authorGuy Harris <guy@alum.mit.edu>2019-02-06 17:15:09 -0800
committerGuy Harris <guy@alum.mit.edu>2019-02-06 17:15:09 -0800
commit145cc1e967e20a9bb132e0d20683ad442aa0d084 (patch)
tree880f303e0ff3a4fd06686681ab044c8d7cfda960 /rpcapd
parenta9ab840836f5dea800d9e121a8616fee084c1729 (diff)
Add some new authentication error codes for specific errors.
This might make it a bit cleaner to handle new authentication types; clients will still have to check for PCAP_ERR_AUTH with particular error strings to detect "that authentication type isn't supported by the server", but at least they can check first for PCAP_ERR_AUTH_TYPE_NOTSUP. Also add PCAP_ERR_AUTH_FAILED for authentication failures and PCAP_ERR_TLS_REQUIRED for "the server requires TLS". PCAP_ERR_AUTH is used for all other errors, including internal errors. While we're at it, fix one case where the wrong error code was returned for "set sampling" request errors.
Diffstat (limited to 'rpcapd')
-rw-r--r--rpcapd/daemon.c32
1 files changed, 24 insertions, 8 deletions
diff --git a/rpcapd/daemon.c b/rpcapd/daemon.c
index b7059b83..ab1a6a00 100644
--- a/rpcapd/daemon.c
+++ b/rpcapd/daemon.c
@@ -312,8 +312,8 @@ daemon_serviceloop(SOCKET sockctrl, int isactive, char *passiveClients,
// that we require TLS.
//
if (rpcap_senderror(sockctrl, NULL, header.ver,
- PCAP_ERR_AUTH, "TLS is required by this server",
- errbuf) == -1)
+ PCAP_ERR_TLS_REQUIRED,
+ "TLS is required by this server", errbuf) == -1)
{
// That failed; log a message and give up.
rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf);
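Review bot: Clients built before this change have no case for PCAP_ERR_TLS_REQUIRED, so an older client talking to a newer server may fall into its unknown-error path where it previously matched PCAP_ERR_AUTH; the new code is sent whatever `header.ver` the client offered. The commit message covers new clients talking to old servers, but not this direction. A comment at this call, such as `// New error code: clients that predate it see an unrecognized code here.`, would record that the behaviour is intended. daemon_serviceloop continues outside the hunk, so any version gating done elsewhere is not visible here.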
@@ -1222,8 +1222,16 @@ daemon_msg_auth_req(struct daemon_slpars *pars, uint32 plen)
if (!pars->nullAuthAllowed)
{
// Send the client an error reply.
- pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Authentication failed; NULL authentication not permitted.");
- goto error;
+ pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE,
+ "Authentication failed; NULL authentication not permitted.");
+ if (rpcap_senderror(pars->sockctrl, pars->ssl,
+ 0, PCAP_ERR_AUTH_FAILED, errmsgbuf, errbuf) == -1)
+ {
+ // That failed; log a message and give up.
+ rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf);
+ return -1;
+ }
+ goto error_noreply;
}
break;
}
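Review bot: A rejected NULL-authentication attempt leaves no trace in the server log in the lines shown, because `rpcapd_log` is called only when `rpcap_senderror` itself fails. The same holds for the PCAP_ERR_AUTH_FAILED reply in the username/password hunk and the PCAP_ERR_AUTH_TYPE_NOTSUP reply in the `default:` case. Logging the refusal before the send, e.g. `rpcapd_log(LOGPRIO_ERROR, "Authentication refused: %s", errmsgbuf);`, would let operators notice repeated failed logins; the priority level and whether to include the peer address are for the maintainers to choose. The rest of daemon_msg_auth_req and the `error_noreply` label lie outside the hunk, so such logging may already exist there.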
@@ -1287,7 +1295,7 @@ daemon_msg_auth_req(struct daemon_slpars *pars, uint32 plen)
free(username);
free(passwd);
if (rpcap_senderror(pars->sockctrl, pars->ssl,
- 0, PCAP_ERR_AUTH, errmsgbuf, errbuf) == -1)
+ 0, PCAP_ERR_AUTH_FAILED, errmsgbuf, errbuf) == -1)
{
// That failed; log a message and give up.
rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf);
@@ -1314,8 +1322,16 @@ daemon_msg_auth_req(struct daemon_slpars *pars, uint32 plen)
}
default:
- pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Authentication type not recognized.");
- goto error;
+ pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE,
+ "Authentication type not recognized.");
+ if (rpcap_senderror(pars->sockctrl, pars->ssl,
+ 0, PCAP_ERR_AUTH_TYPE_NOTSUP, errmsgbuf, errbuf) == -1)
+ {
+ // That failed; log a message and give up.
+ rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf);
+ return -1;
+ }
+ goto error_noreply;
}
// The authentication succeeded; let the client know.
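Review bot: The send-and-log block in this `default:` case is another copy of the same lines already present in the NULL-authentication branch and the username/password failure path, differing only in the error code. A local such as `int errcode = PCAP_ERR_AUTH;`, set with `errcode = PCAP_ERR_AUTH_TYPE_NOTSUP;` before `goto error;`, and passed to `rpcap_senderror` at the `error:` label, would keep a single reply path and make the next authentication type a one-line addition. The `error:` and `error_noreply:` labels are outside the hunk, so this assumes `error:` currently sends `errmsgbuf` with a fixed code, as the removed `goto error;` lines suggest.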
@@ -2326,7 +2342,7 @@ daemon_msg_setsampling_req(uint8 ver, struct daemon_slpars *pars, uint32 plen,
return 0;
error:
- if (rpcap_senderror(pars->sockctrl, pars->ssl, ver, PCAP_ERR_AUTH,
+ if (rpcap_senderror(pars->sockctrl, pars->ssl, ver, PCAP_ERR_SETSAMPLING,
errmsgbuf, errbuf) == -1)
{
// That failed; log a message and give up.