From d5fc6e14b0b4f240b3b225487637c265471a9fc7 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 29 Mar 2016 17:13:46 +0300 Subject: GSS: make Curl_gss_log_error more verbose Also display the GSS_C_GSS_CODE (major code) when specified instead of only GSS_C_MECH_CODE (minor code). In addition, the old code was printing a colon twice after the prefix and also miscalculated the length of the buffer in between calls to gss_display_status (the length of ": " was missing). Also, gss_buffer is not guaranteed to be NULL terminated and thus need to restrict reading by its length. Closes #738 --- lib/curl_gssapi.c | 61 ++++++++++++++++++++++++++++------------------- lib/curl_gssapi.h | 4 ++-- lib/vauth/krb5_gssapi.c | 20 +++++++++------- lib/vauth/spnego_gssapi.c | 7 +++--- 4 files changed, 54 insertions(+), 38 deletions(-) (limited to 'lib') diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c index 75af67036..6f9121e4e 100644 --- a/lib/curl_gssapi.c +++ b/lib/curl_gssapi.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2011 - 2015, Daniel Stenberg, , et al. + * Copyright (C) 2011 - 2016, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -76,45 +76,56 @@ OM_uint32 Curl_gss_init_sec_context( NULL /* time_rec */); } -/* - * Curl_gss_log_error() - * - * This is used to log a GSS-API error status. - * - * Parameters: - * - * data [in] - The session handle. - * status [in] - The status code. - * prefix [in] - The prefix of the log message. - */ -void Curl_gss_log_error(struct SessionHandle *data, OM_uint32 status, - const char *prefix) -{ +#define GSS_LOG_BUFFER_LEN 1024 +static size_t display_gss_error(OM_uint32 status, int type, + char *buf, size_t len) { OM_uint32 maj_stat; OM_uint32 min_stat; OM_uint32 msg_ctx = 0; gss_buffer_desc status_string; - char buf[1024]; - size_t len; - snprintf(buf, sizeof(buf), "%s", prefix); - len = strlen(buf); do { maj_stat = gss_display_status(&min_stat, status, - GSS_C_MECH_CODE, + type, GSS_C_NO_OID, &msg_ctx, &status_string); - if(sizeof(buf) > len + status_string.length + 1) { - snprintf(buf + len, sizeof(buf) - len, - ": %s", (char*)status_string.value); - len += status_string.length; + if(GSS_LOG_BUFFER_LEN > len + status_string.length + 3) { + len += snprintf(buf + len, GSS_LOG_BUFFER_LEN - len, + "%.*s. ", (int)status_string.length, + (char*)status_string.value); } gss_release_buffer(&min_stat, &status_string); } while(!GSS_ERROR(maj_stat) && msg_ctx != 0); - infof(data, "%s\n", buf); + return len; +} + +/* + * Curl_gss_log_error() + * + * This is used to log a GSS-API error status. + * + * Parameters: + * + * data [in] - The session handle. + * prefix [in] - The prefix of the log message. + * major [in] - The major status code. + * minor [in] - The minor status code. + */ +void Curl_gss_log_error(struct SessionHandle *data, const char *prefix, + OM_uint32 major, OM_uint32 minor) +{ + char buf[GSS_LOG_BUFFER_LEN]; + size_t len = 0; + + if(major != GSS_S_FAILURE) + len = display_gss_error(major, GSS_C_GSS_CODE, buf, len); + + display_gss_error(minor, GSS_C_MECH_CODE, buf, len); + + infof(data, "%s%s\n", prefix, buf); } #endif /* HAVE_GSSAPI */ diff --git a/lib/curl_gssapi.h b/lib/curl_gssapi.h index c1642a8b6..42fd1e41d 100644 --- a/lib/curl_gssapi.h +++ b/lib/curl_gssapi.h @@ -56,8 +56,8 @@ OM_uint32 Curl_gss_init_sec_context( OM_uint32 *ret_flags); /* Helper to log a GSS-API error status */ -void Curl_gss_log_error(struct SessionHandle *data, OM_uint32 status, - const char *prefix); +void Curl_gss_log_error(struct SessionHandle *data, const char *prefix, + OM_uint32 major, OM_uint32 minor); /* Provide some definitions missing in old headers */ #ifdef HAVE_OLD_GSSMIT diff --git a/lib/vauth/krb5_gssapi.c b/lib/vauth/krb5_gssapi.c index 20274a02d..87accd13e 100644 --- a/lib/vauth/krb5_gssapi.c +++ b/lib/vauth/krb5_gssapi.c @@ -101,7 +101,8 @@ CURLcode Curl_auth_create_gssapi_user_message(struct SessionHandle *data, gss_major_status = gss_import_name(&gss_minor_status, &spn_token, GSS_C_NT_HOSTBASED_SERVICE, &krb5->spn); if(GSS_ERROR(gss_major_status)) { - Curl_gss_log_error(data, gss_minor_status, "gss_import_name() failed: "); + Curl_gss_log_error(data, "gss_import_name() failed: ", + gss_major_status, gss_minor_status); free(spn); @@ -147,8 +148,8 @@ CURLcode Curl_auth_create_gssapi_user_message(struct SessionHandle *data, if(output_token.value) gss_release_buffer(&gss_status, &output_token); - Curl_gss_log_error(data, gss_minor_status, - "gss_init_sec_context() failed: "); + Curl_gss_log_error(data, "gss_init_sec_context() failed: ", + gss_major_status, gss_minor_status); return CURLE_RECV_ERROR; } @@ -224,8 +225,8 @@ CURLcode Curl_auth_create_gssapi_security_message(struct SessionHandle *data, &username, NULL, NULL, NULL, NULL, NULL, NULL); if(GSS_ERROR(gss_major_status)) { - Curl_gss_log_error(data, gss_minor_status, - "gss_inquire_context() failed: "); + Curl_gss_log_error(data, "gss_inquire_context() failed: ", + gss_major_status, gss_minor_status); free(chlg); @@ -236,7 +237,8 @@ CURLcode Curl_auth_create_gssapi_security_message(struct SessionHandle *data, gss_major_status = gss_display_name(&gss_minor_status, username, &username_token, NULL); if(GSS_ERROR(gss_major_status)) { - Curl_gss_log_error(data, gss_minor_status, "gss_display_name() failed: "); + Curl_gss_log_error(data, "gss_display_name() failed: ", + gss_major_status, gss_minor_status); free(chlg); @@ -251,7 +253,8 @@ CURLcode Curl_auth_create_gssapi_security_message(struct SessionHandle *data, gss_major_status = gss_unwrap(&gss_minor_status, krb5->context, &input_token, &output_token, NULL, &qop); if(GSS_ERROR(gss_major_status)) { - Curl_gss_log_error(data, gss_minor_status, "gss_unwrap() failed: "); + Curl_gss_log_error(data, "gss_unwrap() failed: ", + gss_major_status, gss_minor_status); gss_release_buffer(&gss_status, &username_token); free(chlg); @@ -325,7 +328,8 @@ CURLcode Curl_auth_create_gssapi_security_message(struct SessionHandle *data, GSS_C_QOP_DEFAULT, &input_token, NULL, &output_token); if(GSS_ERROR(gss_major_status)) { - Curl_gss_log_error(data, gss_minor_status, "gss_wrap() failed: "); + Curl_gss_log_error(data, "gss_wrap() failed: ", + gss_major_status, gss_minor_status); free(message); diff --git a/lib/vauth/spnego_gssapi.c b/lib/vauth/spnego_gssapi.c index 9aa96dfdb..2f50daaa5 100644 --- a/lib/vauth/spnego_gssapi.c +++ b/lib/vauth/spnego_gssapi.c @@ -102,7 +102,8 @@ CURLcode Curl_auth_decode_spnego_message(struct SessionHandle *data, GSS_C_NT_HOSTBASED_SERVICE, &nego->server_name); if(GSS_ERROR(major_status)) { - Curl_gss_log_error(data, minor_status, "gss_import_name() failed: "); + Curl_gss_log_error(data, "gss_import_name() failed: ", + major_status, minor_status); free(spn); @@ -150,8 +151,8 @@ CURLcode Curl_auth_decode_spnego_message(struct SessionHandle *data, if(output_token.value) gss_release_buffer(&unused_status, &output_token); - Curl_gss_log_error(data, minor_status, - "gss_init_sec_context() failed: "); + Curl_gss_log_error(data, "gss_init_sec_context() failed: ", + major_status, minor_status); return CURLE_OUT_OF_MEMORY; } -- cgit v1.2.3