authorJeffrey Altman <jaltman@secure-endpoints.com>2008-07-23 15:04:26 +0000
committerJeffrey Altman <jaltman@secure-endpoints.com>2008-07-23 15:04:26 +0000
commit0b4a03f2df21bfc7c00fdf6b0a8d6f5b5b77b524 (patch)
treeb770866eeb554adaca9efc035e4a509d452edb00 /src/windows
parent126ad3e2d030651876308ff9a0ec0a0f3686d421 (diff)
This patch modifies the NIM Kerberos v5 plug-in to use the
krb5_get_error_message() function to look up the error string if the call to krb5_get_init_creds_password() fails. If the call to krb5_get_error_message() fails, the caller falls back to the previous method of looking up a suitable error message based on the error code. ticket: 5745 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20572 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/windows')
-rw-r--r--src/windows/identity/plugins/krb5/krb5funcs.c17
-rw-r--r--src/windows/identity/plugins/krb5/krb5funcs.h3
-rw-r--r--src/windows/identity/plugins/krb5/krb5newcreds.c51
-rw-r--r--src/windows/identity/plugins/krb5/krbcred.h1
4 files changed, 64 insertions, 8 deletions
diff --git a/src/windows/identity/plugins/krb5/krb5funcs.c b/src/windows/identity/plugins/krb5/krb5funcs.c
index 8d0de12..efab36e 100644
--- a/src/windows/identity/plugins/krb5/krb5funcs.c
+++ b/src/windows/identity/plugins/krb5/krb5funcs.c
@@ -1357,7 +1357,8 @@ khm_krb5_kinit(krb5_context alt_ctx,
DWORD addressless,
DWORD publicIP,
krb5_prompter_fct prompter,
- void * p_data)
+ void * p_data,
+ char ** pp_error_message)
{
krb5_error_code code = 0;
krb5_context ctx = NULL;
@@ -1387,6 +1388,8 @@ khm_krb5_kinit(krb5_context alt_ctx,
goto cleanup;
}
+ pkrb5_clear_error_message(ctx);
+
if (ccache) {
_reportf(L"Using supplied ccache name %S", ccache);
code = pkrb5_cc_resolve(ctx, ccache, &cc);
@@ -1523,6 +1526,18 @@ khm_krb5_kinit(krb5_context alt_ctx,
if (code) goto cleanup;
cleanup:
+ if (pp_error_message) {
+ const char * em;
+
+ em = pkrb5_get_error_message(ctx, code);
+ if (em == NULL) {
+ *pp_error_message = NULL;
+ } else {
+ *pp_error_message = _strdup(em);
+ pkrb5_free_error_message(ctx, em);
+ }
+ }
+
if ( addrs ) {
for ( i=0;i<addr_count;i++ ) {
if ( addrs[i] ) {
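Review bot: The block added under `cleanup:` also runs on the success path, because the line before the label falls through with `code == 0`, so the text returned by `pkrb5_get_error_message(ctx, 0)` is duplicated into `*pp_error_message` and the caller in krb5newcreds.c stores it in `g_fjob.error_message`. The two k5_msg_cred_dialog hunks then prefer that string, and the first of them tests only the pointer, so a non-error text may end up in the dialog (whether that code is reached only after a failure is not visible here). The `goto cleanup` that precedes the new `pkrb5_clear_error_message(ctx)` call suggests the label can also be reached without a usable context, and whether the lookup tolerates that is not shown. Guarding the lookup on `code && ctx` and setting the out-parameter to NULL otherwise covers both cases. khm_krb5_kinit starts and ends outside this hunk.

```c
cleanup:
    if (pp_error_message) {
        *pp_error_message = NULL;

        /* only look up a message for a real failure and a live context */
        if (code && ctx) {
            const char * em = pkrb5_get_error_message(ctx, code);

            if (em) {
                *pp_error_message = _strdup(em);
                pkrb5_free_error_message(ctx, em);
            }
        }
    }
    /* … unchanged: release of addrs and the rest of cleanup … */
```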
diff --git a/src/windows/identity/plugins/krb5/krb5funcs.h b/src/windows/identity/plugins/krb5/krb5funcs.h
index 990db26..62e4bd5 100644
--- a/src/windows/identity/plugins/krb5/krb5funcs.h
+++ b/src/windows/identity/plugins/krb5/krb5funcs.h
@@ -123,7 +123,8 @@ khm_krb5_kinit(krb5_context alt_ctx,
DWORD addressless,
DWORD publicIP,
krb5_prompter_fct prompter,
- void * p_data);
+ void * p_data,
+ char ** pp_error_message);
long
khm_krb5_changepwd(char * principal,
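Review bot: The prototype gains `pp_error_message` without stating who owns the returned string. The implementation in krb5funcs.c fills it with `_strdup` and the caller in krb5newcreds.c releases it with `free`, while the neighbouring job fields are released with `PFREE`, so a future caller could easily pick the wrong deallocator. A comment on the declaration would pin this down: `/* pp_error_message: optional; on return *pp_error_message is NULL or a _strdup'd string that the caller must free() */`. The declaration starts above the hunk.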
diff --git a/src/windows/identity/plugins/krb5/krb5newcreds.c b/src/windows/identity/plugins/krb5/krb5newcreds.c
index 6b64302..48c10a4 100644
--- a/src/windows/identity/plugins/krb5/krb5newcreds.c
+++ b/src/windows/identity/plugins/krb5/krb5newcreds.c
@@ -633,8 +633,15 @@ k5_kinit_fiber_proc(PVOID lpParameter)
while(TRUE)
{
if(g_fjob.command == FIBER_CMD_KINIT) {
+ char * error_msg = NULL;
+
g_fjob.state = FIBER_STATE_KINIT;
+ if (g_fjob.error_message) {
+ PFREE(g_fjob.error_message);
+ g_fjob.error_message = NULL;
+ }
+
g_fjob.prompt_set = 0;
if (k5_cached_kinit_prompter()) {
@@ -670,6 +677,11 @@ k5_kinit_fiber_proc(PVOID lpParameter)
g_fjob.renewable);
retry_kinit:
+ if (error_msg) {
+ free(error_msg);
+ error_msg = NULL;
+ }
+
g_fjob.code =
khm_krb5_kinit(0,
g_fjob.principal,
@@ -682,7 +694,8 @@ k5_kinit_fiber_proc(PVOID lpParameter)
g_fjob.addressless,
g_fjob.publicIP,
k5_kinit_prompter,
- &g_fjob);
+ &g_fjob,
+ &error_msg);
/* If the principal was found to be valid, and if we
restricted the options that were being passed to kinit,
@@ -695,6 +708,17 @@ k5_kinit_fiber_proc(PVOID lpParameter)
g_fjob.state = FIBER_STATE_KINIT;
goto retry_kinit;
}
+
+ if (error_msg) {
+ wchar_t tmp[1024];
+
+ if (AnsiStrToUnicode(tmp, sizeof(tmp), error_msg)) {
+ g_fjob.error_message = PWCSDUP(tmp);
+ }
+
+ free(error_msg);
+ error_msg = NULL;
+ }
}
_switch_to_main:
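Review bot: The fixed `wchar_t tmp[1024]` in the block added after the retry check caps the library message, and what happens to a longer one depends on `AnsiStrToUnicode`, whose truncation and code-page behaviour are not visible in this hunk. If the conversion fails rather than truncates, the message is dropped without a trace and the dialog uses the code-based text instead. A short comment would record that this is intended, for example `/* if the conversion fails the message is dropped and the code-based lookup is used */`. k5_kinit_fiber_proc starts and ends outside the hunk.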
@@ -1489,6 +1513,9 @@ k5_free_kinit_job(void)
if (g_fjob.ccache)
PFREE(g_fjob.ccache);
+ if (g_fjob.error_message)
+ PFREE(g_fjob.error_message);
+
ZeroMemory(&g_fjob, sizeof(g_fjob));
}
@@ -1625,7 +1652,7 @@ k5_find_tgt_filter(khm_handle cred,
khm_int32 rv;
if (KHM_SUCCEEDED(kcdb_cred_get_identity(cred,
- &cident)) &&
+ &cident)) &&
cident == ident &&
KHM_SUCCEEDED(kcdb_cred_get_flags(cred, &f)) &&
(f & KCDB_CRED_FLAG_INITIAL) &&
@@ -2108,6 +2135,11 @@ k5_msg_cred_dialog(khm_int32 msg_type,
d->cred_message = NULL;
}
+ if (g_fjob.error_message) {
+ StringCbCopy(msg, sizeof(msg), g_fjob.error_message);
+ goto have_message;
+ }
+
msg[0] = L'\0';
switch(g_fjob.code) {
@@ -2151,6 +2183,8 @@ k5_msg_cred_dialog(khm_int32 msg_type,
}
}
+ have_message:
+
if (msg[0]) {
StringCbLength(msg, sizeof(msg), &cb);
cb += sizeof(wchar_t);
@@ -2312,11 +2346,15 @@ k5_msg_cred_dialog(khm_int32 msg_type,
if(g_fjob.code != 0) {
wchar_t tbuf[1024];
- DWORD suggestion;
+ DWORD suggestion = 0;
kherr_suggestion suggest_code;
- khm_err_describe(g_fjob.code, tbuf, sizeof(tbuf),
- &suggestion, &suggest_code);
+ if (g_fjob.error_message) {
+ StringCbCopy(tbuf, sizeof(tbuf), g_fjob.error_message);
+ } else {
+ khm_err_describe(g_fjob.code, tbuf, sizeof(tbuf),
+ &suggestion, &suggest_code);
+ }
_report_cs0(KHERR_ERROR, tbuf);
if (suggestion != 0)
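Review bot: When `g_fjob.error_message` is set, the new branch skips `khm_err_describe`, so `suggestion` stays 0 and `suggest_code` is never assigned, and the `suggestion` test that follows drops the hint the code-based path used to produce. Calling `khm_err_describe(g_fjob.code, tbuf, sizeof(tbuf), &suggestion, &suggest_code);` unconditionally and then overwriting `tbuf` with `StringCbCopy` when a library message exists would keep both. The library text may include names taken from the request or the reply, so it is worth confirming that `_report_cs0` treats `tbuf` as literal text rather than as a template; that is not visible in this hunk. The enclosing block continues past the hunk.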
@@ -2691,7 +2729,8 @@ k5_msg_cred_dialog(khm_int32 msg_type,
d->addressless, /* addressless */
d->publicIP, /* public IP */
NULL, /* prompter */
- NULL /* prompter data */);
+ NULL, /* prompter data */
+ NULL /* error message */);
if (code) {
rv = KHM_ERROR_UNKNOWN;
diff --git a/src/windows/identity/plugins/krb5/krbcred.h b/src/windows/identity/plugins/krb5/krbcred.h
index a194343..ddc745c 100644
--- a/src/windows/identity/plugins/krb5/krbcred.h
+++ b/src/windows/identity/plugins/krb5/krbcred.h
@@ -171,6 +171,7 @@ typedef struct _fiber_job_t {
int code;
int state;
int prompt_set;
+ wchar_t *error_message;
BOOL null_password;
BOOL valid_principal;