Is your feature request related to a problem?
Yes. While experimenting with authenticating within Cockpit (browser WebAuthn with passkeys to a backend PAM module), I've enabled debug mode for pam-u2f to figure out issues between the data provided from the front-end to the PAM module.
The problem is that something is currently failing, and the logs I see do not output the return value of fido_assert_verify, so I'm not entirely sure what is wrong with the data or the mapping.
debug(pam_u2f): pam-u2f.c:147 (pam_sm_authenticate): Maximum number of devices not set. Using default (24)
debug(pam_u2f): pam-u2f.c:170 (pam_sm_authenticate): Requesting authentication for user admin
debug(pam_u2f): pam-u2f.c:181 (pam_sm_authenticate): Found user admin
debug(pam_u2f): pam-u2f.c:182 (pam_sm_authenticate): Home directory for admin is /home/admin
debug(pam_u2f): pam-u2f.c:208 (pam_sm_authenticate): Using authentication file /etc/u2f_mappings
debug(pam_u2f): util.c:228 (parse_native_format): Read 147 bytes
debug(pam_u2f): util.c:232 (parse_native_format): Matched user: admin
debug(pam_u2f): util.c:193 (parse_native_credential): Empty attributes
debug(pam_u2f): util.c:255 (parse_native_format): KeyHandle for device number 1: oq1q4q9o6aApgYT11XUbrKAzfz9jhWR4XZ2GeIG0qik=
debug(pam_u2f): util.c:257 (parse_native_format): publicKey for device number 1: yhE8sR6WDMaq/QFGvo02Rvb6SmRIIoPT+4DF+V8bUgqeDoKGZeU3Dyxsalii2c4bIwpjLZj8YWQZMgObrC9+pQ==
debug(pam_u2f): util.c:259 (parse_native_format): COSE type for device number 1: es256
debug(pam_u2f): util.c:261 (parse_native_format): Attributes for device number 1:
debug(pam_u2f): util.c:777 (get_devices_from_authfile): Found 1 device(s) for user admin
debug(pam_u2f): pam-u2f.c:261 (pam_sm_authenticate): Touch request notifications will be emitted via '/var/run/user/0/pam-u2f-authpending'
debug(pam_u2f): util.c:1016 (prepare_assert): Key handle: oq1q4q9o6aApgYT11XUbrKAzfz9jhWR4XZ2GeIG0qik=
debug(pam_u2f): util.c:1430 (do_manual_authentication): Attempting authentication with device number 1
debug(pam_u2f): util.c:1445 (do_manual_authentication): Challenge: ux6jgNBONovwJL1hU3L5cXLF82srsFFxWTaTxqgHFIE=
cockpit-session: pam: Challenge #1:
cockpit-session: pam: ux6jgNBONovwJL1hU3L5cXLF82srsFFxWTaTxqgHFIE=
localhost
oq1q4q9o6aApgYT11XUbrKAzfz9jhWR4XZ2GeIG0qik=
cockpit-session: pam: Please pass the challenge(s) above to fido2-assert, and paste the results in the prompt below.
cbor_decode_assert_authdata: buf=0x55b05e8f1870, len=37
fido_check_flags: flags=01
fido_check_flags: up=0, uv=0
fido_get_signed_hash: cose_alg=-7
es256_verify_sig: EVP_PKEY_verify
es256_pk_verify_sig: es256_verify_sig
debug(pam_u2f): pam-u2f.c:316 (pam_sm_authenticate): alwaysok needed (otherwise return with 7)
debug(pam_u2f): pam-u2f.c:319 (pam_sm_authenticate): done. [Success]
See the current code:
Lines 1484 to 1489 in b5846bb
      r = fido_assert_verify(assert[i], 0, pk[i].type, pk[i].ptr);
      if (r == FIDO_OK) {
        retval = PAM_SUCCESS;
        break;
      }
    }
Describe the solution that you'd like
I'd love to see debug output when the return code of fido_assert_verify isn't FIDO_OK, for easier debugging.
Describe the alternatives that you've considered
Currently looking at the libfido2 code to see the most reasonable exit code given the debug logs.
Additional context
For the record, the data I sent back to pam-u2f is this:
eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoidXg2amdOQk9Ob3Z3SkwxaFUzTDVjWExGODJzcnNGRnhXVGFUeHFnSEZJRSIsIm9yaWdpbiI6Imh0dHBzOi8vbG9jYWxob3N0OjkwOTEiLCJjcm9zc09yaWdpbiI6ZmFsc2UsIm90aGVyX2tleXNfY2FuX2JlX2FkZGVkX2hlcmUiOiJkbyBub3QgY29tcGFyZSBjbGllbnREYXRhSlNPTiBhZ2FpbnN0IGEgdGVtcGxhdGUuIFNlZSBodHRwczovL2dvby5nbC5xano5emsveWFiUGV4In0=
localhost
WCVJlg3liA6MaHQ0Fw9kdmBbj+SuuaKGMseZXPO6gx2XYwEAAAAC
MEUCIAt6A8PJAUtgyMo6bOtxnAuoSYSs4Mnzt8+s/TW1bY75AiEAvf4nI+YI/XKVYywWQv9KE9sTm5Dbuh3zKSmru0Vfq+8=
with the mapping:
admin:oq1q4q9o6aApgYT11XUbrKAzfz9jhWR4XZ2GeIG0qik=,yhE8sR6WDMaq/QFGvo02Rvb6SmRIIoPT+4DF+V8bUgqeDoKGZeU3Dyxsalii2c4bIwpjLZj8YWQZMgObrC9+pQ==,es256,
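The checks that the missing debug line would have hinted at can be run on the pasted data without a token. The script below is an added example, not pam-u2f or libfido2 code: it takes the challenge, the mapping line and the four pasted lines from this issue and reports what a verifier would see. It tells whether line 1 is a 32-byte client data hash (the format `fido2-assert -G` prints) or a full WebAuthn clientDataJSON, whether the challenge inside it matches the one pam-u2f issued (pam-u2f prints padded base64, the browser writes unpadded base64url, so bytes are compared rather than strings), whether the authData carries the CBOR byte-string header that fido2-assert emits, whether its rpIdHash is SHA-256 of the rpId line, the UP/UV flags and the counter, and, only if the third-party `cryptography` package is installed, whether the ES256 signature verifies over authData || SHA-256(clientDataJSON), which is what WebAuthn signs. It assumes that pam-u2f's manual mode expects the same four lines fido2-assert prints and decodes line 1 straight into fido_assert_set_clientdata_hash; check that against the util.c revision you actually run.

```python
# Added example (not pam-u2f/libfido2 code): pre-flight the four lines pasted
# into pam-u2f manual mode before fido_assert_verify() would see them.
import base64
import hashlib
import json
import struct
from urllib.parse import urlsplit

# Inputs copied verbatim from the issue text above.
PAM_CHALLENGE_B64 = "ux6jgNBONovwJL1hU3L5cXLF82srsFFxWTaTxqgHFIE="
MAPPING_LINE = (
    "admin:oq1q4q9o6aApgYT11XUbrKAzfz9jhWR4XZ2GeIG0qik=,"
    "yhE8sR6WDMaq/QFGvo02Rvb6SmRIIoPT+4DF+V8bUgqeDoKGZeU3Dyxsalii2c4bIwpjLZj8YWQZMgObrC9+pQ==,"
    "es256,")
PASTED_RESPONSE = """\
eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoidXg2amdOQk9Ob3Z3SkwxaFUzTDVjWExGODJzcnNGRnhXVGFUeHFnSEZJRSIsIm9yaWdpbiI6Imh0dHBzOi8vbG9jYWxob3N0OjkwOTEiLCJjcm9zc09yaWdpbiI6ZmFsc2UsIm90aGVyX2tleXNfY2FuX2JlX2FkZGVkX2hlcmUiOiJkbyBub3QgY29tcGFyZSBjbGllbnREYXRhSlNPTiBhZ2FpbnN0IGEgdGVtcGxhdGUuIFNlZSBodHRwczovL2dvby5nbC5xano5emsveWFiUGV4In0=
localhost
WCVJlg3liA6MaHQ0Fw9kdmBbj+SuuaKGMseZXPO6gx2XYwEAAAAC
MEUCIAt6A8PJAUtgyMo6bOtxnAuoSYSs4Mnzt8+s/TW1bY75AiEAvf4nI+YI/XKVYywWQv9KE9sTm5Dbuh3zKSmru0Vfq+8=
"""


def b64_any(s):
    """Decode standard or URL-safe base64, with or without '=' padding."""
    s = s.strip().replace("-", "+").replace("_", "/")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_mapping(line):
    """user:keyHandle,publicKey,coseType,attributes (pam-u2f native format)."""
    user, creds = line.split(":", 1)
    key_handle, pubkey, cose = creds.split(",")[:3]
    return {"user": user, "key_handle": b64_any(key_handle),
            "pubkey": b64_any(pubkey), "cose": cose}


def unwrap_cbor_bstr(buf):
    """fido2-assert prints authData as a CBOR byte string (0x58 <len> ...)."""
    if len(buf) >= 2 and buf[0] == 0x58 and buf[1] == len(buf) - 2:
        return buf[2:], True
    return buf, False


def verify_es256(pubkey_xy, data, sig_der):
    """ECDSA P-256/SHA-256 check with the raw 64-byte X||Y key from the mapping.
    Returns None when the optional 'cryptography' package is not installed."""
    try:
        from cryptography.exceptions import InvalidSignature
        from cryptography.hazmat.primitives import hashes
        from cryptography.hazmat.primitives.asymmetric import ec
    except ImportError:
        return None
    x = int.from_bytes(pubkey_xy[:32], "big")
    y = int.from_bytes(pubkey_xy[32:64], "big")
    try:
        key = ec.EllipticCurvePublicNumbers(x, y, ec.SECP256R1()).public_key()
        key.verify(sig_der, data, ec.ECDSA(hashes.SHA256()))
        return True
    except (ValueError, InvalidSignature):  # bad point or bad signature
        return False


def check_response(pam_challenge_b64, mapping_line, pasted):
    lines = [l.strip() for l in pasted.splitlines() if l.strip()]
    if len(lines) != 4:
        raise ValueError("expected 4 lines: clientdata, rpId, authdata, signature")
    first, rp_id, authdata_b64, sig_b64 = lines
    cred = parse_mapping(mapping_line)
    first_bytes, expected = b64_any(first), b64_any(pam_challenge_b64)
    rep = {"cose": cred["cose"], "pubkey_len": len(cred["pubkey"]),
           "rp_id": rp_id, "first_line_len": len(first_bytes)}
    if len(first_bytes) == 32:
        # fido2-assert form: line 1 is the client data hash it was given.
        rep["first_line"] = "clientDataHash"
        rep["challenge_matches"] = first_bytes == expected
        cd_hash = first_bytes
    else:
        # Browser form: full clientDataJSON with a base64url challenge inside.
        rep["first_line"] = "clientDataJSON"
        cd = json.loads(first_bytes)
        rep["client_type"] = cd.get("type")
        rep["challenge_matches"] = b64_any(cd.get("challenge", "")) == expected
        rep["origin_host"] = urlsplit(cd.get("origin", "")).hostname
        rep["origin_matches_rp_id"] = rep["origin_host"] == rp_id
        cd_hash = hashlib.sha256(first_bytes).digest()
    authdata, wrapped = unwrap_cbor_bstr(b64_any(authdata_b64))
    if len(authdata) < 37:
        raise ValueError("authData shorter than rpIdHash+flags+counter")
    rep["authdata_cbor_wrapped"], rep["authdata_len"] = wrapped, len(authdata)
    rep["rp_id_hash_matches"] = authdata[:32] == hashlib.sha256(rp_id.encode()).digest()
    flags = authdata[32]
    rep["flags"], rep["user_present"], rep["user_verified"] = flags, bool(flags & 1), bool(flags & 4)
    rep["counter"] = struct.unpack(">I", authdata[33:37])[0]
    sig = b64_any(sig_b64)
    rep["sig_der"] = len(sig) >= 2 and sig[0] == 0x30 and len(sig) == sig[1] + 2
    # WebAuthn/ES256 signs authData || SHA-256(clientDataJSON); the manual path
    # (assumption, see lead-in) uses line 1 as the hash exactly as pasted.
    rep["signed_webauthn"] = authdata + cd_hash
    rep["signed_as_pasted"] = authdata + first_bytes
    rep["signature_ok_webauthn"] = verify_es256(cred["pubkey"], rep["signed_webauthn"], sig)
    rep["signature_ok_as_pasted"] = verify_es256(cred["pubkey"], rep["signed_as_pasted"], sig)
    return rep


if __name__ == "__main__":
    for k, v in check_response(PAM_CHALLENGE_B64, MAPPING_LINE, PASTED_RESPONSE).items():
        print(f"{k}: {v.hex() if isinstance(v, bytes) else v}")
```

On the data in this issue the structural checks all pass (challenge matches, rpIdHash is SHA-256 of "localhost", UP set, UV clear, counter 2, DER signature of 71 bytes), and line 1 decodes to a clientDataJSON of well over 32 bytes rather than a hash, so the two candidate signed messages differ; that is exactly the kind of distinction a logged return code from fido_assert_verify would not spell out either, which is why checking the inputs separately is worth it. One caveat on reading the trace above: in libfido2's es256.c the lines `es256_verify_sig: EVP_PKEY_verify` and `es256_pk_verify_sig: es256_verify_sig` are emitted from the failure branches of those calls, so that trace already says the signature check, not the authData CBOR decode, is what rejected the assertion.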