[RADIATOR] Bug in HOTP verification
Mike McCauley
mikem at open.com.au
Thu Apr 16 16:20:32 CDT 2009
Hello Richard,
thanks for reporting this.
It has now been fixed in the latest patch set.
We apologise for any inconvenience.
Cheers.
On Friday 17 April 2009 04:00:42 am Gopstein, Richard wrote:
> Authentication fails for HOTP values with a leading zero.
>
> In AuthSQLHOTP.pm,
>
> if ($hotp eq $code)
> {
>     $found++;
>     $bad_logins = 0;
>     ($counter_high, $counter_low) = ($temp_high, $temp_low);
>     last;
> }
>
> }
>
> Fails the string to numeric comparison when there is a leading zero.
> Setting $hotp = sprintf("%06d",$hotp) fixes the symptom.
>
> Rich
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, DIAMETER etc. Full source
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
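
The failure reported in this thread, reproduced as an added example. It is not part of the original messages and is not Radiator's code. It assumes a 6-digit HOTP per RFC 4226 and uses the RFC's published test secret; `hotp_int` and `verify_code` are hypothetical names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha1);

# RFC 4226 HOTP, returned as an integer in 0 .. 10**digits - 1.
sub hotp_int {
    my ($key, $counter, $digits) = @_;
    # 8-byte big-endian counter; the high word is 0 for the small counters used here.
    my $mac    = hmac_sha1(pack('NN', 0, $counter), $key);
    my $offset = ord(substr($mac, 19, 1)) & 0x0f;             # dynamic truncation
    my $bin    = unpack('N', substr($mac, $offset, 4)) & 0x7fffffff;
    return $bin % (10 ** $digits);
}

# Hypothetical verifier: pad the computed value to the full width, accept only
# a submission that is exactly six digits, and compare as strings.
sub verify_code {
    my ($key, $counter, $submitted) = @_;
    return 0 unless defined $submitted && $submitted =~ /\A[0-9]{6}\z/;
    return sprintf('%06d', hotp_int($key, $counter, 6)) eq $submitted ? 1 : 0;
}

my $key = '12345678901234567890';    # RFC 4226 Appendix D test secret

# Self-test against the RFC 4226 value for counter 0.
die "HOTP self-test failed\n" unless hotp_int($key, 0, 6) == 755224;

# Find the first counter whose 6-digit code begins with a zero.
my $counter = 0;
$counter++ while hotp_int($key, $counter, 6) >= 100_000;

my $hotp = hotp_int($key, $counter, 6);    # integer, leading zero already lost
my $code = sprintf('%06d', $hotp);         # what the token shows and the user types

printf "counter %d: computed '%s', submitted '%s'\n", $counter, $hotp, $code;
printf "unpadded 'eq' comparison: %s\n", ($hotp eq $code) ? 'accept' : 'REJECT';
printf "padded verify_code():     %s\n",
    verify_code($key, $counter, $code) ? 'accept' : 'REJECT';
# A short or non-digit submission is refused rather than coerced to a number.
printf "submission '%s':          %s\n", $hotp,
    verify_code($key, $counter, "$hotp") ? 'accept' : 'REJECT';
```

Roughly one code in ten begins with a zero, so an unpadded string comparison shows up as intermittent login failures rather than a consistent one.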