TR_NAME name ={(char *) displayName->value, (int) displayName->length};
int result=0;
+ tr_debug("tr_gss_auth_cb: Calling auth handler for %.*s.", name.len, name.buf);
if (cookie->auth_cb(clientName, &name, cookie->auth_cookie)) {
tr_debug("tr_gss_auth_cb: client '%.*s' denied authorization.", name.len, name.buf);
result=EACCES; /* denied */
* Handle GSS authentication and authorization
*
* @param conn connection file descriptor
- * @param acceptor_name name of acceptor to present to initiator
- * @param acceptor_realm realm of acceptor to present to initiator
+ * @param acceptor_service name of acceptor to present to initiator
+ * @param acceptor_hostname hostname of acceptor to present to initiator
* @param gssctx GSS context
* @param auth_cb authorization callback
* @param auth_cookie generic data to pass to the authorization callback
* @return 0 on successful auth, 1 on disallowed auth, -1 on error
*/
static int tr_gss_auth_connection(int conn,
- const char *acceptor_name,
- const char *acceptor_realm,
+ const char *acceptor_service,
+ const char *acceptor_hostname,
gss_ctx_id_t *gssctx,
TR_GSS_AUTH_FN auth_cb,
void *auth_cookie)
gss_buffer_desc nameBuffer = {0, NULL};
TR_GSS_COOKIE *cookie = NULL;
- nameBuffer.value = talloc_asprintf(NULL, "%s@%s", acceptor_name, acceptor_realm);
+ nameBuffer.value = talloc_asprintf(NULL, "%s@%s", acceptor_service, acceptor_hostname);
if (nameBuffer.value == NULL) {
tr_err("tr_gss_auth_connection: Error allocating acceptor name.");
return -1;
cookie->auth_cookie=auth_cookie;
/* Now call gsscon with *our* auth callback and cookie */
+ tr_debug("tr_gss_auth_connection: Beginning passive authentication as %.*s",
+ nameBuffer.length, nameBuffer.value);
rc = gsscon_passive_authenticate(conn, nameBuffer, gssctx, tr_gss_auth_cb, cookie);
talloc_free(cookie);
talloc_free(nameBuffer.value);
return -1;
}
+ tr_debug("tr_gss_auth_connection: Authentication succeeded, now authorizing.");
rc = gsscon_authorize(*gssctx, &auth, &autherr);
if (rc) {
tr_debug("tr_gss_auth_connection: Error from gsscon_authorize, rc = %d, autherr = %d.",
* callback to get a response, sends that, then returns.
*
* @param conn connection file descriptor
- * @param acceptor_name acceptor name to present
- * @param acceptor_realm acceptor realm to present
+ * @param acceptor_service acceptor name to present
+ * @param acceptor_hostname acceptor hostname to present
* @param auth_cb callback for authorization
* @param auth_cookie cookie for the auth_cb
* @param req_cb callback to handle the request and produce the response
* @param req_cookie cookie for the req_cb
*/
-void tr_gss_handle_connection(int conn,
- const char *acceptor_name,
- const char *acceptor_realm,
- TR_GSS_AUTH_FN auth_cb,
- void *auth_cookie,
- TR_GSS_HANDLE_REQ_FN req_cb,
- void *req_cookie)
+TR_GSS_RC tr_gss_handle_connection(int conn,
+ const char *acceptor_service,
+ const char *acceptor_hostname,
+ TR_GSS_AUTH_FN auth_cb,
+ void *auth_cookie,
+ TR_GSS_HANDLE_REQ_FN req_cb,
+ void *req_cookie)
{
TALLOC_CTX *tmp_ctx = talloc_new(NULL);
gss_ctx_id_t gssctx = GSS_C_NO_CONTEXT;
char *req_str = NULL;
+ size_t req_len = 0;
+ TR_MSG *req_msg = NULL;
+ TR_MSG *resp_msg = NULL;
char *resp_str = NULL;
+ TR_GSS_RC rc = TR_GSS_ERROR;
+
+ tr_debug("tr_gss_handle_connection: Attempting to accept %s connection on fd %d.",
+ acceptor_service, conn);
if (tr_gss_auth_connection(conn,
- acceptor_name,
- acceptor_realm,
+ acceptor_service,
+ acceptor_hostname,
&gssctx,
auth_cb,
auth_cookie)) {
tr_debug("tr_gss_handle_connection: Connection authorized");
// TODO: should there be a timeout on this?
- while (1) { /* continue until an error breaks us out */
+ do {
+ /* continue until an error breaks us out */
// try to read a request
req_str = tr_gss_read_req(tmp_ctx, conn, gssctx);
- if ( req_str == NULL) {
+ if (req_str == NULL) {
// an error occurred, give up
tr_notice("tr_gss_handle_connection: Error reading request");
goto cleanup;
- } else if (strlen(req_str) > 0) {
- // we got a request message, exit the loop and process it
- break;
}
- // no error, but no message, keep waiting for one
- talloc_free(req_str); // this would be cleaned up anyway, but may as well free it
+ req_len = strlen(req_str);
+
+ /* If we got no characters, we will loop again. Free the empty response for the next loop. */
+ if (req_len == 0)
+ talloc_free(req_str);
+
+ } while (req_len == 0);
+
+ /* Decode the request */
+ req_msg = tr_msg_decode(tmp_ctx, req_str, req_len);
+ if (req_msg == NULL) {
+ tr_notice("tr_gss_handle_connection: Error decoding response");
+ goto cleanup;
}
/* Hand off the request for processing and get the response */
- resp_str = req_cb(tmp_ctx, req_str, req_cookie);
+ resp_msg = req_cb(tmp_ctx, req_msg, req_cookie);
- if (resp_str == NULL) {
+ if (resp_msg == NULL) {
// no response, clean up
goto cleanup;
}
+ /* Encode the response */
+ resp_str = tr_msg_encode(tmp_ctx, resp_msg);
+ if (resp_str == NULL) {
+ /* We apparently can't encode a response, so just return */
+ tr_err("tr_gss_handle_connection: Error encoding response");
+ goto cleanup;
+ }
+
// send the response
if (tr_gss_write_resp(conn, gssctx, resp_str)) {
- tr_notice("tr_gss_handle_connection: Error writing response");
+ tr_err("tr_gss_handle_connection: Error writing response");
+ goto cleanup;
}
+ /* we successfully sent a response */
+ rc = TR_GSS_SUCCESS;
+
cleanup:
talloc_free(tmp_ctx);
+ return rc;
}
projects / trust_router.git / blobdiff