krb5 commit: Add KDC_ERR_PREAUTH_EXPIRED support
Greg Hudson
ghudson at mit.edu
Tue Aug 11 22:40:50 EDT 2015
https://github.com/krb5/krb5/commit/d3e0af0774dd100f00fbc8895b99355d82d86bf1
commit d3e0af0774dd100f00fbc8895b99355d82d86bf1
Author: Greg Hudson <ghudson at mit.edu>
Date: Mon Jul 27 10:34:54 2015 -0400
Add KDC_ERR_PREAUTH_EXPIRED support
Define KDC_ERR_PREAUTH_EXPIRED and KRB5KDC_ERR_PREAUTH_EXPIRED. In
init_creds_step_reply(), handle a preauth-expired error by restarting
the exchange.
ticket: 8224 (new)
src/include/k5-int.h | 1 +
src/lib/krb5/error_tables/krb5_err.et | 2 +-
src/lib/krb5/krb/get_in_tkt.c | 5 +++++
3 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index e05524f..8bc8c48 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -391,6 +391,7 @@ typedef unsigned char u_char;
not find a KDC */
#define KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE 86 /* The KDC did not respond
to the IAKERB proxy */
+#define KDC_ERR_PREAUTH_EXPIRED 90 /* RFC 6113 */
#define KDC_ERR_MORE_PREAUTH_DATA_REQUIRED 91 /* RFC 6113 */
#define KRB_ERR_MAX 127 /* err table base max offset for protocol err codes */
diff --git a/src/lib/krb5/error_tables/krb5_err.et b/src/lib/krb5/error_tables/krb5_err.et
index 7ba7c1e..b80f06f 100644
--- a/src/lib/krb5/error_tables/krb5_err.et
+++ b/src/lib/krb5/error_tables/krb5_err.et
@@ -131,7 +131,7 @@ error_code KRB5KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE, "The KDC did not respond to th
error_code KRB5PLACEHOLD_87, "KRB5 error code 87"
error_code KRB5PLACEHOLD_88, "KRB5 error code 88"
error_code KRB5PLACEHOLD_89, "KRB5 error code 89"
-error_code KRB5PLACEHOLD_90, "KRB5 error code 90"
+error_code KRB5KDC_ERR_PREAUTH_EXPIRED, "Preauthentication expired"
error_code KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, "More preauthentication data is required"
error_code KRB5PLACEHOLD_92, "KRB5 error code 92"
error_code KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION, "An unsupported critical FAST option was requested"
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 7ddc80a..ba635fe 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1387,6 +1387,11 @@ init_creds_step_reply(krb5_context context,
ctx->enc_pa_rep_permitted = FALSE;
ctx->restarted = TRUE;
code = restart_init_creds_loop(context, ctx, FALSE);
+ } else if (reply_code == KDC_ERR_PREAUTH_EXPIRED) {
+ /* We sent an expired KDC cookie. Start over, allowing another
+ * FAST upgrade. */
+ ctx->restarted = FALSE;
+ code = restart_init_creds_loop(context, ctx, FALSE);
} else if ((reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED ||
reply_code == KDC_ERR_PREAUTH_REQUIRED) && retry) {
/* reset the list of preauth types to try */
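Review bot: The new `KDC_ERR_PREAUTH_EXPIRED` branch restarts unconditionally and clears `ctx->restarted`, so it is limited neither by the `retry` flag that gates the branch after it nor by the once-only guard the branch before it sets. A KRB-ERROR received outside FAST is not integrity-protected, so an unauthenticated reply can trigger this path each time it arrives. Consider `} else if (reply_code == KDC_ERR_PREAUTH_EXPIRED && retry) {`, assuming `retry` (set outside this hunk) reflects whether the error is safe to act on. The comment should also say what bounds repeated restarts, presumably an iteration cap in the stepping caller, which is not visible here and needs confirming. The body of init_creds_step_reply starts and ends outside the hunk.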