authorpeter <peter@FreeBSD.org>2014-02-22 01:19:47 +0000
committerpeter <peter@FreeBSD.org>2014-02-22 01:19:47 +0000
commit82dd8026220ee755d559cd8da9da2de16fc9348d (patch)
tree4208a813b452bc9bff3278b1d4031fe29b554c02 /contrib/serf/auth
parentac414654b33e4621cdb49e5b3020a09ad534e289 (diff)
Update serf-1.3.0 -> 1.3.4 - fixes multiple issues (see the CHANGES file)
including an SSL issue that turned up in the cluster with svn-1.8.8.
Diffstat (limited to 'contrib/serf/auth')
-rw-r--r--contrib/serf/auth/auth.c35
-rw-r--r--contrib/serf/auth/auth.h6
-rw-r--r--contrib/serf/auth/auth_basic.c2
-rw-r--r--contrib/serf/auth/auth_digest.c68
-rw-r--r--contrib/serf/auth/auth_spnego.c161
-rw-r--r--contrib/serf/auth/auth_spnego.h17
-rw-r--r--contrib/serf/auth/auth_spnego_gss.c16
-rw-r--r--contrib/serf/auth/auth_spnego_sspi.c7
8 files changed, 228 insertions, 84 deletions
diff --git a/contrib/serf/auth/auth.c b/contrib/serf/auth/auth.c
index 6b7d395..6ba3ba5 100644
--- a/contrib/serf/auth/auth.c
+++ b/contrib/serf/auth/auth.c
@@ -23,7 +23,8 @@
#include <apr_lib.h>
static apr_status_t
-default_auth_response_handler(peer_t peer,
+default_auth_response_handler(const serf__authn_scheme_t *scheme,
+ peer_t peer,
int code,
serf_connection_t *conn,
serf_request_t *request,
@@ -151,6 +152,17 @@ static int handle_auth_headers(int code,
if (!auth_hdr)
continue;
+ if (code == 401) {
+ authn_info = serf__get_authn_info_for_server(conn);
+ } else {
+ authn_info = &ctx->proxy_authn_info;
+ }
+
+ if (authn_info->failed_authn_types & scheme->type) {
+ /* Skip this authn type since we already tried it before. */
+ continue;
+ }
+
/* Found a matching scheme */
status = APR_SUCCESS;
@@ -159,11 +171,6 @@ static int handle_auth_headers(int code,
serf__log_skt(AUTH_VERBOSE, __FILE__, conn->skt,
"... matched: %s\n", scheme->name);
- if (code == 401) {
- authn_info = serf__get_authn_info_for_server(conn);
- } else {
- authn_info = &ctx->proxy_authn_info;
- }
/* If this is the first time we use this scheme on this context and/or
this connection, make sure to initialize the authentication handler
first. */
@@ -198,6 +205,12 @@ static int handle_auth_headers(int code,
*/
serf__log_skt(AUTH_VERBOSE, __FILE__, conn->skt,
"%s authentication failed.\n", scheme->name);
+
+ /* Clear per-request auth_baton when switching to next auth scheme. */
+ request->auth_baton = NULL;
+
+ /* Remember failed auth types to skip in future. */
+ authn_info->failed_authn_types |= scheme->type;
}
return status;
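Review bot: The bit set by `authn_info->failed_authn_types |= scheme->type;` is never cleared anywhere in this diff, so a single failed attempt disables that scheme for the remaining life of the server authn_info (per connection) or the proxy authn_info (the whole context). A transient failure, such as an expired ticket for Negotiate or a mistyped password from the credentials callback, therefore demotes the client to whatever weaker scheme the server also advertises, and if that is Basic the credentials start going out in cleartext with only the AUTH_VERBOSE log line above as a trace. Consider clearing the mask when a scheme later succeeds, and documenting the policy at the assignment: `/* Sticky for the authn_info's lifetime: a failed scheme is not retried even if the server keeps offering it, so the next scheme in order is used instead. */`. handle_auth_headers starts and ends outside this hunk, so the reset may belong elsewhere in it.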
@@ -221,7 +234,7 @@ static int store_header_in_dict(void *baton,
char *auth_name, *c;
/* We're only interested in xxxx-Authenticate headers. */
- if (strcmp(key, ab->header) != 0)
+ if (strcasecmp(key, ab->header) != 0)
return 0;
/* Extract the authentication scheme name. */
@@ -378,16 +391,16 @@ apr_status_t serf__handle_auth_response(int *consumed_response,
authn_info = serf__get_authn_info_for_server(conn);
if (authn_info->scheme) {
validate_resp = authn_info->scheme->validate_response_func;
- resp_status = validate_resp(HOST, sl.code, conn, request, response,
- pool);
+ resp_status = validate_resp(authn_info->scheme, HOST, sl.code,
+ conn, request, response, pool);
}
/* Validate the response proxy authn headers. */
authn_info = &ctx->proxy_authn_info;
if (!resp_status && authn_info->scheme) {
validate_resp = authn_info->scheme->validate_response_func;
- resp_status = validate_resp(PROXY, sl.code, conn, request, response,
- pool);
+ resp_status = validate_resp(authn_info->scheme, PROXY, sl.code,
+ conn, request, response, pool);
}
if (resp_status) {
diff --git a/contrib/serf/auth/auth.h b/contrib/serf/auth/auth.h
index ea14115..7d04375 100644
--- a/contrib/serf/auth/auth.h
+++ b/contrib/serf/auth/auth.h
@@ -78,7 +78,8 @@ apr_status_t serf__setup_request_digest_auth(peer_t peer,
const char *method,
const char *uri,
serf_bucket_t *hdrs_bkt);
-apr_status_t serf__validate_response_digest_auth(peer_t peer,
+apr_status_t serf__validate_response_digest_auth(const serf__authn_scheme_t *scheme,
+ peer_t peer,
int code,
serf_connection_t *conn,
serf_request_t *request,
@@ -108,7 +109,8 @@ apr_status_t serf__setup_request_spnego_auth(peer_t peer,
const char *method,
const char *uri,
serf_bucket_t *hdrs_bkt);
-apr_status_t serf__validate_response_spnego_auth(peer_t peer,
+apr_status_t serf__validate_response_spnego_auth(const serf__authn_scheme_t *scheme,
+ peer_t peer,
int code,
serf_connection_t *conn,
serf_request_t *request,
diff --git a/contrib/serf/auth/auth_basic.c b/contrib/serf/auth/auth_basic.c
index 53b5d95..dcee4a4 100644
--- a/contrib/serf/auth/auth_basic.c
+++ b/contrib/serf/auth/auth_basic.c
@@ -48,7 +48,7 @@ serf__handle_basic_auth(int code,
apr_status_t status;
apr_pool_t *cred_pool;
char *username, *password, *realm_name;
- const char *eq, *realm;
+ const char *eq, *realm = NULL;
/* Can't do Basic authentication if there's no callback to get
username & password. */
diff --git a/contrib/serf/auth/auth_digest.c b/contrib/serf/auth/auth_digest.c
index 7403386..b2c7dec 100644
--- a/contrib/serf/auth/auth_digest.c
+++ b/contrib/serf/auth/auth_digest.c
@@ -96,8 +96,9 @@ random_cnonce(apr_pool_t *pool)
return hex_encode((unsigned char*)buf, pool);
}
-static const char *
-build_digest_ha1(const char *username,
+static apr_status_t
+build_digest_ha1(const char **out_ha1,
+ const char *username,
const char *password,
const char *realm_name,
apr_pool_t *pool)
@@ -113,12 +114,17 @@ build_digest_ha1(const char *username,
realm_name,
password);
status = apr_md5(ha1, tmp, strlen(tmp));
+ if (status)
+ return status;
+
+ *out_ha1 = hex_encode(ha1, pool);
- return hex_encode(ha1, pool);
+ return APR_SUCCESS;
}
-static const char *
-build_digest_ha2(const char *uri,
+static apr_status_t
+build_digest_ha2(const char **out_ha2,
+ const char *uri,
const char *method,
const char *qop,
apr_pool_t *pool)
@@ -134,17 +140,21 @@ build_digest_ha2(const char *uri,
method,
uri);
status = apr_md5(ha2, tmp, strlen(tmp));
+ if (status)
+ return status;
+
+ *out_ha2 = hex_encode(ha2, pool);
- return hex_encode(ha2, pool);
+ return APR_SUCCESS;
} else {
/* TODO: auth-int isn't supported! */
+ return APR_ENOTIMPL;
}
-
- return NULL;
}
-static const char *
-build_auth_header(digest_authn_info_t *digest_info,
+static apr_status_t
+build_auth_header(const char **out_header,
+ digest_authn_info_t *digest_info,
const char *path,
const char *method,
apr_pool_t *pool)
@@ -156,7 +166,9 @@ build_auth_header(digest_authn_info_t *digest_info,
const char *response_hdr_hex;
apr_status_t status;
- ha2 = build_digest_ha2(path, method, digest_info->qop, pool);
+ status = build_digest_ha2(&ha2, path, method, digest_info->qop, pool);
+ if (status)
+ return status;
hdr = apr_psprintf(pool,
"Digest realm=\"%s\","
@@ -194,6 +206,9 @@ build_auth_header(digest_authn_info_t *digest_info,
}
status = apr_md5(response_hdr, response, strlen(response));
+ if (status)
+ return status;
+
response_hdr_hex = hex_encode(response_hdr, pool);
hdr = apr_psprintf(pool, "%s, response=\"%s\"", hdr, response_hdr_hex);
@@ -207,7 +222,9 @@ build_auth_header(digest_authn_info_t *digest_info,
digest_info->algorithm);
}
- return hdr;
+ *out_header = hdr;
+
+ return APR_SUCCESS;
}
apr_status_t
@@ -330,8 +347,8 @@ serf__handle_digest_auth(int code,
digest_info->username = apr_pstrdup(digest_info->pool, username);
digest_info->digest_nc++;
- digest_info->ha1 = build_digest_ha1(username, password, digest_info->realm,
- digest_info->pool);
+ status = build_digest_ha1(&digest_info->ha1, username, password,
+ digest_info->realm, digest_info->pool);
apr_pool_destroy(cred_pool);
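Review bot: `apr_pool_destroy(cred_pool);` releases the password obtained from the credentials callback without scrubbing it, right after `build_digest_ha1` has copied a password-equivalent (the MD5 of user:realm:password) into `digest_info->ha1` in the longer-lived `digest_info->pool`. Pool destruction does not zero memory, so the plaintext stays in freed heap pages and ha1 stays live for the connection; whether the callback's `password` buffer actually lives in cred_pool is not visible here, but if it does, zeroing it before the destroy is cheap, e.g. `if (password) memset(password, 0, strlen(password));` (using an explicit-bzero variant where the build has one, since a plain memset before a free may be elided). Also, a non-zero `status` here still falls through to `serf_connection_set_max_outstanding_requests(conn, 0)` before `return status;` in the next hunk; an early return on failure would be clearer. serf__handle_digest_auth starts outside this hunk.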
@@ -339,7 +356,7 @@ serf__handle_digest_auth(int code,
likes. */
serf_connection_set_max_outstanding_requests(conn, 0);
- return APR_SUCCESS;
+ return status;
}
apr_status_t
@@ -387,7 +404,7 @@ serf__setup_request_digest_auth(peer_t peer,
serf_context_t *ctx = conn->ctx;
serf__authn_info_t *authn_info;
digest_authn_info_t *digest_info;
- apr_status_t status = APR_SUCCESS;
+ apr_status_t status;
if (peer == HOST) {
authn_info = serf__get_authn_info_for_server(conn);
@@ -421,8 +438,10 @@ serf__setup_request_digest_auth(peer_t peer,
/* Build a new Authorization header. */
digest_info->header = (peer == HOST) ? "Authorization" :
"Proxy-Authorization";
- value = build_auth_header(digest_info, path, method,
- conn->pool);
+ status = build_auth_header(&value, digest_info, path, method,
+ conn->pool);
+ if (status)
+ return status;
serf_bucket_headers_setn(hdrs_bkt, digest_info->header,
value);
@@ -431,14 +450,15 @@ serf__setup_request_digest_auth(peer_t peer,
/* Store the uri of this request on the serf_request_t object, to make
it available when validating the Authentication-Info header of the
matching response. */
- request->auth_baton = path;
+ request->auth_baton = (void *)path;
}
- return status;
+ return APR_SUCCESS;
}
apr_status_t
-serf__validate_response_digest_auth(peer_t peer,
+serf__validate_response_digest_auth(const serf__authn_scheme_t *scheme,
+ peer_t peer,
int code,
serf_connection_t *conn,
serf_request_t *request,
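Review bot: `request->auth_baton = (void *)path;` casts away const and parks a `const char *` in the same untyped per-request slot that the SPNEGO handler in this commit fills with a bare `TRUE` sentinel, so a reader of either consumer cannot tell from the type which kind of value is present. The comment above says the pointer is read back when the response's Authentication-Info header is validated, so `path` must outlive the request; where `path` is allocated is above this hunk (the function starts outside it), so please confirm it is not a scratch-pool string. A one-line note at the assignment would help: `/* Digest keeps the request URI here (const char *); SPNEGO stores a TRUE flag in the same field. */`.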
@@ -453,6 +473,7 @@ serf__validate_response_digest_auth(peer_t peer,
const char *nc_str = NULL;
serf_bucket_t *hdrs;
serf_context_t *ctx = conn->ctx;
+ apr_status_t status;
hdrs = serf_bucket_response_get_headers(response);
@@ -516,7 +537,10 @@ serf__validate_response_digest_auth(peer_t peer,
}
digest_info = authn_info->baton;
- ha2 = build_digest_ha2(req_uri, "", qop, pool);
+ status = build_digest_ha2(&ha2, req_uri, "", qop, pool);
+ if (status)
+ return status;
+
tmp = apr_psprintf(pool, "%s:%s:%s:%s:%s:%s",
digest_info->ha1, digest_info->nonce, nc_str,
digest_info->cnonce, digest_info->qop, ha2);
diff --git a/contrib/serf/auth/auth_spnego.c b/contrib/serf/auth/auth_spnego.c
index 4d22ec1..c0ad27e 100644
--- a/contrib/serf/auth/auth_spnego.c
+++ b/contrib/serf/auth/auth_spnego.c
@@ -181,7 +181,8 @@ typedef struct
claim to be. The session key can only be used with the HTTP service
on the target host. */
static apr_status_t
-gss_api_get_credentials(char *token, apr_size_t token_len,
+gss_api_get_credentials(serf_connection_t *conn,
+ char *token, apr_size_t token_len,
const char *hostname,
const char **buf, apr_size_t *buf_len,
gss_authn_info_t *gss_info)
@@ -202,6 +203,7 @@ gss_api_get_credentials(char *token, apr_size_t token_len,
/* Establish a security context to the server. */
status = serf__spnego_init_sec_context(
+ conn,
gss_info->gss_ctx,
KRB_HTTP_SERVICE, hostname,
&input_buf,
@@ -212,7 +214,11 @@ gss_api_get_credentials(char *token, apr_size_t token_len,
switch(status) {
case APR_SUCCESS:
- gss_info->state = gss_api_auth_completed;
+ if (output_buf.length == 0) {
+ gss_info->state = gss_api_auth_completed;
+ } else {
+ gss_info->state = gss_api_auth_in_progress;
+ }
break;
case APR_EAGAIN:
gss_info->state = gss_api_auth_in_progress;
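Review bot: The new `output_buf.length == 0` test in the APR_SUCCESS case has no comment explaining why a successful init_sec_context can still leave the handshake in progress, which is the non-obvious part of this change. Suggest `/* GSS_S_COMPLETE may still hand back a final token (e.g. with mutual auth); the handshake is only over once there is nothing left to send. */`. Because the same in_progress state is also assigned in the APR_EAGAIN (continue-needed) case, later code cannot tell whether a further server token is required or merely possible; if that distinction matters when validating the 2xx response, a separate flag set on APR_EAGAIN would be needed. gss_api_get_credentials continues outside this hunk.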
@@ -242,6 +248,7 @@ do_auth(peer_t peer,
int code,
gss_authn_info_t *gss_info,
serf_connection_t *conn,
+ serf_request_t *request,
const char *auth_hdr,
apr_pool_t *pool)
{
@@ -306,6 +313,14 @@ do_auth(peer_t peer,
break;
}
+ if (request->auth_baton && !token) {
+ /* We provided token with this request, but server responded with empty
+ authentication header. This means server rejected our credentials.
+ XXX: Probably we need separate error code for this case like
+ SERF_ERROR_AUTHN_CREDS_REJECTED? */
+ return SERF_ERROR_AUTHN_FAILED;
+ }
+
/* If the server didn't provide us with a token, start with a new initial
step in the SPNEGO authentication. */
if (!token) {
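Review bot: The new `request->auth_baton && !token` check treats any non-NULL auth_baton as proof that this request carried a SPNEGO token, yet auth_baton is an untyped per-request slot that the Digest handler in this same commit fills with the request path; the check is only sound because auth.c clears the slot when switching schemes, and that coupling is undocumented here. On the rejection path `gss_info->state` is left as it was, so if the caller retries on the same connection the security context is still mid-handshake; whether auth.c resets it is outside this hunk. Suggest a comment at the check, `/* auth_baton is set to TRUE by setup_request_spnego_auth when a token was sent; auth.c NULLs it before another scheme is tried. */`, and, if the retry path does not reset it, resetting the state alongside the return. do_auth begins and ends outside this hunk.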
@@ -314,14 +329,16 @@ do_auth(peer_t peer,
}
if (peer == HOST) {
- status = gss_api_get_credentials(token, token_len,
+ status = gss_api_get_credentials(conn,
+ token, token_len,
conn->host_info.hostname,
&tmp, &tmp_len,
gss_info);
} else {
char *proxy_host;
apr_getnameinfo(&proxy_host, conn->ctx->proxy_address, 0);
- status = gss_api_get_credentials(token, token_len, proxy_host,
+ status = gss_api_get_credentials(conn,
+ token, token_len, proxy_host,
&tmp, &tmp_len,
gss_info);
}
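Review bot: The proxy branch still ignores the return value of `apr_getnameinfo(&proxy_host, conn->ctx->proxy_address, 0);` and passes `proxy_host` straight into `gss_api_get_credentials` as the Kerberos service host, so on a failed lookup the SPN is built from whatever the call left in that variable; this commit only added the `conn` argument around it. Checking it is a one-liner: `status = apr_getnameinfo(&proxy_host, conn->ctx->proxy_address, 0); if (status) return status;`. Separately, deriving the SPN from a reverse lookup of the proxy's address means whoever controls that PTR record chooses which service principal the client obtains a ticket for; if the proxy hostname the user configured is available on the context, using it directly would be more robust, and either way the choice deserves a comment. do_auth's body continues outside this hunk.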
@@ -357,24 +374,32 @@ serf__init_spnego_connection(const serf__authn_scheme_t *scheme,
serf_connection_t *conn,
apr_pool_t *pool)
{
- gss_authn_info_t *gss_info;
- apr_status_t status;
-
- gss_info = apr_pcalloc(conn->pool, sizeof(*gss_info));
- gss_info->pool = conn->pool;
- gss_info->state = gss_api_auth_not_started;
- gss_info->pstate = pstate_init;
- status = serf__spnego_create_sec_context(&gss_info->gss_ctx, scheme,
- gss_info->pool, pool);
-
- if (status) {
- return status;
- }
+ serf_context_t *ctx = conn->ctx;
+ serf__authn_info_t *authn_info;
+ gss_authn_info_t *gss_info = NULL;
+ /* For proxy authentication, reuse the gss context for all connections.
+ For server authentication, create a new gss context per connection. */
if (code == 401) {
- conn->authn_baton = gss_info;
+ authn_info = &conn->authn_info;
} else {
- conn->proxy_authn_baton = gss_info;
+ authn_info = &ctx->proxy_authn_info;
+ }
+ gss_info = authn_info->baton;
+
+ if (!gss_info) {
+ apr_status_t status;
+
+ gss_info = apr_pcalloc(conn->pool, sizeof(*gss_info));
+ gss_info->pool = conn->pool;
+ gss_info->state = gss_api_auth_not_started;
+ gss_info->pstate = pstate_init;
+ status = serf__spnego_create_sec_context(&gss_info->gss_ctx, scheme,
+ gss_info->pool, pool);
+ if (status) {
+ return status;
+ }
+ authn_info->baton = gss_info;
}
/* Make serf send the initial requests one by one */
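Review bot: For the proxy case this hunk stores a `gss_info` allocated from `conn->pool` into `ctx->proxy_authn_info.baton`, which the new comment says is reused by all connections on the context; once the connection that created it is closed and its pool destroyed, every other connection's proxy authentication dereferences freed memory, and the GSS security context created against `gss_info->pool` is likely torn down with it. Pick the pool to match the documented lifetime, e.g. `apr_pool_t *gss_pool = (code == 401) ? conn->pool : ctx->pool;` and allocate `gss_info` from `gss_pool` (assuming the context exposes its pool as `ctx->pool`; confirm). The reuse also means two connections authenticating to the proxy at the same time share one security context mid-handshake, which is worth a comment if serf serialises that elsewhere.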
@@ -397,13 +422,15 @@ serf__handle_spnego_auth(int code,
apr_pool_t *pool)
{
serf_connection_t *conn = request->conn;
- gss_authn_info_t *gss_info = (code == 401) ? conn->authn_baton :
- conn->proxy_authn_baton;
+ serf_context_t *ctx = conn->ctx;
+ gss_authn_info_t *gss_info = (code == 401) ? conn->authn_info.baton :
+ ctx->proxy_authn_info.baton;
return do_auth(code == 401 ? HOST : PROXY,
code,
gss_info,
request->conn,
+ request,
auth_hdr,
pool);
}
@@ -418,8 +445,9 @@ serf__setup_request_spnego_auth(peer_t peer,
const char *uri,
serf_bucket_t *hdrs_bkt)
{
- gss_authn_info_t *gss_info = (peer == HOST) ? conn->authn_baton :
- conn->proxy_authn_baton;
+ serf_context_t *ctx = conn->ctx;
+ gss_authn_info_t *gss_info = (peer == HOST) ? conn->authn_info.baton :
+ ctx->proxy_authn_info.baton;
/* If we have an ongoing authentication handshake, the handler of the
previous response will have created the authn headers for this request
@@ -431,6 +459,10 @@ serf__setup_request_spnego_auth(peer_t peer,
serf_bucket_headers_setn(hdrs_bkt, gss_info->header,
gss_info->value);
+ /* Remember that we're using this request for authentication
+ handshake. */
+ request->auth_baton = (void*) TRUE;
+
/* We should send each token only once. */
gss_info->header = NULL;
gss_info->value = NULL;
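Review bot: `request->auth_baton = (void*) TRUE;` turns an untyped pointer slot into a boolean flag, and the same slot is used elsewhere in this commit to hold a `const char *` path for Digest; neither site names the convention. At minimum make the sentinel a named constant rather than a cast of TRUE, e.g. `#define SPNEGO_AUTH_BATON_SENT ((void *)1)`, and note at the assignment `/* Marks that this request carried a SPNEGO token; do_auth checks it to detect rejected credentials, and auth.c clears it when another scheme is tried. */`. The same assignment is repeated in the following hunk and would benefit from a tiny helper. serf__setup_request_spnego_auth starts outside this hunk.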
@@ -469,6 +501,7 @@ serf__setup_request_spnego_auth(peer_t peer,
code,
gss_info,
conn,
+ request,
0l, /* no response authn header */
conn->pool);
if (status)
@@ -476,6 +509,11 @@ serf__setup_request_spnego_auth(peer_t peer,
serf_bucket_headers_setn(hdrs_bkt, gss_info->header,
gss_info->value);
+
+ /* Remember that we're using this request for authentication
+ handshake. */
+ request->auth_baton = (void*) TRUE;
+
/* We should send each token only once. */
gss_info->header = NULL;
gss_info->value = NULL;
@@ -486,19 +524,70 @@ serf__setup_request_spnego_auth(peer_t peer,
return APR_SUCCESS;
}
+/**
+ * Baton passed to the get_auth_header callback function.
+ */
+typedef struct {
+ const char *hdr_name;
+ const char *auth_name;
+ const char *hdr_value;
+ apr_pool_t *pool;
+} get_auth_header_baton_t;
+
+static int
+get_auth_header_cb(void *baton,
+ const char *key,
+ const char *header)
+{
+ get_auth_header_baton_t *b = baton;
+
+ /* We're only interested in xxxx-Authenticate headers. */
+ if (strcasecmp(key, b->hdr_name) != 0)
+ return 0;
+
+ /* Check if header value starts with interesting auth name. */
+ if (strncmp(header, b->auth_name, strlen(b->auth_name)) == 0) {
+ /* Save interesting header value and stop iteration. */
+ b->hdr_value = apr_pstrdup(b->pool, header);
+ return 1;
+ }
+
+ return 0;
+}
+
+static const char *
+get_auth_header(serf_bucket_t *hdrs,
+ const char *hdr_name,
+ const char *auth_name,
+ apr_pool_t *pool)
+{
+ get_auth_header_baton_t b;
+
+ b.auth_name = hdr_name;
+ b.hdr_name = auth_name;
+ b.hdr_value = NULL;
+ b.pool = pool;
+
+ serf_bucket_headers_do(hdrs, get_auth_header_cb, &b);
+
+ return b.hdr_value;
+}
+
/* Function is called when 2xx responses are received. Normally we don't
* have to do anything, except for the first response after the
* authentication handshake. This specific response includes authentication
* data which should be validated by the client (mutual authentication).
*/
apr_status_t
-serf__validate_response_spnego_auth(peer_t peer,
+serf__validate_response_spnego_auth(const serf__authn_scheme_t *scheme,
+ peer_t peer,
int code,
serf_connection_t *conn,
serf_request_t *request,
serf_bucket_t *response,
apr_pool_t *pool)
{
+ serf_context_t *ctx = conn->ctx;
gss_authn_info_t *gss_info;
const char *auth_hdr_name;
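Review bot: `get_auth_header` assigns its arguments crosswise, `b.auth_name = hdr_name; b.hdr_name = auth_name;`, so the callback compares the header key against the scheme name ("Negotiate") and the header value against "WWW-Authenticate"; nothing ever matches and the function always returns NULL. The consequence in the next hunk is that validate_response_spnego_auth unconditionally takes the "nothing to validate, authentication completed" branch, so the server's final token is never fed back into the GSS context and mutual authentication is silently skipped. The fix is `b.hdr_name = hdr_name; b.auth_name = auth_name;`. Two smaller points in the callback: `strncmp` is case-sensitive although RFC 7235 auth-scheme names are not (auth.c in this same commit switched the header-name compare to strcasecmp), and the prefix test accepts `NegotiateFoo` because it does not require a space or end of string after the scheme name.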
@@ -511,10 +600,10 @@ serf__validate_response_spnego_auth(peer_t peer,
"Validate Negotiate response header.\n");
if (peer == HOST) {
- gss_info = conn->authn_baton;
+ gss_info = conn->authn_info.baton;
auth_hdr_name = "WWW-Authenticate";
} else {
- gss_info = conn->proxy_authn_baton;
+ gss_info = ctx->proxy_authn_info.baton;
auth_hdr_name = "Proxy-Authenticate";
}
@@ -524,11 +613,23 @@ serf__validate_response_spnego_auth(peer_t peer,
apr_status_t status;
hdrs = serf_bucket_response_get_headers(response);
- auth_hdr_val = serf_bucket_headers_get(hdrs, auth_hdr_name);
+ auth_hdr_val = get_auth_header(hdrs, auth_hdr_name, scheme->name,
+ pool);
+
+ if (auth_hdr_val) {
+ status = do_auth(peer, code, gss_info, conn, request, auth_hdr_val,
+ pool);
+ if (status) {
+ return status;
+ }
+ } else {
+ /* No Authenticate headers, nothing to validate: authentication
+ completed.*/
+ gss_info->state = gss_api_auth_completed;
- status = do_auth(peer, code, gss_info, conn, auth_hdr_val, pool);
- if (status)
- return status;
+ serf__log_skt(AUTH_VERBOSE, __FILE__, conn->skt,
+ "SPNEGO handshake completed.\n");
+ }
}
if (gss_info->state == gss_api_auth_completed) {
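Review bot: The new `else` branch sets `gss_info->state = gss_api_auth_completed` whenever no matching WWW-Authenticate/Proxy-Authenticate header is found on the 2xx response, which treats a server that never sent its final token exactly like one that did; if the security context was initialised with mutual authentication requested (not visible here), that is precisely the case in which the server has failed to prove its identity and the response should be rejected rather than accepted. Because `gss_api_auth_in_progress` is set both for GSS continue-needed and for complete-with-trailing-token in an earlier hunk, the state alone cannot distinguish "a server token was required" from "one was merely possible"; a flag recorded when init_sec_context returned APR_EAGAIN would let this branch return SERF_ERROR_AUTHN_FAILED in the required case. At minimum the comment should say that the absence of the header is being trusted, e.g. `/* No token from the server: accepted as-is, so mutual authentication is not enforced here. */`. The enclosing if-block and function continue outside this hunk.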
diff --git a/contrib/serf/auth/auth_spnego.h b/contrib/serf/auth/auth_spnego.h
index 5af3b09..8635629 100644
--- a/contrib/serf/auth/auth_spnego.h
+++ b/contrib/serf/auth/auth_spnego.h
@@ -88,14 +88,15 @@ serf__spnego_create_sec_context(serf__spnego_context_t **ctx_p,
* Other returns values indicates error.
*/
apr_status_t
-serf__spnego_init_sec_context(serf__spnego_context_t *ctx,
- const char *service,
- const char *hostname,
- serf__spnego_buffer_t *input_buf,
- serf__spnego_buffer_t *output_buf,
- apr_pool_t *result_pool,
- apr_pool_t *scratch_pool
- );
+serf__spnego_init_sec_context(serf_connection_t *conn,
+ serf__spnego_context_t *ctx,
+ const char *service,
+ const char *hostname,
+ serf__spnego_buffer_t *input_buf,
+ serf__spnego_buffer_t *output_buf,
+ apr_pool_t *result_pool,
+ apr_pool_t *scratch_pool
+ );
/*
* Reset a previously created security context so we can start with a new one.
diff --git a/contrib/serf/auth/auth_spnego_gss.c b/contrib/serf/auth/auth_spnego_gss.c
index aa3ebc6..0f33385 100644
--- a/contrib/serf/auth/auth_spnego_gss.c
+++ b/contrib/serf/auth/auth_spnego_gss.c
@@ -43,7 +43,7 @@ struct serf__spnego_context_t
};
static void
-log_error(int verbose_flag, const char *filename,
+log_error(int verbose_flag, apr_socket_t *skt,
serf__spnego_context_t *ctx,
OM_uint32 err_maj_stat,
OM_uint32 err_min_stat,
@@ -70,7 +70,7 @@ log_error(int verbose_flag, const char *filename,
&stat_buff);
}
- serf__log(verbose_flag, filename,
+ serf__log_skt(verbose_flag, __FILE__, skt,
"%s (%x,%d): %s\n", msg,
err_maj_stat, err_min_stat, stat_buff.value);
}
@@ -89,7 +89,7 @@ cleanup_ctx(void *data)
gss_maj_stat = gss_delete_sec_context(&gss_min_stat, &ctx->gss_ctx,
GSS_C_NO_BUFFER);
if(GSS_ERROR(gss_maj_stat)) {
- log_error(AUTH_VERBOSE, __FILE__, ctx,
+ log_error(AUTH_VERBOSE, NULL, ctx,
gss_maj_stat, gss_min_stat,
"Error cleaning up GSS security context");
return SERF_ERROR_AUTHN_FAILED;
@@ -146,7 +146,8 @@ serf__spnego_reset_sec_context(serf__spnego_context_t *ctx)
}
apr_status_t
-serf__spnego_init_sec_context(serf__spnego_context_t *ctx,
+serf__spnego_init_sec_context(serf_connection_t *conn,
+ serf__spnego_context_t *ctx,
const char *service,
const char *hostname,
serf__spnego_buffer_t *input_buf,
@@ -166,12 +167,13 @@ serf__spnego_init_sec_context(serf__spnego_context_t *ctx,
/* TODO: should be shared between multiple requests. */
bufdesc.value = apr_pstrcat(scratch_pool, service, "@", hostname, NULL);
bufdesc.length = strlen(bufdesc.value);
- serf__log(AUTH_VERBOSE, __FILE__, "Get principal for %s\n", bufdesc.value);
+ serf__log_skt(AUTH_VERBOSE, __FILE__, conn->skt,
+ "Get principal for %s\n", bufdesc.value);
gss_maj_stat = gss_import_name (&gss_min_stat, &bufdesc,
GSS_C_NT_HOSTBASED_SERVICE,
&host_gss_name);
if(GSS_ERROR(gss_maj_stat)) {
- log_error(AUTH_VERBOSE, __FILE__, ctx,
+ log_error(AUTH_VERBOSE, conn->skt, ctx,
gss_maj_stat, gss_min_stat,
"Error converting principal name to GSS internal format ");
return SERF_ERROR_AUTHN_FAILED;
@@ -214,7 +216,7 @@ serf__spnego_init_sec_context(serf__spnego_context_t *ctx,
case GSS_S_CONTINUE_NEEDED:
return APR_EAGAIN;
default:
- log_error(AUTH_VERBOSE, __FILE__, ctx,
+ log_error(AUTH_VERBOSE, conn->skt, ctx,
gss_maj_stat, gss_min_stat,
"Error during Kerberos handshake");
return SERF_ERROR_AUTHN_FAILED;
diff --git a/contrib/serf/auth/auth_spnego_sspi.c b/contrib/serf/auth/auth_spnego_sspi.c
index ef13428..2f75f7a 100644
--- a/contrib/serf/auth/auth_spnego_sspi.c
+++ b/contrib/serf/auth/auth_spnego_sspi.c
@@ -192,7 +192,8 @@ serf__spnego_reset_sec_context(serf__spnego_context_t *ctx)
}
apr_status_t
-serf__spnego_init_sec_context(serf__spnego_context_t *ctx,
+serf__spnego_init_sec_context(serf_connection_t *conn,
+ serf__spnego_context_t *ctx,
const char *service,
const char *hostname,
serf__spnego_buffer_t *input_buf,
@@ -219,8 +220,8 @@ serf__spnego_init_sec_context(serf__spnego_context_t *ctx,
ctx->target_name = apr_pstrcat(scratch_pool, service, "/", canonname,
NULL);
- serf__log(AUTH_VERBOSE, __FILE__,
- "Using SPN '%s' for '%s'\n", ctx->target_name, hostname);
+ serf__log_skt(AUTH_VERBOSE, __FILE__, conn->skt,
+ "Using SPN '%s' for '%s'\n", ctx->target_name, hostname);
}
else if (ctx->authn_type == SERF_AUTHN_NTLM)
{
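Review bot: The context line `ctx->target_name = apr_pstrcat(scratch_pool, service, "/", canonname, NULL);` stores a string allocated from `scratch_pool` into the long-lived security context, while the function also takes a `result_pool`, which suggests scratch_pool may be cleared before ctx is used again; if target_name is read on a later call (not visible here), it dangles and should be allocated from `result_pool` instead. Where `canonname` comes from is above the hunk; if it is the canonical name returned by a forward DNS lookup of `hostname`, then the SPN the ticket is requested for is chosen by whoever answers that lookup, which is worth stating in a comment next to the log line added here, e.g. `/* SPN is derived from the resolver's canonical name, not the user-supplied host. */`. serf__spnego_init_sec_context starts outside this hunk.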