| Message ID | 1315322512-10652-1-git-send-email-martin.wilck@ts.fujitsu.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Tue, 6 Sep 2011 17:21:52 +0200 Martin Wilck <martin.wilck@ts.fujitsu.com> wrote: > The current cifs implementation discards a principal name found > in the CIFS server's SecBlob. This patch adds the principal name > into the data used for the request_key call. Combined with a separate > cifs-utils patch, this enables cifs mounts using kerberos on servers > that use different principal names than the default cifs/<hostname> > or host/<hostname> which are tried by cifs.upcall. > > Signed-off-by: Martin Wilck <martin.wilck@ts.fujitsu.com> > --- > fs/cifs/asn1.c | 28 ++++++++++++++++++++++++---- > fs/cifs/cifs_spnego.c | 10 ++++++++++ > fs/cifs/cifs_spnego.h | 2 +- > fs/cifs/cifsglob.h | 1 + > fs/cifs/connect.c | 3 +++ > 5 files changed, 39 insertions(+), 5 deletions(-) > > diff --git a/fs/cifs/asn1.c b/fs/cifs/asn1.c > index cfd1ce3..5ab23f2 100644 > --- a/fs/cifs/asn1.c > +++ b/fs/cifs/asn1.c > @@ -369,7 +369,7 @@ static unsigned char asn1_ulong_decode(struct asn1_ctx *ctx, > *integer |= ch; > } > return 1; > -} > +} */ > > static unsigned char > asn1_octets_decode(struct asn1_ctx *ctx, > @@ -395,7 +395,7 @@ asn1_octets_decode(struct asn1_ctx *ctx, > (*len)++; > } > return 1; > -} */ > +} > > static unsigned char > asn1_subid_decode(struct asn1_ctx *ctx, unsigned long *subid) > @@ -496,9 +496,9 @@ decode_negTokenInit(unsigned char *security_blob, int length, > { > struct asn1_ctx ctx; > unsigned char *end; > - unsigned char *sequence_end; > + unsigned char *sequence_end, *principal; > unsigned long *oid = NULL; > - unsigned int cls, con, tag, oidlen, rc; > + unsigned int cls, con, tag, oidlen, rc, princlen; > > /* cifs_dump_mem(" Received SecBlob ", security_blob, length); */ > > @@ -661,6 +661,26 @@ decode_negTokenInit(unsigned char *security_blob, int length, > } > cFYI(1, "Need to call asn1_octets_decode() function for %s", > ctx.pointer); /* is this UTF-8 or ASCII? */ > + if (asn1_octets_decode(&ctx, end, &principal, &princlen) == 0) { > + cFYI(1, "Error decoding principal name exit10"); > + return 0; > + } else if (princlen == 0) { > + cFYI(1, "Empty principal name"); > + } else if (!strcmp(principal, "not_defined_in_RFC4178@please_ignore")) { > + cFYI(1, "Ignoring principal name"); > + } else { > + server->principal = kmalloc(princlen+1, GFP_ATOMIC); ^^^^^^^^^^ I don't think GFP_ATOMIC is really necessary here. > + if (server->principal != NULL) { > + memcpy(server->principal, principal, princlen); > + server->principal[princlen] = '\0'; > + cFYI(1, "Got principal: %s", server->principal); > + } else { > + kfree(principal); > + cFYI(1, "Error allocating memory exit 11"); > + return 0; > + } > + } > + kfree(principal); > decode_negtoken_exit: > return 1; > } > diff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c > index 2272fd5..356a8a6 100644 > --- a/fs/cifs/cifs_spnego.c > +++ b/fs/cifs/cifs_spnego.c > @@ -93,6 +93,9 @@ struct key_type cifs_spnego_key_type = { > /* strlen of ";pid=0x" */ > #define PID_KEY_LEN 7 > > +/* strlen of ";pri=" */ > +#define PRINC_KEY_LEN 5 > + > /* get a key struct with a SPNEGO security blob, suitable for session setup */ > struct key * > cifs_get_spnego_key(struct cifs_ses *sesInfo) > @@ -109,6 +112,8 @@ cifs_get_spnego_key(struct cifs_ses *sesInfo) > host=hostname sec=mechanism uid=0xFF user=username */ > desc_len = MAX_VER_STR_LEN + > HOST_KEY_LEN + strlen(hostname) + > + (server->principal ? > + PRINC_KEY_LEN + strlen(server->principal) : 0) + > IP_KEY_LEN + INET6_ADDRSTRLEN + > MAX_MECH_STR_LEN + > UID_KEY_LEN + (sizeof(uid_t) * 2) + > @@ -128,6 +133,11 @@ cifs_get_spnego_key(struct cifs_ses *sesInfo) > hostname); > dp = description + strlen(description); > > + if (server->principal) { > + sprintf(dp, "pri=%s;", server->principal); > + dp = description + strlen(description); > + } > + > /* add the server address */ > if (server->dstaddr.ss_family == AF_INET) > sprintf(dp, "ip4=%pI4", &sa->sin_addr); > diff --git a/fs/cifs/cifs_spnego.h b/fs/cifs/cifs_spnego.h > index 31bef9e..bae1877 100644 > --- a/fs/cifs/cifs_spnego.h > +++ b/fs/cifs/cifs_spnego.h > @@ -23,7 +23,7 @@ > #ifndef _CIFS_SPNEGO_H > #define _CIFS_SPNEGO_H > > -#define CIFS_SPNEGO_UPCALL_VERSION 2 > +#define CIFS_SPNEGO_UPCALL_VERSION 3 > ^^^^^^^^ Again, no need to rev the upcall format. > /* > * The version field should always be set to CIFS_SPNEGO_UPCALL_VERSION. > diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h > index 95dad9d..86de4fb 100644 > --- a/fs/cifs/cifsglob.h > +++ b/fs/cifs/cifsglob.h > @@ -238,6 +238,7 @@ struct TCP_Server_Info { > char server_RFC1001_name[RFC1001_NAME_LEN_WITH_NULL]; > enum statusEnum tcpStatus; /* what we think the status is */ > char *hostname; /* hostname portion of UNC string */ > + char *principal; > struct socket *ssocket; > struct sockaddr_storage dstaddr; > struct sockaddr_storage srcaddr; /* locally bind to this IP */ > diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c > index f4af4cc..6fdca9f 100644 > --- a/fs/cifs/connect.c > +++ b/fs/cifs/connect.c > @@ -618,6 +618,8 @@ static void clean_demultiplex_info(struct TCP_Server_Info *server) > } > > kfree(server->hostname); > + if (server->principal != NULL) > + kfree(server->principal); It's safe to kfree a NULL pointer. > kfree(server); > > length = atomic_dec_return(&tcpSesAllocCount); > @@ -1780,6 +1782,7 @@ cifs_get_tcp_session(struct smb_vol *volume_info) > rc = PTR_ERR(tcp_ses->hostname); > goto out_err_crypto_release; > } > + tcp_ses->principal = NULL; > > tcp_ses->noblocksnd = volume_info->noblocksnd; > tcp_ses->noautotune = volume_info->noautotune;
diff --git a/fs/cifs/asn1.c b/fs/cifs/asn1.c index cfd1ce3..5ab23f2 100644 --- a/fs/cifs/asn1.c +++ b/fs/cifs/asn1.c @@ -369,7 +369,7 @@ static unsigned char asn1_ulong_decode(struct asn1_ctx *ctx, *integer |= ch; } return 1; -} +} */ static unsigned char asn1_octets_decode(struct asn1_ctx *ctx, @@ -395,7 +395,7 @@ asn1_octets_decode(struct asn1_ctx *ctx, (*len)++; } return 1; -} */ +} static unsigned char asn1_subid_decode(struct asn1_ctx *ctx, unsigned long *subid) @@ -496,9 +496,9 @@ decode_negTokenInit(unsigned char *security_blob, int length, { struct asn1_ctx ctx; unsigned char *end; - unsigned char *sequence_end; + unsigned char *sequence_end, *principal; unsigned long *oid = NULL; - unsigned int cls, con, tag, oidlen, rc; + unsigned int cls, con, tag, oidlen, rc, princlen; /* cifs_dump_mem(" Received SecBlob ", security_blob, length); */ @@ -661,6 +661,26 @@ decode_negTokenInit(unsigned char *security_blob, int length, } cFYI(1, "Need to call asn1_octets_decode() function for %s", ctx.pointer); /* is this UTF-8 or ASCII? */ + if (asn1_octets_decode(&ctx, end, &principal, &princlen) == 0) { + cFYI(1, "Error decoding principal name exit10"); + return 0; + } else if (princlen == 0) { + cFYI(1, "Empty principal name"); + } else if (!strcmp(principal, "not_defined_in_RFC4178@please_ignore")) { + cFYI(1, "Ignoring principal name"); + } else { + server->principal = kmalloc(princlen+1, GFP_ATOMIC); + if (server->principal != NULL) { + memcpy(server->principal, principal, princlen); + server->principal[princlen] = '\0'; + cFYI(1, "Got principal: %s", server->principal); + } else { + kfree(principal); + cFYI(1, "Error allocating memory exit 11"); + return 0; + } + } + kfree(principal); decode_negtoken_exit: return 1; } diff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c index 2272fd5..356a8a6 100644 --- a/fs/cifs/cifs_spnego.c +++ b/fs/cifs/cifs_spnego.c @@ -93,6 +93,9 @@ struct key_type cifs_spnego_key_type = { /* strlen of ";pid=0x" */ #define PID_KEY_LEN 7 +/* strlen of ";pri=" */ +#define PRINC_KEY_LEN 5 + /* get a key struct with a SPNEGO security blob, suitable for session setup */ struct key * cifs_get_spnego_key(struct cifs_ses *sesInfo) @@ -109,6 +112,8 @@ cifs_get_spnego_key(struct cifs_ses *sesInfo) host=hostname sec=mechanism uid=0xFF user=username */ desc_len = MAX_VER_STR_LEN + HOST_KEY_LEN + strlen(hostname) + + (server->principal ? + PRINC_KEY_LEN + strlen(server->principal) : 0) + IP_KEY_LEN + INET6_ADDRSTRLEN + MAX_MECH_STR_LEN + UID_KEY_LEN + (sizeof(uid_t) * 2) + @@ -128,6 +133,11 @@ cifs_get_spnego_key(struct cifs_ses *sesInfo) hostname); dp = description + strlen(description); + if (server->principal) { + sprintf(dp, "pri=%s;", server->principal); + dp = description + strlen(description); + } + /* add the server address */ if (server->dstaddr.ss_family == AF_INET) sprintf(dp, "ip4=%pI4", &sa->sin_addr); diff --git a/fs/cifs/cifs_spnego.h b/fs/cifs/cifs_spnego.h index 31bef9e..bae1877 100644 --- a/fs/cifs/cifs_spnego.h +++ b/fs/cifs/cifs_spnego.h @@ -23,7 +23,7 @@ #ifndef _CIFS_SPNEGO_H #define _CIFS_SPNEGO_H -#define CIFS_SPNEGO_UPCALL_VERSION 2 +#define CIFS_SPNEGO_UPCALL_VERSION 3 /* * The version field should always be set to CIFS_SPNEGO_UPCALL_VERSION. diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index 95dad9d..86de4fb 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h @@ -238,6 +238,7 @@ struct TCP_Server_Info { char server_RFC1001_name[RFC1001_NAME_LEN_WITH_NULL]; enum statusEnum tcpStatus; /* what we think the status is */ char *hostname; /* hostname portion of UNC string */ + char *principal; struct socket *ssocket; struct sockaddr_storage dstaddr; struct sockaddr_storage srcaddr; /* locally bind to this IP */ diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index f4af4cc..6fdca9f 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -618,6 +618,8 @@ static void clean_demultiplex_info(struct TCP_Server_Info *server) } kfree(server->hostname); + if (server->principal != NULL) + kfree(server->principal); kfree(server); length = atomic_dec_return(&tcpSesAllocCount); @@ -1780,6 +1782,7 @@ cifs_get_tcp_session(struct smb_vol *volume_info) rc = PTR_ERR(tcp_ses->hostname); goto out_err_crypto_release; } + tcp_ses->principal = NULL; tcp_ses->noblocksnd = volume_info->noblocksnd; tcp_ses->noautotune = volume_info->noautotune;
The current cifs implementation discards a principal name found in the CIFS server's SecBlob. This patch adds the principal name into the data used for the request_key call. Combined with a separate cifs-utils patch, this enables cifs mounts using kerberos on servers that use different principal names than the default cifs/<hostname> or host/<hostname> which are tried by cifs.upcall. Signed-off-by: Martin Wilck <martin.wilck@ts.fujitsu.com> --- fs/cifs/asn1.c | 28 ++++++++++++++++++++++++---- fs/cifs/cifs_spnego.c | 10 ++++++++++ fs/cifs/cifs_spnego.h | 2 +- fs/cifs/cifsglob.h | 1 + fs/cifs/connect.c | 3 +++ 5 files changed, 39 insertions(+), 5 deletions(-)