diff options
author | Greg Hudson <ghudson@mit.edu> | 2014-04-28 03:58:32 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2014-05-07 12:56:15 -0400 |
commit | eba8c4909ec7ba0d7054d5d1b1061319e9970cc7 (patch) | |
tree | b10c91ffb967d767546c8fa87c105a712b116494 /src/include/k5-trace.h | |
parent | 035eb79b3f250b690502c66aaf664410b1d0e7e0 (diff) | |
download | krb5-eba8c4909ec7ba0d7054d5d1b1061319e9970cc7.zip krb5-eba8c4909ec7ba0d7054d5d1b1061319e9970cc7.tar.gz krb5-eba8c4909ec7ba0d7054d5d1b1061319e9970cc7.tar.bz2 |
Improve krb5_rd_req decryption failure errors
When krb5_rd_req cannot decrypt a ticket, try to produce the most
helpful diagnostic we can, and return an error code which corresponds
to the most applicable Kerberos protocol error. Add a trace log
containing the error message for ticket decryption failures, in case
the application server does not log it.
Add new tests to cover krb5_rd_req error messages and adjust existing
tests to match the new messages. Also adjust svc_auth_gssapi.c to
look for KRB5KRB_AP_ERR_NOT_US instead of KRB5KRB_AP_WRONG_PRINC.
ticket: 7232
Diffstat (limited to 'src/include/k5-trace.h')
-rw-r--r-- | src/include/k5-trace.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h index 71ce73e..dfd34f6 100644 --- a/src/include/k5-trace.h +++ b/src/include/k5-trace.h @@ -301,6 +301,8 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); #define TRACE_RD_REQ_DECRYPT_SPECIFIC(c, princ, keyblock) \ TRACE(c, "Decrypted AP-REQ with specified server principal {princ}: " \ "{keyblock}", princ, keyblock) +#define TRACE_RD_REQ_DECRYPT_FAIL(c, err) \ + TRACE(c, "Failed to decrypt AP-REQ ticket: {kerr}", err) #define TRACE_RD_REQ_NEGOTIATED_ETYPE(c, etype) \ TRACE(c, "Negotiated enctype based on authenticator: {etype}", \ etype) |