path: root/krb5-pkinit-debug.patch
blob: 201c45dc4e875c96ac3da4156cea5fdba6788feb (plain)
This is a cheap, not-very-portable way to make debugging a run-time option.

diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
index 6598482..85e1c0d 100644
--- a/src/plugins/preauth/pkinit/pkinit.h
+++ b/src/plugins/preauth/pkinit/pkinit.h
@@ -34,6 +34,7 @@
 #include <krb5/krb5.h>
 #include <krb5/preauth_plugin.h>
 #include <k5-int-pkinit.h>
+#include <autoconf.h>
 #include <profile.h>
 #include "pkinit_accessor.h"
 
@@ -96,12 +97,15 @@ extern int longhorn;	    /* XXX Talking to a Longhorn server? */
 #define pkiDebug	printf
 #else
 /* Still evaluates for side effects.  */
-static inline void pkiDebug (const char *fmt, ...) { }
+/* static inline void pkiDebug (const char *fmt, ...) { } */
+#define pkiDebug	if (pkinit_debug_is_enabled()) printf
 /* This is better if the compiler doesn't inline variadic functions
    well, but gcc will warn about "left-hand operand of comma
    expression has no effect".  Still evaluates for side effects.  */
 /* #define pkiDebug	(void) */
 #endif
+extern void pkinit_debug_init(krb5_context context, krb5_data *realm, int kdc);
+extern int pkinit_debug_is_enabled(void);
 
 /* Solaris compiler doesn't grok __FUNCTION__
  * hack for now.  Fix all the uses eventually. */
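Review bot: The replacement on the `+#define pkiDebug if (pkinit_debug_is_enabled()) printf` line expands to an unbraced `if`, so any existing call of the form `if (x) pkiDebug("..."); else foo();` in the plugin now binds its `else` to the hidden inner `if` and silently changes control flow whenever debugging is disabled. The usual dangling-else-safe form puts the call in the else branch: `#define pkiDebug if (!pkinit_debug_is_enabled()) {} else printf`. The macro is also a statement now rather than a void call, so any caller that used `pkiDebug(...)` inside a larger expression will stop compiling where the old `static inline void` form was accepted; it is worth a grep before merging. The commented-out inline definition kept on the line above is dead text and could be removed instead of left beside the macro.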
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 6888c1b..bb39fce 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -1002,6 +1002,8 @@ pkinit_client_process(krb5_context context,
     pkinit_req_context reqctx = (pkinit_req_context)request_context;
     krb5_keyblock *armor_key = NULL;
 
+    pkinit_debug_init(context, &(request->server->realm), 0);
+
     pkiDebug("pkinit_client_process %p %p %p %p\n",
              context, plgctx, reqctx, request);
 
diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c
index a6d7762..2b59fd0 100644
--- a/src/plugins/preauth/pkinit/pkinit_lib.c
+++ b/src/plugins/preauth/pkinit/pkinit_lib.c
@@ -452,3 +452,28 @@ print_buffer_bin(unsigned char *buf, unsigned int len, char *filename)
 
     fclose(f);
 }
+
+/* This is a cheat to avoid having to rewrite every caller of pkiDebug() to pass
+   in a context structure, which is where this flag would be better placed. */
+static __thread int pkinit_debug_enabled = 0;
+
+void
+pkinit_debug_init(krb5_context context, krb5_data *realm, int kdc)
+{
+	pkinit_debug_enabled = -1;
+	if (kdc) {
+		pkinit_kdcdefault_boolean(context, realm, "pkinit_debug",
+					  -1, &pkinit_debug_enabled);
+	}
+	if (pkinit_debug_enabled == -1) {
+		pkinit_libdefault_boolean(context, realm, "pkinit_debug",
+					  0, &pkinit_debug_enabled);
+	}
+	printf("pkinit_debug: %d\n", pkinit_debug_enabled);
+}
+
+int
+pkinit_debug_is_enabled(void)
+{
+	return (pkinit_debug_enabled == 1);
+}
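Review bot: `printf("pkinit_debug: %d\n", pkinit_debug_enabled);` at the end of pkinit_debug_init() runs unconditionally, so every caller writes a line to stdout even when the option is off; on the KDC that is per-request noise on a descriptor a daemon may have closed or redirected, and inside a client program it interleaves with the application's own output. Gate it on the result, `if (pkinit_debug_enabled == 1) printf("pkinit_debug: %d\n", pkinit_debug_enabled);`, or drop it entirely since pkiDebug() output already shows that debugging is on. The return values of pkinit_kdcdefault_boolean() and pkinit_libdefault_boolean() are discarded; if a lookup fails without writing the out-parameter the variable stays at -1 and pkinit_debug_is_enabled() reports off, which is the safe default, but a one-line comment stating that this is intentional would help the next reader. `__thread` is a GCC/Clang extension; if the tree's compilers allow it, C11's `_Thread_local` says the same thing portably.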
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 5a7a5ad..d7a0a44 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -108,6 +108,8 @@ pkinit_server_get_edata(krb5_context context,
     pkinit_kdc_context plgctx = NULL;
     krb5_keyblock *armor_key = NULL;
 
+    pkinit_debug_init(context, &(request->server->realm), 1);
+
     pkiDebug("pkinit_server_get_edata: entered!\n");
 
     /* Remove (along with armor_key) when FAST PKINIT is settled. */
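Review bot: `pkinit_debug_init(context, &(request->server->realm), 1);` dereferences `request->server` before pkinit_server_get_edata() has done any of its own checks, and the same line is added in the pkinit_server_verify_padata hunk below. If the KDC's request pipeline guarantees a non-NULL server principal by the time preauth plugins run this is fine, but that guarantee is not visible in the hunk, and a NULL check on `request->server` before the call would let the plugin stand on its own. Each call also performs up to two profile lookups per KDC request, so the debug flag becomes a per-request configuration read rather than a one-time decision; reading it once into the plugin context at initialization would avoid that cost on a busy KDC. Both enclosing functions continue outside their hunks.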
@@ -315,6 +317,8 @@ pkinit_server_verify_padata(krb5_context context,
     int is_signed = 1;
     krb5_keyblock *armor_key;
 
+    pkinit_debug_init(context, &(request->server->realm), 1);
+
     pkiDebug("pkinit_verify_padata: entered!\n");
     if (data == NULL || data->length <= 0 || data->contents == NULL)
         return 0;