From 2071c0a5a05b11d72a345d4b66562fc069ba438c Mon Sep 17 00:00:00 2001
From: Simon Josefsson
Date: Wed, 18 Mar 2009 14:39:32 +0000
Subject: [PATCH] Sanity check OTP before asking KSM, to get a better error code.
---
 verify.php | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/verify.php b/verify.php
index 9077c7f..0f4afaa 100644
--- a/verify.php
+++ b/verify.php
@@ -15,6 +15,8 @@ mysql_select_db($baseParams['__DB_NAME__'], $conn)
 //// Extract values from HTTP request
 //
+$h = getHttpVal('h', '');
+
 $client = getHttpVal('id', 0);
 if ($client <= 0) {
 debug('Client ID is missing');
@@ -43,7 +45,6 @@ debug($cd);
 //// Check client signature
 //
 $apiKey = base64_decode($cd['secret']);
-$h = getHttpVal('h', '');
 if ($cd['chk_sig'] && $h == '') {
 debug('Signature missing');
@@ -64,6 +65,14 @@ if ($cd['chk_sig'] && $h == '') {
 }
 }
+//// Sanity check OTP
+//
+if (strlen($otp) <= TOKEN_LEN) {
+debug('Too short OTP: ' . $otp);
+sendResp(S_BAD_OTP);
+exit;
+}
+
 //// Decode OTP from input
 //
 $otpinfo = decryptOTP($otp, $baseParams['__YKKMS_URL__']);
@@ -75,12 +84,6 @@ debug($otpinfo);
 //// Get Yubikey from DB
 //
-if (strlen($otp) <= TOKEN_LEN) {
-debug('Too short OTP: ' . $otp);
-sendResp(S_BAD_OTP);
-exit;
-}
-
 $devId = substr($otp, 0, strlen ($otp) - TOKEN_LEN);
 $ad = getAuthData($conn, $devId);
 if (!is_array($ad)) {
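Review bot: The relocated sanity check in the third hunk only rejects OTPs that are too short, so an over-long OTP or one containing characters outside the modhex alphabet still reaches decryptOTP() and the KSM before any local error code is produced, which is the case the commit message says it wants to catch here. Since $devId is later cut with `substr($otp, 0, strlen($otp) - TOKEN_LEN)`, a cheap character-set check at the same spot would keep malformed input from being forwarded at all, e.g. `if (strlen($otp) <= TOKEN_LEN || !preg_match('/^[cbdefghijklnrtuv]+$/', $otp)) {`, with an upper length bound added if the expected maximum is known where TOKEN_LEN is defined (outside this hunk). The debug() call also writes the raw request value into the log; reporting only its length, `debug('Too short OTP, length ' . strlen($otp));`, avoids echoing unvalidated input. $otp itself is read outside these hunks, presumably via getHttpVal() like $h, so the check assumes it is already a string.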