- throw in a not-applied-by-default patch to try to make pkinit debugging into a run-time boolean option named "pkinit_debug"
This commit is contained in:
Nalin Dahyabhai
parent
b77e5a0e35
commit
cbdf0e37a6
99
krb5-pkinit-debug.patch
Normal file
99
krb5-pkinit-debug.patch
Normal file
@ -0,0 +1,99 @@
|
||||
This is a cheap, non-very-portable way to make debugging a run-time option.
|
||||
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
|
||||
index 6598482..85e1c0d 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit.h
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit.h
|
||||
@@ -34,6 +34,7 @@
|
||||
#include <krb5/krb5.h>
|
||||
#include <krb5/preauth_plugin.h>
|
||||
#include <k5-int-pkinit.h>
|
||||
+#include <autoconf.h>
|
||||
#include <profile.h>
|
||||
#include "pkinit_accessor.h"
|
||||
|
||||
@@ -96,12 +97,15 @@ extern int longhorn; /* XXX Talking to a Longhorn server? */
|
||||
#define pkiDebug printf
|
||||
#else
|
||||
/* Still evaluates for side effects. */
|
||||
-static inline void pkiDebug (const char *fmt, ...) { }
|
||||
+/* static inline void pkiDebug (const char *fmt, ...) { } */
|
||||
+#define pkiDebug if (pkinit_debug_is_enabled()) printf
|
||||
/* This is better if the compiler doesn't inline variadic functions
|
||||
well, but gcc will warn about "left-hand operand of comma
|
||||
expression has no effect". Still evaluates for side effects. */
|
||||
/* #define pkiDebug (void) */
|
||||
#endif
|
||||
+extern void pkinit_debug_init(krb5_context context, krb5_data *realm, int kdc);
|
||||
+extern int pkinit_debug_is_enabled(void);
|
||||
|
||||
/* Solaris compiler doesn't grok __FUNCTION__
|
||||
* hack for now. Fix all the uses eventually. */
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
|
||||
index 6888c1b..bb39fce 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
|
||||
@@ -1002,6 +1002,8 @@ pkinit_client_process(krb5_context context,
|
||||
pkinit_req_context reqctx = (pkinit_req_context)request_context;
|
||||
krb5_keyblock *armor_key = NULL;
|
||||
|
||||
+ pkinit_debug_init(context, &(request->server->realm), 0);
|
||||
+
|
||||
pkiDebug("pkinit_client_process %p %p %p %p\n",
|
||||
context, plgctx, reqctx, request);
|
||||
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c
|
||||
index a6d7762..2b59fd0 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_lib.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_lib.c
|
||||
@@ -452,3 +452,28 @@ print_buffer_bin(unsigned char *buf, unsigned int len, char *filename)
|
||||
|
||||
fclose(f);
|
||||
}
|
||||
+
|
||||
+/* This is a cheat to avoid having to rewrite every caller of pkiDebug() to pass
|
||||
+ in a context structure, which is where this flag would be better placed. */
|
||||
+static __thread int pkinit_debug_enabled = 0;
|
||||
+
|
||||
+void
|
||||
+pkinit_debug_init(krb5_context context, krb5_data *realm, int kdc)
|
||||
+{
|
||||
+ pkinit_debug_enabled = -1;
|
||||
+ if (kdc) {
|
||||
+ pkinit_kdcdefault_boolean(context, realm, "pkinit_debug",
|
||||
+ -1, &pkinit_debug_enabled);
|
||||
+ }
|
||||
+ if (pkinit_debug_enabled == -1) {
|
||||
+ pkinit_libdefault_boolean(context, realm, "pkinit_debug",
|
||||
+ 0, &pkinit_debug_enabled);
|
||||
+ }
|
||||
+ printf("pkinit_debug: %d\n", pkinit_debug_enabled);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+pkinit_debug_is_enabled(void)
|
||||
+{
|
||||
+ return (pkinit_debug_enabled == 1);
|
||||
+}
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||
index 5a7a5ad..d7a0a44 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||
@@ -108,6 +108,8 @@ pkinit_server_get_edata(krb5_context context,
|
||||
pkinit_kdc_context plgctx = NULL;
|
||||
krb5_keyblock *armor_key = NULL;
|
||||
|
||||
+ pkinit_debug_init(context, &(request->server->realm), 1);
|
||||
+
|
||||
pkiDebug("pkinit_server_get_edata: entered!\n");
|
||||
|
||||
/* Remove (along with armor_key) when FAST PKINIT is settled. */
|
||||
@@ -315,6 +317,8 @@ pkinit_server_verify_padata(krb5_context context,
|
||||
int is_signed = 1;
|
||||
krb5_keyblock *armor_key;
|
||||
|
||||
+ pkinit_debug_init(context, &(request->server->realm), 1);
|
||||
+
|
||||
pkiDebug("pkinit_verify_padata: entered!\n");
|
||||
if (data == NULL || data->length <= 0 || data->contents == NULL)
|
||||
return 0;
|
||||
@ -51,6 +51,7 @@ Patch71: krb5-1.9-dirsrv-accountlock.patch
|
||||
Patch72: krb5-pkinit-cms2.patch
|
||||
Patch73: http://web.mit.edu/kerberos/advisories/2011-001-patch.txt
|
||||
Patch74: http://web.mit.edu/kerberos/advisories/2011-002-patch.txt
|
||||
Patch75: krb5-pkinit-debug.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -193,6 +194,7 @@ ln -s NOTICE LICENSE
|
||||
%patch72 -p1 -b .pkinit_cms2
|
||||
%patch73 -p1 -b .2011-001
|
||||
%patch74 -p1 -b .2011-002
|
||||
#%patch75 -p1 -b .pkinit-debug
|
||||
gzip doc/*.ps
|
||||
|
||||
sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
|
||||
@ -651,6 +653,10 @@ exit 0
|
||||
%{_sbindir}/uuserver
|
||||
|
||||
%changelog
|
||||
* Thu Feb 17 2011 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- throw in a not-applied-by-default patch to try to make pkinit debugging
|
||||
into a run-time boolean option named "pkinit_debug"
|
||||
|
||||
* Wed Feb 16 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9-6
|
||||
- turn on NSS as the backend for libk5crypto, adding nss-devel as a build
|
||||
dependency when that switch is flipped
|
||||
|
||||
Loading…
Reference in New Issue
Block a user