diff options
Diffstat (limited to 'src/lib/gssapi/krb5/init_sec_context.c')
-rw-r--r-- | src/lib/gssapi/krb5/init_sec_context.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 13a971ffa6..acac47184b 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -77,6 +77,10 @@ #include <stdlib.h> #include <assert.h> +/* + * $Id$ + */ + /* XXX This is for debugging only!!! Should become a real bitfield at some point */ int krb5_gss_dbg_client_expcreds = 0; @@ -109,11 +113,25 @@ static krb5_error_code get_credentials(context, cred, server, now, in_creds.keyblock.enctype = 0; + /* + * Initial iteration is necessary to catch a non-matching + * credential prior to looping through the GSSAPI-supported + * enctypes, since an enctype mismatch in the loop below will + * return KRB5_CC_NOTFOUND rather than one of the other error + * codes. + */ + code = krb5_get_credentials(context, 0, cred->ccache, + &in_creds, out_creds); + if (code) + goto cleanup; + krb5_free_creds(context, *out_creds); + *out_creds = NULL; for (i = 0; enctypes[i]; i++) { in_creds.keyblock.enctype = enctypes[i]; code = krb5_get_credentials(context, 0, cred->ccache, &in_creds, out_creds); - if (code != KRB5_CC_NOT_KTYPE && code != KRB5KDC_ERR_ETYPE_NOSUPP) + if (code != KRB5_CC_NOT_KTYPE && code != KRB5_CC_NOTFOUND + && code != KRB5KDC_ERR_ETYPE_NOSUPP) break; } if (enctypes[i] == 0) { |