FreeBSD/Linux Kernel Cross Reference
sys/kgssapi/gsstest.c
1 /*-
2 * Copyright (c) 2008 Isilon Inc http://www.isilon.com/
3 * Authors: Doug Rabson <dfr@rabson.org>
4 * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org>
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 */
27
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD: releng/11.2/sys/kgssapi/gsstest.c 193066 2009-05-29 21:27:12Z jamie $");
30
31 #include <sys/ctype.h>
32 #include <sys/param.h>
33 #include <sys/kernel.h>
34 #include <sys/kobj.h>
35 #include <sys/malloc.h>
36 #include <sys/module.h>
37 #include <sys/proc.h>
38 #include <sys/socketvar.h>
39 #include <sys/sysent.h>
40 #include <sys/sysproto.h>
41
42 #include <kgssapi/gssapi.h>
43 #include <kgssapi/gssapi_impl.h>
44 #include <rpc/rpc.h>
45 #include <rpc/rpc_com.h>
46 #include <rpc/rpcb_prot.h>
47 #include <rpc/rpcsec_gss.h>
48
49 static void
50 report_error(gss_OID mech, OM_uint32 maj, OM_uint32 min)
51 {
52 OM_uint32 maj_stat, min_stat;
53 OM_uint32 message_context;
54 gss_buffer_desc buf;
55
56 uprintf("major_stat=%d, minor_stat=%d\n", maj, min);
57 message_context = 0;
58 do {
59 maj_stat = gss_display_status(&min_stat, maj,
60 GSS_C_GSS_CODE, GSS_C_NO_OID, &message_context, &buf);
61 if (GSS_ERROR(maj_stat))
62 break;
63 uprintf("%.*s\n", (int)buf.length, (char *) buf.value);
64 gss_release_buffer(&min_stat, &buf);
65 } while (message_context);
66 if (mech && min) {
67 message_context = 0;
68 do {
69 maj_stat = gss_display_status(&min_stat, min,
70 GSS_C_MECH_CODE, mech, &message_context, &buf);
71 if (GSS_ERROR(maj_stat))
72 break;
73 uprintf("%.*s\n", (int)buf.length, (char *) buf.value);
74 gss_release_buffer(&min_stat, &buf);
75 } while (message_context);
76 }
77 }
78
79 #if 0
80 static void
81 send_token_to_peer(const gss_buffer_t token)
82 {
83 const uint8_t *p;
84 size_t i;
85
86 printf("send token:\n");
87 printf("%d ", (int) token->length);
88 p = (const uint8_t *) token->value;
89 for (i = 0; i < token->length; i++)
90 printf("%02x", *p++);
91 printf("\n");
92 }
93
94 static void
95 receive_token_from_peer(gss_buffer_t token)
96 {
97 char line[8192];
98 char *p;
99 uint8_t *q;
100 int len, val;
101
102 printf("receive token:\n");
103 fgets(line, sizeof(line), stdin);
104 if (line[strlen(line) - 1] != '\n') {
105 printf("token truncated\n");
106 exit(1);
107 }
108 p = line;
109 if (sscanf(line, "%d ", &len) != 1) {
110 printf("bad token\n");
111 exit(1);
112 }
113 p = strchr(p, ' ') + 1;
114 token->length = len;
115 token->value = malloc(len);
116 q = (uint8_t *) token->value;
117 while (len) {
118 if (sscanf(p, "%02x", &val) != 1) {
119 printf("bad token\n");
120 exit(1);
121 }
122 *q++ = val;
123 p += 2;
124 len--;
125 }
126 }
127 #endif
128
129 #if 0
130 void
131 server(int argc, char** argv)
132 {
133 OM_uint32 maj_stat, min_stat;
134 gss_buffer_desc input_token, output_token;
135 gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
136 gss_name_t client_name;
137 gss_OID mech_type;
138
139 if (argc != 1)
140 usage();
141
142 do {
143 receive_token_from_peer(&input_token);
144 maj_stat = gss_accept_sec_context(&min_stat,
145 &context_hdl,
146 GSS_C_NO_CREDENTIAL,
147 &input_token,
148 GSS_C_NO_CHANNEL_BINDINGS,
149 &client_name,
150 &mech_type,
151 &output_token,
152 NULL,
153 NULL,
154 NULL);
155 if (GSS_ERROR(maj_stat)) {
156 report_error(mech_type, maj_stat, min_stat);
157 }
158 if (output_token.length != 0) {
159 send_token_to_peer(&output_token);
160 gss_release_buffer(&min_stat, &output_token);
161 }
162 if (GSS_ERROR(maj_stat)) {
163 if (context_hdl != GSS_C_NO_CONTEXT)
164 gss_delete_sec_context(&min_stat,
165 &context_hdl,
166 GSS_C_NO_BUFFER);
167 break;
168 }
169 } while (maj_stat & GSS_S_CONTINUE_NEEDED);
170
171 if (client_name) {
172 gss_buffer_desc name_desc;
173 char buf[512];
174
175 gss_display_name(&min_stat, client_name, &name_desc, NULL);
176 memcpy(buf, name_desc.value, name_desc.length);
177 buf[name_desc.length] = 0;
178 gss_release_buffer(&min_stat, &name_desc);
179 printf("client name is %s\n", buf);
180 }
181
182 receive_token_from_peer(&input_token);
183 gss_unwrap(&min_stat, context_hdl, &input_token, &output_token,
184 NULL, NULL);
185 printf("%.*s\n", (int)output_token.length, (char *) output_token.value);
186 gss_release_buffer(&min_stat, &output_token);
187 }
188 #endif
189
190 /* 1.2.752.43.13.14 */
191 static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc =
192 {6, (void *) "\x2a\x85\x70\x2b\x0d\x0e"};
193
194 gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = &gss_krb5_set_allowable_enctypes_x_desc;
195 #define ETYPE_DES_CBC_CRC 1
196
197 /*
198 * Create an initiator context and acceptor context in the kernel and
199 * use them to exchange signed and sealed messages.
200 */
201 static int
202 gsstest_1(struct thread *td)
203 {
204 OM_uint32 maj_stat, min_stat;
205 OM_uint32 smaj_stat, smin_stat;
206 int context_established = 0;
207 gss_ctx_id_t client_context = GSS_C_NO_CONTEXT;
208 gss_ctx_id_t server_context = GSS_C_NO_CONTEXT;
209 gss_cred_id_t client_cred = GSS_C_NO_CREDENTIAL;
210 gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL;
211 gss_name_t name = GSS_C_NO_NAME;
212 gss_name_t received_name = GSS_C_NO_NAME;
213 gss_buffer_desc name_desc;
214 gss_buffer_desc client_token, server_token, message_buf;
215 gss_OID mech, actual_mech, mech_type;
216 static gss_OID_desc krb5_desc =
217 {9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
218 #if 0
219 static gss_OID_desc spnego_desc =
220 {6, (void *)"\x2b\x06\x01\x05\x05\x02"};
221 static gss_OID_desc ntlm_desc =
222 {10, (void *)"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"};
223 #endif
224 char enctype[sizeof(uint32_t)];
225
226 mech = GSS_C_NO_OID;
227
228 {
229 static char sbuf[512];
230 memcpy(sbuf, "nfs@", 4);
231 getcredhostname(td->td_ucred, sbuf + 4, sizeof(sbuf) - 4);
232 name_desc.value = sbuf;
233 }
234
235 name_desc.length = strlen((const char *) name_desc.value);
236 maj_stat = gss_import_name(&min_stat, &name_desc,
237 GSS_C_NT_HOSTBASED_SERVICE, &name);
238 if (GSS_ERROR(maj_stat)) {
239 printf("gss_import_name failed\n");
240 report_error(mech, maj_stat, min_stat);
241 goto out;
242 }
243
244 maj_stat = gss_acquire_cred(&min_stat, GSS_C_NO_NAME,
245 0, GSS_C_NO_OID_SET, GSS_C_INITIATE, &client_cred,
246 NULL, NULL);
247 if (GSS_ERROR(maj_stat)) {
248 printf("gss_acquire_cred (client) failed\n");
249 report_error(mech, maj_stat, min_stat);
250 goto out;
251 }
252
253 enctype[0] = (ETYPE_DES_CBC_CRC >> 24) & 0xff;
254 enctype[1] = (ETYPE_DES_CBC_CRC >> 16) & 0xff;
255 enctype[2] = (ETYPE_DES_CBC_CRC >> 8) & 0xff;
256 enctype[3] = ETYPE_DES_CBC_CRC & 0xff;
257 message_buf.length = sizeof(enctype);
258 message_buf.value = enctype;
259 maj_stat = gss_set_cred_option(&min_stat, &client_cred,
260 GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X, &message_buf);
261 if (GSS_ERROR(maj_stat)) {
262 printf("gss_set_cred_option failed\n");
263 report_error(mech, maj_stat, min_stat);
264 goto out;
265 }
266
267 server_token.length = 0;
268 server_token.value = NULL;
269 while (!context_established) {
270 client_token.length = 0;
271 client_token.value = NULL;
272 maj_stat = gss_init_sec_context(&min_stat,
273 client_cred,
274 &client_context,
275 name,
276 mech,
277 GSS_C_MUTUAL_FLAG|GSS_C_CONF_FLAG|GSS_C_INTEG_FLAG,
278 0,
279 GSS_C_NO_CHANNEL_BINDINGS,
280 &server_token,
281 &actual_mech,
282 &client_token,
283 NULL,
284 NULL);
285 if (server_token.length)
286 gss_release_buffer(&smin_stat, &server_token);
287 if (GSS_ERROR(maj_stat)) {
288 printf("gss_init_sec_context failed\n");
289 report_error(mech, maj_stat, min_stat);
290 goto out;
291 }
292
293 if (client_token.length != 0) {
294 if (!server_cred) {
295 gss_OID_set_desc oid_set;
296 oid_set.count = 1;
297 oid_set.elements = &krb5_desc;
298 smaj_stat = gss_acquire_cred(&smin_stat,
299 name, 0, &oid_set, GSS_C_ACCEPT, &server_cred,
300 NULL, NULL);
301 if (GSS_ERROR(smaj_stat)) {
302 printf("gss_acquire_cred (server) failed\n");
303 report_error(mech_type, smaj_stat, smin_stat);
304 goto out;
305 }
306 }
307 smaj_stat = gss_accept_sec_context(&smin_stat,
308 &server_context,
309 server_cred,
310 &client_token,
311 GSS_C_NO_CHANNEL_BINDINGS,
312 &received_name,
313 &mech_type,
314 &server_token,
315 NULL,
316 NULL,
317 NULL);
318 if (GSS_ERROR(smaj_stat)) {
319 printf("gss_accept_sec_context failed\n");
320 report_error(mech_type, smaj_stat, smin_stat);
321 goto out;
322 }
323 gss_release_buffer(&min_stat, &client_token);
324 }
325 if (GSS_ERROR(maj_stat)) {
326 if (client_context != GSS_C_NO_CONTEXT)
327 gss_delete_sec_context(&min_stat,
328 &client_context,
329 GSS_C_NO_BUFFER);
330 break;
331 }
332
333 if (maj_stat == GSS_S_COMPLETE) {
334 context_established = 1;
335 }
336 }
337
338 message_buf.length = strlen("Hello world");
339 message_buf.value = (void *) "Hello world";
340
341 maj_stat = gss_get_mic(&min_stat, client_context,
342 GSS_C_QOP_DEFAULT, &message_buf, &client_token);
343 if (GSS_ERROR(maj_stat)) {
344 printf("gss_get_mic failed\n");
345 report_error(mech_type, maj_stat, min_stat);
346 goto out;
347 }
348 maj_stat = gss_verify_mic(&min_stat, server_context,
349 &message_buf, &client_token, NULL);
350 if (GSS_ERROR(maj_stat)) {
351 printf("gss_verify_mic failed\n");
352 report_error(mech_type, maj_stat, min_stat);
353 goto out;
354 }
355 gss_release_buffer(&min_stat, &client_token);
356
357 maj_stat = gss_wrap(&min_stat, client_context,
358 TRUE, GSS_C_QOP_DEFAULT, &message_buf, NULL, &client_token);
359 if (GSS_ERROR(maj_stat)) {
360 printf("gss_wrap failed\n");
361 report_error(mech_type, maj_stat, min_stat);
362 goto out;
363 }
364 maj_stat = gss_unwrap(&min_stat, server_context,
365 &client_token, &server_token, NULL, NULL);
366 if (GSS_ERROR(maj_stat)) {
367 printf("gss_unwrap failed\n");
368 report_error(mech_type, maj_stat, min_stat);
369 goto out;
370 }
371
372 if (message_buf.length != server_token.length
373 || memcmp(message_buf.value, server_token.value,
374 message_buf.length))
375 printf("unwrap result corrupt\n");
376
377 gss_release_buffer(&min_stat, &client_token);
378 gss_release_buffer(&min_stat, &server_token);
379
380 out:
381 if (client_context)
382 gss_delete_sec_context(&min_stat, &client_context,
383 GSS_C_NO_BUFFER);
384 if (server_context)
385 gss_delete_sec_context(&min_stat, &server_context,
386 GSS_C_NO_BUFFER);
387 if (client_cred)
388 gss_release_cred(&min_stat, &client_cred);
389 if (server_cred)
390 gss_release_cred(&min_stat, &server_cred);
391 if (name)
392 gss_release_name(&min_stat, &name);
393 if (received_name)
394 gss_release_name(&min_stat, &received_name);
395
396 return (0);
397 }
398
399 /*
400 * Interoperability with userland. This takes several steps:
401 *
402 * 1. Accept an initiator token from userland, return acceptor
403 * token. Repeat this step until both userland and kernel return
404 * GSS_S_COMPLETE.
405 *
406 * 2. Receive a signed message from userland and verify the
407 * signature. Return a signed reply to userland for it to verify.
408 *
409 * 3. Receive a wrapped message from userland and unwrap it. Return a
410 * wrapped reply to userland.
411 */
412 static int
413 gsstest_2(struct thread *td, int step, const gss_buffer_t input_token,
414 OM_uint32 *maj_stat_res, OM_uint32 *min_stat_res, gss_buffer_t output_token)
415 {
416 OM_uint32 maj_stat, min_stat;
417 static int context_established = 0;
418 static gss_ctx_id_t server_context = GSS_C_NO_CONTEXT;
419 static gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL;
420 static gss_name_t name = GSS_C_NO_NAME;
421 gss_buffer_desc name_desc;
422 gss_buffer_desc message_buf;
423 gss_OID mech_type = GSS_C_NO_OID;
424 char enctype[sizeof(uint32_t)];
425 int error = EINVAL;
426
427 maj_stat = GSS_S_FAILURE;
428 min_stat = 0;
429 switch (step) {
430
431 case 1:
432 if (server_context == GSS_C_NO_CONTEXT) {
433 static char sbuf[512];
434 memcpy(sbuf, "nfs@", 4);
435 getcredhostname(td->td_ucred, sbuf + 4,
436 sizeof(sbuf) - 4);
437 name_desc.value = sbuf;
438 name_desc.length = strlen((const char *)
439 name_desc.value);
440 maj_stat = gss_import_name(&min_stat, &name_desc,
441 GSS_C_NT_HOSTBASED_SERVICE, &name);
442 if (GSS_ERROR(maj_stat)) {
443 printf("gss_import_name failed\n");
444 report_error(mech_type, maj_stat, min_stat);
445 goto out;
446 }
447
448 maj_stat = gss_acquire_cred(&min_stat,
449 name, 0, GSS_C_NO_OID_SET, GSS_C_ACCEPT,
450 &server_cred, NULL, NULL);
451 if (GSS_ERROR(maj_stat)) {
452 printf("gss_acquire_cred (server) failed\n");
453 report_error(mech_type, maj_stat, min_stat);
454 goto out;
455 }
456
457 enctype[0] = (ETYPE_DES_CBC_CRC >> 24) & 0xff;
458 enctype[1] = (ETYPE_DES_CBC_CRC >> 16) & 0xff;
459 enctype[2] = (ETYPE_DES_CBC_CRC >> 8) & 0xff;
460 enctype[3] = ETYPE_DES_CBC_CRC & 0xff;
461 message_buf.length = sizeof(enctype);
462 message_buf.value = enctype;
463 maj_stat = gss_set_cred_option(&min_stat, &server_cred,
464 GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X, &message_buf);
465 if (GSS_ERROR(maj_stat)) {
466 printf("gss_set_cred_option failed\n");
467 report_error(mech_type, maj_stat, min_stat);
468 goto out;
469 }
470 }
471
472 maj_stat = gss_accept_sec_context(&min_stat,
473 &server_context,
474 server_cred,
475 input_token,
476 GSS_C_NO_CHANNEL_BINDINGS,
477 NULL,
478 &mech_type,
479 output_token,
480 NULL,
481 NULL,
482 NULL);
483 if (GSS_ERROR(maj_stat)) {
484 printf("gss_accept_sec_context failed\n");
485 report_error(mech_type, maj_stat, min_stat);
486 goto out;
487 }
488
489 if (maj_stat == GSS_S_COMPLETE) {
490 context_established = 1;
491 }
492 *maj_stat_res = maj_stat;
493 *min_stat_res = min_stat;
494 break;
495
496 case 2:
497 message_buf.length = strlen("Hello world");
498 message_buf.value = (void *) "Hello world";
499
500 maj_stat = gss_verify_mic(&min_stat, server_context,
501 &message_buf, input_token, NULL);
502 if (GSS_ERROR(maj_stat)) {
503 printf("gss_verify_mic failed\n");
504 report_error(mech_type, maj_stat, min_stat);
505 goto out;
506 }
507
508 maj_stat = gss_get_mic(&min_stat, server_context,
509 GSS_C_QOP_DEFAULT, &message_buf, output_token);
510 if (GSS_ERROR(maj_stat)) {
511 printf("gss_get_mic failed\n");
512 report_error(mech_type, maj_stat, min_stat);
513 goto out;
514 }
515 break;
516
517 case 3:
518 maj_stat = gss_unwrap(&min_stat, server_context,
519 input_token, &message_buf, NULL, NULL);
520 if (GSS_ERROR(maj_stat)) {
521 printf("gss_unwrap failed\n");
522 report_error(mech_type, maj_stat, min_stat);
523 goto out;
524 }
525 gss_release_buffer(&min_stat, &message_buf);
526
527 message_buf.length = strlen("Hello world");
528 message_buf.value = (void *) "Hello world";
529 maj_stat = gss_wrap(&min_stat, server_context,
530 TRUE, GSS_C_QOP_DEFAULT, &message_buf, NULL, output_token);
531 if (GSS_ERROR(maj_stat)) {
532 printf("gss_wrap failed\n");
533 report_error(mech_type, maj_stat, min_stat);
534 goto out;
535 }
536 break;
537
538 case 4:
539 maj_stat = gss_unwrap(&min_stat, server_context,
540 input_token, &message_buf, NULL, NULL);
541 if (GSS_ERROR(maj_stat)) {
542 printf("gss_unwrap failed\n");
543 report_error(mech_type, maj_stat, min_stat);
544 goto out;
545 }
546 gss_release_buffer(&min_stat, &message_buf);
547
548 message_buf.length = strlen("Hello world");
549 message_buf.value = (void *) "Hello world";
550 maj_stat = gss_wrap(&min_stat, server_context,
551 FALSE, GSS_C_QOP_DEFAULT, &message_buf, NULL, output_token);
552 if (GSS_ERROR(maj_stat)) {
553 printf("gss_wrap failed\n");
554 report_error(mech_type, maj_stat, min_stat);
555 goto out;
556 }
557 break;
558
559 case 5:
560 error = 0;
561 goto out;
562 }
563 *maj_stat_res = maj_stat;
564 *min_stat_res = min_stat;
565 return (0);
566
567 out:
568 *maj_stat_res = maj_stat;
569 *min_stat_res = min_stat;
570 if (server_context)
571 gss_delete_sec_context(&min_stat, &server_context,
572 GSS_C_NO_BUFFER);
573 if (server_cred)
574 gss_release_cred(&min_stat, &server_cred);
575 if (name)
576 gss_release_name(&min_stat, &name);
577
578 return (error);
579 }
580
581 /*
582 * Create an RPC client handle for the given (address,prog,vers)
583 * triple using UDP.
584 */
585 static CLIENT *
586 gsstest_get_rpc(struct sockaddr *sa, rpcprog_t prog, rpcvers_t vers)
587 {
588 struct thread *td = curthread;
589 const char* protofmly;
590 struct sockaddr_storage ss;
591 struct socket *so;
592 CLIENT *rpcb;
593 struct timeval timo;
594 RPCB parms;
595 char *uaddr;
596 enum clnt_stat stat = RPC_SUCCESS;
597 int rpcvers = RPCBVERS4;
598 bool_t do_tcp = FALSE;
599 struct portmap mapping;
600 u_short port = 0;
601
602 /*
603 * First we need to contact the remote RPCBIND service to find
604 * the right port.
605 */
606 memcpy(&ss, sa, sa->sa_len);
607 switch (ss.ss_family) {
608 case AF_INET:
609 ((struct sockaddr_in *)&ss)->sin_port = htons(111);
610 protofmly = "inet";
611 socreate(AF_INET, &so, SOCK_DGRAM, 0, td->td_ucred, td);
612 break;
613
614 #ifdef INET6
615 case AF_INET6:
616 ((struct sockaddr_in6 *)&ss)->sin6_port = htons(111);
617 protofmly = "inet6";
618 socreate(AF_INET6, &so, SOCK_DGRAM, 0, td->td_ucred, td);
619 break;
620 #endif
621
622 default:
623 /*
624 * Unsupported address family - fail.
625 */
626 return (NULL);
627 }
628
629 rpcb = clnt_dg_create(so, (struct sockaddr *)&ss,
630 RPCBPROG, rpcvers, 0, 0);
631 if (!rpcb)
632 return (NULL);
633
634 try_tcp:
635 parms.r_prog = prog;
636 parms.r_vers = vers;
637 if (do_tcp)
638 parms.r_netid = "tcp";
639 else
640 parms.r_netid = "udp";
641 parms.r_addr = "";
642 parms.r_owner = "";
643
644 /*
645 * Use the default timeout.
646 */
647 timo.tv_sec = 25;
648 timo.tv_usec = 0;
649 again:
650 switch (rpcvers) {
651 case RPCBVERS4:
652 case RPCBVERS:
653 /*
654 * Try RPCBIND 4 then 3.
655 */
656 uaddr = NULL;
657 stat = CLNT_CALL(rpcb, (rpcprog_t) RPCBPROC_GETADDR,
658 (xdrproc_t) xdr_rpcb, &parms,
659 (xdrproc_t) xdr_wrapstring, &uaddr, timo);
660 if (stat == RPC_PROGVERSMISMATCH) {
661 if (rpcvers == RPCBVERS4)
662 rpcvers = RPCBVERS;
663 else if (rpcvers == RPCBVERS)
664 rpcvers = PMAPVERS;
665 CLNT_CONTROL(rpcb, CLSET_VERS, &rpcvers);
666 goto again;
667 } else if (stat == RPC_SUCCESS) {
668 /*
669 * We have a reply from the remote RPCBIND - turn it
670 * into an appropriate address and make a new client
671 * that can talk to the remote service.
672 *
673 * XXX fixup IPv6 scope ID.
674 */
675 struct netbuf *a;
676 a = __rpc_uaddr2taddr_af(ss.ss_family, uaddr);
677 xdr_free((xdrproc_t) xdr_wrapstring, &uaddr);
678 if (!a) {
679 CLNT_DESTROY(rpcb);
680 return (NULL);
681 }
682 memcpy(&ss, a->buf, a->len);
683 free(a->buf, M_RPC);
684 free(a, M_RPC);
685 }
686 break;
687 case PMAPVERS:
688 /*
689 * Try portmap.
690 */
691 mapping.pm_prog = parms.r_prog;
692 mapping.pm_vers = parms.r_vers;
693 mapping.pm_prot = do_tcp ? IPPROTO_TCP : IPPROTO_UDP;
694 mapping.pm_port = 0;
695
696 stat = CLNT_CALL(rpcb, (rpcprog_t) PMAPPROC_GETPORT,
697 (xdrproc_t) xdr_portmap, &mapping,
698 (xdrproc_t) xdr_u_short, &port, timo);
699
700 if (stat == RPC_SUCCESS) {
701 switch (ss.ss_family) {
702 case AF_INET:
703 ((struct sockaddr_in *)&ss)->sin_port =
704 htons(port);
705 break;
706
707 #ifdef INET6
708 case AF_INET6:
709 ((struct sockaddr_in6 *)&ss)->sin6_port =
710 htons(port);
711 break;
712 #endif
713 }
714 }
715 break;
716 default:
717 panic("invalid rpcvers %d", rpcvers);
718 }
719 /*
720 * We may have a positive response from the portmapper, but
721 * the requested service was not found. Make sure we received
722 * a valid port.
723 */
724 switch (ss.ss_family) {
725 case AF_INET:
726 port = ((struct sockaddr_in *)&ss)->sin_port;
727 break;
728 #ifdef INET6
729 case AF_INET6:
730 port = ((struct sockaddr_in6 *)&ss)->sin6_port;
731 break;
732 #endif
733 }
734 if (stat != RPC_SUCCESS || !port) {
735 /*
736 * If we were able to talk to rpcbind or portmap, but the udp
737 * variant wasn't available, ask about tcp.
738 *
739 * XXX - We could also check for a TCP portmapper, but
740 * if the host is running a portmapper at all, we should be able
741 * to hail it over UDP.
742 */
743 if (stat == RPC_SUCCESS && !do_tcp) {
744 do_tcp = TRUE;
745 goto try_tcp;
746 }
747
748 /* Otherwise, bad news. */
749 printf("gsstest_get_rpc: failed to contact remote rpcbind, "
750 "stat = %d, port = %d\n",
751 (int) stat, port);
752 CLNT_DESTROY(rpcb);
753 return (NULL);
754 }
755
756 if (do_tcp) {
757 /*
758 * Destroy the UDP client we used to speak to rpcbind and
759 * recreate as a TCP client.
760 */
761 struct netconfig *nconf = NULL;
762
763 CLNT_DESTROY(rpcb);
764
765 switch (ss.ss_family) {
766 case AF_INET:
767 nconf = getnetconfigent("tcp");
768 break;
769 #ifdef INET6
770 case AF_INET6:
771 nconf = getnetconfigent("tcp6");
772 break;
773 #endif
774 }
775
776 rpcb = clnt_reconnect_create(nconf, (struct sockaddr *)&ss,
777 prog, vers, 0, 0);
778 } else {
779 /*
780 * Re-use the client we used to speak to rpcbind.
781 */
782 CLNT_CONTROL(rpcb, CLSET_SVC_ADDR, &ss);
783 CLNT_CONTROL(rpcb, CLSET_PROG, &prog);
784 CLNT_CONTROL(rpcb, CLSET_VERS, &vers);
785 }
786
787 return (rpcb);
788 }
789
790 /*
791 * RPCSEC_GSS client
792 */
793 static int
794 gsstest_3(struct thread *td)
795 {
796 struct sockaddr_in sin;
797 char service[128];
798 CLIENT *client;
799 AUTH *auth;
800 rpc_gss_options_ret_t options_ret;
801 enum clnt_stat stat;
802 struct timeval tv;
803 rpc_gss_service_t svc;
804 int i;
805
806 sin.sin_len = sizeof(sin);
807 sin.sin_family = AF_INET;
808 sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
809 sin.sin_port = 0;
810
811 client = gsstest_get_rpc((struct sockaddr *) &sin, 123456, 1);
812 if (!client) {
813 uprintf("Can't connect to service\n");
814 return(1);
815 }
816
817 memcpy(service, "host@", 5);
818 getcredhostname(td->td_ucred, service + 5, sizeof(service) - 5);
819
820 auth = rpc_gss_seccreate(client, curthread->td_ucred,
821 service, "kerberosv5", rpc_gss_svc_privacy,
822 NULL, NULL, &options_ret);
823 if (!auth) {
824 gss_OID oid;
825 uprintf("Can't authorize to service (mech=%s)\n",
826 options_ret.actual_mechanism);
827 oid = GSS_C_NO_OID;
828 rpc_gss_mech_to_oid(options_ret.actual_mechanism, &oid);
829 report_error(oid, options_ret.major_status,
830 options_ret.minor_status);
831 CLNT_DESTROY(client);
832 return (1);
833 }
834
835 for (svc = rpc_gss_svc_none; svc <= rpc_gss_svc_privacy; svc++) {
836 const char *svc_names[] = {
837 "rpc_gss_svc_default",
838 "rpc_gss_svc_none",
839 "rpc_gss_svc_integrity",
840 "rpc_gss_svc_privacy"
841 };
842 int num;
843
844 rpc_gss_set_defaults(auth, svc, NULL);
845
846 client->cl_auth = auth;
847 tv.tv_sec = 5;
848 tv.tv_usec = 0;
849 for (i = 42; i < 142; i++) {
850 num = i;
851 stat = CLNT_CALL(client, 1,
852 (xdrproc_t) xdr_int, (char *) &num,
853 (xdrproc_t) xdr_int, (char *) &num, tv);
854 if (stat == RPC_SUCCESS) {
855 if (num != i + 100)
856 uprintf("unexpected reply %d\n", num);
857 } else {
858 uprintf("call failed, stat=%d\n", (int) stat);
859 break;
860 }
861 }
862 if (i == 142)
863 uprintf("call succeeded with %s\n", svc_names[svc]);
864 }
865
866 AUTH_DESTROY(auth);
867 CLNT_RELEASE(client);
868
869 return (0);
870 }
871
872 /*
873 * RPCSEC_GSS server
874 */
875 static rpc_gss_principal_t server_acl = NULL;
876 static bool_t server_new_context(struct svc_req *req, gss_cred_id_t deleg,
877 gss_ctx_id_t gss_context, rpc_gss_lock_t *lock, void **cookie);
878 static void server_program_1(struct svc_req *rqstp, register SVCXPRT *transp);
879
880 static int
881 gsstest_4(struct thread *td)
882 {
883 SVCPOOL *pool;
884 char principal[128 + 5];
885 const char **mechs;
886 static rpc_gss_callback_t cb;
887
888 memcpy(principal, "host@", 5);
889 getcredhostname(td->td_ucred, principal + 5, sizeof(principal) - 5);
890
891 mechs = rpc_gss_get_mechanisms();
892 while (*mechs) {
893 if (!rpc_gss_set_svc_name(principal, *mechs, GSS_C_INDEFINITE,
894 123456, 1)) {
895 rpc_gss_error_t e;
896
897 rpc_gss_get_error(&e);
898 printf("setting name for %s for %s failed: %d, %d\n",
899 principal, *mechs,
900 e.rpc_gss_error, e.system_error);
901 }
902 mechs++;
903 }
904
905 cb.program = 123456;
906 cb.version = 1;
907 cb.callback = server_new_context;
908 rpc_gss_set_callback(&cb);
909
910 pool = svcpool_create("gsstest", NULL);
911
912 svc_create(pool, server_program_1, 123456, 1, NULL);
913 svc_run(pool);
914
915 rpc_gss_clear_svc_name(123456, 1);
916 rpc_gss_clear_callback(&cb);
917
918 svcpool_destroy(pool);
919
920 return (0);
921 }
922
923 static void
924 server_program_1(struct svc_req *rqstp, register SVCXPRT *transp)
925 {
926 rpc_gss_rawcred_t *rcred;
927 rpc_gss_ucred_t *ucred;
928 int i, num;
929
930 if (rqstp->rq_cred.oa_flavor != RPCSEC_GSS) {
931 svcerr_weakauth(rqstp);
932 return;
933 }
934
935 if (!rpc_gss_getcred(rqstp, &rcred, &ucred, NULL)) {
936 svcerr_systemerr(rqstp);
937 return;
938 }
939
940 printf("svc=%d, mech=%s, uid=%d, gid=%d, gids={",
941 rcred->service, rcred->mechanism, ucred->uid, ucred->gid);
942 for (i = 0; i < ucred->gidlen; i++) {
943 if (i > 0) printf(",");
944 printf("%d", ucred->gidlist[i]);
945 }
946 printf("}\n");
947
948 switch (rqstp->rq_proc) {
949 case 0:
950 if (!svc_getargs(rqstp, (xdrproc_t) xdr_void, 0)) {
951 svcerr_decode(rqstp);
952 goto out;
953 }
954 if (!svc_sendreply(rqstp, (xdrproc_t) xdr_void, 0)) {
955 svcerr_systemerr(rqstp);
956 }
957 goto out;
958
959 case 1:
960 if (!svc_getargs(rqstp, (xdrproc_t) xdr_int,
961 (char *) &num)) {
962 svcerr_decode(rqstp);
963 goto out;
964 }
965 num += 100;
966 if (!svc_sendreply(rqstp, (xdrproc_t) xdr_int,
967 (char *) &num)) {
968 svcerr_systemerr(rqstp);
969 }
970 goto out;
971
972 default:
973 svcerr_noproc(rqstp);
974 goto out;
975 }
976
977 out:
978 svc_freereq(rqstp);
979 return;
980 }
981
982 static void
983 print_principal(rpc_gss_principal_t principal)
984 {
985 int i, len, n;
986 uint8_t *p;
987
988 len = principal->len;
989 p = (uint8_t *) principal->name;
990 while (len > 0) {
991 n = len;
992 if (n > 16)
993 n = 16;
994 for (i = 0; i < n; i++)
995 printf("%02x ", p[i]);
996 for (; i < 16; i++)
997 printf(" ");
998 printf("|");
999 for (i = 0; i < n; i++)
1000 printf("%c", isprint(p[i]) ? p[i] : '.');
1001 printf("|\n");
1002 len -= n;
1003 p += n;
1004 }
1005 }
1006
1007 static bool_t
1008 server_new_context(__unused struct svc_req *req,
1009 gss_cred_id_t deleg,
1010 __unused gss_ctx_id_t gss_context,
1011 rpc_gss_lock_t *lock,
1012 __unused void **cookie)
1013 {
1014 rpc_gss_rawcred_t *rcred = lock->raw_cred;
1015 OM_uint32 junk;
1016
1017 printf("new security context version=%d, mech=%s, qop=%s:\n",
1018 rcred->version, rcred->mechanism, rcred->qop);
1019 print_principal(rcred->client_principal);
1020
1021 if (server_acl) {
1022 if (rcred->client_principal->len != server_acl->len
1023 || memcmp(rcred->client_principal->name, server_acl->name,
1024 server_acl->len)) {
1025 return (FALSE);
1026 }
1027 }
1028 gss_release_cred(&junk, &deleg);
1029
1030 return (TRUE);
1031 }
1032
1033 /*
1034 * Hook up a syscall for gssapi testing.
1035 */
1036
1037 struct gsstest_args {
1038 int a_op;
1039 void *a_args;
1040 void *a_res;
1041 };
1042
1043 struct gsstest_2_args {
1044 int step; /* test step number */
1045 gss_buffer_desc input_token; /* token from userland */
1046 gss_buffer_desc output_token; /* buffer to receive reply token */
1047 };
1048 struct gsstest_2_res {
1049 OM_uint32 maj_stat; /* maj_stat from kernel */
1050 OM_uint32 min_stat; /* min_stat from kernel */
1051 gss_buffer_desc output_token; /* reply token (using space from gsstest_2_args.output) */
1052 };
1053
1054 static int
1055 gsstest(struct thread *td, struct gsstest_args *uap)
1056 {
1057 int error;
1058
1059 switch (uap->a_op) {
1060 case 1:
1061 return (gsstest_1(td));
1062
1063 case 2: {
1064 struct gsstest_2_args args;
1065 struct gsstest_2_res res;
1066 gss_buffer_desc input_token, output_token;
1067 OM_uint32 junk;
1068
1069 error = copyin(uap->a_args, &args, sizeof(args));
1070 if (error)
1071 return (error);
1072 input_token.length = args.input_token.length;
1073 input_token.value = malloc(input_token.length, M_GSSAPI,
1074 M_WAITOK);
1075 error = copyin(args.input_token.value, input_token.value,
1076 input_token.length);
1077 if (error) {
1078 gss_release_buffer(&junk, &input_token);
1079 return (error);
1080 }
1081 output_token.length = 0;
1082 output_token.value = NULL;
1083 gsstest_2(td, args.step, &input_token,
1084 &res.maj_stat, &res.min_stat, &output_token);
1085 gss_release_buffer(&junk, &input_token);
1086 if (output_token.length > args.output_token.length) {
1087 gss_release_buffer(&junk, &output_token);
1088 return (EOVERFLOW);
1089 }
1090 res.output_token.length = output_token.length;
1091 res.output_token.value = args.output_token.value;
1092 error = copyout(output_token.value, res.output_token.value,
1093 output_token.length);
1094 gss_release_buffer(&junk, &output_token);
1095 if (error)
1096 return (error);
1097
1098 return (copyout(&res, uap->a_res, sizeof(res)));
1099
1100 break;
1101 }
1102 case 3:
1103 return (gsstest_3(td));
1104 case 4:
1105 return (gsstest_4(td));
1106 }
1107
1108 return (EINVAL);
1109 }
1110
1111 /*
1112 * The `sysent' for the new syscall
1113 */
1114 static struct sysent gsstest_sysent = {
1115 3, /* sy_narg */
1116 (sy_call_t *) gsstest /* sy_call */
1117 };
1118
1119 /*
1120 * The offset in sysent where the syscall is allocated.
1121 */
1122 static int gsstest_offset = NO_SYSCALL;
1123
1124 /*
1125 * The function called at load/unload.
1126 */
1127
1128
1129 static int
1130 gsstest_load(struct module *module, int cmd, void *arg)
1131 {
1132 int error = 0;
1133
1134 switch (cmd) {
1135 case MOD_LOAD :
1136 break;
1137 case MOD_UNLOAD :
1138 break;
1139 default :
1140 error = EOPNOTSUPP;
1141 break;
1142 }
1143 return error;
1144 }
1145
1146 SYSCALL_MODULE(gsstest_syscall, &gsstest_offset, &gsstest_sysent,
1147 gsstest_load, NULL);
Cache object: 895ddca88e0868adfbe5bbb9ac44d3eb
|