Diffstat (limited to 'src/plugins/preauth')
-rw-r--r--src/plugins/preauth/pkinit/pkinit_crypto_openssl.c8
-rw-r--r--src/plugins/preauth/pkinit/pkinit_identity.c3
2 files changed, 9 insertions, 2 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index ad86ba4e36..0136d4f470 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1030,10 +1030,14 @@ cms_signeddata_create(krb5_context context,
id_cryptoctx->intermediateCAs);
X509_STORE_CTX_trusted_stack(&certctx, id_cryptoctx->trustedCAs);
if (!X509_verify_cert(&certctx)) {
- pkiDebug("failed to create a certificate chain: %s\n",
- X509_verify_cert_error_string(X509_STORE_CTX_get_error(&certctx)));
+ int code = X509_STORE_CTX_get_error(&certctx);
+ const char *msg = X509_verify_cert_error_string(code);
+ pkiDebug("failed to create a certificate chain: %s\n", msg);
if (!sk_X509_num(id_cryptoctx->trustedCAs))
pkiDebug("No trusted CAs found. Check your X509_anchors\n");
+ retval = KRB5_PREAUTH_FAILED;
+ krb5_set_error_message(context, retval,
+ _("Cannot create cert chain: %s"), msg);
goto cleanup;
}
certstack = X509_STORE_CTX_get1_chain(&certctx);
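Review bot: The guard `if (!X509_verify_cert(&certctx))` treats only a return of 0 as failure, but OpenSSL documents that X509_verify_cert() can also return a negative value in exceptional cases. Such a return would bypass the new KRB5_PREAUTH_FAILED path and fall through to `X509_STORE_CTX_get1_chain(&certctx)` on a context whose verification did not succeed. Testing `if (X509_verify_cert(&certctx) <= 0) {` would send both outcomes through the error message added here. The setup of `certctx` and the `cleanup` label are outside this hunk, so it is worth confirming that the label releases the store context on this early exit.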
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index 39d2a0ed4e..cdee8417e1 100644
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
@@ -548,6 +548,9 @@ pkinit_identity_initialize(krb5_context context,
idopts->identity_alt[i]);
}
} else {
+ retval = KRB5_PREAUTH_FAILED;
+ krb5_set_error_message(context, retval,
+ _("No user identity options specified"));
pkiDebug("%s: no user identity options specified\n", __FUNCTION__);
goto errout;
}