From e2e5f386ccf2bea1fa55ce544f43098ae2b38f89 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Fri, 4 Apr 2025 12:04:00 +0200
Subject: [PATCH] Only handle IAKERB errors in initiator step

iakerb_initiator_step() must pass through most KRB-ERROR messages in order to properly handle recoverable AS and TGS errors such as KDC_ERR_PREAUTH_REQUIRED. Only stop on IAKERB errors.

[ghudson@mit.edu: changed code to check for com_err codes instead of protocol codes; changed iakerb_acceptor_realm() to respond with an IAKERB error when realm determination fails and modified test case accordingly; added a test case by requiring preauth on the user principal when testing IAKERB; rewrote commit message]

ticket: 9169
---
 src/lib/gssapi/krb5/iakerb.c | 14 +++++++++++---
 src/tests/gssapi/t_gssapi.py | 3 ++-
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
index a0c64403be..90a9bce11a 100644
--- a/src/lib/gssapi/krb5/iakerb.c
+++ b/src/lib/gssapi/krb5/iakerb.c
@@ -349,8 +349,8 @@ iakerb_acceptor_realm(iakerb_ctx_id_t ctx, gss_cred_id_t verifier_cred,
     ret = krb5_get_default_realm(ctx->k5c, &defrealm);
     if (ret) {
         /* Generate an error reply if there is no default realm. */
-        ret = iakerb_mk_error(ctx->k5c, verifier_cred, KRB_ERR_GENERIC,
-                              &reply);
+        ret = iakerb_mk_error(ctx->k5c, verifier_cred,
+                              KRB_AP_ERR_IAKERB_KDC_NOT_FOUND, &reply);
         if (ret)
             goto cleanup;
     } else {
@@ -600,7 +600,15 @@ iakerb_initiator_step(iakerb_ctx_id_t ctx,
         if (krb5_is_krb_error(&in)) {
             code = iakerb_rd_error(ctx->k5c, &in);
-            goto cleanup;
+            if (code == KRB5KRB_AP_ERR_IAKERB_KDC_NOT_FOUND &&
+                ctx->state == IAKERB_REALM_DISCOVERY) {
+                save_error_string(code, _("The IAKERB proxy could not "
+                                          "determine its realm"));
+            }
+            if (code == KRB5KRB_AP_ERR_IAKERB_KDC_NOT_FOUND ||
+                code == KRB5KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE)
+                goto cleanup;
+            code = 0;
         }
     }
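Review bot: The `code = 0;` at the end of the second hunk also clears a failure of iakerb_rd_error() itself, so a KRB-ERROR token that cannot be decoded is no longer reported at this point but is handed on to the following state step together with the undecodable token; if iakerb_rd_error() distinguishes its own decode failures from the protocol code it extracts, keeping those failures on the `goto cleanup` path would preserve the diagnostic. The pass-through is undocumented where it happens, and the reason from the commit message belongs in the code: a comment such as `/* Pass other KRB-ERRORs through so the AS/TGS step can recover from them (e.g. KDC_ERR_PREAUTH_REQUIRED). */` above `code = 0;` would record why the unconditional early exit was removed. The two checks could also be a single block so the KDC_NOT_FOUND comparison is not repeated. iakerb_initiator_step() continues outside the hunk.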
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index cf57762e43..149f46d5c9 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -9,6 +9,7 @@ for realm in multipass_realms():
     realm.run(['./t_pcontok', 'p:' + realm.host_princ])
 
 realm = K5Realm()
+realm.run([kadminl, 'modprinc', '+preauth', realm.user_princ])
 remove_default = {'libdefaults': {'default_realm': None}}
 change_default = {'libdefaults': {'default_realm': 'WRONG.REALM'}}
 
@@ -32,7 +33,7 @@ realm.run(['./t_iakerb', 'e:user', password('user'), 'h:host@' + hostname,
 # error because the acceptor does not know the realm.
 realm.run(['./t_iakerb', 'e:user', password('user'), 'h:host@' + hostname,
            'h:host'], env=no_default, expected_code=1,
-           expected_msg='Generic error')
+           expected_msg='The IAKERB proxy could not determine its realm')
 
 # Test again, using a GSS_KRB5_NT_PRINCIPAL_NAME acceptor name so that
 # gss_accept_sec_context() knows the realm.
-- 
2.47.2
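Review bot: The `+preauth` modprinc added in the first hunk changes the user principal for every later test in this file that uses `realm`, not only the IAKERB cases, and nothing in the file says why it is there; a comment such as `# Require preauth so the IAKERB tests exercise pass-through of recoverable KRB-ERRORs (KDC_ERR_PREAUTH_REQUIRED).` would tie it to the initiator change it is meant to cover. The new expected_msg in the second hunk relies on the acceptor replying during realm discovery, which is the only state in which the initiator records that string, so the assertion is consistent with the C change as long as that ordering holds.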