1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * Copyright (c) 1990 The Regents of the University of California. 4 * 5 * Copyright (c) 2008 Doug Rabson 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 /* 30 svc_rpcsec_gss.c 31 32 Copyright (c) 2000 The Regents of the University of Michigan. 33 All rights reserved. 34 35 Copyright (c) 2000 Dug Song <dugsong@UMICH.EDU>. 36 All rights reserved, all wrongs reversed. 37 38 Redistribution and use in source and binary forms, with or without 39 modification, are permitted provided that the following conditions 40 are met: 41 42 1. 
Redistributions of source code must retain the above copyright 43 notice, this list of conditions and the following disclaimer. 44 2. Redistributions in binary form must reproduce the above copyright 45 notice, this list of conditions and the following disclaimer in the 46 documentation and/or other materials provided with the distribution. 47 3. Neither the name of the University nor the names of its 48 contributors may be used to endorse or promote products derived 49 from this software without specific prior written permission. 50 51 THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 52 WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 53 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 54 DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 55 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 56 CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 57 SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 58 BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 59 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 60 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 61 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
$Id: svc_auth_gss.c,v 1.27 2002/01/15 15:43:00 andros Exp $
*/

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/jail.h>
#include <sys/kernel.h>
#include <sys/kobj.h>
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/mutex.h>
#include <sys/proc.h>
#include <sys/sx.h>
#include <sys/ucred.h>

#include <rpc/rpc.h>
#include <rpc/rpcsec_gss.h>

#include "rpcsec_gss_int.h"

static bool_t svc_rpc_gss_wrap(SVCAUTH *, struct mbuf **);
static bool_t svc_rpc_gss_unwrap(SVCAUTH *, struct mbuf **);
static void svc_rpc_gss_release(SVCAUTH *);
static enum auth_stat svc_rpc_gss(struct svc_req *, struct rpc_msg *);
static int rpc_gss_svc_getcred(struct svc_req *, struct ucred **, int *);

/* Per-request argument/result protection hooks for the RPCSEC_GSS flavor. */
static const struct svc_auth_ops svc_auth_gss_ops = {
	.svc_ah_wrap = svc_rpc_gss_wrap,
	.svc_ah_unwrap = svc_rpc_gss_unwrap,
	.svc_ah_release = svc_rpc_gss_release,
};

/*
 * Global lock.  Protects the callback list, the service-name list, the
 * client hash table and the LRU list of clients declared below.
 */
struct sx svc_rpc_gss_lock;

/* A program/version-specific authorization callback registered by a service. */
struct svc_rpc_gss_callback {
	SLIST_ENTRY(svc_rpc_gss_callback) cb_link;
	rpc_gss_callback_t cb_callback;
};
static SLIST_HEAD(svc_rpc_gss_callback_list, svc_rpc_gss_callback)
	svc_rpc_gss_callbacks = SLIST_HEAD_INITIALIZER(svc_rpc_gss_callbacks);

/*
 * A server principal together with the acceptor credential acquired for
 * it, selected at context-establishment time by RPC program/version.
 */
struct svc_rpc_gss_svc_name {
	SLIST_ENTRY(svc_rpc_gss_svc_name) sn_link;
	char *sn_principal;		/* host-based service name, strdup'd */
	gss_OID sn_mech;		/* mechanism the cred was acquired for */
	u_int sn_req_time;		/* requested cred lifetime */
	gss_cred_id_t sn_cred;		/* acceptor credential */
	u_int sn_program;
	u_int sn_version;
};
static SLIST_HEAD(svc_rpc_gss_svc_name_list, svc_rpc_gss_svc_name)
	svc_rpc_gss_svc_names = SLIST_HEAD_INITIALIZER(svc_rpc_gss_svc_names);

enum svc_rpc_gss_client_state {
	CLIENT_NEW,		/* still authenticating */
	CLIENT_ESTABLISHED,	/* context established */
	CLIENT_STALE		/* garbage to collect */
};

/* Width of the per-context replay window, in sequence numbers (cl_seqmask). */
#define SVC_RPC_GSS_SEQWINDOW 128

/*
 * The opaque context handle handed back to the client and presented on
 * every subsequent request.  svc_rpc_gss_find_client() rejects a handle
 * whose hostid/boottime do not match this host before using ci_id for
 * the hash lookup.  ci_id is a simple counter, so handles are
 * predictable; it is the per-request MIC checked in
 * svc_rpc_gss_validate(), not the handle, that authenticates a call.
 */
struct svc_rpc_gss_clientid {
	unsigned long ci_hostid;
	uint32_t ci_boottime;
	uint32_t ci_id;
};

/* Server-side state for one RPCSEC_GSS security context. */
struct svc_rpc_gss_client {
	TAILQ_ENTRY(svc_rpc_gss_client) cl_link;	/* hash chain */
	TAILQ_ENTRY(svc_rpc_gss_client) cl_alllink;	/* LRU list */
	volatile u_int cl_refs;			/* refcount; see create/release */
	struct sx cl_lock;			/* serializes per-client state */
	struct svc_rpc_gss_clientid cl_id;	/* handle given to the client */
	time_t cl_expiration;			/* when to gc (time_uptime) */
	enum svc_rpc_gss_client_state cl_state;	/* client state */
	bool_t cl_locked;			/* fixed service+qop */
	gss_ctx_id_t cl_ctx;			/* context id */
	gss_cred_id_t cl_creds;			/* delegated creds */
	gss_name_t cl_cname;			/* client name */
	struct svc_rpc_gss_svc_name *cl_sname;	/* server name used */
	rpc_gss_rawcred_t cl_rawcred;		/* raw credentials */
	rpc_gss_ucred_t cl_ucred;		/* unix-style credentials */
	struct ucred *cl_cred;			/* kernel-style credentials */
	int cl_rpcflavor;			/* RPC pseudo sec flavor */
	bool_t cl_done_callback;		/* TRUE after call */
	void *cl_cookie;			/* user cookie from callback */
	gid_t cl_gid_storage[NGROUPS];		/* backs cl_ucred.gidlist */
	gss_OID cl_mech;			/* mechanism */
	gss_qop_t cl_qop;			/* quality of protection */
	uint32_t cl_seqlast;			/* sequence window origin */
	uint32_t cl_seqmask[SVC_RPC_GSS_SEQWINDOW/32]; /* bitmask of seqnums */
};
TAILQ_HEAD(svc_rpc_gss_client_list, svc_rpc_gss_client);

/*
 * This structure holds enough information to unwrap arguments or wrap
 * results for a given request.  We use the rq_clntcred area for this
 * (which is a per-request buffer).
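*/
struct svc_rpc_gss_cookedcred {
	struct svc_rpc_gss_client *cc_client;	/* context this request runs under */
	rpc_gss_service_t cc_service;		/* service level for this request */
	uint32_t cc_seq;			/* sequence number of this request */
};

#define CLIENT_HASH_SIZE 256
#define CLIENT_MAX 1024
u_int svc_rpc_gss_client_max = CLIENT_MAX;
u_int svc_rpc_gss_client_hash_size = CLIENT_HASH_SIZE;

SYSCTL_NODE(_kern, OID_AUTO, rpc, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
    "RPC");
SYSCTL_NODE(_kern_rpc, OID_AUTO, gss, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
    "GSS");

SYSCTL_UINT(_kern_rpc_gss, OID_AUTO, client_max, CTLFLAG_RW,
    &svc_rpc_gss_client_max, 0,
    "Max number of rpc-gss clients");

SYSCTL_UINT(_kern_rpc_gss, OID_AUTO, client_hash, CTLFLAG_RDTUN,
    &svc_rpc_gss_client_hash_size, 0,
    "Size of rpc-gss client hash table");

static u_int svc_rpc_gss_lifetime_max = 0;
SYSCTL_UINT(_kern_rpc_gss, OID_AUTO, lifetime_max, CTLFLAG_RW,
    &svc_rpc_gss_lifetime_max, 0,
    "Maximum lifetime (seconds) of rpc-gss clients");

static u_int svc_rpc_gss_client_count;
SYSCTL_UINT(_kern_rpc_gss, OID_AUTO, client_count, CTLFLAG_RD,
    &svc_rpc_gss_client_count, 0,
    "Number of rpc-gss clients");

struct svc_rpc_gss_client_list *svc_rpc_gss_client_hash;
struct svc_rpc_gss_client_list svc_rpc_gss_clients;
static uint32_t svc_rpc_gss_next_clientid = 1;

/*
 * Boot-time initialization: allocate the client hash table, set up the
 * global lock and register this module as the RPCSEC_GSS flavor handler.
 */
static void
svc_rpc_gss_init(void *arg)
{
	int i;

	/*
	 * kern.rpc.gss.client_hash is a loader tunable and every client
	 * lookup computes ci_id % svc_rpc_gss_client_hash_size.  A zero
	 * value would trap on the first client, so fall back to the
	 * compiled-in default rather than honour it.
	 */
	if (svc_rpc_gss_client_hash_size == 0)
		svc_rpc_gss_client_hash_size = CLIENT_HASH_SIZE;

	svc_rpc_gss_client_hash = mem_alloc(sizeof(struct svc_rpc_gss_client_list) *
	    svc_rpc_gss_client_hash_size);
	for (i = 0; i < svc_rpc_gss_client_hash_size; i++)
		TAILQ_INIT(&svc_rpc_gss_client_hash[i]);
	TAILQ_INIT(&svc_rpc_gss_clients);
	/* Have the lock ready before the flavor becomes visible to the RPC layer. */
	sx_init(&svc_rpc_gss_lock, "gsslock");
	svc_auth_reg(RPCSEC_GSS, svc_rpc_gss, rpc_gss_svc_getcred);
}
SYSINIT(svc_rpc_gss_init, SI_SUB_KMEM, SI_ORDER_ANY, svc_rpc_gss_init, NULL);

/*
 * Register an authorization callback for the program/version in *cb.
 * The callback is invoked from svc_rpc_gss_callback() once a context
 * is established.  Returns FALSE (with the RPC GSS error set) if the
 * entry cannot be allocated.
 */
bool_t
rpc_gss_set_callback(rpc_gss_callback_t *cb)
{
	struct svc_rpc_gss_callback *scb;

	scb = mem_alloc(sizeof(struct svc_rpc_gss_callback));
	if (!scb) {
		_rpc_gss_set_error(RPC_GSS_ER_SYSTEMERROR, ENOMEM);
		return (FALSE);
	}
	scb->cb_callback = *cb;
	sx_xlock(&svc_rpc_gss_lock);
	SLIST_INSERT_HEAD(&svc_rpc_gss_callbacks, scb, cb_link);
	sx_xunlock(&svc_rpc_gss_lock);

	return (TRUE);
}

/*
 * Remove the first callback registration matching *cb exactly
 * (program, version and function).  Silently does nothing if there is
 * no such registration.
 */
void
rpc_gss_clear_callback(rpc_gss_callback_t *cb)
{
	struct svc_rpc_gss_callback *scb;

	sx_xlock(&svc_rpc_gss_lock);
	SLIST_FOREACH(scb, &svc_rpc_gss_callbacks, cb_link) {
		if (scb->cb_callback.program == cb->program
		    && scb->cb_callback.version == cb->version
		    && scb->cb_callback.callback == cb->callback) {
			SLIST_REMOVE(&svc_rpc_gss_callbacks, scb,
			    svc_rpc_gss_callback, cb_link);
			sx_xunlock(&svc_rpc_gss_lock);
			mem_free(scb, sizeof(*scb));
			return;
		}
	}
	sx_xunlock(&svc_rpc_gss_lock);
}

/*
 * (Re)acquire the acceptor credential for a service name.  Any credential
 * previously held in sn_cred is released first, so on failure the entry
 * is left without a usable credential (presumably GSS_C_NO_CREDENTIAL,
 * per gss_release_cred()) and the caller must treat it as unusable.
 */
static bool_t
rpc_gss_acquire_svc_cred(struct svc_rpc_gss_svc_name *sname)
{
	OM_uint32 maj_stat, min_stat;
	gss_buffer_desc namebuf;
	gss_name_t name;
	gss_OID_set_desc oid_set;

	oid_set.count = 1;
	oid_set.elements = sname->sn_mech;

	namebuf.value = (void *) sname->sn_principal;
	namebuf.length = strlen(sname->sn_principal);

	maj_stat = gss_import_name(&min_stat, &namebuf,
	    GSS_C_NT_HOSTBASED_SERVICE, &name);
	if (maj_stat != GSS_S_COMPLETE)
		return (FALSE);

	if (sname->sn_cred != GSS_C_NO_CREDENTIAL)
		gss_release_cred(&min_stat, &sname->sn_cred);

	maj_stat = gss_acquire_cred(&min_stat, name,
	    sname->sn_req_time, &oid_set, GSS_C_ACCEPT, &sname->sn_cred,
	    NULL, NULL);
	if (maj_stat != GSS_S_COMPLETE) {
		gss_release_name(&min_stat, &name);
		return (FALSE);
	}
	gss_release_name(&min_stat, &name);

	return (TRUE);
}

/*
 * Register a server principal for program/version under the named
 * mechanism and acquire its acceptor credential up front.  The entry is
 * only published on the list once the credential has been obtained, so
 * the acquisition runs without the global lock.
 */
bool_t
rpc_gss_set_svc_name(const char *principal, const char *mechanism,
    u_int req_time, u_int program, u_int version)
{
	struct svc_rpc_gss_svc_name *sname;
	gss_OID mech_oid;

	if (!rpc_gss_mech_to_oid(mechanism, &mech_oid))
		return (FALSE);

	sname = mem_alloc(sizeof(*sname));
	if (!sname)
		return (FALSE);
	sname->sn_principal = strdup(principal, M_RPC);
	sname->sn_mech = mech_oid;
	sname->sn_req_time = req_time;
	sname->sn_cred = GSS_C_NO_CREDENTIAL;
	sname->sn_program = program;
	sname->sn_version = version;

	if (!rpc_gss_acquire_svc_cred(sname)) {
		free(sname->sn_principal, M_RPC);
		mem_free(sname, sizeof(*sname));
		return (FALSE);
	}

	sx_xlock(&svc_rpc_gss_lock);
	SLIST_INSERT_HEAD(&svc_rpc_gss_svc_names, sname, sn_link);
	sx_xunlock(&svc_rpc_gss_lock);

	return (TRUE);
}

/*
 * Unregister the first service name matching program/version and release
 * its credential.
 *
 * NOTE(review): established clients keep cl_sname and
 * cl_rawcred.svc_principal pointing at this entry (see
 * svc_rpc_gss_accept_sec_context()), and nothing here checks for them.
 * Clearing a name while such clients exist leaves those pointers
 * dangling; presumably callers only do this at service shutdown.
 */
void
rpc_gss_clear_svc_name(u_int program, u_int version)
{
	OM_uint32 min_stat;
	struct svc_rpc_gss_svc_name *sname;

	sx_xlock(&svc_rpc_gss_lock);
	SLIST_FOREACH(sname, &svc_rpc_gss_svc_names, sn_link) {
		if (sname->sn_program == program
		    && sname->sn_version == version) {
			SLIST_REMOVE(&svc_rpc_gss_svc_names, sname,
			    svc_rpc_gss_svc_name, sn_link);
			sx_xunlock(&svc_rpc_gss_lock);
			gss_release_cred(&min_stat, &sname->sn_cred);
			free(sname->sn_principal, M_RPC);
			mem_free(sname, sizeof(*sname));
			return;
		}
	}
	sx_xunlock(&svc_rpc_gss_lock);
}

/*
 * Build an exported (mechanism-canonical) principal for "name/node@domain"
 * under the given mechanism.  On success *principal points at a newly
 * allocated rpc_gss_principal_t owned by the caller; on failure the
 * status is logged and FALSE is returned.
 */
bool_t
rpc_gss_get_principal_name(rpc_gss_principal_t *principal,
    const char *mech, const char *name, const char *node, const char *domain)
{
	OM_uint32 maj_stat, min_stat;
	gss_OID mech_oid;
	size_t namelen;
	gss_buffer_desc buf;
	gss_name_t gss_name, gss_mech_name;
	rpc_gss_principal_t result;

	if (!rpc_gss_mech_to_oid(mech, &mech_oid))
		return (FALSE);

	/*
	 * Construct a gss_buffer containing the full name formatted
	 * as "name/node@domain" where node and domain are optional.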
*/
	/*
	 * namelen counts the name, one byte for each "/" or "@" separator
	 * that is actually emitted, and the terminating NUL, so the
	 * strcpy/strcat sequence below fills the buffer exactly.
	 */
	namelen = strlen(name) + 1;
	if (node) {
		namelen += strlen(node) + 1;
	}
	if (domain) {
		namelen += strlen(domain) + 1;
	}

	buf.value = mem_alloc(namelen);
	/*
	 * NOTE(review): buf.length includes the trailing NUL, so the name
	 * passed to gss_import_name() carries a 0 byte at the end; confirm
	 * the mechanism strips or tolerates it.
	 */
	buf.length = namelen;
	strcpy((char *) buf.value, name);
	if (node) {
		strcat((char *) buf.value, "/");
		strcat((char *) buf.value, node);
	}
	if (domain) {
		strcat((char *) buf.value, "@");
		strcat((char *) buf.value, domain);
	}

	/*
	 * Convert that to a gss_name_t and then convert that to a
	 * mechanism name in the selected mechanism.
	 */
	maj_stat = gss_import_name(&min_stat, &buf,
	    GSS_C_NT_USER_NAME, &gss_name);
	mem_free(buf.value, buf.length);
	if (maj_stat != GSS_S_COMPLETE) {
		rpc_gss_log_status("gss_import_name", mech_oid, maj_stat, min_stat);
		return (FALSE);
	}
	maj_stat = gss_canonicalize_name(&min_stat, gss_name, mech_oid,
	    &gss_mech_name);
	if (maj_stat != GSS_S_COMPLETE) {
		rpc_gss_log_status("gss_canonicalize_name", mech_oid, maj_stat,
		    min_stat);
		gss_release_name(&min_stat, &gss_name);
		return (FALSE);
	}
	gss_release_name(&min_stat, &gss_name);

	/*
	 * Export the mechanism name and use that to construct the
	 * rpc_gss_principal_t result.
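*/
	maj_stat = gss_export_name(&min_stat, gss_mech_name, &buf);
	if (maj_stat != GSS_S_COMPLETE) {
		rpc_gss_log_status("gss_export_name", mech_oid, maj_stat, min_stat);
		gss_release_name(&min_stat, &gss_mech_name);
		return (FALSE);
	}
	gss_release_name(&min_stat, &gss_mech_name);

	/*
	 * Size the principal the same way svc_rpc_gss_accept_sec_context()
	 * allocates and svc_rpc_gss_destroy_client() frees one
	 * (sizeof(*p) + len), so every principal in this file is accounted
	 * for consistently.
	 */
	result = mem_alloc(sizeof(*result) + buf.length);
	if (!result) {
		gss_release_buffer(&min_stat, &buf);
		return (FALSE);
	}
	result->len = buf.length;
	memcpy(result->name, buf.value, buf.length);
	gss_release_buffer(&min_stat, &buf);

	*principal = result;
	return (TRUE);
}

/*
 * Expose the raw and unix-style credentials (and the callback cookie) of
 * the context a request was received under.  The returned pointers refer
 * into the client structure, so they are only meant to be used for the
 * duration of the request.  Returns FALSE if the request did not use
 * RPCSEC_GSS.
 */
bool_t
rpc_gss_getcred(struct svc_req *req, rpc_gss_rawcred_t **rcred,
    rpc_gss_ucred_t **ucred, void **cookie)
{
	struct svc_rpc_gss_cookedcred *cc;
	struct svc_rpc_gss_client *client;

	if (req->rq_cred.oa_flavor != RPCSEC_GSS)
		return (FALSE);

	cc = req->rq_clntcred;
	client = cc->cc_client;
	if (rcred)
		*rcred = &client->cl_rawcred;
	if (ucred)
		*ucred = &client->cl_ucred;
	if (cookie)
		*cookie = client->cl_cookie;
	return (TRUE);
}

/*
 * This simpler interface is used by svc_getcred to copy the cred data
 * into a kernel cred structure.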
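*/
static int
rpc_gss_svc_getcred(struct svc_req *req, struct ucred **crp, int *flavorp)
{
	struct ucred *cr;
	struct svc_rpc_gss_cookedcred *cc;
	struct svc_rpc_gss_client *client;
	rpc_gss_ucred_t *uc;

	if (req->rq_cred.oa_flavor != RPCSEC_GSS)
		return (FALSE);

	cc = req->rq_clntcred;
	client = cc->cc_client;

	if (flavorp)
		*flavorp = client->cl_rpcflavor;

	/*
	 * The kernel ucred is built lazily on first use.  Several service
	 * threads can be handling requests on the same context at once, so
	 * serialize the construction on the client's lock: otherwise two
	 * threads could each crget(), one of the creds would be leaked, and
	 * a cred could be observed before its uid/gids are filled in.
	 */
	sx_xlock(&client->cl_lock);
	if (client->cl_cred == NULL) {
		uc = &client->cl_ucred;
		cr = crget();
		cr->cr_uid = cr->cr_ruid = cr->cr_svuid = uc->uid;
		cr->cr_rgid = cr->cr_svgid = uc->gid;
		crsetgroups(cr, uc->gidlen, uc->gidlist);
		cr->cr_prison = &prison0;
		prison_hold(cr->cr_prison);
		client->cl_cred = cr;	/* publish only once fully initialized */
	}
	*crp = crhold(client->cl_cred);
	sx_xunlock(&client->cl_lock);

	return (TRUE);
}

/*
 * Largest payload that can be protected under this request's service level
 * so that the wrapped result still fits in max_tp_unit_len bytes.  Returns
 * max_tp_unit_len unchanged for rpc_gss_svc_none and 0 if the limit cannot
 * be computed.
 */
int
rpc_gss_svc_max_data_length(struct svc_req *req, int max_tp_unit_len)
{
	struct svc_rpc_gss_cookedcred *cc = req->rq_clntcred;
	struct svc_rpc_gss_client *client = cc->cc_client;
	int want_conf;
	OM_uint32 max;
	OM_uint32 maj_stat, min_stat;
	int result;

	switch (client->cl_rawcred.service) {
	case rpc_gss_svc_none:
		return (max_tp_unit_len);
		break;

	case rpc_gss_svc_default:
	case rpc_gss_svc_integrity:
		want_conf = FALSE;
		break;

	case rpc_gss_svc_privacy:
		want_conf = TRUE;
		break;

	default:
		return (0);
	}

	maj_stat = gss_wrap_size_limit(&min_stat, client->cl_ctx, want_conf,
	    client->cl_qop, max_tp_unit_len, &max);

	if (maj_stat == GSS_S_COMPLETE) {
		/* An OM_uint32 above INT_MAX goes negative here; clamp to 0. */
		result = (int) max;
		if (result < 0)
			result = 0;
		return (result);
	} else {
		rpc_gss_log_status("gss_wrap_size_limit", client->cl_mech,
		    maj_stat, min_stat);
		return (0);
	}
}

/*
 * Look up a client by the handle presented on the wire.  A handle that
 * was not issued by this host since its last boot is rejected before any
 * table access.  On success the client is moved to the front of the LRU
 * list and returned with an extra reference that the caller must drop
 * with svc_rpc_gss_release_client(); otherwise NULL.
 */
static struct svc_rpc_gss_client *
svc_rpc_gss_find_client(struct svc_rpc_gss_clientid *id)
{
	struct svc_rpc_gss_client *client;
	struct svc_rpc_gss_client_list *list;
	struct timeval boottime;
	unsigned long hostid;

	rpc_gss_log_debug("in svc_rpc_gss_find_client(%d)", id->ci_id);

	getcredhostid(curthread->td_ucred, &hostid);
	getboottime(&boottime);
	if (id->ci_hostid != hostid || id->ci_boottime != boottime.tv_sec)
		return (NULL);

	list = &svc_rpc_gss_client_hash[id->ci_id % svc_rpc_gss_client_hash_size];
	sx_xlock(&svc_rpc_gss_lock);
	TAILQ_FOREACH(client, list, cl_link) {
		if (client->cl_id.ci_id == id->ci_id) {
			/*
			 * Move this client to the front of the LRU
			 * list.
			 */
			TAILQ_REMOVE(&svc_rpc_gss_clients, client, cl_alllink);
			TAILQ_INSERT_HEAD(&svc_rpc_gss_clients, client,
			    cl_alllink);
			refcount_acquire(&client->cl_refs);
			break;
		}
	}
	sx_xunlock(&svc_rpc_gss_lock);

	return (client);
}

/*
 * Allocate a new client in the CLIENT_NEW state, assign it a handle and
 * insert it in the hash table and LRU list.  The returned client carries
 * a reference for the caller.
 */
static struct svc_rpc_gss_client *
svc_rpc_gss_create_client(void)
{
	struct svc_rpc_gss_client *client;
	struct svc_rpc_gss_client_list *list;
	struct timeval boottime;
	unsigned long hostid;

	rpc_gss_log_debug("in svc_rpc_gss_create_client()");

	client = mem_alloc(sizeof(struct svc_rpc_gss_client));
	memset(client, 0, sizeof(struct svc_rpc_gss_client));

	/*
	 * Set the initial value of cl_refs to two.  One for the caller
	 * and the other to hold onto the client structure until it expires.
	 */
	refcount_init(&client->cl_refs, 2);
	sx_init(&client->cl_lock, "GSS-client");
	getcredhostid(curthread->td_ucred, &hostid);
	client->cl_id.ci_hostid = hostid;
	getboottime(&boottime);
	client->cl_id.ci_boottime = boottime.tv_sec;

	/*
	 * Start the client off with a short expiration time.  We will
	 * try to get a saner value from the client creds later.
	 */
	client->cl_state = CLIENT_NEW;
	client->cl_locked = FALSE;
	client->cl_expiration = time_uptime + 5*60;

	/*
	 * Assign the id under the global lock.  svc_rpc_gss_next_clientid is
	 * shared by every service thread; an unlocked post-increment can
	 * hand the same id to two clients, which then collide in the hash
	 * and are confused by svc_rpc_gss_find_client().
	 */
	sx_xlock(&svc_rpc_gss_lock);
	client->cl_id.ci_id = svc_rpc_gss_next_clientid++;
	list = &svc_rpc_gss_client_hash[client->cl_id.ci_id %
	    svc_rpc_gss_client_hash_size];
	TAILQ_INSERT_HEAD(list, client, cl_link);
	TAILQ_INSERT_HEAD(&svc_rpc_gss_clients, client, cl_alllink);
	svc_rpc_gss_client_count++;
	sx_xunlock(&svc_rpc_gss_lock);
	return (client);
}

/*
 * Free a client and everything it owns.  Only reached from
 * svc_rpc_gss_release_client() once the last reference is gone.
 */
static void
svc_rpc_gss_destroy_client(struct svc_rpc_gss_client *client)
{
	OM_uint32 min_stat;

	rpc_gss_log_debug("in svc_rpc_gss_destroy_client()");

	if (client->cl_ctx)
		gss_delete_sec_context(&min_stat,
		    &client->cl_ctx, GSS_C_NO_BUFFER);

	if (client->cl_cname)
		gss_release_name(&min_stat, &client->cl_cname);

	/*
	 * Delegated credentials are handed over to the program callback in
	 * svc_rpc_gss_callback(), which clears cl_creds when it does so.  A
	 * context that was established but never used for a call (or whose
	 * callback never ran) still owns them, so release them here instead
	 * of leaking them with the client.
	 */
	if (client->cl_creds)
		gss_release_cred(&min_stat, &client->cl_creds);

	if (client->cl_rawcred.client_principal)
		mem_free(client->cl_rawcred.client_principal,
		    sizeof(*client->cl_rawcred.client_principal)
		    + client->cl_rawcred.client_principal->len);

	if (client->cl_cred)
		crfree(client->cl_cred);

	sx_destroy(&client->cl_lock);
	mem_free(client, sizeof(*client));
}

/*
 * Drop a reference to a client and free it if that was the last reference.
 */
static void
svc_rpc_gss_release_client(struct svc_rpc_gss_client *client)
{

	if (!refcount_release(&client->cl_refs))
		return;
	svc_rpc_gss_destroy_client(client);
}

/*
 * Remove a client from our global lists.
 * Must be called with svc_rpc_gss_lock held.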
*/
static void
svc_rpc_gss_forget_client_locked(struct svc_rpc_gss_client *client)
{
	struct svc_rpc_gss_client_list *list;

	sx_assert(&svc_rpc_gss_lock, SX_XLOCKED);
	list = &svc_rpc_gss_client_hash[client->cl_id.ci_id % svc_rpc_gss_client_hash_size];
	TAILQ_REMOVE(list, client, cl_link);
	TAILQ_REMOVE(&svc_rpc_gss_clients, client, cl_alllink);
	svc_rpc_gss_client_count--;
}

/*
 * Remove a client from our global lists and free it if we can.
 *
 * Takes the global lock itself.  The hash chain is walked first so that
 * a client already unlinked by an expiry pass (or a concurrent call) is
 * neither unlinked twice nor has its list reference dropped twice.
 */
static void
svc_rpc_gss_forget_client(struct svc_rpc_gss_client *client)
{
	struct svc_rpc_gss_client_list *list;
	struct svc_rpc_gss_client *tclient;

	list = &svc_rpc_gss_client_hash[client->cl_id.ci_id % svc_rpc_gss_client_hash_size];
	sx_xlock(&svc_rpc_gss_lock);
	TAILQ_FOREACH(tclient, list, cl_link) {
		/*
		 * Make sure this client has not already been removed
		 * from the lists by svc_rpc_gss_forget_client() or
		 * svc_rpc_gss_forget_client_locked().
		 */
		if (client == tclient) {
			svc_rpc_gss_forget_client_locked(client);
			sx_xunlock(&svc_rpc_gss_lock);
			/* Drops the reference the lists held (see create_client). */
			svc_rpc_gss_release_client(client);
			return;
		}
	}
	sx_xunlock(&svc_rpc_gss_lock);
}

/*
 * Garbage collection: trim the client table down to
 * kern.rpc.gss.client_max, then drop every client that is stale or past
 * its expiration time.
 */
static void
svc_rpc_gss_timeout_clients(void)
{
	struct svc_rpc_gss_client *client;
	time_t now = time_uptime;

	rpc_gss_log_debug("in svc_rpc_gss_timeout_clients()");

	/*
	 * First enforce the max client limit.  We keep
	 * svc_rpc_gss_clients in LRU order.
*/
	sx_xlock(&svc_rpc_gss_lock);
	client = TAILQ_LAST(&svc_rpc_gss_clients, svc_rpc_gss_client_list);
	/*
	 * NOTE(review): eviction is purely by LRU position and does not
	 * prefer CLIENT_NEW entries, so once the count exceeds client_max a
	 * burst of fresh context-init requests can push established
	 * contexts out.  Keep that in mind when tuning client_max.
	 */
	while (svc_rpc_gss_client_count > svc_rpc_gss_client_max && client != NULL) {
		svc_rpc_gss_forget_client_locked(client);
		/*
		 * Release without the global lock: the last reference runs
		 * svc_rpc_gss_destroy_client(), which calls into the GSS layer.
		 */
		sx_xunlock(&svc_rpc_gss_lock);
		svc_rpc_gss_release_client(client);
		sx_xlock(&svc_rpc_gss_lock);
		client = TAILQ_LAST(&svc_rpc_gss_clients,
		    svc_rpc_gss_client_list);
	}
again:
	/*
	 * The lock is dropped around each release, so the list may have
	 * changed underneath the iterator; restart the walk every time.
	 */
	TAILQ_FOREACH(client, &svc_rpc_gss_clients, cl_alllink) {
		if (client->cl_state == CLIENT_STALE
		    || now > client->cl_expiration) {
			svc_rpc_gss_forget_client_locked(client);
			sx_xunlock(&svc_rpc_gss_lock);
			rpc_gss_log_debug("expiring client %p", client);
			svc_rpc_gss_release_client(client);
			sx_xlock(&svc_rpc_gss_lock);
			goto again;
		}
	}
	sx_xunlock(&svc_rpc_gss_lock);
}

#ifdef DEBUG
/*
 * OID<->string routines.  These are uuuuugly.
 *
 * Renders a DER-encoded OID as "{ a b c ... }".  Two passes: the first
 * sizes the output and rejects an OID whose sub-identifier would not fit
 * in an unsigned long; the second formats it (it can skip the overflow
 * check because the first pass already ran the same decode).
 */
static OM_uint32
gss_oid_to_str(OM_uint32 *minor_status, gss_OID oid, gss_buffer_t oid_str)
{
	char numstr[128];
	unsigned long number;
	int numshift;
	size_t string_length;
	size_t i;
	unsigned char *cp;
	char *bp;

	/* Decoded according to krb5/gssapi_krb5.c */

	/* First determine the size of the string */
	string_length = 0;
	number = 0;
	numshift = 0;
	cp = (unsigned char *) oid->elements;
	/* The first byte encodes the first two arcs as 40*a + b. */
	number = (unsigned long) cp[0];
	sprintf(numstr, "%ld ", number/40);
	string_length += strlen(numstr);
	sprintf(numstr, "%ld ", number%40);
	string_length += strlen(numstr);
	for (i=1; i<oid->length; i++) {
		if ( (size_t) (numshift+7) < (sizeof(unsigned long)*8)) {
			number = (number << 7) | (cp[i] & 0x7f);
			numshift += 7;
		}
		else {
			*minor_status = 0;
			return(GSS_S_FAILURE);
		}
		/* High bit clear marks the last 7-bit group of an arc. */
		if ((cp[i] & 0x80) == 0) {
			sprintf(numstr, "%ld ", number);
			string_length += strlen(numstr);
			number = 0;
			numshift = 0;
		}
	}
	/*
	 * If we get here, we've calculated the length of "n n n ... n ".  Add 4
	 * here for "{ " and "}\0".
	 */
	string_length += 4;
	if ((bp = malloc(string_length, M_GSSAPI, M_WAITOK | M_ZERO))) {
		strcpy(bp, "{ ");
		number = (unsigned long) cp[0];
		sprintf(numstr, "%ld ", number/40);
		strcat(bp, numstr);
		sprintf(numstr, "%ld ", number%40);
		strcat(bp, numstr);
		number = 0;
		cp = (unsigned char *) oid->elements;
		for (i=1; i<oid->length; i++) {
			number = (number << 7) | (cp[i] & 0x7f);
			if ((cp[i] & 0x80) == 0) {
				sprintf(numstr, "%ld ", number);
				strcat(bp, numstr);
				number = 0;
			}
		}
		strcat(bp, "}");
		oid_str->length = strlen(bp)+1;
		oid_str->value = (void *) bp;
		*minor_status = 0;
		return(GSS_S_COMPLETE);
	}
	*minor_status = 0;
	return(GSS_S_FAILURE);
}
#endif

/*
 * Map the authenticated GSS name to unix credentials in client->cl_ucred.
 * The group list lives in client->cl_gid_storage (NGROUPS entries).  If
 * the mapping fails the group list is empty and uid/gid fall back to
 * 65534 (conventionally "nobody") — assuming a failing
 * gss_pname_to_unix_cred() leaves uid/gid untouched; TODO confirm for
 * the mechanisms in use.
 */
static void
svc_rpc_gss_build_ucred(struct svc_rpc_gss_client *client,
    const gss_name_t name)
{
	OM_uint32 maj_stat, min_stat;
	rpc_gss_ucred_t *uc = &client->cl_ucred;
	int numgroups;

	uc->uid = 65534;
	uc->gid = 65534;
	uc->gidlist = client->cl_gid_storage;

	numgroups = NGROUPS;
	maj_stat = gss_pname_to_unix_cred(&min_stat, name, client->cl_mech,
	    &uc->uid, &uc->gid, &numgroups, &uc->gidlist[0]);
	if (GSS_ERROR(maj_stat))
		uc->gidlen = 0;
	else
		uc->gidlen = numgroups;
}

/*
 * Derive client->cl_rpcflavor (the pseudo flavor reported by
 * rpc_gss_svc_getcred()) from the mechanism and the requested service.
 */
static void
svc_rpc_gss_set_flavor(struct svc_rpc_gss_client *client)
{
	static gss_OID_desc krb5_mech_oid =
		{9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };

	/*
	 * Attempt to translate mech type and service into a
	 * 'pseudo flavor'.  Hardwire in krb5 support for now.
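*/
	if (kgss_oid_equal(client->cl_mech, &krb5_mech_oid)) {
		switch (client->cl_rawcred.service) {
		case rpc_gss_svc_default:
		case rpc_gss_svc_none:
			client->cl_rpcflavor = RPCSEC_GSS_KRB5;
			break;
		case rpc_gss_svc_integrity:
			client->cl_rpcflavor = RPCSEC_GSS_KRB5I;
			break;
		case rpc_gss_svc_privacy:
			client->cl_rpcflavor = RPCSEC_GSS_KRB5P;
			break;
		default:
			/*
			 * cl_rawcred.service is copied from the client's
			 * request.  An out-of-range value used to leave
			 * cl_rpcflavor at its zeroed initial value; report
			 * the generic flavor instead so svc_getcred callers
			 * never see a bogus 0 for a GSS request.
			 */
			client->cl_rpcflavor = RPCSEC_GSS;
			break;
		}
	} else {
		client->cl_rpcflavor = RPCSEC_GSS;
	}
}

/*
 * Run one round of context establishment for an RPCSEC_GSS_INIT or
 * CONTINUE_INIT request.  The client's token is read from the request,
 * fed to gss_accept_sec_context() and the reply (major/minor status,
 * output token, handle and sequence window) is left in *gr.
 *
 * Returns FALSE when the reply cannot be produced at all (bad arguments,
 * no service name for this program/version, export_name failure).  A GSS
 * failure still returns TRUE so the client gets to see the status, but
 * marks the client CLIENT_STALE.  On GSS_S_COMPLETE the client's
 * credentials, expiration and pseudo flavor are filled in.
 */
static bool_t
svc_rpc_gss_accept_sec_context(struct svc_rpc_gss_client *client,
			       struct svc_req *rqst,
			       struct rpc_gss_init_res *gr,
			       struct rpc_gss_cred *gc)
{
	gss_buffer_desc recv_tok;
	gss_OID mech;
	OM_uint32 maj_stat = 0, min_stat = 0, ret_flags;
	OM_uint32 cred_lifetime;
	struct svc_rpc_gss_svc_name *sname;
	bool_t retried;

	rpc_gss_log_debug("in svc_rpc_gss_accept_context()");

	/* Deserialize arguments. */
	memset(&recv_tok, 0, sizeof(recv_tok));

	if (!svc_getargs(rqst,
		(xdrproc_t) xdr_gss_buffer_desc,
		(caddr_t) &recv_tok)) {
		client->cl_state = CLIENT_STALE;
		return (FALSE);
	}

	/*
	 * First time round, try all the server names we have until
	 * one matches.  Afterwards, stick with that one.
	 *
	 * NOTE(review): the global lock is held across
	 * gss_accept_sec_context() (what it protects here is cl_sname and
	 * sn_cred), which serializes every context establishment on the
	 * host behind one lock.
	 */
	sx_xlock(&svc_rpc_gss_lock);
	if (!client->cl_sname) {
		SLIST_FOREACH(sname, &svc_rpc_gss_svc_names, sn_link) {
			if (sname->sn_program == rqst->rq_prog
			    && sname->sn_version == rqst->rq_vers) {
				retried = FALSE;
			retry:
				gr->gr_major = gss_accept_sec_context(
					&gr->gr_minor,
					&client->cl_ctx,
					sname->sn_cred,
					&recv_tok,
					GSS_C_NO_CHANNEL_BINDINGS,
					&client->cl_cname,
					&mech,
					&gr->gr_token,
					&ret_flags,
					&cred_lifetime,
					&client->cl_creds);
				if (gr->gr_major ==
				    GSS_S_CREDENTIALS_EXPIRED && !retried) {
					/*
					 * Either our creds really did
					 * expire or gssd was
					 * restarted.  Re-acquire and try
					 * once more.  The retry is bounded:
					 * a cred that re-acquires fine but
					 * is still rejected would otherwise
					 * spin here with the global lock
					 * held, driven by a single client.
					 */
					retried = TRUE;
					if (rpc_gss_acquire_svc_cred(sname))
						goto retry;
				}
				client->cl_sname = sname;
				break;
			}
		}
		if (!sname) {
			xdr_free((xdrproc_t) xdr_gss_buffer_desc,
			    (char *) &recv_tok);
			sx_xunlock(&svc_rpc_gss_lock);
			return (FALSE);
		}
	} else {
		gr->gr_major = gss_accept_sec_context(
			&gr->gr_minor,
			&client->cl_ctx,
			client->cl_sname->sn_cred,
			&recv_tok,
			GSS_C_NO_CHANNEL_BINDINGS,
			&client->cl_cname,
			&mech,
			&gr->gr_token,
			&ret_flags,
			&cred_lifetime,
			NULL);
	}
	sx_xunlock(&svc_rpc_gss_lock);

	xdr_free((xdrproc_t) xdr_gss_buffer_desc, (char *) &recv_tok);

	/*
	 * If we get an error from gss_accept_sec_context, send the
	 * reply anyway so that the client gets a chance to see what
	 * is wrong.
	 */
	if (gr->gr_major != GSS_S_COMPLETE &&
	    gr->gr_major != GSS_S_CONTINUE_NEEDED) {
		rpc_gss_log_status("accept_sec_context", client->cl_mech,
		    gr->gr_major, gr->gr_minor);
		client->cl_state = CLIENT_STALE;
		return (TRUE);
	}

	/* The handle is the client id itself; see struct svc_rpc_gss_clientid. */
	gr->gr_handle.value = &client->cl_id;
	gr->gr_handle.length = sizeof(client->cl_id);
	gr->gr_win = SVC_RPC_GSS_SEQWINDOW;

	/*
	 * Save client info.
	 *
	 * NOTE(review): ret_flags is not examined, so nothing here
	 * verifies that the mechanism negotiated integrity/confidentiality
	 * for the service level the client later asks for — confirm the
	 * mechanisms in use always provide them.
	 */
	client->cl_mech = mech;
	client->cl_qop = GSS_C_QOP_DEFAULT;
	client->cl_done_callback = FALSE;

	if (gr->gr_major == GSS_S_COMPLETE) {
		gss_buffer_desc export_name;

		/*
		 * Change client expiration time to be near when the
		 * client creds expire (or 24 hours if we can't figure
		 * that out).
		 */
		if (cred_lifetime == GSS_C_INDEFINITE)
			cred_lifetime = 24*60*60;

		/*
		 * Cap cred_lifetime if sysctl kern.rpc.gss.lifetime_max is set.
		 */
		if (svc_rpc_gss_lifetime_max > 0 && cred_lifetime >
		    svc_rpc_gss_lifetime_max)
			cred_lifetime = svc_rpc_gss_lifetime_max;

		client->cl_expiration = time_uptime + cred_lifetime;

		/*
		 * Fill in cred details in the rawcred structure.
		 */
		client->cl_rawcred.version = RPCSEC_GSS_VERSION;
		rpc_gss_oid_to_mech(mech, &client->cl_rawcred.mechanism);
		maj_stat = gss_export_name(&min_stat, client->cl_cname,
		    &export_name);
		if (maj_stat != GSS_S_COMPLETE) {
			rpc_gss_log_status("gss_export_name", client->cl_mech,
			    maj_stat, min_stat);
			return (FALSE);
		}
		client->cl_rawcred.client_principal =
			mem_alloc(sizeof(*client->cl_rawcred.client_principal)
			    + export_name.length);
		client->cl_rawcred.client_principal->len = export_name.length;
		memcpy(client->cl_rawcred.client_principal->name,
		    export_name.value, export_name.length);
		gss_release_buffer(&min_stat, &export_name);
		/* Points into the svc_name entry; valid while that entry exists. */
		client->cl_rawcred.svc_principal =
			client->cl_sname->sn_principal;
		/* Service level as requested by the client in this call. */
		client->cl_rawcred.service = gc->gc_svc;

		/*
		 * Use gss_pname_to_uid to map to unix creds.  For
		 * kerberos5, this uses krb5_aname_to_localname.
		 */
		svc_rpc_gss_build_ucred(client, client->cl_cname);
		svc_rpc_gss_set_flavor(client);
		gss_release_name(&min_stat, &client->cl_cname);

#ifdef DEBUG
		{
			gss_buffer_desc mechname;

			gss_oid_to_str(&min_stat, mech, &mechname);

			rpc_gss_log_debug("accepted context for %s with "
			    "<mech %.*s, qop %d, svc %d>",
			    client->cl_rawcred.client_principal->name,
			    mechname.length, (char *)mechname.value,
			    client->cl_qop, client->cl_rawcred.service);

			gss_release_buffer(&min_stat, &mechname);
		}
#endif /* DEBUG */
	}
	return (TRUE);
}

/*
 * Verify the request's credential verifier: rebuild the RPC call header
 * exactly as the client signed it (xid through the credential body) and
 * check msg->rm_call.cb_verf as a MIC over it under the client's context.
 * On success *qop receives the QOP the MIC was made with.
 */
static bool_t
svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg,
    gss_qop_t *qop, rpc_gss_proc_t gcproc)
{
	struct opaque_auth *oa;
	gss_buffer_desc rpcbuf, checksum;
	OM_uint32 maj_stat, min_stat;
	gss_qop_t qop_state;
	int32_t rpchdr[128 / sizeof(int32_t)];
	int32_t *buf;
	size_t hdrlen;

	rpc_gss_log_debug("in svc_rpc_gss_validate()");

	memset(rpchdr, 0, sizeof(rpchdr));

	/* Reconstruct RPC header for signing (from xdr_callmsg). */
	buf = rpchdr;
	IXDR_PUT_LONG(buf, msg->rm_xid);
	IXDR_PUT_ENUM(buf, msg->rm_direction);
	IXDR_PUT_LONG(buf, msg->rm_call.cb_rpcvers);
	IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
	IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
	oa = &msg->rm_call.cb_cred;
	IXDR_PUT_ENUM(buf, oa->oa_flavor);
	IXDR_PUT_LONG(buf, oa->oa_length);
	/*
	 * oa_base/oa_length come straight off the wire and rpchdr is a
	 * fixed stack buffer with eight words already used.  Refuse any
	 * credential body that would not fit rather than trust the caller
	 * to have bounded it.  A well-formed RPCSEC_GSS credential is far
	 * smaller: the handle this server issues is sizeof(cl_id) bytes
	 * (see svc_rpc_gss_accept_sec_context()).  The context is left as
	 * it was, so an unauthenticated sender cannot use an oversized
	 * credential to invalidate someone else's context.
	 */
	hdrlen = (u_char *)buf - (u_char *)rpchdr;
	if (oa->oa_length > sizeof(rpchdr) - hdrlen) {
		rpc_gss_log_debug("credential too large to validate (%u bytes)",
		    oa->oa_length);
		return (FALSE);
	}
	if (oa->oa_length) {
		memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
		/* The pad bytes are already zero from the memset above. */
		buf += RNDUP(oa->oa_length) / sizeof(int32_t);
	}
	rpcbuf.value = rpchdr;
	rpcbuf.length = (u_char *)buf - (u_char *)rpchdr;

	checksum.value = msg->rm_call.cb_verf.oa_base;
	checksum.length = msg->rm_call.cb_verf.oa_length;

	maj_stat = gss_verify_mic(&min_stat, client->cl_ctx, &rpcbuf, &checksum,
	    &qop_state);

	if (maj_stat != GSS_S_COMPLETE) {
		rpc_gss_log_status("gss_verify_mic", client->cl_mech,
		    maj_stat, min_stat);
		/*
		 * A bug in some versions of the Linux client generates a
		 * Destroy operation with a bogus encrypted checksum.  Deleting
		 * the credential handle for that case causes the mount to fail.
		 * Since the checksum is bogus (gss_verify_mic() failed), it
		 * doesn't make sense to destroy the handle and not doing so
		 * fixes the Linux mount.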
1076 */ 1077 if (gcproc != RPCSEC_GSS_DESTROY) 1078 client->cl_state = CLIENT_STALE; 1079 return (FALSE); 1080 } 1081 1082 *qop = qop_state; 1083 return (TRUE); 1084 } 1085 1086 static bool_t 1087 svc_rpc_gss_nextverf(struct svc_rpc_gss_client *client, 1088 struct svc_req *rqst, u_int seq) 1089 { 1090 gss_buffer_desc signbuf; 1091 gss_buffer_desc mic; 1092 OM_uint32 maj_stat, min_stat; 1093 uint32_t nseq; 1094 1095 rpc_gss_log_debug("in svc_rpc_gss_nextverf()"); 1096 1097 nseq = htonl(seq); 1098 signbuf.value = &nseq; 1099 signbuf.length = sizeof(nseq); 1100 1101 maj_stat = gss_get_mic(&min_stat, client->cl_ctx, client->cl_qop, 1102 &signbuf, &mic); 1103 1104 if (maj_stat != GSS_S_COMPLETE) { 1105 rpc_gss_log_status("gss_get_mic", client->cl_mech, maj_stat, min_stat); 1106 client->cl_state = CLIENT_STALE; 1107 return (FALSE); 1108 } 1109 1110 KASSERT(mic.length <= MAX_AUTH_BYTES, 1111 ("MIC too large for RPCSEC_GSS")); 1112 1113 rqst->rq_verf.oa_flavor = RPCSEC_GSS; 1114 rqst->rq_verf.oa_length = mic.length; 1115 bcopy(mic.value, rqst->rq_verf.oa_base, mic.length); 1116 1117 gss_release_buffer(&min_stat, &mic); 1118 1119 return (TRUE); 1120 } 1121 1122 static bool_t 1123 svc_rpc_gss_callback(struct svc_rpc_gss_client *client, struct svc_req *rqst) 1124 { 1125 struct svc_rpc_gss_callback *scb; 1126 rpc_gss_lock_t lock; 1127 void *cookie; 1128 bool_t cb_res; 1129 bool_t result; 1130 1131 /* 1132 * See if we have a callback for this guy. 1133 */ 1134 result = TRUE; 1135 SLIST_FOREACH(scb, &svc_rpc_gss_callbacks, cb_link) { 1136 if (scb->cb_callback.program == rqst->rq_prog 1137 && scb->cb_callback.version == rqst->rq_vers) { 1138 /* 1139 * This one matches. Call the callback and see 1140 * if it wants to veto or something. 
1141 */ 1142 lock.locked = FALSE; 1143 lock.raw_cred = &client->cl_rawcred; 1144 cb_res = scb->cb_callback.callback(rqst, 1145 client->cl_creds, 1146 client->cl_ctx, 1147 &lock, 1148 &cookie); 1149 1150 if (!cb_res) { 1151 client->cl_state = CLIENT_STALE; 1152 result = FALSE; 1153 break; 1154 } 1155 1156 /* 1157 * The callback accepted the connection - it 1158 * is responsible for freeing client->cl_creds 1159 * now. 1160 */ 1161 client->cl_creds = GSS_C_NO_CREDENTIAL; 1162 client->cl_locked = lock.locked; 1163 client->cl_cookie = cookie; 1164 return (TRUE); 1165 } 1166 } 1167 1168 /* 1169 * Either no callback exists for this program/version or one 1170 * of the callbacks rejected the connection. We just need to 1171 * clean up the delegated client creds, if any. 1172 */ 1173 if (client->cl_creds) { 1174 OM_uint32 min_ver; 1175 gss_release_cred(&min_ver, &client->cl_creds); 1176 } 1177 return (result); 1178 } 1179 1180 static bool_t 1181 svc_rpc_gss_check_replay(struct svc_rpc_gss_client *client, uint32_t seq) 1182 { 1183 uint32_t offset; 1184 int word, bit; 1185 bool_t result; 1186 1187 sx_xlock(&client->cl_lock); 1188 if (seq <= client->cl_seqlast) { 1189 /* 1190 * The request sequence number is less than 1191 * the largest we have seen so far. If it is 1192 * outside the window or if we have seen a 1193 * request with this sequence before, silently 1194 * discard it. 
1195 */ 1196 offset = client->cl_seqlast - seq; 1197 if (offset >= SVC_RPC_GSS_SEQWINDOW) { 1198 result = FALSE; 1199 goto out; 1200 } 1201 word = offset / 32; 1202 bit = offset % 32; 1203 if (client->cl_seqmask[word] & (1 << bit)) { 1204 result = FALSE; 1205 goto out; 1206 } 1207 } 1208 1209 result = TRUE; 1210 out: 1211 sx_xunlock(&client->cl_lock); 1212 return (result); 1213 } 1214 1215 static void 1216 svc_rpc_gss_update_seq(struct svc_rpc_gss_client *client, uint32_t seq) 1217 { 1218 int offset, i, word, bit; 1219 uint32_t carry, newcarry; 1220 1221 sx_xlock(&client->cl_lock); 1222 if (seq > client->cl_seqlast) { 1223 /* 1224 * This request has a sequence number greater 1225 * than any we have seen so far. Advance the 1226 * seq window and set bit zero of the window 1227 * (which corresponds to the new sequence 1228 * number) 1229 */ 1230 offset = seq - client->cl_seqlast; 1231 while (offset > 32) { 1232 for (i = (SVC_RPC_GSS_SEQWINDOW / 32) - 1; 1233 i > 0; i--) { 1234 client->cl_seqmask[i] = client->cl_seqmask[i-1]; 1235 } 1236 client->cl_seqmask[0] = 0; 1237 offset -= 32; 1238 } 1239 carry = 0; 1240 for (i = 0; i < SVC_RPC_GSS_SEQWINDOW / 32; i++) { 1241 newcarry = client->cl_seqmask[i] >> (32 - offset); 1242 client->cl_seqmask[i] = 1243 (client->cl_seqmask[i] << offset) | carry; 1244 carry = newcarry; 1245 } 1246 client->cl_seqmask[0] |= 1; 1247 client->cl_seqlast = seq; 1248 } else { 1249 offset = client->cl_seqlast - seq; 1250 word = offset / 32; 1251 bit = offset % 32; 1252 client->cl_seqmask[word] |= (1 << bit); 1253 } 1254 sx_xunlock(&client->cl_lock); 1255 } 1256 1257 enum auth_stat 1258 svc_rpc_gss(struct svc_req *rqst, struct rpc_msg *msg) 1259 1260 { 1261 OM_uint32 min_stat; 1262 XDR xdrs; 1263 struct svc_rpc_gss_cookedcred *cc; 1264 struct svc_rpc_gss_client *client; 1265 struct rpc_gss_cred gc; 1266 struct rpc_gss_init_res gr; 1267 gss_qop_t qop; 1268 int call_stat; 1269 enum auth_stat result; 1270 1271 rpc_gss_log_debug("in svc_rpc_gss()"); 
1272 1273 /* Garbage collect old clients. */ 1274 svc_rpc_gss_timeout_clients(); 1275 1276 /* Initialize reply. */ 1277 rqst->rq_verf = _null_auth; 1278 1279 /* Deserialize client credentials. */ 1280 if (rqst->rq_cred.oa_length <= 0) 1281 return (AUTH_BADCRED); 1282 1283 memset(&gc, 0, sizeof(gc)); 1284 1285 xdrmem_create(&xdrs, rqst->rq_cred.oa_base, 1286 rqst->rq_cred.oa_length, XDR_DECODE); 1287 1288 if (!xdr_rpc_gss_cred(&xdrs, &gc)) { 1289 XDR_DESTROY(&xdrs); 1290 return (AUTH_BADCRED); 1291 } 1292 XDR_DESTROY(&xdrs); 1293 1294 client = NULL; 1295 1296 /* Check version. */ 1297 if (gc.gc_version != RPCSEC_GSS_VERSION) { 1298 result = AUTH_BADCRED; 1299 goto out; 1300 } 1301 1302 /* Check the proc and find the client (or create it) */ 1303 if (gc.gc_proc == RPCSEC_GSS_INIT) { 1304 if (gc.gc_handle.length != 0) { 1305 result = AUTH_BADCRED; 1306 goto out; 1307 } 1308 client = svc_rpc_gss_create_client(); 1309 } else { 1310 struct svc_rpc_gss_clientid *p; 1311 if (gc.gc_handle.length != sizeof(*p)) { 1312 result = AUTH_BADCRED; 1313 goto out; 1314 } 1315 p = gc.gc_handle.value; 1316 client = svc_rpc_gss_find_client(p); 1317 if (!client) { 1318 /* 1319 * Can't find the client - we may have 1320 * destroyed it - tell the other side to 1321 * re-authenticate. 1322 */ 1323 result = RPCSEC_GSS_CREDPROBLEM; 1324 goto out; 1325 } 1326 } 1327 cc = rqst->rq_clntcred; 1328 cc->cc_client = client; 1329 cc->cc_service = gc.gc_svc; 1330 cc->cc_seq = gc.gc_seq; 1331 1332 /* 1333 * The service and sequence number must be ignored for 1334 * RPCSEC_GSS_INIT and RPCSEC_GSS_CONTINUE_INIT. 1335 */ 1336 if (gc.gc_proc != RPCSEC_GSS_INIT 1337 && gc.gc_proc != RPCSEC_GSS_CONTINUE_INIT) { 1338 /* 1339 * Check for sequence number overflow. 1340 */ 1341 if (gc.gc_seq >= MAXSEQ) { 1342 result = RPCSEC_GSS_CTXPROBLEM; 1343 goto out; 1344 } 1345 1346 /* 1347 * Check for valid service. 
1348 */ 1349 if (gc.gc_svc != rpc_gss_svc_none && 1350 gc.gc_svc != rpc_gss_svc_integrity && 1351 gc.gc_svc != rpc_gss_svc_privacy) { 1352 result = AUTH_BADCRED; 1353 goto out; 1354 } 1355 } 1356 1357 /* Handle RPCSEC_GSS control procedure. */ 1358 switch (gc.gc_proc) { 1359 1360 case RPCSEC_GSS_INIT: 1361 case RPCSEC_GSS_CONTINUE_INIT: 1362 if (rqst->rq_proc != NULLPROC) { 1363 result = AUTH_REJECTEDCRED; 1364 break; 1365 } 1366 1367 memset(&gr, 0, sizeof(gr)); 1368 if (!svc_rpc_gss_accept_sec_context(client, rqst, &gr, &gc)) { 1369 result = AUTH_REJECTEDCRED; 1370 break; 1371 } 1372 1373 if (gr.gr_major == GSS_S_COMPLETE) { 1374 /* 1375 * We borrow the space for the call verf to 1376 * pack our reply verf. 1377 */ 1378 rqst->rq_verf = msg->rm_call.cb_verf; 1379 if (!svc_rpc_gss_nextverf(client, rqst, gr.gr_win)) { 1380 result = AUTH_REJECTEDCRED; 1381 break; 1382 } 1383 } else { 1384 rqst->rq_verf = _null_auth; 1385 } 1386 1387 call_stat = svc_sendreply(rqst, 1388 (xdrproc_t) xdr_rpc_gss_init_res, 1389 (caddr_t) &gr); 1390 1391 gss_release_buffer(&min_stat, &gr.gr_token); 1392 1393 if (!call_stat) { 1394 result = AUTH_FAILED; 1395 break; 1396 } 1397 1398 if (gr.gr_major == GSS_S_COMPLETE) 1399 client->cl_state = CLIENT_ESTABLISHED; 1400 1401 result = RPCSEC_GSS_NODISPATCH; 1402 break; 1403 1404 case RPCSEC_GSS_DATA: 1405 case RPCSEC_GSS_DESTROY: 1406 if (!svc_rpc_gss_check_replay(client, gc.gc_seq)) { 1407 result = RPCSEC_GSS_NODISPATCH; 1408 break; 1409 } 1410 1411 if (!svc_rpc_gss_validate(client, msg, &qop, gc.gc_proc)) { 1412 result = RPCSEC_GSS_CREDPROBLEM; 1413 break; 1414 } 1415 1416 /* 1417 * We borrow the space for the call verf to pack our 1418 * reply verf. 
1419 */ 1420 rqst->rq_verf = msg->rm_call.cb_verf; 1421 if (!svc_rpc_gss_nextverf(client, rqst, gc.gc_seq)) { 1422 result = RPCSEC_GSS_CTXPROBLEM; 1423 break; 1424 } 1425 1426 svc_rpc_gss_update_seq(client, gc.gc_seq); 1427 1428 /* 1429 * Change the SVCAUTH ops on the request to point at 1430 * our own code so that we can unwrap the arguments 1431 * and wrap the result. The caller will re-set this on 1432 * every request to point to a set of null wrap/unwrap 1433 * methods. Acquire an extra reference to the client 1434 * which will be released by svc_rpc_gss_release() 1435 * after the request has finished processing. 1436 */ 1437 refcount_acquire(&client->cl_refs); 1438 rqst->rq_auth.svc_ah_ops = &svc_auth_gss_ops; 1439 rqst->rq_auth.svc_ah_private = cc; 1440 1441 if (gc.gc_proc == RPCSEC_GSS_DATA) { 1442 /* 1443 * We might be ready to do a callback to the server to 1444 * see if it wants to accept/reject the connection. 1445 */ 1446 sx_xlock(&client->cl_lock); 1447 if (!client->cl_done_callback) { 1448 client->cl_done_callback = TRUE; 1449 client->cl_qop = qop; 1450 client->cl_rawcred.qop = _rpc_gss_num_to_qop( 1451 client->cl_rawcred.mechanism, qop); 1452 if (!svc_rpc_gss_callback(client, rqst)) { 1453 result = AUTH_REJECTEDCRED; 1454 sx_xunlock(&client->cl_lock); 1455 break; 1456 } 1457 } 1458 sx_xunlock(&client->cl_lock); 1459 1460 /* 1461 * If the server has locked this client to a 1462 * particular service+qop pair, enforce that 1463 * restriction now. 1464 */ 1465 if (client->cl_locked) { 1466 if (client->cl_rawcred.service != gc.gc_svc) { 1467 result = AUTH_FAILED; 1468 break; 1469 } else if (client->cl_qop != qop) { 1470 result = AUTH_BADVERF; 1471 break; 1472 } 1473 } 1474 1475 /* 1476 * If the qop changed, look up the new qop 1477 * name for rawcred. 
1478 */ 1479 if (client->cl_qop != qop) { 1480 client->cl_qop = qop; 1481 client->cl_rawcred.qop = _rpc_gss_num_to_qop( 1482 client->cl_rawcred.mechanism, qop); 1483 } 1484 1485 /* 1486 * Make sure we use the right service value 1487 * for unwrap/wrap. 1488 */ 1489 if (client->cl_rawcred.service != gc.gc_svc) { 1490 client->cl_rawcred.service = gc.gc_svc; 1491 svc_rpc_gss_set_flavor(client); 1492 } 1493 1494 result = AUTH_OK; 1495 } else { 1496 if (rqst->rq_proc != NULLPROC) { 1497 result = AUTH_REJECTEDCRED; 1498 break; 1499 } 1500 1501 call_stat = svc_sendreply(rqst, 1502 (xdrproc_t) xdr_void, (caddr_t) NULL); 1503 1504 if (!call_stat) { 1505 result = AUTH_FAILED; 1506 break; 1507 } 1508 1509 svc_rpc_gss_forget_client(client); 1510 1511 result = RPCSEC_GSS_NODISPATCH; 1512 break; 1513 } 1514 break; 1515 1516 default: 1517 result = AUTH_BADCRED; 1518 break; 1519 } 1520 out: 1521 if (client) 1522 svc_rpc_gss_release_client(client); 1523 1524 xdr_free((xdrproc_t) xdr_rpc_gss_cred, (char *) &gc); 1525 return (result); 1526 } 1527 1528 static bool_t 1529 svc_rpc_gss_wrap(SVCAUTH *auth, struct mbuf **mp) 1530 { 1531 struct svc_rpc_gss_cookedcred *cc; 1532 struct svc_rpc_gss_client *client; 1533 1534 rpc_gss_log_debug("in svc_rpc_gss_wrap()"); 1535 1536 cc = (struct svc_rpc_gss_cookedcred *) auth->svc_ah_private; 1537 client = cc->cc_client; 1538 if (client->cl_state != CLIENT_ESTABLISHED 1539 || cc->cc_service == rpc_gss_svc_none || *mp == NULL) { 1540 return (TRUE); 1541 } 1542 1543 return (xdr_rpc_gss_wrap_data(mp, 1544 client->cl_ctx, client->cl_qop, 1545 cc->cc_service, cc->cc_seq)); 1546 } 1547 1548 static bool_t 1549 svc_rpc_gss_unwrap(SVCAUTH *auth, struct mbuf **mp) 1550 { 1551 struct svc_rpc_gss_cookedcred *cc; 1552 struct svc_rpc_gss_client *client; 1553 1554 rpc_gss_log_debug("in svc_rpc_gss_unwrap()"); 1555 1556 cc = (struct svc_rpc_gss_cookedcred *) auth->svc_ah_private; 1557 client = cc->cc_client; 1558 if (client->cl_state != CLIENT_ESTABLISHED 1559 || 
cc->cc_service == rpc_gss_svc_none) { 1560 return (TRUE); 1561 } 1562 1563 return (xdr_rpc_gss_unwrap_data(mp, 1564 client->cl_ctx, client->cl_qop, 1565 cc->cc_service, cc->cc_seq)); 1566 } 1567 1568 static void 1569 svc_rpc_gss_release(SVCAUTH *auth) 1570 { 1571 struct svc_rpc_gss_cookedcred *cc; 1572 struct svc_rpc_gss_client *client; 1573 1574 rpc_gss_log_debug("in svc_rpc_gss_release()"); 1575 1576 cc = (struct svc_rpc_gss_cookedcred *) auth->svc_ah_private; 1577 client = cc->cc_client; 1578 svc_rpc_gss_release_client(client); 1579 } 1580