Context Navigation

source: branches/samba-3.2.x/source/client/cifs.upcall.c

Visit:

Last change on this file was 204, checked in by Herwig Bauernfeind, 16 years ago
Update 3.2 branch to 3.2.4
File size: 10.0 KB

Rev	Line
[204]	1	/*
	2	* CIFS user-space helper.
	3	* Copyright (C) Igor Mammedov (niallain@gmail.com) 2007
	4	*
	5	* Used by /sbin/request-key for handling
	6	* cifs upcall for kerberos authorization of access to share and
	7	* cifs upcall for DFS srver name resolving (IPv4/IPv6 aware).
	8	* You should have keyutils installed and add something like the
	9	* following lines to /etc/request-key.conf file:
	10
	11	create cifs.spnego * * /usr/local/sbin/cifs.upcall %k
	12	create dns_resolver * * /usr/local/sbin/cifs.upcall %k
	13
	14	* This program is free software; you can redistribute it and/or modify
	15	* it under the terms of the GNU General Public License as published by
	16	* the Free Software Foundation; either version 2 of the License, or
	17	* (at your option) any later version.
	18	* This program is distributed in the hope that it will be useful,
	19	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	20	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	21	* GNU General Public License for more details.
	22	* You should have received a copy of the GNU General Public License
	23	* along with this program; if not, write to the Free Software
	24	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	25	*/
	26
	27	#include "includes.h"
	28	#include <keyutils.h>
	29
	30	#include "cifs_spnego.h"
	31
	32	const char *CIFSSPNEGO_VERSION = "1.2";
	33	static const char *prog = "cifs.upcall";
	34	typedef enum _secType {
	35	NONE = 0,
	36	KRB5,
	37	MS_KRB5
	38	} secType_t;
	39
	40	/*
	41	* Prepares AP-REQ data for mechToken and gets session key
	42	* Uses credentials from cache. It will not ask for password
	43	* you should receive credentials for yuor name manually using
	44	* kinit or whatever you wish.
	45	*
	46	* in:
	47	* oid - string with OID/ Could be OID_KERBEROS5
	48	* or OID_KERBEROS5_OLD
	49	* principal - Service name.
	50	* Could be "cifs/FQDN" for KRB5 OID
	51	* or for MS_KRB5 OID style server principal
	52	* like "pdc$@YOUR.REALM.NAME"
	53	*
	54	* out:
	55	* secblob - pointer for spnego wrapped AP-REQ data to be stored
	56	* sess_key- pointer for SessionKey data to be stored
	57	*
	58	* ret: 0 - success, others - failure
	59	*/
	60	static int
	61	handle_krb5_mech(const char oid, const char principal,
	62	DATA_BLOB * secblob, DATA_BLOB * sess_key)
	63	{
	64	int retval;
	65	DATA_BLOB tkt, tkt_wrapped;
	66
	67	/* get a kerberos ticket for the service and extract the session key */
	68	retval = cli_krb5_get_ticket(principal, 0,
	69	&tkt, sess_key, 0, NULL, NULL);
	70
	71	if (retval)
	72	return retval;
	73
	74	/* wrap that up in a nice GSS-API wrapping */
	75	tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
	76
	77	/* and wrap that in a shiny SPNEGO wrapper */
	78	*secblob = gen_negTokenInit(oid, tkt_wrapped);
	79
	80	data_blob_free(&tkt_wrapped);
	81	data_blob_free(&tkt);
	82	return retval;
	83	}
	84
	85	#define DKD_HAVE_HOSTNAME 1
	86	#define DKD_HAVE_VERSION 2
	87	#define DKD_HAVE_SEC 4
	88	#define DKD_HAVE_IPV4 8
	89	#define DKD_HAVE_IPV6 16
	90	#define DKD_HAVE_UID 32
	91	#define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME\|DKD_HAVE_VERSION\|DKD_HAVE_SEC)
	92
	93	static int
	94	decode_key_description(const char desc, int ver, secType_t * sec,
	95	char *hostname, uid_t uid)
	96	{
	97	int retval = 0;
	98	char *pos;
	99	const char *tkn = desc;
	100
	101	do {
	102	pos = index(tkn, ';');
	103	if (strncmp(tkn, "host=", 5) == 0) {
	104	int len;
	105
	106	if (pos == NULL) {
	107	len = strlen(tkn);
	108	} else {
	109	len = pos - tkn;
	110	}
	111	len -= 4;
	112	SAFE_FREE(*hostname);
	113	*hostname = SMB_XMALLOC_ARRAY(char, len);
	114	strlcpy(*hostname, tkn + 5, len);
	115	retval \|= DKD_HAVE_HOSTNAME;
	116	} else if (strncmp(tkn, "ipv4=", 5) == 0) {
	117	/* BB: do we need it if we have hostname already? */
	118	} else if (strncmp(tkn, "ipv6=", 5) == 0) {
	119	/* BB: do we need it if we have hostname already? */
	120	} else if (strncmp(tkn, "sec=", 4) == 0) {
	121	if (strncmp(tkn + 4, "krb5", 4) == 0) {
	122	retval \|= DKD_HAVE_SEC;
	123	*sec = KRB5;
	124	} else if (strncmp(tkn + 4, "mskrb5", 6) == 0) {
	125	retval \|= DKD_HAVE_SEC;
	126	*sec = MS_KRB5;
	127	}
	128	} else if (strncmp(tkn, "uid=", 4) == 0) {
	129	errno = 0;
	130	*uid = strtol(tkn + 4, NULL, 16);
	131	if (errno != 0) {
	132	syslog(LOG_WARNING, "Invalid uid format: %s",
	133	strerror(errno));
	134	return 1;
	135	} else {
	136	retval \|= DKD_HAVE_UID;
	137	}
	138	} else if (strncmp(tkn, "ver=", 4) == 0) { /* if version */
	139	errno = 0;
	140	*ver = strtol(tkn + 4, NULL, 16);
	141	if (errno != 0) {
	142	syslog(LOG_WARNING,
	143	"Invalid version format: %s",
	144	strerror(errno));
	145	return 1;
	146	} else {
	147	retval \|= DKD_HAVE_VERSION;
	148	}
	149	}
	150	if (pos == NULL)
	151	break;
	152	tkn = pos + 1;
	153	} while (tkn);
	154	return retval;
	155	}
	156
	157	static int
	158	cifs_resolver(const key_serial_t key, const char *key_descr)
	159	{
	160	int c;
	161	struct addrinfo *addr;
	162	char ip[INET6_ADDRSTRLEN];
	163	void *p;
	164	const char *keyend = key_descr;
	165	/* skip next 4 ';' delimiters to get to description */
	166	for (c = 1; c <= 4; c++) {
	167	keyend = index(keyend+1, ';');
	168	if (!keyend) {
	169	syslog(LOG_WARNING, "invalid key description: %s",
	170	key_descr);
	171	return 1;
	172	}
	173	}
	174	keyend++;
	175
	176	/* resolve name to ip */
	177	c = getaddrinfo(keyend, NULL, NULL, &addr);
	178	if (c) {
	179	syslog(LOG_WARNING, "unable to resolve hostname: %s [%s]",
	180	keyend, gai_strerror(c));
	181	return 1;
	182	}
	183
	184	/* conver ip to string form */
	185	if (addr->ai_family == AF_INET) {
	186	p = &(((struct sockaddr_in *)addr->ai_addr)->sin_addr);
	187	} else {
	188	p = &(((struct sockaddr_in6 *)addr->ai_addr)->sin6_addr);
	189	}
	190	if (!inet_ntop(addr->ai_family, p, ip, sizeof(ip))) {
	191	syslog(LOG_WARNING, "%s: inet_ntop: %s",
	192	__FUNCTION__, strerror(errno));
	193	freeaddrinfo(addr);
	194	return 1;
	195	}
	196
	197	/* setup key */
	198	c = keyctl_instantiate(key, ip, strlen(ip)+1, 0);
	199	if (c == -1) {
	200	syslog(LOG_WARNING, "%s: keyctl_instantiate: %s",
	201	__FUNCTION__, strerror(errno));
	202	freeaddrinfo(addr);
	203	return 1;
	204	}
	205
	206	freeaddrinfo(addr);
	207	return 0;
	208	}
	209
	210	static void
	211	usage(void)
	212	{
	213	syslog(LOG_WARNING, "Usage: %s [-c] [-v] key_serial", prog);
	214	fprintf(stderr, "Usage: %s [-c] [-v] key_serial\n", prog);
	215	}
	216
	217	int main(const int argc, char *const argv[])
	218	{
	219	struct cifs_spnego_msg *keydata = NULL;
	220	DATA_BLOB secblob = data_blob_null;
	221	DATA_BLOB sess_key = data_blob_null;
	222	secType_t sectype = NONE;
	223	key_serial_t key = 0;
	224	size_t datalen;
	225	long rc = 1;
	226	uid_t uid = 0;
	227	int kernel_upcall_version = 0;
	228	int c, use_cifs_service_prefix = 0;
	229	char buf, hostname = NULL;
	230	const char *oid;
	231
	232	openlog(prog, 0, LOG_DAEMON);
	233
	234	while ((c = getopt(argc, argv, "cv")) != -1) {
	235	switch (c) {
	236	case 'c':{
	237	use_cifs_service_prefix = 1;
	238	break;
	239	}
	240	case 'v':{
	241	printf("version: %s\n", CIFSSPNEGO_VERSION);
	242	goto out;
	243	}
	244	default:{
	245	syslog(LOG_WARNING, "unknown option: %c", c);
	246	goto out;
	247	}
	248	}
	249	}
	250
	251	/* is there a key? */
	252	if (argc <= optind) {
	253	usage();
	254	goto out;
	255	}
	256
	257	/* get key and keyring values */
	258	errno = 0;
	259	key = strtol(argv[optind], NULL, 10);
	260	if (errno != 0) {
	261	key = 0;
	262	syslog(LOG_WARNING, "Invalid key format: %s", strerror(errno));
	263	goto out;
	264	}
	265
	266	rc = keyctl_describe_alloc(key, &buf);
	267	if (rc == -1) {
	268	syslog(LOG_WARNING, "keyctl_describe_alloc failed: %s",
	269	strerror(errno));
	270	rc = 1;
	271	goto out;
	272	}
	273
	274	if ((strncmp(buf, "cifs.resolver", sizeof("cifs.resolver")-1) == 0) \|\|
	275	(strncmp(buf, "dns_resolver", sizeof("dns_resolver")-1) == 0)) {
	276	rc = cifs_resolver(key, buf);
	277	goto out;
	278	}
	279
	280	rc = decode_key_description(buf, &kernel_upcall_version, &sectype,
	281	&hostname, &uid);
	282	if ((rc & DKD_MUSTHAVE_SET) != DKD_MUSTHAVE_SET) {
	283	syslog(LOG_WARNING,
	284	"unable to get from description necessary params");
	285	rc = 1;
	286	SAFE_FREE(buf);
	287	goto out;
	288	}
	289	SAFE_FREE(buf);
	290
	291	if (kernel_upcall_version > CIFS_SPNEGO_UPCALL_VERSION) {
	292	syslog(LOG_WARNING,
	293	"incompatible kernel upcall version: 0x%x",
	294	kernel_upcall_version);
	295	rc = 1;
	296	goto out;
	297	}
	298
	299	if (rc & DKD_HAVE_UID) {
	300	rc = setuid(uid);
	301	if (rc == -1) {
	302	syslog(LOG_WARNING, "setuid: %s", strerror(errno));
	303	goto out;
	304	}
	305	}
	306
	307	/* BB: someday upcall SPNEGO blob could be checked here to decide
	308	* what mech to use */
	309
	310	// do mech specific authorization
	311	switch (sectype) {
	312	case MS_KRB5:
	313	case KRB5:{
	314	char *princ;
	315	size_t len;
	316
	317	/* for "cifs/" service name + terminating 0 */
	318	len = strlen(hostname) + 5 + 1;
	319	princ = SMB_XMALLOC_ARRAY(char, len);
	320	if (!princ) {
	321	rc = 1;
	322	break;
	323	}
	324	if (use_cifs_service_prefix) {
	325	strlcpy(princ, "cifs/", len);
	326	} else {
	327	strlcpy(princ, "host/", len);
	328	}
	329	strlcpy(princ + 5, hostname, len - 5);
	330
	331	if (sectype == MS_KRB5)
	332	oid = OID_KERBEROS5_OLD;
	333	else
	334	oid = OID_KERBEROS5;
	335
	336	rc = handle_krb5_mech(oid, princ, &secblob, &sess_key);
	337	SAFE_FREE(princ);
	338	break;
	339	}
	340	default:{
	341	syslog(LOG_WARNING, "sectype: %d is not implemented",
	342	sectype);
	343	rc = 1;
	344	break;
	345	}
	346	}
	347
	348	if (rc) {
	349	goto out;
	350	}
	351
	352	/* pack SecurityBLob and SessionKey into downcall packet */
	353	datalen =
	354	sizeof(struct cifs_spnego_msg) + secblob.length + sess_key.length;
	355	keydata = (struct cifs_spnego_msg*)SMB_XMALLOC_ARRAY(char, datalen);
	356	if (!keydata) {
	357	rc = 1;
	358	goto out;
	359	}
	360	keydata->version = kernel_upcall_version;
	361	keydata->flags = 0;
	362	keydata->sesskey_len = sess_key.length;
	363	keydata->secblob_len = secblob.length;
	364	memcpy(&(keydata->data), sess_key.data, sess_key.length);
	365	memcpy(&(keydata->data) + keydata->sesskey_len,
	366	secblob.data, secblob.length);
	367
	368	/* setup key */
	369	rc = keyctl_instantiate(key, keydata, datalen, 0);
	370	if (rc == -1) {
	371	syslog(LOG_WARNING, "keyctl_instantiate: %s", strerror(errno));
	372	goto out;
	373	}
	374
	375	/* BB: maybe we need use timeout for key: for example no more then
	376	* ticket lifietime? */
	377	/* keyctl_set_timeout( key, 60); */
	378	out:
	379	/*
	380	* on error, negatively instantiate the key ourselves so that we can
	381	* make sure the kernel doesn't hang it off of a searchable keyring
	382	* and interfere with the next attempt to instantiate the key.
	383	*/
	384	if (rc != 0 && key == 0)
	385	keyctl_negate(key, 1, KEY_REQKEY_DEFL_DEFAULT);
	386	data_blob_free(&secblob);
	387	data_blob_free(&sess_key);
	388	SAFE_FREE(hostname);
	389	SAFE_FREE(keydata);
	390	return rc;
	391	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: