Changeset 707 in openpam


Timestamp:
Aug 16, 2013, 1:45:55 PM (7 years ago)
Author:
Dag-Erling Smørgrav
Message:

Increase the default synchronization window, and provide options to
control it.

File:
1 edited

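--- a/trunk/modules/pam_oath/pam_oath.c
+++ b/trunk/modules/pam_oath/pam_oath.c
@@ -51,4 +51,6 @@
 
 #define PAM_OATH_PROMPT "Verification code: "
+#define PAM_OATH_HOTP_WINDOW 3
+#define PAM_OATH_TOTP_WINDOW 3
 
 enum pam_oath_nokey { nokey_error = -1, nokey_fail, nokey_fake, nokey_ignore };
@@ -79,4 +81,26 @@
 
 /*
+ * Parse a numeric option.  Returns -1 if the option is not set or its
+ * value is not an integer in the range [0, INT_MAX].
+ */
+static int
+pam_oath_int_option(pam_handle_t *pamh, const char *option)
+{
+        const char *value;
+        char *end;
+        long num;
+
+        if ((value = openpam_get_option(pamh, option)) == NULL)
+                return (-1);
+        num = strtol(value, &end, 10);
+        if (*value == '\0' || *end != '\0' || num < 0 || num > INT_MAX) {
+                openpam_log(PAM_LOG_ERROR, "the value of the %s option "
+                    "is invalid.", option);
+                return (-1);
+        }
+        return (num);
+}
+
+/*
  * Determine the location of the user's keyfile.
  */
@@ -156,5 +180,5 @@
         unsigned long response;
         char *password, *end;
-        int pam_err, ret;
+        int pam_err, ret, window;
 
         /* unused */
@@ -235,8 +259,15 @@
 
         /* verify response */
-        if (key->mode == om_hotp)
-                ret = oath_hotp_match(key, response, 1);
-        else
-                ret = oath_totp_match(key, response, 1);
+        if (key->mode == om_hotp) {
+                if ((window = pam_oath_int_option(pamh, "hotp_window")) < 0 &&
+                    (window = pam_oath_int_option(pamh, "window")) < 0)
+                        window = PAM_OATH_HOTP_WINDOW;
+                ret = oath_hotp_match(key, response, window);
+        } else {
+                if ((window = pam_oath_int_option(pamh, "totp_window")) < 0 &&
+                    (window = pam_oath_int_option(pamh, "window")) < 0)
+                        window = PAM_OATH_TOTP_WINDOW;
+                ret = oath_totp_match(key, response, window);
+        }
         openpam_log(PAM_LOG_VERBOSE, "verification code %s",
             ret ? "matched" : "did not match");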
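Review bot: pam_oath_int_option() returns -1 both for an unset option and for a malformed one, so in the verify-response hunk a mistyped `hotp_window` or `totp_window` is logged and then silently replaced by `window` or the built-in default of 3, which can be wider than the administrator meant to allow; a distinct return value for the invalid case would let the caller fail the authentication attempt instead of falling back. The accepted range also runs all the way to INT_MAX: every extra step in the window is one more code that verifies, and presumably one more HMAC computation per attempt inside oath_hotp_match()/oath_totp_match() (not visible here), so a small cap is worth enforcing, e.g. `num > PAM_OATH_MAX_WINDOW` with a new constant defined beside the two defaults. strtol() is called without `errno = 0;` before it and an `errno == ERANGE` test after it, so on a platform where long is no wider than int an overflowing value is clamped to INT_MAX and accepted. The function containing the verify-response hunk starts and ends outside the visible lines.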