Add TOTP (RFC6238) one-time password support

David Woodhouse dwmw2 at infradead.org
Thu Mar 7 18:55:18 EST 2013


On Thu, 2013-03-07 at 18:39 -0500, John Morrissey wrote:
> The patch below adds TOTP (RFC6238) one-time password support to
> OpenConnect.

Thanks. This looks good. I'll look over it a bit more carefully in the
morning.

> A couple notes:
> 
> - I changed some of the CLI options and vpninfo structure members to make
>   the use of "stoken" (as in libstoken) vs "software token" a bit less
>   ambiguous. --stoken is still accepted on the command line for backwards
>   compatibility.

That seems to make sense.

> - openconnect_set_stoken_mode no longer accepts the use_stoken argument
>   and instead always tries to initialize libstoken when called. This
>   makes sense in openconnect(8), but I'm not sure how much of a concern
>   this API change is for upstream consumers of libopenconnect. I also
>   wasn't sure how to account for this in libopenconnect.map.in.

You can't account for it. It's an ABI break and it would take us to
libopenconnect.so.3. I'd like to avoid this change, if possible.

Admittedly, I don't think anyone is *using* the existing functions from
a GUI; I certainly haven't seen any NetworkManager-openconnect patches
go by which implement stoken support there. But that isn't really the
point. There are consumers of this library that I *don't* keep a close
eye on, like kde-plasma-networkmanagement and Shimo.


> Other than that, I think it does what it says on the box. It builds when
> libstoken (only) is present, libstoken and liboath are both present, and
> when neither library is present. I don't have a SecurID installation to
> actually test with, but the code changes to the libstoken path are minimal,
> so I think they're OK.

I've already received complaints about the way that stoken support is
automatically built if libstoken is present, and silently omitted if
not. It would be nice to have a --disable-oath argument to configure:
http://www.gentoo.org/proj/en/qa/automagic.xml

-- 
dwmw2
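For readers of this thread who want to see what the RFC 6238 support being discussed actually computes, the following is an added example and not code from OpenConnect, liboath or John's patch. It implements HOTP (RFC 4226) dynamic truncation and the RFC 6238 time-step counter with Python's standard hmac/hashlib, and uses the ASCII secret "12345678901234567890" from RFC 6238 Appendix B as its constructed input so the output can be checked against the RFC's own reference values. The verify_totp helper with a clock-skew window is an assumption about how a server would consume such codes; it is not something the client-side patch does.

```python
"""RFC 6238 TOTP generation, written from the RFC's HOTP/TOTP definitions.

Added example for this thread; it is not OpenConnect, liboath or patch code.
"""
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B reference secret (ASCII). Constructed test input,
# not a secret from any real deployment.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    if not 6 <= digits <= 8:
        raise ValueError("RFC 4226 specifies 6 to 8 digits")
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros (e.g. "07081804")


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter T = floor((unix_time - T0) / X)."""
    if step <= 0:
        raise ValueError("time step must be positive")
    counter = (unix_time - t0) // step
    return hotp(secret, counter, digits, digestmod)


def totp_now(secret: bytes, **kwargs) -> str:
    """Code for the current wall-clock second, as a client would send it."""
    return totp(secret, int(time.time()), **kwargs)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1, **kwargs) -> bool:
    """Assumed server-side check: accept +/- `window` time steps of clock skew.

    hmac.compare_digest is used so a wrong guess is rejected in constant time.
    """
    step = kwargs.get("step", 30)
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, **kwargs)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B, HMAC-SHA1, 8 digits, T0 = 0, X = 30.
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000):
        print(t, totp(RFC6238_SECRET, t, digits=8))
```

The RFC 6238 vectors make a good regression check when wiring up a library such as liboath: time 59 with the Appendix B secret must yield 94287082 for SHA-1, and 1111111109 must yield 07081804, which also exercises the leading-zero case that a naive integer-to-string conversion drops.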