TOTP integration

client/cmd_opts.h

@@ -66,6 +66,7 @@ enum {
     FD_SET_STDIN,
     FD_SET_ALT,
     FAULT_INJECTION_TAG,
+    USE_TOTP,
 
     /* Put GPG-related items below the following line */
     GPG_ENCRYPTION      = 0x200,
@@ -158,6 +159,7 @@ static struct option cmd_opts[] =
     {"verbose",             0, NULL, 'v'},
     {"version",             0, NULL, 'V'},
     {"wget-cmd",            1, NULL, 'w'},
+    {"totp",                0, NULL, USE_TOTP},
     {0, 0, 0, 0}
 };
 

client/config_init.c

@@ -132,6 +132,7 @@ enum
     FWKNOP_CLI_ARG_RESOLVE_IP_HTTPS,
     FWKNOP_CLI_ARG_RESOLVE_HTTP_ONLY,
     FWKNOP_CLI_ARG_WGET_CMD,
+    FWKNOP_CLI_ARG_USE_TOTP,
     FWKNOP_CLI_ARG_NO_SAVE_ARGS,
     FWKNOP_CLI_LAST_ARG
 } fwknop_cli_arg_t;
@@ -181,7 +182,8 @@ static fko_var_t fko_var_array[FWKNOP_CLI_LAST_ARG] =
     { "RESOLVE_IP_HTTPS",      FWKNOP_CLI_ARG_RESOLVE_IP_HTTPS      },
     { "RESOLVE_HTTP_ONLY",     FWKNOP_CLI_ARG_RESOLVE_HTTP_ONLY     },
     { "WGET_CMD",              FWKNOP_CLI_ARG_WGET_CMD              },
-    { "NO_SAVE_ARGS",          FWKNOP_CLI_ARG_NO_SAVE_ARGS          }
+    { "NO_SAVE_ARGS",          FWKNOP_CLI_ARG_NO_SAVE_ARGS          },
+    { "USE_TOTP",              FWKNOP_CLI_ARG_USE_TOTP              }
 };
 
 /* Array to define which conf. variables are critical and should not be
@@ -219,7 +221,7 @@ generate_keys(fko_cli_options_t *options)
         /* Generate the key through libfko */
         res = fko_key_gen(options->key_base64, options->key_len,
                 options->hmac_key_base64, options->hmac_key_len,
-                options->hmac_type);
+                options->hmac_type, options->totp_key_base32, options->totp_key_len);
 
         /* Exit upon key generation failure*/
         if(res != FKO_SUCCESS)
@@ -1294,6 +1296,12 @@ parse_rc_param(fko_cli_options_t *options, const char *var_name, char * val)
             options->resolve_http_only = 1;
         else;
     }
+    else if (var->pos == FWKNOP_CLI_ARG_USE_TOTP)
+    {
+        if (is_yes_str(val))
+            options->use_totp = 1;
+        else;
+    }
     /* avoid saving .fwknop.run by default */
     else if (var->pos == FWKNOP_CLI_ARG_NO_SAVE_ARGS)
     {
@@ -1418,6 +1426,7 @@ add_single_var_to_rc(FILE* fhandle, short var_pos, fko_cli_options_t *options)
         case FWKNOP_CLI_ARG_KEY_HMAC:
             strlcpy(val, options->hmac_key, sizeof(val));
             break;
+        /* TODO: does TOTP need FWKNOP_CLI_ARG_TOTP stuff as well? */
         case FWKNOP_CLI_ARG_HMAC_DIGEST_TYPE :
             hmac_digest_inttostr(options->hmac_type, val, sizeof(val));
             break;
@@ -2470,6 +2479,9 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
                 options->input_fd = strtol_wrapper(optarg, 0,
                         -1, EXIT_UPON_ERR, &is_err);
                 break;
+            case USE_TOTP:
+                options->use_totp = 1;
+                break;
             default:
                 usage();
                 exit(EXIT_FAILURE);
@@ -2493,6 +2505,7 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
         {
             add_var_to_bitmask(FWKNOP_CLI_ARG_KEY_RIJNDAEL_BASE64, &var_bitmask);
             add_var_to_bitmask(FWKNOP_CLI_ARG_KEY_HMAC_BASE64, &var_bitmask);
+            /* TODO: TOTP?*/
         }
         else;
 
@@ -2657,6 +2670,7 @@ usage(void)
       "     --time-offset-plus      Add time to outgoing SPA packet timestamp.\n"
       "     --time-offset-minus     Subtract time from outgoing SPA packet\n"
       "                             timestamp.\n"
+      "     --totp                  Use TOTP.\n"
     );
 
     return;

client/fwknop.c

@@ -40,6 +40,8 @@
 */
 static int get_keys(fko_ctx_t ctx, fko_cli_options_t *options,
     char *key, int *key_len, char *hmac_key, int *hmac_key_len);
+static int get_totp(fko_ctx_t ctx, fko_cli_options_t *options,
+    char *totp);
 static void errmsg(const char *msg, const int err);
 static int prev_exec(fko_cli_options_t *options, int argc, char **argv);
 static int get_save_file(char *args_save_file);
@@ -390,6 +392,19 @@ main(int argc, char **argv)
         key_len = 16;
     }
 
+    if(options.use_totp)
+    {
+        char *temp = malloc(6);
+        get_totp(ctx, &options, temp);
+        fko_set_totp(ctx, temp);
+        temp = NULL;
+        free(temp);
+    } 
+    else
+    {
+        log_msg(LOG_VERBOSITY_NORMAL, "Not using TOTP");
+    }
+
     /* Finalize the context data (encrypt and encode the SPA data)
     */
     res = fko_spa_data_final(ctx, key, key_len, hmac_key, hmac_key_len);
@@ -1239,6 +1254,30 @@ get_keys(fko_ctx_t ctx, fko_cli_options_t *options,
     return 1;
 }
 
+/* Prompt for and receive a TOTP
+*/
+static int
+get_totp(fko_ctx_t ctx, fko_cli_options_t *options,
+    char *totp)
+{
+    char   *key_tmp = NULL;
+    if (options->use_totp)
+    {
+        key_tmp = getpasswd("Enter TOTP: ", options->input_fd);
+        if(key_tmp == NULL)
+        {
+            log_msg(LOG_VERBOSITY_ERROR, "[*] get_totp() error.");
+            return 0;
+        }
+        /* TODO: ensure the length of the input */
+        memcpy(totp, key_tmp, 6);
+    }
+    else
+    {
+        log_msg(LOG_VERBOSITY_ERROR, "[-] Could not read TOTP from user.");
+    }
+}
+
 /* Display an FKO error message.
 */
 void

client/fwknop_common.h

@@ -86,6 +86,7 @@ typedef struct fko_cli_options
     char args_save_file[MAX_PATH_LEN];
     int  no_save_args;
     int  use_hmac;
+    int  use_totp;
     char spa_server_str[MAX_SERVER_STR_LEN];  /* may be a hostname */
     char allow_ip_str[MAX_IPV4_STR_LEN];
     char spoof_ip_src_str[MAX_IPV4_STR_LEN];
@@ -112,6 +113,13 @@ typedef struct fko_cli_options
     int  have_hmac_key;
     int  have_hmac_base64_key;
     int  hmac_type;
+    /* TOTP key is never read from the .fwknoprc file, but this is needed for key generation
+    */
+    char totp_key[MAX_KEY_LEN+1];
+    char totp_key_base32[MAX_KEY_LEN+1];
+    int  totp_key_len;
+    int  have_totp_key;
+    int  have_base64_totp_key;
 
     /* NAT access
     */

common/fko_util.c

@@ -706,6 +706,28 @@ append_msg_to_buf(char *buf, size_t buf_size, const char* msg, ...)
     return bytes_written;
 }
 
+/* Determine if a buffer contains only characters from the base32
+ * encoding set
+*/
+int
+is_base32(const unsigned char * const buf, const unsigned short int len)
+{
+    unsigned short int  i;
+    int                 rv = 1;
+
+    for(i=0; i<len; i++)
+    {
+        /* the last check is a modified version of isdigit() in range 2-7*/
+        if(!(isupper(buf[i]) || buf[i] == '=' || (buf[i] >= 50 && buf[i] <= 55)))
+        {
+            rv = 0;
+            break;
+        }
+    }
+
+    return rv;
+}
+
 /* Determine if a buffer contains only characters from the base64
  * encoding set
 */
@@ -912,6 +934,7 @@ dump_ctx_to_buffer(fko_ctx_t ctx, char *dump_buf, size_t dump_buf_len)
     char       *enc_data        = NULL;
     char       *hmac_data       = NULL;
     char       *spa_digest      = NULL;
+    char       *totp            = NULL;
 #if HAVE_LIBGPGME
     char          *gpg_signer        = NULL;
     char          *gpg_recip         = NULL;
@@ -955,6 +978,7 @@ dump_ctx_to_buffer(fko_ctx_t ctx, char *dump_buf, size_t dump_buf_len)
         RETURN_ON_FKO_ERROR(err, fko_get_spa_message(ctx, &spa_message));
         RETURN_ON_FKO_ERROR(err, fko_get_spa_nat_access(ctx, &nat_access));
         RETURN_ON_FKO_ERROR(err, fko_get_spa_server_auth(ctx, &server_auth));
+        RETURN_ON_FKO_ERROR(err, fko_get_totp(ctx, &totp));
         RETURN_ON_FKO_ERROR(err, fko_get_spa_client_timeout(ctx, &client_timeout));
         RETURN_ON_FKO_ERROR(err, fko_get_spa_digest_type(ctx, &digest_type));
         RETURN_ON_FKO_ERROR(err, fko_get_spa_hmac_type(ctx, &hmac_type));
@@ -1012,6 +1036,7 @@ dump_ctx_to_buffer(fko_ctx_t ctx, char *dump_buf, size_t dump_buf_len)
         cp += append_msg_to_buf(dump_buf+cp, dump_buf_len-cp, " Message String: %s\n", spa_message == NULL ? NULL_STRING : spa_message);
         cp += append_msg_to_buf(dump_buf+cp, dump_buf_len-cp, "     Nat Access: %s\n", nat_access == NULL ? NULL_STRING : nat_access);
         cp += append_msg_to_buf(dump_buf+cp, dump_buf_len-cp, "    Server Auth: %s\n", server_auth == NULL ? NULL_STRING : server_auth);
+        cp += append_msg_to_buf(dump_buf+cp, dump_buf_len-cp, "           TOTP: %s\n", totp == NULL ? NULL_STRING : totp);
         cp += append_msg_to_buf(dump_buf+cp, dump_buf_len-cp, " Client Timeout: %u\n", client_timeout);
         cp += append_msg_to_buf(dump_buf+cp, dump_buf_len-cp, "    Digest Type: %u (%s)\n", digest_type, digest_str);
         cp += append_msg_to_buf(dump_buf+cp, dump_buf_len-cp, "      HMAC Type: %u (%s)\n", hmac_type, hmac_type == 0 ? "None" : hmac_str);

common/fko_util.h

@@ -42,6 +42,7 @@ int     is_valid_encoded_msg_len(const int len);
 int     is_valid_pt_msg_len(const int len);
 int     is_valid_ipv4_addr(const char * const ip_str, const int len);
 int     is_valid_hostname(const char * const hostname_str, const int len);
+int     is_base32(const unsigned char * const buf, const unsigned short int len);
 int     is_base64(const unsigned char * const buf, const unsigned short int len);
 void    hex_dump(const unsigned char *data, const int size);
 int     enc_mode_strtoint(const char *enc_mode_str);

lib/Makefile.am

@@ -1,14 +1,15 @@
 lib_LTLIBRARIES     = libfko.la
 
 libfko_source_files = \
-    base64.c base64.h cipher_funcs.c cipher_funcs.h digest.c digest.h \
+    base32.c base32.h base64.c base64.h cipher_funcs.c cipher_funcs.h digest.c digest.h \
     fko_client_timeout.c fko_common.h fko_digest.c fko_encode.c \
     fko_decode.c fko_encryption.c fko_error.c fko_funcs.c fko_message.c \
     fko_message.h fko_nat_access.c fko_rand_value.c fko_server_auth.c \
     fko.h fko_limits.h fko_timestamp.c fko_hmac.c hmac.c hmac.h \
     fko_user.c fko_user.h md5.c md5.h rijndael.c rijndael.h sha1.c \
     sha1.h sha2.c sha2.h sha3.c sha3.h fko_context.h fko_state.h \
-    gpgme_funcs.c gpgme_funcs.h
+    gpgme_funcs.c gpgme_funcs.h \
+    totp.c totp.h
 
 if WANT_C_UNIT_TESTS
 noinst_PROGRAMS     = fko_utests