-rw-r--r--usr/src/cmd/smbsrv/smbd/smbd_logon.c46
-rw-r--r--usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.c23
-rw-r--r--usr/src/uts/common/Makefile.files10
-rw-r--r--usr/src/uts/common/ktli/t_koptmgmt.c154
-rw-r--r--usr/src/uts/intel/ia32/ml/modstubs.s1
-rw-r--r--usr/src/uts/sparc/ml/modstubs.s1
6 files changed, 203 insertions, 32 deletions
diff --git a/usr/src/cmd/smbsrv/smbd/smbd_logon.c b/usr/src/cmd/smbsrv/smbd/smbd_logon.c
index fa7dae801b..ab6d4c2f7e 100644
--- a/usr/src/cmd/smbsrv/smbd/smbd_logon.c
+++ b/usr/src/cmd/smbsrv/smbd/smbd_logon.c
@@ -20,7 +20,7 @@
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2017 Nexenta Systems, Inc. All rights reserved.
*/
#include <sys/types.h>
@@ -81,9 +81,9 @@ static smb_audit_t *smbd_audit_unlink(uint32_t);
smb_token_t *
smbd_user_auth_logon(smb_logon_t *user_info)
{
- smb_token_t *token;
+ smb_token_t *token = NULL;
smb_audit_t *entry;
- adt_session_data_t *ah;
+ adt_session_data_t *ah = NULL;
adt_event_data_t *event;
smb_logon_t tmp_user;
au_tid_addr_t termid;
@@ -95,6 +95,8 @@ smbd_user_auth_logon(smb_logon_t *user_info)
char *sid;
int status;
int retval;
+ char *p;
+ char *buf = NULL;
if (user_info->lg_username == NULL ||
user_info->lg_domain == NULL ||
@@ -109,7 +111,20 @@ smbd_user_auth_logon(smb_logon_t *user_info)
} else {
tmp_user.lg_e_username = tmp_user.lg_username;
}
- tmp_user.lg_e_domain = tmp_user.lg_domain;
+
+ /* Handle user@domain format. */
+ if (tmp_user.lg_domain[0] == '\0' &&
+ (p = strchr(tmp_user.lg_e_username, '@')) != NULL) {
+ buf = strdup(tmp_user.lg_e_username);
+ if (buf == NULL)
+ goto errout;
+ p = buf + (p - tmp_user.lg_e_username);
+ *p = '\0';
+ tmp_user.lg_e_domain = p + 1;
+ tmp_user.lg_e_username = buf;
+ } else {
+ tmp_user.lg_e_domain = tmp_user.lg_domain;
+ }
if ((token = smb_logon(&tmp_user)) == NULL) {
uid = ADT_NO_ATTRIB;
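Review bot: The user@domain split accepts names where either half is empty: `user@` leaves `lg_e_domain` pointing at an empty string and `@domain` leaves `lg_e_username` empty, and both are handed to `smb_logon()`. On an authentication path I would only take the split when both parts are non-empty, by extending the condition with `p != tmp_user.lg_e_username && p[1] != '\0'`, and otherwise fall through to the existing `lg_e_domain = lg_domain` branch. The `strdup` failure also jumps to `errout` without logging, unlike the other error exits in this function; `syslog(LOG_ERR, "smbd_user_auth_logon: %m");` before the `goto` would match the malloc case further down. The function body starts and ends outside this hunk.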
@@ -132,16 +147,13 @@ smbd_user_auth_logon(smb_logon_t *user_info)
if (adt_start_session(&ah, NULL, 0)) {
syslog(LOG_AUTH | LOG_ALERT, "adt_start_session: %m");
- smb_token_destroy(token);
- return (NULL);
+ goto errout;
}
if ((event = adt_alloc_event(ah, ADT_smbd_session)) == NULL) {
syslog(LOG_AUTH | LOG_ALERT,
"adt_alloc_event(ADT_smbd_session): %m");
- (void) adt_end_session(ah);
- smb_token_destroy(token);
- return (NULL);
+ goto errout;
}
(void) memset(&termid, 0, sizeof (au_tid_addr_t));
@@ -160,9 +172,7 @@ smbd_user_auth_logon(smb_logon_t *user_info)
if (adt_set_user(ah, uid, gid, uid, gid, NULL, ADT_NEW)) {
syslog(LOG_AUTH | LOG_ALERT, "adt_set_user: %m");
adt_free_event(event);
- (void) adt_end_session(ah);
- smb_token_destroy(token);
- return (NULL);
+ goto errout;
}
event->adt_smbd_session.domain = domain;
@@ -177,9 +187,7 @@ smbd_user_auth_logon(smb_logon_t *user_info)
if (token) {
if ((entry = malloc(sizeof (smb_audit_t))) == NULL) {
syslog(LOG_ERR, "smbd_user_auth_logon: %m");
- (void) adt_end_session(ah);
- smb_token_destroy(token);
- return (NULL);
+ goto errout;
}
entry->sa_handle = ah;
@@ -193,7 +201,15 @@ smbd_user_auth_logon(smb_logon_t *user_info)
token->tkn_audit_sid = entry->sa_audit_sid;
}
+ free(buf);
+
return (token);
+
+errout:
+ free(buf);
+ (void) adt_end_session(ah);
+ smb_token_destroy(token);
+ return (NULL);
}
/*
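Review bot: The shared `errout` label can now be reached with `ah == NULL`, both from the `strdup` failure before any audit session exists and, presumably, from a failed `adt_start_session`. The cleanup therefore depends on `adt_end_session()` accepting NULL, and on `smb_token_destroy()` accepting NULL for the `strdup` path. Neither function is visible here, so that should be confirmed before relying on it. A comment above the label would record the assumption for the next maintainer, e.g. `/* ah and token may be NULL here; both cleanup calls must tolerate that */`.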
diff --git a/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 3ae2f2a362..1dc79baa0a 100644
--- a/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1765,7 +1765,7 @@ cleanup:
free(enc_data);
if (encerts != NULL)
sk_X509_free(encerts);
-
+
return retval;
}
@@ -1911,7 +1911,7 @@ cms_envelopeddata_verify(krb5_context context,
if (!retval)
pkiDebug("PKCS7 Verification Success\n");
- else {
+ else {
pkiDebug("PKCS7 Verification Failure\n");
goto cleanup;
}
@@ -2842,7 +2842,7 @@ pkinit_create_sequence_of_principal_identifiers(
if (retval) {
pkiDebug("create_krb5_trustedCertifiers failed\n");
goto cleanup;
- }
+ }
break;
case TD_INVALID_CERTIFICATES:
retval = create_krb5_invalidCertificates(context, plg_cryptoctx,
@@ -2850,7 +2850,7 @@ pkinit_create_sequence_of_principal_identifiers(
if (retval) {
pkiDebug("create_krb5_invalidCertificates failed\n");
goto cleanup;
- }
+ }
break;
default:
retval = -1;
@@ -3862,7 +3862,7 @@ pkinit_choose_tokens(krb5_context context,
} else {
char *cp = reply.data;
/* reply better be digits */
- while (*cp != NULL) {
+ while (*cp != '\0') {
if (!isdigit(*cp++))
return (EINVAL);
}
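Review bot: `isdigit(*cp++)` on the line after the corrected loop condition still passes a plain `char` read from `reply.data`, which is undefined behaviour for negative values on platforms where `char` is signed. Since the commit is already tidying this loop, `if (!isdigit((unsigned char)*cp++))` would close that gap. An empty reply also passes the loop as "all digits"; whether that is rejected later is not visible in this hunk.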
@@ -4106,7 +4106,7 @@ pkinit_open_session(krb5_context context,
CK_SLOT_ID_PTR slotlist = NULL, tmpslotlist = NULL;
CK_TOKEN_INFO tinfo;
krb5_boolean tokenmatch = FALSE;
- CK_SESSION_HANDLE tmpsession = NULL;
+ CK_SESSION_HANDLE tmpsession = CK_INVALID_HANDLE;
struct _token_choices token_choices;
int choice = 0;
@@ -4610,7 +4610,7 @@ pkinit_find_private_key(pkinit_identity_crypto_context id_cryptoctx,
cert = sk_X509_value(id_cryptoctx->my_certs, 0);
priv = X509_get_pubkey(cert);
if (priv == NULL) {
- pkiDebug("Failed to extract pub key from cert\n");
+ pkiDebug("Failed to extract pub key from cert\n");
return KRB5KDC_ERR_PREAUTH_FAILED;
}
@@ -5915,7 +5915,7 @@ crypto_cert_select(krb5_context context,
if (cd->idctx->my_certs != NULL) {
sk_X509_pop_free(cd->idctx->my_certs, X509_free);
}
- cd->idctx->my_certs = sk_X509_new_null();
+ cd->idctx->my_certs = sk_X509_new_null();
sk_X509_push(cd->idctx->my_certs, cd->cred->cert);
cd->idctx->creds[cd->index]->cert = NULL; /* Don't free it twice */
cd->idctx->cert_index = 0;
@@ -5969,7 +5969,7 @@ crypto_cert_select_default(krb5_context context,
if (id_cryptoctx->my_certs != NULL) {
sk_X509_pop_free(id_cryptoctx->my_certs, X509_free);
}
- id_cryptoctx->my_certs = sk_X509_new_null();
+ id_cryptoctx->my_certs = sk_X509_new_null();
sk_X509_push(id_cryptoctx->my_certs, id_cryptoctx->creds[0]->cert);
id_cryptoctx->creds[0]->cert = NULL; /* Don't free it twice */
id_cryptoctx->cert_index = 0;
@@ -6311,7 +6311,7 @@ if (longhorn == 0) { /* XXX Longhorn doesn't like this */
if ((p = krb5_cas[i]->subjectKeyIdentifier.data =
(unsigned char *)malloc((size_t) len)) == NULL)
goto cleanup;
- i2d_ASN1_OCTET_STRING(ikeyid, &p);
+ i2d_ASN1_OCTET_STRING(ikeyid, &p);
krb5_cas[i]->subjectKeyIdentifier.length = len;
}
if (ikeyid != NULL)
@@ -6626,7 +6626,7 @@ pkinit_process_td_trusted_certifiers(
pkiDebug("#%d cert = %s is trusted by kdc\n", i, buf);
else
pkiDebug("#%d cert = %s is invalid\n", i, buf);
- sk_X509_NAME_push(sk_xn, xn);
+ sk_X509_NAME_push(sk_xn, xn);
}
if (krb5_trusted_certifiers[i]->issuerAndSerialNumber.data != NULL) {
@@ -6736,7 +6736,6 @@ pkcs7_dataDecode(krb5_context context,
PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE);
goto cleanup;
}
-
}
/* If we haven't got a certificate try each ri in turn */
diff --git a/usr/src/uts/common/Makefile.files b/usr/src/uts/common/Makefile.files
index c963c34ce4..942a28069b 100644
--- a/usr/src/uts/common/Makefile.files
+++ b/usr/src/uts/common/Makefile.files
@@ -838,7 +838,7 @@ SCSI_VHCI_F_TPGS_OBJS += tpgs.o
SCSI_VHCI_F_ASYM_SUN_OBJS += asym_sun.o
-SCSI_VHCI_F_SYM_HDS_OBJS += sym_hds.o
+SCSI_VHCI_F_SYM_HDS_OBJS += sym_hds.o
SCSI_VHCI_F_TAPE_OBJS += tape.o
@@ -1120,7 +1120,7 @@ NFS_OBJS += nfs_client.o nfs_common.o nfs_dump.o \
nfs_xdr.o nfs_sys.o nfs_strerror.o \
nfs3_vfsops.o nfs3_vnops.o nfs3_xdr.o \
nfs_acl_vnops.o nfs_acl_xdr.o nfs4_vfsops.o \
- nfs4_vnops.o nfs4_xdr.o nfs4_idmap.o \
+ nfs4_vnops.o nfs4_xdr.o nfs4_idmap.o \
nfs4_shadow.o nfs4_subr.o \
nfs4_attr.o nfs4_rnode.o nfs4_client.o \
nfs4_acache.o nfs4_common.o nfs4_client_state.o \
@@ -1288,7 +1288,7 @@ UDFS_OBJS += udf_alloc.o udf_bmap.o udf_dir.o \
udf_inode.o udf_subr.o udf_vfsops.o \
udf_vnops.o
-UFS_OBJS += ufs_alloc.o ufs_bmap.o ufs_dir.o ufs_xattr.o \
+UFS_OBJS += ufs_alloc.o ufs_bmap.o ufs_dir.o ufs_xattr.o \
ufs_inode.o ufs_subr.o ufs_tables.o ufs_vfsops.o \
ufs_vnops.o quota.o quotacalls.o quota_ufs.o \
ufs_filio.o ufs_lockfs.o ufs_thread.o ufs_trans.o \
@@ -1524,8 +1524,8 @@ KLMOPS_OBJS += klmops.o
TLIMOD_OBJS += tlimod.o t_kalloc.o t_kbind.o t_kclose.o \
t_kconnect.o t_kfree.o t_kgtstate.o t_kopen.o \
- t_krcvudat.o t_ksndudat.o t_kspoll.o t_kunbind.o \
- t_kutil.o
+ t_koptmgmt.o t_krcvudat.o t_ksndudat.o t_kspoll.o \
+ t_kunbind.o t_kutil.o
RLMOD_OBJS += rlmod.o
diff --git a/usr/src/uts/common/ktli/t_koptmgmt.c b/usr/src/uts/common/ktli/t_koptmgmt.c
new file mode 100644
index 0000000000..e217c4dfcb
--- /dev/null
+++ b/usr/src/uts/common/ktli/t_koptmgmt.c
@@ -0,0 +1,154 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License, Version 1.0 only
+ * (the "License"). You may not use this file except in compliance
+ * with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */
+/* All Rights Reserved */
+
+/*
+ * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+/*
+ * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
+ */
+
+/*
+ * kTLI variant of t_optmgmt(3NSL)
+ * Returns 0 on success or an errno value.
+ * Similar to libnsl t_optmgmt.c
+ *
+ * Note: This expects the caller's struct t_optmgmt to contain the
+ * XTI version of struct T_opthdr (used with T_OPTMGMT_REQ == 27)
+ * not the old "struct opthdr" (used with T_SVR4_OPTMGMT_REQ == 9)
+ */
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/proc.h>
+#include <sys/file.h>
+#include <sys/user.h>
+#include <sys/vnode.h>
+#include <sys/errno.h>
+#include <sys/stream.h>
+#include <sys/ioctl.h>
+#include <sys/stropts.h>
+#include <sys/strsubr.h>
+#define _SUN_TPI_VERSION 2
+#include <sys/tihdr.h>
+#include <sys/timod.h>
+#include <sys/tiuser.h>
+#include <sys/t_kuser.h>
+#include <sys/kmem.h>
+
+int
+t_koptmgmt(TIUSER *tiptr, struct t_optmgmt *req, struct t_optmgmt *ret)
+{
+ struct strioctl strioc;
+ struct T_optmgmt_req *opt_req;
+ struct T_optmgmt_ack *opt_ack;
+ file_t *fp;
+ vnode_t *vp;
+ char *ctlbuf = NULL;
+ char *opt_data;
+ t_scalar_t optlen;
+ int ctlsize;
+ int retval;
+ int error;
+
+ fp = tiptr->fp;
+ vp = fp->f_vnode;
+
+ optlen = req->opt.len;
+ if (optlen > 0) {
+ if (req->opt.buf == NULL)
+ return (EINVAL);
+ if (optlen < (t_scalar_t)sizeof (struct T_opthdr)) {
+ /* option buffer should atleast have an t_opthdr */
+ return (EINVAL);
+ }
+ /* sanity limit */
+ if (optlen > 4096) {
+ return (EINVAL);
+ }
+ }
+
+ ctlsize = sizeof (*opt_req) + optlen;
+ ctlbuf = kmem_alloc(ctlsize, KM_SLEEP);
+
+ /* LINTED E_BAD_PTR_CAST_ALIGN */
+ opt_req = (struct T_optmgmt_req *)ctlbuf;
+ opt_req->PRIM_type = T_OPTMGMT_REQ;
+ opt_req->MGMT_flags = req->flags;
+ opt_req->OPT_length = optlen;
+ opt_req->OPT_offset = sizeof (*opt_req);
+ if (optlen > 0) {
+ opt_data = ctlbuf + sizeof (*opt_req);
+ bcopy(req->opt.buf, opt_data, optlen);
+ }
+
+ strioc.ic_cmd = TI_OPTMGMT;
+ strioc.ic_timout = 0;
+ strioc.ic_dp = ctlbuf;
+ strioc.ic_len = ctlsize;
+
+ error = strdoioctl(vp->v_stream, &strioc, FNATIVE, K_TO_K,
+ fp->f_cred, &retval);
+ if (error)
+ goto errout;
+
+ if (retval) {
+ if ((retval & 0xff) == TSYSERR)
+ error = (retval >> 8) & 0xff;
+ else
+ error = t_tlitosyserr(retval & 0xff);
+ goto errout;
+ }
+
+ if (strioc.ic_len < sizeof (struct T_optmgmt_ack)) {
+ error = EPROTO;
+ goto errout;
+ }
+
+ /* LINTED pointer cast */
+ opt_ack = (struct T_optmgmt_ack *)ctlbuf;
+ if (opt_ack->PRIM_type != T_OPTMGMT_ACK) {
+ error = EPROTO;
+ goto errout;
+ }
+
+ if (ret->opt.maxlen > 0) {
+ if (opt_ack->OPT_length > ret->opt.maxlen) {
+ error = EMSGSIZE;
+ goto errout;
+ }
+ ret->opt.len = opt_ack->OPT_offset;
+ opt_data = ctlbuf + opt_ack->OPT_offset;
+ bcopy(opt_data, ret->opt.buf, ret->opt.len);
+ }
+ ret->flags = opt_ack->MGMT_flags;
+
+errout:
+ if (ctlbuf != NULL)
+ kmem_free(ctlbuf, ctlsize);
+ return (error);
+}
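Review bot: In the reply path of `t_koptmgmt`, `ret->opt.len` is set from `opt_ack->OPT_offset`, although the preceding size check is against `OPT_length`. The `bcopy` therefore copies offset-many bytes, and `OPT_offset`/`OPT_length` are never checked against `strioc.ic_len`, so a malformed ack from the transport could make it read past `ctlbuf`. On the request side, `optlen` is a signed `t_scalar_t` and only `optlen > 0` is validated, so a negative value reaches the `ctlsize` computation and `kmem_alloc`. I would reject negative lengths up front, bounds-check the ack fields before the copy, and use `OPT_length` as the copy length, as sketched below. Whether `strdoioctl` can return more than `ctlsize` bytes into `ctlbuf` is not visible here and is worth confirming separately.

```c
	optlen = req->opt.len;
	if (optlen < 0)
		return (EINVAL);
	/* … unchanged: optlen > 0 checks, request build, strdoioctl, ack size/type checks … */

	if (ret->opt.maxlen > 0) {
		if (opt_ack->OPT_length < 0 || opt_ack->OPT_offset < 0 ||
		    opt_ack->OPT_offset > strioc.ic_len ||
		    opt_ack->OPT_length > strioc.ic_len - opt_ack->OPT_offset) {
			error = EPROTO;
			goto errout;
		}
		if (opt_ack->OPT_length > ret->opt.maxlen) {
			error = EMSGSIZE;
			goto errout;
		}
		ret->opt.len = opt_ack->OPT_length;
		opt_data = ctlbuf + opt_ack->OPT_offset;
		bcopy(opt_data, ret->opt.buf, ret->opt.len);
	}
```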
diff --git a/usr/src/uts/intel/ia32/ml/modstubs.s b/usr/src/uts/intel/ia32/ml/modstubs.s
index 040c5f0ea5..9ee2ba6908 100644
--- a/usr/src/uts/intel/ia32/ml/modstubs.s
+++ b/usr/src/uts/intel/ia32/ml/modstubs.s
@@ -642,6 +642,7 @@ fcnname/**/_info: \
NO_UNLOAD_STUB(tlimod, t_kclose, nomod_zero);
NO_UNLOAD_STUB(tlimod, t_kspoll, nomod_zero);
NO_UNLOAD_STUB(tlimod, t_kfree, nomod_zero);
+ NO_UNLOAD_STUB(tlimod, t_koptmgmt, nomod_zero);
END_MODULE(tlimod);
#endif
diff --git a/usr/src/uts/sparc/ml/modstubs.s b/usr/src/uts/sparc/ml/modstubs.s
index 1641c734da..e3db778fed 100644
--- a/usr/src/uts/sparc/ml/modstubs.s
+++ b/usr/src/uts/sparc/ml/modstubs.s
@@ -527,6 +527,7 @@ stubs_base:
NO_UNLOAD_STUB(tlimod, t_kclose, nomod_zero);
NO_UNLOAD_STUB(tlimod, t_kspoll, nomod_zero);
NO_UNLOAD_STUB(tlimod, t_kfree, nomod_zero);
+ NO_UNLOAD_STUB(tlimod, t_koptmgmt, nomod_zero);
END_MODULE(tlimod);
#endif