]>
Commit | Line | Data |
---|---|---|
06a0313f DM |
1 | package PVE::OTP; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | use Digest::SHA; | |
6 | use MIME::Base32; #libmime-base32-perl | |
7 | use MIME::Base64; | |
8 | use URI::Escape; | |
9 | use HTTP::Request; | |
10 | use LWP::UserAgent; | |
11 | ||
12 | use PVE::Tools; | |
13 | ||
14 | # hotp/totp code | |
15 | ||
16 | sub hotp($$;$) { | |
17 | my ($binsecret, $number, $digits) = @_; | |
18 | ||
19 | $digits = 6 if !defined($digits); | |
20 | ||
21 | my $bincounter = pack('Q>', $number); | |
22 | my $hmac = Digest::SHA::hmac_sha1($bincounter, $binsecret); | |
23 | ||
24 | my $offset = unpack('C', substr($hmac,19) & pack('C', 0x0F)); | |
25 | my $part = substr($hmac, $offset, 4); | |
26 | my $otp = unpack('N', $part); | |
27 | my $value = ($otp & 0x7fffffff) % (10**$digits); | |
28 | return sprintf("%0${digits}d", $value); | |
29 | } | |
30 | ||
31 | # experimental code for yubico OTP verification | |
32 | ||
33 | sub yubico_compute_param_sig { | |
34 | my ($param, $api_key) = @_; | |
35 | ||
36 | my $paramstr = ''; | |
37 | foreach my $key (sort keys %$param) { | |
38 | $paramstr .= '&' if $paramstr; | |
39 | $paramstr .= "$key=$param->{$key}"; | |
40 | } | |
41 | ||
42 | # hmac_sha1_base64 does not add '=' padding characters, so we use encode_base64 | |
43 | my $sig = uri_escape(encode_base64(Digest::SHA::hmac_sha1($paramstr, decode_base64($api_key || '')), '')); | |
44 | ||
45 | return ($paramstr, $sig); | |
46 | } | |
47 | ||
48 | sub yubico_verify_otp { | |
49 | my ($otp, $keys, $url, $api_id, $api_key, $proxy) = @_; | |
50 | ||
51 | die "yubico: missing password\n" if !defined($otp); | |
52 | die "yubico: missing API ID\n" if !defined($api_id); | |
53 | die "yubico: missing API KEY\n" if !defined($api_key); | |
54 | die "yubico: no associated yubico keys\n" if $keys =~ m/^\s+$/; | |
55 | ||
56 | die "yubico: wrong OTP length\n" if (length($otp) < 32) || (length($otp) > 48); | |
57 | ||
58 | $url = 'http://api2.yubico.com/wsapi/2.0/verify' if !defined($url); | |
59 | ||
60 | my $params = { | |
61 | nonce => Digest::SHA::hmac_sha1_hex(time(), rand()), | |
62 | id => $api_id, | |
63 | otp => uri_escape($otp), | |
64 | timestamp => 1, | |
65 | }; | |
66 | ||
67 | my ($paramstr, $sig) = yubico_compute_param_sig($params, $api_key); | |
68 | ||
69 | $paramstr .= "&h=$sig" if $api_key; | |
70 | ||
71 | my $req = HTTP::Request->new('GET' => "$url?$paramstr"); | |
72 | ||
73 | my $ua = LWP::UserAgent->new(protocols_allowed => ['http', 'https'], timeout => 30); | |
74 | ||
75 | if ($proxy) { | |
76 | $ua->proxy(['http', 'https'], $proxy); | |
77 | } else { | |
78 | $ua->env_proxy; | |
79 | } | |
80 | ||
81 | my $response = $ua->request($req); | |
82 | my $code = $response->code; | |
83 | ||
84 | if ($code != 200) { | |
85 | my $msg = $response->message || 'unknown'; | |
86 | die "Invalid response from server: $code $msg\n"; | |
87 | } | |
88 | ||
89 | my $raw = $response->decoded_content; | |
90 | ||
91 | my $result = {}; | |
92 | foreach my $kvpair (split(/\n/, $raw)) { | |
93 | chomp $kvpair; | |
94 | if($kvpair =~ /^\S+=/) { | |
95 | my ($k, $v) = split(/=/, $kvpair, 2); | |
96 | $v =~ s/\s//g; | |
97 | $result->{$k} = $v; | |
98 | } | |
99 | } | |
100 | ||
101 | my $rsig = $result->{h}; | |
102 | delete $result->{h}; | |
103 | ||
104 | if ($api_key) { | |
105 | my ($datastr, $vsig) = yubico_compute_param_sig($result, $api_key); | |
106 | $vsig = uri_unescape($vsig); | |
107 | die "yubico: result signature verification failed\n" if $rsig ne $vsig; | |
108 | } | |
109 | ||
110 | die "yubico auth failed: $result->{status}\n" if $result->{status} ne 'OK'; | |
111 | ||
112 | my $publicid = $result->{publicid} = substr(lc($result->{otp}), 0, 12); | |
113 | ||
114 | my $found; | |
115 | foreach my $k (PVE::Tools::split_list($keys)) { | |
116 | if ($k eq $publicid) { | |
117 | $found = 1; | |
118 | last; | |
119 | } | |
120 | } | |
121 | ||
122 | die "yubico auth failed: key does not belong to user\n" if !$found; | |
123 | ||
124 | return $result; | |
125 | } | |
126 | ||
127 | sub oath_verify_otp { | |
128 | my ($otp, $keys, $step, $digits) = @_; | |
129 | ||
130 | die "oath: missing password\n" if !defined($otp); | |
131 | die "oath: no associated oath keys\n" if $keys =~ m/^\s+$/; | |
132 | ||
133 | $step = 30 if !$step; | |
134 | $digits = 6 if !$digits; | |
135 | ||
136 | my $found; | |
137 | foreach my $k (PVE::Tools::split_list($keys)) { | |
138 | # Note: we generate 3 values to allow small time drift | |
139 | my $binkey; | |
140 | if ($k =~ /^[A-Z2-7=]{16}$/) { | |
141 | $binkey = MIME::Base32::decode_rfc3548($k); | |
142 | } elsif ($k =~ /^[A-Fa-f0-9]{40}$/) { | |
143 | $binkey = pack('H*', $k); | |
144 | } else { | |
145 | die "unrecognized key format, must be hex or base32 encoded\n"; | |
146 | } | |
147 | ||
148 | # force integer division for time/step | |
149 | use integer; | |
150 | my $now = time()/$step - 1; | |
151 | $found = 1 if $otp eq hotp($binkey, $now+0, $digits); | |
152 | $found = 1 if $otp eq hotp($binkey, $now+1, $digits); | |
153 | $found = 1 if $otp eq hotp($binkey, $now+2, $digits); | |
154 | last if $found; | |
155 | } | |
156 | ||
157 | die "oath auth failed\n" if !$found; | |
158 | } | |
159 | ||
160 | 1; |