krb5 commit [krb5-1.11]: Use protocol error for PKINIT cert expiry

Thu Oct 17 18:46:40 EDT 2013

https://github.com/krb5/krb5/commit/d2935ee933907870b1e5c97aab723bc63b47d0ec
commit d2935ee933907870b1e5c97aab723bc63b47d0ec
Author: Greg Hudson <ghudson at mit.edu>
Date:   Mon Oct 14 17:02:31 2013 -0400

    Use protocol error for PKINIT cert expiry
    
    If we fail to create a cert chain in cms_signeddata_create(), return
    KRB5KDC_ERR_PREAUTH_FAILED, which corresponds to a protocol code,
    rather than KRB5_PREAUTH_FAILED, which doesn't.  This is also more
    consistent with other error clauses in the same function.
    
    (cherry picked from commit cd59782cb32b79e4001a86b0fe47af8b6275ef0c)
    
    ticket: 7726 (new)
    version_fixed: 1.11.4
    status: resolved

 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 2cd3440..6363303 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1039,7 +1039,7 @@ cms_signeddata_create(krb5_context context,
                 pkiDebug("failed to create a certificate chain: %s\n", msg);
                 if (!sk_X509_num(id_cryptoctx->trustedCAs))
                     pkiDebug("No trusted CAs found. Check your X509_anchors\n");
-                retval = KRB5_PREAUTH_FAILED;
+                retval = KRB5KDC_ERR_PREAUTH_FAILED;
                 krb5_set_error_message(context, retval,
                                        _("Cannot create cert chain: %s"), msg);
                 goto cleanup;
