-rw-r--r-- | usr/src/cmd/smbsrv/smbd/smbd_logon.c | 46 | ||||
-rw-r--r-- | usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 23 | ||||
-rw-r--r-- | usr/src/uts/common/Makefile.files | 10 | ||||
-rw-r--r-- | usr/src/uts/common/ktli/t_koptmgmt.c | 154 | ||||
-rw-r--r-- | usr/src/uts/intel/ia32/ml/modstubs.s | 1 | ||||
-rw-r--r-- | usr/src/uts/sparc/ml/modstubs.s | 1 |
6 files changed, 203 insertions, 32 deletions
diff --git a/usr/src/cmd/smbsrv/smbd/smbd_logon.c b/usr/src/cmd/smbsrv/smbd/smbd_logon.c index fa7dae801b..ab6d4c2f7e 100644 --- a/usr/src/cmd/smbsrv/smbd/smbd_logon.c +++ b/usr/src/cmd/smbsrv/smbd/smbd_logon.c @@ -20,7 +20,7 @@ */ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2014 Nexenta Systems, Inc. All rights reserved. + * Copyright 2017 Nexenta Systems, Inc. All rights reserved. */ #include <sys/types.h> @@ -81,9 +81,9 @@ static smb_audit_t *smbd_audit_unlink(uint32_t); smb_token_t * smbd_user_auth_logon(smb_logon_t *user_info) { - smb_token_t *token; + smb_token_t *token = NULL; smb_audit_t *entry; - adt_session_data_t *ah; + adt_session_data_t *ah = NULL; adt_event_data_t *event; smb_logon_t tmp_user; au_tid_addr_t termid; @@ -95,6 +95,8 @@ smbd_user_auth_logon(smb_logon_t *user_info) char *sid; int status; int retval; + char *p; + char *buf = NULL; if (user_info->lg_username == NULL || user_info->lg_domain == NULL || @@ -109,7 +111,20 @@ smbd_user_auth_logon(smb_logon_t *user_info) } else { tmp_user.lg_e_username = tmp_user.lg_username; } - tmp_user.lg_e_domain = tmp_user.lg_domain; + + /* Handle user@domain format. */ + if (tmp_user.lg_domain[0] == '\0' && + (p = strchr(tmp_user.lg_e_username, '@')) != NULL) { + buf = strdup(tmp_user.lg_e_username); + if (buf == NULL) + goto errout; + p = buf + (p - tmp_user.lg_e_username); + *p = '\0'; + tmp_user.lg_e_domain = p + 1; + tmp_user.lg_e_username = buf; + } else { + tmp_user.lg_e_domain = tmp_user.lg_domain; + } if ((token = smb_logon(&tmp_user)) == NULL) { uid = ADT_NO_ATTRIB; 
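Review bot: The new user@domain branch jumps to `errout` when `strdup` fails without logging anything, so a logon attempt that is refused for lack of memory leaves no syslog entry and never reaches the adt audit calls that follow `smb_logon`. The other failure paths touched by this commit all log before bailing out; adding `syslog(LOG_ERR, "smbd_user_auth_logon: %m");` before that `goto errout` would match the message already used for the `malloc` failure further down. The split also accepts inputs such as `user@` and `@domain`, which hand an empty domain or an empty username to `smb_logon`; whether that is rejected downstream is not visible here, so it is worth confirming or checking explicitly. The body of smbd_user_auth_logon continues outside this hunk.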
@@ -132,16 +147,13 @@ smbd_user_auth_logon(smb_logon_t *user_info) if (adt_start_session(&ah, NULL, 0)) { syslog(LOG_AUTH | LOG_ALERT, "adt_start_session: %m"); - smb_token_destroy(token); - return (NULL); + goto errout; } if ((event = adt_alloc_event(ah, ADT_smbd_session)) == NULL) { syslog(LOG_AUTH | LOG_ALERT, "adt_alloc_event(ADT_smbd_session): %m"); - (void) adt_end_session(ah); - smb_token_destroy(token); - return (NULL); + goto errout; } (void) memset(&termid, 0, sizeof (au_tid_addr_t)); @@ -160,9 +172,7 @@ smbd_user_auth_logon(smb_logon_t *user_info) if (adt_set_user(ah, uid, gid, uid, gid, NULL, ADT_NEW)) { syslog(LOG_AUTH | LOG_ALERT, "adt_set_user: %m"); adt_free_event(event); - (void) adt_end_session(ah); - smb_token_destroy(token); - return (NULL); + goto errout; } event->adt_smbd_session.domain = domain; @@ -177,9 +187,7 @@ smbd_user_auth_logon(smb_logon_t *user_info) if (token) { if ((entry = malloc(sizeof (smb_audit_t))) == NULL) { syslog(LOG_ERR, "smbd_user_auth_logon: %m"); - (void) adt_end_session(ah); - smb_token_destroy(token); - return (NULL); + goto errout; } entry->sa_handle = ah; @@ -193,7 +201,15 @@ smbd_user_auth_logon(smb_logon_t *user_info) token->tkn_audit_sid = entry->sa_audit_sid; } + free(buf); + return (token); + +errout: + free(buf); + (void) adt_end_session(ah); + smb_token_destroy(token); + return (NULL); } /* diff --git a/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.c index 3ae2f2a362..1dc79baa0a 100644 --- a/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -1765,7 +1765,7 @@ cleanup: free(enc_data); if (encerts != NULL) sk_X509_free(encerts); - + return retval; } @@ -1911,7 +1911,7 @@ cms_envelopeddata_verify(krb5_context context, if (!retval) pkiDebug("PKCS7 Verification Success\n"); - else { + else { pkiDebug("PKCS7 Verification Failure\n"); goto cleanup; } 
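Review bot: The shared `errout` label added at the end of smbd_user_auth_logon calls `adt_end_session(ah)` and `smb_token_destroy(token)` unconditionally, and it can now be reached with both still NULL (the `strdup` failure happens before `smb_logon` and before `adt_start_session`). The `= NULL` initialisers added in the declarations hunk suggest this is intended, but the page does not show that either callee tolerates NULL. A comment at the label would record that dependency, for example `/* ah and token may still be NULL here; both calls below must accept that. */`, so a later change to either function does not turn this error path into a crash in the authentication daemon.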
@@ -2842,7 +2842,7 @@ pkinit_create_sequence_of_principal_identifiers( if (retval) { pkiDebug("create_krb5_trustedCertifiers failed\n"); goto cleanup; - } + } break; case TD_INVALID_CERTIFICATES: retval = create_krb5_invalidCertificates(context, plg_cryptoctx, @@ -2850,7 +2850,7 @@ pkinit_create_sequence_of_principal_identifiers( if (retval) { pkiDebug("create_krb5_invalidCertificates failed\n"); goto cleanup; - } + } break; default: retval = -1; @@ -3862,7 +3862,7 @@ pkinit_choose_tokens(krb5_context context, } else { char *cp = reply.data; /* reply better be digits */ - while (*cp != NULL) { + while (*cp != '\0') { if (!isdigit(*cp++)) return (EINVAL); } @@ -4106,7 +4106,7 @@ pkinit_open_session(krb5_context context, CK_SLOT_ID_PTR slotlist = NULL, tmpslotlist = NULL; CK_TOKEN_INFO tinfo; krb5_boolean tokenmatch = FALSE; - CK_SESSION_HANDLE tmpsession = NULL; + CK_SESSION_HANDLE tmpsession = CK_INVALID_HANDLE; struct _token_choices token_choices; int choice = 0; @@ -4610,7 +4610,7 @@ pkinit_find_private_key(pkinit_identity_crypto_context id_cryptoctx, cert = sk_X509_value(id_cryptoctx->my_certs, 0); priv = X509_get_pubkey(cert); if (priv == NULL) { - pkiDebug("Failed to extract pub key from cert\n"); + pkiDebug("Failed to extract pub key from cert\n"); return KRB5KDC_ERR_PREAUTH_FAILED; } @@ -5915,7 +5915,7 @@ crypto_cert_select(krb5_context context, if (cd->idctx->my_certs != NULL) { sk_X509_pop_free(cd->idctx->my_certs, X509_free); } - cd->idctx->my_certs = sk_X509_new_null(); + cd->idctx->my_certs = sk_X509_new_null(); sk_X509_push(cd->idctx->my_certs, cd->cred->cert); cd->idctx->creds[cd->index]->cert = NULL; /* Don't free it twice */ cd->idctx->cert_index = 0; 
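Review bot: In the pkinit_choose_tokens hunk the loop still passes a plain `char` to `isdigit`, which the `NULL` to `'\0'` fix leaves untouched. `reply.data` holds text typed at a prompt, and on platforms where `char` is signed any byte of 0x80 or above becomes a negative argument, which is undefined behaviour for the `<ctype.h>` functions. Casting at the call keeps the check well defined: `if (!isdigit((unsigned char)*cp++))`. The function continues outside this hunk, so how `reply.data` is terminated and sized cannot be confirmed from here.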
@@ -5969,7 +5969,7 @@ crypto_cert_select_default(krb5_context context, if (id_cryptoctx->my_certs != NULL) { sk_X509_pop_free(id_cryptoctx->my_certs, X509_free); } - id_cryptoctx->my_certs = sk_X509_new_null(); + id_cryptoctx->my_certs = sk_X509_new_null(); sk_X509_push(id_cryptoctx->my_certs, id_cryptoctx->creds[0]->cert); id_cryptoctx->creds[0]->cert = NULL; /* Don't free it twice */ id_cryptoctx->cert_index = 0; @@ -6311,7 +6311,7 @@ if (longhorn == 0) { /* XXX Longhorn doesn't like this */ if ((p = krb5_cas[i]->subjectKeyIdentifier.data = (unsigned char *)malloc((size_t) len)) == NULL) goto cleanup; - i2d_ASN1_OCTET_STRING(ikeyid, &p); + i2d_ASN1_OCTET_STRING(ikeyid, &p); krb5_cas[i]->subjectKeyIdentifier.length = len; } if (ikeyid != NULL) @@ -6626,7 +6626,7 @@ pkinit_process_td_trusted_certifiers( pkiDebug("#%d cert = %s is trusted by kdc\n", i, buf); else pkiDebug("#%d cert = %s is invalid\n", i, buf); - sk_X509_NAME_push(sk_xn, xn); + sk_X509_NAME_push(sk_xn, xn); } if (krb5_trusted_certifiers[i]->issuerAndSerialNumber.data != NULL) { @@ -6736,7 +6736,6 @@ pkcs7_dataDecode(krb5_context context, PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE); goto cleanup; } - } /* If we haven't got a certificate try each ri in turn */ diff --git a/usr/src/uts/common/Makefile.files b/usr/src/uts/common/Makefile.files index c963c34ce4..942a28069b 100644 --- a/usr/src/uts/common/Makefile.files +++ b/usr/src/uts/common/Makefile.files @@ -838,7 +838,7 @@ SCSI_VHCI_F_TPGS_OBJS += tpgs.o SCSI_VHCI_F_ASYM_SUN_OBJS += asym_sun.o -SCSI_VHCI_F_SYM_HDS_OBJS += sym_hds.o +SCSI_VHCI_F_SYM_HDS_OBJS += sym_hds.o SCSI_VHCI_F_TAPE_OBJS += tape.o 
@@ -1120,7 +1120,7 @@ NFS_OBJS += nfs_client.o nfs_common.o nfs_dump.o \ nfs_xdr.o nfs_sys.o nfs_strerror.o \ nfs3_vfsops.o nfs3_vnops.o nfs3_xdr.o \ nfs_acl_vnops.o nfs_acl_xdr.o nfs4_vfsops.o \ - nfs4_vnops.o nfs4_xdr.o nfs4_idmap.o \ + nfs4_vnops.o nfs4_xdr.o nfs4_idmap.o \ nfs4_shadow.o nfs4_subr.o \ nfs4_attr.o nfs4_rnode.o nfs4_client.o \ nfs4_acache.o nfs4_common.o nfs4_client_state.o \ @@ -1288,7 +1288,7 @@ UDFS_OBJS += udf_alloc.o udf_bmap.o udf_dir.o \ udf_inode.o udf_subr.o udf_vfsops.o \ udf_vnops.o -UFS_OBJS += ufs_alloc.o ufs_bmap.o ufs_dir.o ufs_xattr.o \ +UFS_OBJS += ufs_alloc.o ufs_bmap.o ufs_dir.o ufs_xattr.o \ ufs_inode.o ufs_subr.o ufs_tables.o ufs_vfsops.o \ ufs_vnops.o quota.o quotacalls.o quota_ufs.o \ ufs_filio.o ufs_lockfs.o ufs_thread.o ufs_trans.o \ @@ -1524,8 +1524,8 @@ KLMOPS_OBJS += klmops.o TLIMOD_OBJS += tlimod.o t_kalloc.o t_kbind.o t_kclose.o \ t_kconnect.o t_kfree.o t_kgtstate.o t_kopen.o \ - t_krcvudat.o t_ksndudat.o t_kspoll.o t_kunbind.o \ - t_kutil.o + t_koptmgmt.o t_krcvudat.o t_ksndudat.o t_kspoll.o \ + t_kunbind.o t_kutil.o RLMOD_OBJS += rlmod.o diff --git a/usr/src/uts/common/ktli/t_koptmgmt.c b/usr/src/uts/common/ktli/t_koptmgmt.c new file mode 100644 index 0000000000..e217c4dfcb --- /dev/null +++ b/usr/src/uts/common/ktli/t_koptmgmt.c 
@@ -0,0 +1,154 @@ +/* + * CDDL HEADER START + * + * The contents of this file are subject to the terms of the + * Common Development and Distribution License, Version 1.0 only + * (the "License"). You may not use this file except in compliance + * with the License. + * + * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE + * or http://www.opensolaris.org/os/licensing. + * See the License for the specific language governing permissions + * and limitations under the License. + * + * When distributing Covered Code, include this CDDL HEADER in each + * file and include the License file at usr/src/OPENSOLARIS.LICENSE. + * If applicable, add the following below this CDDL HEADER, with the + * fields enclosed by brackets "[]" replaced with your own identifying + * information: Portions Copyright [yyyy] [name of copyright owner] + * + * CDDL HEADER END + */ + +/* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */ +/* All Rights Reserved */ + +/* + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + +/* + * Copyright 2018 Nexenta Systems, Inc. All rights reserved. + */ + +/* + * kTLI variant of t_optmgmt(3NSL) + * Returns 0 on success or an errno value. 
+ * Similar to libnsl t_optmgmt.c + * + * Note: This expects the caller's struct t_optmgmt to contain the + * XTI version of struct T_opthdr (used with T_OPTMGMT_REQ == 27) + * not the old "struct opthdr" (used with T_SVR4_OPTMGMT_REQ == 9) + */ + +#include <sys/param.h> +#include <sys/types.h> +#include <sys/proc.h> +#include <sys/file.h> +#include <sys/user.h> +#include <sys/vnode.h> +#include <sys/errno.h> +#include <sys/stream.h> +#include <sys/ioctl.h> +#include <sys/stropts.h> +#include <sys/strsubr.h> +#define _SUN_TPI_VERSION 2 +#include <sys/tihdr.h> +#include <sys/timod.h> +#include <sys/tiuser.h> +#include <sys/t_kuser.h> +#include <sys/kmem.h> + +int +t_koptmgmt(TIUSER *tiptr, struct t_optmgmt *req, struct t_optmgmt *ret) +{ + struct strioctl strioc; + struct T_optmgmt_req *opt_req; + struct T_optmgmt_ack *opt_ack; + file_t *fp; + vnode_t *vp; + char *ctlbuf = NULL; + char *opt_data; + t_scalar_t optlen; + int ctlsize; + int retval; + int error; + + fp = tiptr->fp; + vp = fp->f_vnode; + + optlen = req->opt.len; + if (optlen > 0) { + if (req->opt.buf == NULL) + return (EINVAL); + if (optlen < (t_scalar_t)sizeof (struct T_opthdr)) { + /* option buffer should atleast have an t_opthdr */ + return (EINVAL); + } + /* sanity limit */ + if (optlen > 4096) { + return (EINVAL); + } + } + + ctlsize = sizeof (*opt_req) + optlen; + ctlbuf = kmem_alloc(ctlsize, KM_SLEEP); + + /* LINTED E_BAD_PTR_CAST_ALIGN */ + opt_req = (struct T_optmgmt_req *)ctlbuf; + opt_req->PRIM_type = T_OPTMGMT_REQ; + opt_req->MGMT_flags = req->flags; + opt_req->OPT_length = optlen; + opt_req->OPT_offset = sizeof (*opt_req); + if (optlen > 0) { + opt_data = ctlbuf + sizeof (*opt_req); + bcopy(req->opt.buf, opt_data, optlen); + } + + strioc.ic_cmd = TI_OPTMGMT; + strioc.ic_timout = 0; + strioc.ic_dp = ctlbuf; + strioc.ic_len = ctlsize; + + error = strdoioctl(vp->v_stream, &strioc, FNATIVE, K_TO_K, + fp->f_cred, &retval); + if (error) + goto errout; + + if (retval) { + if ((retval & 0xff) == 
TSYSERR) + error = (retval >> 8) & 0xff; + else + error = t_tlitosyserr(retval & 0xff); + goto errout; + } + + if (strioc.ic_len < sizeof (struct T_optmgmt_ack)) { + error = EPROTO; + goto errout; + } + + /* LINTED pointer cast */ + opt_ack = (struct T_optmgmt_ack *)ctlbuf; + if (opt_ack->PRIM_type != T_OPTMGMT_ACK) { + error = EPROTO; + goto errout; + } + + if (ret->opt.maxlen > 0) { + if (opt_ack->OPT_length > ret->opt.maxlen) { + error = EMSGSIZE; + goto errout; + } + ret->opt.len = opt_ack->OPT_offset; + opt_data = ctlbuf + opt_ack->OPT_offset; + bcopy(opt_data, ret->opt.buf, ret->opt.len); + } + ret->flags = opt_ack->MGMT_flags; + +errout: + if (ctlbuf != NULL) + kmem_free(ctlbuf, ctlsize); + return (error); +} diff --git a/usr/src/uts/intel/ia32/ml/modstubs.s b/usr/src/uts/intel/ia32/ml/modstubs.s index 040c5f0ea5..9ee2ba6908 100644 --- a/usr/src/uts/intel/ia32/ml/modstubs.s +++ b/usr/src/uts/intel/ia32/ml/modstubs.s @@ -642,6 +642,7 @@ fcnname/**/_info: \ NO_UNLOAD_STUB(tlimod, t_kclose, nomod_zero); NO_UNLOAD_STUB(tlimod, t_kspoll, nomod_zero); NO_UNLOAD_STUB(tlimod, t_kfree, nomod_zero); + NO_UNLOAD_STUB(tlimod, t_koptmgmt, nomod_zero); END_MODULE(tlimod); #endif diff --git a/usr/src/uts/sparc/ml/modstubs.s b/usr/src/uts/sparc/ml/modstubs.s index 1641c734da..e3db778fed 100644 --- a/usr/src/uts/sparc/ml/modstubs.s +++ b/usr/src/uts/sparc/ml/modstubs.s @@ -527,6 +527,7 @@ stubs_base: NO_UNLOAD_STUB(tlimod, t_kclose, nomod_zero); NO_UNLOAD_STUB(tlimod, t_kspoll, nomod_zero); NO_UNLOAD_STUB(tlimod, t_kfree, nomod_zero); + NO_UNLOAD_STUB(tlimod, t_koptmgmt, nomod_zero); END_MODULE(tlimod); #endif |
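Review bot: In the ack handling at the end of the new t_koptmgmt, `ret->opt.len = opt_ack->OPT_offset;` uses the offset as the copy length, so the preceding `OPT_length > ret->opt.maxlen` check does not bound the `bcopy` into `ret->opt.buf`. The length should come from `OPT_length`, and `OPT_offset` plus `OPT_length` should be checked against the reply length in `strioc.ic_len` before `ctlbuf + opt_ack->OPT_offset` is read, since both fields come from the transport provider's reply. As written, a malformed ack can make the copy read outside `ctlbuf` and write more than `maxlen` bytes into the caller's buffer. The fence below shows the block with both checks; it assumes `strioc.ic_len` never exceeds `ctlsize`, which is not visible on this page.

```c
	if (ret->opt.maxlen > 0) {
		/* The ack must describe options that lie inside the reply. */
		if (opt_ack->OPT_length < 0 || opt_ack->OPT_offset < 0 ||
		    opt_ack->OPT_offset > strioc.ic_len ||
		    opt_ack->OPT_length > strioc.ic_len - opt_ack->OPT_offset) {
			error = EPROTO;
			goto errout;
		}
		if (opt_ack->OPT_length > ret->opt.maxlen) {
			error = EMSGSIZE;
			goto errout;
		}
		ret->opt.len = opt_ack->OPT_length;
		opt_data = ctlbuf + opt_ack->OPT_offset;
		bcopy(opt_data, ret->opt.buf, ret->opt.len);
	}
	/* … unchanged: ret->flags assignment and errout cleanup … */
```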