From: Steve Dickson <SteveD@redhat.com>
To: Kevin Coffman <kwc@citi.umich.edu>
Cc: linux-nfs@vger.kernel.org
Subject: Re: [PATCH 2/3] Try to use kernel function to determine supported Kerberos enctypes.
Date: Wed, 14 Apr 2010 16:05:30 -0400 [thread overview]
Message-ID: <4BC6200A.6060504@RedHat.com> (raw)
In-Reply-To: <z2j4d569c331004141258y2f16a82ga1aa7826d665b3a9-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On 04/14/2010 03:58 PM, Kevin Coffman wrote:
> On Wed, Apr 14, 2010 at 3:18 PM, <steved@redhat.com> wrote:
>> From: Kevin Coffman <kwc@citi.umich.edu>
>>
>> This patch replaces a hard-coded list with a function to obtain
>> the Kerberos encryption types that the kernel's rpcsec_gss code
>> can support. Defaults to old behavior if kernel does not supply
>> information.
>>
>> Signed-off-by: Steve Dickson <steved@redhat.com>
>> ---
>> utils/gssd/gssd_proc.c | 81 +++++++++++++++++++++++++++++++++++++++++++++++-
>> utils/gssd/krb5_util.c | 16 ++++++++-
>> 2 files changed, 94 insertions(+), 3 deletions(-)
>>
>> diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
>> index be4fb11..12e11d5 100644
>> --- a/utils/gssd/gssd_proc.c
>> +++ b/utils/gssd/gssd_proc.c
>> @@ -600,6 +600,67 @@ update_client_list(void)
>> return retval;
>> }
>>
>> +/* Encryption types supported by the kernel rpcsec_gss code */
>> +int num_krb5_enctypes = 0;
>> +krb5_enctype *krb5_enctypes = NULL;
>> +
>> +/*
>> + * Parse the supported encryption type information
>> + */
>> +static int
>> +parse_enctypes(char *enctypes)
>> +{
>> + int n = 0;
>> + char *curr, *comma;
>> + int i;
>> + static char *cached_types;
>> +
>> + if (cached_types && strcmp(cached_types, enctypes) == 0)
>> + return 0;
>> + free(cached_types);
>> +
>> + if (krb5_enctypes != NULL) {
>> + free(krb5_enctypes);
>> + krb5_enctypes = NULL;
>> + num_krb5_enctypes = 0;
>> + }
>> +
>> + /* count the number of commas */
>> + for (curr = enctypes; curr && *curr != '\0'; curr = ++comma) {
>> + comma = strchr(curr, ',');
>> + if (comma != NULL)
>> + n++;
>> + else
>> + break;
>> + }
>> + /* If no more commas and we're not at the end, there's one more value */
>> + if (*curr != '\0')
>> + n++;
>> +
>> + /* Empty string, return an error */
>> + if (n == 0)
>> + return ENOENT;
>> +
>> + /* Allocate space for enctypes array */
>> + if ((krb5_enctypes = (int *) calloc(n, sizeof(int))) == NULL) {
>> + return ENOMEM;
>> + }
>> +
>> + /* Now parse each value into the array */
>> + for (curr = enctypes, i = 0; curr && *curr != '\0'; curr = ++comma) {
>> + krb5_enctypes[i++] = atoi(curr);
>> + comma = strchr(curr, ',');
>> + if (comma == NULL)
>> + break;
>> + }
>> +
>> + num_krb5_enctypes = n;
>> + if (cached_types = malloc(strlen(enctypes)+1))
>> + strcpy(cached_types, enctypes);
>> +
>> + return 0;
>> +}
>> +
>> static int
>> do_downcall(int k5_fd, uid_t uid, struct authgss_private_data *pd,
>> gss_buffer_desc *context_token)
>> @@ -1128,11 +1189,12 @@ handle_gssd_upcall(struct clnt_info *clp)
>> {
>> uid_t uid;
>> char *lbuf = NULL;
>> - int lbuflen = 0;
>> + int lbuflen = 0, code;
>> char *p;
>> char *mech = NULL;
>> char *target = NULL;
>> char *service = NULL;
>> + char *enctypes = NULL;
>>
>> printerr(1, "handling gssd upcall (%s)\n", clp->dirname);
>>
>> @@ -1176,6 +1238,23 @@ handle_gssd_upcall(struct clnt_info *clp)
>> goto out;
>> }
>>
>> + /* read supported encryption types if supplied */
>> + if ((p = strstr(lbuf, "enctypes=")) != NULL) {
>> + enctypes = malloc(lbuflen);
>> + if (!enctypes)
>> + goto out;
>> + if (sscanf(p, "enctypes=%s", enctypes) != 1) {
>> + printerr(0, "WARNING: handle_gssd_upcall: "
>> + "failed to parse target name "
>> + "in upcall string '%s'\n", lbuf);
>> + goto out;
>> + }
>> + if (parse_enctypes(enctypes) != 0) {
>> + printerr(0, "WARNING: handle_gssd_upcall: "
>> + "parsing encryption types failed: errno %d\n", code);
>> + }
>> + }
>> +
>> /* read target name */
>> if ((p = strstr(lbuf, "target=")) != NULL) {
>> target = malloc(lbuflen);
>> diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
>> index 1c10bd4..0f56b1d 100644
>> --- a/utils/gssd/krb5_util.c
>> +++ b/utils/gssd/krb5_util.c
>> @@ -1274,6 +1274,8 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
>> ENCTYPE_DES_CBC_MD5,
>> ENCTYPE_DES_CBC_MD4 };
>> int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
>> + extern int num_krb5_enctypes;
>> + extern krb5_enctype *krb5_enctypes;
>>
>> /* We only care about getting a krb5 cred */
>> desired_mechs.count = 1;
>> @@ -1290,8 +1292,18 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
>> return -1;
>> }
>>
>> - maj_stat = gss_set_allowable_enctypes(&min_stat, credh, &krb5oid,
>> - num_enctypes, &enctypes);
>> + /*
>> + * If we failed for any reason to produce global
>> + * list of supported enctypes, use local default here.
>> + */
>> + if (krb5_enctypes == NULL)
>> + maj_stat = gss_set_allowable_enctypes(&min_stat, credh,
>> + &krb5oid, num_enctypes, &enctypes);
>> + else
>> + maj_stat = gss_set_allowable_enctypes(&min_stat, credh,
>> + &krb5oid, num_krb5_enctypes,
>> + krb5_enctypes);
>> +
>> if (maj_stat != GSS_S_COMPLETE) {
>> pgsserr("gss_set_allowable_enctypes",
>> maj_stat, min_stat, &krb5oid);
>> --
>
> Hi Steve,
>
> The global krb5_enctypes array was used when the list was being read
> once from a file. With the list now coming up with each request in
> the updated upcall, I think the list obtained in the upcall should be
> added to the clnt_info structure and then passed to the
> limit_krb5_enctypes function as a parameter.
Six of one.... half a dozen of another... ;-)
But I do see there is a memory leak... I don't free the enctypes
buffer in handle_gssd_upcall() :-\
I'll repost in a bit...
steved.
next prev parent reply other threads:[~2010-04-14 20:05 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-04-14 19:18 [PATCH 0/3] nfs-utils: Adds support for more encryption types steved
2010-04-14 19:18 ` [PATCH 1/3] gssd: move function limit_krb5_enctypes into the exported functions area steved
2010-04-14 19:18 ` [PATCH 2/3] Try to use kernel function to determine supported Kerberos enctypes steved
2010-04-14 19:58 ` Kevin Coffman
[not found] ` <z2j4d569c331004141258y2f16a82ga1aa7826d665b3a9-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2010-04-14 20:05 ` Steve Dickson [this message]
2010-04-15 11:58 ` Steve Dickson
2010-04-15 13:25 ` Kevin Coffman
2010-04-15 12:45 ` [PATCH 2/3] Try to use kernel function to determine supported Kerberos enctypes (Updated) Steve Dickson
2010-04-14 19:18 ` [PATCH 3/3] Add support for non-DES encryption types steved
2010-04-16 17:53 ` [PATCH 0/3] nfs-utils: Adds support for more " Steve Dickson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4BC6200A.6060504@RedHat.com \
--to=steved@redhat.com \
--cc=kwc@citi.umich.edu \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox