Diffstat (limited to 'sbin/nfsd')
-rw-r--r--sbin/nfsd/nfsd.810
-rw-r--r--sbin/nfsd/nfsd.c108
2 files changed, 87 insertions, 31 deletions
diff --git a/sbin/nfsd/nfsd.8 b/sbin/nfsd/nfsd.8
index 4b30b85a540..ccb2cb8e974 100644
--- a/sbin/nfsd/nfsd.8
+++ b/sbin/nfsd/nfsd.8
@@ -1,4 +1,5 @@
-.\" $NetBSD: nfsd.8,v 1.6 1995/03/18 14:58:59 cgd Exp $
+.\" $OpenBSD: nfsd.8,v 1.2 1996/03/21 00:16:20 niklas Exp $
+.\" $NetBSD: nfsd.8,v 1.7 1996/02/18 11:58:24 fvdl Exp $
.\"
.\" Copyright (c) 1989, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@@ -31,9 +32,9 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" @(#)nfsd.8 8.3 (Berkeley) 2/22/94
+.\" @(#)nfsd.8 8.4 (Berkeley) 3/29/95
.\"
-.Dd February 22, 1994
+.Dd March 29, 1995
.Dt NFSD 8
.Os
.Sh NAME
@@ -100,7 +101,8 @@ listens for service requests at the port indicated in the
.Tn NFS
server specification; see
.%T "Network File System Protocol Specification" ,
-RFC1094.
+RFC1094 and
+.%T "NFS: Network File System Version 3 Protocol Specification" .
.Pp
The
.Nm nfsd
diff --git a/sbin/nfsd/nfsd.c b/sbin/nfsd/nfsd.c
index e55a7d171a9..eaedfdf30b8 100644
--- a/sbin/nfsd/nfsd.c
+++ b/sbin/nfsd/nfsd.c
@@ -1,4 +1,5 @@
-/* $NetBSD: nfsd.c,v 1.17 1995/05/28 05:31:45 jtc Exp $ */
+/* $OpenBSD: nfsd.c,v 1.2 1996/03/21 00:16:22 niklas Exp $ */
+/* $NetBSD: nfsd.c,v 1.19 1996/02/18 23:18:56 mycroft Exp $ */
/*
* Copyright (c) 1989, 1993, 1994
@@ -44,14 +45,13 @@ static char copyright[] =
#ifndef lint
#if 0
-static char sccsid[] = "@(#)nfsd.c 8.7 (Berkeley) 2/22/94";
+static char sccsid[] = "@(#)nfsd.c 8.9 (Berkeley) 3/29/95";
#else
-static char rcsid[] = "$NetBSD: nfsd.c,v 1.17 1995/05/28 05:31:45 jtc Exp $";
+static char rcsid[] = "$NetBSD: nfsd.c,v 1.19 1996/02/18 23:18:56 mycroft Exp $";
#endif
-#endif not lint
+#endif /* not lint */
#include <sys/param.h>
-#include <syslog.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/wait.h>
@@ -69,10 +69,10 @@ static char rcsid[] = "$NetBSD: nfsd.c,v 1.17 1995/05/28 05:31:45 jtc Exp $";
#include <netiso/iso.h>
#endif
#include <nfs/rpcv2.h>
-#include <nfs/nfsv2.h>
+#include <nfs/nfsproto.h>
#include <nfs/nfs.h>
-#ifdef KERBEROS
+#ifdef NFSKERB
#include <kerberosIV/des.h>
#include <kerberosIV/krb.h>
#endif
@@ -86,6 +86,7 @@ static char rcsid[] = "$NetBSD: nfsd.c,v 1.17 1995/05/28 05:31:45 jtc Exp $";
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
+#include <syslog.h>
#include <unistd.h>
/* Global defs */
@@ -98,11 +99,16 @@ int debug = 0;
struct nfsd_srvargs nsd;
-#ifdef KERBEROS
+#ifdef NFSKERB
char lnam[ANAME_SZ];
KTEXT_ST kt;
-AUTH_DAT auth;
+AUTH_DAT kauth;
char inst[INST_SZ];
+struct nfsrpc_fullblock kin, kout;
+struct nfsrpc_fullverf kverf;
+NFSKERBKEY_T kivec;
+struct timeval ktv;
+NFSKERBKEYSCHED_T kerb_keysched;
#endif
void nonfs __P((int));
@@ -142,6 +148,7 @@ main(argc, argv, envp)
#ifdef ISO
struct sockaddr_iso isoaddr, isopeer;
#endif
+ struct timeval ktv;
fd_set ready, sockbits;
int ch, cltpflag, connect_type_cnt, i, len, maxsock, msgsock;
int nfsdcnt, nfssvc_flag, on, reregister, sock, tcpflag, tcpsock;
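Review bot: The `struct timeval ktv;` added to main's locals duplicates the file-scope `ktv` that the previous hunk adds under `#ifdef NFSKERB`, so inside main the local shadows the global and the later `gettimeofday(&ktv, ...)` call never writes the global. The local is also declared outside any `#ifdef NFSKERB`, so a non-Kerberos build carries an unused variable. Keep only one of the two, for example drop the file-scope definition and guard the local with `#ifdef NFSKERB` / `#endif`. main's body starts and ends outside this hunk.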
@@ -224,10 +231,12 @@ main(argc, argv, envp)
if (reregister) {
if (udpflag &&
- !pmap_set(RPCPROG_NFS, NFS_VER2, IPPROTO_UDP, NFS_PORT))
+ (!pmap_set(RPCPROG_NFS, 2, IPPROTO_UDP, NFS_PORT) ||
+ !pmap_set(RPCPROG_NFS, 3, IPPROTO_UDP, NFS_PORT)))
err(1, "can't register with portmap for UDP.");
if (tcpflag &&
- !pmap_set(RPCPROG_NFS, NFS_VER2, IPPROTO_TCP, NFS_PORT))
+ (!pmap_set(RPCPROG_NFS, 2, IPPROTO_TCP, NFS_PORT) ||
+ !pmap_set(RPCPROG_NFS, 3, IPPROTO_TCP, NFS_PORT)))
err(1, "can't register with portmap for TCP.");
exit(0);
}
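Review bot: The bare literals `2` and `3` passed to pmap_set() replace the named `NFS_VER2` constant, so the calls no longer say which protocol versions they refer to. If `<nfs/nfsproto.h>`, which this commit switches to, provides version constants, use them, e.g. `pmap_set(RPCPROG_NFS, NFS_VER3, IPPROTO_UDP, NFS_PORT)`. Because the two calls are joined with `||`, a version 3 failure after a version 2 success leaves the version 2 mapping registered and reports the same message for both, so the log does not show which registration failed. The same pattern is repeated in the UDP and TCP socket-setup hunks further down (`@@ -306,7` and `@@ -386,7`).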
@@ -247,8 +256,14 @@ main(argc, argv, envp)
setproctitle("server");
nfssvc_flag = NFSSVC_NFSD;
nsd.nsd_nfsd = NULL;
-#ifdef KERBEROS
- nsd.nsd_authstr = (char *)kt.dat;
+#ifdef NFSKERB
+ if (sizeof (struct nfsrpc_fullverf) != RPCX_FULLVERF ||
+ sizeof (struct nfsrpc_fullblock) != RPCX_FULLBLOCK)
+ syslog(LOG_ERR, "Yikes NFSKERB structs not packed!");
+ nsd.nsd_authstr = (u_char *)&kt;
+ nsd.nsd_authlen = sizeof (kt);
+ nsd.nsd_verfstr = (u_char *)&kverf;
+ nsd.nsd_verflen = sizeof (kverf);
#endif
while (nfssvc(nfssvc_flag, &nsd) < 0) {
if (errno != ENEEDAUTH) {
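Review bot: The structure-size check only logs `Yikes NFSKERB structs not packed!` and then falls through to pass `&kverf` and `sizeof (kverf)` to nfssvc(). A build with the wrong layout therefore keeps serving with authenticator and verifier buffers that do not match the sizes the check expects. Treat the mismatch as fatal by bracing the `if` and adding `exit(1);` after the syslog() call. Since both sides of each comparison are compile-time constants, a build-time check would catch it even earlier. main's body continues outside this hunk.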
@@ -256,14 +271,27 @@ main(argc, argv, envp)
exit(1);
}
nfssvc_flag = NFSSVC_NFSD | NFSSVC_AUTHINFAIL;
-#ifdef KERBEROS
- kt.length = nsd.nsd_authlen;
- kt.mbz = 0;
- (void)strcpy(inst, "*");
- if (krb_rd_req(&kt, "rcmd",
- inst, nsd.nsd_haddr, &auth, "") == RD_AP_OK &&
- krb_kntoln(&auth, lnam) == KSUCCESS &&
- (pwd = getpwnam(lnam)) != NULL) {
+#ifdef NFSKERB
+ /*
+ * Get the Kerberos ticket out of the authenticator
+ * verify it and convert the principal name to a user
+ * name. The user name is then converted to a set of
+ * user credentials via the password and group file.
+ * Finally, decrypt the timestamp and validate it.
+ * For more info see the IETF Draft "Authentication
+ * in ONC RPC".
+ */
+ kt.length = ntohl(kt.length);
+ if (gettimeofday(&ktv, (struct timezone *)0) == 0 &&
+ kt.length > 0 && kt.length <=
+ (RPCAUTH_MAXSIZ - 3 * NFSX_UNSIGNED)) {
+ kin.w1 = NFS_KERBW1(kt);
+ kt.mbz = 0;
+ (void)strcpy(inst, "*");
+ if (krb_rd_req(&kt, NFS_KERBSRV,
+ inst, nsd.nsd_haddr, &kauth, "") == RD_AP_OK &&
+ krb_kntoln(&kauth, lnam) == KSUCCESS &&
+ (pwd = getpwnam(lnam)) != NULL) {
cr = &nsd.nsd_cr;
cr->cr_uid = pwd->pw_uid;
cr->cr_groups[0] = pwd->pw_gid;
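Review bot: The new outer `if (gettimeofday(...) == 0 && kt.length > 0 && ...) {` opens a second brace level, but the following hunk shows only the single `}` before `#endif /* NFSKERB */` that the old code already had. Unless a closing brace sits in lines not shown, the block is unterminated in an NFSKERB build. Separately, `kt.length` now comes from the client-supplied authenticator and is bounded by `RPCAUTH_MAXSIZ - 3 * NFSX_UNSIGNED`, not by the size of the ticket buffer. Add a comment or check stating that this limit cannot exceed the data area of `kt` that krb_rd_req() reads. The enclosing `while` loop and main both extend beyond this hunk.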
@@ -284,9 +312,34 @@ main(argc, argv, envp)
break;
}
endgrent();
- nfssvc_flag = NFSSVC_NFSD | NFSSVC_AUTHIN;
+
+ /*
+ * Get the timestamp verifier out of the
+ * authenticator and verifier strings.
+ */
+ kin.t1 = kverf.t1;
+ kin.t2 = kverf.t2;
+ kin.w2 = kverf.w2;
+ bzero((caddr_t)kivec, sizeof (kivec));
+ bcopy((caddr_t)kauth.session,
+ (caddr_t)nsd.nsd_key,sizeof(kauth.session));
+
+ /*
+ * Decrypt the timestamp verifier in CBC mode.
+ */
+ XXX
+
+ /*
+ * Validate the timestamp verifier, to
+ * check that the session key is ok.
+ */
+ nsd.nsd_timestamp.tv_sec = ntohl(kout.t1);
+ nsd.nsd_timestamp.tv_usec = ntohl(kout.t2);
+ nsd.nsd_ttl = ntohl(kout.w1);
+ if ((nsd.nsd_ttl - 1) == ntohl(kout.w2))
+ nfssvc_flag = NFSSVC_NFSD | NFSSVC_AUTHIN;
}
-#endif /* KERBEROS */
+#endif /* NFSKERB */
}
exit(0);
}
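Review bot: The decryption step is a bare `XXX` token, so any build with NFSKERB defined stops compiling at that line. If the token is simply deleted, the validation below reads `kout.t1`, `kout.t2`, `kout.w1` and `kout.w2` from a structure that nothing in the visible code ever fills. The `(nsd.nsd_ttl - 1) == ntohl(kout.w2)` test would then compare values unrelated to the client's verifier, and `nsd.nsd_timestamp` would be handed to the kernel from the same unwritten data. Until the CBC decrypt of `kin` into `kout` exists, make the gap explicit with `#error "NFSKERB timestamp decryption not implemented"` inside the `#ifdef NFSKERB` section. The `ktv` value obtained from gettimeofday() is also never compared with the decrypted timestamp in the lines shown, so the freshness check described in the comment appears to be missing.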
@@ -306,7 +359,8 @@ main(argc, argv, envp)
syslog(LOG_ERR, "can't bind udp addr");
exit(1);
}
- if (!pmap_set(RPCPROG_NFS, NFS_VER2, IPPROTO_UDP, NFS_PORT)) {
+ if (!pmap_set(RPCPROG_NFS, 2, IPPROTO_UDP, NFS_PORT) ||
+ !pmap_set(RPCPROG_NFS, 3, IPPROTO_UDP, NFS_PORT)) {
syslog(LOG_ERR, "can't register with udp portmap");
exit(1);
}
@@ -386,7 +440,8 @@ main(argc, argv, envp)
syslog(LOG_ERR, "listen failed");
exit(1);
}
- if (!pmap_set(RPCPROG_NFS, NFS_VER2, IPPROTO_TCP, NFS_PORT)) {
+ if (!pmap_set(RPCPROG_NFS, 2, IPPROTO_TCP, NFS_PORT) ||
+ !pmap_set(RPCPROG_NFS, 3, IPPROTO_TCP, NFS_PORT)) {
syslog(LOG_ERR, "can't register tcp with portmap");
exit(1);
}
@@ -549,7 +604,6 @@ main(argc, argv, envp)
void
usage()
{
-
(void)fprintf(stderr, "usage: nfsd %s\n", USAGE);
exit(1);
}
@@ -567,5 +621,5 @@ reapchild(signo)
int signo;
{
- while (wait3((int *)0, WNOHANG, (struct rusage *)0) > 0);
+ while (wait3(NULL, WNOHANG, NULL) > 0);
}