From: David Howells Date: Wed, 30 Sep 2020 08:22:46 +0000 (+0100) Subject: Add OpenAFS rxgk support to gssapi test and partially to gssapi aklog X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=a65e9aa7f13e7af105fbdd99fdd55c18bcfed78a;p=users%2Fdhowells%2Fkafs-utils.git Add OpenAFS rxgk support to gssapi test and partially to gssapi aklog For example: # kafs gssapi test -server localhost -kvno 2 -enctype 26 -tenctype 25 -openafs Success! 01020304 05060708 09101112 13141516 # kafs gssapi test -server localhost -kvno 2 -enctype 26 -tenctype 25 -yfs Success! 01020304 05060708 09101112 13141516 --- diff --git a/kafs/gssapi_aklog.C b/kafs/gssapi_aklog.C index 5a43cdf..8f64d5a 100644 --- a/kafs/gssapi_aklog.C +++ b/kafs/gssapi_aklog.C @@ -274,6 +274,20 @@ static void rxgk_add_key(kafs::Context *ctx, token.ygk.ticket = client_info.token; token.ygk.ticket.del_buffer = false; break; + + case kafs::afs::AFSTOKEN_UNION_GK: + token.gk.gk_viceid = 0; + token.gk.gk_enctype = client_info.enctype; + token.gk.gk_level = client_info.level; + token.gk.gk_lifetime = client_info.lifetime; + token.gk.gk_bytelife = client_info.bytelife; + token.gk.gk_expiration = client_info.expiration; + token.gk.gk_token = client_info.token; + token.gk.gk_token.del_buffer = false; + token.gk.gk_k0 = K0; + token.gk.gk_k0.del_buffer = false; + break; + default: throw std::runtime_error("Unknown security type"); } @@ -324,7 +338,10 @@ static void rxgk_add_key(kafs::Context *ctx, * ARG: "[-noauth]" - Auth * ARG: "[-localauth]" - Auth * ARG: "[-verbose]" + * ARG: "[-openafs]" + * ARG: "[-yfs]" * ARG: "[-encrypt]" - Auth + * NOCOMBINE: openafs, yfs * * Authenticate via GSSAPI to get tokens for the RxGK security class. */ 
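Review bot: The new AFSTOKEN_UNION_GK case in rxgk_add_key stores both the ticket and K0 by reference — the two `del_buffer = false` assignments make `token` a borrower, not an owner — yet nothing in the hunk records that `token` is only valid while `client_info.token` and `K0` are live, and since K0 is key material (it comes from rxgk_derive_K0 further down the file) the caller, not the token, stays responsible for freeing and wiping it. I would put above the case: `/* gk_token and gk_k0 alias client_info.token and K0: the token is valid only while both are live, and the caller remains responsible for releasing (and zeroing) K0. */`. `gk_viceid` is set to 0 with no explanation; a line such as `/* No viceid is known on this path; 0 leaves it unset -- TODO confirm the cache manager accepts that. */` would spare the next reader a trip to the OpenAFS token definition. The same fourteen lines are added verbatim to rxgk_add_key in gssapi_test.C; factoring the switch into a shared helper would keep the two copies from drifting. rxgk_add_key starts before and ends after this hunk.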
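Review bot: The new `-openafs` and `-yfs` ARG lines, together with the NOCOMBINE line, do not say what happens when neither flag is given, although COMMAND_gssapi_aklog below initialises sec_type to AFSTOKEN_UNION_YFSGK and so silently defaults to the YFS token form. Since the ARG lines appear to be machine-parsed, the safest place for that is the prose sentence at the end of the block: extend it to `* Authenticate via GSSAPI to get tokens for the RxGK security class.  The token is stored in YFS form unless -openafs is given.`. The comment block for COMMAND_gssapi_test in gssapi_test.C gets the same two options and would benefit from the same sentence.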
@@ -333,7 +350,9 @@ void COMMAND_gssapi_aklog( std::string &a_principal, std::vector &a_enctypes, std::vector &a_levels, - bool a_verbose) + bool a_verbose, + bool a_openafs, + bool a_yfs) { gss_buffer_desc token_for_gssapi = GSS_C_EMPTY_BUFFER; gss_buffer_desc token_for_rxgk = GSS_C_EMPTY_BUFFER; @@ -343,6 +362,12 @@ void COMMAND_gssapi_aklog( gss_OID actual_mech = GSS_C_NO_OID; OM_uint32 major, minor, req_flags, ret_flags; bool anon = false; + unsigned int sec_type = kafs::afs::AFSTOKEN_UNION_YFSGK; + + if (a_yfs) + sec_type = kafs::afs::AFSTOKEN_UNION_YFSGK; + else if (a_openafs) + sec_type = kafs::afs::AFSTOKEN_UNION_GK; ref vlservice = new kafs::VL_service(ctx); rxrpc::Opaque opaque_cache, rxgk_info, K0; @@ -482,8 +507,7 @@ void COMMAND_gssapi_aklog( rxgk_check_mic(gssctx, rxgk_params, client_info, a_verbose); rxgk_derive_K0(gssctx, rxgk_params, client_info, K0, a_verbose); - rxgk_add_key(ctx, client_info, K0, a_verbose, - kafs::afs::AFSTOKEN_UNION_YFSGK); + rxgk_add_key(ctx, client_info, K0, a_verbose, sec_type); verbose_gss("Negotiation successful\n"); } catch (...) { diff --git a/kafs/gssapi_test.C b/kafs/gssapi_test.C index 76f1ed2..0a7cd05 100644 --- a/kafs/gssapi_test.C +++ b/kafs/gssapi_test.C @@ -200,6 +200,20 @@ static void rxgk_add_key(kafs::Context *ctx, token.ygk.ticket = client_info.token; token.ygk.ticket.del_buffer = false; break; + + case kafs::afs::AFSTOKEN_UNION_GK: + token.gk.gk_viceid = 0; + token.gk.gk_enctype = client_info.enctype; + token.gk.gk_level = client_info.level; + token.gk.gk_lifetime = client_info.lifetime; + token.gk.gk_bytelife = client_info.bytelife; + token.gk.gk_expiration = client_info.expiration; + token.gk.gk_token = client_info.token; + token.gk.gk_token.del_buffer = false; + token.gk.gk_k0 = K0; + token.gk.gk_k0.del_buffer = false; + break; + default: throw std::runtime_error("Unknown security type"); } 
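Review bot: In the `@@ -343,6 +362,12 @@` hunk the `if (a_yfs) sec_type = kafs::afs::AFSTOKEN_UNION_YFSGK;` branch is a no-op, because sec_type is initialised to that same value two lines earlier, and the if/else-if ordering means that if both flags ever reach this code the YFS form wins silently, so enforcement of NOCOMBINE rests entirely on the argument parser. The six added lines reduce to `unsigned int sec_type = a_openafs ? kafs::afs::AFSTOKEN_UNION_GK : kafs::afs::AFSTOKEN_UNION_YFSGK;` preceded by `/* -yfs is the default; the parser is expected to reject -openafs together with -yfs (NOCOMBINE) */`, which states the default at the point it is chosen. If the parser does not in fact reject the combination, this is the place to do it rather than picking one flag. COMMAND_gssapi_aklog continues outside this hunk.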
@@ -250,7 +264,10 @@ static void rxgk_add_key(kafs::Context *ctx, * ARG: "[-tenctype ]" * ARG: "[-kvno ]" * ARG: "[-verbose]" + * ARG: "[-openafs]" + * ARG: "[-yfs]" * ARG: "[-encrypt]" - Auth + * NOCOMBINE: openafs, yfs * * Forge a ticket and poke the server by RxGK. */ @@ -261,15 +278,23 @@ void COMMAND_gssapi_test( std::string &a_level, std::string &a_tenctype, std::string &a_kvno, - bool a_verbose) + bool a_verbose, + bool a_openafs, + bool a_yfs) { rxrpc::security_auth_level rxlevel = rxrpc::security_encrypt; RXGK_ClientInfo client_info; rxrpc::Opaque ticket_key, K0; + unsigned int sec_type = kafs::afs::AFSTOKEN_UNION_YFSGK; unsigned int kvno = 1; int tenctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96; int tklen, k0len, i; + if (a_yfs) + sec_type = kafs::afs::AFSTOKEN_UNION_YFSGK; + else if (a_openafs) + sec_type = kafs::afs::AFSTOKEN_UNION_GK; + client_info.expiration = 0; client_info.level = kafs::afs::RXGK_LEVEL_CRYPT; client_info.lifetime = 0; @@ -335,7 +360,7 @@ void COMMAND_gssapi_test( kvno = stoi(a_kvno); forge_rxgk_ticket(ctx, client_info, ticket_key, K0, tenctype, kvno, client_info.token); - rxgk_add_key(ctx, client_info, K0, a_verbose, kafs::afs::AFSTOKEN_UNION_YFSGK); + rxgk_add_key(ctx, client_info, K0, a_verbose, sec_type); rxrpc::find_transport(); @@ -345,7 +370,7 @@ void COMMAND_gssapi_test( rxrpc::Call_params params; params.endpoint = ctx->endpoint; - + ref site = kafs::resolve_server_spec(ctx, a_server); params.peer = site->vs_addrs[0]; params.peer.srx_service = RX_PERF_SERVICE;
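Review bot: In the `@@ -261,15 +278,23 @@` hunk of COMMAND_gssapi_test the `if (a_yfs)` assignment is again redundant with the initialiser `unsigned int sec_type = kafs::afs::AFSTOKEN_UNION_YFSGK;`, and the selection reads more clearly as `unsigned int sec_type = a_openafs ? kafs::afs::AFSTOKEN_UNION_GK : kafs::afs::AFSTOKEN_UNION_YFSGK;` with a comment `/* forged token is stored in YFS form unless -openafs was given */`. The ARG block in the preceding hunk also leaves that default unstated; one line in its description, ` * The forged token is stored in YFS form unless -openafs is given.`, covers it. The hunk ends mid-function: `client_info.expiration = 0;` and the rest of COMMAND_gssapi_test lie outside it.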