X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fgssd%2Fcontext_mit.c;h=fad67569f47accdc6adc49bb0a59a025c5dd9973;hp=ba94fd86a628caf69fd1d9403e90338fb17c5c46;hb=fb06ed9fc1fa11a95544fb2d89adb6c51ef5d946;hpb=2ca793c93c09d0bc180b8eed9819206fd42aff21 diff --git a/utils/gssd/context_mit.c b/utils/gssd/context_mit.c index ba94fd8..fad6756 100644 --- a/utils/gssd/context_mit.c +++ b/utils/gssd/context_mit.c @@ -1,5 +1,5 @@ /* - Copyright (c) 2004 The Regents of the University of Michigan. + Copyright (c) 2004-2006 The Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms, with or without @@ -28,10 +28,17 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include "config.h" +#ifdef HAVE_CONFIG_H +#include +#endif /* HAVE_CONFIG_H */ + +#ifndef HAVE_LUCID_CONTEXT_SUPPORT +#ifdef HAVE_KRB5 + #include #include #include +#include #include #include #include @@ -40,23 +47,13 @@ #include "err_util.h" #include "context.h" -#ifdef HAVE_KRB5 #include -/* XXX spkm3 seems to actually want it this big, yipes. */ -#define MAX_CTX_LEN 4096 - -#ifdef HAVE_LUCID_CONTEXT_SUPPORT - -/* Don't use the private structure, use the exported lucid structure */ -#include - -#elif (KRB5_VERSION > 131) +#if (KRB5_VERSION > 131) /* XXX argggg, there's gotta be a better way than just duplicating this * whole struct. Unfortunately, this is in a "private" header file, * so this is our best choice at this point :-/ - * - * XXX Does this match the Heimdal definition? */ + */ typedef struct _krb5_gss_ctx_id_rec { unsigned int initiate : 1; /* nonzero if initiating, zero if accepting */ 
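Review bot: `#define MAX_CTX_LEN 4096` is removed here while `serialize_krb5_ctx` further down (the `@@ -294,51 +140,141 @@` hunk) still calls `calloc(1, MAX_CTX_LEN)`, so the macro must now be provided by `context.h` (included just above the removed define) for this file to compile; that header is not visible here, so please confirm the definition moved rather than disappeared. If it did move, a short comment at the use site such as `/* MAX_CTX_LEN is defined in context.h */` would save the next reader the same search, and the removed `XXX spkm3 seems to actually want it this big` rationale should travel with the definition.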
@@ -86,7 +83,7 @@ typedef struct _krb5_gss_ctx_id_rec {
 uint64_t seq_recv; /* gssint_uint64 */
 void *seqstate;
 krb5_auth_context auth_context;
- gss_buffer_desc *mech_used; /* gss_OID_desc */
+ gss_OID_desc *mech_used; /* gss_OID_desc */
 /* Protocol spec revision
 0 => RFC 1964 with 3DES and RC4 enhancements
 1 => draft-ietf-krb-wg-gssapi-cfx-01
@@ -123,7 +120,7 @@ typedef struct _krb5_gss_ctx_id_rec {
 int established;
 int big_endian;
 krb5_auth_context auth_context;
- gss_buffer_desc *mech_used;
+ gss_OID_desc *mech_used;
 int nctypes;
 krb5_cksumtype *ctypes;
 } krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
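Review bot: The trailing `/* gss_OID_desc */` on the new `gss_OID_desc *mech_used;` line now only restates the declared type; it was informative while the member was declared as `gss_buffer_desc` and can be dropped (the second hunk at `@@ -123,7 +120,7 @@` already carries no such comment). Both typedefs are hand-copied from a private MIT header, so naming the MIT release they were copied from next to the existing `XXX argggg` comment would make future drift easier to spot; the struct definitions themselves start and end outside these hunks.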
@@ -131,157 +128,6 @@ typedef struct _krb5_gss_ctx_id_rec { #endif /* KRB5_VERSION */ -#ifdef HAVE_LUCID_CONTEXT_SUPPORT /* Lucid context support */ -static int -write_lucid_keyblock(char **p, char *end, gss_krb5_lucid_key_t *key) -{ - gss_buffer_desc tmp; - - if (WRITE_BYTES(p, end, key->type)) return -1; - tmp.length = key->length; - tmp.value = key->data; - if (write_buffer(p, end, &tmp)) return -1; - return 0; -} - -static int -prepare_krb5_rfc1964_buffer(gss_krb5_lucid_context_v1_t *lctx, - gss_buffer_desc *buf) -{ - char *p, *end; - static int constant_zero = 0; - unsigned char fakeseed[16]; - uint32_t word_send_seq; - gss_krb5_lucid_key_t enc_key; - int i; - char *skd, *dkd; - gss_buffer_desc fakeoid; - - /* - * The new Kerberos interface to get the gss context - * does not include the seed or seed_init fields - * because we never really use them. But for now, - * send down a fake buffer so we can use the same - * interface to the kernel. - */ - memset(&enc_key, 0, sizeof(enc_key)); - memset(&fakeoid, 0, sizeof(fakeoid)); - - if (!(buf->value = calloc(1, MAX_CTX_LEN))) - goto out_err; - p = buf->value; - end = buf->value + MAX_CTX_LEN; - - if (WRITE_BYTES(&p, end, lctx->initiate)) goto out_err; - - /* seed_init and seed not used by kernel anyway */ - if (WRITE_BYTES(&p, end, constant_zero)) goto out_err; - if (write_bytes(&p, end, &fakeseed, 16)) goto out_err; - - if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.sign_alg)) goto out_err; - if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.seal_alg)) goto out_err; - if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err; - word_send_seq = lctx->send_seq; /* XXX send_seq is 64-bit */ - if (WRITE_BYTES(&p, end, word_send_seq)) goto out_err; - if (write_buffer(&p, end, (gss_buffer_desc*)&krb5oid)) goto out_err; - - /* derive the encryption key and copy it into buffer */ - enc_key.type = lctx->rfc1964_kd.ctx_key.type; - enc_key.length = lctx->rfc1964_kd.ctx_key.length; - if ((enc_key.data = calloc(1, enc_key.length)) == NULL) - 
goto out_err; - skd = (char *) lctx->rfc1964_kd.ctx_key.data; - dkd = (char *) enc_key.data; - for (i = 0; i < enc_key.length; i++) - dkd[i] = skd[i] ^ 0xf0; - if (write_lucid_keyblock(&p, end, &enc_key)) { - free(enc_key.data); - goto out_err; - } - free(enc_key.data); - - if (write_lucid_keyblock(&p, end, &lctx->rfc1964_kd.ctx_key)) - goto out_err; - - buf->length = p - (char *)buf->value; - return 0; -out_err: - printerr(0, "ERROR: failed serializing krb5 context for kernel\n"); - if (buf->value) free(buf->value); - buf->length = 0; - if (enc_key.data) free(enc_key.data); - return -1; -} - -static int -prepare_krb5_rfc_cfx_buffer(gss_krb5_lucid_context_v1_t *lctx, - gss_buffer_desc *buf) -{ - printerr(0, "ERROR: prepare_krb5_rfc_cfx_buffer: not implemented\n"); - return -1; -} - - -int -serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf) -{ - OM_uint32 maj_stat, min_stat; - void *return_ctx = 0; - OM_uint32 vers; - gss_krb5_lucid_context_v1_t *lctx = 0; - int retcode = 0; - - printerr(2, "DEBUG: serialize_krb5_ctx: lucid version!\n"); - maj_stat = gss_export_lucid_sec_context(&min_stat, ctx, - 1, &return_ctx); - if (maj_stat != GSS_S_COMPLETE) { - pgsserr("gss_export_lucid_sec_context", - maj_stat, min_stat, &krb5oid); - goto out_err; - } - - /* Check the version returned, we only support v1 right now */ - vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version; - switch (vers) { - case 1: - lctx = (gss_krb5_lucid_context_v1_t *) return_ctx; - break; - default: - printerr(0, "ERROR: unsupported lucid sec context version %d\n", - vers); - goto out_err; - break; - } - - /* Now lctx points to a lucid context that we can send down to kernel */ - if (lctx->protocol == 0) - retcode = prepare_krb5_rfc1964_buffer(lctx, buf); - else - retcode = prepare_krb5_rfc_cfx_buffer(lctx, buf); - - maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx); - if (maj_stat != GSS_S_COMPLETE) { - pgsserr("gss_export_lucid_sec_context", - maj_stat, min_stat, 
&krb5oid); - printerr(0, "WARN: failed to free lucid sec context\n"); - } - - if (retcode) { - printerr(1, "serialize_krb5_ctx: prepare_krb5_*_buffer " - "failed (retcode = %d)\n", retcode); - goto out_err; - } - - return 0; - -out_err: - printerr(0, "ERROR: failed serializing krb5 context for kernel\n"); - return -1; -} - - -#else /* HAVE_LUCID_CONTEXT_SUPPORT */ - static int write_keyblock(char **p, char *end, struct _krb5_keyblock *arg) { 
@@ -294,51 +140,141 @@ write_keyblock(char **p, char *end, struct _krb5_keyblock *arg) return 0; } +/* + * We really shouldn't know about glue-layer context structure, but + * we need to get at the real krb5 context pointer. This should be + * removed as soon as we say there is no support for MIT Kerberos + * prior to 1.4 -- which gives us "legal" access to the context info. + */ +typedef struct gss_union_ctx_id_t { + gss_OID mech_type; + gss_ctx_id_t internal_ctx_id; +} gss_union_ctx_id_desc, *gss_union_ctx_id_t; + int -serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf) +serialize_krb5_ctx(gss_ctx_id_t *ctx, gss_buffer_desc *buf, int32_t *endtime) { - krb5_gss_ctx_id_t kctx = (krb5_gss_ctx_id_t)ctx; + krb5_gss_ctx_id_t kctx = ((gss_union_ctx_id_t)(*ctx))->internal_ctx_id; char *p, *end; - static int constant_one = 1; static int constant_zero = 0; + static int constant_one = 1; + static int constant_two = 2; uint32_t word_seq_send; + u_int64_t seq_send_64bit; + uint32_t v2_flags = 0; if (!(buf->value = calloc(1, MAX_CTX_LEN))) goto out_err; p = buf->value; end = buf->value + MAX_CTX_LEN; - if (kctx->initiate) { - if (WRITE_BYTES(&p, end, constant_one)) goto out_err; - } - else { - if (WRITE_BYTES(&p, end, constant_zero)) goto out_err; - } - if (kctx->seed_init) { - if (WRITE_BYTES(&p, end, constant_one)) goto out_err; - } - else { - if (WRITE_BYTES(&p, end, constant_zero)) goto out_err; - } - if (write_bytes(&p, end, &kctx->seed, sizeof(kctx->seed))) + switch (kctx->enc->enctype) { + case ENCTYPE_DES_CBC_CRC: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_DES_CBC_RAW: + /* Old format of context to the kernel */ + if (kctx->initiate) { + if (WRITE_BYTES(&p, end, constant_one)) goto out_err; + } + else { + if (WRITE_BYTES(&p, end, constant_zero)) goto out_err; + } + if (kctx->seed_init) { + if (WRITE_BYTES(&p, end, constant_one)) goto out_err; + } + else { + if (WRITE_BYTES(&p, end, constant_zero)) goto out_err; + } + if 
(write_bytes(&p, end, &kctx->seed, sizeof(kctx->seed))) + goto out_err; + if (WRITE_BYTES(&p, end, kctx->signalg)) goto out_err; + if (WRITE_BYTES(&p, end, kctx->sealalg)) goto out_err; + if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err; + if (endtime) + *endtime = kctx->endtime; + word_seq_send = kctx->seq_send; + if (WRITE_BYTES(&p, end, word_seq_send)) goto out_err; + if (write_oid(&p, end, kctx->mech_used)) goto out_err; + + printerr(2, "serialize_krb5_ctx: serializing keys with " + "enctype %d and length %d\n", + kctx->enc->enctype, kctx->enc->length); + + if (write_keyblock(&p, end, kctx->enc)) goto out_err; + if (write_keyblock(&p, end, kctx->seq)) goto out_err; + break; + case ENCTYPE_DES3_CBC_RAW: + case ENCTYPE_DES3_CBC_SHA1: + case ENCTYPE_ARCFOUR_HMAC: + case ENCTYPE_ARCFOUR_HMAC_EXP: + case ENCTYPE_AES128_CTS_HMAC_SHA1_96: + case ENCTYPE_AES256_CTS_HMAC_SHA1_96: + /* New format of context to the kernel */ + /* u32 flags; + * #define KRB5_CTX_FLAG_INITIATOR 0x00000001 + * #define KRB5_CTX_FLAG_CFX 0x00000002 + * #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004 + * s32 endtime; + * u64 seq_send; + * u32 enctype; + * rawkey data + */ + + if (kctx->initiate) + v2_flags |= KRB5_CTX_FLAG_INITIATOR; + if (kctx->proto == 1) + v2_flags |= KRB5_CTX_FLAG_CFX; + if (kctx->have_acceptor_subkey) + v2_flags |= KRB5_CTX_FLAG_ACCEPTOR_SUBKEY; + if (WRITE_BYTES(&p, end, v2_flags)) goto out_err; + if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err; + + seq_send_64bit = kctx->seq_send; + if (WRITE_BYTES(&p, end, seq_send_64bit)) goto out_err; + + if (kctx->have_acceptor_subkey) { + if (WRITE_BYTES(&p, end, kctx->acceptor_subkey->enctype)) + goto out_err; + printerr(2, "serialize_krb5_ctx: serializing subkey " + "with enctype %d and size %d\n", + kctx->acceptor_subkey->enctype, + kctx->acceptor_subkey->length); + + if (write_bytes(&p, end, + kctx->acceptor_subkey->contents, + kctx->acceptor_subkey->length)) + goto out_err; + } else { + if (WRITE_BYTES(&p, end, 
kctx->enc->enctype)) + goto out_err; + printerr(2, "serialize_krb5_ctx: serializing key " + "with enctype %d and size %d\n", + kctx->enc->enctype, kctx->enc->length); + + if (write_bytes(&p, end, kctx->enc->contents, + kctx->enc->length)) + goto out_err; + } + break; + default: + printerr(0, "ERROR: serialize_krb5_ctx: unsupported encryption " + "algorithm %d\n", kctx->enc->enctype); goto out_err; - if (WRITE_BYTES(&p, end, kctx->signalg)) goto out_err; - if (WRITE_BYTES(&p, end, kctx->sealalg)) goto out_err; - if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err; - word_seq_send = kctx->seq_send; - if (WRITE_BYTES(&p, end, word_seq_send)) goto out_err; - if (write_buffer(&p, end, kctx->mech_used)) goto out_err; - if (write_keyblock(&p, end, kctx->enc)) goto out_err; - if (write_keyblock(&p, end, kctx->seq)) goto out_err; + } buf->length = p - (char *)buf->value; return 0; + out_err: printerr(0, "ERROR: failed serializing krb5 context for kernel\n"); - if (buf->value) free(buf->value); + if (buf->value) { + free(buf->value); + } + buf->value = NULL; buf->length = 0; return -1; } -#endif /* HAVE_LUCID_CONTEXT_SUPPORT */ #endif /* HAVE_KRB5 */ +#endif /* HAVE_LUCID_CONTEXT_SUPPORT */
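Review bot: The new `endtime` output parameter is only assigned in the DES (old-format) branch of the `switch`; for every enctype in the new-format branch `kctx->endtime` is written into the buffer but `*endtime` is never stored, so a caller passing a non-NULL pointer gets back whatever value it held before (the caller is not visible here, so how that stale value is used is inferred). Hoist the assignment out of the switch so both formats behave the same: drop the in-branch `if (endtime) *endtime = kctx->endtime;` and place that same line immediately before `buf->length = p - (char *)buf->value;`. Two smaller points: `if (buf->value) { free(buf->value); }` in `out_err` can be plain `free(buf->value);` since `free(NULL)` is a no-op, and `u_int64_t seq_send_64bit` would be better as the `<stdint.h>` `uint64_t` already used for `seq_recv` in this file. `kctx` is obtained by casting `*ctx` through the locally mirrored `gss_union_ctx_id_t` with no check that `*ctx` or `kctx->enc` is non-NULL, so if a caller can reach this with an empty context the dereference happens before the enctype switch rejects anything.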