From: Greg Hudson Date: Wed, 17 Jul 2013 16:14:13 +0000 (-0400) Subject: Fix OTP KDC module get_string error handling X-Git-Tag: krb5-1.12-alpha1~98 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=acb490bd01235511294ecb6b23750e648e48f7dc;p=thirdparty%2Fkrb5.git Fix OTP KDC module get_string error handling If cb->get_string returns 0 with no result in otp_edata, make sure we set retval to avoid sending an empty OTP hint. If cb->get_string returns an error code in otp_verify, avoid masking that code.
---
diff --git a/src/plugins/preauth/otp/main.c b/src/plugins/preauth/otp/main.c
index 2f7470e114..bf9c6a89f6 100644
--- a/src/plugins/preauth/otp/main.c
+++ b/src/plugins/preauth/otp/main.c
@@ -204,7 +204,9 @@ otp_edata(krb5_context context, krb5_kdc_req *request,
 /* Determine if otp is enabled for the user. */
 retval = cb->get_string(context, rock, "otp", &config);
- if (retval != 0 || config == NULL)
+ if (retval == 0 && config == NULL)
+ retval = ENOENT;
+ if (retval != 0)
 goto out;
 cb->free_string(context, rock, config);
@@ -305,7 +307,7 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
 /* Get the principal's OTP configuration string. */
 retval = cb->get_string(context, rock, "otp", &config);
- if (config == NULL)
+ if (retval == 0 && config == NULL)
 retval = KRB5_PREAUTH_FAILED;
 if (retval != 0) {
 free(rs);
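Review bot: In the otp_edata hunk, the new `retval = ENOENT;` line carries no comment explaining why a successful lookup with a NULL string becomes an error, and the otp_verify hunk maps the same condition to `KRB5_PREAUTH_FAILED` instead. A short comment above the check would make the intent explicit, for example `/* No "otp" string means OTP is not enabled for this principal; fail so no hint is sent. */`. ENOENT also needs `<errno.h>` in scope, which is not visible in this hunk. The body of otp_edata starts and ends outside the hunk.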
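Review bot: In the otp_verify hunk, an error returned by `cb->get_string` now reaches the `if (retval != 0) {` branch unchanged, and nothing at the check says that only a missing string is meant to be reported as a preauth failure. I would add a comment above the `if (retval == 0 && config == NULL)` line, such as `/* A lookup error is passed through as-is; only an absent "otp" string is KRB5_PREAUTH_FAILED. */`. How the propagated code is logged and what the client receives for it is decided in the error branch, which continues outside the hunk. It is worth confirming there that a backend failure stays distinguishable in the KDC log from a principal without OTP configured.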