Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

source: branches/samba-3.2.x/source/client/cifs.upcall.c@ 203

Visit:

Last change on this file since 203 was 203, checked in by Herwig Bauernfeind, 16 years ago
Missing 3.2.2 client and HOWTO files
File size: 9.4 KB

Line
1	/*
2	* CIFS user-space helper.
3	* Copyright (C) Igor Mammedov (niallain@gmail.com) 2007
4	*
5	* Used by /sbin/request-key for handling
6	* cifs upcall for kerberos authorization of access to share and
7	* cifs upcall for DFS srver name resolving (IPv4/IPv6 aware).
8	* You should have keyutils installed and add something like the
9	* following lines to /etc/request-key.conf file:
10
11	create cifs.spnego * * /usr/local/sbin/cifs.upcall %k
12	create dns_resolver * * /usr/local/sbin/cifs.upcall %k
13
14	* This program is free software; you can redistribute it and/or modify
15	* it under the terms of the GNU General Public License as published by
16	* the Free Software Foundation; either version 2 of the License, or
17	* (at your option) any later version.
18	* This program is distributed in the hope that it will be useful,
19	* but WITHOUT ANY WARRANTY; without even the implied warranty of
20	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21	* GNU General Public License for more details.
22	* You should have received a copy of the GNU General Public License
23	* along with this program; if not, write to the Free Software
24	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25	*/
26
27	#include "includes.h"
28	#include <keyutils.h>
29
30	#include "cifs_spnego.h"
31
32	const char *CIFSSPNEGO_VERSION = "1.1";
33	static const char *prog = "cifs.upcall";
34	typedef enum _secType {
35	KRB5,
36	MS_KRB5
37	} secType_t;
38
39	/*
40	* Prepares AP-REQ data for mechToken and gets session key
41	* Uses credentials from cache. It will not ask for password
42	* you should receive credentials for yuor name manually using
43	* kinit or whatever you wish.
44	*
45	* in:
46	* oid - string with OID/ Could be OID_KERBEROS5
47	* or OID_KERBEROS5_OLD
48	* principal - Service name.
49	* Could be "cifs/FQDN" for KRB5 OID
50	* or for MS_KRB5 OID style server principal
51	* like "pdc$@YOUR.REALM.NAME"
52	*
53	* out:
54	* secblob - pointer for spnego wrapped AP-REQ data to be stored
55	* sess_key- pointer for SessionKey data to be stored
56	*
57	* ret: 0 - success, others - failure
58	*/
59	int handle_krb5_mech(const char oid, const char principal,
60	DATA_BLOB * secblob, DATA_BLOB * sess_key)
61	{
62	int retval;
63	DATA_BLOB tkt, tkt_wrapped;
64
65	/* get a kerberos ticket for the service and extract the session key */
66	retval = cli_krb5_get_ticket(principal, 0,
67	&tkt, sess_key, 0, NULL, NULL);
68
69	if (retval)
70	return retval;
71
72	/* wrap that up in a nice GSS-API wrapping */
73	tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
74
75	/* and wrap that in a shiny SPNEGO wrapper */
76	*secblob = gen_negTokenInit(OID_KERBEROS5, tkt_wrapped);
77
78	data_blob_free(&tkt_wrapped);
79	data_blob_free(&tkt);
80	return retval;
81	}
82
83	#define DKD_HAVE_HOSTNAME 1
84	#define DKD_HAVE_VERSION 2
85	#define DKD_HAVE_SEC 4
86	#define DKD_HAVE_IPV4 8
87	#define DKD_HAVE_IPV6 16
88	#define DKD_HAVE_UID 32
89	#define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME\|DKD_HAVE_VERSION\|DKD_HAVE_SEC)
90
91	int decode_key_description(const char desc, int ver, secType_t * sec,
92	char *hostname, uid_t uid)
93	{
94	int retval = 0;
95	char *pos;
96	const char *tkn = desc;
97
98	do {
99	pos = index(tkn, ';');
100	if (strncmp(tkn, "host=", 5) == 0) {
101	int len;
102
103	if (pos == NULL) {
104	len = strlen(tkn);
105	} else {
106	len = pos - tkn;
107	}
108	len -= 4;
109	SAFE_FREE(*hostname);
110	*hostname = SMB_XMALLOC_ARRAY(char, len);
111	strlcpy(*hostname, tkn + 5, len);
112	retval \|= DKD_HAVE_HOSTNAME;
113	} else if (strncmp(tkn, "ipv4=", 5) == 0) {
114	/* BB: do we need it if we have hostname already? */
115	} else if (strncmp(tkn, "ipv6=", 5) == 0) {
116	/* BB: do we need it if we have hostname already? */
117	} else if (strncmp(tkn, "sec=", 4) == 0) {
118	if (strncmp(tkn + 4, "krb5", 4) == 0) {
119	retval \|= DKD_HAVE_SEC;
120	*sec = KRB5;
121	}
122	} else if (strncmp(tkn, "uid=", 4) == 0) {
123	errno = 0;
124	*uid = strtol(tkn + 4, NULL, 16);
125	if (errno != 0) {
126	syslog(LOG_WARNING, "Invalid uid format: %s",
127	strerror(errno));
128	return 1;
129	} else {
130	retval \|= DKD_HAVE_UID;
131	}
132	} else if (strncmp(tkn, "ver=", 4) == 0) { /* if version */
133	errno = 0;
134	*ver = strtol(tkn + 4, NULL, 16);
135	if (errno != 0) {
136	syslog(LOG_WARNING,
137	"Invalid version format: %s",
138	strerror(errno));
139	return 1;
140	} else {
141	retval \|= DKD_HAVE_VERSION;
142	}
143	}
144	if (pos == NULL)
145	break;
146	tkn = pos + 1;
147	} while (tkn);
148	return retval;
149	}
150
151	int cifs_resolver(const key_serial_t key, const char *key_descr)
152	{
153	int c;
154	struct addrinfo *addr;
155	char ip[INET6_ADDRSTRLEN];
156	void *p;
157	const char *keyend = key_descr;
158	/* skip next 4 ';' delimiters to get to description */
159	for (c = 1; c <= 4; c++) {
160	keyend = index(keyend+1, ';');
161	if (!keyend) {
162	syslog(LOG_WARNING, "invalid key description: %s",
163	key_descr);
164	return 1;
165	}
166	}
167	keyend++;
168
169	/* resolve name to ip */
170	c = getaddrinfo(keyend, NULL, NULL, &addr);
171	if (c) {
172	syslog(LOG_WARNING, "unable to resolve hostname: %s [%s]",
173	keyend, gai_strerror(c));
174	return 1;
175	}
176
177	/* conver ip to string form */
178	if (addr->ai_family == AF_INET) {
179	p = &(((struct sockaddr_in *)addr->ai_addr)->sin_addr);
180	} else {
181	p = &(((struct sockaddr_in6 *)addr->ai_addr)->sin6_addr);
182	}
183	if (!inet_ntop(addr->ai_family, p, ip, sizeof(ip))) {
184	syslog(LOG_WARNING, "%s: inet_ntop: %s",
185	__FUNCTION__, strerror(errno));
186	freeaddrinfo(addr);
187	return 1;
188	}
189
190	/* setup key */
191	c = keyctl_instantiate(key, ip, strlen(ip)+1, 0);
192	if (c == -1) {
193	syslog(LOG_WARNING, "%s: keyctl_instantiate: %s",
194	__FUNCTION__, strerror(errno));
195	freeaddrinfo(addr);
196	return 1;
197	}
198
199	freeaddrinfo(addr);
200	return 0;
201	}
202
203	void
204	usage(void)
205	{
206	syslog(LOG_WARNING, "Usage: %s [-c] [-v] key_serial", prog);
207	fprintf(stderr, "Usage: %s [-c] [-v] key_serial\n", prog);
208	}
209
210	int main(const int argc, char *const argv[])
211	{
212	struct cifs_spnego_msg *keydata = NULL;
213	DATA_BLOB secblob = data_blob_null;
214	DATA_BLOB sess_key = data_blob_null;
215	secType_t sectype;
216	key_serial_t key = 0;
217	size_t datalen;
218	long rc = 1;
219	uid_t uid;
220	int kernel_upcall_version;
221	int c, use_cifs_service_prefix = 0;
222	char buf, hostname = NULL;
223
224	openlog(prog, 0, LOG_DAEMON);
225
226	while ((c = getopt(argc, argv, "cv")) != -1) {
227	switch (c) {
228	case 'c':{
229	use_cifs_service_prefix = 1;
230	break;
231	}
232	case 'v':{
233	printf("version: %s\n", CIFSSPNEGO_VERSION);
234	goto out;
235	}
236	default:{
237	syslog(LOG_WARNING, "unknown option: %c", c);
238	goto out;
239	}
240	}
241	}
242
243	/* is there a key? */
244	if (argc <= optind) {
245	usage();
246	goto out;
247	}
248
249	/* get key and keyring values */
250	errno = 0;
251	key = strtol(argv[optind], NULL, 10);
252	if (errno != 0) {
253	key = 0;
254	syslog(LOG_WARNING, "Invalid key format: %s", strerror(errno));
255	goto out;
256	}
257
258	rc = keyctl_describe_alloc(key, &buf);
259	if (rc == -1) {
260	syslog(LOG_WARNING, "keyctl_describe_alloc failed: %s",
261	strerror(errno));
262	rc = 1;
263	goto out;
264	}
265
266	if ((strncmp(buf, "cifs.resolver", sizeof("cifs.resolver")-1) == 0) \|\|
267	(strncmp(buf, "dns_resolver", sizeof("dns_resolver")-1) == 0)) {
268	rc = cifs_resolver(key, buf);
269	goto out;
270	}
271
272	rc = decode_key_description(buf, &kernel_upcall_version, &sectype,
273	&hostname, &uid);
274	if ((rc & DKD_MUSTHAVE_SET) != DKD_MUSTHAVE_SET) {
275	syslog(LOG_WARNING,
276	"unable to get from description necessary params");
277	rc = 1;
278	SAFE_FREE(buf);
279	goto out;
280	}
281	SAFE_FREE(buf);
282
283	if (kernel_upcall_version != CIFS_SPNEGO_UPCALL_VERSION) {
284	syslog(LOG_WARNING,
285	"incompatible kernel upcall version: 0x%x",
286	kernel_upcall_version);
287	rc = 1;
288	goto out;
289	}
290
291	if (rc & DKD_HAVE_UID) {
292	rc = setuid(uid);
293	if (rc == -1) {
294	syslog(LOG_WARNING, "setuid: %s", strerror(errno));
295	goto out;
296	}
297	}
298
299	/* BB: someday upcall SPNEGO blob could be checked here to decide
300	* what mech to use */
301
302	// do mech specific authorization
303	switch (sectype) {
304	case KRB5:{
305	char *princ;
306	size_t len;
307
308	/* for "cifs/" service name + terminating 0 */
309	len = strlen(hostname) + 5 + 1;
310	princ = SMB_XMALLOC_ARRAY(char, len);
311	if (!princ) {
312	rc = 1;
313	break;
314	}
315	if (use_cifs_service_prefix) {
316	strlcpy(princ, "cifs/", len);
317	} else {
318	strlcpy(princ, "host/", len);
319	}
320	strlcpy(princ + 5, hostname, len - 5);
321
322	rc = handle_krb5_mech(OID_KERBEROS5, princ,
323	&secblob, &sess_key);
324	SAFE_FREE(princ);
325	break;
326	}
327	default:{
328	syslog(LOG_WARNING, "sectype: %d is not implemented",
329	sectype);
330	rc = 1;
331	break;
332	}
333	}
334
335	if (rc) {
336	goto out;
337	}
338
339	/* pack SecurityBLob and SessionKey into downcall packet */
340	datalen =
341	sizeof(struct cifs_spnego_msg) + secblob.length + sess_key.length;
342	keydata = (struct cifs_spnego_msg*)SMB_XMALLOC_ARRAY(char, datalen);
343	if (!keydata) {
344	rc = 1;
345	goto out;
346	}
347	keydata->version = CIFS_SPNEGO_UPCALL_VERSION;
348	keydata->flags = 0;
349	keydata->sesskey_len = sess_key.length;
350	keydata->secblob_len = secblob.length;
351	memcpy(&(keydata->data), sess_key.data, sess_key.length);
352	memcpy(&(keydata->data) + keydata->sesskey_len,
353	secblob.data, secblob.length);
354
355	/* setup key */
356	rc = keyctl_instantiate(key, keydata, datalen, 0);
357	if (rc == -1) {
358	syslog(LOG_WARNING, "keyctl_instantiate: %s", strerror(errno));
359	goto out;
360	}
361
362	/* BB: maybe we need use timeout for key: for example no more then
363	* ticket lifietime? */
364	/* keyctl_set_timeout( key, 60); */
365	out:
366	/*
367	* on error, negatively instantiate the key ourselves so that we can
368	* make sure the kernel doesn't hang it off of a searchable keyring
369	* and interfere with the next attempt to instantiate the key.
370	*/
371	if (rc != 0 && key == 0)
372	keyctl_negate(key, 1, KEY_REQKEY_DEFL_DEFAULT);
373	data_blob_free(&secblob);
374	data_blob_free(&sess_key);
375	SAFE_FREE(hostname);
376	SAFE_FREE(keydata);
377	return rc;
378	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: