From 3c1e2decf52f62a6034250c4c20a9007928363ae Mon Sep 17 00:00:00 2001
From: Jennifer Richards
Date: Tue, 17 May 2016 15:38:31 -0400
Subject: [PATCH] Give useful tids error on bad gss-name (bug 1325953)

Return a meaningful error code from tids_auth_cb() when there is a mismatch between the expected gss-name and the client name in a TID request. Also print a helpful error message to the server log.
---
 tid/example/tids_main.c | 9 ++++++++-
 tid/tids.c | 11 ++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/tid/example/tids_main.c b/tid/example/tids_main.c
index 015ec03..89b5d52 100644
--- a/tid/example/tids_main.c
+++ b/tid/example/tids_main.c
@@ -256,11 +256,18 @@ static int tids_req_handler (TIDS_INSTANCE *tids,
 return s_keylen;
 }
+
 static int auth_handler(gss_name_t gss_name, TR_NAME *client, void *expected_client)
 {
 TR_NAME *expected_client_trname = (TR_NAME*) expected_client;
- return tr_name_cmp(client, expected_client_trname);
+ int result=tr_name_cmp(client, expected_client_trname);
+ if (result != 0) {
+ tr_notice("Auth denied for incorrect gss-name ('%.*s' requested, expected '%.*s').",
+ client->len, client->buf,
+ expected_client_trname->len, expected_client_trname->buf);
+ }
+ return result;
 }
 /* command-line option setup */
diff --git a/tid/tids.c b/tid/tids.c
index 925ff62..b9e2430 100644
--- a/tid/tids.c
+++ b/tid/tids.c
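Review bot: The `%.*s` precision arguments in the new `tr_notice` call (`client->len`, `expected_client_trname->len`) must be `int`; the hunk does not show how `TR_NAME.len` is declared, so if it is not an `int` the call is undefined behaviour and each should be passed as `(int)client->len` — the same applies to `name.len` in the `tr_debug` call added to tids_auth_cb in tid/tids.c. The mismatch branch also dereferences `expected_client_trname` without a check; `tr_name_cmp` is not shown, but if it tolerates a NULL expected name the new logging would not, so a guard such as `if (result != 0 && expected_client_trname != NULL)` keeps the deny path from crashing. `client->buf` is the peer-supplied GSS display name written to the log verbatim, so control characters or newlines in it reach the log unescaped; escaping non-printable bytes before logging would keep log lines well-formed. Together with the `tr_debug` added in tids_auth_cb, every denial is now logged twice, once at notice and once at debug level.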
@@ -122,15 +122,24 @@ static int tids_listen (TIDS_INSTANCE *tids, int port)
 return conn;
 }
+/* returns EACCES if authorization is denied */
 static int tids_auth_cb(gss_name_t clientName, gss_buffer_t displayName, void *data)
 {
 struct tids_instance *inst = (struct tids_instance *) data;
 TR_NAME name ={(char *) displayName->value, displayName->length};
- return inst->auth_handler(clientName, &name, inst->cookie);
+ int result=0;
+
+ if (0!=inst->auth_handler(clientName, &name, inst->cookie)) {
+ tr_debug("tids_auth_cb: client '%.*s' denied authorization.", name.len, name.buf);
+ result=EACCES; /* denied */
+ }
+
+ return result;
 }
+/* returns 0 on authorization success, 1 on failure, or -1 in case of error */
 static int tids_auth_connection (struct tids_instance *inst, int conn, gss_ctx_id_t *gssctx)
 {
-- 
2.1.4
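Review bot: `EACCES` needs `<errno.h>`, and the hunk does not show whether tid/tids.c already includes it, so confirm that or add `#include <errno.h>` with the file's other includes. The new callback turns every nonzero `auth_handler` result into `EACCES`, so a handler that fails for an internal reason rather than a name mismatch is reported as a denial; that contract should be stated where the handler type is declared and in the comment on this function, e.g. `/* returns 0 if inst->auth_handler accepts the client, EACCES for any nonzero handler result (denied) */`. The added comment on tids_auth_connection promises 0/1/-1 returns, but that function's body lies outside the hunk, so the claim cannot be checked here.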