Diffstat (limited to 'src/plugins/preauth')
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 8 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_identity.c | 3 |
2 files changed, 9 insertions, 2 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index ad86ba4e36..0136d4f470 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1030,10 +1030,14 @@ cms_signeddata_create(krb5_context context,
 id_cryptoctx->intermediateCAs);
 X509_STORE_CTX_trusted_stack(&certctx, id_cryptoctx->trustedCAs);
 if (!X509_verify_cert(&certctx)) {
- pkiDebug("failed to create a certificate chain: %s\n",
- X509_verify_cert_error_string(X509_STORE_CTX_get_error(&certctx)));
+ int code = X509_STORE_CTX_get_error(&certctx);
+ const char *msg = X509_verify_cert_error_string(code);
+ pkiDebug("failed to create a certificate chain: %s\n", msg);
 if (!sk_X509_num(id_cryptoctx->trustedCAs))
 pkiDebug("No trusted CAs found. Check your X509_anchors\n");
+ retval = KRB5_PREAUTH_FAILED;
+ krb5_set_error_message(context, retval,
+ _("Cannot create cert chain: %s"), msg);
 goto cleanup;
 }
 certstack = X509_STORE_CTX_get1_chain(&certctx);
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index 39d2a0ed4e..cdee8417e1 100644
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
@@ -548,6 +548,9 @@ pkinit_identity_initialize(krb5_context context,
 idopts->identity_alt[i]);
 }
 } else {
+ retval = KRB5_PREAUTH_FAILED;
+ krb5_set_error_message(context, retval,
+ _("No user identity options specified"));
 pkiDebug("%s: no user identity options specified\n", __FUNCTION__);
 goto errout;
 }
|
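Review bot: The guard `if (!X509_verify_cert(&certctx))` in cms_signeddata_create only catches a return of 0, so the new `retval = KRB5_PREAUTH_FAILED` and `krb5_set_error_message` path is skipped when the call returns a negative value, which OpenSSL documents for exceptional failures. In that case control would fall through to `X509_STORE_CTX_get1_chain(&certctx)` without a verified chain and without the error this commit adds. Testing `if (X509_verify_cert(&certctx) <= 0) {` closes the gap. The function body starts and ends outside the hunk, so how certstack is used afterwards is not visible here.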
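Review bot: The new else branch in pkinit_identity_initialize fails closed when no identity is configured, but nothing in the branch says so; a one-line comment such as `/* No identity configured: fail preauth instead of continuing without a client certificate. */` above `retval = KRB5_PREAUTH_FAILED;` would record the intent. The `errout` label lies outside the hunk, so it is worth confirming that it returns retval unchanged and does not clear the message set here. Otherwise the caller would still see a generic failure.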