120 lines
4.8 KiB
Diff
120 lines
4.8 KiB
Diff
From c3725a13ef694c2c34813953153f33ebfbaf1c27 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Fri, 15 Mar 2024 11:29:47 +0100
|
|
Subject: [PATCH 10/12] krb5: make sure answer_pkinit() use matching debug
|
|
messages
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Resolves: https://github.com/SSSD/sssd/issues/7152
|
|
|
|
Reviewed-by: Alejandro López <allopez@redhat.com>
|
|
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
|
(cherry picked from commit 7c33f9d57cebfff80778f930ff0cc3144a7cc261)
|
|
---
|
|
src/providers/krb5/krb5_child.c | 77 ++++++++++++++++++---------------
|
|
1 file changed, 42 insertions(+), 35 deletions(-)
|
|
|
|
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
|
|
index 116f2adda..926109588 100644
|
|
--- a/src/providers/krb5/krb5_child.c
|
|
+++ b/src/providers/krb5/krb5_child.c
|
|
@@ -745,51 +745,58 @@ static krb5_error_code answer_pkinit(krb5_context ctx,
|
|
DEBUG(SSSDBG_TRACE_ALL, "Setting pkinit_prompting.\n");
|
|
kr->pkinit_prompting = true;
|
|
|
|
- if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
|
|
- && (sss_authtok_get_type(kr->pd->authtok)
|
|
+ if (kr->pd->cmd == SSS_PAM_AUTHENTICATE) {
|
|
+ if ((sss_authtok_get_type(kr->pd->authtok)
|
|
== SSS_AUTHTOK_TYPE_SC_PIN
|
|
|| sss_authtok_get_type(kr->pd->authtok)
|
|
== SSS_AUTHTOK_TYPE_SC_KEYPAD)) {
|
|
- kerr = sss_authtok_get_sc(kr->pd->authtok, &pin, NULL,
|
|
- &token_name, NULL,
|
|
- &module_name, NULL,
|
|
- NULL, NULL, NULL, NULL);
|
|
- if (kerr != EOK) {
|
|
- DEBUG(SSSDBG_OP_FAILURE,
|
|
- "sss_authtok_get_sc failed.\n");
|
|
- goto done;
|
|
- }
|
|
+ kerr = sss_authtok_get_sc(kr->pd->authtok, &pin, NULL,
|
|
+ &token_name, NULL,
|
|
+ &module_name, NULL,
|
|
+ NULL, NULL, NULL, NULL);
|
|
+ if (kerr != EOK) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
+ "sss_authtok_get_sc failed.\n");
|
|
+ goto done;
|
|
+ }
|
|
|
|
- for (c = 0; chl->identities[c] != NULL; c++) {
|
|
- if (chl->identities[c]->identity != NULL
|
|
- && pkinit_identity_matches(chl->identities[c]->identity,
|
|
- token_name, module_name)) {
|
|
- break;
|
|
+ for (c = 0; chl->identities[c] != NULL; c++) {
|
|
+ if (chl->identities[c]->identity != NULL
|
|
+ && pkinit_identity_matches(chl->identities[c]->identity,
|
|
+ token_name, module_name)) {
|
|
+ break;
|
|
+ }
|
|
}
|
|
- }
|
|
|
|
- if (chl->identities[c] == NULL) {
|
|
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
- "No matching identity for [%s][%s] found in pkinit challenge.\n",
|
|
- token_name, module_name);
|
|
- kerr = EINVAL;
|
|
- goto done;
|
|
- }
|
|
+ if (chl->identities[c] == NULL) {
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ "No matching identity for [%s][%s] found in pkinit "
|
|
+ "challenge.\n", token_name, module_name);
|
|
+ kerr = EINVAL;
|
|
+ goto done;
|
|
+ }
|
|
|
|
- kerr = krb5_responder_pkinit_set_answer(ctx, rctx,
|
|
- chl->identities[c]->identity,
|
|
- pin);
|
|
- if (kerr != 0) {
|
|
- DEBUG(SSSDBG_OP_FAILURE,
|
|
- "krb5_responder_set_answer failed.\n");
|
|
- }
|
|
+ kerr = krb5_responder_pkinit_set_answer(ctx, rctx,
|
|
+ chl->identities[c]->identity,
|
|
+ pin);
|
|
+ if (kerr != 0) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
+ "krb5_responder_set_answer failed.\n");
|
|
+ }
|
|
|
|
- goto done;
|
|
+ goto done;
|
|
+ } else {
|
|
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
|
+ "Unexpected authentication token type [%s]\n",
|
|
+ sss_authtok_type_to_str(sss_authtok_get_type(kr->pd->authtok)));
|
|
+ kerr = EAGAIN;
|
|
+ goto done;
|
|
+ }
|
|
} else {
|
|
- DEBUG(SSSDBG_MINOR_FAILURE, "Unexpected authentication token type [%s]\n",
|
|
- sss_authtok_type_to_str(sss_authtok_get_type(kr->pd->authtok)));
|
|
+ /* We only expect SSS_PAM_PREAUTH here, but also for all other
|
|
+ * commands the graceful solution would be to let the caller
|
|
+ * check other authentication methods as well. */
|
|
kerr = EAGAIN;
|
|
- goto done;
|
|
}
|
|
|
|
done:
|
|
--
|
|
2.42.0
|
|
|