- obsolete
authorJakub Bogusz <qboosh@pld-linux.org>
Wed, 27 Aug 2008 16:56:20 +0000 (16:56 +0000)
committercvs2git <feedback@pld-linux.org>
Sun, 24 Jun 2012 12:13:13 +0000 (12:13 +0000)
Changed files:
    nfs-utils-CITI_NFS4.patch -> 1.8

nfs-utils-CITI_NFS4.patch [deleted file]

diff --git a/nfs-utils-CITI_NFS4.patch b/nfs-utils-CITI_NFS4.patch
deleted file mode 100644 (file)
index f436801..0000000
+++ /dev/null
@@ -1,1013 +0,0 @@
-
-
-The complete set of CITI nfs-utils patches rolled into one patch.
-
-Changes since 1.1.1-CITI_NFS4_ALL-1:
-
- * Update to nfs-utils-1.1.2
-
- * Patch from Olga Kornievskaia to read port number from the info
-   file to support non-standard ports.
-
- * Patch to include the "other" DES encryption types when negotiating
-   a context.
-
- * Patch originally from Vince Busam <vbusam@google.com> to support looking
-   in multiple directories for credential caches to use when creating
-   a context.
-
- * A TEMPORARY patch to read a krb5_info file to determine which
-   encryption types the kernel gss_krb5 code supports.
-
- * A patch to send down a new context format for encryption types
-   other than DES.
-
----
-
- utils/gssd/context.h       |    6 -
- utils/gssd/context_lucid.c |  132 +++++++++++++++++++---
- utils/gssd/context_mit.c   |  134 +++++++++++++++++-----
- utils/gssd/err_util.c      |    5 
- utils/gssd/err_util.h      |    1 
- utils/gssd/gssd.c          |   13 ++
- utils/gssd/gssd.h          |    4 
- utils/gssd/gssd.man        |    6 -
- utils/gssd/gssd_proc.c     |   25 +++-
- utils/gssd/krb5_util.c     |  263 ++++++++++++++++++++++++++++++++++-----------
- utils/gssd/krb5_util.h     |    5 
- 11 files changed, 473 insertions(+), 121 deletions(-)
-
-diff -puN utils/gssd/gssd.h~CITI_NFS4_ALL utils/gssd/gssd.h
---- nfs-utils-1.1.2/utils/gssd/gssd.h~CITI_NFS4_ALL    2008-04-30 14:49:15.862200000 -0400
-+++ nfs-utils-1.1.2-kwc/utils/gssd/gssd.h      2008-04-30 14:49:17.073538000 -0400
-@@ -50,6 +50,7 @@
- #define GSSD_DEFAULT_KEYTAB_FILE              "/etc/krb5.keytab"
- #define GSSD_SERVICE_NAME                     "nfs"
- #define GSSD_SERVICE_NAME_LEN                 3
-+#define GSSD_MAX_CCACHE_SEARCH                        16
- /*
-  * The gss mechanisms that we can handle
-@@ -61,7 +62,7 @@ enum {AUTHTYPE_KRB5, AUTHTYPE_SPKM3, AUT
- extern char                   pipefs_dir[PATH_MAX];
- extern char                   pipefs_nfsdir[PATH_MAX];
- extern char                   keytabfile[PATH_MAX];
--extern char                   ccachedir[PATH_MAX];
-+extern char                   *ccachesearch[];
- extern int                    use_memcache;
- extern int                    root_uses_machine_creds;
-@@ -80,6 +81,7 @@ struct clnt_info {
-       int                     krb5_poll_index;
-       int                     spkm3_fd;
-       int                     spkm3_poll_index;
-+      int                     port;
- };
- void init_client_list(void);
-diff -puN utils/gssd/gssd_proc.c~CITI_NFS4_ALL utils/gssd/gssd_proc.c
---- nfs-utils-1.1.2/utils/gssd/gssd_proc.c~CITI_NFS4_ALL       2008-04-30 14:49:15.986076000 -0400
-+++ nfs-utils-1.1.2-kwc/utils/gssd/gssd_proc.c 2008-04-30 14:49:17.167444000 -0400
-@@ -102,7 +102,7 @@ int pollsize;  /* the size of pollaray (
- /* XXX buffer problems: */
- static int
- read_service_info(char *info_file_name, char **servicename, char **servername,
--                int *prog, int *vers, char **protocol) {
-+                int *prog, int *vers, char **protocol, int *port) {
- #define INFOBUFLEN 256
-       char            buf[INFOBUFLEN];
-       static char     dummy[128];
-@@ -112,6 +112,8 @@ read_service_info(char *info_file_name, 
-       char            program[16];
-       char            version[16];
-       char            protoname[16];
-+      char            cb_port[128];
-+      char            *p;
-       in_addr_t       inaddr;
-       int             fd = -1;
-       struct hostent  *ent = NULL;
-@@ -143,6 +145,10 @@ read_service_info(char *info_file_name, 
-               goto fail;
-       }
-+      cb_port[0] = '\0';
-+      if ((p = strstr(buf, "port")) != NULL)
-+              sscanf(p, "port: %127s\n", cb_port);
-+
-       /* check service, program, and version */
-       if(memcmp(service, "nfs", 3)) return -1;
-       *prog = atoi(program + 1); /* skip open paren */
-@@ -163,6 +169,8 @@ read_service_info(char *info_file_name, 
-       if (!(*servicename = calloc(strlen(buf) + 1, 1)))
-               goto fail;
-       memcpy(*servicename, buf, strlen(buf));
-+      if (cb_port[0] != '\0')
-+              *port = atoi(cb_port);
-       if (!(*protocol = strdup(protoname)))
-               goto fail;
-@@ -238,7 +246,7 @@ process_clnt_dir_files(struct clnt_info 
-       if ((clp->servicename == NULL) &&
-            read_service_info(info_file_name, &clp->servicename,
-                               &clp->servername, &clp->prog, &clp->vers,
--                              &clp->protocol))
-+                              &clp->protocol, &clp->port))
-               return -1;
-       return 0;
- }
-@@ -587,6 +595,8 @@ int create_auth_rpc_client(struct clnt_i
-                        clp->servername, uid);
-               goto out_fail;
-       }
-+      if (clp->port)
-+              ((struct sockaddr_in *)a->ai_addr)->sin_port = htons(clp->port);
-       if (a->ai_protocol == IPPROTO_TCP) {
-               if ((rpc_clnt = clnttcp_create(
-                                       (struct sockaddr_in *) a->ai_addr,
-@@ -675,6 +685,7 @@ handle_krb5_upcall(struct clnt_info *clp
-       gss_buffer_desc         token;
-       char                    **credlist = NULL;
-       char                    **ccname;
-+      char                    **dirname;
-       int                     create_resp = -1;
-       printerr(1, "handling krb5 upcall\n");
-@@ -691,10 +702,14 @@ handle_krb5_upcall(struct clnt_info *clp
-       if (uid != 0 || (uid == 0 && root_uses_machine_creds == 0)) {
-               /* Tell krb5 gss which credentials cache to use */
--              gssd_setup_krb5_user_gss_ccache(uid, clp->servername);
-+              for (dirname = ccachesearch; *dirname != NULL; dirname++) {
-+                      gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname);
--              create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid,
--                                                   AUTHTYPE_KRB5);
-+                      create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid,
-+                                                           AUTHTYPE_KRB5);
-+                      if (create_resp == 0)
-+                              break;
-+              }
-       }
-       if (create_resp != 0) {
-               if (uid == 0 && root_uses_machine_creds == 1) {
-diff -puN utils/gssd/krb5_util.c~CITI_NFS4_ALL utils/gssd/krb5_util.c
---- nfs-utils-1.1.2/utils/gssd/krb5_util.c~CITI_NFS4_ALL       2008-04-30 14:49:16.274848000 -0400
-+++ nfs-utils-1.1.2-kwc/utils/gssd/krb5_util.c 2008-04-30 14:49:17.571397000 -0400
-@@ -97,6 +97,7 @@
- #include "config.h"
- #include <sys/param.h>
- #include <rpc/rpc.h>
-+#include <sys/types.h>
- #include <sys/stat.h>
- #include <sys/socket.h>
- #include <arpa/inet.h>
-@@ -108,6 +109,7 @@
- #include <dirent.h>
- #include <netdb.h>
- #include <ctype.h>
-+#include <fcntl.h>
- #include <errno.h>
- #include <time.h>
- #include <gssapi/gssapi.h>
-@@ -126,12 +128,17 @@
- /* Global list of principals/cache file names for machine credentials */
- struct gssd_k5_kt_princ *gssd_k5_kt_princ_list = NULL;
-+/* Encryption types supported by the kernel rpcsec_gss code */
-+int num_krb5_enctypes = 0;
-+krb5_enctype *krb5_enctypes = NULL;
-+
- /*==========================*/
- /*===  Internal routines ===*/
- /*==========================*/
- static int select_krb5_ccache(const struct dirent *d);
--static int gssd_find_existing_krb5_ccache(uid_t uid, struct dirent **d);
-+static int gssd_find_existing_krb5_ccache(uid_t uid, char *dirname,
-+              struct dirent **d);
- static int gssd_get_single_krb5_cred(krb5_context context,
-               krb5_keytab kt, struct gssd_k5_kt_princ *ple);
-@@ -159,7 +166,7 @@ select_krb5_ccache(const struct dirent *
- }
- /*
-- * Look in the ccachedir for files that look like they
-+ * Look in directory "dirname" for files that look like they
-  * are Kerberos Credential Cache files for a given UID.  Return
-  * non-zero and the dirent pointer for the entry most likely to be
-  * what we want. Otherwise, return zero and no dirent pointer.
-@@ -170,7 +177,7 @@ select_krb5_ccache(const struct dirent *
-  *    1 => found an existing entry
-  */
- static int
--gssd_find_existing_krb5_ccache(uid_t uid, struct dirent **d)
-+gssd_find_existing_krb5_ccache(uid_t uid, char *dirname, struct dirent **d)
- {
-       struct dirent **namelist;
-       int n;
-@@ -181,9 +188,10 @@ gssd_find_existing_krb5_ccache(uid_t uid
-       memset(&best_match_stat, 0, sizeof(best_match_stat));
-       *d = NULL;
--      n = scandir(ccachedir, &namelist, select_krb5_ccache, 0);
-+      n = scandir(dirname, &namelist, select_krb5_ccache, 0);
-       if (n < 0) {
--              perror("scandir looking for krb5 credentials caches");
-+              printerr(1, "Error doing scandir on directory '%s': %s\n",
-+                      dirname, strerror(errno));
-       }
-       else if (n > 0) {
-               char statname[1024];
-@@ -191,7 +199,7 @@ gssd_find_existing_krb5_ccache(uid_t uid
-                       printerr(3, "CC file '%s' being considered\n",
-                                namelist[i]->d_name);
-                       snprintf(statname, sizeof(statname),
--                               "%s/%s", ccachedir, namelist[i]->d_name);
-+                               "%s/%s", dirname, namelist[i]->d_name);
-                       if (lstat(statname, &tmp_stat)) {
-                               printerr(0, "Error doing stat on file '%s'\n",
-                                        statname);
-@@ -256,58 +264,6 @@ gssd_find_existing_krb5_ccache(uid_t uid
-       return found;
- }
--
--#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
--/*
-- * this routine obtains a credentials handle via gss_acquire_cred()
-- * then calls gss_krb5_set_allowable_enctypes() to limit the encryption
-- * types negotiated.
-- *
-- * XXX Should call some function to determine the enctypes supported
-- * by the kernel. (Only need to do that once!)
-- *
-- * Returns:
-- *    0 => all went well
-- *     -1 => there was an error
-- */
--
--int
--limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
--{
--      u_int maj_stat, min_stat;
--      gss_cred_id_t credh;
--      gss_OID_set_desc  desired_mechs;
--      krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC };
--      int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
--
--      /* We only care about getting a krb5 cred */
--      desired_mechs.count = 1;
--      desired_mechs.elements = &krb5oid;
--
--      maj_stat = gss_acquire_cred(&min_stat, NULL, 0,
--                                  &desired_mechs, GSS_C_INITIATE,
--                                  &credh, NULL, NULL);
--
--      if (maj_stat != GSS_S_COMPLETE) {
--              pgsserr("gss_acquire_cred",
--                      maj_stat, min_stat, &krb5oid);
--              return -1;
--      }
--
--      maj_stat = gss_set_allowable_enctypes(&min_stat, credh, &krb5oid,
--                                           num_enctypes, &enctypes);
--      if (maj_stat != GSS_S_COMPLETE) {
--              pgsserr("gss_set_allowable_enctypes",
--                      maj_stat, min_stat, &krb5oid);
--              gss_release_cred(&min_stat, &credh);
--              return -1;
--      }
--      sec->cred = credh;
--
--      return 0;
--}
--#endif        /* HAVE_SET_ALLOWABLE_ENCTYPES */
--
- /*
-  * Obtain credentials via a key in the keytab given
-  * a keytab handle and a gssd_k5_kt_princ structure.
-@@ -404,7 +360,7 @@ gssd_get_single_krb5_cred(krb5_context c
-           cache_type = "FILE";
-       snprintf(cc_name, sizeof(cc_name), "%s:%s/%s%s_%s",
-               cache_type,
--              ccachedir, GSSD_DEFAULT_CRED_PREFIX,
-+              ccachesearch[0], GSSD_DEFAULT_CRED_PREFIX,
-               GSSD_DEFAULT_MACHINE_CRED_SUFFIX, ple->realm);
-       ple->endtime = my_creds.times.endtime;
-       if (ple->ccname != NULL)
-@@ -879,6 +835,56 @@ out:
-       return retval;
- }
-+/*
-+ * Parse the supported encryption type information
-+ */
-+static int
-+parse_enctypes(char *enctypes)
-+{
-+      int n = 0;
-+      char *curr, *comma;
-+      int i;
-+
-+      /* Just in case this ever gets called more than once */
-+      if (krb5_enctypes != NULL) {
-+              free(krb5_enctypes);
-+              krb5_enctypes = NULL;
-+              num_krb5_enctypes = 0;
-+      }
-+
-+      /* count the number of commas */
-+      for (curr = enctypes; curr && *curr != '\0'; curr = ++comma) {
-+              comma = strchr(curr, ',');
-+              if (comma != NULL)
-+                      n++;
-+              else
-+                      break;
-+      }
-+      /* If no more commas and we're not at the end, there's one more value */
-+      if (*curr != '\0')
-+              n++;
-+
-+      /* Empty string, return an error */
-+      if (n == 0)
-+              return ENOENT;
-+
-+      /* Allocate space for enctypes array */
-+      if ((krb5_enctypes = (int *) calloc(n, sizeof(int))) == NULL) {
-+              return ENOMEM;
-+      }
-+
-+      /* Now parse each value into the array */
-+      for (curr = enctypes, i = 0; curr && *curr != '\0'; curr = ++comma) {
-+              krb5_enctypes[i++] = atoi(curr);
-+              comma = strchr(curr, ',');
-+              if (comma == NULL)
-+                      break;
-+      }
-+
-+      num_krb5_enctypes = n;
-+      return 0;
-+}
-+
- /*==========================*/
- /*===  External routines ===*/
- /*==========================*/
-@@ -892,7 +898,7 @@ out:
-  *    void
-  */
- void
--gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername)
-+gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername, char *dirname)
- {
-       char                    buf[MAX_NETOBJ_SZ];
-       struct dirent           *d;
-@@ -900,14 +906,13 @@ gssd_setup_krb5_user_gss_ccache(uid_t ui
-       printerr(2, "getting credentials for client with uid %u for "
-                   "server %s\n", uid, servername);
-       memset(buf, 0, sizeof(buf));
--      if (gssd_find_existing_krb5_ccache(uid, &d)) {
--              snprintf(buf, sizeof(buf), "FILE:%s/%s",
--                      ccachedir, d->d_name);
-+      if (gssd_find_existing_krb5_ccache(uid, dirname, &d)) {
-+              snprintf(buf, sizeof(buf), "FILE:%s/%s", dirname, d->d_name);
-               free(d);
-       }
-       else
-               snprintf(buf, sizeof(buf), "FILE:%s/%s%u",
--                      ccachedir, GSSD_DEFAULT_CRED_PREFIX, uid);
-+                      dirname, GSSD_DEFAULT_CRED_PREFIX, uid);
-       printerr(2, "using %s as credentials cache for client with "
-                   "uid %u for server %s\n", buf, uid, servername);
-       gssd_set_krb5_ccache_name(buf);
-@@ -1129,3 +1134,133 @@ gssd_k5_err_msg(krb5_context context, kr
-               return error_message(code);
- #endif
- }
-+
-+#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
-+/*
-+ * this routine obtains a credentials handle via gss_acquire_cred()
-+ * then calls gss_krb5_set_allowable_enctypes() to limit the encryption
-+ * types negotiated.
-+ *
-+ * XXX Should call some function to determine the enctypes supported
-+ * by the kernel. (Only need to do that once!)
-+ *
-+ * Returns:
-+ *    0 => all went well
-+ *     -1 => there was an error
-+ */
-+
-+int
-+limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
-+{
-+      u_int maj_stat, min_stat;
-+      gss_cred_id_t credh;
-+      gss_OID_set_desc  desired_mechs;
-+      krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC,
-+                                  ENCTYPE_DES_CBC_MD5,
-+                                  ENCTYPE_DES_CBC_MD4 };
-+      int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
-+
-+      /* We only care about getting a krb5 cred */
-+      desired_mechs.count = 1;
-+      desired_mechs.elements = &krb5oid;
-+
-+      maj_stat = gss_acquire_cred(&min_stat, NULL, 0,
-+                                  &desired_mechs, GSS_C_INITIATE,
-+                                  &credh, NULL, NULL);
-+
-+      if (maj_stat != GSS_S_COMPLETE) {
-+              if (get_verbosity() > 0)
-+                      pgsserr("gss_acquire_cred",
-+                              maj_stat, min_stat, &krb5oid);
-+              return -1;
-+      }
-+
-+      /*
-+       * If we failed for any reason to produce global
-+       * list of supported enctypes, use local default here.
-+       */
-+      if (krb5_enctypes == NULL)
-+              maj_stat = gss_set_allowable_enctypes(&min_stat, credh,
-+                                      &krb5oid, num_enctypes, &enctypes);
-+      else
-+              maj_stat = gss_set_allowable_enctypes(&min_stat, credh,
-+                                      &krb5oid, num_krb5_enctypes,
-+                                      krb5_enctypes);
-+      if (maj_stat != GSS_S_COMPLETE) {
-+              pgsserr("gss_set_allowable_enctypes",
-+                      maj_stat, min_stat, &krb5oid);
-+              gss_release_cred(&min_stat, &credh);
-+              return -1;
-+      }
-+      sec->cred = credh;
-+
-+      return 0;
-+}
-+#endif        /* HAVE_SET_ALLOWABLE_ENCTYPES */
-+
-+/*
-+ * Obtain supported enctypes from kernel.
-+ * Set defaults if info is not available.
-+ */
-+void
-+gssd_obtain_kernel_krb5_info(void)
-+{
-+      char enctype_file_name[128];
-+      char buf[1024];
-+      char enctypes[128];
-+      int nscanned;
-+      int fd;
-+      int use_default_enctypes = 0;
-+      int nbytes, numfields;
-+      char default_enctypes[] = "1,3,2";
-+      int code;
-+
-+      snprintf(enctype_file_name, sizeof(enctype_file_name),
-+               "%s/%s", pipefs_dir, "krb5_info");
-+
-+      if ((fd = open(enctype_file_name, O_RDONLY)) == -1) {
-+              printerr(1, "WARNING: gssd_obtain_kernel_krb5_info: "
-+                       "Unable to open '%s'. Unable to determine "
-+                       "Kerberos encryption types supported by the "
-+                       "kernel; using defaults (%s).\n",
-+                       enctype_file_name, default_enctypes);
-+              use_default_enctypes = 1;
-+              goto do_the_parse;
-+      }
-+      memset(buf, 0, sizeof(buf));
-+      if ((nbytes = read(fd, buf, sizeof(buf)-1)) == -1) {
-+              printerr(0, "WARNING: gssd_obtain_kernel_krb5_info: "
-+                       "Error reading Kerberos encryption type "
-+                       "information file '%s'; using defaults (%s).\n",
-+                       enctype_file_name, default_enctypes);
-+              use_default_enctypes = 1;
-+              close(fd);
-+              goto do_the_parse;
-+      }
-+      close(fd);
-+      numfields = sscanf(buf, "enctypes: %s\n%n", enctypes, &nscanned);
-+      if (numfields < 1) {
-+              printerr(0, "WARNING: gssd_obtain_kernel_krb5_info: "
-+                       "error parsing Kerberos encryption type "
-+                       "information from file '%s'; using defaults (%s).\n",
-+                       enctype_file_name, default_enctypes);
-+              use_default_enctypes = 1;
-+              goto do_the_parse;
-+      }
-+      if (nbytes > nscanned) {
-+              printerr(2, "gssd_obtain_kernel_krb5_info: "
-+                       "Ignoring extra information, '%s', from '%s'\n",
-+                       buf+nscanned, enctype_file_name);
-+              goto do_the_parse;
-+      }
-+  do_the_parse:
-+      if (use_default_enctypes)
-+              strcpy(enctypes, default_enctypes);
-+
-+      if ((code = parse_enctypes(enctypes)) != 0) {
-+              printerr(0, "ERROR: gssd_obtain_kernel_krb5_info: "
-+                       "parse_enctypes%s failed with code %d\n",
-+                       use_default_enctypes ? " (with default enctypes)" : "",
-+                       code);
-+      }
-+}
-diff -puN utils/gssd/err_util.c~CITI_NFS4_ALL utils/gssd/err_util.c
---- nfs-utils-1.1.2/utils/gssd/err_util.c~CITI_NFS4_ALL        2008-04-30 14:49:16.478848000 -0400
-+++ nfs-utils-1.1.2-kwc/utils/gssd/err_util.c  2008-04-30 14:49:16.616849000 -0400
-@@ -60,3 +60,8 @@ void printerr(int priority, char *format
-               xlog_backend(L_ERROR, format, args);
-       va_end(args);
- }
-+
-+int get_verbosity(void)
-+{
-+      return verbosity;
-+}
-diff -puN utils/gssd/err_util.h~CITI_NFS4_ALL utils/gssd/err_util.h
---- nfs-utils-1.1.2/utils/gssd/err_util.h~CITI_NFS4_ALL        2008-04-30 14:49:16.574848000 -0400
-+++ nfs-utils-1.1.2-kwc/utils/gssd/err_util.h  2008-04-30 14:49:16.633848000 -0400
-@@ -33,5 +33,6 @@
- void initerr(char *progname, int verbosity, int fg);
- void printerr(int priority, char *format, ...);
-+int get_verbosity(void);
- #endif /* _ERR_UTIL_H_ */
-diff -puN utils/gssd/gssd.c~CITI_NFS4_ALL utils/gssd/gssd.c
---- nfs-utils-1.1.2/utils/gssd/gssd.c~CITI_NFS4_ALL    2008-04-30 14:49:16.799812000 -0400
-+++ nfs-utils-1.1.2-kwc/utils/gssd/gssd.c      2008-04-30 14:49:17.507397000 -0400
-@@ -57,6 +57,7 @@ char pipefs_dir[PATH_MAX] = GSSD_PIPEFS_
- char pipefs_nfsdir[PATH_MAX] = GSSD_PIPEFS_DIR;
- char keytabfile[PATH_MAX] = GSSD_DEFAULT_KEYTAB_FILE;
- char ccachedir[PATH_MAX] = GSSD_DEFAULT_CRED_DIR;
-+char *ccachesearch[GSSD_MAX_CCACHE_SEARCH + 1];
- int  use_memcache = 0;
- int  root_uses_machine_creds = 1;
-@@ -93,9 +94,11 @@ main(int argc, char *argv[])
-       int verbosity = 0;
-       int rpc_verbosity = 0;
-       int opt;
-+      int i;
-       extern char *optarg;
-       char *progname;
-+      memset(ccachesearch, 0, sizeof(ccachesearch));
-       while ((opt = getopt(argc, argv, "fvrmnMp:k:d:")) != -1) {
-               switch (opt) {
-                       case 'f':
-@@ -136,6 +139,13 @@ main(int argc, char *argv[])
-                               break;
-               }
-       }
-+
-+      i = 0;
-+      ccachesearch[i++] = strtok(ccachedir, ":");
-+      do {
-+              ccachesearch[i++] = strtok(NULL, ":");
-+      } while (ccachesearch[i-1] != NULL && i < GSSD_MAX_CCACHE_SEARCH);
-+
-       snprintf(pipefs_nfsdir, sizeof(pipefs_nfsdir), "%s/%s",
-                pipefs_dir, GSSD_SERVICE_NAME);
-       if (pipefs_nfsdir[sizeof(pipefs_nfsdir)-1] != '\0')
-@@ -165,6 +175,9 @@ main(int argc, char *argv[])
-       signal(SIGTERM, sig_die);
-       signal(SIGHUP, sig_hup);
-+      /* Determine Kerberos information from the kernel */
-+      gssd_obtain_kernel_krb5_info();
-+
-       gssd_run();
-       printerr(0, "gssd_run returned!\n");
-       abort();
-diff -puN utils/gssd/gssd.man~CITI_NFS4_ALL utils/gssd/gssd.man
---- nfs-utils-1.1.2/utils/gssd/gssd.man~CITI_NFS4_ALL  2008-04-30 14:49:16.899712000 -0400
-+++ nfs-utils-1.1.2-kwc/utils/gssd/gssd.man    2008-04-30 14:49:17.121490000 -0400
-@@ -74,7 +74,11 @@ where to look for the rpc_pipefs filesys
- .B -d directory
- Tells
- .B rpc.gssd
--where to look for kerberos credential files.  The default value is "/tmp".
-+where to look for Kerberos credential files.  The default value is "/tmp".
-+This can also be a colon separated list of directories to be searched
-+for Kerberos credential files.  Note that if machine credentials are being
-+stored in files, then the first directory on this list is where the
-+machine credentials are stored.
- .TP
- .B -v
- Increases the verbosity of the output (can be specified multiple times).
-diff -puN utils/gssd/krb5_util.h~CITI_NFS4_ALL utils/gssd/krb5_util.h
---- nfs-utils-1.1.2/utils/gssd/krb5_util.h~CITI_NFS4_ALL       2008-04-30 14:49:17.008603000 -0400
-+++ nfs-utils-1.1.2-kwc/utils/gssd/krb5_util.h 2008-04-30 14:49:17.589397000 -0400
-@@ -17,7 +17,8 @@ struct gssd_k5_kt_princ {
- };
--void gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername);
-+void gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername,
-+                                   char *dirname);
- int  gssd_get_krb5_machine_cred_list(char ***list);
- void gssd_free_krb5_machine_cred_list(char **list);
- void gssd_setup_krb5_machine_gss_ccache(char *servername);
-@@ -26,6 +27,8 @@ int  gssd_refresh_krb5_machine_credentia
-                                         struct gssd_k5_kt_princ *ple);
- const char *
- gssd_k5_err_msg(krb5_context context, krb5_error_code code);
-+void gssd_obtain_kernel_krb5_info(void);
-+
- #ifdef HAVE_SET_ALLOWABLE_ENCTYPES
- int limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid);
-diff -puN utils/gssd/context.h~CITI_NFS4_ALL utils/gssd/context.h
---- nfs-utils-1.1.2/utils/gssd/context.h~CITI_NFS4_ALL 2008-04-30 14:49:17.768393000 -0400
-+++ nfs-utils-1.1.2-kwc/utils/gssd/context.h   2008-04-30 14:49:18.056105000 -0400
-@@ -1,5 +1,5 @@
- /*
--  Copyright (c) 2004 The Regents of the University of Michigan.
-+  Copyright (c) 2004,2008 The Regents of the University of Michigan.
-   All rights reserved.
-   Redistribution and use in source and binary forms, with or without
-@@ -36,6 +36,10 @@
- /* Hopefully big enough to hold any serialized context */
- #define MAX_CTX_LEN 4096
-+/* New context format flag values */
-+#define KRB5_CTX_FLAG_INITIATOR         0x00000001
-+#define KRB5_CTX_FLAG_CFX               0x00000002
-+#define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY   0x00000004
- int serialize_context_for_kernel(gss_ctx_id_t ctx, gss_buffer_desc *buf,
-                                gss_OID mech);
-diff -puN utils/gssd/context_lucid.c~CITI_NFS4_ALL utils/gssd/context_lucid.c
---- nfs-utils-1.1.2/utils/gssd/context_lucid.c~CITI_NFS4_ALL   2008-04-30 14:49:17.907254000 -0400
-+++ nfs-utils-1.1.2-kwc/utils/gssd/context_lucid.c     2008-04-30 14:49:18.075086000 -0400
-@@ -40,6 +40,7 @@
- #include <stdio.h>
- #include <syslog.h>
- #include <string.h>
-+#include <errno.h>
- #include "gss_util.h"
- #include "gss_oids.h"
- #include "err_util.h"
-@@ -113,15 +114,13 @@ prepare_krb5_rfc1964_buffer(gss_krb5_luc
-        * Note that the rfc1964 version only supports DES enctypes.
-        */
-       if (lctx->rfc1964_kd.ctx_key.type != 4) {
--              printerr(1, "prepare_krb5_rfc1964_buffer: "
--                          "overriding heimdal keytype (%d => %d)\n",
--                          lctx->rfc1964_kd.ctx_key.type, 4);
-+              printerr(2, "%s: overriding heimdal keytype (%d => %d)\n",
-+                       __FUNCTION__, lctx->rfc1964_kd.ctx_key.type, 4);
-               lctx->rfc1964_kd.ctx_key.type = 4;
-       }
- #endif
--      printerr(2, "prepare_krb5_rfc1964_buffer: serializing keys with "
--               "enctype %d and length %d\n",
--               lctx->rfc1964_kd.ctx_key.type,
-+      printerr(2, "%s: serializing keys with enctype %d and length %d\n",
-+               __FUNCTION__, lctx->rfc1964_kd.ctx_key.type,
-                lctx->rfc1964_kd.ctx_key.length);
-       /* derive the encryption key and copy it into buffer */
-@@ -152,15 +151,102 @@ out_err:
-       return -1;
- }
-+/* Flags for version 2 context flags */
-+#define KRB5_CTX_FLAG_INITIATOR               0x00000001
-+#define KRB5_CTX_FLAG_CFX             0x00000002
-+#define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004
-+
-+/*
-+ * Prepare a new-style buffer, as defined in rfc4121 (a.k.a. cfx),
-+ * to send to the kernel for newer encryption types -- or for DES3.
-+ *
-+ * The new format is:
-+ *
-+ *    u32 flags;
-+ *    #define KRB5_CTX_FLAG_INITIATOR         0x00000001
-+ *    #define KRB5_CTX_FLAG_CFX               0x00000002
-+ *    #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY   0x00000004
-+ *    s32 endtime;
-+ *    u64 seq_send;
-+ *    u32  enctype;                   ( encrption type of key )
-+ *    raw key;                        ( raw key bytes (kernel will derive))
-+ *
-+ */
- static int
--prepare_krb5_rfc_cfx_buffer(gss_krb5_lucid_context_v1_t *lctx,
--      gss_buffer_desc *buf)
-+prepare_krb5_rfc4121_buffer(gss_krb5_lucid_context_v1_t *lctx,
-+                          gss_buffer_desc *buf)
- {
--      printerr(0, "ERROR: prepare_krb5_rfc_cfx_buffer: not implemented\n");
--      return -1;
--}
-+      char *p, *end;
-+      uint32_t v2_flags = 0;
-+      uint32_t enctype;
-+      uint32_t keysize;
-+      if (!(buf->value = calloc(1, MAX_CTX_LEN)))
-+              goto out_err;
-+      p = buf->value;
-+      end = buf->value + MAX_CTX_LEN;
-+      /* Version 2 */
-+      if (lctx->initiate)
-+              v2_flags |= KRB5_CTX_FLAG_INITIATOR;
-+      if (lctx->protocol != 0)
-+              v2_flags |= KRB5_CTX_FLAG_CFX;
-+      if (lctx->protocol != 0 && lctx->cfx_kd.have_acceptor_subkey == 1)
-+              v2_flags |= KRB5_CTX_FLAG_ACCEPTOR_SUBKEY;
-+
-+      if (WRITE_BYTES(&p, end, v2_flags)) goto out_err;
-+      if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
-+      if (WRITE_BYTES(&p, end, lctx->send_seq)) goto out_err;
-+
-+      /* Protocol 0 here implies DES3 or RC4 */
-+      printerr(2, "%s: protocol %d\n", __FUNCTION__, lctx->protocol);
-+      if (lctx->protocol == 0) {
-+              enctype = lctx->rfc1964_kd.ctx_key.type;
-+              keysize = lctx->rfc1964_kd.ctx_key.length;
-+      } else {
-+              if (lctx->cfx_kd.have_acceptor_subkey) {
-+                      enctype = lctx->cfx_kd.acceptor_subkey.type;
-+                      keysize = lctx->cfx_kd.acceptor_subkey.length;
-+              } else {
-+                      enctype = lctx->cfx_kd.ctx_key.type;
-+                      keysize = lctx->cfx_kd.ctx_key.length;
-+              }
-+      }
-+      printerr(2, "%s: serializing key with enctype %d and size %d\n",
-+               __FUNCTION__, enctype, keysize);
-+
-+      if (WRITE_BYTES(&p, end, enctype)) goto out_err;
-+
-+      if (lctx->protocol == 0) {
-+              if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
-+                              lctx->rfc1964_kd.ctx_key.length))
-+                      goto out_err;
-+      } else {
-+              if (lctx->cfx_kd.have_acceptor_subkey) {
-+                      if (write_bytes(&p, end,
-+                                      lctx->cfx_kd.acceptor_subkey.data,
-+                                      lctx->cfx_kd.acceptor_subkey.length))
-+                              goto out_err;
-+              } else {
-+                      if (write_bytes(&p, end, lctx->cfx_kd.ctx_key.data,
-+                                      lctx->cfx_kd.ctx_key.length))
-+                              goto out_err;
-+              }
-+      }
-+
-+      buf->length = p - (char *)buf->value;
-+      return 0;
-+
-+out_err:
-+      printerr(0, "ERROR: %s: failed serializing krb5 context for kernel\n",
-+               __FUNCTION__);
-+      if (buf->value) {
-+              free(buf->value);
-+              buf->value = NULL;
-+      }
-+      buf->length = 0;
-+      return -1;
-+}
- int
- serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf)
- {
-@@ -170,7 +256,7 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss
-       gss_krb5_lucid_context_v1_t *lctx = 0;
-       int retcode = 0;
--      printerr(2, "DEBUG: serialize_krb5_ctx: lucid version!\n");
-+      printerr(2, "DEBUG: %s: lucid version!\n", __FUNCTION__);
-       maj_stat = gss_export_lucid_sec_context(&min_stat, &ctx,
-                                               1, &return_ctx);
-       if (maj_stat != GSS_S_COMPLETE) {
-@@ -192,11 +278,20 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss
-               break;
-       }
--      /* Now lctx points to a lucid context that we can send down to kernel */
--      if (lctx->protocol == 0)
-+        /*
-+       * Now lctx points to a lucid context that we can send down to kernel
-+       *
-+       * Note: we send down different information to the kernel depending
-+       * on the protocol version and the enctyption type.
-+       * For protocol version 0 with all enctypes besides DES3, we use
-+       * the original format.  For protocol version != 0 or DES3, we
-+       * send down the new style information.
-+       */
-+
-+      if (lctx->protocol == 0 && lctx->rfc1964_kd.ctx_key.type <= 4)
-               retcode = prepare_krb5_rfc1964_buffer(lctx, buf);
-       else
--              retcode = prepare_krb5_rfc_cfx_buffer(lctx, buf);
-+              retcode = prepare_krb5_rfc4121_buffer(lctx, buf);
-       maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx);
-       if (maj_stat != GSS_S_COMPLETE) {
-@@ -206,8 +301,8 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss
-       }
-       if (retcode) {
--              printerr(1, "serialize_krb5_ctx: prepare_krb5_*_buffer "
--                       "failed (retcode = %d)\n", retcode);
-+              printerr(1, "%s: prepare_krb5_*_buffer failed (retcode = %d)\n",
-+                       __FUNCTION__, retcode);
-               goto out_err;
-       }
-@@ -217,4 +312,7 @@ out_err:
-       printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
-       return -1;
- }
-+
-+
-+
- #endif /* HAVE_LUCID_CONTEXT_SUPPORT */
-diff -puN utils/gssd/context_mit.c~CITI_NFS4_ALL utils/gssd/context_mit.c
---- nfs-utils-1.1.2/utils/gssd/context_mit.c~CITI_NFS4_ALL     2008-04-30 14:49:18.021140000 -0400
-+++ nfs-utils-1.1.2-kwc/utils/gssd/context_mit.c       2008-04-30 14:49:18.097064000 -0400
-@@ -1,5 +1,5 @@
- /*
--  Copyright (c) 2004 The Regents of the University of Michigan.
-+  Copyright (c) 2004-2006 The Regents of the University of Michigan.
-   All rights reserved.
-   Redistribution and use in source and binary forms, with or without
-@@ -36,6 +36,7 @@
- #include <stdio.h>
- #include <syslog.h>
- #include <string.h>
-+#include <errno.h>
- #include <gssapi/gssapi.h>
- #include <rpc/rpc.h>
- #include <rpc/auth_gss.h>
-@@ -50,8 +51,7 @@
- /* XXX argggg, there's gotta be a better way than just duplicating this
-  * whole struct.  Unfortunately, this is in a "private" header file,
-  * so this is our best choice at this point :-/
-- *
-- * XXX Does this match the Heimdal definition?  */
-+ */
- typedef struct _krb5_gss_ctx_id_rec {
-    unsigned int initiate : 1;   /* nonzero if initiating, zero if accepting */
-@@ -154,48 +154,120 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss
- {
-       krb5_gss_ctx_id_t kctx = ((gss_union_ctx_id_t)ctx)->internal_ctx_id;
-       char *p, *end;
--      static int constant_one = 1;
-       static int constant_zero = 0;
-+      static int constant_one = 1;
-+      static int constant_two = 2;
-       uint32_t word_seq_send;
-+      u_int64_t seq_send_64bit;
-+      uint32_t v2_flags = 0;
-       if (!(buf->value = calloc(1, MAX_CTX_LEN)))
-               goto out_err;
-       p = buf->value;
-       end = buf->value + MAX_CTX_LEN;
--      if (kctx->initiate) {
--              if (WRITE_BYTES(&p, end, constant_one)) goto out_err;
--      }
--      else {
--              if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
--      }
--      if (kctx->seed_init) {
--              if (WRITE_BYTES(&p, end, constant_one)) goto out_err;
--      }
--      else {
--              if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
--      }
--      if (write_bytes(&p, end, &kctx->seed, sizeof(kctx->seed)))
-+      switch (kctx->enc->enctype) {
-+      case ENCTYPE_DES_CBC_CRC:
-+      case ENCTYPE_DES_CBC_MD4:
-+      case ENCTYPE_DES_CBC_MD5:
-+      case ENCTYPE_DES_CBC_RAW:
-+              /* Old format of context to the kernel */
-+              if (kctx->initiate) {
-+                      if (WRITE_BYTES(&p, end, constant_one)) goto out_err;
-+              }
-+              else {
-+                      if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
-+              }
-+              if (kctx->seed_init) {
-+                      if (WRITE_BYTES(&p, end, constant_one)) goto out_err;
-+              }
-+              else {
-+                      if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
-+              }
-+              if (write_bytes(&p, end, &kctx->seed, sizeof(kctx->seed)))
-+                      goto out_err;
-+              if (WRITE_BYTES(&p, end, kctx->signalg)) goto out_err;
-+              if (WRITE_BYTES(&p, end, kctx->sealalg)) goto out_err;
-+              if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err;
-+              word_seq_send = kctx->seq_send;
-+              if (WRITE_BYTES(&p, end, word_seq_send)) goto out_err;
-+              if (write_oid(&p, end, kctx->mech_used)) goto out_err;
-+
-+              printerr(2, "serialize_krb5_ctx: serializing keys with "
-+                       "enctype %d and length %d\n",
-+                       kctx->enc->enctype, kctx->enc->length);
-+
-+              if (write_keyblock(&p, end, kctx->enc)) goto out_err;
-+              if (write_keyblock(&p, end, kctx->seq)) goto out_err;
-+              break;
-+      case ENCTYPE_DES3_CBC_RAW:
-+      case ENCTYPE_DES3_CBC_SHA1:
-+      case ENCTYPE_ARCFOUR_HMAC:
-+      case ENCTYPE_ARCFOUR_HMAC_EXP:
-+      case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
-+      case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
-+              /* New format of context to the kernel */
-+              /* u32 flags;
-+               * #define KRB5_CTX_FLAG_INITIATOR        0x00000001
-+               * #define KRB5_CTX_FLAG_CFX              0x00000002
-+               * #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY  0x00000004
-+               * s32 endtime;
-+               * u64 seq_send;
-+               * u32  enctype;
-+               * rawkey data
-+               */
-+
-+              if (kctx->initiate)
-+                      v2_flags |= KRB5_CTX_FLAG_INITIATOR;
-+              if (kctx->proto == 1)
-+                      v2_flags |= KRB5_CTX_FLAG_CFX;
-+              if (kctx->have_acceptor_subkey)
-+                      v2_flags |= KRB5_CTX_FLAG_ACCEPTOR_SUBKEY;
-+              if (WRITE_BYTES(&p, end, v2_flags)) goto out_err;
-+              if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err;
-+
-+              seq_send_64bit = kctx->seq_send;
-+              if (WRITE_BYTES(&p, end, seq_send_64bit)) goto out_err;
-+
-+              if (kctx->have_acceptor_subkey) {
-+                      if (WRITE_BYTES(&p, end, kctx->acceptor_subkey->enctype))
-+                              goto out_err;
-+                      printerr(2, "serialize_krb5_ctx: serializing subkey "
-+                               "with enctype %d and size %d\n",
-+                               kctx->acceptor_subkey->enctype,
-+                               kctx->acceptor_subkey->length);
-+
-+                      if (write_bytes(&p, end,
-+                                      kctx->acceptor_subkey->contents,
-+                                      kctx->acceptor_subkey->length))
-+                              goto out_err;
-+              } else {
-+                      if (WRITE_BYTES(&p, end, kctx->enc->enctype))
-+                              goto out_err;
-+                      printerr(2, "serialize_krb5_ctx: serializing key "
-+                               "with enctype %d and size %d\n",
-+                               kctx->enc->enctype, kctx->enc->length);
-+
-+                      if (write_bytes(&p, end, kctx->enc->contents,
-+                                      kctx->enc->length))
-+                              goto out_err;
-+              }
-+              break;
-+      default:
-+              printerr(0, "ERROR: serialize_krb5_ctx: unsupported encryption "
-+                       "algorithm %d\n", kctx->enc->enctype);
-               goto out_err;
--      if (WRITE_BYTES(&p, end, kctx->signalg)) goto out_err;
--      if (WRITE_BYTES(&p, end, kctx->sealalg)) goto out_err;
--      if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err;
--      word_seq_send = kctx->seq_send;
--      if (WRITE_BYTES(&p, end, word_seq_send)) goto out_err;
--      if (write_oid(&p, end, kctx->mech_used)) goto out_err;
--
--      printerr(2, "serialize_krb5_ctx: serializing keys with "
--               "enctype %d and length %d\n",
--               kctx->enc->enctype, kctx->enc->length);
--
--      if (write_keyblock(&p, end, kctx->enc)) goto out_err;
--      if (write_keyblock(&p, end, kctx->seq)) goto out_err;
-+      }
-       buf->length = p - (char *)buf->value;
-       return 0;
-+
- out_err:
-       printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
--      if (buf->value) free(buf->value);
-+      if (buf->value) {
-+              free(buf->value);
-+      }
-+      buf->value = NULL;
-       buf->length = 0;
-       return -1;
- }
-_