2 * SPDX-License-Identifier: BSD-3-Clause
4 * Copyright (c) 2008 Doug Rabson
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 RPCSEC_GSS client routines.
33 Copyright (c) 2000 The Regents of the University of Michigan.
36 Copyright (c) 2000 Dug Song <dugsong@UMICH.EDU>.
37 All rights reserved, all wrongs reversed.
39 Redistribution and use in source and binary forms, with or without
40 modification, are permitted provided that the following conditions
43 1. Redistributions of source code must retain the above copyright
44 notice, this list of conditions and the following disclaimer.
45 2. Redistributions in binary form must reproduce the above copyright
46 notice, this list of conditions and the following disclaimer in the
47 documentation and/or other materials provided with the distribution.
48 3. Neither the name of the University nor the names of its
49 contributors may be used to endorse or promote products derived
50 from this software without specific prior written permission.
52 THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
53 WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
54 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
55 DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
56 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
57 CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
58 SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
59 BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
60 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
61 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
62 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
64 $Id: auth_gss.c,v 1.32 2002/01/15 15:43:00 andros Exp $
67 #include <sys/cdefs.h>
68 __FBSDID("$FreeBSD$");
70 #include <sys/param.h>
71 #include <sys/systm.h>
73 #include <sys/kernel.h>
76 #include <sys/malloc.h>
78 #include <sys/mutex.h>
80 #include <sys/refcount.h>
82 #include <sys/ucred.h>
85 #include <rpc/rpcsec_gss.h>
87 #include <kgssapi/krb5/kcrypto.h>
89 #include "rpcsec_gss_int.h"
91 static void rpc_gss_nextverf(AUTH*);
92 static bool_t rpc_gss_marshal(AUTH *, uint32_t, XDR *, struct mbuf *);
93 static bool_t rpc_gss_init(AUTH *auth, rpc_gss_options_ret_t *options_ret);
94 static bool_t rpc_gss_refresh(AUTH *, void *);
95 static bool_t rpc_gss_validate(AUTH *, uint32_t, struct opaque_auth *,
97 static void rpc_gss_destroy(AUTH *);
98 static void rpc_gss_destroy_context(AUTH *, bool_t);
100 static struct auth_ops rpc_gss_ops = {
108 enum rpcsec_gss_state {
111 RPCSEC_GSS_ESTABLISHED,
112 RPCSEC_GSS_DESTROYING
115 struct rpc_pending_request {
116 uint32_t pr_xid; /* XID of rpc */
117 uint32_t pr_seq; /* matching GSS seq */
118 LIST_ENTRY(rpc_pending_request) pr_link;
120 LIST_HEAD(rpc_pending_request_list, rpc_pending_request);
122 struct rpc_gss_data {
123 volatile u_int gd_refs; /* number of current users */
126 AUTH *gd_auth; /* link back to AUTH */
127 struct ucred *gd_ucred; /* matching local cred */
128 char *gd_principal; /* server principal name */
129 char *gd_clntprincipal; /* client principal name */
130 rpc_gss_options_req_t gd_options; /* GSS context options */
131 enum rpcsec_gss_state gd_state; /* connection state */
132 gss_buffer_desc gd_verf; /* save GSS_S_COMPLETE
133 * NULL RPC verfier to
135 * context negotiation */
136 CLIENT *gd_clnt; /* client handle */
137 gss_OID gd_mech; /* mechanism to use */
138 gss_qop_t gd_qop; /* quality of protection */
139 gss_ctx_id_t gd_ctx; /* context id */
140 struct rpc_gss_cred gd_cred; /* client credentials */
141 uint32_t gd_seq; /* next sequence number */
142 u_int gd_win; /* sequence window */
143 struct rpc_pending_request_list gd_reqs;
144 TAILQ_ENTRY(rpc_gss_data) gd_link;
145 TAILQ_ENTRY(rpc_gss_data) gd_alllink;
147 TAILQ_HEAD(rpc_gss_data_list, rpc_gss_data);
149 #define AUTH_PRIVATE(auth) ((struct rpc_gss_data *)auth->ah_private)
151 static struct timeval AUTH_TIMEOUT = { 25, 0 };
153 #define RPC_GSS_HASH_SIZE 11
154 #define RPC_GSS_MAX 256
155 static struct rpc_gss_data_list rpc_gss_cache[RPC_GSS_HASH_SIZE];
156 static struct rpc_gss_data_list rpc_gss_all;
157 static struct sx rpc_gss_lock;
158 static int rpc_gss_count;
160 static AUTH *rpc_gss_seccreate_int(CLIENT *, struct ucred *, const char *,
161 const char *, gss_OID, rpc_gss_service_t, u_int, rpc_gss_options_req_t *,
162 rpc_gss_options_ret_t *);
165 rpc_gss_hashinit(void *dummy)
169 for (i = 0; i < RPC_GSS_HASH_SIZE; i++)
170 TAILQ_INIT(&rpc_gss_cache[i]);
171 TAILQ_INIT(&rpc_gss_all);
172 sx_init(&rpc_gss_lock, "rpc_gss_lock");
174 SYSINIT(rpc_gss_hashinit, SI_SUB_KMEM, SI_ORDER_ANY, rpc_gss_hashinit, NULL);
177 rpc_gss_hash(const char *principal, gss_OID mech,
178 struct ucred *cred, rpc_gss_service_t service)
182 h = HASHSTEP(HASHINIT, cred->cr_uid);
183 h = hash32_str(principal, h);
184 h = hash32_buf(mech->elements, mech->length, h);
185 h = HASHSTEP(h, (int) service);
187 return (h % RPC_GSS_HASH_SIZE);
191 * Simplified interface to create a security association for the
192 * current thread's * ucred.
195 rpc_gss_secfind(CLIENT *clnt, struct ucred *cred, const char *principal,
196 gss_OID mech_oid, rpc_gss_service_t service)
200 struct rpc_gss_data *gd, *tgd;
201 rpc_gss_options_ret_t options;
203 if (rpc_gss_count > RPC_GSS_MAX) {
204 while (rpc_gss_count > RPC_GSS_MAX) {
205 sx_xlock(&rpc_gss_lock);
206 tgd = TAILQ_FIRST(&rpc_gss_all);
208 TAILQ_REMOVE(&rpc_gss_cache[th], tgd, gd_link);
209 TAILQ_REMOVE(&rpc_gss_all, tgd, gd_alllink);
211 sx_xunlock(&rpc_gss_lock);
212 AUTH_DESTROY(tgd->gd_auth);
217 * See if we already have an AUTH which matches.
219 h = rpc_gss_hash(principal, mech_oid, cred, service);
222 sx_slock(&rpc_gss_lock);
223 TAILQ_FOREACH(gd, &rpc_gss_cache[h], gd_link) {
224 if (gd->gd_ucred->cr_uid == cred->cr_uid
225 && !strcmp(gd->gd_principal, principal)
226 && gd->gd_mech == mech_oid
227 && gd->gd_cred.gc_svc == service) {
228 refcount_acquire(&gd->gd_refs);
229 if (sx_try_upgrade(&rpc_gss_lock)) {
231 * Keep rpc_gss_all LRU sorted.
233 TAILQ_REMOVE(&rpc_gss_all, gd, gd_alllink);
234 TAILQ_INSERT_TAIL(&rpc_gss_all, gd,
236 sx_xunlock(&rpc_gss_lock);
238 sx_sunlock(&rpc_gss_lock);
242 * If the state != ESTABLISHED, try and initialize
243 * the authenticator again. This will happen if the
244 * user's credentials have expired. It may succeed now,
245 * if they have done a kinit or similar.
247 if (gd->gd_state != RPCSEC_GSS_ESTABLISHED) {
248 memset(&options, 0, sizeof (options));
249 (void) rpc_gss_init(gd->gd_auth, &options);
251 return (gd->gd_auth);
254 sx_sunlock(&rpc_gss_lock);
257 * We missed in the cache - create a new association.
259 auth = rpc_gss_seccreate_int(clnt, cred, NULL, principal, mech_oid,
260 service, GSS_C_QOP_DEFAULT, NULL, NULL);
264 gd = AUTH_PRIVATE(auth);
267 sx_xlock(&rpc_gss_lock);
268 TAILQ_FOREACH(tgd, &rpc_gss_cache[h], gd_link) {
269 if (tgd->gd_ucred->cr_uid == cred->cr_uid
270 && !strcmp(tgd->gd_principal, principal)
271 && tgd->gd_mech == mech_oid
272 && tgd->gd_cred.gc_svc == service) {
274 * We lost a race to create the AUTH that
277 sx_xunlock(&rpc_gss_lock);
284 TAILQ_INSERT_TAIL(&rpc_gss_cache[h], gd, gd_link);
285 TAILQ_INSERT_TAIL(&rpc_gss_all, gd, gd_alllink);
286 refcount_acquire(&gd->gd_refs); /* one for the cache, one for user */
287 sx_xunlock(&rpc_gss_lock);
293 rpc_gss_secpurge(CLIENT *clnt)
296 struct rpc_gss_data *gd, *tgd;
298 TAILQ_FOREACH_SAFE(gd, &rpc_gss_all, gd_alllink, tgd) {
299 if (gd->gd_clnt == clnt) {
300 sx_xlock(&rpc_gss_lock);
302 TAILQ_REMOVE(&rpc_gss_cache[h], gd, gd_link);
303 TAILQ_REMOVE(&rpc_gss_all, gd, gd_alllink);
305 sx_xunlock(&rpc_gss_lock);
306 AUTH_DESTROY(gd->gd_auth);
312 rpc_gss_seccreate(CLIENT *clnt, struct ucred *cred, const char *clnt_principal,
313 const char *principal, const char *mechanism, rpc_gss_service_t service,
314 const char *qop, rpc_gss_options_req_t *options_req,
315 rpc_gss_options_ret_t *options_ret)
321 * Bail out now if we don't know this mechanism.
323 if (!rpc_gss_mech_to_oid(mechanism, &oid))
327 if (!rpc_gss_qop_to_num(qop, mechanism, &qop_num))
330 qop_num = GSS_C_QOP_DEFAULT;
333 return (rpc_gss_seccreate_int(clnt, cred, clnt_principal, principal,
334 oid, service, qop_num, options_req, options_ret));
338 rpc_gss_refresh_auth(AUTH *auth)
340 struct rpc_gss_data *gd;
341 rpc_gss_options_ret_t options;
343 gd = AUTH_PRIVATE(auth);
345 * If the state != ESTABLISHED, try and initialize
346 * the authenticator again. This will happen if the
347 * user's credentials have expired. It may succeed now,
348 * if they have done a kinit or similar.
350 if (gd->gd_state != RPCSEC_GSS_ESTABLISHED) {
351 memset(&options, 0, sizeof (options));
352 (void) rpc_gss_init(auth, &options);
357 rpc_gss_seccreate_int(CLIENT *clnt, struct ucred *cred,
358 const char *clnt_principal, const char *principal, gss_OID mech_oid,
359 rpc_gss_service_t service, u_int qop_num,
360 rpc_gss_options_req_t *options_req, rpc_gss_options_ret_t *options_ret)
363 rpc_gss_options_ret_t options;
364 struct rpc_gss_data *gd;
367 * If the caller doesn't want the options, point at local
368 * storage to simplify the code below.
371 options_ret = &options;
374 * Default service is integrity.
376 if (service == rpc_gss_svc_default)
377 service = rpc_gss_svc_integrity;
379 memset(options_ret, 0, sizeof(*options_ret));
381 rpc_gss_log_debug("in rpc_gss_seccreate()");
383 memset(&rpc_createerr, 0, sizeof(rpc_createerr));
385 auth = mem_alloc(sizeof(*auth));
387 rpc_createerr.cf_stat = RPC_SYSTEMERROR;
388 rpc_createerr.cf_error.re_errno = ENOMEM;
391 gd = mem_alloc(sizeof(*gd));
393 rpc_createerr.cf_stat = RPC_SYSTEMERROR;
394 rpc_createerr.cf_error.re_errno = ENOMEM;
395 mem_free(auth, sizeof(*auth));
399 auth->ah_ops = &rpc_gss_ops;
400 auth->ah_private = (caddr_t) gd;
401 auth->ah_cred.oa_flavor = RPCSEC_GSS;
403 refcount_init(&gd->gd_refs, 1);
404 mtx_init(&gd->gd_lock, "gd->gd_lock", NULL, MTX_DEF);
406 gd->gd_ucred = crdup(cred);
407 gd->gd_principal = strdup(principal, M_RPC);
408 if (clnt_principal != NULL)
409 gd->gd_clntprincipal = strdup(clnt_principal, M_RPC);
411 gd->gd_clntprincipal = NULL;
415 gd->gd_options = *options_req;
417 gd->gd_options.req_flags = GSS_C_MUTUAL_FLAG;
418 gd->gd_options.time_req = 0;
419 gd->gd_options.my_cred = GSS_C_NO_CREDENTIAL;
420 gd->gd_options.input_channel_bindings = NULL;
424 gd->gd_ctx = GSS_C_NO_CONTEXT;
425 gd->gd_mech = mech_oid;
426 gd->gd_qop = qop_num;
428 gd->gd_cred.gc_version = RPCSEC_GSS_VERSION;
429 gd->gd_cred.gc_proc = RPCSEC_GSS_INIT;
430 gd->gd_cred.gc_seq = 0;
431 gd->gd_cred.gc_svc = service;
432 LIST_INIT(&gd->gd_reqs);
434 if (!rpc_gss_init(auth, options_ret)) {
446 rpc_gss_set_defaults(AUTH *auth, rpc_gss_service_t service, const char *qop)
448 struct rpc_gss_data *gd;
450 const char *mechanism;
452 gd = AUTH_PRIVATE(auth);
453 if (!rpc_gss_oid_to_mech(gd->gd_mech, &mechanism)) {
458 if (!rpc_gss_qop_to_num(qop, mechanism, &qop_num)) {
462 qop_num = GSS_C_QOP_DEFAULT;
465 gd->gd_cred.gc_svc = service;
466 gd->gd_qop = qop_num;
471 rpc_gss_purge_xid(struct rpc_gss_data *gd, uint32_t xid)
473 struct rpc_pending_request *pr, *npr;
474 struct rpc_pending_request_list reqs;
477 mtx_lock(&gd->gd_lock);
478 LIST_FOREACH_SAFE(pr, &gd->gd_reqs, pr_link, npr) {
479 if (pr->pr_xid == xid) {
480 LIST_REMOVE(pr, pr_link);
481 LIST_INSERT_HEAD(&reqs, pr, pr_link);
485 mtx_unlock(&gd->gd_lock);
487 LIST_FOREACH_SAFE(pr, &reqs, pr_link, npr) {
488 mem_free(pr, sizeof(*pr));
493 rpc_gss_alloc_seq(struct rpc_gss_data *gd)
497 mtx_lock(&gd->gd_lock);
500 mtx_unlock(&gd->gd_lock);
506 rpc_gss_nextverf(__unused AUTH *auth)
513 rpc_gss_marshal(AUTH *auth, uint32_t xid, XDR *xdrs, struct mbuf *args)
515 struct rpc_gss_data *gd;
516 struct rpc_pending_request *pr;
519 struct rpc_gss_cred gsscred;
520 char credbuf[MAX_AUTH_BYTES];
521 struct opaque_auth creds, verf;
522 gss_buffer_desc rpcbuf, checksum;
523 OM_uint32 maj_stat, min_stat;
526 rpc_gss_log_debug("in rpc_gss_marshal()");
528 gd = AUTH_PRIVATE(auth);
530 gsscred = gd->gd_cred;
531 seq = rpc_gss_alloc_seq(gd);
532 gsscred.gc_seq = seq;
534 xdrmem_create(&tmpxdrs, credbuf, sizeof(credbuf), XDR_ENCODE);
535 if (!xdr_rpc_gss_cred(&tmpxdrs, &gsscred)) {
536 XDR_DESTROY(&tmpxdrs);
537 _rpc_gss_set_error(RPC_GSS_ER_SYSTEMERROR, ENOMEM);
540 creds.oa_flavor = RPCSEC_GSS;
541 creds.oa_base = credbuf;
542 creds.oa_length = XDR_GETPOS(&tmpxdrs);
543 XDR_DESTROY(&tmpxdrs);
545 xdr_opaque_auth(xdrs, &creds);
547 if (gd->gd_cred.gc_proc == RPCSEC_GSS_INIT ||
548 gd->gd_cred.gc_proc == RPCSEC_GSS_CONTINUE_INIT) {
549 if (!xdr_opaque_auth(xdrs, &_null_auth)) {
550 _rpc_gss_set_error(RPC_GSS_ER_SYSTEMERROR, ENOMEM);
553 xdrmbuf_append(xdrs, args);
557 * Keep track of this XID + seq pair so that we can do
558 * the matching gss_verify_mic in AUTH_VALIDATE.
560 pr = mem_alloc(sizeof(struct rpc_pending_request));
561 mtx_lock(&gd->gd_lock);
564 LIST_INSERT_HEAD(&gd->gd_reqs, pr, pr_link);
565 mtx_unlock(&gd->gd_lock);
568 * Checksum serialized RPC header, up to and including
569 * credential. For the in-kernel environment, we
570 * assume that our XDR stream is on a contiguous
571 * memory buffer (e.g. an mbuf).
573 rpcbuf.length = XDR_GETPOS(xdrs);
575 rpcbuf.value = XDR_INLINE(xdrs, rpcbuf.length);
577 maj_stat = gss_get_mic(&min_stat, gd->gd_ctx, gd->gd_qop,
580 if (maj_stat != GSS_S_COMPLETE) {
581 rpc_gss_log_status("gss_get_mic", gd->gd_mech,
583 if (maj_stat == GSS_S_CONTEXT_EXPIRED) {
584 rpc_gss_destroy_context(auth, TRUE);
586 _rpc_gss_set_error(RPC_GSS_ER_SYSTEMERROR, EPERM);
590 verf.oa_flavor = RPCSEC_GSS;
591 verf.oa_base = checksum.value;
592 verf.oa_length = checksum.length;
594 xdr_stat = xdr_opaque_auth(xdrs, &verf);
595 gss_release_buffer(&min_stat, &checksum);
597 _rpc_gss_set_error(RPC_GSS_ER_SYSTEMERROR, ENOMEM);
600 if (gd->gd_state != RPCSEC_GSS_ESTABLISHED ||
601 gd->gd_cred.gc_svc == rpc_gss_svc_none) {
602 xdrmbuf_append(xdrs, args);
605 if (!xdr_rpc_gss_wrap_data(&args,
606 gd->gd_ctx, gd->gd_qop, gd->gd_cred.gc_svc,
609 xdrmbuf_append(xdrs, args);
618 rpc_gss_validate(AUTH *auth, uint32_t xid, struct opaque_auth *verf,
619 struct mbuf **resultsp)
621 struct rpc_gss_data *gd;
622 struct rpc_pending_request *pr, *npr;
623 struct rpc_pending_request_list reqs;
626 gss_buffer_desc signbuf, checksum;
627 OM_uint32 maj_stat, min_stat;
629 rpc_gss_log_debug("in rpc_gss_validate()");
631 gd = AUTH_PRIVATE(auth);
634 * The client will call us with a NULL verf when it gives up
638 rpc_gss_purge_xid(gd, xid);
642 if (gd->gd_state == RPCSEC_GSS_CONTEXT) {
644 * Save the on the wire verifier to validate last INIT
645 * phase packet after decode if the major status is
648 if (gd->gd_verf.value)
649 xdr_free((xdrproc_t) xdr_gss_buffer_desc,
650 (char *) &gd->gd_verf);
651 gd->gd_verf.value = mem_alloc(verf->oa_length);
652 if (gd->gd_verf.value == NULL) {
653 printf("gss_validate: out of memory\n");
654 _rpc_gss_set_error(RPC_GSS_ER_SYSTEMERROR, ENOMEM);
659 memcpy(gd->gd_verf.value, verf->oa_base, verf->oa_length);
660 gd->gd_verf.length = verf->oa_length;
666 * We need to check the verifier against all the requests
667 * we've send for this XID - for unreliable protocols, we
668 * retransmit with the same XID but different sequence
669 * number. We temporarily take this set of requests out of the
670 * list so that we can work through the list without having to
673 mtx_lock(&gd->gd_lock);
675 LIST_FOREACH_SAFE(pr, &gd->gd_reqs, pr_link, npr) {
676 if (pr->pr_xid == xid) {
677 LIST_REMOVE(pr, pr_link);
678 LIST_INSERT_HEAD(&reqs, pr, pr_link);
681 mtx_unlock(&gd->gd_lock);
682 LIST_FOREACH(pr, &reqs, pr_link) {
683 if (pr->pr_xid == xid) {
686 signbuf.value = #
687 signbuf.length = sizeof(num);
689 checksum.value = verf->oa_base;
690 checksum.length = verf->oa_length;
692 maj_stat = gss_verify_mic(&min_stat, gd->gd_ctx,
693 &signbuf, &checksum, &qop_state);
694 if (maj_stat != GSS_S_COMPLETE
695 || qop_state != gd->gd_qop) {
698 if (maj_stat == GSS_S_CONTEXT_EXPIRED) {
699 rpc_gss_destroy_context(auth, TRUE);
702 //rpc_gss_purge_reqs(gd, seq);
703 LIST_FOREACH_SAFE(pr, &reqs, pr_link, npr)
704 mem_free(pr, sizeof(*pr));
706 if (gd->gd_cred.gc_svc == rpc_gss_svc_none) {
709 if (!xdr_rpc_gss_unwrap_data(resultsp,
710 gd->gd_ctx, gd->gd_qop,
711 gd->gd_cred.gc_svc, seq)) {
720 * We didn't match - put back any entries for this XID so that
721 * a future call to validate can retry.
723 mtx_lock(&gd->gd_lock);
724 LIST_FOREACH_SAFE(pr, &reqs, pr_link, npr) {
725 LIST_REMOVE(pr, pr_link);
726 LIST_INSERT_HEAD(&gd->gd_reqs, pr, pr_link);
728 mtx_unlock(&gd->gd_lock);
731 * Nothing matches - give up.
733 _rpc_gss_set_error(RPC_GSS_ER_SYSTEMERROR, EPERM);
740 rpc_gss_init(AUTH *auth, rpc_gss_options_ret_t *options_ret)
742 struct thread *td = curthread;
743 struct ucred *crsave;
744 struct rpc_gss_data *gd;
745 struct rpc_gss_init_res gr;
746 gss_buffer_desc principal_desc;
747 gss_buffer_desc *recv_tokenp, recv_token, send_token;
749 OM_uint32 maj_stat, min_stat, call_stat;
751 struct rpc_callextra ext;
753 gss_OID_set mechlist;
755 rpc_gss_log_debug("in rpc_gss_refresh()");
757 gd = AUTH_PRIVATE(auth);
759 mtx_lock(&gd->gd_lock);
761 * If the context isn't in START state, someone else is
762 * refreshing - we wait till they are done. If they fail, they
763 * will put the state back to START and we can try (most
764 * likely to also fail).
766 while (gd->gd_state != RPCSEC_GSS_START
767 && gd->gd_state != RPCSEC_GSS_ESTABLISHED) {
768 msleep(gd, &gd->gd_lock, 0, "gssstate", 0);
770 if (gd->gd_state == RPCSEC_GSS_ESTABLISHED) {
771 mtx_unlock(&gd->gd_lock);
774 gd->gd_state = RPCSEC_GSS_CONTEXT;
775 mtx_unlock(&gd->gd_lock);
777 gd->gd_cred.gc_proc = RPCSEC_GSS_INIT;
778 gd->gd_cred.gc_seq = 0;
781 * For KerberosV, if there is a client principal name, that implies
782 * that this is a host based initiator credential in the default
783 * keytab file. For this case, it is necessary to do a
784 * gss_acquire_cred(). When this is done, the gssd daemon will
785 * do the equivalent of "kinit -k" to put a TGT for the name in
786 * the credential cache file for the gssd daemon.
788 if (gd->gd_clntprincipal != NULL &&
789 rpc_gss_mech_to_oid("kerberosv5", &mech_oid) &&
790 gd->gd_mech == mech_oid) {
791 /* Get rid of any old credential. */
792 if (gd->gd_options.my_cred != GSS_C_NO_CREDENTIAL) {
793 gss_release_cred(&min_stat, &gd->gd_options.my_cred);
794 gd->gd_options.my_cred = GSS_C_NO_CREDENTIAL;
798 * The mechanism must be set to KerberosV for acquisition
799 * of credentials to work reliably.
801 maj_stat = gss_create_empty_oid_set(&min_stat, &mechlist);
802 if (maj_stat != GSS_S_COMPLETE) {
803 options_ret->major_status = maj_stat;
804 options_ret->minor_status = min_stat;
807 maj_stat = gss_add_oid_set_member(&min_stat, gd->gd_mech,
809 if (maj_stat != GSS_S_COMPLETE) {
810 options_ret->major_status = maj_stat;
811 options_ret->minor_status = min_stat;
812 gss_release_oid_set(&min_stat, &mechlist);
816 principal_desc.value = (void *)gd->gd_clntprincipal;
817 principal_desc.length = strlen(gd->gd_clntprincipal);
818 maj_stat = gss_import_name(&min_stat, &principal_desc,
819 GSS_C_NT_HOSTBASED_SERVICE, &name);
820 if (maj_stat != GSS_S_COMPLETE) {
821 options_ret->major_status = maj_stat;
822 options_ret->minor_status = min_stat;
823 gss_release_oid_set(&min_stat, &mechlist);
826 /* Acquire the credentials. */
827 maj_stat = gss_acquire_cred(&min_stat, name, 0,
828 mechlist, GSS_C_INITIATE,
829 &gd->gd_options.my_cred, NULL, NULL);
830 gss_release_name(&min_stat, &name);
831 gss_release_oid_set(&min_stat, &mechlist);
832 if (maj_stat != GSS_S_COMPLETE) {
833 options_ret->major_status = maj_stat;
834 options_ret->minor_status = min_stat;
839 principal_desc.value = (void *)gd->gd_principal;
840 principal_desc.length = strlen(gd->gd_principal);
841 maj_stat = gss_import_name(&min_stat, &principal_desc,
842 GSS_C_NT_HOSTBASED_SERVICE, &name);
843 if (maj_stat != GSS_S_COMPLETE) {
844 options_ret->major_status = maj_stat;
845 options_ret->minor_status = min_stat;
849 /* GSS context establishment loop. */
850 memset(&recv_token, 0, sizeof(recv_token));
851 memset(&gr, 0, sizeof(gr));
852 memset(options_ret, 0, sizeof(*options_ret));
853 options_ret->major_status = GSS_S_FAILURE;
854 recv_tokenp = GSS_C_NO_BUFFER;
857 crsave = td->td_ucred;
858 td->td_ucred = gd->gd_ucred;
859 maj_stat = gss_init_sec_context(&min_stat,
860 gd->gd_options.my_cred,
864 gd->gd_options.req_flags,
865 gd->gd_options.time_req,
866 gd->gd_options.input_channel_bindings,
868 &gd->gd_mech, /* used mech */
870 &options_ret->ret_flags,
871 &options_ret->time_req);
872 td->td_ucred = crsave;
875 * Free the token which we got from the server (if
876 * any). Remember that this was allocated by XDR, not
879 if (recv_tokenp != GSS_C_NO_BUFFER) {
880 xdr_free((xdrproc_t) xdr_gss_buffer_desc,
881 (char *) &recv_token);
882 recv_tokenp = GSS_C_NO_BUFFER;
884 if (gd->gd_mech && rpc_gss_oid_to_mech(gd->gd_mech, &mech)) {
885 strlcpy(options_ret->actual_mechanism,
887 sizeof(options_ret->actual_mechanism));
889 if (maj_stat != GSS_S_COMPLETE &&
890 maj_stat != GSS_S_CONTINUE_NEEDED) {
891 rpc_gss_log_status("gss_init_sec_context", gd->gd_mech,
893 options_ret->major_status = maj_stat;
894 options_ret->minor_status = min_stat;
897 if (send_token.length != 0) {
898 memset(&gr, 0, sizeof(gr));
900 bzero(&ext, sizeof(ext));
902 call_stat = CLNT_CALL_EXT(gd->gd_clnt, &ext, NULLPROC,
903 (xdrproc_t)xdr_gss_buffer_desc,
905 (xdrproc_t)xdr_rpc_gss_init_res,
906 (caddr_t)&gr, AUTH_TIMEOUT);
908 gss_release_buffer(&min_stat, &send_token);
910 if (call_stat != RPC_SUCCESS)
913 if (gr.gr_major != GSS_S_COMPLETE &&
914 gr.gr_major != GSS_S_CONTINUE_NEEDED) {
915 rpc_gss_log_status("server reply", gd->gd_mech,
916 gr.gr_major, gr.gr_minor);
917 options_ret->major_status = gr.gr_major;
918 options_ret->minor_status = gr.gr_minor;
923 * Save the server's gr_handle value, freeing
924 * what we have already (remember that this
925 * was allocated by XDR, not GSS-API).
927 if (gr.gr_handle.length != 0) {
928 xdr_free((xdrproc_t) xdr_gss_buffer_desc,
929 (char *) &gd->gd_cred.gc_handle);
930 gd->gd_cred.gc_handle = gr.gr_handle;
934 * Save the server's token as well.
936 if (gr.gr_token.length != 0) {
937 recv_token = gr.gr_token;
938 recv_tokenp = &recv_token;
942 * Since we have copied out all the bits of gr
943 * which XDR allocated for us, we don't need
946 gd->gd_cred.gc_proc = RPCSEC_GSS_CONTINUE_INIT;
949 if (maj_stat == GSS_S_COMPLETE) {
950 gss_buffer_desc bufin;
951 u_int seq, qop_state = 0;
954 * gss header verifier,
955 * usually checked in gss_validate
957 seq = htonl(gr.gr_win);
958 bufin.value = (unsigned char *)&seq;
959 bufin.length = sizeof(seq);
961 maj_stat = gss_verify_mic(&min_stat, gd->gd_ctx,
962 &bufin, &gd->gd_verf, &qop_state);
964 if (maj_stat != GSS_S_COMPLETE ||
965 qop_state != gd->gd_qop) {
966 rpc_gss_log_status("gss_verify_mic", gd->gd_mech,
968 if (maj_stat == GSS_S_CONTEXT_EXPIRED) {
969 rpc_gss_destroy_context(auth, TRUE);
971 _rpc_gss_set_error(RPC_GSS_ER_SYSTEMERROR,
973 options_ret->major_status = maj_stat;
974 options_ret->minor_status = min_stat;
978 options_ret->major_status = GSS_S_COMPLETE;
979 options_ret->minor_status = 0;
980 options_ret->rpcsec_version = gd->gd_cred.gc_version;
981 options_ret->gss_context = gd->gd_ctx;
983 gd->gd_cred.gc_proc = RPCSEC_GSS_DATA;
985 gd->gd_win = gr.gr_win;
990 gss_release_name(&min_stat, &name);
991 xdr_free((xdrproc_t) xdr_gss_buffer_desc,
992 (char *) &gd->gd_verf);
995 /* End context negotiation loop. */
996 if (gd->gd_cred.gc_proc != RPCSEC_GSS_DATA) {
997 rpc_createerr.cf_stat = RPC_AUTHERROR;
998 _rpc_gss_set_error(RPC_GSS_ER_SYSTEMERROR, EPERM);
1000 gss_delete_sec_context(&min_stat, &gd->gd_ctx,
1003 mtx_lock(&gd->gd_lock);
1004 gd->gd_state = RPCSEC_GSS_START;
1006 mtx_unlock(&gd->gd_lock);
1010 mtx_lock(&gd->gd_lock);
1011 gd->gd_state = RPCSEC_GSS_ESTABLISHED;
1013 mtx_unlock(&gd->gd_lock);
1019 rpc_gss_refresh(AUTH *auth, void *msg)
1021 struct rpc_msg *reply = (struct rpc_msg *) msg;
1022 rpc_gss_options_ret_t options;
1023 struct rpc_gss_data *gd;
1025 gd = AUTH_PRIVATE(auth);
1028 * If the context is in DESTROYING state, then just return, since
1029 * there is no point in refreshing the credentials.
1031 mtx_lock(&gd->gd_lock);
1032 if (gd->gd_state == RPCSEC_GSS_DESTROYING) {
1033 mtx_unlock(&gd->gd_lock);
1036 mtx_unlock(&gd->gd_lock);
1039 * If the error was RPCSEC_GSS_CREDPROBLEM of
1040 * RPCSEC_GSS_CTXPROBLEM we start again from scratch. All
1041 * other errors are fatal.
1043 if (reply->rm_reply.rp_stat == MSG_DENIED
1044 && reply->rm_reply.rp_rjct.rj_stat == AUTH_ERROR
1045 && (reply->rm_reply.rp_rjct.rj_why == RPCSEC_GSS_CREDPROBLEM
1046 || reply->rm_reply.rp_rjct.rj_why == RPCSEC_GSS_CTXPROBLEM)) {
1047 rpc_gss_destroy_context(auth, FALSE);
1048 memset(&options, 0, sizeof(options));
1049 return (rpc_gss_init(auth, &options));
1056 rpc_gss_destroy_context(AUTH *auth, bool_t send_destroy)
1058 struct rpc_gss_data *gd;
1059 struct rpc_pending_request *pr;
1061 struct rpc_callextra ext;
1063 rpc_gss_log_debug("in rpc_gss_destroy_context()");
1065 gd = AUTH_PRIVATE(auth);
1067 mtx_lock(&gd->gd_lock);
1069 * If the context isn't in ESTABISHED state, someone else is
1070 * destroying/refreshing - we wait till they are done.
1072 if (gd->gd_state != RPCSEC_GSS_ESTABLISHED) {
1073 while (gd->gd_state != RPCSEC_GSS_START
1074 && gd->gd_state != RPCSEC_GSS_ESTABLISHED)
1075 msleep(gd, &gd->gd_lock, 0, "gssstate", 0);
1076 mtx_unlock(&gd->gd_lock);
1079 gd->gd_state = RPCSEC_GSS_DESTROYING;
1080 mtx_unlock(&gd->gd_lock);
1083 gd->gd_cred.gc_proc = RPCSEC_GSS_DESTROY;
1084 bzero(&ext, sizeof(ext));
1086 CLNT_CALL_EXT(gd->gd_clnt, &ext, NULLPROC,
1087 (xdrproc_t)xdr_void, NULL,
1088 (xdrproc_t)xdr_void, NULL, AUTH_TIMEOUT);
1091 while ((pr = LIST_FIRST(&gd->gd_reqs)) != NULL) {
1092 LIST_REMOVE(pr, pr_link);
1093 mem_free(pr, sizeof(*pr));
1097 * Free the context token. Remember that this was
1098 * allocated by XDR, not GSS-API.
1100 xdr_free((xdrproc_t) xdr_gss_buffer_desc,
1101 (char *) &gd->gd_cred.gc_handle);
1102 gd->gd_cred.gc_handle.length = 0;
1104 if (gd->gd_ctx != GSS_C_NO_CONTEXT)
1105 gss_delete_sec_context(&min_stat, &gd->gd_ctx, NULL);
1107 mtx_lock(&gd->gd_lock);
1108 gd->gd_state = RPCSEC_GSS_START;
1110 mtx_unlock(&gd->gd_lock);
1114 rpc_gss_destroy(AUTH *auth)
1116 struct rpc_gss_data *gd;
1118 rpc_gss_log_debug("in rpc_gss_destroy()");
1120 gd = AUTH_PRIVATE(auth);
1122 if (!refcount_release(&gd->gd_refs))
1125 rpc_gss_destroy_context(auth, TRUE);
1127 CLNT_RELEASE(gd->gd_clnt);
1128 crfree(gd->gd_ucred);
1129 free(gd->gd_principal, M_RPC);
1130 if (gd->gd_clntprincipal != NULL)
1131 free(gd->gd_clntprincipal, M_RPC);
1132 if (gd->gd_verf.value)
1133 xdr_free((xdrproc_t) xdr_gss_buffer_desc,
1134 (char *) &gd->gd_verf);
1135 mtx_destroy(&gd->gd_lock);
1137 mem_free(gd, sizeof(*gd));
1138 mem_free(auth, sizeof(*auth));
1142 rpc_gss_max_data_length(AUTH *auth, int max_tp_unit_len)
1144 struct rpc_gss_data *gd;
1147 OM_uint32 maj_stat, min_stat;
1150 gd = AUTH_PRIVATE(auth);
1152 switch (gd->gd_cred.gc_svc) {
1153 case rpc_gss_svc_none:
1154 return (max_tp_unit_len);
1157 case rpc_gss_svc_default:
1158 case rpc_gss_svc_integrity:
1162 case rpc_gss_svc_privacy:
1170 maj_stat = gss_wrap_size_limit(&min_stat, gd->gd_ctx, want_conf,
1171 gd->gd_qop, max_tp_unit_len, &max);
1173 if (maj_stat == GSS_S_COMPLETE) {
1179 rpc_gss_log_status("gss_wrap_size_limit", gd->gd_mech,
1180 maj_stat, min_stat);