Give useful tids error on bad gss-name (bug 1325953)
authorJennifer Richards <jennifer@painless-security.com>
Tue, 17 May 2016 19:38:31 +0000 (15:38 -0400)
committerJennifer Richards <jennifer@painless-security.com>
Tue, 17 May 2016 19:38:31 +0000 (15:38 -0400)
Return a meaningful error code from tids_auth_cb() when there is a
mismatch between the expected gss-name and the client name in a TID
request. Also print a helpful error message to the server log.

tid/example/tids_main.c
tid/tids.c

index 015ec03..89b5d52 100644 (file)
@@ -256,11 +256,18 @@ static int tids_req_handler (TIDS_INSTANCE *tids,
 
   return s_keylen;
 }
+
 static int auth_handler(gss_name_t gss_name, TR_NAME *client,
                        void *expected_client)
 {
   TR_NAME *expected_client_trname = (TR_NAME*) expected_client;
-  return tr_name_cmp(client, expected_client_trname);
+  int result=tr_name_cmp(client, expected_client_trname);
+  if (result != 0) {
+    tr_notice("Auth denied for incorrect gss-name ('%.*s' requested, expected '%.*s').",
+              client->len, client->buf,
+              expected_client_trname->len, expected_client_trname->buf);
+  }
+  return result;
 }
 
 /* command-line option setup */
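Review bot: The new tr_notice() in the mismatch branch dereferences both `client` and `expected_client_trname` without a NULL check, whereas the original only passed them to `tr_name_cmp()`; if the cookie registered with the TIDS instance can be NULL (not visible here), the first rejected request crashes the server instead of logging it. Also `%.*s` takes an `int` precision and the type of `TR_NAME.len` is not shown — the value originates from a gss_buffer `length` (a `size_t`) in tids.c, so if `len` is `size_t` the varargs call is a format/argument mismatch; casting `(int)client->len` and `(int)expected_client_trname->len` makes the call well-formed either way. I would write the guard as `if (result != 0 && client != NULL && expected_client_trname != NULL) {` and cast both lengths in the tr_notice() arguments. auth_handler is complete within the hunk.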
index 925ff62..b9e2430 100644 (file)
@@ -122,15 +122,24 @@ static int tids_listen (TIDS_INSTANCE *tids, int port)
     return conn;
 }
 
+/* returns EACCES if authorization is denied */
 static int tids_auth_cb(gss_name_t clientName, gss_buffer_t displayName,
                        void *data)
 {
   struct tids_instance *inst = (struct tids_instance *) data;
   TR_NAME name ={(char *) displayName->value,
                 displayName->length};
-  return inst->auth_handler(clientName, &name, inst->cookie);
+  int result=0;
+
+  if (0!=inst->auth_handler(clientName, &name, inst->cookie)) {
+    tr_debug("tids_auth_cb: client '%.*s' denied authorization.", name.len, name.buf);
+    result=EACCES; /* denied */
+  }
+
+  return result;
 }
 
+/* returns 0 on authorization success, 1 on failure, or -1 in case of error */
 static int tids_auth_connection (struct tids_instance *inst,
                                 int conn, gss_ctx_id_t *gssctx)
 {