From: Oliver Kurth
Date: Tue, 26 May 2020 22:32:56 +0000 (-0700)
Subject: Improve logging on signature verification
X-Git-Tag: stable-11.2.0~211
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=80ce8edc04fcd3253174be476b0f09bdf5527bf5;p=thirdparty%2Fopen-vm-tools.git
Improve logging on signature verification
If xmlsec and vgauth are built inconsistently, xmlSecSize can differ between the two, which results in a key datastructure being a different size, and vgauth ends up looking in the wrong place in memory for the signature check status. Log the status, so that if its not one of the two expected values, we have some ideas of what went wrong.
---
diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
index 2906d2932..d5bb4f8b9 100644
--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
+++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c
@@ -1,5 +1,5 @@
 /*********************************************************
- * Copyright (C) 2016-2019 VMware, Inc. All rights reserved.
+ * Copyright (C) 2016-2020 VMware, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Lesser General Public License as published 
@@ -1297,11 +1297,22 @@ VerifySignature(xmlDocPtr doc,
 /*
  * Check status to verify the signature is correct.
  *
+ * This check can fail due to build issues. If xmlSecSize is
+ * different between this layer and the xmlsec library,
+ * dsigCtx->status can be at the wrong offset. So
+ * dump the value of status, which should be either
+ * 1 (xmlSecDSigStatusSucceeded) or 2 (xmlSecDSigStatusInvalid).
+ * If its something else, that's a sign there's a
+ * build issue and XMLSEC_NO_SIZE_T may be set at one layer but
+ * not the other.
+ *
  */
 if (dsigCtx->status != xmlSecDSigStatusSucceeded) {
- g_warning("Signature is INVALID\n");
+ g_warning("%s: Signature is invalid (got %d)\n",
+ __FUNCTION__, dsigCtx->status);
 VMXLog_Log(VMXLOG_LEVEL_WARNING,
- "%s: signature is invalid\n", __FUNCTION__);
+ "%s: signature is invalid (got %d)\n", __FUNCTION__,
+ dsigCtx->status);
 goto done;
 }
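Review bot: The new messages label every non-Succeeded status as "Signature is invalid", although the comment added just above says a value other than 1 or 2 indicates an xmlSecSize/XMLSEC_NO_SIZE_T build mismatch rather than a bad token, so an operator reading the log for that case would chase the wrong cause. Splitting the branch on `dsigCtx->status != xmlSecDSigStatusInvalid` and emitting a distinct "unexpected xmlsec status" message makes the log actionable, as sketched below. This only diagnoses the mismatch when the misread field happens not to equal xmlSecDSigStatusSucceeded; if it does, the signature is accepted with nothing logged, so an init-time self-check of the xmlsec build configuration is presumably still needed and is not something this hunk can supply. The comment's `If its` should read `If it's`. VerifySignature and the `done:` label lie outside the hunk.
```c
   if (dsigCtx->status != xmlSecDSigStatusSucceeded) {
      if (dsigCtx->status != xmlSecDSigStatusInvalid) {
         /* Neither expected value: points at an xmlSecSize/ABI mismatch, not at the token. */
         g_warning("%s: unexpected xmlsec status %d; check XMLSEC_NO_SIZE_T consistency\n",
                   __FUNCTION__, (int)dsigCtx->status);
         VMXLog_Log(VMXLOG_LEVEL_WARNING,
                    "%s: unexpected xmlsec status %d\n", __FUNCTION__,
                    (int)dsigCtx->status);
      } else {
         g_warning("%s: Signature is invalid (got %d)\n",
                   __FUNCTION__, dsigCtx->status);
         VMXLog_Log(VMXLOG_LEVEL_WARNING,
                    "%s: signature is invalid (got %d)\n", __FUNCTION__,
                    dsigCtx->status);
      }
      goto done;
   }
```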