nis/gen/nis_misc_proc.c

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * This contains miscellaneous functions moved from commands to the library.
 */

#include "mt.h"
#include <stdlib.h>
#include <stdio.h>
#include <syslog.h>
#include <string.h>
#include <unistd.h>
#include <gssapi/gssapi.h>
#include <rpc/rpc.h>
#include <rpcsvc/nis.h>
#include <rpcsvc/nis_dhext.h>
#include <rpc/auth.h>
#include <rpc/auth_sys.h>
#include <rpc/auth_des.h>
#include <rpc/key_prot.h>
#include <netdir.h>
#include <netconfig.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <dlfcn.h>
#include <gssapi/gssapi.h>

extern int bin2hex(int len, unsigned char *binnum, char *hexnum);
extern int hex2bin(int len, char *hexnum, char *binnum);

#define	MECH_LIB_PREFIX1	"/usr/lib/"

#ifdef  _LP64

#define	MECH_LIB_PREFIX2	"64/"

#else   /* _LP64 */

#define	MECH_LIB_PREFIX2	""

#endif  /* _LP64 */

#define	MECH_LIB_DIR		"gss/"

#define	MECH_LIB_PREFIX MECH_LIB_PREFIX1 MECH_LIB_PREFIX2

#define	MECHDH		MECH_LIB_PREFIX MECH_LIB_DIR "mech_dh.so.1"
#define	LIBGSS		MECH_LIB_PREFIX "libgss.so.1"

static gss_OID_desc __dh_gss_c_nt_netname = {
	9,  "\053\006\004\001\052\002\032\001\001"
};

mutex_t gss_load_lock = DEFAULTMUTEX;
static gss_OID GSS_EXPORT_NAME = 0;
static gss_OID DH_NETNAME = &__dh_gss_c_nt_netname;

typedef OM_uint32 (*gss_fptr)();
OM_uint32 (*g_import_name)();
OM_uint32 (*g_display_name)();
OM_uint32 (*g_release_name)();
OM_uint32 (*g_release_buffer)();
OM_uint32 (*g_release_oid)();

/*
 * gss_OID_load()
 *
 * This routine is called by __nis_gssprin2netname to define values for
 * the gss-api-export-name OID, the Diffie-Hellman netname OID, and
 * the gss support routines that it needs.
 * The reason for this support routine is that libnsl cannot have an
 * explicit dependency on libgss. Callers of __nisgssprin2netname are
 * expected to have loaded libgss through the rpcsec layer. The work around
 * is to dlopen the needed shared objects and grab the symbols with dlsym.
 * This routine opens libgss RTLD_NOLOAD. If this fails then libgss.so.1
 * is not loaded and we return error. Otherwise it uses dlsym to
 * defines GSS_EXPORT_NAME to have the value of GSS_C_NT_EXPORT_NAME and
 * to assign the above fuction pointers.
 * If this succeeds then the routine will attempt to load mech_dh.so.1
 * and over ride DH_NETNAME with the value of __DH_GSS_C_NT_NETNAME from
 * that shared object. We don't consider it an error if this fails because
 * its conceivable that another mechanism backend will support the netname
 * name type and mech_dh.so.1 not be available.
 *
 * Return 0 on failer, 1 on success.
 */

static int
gss_OID_load()
{
	void *dh;
	gss_OID *OIDptr;
	int stat = 0;

	(void) mutex_lock(&gss_load_lock);
	if (GSS_EXPORT_NAME) {
		(void) mutex_unlock(&gss_load_lock);
		return (0);
	}

	/* if LIBGSS is not loaded return an error */
	if ((dh = dlopen(LIBGSS, RTLD_NOLOAD)) == NULL) {
		(void) mutex_unlock(&gss_load_lock);
		return (0);
	}

	OIDptr = (gss_OID *)dlsym(dh, "GSS_C_NT_EXPORT_NAME");
	if (OIDptr)
		GSS_EXPORT_NAME = *OIDptr;
	else
		goto Done;

	g_import_name = (gss_fptr)dlsym(dh, "gss_import_name");
	if (g_import_name == 0)
		goto Done;

	g_display_name = (gss_fptr)dlsym(dh, "gss_display_name");
	if (g_display_name == 0)
		goto Done;

	g_release_name = (gss_fptr)dlsym(dh, "gss_release_name");
	if (g_release_name == 0)
		goto Done;

	g_release_buffer = (gss_fptr)dlsym(dh, "gss_release_buffer");
	if (g_release_buffer == 0)
		goto Done;

	g_release_oid = (gss_fptr)dlsym(dh, "gss_release_oid");
	if (g_release_oid == 0)
		goto Done;

	stat = 1;
	/*
	 * Try and get the official netname oid from mech_dh.so.
	 * If this fails will just keep our default from above.
	 */

	if ((dh = dlopen(MECHDH, RTLD_LAZY)) != NULL) {

		OIDptr = (gss_OID *)dlsym(dh, "__DH_GSS_C_NT_NETNAME");
		if (OIDptr)
			DH_NETNAME = *OIDptr;
	}

Done:
	(void) mutex_unlock(&gss_load_lock);

	if (stat == 0)
		GSS_EXPORT_NAME = 0;

	return (stat);
}


/*
 * int
 * __nis_gssprin2netname(rpc_gss_principal_t prin,
 *			 char netname[MAXNETNAMELEN+1])
 *
 * This routine attempts to extract the netname from an rpc_gss_principal_t
 * which is in { gss-api-exorted-name } format. Return 0 if a netname was
 * found, else return -1.
 */

/*
 * This routine has a dependency on libgss.so. So we will pragma weak
 * the interfaces that we need. When this routine is called libgss
 * should have been loaded by the rpcsec layer. We will call gss_OID_load
 * to get the value for GSS_EXPORT_NAME. If gss_OID_load failes return -1.
 */

#define	OID_IS_EQUAL(o1, o2) ((o1) && (o2) && \
	((o1)->length == (o2)->length) && \
	(memcmp((o1)->elements, (o2)->elements, (o1)->length) == 0))

int
__nis_gssprin2netname(rpc_gss_principal_t prin, char netname[MAXNETNAMELEN+1])
{
	gss_buffer_desc display_name;
	gss_name_t name;
	gss_OID name_type;
	gss_buffer_desc expName;
	int stat = -1;
	OM_uint32 major, minor;

	/* See if we already got the OID */
	if (GSS_EXPORT_NAME == 0) {
		/* Nope. See if GSS is loaded and get the OIDs */
		if (!gss_OID_load())
			return (-1);	/* if libgss.so.1 isn't loaded */
	}

	expName.length = prin->len;
	expName.value = prin->name;

	major = (*g_import_name)(&minor, &expName,
	    (gss_OID) GSS_EXPORT_NAME, &name);

	if (major == GSS_S_COMPLETE) {
		major = (*g_display_name)(&minor, name,
		    &display_name, &name_type);

		/* We're done with the gss_internal name */
		(void) (*g_release_name)(&minor, &name);

		if (major == GSS_S_COMPLETE) {
			/*
			 * Check if we've got a netname. If we do we copy it
			 * and make sure that its null terminated.
			 */
			if (OID_IS_EQUAL(DH_NETNAME, name_type)) {
				(void) strncpy(netname,
				    (char *)display_name.value,
				    MAXNETNAMELEN);
				netname[MAXNETNAMELEN] = '\0';
				stat = 0;
			}
			/*
			 * If there are other display formats that can
			 * be converted to netnames easily, insert here.
			 *
			 * else if (OID_IS_EQUAL(OTHER_NT_OID, name_type)) {
			 *	convert2netname(display_name.value, netname);
			 * } ...
			 */

			/* Release temporty storage */
			(void) (*g_release_buffer)(&minor, &display_name);
			(void) (*g_release_oid)(&minor, &name_type);
		}
	}

	if (stat == 0)
		return (stat);

	return (stat);
}

/*
 * Extract a public key given a key length and alg. type from a packed
 * netobj containing extended Diffie-Hellman keys.
 */
char *
__nis_dhext_extract_pkey(netobj *no, keylen_t keylen, algtype_t algtype)
{
	char		*hexkey;
	/* LINTED pointer cast */
	extdhkey_t	*keyent = (extdhkey_t *)no->n_bytes;

	/* LINTED pointer cast */
	while (keyent < (extdhkey_t *)(no->n_bytes + no->n_len)) {
		char	*keyoffset;
		size_t	binlen = (ntohs(keyent->keylen) + 7) / 8;
		size_t	binpadlen = ((binlen + 3) / 4) * 4;
		size_t	hexkeylen = binlen * 2 + 1;

		if (keylen == ntohs(keyent->keylen) &&
		    algtype == ntohs(keyent->algtype)) {

			if (!(hexkey = malloc(hexkeylen)))
				return (NULL);

			(void) bin2hex(binlen, keyent->key, hexkey);
			return (hexkey);
		}
		keyoffset = (char *)keyent + (sizeof (ushort_t) * 2) +
		    binpadlen;
		/* LINTED pointer cast */
		keyent = (extdhkey_t *)keyoffset;
	}
	return (NULL);
}