| author | Nathaniel McCallum <npmccallum@redhat.com> | 2014-09-19 12:18:34 -0400 |
|---|---|---|
| committer | Petr Viktorin <pviktori@redhat.com> | 2014-09-30 16:19:06 +0200 |
| commit | 915837c14af5f0839d1d08683ea8332334e284ba (patch) | |
| tree | 691f34c7a649413fdbe37e35c587ecd5ccc661d6 /daemons/ipa-slapi-plugins | |
| parent | 9ba33971fad5ec3b6fb5445669228b0ea9a89ec5 (diff) | |
Move OTP synchronization step to after counter writeback
This prevents synchronization when an authentication collision occurs.
https://fedorahosted.org/freeipa/ticket/4493
Reviewed-By: Thierry bordaz (tbordaz) <tbordaz@redhat.com>
Diffstat (limited to 'daemons/ipa-slapi-plugins')
| -rw-r--r-- | daemons/ipa-slapi-plugins/libotp/libotp.c | 18 |
1 files changed, 7 insertions, 11 deletions
diff --git a/daemons/ipa-slapi-plugins/libotp/libotp.c b/daemons/ipa-slapi-plugins/libotp/libotp.c
index 870e2415f..c65aef043 100644
--- a/daemons/ipa-slapi-plugins/libotp/libotp.c
+++ b/daemons/ipa-slapi-plugins/libotp/libotp.c
@@ -202,17 +202,6 @@ static bool validate(struct otptoken *token, time_t now, ssize_t step,
 if (*second != tmp)
 return false;
-
- /* Perform optional synchronization steps. */
- switch (token->type) {
- case OTPTOKEN_TOTP:
- tmp = (step - now / token->totp.step) * token->totp.step;
- if (!writeattr(token, T("clockOffset"), tmp))
- return false;
- break;
- default:
- break;
- }
 }
 /* Write the step value. */
@@ -222,6 +211,13 @@ static bool validate(struct otptoken *token, time_t now, ssize_t step,
 /* Save our modifications to the object. */
 switch (token->type) {
 case OTPTOKEN_TOTP:
+ /* Perform optional synchronization steps. */
+ if (second != NULL) {
+ tmp = (step - now / token->totp.step) * token->totp.step;
+ if (!writeattr(token, T("clockOffset"), tmp))
+ return false;
+ token->totp.offset = tmp;
+ }
 token->totp.watermark = step;
 break;
 case OTPTOKEN_HOTP: |
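Review bot: In the added `if (second != NULL)` block of the second hunk, `tmp` is reused for the clock offset even though the first hunk compares it with `*second`, so it appears to be the variable that holds an OTP code. Its declaration is outside the hunk, but if it is unsigned, a token whose clock runs behind the server would produce a negative offset that wraps before it reaches `writeattr` and `token->totp.offset`. A dedicated signed local would remove the doubt, e.g. `long long off = (step - now / token->totp.step) * token->totp.step;` (type chosen to match what `writeattr` accepts), and the division also relies on `token->totp.step` having been checked as non-zero when the token was loaded. Since the ordering is the security-relevant part of this change, the comment could say so: `/* Synchronize only after the counter write succeeded, so a colliding authentication cannot shift clockOffset. */`. validate() starts and ends outside the hunk.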
