Date: Thu, 9 Jan 2025 04:04:55 GMT
Message-Id: <202501090404.50944tHK031166@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Gleb Smirnoff Subject: git: 2834fd2ad58b - main - kgssapi: remove the debug module List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: glebius X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 2834fd2ad58b42c45aa02d0cd21fc1c04b3c278a Auto-Submitted: auto-generated The branch main has been updated by glebius: URL: https://cgit.FreeBSD.org/src/commit/?id=2834fd2ad58b42c45aa02d0cd21fc1c04b3c278a commit 2834fd2ad58b42c45aa02d0cd21fc1c04b3c278a Author: Gleb Smirnoff AuthorDate: 2025-01-09 04:00:12 +0000 Commit: Gleb Smirnoff CommitDate: 2025-01-09 04:00:12 +0000 kgssapi: remove the debug module Its build was disabled since original bulk check-in in 2008. Today it fails to compile due to multiple errors. I also tried to build it on stable/10, and that failed, too. I guess it wasn't buildable since initial check-in. --- sys/conf/files | 1 - sys/conf/options | 1 - sys/kgssapi/gsstest.c | 1145 ------------------------------------------------- 3 files changed, 1147 deletions(-) diff --git a/sys/conf/files b/sys/conf/files index 428a2805768c..d358737c5613 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -4038,7 +4038,6 @@ kgssapi/krb5/krb5_mech.c optional kgssapi kgssapi/krb5/kcrypto.c optional kgssapi kgssapi/krb5/kcrypto_aes.c optional kgssapi kgssapi/kgss_if.m optional kgssapi -kgssapi/gsstest.c optional kgssapi_debug # These files in libkern/ are those needed by all architectures. Some # of the files in libkern/ are only needed on some architectures, e.g., # libkern/divdi3.c is needed by i386 but not alpha. Also, some of these 
diff --git a/sys/conf/options b/sys/conf/options index 438d0e81889c..c467dc9995c2 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -290,7 +290,6 @@ TARFS_DEBUG opt_tarfs.h # In-kernel GSS-API KGSSAPI opt_kgssapi.h -KGSSAPI_DEBUG opt_kgssapi.h # These static filesystems have one slightly bogus static dependency in # sys/i386/i386/autoconf.c. If any of these filesystems are diff --git a/sys/kgssapi/gsstest.c b/sys/kgssapi/gsstest.c deleted file mode 100644 index e47b25042d1c..000000000000 --- a/sys/kgssapi/gsstest.c +++ /dev/null 
@@ -1,1145 +0,0 @@ -/*- - * SPDX-License-Identifier: BSD-2-Clause - * - * Copyright (c) 2008 Isilon Inc http://www.isilon.com/ - * Authors: Doug Rabson - * Developed with Red Inc: Alfred Perlstein - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include - -static void -report_error(gss_OID mech, OM_uint32 maj, OM_uint32 min) -{ - OM_uint32 maj_stat, min_stat; - OM_uint32 message_context; - gss_buffer_desc buf; - - uprintf("major_stat=%d, minor_stat=%d\n", maj, min); - message_context = 0; - do { - maj_stat = gss_display_status(&min_stat, maj, - GSS_C_GSS_CODE, GSS_C_NO_OID, &message_context, &buf); - if (GSS_ERROR(maj_stat)) - break; - uprintf("%.*s\n", (int)buf.length, (char *) buf.value); - gss_release_buffer(&min_stat, &buf); - } while (message_context); - if (mech && min) { - message_context = 0; - do { - maj_stat = gss_display_status(&min_stat, min, - GSS_C_MECH_CODE, mech, &message_context, &buf); - if (GSS_ERROR(maj_stat)) - break; - uprintf("%.*s\n", (int)buf.length, (char *) buf.value); - gss_release_buffer(&min_stat, &buf); - } while (message_context); - } -} - -#if 0 -static void -send_token_to_peer(const gss_buffer_t token) -{ - const uint8_t *p; - size_t i; - - printf("send token:\n"); - printf("%d ", (int) token->length); - p = (const uint8_t *) token->value; - for (i = 0; i < token->length; i++) - printf("%02x", *p++); - printf("\n"); -} - -static void -receive_token_from_peer(gss_buffer_t token) -{ - char line[8192]; - char *p; - uint8_t *q; - int len, val; - - printf("receive token:\n"); - fgets(line, sizeof(line), stdin); - if (line[strlen(line) - 1] != '\n') { - printf("token truncated\n"); - exit(1); - } - p = line; - if (sscanf(line, "%d ", &len) != 1) { - printf("bad token\n"); - exit(1); - } - p = strchr(p, ' ') + 1; - token->length = len; - token->value = malloc(len); - q = (uint8_t *) token->value; - while (len) { - if (sscanf(p, "%02x", &val) != 1) { - printf("bad token\n"); - exit(1); - } - *q++ = val; - p += 2; - len--; - } -} -#endif - -#if 0 -void -server(int argc, char** argv) -{ - OM_uint32 maj_stat, 
min_stat; - gss_buffer_desc input_token, output_token; - gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT; - gss_name_t client_name; - gss_OID mech_type; - - if (argc != 1) - usage(); - - do { - receive_token_from_peer(&input_token); - maj_stat = gss_accept_sec_context(&min_stat, - &context_hdl, - GSS_C_NO_CREDENTIAL, - &input_token, - GSS_C_NO_CHANNEL_BINDINGS, - &client_name, - &mech_type, - &output_token, - NULL, - NULL, - NULL); - if (GSS_ERROR(maj_stat)) { - report_error(mech_type, maj_stat, min_stat); - } - if (output_token.length != 0) { - send_token_to_peer(&output_token); - gss_release_buffer(&min_stat, &output_token); - } - if (GSS_ERROR(maj_stat)) { - if (context_hdl != GSS_C_NO_CONTEXT) - gss_delete_sec_context(&min_stat, - &context_hdl, - GSS_C_NO_BUFFER); - break; - } - } while (maj_stat & GSS_S_CONTINUE_NEEDED); - - if (client_name) { - gss_buffer_desc name_desc; - char buf[512]; - - gss_display_name(&min_stat, client_name, &name_desc, NULL); - memcpy(buf, name_desc.value, name_desc.length); - buf[name_desc.length] = 0; - gss_release_buffer(&min_stat, &name_desc); - printf("client name is %s\n", buf); - } - - receive_token_from_peer(&input_token); - gss_unwrap(&min_stat, context_hdl, &input_token, &output_token, - NULL, NULL); - printf("%.*s\n", (int)output_token.length, (char *) output_token.value); - gss_release_buffer(&min_stat, &output_token); -} -#endif - -/* 1.2.752.43.13.14 */ -static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc = -{6, (void *) "\x2a\x85\x70\x2b\x0d\x0e"}; - -gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = &gss_krb5_set_allowable_enctypes_x_desc; -#define ETYPE_DES_CBC_CRC 1 - -/* - * Create an initiator context and acceptor context in the kernel and - * use them to exchange signed and sealed messages. 
- */ -static int -gsstest_1(struct thread *td) -{ - OM_uint32 maj_stat, min_stat; - OM_uint32 smaj_stat, smin_stat; - int context_established = 0; - gss_ctx_id_t client_context = GSS_C_NO_CONTEXT; - gss_ctx_id_t server_context = GSS_C_NO_CONTEXT; - gss_cred_id_t client_cred = GSS_C_NO_CREDENTIAL; - gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL; - gss_name_t name = GSS_C_NO_NAME; - gss_name_t received_name = GSS_C_NO_NAME; - gss_buffer_desc name_desc; - gss_buffer_desc client_token, server_token, message_buf; - gss_OID mech, actual_mech, mech_type; - static gss_OID_desc krb5_desc = - {9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"}; -#if 0 - static gss_OID_desc spnego_desc = - {6, (void *)"\x2b\x06\x01\x05\x05\x02"}; - static gss_OID_desc ntlm_desc = - {10, (void *)"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"}; -#endif - char enctype[sizeof(uint32_t)]; - - mech = GSS_C_NO_OID; - - { - static char sbuf[512]; - memcpy(sbuf, "nfs@", 4); - getcredhostname(td->td_ucred, sbuf + 4, sizeof(sbuf) - 4); - name_desc.value = sbuf; - } - - name_desc.length = strlen((const char *) name_desc.value); - maj_stat = gss_import_name(&min_stat, &name_desc, - GSS_C_NT_HOSTBASED_SERVICE, &name); - if (GSS_ERROR(maj_stat)) { - printf("gss_import_name failed\n"); - report_error(mech, maj_stat, min_stat); - goto out; - } - - maj_stat = gss_acquire_cred(&min_stat, GSS_C_NO_NAME, - 0, GSS_C_NO_OID_SET, GSS_C_INITIATE, &client_cred, - NULL, NULL); - if (GSS_ERROR(maj_stat)) { - printf("gss_acquire_cred (client) failed\n"); - report_error(mech, maj_stat, min_stat); - goto out; - } - - enctype[0] = (ETYPE_DES_CBC_CRC >> 24) & 0xff; - enctype[1] = (ETYPE_DES_CBC_CRC >> 16) & 0xff; - enctype[2] = (ETYPE_DES_CBC_CRC >> 8) & 0xff; - enctype[3] = ETYPE_DES_CBC_CRC & 0xff; - message_buf.length = sizeof(enctype); - message_buf.value = enctype; - maj_stat = gss_set_cred_option(&min_stat, &client_cred, - GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X, &message_buf); - if (GSS_ERROR(maj_stat)) { - 
printf("gss_set_cred_option failed\n"); - report_error(mech, maj_stat, min_stat); - goto out; - } - - server_token.length = 0; - server_token.value = NULL; - while (!context_established) { - client_token.length = 0; - client_token.value = NULL; - maj_stat = gss_init_sec_context(&min_stat, - client_cred, - &client_context, - name, - mech, - GSS_C_MUTUAL_FLAG|GSS_C_CONF_FLAG|GSS_C_INTEG_FLAG, - 0, - GSS_C_NO_CHANNEL_BINDINGS, - &server_token, - &actual_mech, - &client_token, - NULL, - NULL); - if (server_token.length) - gss_release_buffer(&smin_stat, &server_token); - if (GSS_ERROR(maj_stat)) { - printf("gss_init_sec_context failed\n"); - report_error(mech, maj_stat, min_stat); - goto out; - } - - if (client_token.length != 0) { - if (!server_cred) { - gss_OID_set_desc oid_set; - oid_set.count = 1; - oid_set.elements = &krb5_desc; - smaj_stat = gss_acquire_cred(&smin_stat, - name, 0, &oid_set, GSS_C_ACCEPT, &server_cred, - NULL, NULL); - if (GSS_ERROR(smaj_stat)) { - printf("gss_acquire_cred (server) failed\n"); - report_error(mech_type, smaj_stat, smin_stat); - goto out; - } - } - smaj_stat = gss_accept_sec_context(&smin_stat, - &server_context, - server_cred, - &client_token, - GSS_C_NO_CHANNEL_BINDINGS, - &received_name, - &mech_type, - &server_token, - NULL, - NULL, - NULL); - if (GSS_ERROR(smaj_stat)) { - printf("gss_accept_sec_context failed\n"); - report_error(mech_type, smaj_stat, smin_stat); - goto out; - } - gss_release_buffer(&min_stat, &client_token); - } - if (GSS_ERROR(maj_stat)) { - if (client_context != GSS_C_NO_CONTEXT) - gss_delete_sec_context(&min_stat, - &client_context, - GSS_C_NO_BUFFER); - break; - } - - if (maj_stat == GSS_S_COMPLETE) { - context_established = 1; - } - } - - message_buf.length = strlen("Hello world"); - message_buf.value = (void *) "Hello world"; - - maj_stat = gss_get_mic(&min_stat, client_context, - GSS_C_QOP_DEFAULT, &message_buf, &client_token); - if (GSS_ERROR(maj_stat)) { - printf("gss_get_mic failed\n"); - 
report_error(mech_type, maj_stat, min_stat); - goto out; - } - maj_stat = gss_verify_mic(&min_stat, server_context, - &message_buf, &client_token, NULL); - if (GSS_ERROR(maj_stat)) { - printf("gss_verify_mic failed\n"); - report_error(mech_type, maj_stat, min_stat); - goto out; - } - gss_release_buffer(&min_stat, &client_token); - - maj_stat = gss_wrap(&min_stat, client_context, - TRUE, GSS_C_QOP_DEFAULT, &message_buf, NULL, &client_token); - if (GSS_ERROR(maj_stat)) { - printf("gss_wrap failed\n"); - report_error(mech_type, maj_stat, min_stat); - goto out; - } - maj_stat = gss_unwrap(&min_stat, server_context, - &client_token, &server_token, NULL, NULL); - if (GSS_ERROR(maj_stat)) { - printf("gss_unwrap failed\n"); - report_error(mech_type, maj_stat, min_stat); - goto out; - } - - if (message_buf.length != server_token.length - || memcmp(message_buf.value, server_token.value, - message_buf.length)) - printf("unwrap result corrupt\n"); - - gss_release_buffer(&min_stat, &client_token); - gss_release_buffer(&min_stat, &server_token); - -out: - if (client_context) - gss_delete_sec_context(&min_stat, &client_context, - GSS_C_NO_BUFFER); - if (server_context) - gss_delete_sec_context(&min_stat, &server_context, - GSS_C_NO_BUFFER); - if (client_cred) - gss_release_cred(&min_stat, &client_cred); - if (server_cred) - gss_release_cred(&min_stat, &server_cred); - if (name) - gss_release_name(&min_stat, &name); - if (received_name) - gss_release_name(&min_stat, &received_name); - - return (0); -} - -/* - * Interoperability with userland. This takes several steps: - * - * 1. Accept an initiator token from userland, return acceptor - * token. Repeat this step until both userland and kernel return - * GSS_S_COMPLETE. - * - * 2. Receive a signed message from userland and verify the - * signature. Return a signed reply to userland for it to verify. - * - * 3. Receive a wrapped message from userland and unwrap it. Return a - * wrapped reply to userland. 
- */ -static int -gsstest_2(struct thread *td, int step, const gss_buffer_t input_token, - OM_uint32 *maj_stat_res, OM_uint32 *min_stat_res, gss_buffer_t output_token) -{ - OM_uint32 maj_stat, min_stat; - static int context_established = 0; - static gss_ctx_id_t server_context = GSS_C_NO_CONTEXT; - static gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL; - static gss_name_t name = GSS_C_NO_NAME; - gss_buffer_desc name_desc; - gss_buffer_desc message_buf; - gss_OID mech_type = GSS_C_NO_OID; - char enctype[sizeof(uint32_t)]; - int error = EINVAL; - - maj_stat = GSS_S_FAILURE; - min_stat = 0; - switch (step) { - case 1: - if (server_context == GSS_C_NO_CONTEXT) { - static char sbuf[512]; - memcpy(sbuf, "nfs@", 4); - getcredhostname(td->td_ucred, sbuf + 4, - sizeof(sbuf) - 4); - name_desc.value = sbuf; - name_desc.length = strlen((const char *) - name_desc.value); - maj_stat = gss_import_name(&min_stat, &name_desc, - GSS_C_NT_HOSTBASED_SERVICE, &name); - if (GSS_ERROR(maj_stat)) { - printf("gss_import_name failed\n"); - report_error(mech_type, maj_stat, min_stat); - goto out; - } - - maj_stat = gss_acquire_cred(&min_stat, - name, 0, GSS_C_NO_OID_SET, GSS_C_ACCEPT, - &server_cred, NULL, NULL); - if (GSS_ERROR(maj_stat)) { - printf("gss_acquire_cred (server) failed\n"); - report_error(mech_type, maj_stat, min_stat); - goto out; - } - - enctype[0] = (ETYPE_DES_CBC_CRC >> 24) & 0xff; - enctype[1] = (ETYPE_DES_CBC_CRC >> 16) & 0xff; - enctype[2] = (ETYPE_DES_CBC_CRC >> 8) & 0xff; - enctype[3] = ETYPE_DES_CBC_CRC & 0xff; - message_buf.length = sizeof(enctype); - message_buf.value = enctype; - maj_stat = gss_set_cred_option(&min_stat, &server_cred, - GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X, &message_buf); - if (GSS_ERROR(maj_stat)) { - printf("gss_set_cred_option failed\n"); - report_error(mech_type, maj_stat, min_stat); - goto out; - } - } - - maj_stat = gss_accept_sec_context(&min_stat, - &server_context, - server_cred, - input_token, - GSS_C_NO_CHANNEL_BINDINGS, - NULL, - 
&mech_type, - output_token, - NULL, - NULL, - NULL); - if (GSS_ERROR(maj_stat)) { - printf("gss_accept_sec_context failed\n"); - report_error(mech_type, maj_stat, min_stat); - goto out; - } - - if (maj_stat == GSS_S_COMPLETE) { - context_established = 1; - } - *maj_stat_res = maj_stat; - *min_stat_res = min_stat; - break; - - case 2: - message_buf.length = strlen("Hello world"); - message_buf.value = (void *) "Hello world"; - - maj_stat = gss_verify_mic(&min_stat, server_context, - &message_buf, input_token, NULL); - if (GSS_ERROR(maj_stat)) { - printf("gss_verify_mic failed\n"); - report_error(mech_type, maj_stat, min_stat); - goto out; - } - - maj_stat = gss_get_mic(&min_stat, server_context, - GSS_C_QOP_DEFAULT, &message_buf, output_token); - if (GSS_ERROR(maj_stat)) { - printf("gss_get_mic failed\n"); - report_error(mech_type, maj_stat, min_stat); - goto out; - } - break; - - case 3: - maj_stat = gss_unwrap(&min_stat, server_context, - input_token, &message_buf, NULL, NULL); - if (GSS_ERROR(maj_stat)) { - printf("gss_unwrap failed\n"); - report_error(mech_type, maj_stat, min_stat); - goto out; - } - gss_release_buffer(&min_stat, &message_buf); - - message_buf.length = strlen("Hello world"); - message_buf.value = (void *) "Hello world"; - maj_stat = gss_wrap(&min_stat, server_context, - TRUE, GSS_C_QOP_DEFAULT, &message_buf, NULL, output_token); - if (GSS_ERROR(maj_stat)) { - printf("gss_wrap failed\n"); - report_error(mech_type, maj_stat, min_stat); - goto out; - } - break; - - case 4: - maj_stat = gss_unwrap(&min_stat, server_context, - input_token, &message_buf, NULL, NULL); - if (GSS_ERROR(maj_stat)) { - printf("gss_unwrap failed\n"); - report_error(mech_type, maj_stat, min_stat); - goto out; - } - gss_release_buffer(&min_stat, &message_buf); - - message_buf.length = strlen("Hello world"); - message_buf.value = (void *) "Hello world"; - maj_stat = gss_wrap(&min_stat, server_context, - FALSE, GSS_C_QOP_DEFAULT, &message_buf, NULL, output_token); - if 
(GSS_ERROR(maj_stat)) { - printf("gss_wrap failed\n"); - report_error(mech_type, maj_stat, min_stat); - goto out; - } - break; - - case 5: - error = 0; - goto out; - } - *maj_stat_res = maj_stat; - *min_stat_res = min_stat; - return (0); - -out: - *maj_stat_res = maj_stat; - *min_stat_res = min_stat; - if (server_context) - gss_delete_sec_context(&min_stat, &server_context, - GSS_C_NO_BUFFER); - if (server_cred) - gss_release_cred(&min_stat, &server_cred); - if (name) - gss_release_name(&min_stat, &name); - - return (error); -} - -/* - * Create an RPC client handle for the given (address,prog,vers) - * triple using UDP. - */ -static CLIENT * -gsstest_get_rpc(struct sockaddr *sa, rpcprog_t prog, rpcvers_t vers) -{ - struct thread *td = curthread; - const char* protofmly; - struct sockaddr_storage ss; - struct socket *so; - CLIENT *rpcb; - struct timeval timo; - RPCB parms; - char *uaddr; - enum clnt_stat stat = RPC_SUCCESS; - int rpcvers = RPCBVERS4; - bool_t do_tcp = FALSE; - struct portmap mapping; - u_short port = 0; - - /* - * First we need to contact the remote RPCBIND service to find - * the right port. - */ - memcpy(&ss, sa, sa->sa_len); - switch (ss.ss_family) { - case AF_INET: - ((struct sockaddr_in *)&ss)->sin_port = htons(111); - protofmly = "inet"; - socreate(AF_INET, &so, SOCK_DGRAM, 0, td->td_ucred, td); - break; - -#ifdef INET6 - case AF_INET6: - ((struct sockaddr_in6 *)&ss)->sin6_port = htons(111); - protofmly = "inet6"; - socreate(AF_INET6, &so, SOCK_DGRAM, 0, td->td_ucred, td); - break; -#endif - - default: - /* - * Unsupported address family - fail. - */ - return (NULL); - } - - rpcb = clnt_dg_create(so, (struct sockaddr *)&ss, - RPCBPROG, rpcvers, 0, 0); - if (!rpcb) - return (NULL); - -try_tcp: - parms.r_prog = prog; - parms.r_vers = vers; - if (do_tcp) - parms.r_netid = "tcp"; - else - parms.r_netid = "udp"; - parms.r_addr = ""; - parms.r_owner = ""; - - /* - * Use the default timeout. 
- */ - timo.tv_sec = 25; - timo.tv_usec = 0; -again: - switch (rpcvers) { - case RPCBVERS4: - case RPCBVERS: - /* - * Try RPCBIND 4 then 3. - */ - uaddr = NULL; - stat = CLNT_CALL(rpcb, (rpcprog_t) RPCBPROC_GETADDR, - (xdrproc_t) xdr_rpcb, &parms, - (xdrproc_t) xdr_wrapstring, &uaddr, timo); - if (stat == RPC_PROGVERSMISMATCH) { - if (rpcvers == RPCBVERS4) - rpcvers = RPCBVERS; - else if (rpcvers == RPCBVERS) - rpcvers = PMAPVERS; - CLNT_CONTROL(rpcb, CLSET_VERS, &rpcvers); - goto again; - } else if (stat == RPC_SUCCESS) { - /* - * We have a reply from the remote RPCBIND - turn it - * into an appropriate address and make a new client - * that can talk to the remote service. - * - * XXX fixup IPv6 scope ID. - */ - struct netbuf *a; - a = __rpc_uaddr2taddr_af(ss.ss_family, uaddr); - xdr_free((xdrproc_t) xdr_wrapstring, &uaddr); - if (!a) { - CLNT_DESTROY(rpcb); - return (NULL); - } - memcpy(&ss, a->buf, a->len); - free(a->buf, M_RPC); - free(a, M_RPC); - } - break; - case PMAPVERS: - /* - * Try portmap. - */ - mapping.pm_prog = parms.r_prog; - mapping.pm_vers = parms.r_vers; - mapping.pm_prot = do_tcp ? IPPROTO_TCP : IPPROTO_UDP; - mapping.pm_port = 0; - - stat = CLNT_CALL(rpcb, (rpcprog_t) PMAPPROC_GETPORT, - (xdrproc_t) xdr_portmap, &mapping, - (xdrproc_t) xdr_u_short, &port, timo); - - if (stat == RPC_SUCCESS) { - switch (ss.ss_family) { - case AF_INET: - ((struct sockaddr_in *)&ss)->sin_port = - htons(port); - break; - -#ifdef INET6 - case AF_INET6: - ((struct sockaddr_in6 *)&ss)->sin6_port = - htons(port); - break; -#endif - } - } - break; - default: - panic("invalid rpcvers %d", rpcvers); - } - /* - * We may have a positive response from the portmapper, but - * the requested service was not found. Make sure we received - * a valid port. 
- */ - switch (ss.ss_family) { - case AF_INET: - port = ((struct sockaddr_in *)&ss)->sin_port; - break; -#ifdef INET6 - case AF_INET6: - port = ((struct sockaddr_in6 *)&ss)->sin6_port; - break; -#endif - } - if (stat != RPC_SUCCESS || !port) { - /* - * If we were able to talk to rpcbind or portmap, but the udp - * variant wasn't available, ask about tcp. - * - * XXX - We could also check for a TCP portmapper, but - * if the host is running a portmapper at all, we should be able - * to hail it over UDP. - */ - if (stat == RPC_SUCCESS && !do_tcp) { - do_tcp = TRUE; - goto try_tcp; - } - - /* Otherwise, bad news. */ - printf("gsstest_get_rpc: failed to contact remote rpcbind, " - "stat = %d, port = %d\n", - (int) stat, port); - CLNT_DESTROY(rpcb); - return (NULL); - } - - if (do_tcp) { - /* - * Destroy the UDP client we used to speak to rpcbind and - * recreate as a TCP client. - */ - struct netconfig *nconf = NULL; - - CLNT_DESTROY(rpcb); - - switch (ss.ss_family) { - case AF_INET: - nconf = getnetconfigent("tcp"); - break; -#ifdef INET6 - case AF_INET6: - nconf = getnetconfigent("tcp6"); - break; -#endif - } - - rpcb = clnt_reconnect_create(nconf, (struct sockaddr *)&ss, - prog, vers, 0, 0); - } else { - /* - * Re-use the client we used to speak to rpcbind. 
- */ - CLNT_CONTROL(rpcb, CLSET_SVC_ADDR, &ss); - CLNT_CONTROL(rpcb, CLSET_PROG, &prog); - CLNT_CONTROL(rpcb, CLSET_VERS, &vers); - } - - return (rpcb); -} - -/* - * RPCSEC_GSS client - */ -static int -gsstest_3(struct thread *td) -{ - struct sockaddr_in sin; - char service[128]; - CLIENT *client; - AUTH *auth; - rpc_gss_options_ret_t options_ret; - enum clnt_stat stat; - struct timeval tv; - rpc_gss_service_t svc; - int i; - - sin.sin_len = sizeof(sin); - sin.sin_family = AF_INET; - sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK); - sin.sin_port = 0; - - client = gsstest_get_rpc((struct sockaddr *) &sin, 123456, 1); - if (!client) { - uprintf("Can't connect to service\n"); - return(1); - } - - memcpy(service, "host@", 5); - getcredhostname(td->td_ucred, service + 5, sizeof(service) - 5); - - auth = rpc_gss_seccreate(client, curthread->td_ucred, - service, "kerberosv5", rpc_gss_svc_privacy, - NULL, NULL, &options_ret); - if (!auth) { - gss_OID oid; - uprintf("Can't authorize to service (mech=%s)\n", - options_ret.actual_mechanism); - oid = GSS_C_NO_OID; - rpc_gss_mech_to_oid(options_ret.actual_mechanism, &oid); - report_error(oid, options_ret.major_status, - options_ret.minor_status); - CLNT_DESTROY(client); - return (1); - } - - for (svc = rpc_gss_svc_none; svc <= rpc_gss_svc_privacy; svc++) { - const char *svc_names[] = { - "rpc_gss_svc_default", - "rpc_gss_svc_none", - "rpc_gss_svc_integrity", - "rpc_gss_svc_privacy" - }; - int num; - - rpc_gss_set_defaults(auth, svc, NULL); - - client->cl_auth = auth; - tv.tv_sec = 5; - tv.tv_usec = 0; - for (i = 42; i < 142; i++) { - num = i; - stat = CLNT_CALL(client, 1, - (xdrproc_t) xdr_int, (char *) &num, - (xdrproc_t) xdr_int, (char *) &num, tv); - if (stat == RPC_SUCCESS) { - if (num != i + 100) - uprintf("unexpected reply %d\n", num); - } else { - uprintf("call failed, stat=%d\n", (int) stat); - break; - } - } - if (i == 142) - uprintf("call succeeded with %s\n", svc_names[svc]); - } - - AUTH_DESTROY(auth); - 
CLNT_RELEASE(client); - - return (0); -} - -/* - * RPCSEC_GSS server - */ -static rpc_gss_principal_t server_acl = NULL; -static bool_t server_new_context(struct svc_req *req, gss_cred_id_t deleg, - gss_ctx_id_t gss_context, rpc_gss_lock_t *lock, void **cookie); -static void server_program_1(struct svc_req *rqstp, register SVCXPRT *transp); - -static int -gsstest_4(struct thread *td) -{ - SVCPOOL *pool; - char principal[128 + 5]; - const char **mechs; - static rpc_gss_callback_t cb; - - memcpy(principal, "host@", 5); - getcredhostname(td->td_ucred, principal + 5, sizeof(principal) - 5); - - mechs = rpc_gss_get_mechanisms(); - while (*mechs) { - if (!rpc_gss_set_svc_name(principal, *mechs, GSS_C_INDEFINITE, - 123456, 1)) { - rpc_gss_error_t e; - - rpc_gss_get_error(&e); - printf("setting name for %s for %s failed: %d, %d\n", - principal, *mechs, - e.rpc_gss_error, e.system_error); - } - mechs++; - } - - cb.program = 123456; - cb.version = 1; - cb.callback = server_new_context; - rpc_gss_set_callback(&cb); - - pool = svcpool_create("gsstest", NULL); - - svc_create(pool, server_program_1, 123456, 1, NULL); - svc_run(pool); - - rpc_gss_clear_svc_name(123456, 1); - rpc_gss_clear_callback(&cb); - - svcpool_destroy(pool); - - return (0); -} - -static void -server_program_1(struct svc_req *rqstp, register SVCXPRT *transp) -{ - rpc_gss_rawcred_t *rcred; - rpc_gss_ucred_t *ucred; - int i, num; - - if (rqstp->rq_cred.oa_flavor != RPCSEC_GSS) { - svcerr_weakauth(rqstp); - return; - } - - if (!rpc_gss_getcred(rqstp, &rcred, &ucred, NULL)) { - svcerr_systemerr(rqstp); *** 210 LINES SKIPPED ***
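Review bot: on the sys/conf/files hunk, dropping `kgssapi/gsstest.c optional kgssapi_debug` is the right companion to removing the option, but that `optional kgssapi_debug` tag was the only thing keeping the file out of every build, so any other place that still names the option (a `sys/conf/NOTES` entry or a kernel config, if one exists) will now make config(8) reject it as an unknown option instead of silently pulling in a file that does not compile. A grep for `KGSSAPI_DEBUG` across sys/ before pushing would confirm that the two conf hunks here cover every reference.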
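Review bot: on the sys/conf/options hunk, removing `KGSSAPI_DEBUG opt_kgssapi.h` leaves `KGSSAPI opt_kgssapi.h` in place, so the generated header and the KGSSAPI option itself are unaffected; the one thing to verify is that no remaining source under sys/kgssapi/ or sys/rpc/ tests `#ifdef KGSSAPI_DEBUG`, because such a block would now be dead code rather than a build error. The commit message says the only consumer was gsstest.c, which the third hunk deletes, so this is probably already the case, but it is worth the check.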
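Review bot: on the sys/kgssapi/gsstest.c deletion, agree with removing rather than repairing; the deleted code shows both that it never ran and that it would have had little value if it had. It forces the Kerberos enctype to `ETYPE_DES_CBC_CRC 1` through `GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X` on both the initiator and the acceptor credential, so even a compiling version would only exercise single-DES, which is long deprecated and is not what `kgssapi/krb5/kcrypto_aes.c` (visible in the files hunk context) implements. In gsstest_1 the server-side `gss_acquire_cred` failure path calls `report_error(mech_type, smaj_stat, smin_stat)` before anything has assigned `mech_type` (it is only set later by `gss_accept_sec_context`), an uninitialized read that a warnings-enabled build would flag, consistent with the claim that it was never buildable. The only part worth keeping in mind is the userland interop protocol described in the gsstest_2 comment block (steps 1 to 3: context tokens, MIC exchange, wrap/unwrap); if a kgssapi regression test is wanted later it should be rewritten as a proper test against current enctypes rather than resurrected from this file. Note also that the archived copy truncates this hunk (`*** 210 LINES SKIPPED ***`), so the tail of server_program_1 and server_new_context is not reviewable here.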