From 9c0a06f38189d255575acdae5efb22b76b4c33b3 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 13 Nov 2017 13:32:37 -0500
Subject: [PATCH] Expose context errors in pkinit_server_plugin_init
|
Commit 3ff426b9048a8024e5c175256c63cd0ad0572320 attempted to display
an error when OCSP support was requested, but this error message was
suppressed in pkinit_server_plugin_init(). Add a trace log for each
realm initialization error, and pass through the realm initialization
error when the KDC serves only one realm. Other error messages from
pkinit_init_kdc_profile(), such as missing pkinit_identity or
pkinit_anchors, are also now exposed.
|
[ghudson@mit.edu: clarified commit message]
|
ticket: 8621 (new)
target_version: 1.16
tags: pullup
|
(cherry picked from commit 225aab3540c13c6289b22022d5e110f6fc26151d)
---
src/plugins/preauth/pkinit/pkinit_srv.c | 19 +++++++++++++------
src/plugins/preauth/pkinit/pkinit_trace.h | 3 +++
2 files changed, 16 insertions(+), 6 deletions(-)
|
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
|
|
|
e58a44 |
index 8e77606f8..143d331a2 100644
|
|
|
e58a44 |
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
|
|
|
e58a44 |
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
|
|
|
e58a44 |
@@ -1622,16 +1622,23 @@ pkinit_server_plugin_init(krb5_context context,
|
|
|
e58a44 |
|
|
|
e58a44 |
for (i = 0, j = 0; i < numrealms; i++) {
|
|
|
e58a44 |
TRACE_PKINIT_SERVER_INIT_REALM(context, realmnames[i]);
|
|
|
e58a44 |
- retval = pkinit_server_plugin_init_realm(context, realmnames[i], &plgctx);
|
|
|
e58a44 |
- if (retval == 0 && plgctx != NULL)
|
|
|
e58a44 |
+ krb5_clear_error_message(context);
|
|
|
e58a44 |
+ retval = pkinit_server_plugin_init_realm(context, realmnames[i],
|
|
|
e58a44 |
+ &plgctx);
|
|
|
e58a44 |
+ if (retval)
|
|
|
e58a44 |
+ TRACE_PKINIT_SERVER_INIT_FAIL(context, realmnames[i], retval);
|
|
|
e58a44 |
+ else
|
|
|
e58a44 |
realm_contexts[j++] = plgctx;
|
|
|
e58a44 |
}
|
|
|
e58a44 |
|
|
|
e58a44 |
if (j == 0) {
|
|
|
e58a44 |
- retval = EINVAL;
|
|
|
e58a44 |
- krb5_set_error_message(context, retval,
|
|
|
e58a44 |
- _("No realms configured correctly for pkinit "
|
|
|
e58a44 |
- "support"));
|
|
|
e58a44 |
+ if (numrealms == 1) {
|
|
|
e58a44 |
+ k5_prependmsg(context, retval, "PKINIT initialization failed");
|
|
|
e58a44 |
+ } else {
|
|
|
e58a44 |
+ retval = EINVAL;
|
|
|
e58a44 |
+ k5_setmsg(context, retval,
|
|
|
e58a44 |
+ _("No realms configured correctly for pkinit support"));
|
|
|
e58a44 |
+ }
|
|
|
e58a44 |
goto errout;
|
|
|
e58a44 |
}
|
|
|
e58a44 |
|
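Review bot: The new single-realm message `k5_prependmsg(context, retval, "PKINIT initialization failed");` is not wrapped in `_()`, unlike the sibling `_("No realms configured correctly for pkinit support")` a few lines below and the message this hunk removes, so it will not be localized; change it to `k5_prependmsg(context, retval, _("PKINIT initialization failed"));`. In the multi-realm branch the per-realm failure reason now survives only in the trace log, because `krb5_clear_error_message(context)` wipes it at the top of each iteration and the final EINVAL message names no realm, so an operator without KRB5_TRACE enabled still cannot tell which realm's pkinit_identity or pkinit_anchors is broken. Consider remembering the name of the last realm whose init failed and including it in the "No realms configured correctly" message (assuming k5_setmsg accepts printf-style arguments like krb5_set_error_message does), or documenting in a comment above the `if (j == 0)` that detail for the multi-realm case is intentionally trace-only. Note also that when some realms succeed a failed realm is skipped without any non-trace diagnostic, which appears to be pre-existing behavior rather than something this commit introduces. pkinit_server_plugin_init begins before this hunk and its errout label lies after it.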
|
|
e58a44 |
diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h
|
|
|
e58a44 |
index 6abe28c0c..8d489469f 100644
|
|
|
e58a44 |
--- a/src/plugins/preauth/pkinit/pkinit_trace.h
|
|
|
e58a44 |
+++ b/src/plugins/preauth/pkinit/pkinit_trace.h
|
|
|
e58a44 |
@@ -100,6 +100,9 @@
|
|
|
e58a44 |
TRACE(c, "PKINIT server skipping EKU check due to configuration")
|
|
|
e58a44 |
#define TRACE_PKINIT_SERVER_INIT_REALM(c, realm) \
|
|
|
e58a44 |
TRACE(c, "PKINIT server initializing realm {str}", realm)
|
|
|
e58a44 |
+#define TRACE_PKINIT_SERVER_INIT_FAIL(c, realm, retval) \
|
|
|
e58a44 |
+ TRACE(c, "PKINIT server initialization failed for realm {str}: {kerr}", \
|
|
|
e58a44 |
+ realm, retval)
|
|
|
e58a44 |
#define TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(c) \
|
|
|
e58a44 |
TRACE(c, "PKINIT server found a matching UPN SAN in client cert")
|
|
|
e58a44 |
#define TRACE_PKINIT_SERVER_MATCHING_SAN_FOUND(c) \
|