From c7cd31ef9dd4a7414d1822eedee66a1a4cd85fc5 Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand <lha@h5l.org>
Date: Sun, 10 Feb 2013 19:07:44 -0800
Subject: [PATCH] make sure we propagate an error code in case of wrong number
 of ms-san

Patch from Matthieu Hautreux
---
 kdc/pkinit.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index 46e34e3d1..b6817a19d 100644
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -1654,6 +1654,7 @@ match_ms_upn_san(krb5_context context,
     if (list.len != 1) {
 	kdc_log(context, config, 0,
 		"More then one PK-INIT MS UPN SAN");
+	ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
 	goto out;
     }