]>
Commit | Line | Data |
---|---|---|
6cf77d05 SS |
1 | Provide an option to make the KDC also listen on loopback interfaces for |
2 | datagram requests. Adds an internal symbol to libkrb5 which the KDC | |
3 | needs if listening on loopback is enabled. | |
4 | ||
5 | The default might be better changed from FALSE to TRUE so that the | |
6 | default matches what we do with stream sockets. | |
7 | ||
8 | FIXME: doesn't add documentation anywhere. | |
9 | ||
10 | diff -up src/include/foreachaddr.h src/include/foreachaddr.h | |
11 | --- src/include/foreachaddr.h 2004-05-05 18:44:46.000000000 -0400 | |
12 | +++ src/include/foreachaddr.h 2008-04-04 15:39:28.000000000 -0400 | |
13 | @@ -62,3 +62,18 @@ krb5int_foreach_localaddr (/*@null@*/ vo | |
14 | ; | |
15 | ||
16 | #define foreach_localaddr krb5int_foreach_localaddr | |
17 | + | |
18 | +extern int | |
19 | +krb5int_foreach_localaddr_ext (/*@null@*/ void *data, | |
20 | + int (*pass1fn) (/*@null@*/ void *, | |
21 | + struct sockaddr *) /*@*/, | |
22 | + /*@null@*/ krb5_boolean (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/, | |
23 | + /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/, | |
24 | + /*@null@*/ int (*pass2fn) (/*@null@*/ void *, | |
25 | + struct sockaddr *) /*@*/) | |
26 | +#if defined(DEBUG) || defined(TEST) | |
27 | + /*@modifies fileSystem@*/ | |
28 | +#endif | |
29 | + ; | |
30 | + | |
31 | +#define foreach_localaddr_ext krb5int_foreach_localaddr_ext | |
32 | diff -up src/kdc/kdc_util.h src/kdc/kdc_util.h | |
33 | --- src/kdc/kdc_util.h 2008-04-04 16:28:18.000000000 -0400 | |
34 | +++ src/kdc/kdc_util.h 2008-04-04 16:51:27.000000000 -0400 | |
35 | @@ -126,6 +126,7 @@ krb5_error_code kdc_initialize_rcache (k | |
36 | krb5_error_code setup_server_realm (krb5_principal); | |
37 | ||
38 | /* network.c */ | |
39 | +void process_listen_loopback (krb5_boolean); | |
40 | krb5_error_code listen_and_process (const char *); | |
41 | krb5_error_code setup_network (const char *); | |
42 | krb5_error_code closedown_network (const char *); | |
43 | diff -up src/kdc/main.c src/kdc/main.c | |
44 | --- src/kdc/main.c 2008-04-04 16:22:43.000000000 -0400 | |
45 | +++ src/kdc/main.c 2008-04-04 16:55:22.000000000 -0400 | |
46 | @@ -422,6 +422,7 @@ initialize_realms(krb5_context kcontext, | |
47 | krb5_enctype menctype = ENCTYPE_UNKNOWN; | |
48 | kdc_realm_t *rdatap; | |
49 | krb5_boolean manual = FALSE; | |
50 | + krb5_boolean listen_loopback = FALSE; | |
51 | char *default_udp_ports = 0; | |
52 | char *default_tcp_ports = 0; | |
53 | krb5_pointer aprof; | |
54 | @@ -448,6 +449,9 @@ initialize_realms(krb5_context kcontext, | |
55 | if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &v4mode)) | |
56 | v4mode = 0; | |
57 | #endif | |
58 | + hierarchy[1] = "kdc_listen_loopback"; | |
59 | + if (krb5_aprof_get_boolean(aprof, hierarchy, TRUE, &listen_loopback)) | |
60 | + listen_loopback = FALSE; | |
61 | /* aprof_init can return 0 with aprof == NULL */ | |
62 | if (aprof) | |
63 | krb5_aprof_finish(aprof); | |
64 | @@ -587,6 +591,8 @@ initialize_realms(krb5_context kcontext, | |
65 | free(v4mode); | |
66 | #endif | |
67 | ||
68 | + process_listen_loopback(listen_loopback); | |
69 | + | |
70 | /* | |
71 | * Check to see if we processed any realms. | |
72 | */ | |
73 | diff -up src/kdc/network.c src/kdc/network.c | |
74 | --- src/kdc/network.c 2008-04-04 15:39:28.000000000 -0400 | |
75 | +++ src/kdc/network.c 2008-04-04 16:51:44.000000000 -0400 | |
76 | @@ -221,6 +221,7 @@ static SET(u_short) udp_port_data, tcp_p | |
77 | #include "cm.h" | |
78 | ||
79 | static struct select_state sstate; | |
80 | +static krb5_boolean listen_loopback; | |
81 | ||
82 | static krb5_error_code add_udp_port(int port) | |
83 | { | |
84 | @@ -604,6 +605,12 @@ scan_for_newlines: | |
85 | } | |
86 | #endif | |
87 | ||
88 | +void | |
89 | +process_listen_loopback(krb5_boolean listen_loop) | |
90 | +{ | |
91 | + listen_loopback = listen_loop; | |
92 | +} | |
93 | + | |
94 | /* XXX */ | |
95 | extern int krb5int_debug_sendto_kdc; | |
96 | extern void (*krb5int_sendtokdc_debug_handler)(const void*, size_t); | |
97 | @@ -662,7 +669,9 @@ setup_network(const char *prog) | |
98 | so we might need only one UDP socket; fall back to binding | |
99 | sockets on each address only if IPV6_PKTINFO isn't | |
100 | supported. */ | |
101 | - if (foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) { | |
102 | + if (listen_loopback ? | |
103 | + foreach_localaddr_ext (&setup_data, setup_udp_port, 0, 0, 0) : | |
104 | + foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) { | |
105 | return setup_data.retval; | |
106 | } | |
107 | setup_tcp_listener_ports(&setup_data); | |
108 | diff -up src/lib/krb5/os/localaddr.c src/lib/krb5/os/localaddr.c | |
109 | --- src/lib/krb5/os/localaddr.c 2005-04-13 12:55:43.000000000 -0400 | |
110 | +++ src/lib/krb5/os/localaddr.c 2008-04-04 15:39:28.000000000 -0400 | |
111 | @@ -242,6 +242,17 @@ addr_eq (const struct sockaddr *s1, cons | |
112 | } | |
113 | #endif | |
114 | ||
115 | +static krb5_boolean | |
116 | +skip_loopback (struct sockaddr *addr, int flags) | |
117 | +{ | |
118 | +#ifdef IFF_LOOPBACK | |
119 | + if (flags & IFF_LOOPBACK) { | |
120 | + return TRUE; | |
121 | + } | |
122 | +#endif | |
123 | + return FALSE; | |
124 | +} | |
125 | + | |
126 | #ifndef HAVE_IFADDRS_H | |
127 | /*@-usereleased@*/ /* lclint doesn't understand realloc */ | |
128 | static /*@null@*/ void * | |
129 | @@ -413,14 +424,27 @@ get_linux_ipv6_addrs () | |
130 | indication, it should do it via some field pointed to by the DATA | |
131 | argument. */ | |
132 | ||
133 | -#ifdef HAVE_IFADDRS_H | |
134 | - | |
135 | int | |
136 | foreach_localaddr (/*@null@*/ void *data, | |
137 | int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/, | |
138 | /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/, | |
139 | /*@null@*/ int (*pass2fn) (/*@null@*/ void *, | |
140 | struct sockaddr *) /*@*/) | |
141 | +{ | |
142 | + return foreach_localaddr_ext(data, pass1fn, | |
143 | + &skip_loopback, betweenfn, | |
144 | + pass2fn); | |
145 | +} | |
146 | + | |
147 | +#ifdef HAVE_IFADDRS_H | |
148 | + | |
149 | +int | |
150 | +foreach_localaddr_ext (/*@null@*/ void *data, | |
151 | + int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/, | |
152 | + /*@null@*/ krb5_boolean (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/, | |
153 | + /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/, | |
154 | + /*@null@*/ int (*pass2fn) (/*@null@*/ void *, | |
155 | + struct sockaddr *) /*@*/) | |
156 | #if defined(DEBUG) || defined(TEST) | |
157 | /*@modifies fileSystem@*/ | |
158 | #endif | |
159 | @@ -436,7 +460,7 @@ foreach_localaddr (/*@null@*/ void *data | |
160 | #endif | |
161 | if ((ifp->ifa_flags & IFF_UP) == 0) | |
162 | continue; | |
163 | - if (ifp->ifa_flags & IFF_LOOPBACK) { | |
164 | + if (skipfn && (*skipfn)(ifp->ifa_addr, ifp->ifa_flags)) { | |
165 | /* Pretend it's not up, so the second pass will skip | |
166 | it. */ | |
167 | ifp->ifa_flags &= ~IFF_UP; | |
168 | @@ -459,7 +483,7 @@ foreach_localaddr (/*@null@*/ void *data | |
169 | for (ifp2 = ifp_head; ifp2 && ifp2 != ifp; ifp2 = ifp2->ifa_next) { | |
170 | if ((ifp2->ifa_flags & IFF_UP) == 0) | |
171 | continue; | |
172 | - if (ifp2->ifa_flags & IFF_LOOPBACK) | |
173 | + if (skipfn && (*skipfn)(ifp2->ifa_addr, ifp2->ifa_flags)) | |
174 | continue; | |
175 | if (addr_eq (ifp->ifa_addr, ifp2->ifa_addr)) { | |
176 | match = 1; | |
177 | @@ -488,11 +512,12 @@ foreach_localaddr (/*@null@*/ void *data | |
178 | #elif defined (SIOCGLIFNUM) && defined(HAVE_STRUCT_LIFCONF) /* Solaris 8 and later; Sol 7? */ | |
179 | ||
180 | int | |
181 | -foreach_localaddr (/*@null@*/ void *data, | |
182 | - int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/, | |
183 | - /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/, | |
184 | - /*@null@*/ int (*pass2fn) (/*@null@*/ void *, | |
185 | - struct sockaddr *) /*@*/) | |
186 | +foreach_localaddr_ext (/*@null@*/ void *data, | |
187 | + int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/, | |
188 | + /*@null@*/ int (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/, | |
189 | + /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/, | |
190 | + /*@null@*/ int (*pass2fn) (/*@null@*/ void *, | |
191 | + struct sockaddr *) /*@*/) | |
192 | #if defined(DEBUG) || defined(TEST) | |
193 | /*@modifies fileSystem@*/ | |
194 | #endif | |
195 | @@ -583,13 +608,12 @@ foreach_localaddr (/*@null@*/ void *data | |
196 | } | |
197 | /*@=moduncon@*/ | |
198 | ||
199 | -#ifdef IFF_LOOPBACK | |
200 | - /* None of the current callers want loopback addresses. */ | |
201 | - if (lifreq.lifr_flags & IFF_LOOPBACK) { | |
202 | - Tprintf ((" loopback\n")); | |
203 | + if (skipfn && (*skipfn)(lifreq.lifr_addr, lifreq.lifr_flags)) | |
204 | + if (skipfn && (skipfn == &skip_loopback)) | |
205 | + Tprintf ((" loopback\n")); | |
206 | goto skip; | |
207 | } | |
208 | -#endif | |
209 | + | |
210 | /* Ignore interfaces that are down. */ | |
211 | if ((lifreq.lifr_flags & IFF_UP) == 0) { | |
212 | Tprintf ((" down\n")); | |
213 | @@ -755,13 +779,12 @@ foreach_localaddr (/*@null@*/ void *data | |
214 | } | |
215 | /*@=moduncon@*/ | |
216 | ||
217 | -#ifdef IFF_LOOPBACK | |
218 | /* None of the current callers want loopback addresses. */ | |
219 | - if (lifreq.iflr_flags & IFF_LOOPBACK) { | |
220 | - Tprintf ((" loopback\n")); | |
221 | + if (skipfn && (*skipfn)(ifp2->ifa_addr, lifreq.lifr_flags)) | |
222 | + if (skipfn && (skipfn == &skip_loopback)) | |
223 | + Tprintf ((" loopback\n")); | |
224 | goto skip; | |
225 | } | |
226 | -#endif | |
227 | /* Ignore interfaces that are down. */ | |
228 | if ((lifreq.iflr_flags & IFF_UP) == 0) { | |
229 | Tprintf ((" down\n")); | |
230 | @@ -971,13 +994,12 @@ foreach_localaddr (/*@null@*/ void *data | |
231 | } | |
232 | /*@=moduncon@*/ | |
233 | ||
234 | -#ifdef IFF_LOOPBACK | |
235 | - /* None of the current callers want loopback addresses. */ | |
236 | - if (ifreq.ifr_flags & IFF_LOOPBACK) { | |
237 | - Tprintf ((" loopback\n")); | |
238 | + if (skipfn && (*skipfn)(NULL, ifreq.ifr_flags)) | |
239 | + if (skipfn && (skipfn == &skip_loopback)) | |
240 | + Tprintf ((" loopback\n")); | |
241 | goto skip; | |
242 | } | |
243 | -#endif | |
244 | + | |
245 | /* Ignore interfaces that are down. */ | |
246 | if ((ifreq.ifr_flags & IFF_UP) == 0) { | |
247 | Tprintf ((" down\n")); |