From 1185b03b275a093a6dda84fc7d8cf3b983c9a07f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Wed, 7 Jul 2021 20:06:48 +0200 Subject: [PATCH] krb5_wrap: Add TRACE SUPPORT for keys operations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The trace looks like below. Useful is the last filed - hex dump of the data - allows to search for all manipulations. KEYTAB_TRACE sync_pw2keytabs_process_keytab:622 add ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM 14 17 C66D244CB26005C7D6FF9FC00FCBBE4A BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750 Signed-off-by: Pavel Filipenský Reviewed-by: Stefan Metzmacher --- lib/krb5_wrap/krb5_samba.h | 111 +++++++++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h index 6c04cb00f62..d7ab06c951f 100644 --- a/lib/krb5_wrap/krb5_samba.h +++ b/lib/krb5_wrap/krb5_samba.h @@ -25,6 +25,8 @@ #include "lib/util/data_blob.h" #include "libcli/util/ntstatus.h" +#include "lib/util/talloc_stack.h" +#include "lib/util/debug.h" #ifdef HAVE_KRB5 
@@ -189,6 +191,115 @@ krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
 krb5_const_principal principal,
 char **unix_name);
 
+static inline void samba_trace_keytab_entry(krb5_context context,
+ krb5_keytab_entry kt_entry,
+ const char *func,
+ int line,
+ const char *op)
+{
+ char *princ_s = NULL;
+#define MAX_KEYLEN 64
+ char tmp[2 * MAX_KEYLEN + 1] = { 0, };
+ krb5_enctype enctype = 0;
+ krb5_keyblock *key = NULL;
+ TALLOC_CTX *frame = talloc_stackframe();
+ krb5_error_code code;
+ const uint8_t *ptr = NULL;
+ unsigned len;
+ int i;
+
+ code = smb_krb5_unparse_name(frame,
+ context,
+ kt_entry.principal,
+ &princ_s);
+ if (code != 0) {
+ goto out;
+ }
+ enctype = KRB5_KEY_TYPE(KRB5_KT_KEY(&kt_entry));
+ key = KRB5_KT_KEY(&kt_entry);
+#ifdef DEBUG_PASSWORD
+ ptr = (const uint8_t *) KRB5_KEY_DATA(key);
+ len = KRB5_KEY_LENGTH(key);
+
+ for (i = 0; i < len && i < MAX_KEYLEN; i++) {
+ snprintf(&tmp[2 * i], 3, "%02X", ptr[i]);
+ }
+#else
+ tmp[0] = 0;
+#endif
+ DEBUG(10,("KEYTAB_TRACE %36s:%-4d %3s %78s %3d %2d %s\n",
+ func,
+ line,
+ op,
+ princ_s,
+ kt_entry.vno,
+ enctype,
+ tmp));
+out:
+ TALLOC_FREE(frame);
+}
+
+#if defined(__GNUC__) && defined(DEVELOPER)
+/* http://gcc.gnu.org/onlinedocs/gcc/Statement-Exprs.html */
+
+#define samba_krb5_kt_add_entry(context, id, entry) \
+ ({ \
+ krb5_error_code _code; \
+ _code = krb5_kt_add_entry((context), (id), (entry)); \
+ if (CHECK_DEBUGLVL(10)) { \
+ samba_trace_keytab_entry((context), \
+ *(entry), \
+ __func__, \
+ __LINE__, \
+ _code == 0 ? "add" \
+ : "add FAILED"); \
+ } \
+ _code; \
+ })
+
+#define samba_krb5_kt_remove_entry(context, id, entry) \
+ ({ \
+ krb5_error_code _code; \
+ _code = krb5_kt_remove_entry((context), (id), (entry)); \
+ if (CHECK_DEBUGLVL(10)) { \
+ samba_trace_keytab_entry((context), \
+ *(entry), \
+ __func__, \
+ __LINE__, \
+ _code == 0 ? "rem" \
+ : "rem FAILED"); \
+ } \
+ _code; \
+ })
+
+#define samba_krb5_kt_next_entry(context, id, entry, cursor) \
+ ({ \
+ krb5_error_code _code; \
+ _code = krb5_kt_next_entry((context), \
+ (id), \
+ (entry), \
+ (cursor)); \
+ if (_code == 0 && CHECK_DEBUGLVL(10)) { \
+ samba_trace_keytab_entry((context), \
+ *(entry), \
+ __func__, \
+ __LINE__, \
+ "nxt"); \
+ } \
+ _code; \
+ })
+
+#else
+
+#define samba_krb5_kt_add_entry(context, id, entry) \
+ krb5_kt_add_entry((context), (id), (entry))
+#define samba_krb5_kt_remove_entry(context, id, entry) \
+ krb5_kt_remove_entry((context), (id), (entry))
+#define samba_krb5_kt_next_entry(context, id, entry, cursor) \
+ krb5_kt_next_entry((context), (id), (entry), (cursor))
+
+#endif
+
 krb5_error_code smb_krb5_init_context_common(krb5_context *_krb5_context);
 
 /*
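Review bot: `#define MAX_KEYLEN 64` is placed inside the body of `samba_trace_keytab_entry` in a shared header and is never `#undef`'d, so the name escapes the function into every translation unit that includes krb5_samba.h; a block-scoped `enum { MAX_KEYLEN = 64 };` in its place keeps the constant local, and declaring the index as `unsigned i;` removes the signed/unsigned comparison against `len` in `i < len && i < MAX_KEYLEN`. The `#ifdef DEBUG_PASSWORD` branch is the only place that copies raw key bytes from `KRB5_KEY_DATA(key)` into the log line, and nothing in the function says so; I would put a comment above the function such as `/* With DEBUG_PASSWORD this logs the raw keytab key in hex at debug level 10; never enable that in a production build. */`. The hex copy in `tmp` is also left on the stack after the `DEBUG()` call, and clearing it before `out:` would shorten how long the key material lingers, though since the keytab entry itself holds the key this is minor hardening rather than a leak. This hunk appears to land inside the `#ifdef HAVE_KRB5` region that the first hunk opens, so the enclosing preprocessor block starts outside it.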