src/PVE/OTP.pm

   1 package PVE::OTP;
   2
   3 use strict;
   4 use warnings;
   5 use Digest::SHA;
   6 use MIME::Base32; #libmime-base32-perl
   7 use MIME::Base64;
   8 use URI::Escape;
   9 use HTTP::Request;
  10 use LWP::UserAgent;
  11
  12 use PVE::Tools;
  13
  14 # hotp/totp code
  15
  16 sub hotp($$;$) {
  17         my ($binsecret, $number, $digits) = @_;
  18
  19         $digits = 6 if !defined($digits);
  20
  21         my $bincounter = pack('Q>', $number);
  22         my $hmac = Digest::SHA::hmac_sha1($bincounter, $binsecret);
  23
  24         my $offset = unpack('C', substr($hmac,19) & pack('C', 0x0F));
  25         my $part = substr($hmac, $offset, 4);
  26         my $otp = unpack('N', $part);
  27         my $value = ($otp & 0x7fffffff) % (10**$digits);
  28         return sprintf("%0${digits}d", $value);
  29 }
  30
  31 # experimental code for yubico OTP verification
  32
  33 sub yubico_compute_param_sig {
  34     my ($param, $api_key) = @_;
  35
  36     my $paramstr = '';
  37     foreach my $key (sort keys %$param) {
  38         $paramstr .= '&' if $paramstr;
  39         $paramstr .= "$key=$param->{$key}";
  40     }
  41
  42     # hmac_sha1_base64 does not add '=' padding characters, so we use encode_base64
  43     my $sig = uri_escape(encode_base64(Digest::SHA::hmac_sha1($paramstr, decode_base64($api_key || '')), ''));
  44
  45     return ($paramstr, $sig);
  46 }
  47
  48 sub yubico_verify_otp {
  49     my ($otp, $keys, $url, $api_id, $api_key, $proxy) = @_;
  50
  51     die "yubico: missing password\n" if !defined($otp);
  52     die "yubico: missing API ID\n" if !defined($api_id);
  53     die "yubico: missing API KEY\n" if !defined($api_key);
  54     die "yubico: no associated yubico keys\n" if $keys =~ m/^\s+$/;
  55
  56     die "yubico: wrong OTP length\n" if (length($otp) < 32) || (length($otp) > 48);
  57
  58     $url = 'http://api2.yubico.com/wsapi/2.0/verify' if !defined($url);
  59
  60     my $params = {
  61         nonce =>  Digest::SHA::hmac_sha1_hex(time(), rand()),
  62         id => $api_id,
  63         otp => uri_escape($otp),
  64         timestamp => 1,
  65     };
  66
  67     my ($paramstr, $sig) = yubico_compute_param_sig($params, $api_key);
  68
  69     $paramstr .= "&h=$sig" if $api_key;
  70
  71     my $req = HTTP::Request->new('GET' => "$url?$paramstr");
  72
  73     my $ua = LWP::UserAgent->new(protocols_allowed => ['http', 'https'], timeout => 30);
  74
  75     if ($proxy) {
  76         $ua->proxy(['http', 'https'], $proxy);
  77     } else {
  78         $ua->env_proxy;
  79     }
  80
  81     my $response = $ua->request($req);
  82     my $code = $response->code;
  83
  84     if ($code != 200) {
  85         my $msg = $response->message || 'unknown';
  86         die "Invalid response from server: $code $msg\n";
  87     }
  88
  89     my $raw = $response->decoded_content;
  90
  91     my $result = {};
  92     foreach my $kvpair (split(/\n/, $raw)) {
  93         chomp $kvpair;
  94         if($kvpair =~ /^\S+=/) {
  95             my ($k, $v) = split(/=/, $kvpair, 2);
  96             $v =~ s/\s//g;
  97             $result->{$k} = $v;
  98         }
  99     }
 100
 101     my $rsig = $result->{h};
 102     delete $result->{h};
 103
 104     if ($api_key) {
 105         my ($datastr, $vsig) = yubico_compute_param_sig($result, $api_key);
 106         $vsig = uri_unescape($vsig);
 107         die "yubico: result signature verification failed\n" if $rsig ne $vsig;
 108     }
 109
 110     die "yubico auth failed: $result->{status}\n" if $result->{status} ne 'OK';
 111
 112     my $publicid = $result->{publicid} = substr(lc($result->{otp}), 0, 12);
 113
 114     my $found;
 115     foreach my $k (PVE::Tools::split_list($keys)) {
 116         if ($k eq $publicid) {
 117             $found = 1;
 118             last;
 119         }
 120     }
 121
 122     die "yubico auth failed: key does not belong to user\n" if !$found;
 123
 124     return $result;
 125 }
 126
 127 sub oath_verify_otp {
 128     my ($otp, $keys, $step, $digits) = @_;
 129
 130     die "oath: missing password\n" if !defined($otp);
 131     die "oath: no associated oath keys\n" if $keys =~ m/^\s+$/;
 132
 133     $step = 30 if !$step;
 134     $digits = 6 if !$digits;
 135
 136     my $found;
 137     foreach my $k (PVE::Tools::split_list($keys)) {
 138         # Note: we generate 3 values to allow small time drift
 139         my $binkey;
 140         if ($k =~ /^[A-Z2-7=]{16}$/) {
 141             $binkey = MIME::Base32::decode_rfc3548($k);
 142         } elsif ($k =~ /^[A-Fa-f0-9]{40}$/) {
 143             $binkey = pack('H*', $k);
 144         } else {
 145             die "unrecognized key format, must be hex or base32 encoded\n";
 146         }
 147
 148         # force integer division for time/step
 149         use integer;
 150         my $now = time()/$step - 1;
 151         $found = 1 if $otp eq hotp($binkey, $now+0, $digits);
 152         $found = 1 if $otp eq hotp($binkey, $now+1, $digits);
 153         $found = 1 if $otp eq hotp($binkey, $now+2, $digits);
 154         last if $found;
 155     }
 156
 157     die "oath auth failed\n" if !$found;
 158 }
 159
 160 1;