From 70a00b7fabf13c01ec1cd38c587f208f0be4ac28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Sat, 16 Aug 2008 22:59:26 +0000
Subject: [PATCH] Only send KRB_ERROR token when there is clock skew, limits when we send KRB-ERROR for non-MUTUAL tokens.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23541 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/gssapi/krb5/accept_sec_context.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c
index 8634d4b8f..84110b7a8 100644
--- a/lib/gssapi/krb5/accept_sec_context.c
+++ b/lib/gssapi/krb5/accept_sec_context.c
@@ -371,9 +371,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 if (kret) {
 if (in)
 krb5_rd_req_in_ctx_free(context, in);
- ret = GSS_S_FAILURE;
 *minor_status = kret;
- return ret;
+ return GSS_S_FAILURE;
 }

 kret = krb5_rd_req_ctx(context,
@@ -382,13 +381,18 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 server,
 in, &out);
 krb5_rd_req_in_ctx_free(context, in);
- if (kret) {
+ if (kret == KRB5KRB_AP_ERR_SKEW) {
 /*
 * No reply in non-MUTUAL mode, but we don't know that its
- * non-MUTUAL mode yet, thats inside the 8003 checksum.
+ * non-MUTUAL mode yet, thats inside the 8003 checksum, so
+ * lets only send the error token on clock skew, that
+ * limit when send error token for non-MUTUAL.
 */
 return send_error_token(minor_status, context, kret,
 server, &indata, output_token);
+ } else if (kret) {
+ *minor_status = kret;
+ return GSS_S_FAILURE;
 }

 /*
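Review bot: The reworded comment above `send_error_token` in the second hunk is hard to parse and never states that every `krb5_rd_req_ctx` failure other than clock skew now ends without a reply token, so the intent of the `kret == KRB5KRB_AP_ERR_SKEW` test is easy to lose in a later edit. I would rewrite it as `/* MUTUAL is only known from the 8003 checksum, not yet read here; reply with KRB-ERROR for clock skew only, fail without a token otherwise. */`. The new `else if (kret)` branch returns `GSS_S_FAILURE` without touching `output_token`, which is safe only if the token was already set to empty earlier in `gsskrb5_acceptor_start`; the function starts and ends outside this hunk, so that should be confirmed. It is also worth recording in the comment that the skew reply is still produced before the request has been authenticated, since that is the one error path that keeps answering an unverified peer.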