[winpr,sspi] properly log all kerberos calls

to ease debugging log each failure of a kerberos related function along
with location and function name
This commit is contained in:
Armin Novak 2024-01-13 20:32:35 +01:00 committed by David Fort
parent 4c17dfb71d
commit 5298580bbd

View File

@ -119,11 +119,34 @@ static const WinPrAsn1_OID kerberos_OID = { 9, (void*)"\x2a\x86\x48\x86\xf7\x12\
static const WinPrAsn1_OID kerberos_u2u_OID = { 10,
(void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03" };
static void kerberos_log_msg(krb5_context ctx, krb5_error_code code)
#define krb_log_exec(fkt, ctx, ...) \
kerberos_log_msg(ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
#define krb_log_exec_ptr(fkt, ctx, ...) \
kerberos_log_msg(*ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
static krb5_error_code kerberos_log_msg(krb5_context ctx, krb5_error_code code, const char* what,
const char* file, const char* fkt, size_t line)
{
const char* msg = krb5_get_error_message(ctx, code);
WLog_ERR(TAG, msg);
krb5_free_error_message(ctx, msg);
switch (code)
{
case 0:
case KRB5_KT_END:
break;
default:
{
const DWORD level = WLOG_ERROR;
wLog* log = WLog_Get(TAG);
if (WLog_IsLevelActive(log, level))
{
const char* msg = krb5_get_error_message(ctx, code);
WLog_PrintMessage(log, WLOG_MESSAGE_TEXT, level, line, file, fkt, "%s (%s [%d])",
what, msg, code);
krb5_free_error_message(ctx, msg);
}
}
break;
}
return code;
}
static void kerberos_ContextFree(KRB_CONTEXT* ctx, BOOL allocated)
@ -184,7 +207,6 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
#ifdef WITH_KRB5
SEC_WINPR_KERBEROS_SETTINGS* krb_settings = NULL;
KRB_CREDENTIALS* credentials = NULL;
krb5_error_code rv = 0;
krb5_context ctx = NULL;
krb5_ccache ccache = NULL;
krb5_keytab keytab = NULL;
@ -213,7 +235,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
pszPrincipal = username;
}
if ((rv = krb5_init_context(&ctx)))
if (krb_log_exec_ptr(krb5_init_context, &ctx))
goto cleanup;
if (domain)
@ -224,7 +246,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
CharUpperA(udomain);
/* Will use domain if realm is not specified in username */
rv = krb5_set_default_realm(ctx, udomain);
krb5_error_code rv = krb_log_exec(krb5_set_default_realm, ctx, udomain);
free(udomain);
if (rv)
@ -242,7 +264,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
if (p)
CharUpperA(p);
rv = krb5_parse_name(ctx, cpszPrincipal, &principal);
krb5_error_code rv = krb_log_exec(krb5_parse_name, ctx, cpszPrincipal, &principal);
free(cpszPrincipal);
if (rv)
@ -251,7 +273,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
if (krb_settings && krb_settings->cache)
{
if ((rv = krb5_cc_set_default_name(ctx, krb_settings->cache)))
if ((krb_log_exec(krb5_cc_set_default_name, ctx, krb_settings->cache)))
goto cleanup;
}
else
@ -264,16 +286,16 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
{
if (own_ccache)
{
if ((rv = krb5_cc_new_unique(ctx, default_ccache_type, 0, &ccache)))
if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache))
goto cleanup;
}
else
{
if ((rv = krb5_cc_resolve(ctx, krb_settings->cache, &ccache)))
if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
goto cleanup;
}
if ((rv = krb5_cc_initialize(ctx, ccache, principal)))
if (krb_log_exec(krb5_cc_initialize, ctx, ccache, principal))
goto cleanup;
}
else
@ -282,9 +304,9 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
else if (fCredentialUse & SECPKG_CRED_OUTBOUND)
{
/* Use the default cache with it's default principal */
if ((rv = krb5_cc_default(ctx, &ccache)))
if (krb_log_exec(krb5_cc_default, ctx, &ccache))
goto cleanup;
if ((rv = krb5_cc_get_principal(ctx, ccache, &principal)))
if (krb_log_exec(krb5_cc_get_principal, ctx, ccache, &principal))
goto cleanup;
own_ccache = FALSE;
}
@ -292,33 +314,33 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
{
if (own_ccache)
{
if ((rv = krb5_cc_new_unique(ctx, default_ccache_type, 0, &ccache)))
if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache))
goto cleanup;
}
else
{
if ((rv = krb5_cc_resolve(ctx, krb_settings->cache, &ccache)))
if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
goto cleanup;
}
}
if (krb_settings && krb_settings->keytab)
{
if ((rv = krb5_kt_resolve(ctx, krb_settings->keytab, &keytab)))
if (krb_log_exec(krb5_kt_resolve, ctx, krb_settings->keytab, &keytab))
goto cleanup;
}
else
{
if (fCredentialUse & SECPKG_CRED_INBOUND)
if ((rv = krb5_kt_default(ctx, &keytab)))
if (krb_log_exec(krb5_kt_default, ctx, &keytab))
goto cleanup;
}
/* Get initial credentials if required */
if (fCredentialUse & SECPKG_CRED_OUTBOUND)
{
if ((rv = krb5glue_get_init_creds(ctx, principal, ccache, krb5_prompter, password,
krb_settings)))
if (krb_log_exec(krb5glue_get_init_creds, ctx, principal, ccache, krb5_prompter, password,
krb_settings))
goto cleanup;
}
@ -331,9 +353,6 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
cleanup:
if (rv)
kerberos_log_msg(ctx, rv);
free(domain);
free(username);
free(password);
@ -715,7 +734,6 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
KRB_CREDENTIALS* credentials;
KRB_CONTEXT* context;
KRB_CONTEXT new_context = { 0 };
krb5_error_code rv = KRB5KDC_ERR_NONE;
PSecBuffer input_buffer = NULL;
PSecBuffer output_buffer = NULL;
PSecBuffer bindings_buffer = NULL;
@ -764,7 +782,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
{
context = &new_context;
if ((rv = krb5_init_context(&context->ctx)))
if (krb_log_exec_ptr(krb5_init_context, &context->ctx))
return SEC_E_INTERNAL_ERROR;
if (fContextReq & ISC_REQ_USE_SESSION_KEY)
@ -836,26 +854,27 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
case KERBEROS_STATE_AP_REQ:
/* Set auth_context options */
if ((rv = krb5_auth_con_init(context->ctx, &context->auth_ctx)))
if (krb_log_exec(krb5_auth_con_init, context->ctx, &context->auth_ctx))
goto cleanup;
if ((rv = krb5_auth_con_setflags(context->ctx, context->auth_ctx,
KRB5_AUTH_CONTEXT_DO_SEQUENCE |
KRB5_AUTH_CONTEXT_USE_SUBKEY)))
if (krb_log_exec(krb5_auth_con_setflags, context->ctx, context->auth_ctx,
KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
goto cleanup;
if ((rv = krb5glue_auth_con_set_cksumtype(context->ctx, context->auth_ctx,
GSS_CHECKSUM_TYPE)))
if (krb_log_exec(krb5glue_auth_con_set_cksumtype, context->ctx, context->auth_ctx,
GSS_CHECKSUM_TYPE))
goto cleanup;
/* Get a service ticket */
if ((rv = krb5_sname_to_principal(context->ctx, host, sname, KRB5_NT_SRV_HST,
&in_creds.server)))
if (krb_log_exec(krb5_sname_to_principal, context->ctx, host, sname, KRB5_NT_SRV_HST,
&in_creds.server))
goto cleanup;
if ((rv = krb5_cc_get_principal(context->ctx, credentials->ccache, &in_creds.client)))
if (krb_log_exec(krb5_cc_get_principal, context->ctx, credentials->ccache,
&in_creds.client))
goto cleanup;
if ((rv = krb5_get_credentials(context->ctx, context->u2u ? KRB5_GC_USER_USER : 0,
credentials->ccache, &in_creds, &creds)))
if (krb_log_exec(krb5_get_credentials, context->ctx,
context->u2u ? KRB5_GC_USER_USER : 0, credentials->ccache, &in_creds,
&creds))
goto cleanup;
/* Write the checksum (delegation not implemented) */
@ -896,8 +915,8 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
}
/* Make the AP_REQ message */
if ((rv = krb5_mk_req_extended(context->ctx, &context->auth_ctx, ap_flags, &cksum,
creds, &output_token)))
if (krb_log_exec(krb5_mk_req_extended, context->ctx, &context->auth_ctx, ap_flags,
&cksum, creds, &output_token))
goto cleanup;
if (!sspi_gss_wrap_token(output_buffer,
@ -907,12 +926,15 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
{
krb5_auth_con_getlocalseqnumber(context->ctx, context->auth_ctx,
(INT32*)&context->local_seq);
if (krb_log_exec(krb5_auth_con_getlocalseqnumber, context->ctx, context->auth_ctx,
(INT32*)&context->local_seq))
goto cleanup;
context->remote_seq ^= context->local_seq;
}
krb5glue_update_keyset(context->ctx, context->auth_ctx, FALSE, &context->keyset);
if (krb_log_exec(krb5glue_update_keyset, context->ctx, context->auth_ctx, FALSE,
&context->keyset))
goto cleanup;
context->state = KERBEROS_STATE_AP_REP;
@ -927,23 +949,29 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
if (tok_id == TOK_ID_AP_REP)
{
if ((rv = krb5_rd_rep(context->ctx, context->auth_ctx, &input_token, &reply)))
if (krb_log_exec(krb5_rd_rep, context->ctx, context->auth_ctx, &input_token,
&reply))
goto cleanup;
krb5_free_ap_rep_enc_part(context->ctx, reply);
}
else if (tok_id == TOK_ID_ERROR)
{
rv = krb5glue_log_error(context->ctx, &input_token, TAG);
krb5glue_log_error(context->ctx, &input_token, TAG);
goto cleanup;
}
else
goto bad_token;
if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
krb5_auth_con_getremoteseqnumber(context->ctx, context->auth_ctx,
(INT32*)&context->remote_seq);
{
if (krb_log_exec(krb5_auth_con_getremoteseqnumber, context->ctx, context->auth_ctx,
(INT32*)&context->remote_seq))
goto cleanup;
}
krb5glue_update_keyset(context->ctx, context->auth_ctx, FALSE, &context->keyset);
if (krb_log_exec(krb5glue_update_keyset, context->ctx, context->auth_ctx, FALSE,
&context->keyset))
goto cleanup;
context->state = KERBEROS_STATE_FINAL;
@ -984,8 +1012,6 @@ cleanup:
in_creds.second_ticket = edata;
krb5_free_cred_contents(context->ctx, &in_creds);
}
if (rv)
kerberos_log_msg(context->ctx, rv);
krb5_free_creds(context->ctx, creds);
if (output_token.data)
@ -1047,7 +1073,6 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
krb5_data input_token = { 0 };
krb5_data output_token = { 0 };
SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
krb5_error_code rv = 0;
krb5_flags ap_flags = 0;
krb5glue_authenticator authenticator;
char* target = NULL;
@ -1080,7 +1105,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
{
context = &new_context;
if ((rv = krb5_init_context(&context->ctx)))
if (krb_log_exec_ptr(krb5_init_context, &context->ctx))
return SEC_E_INTERNAL_ERROR;
if (sspi_gss_oid_compare(&oid, &kerberos_u2u_OID))
@ -1114,59 +1139,73 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
realm++;
}
if ((rv = krb5_parse_name_flags(context->ctx, sname ? sname : "",
KRB5_PRINCIPAL_PARSE_NO_REALM, &principal)))
if (krb_log_exec(krb5_parse_name_flags, context->ctx, sname ? sname : "",
KRB5_PRINCIPAL_PARSE_NO_REALM, &principal))
goto cleanup;
if (realm)
if ((rv = krb5glue_set_principal_realm(context->ctx, principal, realm)))
goto cleanup;
if ((rv = krb5_kt_start_seq_get(context->ctx, credentials->keytab, &cur)))
goto cleanup;
while ((rv = krb5_kt_next_entry(context->ctx, credentials->keytab, &entry, &cur)) == 0)
{
if ((!sname ||
krb5_principal_compare_any_realm(context->ctx, principal, entry.principal)) &&
(!realm || krb5_realm_compare(context->ctx, principal, entry.principal)))
break;
krb5glue_free_keytab_entry_contents(context->ctx, &entry);
if (krb_log_exec(krb5glue_set_principal_realm, context->ctx, principal, realm))
goto cleanup;
}
krb5_kt_end_seq_get(context->ctx, credentials->keytab, &cur);
if (krb_log_exec(krb5_kt_start_seq_get, context->ctx, credentials->keytab, &cur))
goto cleanup;
do
{
krb5_error_code rv =
krb_log_exec(krb5_kt_next_entry, context->ctx, credentials->keytab, &entry, &cur);
if (rv == KRB5_KT_END)
break;
if (rv != 0)
goto cleanup;
if ((!sname || krb_log_exec(krb5_principal_compare_any_realm, context->ctx, principal,
entry.principal)) &&
(!realm ||
krb_log_exec(krb5_realm_compare, context->ctx, principal, entry.principal)))
break;
if (krb_log_exec(krb5glue_free_keytab_entry_contents, context->ctx, &entry))
goto cleanup;
} while (1);
if (krb_log_exec(krb5_kt_end_seq_get, context->ctx, credentials->keytab, &cur))
goto cleanup;
if (!entry.principal)
goto cleanup;
/* Get the TGT */
if ((rv = krb5_get_init_creds_keytab(context->ctx, &creds, entry.principal,
credentials->keytab, 0, NULL, NULL)))
if (krb_log_exec(krb5_get_init_creds_keytab, context->ctx, &creds, entry.principal,
credentials->keytab, 0, NULL, NULL))
goto cleanup;
if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REP, NULL, NULL, &creds.ticket))
goto cleanup;
if ((rv = krb5_auth_con_init(context->ctx, &context->auth_ctx)))
if (krb_log_exec(krb5_auth_con_init, context->ctx, &context->auth_ctx))
goto cleanup;
if ((rv = krb5glue_auth_con_setuseruserkey(context->ctx, context->auth_ctx,
&krb5glue_creds_getkey(creds))))
if (krb_log_exec(krb5glue_auth_con_setuseruserkey, context->ctx, context->auth_ctx,
&krb5glue_creds_getkey(creds)))
goto cleanup;
context->state = KERBEROS_STATE_AP_REQ;
}
else if (context->state == KERBEROS_STATE_AP_REQ && tok_id == TOK_ID_AP_REQ)
{
if ((rv = krb5_rd_req(context->ctx, &context->auth_ctx, &input_token, NULL,
credentials->keytab, &ap_flags, NULL)))
if (krb_log_exec(krb5_rd_req, context->ctx, &context->auth_ctx, &input_token, NULL,
credentials->keytab, &ap_flags, NULL))
goto cleanup;
krb5_auth_con_setflags(context->ctx, context->auth_ctx,
KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY);
if (krb_log_exec(krb5_auth_con_setflags, context->ctx, context->auth_ctx,
KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
goto cleanup;
/* Retrieve and validate the checksum */
if ((rv = krb5_auth_con_getauthenticator(context->ctx, context->auth_ctx, &authenticator)))
if (krb_log_exec(krb5_auth_con_getauthenticator, context->ctx, context->auth_ctx,
&authenticator))
goto cleanup;
if (!krb5glue_authenticator_validate_chksum(authenticator, GSS_CHECKSUM_TYPE,
&context->flags))
@ -1176,7 +1215,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
{
if (!output_buffer)
goto bad_token;
if ((rv = krb5_mk_rep(context->ctx, context->auth_ctx, &output_token)))
if (krb_log_exec(krb5_mk_rep, context->ctx, context->auth_ctx, &output_token))
goto cleanup;
if (!sspi_gss_wrap_token(output_buffer,
context->u2u ? &kerberos_u2u_OID : &kerberos_OID,
@ -1194,13 +1233,17 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
{
krb5_auth_con_getlocalseqnumber(context->ctx, context->auth_ctx,
(INT32*)&context->local_seq);
krb5_auth_con_getremoteseqnumber(context->ctx, context->auth_ctx,
(INT32*)&context->remote_seq);
if (krb_log_exec(krb5_auth_con_getlocalseqnumber, context->ctx, context->auth_ctx,
(INT32*)&context->local_seq))
goto cleanup;
if (krb_log_exec(krb5_auth_con_getremoteseqnumber, context->ctx, context->auth_ctx,
(INT32*)&context->remote_seq))
goto cleanup;
}
krb5glue_update_keyset(context->ctx, context->auth_ctx, TRUE, &context->keyset);
if (krb_log_exec(krb5glue_update_keyset, context->ctx, context->auth_ctx, TRUE,
&context->keyset))
goto cleanup;
context->state = KERBEROS_STATE_FINAL;
}
@ -1233,9 +1276,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
cleanup:
if (rv)
kerberos_log_msg(context->ctx, rv);
free(target);
if (output_token.data)
krb5glue_free_data_contents(context->ctx, &output_token);
if (entry.principal)
@ -1312,16 +1353,28 @@ static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesA(PCtxtHandle ph
if (context->flags & SSPI_GSS_C_CONF_FLAG)
{
krb5glue_crypto_length(context->ctx, key, KRB5_CRYPTO_TYPE_HEADER, &header);
krb5glue_crypto_length(context->ctx, key, KRB5_CRYPTO_TYPE_PADDING, &pad);
krb5glue_crypto_length(context->ctx, key, KRB5_CRYPTO_TYPE_TRAILER, &trailer);
krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, context->ctx, key,
KRB5_CRYPTO_TYPE_HEADER, &header);
if (rv)
return rv;
rv = krb_log_exec(krb5glue_crypto_length, context->ctx, key, KRB5_CRYPTO_TYPE_PADDING,
&pad);
if (rv)
return rv;
rv = krb_log_exec(krb5glue_crypto_length, context->ctx, key, KRB5_CRYPTO_TYPE_TRAILER,
&trailer);
if (rv)
return rv;
/* GSS header (= 16 bytes) + encrypted header = 32 bytes */
ContextSizes->cbSecurityTrailer = header + pad + trailer + 32;
}
if (context->flags & SSPI_GSS_C_INTEG_FLAG)
{
krb5glue_crypto_length(context->ctx, key, KRB5_CRYPTO_TYPE_CHECKSUM,
&ContextSizes->cbMaxSignature);
krb5_error_code rv =
krb_log_exec(krb5glue_crypto_length, context->ctx, key, KRB5_CRYPTO_TYPE_CHECKSUM,
&ContextSizes->cbMaxSignature);
if (rv)
return rv;
ContextSizes->cbMaxSignature += 16;
}
@ -1473,7 +1526,8 @@ static SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(PCtxtHandle phContext,
encrypt_iov[2].data.length = 16;
/* Get the lengths of the header, trailer, and padding and ensure sig_buffer is large enough */
if (krb5glue_crypto_length_iov(context->ctx, key, encrypt_iov, ARRAYSIZE(encrypt_iov)))
if (krb_log_exec(krb5glue_crypto_length_iov, context->ctx, key, encrypt_iov,
ARRAYSIZE(encrypt_iov)))
return SEC_E_INTERNAL_ERROR;
if (sig_buffer->cbBuffer <
encrypt_iov[0].data.length + encrypt_iov[3].data.length + encrypt_iov[4].data.length + 32)
@ -1500,7 +1554,8 @@ static SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(PCtxtHandle phContext,
/* Set the correct RRC */
Data_Write_UINT16_BE(header + 6, 16 + encrypt_iov[3].data.length + encrypt_iov[4].data.length);
if (krb5glue_encrypt_iov(context->ctx, key, usage, encrypt_iov, ARRAYSIZE(encrypt_iov)))
if (krb_log_exec(krb5glue_encrypt_iov, context->ctx, key, usage, encrypt_iov,
ARRAYSIZE(encrypt_iov)))
return SEC_E_INTERNAL_ERROR;
return SEC_E_OK;
@ -1576,7 +1631,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(PCtxtHandle phContext,
/* Fill in the lengths of the iov array */
iov[1].data.length = data_buffer->cbBuffer;
iov[2].data.length = 16;
if (krb5glue_crypto_length_iov(context->ctx, key, iov, ARRAYSIZE(iov)))
if (krb_log_exec(krb5glue_crypto_length_iov, context->ctx, key, iov, ARRAYSIZE(iov)))
return SEC_E_INTERNAL_ERROR;
/* We don't expect a trailer buffer; everything must be in sig_buffer */
@ -1592,7 +1647,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(PCtxtHandle phContext,
iov[3].data.data = iov[2].data.data + iov[2].data.length;
iov[4].data.data = iov[3].data.data + iov[3].data.length;
if (krb5glue_decrypt_iov(context->ctx, key, usage, iov, ARRAYSIZE(iov)))
if (krb_log_exec(krb5glue_decrypt_iov, context->ctx, key, usage, iov, ARRAYSIZE(iov)))
return SEC_E_INTERNAL_ERROR;
/* Validate the encrypted header */
@ -1647,7 +1702,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(PCtxtHandle phContext, U
/* Fill in the lengths of the iov array */
iov[0].data.length = data_buffer->cbBuffer;
iov[1].data.length = 16;
if (krb5glue_crypto_length_iov(context->ctx, key, iov, ARRAYSIZE(iov)))
if (krb_log_exec(krb5glue_crypto_length_iov, context->ctx, key, iov, ARRAYSIZE(iov)))
return SEC_E_INTERNAL_ERROR;
/* Ensure the buffer is big enough */
@ -1666,7 +1721,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(PCtxtHandle phContext, U
iov[1].data.data = header;
iov[2].data.data = header + 16;
if (krb5glue_make_checksum_iov(context->ctx, key, usage, iov, ARRAYSIZE(iov)))
if (krb_log_exec(krb5glue_make_checksum_iov, context->ctx, key, usage, iov, ARRAYSIZE(iov)))
return SEC_E_INTERNAL_ERROR;
sig_buffer->cbBuffer = iov[2].data.length + 16;
@ -1736,7 +1791,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(PCtxtHandle phContext,
/* Fill in the iov array lengths */
iov[0].data.length = data_buffer->cbBuffer;
iov[1].data.length = 16;
if (krb5glue_crypto_length_iov(context->ctx, key, iov, ARRAYSIZE(iov)))
if (krb_log_exec(krb5glue_crypto_length_iov, context->ctx, key, iov, ARRAYSIZE(iov)))
return SEC_E_INTERNAL_ERROR;
if (sig_buffer->cbBuffer != iov[2].data.length + 16)
@ -1747,7 +1802,8 @@ static SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(PCtxtHandle phContext,
iov[1].data.data = header;
iov[2].data.data = header + 16;
if (krb5glue_verify_checksum_iov(context->ctx, key, usage, iov, ARRAYSIZE(iov), &is_valid))
if (krb_log_exec(krb5glue_verify_checksum_iov, context->ctx, key, usage, iov, ARRAYSIZE(iov),
&is_valid))
return SEC_E_INTERNAL_ERROR;
if (!is_valid)