[RADIATOR] Minor AuthBy SQLTOTP bug
Mike McCauley
mikem at open.com.au
Thu Aug 23 03:09:10 CDT 2012
Hi Roy,
thanks for reporting this.
It is fixed in the latest patch set.
We apologise for any inconvenience.
Cheers.
On Wednesday, August 22, 2012 05:34:13 PM Roy Badami wrote:
> Also potentially a (very minor) code bug in AuthSQLTOTP.pm
>
> checkTOTP() doesn't correctly handle the case where $last_timestep is
> undefined (due to a NULL in the database) if the PIN check fails. The
> code does contain the line:
>
> $last_timestep += 0; # In case database has NULL
>
> but this line is skipped if the PIN is incorrect, leading to incorrect
> SQL (at least in the case of postgres, which is my platform of choice)
>
> Assuming the initial value of last_timestep is NULL (which is permitted
> by the sample schema in totp.sql) then you get an SQL error if the first
> ever log-in attempt involves typing an incorrect PIN:
>
> Wed Aug 22 17:22:03 2012: DEBUG: Query to 'dbi:Pg:dbname=radiator':
> 'SELECT secret, active, pin, digits, bad_logins, EXTRACT(EPOCH FROM
> accessed), last_timestep FROM totpkeys WHERE username='roy-test'':
> Wed Aug 22 17:22:03 2012: DEBUG: do query to 'dbi:Pg:dbname=radiator':
> 'update totpkeys set accessed=now(), bad_logins=1, last_timestep= where
> username='roy-test'':
> Wed Aug 22 17:22:03 2012: ERR: do failed for 'update totpkeys set
> accessed=now(), bad_logins=1, last_timestep= where username='roy-test'':
> ERROR: syntax error at or near "where"
> LINE 1: ... set accessed=now(), bad_logins=1, last_timestep= where user...
>
> Regards
>
> roy
>
> ^
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
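The following is an added illustration, not Radiator's own AuthSQLTOTP.pm code, of the shape of the bug Roy describes and of the defensive fix: normalise a NULL-derived undef before any branch can use it, and pass the values to the database as bind parameters so that a stray undef can never become a syntax error in the SQL text. The function names and the column set are hypothetical; only the table name and the "last_timestep= where" symptom come from the thread.

```perl
#!/usr/bin/perl
# Added example (not from Radiator): a NULL last_timestep reaching the
# UPDATE when the "+= 0" normalisation lives on only one code path.
use strict;
use warnings;

# Buggy shape: the normalisation is only reached when the PIN is correct,
# so the failure path interpolates undef into the SQL as an empty string.
sub buggy_update_sql {
    my ($pin_ok, $bad_logins, $last_timestep) = @_;   # hypothetical helper
    if ($pin_ok) {
        $last_timestep += 0;   # In case database has NULL (only on this path)
        return "update totpkeys set accessed=now(), bad_logins=0, "
             . "last_timestep=$last_timestep where username=?";
    }
    $bad_logins++;
    no warnings 'uninitialized';   # mimic the silent undef interpolation
    return "update totpkeys set accessed=now(), bad_logins=$bad_logins, "
         . "last_timestep=$last_timestep where username=?";
}

# Fixed shape: normalise once, before any branch, and keep the values out
# of the SQL text entirely by returning them as bind parameters.
sub fixed_update_sql {
    my ($pin_ok, $bad_logins, $last_timestep) = @_;   # hypothetical helper
    $last_timestep = 0 unless defined $last_timestep;  # NULL -> 0, every path
    $bad_logins    = 0 unless defined $bad_logins;
    $bad_logins    = $pin_ok ? 0 : $bad_logins + 1;
    # Placeholders: even an undef that slipped through would be bound as a
    # SQL NULL by DBI instead of producing "last_timestep= where".
    my $sql = 'update totpkeys set accessed=now(), bad_logins=?, '
            . 'last_timestep=? where username=?';
    return ($sql, $bad_logins, $last_timestep);
}

# Reproduce the first-ever-login, wrong-PIN case: last_timestep is NULL.
my $bad = buggy_update_sql(0, 0, undef);
print "buggy: $bad\n";
print "  malformed SQL: ", ($bad =~ /last_timestep=\s+where/ ? "yes" : "no"), "\n";

my ($sql, @bind) = fixed_update_sql(0, 0, undef);
print "fixed: $sql\n";
print "  bind values: [@bind]\n";   # username would be pushed on by the caller
```

Running the script prints the buggy statement with the empty `last_timestep=` that postgres rejects, followed by the placeholder form with `[1 0]` as bind values. The same regex used in the self-check (`last_timestep=\s+where`) is also a cheap grep to run over old Radiator DEBUG output to see whether the failure path was ever hit before the patch set was applied.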