author | Ken Raeburn <raeburn@mit.edu> | 2007-08-16 22:55:06 +0000 |
---|---|---|
committer | Ken Raeburn <raeburn@mit.edu> | 2007-08-16 22:55:06 +0000 |
commit | c15ec7751a7d7c1d97dbeb1dd88dda2a328515e0 (patch) | |
tree | 824bd8c158b1c5b72913515953c7e8576399d912 /src/lib/rpc | |
parent | 9db2f5eb745287654117e70032d05dd9f5a91a3f (diff) | |
remap mechanism-specific status codes in mechglue/spnego
This patch creates a mapping in the mechglue/spnego code to modify
mechanism status codes when passing them back to the application, so
that mechglue's display_status dispatcher can determine the correct
mechanism to dispatch to.
This is part of the "get enhanced error messages from gssapi
applications" project; ticket 5590 has updates to the Kerberos 5
mechanism to extract enhanced error messages (when there are any) from
the Kerberos library.
util/gen.pl, util/t_*.pm: New code generation script and templates.
lib/gssapi/generic: Add a new, global mapping that enumerates the
{mechOID,status} pairs as they're seen, allowing a magic mechOID value
to indicate com_err error codes from mechglue and spnego, and
reserving status code 0 for unknown errors. Preload the Kerberos
"wrong principal" error code once for each mechanism OID used for
Kerberos, so the entries get fixed positions (1-3) in the table.
lib/gssapi/gss_libinit.c: Call the initializer and destructor
functions.
lib/gssapi/mechglue, lib/gssapi/spnego: Enter all mechanism-generated
or locally-generated status codes into the mapping table, and return
the table index to the application. Do the reverse in display_status,
to get the messages from the mechanism.
lib/rpc: Define new function gssrpcint_printf to use for debugging
instead of printf, to redirect output away from dejagnu; add a couple
more debugging calls. Check for minor status codes 1-3 now instead of
KRB5KRB_AP_WRONG_PRINC.
tests/dejagnu/krb-standalone/gssftp.exp: Test getting more detailed
error messages back, by having the ftp client attempt to authenticate
to a non-existent service, and examining the error message for the
service principal name.
ticket: new
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19831 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/rpc')
-rw-r--r-- | src/lib/rpc/auth_gssapi_misc.c | 6 | ||||
-rw-r--r-- | src/lib/rpc/svc_auth_gssapi.c | 27 |
2 files changed, 31 insertions, 2 deletions
diff --git a/src/lib/rpc/auth_gssapi_misc.c b/src/lib/rpc/auth_gssapi_misc.c
index 3e87820..89569f0 100644
--- a/src/lib/rpc/auth_gssapi_misc.c
+++ b/src/lib/rpc/auth_gssapi_misc.c
@@ -15,7 +15,8 @@
 #ifdef DEBUG_GSSAPI
 int misc_debug_gssapi = DEBUG_GSSAPI;
-#define L_PRINTF(l,args) if (misc_debug_gssapi >= l) printf args
+extern void gssrpcint_printf(const char *, ...);
+#define L_PRINTF(l,args) if (misc_debug_gssapi >= l) gssrpcint_printf args
 #define PRINTF(args) L_PRINTF(99, args)
 #define AUTH_GSSAPI_DISPLAY_STATUS(args) \
 if (misc_debug_gssapi) auth_gssapi_display_status args
@@ -178,6 +179,9 @@ static void auth_gssapi_display_status_1(
 fprintf (stderr, "GSS-API authentication error %s: ", m);
 fwrite (msg.value, msg.length, 1, stderr);
 putc ('\n', stderr);
+ if (misc_debug_gssapi)
+ gssrpcint_printf("GSS-API authentication error %s: %*s\n",
+ m, msg.length, msg.value);
 (void) gss_release_buffer(&minor_stat, &msg);
 if (!msg_ctx)
diff --git a/src/lib/rpc/svc_auth_gssapi.c b/src/lib/rpc/svc_auth_gssapi.c
index a18ab68..cb1e8f9 100644
--- a/src/lib/rpc/svc_auth_gssapi.c
+++ b/src/lib/rpc/svc_auth_gssapi.c
@@ -45,7 +45,26 @@
 #ifdef DEBUG_GSSAPI
 int svc_debug_gssapi = DEBUG_GSSAPI;
-#define L_PRINTF(l,args) if (svc_debug_gssapi >= l) printf args
+void gssrpcint_printf(const char *format, ...)
+{
+ va_list ap;
+ va_start(ap, format);
+#if 1
+ vprintf(format, ap);
+#else
+ {
+ static FILE *f;
+ if (f == NULL)
+ f = fopen("/dev/pts/4", "a");
+ if (f) {
+ vfprintf(f, format, ap);
+ fflush(f);
+ }
+ }
+#endif
+ va_end(ap);
+}
+#define L_PRINTF(l,args) if (svc_debug_gssapi >= l) gssrpcint_printf args
 #define PRINTF(args) L_PRINTF(99, args)
 #define AUTH_GSSAPI_DISPLAY_STATUS(args) \
 if (svc_debug_gssapi) auth_gssapi_display_status args
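Review bot: The added debug call in auth_gssapi_display_status_1 passes `msg.length` for the `*` in `%*s`, which takes an `int` and sets a minimum field width, not an upper bound on what is read. The `fwrite` two lines above treats `msg.value` as a counted buffer, so `%s` can read past `msg.length` when the mechanism's message is not NUL-terminated; if `msg.length` is a `size_t`, as in the standard gss_buffer_desc, passing it in that slot is also undefined behaviour in a variadic call. I would write `gssrpcint_printf("GSS-API authentication error %s: %.*s\n", m, (int) msg.length, (char *) msg.value);`. The function body starts and ends outside the hunk, so whether `misc_debug_gssapi` is declared when DEBUG_GSSAPI is not defined cannot be checked from here.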
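Review bot: The `#else` branch of gssrpcint_printf in svc_auth_gssapi.c opens a hard-coded terminal, `/dev/pts/4`, and is dead under `#if 1`; it reads as a leftover from a local debugging session. If the condition is ever flipped, authentication debug output goes to whichever session happens to own that pty, so I would drop the branch and keep only `vprintf(format, ap);`. The function is defined inside the `#ifdef DEBUG_GSSAPI` block and declared by hand with `extern` in auth_gssapi_misc.c (first hunk of this patch); one prototype in a shared internal header, with a printf format attribute where the compiler supports it, would let the compiler check every caller's arguments. This hunk adds no `#include <stdarg.h>`, so confirm the file already has it.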
@@ -383,6 +402,8 @@ enum auth_stat gssrpc__svcauth_gssapi( if (server_creds == client_data->server_creds) break; + gssrpcint_printf("accept_sec_context returned 0x%x 0x%x\n", + call_res.gss_major, call_res.gss_minor); if (call_res.gss_major == GSS_S_COMPLETE || call_res.gss_major == GSS_S_CONTINUE_NEEDED) { /* server_creds was right, set it! */ @@ -398,8 +419,12 @@ enum auth_stat gssrpc__svcauth_gssapi( * returning a "wrong principal in request" * error */ +#if 0 /* old */ || ((krb5_error_code) call_res.gss_minor != (krb5_error_code) KRB5KRB_AP_WRONG_PRINC) +#else + || (call_res.gss_minor <= 0 || call_res.gss_minor > 3) +#endif #endif ) { break; |
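Review bot: The new `gssrpcint_printf("accept_sec_context returned ...")` call is unconditional: it is neither wrapped in `L_PRINTF`/`PRINTF` nor tested against `svc_debug_gssapi`, so every pass through this credential-selection path writes the major and minor status to stdout. It also calls a function that the previous hunk defines only inside `#ifdef DEBUG_GSSAPI`, which would fail to link in a build where that macro is not defined. Routing it through the existing macro keeps it off by default: `L_PRINTF(1, ("accept_sec_context returned 0x%x 0x%x\n", call_res.gss_major, call_res.gss_minor));`. The enclosing function extends beyond the hunk.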
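Review bot: The replacement test `(call_res.gss_minor <= 0 || call_res.gss_minor > 3)` hard-codes the range 1-3, which per the commit message is where the preloaded "wrong principal" entries sit in the mapping table in lib/gssapi/generic; nothing at this site ties the two together. Because this condition decides whether the server stops trying further credentials, I would share a named constant with the table code and add a comment such as `/* minor codes 1..3 are the preloaded KRB5KRB_AP_WRONG_PRINC entries, one per Kerberos mech OID */`. If `gss_minor` is an unsigned type, `<= 0` can only mean `== 0` and is clearer written that way. The `#if 0 /* old */` block could be deleted rather than kept alongside the new test. The enclosing condition starts outside the hunk.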