diff --git a/sys/sys/mount.h b/sys/sys/mount.h index 00b0473..5f6c6d2 100644 --- a/sys/sys/mount.h +++ b/sys/sys/mount.h @@ -283,7 +283,7 @@ struct mount { #define MNT_EXPORTED 0x00000100 /* file system is exported */ #define MNT_DEFEXPORTED 0x00000200 /* exported to the world */ #define MNT_EXPORTANON 0x00000400 /* use anon uid mapping for everyone */ -#define MNT_EXKERB 0x00000800 /* exported with Kerberos uid mapping */ +#define MNT_UNUSED 0x00000800 #define MNT_EXPUBLIC 0x20000000 /* public export (WebNFS) */ /* @@ -305,7 +305,7 @@ struct mount { #define MNT_VISFLAGMASK (MNT_RDONLY | MNT_SYNCHRONOUS | MNT_NOEXEC | \ MNT_NOSUID | MNT_NODEV | MNT_UNION | \ MNT_ASYNC | MNT_EXRDONLY | MNT_EXPORTED | \ - MNT_DEFEXPORTED | MNT_EXPORTANON| MNT_EXKERB | \ + MNT_DEFEXPORTED | MNT_EXPORTANON| MNT_UNUSED | \ MNT_LOCAL | MNT_USER | MNT_QUOTA | \ MNT_ROOTFS | MNT_NOATIME | MNT_NOCLUSTERR| \ MNT_NOCLUSTERW | MNT_SUIDDIR | MNT_SOFTDEP | \ diff --git a/sys/vfs/nfs/nfs.h b/sys/vfs/nfs/nfs.h index fcb8bdf..b3b4cf7 100644 --- a/sys/vfs/nfs/nfs.h +++ b/sys/vfs/nfs/nfs.h @@ -164,7 +164,7 @@ struct nfs_args { #define NFSMNT_NOCONN 0x00000080 /* Don't Connect the socket */ #define NFSMNT_FORCE 0x00000100 /* Forced unmount */ #define NFSMNT_NFSV3 0x00000200 /* Use NFS Version 3 protocol */ -#define NFSMNT_KERB 0x00000400 /* Use Kerberos authentication */ +#define NFSMNT_UNUSED 0x00000400 /* Unused */ #define NFSMNT_DUMBTIMR 0x00000800 /* Don't estimate rtt dynamically */ #define NFSMNT_CACHE 0x00001000 /* enable swapcache */ #define NFSMNT_READAHEAD 0x00002000 /* set read ahead */ 
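Review bot: `MNT_UNUSED` in the first mount.h hunk and `NFSMNT_UNUSED` in the nfs.h hunk retire two authentication-related bits without recording what they used to mean, and `MNT_UNUSED` has no comment at all. Bit 0x00000800 also stays in `MNT_VISFLAGMASK` in the second mount.h hunk. A comment such as `/* was MNT_EXKERB (Kerberos-only export); reserved, do not reuse */` would stop a later reuse from silently changing the meaning of old export data. For `NFSMNT_UNUSED`, a caller that still passes 0x00000400 in `nfs_args` presumably now gets an AUTH_UNIX mount with no error. The mount path is not in this diff, but rejecting the bit there would avoid a silent authentication downgrade.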
@@ -692,7 +692,7 @@ int nfs_loadattrcache (struct vnode *, struct mbuf **, caddr_t *, int nfs_namei (struct nlookupdata *, struct ucred *, int, struct vnode **, struct vnode **, fhandle_t *, int, struct nfssvc_sock *, struct sockaddr *, struct mbuf **, - caddr_t *, struct vnode **, struct thread *, int, int); + caddr_t *, struct vnode **, struct thread *, int); void nfsrv_initcache (void); int nfs_getauth (struct nfsmount *, struct nfsreq *, struct ucred *, char **, int *, char *, int *, NFSKERBKEY_T); @@ -736,7 +736,7 @@ int nfsrv_create (struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, struct thread *td, struct mbuf **mrq); int nfsrv_fhtovp (fhandle_t *, int, struct mount **, struct vnode **, struct ucred *, struct nfssvc_sock *, - struct sockaddr *, int *, int, int); + struct sockaddr *, int *, int); int nfsrv_setpublicfs (struct mount *, struct netexport *, struct export_args *); int nfs_ispublicfh (fhandle_t *); diff --git a/sys/vfs/nfs/nfs_serv.c b/sys/vfs/nfs/nfs_serv.c index 25605f4..0efc1d9 100644 --- a/sys/vfs/nfs/nfs_serv.c +++ b/sys/vfs/nfs/nfs_serv.c @@ -229,8 +229,7 @@ nfsrv3_access(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, fhp = &nfh.fh_generic; NEGREPLYOUT(nfsm_srvmtofh(&info, nfsd, fhp, &error)); NULLOUT(tl = nfsm_dissect(&info, NFSX_UNSIGNED)); - error = nfsrv_fhtovp(fhp, 1, &mp, &vp, cred, slp, nam, &rdonly, - (nfsd->nd_flag & ND_KERBAUTH), TRUE); + error = nfsrv_fhtovp(fhp, 1, &mp, &vp, cred, slp, nam, &rdonly, TRUE); if (error) { NEGKEEPOUT(nfsm_reply(&info, nfsd, slp, NFSX_UNSIGNED, &error)); nfsm_srvpostop_attr(&info, nfsd, 1, NULL); @@ -299,7 +298,7 @@ nfsrv_getattr(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, fhp = &nfh.fh_generic; NEGREPLYOUT(nfsm_srvmtofh(&info, nfsd, fhp, &error)); error = nfsrv_fhtovp(fhp, 1, &mp, &vp, cred, slp, nam, - &rdonly, (nfsd->nd_flag & ND_KERBAUTH), TRUE); + &rdonly, TRUE); if (error) { NEGKEEPOUT(nfsm_reply(&info, nfsd, slp, 0, &error)); error = 0; 
@@ -403,8 +402,7 @@ nfsrv_setattr(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, /* * Now that we have all the fields, lets do it. */ - error = nfsrv_fhtovp(fhp, 1, &mp, &vp, cred, slp, nam, &rdonly, - (nfsd->nd_flag & ND_KERBAUTH), TRUE); + error = nfsrv_fhtovp(fhp, 1, &mp, &vp, cred, slp, nam, &rdonly, TRUE); if (error) { NEGKEEPOUT(nfsm_reply(&info, nfsd, slp, 2 * NFSX_UNSIGNED, &error)); @@ -521,7 +519,7 @@ nfsrv_lookup(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, error = nfs_namei(&nd, cred, 0, NULL, &vp, fhp, len, slp, nam, &info.md, &info.dpos, - &dirp, td, (nfsd->nd_flag & ND_KERBAUTH), pubflag); + &dirp, td, pubflag); /* * namei failure, only dirp to cleanup. Clear out garbarge from @@ -737,8 +735,7 @@ nfsrv_readlink(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, uiop->uio_rw = UIO_READ; uiop->uio_segflg = UIO_SYSSPACE; uiop->uio_td = NULL; - error = nfsrv_fhtovp(fhp, 1, &mp, &vp, cred, slp, nam, - &rdonly, (nfsd->nd_flag & ND_KERBAUTH), TRUE); + error = nfsrv_fhtovp(fhp, 1, &mp, &vp, cred, slp, nam, &rdonly, TRUE); if (error) { NEGKEEPOUT(nfsm_reply(&info, nfsd, slp, 2 * NFSX_UNSIGNED, &error)); @@ -840,8 +837,7 @@ nfsrv_read(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, * as well. */ - error = nfsrv_fhtovp(fhp, 1, &mp, &vp, cred, slp, nam, - &rdonly, (nfsd->nd_flag & ND_KERBAUTH), TRUE); + error = nfsrv_fhtovp(fhp, 1, &mp, &vp, cred, slp, nam, &rdonly, TRUE); if (error) { vp = NULL; NEGKEEPOUT(nfsm_reply(&info, nfsd, slp, @@ -1087,8 +1083,7 @@ nfsrv_write(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, error = 0; goto nfsmout; } - error = nfsrv_fhtovp(fhp, 1, &mp, &vp, cred, slp, nam, - &rdonly, (nfsd->nd_flag & ND_KERBAUTH), TRUE); + error = nfsrv_fhtovp(fhp, 1, &mp, &vp, cred, slp, nam, &rdonly, TRUE); if (error) { vp = NULL; NEGKEEPOUT(nfsm_reply(&info, nfsd, slp, 
@@ -1387,9 +1382,9 @@ loop1: nfsd->nd_mrep = NULL; cred = &nfsd->nd_cr; forat_ret = aftat_ret = 1; - error = nfsrv_fhtovp(&nfsd->nd_fh, 1, &mp, &vp, cred, slp, + error = nfsrv_fhtovp(&nfsd->nd_fh, 1, &mp, &vp, cred, slp, nfsd->nd_nam, &rdonly, - (nfsd->nd_flag & ND_KERBAUTH), TRUE); + TRUE); if (!error) { if (info.v3) forat_ret = VOP_GETATTR(vp, &forat); @@ -1641,7 +1636,7 @@ nfsrv_create(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, */ error = nfs_namei(&nd, cred, NLC_CREATE, &dvp, &vp, fhp, len, slp, nam, &info.md, &info.dpos, &dirp, - td, (nfsd->nd_flag & ND_KERBAUTH), FALSE); + td, FALSE); mp = vfs_getvfs(&fhp->fh_fsid); if (dirp) { @@ -1921,7 +1916,7 @@ nfsrv_mknod(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, error = nfs_namei(&nd, cred, NLC_CREATE, &dvp, &vp, fhp, len, slp, nam, &info.md, &info.dpos, &dirp, - td, (nfsd->nd_flag & ND_KERBAUTH), FALSE); + td, FALSE); if (dirp) dirfor_ret = VOP_GETATTR(dirp, &dirfor); if (error) { @@ -2064,7 +2059,7 @@ nfsrv_remove(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, error = nfs_namei(&nd, cred, NLC_DELETE, &dvp, &vp, fhp, len, slp, nam, &info.md, &info.dpos, &dirp, - td, (nfsd->nd_flag & ND_KERBAUTH), FALSE); + td, FALSE); if (dirp) { if (info.v3) dirfor_ret = VOP_GETATTR(dirp, &dirfor); @@ -2172,7 +2167,7 @@ nfsrv_rename(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, error = nfs_namei(&fromnd, cred, NLC_RENAME_SRC, NULL, NULL, ffhp, len, slp, nam, &info.md, &info.dpos, &fdirp, - td, (nfsd->nd_flag & ND_KERBAUTH), FALSE); + td, FALSE); if (fdirp) { if (info.v3) fdirfor_ret = VOP_GETATTR(fdirp, &fdirfor); @@ -2201,7 +2196,7 @@ nfsrv_rename(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, error = nfs_namei(&tond, cred, NLC_RENAME_DST, NULL, NULL, tfhp, len2, slp, nam, &info.md, &info.dpos, &tdirp, - td, (nfsd->nd_flag & ND_KERBAUTH), FALSE); + td, FALSE); if (tdirp) { if (info.v3) tdirfor_ret = VOP_GETATTR(tdirp, &tdirfor); 
@@ -2393,7 +2388,7 @@ nfsrv_link(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, NEGREPLYOUT(len = nfsm_srvnamesiz(&info, &error)); error = nfsrv_fhtovp(fhp, FALSE, &xmp, &xp, cred, slp, nam, - &rdonly, (nfsd->nd_flag & ND_KERBAUTH), TRUE); + &rdonly, TRUE); if (error) { NEGKEEPOUT(nfsm_reply(&info, nfsd, slp, NFSX_POSTOPATTR(info.v3) + @@ -2413,7 +2408,7 @@ nfsrv_link(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, error = nfs_namei(&nd, cred, NLC_CREATE, &dvp, &vp, dfhp, len, slp, nam, &info.md, &info.dpos, &dirp, - td, (nfsd->nd_flag & ND_KERBAUTH), FALSE); + td, FALSE); if (dirp) { if (info.v3) dirfor_ret = VOP_GETATTR(dirp, &dirfor); @@ -2512,7 +2507,7 @@ nfsrv_symlink(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, error = nfs_namei(&nd, cred, NLC_CREATE, &dvp, &vp, fhp, len, slp, nam, &info.md, &info.dpos, &dirp, - td, (nfsd->nd_flag & ND_KERBAUTH), FALSE); + td, FALSE); if (dirp) { if (info.v3) dirfor_ret = VOP_GETATTR(dirp, &dirfor); @@ -2647,7 +2642,7 @@ nfsrv_mkdir(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, error = nfs_namei(&nd, cred, NLC_CREATE, &dvp, &vp, fhp, len, slp, nam, &info.md, &info.dpos, &dirp, - td, (nfsd->nd_flag & ND_KERBAUTH), FALSE); + td, FALSE); if (dirp) { if (info.v3) dirfor_ret = VOP_GETATTR(dirp, &dirfor); @@ -2772,7 +2767,7 @@ nfsrv_rmdir(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, error = nfs_namei(&nd, cred, NLC_DELETE, &dvp, &vp, fhp, len, slp, nam, &info.md, &info.dpos, &dirp, - td, (nfsd->nd_flag & ND_KERBAUTH), FALSE); + td, FALSE); if (dirp) { if (info.v3) dirfor_ret = VOP_GETATTR(dirp, &dirfor); @@ -2937,7 +2932,7 @@ nfsrv_readdir(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, siz = xfer; fullsiz = siz; error = nfsrv_fhtovp(fhp, 1, &mp, &vp, cred, slp, nam, - &rdonly, (nfsd->nd_flag & ND_KERBAUTH), TRUE); + &rdonly, TRUE); if (!error && vp->v_type != VDIR) { error = ENOTDIR; vput(vp); 
@@ -3239,7 +3234,7 @@ nfsrv_readdirplus(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, siz = xfer; fullsiz = siz; error = nfsrv_fhtovp(fhp, 1, &mp, &vp, cred, slp, nam, - &rdonly, (nfsd->nd_flag & ND_KERBAUTH), TRUE); + &rdonly, TRUE); if (!error && vp->v_type != VDIR) { error = ENOTDIR; vput(vp); @@ -3564,7 +3559,7 @@ nfsrv_commit(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, tl += 2; cnt = fxdr_unsigned(int, *tl); error = nfsrv_fhtovp(fhp, 1, &mp, &vp, cred, slp, nam, - &rdonly, (nfsd->nd_flag & ND_KERBAUTH), TRUE); + &rdonly, TRUE); if (error) { NEGKEEPOUT(nfsm_reply(&info, nfsd, slp, 2 * NFSX_UNSIGNED, &error)); @@ -3710,7 +3705,7 @@ nfsrv_statfs(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, fhp = &nfh.fh_generic; NEGREPLYOUT(nfsm_srvmtofh(&info, nfsd, fhp, &error)); error = nfsrv_fhtovp(fhp, 1, &mp, &vp, cred, slp, nam, - &rdonly, (nfsd->nd_flag & ND_KERBAUTH), TRUE); + &rdonly, TRUE); if (error) { NEGKEEPOUT(nfsm_reply(&info, nfsd, slp, NFSX_UNSIGNED, &error)); nfsm_srvpostop_attr(&info, nfsd, getret, &at); @@ -3792,7 +3787,7 @@ nfsrv_fsinfo(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, fhp = &nfh.fh_generic; NEGREPLYOUT(nfsm_srvmtofh(&info, nfsd, fhp, &error)); error = nfsrv_fhtovp(fhp, 1, &mp, &vp, cred, slp, nam, - &rdonly, (nfsd->nd_flag & ND_KERBAUTH), TRUE); + &rdonly, TRUE); if (error) { NEGKEEPOUT(nfsm_reply(&info, nfsd, slp, NFSX_UNSIGNED, &error)); nfsm_srvpostop_attr(&info, nfsd, getret, &at); @@ -3869,7 +3864,7 @@ nfsrv_pathconf(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, fhp = &nfh.fh_generic; NEGREPLYOUT(nfsm_srvmtofh(&info, nfsd, fhp, &error)); error = nfsrv_fhtovp(fhp, 1, &mp, &vp, cred, slp, nam, - &rdonly, (nfsd->nd_flag & ND_KERBAUTH), TRUE); + &rdonly, TRUE); if (error) { NEGKEEPOUT(nfsm_reply(&info, nfsd, slp, NFSX_UNSIGNED, &error)); nfsm_srvpostop_attr(&info, nfsd, getret, &at); diff --git a/sys/vfs/nfs/nfs_socket.c b/sys/vfs/nfs/nfs_socket.c index 8c81b5d..facbf18 100644 
--- a/sys/vfs/nfs/nfs_socket.c +++ b/sys/vfs/nfs/nfs_socket.c @@ -1185,8 +1185,7 @@ nfs_request_auth(struct nfsreq *rep) { struct nfsmount *nmp = rep->r_nmp; struct mbuf *m; - char nickv[RPCX_NICKVERF]; - int error = 0, auth_len, auth_type; + int auth_len, auth_type; int verf_len; u_int32_t xid; char *auth_str, *verf_str; @@ -1196,34 +1195,17 @@ nfs_request_auth(struct nfsreq *rep) rep->r_failed_auth = 0; /* - * Get the RPC header with authorization. + * We only support RPCAUTH_UNIX */ verf_str = auth_str = NULL; - if (nmp->nm_flag & NFSMNT_KERB) { - verf_str = nickv; - verf_len = sizeof (nickv); - auth_type = RPCAUTH_KERB4; - bzero((caddr_t)rep->r_key, sizeof(rep->r_key)); - if (rep->r_failed_auth || - nfs_getnickauth(nmp, cred, &auth_str, &auth_len, - verf_str, verf_len)) { - error = nfs_getauth(nmp, rep, cred, &auth_str, - &auth_len, verf_str, &verf_len, rep->r_key); - if (error) { - m_freem(rep->r_mrest); - rep->r_mrest = NULL; - kfree((caddr_t)rep, M_NFSREQ); - return (error); - } - } - } else { - auth_type = RPCAUTH_UNIX; - if (cred->cr_ngroups < 1) - panic("nfsreq nogrps"); - auth_len = ((((cred->cr_ngroups - 1) > nmp->nm_numgrps) ? - nmp->nm_numgrps : (cred->cr_ngroups - 1)) << 2) + - 5 * NFSX_UNSIGNED; - } + verf_len = RPCX_NICKVERF; + auth_type = RPCAUTH_UNIX; + if (cred->cr_ngroups < 1) + panic("nfsreq nogrps"); + auth_len = ((((cred->cr_ngroups - 1) > nmp->nm_numgrps) ? + nmp->nm_numgrps : (cred->cr_ngroups - 1)) << 2) + + 5 * NFSX_UNSIGNED; + if (rep->r_mrest) nfs_checkpkt(rep->r_mrest, rep->r_mrest_len); m = nfsm_rpchead(cred, nmp->nm_flag, rep->r_procnum, auth_type, 
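Review bot: In the second nfs_request_auth hunk, `verf_len = RPCX_NICKVERF;` gives a non-zero verifier length while `verf_str` is left NULL on the line above, so the pair passed on describes a verifier that does not exist. The `nfsm_rpchead` call is cut off at the end of the hunk and its handling of the pair is not visible. If it ever sizes or copies the verifier from `verf_len` alone, this becomes a NULL read, so `verf_len = 0;` is the safer value for an AUTH_UNIX-only client. The comment `We only support RPCAUTH_UNIX` would also be more useful if it said that the verifier is always empty.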
@@ -1466,19 +1448,6 @@ nfs_request_processreply(nfsm_info_t info, int error) if (*tl++ == rpc_msgdenied) { if (*tl == rpc_mismatch) { error = EOPNOTSUPP; - } else if ((nmp->nm_flag & NFSMNT_KERB) && - *tl++ == rpc_autherr) { - if (req->r_failed_auth == 0) { - req->r_failed_auth++; - req->r_mheadend->m_next = NULL; - m_freem(info->mrep); - info->mrep = NULL; - m_freem(req->r_mreq); - req->r_mreq = NULL; - return (ENEEDAUTH); - } else { - error = EAUTH; - } } else { error = EACCES; } @@ -1496,14 +1465,9 @@ nfs_request_processreply(nfsm_info_t info, int error) */ verf_type = fxdr_unsigned(int, *tl++); i = fxdr_unsigned(int32_t, *tl); - if ((nmp->nm_flag & NFSMNT_KERB) && verf_type == RPCAUTH_KERB4) { - error = nfs_savenickauth(nmp, req->r_cred, i, req->r_key, - &info->md, &info->dpos, info->mrep); - if (error) - goto nfsmout; - } else if (i > 0) { + if (i > 0) ERROROUT(nfsm_adv(info, nfsm_rndup(i))); - } + NULLOUT(tl = nfsm_dissect(info, NFSX_UNSIGNED)); /* 0 == ok */ if (*tl == 0) { 
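Review bot: The second nfs_request_processreply hunk drops the braces around a macro call, leaving `if (i > 0) ERROROUT(nfsm_adv(info, nfsm_rndup(i)));`. `ERROROUT` is defined outside this diff; if it expands to an unbraced `if` or to more than one statement, the guard no longer covers what it appears to cover, so keeping `if (i > 0) { ERROROUT(nfsm_adv(info, nfsm_rndup(i))); }` is safer. `i` is a verifier length taken from the server's reply, and a negative value is now skipped silently with no upper bound visible here. A short comment saying that `nfsm_adv` is what bounds it against the mbuf chain would help the next reader. `verf_type` is still assigned but no longer read in this hunk, and can probably be removed.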
@@ -1628,45 +1592,12 @@ nfs_rephead(int siz, struct nfsrv_descript *nd, struct nfssvc_sock *slp, /* * For Kerberos authentication, we must send the nickname - * verifier back, otherwise just RPCAUTH_NULL. + * verifier back but since we don't support it just + * return RPCAUTH_NULL. */ - if (nd->nd_flag & ND_KERBFULL) { - struct nfsuid *nuidp; - struct timeval ktvout; - - for (nuidp = NUIDHASH(slp, nd->nd_cr.cr_uid)->lh_first; - nuidp != NULL; nuidp = nuidp->nu_hash.le_next) { - if (nuidp->nu_cr.cr_uid == nd->nd_cr.cr_uid && - (!nd->nd_nam2 || netaddr_match(NU_NETFAM(nuidp), - &nuidp->nu_haddr, nd->nd_nam2))) - break; - } - if (nuidp) { - /* - * Encrypt the timestamp in ecb mode using the - * session key. - */ -#ifdef NFSKERB - XXX -#else - ktvout.tv_sec = 0; - ktvout.tv_usec = 0; -#endif + *tl++ = 0; + *tl++ = 0; - *tl++ = rpc_auth_kerb; - *tl++ = txdr_unsigned(3 * NFSX_UNSIGNED); - *tl = ktvout.tv_sec; - tl = nfsm_build(&info, 3 * NFSX_UNSIGNED); - *tl++ = ktvout.tv_usec; - *tl++ = txdr_unsigned(nuidp->nu_cr.cr_uid); - } else { - *tl++ = 0; - *tl++ = 0; - } - } else { - *tl++ = 0; - *tl++ = 0; - } switch (err) { case EPROGUNAVAIL: *tl = txdr_unsigned(RPC_PROGUNAVAIL); @@ -2283,14 +2214,8 @@ nfs_getreq(struct nfsrv_descript *nd, struct nfsd *nfsd, int has_header) { int len, i; u_int32_t *tl; - struct uio uio; - struct iovec iov; - caddr_t cp; u_int32_t nfsvers, auth_type; - uid_t nickuid; - int error = 0, ticklen; - struct nfsuid *nuidp; - struct timeval tvin, tvout; + int error = 0; struct nfsm_info info; #if 0 /* until encrypted keys are implemented */ NFSKERBKEYSCHED_T keys; /* stores key schedule */ 
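Review bot: The rewritten comment in the nfs_rephead hunk still opens with "For Kerberos authentication, we must send the nickname verifier back", which describes a path that no longer exists. The nfs_getreq hunk in this same commit makes `rpc_auth_kerb` credentials fall through to `AUTH_REJECTCRED`, so no Kerberos request reaches the reply header. I would replace it with `/* Verifier is always RPCAUTH_NULL with zero length. */` and write the flavor word as `*tl++ = txdr_unsigned(RPCAUTH_NULL);` so that the two bare zeros are distinguishable as flavor and length.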
@@ -2390,108 +2315,6 @@ nfs_getreq(struct nfsrv_descript *nd, struct nfsd *nfsd, int has_header) if (len > 0) { ERROROUT(nfsm_adv(&info, nfsm_rndup(len))); } - } else if (auth_type == rpc_auth_kerb) { - switch (fxdr_unsigned(int, *tl++)) { - case RPCAKN_FULLNAME: - ticklen = fxdr_unsigned(int, *tl); - *((u_int32_t *)nfsd->nfsd_authstr) = *tl; - uio.uio_resid = nfsm_rndup(ticklen) + NFSX_UNSIGNED; - nfsd->nfsd_authlen = uio.uio_resid + NFSX_UNSIGNED; - if (uio.uio_resid > (len - 2 * NFSX_UNSIGNED)) { - m_freem(info.mrep); - return (EBADRPC); - } - uio.uio_offset = 0; - uio.uio_iov = &iov; - uio.uio_iovcnt = 1; - uio.uio_segflg = UIO_SYSSPACE; - iov.iov_base = (caddr_t)&nfsd->nfsd_authstr[4]; - iov.iov_len = RPCAUTH_MAXSIZ - 4; - ERROROUT(nfsm_mtouio(&info, &uio, uio.uio_resid)); - NULLOUT(tl = nfsm_dissect(&info, 2 * NFSX_UNSIGNED)); - if (*tl++ != rpc_auth_kerb || - fxdr_unsigned(int, *tl) != 4 * NFSX_UNSIGNED) { - kprintf("Bad kerb verifier\n"); - nd->nd_repstat = (NFSERR_AUTHERR|AUTH_BADVERF); - nd->nd_procnum = NFSPROC_NOOP; - return (0); - } - NULLOUT(cp = nfsm_dissect(&info, 4 * NFSX_UNSIGNED)); - tl = (u_int32_t *)cp; - if (fxdr_unsigned(int, *tl) != RPCAKN_FULLNAME) { - kprintf("Not fullname kerb verifier\n"); - nd->nd_repstat = (NFSERR_AUTHERR|AUTH_BADVERF); - nd->nd_procnum = NFSPROC_NOOP; - return (0); - } - cp += NFSX_UNSIGNED; - bcopy(cp, nfsd->nfsd_verfstr, 3 * NFSX_UNSIGNED); - nfsd->nfsd_verflen = 3 * NFSX_UNSIGNED; - nd->nd_flag |= ND_KERBFULL; - nfsd->nfsd_flag |= NFSD_NEEDAUTH; - break; - case RPCAKN_NICKNAME: - if (len != 2 * NFSX_UNSIGNED) { - kprintf("Kerb nickname short\n"); - nd->nd_repstat = (NFSERR_AUTHERR|AUTH_BADCRED); - nd->nd_procnum = NFSPROC_NOOP; - return (0); - } - nickuid = fxdr_unsigned(uid_t, *tl); - NULLOUT(tl = nfsm_dissect(&info, 2 * NFSX_UNSIGNED)); - if (*tl++ != rpc_auth_kerb || - fxdr_unsigned(int, *tl) != 3 * NFSX_UNSIGNED) { - kprintf("Kerb nick verifier bad\n"); - nd->nd_repstat = (NFSERR_AUTHERR|AUTH_BADVERF); - 
nd->nd_procnum = NFSPROC_NOOP; - return (0); - } - NULLOUT(tl = nfsm_dissect(&info, 3 * NFSX_UNSIGNED)); - tvin.tv_sec = *tl++; - tvin.tv_usec = *tl; - - for (nuidp = NUIDHASH(nfsd->nfsd_slp,nickuid)->lh_first; - nuidp != NULL; nuidp = nuidp->nu_hash.le_next) { - if (nuidp->nu_cr.cr_uid == nickuid && - (!nd->nd_nam2 || - netaddr_match(NU_NETFAM(nuidp), - &nuidp->nu_haddr, nd->nd_nam2))) - break; - } - if (!nuidp) { - nd->nd_repstat = - (NFSERR_AUTHERR|AUTH_REJECTCRED); - nd->nd_procnum = NFSPROC_NOOP; - return (0); - } - - /* - * Now, decrypt the timestamp using the session key - * and validate it. - */ -#ifdef NFSKERB - XXX -#else - tvout.tv_sec = 0; - tvout.tv_usec = 0; -#endif - - tvout.tv_sec = fxdr_unsigned(long, tvout.tv_sec); - tvout.tv_usec = fxdr_unsigned(long, tvout.tv_usec); - if (nuidp->nu_expire != time_uptime || - nuidp->nu_timestamp.tv_sec > tvout.tv_sec || - (nuidp->nu_timestamp.tv_sec == tvout.tv_sec && - nuidp->nu_timestamp.tv_usec > tvout.tv_usec)) { - nuidp->nu_expire = 0; - nd->nd_repstat = - (NFSERR_AUTHERR|AUTH_REJECTVERF); - nd->nd_procnum = NFSPROC_NOOP; - return (0); - } - nfsrv_setcred(&nuidp->nu_cr, &nd->nd_cr); - nd->nd_flag |= ND_KERBNICK; - break; - } } else { nd->nd_repstat = (NFSERR_AUTHERR | AUTH_REJECTCRED); nd->nd_procnum = NFSPROC_NOOP; diff --git a/sys/vfs/nfs/nfs_subs.c b/sys/vfs/nfs/nfs_subs.c index 06e0b03..3eabe45 100644 --- a/sys/vfs/nfs/nfs_subs.c +++ b/sys/vfs/nfs/nfs_subs.c @@ -984,7 +984,7 @@ nfs_namei(struct nlookupdata *nd, struct ucred *cred, int nflags, fhandle_t *fhp, int len, struct nfssvc_sock *slp, struct sockaddr *nam, struct mbuf **mdp, caddr_t *dposp, struct vnode **dirpp, struct thread *td, - int kerbflag, int pubflag) + int pubflag) { int i, rem; struct mbuf *md; 
@@ -1038,7 +1038,7 @@ nfs_namei(struct nlookupdata *nd, struct ucred *cred, int nflags, * but not locked. */ error = nfsrv_fhtovp(fhp, FALSE, &mp, &dp, cred, slp, - nam, &rdonly, kerbflag, pubflag); + nam, &rdonly, pubflag); if (error) goto out; if (dp->v_type != VDIR) { @@ -1197,7 +1197,7 @@ int nfsrv_fhtovp(fhandle_t *fhp, int lockflag, struct mount **mpp, struct vnode **vpp, struct ucred *cred, struct nfssvc_sock *slp, struct sockaddr *nam, - int *rdonlyp, int kerbflag, int pubflag) + int *rdonlyp, int pubflag) { struct mount *mp; int i; @@ -1221,7 +1221,7 @@ nfsrv_fhtovp(fhandle_t *fhp, int lockflag, return (ESTALE); error = VFS_CHECKEXP(mp, nam, &exflags, &credanon); if (error) - return (error); + return (error); error = VFS_FHTOVP(mp, NULL, &fhp->fh_fid, vpp); if (error) return (ESTALE); @@ -1236,20 +1236,7 @@ nfsrv_fhtovp(fhandle_t *fhp, int lockflag, } } #endif - /* - * Check/setup credentials. - */ - if (exflags & MNT_EXKERB) { - if (!kerbflag) { - vput(*vpp); - *vpp = NULL; - return (NFSERR_AUTHERR | AUTH_TOOWEAK); - } - } else if (kerbflag) { - vput(*vpp); - *vpp = NULL; - return (NFSERR_AUTHERR | AUTH_TOOWEAK); - } else if (cred->cr_uid == 0 || (exflags & MNT_EXPORTANON)) { + if (cred->cr_uid == 0 || (exflags & MNT_EXPORTANON)) { cred->cr_uid = credanon->cr_uid; for (i = 0; i < credanon->cr_ngroups && i < NGROUPS; i++) cred->cr_groups[i] = credanon->cr_groups[i]; diff --git a/sys/vfs/nfs/nfs_syscalls.c b/sys/vfs/nfs/nfs_syscalls.c index 2864ce6..46201bc 100644 --- a/sys/vfs/nfs/nfs_syscalls.c +++ b/sys/vfs/nfs/nfs_syscalls.c @@ -1139,12 +1139,8 @@ nfs_getnickauth(struct nfsmount *nmp, struct ucred *cred, char **auth_str, * Now encrypt the timestamp verifier in ecb mode using the session * key. */ -#ifdef NFSKERB - XXX -#else ktvout.tv_sec = 0; ktvout.tv_usec = 0; -#endif *verfp++ = ktvout.tv_sec; *verfp++ = ktvout.tv_usec; 
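Review bot: The nfsrv_fhtovp hunk at `@@ -1236,20 +1236,7 @@` removes the only check that refused AUTH_UNIX callers on an export flagged 0x00000800 (formerly `MNT_EXKERB`), so such an export now fails open. If an existing exports entry or an older mountd can still set that bit (not visible in this diff), a filesystem that the administrator marked Kerberos-only is served to any client that passes `VFS_CHECKEXP`. Refusing the request while the bit is set keeps the old fail-closed behaviour, as in the fence below; alternatively the bit could be rejected when the export is installed. The function body starts and ends outside the hunk.

```c
	/* … unchanged: VFS_CHECKEXP / VFS_FHTOVP and the #endif above … */
	/*
	 * Exports that were flagged Kerberos-only can no longer be
	 * authenticated; refuse them rather than serve them with AUTH_UNIX.
	 */
	if (exflags & MNT_UNUSED) {
		vput(*vpp);
		*vpp = NULL;
		return (NFSERR_AUTHERR | AUTH_TOOWEAK);
	}
	if (cred->cr_uid == 0 || (exflags & MNT_EXPORTANON)) {
```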
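Review bot: In the nfs_getnickauth hunk the comment "Now encrypt the timestamp verifier in ecb mode using the session key" now sits directly above code that unconditionally writes zeros, and the nfs_savenickauth hunk further down has the same problem with "Decrypt the timestamp in ecb mode". With the `#ifdef NFSKERB` marker gone, nothing tells a reader that no cryptography happens here. Both comments should say so, for example `/* Kerberos is unsupported: the verifier timestamp is zero, not encrypted. */`. This commit removes the calls to both functions from nfs_socket.c, so they may be dead code; if nothing else calls them, deleting them would be cleaner than keeping a stub that looks like an authenticator.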
@@ -1180,12 +1176,9 @@ nfs_savenickauth(struct nfsmount *nmp, struct ucred *cred, int len, /* * Decrypt the timestamp in ecb mode. */ -#ifdef NFSKERB - XXX -#else ktvout.tv_sec = 0; ktvout.tv_usec = 0; -#endif + ktvout.tv_sec = fxdr_unsigned(long, ktvout.tv_sec); ktvout.tv_usec = fxdr_unsigned(long, ktvout.tv_usec); deltasec = time_second - ktvout.tv_sec; diff --git a/sys/vfs/nfs/nfs_vfsops.c b/sys/vfs/nfs/nfs_vfsops.c index 3d0879c..2bee952 100644 --- a/sys/vfs/nfs/nfs_vfsops.c +++ b/sys/vfs/nfs/nfs_vfsops.c @@ -1228,8 +1228,6 @@ nfs_unmount(struct mount *mp, int mntflags) * We are now committed to the unmount. * For NQNFS, let the server daemon free the nfsmount structure. */ - if (nmp->nm_flag & NFSMNT_KERB) - nmp->nm_state |= NFSSTA_DISMNT; nfssvc_iod_stop1(nmp); nfs_disconnect(nmp); nfssvc_iod_stop2(nmp); @@ -1240,9 +1238,8 @@ nfs_unmount(struct mount *mp, int mntflags) lwkt_reltoken(&nmp->nm_token); - if ((nmp->nm_flag & NFSMNT_KERB) == 0) { - nfs_free_mount(nmp); - } + nfs_free_mount(nmp); + return (0); } diff --git a/sys/vfs/nfs/nfsm_subs.c b/sys/vfs/nfs/nfsm_subs.c index 2240b5b..cf0aedb 100644 --- a/sys/vfs/nfs/nfsm_subs.c +++ b/sys/vfs/nfs/nfsm_subs.c @@ -195,27 +195,7 @@ nfsm_rpchead(struct ucred *cr, int nmflag, int procid, int auth_type, *tl++ = txdr_unsigned(cr->cr_groups[i]); break; case RPCAUTH_KERB4: - siz = auth_len; - while (siz > 0) { - if (M_TRAILINGSPACE(info.mb) == 0) { - mb2 = m_getl(siz, MB_WAIT, MT_DATA, 0, NULL); - mb2->m_len = 0; - info.mb->m_next = mb2; - info.mb = mb2; - info.bpos = mtod(info.mb, caddr_t); - } - i = min(siz, M_TRAILINGSPACE(info.mb)); - bcopy(auth_str, info.bpos, i); - info.mb->m_len += i; - auth_str += i; - info.bpos += i; - siz -= i; - } - if ((siz = (nfsm_rndup(auth_len) - auth_len)) > 0) { - for (i = 0; i < siz; i++) - *info.bpos++ = '\0'; - info.mb->m_len += siz; - } + /* Unsupported */ break; }
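Review bot: The comment kept as context in the first nfs_unmount hunk, "For NQNFS, let the server daemon free the nfsmount structure", is now wrong, because the second hunk makes `nfs_free_mount(nmp)` unconditional and no path remains where another thread owns the free. I would change it to `/* We are now committed to the unmount; nmp is freed below. */`. `NFSSTA_DISMNT` is no longer set here, so any code elsewhere that waits on or tests that state (not visible in this diff) should be checked. The free happens right after `lwkt_reltoken(&nmp->nm_token)`, so it is worth confirming that nothing still holds a reference to `nmp` once the Kerberos-only deferral is gone.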
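Review bot: In the nfsm_rpchead hunk, `case RPCAUTH_KERB4: /* Unsupported */ break;` accepts the flavor silently and copies no credential body. The code before the switch is outside the hunk, but it presumably has already written `auth_type` and `auth_len` into the header, so a caller passing this flavor would emit a request whose credential length does not match its contents. Since nfs_request_auth now always passes `RPCAUTH_UNIX`, this is an internal invariant and should fail loudly, for example `panic("nfsm_rpchead: RPCAUTH_KERB4 unsupported");`, or the case can be dropped entirely. The locals `siz` and `mb2` may now be unused in this function.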