[packages/nfs-utils.git] / nfs-utils-CITI_NFS4.patch



The complete set of CITI nfs-utils patches rolled into one patch.

Changes since 1.1.1-CITI_NFS4_ALL-1:

 * Update to nfs-utils-1.1.2

 * Patch from Olga Kornievskaia to read port number from the info
   file to support non-standard ports.

 * Patch to include the "other" DES encryption types when negotiating
   a context.

 * Patch originally from Vince Busam <vbusam@google.com> to support looking
   in multiple directories for credential caches to use when creating
   a context.

 * A TEMPORARY patch to read a krb5_info file to determine which
   encryption types the kernel gss_krb5 code supports.

 * A patch to send down a new context format for encryption types
   other than DES.

---

 utils/gssd/context.h       |    6 -
 utils/gssd/context_lucid.c |  132 +++++++++++++++++++---
 utils/gssd/context_mit.c   |  134 +++++++++++++++++-----
 utils/gssd/err_util.c      |    5 
 utils/gssd/err_util.h      |    1 
 utils/gssd/gssd.c          |   13 ++
 utils/gssd/gssd.h          |    4 
 utils/gssd/gssd.man        |    6 -
 utils/gssd/gssd_proc.c     |   25 +++-
 utils/gssd/krb5_util.c     |  263 ++++++++++++++++++++++++++++++++++-----------
 utils/gssd/krb5_util.h     |    5 
 11 files changed, 473 insertions(+), 121 deletions(-)

diff -puN utils/gssd/gssd.h~CITI_NFS4_ALL utils/gssd/gssd.h
--- nfs-utils-1.1.2/utils/gssd/gssd.h~CITI_NFS4_ALL	2008-04-30 14:49:15.862200000 -0400
+++ nfs-utils-1.1.2-kwc/utils/gssd/gssd.h	2008-04-30 14:49:17.073538000 -0400
@@ -50,6 +50,7 @@
 #define GSSD_DEFAULT_KEYTAB_FILE		"/etc/krb5.keytab"
 #define GSSD_SERVICE_NAME			"nfs"
 #define GSSD_SERVICE_NAME_LEN			3
+#define GSSD_MAX_CCACHE_SEARCH			16
 
 /*
  * The gss mechanisms that we can handle
@@ -61,7 +62,7 @@ enum {AUTHTYPE_KRB5, AUTHTYPE_SPKM3, AUT
 extern char			pipefs_dir[PATH_MAX];
 extern char			pipefs_nfsdir[PATH_MAX];
 extern char			keytabfile[PATH_MAX];
-extern char			ccachedir[PATH_MAX];
+extern char			*ccachesearch[];
 extern int			use_memcache;
 extern int			root_uses_machine_creds;
 
@@ -80,6 +81,7 @@ struct clnt_info {
 	int			krb5_poll_index;
 	int			spkm3_fd;
 	int			spkm3_poll_index;
+	int			port;
 };
 
 void init_client_list(void);
diff -puN utils/gssd/gssd_proc.c~CITI_NFS4_ALL utils/gssd/gssd_proc.c
--- nfs-utils-1.1.2/utils/gssd/gssd_proc.c~CITI_NFS4_ALL	2008-04-30 14:49:15.986076000 -0400
+++ nfs-utils-1.1.2-kwc/utils/gssd/gssd_proc.c	2008-04-30 14:49:17.167444000 -0400
@@ -102,7 +102,7 @@ int pollsize;  /* the size of pollaray (
 /* XXX buffer problems: */
 static int
 read_service_info(char *info_file_name, char **servicename, char **servername,
-		  int *prog, int *vers, char **protocol) {
+		  int *prog, int *vers, char **protocol, int *port) {
 #define INFOBUFLEN 256
 	char		buf[INFOBUFLEN];
 	static char	dummy[128];
@@ -112,6 +112,8 @@ read_service_info(char *info_file_name, 
 	char		program[16];
 	char		version[16];
 	char		protoname[16];
+	char		cb_port[128];
+	char		*p;
 	in_addr_t	inaddr;
 	int		fd = -1;
 	struct hostent	*ent = NULL;
@@ -143,6 +145,10 @@ read_service_info(char *info_file_name, 
 		goto fail;
 	}
 
+	cb_port[0] = '\0';
+	if ((p = strstr(buf, "port")) != NULL)
+		sscanf(p, "port: %127s\n", cb_port);
+
 	/* check service, program, and version */
 	if(memcmp(service, "nfs", 3)) return -1;
 	*prog = atoi(program + 1); /* skip open paren */
@@ -163,6 +169,8 @@ read_service_info(char *info_file_name, 
 	if (!(*servicename = calloc(strlen(buf) + 1, 1)))
 		goto fail;
 	memcpy(*servicename, buf, strlen(buf));
+	if (cb_port[0] != '\0')
+		*port = atoi(cb_port);
 
 	if (!(*protocol = strdup(protoname)))
 		goto fail;
@@ -238,7 +246,7 @@ process_clnt_dir_files(struct clnt_info 
 	if ((clp->servicename == NULL) &&
 	     read_service_info(info_file_name, &clp->servicename,
 				&clp->servername, &clp->prog, &clp->vers,
-				&clp->protocol))
+				&clp->protocol, &clp->port))
 		return -1;
 	return 0;
 }
@@ -587,6 +595,8 @@ int create_auth_rpc_client(struct clnt_i
 			 clp->servername, uid);
 		goto out_fail;
 	}
+	if (clp->port)
+		((struct sockaddr_in *)a->ai_addr)->sin_port = htons(clp->port);
 	if (a->ai_protocol == IPPROTO_TCP) {
 		if ((rpc_clnt = clnttcp_create(
 					(struct sockaddr_in *) a->ai_addr,
@@ -675,6 +685,7 @@ handle_krb5_upcall(struct clnt_info *clp
 	gss_buffer_desc		token;
 	char			**credlist = NULL;
 	char			**ccname;
+	char			**dirname;
 	int			create_resp = -1;
 
 	printerr(1, "handling krb5 upcall\n");
@@ -691,10 +702,14 @@ handle_krb5_upcall(struct clnt_info *clp
 
 	if (uid != 0 || (uid == 0 && root_uses_machine_creds == 0)) {
 		/* Tell krb5 gss which credentials cache to use */
-		gssd_setup_krb5_user_gss_ccache(uid, clp->servername);
+		for (dirname = ccachesearch; *dirname != NULL; dirname++) {
+			gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname);
 
-		create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid,
-						     AUTHTYPE_KRB5);
+			create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid,
+							     AUTHTYPE_KRB5);
+			if (create_resp == 0)
+				break;
+		}
 	}
 	if (create_resp != 0) {
 		if (uid == 0 && root_uses_machine_creds == 1) {
diff -puN utils/gssd/krb5_util.c~CITI_NFS4_ALL utils/gssd/krb5_util.c
--- nfs-utils-1.1.2/utils/gssd/krb5_util.c~CITI_NFS4_ALL	2008-04-30 14:49:16.274848000 -0400
+++ nfs-utils-1.1.2-kwc/utils/gssd/krb5_util.c	2008-04-30 14:49:17.571397000 -0400
@@ -97,6 +97,7 @@
 #include "config.h"
 #include <sys/param.h>
 #include <rpc/rpc.h>
+#include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/socket.h>
 #include <arpa/inet.h>
@@ -108,6 +109,7 @@
 #include <dirent.h>
 #include <netdb.h>
 #include <ctype.h>
+#include <fcntl.h>
 #include <errno.h>
 #include <time.h>
 #include <gssapi/gssapi.h>
@@ -126,12 +128,17 @@
 /* Global list of principals/cache file names for machine credentials */
 struct gssd_k5_kt_princ *gssd_k5_kt_princ_list = NULL;
 
+/* Encryption types supported by the kernel rpcsec_gss code */
+int num_krb5_enctypes = 0;
+krb5_enctype *krb5_enctypes = NULL;
+
 /*==========================*/
 /*===  Internal routines ===*/
 /*==========================*/
 
 static int select_krb5_ccache(const struct dirent *d);
-static int gssd_find_existing_krb5_ccache(uid_t uid, struct dirent **d);
+static int gssd_find_existing_krb5_ccache(uid_t uid, char *dirname,
+		struct dirent **d);
 static int gssd_get_single_krb5_cred(krb5_context context,
 		krb5_keytab kt, struct gssd_k5_kt_princ *ple);
 
@@ -159,7 +166,7 @@ select_krb5_ccache(const struct dirent *
 }
 
 /*
- * Look in the ccachedir for files that look like they
+ * Look in directory "dirname" for files that look like they
  * are Kerberos Credential Cache files for a given UID.  Return
  * non-zero and the dirent pointer for the entry most likely to be
  * what we want. Otherwise, return zero and no dirent pointer.
@@ -170,7 +177,7 @@ select_krb5_ccache(const struct dirent *
  *	1 => found an existing entry
  */
 static int
-gssd_find_existing_krb5_ccache(uid_t uid, struct dirent **d)
+gssd_find_existing_krb5_ccache(uid_t uid, char *dirname, struct dirent **d)
 {
 	struct dirent **namelist;
 	int n;
@@ -181,9 +188,10 @@ gssd_find_existing_krb5_ccache(uid_t uid
 
 	memset(&best_match_stat, 0, sizeof(best_match_stat));
 	*d = NULL;
-	n = scandir(ccachedir, &namelist, select_krb5_ccache, 0);
+	n = scandir(dirname, &namelist, select_krb5_ccache, 0);
 	if (n < 0) {
-		perror("scandir looking for krb5 credentials caches");
+		printerr(1, "Error doing scandir on directory '%s': %s\n",
+			dirname, strerror(errno));
 	}
 	else if (n > 0) {
 		char statname[1024];
@@ -191,7 +199,7 @@ gssd_find_existing_krb5_ccache(uid_t uid
 			printerr(3, "CC file '%s' being considered\n",
 				 namelist[i]->d_name);
 			snprintf(statname, sizeof(statname),
-				 "%s/%s", ccachedir, namelist[i]->d_name);
+				 "%s/%s", dirname, namelist[i]->d_name);
 			if (lstat(statname, &tmp_stat)) {
 				printerr(0, "Error doing stat on file '%s'\n",
 					 statname);
@@ -256,58 +264,6 @@ gssd_find_existing_krb5_ccache(uid_t uid
 	return found;
 }
 
-
-#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
-/*
- * this routine obtains a credentials handle via gss_acquire_cred()
- * then calls gss_krb5_set_allowable_enctypes() to limit the encryption
- * types negotiated.
- *
- * XXX Should call some function to determine the enctypes supported
- * by the kernel. (Only need to do that once!)
- *
- * Returns:
- *	0 => all went well
- *     -1 => there was an error
- */
-
-int
-limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
-{
-	u_int maj_stat, min_stat;
-	gss_cred_id_t credh;
-	gss_OID_set_desc  desired_mechs;
-	krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC };
-	int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
-
-	/* We only care about getting a krb5 cred */
-	desired_mechs.count = 1;
-	desired_mechs.elements = &krb5oid;
-
-	maj_stat = gss_acquire_cred(&min_stat, NULL, 0,
-				    &desired_mechs, GSS_C_INITIATE,
-				    &credh, NULL, NULL);
-
-	if (maj_stat != GSS_S_COMPLETE) {
-		pgsserr("gss_acquire_cred",
-			maj_stat, min_stat, &krb5oid);
-		return -1;
-	}
-
-	maj_stat = gss_set_allowable_enctypes(&min_stat, credh, &krb5oid,
-					     num_enctypes, &enctypes);
-	if (maj_stat != GSS_S_COMPLETE) {
-		pgsserr("gss_set_allowable_enctypes",
-			maj_stat, min_stat, &krb5oid);
-		gss_release_cred(&min_stat, &credh);
-		return -1;
-	}
-	sec->cred = credh;
-
-	return 0;
-}
-#endif	/* HAVE_SET_ALLOWABLE_ENCTYPES */
-
 /*
  * Obtain credentials via a key in the keytab given
  * a keytab handle and a gssd_k5_kt_princ structure.
@@ -404,7 +360,7 @@ gssd_get_single_krb5_cred(krb5_context c
 	    cache_type = "FILE";
 	snprintf(cc_name, sizeof(cc_name), "%s:%s/%s%s_%s",
 		cache_type,
-		ccachedir, GSSD_DEFAULT_CRED_PREFIX,
+		ccachesearch[0], GSSD_DEFAULT_CRED_PREFIX,
 		GSSD_DEFAULT_MACHINE_CRED_SUFFIX, ple->realm);
 	ple->endtime = my_creds.times.endtime;
 	if (ple->ccname != NULL)
@@ -879,6 +835,56 @@ out:
 	return retval;
 }
 
+/*
+ * Parse the supported encryption type information
+ */
+static int
+parse_enctypes(char *enctypes)
+{
+	int n = 0;
+	char *curr, *comma;
+	int i;
+
+	/* Just in case this ever gets called more than once */
+	if (krb5_enctypes != NULL) {
+		free(krb5_enctypes);
+		krb5_enctypes = NULL;
+		num_krb5_enctypes = 0;
+	}
+
+	/* count the number of commas */
+	for (curr = enctypes; curr && *curr != '\0'; curr = ++comma) {
+		comma = strchr(curr, ',');
+		if (comma != NULL)
+			n++;
+		else
+			break;
+	}
+	/* If no more commas and we're not at the end, there's one more value */
+	if (*curr != '\0')
+		n++;
+
+	/* Empty string, return an error */
+	if (n == 0)
+		return ENOENT;
+
+	/* Allocate space for enctypes array */
+	if ((krb5_enctypes = (int *) calloc(n, sizeof(int))) == NULL) {
+		return ENOMEM;
+	}
+
+	/* Now parse each value into the array */
+	for (curr = enctypes, i = 0; curr && *curr != '\0'; curr = ++comma) {
+		krb5_enctypes[i++] = atoi(curr);
+		comma = strchr(curr, ',');
+		if (comma == NULL)
+			break;
+	}
+
+	num_krb5_enctypes = n;
+	return 0;
+}
+
 /*==========================*/
 /*===  External routines ===*/
 /*==========================*/
@@ -892,7 +898,7 @@ out:
  *	void
  */
 void
-gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername)
+gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername, char *dirname)
 {
 	char			buf[MAX_NETOBJ_SZ];
 	struct dirent		*d;
@@ -900,14 +906,13 @@ gssd_setup_krb5_user_gss_ccache(uid_t ui
 	printerr(2, "getting credentials for client with uid %u for "
 		    "server %s\n", uid, servername);
 	memset(buf, 0, sizeof(buf));
-	if (gssd_find_existing_krb5_ccache(uid, &d)) {
-		snprintf(buf, sizeof(buf), "FILE:%s/%s",
-			ccachedir, d->d_name);
+	if (gssd_find_existing_krb5_ccache(uid, dirname, &d)) {
+		snprintf(buf, sizeof(buf), "FILE:%s/%s", dirname, d->d_name);
 		free(d);
 	}
 	else
 		snprintf(buf, sizeof(buf), "FILE:%s/%s%u",
-			ccachedir, GSSD_DEFAULT_CRED_PREFIX, uid);
+			dirname, GSSD_DEFAULT_CRED_PREFIX, uid);
 	printerr(2, "using %s as credentials cache for client with "
 		    "uid %u for server %s\n", buf, uid, servername);
 	gssd_set_krb5_ccache_name(buf);
@@ -1129,3 +1134,133 @@ gssd_k5_err_msg(krb5_context context, kr
 		return error_message(code);
 #endif
 }
+
+#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+/*
+ * this routine obtains a credentials handle via gss_acquire_cred()
+ * then calls gss_krb5_set_allowable_enctypes() to limit the encryption
+ * types negotiated.
+ *
+ * XXX Should call some function to determine the enctypes supported
+ * by the kernel. (Only need to do that once!)
+ *
+ * Returns:
+ *	0 => all went well
+ *     -1 => there was an error
+ */
+
+int
+limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
+{
+	u_int maj_stat, min_stat;
+	gss_cred_id_t credh;
+	gss_OID_set_desc  desired_mechs;
+	krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC,
+				    ENCTYPE_DES_CBC_MD5,
+				    ENCTYPE_DES_CBC_MD4 };
+	int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
+
+	/* We only care about getting a krb5 cred */
+	desired_mechs.count = 1;
+	desired_mechs.elements = &krb5oid;
+
+	maj_stat = gss_acquire_cred(&min_stat, NULL, 0,
+				    &desired_mechs, GSS_C_INITIATE,
+				    &credh, NULL, NULL);
+
+	if (maj_stat != GSS_S_COMPLETE) {
+		if (get_verbosity() > 0)
+			pgsserr("gss_acquire_cred",
+				maj_stat, min_stat, &krb5oid);
+		return -1;
+	}
+
+	/*
+	 * If we failed for any reason to produce global
+	 * list of supported enctypes, use local default here.
+	 */
+	if (krb5_enctypes == NULL)
+		maj_stat = gss_set_allowable_enctypes(&min_stat, credh,
+					&krb5oid, num_enctypes, &enctypes);
+	else
+		maj_stat = gss_set_allowable_enctypes(&min_stat, credh,
+					&krb5oid, num_krb5_enctypes,
+					krb5_enctypes);
+	if (maj_stat != GSS_S_COMPLETE) {
+		pgsserr("gss_set_allowable_enctypes",
+			maj_stat, min_stat, &krb5oid);
+		gss_release_cred(&min_stat, &credh);
+		return -1;
+	}
+	sec->cred = credh;
+
+	return 0;
+}
+#endif	/* HAVE_SET_ALLOWABLE_ENCTYPES */
+
+/*
+ * Obtain supported enctypes from kernel.
+ * Set defaults if info is not available.
+ */
+void
+gssd_obtain_kernel_krb5_info(void)
+{
+	char enctype_file_name[128];
+	char buf[1024];
+	char enctypes[128];
+	int nscanned;
+	int fd;
+	int use_default_enctypes = 0;
+	int nbytes, numfields;
+	char default_enctypes[] = "1,3,2";
+	int code;
+
+	snprintf(enctype_file_name, sizeof(enctype_file_name),
+		 "%s/%s", pipefs_dir, "krb5_info");
+
+	if ((fd = open(enctype_file_name, O_RDONLY)) == -1) {
+		printerr(1, "WARNING: gssd_obtain_kernel_krb5_info: "
+			 "Unable to open '%s'. Unable to determine "
+			 "Kerberos encryption types supported by the "
+			 "kernel; using defaults (%s).\n",
+			 enctype_file_name, default_enctypes);
+		use_default_enctypes = 1;
+		goto do_the_parse;
+	}
+	memset(buf, 0, sizeof(buf));
+	if ((nbytes = read(fd, buf, sizeof(buf)-1)) == -1) {
+		printerr(0, "WARNING: gssd_obtain_kernel_krb5_info: "
+			 "Error reading Kerberos encryption type "
+			 "information file '%s'; using defaults (%s).\n",
+			 enctype_file_name, default_enctypes);
+		use_default_enctypes = 1;
+		close(fd);
+		goto do_the_parse;
+	}
+	close(fd);
+	numfields = sscanf(buf, "enctypes: %s\n%n", enctypes, &nscanned);
+	if (numfields < 1) {
+		printerr(0, "WARNING: gssd_obtain_kernel_krb5_info: "
+			 "error parsing Kerberos encryption type "
+			 "information from file '%s'; using defaults (%s).\n",
+			 enctype_file_name, default_enctypes);
+		use_default_enctypes = 1;
+		goto do_the_parse;
+	}
+	if (nbytes > nscanned) {
+		printerr(2, "gssd_obtain_kernel_krb5_info: "
+			 "Ignoring extra information, '%s', from '%s'\n",
+			 buf+nscanned, enctype_file_name);
+		goto do_the_parse;
+	}
+  do_the_parse:
+	if (use_default_enctypes)
+		strcpy(enctypes, default_enctypes);
+
+	if ((code = parse_enctypes(enctypes)) != 0) {
+		printerr(0, "ERROR: gssd_obtain_kernel_krb5_info: "
+			 "parse_enctypes%s failed with code %d\n",
+			 use_default_enctypes ? " (with default enctypes)" : "",
+			 code);
+	}
+}
diff -puN utils/gssd/err_util.c~CITI_NFS4_ALL utils/gssd/err_util.c
--- nfs-utils-1.1.2/utils/gssd/err_util.c~CITI_NFS4_ALL	2008-04-30 14:49:16.478848000 -0400
+++ nfs-utils-1.1.2-kwc/utils/gssd/err_util.c	2008-04-30 14:49:16.616849000 -0400
@@ -60,3 +60,8 @@ void printerr(int priority, char *format
 		xlog_backend(L_ERROR, format, args);
 	va_end(args);
 }
+
+int get_verbosity(void)
+{
+	return verbosity;
+}
diff -puN utils/gssd/err_util.h~CITI_NFS4_ALL utils/gssd/err_util.h
--- nfs-utils-1.1.2/utils/gssd/err_util.h~CITI_NFS4_ALL	2008-04-30 14:49:16.574848000 -0400
+++ nfs-utils-1.1.2-kwc/utils/gssd/err_util.h	2008-04-30 14:49:16.633848000 -0400
@@ -33,5 +33,6 @@
 
 void initerr(char *progname, int verbosity, int fg);
 void printerr(int priority, char *format, ...);
+int get_verbosity(void);
 
 #endif /* _ERR_UTIL_H_ */
diff -puN utils/gssd/gssd.c~CITI_NFS4_ALL utils/gssd/gssd.c
--- nfs-utils-1.1.2/utils/gssd/gssd.c~CITI_NFS4_ALL	2008-04-30 14:49:16.799812000 -0400
+++ nfs-utils-1.1.2-kwc/utils/gssd/gssd.c	2008-04-30 14:49:17.507397000 -0400
@@ -57,6 +57,7 @@ char pipefs_dir[PATH_MAX] = GSSD_PIPEFS_
 char pipefs_nfsdir[PATH_MAX] = GSSD_PIPEFS_DIR;
 char keytabfile[PATH_MAX] = GSSD_DEFAULT_KEYTAB_FILE;
 char ccachedir[PATH_MAX] = GSSD_DEFAULT_CRED_DIR;
+char *ccachesearch[GSSD_MAX_CCACHE_SEARCH + 1];
 int  use_memcache = 0;
 int  root_uses_machine_creds = 1;
 
@@ -93,9 +94,11 @@ main(int argc, char *argv[])
 	int verbosity = 0;
 	int rpc_verbosity = 0;
 	int opt;
+	int i;
 	extern char *optarg;
 	char *progname;
 
+	memset(ccachesearch, 0, sizeof(ccachesearch));
 	while ((opt = getopt(argc, argv, "fvrmnMp:k:d:")) != -1) {
 		switch (opt) {
 			case 'f':
@@ -136,6 +139,13 @@ main(int argc, char *argv[])
 				break;
 		}
 	}
+
+	i = 0;
+	ccachesearch[i++] = strtok(ccachedir, ":");
+	do {
+		ccachesearch[i++] = strtok(NULL, ":");
+	} while (ccachesearch[i-1] != NULL && i < GSSD_MAX_CCACHE_SEARCH);
+
 	snprintf(pipefs_nfsdir, sizeof(pipefs_nfsdir), "%s/%s",
 		 pipefs_dir, GSSD_SERVICE_NAME);
 	if (pipefs_nfsdir[sizeof(pipefs_nfsdir)-1] != '\0')
@@ -165,6 +175,9 @@ main(int argc, char *argv[])
 	signal(SIGTERM, sig_die);
 	signal(SIGHUP, sig_hup);
 
+	/* Determine Kerberos information from the kernel */
+	gssd_obtain_kernel_krb5_info();
+
 	gssd_run();
 	printerr(0, "gssd_run returned!\n");
 	abort();
diff -puN utils/gssd/gssd.man~CITI_NFS4_ALL utils/gssd/gssd.man
--- nfs-utils-1.1.2/utils/gssd/gssd.man~CITI_NFS4_ALL	2008-04-30 14:49:16.899712000 -0400
+++ nfs-utils-1.1.2-kwc/utils/gssd/gssd.man	2008-04-30 14:49:17.121490000 -0400
@@ -74,7 +74,11 @@ where to look for the rpc_pipefs filesys
 .B -d directory
 Tells
 .B rpc.gssd
-where to look for kerberos credential files.  The default value is "/tmp".
+where to look for Kerberos credential files.  The default value is "/tmp".
+This can also be a colon separated list of directories to be searched
+for Kerberos credential files.  Note that if machine credentials are being
+stored in files, then the first directory on this list is where the
+machine credentials are stored.
 .TP
 .B -v
 Increases the verbosity of the output (can be specified multiple times).
diff -puN utils/gssd/krb5_util.h~CITI_NFS4_ALL utils/gssd/krb5_util.h
--- nfs-utils-1.1.2/utils/gssd/krb5_util.h~CITI_NFS4_ALL	2008-04-30 14:49:17.008603000 -0400
+++ nfs-utils-1.1.2-kwc/utils/gssd/krb5_util.h	2008-04-30 14:49:17.589397000 -0400
@@ -17,7 +17,8 @@ struct gssd_k5_kt_princ {
 };
 
 
-void gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername);
+void gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername,
+				     char *dirname);
 int  gssd_get_krb5_machine_cred_list(char ***list);
 void gssd_free_krb5_machine_cred_list(char **list);
 void gssd_setup_krb5_machine_gss_ccache(char *servername);
@@ -26,6 +27,8 @@ int  gssd_refresh_krb5_machine_credentia
 					  struct gssd_k5_kt_princ *ple);
 const char *
 gssd_k5_err_msg(krb5_context context, krb5_error_code code);
+void gssd_obtain_kernel_krb5_info(void);
+
 
 #ifdef HAVE_SET_ALLOWABLE_ENCTYPES
 int limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid);
diff -puN utils/gssd/context.h~CITI_NFS4_ALL utils/gssd/context.h
--- nfs-utils-1.1.2/utils/gssd/context.h~CITI_NFS4_ALL	2008-04-30 14:49:17.768393000 -0400
+++ nfs-utils-1.1.2-kwc/utils/gssd/context.h	2008-04-30 14:49:18.056105000 -0400
@@ -1,5 +1,5 @@
 /*
-  Copyright (c) 2004 The Regents of the University of Michigan.
+  Copyright (c) 2004,2008 The Regents of the University of Michigan.
   All rights reserved.
 
   Redistribution and use in source and binary forms, with or without
@@ -36,6 +36,10 @@
 /* Hopefully big enough to hold any serialized context */
 #define MAX_CTX_LEN 4096
 
+/* New context format flag values */
+#define KRB5_CTX_FLAG_INITIATOR         0x00000001
+#define KRB5_CTX_FLAG_CFX               0x00000002
+#define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY   0x00000004
 
 int serialize_context_for_kernel(gss_ctx_id_t ctx, gss_buffer_desc *buf,
 				 gss_OID mech);
diff -puN utils/gssd/context_lucid.c~CITI_NFS4_ALL utils/gssd/context_lucid.c
--- nfs-utils-1.1.2/utils/gssd/context_lucid.c~CITI_NFS4_ALL	2008-04-30 14:49:17.907254000 -0400
+++ nfs-utils-1.1.2-kwc/utils/gssd/context_lucid.c	2008-04-30 14:49:18.075086000 -0400
@@ -40,6 +40,7 @@
 #include <stdio.h>
 #include <syslog.h>
 #include <string.h>
+#include <errno.h>
 #include "gss_util.h"
 #include "gss_oids.h"
 #include "err_util.h"
@@ -113,15 +114,13 @@ prepare_krb5_rfc1964_buffer(gss_krb5_luc
 	 * Note that the rfc1964 version only supports DES enctypes.
 	 */
 	if (lctx->rfc1964_kd.ctx_key.type != 4) {
-		printerr(1, "prepare_krb5_rfc1964_buffer: "
-			    "overriding heimdal keytype (%d => %d)\n",
-			    lctx->rfc1964_kd.ctx_key.type, 4);
+		printerr(2, "%s: overriding heimdal keytype (%d => %d)\n",
+			 __FUNCTION__, lctx->rfc1964_kd.ctx_key.type, 4);
 		lctx->rfc1964_kd.ctx_key.type = 4;
 	}
 #endif
-	printerr(2, "prepare_krb5_rfc1964_buffer: serializing keys with "
-		 "enctype %d and length %d\n",
-		 lctx->rfc1964_kd.ctx_key.type,
+	printerr(2, "%s: serializing keys with enctype %d and length %d\n",
+		 __FUNCTION__, lctx->rfc1964_kd.ctx_key.type,
 		 lctx->rfc1964_kd.ctx_key.length);
 
 	/* derive the encryption key and copy it into buffer */
@@ -152,15 +151,102 @@ out_err:
 	return -1;
 }
 
+/* Flags for version 2 context flags */
+#define KRB5_CTX_FLAG_INITIATOR		0x00000001
+#define KRB5_CTX_FLAG_CFX		0x00000002
+#define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY	0x00000004
+
+/*
+ * Prepare a new-style buffer, as defined in rfc4121 (a.k.a. cfx),
+ * to send to the kernel for newer encryption types -- or for DES3.
+ *
+ * The new format is:
+ *
+ *	u32 flags;
+ *	#define KRB5_CTX_FLAG_INITIATOR		0x00000001
+ *	#define KRB5_CTX_FLAG_CFX		0x00000002
+ *	#define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY	0x00000004
+ *	s32 endtime;
+ *	u64 seq_send;
+ *	u32  enctype;			( encrption type of key )
+ *	raw key;			( raw key bytes (kernel will derive))
+ *
+ */
 static int
-prepare_krb5_rfc_cfx_buffer(gss_krb5_lucid_context_v1_t *lctx,
-	gss_buffer_desc *buf)
+prepare_krb5_rfc4121_buffer(gss_krb5_lucid_context_v1_t *lctx,
+			    gss_buffer_desc *buf)
 {
-	printerr(0, "ERROR: prepare_krb5_rfc_cfx_buffer: not implemented\n");
-	return -1;
-}
+	char *p, *end;
+	uint32_t v2_flags = 0;
+	uint32_t enctype;
+	uint32_t keysize;
 
+	if (!(buf->value = calloc(1, MAX_CTX_LEN)))
+		goto out_err;
+	p = buf->value;
+	end = buf->value + MAX_CTX_LEN;
 
+	/* Version 2 */
+	if (lctx->initiate)
+		v2_flags |= KRB5_CTX_FLAG_INITIATOR;
+	if (lctx->protocol != 0)
+		v2_flags |= KRB5_CTX_FLAG_CFX;
+	if (lctx->protocol != 0 && lctx->cfx_kd.have_acceptor_subkey == 1)
+		v2_flags |= KRB5_CTX_FLAG_ACCEPTOR_SUBKEY;
+
+	if (WRITE_BYTES(&p, end, v2_flags)) goto out_err;
+	if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
+	if (WRITE_BYTES(&p, end, lctx->send_seq)) goto out_err;
+
+	/* Protocol 0 here implies DES3 or RC4 */
+	printerr(2, "%s: protocol %d\n", __FUNCTION__, lctx->protocol);
+	if (lctx->protocol == 0) {
+		enctype = lctx->rfc1964_kd.ctx_key.type;
+		keysize = lctx->rfc1964_kd.ctx_key.length;
+	} else {
+		if (lctx->cfx_kd.have_acceptor_subkey) {
+			enctype = lctx->cfx_kd.acceptor_subkey.type;
+			keysize = lctx->cfx_kd.acceptor_subkey.length;
+		} else {
+			enctype = lctx->cfx_kd.ctx_key.type;
+			keysize = lctx->cfx_kd.ctx_key.length;
+		}
+	}
+	printerr(2, "%s: serializing key with enctype %d and size %d\n",
+		 __FUNCTION__, enctype, keysize);
+
+	if (WRITE_BYTES(&p, end, enctype)) goto out_err;
+
+	if (lctx->protocol == 0) {
+		if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
+				lctx->rfc1964_kd.ctx_key.length))
+			goto out_err;
+	} else {
+		if (lctx->cfx_kd.have_acceptor_subkey) {
+			if (write_bytes(&p, end,
+					lctx->cfx_kd.acceptor_subkey.data,
+					lctx->cfx_kd.acceptor_subkey.length))
+				goto out_err;
+		} else {
+			if (write_bytes(&p, end, lctx->cfx_kd.ctx_key.data,
+					lctx->cfx_kd.ctx_key.length))
+				goto out_err;
+		}
+	}
+
+	buf->length = p - (char *)buf->value;
+	return 0;
+
+out_err:
+	printerr(0, "ERROR: %s: failed serializing krb5 context for kernel\n",
+		 __FUNCTION__);
+	if (buf->value) {
+		free(buf->value);
+		buf->value = NULL;
+	}
+	buf->length = 0;
+	return -1;
+}
 int
 serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf)
 {
@@ -170,7 +256,7 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss
 	gss_krb5_lucid_context_v1_t *lctx = 0;
 	int retcode = 0;
 
-	printerr(2, "DEBUG: serialize_krb5_ctx: lucid version!\n");
+	printerr(2, "DEBUG: %s: lucid version!\n", __FUNCTION__);
 	maj_stat = gss_export_lucid_sec_context(&min_stat, &ctx,
 						1, &return_ctx);
 	if (maj_stat != GSS_S_COMPLETE) {
@@ -192,11 +278,20 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss
 		break;
 	}
 
-	/* Now lctx points to a lucid context that we can send down to kernel */
-	if (lctx->protocol == 0)
+        /*
+	 * Now lctx points to a lucid context that we can send down to kernel
+	 *
+	 * Note: we send down different information to the kernel depending
+	 * on the protocol version and the enctyption type.
+	 * For protocol version 0 with all enctypes besides DES3, we use
+	 * the original format.  For protocol version != 0 or DES3, we
+	 * send down the new style information.
+	 */
+
+	if (lctx->protocol == 0 && lctx->rfc1964_kd.ctx_key.type <= 4)
 		retcode = prepare_krb5_rfc1964_buffer(lctx, buf);
 	else
-		retcode = prepare_krb5_rfc_cfx_buffer(lctx, buf);
+		retcode = prepare_krb5_rfc4121_buffer(lctx, buf);
 
 	maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx);
 	if (maj_stat != GSS_S_COMPLETE) {
@@ -206,8 +301,8 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss
 	}
 
 	if (retcode) {
-		printerr(1, "serialize_krb5_ctx: prepare_krb5_*_buffer "
-			 "failed (retcode = %d)\n", retcode);
+		printerr(1, "%s: prepare_krb5_*_buffer failed (retcode = %d)\n",
+			 __FUNCTION__, retcode);
 		goto out_err;
 	}
 
@@ -217,4 +312,7 @@ out_err:
 	printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
 	return -1;
 }
+
+
+
 #endif /* HAVE_LUCID_CONTEXT_SUPPORT */
diff -puN utils/gssd/context_mit.c~CITI_NFS4_ALL utils/gssd/context_mit.c
--- nfs-utils-1.1.2/utils/gssd/context_mit.c~CITI_NFS4_ALL	2008-04-30 14:49:18.021140000 -0400
+++ nfs-utils-1.1.2-kwc/utils/gssd/context_mit.c	2008-04-30 14:49:18.097064000 -0400
@@ -1,5 +1,5 @@
 /*
-  Copyright (c) 2004 The Regents of the University of Michigan.
+  Copyright (c) 2004-2006 The Regents of the University of Michigan.
   All rights reserved.
 
   Redistribution and use in source and binary forms, with or without
@@ -36,6 +36,7 @@
 #include <stdio.h>
 #include <syslog.h>
 #include <string.h>
+#include <errno.h>
 #include <gssapi/gssapi.h>
 #include <rpc/rpc.h>
 #include <rpc/auth_gss.h>
@@ -50,8 +51,7 @@
 /* XXX argggg, there's gotta be a better way than just duplicating this
  * whole struct.  Unfortunately, this is in a "private" header file,
  * so this is our best choice at this point :-/
- *
- * XXX Does this match the Heimdal definition?  */
+ */
 
 typedef struct _krb5_gss_ctx_id_rec {
    unsigned int initiate : 1;   /* nonzero if initiating, zero if accepting */
@@ -154,48 +154,120 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss
 {
 	krb5_gss_ctx_id_t kctx = ((gss_union_ctx_id_t)ctx)->internal_ctx_id;
 	char *p, *end;
-	static int constant_one = 1;
 	static int constant_zero = 0;
+	static int constant_one = 1;
+	static int constant_two = 2;
 	uint32_t word_seq_send;
+	u_int64_t seq_send_64bit;
+	uint32_t v2_flags = 0;
 
 	if (!(buf->value = calloc(1, MAX_CTX_LEN)))
 		goto out_err;
 	p = buf->value;
 	end = buf->value + MAX_CTX_LEN;
 
-	if (kctx->initiate) {
-		if (WRITE_BYTES(&p, end, constant_one)) goto out_err;
-	}
-	else {
-		if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
-	}
-	if (kctx->seed_init) {
-		if (WRITE_BYTES(&p, end, constant_one)) goto out_err;
-	}
-	else {
-		if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
-	}
-	if (write_bytes(&p, end, &kctx->seed, sizeof(kctx->seed)))
+	switch (kctx->enc->enctype) {
+	case ENCTYPE_DES_CBC_CRC:
+	case ENCTYPE_DES_CBC_MD4:
+	case ENCTYPE_DES_CBC_MD5:
+	case ENCTYPE_DES_CBC_RAW:
+		/* Old format of context to the kernel */
+		if (kctx->initiate) {
+			if (WRITE_BYTES(&p, end, constant_one)) goto out_err;
+		}
+		else {
+			if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
+		}
+		if (kctx->seed_init) {
+			if (WRITE_BYTES(&p, end, constant_one)) goto out_err;
+		}
+		else {
+			if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
+		}
+		if (write_bytes(&p, end, &kctx->seed, sizeof(kctx->seed)))
+			goto out_err;
+		if (WRITE_BYTES(&p, end, kctx->signalg)) goto out_err;
+		if (WRITE_BYTES(&p, end, kctx->sealalg)) goto out_err;
+		if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err;
+		word_seq_send = kctx->seq_send;
+		if (WRITE_BYTES(&p, end, word_seq_send)) goto out_err;
+		if (write_oid(&p, end, kctx->mech_used)) goto out_err;
+
+		printerr(2, "serialize_krb5_ctx: serializing keys with "
+			 "enctype %d and length %d\n",
+			 kctx->enc->enctype, kctx->enc->length);
+
+		if (write_keyblock(&p, end, kctx->enc)) goto out_err;
+		if (write_keyblock(&p, end, kctx->seq)) goto out_err;
+		break;
+	case ENCTYPE_DES3_CBC_RAW:
+	case ENCTYPE_DES3_CBC_SHA1:
+	case ENCTYPE_ARCFOUR_HMAC:
+	case ENCTYPE_ARCFOUR_HMAC_EXP:
+	case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
+	case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
+		/* New format of context to the kernel */
+		/* u32 flags;
+		 * #define KRB5_CTX_FLAG_INITIATOR        0x00000001
+		 * #define KRB5_CTX_FLAG_CFX              0x00000002
+		 * #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY  0x00000004
+		 * s32 endtime;
+		 * u64 seq_send;
+		 * u32  enctype;
+		 * rawkey data
+		 */
+
+		if (kctx->initiate)
+			v2_flags |= KRB5_CTX_FLAG_INITIATOR;
+		if (kctx->proto == 1)
+			v2_flags |= KRB5_CTX_FLAG_CFX;
+		if (kctx->have_acceptor_subkey)
+			v2_flags |= KRB5_CTX_FLAG_ACCEPTOR_SUBKEY;
+		if (WRITE_BYTES(&p, end, v2_flags)) goto out_err;
+		if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err;
+
+		seq_send_64bit = kctx->seq_send;
+		if (WRITE_BYTES(&p, end, seq_send_64bit)) goto out_err;
+
+		if (kctx->have_acceptor_subkey) {
+			if (WRITE_BYTES(&p, end, kctx->acceptor_subkey->enctype))
+				goto out_err;
+			printerr(2, "serialize_krb5_ctx: serializing subkey "
+				 "with enctype %d and size %d\n",
+				 kctx->acceptor_subkey->enctype,
+				 kctx->acceptor_subkey->length);
+
+			if (write_bytes(&p, end,
+					kctx->acceptor_subkey->contents,
+					kctx->acceptor_subkey->length))
+				goto out_err;
+		} else {
+			if (WRITE_BYTES(&p, end, kctx->enc->enctype))
+				goto out_err;
+			printerr(2, "serialize_krb5_ctx: serializing key "
+				 "with enctype %d and size %d\n",
+				 kctx->enc->enctype, kctx->enc->length);
+
+			if (write_bytes(&p, end, kctx->enc->contents,
+					kctx->enc->length))
+				goto out_err;
+		}
+		break;
+	default:
+		printerr(0, "ERROR: serialize_krb5_ctx: unsupported encryption "
+			 "algorithm %d\n", kctx->enc->enctype);
 		goto out_err;
-	if (WRITE_BYTES(&p, end, kctx->signalg)) goto out_err;
-	if (WRITE_BYTES(&p, end, kctx->sealalg)) goto out_err;
-	if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err;
-	word_seq_send = kctx->seq_send;
-	if (WRITE_BYTES(&p, end, word_seq_send)) goto out_err;
-	if (write_oid(&p, end, kctx->mech_used)) goto out_err;
-
-	printerr(2, "serialize_krb5_ctx: serializing keys with "
-		 "enctype %d and length %d\n",
-		 kctx->enc->enctype, kctx->enc->length);
-
-	if (write_keyblock(&p, end, kctx->enc)) goto out_err;
-	if (write_keyblock(&p, end, kctx->seq)) goto out_err;
+	}
 
 	buf->length = p - (char *)buf->value;
 	return 0;
+
 out_err:
 	printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
-	if (buf->value) free(buf->value);
+	if (buf->value) {
+		free(buf->value);
+	}
+	buf->value = NULL;
 	buf->length = 0;
 	return -1;
 }
_