summaryrefslogtreecommitdiff
path: root/source4/auth/kerberos
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-09-28 01:09:10 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:39:04 -0500
commit8407a1a8665e188d9dc6774ce1535802e4e3cb29 (patch)
treea3823cbe5ff8762794eda3aba80d8acf9f0573f0 /source4/auth/kerberos
parent0b2c6aec9217c40324dddcc2fef376f5a8c5c27d (diff)
downloadsamba-8407a1a8665e188d9dc6774ce1535802e4e3cb29.tar.gz
samba-8407a1a8665e188d9dc6774ce1535802e4e3cb29.tar.bz2
samba-8407a1a8665e188d9dc6774ce1535802e4e3cb29.zip
r10561: This patch takes over KDC socket routines in Heimdal, and directs them
at the Samba4 socket layer. The intention here is to ensure that other events may be processed while heimdal is waiting on the KDC. The interface is designed to be sufficiently flexible, so that the plugin may choose how to time communication with the KDC (ie multiple outstanding requests, looking for a functional KDC). I've hacked the socket layer out of cldap.c to handle this very specific case of one udp packet and reply. Likewise I also handle TCP, stolen from the winbind code. This same plugin system might also be useful for a self-contained testing mode in Heimdal, in conjunction with libkdc. I would suggest using socket-wrapper instead however. Andrew Bartlett (This used to be commit 3b09f9e8f9f6f645cd03073ef833c8d0fb0d84e2)
Diffstat (limited to 'source4/auth/kerberos')
-rw-r--r--source4/auth/kerberos/krb5_init_context.c353
1 files changed, 351 insertions, 2 deletions
diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c
index 62260702d5..673dbe62f7 100644
--- a/source4/auth/kerberos/krb5_init_context.c
+++ b/source4/auth/kerberos/krb5_init_context.c
@@ -3,7 +3,9 @@
Wrapper for krb5_init_context
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
-
+ Copyright (C) Andrew Tridgell 2005
+ Copyright (C) Stefan Metzmacher 2004
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
@@ -22,6 +24,28 @@
#include "includes.h"
#include "system/kerberos.h"
#include "auth/kerberos/kerberos.h"
+#include "system/network.h"
+#include "system/select.h"
+#include "system/filesys.h"
+#include "lib/socket/socket.h"
+#include "lib/events/events.h"
+/*
+ context structure for operations on cldap packets
+*/
+struct smb_krb5_socket {
+ struct socket_context *sock;
+
+ /* the fd event */
+ struct fd_event *fde;
+
+ BOOL timeout;
+ NTSTATUS status;
+ DATA_BLOB request, reply, partial;
+
+ size_t partial_read;
+
+ krb5_krbhst_info *hi;
+};
static int smb_krb5_context_destroy_1(void *ptr)
{
@@ -51,11 +75,324 @@ static void smb_krb5_debug_wrapper(const char *timestr, const char *msg, void *p
DEBUG(3, ("Kerberos: %s\n", msg));
}
+/*
+ handle recv events on a smb_krb5 socket
+*/
+static void smb_krb5_socket_recv(struct smb_krb5_socket *smb_krb5)
+{
+ TALLOC_CTX *tmp_ctx = talloc_new(smb_krb5);
+ NTSTATUS status;
+ DATA_BLOB blob;
+ size_t nread, dsize;
+
+ switch (smb_krb5->hi->proto) {
+ case KRB5_KRBHST_UDP:
+ status = socket_pending(smb_krb5->sock, &dsize);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(tmp_ctx);
+ return;
+ }
+
+ blob = data_blob_talloc(tmp_ctx, NULL, dsize);
+ if (blob.data == NULL) {
+ talloc_free(tmp_ctx);
+ return;
+ }
+
+ status = socket_recv(smb_krb5->sock, blob.data, blob.length, &nread, 0);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(tmp_ctx);
+ return;
+ }
+ blob.length = nread;
+
+ DEBUG(2,("Received smb_krb5 packet of length %d\n",
+ (int)blob.length));
+
+ talloc_steal(smb_krb5, blob.data);
+ smb_krb5->reply = blob;
+ talloc_free(tmp_ctx);
+ break;
+ case KRB5_KRBHST_TCP:
+ if (smb_krb5->partial.length == 0) {
+ smb_krb5->partial = data_blob_talloc(smb_krb5, NULL, 4);
+ if (!smb_krb5->partial.data) {
+ smb_krb5->status = NT_STATUS_NO_MEMORY;
+ return;
+ }
+
+ smb_krb5->partial_read = 0;
+ }
+
+ /* read in the packet length */
+ if (smb_krb5->partial_read < 4) {
+ uint32_t packet_length;
+
+ status = socket_recv(smb_krb5->sock,
+ smb_krb5->partial.data + smb_krb5->partial_read,
+ 4 - smb_krb5->partial_read,
+ &nread, 0);
+ if (NT_STATUS_IS_ERR(status)) {
+ smb_krb5->status = status;
+ return;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return;
+ }
+
+ smb_krb5->partial_read += nread;
+ if (smb_krb5->partial_read != 4) {
+ return;
+ }
+
+ packet_length = RIVAL(smb_krb5->partial.data, 0);
+
+ smb_krb5->partial.data = talloc_realloc(smb_krb5, smb_krb5->partial.data,
+ uint8_t, packet_length + 4);
+ if (!smb_krb5->partial.data) {
+ smb_krb5->status = NT_STATUS_NO_MEMORY;
+ return;
+ }
+
+ smb_krb5->partial.length = packet_length + 4;
+ }
+
+ /* read in the body */
+ status = socket_recv(smb_krb5->sock,
+ smb_krb5->partial.data + smb_krb5->partial_read,
+ smb_krb5->partial.length - smb_krb5->partial_read,
+ &nread, 0);
+ if (NT_STATUS_IS_ERR(status)) {
+ smb_krb5->status = status;
+ return;
+ }
+ if (!NT_STATUS_IS_OK(status)) return;
+
+ smb_krb5->partial_read += nread;
+
+ if (smb_krb5->partial_read != smb_krb5->partial.length) return;
+
+ smb_krb5->reply = data_blob_talloc(smb_krb5, smb_krb5->partial.data + 4, smb_krb5->partial.length - 4);
+ break;
+ case KRB5_KRBHST_HTTP:
+ return;
+ }
+}
+
+/*
+ handle request timeouts
+*/
+static void smb_krb5_request_timeout(struct event_context *event_ctx,
+ struct timed_event *te, struct timeval t,
+ void *private)
+{
+ struct smb_krb5_socket *smb_krb5 = talloc_get_type(private, struct smb_krb5_socket);
+ DEBUG(2,("Timed out smb_krb5 packet\n"));
+ smb_krb5->timeout = True;
+}
+
+/*
+ handle send events on a smb_krb5 socket
+*/
+static void smb_krb5_socket_send(struct smb_krb5_socket *smb_krb5)
+{
+ NTSTATUS status;
+
+ size_t len;
+
+ len = smb_krb5->request.length;
+ status = socket_send(smb_krb5->sock, &smb_krb5->request, &len, 0);
+
+ if (!NT_STATUS_IS_OK(status)) return;
+
+ EVENT_FD_READABLE(smb_krb5->fde);
+
+ EVENT_FD_NOT_WRITEABLE(smb_krb5->fde);
+ return;
+}
+
+
+/*
+ handle fd events on a smb_krb5_socket
+*/
+static void smb_krb5_socket_handler(struct event_context *ev, struct fd_event *fde,
+ uint16_t flags, void *private)
+{
+ struct smb_krb5_socket *smb_krb5 = talloc_get_type(private, struct smb_krb5_socket);
+ if (flags & EVENT_FD_WRITE) {
+ smb_krb5_socket_send(smb_krb5);
+ }
+ if (flags & EVENT_FD_READ) {
+ smb_krb5_socket_recv(smb_krb5);
+ }
+}
+
+
+static krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
+ void *data,
+ krb5_krbhst_info *hi,
+ const krb5_data *send_buf,
+ krb5_data *recv_buf)
+{
+ krb5_error_code ret;
+ NTSTATUS status;
+ char *remote_addr;
+ const char *name;
+ struct addrinfo *ai, *a;
+ struct smb_krb5_socket *smb_krb5;
+ int port;
+
+ struct event_context *ev = talloc_get_type(data, struct event_context);
+
+ DATA_BLOB send_blob = data_blob_const(send_buf->data, send_buf->length);
+
+ ret = krb5_krbhst_get_addrinfo(context, hi, &ai);
+ if (ret) {
+ return ret;
+ }
+
+ for (a = ai; a; a = ai->ai_next) {
+ smb_krb5 = talloc(NULL, struct smb_krb5_socket);
+ if (!smb_krb5) {
+ return ENOMEM;
+ }
+ smb_krb5->hi = hi;
+
+ switch (a->ai_family) {
+ case PF_INET:
+ name = "ipv4";
+ break;
+ case PF_INET6:
+ name = "ipv6";
+ break;
+ default:
+ talloc_free(smb_krb5);
+ return EINVAL;
+ }
+
+ status = NT_STATUS_INVALID_PARAMETER;
+ switch (hi->proto) {
+ case KRB5_KRBHST_UDP:
+ status = socket_create(name, SOCKET_TYPE_DGRAM, &smb_krb5->sock, 0);
+ break;
+ case KRB5_KRBHST_TCP:
+ status = socket_create(name, SOCKET_TYPE_STREAM, &smb_krb5->sock, 0);
+ break;
+ case KRB5_KRBHST_HTTP:
+ talloc_free(smb_krb5);
+ return EINVAL;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(smb_krb5);
+ continue;
+ }
+
+ talloc_steal(smb_krb5, smb_krb5->sock);
+
+ switch (a->ai_family) {
+ case PF_INET:
+ remote_addr = talloc_strdup(smb_krb5, inet_ntoa(((struct sockaddr_in *)a->ai_addr)->sin_addr));
+ port = ntohs(((struct sockaddr_in *)a->ai_addr)->sin_port);
+ break;
+ case PF_INET6:
+ {
+ char addr[128];
+ const char *ret_addr;
+ ret_addr = inet_ntop(AF_INET6, &((struct sockaddr_in6 *)a->ai_addr)->sin6_addr, addr, sizeof(addr));
+ if (ret_addr == NULL) {
+ talloc_free(smb_krb5);
+ return EINVAL;
+ }
+
+ remote_addr = talloc_strdup(smb_krb5, ret_addr);
+ port = ntohs(((struct sockaddr_in6 *)a->ai_addr)->sin6_port);
+ break;
+ }
+ default:
+ talloc_free(smb_krb5);
+ return EINVAL;
+ }
+
+ status = socket_connect_ev(smb_krb5->sock, NULL, 0, remote_addr, port, 0, ev);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(smb_krb5);
+ continue;
+ }
+ talloc_free(remote_addr);
+
+ smb_krb5->fde = event_add_fd(ev, smb_krb5,
+ socket_get_fd(smb_krb5->sock), 0,
+ smb_krb5_socket_handler, smb_krb5);
+
+ event_add_timed(ev, smb_krb5,
+ timeval_current_ofs(context->kdc_timeout, 0),
+ smb_krb5_request_timeout, smb_krb5);
+
+ EVENT_FD_WRITEABLE(smb_krb5->fde);
+
+ switch (hi->proto) {
+ case KRB5_KRBHST_UDP:
+ smb_krb5->request = send_blob;
+ break;
+ case KRB5_KRBHST_TCP:
+ smb_krb5->request = data_blob_talloc(smb_krb5, NULL, send_blob.length + 4);
+ RSIVAL(smb_krb5->request.data, 0, send_blob.length);
+ memcpy(smb_krb5->request.data+4, send_blob.data, send_blob.length);
+ break;
+ case KRB5_KRBHST_HTTP:
+ talloc_free(smb_krb5);
+ return EINVAL;
+ }
+ smb_krb5->timeout = False;
+ smb_krb5->status = NT_STATUS_OK;
+ smb_krb5->reply = data_blob(NULL, 0);
+ smb_krb5->partial = data_blob(NULL, 0);
+
+ while (!smb_krb5->timeout && (NT_STATUS_IS_OK(smb_krb5->status)) && !smb_krb5->reply.length) {
+ if (event_loop_once(ev) != 0) {
+ talloc_free(smb_krb5);
+ return EINVAL;
+ }
+ }
+ if (!NT_STATUS_IS_OK(smb_krb5->status)) {
+ DEBUG(2,("Error reading smb_krb5 reply packet: %s\n", nt_errstr(smb_krb5->status)));
+ talloc_free(smb_krb5);
+ continue;
+ }
+
+ if (smb_krb5->timeout) {
+ talloc_free(smb_krb5);
+ continue;
+ }
+
+ ret = krb5_data_copy(recv_buf, smb_krb5->reply.data, smb_krb5->reply.length);
+ if (ret) {
+ talloc_free(smb_krb5);
+ return ret;
+ }
+ talloc_free(smb_krb5);
+
+ break;
+ }
+ if (a) {
+ return 0;
+ }
+ return KRB5_KDC_UNREACH;
+}
+
+/* NO internal data, so nothing to free */
+static void smb_krb5_send_and_recv_close_func(krb5_context context, void *data)
+{
+ return;
+}
+
+
krb5_error_code smb_krb5_init_context(void *parent_ctx,
struct smb_krb5_context **smb_krb5_context)
{
krb5_error_code ret;
TALLOC_CTX *tmp_ctx;
+ struct event_context *ev;
initialize_krb5_error_table();
@@ -115,13 +452,25 @@ static void smb_krb5_debug_wrapper(const char *timestr, const char *msg, void *p
}
krb5_set_warn_dest((*smb_krb5_context)->krb5_context, (*smb_krb5_context)->logf);
+ ev = event_context_find(*smb_krb5_context);
+ /* Set use of our socket lib */
+ ret = krb5_set_send_recv_func((*smb_krb5_context)->krb5_context,
+ smb_krb5_send_and_recv_func,
+ smb_krb5_send_and_recv_close_func, ev);
+ if (ret) {
+ DEBUG(1,("krb5_set_send_recv_func failed (%s)\n",
+ smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+
talloc_steal(parent_ctx, *smb_krb5_context);
talloc_free(tmp_ctx);
/* Set options in kerberos */
(*smb_krb5_context)->krb5_context->fdns = FALSE;
-
+
return 0;
}