Check-in [2c3e230a26]
Comment:Add a calc command that prints the current code.
SHA1: 2c3e230a268ffd56c95742a03731e18176174965
User & Date: des 2014-10-22 10:03:14

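--- a/bin/oathkey/oathkey.1
+++ b/bin/oathkey/oathkey.1
@@ -24,15 +24,15 @@
 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
 .\" $Id$
 .\"
-.Dd October 8, 2014
+.Dd October 22, 2014
 .Dt OATHKEY 1
 .Os
 .Sh NAME
 .Nm oathkey
 .Nd OATH key management tool
 .Sh SYNOPSIS
 .Nm
@@ -63,32 +63,36 @@
 Enable verbose mode.
 .It Fl w
 Enable writeback mode (see below).
 .El
 .Pp
 The commands are:
 .Bl -tag -width 6n
+.It Cm calc
+Compute and display the current code for the given key.
+If writeback mode is enabled, the user's keyfile is updated to prevent
+reuse.
 .It Cm genkey
 Generate a new key.
 If writeback mode is enabled, the user's key is set; otherwise, it is
 printed to standard output.
 .It Cm getkey
 Print the user's key.
 .It Cm geturi
 Print the user's key in otpauth URI form.
 .It Cm setkey Ar uri
 Set the user's key to the given otpauth URI.
+.It Cm uri
+Deprecated synonym for
+.Cm geturi .
 .It Cm verify Ar code
 Verify that the given code is the correct current response for the
 user's key.
 If writeback mode is enabled and the response matched, the user's
 keyfile is updated to prevent reuse.
-.It Cm uri
-Deprecated synonym for
-.Cm geturi .
 .El
 .Sh SEE ALSO
 .Xr oath_hotp 3 ,
 .Xr oath_key 3 ,
 .Xr oath_totp 3 ,
 .Xr pam_oath 8
 .Sh AUTHORS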
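--- a/bin/oathkey/oathkey.c
+++ b/bin/oathkey/oathkey.c
@@ -86,14 +86,32 @@
 		warnx("failed to convert key to otpauth URI");
 		return (RET_ERROR);
 	}
 	printf("%s\n", keyuri);
 	free(keyuri);
 	return (RET_SUCCESS);
 }
+
+/*
+ * Load key from file
+ */
+static int
+oathkey_load(struct oath_key **key)
+{
+
+	if (verbose)
+		warnx("loading key from %s", keyfile);
+	if ((*key = oath_key_from_file(keyfile)) == NULL) {
+		warn("%s", keyfile);
+		if (errno == EACCES || errno == EPERM)
+			return (RET_UNAUTH);
+		return (RET_ERROR);
+	}
+	return (RET_SUCCESS);
+}
 
 /*
  * Save key to file
  * XXX liboath should take care of this for us
  */
 static int
 oathkey_save(struct oath_key *key)
@@ -179,18 +197,16 @@
 	int ret;
 
 	if (argc != 0)
 		return (RET_USAGE);
 	(void)argv;
 	if (!isroot && !issameuser)
 		return (RET_UNAUTH);
-	if (verbose)
-		warnx("loading key from %s", keyfile);
-	if ((key = oath_key_from_file(keyfile)) == NULL)
-		return (RET_ERROR);
+	if ((ret = oathkey_load(&key)) != RET_SUCCESS)
+		return (ret);
 	ret = oathkey_print_hex(key);
 	oath_key_free(key);
 	return (ret);
 }
 
 /*
  * Print the otpauth URI for a key
@@ -202,18 +218,16 @@
 	int ret;
 
 	if (argc != 0)
 		return (RET_USAGE);
 	(void)argv;
 	if (!isroot && !issameuser)
 		return (RET_UNAUTH);
-	if (verbose)
-		warnx("loading key from %s", keyfile);
-	if ((key = oath_key_from_file(keyfile)) == NULL)
-		return (RET_ERROR);
+	if ((ret = oathkey_load(&key)) != RET_SUCCESS)
+		return (ret);
 	ret = oathkey_print_uri(key);
 	oath_key_free(key);
 	return (ret);
 }
 
 /*
  * Check whether a given response is correct for the given keyfile.
@@ -224,18 +238,16 @@
 	struct oath_key *key;
 	unsigned long response;
 	char *end;
 	int match, ret;
 
 	if (argc < 1)
 		return (RET_USAGE);
-	if (verbose)
-		warnx("loading key from %s", keyfile);
-	if ((key = oath_key_from_file(keyfile)) == NULL)
-		return (RET_ERROR);
+	if ((ret = oathkey_load(&key)) != RET_SUCCESS)
+		return (ret);
 	response = strtoul(*argv, &end, 10);
 	if (end == *argv || *end != '\0')
 		response = ULONG_MAX; /* never valid */
 	if (key->mode == om_totp)
 		match = oath_totp_match(key, response, 3 /* XXX window */);
 	else if (key->mode == om_hotp)
 		match = oath_hotp_match(key, response, 17 /* XXX window */);
@@ -251,25 +263,60 @@
 		    match ? "matched" : "did not match");
 	ret = match ? RET_SUCCESS : RET_FAILURE;
 	if (match && writeback)
 		ret = oathkey_save(key);
 	oath_key_free(key);
 	return (ret);
 }
+
+/*
+ * Compute the current code
+ */
+static int
+oathkey_calc(int argc, char *argv[])
+{
+	struct oath_key *key;
+	unsigned int current;
+	int ret;
+
+	if (argc != 0)
+		return (RET_USAGE);
+	(void)argv;
+	if ((ret = oathkey_load(&key)) != RET_SUCCESS)
+		return (ret);
+	if (key->mode == om_totp)
+		current = oath_totp_current(key);
+	else if (key->mode == om_hotp)
+		current = oath_hotp_current(key);
+	else
+		current = -1;
+	if (current == (unsigned int)-1) {
+		warnx("OATH error");
+		ret = RET_ERROR;
+	} else {
+		printf("%.*d\n", (int)key->digits, current);
+		ret = RET_SUCCESS;
+		if (writeback)
+			ret = oathkey_save(key);
+	}
+	oath_key_free(key);
+	return (ret);
+}
 
 /*
  * Print usage string and exit.
  */
 static void
 usage(void)
 {
 	fprintf(stderr,
 	    "usage: oathkey [-hvw] [-u user] [-k keyfile] <command>\n"
 	    "\n"
 	    "Commands:\n"
+	    "    calc        Print the current code\n"
 	    "    genkey      Generate a new key\n"
 	    "    getkey      Print the key in hexadecimal form\n"
 	    "    geturi      Print the key in otpauth URI form\n"
 	    "    setkey      Generate a new key\n"
 	    "    verify <response>\n"
 	    "                Verify a response\n");
 	exit(1);
@@ -350,18 +397,20 @@
 			err(1, "asprintf()");
 
 	/*
 	 * Execute the requested command
 	 */
 	if (strcmp(cmd, "help") == 0)
 		ret = RET_USAGE;
+	else if (strcmp(cmd, "calc") == 0)
+		ret = oathkey_calc(argc, argv);
 	else if (strcmp(cmd, "genkey") == 0)
 		ret = oathkey_genkey(argc, argv);
 	else if (strcmp(cmd, "getkey") == 0)
-		ret = oathkey_getkey(argc, argv);	
+		ret = oathkey_getkey(argc, argv);
 	else if (strcmp(cmd, "geturi") == 0 || strcmp(cmd, "uri") == 0)
 		ret = oathkey_geturi(argc, argv);
 	else if (strcmp(cmd, "setkey") == 0)
 		ret = oathkey_setkey(argc, argv);
 	else if (strcmp(cmd, "verify") == 0)
 		ret = oathkey_verify(argc, argv);
 	else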
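Review bot: The new oathkey_calc prints a live one-time code for the loaded key but, unlike oathkey_getkey and oathkey_geturi in the hunks above, carries no `if (!isroot && !issameuser) return (RET_UNAUTH);` after `(void)argv;`, so whether a code for another user's key can be produced depends only on that keyfile's read permission; unless mirroring oathkey_verify is intended, add the same guard so the authorization policy for disclosing a valid code matches the one for disclosing the key. In the same function `printf("%.*d\n", (int)key->digits, current);` passes an `unsigned int` to `%d`; `printf("%.*u\n", (int)key->digits, current);` matches the argument type. In oathkey_load, `warn("%s", keyfile)` runs before `errno` is inspected and oath_key_from_file may plausibly fail for reasons that leave errno stale, so saving errno into a local immediately after the failed call, and classifying and reporting from that copy, would make the RET_UNAUTH/RET_ERROR distinction reliable. The command dispatch chain in the last hunk belongs to a function that continues past the end of the hunk.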