From: Sam Hartman <hartmans@mit.edu>
Date: Mon, 12 Jan 2009 19:43:07 +0000 (+0000)
Subject: Restore behavior of returning KRB5APP_ERR_BAD_INTEGRITY from
X-Git-Tag: krb5-1.7-alpha1~85
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=c48565831ee3714ee816d5aa9e083ea3fcff403d;p=krb5.git

Restore behavior of returning KRB5APP_ERR_BAD_INTEGRITY from
preauth methods.
This creates a problem for Windows clients, but not doing it creates a problem for MIT clients.
Today our KDC is more likely to be used with MIT clients, but we need to examine this issues in more detail.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21725 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 8ea296940..6ec156440 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1156,6 +1156,7 @@ check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
      */
     switch(retval) {
     case 0: /* in case of PA-PAC-REQUEST with no PA-ENC-TIMESTAMP */
+    case KRB5KRB_AP_ERR_BAD_INTEGRITY:
     case KRB5KRB_AP_ERR_SKEW:
     case KRB5KDC_ERR_ETYPE_NOSUPP:
     /* rfc 4556 */
@@ -1179,7 +1180,6 @@ check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
     /* This value is shared with KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. */
     /* case KRB5KDC_ERR_KEY_TOO_WEAK: */
 	return retval;
-    case KRB5KRB_AP_ERR_BAD_INTEGRITY:
     default:
 	return KRB5KDC_ERR_PREAUTH_FAILED;
     }