Module Rfc6287

RFC6287 (OCRA)

see RFC6287: http://tools.ietf.org/html/rfc6287

see Errata 3729: https://www.rfc-editor.org/errata_search.php?eid=3729

type t

The abstract OCRA suite type

type err =
| Invalid_suite_string
| DataInput of string
| Window of string
val t_of_string : string -> (t, err) Rresult.result
val string_of_t : t -> string
type di = {
  c : bool;  (* C *)
  q : [ `A | `N | `H ] * int;  (* Q *)
  p : [ `SHA1 | `SHA256 | `SHA512 ] option;  (* P *)
  s : int option;  (* S *)
  t : int option;  (* T *)
}
val di_of_t : t -> di

returns DataInput spec

val challenge : t -> string

returns random challenge string q with format and length as specified in suite

type pinhash = [
| `String of string
| `Digest of Cstruct.t
]

If pinhash is `String x, gen and verify apply the Pin Hash algorithm specified in the suite to calculate the digest of x.

If pinhash is `Digest d, the length of d must equal the digest size of the Pin Hash function (as specified in the suite).

type timestamp = [
| `Now
| `Int64 of int64
]

If timestamp is `Now, gen and verify use Unix.time and the timestep specified in the suite to calculate the timestamp value.

val gen : ?time:int64 -> ?c:int64 -> ?p:pinhash -> ?s:Cstruct.t -> ?t:timestamp -> key:Cstruct.t -> q:string -> t -> (Cstruct.t, err) Rresult.result

Generate OCRA(K, {[C] | Q | [P | S | T]}).

returns
  • Ok a the response
  • Error (DataInput error_message) if parameters do not match suite
parameters
  • c: DataInput C: Counter
  • p: DataInput P: Pin Hash
  • s: DataInput S: Session; length must equal session size (as specified in suite)
  • t: DataInput T: Timestamp
  • key: CryptoFunction key K
  • q: DataInput Q: Challenge

val gen1 : ?time:int64 -> c:int64 option -> p:pinhash option -> s:Cstruct.t option -> t:timestamp option -> key:Cstruct.t -> q:string -> t -> (Cstruct.t, err) Rresult.result
val verify : ?time:int64 -> ?c:int64 -> ?p:pinhash -> ?s:Cstruct.t -> ?t:timestamp -> ?cw:int -> ?tw:int -> key:Cstruct.t -> q:string -> a:Cstruct.t -> t -> (bool * int64 option, err) Rresult.result

Verify OCRA Response.

returns
  • Ok (true, None) upon successful verification for suite without C DataInput
  • Ok (true, Some next_counter) upon successful verification for suite with C DataInput
  • Ok (false, None) if verification failed
  • Error (DataInput error_message) if parameters do not match suite
  • Error (Window error_message) on invalid cw and tw parameters
parameters
  • c: DataInput C: Counter
  • p: DataInput P: Pin Hash
  • s: DataInput S: Session; length must equal session size (as specified in suite)
  • t: DataInput T: Timestamp
  • cw: Counter Window
  • tw: Timestamp Window
  • key: CryptoFunction key K
  • q: DataInput Q: Challenge
  • a: Response to check against

val verify1 : ?time:int64 -> c:int64 option -> p:pinhash option -> s:Cstruct.t option -> t:timestamp option -> cw:int option -> tw:int option -> key:Cstruct.t -> q:string -> a:Cstruct.t -> t -> (bool * int64 option, err) Rresult.result
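
A counter-based challenge-response round trip with gen and verify, as an added example that is not part of the library's own documentation. The key, PIN, challenge and counter values are constructed; the comments on cw assume it is a look-ahead counter window as in RFC 6287, and Rresult.result is assumed to be the standard result type.

```ocaml
(* Added example, not the library's own code.
   Assumes the rfc6287, cstruct and rresult packages are installed. *)
let suite_string = "OCRA-1:HOTP-SHA256-8:C-QN08-PSHA1" (* suite string from RFC 6287 *)
let key = Cstruct.of_string "12345678901234567890123456789012" (* constructed demo key *)
let pin = `String "1234" (* constructed PIN; hashed with the suite's Pin Hash *)
let q = "12345678" (* constructed 8-digit numeric challenge, matching QN08 *)

let string_of_err = function
  | Rfc6287.Invalid_suite_string -> "invalid suite string"
  | Rfc6287.DataInput m -> "data input mismatch: " ^ m
  | Rfc6287.Window m -> "invalid window: " ^ m

(* Client: the token's counter (7) has drifted ahead of the server's (5). *)
let client_response suite = Rfc6287.gen ~c:7L ~p:pin ~key ~q suite

(* Server: verify against the stored counter with a small counter window.
   Returns the counter value to persist, or a reason for rejection. *)
let server_check suite ~stored_c ~a =
  match Rfc6287.verify ~c:stored_c ~p:pin ~cw:5 ~key ~q ~a suite with
  | Ok (true, Some next_c) -> Ok next_c (* C suite: store next_c *)
  | Ok (true, None) -> Ok stored_c (* suite without C: nothing to advance *)
  | Ok (false, _) -> Error "response rejected"
  | Error e -> Error (string_of_err e)

let () =
  match Rfc6287.t_of_string suite_string with
  | Error e -> prerr_endline (string_of_err e)
  | Ok suite ->
    (* di_of_t tells the caller which DataInput fields the suite demands. *)
    let di = Rfc6287.di_of_t suite in
    Printf.printf "needs counter: %b, needs pin hash: %b\n"
      di.Rfc6287.c (di.Rfc6287.p <> None);
    match client_response suite with
    | Error e -> prerr_endline (string_of_err e)
    | Ok a ->
      match server_check suite ~stored_c:5L ~a with
      | Ok next_c -> Printf.printf "accepted; persist counter %Ld\n" next_c
      | Error msg -> prerr_endline msg
```

Persist the returned counter before answering the client so that a captured response cannot be replayed, and keep cw small, since every additional counter value in the window is one more response the verifier will accept.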