1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2012 Milan Jurik. All rights reserved.
24 */
25
26 /*
27 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
28 *
29 * $Id: svc_auth_gssapi.c,v 1.19 1994/10/27 12:38:51 jik Exp $
30 */
31
32 /*
33 * Server side handling of RPCSEC_GSS flavor.
34 */
35
36 #include <sys/systm.h>
37 #include <sys/kstat.h>
38 #include <sys/cmn_err.h>
39 #include <sys/debug.h>
40 #include <sys/types.h>
41 #include <sys/time.h>
42 #include <gssapi/gssapi.h>
43 #include <gssapi/gssapi_ext.h>
44 #include <rpc/rpc.h>
45 #include <rpc/rpcsec_defs.h>
46 #include <sys/sunddi.h>
47 #include <sys/atomic.h>
48
49 extern bool_t __rpc_gss_make_principal(rpc_gss_principal_t *, gss_buffer_t);
50
51 #ifdef DEBUG
52 extern void prom_printf(const char *, ...);
53 #endif
54
55 #ifdef _KERNEL
56 #define memcmp(a, b, l) bcmp((a), (b), (l))
57 #endif
58
59
60 /*
61 * Sequence window definitions.
62 */
63 #define SEQ_ARR_SIZE 4
64 #define SEQ_WIN (SEQ_ARR_SIZE*32)
65 #define SEQ_HI_BIT 0x80000000
66 #define SEQ_LO_BIT 1
67 #define DIV_BY_32 5
68 #define SEQ_MASK 0x1f
69 #define SEQ_MAX ((unsigned int)0x80000000)
70
71
72 /* cache retransmit data */
73 typedef struct _retrans_entry {
74 uint32_t xid;
75 rpc_gss_init_res result;
76 } retrans_entry;
77
78 /*
79 * Server side RPCSEC_GSS context information.
80 */
81 typedef struct _svc_rpc_gss_data {
82 struct _svc_rpc_gss_data *next, *prev;
83 struct _svc_rpc_gss_data *lru_next, *lru_prev;
84 bool_t established;
85 gss_ctx_id_t context;
86 gss_buffer_desc client_name;
87 time_t expiration;
88 uint_t seq_num;
89 uint_t seq_bits[SEQ_ARR_SIZE];
90 uint_t key;
91 OM_uint32 qop;
92 bool_t done_docallback;
93 bool_t locked;
94 rpc_gss_rawcred_t raw_cred;
95 rpc_gss_ucred_t u_cred;
96 time_t u_cred_set;
97 void *cookie;
98 gss_cred_id_t deleg;
99 kmutex_t clm;
100 int ref_cnt;
101 time_t last_ref_time;
102 bool_t stale;
103 retrans_entry *retrans_data;
104 } svc_rpc_gss_data;
105
106 /*
107 * Data structures used for LRU based context management.
108 */
109
110
111 #define HASH(key) ((key) % svc_rpc_gss_hashmod)
112 /* Size of hash table for svc_rpc_gss_data structures */
113 #define GSS_DATA_HASH_SIZE 1024
114
115 /*
116 * The following two defines specify a time delta that is used in
117 * sweep_clients. When the last_ref_time of a context is older than
118 * than the current time minus the delta, i.e, the context has not
119 * been referenced in the last delta seconds, we will return the
120 * context back to the cache if the ref_cnt is zero. The first delta
121 * value will be used when sweep_clients is called from
122 * svc_data_reclaim, the kmem_cache reclaim call back. We will reclaim
123 * all entries except those that are currently "active". By active we
124 * mean those that have been referenced in the last ACTIVE_DELTA
125 * seconds. If sweep_client is not being called from reclaim, then we
126 * will reclaim all entries that are "inactive". By inactive we mean
127 * those entries that have not been accessed in INACTIVE_DELTA
128 * seconds. Note we always assume that ACTIVE_DELTA is less than
129 * INACTIVE_DELTA, so that reaping entries from a reclaim operation
130 * will necessarily imply reaping all "inactive" entries and then
131 * some.
132 */
133
134 /*
135 * If low on memory reap cache entries that have not been active for
136 * ACTIVE_DELTA seconds and have a ref_cnt equal to zero.
137 */
138 #define ACTIVE_DELTA 30*60 /* 30 minutes */
139
140 /*
141 * If in sweeping contexts we find contexts with a ref_cnt equal to zero
142 * and the context has not been referenced in INACTIVE_DELTA seconds, return
143 * the entry to the cache.
144 */
145 #define INACTIVE_DELTA 8*60*60 /* 8 hours */
146
147 int svc_rpc_gss_hashmod = GSS_DATA_HASH_SIZE;
148 static svc_rpc_gss_data **clients;
149 static svc_rpc_gss_data *lru_first, *lru_last;
150 static time_t sweep_interval = 60*60;
151 static time_t last_swept = 0;
152 static int num_gss_contexts = 0;
153 static time_t svc_rpcgss_gid_timeout = 60*60*12;
154 static kmem_cache_t *svc_data_handle;
155 static time_t svc_rpc_gss_active_delta = ACTIVE_DELTA;
156 static time_t svc_rpc_gss_inactive_delta = INACTIVE_DELTA;
157
158 /*
159 * lock used with context/lru variables
160 */
161 static kmutex_t ctx_mutex;
162
163 /*
164 * Data structure to contain cache statistics
165 */
166
167 static struct {
168 int64_t total_entries_allocated;
169 int64_t no_reclaims;
170 int64_t no_returned_by_reclaim;
171 } svc_rpc_gss_cache_stats;
172
173
174 /*
175 * lock used with server credential variables list
176 *
177 * server cred list locking guidelines:
178 * - Writer's lock holder has exclusive access to the list
179 */
180 static krwlock_t cred_lock;
181
182 /*
183 * server callback list
184 */
185 typedef struct rpc_gss_cblist_s {
186 struct rpc_gss_cblist_s *next;
187 rpc_gss_callback_t cb;
188 } rpc_gss_cblist_t;
189
190 static rpc_gss_cblist_t *rpc_gss_cblist = NULL;
191
192 /*
193 * lock used with callback variables
194 */
195 static kmutex_t cb_mutex;
196
197 /*
198 * forward declarations
199 */
200 static bool_t svc_rpc_gss_wrap();
201 static bool_t svc_rpc_gss_unwrap();
202 static svc_rpc_gss_data *create_client();
203 static svc_rpc_gss_data *get_client();
204 static svc_rpc_gss_data *find_client();
205 static void destroy_client();
206 static void sweep_clients(bool_t);
207 static void insert_client();
208 static bool_t check_verf(struct rpc_msg *, gss_ctx_id_t,
209 int *, uid_t);
210 static bool_t set_response_verf();
211 static void retrans_add(svc_rpc_gss_data *, uint32_t,
212 rpc_gss_init_res *);
213 static void retrans_del(svc_rpc_gss_data *);
214 static bool_t transfer_sec_context(svc_rpc_gss_data *);
215 static void common_client_data_free(svc_rpc_gss_data *);
216
217 /*
218 * server side wrap/unwrap routines
219 */
220 struct svc_auth_ops svc_rpc_gss_ops = {
221 svc_rpc_gss_wrap,
222 svc_rpc_gss_unwrap,
223 };
224
225 /* taskq(9F) */
226 typedef struct svcrpcsec_gss_taskq_arg {
227 SVCXPRT *rq_xprt;
228 rpc_gss_init_arg *rpc_call_arg;
229 struct rpc_msg *msg;
230 svc_rpc_gss_data *client_data;
231 uint_t cr_version;
232 rpc_gss_service_t cr_service;
233 } svcrpcsec_gss_taskq_arg_t;
234
235 /* gssd is single threaded, so 1 thread for the taskq is probably good/ok */
236 int rpcsec_gss_init_taskq_nthreads = 1;
237 static ddi_taskq_t *svcrpcsec_gss_init_taskq = NULL;
238
239 extern struct rpc_msg *rpc_msg_dup(struct rpc_msg *);
240 extern void rpc_msg_free(struct rpc_msg **, int);
241
242 /*
243 * from svc_clts.c:
244 * Transport private data.
245 * Kept in xprt->xp_p2buf.
246 */
247 struct udp_data {
248 mblk_t *ud_resp; /* buffer for response */
249 mblk_t *ud_inmp; /* mblk chain of request */
250 };
251
252 /*ARGSUSED*/
253 static int
svc_gss_data_create(void * buf,void * pdata,int kmflag)254 svc_gss_data_create(void *buf, void *pdata, int kmflag)
255 {
256 svc_rpc_gss_data *client_data = (svc_rpc_gss_data *)buf;
257
258 mutex_init(&client_data->clm, NULL, MUTEX_DEFAULT, NULL);
259
260 return (0);
261 }
262
263 /*ARGSUSED*/
264 static void
svc_gss_data_destroy(void * buf,void * pdata)265 svc_gss_data_destroy(void *buf, void *pdata)
266 {
267 svc_rpc_gss_data *client_data = (svc_rpc_gss_data *)buf;
268
269 mutex_destroy(&client_data->clm);
270 }
271
272
273 /*ARGSUSED*/
274 static void
svc_gss_data_reclaim(void * pdata)275 svc_gss_data_reclaim(void *pdata)
276 {
277 mutex_enter(&ctx_mutex);
278
279 svc_rpc_gss_cache_stats.no_reclaims++;
280 sweep_clients(TRUE);
281
282 mutex_exit(&ctx_mutex);
283 }
284
285 /*
286 * Init stuff on the server side.
287 */
288 void
svc_gss_init()289 svc_gss_init()
290 {
291 mutex_init(&cb_mutex, NULL, MUTEX_DEFAULT, NULL);
292 mutex_init(&ctx_mutex, NULL, MUTEX_DEFAULT, NULL);
293 rw_init(&cred_lock, NULL, RW_DEFAULT, NULL);
294 clients = (svc_rpc_gss_data **)
295 kmem_zalloc(svc_rpc_gss_hashmod * sizeof (svc_rpc_gss_data *),
296 KM_SLEEP);
297 svc_data_handle = kmem_cache_create("rpc_gss_data_cache",
298 sizeof (svc_rpc_gss_data), 0,
299 svc_gss_data_create,
300 svc_gss_data_destroy,
301 svc_gss_data_reclaim,
302 NULL, NULL, 0);
303
304 if (svcrpcsec_gss_init_taskq == NULL) {
305 svcrpcsec_gss_init_taskq = ddi_taskq_create(NULL,
306 "rpcsec_gss_init_taskq", rpcsec_gss_init_taskq_nthreads,
307 TASKQ_DEFAULTPRI, 0);
308 if (svcrpcsec_gss_init_taskq == NULL)
309 cmn_err(CE_NOTE,
310 "svc_gss_init: ddi_taskq_create failed");
311 }
312 }
313
314 /*
315 * Destroy structures allocated in svc_gss_init().
316 * This routine is called by _init() if mod_install() failed.
317 */
318 void
svc_gss_fini()319 svc_gss_fini()
320 {
321 mutex_destroy(&cb_mutex);
322 mutex_destroy(&ctx_mutex);
323 rw_destroy(&cred_lock);
324 kmem_free(clients, svc_rpc_gss_hashmod * sizeof (svc_rpc_gss_data *));
325 kmem_cache_destroy(svc_data_handle);
326 }
327
328 /*
329 * Cleanup routine for destroying context, called after service
330 * procedure is executed. Actually we just decrement the reference count
331 * associated with this context. If the reference count is zero and the
332 * context is marked as stale, we would then destroy the context. Additionally,
333 * we check if its been longer than sweep_interval since the last sweep_clients
334 * was run, and if so run sweep_clients to free all stale contexts with zero
335 * reference counts or contexts that are old. (Haven't been access in
336 * svc_rpc_inactive_delta seconds).
337 */
338 void
rpc_gss_cleanup(SVCXPRT * clone_xprt)339 rpc_gss_cleanup(SVCXPRT *clone_xprt)
340 {
341 svc_rpc_gss_data *cl;
342 SVCAUTH *svcauth;
343
344 /*
345 * First check if current context needs to be cleaned up.
346 * There might be other threads stale this client data
347 * in between.
348 */
349 svcauth = &clone_xprt->xp_auth;
350 mutex_enter(&ctx_mutex);
351 if ((cl = (svc_rpc_gss_data *)svcauth->svc_ah_private) != NULL) {
352 mutex_enter(&cl->clm);
353 ASSERT(cl->ref_cnt > 0);
354 if (--cl->ref_cnt == 0 && cl->stale) {
355 mutex_exit(&cl->clm);
356 destroy_client(cl);
357 svcauth->svc_ah_private = NULL;
358 } else
359 mutex_exit(&cl->clm);
360 }
361
362 /*
363 * Check for other expired contexts.
364 */
365 if ((gethrestime_sec() - last_swept) > sweep_interval)
366 sweep_clients(FALSE);
367
368 mutex_exit(&ctx_mutex);
369 }
370
371 /*
372 * Shift the array arr of length arrlen right by nbits bits.
373 */
374 static void
shift_bits(arr,arrlen,nbits)375 shift_bits(arr, arrlen, nbits)
376 uint_t *arr;
377 int arrlen;
378 int nbits;
379 {
380 int i, j;
381 uint_t lo, hi;
382
383 /*
384 * If the number of bits to be shifted exceeds SEQ_WIN, just
385 * zero out the array.
386 */
387 if (nbits < SEQ_WIN) {
388 for (i = 0; i < nbits; i++) {
389 hi = 0;
390 for (j = 0; j < arrlen; j++) {
391 lo = arr[j] & SEQ_LO_BIT;
392 arr[j] >>= 1;
393 if (hi)
394 arr[j] |= SEQ_HI_BIT;
395 hi = lo;
396 }
397 }
398 } else {
399 for (j = 0; j < arrlen; j++)
400 arr[j] = 0;
401 }
402 }
403
404 /*
405 * Check that the received sequence number seq_num is valid.
406 */
407 static bool_t
check_seq(cl,seq_num,kill_context)408 check_seq(cl, seq_num, kill_context)
409 svc_rpc_gss_data *cl;
410 uint_t seq_num;
411 bool_t *kill_context;
412 {
413 int i, j;
414 uint_t bit;
415
416 /*
417 * If it exceeds the maximum, kill context.
418 */
419 if (seq_num >= SEQ_MAX) {
420 *kill_context = TRUE;
421 RPCGSS_LOG0(4, "check_seq: seq_num not valid\n");
422 return (FALSE);
423 }
424
425 /*
426 * If greater than the last seen sequence number, just shift
427 * the sequence window so that it starts at the new sequence
428 * number and extends downwards by SEQ_WIN.
429 */
430 if (seq_num > cl->seq_num) {
431 (void) shift_bits(cl->seq_bits, SEQ_ARR_SIZE,
432 (int)(seq_num - cl->seq_num));
433 cl->seq_bits[0] |= SEQ_HI_BIT;
434 cl->seq_num = seq_num;
435 return (TRUE);
436 }
437
438 /*
439 * If it is outside the sequence window, return failure.
440 */
441 i = cl->seq_num - seq_num;
442 if (i >= SEQ_WIN) {
443 RPCGSS_LOG0(4, "check_seq: seq_num is outside the window\n");
444 return (FALSE);
445 }
446
447 /*
448 * If within sequence window, set the bit corresponding to it
449 * if not already seen; if already seen, return failure.
450 */
451 j = SEQ_MASK - (i & SEQ_MASK);
452 bit = j > 0 ? (1 << j) : 1;
453 i >>= DIV_BY_32;
454 if (cl->seq_bits[i] & bit) {
455 RPCGSS_LOG0(4, "check_seq: sequence number already seen\n");
456 return (FALSE);
457 }
458 cl->seq_bits[i] |= bit;
459 return (TRUE);
460 }
461
462 /*
463 * Set server callback.
464 */
465 bool_t
rpc_gss_set_callback(cb)466 rpc_gss_set_callback(cb)
467 rpc_gss_callback_t *cb;
468 {
469 rpc_gss_cblist_t *cbl, *tmp;
470
471 if (cb->callback == NULL) {
472 RPCGSS_LOG0(1, "rpc_gss_set_callback: no callback to set\n");
473 return (FALSE);
474 }
475
476 /* check if there is already an entry in the rpc_gss_cblist. */
477 mutex_enter(&cb_mutex);
478 if (rpc_gss_cblist) {
479 for (tmp = rpc_gss_cblist; tmp != NULL; tmp = tmp->next) {
480 if ((tmp->cb.callback == cb->callback) &&
481 (tmp->cb.version == cb->version) &&
482 (tmp->cb.program == cb->program)) {
483 mutex_exit(&cb_mutex);
484 return (TRUE);
485 }
486 }
487 }
488
489 /* Not in rpc_gss_cblist. Create a new entry. */
490 if ((cbl = (rpc_gss_cblist_t *)kmem_alloc(sizeof (*cbl), KM_SLEEP))
491 == NULL) {
492 mutex_exit(&cb_mutex);
493 return (FALSE);
494 }
495 cbl->cb = *cb;
496 cbl->next = rpc_gss_cblist;
497 rpc_gss_cblist = cbl;
498 mutex_exit(&cb_mutex);
499 return (TRUE);
500 }
501
502 /*
503 * Locate callback (if specified) and call server. Release any
504 * delegated credentials unless passed to server and the server
505 * accepts the context. If a callback is not specified, accept
506 * the incoming context.
507 */
508 static bool_t
do_callback(req,client_data)509 do_callback(req, client_data)
510 struct svc_req *req;
511 svc_rpc_gss_data *client_data;
512 {
513 rpc_gss_cblist_t *cbl;
514 bool_t ret = TRUE, found = FALSE;
515 rpc_gss_lock_t lock;
516 OM_uint32 minor;
517 mutex_enter(&cb_mutex);
518 for (cbl = rpc_gss_cblist; cbl != NULL; cbl = cbl->next) {
519 if (req->rq_prog != cbl->cb.program ||
520 req->rq_vers != cbl->cb.version)
521 continue;
522 found = TRUE;
523 lock.locked = FALSE;
524 lock.raw_cred = &client_data->raw_cred;
525 ret = (*cbl->cb.callback)(req, client_data->deleg,
526 client_data->context, &lock, &client_data->cookie);
527 req->rq_xprt->xp_cookie = client_data->cookie;
528
529 if (ret) {
530 client_data->locked = lock.locked;
531 client_data->deleg = GSS_C_NO_CREDENTIAL;
532 }
533 break;
534 }
535 if (!found) {
536 if (client_data->deleg != GSS_C_NO_CREDENTIAL) {
537 (void) kgss_release_cred(&minor, &client_data->deleg,
538 crgetuid(CRED()));
539 client_data->deleg = GSS_C_NO_CREDENTIAL;
540 }
541 }
542 mutex_exit(&cb_mutex);
543 return (ret);
544 }
545
546 /*
547 * Get caller credentials.
548 */
549 bool_t
rpc_gss_getcred(req,rcred,ucred,cookie)550 rpc_gss_getcred(req, rcred, ucred, cookie)
551 struct svc_req *req;
552 rpc_gss_rawcred_t **rcred;
553 rpc_gss_ucred_t **ucred;
554 void **cookie;
555 {
556 SVCAUTH *svcauth;
557 svc_rpc_gss_data *client_data;
558 int gssstat, gidlen;
559
560 svcauth = &req->rq_xprt->xp_auth;
561 client_data = (svc_rpc_gss_data *)svcauth->svc_ah_private;
562
563 mutex_enter(&client_data->clm);
564
565 if (rcred != NULL) {
566 svcauth->raw_cred = client_data->raw_cred;
567 *rcred = &svcauth->raw_cred;
568 }
569 if (ucred != NULL) {
570 *ucred = &client_data->u_cred;
571
572 if (client_data->u_cred_set == 0 ||
573 client_data->u_cred_set < gethrestime_sec()) {
574 if (client_data->u_cred_set == 0) {
575 if ((gssstat = kgsscred_expname_to_unix_cred(
576 &client_data->client_name,
577 &client_data->u_cred.uid,
578 &client_data->u_cred.gid,
579 &client_data->u_cred.gidlist,
580 &gidlen, crgetuid(CRED()))) != GSS_S_COMPLETE) {
581 RPCGSS_LOG(1, "rpc_gss_getcred: "
582 "kgsscred_expname_to_unix_cred failed %x\n",
583 gssstat);
584 *ucred = NULL;
585 } else {
586 client_data->u_cred.gidlen = (short)gidlen;
587 client_data->u_cred_set =
588 gethrestime_sec() + svc_rpcgss_gid_timeout;
589 }
590 } else if (client_data->u_cred_set < gethrestime_sec()) {
591 if ((gssstat = kgss_get_group_info(
592 client_data->u_cred.uid,
593 &client_data->u_cred.gid,
594 &client_data->u_cred.gidlist,
595 &gidlen, crgetuid(CRED()))) != GSS_S_COMPLETE) {
596 RPCGSS_LOG(1, "rpc_gss_getcred: "
597 "kgss_get_group_info failed %x\n",
598 gssstat);
599 *ucred = NULL;
600 } else {
601 client_data->u_cred.gidlen = (short)gidlen;
602 client_data->u_cred_set =
603 gethrestime_sec() + svc_rpcgss_gid_timeout;
604 }
605 }
606 }
607 }
608
609 if (cookie != NULL)
610 *cookie = client_data->cookie;
611 req->rq_xprt->xp_cookie = client_data->cookie;
612
613 mutex_exit(&client_data->clm);
614
615 return (TRUE);
616 }
617
618 /*
619 * Transfer the context data from the user land to the kernel.
620 */
transfer_sec_context(svc_rpc_gss_data * client_data)621 bool_t transfer_sec_context(svc_rpc_gss_data *client_data) {
622
623 gss_buffer_desc process_token;
624 OM_uint32 gssstat, minor;
625
626 /*
627 * Call kgss_export_sec_context
628 * if an error is returned log a message
629 * go to error handling
630 * Otherwise call kgss_import_sec_context to
631 * convert the token into a context
632 */
633 gssstat = kgss_export_sec_context(&minor, client_data->context,
634 &process_token);
635 /*
636 * if export_sec_context returns an error we delete the
637 * context just to be safe.
638 */
639 if (gssstat == GSS_S_NAME_NOT_MN) {
640 RPCGSS_LOG0(4, "svc_rpcsec_gss: export sec context "
641 "Kernel mod unavailable\n");
642
643 } else if (gssstat != GSS_S_COMPLETE) {
644 RPCGSS_LOG(1, "svc_rpcsec_gss: export sec context failed "
645 " gssstat = 0x%x\n", gssstat);
646 (void) gss_release_buffer(&minor, &process_token);
647 (void) kgss_delete_sec_context(&minor, &client_data->context,
648 NULL);
649 return (FALSE);
650
651 } else if (process_token.length == 0) {
652 RPCGSS_LOG0(1, "svc_rpcsec_gss:zero length token in response "
653 "for export_sec_context, but "
654 "gsstat == GSS_S_COMPLETE\n");
655 (void) kgss_delete_sec_context(&minor, &client_data->context,
656 NULL);
657 return (FALSE);
658
659 } else {
660 gssstat = kgss_import_sec_context(&minor, &process_token,
661 client_data->context);
662 if (gssstat != GSS_S_COMPLETE) {
663 RPCGSS_LOG(1, "svc_rpcsec_gss: import sec context "
664 " failed gssstat = 0x%x\n", gssstat);
665 (void) kgss_delete_sec_context(&minor,
666 &client_data->context, NULL);
667 (void) gss_release_buffer(&minor, &process_token);
668 return (FALSE);
669 }
670
671 RPCGSS_LOG0(4, "gss_import_sec_context successful\n");
672 (void) gss_release_buffer(&minor, &process_token);
673 }
674
675 return (TRUE);
676 }
677
678 /*
679 * do_gss_accept is called from a taskq and does all the work for a
680 * RPCSEC_GSS_INIT call (mostly calling kgss_accept_sec_context()).
681 */
682 static enum auth_stat
do_gss_accept(SVCXPRT * xprt,rpc_gss_init_arg * call_arg,struct rpc_msg * msg,svc_rpc_gss_data * client_data,uint_t cr_version,rpc_gss_service_t cr_service)683 do_gss_accept(
684 SVCXPRT *xprt,
685 rpc_gss_init_arg *call_arg,
686 struct rpc_msg *msg,
687 svc_rpc_gss_data *client_data,
688 uint_t cr_version,
689 rpc_gss_service_t cr_service)
690 {
691 rpc_gss_init_res call_res;
692 gss_buffer_desc output_token;
693 OM_uint32 gssstat, minor, minor_stat, time_rec;
694 int ret_flags, ret;
695 gss_OID mech_type = GSS_C_NULL_OID;
696 int free_mech_type = 1;
697 struct svc_req r, *rqst;
698
699 rqst = &r;
700 rqst->rq_xprt = xprt;
701
702 /*
703 * Initialize output_token.
704 */
705 output_token.length = 0;
706 output_token.value = NULL;
707
708 bzero((char *)&call_res, sizeof (call_res));
709
710 mutex_enter(&client_data->clm);
711 if (client_data->stale) {
712 ret = RPCSEC_GSS_NOCRED;
713 RPCGSS_LOG0(1, "_svcrpcsec_gss: client data stale\n");
714 goto error2;
715 }
716
717 /*
718 * Any response we send will use ctx_handle, so set it now;
719 * also set seq_window since this won't change.
720 */
721 call_res.ctx_handle.length = sizeof (client_data->key);
722 call_res.ctx_handle.value = (char *)&client_data->key;
723 call_res.seq_window = SEQ_WIN;
724
725 gssstat = GSS_S_FAILURE;
726 minor = 0;
727 minor_stat = 0;
728 rw_enter(&cred_lock, RW_READER);
729
730 if (client_data->client_name.length) {
731 (void) gss_release_buffer(&minor,
732 &client_data->client_name);
733 }
734 gssstat = kgss_accept_sec_context(&minor_stat,
735 &client_data->context,
736 GSS_C_NO_CREDENTIAL,
737 call_arg,
738 GSS_C_NO_CHANNEL_BINDINGS,
739 &client_data->client_name,
740 &mech_type,
741 &output_token,
742 &ret_flags,
743 &time_rec,
744 NULL, /* don't need a delegated cred back */
745 crgetuid(CRED()));
746
747 RPCGSS_LOG(4, "gssstat 0x%x \n", gssstat);
748
749 if (gssstat == GSS_S_COMPLETE) {
750 /*
751 * Set the raw and unix credentials at this
752 * point. This saves a lot of computation
753 * later when credentials are retrieved.
754 */
755 client_data->raw_cred.version = cr_version;
756 client_data->raw_cred.service = cr_service;
757
758 if (client_data->raw_cred.mechanism) {
759 kgss_free_oid(client_data->raw_cred.mechanism);
760 client_data->raw_cred.mechanism = NULL;
761 }
762 client_data->raw_cred.mechanism = (rpc_gss_OID) mech_type;
763 /*
764 * client_data is now responsible for freeing
765 * the data of 'mech_type'.
766 */
767 free_mech_type = 0;
768
769 if (client_data->raw_cred.client_principal) {
770 kmem_free((caddr_t)client_data->\
771 raw_cred.client_principal,
772 client_data->raw_cred.\
773 client_principal->len + sizeof (int));
774 client_data->raw_cred.client_principal = NULL;
775 }
776
777 /*
778 * The client_name returned from
779 * kgss_accept_sec_context() is in an
780 * exported flat format.
781 */
782 if (! __rpc_gss_make_principal(
783 &client_data->raw_cred.client_principal,
784 &client_data->client_name)) {
785 RPCGSS_LOG0(1, "_svcrpcsec_gss: "
786 "make principal failed\n");
787 gssstat = GSS_S_FAILURE;
788 (void) gss_release_buffer(&minor_stat, &output_token);
789 }
790 }
791
792 rw_exit(&cred_lock);
793
794 call_res.gss_major = gssstat;
795 call_res.gss_minor = minor_stat;
796
797 if (gssstat != GSS_S_COMPLETE &&
798 gssstat != GSS_S_CONTINUE_NEEDED) {
799 call_res.ctx_handle.length = 0;
800 call_res.ctx_handle.value = NULL;
801 call_res.seq_window = 0;
802 rpc_gss_display_status(gssstat, minor_stat, mech_type,
803 crgetuid(CRED()),
804 "_svc_rpcsec_gss gss_accept_sec_context");
805 (void) svc_sendreply(rqst->rq_xprt,
806 __xdr_rpc_gss_init_res, (caddr_t)&call_res);
807 client_data->stale = TRUE;
808 ret = AUTH_OK;
809 goto error2;
810 }
811
812 /*
813 * If appropriate, set established to TRUE *after* sending
814 * response (otherwise, the client will receive the final
815 * token encrypted)
816 */
817 if (gssstat == GSS_S_COMPLETE) {
818 /*
819 * Context is established. Set expiration time
820 * for the context.
821 */
822 client_data->seq_num = 1;
823 if ((time_rec == GSS_C_INDEFINITE) || (time_rec == 0)) {
824 client_data->expiration = GSS_C_INDEFINITE;
825 } else {
826 client_data->expiration =
827 time_rec + gethrestime_sec();
828 }
829
830 if (!transfer_sec_context(client_data)) {
831 ret = RPCSEC_GSS_FAILED;
832 client_data->stale = TRUE;
833 RPCGSS_LOG0(1,
834 "_svc_rpcsec_gss: transfer sec context failed\n");
835 goto error2;
836 }
837
838 client_data->established = TRUE;
839 }
840
841 /*
842 * This step succeeded. Send a response, along with
843 * a token if there's one. Don't dispatch.
844 */
845
846 if (output_token.length != 0)
847 GSS_COPY_BUFFER(call_res.token, output_token);
848
849 /*
850 * If GSS_S_COMPLETE: set response verifier to
851 * checksum of SEQ_WIN
852 */
853 if (gssstat == GSS_S_COMPLETE) {
854 if (!set_response_verf(rqst, msg, client_data,
855 (uint_t)SEQ_WIN)) {
856 ret = RPCSEC_GSS_FAILED;
857 client_data->stale = TRUE;
858 RPCGSS_LOG0(1,
859 "_svc_rpcsec_gss:set response verifier failed\n");
860 goto error2;
861 }
862 }
863
864 if (!svc_sendreply(rqst->rq_xprt, __xdr_rpc_gss_init_res,
865 (caddr_t)&call_res)) {
866 ret = RPCSEC_GSS_FAILED;
867 client_data->stale = TRUE;
868 RPCGSS_LOG0(1, "_svc_rpcsec_gss:send reply failed\n");
869 goto error2;
870 }
871
872 /*
873 * Cache last response in case it is lost and the client
874 * retries on an established context.
875 */
876 (void) retrans_add(client_data, msg->rm_xid, &call_res);
877 ASSERT(client_data->ref_cnt > 0);
878 client_data->ref_cnt--;
879 mutex_exit(&client_data->clm);
880
881 (void) gss_release_buffer(&minor_stat, &output_token);
882
883 return (AUTH_OK);
884
885 error2:
886 ASSERT(client_data->ref_cnt > 0);
887 client_data->ref_cnt--;
888 mutex_exit(&client_data->clm);
889 (void) gss_release_buffer(&minor_stat, &output_token);
890 if (free_mech_type && mech_type)
891 kgss_free_oid(mech_type);
892
893 return (ret);
894 }
895
896 static void
svcrpcsec_gss_taskq_func(void * svcrpcsecgss_taskq_arg)897 svcrpcsec_gss_taskq_func(void *svcrpcsecgss_taskq_arg)
898 {
899 enum auth_stat retval;
900 svcrpcsec_gss_taskq_arg_t *arg = svcrpcsecgss_taskq_arg;
901
902 retval = do_gss_accept(arg->rq_xprt, arg->rpc_call_arg, arg->msg,
903 arg->client_data, arg->cr_version, arg->cr_service);
904 if (retval != AUTH_OK) {
905 cmn_err(CE_NOTE,
906 "svcrpcsec_gss_taskq_func: do_gss_accept fail 0x%x",
907 retval);
908 }
909 rpc_msg_free(&arg->msg, MAX_AUTH_BYTES);
910 svc_clone_unlink(arg->rq_xprt);
911 svc_clone_free(arg->rq_xprt);
912 xdr_free(__xdr_rpc_gss_init_arg, (caddr_t)arg->rpc_call_arg);
913 kmem_free(arg->rpc_call_arg, sizeof (*arg->rpc_call_arg));
914
915 kmem_free(arg, sizeof (*arg));
916 }
917
918 static enum auth_stat
rpcsec_gss_init(struct svc_req * rqst,struct rpc_msg * msg,rpc_gss_creds creds,bool_t * no_dispatch,svc_rpc_gss_data * c_d)919 rpcsec_gss_init(
920 struct svc_req *rqst,
921 struct rpc_msg *msg,
922 rpc_gss_creds creds,
923 bool_t *no_dispatch,
924 svc_rpc_gss_data *c_d) /* client data, can be NULL */
925 {
926 svc_rpc_gss_data *client_data;
927 int ret;
928 svcrpcsec_gss_taskq_arg_t *arg;
929
930 if (creds.ctx_handle.length != 0) {
931 RPCGSS_LOG0(1, "_svcrpcsec_gss: ctx_handle not null\n");
932 ret = AUTH_BADCRED;
933 return (ret);
934 }
935
936 client_data = c_d ? c_d : create_client();
937 if (client_data == NULL) {
938 RPCGSS_LOG0(1,
939 "_svcrpcsec_gss: can't create a new cache entry\n");
940 ret = AUTH_FAILED;
941 return (ret);
942 }
943
944 mutex_enter(&client_data->clm);
945 if (client_data->stale) {
946 ret = RPCSEC_GSS_NOCRED;
947 RPCGSS_LOG0(1, "_svcrpcsec_gss: client data stale\n");
948 goto error2;
949 }
950
951 /*
952 * kgss_accept_sec_context()/gssd(1M) can be overly time
953 * consuming so let's queue it and return asap.
954 *
955 * taskq func must free arg.
956 */
957 arg = kmem_alloc(sizeof (*arg), KM_SLEEP);
958
959 /* taskq func must free rpc_call_arg & deserialized arguments */
960 arg->rpc_call_arg = kmem_alloc(sizeof (*arg->rpc_call_arg), KM_SLEEP);
961
962 /* deserialize arguments */
963 bzero(arg->rpc_call_arg, sizeof (*arg->rpc_call_arg));
964 if (!SVC_GETARGS(rqst->rq_xprt, __xdr_rpc_gss_init_arg,
965 (caddr_t)arg->rpc_call_arg)) {
966 ret = RPCSEC_GSS_FAILED;
967 client_data->stale = TRUE;
968 goto error2;
969 }
970
971 /* get a xprt clone for taskq thread, taskq func must free it */
972 arg->rq_xprt = svc_clone_init();
973 svc_clone_link(rqst->rq_xprt->xp_master, arg->rq_xprt, rqst->rq_xprt);
974 arg->rq_xprt->xp_xid = rqst->rq_xprt->xp_xid;
975
976
977 /* set the appropriate wrap/unwrap routine for RPCSEC_GSS */
978 arg->rq_xprt->xp_auth.svc_ah_ops = svc_rpc_gss_ops;
979 arg->rq_xprt->xp_auth.svc_ah_private = (caddr_t)client_data;
980
981 /* get a dup of rpc msg for taskq thread */
982 arg->msg = rpc_msg_dup(msg); /* taskq func must free msg dup */
983
984 arg->client_data = client_data;
985 arg->cr_version = creds.version;
986 arg->cr_service = creds.service;
987
988 /* We no longer need the xp_xdrin, destroy it all here. */
989 XDR_DESTROY(&(rqst->rq_xprt->xp_xdrin));
990
991 /* should be ok to hold clm lock as taskq will have new thread(s) */
992 ret = ddi_taskq_dispatch(svcrpcsec_gss_init_taskq,
993 svcrpcsec_gss_taskq_func, arg, DDI_SLEEP);
994 if (ret == DDI_FAILURE) {
995 cmn_err(CE_NOTE, "rpcsec_gss_init: taskq dispatch fail");
996 ret = RPCSEC_GSS_FAILED;
997 rpc_msg_free(&arg->msg, MAX_AUTH_BYTES);
998 svc_clone_unlink(arg->rq_xprt);
999 svc_clone_free(arg->rq_xprt);
1000 kmem_free(arg, sizeof (*arg));
1001 goto error2;
1002 }
1003
1004 mutex_exit(&client_data->clm);
1005 *no_dispatch = TRUE;
1006 return (AUTH_OK);
1007
1008 error2:
1009 ASSERT(client_data->ref_cnt > 0);
1010 client_data->ref_cnt--;
1011 mutex_exit(&client_data->clm);
1012 cmn_err(CE_NOTE, "rpcsec_gss_init: error 0x%x", ret);
1013 return (ret);
1014 }
1015
1016 static enum auth_stat
rpcsec_gss_continue_init(struct svc_req * rqst,struct rpc_msg * msg,rpc_gss_creds creds,bool_t * no_dispatch)1017 rpcsec_gss_continue_init(
1018 struct svc_req *rqst,
1019 struct rpc_msg *msg,
1020 rpc_gss_creds creds,
1021 bool_t *no_dispatch)
1022 {
1023 int ret;
1024 svc_rpc_gss_data *client_data;
1025 svc_rpc_gss_parms_t *gss_parms;
1026 rpc_gss_init_res *retrans_result;
1027
1028 if (creds.ctx_handle.length == 0) {
1029 RPCGSS_LOG0(1, "_svcrpcsec_gss: no ctx_handle\n");
1030 ret = AUTH_BADCRED;
1031 return (ret);
1032 }
1033 if ((client_data = get_client(&creds.ctx_handle)) == NULL) {
1034 ret = RPCSEC_GSS_NOCRED;
1035 RPCGSS_LOG0(1, "_svcrpcsec_gss: no security context\n");
1036 return (ret);
1037 }
1038
1039 mutex_enter(&client_data->clm);
1040 if (client_data->stale) {
1041 ret = RPCSEC_GSS_NOCRED;
1042 RPCGSS_LOG0(1, "_svcrpcsec_gss: client data stale\n");
1043 goto error2;
1044 }
1045
1046 /*
1047 * If context not established, go thru INIT code but with
1048 * this client handle.
1049 */
1050 if (!client_data->established) {
1051 mutex_exit(&client_data->clm);
1052 return (rpcsec_gss_init(rqst, msg, creds, no_dispatch,
1053 client_data));
1054 }
1055
1056 /*
1057 * Set the appropriate wrap/unwrap routine for RPCSEC_GSS.
1058 */
1059 rqst->rq_xprt->xp_auth.svc_ah_ops = svc_rpc_gss_ops;
1060 rqst->rq_xprt->xp_auth.svc_ah_private = (caddr_t)client_data;
1061
1062 /*
1063 * Keep copy of parameters we'll need for response, for the
1064 * sake of reentrancy (we don't want to look in the context
1065 * data because when we are sending a response, another
1066 * request may have come in).
1067 */
1068 gss_parms = &rqst->rq_xprt->xp_auth.svc_gss_parms;
1069 gss_parms->established = client_data->established;
1070 gss_parms->service = creds.service;
1071 gss_parms->qop_rcvd = (uint_t)client_data->qop;
1072 gss_parms->context = (void *)client_data->context;
1073 gss_parms->seq_num = creds.seq_num;
1074
1075 /*
1076 * This is an established context. Continue to
1077 * satisfy retried continue init requests out of
1078 * the retransmit cache. Throw away any that don't
1079 * have a matching xid or the cach is empty.
1080 * Delete the retransmit cache once the client sends
1081 * a data request.
1082 */
1083 if (client_data->retrans_data &&
1084 (client_data->retrans_data->xid == msg->rm_xid)) {
1085 retrans_result = &client_data->retrans_data->result;
1086 if (set_response_verf(rqst, msg, client_data,
1087 (uint_t)retrans_result->seq_window)) {
1088 gss_parms->established = FALSE;
1089 (void) svc_sendreply(rqst->rq_xprt,
1090 __xdr_rpc_gss_init_res, (caddr_t)retrans_result);
1091 *no_dispatch = TRUE;
1092 ASSERT(client_data->ref_cnt > 0);
1093 client_data->ref_cnt--;
1094 }
1095 }
1096 mutex_exit(&client_data->clm);
1097
1098 return (AUTH_OK);
1099
1100 error2:
1101 ASSERT(client_data->ref_cnt > 0);
1102 client_data->ref_cnt--;
1103 mutex_exit(&client_data->clm);
1104 return (ret);
1105 }
1106
1107 static enum auth_stat
rpcsec_gss_data(struct svc_req * rqst,struct rpc_msg * msg,rpc_gss_creds creds,bool_t * no_dispatch)1108 rpcsec_gss_data(
1109 struct svc_req *rqst,
1110 struct rpc_msg *msg,
1111 rpc_gss_creds creds,
1112 bool_t *no_dispatch)
1113 {
1114 int ret;
1115 svc_rpc_gss_parms_t *gss_parms;
1116 svc_rpc_gss_data *client_data;
1117
1118 switch (creds.service) {
1119 case rpc_gss_svc_none:
1120 case rpc_gss_svc_integrity:
1121 case rpc_gss_svc_privacy:
1122 break;
1123 default:
1124 cmn_err(CE_NOTE, "__svcrpcsec_gss: unknown service type=0x%x",
1125 creds.service);
1126 RPCGSS_LOG(1, "_svcrpcsec_gss: unknown service type: 0x%x\n",
1127 creds.service);
1128 ret = AUTH_BADCRED;
1129 return (ret);
1130 }
1131
1132 if (creds.ctx_handle.length == 0) {
1133 RPCGSS_LOG0(1, "_svcrpcsec_gss: no ctx_handle\n");
1134 ret = AUTH_BADCRED;
1135 return (ret);
1136 }
1137 if ((client_data = get_client(&creds.ctx_handle)) == NULL) {
1138 ret = RPCSEC_GSS_NOCRED;
1139 RPCGSS_LOG0(1, "_svcrpcsec_gss: no security context\n");
1140 return (ret);
1141 }
1142
1143
1144 mutex_enter(&client_data->clm);
1145 if (!client_data->established) {
1146 ret = AUTH_FAILED;
1147 goto error2;
1148 }
1149 if (client_data->stale) {
1150 ret = RPCSEC_GSS_NOCRED;
1151 RPCGSS_LOG0(1, "_svcrpcsec_gss: client data stale\n");
1152 goto error2;
1153 }
1154
1155 /*
1156 * Once the context is established and there is no more
1157 * retransmission of last continue init request, it is safe
1158 * to delete the retransmit cache entry.
1159 */
1160 if (client_data->retrans_data)
1161 retrans_del(client_data);
1162
1163 /*
1164 * Set the appropriate wrap/unwrap routine for RPCSEC_GSS.
1165 */
1166 rqst->rq_xprt->xp_auth.svc_ah_ops = svc_rpc_gss_ops;
1167 rqst->rq_xprt->xp_auth.svc_ah_private = (caddr_t)client_data;
1168
1169 /*
1170 * Keep copy of parameters we'll need for response, for the
1171 * sake of reentrancy (we don't want to look in the context
1172 * data because when we are sending a response, another
1173 * request may have come in).
1174 */
1175 gss_parms = &rqst->rq_xprt->xp_auth.svc_gss_parms;
1176 gss_parms->established = client_data->established;
1177 gss_parms->service = creds.service;
1178 gss_parms->qop_rcvd = (uint_t)client_data->qop;
1179 gss_parms->context = (void *)client_data->context;
1180 gss_parms->seq_num = creds.seq_num;
1181
1182 /*
1183 * Context is already established. Check verifier, and
1184 * note parameters we will need for response in gss_parms.
1185 */
1186 if (!check_verf(msg, client_data->context,
1187 (int *)&gss_parms->qop_rcvd, client_data->u_cred.uid)) {
1188 ret = RPCSEC_GSS_NOCRED;
1189 RPCGSS_LOG0(1, "_svcrpcsec_gss: check verf failed\n");
1190 goto error2;
1191 }
1192
1193 /*
1194 * Check and invoke callback if necessary.
1195 */
1196 if (!client_data->done_docallback) {
1197 client_data->done_docallback = TRUE;
1198 client_data->qop = gss_parms->qop_rcvd;
1199 client_data->raw_cred.qop = gss_parms->qop_rcvd;
1200 client_data->raw_cred.service = creds.service;
1201 if (!do_callback(rqst, client_data)) {
1202 ret = AUTH_FAILED;
1203 RPCGSS_LOG0(1, "_svc_rpcsec_gss:callback failed\n");
1204 goto error2;
1205 }
1206 }
1207
1208 /*
1209 * If the context was locked, make sure that the client
1210 * has not changed QOP.
1211 */
1212 if (client_data->locked && gss_parms->qop_rcvd != client_data->qop) {
1213 ret = AUTH_BADVERF;
1214 RPCGSS_LOG0(1, "_svcrpcsec_gss: can not change qop\n");
1215 goto error2;
1216 }
1217
1218 /*
1219 * Validate sequence number.
1220 */
1221 if (!check_seq(client_data, creds.seq_num, &client_data->stale)) {
1222 if (client_data->stale) {
1223 ret = RPCSEC_GSS_FAILED;
1224 RPCGSS_LOG0(1,
1225 "_svc_rpcsec_gss:check seq failed\n");
1226 } else {
1227 RPCGSS_LOG0(4, "_svc_rpcsec_gss:check seq "
1228 "failed on good context. Ignoring "
1229 "request\n");
1230 /*
1231 * Operational error, drop packet silently.
1232 * The client will recover after timing out,
1233 * assuming this is a client error and not
1234 * a relpay attack. Don't dispatch.
1235 */
1236 ret = AUTH_OK;
1237 *no_dispatch = TRUE;
1238 }
1239 goto error2;
1240 }
1241
1242 /*
1243 * set response verifier
1244 */
1245 if (!set_response_verf(rqst, msg, client_data, creds.seq_num)) {
1246 ret = RPCSEC_GSS_FAILED;
1247 client_data->stale = TRUE;
1248 RPCGSS_LOG0(1,
1249 "_svc_rpcsec_gss:set response verifier failed\n");
1250 goto error2;
1251 }
1252
1253 /*
1254 * If context is locked, make sure that the client
1255 * has not changed the security service.
1256 */
1257 if (client_data->locked &&
1258 client_data->raw_cred.service != creds.service) {
1259 RPCGSS_LOG0(1, "_svc_rpcsec_gss: "
1260 "security service changed.\n");
1261 ret = AUTH_FAILED;
1262 goto error2;
1263 }
1264
1265 /*
1266 * Set client credentials to raw credential
1267 * structure in context. This is okay, since
1268 * this will not change during the lifetime of
1269 * the context (so it's MT safe).
1270 */
1271 rqst->rq_clntcred = (char *)&client_data->raw_cred;
1272
1273 mutex_exit(&client_data->clm);
1274 return (AUTH_OK);
1275
1276 error2:
1277 ASSERT(client_data->ref_cnt > 0);
1278 client_data->ref_cnt--;
1279 mutex_exit(&client_data->clm);
1280 return (ret);
1281 }
1282
1283 /*
1284 * Note we don't have a client yet to use this routine and test it.
1285 */
1286 static enum auth_stat
rpcsec_gss_destroy(struct svc_req * rqst,rpc_gss_creds creds,bool_t * no_dispatch)1287 rpcsec_gss_destroy(
1288 struct svc_req *rqst,
1289 rpc_gss_creds creds,
1290 bool_t *no_dispatch)
1291 {
1292 svc_rpc_gss_data *client_data;
1293 int ret;
1294
1295 if (creds.ctx_handle.length == 0) {
1296 RPCGSS_LOG0(1, "_svcrpcsec_gss: no ctx_handle\n");
1297 ret = AUTH_BADCRED;
1298 return (ret);
1299 }
1300 if ((client_data = get_client(&creds.ctx_handle)) == NULL) {
1301 ret = RPCSEC_GSS_NOCRED;
1302 RPCGSS_LOG0(1, "_svcrpcsec_gss: no security context\n");
1303 return (ret);
1304 }
1305
1306 mutex_enter(&client_data->clm);
1307 if (!client_data->established) {
1308 ret = AUTH_FAILED;
1309 goto error2;
1310 }
1311 if (client_data->stale) {
1312 ret = RPCSEC_GSS_NOCRED;
1313 RPCGSS_LOG0(1, "_svcrpcsec_gss: client data stale\n");
1314 goto error2;
1315 }
1316
1317 (void) svc_sendreply(rqst->rq_xprt, xdr_void, NULL);
1318 *no_dispatch = TRUE;
1319 ASSERT(client_data->ref_cnt > 0);
1320 client_data->ref_cnt--;
1321 client_data->stale = TRUE;
1322 mutex_exit(&client_data->clm);
1323 return (AUTH_OK);
1324
1325 error2:
1326 ASSERT(client_data->ref_cnt > 0);
1327 client_data->ref_cnt--;
1328 client_data->stale = TRUE;
1329 mutex_exit(&client_data->clm);
1330 return (ret);
1331 }
1332
1333 /*
1334 * Server side authentication for RPCSEC_GSS.
1335 */
1336 enum auth_stat
__svcrpcsec_gss(struct svc_req * rqst,struct rpc_msg * msg,bool_t * no_dispatch)1337 __svcrpcsec_gss(
1338 struct svc_req *rqst,
1339 struct rpc_msg *msg,
1340 bool_t *no_dispatch)
1341 {
1342 XDR xdrs;
1343 rpc_gss_creds creds;
1344 struct opaque_auth *cred;
1345 int ret;
1346
1347 *no_dispatch = FALSE;
1348
1349 /*
1350 * Initialize response verifier to NULL verifier. If
1351 * necessary, this will be changed later.
1352 */
1353 rqst->rq_xprt->xp_verf.oa_flavor = AUTH_NONE;
1354 rqst->rq_xprt->xp_verf.oa_base = NULL;
1355 rqst->rq_xprt->xp_verf.oa_length = 0;
1356
1357 /*
1358 * Pull out and check credential and verifier.
1359 */
1360 cred = &msg->rm_call.cb_cred;
1361
1362 if (cred->oa_length == 0) {
1363 RPCGSS_LOG0(1, "_svcrpcsec_gss: zero length cred\n");
1364 return (AUTH_BADCRED);
1365 }
1366
1367 xdrmem_create(&xdrs, cred->oa_base, cred->oa_length, XDR_DECODE);
1368 bzero((char *)&creds, sizeof (creds));
1369 if (!__xdr_rpc_gss_creds(&xdrs, &creds)) {
1370 XDR_DESTROY(&xdrs);
1371 RPCGSS_LOG0(1, "_svcrpcsec_gss: can't decode creds\n");
1372 ret = AUTH_BADCRED;
1373 return (AUTH_BADCRED);
1374 }
1375 XDR_DESTROY(&xdrs);
1376
1377 switch (creds.gss_proc) {
1378 case RPCSEC_GSS_INIT:
1379 ret = rpcsec_gss_init(rqst, msg, creds, no_dispatch, NULL);
1380 break;
1381 case RPCSEC_GSS_CONTINUE_INIT:
1382 ret = rpcsec_gss_continue_init(rqst, msg, creds, no_dispatch);
1383 break;
1384 case RPCSEC_GSS_DATA:
1385 ret = rpcsec_gss_data(rqst, msg, creds, no_dispatch);
1386 break;
1387 case RPCSEC_GSS_DESTROY:
1388 ret = rpcsec_gss_destroy(rqst, creds, no_dispatch);
1389 break;
1390 default:
1391 cmn_err(CE_NOTE, "__svcrpcsec_gss: bad proc=%d",
1392 creds.gss_proc);
1393 ret = AUTH_BADCRED;
1394 }
1395
1396 if (creds.ctx_handle.length != 0)
1397 xdr_free(__xdr_rpc_gss_creds, (caddr_t)&creds);
1398 return (ret);
1399 }
1400
1401 /*
1402 * Check verifier. The verifier is the checksum of the RPC header
1403 * upto and including the credentials field.
1404 */
1405
1406 /* ARGSUSED */
1407 static bool_t
check_verf(struct rpc_msg * msg,gss_ctx_id_t context,int * qop_state,uid_t uid)1408 check_verf(struct rpc_msg *msg, gss_ctx_id_t context, int *qop_state, uid_t uid)
1409 {
1410 int *buf, *tmp;
1411 char hdr[128];
1412 struct opaque_auth *oa;
1413 int len;
1414 gss_buffer_desc msg_buf;
1415 gss_buffer_desc tok_buf;
1416 OM_uint32 gssstat, minor_stat;
1417
1418 /*
1419 * We have to reconstruct the RPC header from the previously
1420 * parsed information, since we haven't kept the header intact.
1421 */
1422
1423 oa = &msg->rm_call.cb_cred;
1424 if (oa->oa_length > MAX_AUTH_BYTES)
1425 return (FALSE);
1426
1427 /* 8 XDR units from the IXDR macro calls. */
1428 if (sizeof (hdr) < (8 * BYTES_PER_XDR_UNIT +
1429 RNDUP(oa->oa_length)))
1430 return (FALSE);
1431 buf = (int *)hdr;
1432 IXDR_PUT_U_INT32(buf, msg->rm_xid);
1433 IXDR_PUT_ENUM(buf, msg->rm_direction);
1434 IXDR_PUT_U_INT32(buf, msg->rm_call.cb_rpcvers);
1435 IXDR_PUT_U_INT32(buf, msg->rm_call.cb_prog);
1436 IXDR_PUT_U_INT32(buf, msg->rm_call.cb_vers);
1437 IXDR_PUT_U_INT32(buf, msg->rm_call.cb_proc);
1438 IXDR_PUT_ENUM(buf, oa->oa_flavor);
1439 IXDR_PUT_U_INT32(buf, oa->oa_length);
1440 if (oa->oa_length) {
1441 len = RNDUP(oa->oa_length);
1442 tmp = buf;
1443 buf += len / sizeof (int);
1444 *(buf - 1) = 0;
1445 (void) bcopy(oa->oa_base, (caddr_t)tmp, oa->oa_length);
1446 }
1447 len = ((char *)buf) - hdr;
1448 msg_buf.length = len;
1449 msg_buf.value = hdr;
1450 oa = &msg->rm_call.cb_verf;
1451 tok_buf.length = oa->oa_length;
1452 tok_buf.value = oa->oa_base;
1453
1454 gssstat = kgss_verify(&minor_stat, context, &msg_buf, &tok_buf,
1455 qop_state);
1456 if (gssstat != GSS_S_COMPLETE) {
1457 RPCGSS_LOG(1, "check_verf: kgss_verify status 0x%x\n", gssstat);
1458
1459 RPCGSS_LOG(4, "check_verf: msg_buf length %d\n", len);
1460 RPCGSS_LOG(4, "check_verf: msg_buf value 0x%x\n", *(int *)hdr);
1461 RPCGSS_LOG(4, "check_verf: tok_buf length %ld\n",
1462 tok_buf.length);
1463 RPCGSS_LOG(4, "check_verf: tok_buf value 0x%p\n",
1464 (void *)oa->oa_base);
1465 RPCGSS_LOG(4, "check_verf: context 0x%p\n", (void *)context);
1466
1467 return (FALSE);
1468 }
1469 return (TRUE);
1470 }
1471
1472
1473 /*
1474 * Set response verifier. This is the checksum of the given number.
1475 * (e.g. sequence number or sequence window)
1476 */
1477 static bool_t
set_response_verf(rqst,msg,cl,num)1478 set_response_verf(rqst, msg, cl, num)
1479 struct svc_req *rqst;
1480 struct rpc_msg *msg;
1481 svc_rpc_gss_data *cl;
1482 uint_t num;
1483 {
1484 OM_uint32 minor;
1485 gss_buffer_desc in_buf, out_buf;
1486 uint_t num_net;
1487
1488 num_net = (uint_t)htonl(num);
1489 in_buf.length = sizeof (num);
1490 in_buf.value = (char *)&num_net;
1491 /* XXX uid ? */
1492
1493 if ((kgss_sign(&minor, cl->context, cl->qop, &in_buf,
1494 &out_buf)) != GSS_S_COMPLETE)
1495 return (FALSE);
1496
1497 rqst->rq_xprt->xp_verf.oa_flavor = RPCSEC_GSS;
1498 rqst->rq_xprt->xp_verf.oa_base = msg->rm_call.cb_verf.oa_base;
1499 rqst->rq_xprt->xp_verf.oa_length = out_buf.length;
1500 bcopy(out_buf.value, rqst->rq_xprt->xp_verf.oa_base, out_buf.length);
1501 (void) gss_release_buffer(&minor, &out_buf);
1502 return (TRUE);
1503 }
1504
1505 /*
1506 * Create client context.
1507 */
1508 static svc_rpc_gss_data *
create_client()1509 create_client()
1510 {
1511 svc_rpc_gss_data *client_data;
1512 static uint_t key = 1;
1513
1514 client_data = (svc_rpc_gss_data *) kmem_cache_alloc(svc_data_handle,
1515 KM_SLEEP);
1516 if (client_data == NULL)
1517 return (NULL);
1518
1519 /*
1520 * set up client data structure
1521 */
1522 client_data->next = NULL;
1523 client_data->prev = NULL;
1524 client_data->lru_next = NULL;
1525 client_data->lru_prev = NULL;
1526 client_data->client_name.length = 0;
1527 client_data->client_name.value = NULL;
1528 client_data->seq_num = 0;
1529 bzero(client_data->seq_bits, sizeof (client_data->seq_bits));
1530 client_data->key = 0;
1531 client_data->cookie = NULL;
1532 bzero(&client_data->u_cred, sizeof (client_data->u_cred));
1533 client_data->established = FALSE;
1534 client_data->locked = FALSE;
1535 client_data->u_cred_set = 0;
1536 client_data->context = GSS_C_NO_CONTEXT;
1537 client_data->expiration = GSS_C_INDEFINITE;
1538 client_data->deleg = GSS_C_NO_CREDENTIAL;
1539 client_data->ref_cnt = 1;
1540 client_data->last_ref_time = gethrestime_sec();
1541 client_data->qop = GSS_C_QOP_DEFAULT;
1542 client_data->done_docallback = FALSE;
1543 client_data->stale = FALSE;
1544 client_data->retrans_data = NULL;
1545 bzero(&client_data->raw_cred, sizeof (client_data->raw_cred));
1546
1547 /*
1548 * The client context handle is a 32-bit key (unsigned int).
1549 * The key is incremented until there is no duplicate for it.
1550 */
1551
1552 svc_rpc_gss_cache_stats.total_entries_allocated++;
1553 mutex_enter(&ctx_mutex);
1554 for (;;) {
1555 client_data->key = key++;
1556 if (find_client(client_data->key) == NULL) {
1557 insert_client(client_data);
1558 mutex_exit(&ctx_mutex);
1559 return (client_data);
1560 }
1561 }
1562 /*NOTREACHED*/
1563 }
1564
1565 /*
1566 * Insert client context into hash list and LRU list.
1567 */
1568 static void
insert_client(client_data)1569 insert_client(client_data)
1570 svc_rpc_gss_data *client_data;
1571 {
1572 svc_rpc_gss_data *cl;
1573 int index = HASH(client_data->key);
1574
1575 ASSERT(mutex_owned(&ctx_mutex));
1576
1577 client_data->prev = NULL;
1578 cl = clients[index];
1579 if ((client_data->next = cl) != NULL)
1580 cl->prev = client_data;
1581 clients[index] = client_data;
1582
1583 client_data->lru_prev = NULL;
1584 if ((client_data->lru_next = lru_first) != NULL)
1585 lru_first->lru_prev = client_data;
1586 else
1587 lru_last = client_data;
1588 lru_first = client_data;
1589
1590 num_gss_contexts++;
1591 }
1592
1593 /*
1594 * Fetch a client, given the client context handle. Move it to the
1595 * top of the LRU list since this is the most recently used context.
1596 */
1597 static svc_rpc_gss_data *
get_client(ctx_handle)1598 get_client(ctx_handle)
1599 gss_buffer_t ctx_handle;
1600 {
1601 uint_t key = *(uint_t *)ctx_handle->value;
1602 svc_rpc_gss_data *cl;
1603
1604 mutex_enter(&ctx_mutex);
1605 if ((cl = find_client(key)) != NULL) {
1606 mutex_enter(&cl->clm);
1607 if (cl->stale) {
1608 if (cl->ref_cnt == 0) {
1609 mutex_exit(&cl->clm);
1610 destroy_client(cl);
1611 } else {
1612 mutex_exit(&cl->clm);
1613 }
1614 mutex_exit(&ctx_mutex);
1615 return (NULL);
1616 }
1617 cl->ref_cnt++;
1618 cl->last_ref_time = gethrestime_sec();
1619 mutex_exit(&cl->clm);
1620 if (cl != lru_first) {
1621 cl->lru_prev->lru_next = cl->lru_next;
1622 if (cl->lru_next != NULL)
1623 cl->lru_next->lru_prev = cl->lru_prev;
1624 else
1625 lru_last = cl->lru_prev;
1626 cl->lru_prev = NULL;
1627 cl->lru_next = lru_first;
1628 lru_first->lru_prev = cl;
1629 lru_first = cl;
1630 }
1631 }
1632 mutex_exit(&ctx_mutex);
1633 return (cl);
1634 }
1635
1636 /*
1637 * Given the client context handle, find the context corresponding to it.
1638 * Don't change its LRU state since it may not be used.
1639 */
1640 static svc_rpc_gss_data *
find_client(key)1641 find_client(key)
1642 uint_t key;
1643 {
1644 int index = HASH(key);
1645 svc_rpc_gss_data *cl = NULL;
1646
1647 ASSERT(mutex_owned(&ctx_mutex));
1648
1649 for (cl = clients[index]; cl != NULL; cl = cl->next) {
1650 if (cl->key == key)
1651 break;
1652 }
1653 return (cl);
1654 }
1655
1656 /*
1657 * Destroy a client context.
1658 */
1659 static void
destroy_client(client_data)1660 destroy_client(client_data)
1661 svc_rpc_gss_data *client_data;
1662 {
1663 OM_uint32 minor;
1664 int index = HASH(client_data->key);
1665
1666 ASSERT(mutex_owned(&ctx_mutex));
1667
1668 /*
1669 * remove from hash list
1670 */
1671 if (client_data->prev == NULL)
1672 clients[index] = client_data->next;
1673 else
1674 client_data->prev->next = client_data->next;
1675 if (client_data->next != NULL)
1676 client_data->next->prev = client_data->prev;
1677
1678 /*
1679 * remove from LRU list
1680 */
1681 if (client_data->lru_prev == NULL)
1682 lru_first = client_data->lru_next;
1683 else
1684 client_data->lru_prev->lru_next = client_data->lru_next;
1685 if (client_data->lru_next != NULL)
1686 client_data->lru_next->lru_prev = client_data->lru_prev;
1687 else
1688 lru_last = client_data->lru_prev;
1689
1690 /*
1691 * If there is a GSS context, clean up GSS state.
1692 */
1693 if (client_data->context != GSS_C_NO_CONTEXT) {
1694 (void) kgss_delete_sec_context(&minor, &client_data->context,
1695 NULL);
1696
1697 common_client_data_free(client_data);
1698
1699 if (client_data->deleg != GSS_C_NO_CREDENTIAL) {
1700 (void) kgss_release_cred(&minor, &client_data->deleg,
1701 crgetuid(CRED()));
1702 }
1703 }
1704
1705 if (client_data->u_cred.gidlist != NULL) {
1706 kmem_free((char *)client_data->u_cred.gidlist,
1707 client_data->u_cred.gidlen * sizeof (gid_t));
1708 client_data->u_cred.gidlist = NULL;
1709 }
1710 if (client_data->retrans_data != NULL)
1711 retrans_del(client_data);
1712
1713 kmem_cache_free(svc_data_handle, client_data);
1714 num_gss_contexts--;
1715 }
1716
1717 /*
1718 * Check for expired and stale client contexts.
1719 */
1720 static void
sweep_clients(bool_t from_reclaim)1721 sweep_clients(bool_t from_reclaim)
1722 {
1723 svc_rpc_gss_data *cl, *next;
1724 time_t last_reference_needed;
1725 time_t now = gethrestime_sec();
1726
1727 ASSERT(mutex_owned(&ctx_mutex));
1728
1729 last_reference_needed = now - (from_reclaim ?
1730 svc_rpc_gss_active_delta : svc_rpc_gss_inactive_delta);
1731
1732 cl = lru_last;
1733 while (cl) {
1734 /*
1735 * We assume here that any manipulation of the LRU pointers
1736 * and hash bucket pointers are only done when holding the
1737 * ctx_mutex.
1738 */
1739 next = cl->lru_prev;
1740
1741 mutex_enter(&cl->clm);
1742
1743 if ((cl->expiration != GSS_C_INDEFINITE &&
1744 cl->expiration <= now) || cl->stale ||
1745 cl->last_ref_time <= last_reference_needed) {
1746
1747 if ((cl->expiration != GSS_C_INDEFINITE &&
1748 cl->expiration <= now) || cl->stale ||
1749 (cl->last_ref_time <= last_reference_needed &&
1750 cl->ref_cnt == 0)) {
1751
1752 cl->stale = TRUE;
1753
1754 if (cl->ref_cnt == 0) {
1755 mutex_exit(&cl->clm);
1756 if (from_reclaim)
1757 svc_rpc_gss_cache_stats.
1758 no_returned_by_reclaim++;
1759 destroy_client(cl);
1760 } else
1761 mutex_exit(&cl->clm);
1762 } else
1763 mutex_exit(&cl->clm);
1764 } else
1765 mutex_exit(&cl->clm);
1766
1767 cl = next;
1768 }
1769
1770 last_swept = gethrestime_sec();
1771 }
1772
1773 /*
1774 * Encrypt the serialized arguments from xdr_func applied to xdr_ptr
1775 * and write the result to xdrs.
1776 */
1777 static bool_t
svc_rpc_gss_wrap(auth,out_xdrs,xdr_func,xdr_ptr)1778 svc_rpc_gss_wrap(auth, out_xdrs, xdr_func, xdr_ptr)
1779 SVCAUTH *auth;
1780 XDR *out_xdrs;
1781 bool_t (*xdr_func)();
1782 caddr_t xdr_ptr;
1783 {
1784 svc_rpc_gss_parms_t *gss_parms = SVCAUTH_GSSPARMS(auth);
1785 bool_t ret;
1786
1787 /*
1788 * If context is not established, or if neither integrity nor
1789 * privacy service is used, don't wrap - just XDR encode.
1790 * Otherwise, wrap data using service and QOP parameters.
1791 */
1792 if (!gss_parms->established ||
1793 gss_parms->service == rpc_gss_svc_none)
1794 return ((*xdr_func)(out_xdrs, xdr_ptr));
1795
1796 ret = __rpc_gss_wrap_data(gss_parms->service,
1797 (OM_uint32)gss_parms->qop_rcvd,
1798 (gss_ctx_id_t)gss_parms->context,
1799 gss_parms->seq_num,
1800 out_xdrs, xdr_func, xdr_ptr);
1801 return (ret);
1802 }
1803
1804 /*
1805 * Decrypt the serialized arguments and XDR decode them.
1806 */
1807 static bool_t
svc_rpc_gss_unwrap(auth,in_xdrs,xdr_func,xdr_ptr)1808 svc_rpc_gss_unwrap(auth, in_xdrs, xdr_func, xdr_ptr)
1809 SVCAUTH *auth;
1810 XDR *in_xdrs;
1811 bool_t (*xdr_func)();
1812 caddr_t xdr_ptr;
1813 {
1814 svc_rpc_gss_parms_t *gss_parms = SVCAUTH_GSSPARMS(auth);
1815
1816 /*
1817 * If context is not established, or if neither integrity nor
1818 * privacy service is used, don't unwrap - just XDR decode.
1819 * Otherwise, unwrap data.
1820 */
1821 if (!gss_parms->established ||
1822 gss_parms->service == rpc_gss_svc_none)
1823 return ((*xdr_func)(in_xdrs, xdr_ptr));
1824
1825 return (__rpc_gss_unwrap_data(gss_parms->service,
1826 (gss_ctx_id_t)gss_parms->context,
1827 gss_parms->seq_num,
1828 gss_parms->qop_rcvd,
1829 in_xdrs, xdr_func, xdr_ptr));
1830 }
1831
1832
1833 /* ARGSUSED */
1834 int
rpc_gss_svc_max_data_length(struct svc_req * req,int max_tp_unit_len)1835 rpc_gss_svc_max_data_length(struct svc_req *req, int max_tp_unit_len)
1836 {
1837 return (0);
1838 }
1839
1840 /*
1841 * Add retransmit entry to the context cache entry for a new xid.
1842 * If there is already an entry, delete it before adding the new one.
1843 */
retrans_add(client,xid,result)1844 static void retrans_add(client, xid, result)
1845 svc_rpc_gss_data *client;
1846 uint32_t xid;
1847 rpc_gss_init_res *result;
1848 {
1849 retrans_entry *rdata;
1850
1851 if (client->retrans_data && client->retrans_data->xid == xid)
1852 return;
1853
1854 rdata = kmem_zalloc(sizeof (*rdata), KM_SLEEP);
1855
1856 if (rdata == NULL)
1857 return;
1858
1859 rdata->xid = xid;
1860 rdata->result = *result;
1861
1862 if (result->token.length != 0) {
1863 GSS_DUP_BUFFER(rdata->result.token, result->token);
1864 }
1865
1866 if (client->retrans_data)
1867 retrans_del(client);
1868
1869 client->retrans_data = rdata;
1870 }
1871
1872 /*
1873 * Delete the retransmit data from the context cache entry.
1874 */
retrans_del(client)1875 static void retrans_del(client)
1876 svc_rpc_gss_data *client;
1877 {
1878 retrans_entry *rdata;
1879 OM_uint32 minor_stat;
1880
1881 if (client->retrans_data == NULL)
1882 return;
1883
1884 rdata = client->retrans_data;
1885 if (rdata->result.token.length != 0) {
1886 (void) gss_release_buffer(&minor_stat, &rdata->result.token);
1887 }
1888
1889 kmem_free((caddr_t)rdata, sizeof (*rdata));
1890 client->retrans_data = NULL;
1891 }
1892
1893 /*
1894 * This function frees the following fields of svc_rpc_gss_data:
1895 * client_name, raw_cred.client_principal, raw_cred.mechanism.
1896 */
1897 static void
common_client_data_free(svc_rpc_gss_data * client_data)1898 common_client_data_free(svc_rpc_gss_data *client_data)
1899 {
1900 if (client_data->client_name.length > 0) {
1901 (void) gss_release_buffer(NULL, &client_data->client_name);
1902 }
1903
1904 if (client_data->raw_cred.client_principal) {
1905 kmem_free((caddr_t)client_data->raw_cred.client_principal,
1906 client_data->raw_cred.client_principal->len +
1907 sizeof (int));
1908 client_data->raw_cred.client_principal = NULL;
1909 }
1910
1911 /*
1912 * In the user GSS-API library, mechanism (mech_type returned
1913 * by gss_accept_sec_context) is static storage, however
1914 * since all the work is done for gss_accept_sec_context under
1915 * gssd, what is returned in the kernel, is a copy from the oid
1916 * obtained under from gssd, so need to free it when destroying
1917 * the client data.
1918 */
1919
1920 if (client_data->raw_cred.mechanism) {
1921 kgss_free_oid(client_data->raw_cred.mechanism);
1922 client_data->raw_cred.mechanism = NULL;
1923 }
1924 }
1925