From: Greg Hudson
Date: Tue, 27 Apr 2010 09:36:28 +0000 (+0000)
Subject: If IAKERB is used with no TGT, return KRB5_CC_NOTFOUND instead of
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d4c2346afcaebdd284f9cf491121d742bbd80c97;p=thirdparty%2Fkrb5.git

If IAKERB is used with no TGT, return KRB5_CC_NOTFOUND instead of going fruitlessly into the AS code path and returning EINVAL. Also better handle the case where service credentials exist but are of an unsupported enctype. Make a note that we aren't as consistent as we would like to be in the case where the TGT exists but has expired.

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/iakerb@23948 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
index 3ae4f3bb2a..ad98dad6e3 100644
--- a/src/lib/gssapi/krb5/iakerb.c
+++ b/src/lib/gssapi/krb5/iakerb.c
@@ -707,7 +707,7 @@ iakerb_get_initial_state(iakerb_ctx_id_t ctx,
 code = krb5_get_credentials(ctx->k5c, KRB5_GC_CACHED, cred->ccache, &in_creds, &out_creds);
- if (code == KRB5_CC_NOTFOUND) {
+ if (code == KRB5_CC_NOTFOUND || code == KRB5_CC_NOT_KTYPE) {
 krb5_principal tgs;
 krb5_data *realm = krb5_princ_realm(ctx->k5c, in_creds.client);
@@ -726,10 +726,14 @@ iakerb_get_initial_state(iakerb_ctx_id_t ctx,
 in_creds.server = tgs;
+ /* It would be nice if we could return KRB5KRB_AP_ERR_TKT_EXPIRED if * the TGT is expired, for consistency with the krb5 mech. As it * stands, we won't see the expired TGT and will return * KRB5_CC_NOTFOUND. */
 code = krb5_get_credentials(ctx->k5c, KRB5_GC_CACHED, cred->ccache, &in_creds, &out_creds);
- if (code == KRB5_CC_NOTFOUND) {
+ if (code == KRB5_CC_NOTFOUND && cred->password.data != NULL) {
 *state = IAKERB_AS_REQ;
 code = 0;
 } else if (code == 0) {
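Review bot: The widened condition on the changed `if` line treats a cached service ticket of an unsupported enctype exactly like a missing one, but nothing in the code says why, so the next reader has to dig the intent out of the commit message; a one-line comment on the new line would carry it: `/* A cached service ticket we cannot use (unsupported enctype) is as good as none; fall back to the TGT and re-request it. */`. Note also that `code` is overwritten by the TGT lookup in the next hunk, so the KRB5_CC_NOT_KTYPE result never reaches the caller — if no TGT is cached either, the error reported describes the TGT lookup, not the unusable service ticket, which is worth stating in that comment if it is intended. The body of iakerb_get_initial_state starts before this hunk and continues after it.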
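Review bot: The new condition on the changed `if` line routes the no-TGT case to the AS exchange only for KRB5_CC_NOTFOUND, so a KRB5_CC_NOT_KTYPE result from this lookup (a cached TGT of an enctype this build cannot use) falls through to the error path even when a password is available, which is asymmetric with the service-ticket lookup in the previous hunk that now treats NOT_KTYPE like NOTFOUND; if an AS exchange is the intended recovery there as well, `if ((code == KRB5_CC_NOTFOUND || code == KRB5_CC_NOT_KTYPE) && cred->password.data != NULL) {` would make the two lookups agree. The check is on `cred->password.data != NULL` rather than on `length`, so a zero-length password stored behind a non-NULL pointer would still select IAKERB_AS_REQ — how `password` is populated when the credential is acquired is not visible here, so confirm that is the intended contract. The added comment about the expired-TGT inconsistency is useful; tagging it (`/* XXX It would be nice ...`) would make the known gap easier to find later. iakerb_get_initial_state continues past the end of this hunk.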