Only handle IAKERB errors in initiator step

iakerb_initiator_step() must pass through most KRB-ERROR messages in
order to properly handle recoverable AS and TGS errors such as
KDC_ERR_PREAUTH_REQUIRED.  Only stop on IAKERB errors.

[ghudson@mit.edu: changed code to check for com_err codes instead of
protocol codes; changed iakerb_acceptor_realm() to respond with an
IAKERB error when realm determination fails and modified test case
accordingly; added a test case by requiring preauth on the user
principal when testing IAKERB; rewrote commit message]

ticket: 9169

diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
index a0c64403bec512acd0235bde86932539b60d0808..90a9bce11ad70b784a0f9e91bd13a0e7e79b0627 100644 (file)
--- a/src/lib/gssapi/krb5/iakerb.c
+++ b/src/lib/gssapi/krb5/iakerb.c
@@ -349,8 +349,8 @@ iakerb_acceptor_realm(iakerb_ctx_id_t ctx, gss_cred_id_t verifier_cred,
         ret = krb5_get_default_realm(ctx->k5c, &defrealm);
         if (ret) {
             /* Generate an error reply if there is no default realm. */
-            ret = iakerb_mk_error(ctx->k5c, verifier_cred, KRB_ERR_GENERIC,
-                                  &reply);
+            ret = iakerb_mk_error(ctx->k5c, verifier_cred,
+                                  KRB_AP_ERR_IAKERB_KDC_NOT_FOUND, &reply);
             if (ret)
                 goto cleanup;
         } else {
@@ -600,7 +600,15 @@ iakerb_initiator_step(iakerb_ctx_id_t ctx,
 
         if (krb5_is_krb_error(&in)) {
             code = iakerb_rd_error(ctx->k5c, &in);
-            goto cleanup;
+            if (code == KRB5KRB_AP_ERR_IAKERB_KDC_NOT_FOUND &&
+                ctx->state == IAKERB_REALM_DISCOVERY) {
+                save_error_string(code, _("The IAKERB proxy could not "
+                                          "determine its realm"));
+            }
+            if (code == KRB5KRB_AP_ERR_IAKERB_KDC_NOT_FOUND ||
+                code == KRB5KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE)
+                goto cleanup;
+            code = 0;
         }
     }
 

diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index cf57762e43a183ef1bcb9422a57d1d59229b137c..149f46d5c9145f6752e92d468047b181a34f6fcf 100755 (executable)
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -9,6 +9,7 @@ for realm in multipass_realms():
     realm.run(['./t_pcontok', 'p:' + realm.host_princ])
 
 realm = K5Realm()
+realm.run([kadminl, 'modprinc', '+preauth', realm.user_princ])
 
 remove_default = {'libdefaults': {'default_realm': None}}
 change_default = {'libdefaults': {'default_realm': 'WRONG.REALM'}}
@@ -32,7 +33,7 @@ realm.run(['./t_iakerb', 'e:user', password('user'), 'h:host@' + hostname,
 # error because the acceptor does not know the realm.
 realm.run(['./t_iakerb', 'e:user', password('user'), 'h:host@' + hostname,
            'h:host'], env=no_default, expected_code=1,
-          expected_msg='Generic error')
+          expected_msg='The IAKERB proxy could not determine its realm')
 
 # Test again, using a GSS_KRB5_NT_PRINCIPAL_NAME acceptor name so that
 # gss_accept_sec_context() knows the realm.