need more testing support for MS

This should allow use of the CFX_EXERCISE code to better check interoperability
of MS and MIT code with regard to future extensibility.

* init_sec_context.c (make_gss_checksum) [CFX_EXERCISE]: Don't crash on null
pointer in debugging code.
(new_connection): Disable CFX_EXERCISE unknown-token-id case detection.

* accept_sec_context.c (krb5_gss_accept_sec_context) [CFX_EXERCISE]: Log to
/tmp/gsslog whether delegation or extra option bytes were present.

ticket: new
target_version: 1.3.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15983 dc483132-0cff-0310-8789-dd5450dbe970

3 files changed, 43 insertions, 3 deletions

diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index 669fbc25f..f29dfe00c 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,14 @@
+2004-01-27  Ken Raeburn  <raeburn@mit.edu>
+
+	* init_sec_context.c (make_gss_checksum) [CFX_EXERCISE]: Don't
+	crash on null pointer in debugging code.
+	(new_connection): Disable CFX_EXERCISE unknown-token-id case
+	detection.
+
+	* accept_sec_context.c (krb5_gss_accept_sec_context)
+	[CFX_EXERCISE]: Log to /tmp/gsslog whether delegation or extra
+	option bytes were present.
+
 2004-01-05  Ken Raeburn  <raeburn@mit.edu>
 
 	* init_sec_context.c: Include auth_con.h if CFX_EXERCISE is
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index c27d82363..6ab291b1b 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -567,7 +567,35 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
 
 	   } /* if i >= 4 */
 	   /* ignore any additional trailing data, for now */
-       } /* if */
+#ifdef CFX_EXERCISE
+	   {
+	       FILE *f = fopen("/tmp/gsslog", "a");
+	       if (f) {
+		   fprintf(f,
+			   "initial context token with delegation, %d extra bytes\n",
+			   i);
+		   fclose(f);
+	       }
+	   }
+#endif
+       } else {
+#ifdef CFX_EXERCISE
+	   {
+	       FILE *f = fopen("/tmp/gsslog", "a");
+	       if (f) {
+		   if (gss_flags & GSS_C_DELEG_FLAG)
+		       fprintf(f,
+			       "initial context token, delegation flag but too small\n");
+		   else
+		       /* no deleg flag, length might still be too big */
+		       fprintf(f,
+			       "initial context token, %d extra bytes\n",
+			       authdat->checksum->length - 24);
+		   fclose(f);
+	       }
+	   }
+#endif
+       }
    }
 
    /* create the ctx struct and start filling it in */
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 20d416fe3..2dd320cd8 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -194,7 +194,8 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
 	data->checksum_data.length = 24;
     }
 #ifdef CFX_EXERCISE
-    if (data->ctx->auth_context->keyblock->enctype == 18) {
+    if (data->ctx->auth_context->keyblock != NULL
+	&& data->ctx->auth_context->keyblock->enctype == 18) {
 	srand(time(0) ^ getpid());
 	/* Our ftp client code stupidly assumes a base64-encoded
 	   version of the token will fit in 10K, so don't make this
@@ -477,7 +478,7 @@ new_connection(
    /* complain if the input token is non-null */
 
    if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) {
-#ifdef CFX_EXERCISE
+#if 0 /* def CFX_EXERCISE */
        if (*context_handle != GSS_C_NO_CONTEXT
 	   && ((krb5_gss_ctx_id_t)*context_handle)->testing_unknown_tokid) {
 	   /* XXX Should check for a KRB_ERROR message that we can