linotp.tokens.hmactoken module

This file contains the dynamic HMAC token implementation:
  • HmacTokenClass (HOTP)

class linotp.tokens.hmactoken.HmacTokenClass(a_token)

Bases: TokenClass

hotp token class implementation

autosync(hmac2Otp, anOtpVal)

autosync - sync the token based on two OTP values; internal method that realizes the autosync within the checkOtp method

Parameters
  • hmac2Otp (hmac object) – the hmac object (with reference to the token secret)

  • anOtpVal (string) – the actual otp value

Returns

counter or -1 if otp does not exist

Return type

int

checkOtp(anOtpVal, counter, window, options=None)

checkOtp - validate the token OTP against a given OTP value

Parameters
  • anOtpVal (string) – the OTP value to be verified

  • counter (int) – the counter state that should be verified

  • window (int) – the lookahead window: counters from counter up to counter + window are checked

  • options (dict) – the dict, which could contain token specific info

Returns

the counter state or -1

Return type

int

checkResponse4Challenge(user, passw, options=None, challenges=None)

verify the response of a previous challenge

Parameters
  • user – the requesting user

  • passw – the password to be checked (pin+otp)

  • options – an additional argument, which could be token specific

  • challenges – the list of challenges, where each challenge is described as dict

Returns

tuple of (otpcounter, list of matching challenges)

check_otp_exist(otp, window=10, user=None, autoassign=False)

Checks whether the given OTP value is one of the values of this very token. This is used for autoassignment and to determine the serial number of a token.

Parameters
  • otp (string) – the OTP value to be verified

  • window (int) – the lookahead window for the counter

Returns

counter or -1 if otp does not exist

Return type

int

createChallenge(state, options=None)

create a challenge, which is submitted to the user

Parameters
  • state – the state/transaction id

  • options – the request context parameters / data

Returns

tuple of (bool, message and data): the message is submitted to the user; the data is preserved in the challenge; attributes are additional attributes, which could be returned

classmethod getClassInfo(key=None, ret='all')

getClassInfo - returns a subtree of the token definition

Parameters
  • key (string) – subsection identifier

  • ret (user defined) – default return value, if nothing is found

Returns

subsection if key exists, otherwise the user-defined default

Return type

see above

classmethod getClassPrefix()
classmethod getClassType()

getClassType - return the token type shortname

Returns

‘hmac’

Return type

string

getInitDetail(params, user=None)

to complete the token normalisation, the response of the initialisation should be built by the token-specific method getInitDetail

getOtp(curTime=None)

get the next OTP value

Returns

next otp value

Return type

string

getSyncTimeOut()

get the token sync timeout value

Returns

timeout value in seconds

Return type

int

get_multi_otp(count=0, epoch_start=0, epoch_end=0, curTime=None)

return a dictionary of multiple future OTP values of the HOTP/HMAC token

Parameters

count (int) – how many otp values should be returned

Returns

tuple of (status: boolean, error: text, OTP dictionary)

is_challenge_request(passw, user, options=None)

check if the request would start a challenge

  • default: if the passw contains only the pin, this request would trigger a challenge

  • the policy for a token is checked here as well

Parameters
  • passw – password, which might be pin or pin+otp

  • options – dictionary of additional request parameters

Returns

true or false

is_challenge_response(passw, user, options=None, challenges=None)

This method checks whether this request is the response to a previously sent challenge.

The default behaviour for deciding whether this is the response to a previous challenge is simply to check whether the request contains a parameter state or transactionid, i.e. whether the options parameter contains a key state or transactionid.

This method does not try to verify the response itself! It only determines, if this is a response for a challenge or not.

Parameters
  • passw (string) – password, which might be pin or pin+otp

  • user (User object) – the requesting user

  • options (dict) – dictionary of additional request parameters

  • challenges – A list of challenges for this token. These challenges may be used, to identify if this request is a response for a challenge.

Returns

true or false

resync(otp1, otp2, options=None)

resync the token based on two OTP values; external method to do the resync of the token

Parameters
  • otp1 (string) – the first otp value

  • otp2 (string) – the second otp value

  • options (dict or None) – optional token specific parameters

Returns

counter or -1 if otp does not exist

Return type

int

update(param, reset_failcount=True)

update - process the initialization parameters

Parameters

param (dict) – dict of initialization parameters

Returns

nothing

validate_seed(seed)

Check if the seed string contains only hexadecimal characters.

Parameters

seed – a string that should be checked for validity as a seed (aka otpkey)

Raises

InvalidSeedException – if the seed contains invalid characters