From 9f768cc829bcd17a153a4e8a7068b7deb22f8382 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Fri, 28 Mar 2003 22:51:33 +0000 Subject: [PATCH] * kdc_preauth.c (verify_enc_timestamp): Save decryption error, in case we get NO_MATCHING_KEY later. This allows us to log a more sane error if an incorrect password is used for encrypting the enc-timestamp preauth. ticket: 1324 status: open target_version: 1.3 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15306 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kdc/ChangeLog | 7 +++++++ src/kdc/kdc_preauth.c | 14 +++++++++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index 040281988..29bec03c5 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,3 +1,10 @@ +2003-03-28 Tom Yu + + * kdc_preauth.c (verify_enc_timestamp): Save decryption error, in + case we get NO_MATCHING_KEY later. This allows us to log a more + sane error if an incorrect password is used for encrypting the + enc-timestamp preauth. + 2003-03-16 Sam Hartman * main.c (initialize_realms): Add support to call diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 4747f27de..f5c1e121a 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -457,7 +457,8 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client, krb5_key_data * client_key; krb5_int32 start; krb5_timestamp timenow; - + krb5_error_code decrypt_err; + scratch.data = pa->contents; scratch.length = pa->length; @@ -471,6 +472,7 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client, goto cleanup; start = 0; + decrypt_err = 0; while (1) { if ((retval = krb5_dbe_search_enctype(context, client, &start, enc_data->enctype, @@ -488,6 +490,8 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client, krb5_free_keyblock_contents(context, &key); if (retval == 0) break; + else + decrypt_err = retval; } if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0) 
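Review bot: `decrypt_err` is declared without an initializer in the first kdc_preauth.c hunk and is only set to 0 just before the `while (1)` loop in the second, yet the `cleanup:` hunk reads it and a `goto cleanup;` is visible ahead of that assignment. The short-circuit on `retval == KRB5_KDB_NO_MATCHING_KEY` makes a read of the indeterminate value unlikely on those early exits, but that depends on what the earlier calls can return, which these hunks do not show. Initializing at the declaration, `krb5_error_code decrypt_err = 0;`, removes that dependency and makes the separate `decrypt_err = 0;` unnecessary. In the loop hunk the `else` after `break;` is redundant, so a plain `decrypt_err = retval;` would read more directly. verify_enc_timestamp begins and ends outside these hunks.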
@@ -513,6 +517,14 @@ cleanup: krb5_free_data_contents(context, &enc_ts_data); if (pa_enc) free(pa_enc); + /* + * If we get NO_MATCHING_KEY and decryption previously failed, and + * we failed to find any other keys of the correct enctype after + * that failed decryption, it probably means that the password was + * incorrect. + */ + if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0) + retval = decrypt_err; return retval; } -- 2.26.2
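Review bot: The remap at `cleanup:` changes which error code verify_enc_timestamp returns for a wrong password, and the new comment explains why but not what this means for callers. Since the stated aim is a more sensible log entry, the comment could add something like `/* Callers now see the decryption error instead of KRB5_KDB_NO_MATCHING_KEY; the reply to the client should remain the generic preauth failure. */`. It is also worth confirming that the caller, which is not visible here, still maps this code to the same client-facing error, so that only the KDC log gains the extra detail. Repeated entries of this kind for one principal are what an operator would look for when checking for password guessing, so a stable, distinct code in the log is worth keeping. The function starts outside the hunk.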