From 26e3e1459e76a542dbc33896e2e42cd09d2d9198 Mon Sep 17 00:00:00 2001 From: Jennifer Richards Date: Thu, 26 Apr 2018 12:05:15 -0400 Subject: [PATCH] Log incoming IP address when accepting a connection --- common/tr_socket.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++ include/tr_socket.h | 2 ++ mon/mons.c | 4 ++-- tid/tids.c | 4 ++-- tr/tr_trp.c | 8 +++++-- trp/trp_conn.c | 5 +++-- 6 files changed, 76 insertions(+), 8 deletions(-) diff --git a/common/tr_socket.c b/common/tr_socket.c index 7f1c917..1bb3cc2 100644 --- a/common/tr_socket.c +++ b/common/tr_socket.c @@ -40,6 +40,7 @@ #include #include +#include /** * Open sockets on all interface addresses 
@@ -137,3 +138,63 @@ nfds_t tr_sock_listen_all(unsigned int port, int *fd_out, nfds_t max_fd) return n_opened; } +/** + * Extract a string-formatted socket address from a struct sockaddr + * + * @param s + * @param dst pointer to allocated space of at least INET6_ADDRSLEN bytes + * @param dst_len size of space allocated at dst + * @return pointer to dst or null on error + */ +static const char *tr_sock_ip_address(struct sockaddr *s, char *dst, size_t dst_len) +{ + switch (s->sa_family) { + case AF_INET: + inet_ntop(AF_INET, + &(((struct sockaddr_in *)s)->sin_addr), + dst, + (socklen_t) dst_len); + break; + + case AF_INET6: + inet_ntop(AF_INET6, + &(((struct sockaddr_in6 *)s)->sin6_addr), + dst, + (socklen_t) dst_len); + break; + + default: + snprintf(dst, dst_len, "addr family %u", s->sa_family); + break; + } + + return dst; +} + +/** + * Accept a socket connection + * + * @param sock + * @return -1 on error, connection fd on success + */ +int tr_sock_accept(int sock) +{ + int conn = -1; + struct sockaddr_storage peeraddr; + socklen_t addr_len = sizeof(peeraddr); + char peeraddr_string[INET6_ADDRSTRLEN]; + char err[80]; + + if (0 > (conn = accept(sock, (struct sockaddr *)&(peeraddr), &addr_len))) { + if (strerror_r(errno, err, sizeof(err))) + snprintf(err, sizeof(err), "errno = %d", errno); + tr_err("tr_sock_accept: Unable to accept connection: %s", err); + } else { + tr_notice("tr_sock_accept: Incoming connection on fd %d from %s", + conn, + tr_sock_ip_address((struct sockaddr *)&peeraddr, + peeraddr_string, + sizeof(peeraddr_string))); + } + return conn; +} diff --git a/include/tr_socket.h b/include/tr_socket.h index 064c6fc..e90a912 100644 --- a/include/tr_socket.h +++ b/include/tr_socket.h @@ -37,7 +37,9 @@ #include #include // for nfds_t +#include nfds_t tr_sock_listen_all(unsigned int port, int *fd_out, nfds_t max_fd); +int tr_sock_accept(int sock); #endif //TRUST_ROUTER_TR_SOCKET_H diff --git a/mon/mons.c b/mon/mons.c index f2e69c5..cb70d3b 100644 
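Review bot: In `tr_sock_ip_address` the return value of both `inet_ntop()` calls is discarded, so if either call fails `dst` is returned unwritten and `tr_sock_accept` passes that uninitialized stack buffer to a `%s` argument of `tr_notice`. The doc comment promises "null on error" but the function can only return `dst`, and it names `INET6_ADDRSLEN` where the constant actually used is `INET6_ADDRSTRLEN`. I would fall back to the address-family text whenever conversion fails, as below, and correct the comment to say the function always returns `dst`. Separately, `if (strerror_r(...))` assumes the XSI variant that returns an int; if this file is built with `_GNU_SOURCE` (not visible here) the GNU variant returns a `char *`, the branch is always taken, and the log would always read `errno = N`.

```c
static const char *tr_sock_ip_address(struct sockaddr *s, char *dst, size_t dst_len)
{
  const void *addr = NULL;

  switch (s->sa_family) {
    case AF_INET:
      addr = &(((struct sockaddr_in *)s)->sin_addr);
      break;

    case AF_INET6:
      addr = &(((struct sockaddr_in6 *)s)->sin6_addr);
      break;

    default:
      break;
  }

  /* Always leave a terminated string in dst: it is logged with %s by the caller */
  if ((addr == NULL)
      || (inet_ntop(s->sa_family, addr, dst, (socklen_t) dst_len) == NULL))
    snprintf(dst, dst_len, "addr family %u", (unsigned int) s->sa_family);

  return dst;
}
```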
--- a/mon/mons.c +++ b/mon/mons.c @@ -225,8 +225,8 @@ int mons_accept(MONS_INSTANCE *mons, int listen) int conn=-1; int pid=-1; - if (0 > (conn = accept(listen, NULL, NULL))) { - perror("Error from monitoring interface accept()"); + if (0 > (conn = tr_sock_accept(listen))) { + tr_err("mons_accept: Error accepting connection"); return 1; } diff --git a/tid/tids.c b/tid/tids.c index 6a5b172..e780a22 100644 --- a/tid/tids.c +++ b/tid/tids.c @@ -399,8 +399,8 @@ int tids_accept(TIDS_INSTANCE *tids, int listen) int pipe_fd[2]; struct tid_process tp = {0}; - if (0 > (conn = accept(listen, NULL, NULL))) { - perror("Error from TIDS Server accept()"); + if (0 > (conn = tr_sock_accept(listen))) { + tr_err("tids_accept: Error accepting connection"); return 1; } diff --git a/tr/tr_trp.c b/tr/tr_trp.c index e075d58..ed276b0 100644 --- a/tr/tr_trp.c +++ b/tr/tr_trp.c @@ -114,7 +114,7 @@ static int tr_trps_gss_handler(gss_name_t client_name, gss_buffer_t gss_name, tr_debug("tr_trps_gss_handler()"); - if ((!client_name) || (!gss_name) || (!trps) || (!cfg_mgr)) { + if ((!client_name) || (!trps) || (!cfg_mgr)) { tr_debug("tr_trps_gss_handler: Bad parameters."); return -1; } @@ -881,7 +881,11 @@ void tr_config_changed(TR_CFG *new_cfg, void *cookie) tr_debug("tr_config_changed: freeing tr->mons->authorized_gss_names"); tr_gss_names_free(tr->mons->authorized_gss_names); } - tr->mons->authorized_gss_names = tr_gss_names_dup(tr->mons, new_cfg->internal->monitoring_credentials); + if (new_cfg->internal->monitoring_credentials != NULL) { + tr->mons->authorized_gss_names = tr_gss_names_dup(tr->mons, new_cfg->internal->monitoring_credentials); + } else { + tr->mons->authorized_gss_names = tr_gss_names_new(tr->mons); + } if (tr->mons->authorized_gss_names == NULL) { tr_err("tr_config_changed: Error configuring monitoring credentials"); } diff --git a/trp/trp_conn.c b/trp/trp_conn.c index 64ddf3c..35ea2cb 100644 --- a/trp/trp_conn.c +++ b/trp/trp_conn.c 
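Review bot: Dropping `(!gss_name)` from the parameter check in `tr_trps_gss_handler` is unrelated to the connection-logging change named in the subject line, and it relaxes validation in an authentication callback. The rest of the handler lies outside the hunk, so it cannot be confirmed from here that `gss_name` is never dereferenced later; if it is, a NULL value now gets past the guard. Either move this to its own commit with the reason stated, or, once verified, add a comment at the check such as `/* gss_name is not used by this handler, so NULL is accepted */`.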
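Review bot: In `tr_config_changed` the old `authorized_gss_names` list is freed in the context lines just above, and a NULL result from `tr_gss_names_dup` or the new `tr_gss_names_new` call is only logged before the function carries on. That leaves `tr->mons->authorized_gss_names` NULL for later requests; whether the monitoring authorization check treats a NULL list as "deny all" is not visible here and should be confirmed. The new else branch also deserves a comment, for example `/* no monitoring credentials configured: use an empty list so no GSS name is authorized */`, assuming `tr_gss_names_new` returns an empty list. The function starts and ends outside this hunk.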
@@ -40,6 +40,7 @@ #include #include +#include /* Threading note: mutex lock is only used for protecting get_status() and set_status(). * If needed, locking for other operations (notably adding/removing connections) must be managed @@ -344,10 +345,10 @@ TRP_CONNECTION *trp_connection_accept(TALLOC_CTX *mem_ctx, int listen, TR_NAME * int conn_fd=-1; TRP_CONNECTION *conn=NULL; - conn_fd = accept(listen, NULL, NULL); + conn_fd = tr_sock_accept(listen); if (0 > conn_fd) { - tr_notice("trp_connection_accept: accept() returned error."); + tr_notice("trp_connection_accept: Error accepting connection."); return NULL; } conn=trp_connection_new(mem_ctx); -- 2.1.4
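Review bot: The failure path in `trp_connection_accept` still logs at `tr_notice`, whereas the same path in `mons_accept` and `tids_accept` in this commit uses `tr_err`, so a failing TRP listener is easy to miss when logs are filtered by severity. I would change it to `tr_err("trp_connection_accept: Error accepting connection.");` to match the other two callers. The function body continues past the end of the hunk.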