diff options
author | Greg Hudson <ghudson@mit.edu> | 2022-07-21 13:32:50 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2022-08-12 17:26:35 -0400 |
commit | 0c633b5c9fbdd840e1d131e6b82cb7a28e3b91e3 (patch) | |
tree | 0d1b28b8c1db39547c23a522598eada3a690ede4 /src | |
parent | 4f94e95850daa27bbf3471eae1a6a2e532910d85 (diff) | |
download | krb5-0c633b5c9fbdd840e1d131e6b82cb7a28e3b91e3.tar.gz |
Avoid protocol error constants in KDC code
For simplicity, return com_err codes from validate_as_request() and
validate_tgs_request() instead of protocol error constants.
Diffstat (limited to 'src')
-rw-r--r-- | src/kdc/do_as_req.c | 18 | ||||
-rw-r--r-- | src/kdc/do_tgs_req.c | 39 | ||||
-rw-r--r-- | src/kdc/kdc_util.c | 37 | ||||
-rw-r--r-- | src/kdc/kdc_util.h | 4 | ||||
-rw-r--r-- | src/kdc/tgs_policy.c | 131 |
5 files changed, 103 insertions, 126 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 0d3af592f..02b6eac04 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -76,8 +76,8 @@ static krb5_error_code prepare_error_as(struct kdc_request_state *, krb5_kdc_req *, krb5_db_entry *, - krb5_keyblock *, int, krb5_pa_data **, krb5_boolean, - krb5_principal, krb5_data **, const char *); + krb5_keyblock *, krb5_error_code, krb5_pa_data **, + krb5_boolean, krb5_principal, krb5_data **, const char *); /* Determine the key-expiration value according to RFC 4120 section 5.4.2. */ static krb5_timestamp @@ -370,10 +370,6 @@ egress: state->status = emsg; } if (errcode != KRB5KDC_ERR_DISCARD) { - errcode -= ERROR_TABLE_BASE_krb5; - if (errcode < 0 || errcode > KRB_ERR_MAX) - errcode = KRB_ERR_GENERIC; - errcode = prepare_error_as(state->rstate, state->request, state->local_tgt, &state->local_tgt_key, errcode, state->e_data, @@ -634,10 +630,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, errcode = validate_as_request(realm, state->request, state->client, state->server, state->kdc_time, &state->status, &state->e_data); - if (errcode) { - errcode += ERROR_TABLE_BASE_krb5; + if (errcode) goto errout; - } au_state->stage = ISSUE_TKT; @@ -774,7 +768,7 @@ errout: static krb5_error_code prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request, krb5_db_entry *local_tgt, krb5_keyblock *local_tgt_key, - int error, krb5_pa_data **e_data_in, + krb5_error_code code, krb5_pa_data **e_data_in, krb5_boolean typed_e_data, krb5_principal canon_client, krb5_data **response, const char *status) { @@ -806,9 +800,9 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request, retval = krb5_us_timeofday(context, &errpkt.stime, &errpkt.susec); if (retval) goto cleanup; - errpkt.error = error; + errpkt.error = errcode_to_protocol(code); errpkt.server = request->server; - errpkt.client = (error == KDC_ERR_WRONG_REALM) ? canon_client : + errpkt.client = (code == KRB5KDC_ERR_WRONG_REALM) ? canon_client : request->client; errpkt.text = string2data((char *)status); diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index b64aaf1da..63e79c082 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -70,8 +70,9 @@ #include <ctype.h> static krb5_error_code -prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *,krb5_ticket *,int, - krb5_principal,krb5_data **,const char *, krb5_pa_data **); +prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *, krb5_ticket *, + krb5_error_code, krb5_principal, krb5_data **, const char *, + krb5_pa_data **); static krb5_error_code decrypt_2ndtkt(krb5_context, krb5_kdc_req *, krb5_flags, krb5_db_entry *, @@ -113,7 +114,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, const krb5_ticket *stkt = NULL; krb5_enc_tkt_part enc_tkt_reply; int newtransited = 0; - krb5_error_code retval = 0; + krb5_error_code retval = 0, errcode; krb5_keyblock server_keyblock, *encrypting_key; krb5_timestamp kdc_time, authtime = 0; krb5_keyblock session_key, local_tgt_key; @@ -121,7 +122,6 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, krb5_principal cprinc = NULL, sprinc = NULL, altcprinc = NULL; krb5_principal stkt_authdata_client = NULL; krb5_last_req_entry *nolrarray[2], nolrentry; - int errcode; const char *status = 0; krb5_enc_tkt_part *header_enc_tkt = NULL; /* TGT */ krb5_enc_tkt_part *subject_tkt = NULL; /* TGT or evidence ticket */ @@ -290,15 +290,14 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, if (errcode) goto cleanup; - retval = validate_tgs_request(realm, request, server, header_ticket, - header_pac, stkt, stkt_pac, stkt_server, - kdc_time, s4u_x509_user, client, - is_crossrealm, is_referral, &status, - &e_data); - if (retval) { - if (retval == KDC_ERR_POLICY || retval == KDC_ERR_BADOPTION) + errcode = validate_tgs_request(realm, request, server, header_ticket, + header_pac, stkt, stkt_pac, stkt_server, + kdc_time, s4u_x509_user, client, + is_crossrealm, is_referral, &status, + &e_data); + if (errcode) { + if (errcode == KRB5KDC_ERR_POLICY || errcode == KRB5KDC_ERR_BADOPTION) au_state->violation = PROT_CONSTRAINT; - errcode = retval + ERROR_TABLE_BASE_krb5; goto cleanup; } @@ -313,7 +312,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, header_ticket->enc_part2->client, server, &stkt_authdata_client, &status); - if (errcode == KDC_ERR_POLICY || errcode == KDC_ERR_BADOPTION) + if (errcode == KRB5KDC_ERR_POLICY || errcode == KRB5KDC_ERR_BADOPTION) au_state->violation = PROT_CONSTRAINT; else if (errcode) au_state->violation = LOCAL_POLICY; @@ -720,9 +719,6 @@ cleanup: status = krb5_get_error_message(context, errcode); got_err = 1; } - errcode -= ERROR_TABLE_BASE_krb5; - if (errcode < 0 || errcode > KRB_ERR_MAX) - errcode = KRB_ERR_GENERIC; retval = prepare_error_tgs(state, request, header_ticket, errcode, (server != NULL) ? server->princ : NULL, @@ -774,11 +770,10 @@ cleanup: } static krb5_error_code -prepare_error_tgs (struct kdc_request_state *state, - krb5_kdc_req *request, krb5_ticket *ticket, int error, - krb5_principal canon_server, - krb5_data **response, const char *status, - krb5_pa_data **e_data) +prepare_error_tgs(struct kdc_request_state *state, krb5_kdc_req *request, + krb5_ticket *ticket, krb5_error_code code, + krb5_principal canon_server, krb5_data **response, + const char *status, krb5_pa_data **e_data) { krb5_context context = state->realm_data->realm_context; krb5_error errpkt; @@ -792,7 +787,7 @@ prepare_error_tgs (struct kdc_request_state *state, retval = krb5_us_timeofday(context, &errpkt.stime, &errpkt.susec); if (retval) return(retval); - errpkt.error = error; + errpkt.error = errcode_to_protocol(code); errpkt.server = request->server; if (ticket && ticket->enc_part2) errpkt.client = ticket->enc_part2->client; diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 01a4fdb1b..d6c61f4aa 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -659,13 +659,7 @@ check_anon(kdc_realm_t *realm, krb5_principal client, krb5_principal server) return 0; } -/* - * Routines that validate a AS request; checks a lot of things. :-) - * - * Returns a Kerberos protocol error number, which is _not_ the same - * as a com_err error number! - */ -int +krb5_error_code validate_as_request(kdc_realm_t *realm, krb5_kdc_req *request, krb5_db_entry *client, krb5_db_entry *server, krb5_timestamp kdc_time, const char **status, @@ -679,16 +673,16 @@ validate_as_request(kdc_realm_t *realm, krb5_kdc_req *request, */ if (request->kdc_options & AS_INVALID_OPTIONS) { *status = "INVALID AS OPTIONS"; - return KDC_ERR_BADOPTION; + return KRB5KDC_ERR_BADOPTION; } /* The client must not be expired */ if (client->expiration && ts_after(kdc_time, client->expiration)) { *status = "CLIENT EXPIRED"; if (vague_errors) - return(KRB_ERR_GENERIC); + return KRB5KRB_ERR_GENERIC; else - return(KDC_ERR_NAME_EXP); + return KRB5KDC_ERR_NAME_EXP; } /* The client's password must not be expired, unless the server is @@ -697,15 +691,15 @@ validate_as_request(kdc_realm_t *realm, krb5_kdc_req *request, !isflagset(server->attributes, KRB5_KDB_PWCHANGE_SERVICE)) { *status = "CLIENT KEY EXPIRED"; if (vague_errors) - return(KRB_ERR_GENERIC); + return KRB5KRB_ERR_GENERIC; else - return(KDC_ERR_KEY_EXP); + return KRB5KDC_ERR_KEY_EXP; } /* The server must not be expired */ if (server->expiration && ts_after(kdc_time, server->expiration)) { *status = "SERVICE EXPIRED"; - return(KDC_ERR_SERVICE_EXP); + return KRB5KDC_ERR_SERVICE_EXP; } /* @@ -715,7 +709,7 @@ validate_as_request(kdc_realm_t *realm, krb5_kdc_req *request, if (isflagset(client->attributes, KRB5_KDB_REQUIRES_PWCHANGE) && !isflagset(server->attributes, KRB5_KDB_PWCHANGE_SERVICE)) { *status = "REQUIRED PWCHANGE"; - return(KDC_ERR_KEY_EXP); + return KRB5KDC_ERR_KEY_EXP; } /* Client and server must allow postdating tickets */ @@ -724,39 +718,36 @@ validate_as_request(kdc_realm_t *realm, krb5_kdc_req *request, (isflagset(client->attributes, KRB5_KDB_DISALLOW_POSTDATED) || isflagset(server->attributes, KRB5_KDB_DISALLOW_POSTDATED))) { *status = "POSTDATE NOT ALLOWED"; - return(KDC_ERR_CANNOT_POSTDATE); + return KRB5KDC_ERR_CANNOT_POSTDATE; } /* Check to see if client is locked out */ if (isflagset(client->attributes, KRB5_KDB_DISALLOW_ALL_TIX)) { *status = "CLIENT LOCKED OUT"; - return(KDC_ERR_CLIENT_REVOKED); + return KRB5KDC_ERR_CLIENT_REVOKED; } /* Check to see if server is locked out */ if (isflagset(server->attributes, KRB5_KDB_DISALLOW_ALL_TIX)) { *status = "SERVICE LOCKED OUT"; - return(KDC_ERR_S_PRINCIPAL_UNKNOWN); + return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; } /* Check to see if server is allowed to be a service */ if (isflagset(server->attributes, KRB5_KDB_DISALLOW_SVR)) { *status = "SERVICE NOT ALLOWED"; - return(KDC_ERR_MUST_USE_USER2USER); + return KRB5KDC_ERR_MUST_USE_USER2USER; } if (check_anon(realm, client->princ, request->server) != 0) { *status = "ANONYMOUS NOT ALLOWED"; - return(KDC_ERR_POLICY); + return KRB5KDC_ERR_POLICY; } /* Perform KDB module policy checks. */ ret = krb5_db_check_policy_as(context, request, client, server, kdc_time, status, e_data); - if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP) - return errcode_to_protocol(ret); - - return 0; + return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? 0 : ret; } /* diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index 070a27a0e..852d9c025 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -78,12 +78,12 @@ get_local_tgt(krb5_context context, const krb5_data *realm, krb5_db_entry *candidate, krb5_db_entry **alias_out, krb5_db_entry **storage_out, krb5_keyblock *kb_out); -int +krb5_error_code validate_as_request (kdc_realm_t *, krb5_kdc_req *, krb5_db_entry *, krb5_db_entry *, krb5_timestamp, const char **, krb5_pa_data ***); -int +krb5_error_code validate_tgs_request(kdc_realm_t *realm, krb5_kdc_req *request, krb5_db_entry *server, krb5_ticket *ticket, krb5_pac pac, const krb5_ticket *stkt, krb5_pac stkt_pac, diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c index dfa836a13..1a1648eb0 100644 --- a/src/kdc/tgs_policy.c +++ b/src/kdc/tgs_policy.c @@ -64,21 +64,21 @@ static check_tgs_svc_pol_fn * const svc_pol_fns[] = { static const struct tgsflagrule tgsflagrules[] = { { KDC_OPT_FORWARDED, TKT_FLG_FORWARDABLE, - "TGT NOT FORWARDABLE", KDC_ERR_BADOPTION }, + "TGT NOT FORWARDABLE", KRB5KDC_ERR_BADOPTION }, { KDC_OPT_PROXY, TKT_FLG_PROXIABLE, - "TGT NOT PROXIABLE", KDC_ERR_BADOPTION }, + "TGT NOT PROXIABLE", KRB5KDC_ERR_BADOPTION }, { (KDC_OPT_ALLOW_POSTDATE | KDC_OPT_POSTDATED), TKT_FLG_MAY_POSTDATE, - "TGT NOT POSTDATABLE", KDC_ERR_BADOPTION }, + "TGT NOT POSTDATABLE", KRB5KDC_ERR_BADOPTION }, { KDC_OPT_VALIDATE, TKT_FLG_INVALID, - "VALIDATE VALID TICKET", KDC_ERR_BADOPTION }, + "VALIDATE VALID TICKET", KRB5KDC_ERR_BADOPTION }, { KDC_OPT_RENEW, TKT_FLG_RENEWABLE, - "TICKET NOT RENEWABLE", KDC_ERR_BADOPTION } + "TICKET NOT RENEWABLE", KRB5KDC_ERR_BADOPTION } }; /* * Some TGS-REQ options require that the ticket have corresponding flags set. */ -static int +static krb5_error_code check_tgs_opts(krb5_kdc_req *req, krb5_ticket *tkt, const char **status) { size_t i; @@ -98,7 +98,7 @@ check_tgs_opts(krb5_kdc_req *req, krb5_ticket *tkt, const char **status) if (isflagset(tkt->enc_part2->flags, TKT_FLG_INVALID) && !isflagset(req->kdc_options, KDC_OPT_VALIDATE)) { *status = "TICKET NOT VALID"; - return KRB_AP_ERR_TKT_NYV; + return KRB5KRB_AP_ERR_TKT_NYV; } return 0; @@ -106,17 +106,17 @@ check_tgs_opts(krb5_kdc_req *req, krb5_ticket *tkt, const char **status) static const struct tgsflagrule svcdenyrules[] = { { KDC_OPT_RENEWABLE, KRB5_KDB_DISALLOW_RENEWABLE, - "NON-RENEWABLE TICKET", KDC_ERR_POLICY }, + "NON-RENEWABLE TICKET", KRB5KDC_ERR_POLICY }, { KDC_OPT_ALLOW_POSTDATE, KRB5_KDB_DISALLOW_POSTDATED, - "NON-POSTDATABLE TICKET", KDC_ERR_CANNOT_POSTDATE }, + "NON-POSTDATABLE TICKET", KRB5KDC_ERR_CANNOT_POSTDATE }, { KDC_OPT_ENC_TKT_IN_SKEY, KRB5_KDB_DISALLOW_DUP_SKEY, - "DUP_SKEY DISALLOWED", KDC_ERR_POLICY } + "DUP_SKEY DISALLOWED", KRB5KDC_ERR_POLICY } }; /* * A service principal can forbid some TGS-REQ options. */ -static int +static krb5_error_code check_tgs_svc_deny_opts(krb5_kdc_req *req, krb5_db_entry *server, krb5_ticket *tkt, krb5_timestamp kdc_time, const char **status) @@ -140,24 +140,24 @@ check_tgs_svc_deny_opts(krb5_kdc_req *req, krb5_db_entry *server, /* * A service principal can deny all TGS-REQs for it. */ -static int +static krb5_error_code check_tgs_svc_deny_all(krb5_kdc_req *req, krb5_db_entry *server, krb5_ticket *tkt, krb5_timestamp kdc_time, const char **status) { if (server->attributes & KRB5_KDB_DISALLOW_ALL_TIX) { *status = "SERVER LOCKED OUT"; - return KDC_ERR_S_PRINCIPAL_UNKNOWN; + return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; } if ((server->attributes & KRB5_KDB_DISALLOW_SVR) && !(req->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY)) { *status = "SERVER NOT ALLOWED"; - return KDC_ERR_MUST_USE_USER2USER; + return KRB5KDC_ERR_MUST_USE_USER2USER; } if (server->attributes & KRB5_KDB_DISALLOW_TGT_BASED) { if (krb5_is_tgs_principal(tkt->server)) { *status = "TGT BASED NOT ALLOWED"; - return KDC_ERR_POLICY; + return KRB5KDC_ERR_POLICY; } } return 0; @@ -166,7 +166,7 @@ check_tgs_svc_deny_all(krb5_kdc_req *req, krb5_db_entry *server, /* * A service principal can require certain TGT flags. */ -static int +static krb5_error_code check_tgs_svc_reqd_flags(krb5_kdc_req *req, krb5_db_entry *server, krb5_ticket *tkt, krb5_timestamp kdc_time, const char **status) @@ -174,30 +174,30 @@ check_tgs_svc_reqd_flags(krb5_kdc_req *req, krb5_db_entry *server, if (server->attributes & KRB5_KDB_REQUIRES_HW_AUTH) { if (!(tkt->enc_part2->flags & TKT_FLG_HW_AUTH)) { *status = "NO HW PREAUTH"; - return KRB_ERR_GENERIC; + return KRB5KRB_ERR_GENERIC; } } if (server->attributes & KRB5_KDB_REQUIRES_PRE_AUTH) { if (!(tkt->enc_part2->flags & TKT_FLG_PRE_AUTH)) { *status = "NO PREAUTH"; - return KRB_ERR_GENERIC; + return KRB5KRB_ERR_GENERIC; } } return 0; } -static int +static krb5_error_code check_tgs_svc_time(krb5_kdc_req *req, krb5_db_entry *server, krb5_ticket *tkt, krb5_timestamp kdc_time, const char **status) { if (server->expiration && ts_after(kdc_time, server->expiration)) { *status = "SERVICE EXPIRED"; - return KDC_ERR_SERVICE_EXP; + return KRB5KDC_ERR_SERVICE_EXP; } return 0; } -static int +static krb5_error_code check_tgs_svc_policy(krb5_kdc_req *req, krb5_db_entry *server, krb5_ticket *tkt, krb5_timestamp kdc_time, const char **status) @@ -217,7 +217,7 @@ check_tgs_svc_policy(krb5_kdc_req *req, krb5_db_entry *server, /* * Check header ticket timestamps against the current time. */ -static int +static krb5_error_code check_tgs_times(krb5_kdc_req *req, krb5_ticket_times *times, krb5_timestamp kdc_time, const char **status) { @@ -229,7 +229,7 @@ check_tgs_times(krb5_kdc_req *req, krb5_ticket_times *times, starttime = times->starttime ? times->starttime : times->authtime; if (ts_after(starttime, kdc_time)) { *status = "NOT_YET_VALID"; - return KRB_AP_ERR_TKT_NYV; + return KRB5KRB_AP_ERR_TKT_NYV; } } /* @@ -239,26 +239,26 @@ check_tgs_times(krb5_kdc_req *req, krb5_ticket_times *times, if ((req->kdc_options & KDC_OPT_RENEW) && ts_after(kdc_time, times->renew_till)) { *status = "TKT_EXPIRED"; - return KRB_AP_ERR_TKT_EXPIRED; + return KRB5KRB_AP_ERR_TKT_EXPIRED; } return 0; } /* Check for local user tickets issued by foreign realms. This check is * skipped for S4U2Self requests. */ -static int +static krb5_error_code check_tgs_lineage(krb5_db_entry *server, krb5_ticket *tkt, krb5_boolean is_crossrealm, const char **status) { if (is_crossrealm && data_eq(tkt->enc_part2->client->realm, server->princ->realm)) { *status = "INVALID LINEAGE"; - return KDC_ERR_POLICY; + return KRB5KDC_ERR_POLICY; } return 0; } -static int +static krb5_error_code check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req, krb5_db_entry *server, krb5_ticket *tkt, krb5_pac pac, krb5_timestamp kdc_time, @@ -273,13 +273,13 @@ check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req, if (!is_referral && !is_client_db_alias(context, server, tkt->enc_part2->client)) { *status = "INVALID_S4U2SELF_REQUEST_SERVER_MISMATCH"; - return KRB_AP_ERR_BADMATCH; + return KRB5KRB_AP_ERR_BADMATCH; } /* S4U2Self requests must use options valid for AS requests. */ if (req->kdc_options & AS_INVALID_OPTIONS) { *status = "INVALID S4U2SELF OPTIONS"; - return KDC_ERR_BADOPTION; + return KRB5KDC_ERR_BADOPTION; } /* @@ -299,13 +299,13 @@ check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req, /* This could happen if the requesting server no longer exists, and we * found a referral instead. Treat this as a server lookup failure. */ *status = "LOOKING_UP_SERVER"; - return KDC_ERR_S_PRINCIPAL_UNKNOWN; + return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; } if (client != NULL && is_crossrealm && !is_referral) { /* A local server should not need a cross-realm TGT to impersonate * a local principal. */ *status = "NOT_CROSS_REALM_REQUEST"; - return KDC_ERR_C_PRINCIPAL_UNKNOWN; /* match Windows error */ + return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; /* match Windows error */ } if (client == NULL && !is_crossrealm) { /* @@ -314,7 +314,7 @@ check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req, * follow referrals back to us. */ *status = "S4U2SELF_CLIENT_NOT_OURS"; - return KDC_ERR_POLICY; /* match Windows error */ + return KRB5KDC_ERR_POLICY; /* match Windows error */ } if (client == NULL && s4u_x509_user->user_id.user->length == 0) { /* @@ -323,13 +323,13 @@ check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req, * the subject-certificate field. */ *status = "INVALID_XREALM_S4U2SELF_REQUEST"; - return KDC_ERR_POLICY; /* match Windows error */ + return KRB5KDC_ERR_POLICY; /* match Windows error */ } /* The header ticket PAC must be present. */ if (pac == NULL) { *status = "S4U2SELF_NO_PAC"; - return KDC_ERR_TGT_REVOKED; + return KRB5KDC_ERR_TGT_REVOKED; } if (client != NULL) { @@ -337,7 +337,7 @@ check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req, if (krb5_pac_verify(context, pac, tkt->enc_part2->times.authtime, tkt->enc_part2->client, NULL, NULL) != 0) { *status = "S4U2SELF_LOCAL_PAC_CLIENT"; - return KDC_ERR_BADOPTION; + return KRB5KDC_ERR_BADOPTION; } /* Validate the client policy. Use an empty server principal to bypass @@ -350,7 +350,7 @@ check_tgs_s4u2self(kdc_realm_t *realm, krb5_kdc_req *req, s4u_x509_user->user_id.user, NULL, NULL, TRUE) != 0) { *status = "S4U2SELF_FOREIGN_PAC_CLIENT"; - return KDC_ERR_BADOPTION; + return KRB5KDC_ERR_BADOPTION; } } @@ -420,7 +420,7 @@ cleanup: return result; } -static int +static krb5_error_code check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req, krb5_db_entry *server, krb5_ticket *tkt, krb5_pac pac, const krb5_ticket *stkt, krb5_pac stkt_pac, @@ -430,35 +430,35 @@ check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req, /* A forwardable second ticket must be present in the request. */ if (stkt == NULL) { *status = "NO_2ND_TKT"; - return KDC_ERR_BADOPTION; + return KRB5KDC_ERR_BADOPTION; } if (!(stkt->enc_part2->flags & TKT_FLG_FORWARDABLE)) { *status = "EVIDENCE_TKT_NOT_FORWARDABLE"; - return KDC_ERR_BADOPTION; + return KRB5KDC_ERR_BADOPTION; } /* Constrained delegation is mutually exclusive with renew/forward/etc. * (and therefore requires the header ticket to be a TGT). */ if (req->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) { *status = "INVALID_S4U2PROXY_OPTIONS"; - return KDC_ERR_BADOPTION; + return KRB5KDC_ERR_BADOPTION; } /* Can't get a TGT (otherwise it would be unconstrained delegation). */ if (krb5_is_tgs_principal(req->server)) { *status = "NOT_ALLOWED_TO_DELEGATE"; - return KDC_ERR_POLICY; + return KRB5KDC_ERR_POLICY; } /* The header ticket PAC must be present and for the impersonator. */ if (pac == NULL) { *status = "S4U2PROXY_NO_HEADER_PAC"; - return KDC_ERR_TGT_REVOKED; + return KRB5KDC_ERR_TGT_REVOKED; } if (krb5_pac_verify(context, pac, tkt->enc_part2->times.authtime, tkt->enc_part2->client, NULL, NULL) != 0) { *status = "S4U2PROXY_HEADER_PAC"; - return KDC_ERR_BADOPTION; + return KRB5KDC_ERR_BADOPTION; } /* @@ -470,7 +470,7 @@ check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req, if (stkt_pac == NULL) { *status = "S4U2PROXY_NO_STKT_PAC"; - return KRB_AP_ERR_MODIFIED; + return KRB5KRB_AP_ERR_MODIFIED; } if (!is_crossrealm) { /* For an initial or same-realm request, the second ticket server and @@ -478,7 +478,7 @@ check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req, if (!is_client_db_alias(context, stkt_server, tkt->enc_part2->client)) { *status = "EVIDENCE_TICKET_MISMATCH"; - return KDC_ERR_SERVER_NOMATCH; + return KRB5KDC_ERR_SERVER_NOMATCH; } /* The second ticket client and PAC client are the subject, and must @@ -486,7 +486,7 @@ check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req, if (krb5_pac_verify(context, stkt_pac, stkt->enc_part2->times.authtime, stkt->enc_part2->client, NULL, NULL) != 0) { *status = "S4U2PROXY_LOCAL_STKT_PAC"; - return KDC_ERR_BADOPTION; + return KRB5KDC_ERR_BADOPTION; } } else { @@ -501,7 +501,7 @@ check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req, !krb5_principal_compare(context, stkt->enc_part2->client, tkt->enc_part2->client)) { *status = "XREALM_EVIDENCE_TICKET_MISMATCH"; - return KDC_ERR_BADOPTION; + return KRB5KDC_ERR_BADOPTION; } /* The second ticket PAC must be present and for the impersonated @@ -510,41 +510,41 @@ check_tgs_s4u2proxy(krb5_context context, krb5_kdc_req *req, verify_deleg_pac(context, stkt_pac, stkt->enc_part2, req->server) != 0) { *status = "S4U2PROXY_CROSS_STKT_PAC"; - return KDC_ERR_BADOPTION; + return KRB5KDC_ERR_BADOPTION; } } return 0; } -static int +static krb5_error_code check_tgs_u2u(krb5_context context, krb5_kdc_req *req, const krb5_ticket *stkt, krb5_db_entry *server, const char **status) { /* A second ticket must be present in the request. */ if (stkt == NULL) { *status = "NO_2ND_TKT"; - return KDC_ERR_BADOPTION; + return KRB5KDC_ERR_BADOPTION; } /* The second ticket must be a TGT to the server realm. */ if (!is_local_tgs_principal(stkt->server) || !data_eq(stkt->server->data[1], server->princ->realm)) { *status = "2ND_TKT_NOT_TGS"; - return KDC_ERR_POLICY; + return KRB5KDC_ERR_POLICY; } /* The second ticket client must match the requested server. */ if (!is_client_db_alias(context, server, stkt->enc_part2->client)) { *status = "2ND_TKT_MISMATCH"; - return KDC_ERR_SERVER_NOMATCH; + return KRB5KDC_ERR_SERVER_NOMATCH; } return 0; } /* Validate the PAC of a non-S4U TGS request, if one is present. */ -static int +static krb5_error_code check_normal_tgs_pac(krb5_context context, krb5_enc_tkt_part *enc_tkt, krb5_pac pac, krb5_db_entry *server, krb5_boolean is_crossrealm, const char **status) @@ -566,7 +566,7 @@ check_normal_tgs_pac(krb5_context context, krb5_enc_tkt_part *enc_tkt, return 0; *status = "HEADER_PAC"; - return KDC_ERR_BADOPTION; + return KRB5KDC_ERR_BADOPTION; } /* @@ -574,19 +574,19 @@ check_normal_tgs_pac(krb5_context context, krb5_enc_tkt_part *enc_tkt, * checks that are peculiar to these cases. (e.g., ticket service principal * matches requested service principal) */ -static int +static krb5_error_code check_tgs_nontgt(krb5_context context, krb5_kdc_req *req, krb5_ticket *tkt, const char **status) { if (!krb5_principal_compare(context, tkt->server, req->server)) { *status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC"; - return KDC_ERR_SERVER_NOMATCH; + return KRB5KDC_ERR_SERVER_NOMATCH; } /* Cannot proxy ticket granting tickets. */ if ((req->kdc_options & KDC_OPT_PROXY) && krb5_is_tgs_principal(req->server)) { *status = "CAN'T PROXY TGT"; - return KDC_ERR_BADOPTION; + return KRB5KDC_ERR_BADOPTION; } return 0; } @@ -595,23 +595,23 @@ check_tgs_nontgt(krb5_context context, krb5_kdc_req *req, krb5_ticket *tkt, * Do some checks for a normal TGS-REQ (where the ticket service must be a TGS * principal). */ -static int +static krb5_error_code check_tgs_tgt(krb5_kdc_req *req, krb5_ticket *tkt, const char **status) { /* Make sure it's a TGS principal. */ if (!krb5_is_tgs_principal(tkt->server)) { *status = "BAD TGS SERVER NAME"; - return KRB_AP_ERR_NOT_US; + return KRB5KRB_AP_ERR_NOT_US; } /* TGS principal second component must match service realm. */ if (!data_eq(tkt->server->data[1], req->server->realm)) { *status = "BAD TGS SERVER INSTANCE"; - return KRB_AP_ERR_NOT_US; + return KRB5KRB_AP_ERR_NOT_US; } return 0; } -int +krb5_error_code validate_tgs_request(kdc_realm_t *realm, krb5_kdc_req *request, krb5_db_entry *server, krb5_ticket *ticket, krb5_pac pac, const krb5_ticket *stkt, krb5_pac stkt_pac, @@ -650,7 +650,7 @@ validate_tgs_request(kdc_realm_t *realm, krb5_kdc_req *request, /* Check the hot list */ if (check_hot_list(ticket)) { *status = "HOT_LIST"; - return(KRB_AP_ERR_REPEAT); + return(KRB5KRB_AP_ERR_REPEAT); } if (s4u_x509_user != NULL) { @@ -685,14 +685,11 @@ validate_tgs_request(kdc_realm_t *realm, krb5_kdc_req *request, if (check_anon(realm, ticket->enc_part2->client, request->server) != 0) { *status = "ANONYMOUS NOT ALLOWED"; - return(KDC_ERR_POLICY); + return(KRB5KDC_ERR_POLICY); } /* Perform KDB module policy checks. */ ret = krb5_db_check_policy_tgs(context, request, server, ticket, status, e_data); - if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP) - return errcode_to_protocol(ret); - - return 0; + return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? 0 : ret; } |