[winpr,sspi] properly log all kerberos calls
to ease debugging log each failure of a kerberos related function along with location and function name
This commit is contained in:
parent
4c17dfb71d
commit
5298580bbd
@ -119,11 +119,34 @@ static const WinPrAsn1_OID kerberos_OID = { 9, (void*)"\x2a\x86\x48\x86\xf7\x12\
|
||||
static const WinPrAsn1_OID kerberos_u2u_OID = { 10,
|
||||
(void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03" };
|
||||
|
||||
static void kerberos_log_msg(krb5_context ctx, krb5_error_code code)
|
||||
#define krb_log_exec(fkt, ctx, ...) \
|
||||
kerberos_log_msg(ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
|
||||
#define krb_log_exec_ptr(fkt, ctx, ...) \
|
||||
kerberos_log_msg(*ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
|
||||
static krb5_error_code kerberos_log_msg(krb5_context ctx, krb5_error_code code, const char* what,
|
||||
const char* file, const char* fkt, size_t line)
|
||||
{
|
||||
const char* msg = krb5_get_error_message(ctx, code);
|
||||
WLog_ERR(TAG, msg);
|
||||
krb5_free_error_message(ctx, msg);
|
||||
switch (code)
|
||||
{
|
||||
case 0:
|
||||
case KRB5_KT_END:
|
||||
break;
|
||||
default:
|
||||
{
|
||||
const DWORD level = WLOG_ERROR;
|
||||
|
||||
wLog* log = WLog_Get(TAG);
|
||||
if (WLog_IsLevelActive(log, level))
|
||||
{
|
||||
const char* msg = krb5_get_error_message(ctx, code);
|
||||
WLog_PrintMessage(log, WLOG_MESSAGE_TEXT, level, line, file, fkt, "%s (%s [%d])",
|
||||
what, msg, code);
|
||||
krb5_free_error_message(ctx, msg);
|
||||
}
|
||||
}
|
||||
break;
|
||||
}
|
||||
return code;
|
||||
}
|
||||
|
||||
static void kerberos_ContextFree(KRB_CONTEXT* ctx, BOOL allocated)
|
||||
@ -184,7 +207,6 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
|
||||
#ifdef WITH_KRB5
|
||||
SEC_WINPR_KERBEROS_SETTINGS* krb_settings = NULL;
|
||||
KRB_CREDENTIALS* credentials = NULL;
|
||||
krb5_error_code rv = 0;
|
||||
krb5_context ctx = NULL;
|
||||
krb5_ccache ccache = NULL;
|
||||
krb5_keytab keytab = NULL;
|
||||
@ -213,7 +235,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
|
||||
pszPrincipal = username;
|
||||
}
|
||||
|
||||
if ((rv = krb5_init_context(&ctx)))
|
||||
if (krb_log_exec_ptr(krb5_init_context, &ctx))
|
||||
goto cleanup;
|
||||
|
||||
if (domain)
|
||||
@ -224,7 +246,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
|
||||
|
||||
CharUpperA(udomain);
|
||||
/* Will use domain if realm is not specified in username */
|
||||
rv = krb5_set_default_realm(ctx, udomain);
|
||||
krb5_error_code rv = krb_log_exec(krb5_set_default_realm, ctx, udomain);
|
||||
free(udomain);
|
||||
|
||||
if (rv)
|
||||
@ -242,7 +264,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
|
||||
if (p)
|
||||
CharUpperA(p);
|
||||
|
||||
rv = krb5_parse_name(ctx, cpszPrincipal, &principal);
|
||||
krb5_error_code rv = krb_log_exec(krb5_parse_name, ctx, cpszPrincipal, &principal);
|
||||
free(cpszPrincipal);
|
||||
|
||||
if (rv)
|
||||
@ -251,7 +273,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
|
||||
|
||||
if (krb_settings && krb_settings->cache)
|
||||
{
|
||||
if ((rv = krb5_cc_set_default_name(ctx, krb_settings->cache)))
|
||||
if ((krb_log_exec(krb5_cc_set_default_name, ctx, krb_settings->cache)))
|
||||
goto cleanup;
|
||||
}
|
||||
else
|
||||
@ -264,16 +286,16 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
|
||||
{
|
||||
if (own_ccache)
|
||||
{
|
||||
if ((rv = krb5_cc_new_unique(ctx, default_ccache_type, 0, &ccache)))
|
||||
if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache))
|
||||
goto cleanup;
|
||||
}
|
||||
else
|
||||
{
|
||||
if ((rv = krb5_cc_resolve(ctx, krb_settings->cache, &ccache)))
|
||||
if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if ((rv = krb5_cc_initialize(ctx, ccache, principal)))
|
||||
if (krb_log_exec(krb5_cc_initialize, ctx, ccache, principal))
|
||||
goto cleanup;
|
||||
}
|
||||
else
|
||||
@ -282,9 +304,9 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
|
||||
else if (fCredentialUse & SECPKG_CRED_OUTBOUND)
|
||||
{
|
||||
/* Use the default cache with it's default principal */
|
||||
if ((rv = krb5_cc_default(ctx, &ccache)))
|
||||
if (krb_log_exec(krb5_cc_default, ctx, &ccache))
|
||||
goto cleanup;
|
||||
if ((rv = krb5_cc_get_principal(ctx, ccache, &principal)))
|
||||
if (krb_log_exec(krb5_cc_get_principal, ctx, ccache, &principal))
|
||||
goto cleanup;
|
||||
own_ccache = FALSE;
|
||||
}
|
||||
@ -292,33 +314,33 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
|
||||
{
|
||||
if (own_ccache)
|
||||
{
|
||||
if ((rv = krb5_cc_new_unique(ctx, default_ccache_type, 0, &ccache)))
|
||||
if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache))
|
||||
goto cleanup;
|
||||
}
|
||||
else
|
||||
{
|
||||
if ((rv = krb5_cc_resolve(ctx, krb_settings->cache, &ccache)))
|
||||
if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
|
||||
if (krb_settings && krb_settings->keytab)
|
||||
{
|
||||
if ((rv = krb5_kt_resolve(ctx, krb_settings->keytab, &keytab)))
|
||||
if (krb_log_exec(krb5_kt_resolve, ctx, krb_settings->keytab, &keytab))
|
||||
goto cleanup;
|
||||
}
|
||||
else
|
||||
{
|
||||
if (fCredentialUse & SECPKG_CRED_INBOUND)
|
||||
if ((rv = krb5_kt_default(ctx, &keytab)))
|
||||
if (krb_log_exec(krb5_kt_default, ctx, &keytab))
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/* Get initial credentials if required */
|
||||
if (fCredentialUse & SECPKG_CRED_OUTBOUND)
|
||||
{
|
||||
if ((rv = krb5glue_get_init_creds(ctx, principal, ccache, krb5_prompter, password,
|
||||
krb_settings)))
|
||||
if (krb_log_exec(krb5glue_get_init_creds, ctx, principal, ccache, krb5_prompter, password,
|
||||
krb_settings))
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
@ -331,9 +353,6 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
|
||||
|
||||
cleanup:
|
||||
|
||||
if (rv)
|
||||
kerberos_log_msg(ctx, rv);
|
||||
|
||||
free(domain);
|
||||
free(username);
|
||||
free(password);
|
||||
@ -715,7 +734,6 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
|
||||
KRB_CREDENTIALS* credentials;
|
||||
KRB_CONTEXT* context;
|
||||
KRB_CONTEXT new_context = { 0 };
|
||||
krb5_error_code rv = KRB5KDC_ERR_NONE;
|
||||
PSecBuffer input_buffer = NULL;
|
||||
PSecBuffer output_buffer = NULL;
|
||||
PSecBuffer bindings_buffer = NULL;
|
||||
@ -764,7 +782,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
|
||||
{
|
||||
context = &new_context;
|
||||
|
||||
if ((rv = krb5_init_context(&context->ctx)))
|
||||
if (krb_log_exec_ptr(krb5_init_context, &context->ctx))
|
||||
return SEC_E_INTERNAL_ERROR;
|
||||
|
||||
if (fContextReq & ISC_REQ_USE_SESSION_KEY)
|
||||
@ -836,26 +854,27 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
|
||||
case KERBEROS_STATE_AP_REQ:
|
||||
|
||||
/* Set auth_context options */
|
||||
if ((rv = krb5_auth_con_init(context->ctx, &context->auth_ctx)))
|
||||
if (krb_log_exec(krb5_auth_con_init, context->ctx, &context->auth_ctx))
|
||||
goto cleanup;
|
||||
if ((rv = krb5_auth_con_setflags(context->ctx, context->auth_ctx,
|
||||
KRB5_AUTH_CONTEXT_DO_SEQUENCE |
|
||||
KRB5_AUTH_CONTEXT_USE_SUBKEY)))
|
||||
if (krb_log_exec(krb5_auth_con_setflags, context->ctx, context->auth_ctx,
|
||||
KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
|
||||
goto cleanup;
|
||||
if ((rv = krb5glue_auth_con_set_cksumtype(context->ctx, context->auth_ctx,
|
||||
GSS_CHECKSUM_TYPE)))
|
||||
if (krb_log_exec(krb5glue_auth_con_set_cksumtype, context->ctx, context->auth_ctx,
|
||||
GSS_CHECKSUM_TYPE))
|
||||
goto cleanup;
|
||||
|
||||
/* Get a service ticket */
|
||||
if ((rv = krb5_sname_to_principal(context->ctx, host, sname, KRB5_NT_SRV_HST,
|
||||
&in_creds.server)))
|
||||
if (krb_log_exec(krb5_sname_to_principal, context->ctx, host, sname, KRB5_NT_SRV_HST,
|
||||
&in_creds.server))
|
||||
goto cleanup;
|
||||
|
||||
if ((rv = krb5_cc_get_principal(context->ctx, credentials->ccache, &in_creds.client)))
|
||||
if (krb_log_exec(krb5_cc_get_principal, context->ctx, credentials->ccache,
|
||||
&in_creds.client))
|
||||
goto cleanup;
|
||||
|
||||
if ((rv = krb5_get_credentials(context->ctx, context->u2u ? KRB5_GC_USER_USER : 0,
|
||||
credentials->ccache, &in_creds, &creds)))
|
||||
if (krb_log_exec(krb5_get_credentials, context->ctx,
|
||||
context->u2u ? KRB5_GC_USER_USER : 0, credentials->ccache, &in_creds,
|
||||
&creds))
|
||||
goto cleanup;
|
||||
|
||||
/* Write the checksum (delegation not implemented) */
|
||||
@ -896,8 +915,8 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
|
||||
}
|
||||
|
||||
/* Make the AP_REQ message */
|
||||
if ((rv = krb5_mk_req_extended(context->ctx, &context->auth_ctx, ap_flags, &cksum,
|
||||
creds, &output_token)))
|
||||
if (krb_log_exec(krb5_mk_req_extended, context->ctx, &context->auth_ctx, ap_flags,
|
||||
&cksum, creds, &output_token))
|
||||
goto cleanup;
|
||||
|
||||
if (!sspi_gss_wrap_token(output_buffer,
|
||||
@ -907,12 +926,15 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
|
||||
|
||||
if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
|
||||
{
|
||||
krb5_auth_con_getlocalseqnumber(context->ctx, context->auth_ctx,
|
||||
(INT32*)&context->local_seq);
|
||||
if (krb_log_exec(krb5_auth_con_getlocalseqnumber, context->ctx, context->auth_ctx,
|
||||
(INT32*)&context->local_seq))
|
||||
goto cleanup;
|
||||
context->remote_seq ^= context->local_seq;
|
||||
}
|
||||
|
||||
krb5glue_update_keyset(context->ctx, context->auth_ctx, FALSE, &context->keyset);
|
||||
if (krb_log_exec(krb5glue_update_keyset, context->ctx, context->auth_ctx, FALSE,
|
||||
&context->keyset))
|
||||
goto cleanup;
|
||||
|
||||
context->state = KERBEROS_STATE_AP_REP;
|
||||
|
||||
@ -927,23 +949,29 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
|
||||
|
||||
if (tok_id == TOK_ID_AP_REP)
|
||||
{
|
||||
if ((rv = krb5_rd_rep(context->ctx, context->auth_ctx, &input_token, &reply)))
|
||||
if (krb_log_exec(krb5_rd_rep, context->ctx, context->auth_ctx, &input_token,
|
||||
&reply))
|
||||
goto cleanup;
|
||||
krb5_free_ap_rep_enc_part(context->ctx, reply);
|
||||
}
|
||||
else if (tok_id == TOK_ID_ERROR)
|
||||
{
|
||||
rv = krb5glue_log_error(context->ctx, &input_token, TAG);
|
||||
krb5glue_log_error(context->ctx, &input_token, TAG);
|
||||
goto cleanup;
|
||||
}
|
||||
else
|
||||
goto bad_token;
|
||||
|
||||
if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
|
||||
krb5_auth_con_getremoteseqnumber(context->ctx, context->auth_ctx,
|
||||
(INT32*)&context->remote_seq);
|
||||
{
|
||||
if (krb_log_exec(krb5_auth_con_getremoteseqnumber, context->ctx, context->auth_ctx,
|
||||
(INT32*)&context->remote_seq))
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
krb5glue_update_keyset(context->ctx, context->auth_ctx, FALSE, &context->keyset);
|
||||
if (krb_log_exec(krb5glue_update_keyset, context->ctx, context->auth_ctx, FALSE,
|
||||
&context->keyset))
|
||||
goto cleanup;
|
||||
|
||||
context->state = KERBEROS_STATE_FINAL;
|
||||
|
||||
@ -984,8 +1012,6 @@ cleanup:
|
||||
in_creds.second_ticket = edata;
|
||||
krb5_free_cred_contents(context->ctx, &in_creds);
|
||||
}
|
||||
if (rv)
|
||||
kerberos_log_msg(context->ctx, rv);
|
||||
|
||||
krb5_free_creds(context->ctx, creds);
|
||||
if (output_token.data)
|
||||
@ -1047,7 +1073,6 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
|
||||
krb5_data input_token = { 0 };
|
||||
krb5_data output_token = { 0 };
|
||||
SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
|
||||
krb5_error_code rv = 0;
|
||||
krb5_flags ap_flags = 0;
|
||||
krb5glue_authenticator authenticator;
|
||||
char* target = NULL;
|
||||
@ -1080,7 +1105,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
|
||||
{
|
||||
context = &new_context;
|
||||
|
||||
if ((rv = krb5_init_context(&context->ctx)))
|
||||
if (krb_log_exec_ptr(krb5_init_context, &context->ctx))
|
||||
return SEC_E_INTERNAL_ERROR;
|
||||
|
||||
if (sspi_gss_oid_compare(&oid, &kerberos_u2u_OID))
|
||||
@ -1114,59 +1139,73 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
|
||||
realm++;
|
||||
}
|
||||
|
||||
if ((rv = krb5_parse_name_flags(context->ctx, sname ? sname : "",
|
||||
KRB5_PRINCIPAL_PARSE_NO_REALM, &principal)))
|
||||
if (krb_log_exec(krb5_parse_name_flags, context->ctx, sname ? sname : "",
|
||||
KRB5_PRINCIPAL_PARSE_NO_REALM, &principal))
|
||||
goto cleanup;
|
||||
|
||||
if (realm)
|
||||
if ((rv = krb5glue_set_principal_realm(context->ctx, principal, realm)))
|
||||
goto cleanup;
|
||||
|
||||
if ((rv = krb5_kt_start_seq_get(context->ctx, credentials->keytab, &cur)))
|
||||
goto cleanup;
|
||||
|
||||
while ((rv = krb5_kt_next_entry(context->ctx, credentials->keytab, &entry, &cur)) == 0)
|
||||
{
|
||||
if ((!sname ||
|
||||
krb5_principal_compare_any_realm(context->ctx, principal, entry.principal)) &&
|
||||
(!realm || krb5_realm_compare(context->ctx, principal, entry.principal)))
|
||||
break;
|
||||
krb5glue_free_keytab_entry_contents(context->ctx, &entry);
|
||||
if (krb_log_exec(krb5glue_set_principal_realm, context->ctx, principal, realm))
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
krb5_kt_end_seq_get(context->ctx, credentials->keytab, &cur);
|
||||
if (krb_log_exec(krb5_kt_start_seq_get, context->ctx, credentials->keytab, &cur))
|
||||
goto cleanup;
|
||||
|
||||
do
|
||||
{
|
||||
krb5_error_code rv =
|
||||
krb_log_exec(krb5_kt_next_entry, context->ctx, credentials->keytab, &entry, &cur);
|
||||
if (rv == KRB5_KT_END)
|
||||
break;
|
||||
if (rv != 0)
|
||||
goto cleanup;
|
||||
|
||||
if ((!sname || krb_log_exec(krb5_principal_compare_any_realm, context->ctx, principal,
|
||||
entry.principal)) &&
|
||||
(!realm ||
|
||||
krb_log_exec(krb5_realm_compare, context->ctx, principal, entry.principal)))
|
||||
break;
|
||||
if (krb_log_exec(krb5glue_free_keytab_entry_contents, context->ctx, &entry))
|
||||
goto cleanup;
|
||||
} while (1);
|
||||
|
||||
if (krb_log_exec(krb5_kt_end_seq_get, context->ctx, credentials->keytab, &cur))
|
||||
goto cleanup;
|
||||
|
||||
if (!entry.principal)
|
||||
goto cleanup;
|
||||
|
||||
/* Get the TGT */
|
||||
if ((rv = krb5_get_init_creds_keytab(context->ctx, &creds, entry.principal,
|
||||
credentials->keytab, 0, NULL, NULL)))
|
||||
if (krb_log_exec(krb5_get_init_creds_keytab, context->ctx, &creds, entry.principal,
|
||||
credentials->keytab, 0, NULL, NULL))
|
||||
goto cleanup;
|
||||
|
||||
if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REP, NULL, NULL, &creds.ticket))
|
||||
goto cleanup;
|
||||
|
||||
if ((rv = krb5_auth_con_init(context->ctx, &context->auth_ctx)))
|
||||
if (krb_log_exec(krb5_auth_con_init, context->ctx, &context->auth_ctx))
|
||||
goto cleanup;
|
||||
|
||||
if ((rv = krb5glue_auth_con_setuseruserkey(context->ctx, context->auth_ctx,
|
||||
&krb5glue_creds_getkey(creds))))
|
||||
if (krb_log_exec(krb5glue_auth_con_setuseruserkey, context->ctx, context->auth_ctx,
|
||||
&krb5glue_creds_getkey(creds)))
|
||||
goto cleanup;
|
||||
|
||||
context->state = KERBEROS_STATE_AP_REQ;
|
||||
}
|
||||
else if (context->state == KERBEROS_STATE_AP_REQ && tok_id == TOK_ID_AP_REQ)
|
||||
{
|
||||
if ((rv = krb5_rd_req(context->ctx, &context->auth_ctx, &input_token, NULL,
|
||||
credentials->keytab, &ap_flags, NULL)))
|
||||
if (krb_log_exec(krb5_rd_req, context->ctx, &context->auth_ctx, &input_token, NULL,
|
||||
credentials->keytab, &ap_flags, NULL))
|
||||
goto cleanup;
|
||||
|
||||
krb5_auth_con_setflags(context->ctx, context->auth_ctx,
|
||||
KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY);
|
||||
if (krb_log_exec(krb5_auth_con_setflags, context->ctx, context->auth_ctx,
|
||||
KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
|
||||
goto cleanup;
|
||||
|
||||
/* Retrieve and validate the checksum */
|
||||
if ((rv = krb5_auth_con_getauthenticator(context->ctx, context->auth_ctx, &authenticator)))
|
||||
if (krb_log_exec(krb5_auth_con_getauthenticator, context->ctx, context->auth_ctx,
|
||||
&authenticator))
|
||||
goto cleanup;
|
||||
if (!krb5glue_authenticator_validate_chksum(authenticator, GSS_CHECKSUM_TYPE,
|
||||
&context->flags))
|
||||
@ -1176,7 +1215,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
|
||||
{
|
||||
if (!output_buffer)
|
||||
goto bad_token;
|
||||
if ((rv = krb5_mk_rep(context->ctx, context->auth_ctx, &output_token)))
|
||||
if (krb_log_exec(krb5_mk_rep, context->ctx, context->auth_ctx, &output_token))
|
||||
goto cleanup;
|
||||
if (!sspi_gss_wrap_token(output_buffer,
|
||||
context->u2u ? &kerberos_u2u_OID : &kerberos_OID,
|
||||
@ -1194,13 +1233,17 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
|
||||
|
||||
if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
|
||||
{
|
||||
krb5_auth_con_getlocalseqnumber(context->ctx, context->auth_ctx,
|
||||
(INT32*)&context->local_seq);
|
||||
krb5_auth_con_getremoteseqnumber(context->ctx, context->auth_ctx,
|
||||
(INT32*)&context->remote_seq);
|
||||
if (krb_log_exec(krb5_auth_con_getlocalseqnumber, context->ctx, context->auth_ctx,
|
||||
(INT32*)&context->local_seq))
|
||||
goto cleanup;
|
||||
if (krb_log_exec(krb5_auth_con_getremoteseqnumber, context->ctx, context->auth_ctx,
|
||||
(INT32*)&context->remote_seq))
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
krb5glue_update_keyset(context->ctx, context->auth_ctx, TRUE, &context->keyset);
|
||||
if (krb_log_exec(krb5glue_update_keyset, context->ctx, context->auth_ctx, TRUE,
|
||||
&context->keyset))
|
||||
goto cleanup;
|
||||
|
||||
context->state = KERBEROS_STATE_FINAL;
|
||||
}
|
||||
@ -1233,9 +1276,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
|
||||
|
||||
cleanup:
|
||||
|
||||
if (rv)
|
||||
kerberos_log_msg(context->ctx, rv);
|
||||
|
||||
free(target);
|
||||
if (output_token.data)
|
||||
krb5glue_free_data_contents(context->ctx, &output_token);
|
||||
if (entry.principal)
|
||||
@ -1312,16 +1353,28 @@ static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesA(PCtxtHandle ph
|
||||
|
||||
if (context->flags & SSPI_GSS_C_CONF_FLAG)
|
||||
{
|
||||
krb5glue_crypto_length(context->ctx, key, KRB5_CRYPTO_TYPE_HEADER, &header);
|
||||
krb5glue_crypto_length(context->ctx, key, KRB5_CRYPTO_TYPE_PADDING, &pad);
|
||||
krb5glue_crypto_length(context->ctx, key, KRB5_CRYPTO_TYPE_TRAILER, &trailer);
|
||||
krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, context->ctx, key,
|
||||
KRB5_CRYPTO_TYPE_HEADER, &header);
|
||||
if (rv)
|
||||
return rv;
|
||||
rv = krb_log_exec(krb5glue_crypto_length, context->ctx, key, KRB5_CRYPTO_TYPE_PADDING,
|
||||
&pad);
|
||||
if (rv)
|
||||
return rv;
|
||||
rv = krb_log_exec(krb5glue_crypto_length, context->ctx, key, KRB5_CRYPTO_TYPE_TRAILER,
|
||||
&trailer);
|
||||
if (rv)
|
||||
return rv;
|
||||
/* GSS header (= 16 bytes) + encrypted header = 32 bytes */
|
||||
ContextSizes->cbSecurityTrailer = header + pad + trailer + 32;
|
||||
}
|
||||
if (context->flags & SSPI_GSS_C_INTEG_FLAG)
|
||||
{
|
||||
krb5glue_crypto_length(context->ctx, key, KRB5_CRYPTO_TYPE_CHECKSUM,
|
||||
&ContextSizes->cbMaxSignature);
|
||||
krb5_error_code rv =
|
||||
krb_log_exec(krb5glue_crypto_length, context->ctx, key, KRB5_CRYPTO_TYPE_CHECKSUM,
|
||||
&ContextSizes->cbMaxSignature);
|
||||
if (rv)
|
||||
return rv;
|
||||
ContextSizes->cbMaxSignature += 16;
|
||||
}
|
||||
|
||||
@ -1473,7 +1526,8 @@ static SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(PCtxtHandle phContext,
|
||||
encrypt_iov[2].data.length = 16;
|
||||
|
||||
/* Get the lengths of the header, trailer, and padding and ensure sig_buffer is large enough */
|
||||
if (krb5glue_crypto_length_iov(context->ctx, key, encrypt_iov, ARRAYSIZE(encrypt_iov)))
|
||||
if (krb_log_exec(krb5glue_crypto_length_iov, context->ctx, key, encrypt_iov,
|
||||
ARRAYSIZE(encrypt_iov)))
|
||||
return SEC_E_INTERNAL_ERROR;
|
||||
if (sig_buffer->cbBuffer <
|
||||
encrypt_iov[0].data.length + encrypt_iov[3].data.length + encrypt_iov[4].data.length + 32)
|
||||
@ -1500,7 +1554,8 @@ static SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(PCtxtHandle phContext,
|
||||
/* Set the correct RRC */
|
||||
Data_Write_UINT16_BE(header + 6, 16 + encrypt_iov[3].data.length + encrypt_iov[4].data.length);
|
||||
|
||||
if (krb5glue_encrypt_iov(context->ctx, key, usage, encrypt_iov, ARRAYSIZE(encrypt_iov)))
|
||||
if (krb_log_exec(krb5glue_encrypt_iov, context->ctx, key, usage, encrypt_iov,
|
||||
ARRAYSIZE(encrypt_iov)))
|
||||
return SEC_E_INTERNAL_ERROR;
|
||||
|
||||
return SEC_E_OK;
|
||||
@ -1576,7 +1631,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(PCtxtHandle phContext,
|
||||
/* Fill in the lengths of the iov array */
|
||||
iov[1].data.length = data_buffer->cbBuffer;
|
||||
iov[2].data.length = 16;
|
||||
if (krb5glue_crypto_length_iov(context->ctx, key, iov, ARRAYSIZE(iov)))
|
||||
if (krb_log_exec(krb5glue_crypto_length_iov, context->ctx, key, iov, ARRAYSIZE(iov)))
|
||||
return SEC_E_INTERNAL_ERROR;
|
||||
|
||||
/* We don't expect a trailer buffer; everything must be in sig_buffer */
|
||||
@ -1592,7 +1647,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(PCtxtHandle phContext,
|
||||
iov[3].data.data = iov[2].data.data + iov[2].data.length;
|
||||
iov[4].data.data = iov[3].data.data + iov[3].data.length;
|
||||
|
||||
if (krb5glue_decrypt_iov(context->ctx, key, usage, iov, ARRAYSIZE(iov)))
|
||||
if (krb_log_exec(krb5glue_decrypt_iov, context->ctx, key, usage, iov, ARRAYSIZE(iov)))
|
||||
return SEC_E_INTERNAL_ERROR;
|
||||
|
||||
/* Validate the encrypted header */
|
||||
@ -1647,7 +1702,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(PCtxtHandle phContext, U
|
||||
/* Fill in the lengths of the iov array */
|
||||
iov[0].data.length = data_buffer->cbBuffer;
|
||||
iov[1].data.length = 16;
|
||||
if (krb5glue_crypto_length_iov(context->ctx, key, iov, ARRAYSIZE(iov)))
|
||||
if (krb_log_exec(krb5glue_crypto_length_iov, context->ctx, key, iov, ARRAYSIZE(iov)))
|
||||
return SEC_E_INTERNAL_ERROR;
|
||||
|
||||
/* Ensure the buffer is big enough */
|
||||
@ -1666,7 +1721,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(PCtxtHandle phContext, U
|
||||
iov[1].data.data = header;
|
||||
iov[2].data.data = header + 16;
|
||||
|
||||
if (krb5glue_make_checksum_iov(context->ctx, key, usage, iov, ARRAYSIZE(iov)))
|
||||
if (krb_log_exec(krb5glue_make_checksum_iov, context->ctx, key, usage, iov, ARRAYSIZE(iov)))
|
||||
return SEC_E_INTERNAL_ERROR;
|
||||
|
||||
sig_buffer->cbBuffer = iov[2].data.length + 16;
|
||||
@ -1736,7 +1791,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(PCtxtHandle phContext,
|
||||
/* Fill in the iov array lengths */
|
||||
iov[0].data.length = data_buffer->cbBuffer;
|
||||
iov[1].data.length = 16;
|
||||
if (krb5glue_crypto_length_iov(context->ctx, key, iov, ARRAYSIZE(iov)))
|
||||
if (krb_log_exec(krb5glue_crypto_length_iov, context->ctx, key, iov, ARRAYSIZE(iov)))
|
||||
return SEC_E_INTERNAL_ERROR;
|
||||
|
||||
if (sig_buffer->cbBuffer != iov[2].data.length + 16)
|
||||
@ -1747,7 +1802,8 @@ static SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(PCtxtHandle phContext,
|
||||
iov[1].data.data = header;
|
||||
iov[2].data.data = header + 16;
|
||||
|
||||
if (krb5glue_verify_checksum_iov(context->ctx, key, usage, iov, ARRAYSIZE(iov), &is_valid))
|
||||
if (krb_log_exec(krb5glue_verify_checksum_iov, context->ctx, key, usage, iov, ARRAYSIZE(iov),
|
||||
&is_valid))
|
||||
return SEC_E_INTERNAL_ERROR;
|
||||
|
||||
if (!is_valid)
|
||||
|
Loading…
Reference in New Issue
Block a user