krb5 commit [krb5-1.16]: Expose context errors in pkinit_server_plugin_init
Greg Hudson
ghudson at mit.edu
Wed Nov 22 13:11:19 EST 2017
https://github.com/krb5/krb5/commit/96bbaedd6e665b67ef89452e3cc84bc36f7860dc
commit 96bbaedd6e665b67ef89452e3cc84bc36f7860dc
Author: Robbie Harwood <rharwood at redhat.com>
Date: Mon Nov 13 13:32:37 2017 -0500
Expose context errors in pkinit_server_plugin_init
Commit 3ff426b9048a8024e5c175256c63cd0ad0572320 attempted to display
an error when OCSP support was requested, but this error message was
suppressed in pkinit_server_plugin_init(). Add a trace log for each
realm initialization error, and pass through the realm initialization
error when the KDC serves only one realm. Other error messages from
pkinit_init_kdc_profile(), such as missing pkinit_identity or
pkinit_anchors, are also now exposed.
[ghudson at mit.edu: clarified commit message]
(cherry picked from commit 225aab3540c13c6289b22022d5e110f6fc26151d)
ticket: 8621
version_fixed: 1.16
src/plugins/preauth/pkinit/pkinit_srv.c | 19 +++++++++++++------
src/plugins/preauth/pkinit/pkinit_trace.h | 3 +++
2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 7210fc1..4e96858 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -1680,16 +1680,23 @@ pkinit_server_plugin_init(krb5_context context,
for (i = 0, j = 0; i < numrealms; i++) {
TRACE_PKINIT_SERVER_INIT_REALM(context, realmnames[i]);
- retval = pkinit_server_plugin_init_realm(context, realmnames[i], &plgctx);
- if (retval == 0 && plgctx != NULL)
+ krb5_clear_error_message(context);
+ retval = pkinit_server_plugin_init_realm(context, realmnames[i],
+ &plgctx);
+ if (retval)
+ TRACE_PKINIT_SERVER_INIT_FAIL(context, realmnames[i], retval);
+ else
realm_contexts[j++] = plgctx;
}
if (j == 0) {
- retval = EINVAL;
- krb5_set_error_message(context, retval,
- _("No realms configured correctly for pkinit "
- "support"));
+ if (numrealms == 1) {
+ k5_prependmsg(context, retval, "PKINIT initialization failed");
+ } else {
+ retval = EINVAL;
+ k5_setmsg(context, retval,
+ _("No realms configured correctly for pkinit support"));
+ }
goto errout;
}
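Review bot: The prepended message on the `numrealms == 1` branch, `k5_prependmsg(context, retval, "PKINIT initialization failed")`, is not wrapped in `_()` although the sibling `k5_setmsg` text a few lines below is, so this new user-visible string is the only one in the hunk not marked for translation; `k5_prependmsg(context, retval, _("PKINIT initialization failed"));` would keep the two branches consistent. Separately, the loop no longer checks `plgctx != NULL` before storing the context: if pkinit_server_plugin_init_realm() can return 0 without setting plgctx (not visible from the hunk), a NULL entry would now be counted as a successfully initialized realm, and if it cannot, a short comment stating that contract on the `else` branch would make the dropped check deliberate. pkinit_server_plugin_init() begins before the hunk and continues past it.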
diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h
index acd485b..d4eb39d 100644
--- a/src/plugins/preauth/pkinit/pkinit_trace.h
+++ b/src/plugins/preauth/pkinit/pkinit_trace.h
@@ -102,6 +102,9 @@
TRACE(c, "PKINIT server skipping EKU check due to configuration")
#define TRACE_PKINIT_SERVER_INIT_REALM(c, realm) \
TRACE(c, "PKINIT server initializing realm {str}", realm)
+#define TRACE_PKINIT_SERVER_INIT_FAIL(c, realm, retval) \
+ TRACE(c, "PKINIT server initialization failed for realm {str}: {kerr}", \
+ realm, retval)
#define TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(c) \
TRACE(c, "PKINIT server found a matching UPN SAN in client cert")
#define TRACE_PKINIT_SERVER_MATCHING_SAN_FOUND(c) \