X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fgssd%2Fgssd_proc.c;h=c17ab3bf914526f433fb6c76ace1daa63c10d921;hp=c301d467d26c88e039570153deb7137bdf979aba;hb=95894ff4467995659c4ce5e2523f3c8058d9c676;hpb=b8ba21cedc6aac3b2847217caf55885bb1a74805 diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index c301d46..c17ab3b 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -52,6 +52,7 @@ #include #include #include +#include #include #include @@ -104,7 +105,7 @@ struct pollfd * pollarray; -int pollsize; /* the size of pollaray (in pollfd's) */ +unsigned long pollsize; /* the size of pollaray (in pollfd's) */ /* * convert a presentation address string to a sockaddr_storage struct. Returns @@ -250,21 +251,10 @@ read_service_info(char *info_file_name, char **servicename, char **servername, if ((p = strstr(buf, "port")) != NULL) sscanf(p, "port: %127s\n", port); - /* check service, program, and version */ - if (memcmp(service, "nfs", 3) != 0) - return -1; + /* get program, and version numbers */ *prog = atoi(program + 1); /* skip open paren */ *vers = atoi(version); - if (strlen(service) == 3 ) { - if ((*prog != 100003) || ((*vers != 2) && (*vers != 3) && - (*vers != 4))) - goto fail; - } else if (memcmp(service, "nfs4_cb", 7) == 0) { - if (*vers != 1) - goto fail; - } - if (!addrstr_to_sockaddr(addr, address, port)) goto fail; @@ -299,15 +289,11 @@ destroy_client(struct clnt_info *clp) if (clp->krb5_poll_index != -1) memset(&pollarray[clp->krb5_poll_index], 0, sizeof(struct pollfd)); - if (clp->spkm3_poll_index != -1) - memset(&pollarray[clp->spkm3_poll_index], 0, - sizeof(struct pollfd)); if (clp->gssd_poll_index != -1) memset(&pollarray[clp->gssd_poll_index], 0, sizeof(struct pollfd)); if (clp->dir_fd != -1) close(clp->dir_fd); if (clp->krb5_fd != -1) close(clp->krb5_fd); - if (clp->spkm3_fd != -1) close(clp->spkm3_fd); if (clp->gssd_fd != -1) close(clp->gssd_fd); free(clp->dirname); free(clp->servicename); @@ -327,10 +313,8 @@ insert_new_clnt(void) goto out; } clp->krb5_poll_index = -1; - clp->spkm3_poll_index = -1; clp->gssd_poll_index = -1; clp->krb5_fd = -1; - clp->spkm3_fd = -1; clp->gssd_fd = -1; clp->dir_fd = -1; @@ -346,6 +330,25 @@ process_clnt_dir_files(struct clnt_info * clp) char gname[PATH_MAX]; char info_file_name[PATH_MAX]; + if (clp->gssd_close_me) { + printerr(2, "Closing 'gssd' pipe for %s\n", clp->dirname); + close(clp->gssd_fd); + memset(&pollarray[clp->gssd_poll_index], 0, + sizeof(struct pollfd)); + clp->gssd_fd = -1; + clp->gssd_poll_index = -1; + clp->gssd_close_me = 0; + } + if (clp->krb5_close_me) { + printerr(2, "Closing 'krb5' pipe for %s\n", clp->dirname); + close(clp->krb5_fd); + memset(&pollarray[clp->krb5_poll_index], 0, + sizeof(struct pollfd)); + clp->krb5_fd = -1; + clp->krb5_poll_index = -1; + clp->krb5_close_me = 0; + } + if (clp->gssd_fd == -1) { snprintf(gname, sizeof(gname), "%s/gssd", clp->dirname); clp->gssd_fd = open(gname, O_RDWR); @@ -355,30 +358,22 @@ process_clnt_dir_files(struct clnt_info * clp) snprintf(name, sizeof(name), "%s/krb5", clp->dirname); clp->krb5_fd = open(name, O_RDWR); } - if (clp->spkm3_fd == -1) { - snprintf(name, sizeof(name), "%s/spkm3", clp->dirname); - clp->spkm3_fd = open(name, O_RDWR); - } /* If we opened a gss-specific pipe, let's try opening * the new upcall pipe again. If we succeed, close * gss-specific pipe(s). */ - if (clp->krb5_fd != -1 || clp->spkm3_fd != -1) { + if (clp->krb5_fd != -1) { clp->gssd_fd = open(gname, O_RDWR); if (clp->gssd_fd != -1) { if (clp->krb5_fd != -1) close(clp->krb5_fd); clp->krb5_fd = -1; - if (clp->spkm3_fd != -1) - close(clp->spkm3_fd); - clp->spkm3_fd = -1; } } } - if ((clp->krb5_fd == -1) && (clp->spkm3_fd == -1) && - (clp->gssd_fd == -1)) + if ((clp->krb5_fd == -1) && (clp->gssd_fd == -1)) return -1; snprintf(info_file_name, sizeof(info_file_name), "%s/info", clp->dirname); @@ -393,10 +388,10 @@ process_clnt_dir_files(struct clnt_info * clp) static int get_poll_index(int *ind) { - int i; + unsigned int i; *ind = -1; - for (i=0; ikrb5_poll_index].events |= POLLIN; } - if ((clp->spkm3_fd != -1) && (clp->spkm3_poll_index == -1)) { - if (get_poll_index(&clp->spkm3_poll_index)) { - printerr(0, "ERROR: Too many spkm3 clients\n"); - return -1; - } - pollarray[clp->spkm3_poll_index].fd = clp->spkm3_fd; - pollarray[clp->spkm3_poll_index].events |= POLLIN; - } - return 0; } @@ -487,9 +473,13 @@ fail_keep_client: void init_client_list(void) { + struct rlimit rlim; TAILQ_INIT(&clnt_list); /* Eventually plan to grow/shrink poll array: */ pollsize = FD_ALLOC_BLOCK; + if (getrlimit(RLIMIT_NOFILE, &rlim) < 0 && + rlim.rlim_cur != RLIM_INFINITY) + pollsize = rlim.rlim_cur; pollarray = calloc(pollsize, sizeof(struct pollfd)); } @@ -571,9 +561,8 @@ process_pipedir(char *pipe_name) update_old_clients(namelist, j, pipe_name); for (i=0; i < j; i++) { - if (i < FD_ALLOC_BLOCK - && !strncmp(namelist[i]->d_name, "clnt", 4) - && !find_client(namelist[i]->d_name, pipe_name)) + if (!strncmp(namelist[i]->d_name, "clnt", 4) + && !find_client(namelist[i]->d_name, pipe_name)) process_clnt_dir(namelist[i]->d_name, pipe_name); free(namelist[i]); } @@ -663,19 +652,22 @@ parse_enctypes(char *enctypes) static int do_downcall(int k5_fd, uid_t uid, struct authgss_private_data *pd, - gss_buffer_desc *context_token) + gss_buffer_desc *context_token, OM_uint32 lifetime_rec) { char *buf = NULL, *p = NULL, *end = NULL; unsigned int timeout = context_timeout; unsigned int buf_size = 0; - printerr(1, "doing downcall\n"); + printerr(1, "doing downcall lifetime_rec %u\n", lifetime_rec); buf_size = sizeof(uid) + sizeof(timeout) + sizeof(pd->pd_seq_win) + sizeof(pd->pd_ctx_hndl.length) + pd->pd_ctx_hndl.length + sizeof(context_token->length) + context_token->length; p = buf = malloc(buf_size); end = buf + buf_size; + /* context_timeout set by -t option overrides context lifetime */ + if (timeout == 0) + timeout = lifetime_rec; if (WRITE_BYTES(&p, end, uid)) goto out_err; if (WRITE_BYTES(&p, end, timeout)) goto out_err; if (WRITE_BYTES(&p, end, pd->pd_seq_win)) goto out_err; @@ -803,11 +795,12 @@ set_port: * Create an RPC connection and establish an authenticated * gss context with a server. */ -int create_auth_rpc_client(struct clnt_info *clp, - CLIENT **clnt_return, - AUTH **auth_return, - uid_t uid, - int authtype) +static int +create_auth_rpc_client(struct clnt_info *clp, + CLIENT **clnt_return, + AUTH **auth_return, + uid_t uid, + int authtype) { CLIENT *rpc_clnt = NULL; struct rpc_gss_sec sec; @@ -839,13 +832,6 @@ int create_auth_rpc_client(struct clnt_info *clp, sec.mech = (gss_OID)&krb5oid; sec.req_flags = GSS_C_MUTUAL_FLAG; } - else if (authtype == AUTHTYPE_SPKM3) { - sec.mech = (gss_OID)&spkm3oid; - /* XXX sec.req_flags = GSS_C_ANON_FLAG; - * Need a way to switch.... - */ - sec.req_flags = GSS_C_MUTUAL_FLAG; - } else { printerr(0, "ERROR: Invalid authentication type (%d) " "in create_auth_rpc_client\n", authtype); @@ -919,9 +905,8 @@ int create_auth_rpc_client(struct clnt_info *clp, auth = authgss_create_default(rpc_clnt, clp->servicename, &sec); if (!auth) { /* Our caller should print appropriate message */ - printerr(2, "WARNING: Failed to create %s context for " + printerr(2, "WARNING: Failed to create krb5 context for " "user with uid %d for server %s\n", - (authtype == AUTHTYPE_KRB5 ? "krb5":"spkm3"), uid, clp->servername); goto out_fail; } @@ -966,15 +951,10 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, char **dirname; int create_resp = -1; int err, downcall_err = -EACCES; + OM_uint32 maj_stat, min_stat, lifetime_rec; printerr(1, "handling krb5 upcall (%s)\n", clp->dirname); - if (tgtname) { - if (clp->servicename) { - free(clp->servicename); - clp->servicename = strdup(tgtname); - } - } token.length = 0; token.value = NULL; memset(&pd, 0, sizeof(struct authgss_private_data)); @@ -1023,7 +1003,8 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, int success = 0; do { gssd_refresh_krb5_machine_credential(clp->servername, - NULL, service); + NULL, service, + tgtname); /* * Get a list of credential cache names and try each * of them until one works or we've tried them all @@ -1076,6 +1057,15 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, goto out_return_error; } + /* Grab the context lifetime to pass to the kernel. lifetime_rec + * is set to zero on error */ + maj_stat = gss_inquire_context(&min_stat, pd.pd_ctx, NULL, NULL, + &lifetime_rec, NULL, NULL, NULL, NULL); + + if (maj_stat) + printerr(1, "WARNING: Failed to inquire context for lifetme " + "maj_stat %u\n", maj_stat); + if (serialize_context_for_kernel(pd.pd_ctx, &token, &krb5oid, NULL)) { printerr(0, "WARNING: Failed to serialize krb5 context for " "user with uid %d for server %s\n", @@ -1083,12 +1073,12 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, goto out_return_error; } - do_downcall(fd, uid, &pd, &token); + do_downcall(fd, uid, &pd, &token, lifetime_rec); out: if (token.value) free(token.value); -#ifndef HAVE_LIBTIRPC +#ifdef HAVE_AUTHGSS_FREE_PRIVATE_DATA if (pd.pd_ctx_hndl.length != 0) authgss_free_private_data(&pd); #endif @@ -1103,59 +1093,6 @@ out_return_error: goto out; } -/* - * this code uses the userland rpcsec gss library to create an spkm3 - * context on behalf of the kernel - */ -static void -process_spkm3_upcall(struct clnt_info *clp, uid_t uid, int fd) -{ - CLIENT *rpc_clnt = NULL; - AUTH *auth = NULL; - struct authgss_private_data pd; - gss_buffer_desc token; - - printerr(2, "handling spkm3 upcall (%s)\n", clp->dirname); - - token.length = 0; - token.value = NULL; - - if (create_auth_rpc_client(clp, &rpc_clnt, &auth, uid, AUTHTYPE_SPKM3)) { - printerr(0, "WARNING: Failed to create spkm3 context for " - "user with uid %d\n", uid); - goto out_return_error; - } - - if (!authgss_get_private_data(auth, &pd)) { - printerr(0, "WARNING: Failed to obtain authentication " - "data for user with uid %d for server %s\n", - uid, clp->servername); - goto out_return_error; - } - - if (serialize_context_for_kernel(pd.pd_ctx, &token, &spkm3oid, NULL)) { - printerr(0, "WARNING: Failed to serialize spkm3 context for " - "user with uid %d for server\n", - uid, clp->servername); - goto out_return_error; - } - - do_downcall(fd, uid, &pd, &token); - -out: - if (token.value) - free(token.value); - if (auth) - AUTH_DESTROY(auth); - if (rpc_clnt) - clnt_destroy(rpc_clnt); - return; - -out_return_error: - do_error_downcall(fd, uid, -1); - goto out; -} - void handle_krb5_upcall(struct clnt_info *clp) { @@ -1167,21 +1104,7 @@ handle_krb5_upcall(struct clnt_info *clp) return; } - return process_krb5_upcall(clp, uid, clp->krb5_fd, NULL, NULL); -} - -void -handle_spkm3_upcall(struct clnt_info *clp) -{ - uid_t uid; - - if (read(clp->spkm3_fd, &uid, sizeof(uid)) < (ssize_t)sizeof(uid)) { - printerr(0, "WARNING: failed reading uid from spkm3 " - "upcall pipe: %s\n", strerror(errno)); - return; - } - - return process_spkm3_upcall(clp, uid, clp->spkm3_fd); + process_krb5_upcall(clp, uid, clp->krb5_fd, NULL, NULL); } void @@ -1245,7 +1168,7 @@ handle_gssd_upcall(struct clnt_info *clp) goto out; if (sscanf(p, "enctypes=%s", enctypes) != 1) { printerr(0, "WARNING: handle_gssd_upcall: " - "failed to parse target name " + "failed to parse encryption types " "in upcall string '%s'\n", lbuf); goto out; } @@ -1292,8 +1215,6 @@ handle_gssd_upcall(struct clnt_info *clp) if (strcmp(mech, "krb5") == 0) process_krb5_upcall(clp, uid, clp->gssd_fd, target, service); - else if (strcmp(mech, "spkm3") == 0) - process_spkm3_upcall(clp, uid, clp->gssd_fd); else printerr(0, "WARNING: handle_gssd_upcall: " "received unknown gss mech '%s'\n", mech);