Add new versions of log_badauth gssrpc callbacks

libgssrpc supports two callbacks for gss_accept_sec_context failures on servers (one for AUTH_GSS and one for AUTH_GSSAPI), which are IPv4-specific. Provide an alternate version which supplies the transport handle instead of the address, so that we can get the address via the file descriptor for TCP connections. ticket: 7770
krb5 · Nov 25, 2013 · 4c57a42 · 4c57a42
1 parent 32a770a
commit 4c57a42
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 11 deletions.
diff --git a/src/include/gssrpc/auth_gssapi.h b/src/include/gssrpc/auth_gssapi.h
@@ -54,6 +54,14 @@ typedef void (*auth_gssapi_log_badauth_func)
 		struct sockaddr_in *raddr,
 		caddr_t data);
 
+/* auth_gssapi_log_badauth_func is IPv4-specific; this version gives the
+ * transport handle so the fd can be used to get the address. */
+typedef void (*auth_gssapi_log_badauth2_func)
+     (OM_uint32 major,
+		OM_uint32 minor,
+		SVCXPRT *xprt,
+		caddr_t data);
+
 typedef void (*auth_gssapi_log_badverf_func)
      (gss_name_t client,
 		gss_name_t server,
@@ -117,6 +125,9 @@ void svcauth_gssapi_unset_names
 void svcauth_gssapi_set_log_badauth_func
 (auth_gssapi_log_badauth_func func,
 	   caddr_t data);
+void svcauth_gssapi_set_log_badauth2_func
+(auth_gssapi_log_badauth2_func func,
+	   caddr_t data);
 void svcauth_gssapi_set_log_badverf_func
 (auth_gssapi_log_badverf_func func,
 	   caddr_t data);
@@ -126,6 +137,8 @@ void svcauth_gssapi_set_log_miscerr_func
 
 void svcauth_gss_set_log_badauth_func(auth_gssapi_log_badauth_func,
 				      caddr_t);
+void svcauth_gss_set_log_badauth2_func(auth_gssapi_log_badauth2_func,
+				       caddr_t);
 void svcauth_gss_set_log_badverf_func(auth_gssapi_log_badverf_func,
 				      caddr_t);
 void svcauth_gss_set_log_miscerr_func(auth_gssapi_log_miscerr_func,

diff --git a/src/include/gssrpc/rename.h b/src/include/gssrpc/rename.h
@@ -125,10 +125,12 @@
 #define svcauth_gssapi_set_names	gssrpc_svcauth_gssapi_set_names
 #define svcauth_gssapi_unset_names	gssrpc_svcauth_gssapi_unset_names
 #define svcauth_gssapi_set_log_badauth_func	gssrpc_svcauth_gssapi_set_log_badauth_func
+#define svcauth_gssapi_set_log_badauth2_func	gssrpc_svcauth_gssapi_set_log_badauth2_func
 #define svcauth_gssapi_set_log_badverf_func	gssrpc_svcauth_gssapi_set_log_badverf_func
 #define svcauth_gssapi_set_log_miscerr_func	gssrpc_svcauth_gssapi_set_log_miscerr_func
 
 #define svcauth_gss_set_log_badauth_func	gssrpc_svcauth_gss_set_log_badauth_func
+#define svcauth_gss_set_log_badauth2_func	gssrpc_svcauth_gss_set_log_badauth2_func
 #define svcauth_gss_set_log_badverf_func	gssrpc_svcauth_gss_set_log_badverf_func
 #define svcauth_gss_set_log_miscerr_func	gssrpc_svcauth_gss_set_log_miscerr_func
 

diff --git a/src/lib/rpc/libgssrpc.exports b/src/lib/rpc/libgssrpc.exports
@@ -60,10 +60,12 @@ gssrpc_svc_sendreply
 gssrpc_svc_unregister
 gssrpc_svcauth_gss_get_principal
 gssrpc_svcauth_gss_set_log_badauth_func
+gssrpc_svcauth_gss_set_log_badauth2_func
 gssrpc_svcauth_gss_set_log_badverf_func
 gssrpc_svcauth_gss_set_log_miscerr_func
 gssrpc_svcauth_gss_set_svc_name
 gssrpc_svcauth_gssapi_set_log_badauth_func
+gssrpc_svcauth_gssapi_set_log_badauth2_func
 gssrpc_svcauth_gssapi_set_log_badverf_func
 gssrpc_svcauth_gssapi_set_log_miscerr_func
 gssrpc_svcauth_gssapi_set_names

diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c
@@ -80,6 +80,8 @@ typedef struct gss_union_ctx_id_t {
 
 static auth_gssapi_log_badauth_func log_badauth = NULL;
 static caddr_t log_badauth_data = NULL;
+static auth_gssapi_log_badauth2_func log_badauth2 = NULL;
+static caddr_t log_badauth2_data = NULL;
 static auth_gssapi_log_badverf_func log_badverf = NULL;
 static caddr_t log_badverf_data = NULL;
 static auth_gssapi_log_miscerr_func log_miscerr = NULL;
@@ -186,6 +188,16 @@ svcauth_gss_release_cred(void)
 	return (TRUE);
 }
 
+/* Invoke log_badauth callbacks for an authentication failure. */
+static void
+badauth(OM_uint32 maj, OM_uint32 minor, SVCXPRT *xprt)
+{
+	if (log_badauth != NULL)
+		(*log_badauth)(maj, minor, &xprt->xp_raddr, log_badauth_data);
+	if (log_badauth2 != NULL)
+		(*log_badauth2)(maj, minor, xprt, log_badauth2_data);
+}
+
 static bool_t
 svcauth_gss_accept_sec_context(struct svc_req *rqst,
 			       struct rpc_gss_init_res *gr)
@@ -226,12 +238,7 @@ svcauth_gss_accept_sec_context(struct svc_req *rqst,
 	log_status("accept_sec_context", gr->gr_major, gr->gr_minor);
 	if (gr->gr_major != GSS_S_COMPLETE &&
 	    gr->gr_major != GSS_S_CONTINUE_NEEDED) {
-		if (log_badauth != NULL) {
-			(*log_badauth)(gr->gr_major,
-				       gr->gr_minor,
-				       &rqst->rq_xprt->xp_raddr,
-				       log_badauth_data);
-		}
+		badauth(gr->gr_major, gr->gr_minor, rqst->rq_xprt);
 		gd->ctx = GSS_C_NO_CONTEXT;
 		goto errout;
 	}
@@ -673,6 +680,14 @@ void svcauth_gss_set_log_badauth_func(
 	log_badauth_data = data;
 }
 
+void
+svcauth_gss_set_log_badauth2_func(auth_gssapi_log_badauth2_func func,
+				  caddr_t data)
+{
+	log_badauth2 = func;
+	log_badauth2_data = data;
+}
+
 /*
  * Function: svcauth_gss_set_log_badverf_func
  *

diff --git a/src/lib/rpc/svc_auth_gssapi.c b/src/lib/rpc/svc_auth_gssapi.c
@@ -125,6 +125,8 @@ static int server_creds_count = 0;
 
 static auth_gssapi_log_badauth_func log_badauth = NULL;
 static caddr_t log_badauth_data = NULL;
+static auth_gssapi_log_badauth2_func log_badauth2 = NULL;
+static caddr_t log_badauth2_data = NULL;
 static auth_gssapi_log_badverf_func log_badverf = NULL;
 static caddr_t log_badverf_data = NULL;
 static auth_gssapi_log_miscerr_func log_miscerr = NULL;
@@ -141,6 +143,16 @@ typedef struct _client_list {
 static client_list *clients = NULL;
 
 
+/* Invoke log_badauth callbacks for an authentication failure. */
+static void
+badauth(OM_uint32 maj, OM_uint32 minor, SVCXPRT *xprt)
+{
+     if (log_badauth != NULL)
+	  (*log_badauth)(maj, minor, &xprt->xp_raddr, log_badauth_data);
+     if (log_badauth2 != NULL)
+	  (*log_badauth2)(maj, minor, xprt, log_badauth2_data);
+}
+
 enum auth_stat gssrpc__svcauth_gssapi(
      register struct svc_req *rqst,
      register struct rpc_msg *msg,
@@ -443,11 +455,7 @@ enum auth_stat gssrpc__svcauth_gssapi(
 					   call_res.gss_major,
 					   call_res.gss_minor));
 
-	       if (log_badauth != NULL)
-		    (*log_badauth)(call_res.gss_major,
-				   call_res.gss_minor,
-				   &rqst->rq_xprt->xp_raddr,
-				   log_badauth_data);
+	       badauth(call_res.gss_major, call_res.gss_minor, rqst->rq_xprt);
 
 	       gss_release_buffer(&minor_stat, &output_token);
 	       svc_sendreply(rqst->rq_xprt, xdr_authgssapi_init_res,
@@ -1027,6 +1035,14 @@ void svcauth_gssapi_set_log_badauth_func(
      log_badauth_data = data;
 }
 
+void
+svcauth_gssapi_set_log_badauth2_func(auth_gssapi_log_badauth2_func func,
+				     caddr_t data)
+{
+     log_badauth2 = func;
+     log_badauth2_data = data;
+}
+
 /*
  * Function: svcauth_gssapi_set_log_badverf_func
  *