Index: stable/10/contrib/opie/libopie/challenge.c
===================================================================
--- stable/10/contrib/opie/libopie/challenge.c (revision 270119)
+++ stable/10/contrib/opie/libopie/challenge.c (revision 270120)
@@ -1,77 +1,79 @@ /* challenge.c: The opiechallenge() library function. %%% portions-copyright-cmetz-96 Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights Reserved. The Inner Net License Version 2 applies to these portions of the software. You should have received a copy of the license with this software. If you didn't get a copy, you may request one from . Portions of this software are Copyright 1995 by Randall Atkinson and Dan McDonald, All Rights Reserved. All Rights under this copyright are assigned to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and License Agreement applies to this software. History: Modified by cmetz for OPIE 2.32. Added extended response set identifier to the challenge. Modified by cmetz for OPIE 2.3. Use opie_ prefix. Send debug info to syslog. Add sha plumbing. Modified by cmetz for OPIE 2.2. Use FUNCTION declaration et al. Created at NRL for OPIE 2.2 from opiesubr2.c $FreeBSD$ */ #include "opie_cfg.h" #include #include #if DEBUG #include #endif /* DEBUG */ #include "opie.h" /* Return an OTP challenge string for user 'name'. The return values are: 0 = All good -1 = Low-level error (file, memory, I/O, etc.) 1 = High-level error (user not found or locked) This function MUST eventually be followed by an opieverify() to release the user lock and file handles. This function will give you a blanked-out state block if it returns a nonzero status. Even though it returns a non-zero status and a blank state block, you still MUST call opieverify() to clear the lock and any internal state (the latter condition is not actually used yet). 
*/ static char *algids[] = { NULL, NULL, NULL, "sha1", "md4", "md5" }; int opiechallenge FUNCTION((mp, name, ss), struct opie *mp AND char *name AND char *ss) { int rval = -1; rval = opielookup(mp, name); #if DEBUG if (rval) syslog(LOG_DEBUG, "opiechallenge: opielookup(mp, name=%s) returned %d", name, rval); #endif /* DEBUG */ if (!rval) { rval = opielock(name); #if DEBUG if (rval) syslog(LOG_DEBUG, "opiechallenge: opielock(name=%s) returned %d", name, rval); #endif /* DEBUG */ } if (rval || - (snprintf(ss, OPIE_CHALLENGE_MAX, "otp-%s %d %s ext", algids[MDX], mp->opie_n - 1, mp->opie_seed) >= OPIE_CHALLENGE_MAX)) { + (snprintf(ss, OPIE_CHALLENGE_MAX+1, "otp-%s %d %s ext", algids[MDX], mp->opie_n - 1, mp->opie_seed) >= OPIE_CHALLENGE_MAX+1)) { + if (!rval) + rval = 1; opierandomchallenge(ss); memset(mp, 0, sizeof(*mp)); } return rval; } Index: stable/10/contrib/opie/opie.h =================================================================== --- stable/10/contrib/opie/opie.h (revision 270119) +++ stable/10/contrib/opie/opie.h (revision 270120) 
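Review bot: The new snprintf() bound lets opiechallenge() write up to OPIE_CHALLENGE_MAX+1 bytes into the caller-supplied `ss`, but neither the function's header comment nor the hunk states that requirement, so a caller that sized its buffer to the old write limit of OPIE_CHALLENGE_MAX bytes would now be overrun by one byte. I would add to the header comment `ss must point to at least OPIE_CHALLENGE_MAX + 1 bytes; the challenge is always NUL-terminated.` and extend the return-code list with `1 is also returned when the challenge does not fit in OPIE_CHALLENGE_MAX bytes.`, since the added `rval = 1` path is not covered by the existing "user not found or locked" wording. Separately, a negative snprintf() return is not caught by the `>= OPIE_CHALLENGE_MAX+1` comparison and would leave rval at 0 with ss in an unspecified state; storing the result in an `int len` and testing `len < 0 || len >= OPIE_CHALLENGE_MAX+1` closes that for one extra line, although with this format string such a failure is unlikely in practice.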
@@ -1,175 +1,175 @@ /* opie.h: Data structures and values for the OPIE authentication system that a program might need. %%% portions-copyright-cmetz-96 Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights Reserved. The Inner Net License Version 2 applies to these portions of the software. You should have received a copy of the license with this software. If you didn't get a copy, you may request one from . Portions of this software are Copyright 1995 by Randall Atkinson and Dan McDonald, All Rights Reserved. All Rights under this copyright are assigned to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and License Agreement applies to this software. History: Modified by cmetz for OPIE 2.4. Added sequence number limits. Added struct opie_otpkey and made many functions use it. Added opiestrncpy(). Include header with libmissing prototypes. Modified by cmetz for OPIE 2.32. Added symbolic flag names for opiepasswd(). Added __opieparsechallenge() prototype. Modified by cmetz for OPIE 2.31. Removed active attack protection. Modified by cmetz for OPIE 2.3. Renamed PTR to VOIDPTR. Added re-init key and extension file fields to struct opie. Added opie_ prefix on struct opie members. Added opie_flags field and definitions. Added more prototypes. Changed opiehash() prototype. Modified by cmetz for OPIE 2.22. Define __P correctly if this file is included in a third-party program. Modified by cmetz for OPIE 2.2. Re-did prototypes. Added FUNCTION definition et al. Multiple-include protection. Added struct utsname fake. Got rid of gethostname() cruft. Moved UINT4 here. Provide for *seek whence values. Move MDx context here and unify. Re-did prototypes. Modified at NRL for OPIE 2.0. Written at Bellcore for the S/Key Version 1 software distribution (skey.h). 
$FreeBSD$ */ #ifndef _OPIE_H #define _OPIE_H 1 struct opie { int opie_flags; char opie_buf[256]; char *opie_principal; int opie_n; char *opie_seed; char *opie_val; long opie_recstart; }; #define __OPIE_FLAGS_RW 1 #define __OPIE_FLAGS_READ 2 /* Minimum length of a secret password */ #ifndef OPIE_SECRET_MIN #define OPIE_SECRET_MIN 10 #endif /* OPIE_SECRET_MIN */ /* Maximum length of a secret password */ #define OPIE_SECRET_MAX 127 /* Minimum length of a seed */ #define OPIE_SEED_MIN 5 /* Maximum length of a seed */ #define OPIE_SEED_MAX 16 -/* Max length of hash algorithm name (md4/md5) */ -#define OPIE_HASHNAME_MAX 3 +/* Max length of hash algorithm name (md4/md5/sha1) */ +#define OPIE_HASHNAME_MAX 4 -/* Maximum length of a challenge (otp-md? 9999 seed) */ -#define OPIE_CHALLENGE_MAX (4+OPIE_HASHNAME_MAX+1+4+1+OPIE_SEED_MAX) +/* Maximum length of a challenge (otp-md? 9999 seed ext) */ +#define OPIE_CHALLENGE_MAX (4+OPIE_HASHNAME_MAX+1+4+1+OPIE_SEED_MAX+1+3) /* Maximum length of a response that we allow */ #define OPIE_RESPONSE_MAX (9+1+19+1+9+OPIE_SEED_MAX+1+19+1+19+1+19) /* Maximum length of a principal (read: user name) */ #define OPIE_PRINCIPAL_MAX 32 /* Maximum sequence number */ #ifndef OPIE_SEQUENCE_MAX #define OPIE_SEQUENCE_MAX 9999 #endif /* OPIE_SEQUENCE_MAX */ /* Restricted sequence number */ #ifndef OPIE_SEQUENCE_RESTRICT #define OPIE_SEQUENCE_RESTRICT 9 #endif /* OPIE_SEQUENCE_RESTRICT */ #define UINT4 u_int32_t struct opie_otpkey { UINT4 words[2]; }; #ifndef SEEK_SET #define SEEK_SET 0 #endif /* SEEK_SET */ #ifndef SEEK_END #define SEEK_END 2 #endif /* SEEK_END */ __BEGIN_DECLS int opieaccessfile __P((char *)); int rdnets __P((long)); int isaddr __P((register char *)); int opiealways __P((char *)); char *opieatob8 __P((struct opie_otpkey *, char *)); void opiebackspace __P((char *)); char *opiebtoa8 __P((char *, struct opie_otpkey *)); char *opiebtoe __P((char *, struct opie_otpkey *)); char *opiebtoh __P((char *, struct opie_otpkey *)); int opieetob 
__P((struct opie_otpkey *, char *)); int opiechallenge __P((struct opie *,char *,char *)); int opiegenerator __P((char *,char *,char *)); int opiegetsequence __P((struct opie *)); void opiehash __P((struct opie_otpkey *, unsigned)); int opiehtoi __P((register char)); int opiekeycrunch __P((int, struct opie_otpkey *, char *, char *)); int opielock __P((char *)); int opieunlock __P((void)); void opieunlockaeh __P((void)); void opiedisableaeh __P((void)); int opielookup __P((struct opie *,char *)); int opiepasscheck __P((char *)); void opierandomchallenge __P((char *)); char * opieskipspace __P((register char *)); void opiestripcrlf __P((char *)); int opieverify __P((struct opie *,char *)); int opiepasswd __P((struct opie *, int, char *, int, char *, char *)); char *opiereadpass __P((char *, int, int)); int opielogin __P((char *line, char *name, char *host)); const char *opie_get_algorithm __P((void)); int opie_haskey __P((char *username)); char *opie_keyinfo __P((char *)); int opie_passverify __P((char *username, char *passwd)); __END_DECLS #if _OPIE #define VOIDPTR void * #define VOIDRET void #define NOARGS void #define FUNCTION(arglist, args) (args) #define AND , #define FUNCTION_NOARGS () __BEGIN_DECLS struct utmp; int __opiegetutmpentry __P((char *, struct utmp *)); #ifdef EOF FILE *__opieopen __P((char *, int, int)); #endif /* EOF */ int __opiereadrec __P((struct opie *)); int __opiewriterec __P((struct opie *)); int __opieparsechallenge __P((char *buffer, int *algorithm, int *sequence, char **seed, int *exts)); __END_DECLS #define opiestrncpy(dst, src, n) \ do { \ strncpy(dst, src, n-1); \ dst[n-1] = 0; \ } while(0) /* #include "missing.h" */ #endif /* _OPIE */ #define OPIEPASSWD_CONSOLE 1 #define OPIEPASSWD_FORCE 2 #endif /* _OPIE_H */ Index: stable/10/contrib/opie/opiekey.c =================================================================== --- stable/10/contrib/opie/opiekey.c (revision 270119) +++ stable/10/contrib/opie/opiekey.c (revision 270120) 
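Review bot: The `4` in the new OPIE_CHALLENGE_MAX expression is the width of the sequence number and is only correct while OPIE_SEQUENCE_MAX keeps its default of 9999; the header deliberately allows a build to override OPIE_SEQUENCE_MAX via `#ifndef`, and a larger value would make opiechallenge() fail on truncation for every high-sequence user instead of producing a longer challenge. Either record the coupling next to the macro, `/* 4 = digits in OPIE_SEQUENCE_MAX (9999); keep the two in step */`, or derive the digit count from OPIE_SEQUENCE_MAX itself. The comment should also state that, like OPIE_RESPONSE_MAX, the value excludes the terminating NUL and callers must allocate OPIE_CHALLENGE_MAX + 1 bytes, which is the size opiechallenge() now passes to snprintf().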
@@ -1,346 +1,346 @@ /* opiekey.c: Stand-alone program for computing responses to OTP challenges. Takes a sequence number and seed (presumably from an OPIE challenge) as command line arguments, prompts for the user's secret pass phrase, and outputs a response. %%% portions-copyright-cmetz-96 Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights Reserved. The Inner Net License Version 2 applies to these portions of the software. You should have received a copy of the license with this software. If you didn't get a copy, you may request one from . Portions of this software are Copyright 1995 by Randall Atkinson and Dan McDonald, All Rights Reserved. All Rights under this copyright are assigned to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and License Agreement applies to this software. History: Modified by cmetz for OPIE 2.4. Use struct opie_key for key blocks. Modified by cmetz for OPIE 2.31. Renamed "init" and RESPONSE_INIT to "init-hex" and RESPONSE_INIT_HEX. Removed active attack protection support. Modified by cmetz for OPIE 2.3. OPIE_PASS_MAX changed to OPIE_SECRET_MAX. Added extended responses, which created lots of changes. Eliminated extra variable. Added -x and -t to help. Added -f flag. Added SHA support. Modified by cmetz for OPIE 2.22. Print newline after seed too long message. Check for minimum seed length. Correct a grammar error. Modified at NRL for OPIE 2.2. Check opiereadpass() return. Change opiereadpass() calls to add echo arg. Use FUNCTION definition et al. Check seed length here, too. Added back hex output. Reworked final output function. Modified at NRL for OPIE 2.0. Written at Bellcore for the S/Key Version 1 software distribution (skey.c). 
$FreeBSD$ */ #include "opie_cfg.h" #include #include #include #include "opie.h" #ifdef __MSDOS__ #include #endif #if HAVE_FCNTL_H #include #endif /* HAVE_FCNTL_H */ extern char *optarg; extern int optind, opterr; int aflag = 0; char *algnames[] = { NULL, NULL, NULL, "SHA-1", "MD4", "MD5" }; char *algids[] = { NULL, NULL, NULL, "sha1", "md4", "md5" }; /******** Begin real source code ***************/ static VOIDRET usage FUNCTION((s), char *s) { fprintf(stderr, "usage: %s [-v] [-h] [-f] [-x] [-t type] [-4 | -5 | -s] [-a] [-n count] sequence_number seed\n", s); exit(1); } #define RESPONSE_STANDARD 0 #define RESPONSE_WORD 1 #define RESPONSE_HEX 2 #define RESPONSE_INIT_HEX 3 #define RESPONSE_INIT_WORD 4 #define RESPONSE_UNKNOWN 5 struct _rtrans { int type; char *name; }; static struct _rtrans rtrans[] = { { RESPONSE_WORD, "word" }, { RESPONSE_HEX, "hex" }, { RESPONSE_INIT_HEX, "init-hex" }, { RESPONSE_INIT_WORD, "init-word" }, { RESPONSE_STANDARD, "" }, { RESPONSE_STANDARD, "standard" }, { RESPONSE_STANDARD, "otp" }, { RESPONSE_UNKNOWN, NULL } }; static void getsecret FUNCTION((secret, promptextra, retype), char *secret AND char *promptextra AND int flags) { fprintf(stderr, "Enter %ssecret pass phrase: ", promptextra); if (!opiereadpass(secret, OPIE_SECRET_MAX, 0)) { fprintf(stderr, "Error reading %ssecret pass phrase!\n", promptextra); exit(1); } if (secret[0] && (flags & 1)) { char verify[OPIE_SECRET_MAX + 1]; fprintf(stderr, "Again %ssecret pass phrase: ", promptextra); if (!opiereadpass(verify, OPIE_SECRET_MAX, 0)) { fprintf(stderr, "Error reading %ssecret pass phrase!\n", promptextra); memset(verify, 0, sizeof(verify)); memset(secret, 0, OPIE_SECRET_MAX + 1); exit(1); } if (verify[0] && strcmp(verify, secret)) { fprintf(stderr, "They don't match. 
Try again.\n"); memset(verify, 0, sizeof(verify)); memset(secret, 0, OPIE_SECRET_MAX + 1); exit(1); } memset(verify, 0, sizeof(verify)); } if (!(flags & 2) && !aflag && opiepasscheck(secret)) { memset(secret, 0, OPIE_SECRET_MAX + 1); fprintf(stderr, "Secret pass phrases must be between %d and %d characters long.\n", OPIE_SECRET_MIN, OPIE_SECRET_MAX); exit(1); }; } int main FUNCTION((argc, argv), int argc AND char *argv[]) { /* variable declarations */ unsigned algorithm = MDX; /* default algorithm per Makefile's MDX symbol */ int keynum = 0; int i; int count = 1; char secret[OPIE_SECRET_MAX + 1], newsecret[OPIE_SECRET_MAX + 1]; struct opie_otpkey key, newkey; char *seed, newseed[OPIE_SEED_MAX + 1]; char response[OPIE_RESPONSE_MAX + 1]; char *slash; int hex = 0; int type = RESPONSE_STANDARD; int force = 0; - if (slash = strchr(argv[0], '/')) + if (slash = strrchr(argv[0], '/')) slash++; else slash = argv[0]; if (!strcmp(slash, "key") || strstr(slash, "md4")) algorithm = 4; if (strstr(slash, "md5")) algorithm = 5; if (strstr(slash, "sha")) algorithm = 3; while ((i = getopt(argc, argv, "fhvn:x45at:s")) != EOF) { switch (i) { case 'v': opieversion(); case 'n': count = atoi(optarg); break; case 'x': hex = 1; break; case 'f': #if INSECURE_OVERRIDE force = 1; #else /* INSECURE_OVERRIDE */ fprintf(stderr, "Sorry, but the -f option is not supported by this build of OPIE.\n"); #endif /* INSECURE_OVERRIDE */ break; case '4': /* use MD4 algorithm */ algorithm = 4; break; case '5': /* use MD5 algorithm */ algorithm = 5; break; case 'a': aflag = 1; break; case 't': { struct _rtrans *r; for (r = rtrans; r->name && strcmp(r->name, optarg); r++); if (!r->name) { fprintf(stderr, "%s: %s: unknown response type.\n", argv[0], optarg); exit(1); } type = r->type; } break; case 's': algorithm = 3; break; default: usage(argv[0]); } } if ((argc - optind) < 2) usage(argv[0]); fprintf(stderr, "Using the %s algorithm to compute response.\n", algnames[algorithm]); /* get sequence number, which 
is next-to-last parameter */ keynum = atoi(argv[optind]); if (keynum < 1) { fprintf(stderr, "Sequence number %s is not positive.\n", argv[optind]); exit(1); } /* get seed string, which is last parameter */ seed = argv[optind + 1]; { i = strlen(seed); if (i > OPIE_SEED_MAX) { fprintf(stderr, "Seeds must be less than %d characters long.\n", OPIE_SEED_MAX); exit(1); } if (i < OPIE_SEED_MIN) { fprintf(stderr, "Seeds must be greater than %d characters long.\n", OPIE_SEED_MIN); exit(1); } } fprintf(stderr, "Reminder: Don't use opiekey from telnet or dial-in sessions.\n"); if (opieinsecure()) { fprintf(stderr, "Sorry, but you don't seem to be on the console or a secure terminal.\n"); #if INSECURE_OVERRIDE if (force) fprintf(stderr, "Warning: Continuing could disclose your secret pass phrase to an attacker!\n"); else #endif /* INSECURE_OVERRIDE */ exit(1); } if ((type == RESPONSE_INIT_HEX) || (type == RESPONSE_INIT_WORD)) { #if RETYPE getsecret(secret, "old ", 1); #else /* RETYPE */ getsecret(secret, "old ", 0); #endif /* RETYPE */ getsecret(newsecret, "new ", 1); if (!newsecret[0]) strcpy(newsecret, secret); if (opienewseed(strcpy(newseed, seed)) < 0) { fprintf(stderr, "Error updating seed.\n"); goto error; } if (opiekeycrunch(algorithm, &newkey, newseed, newsecret)) { fprintf(stderr, "%s: key crunch failed (1)\n", argv[0]); goto error; } for (i = 0; i < 499; i++) opiehash(&newkey, algorithm); } else #if RETYPE getsecret(secret, "", 1); #else /* RETYPE */ getsecret(secret, "", 0); #endif /* RETYPE */ /* Crunch seed and secret password into starting key normally */ if (opiekeycrunch(algorithm, &key, seed, secret)) { fprintf(stderr, "%s: key crunch failed\n", argv[0]); goto error; } for (i = 0; i <= (keynum - count); i++) opiehash(&key, algorithm); { char buf[OPIE_SEED_MAX + 48 + 1]; char *c; for (; i <= keynum; i++) { if (count > 1) printf("%d: %s", i, (type == RESPONSE_STANDARD) ? 
"" : "\n"); switch(type) { case RESPONSE_STANDARD: if (hex) opiebtoh(response, &key); else opiebtoe(response, &key); break; case RESPONSE_WORD: strcpy(response, "word:"); strcat(response, opiebtoe(buf, &key)); break; case RESPONSE_HEX: strcpy(response, "hex:"); strcat(response, opiebtoh(buf, &key)); break; case RESPONSE_INIT_HEX: case RESPONSE_INIT_WORD: if (type == RESPONSE_INIT_HEX) { strcpy(response, "init-hex:"); strcat(response, opiebtoh(buf, &key)); sprintf(buf, ":%s 499 %s:", algids[algorithm], newseed); strcat(response, buf); strcat(response, opiebtoh(buf, &newkey)); } else { strcpy(response, "init-word:"); strcat(response, opiebtoe(buf, &key)); sprintf(buf, ":%s 499 %s:", algids[algorithm], newseed); strcat(response, buf); strcat(response, opiebtoe(buf, &newkey)); } break; } puts(response); opiehash(&key, algorithm); } } memset(secret, 0, sizeof(secret)); memset(newsecret, 0, sizeof(newsecret)); return 0; error: memset(secret, 0, sizeof(secret)); memset(newsecret, 0, sizeof(newsecret)); return 1; } Index: stable/10/usr.bin/opiekey/Makefile =================================================================== --- stable/10/usr.bin/opiekey/Makefile (revision 270119) +++ stable/10/usr.bin/opiekey/Makefile (revision 270120) 
@@ -1,24 +1,24 @@ # $FreeBSD$ # OPIE_DIST?= ${.CURDIR}/../../contrib/opie PROG= opiekey CFLAGS+=-I${.CURDIR}/../../lib/libopie CFLAGS+=-I${OPIE_DIST} CFLAGS+=-DINSECURE_OVERRIDE WARNS?= 0 DPADD= ${LIBOPIE} ${LIBMD} LDADD= -lopie -lmd LINKS= ${BINDIR}/opiekey ${BINDIR}/otp-md4 LINKS+= ${BINDIR}/opiekey ${BINDIR}/otp-md5 -LINKS+= ${BINDIR}/opiekey ${BINDIR}/otp-sha +LINKS+= ${BINDIR}/opiekey ${BINDIR}/otp-sha1 -MLINKS= opiekey.1 otp-md4.1 opiekey.1 otp-md5.1 opiekey.1 otp-sha.1 +MLINKS= opiekey.1 otp-md4.1 opiekey.1 otp-md5.1 opiekey.1 otp-sha1.1 .PATH: ${OPIE_DIST} .include Index: stable/10 =================================================================== --- stable/10 (revision 270119) +++ stable/10 (revision 270120) Property changes on: stable/10 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /head:r269806,269809-269811