The complete set of CITI nfs-utils patches rolled into one patch. Changes since 1.0.8-rc4-CITI_NFS4_ALL-3: * Update to the final nfs-utils-1.0.8 * Check for problems with the gssapi library in gssd and svcgssd early on, so we can give a good error message and bail out. * Add temporary patch to svcgssd to use default values when the mapping of the gss principal to uid/gid fails. This may need to somehow coordinate with the anonuid/anongid values for the export. --- nfs-utils-1.0.8-kwc/utils/gssd/context_mit.c | 507 ++++++++++++++++++++++++-- nfs-utils-1.0.8-kwc/utils/gssd/gss_util.c | 25 + nfs-utils-1.0.8-kwc/utils/gssd/gss_util.h | 1 nfs-utils-1.0.8-kwc/utils/gssd/gssd.c | 5 nfs-utils-1.0.8-kwc/utils/gssd/krb5_util.c | 221 +++++++++-- nfs-utils-1.0.8-kwc/utils/gssd/krb5_util.h | 2 nfs-utils-1.0.8-kwc/utils/gssd/svcgssd.c | 5 nfs-utils-1.0.8-kwc/utils/gssd/svcgssd_proc.c | 17 nfs-utils-1.0.8-kwc/utils/gssd/write_bytes.h | 13 9 files changed, 714 insertions(+), 82 deletions(-) diff -puN utils/gssd/gssd.c~CITI_NFS4_ALL utils/gssd/gssd.c --- nfs-utils-1.0.8/utils/gssd/gssd.c~CITI_NFS4_ALL 2006-04-20 12:41:15.668400000 -0400 +++ nfs-utils-1.0.8-kwc/utils/gssd/gssd.c 2006-04-20 12:41:16.486965000 -0400 @@ -145,6 +145,9 @@ main(int argc, char *argv[]) "support setting debug level\n"); #endif + if (gssd_check_mechs() != 0) + errx(1, "Problem with gssapi library"); + if (!fg && daemon(0, 0) < 0) errx(1, "fork"); @@ -154,6 +157,8 @@ main(int argc, char *argv[]) /* Process keytab file and get machine credentials */ gssd_refresh_krb5_machine_creds(); + /* Determine Kerberos information from the kernel */ + gssd_obtain_kernel_krb5_info(); gssd_run(); printerr(0, "gssd_run returned!\n"); diff -puN utils/gssd/gss_util.c~CITI_NFS4_ALL utils/gssd/gss_util.c --- nfs-utils-1.0.8/utils/gssd/gss_util.c~CITI_NFS4_ALL 2006-04-20 12:41:15.770298000 -0400 +++ nfs-utils-1.0.8-kwc/utils/gssd/gss_util.c 2006-04-20 12:41:16.001067000 -0400 
@@ -224,3 +224,28 @@ gssd_acquire_cred(char *server_name) return (maj_stat == GSS_S_COMPLETE); } + +int gssd_check_mechs(void) +{ + u_int32_t maj_stat, min_stat; + gss_OID_set supported_mechs = GSS_C_NO_OID_SET; + int retval = -1; + + maj_stat = gss_indicate_mechs(&min_stat, &supported_mechs); + if (maj_stat != GSS_S_COMPLETE) { + printerr(0, "Unable to obtain list of supported mechanisms. " + "Check that gss library is properly configured.\n"); + goto out; + } + if (supported_mechs == GSS_C_NO_OID_SET || + supported_mechs->count == 0) { + printerr(0, "Unable to obtain list of supported mechanisms. " + "Check that gss library is properly configured.\n"); + goto out; + } + maj_stat = gss_release_oid_set(&min_stat, &supported_mechs); + retval = 0; +out: + return retval; +} + diff -puN utils/gssd/gss_util.h~CITI_NFS4_ALL utils/gssd/gss_util.h --- nfs-utils-1.0.8/utils/gssd/gss_util.h~CITI_NFS4_ALL 2006-04-20 12:41:15.865203000 -0400 +++ nfs-utils-1.0.8-kwc/utils/gssd/gss_util.h 2006-04-20 12:41:16.011057000 -0400 @@ -40,5 +40,6 @@ extern gss_cred_id_t gssd_creds; int gssd_acquire_cred(char *server_name); void pgsserr(char *msg, u_int32_t maj_stat, u_int32_t min_stat, const gss_OID mech); +int gssd_check_mechs(void); #endif /* _GSS_UTIL_H_ */ diff -puN utils/gssd/svcgssd.c~CITI_NFS4_ALL utils/gssd/svcgssd.c --- nfs-utils-1.0.8/utils/gssd/svcgssd.c~CITI_NFS4_ALL 2006-04-20 12:41:15.961107000 -0400 +++ nfs-utils-1.0.8-kwc/utils/gssd/svcgssd.c 2006-04-20 12:41:16.021047000 -0400 @@ -204,6 +204,11 @@ main(int argc, char *argv[]) "support setting debug level\n"); #endif + if (gssd_check_mechs() != 0) { + printerr(0, "ERROR: Problem with gssapi library\n"); + exit(1); + } + if (!fg) mydaemon(0, 0); diff -puN utils/gssd/krb5_util.c~CITI_NFS4_ALL utils/gssd/krb5_util.c --- nfs-utils-1.0.8/utils/gssd/krb5_util.c~CITI_NFS4_ALL 2006-04-20 12:41:16.230965000 -0400 +++ nfs-utils-1.0.8-kwc/utils/gssd/krb5_util.c 2006-04-20 12:41:16.503965000 -0400 
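Review bot: The empty-set branch of gssd_check_mechs() (`supported_mechs->count == 0`) jumps to `out` without releasing the OID set that gss_indicate_mechs() just allocated, so that path leaks it; moving the release under the label, `out: if (supported_mechs != GSS_C_NO_OID_SET) (void) gss_release_oid_set(&min_stat, &supported_mechs);`, covers both exits and drops the assignment to `maj_stat` whose result is never checked. Both failure messages also discard maj_stat/min_stat although pgsserr() is declared in this same header; `pgsserr("gss_indicate_mechs", maj_stat, min_stat, GSS_C_NO_OID);` before the existing hint would tell an operator why the library is misconfigured rather than only that it is. The gssd.c and svcgssd.c callers treat any non-zero return as fatal, so the return convention itself is fine.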
@@ -97,6 +97,7 @@ #include "config.h" #include #include +#include #include #include #include @@ -105,6 +106,7 @@ #include #include #include +#include #include #include #include @@ -123,6 +125,10 @@ /* Global list of principals/cache file names for machine credentials */ struct gssd_k5_kt_princ *gssd_k5_kt_princ_list = NULL; +/* Encryption types supported by the kernel rpcsec_gss code */ +int num_krb5_enctypes = 0; +krb5_enctype *krb5_enctypes = NULL; + /*==========================*/ /*=== Internal routines ===*/ /*==========================*/ @@ -261,51 +267,6 @@ gssd_find_existing_krb5_ccache(uid_t uid } -#ifdef HAVE_SET_ALLOWABLE_ENCTYPES -/* - * this routine obtains a credentials handle via gss_acquire_cred() - * then calls gss_krb5_set_allowable_enctypes() to limit the encryption - * types negotiated. - * - * XXX Should call some function to determine the enctypes supported - * by the kernel. (Only need to do that once!) - * - * Returns: - * 0 => all went well - * -1 => there was an error - */ - -int -limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid) -{ - u_int maj_stat, min_stat; - gss_cred_id_t credh; - krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC }; - int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]); - - maj_stat = gss_acquire_cred(&min_stat, NULL, 0, - GSS_C_NULL_OID_SET, GSS_C_INITIATE, - &credh, NULL, NULL); - - if (maj_stat != GSS_S_COMPLETE) { - pgsserr("gss_acquire_cred", - maj_stat, min_stat, &krb5oid); - return -1; - } - - maj_stat = gss_set_allowable_enctypes(&min_stat, credh, &krb5oid, - num_enctypes, &enctypes); - if (maj_stat != GSS_S_COMPLETE) { - pgsserr("gss_set_allowable_enctypes", - maj_stat, min_stat, &krb5oid); - return -1; - } - sec->cred = credh; - - return 0; -} -#endif /* HAVE_SET_ALLOWABLE_ENCTYPES */ - /* * Obtain credentials via a key in the keytab given * a keytab handle and a gssd_k5_kt_princ structure. 
@@ -603,6 +564,56 @@ gssd_set_krb5_ccache_name(char *ccname)
 #endif
 }
+/*
+ * Parse the supported encryption type information
+ */
+static int
+parse_enctypes(char *enctypes)
+{
+ int n = 0;
+ char *curr, *comma;
+ int i;
+
+ /* Just in case this ever gets called more than once */
+ if (krb5_enctypes != NULL) {
+ free(krb5_enctypes);
+ krb5_enctypes = NULL;
+ num_krb5_enctypes = 0;
+ }
+
+ /* count the number of commas */
+ for (curr = enctypes; curr && *curr != '\0'; curr = ++comma) {
+ comma = strchr(curr, ',');
+ if (comma != NULL)
+ n++;
+ else
+ break;
+ }
+ /* If no more commas and we're not at the end, there's one more value */
+ if (*curr != '\0')
+ n++;
+
+ /* Empty string, return an error */
+ if (n == 0)
+ return ENOENT;
+
+ /* Allocate space for enctypes array */
+ if ((krb5_enctypes = (int *) calloc(n, sizeof(int))) == NULL) {
+ return ENOMEM;
+ }
+
+ /* Now parse each value into the array */
+ for (curr = enctypes, i = 0; curr && *curr != '\0'; curr = ++comma) {
+ krb5_enctypes[i++] = atoi(curr);
+ comma = strchr(curr, ',');
+ if (comma == NULL)
+ break;
+ }
+
+ num_krb5_enctypes = n;
+ return 0;
+}
+
 /*==========================*/
 /*=== External routines ===*/
 /*==========================*/
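Review bot: parse_enctypes() converts each token with atoi(), which turns any non-numeric or malformed token (for example the empty field in `1,,3`) into enctype 0 and stores it silently, so a corrupt krb5_info line ends up in the list later handed to gss_set_allowable_enctypes() instead of being rejected. Converting with strtol() and requiring each token to end at a comma or the terminator lets the function return EINVAL for bad input, as below. The allocation would also read better as `krb5_enctypes = calloc(n, sizeof *krb5_enctypes)` since the array is declared `krb5_enctype *` rather than `int *`, and the post-loop `if (*curr != '\0')` dereferences curr without the NULL guard the loop itself has.
```c
	/* Now parse each value into the array */
	for (curr = enctypes, i = 0; curr && *curr != '\0'; curr = ++comma) {
		char *endp;
		long val;

		errno = 0;
		val = strtol(curr, &endp, 10);
		/* a token must be a number ending at ',' or at the terminator */
		if (endp == curr || (*endp != ',' && *endp != '\0') ||
		    errno == ERANGE) {
			free(krb5_enctypes);
			krb5_enctypes = NULL;
			return EINVAL;
		}
		krb5_enctypes[i++] = (krb5_enctype) val;
		comma = strchr(curr, ',');
		if (comma == NULL)
			break;
	}
```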
@@ -854,3 +865,123 @@ gssd_destroy_krb5_machine_creds(void) krb5_free_context(context); } +#ifdef HAVE_SET_ALLOWABLE_ENCTYPES +/* + * this routine obtains a credentials handle via gss_acquire_cred() + * then calls gss_krb5_set_allowable_enctypes() to limit the encryption + * types negotiated. + * + * Returns: + * 0 => all went well + * -1 => there was an error + */ + +int +limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid) +{ + u_int maj_stat, min_stat; + gss_cred_id_t credh; + gss_OID_set_desc desired_mechs; + krb5_enctype enctypes[] = {ENCTYPE_DES_CBC_CRC}; + int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]); + + /* We only care about getting a krb5 cred */ + desired_mechs.count = 1; + desired_mechs.elements = &krb5oid; + + maj_stat = gss_acquire_cred(&min_stat, NULL, 0, + &desired_mechs, GSS_C_INITIATE, + &credh, NULL, NULL); + + if (maj_stat != GSS_S_COMPLETE) { + pgsserr("gss_acquire_cred", + maj_stat, min_stat, &krb5oid); + return -1; + } + + /* + * If we failed for any reason to produce global + * list of supported enctypes, use local default here. + */ + if (krb5_enctypes == NULL) + maj_stat = gss_set_allowable_enctypes(&min_stat, credh, + &krb5oid, num_enctypes, &enctypes); + else + maj_stat = gss_set_allowable_enctypes(&min_stat, credh, + &krb5oid, num_krb5_enctypes, + krb5_enctypes); + if (maj_stat != GSS_S_COMPLETE) { + pgsserr("gss_set_allowable_enctypes", + maj_stat, min_stat, &krb5oid); + return -1; + } + sec->cred = credh; + + return 0; +} +#endif /* HAVE_SET_ALLOWABLE_ENCTYPES */ + +/* + * Obtain supported enctypes from kernel. + * Set defaults if info is not available. 
+ */ +void +gssd_obtain_kernel_krb5_info(void) +{ + char enctype_file_name[128]; + char buf[1024]; + char enctypes[128]; + char extrainfo[1024]; + int fd; + int use_default_enctypes = 0; + int nbytes, numfields; + char default_enctypes[] = "1,3,2"; + int code; + + snprintf(enctype_file_name, sizeof(enctype_file_name), + "%s/%s", pipefsdir, "krb5_info"); + + if ((fd = open(enctype_file_name, O_RDONLY)) == -1) { + printerr(1, "WARNING: gssd_obtain_kernel_krb5_info: " + "Unable to open '%s'. Unable to determine " + "Kerberos encryption types supported by the " + "kernel; using defaults (%s).\n", + enctype_file_name, default_enctypes); + use_default_enctypes = 1; + goto do_the_parse; + } + if ((nbytes = read(fd, buf, sizeof(buf))) == -1) { + printerr(0, "WARNING: gssd_obtain_kernel_krb5_info: " + "Error reading Kerberos encryption type " + "information file '%s'; using defaults (%s).\n", + enctype_file_name, default_enctypes); + use_default_enctypes = 1; + goto do_the_parse; + } + numfields = sscanf(buf, "enctypes: %s\n%s", enctypes, extrainfo); + if (numfields < 1) { + printerr(0, "WARNING: gssd_obtain_kernel_krb5_info: " + "error parsing Kerberos encryption type " + "information from file '%s'; using defaults (%s).\n", + enctype_file_name, default_enctypes); + use_default_enctypes = 1; + goto do_the_parse; + } + if (numfields > 1) { + printerr(0, "WARNING: gssd_obtain_kernel_krb5_info: " + "Extra information, '%s', from '%s' is ignored\n", + enctype_file_name, extrainfo); + use_default_enctypes = 1; + goto do_the_parse; + } + do_the_parse: + if (use_default_enctypes) + strcpy(enctypes, default_enctypes); + + if ((code = parse_enctypes(enctypes)) != 0) { + printerr(0, "ERROR: gssd_obtain_kernel_krb5_info: " + "parse_enctypes%s failed with code %d\n", + use_default_enctypes ? 
" (with default enctypes)" : "", + code); + } +} diff -puN utils/gssd/krb5_util.h~CITI_NFS4_ALL utils/gssd/krb5_util.h --- nfs-utils-1.0.8/utils/gssd/krb5_util.h~CITI_NFS4_ALL 2006-04-20 12:41:16.461965000 -0400 +++ nfs-utils-1.0.8-kwc/utils/gssd/krb5_util.h 2006-04-20 12:41:16.513965000 -0400 @@ -22,6 +22,8 @@ int gssd_refresh_krb5_machine_creds(voi void gssd_free_krb5_machine_cred_list(char **list); void gssd_setup_krb5_machine_gss_ccache(char *servername); void gssd_destroy_krb5_machine_creds(void); +void gssd_obtain_kernel_krb5_info(void); + #ifdef HAVE_SET_ALLOWABLE_ENCTYPES int limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid); diff -puN utils/gssd/context_mit.c~CITI_NFS4_ALL utils/gssd/context_mit.c --- nfs-utils-1.0.8/utils/gssd/context_mit.c~CITI_NFS4_ALL 2006-04-20 12:41:16.770847000 -0400 +++ nfs-utils-1.0.8-kwc/utils/gssd/context_mit.c 2006-04-20 12:41:16.894723000 -0400 @@ -32,6 +32,7 @@ #include #include #include +#include #include #include #include 
@@ -43,9 +44,53 @@ #ifdef HAVE_KRB5 #include +/* for 3DES */ +#define KG_USAGE_SEAL 22 +#define KG_USAGE_SIGN 23 +#define KG_USAGE_SEQ 24 + +/* for rfc???? */ +#define KG_USAGE_ACCEPTOR_SEAL 22 +#define KG_USAGE_ACCEPTOR_SIGN 23 +#define KG_USAGE_INITIATOR_SEAL 24 +#define KG_USAGE_INITIATOR_SIGN 25 + +/* Lifted from mit src/lib/gssapi/krb5/gssapiP_krb5.h */ +enum seal_alg { + SEAL_ALG_NONE = 0xffff, + SEAL_ALG_DES = 0x0000, + SEAL_ALG_1 = 0x0001, /* not published */ + SEAL_ALG_MICROSOFT_RC4 = 0x0010, /* microsoft w2k; */ + SEAL_ALG_DES3KD = 0x0002 +}; + +#define KEY_USAGE_SEED_ENCRYPTION 0xAA +#define KEY_USAGE_SEED_INTEGRITY 0x55 +#define KEY_USAGE_SEED_CHECKSUM 0x99 +#define K5CLENGTH 5 + +/* Flags for version 2 context flags */ +#define KRB5_CTX_FLAG_INITIATOR 0x00000001 +#define KRB5_CTX_FLAG_CFX 0x00000002 +#define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004 + +/* + * XXX Hack alert. We don't have "legal" access to these + * structures located in libk5crypto + */ +extern void krb5int_enc_arcfour; +extern void krb5int_enc_des3; +extern void krb5int_enc_aes128; +extern void krb5int_enc_aes256; +extern int krb5_derive_key(); + +void *get_enc_provider(); + /* XXX spkm3 seems to actually want it this big, yipes. */ #define MAX_CTX_LEN 4096 + + #ifdef HAVE_LUCID_CONTEXT_SUPPORT /* Don't use the private structure, use the exported lucid structure */ 
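Review bot: `extern int krb5_derive_key();` and `void *get_enc_provider();` are declared with empty parameter lists, so the krb5_derive_key() calls later in this patch get no argument type checking, and get_enc_provider is neither defined nor used anywhere in the patch. A prototype matching how it is called below, `extern int krb5_derive_key(void *, const krb5_keyblock *, krb5_keyblock *, const krb5_data *);`, would let the compiler catch mismatches, and the unused declaration can go. The `/* for rfc???? */` comment can name RFC 4121, which is where the CFX acceptor/initiator key usage numbers come from. The `extern void` declarations of libk5crypto internals tie the build to MIT private symbols, as the hack-alert comment acknowledges; a configure-time check alongside the existing HAVE_LUCID_CONTEXT_SUPPORT would make that dependency fail at configure time rather than at link time.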
@@ -144,6 +189,96 @@ write_lucid_keyblock(char **p, char *end return 0; } +static void +key_lucid_to_krb5(const gss_krb5_lucid_key_t *lin, krb5_keyblock *kout) +{ + memset(kout, '\0', sizeof(kout)); + kout->enctype = lin->type; + kout->length = lin->length; + kout->contents = lin->data; +} + +static void +key_krb5_to_lucid(const krb5_keyblock *kin, gss_krb5_lucid_key_t *lout) +{ + memset(lout, '\0', sizeof(lout)); + lout->type = kin->enctype; + lout->length = kin->length; + lout->data = kin->contents; +} + +/* + * Function to derive a new key from a given key and given constant data. + */ +static krb5_error_code +derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out, + int usage, char extra) +{ + krb5_error_code code; + unsigned char constant_data[K5CLENGTH]; + krb5_data datain; + int keylength; + void *enc; + krb5_keyblock kin, kout; /* must send krb5_keyblock, not lucid! */ + + /* + * XXX Hack alert. We don't have "legal" access to these + * values and structures located in libk5crypto + */ + switch (in->type) { + case ENCTYPE_DES3_CBC_RAW: + keylength = 24; + enc = &krb5int_enc_des3; + break; + case ENCTYPE_AES128_CTS_HMAC_SHA1_96: + keylength = 16; + enc = &krb5int_enc_aes128; + break; + case ENCTYPE_AES256_CTS_HMAC_SHA1_96: + keylength = 32; + enc = &krb5int_enc_aes256; + break; + default: + code = KRB5_BAD_ENCTYPE; + goto out; + } + + /* allocate memory for output key */ + if ((out->data = malloc(keylength)) == NULL) { + code = ENOMEM; + goto out; + } + out->length = keylength; + out->type = in->type; + + /* Convert to correct format for call to krb5_derive_key */ + key_lucid_to_krb5(in, &kin); + key_lucid_to_krb5(out, &kout); + + datain.data = (char *) constant_data; + datain.length = K5CLENGTH; + + datain.data[0] = (usage>>24)&0xff; + datain.data[1] = (usage>>16)&0xff; + datain.data[2] = (usage>>8)&0xff; + datain.data[3] = usage&0xff; + + datain.data[4] = (char) extra; + + if ((code = krb5_derive_key(enc, &kin, &kout, &datain))) { + 
free(out->data); + out->data = NULL; + goto out; + } + key_krb5_to_lucid(&kout, out); + + out: + if (code) + printerr(0, "ERROR: derive_key_lucid returning error %d (%s)\n", + code, error_message(code)); + return (code); +} + static int prepare_krb5_rfc1964_buffer(gss_krb5_lucid_context_v1_t *lctx, gss_buffer_desc *buf) @@ -183,7 +318,7 @@ prepare_krb5_rfc1964_buffer(gss_krb5_luc if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err; word_send_seq = lctx->send_seq; /* XXX send_seq is 64-bit */ if (WRITE_BYTES(&p, end, word_send_seq)) goto out_err; - if (write_buffer(&p, end, (gss_buffer_desc*)&krb5oid)) goto out_err; + if (write_oid(&p, end, &krb5oid)) goto out_err; printerr(2, "prepare_krb5_rfc1964_buffer: serializing keys with " "enctype %d and length %d\n", 
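Review bot: `memset(kout, '\0', sizeof(kout))` in key_lucid_to_krb5() zeroes only sizeof(pointer) bytes because `kout` is a pointer, and key_krb5_to_lucid() has the same `sizeof(lout)` mistake; both should be `sizeof(*kout)` and `sizeof(*lout)`. The three members assigned afterward are fine, so this matters for any other member of krb5_keyblock or gss_krb5_lucid_key_t (MIT's krb5_keyblock carries a `magic` field, as far as I recall), which is left uninitialized and then passed to krb5_derive_key(). derive_key_lucid() also deserves a line in its header comment stating that on success `out->data` is malloc'd here and owned by the caller, which is what the callers in prepare_krb5_ctx_v2_buffer() rely on.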
@@ -212,17 +347,180 @@ prepare_krb5_rfc1964_buffer(gss_krb5_luc return 0; out_err: printerr(0, "ERROR: failed serializing krb5 context for kernel\n"); - if (buf->value) free(buf->value); + if (buf->value) { + free(buf->value); + buf->value = NULL; + } buf->length = 0; - if (enc_key.data) free(enc_key.data); + if (enc_key.data) { + free(enc_key.data); + enc_key.data = NULL; + } return -1; } +/* + * Prepare a new-style buffer to send to the kernel for newer encryption + * types -- or for DES3. + * + * The new format is: + * + * u32 version; This is two (2) + * s32 endtime; + * u32 flags; + * #define KRB5_CTX_FLAG_INITIATOR 0x00000001 + * #define KRB5_CTX_FLAG_CFX 0x00000002 + * #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004 + * u64 seq_send; + * u32 enctype; ( encrption type of keys ) + * u32 size_of_each_key; ( size of each key in bytes ) + * u32 number_of_keys; ( N -- should always be 3 for now ) + * keydata-1; ( Ke ) + * keydata-2; ( Ki ) + * keydata-3; ( Kc ) + * + */ static int -prepare_krb5_rfc_cfx_buffer(gss_krb5_lucid_context_v1_t *lctx, +prepare_krb5_ctx_v2_buffer(gss_krb5_lucid_context_v1_t *lctx, gss_buffer_desc *buf) { - printerr(0, "ERROR: prepare_krb5_rfc_cfx_buffer: not implemented\n"); + char *p, *end; + static uint32_t version = 2; + uint32_t v2_flags = 0; + gss_krb5_lucid_key_t enc_key; + gss_krb5_lucid_key_t derived_key; + gss_buffer_desc fakeoid; + uint32_t enctype; + uint32_t keysize; + uint32_t numkeys; + + memset(&enc_key, 0, sizeof(enc_key)); + memset(&fakeoid, 0, sizeof(fakeoid)); + + if (!(buf->value = calloc(1, MAX_CTX_LEN))) + goto out_err; + p = buf->value; + end = buf->value + MAX_CTX_LEN; + + /* Version 2 */ + if (WRITE_BYTES(&p, end , version)) goto out_err; + if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err; + + if (lctx->initiate) + v2_flags |= KRB5_CTX_FLAG_INITIATOR; + if (lctx->protocol != 0) + v2_flags |= KRB5_CTX_FLAG_CFX; + if (lctx->protocol != 0 && lctx->cfx_kd.have_acceptor_subkey == 1) + v2_flags |= 
KRB5_CTX_FLAG_ACCEPTOR_SUBKEY; + + if (WRITE_BYTES(&p, end, v2_flags)) goto out_err; + + if (WRITE_BYTES(&p, end, lctx->send_seq)) goto out_err; + + /* Protocol 0 here implies DES3 or RC4 */ + if (lctx->protocol == 0) { + enctype = lctx->rfc1964_kd.ctx_key.type; + keysize = lctx->rfc1964_kd.ctx_key.length; + numkeys = 3; /* XXX is always gonna be three? */ + } else { + if (lctx->cfx_kd.have_acceptor_subkey) { + enctype = lctx->cfx_kd.acceptor_subkey.type; + keysize = lctx->cfx_kd.acceptor_subkey.length; + } else { + enctype = lctx->cfx_kd.ctx_key.type; + keysize = lctx->cfx_kd.ctx_key.length; + } + numkeys = 3; + } + printerr(2, "prepare_krb5_ctx_v2_buffer: serializing %d keys with " + "enctype %d and size %d\n", numkeys, enctype, keysize); + if (WRITE_BYTES(&p, end, enctype)) goto out_err; + if (WRITE_BYTES(&p, end, keysize)) goto out_err; + if (WRITE_BYTES(&p, end, numkeys)) goto out_err; + + if (lctx->protocol == 0) { + /* derive and send down: Ke, Ki, and Kc */ + /* Ke */ + if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data, + lctx->rfc1964_kd.ctx_key.length)) + goto out_err; + + /* Ki */ + if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data, + lctx->rfc1964_kd.ctx_key.length)) + goto out_err; + + /* Kc */ + if (derive_key_lucid(&lctx->rfc1964_kd.ctx_key, + &derived_key, + KG_USAGE_SIGN, KEY_USAGE_SEED_CHECKSUM)) + goto out_err; + if (write_bytes(&p, end, derived_key.data, + derived_key.length)) + goto out_err; + free(derived_key.data); + } else { + gss_krb5_lucid_key_t *keyptr; + uint32_t sign_usage, seal_usage; + + if (lctx->cfx_kd.have_acceptor_subkey) + keyptr = &lctx->cfx_kd.acceptor_subkey; + else + keyptr = &lctx->cfx_kd.ctx_key; + + if (lctx->initiate == 1) { + sign_usage = KG_USAGE_INITIATOR_SIGN; + seal_usage = KG_USAGE_INITIATOR_SEAL; + } else { + sign_usage = KG_USAGE_ACCEPTOR_SIGN; + seal_usage = KG_USAGE_ACCEPTOR_SEAL; + } + + /* derive and send down: Ke, Ki, and Kc */ + + /* Ke */ + if (derive_key_lucid(keyptr, &derived_key, + seal_usage, 
KEY_USAGE_SEED_ENCRYPTION)) + goto out_err; + if (write_bytes(&p, end, derived_key.data, + derived_key.length)) + goto out_err; + free(derived_key.data); + + /* Ki */ + if (derive_key_lucid(keyptr, &derived_key, + seal_usage, KEY_USAGE_SEED_INTEGRITY)) + goto out_err; + if (write_bytes(&p, end, derived_key.data, + derived_key.length)) + goto out_err; + free(derived_key.data); + + /* Kc */ + if (derive_key_lucid(keyptr, &derived_key, + sign_usage, KEY_USAGE_SEED_CHECKSUM)) + goto out_err; + if (write_bytes(&p, end, derived_key.data, + derived_key.length)) + goto out_err; + free(derived_key.data); + } + + buf->length = p - (char *)buf->value; + return 0; + +out_err: + printerr(0, "ERROR: prepare_krb5_ctx_v2_buffer: " + "failed serializing krb5 context for kernel\n"); + if (buf->value) { + free(buf->value); + buf->value = NULL; + } + buf->length = 0; + if (enc_key.data) { + free(enc_key.data); + enc_key.data = NULL; + } return -1; } @@ -258,11 +556,21 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss break; } - /* Now lctx points to a lucid context that we can send down to kernel */ - if (lctx->protocol == 0) + /* + * Now lctx points to a lucid context that we can send down to kernel + * + * Note: we send down different information to the kernel depending + * on the protocol version and the enctyption type. + * For protocol version 0 with all enctypes besides DES3, we use + * the original format. For protocol version != 0 or DES3, we + * send down the new style information. + */ + + if (lctx->protocol == 0 && + lctx->rfc1964_kd.ctx_key.type == ENCTYPE_DES_CBC_RAW) retcode = prepare_krb5_rfc1964_buffer(lctx, buf); else - retcode = prepare_krb5_rfc_cfx_buffer(lctx, buf); + retcode = prepare_krb5_ctx_v2_buffer(lctx, buf); maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx); if (maj_stat != GSS_S_COMPLETE) { 
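Review bot: In prepare_krb5_ctx_v2_buffer(), each derive/write pair leaks `derived_key.data` when write_bytes() fails after a successful derive_key_lucid(), because the `goto out_err` skips the free(); `enc_key` is never assigned anything, so its free in out_err is dead code. The derived key bytes are also released with a plain free(), leaving key material in the heap, and out_err frees `buf->value`, which holds the same keys, without clearing it. A small helper that derives, writes, wipes and frees (below) fixes the leak and replaces the four repeated blocks; a plain memset() before free() may be optimized away, so use a compiler-safe wipe where the build has one.
```c
/* Derive one key, copy it into the kernel buffer, then wipe and free it. */
static int
derive_and_write_key(char **p, char *end, const gss_krb5_lucid_key_t *key,
		     int usage, char seed)
{
	gss_krb5_lucid_key_t derived;
	int ret;

	if (derive_key_lucid(key, &derived, usage, seed))
		return -1;
	ret = write_bytes(p, end, derived.data, derived.length);
	/* key bytes are sensitive: clear them before the block is released */
	memset(derived.data, 0, derived.length);
	free(derived.data);
	return ret;
}

	/* … unchanged: header fields, enctype/keysize/numkeys … */
	/* Ke */
	if (derive_and_write_key(&p, end, keyptr, seal_usage,
				 KEY_USAGE_SEED_ENCRYPTION))
		goto out_err;
	/* … Ki and Kc follow the same pattern with KEY_USAGE_SEED_INTEGRITY
	 * and sign_usage/KEY_USAGE_SEED_CHECKSUM … */
```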
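Review bot: The new comment in serialize_krb5_ctx() says the original format is used for "protocol version 0 with all enctypes besides DES3", but the condition below it selects prepare_krb5_rfc1964_buffer() only for `ENCTYPE_DES_CBC_RAW`, so protocol-0 contexts with any other enctype (RC4 included) take the v2 path. Reword it to match the code, e.g. `* For protocol version 0 with single-DES keys we use the original format; everything else (DES3, RC4 and the CFX enctypes) gets the new style information.` serialize_krb5_ctx() begins before this hunk.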
@@ -300,6 +608,66 @@ write_keyblock(char **p, char *end, stru } /* + * Function to derive a new key from a given key and given constant data. + */ +static krb5_error_code +derive_key(const krb5_keyblock *in, krb5_keyblock *out, int usage, char extra) +{ + krb5_error_code code; + unsigned char constant_data[K5CLENGTH]; + krb5_data datain; + int keylength; + void *enc; + + /* + * XXX Hack alert. We don't have "legal" access to these + * values and structures located in libk5crypto + */ + switch (in->enctype) { + case ENCTYPE_DES3_CBC_RAW: + keylength = 24; + enc = &krb5int_enc_des3; + break; + case ENCTYPE_ARCFOUR_HMAC: + keylength = 16; + enc = &krb5int_enc_arcfour; + break; + default: + code = KRB5_BAD_ENCTYPE; + goto out; + } + + /* allocate memory for output key */ + if ((out->contents = malloc(keylength)) == NULL) { + code = ENOMEM; + goto out; + } + out->length = keylength; + out->enctype = in->enctype; + + datain.data = (char *) constant_data; + datain.length = K5CLENGTH; + + datain.data[0] = (usage>>24)&0xff; + datain.data[1] = (usage>>16)&0xff; + datain.data[2] = (usage>>8)&0xff; + datain.data[3] = usage&0xff; + + datain.data[4] = (char) extra; + + if ((code = krb5_derive_key(enc, in, out, &datain))) { + free(out->contents); + out->contents = NULL; + } + + out: + if (code) + printerr(0, "ERROR: derive_key returning error %d (%s)\n", + code, error_message(code)); + return (code); +} + +/* * We really shouldn't know about glue-layer context structure, but * we need to get at the real krb5 context pointer. This should be * removed as soon as we say there is no support for MIT Kerberos 
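Review bot: derive_key() repeats derive_key_lucid()'s construction of the K5CLENGTH constant (the four usage bytes plus `extra`) and its error reporting; a shared static helper such as `static void build_key_constant(unsigned char buf[K5CLENGTH], int usage, char extra)` would leave one copy of the byte layout to get right. `out` is filled member by member without being zeroed first, so any member of krb5_keyblock other than enctype/length/contents (MIT's has a `magic` field, if I recall correctly) reaches krb5_derive_key() uninitialized; `memset(out, 0, sizeof *out);` before the switch covers that. The header comment should also state that on success `out->contents` is malloc'd here and must be freed by the caller.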
@@ -315,45 +683,114 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss { krb5_gss_ctx_id_t kctx = ((gss_union_ctx_id_t)ctx)->internal_ctx_id; char *p, *end; - static int constant_one = 1; static int constant_zero = 0; + static int constant_one = 1; + static int constant_two = 2; uint32_t word_seq_send; + u_int64_t seq_send_64bit; + uint32_t v2_flags = 0; + krb5_keyblock derived_key; + uint32_t numkeys; if (!(buf->value = calloc(1, MAX_CTX_LEN))) goto out_err; p = buf->value; end = buf->value + MAX_CTX_LEN; - if (kctx->initiate) { - if (WRITE_BYTES(&p, end, constant_one)) goto out_err; - } - else { - if (WRITE_BYTES(&p, end, constant_zero)) goto out_err; - } - if (kctx->seed_init) { - if (WRITE_BYTES(&p, end, constant_one)) goto out_err; - } - else { - if (WRITE_BYTES(&p, end, constant_zero)) goto out_err; - } - if (write_bytes(&p, end, &kctx->seed, sizeof(kctx->seed))) - goto out_err; - if (WRITE_BYTES(&p, end, kctx->signalg)) goto out_err; - if (WRITE_BYTES(&p, end, kctx->sealalg)) goto out_err; - if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err; - word_seq_send = kctx->seq_send; - if (WRITE_BYTES(&p, end, word_seq_send)) goto out_err; - if (write_buffer(&p, end, kctx->mech_used)) goto out_err; - - printerr(2, "serialize_krb5_ctx: serializing keys with " - "enctype %d and length %d\n", - kctx->enc->enctype, kctx->enc->length); + switch (kctx->sealalg) { + case SEAL_ALG_DES: + /* Versions 0 and 1 */ + if (kctx->initiate) { + if (WRITE_BYTES(&p, end, constant_one)) goto out_err; + } + else { + if (WRITE_BYTES(&p, end, constant_zero)) goto out_err; + } + if (kctx->seed_init) { + if (WRITE_BYTES(&p, end, constant_one)) goto out_err; + } + else { + if (WRITE_BYTES(&p, end, constant_zero)) goto out_err; + } + if (write_bytes(&p, end, &kctx->seed, sizeof(kctx->seed))) + goto out_err; + if (WRITE_BYTES(&p, end, kctx->signalg)) goto out_err; + if (WRITE_BYTES(&p, end, kctx->sealalg)) goto out_err; + if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err; + word_seq_send = 
kctx->seq_send; + if (WRITE_BYTES(&p, end, word_seq_send)) goto out_err; + if (write_buffer(&p, end, kctx->mech_used)) goto out_err; + + printerr(2, "serialize_krb5_ctx: serializing keys with " + "enctype %d and length %d\n", + kctx->enc->enctype, kctx->enc->length); - if (write_keyblock(&p, end, kctx->enc)) goto out_err; - if (write_keyblock(&p, end, kctx->seq)) goto out_err; + if (write_keyblock(&p, end, kctx->enc)) goto out_err; + if (write_keyblock(&p, end, kctx->seq)) goto out_err; + break; + case SEAL_ALG_MICROSOFT_RC4: + case SEAL_ALG_DES3KD: + /* u32 version; ( 2 ) + * s32 endtime; + * u32 flags; + * #define KRB5_CTX_FLAG_INITIATOR 0x00000001 + * #define KRB5_CTX_FLAG_CFX 0x00000002 + * #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004 + * u64 seq_send; + * u32 enctype; + * u32 size_of_each_key; ( size in bytes ) + * u32 number_of_keys; ( N (assumed to be 3 for now) ) + * keydata-1; ( Ke (Kenc for DES3) ) + * keydata-2; ( Ki (Kseq for DES3) ) + * keydata-3; ( Kc (derived checksum key) ) + */ + /* Version 2 */ + if (WRITE_BYTES(&p, end , constant_two)) goto out_err; + if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err; + + /* Only applicable flag for is initiator */ + if (kctx->initiate) v2_flags |= KRB5_CTX_FLAG_INITIATOR; + if (WRITE_BYTES(&p, end, v2_flags)) goto out_err; + + seq_send_64bit = kctx->seq_send; + if (WRITE_BYTES(&p, end, seq_send_64bit)) goto out_err; + + if (WRITE_BYTES(&p, end, kctx->enc->enctype)) goto out_err; + if (WRITE_BYTES(&p, end, kctx->enc->length)) goto out_err; + numkeys = 3; + if (WRITE_BYTES(&p, end, numkeys)) goto out_err; + printerr(2, "serialize_krb5_ctx: serializing %d keys with " + "enctype %d and size %d\n", + numkeys, kctx->enc->enctype, kctx->enc->length); + + /* Ke */ + if (write_bytes(&p, end, kctx->enc->contents, + kctx->enc->length)) + goto out_err; + + /* Ki */ + if (write_bytes(&p, end, kctx->enc->contents, + kctx->enc->length)) + goto out_err; + + /* Kc */ + if (derive_key(kctx->seq, &derived_key, + 
KG_USAGE_SIGN, KEY_USAGE_SEED_CHECKSUM)) + goto out_err; + if (write_bytes(&p, end, derived_key.contents, + derived_key.length)) + goto out_err; + free(derived_key.contents); + break; + default: + printerr(0, "ERROR: serialize_krb5_ctx: unsupported seal " + "algorithm %d\n", kctx->sealalg); + goto out_err; + } buf->length = p - (char *)buf->value; return 0; + out_err: printerr(0, "ERROR: failed serializing krb5 context for kernel\n"); if (buf->value) free(buf->value); diff -puN utils/gssd/write_bytes.h~CITI_NFS4_ALL utils/gssd/write_bytes.h --- nfs-utils-1.0.8/utils/gssd/write_bytes.h~CITI_NFS4_ALL 2006-04-20 12:41:16.867750000 -0400 +++ nfs-utils-1.0.8-kwc/utils/gssd/write_bytes.h 2006-04-20 12:41:16.905712000 -0400 @@ -63,6 +63,19 @@ write_buffer(char **p, char *end, gss_bu return 0; } +inline static int +write_oid(char **p, char *end, gss_OID_desc *arg) +{ + int len = (int)arg->length; /* make an int out of size_t */ + if (WRITE_BYTES(p, end, len)) + return -1; + if (*p + arg->length > end) + return -1; + memcpy(*p, arg->elements, len); + *p += len; + return 0; +} + static inline int get_bytes(char **ptr, const char *end, void *res, int len) { diff -puN utils/gssd/svcgssd_proc.c~CITI_NFS4_ALL utils/gssd/svcgssd_proc.c --- nfs-utils-1.0.8/utils/gssd/svcgssd_proc.c~CITI_NFS4_ALL 2006-04-20 12:41:17.109514000 -0400 +++ nfs-utils-1.0.8-kwc/utils/gssd/svcgssd_proc.c 2006-04-20 12:41:17.133514000 -0400 
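Review bot: In the SEAL_ALG_DES3KD/SEAL_ALG_MICROSOFT_RC4 case the format comment documents keydata-2 as "Ki (Kseq for DES3)", but the code writes `kctx->enc->contents` for both Ke and Ki and only derives Kc from `kctx->seq`, so the comment and the code disagree; the lucid path in prepare_krb5_ctx_v2_buffer() also sends ctx_key twice, which suggests the comment is the part to change, but what the kernel expects in that slot should be confirmed against the kernel side. As in the lucid path, `derived_key.contents` leaks when write_bytes() fails after a successful derive_key(), and it is freed without being wiped; `if (write_bytes(&p, end, derived_key.contents, derived_key.length)) { free(derived_key.contents); goto out_err; }` at least stops the leak. serialize_krb5_ctx() starts before this hunk.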
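Review bot: write_oid() checks the remaining space with `*p + arg->length > end`, which forms a pointer beyond the end of the buffer before comparing it, undefined behavior in C; comparing lengths instead, `if (len < 0 || (size_t)(end - *p) < arg->length) return -1;`, also rejects a size_t length that did not survive the cast to `int` before that value is written into the buffer. The qualifier order `inline static` differs from the `static inline` used by get_bytes() immediately below.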
@@ -220,8 +220,21 @@ get_ids(gss_name_t client_name, gss_OID nfs4_init_name_mapping(NULL); /* XXX: should only do this once */ res = nfs4_gss_princ_to_ids(secname, sname, &uid, &gid); if (res < 0) { - printerr(0, "WARNING: get_ids: unable to map " - "name '%s' to a uid\n", sname); + /* + * -ENOENT means there was no mapping, any other error + * value means there was an error trying to do the + * mapping. + */ + if (res == -ENOENT) { + cred->cr_uid = -2; /* XXX */ + cred->cr_gid = -2; /* XXX */ + cred->cr_groups[0] = -2;/* XXX */ + cred->cr_ngroups = 1; + res = 0; + goto out_free; + } + printerr(0, "WARNING: get_ids: failed to map name '%s' " + "to uid/gid: %s\n", sname, strerror(-res)); goto out_free; } cred->cr_uid = uid; _
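Review bot: The new -ENOENT branch in get_ids() maps an unmapped principal to hard-coded anonymous ids (-2) without emitting any message and then sets `res = 0`, so a broken or incomplete idmap configuration silently turns every authenticated client into nobody instead of surfacing as a mapping failure; the commit message itself calls this temporary. At minimum log it, e.g. `printerr(1, "WARNING: get_ids: no mapping for name '%s'; using anonymous ids\n", sname);`, and, as the commit message suggests, take the values from the export's anonuid/anongid rather than the literal -2. Assigning -2 to cr_uid/cr_gid presumably relies on those fields being unsigned and wrapping to the nobody id; a named constant would make that intent explicit. get_ids() continues past the end of this hunk.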