V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-19 13:14:05 +01:00
parent 7a94c2cf0e
commit eb1c23d628
1 changed files with 12 additions and 3 deletions
--- a/func/cdi_4500_user/4520_accounts_setup.sh
+++ b/func/cdi_4500_user/4520_accounts_setup.sh
@@ -878,24 +878,33 @@ write_google_authenticator_file() {

  umask 0077
  {
-    declare accept hex val
+    declare accept="" hex="" val=""
+
    printf '%s\n' "${var_secret}"
    printf '" RATE_LIMIT 3 30\n'
    printf '" WINDOW_SIZE 10\n'
    printf '" DISALLOW_REUSE\n'
    printf '" TOTP_AUTH\n'
+
    ### Emergency Codes (8x unbiased 8-digit, CSPRNG via OpenSSL).
    for i in {1..8}; do
+
      ### Draw 32 bits; rejection sampling to avoid modulo bias.
      while :; do
+
        hex="$(openssl rand -hex 4)" || exit 1
-        val=$((16#${hex}))                              # 0..4294967295
-        accept=$(( (1<<32) / 100000000 * 100000000 ))   # 4_200_000_000
+        val=$((16#${hex}))
+        accept=$(( (1<<32) / 100000000 * 100000000 ))
+
        if (( val < accept )); then
+
          printf '%08d\n' "$(( val % 100000000 ))"
          break
+
       fi
+
      done
+
    done
  } >| "${var_base}/.google_authenticator"
  chown "${var_user_id}:${var_group_id}" "${var_base}/.google_authenticator"