Fix OTP KDC module get_string error handling

If cb->get_string returns 0 with no result in otp_edata, make sure we
set retval to avoid sending an empty OTP hint.  If cb->get_string
returns an error code in otp_verify, avoid masking that code.

diff --git a/src/plugins/preauth/otp/main.c b/src/plugins/preauth/otp/main.c
index 2f7470e114f8c9d0d4b49a059586570f26c730af..bf9c6a89f6f38ec6cad7bd661b4e1d8f3db929a9 100644 (file)
--- a/src/plugins/preauth/otp/main.c
+++ b/src/plugins/preauth/otp/main.c
@@ -204,7 +204,9 @@ otp_edata(krb5_context context, krb5_kdc_req *request,
 
     /* Determine if otp is enabled for the user. */
     retval = cb->get_string(context, rock, "otp", &config);
-    if (retval != 0 || config == NULL)
+    if (retval == 0 && config == NULL)
+        retval = ENOENT;
+    if (retval != 0)
         goto out;
     cb->free_string(context, rock, config);
 
@@ -305,7 +307,7 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
 
     /* Get the principal's OTP configuration string. */
     retval = cb->get_string(context, rock, "otp", &config);
-    if (config == NULL)
+    if (retval == 0 && config == NULL)
         retval = KRB5_PREAUTH_FAILED;
     if (retval != 0) {
         free(rs);