Add more friendly error messages with pkinit
authorHenryJacques <caramba696@gmail.com>
Mon, 20 Jul 2015 10:20:57 +0000 (12:20 +0200)
committerHenryJacques <caramba696@gmail.com>
Mon, 20 Jul 2015 10:20:57 +0000 (12:20 +0200)
This change depends on the HX509_PKCS11_* error codes being defined in hx509_err.h.
Those codes are introduced by Heimdal PR #136 (https://github.com/heimdal/heimdal/pull/136).

auth.c

diff --git a/auth.c b/auth.c
index 7ef69638409e957f95d7b782133e341ec6e50020..99e283e07fe9850a89af513b24f0c6675054f179 100644 (file)
--- a/auth.c
+++ b/auth.c
@@ -729,10 +729,37 @@ pamk5_password_auth(struct pam_args *args, const char *service,
         if (retval == 0)
             goto verify;
         putil_debug_krb5(args, retval, "pkinit failed");
-        if (retval != HX509_PKCS11_NO_TOKEN && retval != HX509_PKCS11_NO_SLOT)
-            goto done;
         if (retval != 0 && args->config->use_pkinit)
+        {
+#ifdef HAVE_HX509_ERR_H
+            switch(retval)
+            {
+                case HX509_PKCS11_PIN_LOCKED:
+                    pamk5_conv(args, "User PIN locked.",
+                       PAM_TEXT_INFO, NULL);
+                break; 
+                case HX509_PKCS11_PIN_EXPIRED:
+                    pamk5_conv(args, "User PIN expired.",
+                       PAM_TEXT_INFO, NULL);
+                break; 
+                case HX509_PKCS11_PIN_INCORRECT:
+                    pamk5_conv(args, "User PIN incorrect.",
+                       PAM_TEXT_INFO, NULL);
+                break; 
+                case HX509_PKCS11_PIN_NOT_INITIALIZED:
+                    pamk5_conv(args, "User PIN not initialized.",
+                       PAM_TEXT_INFO, NULL);
+                break; 
+                default:
+                    pamk5_conv(args, "pkinit failed.",
+                       PAM_TEXT_INFO, NULL);
+            }
+#endif
             goto done;
+        }
+        if (retval != HX509_PKCS11_NO_TOKEN && retval != HX509_PKCS11_NO_SLOT)
+            goto done;
+
     }
 #else
     if (args->config->use_pkinit) {
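Review bot: The `#ifdef HAVE_HX509_ERR_H` guard around the new switch only establishes that the header exists, while the description says the HX509_PKCS11_PIN_* codes first appear with Heimdal PR #136, so a Heimdal that ships hx509_err.h without those codes still fails to compile here; guarding on the codes themselves, `#ifdef HX509_PKCS11_PIN_LOCKED` (or a configure check for them), matches what the commit message actually requires. Every pamk5_conv() return value in the switch is dropped, which is probably acceptable for informational text, but the calls presumably should also be skipped when the application passed PAM_SILENT if the module honors that flag for its other user-facing messages (not visible in this hunk). On style, the `{` placed on its own line after the if and after `switch`, and `break;` aligned with `case` rather than with the case body, differ from the K&R layout visible at the end of the hunk (`if (args->config->use_pkinit) {`). The enclosing pamk5_password_auth body starts and ends outside the hunk.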