gss_display_status() bug dealing with minor/mech specific error codes?
Will Fiveash
will.fiveash at oracle.com
Tue Apr 23 18:51:43 EDT 2013
I think there is a bug in MIT's gss_display_status() when dealing with
mech specific minor codes. Here is my test program:
#include <gssapi/gssapi.h>
#include <stdlib.h>
#include <stdio.h>
#include <krb5.h>
#include <com_err.h>
static gss_OID_desc krb_mech_OID = {9, "\052\206\110\206\367\022\001\002\002"};
int
main (int argc, char *argv[])
{
OM_uint32 minor_return_status;
OM_uint32 min_status = KRB5_FCC_PERM; /* this is the minor krb mech error */
OM_uint32 more = 0;
OM_uint32 rc;
gss_buffer_desc status_string;
do {
rc = gss_display_status(&minor_return_status, min_status, GSS_C_MECH_CODE,
&krb_mech_OID, &more, &status_string);
if (status_string.length > 0) {
printf("Minor status (krb mech): %s\n", status_string.value);
} else {
krb5_context kcontext;
printf("Warning: gss_display_status() returned error 0x%x for "
"the minor status arg 0x%x.\n", rc, min_status);
(void) gss_display_status(&minor_return_status, rc, GSS_C_GSS_CODE,
GSS_C_NULL_OID, &more, &status_string);
if (status_string.length > 0) {
printf("Here is the error message from gss_display_status(): %s\n",
status_string.value);
}
krb5_init_context(&kcontext);
printf("\nNow trying minor status code (converted to signed long) %ld with "
"libkrb5 error_message():\n\"%s\"\n", min_status,
error_message(min_status));
}
gss_release_buffer(&minor_return_status, &status_string);
} while (more != 0);
}
Here is the output when compiled using MIT libs:
Warning: gss_display_status() returned error 0x50000 for the minor status arg 0x96c73ac2.
Here is the error message from gss_display_status(): An invalid status code was supplied
Now trying minor status code (converted to signed long) -1765328190 with libkrb5 error_message():
"Credentials cache permissions incorrect"
========================================================================================
I would expect that gss_display_status() would return the same error
string as returned by libkrb5:error_message().
Here is the truss output I took of the test program:
/1 at 1: -> libgssapi_krb5:gss_display_status(0xfeffe260, 0x96c73ac2, 0x2, 0x8060f68)
/1 at 1: -> libgssapi_krb5:gssint_mecherrmap_get(0x96c73ac2, 0xfeffe210, 0xfeffe208, 0xfe6873bd)
/1 at 1: -> libgssapi_krb5:k5_mutex_lock(0xfe6c82a4, 0xfe7ba864, 0xfe7eb018, 0xfe682c21)
/1 at 1: <- libgssapi_krb5:k5_mutex_lock() = 0
/1 at 1: -> libgssapi_krb5:mecherrmap_findleft(0xfe6c8ef4, 0x96c73ac2, 0xfe7eb018, 0xfe682c21)
/1 at 1: -> libgssapi_krb5:mecherrmap_size(0xfe6c8ef4, 0xfe7eb018, 0xfeffe1b8, 0xfe682be0)
/1 at 1: -> libgssapi_krb5:mecherrmap__pairarray_size(0xfe6c8ef4, 0xfe6c79a0, 0xfeffe198, 0xfe5897ce)
/1 at 1: <- libgssapi_krb5:mecherrmap__pairarray_size() = 0
/1 at 1: <- libgssapi_krb5:mecherrmap_size() = 0
/1 at 1: <- libgssapi_krb5:mecherrmap_findleft() = 0
/1 at 1: <- libgssapi_krb5:gssint_mecherrmap_get() = 22
/1 at 1: -> libgssapi_krb5:gssint_mecherrmap_map_errcode(0x16, 0xfeffe210, 0xfeffe208, 0xfe6873bd)
/1 at 1: -> libgssapi_krb5:gssint_mecherrmap_map(0x16, 0xfe6c8eec, 0x0, 0xfe682bf4)
/1 at 1: -> libgssapi_krb5:k5_mutex_lock(0xfe6c82a4, 0x8, 0xfe678c81, 0xfe68256f)
/1 at 1: <- libgssapi_krb5:k5_mutex_lock() = 0
/1 at 1: -> libgssapi_krb5:mecherrmap_findright(0xfe6c8ef4, 0x0, 0x0, 0x16)
/1 at 1: -> libgssapi_krb5:mecherrmap_size(0xfe6c8ef4, 0x7, 0xfeffe168, 0xfe682be0)
/1 at 1: -> libgssapi_krb5:mecherrmap__pairarray_size(0xfe6c8ef4, 0xfe6c79a0, 0xfeffe148, 0xfe5897ce)
/1 at 1: <- libgssapi_krb5:mecherrmap__pairarray_size() = 0
/1 at 1: <- libgssapi_krb5:mecherrmap_size() = 0
/1 at 1: <- libgssapi_krb5:mecherrmap_findright() = 0
/1 at 1: -> libgssapi_krb5:mecherrmap_findleft(0xfe6c8ef4, 0x16, 0x0, 0x16)
/1 at 1: -> libgssapi_krb5:mecherrmap_size(0xfe6c8ef4, 0x7, 0xfeffe168, 0xfe682be0)
/1 at 1: -> libgssapi_krb5:mecherrmap__pairarray_size(0xfe6c8ef4, 0xfe6c79a0, 0xfeffe148, 0xfe5897ce)
/1 at 1: <- libgssapi_krb5:mecherrmap__pairarray_size() = 0
/1 at 1: <- libgssapi_krb5:mecherrmap_size() = 0
/1 at 1: <- libgssapi_krb5:mecherrmap_findleft() = 0
/1 at 1: -> libgssapi_krb5:mecherror_copy(0xfeffe190, 0x0, 0x0, 0x16)
/1 at 1: <- libgssapi_krb5:mecherror_copy() = 0
/1 at 1: -> libgssapi_krb5:mecherrmap_add(0xfe6c8ef4, 0x16, 0x0, 0x0)
/1 at 1: -> libgssapi_krb5:mecherrmap__pairarray_grow(0xfe6c8ef4, 0x1, 0xfeffe138, 0xfe6826e9)
/1 at 1: -> libgssapi_krb5:mecherrmap__pairarray_max_size(0xfe6c8ef4, 0xfe7f8910, 0xfeffe1c0, 0xfe6828a2)
/1 at 1: <- libgssapi_krb5:mecherrmap__pairarray_max_size() = 0xfffffff
/1 at 1: <- libgssapi_krb5:mecherrmap__pairarray_grow() = 0
/1 at 1: -> libgssapi_krb5:mecherrmap__pairarray_set(0xfe6c8ef4, 0x0, 0x16, 0x0)
/1 at 1: -> libgssapi_krb5:mecherrmap__pairarray_getaddr(0xfe6c8ef4, 0x0, 0x10, 0xfe6828a2)
/1 at 1: <- libgssapi_krb5:mecherrmap__pairarray_getaddr() = 0x8060f80
/1 at 1: <- libgssapi_krb5:mecherrmap__pairarray_set() = 22
/1 at 1: <- libgssapi_krb5:mecherrmap_add() = 0
/1 at 1: <- libgssapi_krb5:gssint_mecherrmap_map() = 22
/1 at 1: <- libgssapi_krb5:gssint_mecherrmap_map_errcode() = 22
/1 at 1: <- libgssapi_krb5:gss_display_status() = 0x50000
gssint_mecherrmap_get() is passing the global variable m, defined in
src/lib/gssapi/generic/util_errmap.c, to mecherrmap_findleft() but I
don't believe it has been initialized. AFAICT, m is initialized by
gssint_mecherrmap_init() yet I don't see that call in the truss output.
Thoughts?
--
Will Fiveash
Oracle Solaris Software Engineer
More information about the krbdev
mailing list