| author | Ken Raeburn <raeburn@mit.edu> | 2007-08-16 22:55:06 +0000 |
|---|---|---|
| committer | Ken Raeburn <raeburn@mit.edu> | 2007-08-16 22:55:06 +0000 |
| commit | c15ec7751a7d7c1d97dbeb1dd88dda2a328515e0 (patch) | |
| tree | 824bd8c158b1c5b72913515953c7e8576399d912 /src/tests | |
| parent | 9db2f5eb745287654117e70032d05dd9f5a91a3f (diff) | |

remap mechanism-specific status codes in mechglue/spnego

This patch creates a mapping in the mechglue/spnego code to modify
mechanism status codes when passing them back to the application, so
that mechglue's display_status dispatcher can determine the correct
mechanism to dispatch to.

This is part of the "get enhanced error messages from gssapi
applications" project; ticket 5590 has updates to the Kerberos 5
mechanism to extract enhanced error messages (when there are any) from
the Kerberos library.

util/gen.pl, util/t_*.pm: New code generation script and templates.

lib/gssapi/generic: Add a new, global mapping that enumerates the
{mechOID,status} pairs as they're seen, allowing a magic mechOID value
to indicate com_err error codes from mechglue and spnego, and
reserving status code 0 for unknown errors. Preload the Kerberos
"wrong principal" error code once for each mechanism OID used for
Kerberos, so the entries get fixed positions (1-3) in the table.

lib/gssapi/gss_libinit.c: Call the initializer and destructor
functions.

lib/gssapi/mechglue, lib/gssapi/spnego: Enter all mechanism-generated
or locally-generated status codes into the mapping table, and return
the table index to the application. Do the reverse in display_status,
to get the messages from the mechanism.

lib/rpc: Define new function gssrpcint_printf to use for debugging
instead of printf, to redirect output away from dejagnu; add a couple
more debugging calls. Check for minor status codes 1-3 now instead of
KRB5KRB_AP_WRONG_PRINC.

tests/dejagnu/krb-standalone/gssftp.exp: Test getting more detailed
error messages back, by having the ftp client attempt to authenticate
to a non-existent service, and examining the error message for the
service principal name.

ticket: new

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19831 dc483132-0cff-0310-8789-dd5450dbe970

Diffstat (limited to 'src/tests')
| -rw-r--r-- | src/tests/dejagnu/krb-standalone/gssftp.exp | 49 |
1 files changed, 48 insertions, 1 deletions
diff --git a/src/tests/dejagnu/krb-standalone/gssftp.exp b/src/tests/dejagnu/krb-standalone/gssftp.exp index ac1126e1b..90fe9034f 100644 --- a/src/tests/dejagnu/krb-standalone/gssftp.exp +++ b/src/tests/dejagnu/krb-standalone/gssftp.exp @@ -189,7 +189,54 @@ proc ftp_test { } { } # - # set KRB5_KTNAME + # set KRB5_KTNAME *incorrectly* + # + set env(KRB5_KTNAME) FILE:$tmppwd/srvtabxx + verbose "KRB5_KTNAME=$env(KRB5_KTNAME)" + + # Force some auth errors. + set testname "ftp auth errors" + + # Start the ftp daemon. + start_ftp_daemon + + # Try connecting. + spawn $FTP -d -v $hostname [expr 8 + $portbase] + expect_after { + -re "--->\[^\r\n\]*\r\n" { exp_continue } + -re "encoding \[0-9\]* bytes MIC \[a-zA-Z/+\]*" { exp_continue } + -re "sealed \[A-Z()\]*" { exp_continue } + -re "secure_command\[A-Z()\]*" { exp_continue } + timeout { + fail "$testname (timeout)" + catch "expect_after" + return + } + eof { + fail "$testname (eof)" + catch "expect_after" + return + } + } + expect -nocase "connected to $hostname" + expect -nocase -re "$localhostname.*ftp server .version \[0-9.\]*. ready." + expect -re "Using authentication type GSSAPI; ADAT must follow" + expect "GSSAPI accepted as authentication type" + expect -re "Trying to authenticate to <ftp@.*>" + # The ftp client doesn't print the gssapi error except on the last attempt. +# expect "GSSAPI error major: Unspecified GSS failure." +# expect -re "GSSAPI error minor: Key table file '.*' not found" + expect -re "Trying to authenticate to <host@.*>" + expect "GSSAPI error major: Unspecified GSS failure." + expect -re "GSSAPI error minor: Server host/.* not found in Kerberos database" + expect -re "Name (.*): " + close -i $spawn_id + wait -i $spawn_id + wait -i $ftpd_spawn_id + catch "close -i $ftpd_spawn_id" + + # + # set KRB5_KTNAME correctly now # set env(KRB5_KTNAME) FILE:$tmppwd/srvtab verbose "KRB5_KTNAME=$env(KRB5_KTNAME)" |
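
Review bot: the new "ftp auth errors" block never records a result on success; after the final `expect -re "Name (.*): "` there is no `pass "$testname"`, so the test only shows up in the dejagnu summary when it hits the `timeout` or `eof` branch. Add `pass "$testname"` before `close -i $spawn_id`. The minor-status check `Server host/.* not found in Kerberos database` also accepts any host principal; since the commit message says the test examines the error message for the service principal name, matching against `$hostname` instead of `.*` would verify that the remapped status code resolves to the right message rather than just some Kerberos one. The `expect_after` handlers are cleared only in the two failure branches (`catch "expect_after"`), so consider clearing them on the success path as well before the block that sets `KRB5_KTNAME` correctly. The two commented-out `expect` lines for the keytab error start at column 0, unlike the surrounding code; indent them to match or drop them, since the comment above already explains why that output is not seen.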
