From eba8c4909ec7ba0d7054d5d1b1061319e9970cc7 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 28 Apr 2014 03:58:32 -0400 Subject: Improve krb5_rd_req decryption failure errors When krb5_rd_req cannot decrypt a ticket, try to produce the most helpful diagnostic we can, and return an error code which corresponds to the most applicable Kerberos protocol error. Add a trace log containing the error message for ticket decryption failures, in case the application server does not log it. Add new tests to cover krb5_rd_req error messages and adjust existing tests to match the new messages. Also adjust svc_auth_gssapi.c to look for KRB5KRB_AP_ERR_NOT_US instead of KRB5KRB_AP_WRONG_PRINC. ticket: 7232
--- src/include/k5-trace.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src/include')
diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h
index 71ce73eb0..dfd34f634 100644
--- a/src/include/k5-trace.h
+++ b/src/include/k5-trace.h
@@ -301,6 +301,8 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
 #define TRACE_RD_REQ_DECRYPT_SPECIFIC(c, princ, keyblock) \
 TRACE(c, "Decrypted AP-REQ with specified server principal {princ}: " \
 "{keyblock}", princ, keyblock)
+#define TRACE_RD_REQ_DECRYPT_FAIL(c, err) \
+ TRACE(c, "Failed to decrypt AP-REQ ticket: {kerr}", err)
 #define TRACE_RD_REQ_NEGOTIATED_ETYPE(c, etype) \
 TRACE(c, "Negotiated enctype based on authenticator: {etype}", \
 etype)
-- cgit
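Review bot: The new TRACE_RD_REQ_DECRYPT_FAIL macro formats `err` with `{kerr}`, which in this header's trace vocabulary is rendered through the context's error message, so the trace line is only as informative as the extended message set on `c` at the moment of the call; the call site in rd_req_dec.c is outside this diff (the page is limited to src/include), and it presumably has to invoke the macro after the descriptive message is set and before any further library call that resets it, or the trace degrades to the generic com_err text for the code. A one-line comment on the macro would pin that ordering for future callers, e.g. `/* Call while the extended message for err is still set on c; {kerr} renders it. */`. Because the decryption-failure diagnostic now also reaches the KRB5_TRACE destination, it should stay limited to which principal/kvno/enctype was tried and never fold in key material; the macro takes only the error code, unlike the `{keyblock}` argument of the neighbouring DECRYPT_SPECIFIC line, which is the right shape for that, and trace output is opt-in by the process owner, so no new exposure beyond the returned error is evident from this hunk.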