proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-07-25 16:34:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

drop oathtool dependency

Browse Source 
Generate hotp/totp in perl directly, also support keys in
hex notation (this is how eg. the
yubikey-personalization-gui displays them, but without the
whitespaces).
This commit is contained in:
Wolfgang Bumiller 2016-07-01 10:15:28 +02:00 committed by Fabian Grünbichler
parent b10d0e266b
commit 9d52f6f2ae
2 changed files with 34 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
PVE/AccessControl.pm
View File

@ -8,6 +8,7 @@ use Crypt::OpenSSL::RSA;
use Net::SSLeay; use Net::SSLeay;
use Net::IP; use Net::IP;
use MIME::Base64; use MIME::Base64;
use MIME::Base32 qw(RFC); #libmime-base32-perl
use Digest::SHA; use Digest::SHA;
use URI::Escape; use URI::Escape;
use LWP::UserAgent; use LWP::UserAgent;
@ -1172,6 +1173,23 @@ sub remove_vm_from_pool {
lock_user_config($delVMfromPoolFn, "pool cleanup for VM $vmid failed"); lock_user_config($delVMfromPoolFn, "pool cleanup for VM $vmid failed");
} }
# hotp/totp code
sub hotp($$;$) {
my ($binsecret, $number, $digits) = @_;
$digits = 6 if !defined($digits);
my $bincounter = pack('Q>', $number);
my $hmac = Digest::SHA::hmac_sha1($bincounter, $binsecret);
my $offset = unpack('C', substr($hmac,19) & pack('C', 0x0F));
my $part = substr($hmac, $offset, 4);
my $otp = unpack('N', $part);
my $value = ($otp & 0x7fffffff) % (10**$digits);
return sprintf("%0${digits}d", $value);
}
# experimental code for yubico OTP verification # experimental code for yubico OTP verification
sub yubico_compute_param_sig { sub yubico_compute_param_sig {
@ -1278,20 +1296,23 @@ sub oath_verify_otp {
$digits = 6 if !$digits; $digits = 6 if !$digits;
my $found; my $found;
my $parser = sub {
my $line = shift;
if ($line =~ m/^\d{6}$/) {
$found = 1 if $otp eq $line;
}
};
foreach my $k (PVE::Tools::split_list($keys)) { foreach my $k (PVE::Tools::split_list($keys)) {
# Note: we generate 3 values to allow small time drift # Note: we generate 3 values to allow small time drift
my $now = localtime(time() - $step); my $binkey;
my $cmd = ['oathtool', '--totp', '--digits', $digits, '-N', $now, '-s', $step, '-w', '2', '-b', $k]; if ($k =~ /^[A-Z2-7=]{32}$/) {
eval { run_command($cmd, outfunc => $parser, errfunc => sub {}); }; $binkey = MIME::Base32::decode_rfc3548($k);
} elsif ($k =~ /^[A-Fa-f0-9]{40}$/) {
$binkey = pack('H*', $k);
} else {
die "unrecognized key format, must be hex or base32 encoded\n";
}
# force integer division for time/step
use integer;
my $now = time()/$step - 1;
$found = 1 if $otp eq hotp($binkey, $now+0, $digits);
$found = 1 if $otp eq hotp($binkey, $now+1, $digits);
$found = 1 if $otp eq hotp($binkey, $now+2, $digits);
last if $found; last if $found;
} }

2
control.in
View File

@ -3,7 +3,7 @@ Version: @@VERSION@@-@@PKGRELEASE@@
Section: perl Section: perl
Priority: optional Priority: optional
Architecture: @@ARCH@@ Architecture: @@ARCH@@
Depends: libc6 (>= 2.3), perl (>= 5.6.0-16), libcrypt-openssl-rsa-perl, libcrypt-openssl-random-perl, libjson-xs-perl, libjson-perl, libterm-readline-gnu-perl,libnet-ldap-perl, libpve-common-perl, pve-cluster, libauthen-pam-perl, libnet-ssleay-perl, liburi-perl, libwww-perl, oathtool, libmime-base32-perl Depends: libc6 (>= 2.3), perl (>= 5.6.0-16), libcrypt-openssl-rsa-perl, libcrypt-openssl-random-perl, libjson-xs-perl, libjson-perl, libterm-readline-gnu-perl,libnet-ldap-perl, libpve-common-perl, pve-cluster, libauthen-pam-perl, libnet-ssleay-perl, liburi-perl, libwww-perl, libmime-base32-perl
Maintainer: Proxmox Support Team <support@proxmox.com> Maintainer: Proxmox Support Team <support@proxmox.com>
Description: Proxmox VE access control library Description: Proxmox VE access control library
This package contains the role based user management and access This package contains the role based user management and access