xref: /illumos-gate/usr/src/uts/common/rpc/sec_gss/rpcsec_gss.c (revision a4aeef46cda1835da2b19f8f62b4526de6521e6c)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
28  *
29  * $Header:
30  * /afs/gza.com/product/secure/rel-eng/src/1.1/rpc/RCS/auth_gssapi.c,v
31  * 1.14 1995/03/22 22:07:55 jik Exp $
32  */
33 
34 #include  <sys/systm.h>
35 #include  <sys/types.h>
36 #include  <gssapi/gssapi.h>
37 #include  <rpc/rpc.h>
38 #include  <rpc/rpcsec_defs.h>
39 #include  <sys/debug.h>
40 #include  <sys/cmn_err.h>
41 #include  <sys/ddi.h>
42 
43 static	void	rpc_gss_nextverf();
44 static	bool_t	rpc_gss_marshall();
45 static	bool_t	rpc_gss_validate();
46 static	bool_t	rpc_gss_refresh();
47 static	void	rpc_gss_destroy();
48 #if 0
49 static	void	rpc_gss_destroy_pvt();
50 #endif
51 static	void	rpc_gss_free_pvt();
52 static	int	rpc_gss_seccreate_pvt();
53 static  bool_t	rpc_gss_wrap();
54 static  bool_t	rpc_gss_unwrap();
55 static	bool_t	validate_seqwin();
56 
57 
58 #ifdef	DEBUG
59 #include <sys/promif.h>
60 #endif
61 
62 static struct auth_ops rpc_gss_ops = {
63 	rpc_gss_nextverf,
64 	rpc_gss_marshall,
65 	rpc_gss_validate,
66 	rpc_gss_refresh,
67 	rpc_gss_destroy,
68 	rpc_gss_wrap,
69 	rpc_gss_unwrap,
70 };
71 
72 /*
73  * Private data for RPCSEC_GSS.
74  */
75 typedef struct _rpc_gss_data {
76 	bool_t		established;	/* TRUE when established */
77 	CLIENT		*clnt;		/* associated client handle */
78 	int		version;	/* RPCSEC version */
79 	gss_ctx_id_t	context;	/* GSS context id */
80 	gss_buffer_desc	ctx_handle;	/* RPCSEC GSS context handle */
81 	uint_t		seq_num;	/* last sequence number rcvd */
82 	gss_cred_id_t	my_cred;	/* caller's GSS credentials */
83 	OM_uint32	qop;		/* requested QOP */
84 	rpc_gss_service_t	service;	/* requested service */
85 	uint_t		gss_proc;	/* GSS control procedure */
86 	gss_name_t	target_name;	/* target server */
87 	int		req_flags;	/* GSS request bits */
88 	gss_OID		mech_type;	/* GSS mechanism */
89 	OM_uint32	time_req;	/* requested cred lifetime */
90 	bool_t		invalid;	/* can't use this any more */
91 	OM_uint32	seq_window;	/* server sequence window */
92 	struct opaque_auth *verifier;	/* rpc reply verifier saved for */
93 					/* validating the sequence window */
94 	gss_channel_bindings_t	icb;
95 } rpc_gss_data;
96 #define	AUTH_PRIVATE(auth)	((rpc_gss_data *)auth->ah_private)
97 
98 #define	INTERRUPT_OK	1	/* allow interrupt */
99 
100 /*
101  *  RPCSEC_GSS auth cache definitions.
102  */
103 
104 /* The table size must be a power of two. */
105 #define	GSSAUTH_TABLESIZE 16
106 #define	HASH(keynum, uid_num) \
107 	((((intptr_t)(keynum)) ^ ((int)uid_num)) & (GSSAUTH_TABLESIZE - 1))
108 
109 /*
110  * gss auth cache entry.
111  */
112 typedef struct ga_cache_entry {
113 	void	*cache_key;
114 	uid_t	uid;
115 	zoneid_t zoneid;
116 	bool_t	in_use;
117 	time_t	ref_time; /* the time referenced previously */
118 	time_t	ctx_expired_time; /* when the context will be expired */
119 	AUTH	*auth;
120 	struct ga_cache_entry *next;
121 } *ga_cache_list;
122 
123 struct ga_cache_entry	*ga_cache_table[GSSAUTH_TABLESIZE];
124 static krwlock_t	ga_cache_table_lock;
125 static struct kmem_cache *ga_cache_handle;
126 static void gssauth_cache_reclaim(void *);
127 
128 static void gssauth_zone_fini(zoneid_t, void *);
129 static zone_key_t	gssauth_zone_key;
130 
131 int ga_cache_hit;
132 int ga_cache_miss;
133 int ga_cache_reclaim;
134 
135 #define	NOT_DEAD(ptr)	ASSERT((((intptr_t)(ptr)) != 0xdeadbeef))
136 
137 void
138 gssauth_init(void)
139 {
140 	/*
141 	 * Initialize gss auth cache table lock
142 	 */
143 	rw_init(&ga_cache_table_lock, NULL, RW_DEFAULT, NULL);
144 
145 	/*
146 	 * Allocate gss auth cache handle
147 	 */
148 	ga_cache_handle = kmem_cache_create("ga_cache_handle",
149 	    sizeof (struct ga_cache_entry), 0, NULL, NULL,
150 	    gssauth_cache_reclaim, NULL, NULL, 0);
151 	zone_key_create(&gssauth_zone_key, NULL, NULL, gssauth_zone_fini);
152 }
153 
154 /*
155  * Destroy the structures previously initialized in gssauth_init()
156  * This routine is called by _init() if mod_install() failed.
157  */
158 void
159 gssauth_fini(void)
160 {
161 	(void) zone_key_delete(gssauth_zone_key);
162 	kmem_cache_destroy(ga_cache_handle);
163 	rw_destroy(&ga_cache_table_lock);
164 }
165 
166 /*
167  * This is a cleanup routine to release cached entries when a zone is being
168  * destroyed.  The code is also used when kmem calls us to free up memory, at
169  * which point ``zoneid'' will be ALL_ZONES.  We don't honor the cache timeout
170  * when the zone is going away, since the zoneid (and all associated cached
171  * entries) are invalid.
172  */
173 time_t rpc_gss_cache_time = 60 * 60;
174 
175 /* ARGSUSED */
176 static void
177 gssauth_zone_fini(zoneid_t zoneid, void *unused)
178 {
179 	struct ga_cache_entry *p, *prev, *next;
180 	int i;
181 	time_t now;
182 
183 	rw_enter(&ga_cache_table_lock, RW_WRITER);
184 
185 	for (i = 0; i < GSSAUTH_TABLESIZE; i++) {
186 		prev = NULL;
187 		for (p = ga_cache_table[i]; p; p = next) {
188 			NOT_DEAD(p->next);
189 			next = p->next;
190 			NOT_DEAD(next);
191 			if (zoneid == ALL_ZONES) {	/* kmem callback */
192 				/*
193 				 * Free entries that have not been
194 				 * used for rpc_gss_cache_time seconds.
195 				 */
196 				now = gethrestime_sec();
197 				if ((p->ref_time + rpc_gss_cache_time >
198 				    now) || p->in_use) {
199 					if ((p->ref_time + rpc_gss_cache_time <=
200 					    now) && p->in_use) {
201 						RPCGSS_LOG0(2, "gssauth_cache_"
202 						    "reclaim: in_use\n");
203 					}
204 					prev = p;
205 					continue;
206 				}
207 			} else {
208 				if (p->zoneid != zoneid) {
209 					prev = p;
210 					continue;
211 				}
212 				ASSERT(!p->in_use);
213 			}
214 
215 			RPCGSS_LOG(2, "gssauth_cache_reclaim: destroy auth "
216 			    "%p\n", (void *)p->auth);
217 			rpc_gss_destroy(p->auth);
218 			kmem_cache_free(ga_cache_handle, (void *)p);
219 			if (prev == NULL) {
220 				ga_cache_table[i] = next;
221 			} else {
222 				NOT_DEAD(prev->next);
223 				prev->next = next;
224 			}
225 		}
226 	}
227 
228 	rw_exit(&ga_cache_table_lock);
229 
230 }
231 
232 /*
233  * Called by the kernel memory allocator when
234  * memory is low. Free unused cache entries.
235  * If that's not enough, the VM system will
236  * call again for some more.
237  */
238 /*ARGSUSED*/
239 static void
240 gssauth_cache_reclaim(void *cdrarg)
241 {
242 	gssauth_zone_fini(ALL_ZONES, NULL);
243 }
244 
245 #define	NOT_NULL(ptr)	ASSERT(ptr)
246 #define	IS_ALIGNED(ptr)	ASSERT((((intptr_t)(ptr)) & 3) == 0)
247 
248 /*
249  *  Get the client gss security service handle.
250  *  If it is in the cache table, get it, otherwise, create
251  *  a new one by calling rpc_gss_seccreate().
252  */
253 int
254 rpc_gss_secget(CLIENT *clnt,
255 	char	*principal,
256 	rpc_gss_OID	mechanism,
257 	rpc_gss_service_t service_type,
258 	uint_t	qop,
259 	rpc_gss_options_req_t *options_req,
260 	rpc_gss_options_ret_t *options_ret,
261 	void *cache_key,
262 	cred_t *cr,
263 	AUTH **retauth)
264 {
265 	struct ga_cache_entry **head, *current, *new, *prev;
266 	AUTH *auth = NULL;
267 	rpc_gss_data	*ap;
268 	rpc_gss_options_ret_t opt_ret;
269 	int status = 0;
270 	uid_t uid = crgetuid(cr);
271 	zoneid_t zoneid = getzoneid();
272 
273 	if (retauth == NULL)
274 		return (EINVAL);
275 	*retauth = NULL;
276 
277 	NOT_NULL(cr);
278 	IS_ALIGNED(cr);
279 #ifdef DEBUG
280 if (HASH(cache_key, uid) < 0) {
281 	prom_printf("cache_key %p, cr %p\n", cache_key, (void *)cr);
282 }
283 #endif
284 
285 	/*
286 	 *  Get a valid gss auth handle from the cache table.
287 	 *  If auth in cache is invalid and not in use, destroy it.
288 	 */
289 	prev = NULL;
290 	rw_enter(&ga_cache_table_lock, RW_WRITER);
291 
292 	ASSERT(HASH(cache_key, uid) >= 0);
293 	head = &ga_cache_table[HASH(cache_key, uid)];
294 	NOT_NULL(head);
295 	IS_ALIGNED(head);
296 
297 	for (current = *head; current; current = current->next) {
298 		NOT_NULL(current);
299 		IS_ALIGNED(current);
300 		if ((cache_key == current->cache_key) &&
301 			(uid == current->uid) && (zoneid == current->zoneid) &&
302 			!current->in_use) {
303 			current->in_use = TRUE;
304 			current->ref_time = gethrestime_sec();
305 			ap = AUTH_PRIVATE(current->auth);
306 			ap->clnt = clnt;
307 			ga_cache_hit++;
308 			if (ap->invalid ||
309 			    ((current->ctx_expired_time != GSS_C_INDEFINITE) &&
310 			    (gethrestime_sec() >=
311 			    current->ctx_expired_time))) {
312 			    RPCGSS_LOG0(1, "NOTICE: rpc_gss_secget: time to "
313 					"refresh the auth\n");
314 			    if (prev == NULL) {
315 				*head = current->next;
316 			    } else {
317 				prev->next = current->next;
318 			    }
319 			    rpc_gss_destroy(current->auth);
320 			    kmem_cache_free(ga_cache_handle, (void *) current);
321 			    auth = NULL;
322 			} else {
323 			    auth = current->auth;
324 			}
325 			break;
326 		} else {
327 			prev = current;
328 		}
329 	}
330 	rw_exit(&ga_cache_table_lock);
331 
332 	/*
333 	 *  If no valid gss auth handle can be found in the cache, create
334 	 *  a new one.
335 	 */
336 	if (!auth) {
337 		ga_cache_miss++;
338 		if (options_ret == NULL)
339 			options_ret = &opt_ret;
340 
341 		status = rpc_gss_seccreate(clnt, principal, mechanism,
342 			service_type, qop, options_req, options_ret, cr, &auth);
343 		if (status == 0) {
344 			RPCGSS_LOG(2, "rpc_gss_secget: new auth %p\n",
345 					(void *)auth);
346 			new = kmem_cache_alloc(ga_cache_handle, KM_NOSLEEP);
347 			IS_ALIGNED(new);
348 			NOT_DEAD(new);
349 			if (new) {
350 				new->cache_key = cache_key;
351 				new->uid = uid;
352 				new->zoneid = zoneid;
353 				new->in_use = TRUE;
354 				new->ref_time = gethrestime_sec();
355 				if (options_ret->time_ret != GSS_C_INDEFINITE) {
356 				    new->ctx_expired_time = new->ref_time +
357 					options_ret->time_ret;
358 				} else {
359 				    new->ctx_expired_time = GSS_C_INDEFINITE;
360 				}
361 				new->auth = auth;
362 				rw_enter(&ga_cache_table_lock, RW_WRITER);
363 				NOT_DEAD(*head);
364 				NOT_DEAD(new->next);
365 				new->next = *head;
366 				*head = new;
367 				rw_exit(&ga_cache_table_lock);
368 			}
369 			/* done with opt_ret */
370 			if (options_ret == &opt_ret) {
371 			    kgss_free_oid((gss_OID) opt_ret.actual_mechanism);
372 			}
373 		}
374 	}
375 
376 	*retauth = auth;
377 	return (status);
378 }
379 
380 
381 
382 /*
383  *  rpc_gss_secfree will destroy a rpcsec_gss context only if
384  *  the auth handle is not in the cache table.
385  */
386 void
387 rpc_gss_secfree(AUTH *auth)
388 {
389 	struct ga_cache_entry *next, *cur;
390 	int i;
391 
392 	/*
393 	 *  Check the cache table to find the auth.
394 	 *  Marked it unused.
395 	 */
396 	rw_enter(&ga_cache_table_lock, RW_WRITER);
397 	for (i = 0; i < GSSAUTH_TABLESIZE; i++) {
398 		for (cur = ga_cache_table[i]; cur; cur = next) {
399 			NOT_DEAD(cur);
400 			next = cur->next;
401 			NOT_DEAD(next);
402 			if (cur->auth == auth) {
403 				ASSERT(cur->in_use == TRUE);
404 				cur->in_use = FALSE;
405 				rw_exit(&ga_cache_table_lock);
406 				return;
407 			}
408 		}
409 	}
410 	rw_exit(&ga_cache_table_lock);
411 	RPCGSS_LOG(2, "rpc_gss_secfree: destroy auth %p\n", (void *)auth);
412 	rpc_gss_destroy(auth);
413 }
414 
415 
416 /*
417  *  Create a gss security service context.
418  */
419 int
420 rpc_gss_seccreate(CLIENT *clnt,
421 	char			*principal,	/* target service@server */
422 	rpc_gss_OID		mechanism,	/* security mechanism */
423 	rpc_gss_service_t	service_type,	/* security service */
424 	uint_t			qop,		/* requested QOP */
425 	rpc_gss_options_req_t	*options_req,	/* requested options */
426 	rpc_gss_options_ret_t	*options_ret,	/* returned options */
427 	cred_t			*cr,		/* client's unix cred */
428 	AUTH			**retauth)	/* auth handle */
429 {
430 	OM_uint32		gssstat;
431 	OM_uint32		minor_stat;
432 	gss_name_t		target_name;
433 	int			ret_flags;
434 	OM_uint32		time_rec;
435 	gss_buffer_desc		input_name;
436 	AUTH			*auth = NULL;
437 	rpc_gss_data		*ap = NULL;
438 	int			error;
439 
440 	/*
441 	 * convert name to GSS internal type
442 	 */
443 	input_name.value = principal;
444 	input_name.length = strlen(principal);
445 
446 	gssstat = gss_import_name(&minor_stat, &input_name,
447 	    (gss_OID)GSS_C_NT_HOSTBASED_SERVICE, &target_name);
448 
449 	if (gssstat != GSS_S_COMPLETE) {
450 		RPCGSS_LOG0(1,
451 		    "rpc_gss_seccreate: unable to import gss name\n");
452 		return (ENOMEM);
453 	}
454 
455 	/*
456 	 * Create AUTH handle.  Save the necessary interface information
457 	 * so that the client can refresh the handle later if needed.
458 	 */
459 	if ((auth = (AUTH *) kmem_alloc(sizeof (*auth), KM_SLEEP)) != NULL)
460 		ap = (rpc_gss_data *) kmem_alloc(sizeof (*ap), KM_SLEEP);
461 	if (auth == NULL || ap == NULL) {
462 		RPCGSS_LOG0(1, "rpc_gss_seccreate: out of memory\n");
463 		if (auth != NULL)
464 			kmem_free((char *)auth, sizeof (*auth));
465 		(void) gss_release_name(&minor_stat, &target_name);
466 		return (ENOMEM);
467 	}
468 
469 	bzero((char *)ap, sizeof (*ap));
470 	ap->clnt = clnt;
471 	ap->version = RPCSEC_GSS_VERSION;
472 	if (options_req != NULL) {
473 		ap->my_cred = options_req->my_cred;
474 		ap->req_flags = options_req->req_flags;
475 		ap->time_req = options_req->time_req;
476 		ap->icb = options_req->input_channel_bindings;
477 	} else {
478 		ap->my_cred = GSS_C_NO_CREDENTIAL;
479 		ap->req_flags = GSS_C_MUTUAL_FLAG;
480 		ap->time_req = 0;
481 		ap->icb = GSS_C_NO_CHANNEL_BINDINGS;
482 	}
483 	if ((ap->service = service_type) == rpc_gss_svc_default)
484 		ap->service = rpc_gss_svc_integrity;
485 	ap->qop = qop;
486 	ap->target_name = target_name;
487 
488 	/*
489 	 * Now invoke the real interface that sets up the context from
490 	 * the information stashed away in the private data.
491 	 */
492 	if (error = rpc_gss_seccreate_pvt(&gssstat, &minor_stat, auth, ap,
493 	    mechanism, &ap->mech_type, &ret_flags, &time_rec, cr, 0)) {
494 		if (ap->target_name) {
495 			(void) gss_release_name(&minor_stat, &ap->target_name);
496 		}
497 		kmem_free((char *)ap, sizeof (*ap));
498 		kmem_free((char *)auth, sizeof (*auth));
499 		RPCGSS_LOG(1, "rpc_gss_seccreate: init context failed"
500 		    " errno=%d\n", error);
501 		return (error);
502 	}
503 
504 	/*
505 	 * Make sure that the requested service is supported.  In all
506 	 * cases, integrity service must be available.
507 	 */
508 	if ((ap->service == rpc_gss_svc_privacy &&
509 	    !(ret_flags & GSS_C_CONF_FLAG)) ||
510 	    !(ret_flags & GSS_C_INTEG_FLAG)) {
511 		rpc_gss_destroy(auth);
512 		RPCGSS_LOG0(1, "rpc_gss_seccreate: service not supported\n");
513 		return (EPROTONOSUPPORT);
514 	}
515 
516 	/*
517 	 * return option values if requested
518 	 */
519 	if (options_ret != NULL) {
520 		options_ret->major_status = gssstat;
521 		options_ret->minor_status = minor_stat;
522 		options_ret->rpcsec_version = ap->version;
523 		options_ret->ret_flags = ret_flags;
524 		options_ret->time_ret = time_rec;
525 		options_ret->gss_context = ap->context;
526 		/*
527 		 *  Caller's responsibility to free this.
528 		 */
529 		NOT_NULL(ap->mech_type);
530 		__rpc_gss_dup_oid(ap->mech_type,
531 		    (gss_OID *)&options_ret->actual_mechanism);
532 	}
533 
534 	*retauth = auth;
535 	return (0);
536 }
537 
538 /*
539  * Private interface to create a context.  This is the interface
540  * that's invoked when the context has to be refreshed.
541  */
542 static int
543 rpc_gss_seccreate_pvt(gssstat, minor_stat, auth, ap, desired_mech_type,
544 			actual_mech_type, ret_flags, time_rec, cr, isrefresh)
545 	OM_uint32		*gssstat;
546 	OM_uint32		*minor_stat;
547 	AUTH			*auth;
548 	rpc_gss_data		*ap;
549 	gss_OID			desired_mech_type;
550 	gss_OID			*actual_mech_type;
551 	int			*ret_flags;
552 	OM_uint32		*time_rec;
553 	cred_t			*cr;
554 	int			isrefresh;
555 {
556 	CLIENT			*clnt = ap->clnt;
557 	AUTH			*save_auth;
558 	enum clnt_stat		callstat;
559 	rpc_gss_init_arg	call_arg;
560 	rpc_gss_init_res	call_res;
561 	gss_buffer_desc		*input_token_p, input_token, process_token;
562 	int 			free_results = 0;
563 	k_sigset_t		smask;
564 	int			error = 0;
565 
566 	/*
567 	 * (re)initialize AUTH handle and private data.
568 	 */
569 	bzero((char *)auth, sizeof (*auth));
570 	auth->ah_ops = &rpc_gss_ops;
571 	auth->ah_private = (caddr_t)ap;
572 	auth->ah_cred.oa_flavor = RPCSEC_GSS;
573 
574 	ap->established = FALSE;
575 	ap->ctx_handle.length = 0;
576 	ap->ctx_handle.value = NULL;
577 	ap->context = NULL;
578 	ap->seq_num = 0;
579 	ap->gss_proc = RPCSEC_GSS_INIT;
580 
581 	/*
582 	 * should not change clnt->cl_auth at this time, so save
583 	 * old handle
584 	 */
585 	save_auth = clnt->cl_auth;
586 	clnt->cl_auth = auth;
587 
588 	/*
589 	 * set state for starting context setup
590 	 */
591 	bzero((char *)&call_arg, sizeof (call_arg));
592 	input_token_p = GSS_C_NO_BUFFER;
593 
594 next_token:
595 	*gssstat = kgss_init_sec_context(minor_stat,
596 					ap->my_cred,
597 					&ap->context,
598 					ap->target_name,
599 					desired_mech_type,
600 					ap->req_flags,
601 					ap->time_req,
602 					NULL,
603 					input_token_p,
604 					actual_mech_type,
605 					&call_arg,
606 					ret_flags,
607 					time_rec,
608 					crgetuid(cr));
609 
610 	if (input_token_p != GSS_C_NO_BUFFER) {
611 		OM_uint32 minor_stat2;
612 
613 		(void) gss_release_buffer(&minor_stat2, input_token_p);
614 		input_token_p = GSS_C_NO_BUFFER;
615 	}
616 
617 	if (*gssstat != GSS_S_COMPLETE && *gssstat != GSS_S_CONTINUE_NEEDED) {
618 		rpc_gss_display_status(*gssstat, *minor_stat,
619 			desired_mech_type, crgetuid(cr),
620 			"rpcsec_gss_secreate_pvt:gss_init_sec_context");
621 		error = EACCES;
622 		goto cleanup;
623 	}
624 
625 	/*
626 	 * if we got a token, pass it on
627 	 */
628 	if (call_arg.length != 0) {
629 		struct timeval timeout = {30, 0};
630 		int	 rpcsec_retry = isrefresh ?
631 			RPCSEC_GSS_REFRESH_ATTEMPTS : 1;
632 		uint32_t oldxid;
633 		uint32_t zeroxid = 0;
634 
635 		bzero((char *)&call_res, sizeof (call_res));
636 
637 		(void) CLNT_CONTROL(clnt, CLGET_XID, (char *)&oldxid);
638 		(void) CLNT_CONTROL(clnt, CLSET_XID, (char *)&zeroxid);
639 
640 
641 		while (rpcsec_retry > 0) {
642 			struct rpc_err rpcerr;
643 
644 			sigintr(&smask, INTERRUPT_OK);
645 
646 			callstat = clnt_call(clnt, NULLPROC,
647 				__xdr_rpc_gss_init_arg, (caddr_t)&call_arg,
648 				__xdr_rpc_gss_init_res, (caddr_t)&call_res,
649 				timeout);
650 
651 			sigunintr(&smask);
652 
653 			if (callstat == RPC_SUCCESS) {
654 				error = 0;
655 				if (isrefresh &&
656 				    call_res.gss_major == GSS_S_FAILURE) {
657 
658 					clock_t one_sec = drv_usectohz(1000000);
659 
660 					rpcsec_retry--;
661 
662 					/*
663 					 * Pause a little and try again.
664 					 */
665 
666 					if (clnt->cl_nosignal == TRUE) {
667 						delay(one_sec);
668 					} else {
669 						if (delay_sig(one_sec)) {
670 							error = EINTR;
671 							break;
672 						}
673 					}
674 					continue;
675 				}
676 				break;
677 			}
678 
679 			if (callstat == RPC_TIMEDOUT) {
680 				error = ETIMEDOUT;
681 				break;
682 			}
683 
684 			if (callstat == RPC_XPRTFAILED) {
685 				error = ECONNRESET;
686 				break;
687 			}
688 
689 			if (callstat == RPC_INTR) {
690 				error = EINTR;
691 				break;
692 			}
693 
694 			if (callstat == RPC_INPROGRESS) {
695 				continue;
696 			}
697 
698 			clnt_geterr(clnt, &rpcerr);
699 			error = rpcerr.re_errno;
700 			break;
701 		}
702 
703 		(void) CLNT_CONTROL(clnt, CLSET_XID, (char *)&oldxid);
704 
705 		(void) gss_release_buffer(minor_stat, &call_arg);
706 
707 		if (callstat != RPC_SUCCESS) {
708 			RPCGSS_LOG(1,
709 			    "rpc_gss_seccreate_pvt: clnt_call failed %d\n",
710 			    callstat);
711 			goto cleanup;
712 		}
713 
714 		/*
715 		 * we have results - note that these need to be freed
716 		 */
717 		free_results = 1;
718 
719 		if ((call_res.gss_major != GSS_S_COMPLETE) &&
720 		    (call_res.gss_major != GSS_S_CONTINUE_NEEDED)) {
721 			RPCGSS_LOG1(1, "rpc_gss_seccreate_pvt: "
722 				"call_res gss_major %x, gss_minor %x\n",
723 				call_res.gss_major, call_res.gss_minor);
724 			error = EACCES;
725 			goto cleanup;
726 		}
727 
728 		ap->gss_proc = RPCSEC_GSS_CONTINUE_INIT;
729 
730 		/*
731 		 * check for ctx_handle
732 		 */
733 		if (ap->ctx_handle.length == 0) {
734 			if (call_res.ctx_handle.length == 0) {
735 				RPCGSS_LOG0(1, "rpc_gss_seccreate_pvt: zero "
736 					"length handle in response\n");
737 				error = EACCES;
738 				goto cleanup;
739 			}
740 			GSS_DUP_BUFFER(ap->ctx_handle,
741 					call_res.ctx_handle);
742 		} else if (!GSS_BUFFERS_EQUAL(ap->ctx_handle,
743 						call_res.ctx_handle)) {
744 			RPCGSS_LOG0(1,
745 			"rpc_gss_seccreate_pvt: ctx_handle not the same\n");
746 			error = EACCES;
747 			goto cleanup;
748 		}
749 
750 		/*
751 		 * check for token
752 		 */
753 		if (call_res.token.length != 0) {
754 			if (*gssstat == GSS_S_COMPLETE) {
755 				RPCGSS_LOG0(1, "rpc_gss_seccreate_pvt: non "
756 					"zero length token in response, but "
757 					"gsstat == GSS_S_COMPLETE\n");
758 				error = EACCES;
759 				goto cleanup;
760 			}
761 			GSS_DUP_BUFFER(input_token, call_res.token);
762 			input_token_p = &input_token;
763 
764 		} else if (*gssstat != GSS_S_COMPLETE) {
765 			RPCGSS_LOG0(1, "rpc_gss_seccreate_pvt:zero length "
766 				"token in response, but "
767 				"gsstat != GSS_S_COMPLETE\n");
768 			error = EACCES;
769 			goto cleanup;
770 		}
771 
772 		/* save the sequence window value; validate later */
773 		ap->seq_window = call_res.seq_window;
774 		xdr_free(__xdr_rpc_gss_init_res, (caddr_t)&call_res);
775 		free_results = 0;
776 	}
777 
778 	/*
779 	 * results were okay.. continue if necessary
780 	 */
781 	if (*gssstat == GSS_S_CONTINUE_NEEDED) {
782 		goto next_token;
783 	}
784 
785 	/*
786 	 * Context is established. Now use kgss_export_sec_context and
787 	 * kgss_import_sec_context to transfer the context from the user
788 	 * land to kernel if the mechanism specific kernel module is
789 	 * available.
790 	 */
791 	*gssstat  = kgss_export_sec_context(minor_stat, ap->context,
792 						&process_token);
793 	if (*gssstat == GSS_S_NAME_NOT_MN) {
794 		RPCGSS_LOG(2, "rpc_gss_seccreate_pvt: export_sec_context "
795 			"Kernel Module unavailable  gssstat = 0x%x\n",
796 			*gssstat);
797 		goto done;
798 	} else if (*gssstat != GSS_S_COMPLETE) {
799 		(void) rpc_gss_display_status(*gssstat, *minor_stat,
800 			isrefresh ? GSS_C_NULL_OID : *actual_mech_type,
801 					crgetuid(cr),
802 			"rpcsec_gss_secreate_pvt:gss_export_sec_context");
803 		(void) kgss_delete_sec_context(minor_stat,
804 					&ap->context, NULL);
805 		error = EACCES;
806 		goto cleanup;
807 	} else if (process_token.length == 0) {
808 		RPCGSS_LOG0(1, "rpc_gss_seccreate_pvt:zero length "
809 				"token in response for export_sec_context, but "
810 				"gsstat == GSS_S_COMPLETE\n");
811 		(void) kgss_delete_sec_context(minor_stat,
812 					&ap->context, NULL);
813 		error = EACCES;
814 		goto cleanup;
815 	} else
816 		*gssstat = kgss_import_sec_context(minor_stat, &process_token,
817 							ap->context);
818 
819 	if (*gssstat == GSS_S_COMPLETE) {
820 		(void) gss_release_buffer(minor_stat, &process_token);
821 	} else {
822 		rpc_gss_display_status(*gssstat, *minor_stat,
823 			desired_mech_type, crgetuid(cr),
824 			"rpcsec_gss_secreate_pvt:gss_import_sec_context");
825 		(void) kgss_delete_sec_context(minor_stat,
826 					&ap->context, NULL);
827 		(void) gss_release_buffer(minor_stat, &process_token);
828 		error = EACCES;
829 		goto cleanup;
830 	}
831 
832 done:
833 	/*
834 	 * Validate the sequence window - RFC 2203 section 5.2.3.1
835 	 */
836 	if (!validate_seqwin(ap)) {
837 		error = EACCES;
838 		goto cleanup;
839 	}
840 
841 	/*
842 	 * Done!  Security context creation is successful.
843 	 * Ready for exchanging data.
844 	 */
845 	ap->established = TRUE;
846 	ap->seq_num = 1;
847 	ap->gss_proc = RPCSEC_GSS_DATA;
848 	ap->invalid = FALSE;
849 
850 	clnt->cl_auth = save_auth;	/* restore cl_auth */
851 
852 	return (0);
853 
854 cleanup:
855 	if (free_results)
856 		xdr_free(__xdr_rpc_gss_init_res, (caddr_t)&call_res);
857 	clnt->cl_auth = save_auth;	/* restore cl_auth */
858 
859 	/*
860 	 * If need to retry for AUTH_REFRESH, do not cleanup the
861 	 * auth private data.
862 	 */
863 	if (isrefresh && (error == ETIMEDOUT || error == ECONNRESET)) {
864 		return (error);
865 	}
866 
867 	if (ap->context != NULL) {
868 		rpc_gss_free_pvt(auth);
869 	}
870 
871 	return (error? error : EACCES);
872 }
873 
874 /*
875  * Marshall credentials.
876  */
877 static bool_t
878 marshall_creds(ap, xdrs, cred_buf_len)
879 	rpc_gss_data		*ap;
880 	XDR			*xdrs;
881 	uint_t			cred_buf_len;
882 {
883 	rpc_gss_creds		ag_creds;
884 	char			*cred_buf;
885 	struct opaque_auth	creds;
886 	XDR			cred_xdrs;
887 
888 	ag_creds.version = ap->version;
889 	ag_creds.gss_proc = ap->gss_proc;
890 	ag_creds.seq_num = ap->seq_num;
891 	ag_creds.service = ap->service;
892 
893 	/*
894 	 * If context has not been set up yet, use NULL handle.
895 	 */
896 	if (ap->ctx_handle.length > 0)
897 		ag_creds.ctx_handle = ap->ctx_handle;
898 	else {
899 		ag_creds.ctx_handle.length = 0;
900 		ag_creds.ctx_handle.value = NULL;
901 	}
902 
903 	cred_buf = kmem_alloc(cred_buf_len, KM_SLEEP);
904 	xdrmem_create(&cred_xdrs, (caddr_t)cred_buf, cred_buf_len,
905 								XDR_ENCODE);
906 	if (!__xdr_rpc_gss_creds(&cred_xdrs, &ag_creds)) {
907 		kmem_free(cred_buf, MAX_AUTH_BYTES);
908 		XDR_DESTROY(&cred_xdrs);
909 		return (FALSE);
910 	}
911 
912 	creds.oa_flavor = RPCSEC_GSS;
913 	creds.oa_base = cred_buf;
914 	creds.oa_length = xdr_getpos(&cred_xdrs);
915 	XDR_DESTROY(&cred_xdrs);
916 
917 	if (!xdr_opaque_auth(xdrs, &creds)) {
918 		kmem_free(cred_buf, cred_buf_len);
919 		return (FALSE);
920 	}
921 
922 	kmem_free(cred_buf, cred_buf_len);
923 	return (TRUE);
924 }
925 
926 /*
927  * Marshall verifier.  The verifier is the checksum of the RPC header
928  * up to and including the credential field.  The XDR handle that's
929  * passed in has the header up to and including the credential field
930  * encoded.  A pointer to the transmit buffer is also passed in.
931  */
932 static bool_t
933 marshall_verf(ap, xdrs, buf)
934 	rpc_gss_data		*ap;
935 	XDR			*xdrs;	/* send XDR */
936 	char			*buf;	/* pointer of send buffer */
937 {
938 	struct opaque_auth	verf;
939 	OM_uint32		major, minor;
940 	gss_buffer_desc		in_buf, out_buf;
941 	bool_t			ret = FALSE;
942 
943 	/*
944 	 * If context is not established yet, use NULL verifier.
945 	 */
946 	if (!ap->established) {
947 		verf.oa_flavor = AUTH_NONE;
948 		verf.oa_base = NULL;
949 		verf.oa_length = 0;
950 		return (xdr_opaque_auth(xdrs, &verf));
951 	}
952 
953 	verf.oa_flavor = RPCSEC_GSS;
954 	in_buf.length = xdr_getpos(xdrs);
955 	in_buf.value = buf;
956 	if ((major = kgss_sign(&minor, ap->context, ap->qop, &in_buf,
957 				&out_buf)) != GSS_S_COMPLETE) {
958 		if (major == GSS_S_CONTEXT_EXPIRED) {
959 			ap->invalid = TRUE;
960 		}
961 		RPCGSS_LOG1(1,
962 		    "marshall_verf: kgss_sign failed GSS Major %x Minor %x\n",
963 		    major, minor);
964 		return (FALSE);
965 	}
966 	verf.oa_base = out_buf.value;
967 	verf.oa_length = out_buf.length;
968 	ret = xdr_opaque_auth(xdrs, &verf);
969 	(void) gss_release_buffer(&minor, &out_buf);
970 
971 	return (ret);
972 }
973 
974 /*
975  * Validate sequence window upon a successful RPCSEC_GSS INIT session.
976  * The sequence window sent back by the server should be verifiable by
977  * the verifier which is a checksum of the sequence window.
978  */
979 static bool_t
980 validate_seqwin(rpc_gss_data *ap)
981 {
982 	uint_t			seq_win_net;
983 	OM_uint32		major = 0, minor = 0;
984 	gss_buffer_desc		msg_buf, tok_buf;
985 	int			qop_state = 0;
986 
987 	ASSERT(ap->verifier);
988 	ASSERT(ap->context);
989 	seq_win_net = (uint_t)htonl(ap->seq_window);
990 	msg_buf.length = sizeof (seq_win_net);
991 	msg_buf.value = (char *)&seq_win_net;
992 	tok_buf.length = ap->verifier->oa_length;
993 	tok_buf.value = ap->verifier->oa_base;
994 	major = kgss_verify(&minor, ap->context, &msg_buf, &tok_buf,
995 	    &qop_state);
996 
997 	if (major != GSS_S_COMPLETE) {
998 		RPCGSS_LOG1(1,
999 		    "validate_seqwin: kgss_verify failed GSS Major "
1000 		    "%x Minor %x\n", major, minor);
1001 		RPCGSS_LOG1(1, "seq_window %d, verf len %d ", ap->seq_window,
1002 		    ap->verifier->oa_length);
1003 		return (FALSE);
1004 	}
1005 	return (TRUE);
1006 }
1007 
1008 /*
1009  * Validate RPC response verifier from server.  The response verifier
1010  * is the checksum of the request sequence number.
1011  */
1012 static bool_t
1013 rpc_gss_validate(auth, verf)
1014 	AUTH			*auth;
1015 	struct opaque_auth	*verf;
1016 {
1017 	rpc_gss_data		*ap = AUTH_PRIVATE(auth);
1018 	uint_t			seq_num_net;
1019 	OM_uint32		major, minor;
1020 	gss_buffer_desc		msg_buf, tok_buf;
1021 	int			qop_state;
1022 
1023 	/*
1024 	 * If context is not established yet, save the verifier for
1025 	 * validating the sequence window later at the end of context
1026 	 * creation session.
1027 	 */
1028 	if (!ap->established) {
1029 	    if (ap->verifier == NULL) {
1030 		ap->verifier = kmem_zalloc(sizeof (struct opaque_auth),
1031 						KM_SLEEP);
1032 		if (verf->oa_length > 0)
1033 		    ap->verifier->oa_base = kmem_zalloc(verf->oa_length,
1034 						KM_SLEEP);
1035 	    } else {
1036 		if (ap->verifier->oa_length > 0)
1037 		    kmem_free(ap->verifier->oa_base, ap->verifier->oa_length);
1038 		if (verf->oa_length > 0)
1039 		    ap->verifier->oa_base = kmem_zalloc(verf->oa_length,
1040 						KM_SLEEP);
1041 	    }
1042 	    ap->verifier->oa_length = verf->oa_length;
1043 	    bcopy(verf->oa_base, ap->verifier->oa_base, verf->oa_length);
1044 	    return (TRUE);
1045 	}
1046 
1047 	seq_num_net = (uint_t)htonl(ap->seq_num);
1048 	msg_buf.length = sizeof (seq_num_net);
1049 	msg_buf.value = (char *)&seq_num_net;
1050 	tok_buf.length = verf->oa_length;
1051 	tok_buf.value = verf->oa_base;
1052 	major = kgss_verify(&minor, ap->context, &msg_buf, &tok_buf,
1053 				&qop_state);
1054 	if (major != GSS_S_COMPLETE) {
1055 		RPCGSS_LOG1(1,
1056 		"rpc_gss_validate: kgss_verify failed GSS Major %x Minor %x\n",
1057 		major, minor);
1058 		return (FALSE);
1059 	}
1060 	return (TRUE);
1061 }
1062 
1063 /*
1064  * Refresh client context.  This is necessary sometimes because the
1065  * server will ocassionally destroy contexts based on LRU method, or
1066  * because of expired credentials.
1067  */
1068 static bool_t
1069 rpc_gss_refresh(auth, msg, cr)
1070 	AUTH		*auth;
1071 	struct rpc_msg	*msg;
1072 	cred_t		*cr;
1073 {
1074 	rpc_gss_data	*ap = AUTH_PRIVATE(auth);
1075 	gss_ctx_id_t	ctx_sav = NULL;
1076 	gss_buffer_desc	ctx_hdle_sav = {0, NULL};
1077 	uint_t		sn_sav, proc_sav;
1078 	bool_t		est_sav;
1079 	OM_uint32	gssstat, minor_stat;
1080 	int error;
1081 
1082 	/*
1083 	 * The context needs to be recreated only when the error status
1084 	 * returned from the server is one of the following:
1085 	 *	RPCSEC_GSS_NOCRED and RPCSEC_GSS_FAILED
1086 	 * The existing context should not be destroyed unless the above
1087 	 * error status codes are received or if the context has not
1088 	 * been set up.
1089 	 */
1090 
1091 	if (msg->rjcted_rply.rj_why == RPCSEC_GSS_NOCRED ||
1092 			msg->rjcted_rply.rj_why == RPCSEC_GSS_FAILED ||
1093 							!ap->established) {
1094 		/*
1095 		 * Destroy the context if necessary.  Use the same memory
1096 		 * for the new context since we've already passed a pointer
1097 		 * to it to the user.
1098 		 */
1099 		if (ap->context != NULL) {
1100 			ctx_sav = ap->context;
1101 			ap->context = NULL;
1102 		}
1103 		if (ap->ctx_handle.length != 0) {
1104 			ctx_hdle_sav.length = ap->ctx_handle.length;
1105 			ctx_hdle_sav.value = ap->ctx_handle.value;
1106 			ap->ctx_handle.length = 0;
1107 			ap->ctx_handle.value = NULL;
1108 		}
1109 
1110 		/*
1111 		 * If the context was not already established, don't try to
1112 		 * recreate it.
1113 		 */
1114 		if (!ap->established) {
1115 			ap->invalid = TRUE;
1116 			RPCGSS_LOG0(1,
1117 			"rpc_gss_refresh: context was not established\n");
1118 			error = EINVAL;
1119 			goto out;
1120 		}
1121 
1122 		est_sav = ap->established;
1123 		sn_sav = ap->seq_num;
1124 		proc_sav = ap->gss_proc;
1125 
1126 		/*
1127 		 * Recreate context.
1128 		 */
1129 		error = rpc_gss_seccreate_pvt(&gssstat, &minor_stat, auth,
1130 				ap, ap->mech_type, (gss_OID *)NULL, (int *)NULL,
1131 				(OM_uint32 *)NULL, cr, 1);
1132 
1133 		switch (error) {
1134 		case 0:
1135 			RPCGSS_LOG(1,
1136 			"rpc_gss_refresh: auth %p refreshed\n", (void *)auth);
1137 			goto out;
1138 
1139 		case ETIMEDOUT:
1140 		case ECONNRESET:
1141 			RPCGSS_LOG0(1, "rpc_gss_refresh: try again\n");
1142 
1143 			if (ap->context != NULL) {
1144 			    (void) kgss_delete_sec_context(&minor_stat,
1145 					&ap->context, NULL);
1146 			}
1147 			if (ap->ctx_handle.length != 0) {
1148 			    (void) gss_release_buffer(&minor_stat,
1149 					&ap->ctx_handle);
1150 			}
1151 
1152 			/*
1153 			 * Restore the original value for the caller to
1154 			 * try again later.
1155 			 */
1156 			ap->context = ctx_sav;
1157 			ap->ctx_handle.length = ctx_hdle_sav.length;
1158 			ap->ctx_handle.value = ctx_hdle_sav.value;
1159 			ap->established = est_sav;
1160 			ap->seq_num = sn_sav;
1161 			ap->gss_proc = proc_sav;
1162 
1163 			return (FALSE);
1164 
1165 		default:
1166 			ap->invalid = TRUE;
1167 			RPCGSS_LOG(1, "rpc_gss_refresh: can't refresh this "
1168 				"auth, error=%d\n", error);
1169 			goto out;
1170 		}
1171 	}
1172 	RPCGSS_LOG0(1, "rpc_gss_refresh: don't refresh");
1173 	return (FALSE);
1174 
1175 out:
1176 	if (ctx_sav != NULL) {
1177 		(void) kgss_delete_sec_context(&minor_stat,
1178 				&ctx_sav, NULL);
1179 	}
1180 	if (ctx_hdle_sav.length != 0) {
1181 		(void) gss_release_buffer(&minor_stat, &ctx_hdle_sav);
1182 	}
1183 
1184 	return (error == 0);
1185 }
1186 
1187 /*
1188  * Destroy a context.
1189  */
1190 static void
1191 rpc_gss_destroy(auth)
1192 	AUTH		*auth;
1193 {
1194 	rpc_gss_data	*ap = AUTH_PRIVATE(auth);
1195 
1196 	/*
1197 	 *  XXX Currently, we do not ping the server (rpc_gss_destroy_pvt)
1198 	 *  to destroy the context in the server cache.
1199 	 *  We assume there is a good LRU/aging mechanism for the
1200 	 *  context cache on the server side.
1201 	 */
1202 	rpc_gss_free_pvt(auth);
1203 	kmem_free((char *)ap, sizeof (*ap));
1204 	kmem_free(auth, sizeof (*auth));
1205 }
1206 
1207 /*
1208  * Private interface to free memory allocated in the rpcsec_gss private
1209  * data structure (rpc_gss_data).
1210  */
1211 static void
1212 rpc_gss_free_pvt(auth)
1213 	AUTH		*auth;
1214 {
1215 	OM_uint32	minor_stat;
1216 	rpc_gss_data	*ap = AUTH_PRIVATE(auth);
1217 
1218 	if (ap->ctx_handle.length != 0) {
1219 		(void) gss_release_buffer(&minor_stat, &ap->ctx_handle);
1220 		ap->ctx_handle.length = 0;
1221 		ap->ctx_handle.value = NULL;
1222 	}
1223 
1224 	/*
1225 	 * Destroy local GSS context.
1226 	 */
1227 	if (ap->context != NULL) {
1228 		(void) kgss_delete_sec_context(&minor_stat, &ap->context, NULL);
1229 		ap->context = NULL;
1230 	}
1231 
1232 	/*
1233 	 * Looks like we need to release default credentials if we use it.
1234 	 * Non-default creds need to be released by user.
1235 	 */
1236 	if (ap->my_cred == GSS_C_NO_CREDENTIAL)
1237 		(void) kgss_release_cred(&minor_stat, &ap->my_cred,
1238 					crgetuid(CRED()));
1239 
1240 	/*
1241 	 * Release any internal name structures.
1242 	 */
1243 	if (ap->target_name != NULL) {
1244 		(void) gss_release_name(&minor_stat, &ap->target_name);
1245 		ap->target_name = NULL;
1246 	}
1247 
1248 	/*
1249 	 * Free mech_type oid structure.
1250 	 */
1251 	if (ap->mech_type != NULL) {
1252 		kgss_free_oid(ap->mech_type);
1253 		ap->mech_type = NULL;
1254 	}
1255 
1256 	/*
1257 	 * Free the verifier saved for sequence window checking.
1258 	 */
1259 	if (ap->verifier != NULL) {
1260 	    if (ap->verifier->oa_length > 0) {
1261 		kmem_free(ap->verifier->oa_base, ap->verifier->oa_length);
1262 	    }
1263 	    kmem_free(ap->verifier, sizeof (struct opaque_auth));
1264 	    ap->verifier = NULL;
1265 	}
1266 }
1267 
1268 #if 0
1269 /*
1270  * XXX this function is not used right now.
1271  * There is a client handle issue needs to be resolved.
1272  *
1273  * This is a private interface which will destroy a context
1274  * without freeing up the memory used by it.  We need to do this when
1275  * a refresh fails, for example, so the user will still have a handle.
1276  */
1277 static void
1278 rpc_gss_destroy_pvt(auth)
1279 	AUTH		*auth;
1280 {
1281 	struct timeval	timeout;
1282 	rpc_gss_data	*ap = AUTH_PRIVATE(auth);
1283 
1284 	/*
1285 	 * If we have a server context id, inform server that we are
1286 	 * destroying the context.
1287 	 */
1288 	if (ap->ctx_handle.length != 0) {
1289 		uint32_t oldxid;
1290 		uint32_t zeroxid = 0;
1291 
1292 		ap->gss_proc = RPCSEC_GSS_DESTROY;
1293 		timeout.tv_sec = 10;
1294 		timeout.tv_usec = 0;
1295 		(void) CLNT_CONTROL(ap->clnt, CLGET_XID, (char *)&oldxid);
1296 		(void) CLNT_CONTROL(ap->clnt, CLSET_XID, (char *)&zeroxid);
1297 		(void) clnt_call(ap->clnt, NULLPROC, xdr_void, NULL,
1298 						xdr_void, NULL, timeout);
1299 		(void) CLNT_CONTROL(ap->clnt, CLSET_XID, (char *)&oldxid);
1300 	}
1301 
1302 	rpc_gss_free_pvt(auth);
1303 }
1304 #endif
1305 
1306 /*
1307  * Wrap client side data.  The encoded header is passed in through
1308  * buf and buflen.  The header is up to but not including the
1309  * credential field.
1310  */
1311 bool_t
1312 rpc_gss_wrap(auth, buf, buflen, out_xdrs, xdr_func, xdr_ptr)
1313 	AUTH			*auth;
1314 	char			*buf;		/* encoded header */
1315 /* has been changed to u_int in the user land */
1316 	uint_t			buflen;		/* encoded header length */
1317 	XDR			*out_xdrs;
1318 	xdrproc_t		xdr_func;
1319 	caddr_t			xdr_ptr;
1320 {
1321 	rpc_gss_data		*ap = AUTH_PRIVATE(auth);
1322 	XDR			xdrs;
1323 	char			*tmp_buf;
1324 	uint_t			xdr_buf_len, cred_buf_len;
1325 
1326 /*
1327  *  Here is how MAX_SIGNED_LEN is estimated.
1328  *  Signing a 48 bytes buffer using des_cbc_md5 would end up with
1329  *  a buffer length 33 (padded data + 16 bytes of seq_num/checksum).
1330  *  Current known max seq_num/checksum size is 24 bytes.
1331  *  88 is derived from RNDUP(33+(24-16)) * 2.
1332  */
1333 #define	MAX_SIGNED_LEN	88
1334 
1335 	/*
1336 	 * Reject an invalid context.
1337 	 */
1338 	if (ap->invalid) {
1339 		RPCGSS_LOG0(1, "rpc_gss_wrap: reject an invalid context\n");
1340 		return (FALSE);
1341 	}
1342 
1343 	/*
1344 	 * If context is established, bump up sequence number.
1345 	 */
1346 	if (ap->established)
1347 		ap->seq_num++;
1348 
1349 	/*
1350 	 * Create the header in a temporary XDR context and buffer
1351 	 * before putting it out.
1352 	 */
1353 	cred_buf_len = RNDUP(sizeof (ap->version) + sizeof (ap->gss_proc) +
1354 			sizeof (ap->seq_num) + sizeof (ap->service) +
1355 			sizeof (ap->ctx_handle) + ap->ctx_handle.length);
1356 
1357 	xdr_buf_len = buflen + cred_buf_len + sizeof (struct opaque_auth) +
1358 			MAX_SIGNED_LEN;
1359 	tmp_buf = kmem_alloc(xdr_buf_len, KM_SLEEP);
1360 	xdrmem_create(&xdrs, tmp_buf, xdr_buf_len, XDR_ENCODE);
1361 	if (!XDR_PUTBYTES(&xdrs, buf, buflen)) {
1362 		kmem_free(tmp_buf, xdr_buf_len);
1363 		RPCGSS_LOG0(1, "rpc_gss_wrap: xdr putbytes failed\n");
1364 		return (FALSE);
1365 	}
1366 
1367 	/*
1368 	 * create cred field
1369 	 */
1370 	if (!marshall_creds(ap, &xdrs, cred_buf_len)) {
1371 		kmem_free(tmp_buf, xdr_buf_len);
1372 		RPCGSS_LOG0(1, "rpc_gss_wrap: marshall_creds failed\n");
1373 		return (FALSE);
1374 	}
1375 
1376 	/*
1377 	 * create verifier
1378 	 */
1379 	if (!marshall_verf(ap, &xdrs, tmp_buf)) {
1380 		kmem_free(tmp_buf, xdr_buf_len);
1381 		RPCGSS_LOG0(1, "rpc_gss_wrap: marshall_verf failed\n");
1382 		return (FALSE);
1383 	}
1384 
1385 	/*
1386 	 * write out header and destroy temp structures
1387 	 */
1388 	if (!XDR_PUTBYTES(out_xdrs, tmp_buf, XDR_GETPOS(&xdrs))) {
1389 		kmem_free(tmp_buf, xdr_buf_len);
1390 		RPCGSS_LOG0(1, "rpc_gss_wrap: write out header failed\n");
1391 		return (FALSE);
1392 	}
1393 	XDR_DESTROY(&xdrs);
1394 	kmem_free(tmp_buf, xdr_buf_len);
1395 
1396 	/*
1397 	 * If context is not established, or if neither integrity
1398 	 * nor privacy is used, just XDR encode data.
1399 	 */
1400 	if (!ap->established || ap->service == rpc_gss_svc_none) {
1401 		return ((*xdr_func)(out_xdrs, xdr_ptr));
1402 	}
1403 
1404 	return (__rpc_gss_wrap_data(ap->service, ap->qop, ap->context,
1405 				ap->seq_num, out_xdrs, xdr_func, xdr_ptr));
1406 }
1407 
1408 /*
1409  * Unwrap received data.
1410  */
1411 bool_t
1412 rpc_gss_unwrap(auth, in_xdrs, xdr_func, xdr_ptr)
1413 	AUTH			*auth;
1414 	XDR			*in_xdrs;
1415 	bool_t			(*xdr_func)();
1416 	caddr_t			xdr_ptr;
1417 {
1418 	rpc_gss_data		*ap = AUTH_PRIVATE(auth);
1419 
1420 	/*
1421 	 * If context is not established, of if neither integrity
1422 	 * nor privacy is used, just XDR encode data.
1423 	 */
1424 	if (!ap->established || ap->service == rpc_gss_svc_none)
1425 		return ((*xdr_func)(in_xdrs, xdr_ptr));
1426 
1427 	return (__rpc_gss_unwrap_data(ap->service,
1428 				ap->context,
1429 				ap->seq_num,
1430 				ap->qop,
1431 				in_xdrs, xdr_func, xdr_ptr));
1432 }
1433 
1434 /*
1435  *  Revoke an GSSAPI based security credentials
1436  *  from the cache table.
1437  */
1438 int
1439 rpc_gss_revauth(uid_t uid, rpc_gss_OID mech)
1440 {
1441 	struct ga_cache_entry *next, *prev, *cur;
1442 	rpc_gss_data *ap;
1443 	zoneid_t zoneid = getzoneid();
1444 	int i;
1445 
1446 	/*
1447 	 *  Check the cache table against the uid and the
1448 	 *  mechanism type.
1449 	 */
1450 	rw_enter(&ga_cache_table_lock, RW_WRITER);
1451 	for (i = 0; i < GSSAUTH_TABLESIZE; i++) {
1452 		prev = NULL;
1453 		for (cur = ga_cache_table[i]; cur; cur = next) {
1454 			NOT_DEAD(cur);
1455 			next = cur->next;
1456 			NOT_DEAD(next);
1457 			ap = AUTH_PRIVATE(cur->auth);
1458 			if (__rpc_gss_oids_equal(ap->mech_type,
1459 			    (gss_OID) mech) && (cur->uid == uid) &&
1460 			    (cur->zoneid == zoneid)) {
1461 				if (cur->in_use) {
1462 					RPCGSS_LOG(2, "rpc_gss_revauth:invalid "
1463 					    "auth %p\n", (void *)cur->auth);
1464 					ap->invalid = TRUE;
1465 				} else {
1466 					RPCGSS_LOG(2, "rpc_gss_revauth:destroy "
1467 					    "auth %p\n", (void *)cur->auth);
1468 					rpc_gss_destroy(cur->auth);
1469 					kmem_cache_free(ga_cache_handle,
1470 					    (void *)cur);
1471 				}
1472 				if (prev == NULL) {
1473 					ga_cache_table[i] = next;
1474 				} else {
1475 					prev->next = next;
1476 					NOT_DEAD(prev->next);
1477 				}
1478 			} else {
1479 				prev = cur;
1480 			}
1481 		}
1482 	}
1483 	rw_exit(&ga_cache_table_lock);
1484 
1485 	return (0);
1486 }
1487 
1488 
1489 /*
1490  *  Delete all the entries indexed by the cache_key.
1491  *
1492  *  For example, the cache_key used for NFS is the address of the
1493  *  security entry for each mount point.  When the file system is unmounted,
1494  *  all the cache entries indexed by this key should be deleted.
1495  */
1496 void
1497 rpc_gss_secpurge(void *cache_key)
1498 {
1499 	struct ga_cache_entry *next, *prev, *cur;
1500 	int i;
1501 
1502 	/*
1503 	 *  Check the cache table against the cache_key.
1504 	 */
1505 	rw_enter(&ga_cache_table_lock, RW_WRITER);
1506 	for (i = 0; i < GSSAUTH_TABLESIZE; i++) {
1507 		prev = NULL;
1508 		for (cur = ga_cache_table[i]; cur; cur = next) {
1509 			NOT_DEAD(cur);
1510 			next = cur->next;
1511 			NOT_DEAD(next);
1512 			if (cache_key == cur->cache_key) {
1513 				RPCGSS_LOG(2, "rpc_gss_secpurge: destroy auth "
1514 				    "%p\n", (void *)cur->auth);
1515 				if (cur->in_use == FALSE)
1516 					rpc_gss_destroy(cur->auth);
1517 				kmem_cache_free(ga_cache_handle, (void *)cur);
1518 				if (prev == NULL) {
1519 					ga_cache_table[i] = next;
1520 				} else {
1521 					NOT_DEAD(prev->next);
1522 					prev->next = next;
1523 				}
1524 			} else {
1525 				prev = cur;
1526 			}
1527 		}
1528 	}
1529 	rw_exit(&ga_cache_table_lock);
1530 }
1531 
1532 /*
1533  * Function: rpc_gss_nextverf.  Not used.
1534  */
1535 static void
1536 rpc_gss_nextverf()
1537 {
1538 }
1539 
1540 /*
1541  * Function: rpc_gss_marshall - no op routine.
1542  *		rpc_gss_wrap() is doing the marshalling.
1543  */
1544 /*ARGSUSED*/
1545 static bool_t
1546 rpc_gss_marshall(auth, xdrs)
1547 	AUTH		*auth;
1548 	XDR		*xdrs;
1549 {
1550 	return (TRUE);
1551 }
1552 
1553 /*
1554  * Set service defaults.
1555  * Not supported yet.
1556  */
1557 /* ARGSUSED */
1558 bool_t
1559 rpc_gss_set_defaults(auth, service, qop)
1560 	AUTH			*auth;
1561 	rpc_gss_service_t	service;
1562 	uint_t			qop;
1563 {
1564 	return (FALSE);
1565 }
1566 
1567 /* ARGSUSED */
1568 int
1569 rpc_gss_max_data_length(AUTH *rpcgss_handle, int max_tp_unit_len)
1570 {
1571 	return (0);
1572 }
1573 
1574 rpc_gss_service_t
1575 rpc_gss_get_service_type(AUTH *auth)
1576 {
1577 	rpc_gss_data		*ap = AUTH_PRIVATE(auth);
1578 
1579 	return (ap->service);
1580 }
1581