From 54129c319c9b2f2916c8c6322502664bc3c367c1 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Tue, 16 Nov 2021 20:22:03 +1300
Subject: [PATCH] kdc: Don't keep trying keys for encrypted-challenge if one decrypts but fails to verify

This also enables a KRB5KRB_AP_ERR_SKEW error to be returned to the client.

Signed-off-by: Joseph Sutton
---
 kdc/kerberos5.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 2446d4897..cc867c6bf 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -637,7 +637,12 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
 krb5_error_code ret2;
 char *str = NULL;
+ krb5_crypto_destroy(r->context, longtermcrypto);
+ invalidPassword = (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY);
+ if (!invalidPassword) {
+ goto out;
+ }
 ret2 = krb5_enctype_to_string(r->context, k->key.keytype, &str);
 if (ret2)
@@ -648,7 +653,6 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
 krb5_free_error_message(r->context, msg);
 free(str);
- krb5_crypto_destroy(r->context, longtermcrypto);
 continue;
 }
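Review bot: The new `goto out` in the first hunk leaves the `if (ret)` block before the `krb5_free_error_message(r->context, msg)` call that the second hunk keeps, so if `msg` is obtained from `krb5_get_error_message` just above the hunk (that line is not shown), every non-BAD_INTEGRITY failure such as KRB5KRB_AP_ERR_SKEW now leaks the error message; releasing it first, `krb5_free_error_message(r->context, msg);` inside the `if (!invalidPassword)` body, would close that. The same jump also bypasses whatever between the two hunks consumes `msg` and `str` — presumably the log line for the failed validation — so a skew or other non-integrity failure is no longer recorded at this point unless the `out:` path or the caller logs `ret`, which lies outside the hunk. The intent of the `invalidPassword` test deserves a comment, e.g. `/* Key decrypted the challenge but verification failed for another reason (e.g. clock skew): return that error rather than trying more keys. */`. pa_enc_chal_validate and its `out:` label lie outside both hunks.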