1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-29 11:21:54 +03:00
Commit Graph

37 Commits

Author SHA1 Message Date
Jelmer Vernooij
f679def4f2 s4: Fix a few warnings. 2010-01-21 16:15:11 +13:00
Andrew Tridgell
81eb31f07b s4: spelling error 2009-10-18 15:56:16 +11:00
Andrew Tridgell
bb7e6f0f51 Worked around a problem with select/poll/epoll and gnutls
Our packet layer relies on the event system reliably telling us when a
packet is available. When we are using a socket layer like TLS then
things get a bit trickier, as there may be bytes in the encryption
buffer which could be read even if there are no bytes at the socket
level. The GNUTLS library is supposed to prevent this happening by
always leaving some data at the socket level when there is data to be
processed in its buffers, but it seems that this is not always
reliable.

To work around this I have added a new packet option
packet_set_unreliable_select() which tells the packet layer to not
assume that the socket layer has a reliable select, and to instead
keep trying to read from the socket until it gets back no data. This
option is set for the ldap client and server when TLS is negotiated.

This seems to fix the problems with the ldaps tests.
2009-02-18 17:37:45 +11:00
Stefan Metzmacher
79ae2de001 s4:lib/stream: s/private/private_data
metze
2009-02-02 13:08:26 +01:00
Stefan Metzmacher
183c379fe5 s4:lib/tevent: rename structs
list=""
list="$list event_context:tevent_context"
list="$list fd_event:tevent_fd"
list="$list timed_event:tevent_timer"

for s in $list; do
	o=`echo $s | cut -d ':' -f1`
	n=`echo $s | cut -d ':' -f2`
	r=`git grep "struct $o" |cut -d ':' -f1 |sort -u`
	files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
	for f in $files; do
		cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
		mv $f.tmp $f
	done
done

metze
2008-12-29 20:46:40 +01:00
Stefan Metzmacher
081f8883ba s4: fix LIBEVENTS dependencies and use more forward declarations
We should only include events.h where we really need it
and prefer forward declarations of 'struct event_context'

metze
2008-12-17 11:04:45 +01:00
Jelmer Vernooij
9565999755 Fix include paths to new location of libutil. 2008-10-11 21:31:42 +02:00
Stefan Metzmacher
8350a23093 packet: make it possible to free the packet_context from the send_callback
metze
(cherry picked from commit 20795c4a0d5f75561561470231de1a2fad2906ff)
(This used to be commit 5d5b4e4ab2)
2008-07-07 21:42:10 +02:00
Jelmer Vernooij
333c169529 Use variables for source directory in remaining subsystems.
(This used to be commit 6b6b2196a8)
2008-05-18 20:30:46 +02:00
Jelmer Vernooij
b29d47edcf Move object file lists to the Makefile.
(This used to be commit a7e6d2a183)
2008-03-03 18:25:28 +01:00
Jelmer Vernooij
719a4ae0d3 r25522: Convert to standard bool types.
(This used to be commit 5e814287ba)
2007-10-10 15:07:47 -05:00
Jelmer Vernooij
0b91f39164 r24780: More work allowing libutil to be used by external users.
(This used to be commit 31993cf67b)
2007-10-10 15:03:10 -05:00
Andrew Tridgell
0479a2f1cb r23792: convert Samba4 to GPLv3
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac)
2007-10-10 14:59:12 -05:00
Jelmer Vernooij
0329d755a7 r17930: Merge noinclude branch:
* Move dlinklist.h, smb.h to subsystem-specific directories
 * Clean up ads.h and move what is left of it to dsdb/
   (only place where it's used)
(This used to be commit f7afa1cb77)
2007-10-10 14:16:54 -05:00
Andrew Bartlett
9d6f276717 r17222: Change the function prototypes for the GENSEc and TLS socket creation
routines to return an NTSTATUS.  This should help track down errors.

Use a bit of talloc_steal and talloc_unlink to get the real socket to
be a child of the GENSEC or TLS socket.

Always return a new socket, even for the 'pass-though' case.

Andrew Bartlett
(This used to be commit 003e2ab93c)
2007-10-10 14:10:20 -05:00
Andrew Bartlett
ba07fa43d0 r17197: This patch moves the encryption of bulk data on SASL negotiated security
contexts from the application layer into the socket layer.

This improves a number of correctness aspects, as we now allow LDAP
packets to cross multiple SASL packets.  It should also make it much
easier to write async LDAP tests from windows clients, as they use SASL
by default.  It is also vital to allowing OpenLDAP clients to use GSSAPI
against Samba4, as it negotiates a rather small SASL buffer size.

This patch mirrors the earlier work done to move TLS into the socket
layer.

Unusual in this pstch is the extra read callback argument I take.  As
SASL is a layer on top of a socket, it is entirely possible for the
SASL layer to drain a socket dry, but for the caller not to have read
all the decrypted data.  This would leave the system without an event
to restart the read (as the socket is dry).

As such, I re-invoke the read handler from a timed callback, which
should trigger on the next running of the event loop.  I believe that
the TLS code does require a similar callback.

In trying to understand why this is required, imagine a SASL-encrypted
LDAP packet in the following formation:

+-----------------+---------------------+
| SASL  Packet #1 | SASL Packet #2      |
----------------------------------------+
| LDAP Packet #1       | LDAP Packet #2 |
----------------------------------------+

In the old code, this was illegal, but it is perfectly standard
SASL-encrypted LDAP.  Without the callback, we would read and process
the first LDAP packet, and the SASL code would have read the second SASL
packet (to decrypt enough data for the LDAP packet), and no data would
remain on the socket.

Without data on the socket, read events stop.  That is why I add timed
events, until the SASL buffer is drained.

Another approach would be to add a hack to the event system, to have it
pretend there remained data to read off the network (but that is ugly).

In improving the code, to handle more real-world cases, I've been able
to remove almost all the special-cases in the testnonblock code.  The
only special case is that we must use a deterministic partial packet
when calling send, rather than a random length.  (1 + n/2).  This is
needed because of the way the SASL and TLS code works, and the 'resend
on failure' requirements.

Andrew Bartlett
(This used to be commit 5d7c9c12cb)
2007-10-10 14:10:18 -05:00
Andrew Tridgell
971d30bb20 r15854: more talloc_set_destructor() typesafe fixes
(This used to be commit 61c6100617)
2007-10-10 14:08:32 -05:00
Andrew Bartlett
742c110cd6 r15400: Move the TLS code behind the socket interface.
This reduces caller complexity, because the TLS code is now called
just like any other socket.  (A new socket context is returned by the
tls_init_server and tls_init_client routines).

When TLS is not available, the original socket is returned.

Andrew Bartlett
(This used to be commit 09b2f30dfa)
2007-10-10 14:05:32 -05:00
Andrew Bartlett
c2cc10c786 r15356: Remove unused 'flags' argument from socket_send() and friends.
This is in preperation for making TLS a socket library.

Andrew Bartlett
(This used to be commit a312812b92)
2007-10-10 14:05:25 -05:00
Jelmer Vernooij
8d137d9785 r15295: Fix some dependencies
Move unistr-specific code to lib/charset/. Remove _m from some places where it's not needed.
(This used to be commit 03224e1124)
2007-10-10 14:05:03 -05:00
Jelmer Vernooij
71b4fd9792 r14477: Remove the NOPROTO property - it's no longer used as proto.h is gone.
(This used to be commit 9c37f847d3)
2007-10-10 13:57:30 -05:00
Stefan Metzmacher
556f6c4346 r13962: make functions public
metze
(This used to be commit fd84583ab4)
2007-10-10 13:52:32 -05:00
Jelmer Vernooij
78c50015bb r12694: Move some headers to the directory of the subsystem they belong to.
(This used to be commit c722f665c9)
2007-10-10 13:49:39 -05:00
Jelmer Vernooij
d8e35f8828 r12498: Eliminate INIT_OBJ_FILES and ADD_OBJ_FILES. We were not using
the difference between these at all, and in the future the
fact that INIT_OBJ_FILES include smb_build.h will be sufficient to
have recompiles at the right time.
(This used to be commit b24f2583ed)
2007-10-10 13:47:45 -05:00
Tim Potter
03d301ead5 r11967: Fix more 64-bit warnings.
(This used to be commit 9c4436a124)
2007-10-10 13:46:52 -05:00
Andrew Tridgell
69c531b75c r11870: fixed the problem volker reported with the RPX-XPLOGIN test. The
problem was caused by a callback destroying the packet processing
context while that context was being used in packet_recv()

This is the first time we have used the ability of talloc destructors
to 'refuse' a free request. It works well in this case as it makes the
composite API simpler to use for other code, and isolates the
complexity of having callbacks destroying the packet context to the
packet.c code.
(This used to be commit b1b2d86541)
2007-10-10 13:46:38 -05:00
Andrew Tridgell
614950aed3 r11713: separate out the setting of the fde in the packet context from the
enabling of packet serialisation
(This used to be commit 6a47cd65a8)
2007-10-10 13:46:17 -05:00
Andrew Tridgell
763d862fee r11712: avoid changing the fde flags unless really needed
(This used to be commit 48e6424b0c)
2007-10-10 13:46:16 -05:00
Stefan Metzmacher
f0c7fca780 r11642: add some error checks
metze
(This used to be commit 9d6406d8da)
2007-10-10 13:46:05 -05:00
Andrew Tridgell
872b821fca r11636: a bit neater solution to the nt_cancel problem
(This used to be commit ba7864b07e)
2007-10-10 13:46:03 -05:00
Andrew Tridgell
1aa141dbd5 r11630: another fix for over-reading in the packet code. This time get the
sign of the comparison right :-)
(This used to be commit 7e40077aa7)
2007-10-10 13:46:02 -05:00
Andrew Tridgell
78422169b2 r11629: fixed a bug found with the socket:testnonblock code. With randomised
under-reads we could end up supplying a buffer to the client that has
an incorrect length
(This used to be commit 9c95015b9c)
2007-10-10 13:46:01 -05:00
Andrew Tridgell
79b3a3afb5 r11627: give the caller much more control over the stream to packet process,
allowing it to specify the initial read size (thus preventing
over-reading) and to stop the recv process when needed. This is used
by the dcerpc socket code, which relies on not getting packets when it
isn't ready for them
(This used to be commit f869fd674e)
2007-10-10 13:46:01 -05:00
Andrew Tridgell
a9d0bf8045 r11618: added a generic '32 bit length prefix' full packet helper to the packet code
(This used to be commit b4dbe55105)
2007-10-10 13:45:59 -05:00
Andrew Tridgell
fc5a11829d r11605: added handling of the send queue to the generic packet handling code
(This used to be commit f98d499b2e)
2007-10-10 13:45:57 -05:00
Andrew Tridgell
a3fcb93df1 r11602: added packet_set_serialise() to allow the generic packet layer to
handle optional request serialisation (this is something that is
commonly needed on stream connections)
(This used to be commit d860eb7956)
2007-10-10 13:45:57 -05:00
Andrew Tridgell
8752e38c05 r11595: added a helper layer to parse streams into individual packets. This is
something that Andrew Bartlett has been asking for for a while, and
when I started having to re-invent this packet parsing code yet again
for SMB2 I decided it was time to do it generically

you use it by providing a "is this a full packet yet?" helper function
to the packet_*() functions, which then handle all the logic of
partial packet buffering.

This also goes to great lengths to operate efficiently, minimising the
number of recv system calls.
(This used to be commit e6c47b954a)
2007-10-10 13:45:55 -05:00