Exemple #1
0
    def comparePin(self, pin):
        log.debug("[comparePin] entering comparePin")
        res = False

        ## check for a valid input
        if pin is None:
            log.error("[comparePin] no valid PIN!")
            return res

        if self.LinOtpPinHash:
            if self.isPinEncrypted():
                log.debug("[comparePin] we got an encrypted PIN!")
                tokenPin = self.LinOtpPinHash[2:]
                decryptTokenPin = decryptPin(tokenPin)
                if decryptTokenPin == pin:
                    res = True
            else:
                log.debug("[comparePin] we got a hashed PIN!")
                ## is there a hashed pin
                hashed_pin = self.getHashedPin(pin)
                if hashed_pin == self.LinOtpPinHash:
                    res = True

        else:  ## token hashed pin is empyt or none
            log.debug("[comparePin] there is no pin for this token!")
            if pin == '':
                res = True

        return res
Exemple #2
0
    def comparePin(self, pin):
        log.debug("[comparePin] entering comparePin")
        res = False

        ## check for a valid input
        if pin is None:
            log.error("[comparePin] no valid PIN!")
            return res

        if self.LinOtpPinHash:
            if self.isPinEncrypted():
                log.debug("[comparePin] we got an encrypted PIN!")
                tokenPin = self.LinOtpPinHash[2:]
                decryptTokenPin = decryptPin(tokenPin)
                if decryptTokenPin == pin:
                    res = True
            else:
                log.debug("[comparePin] we got a hashed PIN!")
                ## is there a hashed pin
                hashed_pin = self.getHashedPin(pin)
                if hashed_pin == self.LinOtpPinHash:
                    res = True

        else: ## token hashed pin is empyt or none
            log.debug("[comparePin] there is no pin for this token!")
            if pin == '':
                res = True

        return res
Exemple #3
0
    def comparePin(self, pin):
        log.debug("[comparePin] entering comparePin")
        res = False

        ## check for a valid input
        if pin is None:
            log.error("[comparePin] no valid PIN!")
            return res

        if (self.isPinEncrypted() == True):
            log.debug("[comparePin] we got an encrypted PIN!")
            tokenPin = self.LinOtpPinHash[2:]
            decryptTokenPin = decryptPin(tokenPin)
            # TODO CKO: remove the TokenPin
            #log.debug("[comparePin] the decrypted PIN is %s" % decryptTokenPin)
            if (decryptTokenPin == pin):
                res = True
        else:
            log.debug("[comparePin] we got a hashed PIN!")
            # TODO CKO: remove the PIN hash
            #log.debug("[comparePin] The Hash is %s while the LinOtpPinHash is %s" % (mypHash,self.LinOtpPinHash))
            if len(self.LinOtpPinHash) > 0:
                mypHash = self.getHashedPin(pin)
            else:
                mypHash = pin
            if (mypHash == self.LinOtpPinHash):
                res = True

        return res
Exemple #4
0
    def do_request(servers, env, user, passw, options):
        """
        make the call to the foreign server
        """
        log.debug("start request to foreign server: %r" % servers)

        for server in servers.split(' '):
            parsed_server = urlparse.urlparse(server)

            # the urlparse has a bug,, where in elder versions, the
            # path is not split from the query
            if not parsed_server.query:
                path, _sep, query = parsed_server.path.partition('?')
            else:
                path = parsed_server.path
                query = parsed_server.query

            # finally we found the query parameters
            params = urlparse.parse_qs(query)
            for key, entry in params.items():
                params[key] = entry[0]

            if 'encsecret' in params:
                params['secret'] = decryptPin(params['encsecret'])
                del params['encsecret']

            parsed_list = list(parsed_server[:])
            parsed_list[ForwardServerPolicy.Path_index] = path.strip()
            parsed_list[ForwardServerPolicy.Query_index] = \
                                                urllib.urlencode(params)
            server_url = urlparse.urlunparse(tuple(parsed_list))

            if 'radius://' in server_url:
                rad = RadiusRequest(server=server_url, env=env)
                res, opt = rad.do_request(user, passw, options)
                return res, opt
            elif 'http://' in server_url or 'https://' in server_url:
                http = HttpRequest(server=server_url, env=env)
                res, opt = http.do_request(user, passw, options)
                return res, opt
Exemple #5
0
    def do_request(servers, env, user, passw, options):
        """
        make the call to the foreign server
        """
        log.debug("start request to foreign server: %r" % servers)

        for server in servers.split(' '):
            parsed_server = urlparse.urlparse(server)

            # the urlparse has a bug,, where in elder versions, the
            # path is not split from the query
            if not parsed_server.query:
                path, _sep, query = parsed_server.path.partition('?')
            else:
                path = parsed_server.path
                query = parsed_server.query

            # finally we found the query parameters
            params = urlparse.parse_qs(query)
            for key, entry in params.items():
                params[key] = entry[0]

            if 'encsecret' in params:
                params['secret'] = decryptPin(params['encsecret'])
                del params['encsecret']

            parsed_list = list(parsed_server[:])
            parsed_list[ForwardServerPolicy.Path_index] = path.strip()
            parsed_list[ForwardServerPolicy.Query_index] = \
                                                urllib.urlencode(params)
            server_url = urlparse.urlunparse(tuple(parsed_list))

            if 'radius://' in server_url:
                rad = RadiusRequest(server=server_url, env=env)
                res, opt = rad.do_request(user, passw, options)
                return res, opt
            elif 'http://' in server_url or 'https://' in server_url:
                http = HttpRequest(server=server_url, env=env)
                res, opt = http.do_request(user, passw, options)
                return res, opt
Exemple #6
0
 def getPin(self):
     ret = -1
     if self.isPinEncrypted() == True:
         tokenPin = self.LinOtpPinHash[2:]
         ret = decryptPin(tokenPin)
     return ret
Exemple #7
0
 def getPin(self):
     ret = -1
     if self.isPinEncrypted() == True:
         tokenPin = self.LinOtpPinHash[2:]
         ret = decryptPin(tokenPin)
     return ret
Exemple #8
0
    def _rollout_2(self, params):
        '''
        2.

        https://linotpserver/admin/init?
            type=ocra&
            genkey=1&
            activationcode=AKTIVIERUNGSCODE&
            user=BENUTZERNAME&
            message=MESSAGE&
            session=SESSIONKEY

        =>> "serial" : SERIENNUMMER, "nonce" : DATAOBJECT, "transactionid" : "TRANSAKTIONSID, "app_import" : IMPORTURL

        - nonce - von HSM oder random ?
        - pkcs5 - kdf2
        - es darf zur einer Zeit nur eine QR Token inaktiv (== im Ausrollzustand) sein !!!!!
          der Token wird über den User gefunden
        - seed = pdkdf2(nonce + activcode + shared secret)
        - challenge generiern - von urandom oder HSM

        '''
        log.debug('[_rollout_2] %r ' % (params))

        activationcode = params.get('activationcode', None)
        if activationcode is not None:

            ##  genkey might have created a new key, so we have to rely on
            encSharedSecret = self.getFromTokenInfo('sharedSecret', None)
            if encSharedSecret is None:
                raise Exception ('missing shared secret of initialition for token %r' % (self.getSerial()))

            sharedSecret = decryptPin(encSharedSecret)

            ##  we generate a nonce, which in the end is a challenge
            nonce = createNonce()
            self.addToTokenInfo('nonce', nonce)

            ##  create a new key from the ocrasuite
            key_len = 20
            if self.ocraSuite.find('-SHA256'):
                key_len = 32
            elif self.ocraSuite.find('-SHA512'):
                key_len = 64


            newkey = kdf2(sharedSecret, nonce, activationcode, key_len)
            self.setOtpKey(binascii.hexlify(newkey))

            ##  generate challenge, which is part of the app_import
            message = params.get('message', None)

            #(transid, challenge, _ret, url) = self.challenge(message)

            #self.createChallenge()
            (res, opt) = create_challenge(self, options=params)

            challenge = opt.get('challenge')
            url = opt.get('url')
            transid = opt.get('transactionid')

            ##  generate response
            info = {}
            uInfo = {}
            info['serial'] = self.getSerial()
            uInfo['se'] = self.getSerial()
            info['nonce'] = nonce
            uInfo['no'] = nonce
            info['transactionid'] = transid
            uInfo['tr'] = transid
            info['challenge'] = challenge
            uInfo['ch'] = challenge
            if message is not None:
                uInfo['me'] = str(message.encode("utf-8"))

            ustr = urllib.urlencode({'u':str(url.encode("utf-8"))})
            uInfo['u'] = ustr[2:]
            info['url'] = str(url.encode("utf-8"))

            app_import = 'lseqr://nonce?%s' % (urllib.urlencode(uInfo))

            ##  add a signature of the url
            signature = {'si': self.signData(app_import) }
            info['signature'] = signature.get('si')

            info['app_import'] = "%s&%s" % (app_import, urllib.urlencode(signature))
            self.info = info

            ##  setup new state
            self.addToTokenInfo('rollout', '2')
            self.enable(True)

        log.debug('[_rollout_2]:')
        return