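/*
 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * A module for Kerberos V5 security mechanism.
 *
 * Kernel loadable module that registers the Kerberos V5 GSS-API mechanism
 * with the kernel GSS-API framework (misc/kgssapi).  The module is a plain
 * "misc" module: it has no device entry points, it only hooks itself into
 * the kgssapi mechanism table at load time.
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

/* Modules that must be loaded before this one (consumed by the module loader). */
char _depends_on[] = "misc/kgssapi crypto/md5";

#include <sys/types.h>
#include <sys/modctl.h>
#include <sys/errno.h>
#include <mechglueP.h>
#include <gssapiP_krb5.h>
#include <gssapi_err_generic.h>
#include <gssapi/kgssapi_defs.h>
#include <sys/debug.h>
#include <k5-int.h>

OM_uint32 krb5_gss_get_context(void **context);

/* Declared for completeness; not referenced in this file. */
extern krb5_error_code krb5_ser_context_init
	(krb5_context);

/* Registers the serialisation handlers for krb5_auth_context objects. */
extern krb5_error_code krb5_ser_auth_context_init
	(krb5_context);

/*
 * The mechanism descriptor handed to kgssapi.  The leading OID is the
 * DER encoding of 1.2.840.113554.1.2.2, the Kerberos V5 GSS-API mechanism
 * (RFC 1964).  "context" is filled in by gss_mech_initialize() at load time.
 * The EXPORT/CRYPT DELETE markers are build-tooling directives and must be
 * kept exactly as they are.
 */
static struct gss_config krb5_mechanism =
	{{9, "\052\206\110\206\367\022\001\002\002"},
	NULL,	/* context */
	NULL,	/* next */
	TRUE,	/* uses_kmod */
/* EXPORT DELETE START */ /* CRYPT DELETE START */
	krb5_gss_unseal,
/* EXPORT DELETE END */ /* CRYPT DELETE END */
	krb5_gss_delete_sec_context,
/* EXPORT DELETE START */ /* CRYPT DELETE START */
	krb5_gss_seal,
/* EXPORT DELETE END */ /* CRYPT DELETE END */
	krb5_gss_import_sec_context,
/* EXPORT DELETE START */
/* CRYPT DELETE START */
#if 0
/* CRYPT DELETE END */
	krb5_gss_seal,
	krb5_gss_unseal,
/* CRYPT DELETE START */
#endif
/* CRYPT DELETE END */
/* EXPORT DELETE END */
	krb5_gss_sign,
	krb5_gss_verify,
};

/*
 * Populate krb5_mechanism.context with the library-wide krb5_context and
 * return the descriptor.
 *
 * NOTE(review): the status of krb5_gss_get_context() is discarded, so a
 * failed context initialisation leaves krb5_mechanism.context NULL and the
 * descriptor is still returned (and registered by _init()).  Callers that
 * depend on a non-NULL context must check it themselves.
 */
static gss_mechanism
gss_mech_initialize(void)
{
	(void) krb5_gss_get_context(&(krb5_mechanism.context));
	return (&krb5_mechanism);
}

/*
 * Module linkage information for the kernel.
 */
extern struct mod_ops mod_miscops;

static struct modlmisc modlmisc = {
	&mod_miscops, "Krb5 GSS mechanism"
};

static struct modlinkage modlinkage = {
	MODREV_1,
	(void *)&modlmisc,
	NULL
};

/*
 * Return code handed back by _fini().  It starts out as EBUSY so that the
 * module refuses to unload once it has added itself to the kgssapi mechanism
 * table (there is no matching removal path in this file); _init() clears it
 * only when the mechanism was already present and nothing was added.
 */
static int krb5_fini_code = EBUSY;

/*
 * Module load entry point.
 *
 * Installs the module linkage, then registers the Kerberos V5 mechanism with
 * kgssapi under __kgss_mech_lock unless an entry for the same mechanism OID
 * already exists.  Returns 0, or the mod_install() error.
 */
int
_init(void)
{
	int retval;
	gss_mechanism mech, tmp;

	if ((retval = mod_install(&modlinkage)) != 0)
		return (retval);

	mech = gss_mech_initialize();

	mutex_enter(&__kgss_mech_lock);
	tmp = __kgss_get_mechanism(&mech->mech_type);
	if (tmp != NULL) {

		KRB5_LOG0(KRB5_INFO,
		    "KRB5 GSS mechanism: mechanism already in table.\n");

		if (tmp->uses_kmod == TRUE) {
			KRB5_LOG0(KRB5_INFO, "KRB5 GSS mechanism: mechanism "
			    "table supports kernel operations!\n");
		}
		/*
		 * Keep us loaded, but let us be unloadable.  This
		 * will give the developer time to trouble shoot.
		 */
		krb5_fini_code = 0;
	} else {
		__kgss_add_mechanism(mech);
		ASSERT(__kgss_get_mechanism(&mech->mech_type) == mech);
	}
	mutex_exit(&__kgss_mech_lock);

	return (0);
}

/*
 * Module unload entry point.  Refuses (EBUSY) unless _init() decided the
 * module is safe to unload; otherwise removes the module linkage.
 */
int
_fini(void)
{
	int ret = krb5_fini_code;

	if (ret == 0) {
		ret = (mod_remove(&modlinkage));
	}
	return (ret);
}

/*
 * Module information entry point; forwards to mod_info().
 */
int
_info(struct modinfo *modinfop)
{
	return (mod_info(&modlinkage, modinfop));
}

/*
 * Hand out the shared krb5_context, creating it on first use.
 *
 * The context is cached in the global kg_context and guarded by krb5_mutex.
 * On success *context receives kg_context and GSS_S_COMPLETE is returned.
 * GSS_S_FAILURE is returned when context is NULL, when krb5_init_context()
 * fails, or when the serialisation handlers cannot be registered; in the
 * last case the freshly created context is released so that the next caller
 * starts from a clean state instead of leaking it.
 */
OM_uint32
krb5_gss_get_context(void **context)
{
	OM_uint32 major_status = 0;

	mutex_lock(&krb5_mutex);
	if (context == NULL) {
		major_status = GSS_S_FAILURE;
		goto unlock;
	}
	if (kg_context) {
		*context = kg_context;
		major_status = GSS_S_COMPLETE;
		goto unlock;
	}

	if (krb5_init_context(&kg_context)) {
		major_status = GSS_S_FAILURE;
		goto unlock;
	}
	if (krb5_ser_auth_context_init(kg_context)) {
		/*
		 * Release the context we just created; the original code
		 * only cleared the pointer and leaked the allocation.
		 */
		krb5_free_context(kg_context);
		kg_context = NULL;
		major_status = GSS_S_FAILURE;
		goto unlock;
	}

	*context = kg_context;
unlock:
	mutex_unlock(&krb5_mutex);
	return (major_status);
}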