From: Nathaniel McCallum Date: Thu, 26 May 2016 20:54:29 +0000 (-0400) Subject: Avoid setting AS key when OTP preauth fails X-Git-Tag: krb5-1.15-beta1~188 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0712d0059d72ddeaf1764f8fa173a321e3bc072d;p=thirdparty%2Fkrb5.git Avoid setting AS key when OTP preauth fails In otp_client_process(), call cb->set_as_key() later in the function after the OTP request has been created. The previous position of this call caused the AS key to be replaced even when later code in the function failed, preventing other preauth mechanisms from retrieving the correct AS key. ticket: 8421 (new) target_version: 1.14-new target_version: 1.13-new tags: pullup
---
diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
index d9ddc8bf3b..3de528b5ae 100644
--- a/src/lib/krb5/krb/preauth_otp.c
+++ b/src/lib/krb5/krb/preauth_otp.c
@@ -1081,11 +1081,6 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
 if (as_key == NULL)
 return ENOENT;
 
- /* Use FAST armor key as response key. */
- retval = cb->set_as_key(context, rock, as_key);
- if (retval != 0)
- return retval;
-
 /* Attempt to get token selection from the responder. */
 pin = empty_data();
 value = empty_data();
@@ -1115,6 +1110,11 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
 if (retval != 0)
 goto error;
 
+ /* Use FAST armor key as response key. */
+ retval = cb->set_as_key(context, rock, as_key);
+ if (retval != 0)
+ goto error;
+
 /* Encode the request into the pa_data output. */
 retval = set_pa_data(req, pa_data_out);
 error:
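Review bot: In the second hunk the relocated `cb->set_as_key()` still runs before `set_pa_data()`, so if that last call fails the function reaches `error:` with the AS key already replaced by the FAST armor key, which is the condition the commit message sets out to avoid. Making the key replacement the final fallible step would close that window: `retval = set_pa_data(req, pa_data_out);`, `if (retval != 0) goto error;`, then `retval = cb->set_as_key(context, rock, as_key);`. Whether `*pa_data_out` would then need releasing when `set_as_key` fails depends on the cleanup after `error:`, which lies outside the hunk. If the current order is kept, a comment such as `/* A set_pa_data() failure after this point leaves the AS key replaced. */` would record the remaining case. The body of otp_client_process() starts before and continues past the visible lines.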