From 9929130f03f6a7f8a5f1acc23e92a609c8f27938 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Thu, 26 May 2016 16:54:29 -0400
Subject: [PATCH] Avoid setting AS key when OTP preauth fails

In otp_client_process(), call cb->set_as_key() later in the function after the OTP request has been created. The previous position of this call caused the AS key to be replaced even when later code in the function failed, preventing other preauth mechanisms from retrieving the correct AS key.

ticket: 8421 (new)
target_version: 1.14-new
target_version: 1.13-new
tags: pullup
---
 src/lib/krb5/krb/preauth_otp.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
index d9ddc8b..3de528b 100644
--- a/src/lib/krb5/krb/preauth_otp.c
+++ b/src/lib/krb5/krb/preauth_otp.c
@@ -1081,11 +1081,6 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
 if (as_key == NULL)
 return ENOENT;
 
- /* Use FAST armor key as response key. */
- retval = cb->set_as_key(context, rock, as_key);
- if (retval != 0)
- return retval;
-
 /* Attempt to get token selection from the responder. */
 pin = empty_data();
 value = empty_data();
@@ -1115,6 +1110,11 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
 if (retval != 0)
 goto error;
 
+ /* Use FAST armor key as response key. */
+ retval = cb->set_as_key(context, rock, as_key);
+ if (retval != 0)
+ goto error;
+
 /* Encode the request into the pa_data output. */
 retval = set_pa_data(req, pa_data_out);
 error:
-- 
2.8.1
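Review bot: In the second hunk `retval = set_pa_data(req, pa_data_out);` still runs after `cb->set_as_key(context, rock, as_key)`, so a failure while encoding the request leaves the AS key already replaced by the FAST armor key. That is the same state the commit message says prevents other preauth mechanisms from retrieving the correct key, just with a narrower window. Consider making the key update the last fallible step: call `set_pa_data()` first and `cb->set_as_key()` only once it returns 0, releasing `*pa_data_out` if the key update then fails. If the current order is kept, a comment such as `/* Set the AS key as late as possible; only set_pa_data() can still fail after this. */` would record the remaining case. The `error:` cleanup lies outside the hunk, so whether it already frees the encoded output cannot be confirmed from here.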