "\tlocked since %s",
239 ctime(&ctx.lock_time));
240 else
241 fprintf(stdout, "\n");
242 }
243 }
244
245 static int
246 open_otp (int argc, char **argv, char *user)
247 {
248 void *db;
249 OtpContext ctx;
250 int ret;
251
252 db = otp_db_open ();
253 if (db == NULL)
254 errx (1, "otp_db_open failed");
255
256 ctx.user = user;
257 ret = otp_simple_get (db, &ctx);
258 if (ret == 0)
259 ret = otp_put (db, &ctx);
260 otp_db_close (db);
261 return ret;
262 }
263
264 /*
265 * Print otp entries for one or all users
266 */
267
268 static int
269 list_otps (int argc, char **argv, char *user)
270 {
271 void *db;
272 struct passwd *pw;
273
274 db = otp_db_open ();
275 if(db == NULL)
276 errx (1, "otp_db_open failed");
277
278 if (user)
279 print_otp_entry_for_name(db, user);
280 else
281 /* scans all users... so as to get a deterministic order */
282 while ((pw = getpwent()))
283 print_otp_entry_for_name(db, pw->pw_name);
284
285 otp_db_close (db);
286 return 0;
287 }
288
289 int
290 main (int argc, char **argv)
291 {
292 int defaultp = 0;
293 int uid = getuid();
294 OtpAlgorithm *alg = otp_find_alg (OTP_ALG_DEFAULT);
295 int optind = 0;
296
297 setprogname (argv[0]);
298 if(getarg(args, num_args, argc, argv, &optind))
299 usage(1);
300 if(help_flag)
301 usage(0);
302 if(version_flag) {
303 print_version(NULL);
304 exit(0);
305 }
306
307 if(deletep && uid != 0)
308 errx (1, "Only root can delete OTPs");
309 if(alg_string) {
310 alg = otp_find_alg (alg_string);
311 if (alg == NULL)
312 errx (1, "Unknown algorithm: %s", alg_string);
313 }
314 if (user && uid != 0)
315 errx (1, "Only root can use `-u'");
316 argc -= optind;
317 argv += optind;
318
319 if (!(listp || deletep || renewp || openp))
320 defaultp = 1;
321
322 if ( listp + deletep + renewp + defaultp + openp != 1)
323 usage(1); /* one of -d or -l or -r or none */
324
325 if(deletep || openp || listp) {
326 if(argc != 0)
327 errx(1, "delete, open, and list requires no arguments");
328 } else {
329 if(argc != 2)
330 errx(1, "setup, and renew requires `num', and `seed'");
331 }
332 if (listp)
333 return list_otps (argc, argv, user);
334
335 if (user == NULL) {
336 struct passwd *pwd;
337
338 pwd = k_getpwuid(uid);
339 if (pwd == NULL)
340 err (1, "You don't exist");
341 user = pwd->pw_name;
342 }
343
344 /*
345 * users other that root must provide the next OTP to update the sequence.
346 * it avoids someone to use a pending session to change an OTP sequence.
347 * see RFC 1938/8.0.
348 */
349 if (uid != 0 && (defaultp || renewp)) {
350 if (!has_an_otp(user)) {
351 errx (1, "Only root can set an initial OTP");
352 } else { /* Check the next OTP (RFC 1938/8.0: SHOULD) */
353 if (verify_user_otp(user) != 0) {
354 errx (1, "User authentification failed");
355 }
356 }
357 }
358
359 if (deletep)
360 return delete_otp (argc, argv, user);
361 else if (renewp)
362 return renew (argc, argv, alg, user);
363 else if (openp)
364 return open_otp (argc, argv, user);
365 else
366 return set (argc, argv, alg, user);
367 }
NetBSD on the FriendlyARM MINI2440