
ced1f5
From aa476a78b67a60d4ca2433091268a7790b4d62f7 Mon Sep 17 00:00:00 2001
ced1f5
From: Sumit Bose <sbose@redhat.com>
ced1f5
Date: Mon, 30 Oct 2017 10:22:33 +0100
ced1f5
Subject: [PATCH 42/46] p11_child: add descriptions for error codes to debug
ced1f5
 messages
ced1f5
MIME-Version: 1.0
ced1f5
Content-Type: text/plain; charset=UTF-8
ced1f5
Content-Transfer-Encoding: 8bit
ced1f5
ced1f5
In addition to the NSS error code, a text message describing the error is
ced1f5
added. This will help to see why p11_child ignores specific
ced1f5
certificates. For example it would be more obvious why the certificate
ced1f5
is not valid (expired, missing CA cert, failed OCSP etc).
ced1f5
ced1f5
Related to https://pagure.io/SSSD/sssd/issue/3560
ced1f5
ced1f5
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
ced1f5
Tested-by: Scott Poore <spoore@redhat.com>
ced1f5
(cherry picked from commit 08d1f8c0d6eece6a48201d7f8824b282eac3458d)
ced1f5
---
ced1f5
 src/p11_child/p11_child_nss.c | 91 ++++++++++++++++++++++++-------------------
ced1f5
 1 file changed, 50 insertions(+), 41 deletions(-)
ced1f5
ced1f5
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
ced1f5
index c676375cf7f6677a1d7f38f09b9bb5fd820d60c5..5f289688e41f4ea610292b907036e05cf95eb29d 100644
ced1f5
--- a/src/p11_child/p11_child_nss.c
ced1f5
+++ b/src/p11_child/p11_child_nss.c
ced1f5
@@ -75,15 +75,16 @@ static char *get_key_id_str(PK11SlotInfo *slot, CERTCertificate *cert)
ced1f5
     key_id = PK11_GetLowLevelKeyIDForCert(slot, cert, NULL);
ced1f5
     if (key_id == NULL) {
ced1f5
         DEBUG(SSSDBG_OP_FAILURE,
ced1f5
-              "PK11_GetLowLevelKeyIDForCert failed [%d].\n",
ced1f5
-              PR_GetError());
ced1f5
+              "PK11_GetLowLevelKeyIDForCert failed [%d][%s].\n",
ced1f5
+              PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
         return NULL;
ced1f5
     }
ced1f5
 
ced1f5
     key_id_str = CERT_Hexify(key_id, PR_FALSE);
ced1f5
     SECITEM_FreeItem(key_id, PR_TRUE);
ced1f5
     if (key_id_str == NULL) {
ced1f5
-        DEBUG(SSSDBG_OP_FAILURE, "CERT_Hexify failed [%d].\n", PR_GetError());
ced1f5
+        DEBUG(SSSDBG_OP_FAILURE, "CERT_Hexify failed [%d][%s].\n",
ced1f5
+              PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
         return NULL;
ced1f5
     }
ced1f5
 
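Review bot: Each DEBUG call in this hunk evaluates `PR_GetError()` twice, once for the `%d` and once as the argument to `PORT_ErrorToString`; reading it once into a local keeps the code and its text from ever diverging and makes the intent clearer, e.g. `PRErrorCode err = PR_GetError();` followed by `DEBUG(SSSDBG_OP_FAILURE, "PK11_GetLowLevelKeyIDForCert failed [%d][%s].\n", err, PORT_ErrorToString(err));`. The same pattern is repeated in every other hunk of this patch (NSS_InitContext, PK11_Authenticate, PK11_ListCertsInSlot, the CERT_* filter and OCSP calls, CERT_NewCertList, PK11_GenerateRandom, SEC_SignData, VFY_VerifyData and NSS_ShutdownContext), so a small static helper that logs `[code][text]` for a given function name would remove the duplication in one place. The enclosing get_key_id_str body starts before this hunk.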
ced1f5
@@ -138,8 +139,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
ced1f5
 
ced1f5
     nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, &parameters, flags);
ced1f5
     if (nss_ctx == NULL) {
ced1f5
-        DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d].\n",
ced1f5
-                                 PR_GetError());
ced1f5
+        DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d][%s].\n",
ced1f5
+              PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
         return EIO;
ced1f5
     }
ced1f5
 
ced1f5
@@ -232,8 +233,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
ced1f5
         if (pin != NULL) {
ced1f5
             rv = PK11_Authenticate(slot, PR_FALSE, discard_const(pin));
ced1f5
             if (rv !=  SECSuccess) {
ced1f5
-                DEBUG(SSSDBG_OP_FAILURE, "PK11_Authenticate failed: [%d].\n",
ced1f5
-                                         PR_GetError());
ced1f5
+                DEBUG(SSSDBG_OP_FAILURE, "PK11_Authenticate failed: [%d][%s].\n",
ced1f5
+                      PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
                 return EIO;
ced1f5
             }
ced1f5
         } else {
ced1f5
@@ -246,8 +247,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
ced1f5
 
ced1f5
     cert_list = PK11_ListCertsInSlot(slot);
ced1f5
     if (cert_list == NULL) {
ced1f5
-        DEBUG(SSSDBG_OP_FAILURE, "PK11_ListCertsInSlot failed: [%d].\n",
ced1f5
-                                 PR_GetError());
ced1f5
+        DEBUG(SSSDBG_OP_FAILURE, "PK11_ListCertsInSlot failed: [%d][%s].\n",
ced1f5
+              PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
         return EIO;
ced1f5
     }
ced1f5
 
ced1f5
@@ -265,31 +266,33 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
ced1f5
 
ced1f5
     rv = CERT_FilterCertListByUsage(cert_list, certUsageSSLClient, PR_FALSE);
ced1f5
     if (rv != SECSuccess) {
ced1f5
-        DEBUG(SSSDBG_OP_FAILURE, "CERT_FilterCertListByUsage failed: [%d].\n",
ced1f5
-                                 PR_GetError());
ced1f5
+        DEBUG(SSSDBG_OP_FAILURE, "CERT_FilterCertListByUsage failed: [%d][%s].\n",
ced1f5
+              PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
         return EIO;
ced1f5
     }
ced1f5
 
ced1f5
     rv = CERT_FilterCertListForUserCerts(cert_list);
ced1f5
     if (rv != SECSuccess) {
ced1f5
-        DEBUG(SSSDBG_OP_FAILURE, "CERT_FilterCertListForUserCerts failed: [%d].\n",
ced1f5
-                                 PR_GetError());
ced1f5
+        DEBUG(SSSDBG_OP_FAILURE,
ced1f5
+              "CERT_FilterCertListForUserCerts failed: [%d][%s].\n",
ced1f5
+              PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
         return EIO;
ced1f5
     }
ced1f5
 
ced1f5
 
ced1f5
     handle = CERT_GetDefaultCertDB();
ced1f5
     if (handle == NULL) {
ced1f5
-        DEBUG(SSSDBG_OP_FAILURE, "CERT_GetDefaultCertDB failed: [%d].\n",
ced1f5
-                                 PR_GetError());
ced1f5
+        DEBUG(SSSDBG_OP_FAILURE, "CERT_GetDefaultCertDB failed: [%d][%s].\n",
ced1f5
+              PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
         return EIO;
ced1f5
     }
ced1f5
 
ced1f5
     if (cert_verify_opts->do_ocsp) {
ced1f5
         rv = CERT_EnableOCSPChecking(handle);
ced1f5
         if (rv != SECSuccess) {
ced1f5
-            DEBUG(SSSDBG_OP_FAILURE, "CERT_EnableOCSPChecking failed: [%d].\n",
ced1f5
-                                     PR_GetError());
ced1f5
+            DEBUG(SSSDBG_OP_FAILURE,
ced1f5
+                  "CERT_EnableOCSPChecking failed: [%d][%s].\n",
ced1f5
+                  PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
             return EIO;
ced1f5
         }
ced1f5
 
ced1f5
@@ -300,16 +303,16 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
ced1f5
                          cert_verify_opts->ocsp_default_responder_signing_cert);
ced1f5
             if (rv != SECSuccess) {
ced1f5
                 DEBUG(SSSDBG_OP_FAILURE,
ced1f5
-                      "CERT_SetOCSPDefaultResponder failed: [%d].\n",
ced1f5
-                      PR_GetError());
ced1f5
+                      "CERT_SetOCSPDefaultResponder failed: [%d][%s].\n",
ced1f5
+                      PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
                 return EIO;
ced1f5
             }
ced1f5
 
ced1f5
             rv = CERT_EnableOCSPDefaultResponder(handle);
ced1f5
             if (rv != SECSuccess) {
ced1f5
                 DEBUG(SSSDBG_OP_FAILURE,
ced1f5
-                      "CERT_EnableOCSPDefaultResponder failed: [%d].\n",
ced1f5
-                      PR_GetError());
ced1f5
+                      "CERT_EnableOCSPDefaultResponder failed: [%d][%s].\n",
ced1f5
+                      PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
                 return EIO;
ced1f5
             }
ced1f5
         }
ced1f5
@@ -318,8 +321,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
ced1f5
     found_cert = NULL;
ced1f5
     valid_certs = CERT_NewCertList();
ced1f5
     if (valid_certs == NULL) {
ced1f5
-        DEBUG(SSSDBG_OP_FAILURE, "CERT_NewCertList failed [%d].\n",
ced1f5
-                                 PR_GetError());
ced1f5
+        DEBUG(SSSDBG_OP_FAILURE, "CERT_NewCertList failed [%d][%s].\n",
ced1f5
+              PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
         ret = ENOMEM;
ced1f5
         goto done;
ced1f5
     }
ced1f5
@@ -345,9 +348,10 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
ced1f5
                                            NULL, NULL);
ced1f5
             if (rv != SECSuccess) {
ced1f5
                 DEBUG(SSSDBG_OP_FAILURE,
ced1f5
-                      "Certificate [%s][%s] not valid [%d], skipping.\n",
ced1f5
+                      "Certificate [%s][%s] not valid [%d][%s], skipping.\n",
ced1f5
                       cert_list_node->cert->nickname,
ced1f5
-                      cert_list_node->cert->subjectName, PR_GetError());
ced1f5
+                      cert_list_node->cert->subjectName,
ced1f5
+                      PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
                 continue;
ced1f5
             }
ced1f5
         }
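Review bot: The format line added here still passes `cert_list_node->cert->nickname` to `%s` unguarded; if NSS leaves `nickname` NULL for a certificate that has no token nickname, which I believe it can, the DEBUG call is undefined behaviour (glibc happens to print "(null)"). Guarding the argument, `cert_list_node->cert->nickname != NULL ? cert_list_node->cert->nickname : "-"`, keeps the skipped-certificate diagnostic this patch is about from being the line that misbehaves. The enclosing loop in do_work starts before this hunk.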
ced1f5
@@ -386,7 +390,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
ced1f5
             rv = CERT_AddCertToListTail(valid_certs, cert_list_node->cert);
ced1f5
             if (rv != SECSuccess) {
ced1f5
                 DEBUG(SSSDBG_OP_FAILURE,
ced1f5
-                      "CERT_AddCertToListTail failed [%d].\n", PR_GetError());
ced1f5
+                      "CERT_AddCertToListTail failed [%d][%s].\n",
ced1f5
+                      PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
                 ret = EIO;
ced1f5
                 goto done;
ced1f5
             }
ced1f5
@@ -400,8 +405,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
ced1f5
         rv = CERT_DisableOCSPDefaultResponder(handle);
ced1f5
         if (rv != SECSuccess) {
ced1f5
             DEBUG(SSSDBG_OP_FAILURE,
ced1f5
-                  "CERT_DisableOCSPDefaultResponder failed: [%d].\n",
ced1f5
-                  PR_GetError());
ced1f5
+                  "CERT_DisableOCSPDefaultResponder failed: [%d][%s].\n",
ced1f5
+                  PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
         }
ced1f5
     }
ced1f5
 
ced1f5
@@ -433,15 +438,17 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
ced1f5
         rv = PK11_GenerateRandom(random_value, sizeof(random_value));
ced1f5
         if (rv != SECSuccess) {
ced1f5
             DEBUG(SSSDBG_OP_FAILURE,
ced1f5
-                  "PK11_GenerateRandom failed [%d].\n", PR_GetError());
ced1f5
+                  "PK11_GenerateRandom failed [%d][%s].\n",
ced1f5
+                  PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
             return EIO;
ced1f5
         }
ced1f5
 
ced1f5
         priv_key = PK11_FindPrivateKeyFromCert(slot, found_cert, NULL);
ced1f5
         if (priv_key == NULL) {
ced1f5
             DEBUG(SSSDBG_OP_FAILURE,
ced1f5
-                  "PK11_FindPrivateKeyFromCert failed [%d]." \
ced1f5
-                  "Maybe pin is missing.\n", PR_GetError());
ced1f5
+                  "PK11_FindPrivateKeyFromCert failed [%d][%s]."
ced1f5
+                  "Maybe pin is missing.\n",
ced1f5
+                  PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
             ret = EIO;
ced1f5
             goto done;
ced1f5
         }
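Review bot: The two adjacent string literals on the new lines `"PK11_FindPrivateKeyFromCert failed [%d][%s]."` and `"Maybe pin is missing.\n"` concatenate without a separator, so the log reads `...].Maybe pin is missing.`; add the space, `"PK11_FindPrivateKeyFromCert failed [%d][%s]. "`. Dropping the trailing backslash from the old version is correct, since adjacent literals concatenate without it. The enclosing do_work block continues outside the hunk.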
ced1f5
@@ -451,8 +458,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
ced1f5
         if (algtag == SEC_OID_UNKNOWN) {
ced1f5
             SECKEY_DestroyPrivateKey(priv_key);
ced1f5
             DEBUG(SSSDBG_OP_FAILURE,
ced1f5
-                  "SEC_GetSignatureAlgorithmOidTag failed [%d].\n",
ced1f5
-                  PR_GetError());
ced1f5
+                  "SEC_GetSignatureAlgorithmOidTag failed [%d][%s].\n",
ced1f5
+                  PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
             ret = EIO;
ced1f5
             goto done;
ced1f5
         }
ced1f5
@@ -462,8 +469,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
ced1f5
                           priv_key, algtag);
ced1f5
         SECKEY_DestroyPrivateKey(priv_key);
ced1f5
         if (rv != SECSuccess) {
ced1f5
-            DEBUG(SSSDBG_OP_FAILURE, "SEC_SignData failed [%d].\n",
ced1f5
-                                     PR_GetError());
ced1f5
+            DEBUG(SSSDBG_OP_FAILURE, "SEC_SignData failed [%d][%s].\n",
ced1f5
+                  PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
             ret = EIO;
ced1f5
             goto done;
ced1f5
         }
ced1f5
@@ -471,7 +478,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
ced1f5
         pub_key = CERT_ExtractPublicKey(found_cert);
ced1f5
         if (pub_key == NULL) {
ced1f5
             DEBUG(SSSDBG_OP_FAILURE,
ced1f5
-                  "CERT_ExtractPublicKey failed [%d].\n", PR_GetError());
ced1f5
+                  "CERT_ExtractPublicKey failed [%d][%s].\n",
ced1f5
+                  PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
             ret = EIO;
ced1f5
             goto done;
ced1f5
         }
ced1f5
@@ -481,8 +489,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
ced1f5
                             NULL);
ced1f5
         SECKEY_DestroyPublicKey(pub_key);
ced1f5
         if (rv != SECSuccess) {
ced1f5
-            DEBUG(SSSDBG_OP_FAILURE, "VFY_VerifyData failed [%d].\n",
ced1f5
-                                     PR_GetError());
ced1f5
+            DEBUG(SSSDBG_OP_FAILURE, "VFY_VerifyData failed [%d][%s].\n",
ced1f5
+                  PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
             ret = EACCES;
ced1f5
             goto done;
ced1f5
         }
ced1f5
@@ -507,7 +515,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
ced1f5
         PORT_Free(key_id_str);
ced1f5
         key_id_str = get_key_id_str(slot, found_cert);
ced1f5
         if (key_id_str == NULL) {
ced1f5
-            DEBUG(SSSDBG_OP_FAILURE, "get_key_id_str [%d].\n", PR_GetError());
ced1f5
+            DEBUG(SSSDBG_OP_FAILURE, "get_key_id_str [%d][%s].\n",
ced1f5
+                  PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
             ret = ENOMEM;
ced1f5
             goto done;
ced1f5
         }
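Review bot: The new message `"get_key_id_str [%d][%s].\n"` has no verb, unlike every other message touched by this patch; `"get_key_id_str failed [%d][%s].\n"` matches them. Note also that get_key_id_str already logs the NSS code and text itself before returning NULL (first hunk of this patch), so this outer line repeats the same `PR_GetError()` value; if that duplication is unwanted the outer message could simply name the failing call without re-reading the error. The enclosing do_work block continues outside the hunk.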
ced1f5
@@ -562,8 +571,8 @@ done:
ced1f5
 
ced1f5
     rv = NSS_ShutdownContext(nss_ctx);
ced1f5
     if (rv != SECSuccess) {
ced1f5
-        DEBUG(SSSDBG_OP_FAILURE, "NSS_ShutdownContext failed [%d].\n",
ced1f5
-                                 PR_GetError());
ced1f5
+        DEBUG(SSSDBG_OP_FAILURE, "NSS_ShutdownContext failed [%d][%s].\n",
ced1f5
+              PR_GetError(), PORT_ErrorToString(PR_GetError()));
ced1f5
     }
ced1f5
 
ced1f5
     return ret;
ced1f5
-- 
ced1f5
2.13.6
ced1f5