Config cleanup + SSL exemption removed.

ChangeLog

@@ -33,6 +33,9 @@ Trying to sort tasks according to their priority.
 	* [+] Fix db* functions to return values from enum in ppp_common.h
 	* [!] Skipping to 'next' not by 6...
         * [+] Removed dependency - OpenSSL
+	* [+] Modify build config to work with CMake v2.4.7
+        * [+] Config file revised.
+        * [+] Multiple alphabet support started
         * [?] Check if lock files are links. if so. fail. Or rather always unlink 
               before overwritting. 
         * [?] Logging into syslog from utility if SUID; Also deny -v.
@@ -65,7 +68,6 @@ Trying to sort tasks according to their priority.
 	* [-] right trim values from config?
 	* [?] SELinux compatibility.
 	* [?] Import/export of ascii state lines...
-	* [+] Modify build config to work with CMake v2.4.7
 
 	Low-priority:
 	* [?] Improve LaTeX output (some colors, borders?)

crypto/coreutils_sha256.h

@@ -27,10 +27,6 @@
 # include <stdio.h>
 # include <stdint.h>
 
-# ifdef __cplusplus
-extern "C" {
-# endif
-
 /* Structure to save state of computation between the single steps.  */
 struct sha256_ctx
 {
@@ -83,8 +79,4 @@ extern int sha256_stream (FILE *stream, void *resblock);
    digest.  */ 
 extern void *sha256_buffer (const unsigned char *buffer, size_t len, void *resblock);
 
-# ifdef __cplusplus
-}
-# endif
-
 #endif

crypto/polarssl_aes.c

@@ -1,3 +1,8 @@
+/*
+ * This file belongs to PolarSSL package.
+ * Homepage: http://www.polarssl.org/
+ */
+
 /*
  *  FIPS-197 compliant AES implementation
  *

crypto/polarssl_aes.h

@@ -1,3 +1,8 @@
+/*
+ * This file belongs to PolarSSL package.
+ * Homepage: http://www.polarssl.org/
+ */
+
 /**
  * \file aes.h
  *
@@ -23,6 +28,8 @@
 #ifndef POLARSSL_AES_H
 #define POLARSSL_AES_H
 
+/* Those do not enable/disable encrypt/decrypt but
+ * are used as a constants to functions. */
 #define AES_ENCRYPT     1
 #define AES_DECRYPT     0
 
@@ -39,10 +46,6 @@ typedef struct
 }
 aes_context;
 
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 /**
  * \brief          AES key schedule (encryption)
  *
@@ -123,8 +126,4 @@ void aes_crypt_cfb128( aes_context *ctx,
  */
 int aes_self_test( int verbose );
 
-#ifdef __cplusplus
-}
-#endif
-
 #endif /* aes.h */

examples/otpasswd.conf

@@ -1,43 +1,35 @@
 ##
-# otpasswd configuration file
+#    OTPasswd - One-Time Password Authentication System
+#    --------------------------------------------------
+#       https://savannah.nongnu.org/projects/otpasswd
+#                Updated: 03-Jan-10 (v0.5pre1)
 #
-# Configuration of otpasswd PAM module and key management utility.
+# Configuration of OTPasswd PAM module and key management utility.
 #
-# File consists of entries in form:
+# File consists of entries in a form:
 # VARIABLE=VALUE
 # Whitespaces around '=' are not ignored and values musn't be 
 # surrounded with " or '.
 #
-# In general 0 means "disabled" and 1 - "enabled".
+# In general there're two conventions:
+# 0 - disabled, 1 - enabled or
+# 0 - disallow, 1 - user selectable, 2 - enforced
+#
+# There are some options which aren't implemented currently.
+# They are here so we won't need to break config compatibility soon.
+# Those are labeled with "NI!" (Not implemented) abbreviation.
+#
 ##
 
 ##
 # General configuration
 ## 
 
-# How many messages will be logged into syslog by PAM.
-# (Utility works on level 1, can be switched into 2 by -v option)
-#
-# 0 - Low: Errors
-# 1 - Normal: Errors, Warnings
-# 2 - Verbose: Errors, Warnings, Notices (-v option to utility)
-#     Verbose mode is also enabled by "debug" module option.
-LOGGING=1
-
-# 0 - Normal
-#     User will get additional information on some types of errors during login
-#     (like, otp is enforced and he doesn't have generated key.)
-# 1 - Silent 
-#     Inhibit any not important messages sent to user during authentication
-#     (including "last passcard warnings" of PAM session.).
-#     Can be also enabled by "silent" module option.
-SILENT=0
-
-# Select DB to use:
+# Select DB (state database) to use:
 # global:
-#   If enabled we store user data in global database.
-#   This is required for policies to work, yet this option requires that
-#   otpasswd utility is SUID.
+#   If enabled we store data in global database.
+#   This is required for policies to work, yet this option requires 
+#   OTPasswd utility to be SUID. 
 # user:
 #   Keys located in user home directory. No policies enforced
 # mysql:
@@ -46,30 +38,74 @@ SILENT=0
 #   Not implemented
 DB=user
 
-# Full path to the location of global database
-# We need write rights in this directory to create lock files
-# and user musn't have this rights.  
-GLOBAL_DB=/etc/otpasswd/otshadow
+# Full path to the location of global database.
+# We must have ownership of the file and write rights
+# to the directory. 
+# To prevent possible attacks users musn't have write access
+# to the containing directory.
+DB_GLOBAL=/etc/otpasswd/otshadow
 
-# Name of the file used to keep user keys in their homes
-USER_DB=.otpasswd
+# Name of the file used to keep user keys in their homes. Lock file
+# will be created by appending .lck, temporary file by .tmp
+# suffix. State copy might be created with .old suffix.
+DB_USER=.otpasswd
 
-# MySQL configuration (not implemented)
+# MySQL configuration (NI!)
+#
+# create table state (
+#   `username` char(30) PRIMARY KEY,
+#   `key` long,
+#   `counter` long,
+#   `latest_card` long,
+#   `flags` int,
+#   `codelength` int,
+#   `spass` char(64),
+#   `label` char(30),
+#   `contact` char (60),
+# 
+#   `failures` int,
+#   `recent_failures` int,
+#   `oob_timestamp` long
+# );
 SQL_HOST=127.0.0.1
 SQL_DATABASE=otpasswd
 SQL_USER=otpasswd
 SQL_PASS=generate something random and write here
 
+# LDAP configuration (NI!)
+LDAP_HOST=127.0.0.1
+LDAP_USER=otpasswd
+LDAP_PASS=ldap password
+LDAP_DN=ou=users,dc=domain,dc=com
+
 ##
 # PAM Module configuration
 ##
 
+# How many messages will be logged into syslog by PAM.
+# (Utility works on level 1, can be switched into 2 by -v option)
+#
+# 0 - Low: Errors
+# 1 - Normal: Errors, Warnings
+# 2 - Verbose: Errors, Warnings, Notices (-v option to utility)
+#     Verbose mode is also enabled by "debug" module option.
+LOGGING=1
+
+# 0 - Normal
+#     User will get additional information on some types of errors during login
+#     (like, otp is enforced and he doesn't have generated key.)
+# 1 - Silent 
+#     Inhibit any not important messages sent to user during authentication
+#     (including "last passcard warnings" of PAM session.).
+#     Can be also enabled by "silent" module option.
+SILENT=0
+
 # 0 - Do not ever show passcodes
 # 1 - Use user selected option
 # 2 - Always show passcode (ignore user settings)
 SHOW=1
 
-# If enabled only users who exists in otp db will be able to authenticate.
+# If enabled only users who exists in DB will be able to authenticate.
 ENFORCE=0
 
 # 0 - Do not retry passcode question
@@ -80,54 +116,150 @@ RETRY=0
 # Number of retries (2 to 5)
 RETRIES=3
 
+# NI! User can request key regeneration
+# with PAM prompt (by entering , instead of passcode)
+# The user is then requested a static password which
+# he must have set before.
+KEY_REGENERATION_PROMPT=0
+
+# NI! After authentication display user a number of failed
+# authentication tries.
+FAILURE_WARNING=1
+
+# NI! Number of failures after which delay is incremented.
+FAILURE_BOUNDARY=3
+
+# NI! Seconds of delay after recent failure count raches FAILURE_BOUNDARY 
+FAILURE_DELAY=5
+
+# NI! Require SPASS on each logon (prefixes passcode)
+SPASS_REQUIRE=0
+
 ##
 # 0 - OOB disabled
 # 1 - OOB available on user request (by entering '.' on passcode prompt)
-# 2 - OOB on request, requires static password
+# 2 - OOB on request, requires static password prompt
 # 3 - Sent OOB at the beginning of all authentication sessions.
 ##
 OOB=0
 
 # Path to OOB script
-# This script gets two arguments: User contact field and current passcode.
-OOB_PATH=/etc/security/otpasswd_oob.sh
+# This script gets two arguments: User contact field and current
+# passcode. Script musn't be SUID, and must be readable/executable by
+# user defined in OOB_USER as OTPasswd will drop root privilages in
+# order to run it.
+OOB_PATH=/etc/otpasswd/otpasswd_oob.sh
 
 # User used to run script (don't set to root!)
 OOB_USER=nobody
 
+
 ##
-# Policy configuration
-# (Not implemented!)
-#
+# Utility policy configuration (Mostly NI!)
+# Works only if user doesn't have direct access to state database himself.
+# For example in DB=global.
 ##
+
+# NI! Can user generate himself a key?
 ALLOW_KEY_GENERATION=1
+
+# NI! Allow user to specify a (small) file or a string.
+# Instead of random data this file will be used to generate
+# key (with salted SHA256 hash).
+ALLOW_SOURCED_KEY_GENERATION=0
+
+# NI! Allow user to remove his state information
+ALLOW_KEY_REMOVAL=1
+
+# NI! Can user print himself any passcodes?
 ALLOW_PASSCODE_PRINT=1
+
+# NI! Can user display his key/counter pair?
+# Will disable also state export.
 ALLOW_KEY_PRINT=1
 
+# NI! Allow user to skip passcodes?
+ALLOW_SKIPPING=1
+
+# NI! Can user authenticate on prompt with -a option?
+ALLOW_SHELL_AUTH=1
+
+# NI! Allow user to use -v option?
+ALLOW_VERBOSE_OUTPUT=1
+
+# NI! Allow ascii state import/export.
+ALLOW_STATE_EXPORT=1
+ALLOW_STATE_IMPORT=0
+
+# NI! Can uset set his contact information?
+ALLOW_CONTACT_CHANGE=1
+
+# NI! Can user change label printed on cards?
+ALLOW_LABEL_CHANGE=1
+
 ##
-# Set minimal/maximal length of passcode and alphabet.
-# Alphabet default value can currently only equal 64 or 88.
+# Static password (spass)
 ##
-MIN_PASSCODE_LENGTH=2
-MAX_PASSCODE_LENGTH=16
-MIN_ALPHABET_LENGTH=64
-MAX_ALPHABET_LENGTH=88
+
+# NI! Allow setting/clearing of spass
+SPASS_ALLOW_CHANGE=1
+
+# NI! Minimal length
+SPASS_MIN_LENGTH=7
+# NI! How many digits to require in spass
+SPASS_REQUIRE_DIGIT=1
+# NI! How many special characters to require (non-digit, non-alpha)
+SPASS_REQUIRE_SPECIAL=1
+# NI! How many uppercase alpha characters we require. 
+SPASS_REQUIRE_UPPERCASE=1
 
 ##
-# Set default passcode and alphabet length
+# Set minimal/maximal/default length of passcode.
+# Acceptable passcode length is between 2 and 16.
 ##
-DEF_PASSCODE_LENGTH=4
+PASSCODE_MIN_LENGTH=2
+PASSCODE_MAX_LENGTH=16
+PASSCODE_DEF_LENGTH=4
 
-# 0 - 64 character long alphabet:
+##
+# Set alphabet parameters
+##
+
+# Minimal/Maximal acceptable length of alphabet
+ALPHABET_MIN_LENGTH=32
+ALPHABET_MAX_LENGTH=88
+
+# NI! Allow alphabet selection
+ALPHABET_ALLOW_CHANGE=1
+
+# 0 - Custom alphabet defined in config (by default 0123456789)
+# 1 - 64 characters ("PPP standard"):
 # !#%+23456789:=?@ABCDEFGHJKLMNPRSTUVWXYZabcdefghijkmnopqrstuvwxyz
-# 1 - 88 character long:
+# 2 - 88 characters  ("PPP standard"):
 # !"#$%&'()*+,-./23456789:;<=>?@ABCDEFGHJKLMNOPRSTUVWXYZ
 # [\\]^_abcdefghijkmnopqrstuvwxyz{|}~
-DEF_ALPHABET=0
+# NI! 3 - 54 characters, no vowels:
+# !#%+23456789:=?@BCDFGHJKLMNPRSTVWXZbcdfghjkmnpqrstvwxz
+# NI! 4 - 78 characters, no vowels:
+# !"#$%&'()*+,-./23456789:;<=>?@BCDFGHJKLMNPRSTVWXZ[\\]^_bcdfghjkmnpqrstvwxz{|}~
+# NI! 5 - 56 characters, only alphanumeric + digits
+# 23456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPRSTUVWXYZ
+ALPHABET_DEF=1
+
+# NI! Custom alphabet.
+ALPHABET_CUSTOM=0123456789
+
+##
+# By default:
+# 1 - Use key without salt (PPPv3.1 compatible)
+# 2 - Use salted key ("Safer", not compatible)
+##
+SALT_DEF=1
 
 ## 
 # 0 - Disallow generation of salt
 # 1 - Allow user to use salt
 # 2 - Enforce usage of salt
 ##
-ALLOW_SALT=1
+SALT_ALLOW=1
+