From: Greg Hudson Date: Mon, 27 Jul 2015 14:34:54 +0000 (-0400) Subject: Add KDC_ERR_PREAUTH_EXPIRED support X-Git-Tag: krb5-1.14-alpha1~37 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d3e0af0774dd100f00fbc8895b99355d82d86bf1;p=thirdparty%2Fkrb5.git Add KDC_ERR_PREAUTH_EXPIRED support Define KDC_ERR_PREAUTH_EXPIRED and KRB5KDC_ERR_PREAUTH_EXPIRED. In init_creds_step_reply(), handle a preauth-expired error by restarting the exchange. ticket: 8224 (new) --- diff --git a/src/include/k5-int.h b/src/include/k5-int.h index e05524f86a..8bc8c482d7 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -391,6 +391,7 @@ typedef unsigned char u_char; not find a KDC */ #define KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE 86 /* The KDC did not respond to the IAKERB proxy */ +#define KDC_ERR_PREAUTH_EXPIRED 90 /* RFC 6113 */ #define KDC_ERR_MORE_PREAUTH_DATA_REQUIRED 91 /* RFC 6113 */ #define KRB_ERR_MAX 127 /* err table base max offset for protocol err codes */ diff --git a/src/lib/krb5/error_tables/krb5_err.et b/src/lib/krb5/error_tables/krb5_err.et index 7ba7c1e0a8..b80f06f44d 100644 --- a/src/lib/krb5/error_tables/krb5_err.et +++ b/src/lib/krb5/error_tables/krb5_err.et @@ -131,7 +131,7 @@ error_code KRB5KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE, "The KDC did not respond to th error_code KRB5PLACEHOLD_87, "KRB5 error code 87" error_code KRB5PLACEHOLD_88, "KRB5 error code 88" error_code KRB5PLACEHOLD_89, "KRB5 error code 89" -error_code KRB5PLACEHOLD_90, "KRB5 error code 90" +error_code KRB5KDC_ERR_PREAUTH_EXPIRED, "Preauthentication expired" error_code KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, "More preauthentication data is required" error_code KRB5PLACEHOLD_92, "KRB5 error code 92" error_code KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION, "An unsupported critical FAST option was requested" diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index 7ddc80ad18..ba635fe3b5 100644 --- a/src/lib/krb5/krb/get_in_tkt.c 
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1387,6 +1387,11 @@ init_creds_step_reply(krb5_context context,
 ctx->enc_pa_rep_permitted = FALSE;
 ctx->restarted = TRUE;
 code = restart_init_creds_loop(context, ctx, FALSE);
+ } else if (reply_code == KDC_ERR_PREAUTH_EXPIRED) {
+ /* We sent an expired KDC cookie. Start over, allowing another
+ * FAST upgrade. */
+ ctx->restarted = FALSE;
+ code = restart_init_creds_loop(context, ctx, FALSE);
 } else if ((reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED ||
 reply_code == KDC_ERR_PREAUTH_REQUIRED) && retry) {
 /* reset the list of preauth types to try */
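Review bot: The new `KDC_ERR_PREAUTH_EXPIRED` branch clears `ctx->restarted` and, unlike the MORE_PREAUTH_DATA/PREAUTH_REQUIRED branch directly below it, is not gated on `retry`, so nothing visible in this hunk bounds how many times a PREAUTH_EXPIRED reply can send the client back through `restart_init_creds_loop()`. Outside a FAST tunnel a KRB-ERROR is not integrity-protected, so an on-path party can inject this error both to force repeated restarts and to re-arm the once-only fallbacks that the earlier `ctx->restarted = TRUE` assignments are meant to prevent. If the per-exchange step limit used elsewhere in this file survives `restart_init_creds_loop()`, that is the real bound and the comment should say so, e.g. `/* Restarts here rely on the overall request loop limit; outside FAST this error is unauthenticated, so trust it for nothing beyond a restart. */`; otherwise a dedicated restart counter belongs on this branch. `init_creds_step_reply()` begins and ends outside the hunk.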