svn rev #25855: trunk/src/plugins/preauth/pkinit/
ghudson@MIT.EDU
ghudson at MIT.EDU
Mon May 7 23:04:22 EDT 2012
http://src.mit.edu/fisheye/changelog/krb5/?cs=25855
Commit By: ghudson
Log Message:
First pass at PKINIT client trace logs
Trace basic decisions about PKINIT client protocol processing.
Changed Files:
U trunk/src/plugins/preauth/pkinit/deps
U trunk/src/plugins/preauth/pkinit/pkinit.h
U trunk/src/plugins/preauth/pkinit/pkinit_clnt.c
A trunk/src/plugins/preauth/pkinit/pkinit_trace.h
Modified: trunk/src/plugins/preauth/pkinit/deps
===================================================================
--- trunk/src/plugins/preauth/pkinit/deps 2012-05-08 03:04:15 UTC (rev 25854)
+++ trunk/src/plugins/preauth/pkinit/deps 2012-05-08 03:04:22 UTC (rev 25855)
@@ -24,34 +24,39 @@
$(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
$(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
$(top_srcdir)/include/socket-utils.h pkcs11.h pkinit.h \
- pkinit_accessor.h pkinit_crypto.h pkinit_srv.c
+ pkinit_accessor.h pkinit_crypto.h pkinit_srv.c pkinit_trace.h
pkinit_lib.so pkinit_lib.po $(OUTPRE)pkinit_lib.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \
- pkinit_lib.c
+ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5/plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h pkcs11.h \
+ pkinit.h pkinit_accessor.h pkinit_crypto.h pkinit_lib.c \
+ pkinit_trace.h
pkinit_kdf_test.so pkinit_kdf_test.po $(OUTPRE)pkinit_kdf_test.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \
- pkinit_crypto_openssl.h pkinit_kdf_test.c
+ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5/plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h pkcs11.h \
+ pkinit.h pkinit_accessor.h pkinit_crypto.h pkinit_crypto_openssl.h \
+ pkinit_kdf_test.c pkinit_trace.h
pkinit_kdf_constants.so pkinit_kdf_constants.po $(OUTPRE)pkinit_kdf_constants.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/plugin.h \
- $(top_srcdir)/include/krb5/preauth_plugin.h pkcs11.h \
- pkinit.h pkinit_accessor.h pkinit_crypto.h pkinit_kdf_constants.c
+ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \
+ pkinit_kdf_constants.c pkinit_trace.h
pkinit_clnt.so pkinit_clnt.po $(OUTPRE)pkinit_clnt.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- pkcs11.h pkinit.h pkinit_accessor.h pkinit_clnt.c pkinit_crypto.h
+ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5/plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h pkcs11.h \
+ pkinit.h pkinit_accessor.h pkinit_clnt.c pkinit_crypto.h \
+ pkinit_trace.h
pkinit_profile.so pkinit_profile.po $(OUTPRE)pkinit_profile.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -63,25 +68,29 @@
$(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
$(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
$(top_srcdir)/include/socket-utils.h pkcs11.h pkinit.h \
- pkinit_accessor.h pkinit_crypto.h pkinit_profile.c
+ pkinit_accessor.h pkinit_crypto.h pkinit_profile.c \
+ pkinit_trace.h
pkinit_identity.so pkinit_identity.po $(OUTPRE)pkinit_identity.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \
- pkinit_identity.c
+ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5/plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h pkcs11.h \
+ pkinit.h pkinit_accessor.h pkinit_crypto.h pkinit_identity.c \
+ pkinit_trace.h
pkinit_matching.so pkinit_matching.po $(OUTPRE)pkinit_matching.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \
- pkinit_matching.c
+ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5/plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h pkcs11.h \
+ pkinit.h pkinit_accessor.h pkinit_crypto.h pkinit_matching.c \
+ pkinit_trace.h
pkinit_crypto_openssl.so pkinit_crypto_openssl.po $(OUTPRE)pkinit_crypto_openssl.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \
- pkinit_crypto_openssl.c pkinit_crypto_openssl.h
+ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5/plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h pkcs11.h \
+ pkinit.h pkinit_accessor.h pkinit_crypto.h pkinit_crypto_openssl.c \
+ pkinit_crypto_openssl.h pkinit_trace.h
Modified: trunk/src/plugins/preauth/pkinit/pkinit.h
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit.h 2012-05-08 03:04:15 UTC (rev 25854)
+++ trunk/src/plugins/preauth/pkinit/pkinit.h 2012-05-08 03:04:22 UTC (rev 25855)
@@ -38,6 +38,7 @@
#include <autoconf.h>
#include <profile.h>
#include "pkinit_accessor.h"
+#include "pkinit_trace.h"
/*
* It is anticipated that all the special checks currently
Modified: trunk/src/plugins/preauth/pkinit/pkinit_clnt.c
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_clnt.c 2012-05-08 03:04:15 UTC (rev 25854)
+++ trunk/src/plugins/preauth/pkinit/pkinit_clnt.c 2012-05-08 03:04:22 UTC (rev 25855)
@@ -138,6 +138,7 @@
der_req, &cksum);
if (retval)
goto cleanup;
+ TRACE_PKINIT_CLIENT_REQ_CHECKSUM(context, &cksum);
#ifdef DEBUG_CKSUM
pkiDebug("calculating checksum on buf size (%d)\n", der_req->length);
print_buffer(der_req->data, der_req->length);
@@ -293,6 +294,7 @@
switch(protocol) {
case DH_PROTOCOL:
+ TRACE_PKINIT_CLIENT_REQ_DH(context);
pkiDebug("as_req: DH key transport algorithm\n");
retval = pkinit_copy_krb5_data(&info->algorithm.algorithm, &dh_oid);
if (retval) {
@@ -314,6 +316,7 @@
}
break;
case RSA_PROTOCOL:
+ TRACE_PKINIT_CLIENT_REQ_RSA(context);
pkiDebug("as_req: RSA key transport algorithm\n");
switch((int)reqctx->pa_type) {
case KRB5_PADATA_PK_AS_REQ_OLD:
@@ -517,8 +520,8 @@
int *need_eku_checking)
{
krb5_error_code retval;
- char **certhosts = NULL, **cfghosts = NULL;
- krb5_principal *princs = NULL;
+ char **certhosts = NULL, **cfghosts = NULL, **hostptr;
+ krb5_principal *princs = NULL, *princptr;
unsigned char ***get_dns;
int i, j;
@@ -536,6 +539,8 @@
} else {
pkiDebug("%s: pkinit_kdc_hostname values found in config file\n",
__FUNCTION__);
+ for (hostptr = cfghosts; *hostptr != NULL; hostptr++)
+ TRACE_PKINIT_CLIENT_SAN_CONFIG_DNSNAME(context, *hostptr);
get_dns = (unsigned char ***)&certhosts;
}
@@ -544,9 +549,16 @@
&princs, NULL, get_dns);
if (retval) {
pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__);
+ TRACE_PKINIT_CLIENT_SAN_ERR(context);
retval = KRB5KDC_ERR_KDC_NAME_MISMATCH;
goto out;
}
+ for (princptr = princs; *princptr != NULL; princptr++)
+ TRACE_PKINIT_CLIENT_SAN_KDCCERT_PRINC(context, *princptr);
+ if (certhosts != NULL) {
+ for (hostptr = certhosts; *hostptr != NULL; hostptr++)
+ TRACE_PKINIT_CLIENT_SAN_KDCCERT_DNSNAME(context, *hostptr);
+ }
#if 0
retval = call_san_checking_plugins(context, plgctx, reqctx, idctx,
princs, hosts, &plugin_decision,
@@ -569,6 +581,7 @@
pkiDebug("%s: Checking pkinit sans\n", __FUNCTION__);
for (i = 0; princs != NULL && princs[i] != NULL; i++) {
if (krb5_principal_compare(context, princs[i], kdcprinc)) {
+ TRACE_PKINIT_CLIENT_SAN_MATCH_PRINC(context, kdcprinc);
pkiDebug("%s: pkinit san match found\n", __FUNCTION__);
*valid_san = 1;
*need_eku_checking = 0;
@@ -590,6 +603,7 @@
pkiDebug("%s: comparing cert name '%s' with config name '%s'\n",
__FUNCTION__, certhosts[i], cfghosts[j]);
if (strcmp(certhosts[i], cfghosts[j]) == 0) {
+ TRACE_PKINIT_CLIENT_SAN_MATCH_DNSNAME(context, certhosts[i]);
pkiDebug("%s: we have a dnsName match\n", __FUNCTION__);
*valid_san = 1;
retval = 0;
@@ -597,6 +611,7 @@
}
}
}
+ TRACE_PKINIT_CLIENT_SAN_MATCH_NONE(context);
pkiDebug("%s: no dnsName san match found\n", __FUNCTION__);
/* We found no match */
@@ -632,6 +647,7 @@
*eku_accepted = 0;
if (reqctx->opts->require_eku == 0) {
+ TRACE_PKINIT_CLIENT_EKU_SKIP(context);
pkiDebug("%s: configuration requests no EKU checking\n", __FUNCTION__);
*eku_accepted = 1;
retval = 0;
@@ -649,6 +665,10 @@
}
out:
+ if (eku_accepted)
+ TRACE_PKINIT_CLIENT_EKU_ACCEPT(context);
+ else
+ TRACE_PKINIT_CLIENT_EKU_REJECT(context);
pkiDebug("%s: returning retval %d, eku_accepted %d\n",
__FUNCTION__, retval, *eku_accepted);
return retval;
@@ -715,9 +735,10 @@
&dh_data.length,
NULL, NULL, NULL)) != 0) {
pkiDebug("failed to verify pkcs7 signed data\n");
+ TRACE_PKINIT_CLIENT_REP_DH_FAIL(context);
goto cleanup;
}
-
+ TRACE_PKINIT_CLIENT_REP_DH(context);
break;
case choice_pa_pk_as_rep_encKeyPack:
pkiDebug("as_rep: RSA key transport algorithm\n");
@@ -730,8 +751,10 @@
(unsigned char **)&dh_data.data,
&dh_data.length)) != 0) {
pkiDebug("failed to verify pkcs7 enveloped data\n");
+ TRACE_PKINIT_CLIENT_REP_RSA_FAIL(context);
goto cleanup;
}
+ TRACE_PKINIT_CLIENT_REP_RSA(context);
break;
default:
pkiDebug("unknown as_rep type %d\n", kdc_reply->choice);
@@ -813,6 +836,8 @@
error_message(retval));
goto cleanup;
}
+ TRACE_PKINIT_CLIENT_KDF_ALG(context, kdc_reply->u.dh_Info.kdfID,
+ key_block);
/* ...otherwise, use the older octetstring2key function. */
} else {
@@ -824,6 +849,7 @@
error_message(retval));
goto cleanup;
}
+ TRACE_PKINIT_CLIENT_KDF_OS2K(context, key_block);
}
break;
@@ -884,6 +910,8 @@
if ((cksum.length != key_pack->asChecksum.length) ||
memcmp(cksum.contents, key_pack->asChecksum.contents,
cksum.length)) {
+ TRACE_PKINIT_CLIENT_REP_CHECKSUM_FAIL(context, &cksum,
+ &key_pack->asChecksum);
pkiDebug("failed to match the checksums\n");
#ifdef DEBUG_CKSUM
pkiDebug("calculating checksum on buf size (%d)\n",
@@ -907,6 +935,7 @@
krb5_copy_keyblock_contents(context, &key_pack->replyKey,
key_block);
+ TRACE_PKINIT_CLIENT_REP_RSA_KEY(context, key_block, &cksum);
break;
default:
@@ -1076,6 +1105,7 @@
reqctx->cryptoctx, reqctx->idopts,
reqctx->idctx, 1, request->client);
if (retval) {
+ TRACE_PKINIT_CLIENT_NO_IDENTITY(context);
pkiDebug("pkinit_identity_initialize returned %d (%s)\n",
retval, error_message(retval));
return retval;
@@ -1166,6 +1196,7 @@
}
if (do_again) {
+ TRACE_PKINIT_CLIENT_TRYAGAIN(context);
retval = pa_pkinit_gen_req(context, plgctx, reqctx, request, pa_type,
out_padata, prompter, prompter_data,
gic_opt);
Added: trunk/src/plugins/preauth/pkinit/pkinit_trace.h
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_trace.h (rev 0)
+++ trunk/src/plugins/preauth/pkinit/pkinit_trace.h 2012-05-08 03:04:22 UTC (rev 25855)
@@ -0,0 +1,90 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* plugins/preauth/pkinit/pkinit_trace.h - PKINIT tracing macros */
+/*
+ * Copyright (C) 2012 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef PKINIT_TRACE_H
+#define PKINIT_TRACE_H
+
+#include "k5-trace.h"
+
+#define TRACE_PKINIT_CLIENT_EKU_ACCEPT(c) \
+ TRACE(c, "PKINIT client found acceptable EKU in KDC cert")
+#define TRACE_PKINIT_CLIENT_EKU_REJECT(c) \
+ TRACE(c, "PKINIT client found no acceptable EKU in KDC cert")
+#define TRACE_PKINIT_CLIENT_EKU_SKIP(c) \
+ TRACE(c, "PKINIT client skipping EKU check due to configuration")
+#define TRACE_PKINIT_CLIENT_KDF_ALG(c, kdf, keyblock) \
+ TRACE(c, "PKINIT client used KDF {hexdata} to compute reply key " \
+ "{keyblock}", kdf, keyblock)
+#define TRACE_PKINIT_CLIENT_KDF_OS2K(c, keyblock) \
+ TRACE(c, "PKINIT client used octetstring2key to compute reply key " \
+ "{keyblock}", keyblock)
+#define TRACE_PKINIT_CLIENT_NO_IDENTITY(c) \
+ TRACE(c, "PKINIT client has no configured identity; giving up")
+#define TRACE_PKINIT_CLIENT_REP_CHECKSUM_FAIL(c, expected, received) \
+ TRACE(c, "PKINIT client checksum mismatch: expected {cksum}, " \
+ "received {cksum}", expected, received)
+#define TRACE_PKINIT_CLIENT_REP_DH(c) \
+ TRACE(c, "PKINIT client verified DH reply")
+#define TRACE_PKINIT_CLIENT_REP_DH_FAIL(c) \
+ TRACE(c, "PKINIT client could not verify DH reply")
+#define TRACE_PKINIT_CLIENT_REP_RSA(c) \
+ TRACE(c, "PKINIT client verified RSA reply")
+#define TRACE_PKINIT_CLIENT_REP_RSA_KEY(c, keyblock, cksum) \
+ TRACE(c, "PKINIT client retrieved reply key {keyblock} from RSA " \
+ "reply (checksum {cksum})", keyblock, cksum)
+#define TRACE_PKINIT_CLIENT_REP_RSA_FAIL(c) \
+ TRACE(c, "PKINIT client could not verify RSA reply")
+#define TRACE_PKINIT_CLIENT_REQ_CHECKSUM(c, cksum) \
+ TRACE(c, "PKINIT client computed kdc-req-body checksum {cksum}", cksum)
+#define TRACE_PKINIT_CLIENT_REQ_DH(c) \
+ TRACE(c, "PKINIT client making DH request")
+#define TRACE_PKINIT_CLIENT_REQ_RSA(c) \
+ TRACE(c, "PKINIT client making RSA request")
+#define TRACE_PKINIT_CLIENT_SAN_CONFIG_DNSNAME(c, host) \
+ TRACE(c, "PKINIT client config accepts KDC dNSName SAN {string}", host)
+#define TRACE_PKINIT_CLIENT_SAN_MATCH_DNSNAME(c, host) \
+ TRACE(c, "PKINIT client matched KDC hostname {string} against " \
+ "dNSName SAN; EKU check still required", host)
+#define TRACE_PKINIT_CLIENT_SAN_MATCH_NONE(c) \
+ TRACE(c, "PKINIT client found no acceptable SAN in KDC cert")
+#define TRACE_PKINIT_CLIENT_SAN_MATCH_PRINC(c, princ) \
+ TRACE(c, "PKINIT client matched KDC principal {princ} against " \
+ "id-pkinit-san; no EKU check required", princ)
+#define TRACE_PKINIT_CLIENT_SAN_ERR(c) \
+ TRACE(c, "PKINIT client failed to decode SANs in KDC cert")
+#define TRACE_PKINIT_CLIENT_SAN_KDCCERT_DNSNAME(c, host) \
+ TRACE(c, "PKINIT client found dNSName SAN in KDC cert: {string}", host)
+#define TRACE_PKINIT_CLIENT_SAN_KDCCERT_PRINC(c, princ) \
+ TRACE(c, "PKINIT client found id-pkinit-san in KDC cert: {princ}", princ)
+#define TRACE_PKINIT_CLIENT_TRYAGAIN(c) \
+ TRACE(c, "PKINIT client trying again with KDC-provided parameters")
+#endif /* PKINIT_TRACE_H */
More information about the cvs-krb5
mailing list