HEIMDAL:lib/krb5: let krb5_rd_req_ctx() fallback only on KRB5KRB_AP_ERR_BAD_INTEGRITY
author Stefan Metzmacher <metze@samba.org>
Sat, 20 Jul 2019 10:15:04 +0000 (10:15 +0000)
committer Stefan Metzmacher <metze@samba.org>
Fri, 9 Feb 2024 17:31:21 +0000 (18:31 +0100)
This avoids hiding a real error like KRB5KRB_AP_ERR_ILL_CR_TKT.

We only want to retry with the next key if the decryption
failed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125

Signed-off-by: Stefan Metzmacher <metze@samba.org>
third_party/heimdal/lib/krb5/rd_req.c

index 2dd359c85b6b2b8eeef69081592f23824aa2d664..cb0cdb209cf2f2753da390e31405f3bfe3945dfe 100644 (file)
@@ -1029,10 +1029,15 @@ krb5_rd_req_ctx(krb5_context context,
                                      &o->ap_req_options,
                                      &o->ticket,
                                      KRB5_KU_AP_REQ_AUTH);
-           if (ret) {
+           if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
+               /* failed to decrypt, try the next key */
                krb5_kt_free_entry (context, &entry);
                continue;
            }
+           if (ret) {
+               krb5_kt_free_entry (context, &entry);
+               break;
+           }
 
            /*
             * Found a match, save the keyblock for PAC processing,
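
Review bot: The new `if (ret) { ... break; }` branch leaves the key loop without a comment, while the retry branch just above it has one; a short comment stating that any other error is final and must not be retried with the next key would make the intent explicit. The fix also relies on the code after the loop returning this `ret` unchanged rather than replacing it with a generic "no matching key" error, and that code is not visible in this hunk, so it is worth confirming on the `break` path. A test that feeds a ticket failing with a non-integrity error against a multi-key keytab and checks the returned code would keep this from regressing.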