From 9ac02165e5b6cc73e4c6e43925f160013e0e4590 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 15 Mar 2024 11:29:47 +0100
Subject: [PATCH] krb5: make sure answer_pkinit() use matching debug messages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves: https://github.com/SSSD/sssd/issues/7152

Reviewed-by: Alejandro López
Reviewed-by: Justin Stephenson
(cherry picked from commit 7c33f9d57cebfff80778f930ff0cc3144a7cc261)
(cherry picked from commit bca3c895649546afb755746e01080cee42c8bf77)
---
 src/providers/krb5/krb5_child.c | 77 ++++++++++++++++++---------------
 1 file changed, 42 insertions(+), 35 deletions(-)

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 1ee5e7c2d36..ddda690c0ff 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -734,51 +734,58 @@ static krb5_error_code answer_pkinit(krb5_context ctx,
 DEBUG(SSSDBG_TRACE_ALL, "Setting pkinit_prompting.\n");
 kr->pkinit_prompting = true;
 
- if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
- && (sss_authtok_get_type(kr->pd->authtok)
+ if (kr->pd->cmd == SSS_PAM_AUTHENTICATE) {
+ if ((sss_authtok_get_type(kr->pd->authtok)
 == SSS_AUTHTOK_TYPE_SC_PIN
 || sss_authtok_get_type(kr->pd->authtok)
 == SSS_AUTHTOK_TYPE_SC_KEYPAD)) {
- kerr = sss_authtok_get_sc(kr->pd->authtok, &pin, NULL,
- &token_name, NULL,
- &module_name, NULL,
- NULL, NULL, NULL, NULL);
- if (kerr != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "sss_authtok_get_sc failed.\n");
- goto done;
- }
+ kerr = sss_authtok_get_sc(kr->pd->authtok, &pin, NULL,
+ &token_name, NULL,
+ &module_name, NULL,
+ NULL, NULL, NULL, NULL);
+ if (kerr != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_authtok_get_sc failed.\n");
+ goto done;
+ }
 
- for (c = 0; chl->identities[c] != NULL; c++) {
- if (chl->identities[c]->identity != NULL
- && pkinit_identity_matches(chl->identities[c]->identity,
- token_name, module_name)) {
- break;
+ for (c = 0; chl->identities[c] != NULL; c++) {
+ if (chl->identities[c]->identity != NULL
+ && pkinit_identity_matches(chl->identities[c]->identity,
+ token_name, module_name)) {
+ break;
+ }
 }
- }
 
- if (chl->identities[c] == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "No matching identity for [%s][%s] found in pkinit challenge.\n",
- token_name, module_name);
- kerr = EINVAL;
- goto done;
- }
+ if (chl->identities[c] == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "No matching identity for [%s][%s] found in pkinit "
+ "challenge.\n", token_name, module_name);
+ kerr = EINVAL;
+ goto done;
+ }
 
- kerr = krb5_responder_pkinit_set_answer(ctx, rctx,
- chl->identities[c]->identity,
- pin);
- if (kerr != 0) {
- DEBUG(SSSDBG_OP_FAILURE,
- "krb5_responder_set_answer failed.\n");
- }
+ kerr = krb5_responder_pkinit_set_answer(ctx, rctx,
+ chl->identities[c]->identity,
+ pin);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "krb5_responder_set_answer failed.\n");
+ }
 
- goto done;
+ goto done;
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Unexpected authentication token type [%s]\n",
+ sss_authtok_type_to_str(sss_authtok_get_type(kr->pd->authtok)));
+ kerr = EAGAIN;
+ goto done;
+ }
 } else {
- DEBUG(SSSDBG_MINOR_FAILURE, "Unexpected authentication token type [%s]\n",
- sss_authtok_type_to_str(sss_authtok_get_type(kr->pd->authtok)));
+ /* We only expect SSS_PAM_PREAUTH here, but also for all other
+ * commands the graceful solution would be to let the caller
+ * check other authentication methods as well. */
 kerr = EAGAIN;
- goto done;
 }
 
 done:
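Review bot: For a commit whose stated purpose is matching debug messages, the failure branch after `krb5_responder_pkinit_set_answer()` still logs `krb5_responder_set_answer failed.` — a function name that does not appear in this code — and drops the krb5 error code, so a responder failure on the PKINIT PIN path is hard to distinguish from other OP_FAILURE lines in the child log. Since `DEBUG()` already takes format arguments in this hunk, the one-line fix is `DEBUG(SSSDBG_OP_FAILURE, "krb5_responder_pkinit_set_answer failed [%d].\n", kerr);`. Separately, the comment added to the non-AUTHENTICATE `else` branch explains why EAGAIN is returned silently, but the new inner `else` for an unexpected token type under SSS_PAM_AUTHENTICATE ends with `goto done;` immediately before the enclosing block closes and `done:` follows, which reads as a leftover of the old flat structure rather than intent; dropping it, or keeping it with a short comment, would make the control flow clearer. answer_pkinit() begins before this hunk and its `done:` cleanup continues past it, so I have not checked what happens to `kerr` after the label.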