Lot's of changes aggregated during vacation.

Most of them involves implementing back the functionality
which already worked before splitting utility in two.

CMakeLists.txt

@@ -152,7 +152,7 @@ ADD_CUSTOM_TARGET(man ALL DEPENDS ${man_gz})
 # Install target
 ##
 SET(CMAKE_INSTALL_PREFIX /usr)
-INSTALL(TARGETS pam_otpasswd otpasswd
+INSTALL(TARGETS pam_otpasswd otpasswd agent_otp
   RUNTIME DESTINATION bin
   LIBRARY DESTINATION /lib/security)
 

ChangeLog

@@ -18,7 +18,7 @@ Done:
           - Clean memory so there're no key/counter leaks
         * [+] Do not store things in mpz_t which don't need it (spass)
         * [+] Sanitize gettext environment
-
+	* [+] Accept 2G[2] passcode specification entries.
 In progress:
         * [?] Cleanup PPP interface. This should look like follows.
               "State" is class implementing some basic features of
@@ -34,15 +34,14 @@ TODO Major:
         * [%] Parameter -c alphabet=3,codelenght=8 is accepted but doesn't
               work. 
         * [%] Printing with -l when skipped to the last passcard works.
-	* [?] Accept 2G[2] passcode specification entries.
         * [?] Parametrize PAM messages.
         * [?] OOB Channel usage time updates + DoS security
         * [?] Static password expire warnings + enforcement. 
         * [?] Logging warnings printed to user at WARN level
         * [?] Key quality checking (duplicates)
         * [?] "Problem solving section" in docs, mentioning use of -v on
               errors in the first place.
-        * [?] Global DB should work with users which aren't in passwd.
+        * [?] Global DB should work with users which aren't in /etc/passwd.
               Should it?
         * [?] Check if lock files are links. if so. fail. Or rather always unlink
               before overwritting.

agent/agent_interface.c

@@ -57,9 +57,11 @@ int agent_connect(agent **a_out, const char *agent_executable)
 	if (pipe(out) != 0)
 		goto cleanup1;
 
-	/* Verify that agent executable exists */
-	if (agent_executable == NULL)
+	/* Verify that agent executable PATH exists */
+	if (agent_executable == NULL) {
+		print(PRINT_NOTICE, "NOTICE: No path for OTP Agent given, using default ./agent_otp\n");
 		agent_executable = "./agent_otp";
+	}
 
 	a->pid = fork();
 
@@ -177,8 +179,8 @@ int agent_disconnect(agent *a)
 {
 	int ret = 0;
 	/* TODO: Send quit message if client */
-
-	/* Wait for child to close? */
+	/* TODO: Wait for child to close? */
+	assert(a);
 
 	/* Close descriptors  */
 	if (a->in != -1)
@@ -227,7 +229,7 @@ const char *agent_strerror(int error)
 	default:
 		if (error >= 100 && error <= 2000)
 			return _( ppp_get_error_desc(error) );
-		return _( "Unknown error" );
+		return _( "Not an agent/PPP error." );
 	}
 	return NULL;
 }
@@ -435,10 +437,29 @@ int agent_get_passcode(agent *a, const num_t counter, char *reply)
 }
 
 
-/*
+int agent_authenticate(agent *a, const char *passcode)
+{
+	int ret;
+	assert(a);
+	assert(passcode);
+
+	agent_hdr_init(a, 0);
+
+	ret = agent_hdr_set_str(a, passcode);
+	if (ret != AGENT_OK) {
+		print(PRINT_CRITICAL, "Passcode too long to send to agent.\n");
+		return ret;
+	}
+
+	ret = agent_query(a, AGENT_REQ_AUTHENTICATE);
+	if (ret != AGENT_OK)
+		return ret;
+
+	ret = agent_hdr_get_arg_int(a);
+	return ret;
+}
 
 
-*/
 
 
 

agent/agent_interface.h

@@ -187,14 +187,7 @@ extern int agent_flag_get(agent *a, int *flags);
 
 
 /** Status query */
-
 /* Set of getters/setters */
-/* Taken from ppp_common.h...
-enum AGENT_TYPE {
-	AGENT_COUNTER_UNSALTED,
-	AGENT_COUNTER_SALTED,
-};
-*/
 extern int agent_get_num(agent *a, int field, num_t *key);
 extern int agent_get_int(agent *a, int field, int *integer);
 
@@ -212,6 +205,10 @@ extern int agent_get_alphabet(agent *a, int id, const char **alphebet);
 
 /* Config query */
 extern int agent_get_passcode(agent *a, num_t counter, char *reply); 
+
+/** Try to authenticate */
+extern int agent_authenticate(agent *a, const char *passcode); 
+
 // void agent_set(agent *a);
 
 

agent/agent_private.h

@@ -82,6 +82,8 @@ enum AGENT_REQUEST {
 	AGENT_REQ_SET_INT,
 	AGENT_REQ_SET_STR,
 
+	/* Authenticate user with password */
+	AGENT_REQ_AUTHENTICATE,
 };
 
 

agent/request.c

@@ -169,6 +169,11 @@ static int request_verify_policy(const agent *a, const cfg_t *cfg)
 		}
 		return AGENT_OK;
 
+
+	case AGENT_REQ_AUTHENTICATE:
+		/* TODO: Add it from scratch later */
+		return AGENT_OK;
+
 		/* Those which doesn't require policy check */
 	case AGENT_REQ_STATE_NEW:
 	case AGENT_REQ_STATE_LOAD:
@@ -526,6 +531,27 @@ static int request_execute(agent *a, const cfg_t *cfg)
 		_send_reply(a, ret);
 		break;
 
+	case AGENT_REQ_AUTHENTICATE:
+		print(PRINT_NOTICE, "Executing (%d): Authenticate\n", r_type);
+
+		/* State must exist, but doesn't need to be already read. */
+		if (!a->s) {
+			ret = AGENT_ERR_NO_STATE;
+		} else {
+			ret = ppp_increment(a->s);
+			if (ret == 0) {
+				ret = ppp_authenticate(a->s, r_str);
+				if (ret != 0) {
+					print(PRINT_NOTICE, "CLI authentication failed.\n");
+				}
+			} else {
+				print(PRINT_NOTICE, "Agent: ppp_increment failed.\n");
+			}
+		}
+		_send_reply(a, ret);
+		break;
+
+
 	case AGENT_REQ_GET_ALPHABET:
 	{
 		print(PRINT_NOTICE, "Executing (%d): Get alphabet\n", r_type);
@@ -540,6 +566,7 @@ static int request_execute(agent *a, const cfg_t *cfg)
 		_send_reply(a, ret);
 		break;
 	}
+
 	case AGENT_REQ_SET_INT:
 		print(PRINT_NOTICE, "Executing (%d): Set int\n", r_type);
 		/* This sets PPP field: alphabet, codelength, but not flags. */

libotp/ppp.c

@@ -331,34 +331,6 @@ void ppp_add_salt(const state *s, num_t *passcode)
 	}
 }
 
-int ppp_get_passcode_number(const state *s, const num_t passcard, num_t *passcode, char column, char row)
-{
-	if (column < 'A' || column >= 'A' + s->codes_in_row) {
-		print(PRINT_NOTICE, "Column out of possible range!\n");
-		return 1;
-	}
-
-	if (row < 1 || row > 10) {
-		print(PRINT_NOTICE, "Row out of range!\n");
-		return 1;
-	}
-
-	/* Start with calculating first passcode on card */
-	/* passcode = (passcard-1)*codes_on_card + salt */
-	*passcode = num_sub_i(passcard, 1);
-	*passcode = num_mul_i(*passcode, s->codes_on_card);
-
-	/* Then add location on card */
-	*passcode = num_add_i(*passcode, (row - 1) * s->codes_in_row);
-	*passcode = num_add_i(*passcode, column - 'A');
-
-	/* Add salt if required */
-	ppp_add_salt(s, passcode);
-	return 0;
-}
-
-
-
 int ppp_get_passcode(const state *s, const num_t counter, char *passcode)
 {
 	unsigned char cnt_bin[16];
@@ -987,6 +959,18 @@ int ppp_get_int(const state *s, int field, unsigned int *arg)
 		*arg = s->flags;
 		break;
 
+	case PPP_FIELD_CODES_ON_CARD:
+		/* Ask about this only when already calculated */
+		assert(s->codes_on_card != 0); 
+		*arg = s->codes_on_card;
+		break;
+
+	case PPP_FIELD_CODES_IN_ROW:
+		/* Ask about this only when already calculated */
+		assert(s->codes_in_row != 0); 
+		*arg = s->codes_in_row;
+		break;
+
 	default:
 		print(PRINT_CRITICAL, "Illegal field passed to ppp_get_int\n");
 		*arg = -1;

libotp/ppp.h

@@ -142,13 +142,6 @@ extern int ppp_get_current(const state *s, char *passcode);
  * be generated for current passcode (i.e. reserved by ppp_increment call) */
 extern int ppp_authenticate(const state *s, const char *passcode);
 
-/** Decode external card number and XY code position into a counter 
- * This function decreases passcard by one so counting starts at '1'.
- * Counter is created with salt included. Result returned in 'passcode'. */
-extern int ppp_get_passcode_number(
-	const state *s, const num_t passcard,
-	num_t *passcode, char column, char row);
-
 /** Adds a salt to given passcode if salt is used.
  * In other words: converts from user supplied passcode
  * into system passcode number. */

libotp/ppp_common.h

@@ -160,6 +160,8 @@ enum {
 	PPP_FIELD_CODE_LENGTH,		/* unsigned int */
 	PPP_FIELD_ALPHABET,		/* unsigned int */
 	PPP_FIELD_FLAGS,		/* unsigned int */
+	PPP_FIELD_CODES_ON_CARD,	/* unsigned int */
+	PPP_FIELD_CODES_IN_ROW,		/* unsigned int */
 
 	PPP_FIELD_KEY,			/* String, getters return hexes */
 	PPP_FIELD_COUNTER, 		/* mpz */