Blame SOURCES/krb5-1.14.3-fix_otp_as_key.patch

From 9929130f03f6a7f8a5f1acc23e92a609c8f27938 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Thu, 26 May 2016 16:54:29 -0400
Subject: [PATCH] Avoid setting AS key when OTP preauth fails
In otp_client_process(), call cb->set_as_key() later in the function
after the OTP request has been created.  The previous position of this
call caused the AS key to be replaced even when later code in the
function failed, preventing other preauth mechanisms from retrieving
the correct AS key.
ticket: 8421 (new)
target_version: 1.14-new
target_version: 1.13-new
tags: pullup
---
 src/lib/krb5/krb/preauth_otp.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
8c1676
index d9ddc8b..3de528b 100644
8c1676
--- a/src/lib/krb5/krb/preauth_otp.c
8c1676
+++ b/src/lib/krb5/krb/preauth_otp.c
8c1676
@@ -1081,11 +1081,6 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
8c1676
     if (as_key == NULL)
8c1676
         return ENOENT;
8c1676
 
8c1676
-    /* Use FAST armor key as response key. */
8c1676
-    retval = cb->set_as_key(context, rock, as_key);
8c1676
-    if (retval != 0)
8c1676
-        return retval;
8c1676
-
8c1676
     /* Attempt to get token selection from the responder. */
8c1676
     pin = empty_data();
8c1676
     value = empty_data();
8c1676
@@ -1115,6 +1110,11 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
8c1676
     if (retval != 0)
8c1676
         goto error;
8c1676
 
8c1676
+    /* Use FAST armor key as response key. */
8c1676
+    retval = cb->set_as_key(context, rock, as_key);
8c1676
+    if (retval != 0)
8c1676
+        goto error;
8c1676
+
8c1676
     /* Encode the request into the pa_data output. */
8c1676
     retval = set_pa_data(req, pa_data_out);
8c1676
 error:
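Review bot: The relocated `cb->set_as_key()` call still runs before `set_pa_data(req, pa_data_out)`, so a failure in that final step returns an error with the AS key already replaced by the FAST armor key. That is the same state this commit removes for the earlier failure paths, only in a narrower window. Consider making `set_as_key()` the last fallible step, after `set_pa_data()` succeeds, and releasing `*pa_data_out` if it then fails. The cleanup under `error:` and the rest of `otp_client_process()` lie outside the hunk, so whether that release is already handled cannot be confirmed from here. If the order is kept, the comment should record the constraint, e.g. `/* Use FAST armor key as response key.  Do this only once the request is built: a failure after this point leaves the armor key as the AS key seen by other preauth mechanisms. */`.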
-- 
2.8.1