krb5 commit: Only handle IAKERB errors in initiator step
ghudson at mit.edu
ghudson at mit.edu
Tue Apr 8 17:28:57 EDT 2025
https://github.com/krb5/krb5/commit/e2e5f386ccf2bea1fa55ce544f43098ae2b38f89
commit e2e5f386ccf2bea1fa55ce544f43098ae2b38f89
Author: Andreas Schneider <asn at cryptomilk.org>
Date: Fri Apr 4 12:04:00 2025 +0200
Only handle IAKERB errors in initiator step
iakerb_initiator_step() must pass through most KRB-ERROR messages in
order to properly handle recoverable AS and TGS errors such as
KDC_ERR_PREAUTH_REQUIRED. Only stop on IAKERB errors.
[ghudson at mit.edu: changed code to check for com_err codes instead of
protocol codes; changed iakerb_acceptor_realm() to respond with an
IAKERB error when realm determination fails and modified test case
accordingly; added a test case by requiring preauth on the user
principal when testing IAKERB; rewrote commit message]
ticket: 9169
src/lib/gssapi/krb5/iakerb.c | 14 +++++++++++---
src/tests/gssapi/t_gssapi.py | 3 ++-
2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
index a0c64403b..90a9bce11 100644
--- a/src/lib/gssapi/krb5/iakerb.c
+++ b/src/lib/gssapi/krb5/iakerb.c
@@ -349,8 +349,8 @@ iakerb_acceptor_realm(iakerb_ctx_id_t ctx, gss_cred_id_t verifier_cred,
ret = krb5_get_default_realm(ctx->k5c, &defrealm);
if (ret) {
/* Generate an error reply if there is no default realm. */
- ret = iakerb_mk_error(ctx->k5c, verifier_cred, KRB_ERR_GENERIC,
- &reply);
+ ret = iakerb_mk_error(ctx->k5c, verifier_cred,
+ KRB_AP_ERR_IAKERB_KDC_NOT_FOUND, &reply);
if (ret)
goto cleanup;
} else {
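Review bot: The comment above the new iakerb_mk_error() call still only says a reply is generated; it should also say why an IAKERB-specific code replaces KRB_ERR_GENERIC here, because the initiator side of this commit now treats KRB_AP_ERR_IAKERB_KDC_NOT_FOUND as fatal while letting other KRB-ERROR messages through, e.g. `/* Generate an IAKERB error reply if there is no default realm; the initiator treats this code as fatal instead of passing it on to the AS/TGS exchange. */`. The initiator only maps this code to "The IAKERB proxy could not determine its realm" while it is still in IAKERB_REALM_DISCOVERY, so that state dependency is worth noting next to it as well. iakerb_acceptor_realm() starts and ends outside the hunk.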
@@ -600,7 +600,15 @@ iakerb_initiator_step(iakerb_ctx_id_t ctx,
if (krb5_is_krb_error(&in)) {
code = iakerb_rd_error(ctx->k5c, &in);
- goto cleanup;
+ if (code == KRB5KRB_AP_ERR_IAKERB_KDC_NOT_FOUND &&
+ ctx->state == IAKERB_REALM_DISCOVERY) {
+ save_error_string(code, _("The IAKERB proxy could not "
+ "determine its realm"));
+ }
+ if (code == KRB5KRB_AP_ERR_IAKERB_KDC_NOT_FOUND ||
+ code == KRB5KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE)
+ goto cleanup;
+ code = 0;
}
}
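Review bot: `code = 0;` at the end of the new block clears whatever iakerb_rd_error() returned, so if that helper can fail on a malformed KRB-ERROR (a decode error rather than the code carried in the message), the undecodable message is now handed on to the AS/TGS exchange instead of being rejected here; either keep such a failure with `goto cleanup` or add a comment stating that the downstream step is relied on to reject it. The reason for the pass-through lives only in the commit message; a comment above the new `if`, such as `/* Pass non-IAKERB errors through to the AS/TGS exchange so that recoverable errors like KDC_ERR_PREAUTH_REQUIRED are handled there. */`, would record it in the code. iakerb_initiator_step() starts and ends outside the hunk, so where `in` goes after this block is not visible here.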
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index cf57762e4..149f46d5c 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -9,6 +9,7 @@ for realm in multipass_realms():
realm.run(['./t_pcontok', 'p:' + realm.host_princ])
realm = K5Realm()
+realm.run([kadminl, 'modprinc', '+preauth', realm.user_princ])
remove_default = {'libdefaults': {'default_realm': None}}
change_default = {'libdefaults': {'default_realm': 'WRONG.REALM'}}
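Review bot: The new `+preauth` modprinc line has no comment saying what it is for; per the commit message it exists so the IAKERB tests receive a KDC_ERR_PREAUTH_REQUIRED reply that the initiator must pass through, which a reader of the test file alone cannot tell. A comment such as `# Require preauth so the IAKERB tests exercise pass-through of a recoverable KRB-ERROR.` above it would record the intent. Since this realm is reused by the tests below, it is also worth confirming that the remaining cases still pass with preauth required on the user principal.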
@@ -32,7 +33,7 @@ realm.run(['./t_iakerb', 'e:user', password('user'), 'h:host@' + hostname,
# error because the acceptor does not know the realm.
realm.run(['./t_iakerb', 'e:user', password('user'), 'h:host@' + hostname,
'h:host'], env=no_default, expected_code=1,
- expected_msg='Generic error')
+ expected_msg='The IAKERB proxy could not determine its realm')
# Test again, using a GSS_KRB5_NT_PRINCIPAL_NAME acceptor name so that
# gss_accept_sec_context() knows the realm.