1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright 2012 Milan Jurik. All rights reserved.
25 */
26
27 /*
28 * GSSAPI library stub module for gssd.
29 */
30
31 #include <mechglueP.h>
32 #include "gssd_prot.h"
33 #include <rpc/rpc.h>
34
35 #include <sys/systm.h>
36 #include <sys/types.h>
37 #include <sys/cmn_err.h>
38 #include <sys/kmem.h>
39 #include <gssapi/kgssapi_defs.h>
40 #include <sys/debug.h>
41
42 #ifdef GSSDEBUG
43 /*
44 * Kernel kgssd module debugging aid. The global variable "gss_log"
45 * is a bit mask which allows various types of debugging messages
46 * to be printed out.
47 *
48 * gss_log & 1 will cause actual failures to be printed.
49 * gss_log & 2 will cause informational messages to be
50 * printed on the client side of kgssd.
51 * gss_log & 4 will cause informational messages to be
52 * printed on the server side of kgssd.
53 * gss_log & 8 will cause informational messages to be
54 * printed on both client and server side of kgssd.
55 */
56
57 uint_t gss_log = 1;
58
59 #endif /* GSSDEBUG */
60
61 #ifdef DEBUG
62 extern void prom_printf(const char *, ...);
63 #endif
64
65 char *server = "localhost";
66
67 static OM_uint32 kgss_sign_wrapped(void *, OM_uint32 *, gss_ctx_id_t, int,
68 gss_buffer_t, gss_buffer_t, OM_uint32);
69
70 static OM_uint32 kgss_verify_wrapped(void *, OM_uint32 *, gss_ctx_id_t,
71 gss_buffer_t, gss_buffer_t, int *qop_state, OM_uint32);
72
73 static OM_uint32 kgss_seal_wrapped(void *, OM_uint32 *, gss_ctx_id_t,
74 int, int, gss_buffer_t, int *, gss_buffer_t, OM_uint32);
75
76 static OM_uint32 kgss_unseal_wrapped(void *, OM_uint32 *, gss_ctx_id_t,
77 gss_buffer_t, gss_buffer_t, int *conf_state, int *qop_state,
78 OM_uint32);
79
80 static OM_uint32 kgss_delete_sec_context_wrapped(void *, OM_uint32 *,
81 gssd_ctx_id_t *, gss_buffer_t, OM_uint32);
82
83 static void __kgss_reset_mech(gss_mechanism *, gss_OID);
84
85 #define DEFAULT_MINOR_STAT ((OM_uint32) ~0)
86
87 OM_uint32
kgss_acquire_cred_wrapped(minor_status,desired_name,time_req,desired_mechs,cred_usage,output_cred_handle,actual_mechs,time_rec,uid,gssd_cred_verifier)88 kgss_acquire_cred_wrapped(minor_status,
89 desired_name,
90 time_req,
91 desired_mechs,
92 cred_usage,
93 output_cred_handle,
94 actual_mechs,
95 time_rec,
96 uid,
97 gssd_cred_verifier)
98 OM_uint32 *minor_status;
99 const gss_name_t desired_name;
100 OM_uint32 time_req;
101 const gss_OID_set desired_mechs;
102 int cred_usage;
103 gssd_cred_id_t *output_cred_handle;
104 gss_OID_set *actual_mechs;
105 OM_uint32 *time_rec;
106 uid_t uid;
107 OM_uint32 *gssd_cred_verifier;
108 {
109 CLIENT *clnt;
110
111 OM_uint32 minor_status_temp;
112 gss_buffer_desc external_name;
113 gss_OID name_type;
114 enum clnt_stat client_stat;
115 int i;
116
117 gss_acquire_cred_arg arg;
118 gss_acquire_cred_res res;
119
120 /* get the client handle to GSSD */
121
122 if ((clnt = getgssd_handle()) == NULL) {
123 GSSLOG(1, "kgss_acquire_cred: can't connect to server on %s\n",
124 server);
125 return (GSS_S_FAILURE);
126 }
127
128 /* convert the desired name from internal to external format */
129
130 if (gss_display_name(&minor_status_temp, desired_name, &external_name,
131 &name_type) != GSS_S_COMPLETE) {
132
133 *minor_status = (OM_uint32) minor_status_temp;
134 killgssd_handle(clnt);
135 GSSLOG0(1, "kgss_acquire_cred: display name failed\n");
136 return ((OM_uint32) GSS_S_FAILURE);
137 }
138
139
140 /* copy the procedure arguments into the rpc arg parameter */
141
142 arg.uid = (OM_uint32) uid;
143
144 arg.desired_name.GSS_BUFFER_T_len = (uint_t)external_name.length;
145 arg.desired_name.GSS_BUFFER_T_val = (char *)external_name.value;
146
147 arg.name_type.GSS_OID_len =
148 name_type == GSS_C_NULL_OID ?
149 0 : (uint_t)name_type->length;
150
151 arg.name_type.GSS_OID_val =
152 name_type == GSS_C_NULL_OID ?
153 (char *)NULL : (char *)name_type->elements;
154
155 arg.time_req = time_req;
156
157 if (desired_mechs != GSS_C_NULL_OID_SET) {
158 arg.desired_mechs.GSS_OID_SET_len =
159 (uint_t)desired_mechs->count;
160 arg.desired_mechs.GSS_OID_SET_val = (GSS_OID *)
161 MALLOC(sizeof (GSS_OID) * desired_mechs->count);
162
163 for (i = 0; i < desired_mechs->count; i++) {
164 arg.desired_mechs.GSS_OID_SET_val[i].GSS_OID_len =
165 (uint_t)desired_mechs->elements[i].length;
166 arg.desired_mechs.GSS_OID_SET_val[i].GSS_OID_val =
167 (char *)MALLOC(desired_mechs->elements[i].length);
168 (void) memcpy(
169 arg.desired_mechs.GSS_OID_SET_val[i].GSS_OID_val,
170 desired_mechs->elements[i].elements,
171 desired_mechs->elements[i].length);
172 }
173 } else
174 arg.desired_mechs.GSS_OID_SET_len = 0;
175
176 arg.cred_usage = cred_usage;
177
178 /* call the remote procedure */
179
180 bzero((caddr_t)&res, sizeof (res));
181 client_stat = gss_acquire_cred_1(&arg, &res, clnt);
182
183 (void) gss_release_buffer(&minor_status_temp, &external_name);
184 if (desired_mechs != GSS_C_NULL_OID_SET) {
185 for (i = 0; i < desired_mechs->count; i++)
186 FREE(arg.desired_mechs.GSS_OID_SET_val[i].GSS_OID_val,
187 arg.desired_mechs.GSS_OID_SET_val[i].GSS_OID_len);
188 FREE(arg.desired_mechs.GSS_OID_SET_val,
189 arg.desired_mechs.GSS_OID_SET_len * sizeof (GSS_OID));
190 }
191
192 if (client_stat != RPC_SUCCESS) {
193
194 /*
195 * if the RPC call times out, null out all return arguments,
196 * set minor_status to its maximum value, and return
197 * GSS_S_FAILURE
198 */
199
200 if (minor_status != NULL)
201 *minor_status = DEFAULT_MINOR_STAT;
202 if (output_cred_handle != NULL)
203 *output_cred_handle = 0;
204 if (actual_mechs != NULL)
205 *actual_mechs = NULL;
206 if (time_rec != NULL)
207 *time_rec = 0;
208
209 killgssd_handle(clnt);
210 GSSLOG0(1, "kgss_acquire_cred: RPC call times out\n");
211 return (GSS_S_FAILURE);
212 }
213
214 /* copy the rpc results into the return arguments */
215
216 if (minor_status != NULL)
217 *minor_status = res.minor_status;
218
219 if (output_cred_handle != NULL &&
220 (res.status == GSS_S_COMPLETE)) {
221 *output_cred_handle =
222 *((gssd_cred_id_t *)res.output_cred_handle.GSS_CRED_ID_T_val);
223 *gssd_cred_verifier = res.gssd_cred_verifier;
224 }
225
226 if (res.status == GSS_S_COMPLETE &&
227 res.actual_mechs.GSS_OID_SET_len != 0 &&
228 actual_mechs != NULL) {
229 *actual_mechs = (gss_OID_set) MALLOC(sizeof (gss_OID_set_desc));
230 (*actual_mechs)->count =
231 (int)res.actual_mechs.GSS_OID_SET_len;
232 (*actual_mechs)->elements = (gss_OID)
233 MALLOC(sizeof (gss_OID_desc) * (*actual_mechs)->count);
234
235 for (i = 0; i < (*actual_mechs)->count; i++) {
236 (*actual_mechs)->elements[i].length = (OM_uint32)
237 res.actual_mechs.GSS_OID_SET_val[i].GSS_OID_len;
238 (*actual_mechs)->elements[i].elements =
239 (void *) MALLOC((*actual_mechs)->elements[i].length);
240 (void) memcpy((*actual_mechs)->elements[i].elements,
241 res.actual_mechs.GSS_OID_SET_val[i].GSS_OID_val,
242 (*actual_mechs)->elements[i].length);
243 }
244 } else {
245 if (res.status == GSS_S_COMPLETE &&
246 actual_mechs != NULL)
247 (*actual_mechs) = NULL;
248 }
249
250 if (time_rec != NULL)
251 *time_rec = res.time_rec;
252
253 /*
254 * free the memory allocated for the results and return with the status
255 * received in the rpc call
256 */
257
258 clnt_freeres(clnt, xdr_gss_acquire_cred_res, (caddr_t)&res);
259 killgssd_handle(clnt);
260 return (res.status);
261
262 }
263
264 OM_uint32
kgss_acquire_cred(minor_status,desired_name,time_req,desired_mechs,cred_usage,output_cred_handle,actual_mechs,time_rec,uid)265 kgss_acquire_cred(minor_status,
266 desired_name,
267 time_req,
268 desired_mechs,
269 cred_usage,
270 output_cred_handle,
271 actual_mechs,
272 time_rec,
273 uid)
274 OM_uint32 *minor_status;
275 const gss_name_t desired_name;
276 OM_uint32 time_req;
277 const gss_OID_set desired_mechs;
278 int cred_usage;
279 gss_cred_id_t *output_cred_handle;
280 gss_OID_set *actual_mechs;
281 OM_uint32 *time_rec;
282 uid_t uid;
283 {
284
285 OM_uint32 err;
286 struct kgss_cred *kcred;
287
288 kcred = KGSS_CRED_ALLOC();
289 *output_cred_handle = (gss_cred_id_t)kcred;
290 err = kgss_acquire_cred_wrapped(minor_status, desired_name, time_req,
291 desired_mechs, cred_usage, &kcred->gssd_cred, actual_mechs,
292 time_rec, uid, &kcred->gssd_cred_verifier);
293 if (GSS_ERROR(err)) {
294 KGSS_CRED_FREE(kcred);
295 *output_cred_handle = GSS_C_NO_CREDENTIAL;
296 }
297 return (err);
298 }
299
300 OM_uint32
kgss_add_cred_wrapped(minor_status,input_cred_handle,gssd_cred_verifier,desired_name,desired_mech_type,cred_usage,initiator_time_req,acceptor_time_req,actual_mechs,initiator_time_rec,acceptor_time_rec,uid)301 kgss_add_cred_wrapped(minor_status,
302 input_cred_handle,
303 gssd_cred_verifier,
304 desired_name,
305 desired_mech_type,
306 cred_usage,
307 initiator_time_req,
308 acceptor_time_req,
309 actual_mechs,
310 initiator_time_rec,
311 acceptor_time_rec,
312 uid)
313 OM_uint32 *minor_status;
314 gssd_cred_id_t input_cred_handle;
315 OM_uint32 gssd_cred_verifier;
316 gss_name_t desired_name;
317 gss_OID desired_mech_type;
318 int cred_usage;
319 int initiator_time_req;
320 int acceptor_time_req;
321 gss_OID_set *actual_mechs;
322 OM_uint32 *initiator_time_rec;
323 OM_uint32 *acceptor_time_rec;
324 uid_t uid;
325 {
326 CLIENT *clnt;
327
328 OM_uint32 minor_status_temp;
329 gss_buffer_desc external_name;
330 gss_OID name_type;
331 int i;
332
333 gss_add_cred_arg arg;
334 gss_add_cred_res res;
335
336
337 /*
338 * NULL the params here once
339 * If there are errors then we won't
340 * have to do it for every error
341 * case
342 */
343
344 if (minor_status != NULL)
345 *minor_status = DEFAULT_MINOR_STAT;
346 if (actual_mechs != NULL)
347 *actual_mechs = NULL;
348 if (initiator_time_rec != NULL)
349 *initiator_time_rec = 0;
350 if (acceptor_time_rec != NULL)
351 *acceptor_time_rec = 0;
352 /* get the client handle to GSSD */
353
354 if ((clnt = getgssd_handle()) == NULL) {
355 GSSLOG(1, "kgss_add_cred: can't connect to server on %s\n",
356 server);
357 return (GSS_S_FAILURE);
358 }
359
360
361 /* convert the desired name from internal to external format */
362
363 if (gss_display_name(&minor_status_temp, desired_name, &external_name,
364 &name_type) != GSS_S_COMPLETE) {
365
366 *minor_status = (OM_uint32) minor_status_temp;
367 killgssd_handle(clnt);
368 GSSLOG0(1, "kgss_acquire_cred: display name failed\n");
369 return ((OM_uint32) GSS_S_FAILURE);
370 }
371
372
373 /* copy the procedure arguments into the rpc arg parameter */
374
375 arg.uid = (OM_uint32)uid;
376 arg.input_cred_handle.GSS_CRED_ID_T_len =
377 input_cred_handle == GSSD_NO_CREDENTIAL ?
378 0 : (uint_t)sizeof (gssd_cred_id_t);
379 arg.input_cred_handle.GSS_CRED_ID_T_val = (char *)&input_cred_handle;
380 arg.gssd_cred_verifier = gssd_cred_verifier;
381 arg.desired_name.GSS_BUFFER_T_len = (uint_t)external_name.length;
382 arg.desired_name.GSS_BUFFER_T_val = (char *)external_name.value;
383 arg.name_type.GSS_OID_len =
384 name_type == GSS_C_NULL_OID ?
385 0 : (uint_t)name_type->length;
386 arg.name_type.GSS_OID_val =
387 name_type == GSS_C_NULL_OID ?
388 (char *)NULL : (char *)name_type->elements;
389
390 arg.desired_mech_type.GSS_OID_len =
391 (uint_t)(desired_mech_type != GSS_C_NULL_OID ?
392 desired_mech_type->length : 0);
393 arg.desired_mech_type.GSS_OID_val =
394 (char *)(desired_mech_type != GSS_C_NULL_OID ?
395 desired_mech_type->elements : 0);
396 arg.cred_usage = cred_usage;
397 arg.initiator_time_req = initiator_time_req;
398 arg.acceptor_time_req = acceptor_time_req;
399
400 /* call the remote procedure */
401
402 bzero((caddr_t)&res, sizeof (res));
403 if (gss_add_cred_1(&arg, &res, clnt) != RPC_SUCCESS) {
404
405 /*
406 * if the RPC call times out, null out all return arguments,
407 * set minor_status to its maximum value, and return
408 * GSS_S_FAILURE
409 */
410
411 killgssd_handle(clnt);
412 (void) gss_release_buffer(&minor_status_temp, &external_name);
413 GSSLOG0(1, "kgss_add_cred: RPC call times out\n");
414 return (GSS_S_FAILURE);
415 }
416
417 /* free the allocated memory for the flattened name */
418
419 (void) gss_release_buffer(&minor_status_temp, &external_name);
420
421 /* copy the rpc results into the return arguments */
422
423 if (minor_status != NULL)
424 *minor_status = res.minor_status;
425
426 if (res.status == GSS_S_COMPLETE &&
427 res.actual_mechs.GSS_OID_SET_len != 0 &&
428 actual_mechs != NULL) {
429 *actual_mechs = (gss_OID_set) MALLOC(sizeof (gss_OID_set_desc));
430 (*actual_mechs)->count =
431 (int)res.actual_mechs.GSS_OID_SET_len;
432 (*actual_mechs)->elements = (gss_OID)
433 MALLOC(sizeof (gss_OID_desc) * (*actual_mechs)->count);
434
435 for (i = 0; i < (*actual_mechs)->count; i++) {
436 (*actual_mechs)->elements[i].length = (OM_uint32)
437 res.actual_mechs.GSS_OID_SET_val[i].GSS_OID_len;
438 (*actual_mechs)->elements[i].elements =
439 (void *) MALLOC((*actual_mechs)->elements[i].length);
440 (void) memcpy((*actual_mechs)->elements[i].elements,
441 res.actual_mechs.GSS_OID_SET_val[i].GSS_OID_val,
442 (*actual_mechs)->elements[i].length);
443 }
444 } else {
445 if (res.status == GSS_S_COMPLETE && actual_mechs != NULL)
446 (*actual_mechs) = NULL;
447 }
448 if (initiator_time_rec != NULL)
449 *initiator_time_rec = res.acceptor_time_rec;
450 if (acceptor_time_rec != NULL)
451 *acceptor_time_rec = res.acceptor_time_rec;
452
453 /*
454 * free the memory allocated for the results and return with the status
455 * received in the rpc call
456 */
457
458 clnt_freeres(clnt, xdr_gss_add_cred_res, (caddr_t)&res);
459 killgssd_handle(clnt);
460 return (res.status);
461
462 }
463
464 OM_uint32
kgss_add_cred(minor_status,input_cred_handle,desired_name,desired_mech_type,cred_usage,initiator_time_req,acceptor_time_req,actual_mechs,initiator_time_rec,acceptor_time_rec,uid)465 kgss_add_cred(minor_status,
466 input_cred_handle,
467 desired_name,
468 desired_mech_type,
469 cred_usage,
470 initiator_time_req,
471 acceptor_time_req,
472 actual_mechs,
473 initiator_time_rec,
474 acceptor_time_rec,
475 uid)
476 OM_uint32 *minor_status;
477 gss_cred_id_t input_cred_handle;
478 gss_name_t desired_name;
479 gss_OID desired_mech_type;
480 int cred_usage;
481 int initiator_time_req;
482 int acceptor_time_req;
483 gss_OID_set *actual_mechs;
484 OM_uint32 *initiator_time_rec;
485 OM_uint32 *acceptor_time_rec;
486 uid_t uid;
487 {
488
489 OM_uint32 err;
490 OM_uint32 gssd_cred_verifier;
491 gssd_cred_id_t gssd_input_cred_handle;
492
493 if (input_cred_handle != GSS_C_NO_CREDENTIAL) {
494 gssd_cred_verifier = KCRED_TO_CREDV(input_cred_handle);
495 gssd_input_cred_handle = KCRED_TO_CRED(input_cred_handle);
496 } else {
497 gssd_input_cred_handle = GSSD_NO_CREDENTIAL;
498 }
499
500 err = kgss_add_cred_wrapped(minor_status, gssd_input_cred_handle,
501 gssd_cred_verifier, desired_name, desired_mech_type,
502 cred_usage, initiator_time_req, acceptor_time_req,
503 actual_mechs, initiator_time_rec,
504 acceptor_time_rec, uid);
505 return (err);
506 }
507
508
509 OM_uint32
kgss_release_cred_wrapped(minor_status,cred_handle,uid,gssd_cred_verifier)510 kgss_release_cred_wrapped(minor_status,
511 cred_handle,
512 uid,
513 gssd_cred_verifier)
514 OM_uint32 *minor_status;
515 gssd_cred_id_t *cred_handle;
516 uid_t uid;
517 OM_uint32 gssd_cred_verifier;
518 {
519 CLIENT *clnt;
520
521 gss_release_cred_arg arg;
522 gss_release_cred_res res;
523
524
525 /* get the client handle to GSSD */
526
527 if ((clnt = getgssd_handle()) == NULL) {
528 GSSLOG(1, "kgss_release_cred: can't connect to server on %s\n",
529 server);
530 return (GSS_S_FAILURE);
531 }
532
533 /* copy the procedure arguments into the rpc arg parameter */
534
535 arg.uid = (OM_uint32)uid;
536 arg.gssd_cred_verifier = gssd_cred_verifier;
537
538 if (cred_handle != NULL) {
539 arg.cred_handle.GSS_CRED_ID_T_len =
540 (uint_t)sizeof (gssd_cred_id_t);
541 arg.cred_handle.GSS_CRED_ID_T_val = (char *)cred_handle;
542 } else
543 arg.cred_handle.GSS_CRED_ID_T_len = 0;
544
545 /* call the remote procedure */
546
547 bzero((caddr_t)&res, sizeof (res));
548 if (gss_release_cred_1(&arg, &res, clnt) != RPC_SUCCESS) {
549
550 /*
551 * if the RPC call times out, null out all return arguments, set
552 * minor_status to its maximum value, and return GSS_S_FAILURE
553 */
554
555 if (minor_status != NULL)
556 *minor_status = DEFAULT_MINOR_STAT;
557 if (cred_handle != NULL)
558 *cred_handle = 0;
559
560 killgssd_handle(clnt);
561 GSSLOG0(1, "kgss_release_cred: RPC call times out\n");
562 return (GSS_S_FAILURE);
563 }
564
565 /* if the release succeeded, null out the cred_handle */
566
567 if (res.status == GSS_S_COMPLETE && cred_handle != NULL)
568 *cred_handle = 0;
569
570 /* copy the rpc results into the return arguments */
571
572 if (minor_status != NULL)
573 *minor_status = res.minor_status;
574
575 /* return with status returned in rpc call */
576
577 killgssd_handle(clnt);
578
579 return (res.status);
580
581 }
582
583 OM_uint32
kgss_release_cred(minor_status,cred_handle,uid)584 kgss_release_cred(minor_status,
585 cred_handle,
586 uid)
587 OM_uint32 *minor_status;
588 gss_cred_id_t *cred_handle;
589 uid_t uid;
590
591 {
592
593 OM_uint32 err;
594 struct kgss_cred *kcred;
595
596 if (*cred_handle == GSS_C_NO_CREDENTIAL)
597 return (GSS_S_COMPLETE);
598 else
599 kcred = KCRED_TO_KGSS_CRED(*cred_handle);
600
601 err = kgss_release_cred_wrapped(minor_status, &kcred->gssd_cred,
602 uid, kcred->gssd_cred_verifier);
603 KGSS_CRED_FREE(kcred);
604 *cred_handle = GSS_C_NO_CREDENTIAL;
605 return (err);
606 }
607
608 static OM_uint32
kgss_init_sec_context_wrapped(OM_uint32 * minor_status,const gssd_cred_id_t claimant_cred_handle,OM_uint32 gssd_cred_verifier,gssd_ctx_id_t * context_handle,OM_uint32 * gssd_context_verifier,const gss_name_t target_name,const gss_OID mech_type,int req_flags,OM_uint32 time_req,const gss_channel_bindings_t input_chan_bindings,const gss_buffer_t input_token,gss_OID * actual_mech_type,gss_buffer_t output_token,int * ret_flags,OM_uint32 * time_rec,uid_t uid)609 kgss_init_sec_context_wrapped(
610 OM_uint32 *minor_status,
611 const gssd_cred_id_t claimant_cred_handle,
612 OM_uint32 gssd_cred_verifier,
613 gssd_ctx_id_t *context_handle,
614 OM_uint32 *gssd_context_verifier,
615 const gss_name_t target_name,
616 const gss_OID mech_type,
617 int req_flags,
618 OM_uint32 time_req,
619 const gss_channel_bindings_t input_chan_bindings,
620 const gss_buffer_t input_token,
621 gss_OID *actual_mech_type,
622 gss_buffer_t output_token,
623 int *ret_flags,
624 OM_uint32 *time_rec,
625 uid_t uid)
626 {
627 CLIENT *clnt;
628
629 OM_uint32 minor_status_temp;
630 gss_buffer_desc external_name;
631 gss_OID name_type;
632
633 gss_init_sec_context_arg arg;
634 gss_init_sec_context_res res;
635
636 /* get the client handle to GSSD */
637
638 if ((clnt = getgssd_handle()) == NULL) {
639 GSSLOG(1,
640 "kgss_init_sec_context: can't connect to server on %s\n",
641 server);
642 return (GSS_S_FAILURE);
643 }
644
645 /* convert the target name from internal to external format */
646
647 if (gss_display_name(&minor_status_temp, target_name,
648 &external_name, &name_type) != GSS_S_COMPLETE) {
649
650 *minor_status = (OM_uint32) minor_status_temp;
651 killgssd_handle(clnt);
652 GSSLOG0(1, "kgss_init_sec_context: can't display name\n");
653 return ((OM_uint32) GSS_S_FAILURE);
654 }
655
656
657 /* copy the procedure arguments into the rpc arg parameter */
658
659 arg.uid = (OM_uint32)uid;
660
661 arg.context_handle.GSS_CTX_ID_T_len =
662 *context_handle == GSSD_NO_CONTEXT ?
663 0 : (uint_t)sizeof (gssd_ctx_id_t);
664 arg.context_handle.GSS_CTX_ID_T_val = (char *)context_handle;
665
666 arg.gssd_context_verifier = *gssd_context_verifier;
667
668 arg.claimant_cred_handle.GSS_CRED_ID_T_len =
669 claimant_cred_handle == GSSD_NO_CREDENTIAL ?
670 0 : (uint_t)sizeof (gssd_cred_id_t);
671 arg.claimant_cred_handle.GSS_CRED_ID_T_val =
672 (char *)&claimant_cred_handle;
673 arg.gssd_cred_verifier = gssd_cred_verifier;
674
675 arg.target_name.GSS_BUFFER_T_len = (uint_t)external_name.length;
676 arg.target_name.GSS_BUFFER_T_val = (char *)external_name.value;
677
678 arg.name_type.GSS_OID_len =
679 name_type == GSS_C_NULL_OID ? 0 : (uint_t)name_type->length;
680
681 arg.name_type.GSS_OID_val =
682 name_type == GSS_C_NULL_OID ?
683 (char *)NULL : (char *)name_type->elements;
684
685 arg.mech_type.GSS_OID_len = (uint_t)(mech_type != GSS_C_NULL_OID ?
686 mech_type->length : 0);
687 arg.mech_type.GSS_OID_val = (char *)(mech_type != GSS_C_NULL_OID ?
688 mech_type->elements : 0);
689
690 arg.req_flags = req_flags;
691
692 arg.time_req = time_req;
693
694 if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
695 arg.input_chan_bindings.present = YES;
696 arg.input_chan_bindings.initiator_addrtype =
697 input_chan_bindings->initiator_addrtype;
698 arg.input_chan_bindings.initiator_address.GSS_BUFFER_T_len =
699 (uint_t)input_chan_bindings->initiator_address.length;
700 arg.input_chan_bindings.initiator_address.GSS_BUFFER_T_val =
701 (void *)input_chan_bindings->initiator_address.value;
702 arg.input_chan_bindings.acceptor_addrtype =
703 input_chan_bindings->acceptor_addrtype;
704 arg.input_chan_bindings.acceptor_address.GSS_BUFFER_T_len =
705 (uint_t)input_chan_bindings->acceptor_address.length;
706 arg.input_chan_bindings.acceptor_address.GSS_BUFFER_T_val =
707 (void *)input_chan_bindings->acceptor_address.value;
708 arg.input_chan_bindings.application_data.GSS_BUFFER_T_len =
709 (uint_t)input_chan_bindings->application_data.length;
710 arg.input_chan_bindings.application_data.GSS_BUFFER_T_val =
711 (void *)input_chan_bindings->application_data.value;
712 } else {
713 arg.input_chan_bindings.present = NO;
714 arg.input_chan_bindings.initiator_addrtype = 0;
715 arg.input_chan_bindings.initiator_address.GSS_BUFFER_T_len = 0;
716 arg.input_chan_bindings.initiator_address.GSS_BUFFER_T_val = 0;
717 arg.input_chan_bindings.acceptor_addrtype = 0;
718 arg.input_chan_bindings.acceptor_address.GSS_BUFFER_T_len = 0;
719 arg.input_chan_bindings.acceptor_address.GSS_BUFFER_T_val = 0;
720 arg.input_chan_bindings.application_data.GSS_BUFFER_T_len = 0;
721 arg.input_chan_bindings.application_data.GSS_BUFFER_T_val = 0;
722 }
723
724 arg.input_token.GSS_BUFFER_T_len =
725 (uint_t)(input_token != GSS_C_NO_BUFFER ? input_token->length : 0);
726 arg.input_token.GSS_BUFFER_T_val =
727 (char *)(input_token != GSS_C_NO_BUFFER ? input_token->value : 0);
728
729 /* call the remote procedure */
730
731 bzero((caddr_t)&res, sizeof (res));
732 if (gss_init_sec_context_1(&arg, &res, clnt) != RPC_SUCCESS) {
733
734 /*
735 * if the RPC call times out, null out all return arguments, set
736 * minor_status to its maximum value, and return GSS_S_FAILURE
737 */
738
739 if (minor_status != NULL)
740 *minor_status = DEFAULT_MINOR_STAT;
741 if (actual_mech_type != NULL)
742 *actual_mech_type = NULL;
743 if (output_token != NULL)
744 output_token->length = 0;
745 if (ret_flags != NULL)
746 *ret_flags = 0;
747 if (time_rec != NULL)
748 *time_rec = 0;
749
750 killgssd_handle(clnt);
751 (void) gss_release_buffer(&minor_status_temp, &external_name);
752 GSSLOG0(1, "kgss_init_sec_context: RPC call times out\n");
753 return (GSS_S_FAILURE);
754 }
755
756 /* free the allocated memory for the flattened name */
757
758 (void) gss_release_buffer(&minor_status_temp, &external_name);
759
760 if (minor_status != NULL)
761 *minor_status = res.minor_status;
762
763 if (output_token != NULL && res.output_token.GSS_BUFFER_T_val != NULL) {
764 output_token->length =
765 (size_t)res.output_token.GSS_BUFFER_T_len;
766 output_token->value =
767 (void *)MALLOC(output_token->length);
768 (void) memcpy(output_token->value,
769 res.output_token.GSS_BUFFER_T_val, output_token->length);
770 }
771
772 /* if the call was successful, copy out the results */
773 if (res.status == (OM_uint32) GSS_S_COMPLETE ||
774 res.status == (OM_uint32) GSS_S_CONTINUE_NEEDED) {
775 /*
776 * if the return code is GSS_S_CONTINUE_NEEDED
777 * ignore all return parameters except for
778 * status codes, output token and context handle.
779 */
780 *context_handle =
781 *((gssd_ctx_id_t *)res.context_handle.GSS_CTX_ID_T_val);
782 *gssd_context_verifier = res.gssd_context_verifier;
783
784 if (res.status == GSS_S_COMPLETE) {
785 if (actual_mech_type != NULL) {
786 *actual_mech_type =
787 (gss_OID) MALLOC(sizeof (gss_OID_desc));
788 (*actual_mech_type)->length =
789 (OM_UINT32)res.actual_mech_type.GSS_OID_len;
790 (*actual_mech_type)->elements =
791 (void *)MALLOC((*actual_mech_type)->length);
792 (void) memcpy((*actual_mech_type)->elements,
793 (void *)res.actual_mech_type.GSS_OID_val,
794 (*actual_mech_type)->length);
795 }
796
797
798 if (ret_flags != NULL)
799 *ret_flags = res.ret_flags;
800
801 if (time_rec != NULL)
802 *time_rec = res.time_rec;
803 }
804 }
805
806 /*
807 * free the memory allocated for the results and return with the status
808 * received in the rpc call
809 */
810
811 clnt_freeres(clnt, xdr_gss_init_sec_context_res, (caddr_t)&res);
812 killgssd_handle(clnt);
813 return (res.status);
814
815 }
816
817 static struct gss_config default_gc = {
818 { 0, NULL},
819 NULL,
820 NULL,
821 0,
822 kgss_unseal_wrapped,
823 NULL, /* kgss_delete_sec_context_wrapped */
824 kgss_seal_wrapped,
825 NULL, /* kgss_import_sec_context */
826 kgss_sign_wrapped,
827 kgss_verify_wrapped
828 };
829
830 void
kgss_free_oid(gss_OID oid)831 kgss_free_oid(gss_OID oid)
832 {
833 FREE(oid->elements, oid->length);
834 FREE(oid, sizeof (gss_OID_desc));
835 }
836
837 OM_uint32
kgss_init_sec_context(OM_uint32 * minor_status,const gss_cred_id_t claimant_cred_handle,gss_ctx_id_t * context_handle,const gss_name_t target_name,const gss_OID mech_type,int req_flags,OM_uint32 time_req,const gss_channel_bindings_t input_chan_bindings,const gss_buffer_t input_token,gss_OID * actual_mech_type,gss_buffer_t output_token,int * ret_flags,OM_uint32 * time_rec,uid_t uid)838 kgss_init_sec_context(
839 OM_uint32 *minor_status,
840 const gss_cred_id_t claimant_cred_handle,
841 gss_ctx_id_t *context_handle,
842 const gss_name_t target_name,
843 const gss_OID mech_type,
844 int req_flags,
845 OM_uint32 time_req,
846 const gss_channel_bindings_t input_chan_bindings,
847 const gss_buffer_t input_token,
848 gss_OID *actual_mech_type,
849 gss_buffer_t output_token,
850 int *ret_flags,
851 OM_uint32 *time_rec,
852 uid_t uid)
853 {
854 OM_uint32 err;
855 struct kgss_ctx *kctx;
856 gss_OID amt;
857 gssd_cred_id_t gssd_cl_cred_handle;
858 OM_uint32 gssd_cred_verifier;
859
860 /*
861 * If this is an initial call, we'll need to create the
862 * wrapper struct that contains kernel state information, and
863 * a reference to the handle from gssd.
864 */
865 if (*context_handle == GSS_C_NO_CONTEXT) {
866 kctx = KGSS_ALLOC();
867 /*
868 * The default gss-mechanism struct as pointers to
869 * the sign/seal/verify/unseal routines that make
870 * upcalls to gssd.
871 */
872 kctx->mech = &default_gc;
873 kctx->gssd_ctx = GSSD_NO_CONTEXT;
874 *context_handle = (gss_ctx_id_t)kctx;
875 } else
876 kctx = (struct kgss_ctx *)*context_handle;
877
878 if (claimant_cred_handle != GSS_C_NO_CREDENTIAL) {
879 gssd_cred_verifier = KCRED_TO_CREDV(claimant_cred_handle);
880 gssd_cl_cred_handle = KCRED_TO_CRED(claimant_cred_handle);
881 } else {
882 gssd_cl_cred_handle = GSSD_NO_CREDENTIAL;
883 }
884
885 /*
886 * We need to know the resulting mechanism oid, so allocate
887 * it if the caller won't.
888 */
889 if (actual_mech_type == NULL)
890 actual_mech_type = &amt;
891
892 err = kgss_init_sec_context_wrapped(minor_status, gssd_cl_cred_handle,
893 gssd_cred_verifier, &kctx->gssd_ctx, &kctx->gssd_ctx_verifier,
894 target_name, mech_type, req_flags, time_req,
895 input_chan_bindings, input_token, actual_mech_type,
896 output_token, ret_flags, time_rec, uid);
897
898 if (GSS_ERROR(err)) {
899 KGSS_FREE(kctx);
900 *context_handle = GSS_C_NO_CONTEXT;
901 } else if (err == GSS_S_COMPLETE) {
902 /*
903 * Now check if there is a kernel module for this
904 * mechanism OID. If so, set the gss_mechanism structure
905 * in the wrapper context to point to the kernel mech.
906 */
907 __kgss_reset_mech(&kctx->mech, *actual_mech_type);
908
909 /*
910 * If the mech oid was allocated for us, free it.
911 */
912 if (&amt == actual_mech_type) {
913 kgss_free_oid(amt);
914 }
915 }
916 return (err);
917 }
918
919 static OM_uint32
kgss_accept_sec_context_wrapped(OM_uint32 * minor_status,gssd_ctx_id_t * context_handle,OM_uint32 * gssd_context_verifier,const gssd_cred_id_t verifier_cred_handle,OM_uint32 gssd_cred_verifier,const gss_buffer_t input_token,const gss_channel_bindings_t input_chan_bindings,gss_buffer_t src_name,gss_OID * mech_type,gss_buffer_t output_token,int * ret_flags,OM_uint32 * time_rec,gss_cred_id_t * delegated_cred_handle,uid_t uid)920 kgss_accept_sec_context_wrapped(
921 OM_uint32 *minor_status,
922 gssd_ctx_id_t *context_handle,
923 OM_uint32 *gssd_context_verifier,
924 const gssd_cred_id_t verifier_cred_handle,
925 OM_uint32 gssd_cred_verifier,
926 const gss_buffer_t input_token,
927 const gss_channel_bindings_t input_chan_bindings,
928 gss_buffer_t src_name,
929 gss_OID *mech_type,
930 gss_buffer_t output_token,
931 int *ret_flags,
932 OM_uint32 *time_rec,
933 gss_cred_id_t *delegated_cred_handle,
934 uid_t uid)
935 {
936 CLIENT *clnt;
937
938 gss_accept_sec_context_arg arg;
939 gss_accept_sec_context_res res;
940 struct kgss_cred *kcred;
941
942 /* get the client handle to GSSD */
943
944 if ((clnt = getgssd_handle()) == NULL) {
945 GSSLOG(1,
946 "kgss_accept_sec_context: can't connect to server on %s\n",
947 server);
948 return (GSS_S_FAILURE);
949 }
950
951 /* copy the procedure arguments into the rpc arg parameter */
952
953 arg.uid = (OM_uint32)uid;
954
955 arg.context_handle.GSS_CTX_ID_T_len =
956 *context_handle == GSSD_NO_CONTEXT ?
957 0 : (uint_t)sizeof (gssd_ctx_id_t);
958 arg.context_handle.GSS_CTX_ID_T_val = (char *)context_handle;
959 arg.gssd_context_verifier = *gssd_context_verifier;
960
961 arg.verifier_cred_handle.GSS_CRED_ID_T_len =
962 verifier_cred_handle == GSSD_NO_CREDENTIAL ?
963 0 : (uint_t)sizeof (gssd_cred_id_t);
964 arg.verifier_cred_handle.GSS_CRED_ID_T_val =
965 (char *)&verifier_cred_handle;
966 arg.gssd_cred_verifier = gssd_cred_verifier;
967
968 arg.input_token_buffer.GSS_BUFFER_T_len =
969 (uint_t)(input_token != GSS_C_NO_BUFFER ? input_token->length : 0);
970 arg.input_token_buffer.GSS_BUFFER_T_val =
971 (char *)(input_token != GSS_C_NO_BUFFER ? input_token->value : 0);
972
973 if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
974 arg.input_chan_bindings.present = YES;
975 arg.input_chan_bindings.initiator_addrtype =
976 input_chan_bindings->initiator_addrtype;
977 arg.input_chan_bindings.initiator_address.GSS_BUFFER_T_len =
978 (uint_t)input_chan_bindings->initiator_address.length;
979 arg.input_chan_bindings.initiator_address.GSS_BUFFER_T_val =
980 (void *)input_chan_bindings->initiator_address.value;
981 arg.input_chan_bindings.acceptor_addrtype =
982 input_chan_bindings->acceptor_addrtype;
983 arg.input_chan_bindings.acceptor_address.GSS_BUFFER_T_len =
984 (uint_t)input_chan_bindings->acceptor_address.length;
985 arg.input_chan_bindings.acceptor_address.GSS_BUFFER_T_val =
986 (void *)input_chan_bindings->acceptor_address.value;
987 arg.input_chan_bindings.application_data.GSS_BUFFER_T_len =
988 (uint_t)input_chan_bindings->application_data.length;
989 arg.input_chan_bindings.application_data.GSS_BUFFER_T_val =
990 (void *)input_chan_bindings->application_data.value;
991 } else {
992
993 arg.input_chan_bindings.present = NO;
994 arg.input_chan_bindings.initiator_addrtype = 0;
995 arg.input_chan_bindings.initiator_address.GSS_BUFFER_T_len = 0;
996 arg.input_chan_bindings.initiator_address.GSS_BUFFER_T_val = 0;
997 arg.input_chan_bindings.acceptor_addrtype = 0;
998 arg.input_chan_bindings.acceptor_address.GSS_BUFFER_T_len = 0;
999 arg.input_chan_bindings.acceptor_address.GSS_BUFFER_T_val = 0;
1000 arg.input_chan_bindings.application_data.GSS_BUFFER_T_len = 0;
1001 arg.input_chan_bindings.application_data.GSS_BUFFER_T_val = 0;
1002 }
1003
1004 /* set the return parameters in case of errors.... */
1005 if (minor_status != NULL)
1006 *minor_status = DEFAULT_MINOR_STAT;
1007 if (src_name != NULL) {
1008 src_name->length = 0;
1009 src_name->value = NULL;
1010 }
1011 if (mech_type != NULL)
1012 *mech_type = NULL;
1013 if (output_token != NULL)
1014 output_token->length = 0;
1015 if (ret_flags != NULL)
1016 *ret_flags = 0;
1017 if (time_rec != NULL)
1018 *time_rec = 0;
1019 if (delegated_cred_handle != NULL)
1020 *delegated_cred_handle = NULL;
1021
1022 /* call the remote procedure */
1023
1024 bzero((caddr_t)&res, sizeof (res));
1025 if (gss_accept_sec_context_1(&arg, &res, clnt) != RPC_SUCCESS) {
1026 killgssd_handle(clnt);
1027 GSSLOG0(1, "kgss_accept_sec_context: RPC call times out\n");
1028 return (GSS_S_FAILURE);
1029 }
1030
1031 if (minor_status != NULL)
1032 *minor_status = res.minor_status;
1033
1034 if (output_token != NULL && res.output_token.GSS_BUFFER_T_val != NULL) {
1035 output_token->length = res.output_token.GSS_BUFFER_T_len;
1036 output_token->value = (void *)MALLOC(output_token->length);
1037 (void) memcpy(output_token->value,
1038 res.output_token.GSS_BUFFER_T_val, output_token->length);
1039 }
1040
1041 /* if the call was successful, copy out the results */
1042
1043 if (res.status == (OM_uint32)GSS_S_COMPLETE ||
1044 res.status == (OM_uint32)GSS_S_CONTINUE_NEEDED) {
1045
1046 /*
1047 * the only parameters that are ready when we
1048 * get GSS_S_CONTINUE_NEEDED are: minor, ctxt_handle,
1049 * and the output token to send to the peer.
1050 */
1051
1052 *context_handle = *((gssd_ctx_id_t *)
1053 res.context_handle.GSS_CTX_ID_T_val);
1054 *gssd_context_verifier = res.gssd_context_verifier;
1055
1056 /* these other parameters are only ready upon GSS_S_COMPLETE */
1057 if (res.status == (OM_uint32)GSS_S_COMPLETE) {
1058
1059 if (src_name != NULL) {
1060 src_name->length =
1061 res.src_name.GSS_BUFFER_T_len;
1062 src_name->value = res.src_name.GSS_BUFFER_T_val;
1063 res.src_name.GSS_BUFFER_T_val = NULL;
1064 res.src_name.GSS_BUFFER_T_len = 0;
1065 }
1066
1067 /*
1068 * move mech type returned to mech_type
1069 * for gss_import_name_for_mech()
1070 */
1071 if (mech_type != NULL) {
1072 *mech_type =
1073 (gss_OID)MALLOC(sizeof (gss_OID_desc));
1074 (*mech_type)->length =
1075 (OM_UINT32)res.mech_type.GSS_OID_len;
1076 (*mech_type)->elements =
1077 (void *)MALLOC((*mech_type)->length);
1078 (void) memcpy((*mech_type)->elements,
1079 res.mech_type.GSS_OID_val,
1080 (*mech_type)->length);
1081 }
1082
1083 if (ret_flags != NULL)
1084 *ret_flags = res.ret_flags;
1085
1086 if (time_rec != NULL)
1087 *time_rec = res.time_rec;
1088
1089 if ((delegated_cred_handle != NULL) &&
1090 (res.delegated_cred_handle.GSS_CRED_ID_T_len
1091 != 0)) {
1092 kcred = KGSS_CRED_ALLOC();
1093 kcred->gssd_cred =
1094 *((gssd_cred_id_t *)
1095 res.delegated_cred_handle.GSS_CRED_ID_T_val);
1096 kcred->gssd_cred_verifier =
1097 res.gssd_context_verifier;
1098 *delegated_cred_handle = (gss_cred_id_t)kcred;
1099 }
1100
1101 }
1102 }
1103
1104
1105 /*
1106 * free the memory allocated for the results and return with the status
1107 * received in the rpc call
1108 */
1109
1110 clnt_freeres(clnt, xdr_gss_accept_sec_context_res, (caddr_t)&res);
1111 killgssd_handle(clnt);
1112 return (res.status);
1113
1114 }
1115
1116 OM_uint32
kgss_accept_sec_context(OM_uint32 * minor_status,gss_ctx_id_t * context_handle,const gss_cred_id_t verifier_cred_handle,const gss_buffer_t input_token,const gss_channel_bindings_t input_chan_bindings,gss_buffer_t src_name,gss_OID * mech_type,gss_buffer_t output_token,int * ret_flags,OM_uint32 * time_rec,gss_cred_id_t * delegated_cred_handle,uid_t uid)1117 kgss_accept_sec_context(
1118 OM_uint32 *minor_status,
1119 gss_ctx_id_t *context_handle,
1120 const gss_cred_id_t verifier_cred_handle,
1121 const gss_buffer_t input_token,
1122 const gss_channel_bindings_t input_chan_bindings,
1123 gss_buffer_t src_name,
1124 gss_OID *mech_type,
1125 gss_buffer_t output_token,
1126 int *ret_flags,
1127 OM_uint32 *time_rec,
1128 gss_cred_id_t *delegated_cred_handle,
1129 uid_t uid)
1130 {
1131 OM_uint32 err;
1132 struct kgss_ctx *kctx;
1133 gss_OID mt;
1134 OM_uint32 gssd_cred_verifier;
1135 gssd_cred_id_t gssd_ver_cred_handle;
1136
1137
1138 /*
1139 * See kgss_init_sec_context() to get an idea of what is going
1140 * on here.
1141 */
1142 if (mech_type == NULL)
1143 mech_type = &mt;
1144
1145 if (*context_handle == GSS_C_NO_CONTEXT) {
1146 kctx = KGSS_ALLOC();
1147 kctx->mech = &default_gc;
1148 kctx->gssd_ctx = GSSD_NO_CONTEXT;
1149 *context_handle = (gss_ctx_id_t)kctx;
1150 } else
1151 kctx = (struct kgss_ctx *)*context_handle;
1152
1153 if (verifier_cred_handle != GSS_C_NO_CREDENTIAL) {
1154 gssd_cred_verifier = KCRED_TO_CREDV(verifier_cred_handle);
1155 gssd_ver_cred_handle = KCRED_TO_CRED(verifier_cred_handle);
1156 } else {
1157 gssd_ver_cred_handle = GSSD_NO_CREDENTIAL;
1158 }
1159
1160 err = kgss_accept_sec_context_wrapped(minor_status,
1161 &kctx->gssd_ctx, &kctx->gssd_ctx_verifier,
1162 gssd_ver_cred_handle, gssd_cred_verifier,
1163 input_token, input_chan_bindings, src_name,
1164 mech_type, output_token, ret_flags,
1165 time_rec, delegated_cred_handle, uid);
1166
1167 if (GSS_ERROR(err)) {
1168 KGSS_FREE(kctx);
1169 *context_handle = GSS_C_NO_CONTEXT;
1170
1171 } else if (err == GSS_S_COMPLETE) {
1172 __kgss_reset_mech(&kctx->mech, *mech_type);
1173
1174 /*
1175 * If the mech oid was allocated for us, free it.
1176 */
1177 if (&mt == mech_type) {
1178 kgss_free_oid(mt);
1179 }
1180 }
1181
1182 return (err);
1183 }
1184
1185 OM_uint32
kgss_process_context_token(minor_status,context_handle,token_buffer,uid)1186 kgss_process_context_token(minor_status,
1187 context_handle,
1188 token_buffer,
1189 uid)
1190 OM_uint32 *minor_status;
1191 const gss_ctx_id_t context_handle;
1192 gss_buffer_t token_buffer;
1193 uid_t uid;
1194 {
1195 CLIENT *clnt;
1196 OM_uint32 gssd_context_verifier;
1197 gssd_ctx_id_t gssd_ctx_handle;
1198 gss_process_context_token_arg arg;
1199 gss_process_context_token_res res;
1200
1201 gssd_context_verifier = KGSS_CTX_TO_GSSD_CTXV(context_handle);
1202 gssd_ctx_handle = (gssd_ctx_id_t)KGSS_CTX_TO_GSSD_CTX(context_handle);
1203
1204 /* get the client handle to GSSD */
1205
1206 if ((clnt = getgssd_handle()) == NULL) {
1207 GSSLOG(1,
1208 "kgss_process_context_token: can't connect to server on %s\n",
1209 server);
1210 return (GSS_S_FAILURE);
1211 }
1212
1213 /* copy the procedure arguments into the rpc arg parameter */
1214
1215 arg.uid = (OM_uint32) uid;
1216
1217 arg.context_handle.GSS_CTX_ID_T_len = (uint_t)sizeof (gssd_ctx_id_t);
1218 arg.context_handle.GSS_CTX_ID_T_val = (char *)&gssd_ctx_handle;
1219 arg.gssd_context_verifier = gssd_context_verifier;
1220 arg.token_buffer.GSS_BUFFER_T_len = (uint_t)token_buffer->length;
1221 arg.token_buffer.GSS_BUFFER_T_val = (char *)token_buffer->value;
1222
1223 /* call the remote procedure */
1224
1225 bzero(&res, sizeof (res));
1226
1227 if (gss_process_context_token_1(&arg, &res, clnt) != RPC_SUCCESS) {
1228
1229 /*
1230 * if the RPC call times out, null out all return arguments, set
1231 * minor_status to its maximum value, and return GSS_S_FAILURE
1232 */
1233
1234 if (minor_status != NULL)
1235 *minor_status = DEFAULT_MINOR_STAT;
1236 GSSLOG0(1, "kgss_process_context_token: RPC call times out\n");
1237 killgssd_handle(clnt);
1238 return (GSS_S_FAILURE);
1239 }
1240
1241 /* copy the rpc results into the return arguments */
1242
1243 if (minor_status != NULL)
1244 *minor_status = res.minor_status;
1245
1246 /* return with status returned in rpc call */
1247
1248 killgssd_handle(clnt);
1249 return (res.status);
1250
1251 }
1252
1253 /*ARGSUSED*/
1254 static OM_uint32
kgss_delete_sec_context_wrapped(void * private,OM_uint32 * minor_status,gssd_ctx_id_t * context_handle,gss_buffer_t output_token,OM_uint32 gssd_context_verifier)1255 kgss_delete_sec_context_wrapped(void *private,
1256 OM_uint32 *minor_status,
1257 gssd_ctx_id_t *context_handle,
1258 gss_buffer_t output_token,
1259 OM_uint32 gssd_context_verifier)
1260
1261
1262 {
1263 CLIENT *clnt;
1264
1265 gss_delete_sec_context_arg arg;
1266 gss_delete_sec_context_res res;
1267
1268
1269 /* get the client handle to GSSD */
1270
1271 if ((clnt = getgssd_handle()) == NULL) {
1272 GSSLOG(1,
1273 "kgss_delete_sec_context: can't connect to server on %s\n",
1274 server);
1275 return (GSS_S_FAILURE);
1276 }
1277
1278 /* copy the procedure arguments into the rpc arg parameter */
1279
1280 arg.context_handle.GSS_CTX_ID_T_len =
1281 *context_handle == GSSD_NO_CONTEXT ?
1282 0 : (uint_t)sizeof (gssd_ctx_id_t);
1283 arg.context_handle.GSS_CTX_ID_T_val = (char *)context_handle;
1284
1285 arg.gssd_context_verifier = gssd_context_verifier;
1286
1287 /* call the remote procedure */
1288
1289 bzero((caddr_t)&res, sizeof (res));
1290 if (gss_delete_sec_context_1(&arg, &res, clnt) != RPC_SUCCESS) {
1291
1292 /*
1293 * if the RPC call times out, null out all return arguments, set
1294 * minor_status to its maximum value, and return GSS_S_FAILURE
1295 */
1296
1297 if (minor_status != NULL)
1298 *minor_status = DEFAULT_MINOR_STAT;
1299 if (context_handle != NULL)
1300 *context_handle = 0;
1301 if (output_token != NULL)
1302 output_token->length = 0;
1303
1304 killgssd_handle(clnt);
1305 GSSLOG0(1, "kgssd_delete_sec_context: RPC call times out\n");
1306 return (GSS_S_FAILURE);
1307 }
1308
1309 /* copy the rpc results into the return arguments */
1310
1311 if (minor_status != NULL)
1312 *minor_status = res.minor_status;
1313
1314 if (res.context_handle.GSS_CTX_ID_T_len == 0)
1315 *context_handle = 0;
1316 else
1317 *context_handle =
1318 *((gssd_ctx_id_t *)res.context_handle.GSS_CTX_ID_T_val);
1319
1320 if (output_token != NULL) {
1321 output_token->length = res.output_token.GSS_BUFFER_T_len;
1322 output_token->value = res.output_token.GSS_BUFFER_T_val;
1323 res.output_token.GSS_BUFFER_T_len = 0;
1324 res.output_token.GSS_BUFFER_T_val = NULL;
1325 }
1326
1327 /*
1328 * free the memory allocated for the results and return with the status
1329 * received in the rpc call
1330 */
1331
1332 clnt_freeres(clnt, xdr_gss_delete_sec_context_res, (caddr_t)&res);
1333 killgssd_handle(clnt);
1334 return (res.status);
1335
1336 }
1337
1338 OM_uint32
kgss_delete_sec_context(OM_uint32 * minor_status,gss_ctx_id_t * context_handle,gss_buffer_t output_token)1339 kgss_delete_sec_context(
1340 OM_uint32 *minor_status,
1341 gss_ctx_id_t *context_handle,
1342 gss_buffer_t output_token)
1343 {
1344 OM_uint32 err;
1345 struct kgss_ctx *kctx;
1346
1347 if (*context_handle == GSS_C_NO_CONTEXT) {
1348 GSSLOG0(8, "kgss_delete_sec_context: Null context handle \n");
1349 return (GSS_S_COMPLETE);
1350 } else
1351 kctx = (struct kgss_ctx *)*context_handle;
1352
1353 if (kctx->ctx_imported == FALSE) {
1354 if (kctx->gssd_ctx == GSSD_NO_CONTEXT) {
1355 KGSS_FREE(kctx);
1356 *context_handle = GSS_C_NO_CONTEXT;
1357 return (GSS_S_COMPLETE);
1358 }
1359 err = kgss_delete_sec_context_wrapped(
1360 KCTX_TO_PRIVATE(*context_handle),
1361 minor_status,
1362 &kctx->gssd_ctx,
1363 output_token,
1364 kctx->gssd_ctx_verifier);
1365 } else {
1366 if (kctx->gssd_i_ctx == (gss_ctx_id_t)GSS_C_NO_CONTEXT) {
1367 KGSS_FREE(kctx);
1368 *context_handle = GSS_C_NO_CONTEXT;
1369 return (GSS_S_COMPLETE);
1370 }
1371 err = KGSS_DELETE_SEC_CONTEXT(minor_status, kctx,
1372 &kctx->gssd_i_ctx, output_token);
1373 }
1374 KGSS_FREE(kctx);
1375 *context_handle = GSS_C_NO_CONTEXT;
1376 return (err);
1377
1378 }
1379
1380
1381 OM_uint32
kgss_export_sec_context_wrapped(minor_status,context_handle,output_token,gssd_context_verifier)1382 kgss_export_sec_context_wrapped(minor_status,
1383 context_handle,
1384 output_token,
1385 gssd_context_verifier)
1386 OM_uint32 *minor_status;
1387 gssd_ctx_id_t *context_handle;
1388 gss_buffer_t output_token;
1389 OM_uint32 gssd_context_verifier;
1390 {
1391 CLIENT *clnt;
1392 gss_export_sec_context_arg arg;
1393 gss_export_sec_context_res res;
1394
1395
1396 /* get the client handle to GSSD */
1397
1398 if ((clnt = getgssd_handle()) == NULL) {
1399 GSSLOG(1, "kgss_export_sec_context_wrapped :"
1400 " can't connect to server on %s\n", server);
1401 return (GSS_S_FAILURE);
1402 }
1403
1404 /* copy the procedure arguments into the rpc arg parameter */
1405
1406 arg.context_handle.GSS_CTX_ID_T_len = (uint_t)sizeof (gssd_ctx_id_t);
1407 arg.context_handle.GSS_CTX_ID_T_val = (char *)context_handle;
1408 arg.gssd_context_verifier = gssd_context_verifier;
1409
1410 /* call the remote procedure */
1411
1412 (void) memset(&res, 0, sizeof (res));
1413 if (gss_export_sec_context_1(&arg, &res, clnt) != RPC_SUCCESS) {
1414
1415 /*
1416 * if the RPC call times out, null out all return arguments,
1417 * set minor_status to its maximum value, and return
1418 * GSS_S_FAILURE
1419 */
1420
1421 if (minor_status != NULL)
1422 *minor_status = DEFAULT_MINOR_STAT;
1423 if (context_handle != NULL)
1424 *context_handle = 0;
1425 if (output_token != NULL)
1426 output_token->length = 0;
1427 killgssd_handle(clnt);
1428 GSSLOG0(1,
1429 "kgss_export_sec_context_wrapped: RPC call times out\n");
1430 return (GSS_S_FAILURE);
1431 }
1432
1433 /* copy the rpc results into the return arguments */
1434
1435 if (minor_status != NULL)
1436 *minor_status = res.minor_status;
1437
1438 if (res.context_handle.GSS_CTX_ID_T_len == 0)
1439 *context_handle = 0;
1440 else
1441 *context_handle =
1442 *((gssd_ctx_id_t *)res.context_handle.GSS_CTX_ID_T_val);
1443
1444 if (output_token != NULL) {
1445 output_token->length = res.output_token.GSS_BUFFER_T_len;
1446 output_token->value =
1447 (void *) MALLOC(output_token->length);
1448 (void) memcpy(output_token->value,
1449 res.output_token.GSS_BUFFER_T_val,
1450 output_token->length);
1451 }
1452
1453 /*
1454 * free the memory allocated for the results and return with the status
1455 * received in the rpc call
1456 */
1457
1458 clnt_freeres(clnt, xdr_gss_export_sec_context_res, (caddr_t)&res);
1459 killgssd_handle(clnt);
1460 return (res.status);
1461
1462 }
1463
1464 OM_uint32
kgss_export_sec_context(minor_status,context_handle,output_token)1465 kgss_export_sec_context(minor_status,
1466 context_handle,
1467 output_token)
1468 OM_uint32 *minor_status;
1469 gss_ctx_id_t context_handle;
1470 gss_buffer_t output_token;
1471 {
1472 struct kgss_ctx *kctx;
1473
1474 if (context_handle == GSS_C_NO_CONTEXT)
1475 return (GSS_S_FAILURE);
1476 else
1477 kctx = (struct kgss_ctx *)context_handle;
1478
1479
1480
1481 /*
1482 * If there is a kernel module then import_sec context must be
1483 * supported and we make an upcall to export_sec_context.
1484 * If there is no kernel module then we return an error
1485 */
1486
1487 *minor_status = 0;
1488
1489 if (kctx->mech->gss_import_sec_context) {
1490 GSSLOG0(8, "kgss_export_sec_context: Kernel mod available \n");
1491 return (kgss_export_sec_context_wrapped(minor_status,
1492 &kctx->gssd_ctx,
1493 output_token,
1494 kctx->gssd_ctx_verifier));
1495
1496 } else {
1497
1498 /*
1499 * This is not the right error value; instead of
1500 * inventing new error we return GSS_S_NAME_NOT_MN
1501 * This error is not returned by the export routine
1502 */
1503
1504 GSSLOG0(8, "kgss_export_sec_context: Kernel mod "
1505 "unavailable \n");
1506 return (GSS_S_NAME_NOT_MN);
1507 }
1508
1509 }
1510
1511 OM_uint32
kgss_import_sec_context(minor_status,interprocess_token,context_handle)1512 kgss_import_sec_context(minor_status,
1513 interprocess_token,
1514 context_handle)
1515
1516 OM_uint32 * minor_status;
1517 const gss_buffer_t interprocess_token;
1518 gss_ctx_id_t context_handle;
1519
1520 {
1521 OM_uint32 status;
1522 struct kgss_ctx *kctx;
1523
1524 size_t length;
1525 char *p;
1526 gss_buffer_desc token;
1527 gss_ctx_id_t internal_ctx_id;
1528 kctx = (struct kgss_ctx *)context_handle;
1529
1530 if (kctx->gssd_ctx != GSSD_NO_CONTEXT) {
1531 return (GSS_S_FAILURE);
1532 }
1533
1534 if (!(KCTX_TO_MECH(context_handle)->gss_import_sec_context)) {
1535
1536 /*
1537 * This should never happen
1538 * If Kernel import sec context does not exist the export
1539 * sec context should have caught this and returned an error
1540 * and the caller should not have called this routine
1541 */
1542 GSSLOG0(1, "import_sec_context called improperly\n");
1543 return (GSS_S_FAILURE);
1544 }
1545 *minor_status = 0;
1546
1547 if (interprocess_token->length == 0 || interprocess_token->value == 0)
1548 return (GSS_S_DEFECTIVE_TOKEN);
1549
1550 status = GSS_S_FAILURE;
1551
1552 p = interprocess_token->value;
1553 length = *p++;
1554 length = (length << 8) + *p++;
1555 length = (length << 8) + *p++;
1556 length = (length << 8) + *p++;
1557
1558 p += length;
1559
1560 token.length = interprocess_token->length - 4 - length;
1561 token.value = p;
1562
1563 /*
1564 * select the approprate underlying mechanism routine and
1565 * call it.
1566 */
1567
1568 status = KGSS_IMPORT_SEC_CONTEXT(minor_status, &token, kctx,
1569 &internal_ctx_id);
1570
1571 if (status == GSS_S_COMPLETE) {
1572 KCTX_TO_I_CTX(kctx) = internal_ctx_id;
1573 kctx->ctx_imported = TRUE;
1574 return (GSS_S_COMPLETE);
1575 } else
1576 return (status);
1577 }
1578
1579 /*ARGSUSED*/
1580 OM_uint32
kgss_context_time(minor_status,context_handle,time_rec,uid)1581 kgss_context_time(minor_status,
1582 context_handle,
1583 time_rec,
1584 uid)
1585 OM_uint32 *minor_status;
1586 const gss_ctx_id_t context_handle;
1587 OM_uint32 *time_rec;
1588 uid_t uid;
1589 {
1590 return (GSS_S_FAILURE);
1591 }
1592
1593 /*ARGSUSED*/
1594 static OM_uint32
kgss_sign_wrapped(void * private,OM_uint32 * minor_status,const gss_ctx_id_t ctx_handle,int qop_req,const gss_buffer_t message_buffer,gss_buffer_t msg_token,OM_uint32 gssd_context_verifier)1595 kgss_sign_wrapped(void *private,
1596 OM_uint32 *minor_status,
1597 const gss_ctx_id_t ctx_handle,
1598 int qop_req,
1599 const gss_buffer_t message_buffer,
1600 gss_buffer_t msg_token,
1601 OM_uint32 gssd_context_verifier)
1602 {
1603 CLIENT *clnt;
1604 gssd_ctx_id_t context_handle;
1605
1606 gss_sign_arg arg;
1607 gss_sign_res res;
1608 context_handle = (gssd_ctx_id_t)KCTX_TO_GSSD_CTX(ctx_handle);
1609 /* get the client handle to GSSD */
1610
1611 if ((clnt = getgssd_handle()) == NULL) {
1612 GSSLOG(1, "kgss_sign: can't connect to server on %s\n", server);
1613 return (GSS_S_FAILURE);
1614 }
1615
1616 /* copy the procedure arguments into the rpc arg parameter */
1617
1618 arg.context_handle.GSS_CTX_ID_T_len = (uint_t)sizeof (gssd_ctx_id_t);
1619 arg.context_handle.GSS_CTX_ID_T_val = (char *)&context_handle;
1620
1621 arg.context_handle.GSS_CTX_ID_T_len = (uint_t)sizeof (gssd_ctx_id_t);
1622 arg.context_handle.GSS_CTX_ID_T_val = (char *)&context_handle;
1623 arg.gssd_context_verifier = gssd_context_verifier;
1624
1625 arg.qop_req = qop_req;
1626
1627 arg.message_buffer.GSS_BUFFER_T_len = (uint_t)message_buffer->length;
1628 arg.message_buffer.GSS_BUFFER_T_val = (char *)message_buffer->value;
1629
1630 /* call the remote procedure */
1631
1632 bzero((caddr_t)&res, sizeof (res));
1633 if (gss_sign_1(&arg, &res, clnt) != RPC_SUCCESS) {
1634
1635 /*
1636 * if the RPC call times out, null out all return arguments, set
1637 * minor_status to its maximum value, and return GSS_S_FAILURE
1638 */
1639
1640 if (minor_status != NULL)
1641 *minor_status = DEFAULT_MINOR_STAT;
1642 if (msg_token != NULL)
1643 msg_token->length = 0;
1644
1645 killgssd_handle(clnt);
1646 GSSLOG0(1, "kgss_sign: RPC call times out\n");
1647 return (GSS_S_FAILURE);
1648 }
1649
1650 /* copy the rpc results into the return arguments */
1651
1652 if (minor_status != NULL)
1653 *minor_status = res.minor_status;
1654
1655 if (msg_token != NULL) {
1656 msg_token->length = res.msg_token.GSS_BUFFER_T_len;
1657 msg_token->value = (void *) MALLOC(msg_token->length);
1658 (void) memcpy(msg_token->value, res.msg_token.GSS_BUFFER_T_val,
1659 msg_token->length);
1660 }
1661
1662 /*
1663 * free the memory allocated for the results and return with the status
1664 * received in the rpc call
1665 */
1666
1667 clnt_freeres(clnt, xdr_gss_sign_res, (caddr_t)&res);
1668 killgssd_handle(clnt);
1669 return (res.status);
1670
1671 }
1672
1673 OM_uint32
kgss_sign(OM_uint32 * minor_status,const gss_ctx_id_t context_handle,int qop_req,const gss_buffer_t message_buffer,gss_buffer_t msg_token)1674 kgss_sign(
1675 OM_uint32 *minor_status,
1676 const gss_ctx_id_t context_handle,
1677 int qop_req,
1678 const gss_buffer_t message_buffer,
1679 gss_buffer_t msg_token)
1680 {
1681 if (context_handle == GSS_C_NO_CONTEXT)
1682 return (GSS_S_FAILURE);
1683 return (KGSS_SIGN(minor_status, context_handle, qop_req,
1684 message_buffer, msg_token));
1685 }
1686
1687 /*ARGSUSED*/
1688 static OM_uint32
kgss_verify_wrapped(void * private,OM_uint32 * minor_status,const gss_ctx_id_t ctx_handle,const gss_buffer_t message_buffer,const gss_buffer_t token_buffer,int * qop_state,OM_uint32 gssd_context_verifier)1689 kgss_verify_wrapped(void *private,
1690 OM_uint32 *minor_status,
1691 const gss_ctx_id_t ctx_handle,
1692 const gss_buffer_t message_buffer,
1693 const gss_buffer_t token_buffer,
1694 int *qop_state,
1695 OM_uint32 gssd_context_verifier)
1696 {
1697 CLIENT *clnt;
1698
1699 gssd_ctx_id_t context_handle;
1700 gss_verify_arg arg;
1701 gss_verify_res res;
1702
1703 context_handle = (gssd_ctx_id_t)KCTX_TO_GSSD_CTX(ctx_handle);
1704
1705 /* get the client handle to GSSD */
1706
1707 if ((clnt = getgssd_handle()) == NULL) {
1708 GSSLOG(1, "kgss_verify: can't connect to server on %s\n",
1709 server);
1710 return (GSS_S_FAILURE);
1711 }
1712
1713 /* copy the procedure arguments into the rpc arg parameter */
1714
1715 arg.context_handle.GSS_CTX_ID_T_len = (uint_t)sizeof (gss_ctx_id_t);
1716 arg.context_handle.GSS_CTX_ID_T_val = (char *)&context_handle;
1717
1718 arg.context_handle.GSS_CTX_ID_T_len = (uint_t)sizeof (gssd_ctx_id_t);
1719 arg.context_handle.GSS_CTX_ID_T_val = (char *)&context_handle;
1720 arg.gssd_context_verifier = gssd_context_verifier;
1721
1722 arg.message_buffer.GSS_BUFFER_T_len = (uint_t)message_buffer->length;
1723 arg.message_buffer.GSS_BUFFER_T_val = (char *)message_buffer->value;
1724
1725 arg.token_buffer.GSS_BUFFER_T_len = (uint_t)token_buffer->length;
1726 arg.token_buffer.GSS_BUFFER_T_val = (char *)token_buffer->value;
1727
1728 /* call the remote procedure */
1729
1730 bzero((caddr_t)&res, sizeof (res));
1731 if (gss_verify_1(&arg, &res, clnt) != RPC_SUCCESS) {
1732
1733 /*
1734 * if the RPC call times out, null out all return arguments, set
1735 * minor_status to its maximum value, and return GSS_S_FAILURE
1736 */
1737
1738 if (minor_status != NULL)
1739 *minor_status = DEFAULT_MINOR_STAT;
1740 if (qop_state != NULL)
1741 *qop_state = 0;
1742
1743 killgssd_handle(clnt);
1744 GSSLOG0(1, "kgss_verify: RPC call times out\n");
1745 return (GSS_S_FAILURE);
1746 }
1747
1748 /* copy the rpc results into the return arguments */
1749
1750 if (minor_status != NULL)
1751 *minor_status = res.minor_status;
1752
1753 if (qop_state != NULL)
1754 *qop_state = res.qop_state;
1755
1756 /* return with status returned in rpc call */
1757
1758 killgssd_handle(clnt);
1759 return (res.status);
1760
1761 }
1762
1763 OM_uint32
kgss_verify(OM_uint32 * minor_status,const gss_ctx_id_t context_handle,const gss_buffer_t message_buffer,const gss_buffer_t token_buffer,int * qop_state)1764 kgss_verify(OM_uint32 *minor_status,
1765 const gss_ctx_id_t context_handle,
1766 const gss_buffer_t message_buffer,
1767 const gss_buffer_t token_buffer,
1768 int *qop_state)
1769 {
1770 if (context_handle == GSS_C_NO_CONTEXT)
1771 return (GSS_S_FAILURE);
1772 return (KGSS_VERIFY(minor_status, context_handle,
1773 message_buffer, token_buffer, qop_state));
1774 }
1775
1776 /*ARGSUSED*/
1777 static OM_uint32
kgss_seal_wrapped(void * private,OM_uint32 * minor_status,const gss_ctx_id_t ctx_handle,int conf_req_flag,int qop_req,const gss_buffer_t input_message_buffer,int * conf_state,gss_buffer_t output_message_buffer,OM_uint32 gssd_context_verifier)1778 kgss_seal_wrapped(void *private,
1779 OM_uint32 *minor_status,
1780 const gss_ctx_id_t ctx_handle,
1781 int conf_req_flag,
1782 int qop_req,
1783 const gss_buffer_t input_message_buffer,
1784 int *conf_state,
1785 gss_buffer_t output_message_buffer,
1786 OM_uint32 gssd_context_verifier)
1787 {
1788 CLIENT *clnt;
1789 gssd_ctx_id_t context_handle;
1790
1791 gss_seal_arg arg;
1792 gss_seal_res res;
1793
1794 context_handle = (gssd_ctx_id_t)KCTX_TO_GSSD_CTX(ctx_handle);
1795
1796 /* get the client handle to GSSD */
1797
1798 if ((clnt = getgssd_handle()) == NULL) {
1799 GSSLOG(1, "kgss_seal: can't connect to server on %s\n", server);
1800 return (GSS_S_FAILURE);
1801 }
1802
1803 /* copy the procedure arguments into the rpc arg parameter */
1804
1805 arg.context_handle.GSS_CTX_ID_T_len = (uint_t)sizeof (gss_ctx_id_t);
1806 arg.context_handle.GSS_CTX_ID_T_val = (char *)&context_handle;
1807
1808 arg.context_handle.GSS_CTX_ID_T_len = (uint_t)sizeof (OM_uint32);
1809 arg.context_handle.GSS_CTX_ID_T_val = (char *)&context_handle;
1810 arg.gssd_context_verifier = gssd_context_verifier;
1811
1812 arg.conf_req_flag = conf_req_flag;
1813
1814 arg.qop_req = qop_req;
1815
1816 arg.input_message_buffer.GSS_BUFFER_T_len =
1817 (uint_t)input_message_buffer->length;
1818
1819 arg.input_message_buffer.GSS_BUFFER_T_val =
1820 (char *)input_message_buffer->value;
1821
1822 /* call the remote procedure */
1823
1824 bzero((caddr_t)&res, sizeof (res));
1825 if (gss_seal_1(&arg, &res, clnt) != RPC_SUCCESS) {
1826
1827 /*
1828 * if the RPC call times out, null out all return arguments, set
1829 * minor_status to its maximum value, and return GSS_S_FAILURE
1830 */
1831
1832 if (minor_status != NULL)
1833 *minor_status = DEFAULT_MINOR_STAT;
1834 if (conf_state != NULL)
1835 *conf_state = 0;
1836 if (output_message_buffer != NULL)
1837 output_message_buffer->length = 0;
1838
1839 killgssd_handle(clnt);
1840 GSSLOG0(1, "kgss_seal: RPC call times out\n");
1841 return (GSS_S_FAILURE);
1842 }
1843
1844 /* copy the rpc results into the return arguments */
1845
1846 if (minor_status != NULL)
1847 *minor_status = res.minor_status;
1848
1849 if (conf_state != NULL)
1850 *conf_state = res.conf_state;
1851
1852 if (output_message_buffer != NULL) {
1853 output_message_buffer->length =
1854 res.output_message_buffer.GSS_BUFFER_T_len;
1855
1856 output_message_buffer->value =
1857 (void *) MALLOC(output_message_buffer->length);
1858 (void) memcpy(output_message_buffer->value,
1859 res.output_message_buffer.GSS_BUFFER_T_val,
1860 output_message_buffer->length);
1861 }
1862
1863 /*
1864 * free the memory allocated for the results and return with the status
1865 * received in the rpc call
1866 */
1867
1868 clnt_freeres(clnt, xdr_gss_seal_res, (caddr_t)&res);
1869 killgssd_handle(clnt);
1870 return (res.status);
1871 }
1872
1873 /*ARGSUSED*/
1874 OM_uint32
kgss_seal(OM_uint32 * minor_status,const gss_ctx_id_t context_handle,int conf_req_flag,int qop_req,const gss_buffer_t input_message_buffer,int * conf_state,gss_buffer_t output_message_buffer)1875 kgss_seal(OM_uint32 *minor_status,
1876 const gss_ctx_id_t context_handle,
1877 int conf_req_flag,
1878 int qop_req,
1879 const gss_buffer_t input_message_buffer,
1880 int *conf_state,
1881 gss_buffer_t output_message_buffer)
1882
1883 {
1884 if (context_handle == GSS_C_NO_CONTEXT)
1885 return (GSS_S_FAILURE);
1886 return (KGSS_SEAL(minor_status, context_handle,
1887 conf_req_flag, qop_req,
1888 input_message_buffer, conf_state,
1889 output_message_buffer));
1890 }
1891
1892 /*ARGSUSED*/
1893 static OM_uint32
kgss_unseal_wrapped(void * private,OM_uint32 * minor_status,const gss_ctx_id_t ctx_handle,const gss_buffer_t input_message_buffer,gss_buffer_t output_message_buffer,int * conf_state,int * qop_state,OM_uint32 gssd_context_verifier)1894 kgss_unseal_wrapped(void *private,
1895 OM_uint32 *minor_status,
1896 const gss_ctx_id_t ctx_handle,
1897 const gss_buffer_t input_message_buffer,
1898 gss_buffer_t output_message_buffer,
1899 int *conf_state,
1900 int *qop_state,
1901 OM_uint32 gssd_context_verifier)
1902 {
1903 CLIENT *clnt;
1904
1905 gss_unseal_arg arg;
1906 gss_unseal_res res;
1907 gssd_ctx_id_t context_handle;
1908
1909 context_handle = (gssd_ctx_id_t)KCTX_TO_GSSD_CTX(ctx_handle);
1910
1911 /* get the client handle to GSSD */
1912
1913 if ((clnt = getgssd_handle()) == NULL) {
1914 GSSLOG(1, "kgss_unseal: can't connect to server on %s\n",
1915 server);
1916 return (GSS_S_FAILURE);
1917 }
1918
1919 /* copy the procedure arguments into the rpc arg parameter */
1920
1921 arg.context_handle.GSS_CTX_ID_T_len = (uint_t)sizeof (gss_ctx_id_t);
1922 arg.context_handle.GSS_CTX_ID_T_val = (char *)&context_handle;
1923
1924 arg.context_handle.GSS_CTX_ID_T_len = (uint_t)sizeof (gssd_ctx_id_t);
1925 arg.context_handle.GSS_CTX_ID_T_val = (char *)&context_handle;
1926 arg.gssd_context_verifier = gssd_context_verifier;
1927
1928 arg.input_message_buffer.GSS_BUFFER_T_len =
1929 (uint_t)input_message_buffer->length;
1930
1931 arg.input_message_buffer.GSS_BUFFER_T_val =
1932 (char *)input_message_buffer->value;
1933
1934 /* call the remote procedure */
1935
1936 bzero((caddr_t)&res, sizeof (res));
1937 if (gss_unseal_1(&arg, &res, clnt) != RPC_SUCCESS) {
1938
1939 /*
1940 * if the RPC call times out, null out all return arguments, set
1941 * minor_status to its maximum value, and return GSS_S_FAILURE
1942 */
1943
1944 if (minor_status != NULL)
1945 *minor_status = DEFAULT_MINOR_STAT;
1946 if (output_message_buffer != NULL)
1947 output_message_buffer->length = 0;
1948 if (conf_state != NULL)
1949 *conf_state = 0;
1950 if (qop_state != NULL)
1951 *qop_state = 0;
1952
1953 killgssd_handle(clnt);
1954 GSSLOG0(1, "kgss_unseal: RPC call times out\n");
1955 return (GSS_S_FAILURE);
1956 }
1957
1958 /* copy the rpc results into the return arguments */
1959
1960 if (minor_status != NULL)
1961 *minor_status = res.minor_status;
1962
1963 if (output_message_buffer != NULL) {
1964 output_message_buffer->length =
1965 res.output_message_buffer.GSS_BUFFER_T_len;
1966
1967 output_message_buffer->value =
1968 (void *) MALLOC(output_message_buffer->length);
1969 (void) memcpy(output_message_buffer->value,
1970 res.output_message_buffer.GSS_BUFFER_T_val,
1971 output_message_buffer->length);
1972 }
1973
1974 if (conf_state != NULL)
1975 *conf_state = res.conf_state;
1976
1977 if (qop_state != NULL)
1978 *qop_state = res.qop_state;
1979
1980 /*
1981 * free the memory allocated for the results and return with the
1982 * status received in the rpc call
1983 */
1984
1985 clnt_freeres(clnt, xdr_gss_unseal_res, (caddr_t)&res);
1986 killgssd_handle(clnt);
1987 return (res.status);
1988 }
1989
1990 OM_uint32
kgss_unseal(OM_uint32 * minor_status,const gss_ctx_id_t context_handle,const gss_buffer_t input_message_buffer,const gss_buffer_t output_message_buffer,int * conf_state,int * qop_state)1991 kgss_unseal(OM_uint32 *minor_status,
1992 const gss_ctx_id_t context_handle,
1993 const gss_buffer_t input_message_buffer,
1994 const gss_buffer_t output_message_buffer,
1995 int *conf_state,
1996 int *qop_state)
1997 {
1998
1999 if (context_handle == GSS_C_NO_CONTEXT)
2000 return (GSS_S_FAILURE);
2001
2002 return (KGSS_UNSEAL(minor_status, context_handle, input_message_buffer,
2003 output_message_buffer, conf_state, qop_state));
2004 }
2005
2006 OM_uint32
kgss_display_status(minor_status,status_value,status_type,mech_type,message_context,status_string,uid)2007 kgss_display_status(minor_status,
2008 status_value,
2009 status_type,
2010 mech_type,
2011 message_context,
2012 status_string,
2013 uid)
2014 OM_uint32 *minor_status;
2015 OM_uint32 status_value;
2016 int status_type;
2017 const gss_OID mech_type;
2018 int *message_context;
2019 gss_buffer_t status_string;
2020 uid_t uid;
2021 {
2022 CLIENT *clnt;
2023
2024 gss_display_status_arg arg;
2025 gss_display_status_res res;
2026
2027 /* get the client handle to GSSD */
2028
2029 if ((clnt = getgssd_handle()) == NULL) {
2030 GSSLOG(1, "kgss_display_status: can't connect to server on %s\n",
2031 server);
2032 return (GSS_S_FAILURE);
2033 }
2034
2035 /* copy the procedure arguments into the rpc arg parameter */
2036
2037 arg.uid = (OM_uint32) uid;
2038
2039 arg.status_value = status_value;
2040 arg.status_type = status_type;
2041
2042 arg.mech_type.GSS_OID_len = (uint_t)(mech_type != GSS_C_NULL_OID ?
2043 mech_type->length : 0);
2044 arg.mech_type.GSS_OID_val = (char *)(mech_type != GSS_C_NULL_OID ?
2045 mech_type->elements : 0);
2046
2047 arg.message_context = *message_context;
2048
2049 /* call the remote procedure */
2050
2051 if (message_context != NULL)
2052 *message_context = 0;
2053 if (status_string != NULL) {
2054 status_string->length = 0;
2055 status_string->value = NULL;
2056 }
2057
2058 bzero((caddr_t)&res, sizeof (res));
2059 if (gss_display_status_1(&arg, &res, clnt) != RPC_SUCCESS) {
2060
2061 /*
2062 * if the RPC call times out, null out all return arguments, set
2063 * minor_status to its maximum value, and return GSS_S_FAILURE
2064 */
2065
2066 if (minor_status != NULL)
2067 *minor_status = DEFAULT_MINOR_STAT;
2068
2069 killgssd_handle(clnt);
2070 GSSLOG0(1, "kgss_display_status: RPC call time out\n");
2071 return (GSS_S_FAILURE);
2072 }
2073
2074
2075 /* now process the results and pass them back to the caller */
2076
2077 if (res.status == GSS_S_COMPLETE) {
2078 if (minor_status != NULL)
2079 *minor_status = res.minor_status;
2080 if (message_context != NULL)
2081 *message_context = res.message_context;
2082 if (status_string != NULL) {
2083 status_string->length =
2084 (size_t)res.status_string.GSS_BUFFER_T_len;
2085 status_string->value =
2086 (void *) MALLOC(status_string->length);
2087 (void) memcpy(status_string->value,
2088 res.status_string.GSS_BUFFER_T_val,
2089 status_string->length);
2090 }
2091 }
2092
2093 clnt_freeres(clnt, xdr_gss_display_status_res, (caddr_t)&res);
2094 killgssd_handle(clnt);
2095 return (res.status);
2096 }
2097
2098 /*ARGSUSED*/
2099 OM_uint32
kgss_indicate_mechs(minor_status,mech_set,uid)2100 kgss_indicate_mechs(minor_status,
2101 mech_set,
2102 uid)
2103 OM_uint32 *minor_status;
2104 gss_OID_set *mech_set;
2105 uid_t uid;
2106 {
2107 CLIENT *clnt;
2108 void *arg;
2109 gss_indicate_mechs_res res;
2110 int i;
2111
2112 /* get the client handle to GSSD */
2113
2114 if ((clnt = getgssd_handle()) == NULL) {
2115 GSSLOG(1, "kgss_indicate_mechs: can't connect to server on %s\n",
2116 server);
2117 return (GSS_S_FAILURE);
2118 }
2119
2120 bzero((caddr_t)&res, sizeof (res));
2121 if (gss_indicate_mechs_1(&arg, &res, clnt) != RPC_SUCCESS) {
2122
2123 /*
2124 * if the RPC call times out, null out all return arguments, set
2125 * minor_status to its maximum value, and return GSS_S_FAILURE
2126 */
2127
2128 if (minor_status != NULL)
2129 *minor_status = DEFAULT_MINOR_STAT;
2130 if (mech_set != NULL)
2131 *mech_set = NULL;
2132
2133 killgssd_handle(clnt);
2134 GSSLOG0(1, "kgss_indicate_mechs: RPC call times out\n");
2135 return (GSS_S_FAILURE);
2136 }
2137
2138 /* copy the rpc results into the return arguments */
2139
2140 if (minor_status != NULL)
2141 *minor_status = res.minor_status;
2142
2143 if (mech_set != NULL) {
2144 *mech_set = (gss_OID_set) MALLOC(sizeof (gss_OID_set_desc));
2145 (*mech_set)->count = res.mech_set.GSS_OID_SET_len;
2146 (*mech_set)->elements = (void *)
2147 MALLOC ((*mech_set)->count * sizeof (gss_OID_desc));
2148 for (i = 0; i < (*mech_set)->count; i++) {
2149 (*mech_set)->elements[i].length =
2150 res.mech_set.GSS_OID_SET_val[i].GSS_OID_len;
2151 (*mech_set)->elements[i].elements = (void *)
2152 MALLOC ((*mech_set)->elements[i].length);
2153 (void) memcpy((*mech_set)->elements[i].elements,
2154 res.mech_set.GSS_OID_SET_val[i].GSS_OID_val,
2155 (*mech_set)->elements[i].length);
2156 }
2157 }
2158
2159 /*
2160 * free the memory allocated for the results and return with the status
2161 * received in the rpc call
2162 */
2163
2164 clnt_freeres(clnt, xdr_gss_indicate_mechs_res, (caddr_t)&res);
2165 killgssd_handle(clnt);
2166 return (res.status);
2167 }
2168
2169
2170 OM_uint32
kgss_inquire_cred_wrapped(minor_status,cred_handle,gssd_cred_verifier,name,lifetime,cred_usage,mechanisms,uid)2171 kgss_inquire_cred_wrapped(minor_status,
2172 cred_handle,
2173 gssd_cred_verifier,
2174 name,
2175 lifetime,
2176 cred_usage,
2177 mechanisms,
2178 uid)
2179 OM_uint32 *minor_status;
2180 const gssd_cred_id_t cred_handle;
2181 OM_uint32 gssd_cred_verifier;
2182 gss_name_t *name;
2183 OM_uint32 *lifetime;
2184 int *cred_usage;
2185 gss_OID_set *mechanisms;
2186 uid_t uid;
2187 {
2188 CLIENT *clnt;
2189
2190 OM_uint32 minor_status_temp;
2191 gss_buffer_desc external_name;
2192 gss_OID_desc name_type;
2193 int i;
2194
2195 gss_inquire_cred_arg arg;
2196 gss_inquire_cred_res res;
2197
2198 /*
2199 * NULL the params here once
2200 * If there are errors then we won't
2201 * have to do it for every error
2202 * case
2203 */
2204 if (minor_status != NULL)
2205 *minor_status = DEFAULT_MINOR_STAT;
2206 if (name != NULL)
2207 *name = NULL;
2208 if (lifetime != NULL)
2209 *lifetime = 0;
2210 if (cred_usage != NULL)
2211 *cred_usage = 0;
2212 if (mechanisms != NULL)
2213 *mechanisms = NULL;
2214
2215 /* get the client handle to GSSD */
2216
2217 if ((clnt = getgssd_handle()) == NULL) {
2218 GSSLOG(1, "kgss_inquire_cred: can't connect to server on %s\n",
2219 server);
2220 return (GSS_S_FAILURE);
2221 }
2222
2223
2224 /* copy the procedure arguments into the rpc arg parameter */
2225
2226 arg.uid = (OM_uint32) uid;
2227
2228 arg.cred_handle.GSS_CRED_ID_T_len =
2229 cred_handle == GSSD_NO_CREDENTIAL ?
2230 0 : (uint_t)sizeof (gssd_cred_id_t);
2231 arg.cred_handle.GSS_CRED_ID_T_val = (char *)&cred_handle;
2232 arg.gssd_cred_verifier = gssd_cred_verifier;
2233
2234 /* call the remote procedure */
2235
2236 bzero((caddr_t)&res, sizeof (res));
2237 if (gss_inquire_cred_1(&arg, &res, clnt) != RPC_SUCCESS) {
2238
2239 /*
2240 * if the RPC call times out
2241 * kill the handle and return GSS_S_FAILURE
2242 * the parameters have been set to NULL already
2243 */
2244
2245 killgssd_handle(clnt);
2246 GSSLOG0(1, "kgss_inquire_cred: RPC call times out\n");
2247 return (GSS_S_FAILURE);
2248 }
2249
2250 /* copy the rpc results into the return arguments */
2251
2252 if (minor_status != NULL)
2253 *minor_status = res.minor_status;
2254
2255 /* convert name from external to internal format */
2256
2257 if (name != NULL) {
2258 external_name.length = res.name.GSS_BUFFER_T_len;
2259 external_name.value = res.name.GSS_BUFFER_T_val;
2260
2261 /*
2262 * we can pass a pointer to res structure
2263 * since gss_import_name treats the name_type
2264 * parameter as read only and performs a copy
2265 */
2266
2267 name_type.length = res.name_type.GSS_OID_len;
2268 name_type.elements = (void *)res.name_type.GSS_OID_val;
2269
2270 if (gss_import_name(&minor_status_temp, &external_name,
2271 &name_type, name) != GSS_S_COMPLETE) {
2272
2273 *minor_status = (OM_uint32) minor_status_temp;
2274 clnt_freeres(clnt, xdr_gss_inquire_cred_res,
2275 (caddr_t)&res);
2276 killgssd_handle(clnt);
2277 GSSLOG0(1, "kgss_inquire_cred: import name fails\n");
2278 return ((OM_uint32) GSS_S_FAILURE);
2279 }
2280 }
2281
2282 if (lifetime != NULL)
2283 *lifetime = res.lifetime;
2284
2285 if (cred_usage != NULL)
2286 *cred_usage = res.cred_usage;
2287
2288 if (res.status == GSS_S_COMPLETE &&
2289 res.mechanisms.GSS_OID_SET_len != 0 &&
2290 mechanisms != NULL) {
2291 *mechanisms = (gss_OID_set) MALLOC(sizeof (gss_OID_set_desc));
2292 (*mechanisms)->count =
2293 (int)res.mechanisms.GSS_OID_SET_len;
2294 (*mechanisms)->elements = (gss_OID)
2295 MALLOC(sizeof (gss_OID_desc) * (*mechanisms)->count);
2296
2297 for (i = 0; i < (*mechanisms)->count; i++) {
2298 (*mechanisms)->elements[i].length = (OM_uint32)
2299 res.mechanisms.GSS_OID_SET_val[i].GSS_OID_len;
2300 (*mechanisms)->elements[i].elements =
2301 (void *) MALLOC((*mechanisms)->elements[i].length);
2302 (void) memcpy((*mechanisms)->elements[i].elements,
2303 res.mechanisms.GSS_OID_SET_val[i].GSS_OID_val,
2304 (*mechanisms)->elements[i].length);
2305 }
2306 } else {
2307 if (res.status == GSS_S_COMPLETE &&
2308 mechanisms != NULL)
2309 (*mechanisms) = NULL;
2310 }
2311 /*
2312 * free the memory allocated for the results and return with the status
2313 * received in the rpc call
2314 */
2315
2316 clnt_freeres(clnt, xdr_gss_inquire_cred_res, (caddr_t)&res);
2317 killgssd_handle(clnt);
2318 return (res.status);
2319
2320 }
2321
2322 OM_uint32
kgss_inquire_cred(minor_status,cred_handle,name,lifetime,cred_usage,mechanisms,uid)2323 kgss_inquire_cred(minor_status,
2324 cred_handle,
2325 name,
2326 lifetime,
2327 cred_usage,
2328 mechanisms,
2329 uid)
2330 OM_uint32 *minor_status;
2331 const gss_cred_id_t cred_handle;
2332 gss_name_t *name;
2333 OM_uint32 *lifetime;
2334 int *cred_usage;
2335 gss_OID_set * mechanisms;
2336 uid_t uid;
2337 {
2338
2339 OM_uint32 gssd_cred_verifier;
2340 OM_uint32 gssd_cred_handle;
2341
2342 gssd_cred_verifier = KCRED_TO_CREDV(cred_handle);
2343 gssd_cred_handle = KCRED_TO_CRED(cred_handle);
2344
2345 return (kgss_inquire_cred_wrapped(minor_status,
2346 gssd_cred_handle, gssd_cred_verifier,
2347 name, lifetime, cred_usage, mechanisms, uid));
2348 }
2349
2350 OM_uint32
kgss_inquire_cred_by_mech_wrapped(minor_status,cred_handle,gssd_cred_verifier,mech_type,uid)2351 kgss_inquire_cred_by_mech_wrapped(minor_status,
2352 cred_handle,
2353 gssd_cred_verifier,
2354 mech_type,
2355 uid)
2356 OM_uint32 *minor_status;
2357 gssd_cred_id_t cred_handle;
2358 OM_uint32 gssd_cred_verifier;
2359 gss_OID mech_type;
2360 uid_t uid;
2361 {
2362 CLIENT *clnt;
2363
2364 gss_inquire_cred_by_mech_arg arg;
2365 gss_inquire_cred_by_mech_res res;
2366
2367 /* get the client handle to GSSD */
2368
2369 if ((clnt = getgssd_handle()) == NULL) {
2370 GSSLOG(1, "kgss_inquire_cred: can't connect to server on %s\n",
2371 server);
2372 return (GSS_S_FAILURE);
2373 }
2374
2375
2376 /* copy the procedure arguments into the rpc arg parameter */
2377
2378 arg.uid = (OM_uint32) uid;
2379
2380 arg.cred_handle.GSS_CRED_ID_T_len =
2381 cred_handle == GSSD_NO_CREDENTIAL ?
2382 0 : (uint_t)sizeof (gssd_cred_id_t);
2383 arg.cred_handle.GSS_CRED_ID_T_val = (char *)&cred_handle;
2384 arg.gssd_cred_verifier = gssd_cred_verifier;
2385
2386 arg.mech_type.GSS_OID_len =
2387 (uint_t)(mech_type != GSS_C_NULL_OID ?
2388 mech_type->length : 0);
2389 arg.mech_type.GSS_OID_val =
2390 (char *)(mech_type != GSS_C_NULL_OID ?
2391 mech_type->elements : 0);
2392 /* call the remote procedure */
2393
2394 bzero((caddr_t)&res, sizeof (res));
2395 if (gss_inquire_cred_by_mech_1(&arg, &res, clnt) != RPC_SUCCESS) {
2396
2397 /*
2398 * if the RPC call times out, null out all return arguments, set
2399 * minor_status to its maximum value, and return GSS_S_FAILURE
2400 */
2401
2402 if (minor_status != NULL)
2403 *minor_status = DEFAULT_MINOR_STAT;
2404 killgssd_handle(clnt);
2405 GSSLOG0(1, "kgss_inquire_cred: RPC call times out\n");
2406 return (GSS_S_FAILURE);
2407 }
2408
2409 /* copy the rpc results into the return arguments */
2410
2411 if (minor_status != NULL)
2412 *minor_status = res.minor_status;
2413
2414 clnt_freeres(clnt, xdr_gss_inquire_cred_by_mech_res, (caddr_t)&res);
2415 killgssd_handle(clnt);
2416 return (res.status);
2417
2418 }
2419
2420 OM_uint32
kgss_inquire_cred_by_mech(minor_status,cred_handle,mech_type,uid)2421 kgss_inquire_cred_by_mech(minor_status,
2422 cred_handle,
2423 mech_type,
2424 uid)
2425 OM_uint32 *minor_status;
2426 gss_cred_id_t cred_handle;
2427 gss_OID mech_type;
2428 uid_t uid;
2429 {
2430
2431 OM_uint32 gssd_cred_verifier;
2432 OM_uint32 gssd_cred_handle;
2433
2434 gssd_cred_verifier = KCRED_TO_CREDV(cred_handle);
2435 gssd_cred_handle = KCRED_TO_CRED(cred_handle);
2436
2437 return (kgss_inquire_cred_by_mech_wrapped(minor_status,
2438 gssd_cred_handle, gssd_cred_verifier,
2439 mech_type, uid));
2440 }
2441
2442 OM_uint32
kgsscred_expname_to_unix_cred(expName,uidOut,gidOut,gids,gidsLen,uid)2443 kgsscred_expname_to_unix_cred(expName, uidOut, gidOut, gids, gidsLen, uid)
2444 const gss_buffer_t expName;
2445 uid_t *uidOut;
2446 gid_t *gidOut;
2447 gid_t *gids[];
2448 int *gidsLen;
2449 uid_t uid;
2450 {
2451 CLIENT *clnt;
2452 gsscred_expname_to_unix_cred_arg args;
2453 gsscred_expname_to_unix_cred_res res;
2454
2455 /* check input/output parameters */
2456 if (expName == NULL || expName->value == NULL)
2457 return (GSS_S_CALL_INACCESSIBLE_READ);
2458
2459 if (uidOut == NULL)
2460 return (GSS_S_CALL_INACCESSIBLE_WRITE);
2461
2462 /* NULL out output parameters */
2463 *uidOut = UID_NOBODY;
2464 if (gidsLen)
2465 *gidsLen = 0;
2466
2467 if (gids)
2468 *gids = NULL;
2469
2470 /* get the client handle to gssd */
2471 if ((clnt = getgssd_handle()) == NULL)
2472 {
2473 GSSLOG(1, "kgsscred_expname_to_unix_cred:"
2474 " can't connect to server on %s\n", server);
2475 return (GSS_S_FAILURE);
2476 }
2477
2478 /* copy the procedure arguments */
2479 args.uid = uid;
2480 args.expname.GSS_BUFFER_T_val = expName->value;
2481 args.expname.GSS_BUFFER_T_len = expName->length;
2482
2483 /* null out the return buffer and call the remote proc */
2484 bzero(&res, sizeof (res));
2485
2486 if (gsscred_expname_to_unix_cred_1(&args, &res, clnt) != RPC_SUCCESS)
2487 {
2488 killgssd_handle(clnt);
2489 GSSLOG0(1,
2490 "kgsscred_expname_to_unix_cred: RPC call times out\n");
2491 return (GSS_S_FAILURE);
2492 }
2493
2494 /* copy the results into the result parameters */
2495 if (res.major == GSS_S_COMPLETE)
2496 {
2497 *uidOut = res.uid;
2498 if (gidOut)
2499 *gidOut = res.gid;
2500 if (gids && gidsLen)
2501 {
2502 *gids = res.gids.GSSCRED_GIDS_val;
2503 *gidsLen = res.gids.GSSCRED_GIDS_len;
2504 res.gids.GSSCRED_GIDS_val = NULL;
2505 res.gids.GSSCRED_GIDS_len = 0;
2506 }
2507 }
2508
2509 /* free RPC results */
2510 clnt_freeres(clnt, xdr_gsscred_expname_to_unix_cred_res, (caddr_t)&res);
2511 killgssd_handle(clnt);
2512
2513 return (res.major);
2514 } /* kgsscred_expname_to_unix_cred */
2515
2516 OM_uint32
kgsscred_name_to_unix_cred(intName,mechType,uidOut,gidOut,gids,gidsLen,uid)2517 kgsscred_name_to_unix_cred(intName, mechType, uidOut, gidOut, gids,
2518 gidsLen, uid)
2519 const gss_name_t intName;
2520 const gss_OID mechType;
2521 uid_t *uidOut;
2522 gid_t *gidOut;
2523 gid_t *gids[];
2524 int *gidsLen;
2525 uid_t uid;
2526 {
2527 CLIENT *clnt;
2528 gsscred_name_to_unix_cred_arg args;
2529 gsscred_name_to_unix_cred_res res;
2530 OM_uint32 major, minor;
2531 gss_OID nameOid;
2532 gss_buffer_desc flatName = GSS_C_EMPTY_BUFFER;
2533
2534 /* check the input/output parameters */
2535 if (intName == NULL || mechType == NULL)
2536 return (GSS_S_CALL_INACCESSIBLE_READ);
2537
2538 if (uidOut == NULL)
2539 return (GSS_S_CALL_INACCESSIBLE_WRITE);
2540
2541 /* NULL out the output parameters */
2542 *uidOut = UID_NOBODY;
2543 if (gids)
2544 *gids = NULL;
2545
2546 if (gidsLen)
2547 *gidsLen = 0;
2548
2549 /* get the client handle to gssd */
2550 if ((clnt = getgssd_handle()) == NULL)
2551 {
2552 GSSLOG(1,
2553 "kgsscred_name_to_unix_cred: can't connect to server %s\n",
2554 server);
2555 return (GSS_S_FAILURE);
2556 }
2557
2558 /* convert the name to flat representation */
2559 if ((major = gss_display_name(&minor, intName, &flatName, &nameOid))
2560 != GSS_S_COMPLETE)
2561 {
2562 killgssd_handle(clnt);
2563 GSSLOG0(1, "kgsscred_name_to_unix_cred: display name failed\n");
2564 return (major);
2565 }
2566
2567 /* set the rpc parameters */
2568 args.uid = uid;
2569 args.pname.GSS_BUFFER_T_len = flatName.length;
2570 args.pname.GSS_BUFFER_T_val = flatName.value;
2571 args.name_type.GSS_OID_len = nameOid->length;
2572 args.name_type.GSS_OID_val = nameOid->elements;
2573 args.mech_type.GSS_OID_len = mechType->length;
2574 args.mech_type.GSS_OID_val = mechType->elements;
2575
2576 /* call the remote procedure */
2577 bzero(&res, sizeof (res));
2578 if (gsscred_name_to_unix_cred_1(&args, &res, clnt) != RPC_SUCCESS) {
2579 killgssd_handle(clnt);
2580 (void) gss_release_buffer(&minor, &flatName);
2581 GSSLOG0(1, "kgsscred_name_to_unix_cred: RPC call times out\n");
2582 return (GSS_S_FAILURE);
2583 }
2584
2585 /* delete the flat name buffer */
2586 (void) gss_release_buffer(&minor, &flatName);
2587
2588 /* copy the output parameters on output */
2589 if (res.major == GSS_S_COMPLETE) {
2590 *uidOut = res.uid;
2591
2592 if (gidOut)
2593 *gidOut = res.gid;
2594 if (gids && gidsLen) {
2595 *gids = res.gids.GSSCRED_GIDS_val;
2596 *gidsLen = res.gids.GSSCRED_GIDS_len;
2597 res.gids.GSSCRED_GIDS_val = NULL;
2598 res.gids.GSSCRED_GIDS_len = 0;
2599 }
2600 }
2601
2602 /* delete RPC allocated memory */
2603 clnt_freeres(clnt, xdr_gsscred_name_to_unix_cred_res, (caddr_t)&res);
2604 killgssd_handle(clnt);
2605
2606 return (res.major);
2607 } /* kgsscred_name_to_unix_cred */
2608
2609 OM_uint32
kgss_get_group_info(puid,gidOut,gids,gidsLen,uid)2610 kgss_get_group_info(puid, gidOut, gids, gidsLen, uid)
2611 const uid_t puid;
2612 gid_t *gidOut;
2613 gid_t *gids[];
2614 int *gidsLen;
2615 uid_t uid;
2616 {
2617 CLIENT *clnt;
2618 gss_get_group_info_arg args;
2619 gss_get_group_info_res res;
2620
2621
2622 /* check the output parameters */
2623 if (gidOut == NULL || gids == NULL || gidsLen == NULL)
2624 return (GSS_S_CALL_INACCESSIBLE_WRITE);
2625
2626 /* get the client GSSD handle */
2627 if ((clnt = getgssd_handle()) == NULL) {
2628 GSSLOG(1,
2629 "kgss_get_group_info: can't connect to server on %s\n",
2630 server);
2631 return (GSS_S_FAILURE);
2632 }
2633
2634 /* set the input parameters */
2635 args.uid = uid;
2636 args.puid = puid;
2637
2638 /* call the remote procedure */
2639 bzero(&res, sizeof (res));
2640 if (gss_get_group_info_1(&args, &res, clnt) != RPC_SUCCESS) {
2641 killgssd_handle(clnt);
2642 GSSLOG0(1, "kgss_get_group_info: RPC call times out\n");
2643 return (GSS_S_FAILURE);
2644 }
2645
2646 /* copy the results */
2647 if (res.major == GSS_S_COMPLETE) {
2648 *gidOut = res.gid;
2649 *gids = res.gids.GSSCRED_GIDS_val;
2650 *gidsLen = res.gids.GSSCRED_GIDS_len;
2651 res.gids.GSSCRED_GIDS_val = NULL;
2652 res.gids.GSSCRED_GIDS_len = 0;
2653 }
2654
2655 /* no results to free */
2656 killgssd_handle(clnt);
2657
2658 return (res.major);
2659 } /* kgss_get_group_info */
2660
2661 static char *
kgss_get_kmod(gss_OID mech_oid)2662 kgss_get_kmod(gss_OID mech_oid)
2663 {
2664 CLIENT *clnt;
2665 gss_get_kmod_arg args;
2666 gss_get_kmod_res res;
2667
2668
2669 /* get the client GSSD handle */
2670 if ((clnt = getgssd_handle()) == NULL) {
2671 GSSLOG(1, "kgss_get_kmod: can't connect to server on %s\n",
2672 server);
2673 return (NULL);
2674 }
2675
2676 /* set the input parameters */
2677 args.mech_oid.GSS_OID_len = mech_oid->length;
2678 args.mech_oid.GSS_OID_val = mech_oid->elements;
2679
2680 /* call the remote procedure */
2681 bzero(&res, sizeof (res));
2682 if (gss_get_kmod_1(&args, &res, clnt) != RPC_SUCCESS) {
2683 killgssd_handle(clnt);
2684 GSSLOG0(1, "gss_get_kmod_1: RPC call times out\n");
2685 return (NULL);
2686 }
2687 /* no results to free */
2688 killgssd_handle(clnt);
2689
2690 if (res.module_follow == TRUE) {
2691 return (res.gss_get_kmod_res_u.modname);
2692 } else
2693 return (NULL);
2694 } /* kgss_get_kmod */
2695
2696 static gss_mechanism kgss_mech_head;
2697 static gss_mechanism kgss_mech_tail;
2698 kmutex_t __kgss_mech_lock;
2699
2700 /*
2701 * See if there is kernel mechanism module, and if so, attempt to
2702 * load it and reset the pointer (gss_mechanism) to the sign/seal/etc.
2703 * entry points to that of the kernel module.
2704 */
2705 static void
__kgss_reset_mech(gss_mechanism * mechp,gss_OID mech_oid)2706 __kgss_reset_mech(gss_mechanism *mechp, gss_OID mech_oid)
2707 {
2708 gss_mechanism mech;
2709 char *kmod;
2710
2711 /*
2712 * We can search the list without a mutex, becuase the list never
2713 * shrinks and we always add to the end.
2714 */
2715 mech = __kgss_get_mechanism(mech_oid);
2716 if (mech) {
2717 *mechp = mech;
2718 return;
2719 }
2720
2721 /*
2722 * Get the module name from the kernel.
2723 */
2724 kmod = kgss_get_kmod(mech_oid);
2725
2726 if (kmod) {
2727 extern int modload(const char *, const char *);
2728 if (modload("misc/kgss", kmod) < 0) {
2729 /*
2730 * Modload of 'kmod' failed, so log an
2731 * appropriate comment
2732 */
2733 cmn_err(CE_NOTE, "kgss_reset_mech: Algorithm modload "
2734 "(%s) failed. Userland gssd will now handle "
2735 "all GSSAPI calls, which may result in "
2736 "reduced performance.\n", kmod);
2737 };
2738
2739 /*
2740 * Allocated in the XDR routine called by gss_get_kmod_1().
2741 */
2742 FREE(kmod, strlen(kmod)+1);
2743
2744 mech = __kgss_get_mechanism(mech_oid);
2745 if (mech) {
2746 *mechp = mech;
2747 }
2748
2749 /*
2750 * If for some reason the module load didn't take,
2751 * we return anyway and hope that the next context
2752 * creation succeeds.
2753 */
2754 return;
2755 }
2756
2757
2758 /*
2759 * No kernel module, so enter this mech oid into the list
2760 * using the default sign/seal/etc. operations that upcall to
2761 * gssd.
2762 */
2763 mutex_enter(&__kgss_mech_lock);
2764 mech = __kgss_get_mechanism(mech_oid);
2765 if (mech) {
2766 mutex_exit(&__kgss_mech_lock);
2767 *mechp = mech;
2768 return;
2769 }
2770
2771 /*
2772 * Allocate space for the mechanism entry.
2773 */
2774 mech = kmem_zalloc(sizeof (struct gss_config), KM_SLEEP);
2775
2776 /*
2777 * Copy basic information from default mechanism struct.
2778 */
2779 *mech = default_gc;
2780
2781 /*
2782 * Record the real mech OID.
2783 */
2784 mech->mech_type.length = mech_oid->length;
2785 mech->mech_type.elements = MALLOC(mech_oid->length);
2786 bcopy(mech_oid->elements, mech->mech_type.elements, mech_oid->length);
2787
2788 /*
2789 * Add it to the table.
2790 */
2791 __kgss_add_mechanism(mech);
2792 mutex_exit(&__kgss_mech_lock);
2793 *mechp = mech;
2794 }
2795
2796 /*
2797 * Called with __kgss_mech_lock held.
2798 */
2799 void
__kgss_add_mechanism(gss_mechanism mech)2800 __kgss_add_mechanism(gss_mechanism mech)
2801 {
2802 gss_mechanism tmp;
2803
2804 tmp = kgss_mech_tail;
2805 kgss_mech_tail = mech;
2806
2807 if (tmp != NULL)
2808 tmp->next = mech;
2809
2810 if (kgss_mech_head == NULL)
2811 kgss_mech_head = mech;
2812 }
2813
2814 /*
2815 * given the mechs_array and a mechanism OID, return the
2816 * pointer to the mechanism, or NULL if that mechanism is
2817 * not supported.
2818 */
2819 gss_mechanism
__kgss_get_mechanism(gss_OID type)2820 __kgss_get_mechanism(gss_OID type)
2821 {
2822 gss_mechanism mech;
2823
2824 mech = kgss_mech_head;
2825
2826 /*
2827 * Note that a reader can scan this list without the mutex held.
2828 * This is safe because we always append, and never shrink the list.
2829 * Moreover, the entry is fully initialized before it is ever
2830 * added to the list.
2831 */
2832 while (mech != NULL) {
2833 if ((mech->mech_type.length == type->length) &&
2834 (bcmp(mech->mech_type.elements, type->elements,
2835 type->length) == 0))
2836 return (mech);
2837
2838 mech = mech->next;
2839 }
2840 return (NULL);
2841 }
2842