Add KDC_ERR_PREAUTH_EXPIRED support
authorGreg Hudson <ghudson@mit.edu>
Mon, 27 Jul 2015 14:34:54 +0000 (10:34 -0400)
committerGreg Hudson <ghudson@mit.edu>
Wed, 12 Aug 2015 02:31:49 +0000 (22:31 -0400)
Define KDC_ERR_PREAUTH_EXPIRED and KRB5KDC_ERR_PREAUTH_EXPIRED.  In
init_creds_step_reply(), handle a preauth-expired error by restarting
the exchange.

ticket: 8224 (new)

src/include/k5-int.h
src/lib/krb5/error_tables/krb5_err.et
src/lib/krb5/krb/get_in_tkt.c

index e05524f86aaa9dc00f68d6e83c9b2b39b39bdbaf..8bc8c482d7b8f13047426319017b68d8b7517c9c 100644 (file)
@@ -391,6 +391,7 @@ typedef unsigned char   u_char;
                                                       not find a KDC */
 #define KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE       86 /* The KDC did not respond
                                                       to the IAKERB proxy */
+#define KDC_ERR_PREAUTH_EXPIRED                 90 /* RFC 6113 */
 #define KDC_ERR_MORE_PREAUTH_DATA_REQUIRED      91 /* RFC 6113 */
 #define KRB_ERR_MAX 127 /* err table base max offset for protocol err codes */
 
index 7ba7c1e0a84b9de4788895340f2397a4d80be401..b80f06f44d97d30c6d473fd3bb5aabbe8d299549 100644 (file)
@@ -131,7 +131,7 @@ error_code KRB5KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE,   "The KDC did not respond to th
 error_code KRB5PLACEHOLD_87,   "KRB5 error code 87"
 error_code KRB5PLACEHOLD_88,   "KRB5 error code 88"
 error_code KRB5PLACEHOLD_89,   "KRB5 error code 89"
-error_code KRB5PLACEHOLD_90,   "KRB5 error code 90"
+error_code KRB5KDC_ERR_PREAUTH_EXPIRED,                        "Preauthentication expired"
 error_code KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED,     "More preauthentication data is required"
 error_code KRB5PLACEHOLD_92,   "KRB5 error code 92"
 error_code KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION, "An unsupported critical FAST option was requested"
index 7ddc80ad184f3542acd775430c891c88c0f73709..ba635fe3b5f43ac6a5c222efa92c033306573893 100644 (file)
@@ -1387,6 +1387,11 @@ init_creds_step_reply(krb5_context context,
             ctx->enc_pa_rep_permitted = FALSE;
             ctx->restarted = TRUE;
             code = restart_init_creds_loop(context, ctx, FALSE);
+        } else if (reply_code == KDC_ERR_PREAUTH_EXPIRED) {
+            /* We sent an expired KDC cookie.  Start over, allowing another
+             * FAST upgrade. */
+            ctx->restarted = FALSE;
+            code = restart_init_creds_loop(context, ctx, FALSE);
         } else if ((reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED ||
                     reply_code == KDC_ERR_PREAUTH_REQUIRED) && retry) {
             /* reset the list of preauth types to try */
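Review bot: The new KDC_ERR_PREAUTH_EXPIRED branch sets `ctx->restarted = FALSE` before calling restart_init_creds_loop(), which removes the one-restart guard the preceding branch relies on by setting `ctx->restarted = TRUE`, so nothing in this hunk bounds how many times this error can restart the exchange. A KRB-ERROR is not authenticated outside a FAST tunnel, so a responder that keeps answering with this code could drive the client through repeated restarts; if the per-context loop-count check in init_creds_step_request() is what caps this, the branch should say so, e.g. `/* Bounded by the loopcount check in init_creds_step_request(). */`, and if that counter is reset by restart_init_creds_loop() then an explicit limit is needed here. The comment should also note that the error is accepted before any FAST verification, since the "expired KDC cookie" explanation presumes a well-behaved KDC. init_creds_step_reply() begins and ends outside this hunk.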