- /* Check for a configured FAST ec auth indicator. */
- realmstr = k5memdup0(realm.data, realm.length, &retval);
- if (realmstr != NULL)
- retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
- realmstr,
- KRB5_CONF_ENCRYPTED_CHALLENGE_INDICATOR,
- NULL, &ai);
-
- if (retval == 0)
- retval = cb->client_keys(context, rock, &client_keys);
- if (retval == 0) {
- for (i = 0; client_keys[i].enctype&& (retval == 0); i++ ) {
- retval = krb5_c_fx_cf2_simple(context,
- armor_key, "clientchallengearmor",
- &client_keys[i], "challengelongterm",
- &challenge_key);
- if (retval == 0)
- retval = krb5_c_decrypt(context, challenge_key,
- KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT,
- NULL, enc, &plain);
- if (challenge_key)
- krb5_free_keyblock(context, challenge_key);
- challenge_key = NULL;
- if (retval == 0)
- break;
- /*We failed to decrypt. Try next key*/
- retval = 0;
- }
- if (client_keys[i].enctype == 0) {
- retval = KRB5KDC_ERR_PREAUTH_FAILED;
- k5_setmsg(context, retval,
- _("Incorrect password in encrypted challenge"));
- }
+ if (client_keys[i].enctype == ENCTYPE_NULL) {
+ ret = KRB5KDC_ERR_PREAUTH_FAILED;
+ k5_setmsg(context, ret,
+ _("Incorrect password in encrypted challenge"));
+ goto cleanup;