Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 228611 Details for
Bug 315311
Add Kerberos support to CIFS mounts
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
patch 5 -- add upcalls using keyctl for CIFS auth
linux-kernel-test.patch (text/plain), 16.34 KB, created by
Jeff Layton
on 2007-10-16 11:51:39 UTC
(
hide
)
Description:
patch 5 -- add upcalls using keyctl for CIFS auth
Filename:
MIME Type:
Creator:
Jeff Layton
Created:
2007-10-16 11:51:39 UTC
Size:
16.34 KB
patch
obsolete
>diff --git a/fs/cifs/Makefile b/fs/cifs/Makefile >index ff6ba8d..0a6d9a5 100644 >--- a/fs/cifs/Makefile >+++ b/fs/cifs/Makefile >@@ -3,4 +3,4 @@ > # > obj-$(CONFIG_CIFS) += cifs.o > >-cifs-objs := cifsfs.o cifssmb.o cifs_debug.o connect.o dir.o file.o inode.o link.o misc.o netmisc.o smbdes.o smbencrypt.o transport.o asn1.o md4.o md5.o cifs_unicode.o nterr.o xattr.o cifsencrypt.o fcntl.o readdir.o ioctl.o sess.o export.o cifsacl.o >+cifs-objs := cifsfs.o cifssmb.o cifs_debug.o connect.o dir.o file.o inode.o link.o misc.o netmisc.o smbdes.o smbencrypt.o transport.o asn1.o md4.o md5.o cifs_unicode.o nterr.o xattr.o cifsencrypt.o fcntl.o readdir.o ioctl.o sess.o export.o cifsacl.o cifsauth.o >diff --git a/fs/cifs/cifsauth.c b/fs/cifs/cifsauth.c >new file mode 100644 >index 0000000..6a88921 >--- /dev/null >+++ b/fs/cifs/cifsauth.c >@@ -0,0 +1,175 @@ >+/* >+ * fs/cifs/cifsauth.c -- auth management for CIFS >+ * >+ * Copyright (c) 2007 Red Hat, Inc. >+ * Author(s): Jeff Layton (jlayton@redhat.com) >+ * >+ * This library is free software; you can redistribute it and/or modify >+ * it under the terms of the GNU Lesser General Public License as published >+ * by the Free Software Foundation; either version 2.1 of the License, or >+ * (at your option) any later version. >+ * >+ * This library is distributed in the hope that it will be useful, >+ * but WITHOUT ANY WARRANTY; without even the implied warranty of >+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See >+ * the GNU Lesser General Public License for more details. >+ * >+ * You should have received a copy of the GNU Lesser General Public License >+ * along with this library; if not, write to the Free Software >+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA >+ */ >+ >+#include <linux/list.h> >+#include <linux/string.h> >+#include <keys/user-type.h> >+#include "cifsglob.h" >+#include "cifs_debug.h" >+ >+/* >+ * create a new SPNEGO blob key >+ */ >+static int >+cifs_spnego_instantiate(struct key *key, const void *data, size_t datalen) >+{ >+ char *payload; >+ int ret; >+ >+ ret = -ENOMEM; >+ payload = kmalloc(datalen, GFP_KERNEL); >+ if (!payload) >+ goto error; >+ >+ /* attach the data */ >+ memcpy(payload, data, datalen); >+ rcu_assign_pointer(key->payload.data, payload); >+ ret = 0; >+ >+error: >+ return ret; >+} >+ >+static void >+cifs_spnego_destroy(struct key *key) >+{ >+ kfree(key->payload.data); >+} >+ >+ >+/* >+ * keytype for CIFS spnego keys >+ */ >+struct key_type cifs_spnego_key_type = { >+ .name = "cifs.spnego", >+ .instantiate = cifs_spnego_instantiate, >+ .match = user_match, >+ .destroy = cifs_spnego_destroy, >+ .describe = user_describe, >+}; >+ >+/* >+ * encode a blob into a null terminated string so that it can be passed to >+ * userspace. The main concern is NULL bytes embedded in the data. Bytes are >+ * translated like this: >+ * >+ * input output >+ * ------ ------------- >+ * 0xff 0xff + 0x01 >+ * 0x00 0xff + 0x02 >+ * >+ * any other byte is passed as-is. Userspace programs getting this string >+ * will need to do the reverse conversion. >+ */ >+static unsigned char * >+cifs_encode_blob(const unsigned char *input, size_t inlen) >+{ >+ unsigned int special_chars = 0; >+ unsigned char *output, *op; >+ int i; >+ >+ /* get a count of number of special chars */ >+ for (i = 0; i < inlen; ++i) >+ if (input[i] == 0xff or input[i] == 0x00) >+ ++special_chars; >+ >+ output = kmalloc((inlen + special_chars + 1), GFP_KERNEL); >+ if (output == NULL) >+ return ERR_PTR(-ENOMEM); >+ >+ /* now do the conversion */ >+ op = output; >+ for (i = 0; i < inlen; ++i) { >+ if (input[i] == 0xff) { >+ *op = 0xff; >+ ++op; >+ *op = 0x01; >+ } else if (input[i] == 0x00) { >+ *op = 0xff; >+ ++op; >+ *op = 0x02; >+ } else >+ *op = input[i]; >+ ++op; >+ } >+ *op = '\0'; >+ >+ return output; >+} >+ >+/* >+ * given a SPNEGO security blob and session info, get a key struct with a new >+ * SPNEGO security blob, suitable for session setup >+ */ >+int >+cifs_spnego_convert(struct cifsSesInfo *sesInfo, const unsigned char *secblob, >+ size_t len) >+{ >+ struct key *key; >+ struct TCP_Server_Info *server = sesInfo->server; >+ char *description = NULL; >+ unsigned char *outblob = NULL; >+ int error; >+ >+ error = -ENOMEM; >+ /* 8 bytes for uid, 32 for addr, 1 for colon, 1 for NULL */ >+ description = kzalloc((8 + 32 + 1 + 1), GFP_KERNEL); >+ if (description == NULL) >+ goto out; >+ >+ outblob = cifs_encode_blob(secblob, len); >+ if (IS_ERR(outblob)) { >+ error = PTR_ERR(outblob); >+ outblob = NULL; >+ goto out; >+ } >+ >+ error = -EINVAL; >+ if (server->addr.sockAddr.sin_family == AF_INET) >+ sprintf(description, "%8.8x:" NIPQUAD_FMT, sesInfo->linux_uid, >+ NIPQUAD(server->addr.sockAddr.sin_addr)); >+ else if (server->addr.sockAddr.sin_family == AF_INET6) >+ sprintf(description, "%8.8x:" NIP6_SEQFMT, sesInfo->linux_uid, >+ NIP6(server->addr.sockAddr6.sin6_addr)); >+ else >+ goto out; >+ >+ if (sesInfo->spnego_key != NULL) { >+ key_put(sesInfo->spnego_key); >+ sesInfo->spnego_key = NULL; >+ } >+ >+ key = request_key(&cifs_spnego_key_type, description, outblob); >+ if (IS_ERR(key)) { >+ error = PTR_ERR(key); >+ goto out; >+ } >+ >+ sesInfo->spnego_key = key; >+ error = 0; >+ cifs_dump_mem("SPNEGO blob:", key->payload.data, key->datalen); >+out: >+ if (description) >+ kfree(description); >+ if (outblob) >+ kfree(outblob); >+ return error; >+} >diff --git a/fs/cifs/cifsauth.h b/fs/cifs/cifsauth.h >new file mode 100644 >index 0000000..1a8b932 >--- /dev/null >+++ b/fs/cifs/cifsauth.h >@@ -0,0 +1,34 @@ >+/* >+ * fs/cifs/cifsauth.h -- auth management for CIFS >+ * >+ * Copyright (c) 2007 Red Hat, Inc. >+ * Author(s): Jeff Layton (jlayton@redhat.com) >+ * >+ * This library is free software; you can redistribute it and/or modify >+ * it under the terms of the GNU Lesser General Public License as published >+ * by the Free Software Foundation; either version 2.1 of the License, or >+ * (at your option) any later version. >+ * >+ * This library is distributed in the hope that it will be useful, >+ * but WITHOUT ANY WARRANTY; without even the implied warranty of >+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See >+ * the GNU Lesser General Public License for more details. >+ * >+ * You should have received a copy of the GNU Lesser General Public License >+ * along with this library; if not, write to the Free Software >+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA >+ */ >+ >+#ifndef _CIFSAUTH_H >+#define _CIFSAUTH_H >+ >+struct cifs_spnego_reply { >+ uint32_t len; >+ uint8_t data[1]; >+}; >+ >+extern struct key_type cifs_spnego_key_type; >+ >+extern int cifs_spnego_convert(struct cifsSesInfo *sesInfo, const char *secblob, size_t len); >+ >+#endif /* _CIFSAUTH_H */ >diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c >index abca6b0..219bcd1 100644 >--- a/fs/cifs/cifsfs.c >+++ b/fs/cifs/cifsfs.c >@@ -42,6 +42,7 @@ > #include "cifsproto.h" > #include "cifs_debug.h" > #include "cifs_fs_sb.h" >+#include "cifsauth.h" > #include <linux/mm.h> > #define CIFS_MAGIC_NUMBER 0xFF534D42 /* the first four bytes of SMB PDUs */ > >@@ -1006,11 +1007,15 @@ init_cifs(void) > if (rc) > goto out_destroy_request_bufs; > >+ rc = register_key_type(&cifs_spnego_key_type); >+ if (rc) >+ goto out_unregister_filesystem; >+ > oplockThread = kthread_run(cifs_oplock_thread, NULL, "cifsoplockd"); > if (IS_ERR(oplockThread)) { > rc = PTR_ERR(oplockThread); > cERROR(1, ("error %d create oplock thread", rc)); >- goto out_unregister_filesystem; >+ goto out_unregister_key_type; > } > > dnotifyThread = kthread_run(cifs_dnotify_thread, NULL, "cifsdnotifyd"); >@@ -1024,6 +1029,8 @@ init_cifs(void) > > out_stop_oplock_thread: > kthread_stop(oplockThread); >+ out_unregister_key_type: >+ unregister_key_type(&cifs_spnego_key_type); > out_unregister_filesystem: > unregister_filesystem(&cifs_fs_type); > out_destroy_request_bufs: >@@ -1046,6 +1053,7 @@ exit_cifs(void) > #ifdef CONFIG_PROC_FS > cifs_proc_clean(); > #endif >+ unregister_key_type(&cifs_spnego_key_type); > unregister_filesystem(&cifs_fs_type); > cifs_destroy_inodecache(); > cifs_destroy_mids(); >diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h >index 61d6173..7a71f44 100644 >--- a/fs/cifs/cifsglob.h >+++ b/fs/cifs/cifsglob.h >@@ -227,6 +227,7 @@ struct cifsSesInfo { > char userName[MAX_USERNAME_SIZE + 1]; > char *domainName; > char *password; >+ struct key *spnego_key; /* security key */ > }; > /* no more than one of the following three session flags may be set */ > #define CIFS_SES_NT4 1 >@@ -495,9 +496,9 @@ require use of the stronger protocol */ > #ifdef CONFIG_CIFS_WEAK_PW_HASH > #define CIFSSEC_MUST_LANMAN 0x10010 > #define CIFSSEC_MUST_PLNTXT 0x20020 >-#define CIFSSEC_MASK 0x37037 /* current flags supported if weak */ >+#define CIFSSEC_MASK 0x3f03f /* current flags supported if weak */ > #else >-#define CIFSSEC_MASK 0x07007 /* flags supported if no weak config */ >+#define CIFSSEC_MASK 0x0f00f /* flags supported if no weak config */ > #endif /* WEAK_PW_HASH */ > #define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */ > >diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c >index b179836..f52d961 100644 >--- a/fs/cifs/cifssmb.c >+++ b/fs/cifs/cifssmb.c >@@ -38,6 +38,7 @@ > #include "cifsproto.h" > #include "cifs_unicode.h" > #include "cifs_debug.h" >+#include "cifsauth.h" > > #ifdef CONFIG_CIFS_POSIX > static struct { >@@ -621,33 +622,35 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses) > if ((pSMBr->hdr.Flags2 & SMBFLG2_EXT_SEC) && > (server->capabilities & CAP_EXTENDED_SECURITY)) { > count = pSMBr->ByteCount; >- if (count < 16) >+ if (count < 16) { > rc = -EIO; >- else if (count == 16) { >- server->secType = RawNTLMSSP; >- if (server->socketUseCount.counter > 1) { >- if (memcmp(server->server_GUID, >- pSMBr->u.extended_response. >- GUID, 16) != 0) { >- cFYI(1, ("server UID changed")); >- memcpy(server->server_GUID, >- pSMBr->u.extended_response.GUID, >- 16); >- } >- } else >+ goto neg_err_exit; >+ } >+ >+ if (server->socketUseCount.counter > 1) { >+ if (memcmp(server->server_GUID, >+ pSMBr->u.extended_response. >+ GUID, 16) != 0) { >+ cFYI(1, ("server UID changed")); > memcpy(server->server_GUID, >- pSMBr->u.extended_response.GUID, 16); >+ pSMBr->u.extended_response.GUID, >+ 16); >+ } >+ } else >+ memcpy(server->server_GUID, >+ pSMBr->u.extended_response.GUID, 16); >+ >+ if (count == 16) { >+ server->secType = RawNTLMSSP; > } else { >- rc = decode_negTokenInit(pSMBr->u.extended_response. >+ rc = cifs_spnego_convert(ses, >+ pSMBr->u.extended_response. > SecurityBlob, >- count - 16, >- &server->secType); >- if (rc == 1) { >- /* BB Need to fill struct for sessetup here */ >- rc = -EOPNOTSUPP; >- } else { >- rc = -EINVAL; >- } >+ count - 16); >+ /* FIXME: could also be NTLMSSP */ >+ server->secType = Kerberos; >+ if (rc) >+ goto neg_err_exit; > } > } else > server->capabilities &= ~CAP_EXTENDED_SECURITY; >@@ -661,8 +664,8 @@ signing_check: > cFYI(1, ("Signing disabled")); > if (server->secMode & SECMODE_SIGN_REQUIRED) > cERROR(1, ("Server requires " >- "/proc/fs/cifs/PacketSigningEnabled " >- "to be on")); >+ "packet signing to be enabled in " >+ "/proc/fs/cifs/SecurityFlags.")); > server->secMode &= > ~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED); > } else if ((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) { >diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c >index 51ec681..3b01968 100644 >--- a/fs/cifs/misc.c >+++ b/fs/cifs/misc.c >@@ -97,6 +97,8 @@ sesInfoFree(struct cifsSesInfo *buf_to_free) > atomic_dec(&sesInfoAllocCount); > list_del(&buf_to_free->cifsSessionList); > write_unlock(&GlobalSMBSeslock); >+ if (buf_to_free->spnego_key) >+ key_put(buf_to_free->spnego_key); > kfree(buf_to_free->serverOS); > kfree(buf_to_free->serverDomain); > kfree(buf_to_free->serverNOS); >diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c >index 78797c0..dae177a 100644 >--- a/fs/cifs/sess.c >+++ b/fs/cifs/sess.c >@@ -74,6 +74,52 @@ static __u32 cifs_ssetup_hdr(struct cifsSesInfo *ses, SESSION_SETUP_ANDX *pSMB) > return capabilities; > } > >+static void >+unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp) >+{ >+ char *bcc_ptr = *pbcc_area; >+ int bytes_ret = 0; >+ >+ /* Copy OS version */ >+ bytes_ret = cifs_strtoUCS((__le16 *)bcc_ptr, "Linux version ", 32, >+ nls_cp); >+ bcc_ptr += 2 * bytes_ret; >+ bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, init_utsname()->release, >+ 32, nls_cp); >+ bcc_ptr += 2 * bytes_ret; >+ bcc_ptr += 2; /* trailing null */ >+ >+ bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS, >+ 32, nls_cp); >+ bcc_ptr += 2 * bytes_ret; >+ bcc_ptr += 2; /* trailing null */ >+ >+ *pbcc_area = bcc_ptr; >+} >+ >+static void unicode_domain_string(char **pbcc_area, struct cifsSesInfo *ses, >+ const struct nls_table *nls_cp) >+{ >+ char *bcc_ptr = *pbcc_area; >+ int bytes_ret = 0; >+ >+ /* copy domain */ >+ if (ses->domainName == NULL) { >+ /* Sending null domain better than using a bogus domain name (as >+ we did briefly in 2.6.18) since server will use its default */ >+ *bcc_ptr = 0; >+ *(bcc_ptr+1) = 0; >+ bytes_ret = 0; >+ } else >+ bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->domainName, >+ 256, nls_cp); >+ bcc_ptr += 2 * bytes_ret; >+ bcc_ptr += 2; /* account for null terminator */ >+ >+ *pbcc_area = bcc_ptr; >+} >+ >+ > static void unicode_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses, > const struct nls_table *nls_cp) > { >@@ -99,32 +145,9 @@ static void unicode_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses, > } > bcc_ptr += 2 * bytes_ret; > bcc_ptr += 2; /* account for null termination */ >- /* copy domain */ >- if (ses->domainName == NULL) { >- /* Sending null domain better than using a bogus domain name (as >- we did briefly in 2.6.18) since server will use its default */ >- *bcc_ptr = 0; >- *(bcc_ptr+1) = 0; >- bytes_ret = 0; >- } else >- bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->domainName, >- 256, nls_cp); >- bcc_ptr += 2 * bytes_ret; >- bcc_ptr += 2; /* account for null terminator */ > >- /* Copy OS version */ >- bytes_ret = cifs_strtoUCS((__le16 *)bcc_ptr, "Linux version ", 32, >- nls_cp); >- bcc_ptr += 2 * bytes_ret; >- bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, init_utsname()->release, >- 32, nls_cp); >- bcc_ptr += 2 * bytes_ret; >- bcc_ptr += 2; /* trailing null */ >- >- bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, CIFS_NETWORK_OPSYS, >- 32, nls_cp); >- bcc_ptr += 2 * bytes_ret; >- bcc_ptr += 2; /* trailing null */ >+ unicode_domain_string(&bcc_ptr, ses, nls_cp); >+ unicode_oslm_strings(&bcc_ptr, nls_cp); > > *pbcc_area = bcc_ptr; > } >@@ -318,7 +341,7 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time, > __u32 capabilities; > int count; > int resp_buf_type = 0; >- struct kvec iov[2]; >+ struct kvec iov[3]; > enum securityEnum type; > __u16 action; > int bytes_remaining; >@@ -372,6 +395,9 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time, > > ses->flags &= ~CIFS_SES_LANMAN; > >+ iov[1].iov_base = NULL; >+ iov[1].iov_len = 0; >+ > if (type == LANMAN) { > #ifdef CONFIG_CIFS_WEAK_PW_HASH > char lnm_session_key[CIFS_SESS_KEY_SIZE]; >@@ -476,21 +502,35 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time, > unicode_ssetup_strings(&bcc_ptr, ses, nls_cp); > } else > ascii_ssetup_strings(&bcc_ptr, ses, nls_cp); >- } else /* NTLMSSP or SPNEGO */ { >+ } else if (type == Kerberos) { > pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC; > capabilities |= CAP_EXTENDED_SECURITY; > pSMB->req.Capabilities = cpu_to_le32(capabilities); >- /* BB set password lengths */ >+ iov[1].iov_base = ses->spnego_key->payload.data; >+ iov[1].iov_len = ses->spnego_key->datalen; >+ pSMB->req.SecurityBlobLength = cpu_to_le16(iov[1].iov_len); >+ >+ if (ses->capabilities & CAP_UNICODE) { >+ /* unicode strings must be word aligned */ >+ if (iov[0].iov_len % 2) { >+ *bcc_ptr = 0; >+ bcc_ptr++; >+ } >+ unicode_oslm_strings(&bcc_ptr, nls_cp); >+ unicode_domain_string(&bcc_ptr, ses, nls_cp); >+ } >+ /* FIXME: What do we do here if unicode isn't enabled? */ > } > >- count = (long) bcc_ptr - (long) str_area; >+ iov[2].iov_base = str_area; >+ iov[2].iov_len = (long) bcc_ptr - (long) str_area; >+ >+ count = iov[1].iov_len + iov[2].iov_len; > smb_buf->smb_buf_length += count; > > BCC_LE(smb_buf) = cpu_to_le16(count); > >- iov[1].iov_base = str_area; >- iov[1].iov_len = count; >- rc = SendReceive2(xid, ses, iov, 2 /* num_iovecs */, &resp_buf_type, 0); >+ rc = SendReceive2(xid, ses, iov, 3 /* num_iovecs */, &resp_buf_type, 0); > /* SMB request buf freed in SendReceive2 */ > > cFYI(1, ("ssetup rc from sendrecv2 is %d", rc));
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 315311
:
215841
|
217871
|
218261
|
218271
|
228611
|
232741
|
236521
|
237721
|
248401