authorTom Yu <tlyu@mit.edu>2003-03-28 22:51:33 +0000
committerTom Yu <tlyu@mit.edu>2003-03-28 22:51:33 +0000
commit9f768cc829bcd17a153a4e8a7068b7deb22f8382 (patch)
treedf61b1c6f476ff3a1b2bb069019f6e7771d47662 /src/kdc/kdc_preauth.c
parent5116aa0418bb0d3f072a8cca5361503ebde44963 (diff)
* kdc_preauth.c (verify_enc_timestamp): Save decryption error, in
case we get NO_MATCHING_KEY later. This allows us to log a more sane error if an incorrect password is used for encrypting the enc-timestamp preauth. ticket: 1324 status: open target_version: 1.3 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15306 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc/kdc_preauth.c')
-rw-r--r--src/kdc/kdc_preauth.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 4747f27de..f5c1e121a 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -457,7 +457,8 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
krb5_key_data * client_key;
krb5_int32 start;
krb5_timestamp timenow;
-
+ krb5_error_code decrypt_err;
+
scratch.data = pa->contents;
scratch.length = pa->length;
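Review bot: `decrypt_err` is declared without an initializer here and is only set to 0 in the next hunk, after at least one `goto cleanup` (the context line just above `start = 0;`). The new test at `cleanup:` reads it whenever retval is KRB5_KDB_NO_MATCHING_KEY, so an early exit carrying that code would read an indeterminate value. The short-circuit makes this unlikely in practice, but it depends on no earlier call ever returning that code. Initialising at the declaration, `krb5_error_code decrypt_err = 0;`, removes the dependency on statement order and makes the separate `decrypt_err = 0;` unnecessary. The function body starts and ends outside this hunk.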
@@ -471,6 +472,7 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
goto cleanup;
start = 0;
+ decrypt_err = 0;
while (1) {
if ((retval = krb5_dbe_search_enctype(context, client,
&start, enc_data->enctype,
@@ -488,6 +490,8 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
krb5_free_keyblock_contents(context, &key);
if (retval == 0)
break;
+ else
+ decrypt_err = retval;
}
if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
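Review bot: The `else` after `break` is redundant, and the assignment has no comment saying that only the most recent failure is kept. With several keys of the same enctype, the code that is eventually reported is whichever decryption failed last, which may not be the most informative one. I would write it as a plain `decrypt_err = retval;` after the `if`, with a comment such as `/* remember the latest decrypt failure; reported if no further key matches */`. The loop begins in the previous hunk, and the decrypt call itself is outside the visible lines.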
@@ -513,6 +517,14 @@ cleanup:
krb5_free_data_contents(context, &enc_ts_data);
if (pa_enc)
free(pa_enc);
+ /*
+ * If we get NO_MATCHING_KEY and decryption previously failed, and
+ * we failed to find any other keys of the correct enctype after
+ * that failed decryption, it probably means that the password was
+ * incorrect.
+ */
+ if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
+ retval = decrypt_err;
return retval;
}
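Review bot: The substitution at `cleanup:` runs on every exit path, not only when the key search runs out of candidates, and `decrypt_err` is never cleared when a later key decrypts successfully. If any step after the loop returned KRB5_KDB_NO_MATCHING_KEY, it would be replaced by a stale decryption error from an earlier key; whether a later call can return that code is not visible in these hunks. Keeping the swap tied to the case the comment describes is safer: either do it where krb5_dbe_search_enctype fails, or add `decrypt_err = 0;` before the `break` in the loop. Since the stated purpose is a more accurate log entry for wrong-password preauth, the comment should also say that the returned code is what the caller logs, so that monitoring for repeated failures is not built on a code that can be masked.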