author | Andrew Bartlett <abartlet@samba.org> | 2006-01-09 22:12:53 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:49:57 -0500 |
commit | f55ea8bb3dca868e21663cd90eaea7a35cd7886c (patch) | |
tree | 80aab2a3f10310e1946821603752cd407e435214 /source4/auth | |
parent | 806b3fdbc12b3284ab9872a4ecae3a7ee34ea171 (diff) | |
r12804: This patch reworks the Samba4 sockets layer to use a socket_address
structure that is more generic than just 'IP/port'.
It now passes make test, and has been reviewed and updated by
metze. (Thankyou *very* much).
This passes 'make test' as well as kerberos use (not currently in the
testsuite).
The original purpose of this patch was to have Samba able to pass a
socket address structure from the BSD layer into the kerberos routines
and back again. It also removes nbt_peer_addr, which was being used
for a similar purpose.
It is a large change, but worthwhile I feel.
Andrew Bartlett
(This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/auth.h | 2 | ||||
-rw-r--r-- | source4/auth/gensec/gensec.c | 34 | ||||
-rw-r--r-- | source4/auth/gensec/gensec.h | 7 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 41 | ||||
-rw-r--r-- | source4/auth/kerberos/config.mk | 2 | ||||
-rw-r--r-- | source4/auth/kerberos/krb5_init_context.c | 31 | ||||
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp_server.c | 3 |
7 files changed, 31 insertions, 89 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 9aa6d29c6e..80360a7cb4 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -50,7 +50,7 @@ enum auth_password_state {
 struct auth_usersupplied_info {
 const char *workstation_name;
- const char *remote_host;
+ struct socket_address *remote_host;
 uint32_t logon_parameters;
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index 65bc5d2450..fa5c877363 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
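Review bot: `remote_host` in `struct auth_usersupplied_info` changes from `const char *` to `struct socket_address *` without a comment saying whether it may be NULL or who owns the pointed-to object, and any consumer that formatted it with `%s` now has to read a member of the struct instead, which this diffstat-limited view cannot confirm was done. The ntlmssp_server.c hunk at the end of this commit assigns it straight from gensec_get_peer_addr(), which returns NULL when no peer address was set, so NULL is a legitimate value here. I would document that on the field: `/* address of the peer, or NULL when unknown; not talloc-owned by user_info unless the caller references it */`, with the ownership half confirmed against the callers that fill it in.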
@@ -864,39 +864,34 @@ const char *gensec_get_target_hostname(struct gensec_security *gensec_security)
 }
 /**
- * Set local and peer socket addresses onto a socket context on the GENSEC context
+ * Set (and talloc_reference) local and peer socket addresses onto a socket context on the GENSEC context
 *
 * This is so that kerberos can include these addresses in
 * cryptographic tokens, to avoid certain attacks.
 */
-NTSTATUS gensec_set_my_addr(struct gensec_security *gensec_security, const char *my_addr, int port)
+NTSTATUS gensec_set_my_addr(struct gensec_security *gensec_security, struct socket_address *my_addr)
 {
- gensec_security->my_addr.addr = talloc_strdup(gensec_security, my_addr);
- if (my_addr && !gensec_security->my_addr.addr) {
+ gensec_security->my_addr = my_addr;
+ if (my_addr && !talloc_reference(gensec_security, my_addr)) {
 return NT_STATUS_NO_MEMORY;
 }
- gensec_security->my_addr.port = port;
 return NT_STATUS_OK;
 }
-NTSTATUS gensec_set_peer_addr(struct gensec_security *gensec_security, const char *peer_addr, int port)
+NTSTATUS gensec_set_peer_addr(struct gensec_security *gensec_security, struct socket_address *peer_addr)
 {
- gensec_security->peer_addr.addr = talloc_strdup(gensec_security, peer_addr);
- if (peer_addr && !gensec_security->peer_addr.addr) {
+ gensec_security->peer_addr = peer_addr;
+ if (peer_addr && !talloc_reference(gensec_security, peer_addr)) {
 return NT_STATUS_NO_MEMORY;
 }
- gensec_security->peer_addr.port = port;
 return NT_STATUS_OK;
 }
-const char *gensec_get_my_addr(struct gensec_security *gensec_security, int *port)
+struct socket_address *gensec_get_my_addr(struct gensec_security *gensec_security)
 {
- if (gensec_security->my_addr.addr) {
- if (port) {
- *port = gensec_security->my_addr.port;
- }
- return gensec_security->my_addr.addr;
+ if (gensec_security->my_addr) {
+ return gensec_security->my_addr;
 }
 /* We could add a 'set sockaddr' call, and do a lookup. This
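Review bot: In gensec_set_my_addr and gensec_set_peer_addr the pointer is stored into the context before talloc_reference() is checked, so on the NT_STATUS_NO_MEMORY path `gensec_security->my_addr` (or `peer_addr`) keeps a pointer the context holds no reference to, and once the caller frees its socket_address a later gensec_get_my_addr() hands out a dangling pointer. Take the reference first and assign only on success: `if (my_addr && !talloc_reference(gensec_security, my_addr)) { return NT_STATUS_NO_MEMORY; }` followed by `gensec_security->my_addr = my_addr;`, and the same two lines in gensec_set_peer_addr. Calling either setter twice also keeps the earlier reference alive for the life of the context, since nothing talloc_unlink()s the previous value; the strdup-based code had the same leak, so at minimum a comment stating that the setters are expected to be called once would help. gensec_get_my_addr continues past the end of the hunk.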
@@ -904,13 +899,10 @@ const char *gensec_get_my_addr(struct gensec_security *gensec_security, int *por
 return NULL;
 }
-const char *gensec_get_peer_addr(struct gensec_security *gensec_security, int *port)
+struct socket_address *gensec_get_peer_addr(struct gensec_security *gensec_security)
 {
- if (gensec_security->peer_addr.addr) {
- if (port) {
- *port = gensec_security->peer_addr.port;
- }
- return gensec_security->peer_addr.addr;
+ if (gensec_security->peer_addr) {
+ return gensec_security->peer_addr;
 }
 /* We could add a 'set sockaddr' call, and do a lookup. This
diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
index 67bec3a0f5..6821d7f2db 100644
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -34,11 +34,6 @@ struct gensec_target {
 const char *service;
 };
-struct gensec_addr {
- const char *addr;
- int port;
-};
-
 #define GENSEC_FEATURE_SESSION_KEY 0x00000001
 #define GENSEC_FEATURE_SIGN 0x00000002
 #define GENSEC_FEATURE_SEAL 0x00000004
@@ -118,7 +113,7 @@ struct gensec_security {
 BOOL subcontext;
 uint32_t want_features;
 struct event_context *event_ctx;
- struct gensec_addr my_addr, peer_addr;
+ struct socket_address *my_addr, *peer_addr;
 };
 /* this structure is used by backends to determine the size of some critical types */
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 478ebcfbf0..98f7e726cc 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -87,8 +87,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
 krb5_error_code ret;
 struct gensec_krb5_state *gensec_krb5_state;
 struct cli_credentials *creds;
- const char *my_addr, *peer_addr;
- int my_port, peer_port;
+ const struct socket_address *my_addr, *peer_addr;
 krb5_address my_krb5_addr, peer_krb5_addr;
 creds = gensec_get_credentials(gensec_security);
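Review bot: In gensec_get_peer_addr the new `if (gensec_security->peer_addr) { return gensec_security->peer_addr; }` guards a value that, when NULL, falls through to the `return NULL;` visible at the top of this hunk, so the conditional adds nothing; `return gensec_security->peer_addr;` says the same thing in one line, and the same applies to gensec_get_my_addr in the previous hunk. Keeping the branch only makes sense if the lookup described in the comment below it is actually planned, in which case the comment should say so. The function body continues past the end of the hunk.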
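Review bot: The new `struct socket_address *my_addr, *peer_addr;` members of `struct gensec_security` in gensec.h replace embedded `struct gensec_addr` values with pointers to objects the context does not allocate, and nothing on the declaration says how they are held or that they start out NULL. A one-line comment would save the next reader a trip to gensec.c: `/* set by gensec_set_my_addr()/gensec_set_peer_addr(), which talloc_reference() the object onto this context; NULL until set */`. The gensec_krb5.c hunk on this line declares its locals `const struct socket_address *`, which is fine since the getters return non-const pointers.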
@@ -138,23 +137,10 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
 return NT_STATUS_INTERNAL_ERROR;
 }
- my_addr = gensec_get_my_addr(gensec_security, &my_port);
- if (my_addr) {
- struct sockaddr_in sock_addr;
- struct ipv4_addr addr;
-
- /* TODO: This really should be in a utility function somewhere */
- ZERO_STRUCT(sock_addr);
-#ifdef HAVE_SOCK_SIN_LEN
- sock_addr.sin_len = sizeof(sock_addr);
-#endif
- addr = interpret_addr2(my_addr);
- sock_addr.sin_addr.s_addr = addr.addr;
- sock_addr.sin_port = htons(my_port);
- sock_addr.sin_family = PF_INET;
-
+ my_addr = gensec_get_my_addr(gensec_security);
+ if (my_addr && my_addr->sockaddr) {
 ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
- (struct sockaddr *)&sock_addr, &my_krb5_addr);
+ my_addr->sockaddr, &my_krb5_addr);
 if (ret) {
 DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n",
 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
@@ -164,23 +150,10 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
 }
 }
- peer_addr = gensec_get_my_addr(gensec_security, &peer_port);
- if (peer_addr) {
- struct sockaddr_in sock_addr;
- struct ipv4_addr addr;
-
- /* TODO: This really should be in a utility function somewhere */
- ZERO_STRUCT(sock_addr);
-#ifdef HAVE_SOCK_SIN_LEN
- sock_addr.sin_len = sizeof(sock_addr);
-#endif
- addr = interpret_addr2(peer_addr);
- sock_addr.sin_addr.s_addr = addr.addr;
- sock_addr.sin_port = htons(peer_port);
- sock_addr.sin_family = PF_INET;
-
+ peer_addr = gensec_get_my_addr(gensec_security);
+ if (peer_addr && peer_addr->sockaddr) {
 ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
- (struct sockaddr *)&sock_addr, &peer_krb5_addr);
+ peer_addr->sockaddr, &peer_krb5_addr);
 if (ret) {
 DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n",
 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
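Review bot: The peer branch in the second hunk still fetches the local address: `peer_addr = gensec_get_my_addr(gensec_security);` should be `peer_addr = gensec_get_peer_addr(gensec_security);`, otherwise `peer_krb5_addr` is filled with our own address and the address binding this code exists for (the gensec.c comment in this commit says the addresses go into the Kerberos tokens to avoid certain attacks) is silently wrong on the peer side. The removed line had the same wrong getter, so the commit carries the defect over rather than introducing it, but the rewrite was the moment to catch it. The DEBUG message in that branch also says `(local)`; label it `(remote)` so the two failure paths are distinguishable in logs. In the first hunk, `if (my_addr && my_addr->sockaddr)` skips the address without any log line when a socket_address carries no sockaddr, which may be intended but deserves a comment. gensec_krb5_start begins and ends outside both hunks.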
diff --git a/source4/auth/kerberos/config.mk b/source4/auth/kerberos/config.mk
index 93b45ddedc..ebd527c74b 100644
--- a/source4/auth/kerberos/config.mk
+++ b/source4/auth/kerberos/config.mk
@@ -8,6 +8,6 @@ OBJ_FILES = kerberos.o \
 kerberos_pac.o \
 gssapi_parse.o \
 krb5_init_context.o
-REQUIRED_SUBSYSTEMS = HEIMDAL_KRB5 NDR_KRB5PAC
+REQUIRED_SUBSYSTEMS = HEIMDAL_KRB5 NDR_KRB5PAC SOCKET
 # End SUBSYSTEM KERBEROS
 #################################
diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c
index 895553ccee..fe6ff2f12a 100644
--- a/source4/auth/kerberos/krb5_init_context.c
+++ b/source4/auth/kerberos/krb5_init_context.c
@@ -235,11 +235,10 @@ static krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
 {
 krb5_error_code ret;
 NTSTATUS status;
- char *remote_addr;
+ struct socket_address *remote_addr;
 const char *name;
 struct addrinfo *ai, *a;
 struct smb_krb5_socket *smb_krb5;
- int port;
 struct event_context *ev = talloc_get_type(data, struct event_context);
@@ -292,31 +291,13 @@ static krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
 talloc_steal(smb_krb5, smb_krb5->sock);
- switch (a->ai_family) {
- case PF_INET:
- remote_addr = talloc_strdup(smb_krb5, inet_ntoa(((struct sockaddr_in *)a->ai_addr)->sin_addr));
- port = ntohs(((struct sockaddr_in *)a->ai_addr)->sin_port);
- break;
- case PF_INET6:
- {
- char addr[128];
- const char *ret_addr;
- ret_addr = inet_ntop(AF_INET6, &((struct sockaddr_in6 *)a->ai_addr)->sin6_addr, addr, sizeof(addr));
- if (ret_addr == NULL) {
- talloc_free(smb_krb5);
- return EINVAL;
- }
-
- remote_addr = talloc_strdup(smb_krb5, ret_addr);
- port = ntohs(((struct sockaddr_in6 *)a->ai_addr)->sin6_port);
- break;
- }
- default:
+ remote_addr = socket_address_from_sockaddr(smb_krb5, a->ai_addr, a->ai_addrlen);
+ if (!remote_addr) {
 talloc_free(smb_krb5);
- return EINVAL;
+ continue;
 }
-
- status = socket_connect_ev(smb_krb5->sock, NULL, 0, remote_addr, port, 0, ev);
+
+ status = socket_connect_ev(smb_krb5->sock, NULL, remote_addr, 0, ev);
 if (!NT_STATUS_IS_OK(status)) {
 talloc_free(smb_krb5);
 continue;
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index ec3c9ba188..dac1f48f4b 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -695,7 +695,8 @@ static NTSTATUS auth_ntlmssp_check_password(struct gensec_ntlmssp_state *gensec_
 user_info->client.account_name = gensec_ntlmssp_state->user;
 user_info->client.domain_name = gensec_ntlmssp_state->domain;
 user_info->workstation_name = gensec_ntlmssp_state->workstation;
-
+ user_info->remote_host = gensec_get_peer_addr(gensec_ntlmssp_state->gensec_security);
+
 user_info->password_state = AUTH_PASSWORD_RESPONSE;
 user_info->password.response.lanman = gensec_ntlmssp_state->lm_resp;
 user_info->password.response.lanman.data = talloc_steal(user_info, gensec_ntlmssp_state->lm_resp.data);
|
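Review bot: `if (!remote_addr) { talloc_free(smb_krb5); continue; }` treats every NULL from socket_address_from_sockaddr() the same way; its body is not visible here, but if it returns NULL for allocation failure as well as for an address family it does not handle, an out-of-memory condition now quietly moves on to the next addrinfo where the old switch returned EINVAL, and the loop's eventual failure value will not say why. A comment stating the intent would make that trade-off explicit, e.g. `/* unsupported address family (or OOM): try the next candidate from getaddrinfo() */`, or the family check could be kept in front of the call so OOM still returns an error. The blank line before the socket_connect_ev() call is removed and re-added in the same hunk, which usually means trailing whitespace was introduced; drop it. The loop over `a` that this code sits in starts and ends outside the hunk.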
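Review bot: `user_info->remote_host = gensec_get_peer_addr(gensec_ntlmssp_state->gensec_security);` stores a pointer that the gensec context holds by talloc_reference into user_info with no reference of its own, while the surrounding lines talloc_steal() the response buffers into user_info, which reads as user_info being meant to stand alone; if user_info can outlive gensec_security, remote_host becomes a dangling pointer. Either take a reference, `if (user_info->remote_host && !talloc_reference(user_info, user_info->remote_host)) { return NT_STATUS_NO_MEMORY; }`, or add a comment stating that user_info must not outlive the gensec context. The value is NULL whenever no peer address was set on the context, so consumers of remote_host need to tolerate that. auth_ntlmssp_check_password begins and ends outside the hunk.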