From: Jeff Layton <jlayton@redhat.com>
To: steved@redhat.com
Cc: linux-nfs@vger.kernel.org
Subject: [PATCH v2 6/6] gssd: scrape the acceptor name out of the context
Date: Tue, 15 Apr 2014 11:19:32 -0400 [thread overview]
Message-ID: <1397575172-28377-7-git-send-email-jlayton@redhat.com> (raw)
In-Reply-To: <1397575172-28377-1-git-send-email-jlayton@redhat.com>
...and pass it to the kernel in the downcall. Legacy kernels will just
ignore the extra data, but with a proposed kernel patch the kernel will
grab this info and use it to verify requests on the v4.0 callback
channel.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
---
utils/gssd/gssd_proc.c | 37 +++++++++++++++++++++++++++----------
1 file changed, 27 insertions(+), 10 deletions(-)
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index e26935dcfc8f..69bb3c6f11b3 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -77,6 +77,7 @@
#include "context.h"
#include "nfsrpc.h"
#include "nfslib.h"
+#include "gss_names.h"
/*
* pollarray:
@@ -683,16 +684,19 @@ parse_enctypes(char *enctypes)
static void
do_downcall(int k5_fd, uid_t uid, struct authgss_private_data *pd,
- gss_buffer_desc *context_token, OM_uint32 lifetime_rec)
+ gss_buffer_desc *context_token, OM_uint32 lifetime_rec,
+ gss_buffer_desc *acceptor)
{
char *buf = NULL, *p = NULL, *end = NULL;
unsigned int timeout = context_timeout;
unsigned int buf_size = 0;
- printerr(1, "doing downcall lifetime_rec %u\n", lifetime_rec);
+ printerr(1, "doing downcall: lifetime_rec=%u acceptor=%.*s\n",
+ lifetime_rec, acceptor->length, acceptor->value);
buf_size = sizeof(uid) + sizeof(timeout) + sizeof(pd->pd_seq_win) +
sizeof(pd->pd_ctx_hndl.length) + pd->pd_ctx_hndl.length +
- sizeof(context_token->length) + context_token->length;
+ sizeof(context_token->length) + context_token->length +
+ acceptor->length;
p = buf = malloc(buf_size);
if (!buf)
goto out_err;
@@ -707,6 +711,7 @@ do_downcall(int k5_fd, uid_t uid, struct authgss_private_data *pd,
if (WRITE_BYTES(&p, end, pd->pd_seq_win)) goto out_err;
if (write_buffer(&p, end, &pd->pd_ctx_hndl)) goto out_err;
if (write_buffer(&p, end, context_token)) goto out_err;
+ if (write_buffer(&p, end, acceptor)) goto out_err;
if (write(k5_fd, buf, p - buf) < p - buf) goto out_err;
free(buf);
@@ -1034,6 +1039,9 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
gss_cred_id_t gss_cred;
OM_uint32 maj_stat, min_stat, lifetime_rec;
pid_t pid;
+ gss_name_t gacceptor = GSS_C_NO_NAME;
+ gss_OID mech;
+ gss_buffer_desc acceptor = {0};
pid = fork();
switch(pid) {
@@ -1174,16 +1182,24 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
goto out_return_error;
}
- /* Grab the context lifetime to pass to the kernel. */
- maj_stat = gss_inquire_context(&min_stat, pd.pd_ctx, NULL, NULL,
- &lifetime_rec, NULL, NULL, NULL, NULL);
+ /* Grab the context lifetime and acceptor name out of the ctx. */
+ maj_stat = gss_inquire_context(&min_stat, pd.pd_ctx, NULL, &gacceptor,
+ &lifetime_rec, &mech, NULL, NULL, NULL);
- if (maj_stat) {
- printerr(1, "WARNING: Failed to inquire context for lifetme "
- "maj_stat %u\n", maj_stat);
+ if (maj_stat != GSS_S_COMPLETE) {
+ printerr(1, "WARNING: Failed to inquire context "
+ "maj_stat (0x%x)\n", maj_stat);
lifetime_rec = 0;
+ } else {
+ get_hostbased_client_buffer(gacceptor, mech, &acceptor);
+ gss_release_name(&min_stat, &gacceptor);
}
+ /*
+ * The serialization can mean turning pd.pd_ctx into a lucid context. If
+ * that happens then the pd.pd_ctx will be unusable, so we must never
+ * try to use it after this point.
+ */
if (serialize_context_for_kernel(&pd.pd_ctx, &token, &krb5oid, NULL)) {
printerr(0, "WARNING: Failed to serialize krb5 context for "
"user with uid %d for server %s\n",
@@ -1191,9 +1207,10 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
goto out_return_error;
}
- do_downcall(fd, uid, &pd, &token, lifetime_rec);
+ do_downcall(fd, uid, &pd, &token, lifetime_rec, &acceptor);
out:
+ gss_release_buffer(&min_stat, &acceptor);
if (token.value)
free(token.value);
#ifdef HAVE_AUTHGSS_FREE_PRIVATE_DATA
--
1.9.0
next prev parent reply other threads:[~2014-04-15 15:19 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-15 15:19 [PATCH v2 0/6] gssd: add the GSSAPI acceptor name to the info passed in downcall Jeff Layton
2014-04-15 15:19 ` [PATCH v2 1/6] gssd: handle malloc failure appropriately in do_downcall Jeff Layton
2014-04-15 15:19 ` [PATCH v2 2/6] gssd: make do_downcall a void return Jeff Layton
2014-04-15 15:19 ` [PATCH v2 3/6] gssd: move hostbased name routines into separate file Jeff Layton
2014-04-15 15:19 ` [PATCH v2 4/6] gssd: add new routine for generating a hostbased principal in a gss_buffer_t Jeff Layton
2014-04-15 15:19 ` [PATCH v2 5/6] gssd: explicitly set lifetime_rec to 0 when gss_inquire_context fails Jeff Layton
2014-04-15 15:19 ` Jeff Layton [this message]
2014-04-30 16:30 ` [PATCH v2 0/6] gssd: add the GSSAPI acceptor name to the info passed in downcall Steve Dickson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1397575172-28377-7-git-send-email-jlayton@redhat.com \
--to=jlayton@redhat.com \
--cc=linux-nfs@vger.kernel.org \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).