The complete set of CITI nfs-utils patches rolled into one patch. Changes since 1.1.1-CITI_NFS4_ALL-1: * Update to nfs-utils-1.1.2 * Patch from Olga Kornievskaia to read port number from the info file to support non-standard ports. * Patch to include the "other" DES encryption types when negotiating a context. * Patch originally from Vince Busam to support looking in multiple directories for credential caches to use when creating a context. * A TEMPORARY patch to read a krb5_info file to determine which encryption types the kernel gss_krb5 code supports. * A patch to send down a new context format for encryption types other than DES. --- utils/gssd/context.h | 6 - utils/gssd/context_lucid.c | 132 +++++++++++++++++++--- utils/gssd/context_mit.c | 134 +++++++++++++++++----- utils/gssd/err_util.c | 5 utils/gssd/err_util.h | 1 utils/gssd/gssd.c | 13 ++ utils/gssd/gssd.h | 4 utils/gssd/gssd.man | 6 - utils/gssd/gssd_proc.c | 25 +++- utils/gssd/krb5_util.c | 263 ++++++++++++++++++++++++++++++++++----------- utils/gssd/krb5_util.h | 5 11 files changed, 473 insertions(+), 121 deletions(-) diff -puN utils/gssd/gssd.h~CITI_NFS4_ALL utils/gssd/gssd.h --- nfs-utils-1.1.2/utils/gssd/gssd.h~CITI_NFS4_ALL 2008-04-30 14:49:15.862200000 -0400 +++ nfs-utils-1.1.2-kwc/utils/gssd/gssd.h 2008-04-30 14:49:17.073538000 -0400 @@ -50,6 +50,7 @@ #define GSSD_DEFAULT_KEYTAB_FILE "/etc/krb5.keytab" #define GSSD_SERVICE_NAME "nfs" #define GSSD_SERVICE_NAME_LEN 3 +#define GSSD_MAX_CCACHE_SEARCH 16 /* * The gss mechanisms that we can handle @@ -61,7 +62,7 @@ enum {AUTHTYPE_KRB5, AUTHTYPE_SPKM3, AUT extern char pipefs_dir[PATH_MAX]; extern char pipefs_nfsdir[PATH_MAX]; extern char keytabfile[PATH_MAX]; -extern char ccachedir[PATH_MAX]; +extern char *ccachesearch[]; extern int use_memcache; extern int root_uses_machine_creds; @@ -80,6 +81,7 @@ struct clnt_info { int krb5_poll_index; int spkm3_fd; int spkm3_poll_index; + int port; }; void init_client_list(void); diff -puN utils/gssd/gssd_proc.c~CITI_NFS4_ALL utils/gssd/gssd_proc.c --- nfs-utils-1.1.2/utils/gssd/gssd_proc.c~CITI_NFS4_ALL 2008-04-30 14:49:15.986076000 -0400 +++ nfs-utils-1.1.2-kwc/utils/gssd/gssd_proc.c 2008-04-30 14:49:17.167444000 -0400 @@ -102,7 +102,7 @@ int pollsize; /* the size of pollaray ( /* XXX buffer problems: */ static int read_service_info(char *info_file_name, char **servicename, char **servername, - int *prog, int *vers, char **protocol) { + int *prog, int *vers, char **protocol, int *port) { #define INFOBUFLEN 256 char buf[INFOBUFLEN]; static char dummy[128]; @@ -112,6 +112,8 @@ read_service_info(char *info_file_name, char program[16]; char version[16]; char protoname[16]; + char cb_port[128]; + char *p; in_addr_t inaddr; int fd = -1; struct hostent *ent = NULL; @@ -143,6 +145,10 @@ read_service_info(char *info_file_name, goto fail; } + cb_port[0] = '\0'; + if ((p = strstr(buf, "port")) != NULL) + sscanf(p, "port: %127s\n", cb_port); + /* check service, program, and version */ if(memcmp(service, "nfs", 3)) return -1; *prog = atoi(program + 1); /* skip open paren */ @@ -163,6 +169,8 @@ read_service_info(char *info_file_name, if (!(*servicename = calloc(strlen(buf) + 1, 1))) goto fail; memcpy(*servicename, buf, strlen(buf)); + if (cb_port[0] != '\0') + *port = atoi(cb_port); if (!(*protocol = strdup(protoname))) goto fail; @@ -238,7 +246,7 @@ process_clnt_dir_files(struct clnt_info if ((clp->servicename == NULL) && read_service_info(info_file_name, &clp->servicename, &clp->servername, &clp->prog, &clp->vers, - &clp->protocol)) + &clp->protocol, &clp->port)) return -1; return 0; } @@ -587,6 +595,8 @@ int create_auth_rpc_client(struct clnt_i clp->servername, uid); goto out_fail; } + if (clp->port) + ((struct sockaddr_in *)a->ai_addr)->sin_port = htons(clp->port); if (a->ai_protocol == IPPROTO_TCP) { if ((rpc_clnt = clnttcp_create( (struct sockaddr_in *) a->ai_addr, @@ -675,6 +685,7 @@ handle_krb5_upcall(struct clnt_info *clp gss_buffer_desc token; char **credlist = NULL; char **ccname; + char **dirname; int create_resp = -1; printerr(1, "handling krb5 upcall\n"); @@ -691,10 +702,14 @@ handle_krb5_upcall(struct clnt_info *clp if (uid != 0 || (uid == 0 && root_uses_machine_creds == 0)) { /* Tell krb5 gss which credentials cache to use */ - gssd_setup_krb5_user_gss_ccache(uid, clp->servername); + for (dirname = ccachesearch; *dirname != NULL; dirname++) { + gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname); - create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid, - AUTHTYPE_KRB5); + create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid, + AUTHTYPE_KRB5); + if (create_resp == 0) + break; + } } if (create_resp != 0) { if (uid == 0 && root_uses_machine_creds == 1) { diff -puN utils/gssd/krb5_util.c~CITI_NFS4_ALL utils/gssd/krb5_util.c --- nfs-utils-1.1.2/utils/gssd/krb5_util.c~CITI_NFS4_ALL 2008-04-30 14:49:16.274848000 -0400 +++ nfs-utils-1.1.2-kwc/utils/gssd/krb5_util.c 2008-04-30 14:49:17.571397000 -0400 @@ -97,6 +97,7 @@ #include "config.h" #include #include +#include #include #include #include @@ -108,6 +109,7 @@ #include #include #include +#include #include #include #include @@ -126,12 +128,17 @@ /* Global list of principals/cache file names for machine credentials */ struct gssd_k5_kt_princ *gssd_k5_kt_princ_list = NULL; +/* Encryption types supported by the kernel rpcsec_gss code */ +int num_krb5_enctypes = 0; +krb5_enctype *krb5_enctypes = NULL; + /*==========================*/ /*=== Internal routines ===*/ /*==========================*/ static int select_krb5_ccache(const struct dirent *d); -static int gssd_find_existing_krb5_ccache(uid_t uid, struct dirent **d); +static int gssd_find_existing_krb5_ccache(uid_t uid, char *dirname, + struct dirent **d); static int gssd_get_single_krb5_cred(krb5_context context, krb5_keytab kt, struct gssd_k5_kt_princ *ple); @@ -159,7 +166,7 @@ select_krb5_ccache(const struct dirent * } /* - * Look in the ccachedir for files that look like they + * Look in directory "dirname" for files that look like they * are Kerberos Credential Cache files for a given UID. Return * non-zero and the dirent pointer for the entry most likely to be * what we want. Otherwise, return zero and no dirent pointer. @@ -170,7 +177,7 @@ select_krb5_ccache(const struct dirent * * 1 => found an existing entry */ static int -gssd_find_existing_krb5_ccache(uid_t uid, struct dirent **d) +gssd_find_existing_krb5_ccache(uid_t uid, char *dirname, struct dirent **d) { struct dirent **namelist; int n; @@ -181,9 +188,10 @@ gssd_find_existing_krb5_ccache(uid_t uid memset(&best_match_stat, 0, sizeof(best_match_stat)); *d = NULL; - n = scandir(ccachedir, &namelist, select_krb5_ccache, 0); + n = scandir(dirname, &namelist, select_krb5_ccache, 0); if (n < 0) { - perror("scandir looking for krb5 credentials caches"); + printerr(1, "Error doing scandir on directory '%s': %s\n", + dirname, strerror(errno)); } else if (n > 0) { char statname[1024]; @@ -191,7 +199,7 @@ gssd_find_existing_krb5_ccache(uid_t uid printerr(3, "CC file '%s' being considered\n", namelist[i]->d_name); snprintf(statname, sizeof(statname), - "%s/%s", ccachedir, namelist[i]->d_name); + "%s/%s", dirname, namelist[i]->d_name); if (lstat(statname, &tmp_stat)) { printerr(0, "Error doing stat on file '%s'\n", statname); @@ -256,58 +264,6 @@ gssd_find_existing_krb5_ccache(uid_t uid return found; } - -#ifdef HAVE_SET_ALLOWABLE_ENCTYPES -/* - * this routine obtains a credentials handle via gss_acquire_cred() - * then calls gss_krb5_set_allowable_enctypes() to limit the encryption - * types negotiated. - * - * XXX Should call some function to determine the enctypes supported - * by the kernel. (Only need to do that once!) - * - * Returns: - * 0 => all went well - * -1 => there was an error - */ - -int -limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid) -{ - u_int maj_stat, min_stat; - gss_cred_id_t credh; - gss_OID_set_desc desired_mechs; - krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC }; - int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]); - - /* We only care about getting a krb5 cred */ - desired_mechs.count = 1; - desired_mechs.elements = &krb5oid; - - maj_stat = gss_acquire_cred(&min_stat, NULL, 0, - &desired_mechs, GSS_C_INITIATE, - &credh, NULL, NULL); - - if (maj_stat != GSS_S_COMPLETE) { - pgsserr("gss_acquire_cred", - maj_stat, min_stat, &krb5oid); - return -1; - } - - maj_stat = gss_set_allowable_enctypes(&min_stat, credh, &krb5oid, - num_enctypes, &enctypes); - if (maj_stat != GSS_S_COMPLETE) { - pgsserr("gss_set_allowable_enctypes", - maj_stat, min_stat, &krb5oid); - gss_release_cred(&min_stat, &credh); - return -1; - } - sec->cred = credh; - - return 0; -} -#endif /* HAVE_SET_ALLOWABLE_ENCTYPES */ - /* * Obtain credentials via a key in the keytab given * a keytab handle and a gssd_k5_kt_princ structure. @@ -404,7 +360,7 @@ gssd_get_single_krb5_cred(krb5_context c cache_type = "FILE"; snprintf(cc_name, sizeof(cc_name), "%s:%s/%s%s_%s", cache_type, - ccachedir, GSSD_DEFAULT_CRED_PREFIX, + ccachesearch[0], GSSD_DEFAULT_CRED_PREFIX, GSSD_DEFAULT_MACHINE_CRED_SUFFIX, ple->realm); ple->endtime = my_creds.times.endtime; if (ple->ccname != NULL) @@ -879,6 +835,56 @@ out: return retval; } +/* + * Parse the supported encryption type information + */ +static int +parse_enctypes(char *enctypes) +{ + int n = 0; + char *curr, *comma; + int i; + + /* Just in case this ever gets called more than once */ + if (krb5_enctypes != NULL) { + free(krb5_enctypes); + krb5_enctypes = NULL; + num_krb5_enctypes = 0; + } + + /* count the number of commas */ + for (curr = enctypes; curr && *curr != '\0'; curr = ++comma) { + comma = strchr(curr, ','); + if (comma != NULL) + n++; + else + break; + } + /* If no more commas and we're not at the end, there's one more value */ + if (*curr != '\0') + n++; + + /* Empty string, return an error */ + if (n == 0) + return ENOENT; + + /* Allocate space for enctypes array */ + if ((krb5_enctypes = (int *) calloc(n, sizeof(int))) == NULL) { + return ENOMEM; + } + + /* Now parse each value into the array */ + for (curr = enctypes, i = 0; curr && *curr != '\0'; curr = ++comma) { + krb5_enctypes[i++] = atoi(curr); + comma = strchr(curr, ','); + if (comma == NULL) + break; + } + + num_krb5_enctypes = n; + return 0; +} + /*==========================*/ /*=== External routines ===*/ /*==========================*/ @@ -892,7 +898,7 @@ out: * void */ void -gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername) +gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername, char *dirname) { char buf[MAX_NETOBJ_SZ]; struct dirent *d; @@ -900,14 +906,13 @@ gssd_setup_krb5_user_gss_ccache(uid_t ui printerr(2, "getting credentials for client with uid %u for " "server %s\n", uid, servername); memset(buf, 0, sizeof(buf)); - if (gssd_find_existing_krb5_ccache(uid, &d)) { - snprintf(buf, sizeof(buf), "FILE:%s/%s", - ccachedir, d->d_name); + if (gssd_find_existing_krb5_ccache(uid, dirname, &d)) { + snprintf(buf, sizeof(buf), "FILE:%s/%s", dirname, d->d_name); free(d); } else snprintf(buf, sizeof(buf), "FILE:%s/%s%u", - ccachedir, GSSD_DEFAULT_CRED_PREFIX, uid); + dirname, GSSD_DEFAULT_CRED_PREFIX, uid); printerr(2, "using %s as credentials cache for client with " "uid %u for server %s\n", buf, uid, servername); gssd_set_krb5_ccache_name(buf); @@ -1129,3 +1134,133 @@ gssd_k5_err_msg(krb5_context context, kr return error_message(code); #endif } + +#ifdef HAVE_SET_ALLOWABLE_ENCTYPES +/* + * this routine obtains a credentials handle via gss_acquire_cred() + * then calls gss_krb5_set_allowable_enctypes() to limit the encryption + * types negotiated. + * + * XXX Should call some function to determine the enctypes supported + * by the kernel. (Only need to do that once!) + * + * Returns: + * 0 => all went well + * -1 => there was an error + */ + +int +limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid) +{ + u_int maj_stat, min_stat; + gss_cred_id_t credh; + gss_OID_set_desc desired_mechs; + krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC, + ENCTYPE_DES_CBC_MD5, + ENCTYPE_DES_CBC_MD4 }; + int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]); + + /* We only care about getting a krb5 cred */ + desired_mechs.count = 1; + desired_mechs.elements = &krb5oid; + + maj_stat = gss_acquire_cred(&min_stat, NULL, 0, + &desired_mechs, GSS_C_INITIATE, + &credh, NULL, NULL); + + if (maj_stat != GSS_S_COMPLETE) { + if (get_verbosity() > 0) + pgsserr("gss_acquire_cred", + maj_stat, min_stat, &krb5oid); + return -1; + } + + /* + * If we failed for any reason to produce global + * list of supported enctypes, use local default here. + */ + if (krb5_enctypes == NULL) + maj_stat = gss_set_allowable_enctypes(&min_stat, credh, + &krb5oid, num_enctypes, &enctypes); + else + maj_stat = gss_set_allowable_enctypes(&min_stat, credh, + &krb5oid, num_krb5_enctypes, + krb5_enctypes); + if (maj_stat != GSS_S_COMPLETE) { + pgsserr("gss_set_allowable_enctypes", + maj_stat, min_stat, &krb5oid); + gss_release_cred(&min_stat, &credh); + return -1; + } + sec->cred = credh; + + return 0; +} +#endif /* HAVE_SET_ALLOWABLE_ENCTYPES */ + +/* + * Obtain supported enctypes from kernel. + * Set defaults if info is not available. + */ +void +gssd_obtain_kernel_krb5_info(void) +{ + char enctype_file_name[128]; + char buf[1024]; + char enctypes[128]; + int nscanned; + int fd; + int use_default_enctypes = 0; + int nbytes, numfields; + char default_enctypes[] = "1,3,2"; + int code; + + snprintf(enctype_file_name, sizeof(enctype_file_name), + "%s/%s", pipefs_dir, "krb5_info"); + + if ((fd = open(enctype_file_name, O_RDONLY)) == -1) { + printerr(1, "WARNING: gssd_obtain_kernel_krb5_info: " + "Unable to open '%s'. Unable to determine " + "Kerberos encryption types supported by the " + "kernel; using defaults (%s).\n", + enctype_file_name, default_enctypes); + use_default_enctypes = 1; + goto do_the_parse; + } + memset(buf, 0, sizeof(buf)); + if ((nbytes = read(fd, buf, sizeof(buf)-1)) == -1) { + printerr(0, "WARNING: gssd_obtain_kernel_krb5_info: " + "Error reading Kerberos encryption type " + "information file '%s'; using defaults (%s).\n", + enctype_file_name, default_enctypes); + use_default_enctypes = 1; + close(fd); + goto do_the_parse; + } + close(fd); + numfields = sscanf(buf, "enctypes: %s\n%n", enctypes, &nscanned); + if (numfields < 1) { + printerr(0, "WARNING: gssd_obtain_kernel_krb5_info: " + "error parsing Kerberos encryption type " + "information from file '%s'; using defaults (%s).\n", + enctype_file_name, default_enctypes); + use_default_enctypes = 1; + goto do_the_parse; + } + if (nbytes > nscanned) { + printerr(2, "gssd_obtain_kernel_krb5_info: " + "Ignoring extra information, '%s', from '%s'\n", + buf+nscanned, enctype_file_name); + goto do_the_parse; + } + do_the_parse: + if (use_default_enctypes) + strcpy(enctypes, default_enctypes); + + if ((code = parse_enctypes(enctypes)) != 0) { + printerr(0, "ERROR: gssd_obtain_kernel_krb5_info: " + "parse_enctypes%s failed with code %d\n", + use_default_enctypes ? " (with default enctypes)" : "", + code); + } +} diff -puN utils/gssd/err_util.c~CITI_NFS4_ALL utils/gssd/err_util.c --- nfs-utils-1.1.2/utils/gssd/err_util.c~CITI_NFS4_ALL 2008-04-30 14:49:16.478848000 -0400 +++ nfs-utils-1.1.2-kwc/utils/gssd/err_util.c 2008-04-30 14:49:16.616849000 -0400 @@ -60,3 +60,8 @@ void printerr(int priority, char *format xlog_backend(L_ERROR, format, args); va_end(args); } + +int get_verbosity(void) +{ + return verbosity; +} diff -puN utils/gssd/err_util.h~CITI_NFS4_ALL utils/gssd/err_util.h --- nfs-utils-1.1.2/utils/gssd/err_util.h~CITI_NFS4_ALL 2008-04-30 14:49:16.574848000 -0400 +++ nfs-utils-1.1.2-kwc/utils/gssd/err_util.h 2008-04-30 14:49:16.633848000 -0400 @@ -33,5 +33,6 @@ void initerr(char *progname, int verbosity, int fg); void printerr(int priority, char *format, ...); +int get_verbosity(void); #endif /* _ERR_UTIL_H_ */ diff -puN utils/gssd/gssd.c~CITI_NFS4_ALL utils/gssd/gssd.c --- nfs-utils-1.1.2/utils/gssd/gssd.c~CITI_NFS4_ALL 2008-04-30 14:49:16.799812000 -0400 +++ nfs-utils-1.1.2-kwc/utils/gssd/gssd.c 2008-04-30 14:49:17.507397000 -0400 @@ -57,6 +57,7 @@ char pipefs_dir[PATH_MAX] = GSSD_PIPEFS_ char pipefs_nfsdir[PATH_MAX] = GSSD_PIPEFS_DIR; char keytabfile[PATH_MAX] = GSSD_DEFAULT_KEYTAB_FILE; char ccachedir[PATH_MAX] = GSSD_DEFAULT_CRED_DIR; +char *ccachesearch[GSSD_MAX_CCACHE_SEARCH + 1]; int use_memcache = 0; int root_uses_machine_creds = 1; @@ -93,9 +94,11 @@ main(int argc, char *argv[]) int verbosity = 0; int rpc_verbosity = 0; int opt; + int i; extern char *optarg; char *progname; + memset(ccachesearch, 0, sizeof(ccachesearch)); while ((opt = getopt(argc, argv, "fvrmnMp:k:d:")) != -1) { switch (opt) { case 'f': @@ -136,6 +139,13 @@ main(int argc, char *argv[]) break; } } + + i = 0; + ccachesearch[i++] = strtok(ccachedir, ":"); + do { + ccachesearch[i++] = strtok(NULL, ":"); + } while (ccachesearch[i-1] != NULL && i < GSSD_MAX_CCACHE_SEARCH); + snprintf(pipefs_nfsdir, sizeof(pipefs_nfsdir), "%s/%s", pipefs_dir, GSSD_SERVICE_NAME); if (pipefs_nfsdir[sizeof(pipefs_nfsdir)-1] != '\0') @@ -165,6 +175,9 @@ main(int argc, char *argv[]) signal(SIGTERM, sig_die); signal(SIGHUP, sig_hup); + /* Determine Kerberos information from the kernel */ + gssd_obtain_kernel_krb5_info(); + gssd_run(); printerr(0, "gssd_run returned!\n"); abort(); diff -puN utils/gssd/gssd.man~CITI_NFS4_ALL utils/gssd/gssd.man --- nfs-utils-1.1.2/utils/gssd/gssd.man~CITI_NFS4_ALL 2008-04-30 14:49:16.899712000 -0400 +++ nfs-utils-1.1.2-kwc/utils/gssd/gssd.man 2008-04-30 14:49:17.121490000 -0400 @@ -74,7 +74,11 @@ where to look for the rpc_pipefs filesys .B -d directory Tells .B rpc.gssd -where to look for kerberos credential files. The default value is "/tmp". +where to look for Kerberos credential files. The default value is "/tmp". +This can also be a colon separated list of directories to be searched +for Kerberos credential files. Note that if machine credentials are being +stored in files, then the first directory on this list is where the +machine credentials are stored. .TP .B -v Increases the verbosity of the output (can be specified multiple times). diff -puN utils/gssd/krb5_util.h~CITI_NFS4_ALL utils/gssd/krb5_util.h --- nfs-utils-1.1.2/utils/gssd/krb5_util.h~CITI_NFS4_ALL 2008-04-30 14:49:17.008603000 -0400 +++ nfs-utils-1.1.2-kwc/utils/gssd/krb5_util.h 2008-04-30 14:49:17.589397000 -0400 @@ -17,7 +17,8 @@ struct gssd_k5_kt_princ { }; -void gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername); +void gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername, + char *dirname); int gssd_get_krb5_machine_cred_list(char ***list); void gssd_free_krb5_machine_cred_list(char **list); void gssd_setup_krb5_machine_gss_ccache(char *servername); @@ -26,6 +27,8 @@ int gssd_refresh_krb5_machine_credentia struct gssd_k5_kt_princ *ple); const char * gssd_k5_err_msg(krb5_context context, krb5_error_code code); +void gssd_obtain_kernel_krb5_info(void); + #ifdef HAVE_SET_ALLOWABLE_ENCTYPES int limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid); diff -puN utils/gssd/context.h~CITI_NFS4_ALL utils/gssd/context.h --- nfs-utils-1.1.2/utils/gssd/context.h~CITI_NFS4_ALL 2008-04-30 14:49:17.768393000 -0400 +++ nfs-utils-1.1.2-kwc/utils/gssd/context.h 2008-04-30 14:49:18.056105000 -0400 @@ -1,5 +1,5 @@ /* - Copyright (c) 2004 The Regents of the University of Michigan. + Copyright (c) 2004,2008 The Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms, with or without @@ -36,6 +36,10 @@ /* Hopefully big enough to hold any serialized context */ #define MAX_CTX_LEN 4096 +/* New context format flag values */ +#define KRB5_CTX_FLAG_INITIATOR 0x00000001 +#define KRB5_CTX_FLAG_CFX 0x00000002 +#define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004 int serialize_context_for_kernel(gss_ctx_id_t ctx, gss_buffer_desc *buf, gss_OID mech); diff -puN utils/gssd/context_lucid.c~CITI_NFS4_ALL utils/gssd/context_lucid.c --- nfs-utils-1.1.2/utils/gssd/context_lucid.c~CITI_NFS4_ALL 2008-04-30 14:49:17.907254000 -0400 +++ nfs-utils-1.1.2-kwc/utils/gssd/context_lucid.c 2008-04-30 14:49:18.075086000 -0400 @@ -40,6 +40,7 @@ #include #include #include +#include #include "gss_util.h" #include "gss_oids.h" #include "err_util.h" @@ -113,15 +114,13 @@ prepare_krb5_rfc1964_buffer(gss_krb5_luc * Note that the rfc1964 version only supports DES enctypes. */ if (lctx->rfc1964_kd.ctx_key.type != 4) { - printerr(1, "prepare_krb5_rfc1964_buffer: " - "overriding heimdal keytype (%d => %d)\n", - lctx->rfc1964_kd.ctx_key.type, 4); + printerr(2, "%s: overriding heimdal keytype (%d => %d)\n", + __FUNCTION__, lctx->rfc1964_kd.ctx_key.type, 4); lctx->rfc1964_kd.ctx_key.type = 4; } #endif - printerr(2, "prepare_krb5_rfc1964_buffer: serializing keys with " - "enctype %d and length %d\n", - lctx->rfc1964_kd.ctx_key.type, + printerr(2, "%s: serializing keys with enctype %d and length %d\n", + __FUNCTION__, lctx->rfc1964_kd.ctx_key.type, lctx->rfc1964_kd.ctx_key.length); /* derive the encryption key and copy it into buffer */ @@ -152,15 +151,102 @@ out_err: return -1; } +/* Flags for version 2 context flags */ +#define KRB5_CTX_FLAG_INITIATOR 0x00000001 +#define KRB5_CTX_FLAG_CFX 0x00000002 +#define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004 + +/* + * Prepare a new-style buffer, as defined in rfc4121 (a.k.a. cfx), + * to send to the kernel for newer encryption types -- or for DES3. + * + * The new format is: + * + * u32 flags; + * #define KRB5_CTX_FLAG_INITIATOR 0x00000001 + * #define KRB5_CTX_FLAG_CFX 0x00000002 + * #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004 + * s32 endtime; + * u64 seq_send; + * u32 enctype; ( encrption type of key ) + * raw key; ( raw key bytes (kernel will derive)) + * + */ static int -prepare_krb5_rfc_cfx_buffer(gss_krb5_lucid_context_v1_t *lctx, - gss_buffer_desc *buf) +prepare_krb5_rfc4121_buffer(gss_krb5_lucid_context_v1_t *lctx, + gss_buffer_desc *buf) { - printerr(0, "ERROR: prepare_krb5_rfc_cfx_buffer: not implemented\n"); - return -1; -} + char *p, *end; + uint32_t v2_flags = 0; + uint32_t enctype; + uint32_t keysize; + if (!(buf->value = calloc(1, MAX_CTX_LEN))) + goto out_err; + p = buf->value; + end = buf->value + MAX_CTX_LEN; + /* Version 2 */ + if (lctx->initiate) + v2_flags |= KRB5_CTX_FLAG_INITIATOR; + if (lctx->protocol != 0) + v2_flags |= KRB5_CTX_FLAG_CFX; + if (lctx->protocol != 0 && lctx->cfx_kd.have_acceptor_subkey == 1) + v2_flags |= KRB5_CTX_FLAG_ACCEPTOR_SUBKEY; + + if (WRITE_BYTES(&p, end, v2_flags)) goto out_err; + if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err; + if (WRITE_BYTES(&p, end, lctx->send_seq)) goto out_err; + + /* Protocol 0 here implies DES3 or RC4 */ + printerr(2, "%s: protocol %d\n", __FUNCTION__, lctx->protocol); + if (lctx->protocol == 0) { + enctype = lctx->rfc1964_kd.ctx_key.type; + keysize = lctx->rfc1964_kd.ctx_key.length; + } else { + if (lctx->cfx_kd.have_acceptor_subkey) { + enctype = lctx->cfx_kd.acceptor_subkey.type; + keysize = lctx->cfx_kd.acceptor_subkey.length; + } else { + enctype = lctx->cfx_kd.ctx_key.type; + keysize = lctx->cfx_kd.ctx_key.length; + } + } + printerr(2, "%s: serializing key with enctype %d and size %d\n", + __FUNCTION__, enctype, keysize); + + if (WRITE_BYTES(&p, end, enctype)) goto out_err; + + if (lctx->protocol == 0) { + if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data, + lctx->rfc1964_kd.ctx_key.length)) + goto out_err; + } else { + if (lctx->cfx_kd.have_acceptor_subkey) { + if (write_bytes(&p, end, + lctx->cfx_kd.acceptor_subkey.data, + lctx->cfx_kd.acceptor_subkey.length)) + goto out_err; + } else { + if (write_bytes(&p, end, lctx->cfx_kd.ctx_key.data, + lctx->cfx_kd.ctx_key.length)) + goto out_err; + } + } + + buf->length = p - (char *)buf->value; + return 0; + +out_err: + printerr(0, "ERROR: %s: failed serializing krb5 context for kernel\n", + __FUNCTION__); + if (buf->value) { + free(buf->value); + buf->value = NULL; + } + buf->length = 0; + return -1; +} int serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf) { @@ -170,7 +256,7 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss gss_krb5_lucid_context_v1_t *lctx = 0; int retcode = 0; - printerr(2, "DEBUG: serialize_krb5_ctx: lucid version!\n"); + printerr(2, "DEBUG: %s: lucid version!\n", __FUNCTION__); maj_stat = gss_export_lucid_sec_context(&min_stat, &ctx, 1, &return_ctx); if (maj_stat != GSS_S_COMPLETE) { @@ -192,11 +278,20 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss break; } - /* Now lctx points to a lucid context that we can send down to kernel */ - if (lctx->protocol == 0) + /* + * Now lctx points to a lucid context that we can send down to kernel + * + * Note: we send down different information to the kernel depending + * on the protocol version and the enctyption type. + * For protocol version 0 with all enctypes besides DES3, we use + * the original format. For protocol version != 0 or DES3, we + * send down the new style information. + */ + + if (lctx->protocol == 0 && lctx->rfc1964_kd.ctx_key.type <= 4) retcode = prepare_krb5_rfc1964_buffer(lctx, buf); else - retcode = prepare_krb5_rfc_cfx_buffer(lctx, buf); + retcode = prepare_krb5_rfc4121_buffer(lctx, buf); maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx); if (maj_stat != GSS_S_COMPLETE) { @@ -206,8 +301,8 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss } if (retcode) { - printerr(1, "serialize_krb5_ctx: prepare_krb5_*_buffer " - "failed (retcode = %d)\n", retcode); + printerr(1, "%s: prepare_krb5_*_buffer failed (retcode = %d)\n", + __FUNCTION__, retcode); goto out_err; } @@ -217,4 +312,7 @@ out_err: printerr(0, "ERROR: failed serializing krb5 context for kernel\n"); return -1; } + + + #endif /* HAVE_LUCID_CONTEXT_SUPPORT */ diff -puN utils/gssd/context_mit.c~CITI_NFS4_ALL utils/gssd/context_mit.c --- nfs-utils-1.1.2/utils/gssd/context_mit.c~CITI_NFS4_ALL 2008-04-30 14:49:18.021140000 -0400 +++ nfs-utils-1.1.2-kwc/utils/gssd/context_mit.c 2008-04-30 14:49:18.097064000 -0400 @@ -1,5 +1,5 @@ /* - Copyright (c) 2004 The Regents of the University of Michigan. + Copyright (c) 2004-2006 The Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms, with or without @@ -36,6 +36,7 @@ #include #include #include +#include #include #include #include @@ -50,8 +51,7 @@ /* XXX argggg, there's gotta be a better way than just duplicating this * whole struct. Unfortunately, this is in a "private" header file, * so this is our best choice at this point :-/ - * - * XXX Does this match the Heimdal definition? */ + */ typedef struct _krb5_gss_ctx_id_rec { unsigned int initiate : 1; /* nonzero if initiating, zero if accepting */ @@ -154,48 +154,120 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss { krb5_gss_ctx_id_t kctx = ((gss_union_ctx_id_t)ctx)->internal_ctx_id; char *p, *end; - static int constant_one = 1; static int constant_zero = 0; + static int constant_one = 1; + static int constant_two = 2; uint32_t word_seq_send; + u_int64_t seq_send_64bit; + uint32_t v2_flags = 0; if (!(buf->value = calloc(1, MAX_CTX_LEN))) goto out_err; p = buf->value; end = buf->value + MAX_CTX_LEN; - if (kctx->initiate) { - if (WRITE_BYTES(&p, end, constant_one)) goto out_err; - } - else { - if (WRITE_BYTES(&p, end, constant_zero)) goto out_err; - } - if (kctx->seed_init) { - if (WRITE_BYTES(&p, end, constant_one)) goto out_err; - } - else { - if (WRITE_BYTES(&p, end, constant_zero)) goto out_err; - } - if (write_bytes(&p, end, &kctx->seed, sizeof(kctx->seed))) + switch (kctx->enc->enctype) { + case ENCTYPE_DES_CBC_CRC: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_DES_CBC_RAW: + /* Old format of context to the kernel */ + if (kctx->initiate) { + if (WRITE_BYTES(&p, end, constant_one)) goto out_err; + } + else { + if (WRITE_BYTES(&p, end, constant_zero)) goto out_err; + } + if (kctx->seed_init) { + if (WRITE_BYTES(&p, end, constant_one)) goto out_err; + } + else { + if (WRITE_BYTES(&p, end, constant_zero)) goto out_err; + } + if (write_bytes(&p, end, &kctx->seed, sizeof(kctx->seed))) + goto out_err; + if (WRITE_BYTES(&p, end, kctx->signalg)) goto out_err; + if (WRITE_BYTES(&p, end, kctx->sealalg)) goto out_err; + if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err; + word_seq_send = kctx->seq_send; + if (WRITE_BYTES(&p, end, word_seq_send)) goto out_err; + if (write_oid(&p, end, kctx->mech_used)) goto out_err; + + printerr(2, "serialize_krb5_ctx: serializing keys with " + "enctype %d and length %d\n", + kctx->enc->enctype, kctx->enc->length); + + if (write_keyblock(&p, end, kctx->enc)) goto out_err; + if (write_keyblock(&p, end, kctx->seq)) goto out_err; + break; + case ENCTYPE_DES3_CBC_RAW: + case ENCTYPE_DES3_CBC_SHA1: + case ENCTYPE_ARCFOUR_HMAC: + case ENCTYPE_ARCFOUR_HMAC_EXP: + case ENCTYPE_AES128_CTS_HMAC_SHA1_96: + case ENCTYPE_AES256_CTS_HMAC_SHA1_96: + /* New format of context to the kernel */ + /* u32 flags; + * #define KRB5_CTX_FLAG_INITIATOR 0x00000001 + * #define KRB5_CTX_FLAG_CFX 0x00000002 + * #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004 + * s32 endtime; + * u64 seq_send; + * u32 enctype; + * rawkey data + */ + + if (kctx->initiate) + v2_flags |= KRB5_CTX_FLAG_INITIATOR; + if (kctx->proto == 1) + v2_flags |= KRB5_CTX_FLAG_CFX; + if (kctx->have_acceptor_subkey) + v2_flags |= KRB5_CTX_FLAG_ACCEPTOR_SUBKEY; + if (WRITE_BYTES(&p, end, v2_flags)) goto out_err; + if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err; + + seq_send_64bit = kctx->seq_send; + if (WRITE_BYTES(&p, end, seq_send_64bit)) goto out_err; + + if (kctx->have_acceptor_subkey) { + if (WRITE_BYTES(&p, end, kctx->acceptor_subkey->enctype)) + goto out_err; + printerr(2, "serialize_krb5_ctx: serializing subkey " + "with enctype %d and size %d\n", + kctx->acceptor_subkey->enctype, + kctx->acceptor_subkey->length); + + if (write_bytes(&p, end, + kctx->acceptor_subkey->contents, + kctx->acceptor_subkey->length)) + goto out_err; + } else { + if (WRITE_BYTES(&p, end, kctx->enc->enctype)) + goto out_err; + printerr(2, "serialize_krb5_ctx: serializing key " + "with enctype %d and size %d\n", + kctx->enc->enctype, kctx->enc->length); + + if (write_bytes(&p, end, kctx->enc->contents, + kctx->enc->length)) + goto out_err; + } + break; + default: + printerr(0, "ERROR: serialize_krb5_ctx: unsupported encryption " + "algorithm %d\n", kctx->enc->enctype); goto out_err; - if (WRITE_BYTES(&p, end, kctx->signalg)) goto out_err; - if (WRITE_BYTES(&p, end, kctx->sealalg)) goto out_err; - if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err; - word_seq_send = kctx->seq_send; - if (WRITE_BYTES(&p, end, word_seq_send)) goto out_err; - if (write_oid(&p, end, kctx->mech_used)) goto out_err; - - printerr(2, "serialize_krb5_ctx: serializing keys with " - "enctype %d and length %d\n", - kctx->enc->enctype, kctx->enc->length); - - if (write_keyblock(&p, end, kctx->enc)) goto out_err; - if (write_keyblock(&p, end, kctx->seq)) goto out_err; + } buf->length = p - (char *)buf->value; return 0; + out_err: printerr(0, "ERROR: failed serializing krb5 context for kernel\n"); - if (buf->value) free(buf->value); + if (buf->value) { + free(buf->value); + } + buf->value = NULL; buf->length = 0; return -1; } _