From 20b7ce48d8249e39eae58859bacd4d715b4623dd Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sun, 10 Aug 2014 11:45:49 -0400 Subject: Add more custom error message This should make error reporting a little bit better. --- src/external.c | 8 ++--- src/gss_auth.c | 20 +++++-------- src/gss_creds.c | 20 +++++++------ src/gss_err.c | 30 +++++++++++++++++-- src/gss_names.c | 26 ++++++++-------- src/gss_sec_ctx.c | 86 ++++++++++++++++++++++++++--------------------------- src/gss_serialize.c | 30 +++++++++---------- src/gss_signseal.c | 26 ++++++++-------- src/ntlm_common.h | 26 ++++++++++++++++ src/winbind.c | 14 ++++----- 10 files changed, 168 insertions(+), 118 deletions(-) (limited to 'src') diff --git a/src/external.c b/src/external.c index da32570..c7c2b5d 100644 --- a/src/external.c +++ b/src/external.c @@ -13,7 +13,7 @@ uint32_t external_netbios_get_names(char **computer, char **domain) #if HAVE_WBCLIENT return winbind_get_names(computer, domain); #else - return ENOSYS; + return ERR_NOTAVAIL; #endif } @@ -23,7 +23,7 @@ uint32_t external_get_creds(struct gssntlm_name *name, #if HAVE_WBCLIENT return winbind_get_creds(name, cred); #else - return ENOSYS; + return ERR_NOTAVAIL; #endif } @@ -40,7 +40,7 @@ uint32_t external_cli_auth(struct gssntlm_ctx *ctx, &ctx->nego_msg, &ctx->chal_msg, &ctx->auth_msg, &ctx->exported_session_key); #else - return ENOSYS; + return ERR_NOTAVAIL; #endif } @@ -75,6 +75,6 @@ uint32_t external_srv_auth(struct gssntlm_ctx *ctx, ctx->workstation, chal_ptr, nt_chal_resp, lm_chal_resp, session_base_key); #else - return ENOSYS; + return ERR_NOTAVAIL; #endif } diff --git a/src/gss_auth.c b/src/gss_auth.c index fd1139c..8eae17c 100644 --- a/src/gss_auth.c +++ b/src/gss_auth.c @@ -53,7 +53,7 @@ uint32_t gssntlm_cli_auth(uint32_t *minor_status, if (target_info->length == 0 && input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) { - set_GSSERRS(0, GSS_S_BAD_BINDINGS); + set_GSSERRS(ERR_NOBINDINGS, GSS_S_BAD_BINDINGS); goto done; } 
@@ -67,7 +67,7 @@ uint32_t gssntlm_cli_auth(uint32_t *minor_status, input_chan_bindings->acceptor_addrtype != 0 || input_chan_bindings->acceptor_address.length != 0 || input_chan_bindings->application_data.length == 0) { - set_GSSERRS(EINVAL, GSS_S_BAD_BINDINGS); + set_GSSERRS(ERR_BADARG, GSS_S_BAD_BINDINGS); goto done; } cb.length = input_chan_bindings->application_data.length; @@ -88,11 +88,7 @@ uint32_t gssntlm_cli_auth(uint32_t *minor_status, &cb, &client_target_info, &srv_time, add_mic_ptr); if (retmin) { - if (retmin == ERR_DECODE) { - set_GSSERRS(0, GSS_S_DEFECTIVE_TOKEN); - } else { - set_GSSERR(0); - } + set_GSSERR(retmin); goto done; } @@ -100,7 +96,7 @@ uint32_t gssntlm_cli_auth(uint32_t *minor_status, long int tdiff; tdiff = ntlm_timestamp_now() - srv_time; if ((tdiff / 10000000) > MAX_CHALRESP_LIFETIME) { - set_GSSERRS(EINVAL, GSS_S_CONTEXT_EXPIRED); + set_GSSERRS(ERR_TIMESKEW, GSS_S_CONTEXT_EXPIRED); goto done; } } @@ -291,7 +287,7 @@ uint32_t gssntlm_cli_auth(uint32_t *minor_status, break; default: - set_GSSERR(EINVAL); + set_GSSERR(ERR_NOUSRCRED); } done: @@ -326,13 +322,13 @@ uint32_t gssntlm_srv_auth(uint32_t *minor_status, int retries; if (key_exchange_key->length != 16) { - return GSSERRS(EINVAL, GSS_S_FAILURE); + return GSSERRS(ERR_KEYLEN, GSS_S_FAILURE); } ntlm_v1 = is_ntlm_v1(nt_chal_resp); if (ntlm_v1 && !gssntlm_sec_lm_ok(ctx) && !gssntlm_sec_ntlm_ok(ctx)) { - return GSSERRS(EPERM, GSS_S_FAILURE); + return GSSERRS(ERR_NONTLMV1, GSS_S_FAILURE); } ext_sec = (ctx->neg_flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY); @@ -427,7 +423,7 @@ uint32_t gssntlm_srv_auth(uint32_t *minor_status, break; default: - set_GSSERR(EINVAL); + set_GSSERR(ERR_NOUSRCRED); goto done; } diff --git a/src/gss_creds.c b/src/gss_creds.c index 530de7b..b6ac11d 100644 --- a/src/gss_creds.c +++ b/src/gss_creds.c 
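Review bot: Replacing the ERR_DECODE branch with a bare `set_GSSERR(retmin)` changes the major status a caller sees for a malformed challenge: the old code returned GSS_S_DEFECTIVE_TOKEN, and if set_GSSERR defaults the major to GSS_S_FAILURE as its name suggests, that distinction is now lost even though the minor code is preserved. Callers that branch on GSS_S_DEFECTIVE_TOKEN to reject a peer rather than report a local failure will now see a generic error. Keeping the mapping while still passing the minor through, `if (retmin == ERR_DECODE) set_GSSERRS(retmin, GSS_S_DEFECTIVE_TOKEN); else set_GSSERR(retmin);`, preserves both. gssntlm_cli_auth starts and ends outside the hunk.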
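Review bot: The ERR_TIMESKEW check only rejects a server timestamp older than MAX_CHALRESP_LIFETIME; since tdiff is a signed long, a server time far in the future gives a negative quotient and passes. If the new message text "Server and client clocks are too far apart" describes the intended contract, the test should be symmetric, e.g. `if ((labs(tdiff) / 10000000) > MAX_CHALRESP_LIFETIME) {`; if only stale challenges are meant to be rejected, a comment saying so would keep the code and the error string from contradicting each other. The enclosing function continues outside the hunk.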
@@ -354,7 +354,7 @@ uint32_t gssntlm_acquire_cred_from(uint32_t *minor_status, cred_usage = GSS_C_INITIATE; break; default: - set_GSSERRS(EINVAL, GSS_S_CRED_UNAVAIL); + set_GSSERRS(ERR_BADCRED, GSS_S_CRED_UNAVAIL); goto done; } } @@ -362,7 +362,7 @@ uint32_t gssntlm_acquire_cred_from(uint32_t *minor_status, if (cred_usage == GSS_C_INITIATE) { if (name != NULL && name->type != GSSNTLM_NAME_USER) { - set_GSSERRS(EINVAL, GSS_S_CRED_UNAVAIL); + set_GSSERRS(ERR_NOUSRNAME, GSS_S_BAD_NAMETYPE); goto done; } @@ -375,20 +375,22 @@ uint32_t gssntlm_acquire_cred_from(uint32_t *minor_status, } } if (retmin) { - set_GSSERRS(retmin, GSS_S_CRED_UNAVAIL); + set_GSSERR(retmin); } } else if (cred_usage == GSS_C_ACCEPT) { if (name != NULL && name->type != GSSNTLM_NAME_SERVER) { - set_GSSERRS(EINVAL, GSS_S_CRED_UNAVAIL); + set_GSSERRS(ERR_NOSRVNAME, GSS_S_BAD_NAMETYPE); goto done; } retmin = get_server_creds(name, cred); if (retmin) { - set_GSSERRS(retmin, GSS_S_CRED_UNAVAIL); + set_GSSERR(retmin); } + } else if (cred_usage == GSS_C_BOTH) { + set_GSSERRS(ERR_NOTSUPPORTED, GSS_S_CRED_UNAVAIL); } else { - set_GSSERRS(EINVAL, GSS_S_CRED_UNAVAIL); + set_GSSERRS(ERR_BADARG, GSS_S_CRED_UNAVAIL); } set_GSSERRS(0, GSS_S_COMPLETE); @@ -480,14 +482,14 @@ uint32_t gssntlm_inquire_cred(uint32_t *minor_status, uint32_t maj, min; if (cred_handle == GSS_C_NO_CREDENTIAL) { - set_GSSERRS(0, GSS_S_NO_CRED); + set_GSSERRS(ERR_NOARG, GSS_S_NO_CRED); goto done; } cred = (struct gssntlm_cred *)cred_handle; if (cred->type == GSSNTLM_CRED_NONE) { - set_GSSERRS(0, GSS_S_NO_CRED); + set_GSSERRS(ERR_BADARG, GSS_S_NO_CRED); goto done; } @@ -592,7 +594,7 @@ uint32_t gssntlm_inquire_cred_by_mech(uint32_t *minor_status, if (acceptor_lifetime) *acceptor_lifetime = lifetime; break; default: - return GSSERRS(EINVAL, GSS_S_FAILURE); + return GSSERRS(ERR_BADARG, GSS_S_FAILURE); } if (cred_usage) *cred_usage = usage; diff --git a/src/gss_err.c b/src/gss_err.c index ad2fcec..cccc0e4 100644 --- a/src/gss_err.c 
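Review bot: Every failure recorded in this if/else chain is overwritten by the unconditional `set_GSSERRS(0, GSS_S_COMPLETE);` that follows it, including the new GSS_C_BOTH branch, assuming set_GSSERRS only stores retmin/retmaj as the `goto done` after every other use in this file suggests. A failed get_user_creds or get_server_creds (`set_GSSERR(retmin);` with no jump) therefore reports success to the caller together with a partially initialised credential. Each of the four error branches needs a `goto done;` after its set_GSSERR/set_GSSERRS call, or the success line must be guarded so it only runs when no error was recorded. gssntlm_acquire_cred_from starts and ends outside the hunk.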
+++ b/src/gss_err.c @@ -18,6 +18,32 @@ static const char *err_strs[] = { _("Failed to decode data"), /* ERR_DECODE */ _("Failed to encode data"), /* ERR_ENCODE */ _("Crypto routine failure"), /* ERR_CRYPTO */ + _("A required argument is missing"), /* ERR_NOARG */ + _("Invalid value in argument"), /* ERR_BADARG */ + _("Name is empty"), /* ERR_NONAME */ + _("Not a server name"), /* ERR_NOSRVNAME */ + _("Not a user name"), /* ERR_NOUSRNAME */ + _("Bad LM compatibility Level"), /* ERR_BADLMLEVEL */ + _("An impossible error occurred"), /* ERR_IMPOSSIBLE */ + _("Invalid or incomplete context"), /* ERR_BADCTX */ + _("Wrong context type"), /* ERR_WRONGCTX */ + _("Wrong message type"), /* ERR_WRONGMSG */ + _("A required Negotiate flag was no provided"), /* ERR_REQNEGFLAG */ + _("Failed to negotiate a common set of flags"), /* ERR_FAILNEGFLAGS */ + _("Invalid combinations of negotiate flags"), /* ERR_BADNEGFLAGS */ + _("Not a server credential type"), /* ERR_NOSRVCRED */ + _("Not a user redential type"), /* ERR_NOUSRCRED */ + _("Invalid or unknown credential"), /* ERR_BADCRED */ + _("Empty or missing token"), /* ERR_NOTOKEN */ + _("Feature not supported"), /* ERR_NOTSUPPORTED */ + _("Feature not available"), /* ERR_NOTAVAIL */ + _("Name is too long"), /* ERR_NAMETOOLONG */ + _("Required channel bingings are not available"), /* ERR_NOBINDINGS */ + _("Server and client clocks are too far apart"), /* ERR_TIMESKEW */ + _("Expired"), /* ERR_EXPIRED */ + _("Invalid key length"), /* ERR_KEYLEN */ + _("NTLM version 1 not allowed"), /* ERR_NONTLMV1 */ + _("User not found"), /* ERR_NOUSRFOUND */ }; #define UNKNOWN_ERROR err_strs[0] 
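Review bot: Three of the new user-facing strings in err_strs have typos that gssntlm_display_status will show verbatim: `_("A required Negotiate flag was not provided"), /* ERR_REQNEGFLAG */`, `_("Not a user credential type"), /* ERR_NOUSRCRED */` and `_("Required channel bindings are not available"), /* ERR_NOBINDINGS */`. The comment on the sixth new entry says ERR_BADLMLEVEL while the enum added in src/ntlm_common.h is ERR_BADLMLVL; these comments are the only thing tying the table to the enum order, so they should match exactly. A `/* keep in sync with enum ntlm_err_code in ntlm_common.h */` line above the table would help whoever adds the next code.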
@@ -36,11 +62,11 @@ uint32_t gssntlm_display_status(uint32_t *minor_status, int err; if (!status_string) { - return GSSERRS(EINVAL, GSS_S_CALL_INACCESSIBLE_READ); + return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_READ); } if (status_type != GSS_C_MECH_CODE) { - return GSSERRS(EINVAL, GSS_S_BAD_STATUS); + return GSSERRS(ERR_BADARG, GSS_S_BAD_STATUS); } *minor_status = 0; diff --git a/src/gss_names.c b/src/gss_names.c index 1c2f25e..09618a4 100644 --- a/src/gss_names.c +++ b/src/gss_names.c @@ -88,7 +88,7 @@ static uint32_t get_enterprise_name(uint32_t *minor_status, char *e; if (len > MAX_NAME_LEN) { - return GSSERRS(EINVAL, GSS_S_BAD_NAME); + return GSSERRS(ERR_NAMETOOLONG, GSS_S_BAD_NAME); } buf = alloca(len + 1); @@ -121,7 +121,7 @@ static uint32_t uid_to_name(uint32_t *minor_status, uid_t uid, char **name) pw = getpwuid(uid); if (pw) { - return GSSERRS(ENOENT, GSS_S_FAILURE); + return GSSERRS(ERR_NOUSRFOUND, GSS_S_FAILURE); } *name = strdup(pw->pw_name); if (!*name) { @@ -149,7 +149,7 @@ uint32_t gssntlm_import_name_by_mech(uint32_t *minor_status, /* TODO: check mech_type == gssntlm_oid */ if (mech_type == GSS_C_NO_OID) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_READ); + return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_READ); } name = calloc(1, sizeof(struct gssntlm_name)); @@ -245,7 +245,7 @@ uint32_t gssntlm_import_name_by_mech(uint32_t *minor_status, name->data.user.domain = NULL; if (input_name_buffer->length > 12) { - set_GSSERR(EINVAL); + set_GSSERR(ERR_BADARG); goto done; } memcpy(struid, input_name_buffer->value, input_name_buffer->length); @@ -253,7 +253,7 @@ uint32_t gssntlm_import_name_by_mech(uint32_t *minor_status, errno = 0; uid = strtol(struid, NULL, 10); if (errno) { - set_GSSERR(errno); + set_GSSERR(ERR_BADARG); goto done; } retmaj = uid_to_name(&retmin, uid, &name->data.user.name); 
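Review bot: The condition guarding the new ERR_NOUSRFOUND return in uid_to_name is inverted: `if (pw)` returns "User not found" precisely when getpwuid succeeded, and when it returns NULL the code falls through to `strdup(pw->pw_name)` and dereferences a null pointer. The test should be `if (!pw) {`. getpwuid also returns a pointer to static storage, so getpwuid_r with a caller-supplied buffer would be the thread-safe choice in a library. uid_to_name continues outside the hunk.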
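Review bot: strtol is called with a NULL endptr, so the only failure the new ERR_BADARG branch can catch is ERANGE; an empty or non-numeric buffer yields uid 0 with errno still 0 and is then passed to uid_to_name as if it were a valid user id. Checking the end pointer closes that gap: `char *end; uid = strtol(struid, &end, 10); if (errno || end == struid || *end != '\0') {`. This presumes struid is NUL-terminated after the memcpy in the previous hunk, which the visible lines do not show, so confirm that as well. gssntlm_import_name_by_mech continues outside the hunk.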
@@ -262,9 +262,9 @@ uint32_t gssntlm_import_name_by_mech(uint32_t *minor_status, set_GSSERRS(0, GSS_S_COMPLETE); } else if (gss_oid_equal(input_name_type, GSS_C_NT_EXPORT_NAME)) { /* TODO */ - set_GSSERRS(0, GSS_S_UNAVAILABLE); + set_GSSERRS(ERR_NOTSUPPORTED, GSS_S_BAD_NAMETYPE); } else { - set_GSSERRS(EINVAL, GSS_S_BAD_MECH); + set_GSSERRS(ERR_BADARG, GSS_S_BAD_NAMETYPE); } done: @@ -348,7 +348,7 @@ uint32_t gssntlm_duplicate_name(uint32_t *minor_status, uint32_t retmaj; if (input_name == GSS_C_NO_NAME || dest_name == NULL) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_READ); + return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_READ); } in = (struct gssntlm_name *)input_name; @@ -407,7 +407,7 @@ uint32_t gssntlm_release_name(uint32_t *minor_status, uint32_t retmin; if (!input_name) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_READ); + return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_READ); } gssntlm_int_release_name((struct gssntlm_name *)*input_name); @@ -428,7 +428,7 @@ uint32_t gssntlm_display_name(uint32_t *minor_status, int ret; if (input_name == GSS_C_NO_NAME || output_name_buffer == NULL) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_READ); + return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_READ); } in = (struct gssntlm_name *)input_name; @@ -436,7 +436,7 @@ uint32_t gssntlm_display_name(uint32_t *minor_status, switch (in->type) { case GSSNTLM_NAME_NULL: - return GSSERRS(0, GSS_S_BAD_NAME); + return GSSERRS(ERR_BADARG, GSS_S_BAD_NAME); case GSSNTLM_NAME_ANON: out->value = strdup("NT AUTHORITY\\ANONYMOUS LOGON"); if (!out->value) { @@ -503,7 +503,7 @@ uint32_t gssntlm_localname(uint32_t *minor_status, in = (struct gssntlm_name *)name; if (in->type != GSSNTLM_NAME_USER) { - set_GSSERR(EINVAL); + set_GSSERRS(ERR_BADARG, GSS_S_BAD_NAME); goto done; } @@ -584,7 +584,7 @@ uint32_t netbios_get_names(char *computer_name, nb_domain_name ? NULL : &nb_domain_name); if ((ret != 0) && (ret != ENOENT) && - (ret != ENOSYS)) { + (ret != ERR_NOTAVAIL)) { goto done; } } 
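Review bot: The early-exit test in netbios_get_names still treats ENOENT as a benign result, but winbind_get_names in src/winbind.c now initialises ret to ERR_NOTAVAIL where it used ENOENT, so the ENOENT case may no longer be reachable through external_netbios_get_names. If no remaining path returns ENOENT, drop it from the condition, `if ((ret != 0) && (ret != ERR_NOTAVAIL)) {`; if one does, a comment naming it would keep the mixed errno/ERR_* comparison from reading as an oversight. The enclosing function continues outside the hunk.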
diff --git a/src/gss_sec_ctx.c b/src/gss_sec_ctx.c index f16d613..5995a43 100644 --- a/src/gss_sec_ctx.c +++ b/src/gss_sec_ctx.c @@ -68,17 +68,17 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status, if (target_name) { server = (struct gssntlm_name *)target_name; if (server->type != GSSNTLM_NAME_SERVER) { - return GSSERRS(0, GSS_S_BAD_NAMETYPE); + return GSSERRS(ERR_NOSRVNAME, GSS_S_BAD_NAMETYPE); } if (!server->data.server.name || !server->data.server.name[0]) { - return GSSERRS(0, GSS_S_BAD_NAME); + return GSSERRS(ERR_NONAME, GSS_S_BAD_NAME); } } if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) { if (req_flags & GSS_C_ANON_FLAG) { - set_GSSERRS(0, GSS_S_UNAVAILABLE); + set_GSSERRS(ERR_NOARG, GSS_S_UNAVAILABLE); goto done; } else { retmaj = gssntlm_acquire_cred(&retmin, @@ -92,7 +92,7 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status, cred = (struct gssntlm_cred *)claimant_cred_handle; if (cred->type != GSSNTLM_CRED_USER && cred->type != GSSNTLM_CRED_EXTERNAL) { - set_GSSERRS(EINVAL, GSS_S_CRED_UNAVAIL); + set_GSSERRS(ERR_NOARG, GSS_S_CRED_UNAVAIL); goto done; } } @@ -195,7 +195,7 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status, lm_compat_lvl = gssntlm_get_lm_compatibility_level(); ctx->sec_req = gssntlm_required_security(lm_compat_lvl, ctx); if (ctx->sec_req == 0xff) { - set_GSSERR(EINVAL); + set_GSSERR(ERR_BADLMLVL); goto done; } if (!gssntlm_sec_lm_ok(ctx)) { @@ -232,7 +232,7 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status, } else { if (input_token && input_token->length != 0) { - set_GSSERRS(EINVAL, GSS_S_DEFECTIVE_TOKEN); + set_GSSERRS(ERR_BADARG, GSS_S_DEFECTIVE_TOKEN); goto done; } @@ -263,13 +263,13 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status, if (ctx == NULL) { /* this should not happen */ - set_GSSERR(EFAULT); + set_GSSERR(ERR_IMPOSSIBLE); goto done; } else { if (!gssntlm_role_is_client(ctx)) { - set_GSSERRS(0, GSS_S_NO_CONTEXT); + set_GSSERRS(ERR_WRONGCTX, GSS_S_NO_CONTEXT); goto done; } 
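Review bot: ERR_NOARG ("A required argument is missing") is used for two conditions in gssntlm_init_sec_context that are not missing arguments: the GSS_C_ANON_FLAG branch, where the feature is unsupported, and the credential-type check, where a credential was supplied but is of the wrong kind. The table added in src/gss_err.c has closer matches, so `set_GSSERRS(ERR_NOTSUPPORTED, GSS_S_UNAVAILABLE);` and `set_GSSERRS(ERR_NOUSRCRED, GSS_S_CRED_UNAVAIL);` would give the caller an accurate message; the equivalent credential-type test in gssntlm_accept_sec_context already uses ERR_NOUSRCRED. The function starts and ends outside these hunks.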
@@ -289,7 +289,7 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status, if (msg_type != CHALLENGE_MESSAGE || ctx->stage != NTLMSSP_STAGE_NEGOTIATE) { - set_GSSERRS(0, GSS_S_NO_CONTEXT); + set_GSSERRS(ERR_WRONGMSG, GSS_S_NO_CONTEXT); goto done; } @@ -327,36 +327,36 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status, if ((ctx->neg_flags & NTLMSSP_NEGOTIATE_128) && (!(ctx->neg_flags & NTLMSSP_NEGOTIATE_56)) && (!(in_flags & NTLMSSP_NEGOTIATE_128))) { - set_GSSERR(0); + set_GSSERR(ERR_REQNEGFLAG); goto done; } if ((ctx->neg_flags & NTLMSSP_NEGOTIATE_SEAL) && (!(in_flags & NTLMSSP_NEGOTIATE_SEAL))) { - set_GSSERR(0); + set_GSSERR(ERR_REQNEGFLAG); goto done; } if ((ctx->neg_flags & NTLMSSP_NEGOTIATE_SIGN) && (!(in_flags & NTLMSSP_NEGOTIATE_SIGN))) { - set_GSSERR(0); + set_GSSERR(ERR_REQNEGFLAG); goto done; } if (!(in_flags & (NTLMSSP_NEGOTIATE_OEM | NTLMSSP_NEGOTIATE_UNICODE))) { /* no common understanding */ - set_GSSERR(0); + set_GSSERR(ERR_FAILNEGFLAGS); goto done; } if (ctx->gss_flags & GSS_C_DATAGRAM_FLAG) { if (!(in_flags & NTLMSSP_NEGOTIATE_DATAGRAM)) { /* no common understanding */ - set_GSSERR(0); + set_GSSERR(ERR_FAILNEGFLAGS); goto done; } if (!(in_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) { /* no common understanding */ - set_GSSERR(0); + set_GSSERR(ERR_FAILNEGFLAGS); goto done; } if ((in_flags & NTLMSSP_NEGOTIATE_OEM) && @@ -375,7 +375,7 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status, if (in_flags & (NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_TARGET_TYPE_SERVER | NTLMSSP_TARGET_TYPE_DOMAIN)) { - set_GSSERR(0); + set_GSSERR(ERR_BADNEGFLAGS); goto done; } else { in_flags &= ~NTLMSSP_NEGOTIATE_UNICODE; 
@@ -458,11 +458,11 @@ uint32_t gssntlm_delete_sec_context(uint32_t *minor_status, int ret; if (!context_handle) { - set_GSSERRS(0, GSS_S_CALL_INACCESSIBLE_READ); + set_GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_READ); goto done; } if (*context_handle == NULL) { - set_GSSERRS(0, GSS_S_NO_CONTEXT); + set_GSSERRS(ERR_NOARG, GSS_S_NO_CONTEXT); goto done; } @@ -503,14 +503,14 @@ uint32_t gssntlm_context_time(uint32_t *minor_status, uint32_t retmaj; if (context_handle == GSS_C_NO_CONTEXT) { - set_GSSERRS(0, GSS_S_CALL_INACCESSIBLE_READ); + set_GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_READ); goto done; } ctx = (struct gssntlm_ctx *)context_handle; retmaj = gssntlm_context_is_valid(ctx, &now); if (retmaj) { - set_GSSERRS(0, retmaj); + set_GSSERRS(ERR_BADCTX, retmaj); goto done; } @@ -565,10 +565,10 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, struct ntlm_buffer av_cb = { 0 }; if (context_handle == NULL) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_READ); + return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_READ); } if (output_token == GSS_C_NO_BUFFER) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_WRITE); + return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_WRITE); } if (src_name) *src_name = GSS_C_NO_NAME; @@ -580,11 +580,11 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, if (acceptor_cred_handle) { cred = (struct gssntlm_cred *)acceptor_cred_handle; if (cred->type != GSSNTLM_CRED_SERVER) { - set_GSSERRS(0, GSS_S_DEFECTIVE_CREDENTIAL); + set_GSSERRS(ERR_NOSRVCRED, GSS_S_DEFECTIVE_CREDENTIAL); goto done; } if (cred->cred.server.name.type != GSSNTLM_NAME_SERVER) { - set_GSSERRS(0, GSS_S_DEFECTIVE_CREDENTIAL); + set_GSSERRS(ERR_NOSRVNAME, GSS_S_DEFECTIVE_CREDENTIAL); goto done; } retmaj = gssntlm_duplicate_name(&retmin, 
@@ -645,7 +645,7 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, lm_compat_lvl = gssntlm_get_lm_compatibility_level(); ctx->sec_req = gssntlm_required_security(lm_compat_lvl, ctx); if (ctx->sec_req == 0xff) { - set_GSSERR(EINVAL); + set_GSSERR(ERR_BADLMLVL); goto done; } @@ -706,7 +706,7 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, ctx->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM; } else if (!(ctx->neg_flags & NTLMSSP_NEGOTIATE_OEM)) { /* no agreement */ - set_GSSERR(0); + set_GSSERR(ERR_FAILNEGFLAGS); goto done; } @@ -784,13 +784,13 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, ctx = (struct gssntlm_ctx *)(*context_handle); if (!gssntlm_role_is_server(ctx)) { - set_GSSERRS(EINVAL, GSS_S_NO_CONTEXT); + set_GSSERRS(ERR_WRONGCTX, GSS_S_NO_CONTEXT); goto done; } if ((input_token == GSS_C_NO_BUFFER) || (input_token->length == 0)) { - set_GSSERRS(EINVAL, GSS_S_DEFECTIVE_TOKEN); + set_GSSERRS(ERR_NOTOKEN, GSS_S_DEFECTIVE_TOKEN); goto done; } @@ -810,7 +810,7 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, if (msg_type != AUTHENTICATE_MESSAGE || ctx->stage != NTLMSSP_STAGE_CHALLENGE) { - set_GSSERRS(0, GSS_S_NO_CONTEXT); + set_GSSERRS(ERR_WRONGMSG, GSS_S_NO_CONTEXT); goto done; } @@ -837,7 +837,7 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, if ((ctx->neg_flags & NTLMSSP_NEGOTIATE_DATAGRAM) && !(ctx->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) { - set_GSSERRS(EINVAL, GSS_S_DEFECTIVE_TOKEN); + set_GSSERRS(ERR_BADNEGFLAGS, GSS_S_DEFECTIVE_TOKEN); goto done; } @@ -847,7 +847,7 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, (lm_chal_resp.length == 0))) { /* Anonymous auth */ /* FIXME: not supported for now */ - set_GSSERR(EINVAL); + set_GSSERR(ERR_NOTSUPPORTED); goto done; } else { 
@@ -867,7 +867,7 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, ulen = strlen(usr_name); dlen = strlen(dom_name); if (ulen + dlen + 2 > 1024) { - set_GSSERR(EINVAL); + set_GSSERR(ERR_NAMETOOLONG); goto done; } strncpy(useratdom, usr_name, ulen); @@ -898,7 +898,7 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, /* We can't handle winbind credentials yet */ if (usr_cred->type != GSSNTLM_CRED_USER && usr_cred->type != GSSNTLM_CRED_EXTERNAL) { - set_GSSERRS(EINVAL, GSS_S_CRED_UNAVAIL); + set_GSSERRS(ERR_NOUSRCRED, GSS_S_DEFECTIVE_CREDENTIAL); goto done; } @@ -946,7 +946,7 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, input_chan_bindings->acceptor_addrtype != 0 || input_chan_bindings->acceptor_address.length != 0 || input_chan_bindings->application_data.length == 0) { - set_GSSERRS(EINVAL, GSS_S_BAD_BINDINGS); + set_GSSERRS(ERR_BADARG, GSS_S_BAD_BINDINGS); goto done; } unhashed_cb.length = input_chan_bindings->application_data.length; @@ -1026,7 +1026,7 @@ uint32_t gssntlm_inquire_context(uint32_t *minor_status, ctx = (struct gssntlm_ctx *)context_handle; if (!ctx) { - return GSSERRS(0, GSS_S_NO_CONTEXT); + return GSSERRS(ERR_NOARG, GSS_S_NO_CONTEXT); } if (src_name) { @@ -1101,10 +1101,10 @@ uint32_t gssntlm_set_sec_context_option(uint32_t *minor_status, uint32_t retmaj; if (context_handle == NULL || *context_handle == NULL) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_READ); + return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_READ); } if (desired_object == GSS_C_NO_OID) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_READ); + return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_READ); } ctx = (struct gssntlm_ctx *)*context_handle; @@ -1114,7 +1114,7 @@ uint32_t gssntlm_set_sec_context_option(uint32_t *minor_status, if (ctx->gss_flags & GSS_C_DATAGRAM_FLAG) { if (value->length != 4) { - set_GSSERR(EINVAL); + set_GSSERR(ERR_BADARG); goto done; } 
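Review bot: The length guard in front of the strncpy compares against a literal 1024 rather than the size of useratdom; if useratdom is a local array, `if (ulen + dlen + 2 > sizeof(useratdom)) {` ties the check to the buffer so the two cannot drift apart, and if it is not, a named constant shared with its definition would. The declaration is not in the visible lines, so confirm which case applies. gssntlm_accept_sec_context continues outside the hunk.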
@@ -1124,12 +1124,12 @@ uint32_t gssntlm_set_sec_context_option(uint32_t *minor_status, set_GSSERRS(0, GSS_S_COMPLETE); goto done; } else { - set_GSSERRS(EACCES, GSS_S_UNAUTHORIZED); + set_GSSERRS(ERR_WRONGCTX, GSS_S_FAILURE); goto done; } } - set_GSSERRS(EINVAL, GSS_S_UNAVAILABLE); + set_GSSERRS(ERR_BADARG, GSS_S_UNAVAILABLE); done: return GSSERR(); @@ -1151,13 +1151,13 @@ uint32_t gssntlm_inquire_sec_context_by_oid(uint32_t *minor_status, uint8_t mic_set; if (context_handle == NULL) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_READ); + return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_READ); } if (desired_object == GSS_C_NO_OID) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_READ); + return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_READ); } if (!data_set) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_WRITE); + return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_WRITE); } ctx = (struct gssntlm_ctx *)context_handle; diff --git a/src/gss_serialize.c b/src/gss_serialize.c index 5ea47fe..bd2ee27 100644 --- a/src/gss_serialize.c +++ b/src/gss_serialize.c @@ -253,18 +253,18 @@ uint32_t gssntlm_export_sec_context(uint32_t *minor_status, int ret; if (context_handle == NULL) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_READ); + return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_READ); } if (interprocess_token == NULL) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_WRITE); + return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_WRITE); } ctx = (struct gssntlm_ctx *)*context_handle; - if (ctx == NULL) return GSSERRS(0, GSS_S_NO_CONTEXT); + if (ctx == NULL) return GSSERRS(ERR_BADARG, GSS_S_NO_CONTEXT); if (ctx->expiration_time && ctx->expiration_time < time(NULL)) { - return GSSERRS(0, GSS_S_CONTEXT_EXPIRED); + return GSSERRS(ERR_EXPIRED, GSS_S_CONTEXT_EXPIRED); } /* serialize context */ 
@@ -459,11 +459,11 @@ static uint32_t import_data_buffer(uint32_t *minor_status, } } else { if (!*len) { - set_GSSERR(EINVAL); + set_GSSERR(ERR_BADARG); goto done; } if (rm->len > *len) { - set_GSSERRS(0, GSS_S_DEFECTIVE_TOKEN); + set_GSSERRS(ERR_BADARG, GSS_S_DEFECTIVE_TOKEN); goto done; } memcpy(*dest, ptr, rm->len); @@ -536,7 +536,7 @@ static uint32_t import_name(uint32_t *minor_status, break; default: - set_GSSERRS(0, GSS_S_DEFECTIVE_TOKEN); + set_GSSERRS(ERR_BADARG, GSS_S_DEFECTIVE_TOKEN); break; } @@ -814,12 +814,12 @@ uint32_t gssntlm_export_cred(uint32_t *minor_status, int ret; if (token == NULL) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_WRITE); + return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_WRITE); } cred = (struct gssntlm_cred *)cred_handle; if (cred_handle == NULL) { - return GSSERRS(0, GSS_S_NO_CRED); + return GSSERRS(ERR_NOARG, GSS_S_NO_CRED); } state.exp_size = NEW_SIZE(0, sizeof(struct export_cred)); @@ -912,15 +912,15 @@ uint32_t gssntlm_import_cred(uint32_t *minor_status, uint32_t retmin; if (token == NULL) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_READ); + return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_READ); } if (token->length < sizeof(struct export_cred)) { - return GSSERRS(0, GSS_S_DEFECTIVE_TOKEN); + return GSSERRS(ERR_BADARG, GSS_S_DEFECTIVE_TOKEN); } if (cred_handle == NULL) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_WRITE); + return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_WRITE); } cred = calloc(1, sizeof(struct gssntlm_cred)); @@ -936,7 +936,7 @@ uint32_t gssntlm_import_cred(uint32_t *minor_status, state.exp_ptr = 0; if (ecred->version != le16toh(1)) { - set_GSSERRS(0, GSS_S_DEFECTIVE_TOKEN); + set_GSSERRS(ERR_BADARG, GSS_S_DEFECTIVE_TOKEN); goto done; } 
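Review bot: The new minor code for a malformed interprocess token is ERR_BADARG ("Invalid value in argument"), which tells the caller it passed a bad parameter rather than that the token failed to parse; the existing ERR_DECODE ("Failed to decode data") describes these GSS_S_DEFECTIVE_TOKEN paths more accurately. The same choice appears in the import_name default case below and in the gssntlm_import_cred hunks at -936, -954 and -983, so `set_GSSERRS(ERR_DECODE, GSS_S_DEFECTIVE_TOKEN);` would be the consistent replacement for all of them. import_data_buffer continues outside the hunk.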
@@ -954,7 +954,7 @@ uint32_t gssntlm_import_cred(uint32_t *minor_status, if (retmaj != GSS_S_COMPLETE) goto done; if (ecred->nt_hash.len > 16 || ecred->lm_hash.len > 16) { - set_GSSERRS(0, GSS_S_DEFECTIVE_TOKEN); + set_GSSERRS(ERR_BADARG, GSS_S_DEFECTIVE_TOKEN); goto done; } @@ -983,7 +983,7 @@ uint32_t gssntlm_import_cred(uint32_t *minor_status, if (retmaj != GSS_S_COMPLETE) goto done; break; default: - set_GSSERRS(0, GSS_S_DEFECTIVE_TOKEN); + set_GSSERRS(ERR_BADARG, GSS_S_DEFECTIVE_TOKEN); break; } diff --git a/src/gss_signseal.c b/src/gss_signseal.c index b74fe28..e765b1d 100644 --- a/src/gss_signseal.c +++ b/src/gss_signseal.c @@ -37,13 +37,13 @@ uint32_t gssntlm_get_mic(uint32_t *minor_status, ctx = (struct gssntlm_ctx *)context_handle; retmaj = gssntlm_context_is_valid(ctx, NULL); if (retmaj != GSS_S_COMPLETE) { - return GSSERRS(0, retmaj); + return GSSERRS(ERR_BADCTX, retmaj); } if (qop_req != GSS_C_QOP_DEFAULT) { - return GSSERRS(0, GSS_S_BAD_QOP); + return GSSERRS(ERR_BADARG, GSS_S_BAD_QOP); } if (!message_buffer->value || message_buffer->length == 0) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_READ); + return GSSERRS(ERR_BADARG, GSS_S_CALL_INACCESSIBLE_READ); } message_token->value = malloc(NTLM_SIGNATURE_SIZE); @@ -82,10 +82,10 @@ uint32_t gssntlm_verify_mic(uint32_t *minor_status, ctx = (struct gssntlm_ctx *)context_handle; retmaj = gssntlm_context_is_valid(ctx, NULL); if (retmaj != GSS_S_COMPLETE) { - return GSSERRS(0, retmaj); + return GSSERRS(ERR_BADCTX, retmaj); } if (!message_buffer->value || message_buffer->length == 0) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_READ); + return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_READ); } if (qop_state) { *qop_state = GSS_C_QOP_DEFAULT; 
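Review bot: gssntlm_verify_mic now reports ERR_NOARG for an empty message buffer while the identical check in gssntlm_get_mic (previous hunk), gssntlm_wrap and gssntlm_unwrap reports ERR_BADARG, so the same caller mistake yields two different messages depending on the entry point. Since the buffer pointer is present and only its contents are empty, ERR_BADARG matches the other three; change the line to `return GSSERRS(ERR_BADARG, GSS_S_CALL_INACCESSIBLE_READ);`. gssntlm_verify_mic continues outside the hunk.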
@@ -125,13 +125,13 @@ uint32_t gssntlm_wrap(uint32_t *minor_status, ctx = (struct gssntlm_ctx *)context_handle; retmaj = gssntlm_context_is_valid(ctx, NULL); if (retmaj != GSS_S_COMPLETE) { - return GSSERRS(0, retmaj); + return GSSERRS(ERR_BADCTX, retmaj); } if (qop_req != GSS_C_QOP_DEFAULT) { - return GSSERRS(0, GSS_S_BAD_QOP); + return GSSERRS(ERR_BADARG, GSS_S_BAD_QOP); } if (!input_message_buffer->value || input_message_buffer->length == 0) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_READ); + return GSSERRS(ERR_BADARG, GSS_S_CALL_INACCESSIBLE_READ); } if (conf_state) { *conf_state = 0; @@ -181,10 +181,10 @@ uint32_t gssntlm_unwrap(uint32_t *minor_status, ctx = (struct gssntlm_ctx *)context_handle; retmaj = gssntlm_context_is_valid(ctx, NULL); if (retmaj != GSS_S_COMPLETE) { - return GSSERRS(0, retmaj); + return GSSERRS(ERR_BADCTX, retmaj); } if (!input_message_buffer->value || input_message_buffer->length == 0) { - return GSSERRS(0, GSS_S_CALL_INACCESSIBLE_READ); + return GSSERRS(ERR_BADARG, GSS_S_CALL_INACCESSIBLE_READ); } if (conf_state) { *conf_state = 0; @@ -208,7 +208,7 @@ uint32_t gssntlm_unwrap(uint32_t *minor_status, &message, &output, &signature); if (retmin) { safefree(output_message_buffer->value); - return GSSERRS(0, GSS_S_FAILURE); + return GSSERRS(retmin, GSS_S_FAILURE); } if (memcmp(input_message_buffer->value, @@ -233,11 +233,11 @@ uint32_t gssntlm_wrap_size_limit(uint32_t *minor_status, ctx = (struct gssntlm_ctx *)context_handle; retmaj = gssntlm_context_is_valid(ctx, NULL); if (retmaj != GSS_S_COMPLETE) { - return GSSERRS(0, retmaj); + return GSSERRS(ERR_BADCTX, retmaj); } if (qop_req != GSS_C_QOP_DEFAULT) { - return GSSERRS(0, GSS_S_BAD_QOP); + return GSSERRS(ERR_BADARG, GSS_S_BAD_QOP); } if (req_output_size < 16) { diff --git a/src/ntlm_common.h b/src/ntlm_common.h index 5cfb36c..693aaac 100644 --- a/src/ntlm_common.h +++ b/src/ntlm_common.h 
@@ -26,6 +26,32 @@ enum ntlm_err_code { ERR_DECODE, ERR_ENCODE, ERR_CRYPTO, + ERR_NOARG, + ERR_BADARG, + ERR_NONAME, + ERR_NOSRVNAME, + ERR_NOUSRNAME, + ERR_BADLMLVL, + ERR_IMPOSSIBLE, + ERR_BADCTX, + ERR_WRONGCTX, + ERR_WRONGMSG, + ERR_REQNEGFLAG, + ERR_FAILNEGFLAGS, + ERR_BADNEGFLAGS, + ERR_NOSRVCRED, + ERR_NOUSRCRED, + ERR_BADCRED, + ERR_NOTOKEN, + ERR_NOTSUPPORTED, + ERR_NOTAVAIL, + ERR_NAMETOOLONG, + ERR_NOBINDINGS, + ERR_TIMESKEW, + ERR_EXPIRED, + ERR_KEYLEN, + ERR_NONTLMV1, + ERR_NOUSRFOUND, ERR_LAST }; #define NTLM_ERR_MASK 0x4E54FFFF diff --git a/src/winbind.c b/src/winbind.c index d731fd8..ffdaf44 100644 --- a/src/winbind.c +++ b/src/winbind.c @@ -14,7 +14,7 @@ uint32_t winbind_get_names(char **computer, char **domain) { struct wbcInterfaceDetails *details = NULL; wbcErr wbc_status; - int ret = ENOENT; + int ret = ERR_NOTAVAIL; wbc_status = wbcInterfaceDetails(&details); if (!WBC_ERROR_IS_OK(wbc_status)) goto done; @@ -56,7 +56,7 @@ uint32_t winbind_get_creds(struct gssntlm_name *name, struct wbcCredentialCacheInfo *result; struct wbcInterfaceDetails *details = NULL; wbcErr wbc_status; - int ret = ENOENT; + int ret = ERR_NOTAVAIL; if (name && name->data.user.domain) { params.domain_name = name->data.user.domain; @@ -124,13 +124,13 @@ uint32_t winbind_cli_auth(char *user, char *domain, struct wire_auth_msg *w_auth_msg; struct wire_chal_msg *w_chal_msg; wbcErr wbc_status; - int ret = EINVAL; + int ret; int i; if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) { /* Winbind doesn't support this (yet). We'd want to pass our * own client_target_info in with the request. */ - ret = EINVAL; + ret = ERR_NOTSUPPORTED; goto done; } @@ -166,7 +166,7 @@ uint32_t winbind_cli_auth(char *user, char *domain, wbc_status = wbcCredentialCache(¶ms, &result, NULL); if (!WBC_ERROR_IS_OK(wbc_status)) { - ret = ENOENT; + ret = ERR_NOTAVAIL; goto done; } for (i = 0; i < result->num_blobs; i++) { 
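Review bot: The enum grows by 26 values that must stay in the same order as the err_strs table in src/gss_err.c, but nothing enforces or documents that coupling, and the table's comment for the sixth entry already spells the name ERR_BADLMLEVEL while the enum says ERR_BADLMLVL. A comment on the enum, `/* order must match err_strs[] in gss_err.c */`, is the minimum; a `_Static_assert` on the table length against ERR_LAST in gss_err.c would catch a future mismatch at compile time, though the enum's first value is outside the hunk so the exact expression has to be written there.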
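Review bot: Dropping the initialiser from `int ret;` in winbind_cli_auth is only safe if every path to done assigns ret first; the hunks at -124, -166 and -179 each assign before jumping, but the rest of the function is outside this view, and since ret is returned as the uint32_t status an unassigned path would return an indeterminate value. If the remaining paths are not all covered, keep an initial value, `int ret = ERR_NOTAVAIL;`, matching the other two functions in this file. winbind_cli_auth continues outside the hunk.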
@@ -179,7 +179,7 @@ uint32_t winbind_cli_auth(char *user, char *domain, if (!auth_blob || auth_blob->blob.length < sizeof(*auth_msg) || !sesskey_blob || sesskey_blob->blob.length != 16 ) { - ret = EIO; + ret = ERR_KEYLEN; goto done; } /* We need to 'correct' the flags in the auth message that @@ -219,7 +219,7 @@ uint32_t winbind_srv_auth(char *user, char *domain, wbcErr wbc_status; if (ntlmv2_key->length != 16) { - return EINVAL; + return ERR_KEYLEN; } wbc_params.account_name = user; -- cgit
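Review bot: ERR_KEYLEN ("Invalid key length") is now reported for four different conditions, including a missing auth_blob or an auth blob shorter than the auth message, for which the message is misleading. Splitting the test so that the blob-presence and size failures report ERR_NOTAVAIL or ERR_DECODE and only `sesskey_blob->blob.length != 16` reports ERR_KEYLEN would make the displayed string actionable. winbind_cli_auth starts and ends outside the hunk.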