krb5 commit: Avoid protocol error constants in KDC code
ghudson at mit.edu
ghudson at mit.edu
Fri Aug 12 18:02:21 EDT 2022
https://github.com/krb5/krb5/commit/0c633b5c9fbdd840e1d131e6b82cb7a28e3b91e3
commit 0c633b5c9fbdd840e1d131e6b82cb7a28e3b91e3
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu Jul 21 13:32:50 2022 -0400
Avoid protocol error constants in KDC code
For simplicity, return com_err codes from validate_as_request() and
validate_tgs_request() instead of protocol error constants.
src/kdc/do_as_req.c | 18 +++----
src/kdc/do_tgs_req.c | 39 +++++++--------
src/kdc/kdc_util.c | 37 ++++++---------
src/kdc/kdc_util.h | 4 +-
src/kdc/tgs_policy.c | 131 +++++++++++++++++++++++++--------------------------
5 files changed, 103 insertions(+), 126 deletions(-)
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 0d3af592f..02b6eac04 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -76,8 +76,8 @@
static krb5_error_code
prepare_error_as(struct kdc_request_state *, krb5_kdc_req *, krb5_db_entry *,
- krb5_keyblock *, int, krb5_pa_data **, krb5_boolean,
- krb5_principal, krb5_data **, const char *);
+ krb5_keyblock *, krb5_error_code, krb5_pa_data **,
+ krb5_boolean, krb5_principal, krb5_data **, const char *);
/* Determine the key-expiration value according to RFC 4120 section 5.4.2. */
static krb5_timestamp
@@ -370,10 +370,6 @@ egress:
state->status = emsg;
}
if (errcode != KRB5KDC_ERR_DISCARD) {
- errcode -= ERROR_TABLE_BASE_krb5;
- if (errcode < 0 || errcode > KRB_ERR_MAX)
- errcode = KRB_ERR_GENERIC;
-
errcode = prepare_error_as(state->rstate, state->request,
state->local_tgt, &state->local_tgt_key,
errcode, state->e_data,
@@ -634,10 +630,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
errcode = validate_as_request(realm, state->request, state->client,
state->server, state->kdc_time,
&state->status, &state->e_data);
- if (errcode) {
- errcode += ERROR_TABLE_BASE_krb5;
+ if (errcode)
goto errout;
- }
au_state->stage = ISSUE_TKT;
@@ -774,7 +768,7 @@ errout:
static krb5_error_code
prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request,
krb5_db_entry *local_tgt, krb5_keyblock *local_tgt_key,
- int error, krb5_pa_data **e_data_in,
+ krb5_error_code code, krb5_pa_data **e_data_in,
krb5_boolean typed_e_data, krb5_principal canon_client,
krb5_data **response, const char *status)
{
@@ -806,9 +800,9 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request,
retval = krb5_us_timeofday(context, &errpkt.stime, &errpkt.susec);
if (retval)
goto cleanup;
- errpkt.error = error;
+ errpkt.error = errcode_to_protocol(code);
errpkt.server = request->server;
- errpkt.client = (error == KDC_ERR_WRONG_REALM) ? canon_client :
+ errpkt.client = (code == KRB5KDC_ERR_WRONG_REALM) ? canon_client :
request->client;
errpkt.text = string2data((char *)status);
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index b64aaf1da..63e79c082 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -70,8 +70,9 @@
#include <ctype.h>
static krb5_error_code
-prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *,krb5_ticket *,int,
- krb5_principal,krb5_data **,const char *, krb5_pa_data **);
+prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *, krb5_ticket *,
+ krb5_error_code, krb5_principal, krb5_data **, const char *,
+ krb5_pa_data **);
static krb5_error_code
decrypt_2ndtkt(krb5_context, krb5_kdc_req *, krb5_flags, krb5_db_entry *,
@@ -113,7 +114,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
const krb5_ticket *stkt = NULL;
krb5_enc_tkt_part enc_tkt_reply;
int newtransited = 0;
- krb5_error_code retval = 0;
+ krb5_error_code retval = 0, errcode;
krb5_keyblock server_keyblock, *encrypting_key;
krb5_timestamp kdc_time, authtime = 0;
krb5_keyblock session_key, local_tgt_key;
@@ -121,7 +122,6 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
krb5_principal cprinc = NULL, sprinc = NULL, altcprinc = NULL;
krb5_principal stkt_authdata_client = NULL;
krb5_last_req_entry *nolrarray[2], nolrentry;
- int errcode;
const char *status = 0;
krb5_enc_tkt_part *header_enc_tkt = NULL; /* TGT */
krb5_enc_tkt_part *subject_tkt = NULL; /* TGT or evidence ticket */
@@ -290,15 +290,14 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
if (errcode)
goto cleanup;
- retval = validate_tgs_request(realm, request, server, header_ticket,
- header_pac, stkt, stkt_pac, stkt_server,
- kdc_time, s4u_x509_user, client,
- is_crossrealm, is_referral, &status,
- &e_data);
- if (retval) {
- if (retval == KDC_ERR_POLICY || retval == KDC_ERR_BADOPTION)
+ errcode = validate_tgs_request(realm, request, server, header_ticket,
+ header_pac, stkt, stkt_pac, stkt_server,
+ kdc_time, s4u_x509_user, client,
+ is_crossrealm, is_referral, &status,
+ &e_data);
+ if (errcode) {
+ if (errcode == KRB5KDC_ERR_POLICY || errcode == KRB5KDC_ERR_BADOPTION)
au_state->violation = PROT_CONSTRAINT;
- errcode = retval + ERROR_TABLE_BASE_krb5;
goto cleanup;
}
@@ -313,7 +312,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
header_ticket->enc_part2->client,
server, &stkt_authdata_client,
&status);
- if (errcode == KDC_ERR_POLICY || errcode == KDC_ERR_BADOPTION)
+ if (errcode == KRB5KDC_ERR_POLICY || errcode == KRB5KDC_ERR_BADOPTION)
au_state->violation = PROT_CONSTRAINT;
else if (errcode)
au_state->violation = LOCAL_POLICY;
@@ -720,9 +719,6 @@ cleanup:
status = krb5_get_error_message(context, errcode);
got_err = 1;
}
- errcode -= ERROR_TABLE_BASE_krb5;
- if (errcode < 0 || errcode > KRB_ERR_MAX)
- errcode = KRB_ERR_GENERIC;
retval = prepare_error_tgs(state, request, header_ticket, errcode,
(server != NULL) ? server->princ : NULL,
@@ -774,11 +770,10 @@ cleanup:
}
static krb5_error_code
-prepare_error_tgs (struct kdc_request_state *state,
- krb5_kdc_req *request, krb5_ticket *ticket, int error,
- krb5_principal canon_server,
- krb5_data **response, const char *status,
- krb5_pa_data **e_data)
+prepare_error_tgs(struct kdc_request_state *state, krb5_kdc_req *request,
+ krb5_ticket *ticket, krb5_error_code code,
+ krb5_principal canon_server, krb5_data **response,
+ const char *status, krb5_pa_data **e_data)
{
krb5_context context = state->realm_data->realm_context;
krb5_error errpkt;
@@ -792,7 +787,7 @@ prepare_error_tgs (struct kdc_request_state *state,
retval = krb5_us_timeofday(context, &errpkt.stime, &errpkt.susec);
if (retval)
return(retval);
- errpkt.error = error;
+ errpkt.error = errcode_to_protocol(code);
errpkt.server = request->server;
if (ticket && ticket->enc_part2)
errpkt.client = ticket->enc_part2->client;
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 01a4fdb1b..d6c61f4aa 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -659,13 +659,7 @@ check_anon(kdc_realm_t *realm, krb5_principal client, krb5_principal server)
return 0;
}
-/*
- * Routines that validate a AS request; checks a lot of things. :-)
- *
- * Returns a Kerberos protocol error number, which is _not_ the same
- * as a com_err error number!
- */
-int
+krb5_error_code
validate_as_request(kdc_realm_t *realm, krb5_kdc_req *request,
krb5_db_entry *client, krb5_db_entry *server,
krb5_timestamp kdc_time, const char **status,
@@ -679,16 +673,16 @@ validate_as_request(kdc_realm_t *realm, krb5_kdc_req *request,
*/
if (request->kdc_options & AS_INVALID_OPTIONS) {
*status = "INVALID AS OPTIONS";
- return KDC_ERR_BADOPTION;
+ return KRB5KDC_ERR_BADOPTION;
}
/* The client must not be expired */
if (client->expiration && ts_after(kdc_time, client->expiration)) {
*status = "CLIENT EXPIRED";
if (vague_errors)
- return(KRB_ERR_GENERIC);
+ return KRB5KRB_ERR_GENERIC;
else
- return(KDC_ERR_NAME_EXP);
+ return KRB5KDC_ERR_NAME_EXP;
}
/* The client's password must not be expired, unless the server is
@@ -697,15 +691,15 @@ validate_as_request(kdc_realm_t *realm, krb5_kdc_req *request,
!isflagset(server->attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
*status = "CLIENT KEY EXPIRED";
if (vague_errors)
- return(KRB_ERR_GENERIC);
+ return KRB5KRB_ERR_GENERIC;
else
- return(KDC_ERR_KEY_EXP);
+ return KRB5KDC_ERR_KEY_EXP;
}
/* The server must not be expired */
if (server->expiration && ts_after(kdc_time, server->expiration)) {
*status = "SERVICE EXPIRED";
- return(KDC_ERR_SERVICE_EXP);
+ return KRB5KDC_ERR_SERVICE_EXP;
}
/*
@@ -715,7 +709,7 @@ validate_as_request(kdc_realm_t *realm, krb5_kdc_req *request,
if (isflagset(client->attributes, KRB5_KDB_REQUIRES_PWCHANGE) &&
!isflagset(server->attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
*status = "REQUIRED PWCHANGE";
- return(KDC_ERR_KEY_EXP);
+ return KRB5KDC_ERR_KEY_EXP;
}
/* Client and server must allow postdating tickets */
@@ -724,39 +718,36 @@ validate_as_request(kdc_realm_t *realm, krb5_kdc_req *request,
(isflagset(client->attributes, KRB5_KDB_DISALLOW_POSTDATED) ||
isflagset(server->attributes, KRB5_KDB_DISALLOW_POSTDATED))) {
*status = "POSTDATE NOT ALLOWED";
- return(KDC_ERR_CANNOT_POSTDATE);
+ return KRB5KDC_ERR_CANNOT_POSTDATE;
}
/* Check to see if client is locked out */
if (isflagset(client->attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
*status = "CLIENT LOCKED OUT";
- return(KDC_ERR_CLIENT_REVOKED);
+ return KRB5KDC_ERR_CLIENT_REVOKED;
}
/* Check to see if server is locked out */
if (isflagset(server->attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
*status = "SERVICE LOCKED OUT";
- return(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+ return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
}
/* Check to see if server is allowed to be a service */
if (isflagset(server->attributes, KRB5_KDB_DISALLOW_SVR)) {
*status = "SERVICE NOT ALLOWED";
- return(KDC_ERR_MUST_USE_USER2USER);
+ return KRB5KDC_ERR_MUST_USE_USER2USER;
}
if (check_anon(realm, client->princ, request->server) != 0) {
*status = "ANONYMOUS NOT ALLOWED";
- return(KDC_ERR_POLICY);
+ return KRB5KDC_ERR_POLICY;
}
/* Perform KDB module policy checks. */
ret = krb5_db_check_policy_as(context, request, client, server, kdc_time,
status, e_data);
- if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP)
- return errcode_to_protocol(ret);
-
- return 0;
+ return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? 0 : ret;
}
/*
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 070a27a0e..852d9c025 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -78,12 +78,12 @@ get_local_tgt(krb5_context context, const krb5_data *realm,
krb5_db_entry *candidate, krb5_db_entry **alias_out,
krb5_db_entry **storage_out, krb5_keyblock *kb_out);
-int
+krb5_error_code
validate_as_request (kdc_realm_t *, krb5_kdc_req *, krb5_db_entry *,
krb5_db_entry *, krb5_timestamp,
const char **, krb5_pa_data ***);
-int
+krb5_error_code
validate_tgs_request(kdc_realm_t *realm, krb5_kdc_req *request,
krb5_db_entry *server, krb5_ticket *ticket, krb5_pac pac,
const krb5_ticket *stkt, krb5_pac stkt_pac,
diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c
index dfa836a13..1a1648eb0 100644
--- a/src/kdc/tgs_policy.c
+++ b/src/kdc/tgs_policy.c
@@ -64,21 +64,21 @@ static check_tgs_svc_pol_fn * const svc_pol_fns[] = {
static const struct tgsflagrule tgsflagrules[] = {
{ KDC_OPT_FORWARDED, TKT_FLG_FORWARDABLE,
- "TGT NOT FORWARDABLE", KDC_ERR_BADOPTION },
+ "TGT NOT FORWARDABLE", KRB5KDC_ERR_BADOPTION },
{ KDC_OPT_PROXY, TKT_FLG_PROXIABLE,
- "TGT NOT PROXIABLE", KDC_ERR_BADOPTION },
+ "TGT NOT PROXIABLE", KRB5KDC_ERR_BADOPTION },
{ (KDC_OPT_ALLOW_POSTDATE | KDC_OPT_POSTDATED), TKT_FLG_MAY_POSTDATE,
- "TGT NOT POSTDATABLE", KDC_ERR_BADOPTION },
+ "TGT NOT POSTDATABLE", KRB5KDC_ERR_BADOPTION },
{ KDC_OPT_VALIDATE, TKT_FLG_INVALID,
- "VALIDATE VALID TICKET", KDC_ERR_BADOPTION },
+ "VALIDATE VALID TICKET", KRB5KDC_ERR_BADOPTION },
{ KDC_OPT_RENEW, TKT_FLG_RENEWABLE,
- "TICKET NOT RENEWABLE", KDC_ERR_BADOPTION }
+ "TICKET NOT RENEWABLE", KRB5KDC_ERR_BADOPTION }
};
/*
* Some TGS-REQ options require that the ticket have corresponding flags set.
*/
-static int
+static krb5_error_code
check_tgs_opts(krb5_kdc_req *req, krb5_ticket *tkt, const char **status)
{
size_t i;
@@ -98,7 +98,7 @@ check_tgs_opts(krb5_kdc_req *req, krb5_ticket *tkt, const char **status)
if (isflagset(tkt->enc_part2->flags, TKT_FLG_INVALID) &&
!isflagset(req->kdc_options, KDC_OPT_VALIDATE)) {
*status = "TICKET NOT VALID";
- return KRB_AP_ERR_TKT_NYV;
+ return KRB5KRB_AP_ERR_TKT_NYV;
}
return 0;
@@ -106,17 +106,17 @@ check_tgs_opts(krb5_kdc_req *req, krb5_ticket *tkt, const char **status)
static const struct tgsflagrule svcdenyrules[] = {
{ KDC_OPT_RENEWABLE, KRB5_KDB_DISALLOW_RENEWABLE,
- "NON-RENEWABLE TICKET", KDC_ERR_POLICY },
+ "NON-RENEWABLE TICKET", KRB5KDC_ERR_POLICY },
{ KDC_OPT_ALLOW_POSTDATE, KRB5_KDB_DISALLOW_POSTDATED,
- "NON-POSTDATABLE TICKET", KDC_ERR_CANNOT_POSTDATE },
+ "NON-POSTDATABLE TICKET", KRB5KDC_ERR_CANNOT_POSTDATE },
{ KDC_OPT_ENC_TKT_IN_SKEY, KRB5_KDB_DISALLOW_DUP_SKEY,
- "DUP_SKEY DISALLOWED", KDC_ERR_POLICY }
+ "DUP_SKEY DISALLOWED", KRB5KDC_ERR_POLICY }
};
/*
* A service principal can forbid some TGS-REQ options.
*/
-static int
+static krb5_error_code
check_tgs_svc_deny_opts(krb5_kdc_req *req, krb5_db_entry *server,
krb5_ticket *tkt, krb5_timestamp kdc_time,
const char **status)
@@ -140,24 +140,24 @@ check_tgs_svc_deny_opts(krb5_kdc_req *req, krb5_db_entry *server,
/*
* A service principal can deny all TGS-REQs for it.
*/
-static int
+static krb5_error_code
check_tgs_svc_deny_all(krb5_kdc_req *req, krb5_db_entry *server,
krb5_ticket *tkt, krb5_timestamp kdc_time,
const char **status)
{
if (server->attributes & KRB5_KDB_DISALLOW_ALL_TIX) {
*status = "SERVER LOCKED OUT";
- return KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
}
if ((server->attributes & KRB5_KDB_DISALLOW_SVR) &&
!(req->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY)) {
*status = "SERVER NOT ALLOWED";
- return KDC_ERR_MUST_USE_USER2USER;
+ return KRB5KDC_ERR_MUST_USE_USER2USER;
}
if (server->attributes & KRB5_KDB_DISALLOW_TGT_BASED) {
if (krb5_is_tgs_principal(tkt->server)) {
*status = "TGT BASED NOT ALLOWED";
- return KDC_ERR_POLICY;
+ return KRB5KDC_ERR_POLICY;
}
}
return 0;
@@ -166,7 +166,7 @@ check_tgs_svc_deny_all(krb5_kdc_req *req, krb5_db_entry *server,
/*
* A service principal can require certain TGT flags.
*/
-static int
+static krb5_error_code
check_tgs_svc_reqd_flags(krb5_kdc_req *req, krb5_db_entry *server,
krb5_ticket *tkt,
krb5_timestamp kdc_time, const char **status)
@@ -174,30 +174,30 @@ check_tgs_svc_reqd_flags(krb5_kdc_req *req, krb5_db_entry *server,
if (server->attributes & KRB5_KDB_REQUIRES_HW_AUTH) {
if (!(tkt->enc_part2->flags & TKT_FLG_HW_AUTH)) {
*status = "NO HW PREAUTH";
- return KRB_ERR_GENERIC;
+ return KRB5KRB_ERR_GENERIC;
}
}
if (server->attributes & KRB5_KDB_REQUIRES_PRE_AUTH) {
if (!(tkt->enc_part2->flags & TKT_FLG_PRE_AUTH)) {
*status = "NO PREAUTH";
- return KRB_ERR_GENERIC;
+ return KRB5KRB_ERR_GENERIC;
}
}
return 0;
}
-static int
+static krb5_error_code
check_tgs_svc_time(krb5_kdc_req *req, krb5_db_entry *server, krb5_ticket *tkt,
krb5_timestamp kdc_time, const char **status)
{
if (server->expiration && ts_after(kdc_time, server->expiration)) {
*status = "SERVICE EXPIRED";
- return KDC_ERR_SERVICE_EXP;
+ return KRB5KDC_ERR_SERVICE_EXP;
}
return 0;
}
-static int
+static krb5_error_code
check_tgs_svc_policy(krb5_kdc_req *req, krb5_db_entry *server,
krb5_ticket *tkt, krb5_timestamp kdc_time,
const char **status)
@@ -217,7 +217,7 @@ check_tgs_svc_policy(krb5_kdc_req *req, krb5_db_entry *server,
/*
* Check header ticket timestamps against the current time.
*/
-static int
+static krb5_error_code
check_tgs_times(krb5_kdc_req *req, krb5_ticket_times *times,
krb5_timestamp kdc_time, const char **status)
{
@@ -229,7 +229,7 @@ check_tgs_times(krb5_kdc_req *req, krb5_ticket_times *times,
starttime = times->starttime ? times->starttime : times->authtime;
if (ts_after(starttime, kdc_time)) {
*status = "NOT_YET_VALID";
- return KRB_AP_ERR_TKT_NYV;
+ return KRB5KRB_AP_ERR_TKT_NYV;
}
}
/*
@@ -239,26 +239,26 @@ check_tgs_times(krb5_kdc_req *req, krb5_ticket_times *times,
if ((req->kdc_options & KDC_OPT_RENEW) &&
ts_after(kdc_time, times->renew_till)) {
*status = "TKT_EXPIRED";
- return KRB_AP_ERR_TKT_EXPIRED;
+ return KRB5KRB_AP_ERR_TKT_EXPIRED;
}
return 0;
}
/* Check for local user tickets issued by foreign realms. This check is
* skipped for S4U2Self requests. */
-static int
+static krb5_error_code
check_tgs_lineage(krb5_db_entry *server, krb5_ticket *tkt,
krb5_boolean is_crossrealm, const char **status)
{
if (is_crossrealm && data_eq(tkt->enc_part2->client->realm,
server->princ->realm)) {
*status = "INVALID LINEAGE";
- return KDC_ERR_POLICY;
+ return KRB5KDC_ERR_POLICY;
}
return 0;
}
-static int
+static krb5_error_code
check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req,
krb5_db_entry *server, krb5_ticket *tkt, krb5_pac pac,
krb5_timestamp kdc_time,
@@ -273,13 +273,13 @@ check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req,
if (!is_referral &&
!is_client_db_alias(context, server, tkt->enc_part2->client)) {
*status = "INVALID_S4U2SELF_REQUEST_SERVER_MISMATCH";
- return KRB_AP_ERR_BADMATCH;
+ return KRB5KRB_AP_ERR_BADMATCH;
}
/* S4U2Self requests must use options valid for AS requests. */
if (req->kdc_options & AS_INVALID_OPTIONS) {
*status = "INVALID S4U2SELF OPTIONS";
- return KDC_ERR_BADOPTION;
+ return KRB5KDC_ERR_BADOPTION;
}
/*
@@ -299,13 +299,13 @@ check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req,
/* This could happen if the requesting server no longer exists, and we
* found a referral instead. Treat this as a server lookup failure. */
*status = "LOOKING_UP_SERVER";
- return KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
}
if (client != NULL && is_crossrealm && !is_referral) {
/* A local server should not need a cross-realm TGT to impersonate
* a local principal. */
*status = "NOT_CROSS_REALM_REQUEST";
- return KDC_ERR_C_PRINCIPAL_UNKNOWN; /* match Windows error */
+ return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; /* match Windows error */
}
if (client == NULL && !is_crossrealm) {
/*
@@ -314,7 +314,7 @@ check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req,
* follow referrals back to us.
*/
*status = "S4U2SELF_CLIENT_NOT_OURS";
- return KDC_ERR_POLICY; /* match Windows error */
+ return KRB5KDC_ERR_POLICY; /* match Windows error */
}
if (client == NULL && s4u_x509_user->user_id.user->length == 0) {
/*
@@ -323,13 +323,13 @@ check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req,
* the subject-certificate field.
*/
*status = "INVALID_XREALM_S4U2SELF_REQUEST";
- return KDC_ERR_POLICY; /* match Windows error */
+ return KRB5KDC_ERR_POLICY; /* match Windows error */
}
/* The header ticket PAC must be present. */
if (pac == NULL) {
*status = "S4U2SELF_NO_PAC";
- return KDC_ERR_TGT_REVOKED;
+ return KRB5KDC_ERR_TGT_REVOKED;
}
if (client != NULL) {
@@ -337,7 +337,7 @@ check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req,
if (krb5_pac_verify(context, pac, tkt->enc_part2->times.authtime,
tkt->enc_part2->client, NULL, NULL) != 0) {
*status = "S4U2SELF_LOCAL_PAC_CLIENT";
- return KDC_ERR_BADOPTION;
+ return KRB5KDC_ERR_BADOPTION;
}
/* Validate the client policy. Use an empty server principal to bypass
@@ -350,7 +350,7 @@ check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req,
s4u_x509_user->user_id.user, NULL, NULL,
TRUE) != 0) {
*status = "S4U2SELF_FOREIGN_PAC_CLIENT";
- return KDC_ERR_BADOPTION;
+ return KRB5KDC_ERR_BADOPTION;
}
}
@@ -420,7 +420,7 @@ cleanup:
return result;
}
-static int
+static krb5_error_code
check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req,
krb5_db_entry *server, krb5_ticket *tkt, krb5_pac pac,
const krb5_ticket *stkt, krb5_pac stkt_pac,
@@ -430,35 +430,35 @@ check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req,
/* A forwardable second ticket must be present in the request. */
if (stkt == NULL) {
*status = "NO_2ND_TKT";
- return KDC_ERR_BADOPTION;
+ return KRB5KDC_ERR_BADOPTION;
}
if (!(stkt->enc_part2->flags & TKT_FLG_FORWARDABLE)) {
*status = "EVIDENCE_TKT_NOT_FORWARDABLE";
- return KDC_ERR_BADOPTION;
+ return KRB5KDC_ERR_BADOPTION;
}
/* Constrained delegation is mutually exclusive with renew/forward/etc.
* (and therefore requires the header ticket to be a TGT). */
if (req->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
*status = "INVALID_S4U2PROXY_OPTIONS";
- return KDC_ERR_BADOPTION;
+ return KRB5KDC_ERR_BADOPTION;
}
/* Can't get a TGT (otherwise it would be unconstrained delegation). */
if (krb5_is_tgs_principal(req->server)) {
*status = "NOT_ALLOWED_TO_DELEGATE";
- return KDC_ERR_POLICY;
+ return KRB5KDC_ERR_POLICY;
}
/* The header ticket PAC must be present and for the impersonator. */
if (pac == NULL) {
*status = "S4U2PROXY_NO_HEADER_PAC";
- return KDC_ERR_TGT_REVOKED;
+ return KRB5KDC_ERR_TGT_REVOKED;
}
if (krb5_pac_verify(context, pac, tkt->enc_part2->times.authtime,
tkt->enc_part2->client, NULL, NULL) != 0) {
*status = "S4U2PROXY_HEADER_PAC";
- return KDC_ERR_BADOPTION;
+ return KRB5KDC_ERR_BADOPTION;
}
/*
@@ -470,7 +470,7 @@ check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req,
if (stkt_pac == NULL) {
*status = "S4U2PROXY_NO_STKT_PAC";
- return KRB_AP_ERR_MODIFIED;
+ return KRB5KRB_AP_ERR_MODIFIED;
}
if (!is_crossrealm) {
/* For an initial or same-realm request, the second ticket server and
@@ -478,7 +478,7 @@ check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req,
if (!is_client_db_alias(context, stkt_server,
tkt->enc_part2->client)) {
*status = "EVIDENCE_TICKET_MISMATCH";
- return KDC_ERR_SERVER_NOMATCH;
+ return KRB5KDC_ERR_SERVER_NOMATCH;
}
/* The second ticket client and PAC client are the subject, and must
@@ -486,7 +486,7 @@ check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req,
if (krb5_pac_verify(context, stkt_pac, stkt->enc_part2->times.authtime,
stkt->enc_part2->client, NULL, NULL) != 0) {
*status = "S4U2PROXY_LOCAL_STKT_PAC";
- return KDC_ERR_BADOPTION;
+ return KRB5KDC_ERR_BADOPTION;
}
} else {
@@ -501,7 +501,7 @@ check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req,
!krb5_principal_compare(context, stkt->enc_part2->client,
tkt->enc_part2->client)) {
*status = "XREALM_EVIDENCE_TICKET_MISMATCH";
- return KDC_ERR_BADOPTION;
+ return KRB5KDC_ERR_BADOPTION;
}
/* The second ticket PAC must be present and for the impersonated
@@ -510,41 +510,41 @@ check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req,
verify_deleg_pac(context, stkt_pac, stkt->enc_part2,
req->server) != 0) {
*status = "S4U2PROXY_CROSS_STKT_PAC";
- return KDC_ERR_BADOPTION;
+ return KRB5KDC_ERR_BADOPTION;
}
}
return 0;
}
-static int
+static krb5_error_code
check_tgs_u2u(krb5_context context, krb5_kdc_req *req, const krb5_ticket *stkt,
krb5_db_entry *server, const char **status)
{
/* A second ticket must be present in the request. */
if (stkt == NULL) {
*status = "NO_2ND_TKT";
- return KDC_ERR_BADOPTION;
+ return KRB5KDC_ERR_BADOPTION;
}
/* The second ticket must be a TGT to the server realm. */
if (!is_local_tgs_principal(stkt->server) ||
!data_eq(stkt->server->data[1], server->princ->realm)) {
*status = "2ND_TKT_NOT_TGS";
- return KDC_ERR_POLICY;
+ return KRB5KDC_ERR_POLICY;
}
/* The second ticket client must match the requested server. */
if (!is_client_db_alias(context, server, stkt->enc_part2->client)) {
*status = "2ND_TKT_MISMATCH";
- return KDC_ERR_SERVER_NOMATCH;
+ return KRB5KDC_ERR_SERVER_NOMATCH;
}
return 0;
}
/* Validate the PAC of a non-S4U TGS request, if one is present. */
-static int
+static krb5_error_code
check_normal_tgs_pac(krb5_context context, krb5_enc_tkt_part *enc_tkt,
krb5_pac pac, krb5_db_entry *server,
krb5_boolean is_crossrealm, const char **status)
@@ -566,7 +566,7 @@ check_normal_tgs_pac(krb5_context context, krb5_enc_tkt_part *enc_tkt,
return 0;
*status = "HEADER_PAC";
- return KDC_ERR_BADOPTION;
+ return KRB5KDC_ERR_BADOPTION;
}
/*
@@ -574,19 +574,19 @@ check_normal_tgs_pac(krb5_context context, krb5_enc_tkt_part *enc_tkt,
* checks that are peculiar to these cases. (e.g., ticket service principal
* matches requested service principal)
*/
-static int
+static krb5_error_code
check_tgs_nontgt(krb5_context context, krb5_kdc_req *req, krb5_ticket *tkt,
const char **status)
{
if (!krb5_principal_compare(context, tkt->server, req->server)) {
*status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC";
- return KDC_ERR_SERVER_NOMATCH;
+ return KRB5KDC_ERR_SERVER_NOMATCH;
}
/* Cannot proxy ticket granting tickets. */
if ((req->kdc_options & KDC_OPT_PROXY) &&
krb5_is_tgs_principal(req->server)) {
*status = "CAN'T PROXY TGT";
- return KDC_ERR_BADOPTION;
+ return KRB5KDC_ERR_BADOPTION;
}
return 0;
}
@@ -595,23 +595,23 @@ check_tgs_nontgt(krb5_context context, krb5_kdc_req *req, krb5_ticket *tkt,
* Do some checks for a normal TGS-REQ (where the ticket service must be a TGS
* principal).
*/
-static int
+static krb5_error_code
check_tgs_tgt(krb5_kdc_req *req, krb5_ticket *tkt, const char **status)
{
/* Make sure it's a TGS principal. */
if (!krb5_is_tgs_principal(tkt->server)) {
*status = "BAD TGS SERVER NAME";
- return KRB_AP_ERR_NOT_US;
+ return KRB5KRB_AP_ERR_NOT_US;
}
/* TGS principal second component must match service realm. */
if (!data_eq(tkt->server->data[1], req->server->realm)) {
*status = "BAD TGS SERVER INSTANCE";
- return KRB_AP_ERR_NOT_US;
+ return KRB5KRB_AP_ERR_NOT_US;
}
return 0;
}
-int
+krb5_error_code
validate_tgs_request(kdc_realm_t *realm, krb5_kdc_req *request,
krb5_db_entry *server, krb5_ticket *ticket, krb5_pac pac,
const krb5_ticket *stkt, krb5_pac stkt_pac,
@@ -650,7 +650,7 @@ validate_tgs_request(kdc_realm_t *realm, krb5_kdc_req *request,
/* Check the hot list */
if (check_hot_list(ticket)) {
*status = "HOT_LIST";
- return(KRB_AP_ERR_REPEAT);
+ return(KRB5KRB_AP_ERR_REPEAT);
}
if (s4u_x509_user != NULL) {
@@ -685,14 +685,11 @@ validate_tgs_request(kdc_realm_t *realm, krb5_kdc_req *request,
if (check_anon(realm, ticket->enc_part2->client, request->server) != 0) {
*status = "ANONYMOUS NOT ALLOWED";
- return(KDC_ERR_POLICY);
+ return(KRB5KDC_ERR_POLICY);
}
/* Perform KDB module policy checks. */
ret = krb5_db_check_policy_tgs(context, request, server, ticket, status,
e_data);
- if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP)
- return errcode_to_protocol(ret);
-
- return 0;
+ return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? 0 : ret;
}
More information about the cvs-krb5
mailing list