authorNathaniel McCallum <npmccallum@redhat.com>2016-05-26 16:54:29 -0400
committerTom Yu <tlyu@mit.edu>2016-07-06 15:17:06 -0400
commitc82185d4b62cb943d47f90d93f4e51d0dd184d18 (patch)
treedb37409d34f7f51c1f9685cb237958224a34d67b
parent3132229302a7526b94e8b272086623e981a93249 (diff)
Avoid setting AS key when OTP preauth fails
In otp_client_process(), call cb->set_as_key() later in the function after the OTP request has been created. The previous position of this call caused the AS key to be replaced even when later code in the function failed, preventing other preauth mechanisms from retrieving the correct AS key. (cherry picked from commit 0712d0059d72ddeaf1764f8fa173a321e3bc072d) ticket: 8421 version_fixed: 1.13.6 tags: -pullup status: resolved
-rw-r--r--src/lib/krb5/krb/preauth_otp.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
index d9ddc8b..3de528b 100644
--- a/src/lib/krb5/krb/preauth_otp.c
+++ b/src/lib/krb5/krb/preauth_otp.c
@@ -1081,11 +1081,6 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
if (as_key == NULL)
return ENOENT;
- /* Use FAST armor key as response key. */
- retval = cb->set_as_key(context, rock, as_key);
- if (retval != 0)
- return retval;
-
/* Attempt to get token selection from the responder. */
pin = empty_data();
value = empty_data();
@@ -1115,6 +1110,11 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
if (retval != 0)
goto error;
+ /* Use FAST armor key as response key. */
+ retval = cb->set_as_key(context, rock, as_key);
+ if (retval != 0)
+ goto error;
+
/* Encode the request into the pa_data output. */
retval = set_pa_data(req, pa_data_out);
error:
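Review bot: The relocated `cb->set_as_key(context, rock, as_key)` call still runs before `set_pa_data(req, pa_data_out)`, so a failure while encoding the request returns an error with the AS key already replaced by the FAST armor key. That is the same state this commit sets out to avoid, only in a narrower window, and a fallback preauth mechanism would presumably still see the wrong key in that case. If swapping the two calls is not practical (the cleanup after `error:` is outside this hunk, so whether `pa_data_out` could be released on a late failure is not visible), the remaining window should at least be documented, e.g. `/* Set the AS key as late as possible; only a set_pa_data() failure can still leave it replaced. */`. The body of otp_client_process() begins before and continues after this hunk.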