summaryrefslogtreecommitdiffstats
path: root/sys/rpc
diff options
context:
space:
mode:
Diffstat (limited to 'sys/rpc')
-rw-r--r--sys/rpc/rpcsec_gss.h34
-rw-r--r--sys/rpc/rpcsec_gss/rpcsec_gss.c111
2 files changed, 127 insertions, 18 deletions
diff --git a/sys/rpc/rpcsec_gss.h b/sys/rpc/rpcsec_gss.h
index 94696f3..7466d60 100644
--- a/sys/rpc/rpcsec_gss.h
+++ b/sys/rpc/rpcsec_gss.h
@@ -153,9 +153,9 @@ typedef AUTH *rpc_gss_secfind_ftype(CLIENT *clnt, struct ucred *cred,
rpc_gss_service_t service);
typedef void rpc_gss_secpurge_ftype(CLIENT *clnt);
typedef AUTH *rpc_gss_seccreate_ftype(CLIENT *clnt, struct ucred *cred,
- const char *principal, const char *mechanism,
- rpc_gss_service_t service, const char *qop,
- rpc_gss_options_req_t *options_req,
+ const char *clnt_principal, const char *principal,
+ const char *mechanism, rpc_gss_service_t service,
+ const char *qop, rpc_gss_options_req_t *options_req,
rpc_gss_options_ret_t *options_ret);
typedef bool_t rpc_gss_set_defaults_ftype(AUTH *auth,
rpc_gss_service_t service, const char *qop);
@@ -183,6 +183,7 @@ typedef bool_t rpc_gss_get_principal_name_ftype(rpc_gss_principal_t *principal,
const char *domain);
typedef int rpc_gss_svc_max_data_length_ftype(struct svc_req *req,
int max_tp_unit_len);
+typedef void rpc_gss_refresh_auth_ftype(AUTH *auth);
struct rpc_gss_entries {
rpc_gss_secfind_ftype *rpc_gss_secfind;
@@ -204,6 +205,7 @@ struct rpc_gss_entries {
rpc_gss_clear_callback_ftype *rpc_gss_clear_callback;
rpc_gss_get_principal_name_ftype *rpc_gss_get_principal_name;
rpc_gss_svc_max_data_length_ftype *rpc_gss_svc_max_data_length;
+ rpc_gss_refresh_auth_ftype *rpc_gss_refresh_auth;
};
extern struct rpc_gss_entries rpc_gss_entries;
@@ -229,16 +231,17 @@ rpc_gss_secpurge_call(CLIENT *clnt)
}
static __inline AUTH *
-rpc_gss_seccreate_call(CLIENT *clnt, struct ucred *cred, const char *principal,
- const char *mechanism, rpc_gss_service_t service, const char *qop,
+rpc_gss_seccreate_call(CLIENT *clnt, struct ucred *cred,
+ const char *clnt_principal, const char *principal, const char *mechanism,
+ rpc_gss_service_t service, const char *qop,
rpc_gss_options_req_t *options_req, rpc_gss_options_ret_t *options_ret)
{
AUTH *ret = NULL;
if (rpc_gss_entries.rpc_gss_seccreate != NULL)
ret = (*rpc_gss_entries.rpc_gss_seccreate)(clnt, cred,
- principal, mechanism, service, qop, options_req,
- options_ret);
+ clnt_principal, principal, mechanism, service, qop,
+ options_req, options_ret);
return (ret);
}
@@ -406,14 +409,29 @@ rpc_gss_svc_max_data_length_call(struct svc_req *req, int max_tp_unit_len)
return (ret);
}
+static __inline void
+rpc_gss_refresh_auth_call(AUTH *auth)
+{
+
+ if (rpc_gss_entries.rpc_gss_refresh_auth != NULL)
+ (*rpc_gss_entries.rpc_gss_refresh_auth)(auth);
+}
+
AUTH *rpc_gss_secfind(CLIENT *clnt, struct ucred *cred,
const char *principal, gss_OID mech_oid, rpc_gss_service_t service);
void rpc_gss_secpurge(CLIENT *clnt);
-#endif
+void rpc_gss_refresh_auth(AUTH *auth);
+AUTH *rpc_gss_seccreate(CLIENT *clnt, struct ucred *cred,
+ const char *clnt_principal, const char *principal,
+ const char *mechanism, rpc_gss_service_t service,
+ const char *qop, rpc_gss_options_req_t *options_req,
+ rpc_gss_options_ret_t *options_ret);
+#else /* !_KERNEL */
AUTH *rpc_gss_seccreate(CLIENT *clnt, struct ucred *cred,
const char *principal, const char *mechanism, rpc_gss_service_t service,
const char *qop, rpc_gss_options_req_t *options_req,
rpc_gss_options_ret_t *options_ret);
+#endif /* _KERNEL */
bool_t rpc_gss_set_defaults(AUTH *auth, rpc_gss_service_t service,
const char *qop);
int rpc_gss_max_data_length(AUTH *handle, int max_tp_unit_len);
diff --git a/sys/rpc/rpcsec_gss/rpcsec_gss.c b/sys/rpc/rpcsec_gss/rpcsec_gss.c
index ec0c595..c8a84eb 100644
--- a/sys/rpc/rpcsec_gss/rpcsec_gss.c
+++ b/sys/rpc/rpcsec_gss/rpcsec_gss.c
@@ -82,6 +82,8 @@ __FBSDID("$FreeBSD$");
#include <rpc/rpc.h>
#include <rpc/rpcsec_gss.h>
+#include <kgssapi/krb5/kcrypto.h>
+
#include "rpcsec_gss_int.h"
static void rpc_gss_nextverf(AUTH*);
@@ -122,6 +124,7 @@ struct rpc_gss_data {
AUTH *gd_auth; /* link back to AUTH */
struct ucred *gd_ucred; /* matching local cred */
char *gd_principal; /* server principal name */
+ char *gd_clntprincipal; /* client principal name */
rpc_gss_options_req_t gd_options; /* GSS context options */
enum rpcsec_gss_state gd_state; /* connection state */
gss_buffer_desc gd_verf; /* save GSS_S_COMPLETE
@@ -153,7 +156,7 @@ static struct sx rpc_gss_lock;
static int rpc_gss_count;
static AUTH *rpc_gss_seccreate_int(CLIENT *, struct ucred *, const char *,
- gss_OID, rpc_gss_service_t, u_int, rpc_gss_options_req_t *,
+ const char *, gss_OID, rpc_gss_service_t, u_int, rpc_gss_options_req_t *,
rpc_gss_options_ret_t *);
static void
@@ -251,8 +254,8 @@ again:
/*
* We missed in the cache - create a new association.
*/
- auth = rpc_gss_seccreate_int(clnt, cred, principal, mech_oid, service,
- GSS_C_QOP_DEFAULT, NULL, NULL);
+ auth = rpc_gss_seccreate_int(clnt, cred, NULL, principal, mech_oid,
+ service, GSS_C_QOP_DEFAULT, NULL, NULL);
if (!auth)
return (NULL);
@@ -304,9 +307,10 @@ rpc_gss_secpurge(CLIENT *clnt)
}
AUTH *
-rpc_gss_seccreate(CLIENT *clnt, struct ucred *cred, const char *principal,
- const char *mechanism, rpc_gss_service_t service, const char *qop,
- rpc_gss_options_req_t *options_req, rpc_gss_options_ret_t *options_ret)
+rpc_gss_seccreate(CLIENT *clnt, struct ucred *cred, const char *clnt_principal,
+ const char *principal, const char *mechanism, rpc_gss_service_t service,
+ const char *qop, rpc_gss_options_req_t *options_req,
+ rpc_gss_options_ret_t *options_ret)
{
gss_OID oid;
u_int qop_num;
@@ -324,13 +328,33 @@ rpc_gss_seccreate(CLIENT *clnt, struct ucred *cred, const char *principal,
qop_num = GSS_C_QOP_DEFAULT;
}
- return (rpc_gss_seccreate_int(clnt, cred, principal, oid, service,
- qop_num, options_req, options_ret));
+ return (rpc_gss_seccreate_int(clnt, cred, clnt_principal, principal,
+ oid, service, qop_num, options_req, options_ret));
+}
+
+void
+rpc_gss_refresh_auth(AUTH *auth)
+{
+ struct rpc_gss_data *gd;
+ rpc_gss_options_ret_t options;
+
+ gd = AUTH_PRIVATE(auth);
+ /*
+ * If the state != ESTABLISHED, try and initialize
+ * the authenticator again. This will happen if the
+ * user's credentials have expired. It may succeed now,
+ * if they have done a kinit or similar.
+ */
+ if (gd->gd_state != RPCSEC_GSS_ESTABLISHED) {
+ memset(&options, 0, sizeof (options));
+ (void) rpc_gss_init(auth, &options);
+ }
}
static AUTH *
-rpc_gss_seccreate_int(CLIENT *clnt, struct ucred *cred, const char *principal,
- gss_OID mech_oid, rpc_gss_service_t service, u_int qop_num,
+rpc_gss_seccreate_int(CLIENT *clnt, struct ucred *cred,
+ const char *clnt_principal, const char *principal, gss_OID mech_oid,
+ rpc_gss_service_t service, u_int qop_num,
rpc_gss_options_req_t *options_req, rpc_gss_options_ret_t *options_ret)
{
AUTH *auth;
@@ -379,6 +403,10 @@ rpc_gss_seccreate_int(CLIENT *clnt, struct ucred *cred, const char *principal,
gd->gd_auth = auth;
gd->gd_ucred = crdup(cred);
gd->gd_principal = strdup(principal, M_RPC);
+ if (clnt_principal != NULL)
+ gd->gd_clntprincipal = strdup(clnt_principal, M_RPC);
+ else
+ gd->gd_clntprincipal = NULL;
if (options_req) {
@@ -719,6 +747,8 @@ rpc_gss_init(AUTH *auth, rpc_gss_options_ret_t *options_ret)
OM_uint32 maj_stat, min_stat, call_stat;
const char *mech;
struct rpc_callextra ext;
+ gss_OID mech_oid;
+ gss_OID_set mechlist;
rpc_gss_log_debug("in rpc_gss_refresh()");
@@ -745,6 +775,65 @@ rpc_gss_init(AUTH *auth, rpc_gss_options_ret_t *options_ret)
gd->gd_cred.gc_proc = RPCSEC_GSS_INIT;
gd->gd_cred.gc_seq = 0;
+ /*
+ * For KerberosV, if there is a client principal name, that implies
+ * that this is a host based initiator credential in the default
+ * keytab file. For this case, it is necessary to do a
+ * gss_acquire_cred(). When this is done, the gssd daemon will
+ * do the equivalent of "kinit -k" to put a TGT for the name in
+ * the credential cache file for the gssd daemon.
+ */
+ if (gd->gd_clntprincipal != NULL &&
+ rpc_gss_mech_to_oid("kerberosv5", &mech_oid) &&
+ gd->gd_mech == mech_oid) {
+ /* Get rid of any old credential. */
+ if (gd->gd_options.my_cred != GSS_C_NO_CREDENTIAL) {
+ gss_release_cred(&min_stat, &gd->gd_options.my_cred);
+ gd->gd_options.my_cred = GSS_C_NO_CREDENTIAL;
+ }
+
+ /*
+ * The mechanism must be set to KerberosV for acquisition
+ * of credentials to work reliably.
+ */
+ maj_stat = gss_create_empty_oid_set(&min_stat, &mechlist);
+ if (maj_stat != GSS_S_COMPLETE) {
+ options_ret->major_status = maj_stat;
+ options_ret->minor_status = min_stat;
+ goto out;
+ }
+ maj_stat = gss_add_oid_set_member(&min_stat, gd->gd_mech,
+ &mechlist);
+ if (maj_stat != GSS_S_COMPLETE) {
+ options_ret->major_status = maj_stat;
+ options_ret->minor_status = min_stat;
+ gss_release_oid_set(&min_stat, &mechlist);
+ goto out;
+ }
+
+ principal_desc.value = (void *)gd->gd_clntprincipal;
+ principal_desc.length = strlen(gd->gd_clntprincipal);
+ maj_stat = gss_import_name(&min_stat, &principal_desc,
+ GSS_C_NT_HOSTBASED_SERVICE, &name);
+ if (maj_stat != GSS_S_COMPLETE) {
+ options_ret->major_status = maj_stat;
+ options_ret->minor_status = min_stat;
+ gss_release_oid_set(&min_stat, &mechlist);
+ goto out;
+ }
+ /* Acquire the credentials. */
+ maj_stat = gss_acquire_cred(&min_stat, name, 0,
+ mechlist, GSS_C_INITIATE,
+ &gd->gd_options.my_cred, NULL, NULL);
+ gss_release_name(&min_stat, &name);
+ gss_release_oid_set(&min_stat, &mechlist);
+ if (maj_stat != GSS_S_COMPLETE) {
+ options_ret->major_status = maj_stat;
+ options_ret->minor_status = min_stat;
+ goto out;
+ }
+ }
+
principal_desc.value = (void *)gd->gd_principal;
principal_desc.length = strlen(gd->gd_principal);
maj_stat = gss_import_name(&min_stat, &principal_desc,
@@ -1036,6 +1125,8 @@ rpc_gss_destroy(AUTH *auth)
CLNT_RELEASE(gd->gd_clnt);
crfree(gd->gd_ucred);
free(gd->gd_principal, M_RPC);
+ if (gd->gd_clntprincipal != NULL)
+ free(gd->gd_clntprincipal, M_RPC);
if (gd->gd_verf.value)
xdr_free((xdrproc_t) xdr_gss_buffer_desc,
(char *) &gd->gd_verf);
OpenPOWER on IntegriCloud