/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright (c) 1986, 2010, Oracle and/or its affiliates. All rights reserved.
*/
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
*
* $Id: svc_auth_gssapi.c,v 1.19 1994/10/27 12:38:51 jik Exp $
*/
/*
* Server side handling of RPCSEC_GSS flavor.
*/
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_ext.h>
#include <rpc/rpc.h>
#include <rpc/rpcsec_defs.h>
#include <sys/file.h>
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <syslog.h>
/*
* Sequence window definitions.
*/
#define SEQ_ARR_SIZE 4
#define SEQ_WIN (SEQ_ARR_SIZE*32)
#define SEQ_HI_BIT 0x80000000
#define SEQ_LO_BIT 1
#define DIV_BY_32 5
#define SEQ_MASK 0x1f
#define SEQ_MAX 0x80000000
/* cache retransmit data */
typedef struct _retrans_entry {
uint32_t xid;
rpc_gss_init_res result;
struct _retrans_entry *next, *prev;
} retrans_entry;
/*
* Server side RPCSEC_GSS context information.
*/
typedef struct _svc_rpc_gss_data {
struct _svc_rpc_gss_data *next, *prev;
struct _svc_rpc_gss_data *lru_next, *lru_prev;
bool_t established;
gss_ctx_id_t context;
gss_name_t client_name;
gss_cred_id_t server_creds;
uint_t expiration;
uint_t seq_num;
uint_t seq_bits[SEQ_ARR_SIZE];
uint_t key;
OM_uint32 qop;
bool_t done_docallback;
bool_t locked;
rpc_gss_rawcred_t raw_cred;
rpc_gss_ucred_t u_cred;
bool_t u_cred_set;
void *cookie;
gss_cred_id_t deleg;
mutex_t clm;
int ref_cnt;
bool_t stale;
time_t time_secs_set;
retrans_entry *retrans_data;
} svc_rpc_gss_data;
/*
* Data structures used for LRU based context management.
*/
#define HASHMOD 256
#define HASHMASK 255
static svc_rpc_gss_data *clients[HASHMOD];
static svc_rpc_gss_data *lru_first, *lru_last;
static int num_gss_contexts = 0;
static int max_gss_contexts = 128;
static int sweep_interval = 10;
static int last_swept = 0;
static uint_t max_lifetime = GSS_C_INDEFINITE;
static int init_lifetime = 0;
static uint_t gid_timeout = 43200; /* 43200 secs = 12 hours */
/*
* lock used with context/lru variables
*/
static mutex_t ctx_mutex = DEFAULTMUTEX;
/*
* server credential management data and structures
*/
typedef struct svc_creds_list_s {
struct svc_creds_list_s *next;
gss_cred_id_t cred;
gss_name_t name;
rpcprog_t program;
rpcvers_t version;
gss_OID_set oid_set;
OM_uint32 req_time;
char *server_name;
mutex_t refresh_mutex;
} svc_creds_list_t;
static svc_creds_list_t *svc_creds_list;
static int svc_creds_count = 0;
/*
* lock used with server credential variables list
*
* server cred list locking guidelines:
* - Writer's lock holder has exclusive access to the list
* - Reader's lock holder(s) must also lock (refresh_mutex) each node
* before accessing that node's elements (ie. cred)
*/
static rwlock_t cred_lock = DEFAULTRWLOCK;
/*
* server callback list
*/
typedef struct cblist_s {
struct cblist_s *next;
rpc_gss_callback_t cb;
} cblist_t;
cblist_t *cblist = NULL;
/*
* lock used with callback variables
*/
static mutex_t cb_mutex = DEFAULTMUTEX;
/*
* forward declarations
*/
static bool_t svc_rpc_gss_wrap();
static bool_t svc_rpc_gss_unwrap();
static svc_rpc_gss_data *create_client();
static svc_rpc_gss_data *get_client();
static svc_rpc_gss_data *find_client();
static void destroy_client();
static void sweep_clients();
static void drop_lru_client();
static void insert_client();
static bool_t check_verf();
static bool_t rpc_gss_refresh_svc_cred();
static bool_t set_response_verf();
static void retrans_add(svc_rpc_gss_data *, uint32_t,
rpc_gss_init_res *);
static void retrans_del(struct _svc_rpc_gss_data *);
/*
* server side wrap/unwrap routines
*/
struct svc_auth_ops svc_rpc_gss_ops = {
svc_rpc_gss_wrap,
svc_rpc_gss_unwrap,
};
/*
* Fetch server side authentication structure.
*/
extern SVCAUTH *__svc_get_svcauth();
/*
* Cleanup routine for destroying context, called after service
* procedure is executed, for MT safeness.
*/
extern void *__svc_set_proc_cleanup_cb();
static void (*old_cleanup_cb)() = NULL;
static bool_t cleanup_cb_set = FALSE;
static void
ctx_cleanup(xprt)
SVCXPRT *xprt;
{
svc_rpc_gss_data *cl;
SVCAUTH *svcauth;
if (old_cleanup_cb != NULL)
(*old_cleanup_cb)(xprt);
/*
* First check if current context needs to be cleaned up.
*/
svcauth = __svc_get_svcauth(xprt);
/*LINTED*/
if ((cl = (svc_rpc_gss_data *)svcauth->svc_ah_private) != NULL) {
mutex_lock(&cl->clm);
if (--cl->ref_cnt == 0 && cl->stale) {
mutex_unlock(&cl->clm);
mutex_lock(&ctx_mutex);
destroy_client(cl);
mutex_unlock(&ctx_mutex);
} else
mutex_unlock(&cl->clm);
}
/*
* Check for other expired contexts.
*/
if ((time(0) - last_swept) > sweep_interval) {
mutex_lock(&ctx_mutex);
/*
* Check again, in case some other thread got in.
*/
if ((time(0) - last_swept) > sweep_interval)
sweep_clients();
mutex_unlock(&ctx_mutex);
}
}
/*
* Set server parameters.
*/
void
__rpc_gss_set_server_parms(init_cred_lifetime, max_cred_lifetime, cache_size)
int init_cred_lifetime;
int max_cred_lifetime;
int cache_size;
{
/*
* Ignore parameters unless greater than zero.
*/
mutex_lock(&ctx_mutex);
if (cache_size > 0)
max_gss_contexts = cache_size;
if (max_cred_lifetime > 0)
max_lifetime = (uint_t)max_cred_lifetime;
if (init_cred_lifetime > 0)
init_lifetime = init_cred_lifetime;
mutex_unlock(&ctx_mutex);
}
/*
* Shift the array arr of length arrlen right by nbits bits.
*/
static void
shift_bits(arr, arrlen, nbits)
uint_t *arr;
int arrlen;
int nbits;
{
int i, j;
uint_t lo, hi;
/*
* If the number of bits to be shifted exceeds SEQ_WIN, just
* zero out the array.
*/
if (nbits < SEQ_WIN) {
for (i = 0; i < nbits; i++) {
hi = 0;
for (j = 0; j < arrlen; j++) {
lo = arr[j] & SEQ_LO_BIT;
arr[j] >>= 1;
if (hi)
arr[j] |= SEQ_HI_BIT;
hi = lo;
}
}
} else {
for (j = 0; j < arrlen; j++)
arr[j] = 0;
}
}
/*
* Check that the received sequence number seq_num is valid.
*/
static bool_t
check_seq(cl, seq_num, kill_context)
svc_rpc_gss_data *cl;
uint_t seq_num;
bool_t *kill_context;
{
int i, j;
uint_t bit;
/*
* If it exceeds the maximum, kill context.
*/
if (seq_num >= SEQ_MAX) {
*kill_context = TRUE;
return (FALSE);
}
/*
* If greater than the last seen sequence number, just shift
* the sequence window so that it starts at the new sequence
* number and extends downwards by SEQ_WIN.
*/
if (seq_num > cl->seq_num) {
shift_bits(cl->seq_bits, SEQ_ARR_SIZE, seq_num - cl->seq_num);
cl->seq_bits[0] |= SEQ_HI_BIT;
cl->seq_num = seq_num;
return (TRUE);
}
/*
* If it is outside the sequence window, return failure.
*/
i = cl->seq_num - seq_num;
if (i >= SEQ_WIN)
return (FALSE);
/*
* If within sequence window, set the bit corresponding to it
* if not already seen; if already seen, return failure.
*/
j = SEQ_MASK - (i & SEQ_MASK);
bit = j > 0 ? (1 << j) : 1;
i >>= DIV_BY_32;
if (cl->seq_bits[i] & bit)
return (FALSE);
cl->seq_bits[i] |= bit;
return (TRUE);
}
/*
* Convert a name in gss exported type to rpc_gss_principal_t type.
*/
static bool_t
__rpc_gss_make_principal(principal, name)
rpc_gss_principal_t *principal;
gss_buffer_desc *name;
{
int plen;
char *s;
plen = RNDUP(name->length) + sizeof (int);
(*principal) = (rpc_gss_principal_t)malloc(plen);
if ((*principal) == NULL)
return (FALSE);
bzero((caddr_t)(*principal), plen);
(*principal)->len = RNDUP(name->length);
s = (*principal)->name;
memcpy(s, name->value, name->length);
return (TRUE);
}
/*
* Convert a name in internal form to the exported type.
*/
static bool_t
set_client_principal(g_name, r_name)
gss_name_t g_name;
rpc_gss_principal_t *r_name;
{
gss_buffer_desc name;
OM_uint32 major, minor;
bool_t ret = FALSE;
major = gss_export_name(&minor, g_name, &name);
if (major != GSS_S_COMPLETE)
return (FALSE);
ret = __rpc_gss_make_principal(r_name, &name);
(void) gss_release_buffer(&minor, &name);
return (ret);
}
/*
* Set server callback.
*/
bool_t
__rpc_gss_set_callback(cb)
rpc_gss_callback_t *cb;
{
cblist_t *cbl;
if (cb->callback == NULL)
return (FALSE);
if ((cbl = (cblist_t *)malloc(sizeof (*cbl))) == NULL)
return (FALSE);
cbl->cb = *cb;
mutex_lock(&cb_mutex);
cbl->next = cblist;
cblist = cbl;
mutex_unlock(&cb_mutex);
return (TRUE);
}
/*
* Locate callback (if specified) and call server. Release any
* delegated credentials unless passed to server and the server
* accepts the context. If a callback is not specified, accept
* the incoming context.
*/
static bool_t
do_callback(req, client_data)
struct svc_req *req;
svc_rpc_gss_data *client_data;
{
cblist_t *cbl;
bool_t ret = TRUE, found = FALSE;
rpc_gss_lock_t lock;
OM_uint32 minor;
mutex_lock(&cb_mutex);
for (cbl = cblist; cbl != NULL; cbl = cbl->next) {
if (req->rq_prog != cbl->cb.program ||
req->rq_vers != cbl->cb.version)
continue;
found = TRUE;
lock.locked = FALSE;
lock.raw_cred = &client_data->raw_cred;
ret = (*cbl->cb.callback)(req, client_data->deleg,
client_data->context, &lock, &client_data->cookie);
if (ret) {
client_data->locked = lock.locked;
client_data->deleg = GSS_C_NO_CREDENTIAL;
}
break;
}
if (!found) {
if (client_data->deleg != GSS_C_NO_CREDENTIAL) {
(void) gss_release_cred(&minor, &client_data->deleg);
client_data->deleg = GSS_C_NO_CREDENTIAL;
}
}
mutex_unlock(&cb_mutex);
return (ret);
}
/*
* Return caller credentials.
*/
bool_t
__rpc_gss_getcred(req, rcred, ucred, cookie)
struct svc_req *req;
rpc_gss_rawcred_t **rcred;
rpc_gss_ucred_t **ucred;
void **cookie;
{
SVCAUTH *svcauth;
svc_rpc_gss_data *client_data;
svc_rpc_gss_parms_t *gss_parms;
gss_OID oid;
OM_uint32 status;
int len = 0;
struct timeval now;
svcauth = __svc_get_svcauth(req->rq_xprt);
/*LINTED*/
client_data = (svc_rpc_gss_data *)svcauth->svc_ah_private;
gss_parms = &svcauth->svc_gss_parms;
mutex_lock(&client_data->clm);
if (rcred != NULL) {
svcauth->raw_cred = client_data->raw_cred;
svcauth->raw_cred.service = gss_parms->service;
svcauth->raw_cred.qop = __rpc_gss_num_to_qop(
svcauth->raw_cred.mechanism, gss_parms->qop_rcvd);
*rcred = &svcauth->raw_cred;
}
if (ucred != NULL) {
if (!client_data->u_cred_set) {
/*
* Double check making sure ucred is not set
* after acquiring the lock.
*/
if (!client_data->u_cred_set) {
if (!__rpc_gss_mech_to_oid(
(*rcred)->mechanism, &oid)) {
fprintf(stderr, dgettext(TEXT_DOMAIN,
"mech_to_oid failed in getcred.\n"));
*ucred = NULL;
} else {
status = gsscred_name_to_unix_cred(
client_data->client_name, oid,
&client_data->u_cred.uid,
&client_data->u_cred.gid,
&client_data->u_cred.gidlist,
&len);
if (status == GSS_S_COMPLETE) {
client_data->u_cred_set = TRUE;
client_data->u_cred.gidlen =
(short)len;
gettimeofday(&now,
(struct timezone *)NULL);
client_data->time_secs_set =
now.tv_sec;
*ucred = &client_data->u_cred;
} else
*ucred = NULL;
}
}
} else {
/*
* gid's already set;
* check if they have expired.
*/
gettimeofday(&now, (struct timezone *)NULL);
if ((now.tv_sec - client_data->time_secs_set)
> gid_timeout) {
/* Refresh gid's */
status = gss_get_group_info(
client_data->u_cred.uid,
&client_data->u_cred.gid,
&client_data->u_cred.gidlist,
&len);
if (status == GSS_S_COMPLETE) {
client_data->u_cred.gidlen =
(short)len;
gettimeofday(&now,
(struct timezone *)NULL);
client_data->time_secs_set = now.tv_sec;
*ucred = &client_data->u_cred;
} else {
client_data->u_cred_set = FALSE;
*ucred = NULL;
}
}
else
*ucred = &client_data->u_cred;
}
}
if (cookie != NULL)
*cookie = client_data->cookie;
mutex_unlock(&client_data->clm);
return (TRUE);
}
/*
* Server side authentication for RPCSEC_GSS.
*/
enum auth_stat
__svcrpcsec_gss(rqst, msg, no_dispatch)
struct svc_req *rqst;
struct rpc_msg *msg;
bool_t *no_dispatch;
{
XDR xdrs;
rpc_gss_creds creds;
rpc_gss_init_arg call_arg;
rpc_gss_init_res call_res, *retrans_result;
gss_buffer_desc output_token;
OM_uint32 gssstat, minor_stat, time_rec, ret_flags;
struct opaque_auth *cred;
svc_rpc_gss_data *client_data;
int ret;
svc_creds_list_t *sc;
SVCAUTH *svcauth;
svc_rpc_gss_parms_t *gss_parms;
gss_OID mech_type = GSS_C_NULL_OID;
/*
* Initialize response verifier to NULL verifier. If
* necessary, this will be changed later.
*/
rqst->rq_xprt->xp_verf.oa_flavor = AUTH_NONE;
rqst->rq_xprt->xp_verf.oa_base = NULL;
rqst->rq_xprt->xp_verf.oa_length = 0;
/*
* Need to null out results to start with.
*/
memset((char *)&call_res, 0, sizeof (call_res));
/*
* Pull out and check credential and verifier.
*/
cred = &msg->rm_call.cb_cred;
if (cred->oa_length == 0) {
return (AUTH_BADCRED);
}
xdrmem_create(&xdrs, cred->oa_base, cred->oa_length, XDR_DECODE);
memset((char *)&creds, 0, sizeof (creds));
if (!__xdr_rpc_gss_creds(&xdrs, &creds)) {
XDR_DESTROY(&xdrs);
ret = AUTH_BADCRED;
goto error;
}
XDR_DESTROY(&xdrs);
/*
* If this is a control message and proc is GSSAPI_INIT, then
* create a client handle for this client. Otherwise, look up
* the existing handle.
*/
if (creds.gss_proc == RPCSEC_GSS_INIT) {
if (creds.ctx_handle.length != 0) {
ret = AUTH_BADCRED;
goto error;
}
if ((client_data = create_client()) == NULL) {
ret = AUTH_FAILED;
goto error;
}
} else {
/*
* Only verify values for service parameter when proc
* not RPCSEC_GSS_INIT or RPCSEC_GSS_CONTINUE_INIT.
* RFC2203 says contents for sequence and service args
* are undefined for creation procs.
*
* Note: only need to check for *CONTINUE_INIT here because
* if() clause already checked for RPCSEC_GSS_INIT
*/
if (creds.gss_proc != RPCSEC_GSS_CONTINUE_INIT) {
switch (creds.service) {
case rpc_gss_svc_none:
case rpc_gss_svc_integrity:
case rpc_gss_svc_privacy:
break;
default:
ret = AUTH_BADCRED;
goto error;
}
}
if (creds.ctx_handle.length == 0) {
ret = AUTH_BADCRED;
goto error;
}
if ((client_data = get_client(&creds.ctx_handle)) == NULL) {
ret = RPCSEC_GSS_NOCRED;
goto error;
}
}
/*
* lock the client data until it's safe; if it's already stale,
* no more processing is possible
*/
mutex_lock(&client_data->clm);
if (client_data->stale) {
ret = RPCSEC_GSS_NOCRED;
goto error2;
}
/*
* Any response we send will use ctx_handle, so set it now;
* also set seq_window since this won't change.
*/
call_res.ctx_handle.length = sizeof (client_data->key);
call_res.ctx_handle.value = (char *)&client_data->key;
call_res.seq_window = SEQ_WIN;
/*
* Set the appropriate wrap/unwrap routine for RPCSEC_GSS.
*/
svcauth = __svc_get_svcauth(rqst->rq_xprt);
svcauth->svc_ah_ops = svc_rpc_gss_ops;
svcauth->svc_ah_private = (caddr_t)client_data;
/*
* Keep copy of parameters we'll need for response, for the
* sake of reentrancy (we don't want to look in the context
* data because when we are sending a response, another
* request may have come in.
*/
gss_parms = &svcauth->svc_gss_parms;
gss_parms->established = client_data->established;
gss_parms->service = creds.service;
gss_parms->qop_rcvd = (uint_t)client_data->qop;
gss_parms->context = (void *)client_data->context;
gss_parms->seq_num = creds.seq_num;
if (!client_data->established) {
if (creds.gss_proc == RPCSEC_GSS_DATA) {
ret = RPCSEC_GSS_FAILED;
client_data->stale = TRUE;
goto error2;
}
/*
* If the context is not established, then only GSSAPI_INIT
* and _CONTINUE requests are valid.
*/
if (creds.gss_proc != RPCSEC_GSS_INIT && creds.gss_proc !=
RPCSEC_GSS_CONTINUE_INIT) {
ret = RPCSEC_GSS_FAILED;
client_data->stale = TRUE;
goto error2;
}
/*
* call is for us, deserialize arguments
*/
memset(&call_arg, 0, sizeof (call_arg));
if (!svc_getargs(rqst->rq_xprt, __xdr_rpc_gss_init_arg,
(caddr_t)&call_arg)) {
ret = RPCSEC_GSS_FAILED;
client_data->stale = TRUE;
goto error2;
}
gssstat = GSS_S_FAILURE;
minor_stat = 0;
rw_rdlock(&cred_lock);
/*
* set next sc to point to the server cred
* if the client_data contains server_creds
*/
for (sc = svc_creds_list; sc != NULL; sc = sc->next) {
if (rqst->rq_prog != sc->program ||
rqst->rq_vers != sc->version)
continue;
mutex_lock(&sc->refresh_mutex);
gssstat = gss_accept_sec_context(&minor_stat,
&client_data->context,
sc->cred,
&call_arg,
GSS_C_NO_CHANNEL_BINDINGS,
&client_data->client_name,
&mech_type,
&output_token,
&ret_flags,
&time_rec,
NULL);
if (gssstat == GSS_S_CREDENTIALS_EXPIRED) {
if (rpc_gss_refresh_svc_cred(sc)) {
gssstat = gss_accept_sec_context(
&minor_stat,
&client_data->context,
sc->cred,
&call_arg,
GSS_C_NO_CHANNEL_BINDINGS,
&client_data->client_name,
&mech_type,
&output_token,
&ret_flags,
&time_rec,
NULL);
mutex_unlock(&sc->refresh_mutex);
} else {
mutex_unlock(&sc->refresh_mutex);
gssstat = GSS_S_NO_CRED;
break;
}
} else
mutex_unlock(&sc->refresh_mutex);
if (gssstat == GSS_S_COMPLETE) {
/*
* Server_creds was right - set it. Also
* set the raw and unix credentials at this
* point. This saves a lot of computation
* later when credentials are retrieved.
*/
/*
* XXX server_creds will prob be stale
* after rpc_gss_refresh_svc_cred(), but
* it appears not to ever be referenced
* anyways.
*/
mutex_lock(&sc->refresh_mutex);
client_data->server_creds = sc->cred;
client_data->raw_cred.version = creds.version;
client_data->raw_cred.service = creds.service;
client_data->raw_cred.svc_principal =
sc->server_name;
mutex_unlock(&sc->refresh_mutex);
if ((client_data->raw_cred.mechanism
= __rpc_gss_oid_to_mech(mech_type))
== NULL) {
gssstat = GSS_S_FAILURE;
(void) gss_release_buffer(&minor_stat,
&output_token);
} else if (!set_client_principal(client_data->
client_name, &client_data->
raw_cred.client_principal)) {
gssstat = GSS_S_FAILURE;
(void) gss_release_buffer(&minor_stat,
&output_token);
}
break;
}
if (gssstat == GSS_S_CONTINUE_NEEDED) {
/*
* XXX server_creds will prob be stale
* after rpc_gss_refresh_svc_cred(), but
* it appears not to ever be referenced
* anyways.
*/
mutex_lock(&sc->refresh_mutex);
client_data->server_creds = sc->cred;
mutex_unlock(&sc->refresh_mutex);
break;
}
/* Make sure to free output_token in case of failure. */
if (output_token.length != 0) {
(void) gss_release_buffer(&minor_stat,
&output_token);
}
}
rw_unlock(&cred_lock);
call_res.gss_major = gssstat;
call_res.gss_minor = minor_stat;
xdr_free(__xdr_rpc_gss_init_arg, (caddr_t)&call_arg);
if (gssstat != GSS_S_COMPLETE &&
gssstat != GSS_S_CONTINUE_NEEDED) {
/*
* We have a failure - send response and delete
* the context. Don't dispatch. Set ctx_handle
* to NULL and seq_window to 0.
*/
call_res.ctx_handle.length = 0;
call_res.ctx_handle.value = NULL;
call_res.seq_window = 0;
svc_sendreply(rqst->rq_xprt, __xdr_rpc_gss_init_res,
(caddr_t)&call_res);
*no_dispatch = TRUE;
ret = AUTH_OK;
client_data->stale = TRUE;
goto error2;
}
/*
* This step succeeded. Send a response, along with
* a token if there's one. Don't dispatch.
*/
if (output_token.length != 0) {
GSS_COPY_BUFFER(call_res.token, output_token);
}
/*
* set response verifier: checksum of SEQ_WIN
*/
if (gssstat == GSS_S_COMPLETE) {
if (!set_response_verf(rqst, msg, client_data,
(uint_t)SEQ_WIN)) {
ret = RPCSEC_GSS_FAILED;
client_data->stale = TRUE;
(void) gss_release_buffer(&minor_stat,
&output_token);
goto error2;
}
}
svc_sendreply(rqst->rq_xprt, __xdr_rpc_gss_init_res,
(caddr_t)&call_res);
/*
* Cache last response in case it is lost and the client
* retries on an established context.
*/
(void) retrans_add(client_data, msg->rm_xid, &call_res);
*no_dispatch = TRUE;
(void) gss_release_buffer(&minor_stat, &output_token);
/*
* If appropriate, set established to TRUE *after* sending
* response (otherwise, the client will receive the final
* token encrypted)
*/
if (gssstat == GSS_S_COMPLETE) {
/*
* Context is established. Set expiry time for
* context (the minimum of time_rec and max_lifetime).
*/
client_data->seq_num = 1;
if (time_rec == GSS_C_INDEFINITE) {
if (max_lifetime != GSS_C_INDEFINITE)
client_data->expiration =
max_lifetime + time(0);
else
client_data->expiration =
GSS_C_INDEFINITE;
} else if (max_lifetime == GSS_C_INDEFINITE ||
max_lifetime > time_rec)
client_data->expiration = time_rec + time(0);
else
client_data->expiration = max_lifetime +
time(0);
client_data->established = TRUE;
}
} else {
if ((creds.gss_proc != RPCSEC_GSS_DATA) &&
(creds.gss_proc != RPCSEC_GSS_DESTROY)) {
switch (creds.gss_proc) {
case RPCSEC_GSS_CONTINUE_INIT:
/*
* This is an established context. Continue to
* satisfy retried continue init requests out of
* the retransmit cache. Throw away any that don't
* have a matching xid or the cach is empty.
* Delete the retransmit cache once the client sends
* a data request.
*/
if (client_data->retrans_data &&
(client_data->retrans_data->xid == msg->rm_xid)) {
retrans_result = &client_data->retrans_data->result;
if (set_response_verf(rqst, msg, client_data,
(uint_t)retrans_result->seq_window)) {
gss_parms->established = FALSE;
svc_sendreply(rqst->rq_xprt,
__xdr_rpc_gss_init_res,
(caddr_t)retrans_result);
*no_dispatch = TRUE;
goto success;
}
}
/* fall thru to default */
default:
syslog(LOG_ERR, "_svcrpcsec_gss: non-data request "
"on an established context");
ret = AUTH_FAILED;
goto error2;
}
}
/*
* Once the context is established and there is no more
* retransmission of last continue init request, it is safe
* to delete the retransmit cache entry.
*/
if (client_data->retrans_data)
retrans_del(client_data);
/*
* Context is already established. Check verifier, and
* note parameters we will need for response in gss_parms.
*/
if (!check_verf(msg, client_data->context,
&gss_parms->qop_rcvd)) {
ret = RPCSEC_GSS_NOCRED;
goto error2;
}
/*
* Check and invoke callback if necessary.
*/
if (!client_data->done_docallback) {
client_data->done_docallback = TRUE;
client_data->qop = gss_parms->qop_rcvd;
client_data->raw_cred.qop = __rpc_gss_num_to_qop(
client_data->raw_cred.mechanism,
gss_parms->qop_rcvd);
client_data->raw_cred.service = creds.service;
if (!do_callback(rqst, client_data)) {
ret = AUTH_FAILED;
client_data->stale = TRUE;
goto error2;
}
}
/*
* If the context was locked, make sure that the client
* has not changed QOP.
*/
if (client_data->locked &&
gss_parms->qop_rcvd != client_data->qop) {
ret = AUTH_BADVERF;
goto error2;
}
/*
* Validate sequence number.
*/
if (!check_seq(client_data, creds.seq_num,
&client_data->stale)) {
if (client_data->stale)
ret = RPCSEC_GSS_FAILED;
else {
/*
* Operational error, drop packet silently.
* The client will recover after timing out,
* assuming this is a client error and not
* a relpay attack. Don't dispatch.
*/
ret = AUTH_OK;
*no_dispatch = TRUE;
}
goto error2;
}
/*
* set response verifier
*/
if (!set_response_verf(rqst, msg, client_data, creds.seq_num)) {
ret = RPCSEC_GSS_FAILED;
client_data->stale = TRUE;
goto error2;
}
/*
* If this is a control message RPCSEC_GSS_DESTROY, process
* the call; otherwise, return AUTH_OK so it will be
* dispatched to the application server.
*/
if (creds.gss_proc == RPCSEC_GSS_DESTROY) {
svc_sendreply(rqst->rq_xprt, xdr_void, NULL);
*no_dispatch = TRUE;
client_data->stale = TRUE;
} else {
/*
* This should be an RPCSEC_GSS_DATA request.
* If context is locked, make sure that the client
* has not changed the security service.
*/
if (client_data->locked &&
client_data->raw_cred.service != creds.service) {
ret = AUTH_FAILED;
goto error2;
}
/*
* Set client credentials to raw credential
* structure in context. This is okay, since
* this will not change during the lifetime of
* the context (so it's MT safe).
*/
rqst->rq_clntcred = (char *)&client_data->raw_cred;
}
}
success:
/*
* Success.
*/
if (creds.ctx_handle.length != 0)
xdr_free(__xdr_rpc_gss_creds, (caddr_t)&creds);
mutex_unlock(&client_data->clm);
return (AUTH_OK);
error2:
mutex_unlock(&client_data->clm);
error:
/*
* Failure.
*/
if (creds.ctx_handle.length != 0)
xdr_free(__xdr_rpc_gss_creds, (caddr_t)&creds);
return (ret);
}
/*
* Check verifier. The verifier is the checksum of the RPC header
* upto and including the credentials field.
*/
static bool_t
check_verf(msg, context, qop_state)
struct rpc_msg *msg;
gss_ctx_id_t context;
int *qop_state;
{
int *buf, *tmp;
int hdr[32];
struct opaque_auth *oa;
int len;
gss_buffer_desc msg_buf;
gss_buffer_desc tok_buf;
OM_uint32 gssstat, minor_stat;
/*
* We have to reconstruct the RPC header from the previously
* parsed information, since we haven't kept the header intact.
*/
oa = &msg->rm_call.cb_cred;
if (oa->oa_length > MAX_AUTH_BYTES)
return (FALSE);
/* 8 XDR units from the IXDR macro calls. */
if (sizeof (hdr) < (8 * BYTES_PER_XDR_UNIT +
RNDUP(oa->oa_length)))
return (FALSE);
buf = hdr;
IXDR_PUT_U_INT32(buf, msg->rm_xid);
IXDR_PUT_ENUM(buf, msg->rm_direction);
IXDR_PUT_U_INT32(buf, msg->rm_call.cb_rpcvers);
IXDR_PUT_U_INT32(buf, msg->rm_call.cb_prog);
IXDR_PUT_U_INT32(buf, msg->rm_call.cb_vers);
IXDR_PUT_U_INT32(buf, msg->rm_call.cb_proc);
IXDR_PUT_ENUM(buf, oa->oa_flavor);
IXDR_PUT_U_INT32(buf, oa->oa_length);
if (oa->oa_length) {
len = RNDUP(oa->oa_length);
tmp = buf;
buf += len / sizeof (int);
*(buf - 1) = 0;
(void) memcpy((caddr_t)tmp, oa->oa_base, oa->oa_length);
}
len = ((char *)buf) - (char *)hdr;
msg_buf.length = len;
msg_buf.value = (char *)hdr;
oa = &msg->rm_call.cb_verf;
tok_buf.length = oa->oa_length;
tok_buf.value = oa->oa_base;
gssstat = gss_verify(&minor_stat, context, &msg_buf, &tok_buf,
qop_state);
if (gssstat != GSS_S_COMPLETE)
return (FALSE);
return (TRUE);
}
/*
* Set response verifier. This is the checksum of the given number.
* (e.g. sequence number or sequence window)
*/
static bool_t
set_response_verf(rqst, msg, cl, num)
struct svc_req *rqst;
struct rpc_msg *msg;
svc_rpc_gss_data *cl;
uint_t num;
{
OM_uint32 minor;
gss_buffer_desc in_buf, out_buf;
uint_t num_net;
num_net = (uint_t)htonl(num);
in_buf.length = sizeof (num);
in_buf.value = (char *)&num_net;
if (gss_sign(&minor, cl->context, cl->qop, &in_buf,
&out_buf) != GSS_S_COMPLETE)
return (FALSE);
rqst->rq_xprt->xp_verf.oa_flavor = RPCSEC_GSS;
rqst->rq_xprt->xp_verf.oa_base = msg->rm_call.cb_verf.oa_base;
rqst->rq_xprt->xp_verf.oa_length = out_buf.length;
memcpy(rqst->rq_xprt->xp_verf.oa_base, out_buf.value,
out_buf.length);
(void) gss_release_buffer(&minor, &out_buf);
return (TRUE);
}
/*
* Create client context.
*/
static svc_rpc_gss_data *
create_client()
{
svc_rpc_gss_data *client_data;
static uint_t key = 1;
client_data = (svc_rpc_gss_data *) malloc(sizeof (*client_data));
if (client_data == NULL)
return (NULL);
memset((char *)client_data, 0, sizeof (*client_data));
/*
* set up client data structure
*/
client_data->established = FALSE;
client_data->locked = FALSE;
client_data->u_cred_set = FALSE;
client_data->context = GSS_C_NO_CONTEXT;
client_data->expiration = init_lifetime + time(0);
client_data->ref_cnt = 1;
client_data->qop = GSS_C_QOP_DEFAULT;
client_data->done_docallback = FALSE;
client_data->stale = FALSE;
client_data->time_secs_set = 0;
client_data->retrans_data = NULL;
mutex_init(&client_data->clm, USYNC_THREAD, NULL);
/*
* Check totals. If we've hit the limit, we destroy a context
* based on LRU method.
*/
mutex_lock(&ctx_mutex);
if (num_gss_contexts >= max_gss_contexts) {
/*
* now try on LRU basis
*/
drop_lru_client();
if (num_gss_contexts >= max_gss_contexts) {
mutex_unlock(&ctx_mutex);
free((char *)client_data);
return (NULL);
}
}
/*
* The client context handle is a 32-bit key (unsigned int).
* The key is incremented until there is no duplicate for it.
*/
for (;;) {
client_data->key = key++;
if (find_client(client_data->key) == NULL) {
insert_client(client_data);
/*
* Set cleanup callback if we haven't.
*/
if (!cleanup_cb_set) {
old_cleanup_cb =
(void (*)()) __svc_set_proc_cleanup_cb(
(void *)ctx_cleanup);
cleanup_cb_set = TRUE;
}
mutex_unlock(&ctx_mutex);
return (client_data);
}
}
/*NOTREACHED*/
}
/*
* Insert client context into hash list and LRU list.
*/
static void
insert_client(client_data)
svc_rpc_gss_data *client_data;
{
svc_rpc_gss_data *cl;
int index = (client_data->key & HASHMASK);
client_data->prev = NULL;
cl = clients[index];
if ((client_data->next = cl) != NULL)
cl->prev = client_data;
clients[index] = client_data;
client_data->lru_prev = NULL;
if ((client_data->lru_next = lru_first) != NULL)
lru_first->lru_prev = client_data;
else
lru_last = client_data;
lru_first = client_data;
num_gss_contexts++;
}
/*
* Fetch a client, given the client context handle. Move it to the
* top of the LRU list since this is the most recently used context.
*/
static svc_rpc_gss_data *
get_client(ctx_handle)
gss_buffer_t ctx_handle;
{
uint_t key = *(uint_t *)ctx_handle->value;
svc_rpc_gss_data *cl;
mutex_lock(&ctx_mutex);
if ((cl = find_client(key)) != NULL) {
mutex_lock(&cl->clm);
if (cl->stale) {
mutex_unlock(&cl->clm);
mutex_unlock(&ctx_mutex);
return (NULL);
}
cl->ref_cnt++;
mutex_unlock(&cl->clm);
if (cl != lru_first) {
cl->lru_prev->lru_next = cl->lru_next;
if (cl->lru_next != NULL)
cl->lru_next->lru_prev = cl->lru_prev;
else
lru_last = cl->lru_prev;
cl->lru_prev = NULL;
cl->lru_next = lru_first;
lru_first->lru_prev = cl;
lru_first = cl;
}
}
mutex_unlock(&ctx_mutex);
return (cl);
}
/*
* Given the client context handle, find the context corresponding to it.
* Don't change its LRU state since it may not be used.
*/
static svc_rpc_gss_data *
find_client(key)
uint_t key;
{
int index = (key & HASHMASK);
svc_rpc_gss_data *cl;
for (cl = clients[index]; cl != NULL; cl = cl->next) {
if (cl->key == key)
break;
}
return (cl);
}
/*
* Destroy a client context.
*/
static void
destroy_client(client_data)
svc_rpc_gss_data *client_data;
{
OM_uint32 minor;
int index = (client_data->key & HASHMASK);
/*
* remove from hash list
*/
if (client_data->prev == NULL)
clients[index] = client_data->next;
else
client_data->prev->next = client_data->next;
if (client_data->next != NULL)
client_data->next->prev = client_data->prev;
/*
* remove from LRU list
*/
if (client_data->lru_prev == NULL)
lru_first = client_data->lru_next;
else
client_data->lru_prev->lru_next = client_data->lru_next;
if (client_data->lru_next != NULL)
client_data->lru_next->lru_prev = client_data->lru_prev;
else
lru_last = client_data->lru_prev;
/*
* If there is a GSS context, clean up GSS state.
*/
if (client_data->context != GSS_C_NO_CONTEXT) {
(void) gss_delete_sec_context(&minor, &client_data->context,
NULL);
if (client_data->client_name)
(void) gss_release_name(&minor, &client_data->client_name);
if (client_data->raw_cred.client_principal)
free((char *)client_data->raw_cred.client_principal);
if (client_data->u_cred.gidlist != NULL)
free((char *)client_data->u_cred.gidlist);
if (client_data->deleg != GSS_C_NO_CREDENTIAL)
(void) gss_release_cred(&minor, &client_data->deleg);
}
if (client_data->retrans_data != NULL)
retrans_del(client_data);
free(client_data);
num_gss_contexts--;
}
/*
* Check for expired client contexts.
*/
static void
sweep_clients()
{
svc_rpc_gss_data *cl, *next;
int index;
for (index = 0; index < HASHMOD; index++) {
cl = clients[index];
while (cl) {
next = cl->next;
mutex_lock(&cl->clm);
if ((cl->expiration != GSS_C_INDEFINITE &&
cl->expiration <= time(0)) || cl->stale) {
cl->stale = TRUE;
if (cl->ref_cnt == 0) {
mutex_unlock(&cl->clm);
destroy_client(cl);
} else
mutex_unlock(&cl->clm);
} else
mutex_unlock(&cl->clm);
cl = next;
}
}
last_swept = time(0);
}
/*
* Drop the least recently used client context, if possible.
*/
static void
drop_lru_client()
{
mutex_lock(&lru_last->clm);
lru_last->stale = TRUE;
mutex_unlock(&lru_last->clm);
if (lru_last->ref_cnt == 0)
destroy_client(lru_last);
else
sweep_clients();
}
/*
* find service credentials
* return cred if found,
* other wise, NULL
*/
svc_creds_list_t *
find_svc_cred(char *service_name, uint_t program, uint_t version) {
svc_creds_list_t *sc;
if (!svc_creds_list)
return (NULL);
for (sc = svc_creds_list; sc != NULL; sc = sc->next) {
if (program != sc->program || version != sc->version)
continue;
if (strcmp(service_name, sc->server_name) != 0)
continue;
return (sc);
}
return (NULL);
}
/*
* Set the server principal name.
*/
bool_t
__rpc_gss_set_svc_name(server_name, mech, req_time, program, version)
char *server_name;
char *mech;
OM_uint32 req_time;
uint_t program;
uint_t version;
{
gss_name_t name;
svc_creds_list_t *svc_cred;
gss_OID mechanism;
gss_OID_set_desc oid_set_desc;
gss_OID_set oid_set;
OM_uint32 ret_time;
OM_uint32 major, minor;
gss_buffer_desc name_buf;
if (!__rpc_gss_mech_to_oid(mech, &mechanism)) {
return (FALSE);
}
name_buf.value = server_name;
name_buf.length = strlen(server_name);
major = gss_import_name(&minor, &name_buf,
(gss_OID) GSS_C_NT_HOSTBASED_SERVICE, &name);
if (major != GSS_S_COMPLETE) {
return (FALSE);
}
/* Check if there is already an entry in the svc_creds_list. */
rw_wrlock(&cred_lock);
if (svc_cred = find_svc_cred(server_name, program, version)) {
major = gss_add_cred(&minor, svc_cred->cred, name,
mechanism, GSS_C_ACCEPT,
0, req_time, NULL,
&oid_set, NULL,
&ret_time);
(void) gss_release_name(&minor, &name);
if (major == GSS_S_COMPLETE) {
/*
* Successfully added the mech to the cred handle
* free the existing oid_set in svc_cred
*/
gss_release_oid_set(&minor, &svc_cred->oid_set);
svc_cred->oid_set = oid_set;
rw_unlock(&cred_lock);
return (TRUE);
} else if (major == GSS_S_DUPLICATE_ELEMENT) {
rw_unlock(&cred_lock);
return (TRUE);
} else if (major == GSS_S_CREDENTIALS_EXPIRED) {
if (rpc_gss_refresh_svc_cred(svc_cred)) {
rw_unlock(&cred_lock);
return (TRUE);
} else {
rw_unlock(&cred_lock);
return (FALSE);
}
} else {
rw_unlock(&cred_lock);
return (FALSE);
}
} else {
svc_cred = (svc_creds_list_t *)malloc(sizeof (*svc_cred));
if (svc_cred == NULL) {
(void) gss_release_name(&minor, &name);
rw_unlock(&cred_lock);
return (FALSE);
}
oid_set_desc.count = 1;
oid_set_desc.elements = mechanism;
major = gss_acquire_cred(&minor, name, req_time,
&oid_set_desc,
GSS_C_ACCEPT,
&svc_cred->cred,
&oid_set, &ret_time);
if (major != GSS_S_COMPLETE) {
(void) gss_release_name(&minor, &name);
free(svc_cred);
rw_unlock(&cred_lock);
return (FALSE);
}
svc_cred->name = name;
svc_cred->program = program;
svc_cred->version = version;
svc_cred->req_time = req_time;
svc_cred->oid_set = oid_set;
svc_cred->server_name = strdup(server_name);
if (svc_cred->server_name == NULL) {
(void) gss_release_name(&minor, &name);
free((char *)svc_cred);
rw_unlock(&cred_lock);
return (FALSE);
}
mutex_init(&svc_cred->refresh_mutex, USYNC_THREAD, NULL);
svc_cred->next = svc_creds_list;
svc_creds_list = svc_cred;
svc_creds_count++;
rw_unlock(&cred_lock);
return (TRUE);
}
}
/*
* Refresh server credentials.
*/
static bool_t
rpc_gss_refresh_svc_cred(svc_cred)
svc_creds_list_t *svc_cred;
{
OM_uint32 major, minor;
gss_OID_set oid_set;
OM_uint32 ret_time;
(void) gss_release_cred(&minor, &svc_cred->cred);
svc_cred->cred = GSS_C_NO_CREDENTIAL;
major = gss_acquire_cred(&minor, svc_cred->name, svc_cred->req_time,
svc_cred->oid_set, GSS_C_ACCEPT, &svc_cred->cred, &oid_set,
&ret_time);
if (major != GSS_S_COMPLETE) {
return (FALSE);
}
gss_release_oid_set(&minor, &svc_cred->oid_set);
svc_cred->oid_set = oid_set;
return (TRUE);
}
/*
* Encrypt the serialized arguments from xdr_func applied to xdr_ptr
* and write the result to xdrs.
*/
static bool_t
svc_rpc_gss_wrap(auth, out_xdrs, xdr_func, xdr_ptr)
SVCAUTH *auth;
XDR *out_xdrs;
bool_t (*xdr_func)();
caddr_t xdr_ptr;
{
svc_rpc_gss_parms_t *gss_parms = &auth->svc_gss_parms;
/*
* If context is not established, or if neither integrity nor
* privacy service is used, don't wrap - just XDR encode.
* Otherwise, wrap data using service and QOP parameters.
*/
if (!gss_parms->established ||
gss_parms->service == rpc_gss_svc_none)
return ((*xdr_func)(out_xdrs, xdr_ptr));
return (__rpc_gss_wrap_data(gss_parms->service,
(OM_uint32)gss_parms->qop_rcvd,
(gss_ctx_id_t)gss_parms->context,
gss_parms->seq_num,
out_xdrs, xdr_func, xdr_ptr));
}
/*
* Decrypt the serialized arguments and XDR decode them.
*/
static bool_t
svc_rpc_gss_unwrap(auth, in_xdrs, xdr_func, xdr_ptr)
SVCAUTH *auth;
XDR *in_xdrs;
bool_t (*xdr_func)();
caddr_t xdr_ptr;
{
svc_rpc_gss_parms_t *gss_parms = &auth->svc_gss_parms;
/*
* If context is not established, or if neither integrity nor
* privacy service is used, don't unwrap - just XDR decode.
* Otherwise, unwrap data.
*/
if (!gss_parms->established ||
gss_parms->service == rpc_gss_svc_none)
return ((*xdr_func)(in_xdrs, xdr_ptr));
return (__rpc_gss_unwrap_data(gss_parms->service,
(gss_ctx_id_t)gss_parms->context,
gss_parms->seq_num,
gss_parms->qop_rcvd,
in_xdrs, xdr_func, xdr_ptr));
}
int
__rpc_gss_svc_max_data_length(req, max_tp_unit_len)
struct svc_req *req;
int max_tp_unit_len;
{
SVCAUTH *svcauth;
svc_rpc_gss_parms_t *gss_parms;
svcauth = __svc_get_svcauth(req->rq_xprt);
gss_parms = &svcauth->svc_gss_parms;
if (!gss_parms->established || max_tp_unit_len <= 0)
return (0);
return (__find_max_data_length(gss_parms->service,
(gss_ctx_id_t)gss_parms->context,
gss_parms->qop_rcvd, max_tp_unit_len));
}
/*
* Add retransmit entry to the context cache entry for a new xid.
* If there is already an entry, delete it before adding the new one.
*/
static void retrans_add(client, xid, result)
svc_rpc_gss_data *client;
uint32_t xid;
rpc_gss_init_res *result;
{
retrans_entry *rdata;
if (client->retrans_data && client->retrans_data->xid == xid)
return;
rdata = (retrans_entry *) malloc(sizeof (*rdata));
if (rdata == NULL)
return;
rdata->xid = xid;
rdata->result = *result;
if (result->token.length != 0) {
GSS_DUP_BUFFER(rdata->result.token, result->token);
}
if (client->retrans_data)
retrans_del(client);
client->retrans_data = rdata;
}
/*
* Delete the retransmit data from the context cache entry.
*/
static void retrans_del(client)
svc_rpc_gss_data *client;
{
retrans_entry *rdata;
OM_uint32 minor_stat;
if (client->retrans_data == NULL)
return;
rdata = client->retrans_data;
if (rdata->result.token.length != 0) {
(void) gss_release_buffer(&minor_stat, &rdata->result.token);
}
free((caddr_t)rdata);
client->retrans_data = NULL;
}