From 0fe0be9980d0e81696f477965f2eb873bd36b335 Mon Sep 17 00:00:00 2001
From: Fredrik Thulin
Date: Thu, 14 Jun 2012 13:30:04 +0200
Subject: [PATCH] Restore responding BAD_OTP if YubiKey is disabled.

It seems that we might get into problems if responding OK - the other sync client validation server would think we approved of the OTP.
---
 ykval-sync.php | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/ykval-sync.php b/ykval-sync.php
index ddf40fe..c94f9e7 100644
--- a/ykval-sync.php
+++ b/ykval-sync.php
@@ -116,15 +116,6 @@ if (!$localParams) {
 exit;
 }
-if ($localParams['active'] != 1) {
- /* The remote server has accepted an OTP from a YubiKey which we would not. We update our
- * counters
- */
- $myLog->log(LOG_WARNING, 'Received sync-request for de-activated Yubikey ' . $yk_publicname .
- ' - check database synchronization!!!');
-}
-
-
 /* Conditional update local database */
 $sync->updateDbCounters($syncParams);
@@ -169,7 +160,15 @@ if ($sync->countersEqual($localParams, $syncParams)) {
 }
 }
-
+if ($localParams['active'] != 1) {
+ /* The remote server has accepted an OTP from a YubiKey which we would not.
+ * We still needed to update our counters with the counters from the OTP though.
+ */
+ $myLog->log(LOG_WARNING, 'Received sync-request for de-activated Yubikey ' . $yk_publicname .
+ ' - check database synchronization!!!');
+ sendResp(S_BAD_OTP, $apiKey);
+ exit;
+}
 $extra=array('modified'=>$localParams['modified'], 'nonce'=>$localParams['nonce'],
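Review bot: The comment in the re-added `if ($localParams['active'] != 1)` block explains why the counters are updated first but not why the reply is `S_BAD_OTP`, which is the security-relevant part: per the commit message, an OK reply would let the requesting validation server believe this server approved the OTP. I would add a comment line such as `* Respond S_BAD_OTP so the requesting server cannot count this sync as our approval of the OTP.` The rejection only holds if nothing between `updateDbCounters()` and this block sends a response or exits first; most of that code lies outside the hunk, so it is worth confirming. The loose `!= 1` comparison treats a missing or null `active` value as disabled, which fails closed and should stay that way if the comparison is ever tightened.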