krb5: check for PIN locked in error message

sumit-bose · sumit-bose · commit bc91676e2289 · 2026-01-23T15:54:33.000+01:00
Currently the PIN locked message is only displays if the Smartcard
authentication is done locally, e.g. if the system is offline. During
pkinit libkrb5 does not send a dedicated error code but the error
message generated by the library contains a hint.

This patch checks the libkrb5 error message in case the authentication
fails with the pre-authentication failed error code. This is a bit
tricky because 'krb5_get_error_message()' currently only returns a
defined result at the first call after a failed library call.
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
@@ -125,18 +125,47 @@ struct krb5_req {
 
 static krb5_context krb5_error_ctx;
 
+static inline void debug_and_log(int level, int line,
+                                 krb5_error_code krb5_error,
+                                 const char *krb5_error_msg)
+{
+    DEBUG(level, "%d: [%d][%s]\n", line, krb5_error, krb5_error_msg);
+    if (level & (SSSDBG_CRIT_FAILURE | SSSDBG_FATAL_FAILURE)) {
+         sss_log(SSS_LOG_ERR, "%s", krb5_error_msg);
+    }
+
+    return;
+}
+
 #define KRB5_CHILD_DEBUG_INT(level, errctx, krb5_error) do { \
     const char *__krb5_error_msg; \
     __krb5_error_msg = sss_krb5_get_error_message(errctx, krb5_error); \
-    DEBUG(level, "%d: [%d][%s]\n", __LINE__, krb5_error, __krb5_error_msg); \
-    if (level & (SSSDBG_CRIT_FAILURE | SSSDBG_FATAL_FAILURE)) { \
-         sss_log(SSS_LOG_ERR, "%s", __krb5_error_msg); \
-    } \
+    debug_and_log(level, __LINE__, krb5_error, __krb5_error_msg); \
     sss_krb5_free_error_message(errctx, __krb5_error_msg); \
 } while(0)
 
 #define KRB5_CHILD_DEBUG(level, error) KRB5_CHILD_DEBUG_INT(level, krb5_error_ctx, error)
 
+static bool debug_and_check_if_pin_locked_error(krb5_context ctx, int level,
+                                                krb5_error_code krb5_error)
+{
+    const char *krb5_error_msg;
+    bool res = false;
+
+    /* sss_krb5_free_error_message() never returns NULL */
+    krb5_error_msg = sss_krb5_get_error_message(ctx, krb5_error);
+
+    if (strstr(krb5_error_msg, "pin locked") != NULL) {
+        res = true;
+    }
+
+    debug_and_log(level, __LINE__, krb5_error, krb5_error_msg);
+
+    sss_krb5_free_error_message(ctx, krb5_error_msg);
+
+    return res;
+}
+
 static krb5_error_code get_tgt_times(krb5_context ctx, const char *ccname,
                                      krb5_principal server_principal,
                                      krb5_principal client_principal,
@@ -2404,6 +2433,7 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
     char *cc_name;
     int ret;
     char *identity = NULL;
+    const uint32_t user_info_pin_locked = SSS_PAM_USER_INFO_PIN_LOCKED;
 
     kerr = sss_krb5_get_init_creds_opt_set_expire_callback(kr->ctx, kr->options,
                                                   sss_krb5_expire_callback_func,
@@ -2469,7 +2499,32 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
         return 0;
     } else {
         if (kerr != 0) {
-            KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+            /* If
+             *  - during authentication
+             *  - the pre-authentication failed
+             *  - while Smartcard authentication was possible
+             *  - and Smartcard credentials were available
+             *  check if the PIN might be locked.
+             * Must be called before/instead of KRB5_CHILD_DEBUG because
+             * krb5_get_error_message() might only return the proper error
+             * message at the first call. */
+            if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
+                    && kerr == KRB5_PREAUTH_FAILED
+                    && kr->pkinit_prompting == true
+                    && IS_SC_AUTHTOK(kr->pd->authtok) ) {
+                if (debug_and_check_if_pin_locked_error(kr->ctx,
+                                                  SSSDBG_CRIT_FAILURE, kerr) ) {
+                    ret = pam_add_response(kr->pd, SSS_PAM_USER_INFO,
+                                           sizeof(uint32_t),
+                                           (const uint8_t *) &user_info_pin_locked);
+                    if (ret != EOK) {
+                        DEBUG(SSSDBG_OP_FAILURE,
+                              "Failed to add PIN locked message.\n");
+                    }
+                }
+            } else {
+                KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+            }
 
             if (kerr == EAGAIN) {
                 /* The most probable reason for krb5_get_init_creds_password()
