]> git.ipfire.org Git - thirdparty/krb5.git/commitdiff
projects / thirdparty / krb5.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f22510a)
Avoid setting AS key when OTP preauth fails
authorNathaniel McCallum <npmccallum@redhat.com>
Thu, 26 May 2016 20:54:29 +0000 (16:54 -0400)
committerGreg Hudson <ghudson@mit.edu>
Thu, 26 May 2016 22:24:30 +0000 (18:24 -0400)
In otp_client_process(), call cb->set_as_key() later in the function
after the OTP request has been created.  The previous position of this
call caused the AS key to be replaced even when later code in the
function failed, preventing other preauth mechanisms from retrieving
the correct AS key.

ticket: 8421 (new)
target_version: 1.14-new
target_version: 1.13-new
tags: pullup

src/lib/krb5/krb/preauth_otp.c patch | blob | blame | history

diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
index d9ddc8bf3b7dcdc42c3a2c2167fb52e9d85f6fc0..3de528b5ae19b5d8747e83cb1483151d87db2f5a 100644 (file)
--- a/src/lib/krb5/krb/preauth_otp.c
+++ b/src/lib/krb5/krb/preauth_otp.c
@@ -1081,11 +1081,6 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
     if (as_key == NULL)
         return ENOENT;
 
-    /* Use FAST armor key as response key. */
-    retval = cb->set_as_key(context, rock, as_key);
-    if (retval != 0)
-        return retval;
-
     /* Attempt to get token selection from the responder. */
     pin = empty_data();
     value = empty_data();
@@ -1115,6 +1110,11 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
     if (retval != 0)
         goto error;
 
+    /* Use FAST armor key as response key. */
+    retval = cb->set_as_key(context, rock, as_key);
+    if (retval != 0)
+        goto error;
+
     /* Encode the request into the pa_data output. */
     retval = set_pa_data(req, pa_data_out);
 error:
Mirror of https://github.com/krb5/krb5.git