* gic_pwd.c (krb5_get_as_key_password): If the as_key enctype is already set to

the correct type, do continue and ask for the password anyways.  (Patch from
Chas Williams, PR krb5-libs/730.)

* preauth2.c (pa_sam): If no sam_flags were set, return KRB5_PREAUTH_BAD_TYPE,
because we don't currently handle that case.

* preauth2.c (pa_sam): Remove unused variable use_sam_key.
(SAMDATA): Cast first result to int, which is what sprintf needs.
(pa_salt): Delete unused variable ret.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12012 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 11 insertions, 8 deletions

diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
index 1706bce23f..c2ee423cc0 100644
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -22,16 +22,19 @@ krb5_get_as_key_password(context, client, etype, prompter, prompter_data,
 
     password = (krb5_data *) gak_data;
 
-    /* if there's already a key of the correct etype, we're done.
-       if the etype is wrong, free the existing key, and make
-       a new one. */
+    /* If there's already a key of the correct etype, we're done.
+       If the etype is wrong, free the existing key, and make
+       a new one.
 
-    if (as_key->length) {
-	if (as_key->enctype == etype)
-	    return(0);
+       XXX This was the old behavior, and was wrong in hw preauth
+       cases.  Is this new behavior -- always asking -- correct in all
+       cases?  */
 
-	krb5_free_keyblock_contents(context, as_key);
-	as_key->length = 0;
+    if (as_key->length) {
+	if (as_key->enctype != etype) {
+	    krb5_free_keyblock_contents (context, as_key);
+	    as_key->length = 0;
+	}
     }
 
     if (password->data[0] == '\0') {