Hi Roy,

thanks for reporting this.
It is fixed in the latest patch set.
We apologise for any inconvenience.

Cheers.

On Wednesday, August 22, 2012 05:34:13 PM Roy Badami wrote:
> Also potentially a (very minor) code bug in AuthSQLTOTP.pm
> 
> checkTOTP() doesn't correctly handle the case where $last_timestep is
> undefined (due to a NULL in the database) if the PIN check fails.  The
> code does contain the line:
> 
>     $last_timestep += 0; # In case database has NULL
> 
> but this line is skipped if the PIN is incorrect, leading to incorrect
> SQL (at least in the case of postgres, which is my platform of choice).
> 
> Assuming the initial value of last_timestep is NULL (which is permitted
> by the sample schema in totp.sql) then you get an SQL error if the first
> ever log-in attempt involves typing an incorrect PIN:
> 
> Wed Aug 22 17:22:03 2012: DEBUG: Query to 'dbi:Pg:dbname=radiator':
> 'SELECT secret, active, pin, digits, bad_logins, EXTRACT(EPOCH FROM
> accessed), last_timestep FROM totpkeys WHERE username='roy-test'':
> Wed Aug 22 17:22:03 2012: DEBUG: do query to 'dbi:Pg:dbname=radiator':
> 'update totpkeys set accessed=now(), bad_logins=1, last_timestep= where
> username='roy-test'':
> Wed Aug 22 17:22:03 2012: ERR: do failed for 'update totpkeys set
> accessed=now(), bad_logins=1, last_timestep= where username='roy-test'':
> ERROR:  syntax error at or near "where"
> LINE 1: ... set accessed=now(), bad_logins=1, last_timestep= where user...
>                                                              ^
> 
> Regards
> 
> roy
> 
> 
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
-- 
Mike McCauley                               mi...@open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

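The bug Roy describes is a control-flow ordering problem: the "in case database has NULL" coercion sits after the PIN check, so on the bad-PIN path an undefined value is interpolated into the UPDATE as an empty string and the statement no longer parses. The following is an added example written for this thread; it is not code from the thread, from AuthSQLTOTP.pm or from Radiator. It models the failure path in Python against an in-memory SQLite table (standing in for Roy's PostgreSQL, which reports the same class of syntax error), with a constructed schema and constructed user, PIN and column values. The fixed variant moves the coercion ahead of every branch, as the report implies, and additionally binds the values as parameters instead of interpolating them, which is my hardening suggestion rather than anything the thread states about the shipped fix.

```python
import sqlite3

# Constructed in-memory schema with the columns named in the report; it is a
# stand-in, not Radiator's totp.sql. last_timestep is nullable, which is the
# state the report says a freshly provisioned row can be in.
SCHEMA = """
CREATE TABLE totpkeys (
    username      TEXT PRIMARY KEY,
    pin           TEXT NOT NULL,
    bad_logins    INTEGER NOT NULL DEFAULT 0,
    last_timestep INTEGER
);
"""


def fresh_db(username="roy-test", pin="1234"):
    """Return a new database holding one user whose last_timestep is NULL."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO totpkeys (username, pin) VALUES (?, ?)", (username, pin))
    return db


def interpolate(value):
    """Mimic Perl string interpolation of a scalar: undef becomes ''."""
    return "" if value is None else str(value)


def record_failure_buggy(db, username, entered_pin):
    """Failure path as the report describes it: the UPDATE is assembled by
    string interpolation and the NULL coercion has not run yet."""
    stored_pin, bad_logins, last_timestep = db.execute(
        "SELECT pin, bad_logins, last_timestep FROM totpkeys WHERE username=?",
        (username,)).fetchone()
    if entered_pin == stored_pin:
        return True
    sql = ("UPDATE totpkeys SET bad_logins=%d, last_timestep=%s WHERE username='%s'"
           % (bad_logins + 1, interpolate(last_timestep), username))
    # With a NULL column this reads '... last_timestep= WHERE ...' and fails to parse.
    db.execute(sql)
    return False


def record_failure_fixed(db, username, entered_pin):
    """Same logic with two changes: coerce the nullable column before any
    branch uses it, and bind values instead of interpolating them."""
    stored_pin, bad_logins, last_timestep = db.execute(
        "SELECT pin, bad_logins, last_timestep FROM totpkeys WHERE username=?",
        (username,)).fetchone()
    # Equivalent of the report's '$last_timestep += 0', now on every path.
    last_timestep = last_timestep or 0
    if entered_pin == stored_pin:
        return True
    db.execute("UPDATE totpkeys SET bad_logins=?, last_timestep=? WHERE username=?",
               (bad_logins + 1, last_timestep, username))
    return False


def buggy_error_message(username="roy-test", wrong_pin="0000"):
    """Run the buggy path against a fresh row; return the database error text,
    or None if no error was raised."""
    db = fresh_db(username)
    try:
        record_failure_buggy(db, username, wrong_pin)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def fixed_row_after_bad_pin(username="roy-test", wrong_pin="0000"):
    """Run the fixed path and return (bad_logins, last_timestep) afterwards."""
    db = fresh_db(username)
    record_failure_fixed(db, username, wrong_pin)
    return db.execute("SELECT bad_logins, last_timestep FROM totpkeys WHERE username=?",
                      (username,)).fetchone()


if __name__ == "__main__":
    print("buggy path:", buggy_error_message())
    print("fixed path:", fixed_row_after_bad_pin())
```

Running it shows the buggy path raising a syntax error at the WHERE keyword, exactly the shape of the PostgreSQL message in Roy's log, while the fixed path records the failed attempt with bad_logins=1 and last_timestep=0. Binding parameters also means that even if the coercion were missed again, a None would reach the database as a proper NULL rather than as a hole in the statement text.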
