experiment: include TOKEN_ORIGIN data into NFS session hash
Posted by Anonymous on Thu 18th Apr 2024 18:19
raw | new post

# experiment: include TOKEN_ORIGIN data into NFS session hash
diff --git a/daemon/nfs41_client.c b/daemon/nfs41_client.c
index d0306a0..97713bf 100644
--- a/daemon/nfs41_client.c
+++ b/daemon/nfs41_client.c
@@ -3,6 +3,7 @@
  *
  * Olga Kornievskaia <aglo@umich.edu>
  * Casey Bodley <cbodley@umich.edu>
+ * Roland Mainz <roland.mainz@nrubsig.org>
  *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Lesser General Public License as published by
@@ -26,6 +27,7 @@
 #include <iphlpapi.h> /* for GetAdaptersAddresses() */
 #include <wincrypt.h> /* for Crypt*() functions */
 #include <winsock2.h> /* for hostent struct */
+#include <processthreadsapi.h>

 #include "tree.h"
 #include "delegation.h"
@@ -370,13 +372,44 @@ int nfs41_client_owner(
     int status;
     char username[UNLEN + 1];
     DWORD len = UNLEN + 1;
+    LUID originatinglogonsession = { 0 };

     if (!GetUserNameA(username, &len)) {
         status = GetLastError();
-        eprintf("GetUserName() failed with %d\n", status);
+        eprintf("nfs41_client_owner: "
+            "GetUserName() failed with %d\n", status);
         goto out;
     }

+#if 0
+    /*
+     * Just using the Windows username is not sufficient - DOS
+     * devices are virtualized based off of the LSA logon
+     * session ID a token has associated with it (otherwise
+     * known as an authentication ID; this value is actually
+     * a bit more granular than the Terminal Server session ID),
+     * which means an user can have multiple logons (e.g. GUI and ssh,
+     * and/or user logons with and without Admin rights etc) with
+     * separate DOS namespaces.
+     *
+     * So we need to add the LSA logon session ID from the
+     * "effective thread token" (thread token when impersonating
+     * an user, or process token if not)
+     */
+    if (!gettokenoriginatinglogonsession(GetCurrentThreadToken()/*GetCurrentThreadEffectiveToken()*/,
+        &originatinglogonsession)) {
+        eprintf("nfs41_client_owner: "
+            "gettokenoriginatinglogonsession() failed\n");
+        //goto out;
+    }
+#endif
+
+    DPRINTF(0, ("nfs41_client_owner: username='%s' "
+        "originatinglogonsession={ 0x%lx, 0x%lx }\n",
+        username,
+        (long)originatinglogonsession.LowPart,
+        (long)originatinglogonsession.HighPart));
+
     /* owner.verifier = "time created" */
     memcpy(owner->co_verifier, &time_created, sizeof(time_created));

@@ -405,6 +438,25 @@ int nfs41_client_owner(
         goto out_hash;
     }

+    /*
+     * |originatinglogonsession| is a |struct _LUID| which can contain
+     * padding bytes with random values, so we need to hash each
+     * member separately
+     */
+    if (!CryptHashData(hash, (const BYTE*)&originatinglogonsession.LowPart,
+        sizeof(originatinglogonsession.LowPart), 0)) {
+        status = GetLastError();
+        eprintf("CryptHashData() failed with %d\n", status);
+        goto out_hash;
+    }
+
+    if (!CryptHashData(hash, (const BYTE*)&originatinglogonsession.HighPart,
+        sizeof(originatinglogonsession.HighPart), 0)) {
+        status = GetLastError();
+        eprintf("CryptHashData() failed with %d\n", status);
+        goto out_hash;
+    }
+
     if (!CryptHashData(hash, (const BYTE*)name, (DWORD)strlen(name), 0)) {
         status = GetLastError();
         eprintf("CryptHashData() failed with %d\n", status);
diff --git a/daemon/nfs41_session.c b/daemon/nfs41_session.c
index 6f4654d..98a2ccb 100644
--- a/daemon/nfs41_session.c
+++ b/daemon/nfs41_session.c
@@ -409,10 +409,10 @@ int nfs41_session_set_lease(

     session->lease_time = lease_time;
     session->renew.cancel_event = CreateEventA(NULL, TRUE, FALSE,
-        "renew.cancel_event");
+        NULL);
     if (!valid_handle(session->renew.cancel_event)) {
         status = GetLastError();
-        eprintf("nfs41_session_set_lease: CreateEventA() failed %d\n",
+        eprintf("nfs41_session_set_lease: CreateEventA() failed, status=%d\n",
             status);
         goto out;
     }
diff --git a/daemon/util.c b/daemon/util.c
index 741a653..8bed743 100644
--- a/daemon/util.c
+++ b/daemon/util.c
@@ -717,3 +717,21 @@ bool getwinntversionnnumbers(

     return true;
 }
+
+bool gettokenoriginatinglogonsession(HANDLE tok, LUID *pluid)
+{
+    DWORD returnedLength;
+    TOKEN_ORIGIN torigin;
+
+    if (!GetTokenInformation(tok, TokenOrigin, &torigin,
+        sizeof(torigin), &returnedLength)) {
+        eprintf("gettokenoriginatinglogonsession: "
+            "GetTokenInformation(tok=0x%p) failed, status=%d\n",
+            (void *)tok, (int)GetLastError());
+        return false;
+    }
+
+    (void)memcpy(pluid, &torigin.OriginatingLogonSession, sizeof(LUID));
+
+    return true;
+}
diff --git a/daemon/util.h b/daemon/util.h
index b1bdc8a..710728f 100644
--- a/daemon/util.h
+++ b/daemon/util.h
@@ -284,4 +284,6 @@ bool_t waitcriticalsection(LPCRITICAL_SECTION cs);

 bool getwinntversionnnumbers(DWORD *MajorVersionPtr, DWORD *MinorVersionPtr, DWORD *BuildNumberPtr);

+bool gettokenoriginatinglogonsession(HANDLE tok, LUID *pluid);
+
 #endif /* !__NFS41_DAEMON_UTIL_H__ */