1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2011 Bayard G. Bell. All rights reserved.
25 *
26 * A module for Kerberos V5 security mechanism.
27 *
28 */
29
30 #include <sys/types.h>
31 #include <sys/modctl.h>
32 #include <sys/errno.h>
33 #include <mechglueP.h>
34 #include <gssapiP_krb5.h>
35 #include <gssapi_err_generic.h>
36 #include <gssapi/kgssapi_defs.h>
37 #include <sys/debug.h>
38 #include <k5-int.h>
39
40 /* mechglue wrappers */
41
42 static OM_uint32 k5glue_delete_sec_context
43 (void *, OM_uint32 *, /* minor_status */
44 gss_ctx_id_t *, /* context_handle */
45 gss_buffer_t, /* output_token */
46 OM_uint32);
47
48 static OM_uint32 k5glue_sign
49 (void *, OM_uint32 *, /* minor_status */
50 gss_ctx_id_t, /* context_handle */
51 int, /* qop_req */
52 gss_buffer_t, /* message_buffer */
53 gss_buffer_t, /* message_token */
54 OM_uint32);
55
56 static OM_uint32 k5glue_verify
57 (void *, OM_uint32 *, /* minor_status */
58 gss_ctx_id_t, /* context_handle */
59 gss_buffer_t, /* message_buffer */
60 gss_buffer_t, /* token_buffer */
61 int *, /* qop_state */
62 OM_uint32);
63
64 static OM_uint32 k5glue_seal
65 (void *, OM_uint32 *, /* minor_status */
66 gss_ctx_id_t, /* context_handle */
67 int, /* conf_req_flag */
68 int, /* qop_req */
69 gss_buffer_t, /* input_message_buffer */
70 int *, /* conf_state */
71 gss_buffer_t, /* output_message_buffer */
72 OM_uint32);
73
74 static OM_uint32 k5glue_unseal
75 (void *, OM_uint32 *, /* minor_status */
76 gss_ctx_id_t, /* context_handle */
77 gss_buffer_t, /* input_message_buffer */
78 gss_buffer_t, /* output_message_buffer */
79 int *, /* conf_state */
80 int *, /* qop_state */
81 OM_uint32);
82
83 static OM_uint32 k5glue_import_sec_context
84 (void *, OM_uint32 *, /* minor_status */
85 gss_buffer_t, /* interprocess_token */
86 gss_ctx_id_t *); /* context_handle */
87
88
89
90 static struct gss_config krb5_mechanism =
91 {{9, "\052\206\110\206\367\022\001\002\002"},
92 NULL, /* context */
93 NULL, /* next */
94 TRUE, /* uses_kmod */
95 k5glue_unseal,
96 k5glue_delete_sec_context,
97 k5glue_seal,
98 k5glue_import_sec_context,
99 k5glue_sign,
100 k5glue_verify,
101 };
102
103 static gss_mechanism
gss_mech_initialize()104 gss_mech_initialize()
105 {
106 return (&krb5_mechanism);
107 }
108
109
110 /*
111 * Module linkage information for the kernel.
112 */
113 extern struct mod_ops mod_miscops;
114
115 static struct modlmisc modlmisc = {
116 &mod_miscops, "Krb5 GSS mechanism"
117 };
118
119 static struct modlinkage modlinkage = {
120 MODREV_1,
121 (void *)&modlmisc,
122 NULL
123 };
124
125
126 static int krb5_fini_code = EBUSY;
127
128 int
_init()129 _init()
130 {
131 int retval;
132 gss_mechanism mech, tmp;
133
134 if ((retval = mod_install(&modlinkage)) != 0)
135 return (retval);
136
137 mech = gss_mech_initialize();
138
139 mutex_enter(&__kgss_mech_lock);
140 tmp = __kgss_get_mechanism(&mech->mech_type);
141 if (tmp != NULL) {
142
143 KRB5_LOG0(KRB5_INFO,
144 "KRB5 GSS mechanism: mechanism already in table.\n");
145
146 if (tmp->uses_kmod == TRUE) {
147 KRB5_LOG0(KRB5_INFO, "KRB5 GSS mechanism: mechanism "
148 "table supports kernel operations!\n");
149 }
150 /*
151 * keep us loaded, but let us be unloadable. This
152 * will give the developer time to trouble shoot
153 */
154 krb5_fini_code = 0;
155 } else {
156 __kgss_add_mechanism(mech);
157 ASSERT(__kgss_get_mechanism(&mech->mech_type) == mech);
158 }
159 mutex_exit(&__kgss_mech_lock);
160
161 return (0);
162 }
163
164 int
_fini()165 _fini()
166 {
167 int ret = krb5_fini_code;
168
169 if (ret == 0) {
170 ret = (mod_remove(&modlinkage));
171 }
172 return (ret);
173 }
174
175 int
_info(struct modinfo * modinfop)176 _info(struct modinfo *modinfop)
177 {
178 return (mod_info(&modlinkage, modinfop));
179 }
180
181 /* ARGSUSED */
182 static OM_uint32
k5glue_delete_sec_context(ctx,minor_status,context_handle,output_token,gssd_ctx_verifier)183 k5glue_delete_sec_context(ctx, minor_status, context_handle, output_token,
184 gssd_ctx_verifier)
185 void *ctx;
186 OM_uint32 *minor_status;
187 gss_ctx_id_t *context_handle;
188 gss_buffer_t output_token;
189 OM_uint32 gssd_ctx_verifier;
190 {
191 return (krb5_gss_delete_sec_context(minor_status,
192 context_handle, output_token,
193 gssd_ctx_verifier));
194 }
195
196 /* V2 */
197 /* ARGSUSED */
198 static OM_uint32
k5glue_import_sec_context(ctx,minor_status,interprocess_token,context_handle)199 k5glue_import_sec_context(ctx, minor_status, interprocess_token, context_handle)
200 void *ctx;
201 OM_uint32 *minor_status;
202 gss_buffer_t interprocess_token;
203 gss_ctx_id_t *context_handle;
204 {
205 return (krb5_gss_import_sec_context(minor_status,
206 interprocess_token,
207 context_handle));
208 }
209
210 /* V1 only */
211 /* ARGSUSED */
212 static OM_uint32
k5glue_seal(ctx,minor_status,context_handle,conf_req_flag,qop_req,input_message_buffer,conf_state,output_message_buffer,gssd_ctx_verifier)213 k5glue_seal(ctx, minor_status, context_handle, conf_req_flag, qop_req,
214 input_message_buffer, conf_state, output_message_buffer,
215 gssd_ctx_verifier)
216 void *ctx;
217 OM_uint32 *minor_status;
218 gss_ctx_id_t context_handle;
219 int conf_req_flag;
220 int qop_req;
221 gss_buffer_t input_message_buffer;
222 int *conf_state;
223 gss_buffer_t output_message_buffer;
224 OM_uint32 gssd_ctx_verifier;
225 {
226 return (krb5_gss_seal(minor_status, context_handle,
227 conf_req_flag, qop_req, input_message_buffer,
228 conf_state, output_message_buffer, gssd_ctx_verifier));
229 }
230
231 /* ARGSUSED */
232 static OM_uint32
k5glue_sign(ctx,minor_status,context_handle,qop_req,message_buffer,message_token,gssd_ctx_verifier)233 k5glue_sign(ctx, minor_status, context_handle,
234 qop_req, message_buffer,
235 message_token, gssd_ctx_verifier)
236 void *ctx;
237 OM_uint32 *minor_status;
238 gss_ctx_id_t context_handle;
239 int qop_req;
240 gss_buffer_t message_buffer;
241 gss_buffer_t message_token;
242 OM_uint32 gssd_ctx_verifier;
243 {
244 return (krb5_gss_sign(minor_status, context_handle,
245 qop_req, message_buffer, message_token, gssd_ctx_verifier));
246 }
247
248 /* ARGSUSED */
249 static OM_uint32
k5glue_unseal(ctx,minor_status,context_handle,input_message_buffer,output_message_buffer,conf_state,qop_state,gssd_ctx_verifier)250 k5glue_unseal(ctx, minor_status, context_handle, input_message_buffer,
251 output_message_buffer, conf_state, qop_state, gssd_ctx_verifier)
252 void *ctx;
253 OM_uint32 *minor_status;
254 gss_ctx_id_t context_handle;
255 gss_buffer_t input_message_buffer;
256 gss_buffer_t output_message_buffer;
257 int *conf_state;
258 int *qop_state;
259 OM_uint32 gssd_ctx_verifier;
260 {
261 return (krb5_gss_unseal(minor_status, context_handle,
262 input_message_buffer, output_message_buffer,
263 conf_state, qop_state, gssd_ctx_verifier));
264 }
265
266 /* V1 only */
267 /* ARGSUSED */
268 static OM_uint32
k5glue_verify(ctx,minor_status,context_handle,message_buffer,token_buffer,qop_state,gssd_ctx_verifier)269 k5glue_verify(ctx, minor_status, context_handle, message_buffer,
270 token_buffer, qop_state, gssd_ctx_verifier)
271 void *ctx;
272 OM_uint32 *minor_status;
273 gss_ctx_id_t context_handle;
274 gss_buffer_t message_buffer;
275 gss_buffer_t token_buffer;
276 int *qop_state;
277 OM_uint32 gssd_ctx_verifier;
278 {
279 return (krb5_gss_verify(minor_status,
280 context_handle,
281 message_buffer,
282 token_buffer,
283 qop_state, gssd_ctx_verifier));
284 }
285