URL: https://github.com/freeipa/freeipa/pull/1671 Author: frozencemetery Title: #1671: Log errors from NSS during FIPS OTP key import Action: opened
PR body: """ This is the requested logging from #1621 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1671/head:pr1671 git checkout pr1671
From 4c6e48f64753aa32fd219f2cbeb56a6c3e8825cf Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Thu, 1 Mar 2018 14:25:55 -0500
Subject: [PATCH] Log errors from NSS during FIPS OTP key import
Signed-off-by: Robbie Harwood <rharw...@redhat.com>
---
 daemons/ipa-slapi-plugins/libotp/hotp.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/libotp/hotp.c b/daemons/ipa-slapi-plugins/libotp/hotp.c
index 0c9de96d37..1b9110ebf8 100644
--- a/daemons/ipa-slapi-plugins/libotp/hotp.c
+++ b/daemons/ipa-slapi-plugins/libotp/hotp.c
@@ -49,7 +49,9 @@
 #include <blapit.h>
 #include <pk11pub.h>
 #include <hasht.h>
+#include <prerror.h>
 #include <prnetdb.h>
+#include <syslog.h>
 struct digest_buffer {
 uint8_t buf[SHA512_LENGTH];
@@ -93,17 +95,27 @@ import_key(PK11SlotInfo *slot, CK_MECHANISM_TYPE mech, SECItem *key)
 PK11_ATTR_SESSION | PK11_ATTR_PRIVATE | PK11_ATTR_SENSITIVE, NULL);
- if (!ekey)
+ if (!ekey) {
+ syslog(LOG_ERR, "libotp: in FIPS, PK11_TokenKeyGenWithFlags failed: %d",
+ PR_GetError());
 goto egress;
+ }
 /* Encrypt the input key. */
 if (PK11_Encrypt(ekey, CKM_AES_CBC_PAD, &ivitem, ctitem.data, &ctitem.len,
- ctitem.len, key->data, key->len) != SECSuccess)
+ ctitem.len, key->data, key->len) != SECSuccess) {
+ syslog(LOG_ERR, "libotp: in FIPS, PK11_Encrypt failed: %d",
+ PR_GetError());
 goto egress;
+ }
 /* Unwrap the input key. */
 skey = PK11_UnwrapSymKey(ekey, CKM_AES_CBC_PAD, &ivitem, &ctitem, mech, CKA_SIGN, key->len);
+ if (!skey) {
+ syslog(LOG_ERR, "libotp: in FIPS, PK11_UnwrapSymKey failed: %d",
+ PR_GetError());
+ }
 egress:
 PK11_FreeSymKey(ekey);
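Review bot: The three new `syslog()` calls in `import_key` log only the raw `PR_GetError()` integer, which an operator triaging a failed OTP key import has to look up by hand in the NSPR/NSS error tables; since `<prerror.h>` is now included, each call could carry the text as well, e.g. `PRErrorCode err = PR_GetError();` followed by `syslog(LOG_ERR, "libotp: in FIPS, PK11_Encrypt failed: %d (%s)", (int)err, PR_ErrorToString(err, PR_LANGUAGE_I_DEFAULT));`. Reading the code into a local first also makes the `%d` argument type explicit instead of relying on `PRErrorCode` being an `int`. Every message states "in FIPS", but nothing visible in the hunk checks the mode (the function starts and ends outside it), so if this path can be reached for any other reason the log line would point the reader the wrong way; a neutral wording such as "wrapped key import" would be safer unless the earlier part of the function guarantees FIPS. The messages rightly contain no key material, and that should stay true if more detail is added later.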