[29420] in CVS-changelog-for-Kerberos-V5

krb5 commit: Avoid setting AS key when OTP preauth fails

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu May 26 18:24:48 2016

Date: Thu, 26 May 2016 18:24:42 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201605262224.u4QMOgqA012947@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu

https://github.com/krb5/krb5/commit/0712d0059d72ddeaf1764f8fa173a321e3bc072d
commit 0712d0059d72ddeaf1764f8fa173a321e3bc072d
Author: Nathaniel McCallum <npmccallum@redhat.com>
Date:   Thu May 26 16:54:29 2016 -0400

    Avoid setting AS key when OTP preauth fails
    
    In otp_client_process(), call cb->set_as_key() later in the function
    after the OTP request has been created.  The previous position of this
    call caused the AS key to be replaced even when later code in the
    function failed, preventing other preauth mechanisms from retrieving
    the correct AS key.
    
    ticket: 8421 (new)
    target_version: 1.14-new
    target_version: 1.13-new
    tags: pullup

 src/lib/krb5/krb/preauth_otp.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
index d9ddc8b..3de528b 100644
--- a/src/lib/krb5/krb/preauth_otp.c
+++ b/src/lib/krb5/krb/preauth_otp.c
@@ -1081,11 +1081,6 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
     if (as_key == NULL)
         return ENOENT;
 
-    /* Use FAST armor key as response key. */
-    retval = cb->set_as_key(context, rock, as_key);
-    if (retval != 0)
-        return retval;
-
     /* Attempt to get token selection from the responder. */
     pin = empty_data();
     value = empty_data();
@@ -1115,6 +1110,11 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
     if (retval != 0)
         goto error;
 
+    /* Use FAST armor key as response key. */
+    retval = cb->set_as_key(context, rock, as_key);
+    if (retval != 0)
+        goto error;
+
     /* Encode the request into the pa_data output. */
     retval = set_pa_data(req, pa_data_out);
 error:
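
Review bot: In the second hunk, cb->set_as_key() still runs before set_pa_data(req, pa_data_out), so if set_pa_data() fails the AS key has already been replaced, which is the failure mode the commit message sets out to avoid. Consider encoding into pa_data_out first and calling cb->set_as_key() only once nothing else in the function can fail, or confirm that a set_pa_data() failure at this point cannot be followed by another preauth mechanism needing the original key. The comment above the call could also say why its position matters, so that a later reordering does not bring the problem back.
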