]>
git.proxmox.com Git - pve-common.git/blob - src/PVE/OTP.pm
6 use MIME
::Base32
; #libmime-base32-perl
17 my ($binsecret, $number, $digits) = @_;
19 $digits = 6 if !defined($digits);
21 my $bincounter = pack('Q>', $number);
22 my $hmac = Digest
::SHA
::hmac_sha1
($bincounter, $binsecret);
24 my $offset = unpack('C', substr($hmac,19) & pack('C', 0x0F));
25 my $part = substr($hmac, $offset, 4);
26 my $otp = unpack('N', $part);
27 my $value = ($otp & 0x7fffffff) % (10**$digits);
28 return sprintf("%0${digits}d", $value);
31 # experimental code for yubico OTP verification
33 sub yubico_compute_param_sig
{
34 my ($param, $api_key) = @_;
37 foreach my $key (sort keys %$param) {
38 $paramstr .= '&' if $paramstr;
39 $paramstr .= "$key=$param->{$key}";
42 # hmac_sha1_base64 does not add '=' padding characters, so we use encode_base64
43 my $sig = uri_escape
(encode_base64
(Digest
::SHA
::hmac_sha1
($paramstr, decode_base64
($api_key || '')), ''));
45 return ($paramstr, $sig);
48 sub yubico_verify_otp
{
49 my ($otp, $keys, $url, $api_id, $api_key, $proxy) = @_;
51 die "yubico: missing password\n" if !defined($otp);
52 die "yubico: missing API ID\n" if !defined($api_id);
53 die "yubico: missing API KEY\n" if !defined($api_key);
54 die "yubico: no associated yubico keys\n" if $keys =~ m/^\s+$/;
56 die "yubico: wrong OTP length\n" if (length($otp) < 32) || (length($otp) > 48);
58 $url = 'https://api2.yubico.com/wsapi/2.0/verify' if !defined($url);
61 nonce
=> Digest
::SHA
::hmac_sha1_hex
(time(), rand()),
63 otp
=> uri_escape
($otp),
67 my ($paramstr, $sig) = yubico_compute_param_sig
($params, $api_key);
69 $paramstr .= "&h=$sig" if $api_key;
71 my $req = HTTP
::Request-
>new('GET' => "$url?$paramstr");
73 my $ua = LWP
::UserAgent-
>new(protocols_allowed
=> ['http', 'https'], timeout
=> 30);
76 $ua->proxy(['http', 'https'], $proxy);
81 my $response = $ua->request($req);
82 my $code = $response->code;
85 my $msg = $response->message || 'unknown';
86 die "Invalid response from server: $code $msg\n";
89 my $raw = $response->decoded_content;
92 foreach my $kvpair (split(/\n/, $raw)) {
94 if($kvpair =~ /^\S+=/) {
95 my ($k, $v) = split(/=/, $kvpair, 2);
101 my $rsig = $result->{h
};
105 my ($datastr, $vsig) = yubico_compute_param_sig
($result, $api_key);
106 $vsig = uri_unescape
($vsig);
107 die "yubico: result signature verification failed\n" if $rsig ne $vsig;
110 die "yubico auth failed: $result->{status}\n" if $result->{status
} ne 'OK';
112 my $publicid = $result->{publicid
} = substr(lc($result->{otp
}), 0, 12);
115 foreach my $k (PVE
::Tools
::split_list
($keys)) {
116 if ($k eq $publicid) {
122 die "yubico auth failed: key does not belong to user\n" if !$found;
127 sub oath_verify_otp
{
128 my ($otp, $keys, $step, $digits) = @_;
130 die "oath: missing password\n" if !defined($otp);
131 die "oath: no associated oath keys\n" if $keys =~ m/^\s+$/;
133 $step = 30 if !$step;
134 $digits = 6 if !$digits;
137 foreach my $k (PVE
::Tools
::split_list
($keys)) {
138 # Note: we generate 3 values to allow small time drift
140 if ($k =~ /^v2-0x([0-9a-fA-F]+)$/) {
142 $binkey = pack('H*', $1);
143 } elsif ($k =~ /^v2-([A-Z2-7=]+)$/) {
145 $binkey = MIME
::Base32
::decode_rfc3548
($1);
146 } elsif ($k =~ /^[A-Z2-7=]{16}$/) {
147 $binkey = MIME
::Base32
::decode_rfc3548
($k);
148 } elsif ($k =~ /^[A-Fa-f0-9]{40}$/) {
149 $binkey = pack('H*', $k);
151 die "unrecognized key format, must be hex or base32 encoded\n";
154 # force integer division for time/step
156 my $now = time()/$step - 1;
157 $found = 1 if $otp eq hotp
($binkey, $now+0, $digits);
158 $found = 1 if $otp eq hotp
($binkey, $now+1, $digits);
159 $found = 1 if $otp eq hotp
($binkey, $now+2, $digits);
163 die "oath auth failed\n" if !$found;