From b9194a0292ce57418b3c9f5faf2ee5509f0fb749 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 1 Mar 2018 14:25:55 -0500
Subject: [PATCH] Log errors from NSS during FIPS OTP key import
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
daemons/ipa-slapi-plugins/libotp/hotp.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/libotp/hotp.c b/daemons/ipa-slapi-plugins/libotp/hotp.c
index 0c9de96d37183e597867b736d6324db60fa1b3bb..1b9110ebf89a705c9c670d4d33fc7ed615ad25f3 100644
--- a/daemons/ipa-slapi-plugins/libotp/hotp.c
+++ b/daemons/ipa-slapi-plugins/libotp/hotp.c
@@ -49,7 +49,9 @@
#include <blapit.h>
#include <pk11pub.h>
#include <hasht.h>
+#include <prerror.h>
#include <prnetdb.h>
+#include <syslog.h>
struct digest_buffer {
uint8_t buf[SHA512_LENGTH];
@@ -93,17 +95,27 @@ import_key(PK11SlotInfo *slot, CK_MECHANISM_TYPE mech, SECItem *key)
PK11_ATTR_SESSION |
PK11_ATTR_PRIVATE |
PK11_ATTR_SENSITIVE, NULL);
- if (!ekey)
+ if (!ekey) {
+ syslog(LOG_ERR, "libotp: in FIPS, PK11_TokenKeyGenWithFlags failed: %d",
+ PR_GetError());
goto egress;
+ }
/* Encrypt the input key. */
if (PK11_Encrypt(ekey, CKM_AES_CBC_PAD, &ivitem, ctitem.data, &ctitem.len,
- ctitem.len, key->data, key->len) != SECSuccess)
+ ctitem.len, key->data, key->len) != SECSuccess) {
+ syslog(LOG_ERR, "libotp: in FIPS, PK11_Encrypt failed: %d",
+ PR_GetError());
goto egress;
+ }
/* Unwrap the input key. */
skey = PK11_UnwrapSymKey(ekey, CKM_AES_CBC_PAD, &ivitem,
&ctitem, mech, CKA_SIGN, key->len);
+ if (!skey) {
+ syslog(LOG_ERR, "libotp: in FIPS, PK11_UnwrapSymKey failed: %d",
+ PR_GetError());
+ }
egress:
PK11_FreeSymKey(ekey);
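Review bot: The three added syslog calls in import_key record only the raw number from PR_GetError(), so whoever triages a failed FIPS OTP key import has to translate a negative NSPR/NSS code by hand. Capturing the code once and logging its symbolic name as well would make the entries actionable, e.g. `PRErrorCode err = PR_GetError(); const char *name = PR_ErrorToName(err);` followed by `syslog(LOG_ERR, "libotp: in FIPS, PK11_Encrypt failed: %d (%s)", (int)err, name ? name : "unknown");`, and the same for the other two sites. The `(int)` cast also keeps the `%d` conversion correct regardless of how PRErrorCode is typedef'd. The messages contain no key bytes, which is the right choice for a path that handles OTP secrets and should be kept when the text is extended. import_key begins and ends outside this hunk, so whether `ctitem` is cleared after egress cannot be judged from here.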
--
2.14.3