/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 * Copyright (c) 2011 Bayard G. Bell. All rights reserved.
 *
 * A module for Kerberos V5 security mechanism.
 *
 */

#include <sys/types.h>
#include <sys/modctl.h>
#include <sys/errno.h>
#include <mechglueP.h>
#include <gssapiP_krb5.h>
#include <gssapi_err_generic.h>
#include <gssapi/kgssapi_defs.h>
#include <sys/debug.h>
#include <k5-int.h>

/*
 * mechglue wrappers.
 *
 * Each k5glue_* function adapts the kernel mechglue calling convention
 * (an opaque per-mechanism "ctx" as first argument, unused here) to the
 * matching krb5_gss_* entry point.  Nothing is inspected or validated at
 * this layer; every argument is forwarded as-is to the callee.
 */

static OM_uint32 k5glue_delete_sec_context(void *ctx,
    OM_uint32 *minor_status, gss_ctx_id_t *context_handle,
    gss_buffer_t output_token, OM_uint32 gssd_ctx_verifier);

static OM_uint32 k5glue_sign(void *ctx, OM_uint32 *minor_status,
    gss_ctx_id_t context_handle, int qop_req, gss_buffer_t message_buffer,
    gss_buffer_t message_token, OM_uint32 gssd_ctx_verifier);

static OM_uint32 k5glue_verify(void *ctx, OM_uint32 *minor_status,
    gss_ctx_id_t context_handle, gss_buffer_t message_buffer,
    gss_buffer_t token_buffer, int *qop_state, OM_uint32 gssd_ctx_verifier);

/* EXPORT DELETE START */
static OM_uint32 k5glue_seal(void *ctx, OM_uint32 *minor_status,
    gss_ctx_id_t context_handle, int conf_req_flag, int qop_req,
    gss_buffer_t input_message_buffer, int *conf_state,
    gss_buffer_t output_message_buffer, OM_uint32 gssd_ctx_verifier);

static OM_uint32 k5glue_unseal(void *ctx, OM_uint32 *minor_status,
    gss_ctx_id_t context_handle, gss_buffer_t input_message_buffer,
    gss_buffer_t output_message_buffer, int *conf_state, int *qop_state,
    OM_uint32 gssd_ctx_verifier);
/* EXPORT DELETE END */

static OM_uint32 k5glue_import_sec_context(void *ctx,
    OM_uint32 *minor_status, gss_buffer_t interprocess_token,
    gss_ctx_id_t *context_handle);

/*
 * Mechanism descriptor handed to the kernel mechglue table.
 *
 * The first element is the DER-encoded Kerberos V5 GSS mechanism OID
 * (1.2.840.113554.1.2.2); _init() keys its table lookup on it.  The
 * initializer is positional, so the entries below (and the EXPORT/CRYPT
 * DELETE markers, which the export-stripping step of the build consumes)
 * must stay in exactly this order.
 */
static struct gss_config krb5_mechanism = {
	{9, "\052\206\110\206\367\022\001\002\002"},
	NULL,				/* context */
	NULL,				/* next */
	TRUE,				/* uses_kmod */
/* EXPORT DELETE START */ /* CRYPT DELETE START */
	k5glue_unseal,
/* EXPORT DELETE END */ /* CRYPT DELETE END */
	k5glue_delete_sec_context,
/* EXPORT DELETE START */ /* CRYPT DELETE START */
	k5glue_seal,
/* EXPORT DELETE END */ /* CRYPT DELETE END */
	k5glue_import_sec_context,
/* EXPORT DELETE START */
/* CRYPT DELETE START */
#if 0
/* CRYPT DELETE END */
	k5glue_seal,
	k5glue_unseal,
/* CRYPT DELETE START */
#endif
/* CRYPT DELETE END */
/* EXPORT DELETE END */
	k5glue_sign,
	k5glue_verify,
};

/*
 * Hand out the (static, module-lifetime) mechanism descriptor.
 */
static gss_mechanism
gss_mech_initialize(void)
{
	return (&krb5_mechanism);
}


/*
 * Module linkage information for the kernel.
 */
extern struct mod_ops mod_miscops;

static struct modlmisc modlmisc = {
	&mod_miscops, "Krb5 GSS mechanism"
};

static struct modlinkage modlinkage = {
	MODREV_1,
	(void *)&modlmisc,
	NULL
};


/*
 * Value _fini() reports.  Once _init() has placed &krb5_mechanism in the
 * global mechanism table that table points into this module's data, so
 * unloading is refused (EBUSY).  _init() clears this only when it finds
 * the mechanism already registered by another instance.
 */
static int krb5_fini_code = EBUSY;

/*
 * Kernel module entry point: install the module, then register the
 * Kerberos V5 mechanism with the mechglue unless it is already there.
 * Returns the mod_install() error, or 0 on success (a duplicate
 * registration is not an error).
 */
int
_init(void)
{
	int rc = mod_install(&modlinkage);
	gss_mechanism mech, registered;

	if (rc != 0)
		return (rc);

	mech = gss_mech_initialize();

	/* The global table is shared with other mechanism modules. */
	mutex_enter(&__kgss_mech_lock);
	registered = __kgss_get_mechanism(&mech->mech_type);
	if (registered == NULL) {
		__kgss_add_mechanism(mech);
		ASSERT(__kgss_get_mechanism(&mech->mech_type) == mech);
	} else {
		KRB5_LOG0(KRB5_INFO,
		    "KRB5 GSS mechanism: mechanism already in table.\n");

		if (registered->uses_kmod == TRUE) {
			KRB5_LOG0(KRB5_INFO, "KRB5 GSS mechanism: mechanism "
			    "table supports kernel operations!\n");
		}
		/*
		 * Another instance owns the table entry.  Stay loaded, but
		 * allow unloading so the duplicate can be sorted out.
		 */
		krb5_fini_code = 0;
	}
	mutex_exit(&__kgss_mech_lock);

	return (0);
}

/*
 * Kernel module exit point.  Refuses with krb5_fini_code (EBUSY by
 * default) while this module's descriptor is still referenced from the
 * mechanism table; otherwise removes the module.
 */
int
_fini(void)
{
	if (krb5_fini_code != 0)
		return (krb5_fini_code);
	return (mod_remove(&modlinkage));
}

/*
 * Kernel module info entry point.
 */
int
_info(struct modinfo *modinfop)
{
	return (mod_info(&modlinkage, modinfop));
}

/*
 * Forward to krb5_gss_delete_sec_context.  gssd_ctx_verifier is passed
 * through untouched; what the callee checks it against is not visible
 * here.
 */
/* ARGSUSED */
static OM_uint32
k5glue_delete_sec_context(void *ctx, OM_uint32 *minor_status,
    gss_ctx_id_t *context_handle, gss_buffer_t output_token,
    OM_uint32 gssd_ctx_verifier)
{
	return (krb5_gss_delete_sec_context(minor_status, context_handle,
	    output_token, gssd_ctx_verifier));
}

/*
 * V2: forward to krb5_gss_import_sec_context.  interprocess_token is a
 * serialized security context (presumably produced in user space by gssd
 * — confirm against the caller); all parsing and validation of it happens
 * in the callee, none here.
 */
/* ARGSUSED */
static OM_uint32
k5glue_import_sec_context(void *ctx, OM_uint32 *minor_status,
    gss_buffer_t interprocess_token, gss_ctx_id_t *context_handle)
{
	return (krb5_gss_import_sec_context(minor_status, interprocess_token,
	    context_handle));
}

/* EXPORT DELETE START */
/*
 * V1 only: forward to krb5_gss_seal (wrap with optional confidentiality).
 */
/* ARGSUSED */
static OM_uint32
k5glue_seal(void *ctx, OM_uint32 *minor_status, gss_ctx_id_t context_handle,
    int conf_req_flag, int qop_req, gss_buffer_t input_message_buffer,
    int *conf_state, gss_buffer_t output_message_buffer,
    OM_uint32 gssd_ctx_verifier)
{
	return (krb5_gss_seal(minor_status, context_handle, conf_req_flag,
	    qop_req, input_message_buffer, conf_state, output_message_buffer,
	    gssd_ctx_verifier));
}
/* EXPORT DELETE END */

/*
 * Forward to krb5_gss_sign (integrity token over message_buffer).
 */
/* ARGSUSED */
static OM_uint32
k5glue_sign(void *ctx, OM_uint32 *minor_status, gss_ctx_id_t context_handle,
    int qop_req, gss_buffer_t message_buffer, gss_buffer_t message_token,
    OM_uint32 gssd_ctx_verifier)
{
	return (krb5_gss_sign(minor_status, context_handle, qop_req,
	    message_buffer, message_token, gssd_ctx_verifier));
}

/* EXPORT DELETE START */
/*
 * Forward to krb5_gss_unseal (unwrap; conf_state reports whether the
 * callee found the message to have been encrypted).
 */
/* ARGSUSED */
static OM_uint32
k5glue_unseal(void *ctx, OM_uint32 *minor_status, gss_ctx_id_t context_handle,
    gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer,
    int *conf_state, int *qop_state, OM_uint32 gssd_ctx_verifier)
{
	return (krb5_gss_unseal(minor_status, context_handle,
	    input_message_buffer, output_message_buffer, conf_state,
	    qop_state, gssd_ctx_verifier));
}
/* EXPORT DELETE END */

/*
 * V1 only: forward to krb5_gss_verify (check token_buffer against
 * message_buffer; the result is the callee's return value).
 */
/* ARGSUSED */
static OM_uint32
k5glue_verify(void *ctx, OM_uint32 *minor_status, gss_ctx_id_t context_handle,
    gss_buffer_t message_buffer, gss_buffer_t token_buffer, int *qop_state,
    OM_uint32 gssd_ctx_verifier)
{
	return (krb5_gss_verify(minor_status, context_handle, message_buffer,
	    token_buffer, qop_state, gssd_ctx_verifier));
}