[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Wed Dec 16 13:15:03 MST 2009
The branch, master has been updated
via fae70e1... s4:gensec: allow clearing local and remote address by passing NULL
via c457d54... s4-gensec: Remove obsolete socket_address vars and fns.
via 1e54888... s4-gensec: Replace gensec_get_peer_addr with new tsocket based fn.
via ac2d31e... s4-gensec: Replace gensec_set_peer_addr with new tsocket based fn.
via 8ca8804... s4-gensec: Replace gensec_get_my_addr with new tsocket based fn.
via 226a9db... s4-gensec: Replace gensec_set_my_addr() with new tsocket based fn.
via 743e636... s4-gensec: Added remote and local setter/getter using tsocket.
from 8f4d4a6... Final part of the fix for 6837 - "Too many open files" when trying to access large number of files
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit fae70e1f54fb0bcc6c39caad70ed69a626640381
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 16 20:34:15 2009 +0100
s4:gensec: allow clearing local and remote address by passing NULL
metze
commit c457d54434ce0f475a53d3205d703b9370f7c264
Author: Andreas Schneider <asn at redhat.com>
Date: Wed Dec 16 18:07:07 2009 +0100
s4-gensec: Remove obsolete socket_address vars and fns.
commit 1e5488859a66d25a0dedf0e2f9b545fb7acf1fa2
Author: Andreas Schneider <asn at redhat.com>
Date: Wed Dec 16 16:41:21 2009 +0100
s4-gensec: Replace gensec_get_peer_addr with new tsocket based fn.
commit ac2d31e24cfa24f6674b645b3661a1a2ce9ab060
Author: Andreas Schneider <asn at redhat.com>
Date: Wed Dec 16 16:12:13 2009 +0100
s4-gensec: Replace gensec_set_peer_addr with new tsocket based fn.
commit 8ca88042f0f4dae9f0207ec5de3074f26a2ef9cb
Author: Andreas Schneider <asn at redhat.com>
Date: Wed Dec 16 16:06:55 2009 +0100
s4-gensec: Replace gensec_get_my_addr with new tsocket based fn.
commit 226a9db2d9e0e15c14fb286761bff68253028a0c
Author: Andreas Schneider <asn at redhat.com>
Date: Wed Dec 16 15:52:30 2009 +0100
s4-gensec: Replace gensec_set_my_addr() with new tsocket based fn.
commit 743e6363d54cf45a14de517e297faaa8258caaec
Author: Andreas Schneider <asn at redhat.com>
Date: Wed Dec 16 13:27:20 2009 +0100
s4-gensec: Added remote and local setter/getter using tsocket.
-----------------------------------------------------------------------
Summary of changes:
source4/auth/auth.h | 2 +-
source4/auth/gensec/config.mk | 2 +-
source4/auth/gensec/cyrus_sasl.c | 25 ++++----
source4/auth/gensec/gensec.c | 101 ++++++++++++++++++++++++---------
source4/auth/gensec/gensec.h | 13 +++-
source4/auth/gensec/gensec_krb5.c | 41 ++++++++++----
source4/auth/ntlm/auth_unix.c | 6 +-
source4/auth/ntlm/config.mk | 2 +-
source4/auth/ntlmssp/ntlmssp_server.c | 3 +-
source4/kdc/kpasswdd.c | 20 +------
10 files changed, 137 insertions(+), 78 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 49cf161..c31ed2f 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -57,7 +57,7 @@ enum auth_password_state {
struct auth_usersupplied_info
{
const char *workstation_name;
- struct socket_address *remote_host;
+ const struct tsocket_address *remote_host;
uint32_t logon_parameters;
diff --git a/source4/auth/gensec/config.mk b/source4/auth/gensec/config.mk
index aa52b18..f7cbd5b 100644
--- a/source4/auth/gensec/config.mk
+++ b/source4/auth/gensec/config.mk
@@ -2,7 +2,7 @@
# Start SUBSYSTEM gensec
[LIBRARY::gensec]
PUBLIC_DEPENDENCIES = \
- CREDENTIALS LIBSAMBA-UTIL LIBCRYPTO ASN1_UTIL samba_socket LIBPACKET
+ CREDENTIALS LIBSAMBA-UTIL LIBCRYPTO ASN1_UTIL samba_socket LIBPACKET LIBTSOCKET
# End SUBSYSTEM gensec
#################################
diff --git a/source4/auth/gensec/cyrus_sasl.c b/source4/auth/gensec/cyrus_sasl.c
index da96d23..f563867 100644
--- a/source4/auth/gensec/cyrus_sasl.c
+++ b/source4/auth/gensec/cyrus_sasl.c
@@ -20,6 +20,7 @@
*/
#include "includes.h"
+#include "lib/tsocket/tsocket.h"
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_proto.h"
@@ -117,8 +118,8 @@ static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security
struct gensec_sasl_state *gensec_sasl_state;
const char *service = gensec_get_target_service(gensec_security);
const char *target_name = gensec_get_target_hostname(gensec_security);
- struct socket_address *local_socket_addr = gensec_get_my_addr(gensec_security);
- struct socket_address *remote_socket_addr = gensec_get_peer_addr(gensec_security);
+ const struct tsocket_address *tlocal_addr = gensec_get_local_address(gensec_security);
+ const struct tsocket_address *tremote_addr = gensec_get_remote_address(gensec_security);
char *local_addr = NULL;
char *remote_addr = NULL;
int sasl_ret;
@@ -153,18 +154,18 @@ static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security
gensec_security->private_data = gensec_sasl_state;
- if (local_socket_addr) {
- local_addr = talloc_asprintf(gensec_sasl_state,
- "%s;%d",
- local_socket_addr->addr,
- local_socket_addr->port);
+ if (tlocal_addr) {
+ local_addr = talloc_asprintf(gensec_sasl_state,
+ "%s;%d",
+ tsocket_address_inet_addr_string(tlocal_addr, gensec_sasl_state),
+ tsocket_address_inet_port(tlocal_addr));
}
- if (remote_socket_addr) {
- remote_addr = talloc_asprintf(gensec_sasl_state,
- "%s;%d",
- remote_socket_addr->addr,
- remote_socket_addr->port);
+ if (tremote_addr) {
+ remote_addr = talloc_asprintf(gensec_sasl_state,
+ "%s;%d",
+ tsocket_address_inet_addr_string(tremote_addr, gensec_sasl_state),
+ tsocket_address_inet_port(tremote_addr));
}
gensec_sasl_state->step = 0;
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index 68f8188..ecd0778 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -21,7 +21,10 @@
*/
#include "includes.h"
+#include "system/network.h"
#include "lib/events/events.h"
+#include "lib/socket/socket.h"
+#include "lib/tsocket/tsocket.h"
#include "librpc/rpc/dcerpc.h"
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
@@ -518,11 +521,11 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
(*gensec_security)->ops = NULL;
+ (*gensec_security)->local_addr = NULL;
+ (*gensec_security)->remote_addr = NULL;
(*gensec_security)->private_data = NULL;
ZERO_STRUCT((*gensec_security)->target);
- ZERO_STRUCT((*gensec_security)->peer_addr);
- ZERO_STRUCT((*gensec_security)->my_addr);
(*gensec_security)->subcontext = false;
(*gensec_security)->want_features = 0;
@@ -1159,57 +1162,101 @@ _PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_s
return NULL;
}
-/**
- * Set (and talloc_reference) local and peer socket addresses onto a socket context on the GENSEC context
+/**
+ * Set (and talloc_reference) local and peer socket addresses onto a socket
+ * context on the GENSEC context.
*
* This is so that kerberos can include these addresses in
* cryptographic tokens, to avoid certain attacks.
*/
-_PUBLIC_ NTSTATUS gensec_set_my_addr(struct gensec_security *gensec_security, struct socket_address *my_addr)
+/**
+ * @brief Set the local gensec address.
+ *
+ * @param gensec_security The gensec security context to use.
+ *
+ * @param remote The local address to set.
+ *
+ * @return On success NT_STATUS_OK is returned or an NT_STATUS
+ * error.
+ */
+_PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
+ const struct tsocket_address *local)
{
- gensec_security->my_addr = my_addr;
- if (my_addr && !talloc_reference(gensec_security, my_addr)) {
+ TALLOC_FREE(gensec_security->local_addr);
+
+ if (local == NULL) {
+ return NT_STATUS_OK;
+ }
+
+ gensec_security->local_addr = tsocket_address_copy(local, gensec_security);
+ if (gensec_security->local_addr == NULL) {
return NT_STATUS_NO_MEMORY;
}
+
return NT_STATUS_OK;
}
-_PUBLIC_ NTSTATUS gensec_set_peer_addr(struct gensec_security *gensec_security, struct socket_address *peer_addr)
+/**
+ * @brief Set the remote gensec address.
+ *
+ * @param gensec_security The gensec security context to use.
+ *
+ * @param remote The remote address to set.
+ *
+ * @return On success NT_STATUS_OK is returned or an NT_STATUS
+ * error.
+ */
+_PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
+ const struct tsocket_address *remote)
{
- gensec_security->peer_addr = peer_addr;
- if (peer_addr && !talloc_reference(gensec_security, peer_addr)) {
+ TALLOC_FREE(gensec_security->remote_addr);
+
+ if (remote == NULL) {
+ return NT_STATUS_OK;
+ }
+
+ gensec_security->remote_addr = tsocket_address_copy(remote, gensec_security);
+ if (gensec_security->remote_addr == NULL) {
return NT_STATUS_NO_MEMORY;
}
+
return NT_STATUS_OK;
}
-struct socket_address *gensec_get_my_addr(struct gensec_security *gensec_security)
+/**
+ * @brief Get the local address from a gensec security context.
+ *
+ * @param gensec_security The security context to get the address from.
+ *
+ * @return The address as tsocket_address which could be NULL if
+ * no address is set.
+ */
+_PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security)
{
- if (gensec_security->my_addr) {
- return gensec_security->my_addr;
+ if (gensec_security == NULL) {
+ return NULL;
}
-
- /* We could add a 'set sockaddr' call, and do a lookup. This
- * would avoid needing to do system calls if nothing asks. */
- return NULL;
+ return gensec_security->local_addr;
}
-_PUBLIC_ struct socket_address *gensec_get_peer_addr(struct gensec_security *gensec_security)
+/**
+ * @brief Get the remote address from a gensec security context.
+ *
+ * @param gensec_security The security context to get the address from.
+ *
+ * @return The address as tsocket_address which could be NULL if
+ * no address is set.
+ */
+_PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security)
{
- if (gensec_security->peer_addr) {
- return gensec_security->peer_addr;
+ if (gensec_security == NULL) {
+ return NULL;
}
-
- /* We could add a 'set sockaddr' call, and do a lookup. This
- * would avoid needing to do system calls if nothing asks.
- * However, this is not appropriate for the peer addres on
- * datagram sockets */
- return NULL;
+ return gensec_security->remote_addr;
}
-
/**
* Set the target principal (assuming it it known, say from the SPNEGO reply)
* - ensures it is talloc()ed
diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
index 8c1716e..2ea2402 100644
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -169,7 +169,7 @@ struct gensec_security {
bool subcontext;
uint32_t want_features;
struct tevent_context *event_ctx;
- struct socket_address *my_addr, *peer_addr;
+ struct tsocket_address *local_addr, *remote_addr;
struct gensec_settings *settings;
/* When we are a server, this may be filled in to provide an
@@ -250,7 +250,6 @@ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security,
const char *mech_oid);
const char *gensec_get_name_by_oid(struct gensec_security *gensec_security, const char *oid_string);
struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security);
-struct socket_address *gensec_get_peer_addr(struct gensec_security *gensec_security);
NTSTATUS gensec_init(struct loadparm_context *lp_ctx);
NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
@@ -288,8 +287,14 @@ struct netlogon_creds_CredentialState;
NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
struct netlogon_creds_CredentialState **creds);
-NTSTATUS gensec_set_peer_addr(struct gensec_security *gensec_security, struct socket_address *peer_addr);
-NTSTATUS gensec_set_my_addr(struct gensec_security *gensec_security, struct socket_address *my_addr);
+
+
+NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
+ const struct tsocket_address *local);
+NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
+ const struct tsocket_address *remote);
+const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security);
+const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security);
NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security,
const char *name);
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index ee5f9c3..46b8181 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -28,6 +28,7 @@
#include "auth/kerberos/kerberos.h"
#include "auth/auth.h"
#include "lib/socket/socket.h"
+#include "lib/tsocket/tsocket.h"
#include "librpc/rpc/dcerpc.h"
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
@@ -89,7 +90,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool
krb5_error_code ret;
struct gensec_krb5_state *gensec_krb5_state;
struct cli_credentials *creds;
- const struct socket_address *my_addr, *peer_addr;
+ const struct tsocket_address *tlocal_addr, *tremote_addr;
krb5_address my_krb5_addr, peer_krb5_addr;
creds = gensec_get_credentials(gensec_security);
@@ -141,10 +142,19 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool
return NT_STATUS_INTERNAL_ERROR;
}
- my_addr = gensec_get_my_addr(gensec_security);
- if (my_addr && my_addr->sockaddr) {
- ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
- my_addr->sockaddr, &my_krb5_addr);
+ tlocal_addr = gensec_get_local_address(gensec_security);
+ if (tlocal_addr) {
+ ssize_t socklen;
+ struct sockaddr_storage ss;
+
+ socklen = tsocket_address_bsd_sockaddr(tlocal_addr,
+ (struct sockaddr *) &ss,
+ sizeof(struct sockaddr_storage));
+ if (socklen < 0) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
+ (const struct sockaddr *) &ss, &my_krb5_addr);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
@@ -154,10 +164,19 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool
}
}
- peer_addr = gensec_get_peer_addr(gensec_security);
- if (peer_addr && peer_addr->sockaddr) {
- ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
- peer_addr->sockaddr, &peer_krb5_addr);
+ tremote_addr = gensec_get_remote_address(gensec_security);
+ if (tremote_addr) {
+ ssize_t socklen;
+ struct sockaddr_storage ss;
+
+ socklen = tsocket_address_bsd_sockaddr(tremote_addr,
+ (struct sockaddr *) &ss,
+ sizeof(struct sockaddr_storage));
+ if (socklen < 0) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
+ (const struct sockaddr *) &ss, &peer_krb5_addr);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
@@ -169,8 +188,8 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool
ret = krb5_auth_con_setaddrs(gensec_krb5_state->smb_krb5_context->krb5_context,
gensec_krb5_state->auth_context,
- my_addr ? &my_krb5_addr : NULL,
- peer_addr ? &peer_krb5_addr : NULL);
+ tlocal_addr ? &my_krb5_addr : NULL,
+ tremote_addr ? &peer_krb5_addr : NULL);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_auth_con_setaddrs failed (%s)\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
diff --git a/source4/auth/ntlm/auth_unix.c b/source4/auth/ntlm/auth_unix.c
index 1717b9d..aa68bb1 100644
--- a/source4/auth/ntlm/auth_unix.c
+++ b/source4/auth/ntlm/auth_unix.c
@@ -23,7 +23,8 @@
#include "auth/auth.h"
#include "auth/ntlm/auth_proto.h"
#include "system/passwd.h" /* needed by some systems for struct passwd */
-#include "lib/socket/socket.h"
+#include "lib/socket/socket.h"
+#include "lib/tsocket/tsocket.h"
#include "auth/ntlm/pam_errors.h"
#include "param/param.h"
@@ -458,7 +459,8 @@ static NTSTATUS check_unix_password(TALLOC_CTX *ctx, struct loadparm_context *lp
* if true set up a crack name routine.
*/
- nt_status = smb_pam_start(&pamh, user_info->mapped.account_name, user_info->remote_host ? user_info->remote_host->addr : NULL, pamconv);
+ nt_status = smb_pam_start(&pamh, user_info->mapped.account_name,
+ user_info->remote_host ? tsocket_address_inet_addr_string(user_info->remote_host, ctx) : NULL, pamconv);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
diff --git a/source4/auth/ntlm/config.mk b/source4/auth/ntlm/config.mk
index cb9c3b6..a0d668f 100644
--- a/source4/auth/ntlm/config.mk
+++ b/source4/auth/ntlm/config.mk
@@ -57,7 +57,7 @@ auth_developer_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth_developer.o)
[MODULE::auth_unix]
INIT_FUNCTION = auth_unix_init
SUBSYSTEM = auth
-PRIVATE_DEPENDENCIES = CRYPT PAM PAM_ERRORS NSS_WRAPPER UID_WRAPPER
+PRIVATE_DEPENDENCIES = CRYPT PAM PAM_ERRORS NSS_WRAPPER UID_WRAPPER LIBTSOCKET
auth_unix_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth_unix.o)
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index 63cbf68..94de920 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -23,6 +23,7 @@
#include "includes.h"
#include "system/network.h"
+#include "lib/tsocket/tsocket.h"
#include "auth/ntlmssp/ntlmssp.h"
#include "../libcli/auth/libcli_auth.h"
#include "../lib/crypto/crypto.h"
@@ -666,7 +667,7 @@ static NTSTATUS auth_ntlmssp_check_password(struct gensec_ntlmssp_state *gensec_
user_info->client.account_name = gensec_ntlmssp_state->user;
user_info->client.domain_name = gensec_ntlmssp_state->domain;
user_info->workstation_name = gensec_ntlmssp_state->workstation;
- user_info->remote_host = gensec_get_peer_addr(gensec_ntlmssp_state->gensec_security);
+ user_info->remote_host = gensec_get_remote_address(gensec_ntlmssp_state->gensec_security);
user_info->password_state = AUTH_PASSWORD_RESPONSE;
user_info->password.response.lanman = gensec_ntlmssp_state->lm_resp;
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 18adf0a..9b3336a 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -436,9 +436,6 @@ bool kpasswdd_process(struct kdc_server *kdc,
DATA_BLOB kpasswd_req, kpasswd_rep;
struct cli_credentials *server_credentials;
struct gensec_security *gensec_security;
- struct sockaddr_storage ss;
- ssize_t socklen;
- struct socket_address *socket_address;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
char *keytab_name;
@@ -527,27 +524,14 @@ bool kpasswdd_process(struct kdc_server *kdc,
* older MIT clients need this, we might have to insert more
* complex code */
- nt_status = gensec_set_peer_addr(gensec_security, peer_addr);
+ nt_status = gensec_set_local_address(gensec_security, peer_addr);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return false;
}
#endif
- socklen = tsocket_address_bsd_sockaddr(my_addr, (struct sockaddr *) &ss,
- sizeof(struct sockaddr_storage));
- if (socklen < 0) {
- talloc_free(tmp_ctx);
- return false;
- }
- socket_address = socket_address_from_sockaddr(tmp_ctx,
- (struct sockaddr *) &ss, socklen);
- if (socket_address == NULL) {
- talloc_free(tmp_ctx);
- return false;
- }
-
- nt_status = gensec_set_my_addr(gensec_security, socket_address);
+ nt_status = gensec_set_local_address(gensec_security, my_addr);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return false;
--
Samba Shared Repository
More information about the samba-cvs
mailing list