[29017] in CVS-changelog-for-Kerberos-V5


krb5 commit: Add KDC_ERR_PREAUTH_EXPIRED support

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Aug 11 22:40:54 2015

Date: Tue, 11 Aug 2015 22:40:50 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201508120240.t7C2eo3G024335@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/d3e0af0774dd100f00fbc8895b99355d82d86bf1
commit d3e0af0774dd100f00fbc8895b99355d82d86bf1
Author: Greg Hudson <ghudson@mit.edu>
Date:   Mon Jul 27 10:34:54 2015 -0400

    Add KDC_ERR_PREAUTH_EXPIRED support
    
    Define KDC_ERR_PREAUTH_EXPIRED and KRB5KDC_ERR_PREAUTH_EXPIRED.  In
    init_creds_step_reply(), handle a preauth-expired error by restarting
    the exchange.
    
    ticket: 8224 (new)

 src/include/k5-int.h                  |    1 +
 src/lib/krb5/error_tables/krb5_err.et |    2 +-
 src/lib/krb5/krb/get_in_tkt.c         |    5 +++++
 3 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index e05524f..8bc8c48 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -391,6 +391,7 @@ typedef unsigned char   u_char;
                                                       not find a KDC */
 #define KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE       86 /* The KDC did not respond
                                                       to the IAKERB proxy */
+#define KDC_ERR_PREAUTH_EXPIRED                 90 /* RFC 6113 */
 #define KDC_ERR_MORE_PREAUTH_DATA_REQUIRED      91 /* RFC 6113 */
 #define KRB_ERR_MAX 127 /* err table base max offset for protocol err codes */
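Review bot: the value 90 for KDC_ERR_PREAUTH_EXPIRED is the RFC 6113 assignment and slots directly before KDC_ERR_MORE_PREAUTH_DATA_REQUIRED (91), but the bare `/* RFC 6113 */` comment says nothing about what the error means; the neighbouring entries carry a short gloss, and the only statement of the semantics anywhere in this patch is the client-side comment in get_in_tkt.c. Suggest something like `/* RFC 6113: KDC cookie in the request has expired */` so a reader of the header does not have to find that comment. Also keep in mind that this protocol number must stay paired with the error-table offset: the entry in krb5_err.et has to land in slot 90 (where KRB5PLACEHOLD_90 sits) for the com_err code KRB5KDC_ERR_PREAUTH_EXPIRED to correspond to this wire value.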
 
diff --git a/src/lib/krb5/error_tables/krb5_err.et b/src/lib/krb5/error_tables/krb5_err.et
index 7ba7c1e..b80f06f 100644
--- a/src/lib/krb5/error_tables/krb5_err.et
+++ b/src/lib/krb5/error_tables/krb5_err.et
@@ -131,7 +131,7 @@ error_code KRB5KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE,	"The KDC did not respond to th
 error_code KRB5PLACEHOLD_87,	"KRB5 error code 87"
 error_code KRB5PLACEHOLD_88,	"KRB5 error code 88"
 error_code KRB5PLACEHOLD_89,	"KRB5 error code 89"
-error_code KRB5PLACEHOLD_90,	"KRB5 error code 90"
+error_code KRB5KDC_ERR_PREAUTH_EXPIRED,			"Preauthentication expired"
 error_code KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED,	"More preauthentication data is required"
 error_code KRB5PLACEHOLD_92,	"KRB5 error code 92"
 error_code KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION, "An unsupported critical FAST option was requested"
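Review bot: the message "Preauthentication expired" is ambiguous if it ever reaches a user: it reads as though their pre-authentication credentials or a preauth time window expired, whereas the condition the client code documents is that the KDC cookie carried in the request had expired and the exchange is being restarted. A wording closer to the condition, e.g. "Pre-authentication state (KDC cookie) has expired", would be more useful in a kinit failure. On presentation, the replacement is placed at slot 90 so the table offset still matches the protocol code, which is correct; the tab run after the symbol aligns it with the MORE_PREAUTH_DATA_REQUIRED entry below rather than the single tab of the placeholder lines, which is fine as long as it matches the file's convention for named entries.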
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 7ddc80a..ba635fe 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1387,6 +1387,11 @@ init_creds_step_reply(krb5_context context,
             ctx->enc_pa_rep_permitted = FALSE;
             ctx->restarted = TRUE;
             code = restart_init_creds_loop(context, ctx, FALSE);
+        } else if (reply_code == KDC_ERR_PREAUTH_EXPIRED) {
+            /* We sent an expired KDC cookie.  Start over, allowing another
+             * FAST upgrade. */
+            ctx->restarted = FALSE;
+            code = restart_init_creds_loop(context, ctx, FALSE);
         } else if ((reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED ||
                     reply_code == KDC_ERR_PREAUTH_REQUIRED) && retry) {
             /* reset the list of preauth types to try */
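Review bot: the new branch restarts unconditionally and resets ctx->restarted to FALSE, so a KDC that answers every request with KDC_ERR_PREAUTH_EXPIRED, or, since a KRB-ERROR is unauthenticated outside FAST, an on-path party injecting that error, can send the client through restart_init_creds_loop() over and over. The preceding branch marks ctx->restarted = TRUE before restarting and the following branch is gated on `retry`; this one has neither guard, and by clearing ctx->restarted it also re-arms the preceding branch. Unless the step loop is already bounded by an iteration counter elsewhere in this file, bound this path, for example by taking it only once per exchange via a flag in ctx set on the first expired-cookie restart, or by folding it into the existing `retry` condition. The comment should also say that clearing ctx->restarted deliberately allows the earlier restart branch to fire again, since "allowing another FAST upgrade" only hints at that interaction.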
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
