persistent softfail (forced by nullstate) fixes
authorfcusack <fcusack>
Mon, 31 Oct 2005 07:44:57 +0000 (07:44 +0000)
committerfcusack <fcusack>
Mon, 31 Oct 2005 07:44:57 +0000 (07:44 +0000)
src/modules/rlm_otp/cardops/cryptocard.c
src/modules/rlm_otp/cardops/cryptocard.h
src/modules/rlm_otp/otp_cardops.c
src/modules/rlm_otp/otp_cardops.h

index 82227d1..a0324c7 100644 (file)
@@ -245,6 +245,10 @@ __attribute__ ((unused))
 #ifdef __GNUC__
 __attribute__ ((unused))
 #endif
+                     int auth_rc,
+#ifdef __GNUC__
+__attribute__ ((unused))
+#endif
                      const char *log_prefix)
 {
   return 0;
index a58c3ce..959508b 100644 (file)
@@ -53,7 +53,7 @@ static int cryptocard_response(otp_user_info_t *, char *, const char *,
                                const char *);
 static int cryptocard_updatecsd(const otp_user_info_t *, otp_user_state_t *,
                                 const char [OTP_MAX_CHALLENGE_LEN + 1],
-                                unsigned, time_t, const char *);
+                                unsigned, time_t, int, const char *);
 static int cryptocard_nexttwin(int);
 static int cryptocard_maxtwin(const otp_user_info_t *,
                               const char [OTP_MAX_CSD_LEN + 1], time_t);
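Review bot: The `int` added to the `cryptocard_updatecsd` prototype is unnamed and undocumented, so the header does not say that it carries the authentication result. The definition in cryptocard.c names it `auth_rc`, and the caller in otp_cardops.c passes `rc`, which appears to hold an `OTP_RC_*` value. Naming it in the prototype would document the contract, e.g. `unsigned, time_t, int auth_rc, const char *);`, ideally with a short comment on which values implementations should expect. The same applies to the `updatecsd` member of `cardops_t` in otp_cardops.h.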
index e1b9cd5..fd660cb 100644 (file)
@@ -228,7 +228,10 @@ otp_pw_valid(const char *username, char *challenge, const char *passcode,
 
   /* Set fc (failcondition). */
   if (opt->hardfail && user_state.failcount >= (unsigned) opt->hardfail) {
+    /* NOTE: persistent softfail stops working */
     fc = OTP_FC_FAIL_HARD;
+  } else if (opt->softfail && user_state.authtime == INT32_MAX) {
+    fc = OTP_FC_FAIL_SOFT;
   } else if (opt->softfail &&
              user_state.failcount >= (unsigned) opt->softfail) {
     uint32_t when;
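Review bot: The new `user_state.authtime == INT32_MAX` branch is guarded by `opt->softfail`, so with softfail disabled a user whose state was forced into persistent softfail is not caught here. The rest of the chain lies outside this hunk, so the outcome cannot be confirmed, but if it ends in no fail condition the forced lockout is silently ignored. Consider testing the sentinel independently of `opt->softfail`, or at least logging when it is seen with softfail off. The bare `INT32_MAX` would be safer as a named constant shared with the code that writes it. If precedence is what the hardfail comment means, it could say so directly, e.g. `/* NOTE: hardfail takes precedence over persistent softfail */`.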
@@ -542,7 +545,7 @@ sync_response:
           /* update csd on successful auth or rwindow candidate */
           (void) strcpy(user_state.csd, csd);
           if (user_info.cardops->updatecsd(&user_info, &user_state, challenge,
-                                           t, now, log_prefix) != 0) {
+                                           t, now, rc, log_prefix) != 0) {
             otp_log(OTP_LOG_ERR, "%s: unable to update csd for [%s]",
                     log_prefix, username);
             rc = OTP_RC_SERVICE_ERR;
index 94c6dec..826b0cb 100644 (file)
@@ -78,7 +78,7 @@ typedef struct cardops_t {
                   char [OTP_MAX_RESPONSE_LEN + 1], const char *);
   int (*updatecsd)(const otp_user_info_t *, otp_user_state_t *,
                    const char [OTP_MAX_CHALLENGE_LEN + 1],
-                   unsigned, time_t, const char *);
+                   unsigned, time_t, int, const char *);
   int (*nexttwin)(int);
   int (*maxtwin)(const otp_user_info_t *, const char [OTP_MAX_CSD_LEN + 1],
                  time_t);