We can read the issuer from a URI (as a separate parameter, not as a prefix to the label) and store it, but not yet output it. That will be implemented in a future rewrite of oath_key_to_uri().
If the key length is not a multiple of 40 bits, its base32 representation may be padded, and that padding will be encoded. We already decoded the label (which may contain spaces and other unsafe characters), but not the key. For the sake of simplicity and robustness, we now decode the name and value of every property.
This corresponds to OpenPAM r886.
Add an oath_mode(3) function which translates from mode names to numbers.
Consistently use UINT_MAX, not -1, to indicate an invalid response.
Change the meaning of the window parameter to always indicate the number
of codes to check *in addition* to the current code. Note that for TOTP,
the window goes in both directions; a window of 1 means to check the
current code plus the previous and next.