diff options
| author | Greg Hudson <ghudson@mit.edu> | 2013-11-25 11:33:35 -0500 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2013-11-25 17:03:09 -0500 |
| commit | 4c57a429760a3b3aa89938a13708742675f9548b (patch) | |
| tree | e6c36be1bba678f05e85cb570e99a81f65c947e1 /src/lib/rpc | |
| parent | 32a770ac1851339621185cdca187d8c1cc27adaf (diff) | |
| download | krb5-4c57a429760a3b3aa89938a13708742675f9548b.tar.gz krb5-4c57a429760a3b3aa89938a13708742675f9548b.tar.xz krb5-4c57a429760a3b3aa89938a13708742675f9548b.zip | |
Add new versions of log_badauth gssrpc callbacks
libgssrpc supports two callbacks for gss_accept_sec_context failures
on servers (one for AUTH_GSS and one for AUTH_GSSAPI), which are
IPv4-specific. Provide an alternate version which supplies the
transport handle instead of the address, so that we can get the
address via the file descriptor for TCP connections.
ticket: 7770
Diffstat (limited to 'src/lib/rpc')
| -rw-r--r-- | src/lib/rpc/libgssrpc.exports | 2 | ||||
| -rw-r--r-- | src/lib/rpc/svc_auth_gss.c | 27 | ||||
| -rw-r--r-- | src/lib/rpc/svc_auth_gssapi.c | 26 |
3 files changed, 44 insertions, 11 deletions
diff --git a/src/lib/rpc/libgssrpc.exports b/src/lib/rpc/libgssrpc.exports index e6509d90c..79e69612d 100644 --- a/src/lib/rpc/libgssrpc.exports +++ b/src/lib/rpc/libgssrpc.exports @@ -60,10 +60,12 @@ gssrpc_svc_sendreply gssrpc_svc_unregister gssrpc_svcauth_gss_get_principal gssrpc_svcauth_gss_set_log_badauth_func +gssrpc_svcauth_gss_set_log_badauth2_func gssrpc_svcauth_gss_set_log_badverf_func gssrpc_svcauth_gss_set_log_miscerr_func gssrpc_svcauth_gss_set_svc_name gssrpc_svcauth_gssapi_set_log_badauth_func +gssrpc_svcauth_gssapi_set_log_badauth2_func gssrpc_svcauth_gssapi_set_log_badverf_func gssrpc_svcauth_gssapi_set_log_miscerr_func gssrpc_svcauth_gssapi_set_names diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c index 68498daa8..8da70032a 100644 --- a/src/lib/rpc/svc_auth_gss.c +++ b/src/lib/rpc/svc_auth_gss.c @@ -80,6 +80,8 @@ typedef struct gss_union_ctx_id_t { static auth_gssapi_log_badauth_func log_badauth = NULL; static caddr_t log_badauth_data = NULL; +static auth_gssapi_log_badauth2_func log_badauth2 = NULL; +static caddr_t log_badauth2_data = NULL; static auth_gssapi_log_badverf_func log_badverf = NULL; static caddr_t log_badverf_data = NULL; static auth_gssapi_log_miscerr_func log_miscerr = NULL; @@ -186,6 +188,16 @@ svcauth_gss_release_cred(void) return (TRUE); } +/* Invoke log_badauth callbacks for an authentication failure. */ +static void +badauth(OM_uint32 maj, OM_uint32 minor, SVCXPRT *xprt) +{ + if (log_badauth != NULL) + (*log_badauth)(maj, minor, &xprt->xp_raddr, log_badauth_data); + if (log_badauth2 != NULL) + (*log_badauth2)(maj, minor, xprt, log_badauth2_data); +} + static bool_t svcauth_gss_accept_sec_context(struct svc_req *rqst, struct rpc_gss_init_res *gr) @@ -226,12 +238,7 @@ svcauth_gss_accept_sec_context(struct svc_req *rqst, log_status("accept_sec_context", gr->gr_major, gr->gr_minor); if (gr->gr_major != GSS_S_COMPLETE && gr->gr_major != GSS_S_CONTINUE_NEEDED) { - if (log_badauth != NULL) { - (*log_badauth)(gr->gr_major, - gr->gr_minor, - &rqst->rq_xprt->xp_raddr, - log_badauth_data); - } + badauth(gr->gr_major, gr->gr_minor, rqst->rq_xprt); gd->ctx = GSS_C_NO_CONTEXT; goto errout; } @@ -673,6 +680,14 @@ void svcauth_gss_set_log_badauth_func( log_badauth_data = data; } +void +svcauth_gss_set_log_badauth2_func(auth_gssapi_log_badauth2_func func, + caddr_t data) +{ + log_badauth2 = func; + log_badauth2_data = data; +} + /* * Function: svcauth_gss_set_log_badverf_func * diff --git a/src/lib/rpc/svc_auth_gssapi.c b/src/lib/rpc/svc_auth_gssapi.c index 9688b8cd7..e3af08fb6 100644 --- a/src/lib/rpc/svc_auth_gssapi.c +++ b/src/lib/rpc/svc_auth_gssapi.c @@ -125,6 +125,8 @@ static int server_creds_count = 0; static auth_gssapi_log_badauth_func log_badauth = NULL; static caddr_t log_badauth_data = NULL; +static auth_gssapi_log_badauth2_func log_badauth2 = NULL; +static caddr_t log_badauth2_data = NULL; static auth_gssapi_log_badverf_func log_badverf = NULL; static caddr_t log_badverf_data = NULL; static auth_gssapi_log_miscerr_func log_miscerr = NULL; @@ -141,6 +143,16 @@ typedef struct _client_list { static client_list *clients = NULL; +/* Invoke log_badauth callbacks for an authentication failure. */ +static void +badauth(OM_uint32 maj, OM_uint32 minor, SVCXPRT *xprt) +{ + if (log_badauth != NULL) + (*log_badauth)(maj, minor, &xprt->xp_raddr, log_badauth_data); + if (log_badauth2 != NULL) + (*log_badauth2)(maj, minor, xprt, log_badauth2_data); +} + enum auth_stat gssrpc__svcauth_gssapi( register struct svc_req *rqst, register struct rpc_msg *msg, @@ -443,11 +455,7 @@ enum auth_stat gssrpc__svcauth_gssapi( call_res.gss_major, call_res.gss_minor)); - if (log_badauth != NULL) - (*log_badauth)(call_res.gss_major, - call_res.gss_minor, - &rqst->rq_xprt->xp_raddr, - log_badauth_data); + badauth(call_res.gss_major, call_res.gss_minor, rqst->rq_xprt); gss_release_buffer(&minor_stat, &output_token); svc_sendreply(rqst->rq_xprt, xdr_authgssapi_init_res, @@ -1027,6 +1035,14 @@ void svcauth_gssapi_set_log_badauth_func( log_badauth_data = data; } +void +svcauth_gssapi_set_log_badauth2_func(auth_gssapi_log_badauth2_func func, + caddr_t data) +{ + log_badauth2 = func; + log_badauth2_data = data; +} + /* * Function: svcauth_gssapi_set_log_badverf_func * |