This prevents synchronization when an authentication collision occurs.

https://fedorahosted.org/freeipa/ticket/4493

NOTE: this patch is related to the above ticket, but does not solve it.
For the solution, please see patch 0064. This behavior fix is from patch
0062 (rescinded) and is worth keeping.
From 4a044ebd32995d6d9792e6e5c5179748b8b7ee90 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccal...@redhat.com>
Date: Fri, 19 Sep 2014 12:18:34 -0400
Subject: [PATCH] Move OTP synchronization step to after counter writeback

This prevents synchronization when an authentication collision occurs.

https://fedorahosted.org/freeipa/ticket/4493
---
 daemons/ipa-slapi-plugins/libotp/libotp.c | 24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/libotp/libotp.c b/daemons/ipa-slapi-plugins/libotp/libotp.c
index 41f9e7b4809fbca82452d260b9aa7d1d3059fd2e..083190c1effe84b62f35ccebef6d3ebeda07be5f 100644
--- a/daemons/ipa-slapi-plugins/libotp/libotp.c
+++ b/daemons/ipa-slapi-plugins/libotp/libotp.c
@@ -208,26 +208,22 @@ static bool validate(struct otptoken *token, time_t now, ssize_t step,
 
         if (*second != tmp)
             return false;
+    }
 
+    /* Write the step value. */
+    if (!writeattr(token, attr, step))
+        return false;
+
+    /* Save our modifications to the object. */
+    switch (token->type) {
+    case OTPTOKEN_TOTP:
         /* Perform optional synchronization steps. */
-        switch (token->type) {
-        case OTPTOKEN_TOTP:
+        if (second != NULL) {
             tmp = (step - now / token->totp.step) * token->totp.step;
             if (!writeattr(token, T("clockOffset"), tmp))
                 return false;
-            break;
-        default:
-            break;
+            token->totp.offset = tmp;
         }
-    }
-
-    /* Write the step value. */
-    if (!writeattr(token, attr, step))
-        return false;
-
-    /* Save our modifications to the object. */
-    switch (token->type) {
-    case OTPTOKEN_TOTP:
         token->totp.watermark = step;
         break;
     case OTPTOKEN_HOTP:
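Review bot: If the `clockOffset` write inside the new `if (second != NULL)` block fails, the function returns false after `writeattr(token, attr, step)` has already succeeded, so the in-memory `token->totp.watermark` is left behind the value that was just stored. Moving `token->totp.watermark = step;` to the top of the `case OTPTOKEN_TOTP:` arm, ahead of the synchronization block, would keep the object consistent with the stored counter on that path; whether callers reuse the token after a failed validation is not visible here. The statement order is the security-relevant part of this change, and nothing in the code says so. A comment above the first `writeattr`, such as `/* Write the step first: if the writeback fails (presumably on a collision), abort before any clock resynchronization. */`, would keep it from being reordered later. The comment `/* Save our modifications to the object. */` also now sits over a switch that performs a directory write, and `validate()` starts and ends outside this hunk.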
-- 
2.1.0
