From patchwork Thu Sep 13 14:08:59 2018
X-Patchwork-Submitter: David Howells
X-Patchwork-Id: 10599631
Subject: [PATCH 3/3] Remove the dependency on MIT Kerberos
From: David Howells
To: keyrings@vger.kernel.org
Cc: dhowells@redhat.com, linux-nfs@vger.kernel.org, linux-cifs@vger.kernel.org, linux-security-module@vger.kernel.org
Date: Thu, 13 Sep 2018 15:08:59 +0100
Message-ID: <153684773962.10049.5588679375049584208.stgit@warthog.procyon.org.uk>
In-Reply-To: <153684771698.10049.12488548190876920608.stgit@warthog.procyon.org.uk>
References: <153684771698.10049.12488548190876920608.stgit@warthog.procyon.org.uk>

Remove the dependency on MIT Kerberos as not everyone has it available.

With the "use best match" change to /sbin/request-key, the kafs-client package can install a more specific handler for dns_resolver afsdb:* requests in front of the default one. This means that the dns resolver program only needs to look up DNS records and can ignore any static kafs configuration.

Signed-off-by: David Howells
---
 Makefile      |    2
 dns.afsdb.c   |  268 ++++++++------------------------------------------------
 keyutils.spec |    2
 3 files changed, 37 insertions(+), 235 deletions(-)

diff --git a/Makefile b/Makefile index 5ce6746..96b5df7 100644 --- a/Makefile +++ b/Makefile
@@ -153,7 +153,7 @@ request-key: request-key.o $(LIB_DEPENDENCY) key.dns_resolver: key.dns_resolver.o dns.afsdb.o $(LIB_DEPENDENCY) $(CC) -L. $(CFLAGS) $(LDFLAGS) $(RPATH) -o $@ \ - key.dns_resolver.o dns.afsdb.o -lkrb5 -lcom_err -lkeyutils -lresolv + key.dns_resolver.o dns.afsdb.o -lkeyutils -lresolv key.dns_resolver.o: key.dns_resolver.c key.dns.h dns.afsdb.o: dns.afsdb.c key.dns.h diff --git a/dns.afsdb.c b/dns.afsdb.c index 4e24815..064d9c8 100644 --- a/dns.afsdb.c +++ b/dns.afsdb.c 
@@ -36,179 +36,9 @@ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "key.dns.h" -#include -static const char *afs_cellservdb[] = { - "/etc/kafs/cellservdb.conf", - "/usr/share/kafs/cellservdb.conf", - NULL -}; - -static profile_t afs_conf; -static bool afs_cell_in_conf; -static bool afs_prefer_dns; static unsigned long afs_ttl = ULONG_MAX; -/* - * Check that a configured address is valid and add it to the list of addresses - * if okay. - */ -static void afs_conf_add_address(char *addr) -{ - char *p, *q, *port = NULL; - size_t plen = 0; - - if (!addr[0]) - return; - - if (addr[0] == '[') { - /* IPv6 */ - struct in6_addr in6; - - p = strchr(addr + 1, ']'); - if (!p) - return; - *p = 0; - if (inet_pton(AF_INET6, addr + 1, &in6) == 0) - return; - *p++ = ']'; - } else { - struct in_addr in; - - p = strchr(addr, ':'); - if (p) - *p = 0; - if (inet_pton(AF_INET, addr, &in) == 0) - return; - if (p) - *p = ':'; - } - - /* See if there's a port specifier as well */ - if (p && *p) { - if (*p != ':') - return; - p++; - port = p; - plen = strlen(port); - if (plen > 5) - return; - strtoul(p, &q, 10); - if (q != port + plen) - return; - } - - append_address_to_payload(addr); -} - -/* - * Parse the cell database file - */ -static void afs_conf_find_cell(const char *cell) -{ - const char *filter[6]; - char **list; - long res; - int tmp; - - /* Parse the cell database file */ - res = profile_init(afs_cellservdb, &afs_conf); - if (res != 0) { - afs_prefer_dns = true; - goto error; - } - - /* Check to see if the named cell is in the list */ - filter[0] = "cells"; - filter[1] = cell; - filter[2] = NULL; - - res = profile_get_subsection_names(afs_conf, filter, &list); - if (res != 0) { - afs_prefer_dns = true; - goto error; - } - - if (!list[0]) { - info("cell not configured\n"); - afs_cell_in_conf = false; - afs_prefer_dns = true; - } else { - afs_cell_in_conf = true; - - /* Retrieve the use_dns value for the cell */ - res = 
profile_get_boolean(afs_conf, "cells", cell, "use_dns", 1, &tmp); - if (res != 0) { - afs_prefer_dns = true; - goto error; - } - - if (tmp) - afs_prefer_dns = true; - else - info("cell sets use_dns=no"); - } - - return; - -error: - _error("cellservdb: %s", error_message(res)); -} - -/* - * Get list of server names from the config file. - */ -static char **afs_conf_list_servers(const char *cell) -{ - const char *filter[] = { - "cells", - cell, - "servers", - NULL - }; - char **servers; - long res; - - res = profile_get_subsection_names(afs_conf, filter, &servers); - if (res != 0) - goto error; - - return servers; - -error: - _error("cellservdb: %s", error_message(res)); - return NULL; -} - -/* - * Get list of addresses for a server from the config file. - */ -static int afs_conf_list_addresses(const char *cell, const char *server) -{ - const char *filter[] = { - "cells", - cell, - "servers", - server, - "address", - NULL - }; - char **list, **p; - long res; - - res = profile_get_values(afs_conf, filter, &list); - if (res != 0) - goto error; - - for (p = list; *p; p++) - afs_conf_add_address(*p); - return 0; - -error: - _error("cellservdb: %s", error_message(res)); - return -1; -} - /* * */ 
@@ -377,40 +207,6 @@ static void srv_hosts_to_addrs(ns_msg handle, ns_sect section) info("ttl: %u", ttl); } -/* - * Instantiate the key. - */ -static __attribute__((noreturn)) -void afs_instantiate(const char *cell) -{ - int ret; - - /* set the key's expiry time from the minimum TTL encountered */ - if (!debug_mode) { - ret = keyctl_set_timeout(key, afs_ttl); - if (ret == -1) - error("%s: keyctl_set_timeout: %m", __func__); - } - - /* handle a lack of results */ - if (payload_index == 0) - nsError(NO_DATA, cell); - - /* must include a NUL char at the end of the payload */ - payload[payload_index].iov_base = ""; - payload[payload_index++].iov_len = 1; - dump_payload(); - - /* load the key with data key */ - if (!debug_mode) { - ret = keyctl_instantiate_iov(key, payload, payload_index, 0); - if (ret == -1) - error("%s: keyctl_instantiate: %m", __func__); - } - - exit(0); -} - /* * Look up an AFSDB record to get the VL server addresses. */ 
@@ -487,45 +283,53 @@ static int dns_query_VL_SRV(const char *cell) return 0; } +/* + * Instantiate the key. + */ +static __attribute__((noreturn)) +void afs_instantiate(const char *cell) +{ + int ret; + + /* set the key's expiry time from the minimum TTL encountered */ + if (!debug_mode) { + ret = keyctl_set_timeout(key, afs_ttl); + if (ret == -1) + error("%s: keyctl_set_timeout: %m", __func__); + } + + /* handle a lack of results */ + if (payload_index == 0) + nsError(NO_DATA, cell); + + /* must include a NUL char at the end of the payload */ + payload[payload_index].iov_base = ""; + payload[payload_index++].iov_len = 1; + dump_payload(); + + /* load the key with data key */ + if (!debug_mode) { + ret = keyctl_instantiate_iov(key, payload, payload_index, 0); + if (ret == -1) + error("%s: keyctl_instantiate: %m", __func__); + } + + exit(0); +} + /* * Look up VL servers for AFS. */ void afs_look_up_VL_servers(const char *cell, char *options) { - char **servers; - /* Is the IP address family limited? */ if (strcmp(options, "ipv4") == 0) mask = INET_IP4_ONLY; else if (strcmp(options, "ipv6") == 0) mask = INET_IP6_ONLY; - afs_conf_find_cell(cell); - - if (afs_prefer_dns) { - if (dns_query_VL_SRV(cell) == 0) - goto instantiate; - if (dns_query_AFSDB(cell) == 0) - goto instantiate; - } - - if (!afs_cell_in_conf) - goto instantiate; /* Record a negative result */ - - servers = afs_conf_list_servers(cell); - if (!servers) { - debug("conf: no servers"); - goto instantiate; /* Record a negative result */ - } - - for (; *servers; servers++) { - char *server = *servers; - - debug("conf server %s", server); - if (dns_resolver(server, NULL) < 0) - afs_conf_list_addresses(cell, server); - } + if (dns_query_VL_SRV(cell) != 0) + dns_query_AFSDB(cell); -instantiate: afs_instantiate(cell); } diff --git a/keyutils.spec b/keyutils.spec index 4303f94..544fe7c 100644 --- a/keyutils.spec +++ b/keyutils.spec 
@@ -17,9 +17,7 @@ Source0: http://people.redhat.com/~dhowells/keyutils/keyutils-%{version}.tar.bz2 BuildRequires: gcc BuildRequires: glibc-kernheaders >= 2.4-9.1.92 -BuildRequires: krb5-devel Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Requires: krb5-libs %description Utilities to control the kernel key management facility and to provide
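Review bot: in the Makefile hunk (@@ -153,7 +153,7 @@), the key.dns_resolver link line serves both key.dns_resolver.o and dns.afsdb.o, but only dns.afsdb.c is touched by this patch; please confirm that key.dns_resolver.c (and key.dns.h) contain no remaining profile_*/error_message() references, since dropping `-lkrb5 -lcom_err` would otherwise turn into an undefined-symbol link failure rather than a clean removal.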
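Review bot: the dns.afsdb.c hunk @@ -36,179 +36,9 @@ removes more than a build dependency: afs_conf_find_cell() was the only code honouring a cell's `use_dns=no` setting and the only way a cell configured solely in /etc/kafs/cellservdb.conf or /usr/share/kafs/cellservdb.conf could be resolved by this program, and after the hunk `afs_ttl` is the only piece of that state left (`afs_cell_in_conf` and `afs_prefer_dns` are gone). The commit message should say explicitly that such a cell now yields a negative (NO_DATA) key from key.dns_resolver unless the kafs-client handler is actually installed in front of it, because that is a user-visible behaviour change for existing static configurations, not just a packaging change.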
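Review bot: the hunk @@ -377,40 +207,6 @@ deletes afs_instantiate() only for the hunk @@ -487,45 +283,53 @@ to re-add it unchanged later in the file, which puts 34 removed and 34 added lines into the diff that carry no functional change; the caller visible in this patch, afs_look_up_VL_servers(), already follows both the old and the new position, so either leave the function where it was or state in the commit message why the move is needed.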
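Review bot: in the new afs_look_up_VL_servers() (hunk @@ -487,45 +283,53 @@), the result of dns_query_AFSDB() is discarded in `if (dns_query_VL_SRV(cell) != 0) dns_query_AFSDB(cell);`, which is only correct because afs_instantiate() turns an empty payload into nsError(NO_DATA, cell); the explanatory comment that was on the removed `goto instantiate; /* Record a negative result */` lines is lost with them, so please keep it next to the new call, e.g. `/* no SRV or AFSDB records: afs_instantiate() records a negative result */`, so the next reader does not mistake the ignored return value for a bug.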
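Review bot: in the keyutils.spec hunk (@@ -17,9 +17,7 @@), dropping the explicit `Requires: krb5-libs` alongside `BuildRequires: krb5-devel` is the right call, since rpm's automatic dependency generation derives the library requirements from the linked sonames and the hand-written Requires would otherwise keep pulling krb5 in after the Makefile change; the spec's %changelog is not part of this diff, so please make sure the dropped dependency gets an entry there in the same series.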