URL: https://github.com/freeipa/freeipa/pull/1671
Author: frozencemetery
 Title: #1671: Log errors from NSS during FIPS OTP key import
Action: opened

PR body:
"""
This is the requested logging from #1621 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1671/head:pr1671
git checkout pr1671
From 4c6e48f64753aa32fd219f2cbeb56a6c3e8825cf Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Thu, 1 Mar 2018 14:25:55 -0500
Subject: [PATCH] Log errors from NSS during FIPS OTP key import

Signed-off-by: Robbie Harwood <rharw...@redhat.com>
---
 daemons/ipa-slapi-plugins/libotp/hotp.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/libotp/hotp.c b/daemons/ipa-slapi-plugins/libotp/hotp.c
index 0c9de96d37..1b9110ebf8 100644
--- a/daemons/ipa-slapi-plugins/libotp/hotp.c
+++ b/daemons/ipa-slapi-plugins/libotp/hotp.c
@@ -49,7 +49,9 @@
 #include <blapit.h>
 #include <pk11pub.h>
 #include <hasht.h>
+#include <prerror.h>
 #include <prnetdb.h>
+#include <syslog.h>
 
 struct digest_buffer {
     uint8_t buf[SHA512_LENGTH];
@@ -93,17 +95,27 @@ import_key(PK11SlotInfo *slot, CK_MECHANISM_TYPE mech, SECItem *key)
                                      PK11_ATTR_SESSION |
                                      PK11_ATTR_PRIVATE |
                                      PK11_ATTR_SENSITIVE, NULL);
-    if (!ekey)
+    if (!ekey) {
+        syslog(LOG_ERR, "libotp: in FIPS, PK11_TokenKeyGenWithFlags failed: %d",
+               PR_GetError());
         goto egress;
+    }
 
     /* Encrypt the input key. */
     if (PK11_Encrypt(ekey, CKM_AES_CBC_PAD, &ivitem, ctitem.data, &ctitem.len,
-                     ctitem.len, key->data, key->len) != SECSuccess)
+                     ctitem.len, key->data, key->len) != SECSuccess) {
+        syslog(LOG_ERR, "libotp: in FIPS, PK11_Encrypt failed: %d",
+               PR_GetError());
         goto egress;
+    }
 
     /* Unwrap the input key. */
     skey = PK11_UnwrapSymKey(ekey, CKM_AES_CBC_PAD, &ivitem,
                              &ctitem, mech, CKA_SIGN, key->len);
+    if (!skey) {
+        syslog(LOG_ERR, "libotp: in FIPS, PK11_UnwrapSymKey failed: %d",
+               PR_GetError());
+    }
 
 egress:
     PK11_FreeSymKey(ekey);
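Review bot: The three new syslog() calls in import_key log only the raw integer from PR_GetError(), so an operator triaging failed OTP authentication on a FIPS host has to look the code up by hand in the NSS/NSPR headers. Capturing the code once and logging its symbolic name as well would make each entry actionable, e.g. `PRErrorCode err = PR_GetError();` followed by `syslog(LOG_ERR, "libotp: in FIPS, PK11_Encrypt failed: %d (%s)", (int)err, name ? name : "unknown");` with `name = PR_ErrorToName(err)`. PR_ErrorToName is declared in the prerror.h that the first hunk already includes, and it can return NULL for a code it does not recognise, hence the guard. The messages rightly contain no key or IV bytes, and a one-line comment above the first call saying so (`/* Log the NSS error code only; never log key material. */`) would help keep it that way. import_key starts before this hunk and continues past it, so whether the caller also reports the NULL return cannot be seen from here.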