From: Greg Hudson Date: Mon, 14 Oct 2013 21:02:31 +0000 (-0400) Subject: Use protocol error for PKINIT cert expiry X-Git-Tag: krb5-1.13-alpha1~349 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cd59782cb32b79e4001a86b0fe47af8b6275ef0c;p=thirdparty%2Fkrb5.git Use protocol error for PKINIT cert expiry If we fail to create a cert chain in cms_signeddata_create(), return KRB5KDC_ERR_PREAUTH_FAILED, which corresponds to a protocol code, rather than KRB5_PREAUTH_FAILED, which doesn't. This is also more consistent with other error clauses in the same function. ticket: 7718 (new) target_version: 1.12 tags: pullup --- diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index af6aea8787..b661320120 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -1109,7 +1109,7 @@ cms_signeddata_create(krb5_context context, pkiDebug("failed to create a certificate chain: %s\n", msg); if (!sk_X509_num(id_cryptoctx->trustedCAs)) pkiDebug("No trusted CAs found. Check your X509_anchors\n"); - retval = KRB5_PREAUTH_FAILED; + retval = KRB5KDC_ERR_PREAUTH_FAILED; krb5_set_error_message(context, retval, _("Cannot create cert chain: %s"), msg); goto cleanup;
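Review bot: the `krb5_set_error_message` call in this hunk still reports only `msg`, while the more actionable hint ("No trusted CAs found. Check your X509_anchors") is emitted only through `pkiDebug` when `sk_X509_num(id_cryptoctx->trustedCAs)` is zero. Since the error is now surfaced as the protocol-level `KRB5KDC_ERR_PREAUTH_FAILED`, the string set here is what an administrator will actually see, so consider appending that hint to the error message in the no-trusted-CAs branch rather than leaving it in debug output alone. The code swap itself is consistent with the commit message: `KRB5_PREAUTH_FAILED` is a library-local code with no protocol mapping, and the other error clauses in `cms_signeddata_create()` already use the `KRB5KDC_ERR_*` form.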