Further fixes to rlm_totp

diff --git a/src/modules/rlm_totp/rlm_totp.c b/src/modules/rlm_totp/rlm_totp.c
index 869d15529d44447e12ca404eae379a909187370b..4325bdbed6790d51182bd22832a22ec795130b0d 100644 (file)
--- a/src/modules/rlm_totp/rlm_totp.c
+++ b/src/modules/rlm_totp/rlm_totp.c
@@ -129,12 +129,12 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
        if (fr_type_is_null(user_password->type)) RETURN_MODULE_NOOP;
 
        if (user_password->vb_length == 0) {
-               RDEBUG("TOTP.From-User is empty");
+               RWARN("TOTP.From-User is empty");
                RETURN_MODULE_FAIL;
        }
 
        if ((user_password->vb_length != 6) && (user_password->vb_length != 8)) {
-               RDEBUG("TOTP.From-User has incorrect length. Expected 6 or 8, got %zu", user_password->vb_length);
+               RWARN("TOTP.From-User has incorrect length. Expected 6 or 8, got %zu", user_password->vb_length);
                RETURN_MODULE_FAIL;
        }
 
@@ -148,11 +148,11 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
        } else {
                ssize_t len;
 
-               if (!fr_type_is_null(secret->type)) RETURN_MODULE_NOOP;
+               if (fr_type_is_null(secret->type)) RETURN_MODULE_NOOP;
 
                len = fr_base32_decode(&FR_DBUFF_TMP((uint8_t *) buffer, sizeof(buffer)), &FR_SBUFF_IN(secret->vb_strvalue, secret->vb_length), true, true);
                if (len < 0) {
-                       RDEBUG("TOTP.Secret cannot be decoded");
+                       RERROR("TOTP.Secret cannot be decoded");
                        RETURN_MODULE_FAIL;
                }
 
@@ -160,9 +160,16 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
                our_keylen = len;
        }
 
-       if (fr_totp_cmp(&inst->totp, request, fr_time_to_sec(request->packet->timestamp), our_key, our_keylen, user_password->vb_strvalue) != 0) RETURN_MODULE_FAIL;
+       switch (fr_totp_cmp(&inst->totp, request, fr_time_to_sec(request->packet->timestamp), our_key, our_keylen, user_password->vb_strvalue)) {
+       case 0:
+               RETURN_MODULE_OK;
 
-       RETURN_MODULE_OK;
+       case -2:
+               RETURN_MODULE_FAIL;
+
+       default:
+               RETURN_MODULE_REJECT;
+       }
 }
 
 /*

diff --git a/src/modules/rlm_totp/totp.c b/src/modules/rlm_totp/totp.c
index 67f4ae823cfa5a2d74a190f5853a72b84e0be430..91b9cfcd421718387e7464ac16e9bb4b10f0c92e 100644 (file)
--- a/src/modules/rlm_totp/totp.c
+++ b/src/modules/rlm_totp/totp.c
@@ -60,12 +60,13 @@ static void totp_log(char const *fmt, ...)
  * @param[in] cfg      Instance of fr_totp_t
  * @param[in] request  The current request
  * @param[in] now      The current time
- * @param[in] key      Key to decrypt.
+ * @param[in] key      Key to encrypt.
  * @param[in] keylen   Length of key field.
  * @param[in] totp     TOTP password entered by the user.
  * @return
  *     -  0  On Success
  *     - -1  On Failure
+ *     - -2  On incorrect arguments
  */
 int fr_totp_cmp(fr_totp_t const *cfg, request_t *request, time_t now, uint8_t const *key, size_t keylen, char const *totp)
 {
@@ -83,17 +84,17 @@ int fr_totp_cmp(fr_totp_t const *cfg, request_t *request, time_t now, uint8_t co
 
        if (cfg->otp_length != 6 && cfg->otp_length != 8) {
                fr_strerror_const("The 'opt_length' has incorrect length. Expected 6 or 8.");
-               return -1;
+               return -2;
        }
 
        if (keylen < 1) {
                fr_strerror_const("Invalid 'keylen' parameter value.");
-               return -1;
+               return -2;
        }
 
        if (!*totp) {
                fr_strerror_const("Invalid 'totp' parameter value.");
-               return -1;
+               return -2;
        }
 
        /*