Imported Upstream version 1.2.4

[nfs-utils.git] / utils / gssd / svcgssd_proc.c

diff --git a/utils/gssd/svcgssd_proc.c b/utils/gssd/svcgssd_proc.c
index 794c2f42ec9bbf1cbc92b8e42356dae874ab2977..c714d99dd654aaff3b3369bebcbc0df0946284dd 100644 (file)
--- a/utils/gssd/svcgssd_proc.c
+++ b/utils/gssd/svcgssd_proc.c
@@ -33,6 +33,10 @@
 
 */
 
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif /* HAVE_CONFIG_H */
+
 #include <sys/param.h>
 #include <sys/stat.h>
 #include <rpc/rpc.h>
@@ -46,11 +50,15 @@
 #include <errno.h>
 #include <nfsidmap.h>
 #include <nfslib.h>
+#include <time.h>
 
 #include "svcgssd.h"
 #include "gss_util.h"
 #include "err_util.h"
 #include "context.h"
+#include "misc.h"
+#include "gss_oids.h"
+#include "svcgssd_krb5.h"
 
 extern char * mech2file(gss_OID mech);
 #define SVCGSSD_CONTEXT_CHANNEL "/proc/net/rpc/auth.rpcsec.context/channel"
@@ -64,10 +72,12 @@ struct svc_cred {
        int     cr_ngroups;
        gid_t   cr_groups[NGROUPS];
 };
+static char vbuf[RPC_CHAN_BUF_SIZE];
 
 static int
 do_svc_downcall(gss_buffer_desc *out_handle, struct svc_cred *cred,
-               gss_OID mech, gss_buffer_desc *context_token)
+               gss_OID mech, gss_buffer_desc *context_token,
+               int32_t endtime, char *client_name)
 {
        FILE *f;
        int i;
@@ -84,15 +94,19 @@ do_svc_downcall(gss_buffer_desc *out_handle, struct svc_cred *cred,
                             SVCGSSD_CONTEXT_CHANNEL, strerror(errno));
                goto out_err;
        }
+       setvbuf(f, vbuf, _IOLBF, RPC_CHAN_BUF_SIZE);
        qword_printhex(f, out_handle->value, out_handle->length);
        /* XXX are types OK for the rest of this? */
-       qword_printint(f, 0x7fffffff); /*XXX need a better timeout */
+       /* For context cache, use the actual context endtime */
+       qword_printint(f, endtime);
        qword_printint(f, cred->cr_uid);
        qword_printint(f, cred->cr_gid);
        qword_printint(f, cred->cr_ngroups);
-       printerr(2, "mech: %s, hndl len: %d, ctx len %d, timeout: %d, "
-                "uid: %d, gid: %d, num aux grps: %d:\n",
-                fname, out_handle->length, context_token->length, 0x7fffffff,
+       printerr(2, "mech: %s, hndl len: %d, ctx len %d, timeout: %d (%d from now), "
+                "clnt: %s, uid: %d, gid: %d, num aux grps: %d:\n",
+                fname, out_handle->length, context_token->length,
+                endtime, endtime - time(0),
+                client_name ? client_name : "<null>",
                 cred->cr_uid, cred->cr_gid, cred->cr_ngroups);
        for (i=0; i < cred->cr_ngroups; i++) {
                qword_printint(f, cred->cr_groups[i]);
@@ -100,11 +114,17 @@ do_svc_downcall(gss_buffer_desc *out_handle, struct svc_cred *cred,
        }
        qword_print(f, fname);
        qword_printhex(f, context_token->value, context_token->length);
+       if (client_name)
+               qword_print(f, client_name);
        err = qword_eol(f);
+       if (err) {
+               printerr(1, "WARNING: error writing to downcall channel "
+                        "%s: %s\n", SVCGSSD_CONTEXT_CHANNEL, strerror(errno));
+       }
        fclose(f);
        return err;
 out_err:
-       printerr(0, "WARNING: downcall failed\n");
+       printerr(1, "WARNING: downcall failed\n");
        return -1;
 }
 
@@ -116,7 +136,7 @@ struct gss_verifier {
 #define RPCSEC_GSS_SEQ_WIN     5
 
 static int
-send_response(FILE *f, gss_buffer_desc *in_handle, gss_buffer_desc *in_token,
+send_response(gss_buffer_desc *in_handle, gss_buffer_desc *in_token,
              u_int32_t maj_stat, u_int32_t min_stat,
              gss_buffer_desc *out_handle, gss_buffer_desc *out_token)
 {
@@ -130,7 +150,8 @@ send_response(FILE *f, gss_buffer_desc *in_handle, gss_buffer_desc *in_token,
 
        qword_addhex(&bp, &blen, in_handle->value, in_handle->length);
        qword_addhex(&bp, &blen, in_token->value, in_token->length);
-       qword_addint(&bp, &blen, 0x7fffffff); /*XXX need a better timeout */
+       /* For init cache, only needed for a short time */
+       qword_addint(&bp, &blen, time(0) + 60);
        qword_adduint(&bp, &blen, maj_stat);
        qword_adduint(&bp, &blen, min_stat);
        qword_addhex(&bp, &blen, out_handle->value, out_handle->length);
@@ -224,7 +245,7 @@ get_ids(gss_name_t client_name, gss_OID mech, struct svc_cred *cred)
                        "file for name '%s'\n", sname);
                goto out_free;
        }
-       nfs4_init_name_mapping(NULL); /* XXX: should only do this once */
+
        res = nfs4_gss_princ_to_ids(secname, sname, &uid, &gid);
        if (res < 0) {
                /*
@@ -242,7 +263,7 @@ get_ids(gss_name_t client_name, gss_OID mech, struct svc_cred *cred)
                        res = 0;
                        goto out_free;
                }
-               printerr(0, "WARNING: get_ids: failed to map name '%s' "
+               printerr(1, "WARNING: get_ids: failed to map name '%s' "
                        "to uid/gid: %s\n", sname, strerror(-res));
                goto out_free;
        }
@@ -294,6 +315,75 @@ print_hexl(const char *description, unsigned char *cp, int length)
 }
 #endif
 
+static int
+get_krb5_hostbased_name (gss_buffer_desc *name, char **hostbased_name)
+{
+       char *p, *sname = NULL;
+       if (strchr(name->value, '@') && strchr(name->value, '/')) {
+               if ((sname = calloc(name->length, 1)) == NULL) {
+                       printerr(0, "ERROR: get_krb5_hostbased_name failed "
+                                "to allocate %d bytes\n", name->length);
+                       return -1;
+               }
+               /* read in name and instance and replace '/' with '@' */
+               sscanf(name->value, "%[^@]", sname);
+               p = strrchr(sname, '/');
+               if (p == NULL) {    /* The '@' preceeded the '/' */
+                       free(sname);
+                       return -1;
+               }
+               *p = '@';
+       }
+       *hostbased_name = sname;
+       return 0;
+}
+
+static int
+get_hostbased_client_name(gss_name_t client_name, gss_OID mech,
+                         char **hostbased_name)
+{
+       u_int32_t       maj_stat, min_stat;
+       gss_buffer_desc name;
+       gss_OID         name_type = GSS_C_NO_OID;
+       char            *cname;
+       int             res = -1;
+
+       *hostbased_name = NULL;     /* preset in case we fail */
+
+       /* Get the client's gss authenticated name */
+       maj_stat = gss_display_name(&min_stat, client_name, &name, &name_type);
+       if (maj_stat != GSS_S_COMPLETE) {
+               pgsserr("get_hostbased_client_name: gss_display_name",
+                       maj_stat, min_stat, mech);
+               goto out_err;
+       }
+       if (name.length >= 0xffff) {        /* don't overflow */
+               printerr(0, "ERROR: get_hostbased_client_name: "
+                        "received gss_name is too long (%d bytes)\n",
+                        name.length);
+               goto out_rel_buf;
+       }
+
+       /* For Kerberos, transform the NT_KRB5_PRINCIPAL name to
+        * an NT_HOSTBASED_SERVICE name */
+       if (g_OID_equal(&krb5oid, mech)) {
+               if (get_krb5_hostbased_name(&name, &cname) == 0)
+                       *hostbased_name = cname;
+       }
+
+       /* No support for SPKM3, just print a warning (for now) */
+       if (g_OID_equal(&spkm3oid, mech)) {
+               printerr(1, "WARNING: get_hostbased_client_name: "
+                        "no hostbased_name support for SPKM3\n");
+       }
+
+       res = 0;
+out_rel_buf:
+       gss_release_buffer(&min_stat, &name);
+out_err:
+       return res;
+}
+
 void
 handle_nullreq(FILE *f) {
        /* XXX initialize to a random integer to reduce chances of unnecessary
@@ -312,7 +402,7 @@ handle_nullreq(FILE *f) {
                                null_token = {.value = NULL};
        u_int32_t               ret_flags;
        gss_ctx_id_t            ctx = GSS_C_NO_CONTEXT;
-       gss_name_t              client_name;
+       gss_name_t              client_name = NULL;
        gss_OID                 mech = GSS_C_NO_OID;
        u_int32_t               maj_stat = GSS_S_FAILURE, min_stat = 0;
        u_int32_t               ignore_min_stat;
@@ -320,6 +410,8 @@ handle_nullreq(FILE *f) {
        static char             *lbuf = NULL;
        static int              lbuflen = 0;
        static char             *cp;
+       int32_t                 ctx_endtime;
+       char                    *hostbased_name = NULL;
 
        printerr(1, "handling null request\n");
 
@@ -343,12 +435,6 @@ handle_nullreq(FILE *f) {
        print_hexl("in_tok", in_tok.value, in_tok.length);
 #endif
 
-       if (in_tok.length < 0) {
-               printerr(0, "WARNING: handle_nullreq: "
-                           "failed parsing request\n");
-               goto out_err;
-       }
-
        if (in_handle.length != 0) { /* CONTINUE_INIT case */
                if (in_handle.length != sizeof(ctx)) {
                        printerr(0, "WARNING: handle_nullreq: "
@@ -361,6 +447,10 @@ handle_nullreq(FILE *f) {
                memcpy(&ctx, in_handle.value, in_handle.length);
        }
 
+       if (svcgssd_limit_krb5_enctypes()) {
+               goto out_err;
+       }
+
        maj_stat = gss_accept_sec_context(&min_stat, &ctx, gssd_creds,
                        &in_tok, GSS_C_NO_CHANNEL_BINDINGS, &client_name,
                        &mech, &out_tok, &ret_flags, NULL, NULL);
@@ -374,7 +464,7 @@ handle_nullreq(FILE *f) {
                goto continue_needed;
        }
        else if (maj_stat != GSS_S_COMPLETE) {
-               printerr(0, "WARNING: gss_accept_sec_context failed\n");
+               printerr(1, "WARNING: gss_accept_sec_context failed\n");
                pgsserr("handle_nullreq: gss_accept_sec_context",
                        maj_stat, min_stat, mech);
                goto out_err;
@@ -382,11 +472,13 @@ handle_nullreq(FILE *f) {
        if (get_ids(client_name, mech, &cred)) {
                /* get_ids() prints error msg */
                maj_stat = GSS_S_BAD_NAME; /* XXX ? */
-               gss_release_name(&ignore_min_stat, &client_name);
                goto out_err;
        }
-       gss_release_name(&ignore_min_stat, &client_name);
-
+       if (get_hostbased_client_name(client_name, mech, &hostbased_name)) {
+               /* get_hostbased_client_name() prints error msg */
+               maj_stat = GSS_S_BAD_NAME; /* XXX ? */
+               goto out_err;
+       }
 
        /* Context complete. Pass handle_seq in out_handle to use
         * for context lookup in the kernel. */
@@ -396,7 +488,7 @@ handle_nullreq(FILE *f) {
 
        /* kernel needs ctx to calculate verifier on null response, so
         * must give it context before doing null call: */
-       if (serialize_context_for_kernel(ctx, &ctx_token, mech)) {
+       if (serialize_context_for_kernel(ctx, &ctx_token, mech, &ctx_endtime)) {
                printerr(0, "WARNING: handle_nullreq: "
                            "serialize_context_for_kernel failed\n");
                maj_stat = GSS_S_FAILURE;
@@ -405,22 +497,26 @@ handle_nullreq(FILE *f) {
        /* We no longer need the gss context */
        gss_delete_sec_context(&ignore_min_stat, &ctx, &ignore_out_tok);
 
-       do_svc_downcall(&out_handle, &cred, mech, &ctx_token);
+       do_svc_downcall(&out_handle, &cred, mech, &ctx_token, ctx_endtime,
+                       hostbased_name);
 continue_needed:
-       send_response(f, &in_handle, &in_tok, maj_stat, min_stat,
+       send_response(&in_handle, &in_tok, maj_stat, min_stat,
                        &out_handle, &out_tok);
 out:
        if (ctx_token.value != NULL)
                free(ctx_token.value);
        if (out_tok.value != NULL)
                gss_release_buffer(&ignore_min_stat, &out_tok);
+       if (client_name)
+               gss_release_name(&ignore_min_stat, &client_name);
+       free(hostbased_name);
        printerr(1, "finished handling null request\n");
        return;
 
 out_err:
        if (ctx != GSS_C_NO_CONTEXT)
                gss_delete_sec_context(&ignore_min_stat, &ctx, &ignore_out_tok);
-       send_response(f, &in_handle, &in_tok, maj_stat, min_stat,
+       send_response(&in_handle, &in_tok, maj_stat, min_stat,
                        &null_token, &null_token);
        goto out;
 }