[27963] in CVS-changelog-for-Kerberos-V5
krb5 commit: Use protocol error for PKINIT cert expiry
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Oct 17 14:21:14 2013
Date: Thu, 17 Oct 2013 14:21:09 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201310171821.r9HIL97o030970@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/cd59782cb32b79e4001a86b0fe47af8b6275ef0c
commit cd59782cb32b79e4001a86b0fe47af8b6275ef0c
Author: Greg Hudson <ghudson@mit.edu>
Date: Mon Oct 14 17:02:31 2013 -0400
Use protocol error for PKINIT cert expiry
If we fail to create a cert chain in cms_signeddata_create(), return
KRB5KDC_ERR_PREAUTH_FAILED, which corresponds to a protocol code,
rather than KRB5_PREAUTH_FAILED, which doesn't. This is also more
consistent with other error clauses in the same function.
ticket: 7718 (new)
target_version: 1.12
tags: pullup
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index af6aea8..b661320 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1109,7 +1109,7 @@ cms_signeddata_create(krb5_context context,
pkiDebug("failed to create a certificate chain: %s\n", msg);
if (!sk_X509_num(id_cryptoctx->trustedCAs))
pkiDebug("No trusted CAs found. Check your X509_anchors\n");
- retval = KRB5_PREAUTH_FAILED;
+ retval = KRB5KDC_ERR_PREAUTH_FAILED;
krb5_set_error_message(context, retval,
_("Cannot create cert chain: %s"), msg);
goto cleanup;
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5