summaryrefslogtreecommitdiff
path: root/source4/auth/gensec
diff options
context:
space:
mode:
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r--source4/auth/gensec/gensec.c34
-rw-r--r--source4/auth/gensec/gensec.h7
-rw-r--r--source4/auth/gensec/gensec_krb5.c41
3 files changed, 21 insertions, 61 deletions
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index 65bc5d2450..fa5c877363 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -864,39 +864,34 @@ const char *gensec_get_target_hostname(struct gensec_security *gensec_security)
}
/**
- * Set local and peer socket addresses onto a socket context on the GENSEC context
+ * Set (and talloc_reference) local and peer socket addresses onto a socket context on the GENSEC context
*
* This is so that kerberos can include these addresses in
* cryptographic tokens, to avoid certain attacks.
*/
-NTSTATUS gensec_set_my_addr(struct gensec_security *gensec_security, const char *my_addr, int port)
+NTSTATUS gensec_set_my_addr(struct gensec_security *gensec_security, struct socket_address *my_addr)
{
- gensec_security->my_addr.addr = talloc_strdup(gensec_security, my_addr);
- if (my_addr && !gensec_security->my_addr.addr) {
+ gensec_security->my_addr = my_addr;
+ if (my_addr && !talloc_reference(gensec_security, my_addr)) {
return NT_STATUS_NO_MEMORY;
}
- gensec_security->my_addr.port = port;
return NT_STATUS_OK;
}
-NTSTATUS gensec_set_peer_addr(struct gensec_security *gensec_security, const char *peer_addr, int port)
+NTSTATUS gensec_set_peer_addr(struct gensec_security *gensec_security, struct socket_address *peer_addr)
{
- gensec_security->peer_addr.addr = talloc_strdup(gensec_security, peer_addr);
- if (peer_addr && !gensec_security->peer_addr.addr) {
+ gensec_security->peer_addr = peer_addr;
+ if (peer_addr && !talloc_reference(gensec_security, peer_addr)) {
return NT_STATUS_NO_MEMORY;
}
- gensec_security->peer_addr.port = port;
return NT_STATUS_OK;
}
-const char *gensec_get_my_addr(struct gensec_security *gensec_security, int *port)
+struct socket_address *gensec_get_my_addr(struct gensec_security *gensec_security)
{
- if (gensec_security->my_addr.addr) {
- if (port) {
- *port = gensec_security->my_addr.port;
- }
- return gensec_security->my_addr.addr;
+ if (gensec_security->my_addr) {
+ return gensec_security->my_addr;
}
/* We could add a 'set sockaddr' call, and do a lookup. This
@@ -904,13 +899,10 @@ const char *gensec_get_my_addr(struct gensec_security *gensec_security, int *por
return NULL;
}
-const char *gensec_get_peer_addr(struct gensec_security *gensec_security, int *port)
+struct socket_address *gensec_get_peer_addr(struct gensec_security *gensec_security)
{
- if (gensec_security->peer_addr.addr) {
- if (port) {
- *port = gensec_security->peer_addr.port;
- }
- return gensec_security->peer_addr.addr;
+ if (gensec_security->peer_addr) {
+ return gensec_security->peer_addr;
}
/* We could add a 'set sockaddr' call, and do a lookup. This
diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
index 67bec3a0f5..6821d7f2db 100644
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -34,11 +34,6 @@ struct gensec_target {
const char *service;
};
-struct gensec_addr {
- const char *addr;
- int port;
-};
-
#define GENSEC_FEATURE_SESSION_KEY 0x00000001
#define GENSEC_FEATURE_SIGN 0x00000002
#define GENSEC_FEATURE_SEAL 0x00000004
@@ -118,7 +113,7 @@ struct gensec_security {
BOOL subcontext;
uint32_t want_features;
struct event_context *event_ctx;
- struct gensec_addr my_addr, peer_addr;
+ struct socket_address *my_addr, *peer_addr;
};
/* this structure is used by backends to determine the size of some critical types */
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 478ebcfbf0..98f7e726cc 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -87,8 +87,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
krb5_error_code ret;
struct gensec_krb5_state *gensec_krb5_state;
struct cli_credentials *creds;
- const char *my_addr, *peer_addr;
- int my_port, peer_port;
+ const struct socket_address *my_addr, *peer_addr;
krb5_address my_krb5_addr, peer_krb5_addr;
creds = gensec_get_credentials(gensec_security);
@@ -138,23 +137,10 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
return NT_STATUS_INTERNAL_ERROR;
}
- my_addr = gensec_get_my_addr(gensec_security, &my_port);
- if (my_addr) {
- struct sockaddr_in sock_addr;
- struct ipv4_addr addr;
-
- /* TODO: This really should be in a utility function somewhere */
- ZERO_STRUCT(sock_addr);
-#ifdef HAVE_SOCK_SIN_LEN
- sock_addr.sin_len = sizeof(sock_addr);
-#endif
- addr = interpret_addr2(my_addr);
- sock_addr.sin_addr.s_addr = addr.addr;
- sock_addr.sin_port = htons(my_port);
- sock_addr.sin_family = PF_INET;
-
+ my_addr = gensec_get_my_addr(gensec_security);
+ if (my_addr && my_addr->sockaddr) {
ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
- (struct sockaddr *)&sock_addr, &my_krb5_addr);
+ my_addr->sockaddr, &my_krb5_addr);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
@@ -164,23 +150,10 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
}
}
- peer_addr = gensec_get_my_addr(gensec_security, &peer_port);
- if (peer_addr) {
- struct sockaddr_in sock_addr;
- struct ipv4_addr addr;
-
- /* TODO: This really should be in a utility function somewhere */
- ZERO_STRUCT(sock_addr);
-#ifdef HAVE_SOCK_SIN_LEN
- sock_addr.sin_len = sizeof(sock_addr);
-#endif
- addr = interpret_addr2(peer_addr);
- sock_addr.sin_addr.s_addr = addr.addr;
- sock_addr.sin_port = htons(peer_port);
- sock_addr.sin_family = PF_INET;
-
+ peer_addr = gensec_get_my_addr(gensec_security);
+ if (peer_addr && peer_addr->sockaddr) {
ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
- (struct sockaddr *)&sock_addr, &peer_krb5_addr);
+ peer_addr->sockaddr, &peer_krb5_addr);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
generated by cgit (git 2.34.1) at 2024-12-02 03:03:40 +0000