* kdc_preauth.c (verify_enc_timestamp): Save decryption error, in

author Tom Yu <tlyu@mit.edu>

Fri, 28 Mar 2003 22:51:33 +0000 (22:51 +0000)

committer Tom Yu <tlyu@mit.edu>

Fri, 28 Mar 2003 22:51:33 +0000 (22:51 +0000)
author Tom Yu <tlyu@mit.edu>
Fri, 28 Mar 2003 22:51:33 +0000 (22:51 +0000)
committer Tom Yu <tlyu@mit.edu>
Fri, 28 Mar 2003 22:51:33 +0000 (22:51 +0000)
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog

index 040281988c8f31b663693e11b75e1deb4b63d484..29bec03c5c945821c62b1dfa76bdd9bdfdddd6eb 100644 (file)
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,10 @@
+2003-03-28  Tom Yu  <tlyu@mit.edu>
+
+       * kdc_preauth.c (verify_enc_timestamp): Save decryption error, in
+       case we get NO_MATCHING_KEY later.  This allows us to log a more
+       sane error if an incorrect password is used for encrypting the
+       enc-timestamp preauth.
+
  2003-03-16  Sam Hartman  <hartmans@mit.edu>
  
         * main.c (initialize_realms): Add support to call
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c

index 4747f27deb1ac66f4ea47898cfd8b4568b52f360..f5c1e121ab9941b601714c76aa4c46d97e0ce539 100644 (file)
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -457,7 +457,8 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
      krb5_key_data *            client_key;
      krb5_int32                 start;
      krb5_timestamp             timenow;
-    
+    krb5_error_code            decrypt_err;
+
      scratch.data = pa->contents;
      scratch.length = pa->length;
  
@@ -471,6 +472,7 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
         goto cleanup;
  
      start = 0;
+    decrypt_err = 0;
      while (1) {
         if ((retval = krb5_dbe_search_enctype(context, client,
                                               &start, enc_data->enctype,
@@ -488,6 +490,8 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
         krb5_free_keyblock_contents(context, &key);
         if (retval == 0)
             break;
+       else
+           decrypt_err = retval;
      }
  
      if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
@@ -513,6 +517,14 @@ cleanup:
      krb5_free_data_contents(context, &enc_ts_data);
      if (pa_enc)
         free(pa_enc);
+    /*
+     * If we get NO_MATCHING_KEY and decryption previously failed, and
+     * we failed to find any other keys of the correct enctype after
+     * that failed decryption, it probably means that the password was
+     * incorrect.
+     */
+    if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
+       retval = decrypt_err;
      return retval;
  }
author	Tom Yu <tlyu@mit.edu>
	Fri, 28 Mar 2003 22:51:33 +0000 (22:51 +0000)
committer	Tom Yu <tlyu@mit.edu>
	Fri, 28 Mar 2003 22:51:33 +0000 (22:51 +0000)
src/kdc/ChangeLog		patch \| blob \| history
src/kdc/kdc_preauth.c		patch \| blob \| history