From: Nick Porter
Date: Mon, 29 Apr 2024 17:10:04 +0000 (+0100)
Subject: Further fixes to rlm_totp
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4a0977d24bc133e10c311e32d9d913c45622257d;p=thirdparty%2Ffreeradius-server.git

Further fixes to rlm_totp
---
diff --git a/src/modules/rlm_totp/rlm_totp.c b/src/modules/rlm_totp/rlm_totp.c
index 869d15529d..4325bdbed6 100644
--- a/src/modules/rlm_totp/rlm_totp.c
+++ b/src/modules/rlm_totp/rlm_totp.c
@@ -129,12 +129,12 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
 if (fr_type_is_null(user_password->type)) RETURN_MODULE_NOOP;
 if (user_password->vb_length == 0) {
- RDEBUG("TOTP.From-User is empty");
+ RWARN("TOTP.From-User is empty");
 RETURN_MODULE_FAIL;
 }
 if ((user_password->vb_length != 6) && (user_password->vb_length != 8)) {
- RDEBUG("TOTP.From-User has incorrect length. Expected 6 or 8, got %zu", user_password->vb_length);
+ RWARN("TOTP.From-User has incorrect length. Expected 6 or 8, got %zu", user_password->vb_length);
 RETURN_MODULE_FAIL;
 }
@@ -148,11 +148,11 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
 } else {
 ssize_t len;
- if (!fr_type_is_null(secret->type)) RETURN_MODULE_NOOP;
+ if (fr_type_is_null(secret->type)) RETURN_MODULE_NOOP;
 len = fr_base32_decode(&FR_DBUFF_TMP((uint8_t *) buffer, sizeof(buffer)), &FR_SBUFF_IN(secret->vb_strvalue, secret->vb_length), true, true);
 if (len < 0) {
- RDEBUG("TOTP.Secret cannot be decoded");
+ RERROR("TOTP.Secret cannot be decoded");
 RETURN_MODULE_FAIL;
 }
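Review bot: The length check still accepts either 6 or 8 digits regardless of the module's configured `otp_length`, which totp.c validates separately as `cfg->otp_length`; unless fr_totp_cmp also compares the entered length against cfg->otp_length (not visible here), a code of the wrong configured length is only caught, if at all, as a generic mismatch, and the new RWARN text names "6 or 8" rather than the configured value. Consider `if (user_password->vb_length != inst->totp.otp_length) { RWARN("TOTP.From-User has incorrect length. Expected %u, got %zu", inst->totp.otp_length, user_password->vb_length); RETURN_MODULE_FAIL; }` (adjust the specifier to otp_length's declared type). Both RWARN lines fire on client-supplied input, so they are emitted once per malformed request; that is a log-volume consideration for operators rather than a defect. mod_authenticate starts before this hunk.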
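Review bot: The new RERROR on base32 decode failure drops the reason; FreeRADIUS decoders report it through fr_strerror, so `RPERROR("TOTP.Secret cannot be decoded");` would log it as well (assuming fr_base32_decode sets fr_strerror on failure, as other decoders in the tree do). The inverted fr_type_is_null test is the right fix; note that a secret that decodes to zero bytes passes `len < 0` here and is only rejected downstream by fr_totp_cmp's `keylen < 1` check with -2, which the caller now maps to FAIL — confirm that is the intended outcome for an empty configured secret rather than handling `len == 0` here. The decoded secret stays in the stack `buffer` after the comparison; mod_authenticate continues past this hunk, so whether it is cleared before return (explicit_bzero or equivalent) cannot be confirmed from here.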
@@ -160,9 +160,16 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
 our_keylen = len;
 }
- if (fr_totp_cmp(&inst->totp, request, fr_time_to_sec(request->packet->timestamp), our_key, our_keylen, user_password->vb_strvalue) != 0) RETURN_MODULE_FAIL;
+ switch (fr_totp_cmp(&inst->totp, request, fr_time_to_sec(request->packet->timestamp), our_key, our_keylen, user_password->vb_strvalue)) {
+ case 0:
+ RETURN_MODULE_OK;
- RETURN_MODULE_OK;
+ case -2:
+ RETURN_MODULE_FAIL;
+
+ default:
+ RETURN_MODULE_REJECT;
+ }
 }
 /*
diff --git a/src/modules/rlm_totp/totp.c b/src/modules/rlm_totp/totp.c
index 67f4ae823c..91b9cfcd42 100644
--- a/src/modules/rlm_totp/totp.c
+++ b/src/modules/rlm_totp/totp.c
@@ -60,12 +60,13 @@ static void totp_log(char const *fmt, ...)
 * @param[in] cfg Instance of fr_totp_t
 * @param[in] request The current request
 * @param[in] now The current time
- * @param[in] key Key to decrypt.
+ * @param[in] key Key to encrypt.
 * @param[in] keylen Length of key field.
 * @param[in] totp TOTP password entered by the user.
 * @return
 * - 0 On Success
 * - -1 On Failure
+ * - -2 On incorrect arguments
 */
 int fr_totp_cmp(fr_totp_t const *cfg, request_t *request, time_t now, uint8_t const *key, size_t keylen, char const *totp)
 {
@@ -83,17 +84,17 @@ int fr_totp_cmp(fr_totp_t const *cfg, request_t *request, time_t now, uint8_t co
 if (cfg->otp_length != 6 && cfg->otp_length != 8) {
 fr_strerror_const("The 'opt_length' has incorrect length. Expected 6 or 8.");
- return -1;
+ return -2;
 }
 if (keylen < 1) {
 fr_strerror_const("Invalid 'keylen' parameter value.");
- return -1;
+ return -2;
 }
 if (!*totp) {
 fr_strerror_const("Invalid 'totp' parameter value.");
- return -1;
+ return -2;
 }
 /*
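Review bot: The `case -2:` branch returns FAIL without logging, yet every -2 path in fr_totp_cmp (the totp.c hunk at -83) records the cause with fr_strerror_const, so the operator sees a bare module failure with no reason; add `RPERROR("TOTP comparison failed");` before `RETURN_MODULE_FAIL;` in that case. The default branch likewise rejects silently; a `RDEBUG("TOTP.From-User does not match");` (or RPEDEBUG, if fr_totp_cmp sets an error on mismatch — not visible here) would make rejections traceable in request debug output. The 0/-1/-2 contract lives only in the totp.c comment; naming the values in an enum shared by both files would keep this switch from diverging from the callee silently. mod_authenticate begins before this hunk.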
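Review bot: `Key to encrypt.` is no more accurate than `Key to decrypt.`: TOTP neither encrypts nor decrypts the key, it uses it as the HMAC secret, and the caller in rlm_totp.c passes the base32-decoded TOTP.Secret, so `@param[in] key Shared secret (raw bytes, already base32-decoded) used as the HMAC key.` describes the parameter. The new `-2 On incorrect arguments` line should also say that the reason is available via fr_strerror(), since every -2 path sets one, and `-1 On Failure` is clearer as `-1 If the TOTP does not match`, which is presumably what it means given that the caller maps it to REJECT.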
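Review bot: The error string in the first check names `'opt_length'`, but the field tested is `cfg->otp_length`; the commit changes the return code on the line below but leaves the typo, so the message an operator sees points at a setting that does not exist. Change it to `fr_strerror_const("Invalid 'otp_length' parameter value. Expected 6 or 8.");`, which also matches the `Invalid '...' parameter value.` form the other two messages in this hunk use. `keylen < 1` only rejects an empty key; whether a minimum secret length is enforced at configuration time is not visible here, but RFC 4226 requires at least 128 bits of shared secret, so a length floor (or at least a warning) where the secret is configured would be worth considering.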