From: Chuck Lever Date: Mon, 9 Feb 2015 15:47:30 +0000 (-0500) Subject: Add utility rpc_gss_*() APIs X-Git-Tag: libtirpc-0-2-6-rc4~14 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=966ec78061543c83d6a664a30cbe26aac6fa9d6b;p=libtirpc Add utility rpc_gss_*() APIs These are utility functions used by both client and server consumers of RPCSEC GSS. The man pages, written by Doug Rabson, come from FreeBSD, with some adjustments by me. The following functions are added: rpc_gss_get_error(3t), rpc_gss_get_mechanisms(3t), rpc_gss_get_mech_info(3t), rpc_gss_get_versions(3t) rpc_gss_is_installed(3t), rpc_gss_mech_to_oid(3t), and rpc_gss_qop_to_num(3t) This is a relatively simple patch, but there are a couple of important design points to call out. 1. Don't add a new DLL Solaris and FreeBSD keep a dynamic library separate from libtirpc for RPCSEC_GSS support, called librpcsec_gss. Our existing RPCSEC_GSS support, though unfinished, is already built into our fork of the libtirpc library. This patch continues with that approach by adding these new functions in libtirpc instead of introducing another library. 2. Don't bother with /etc/gss/{mech,qop} The Solaris gssapi implementation uses the files /etc/gss/{mech,qop} to define supported GSS mechanisms. The rpc_gss_*() API provides the utility functions added in this patch so that RPC consumers can easily discover what GSS mechanisms are available. FreeBSD and Linux use the MIT gssapi implementation, which does not use /etc/gss/{mech,qop} . The FreeBSD implementation of the rpc_gss_*() API emulates support for these configuration files, rather than invoking gssapi functions that don't exist in the MIT gssapi library. For Linux, I don't see a need for the extra config files: o Our fork of libtirpc will support only the Kerberos GSS mechanism for the foreseeable future. o It's easy to add another GSS mechanism in the static data structures, and that should be done only after thorough testing. o It should be a simple change to add support for /etc/gss/* if we find we need it. o Consumers of the rpc_gss_*() API ported from FreeBSD or Solaris should see exactly the same result when calling the new utility functions. Signed-off-by: Chuck Lever Signed-off-by: Steve Dickson --- diff --git a/man/Makefile.am b/man/Makefile.am index f0691b1..66647f0 100644 --- a/man/Makefile.am +++ b/man/Makefile.am @@ -7,7 +7,10 @@ CLIENT_MANS = rpc_clnt_auth.3t rpc_clnt_calls.3t rpc_clnt_create.3t \ SERVER_MANS = rpc_svc_calls.3t rpc_svc_create.3t rpc_svc_err.3t \ rpc_svc_reg.3t GENERIC_MANS = rpc.3t rpc_xdr.3t -RPCSEC_MANS = rpcsec_gss.3t +RPCSEC_MANS = rpcsec_gss.3t rpc_gss_get_error.3t \ + rpc_gss_get_mechanisms.3t rpc_gss_get_mech_info.3t \ + rpc_gss_get_versions.3t rpc_gss_is_installed.3t \ + rpc_gss_mech_to_oid.3t rpc_gss_qop_to_num.3t dist_man5_MANS = netconfig.5 dist_man3_MANS = $(LOOKUP_MANS) $(NETCONFIG_MANS) \ diff --git a/man/rpc_gss_get_error.3t b/man/rpc_gss_get_error.3t new file mode 100644 index 0000000..2843a71 --- /dev/null +++ b/man/rpc_gss_get_error.3t @@ -0,0 +1,55 @@ +.\" Copyright (c) 2008 Isilon Inc http://www.isilon.com/ +.\" Authors: Doug Rabson +.\" Developed with Red Inc: Alfred Perlstein +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.Dd January 26, 2010 +.Dt RPC_GSS_GET_ERROR 3 +.Os +.Sh NAME +.Nm rpc_gss_get_error +.Nd "Get error details" +.Sh SYNOPSIS +.In rpc/rpcsec_gss.h +.Ft void +.Fn rpc_gss_get_error "rpc_gss_error_t *error" +.Sh DESCRIPTION +Get details of the last RPCSEC_GSS error. +.Sh PARAMETERS +.Bl -tag -width ".It error" +.It error +A pointer to a structure where the error details will be returned +.El +.Sh AVAILABILITY +The +.Fn rpc_gss_get_error +function is part of libtirpc. +.Sh SEE ALSO +.Xr rpc 3 , +.Xr gssapi 3 , +.Xr rpcsec_gss 3 +.Sh AUTHORS +This +manual page was written by +.An Doug Rabson Aq dfr@FreeBSD.org . diff --git a/man/rpc_gss_get_mech_info.3t b/man/rpc_gss_get_mech_info.3t new file mode 100644 index 0000000..1f3ba04 --- /dev/null +++ b/man/rpc_gss_get_mech_info.3t @@ -0,0 +1,65 @@ +.\" Copyright (c) 2008 Isilon Inc http://www.isilon.com/ +.\" Authors: Doug Rabson +.\" Developed with Red Inc: Alfred Perlstein +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.Dd January 26, 2010 +.Dt RPC_GSS_GET_MECH_INFO 3 +.Os +.Sh NAME +.Nm rpc_gss_get_mech_info +.Nd "Get extra information about a security mechanism" +.Sh SYNOPSIS +.In rpc/rpcsec_gss.h +.Ft const char ** +.Fn rpc_gss_get_mech_info "const char *mech" "rpc_gss_service_t *service" +.Sh DESCRIPTION +This function looks up a mechanism by name by reading the file +/etc/gss/mech and queries it for its capabilities. +.Sh PARAMETERS +.Bl -tag -width ".It service" +.It mech +The mechanism to search for +.It service +If the mechanism is found, the maximum supported service type is +returned in +.Fa *service +.El +.Sh RETURN VALUES +If the mechanism is found, +a list of the supported qualities of protection is returned, +otherwise +.Dv NULL . +.Sh AVAILABILITY +The +.Fn rpc_gss_get_mech_info +function is part of libtirpc. +.Sh SEE ALSO +.Xr rpc 3 , +.Xr gssapi 3 , +.Xr rpcsec_gss 3 +.Sh AUTHORS +This +manual page was written by +.An Doug Rabson Aq dfr@FreeBSD.org . diff --git a/man/rpc_gss_get_mechanisms.3t b/man/rpc_gss_get_mechanisms.3t new file mode 100644 index 0000000..47af364 --- /dev/null +++ b/man/rpc_gss_get_mechanisms.3t @@ -0,0 +1,52 @@ +.\" Copyright (c) 2008 Isilon Inc http://www.isilon.com/ +.\" Authors: Doug Rabson +.\" Developed with Red Inc: Alfred Perlstein +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.Dd January 26, 2010 +.Dt RPC_GSS_GET_MECHANISMS 3 +.Os +.Sh NAME +.Nm rpc_gss_get_mechanisms +.Nd "Get installed mechanisms" +.Sh SYNOPSIS +.In rpc/rpcsec_gss.h +.Ft const char ** +.Fn rpc_gss_get_mechanisms "void" +.Sh DESCRIPTION +Return a +.Dv NULL +terminated list of installed security mechanisms. +.Sh AVAILABILITY +The +.Fn rpc_gss_get_mechanisms +function is part of libtirpc. +.Sh SEE ALSO +.Xr rpc 3 , +.Xr gssapi 3 , +.Xr rpcsec_gss 3 +.Sh AUTHORS +This +manual page was written by +.An Doug Rabson Aq dfr@FreeBSD.org . diff --git a/man/rpc_gss_get_versions.3t b/man/rpc_gss_get_versions.3t new file mode 100644 index 0000000..3230e5e --- /dev/null +++ b/man/rpc_gss_get_versions.3t @@ -0,0 +1,61 @@ +.\" Copyright (c) 2008 Isilon Inc http://www.isilon.com/ +.\" Authors: Doug Rabson +.\" Developed with Red Inc: Alfred Perlstein +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.Dd January 26, 2010 +.Dt RPC_GSS_GET_VERSIONS 3 +.Os +.Sh NAME +.Nm rpc_gss_get_versions +.Nd "Get supported protocol version" +.Sh SYNOPSIS +.In rpc/rpcsec_gss.h +.Ft bool_t +.Fn rpc_gss_get_versions "u_int *vers_hi" "u_int *vers_lo" +.Sh DESCRIPTION +Return the highest and lowest supported versions of the RPCSEC_GSS protocol. +.Sh PARAMETERS +.Bl -tag -width ".It vers_lo" +.It vers_hi +The value of +.Fa *vers_hi +is set to the highest supported protocol version +.It vers_lo +The value of +.Fa *vers_lo +is set to the lowest supported protocol version +.El +.Sh AVAILABILITY +The +.Fn rpc_gss_get_versions +function is part of libtirpc. +.Sh SEE ALSO +.Xr rpc 3 , +.Xr gssapi 3 , +.Xr rpcsec_gss 3 +.Sh AUTHORS +This +manual page was written by +.An Doug Rabson Aq dfr@FreeBSD.org . diff --git a/man/rpc_gss_is_installed.3t b/man/rpc_gss_is_installed.3t new file mode 100644 index 0000000..274a1f0 --- /dev/null +++ b/man/rpc_gss_is_installed.3t @@ -0,0 +1,62 @@ +.\" Copyright (c) 2008 Isilon Inc http://www.isilon.com/ +.\" Authors: Doug Rabson +.\" Developed with Red Inc: Alfred Perlstein +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.Dd January 26, 2010 +.Dt RPC_GSS_IS_INSTALLED 3 +.Os +.Sh NAME +.Nm rpc_gss_is_installed +.Nd "Query for the presence os a security mechanism" +.Sh SYNOPSIS +.In rpc/rpcsec_gss.h +.Ft bool_t +.Fn rpc_gss_is_installed "const char *mech" +.Sh DESCRIPTION +This function looks up a mechanism by name by reading the file +/etc/gss/mech. +.Sh PARAMETERS +.Bl -tag -width ".It mech" +.It mech +The mechanism to search for +.El +.Sh RETURN VALUES +Returns +.Dv TRUE +if the mechanism is installed, +.Dv FALSE +otherwise. +.Sh AVAILABILITY +The +.Fn rpc_gss_is_installed +function is part of libtirpc. +.Sh SEE ALSO +.Xr rpc 3 , +.Xr gssapi 3 , +.Xr rpcsec_gss 3 +.Sh AUTHORS +This +manual page was written by +.An Doug Rabson Aq dfr@FreeBSD.org . diff --git a/man/rpc_gss_mech_to_oid.3t b/man/rpc_gss_mech_to_oid.3t new file mode 100644 index 0000000..8bbe616 --- /dev/null +++ b/man/rpc_gss_mech_to_oid.3t @@ -0,0 +1,65 @@ +.\" Copyright (c) 2008 Isilon Inc http://www.isilon.com/ +.\" Authors: Doug Rabson +.\" Developed with Red Inc: Alfred Perlstein +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.Dd January 26, 2010 +.Dt RPC_GSS_MECH_TO_OID 3 +.Os +.Sh NAME +.Nm rpc_gss_mech_to_oid +.Nd "Convert a mechanism name to a GSS-API oid" +.Sh SYNOPSIS +.In rpc/rpcsec_gss.h +.Ft bool_t +.Fn rpc_gss_mech_to_oid "const char *mech" "gss_OID *oid_ret" +.Sh DESCRIPTION +This function looks up a mechanism by name by reading the file +/etc/gss/mech. +.Sh PARAMETERS +.Bl -tag -width ".It oid_ret" +.It mech +The mechanism name to search for +.It oid_ret +If the mechanism is found, the corresponding GSS-API oid is returned +in +.Fa *oid_ret +.El +.Sh RETURN VALUES +If the mechanism is found, +.Dv TRUE +is returned, otherwise +.Dv FALSE . +.Sh AVAILABILITY +The +.Fn rpc_gss_mech_to_oid +function is part of libtirpc. +.Sh SEE ALSO +.Xr rpc 3 , +.Xr gssapi 3 , +.Xr rpcsec_gss 3 +.Sh AUTHORS +This +manual page was written by +.An Doug Rabson Aq dfr@FreeBSD.org . diff --git a/man/rpc_gss_qop_to_num.3t b/man/rpc_gss_qop_to_num.3t new file mode 100644 index 0000000..3968216 --- /dev/null +++ b/man/rpc_gss_qop_to_num.3t @@ -0,0 +1,67 @@ +.\" Copyright (c) 2008 Isilon Inc http://www.isilon.com/ +.\" Authors: Doug Rabson +.\" Developed with Red Inc: Alfred Perlstein +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.Dd January 26, 2010 +.Dt RPC_GSS_QOP_TO_NUM 3 +.Os +.Sh NAME +.Nm rpc_gss_qop_to_num +.Nd "Convert a quality of protection name to number" +.Sh SYNOPSIS +.In rpc/rpcsec_gss.h +.Ft bool_t +.Fn rpc_gss_qop_to_num "const char *qop" "const char *mech" "u_int *num_ret" +.Sh DESCRIPTION +This function looks up a quality of protection by name by reading the file +/etc/gss/qop. +.Sh PARAMETERS +.Bl -tag -width ".It number_ret" +.It qop +The quality of protection to search for +.It mech +The mechanism name to search for +.It number_ret +If the quality of protection is found, the corresponding number is +returned in +.Fa *num_ret +.El +.Sh RETURN VALUES +If the value is found, +.Dv TRUE +is returned, otherwise +.Dv FALSE . +.Sh AVAILABILITY +The +.Fn rpc_gss_qop_to_num +function is part of libtirpc. +.Sh SEE ALSO +.Xr rpc 3 , +.Xr gssapi 3 , +.Xr rpcsec_gss 3 +.Sh AUTHORS +This +manual page was written by +.An Doug Rabson Aq dfr@FreeBSD.org . diff --git a/src/Makefile.am b/src/Makefile.am index 26ccbdf..8e37b40 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -59,7 +59,8 @@ libtirpc_la_SOURCES += xdr.c xdr_rec.c xdr_array.c xdr_float.c xdr_mem.c xdr_ref ## Secure-RPC if GSS - libtirpc_la_SOURCES += auth_gss.c authgss_prot.c svc_auth_gss.c + libtirpc_la_SOURCES += auth_gss.c authgss_prot.c svc_auth_gss.c \ + rpc_gss_utils.c libtirpc_la_LDFLAGS += $(GSSAPI_LIBS) libtirpc_la_CFLAGS += -DHAVE_RPCSEC_GSS $(GSSAPI_CFLAGS) endif diff --git a/src/mt_misc.c b/src/mt_misc.c index a50f385..7850ce7 100644 --- a/src/mt_misc.c +++ b/src/mt_misc.c @@ -83,6 +83,7 @@ thread_key_t tcp_key = KEY_INITIALIZER; thread_key_t udp_key = KEY_INITIALIZER; thread_key_t nc_key = KEY_INITIALIZER; thread_key_t rce_key = KEY_INITIALIZER; +thread_key_t rg_key = KEY_INITIALIZER; /* xprtlist (svc_generic.c) */ pthread_mutex_t xprtlist_lock = PTHREAD_MUTEX_INITIALIZER; @@ -142,6 +143,8 @@ void tsd_key_delete(void) pthread_key_delete(nc_key); if (rce_key != KEY_INITIALIZER) pthread_key_delete(rce_key); + if (rg_key != KEY_INITIALIZER) + pthread_key_delete(rce_key); return; } diff --git a/src/rpc_gss_utils.c b/src/rpc_gss_utils.c new file mode 100644 index 0000000..9a7fed3 --- /dev/null +++ b/src/rpc_gss_utils.c @@ -0,0 +1,450 @@ +/* + * Copyright (c) 2013, Oracle America, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * - Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * - Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * - Neither the name of "Oracle America, Inc." nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include +#include + +#include +#include + +#include + +/* Internal only */ +void rpc_gss_set_error(int); +void rpc_gss_clear_error(void); +bool_t rpc_gss_oid_to_mech(rpc_gss_OID, char **); + +/* + * Return the static "_rpc_gss_error" if we are the main thread + * (including non-threaded programs), or if an allocation fails. + */ +static rpc_gss_error_t * +__rpc_gss_error(void) +{ + static rpc_gss_error_t _rpc_gss_error = { 0, 0 }; + extern thread_key_t rg_key; + rpc_gss_error_t *result; + + if (rg_key == KEY_INITIALIZER) { + static mutex_t _rpc_gss_error_lock = MUTEX_INITIALIZER; + int err = 0; + + mutex_lock(&_rpc_gss_error_lock); + if (rg_key == KEY_INITIALIZER) + err = thr_keycreate(&rg_key, free); + mutex_unlock(&_rpc_gss_error_lock); + + if (err != 0) + return &_rpc_gss_error; + } + + result = thr_getspecific(rg_key); + if (result == NULL) { + result = calloc(1, sizeof(*result)); + if (result == NULL) + return &_rpc_gss_error; + + if (thr_setspecific(rg_key, result) != 0) { + free(result); + return &_rpc_gss_error; + } + } + + return result; +} + +/* + * External API: Retrieve thread-specific error values + * + * error: address of rpc_gss_error_t structure to fill in + */ +void +rpc_gss_get_error(rpc_gss_error_t *result) +{ + rpc_gss_error_t *error = __rpc_gss_error(); + + result->rpc_gss_error = error->rpc_gss_error; + result->system_error = error->system_error; +} + +/* + * Internal only: Set thread-specific error value + * + * system_error: new value for thread's .system_error field. + * .rpc_gss_error is always set to RPC_GSS_ER_SYSTEMERROR. + */ +void +rpc_gss_set_error(int system_error) +{ + rpc_gss_error_t *error = __rpc_gss_error(); + + error->rpc_gss_error = RPC_GSS_ER_SYSTEMERROR; + error->system_error = system_error; +} + +/* + * Internal only: Clear thread-specific error values + */ +void +rpc_gss_clear_error(void) +{ + rpc_gss_error_t *error = __rpc_gss_error(); + + error->rpc_gss_error = RPC_GSS_ER_SUCCESS; + error->system_error = 0; +} + +/* + * On Solaris, the GSS-API implementation consults the files + * /etc/gss/mech and /etc/gss/qop for a mapping of mechanism + * names to OIDs, and QOP names to numbers. + * + * GNU's GSS-API has no such database. We emulate it here + * with a built-in table of supported mechanisms and qops, + * since the set of supported mechanisms is unlikely to + * change often. + */ + +struct _rpc_gss_qop { + char *qi_name; + unsigned int qi_num; +}; + +struct _rpc_gss_mechanism { + char *mi_name; + rpc_gss_OID_desc mi_oid; + char **mi_qop_names; + struct _rpc_gss_qop **mi_qops; +}; + + +static struct _rpc_gss_qop _rpc_gss_qop_default = { + .qi_name = "GSS_C_QOP_DEFAULT", + .qi_num = GSS_C_QOP_DEFAULT, +}; + +static struct _rpc_gss_qop *_rpc_gss_krb5_qops[] = { + &_rpc_gss_qop_default, + NULL, +}; + +static char *_rpc_gss_krb5_qop_names[] = { + "GSS_C_QOP_DEFAULT", + NULL, +}; + +static struct _rpc_gss_mechanism _rpc_gss_mech_kerberos_v5 = { + .mi_name = "kerberos_v5", + .mi_oid = { 9, "\052\206\110\206\367\022\001\002\002" }, + .mi_qop_names = _rpc_gss_krb5_qop_names, + .mi_qops = _rpc_gss_krb5_qops, +}; + +static struct _rpc_gss_mechanism *_rpc_gss_mechanisms[] = { + &_rpc_gss_mech_kerberos_v5, + NULL, +}; + +static char *_rpc_gss_mechanism_names[] = { + "kerberos_v5", + NULL, +}; + +static struct _rpc_gss_mechanism * +_rpc_gss_find_mechanism(char *mechanism) +{ + unsigned int i; + + for (i = 0; _rpc_gss_mechanisms[i] != NULL; i++) + if (strcmp(mechanism, _rpc_gss_mechanisms[i]->mi_name) == 0) + return _rpc_gss_mechanisms[i]; + return NULL; +} + +static struct _rpc_gss_mechanism * +_rpc_gss_find_oid(rpc_gss_OID oid) +{ + unsigned int i; + + for (i = 0; _rpc_gss_mechanisms[i] != NULL; i++) + if (g_OID_equal(oid, &_rpc_gss_mechanisms[i]->mi_oid)) + return _rpc_gss_mechanisms[i]; + return NULL; +} + +static struct _rpc_gss_qop * +_rpc_gss_find_qop_by_name(struct _rpc_gss_mechanism *m, char *qop) +{ + unsigned int i; + + for (i = 0; m->mi_qops[i] != NULL; i++) + if (strcmp(qop, m->mi_qops[i]->qi_name) == 0) + return m->mi_qops[i]; + return NULL; +} + +static struct _rpc_gss_qop * +_rpc_gss_find_qop_by_num(struct _rpc_gss_mechanism *m, u_int num) +{ + unsigned int i; + + for (i = 0; m->mi_qops[i] != NULL; i++) + if (num == m->mi_qops[i]->qi_num) + return m->mi_qops[i]; + return NULL; +} + +/* + * External API: Return array of security mechanism names + * + * Returns NULL-terminated array of pointers to NUL-terminated C + * strings, each containing a mechanism name. This is statically + * allocated memory. Caller must not free this array. + */ +char ** +rpc_gss_get_mechanisms(void) +{ + rpc_gss_clear_error(); + return (char **)_rpc_gss_mechanism_names; +} + +/* + * External API: Return array of qop names for a security mechanism + * + * mechanism: NUL-terminated C string containing mechanism name + * dummy: address of a service enum + * + * Returns NULL-terminated array of pointers to NUL-terminated C + * strings, each containing a qop name. This is statically + * allocated memory. Caller must not free this array. + */ +char ** +rpc_gss_get_mech_info(char *mechanism, rpc_gss_service_t *dummy) +{ + struct _rpc_gss_mechanism *m; + + if (mechanism == NULL || dummy == NULL) { + rpc_gss_set_error(EINVAL); + return NULL; + } + + m = _rpc_gss_find_mechanism(mechanism); + if (m == NULL) { + rpc_gss_set_error(ENOENT); + return NULL; + } + + rpc_gss_clear_error(); + *dummy = rpcsec_gss_svc_privacy; + return (char **)m->mi_qop_names; +} + +/* + * External API: Return range of supported RPCSEC_GSS versions + * + * high: address of highest supported version to fill in + * low: address of lowest supported version to fill in + * + * Returns TRUE if successful, or FALSE if an error occurs. + */ +bool_t +rpc_gss_get_versions(u_int *high, u_int *low) +{ + if (high == NULL || low == NULL) { + rpc_gss_set_error(EINVAL); + return FALSE; + } + + rpc_gss_clear_error(); + *high = *low = RPCSEC_GSS_VERSION; + return TRUE; +} + +/* + * External API: Check if a security mechanism is supported + * + * mechanism: NUL-terminated C string containing mechanism name + * + * Returns TRUE if the mechanism name is recognized and supported, + * otherwise FALSE is returned. + */ +bool_t +rpc_gss_is_installed(char *mechanism) +{ + struct _rpc_gss_mechanism *m; + + if (mechanism == NULL) { + rpc_gss_set_error(EINVAL); + return FALSE; + } + + rpc_gss_clear_error(); + m = _rpc_gss_find_mechanism(mechanism); + if (m == NULL) + return FALSE; + return TRUE; +} + +/* + * External API: Return the OID for a given security mechanism + * + * mechanism: NUL-terminated C string containing mechanism name + * oid: address of OID buffer to fill in + * + * Returns TRUE if the mechanism name is recognized and supported, + * otherwise FALSE is returned. + */ +bool_t +rpc_gss_mech_to_oid(char *mechanism, rpc_gss_OID *result) +{ + struct _rpc_gss_mechanism *m; + + if (mechanism == NULL || result == NULL) { + rpc_gss_set_error(EINVAL); + return FALSE; + } + + m = _rpc_gss_find_mechanism(mechanism); + if (m == NULL) { + rpc_gss_set_error(ENOENT); + return FALSE; + } + + *result = &m->mi_oid; + rpc_gss_clear_error(); + return TRUE; +} + +/* + * Internal only: Return the mechanism name for a given OID + * + * oid: GSS mechanism OID + * mechanism: address of a char * to fill in. This is statically + * allocated memory. Caller must not free this memory. + * + * Returns TRUE if the OID is a recognized and supported mechanism, + * otherwise FALSE is returned. + */ +bool_t +rpc_gss_oid_to_mech(rpc_gss_OID oid, char **mechanism) +{ + struct _rpc_gss_mechanism *m; + + if (oid == NULL || mechanism == NULL) { + rpc_gss_set_error(EINVAL); + return FALSE; + } + + m = _rpc_gss_find_oid(oid); + if (m == NULL) { + rpc_gss_set_error(ENOENT); + return FALSE; + } + + *mechanism = m->mi_name; + rpc_gss_clear_error(); + return TRUE; +} + +/* + * External API: Return the QOP number for a given QOP and mechanism name + * + * qop: NUL-terminated C string containing qop name + * mechanism: NUL-terminated C string containing mechanism name + * num: address of QOP buffer to fill in + * + * Returns TRUE if the qop and mechanism name are recognized and + * supported, otherwise FALSE is returned. + */ +bool_t +rpc_gss_qop_to_num(char *qop, char *mechanism, u_int *num) +{ + struct _rpc_gss_mechanism *m; + struct _rpc_gss_qop *q; + + if (qop == NULL || mechanism == NULL || num == NULL) { + rpc_gss_set_error(EINVAL); + return FALSE; + } + + m = _rpc_gss_find_mechanism(mechanism); + if (m == NULL) + goto out_err; + + q = _rpc_gss_find_qop_by_name(m, qop); + if (q == NULL) + goto out_err; + + *num = q->qi_num; + rpc_gss_clear_error(); + return TRUE; + +out_err: + rpc_gss_set_error(ENOENT); + return FALSE; +} + +/* + * Internal only: Return the QOP name for a given mechanism and QOP number + * + * mechanism: NUL-terminated C string containing security mechanism name + * num: QOP number + * qop: address of a char * to fill in. This is statically + * allocated memory. Caller must not free this memory. + * + * Returns TRUE if the QOP and mechanism are recognized and supported, + * otherwise FALSE is returned. + */ +bool_t +rpc_gss_num_to_qop(char *mechanism, u_int num, char **qop) +{ + struct _rpc_gss_mechanism *m; + struct _rpc_gss_qop *q; + + if (mechanism == NULL || qop == NULL) { + rpc_gss_set_error(EINVAL); + return FALSE; + } + + m = _rpc_gss_find_mechanism(mechanism); + if (m == NULL) + goto out_err; + + q = _rpc_gss_find_qop_by_num(m, num); + if (q == NULL) + goto out_err; + + *qop = q->qi_name; + rpc_gss_clear_error(); + return TRUE; + +out_err: + rpc_gss_set_error(ENOENT); + return FALSE; +}