krb5 commit [krb5-1.12]: Add new versions of log_badauth gssrpc callbacks

Tom Yu tlyu at MIT.EDU
Tue Nov 26 17:26:29 EST 2013


https://github.com/krb5/krb5/commit/dca3c14c0b43a4de724e3533ca2f0a909b7c695f
commit dca3c14c0b43a4de724e3533ca2f0a909b7c695f
Author: Greg Hudson <ghudson at mit.edu>
Date:   Mon Nov 25 11:33:35 2013 -0500

    Add new versions of log_badauth gssrpc callbacks
    
    libgssrpc supports two callbacks for gss_accept_sec_context failures
    on servers (one for AUTH_GSS and one for AUTH_GSSAPI), which are
    IPv4-specific.  Provide an alternate version which supplies the
    transport handle instead of the address, so that we can get the
    address via the file descriptor for TCP connections.
    
    (cherry picked from commit 4c57a429760a3b3aa89938a13708742675f9548b)
    
    ticket: 7770

 src/include/gssrpc/auth_gssapi.h |   13 +++++++++++++
 src/include/gssrpc/rename.h      |    2 ++
 src/lib/rpc/libgssrpc.exports    |    2 ++
 src/lib/rpc/svc_auth_gss.c       |   27 +++++++++++++++++++++------
 src/lib/rpc/svc_auth_gssapi.c    |   26 +++++++++++++++++++++-----
 5 files changed, 59 insertions(+), 11 deletions(-)

diff --git a/src/include/gssrpc/auth_gssapi.h b/src/include/gssrpc/auth_gssapi.h
index d842930..9d94853 100644
--- a/src/include/gssrpc/auth_gssapi.h
+++ b/src/include/gssrpc/auth_gssapi.h
@@ -54,6 +54,14 @@ typedef void (*auth_gssapi_log_badauth_func)
 		struct sockaddr_in *raddr,
 		caddr_t data);
 
+/* auth_gssapi_log_badauth_func is IPv4-specific; this version gives the
+ * transport handle so the fd can be used to get the address. */
+typedef void (*auth_gssapi_log_badauth2_func)
+     (OM_uint32 major,
+		OM_uint32 minor,
+		SVCXPRT *xprt,
+		caddr_t data);
+
 typedef void (*auth_gssapi_log_badverf_func)
      (gss_name_t client,
 		gss_name_t server,
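Review bot: The comment on the new auth_gssapi_log_badauth2_func typedef says what xprt is for but not how long it may be used; since the transport handle belongs to the RPC server rather than to the callback, the comment should state that the pointer is borrowed for the duration of the call, e.g. `* The xprt pointer is valid only for the duration of the callback and must not be retained.` It would also help to say that the IPv4 address is still reachable through the handle, since the helpers added in this commit pass `&xprt->xp_raddr` to the old callback and a consumer migrating to the new signature may want the same field for non-TCP transports.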
@@ -117,6 +125,9 @@ void svcauth_gssapi_unset_names
 void svcauth_gssapi_set_log_badauth_func
 (auth_gssapi_log_badauth_func func,
 	   caddr_t data);
+void svcauth_gssapi_set_log_badauth2_func
+(auth_gssapi_log_badauth2_func func,
+	   caddr_t data);
 void svcauth_gssapi_set_log_badverf_func
 (auth_gssapi_log_badverf_func func,
 	   caddr_t data);
@@ -126,6 +137,8 @@ void svcauth_gssapi_set_log_miscerr_func
 
 void svcauth_gss_set_log_badauth_func(auth_gssapi_log_badauth_func,
 				      caddr_t);
+void svcauth_gss_set_log_badauth2_func(auth_gssapi_log_badauth2_func,
+				       caddr_t);
 void svcauth_gss_set_log_badverf_func(auth_gssapi_log_badverf_func,
 				      caddr_t);
 void svcauth_gss_set_log_miscerr_func(auth_gssapi_log_miscerr_func,
diff --git a/src/include/gssrpc/rename.h b/src/include/gssrpc/rename.h
index 318be1a..ecec66a 100644
--- a/src/include/gssrpc/rename.h
+++ b/src/include/gssrpc/rename.h
@@ -125,10 +125,12 @@
 #define svcauth_gssapi_set_names	gssrpc_svcauth_gssapi_set_names
 #define svcauth_gssapi_unset_names	gssrpc_svcauth_gssapi_unset_names
 #define svcauth_gssapi_set_log_badauth_func	gssrpc_svcauth_gssapi_set_log_badauth_func
+#define svcauth_gssapi_set_log_badauth2_func	gssrpc_svcauth_gssapi_set_log_badauth2_func
 #define svcauth_gssapi_set_log_badverf_func	gssrpc_svcauth_gssapi_set_log_badverf_func
 #define svcauth_gssapi_set_log_miscerr_func	gssrpc_svcauth_gssapi_set_log_miscerr_func
 
 #define svcauth_gss_set_log_badauth_func	gssrpc_svcauth_gss_set_log_badauth_func
+#define svcauth_gss_set_log_badauth2_func	gssrpc_svcauth_gss_set_log_badauth2_func
 #define svcauth_gss_set_log_badverf_func	gssrpc_svcauth_gss_set_log_badverf_func
 #define svcauth_gss_set_log_miscerr_func	gssrpc_svcauth_gss_set_log_miscerr_func
 
diff --git a/src/lib/rpc/libgssrpc.exports b/src/lib/rpc/libgssrpc.exports
index e6509d9..79e6961 100644
--- a/src/lib/rpc/libgssrpc.exports
+++ b/src/lib/rpc/libgssrpc.exports
@@ -60,10 +60,12 @@ gssrpc_svc_sendreply
 gssrpc_svc_unregister
 gssrpc_svcauth_gss_get_principal
 gssrpc_svcauth_gss_set_log_badauth_func
+gssrpc_svcauth_gss_set_log_badauth2_func
 gssrpc_svcauth_gss_set_log_badverf_func
 gssrpc_svcauth_gss_set_log_miscerr_func
 gssrpc_svcauth_gss_set_svc_name
 gssrpc_svcauth_gssapi_set_log_badauth_func
+gssrpc_svcauth_gssapi_set_log_badauth2_func
 gssrpc_svcauth_gssapi_set_log_badverf_func
 gssrpc_svcauth_gssapi_set_log_miscerr_func
 gssrpc_svcauth_gssapi_set_names
diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c
index 68498da..8da7003 100644
--- a/src/lib/rpc/svc_auth_gss.c
+++ b/src/lib/rpc/svc_auth_gss.c
@@ -80,6 +80,8 @@ typedef struct gss_union_ctx_id_t {
 
 static auth_gssapi_log_badauth_func log_badauth = NULL;
 static caddr_t log_badauth_data = NULL;
+static auth_gssapi_log_badauth2_func log_badauth2 = NULL;
+static caddr_t log_badauth2_data = NULL;
 static auth_gssapi_log_badverf_func log_badverf = NULL;
 static caddr_t log_badverf_data = NULL;
 static auth_gssapi_log_miscerr_func log_miscerr = NULL;
@@ -186,6 +188,16 @@ svcauth_gss_release_cred(void)
 	return (TRUE);
 }
 
+/* Invoke log_badauth callbacks for an authentication failure. */
+static void
+badauth(OM_uint32 maj, OM_uint32 minor, SVCXPRT *xprt)
+{
+	if (log_badauth != NULL)
+		(*log_badauth)(maj, minor, &xprt->xp_raddr, log_badauth_data);
+	if (log_badauth2 != NULL)
+		(*log_badauth2)(maj, minor, xprt, log_badauth2_data);
+}
+
 static bool_t
 svcauth_gss_accept_sec_context(struct svc_req *rqst,
 			       struct rpc_gss_init_res *gr)
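Review bot: The doc comment on badauth() should say that both callbacks are invoked when both are registered, because a server that sets the old and the new function will otherwise get two log records per failed gss_accept_sec_context without the comment warning it; something like `/* Invoke every registered log_badauth callback (IPv4 and transport-handle variants) for an authentication failure; xprt must be non-NULL. */`. The non-NULL requirement follows from the `&xprt->xp_raddr` access taken when the first callback is set and from both call sites passing rqst->rq_xprt unchecked. The same helper, with the other indentation style, is duplicated in svc_auth_gssapi.c later in this commit and could carry the same comment. svcauth_gss_accept_sec_context's body continues outside the hunk.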
@@ -226,12 +238,7 @@ svcauth_gss_accept_sec_context(struct svc_req *rqst,
 	log_status("accept_sec_context", gr->gr_major, gr->gr_minor);
 	if (gr->gr_major != GSS_S_COMPLETE &&
 	    gr->gr_major != GSS_S_CONTINUE_NEEDED) {
-		if (log_badauth != NULL) {
-			(*log_badauth)(gr->gr_major,
-				       gr->gr_minor,
-				       &rqst->rq_xprt->xp_raddr,
-				       log_badauth_data);
-		}
+		badauth(gr->gr_major, gr->gr_minor, rqst->rq_xprt);
 		gd->ctx = GSS_C_NO_CONTEXT;
 		goto errout;
 	}
@@ -673,6 +680,14 @@ void svcauth_gss_set_log_badauth_func(
 	log_badauth_data = data;
 }
 
+void
+svcauth_gss_set_log_badauth2_func(auth_gssapi_log_badauth2_func func,
+				  caddr_t data)
+{
+	log_badauth2 = func;
+	log_badauth2_data = data;
+}
+
 /*
  * Function: svcauth_gss_set_log_badverf_func
  *
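Review bot: svcauth_gss_set_log_badauth2_func is added without the `Function:` header block that the neighbouring setters in this file carry (the svcauth_gss_set_log_badverf_func header begins right after it), so the new public entry point is the only undocumented one. A matching header describing the purpose, the `func` and `data` arguments, and that passing NULL as func disables the callback (the helper checks `log_badauth2 != NULL` before calling) would keep the file consistent. The same applies to svcauth_gssapi_set_log_badauth2_func in svc_auth_gssapi.c.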
diff --git a/src/lib/rpc/svc_auth_gssapi.c b/src/lib/rpc/svc_auth_gssapi.c
index 9688b8c..e3af08f 100644
--- a/src/lib/rpc/svc_auth_gssapi.c
+++ b/src/lib/rpc/svc_auth_gssapi.c
@@ -125,6 +125,8 @@ static int server_creds_count = 0;
 
 static auth_gssapi_log_badauth_func log_badauth = NULL;
 static caddr_t log_badauth_data = NULL;
+static auth_gssapi_log_badauth2_func log_badauth2 = NULL;
+static caddr_t log_badauth2_data = NULL;
 static auth_gssapi_log_badverf_func log_badverf = NULL;
 static caddr_t log_badverf_data = NULL;
 static auth_gssapi_log_miscerr_func log_miscerr = NULL;
@@ -141,6 +143,16 @@ typedef struct _client_list {
 static client_list *clients = NULL;
 
 
+/* Invoke log_badauth callbacks for an authentication failure. */
+static void
+badauth(OM_uint32 maj, OM_uint32 minor, SVCXPRT *xprt)
+{
+     if (log_badauth != NULL)
+	  (*log_badauth)(maj, minor, &xprt->xp_raddr, log_badauth_data);
+     if (log_badauth2 != NULL)
+	  (*log_badauth2)(maj, minor, xprt, log_badauth2_data);
+}
+
 enum auth_stat gssrpc__svcauth_gssapi(
      register struct svc_req *rqst,
      register struct rpc_msg *msg,
@@ -443,11 +455,7 @@ enum auth_stat gssrpc__svcauth_gssapi(
 					   call_res.gss_major,
 					   call_res.gss_minor));
 
-	       if (log_badauth != NULL)
-		    (*log_badauth)(call_res.gss_major,
-				   call_res.gss_minor,
-				   &rqst->rq_xprt->xp_raddr,
-				   log_badauth_data);
+	       badauth(call_res.gss_major, call_res.gss_minor, rqst->rq_xprt);
 
 	       gss_release_buffer(&minor_stat, &output_token);
 	       svc_sendreply(rqst->rq_xprt, xdr_authgssapi_init_res,
@@ -1027,6 +1035,14 @@ void svcauth_gssapi_set_log_badauth_func(
      log_badauth_data = data;
 }
 
+void
+svcauth_gssapi_set_log_badauth2_func(auth_gssapi_log_badauth2_func func,
+				     caddr_t data)
+{
+     log_badauth2 = func;
+     log_badauth2_data = data;
+}
+
 /*
  * Function: svcauth_gssapi_set_log_badverf_func
  *

