mirrors
/
FreeRDP
mirror of https://github.com/FreeRDP/FreeRDP
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[winpr,sspi] properly log all kerberos calls 

to ease debugging log each failure of a kerberos related function along
with location and function name
This commit is contained in:
Armin Novak 2024-01-13 20:32:35 +01:00 committed by David Fort
parent 4c17dfb71d
commit 5298580bbd
1 changed files with 153 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

250
winpr/libwinpr/sspi/Kerberos/kerberos.c
View File

@ -119,11 +119,34 @@ static const WinPrAsn1_OID kerberos_OID = { 9, (void*)"\x2a\x86\x48\x86\xf7\x12\
static const WinPrAsn1_OID kerberos_u2u_OID = { 10, static const WinPrAsn1_OID kerberos_u2u_OID = { 10,
(void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03" }; (void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03" };
static void kerberos_log_msg(krb5_context ctx, krb5_error_code code) #define krb_log_exec(fkt, ctx, ...) \
kerberos_log_msg(ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
#define krb_log_exec_ptr(fkt, ctx, ...) \
kerberos_log_msg(*ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
static krb5_error_code kerberos_log_msg(krb5_context ctx, krb5_error_code code, const char* what,
const char* file, const char* fkt, size_t line)
{ {
const char* msg = krb5_get_error_message(ctx, code); switch (code)
WLog_ERR(TAG, msg); {
krb5_free_error_message(ctx, msg); case 0:
case KRB5_KT_END:
break;
default:
{
const DWORD level = WLOG_ERROR;
wLog* log = WLog_Get(TAG);
if (WLog_IsLevelActive(log, level))
{
const char* msg = krb5_get_error_message(ctx, code);
WLog_PrintMessage(log, WLOG_MESSAGE_TEXT, level, line, file, fkt, "%s (%s [%d])",
what, msg, code);
krb5_free_error_message(ctx, msg);
}
}
break;
}
return code;
} }
static void kerberos_ContextFree(KRB_CONTEXT* ctx, BOOL allocated) static void kerberos_ContextFree(KRB_CONTEXT* ctx, BOOL allocated)
@ -184,7 +207,6 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
#ifdef WITH_KRB5 #ifdef WITH_KRB5
SEC_WINPR_KERBEROS_SETTINGS* krb_settings = NULL; SEC_WINPR_KERBEROS_SETTINGS* krb_settings = NULL;
KRB_CREDENTIALS* credentials = NULL; KRB_CREDENTIALS* credentials = NULL;
krb5_error_code rv = 0;
krb5_context ctx = NULL; krb5_context ctx = NULL;
krb5_ccache ccache = NULL; krb5_ccache ccache = NULL;
krb5_keytab keytab = NULL; krb5_keytab keytab = NULL;
@ -213,7 +235,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
pszPrincipal = username; pszPrincipal = username;
} }
if ((rv = krb5_init_context(&ctx))) if (krb_log_exec_ptr(krb5_init_context, &ctx))
goto cleanup; goto cleanup;
if (domain) if (domain)
@ -224,7 +246,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
CharUpperA(udomain); CharUpperA(udomain);
/* Will use domain if realm is not specified in username */ /* Will use domain if realm is not specified in username */
rv = krb5_set_default_realm(ctx, udomain); krb5_error_code rv = krb_log_exec(krb5_set_default_realm, ctx, udomain);
free(udomain); free(udomain);
if (rv) if (rv)
@ -242,7 +264,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
if (p) if (p)
CharUpperA(p); CharUpperA(p);
rv = krb5_parse_name(ctx, cpszPrincipal, &principal); krb5_error_code rv = krb_log_exec(krb5_parse_name, ctx, cpszPrincipal, &principal);
free(cpszPrincipal); free(cpszPrincipal);
if (rv) if (rv)
@ -251,7 +273,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
if (krb_settings && krb_settings->cache) if (krb_settings && krb_settings->cache)
{ {
if ((rv = krb5_cc_set_default_name(ctx, krb_settings->cache))) if ((krb_log_exec(krb5_cc_set_default_name, ctx, krb_settings->cache)))
goto cleanup; goto cleanup;
} }
else else
@ -264,16 +286,16 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
{ {
if (own_ccache) if (own_ccache)
{ {
if ((rv = krb5_cc_new_unique(ctx, default_ccache_type, 0, &ccache))) if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache))
goto cleanup; goto cleanup;
} }
else else
{ {
if ((rv = krb5_cc_resolve(ctx, krb_settings->cache, &ccache))) if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
goto cleanup; goto cleanup;
} }
if ((rv = krb5_cc_initialize(ctx, ccache, principal))) if (krb_log_exec(krb5_cc_initialize, ctx, ccache, principal))
goto cleanup; goto cleanup;
} }
else else
@ -282,9 +304,9 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
else if (fCredentialUse & SECPKG_CRED_OUTBOUND) else if (fCredentialUse & SECPKG_CRED_OUTBOUND)
{ {
/* Use the default cache with it's default principal */ /* Use the default cache with it's default principal */
if ((rv = krb5_cc_default(ctx, &ccache))) if (krb_log_exec(krb5_cc_default, ctx, &ccache))
goto cleanup; goto cleanup;
if ((rv = krb5_cc_get_principal(ctx, ccache, &principal))) if (krb_log_exec(krb5_cc_get_principal, ctx, ccache, &principal))
goto cleanup; goto cleanup;
own_ccache = FALSE; own_ccache = FALSE;
} }
@ -292,33 +314,33 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
{ {
if (own_ccache) if (own_ccache)
{ {
if ((rv = krb5_cc_new_unique(ctx, default_ccache_type, 0, &ccache))) if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache))
goto cleanup; goto cleanup;
} }
else else
{ {
if ((rv = krb5_cc_resolve(ctx, krb_settings->cache, &ccache))) if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
goto cleanup; goto cleanup;
} }
} }
if (krb_settings && krb_settings->keytab) if (krb_settings && krb_settings->keytab)
{ {
if ((rv = krb5_kt_resolve(ctx, krb_settings->keytab, &keytab))) if (krb_log_exec(krb5_kt_resolve, ctx, krb_settings->keytab, &keytab))
goto cleanup; goto cleanup;
} }
else else
{ {
if (fCredentialUse & SECPKG_CRED_INBOUND) if (fCredentialUse & SECPKG_CRED_INBOUND)
if ((rv = krb5_kt_default(ctx, &keytab))) if (krb_log_exec(krb5_kt_default, ctx, &keytab))
goto cleanup; goto cleanup;
} }
/* Get initial credentials if required */ /* Get initial credentials if required */
if (fCredentialUse & SECPKG_CRED_OUTBOUND) if (fCredentialUse & SECPKG_CRED_OUTBOUND)
{ {
if ((rv = krb5glue_get_init_creds(ctx, principal, ccache, krb5_prompter, password, if (krb_log_exec(krb5glue_get_init_creds, ctx, principal, ccache, krb5_prompter, password,
krb_settings))) krb_settings))
goto cleanup; goto cleanup;
} }
@ -331,9 +353,6 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
cleanup: cleanup:
if (rv)
kerberos_log_msg(ctx, rv);
free(domain); free(domain);
free(username); free(username);
free(password); free(password);
@ -715,7 +734,6 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
KRB_CREDENTIALS* credentials; KRB_CREDENTIALS* credentials;
KRB_CONTEXT* context; KRB_CONTEXT* context;
KRB_CONTEXT new_context = { 0 }; KRB_CONTEXT new_context = { 0 };
krb5_error_code rv = KRB5KDC_ERR_NONE;
PSecBuffer input_buffer = NULL; PSecBuffer input_buffer = NULL;
PSecBuffer output_buffer = NULL; PSecBuffer output_buffer = NULL;
PSecBuffer bindings_buffer = NULL; PSecBuffer bindings_buffer = NULL;
@ -764,7 +782,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
{ {
context = &new_context; context = &new_context;
if ((rv = krb5_init_context(&context->ctx))) if (krb_log_exec_ptr(krb5_init_context, &context->ctx))
return SEC_E_INTERNAL_ERROR; return SEC_E_INTERNAL_ERROR;
if (fContextReq & ISC_REQ_USE_SESSION_KEY) if (fContextReq & ISC_REQ_USE_SESSION_KEY)
@ -836,26 +854,27 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
case KERBEROS_STATE_AP_REQ: case KERBEROS_STATE_AP_REQ:
/* Set auth_context options */ /* Set auth_context options */
if ((rv = krb5_auth_con_init(context->ctx, &context->auth_ctx))) if (krb_log_exec(krb5_auth_con_init, context->ctx, &context->auth_ctx))
goto cleanup; goto cleanup;
if ((rv = krb5_auth_con_setflags(context->ctx, context->auth_ctx, if (krb_log_exec(krb5_auth_con_setflags, context->ctx, context->auth_ctx,
KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
KRB5_AUTH_CONTEXT_USE_SUBKEY)))
goto cleanup; goto cleanup;
if ((rv = krb5glue_auth_con_set_cksumtype(context->ctx, context->auth_ctx, if (krb_log_exec(krb5glue_auth_con_set_cksumtype, context->ctx, context->auth_ctx,
GSS_CHECKSUM_TYPE))) GSS_CHECKSUM_TYPE))
goto cleanup; goto cleanup;
/* Get a service ticket */ /* Get a service ticket */
if ((rv = krb5_sname_to_principal(context->ctx, host, sname, KRB5_NT_SRV_HST, if (krb_log_exec(krb5_sname_to_principal, context->ctx, host, sname, KRB5_NT_SRV_HST,
&in_creds.server))) &in_creds.server))
goto cleanup; goto cleanup;
if ((rv = krb5_cc_get_principal(context->ctx, credentials->ccache, &in_creds.client))) if (krb_log_exec(krb5_cc_get_principal, context->ctx, credentials->ccache,
&in_creds.client))
goto cleanup; goto cleanup;
if ((rv = krb5_get_credentials(context->ctx, context->u2u ? KRB5_GC_USER_USER : 0, if (krb_log_exec(krb5_get_credentials, context->ctx,
credentials->ccache, &in_creds, &creds))) context->u2u ? KRB5_GC_USER_USER : 0, credentials->ccache, &in_creds,
&creds))
goto cleanup; goto cleanup;
/* Write the checksum (delegation not implemented) */ /* Write the checksum (delegation not implemented) */
@ -896,8 +915,8 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
} }
/* Make the AP_REQ message */ /* Make the AP_REQ message */
if ((rv = krb5_mk_req_extended(context->ctx, &context->auth_ctx, ap_flags, &cksum, if (krb_log_exec(krb5_mk_req_extended, context->ctx, &context->auth_ctx, ap_flags,
creds, &output_token))) &cksum, creds, &output_token))
goto cleanup; goto cleanup;
if (!sspi_gss_wrap_token(output_buffer, if (!sspi_gss_wrap_token(output_buffer,
@ -907,12 +926,15 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG) if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
{ {
krb5_auth_con_getlocalseqnumber(context->ctx, context->auth_ctx, if (krb_log_exec(krb5_auth_con_getlocalseqnumber, context->ctx, context->auth_ctx,
(INT32*)&context->local_seq); (INT32*)&context->local_seq))
goto cleanup;
context->remote_seq ^= context->local_seq; context->remote_seq ^= context->local_seq;
} }
krb5glue_update_keyset(context->ctx, context->auth_ctx, FALSE, &context->keyset); if (krb_log_exec(krb5glue_update_keyset, context->ctx, context->auth_ctx, FALSE,
&context->keyset))
goto cleanup;
context->state = KERBEROS_STATE_AP_REP; context->state = KERBEROS_STATE_AP_REP;
@ -927,23 +949,29 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
if (tok_id == TOK_ID_AP_REP) if (tok_id == TOK_ID_AP_REP)
{ {
if ((rv = krb5_rd_rep(context->ctx, context->auth_ctx, &input_token, &reply))) if (krb_log_exec(krb5_rd_rep, context->ctx, context->auth_ctx, &input_token,
&reply))
goto cleanup; goto cleanup;
krb5_free_ap_rep_enc_part(context->ctx, reply); krb5_free_ap_rep_enc_part(context->ctx, reply);
} }
else if (tok_id == TOK_ID_ERROR) else if (tok_id == TOK_ID_ERROR)
{ {
rv = krb5glue_log_error(context->ctx, &input_token, TAG); krb5glue_log_error(context->ctx, &input_token, TAG);
goto cleanup; goto cleanup;
} }
else else
goto bad_token; goto bad_token;
if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG) if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
krb5_auth_con_getremoteseqnumber(context->ctx, context->auth_ctx, {
(INT32*)&context->remote_seq); if (krb_log_exec(krb5_auth_con_getremoteseqnumber, context->ctx, context->auth_ctx,
(INT32*)&context->remote_seq))
goto cleanup;
}
krb5glue_update_keyset(context->ctx, context->auth_ctx, FALSE, &context->keyset); if (krb_log_exec(krb5glue_update_keyset, context->ctx, context->auth_ctx, FALSE,
&context->keyset))
goto cleanup;
context->state = KERBEROS_STATE_FINAL; context->state = KERBEROS_STATE_FINAL;
@ -984,8 +1012,6 @@ cleanup:
in_creds.second_ticket = edata; in_creds.second_ticket = edata;
krb5_free_cred_contents(context->ctx, &in_creds); krb5_free_cred_contents(context->ctx, &in_creds);
} }
if (rv)
kerberos_log_msg(context->ctx, rv);
krb5_free_creds(context->ctx, creds); krb5_free_creds(context->ctx, creds);
if (output_token.data) if (output_token.data)
@ -1047,7 +1073,6 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
krb5_data input_token = { 0 }; krb5_data input_token = { 0 };
krb5_data output_token = { 0 }; krb5_data output_token = { 0 };
SECURITY_STATUS status = SEC_E_INTERNAL_ERROR; SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
krb5_error_code rv = 0;
krb5_flags ap_flags = 0; krb5_flags ap_flags = 0;
krb5glue_authenticator authenticator; krb5glue_authenticator authenticator;
char* target = NULL; char* target = NULL;
@ -1080,7 +1105,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
{ {
context = &new_context; context = &new_context;
if ((rv = krb5_init_context(&context->ctx))) if (krb_log_exec_ptr(krb5_init_context, &context->ctx))
return SEC_E_INTERNAL_ERROR; return SEC_E_INTERNAL_ERROR;
if (sspi_gss_oid_compare(&oid, &kerberos_u2u_OID)) if (sspi_gss_oid_compare(&oid, &kerberos_u2u_OID))
@ -1114,59 +1139,73 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
realm++; realm++;
} }
if ((rv = krb5_parse_name_flags(context->ctx, sname ? sname : "", if (krb_log_exec(krb5_parse_name_flags, context->ctx, sname ? sname : "",
KRB5_PRINCIPAL_PARSE_NO_REALM, &principal))) KRB5_PRINCIPAL_PARSE_NO_REALM, &principal))
goto cleanup; goto cleanup;
if (realm) if (realm)
if ((rv = krb5glue_set_principal_realm(context->ctx, principal, realm)))
goto cleanup;
if ((rv = krb5_kt_start_seq_get(context->ctx, credentials->keytab, &cur)))
goto cleanup;
while ((rv = krb5_kt_next_entry(context->ctx, credentials->keytab, &entry, &cur)) == 0)
{ {
if ((!sname || if (krb_log_exec(krb5glue_set_principal_realm, context->ctx, principal, realm))
krb5_principal_compare_any_realm(context->ctx, principal, entry.principal)) && goto cleanup;
(!realm || krb5_realm_compare(context->ctx, principal, entry.principal)))
break;
krb5glue_free_keytab_entry_contents(context->ctx, &entry);
} }
krb5_kt_end_seq_get(context->ctx, credentials->keytab, &cur); if (krb_log_exec(krb5_kt_start_seq_get, context->ctx, credentials->keytab, &cur))
goto cleanup;
do
{
krb5_error_code rv =
krb_log_exec(krb5_kt_next_entry, context->ctx, credentials->keytab, &entry, &cur);
if (rv == KRB5_KT_END)
break;
if (rv != 0)
goto cleanup;
if ((!sname || krb_log_exec(krb5_principal_compare_any_realm, context->ctx, principal,
entry.principal)) &&
(!realm ||
krb_log_exec(krb5_realm_compare, context->ctx, principal, entry.principal)))
break;
if (krb_log_exec(krb5glue_free_keytab_entry_contents, context->ctx, &entry))
goto cleanup;
} while (1);
if (krb_log_exec(krb5_kt_end_seq_get, context->ctx, credentials->keytab, &cur))
goto cleanup;
if (!entry.principal) if (!entry.principal)
goto cleanup; goto cleanup;
/* Get the TGT */ /* Get the TGT */
if ((rv = krb5_get_init_creds_keytab(context->ctx, &creds, entry.principal, if (krb_log_exec(krb5_get_init_creds_keytab, context->ctx, &creds, entry.principal,
credentials->keytab, 0, NULL, NULL))) credentials->keytab, 0, NULL, NULL))
goto cleanup; goto cleanup;
if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REP, NULL, NULL, &creds.ticket)) if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REP, NULL, NULL, &creds.ticket))
goto cleanup; goto cleanup;
if ((rv = krb5_auth_con_init(context->ctx, &context->auth_ctx))) if (krb_log_exec(krb5_auth_con_init, context->ctx, &context->auth_ctx))
goto cleanup; goto cleanup;
if ((rv = krb5glue_auth_con_setuseruserkey(context->ctx, context->auth_ctx, if (krb_log_exec(krb5glue_auth_con_setuseruserkey, context->ctx, context->auth_ctx,
&krb5glue_creds_getkey(creds)))) &krb5glue_creds_getkey(creds)))
goto cleanup; goto cleanup;
context->state = KERBEROS_STATE_AP_REQ; context->state = KERBEROS_STATE_AP_REQ;
} }
else if (context->state == KERBEROS_STATE_AP_REQ && tok_id == TOK_ID_AP_REQ) else if (context->state == KERBEROS_STATE_AP_REQ && tok_id == TOK_ID_AP_REQ)
{ {
if ((rv = krb5_rd_req(context->ctx, &context->auth_ctx, &input_token, NULL, if (krb_log_exec(krb5_rd_req, context->ctx, &context->auth_ctx, &input_token, NULL,
credentials->keytab, &ap_flags, NULL))) credentials->keytab, &ap_flags, NULL))
goto cleanup; goto cleanup;
krb5_auth_con_setflags(context->ctx, context->auth_ctx, if (krb_log_exec(krb5_auth_con_setflags, context->ctx, context->auth_ctx,
KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY); KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
goto cleanup;
/* Retrieve and validate the checksum */ /* Retrieve and validate the checksum */
if ((rv = krb5_auth_con_getauthenticator(context->ctx, context->auth_ctx, &authenticator))) if (krb_log_exec(krb5_auth_con_getauthenticator, context->ctx, context->auth_ctx,
&authenticator))
goto cleanup; goto cleanup;
if (!krb5glue_authenticator_validate_chksum(authenticator, GSS_CHECKSUM_TYPE, if (!krb5glue_authenticator_validate_chksum(authenticator, GSS_CHECKSUM_TYPE,
&context->flags)) &context->flags))
@ -1176,7 +1215,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
{ {
if (!output_buffer) if (!output_buffer)
goto bad_token; goto bad_token;
if ((rv = krb5_mk_rep(context->ctx, context->auth_ctx, &output_token))) if (krb_log_exec(krb5_mk_rep, context->ctx, context->auth_ctx, &output_token))
goto cleanup; goto cleanup;
if (!sspi_gss_wrap_token(output_buffer, if (!sspi_gss_wrap_token(output_buffer,
context->u2u ? &kerberos_u2u_OID : &kerberos_OID, context->u2u ? &kerberos_u2u_OID : &kerberos_OID,
@ -1194,13 +1233,17 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG) if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
{ {
krb5_auth_con_getlocalseqnumber(context->ctx, context->auth_ctx, if (krb_log_exec(krb5_auth_con_getlocalseqnumber, context->ctx, context->auth_ctx,
(INT32*)&context->local_seq); (INT32*)&context->local_seq))
krb5_auth_con_getremoteseqnumber(context->ctx, context->auth_ctx, goto cleanup;
(INT32*)&context->remote_seq); if (krb_log_exec(krb5_auth_con_getremoteseqnumber, context->ctx, context->auth_ctx,
(INT32*)&context->remote_seq))
goto cleanup;
} }
krb5glue_update_keyset(context->ctx, context->auth_ctx, TRUE, &context->keyset); if (krb_log_exec(krb5glue_update_keyset, context->ctx, context->auth_ctx, TRUE,
&context->keyset))
goto cleanup;
context->state = KERBEROS_STATE_FINAL; context->state = KERBEROS_STATE_FINAL;
} }
@ -1233,9 +1276,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
cleanup: cleanup:
if (rv) free(target);
kerberos_log_msg(context->ctx, rv);
if (output_token.data) if (output_token.data)
krb5glue_free_data_contents(context->ctx, &output_token); krb5glue_free_data_contents(context->ctx, &output_token);
if (entry.principal) if (entry.principal)
@ -1312,16 +1353,28 @@ static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesA(PCtxtHandle ph
if (context->flags & SSPI_GSS_C_CONF_FLAG) if (context->flags & SSPI_GSS_C_CONF_FLAG)
{ {
krb5glue_crypto_length(context->ctx, key, KRB5_CRYPTO_TYPE_HEADER, &header); krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, context->ctx, key,
krb5glue_crypto_length(context->ctx, key, KRB5_CRYPTO_TYPE_PADDING, &pad); KRB5_CRYPTO_TYPE_HEADER, &header);
krb5glue_crypto_length(context->ctx, key, KRB5_CRYPTO_TYPE_TRAILER, &trailer); if (rv)
return rv;
rv = krb_log_exec(krb5glue_crypto_length, context->ctx, key, KRB5_CRYPTO_TYPE_PADDING,
&pad);
if (rv)
return rv;
rv = krb_log_exec(krb5glue_crypto_length, context->ctx, key, KRB5_CRYPTO_TYPE_TRAILER,
&trailer);
if (rv)
return rv;
/* GSS header (= 16 bytes) + encrypted header = 32 bytes */ /* GSS header (= 16 bytes) + encrypted header = 32 bytes */
ContextSizes->cbSecurityTrailer = header + pad + trailer + 32; ContextSizes->cbSecurityTrailer = header + pad + trailer + 32;
} }
if (context->flags & SSPI_GSS_C_INTEG_FLAG) if (context->flags & SSPI_GSS_C_INTEG_FLAG)
{ {
krb5glue_crypto_length(context->ctx, key, KRB5_CRYPTO_TYPE_CHECKSUM, krb5_error_code rv =
&ContextSizes->cbMaxSignature); krb_log_exec(krb5glue_crypto_length, context->ctx, key, KRB5_CRYPTO_TYPE_CHECKSUM,
&ContextSizes->cbMaxSignature);
if (rv)
return rv;
ContextSizes->cbMaxSignature += 16; ContextSizes->cbMaxSignature += 16;
} }
@ -1473,7 +1526,8 @@ static SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(PCtxtHandle phContext,
encrypt_iov[2].data.length = 16; encrypt_iov[2].data.length = 16;
/* Get the lengths of the header, trailer, and padding and ensure sig_buffer is large enough */ /* Get the lengths of the header, trailer, and padding and ensure sig_buffer is large enough */
if (krb5glue_crypto_length_iov(context->ctx, key, encrypt_iov, ARRAYSIZE(encrypt_iov))) if (krb_log_exec(krb5glue_crypto_length_iov, context->ctx, key, encrypt_iov,
ARRAYSIZE(encrypt_iov)))
return SEC_E_INTERNAL_ERROR; return SEC_E_INTERNAL_ERROR;
if (sig_buffer->cbBuffer < if (sig_buffer->cbBuffer <
encrypt_iov[0].data.length + encrypt_iov[3].data.length + encrypt_iov[4].data.length + 32) encrypt_iov[0].data.length + encrypt_iov[3].data.length + encrypt_iov[4].data.length + 32)
@ -1500,7 +1554,8 @@ static SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(PCtxtHandle phContext,
/* Set the correct RRC */ /* Set the correct RRC */
Data_Write_UINT16_BE(header + 6, 16 + encrypt_iov[3].data.length + encrypt_iov[4].data.length); Data_Write_UINT16_BE(header + 6, 16 + encrypt_iov[3].data.length + encrypt_iov[4].data.length);
if (krb5glue_encrypt_iov(context->ctx, key, usage, encrypt_iov, ARRAYSIZE(encrypt_iov))) if (krb_log_exec(krb5glue_encrypt_iov, context->ctx, key, usage, encrypt_iov,
ARRAYSIZE(encrypt_iov)))
return SEC_E_INTERNAL_ERROR; return SEC_E_INTERNAL_ERROR;
return SEC_E_OK; return SEC_E_OK;
@ -1576,7 +1631,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(PCtxtHandle phContext,
/* Fill in the lengths of the iov array */ /* Fill in the lengths of the iov array */
iov[1].data.length = data_buffer->cbBuffer; iov[1].data.length = data_buffer->cbBuffer;
iov[2].data.length = 16; iov[2].data.length = 16;
if (krb5glue_crypto_length_iov(context->ctx, key, iov, ARRAYSIZE(iov))) if (krb_log_exec(krb5glue_crypto_length_iov, context->ctx, key, iov, ARRAYSIZE(iov)))
return SEC_E_INTERNAL_ERROR; return SEC_E_INTERNAL_ERROR;
/* We don't expect a trailer buffer; everything must be in sig_buffer */ /* We don't expect a trailer buffer; everything must be in sig_buffer */
@ -1592,7 +1647,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(PCtxtHandle phContext,
iov[3].data.data = iov[2].data.data + iov[2].data.length; iov[3].data.data = iov[2].data.data + iov[2].data.length;
iov[4].data.data = iov[3].data.data + iov[3].data.length; iov[4].data.data = iov[3].data.data + iov[3].data.length;
if (krb5glue_decrypt_iov(context->ctx, key, usage, iov, ARRAYSIZE(iov))) if (krb_log_exec(krb5glue_decrypt_iov, context->ctx, key, usage, iov, ARRAYSIZE(iov)))
return SEC_E_INTERNAL_ERROR; return SEC_E_INTERNAL_ERROR;
/* Validate the encrypted header */ /* Validate the encrypted header */
@ -1647,7 +1702,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(PCtxtHandle phContext, U
/* Fill in the lengths of the iov array */ /* Fill in the lengths of the iov array */
iov[0].data.length = data_buffer->cbBuffer; iov[0].data.length = data_buffer->cbBuffer;
iov[1].data.length = 16; iov[1].data.length = 16;
if (krb5glue_crypto_length_iov(context->ctx, key, iov, ARRAYSIZE(iov))) if (krb_log_exec(krb5glue_crypto_length_iov, context->ctx, key, iov, ARRAYSIZE(iov)))
return SEC_E_INTERNAL_ERROR; return SEC_E_INTERNAL_ERROR;
/* Ensure the buffer is big enough */ /* Ensure the buffer is big enough */
@ -1666,7 +1721,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(PCtxtHandle phContext, U
iov[1].data.data = header; iov[1].data.data = header;
iov[2].data.data = header + 16; iov[2].data.data = header + 16;
if (krb5glue_make_checksum_iov(context->ctx, key, usage, iov, ARRAYSIZE(iov))) if (krb_log_exec(krb5glue_make_checksum_iov, context->ctx, key, usage, iov, ARRAYSIZE(iov)))
return SEC_E_INTERNAL_ERROR; return SEC_E_INTERNAL_ERROR;
sig_buffer->cbBuffer = iov[2].data.length + 16; sig_buffer->cbBuffer = iov[2].data.length + 16;
@ -1736,7 +1791,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(PCtxtHandle phContext,
/* Fill in the iov array lengths */ /* Fill in the iov array lengths */
iov[0].data.length = data_buffer->cbBuffer; iov[0].data.length = data_buffer->cbBuffer;
iov[1].data.length = 16; iov[1].data.length = 16;
if (krb5glue_crypto_length_iov(context->ctx, key, iov, ARRAYSIZE(iov))) if (krb_log_exec(krb5glue_crypto_length_iov, context->ctx, key, iov, ARRAYSIZE(iov)))
return SEC_E_INTERNAL_ERROR; return SEC_E_INTERNAL_ERROR;
if (sig_buffer->cbBuffer != iov[2].data.length + 16) if (sig_buffer->cbBuffer != iov[2].data.length + 16)
@ -1747,7 +1802,8 @@ static SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(PCtxtHandle phContext,
iov[1].data.data = header; iov[1].data.data = header;
iov[2].data.data = header + 16; iov[2].data.data = header + 16;
if (krb5glue_verify_checksum_iov(context->ctx, key, usage, iov, ARRAYSIZE(iov), &is_valid)) if (krb_log_exec(krb5glue_verify_checksum_iov, context->ctx, key, usage, iov, ARRAYSIZE(iov),
&is_valid))
return SEC_E_INTERNAL_ERROR; return SEC_E_INTERNAL_ERROR;
if (!is_valid) if (!is_valid)