Look for the correct Yubikey-Counter attribute in the control list

broken in ccced61
FreeRADIUS · Apr 11, 2018 · bda93c2 · bda93c2
1 parent 47d3670
commit bda93c2
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/doc/ChangeLog b/doc/ChangeLog
@@ -48,6 +48,8 @@ FreeRADIUS 3.0.17 Thu 11 Jan 2018 12:00:00 EST urgency=low
 	  Intermediate certs which are not self-signed will now be
 	  checked.
 	* sqlippool now returns "fail" if it fails IP allocation.
+	* Fix rlm_yubikey to look for correct attribute in replay
+	  attack check.
 
 FreeRADIUS 3.0.16 Thu 11 Jan 2018 12:00:00 EST urgency=low
 	Feature improvements

diff --git a/src/modules/rlm_yubikey/decrypt.c b/src/modules/rlm_yubikey/decrypt.c
@@ -23,6 +23,7 @@ rlm_rcode_t rlm_yubikey_decrypt(rlm_yubikey_t *inst, REQUEST *request, char cons
 	yubikey_token_st token;
 
 	DICT_ATTR const *da;
+	DICT_ATTR const *yubikey_counter_da;
 
 	char private_id[(YUBIKEY_UID_SIZE * 2) + 1];
 	VALUE_PAIR *key, *vp;
@@ -114,13 +115,14 @@ rlm_rcode_t rlm_yubikey_decrypt(rlm_yubikey_t *inst, REQUEST *request, char cons
 
 		return RLM_MODULE_FAIL;
 	}
+	yubikey_counter_da = vp->da;
 	vp->vp_integer = counter;
 	vp->vp_length = 4;
 
 	/*
 	 *	Now we check for replay attacks
 	 */
-	vp = fr_pair_find_by_da(request->config, da, TAG_ANY);
+	vp = fr_pair_find_by_da(request->config, yubikey_counter_da, TAG_ANY);
 	if (!vp) {
 		RWDEBUG("Yubikey-Counter not found in control list, skipping replay attack checks");
 		return RLM_MODULE_OK;