From a21a20cb6569fa31616d7f4f1efa585cce5f54d4 Mon Sep 17 00:00:00 2001
From: Klas Lindfors
Date: Mon, 13 Jun 2016 09:04:22 +0200
Subject: [PATCH] only process results of OTP check after user is found relates #97
---
 pam_yubico.c | 31 +++++++++++++++----------------
 1 file changed, 15 insertions(+), 16 deletions(-)
diff --git a/pam_yubico.c b/pam_yubico.c
index fa9f943..2688e59 100644
--- a/pam_yubico.c
+++ b/pam_yubico.c
@@ -1040,21 +1040,6 @@ pam_sm_authenticate (pam_handle_t * pamh,
 ykclient_strerror (rc)));
 DBG (("ykclient url used: %s", ykclient_get_last_url(ykc)));
 
- switch (rc)
- {
- case YKCLIENT_OK:
- break;
-
- case YKCLIENT_BAD_OTP:
- case YKCLIENT_REPLAYED_OTP:
- retval = PAM_AUTH_ERR;
- goto done;
-
- default:
- retval = PAM_AUTHINFO_UNAVAIL;
- goto done;
- }
-
 /* authorize the user with supplied token id */
 if (cfg->ldapserver != NULL || cfg->ldap_uri != NULL)
 valid_token = authorize_user_token_ldap (cfg, user, otp_id);
@@ -1064,7 +1049,21 @@ pam_sm_authenticate (pam_handle_t * pamh,
 switch(valid_token)
 {
 case 1:
- retval = PAM_SUCCESS;
+ switch (rc)
+ {
+ case YKCLIENT_OK:
+ retval = PAM_SUCCESS;
+ break;
+
+ case YKCLIENT_BAD_OTP:
+ case YKCLIENT_REPLAYED_OTP:
+ retval = PAM_AUTH_ERR;
+ break;
+
+ default:
+ retval = PAM_AUTHINFO_UNAVAIL;
+ break;
+ }
 break;
 case 0:
 DBG (("Internal error while validating user"));
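Review bot: In the new `case 1:` branch the ykclient verdict in `rc` is the only thing separating a matched token id from `PAM_SUCCESS`, and nothing in the code says so; a comment above the inner switch such as `/* token id belongs to user: only YKCLIENT_OK may yield PAM_SUCCESS, every other rc must fail closed */` would guard against a later edit adding a success path. Because the lookup now runs before `rc` is examined, `authorize_user_token_ldap` (and any non-LDAP lookup sitting between the two hunks) is reached with an `otp_id` taken from an OTP that may have failed validation, so the lookup must tolerate unverified input and the directory will see queries for rejected OTPs. The return code also becomes dependent on the mapping: `PAM_AUTHINFO_UNAVAIL` is now reachable only when the token id matches the user, which is presumably the intent of #97 but is worth stating in the commit message since callers can observe the difference. The remaining `valid_token` cases and the initial value of `retval` lie outside the hunk, so confirm that each of them leaves a non-success value now that the early `goto done` exits are gone.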