that the resynchronization loop will always run at least once.
Adjust the loop condition, which unintentionally ignored errors.
Remove a debugging message.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@851 185d5e19-27fe-0310-9dcf-9bff6b9f3609
- Use UINT_MAX to indicate an invalid response.
- The meaning of the window parameter has changed slightly.
The calc command now accepts a count of codes to generate.
The resync command now fails if the key is not resynchronizable.
Clean up the usage message.
Document exit codes.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@850 185d5e19-27fe-0310-9dcf-9bff6b9f3609
of codes to check *in addition* to the current code. Note that for TOTP,
the window goes in both directions; a window of 1 means to check the
current code plus the previous and next.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@849 185d5e19-27fe-0310-9dcf-9bff6b9f3609
a new key.
Allow resynchronizing with three keys instead of two, increasing the
resynchronization window from 100 keys to 1000 keys.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@847 185d5e19-27fe-0310-9dcf-9bff6b9f3609
because the getopt(3) spec had not been updated to include it.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@844 185d5e19-27fe-0310-9dcf-9bff6b9f3609
from their token. If the first code is found within the synchronization
window (currently hardcoded to 99) and the second is the next code in the
sequence, the counter is reset to one past the second code.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@842 185d5e19-27fe-0310-9dcf-9bff6b9f3609
libpam and / or liboath. Doing so disables building the corresponding
library and its documentation, but still builds the corresponding tools
and modules and runs the unit tests.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@834 185d5e19-27fe-0310-9dcf-9bff6b9f3609
and PAM as code. As a side effect, this simplifies the code for CVEs.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@820 185d5e19-27fe-0310-9dcf-9bff6b9f3609
- Rename the uri command to geturi (but retain backward compatibility).
- Add a getkey command that prints the key in hexadecimal.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@818 185d5e19-27fe-0310-9dcf-9bff6b9f3609
size of the buffer is not necessarily known, and which can replace the
"memset(str, 0, strlen(str))" idiom. Use it to clear buffers which may
have contained authentication tokens.
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@803 185d5e19-27fe-0310-9dcf-9bff6b9f3609
1. Finish a comment which was meant to describe the four different
termination conditions for the loop in openpam_parse_chain() but
ended in mid-sentence.
2. Ensure that errno is consistently set to EINVAL if a syntax error
is encountered in the policy file.
3. If openpam_load_module() fails because the module could not be
loaded, set errno to ENOEXEC instead of ENOENT. This closes a hole
where a missing module or a typo in a module name would cause the
corresponding chain to fail open. Normally, if the policy exists
but cannot be loaded, openpam_load_chain() will return an error,
and openpam_configure() will discard any partially constructed
chains. However, openpam_load_chain() interprets ENOENT to mean
that the policy was not found, so it does not immediately return an
error, the partially-loaded chain is not discarded, and the policy
is incorrectly considered to have been successfully loaded.
4. Ensure that errors encountered while parsing an included policy are
correctly propagated to the original policy, and that ENOENT while
processing an include directive is a hard error, not a soft error.
CVE-2014-3879
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@795 185d5e19-27fe-0310-9dcf-9bff6b9f3609
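The fail-open path described in item 3 of the commit message above can be reproduced in a simplified model. This is an added example, not OpenPAM's code: `load_module`, `parse_policy`, `configure`, the module names and the policy are hypothetical stand-ins, and the caller's handling of ENOENT is reduced to a single check.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: the only module "installed" in this model. */
static const char *const installed[] = { "pam_unix.so", NULL };
/* Constructed policy: the second entry is a typo for a module that is not installed. */
static const char *const policy[] = { "pam_unix.so", "pam_oath_typo.so", NULL };

/* Hypothetical loader: reports a missing module with the errno the caller chooses. */
static int load_module(const char *name, int missing_errno)
{
    for (size_t i = 0; installed[i] != NULL; i++)
        if (strcmp(installed[i], name) == 0)
            return 0;
    errno = missing_errno;
    return -1;
}

/* Hypothetical parser: appends modules to the chain, stops at the first failure. */
static int parse_policy(const char *const *mods, int missing_errno, int *chain_len)
{
    for (*chain_len = 0; mods[*chain_len] != NULL; (*chain_len)++)
        if (load_module(mods[*chain_len], missing_errno) != 0)
            return -1;
    return 0;
}

/* Hypothetical caller: ENOENT is read as "policy file not found" (soft error),
 * so the partial chain survives; any other errno discards it.
 * Returns 1 if the policy is treated as loaded, 0 if it is rejected. */
static int configure(const char *const *mods, int missing_errno, int *chain_len)
{
    if (parse_policy(mods, missing_errno, chain_len) == 0 || errno == ENOENT)
        return 1;
    *chain_len = 0;
    return 0;
}

int main(void)
{
    int n, ok;
    ok = configure(policy, ENOENT, &n);
    printf("ENOENT : loaded=%d chain_len=%d\n", ok, n);
    ok = configure(policy, ENOEXEC, &n);
    printf("ENOEXEC: loaded=%d chain_len=%d\n", ok, n);
    return 0;
}
```

With ENOENT the model accepts a one-module chain that silently lacks the second entry; with ENOEXEC the same policy is rejected and the partial chain is discarded.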