Handle concat OTP responder case

krb5 · Oct 16, 2012 · aac9c2a · aac9c2a
1 parent 432c3e6
commit aac9c2a
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 8 deletions.
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
@@ -6427,6 +6427,15 @@ krb5_prompter_posix(krb5_context context, void *data, const char *name,
  */
 #define KRB5_RESPONDER_OTP_FLAGS_NEXTOTP       (1 << 2)
 
+/**
+ * This flag indicates that the PIN MUST be returned as a separate item. This
+ * flag only takes effect if KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN is set. If
+ * this flag is not set, the responder may either concatenate PIN + token value
+ * and store it as "value" in the answer or it may return them separately. If
+ * they are returned separately, they will be concatenated internally.
+ */
+#define KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN  (1 << 3)
+
 typedef struct krb5_responder_context_st *krb5_responder_context;
 
 /**

diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
@@ -157,8 +157,11 @@ codec_encode_tokeninfo(krb5_otp_tokeninfo *ti, k5_json_object *out)
         goto error;
 
     flags = KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN;
-    if (ti->flags & KRB5_OTP_FLAG_COLLECT_PIN)
+    if (ti->flags & KRB5_OTP_FLAG_COLLECT_PIN) {
         flags |= KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN;
+        if (ti->flags & KRB5_OTP_FLAG_SEPARATE_PIN)
+            flags |= KRB5_RESPONDER_OTP_FLAGS_NEXTOTP;
+    }
     if (ti->flags & KRB5_OTP_FLAG_NEXTOTP)
         flags |= KRB5_RESPONDER_OTP_FLAGS_NEXTOTP;
 
@@ -642,16 +645,16 @@ make_request(krb5_context ctx, krb5_otp_tokeninfo *ti, const krb5_data *value,
         goto error;
 
     if (ti->flags & KRB5_OTP_FLAG_COLLECT_PIN) {
-        if (pin == NULL || pin->data == NULL) {
-            retval = EINVAL; /* No pin found! */
-            goto error;
-        }
-
         if (ti->flags & KRB5_OTP_FLAG_SEPARATE_PIN) {
+            if (pin == NULL || pin->data == NULL) {
+                retval = EINVAL; /* No pin found! */
+                goto error;
+            }
+
             retval = krb5int_copy_data_contents(ctx, pin, &req->pin);
             if (retval != 0)
                 goto error;
-        } else {
+        } else if (pin != NULL && pin->data != NULL) {
             krb5_free_data_contents(ctx, &req->otp_value);
             retval = asprintf(&req->otp_value.data, "%.*s%.*s",
                               pin->length, pin->data,
@@ -662,7 +665,7 @@ make_request(krb5_context ctx, krb5_otp_tokeninfo *ti, const krb5_data *value,
                 goto error;
             }
             req->otp_value.length = req->pin.length + req->otp_value.length;
-        }
+        } /* Otherwise, the responder has already combined them. */
     }
 
     *out_req = req;