X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fgssd%2Fsvcgssd_proc.c;h=3894078e81568e4f78d0a18bef8cb5e2e7528191;hp=b3a6ae8cda53d351e2a236867094564e9df89b33;hb=bc8fdd5ebcabe57cacd382673ca9e4a79ff7b18e;hpb=660809fe7e597520d17deab9225f1b371c08d65c

diff --git a/utils/gssd/svcgssd_proc.c b/utils/gssd/svcgssd_proc.c
index b3a6ae8..3894078 100644
--- a/utils/gssd/svcgssd_proc.c
+++ b/utils/gssd/svcgssd_proc.c
@@ -33,6 +33,10 @@
 
 */
 
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif	/* HAVE_CONFIG_H */
+
 #include <sys/param.h>
 #include <sys/stat.h>
 #include <rpc/rpc.h>
@@ -45,12 +49,14 @@
 #include <fcntl.h>
 #include <errno.h>
 #include <nfsidmap.h>
+#include <nfslib.h>
+#include <time.h>
 
 #include "svcgssd.h"
 #include "gss_util.h"
 #include "err_util.h"
 #include "context.h"
-#include "cacheio.h"
+#include "gss_oids.h"
 
 extern char * mech2file(gss_OID mech);
 #define SVCGSSD_CONTEXT_CHANNEL "/proc/net/rpc/auth.rpcsec.context/channel"
@@ -67,11 +73,13 @@ struct svc_cred {
 
 static int
 do_svc_downcall(gss_buffer_desc *out_handle, struct svc_cred *cred,
-		gss_OID mech, gss_buffer_desc *context_token)
+		gss_OID mech, gss_buffer_desc *context_token,
+		int32_t endtime, char *client_name)
 {
 	FILE *f;
 	int i;
 	char *fname = NULL;
+	int err;
 
 	printerr(1, "doing downcall\n");
 	if ((fname = mech2file(mech)) == NULL)
@@ -85,19 +93,34 @@ do_svc_downcall(gss_buffer_desc *out_handle, struct svc_cred *cred,
 	}
 	qword_printhex(f, out_handle->value, out_handle->length);
 	/* XXX are types OK for the rest of this? */
-	qword_printint(f, 0x7fffffff); /*XXX need a better timeout */
+	/* For context cache, use the actual context endtime */
+	qword_printint(f, endtime);
 	qword_printint(f, cred->cr_uid);
 	qword_printint(f, cred->cr_gid);
 	qword_printint(f, cred->cr_ngroups);
-	for (i=0; i < cred->cr_ngroups; i++)
+	printerr(2, "mech: %s, hndl len: %d, ctx len %d, timeout: %d (%d from now), "
+		 "clnt: %s, uid: %d, gid: %d, num aux grps: %d:\n",
+		 fname, out_handle->length, context_token->length,
+		 endtime, endtime - time(0),
+		 client_name ? client_name : "<null>",
+		 cred->cr_uid, cred->cr_gid, cred->cr_ngroups);
+	for (i=0; i < cred->cr_ngroups; i++) {
 		qword_printint(f, cred->cr_groups[i]);
+		printerr(2, "  (%4d) %d\n", i+1, cred->cr_groups[i]);
+	}
 	qword_print(f, fname);
 	qword_printhex(f, context_token->value, context_token->length);
-	qword_eol(f);
+	if (client_name)
+		qword_print(f, client_name);
+	err = qword_eol(f);
+	if (err) {
+		printerr(1, "WARNING: error writing to downcall channel "
+			 "%s: %s\n", SVCGSSD_CONTEXT_CHANNEL, strerror(errno));
+	}
 	fclose(f);
-	return 0;
+	return err;
 out_err:
-	printerr(0, "WARNING: downcall failed\n");
+	printerr(1, "WARNING: downcall failed\n");
 	return -1;
 }
 
@@ -109,7 +132,7 @@ struct gss_verifier {
 #define RPCSEC_GSS_SEQ_WIN	5
 
 static int
-send_response(FILE *f, gss_buffer_desc *in_handle, gss_buffer_desc *in_token,
+send_response(gss_buffer_desc *in_handle, gss_buffer_desc *in_token,
 	      u_int32_t maj_stat, u_int32_t min_stat,
 	      gss_buffer_desc *out_handle, gss_buffer_desc *out_token)
 {
@@ -123,9 +146,10 @@ send_response(FILE *f, gss_buffer_desc *in_handle, gss_buffer_desc *in_token,
 
 	qword_addhex(&bp, &blen, in_handle->value, in_handle->length);
 	qword_addhex(&bp, &blen, in_token->value, in_token->length);
-	qword_addint(&bp, &blen, 0x7fffffff); /*XXX need a better timeout */
-	qword_addint(&bp, &blen, maj_stat);
-	qword_addint(&bp, &blen, min_stat);
+	/* For init cache, only needed for a short time */
+	qword_addint(&bp, &blen, time(0) + 60);
+	qword_adduint(&bp, &blen, maj_stat);
+	qword_adduint(&bp, &blen, min_stat);
 	qword_addhex(&bp, &blen, out_handle->value, out_handle->length);
 	qword_addhex(&bp, &blen, out_token->value, out_token->length);
 	qword_addeol(&bp, &blen);
@@ -140,7 +164,7 @@ send_response(FILE *f, gss_buffer_desc *in_handle, gss_buffer_desc *in_token,
 		return -1;
 	}
 	*bp = '\0';
-	printerr(1, "writing message: %s", buf);
+	printerr(3, "writing message: %s", buf);
 	if (write(g, buf, bp - buf) == -1) {
 		printerr(0, "WARNING: failed to write message\n");
 		close(g);
@@ -220,8 +244,23 @@ get_ids(gss_name_t client_name, gss_OID mech, struct svc_cred *cred)
 	nfs4_init_name_mapping(NULL); /* XXX: should only do this once */
 	res = nfs4_gss_princ_to_ids(secname, sname, &uid, &gid);
 	if (res < 0) {
-		printerr(0, "WARNING: get_ids: unable to map "
-			"name '%s' to a uid\n", sname);
+		/*
+		 * -ENOENT means there was no mapping, any other error
+		 * value means there was an error trying to do the
+		 * mapping.
+		 * If there was no mapping, we send down the value -1
+		 * to indicate that the anonuid/anongid for the export
+		 * should be used.
+		 */
+		if (res == -ENOENT) {
+			cred->cr_uid = -1;
+			cred->cr_gid = -1;
+			cred->cr_ngroups = 0;
+			res = 0;
+			goto out_free;
+		}
+		printerr(1, "WARNING: get_ids: failed to map name '%s' "
+			"to uid/gid: %s\n", sname, strerror(-res));
 		goto out_free;
 	}
 	cred->cr_uid = uid;
@@ -234,42 +273,112 @@ out:
 	return res;
 }
 
+#ifdef DEBUG
 void
-print_hexl(int pri, unsigned char *cp, int length)
+print_hexl(const char *description, unsigned char *cp, int length)
 {
 	int i, j, jm;
 	unsigned char c;
 
-	printerr(pri, "length %d\n",length);
-	printerr(pri, "\n");
+	printf("%s (length %d)\n", description, length);
 
 	for (i = 0; i < length; i += 0x10) {
-		printerr(pri, "  %04x: ", (u_int)i);
+		printf("  %04x: ", (u_int)i);
 		jm = length - i;
 		jm = jm > 16 ? 16 : jm;
 
 		for (j = 0; j < jm; j++) {
 			if ((j % 2) == 1)
-				printerr(pri,"%02x ", (u_int)cp[i+j]);
+				printf("%02x ", (u_int)cp[i+j]);
 			else
-				printerr(pri,"%02x", (u_int)cp[i+j]);
+				printf("%02x", (u_int)cp[i+j]);
 		}
 		for (; j < 16; j++) {
 			if ((j % 2) == 1)
-				printerr(pri,"   ");
+				printf("   ");
 			else
-				printerr(pri,"  ");
+				printf("  ");
 		}
-		printerr(pri," ");
+		printf(" ");
 
 		for (j = 0; j < jm; j++) {
 			c = cp[i+j];
 			c = isprint(c) ? c : '.';
-			printerr(pri,"%c", c);
+			printf("%c", c);
 		}
-		printerr(pri,"\n");
+		printf("\n");
 	}
 }
+#endif
+
+static int
+get_krb5_hostbased_name (gss_buffer_desc *name, char **hostbased_name)
+{
+	char *p, *sname = NULL;
+	if (strchr(name->value, '@') && strchr(name->value, '/')) {
+		if ((sname = calloc(name->length, 1)) == NULL) {
+			printerr(0, "ERROR: get_krb5_hostbased_name failed "
+				 "to allocate %d bytes\n", name->length);
+			return -1;
+		}
+		/* read in name and instance and replace '/' with '@' */
+		sscanf(name->value, "%[^@]", sname);
+		p = strrchr(sname, '/');
+		if (p == NULL) {    /* The '@' preceeded the '/' */
+			free(sname);
+			return -1;
+		}
+		*p = '@';
+	}
+	*hostbased_name = sname;
+	return 0;
+}
+
+static int
+get_hostbased_client_name(gss_name_t client_name, gss_OID mech,
+			  char **hostbased_name)
+{
+	u_int32_t	maj_stat, min_stat;
+	gss_buffer_desc	name;
+	gss_OID		name_type = GSS_C_NO_OID;
+	char		*cname;
+	int		res = -1;
+
+	*hostbased_name = NULL;	    /* preset in case we fail */
+
+	/* Get the client's gss authenticated name */
+	maj_stat = gss_display_name(&min_stat, client_name, &name, &name_type);
+	if (maj_stat != GSS_S_COMPLETE) {
+		pgsserr("get_hostbased_client_name: gss_display_name",
+			maj_stat, min_stat, mech);
+		goto out_err;
+	}
+	if (name.length >= 0xffff) {	    /* don't overflow */
+		printerr(0, "ERROR: get_hostbased_client_name: "
+			 "received gss_name is too long (%d bytes)\n",
+			 name.length);
+		goto out_rel_buf;
+	}
+
+	/* For Kerberos, transform the NT_KRB5_PRINCIPAL name to
+	 * an NT_HOSTBASED_SERVICE name */
+	if (g_OID_equal(&krb5oid, mech)) {
+		if (get_krb5_hostbased_name(&name, &cname) == 0)
+			*hostbased_name = cname;
+	}
+
+	/* No support for SPKM3, just print a warning (for now) */
+	if (g_OID_equal(&spkm3oid, mech)) {
+		printerr(1, "WARNING: get_hostbased_client_name: "
+			 "no hostbased_name support for SPKM3\n");
+	}
+
+	res = 0;
+out_rel_buf:
+	gss_release_buffer(&min_stat, &name);
+out_err:
+	return res;
+}
 
 void
 handle_nullreq(FILE *f) {
@@ -289,7 +398,7 @@ handle_nullreq(FILE *f) {
 				null_token = {.value = NULL};
 	u_int32_t		ret_flags;
 	gss_ctx_id_t		ctx = GSS_C_NO_CONTEXT;
-	gss_name_t		client_name;
+	gss_name_t		client_name = NULL;
 	gss_OID			mech = GSS_C_NO_OID;
 	u_int32_t		maj_stat = GSS_S_FAILURE, min_stat = 0;
 	u_int32_t		ignore_min_stat;
@@ -297,6 +406,8 @@ handle_nullreq(FILE *f) {
 	static char		*lbuf = NULL;
 	static int		lbuflen = 0;
 	static char		*cp;
+	int32_t			ctx_endtime;
+	char			*hostbased_name = NULL;
 
 	printerr(1, "handling null request\n");
 
@@ -310,19 +421,15 @@ handle_nullreq(FILE *f) {
 
 	in_handle.length = (size_t) qword_get(&cp, in_handle.value,
 					      sizeof(in_handle_buf));
-	printerr(2, "in_handle: \n");
-	print_hexl(2, in_handle.value, in_handle.length);
+#ifdef DEBUG
+	print_hexl("in_handle", in_handle.value, in_handle.length);
+#endif
 
 	in_tok.length = (size_t) qword_get(&cp, in_tok.value,
 					   sizeof(in_tok_buf));
-	printerr(2, "in_tok: \n");
-	print_hexl(2, in_tok.value, in_tok.length);
-
-	if (in_tok.length < 0) {
-		printerr(0, "WARNING: handle_nullreq: "
-			    "failed parsing request\n");
-		goto out_err;
-	}
+#ifdef DEBUG
+	print_hexl("in_tok", in_tok.value, in_tok.length);
+#endif
 
 	if (in_handle.length != 0) { /* CONTINUE_INIT case */
 		if (in_handle.length != sizeof(ctx)) {
@@ -349,7 +456,7 @@ handle_nullreq(FILE *f) {
 		goto continue_needed;
 	}
 	else if (maj_stat != GSS_S_COMPLETE) {
-		printerr(0, "WARNING: gss_accept_sec_context failed\n");
+		printerr(1, "WARNING: gss_accept_sec_context failed\n");
 		pgsserr("handle_nullreq: gss_accept_sec_context",
 			maj_stat, min_stat, mech);
 		goto out_err;
@@ -357,11 +464,13 @@ handle_nullreq(FILE *f) {
 	if (get_ids(client_name, mech, &cred)) {
 		/* get_ids() prints error msg */
 		maj_stat = GSS_S_BAD_NAME; /* XXX ? */
-		gss_release_name(&ignore_min_stat, &client_name);
 		goto out_err;
 	}
-	gss_release_name(&ignore_min_stat, &client_name);
-
+	if (get_hostbased_client_name(client_name, mech, &hostbased_name)) {
+		/* get_hostbased_client_name() prints error msg */
+		maj_stat = GSS_S_BAD_NAME; /* XXX ? */
+		goto out_err;
+	}
 
 	/* Context complete. Pass handle_seq in out_handle to use
 	 * for context lookup in the kernel. */
@@ -371,7 +480,7 @@ handle_nullreq(FILE *f) {
 
 	/* kernel needs ctx to calculate verifier on null response, so
 	 * must give it context before doing null call: */
-	if (serialize_context_for_kernel(ctx, &ctx_token, mech)) {
+	if (serialize_context_for_kernel(ctx, &ctx_token, mech, &ctx_endtime)) {
 		printerr(0, "WARNING: handle_nullreq: "
 			    "serialize_context_for_kernel failed\n");
 		maj_stat = GSS_S_FAILURE;
@@ -380,22 +489,26 @@ handle_nullreq(FILE *f) {
 	/* We no longer need the gss context */
 	gss_delete_sec_context(&ignore_min_stat, &ctx, &ignore_out_tok);
 
-	do_svc_downcall(&out_handle, &cred, mech, &ctx_token);
+	do_svc_downcall(&out_handle, &cred, mech, &ctx_token, ctx_endtime,
+			hostbased_name);
 continue_needed:
-	send_response(f, &in_handle, &in_tok, maj_stat, min_stat,
+	send_response(&in_handle, &in_tok, maj_stat, min_stat,
 			&out_handle, &out_tok);
 out:
 	if (ctx_token.value != NULL)
 		free(ctx_token.value);
 	if (out_tok.value != NULL)
 		gss_release_buffer(&ignore_min_stat, &out_tok);
+	if (client_name)
+		gss_release_name(&ignore_min_stat, &client_name);
+	free(hostbased_name);
 	printerr(1, "finished handling null request\n");
 	return;
 
 out_err:
 	if (ctx != GSS_C_NO_CONTEXT)
 		gss_delete_sec_context(&ignore_min_stat, &ctx, &ignore_out_tok);
-	send_response(f, &in_handle, &in_tok, maj_stat, min_stat,
+	send_response(&in_handle, &in_tok, maj_stat, min_stat,
 			&null_token, &null_token);
 	goto out;
 }