powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1016 Commits
1 Branch
0 Tags
390 MiB
 
 
 
 
 
 
Tree: 2cda77266d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '2cda77266d'
${ noResults }
base/SOURCES/Expose-context-errors-in-pk...

73 lines
3.2 KiB
Raw Blame History

From 9c0a06f38189d255575acdae5efb22b76b4c33b3 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 13 Nov 2017 13:32:37 -0500
Subject: [PATCH] Expose context errors in pkinit_server_plugin_init
Commit 3ff426b9048a8024e5c175256c63cd0ad0572320 attempted to display
an error when OCSP support was requested, but this error message was
suppressed in pkinit_server_plugin_init(). Add a trace log for each
realm initialization error, and pass through the realm initialization
error when the KDC serves only one realm. Other error messages from
pkinit_init_kdc_profile(), such as missing pkinit_identity or
pkinit_anchors, are also now exposted.
[ghudson@mit.edu: clarified commit message]
ticket: 8621 (new)
target_version: 1.16
tags: pullup
(cherry picked from commit 225aab3540c13c6289b22022d5e110f6fc26151d)
---
src/plugins/preauth/pkinit/pkinit_srv.c | 19 +++++++++++++------
src/plugins/preauth/pkinit/pkinit_trace.h | 3 +++
2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 8e77606f8..143d331a2 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -1622,16 +1622,23 @@ pkinit_server_plugin_init(krb5_context context,
for (i = 0, j = 0; i < numrealms; i++) {
TRACE_PKINIT_SERVER_INIT_REALM(context, realmnames[i]);
- retval = pkinit_server_plugin_init_realm(context, realmnames[i], &plgctx);
- if (retval == 0 && plgctx != NULL)
+ krb5_clear_error_message(context);
+ retval = pkinit_server_plugin_init_realm(context, realmnames[i],
+ &plgctx);
+ if (retval)
+ TRACE_PKINIT_SERVER_INIT_FAIL(context, realmnames[i], retval);
+ else
realm_contexts[j++] = plgctx;
}
if (j == 0) {
- retval = EINVAL;
- krb5_set_error_message(context, retval,
- _("No realms configured correctly for pkinit "
- "support"));
+ if (numrealms == 1) {
+ k5_prependmsg(context, retval, "PKINIT initialization failed");
+ } else {
+ retval = EINVAL;
+ k5_setmsg(context, retval,
+ _("No realms configured correctly for pkinit support"));
+ }
goto errout;
}
diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h
index 6abe28c0c..8d489469f 100644
--- a/src/plugins/preauth/pkinit/pkinit_trace.h
+++ b/src/plugins/preauth/pkinit/pkinit_trace.h
@@ -100,6 +100,9 @@
TRACE(c, "PKINIT server skipping EKU check due to configuration")
#define TRACE_PKINIT_SERVER_INIT_REALM(c, realm) \
TRACE(c, "PKINIT server initializing realm {str}", realm)
+#define TRACE_PKINIT_SERVER_INIT_FAIL(c, realm, retval) \
+ TRACE(c, "PKINIT server initialization failed for realm {str}: {kerr}", \
+ realm, retval)
#define TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(c) \
TRACE(c, "PKINIT server found a matching UPN SAN in client cert")
#define TRACE_PKINIT_SERVER_MATCHING_SAN_FOUND(c) \