Commit Graph

19 Commits

Author SHA1 Message Date
Conrad Meyer
be0edef163 kgssapi: Don't leak memory in error cases
Reported by:	Coverity
CIDs:		1007046, 1007047, 1007048
Sponsored by:	EMC / Isilon Storage Division
2016-04-26 18:11:45 +00:00
Pedro F. Giffuni
55e0987aea sys: extend use of the howmany() macro when available.
We have a howmany() macro in the <sys/param.h> header that is
convenient to re-use as it makes things easier to read.
2016-04-26 15:38:17 +00:00
Conrad Meyer
9d77679a40 kgssapi(4): Don't allow user-provided arguments to overrun stack buffer
An over-long path argument to gssd_syscall could overrun the stack sockaddr_un
buffer.  Fix gssd_syscall to not permit that.

If an over-long path is provided, gssd_syscall now returns EINVAL.

It looks like PRIV_NFS_DAEMON isn't granted anywhere, so my best guess is that
this is likely only triggerable by root.

Reported by:	Coverity
CID:		1006751
Sponsored by:	EMC / Isilon Storage Division
2016-04-20 05:02:13 +00:00
Pedro F. Giffuni
74b8d63dcc Cleanup unnecessary semicolons from the kernel.
Found with devel/coccinelle.
2016-04-10 23:07:00 +00:00
Conrad Meyer
92deafc3a3 kcrypto_aes: Use separate sessions for AES and SHA1
Some hardware supports AES acceleration but not SHA1, e.g., AES-NI
extensions.  It is useful to have accelerated AES even if SHA1 must be
software.

Suggested by:	asomers
Reviewed by:	asomers, dfr
Sponsored by:	EMC / Isilon Storage Division
Differential Revision:	https://reviews.freebsd.org/D5146
2016-02-02 00:14:51 +00:00
Josh Paetzel
21d7e927b5 Unset the gss kernel state when gssd exits
When gssd exits it leaves the kernel state set by
gssd_syscall().  nfsd sees this and waits endlessly
in an unkillable state for gssd to come back.  If you
had acidentally started gssd then stopped it, then
started nfsd you'd be in a bad way until you either
restarted gssd or rebooted the system.  This change
fixes that by setting the kernel state to "" when
gssd exits.
Reviewed by:	rmacklem
MFC after:	1 week
Sponsored by:	iXsystems
2016-01-01 17:06:16 +00:00
Mateusz Guzik
e015b1ab0a Avoid dynamic syscall overhead for statically compiled modules.
The kernel tracks syscall users so that modules can safely unregister them.

But if the module is not unloadable or was compiled into the kernel, there is
no need to do this.

Achieve this by adding SY_THR_STATIC_KLD macro which expands to SY_THR_STATIC
during kernel build and 0 otherwise.

Reviewed by:	kib (previous version)
MFC after:	2 weeks
2014-10-26 19:42:44 +00:00
Rick Macklem
88a2437a65 Add support for host-based (Kerberos 5 service principal) initiator
credentials to the kernel rpc. Modify the NFSv4 client to add
support for the gssname and allgssname mount options to use this
capability. Requires the gssd daemon to be running with the "-h" option.

Reviewed by:	jhb
2013-07-09 01:05:28 +00:00
Rick Macklem
58217793a2 Isilon reported that sec=krb5p NFS mounts had a problem when m_len == 0
for the last mbuf of the list with an encrypted message. This patch replaces
the KASSERT() with code that handles this case.

Reported by:	john.gemignani@isilon.com
Reviewed by:	jhb
MFC after:	2 weeks
2013-05-01 22:07:55 +00:00
Rick Macklem
13870d5d7b Piete.Brooks at cl.cam.ac.uk reported via email a crash which was
caused by use of an invalid kgss_gssd_handle during an upcall to
the gssd daemon when it has exited. This patch seems to avoid the
crashes by holding a reference count on the kgss_gssd_handle until
the upcall is done. It also adds a new mutex kgss_gssd_lock used to
make manipulation of kgss_gssd_handle SMP safe.

Tested by:	Illias A. Marinos, Herbert Poeckl
Reviewed by:	jhb
MFC after:	2 weeks
2012-12-18 00:25:48 +00:00
Christian Brueffer
e275052c56 Add missing break statement to make sure all 3DES etypes really are treated
the same.

CID:		3624
Found with:	Coverity Prevent(tm)
Reviewed by:	dfr
MFC after:	1 week
2011-10-10 09:13:07 +00:00
Kip Macy
8451d0dd78 In order to maximize the re-usability of kernel code in user space this
patch modifies makesyscalls.sh to prefix all of the non-compatibility
calls (e.g. not linux_, freebsd32_) with sys_ and updates the kernel
entry points and all places in the code that use them. It also
fixes an additional name space collision between the kernel function
psignal and the libc function of the same name by renaming the kernel
psignal kern_psignal(). By introducing this change now we will ease future
MFCs that change syscalls.

Reviewed by:	rwatson
Approved by:	re (bz)
2011-09-16 13:58:51 +00:00
Zack Kirsch
dcded131e1 Add a small comment about unloading the kgsappi module.
Reviewed by:    rmacklem
Approved by:    zml (mentor)
MFC after:      2 weeks
2011-07-16 08:05:49 +00:00
Rick Macklem
7e7fd7d177 Fix the kgssapi so that it can be loaded as a module. Currently
the NFS subsystems use five of the rpcsec_gss/kgssapi entry points,
but since it was not obvious which others might be useful, all
nineteen were included. Basically the nineteen entry points are
set in a structure called rpc_gss_entries and inline functions
defined in sys/rpc/rpcsec_gss.h check for the entry points being
non-NULL and then call them. A default value is returned otherwise.
Requested by rwatson.

Reviewed by:	jhb
MFC after:	2 weeks
2011-06-19 22:08:55 +00:00
Rick Macklem
f0557704cf When the KOBJMETHOD() macro was updated, it resulted in the
compiler doing argument type checking. Since the prototypes in
kgss_if.h used the generic gss_ctx_id_t for the context argument,
but the functions in sys/kgssapi/krb5/krb5_mech.c used the
KerberosV specific context argument, the file would no longer build.
This patch fixes it so it will build by replacing the argument with
a gss_ctx_id_t one and setting a local "struct krb5_context *" variable
to it for use by the function.

Reviewed by:	dfr
Approved by:	kib (mentor)
2009-06-14 17:33:46 +00:00
Jamie Gritton
76ca6f88da Place hostnames and similar information fully under the prison system.
The system hostname is now stored in prison0, and the global variable
"hostname" has been removed, as has the hostname_mtx mutex.  Jails may
have their own host information, or they may inherit it from the
parent/system.  The proper way to read the hostname is via
getcredhostname(), which will copy either the hostname associated with
the passed cred, or the system hostname if you pass NULL.  The system
hostname can still be accessed directly (and without locking) at
prison0.pr_host, but that should be avoided where possible.

The "similar information" referred to is domainname, hostid, and
hostuuid, which have also become prison parameters and had their
associated global variables removed.

Approved by:	bz (mentor)
2009-05-29 21:27:12 +00:00
Doug Rabson
57d8181b40 Fix build of KGSSAPI bits post-vimage. 2009-05-24 11:10:27 +00:00
Doug Rabson
44ab20591b Call svc_freereq() before returning from the service proc. 2008-11-12 15:31:05 +00:00
Doug Rabson
a9148abd9d Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager.  I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.

The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.

To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.

As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.

Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.

The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.

Sponsored by:	Isilon Systems
MFC after:	1 month
2008-11-03 10:38:00 +00:00