This is a cheap, non-very-portable way to make debugging a run-time option. diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h index 6598482..85e1c0d 100644 --- a/src/plugins/preauth/pkinit/pkinit.h +++ b/src/plugins/preauth/pkinit/pkinit.h @@ -34,6 +34,7 @@ #include #include #include +#include #include #include "pkinit_accessor.h" @@ -96,12 +97,15 @@ extern int longhorn; /* XXX Talking to a Longhorn server? */ #define pkiDebug printf #else /* Still evaluates for side effects. */ -static inline void pkiDebug (const char *fmt, ...) { } +/* static inline void pkiDebug (const char *fmt, ...) { } */ +#define pkiDebug if (pkinit_debug_is_enabled()) printf /* This is better if the compiler doesn't inline variadic functions well, but gcc will warn about "left-hand operand of comma expression has no effect". Still evaluates for side effects. */ /* #define pkiDebug (void) */ #endif +extern void pkinit_debug_init(krb5_context context, krb5_data *realm, int kdc); +extern int pkinit_debug_is_enabled(void); /* Solaris compiler doesn't grok __FUNCTION__ * hack for now. Fix all the uses eventually. */ diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c index 6888c1b..bb39fce 100644 --- a/src/plugins/preauth/pkinit/pkinit_clnt.c +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c @@ -1002,6 +1002,8 @@ pkinit_client_process(krb5_context context, pkinit_req_context reqctx = (pkinit_req_context)request_context; krb5_keyblock *armor_key = NULL; + pkinit_debug_init(context, &(request->server->realm), 0); + pkiDebug("pkinit_client_process %p %p %p %p\n", context, plgctx, reqctx, request); diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c index a6d7762..2b59fd0 100644 --- a/src/plugins/preauth/pkinit/pkinit_lib.c +++ b/src/plugins/preauth/pkinit/pkinit_lib.c @@ -452,3 +452,28 @@ print_buffer_bin(unsigned char *buf, unsigned int len, char *filename) fclose(f); } + +/* This is a cheat to avoid having to rewrite every caller of pkiDebug() to pass + in a context structure, which is where this flag would be better placed. */ +static __thread int pkinit_debug_enabled = 0; + +void +pkinit_debug_init(krb5_context context, krb5_data *realm, int kdc) +{ + pkinit_debug_enabled = -1; + if (kdc) { + pkinit_kdcdefault_boolean(context, realm, "pkinit_debug", + -1, &pkinit_debug_enabled); + } + if (pkinit_debug_enabled == -1) { + pkinit_libdefault_boolean(context, realm, "pkinit_debug", + 0, &pkinit_debug_enabled); + } + printf("pkinit_debug: %d\n", pkinit_debug_enabled); +} + +int +pkinit_debug_is_enabled(void) +{ + return (pkinit_debug_enabled == 1); +} diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c index 5a7a5ad..d7a0a44 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c @@ -108,6 +108,8 @@ pkinit_server_get_edata(krb5_context context, pkinit_kdc_context plgctx = NULL; krb5_keyblock *armor_key = NULL; + pkinit_debug_init(context, &(request->server->realm), 1); + pkiDebug("pkinit_server_get_edata: entered!\n"); /* Remove (along with armor_key) when FAST PKINIT is settled. */ @@ -315,6 +317,8 @@ pkinit_server_verify_padata(krb5_context context, int is_signed = 1; krb5_keyblock *armor_key; + pkinit_debug_init(context, &(request->server->realm), 1); + pkiDebug("pkinit_verify_padata: entered!\n"); if (data == NULL || data->length <= 0 || data->contents == NULL) return 0;