From b9194a0292ce57418b3c9f5faf2ee5509f0fb749 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 1 Mar 2018 14:25:55 -0500
Subject: [PATCH] Log errors from NSS during FIPS OTP key import
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
daemons/ipa-slapi-plugins/libotp/hotp.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/libotp/hotp.c b/daemons/ipa-slapi-plugins/libotp/hotp.c
index 0c9de96d37183e597867b736d6324db60fa1b3bb..1b9110ebf89a705c9c670d4d33fc7ed615ad25f3 100644
--- a/daemons/ipa-slapi-plugins/libotp/hotp.c
+++ b/daemons/ipa-slapi-plugins/libotp/hotp.c
@@ -49,7 +49,9 @@
#include <blapit.h>
#include <pk11pub.h>
#include <hasht.h>
+#include <prerror.h>
#include <prnetdb.h>
+#include <syslog.h>
struct digest_buffer {
uint8_t buf[SHA512_LENGTH];
@@ -93,17 +95,27 @@ import_key(PK11SlotInfo *slot, CK_MECHANISM_TYPE mech, SECItem *key)
PK11_ATTR_SESSION |
PK11_ATTR_PRIVATE |
PK11_ATTR_SENSITIVE, NULL);
- if (!ekey)
+ if (!ekey) {
+ syslog(LOG_ERR, "libotp: in FIPS, PK11_TokenKeyGenWithFlags failed: %d",
+ PR_GetError());
goto egress;
+ }
/* Encrypt the input key. */
if (PK11_Encrypt(ekey, CKM_AES_CBC_PAD, &ivitem, ctitem.data, &ctitem.len,
- ctitem.len, key->data, key->len) != SECSuccess)
+ ctitem.len, key->data, key->len) != SECSuccess) {
+ syslog(LOG_ERR, "libotp: in FIPS, PK11_Encrypt failed: %d",
+ PR_GetError());
goto egress;
+ }
/* Unwrap the input key. */
skey = PK11_UnwrapSymKey(ekey, CKM_AES_CBC_PAD, &ivitem,
&ctitem, mech, CKA_SIGN, key->len);
+ if (!skey) {
+ syslog(LOG_ERR, "libotp: in FIPS, PK11_UnwrapSymKey failed: %d",
+ PR_GetError());
+ }
egress:
PK11_FreeSymKey(ekey);
--
2.14.3