From: Oliver Kurth Date: Tue, 4 Sep 2018 22:40:59 +0000 (-0700) Subject: Add some key VMX debug messages X-Git-Tag: stable-11.0.0~402 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ef8b0bfcc4d7a37bfc92fca0c4f06d7499e58b42;p=thirdparty%2Fopen-vm-tools.git Add some key VMX debug messages Add some key debug-to-vmx messages to help debug SAML tokens. Fix a potential issue in the logging code. Always use a local version of htonll() since Visual Studio has changed its mind about its existance in vs2017. --- diff --git a/open-vm-tools/vgauth/common/vmxlog.c b/open-vm-tools/vgauth/common/vmxlog.c index 8f4981d39..68366f631 100644 --- a/open-vm-tools/vgauth/common/vmxlog.c +++ b/open-vm-tools/vgauth/common/vmxlog.c @@ -186,13 +186,12 @@ struct sockaddr_vm { /* end code copied from vmci_sockets.h */ -#if !defined(_MSC_VER) || _MSC_VER <= 1900 /* - * htonll() for older compilers and non-Windows. + * Local version of htonll() which is missing in many environments. * Assumes the host is little-endian. */ static uint64 -htonll(uint64 s) +_vmxlog_htonll(uint64 s) { uint64 out; unsigned char *buf = (unsigned char *) &out; @@ -208,7 +207,6 @@ htonll(uint64 s) return out; } -#endif /* @@ -259,7 +257,7 @@ MakePacket(const char *cmd, /* network byte order is important here */ hdr.type = htonl(1); // DMFIELDTYPE_INT64 hdr.fieldId = htonl(1); // GUESTRPCPKT_FIELD_TYPE - hdr.value = htonll(1); // GUESTRPCPKT_TYPE_DATA + hdr.value = _vmxlog_htonll(1); // GUESTRPCPKT_TYPE_DATA /* * this part of the data doesn't seem to care about network byte 
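Review bot: The renamed helper `_vmxlog_htonll` in the first vmxlog.c hunk begins with an underscore at file scope, a spelling C reserves for the implementation, so a libc or compiler header could legitimately define the same name. A plain prefix avoids the clash, for example `VMXLogHtonll(uint64 s)` (constructed name), with the MakePacket call changed to match: `hdr.value = VMXLogHtonll(1);`. The header comment still says the function assumes a little-endian host. With the `#if` guard removed this version is now compiled everywhere, so the comment should say what a big-endian build gets. The middle of the function body lies outside the hunks.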
@@ -438,13 +436,18 @@ SendRpciPacket(const char *packet, * * Possible optimization -- every N minutes, retry the new RPC. */ - buf[ret] = '\0'; - reply = &buf[18]; - g_debug("%s: RPC returned '%s'\n", __FUNCTION__, reply); - if (g_strcmp0(reply, "disabled") == 0 || - g_strcmp0(reply, "Unknown") == 0) { - g_warning("%s: RPC unknown or disabled\n", __FUNCTION__); - retVal = VMX_RPC_UNKNOWN; + if (ret >= 18 && ret < sizeof buf) { + buf[ret] = '\0'; + reply = &buf[18]; + g_debug("%s: RPC returned '%s'\n", __FUNCTION__, reply); + if (g_strcmp0(reply, "disabled") == 0 || + g_strcmp0(reply, "Unknown") == 0) { + g_warning("%s: RPC unknown or disabled\n", __FUNCTION__); + retVal = VMX_RPC_UNKNOWN; + } + } else { + g_warning("%s: recv() returned %d\n", __FUNCTION__, ret); + retVal = VMX_RPC_ERROR; } done: diff --git a/open-vm-tools/vgauth/common/vmxlog.h b/open-vm-tools/vgauth/common/vmxlog.h index 963530e3d..00d1febab 100644 --- a/open-vm-tools/vgauth/common/vmxlog.h +++ b/open-vm-tools/vgauth/common/vmxlog.h @@ -34,9 +34,10 @@ void VMXLog_Shutdown(void); void VMXLog_Log(int level, const char *fmt, ...) PRINTF_DECL(2, 3); /* - * XXX placeholder until we define levels for the new log RPC + * * XXX Future-proofing -- currently unused. */ -#define VMXLOG_LEVEL_INFO 1 +#define VMXLOG_LEVEL_INFO 1 +#define VMXLOG_LEVEL_WARNING 2 void VMXLog_LogV(int level, const char *fmt, va_list args); diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c index a394c0ea7..bd1698fba 100644 --- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c +++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c @@ -44,6 +44,7 @@ #include "prefs.h" #include "serviceInt.h" #include "certverify.h" +#include "vmxlog.h" static int gClockSkewAdjustment = VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS; static xmlSchemaPtr gParsedSchemas = NULL; 
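Review bot: The new guard `ret >= 18 && ret < sizeof buf` in SendRpciPacket compares a signed `ret` (it is printed with `%d`) against a `size_t`, so the second test runs as an unsigned comparison. Negative values are still rejected, but an explicit cast makes that auditable and quiets sign-compare warnings: `if (ret >= 18 && (size_t) ret < sizeof buf) {`. The literal 18 appears twice, in the check and in `&buf[18]`, with no name. A constant such as `#define RPCI_REPLY_OFFSET 18` (constructed name), with a comment on what those bytes hold, would keep the two in step. The else branch logs the return value but not `errno`, so a failed receive, a short reply and a full buffer all look alike in the log. The function starts and ends outside the hunk.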
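Review bot: The rewritten comment above the level macros in vmxlog.h reads `* * XXX Future-proofing -- currently unused.`, which appears to carry a stray second asterisk. "Currently unused" is also ambiguous, because this same commit passes `VMXLOG_LEVEL_WARNING` at several call sites. If the meaning is that the level is accepted but not yet forwarded, say so directly: `* XXX The level argument is accepted for future use; it is not yet sent to the VMX.` Whether VMXLog_LogV really ignores the level is not visible in this hunk, so confirm the wording against vmxlog.c.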
@@ -766,6 +767,10 @@ CheckTimeAttr(const xmlNodePtr node, g_warning("%s: FAILED SAML assertion (timeStamp %s, delta %d) %s.\n", __FUNCTION__, timeAttr, (int) diff, notBefore ? "is not yet valid" : "has expired"); + VMXLog_Log(VMXLOG_LEVEL_WARNING, + "%s: FAILED SAML assertion (timeStamp %s, delta %d) %s.\n", + __FUNCTION__, timeAttr, (int) diff, + notBefore ? "is not yet valid" : "has expired"); retVal = FALSE; goto done; } @@ -1263,6 +1268,8 @@ VerifySignature(xmlDocPtr doc, */ if (dsigCtx->status != xmlSecDSigStatusSucceeded) { g_warning("Signature is INVALID\n"); + VMXLog_Log(VMXLOG_LEVEL_WARNING, + "%s: signature is invalid\n", __FUNCTION__); goto done; } diff --git a/open-vm-tools/vgauth/serviceImpl/verify.c b/open-vm-tools/vgauth/serviceImpl/verify.c index e9a75313c..9cee156ef 100644 --- a/open-vm-tools/vgauth/serviceImpl/verify.c +++ b/open-vm-tools/vgauth/serviceImpl/verify.c @@ -1,5 +1,5 @@ /********************************************************* - * Copyright (C) 2011-2017 VMware, Inc. All rights reserved. + * Copyright (C) 2011-2018 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published @@ -27,6 +27,7 @@ #include #include "serviceInt.h" #include "certverify.h" +#include "vmxlog.h" /* ****************************************************************************** @@ -147,6 +148,8 @@ ServiceVerifyAndCheckTrustCertChainForSubject(int numCerts, * No username, no mapped certs, no chance. */ Warning("%s: no mapping entries or userName\n", __FUNCTION__); + VMXLog_Log(VMXLOG_LEVEL_WARNING, + "%s: no mapping entries or userName\n", __FUNCTION__); err = VGAUTH_E_AUTHENTICATION_DENIED; goto done; } 
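Review bot: Each new `VMXLog_Log()` call repeats the format string and arguments of the `g_warning()` or `Warning()` directly above it, so the guest-side and VMX-side messages can drift apart when only one copy is edited. This starts in the CheckTimeAttr hunk and recurs in the ServiceVerifyAndCheckTrustCertChainForSubject hunks of verify.c. The VerifySignature hunk already shows the drift: the local log says `Signature is INVALID` while the VMX log says `%s: signature is invalid`. A small wrapper that takes the format once and forwards it to both sinks would keep the two records identical for anyone correlating them. The messages also end in `\n`; whether the VMX log expects a trailing newline is not visible here and is worth checking in VMXLog_LogV. Both functions start and end outside their hunks.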
@@ -192,6 +195,9 @@ ServiceVerifyAndCheckTrustCertChainForSubject(int numCerts, if (NULL == queryUserName) { Warning("%s: no matching cert and subject found in mapping file\n", __FUNCTION__); + VMXLog_Log(VMXLOG_LEVEL_WARNING, + "%s: no matching cert and subject found in mapping file\n", + __FUNCTION__); err = VGAUTH_E_AUTHENTICATION_DENIED; goto done; } @@ -205,6 +211,8 @@ ServiceVerifyAndCheckTrustCertChainForSubject(int numCerts, */ if (!UsercheckUserExists(queryUserName)) { Warning("%s: User '%s' doesn't exist\n", __FUNCTION__, queryUserName); + VMXLog_Log(VMXLOG_LEVEL_WARNING, + "%s: User '%s' doesn't exist\n", __FUNCTION__, queryUserName); err = VGAUTH_E_AUTHENTICATION_DENIED; goto done; } @@ -288,6 +296,8 @@ ServiceVerifyAndCheckTrustCertChainForSubject(int numCerts, if (numTrusted == 0) { err = VGAUTH_E_AUTHENTICATION_DENIED; Warning("%s: No trusted certs in chain\n", __FUNCTION__); + VMXLog_Log(VMXLOG_LEVEL_WARNING, + "%s: No trusted certs in chain\n", __FUNCTION__); goto done; } @@ -313,6 +323,8 @@ ServiceVerifyAndCheckTrustCertChainForSubject(int numCerts, numTrusted, (const char **) trustedCerts); if (VGAUTH_E_OK != err) { + VMXLog_Log(VMXLOG_LEVEL_WARNING, + "%s: cert chain validation failed\n", __FUNCTION__); goto done; }
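Review bot: In the hunk around `UsercheckUserExists(queryUserName)`, the added `VMXLog_Log(VMXLOG_LEVEL_WARNING, "%s: User '%s' doesn't exist\n", __FUNCTION__, queryUserName);` sends a user name into the VMX log, which is kept outside the guest. `queryUserName` is assigned outside the hunk. If it can come from the client's request rather than only from the mapping file, a guest process can place newlines, control characters or very long strings in that log. Passing it as a `%s` argument is safe against format-string abuse, but the value should be length-bounded and have control characters escaped before it crosses that boundary. Alternatively the VMX copy could omit the name: `"%s: user doesn't exist\n", __FUNCTION__`. The same question applies to `timeAttr` in the CheckTimeAttr hunk of saml-xmlsec1.c, which appears to be text taken from the SAML assertion.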
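Review bot: The last verify.c hunk logs `cert chain validation failed` without the value of `err`, and no `Warning()` is visible in that branch, so neither log says why validation failed. Adding the error code to the message, in whatever format the file already uses for VGAuthError values, would make the VMX entry usable for triage on its own. The call that sets `err` begins outside the hunk, so the callee may already log the reason locally; worth confirming before adding a second local message.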