authorKen Raeburn <raeburn@mit.edu>2007-08-16 22:55:06 +0000
committerKen Raeburn <raeburn@mit.edu>2007-08-16 22:55:06 +0000
commitc15ec7751a7d7c1d97dbeb1dd88dda2a328515e0 (patch)
tree824bd8c158b1c5b72913515953c7e8576399d912 /src/lib/rpc
parent9db2f5eb745287654117e70032d05dd9f5a91a3f (diff)
remap mechanism-specific status codes in mechglue/spnego
This patch creates a mapping in the mechglue/spnego code to modify mechanism status codes when passing them back to the application, so that mechglue's display_status dispatcher can determine the correct mechanism to dispatch to. This is part of the "get enhanced error messages from gssapi applications" project; ticket 5590 has updates to the Kerberos 5 mechanism to extract enhanced error messages (when there are any) from the Kerberos library. util/gen.pl, util/t_*.pm: New code generation script and templates. lib/gssapi/generic: Add a new, global mapping that enumerates the {mechOID,status} pairs as they're seen, allowing a magic mechOID value to indicate com_err error codes from mechglue and spnego, and reserving status code 0 for unknown errors. Preload the Kerberos "wrong principal" error code once for each mechanism OID used for Kerberos, so the entries get fixed positions (1-3) in the table. lib/gssapi/gss_libinit.c: Call the initializer and destructor functions. lib/gssapi/mechglue, lib/gssapi/spnego: Enter all mechanism-generated or locally-generated status codes into the mapping table, and return the table index to the application. Do the reverse in display_status, to get the messages from the mechanism. lib/rpc: Define new function gssrpcint_printf to use for debugging instead of printf, to redirect output away from dejagnu; add a couple more debugging calls. Check for minor status codes 1-3 now instead of KRB5KRB_AP_WRONG_PRINC. tests/dejagnu/krb-standalone/gssftp.exp: Test getting more detailed error messages back, by having the ftp client attempt to authenticate to a non-existent service, and examining the error message for the service principal name. ticket: new git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19831 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/rpc')
-rw-r--r--src/lib/rpc/auth_gssapi_misc.c6
-rw-r--r--src/lib/rpc/svc_auth_gssapi.c27
2 files changed, 31 insertions, 2 deletions
diff --git a/src/lib/rpc/auth_gssapi_misc.c b/src/lib/rpc/auth_gssapi_misc.c
index 3e87820..89569f0 100644
--- a/src/lib/rpc/auth_gssapi_misc.c
+++ b/src/lib/rpc/auth_gssapi_misc.c
@@ -15,7 +15,8 @@
#ifdef DEBUG_GSSAPI
int misc_debug_gssapi = DEBUG_GSSAPI;
-#define L_PRINTF(l,args) if (misc_debug_gssapi >= l) printf args
+extern void gssrpcint_printf(const char *, ...);
+#define L_PRINTF(l,args) if (misc_debug_gssapi >= l) gssrpcint_printf args
#define PRINTF(args) L_PRINTF(99, args)
#define AUTH_GSSAPI_DISPLAY_STATUS(args) \
if (misc_debug_gssapi) auth_gssapi_display_status args
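Review bot: The prototype `extern void gssrpcint_printf(const char *, ...);` is written by hand in this .c file, so nothing checks it against the definition in svc_auth_gssapi.c and callers get no format-string checking. Moving the declaration to a shared internal header and, where the compiler supports it, tagging it `__attribute__((format(printf, 1, 2)))` would let `-Wformat` flag mismatched arguments in the new debug calls. The rewritten `L_PRINTF` is still an unbraced `if`, so it will capture a following `else`; wrapping it as `do { if (...) gssrpcint_printf args; } while (0)` avoids that.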
@@ -178,6 +179,9 @@ static void auth_gssapi_display_status_1(
fprintf (stderr, "GSS-API authentication error %s: ", m);
fwrite (msg.value, msg.length, 1, stderr);
putc ('\n', stderr);
+ if (misc_debug_gssapi)
+ gssrpcint_printf("GSS-API authentication error %s: %*s\n",
+ m, msg.length, msg.value);
(void) gss_release_buffer(&minor_stat, &msg);
if (!msg_ctx)
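Review bot: The added `gssrpcint_printf` call uses `%*s`, which sets a minimum field width rather than a maximum, so output still runs until a NUL byte. The `fwrite` just above treats `msg.value` as a length-delimited buffer, so if it is not NUL-terminated this debug print reads past its end. The `*` argument must also be an `int`, while `msg.length` is presumably a `size_t`, and `msg.value` needs a `char *` cast. Suggested: `gssrpcint_printf("GSS-API authentication error %s: %.*s\n", m, (int) msg.length, (char *) msg.value);`. The body of auth_gssapi_display_status_1 starts and ends outside this hunk.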
diff --git a/src/lib/rpc/svc_auth_gssapi.c b/src/lib/rpc/svc_auth_gssapi.c
index a18ab68..cb1e8f9 100644
--- a/src/lib/rpc/svc_auth_gssapi.c
+++ b/src/lib/rpc/svc_auth_gssapi.c
@@ -45,7 +45,26 @@
#ifdef DEBUG_GSSAPI
int svc_debug_gssapi = DEBUG_GSSAPI;
-#define L_PRINTF(l,args) if (svc_debug_gssapi >= l) printf args
+void gssrpcint_printf(const char *format, ...)
+{
+ va_list ap;
+ va_start(ap, format);
+#if 1
+ vprintf(format, ap);
+#else
+ {
+ static FILE *f;
+ if (f == NULL)
+ f = fopen("/dev/pts/4", "a");
+ if (f) {
+ vfprintf(f, format, ap);
+ fflush(f);
+ }
+ }
+#endif
+ va_end(ap);
+}
+#define L_PRINTF(l,args) if (svc_debug_gssapi >= l) gssrpcint_printf args
#define PRINTF(args) L_PRINTF(99, args)
#define AUTH_GSSAPI_DISPLAY_STATUS(args) \
if (svc_debug_gssapi) auth_gssapi_display_status args
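Review bot: The `#else` branch of `gssrpcint_printf` hard-codes `/dev/pts/4` as the debug sink. It is compiled out by `#if 1`, but flipping that switch would append authentication debug output to whichever terminal holds that pty, which may belong to another user. I would drop the branch, or take the path from a build-time macro and document it with `/* DEBUG only: alternate sink so dejagnu does not capture debug output */`. The function uses `va_list`, so `<stdarg.h>` must be included; that include is not visible in this hunk.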
@@ -383,6 +402,8 @@ enum auth_stat gssrpc__svcauth_gssapi(
if (server_creds == client_data->server_creds)
break;
+ gssrpcint_printf("accept_sec_context returned 0x%x 0x%x\n",
+ call_res.gss_major, call_res.gss_minor);
if (call_res.gss_major == GSS_S_COMPLETE ||
call_res.gss_major == GSS_S_CONTINUE_NEEDED) {
/* server_creds was right, set it! */
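Review bot: The added `gssrpcint_printf` call is not gated on `svc_debug_gssapi`, unlike the debug prints that go through `L_PRINTF`/`PRINTF`. It therefore appears to write the major and minor status to stdout on every pass through the credential loop, even with debugging off. It also calls a function that this commit defines only under `#ifdef DEBUG_GSSAPI`, so a build without that macro would presumably fail to link; no guard around the call is visible in the hunk. Suggested: `PRINTF(("accept_sec_context returned 0x%x 0x%x\n", call_res.gss_major, call_res.gss_minor));`. gssrpc__svcauth_gssapi starts and ends outside the hunk.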
@@ -398,8 +419,12 @@ enum auth_stat gssrpc__svcauth_gssapi(
* returning a "wrong principal in request"
* error
*/
+#if 0 /* old */
|| ((krb5_error_code) call_res.gss_minor !=
(krb5_error_code) KRB5KRB_AP_WRONG_PRINC)
+#else
+ || (call_res.gss_minor <= 0 || call_res.gss_minor > 3)
+#endif
#endif
) {
break;
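Review bot: The new test `call_res.gss_minor <= 0 || call_res.gss_minor > 3` hard-codes table positions 1-3, which the commit message says are preloaded for the Kerberos "wrong principal" code, but nothing in the code names or explains that coupling. This condition decides whether the server moves on to another credential, so a change to the preload order in lib/gssapi/generic would silently change authentication behaviour here. I would add `/* mapped minor codes 1-3 are the preloaded KRB5KRB_AP_WRONG_PRINC entries, one per krb5 mech OID */` and replace `3` with a named constant shared with the mapping code. If `gss_minor` is an unsigned type, `<= 0` is just `== 0`, and the `#if 0 /* old */` block could be deleted rather than kept. The enclosing condition starts outside the hunk.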