krb5 commit: Avoid protocol error constants in KDC code

ghudson at mit.edu ghudson at mit.edu
Fri Aug 12 18:02:21 EDT 2022


https://github.com/krb5/krb5/commit/0c633b5c9fbdd840e1d131e6b82cb7a28e3b91e3
commit 0c633b5c9fbdd840e1d131e6b82cb7a28e3b91e3
Author: Greg Hudson <ghudson at mit.edu>
Date:   Thu Jul 21 13:32:50 2022 -0400

    Avoid protocol error constants in KDC code
    
    For simplicity, return com_err codes from validate_as_request() and
    validate_tgs_request() instead of protocol error constants.

 src/kdc/do_as_req.c  |  18 +++----
 src/kdc/do_tgs_req.c |  39 +++++++--------
 src/kdc/kdc_util.c   |  37 ++++++---------
 src/kdc/kdc_util.h   |   4 +-
 src/kdc/tgs_policy.c | 131 +++++++++++++++++++++++++--------------------------
 5 files changed, 103 insertions(+), 126 deletions(-)

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 0d3af592f..02b6eac04 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -76,8 +76,8 @@
 
 static krb5_error_code
 prepare_error_as(struct kdc_request_state *, krb5_kdc_req *, krb5_db_entry *,
-                 krb5_keyblock *, int, krb5_pa_data **, krb5_boolean,
-                 krb5_principal, krb5_data **, const char *);
+                 krb5_keyblock *, krb5_error_code, krb5_pa_data **,
+                 krb5_boolean, krb5_principal, krb5_data **, const char *);
 
 /* Determine the key-expiration value according to RFC 4120 section 5.4.2. */
 static krb5_timestamp
@@ -370,10 +370,6 @@ egress:
             state->status = emsg;
         }
         if (errcode != KRB5KDC_ERR_DISCARD) {
-            errcode -= ERROR_TABLE_BASE_krb5;
-            if (errcode < 0 || errcode > KRB_ERR_MAX)
-                errcode = KRB_ERR_GENERIC;
-
             errcode = prepare_error_as(state->rstate, state->request,
                                        state->local_tgt, &state->local_tgt_key,
                                        errcode, state->e_data,
@@ -634,10 +630,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     errcode = validate_as_request(realm, state->request, state->client,
                                   state->server, state->kdc_time,
                                   &state->status, &state->e_data);
-    if (errcode) {
-        errcode += ERROR_TABLE_BASE_krb5;
+    if (errcode)
         goto errout;
-    }
 
     au_state->stage = ISSUE_TKT;
 
@@ -774,7 +768,7 @@ errout:
 static krb5_error_code
 prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request,
                  krb5_db_entry *local_tgt, krb5_keyblock *local_tgt_key,
-                 int error, krb5_pa_data **e_data_in,
+                 krb5_error_code code, krb5_pa_data **e_data_in,
                  krb5_boolean typed_e_data, krb5_principal canon_client,
                  krb5_data **response, const char *status)
 {
@@ -806,9 +800,9 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request,
     retval = krb5_us_timeofday(context, &errpkt.stime, &errpkt.susec);
     if (retval)
         goto cleanup;
-    errpkt.error = error;
+    errpkt.error = errcode_to_protocol(code);
     errpkt.server = request->server;
-    errpkt.client = (error == KDC_ERR_WRONG_REALM) ? canon_client :
+    errpkt.client = (code == KRB5KDC_ERR_WRONG_REALM) ? canon_client :
         request->client;
     errpkt.text = string2data((char *)status);
 
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index b64aaf1da..63e79c082 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -70,8 +70,9 @@
 #include <ctype.h>
 
 static krb5_error_code
-prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *,krb5_ticket *,int,
-                  krb5_principal,krb5_data **,const char *, krb5_pa_data **);
+prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *, krb5_ticket *,
+                  krb5_error_code, krb5_principal, krb5_data **, const char *,
+                  krb5_pa_data **);
 
 static krb5_error_code
 decrypt_2ndtkt(krb5_context, krb5_kdc_req *, krb5_flags, krb5_db_entry *,
@@ -113,7 +114,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
     const krb5_ticket *stkt = NULL;
     krb5_enc_tkt_part enc_tkt_reply;
     int newtransited = 0;
-    krb5_error_code retval = 0;
+    krb5_error_code retval = 0, errcode;
     krb5_keyblock server_keyblock, *encrypting_key;
     krb5_timestamp kdc_time, authtime = 0;
     krb5_keyblock session_key, local_tgt_key;
@@ -121,7 +122,6 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
     krb5_principal cprinc = NULL, sprinc = NULL, altcprinc = NULL;
     krb5_principal stkt_authdata_client = NULL;
     krb5_last_req_entry *nolrarray[2], nolrentry;
-    int errcode;
     const char        *status = 0;
     krb5_enc_tkt_part *header_enc_tkt = NULL; /* TGT */
     krb5_enc_tkt_part *subject_tkt = NULL; /* TGT or evidence ticket */
@@ -290,15 +290,14 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
     if (errcode)
         goto cleanup;
 
-    retval = validate_tgs_request(realm, request, server, header_ticket,
-                                  header_pac, stkt, stkt_pac, stkt_server,
-                                  kdc_time, s4u_x509_user, client,
-                                  is_crossrealm, is_referral, &status,
-                                  &e_data);
-    if (retval) {
-        if (retval == KDC_ERR_POLICY || retval == KDC_ERR_BADOPTION)
+    errcode = validate_tgs_request(realm, request, server, header_ticket,
+                                   header_pac, stkt, stkt_pac, stkt_server,
+                                   kdc_time, s4u_x509_user, client,
+                                   is_crossrealm, is_referral, &status,
+                                   &e_data);
+    if (errcode) {
+        if (errcode == KRB5KDC_ERR_POLICY || errcode == KRB5KDC_ERR_BADOPTION)
             au_state->violation = PROT_CONSTRAINT;
-        errcode = retval + ERROR_TABLE_BASE_krb5;
         goto cleanup;
     }
 
@@ -313,7 +312,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
                                             header_ticket->enc_part2->client,
                                             server, &stkt_authdata_client,
                                             &status);
-        if (errcode == KDC_ERR_POLICY || errcode == KDC_ERR_BADOPTION)
+        if (errcode == KRB5KDC_ERR_POLICY || errcode == KRB5KDC_ERR_BADOPTION)
             au_state->violation = PROT_CONSTRAINT;
         else if (errcode)
             au_state->violation = LOCAL_POLICY;
@@ -720,9 +719,6 @@ cleanup:
             status = krb5_get_error_message(context, errcode);
             got_err = 1;
         }
-        errcode -= ERROR_TABLE_BASE_krb5;
-        if (errcode < 0 || errcode > KRB_ERR_MAX)
-            errcode = KRB_ERR_GENERIC;
 
         retval = prepare_error_tgs(state, request, header_ticket, errcode,
                                    (server != NULL) ? server->princ : NULL,
@@ -774,11 +770,10 @@ cleanup:
 }
 
 static krb5_error_code
-prepare_error_tgs (struct kdc_request_state *state,
-                   krb5_kdc_req *request, krb5_ticket *ticket, int error,
-                   krb5_principal canon_server,
-                   krb5_data **response, const char *status,
-                   krb5_pa_data **e_data)
+prepare_error_tgs(struct kdc_request_state *state, krb5_kdc_req *request,
+                  krb5_ticket *ticket, krb5_error_code code,
+                  krb5_principal canon_server, krb5_data **response,
+                  const char *status, krb5_pa_data **e_data)
 {
     krb5_context context = state->realm_data->realm_context;
     krb5_error errpkt;
@@ -792,7 +787,7 @@ prepare_error_tgs (struct kdc_request_state *state,
     retval = krb5_us_timeofday(context, &errpkt.stime, &errpkt.susec);
     if (retval)
         return(retval);
-    errpkt.error = error;
+    errpkt.error = errcode_to_protocol(code);
     errpkt.server = request->server;
     if (ticket && ticket->enc_part2)
         errpkt.client = ticket->enc_part2->client;
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 01a4fdb1b..d6c61f4aa 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -659,13 +659,7 @@ check_anon(kdc_realm_t *realm, krb5_principal client, krb5_principal server)
     return 0;
 }
 
-/*
- * Routines that validate a AS request; checks a lot of things.  :-)
- *
- * Returns a Kerberos protocol error number, which is _not_ the same
- * as a com_err error number!
- */
-int
+krb5_error_code
 validate_as_request(kdc_realm_t *realm, krb5_kdc_req *request,
                     krb5_db_entry *client, krb5_db_entry *server,
                     krb5_timestamp kdc_time, const char **status,
@@ -679,16 +673,16 @@ validate_as_request(kdc_realm_t *realm, krb5_kdc_req *request,
      */
     if (request->kdc_options & AS_INVALID_OPTIONS) {
         *status = "INVALID AS OPTIONS";
-        return KDC_ERR_BADOPTION;
+        return KRB5KDC_ERR_BADOPTION;
     }
 
     /* The client must not be expired */
     if (client->expiration && ts_after(kdc_time, client->expiration)) {
         *status = "CLIENT EXPIRED";
         if (vague_errors)
-            return(KRB_ERR_GENERIC);
+            return KRB5KRB_ERR_GENERIC;
         else
-            return(KDC_ERR_NAME_EXP);
+            return KRB5KDC_ERR_NAME_EXP;
     }
 
     /* The client's password must not be expired, unless the server is
@@ -697,15 +691,15 @@ validate_as_request(kdc_realm_t *realm, krb5_kdc_req *request,
         !isflagset(server->attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
         *status = "CLIENT KEY EXPIRED";
         if (vague_errors)
-            return(KRB_ERR_GENERIC);
+            return KRB5KRB_ERR_GENERIC;
         else
-            return(KDC_ERR_KEY_EXP);
+            return KRB5KDC_ERR_KEY_EXP;
     }
 
     /* The server must not be expired */
     if (server->expiration && ts_after(kdc_time, server->expiration)) {
         *status = "SERVICE EXPIRED";
-        return(KDC_ERR_SERVICE_EXP);
+        return KRB5KDC_ERR_SERVICE_EXP;
     }
 
     /*
@@ -715,7 +709,7 @@ validate_as_request(kdc_realm_t *realm, krb5_kdc_req *request,
     if (isflagset(client->attributes, KRB5_KDB_REQUIRES_PWCHANGE) &&
         !isflagset(server->attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
         *status = "REQUIRED PWCHANGE";
-        return(KDC_ERR_KEY_EXP);
+        return KRB5KDC_ERR_KEY_EXP;
     }
 
     /* Client and server must allow postdating tickets */
@@ -724,39 +718,36 @@ validate_as_request(kdc_realm_t *realm, krb5_kdc_req *request,
         (isflagset(client->attributes, KRB5_KDB_DISALLOW_POSTDATED) ||
          isflagset(server->attributes, KRB5_KDB_DISALLOW_POSTDATED))) {
         *status = "POSTDATE NOT ALLOWED";
-        return(KDC_ERR_CANNOT_POSTDATE);
+        return KRB5KDC_ERR_CANNOT_POSTDATE;
     }
 
     /* Check to see if client is locked out */
     if (isflagset(client->attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
         *status = "CLIENT LOCKED OUT";
-        return(KDC_ERR_CLIENT_REVOKED);
+        return KRB5KDC_ERR_CLIENT_REVOKED;
     }
 
     /* Check to see if server is locked out */
     if (isflagset(server->attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
         *status = "SERVICE LOCKED OUT";
-        return(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+        return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
     }
 
     /* Check to see if server is allowed to be a service */
     if (isflagset(server->attributes, KRB5_KDB_DISALLOW_SVR)) {
         *status = "SERVICE NOT ALLOWED";
-        return(KDC_ERR_MUST_USE_USER2USER);
+        return KRB5KDC_ERR_MUST_USE_USER2USER;
     }
 
     if (check_anon(realm, client->princ, request->server) != 0) {
         *status = "ANONYMOUS NOT ALLOWED";
-        return(KDC_ERR_POLICY);
+        return KRB5KDC_ERR_POLICY;
     }
 
     /* Perform KDB module policy checks. */
     ret = krb5_db_check_policy_as(context, request, client, server, kdc_time,
                                   status, e_data);
-    if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP)
-        return errcode_to_protocol(ret);
-
-    return 0;
+    return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? 0 : ret;
 }
 
 /*
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 070a27a0e..852d9c025 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -78,12 +78,12 @@ get_local_tgt(krb5_context context, const krb5_data *realm,
               krb5_db_entry *candidate, krb5_db_entry **alias_out,
               krb5_db_entry **storage_out, krb5_keyblock *kb_out);
 
-int
+krb5_error_code
 validate_as_request (kdc_realm_t *, krb5_kdc_req *, krb5_db_entry *,
                      krb5_db_entry *, krb5_timestamp,
                      const char **, krb5_pa_data ***);
 
-int
+krb5_error_code
 validate_tgs_request(kdc_realm_t *realm, krb5_kdc_req *request,
                      krb5_db_entry *server, krb5_ticket *ticket, krb5_pac pac,
                      const krb5_ticket *stkt, krb5_pac stkt_pac,
diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c
index dfa836a13..1a1648eb0 100644
--- a/src/kdc/tgs_policy.c
+++ b/src/kdc/tgs_policy.c
@@ -64,21 +64,21 @@ static check_tgs_svc_pol_fn * const svc_pol_fns[] = {
 
 static const struct tgsflagrule tgsflagrules[] = {
     { KDC_OPT_FORWARDED, TKT_FLG_FORWARDABLE,
-      "TGT NOT FORWARDABLE", KDC_ERR_BADOPTION },
+      "TGT NOT FORWARDABLE", KRB5KDC_ERR_BADOPTION },
     { KDC_OPT_PROXY, TKT_FLG_PROXIABLE,
-      "TGT NOT PROXIABLE", KDC_ERR_BADOPTION },
+      "TGT NOT PROXIABLE", KRB5KDC_ERR_BADOPTION },
     { (KDC_OPT_ALLOW_POSTDATE | KDC_OPT_POSTDATED), TKT_FLG_MAY_POSTDATE,
-      "TGT NOT POSTDATABLE", KDC_ERR_BADOPTION },
+      "TGT NOT POSTDATABLE", KRB5KDC_ERR_BADOPTION },
     { KDC_OPT_VALIDATE, TKT_FLG_INVALID,
-      "VALIDATE VALID TICKET", KDC_ERR_BADOPTION },
+      "VALIDATE VALID TICKET", KRB5KDC_ERR_BADOPTION },
     { KDC_OPT_RENEW, TKT_FLG_RENEWABLE,
-      "TICKET NOT RENEWABLE", KDC_ERR_BADOPTION }
+      "TICKET NOT RENEWABLE", KRB5KDC_ERR_BADOPTION }
 };
 
 /*
  * Some TGS-REQ options require that the ticket have corresponding flags set.
  */
-static int
+static krb5_error_code
 check_tgs_opts(krb5_kdc_req *req, krb5_ticket *tkt, const char **status)
 {
     size_t i;
@@ -98,7 +98,7 @@ check_tgs_opts(krb5_kdc_req *req, krb5_ticket *tkt, const char **status)
     if (isflagset(tkt->enc_part2->flags, TKT_FLG_INVALID) &&
         !isflagset(req->kdc_options, KDC_OPT_VALIDATE)) {
         *status = "TICKET NOT VALID";
-        return KRB_AP_ERR_TKT_NYV;
+        return KRB5KRB_AP_ERR_TKT_NYV;
     }
 
     return 0;
@@ -106,17 +106,17 @@ check_tgs_opts(krb5_kdc_req *req, krb5_ticket *tkt, const char **status)
 
 static const struct tgsflagrule svcdenyrules[] = {
     { KDC_OPT_RENEWABLE, KRB5_KDB_DISALLOW_RENEWABLE,
-      "NON-RENEWABLE TICKET", KDC_ERR_POLICY },
+      "NON-RENEWABLE TICKET", KRB5KDC_ERR_POLICY },
     { KDC_OPT_ALLOW_POSTDATE, KRB5_KDB_DISALLOW_POSTDATED,
-      "NON-POSTDATABLE TICKET", KDC_ERR_CANNOT_POSTDATE },
+      "NON-POSTDATABLE TICKET", KRB5KDC_ERR_CANNOT_POSTDATE },
     { KDC_OPT_ENC_TKT_IN_SKEY, KRB5_KDB_DISALLOW_DUP_SKEY,
-      "DUP_SKEY DISALLOWED", KDC_ERR_POLICY }
+      "DUP_SKEY DISALLOWED", KRB5KDC_ERR_POLICY }
 };
 
 /*
  * A service principal can forbid some TGS-REQ options.
  */
-static int
+static krb5_error_code
 check_tgs_svc_deny_opts(krb5_kdc_req *req, krb5_db_entry *server,
                         krb5_ticket *tkt, krb5_timestamp kdc_time,
                         const char **status)
@@ -140,24 +140,24 @@ check_tgs_svc_deny_opts(krb5_kdc_req *req, krb5_db_entry *server,
 /*
  * A service principal can deny all TGS-REQs for it.
  */
-static int
+static krb5_error_code
 check_tgs_svc_deny_all(krb5_kdc_req *req, krb5_db_entry *server,
                        krb5_ticket *tkt, krb5_timestamp kdc_time,
                        const char **status)
 {
     if (server->attributes & KRB5_KDB_DISALLOW_ALL_TIX) {
         *status = "SERVER LOCKED OUT";
-        return KDC_ERR_S_PRINCIPAL_UNKNOWN;
+        return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
     }
     if ((server->attributes & KRB5_KDB_DISALLOW_SVR) &&
         !(req->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY)) {
         *status = "SERVER NOT ALLOWED";
-        return KDC_ERR_MUST_USE_USER2USER;
+        return KRB5KDC_ERR_MUST_USE_USER2USER;
     }
     if (server->attributes & KRB5_KDB_DISALLOW_TGT_BASED) {
         if (krb5_is_tgs_principal(tkt->server)) {
             *status = "TGT BASED NOT ALLOWED";
-            return KDC_ERR_POLICY;
+            return KRB5KDC_ERR_POLICY;
         }
     }
     return 0;
@@ -166,7 +166,7 @@ check_tgs_svc_deny_all(krb5_kdc_req *req, krb5_db_entry *server,
 /*
  * A service principal can require certain TGT flags.
  */
-static int
+static krb5_error_code
 check_tgs_svc_reqd_flags(krb5_kdc_req *req, krb5_db_entry *server,
                          krb5_ticket *tkt,
                          krb5_timestamp kdc_time, const char **status)
@@ -174,30 +174,30 @@ check_tgs_svc_reqd_flags(krb5_kdc_req *req, krb5_db_entry *server,
     if (server->attributes & KRB5_KDB_REQUIRES_HW_AUTH) {
         if (!(tkt->enc_part2->flags & TKT_FLG_HW_AUTH)) {
             *status = "NO HW PREAUTH";
-            return KRB_ERR_GENERIC;
+            return KRB5KRB_ERR_GENERIC;
         }
     }
     if (server->attributes & KRB5_KDB_REQUIRES_PRE_AUTH) {
         if (!(tkt->enc_part2->flags & TKT_FLG_PRE_AUTH)) {
             *status = "NO PREAUTH";
-            return KRB_ERR_GENERIC;
+            return KRB5KRB_ERR_GENERIC;
         }
     }
     return 0;
 }
 
-static int
+static krb5_error_code
 check_tgs_svc_time(krb5_kdc_req *req, krb5_db_entry *server, krb5_ticket *tkt,
                    krb5_timestamp kdc_time, const char **status)
 {
     if (server->expiration && ts_after(kdc_time, server->expiration)) {
         *status = "SERVICE EXPIRED";
-        return KDC_ERR_SERVICE_EXP;
+        return KRB5KDC_ERR_SERVICE_EXP;
     }
     return 0;
 }
 
-static int
+static krb5_error_code
 check_tgs_svc_policy(krb5_kdc_req *req, krb5_db_entry *server,
                      krb5_ticket *tkt, krb5_timestamp kdc_time,
                      const char **status)
@@ -217,7 +217,7 @@ check_tgs_svc_policy(krb5_kdc_req *req, krb5_db_entry *server,
 /*
  * Check header ticket timestamps against the current time.
  */
-static int
+static krb5_error_code
 check_tgs_times(krb5_kdc_req *req, krb5_ticket_times *times,
                 krb5_timestamp kdc_time, const char **status)
 {
@@ -229,7 +229,7 @@ check_tgs_times(krb5_kdc_req *req, krb5_ticket_times *times,
         starttime = times->starttime ? times->starttime : times->authtime;
         if (ts_after(starttime, kdc_time)) {
             *status = "NOT_YET_VALID";
-            return KRB_AP_ERR_TKT_NYV;
+            return KRB5KRB_AP_ERR_TKT_NYV;
         }
     }
     /*
@@ -239,26 +239,26 @@ check_tgs_times(krb5_kdc_req *req, krb5_ticket_times *times,
     if ((req->kdc_options & KDC_OPT_RENEW) &&
         ts_after(kdc_time, times->renew_till)) {
         *status = "TKT_EXPIRED";
-        return KRB_AP_ERR_TKT_EXPIRED;
+        return KRB5KRB_AP_ERR_TKT_EXPIRED;
     }
     return 0;
 }
 
 /* Check for local user tickets issued by foreign realms.  This check is
  * skipped for S4U2Self requests. */
-static int
+static krb5_error_code
 check_tgs_lineage(krb5_db_entry *server, krb5_ticket *tkt,
                   krb5_boolean is_crossrealm, const char **status)
 {
     if (is_crossrealm && data_eq(tkt->enc_part2->client->realm,
                                  server->princ->realm)) {
         *status = "INVALID LINEAGE";
-        return KDC_ERR_POLICY;
+        return KRB5KDC_ERR_POLICY;
     }
     return 0;
 }
 
-static int
+static krb5_error_code
 check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req,
                    krb5_db_entry *server, krb5_ticket *tkt, krb5_pac pac,
                    krb5_timestamp kdc_time,
@@ -273,13 +273,13 @@ check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req,
     if (!is_referral &&
         !is_client_db_alias(context, server, tkt->enc_part2->client)) {
         *status = "INVALID_S4U2SELF_REQUEST_SERVER_MISMATCH";
-        return KRB_AP_ERR_BADMATCH;
+        return KRB5KRB_AP_ERR_BADMATCH;
     }
 
     /* S4U2Self requests must use options valid for AS requests. */
     if (req->kdc_options & AS_INVALID_OPTIONS) {
         *status = "INVALID S4U2SELF OPTIONS";
-        return KDC_ERR_BADOPTION;
+        return KRB5KDC_ERR_BADOPTION;
     }
 
     /*
@@ -299,13 +299,13 @@ check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req,
         /* This could happen if the requesting server no longer exists, and we
          * found a referral instead.  Treat this as a server lookup failure. */
         *status = "LOOKING_UP_SERVER";
-        return KDC_ERR_S_PRINCIPAL_UNKNOWN;
+        return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
     }
     if (client != NULL && is_crossrealm && !is_referral) {
         /* A local server should not need a cross-realm TGT to impersonate
          * a local principal. */
         *status = "NOT_CROSS_REALM_REQUEST";
-        return KDC_ERR_C_PRINCIPAL_UNKNOWN; /* match Windows error */
+        return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; /* match Windows error */
     }
     if (client == NULL && !is_crossrealm) {
         /*
@@ -314,7 +314,7 @@ check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req,
          * follow referrals back to us.
          */
         *status = "S4U2SELF_CLIENT_NOT_OURS";
-        return KDC_ERR_POLICY; /* match Windows error */
+        return KRB5KDC_ERR_POLICY; /* match Windows error */
     }
     if (client == NULL && s4u_x509_user->user_id.user->length == 0) {
         /*
@@ -323,13 +323,13 @@ check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req,
          * the subject-certificate field.
          */
         *status = "INVALID_XREALM_S4U2SELF_REQUEST";
-        return KDC_ERR_POLICY; /* match Windows error */
+        return KRB5KDC_ERR_POLICY; /* match Windows error */
     }
 
     /* The header ticket PAC must be present. */
     if (pac == NULL) {
         *status = "S4U2SELF_NO_PAC";
-        return KDC_ERR_TGT_REVOKED;
+        return KRB5KDC_ERR_TGT_REVOKED;
     }
 
     if (client != NULL) {
@@ -337,7 +337,7 @@ check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req,
         if (krb5_pac_verify(context, pac, tkt->enc_part2->times.authtime,
                             tkt->enc_part2->client, NULL, NULL) != 0) {
             *status = "S4U2SELF_LOCAL_PAC_CLIENT";
-            return KDC_ERR_BADOPTION;
+            return KRB5KDC_ERR_BADOPTION;
         }
 
         /* Validate the client policy.  Use an empty server principal to bypass
@@ -350,7 +350,7 @@ check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req,
                                 s4u_x509_user->user_id.user, NULL, NULL,
                                 TRUE) != 0) {
             *status = "S4U2SELF_FOREIGN_PAC_CLIENT";
-            return KDC_ERR_BADOPTION;
+            return KRB5KDC_ERR_BADOPTION;
         }
     }
 
@@ -420,7 +420,7 @@ cleanup:
     return result;
 }
 
-static int
+static krb5_error_code
 check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req,
                     krb5_db_entry *server, krb5_ticket *tkt, krb5_pac pac,
                     const krb5_ticket *stkt, krb5_pac stkt_pac,
@@ -430,35 +430,35 @@ check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req,
     /* A forwardable second ticket must be present in the request. */
     if (stkt == NULL) {
         *status = "NO_2ND_TKT";
-        return KDC_ERR_BADOPTION;
+        return KRB5KDC_ERR_BADOPTION;
     }
     if (!(stkt->enc_part2->flags & TKT_FLG_FORWARDABLE)) {
         *status = "EVIDENCE_TKT_NOT_FORWARDABLE";
-        return KDC_ERR_BADOPTION;
+        return KRB5KDC_ERR_BADOPTION;
     }
 
     /* Constrained delegation is mutually exclusive with renew/forward/etc.
      * (and therefore requires the header ticket to be a TGT). */
     if (req->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
         *status = "INVALID_S4U2PROXY_OPTIONS";
-        return KDC_ERR_BADOPTION;
+        return KRB5KDC_ERR_BADOPTION;
     }
 
     /* Can't get a TGT (otherwise it would be unconstrained delegation). */
     if (krb5_is_tgs_principal(req->server)) {
         *status = "NOT_ALLOWED_TO_DELEGATE";
-        return KDC_ERR_POLICY;
+        return KRB5KDC_ERR_POLICY;
     }
 
     /* The header ticket PAC must be present and for the impersonator. */
     if (pac == NULL) {
         *status = "S4U2PROXY_NO_HEADER_PAC";
-        return KDC_ERR_TGT_REVOKED;
+        return KRB5KDC_ERR_TGT_REVOKED;
     }
     if (krb5_pac_verify(context, pac, tkt->enc_part2->times.authtime,
                         tkt->enc_part2->client, NULL, NULL) != 0) {
         *status = "S4U2PROXY_HEADER_PAC";
-        return KDC_ERR_BADOPTION;
+        return KRB5KDC_ERR_BADOPTION;
     }
 
     /*
@@ -470,7 +470,7 @@ check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req,
 
     if (stkt_pac == NULL) {
         *status = "S4U2PROXY_NO_STKT_PAC";
-        return KRB_AP_ERR_MODIFIED;
+        return KRB5KRB_AP_ERR_MODIFIED;
     }
     if (!is_crossrealm) {
         /* For an initial or same-realm request, the second ticket server and
@@ -478,7 +478,7 @@ check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req,
         if (!is_client_db_alias(context, stkt_server,
                                 tkt->enc_part2->client)) {
             *status = "EVIDENCE_TICKET_MISMATCH";
-            return KDC_ERR_SERVER_NOMATCH;
+            return KRB5KDC_ERR_SERVER_NOMATCH;
         }
 
         /* The second ticket client and PAC client are the subject, and must
@@ -486,7 +486,7 @@ check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req,
         if (krb5_pac_verify(context, stkt_pac, stkt->enc_part2->times.authtime,
                             stkt->enc_part2->client, NULL, NULL) != 0) {
             *status = "S4U2PROXY_LOCAL_STKT_PAC";
-            return KDC_ERR_BADOPTION;
+            return KRB5KDC_ERR_BADOPTION;
         }
 
     } else {
@@ -501,7 +501,7 @@ check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req,
             !krb5_principal_compare(context, stkt->enc_part2->client,
                                     tkt->enc_part2->client)) {
             *status = "XREALM_EVIDENCE_TICKET_MISMATCH";
-            return KDC_ERR_BADOPTION;
+            return KRB5KDC_ERR_BADOPTION;
         }
 
         /* The second ticket PAC must be present and for the impersonated
@@ -510,41 +510,41 @@ check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req,
             verify_deleg_pac(context, stkt_pac, stkt->enc_part2,
                              req->server) != 0) {
             *status = "S4U2PROXY_CROSS_STKT_PAC";
-            return KDC_ERR_BADOPTION;
+            return KRB5KDC_ERR_BADOPTION;
         }
     }
 
     return 0;
 }
 
-static int
+static krb5_error_code
 check_tgs_u2u(krb5_context context, krb5_kdc_req *req, const krb5_ticket *stkt,
               krb5_db_entry *server, const char **status)
 {
     /* A second ticket must be present in the request. */
     if (stkt == NULL) {
         *status = "NO_2ND_TKT";
-        return KDC_ERR_BADOPTION;
+        return KRB5KDC_ERR_BADOPTION;
     }
 
     /* The second ticket must be a TGT to the server realm. */
     if (!is_local_tgs_principal(stkt->server) ||
         !data_eq(stkt->server->data[1], server->princ->realm)) {
         *status = "2ND_TKT_NOT_TGS";
-        return KDC_ERR_POLICY;
+        return KRB5KDC_ERR_POLICY;
     }
 
     /* The second ticket client must match the requested server. */
     if (!is_client_db_alias(context, server, stkt->enc_part2->client)) {
         *status = "2ND_TKT_MISMATCH";
-        return KDC_ERR_SERVER_NOMATCH;
+        return KRB5KDC_ERR_SERVER_NOMATCH;
     }
 
     return 0;
 }
 
 /* Validate the PAC of a non-S4U TGS request, if one is present. */
-static int
+static krb5_error_code
 check_normal_tgs_pac(krb5_context context, krb5_enc_tkt_part *enc_tkt,
                      krb5_pac pac, krb5_db_entry *server,
                      krb5_boolean is_crossrealm, const char **status)
@@ -566,7 +566,7 @@ check_normal_tgs_pac(krb5_context context, krb5_enc_tkt_part *enc_tkt,
         return 0;
 
     *status = "HEADER_PAC";
-    return KDC_ERR_BADOPTION;
+    return KRB5KDC_ERR_BADOPTION;
 }
 
 /*
@@ -574,19 +574,19 @@ check_normal_tgs_pac(krb5_context context, krb5_enc_tkt_part *enc_tkt,
  * checks that are peculiar to these cases.  (e.g., ticket service principal
  * matches requested service principal)
  */
-static int
+static krb5_error_code
 check_tgs_nontgt(krb5_context context, krb5_kdc_req *req, krb5_ticket *tkt,
                  const char **status)
 {
     if (!krb5_principal_compare(context, tkt->server, req->server)) {
         *status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC";
-        return KDC_ERR_SERVER_NOMATCH;
+        return KRB5KDC_ERR_SERVER_NOMATCH;
     }
     /* Cannot proxy ticket granting tickets. */
     if ((req->kdc_options & KDC_OPT_PROXY) &&
         krb5_is_tgs_principal(req->server)) {
         *status = "CAN'T PROXY TGT";
-        return KDC_ERR_BADOPTION;
+        return KRB5KDC_ERR_BADOPTION;
     }
     return 0;
 }
@@ -595,23 +595,23 @@ check_tgs_nontgt(krb5_context context, krb5_kdc_req *req, krb5_ticket *tkt,
  * Do some checks for a normal TGS-REQ (where the ticket service must be a TGS
  * principal).
  */
-static int
+static krb5_error_code
 check_tgs_tgt(krb5_kdc_req *req, krb5_ticket *tkt, const char **status)
 {
     /* Make sure it's a TGS principal. */
     if (!krb5_is_tgs_principal(tkt->server)) {
         *status = "BAD TGS SERVER NAME";
-        return KRB_AP_ERR_NOT_US;
+        return KRB5KRB_AP_ERR_NOT_US;
     }
     /* TGS principal second component must match service realm. */
     if (!data_eq(tkt->server->data[1], req->server->realm)) {
         *status = "BAD TGS SERVER INSTANCE";
-        return KRB_AP_ERR_NOT_US;
+        return KRB5KRB_AP_ERR_NOT_US;
     }
     return 0;
 }
 
-int
+krb5_error_code
 validate_tgs_request(kdc_realm_t *realm, krb5_kdc_req *request,
                      krb5_db_entry *server, krb5_ticket *ticket, krb5_pac pac,
                      const krb5_ticket *stkt, krb5_pac stkt_pac,
@@ -650,7 +650,7 @@ validate_tgs_request(kdc_realm_t *realm, krb5_kdc_req *request,
     /* Check the hot list */
     if (check_hot_list(ticket)) {
         *status = "HOT_LIST";
-        return(KRB_AP_ERR_REPEAT);
+        return(KRB5KRB_AP_ERR_REPEAT);
     }
 
     if (s4u_x509_user != NULL) {
@@ -685,14 +685,11 @@ validate_tgs_request(kdc_realm_t *realm, krb5_kdc_req *request,
 
     if (check_anon(realm, ticket->enc_part2->client, request->server) != 0) {
         *status = "ANONYMOUS NOT ALLOWED";
-        return(KDC_ERR_POLICY);
+        return(KRB5KDC_ERR_POLICY);
     }
 
     /* Perform KDB module policy checks. */
     ret = krb5_db_check_policy_tgs(context, request, server, ticket, status,
                                    e_data);
-    if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP)
-        return errcode_to_protocol(ret);
-
-    return 0;
+    return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? 0 : ret;
 }


More information about the cvs-krb5 mailing list