[people/ms/ipfire-3.x.git] / krb5 / patches / krb5-1.6.3-kdc_listen_all.patch0

Provide an option to make the KDC also listen on loopback interfaces for
datagram requests.  Adds an internal symbol to libkrb5 which the KDC
needs if listening on loopback is enabled.

The default might be better changed from FALSE to TRUE so that the
default matches what we do with stream sockets.

FIXME: doesn't add documentation anywhere.

diff -up src/include/foreachaddr.h src/include/foreachaddr.h
--- src/include/foreachaddr.h	2004-05-05 18:44:46.000000000 -0400
+++ src/include/foreachaddr.h	2008-04-04 15:39:28.000000000 -0400
@@ -62,3 +62,18 @@ krb5int_foreach_localaddr (/*@null@*/ vo
     ;
 
 #define foreach_localaddr krb5int_foreach_localaddr
+
+extern int
+krb5int_foreach_localaddr_ext (/*@null@*/ void *data,
+			       int (*pass1fn) (/*@null@*/ void *,
+					       struct sockaddr *) /*@*/,
+			       /*@null@*/ krb5_boolean (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
+			       /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
+			       /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
+							  struct sockaddr *) /*@*/)
+#if defined(DEBUG) || defined(TEST)
+     /*@modifies fileSystem@*/
+#endif
+    ;
+
+#define foreach_localaddr_ext krb5int_foreach_localaddr_ext
diff -up src/kdc/kdc_util.h src/kdc/kdc_util.h
--- src/kdc/kdc_util.h	2008-04-04 16:28:18.000000000 -0400
+++ src/kdc/kdc_util.h	2008-04-04 16:51:27.000000000 -0400
@@ -126,6 +126,7 @@ krb5_error_code kdc_initialize_rcache (k
 krb5_error_code setup_server_realm (krb5_principal);
 
 /* network.c */
+void process_listen_loopback (krb5_boolean);
 krb5_error_code listen_and_process (const char *);
 krb5_error_code setup_network (const char *);
 krb5_error_code closedown_network (const char *);
diff -up src/kdc/main.c src/kdc/main.c
--- src/kdc/main.c	2008-04-04 16:22:43.000000000 -0400
+++ src/kdc/main.c	2008-04-04 16:55:22.000000000 -0400
@@ -422,6 +422,7 @@ initialize_realms(krb5_context kcontext,
     krb5_enctype	menctype = ENCTYPE_UNKNOWN;
     kdc_realm_t		*rdatap;
     krb5_boolean	manual = FALSE;
+    krb5_boolean	listen_loopback = FALSE;
     char		*default_udp_ports = 0;
     char		*default_tcp_ports = 0;
     krb5_pointer	aprof;
@@ -448,6 +449,9 @@ initialize_realms(krb5_context kcontext,
 	if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &v4mode))
 	    v4mode = 0;
 #endif
+	hierarchy[1] = "kdc_listen_loopback";
+	if (krb5_aprof_get_boolean(aprof, hierarchy, TRUE, &listen_loopback))
+	    listen_loopback = FALSE;
 	/* aprof_init can return 0 with aprof == NULL */
 	if (aprof)
 	     krb5_aprof_finish(aprof);
@@ -587,6 +591,8 @@ initialize_realms(krb5_context kcontext,
     free(v4mode);
 #endif
 
+    process_listen_loopback(listen_loopback);
+
     /*
      * Check to see if we processed any realms.
      */
diff -up src/kdc/network.c src/kdc/network.c
--- src/kdc/network.c	2008-04-04 15:39:28.000000000 -0400
+++ src/kdc/network.c	2008-04-04 16:51:44.000000000 -0400
@@ -221,6 +221,7 @@ static SET(u_short) udp_port_data, tcp_p
 #include "cm.h"
 
 static struct select_state sstate;
+static krb5_boolean listen_loopback;
 
 static krb5_error_code add_udp_port(int port)
 {
@@ -604,6 +605,12 @@ scan_for_newlines:
 }
 #endif
 
+void
+process_listen_loopback(krb5_boolean listen_loop)
+{
+    listen_loopback = listen_loop;
+}
+
 /* XXX */
 extern int krb5int_debug_sendto_kdc;
 extern void (*krb5int_sendtokdc_debug_handler)(const void*, size_t);
@@ -662,7 +669,9 @@ setup_network(const char *prog)
        so we might need only one UDP socket; fall back to binding
        sockets on each address only if IPV6_PKTINFO isn't
        supported.  */
-    if (foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) {
+    if (listen_loopback ?
+	foreach_localaddr_ext (&setup_data, setup_udp_port, 0, 0, 0) :
+	foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) {
 	return setup_data.retval;
     }
     setup_tcp_listener_ports(&setup_data);
diff -up src/lib/krb5/os/localaddr.c src/lib/krb5/os/localaddr.c
--- src/lib/krb5/os/localaddr.c	2005-04-13 12:55:43.000000000 -0400
+++ src/lib/krb5/os/localaddr.c	2008-04-04 15:39:28.000000000 -0400
@@ -242,6 +242,17 @@ addr_eq (const struct sockaddr *s1, cons
 }
 #endif
 
+static krb5_boolean
+skip_loopback (struct sockaddr *addr, int flags)
+{
+#ifdef IFF_LOOPBACK
+    if (flags & IFF_LOOPBACK) {
+	return TRUE;
+    }
+#endif
+    return FALSE;
+}
+
 #ifndef HAVE_IFADDRS_H
 /*@-usereleased@*/ /* lclint doesn't understand realloc */
 static /*@null@*/ void *
@@ -413,14 +424,27 @@ get_linux_ipv6_addrs ()
    indication, it should do it via some field pointed to by the DATA
    argument.  */
 
-#ifdef HAVE_IFADDRS_H
-
 int
 foreach_localaddr (/*@null@*/ void *data,
 		   int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
 		   /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
 		   /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
 					      struct sockaddr *) /*@*/)
+{
+    return foreach_localaddr_ext(data, pass1fn,
+				 &skip_loopback, betweenfn,
+				 pass2fn);
+}
+
+#ifdef HAVE_IFADDRS_H
+
+int
+foreach_localaddr_ext (/*@null@*/ void *data,
+		       int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
+		       /*@null@*/ krb5_boolean (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
+		       /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
+		       /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
+						  struct sockaddr *) /*@*/)
 #if defined(DEBUG) || defined(TEST)
      /*@modifies fileSystem@*/
 #endif
@@ -436,7 +460,7 @@ foreach_localaddr (/*@null@*/ void *data
 #endif
 	if ((ifp->ifa_flags & IFF_UP) == 0)
 	    continue;
-	if (ifp->ifa_flags & IFF_LOOPBACK) {
+	if (skipfn && (*skipfn)(ifp->ifa_addr, ifp->ifa_flags)) {
 	    /* Pretend it's not up, so the second pass will skip
 	       it.  */
 	    ifp->ifa_flags &= ~IFF_UP;
@@ -459,7 +483,7 @@ foreach_localaddr (/*@null@*/ void *data
 	for (ifp2 = ifp_head; ifp2 && ifp2 != ifp; ifp2 = ifp2->ifa_next) {
 	    if ((ifp2->ifa_flags & IFF_UP) == 0)
 		continue;
-	    if (ifp2->ifa_flags & IFF_LOOPBACK)
+	    if (skipfn && (*skipfn)(ifp2->ifa_addr, ifp2->ifa_flags))
 		continue;
 	    if (addr_eq (ifp->ifa_addr, ifp2->ifa_addr)) {
 		match = 1;
@@ -488,11 +512,12 @@ foreach_localaddr (/*@null@*/ void *data
 #elif defined (SIOCGLIFNUM) && defined(HAVE_STRUCT_LIFCONF) /* Solaris 8 and later; Sol 7? */
 
 int
-foreach_localaddr (/*@null@*/ void *data,
-		   int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
-		   /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
-		   /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
-					      struct sockaddr *) /*@*/)
+foreach_localaddr_ext (/*@null@*/ void *data,
+		       int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
+		       /*@null@*/ int (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
+		       /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
+		       /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
+					          struct sockaddr *) /*@*/)
 #if defined(DEBUG) || defined(TEST)
      /*@modifies fileSystem@*/
 #endif
@@ -583,13 +608,12 @@ foreach_localaddr (/*@null@*/ void *data
 	    }
 	    /*@=moduncon@*/
 
-#ifdef IFF_LOOPBACK
-	    /* None of the current callers want loopback addresses.  */
-	    if (lifreq.lifr_flags & IFF_LOOPBACK) {
-		Tprintf (("  loopback\n"));
+	    if (skipfn && (*skipfn)(lifreq.lifr_addr, lifreq.lifr_flags))
+		if (skipfn && (skipfn == &skip_loopback))
+		    Tprintf (("  loopback\n"));
 		goto skip;
 	    }
-#endif
+
 	    /* Ignore interfaces that are down.  */
 	    if ((lifreq.lifr_flags & IFF_UP) == 0) {
 		Tprintf (("  down\n"));
@@ -755,13 +779,12 @@ foreach_localaddr (/*@null@*/ void *data
 	    }
 	    /*@=moduncon@*/
 
-#ifdef IFF_LOOPBACK
 	    /* None of the current callers want loopback addresses.  */
-	    if (lifreq.iflr_flags & IFF_LOOPBACK) {
-		Tprintf (("  loopback\n"));
+	    if (skipfn && (*skipfn)(ifp2->ifa_addr, lifreq.lifr_flags))
+		if (skipfn && (skipfn == &skip_loopback))
+		    Tprintf (("  loopback\n"));
 		goto skip;
 	    }
-#endif
 	    /* Ignore interfaces that are down.  */
 	    if ((lifreq.iflr_flags & IFF_UP) == 0) {
 		Tprintf (("  down\n"));
@@ -971,13 +994,12 @@ foreach_localaddr (/*@null@*/ void *data
 	}
 	/*@=moduncon@*/
 
-#ifdef IFF_LOOPBACK
-	/* None of the current callers want loopback addresses.  */
-	if (ifreq.ifr_flags & IFF_LOOPBACK) {
-	    Tprintf (("  loopback\n"));
+	if (skipfn && (*skipfn)(NULL, ifreq.ifr_flags))
+	    if (skipfn && (skipfn == &skip_loopback))
+		Tprintf (("  loopback\n"));
 	    goto skip;
 	}
-#endif
+
 	/* Ignore interfaces that are down.  */
 	if ((ifreq.ifr_flags & IFF_UP) == 0) {
 	    Tprintf (("  down\n"));
Commit	Line	Data
6cf77d05 SS	1	Provide an option to make the KDC also listen on loopback interfaces for
	2	datagram requests. Adds an internal symbol to libkrb5 which the KDC
	3	needs if listening on loopback is enabled.
	4
	5	The default might be better changed from FALSE to TRUE so that the
	6	default matches what we do with stream sockets.
	7
	8	FIXME: doesn't add documentation anywhere.
	9
	10	diff -up src/include/foreachaddr.h src/include/foreachaddr.h
	11	--- src/include/foreachaddr.h 2004-05-05 18:44:46.000000000 -0400
	12	+++ src/include/foreachaddr.h 2008-04-04 15:39:28.000000000 -0400
	13	@@ -62,3 +62,18 @@ krb5int_foreach_localaddr (/@null@/ vo
	14	;
	15
	16	#define foreach_localaddr krb5int_foreach_localaddr
	17	+
	18	+extern int
	19	+krb5int_foreach_localaddr_ext (/@null@/ void *data,
	20	+ int (pass1fn) (/@null@/ void ,
	21	+ struct sockaddr ) /@*/,
	22	+ /@null@/ krb5_boolean (skipfn) (/@null@/ struct sockaddr , int) /@/,
	23	+ /@null@/ int (betweenfn) (/@null@/ void ) /@/,
	24	+ /@null@/ int (pass2fn) (/@null@/ void ,
	25	+ struct sockaddr ) /@*/)
	26	+#if defined(DEBUG) \|\| defined(TEST)
	27	+ /@modifies fileSystem@/
	28	+#endif
	29	+ ;
	30	+
	31	+#define foreach_localaddr_ext krb5int_foreach_localaddr_ext
	32	diff -up src/kdc/kdc_util.h src/kdc/kdc_util.h
	33	--- src/kdc/kdc_util.h 2008-04-04 16:28:18.000000000 -0400
	34	+++ src/kdc/kdc_util.h 2008-04-04 16:51:27.000000000 -0400
	35	@@ -126,6 +126,7 @@ krb5_error_code kdc_initialize_rcache (k
	36	krb5_error_code setup_server_realm (krb5_principal);
	37
	38	/* network.c */
	39	+void process_listen_loopback (krb5_boolean);
	40	krb5_error_code listen_and_process (const char *);
	41	krb5_error_code setup_network (const char *);
	42	krb5_error_code closedown_network (const char *);
	43	diff -up src/kdc/main.c src/kdc/main.c
	44	--- src/kdc/main.c 2008-04-04 16:22:43.000000000 -0400
	45	+++ src/kdc/main.c 2008-04-04 16:55:22.000000000 -0400
	46	@@ -422,6 +422,7 @@ initialize_realms(krb5_context kcontext,
	47	krb5_enctype menctype = ENCTYPE_UNKNOWN;
	48	kdc_realm_t *rdatap;
	49	krb5_boolean manual = FALSE;
	50	+ krb5_boolean listen_loopback = FALSE;
	51	char *default_udp_ports = 0;
	52	char *default_tcp_ports = 0;
	53	krb5_pointer aprof;
	54	@@ -448,6 +449,9 @@ initialize_realms(krb5_context kcontext,
	55	if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &v4mode))
	56	v4mode = 0;
	57	#endif
	58	+ hierarchy[1] = "kdc_listen_loopback";
	59	+ if (krb5_aprof_get_boolean(aprof, hierarchy, TRUE, &listen_loopback))
	60	+ listen_loopback = FALSE;
	61	/* aprof_init can return 0 with aprof == NULL */
	62	if (aprof)
	63	krb5_aprof_finish(aprof);
	64	@@ -587,6 +591,8 @@ initialize_realms(krb5_context kcontext,
65	free(v4mode);
66	#endif
67
68	+ process_listen_loopback(listen_loopback);
69	+
70	/*
71	* Check to see if we processed any realms.
72	*/
73	diff -up src/kdc/network.c src/kdc/network.c
74	--- src/kdc/network.c 2008-04-04 15:39:28.000000000 -0400
75	+++ src/kdc/network.c 2008-04-04 16:51:44.000000000 -0400
76	@@ -221,6 +221,7 @@ static SET(u_short) udp_port_data, tcp_p
77	#include "cm.h"
78
79	static struct select_state sstate;
80	+static krb5_boolean listen_loopback;
81
82	static krb5_error_code add_udp_port(int port)
83	{
84	@@ -604,6 +605,12 @@ scan_for_newlines:
85	}
86	#endif
87
88	+void
89	+process_listen_loopback(krb5_boolean listen_loop)
90	+{
91	+ listen_loopback = listen_loop;
92	+}
93	+
94	/* XXX */
95	extern int krb5int_debug_sendto_kdc;
96	extern void (krb5int_sendtokdc_debug_handler)(const void, size_t);
97	@@ -662,7 +669,9 @@ setup_network(const char *prog)
98	so we might need only one UDP socket; fall back to binding
99	sockets on each address only if IPV6_PKTINFO isn't
100	supported. */
101	- if (foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) {
102	+ if (listen_loopback ?
103	+ foreach_localaddr_ext (&setup_data, setup_udp_port, 0, 0, 0) :
104	+ foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) {
105	return setup_data.retval;
106	}
107	setup_tcp_listener_ports(&setup_data);
108	diff -up src/lib/krb5/os/localaddr.c src/lib/krb5/os/localaddr.c
109	--- src/lib/krb5/os/localaddr.c 2005-04-13 12:55:43.000000000 -0400
110	+++ src/lib/krb5/os/localaddr.c 2008-04-04 15:39:28.000000000 -0400
111	@@ -242,6 +242,17 @@ addr_eq (const struct sockaddr *s1, cons
112	}
113	#endif
114
115	+static krb5_boolean
116	+skip_loopback (struct sockaddr *addr, int flags)
117	+{
118	+#ifdef IFF_LOOPBACK
119	+ if (flags & IFF_LOOPBACK) {
120	+ return TRUE;
121	+ }
122	+#endif
123	+ return FALSE;
124	+}
125	+
126	#ifndef HAVE_IFADDRS_H
127	/@-usereleased@/ /* lclint doesn't understand realloc */
128	static /@null@/ void *
129	@@ -413,14 +424,27 @@ get_linux_ipv6_addrs ()
130	indication, it should do it via some field pointed to by the DATA
131	argument. */
132
133	-#ifdef HAVE_IFADDRS_H
134	-
135	int
136	foreach_localaddr (/@null@/ void *data,
137	int (pass1fn) (/@null@/ void , struct sockaddr ) /@*/,
138	/@null@/ int (betweenfn) (/@null@/ void ) /@/,
139	/@null@/ int (pass2fn) (/@null@/ void ,
140	struct sockaddr ) /@*/)
141	+{
142	+ return foreach_localaddr_ext(data, pass1fn,
143	+ &skip_loopback, betweenfn,
144	+ pass2fn);
145	+}
146	+
147	+#ifdef HAVE_IFADDRS_H
148	+
149	+int
150	+foreach_localaddr_ext (/@null@/ void *data,
151	+ int (pass1fn) (/@null@/ void , struct sockaddr ) /@*/,
152	+ /@null@/ krb5_boolean (skipfn) (/@null@/ struct sockaddr , int) /@/,
153	+ /@null@/ int (betweenfn) (/@null@/ void ) /@/,
154	+ /@null@/ int (pass2fn) (/@null@/ void ,
155	+ struct sockaddr ) /@*/)
156	#if defined(DEBUG) \|\| defined(TEST)
157	/@modifies fileSystem@/
158	#endif
159	@@ -436,7 +460,7 @@ foreach_localaddr (/@null@/ void *data
160	#endif
161	if ((ifp->ifa_flags & IFF_UP) == 0)
162	continue;
163	- if (ifp->ifa_flags & IFF_LOOPBACK) {
164	+ if (skipfn && (*skipfn)(ifp->ifa_addr, ifp->ifa_flags)) {
165	/* Pretend it's not up, so the second pass will skip
166	it. */
167	ifp->ifa_flags &= ~IFF_UP;
168	@@ -459,7 +483,7 @@ foreach_localaddr (/@null@/ void *data
169	for (ifp2 = ifp_head; ifp2 && ifp2 != ifp; ifp2 = ifp2->ifa_next) {
170	if ((ifp2->ifa_flags & IFF_UP) == 0)
171	continue;
172	- if (ifp2->ifa_flags & IFF_LOOPBACK)
173	+ if (skipfn && (*skipfn)(ifp2->ifa_addr, ifp2->ifa_flags))
174	continue;
175	if (addr_eq (ifp->ifa_addr, ifp2->ifa_addr)) {
176	match = 1;
177	@@ -488,11 +512,12 @@ foreach_localaddr (/@null@/ void *data
178	#elif defined (SIOCGLIFNUM) && defined(HAVE_STRUCT_LIFCONF) /* Solaris 8 and later; Sol 7? */
179
180	int
181	-foreach_localaddr (/@null@/ void *data,
182	- int (pass1fn) (/@null@/ void , struct sockaddr ) /@*/,
183	- /@null@/ int (betweenfn) (/@null@/ void ) /@/,
184	- /@null@/ int (pass2fn) (/@null@/ void ,
185	- struct sockaddr ) /@*/)
186	+foreach_localaddr_ext (/@null@/ void *data,
187	+ int (pass1fn) (/@null@/ void , struct sockaddr ) /@*/,
188	+ /@null@/ int (skipfn) (/@null@/ struct sockaddr , int) /@/,
189	+ /@null@/ int (betweenfn) (/@null@/ void ) /@/,
190	+ /@null@/ int (pass2fn) (/@null@/ void ,
191	+ struct sockaddr ) /@*/)
192	#if defined(DEBUG) \|\| defined(TEST)
193	/@modifies fileSystem@/
194	#endif
195	@@ -583,13 +608,12 @@ foreach_localaddr (/@null@/ void *data
196	}
197	/@=moduncon@/
198
199	-#ifdef IFF_LOOPBACK
200	- /* None of the current callers want loopback addresses. */
201	- if (lifreq.lifr_flags & IFF_LOOPBACK) {
202	- Tprintf ((" loopback\n"));
203	+ if (skipfn && (*skipfn)(lifreq.lifr_addr, lifreq.lifr_flags))
204	+ if (skipfn && (skipfn == &skip_loopback))
205	+ Tprintf ((" loopback\n"));
206	goto skip;
207	}
208	-#endif
209	+
210	/* Ignore interfaces that are down. */
211	if ((lifreq.lifr_flags & IFF_UP) == 0) {
212	Tprintf ((" down\n"));
213	@@ -755,13 +779,12 @@ foreach_localaddr (/@null@/ void *data
214	}
215	/@=moduncon@/
216
217	-#ifdef IFF_LOOPBACK
218	/* None of the current callers want loopback addresses. */
219	- if (lifreq.iflr_flags & IFF_LOOPBACK) {
220	- Tprintf ((" loopback\n"));
221	+ if (skipfn && (*skipfn)(ifp2->ifa_addr, lifreq.lifr_flags))
222	+ if (skipfn && (skipfn == &skip_loopback))
223	+ Tprintf ((" loopback\n"));
224	goto skip;
225	}
226	-#endif
227	/* Ignore interfaces that are down. */
228	if ((lifreq.iflr_flags & IFF_UP) == 0) {
229	Tprintf ((" down\n"));
230	@@ -971,13 +994,12 @@ foreach_localaddr (/@null@/ void *data
231	}
232	/@=moduncon@/
233
234	-#ifdef IFF_LOOPBACK
235	- /* None of the current callers want loopback addresses. */
236	- if (ifreq.ifr_flags & IFF_LOOPBACK) {
237	- Tprintf ((" loopback\n"));
238	+ if (skipfn && (*skipfn)(NULL, ifreq.ifr_flags))
239	+ if (skipfn && (skipfn == &skip_loopback))
240	+ Tprintf ((" loopback\n"));
241	goto skip;
242	}
243	-#endif
244	+
245	/* Ignore interfaces that are down. */
246	if ((ifreq.ifr_flags & IFF_UP) == 0) {
247	Tprintf ((" down\n"));