gss-proxy.git/proxy/src/client/gpm_common.c, branch master-impersonation gssproxy wip repository Fix socket error handling. 2013-05-16T10:11:43+00:00 Simo Sorce simo@redhat.com 2013-05-15T17:22:05+00:00 4d95d30532e2509a07285614b2f17a26dcb44725 1. Grab the socket lock for the whole conversation. We need to keep the lock until the whole conversation is over. Otherwise we may have concurrency issues where communication gets intermixed and errors in one thread can cause a thread to hang. Here is what we observed: thread 1: grabs lock and send a request. thread 2: grabs lock and sends a request server: thread 2 request causes a fatal error and the server close the connection thread 2: grabs the lock and waits for a reply. thread 2: gets the error and returns to caller with it (connection is closed). thread 1: grabs the lock (which reopens the closed channel) and reads ... ... forever as the server has already killed all the previous state. 2. Fail immediately on short reads for the initial 4 byte length header. If the first 4 bytes do not come at once don't bother retrying. In 99.9% of the cases what we are witnessing here is a fatal error from the proxy that closed the socket. Reopening the scket cannot accomplish anything as the request sent down the channel is tied to the specific socket, so once the socket is closed there is no hope to ever get back a reply. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com> 
1. Grab the socket lock for the whole conversation.

We need to keep the lock until the whole conversation is over.
Otherwise we may have concurrency issues where communication gets intermixed
and errors in one thread can cause a thread to hang.

Here is what we observed:

thread 1: grabs lock and send a request.
thread 2: grabs lock and sends a request
server: thread 2 request causes a fatal error and the server close the
connection
thread 2: grabs the lock and waits for a reply.
thread 2: gets the error and returns to caller with it (connection is closed).
thread 1: grabs the lock (which reopens the closed channel) and reads ...
... forever as the server has already killed all the previous state.

2. Fail immediately on short reads for the initial 4 byte length header.

If the first 4 bytes do not come at once don't bother retrying. In 99.9% of the
cases what we are witnessing here is a fatal error from the proxy that closed
the socket. Reopening the scket cannot accomplish anything as the request sent
down the channel is tied to the specific socket, so once the socket is closed
there is no hope to ever get back a reply.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Add support for per-service sockets 2013-04-23T19:02:50+00:00 Simo Sorce simo@redhat.com 2013-04-12T21:09:06+00:00 edf939632c9a1dbab4e769f0c23fe393d7fc8a6a This way different processes running as the same user can be configured as different servervices Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com> 
This way different processes running as the same user can be configured as
different servervices

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Use send() in client library to avoid SIGPIPE 2013-04-03T20:39:11+00:00 Simo Sorce simo@redhat.com 2013-04-03T20:31:14+00:00 212d8f424125cdd40c154b2f09a219d4d0325b8d The client library lives in applications that may not be blocking or ignoring SIGPIPE. Using write() can cause SIGPIPE to be raised in the application if the proxy is restarted. If the application does not catch the signal then it is terminated. Make sure this does not happen by using send() with the MSG_NOSIGNAL flag. Signed-off-by: Simo Sorce <simo@redhat.com> 
The client library lives in applications that may not be blocking or ignoring
SIGPIPE. Using write() can cause SIGPIPE to be raised in the application if the
proxy is restarted. If the application does not catch the signal then it is
terminated.

Make sure this does not happen by using send() with the MSG_NOSIGNAL flag.

Signed-off-by: Simo Sorce <simo@redhat.com>
Fix reporting of wrong error codes 2013-04-03T20:39:11+00:00 Simo Sorce simo@redhat.com 2013-04-03T18:38:58+00:00 b5fd9388baba101a3ae7b8a2f88164af2083a0a7 Found by Coverity as 'Argument cannot be negative' type of error. Signed-off-by: Simo Sorce <simo@redhat.com> 
Found by Coverity as 'Argument cannot be negative' type of error.

Signed-off-by: Simo Sorce <simo@redhat.com>
Make socket path a configure option 2013-03-22T15:34:37+00:00 Simo Sorce simo@redhat.com 2013-03-21T16:28:02+00:00 e9623f5f05053f215c71dbf37d034ae98f1f1c36 The kernel uses the fixed path named /var/run/gssproxy.sock Make this default a configure time option and default to it. Also remove the option to change the socket at configure time, neither the kernel nor proxymech.so can cope with a change anyway. 
The kernel uses the fixed path named /var/run/gssproxy.sock
Make this default a configure time option and default to it.
Also remove the option to change the socket at configure time,
neither the kernel nor proxymech.so can cope with a change anyway.
Fix includes 2013-03-14T17:42:45+00:00 Simo Sorce simo@redhat.com 2013-03-01T01:01:56+00:00 daafe38cf4461fe38e7e1a16284dcca8d145b2ec These includes are necessary when switching to gssrpc because they are not automatically dragged in via dependencies in system rpc.h 
These includes are necessary when switching to gssrpc because they
are not automatically dragged in via dependencies in system rpc.h
Add function to return a special mech 2012-10-25T19:52:37+00:00 Simo Sorce simo@redhat.com 2012-05-17T04:31:14+00:00 6349fcfdbf2668af203b9ca60efece64b7feba85 When the interposer wants to call the mechglue and have it call a real mechanism it does so by providing a speecial mechanism oid. This is an oid composed of the procy plugin oid and the real mechanism oid that the mechglue transforms back into a real OID before selecting the appropriate mechanism. 
When the interposer wants to call the mechglue and have it call a real
mechanism it does so by providing a speecial mechanism oid.
This is an oid composed of the procy plugin oid and the real mechanism oid
that the mechglue transforms back into a real OID before selecting the
appropriate mechanism.
Move client lib files in their own directory 2012-08-31T20:26:38+00:00 Simo Sorce simo@redhat.com 2012-07-31T22:15:12+00:00 1919bf9c7a8c0995e4a4bc0483732084b3b5f241 Make space for the actual mechglue plugin interface. The mechglue interface will use the client library to communicate with the gss-proxy but will reimplement all GSSAPI SPI as wrappers in order to properly handle fallbacks to local mechanism and other input/output transformations. 
Make space for the actual mechglue plugin interface. The mechglue interface
will use the client library to communicate with the gss-proxy but will
reimplement all GSSAPI SPI as wrappers in order to properly handle fallbacks to
local mechanism and other input/output transformations.