Context Navigation

source: branches/samba-3.2.x/source/client/cifs.upcall.c@ 621

Visit:

Last change on this file since 621 was 204, checked in by Herwig Bauernfeind, 16 years ago
Update 3.2 branch to 3.2.4
File size: 10.0 KB

Line
1	/*
2	* CIFS user-space helper.
3	* Copyright (C) Igor Mammedov (niallain@gmail.com) 2007
4	*
5	* Used by /sbin/request-key for handling
6	* cifs upcall for kerberos authorization of access to share and
7	* cifs upcall for DFS srver name resolving (IPv4/IPv6 aware).
8	* You should have keyutils installed and add something like the
9	* following lines to /etc/request-key.conf file:
10
11	create cifs.spnego * * /usr/local/sbin/cifs.upcall %k
12	create dns_resolver * * /usr/local/sbin/cifs.upcall %k
13
14	* This program is free software; you can redistribute it and/or modify
15	* it under the terms of the GNU General Public License as published by
16	* the Free Software Foundation; either version 2 of the License, or
17	* (at your option) any later version.
18	* This program is distributed in the hope that it will be useful,
19	* but WITHOUT ANY WARRANTY; without even the implied warranty of
20	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21	* GNU General Public License for more details.
22	* You should have received a copy of the GNU General Public License
23	* along with this program; if not, write to the Free Software
24	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25	*/
26
27	#include "includes.h"
28	#include <keyutils.h>
29
30	#include "cifs_spnego.h"
31
32	const char *CIFSSPNEGO_VERSION = "1.2";
33	static const char *prog = "cifs.upcall";
34	typedef enum _secType {
35	NONE = 0,
36	KRB5,
37	MS_KRB5
38	} secType_t;
39
40	/*
41	* Prepares AP-REQ data for mechToken and gets session key
42	* Uses credentials from cache. It will not ask for password
43	* you should receive credentials for yuor name manually using
44	* kinit or whatever you wish.
45	*
46	* in:
47	* oid - string with OID/ Could be OID_KERBEROS5
48	* or OID_KERBEROS5_OLD
49	* principal - Service name.
50	* Could be "cifs/FQDN" for KRB5 OID
51	* or for MS_KRB5 OID style server principal
52	* like "pdc$@YOUR.REALM.NAME"
53	*
54	* out:
55	* secblob - pointer for spnego wrapped AP-REQ data to be stored
56	* sess_key- pointer for SessionKey data to be stored
57	*
58	* ret: 0 - success, others - failure
59	*/
60	static int
61	handle_krb5_mech(const char oid, const char principal,
62	DATA_BLOB * secblob, DATA_BLOB * sess_key)
63	{
64	int retval;
65	DATA_BLOB tkt, tkt_wrapped;
66
67	/* get a kerberos ticket for the service and extract the session key */
68	retval = cli_krb5_get_ticket(principal, 0,
69	&tkt, sess_key, 0, NULL, NULL);
70
71	if (retval)
72	return retval;
73
74	/* wrap that up in a nice GSS-API wrapping */
75	tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
76
77	/* and wrap that in a shiny SPNEGO wrapper */
78	*secblob = gen_negTokenInit(oid, tkt_wrapped);
79
80	data_blob_free(&tkt_wrapped);
81	data_blob_free(&tkt);
82	return retval;
83	}
84
85	#define DKD_HAVE_HOSTNAME 1
86	#define DKD_HAVE_VERSION 2
87	#define DKD_HAVE_SEC 4
88	#define DKD_HAVE_IPV4 8
89	#define DKD_HAVE_IPV6 16
90	#define DKD_HAVE_UID 32
91	#define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME\|DKD_HAVE_VERSION\|DKD_HAVE_SEC)
92
93	static int
94	decode_key_description(const char desc, int ver, secType_t * sec,
95	char *hostname, uid_t uid)
96	{
97	int retval = 0;
98	char *pos;
99	const char *tkn = desc;
100
101	do {
102	pos = index(tkn, ';');
103	if (strncmp(tkn, "host=", 5) == 0) {
104	int len;
105
106	if (pos == NULL) {
107	len = strlen(tkn);
108	} else {
109	len = pos - tkn;
110	}
111	len -= 4;
112	SAFE_FREE(*hostname);
113	*hostname = SMB_XMALLOC_ARRAY(char, len);
114	strlcpy(*hostname, tkn + 5, len);
115	retval \|= DKD_HAVE_HOSTNAME;
116	} else if (strncmp(tkn, "ipv4=", 5) == 0) {
117	/* BB: do we need it if we have hostname already? */
118	} else if (strncmp(tkn, "ipv6=", 5) == 0) {
119	/* BB: do we need it if we have hostname already? */
120	} else if (strncmp(tkn, "sec=", 4) == 0) {
121	if (strncmp(tkn + 4, "krb5", 4) == 0) {
122	retval \|= DKD_HAVE_SEC;
123	*sec = KRB5;
124	} else if (strncmp(tkn + 4, "mskrb5", 6) == 0) {
125	retval \|= DKD_HAVE_SEC;
126	*sec = MS_KRB5;
127	}
128	} else if (strncmp(tkn, "uid=", 4) == 0) {
129	errno = 0;
130	*uid = strtol(tkn + 4, NULL, 16);
131	if (errno != 0) {
132	syslog(LOG_WARNING, "Invalid uid format: %s",
133	strerror(errno));
134	return 1;
135	} else {
136	retval \|= DKD_HAVE_UID;
137	}
138	} else if (strncmp(tkn, "ver=", 4) == 0) { /* if version */
139	errno = 0;
140	*ver = strtol(tkn + 4, NULL, 16);
141	if (errno != 0) {
142	syslog(LOG_WARNING,
143	"Invalid version format: %s",
144	strerror(errno));
145	return 1;
146	} else {
147	retval \|= DKD_HAVE_VERSION;
148	}
149	}
150	if (pos == NULL)
151	break;
152	tkn = pos + 1;
153	} while (tkn);
154	return retval;
155	}
156
157	static int
158	cifs_resolver(const key_serial_t key, const char *key_descr)
159	{
160	int c;
161	struct addrinfo *addr;
162	char ip[INET6_ADDRSTRLEN];
163	void *p;
164	const char *keyend = key_descr;
165	/* skip next 4 ';' delimiters to get to description */
166	for (c = 1; c <= 4; c++) {
167	keyend = index(keyend+1, ';');
168	if (!keyend) {
169	syslog(LOG_WARNING, "invalid key description: %s",
170	key_descr);
171	return 1;
172	}
173	}
174	keyend++;
175
176	/* resolve name to ip */
177	c = getaddrinfo(keyend, NULL, NULL, &addr);
178	if (c) {
179	syslog(LOG_WARNING, "unable to resolve hostname: %s [%s]",
180	keyend, gai_strerror(c));
181	return 1;
182	}
183
184	/* conver ip to string form */
185	if (addr->ai_family == AF_INET) {
186	p = &(((struct sockaddr_in *)addr->ai_addr)->sin_addr);
187	} else {
188	p = &(((struct sockaddr_in6 *)addr->ai_addr)->sin6_addr);
189	}
190	if (!inet_ntop(addr->ai_family, p, ip, sizeof(ip))) {
191	syslog(LOG_WARNING, "%s: inet_ntop: %s",
192	__FUNCTION__, strerror(errno));
193	freeaddrinfo(addr);
194	return 1;
195	}
196
197	/* setup key */
198	c = keyctl_instantiate(key, ip, strlen(ip)+1, 0);
199	if (c == -1) {
200	syslog(LOG_WARNING, "%s: keyctl_instantiate: %s",
201	__FUNCTION__, strerror(errno));
202	freeaddrinfo(addr);
203	return 1;
204	}
205
206	freeaddrinfo(addr);
207	return 0;
208	}
209
210	static void
211	usage(void)
212	{
213	syslog(LOG_WARNING, "Usage: %s [-c] [-v] key_serial", prog);
214	fprintf(stderr, "Usage: %s [-c] [-v] key_serial\n", prog);
215	}
216
217	int main(const int argc, char *const argv[])
218	{
219	struct cifs_spnego_msg *keydata = NULL;
220	DATA_BLOB secblob = data_blob_null;
221	DATA_BLOB sess_key = data_blob_null;
222	secType_t sectype = NONE;
223	key_serial_t key = 0;
224	size_t datalen;
225	long rc = 1;
226	uid_t uid = 0;
227	int kernel_upcall_version = 0;
228	int c, use_cifs_service_prefix = 0;
229	char buf, hostname = NULL;
230	const char *oid;
231
232	openlog(prog, 0, LOG_DAEMON);
233
234	while ((c = getopt(argc, argv, "cv")) != -1) {
235	switch (c) {
236	case 'c':{
237	use_cifs_service_prefix = 1;
238	break;
239	}
240	case 'v':{
241	printf("version: %s\n", CIFSSPNEGO_VERSION);
242	goto out;
243	}
244	default:{
245	syslog(LOG_WARNING, "unknown option: %c", c);
246	goto out;
247	}
248	}
249	}
250
251	/* is there a key? */
252	if (argc <= optind) {
253	usage();
254	goto out;
255	}
256
257	/* get key and keyring values */
258	errno = 0;
259	key = strtol(argv[optind], NULL, 10);
260	if (errno != 0) {
261	key = 0;
262	syslog(LOG_WARNING, "Invalid key format: %s", strerror(errno));
263	goto out;
264	}
265
266	rc = keyctl_describe_alloc(key, &buf);
267	if (rc == -1) {
268	syslog(LOG_WARNING, "keyctl_describe_alloc failed: %s",
269	strerror(errno));
270	rc = 1;
271	goto out;
272	}
273
274	if ((strncmp(buf, "cifs.resolver", sizeof("cifs.resolver")-1) == 0) \|\|
275	(strncmp(buf, "dns_resolver", sizeof("dns_resolver")-1) == 0)) {
276	rc = cifs_resolver(key, buf);
277	goto out;
278	}
279
280	rc = decode_key_description(buf, &kernel_upcall_version, &sectype,
281	&hostname, &uid);
282	if ((rc & DKD_MUSTHAVE_SET) != DKD_MUSTHAVE_SET) {
283	syslog(LOG_WARNING,
284	"unable to get from description necessary params");
285	rc = 1;
286	SAFE_FREE(buf);
287	goto out;
288	}
289	SAFE_FREE(buf);
290
291	if (kernel_upcall_version > CIFS_SPNEGO_UPCALL_VERSION) {
292	syslog(LOG_WARNING,
293	"incompatible kernel upcall version: 0x%x",
294	kernel_upcall_version);
295	rc = 1;
296	goto out;
297	}
298
299	if (rc & DKD_HAVE_UID) {
300	rc = setuid(uid);
301	if (rc == -1) {
302	syslog(LOG_WARNING, "setuid: %s", strerror(errno));
303	goto out;
304	}
305	}
306
307	/* BB: someday upcall SPNEGO blob could be checked here to decide
308	* what mech to use */
309
310	// do mech specific authorization
311	switch (sectype) {
312	case MS_KRB5:
313	case KRB5:{
314	char *princ;
315	size_t len;
316
317	/* for "cifs/" service name + terminating 0 */
318	len = strlen(hostname) + 5 + 1;
319	princ = SMB_XMALLOC_ARRAY(char, len);
320	if (!princ) {
321	rc = 1;
322	break;
323	}
324	if (use_cifs_service_prefix) {
325	strlcpy(princ, "cifs/", len);
326	} else {
327	strlcpy(princ, "host/", len);
328	}
329	strlcpy(princ + 5, hostname, len - 5);
330
331	if (sectype == MS_KRB5)
332	oid = OID_KERBEROS5_OLD;
333	else
334	oid = OID_KERBEROS5;
335
336	rc = handle_krb5_mech(oid, princ, &secblob, &sess_key);
337	SAFE_FREE(princ);
338	break;
339	}
340	default:{
341	syslog(LOG_WARNING, "sectype: %d is not implemented",
342	sectype);
343	rc = 1;
344	break;
345	}
346	}
347
348	if (rc) {
349	goto out;
350	}
351
352	/* pack SecurityBLob and SessionKey into downcall packet */
353	datalen =
354	sizeof(struct cifs_spnego_msg) + secblob.length + sess_key.length;
355	keydata = (struct cifs_spnego_msg*)SMB_XMALLOC_ARRAY(char, datalen);
356	if (!keydata) {
357	rc = 1;
358	goto out;
359	}
360	keydata->version = kernel_upcall_version;
361	keydata->flags = 0;
362	keydata->sesskey_len = sess_key.length;
363	keydata->secblob_len = secblob.length;
364	memcpy(&(keydata->data), sess_key.data, sess_key.length);
365	memcpy(&(keydata->data) + keydata->sesskey_len,
366	secblob.data, secblob.length);
367
368	/* setup key */
369	rc = keyctl_instantiate(key, keydata, datalen, 0);
370	if (rc == -1) {
371	syslog(LOG_WARNING, "keyctl_instantiate: %s", strerror(errno));
372	goto out;
373	}
374
375	/* BB: maybe we need use timeout for key: for example no more then
376	* ticket lifietime? */
377	/* keyctl_set_timeout( key, 60); */
378	out:
379	/*
380	* on error, negatively instantiate the key ourselves so that we can
381	* make sure the kernel doesn't hang it off of a searchable keyring
382	* and interfere with the next attempt to instantiate the key.
383	*/
384	if (rc != 0 && key == 0)
385	keyctl_negate(key, 1, KEY_REQKEY_DEFL_DEFAULT);
386	data_blob_free(&secblob);
387	data_blob_free(&sess_key);
388	SAFE_FREE(hostname);
389	SAFE_FREE(keydata);
390	return rc;
391	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: