From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 8 May 2012 03:04:15 +0000 (+0000)
Subject: Improve traced error messages from PKINIT client
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=6d19259c7eb9277c12a7f2eec9aa80563b4c5acc;p=krb5.git

Improve traced error messages from PKINIT client

If we have no configured PKINIT client identity, or if we fail to
create a certificate chain, set a reasonable error code (not EINVAL or
ENOMEM) and a useful error message to appear in trace log output.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25854 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index ad86ba4e3..0136d4f47 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1030,10 +1030,14 @@ cms_signeddata_create(krb5_context context,
                                 id_cryptoctx->intermediateCAs);
             X509_STORE_CTX_trusted_stack(&certctx, id_cryptoctx->trustedCAs);
             if (!X509_verify_cert(&certctx)) {
-                pkiDebug("failed to create a certificate chain: %s\n",
-                         X509_verify_cert_error_string(X509_STORE_CTX_get_error(&certctx)));
+                int code = X509_STORE_CTX_get_error(&certctx);
+                const char *msg = X509_verify_cert_error_string(code);
+                pkiDebug("failed to create a certificate chain: %s\n", msg);
                 if (!sk_X509_num(id_cryptoctx->trustedCAs))
                     pkiDebug("No trusted CAs found. Check your X509_anchors\n");
+                retval = KRB5_PREAUTH_FAILED;
+                krb5_set_error_message(context, retval,
+                                       _("Cannot create cert chain: %s"), msg);
                 goto cleanup;
             }
             certstack = X509_STORE_CTX_get1_chain(&certctx);
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index 39d2a0ed4..cdee8417e 100644
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
@@ -548,6 +548,9 @@ pkinit_identity_initialize(krb5_context context,
                                                  idopts->identity_alt[i]);
             }
         } else {
+            retval = KRB5_PREAUTH_FAILED;
+            krb5_set_error_message(context, retval,
+                                   _("No user identity options specified"));
             pkiDebug("%s: no user identity options specified\n", __FUNCTION__);
             goto errout;
         }