projects / apple / xnu.git / blame
| Commit | Line | Data |
|---|---|---|
| 2d21ac55 | 1 | /* |
| 3e170ce0 | 2 | * Copyright (c) 2007-2015 Apple Inc. All rights reserved. |
| 2d21ac55 A |
3 | * |
| 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ | |
| 0a7de745 | 5 | * |
| 2d21ac55 A |
6 | * This file contains Original Code and/or Modifications of Original Code |
| 7 | * as defined in and that are subject to the Apple Public Source License | |
| 8 | * Version 2.0 (the 'License'). You may not use this file except in | |
| 9 | * compliance with the License. The rights granted to you under the License | |
| 10 | * may not be used to create, or enable the creation or redistribution of, | |
| 11 | * unlawful or unlicensed copies of an Apple operating system, or to | |
| 12 | * circumvent, violate, or enable the circumvention or violation of, any | |
| 13 | * terms of an Apple operating system software license agreement. | |
| 0a7de745 | 14 | * |
| 2d21ac55 A |
15 | * Please obtain a copy of the License at |
| 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. | |
| 0a7de745 | 17 | * |
| 2d21ac55 A |
18 | * The Original Code and all software distributed under the License are |
| 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER | |
| 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, | |
| 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, | |
| 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. | |
| 23 | * Please see the License for the specific language governing rights and | |
| 24 | * limitations under the License. | |
| 0a7de745 | 25 | * |
| 2d21ac55 A |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
| 27 | */ | |
| 28 | ||
| ea3f0419 A |
29 | #include <nfs/nfs_conf.h> |
| 30 | #if CONFIG_NFS | |
| 31 | ||
| 2d21ac55 A |
32 | /************* |
| 33 | * These functions implement RPCSEC_GSS security for the NFS client and server. | |
| 34 | * The code is specific to the use of Kerberos v5 and the use of DES MAC MD5 | |
| 35 | * protection as described in Internet RFC 2203 and 2623. | |
| 36 | * | |
| 37 | * In contrast to the original AUTH_SYS authentication, RPCSEC_GSS is stateful. | |
| 38 | * It requires the client and server negotiate a secure connection as part of a | |
| 39 | * security context. The context state is maintained in client and server structures. | |
| 40 | * On the client side, each user of an NFS mount is assigned their own context, | |
| 41 | * identified by UID, on their first use of the mount, and it persists until the | |
| 42 | * unmount or until the context is renewed. Each user context has a corresponding | |
| 43 | * server context which the server maintains until the client destroys it, or | |
| 44 | * until the context expires. | |
| 45 | * | |
| 46 | * The client and server contexts are set up dynamically. When a user attempts | |
| 47 | * to send an NFS request, if there is no context for the user, then one is | |
| 48 | * set up via an exchange of NFS null procedure calls as described in RFC 2203. | |
| 49 | * During this exchange, the client and server pass a security token that is | |
| 50 | * forwarded via Mach upcall to the gssd, which invokes the GSS-API to authenticate | |
| 51 | * the user to the server (and vice-versa). The client and server also receive | |
| 52 | * a unique session key that can be used to digitally sign the credentials and | |
| 53 | * verifier or optionally to provide data integrity and/or privacy. | |
| 54 | * | |
| 55 | * Once the context is complete, the client and server enter a normal data | |
| 56 | * exchange phase - beginning with the NFS request that prompted the context | |
| 57 | * creation. During this phase, the client's RPC header contains an RPCSEC_GSS | |
| 58 | * credential and verifier, and the server returns a verifier as well. | |
| 59 | * For simple authentication, the verifier contains a signed checksum of the | |
| 60 | * RPC header, including the credential. The server's verifier has a signed | |
| 61 | * checksum of the current sequence number. | |
| 62 | * | |
| 63 | * Each client call contains a sequence number that nominally increases by one | |
| 64 | * on each request. The sequence number is intended to prevent replay attacks. | |
| 65 | * Since the protocol can be used over UDP, there is some allowance for | |
| 66 | * out-of-sequence requests, so the server checks whether the sequence numbers | |
| 67 | * are within a sequence "window". If a sequence number is outside the lower | |
| 68 | * bound of the window, the server silently drops the request. This has some | |
| 69 | * implications for retransmission. If a request needs to be retransmitted, the | |
| 70 | * client must bump the sequence number even if the request XID is unchanged. | |
| 71 | * | |
| 72 | * When the NFS mount is unmounted, the client sends a "destroy" credential | |
| 73 | * to delete the server's context for each user of the mount. Since it's | |
| 74 | * possible for the client to crash or disconnect without sending the destroy | |
| 75 | * message, the server has a thread that reaps contexts that have been idle | |
| 76 | * too long. | |
| 77 | */ | |
| 78 | ||
| 79 | #include <stdint.h> | |
| 80 | #include <sys/param.h> | |
| 81 | #include <sys/systm.h> | |
| 82 | #include <sys/proc.h> | |
| 83 | #include <sys/kauth.h> | |
| 84 | #include <sys/kernel.h> | |
| 85 | #include <sys/mount_internal.h> | |
| 86 | #include <sys/vnode.h> | |
| 87 | #include <sys/ubc.h> | |
| 88 | #include <sys/malloc.h> | |
| 89 | #include <sys/kpi_mbuf.h> | |
| 39236c6e | 90 | #include <sys/ucred.h> |
| 2d21ac55 A |
91 | |
| 92 | #include <kern/host.h> | |
| fe8ab488 | 93 | #include <kern/task.h> |
| 2d21ac55 A |
94 | #include <libkern/libkern.h> |
| 95 | ||
| 96 | #include <mach/task.h> | |
| 316670eb | 97 | #include <mach/host_special_ports.h> |
| 2d21ac55 A |
98 | #include <mach/host_priv.h> |
| 99 | #include <mach/thread_act.h> | |
| 100 | #include <mach/mig_errors.h> | |
| 101 | #include <mach/vm_map.h> | |
| 102 | #include <vm/vm_map.h> | |
| 103 | #include <vm/vm_kern.h> | |
| 104 | #include <gssd/gssd_mach.h> | |
| 105 | ||
| 106 | #include <nfs/rpcv2.h> | |
| 107 | #include <nfs/nfsproto.h> | |
| 108 | #include <nfs/nfs.h> | |
| 109 | #include <nfs/nfsnode.h> | |
| 110 | #include <nfs/nfs_gss.h> | |
| 111 | #include <nfs/nfsmount.h> | |
| 112 | #include <nfs/xdr_subs.h> | |
| 113 | #include <nfs/nfsm_subs.h> | |
| 114 | #include <nfs/nfs_gss.h> | |
| 3e170ce0 A |
115 | #include <mach_assert.h> |
| 116 | #include <kern/assert.h> | |
| 117 | ||
| 118 | #define ASSERT(EX) assert(EX) | |
| b0d623f7 | 119 | |
| 2d21ac55 A |
120 | #define NFS_GSS_MACH_MAX_RETRIES 3 |
| 121 | ||
| 39236c6e A |
122 | #define NFS_GSS_DBG(...) NFS_DBG(NFS_FAC_GSS, 7, ## __VA_ARGS__) |
| 123 | #define NFS_GSS_ISDBG (NFS_DEBUG_FACILITY & NFS_FAC_GSS) | |
| 124 | ||
| b0d623f7 | 125 | |
| ea3f0419 | 126 | #if CONFIG_NFS_SERVER |
| 2d21ac55 A |
127 | u_long nfs_gss_svc_ctx_hash; |
| 128 | struct nfs_gss_svc_ctx_hashhead *nfs_gss_svc_ctx_hashtbl; | |
| 129 | lck_mtx_t *nfs_gss_svc_ctx_mutex; | |
| 130 | lck_grp_t *nfs_gss_svc_grp; | |
| b0d623f7 A |
131 | uint32_t nfsrv_gss_context_ttl = GSS_CTX_EXPIRE; |
| 132 | #define GSS_SVC_CTX_TTL ((uint64_t)max(2*GSS_CTX_PEND, nfsrv_gss_context_ttl) * NSEC_PER_SEC) | |
| ea3f0419 | 133 | #endif /* CONFIG_NFS_SERVER */ |
| 2d21ac55 | 134 | |
| ea3f0419 | 135 | #if CONFIG_NFS_CLIENT |
| 2d21ac55 | 136 | lck_grp_t *nfs_gss_clnt_grp; |
| ea3f0419 | 137 | #endif /* CONFIG_NFS_CLIENT */ |
| 2d21ac55 | 138 | |
| 39037602 A |
139 | #define KRB5_MAX_MIC_SIZE 128 |
| 140 | uint8_t krb5_mech_oid[11] = { 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 }; | |
| 141 | static uint8_t xdrpad[] = { 0x00, 0x00, 0x00, 0x00}; | |
| 2d21ac55 | 142 | |
| ea3f0419 | 143 | #if CONFIG_NFS_CLIENT |
| 0a7de745 A |
144 | static int nfs_gss_clnt_ctx_find(struct nfsreq *); |
| 145 | static int nfs_gss_clnt_ctx_init(struct nfsreq *, struct nfs_gss_clnt_ctx *); | |
| 146 | static int nfs_gss_clnt_ctx_init_retry(struct nfsreq *, struct nfs_gss_clnt_ctx *); | |
| 147 | static int nfs_gss_clnt_ctx_callserver(struct nfsreq *, struct nfs_gss_clnt_ctx *); | |
| 148 | static uint8_t *nfs_gss_clnt_svcname(struct nfsmount *, gssd_nametype *, uint32_t *); | |
| 149 | static int nfs_gss_clnt_gssd_upcall(struct nfsreq *, struct nfs_gss_clnt_ctx *, uint32_t); | |
| 150 | void nfs_gss_clnt_ctx_neg_cache_reap(struct nfsmount *); | |
| 151 | static void nfs_gss_clnt_ctx_clean(struct nfs_gss_clnt_ctx *); | |
| 152 | static int nfs_gss_clnt_ctx_copy(struct nfs_gss_clnt_ctx *, struct nfs_gss_clnt_ctx **); | |
| 153 | static void nfs_gss_clnt_ctx_destroy(struct nfs_gss_clnt_ctx *); | |
| 154 | static void nfs_gss_clnt_log_error(struct nfsreq *, struct nfs_gss_clnt_ctx *, uint32_t, uint32_t); | |
| ea3f0419 | 155 | #endif /* CONFIG_NFS_CLIENT */ |
| 2d21ac55 | 156 | |
| ea3f0419 | 157 | #if CONFIG_NFS_SERVER |
| 2d21ac55 | 158 | static struct nfs_gss_svc_ctx *nfs_gss_svc_ctx_find(uint32_t); |
| 0a7de745 A |
159 | static void nfs_gss_svc_ctx_insert(struct nfs_gss_svc_ctx *); |
| 160 | static void nfs_gss_svc_ctx_timer(void *, void *); | |
| 161 | static int nfs_gss_svc_gssd_upcall(struct nfs_gss_svc_ctx *); | |
| 162 | static int nfs_gss_svc_seqnum_valid(struct nfs_gss_svc_ctx *, uint32_t); | |
| cb323159 A |
163 | |
| 164 | /* This is only used by server code */ | |
| 165 | static void nfs_gss_nfsm_chain(struct nfsm_chain *, mbuf_t); | |
| ea3f0419 | 166 | #endif /* CONFIG_NFS_SERVER */ |
| 2d21ac55 | 167 | |
| 0a7de745 | 168 | static void host_release_special_port(mach_port_t); |
| 316670eb | 169 | static mach_port_t host_copy_special_port(mach_port_t); |
| 0a7de745 A |
170 | static void nfs_gss_mach_alloc_buffer(u_char *, uint32_t, vm_map_copy_t *); |
| 171 | static int nfs_gss_mach_vmcopyout(vm_map_copy_t, uint32_t, u_char *); | |
| 39037602 | 172 | |
| 0a7de745 A |
173 | static int nfs_gss_mchain_length(mbuf_t); |
| 174 | static int nfs_gss_append_chain(struct nfsm_chain *, mbuf_t); | |
| 2d21ac55 | 175 | |
| ea3f0419 | 176 | #if CONFIG_NFS_SERVER |
| 2d21ac55 A |
177 | thread_call_t nfs_gss_svc_ctx_timer_call; |
| 178 | int nfs_gss_timer_on = 0; | |
| 179 | uint32_t nfs_gss_ctx_count = 0; | |
| 180 | const uint32_t nfs_gss_ctx_max = GSS_SVC_MAXCONTEXTS; | |
| ea3f0419 | 181 | #endif /* CONFIG_NFS_SERVER */ |
| 2d21ac55 A |
182 | |
| 183 | /* | |
| 184 | * Initialization when NFS starts | |
| 185 | */ | |
| 186 | void | |
| 187 | nfs_gss_init(void) | |
| 188 | { | |
| ea3f0419 | 189 | #if CONFIG_NFS_CLIENT |
| 2d21ac55 | 190 | nfs_gss_clnt_grp = lck_grp_alloc_init("rpcsec_gss_clnt", LCK_GRP_ATTR_NULL); |
| ea3f0419 | 191 | #endif /* CONFIG_NFS_CLIENT */ |
| 2d21ac55 | 192 | |
| ea3f0419 | 193 | #if CONFIG_NFS_SERVER |
| 0a7de745 | 194 | nfs_gss_svc_grp = lck_grp_alloc_init("rpcsec_gss_svc", LCK_GRP_ATTR_NULL); |
| 2d21ac55 A |
195 | |
| 196 | nfs_gss_svc_ctx_hashtbl = hashinit(SVC_CTX_HASHSZ, M_TEMP, &nfs_gss_svc_ctx_hash); | |
| 197 | nfs_gss_svc_ctx_mutex = lck_mtx_alloc_init(nfs_gss_svc_grp, LCK_ATTR_NULL); | |
| 198 | ||
| 199 | nfs_gss_svc_ctx_timer_call = thread_call_allocate(nfs_gss_svc_ctx_timer, NULL); | |
| ea3f0419 | 200 | #endif /* CONFIG_NFS_SERVER */ |
| 2d21ac55 A |
201 | } |
| 202 | ||
| 39037602 A |
203 | /* |
| 204 | * Common RPCSEC_GSS support routines | |
| 205 | */ | |
| 206 | ||
| 207 | static errno_t | |
| 208 | rpc_gss_prepend_32(mbuf_t *mb, uint32_t value) | |
| 209 | { | |
| 210 | int error; | |
| 211 | uint32_t *data; | |
| 212 | ||
| 213 | #if 0 | |
| 214 | data = mbuf_data(*mb); | |
| 215 | /* | |
| 216 | * If a wap token comes back and is not aligned | |
| 217 | * get a new buffer (which should be aligned) to put the | |
| 218 | * length in. | |
| 219 | */ | |
| 220 | if ((uintptr_t)data & 0x3) { | |
| 221 | mbuf_t nmb; | |
| 222 | ||
| 223 | error = mbuf_get(MBUF_WAITOK, MBUF_TYPE_DATA, &nmb); | |
| 0a7de745 A |
224 | if (error) { |
| 225 | return error; | |
| 226 | } | |
| 39037602 A |
227 | mbuf_setnext(nmb, *mb); |
| 228 | *mb = nmb; | |
| 229 | } | |
| 230 | #endif | |
| 231 | error = mbuf_prepend(mb, sizeof(uint32_t), MBUF_WAITOK); | |
| 0a7de745 A |
232 | if (error) { |
| 233 | return error; | |
| 234 | } | |
| 39037602 A |
235 | |
| 236 | data = mbuf_data(*mb); | |
| 237 | *data = txdr_unsigned(value); | |
| 238 | ||
| 0a7de745 | 239 | return 0; |
| 39037602 A |
240 | } |
| 241 | ||
| 242 | /* | |
| 243 | * Prepend the sequence number to the xdr encode argumen or result | |
| 244 | * Sequence number is prepended in its own mbuf. | |
| 245 | * | |
| 246 | * On successful return mbp_head will point to the old mbuf chain | |
| 247 | * prepended with a new mbuf that has the sequence number. | |
| 248 | */ | |
| 249 | ||
| 250 | static errno_t | |
| 251 | rpc_gss_data_create(mbuf_t *mbp_head, uint32_t seqnum) | |
| 252 | { | |
| 253 | int error; | |
| 254 | mbuf_t mb; | |
| 255 | struct nfsm_chain nmc; | |
| 256 | struct nfsm_chain *nmcp = &nmc; | |
| 257 | uint8_t *data; | |
| 258 | ||
| 259 | error = mbuf_get(MBUF_WAITOK, MBUF_TYPE_DATA, &mb); | |
| 0a7de745 A |
260 | if (error) { |
| 261 | return error; | |
| 262 | } | |
| 39037602 A |
263 | data = mbuf_data(mb); |
| 264 | #if 0 | |
| 265 | /* Reserve space for prepending */ | |
| 266 | len = mbuf_maxlen(mb); | |
| 267 | len = (len & ~0x3) - NFSX_UNSIGNED; | |
| 268 | printf("%s: data = %p, len = %d\n", __func__, data, (int)len); | |
| 269 | error = mbuf_setdata(mb, data + len, 0); | |
| 0a7de745 | 270 | if (error || mbuf_trailingspace(mb)) { |
| 39037602 | 271 | printf("%s: data = %p trailingspace = %d error = %d\n", __func__, mbuf_data(mb), (int)mbuf_trailingspace(mb), error); |
| 0a7de745 | 272 | } |
| 39037602 A |
273 | #endif |
| 274 | /* Reserve 16 words for prepending */ | |
| 0a7de745 | 275 | error = mbuf_setdata(mb, data + 16 * sizeof(uint32_t), 0); |
| 39037602 A |
276 | nfsm_chain_init(nmcp, mb); |
| 277 | nfsm_chain_add_32(error, nmcp, seqnum); | |
| 278 | nfsm_chain_build_done(error, nmcp); | |
| 0a7de745 A |
279 | if (error) { |
| 280 | return EINVAL; | |
| 281 | } | |
| 39037602 A |
282 | mbuf_setnext(nmcp->nmc_mcur, *mbp_head); |
| 283 | *mbp_head = nmcp->nmc_mhead; | |
| 284 | ||
| 0a7de745 | 285 | return 0; |
| 39037602 A |
286 | } |
| 287 | ||
| 288 | /* | |
| 289 | * Create an rpc_gss_integ_data_t given an argument or result in mb_head. | |
| 290 | * On successful return mb_head will point to the rpc_gss_integ_data_t of length len. | |
| 0a7de745 | 291 | * Note mb_head will now point to a 4 byte sequence number. len does not include |
| 39037602 A |
292 | * any extra xdr padding. |
| 293 | * Returns 0 on success, else an errno_t | |
| 294 | */ | |
| 295 | ||
| 296 | static errno_t | |
| 297 | rpc_gss_integ_data_create(gss_ctx_id_t ctx, mbuf_t *mb_head, uint32_t seqnum, uint32_t *len) | |
| 298 | { | |
| 299 | uint32_t error; | |
| 300 | uint32_t major; | |
| 301 | uint32_t length; | |
| 302 | gss_buffer_desc mic; | |
| 303 | struct nfsm_chain nmc; | |
| 304 | ||
| 305 | /* Length of the argument or result */ | |
| 306 | length = nfs_gss_mchain_length(*mb_head); | |
| 0a7de745 | 307 | if (len) { |
| 39037602 | 308 | *len = length; |
| 0a7de745 | 309 | } |
| 39037602 | 310 | error = rpc_gss_data_create(mb_head, seqnum); |
| 0a7de745 A |
311 | if (error) { |
| 312 | return error; | |
| 313 | } | |
| 39037602 A |
314 | |
| 315 | /* | |
| 316 | * length is the length of the rpc_gss_data | |
| 317 | */ | |
| 318 | length += NFSX_UNSIGNED; /* Add the sequence number to the length */ | |
| 319 | major = gss_krb5_get_mic_mbuf(&error, ctx, 0, *mb_head, 0, length, &mic); | |
| 320 | if (major != GSS_S_COMPLETE) { | |
| 321 | printf("gss_krb5_get_mic_mbuf failed %d\n", error); | |
| 0a7de745 | 322 | return error; |
| 39037602 A |
323 | } |
| 324 | ||
| 325 | error = rpc_gss_prepend_32(mb_head, length); | |
| 0a7de745 A |
326 | if (error) { |
| 327 | return error; | |
| 328 | } | |
| 39037602 A |
329 | |
| 330 | nfsm_chain_dissect_init(error, &nmc, *mb_head); | |
| 331 | /* Append GSS mic token by advancing rpc_gss_data_t length + NFSX_UNSIGNED (size of the length field) */ | |
| 332 | nfsm_chain_adv(error, &nmc, length + NFSX_UNSIGNED); | |
| 333 | nfsm_chain_finish_mbuf(error, &nmc); // Force the mic into its own sub chain. | |
| 334 | nfsm_chain_add_32(error, &nmc, mic.length); | |
| 335 | nfsm_chain_add_opaque(error, &nmc, mic.value, mic.length); | |
| 336 | nfsm_chain_build_done(error, &nmc); | |
| 337 | gss_release_buffer(NULL, &mic); | |
| 338 | ||
| 339 | // printmbuf("rpc_gss_integ_data_create done", *mb_head, 0, 0); | |
| 340 | assert(nmc.nmc_mhead == *mb_head); | |
| 341 | ||
| 0a7de745 | 342 | return error; |
| 39037602 A |
343 | } |
| 344 | ||
| 345 | /* | |
| 346 | * Create an rpc_gss_priv_data_t out of the supplied raw arguments or results in mb_head. | |
| 347 | * On successful return mb_head will point to a wrap token of lenght len. | |
| 348 | * Note len does not include any xdr padding | |
| 349 | * Returns 0 on success, else an errno_t | |
| 350 | */ | |
| 351 | static errno_t | |
| 352 | rpc_gss_priv_data_create(gss_ctx_id_t ctx, mbuf_t *mb_head, uint32_t seqnum, uint32_t *len) | |
| 353 | { | |
| 354 | uint32_t error; | |
| 355 | uint32_t major; | |
| 356 | struct nfsm_chain nmc; | |
| 357 | uint32_t pad; | |
| 358 | uint32_t length; | |
| 359 | ||
| 360 | error = rpc_gss_data_create(mb_head, seqnum); | |
| 0a7de745 A |
361 | if (error) { |
| 362 | return error; | |
| 363 | } | |
| 39037602 A |
364 | |
| 365 | length = nfs_gss_mchain_length(*mb_head); | |
| 366 | major = gss_krb5_wrap_mbuf(&error, ctx, 1, 0, mb_head, 0, length, NULL); | |
| 0a7de745 A |
367 | if (major != GSS_S_COMPLETE) { |
| 368 | return error; | |
| 369 | } | |
| 39037602 A |
370 | |
| 371 | length = nfs_gss_mchain_length(*mb_head); | |
| 0a7de745 | 372 | if (len) { |
| 39037602 | 373 | *len = length; |
| 0a7de745 | 374 | } |
| 39037602 A |
375 | pad = nfsm_pad(length); |
| 376 | ||
| 377 | /* Prepend the opaque length of rep rpc_gss_priv_data */ | |
| 378 | error = rpc_gss_prepend_32(mb_head, length); | |
| 379 | ||
| 0a7de745 A |
380 | if (error) { |
| 381 | return error; | |
| 382 | } | |
| 39037602 A |
383 | if (pad) { |
| 384 | nfsm_chain_dissect_init(error, &nmc, *mb_head); | |
| 385 | /* Advance the opauque size of length and length data */ | |
| 386 | nfsm_chain_adv(error, &nmc, NFSX_UNSIGNED + length); | |
| 387 | nfsm_chain_finish_mbuf(error, &nmc); | |
| 388 | nfsm_chain_add_opaque_nopad(error, &nmc, xdrpad, pad); | |
| 389 | nfsm_chain_build_done(error, &nmc); | |
| 390 | } | |
| 391 | ||
| 0a7de745 | 392 | return error; |
| 39037602 A |
393 | } |
| 394 | ||
| ea3f0419 | 395 | #if CONFIG_NFS_CLIENT |
| 2d21ac55 | 396 | |
| 39037602 A |
397 | /* |
| 398 | * Restore the argument or result from an rpc_gss_integ_data mbuf chain | |
| 399 | * We have a four byte seqence number, len arguments, and an opaque | |
| 400 | * encoded mic, possibly followed by some pad bytes. The mic and possible | |
| 401 | * pad bytes are on their own sub mbuf chains. | |
| 402 | * | |
| 403 | * On successful return mb_head is the chain of the xdr args or results sans | |
| 404 | * the sequence number and mic and return 0. Otherwise return an errno. | |
| 405 | * | |
| 406 | */ | |
| 407 | static errno_t | |
| 408 | rpc_gss_integ_data_restore(gss_ctx_id_t ctx __unused, mbuf_t *mb_head, size_t len) | |
| 409 | { | |
| 410 | mbuf_t mb = *mb_head; | |
| 411 | mbuf_t tail = NULL, next; | |
| 412 | ||
| 413 | /* Chop of the opaque length and seq number */ | |
| 414 | mbuf_adj(mb, 2 * NFSX_UNSIGNED); | |
| 415 | ||
| 416 | /* should only be one, ... but */ | |
| 417 | for (; mb; mb = next) { | |
| 418 | next = mbuf_next(mb); | |
| 0a7de745 | 419 | if (mbuf_len(mb) == 0) { |
| 39037602 | 420 | mbuf_free(mb); |
| 0a7de745 | 421 | } else { |
| 39037602 | 422 | break; |
| 0a7de745 | 423 | } |
| 39037602 A |
424 | } |
| 425 | *mb_head = mb; | |
| 426 | ||
| 427 | for (; mb && len; mb = mbuf_next(mb)) { | |
| 428 | tail = mb; | |
| 0a7de745 | 429 | if (mbuf_len(mb) <= len) { |
| 39037602 | 430 | len -= mbuf_len(mb); |
| 0a7de745 A |
431 | } else { |
| 432 | return EBADRPC; | |
| 433 | } | |
| 39037602 A |
434 | } |
| 435 | /* drop the mic */ | |
| 436 | if (tail) { | |
| 0a7de745 A |
437 | mbuf_setnext(tail, NULL); |
| 438 | mbuf_freem(mb); | |
| 39037602 A |
439 | } |
| 440 | ||
| 0a7de745 | 441 | return 0; |
| 39037602 A |
442 | } |
| 443 | ||
| 444 | /* | |
| 445 | * Restore the argument or result rfom an rpc_gss_priv_data mbuf chain | |
| 446 | * mb_head points to the wrap token of length len. | |
| 447 | * | |
| 448 | * On successful return mb_head is our original xdr arg or result an | |
| 449 | * the return value is 0. Otherise return an errno | |
| 450 | */ | |
| 451 | static errno_t | |
| 452 | rpc_gss_priv_data_restore(gss_ctx_id_t ctx, mbuf_t *mb_head, size_t len) | |
| 453 | { | |
| 454 | uint32_t major, error; | |
| 455 | mbuf_t mb = *mb_head, next; | |
| 456 | uint32_t plen; | |
| 457 | size_t length; | |
| 458 | gss_qop_t qop = GSS_C_QOP_REVERSE; | |
| 459 | ||
| 460 | /* Chop of the opaque length */ | |
| 461 | mbuf_adj(mb, NFSX_UNSIGNED); | |
| 462 | /* If we have padding, drop it */ | |
| 463 | plen = nfsm_pad(len); | |
| 464 | if (plen) { | |
| 465 | mbuf_t tail = NULL; | |
| 466 | ||
| 0a7de745 | 467 | for (length = 0; length < len && mb; mb = mbuf_next(mb)) { |
| 39037602 A |
468 | tail = mb; |
| 469 | length += mbuf_len(mb); | |
| 470 | } | |
| 0a7de745 A |
471 | if ((length != len) || (mb == NULL) || (tail == NULL)) { |
| 472 | return EBADRPC; | |
| 473 | } | |
| 39037602 A |
474 | |
| 475 | mbuf_freem(mb); | |
| 476 | mbuf_setnext(tail, NULL); | |
| 477 | } | |
| 478 | ||
| 479 | major = gss_krb5_unwrap_mbuf(&error, ctx, mb_head, 0, len, NULL, &qop); | |
| 480 | if (major != GSS_S_COMPLETE) { | |
| 481 | printf("gss_krb5_unwrap_mbuf failed. major = %d minor = %d\n", (int)major, error); | |
| 0a7de745 | 482 | return error; |
| 39037602 A |
483 | } |
| 484 | mb = *mb_head; | |
| 485 | ||
| 486 | /* Drop the seqence number */ | |
| 487 | mbuf_adj(mb, NFSX_UNSIGNED); | |
| 488 | assert(mbuf_len(mb) == 0); | |
| 489 | ||
| 490 | /* Chop of any empty mbufs */ | |
| 491 | for (mb = *mb_head; mb; mb = next) { | |
| 492 | next = mbuf_next(mb); | |
| 0a7de745 | 493 | if (mbuf_len(mb) == 0) { |
| 39037602 | 494 | mbuf_free(mb); |
| 0a7de745 | 495 | } else { |
| 39037602 | 496 | break; |
| 0a7de745 | 497 | } |
| 39037602 A |
498 | } |
| 499 | *mb_head = mb; | |
| 500 | ||
| 0a7de745 | 501 | return 0; |
| 39037602 A |
502 | } |
| 503 | ||
| 2d21ac55 A |
504 | /* |
| 505 | * Find the context for a particular user. | |
| 506 | * | |
| 507 | * If the context doesn't already exist | |
| 508 | * then create a new context for this user. | |
| 509 | * | |
| 510 | * Note that the code allows superuser (uid == 0) | |
| 511 | * to adopt the context of another user. | |
| 39236c6e A |
512 | * |
| 513 | * We'll match on the audit session ids, since those | |
| 514 | * processes will have acccess to the same credential cache. | |
| 2d21ac55 | 515 | */ |
| 39236c6e A |
516 | |
| 517 | #define kauth_cred_getasid(cred) ((cred)->cr_audit.as_aia_p->ai_asid) | |
| 518 | #define kauth_cred_getauid(cred) ((cred)->cr_audit.as_aia_p->ai_auid) | |
| 519 | ||
| 3e170ce0 A |
520 | #define SAFE_CAST_INTTYPE( type, intval ) \ |
| 521 | ( (type)(intval)/(sizeof(type) < sizeof(intval) ? 0 : 1) ) | |
| 522 | ||
| 523 | uid_t | |
| 524 | nfs_cred_getasid2uid(kauth_cred_t cred) | |
| 525 | { | |
| 526 | uid_t result = SAFE_CAST_INTTYPE(uid_t, kauth_cred_getasid(cred)); | |
| 0a7de745 | 527 | return result; |
| 3e170ce0 A |
528 | } |
| 529 | ||
| fe8ab488 A |
530 | /* |
| 531 | * Debugging | |
| 532 | */ | |
| 533 | static void | |
| 534 | nfs_gss_clnt_ctx_dump(struct nfsmount *nmp) | |
| 535 | { | |
| 536 | struct nfs_gss_clnt_ctx *cp; | |
| 537 | ||
| 538 | lck_mtx_lock(&nmp->nm_lock); | |
| 3e170ce0 | 539 | NFS_GSS_DBG("Enter\n"); |
| fe8ab488 A |
540 | TAILQ_FOREACH(cp, &nmp->nm_gsscl, gss_clnt_entries) { |
| 541 | lck_mtx_lock(cp->gss_clnt_mtx); | |
| 542 | printf("context %d/%d: refcnt = %d, flags = %x\n", | |
| 0a7de745 A |
543 | kauth_cred_getasid(cp->gss_clnt_cred), |
| 544 | kauth_cred_getauid(cp->gss_clnt_cred), | |
| 545 | cp->gss_clnt_refcnt, cp->gss_clnt_flags); | |
| fe8ab488 A |
546 | lck_mtx_unlock(cp->gss_clnt_mtx); |
| 547 | } | |
| 3e170ce0 | 548 | NFS_GSS_DBG("Exit\n"); |
| fe8ab488 A |
549 | lck_mtx_unlock(&nmp->nm_lock); |
| 550 | } | |
| 551 | ||
| 3e170ce0 A |
552 | static char * |
| 553 | nfs_gss_clnt_ctx_name(struct nfsmount *nmp, struct nfs_gss_clnt_ctx *cp, char *buf, int len) | |
| 554 | { | |
| 555 | char *np; | |
| 556 | int nlen; | |
| 557 | const char *server = ""; | |
| 558 | ||
| 0a7de745 | 559 | if (nmp && nmp->nm_mountp) { |
| 3e170ce0 | 560 | server = vfs_statfs(nmp->nm_mountp)->f_mntfromname; |
| 0a7de745 | 561 | } |
| 3e170ce0 A |
562 | |
| 563 | if (cp == NULL) { | |
| 564 | snprintf(buf, len, "[%s] NULL context", server); | |
| 0a7de745 | 565 | return buf; |
| 3e170ce0 A |
566 | } |
| 567 | ||
| 568 | if (cp->gss_clnt_principal && !cp->gss_clnt_display) { | |
| 569 | np = (char *)cp->gss_clnt_principal; | |
| 570 | nlen = cp->gss_clnt_prinlen; | |
| 571 | } else { | |
| 572 | np = cp->gss_clnt_display; | |
| 573 | nlen = np ? strlen(cp->gss_clnt_display) : 0; | |
| 574 | } | |
| 0a7de745 | 575 | if (nlen) { |
| 3e170ce0 | 576 | snprintf(buf, len, "[%s] %.*s %d/%d %s", server, nlen, np, |
| 0a7de745 A |
577 | kauth_cred_getasid(cp->gss_clnt_cred), |
| 578 | kauth_cred_getuid(cp->gss_clnt_cred), | |
| 579 | cp->gss_clnt_principal ? "" : "[from default cred] "); | |
| 580 | } else { | |
| 3e170ce0 | 581 | snprintf(buf, len, "[%s] using default %d/%d ", server, |
| 0a7de745 A |
582 | kauth_cred_getasid(cp->gss_clnt_cred), |
| 583 | kauth_cred_getuid(cp->gss_clnt_cred)); | |
| 584 | } | |
| 585 | return buf; | |
| 3e170ce0 A |
586 | } |
| 587 | ||
| 588 | #define NFS_CTXBUFSZ 80 | |
| 589 | #define NFS_GSS_CTX(req, cp) nfs_gss_clnt_ctx_name((req)->r_nmp, cp ? cp : (req)->r_gss_ctx, CTXBUF, sizeof(CTXBUF)) | |
| 590 | ||
| 0a7de745 A |
591 | #define NFS_GSS_CLNT_CTX_DUMP(nmp) \ |
| 592 | do { \ | |
| 593 | if (NFS_GSS_ISDBG && (NFS_DEBUG_FLAGS & 0x2)) \ | |
| 594 | nfs_gss_clnt_ctx_dump((nmp)); \ | |
| fe8ab488 A |
595 | } while (0) |
| 596 | ||
| 39236c6e A |
597 | static int |
| 598 | nfs_gss_clnt_ctx_cred_match(kauth_cred_t cred1, kauth_cred_t cred2) | |
| 599 | { | |
| 0a7de745 A |
600 | if (kauth_cred_getasid(cred1) == kauth_cred_getasid(cred2)) { |
| 601 | return 1; | |
| 602 | } | |
| 603 | return 0; | |
| 39236c6e A |
604 | } |
| 605 | ||
| 3e170ce0 A |
606 | /* |
| 607 | * Busy the mount for each principal set on the mount | |
| 608 | * so that the automounter will not unmount the file | |
| 609 | * system underneath us. With out this, if an unmount | |
| 610 | * occurs the principal that is set for an audit session | |
| 611 | * will be lost and we may end up with a different identity. | |
| 612 | * | |
| 613 | * Note setting principals on the mount is a bad idea. This | |
| 614 | * really should be handle by KIM (Kerberos Identity Management) | |
| 615 | * so that defaults can be set by service identities. | |
| 616 | */ | |
| 617 | ||
| 618 | static void | |
| 619 | nfs_gss_clnt_mnt_ref(struct nfsmount *nmp) | |
| 620 | { | |
| 621 | int error; | |
| 622 | vnode_t rvp; | |
| 623 | ||
| 624 | if (nmp == NULL || | |
| 0a7de745 | 625 | !(vfs_flags(nmp->nm_mountp) & MNT_AUTOMOUNTED)) { |
| 3e170ce0 | 626 | return; |
| 0a7de745 | 627 | } |
| 3e170ce0 A |
628 | |
| 629 | error = VFS_ROOT(nmp->nm_mountp, &rvp, NULL); | |
| 630 | if (!error) { | |
| 631 | vnode_ref(rvp); | |
| 632 | vnode_put(rvp); | |
| 633 | } | |
| 634 | } | |
| 635 | ||
| 636 | /* | |
| 637 | * Unbusy the mout. See above comment, | |
| 638 | */ | |
| 639 | ||
| 640 | static void | |
| 641 | nfs_gss_clnt_mnt_rele(struct nfsmount *nmp) | |
| 642 | { | |
| 643 | int error; | |
| 644 | vnode_t rvp; | |
| 645 | ||
| 646 | if (nmp == NULL || | |
| 0a7de745 | 647 | !(vfs_flags(nmp->nm_mountp) & MNT_AUTOMOUNTED)) { |
| 3e170ce0 | 648 | return; |
| 0a7de745 | 649 | } |
| 3e170ce0 A |
650 | |
| 651 | error = VFS_ROOT(nmp->nm_mountp, &rvp, NULL); | |
| 652 | if (!error) { | |
| 653 | vnode_rele(rvp); | |
| 654 | vnode_put(rvp); | |
| 655 | } | |
| 656 | } | |
| 657 | ||
| 5ba3f43e | 658 | int nfs_root_steals_ctx = 0; |
| 3e170ce0 | 659 | |
| 2d21ac55 | 660 | static int |
| 3e170ce0 | 661 | nfs_gss_clnt_ctx_find_principal(struct nfsreq *req, uint8_t *principal, uint32_t plen, uint32_t nt) |
| 2d21ac55 A |
662 | { |
| 663 | struct nfsmount *nmp = req->r_nmp; | |
| 664 | struct nfs_gss_clnt_ctx *cp; | |
| 3e170ce0 | 665 | struct nfsreq treq; |
| 2d21ac55 | 666 | int error = 0; |
| fe8ab488 | 667 | struct timeval now; |
| 3e170ce0 A |
668 | char CTXBUF[NFS_CTXBUFSZ]; |
| 669 | ||
| 0a7de745 | 670 | bzero(&treq, sizeof(struct nfsreq)); |
| 3e170ce0 A |
671 | treq.r_nmp = nmp; |
| 672 | ||
| fe8ab488 | 673 | microuptime(&now); |
| 2d21ac55 A |
674 | lck_mtx_lock(&nmp->nm_lock); |
| 675 | TAILQ_FOREACH(cp, &nmp->nm_gsscl, gss_clnt_entries) { | |
| fe8ab488 A |
676 | lck_mtx_lock(cp->gss_clnt_mtx); |
| 677 | if (cp->gss_clnt_flags & GSS_CTX_DESTROY) { | |
| 3e170ce0 | 678 | NFS_GSS_DBG("Found destroyed context %s refcnt = %d continuing\n", |
| 0a7de745 A |
679 | NFS_GSS_CTX(req, cp), |
| 680 | cp->gss_clnt_refcnt); | |
| fe8ab488 A |
681 | lck_mtx_unlock(cp->gss_clnt_mtx); |
| 682 | continue; | |
| 683 | } | |
| 39236c6e | 684 | if (nfs_gss_clnt_ctx_cred_match(cp->gss_clnt_cred, req->r_cred)) { |
| fe8ab488 A |
685 | if (nmp->nm_gsscl.tqh_first != cp) { |
| 686 | TAILQ_REMOVE(&nmp->nm_gsscl, cp, gss_clnt_entries); | |
| 687 | TAILQ_INSERT_HEAD(&nmp->nm_gsscl, cp, gss_clnt_entries); | |
| 688 | } | |
| 3e170ce0 A |
689 | if (principal) { |
| 690 | /* | |
| 691 | * If we have a principal, but it does not match the current cred | |
| 692 | * mark it for removal | |
| 693 | */ | |
| 694 | if (cp->gss_clnt_prinlen != plen || cp->gss_clnt_prinnt != nt || | |
| 695 | bcmp(cp->gss_clnt_principal, principal, plen) != 0) { | |
| 696 | cp->gss_clnt_flags |= (GSS_CTX_INVAL | GSS_CTX_DESTROY); | |
| 697 | cp->gss_clnt_refcnt++; | |
| 698 | lck_mtx_unlock(cp->gss_clnt_mtx); | |
| 699 | NFS_GSS_DBG("Marking %s for deletion because %s does not match\n", | |
| 0a7de745 | 700 | NFS_GSS_CTX(req, cp), principal); |
| 3e170ce0 | 701 | NFS_GSS_DBG("len = (%d,%d), nt = (%d,%d)\n", cp->gss_clnt_prinlen, plen, |
| 0a7de745 | 702 | cp->gss_clnt_prinnt, nt); |
| 3e170ce0 A |
703 | treq.r_gss_ctx = cp; |
| 704 | cp = NULL; | |
| 705 | break; | |
| 706 | } | |
| 707 | } | |
| fe8ab488 | 708 | if (cp->gss_clnt_flags & GSS_CTX_INVAL) { |
| 3e170ce0 A |
709 | /* |
| 710 | * If we're still being used and we're not expired | |
| 711 | * just return and don't bother gssd again. Note if | |
| 712 | * gss_clnt_nctime is zero it is about to be set to now. | |
| 713 | */ | |
| 714 | if (cp->gss_clnt_nctime + GSS_NEG_CACHE_TO >= now.tv_sec || cp->gss_clnt_nctime == 0) { | |
| 715 | NFS_GSS_DBG("Context %s (refcnt = %d) not expired returning EAUTH nctime = %ld now = %ld\n", | |
| 0a7de745 | 716 | NFS_GSS_CTX(req, cp), cp->gss_clnt_refcnt, cp->gss_clnt_nctime, now.tv_sec); |
| 3e170ce0 A |
717 | lck_mtx_unlock(cp->gss_clnt_mtx); |
| 718 | lck_mtx_unlock(&nmp->nm_lock); | |
| 0a7de745 | 719 | return NFSERR_EAUTH; |
| 3e170ce0 A |
720 | } |
| 721 | if (cp->gss_clnt_refcnt) { | |
| 722 | struct nfs_gss_clnt_ctx *ncp; | |
| 723 | /* | |
| 724 | * If this context has references, we can't use it so we mark if for | |
| 725 | * destruction and create a new context based on this one in the | |
| 726 | * same manner as renewing one. | |
| 727 | */ | |
| 728 | cp->gss_clnt_flags |= GSS_CTX_DESTROY; | |
| 729 | NFS_GSS_DBG("Context %s has expired but we still have %d references\n", | |
| 0a7de745 | 730 | NFS_GSS_CTX(req, cp), cp->gss_clnt_refcnt); |
| 39037602 | 731 | error = nfs_gss_clnt_ctx_copy(cp, &ncp); |
| 3e170ce0 A |
732 | lck_mtx_unlock(cp->gss_clnt_mtx); |
| 733 | if (error) { | |
| 734 | lck_mtx_unlock(&nmp->nm_lock); | |
| 0a7de745 | 735 | return error; |
| 3e170ce0 A |
736 | } |
| 737 | cp = ncp; | |
| 738 | break; | |
| 739 | } else { | |
| 0a7de745 | 740 | if (cp->gss_clnt_nctime) { |
| 3e170ce0 | 741 | nmp->nm_ncentries--; |
| 0a7de745 | 742 | } |
| 3e170ce0 A |
743 | lck_mtx_unlock(cp->gss_clnt_mtx); |
| 744 | TAILQ_REMOVE(&nmp->nm_gsscl, cp, gss_clnt_entries); | |
| 745 | break; | |
| 746 | } | |
| fe8ab488 | 747 | } |
| 3e170ce0 A |
748 | /* Found a valid context to return */ |
| 749 | cp->gss_clnt_refcnt++; | |
| 750 | req->r_gss_ctx = cp; | |
| fe8ab488 | 751 | lck_mtx_unlock(cp->gss_clnt_mtx); |
| 6d2010ae | 752 | lck_mtx_unlock(&nmp->nm_lock); |
| 0a7de745 | 753 | return 0; |
| 2d21ac55 | 754 | } |
| fe8ab488 | 755 | lck_mtx_unlock(cp->gss_clnt_mtx); |
| 2d21ac55 A |
756 | } |
| 757 | ||
| 4bd07ac2 | 758 | if (!cp && nfs_root_steals_ctx && principal == NULL && kauth_cred_getuid(req->r_cred) == 0) { |
| 2d21ac55 A |
759 | /* |
| 760 | * If superuser is trying to get access, then co-opt | |
| 761 | * the first valid context in the list. | |
| 762 | * XXX Ultimately, we need to allow superuser to | |
| 763 | * go ahead and attempt to set up its own context | |
| 764 | * in case one is set up for it. | |
| 765 | */ | |
| 766 | TAILQ_FOREACH(cp, &nmp->nm_gsscl, gss_clnt_entries) { | |
| 0a7de745 | 767 | if (!(cp->gss_clnt_flags & (GSS_CTX_INVAL | GSS_CTX_DESTROY))) { |
| 2d21ac55 | 768 | nfs_gss_clnt_ctx_ref(req, cp); |
| 6d2010ae | 769 | lck_mtx_unlock(&nmp->nm_lock); |
| 3e170ce0 | 770 | NFS_GSS_DBG("Root stole context %s\n", NFS_GSS_CTX(req, NULL)); |
| 0a7de745 | 771 | return 0; |
| 2d21ac55 A |
772 | } |
| 773 | } | |
| 774 | } | |
| 775 | ||
| 3e170ce0 | 776 | NFS_GSS_DBG("Context %s%sfound in Neg Cache @ %ld\n", |
| 0a7de745 A |
777 | NFS_GSS_CTX(req, cp), |
| 778 | cp == NULL ? " not " : "", | |
| 779 | cp == NULL ? 0L : cp->gss_clnt_nctime); | |
| 3e170ce0 | 780 | |
| 2d21ac55 | 781 | /* |
| fe8ab488 | 782 | * Not found - create a new context |
| 2d21ac55 | 783 | */ |
| 2d21ac55 | 784 | |
| 2d21ac55 | 785 | if (cp == NULL) { |
| 0a7de745 | 786 | MALLOC(cp, struct nfs_gss_clnt_ctx *, sizeof(*cp), M_TEMP, M_WAITOK | M_ZERO); |
| fe8ab488 A |
787 | if (cp == NULL) { |
| 788 | lck_mtx_unlock(&nmp->nm_lock); | |
| 0a7de745 | 789 | return ENOMEM; |
| fe8ab488 A |
790 | } |
| 791 | cp->gss_clnt_cred = req->r_cred; | |
| 792 | kauth_cred_ref(cp->gss_clnt_cred); | |
| 793 | cp->gss_clnt_mtx = lck_mtx_alloc_init(nfs_gss_clnt_grp, LCK_ATTR_NULL); | |
| 794 | cp->gss_clnt_ptime = now.tv_sec - GSS_PRINT_DELAY; | |
| 3e170ce0 | 795 | if (principal) { |
| 0a7de745 | 796 | MALLOC(cp->gss_clnt_principal, uint8_t *, plen + 1, M_TEMP, M_WAITOK | M_ZERO); |
| 3e170ce0 A |
797 | memcpy(cp->gss_clnt_principal, principal, plen); |
| 798 | cp->gss_clnt_prinlen = plen; | |
| 799 | cp->gss_clnt_prinnt = nt; | |
| 800 | cp->gss_clnt_flags |= GSS_CTX_STICKY; | |
| 801 | nfs_gss_clnt_mnt_ref(nmp); | |
| 802 | } | |
| fe8ab488 A |
803 | } else { |
| 804 | nfs_gss_clnt_ctx_clean(cp); | |
| 3e170ce0 A |
805 | if (principal) { |
| 806 | /* | |
| 807 | * If we have a principal and we found a matching audit | |
| 808 | * session, then to get here, the principal had to match. | |
| 809 | * In walking the context list if it has a principal | |
| 810 | * or the principal is not set then we mark the context | |
| 811 | * for destruction and set cp to NULL and we fall to the | |
| 812 | * if clause above. If the context still has references | |
| 813 | * again we copy the context which will preserve the principal | |
| 814 | * and we end up here with the correct principal set. | |
| 815 | * If we don't have references the the principal must have | |
| 816 | * match and we will fall through here. | |
| 817 | */ | |
| 818 | cp->gss_clnt_flags |= GSS_CTX_STICKY; | |
| 819 | } | |
| 2d21ac55 | 820 | } |
| 3e170ce0 | 821 | |
| 2d21ac55 A |
822 | cp->gss_clnt_thread = current_thread(); |
| 823 | nfs_gss_clnt_ctx_ref(req, cp); | |
| fe8ab488 | 824 | TAILQ_INSERT_HEAD(&nmp->nm_gsscl, cp, gss_clnt_entries); |
| 2d21ac55 A |
825 | lck_mtx_unlock(&nmp->nm_lock); |
| 826 | ||
| 6d2010ae | 827 | error = nfs_gss_clnt_ctx_init_retry(req, cp); // Initialize new context |
| 3e170ce0 A |
828 | if (error) { |
| 829 | NFS_GSS_DBG("nfs_gss_clnt_ctx_init_retry returned %d for %s\n", error, NFS_GSS_CTX(req, cp)); | |
| b0d623f7 | 830 | nfs_gss_clnt_ctx_unref(req); |
| 3e170ce0 A |
831 | } |
| 832 | ||
| 833 | /* Remove any old matching contex that had a different principal */ | |
| 834 | nfs_gss_clnt_ctx_unref(&treq); | |
| b0d623f7 | 835 | |
| 0a7de745 | 836 | return error; |
| 2d21ac55 A |
837 | } |
| 838 | ||
| 3e170ce0 A |
839 | static int |
| 840 | nfs_gss_clnt_ctx_find(struct nfsreq *req) | |
| 841 | { | |
| 0a7de745 | 842 | return nfs_gss_clnt_ctx_find_principal(req, NULL, 0, 0); |
| 3e170ce0 A |
843 | } |
| 844 | ||
| 2d21ac55 A |
845 | /* |
| 846 | * Inserts an RPCSEC_GSS credential into an RPC header. | |
| 847 | * After the credential is inserted, the code continues | |
| 848 | * to build the verifier which contains a signed checksum | |
| 849 | * of the RPC header. | |
| 850 | */ | |
| 39037602 | 851 | |
| 2d21ac55 A |
852 | int |
| 853 | nfs_gss_clnt_cred_put(struct nfsreq *req, struct nfsm_chain *nmc, mbuf_t args) | |
| 854 | { | |
| 2d21ac55 A |
855 | struct nfs_gss_clnt_ctx *cp; |
| 856 | uint32_t seqnum = 0; | |
| 39037602 A |
857 | uint32_t major; |
| 858 | uint32_t error = 0; | |
| 859 | int slpflag, recordmark = 0, offset; | |
| 2d21ac55 | 860 | struct gss_seq *gsp; |
| 39037602 | 861 | gss_buffer_desc mic; |
| 3e170ce0 | 862 | |
| 0a7de745 | 863 | slpflag = (PZERO - 1); |
| b0d623f7 | 864 | if (req->r_nmp) { |
| 6d2010ae | 865 | slpflag |= (NMFLAG(req->r_nmp, INTR) && req->r_thread && !(req->r_flags & R_NOINTR)) ? PCATCH : 0; |
| b0d623f7 A |
866 | recordmark = (req->r_nmp->nm_sotype == SOCK_STREAM); |
| 867 | } | |
| 3e170ce0 | 868 | |
| 2d21ac55 A |
869 | retry: |
| 870 | if (req->r_gss_ctx == NULL) { | |
| 871 | /* | |
| 872 | * Find the context for this user. | |
| 873 | * If no context is found, one will | |
| 874 | * be created. | |
| 875 | */ | |
| 876 | error = nfs_gss_clnt_ctx_find(req); | |
| 0a7de745 A |
877 | if (error) { |
| 878 | return error; | |
| 879 | } | |
| 2d21ac55 A |
880 | } |
| 881 | cp = req->r_gss_ctx; | |
| 882 | ||
| 2d21ac55 A |
883 | /* |
| 884 | * If the context thread isn't null, then the context isn't | |
| 885 | * yet complete and is for the exclusive use of the thread | |
| 886 | * doing the context setup. Wait until the context thread | |
| 887 | * is null. | |
| 888 | */ | |
| 889 | lck_mtx_lock(cp->gss_clnt_mtx); | |
| 890 | if (cp->gss_clnt_thread && cp->gss_clnt_thread != current_thread()) { | |
| 891 | cp->gss_clnt_flags |= GSS_NEEDCTX; | |
| b0d623f7 | 892 | msleep(cp, cp->gss_clnt_mtx, slpflag | PDROP, "ctxwait", NULL); |
| 6d2010ae | 893 | slpflag &= ~PCATCH; |
| 0a7de745 A |
894 | if ((error = nfs_sigintr(req->r_nmp, req, req->r_thread, 0))) { |
| 895 | return error; | |
| 896 | } | |
| 2d21ac55 A |
897 | nfs_gss_clnt_ctx_unref(req); |
| 898 | goto retry; | |
| 899 | } | |
| 900 | lck_mtx_unlock(cp->gss_clnt_mtx); | |
| 901 | ||
| 902 | if (cp->gss_clnt_flags & GSS_CTX_COMPLETE) { | |
| 903 | /* | |
| 904 | * Get a sequence number for this request. | |
| 905 | * Check whether the oldest request in the window is complete. | |
| 906 | * If it's still pending, then wait until it's done before | |
| 907 | * we allocate a new sequence number and allow this request | |
| 908 | * to proceed. | |
| 909 | */ | |
| 910 | lck_mtx_lock(cp->gss_clnt_mtx); | |
| 0a7de745 A |
911 | while (win_getbit(cp->gss_clnt_seqbits, |
| 912 | ((cp->gss_clnt_seqnum - cp->gss_clnt_seqwin) + 1) % cp->gss_clnt_seqwin)) { | |
| 2d21ac55 | 913 | cp->gss_clnt_flags |= GSS_NEEDSEQ; |
| ebb1b9f4 | 914 | msleep(cp, cp->gss_clnt_mtx, slpflag | PDROP, "seqwin", NULL); |
| 6d2010ae | 915 | slpflag &= ~PCATCH; |
| b0d623f7 | 916 | if ((error = nfs_sigintr(req->r_nmp, req, req->r_thread, 0))) { |
| 0a7de745 | 917 | return error; |
| 2d21ac55 | 918 | } |
| ebb1b9f4 | 919 | lck_mtx_lock(cp->gss_clnt_mtx); |
| 2d21ac55 A |
920 | if (cp->gss_clnt_flags & GSS_CTX_INVAL) { |
| 921 | /* Renewed while while we were waiting */ | |
| 922 | lck_mtx_unlock(cp->gss_clnt_mtx); | |
| 923 | nfs_gss_clnt_ctx_unref(req); | |
| 924 | goto retry; | |
| 925 | } | |
| 926 | } | |
| 927 | seqnum = ++cp->gss_clnt_seqnum; | |
| 928 | win_setbit(cp->gss_clnt_seqbits, seqnum % cp->gss_clnt_seqwin); | |
| 929 | lck_mtx_unlock(cp->gss_clnt_mtx); | |
| 930 | ||
| 0a7de745 A |
931 | MALLOC(gsp, struct gss_seq *, sizeof(*gsp), M_TEMP, M_WAITOK | M_ZERO); |
| 932 | if (gsp == NULL) { | |
| 933 | return ENOMEM; | |
| 934 | } | |
| 2d21ac55 A |
935 | gsp->gss_seqnum = seqnum; |
| 936 | SLIST_INSERT_HEAD(&req->r_gss_seqlist, gsp, gss_seqnext); | |
| 937 | } | |
| 938 | ||
| 939 | /* Insert the credential */ | |
| 940 | nfsm_chain_add_32(error, nmc, RPCSEC_GSS); | |
| 941 | nfsm_chain_add_32(error, nmc, 5 * NFSX_UNSIGNED + cp->gss_clnt_handle_len); | |
| 942 | nfsm_chain_add_32(error, nmc, RPCSEC_GSS_VERS_1); | |
| 943 | nfsm_chain_add_32(error, nmc, cp->gss_clnt_proc); | |
| 944 | nfsm_chain_add_32(error, nmc, seqnum); | |
| 945 | nfsm_chain_add_32(error, nmc, cp->gss_clnt_service); | |
| 946 | nfsm_chain_add_32(error, nmc, cp->gss_clnt_handle_len); | |
| b0d623f7 | 947 | if (cp->gss_clnt_handle_len > 0) { |
| 0a7de745 A |
948 | if (cp->gss_clnt_handle == NULL) { |
| 949 | return EBADRPC; | |
| 950 | } | |
| b0d623f7 A |
951 | nfsm_chain_add_opaque(error, nmc, cp->gss_clnt_handle, cp->gss_clnt_handle_len); |
| 952 | } | |
| 0a7de745 A |
953 | if (error) { |
| 954 | return error; | |
| 955 | } | |
| 2d21ac55 A |
956 | /* |
| 957 | * Now add the verifier | |
| 958 | */ | |
| 959 | if (cp->gss_clnt_proc == RPCSEC_GSS_INIT || | |
| 0a7de745 | 960 | cp->gss_clnt_proc == RPCSEC_GSS_CONTINUE_INIT) { |
| 2d21ac55 A |
961 | /* |
| 962 | * If the context is still being created | |
| 963 | * then use a null verifier. | |
| 964 | */ | |
| 0a7de745 A |
965 | nfsm_chain_add_32(error, nmc, RPCAUTH_NULL); // flavor |
| 966 | nfsm_chain_add_32(error, nmc, 0); // length | |
| 2d21ac55 | 967 | nfsm_chain_build_done(error, nmc); |
| 0a7de745 | 968 | if (!error) { |
| 2d21ac55 | 969 | nfs_gss_append_chain(nmc, args); |
| 0a7de745 A |
970 | } |
| 971 | return error; | |
| 2d21ac55 A |
972 | } |
| 973 | ||
| b0d623f7 | 974 | offset = recordmark ? NFSX_UNSIGNED : 0; // record mark |
| 2d21ac55 | 975 | nfsm_chain_build_done(error, nmc); |
| 2d21ac55 | 976 | |
| 39037602 A |
977 | major = gss_krb5_get_mic_mbuf((uint32_t *)&error, cp->gss_clnt_ctx_id, 0, nmc->nmc_mhead, offset, 0, &mic); |
| 978 | if (major != GSS_S_COMPLETE) { | |
| 0a7de745 A |
979 | printf("gss_krb5_get_mic_buf failed %d\n", error); |
| 980 | return error; | |
| 39037602 A |
981 | } |
| 982 | ||
| 0a7de745 A |
983 | nfsm_chain_add_32(error, nmc, RPCSEC_GSS); // flavor |
| 984 | nfsm_chain_add_32(error, nmc, mic.length); // length | |
| 39037602 A |
985 | nfsm_chain_add_opaque(error, nmc, mic.value, mic.length); |
| 986 | (void)gss_release_buffer(NULL, &mic); | |
| 2d21ac55 | 987 | nfsm_chain_build_done(error, nmc); |
| 0a7de745 A |
988 | if (error) { |
| 989 | return error; | |
| 990 | } | |
| 2d21ac55 A |
991 | |
| 992 | /* | |
| 993 | * Now we may have to compute integrity or encrypt the call args | |
| 994 | * per RFC 2203 Section 5.3.2 | |
| 995 | */ | |
| 996 | switch (cp->gss_clnt_service) { | |
| 997 | case RPCSEC_GSS_SVC_NONE: | |
| 0a7de745 | 998 | if (args) { |
| 39037602 | 999 | nfs_gss_append_chain(nmc, args); |
| 0a7de745 | 1000 | } |
| 2d21ac55 A |
1001 | break; |
| 1002 | case RPCSEC_GSS_SVC_INTEGRITY: | |
| 39037602 A |
1003 | /* |
| 1004 | * r_gss_arglen is the length of args mbuf going into the routine. | |
| 1005 | * Its used to find the mic if we need to restore the args. | |
| 1006 | */ | |
| 1007 | /* Note the mbufs that were used in r_mrest are being encapsulated in the rpc_gss_integ_data_t */ | |
| 1008 | assert(req->r_mrest == args); | |
| 1009 | nfsm_chain_finish_mbuf(error, nmc); | |
| 0a7de745 A |
1010 | if (error) { |
| 1011 | return error; | |
| 1012 | } | |
| 39037602 | 1013 | error = rpc_gss_integ_data_create(cp->gss_clnt_ctx_id, &args, seqnum, &req->r_gss_arglen); |
| 0a7de745 | 1014 | if (error) { |
| 39037602 | 1015 | break; |
| 0a7de745 | 1016 | } |
| 39037602 A |
1017 | req->r_mrest = args; |
| 1018 | req->r_gss_argoff = nfsm_chain_offset(nmc); | |
| 1019 | nfs_gss_append_chain(nmc, args); | |
| 2d21ac55 A |
1020 | break; |
| 1021 | case RPCSEC_GSS_SVC_PRIVACY: | |
| 2d21ac55 | 1022 | /* |
| 39037602 A |
1023 | * r_gss_arglen is the length of the wrap token sans any padding length. |
| 1024 | * Its used to find any XDR padding of the wrap token. | |
| 2d21ac55 | 1025 | */ |
| 39037602 A |
1026 | /* Note the mbufs that were used in r_mrest are being encapsulated in the rpc_gss_priv_data_t */ |
| 1027 | assert(req->r_mrest == args); | |
| 1028 | nfsm_chain_finish_mbuf(error, nmc); | |
| 0a7de745 A |
1029 | if (error) { |
| 1030 | return error; | |
| 1031 | } | |
| 39037602 | 1032 | error = rpc_gss_priv_data_create(cp->gss_clnt_ctx_id, &args, seqnum, &req->r_gss_arglen); |
| 0a7de745 | 1033 | if (error) { |
| 39037602 | 1034 | break; |
| 0a7de745 | 1035 | } |
| 39037602 A |
1036 | req->r_mrest = args; |
| 1037 | req->r_gss_argoff = nfsm_chain_offset(nmc); | |
| 1038 | nfs_gss_append_chain(nmc, args); | |
| 2d21ac55 | 1039 | break; |
| 39037602 | 1040 | default: |
| 0a7de745 | 1041 | return EINVAL; |
| 2d21ac55 A |
1042 | } |
| 1043 | ||
| 0a7de745 | 1044 | return error; |
| 2d21ac55 A |
1045 | } |
| 1046 | ||
| 1047 | /* | |
| 1048 | * When receiving a reply, the client checks the verifier | |
| 1049 | * returned by the server. Check that the verifier is the | |
| 1050 | * correct type, then extract the sequence number checksum | |
| 1051 | * from the token in the credential and compare it with a | |
| 1052 | * computed checksum of the sequence number in the request | |
| 1053 | * that was sent. | |
| 1054 | */ | |
| 1055 | int | |
| 1056 | nfs_gss_clnt_verf_get( | |
| 1057 | struct nfsreq *req, | |
| 1058 | struct nfsm_chain *nmc, | |
| 1059 | uint32_t verftype, | |
| 1060 | uint32_t verflen, | |
| 1061 | uint32_t *accepted_statusp) | |
| 1062 | { | |
| 39037602 | 1063 | gss_buffer_desc cksum; |
| 2d21ac55 | 1064 | uint32_t seqnum = 0; |
| 39037602 | 1065 | uint32_t major; |
| 2d21ac55 A |
1066 | struct nfs_gss_clnt_ctx *cp = req->r_gss_ctx; |
| 1067 | struct nfsm_chain nmc_tmp; | |
| 1068 | struct gss_seq *gsp; | |
| 39037602 | 1069 | uint32_t reslen, offset; |
| 2d21ac55 | 1070 | int error = 0; |
| 39037602 A |
1071 | mbuf_t results_mbuf, prev_mbuf, pad_mbuf; |
| 1072 | size_t ressize; | |
| 2d21ac55 | 1073 | |
| 39037602 | 1074 | reslen = 0; |
| 2d21ac55 A |
1075 | *accepted_statusp = 0; |
| 1076 | ||
| 0a7de745 A |
1077 | if (cp == NULL) { |
| 1078 | return NFSERR_EAUTH; | |
| 1079 | } | |
| 2d21ac55 A |
1080 | /* |
| 1081 | * If it's not an RPCSEC_GSS verifier, then it has to | |
| 1082 | * be a null verifier that resulted from either | |
| 1083 | * a CONTINUE_NEEDED reply during context setup or | |
| 1084 | * from the reply to an AUTH_UNIX call from a dummy | |
| 1085 | * context that resulted from a fallback to sec=sys. | |
| 1086 | */ | |
| 1087 | if (verftype != RPCSEC_GSS) { | |
| 0a7de745 A |
1088 | if (verftype != RPCAUTH_NULL) { |
| 1089 | return NFSERR_EAUTH; | |
| 1090 | } | |
| 1091 | if (cp->gss_clnt_flags & GSS_CTX_COMPLETE) { | |
| 1092 | return NFSERR_EAUTH; | |
| 1093 | } | |
| 1094 | if (verflen > 0) { | |
| 2d21ac55 | 1095 | nfsm_chain_adv(error, nmc, nfsm_rndup(verflen)); |
| 0a7de745 | 1096 | } |
| 2d21ac55 | 1097 | nfsm_chain_get_32(error, nmc, *accepted_statusp); |
| 0a7de745 | 1098 | return error; |
| 2d21ac55 A |
1099 | } |
| 1100 | ||
| 2d21ac55 A |
1101 | /* |
| 1102 | * If we received an RPCSEC_GSS verifier but the | |
| 1103 | * context isn't yet complete, then it must be | |
| 1104 | * the context complete message from the server. | |
| 1105 | * The verifier will contain an encrypted checksum | |
| 1106 | * of the window but we don't have the session key | |
| 1107 | * yet so we can't decrypt it. Stash the verifier | |
| 1108 | * and check it later in nfs_gss_clnt_ctx_init() when | |
| 1109 | * the context is complete. | |
| 1110 | */ | |
| 1111 | if (!(cp->gss_clnt_flags & GSS_CTX_COMPLETE)) { | |
| 0a7de745 A |
1112 | if (verflen > KRB5_MAX_MIC_SIZE) { |
| 1113 | return EBADRPC; | |
| 1114 | } | |
| 1115 | MALLOC(cp->gss_clnt_verf, u_char *, verflen, M_TEMP, M_WAITOK | M_ZERO); | |
| 1116 | if (cp->gss_clnt_verf == NULL) { | |
| 1117 | return ENOMEM; | |
| 1118 | } | |
| 39037602 | 1119 | cp->gss_clnt_verflen = verflen; |
| 2d21ac55 A |
1120 | nfsm_chain_get_opaque(error, nmc, verflen, cp->gss_clnt_verf); |
| 1121 | nfsm_chain_get_32(error, nmc, *accepted_statusp); | |
| 0a7de745 | 1122 | return error; |
| 2d21ac55 A |
1123 | } |
| 1124 | ||
| 0a7de745 A |
1125 | if (verflen > KRB5_MAX_MIC_SIZE) { |
| 1126 | return EBADRPC; | |
| 1127 | } | |
| 39037602 A |
1128 | cksum.length = verflen; |
| 1129 | MALLOC(cksum.value, void *, verflen, M_TEMP, M_WAITOK); | |
| b0d623f7 | 1130 | |
| 2d21ac55 | 1131 | /* |
| 39037602 | 1132 | * Get the gss mic |
| 2d21ac55 | 1133 | */ |
| 39037602 A |
1134 | nfsm_chain_get_opaque(error, nmc, verflen, cksum.value); |
| 1135 | if (error) { | |
| 1136 | FREE(cksum.value, M_TEMP); | |
| 2d21ac55 | 1137 | goto nfsmout; |
| 39037602 | 1138 | } |
| 2d21ac55 A |
1139 | |
| 1140 | /* | |
| 1141 | * Search the request sequence numbers for this reply, starting | |
| 1142 | * with the most recent, looking for a checksum that matches | |
| 1143 | * the one in the verifier returned by the server. | |
| 1144 | */ | |
| 1145 | SLIST_FOREACH(gsp, &req->r_gss_seqlist, gss_seqnext) { | |
| 39037602 A |
1146 | gss_buffer_desc seqnum_buf; |
| 1147 | uint32_t network_seqnum = htonl(gsp->gss_seqnum); | |
| 1148 | ||
| 1149 | seqnum_buf.length = sizeof(network_seqnum); | |
| 1150 | seqnum_buf.value = &network_seqnum; | |
| 1151 | major = gss_krb5_verify_mic(NULL, cp->gss_clnt_ctx_id, &seqnum_buf, &cksum, NULL); | |
| 0a7de745 | 1152 | if (major == GSS_S_COMPLETE) { |
| 2d21ac55 | 1153 | break; |
| 0a7de745 | 1154 | } |
| 2d21ac55 | 1155 | } |
| 39037602 | 1156 | FREE(cksum.value, M_TEMP); |
| 0a7de745 A |
1157 | if (gsp == NULL) { |
| 1158 | return NFSERR_EAUTH; | |
| 1159 | } | |
| 2d21ac55 A |
1160 | |
| 1161 | /* | |
| 1162 | * Get the RPC accepted status | |
| 1163 | */ | |
| 1164 | nfsm_chain_get_32(error, nmc, *accepted_statusp); | |
| 0a7de745 A |
1165 | if (*accepted_statusp != RPC_SUCCESS) { |
| 1166 | return 0; | |
| 1167 | } | |
| 2d21ac55 A |
1168 | |
| 1169 | /* | |
| 1170 | * Now we may have to check integrity or decrypt the results | |
| 1171 | * per RFC 2203 Section 5.3.2 | |
| 1172 | */ | |
| 1173 | switch (cp->gss_clnt_service) { | |
| 1174 | case RPCSEC_GSS_SVC_NONE: | |
| 1175 | /* nothing to do */ | |
| 1176 | break; | |
| 1177 | case RPCSEC_GSS_SVC_INTEGRITY: | |
| 1178 | /* | |
| 39037602 | 1179 | * Here's what we expect in the integrity results from RFC 2203: |
| 2d21ac55 A |
1180 | * |
| 1181 | * - length of seq num + results (4 bytes) | |
| 1182 | * - sequence number (4 bytes) | |
| 1183 | * - results (variable bytes) | |
| 39037602 A |
1184 | * - length of checksum token |
| 1185 | * - checksum of seqnum + results | |
| 2d21ac55 | 1186 | */ |
| 39037602 | 1187 | |
| 0a7de745 | 1188 | nfsm_chain_get_32(error, nmc, reslen); // length of results |
| 2d21ac55 A |
1189 | if (reslen > NFS_MAXPACKET) { |
| 1190 | error = EBADRPC; | |
| 1191 | goto nfsmout; | |
| 1192 | } | |
| 1193 | ||
| 39037602 A |
1194 | /* Advance and fetch the mic */ |
| 1195 | nmc_tmp = *nmc; | |
| 0a7de745 A |
1196 | nfsm_chain_adv(error, &nmc_tmp, reslen); // skip over the results |
| 1197 | nfsm_chain_get_32(error, &nmc_tmp, cksum.length); | |
| d26ffc64 A |
1198 | if (cksum.length > KRB5_MAX_MIC_SIZE) { |
| 1199 | error = EBADRPC; | |
| 1200 | goto nfsmout; | |
| 1201 | } | |
| 39037602 A |
1202 | MALLOC(cksum.value, void *, cksum.length, M_TEMP, M_WAITOK); |
| 1203 | nfsm_chain_get_opaque(error, &nmc_tmp, cksum.length, cksum.value); | |
| 1204 | //XXX chop offf the cksum? | |
| 1205 | ||
| 1206 | /* Call verify mic */ | |
| 1207 | offset = nfsm_chain_offset(nmc); | |
| 1208 | major = gss_krb5_verify_mic_mbuf((uint32_t *)&error, cp->gss_clnt_ctx_id, nmc->nmc_mhead, offset, reslen, &cksum, NULL); | |
| 1209 | FREE(cksum.value, M_TEMP); | |
| 1210 | if (major != GSS_S_COMPLETE) { | |
| 1211 | printf("client results: gss_krb5_verify_mic_mbuf failed %d\n", error); | |
| 1212 | error = EBADRPC; | |
| 1213 | goto nfsmout; | |
| 1214 | } | |
| 2d21ac55 A |
1215 | |
| 1216 | /* | |
| 1217 | * Get the sequence number prepended to the results | |
| 39037602 | 1218 | * and compare it against the header. |
| 2d21ac55 A |
1219 | */ |
| 1220 | nfsm_chain_get_32(error, nmc, seqnum); | |
| 39037602 A |
1221 | if (gsp->gss_seqnum != seqnum) { |
| 1222 | error = EBADRPC; | |
| 1223 | goto nfsmout; | |
| 1224 | } | |
| 1225 | #if 0 | |
| 2d21ac55 | 1226 | SLIST_FOREACH(gsp, &req->r_gss_seqlist, gss_seqnext) { |
| 0a7de745 | 1227 | if (seqnum == gsp->gss_seqnum) { |
| 2d21ac55 | 1228 | break; |
| 0a7de745 | 1229 | } |
| 2d21ac55 A |
1230 | } |
| 1231 | if (gsp == NULL) { | |
| 1232 | error = EBADRPC; | |
| 1233 | goto nfsmout; | |
| 1234 | } | |
| 39037602 | 1235 | #endif |
| 2d21ac55 A |
1236 | break; |
| 1237 | case RPCSEC_GSS_SVC_PRIVACY: | |
| 1238 | /* | |
| 1239 | * Here's what we expect in the privacy results: | |
| 1240 | * | |
| 39037602 A |
1241 | * opaque encodeing of the wrap token |
| 1242 | * - length of wrap token | |
| 1243 | * - wrap token | |
| 2d21ac55 | 1244 | */ |
| 39037602 | 1245 | prev_mbuf = nmc->nmc_mcur; |
| 0a7de745 | 1246 | nfsm_chain_get_32(error, nmc, reslen); // length of results |
| 39037602 | 1247 | if (reslen == 0 || reslen > NFS_MAXPACKET) { |
| 2d21ac55 A |
1248 | error = EBADRPC; |
| 1249 | goto nfsmout; | |
| 1250 | } | |
| 1251 | ||
| 39037602 A |
1252 | /* Get the wrap token (current mbuf in the chain starting at the current offset) */ |
| 1253 | offset = nmc->nmc_ptr - (caddr_t)mbuf_data(nmc->nmc_mcur); | |
| 1254 | ||
| 1255 | /* split out the wrap token */ | |
| 1256 | ressize = reslen; | |
| 1257 | error = gss_normalize_mbuf(nmc->nmc_mcur, offset, &ressize, &results_mbuf, &pad_mbuf, 0); | |
| 0a7de745 | 1258 | if (error) { |
| 2d21ac55 | 1259 | goto nfsmout; |
| 0a7de745 | 1260 | } |
| 2d21ac55 | 1261 | |
| 39037602 A |
1262 | if (pad_mbuf) { |
| 1263 | assert(nfsm_pad(reslen) == mbuf_len(pad_mbuf)); | |
| 1264 | mbuf_free(pad_mbuf); | |
| 1265 | } | |
| 2d21ac55 | 1266 | |
| 39037602 A |
1267 | major = gss_krb5_unwrap_mbuf((uint32_t *)&error, cp->gss_clnt_ctx_id, &results_mbuf, 0, ressize, NULL, NULL); |
| 1268 | if (major) { | |
| 1269 | printf("%s unwraped failed %d\n", __func__, error); | |
| 2d21ac55 A |
1270 | goto nfsmout; |
| 1271 | } | |
| 1272 | ||
| 39037602 A |
1273 | /* Now replace the wrapped arguments with the unwrapped ones */ |
| 1274 | mbuf_setnext(prev_mbuf, results_mbuf); | |
| 1275 | nmc->nmc_mcur = results_mbuf; | |
| 1276 | nmc->nmc_ptr = mbuf_data(results_mbuf); | |
| 1277 | nmc->nmc_left = mbuf_len(results_mbuf); | |
| 2d21ac55 A |
1278 | |
| 1279 | /* | |
| 1280 | * Get the sequence number prepended to the results | |
| 39037602 | 1281 | * and compare it against the header |
| 2d21ac55 A |
1282 | */ |
| 1283 | nfsm_chain_get_32(error, nmc, seqnum); | |
| 39037602 A |
1284 | if (gsp->gss_seqnum != seqnum) { |
| 1285 | printf("%s bad seqnum\n", __func__); | |
| 1286 | error = EBADRPC; | |
| 1287 | goto nfsmout; | |
| 1288 | } | |
| 1289 | #if 0 | |
| 2d21ac55 | 1290 | SLIST_FOREACH(gsp, &req->r_gss_seqlist, gss_seqnext) { |
| 0a7de745 | 1291 | if (seqnum == gsp->gss_seqnum) { |
| 2d21ac55 | 1292 | break; |
| 0a7de745 | 1293 | } |
| 2d21ac55 A |
1294 | } |
| 1295 | if (gsp == NULL) { | |
| 1296 | error = EBADRPC; | |
| 1297 | goto nfsmout; | |
| 1298 | } | |
| 39037602 | 1299 | #endif |
| 2d21ac55 A |
1300 | break; |
| 1301 | } | |
| 1302 | nfsmout: | |
| 0a7de745 | 1303 | return error; |
| 2d21ac55 A |
1304 | } |
| 1305 | ||
| 1306 | /* | |
| 1307 | * An RPCSEC_GSS request with no integrity or privacy consists | |
| 1308 | * of just the header mbufs followed by the arg mbufs. | |
| 1309 | * | |
| 39037602 A |
1310 | * However, integrity or privacy the original mbufs have mbufs |
| 1311 | * prepended and appended to, which means we have to do some work to | |
| 1312 | * restore the arg mbuf chain to its previous state in case we need to | |
| 1313 | * retransmit. | |
| 2d21ac55 A |
1314 | * |
| 1315 | * The location and length of the args is marked by two fields | |
| 1316 | * in the request structure: r_gss_argoff and r_gss_arglen, | |
| 1317 | * which are stashed when the NFS request is built. | |
| 3e170ce0 | 1318 | */ |
| 2d21ac55 A |
1319 | int |
| 1320 | nfs_gss_clnt_args_restore(struct nfsreq *req) | |
| 1321 | { | |
| 1322 | struct nfs_gss_clnt_ctx *cp = req->r_gss_ctx; | |
| 1323 | struct nfsm_chain mchain, *nmc = &mchain; | |
| 39037602 | 1324 | int error = 0, merr; |
| 2d21ac55 | 1325 | |
| 0a7de745 A |
1326 | if (cp == NULL) { |
| 1327 | return NFSERR_EAUTH; | |
| 1328 | } | |
| 2d21ac55 | 1329 | |
| 0a7de745 A |
1330 | if ((cp->gss_clnt_flags & GSS_CTX_COMPLETE) == 0) { |
| 1331 | return ENEEDAUTH; | |
| 1332 | } | |
| 2d21ac55 | 1333 | |
| 39037602 | 1334 | /* Nothing to restore for SVC_NONE */ |
| 0a7de745 A |
1335 | if (cp->gss_clnt_service == RPCSEC_GSS_SVC_NONE) { |
| 1336 | return 0; | |
| 1337 | } | |
| 39037602 | 1338 | |
| 0a7de745 A |
1339 | nfsm_chain_dissect_init(error, nmc, req->r_mhead); // start at RPC header |
| 1340 | nfsm_chain_adv(error, nmc, req->r_gss_argoff); // advance to args | |
| 1341 | if (error) { | |
| 1342 | return error; | |
| 1343 | } | |
| 2d21ac55 | 1344 | |
| 0a7de745 | 1345 | if (cp->gss_clnt_service == RPCSEC_GSS_SVC_INTEGRITY) { |
| 39037602 | 1346 | error = rpc_gss_integ_data_restore(cp->gss_clnt_ctx_id, &req->r_mrest, req->r_gss_arglen); |
| 0a7de745 | 1347 | } else { |
| 39037602 | 1348 | error = rpc_gss_priv_data_restore(cp->gss_clnt_ctx_id, &req->r_mrest, req->r_gss_arglen); |
| 0a7de745 | 1349 | } |
| 2d21ac55 | 1350 | |
| 39037602 | 1351 | merr = mbuf_setnext(nmc->nmc_mcur, req->r_mrest); /* Should always succeed */ |
| 0a7de745 | 1352 | assert(merr == 0); |
| 2d21ac55 | 1353 | |
| 0a7de745 | 1354 | return error ? error : merr; |
| 2d21ac55 A |
1355 | } |
| 1356 | ||
| 1357 | /* | |
| 1358 | * This function sets up a new context on the client. | |
| 1359 | * Context setup alternates upcalls to the gssd with NFS nullproc calls | |
| 1360 | * to the server. Each of these calls exchanges an opaque token, obtained | |
| 1361 | * via the gssd's calls into the GSS-API on either the client or the server. | |
| 1362 | * This cycle of calls ends when the client's upcall to the gssd and the | |
| 1363 | * server's response both return GSS_S_COMPLETE. At this point, the client | |
| 1364 | * should have its session key and a handle that it can use to refer to its | |
| 1365 | * new context on the server. | |
| 1366 | */ | |
| 1367 | static int | |
| 1368 | nfs_gss_clnt_ctx_init(struct nfsreq *req, struct nfs_gss_clnt_ctx *cp) | |
| 1369 | { | |
| 1370 | struct nfsmount *nmp = req->r_nmp; | |
| 39037602 A |
1371 | gss_buffer_desc cksum, window; |
| 1372 | uint32_t network_seqnum; | |
| 2d21ac55 A |
1373 | int client_complete = 0; |
| 1374 | int server_complete = 0; | |
| 2d21ac55 | 1375 | int error = 0; |
| 39037602 A |
1376 | int retrycnt = 0; |
| 1377 | uint32_t major; | |
| 2d21ac55 A |
1378 | |
| 1379 | /* Initialize a new client context */ | |
| 1380 | ||
| 2d21ac55 | 1381 | if (cp->gss_clnt_svcname == NULL) { |
| fe8ab488 A |
1382 | cp->gss_clnt_svcname = nfs_gss_clnt_svcname(nmp, &cp->gss_clnt_svcnt, &cp->gss_clnt_svcnamlen); |
| 1383 | if (cp->gss_clnt_svcname == NULL) { | |
| 1384 | error = NFSERR_EAUTH; | |
| 1385 | goto nfsmout; | |
| 1386 | } | |
| 2d21ac55 | 1387 | } |
| b0d623f7 | 1388 | |
| 2d21ac55 A |
1389 | cp->gss_clnt_proc = RPCSEC_GSS_INIT; |
| 1390 | ||
| 1391 | cp->gss_clnt_service = | |
| 0a7de745 A |
1392 | req->r_auth == RPCAUTH_KRB5 ? RPCSEC_GSS_SVC_NONE : |
| 1393 | req->r_auth == RPCAUTH_KRB5I ? RPCSEC_GSS_SVC_INTEGRITY : | |
| 1394 | req->r_auth == RPCAUTH_KRB5P ? RPCSEC_GSS_SVC_PRIVACY : 0; | |
| 2d21ac55 A |
1395 | |
| 1396 | /* | |
| 1397 | * Now loop around alternating gss_init_sec_context and | |
| 1398 | * gss_accept_sec_context upcalls to the gssd on the client | |
| 1399 | * and server side until the context is complete - or fails. | |
| 1400 | */ | |
| 1401 | for (;;) { | |
| b0d623f7 | 1402 | retry: |
| 2d21ac55 | 1403 | /* Upcall to the gss_init_sec_context in the gssd */ |
| 39037602 | 1404 | error = nfs_gss_clnt_gssd_upcall(req, cp, retrycnt); |
| 0a7de745 | 1405 | if (error) { |
| 2d21ac55 | 1406 | goto nfsmout; |
| 0a7de745 | 1407 | } |
| 2d21ac55 A |
1408 | |
| 1409 | if (cp->gss_clnt_major == GSS_S_COMPLETE) { | |
| 1410 | client_complete = 1; | |
| 39037602 | 1411 | NFS_GSS_DBG("Client complete\n"); |
| 0a7de745 | 1412 | if (server_complete) { |
| 2d21ac55 | 1413 | break; |
| 0a7de745 | 1414 | } |
| 2d21ac55 | 1415 | } else if (cp->gss_clnt_major != GSS_S_CONTINUE_NEEDED) { |
| 39037602 A |
1416 | /* |
| 1417 | * We may have gotten here because the accept sec context | |
| 1418 | * from the server failed and sent back a GSS token that | |
| 1419 | * encapsulates a kerberos error token per RFC 1964/4121 | |
| 1420 | * with a status of GSS_S_CONTINUE_NEEDED. That caused us | |
| 1421 | * to loop to the above up call and received the now | |
| 1422 | * decoded errors. | |
| 1423 | */ | |
| 1424 | retrycnt++; | |
| 1425 | cp->gss_clnt_gssd_flags |= GSSD_RESTART; | |
| 1426 | NFS_GSS_DBG("Retrying major = %x minor = %d\n", cp->gss_clnt_major, (int)cp->gss_clnt_minor); | |
| 1427 | goto retry; | |
| 2d21ac55 A |
1428 | } |
| 1429 | ||
| 1430 | /* | |
| 1431 | * Pass the token to the server. | |
| 1432 | */ | |
| 1433 | error = nfs_gss_clnt_ctx_callserver(req, cp); | |
| b0d623f7 | 1434 | if (error) { |
| 39037602 A |
1435 | if (error == ENEEDAUTH && |
| 1436 | (cp->gss_clnt_proc == RPCSEC_GSS_INIT || | |
| 0a7de745 | 1437 | cp->gss_clnt_proc == RPCSEC_GSS_CONTINUE_INIT)) { |
| 39037602 A |
1438 | /* |
| 1439 | * We got here because the server had a problem | |
| 1440 | * trying to establish a context and sent that there | |
| 1441 | * was a context problem at the rpc sec layer. Perhaps | |
| 1442 | * gss_accept_sec_context succeeded in user space, | |
| 1443 | * but the kernel could not handle the etype | |
| 1444 | * to generate the mic for the verifier of the rpc_sec | |
| 1445 | * window size. | |
| 1446 | */ | |
| 1447 | retrycnt++; | |
| 1448 | cp->gss_clnt_gssd_flags |= GSSD_RESTART; | |
| 1449 | NFS_GSS_DBG("Retrying major = %x minor = %d\n", cp->gss_clnt_major, (int)cp->gss_clnt_minor); | |
| b0d623f7 A |
1450 | goto retry; |
| 1451 | } | |
| 2d21ac55 | 1452 | goto nfsmout; |
| b0d623f7 | 1453 | } |
| 2d21ac55 | 1454 | if (cp->gss_clnt_major == GSS_S_COMPLETE) { |
| 39037602 | 1455 | NFS_GSS_DBG("Server complete\n"); |
| 2d21ac55 | 1456 | server_complete = 1; |
| 0a7de745 | 1457 | if (client_complete) { |
| 2d21ac55 | 1458 | break; |
| 0a7de745 | 1459 | } |
| 39037602 A |
1460 | } else if (cp->gss_clnt_major == GSS_S_CONTINUE_NEEDED) { |
| 1461 | cp->gss_clnt_proc = RPCSEC_GSS_CONTINUE_INIT; | |
| 1462 | } else { | |
| 1463 | /* Server didn't like us. Try something else */ | |
| 1464 | retrycnt++; | |
| 1465 | cp->gss_clnt_gssd_flags |= GSSD_RESTART; | |
| 1466 | NFS_GSS_DBG("Retrying major = %x minor = %d\n", cp->gss_clnt_major, (int)cp->gss_clnt_minor); | |
| 2d21ac55 | 1467 | } |
| 2d21ac55 A |
1468 | } |
| 1469 | ||
| 1470 | /* | |
| 1471 | * The context is apparently established successfully | |
| 1472 | */ | |
| 6d2010ae | 1473 | lck_mtx_lock(cp->gss_clnt_mtx); |
| 2d21ac55 | 1474 | cp->gss_clnt_flags |= GSS_CTX_COMPLETE; |
| 6d2010ae | 1475 | lck_mtx_unlock(cp->gss_clnt_mtx); |
| 2d21ac55 | 1476 | cp->gss_clnt_proc = RPCSEC_GSS_DATA; |
| 2d21ac55 | 1477 | |
| 39037602 | 1478 | network_seqnum = htonl(cp->gss_clnt_seqwin); |
| 0a7de745 | 1479 | window.length = sizeof(cp->gss_clnt_seqwin); |
| 39037602 A |
1480 | window.value = &network_seqnum; |
| 1481 | cksum.value = cp->gss_clnt_verf; | |
| 1482 | cksum.length = cp->gss_clnt_verflen; | |
| 1483 | major = gss_krb5_verify_mic((uint32_t *)&error, cp->gss_clnt_ctx_id, &window, &cksum, NULL); | |
| 1484 | cp->gss_clnt_verflen = 0; | |
| 2d21ac55 A |
1485 | FREE(cp->gss_clnt_verf, M_TEMP); |
| 1486 | cp->gss_clnt_verf = NULL; | |
| 39037602 A |
1487 | if (major != GSS_S_COMPLETE) { |
| 1488 | printf("%s: could not verify window\n", __func__); | |
| b0d623f7 | 1489 | error = NFSERR_EAUTH; |
| 2d21ac55 A |
1490 | goto nfsmout; |
| 1491 | } | |
| 1492 | ||
| 1493 | /* | |
| 1494 | * Set an initial sequence number somewhat randomized. | |
| 1495 | * Start small so we don't overflow GSS_MAXSEQ too quickly. | |
| 1496 | * Add the size of the sequence window so seqbits arithmetic | |
| 1497 | * doesn't go negative. | |
| 1498 | */ | |
| 1499 | cp->gss_clnt_seqnum = (random() & 0xffff) + cp->gss_clnt_seqwin; | |
| 1500 | ||
| 1501 | /* | |
| 1502 | * Allocate a bitmap to keep track of which requests | |
| 1503 | * are pending within the sequence number window. | |
| 1504 | */ | |
| 1505 | MALLOC(cp->gss_clnt_seqbits, uint32_t *, | |
| 0a7de745 A |
1506 | nfsm_rndup((cp->gss_clnt_seqwin + 7) / 8), M_TEMP, M_WAITOK | M_ZERO); |
| 1507 | if (cp->gss_clnt_seqbits == NULL) { | |
| b0d623f7 | 1508 | error = NFSERR_EAUTH; |
| 0a7de745 | 1509 | } |
| 39037602 | 1510 | |
| 2d21ac55 | 1511 | nfsmout: |
| 3e170ce0 | 1512 | /* |
| b0d623f7 A |
1513 | * If the error is ENEEDAUTH we're not done, so no need |
| 1514 | * to wake up other threads again. This thread will retry in | |
| 1515 | * the find or renew routines. | |
| 1516 | */ | |
| 39037602 A |
1517 | if (error == ENEEDAUTH) { |
| 1518 | NFS_GSS_DBG("Returning ENEEDAUTH\n"); | |
| 0a7de745 | 1519 | return error; |
| 39037602 | 1520 | } |
| b0d623f7 | 1521 | |
| 2d21ac55 A |
1522 | /* |
| 1523 | * If there's an error, just mark it as invalid. | |
| 1524 | * It will be removed when the reference count | |
| 1525 | * drops to zero. | |
| 1526 | */ | |
| 6d2010ae | 1527 | lck_mtx_lock(cp->gss_clnt_mtx); |
| 0a7de745 | 1528 | if (error) { |
| 2d21ac55 | 1529 | cp->gss_clnt_flags |= GSS_CTX_INVAL; |
| 0a7de745 | 1530 | } |
| 2d21ac55 A |
1531 | |
| 1532 | /* | |
| 1533 | * Wake any threads waiting to use the context | |
| 1534 | */ | |
| 2d21ac55 A |
1535 | cp->gss_clnt_thread = NULL; |
| 1536 | if (cp->gss_clnt_flags & GSS_NEEDCTX) { | |
| 1537 | cp->gss_clnt_flags &= ~GSS_NEEDCTX; | |
| 1538 | wakeup(cp); | |
| 1539 | } | |
| 1540 | lck_mtx_unlock(cp->gss_clnt_mtx); | |
| 1541 | ||
| 39037602 | 1542 | NFS_GSS_DBG("Returning error = %d\n", error); |
| 0a7de745 | 1543 | return error; |
| 2d21ac55 A |
1544 | } |
| 1545 | ||
| 6d2010ae A |
1546 | /* |
| 1547 | * This function calls nfs_gss_clnt_ctx_init() to set up a new context. | |
| 1548 | * But if there's a failure in trying to establish the context it keeps | |
| 1549 | * retrying at progressively longer intervals in case the failure is | |
| 1550 | * due to some transient condition. For instance, the server might be | |
| 1551 | * failing the context setup because directory services is not coming | |
| 1552 | * up in a timely fashion. | |
| 1553 | */ | |
| 1554 | static int | |
| 1555 | nfs_gss_clnt_ctx_init_retry(struct nfsreq *req, struct nfs_gss_clnt_ctx *cp) | |
| 1556 | { | |
| 1557 | struct nfsmount *nmp = req->r_nmp; | |
| 1558 | struct timeval now; | |
| 1559 | time_t waituntil; | |
| 1560 | int error, slpflag; | |
| 1561 | int retries = 0; | |
| 1562 | int timeo = NFS_TRYLATERDEL; | |
| 1563 | ||
| fe8ab488 | 1564 | if (nfs_mount_gone(nmp)) { |
| 6d2010ae A |
1565 | error = ENXIO; |
| 1566 | goto bad; | |
| 1567 | } | |
| 1568 | ||
| 1569 | /* For an "intr" mount allow a signal to interrupt the retries */ | |
| 1570 | slpflag = (NMFLAG(nmp, INTR) && !(req->r_flags & R_NOINTR)) ? PCATCH : 0; | |
| 1571 | ||
| 1572 | while ((error = nfs_gss_clnt_ctx_init(req, cp)) == ENEEDAUTH) { | |
| 1573 | microuptime(&now); | |
| 1574 | waituntil = now.tv_sec + timeo; | |
| 1575 | while (now.tv_sec < waituntil) { | |
| 39236c6e | 1576 | tsleep(NULL, PSOCK | slpflag, "nfs_gss_clnt_ctx_init_retry", hz); |
| 6d2010ae A |
1577 | slpflag = 0; |
| 1578 | error = nfs_sigintr(req->r_nmp, req, current_thread(), 0); | |
| 0a7de745 | 1579 | if (error) { |
| 6d2010ae | 1580 | goto bad; |
| 0a7de745 | 1581 | } |
| 6d2010ae A |
1582 | microuptime(&now); |
| 1583 | } | |
| 1584 | ||
| 1585 | retries++; | |
| 1586 | /* If it's a soft mount just give up after a while */ | |
| fe8ab488 | 1587 | if ((NMFLAG(nmp, SOFT) || (req->r_flags & R_SOFT)) && (retries > nmp->nm_retry)) { |
| 6d2010ae A |
1588 | error = ETIMEDOUT; |
| 1589 | goto bad; | |
| 1590 | } | |
| 1591 | timeo *= 2; | |
| 0a7de745 | 1592 | if (timeo > 60) { |
| 6d2010ae | 1593 | timeo = 60; |
| 0a7de745 | 1594 | } |
| 6d2010ae A |
1595 | } |
| 1596 | ||
| 0a7de745 A |
1597 | if (error == 0) { |
| 1598 | return 0; // success | |
| 1599 | } | |
| 6d2010ae A |
1600 | bad: |
| 1601 | /* | |
| 1602 | * Give up on this context | |
| 1603 | */ | |
| 1604 | lck_mtx_lock(cp->gss_clnt_mtx); | |
| 1605 | cp->gss_clnt_flags |= GSS_CTX_INVAL; | |
| 1606 | ||
| 1607 | /* | |
| 1608 | * Wake any threads waiting to use the context | |
| 1609 | */ | |
| 1610 | cp->gss_clnt_thread = NULL; | |
| 1611 | if (cp->gss_clnt_flags & GSS_NEEDCTX) { | |
| 1612 | cp->gss_clnt_flags &= ~GSS_NEEDCTX; | |
| 1613 | wakeup(cp); | |
| 1614 | } | |
| 0a7de745 | 1615 | lck_mtx_unlock(cp->gss_clnt_mtx); |
| 6d2010ae A |
1616 | |
| 1617 | return error; | |
| 1618 | } | |
| 1619 | ||
| 2d21ac55 A |
1620 | /* |
| 1621 | * Call the NFS server using a null procedure for context setup. | |
| 1622 | * Even though it's a null procedure and nominally has no arguments | |
| 1623 | * RFC 2203 requires that the GSS-API token be passed as an argument | |
| 1624 | * and received as a reply. | |
| 1625 | */ | |
| 1626 | static int | |
| 1627 | nfs_gss_clnt_ctx_callserver(struct nfsreq *req, struct nfs_gss_clnt_ctx *cp) | |
| 1628 | { | |
| 2d21ac55 A |
1629 | struct nfsm_chain nmreq, nmrep; |
| 1630 | int error = 0, status; | |
| fe8ab488 | 1631 | uint32_t major = cp->gss_clnt_major, minor = cp->gss_clnt_minor; |
| 2d21ac55 A |
1632 | int sz; |
| 1633 | ||
| 0a7de745 A |
1634 | if (nfs_mount_gone(req->r_nmp)) { |
| 1635 | return ENXIO; | |
| 1636 | } | |
| 2d21ac55 A |
1637 | nfsm_chain_null(&nmreq); |
| 1638 | nfsm_chain_null(&nmrep); | |
| 1639 | sz = NFSX_UNSIGNED + nfsm_rndup(cp->gss_clnt_tokenlen); | |
| 1640 | nfsm_chain_build_alloc_init(error, &nmreq, sz); | |
| 1641 | nfsm_chain_add_32(error, &nmreq, cp->gss_clnt_tokenlen); | |
| 0a7de745 | 1642 | if (cp->gss_clnt_tokenlen > 0) { |
| b0d623f7 | 1643 | nfsm_chain_add_opaque(error, &nmreq, cp->gss_clnt_token, cp->gss_clnt_tokenlen); |
| 0a7de745 | 1644 | } |
| 2d21ac55 | 1645 | nfsm_chain_build_done(error, &nmreq); |
| 0a7de745 | 1646 | if (error) { |
| 2d21ac55 | 1647 | goto nfsmout; |
| 0a7de745 | 1648 | } |
| 2d21ac55 A |
1649 | |
| 1650 | /* Call the server */ | |
| 0a7de745 A |
1651 | error = nfs_request_gss(req->r_nmp->nm_mountp, &nmreq, req->r_thread, req->r_cred, |
| 1652 | (req->r_flags & R_OPTMASK), cp, &nmrep, &status); | |
| 2d21ac55 A |
1653 | if (cp->gss_clnt_token != NULL) { |
| 1654 | FREE(cp->gss_clnt_token, M_TEMP); | |
| 1655 | cp->gss_clnt_token = NULL; | |
| 1656 | } | |
| 0a7de745 | 1657 | if (!error) { |
| 2d21ac55 | 1658 | error = status; |
| 0a7de745 A |
1659 | } |
| 1660 | if (error) { | |
| 2d21ac55 | 1661 | goto nfsmout; |
| 0a7de745 | 1662 | } |
| 2d21ac55 A |
1663 | |
| 1664 | /* Get the server's reply */ | |
| 1665 | ||
| 1666 | nfsm_chain_get_32(error, &nmrep, cp->gss_clnt_handle_len); | |
| b0d623f7 | 1667 | if (cp->gss_clnt_handle != NULL) { |
| 2d21ac55 | 1668 | FREE(cp->gss_clnt_handle, M_TEMP); |
| b0d623f7 A |
1669 | cp->gss_clnt_handle = NULL; |
| 1670 | } | |
| d9a64523 | 1671 | if (cp->gss_clnt_handle_len > 0 && cp->gss_clnt_handle_len < GSS_MAX_CTX_HANDLE_LEN) { |
| 2d21ac55 A |
1672 | MALLOC(cp->gss_clnt_handle, u_char *, cp->gss_clnt_handle_len, M_TEMP, M_WAITOK); |
| 1673 | if (cp->gss_clnt_handle == NULL) { | |
| 1674 | error = ENOMEM; | |
| 1675 | goto nfsmout; | |
| 1676 | } | |
| 1677 | nfsm_chain_get_opaque(error, &nmrep, cp->gss_clnt_handle_len, cp->gss_clnt_handle); | |
| d9a64523 A |
1678 | } else { |
| 1679 | error = EBADRPC; | |
| 2d21ac55 A |
1680 | } |
| 1681 | nfsm_chain_get_32(error, &nmrep, cp->gss_clnt_major); | |
| 1682 | nfsm_chain_get_32(error, &nmrep, cp->gss_clnt_minor); | |
| 1683 | nfsm_chain_get_32(error, &nmrep, cp->gss_clnt_seqwin); | |
| 1684 | nfsm_chain_get_32(error, &nmrep, cp->gss_clnt_tokenlen); | |
| 0a7de745 | 1685 | if (error) { |
| 2d21ac55 | 1686 | goto nfsmout; |
| 0a7de745 | 1687 | } |
| d9a64523 | 1688 | if (cp->gss_clnt_tokenlen > 0 && cp->gss_clnt_tokenlen < GSS_MAX_TOKEN_LEN) { |
| 2d21ac55 A |
1689 | MALLOC(cp->gss_clnt_token, u_char *, cp->gss_clnt_tokenlen, M_TEMP, M_WAITOK); |
| 1690 | if (cp->gss_clnt_token == NULL) { | |
| 1691 | error = ENOMEM; | |
| 1692 | goto nfsmout; | |
| 1693 | } | |
| 1694 | nfsm_chain_get_opaque(error, &nmrep, cp->gss_clnt_tokenlen, cp->gss_clnt_token); | |
| d9a64523 A |
1695 | } else { |
| 1696 | error = EBADRPC; | |
| 2d21ac55 A |
1697 | } |
| 1698 | ||
| 1699 | /* | |
| 1700 | * Make sure any unusual errors are expanded and logged by gssd | |
| 1701 | */ | |
| 1702 | if (cp->gss_clnt_major != GSS_S_COMPLETE && | |
| 1703 | cp->gss_clnt_major != GSS_S_CONTINUE_NEEDED) { | |
| fe8ab488 A |
1704 | printf("nfs_gss_clnt_ctx_callserver: gss_clnt_major = %d\n", cp->gss_clnt_major); |
| 1705 | nfs_gss_clnt_log_error(req, cp, major, minor); | |
| 2d21ac55 A |
1706 | } |
| 1707 | ||
| 1708 | nfsmout: | |
| 1709 | nfsm_chain_cleanup(&nmreq); | |
| 1710 | nfsm_chain_cleanup(&nmrep); | |
| 1711 | ||
| 0a7de745 | 1712 | return error; |
| 2d21ac55 A |
1713 | } |
| 1714 | ||
| 1715 | /* | |
| 39236c6e A |
1716 | * We construct the service principal as a gss hostbased service principal of |
| 1717 | * the form nfs@<server>, unless the servers principal was passed down in the | |
| 1718 | * mount arguments. If the arguments don't specify the service principal, the | |
| 1719 | * server name is extracted the location passed in the mount argument if | |
| 1720 | * available. Otherwise assume a format of <server>:<path> in the | |
| 1721 | * mntfromname. We don't currently support url's or other bizarre formats like | |
| 1722 | * path@server. Mount_url will convert the nfs url into <server>:<path> when | |
| 1723 | * calling mount, so this works out well in practice. | |
| 1724 | * | |
| 2d21ac55 | 1725 | */ |
| 39236c6e A |
1726 | |
| 1727 | static uint8_t * | |
| 1728 | nfs_gss_clnt_svcname(struct nfsmount *nmp, gssd_nametype *nt, uint32_t *len) | |
| 2d21ac55 | 1729 | { |
| 39236c6e A |
1730 | char *svcname, *d, *server; |
| 1731 | int lindx, sindx; | |
| 2d21ac55 | 1732 | |
| 0a7de745 A |
1733 | if (nfs_mount_gone(nmp)) { |
| 1734 | return NULL; | |
| 1735 | } | |
| 2d21ac55 | 1736 | |
| 39236c6e A |
1737 | if (nmp->nm_sprinc) { |
| 1738 | *len = strlen(nmp->nm_sprinc) + 1; | |
| 1739 | MALLOC(svcname, char *, *len, M_TEMP, M_WAITOK); | |
| 1740 | *nt = GSSD_HOSTBASED; | |
| 0a7de745 A |
1741 | if (svcname == NULL) { |
| 1742 | return NULL; | |
| 1743 | } | |
| 39236c6e A |
1744 | strlcpy(svcname, nmp->nm_sprinc, *len); |
| 1745 | ||
| 0a7de745 | 1746 | return (uint8_t *)svcname; |
| 39236c6e A |
1747 | } |
| 1748 | ||
| 1749 | *nt = GSSD_HOSTBASED; | |
| 1750 | if (nmp->nm_locations.nl_numlocs && !(NFS_GSS_ISDBG && (NFS_DEBUG_FLAGS & 0x1))) { | |
| 1751 | lindx = nmp->nm_locations.nl_current.nli_loc; | |
| 1752 | sindx = nmp->nm_locations.nl_current.nli_serv; | |
| 1753 | server = nmp->nm_locations.nl_locations[lindx]->nl_servers[sindx]->ns_name; | |
| 1754 | *len = (uint32_t)strlen(server); | |
| 1755 | } else { | |
| 1756 | /* Older binaries using older mount args end up here */ | |
| 1757 | server = vfs_statfs(nmp->nm_mountp)->f_mntfromname; | |
| 1758 | NFS_GSS_DBG("nfs getting gss svcname from %s\n", server); | |
| 1759 | d = strchr(server, ':'); | |
| 1760 | *len = (uint32_t)(d ? (d - server) : strlen(server)); | |
| 1761 | } | |
| 0a7de745 | 1762 | |
| 39236c6e A |
1763 | *len += 5; /* "nfs@" plus null */ |
| 1764 | MALLOC(svcname, char *, *len, M_TEMP, M_WAITOK); | |
| 1765 | strlcpy(svcname, "nfs", *len); | |
| 1766 | strlcat(svcname, "@", *len); | |
| 1767 | strlcat(svcname, server, *len); | |
| 1768 | NFS_GSS_DBG("nfs svcname = %s\n", svcname); | |
| 1769 | ||
| 0a7de745 | 1770 | return (uint8_t *)svcname; |
| 2d21ac55 A |
1771 | } |
| 1772 | ||
| 316670eb A |
1773 | /* |
| 1774 | * Get a mach port to talk to gssd. | |
| 1775 | * gssd lives in the root bootstrap, so we call gssd's lookup routine | |
| 1776 | * to get a send right to talk to a new gssd instance that launchd has launched | |
| 1777 | * based on the cred's uid and audit session id. | |
| 1778 | */ | |
| 316670eb A |
1779 | |
| 1780 | static mach_port_t | |
| 1781 | nfs_gss_clnt_get_upcall_port(kauth_cred_t credp) | |
| 1782 | { | |
| 1783 | mach_port_t gssd_host_port, uc_port = IPC_PORT_NULL; | |
| 1784 | kern_return_t kr; | |
| 1785 | au_asid_t asid; | |
| 1786 | uid_t uid; | |
| 1787 | ||
| 1788 | kr = host_get_gssd_port(host_priv_self(), &gssd_host_port); | |
| 1789 | if (kr != KERN_SUCCESS) { | |
| 1790 | printf("nfs_gss_get_upcall_port: can't get gssd port, status %x (%d)\n", kr, kr); | |
| 0a7de745 | 1791 | return IPC_PORT_NULL; |
| 316670eb A |
1792 | } |
| 1793 | if (!IPC_PORT_VALID(gssd_host_port)) { | |
| 1794 | printf("nfs_gss_get_upcall_port: gssd port not valid\n"); | |
| 0a7de745 | 1795 | return IPC_PORT_NULL; |
| 316670eb A |
1796 | } |
| 1797 | ||
| 1798 | asid = kauth_cred_getasid(credp); | |
| 1799 | uid = kauth_cred_getauid(credp); | |
| 0a7de745 | 1800 | if (uid == AU_DEFAUDITID) { |
| 316670eb | 1801 | uid = kauth_cred_getuid(credp); |
| 0a7de745 | 1802 | } |
| 316670eb | 1803 | kr = mach_gss_lookup(gssd_host_port, uid, asid, &uc_port); |
| 0a7de745 | 1804 | if (kr != KERN_SUCCESS) { |
| 316670eb | 1805 | printf("nfs_gss_clnt_get_upcall_port: mach_gssd_lookup failed: status %x (%d)\n", kr, kr); |
| 0a7de745 | 1806 | } |
| 3e170ce0 | 1807 | host_release_special_port(gssd_host_port); |
| 316670eb | 1808 | |
| 0a7de745 | 1809 | return uc_port; |
| 316670eb A |
1810 | } |
| 1811 | ||
| fe8ab488 A |
1812 | |
| 1813 | static void | |
| 1814 | nfs_gss_clnt_log_error(struct nfsreq *req, struct nfs_gss_clnt_ctx *cp, uint32_t major, uint32_t minor) | |
| 1815 | { | |
| 0a7de745 | 1816 | #define GETMAJERROR(x) (((x) >> GSS_C_ROUTINE_ERROR_OFFSET) & GSS_C_ROUTINE_ERROR_MASK) |
| fe8ab488 A |
1817 | struct nfsmount *nmp = req->r_nmp; |
| 1818 | char who[] = "client"; | |
| 1819 | uint32_t gss_error = GETMAJERROR(cp->gss_clnt_major); | |
| 1820 | const char *procn = "unkown"; | |
| 1821 | proc_t proc; | |
| 1822 | pid_t pid = -1; | |
| 1823 | struct timeval now; | |
| 1824 | ||
| 1825 | if (req->r_thread) { | |
| 1826 | proc = (proc_t)get_bsdthreadtask_info(req->r_thread); | |
| 0a7de745 | 1827 | if (proc != NULL && (proc->p_fd == NULL || (proc->p_lflag & P_LVFORK))) { |
| fe8ab488 | 1828 | proc = NULL; |
| 0a7de745 | 1829 | } |
| fe8ab488 | 1830 | if (proc) { |
| 0a7de745 | 1831 | if (*proc->p_comm) { |
| fe8ab488 | 1832 | procn = proc->p_comm; |
| 0a7de745 | 1833 | } |
| fe8ab488 A |
1834 | pid = proc->p_pid; |
| 1835 | } | |
| 1836 | } else { | |
| 1837 | procn = "kernproc"; | |
| 1838 | pid = 0; | |
| 1839 | } | |
| 0a7de745 | 1840 | |
| fe8ab488 A |
1841 | microuptime(&now); |
| 1842 | if ((cp->gss_clnt_major != major || cp->gss_clnt_minor != minor || | |
| 0a7de745 | 1843 | cp->gss_clnt_ptime + GSS_PRINT_DELAY < now.tv_sec) && |
| fe8ab488 | 1844 | (nmp->nm_state & NFSSTA_MOUNTED)) { |
| 0a7de745 | 1845 | /* |
| fe8ab488 A |
1846 | * Will let gssd do some logging in hopes that it can translate |
| 1847 | * the minor code. | |
| 1848 | */ | |
| 1849 | if (cp->gss_clnt_minor && cp->gss_clnt_minor != minor) { | |
| 1850 | (void) mach_gss_log_error( | |
| 1851 | cp->gss_clnt_mport, | |
| 1852 | vfs_statfs(nmp->nm_mountp)->f_mntfromname, | |
| 1853 | kauth_cred_getuid(cp->gss_clnt_cred), | |
| 1854 | who, | |
| 1855 | cp->gss_clnt_major, | |
| 1856 | cp->gss_clnt_minor); | |
| 1857 | } | |
| 1858 | gss_error = gss_error ? gss_error : cp->gss_clnt_major; | |
| 1859 | ||
| 1860 | /* | |
| 1861 | *%%% It would be really nice to get the terminal from the proc or auditinfo_addr struct and print that here. | |
| 1862 | */ | |
| 1863 | printf("NFS: gssd auth failure by %s on audit session %d uid %d proc %s/%d for mount %s. Error: major = %d minor = %d\n", | |
| 0a7de745 A |
1864 | cp->gss_clnt_display ? cp->gss_clnt_display : who, kauth_cred_getasid(req->r_cred), kauth_cred_getuid(req->r_cred), |
| 1865 | procn, pid, vfs_statfs(nmp->nm_mountp)->f_mntfromname, gss_error, (int32_t)cp->gss_clnt_minor); | |
| fe8ab488 A |
1866 | cp->gss_clnt_ptime = now.tv_sec; |
| 1867 | switch (gss_error) { | |
| 1868 | case 7: printf("NFS: gssd does not have credentials for session %d/%d, (kinit)?\n", | |
| 0a7de745 | 1869 | kauth_cred_getasid(req->r_cred), kauth_cred_getauid(req->r_cred)); |
| fe8ab488 A |
1870 | break; |
| 1871 | case 11: printf("NFS: gssd has expired credentals for session %d/%d, (kinit)?\n", | |
| 0a7de745 | 1872 | kauth_cred_getasid(req->r_cred), kauth_cred_getauid(req->r_cred)); |
| fe8ab488 A |
1873 | break; |
| 1874 | } | |
| 1875 | } else { | |
| 1876 | NFS_GSS_DBG("NFS: gssd auth failure by %s on audit session %d uid %d proc %s/%d for mount %s. Error: major = %d minor = %d\n", | |
| 0a7de745 A |
1877 | cp->gss_clnt_display ? cp->gss_clnt_display : who, kauth_cred_getasid(req->r_cred), kauth_cred_getuid(req->r_cred), |
| 1878 | procn, pid, vfs_statfs(nmp->nm_mountp)->f_mntfromname, gss_error, (int32_t)cp->gss_clnt_minor); | |
| fe8ab488 A |
1879 | } |
| 1880 | } | |
| 1881 | ||
| 2d21ac55 A |
1882 | /* |
| 1883 | * Make an upcall to the gssd using Mach RPC | |
| 316670eb | 1884 | * The upcall is made using a host special port. |
| 2d21ac55 A |
1885 | * This allows launchd to fire up the gssd in the |
| 1886 | * user's session. This is important, since gssd | |
| 1887 | * must have access to the user's credential cache. | |
| 1888 | */ | |
| 1889 | static int | |
| 39037602 | 1890 | nfs_gss_clnt_gssd_upcall(struct nfsreq *req, struct nfs_gss_clnt_ctx *cp, uint32_t retrycnt) |
| 2d21ac55 A |
1891 | { |
| 1892 | kern_return_t kr; | |
| 39037602 A |
1893 | gssd_byte_buffer octx = NULL; |
| 1894 | uint32_t lucidlen = 0; | |
| 1895 | void *lucid_ctx_buffer; | |
| 2d21ac55 A |
1896 | int retry_cnt = 0; |
| 1897 | vm_map_copy_t itoken = NULL; | |
| 6d2010ae | 1898 | gssd_byte_buffer otoken = NULL; |
| b0d623f7 | 1899 | mach_msg_type_number_t otokenlen; |
| 2d21ac55 | 1900 | int error = 0; |
| 39236c6e A |
1901 | uint8_t *principal = NULL; |
| 1902 | uint32_t plen = 0; | |
| 1903 | int32_t nt = GSSD_STRING_NAME; | |
| 1904 | vm_map_copy_t pname = NULL; | |
| 1905 | vm_map_copy_t svcname = NULL; | |
| 1906 | char display_name[MAX_DISPLAY_STR] = ""; | |
| b0d623f7 | 1907 | uint32_t ret_flags; |
| 39037602 | 1908 | struct nfsmount *nmp = req->r_nmp; |
| fe8ab488 | 1909 | uint32_t major = cp->gss_clnt_major, minor = cp->gss_clnt_minor; |
| 39037602 A |
1910 | uint32_t selected = (uint32_t)-1; |
| 1911 | struct nfs_etype etype; | |
| 1912 | ||
| 0a7de745 A |
1913 | if (nmp == NULL || vfs_isforce(nmp->nm_mountp) || (nmp->nm_state & (NFSSTA_FORCE | NFSSTA_DEAD))) { |
| 1914 | return ENXIO; | |
| 1915 | } | |
| 39037602 A |
1916 | |
| 1917 | if (cp->gss_clnt_gssd_flags & GSSD_RESTART) { | |
| 0a7de745 | 1918 | if (cp->gss_clnt_token) { |
| 39037602 | 1919 | FREE(cp->gss_clnt_token, M_TEMP); |
| 0a7de745 | 1920 | } |
| 39037602 A |
1921 | cp->gss_clnt_token = NULL; |
| 1922 | cp->gss_clnt_tokenlen = 0; | |
| 1923 | cp->gss_clnt_proc = RPCSEC_GSS_INIT; | |
| 5ba3f43e A |
1924 | /* Server's handle isn't valid. Don't reuse */ |
| 1925 | cp->gss_clnt_handle_len = 0; | |
| 1926 | if (cp->gss_clnt_handle != NULL) { | |
| 1927 | FREE(cp->gss_clnt_handle, M_TEMP); | |
| 1928 | cp->gss_clnt_handle = NULL; | |
| 1929 | } | |
| 39037602 A |
1930 | } |
| 1931 | ||
| 1932 | NFS_GSS_DBG("Retrycnt = %d nm_etype.count = %d\n", retrycnt, nmp->nm_etype.count); | |
| 0a7de745 A |
1933 | if (retrycnt >= nmp->nm_etype.count) { |
| 1934 | return EACCES; | |
| 1935 | } | |
| 39037602 A |
1936 | |
| 1937 | /* Copy the mount etypes to an order set of etypes to try */ | |
| 1938 | etype = nmp->nm_etype; | |
| 1939 | ||
| 1940 | /* | |
| 1941 | * If we've already selected an etype, lets put that first in our | |
| 1942 | * array of etypes to try, since overwhelmingly, that is likely | |
| 1943 | * to be the etype we want. | |
| 1944 | */ | |
| 1945 | if (etype.selected < etype.count) { | |
| 1946 | etype.etypes[0] = nmp->nm_etype.etypes[etype.selected]; | |
| 0a7de745 A |
1947 | for (uint32_t i = 0; i < etype.selected; i++) { |
| 1948 | etype.etypes[i + 1] = nmp->nm_etype.etypes[i]; | |
| 1949 | } | |
| 1950 | for (uint32_t i = etype.selected + 1; i < etype.count; i++) { | |
| 39037602 | 1951 | etype.etypes[i] = nmp->nm_etype.etypes[i]; |
| 0a7de745 | 1952 | } |
| 39037602 A |
1953 | } |
| 1954 | ||
| 1955 | /* Remove the ones we've already have tried */ | |
| 0a7de745 | 1956 | for (uint32_t i = retrycnt; i < etype.count; i++) { |
| 39037602 | 1957 | etype.etypes[i - retrycnt] = etype.etypes[i]; |
| 0a7de745 | 1958 | } |
| 39037602 A |
1959 | etype.count = etype.count - retrycnt; |
| 1960 | ||
| 1961 | NFS_GSS_DBG("etype count = %d preferred etype = %d\n", etype.count, etype.etypes[0]); | |
| 1962 | ||
| 1963 | /* | |
| 1964 | * NFS currently only supports default principals or | |
| 1965 | * principals based on the uid of the caller, unless | |
| 1966 | * the principal to use for the mounting cred was specified | |
| 1967 | * in the mount argmuments. If the realm to use was specified | |
| 1968 | * then will send that up as the principal since the realm is | |
| 39236c6e A |
1969 | * preceed by an "@" gssd that will try and select the default |
| 1970 | * principal for that realm. | |
| 2d21ac55 | 1971 | */ |
| 39236c6e | 1972 | |
| 39236c6e A |
1973 | if (cp->gss_clnt_principal && cp->gss_clnt_prinlen) { |
| 1974 | principal = cp->gss_clnt_principal; | |
| 1975 | plen = cp->gss_clnt_prinlen; | |
| 1976 | nt = cp->gss_clnt_prinnt; | |
| 1977 | } else if (nmp->nm_principal && IS_VALID_CRED(nmp->nm_mcred) && req->r_cred == nmp->nm_mcred) { | |
| 1978 | plen = (uint32_t)strlen(nmp->nm_principal); | |
| 5ba3f43e | 1979 | principal = (uint8_t *)nmp->nm_principal; |
| 39236c6e | 1980 | cp->gss_clnt_prinnt = nt = GSSD_USER; |
| 0a7de745 | 1981 | } else if (nmp->nm_realm) { |
| 39236c6e A |
1982 | plen = (uint32_t)strlen(nmp->nm_realm); |
| 1983 | principal = (uint8_t *)nmp->nm_realm; | |
| 1984 | nt = GSSD_USER; | |
| 1985 | } | |
| 1986 | ||
| 6d2010ae | 1987 | if (!IPC_PORT_VALID(cp->gss_clnt_mport)) { |
| 316670eb | 1988 | cp->gss_clnt_mport = nfs_gss_clnt_get_upcall_port(req->r_cred); |
| 0a7de745 | 1989 | if (cp->gss_clnt_mport == IPC_PORT_NULL) { |
| b0d623f7 | 1990 | goto out; |
| 0a7de745 | 1991 | } |
| 2d21ac55 A |
1992 | } |
| 1993 | ||
| 0a7de745 | 1994 | if (plen) { |
| 39236c6e | 1995 | nfs_gss_mach_alloc_buffer(principal, plen, &pname); |
| 0a7de745 A |
1996 | } |
| 1997 | if (cp->gss_clnt_svcnamlen) { | |
| 39236c6e | 1998 | nfs_gss_mach_alloc_buffer(cp->gss_clnt_svcname, cp->gss_clnt_svcnamlen, &svcname); |
| 0a7de745 A |
1999 | } |
| 2000 | if (cp->gss_clnt_tokenlen) { | |
| 2d21ac55 | 2001 | nfs_gss_mach_alloc_buffer(cp->gss_clnt_token, cp->gss_clnt_tokenlen, &itoken); |
| 0a7de745 | 2002 | } |
| 2d21ac55 | 2003 | |
| 39037602 A |
2004 | /* Always want to export the lucid context */ |
| 2005 | cp->gss_clnt_gssd_flags |= GSSD_LUCID_CONTEXT; | |
| 2006 | ||
| 2d21ac55 | 2007 | retry: |
| 39037602 | 2008 | kr = mach_gss_init_sec_context_v3( |
| 2d21ac55 | 2009 | cp->gss_clnt_mport, |
| 6d2010ae A |
2010 | GSSD_KRB5_MECH, |
| 2011 | (gssd_byte_buffer) itoken, (mach_msg_type_number_t) cp->gss_clnt_tokenlen, | |
| 39236c6e A |
2012 | kauth_cred_getuid(cp->gss_clnt_cred), |
| 2013 | nt, | |
| 2014 | (gssd_byte_buffer)pname, (mach_msg_type_number_t) plen, | |
| 2015 | cp->gss_clnt_svcnt, | |
| 2016 | (gssd_byte_buffer)svcname, (mach_msg_type_number_t) cp->gss_clnt_svcnamlen, | |
| b0d623f7 | 2017 | GSSD_MUTUAL_FLAG, |
| 39037602 | 2018 | (gssd_etype_list)etype.etypes, (mach_msg_type_number_t)etype.count, |
| 39236c6e | 2019 | &cp->gss_clnt_gssd_flags, |
| 2d21ac55 A |
2020 | &cp->gss_clnt_context, |
| 2021 | &cp->gss_clnt_cred_handle, | |
| b0d623f7 | 2022 | &ret_flags, |
| 0a7de745 | 2023 | &octx, (mach_msg_type_number_t *) &lucidlen, |
| b0d623f7 | 2024 | &otoken, &otokenlen, |
| 39236c6e | 2025 | cp->gss_clnt_display ? NULL : display_name, |
| 2d21ac55 A |
2026 | &cp->gss_clnt_major, |
| 2027 | &cp->gss_clnt_minor); | |
| 2028 | ||
| 39037602 | 2029 | /* Clear the RESTART flag */ |
| b0d623f7 | 2030 | cp->gss_clnt_gssd_flags &= ~GSSD_RESTART; |
| 39037602 A |
2031 | if (cp->gss_clnt_major != GSS_S_CONTINUE_NEEDED) { |
| 2032 | /* We're done with the gssd handles */ | |
| 2033 | cp->gss_clnt_context = 0; | |
| 2034 | cp->gss_clnt_cred_handle = 0; | |
| 2035 | } | |
| 39236c6e | 2036 | |
| b0d623f7 A |
2037 | if (kr != KERN_SUCCESS) { |
| 2038 | printf("nfs_gss_clnt_gssd_upcall: mach_gss_init_sec_context failed: %x (%d)\n", kr, kr); | |
| 2d21ac55 | 2039 | if (kr == MIG_SERVER_DIED && cp->gss_clnt_cred_handle == 0 && |
| 0a7de745 A |
2040 | retry_cnt++ < NFS_GSS_MACH_MAX_RETRIES && |
| 2041 | !vfs_isforce(nmp->nm_mountp) && (nmp->nm_state & (NFSSTA_FORCE | NFSSTA_DEAD)) == 0) { | |
| 2042 | if (plen) { | |
| 39236c6e | 2043 | nfs_gss_mach_alloc_buffer(principal, plen, &pname); |
| 0a7de745 A |
2044 | } |
| 2045 | if (cp->gss_clnt_svcnamlen) { | |
| 39236c6e | 2046 | nfs_gss_mach_alloc_buffer(cp->gss_clnt_svcname, cp->gss_clnt_svcnamlen, &svcname); |
| 0a7de745 A |
2047 | } |
| 2048 | if (cp->gss_clnt_tokenlen > 0) { | |
| b0d623f7 | 2049 | nfs_gss_mach_alloc_buffer(cp->gss_clnt_token, cp->gss_clnt_tokenlen, &itoken); |
| 0a7de745 | 2050 | } |
| 2d21ac55 | 2051 | goto retry; |
| b0d623f7 | 2052 | } |
| 316670eb A |
2053 | |
| 2054 | host_release_special_port(cp->gss_clnt_mport); | |
| 2055 | cp->gss_clnt_mport = IPC_PORT_NULL; | |
| b0d623f7 | 2056 | goto out; |
| 2d21ac55 A |
2057 | } |
| 2058 | ||
| 39236c6e A |
2059 | if (cp->gss_clnt_display == NULL && *display_name != '\0') { |
| 2060 | int dlen = strnlen(display_name, MAX_DISPLAY_STR) + 1; /* Add extra byte to include '\0' */ | |
| 39037602 | 2061 | |
| 39236c6e A |
2062 | if (dlen < MAX_DISPLAY_STR) { |
| 2063 | MALLOC(cp->gss_clnt_display, char *, dlen, M_TEMP, M_WAITOK); | |
| 0a7de745 | 2064 | if (cp->gss_clnt_display == NULL) { |
| 39236c6e | 2065 | goto skip; |
| 0a7de745 A |
2066 | } |
| 2067 | bcopy(display_name, cp->gss_clnt_display, dlen); | |
| 39236c6e A |
2068 | } else { |
| 2069 | goto skip; | |
| 2070 | } | |
| 2071 | } | |
| 2072 | skip: | |
| 2d21ac55 A |
2073 | /* |
| 2074 | * Make sure any unusual errors are expanded and logged by gssd | |
| 39236c6e A |
2075 | * |
| 2076 | * XXXX, we need to rethink this and just have gssd return a string for the major and minor codes. | |
| 2d21ac55 A |
2077 | */ |
| 2078 | if (cp->gss_clnt_major != GSS_S_COMPLETE && | |
| 2079 | cp->gss_clnt_major != GSS_S_CONTINUE_NEEDED) { | |
| 39037602 | 2080 | NFS_GSS_DBG("Up call returned error\n"); |
| fe8ab488 | 2081 | nfs_gss_clnt_log_error(req, cp, major, minor); |
| 5ba3f43e A |
2082 | /* Server's handle isn't valid. Don't reuse */ |
| 2083 | cp->gss_clnt_handle_len = 0; | |
| 2084 | if (cp->gss_clnt_handle != NULL) { | |
| 2085 | FREE(cp->gss_clnt_handle, M_TEMP); | |
| 2086 | cp->gss_clnt_handle = NULL; | |
| 2087 | } | |
| 2d21ac55 A |
2088 | } |
| 2089 | ||
| 39037602 A |
2090 | if (lucidlen > 0) { |
| 2091 | if (lucidlen > MAX_LUCIDLEN) { | |
| 2092 | printf("nfs_gss_clnt_gssd_upcall: bad context length (%d)\n", lucidlen); | |
| 2093 | vm_map_copy_discard((vm_map_copy_t) octx); | |
| b0d623f7 A |
2094 | vm_map_copy_discard((vm_map_copy_t) otoken); |
| 2095 | goto out; | |
| 2096 | } | |
| 39037602 A |
2097 | MALLOC(lucid_ctx_buffer, void *, lucidlen, M_TEMP, M_WAITOK | M_ZERO); |
| 2098 | error = nfs_gss_mach_vmcopyout((vm_map_copy_t) octx, lucidlen, lucid_ctx_buffer); | |
| b0d623f7 A |
2099 | if (error) { |
| 2100 | vm_map_copy_discard((vm_map_copy_t) otoken); | |
| 2101 | goto out; | |
| 2d21ac55 | 2102 | } |
| 39037602 | 2103 | |
| 0a7de745 | 2104 | if (cp->gss_clnt_ctx_id) { |
| 39037602 | 2105 | gss_krb5_destroy_context(cp->gss_clnt_ctx_id); |
| 0a7de745 | 2106 | } |
| 39037602 A |
2107 | cp->gss_clnt_ctx_id = gss_krb5_make_context(lucid_ctx_buffer, lucidlen); |
| 2108 | if (cp->gss_clnt_ctx_id == NULL) { | |
| 2109 | printf("Failed to make context from lucid_ctx_buffer\n"); | |
| b0d623f7 | 2110 | goto out; |
| 39037602 A |
2111 | } |
| 2112 | for (uint32_t i = 0; i < nmp->nm_etype.count; i++) { | |
| 2113 | if (nmp->nm_etype.etypes[i] == cp->gss_clnt_ctx_id->gss_cryptor.etype) { | |
| 2114 | selected = i; | |
| 2115 | break; | |
| 2116 | } | |
| 2117 | } | |
| 2d21ac55 A |
2118 | } |
| 2119 | ||
| b0d623f7 | 2120 | /* Free context token used as input */ |
| 0a7de745 | 2121 | if (cp->gss_clnt_token) { |
| b0d623f7 | 2122 | FREE(cp->gss_clnt_token, M_TEMP); |
| 0a7de745 | 2123 | } |
| b0d623f7 A |
2124 | cp->gss_clnt_token = NULL; |
| 2125 | cp->gss_clnt_tokenlen = 0; | |
| 2126 | ||
| 2127 | if (otokenlen > 0) { | |
| 2128 | /* Set context token to gss output token */ | |
| 2129 | MALLOC(cp->gss_clnt_token, u_char *, otokenlen, M_TEMP, M_WAITOK); | |
| 2130 | if (cp->gss_clnt_token == NULL) { | |
| 2131 | printf("nfs_gss_clnt_gssd_upcall: could not allocate %d bytes\n", otokenlen); | |
| 2132 | vm_map_copy_discard((vm_map_copy_t) otoken); | |
| 0a7de745 | 2133 | return ENOMEM; |
| b0d623f7 A |
2134 | } |
| 2135 | error = nfs_gss_mach_vmcopyout((vm_map_copy_t) otoken, otokenlen, cp->gss_clnt_token); | |
| 2136 | if (error) { | |
| 39037602 | 2137 | printf("Could not copyout gss token\n"); |
| b0d623f7 A |
2138 | FREE(cp->gss_clnt_token, M_TEMP); |
| 2139 | cp->gss_clnt_token = NULL; | |
| 0a7de745 | 2140 | return NFSERR_EAUTH; |
| b0d623f7 A |
2141 | } |
| 2142 | cp->gss_clnt_tokenlen = otokenlen; | |
| 2d21ac55 A |
2143 | } |
| 2144 | ||
| 39037602 A |
2145 | if (selected != (uint32_t)-1) { |
| 2146 | nmp->nm_etype.selected = selected; | |
| 2147 | NFS_GSS_DBG("etype selected = %d\n", nmp->nm_etype.etypes[selected]); | |
| 2148 | } | |
| 2149 | NFS_GSS_DBG("Up call succeeded major = %d\n", cp->gss_clnt_major); | |
| 0a7de745 | 2150 | return 0; |
| b0d623f7 A |
2151 | |
| 2152 | out: | |
| 0a7de745 | 2153 | if (cp->gss_clnt_token) { |
| b0d623f7 | 2154 | FREE(cp->gss_clnt_token, M_TEMP); |
| 0a7de745 | 2155 | } |
| b0d623f7 A |
2156 | cp->gss_clnt_token = NULL; |
| 2157 | cp->gss_clnt_tokenlen = 0; | |
| 5ba3f43e A |
2158 | /* Server's handle isn't valid. Don't reuse */ |
| 2159 | cp->gss_clnt_handle_len = 0; | |
| 2160 | if (cp->gss_clnt_handle != NULL) { | |
| 2161 | FREE(cp->gss_clnt_handle, M_TEMP); | |
| 2162 | cp->gss_clnt_handle = NULL; | |
| 2163 | } | |
| 0a7de745 | 2164 | |
| 39037602 | 2165 | NFS_GSS_DBG("Up call returned NFSERR_EAUTH"); |
| 0a7de745 | 2166 | return NFSERR_EAUTH; |
| 2d21ac55 A |
2167 | } |
| 2168 | ||
| 2169 | /* | |
| 2170 | * Invoked at the completion of an RPC call that uses an RPCSEC_GSS | |
| 2171 | * credential. The sequence number window that the server returns | |
| 2172 | * at context setup indicates the maximum number of client calls that | |
| 2173 | * can be outstanding on a context. The client maintains a bitmap that | |
| 2174 | * represents the server's window. Each pending request has a bit set | |
| 2175 | * in the window bitmap. When a reply comes in or times out, we reset | |
| 2176 | * the bit in the bitmap and if there are any other threads waiting for | |
| 2177 | * a context slot we notify the waiting thread(s). | |
| 2178 | * | |
| 2179 | * Note that if a request is retransmitted, it will have a single XID | |
| 2180 | * but it may be associated with multiple sequence numbers. So we | |
| 2181 | * may have to reset multiple sequence number bits in the window bitmap. | |
| 2182 | */ | |
| 2183 | void | |
| 2184 | nfs_gss_clnt_rpcdone(struct nfsreq *req) | |
| 2185 | { | |
| 2186 | struct nfs_gss_clnt_ctx *cp = req->r_gss_ctx; | |
| 2187 | struct gss_seq *gsp, *ngsp; | |
| 2188 | int i = 0; | |
| 2189 | ||
| 0a7de745 A |
2190 | if (cp == NULL || !(cp->gss_clnt_flags & GSS_CTX_COMPLETE)) { |
| 2191 | return; // no context - don't bother | |
| 2192 | } | |
| 2d21ac55 A |
2193 | /* |
| 2194 | * Reset the bit for this request in the | |
| 2195 | * sequence number window to indicate it's done. | |
| 2196 | * We do this even if the request timed out. | |
| 2197 | */ | |
| 2198 | lck_mtx_lock(cp->gss_clnt_mtx); | |
| 2199 | gsp = SLIST_FIRST(&req->r_gss_seqlist); | |
| 0a7de745 | 2200 | if (gsp && gsp->gss_seqnum > (cp->gss_clnt_seqnum - cp->gss_clnt_seqwin)) { |
| 2d21ac55 | 2201 | win_resetbit(cp->gss_clnt_seqbits, |
| 0a7de745 A |
2202 | gsp->gss_seqnum % cp->gss_clnt_seqwin); |
| 2203 | } | |
| 2d21ac55 A |
2204 | |
| 2205 | /* | |
| 2206 | * Limit the seqnum list to GSS_CLNT_SEQLISTMAX entries | |
| 2207 | */ | |
| 2208 | SLIST_FOREACH_SAFE(gsp, &req->r_gss_seqlist, gss_seqnext, ngsp) { | |
| 2209 | if (++i > GSS_CLNT_SEQLISTMAX) { | |
| 2210 | SLIST_REMOVE(&req->r_gss_seqlist, gsp, gss_seq, gss_seqnext); | |
| 2211 | FREE(gsp, M_TEMP); | |
| 2212 | } | |
| 2213 | } | |
| 2214 | ||
| 2215 | /* | |
| 2216 | * If there's a thread waiting for | |
| 2217 | * the window to advance, wake it up. | |
| 2218 | */ | |
| 2219 | if (cp->gss_clnt_flags & GSS_NEEDSEQ) { | |
| 2220 | cp->gss_clnt_flags &= ~GSS_NEEDSEQ; | |
| 2221 | wakeup(cp); | |
| 2222 | } | |
| 2223 | lck_mtx_unlock(cp->gss_clnt_mtx); | |
| 2224 | } | |
| 2225 | ||
| 2226 | /* | |
| 2227 | * Create a reference to a context from a request | |
| 2228 | * and bump the reference count | |
| 2229 | */ | |
| 2230 | void | |
| 2231 | nfs_gss_clnt_ctx_ref(struct nfsreq *req, struct nfs_gss_clnt_ctx *cp) | |
| 2232 | { | |
| 2233 | req->r_gss_ctx = cp; | |
| 2234 | ||
| 2235 | lck_mtx_lock(cp->gss_clnt_mtx); | |
| 2236 | cp->gss_clnt_refcnt++; | |
| 2237 | lck_mtx_unlock(cp->gss_clnt_mtx); | |
| 2238 | } | |
| 2239 | ||
| 2240 | /* | |
| 2241 | * Remove a context reference from a request | |
| 2242 | * If the reference count drops to zero, and the | |
| 2243 | * context is invalid, destroy the context | |
| 2244 | */ | |
| 2245 | void | |
| 2246 | nfs_gss_clnt_ctx_unref(struct nfsreq *req) | |
| 2247 | { | |
| 2248 | struct nfsmount *nmp = req->r_nmp; | |
| 2249 | struct nfs_gss_clnt_ctx *cp = req->r_gss_ctx; | |
| fe8ab488 | 2250 | int on_neg_cache = 0; |
| 3e170ce0 | 2251 | int neg_cache = 0; |
| fe8ab488 | 2252 | int destroy = 0; |
| 3e170ce0 A |
2253 | struct timeval now; |
| 2254 | char CTXBUF[NFS_CTXBUFSZ]; | |
| 2d21ac55 | 2255 | |
| 0a7de745 | 2256 | if (cp == NULL) { |
| 2d21ac55 | 2257 | return; |
| 0a7de745 | 2258 | } |
| 2d21ac55 A |
2259 | |
| 2260 | req->r_gss_ctx = NULL; | |
| 2261 | ||
| 2262 | lck_mtx_lock(cp->gss_clnt_mtx); | |
| 0a7de745 | 2263 | if (--cp->gss_clnt_refcnt < 0) { |
| fe8ab488 | 2264 | panic("Over release of gss context!\n"); |
| 0a7de745 | 2265 | } |
| fe8ab488 | 2266 | |
| 3e170ce0 A |
2267 | if (cp->gss_clnt_refcnt == 0) { |
| 2268 | if ((cp->gss_clnt_flags & GSS_CTX_INVAL) && | |
| 39037602 A |
2269 | cp->gss_clnt_ctx_id) { |
| 2270 | gss_krb5_destroy_context(cp->gss_clnt_ctx_id); | |
| 2271 | cp->gss_clnt_ctx_id = NULL; | |
| 3e170ce0 A |
2272 | } |
| 2273 | if (cp->gss_clnt_flags & GSS_CTX_DESTROY) { | |
| 2274 | destroy = 1; | |
| 0a7de745 | 2275 | if (cp->gss_clnt_flags & GSS_CTX_STICKY) { |
| 3e170ce0 | 2276 | nfs_gss_clnt_mnt_rele(nmp); |
| 0a7de745 A |
2277 | } |
| 2278 | if (cp->gss_clnt_nctime) { | |
| 3e170ce0 | 2279 | on_neg_cache = 1; |
| 0a7de745 | 2280 | } |
| 3e170ce0 A |
2281 | } |
| 2282 | } | |
| 2283 | if (!destroy && cp->gss_clnt_nctime == 0 && | |
| 2284 | (cp->gss_clnt_flags & GSS_CTX_INVAL)) { | |
| 2285 | microuptime(&now); | |
| 2286 | cp->gss_clnt_nctime = now.tv_sec; | |
| fe8ab488 A |
2287 | neg_cache = 1; |
| 2288 | } | |
| 2289 | lck_mtx_unlock(cp->gss_clnt_mtx); | |
| 2290 | if (destroy) { | |
| 3e170ce0 | 2291 | NFS_GSS_DBG("Destroying context %s\n", NFS_GSS_CTX(req, cp)); |
| fe8ab488 | 2292 | if (nmp) { |
| 2d21ac55 | 2293 | lck_mtx_lock(&nmp->nm_lock); |
| fe8ab488 | 2294 | if (cp->gss_clnt_entries.tqe_next != NFSNOLIST) { |
| 3e170ce0 A |
2295 | TAILQ_REMOVE(&nmp->nm_gsscl, cp, gss_clnt_entries); |
| 2296 | } | |
| 2297 | if (on_neg_cache) { | |
| 2298 | nmp->nm_ncentries--; | |
| fe8ab488 | 2299 | } |
| 2d21ac55 | 2300 | lck_mtx_unlock(&nmp->nm_lock); |
| fe8ab488 A |
2301 | } |
| 2302 | nfs_gss_clnt_ctx_destroy(cp); | |
| 3e170ce0 A |
2303 | } else if (neg_cache) { |
| 2304 | NFS_GSS_DBG("Entering context %s into negative cache\n", NFS_GSS_CTX(req, cp)); | |
| 2305 | if (nmp) { | |
| 2306 | lck_mtx_lock(&nmp->nm_lock); | |
| 2307 | nmp->nm_ncentries++; | |
| 2308 | nfs_gss_clnt_ctx_neg_cache_reap(nmp); | |
| 2309 | lck_mtx_unlock(&nmp->nm_lock); | |
| 2310 | } | |
| 2311 | } | |
| fe8ab488 A |
2312 | NFS_GSS_CLNT_CTX_DUMP(nmp); |
| 2313 | } | |
| 2314 | ||
| 2315 | /* | |
| 3e170ce0 | 2316 | * Try and reap any old negative cache entries. |
| fe8ab488 A |
2317 | * cache queue. |
| 2318 | */ | |
| 2319 | void | |
| 3e170ce0 | 2320 | nfs_gss_clnt_ctx_neg_cache_reap(struct nfsmount *nmp) |
| fe8ab488 | 2321 | { |
| 3e170ce0 | 2322 | struct nfs_gss_clnt_ctx *cp, *tcp; |
| fe8ab488 A |
2323 | struct timeval now; |
| 2324 | int reaped = 0; | |
| 2d21ac55 | 2325 | |
| fe8ab488 | 2326 | /* Try and reap old, unreferenced, expired contexts */ |
| 39037602 A |
2327 | microuptime(&now); |
| 2328 | ||
| 2329 | NFS_GSS_DBG("Reaping contexts ncentries = %d\n", nmp->nm_ncentries); | |
| 3e170ce0 A |
2330 | |
| 2331 | TAILQ_FOREACH_SAFE(cp, &nmp->nm_gsscl, gss_clnt_entries, tcp) { | |
| fe8ab488 A |
2332 | int destroy = 0; |
| 2333 | ||
| 3e170ce0 A |
2334 | /* Don't reap STICKY contexts */ |
| 2335 | if ((cp->gss_clnt_flags & GSS_CTX_STICKY) || | |
| 0a7de745 | 2336 | !(cp->gss_clnt_flags & GSS_CTX_INVAL)) { |
| 3e170ce0 | 2337 | continue; |
| 0a7de745 | 2338 | } |
| fe8ab488 | 2339 | /* Keep up to GSS_MAX_NEG_CACHE_ENTRIES */ |
| 0a7de745 | 2340 | if (nmp->nm_ncentries <= GSS_MAX_NEG_CACHE_ENTRIES) { |
| fe8ab488 | 2341 | break; |
| 0a7de745 | 2342 | } |
| 3e170ce0 | 2343 | /* Contexts too young */ |
| 0a7de745 | 2344 | if (cp->gss_clnt_nctime + GSS_NEG_CACHE_TO >= now.tv_sec) { |
| 3e170ce0 | 2345 | continue; |
| 0a7de745 | 2346 | } |
| fe8ab488 | 2347 | /* Not referenced, remove it. */ |
| 3e170ce0 A |
2348 | lck_mtx_lock(cp->gss_clnt_mtx); |
| 2349 | if (cp->gss_clnt_refcnt == 0) { | |
| 2350 | cp->gss_clnt_flags |= GSS_CTX_DESTROY; | |
| fe8ab488 A |
2351 | destroy = 1; |
| 2352 | } | |
| 3e170ce0 A |
2353 | lck_mtx_unlock(cp->gss_clnt_mtx); |
| 2354 | if (destroy) { | |
| 2355 | TAILQ_REMOVE(&nmp->nm_gsscl, cp, gss_clnt_entries); | |
| 2356 | nmp->nm_ncentries++; | |
| 2357 | reaped++; | |
| 2358 | nfs_gss_clnt_ctx_destroy(cp); | |
| 2359 | } | |
| fe8ab488 A |
2360 | } |
| 2361 | NFS_GSS_DBG("Reaped %d contexts ncentries = %d\n", reaped, nmp->nm_ncentries); | |
| fe8ab488 A |
2362 | } |
| 2363 | ||
| 2364 | /* | |
| 2365 | * Clean a context to be cached | |
| 2366 | */ | |
| 2367 | static void | |
| 2368 | nfs_gss_clnt_ctx_clean(struct nfs_gss_clnt_ctx *cp) | |
| 2369 | { | |
| 3e170ce0 A |
2370 | /* Preserve gss_clnt_mtx */ |
| 2371 | assert(cp->gss_clnt_thread == NULL); /* Will be set to this thread */ | |
| 2372 | /* gss_clnt_entries we should not be on any list at this point */ | |
| fe8ab488 | 2373 | cp->gss_clnt_flags = 0; |
| 3e170ce0 A |
2374 | /* gss_clnt_refcnt should be zero */ |
| 2375 | assert(cp->gss_clnt_refcnt == 0); | |
| 2376 | /* | |
| 2377 | * We are who we are preserve: | |
| 2378 | * gss_clnt_cred | |
| 2379 | * gss_clnt_principal | |
| 2380 | * gss_clnt_prinlen | |
| 2381 | * gss_clnt_prinnt | |
| 2382 | * gss_clnt_desplay | |
| 2383 | */ | |
| 2384 | /* gss_clnt_proc will be set in nfs_gss_clnt_ctx_init */ | |
| 2385 | cp->gss_clnt_seqnum = 0; | |
| 2386 | /* Preserve gss_clnt_service, we're not changing flavors */ | |
| fe8ab488 A |
2387 | if (cp->gss_clnt_handle) { |
| 2388 | FREE(cp->gss_clnt_handle, M_TEMP); | |
| 2389 | cp->gss_clnt_handle = NULL; | |
| 2390 | } | |
| 3e170ce0 A |
2391 | cp->gss_clnt_handle_len = 0; |
| 2392 | cp->gss_clnt_nctime = 0; | |
| 2393 | cp->gss_clnt_seqwin = 0; | |
| fe8ab488 A |
2394 | if (cp->gss_clnt_seqbits) { |
| 2395 | FREE(cp->gss_clnt_seqbits, M_TEMP); | |
| 2396 | cp->gss_clnt_seqbits = NULL; | |
| 2397 | } | |
| 3e170ce0 A |
2398 | /* Preserve gss_clnt_mport. Still talking to the same gssd */ |
| 2399 | if (cp->gss_clnt_verf) { | |
| 2400 | FREE(cp->gss_clnt_verf, M_TEMP); | |
| 2401 | cp->gss_clnt_verf = NULL; | |
| fe8ab488 | 2402 | } |
| 3e170ce0 | 2403 | /* Service name might change on failover, so reset it */ |
| fe8ab488 A |
2404 | if (cp->gss_clnt_svcname) { |
| 2405 | FREE(cp->gss_clnt_svcname, M_TEMP); | |
| 2406 | cp->gss_clnt_svcname = NULL; | |
| 3e170ce0 | 2407 | cp->gss_clnt_svcnt = 0; |
| fe8ab488 | 2408 | } |
| 3e170ce0 A |
2409 | cp->gss_clnt_svcnamlen = 0; |
| 2410 | cp->gss_clnt_cred_handle = 0; | |
| 2411 | cp->gss_clnt_context = 0; | |
| 2412 | if (cp->gss_clnt_token) { | |
| 2413 | FREE(cp->gss_clnt_token, M_TEMP); | |
| 2414 | cp->gss_clnt_token = NULL; | |
| 2415 | } | |
| 2416 | cp->gss_clnt_tokenlen = 0; | |
| 39037602 | 2417 | /* XXX gss_clnt_ctx_id ??? */ |
| 3e170ce0 A |
2418 | /* |
| 2419 | * Preserve: | |
| 2420 | * gss_clnt_gssd_flags | |
| 2421 | * gss_clnt_major | |
| 2422 | * gss_clnt_minor | |
| 2423 | * gss_clnt_ptime | |
| 2424 | */ | |
| 2425 | } | |
| 2426 | ||
| 2427 | /* | |
| 2428 | * Copy a source context to a new context. This is used to create a new context | |
| 2429 | * with the identity of the old context for renewal. The old context is invalid | |
| 2430 | * at this point but may have reference still to it, so it is not safe to use that | |
| 2431 | * context. | |
| 2432 | */ | |
| 2433 | static int | |
| 39037602 | 2434 | nfs_gss_clnt_ctx_copy(struct nfs_gss_clnt_ctx *scp, struct nfs_gss_clnt_ctx **dcpp) |
| 3e170ce0 A |
2435 | { |
| 2436 | struct nfs_gss_clnt_ctx *dcp; | |
| 2437 | ||
| 2438 | *dcpp = (struct nfs_gss_clnt_ctx *)NULL; | |
| 0a7de745 A |
2439 | MALLOC(dcp, struct nfs_gss_clnt_ctx *, sizeof(struct nfs_gss_clnt_ctx), M_TEMP, M_WAITOK); |
| 2440 | if (dcp == NULL) { | |
| 2441 | return ENOMEM; | |
| 2442 | } | |
| 2443 | bzero(dcp, sizeof(struct nfs_gss_clnt_ctx)); | |
| 3e170ce0 A |
2444 | dcp->gss_clnt_mtx = lck_mtx_alloc_init(nfs_gss_clnt_grp, LCK_ATTR_NULL); |
| 2445 | dcp->gss_clnt_cred = scp->gss_clnt_cred; | |
| 2446 | kauth_cred_ref(dcp->gss_clnt_cred); | |
| 2447 | dcp->gss_clnt_prinlen = scp->gss_clnt_prinlen; | |
| 2448 | dcp->gss_clnt_prinnt = scp->gss_clnt_prinnt; | |
| 2449 | if (scp->gss_clnt_principal) { | |
| 2450 | MALLOC(dcp->gss_clnt_principal, uint8_t *, dcp->gss_clnt_prinlen, M_TEMP, M_WAITOK | M_ZERO); | |
| 2451 | if (dcp->gss_clnt_principal == NULL) { | |
| 3e170ce0 | 2452 | FREE(dcp, M_TEMP); |
| 0a7de745 | 2453 | return ENOMEM; |
| 3e170ce0 A |
2454 | } |
| 2455 | bcopy(scp->gss_clnt_principal, dcp->gss_clnt_principal, dcp->gss_clnt_prinlen); | |
| 2456 | } | |
| 2457 | /* Note we don't preserve the display name, that will be set by a successful up call */ | |
| 2458 | dcp->gss_clnt_service = scp->gss_clnt_service; | |
| 2459 | dcp->gss_clnt_mport = host_copy_special_port(scp->gss_clnt_mport); | |
| 39037602 | 2460 | dcp->gss_clnt_ctx_id = NULL; /* Will be set from successful upcall */ |
| 3e170ce0 A |
2461 | dcp->gss_clnt_gssd_flags = scp->gss_clnt_gssd_flags; |
| 2462 | dcp->gss_clnt_major = scp->gss_clnt_major; | |
| 2463 | dcp->gss_clnt_minor = scp->gss_clnt_minor; | |
| 2464 | dcp->gss_clnt_ptime = scp->gss_clnt_ptime; | |
| 2465 | ||
| 2466 | *dcpp = dcp; | |
| 2467 | ||
| 0a7de745 | 2468 | return 0; |
| 2d21ac55 A |
2469 | } |
| 2470 | ||
| 2471 | /* | |
| 2472 | * Remove a context | |
| 2473 | */ | |
| 2474 | static void | |
| fe8ab488 | 2475 | nfs_gss_clnt_ctx_destroy(struct nfs_gss_clnt_ctx *cp) |
| 2d21ac55 | 2476 | { |
| fe8ab488 | 2477 | NFS_GSS_DBG("Destroying context %d/%d\n", |
| 0a7de745 A |
2478 | kauth_cred_getasid(cp->gss_clnt_cred), |
| 2479 | kauth_cred_getauid(cp->gss_clnt_cred)); | |
| 2d21ac55 | 2480 | |
| 316670eb | 2481 | host_release_special_port(cp->gss_clnt_mport); |
| fe8ab488 | 2482 | cp->gss_clnt_mport = IPC_PORT_NULL; |
| 3e170ce0 | 2483 | |
| fe8ab488 | 2484 | if (cp->gss_clnt_mtx) { |
| 2d21ac55 | 2485 | lck_mtx_destroy(cp->gss_clnt_mtx, nfs_gss_clnt_grp); |
| fe8ab488 A |
2486 | cp->gss_clnt_mtx = (lck_mtx_t *)NULL; |
| 2487 | } | |
| 0a7de745 | 2488 | if (IS_VALID_CRED(cp->gss_clnt_cred)) { |
| 39236c6e | 2489 | kauth_cred_unref(&cp->gss_clnt_cred); |
| 0a7de745 | 2490 | } |
| fe8ab488 A |
2491 | cp->gss_clnt_entries.tqe_next = NFSNOLIST; |
| 2492 | cp->gss_clnt_entries.tqe_prev = NFSNOLIST; | |
| 2493 | if (cp->gss_clnt_principal) { | |
| 39236c6e | 2494 | FREE(cp->gss_clnt_principal, M_TEMP); |
| fe8ab488 A |
2495 | cp->gss_clnt_principal = NULL; |
| 2496 | } | |
| 2497 | if (cp->gss_clnt_display) { | |
| 39236c6e | 2498 | FREE(cp->gss_clnt_display, M_TEMP); |
| fe8ab488 A |
2499 | cp->gss_clnt_display = NULL; |
| 2500 | } | |
| 39037602 A |
2501 | if (cp->gss_clnt_ctx_id) { |
| 2502 | gss_krb5_destroy_context(cp->gss_clnt_ctx_id); | |
| 2503 | cp->gss_clnt_ctx_id = NULL; | |
| 3e170ce0 A |
2504 | } |
| 2505 | ||
| fe8ab488 | 2506 | nfs_gss_clnt_ctx_clean(cp); |
| 3e170ce0 | 2507 | |
| 2d21ac55 A |
2508 | FREE(cp, M_TEMP); |
| 2509 | } | |
| 2510 | ||
| 2511 | /* | |
| 2512 | * The context for a user is invalid. | |
| 2513 | * Mark the context as invalid, then | |
| 2514 | * create a new context. | |
| 2515 | */ | |
| 2516 | int | |
| 2517 | nfs_gss_clnt_ctx_renew(struct nfsreq *req) | |
| 2518 | { | |
| 2519 | struct nfs_gss_clnt_ctx *cp = req->r_gss_ctx; | |
| 2d21ac55 | 2520 | struct nfs_gss_clnt_ctx *ncp; |
| 3e170ce0 | 2521 | struct nfsmount *nmp; |
| 2d21ac55 | 2522 | int error = 0; |
| 3e170ce0 | 2523 | char CTXBUF[NFS_CTXBUFSZ]; |
| 2d21ac55 | 2524 | |
| 0a7de745 A |
2525 | if (cp == NULL) { |
| 2526 | return 0; | |
| 2527 | } | |
| 2d21ac55 | 2528 | |
| 0a7de745 A |
2529 | if (req->r_nmp == NULL) { |
| 2530 | return ENXIO; | |
| 2531 | } | |
| 3e170ce0 A |
2532 | nmp = req->r_nmp; |
| 2533 | ||
| 2d21ac55 A |
2534 | lck_mtx_lock(cp->gss_clnt_mtx); |
| 2535 | if (cp->gss_clnt_flags & GSS_CTX_INVAL) { | |
| 2536 | lck_mtx_unlock(cp->gss_clnt_mtx); | |
| 2537 | nfs_gss_clnt_ctx_unref(req); | |
| 0a7de745 | 2538 | return 0; // already being renewed |
| 2d21ac55 | 2539 | } |
| 2d21ac55 | 2540 | |
| fe8ab488 | 2541 | cp->gss_clnt_flags |= (GSS_CTX_INVAL | GSS_CTX_DESTROY); |
| 2d21ac55 | 2542 | |
| 2d21ac55 A |
2543 | if (cp->gss_clnt_flags & (GSS_NEEDCTX | GSS_NEEDSEQ)) { |
| 2544 | cp->gss_clnt_flags &= ~GSS_NEEDSEQ; | |
| 2545 | wakeup(cp); | |
| 2546 | } | |
| 2547 | lck_mtx_unlock(cp->gss_clnt_mtx); | |
| 2548 | ||
| 0a7de745 A |
2549 | if (cp->gss_clnt_proc == RPCSEC_GSS_DESTROY) { |
| 2550 | return EACCES; /* Destroying a context is best effort. Don't renew. */ | |
| 2551 | } | |
| 39037602 A |
2552 | /* |
| 2553 | * If we're setting up a context let nfs_gss_clnt_ctx_init know this is not working | |
| 2554 | * and to try some other etype. | |
| 2555 | */ | |
| 0a7de745 A |
2556 | if (cp->gss_clnt_proc != RPCSEC_GSS_DATA) { |
| 2557 | return ENEEDAUTH; | |
| 2558 | } | |
| 39037602 | 2559 | error = nfs_gss_clnt_ctx_copy(cp, &ncp); |
| 3e170ce0 A |
2560 | NFS_GSS_DBG("Renewing context %s\n", NFS_GSS_CTX(req, ncp)); |
| 2561 | nfs_gss_clnt_ctx_unref(req); | |
| 0a7de745 A |
2562 | if (error) { |
| 2563 | return error; | |
| 2564 | } | |
| 3e170ce0 A |
2565 | |
| 2566 | lck_mtx_lock(&nmp->nm_lock); | |
| 2d21ac55 | 2567 | /* |
| 3e170ce0 A |
2568 | * Note we don't bother taking the new context mutex as we're |
| 2569 | * not findable at the moment. | |
| 2d21ac55 | 2570 | */ |
| 2d21ac55 | 2571 | ncp->gss_clnt_thread = current_thread(); |
| 2d21ac55 | 2572 | nfs_gss_clnt_ctx_ref(req, ncp); |
| 3e170ce0 A |
2573 | TAILQ_INSERT_HEAD(&nmp->nm_gsscl, ncp, gss_clnt_entries); |
| 2574 | lck_mtx_unlock(&nmp->nm_lock); | |
| 2d21ac55 | 2575 | |
| 3e170ce0 | 2576 | error = nfs_gss_clnt_ctx_init_retry(req, ncp); // Initialize new context |
| 0a7de745 | 2577 | if (error) { |
| 2d21ac55 | 2578 | nfs_gss_clnt_ctx_unref(req); |
| 0a7de745 | 2579 | } |
| 3e170ce0 | 2580 | |
| 0a7de745 | 2581 | return error; |
| 2d21ac55 A |
2582 | } |
| 2583 | ||
| fe8ab488 | 2584 | |
| 2d21ac55 A |
2585 | /* |
| 2586 | * Destroy all the contexts associated with a mount. | |
| 2587 | * The contexts are also destroyed by the server. | |
| 2588 | */ | |
| 2589 | void | |
| 6d2010ae | 2590 | nfs_gss_clnt_ctx_unmount(struct nfsmount *nmp) |
| 2d21ac55 A |
2591 | { |
| 2592 | struct nfs_gss_clnt_ctx *cp; | |
| 2d21ac55 | 2593 | struct nfsm_chain nmreq, nmrep; |
| 2d21ac55 A |
2594 | int error, status; |
| 2595 | struct nfsreq req; | |
| 2d21ac55 A |
2596 | req.r_nmp = nmp; |
| 2597 | ||
| 0a7de745 | 2598 | if (!nmp) { |
| fe8ab488 | 2599 | return; |
| 0a7de745 | 2600 | } |
| fe8ab488 | 2601 | |
| 3e170ce0 A |
2602 | |
| 2603 | lck_mtx_lock(&nmp->nm_lock); | |
| 0a7de745 | 2604 | while ((cp = TAILQ_FIRST(&nmp->nm_gsscl))) { |
| 3e170ce0 A |
2605 | TAILQ_REMOVE(&nmp->nm_gsscl, cp, gss_clnt_entries); |
| 2606 | cp->gss_clnt_entries.tqe_next = NFSNOLIST; | |
| fe8ab488 | 2607 | lck_mtx_lock(cp->gss_clnt_mtx); |
| 3e170ce0 A |
2608 | if (cp->gss_clnt_flags & GSS_CTX_DESTROY) { |
| 2609 | lck_mtx_unlock(cp->gss_clnt_mtx); | |
| 2610 | continue; | |
| 2611 | } | |
| fe8ab488 A |
2612 | cp->gss_clnt_refcnt++; |
| 2613 | lck_mtx_unlock(cp->gss_clnt_mtx); | |
| 2614 | req.r_gss_ctx = cp; | |
| 2615 | ||
| 2d21ac55 | 2616 | lck_mtx_unlock(&nmp->nm_lock); |
| 2d21ac55 A |
2617 | /* |
| 2618 | * Tell the server to destroy its context. | |
| fe8ab488 | 2619 | * But don't bother if it's a forced unmount. |
| 2d21ac55 | 2620 | */ |
| 3e170ce0 A |
2621 | if (!nfs_mount_gone(nmp) && |
| 2622 | (cp->gss_clnt_flags & (GSS_CTX_INVAL | GSS_CTX_DESTROY | GSS_CTX_COMPLETE)) == GSS_CTX_COMPLETE) { | |
| 2d21ac55 A |
2623 | cp->gss_clnt_proc = RPCSEC_GSS_DESTROY; |
| 2624 | ||
| 2625 | error = 0; | |
| 2626 | nfsm_chain_null(&nmreq); | |
| 2627 | nfsm_chain_null(&nmrep); | |
| 2628 | nfsm_chain_build_alloc_init(error, &nmreq, 0); | |
| 2629 | nfsm_chain_build_done(error, &nmreq); | |
| 0a7de745 | 2630 | if (!error) { |
| b0d623f7 | 2631 | nfs_request_gss(nmp->nm_mountp, &nmreq, |
| 0a7de745 A |
2632 | current_thread(), cp->gss_clnt_cred, 0, cp, &nmrep, &status); |
| 2633 | } | |
| 2d21ac55 A |
2634 | nfsm_chain_cleanup(&nmreq); |
| 2635 | nfsm_chain_cleanup(&nmrep); | |
| 2d21ac55 A |
2636 | } |
| 2637 | ||
| 2638 | /* | |
| 2639 | * Mark the context invalid then drop | |
| 2640 | * the reference to remove it if its | |
| 2641 | * refcount is zero. | |
| 2642 | */ | |
| 6d2010ae | 2643 | lck_mtx_lock(cp->gss_clnt_mtx); |
| fe8ab488 | 2644 | cp->gss_clnt_flags |= (GSS_CTX_INVAL | GSS_CTX_DESTROY); |
| 6d2010ae | 2645 | lck_mtx_unlock(cp->gss_clnt_mtx); |
| 2d21ac55 | 2646 | nfs_gss_clnt_ctx_unref(&req); |
| fe8ab488 | 2647 | lck_mtx_lock(&nmp->nm_lock); |
| fe8ab488 | 2648 | } |
| 3e170ce0 A |
2649 | lck_mtx_unlock(&nmp->nm_lock); |
| 2650 | assert(TAILQ_EMPTY(&nmp->nm_gsscl)); | |
| 2d21ac55 A |
2651 | } |
| 2652 | ||
| 3e170ce0 | 2653 | |
| 39236c6e | 2654 | /* |
| fe8ab488 | 2655 | * Removes a mounts context for a credential |
| 39236c6e A |
2656 | */ |
| 2657 | int | |
| fe8ab488 | 2658 | nfs_gss_clnt_ctx_remove(struct nfsmount *nmp, kauth_cred_t cred) |
| 39236c6e A |
2659 | { |
| 2660 | struct nfs_gss_clnt_ctx *cp; | |
| 2661 | struct nfsreq req; | |
| 2662 | ||
| 2663 | req.r_nmp = nmp; | |
| 2664 | ||
| fe8ab488 A |
2665 | NFS_GSS_DBG("Enter\n"); |
| 2666 | NFS_GSS_CLNT_CTX_DUMP(nmp); | |
| 39236c6e A |
2667 | lck_mtx_lock(&nmp->nm_lock); |
| 2668 | TAILQ_FOREACH(cp, &nmp->nm_gsscl, gss_clnt_entries) { | |
| fe8ab488 | 2669 | lck_mtx_lock(cp->gss_clnt_mtx); |
| 39236c6e | 2670 | if (nfs_gss_clnt_ctx_cred_match(cp->gss_clnt_cred, cred)) { |
| fe8ab488 A |
2671 | if (cp->gss_clnt_flags & GSS_CTX_DESTROY) { |
| 2672 | NFS_GSS_DBG("Found destroyed context %d/%d. refcnt = %d continuing\n", | |
| 0a7de745 A |
2673 | kauth_cred_getasid(cp->gss_clnt_cred), |
| 2674 | kauth_cred_getauid(cp->gss_clnt_cred), | |
| 2675 | cp->gss_clnt_refcnt); | |
| fe8ab488 | 2676 | lck_mtx_unlock(cp->gss_clnt_mtx); |
| 39236c6e | 2677 | continue; |
| fe8ab488 | 2678 | } |
| 39236c6e | 2679 | cp->gss_clnt_refcnt++; |
| fe8ab488 | 2680 | cp->gss_clnt_flags |= (GSS_CTX_INVAL | GSS_CTX_DESTROY); |
| 39236c6e A |
2681 | lck_mtx_unlock(cp->gss_clnt_mtx); |
| 2682 | req.r_gss_ctx = cp; | |
| fe8ab488 A |
2683 | lck_mtx_unlock(&nmp->nm_lock); |
| 2684 | /* | |
| 2685 | * Drop the reference to remove it if its | |
| 2686 | * refcount is zero. | |
| 2687 | */ | |
| 2688 | NFS_GSS_DBG("Removed context %d/%d refcnt = %d\n", | |
| 0a7de745 A |
2689 | kauth_cred_getasid(cp->gss_clnt_cred), |
| 2690 | kauth_cred_getuid(cp->gss_clnt_cred), | |
| 2691 | cp->gss_clnt_refcnt); | |
| fe8ab488 | 2692 | nfs_gss_clnt_ctx_unref(&req); |
| 0a7de745 | 2693 | return 0; |
| 39236c6e | 2694 | } |
| fe8ab488 | 2695 | lck_mtx_unlock(cp->gss_clnt_mtx); |
| 39236c6e | 2696 | } |
| 39236c6e | 2697 | |
| 3e170ce0 | 2698 | lck_mtx_unlock(&nmp->nm_lock); |
| 0a7de745 | 2699 | |
| 3e170ce0 | 2700 | NFS_GSS_DBG("Returning ENOENT\n"); |
| 0a7de745 | 2701 | return ENOENT; |
| 3e170ce0 A |
2702 | } |
| 2703 | ||
| 2704 | /* | |
| 2705 | * Sets a mounts principal for a session associated with cred. | |
| 2706 | */ | |
| 2707 | int | |
| 2708 | nfs_gss_clnt_ctx_set_principal(struct nfsmount *nmp, vfs_context_t ctx, | |
| 0a7de745 | 2709 | uint8_t *principal, uint32_t princlen, uint32_t nametype) |
| 3e170ce0 A |
2710 | { |
| 2711 | struct nfsreq req; | |
| 2712 | int error; | |
| 2713 | ||
| 2714 | NFS_GSS_DBG("Enter:\n"); | |
| 2715 | ||
| 2716 | bzero(&req, sizeof(struct nfsreq)); | |
| 2717 | req.r_nmp = nmp; | |
| 2718 | req.r_gss_ctx = NULL; | |
| 2719 | req.r_auth = nmp->nm_auth; | |
| 2720 | req.r_thread = vfs_context_thread(ctx); | |
| 2721 | req.r_cred = vfs_context_ucred(ctx); | |
| 2722 | ||
| 2723 | error = nfs_gss_clnt_ctx_find_principal(&req, principal, princlen, nametype); | |
| 2724 | NFS_GSS_DBG("nfs_gss_clnt_ctx_find_principal returned %d\n", error); | |
| 2725 | /* | |
| 2726 | * We don't care about auth errors. Those would indicate that the context is in the | |
| 2727 | * neagative cache and if and when the user has credentials for the principal | |
| 2728 | * we should be good to go in that we will select those credentials for this principal. | |
| 2729 | */ | |
| 0a7de745 | 2730 | if (error == EACCES || error == EAUTH || error == ENEEDAUTH) { |
| 3e170ce0 | 2731 | error = 0; |
| 0a7de745 | 2732 | } |
| 3e170ce0 A |
2733 | |
| 2734 | /* We're done with this request */ | |
| 2735 | nfs_gss_clnt_ctx_unref(&req); | |
| 2736 | ||
| 0a7de745 | 2737 | return error; |
| 3e170ce0 A |
2738 | } |
| 2739 | ||
| 2740 | /* | |
| 2741 | * Gets a mounts principal from a session associated with cred | |
| 2742 | */ | |
| 2743 | int | |
| 2744 | nfs_gss_clnt_ctx_get_principal(struct nfsmount *nmp, vfs_context_t ctx, | |
| 0a7de745 | 2745 | struct user_nfs_gss_principal *p) |
| 3e170ce0 A |
2746 | { |
| 2747 | struct nfsreq req; | |
| 2748 | int error = 0; | |
| 2749 | struct nfs_gss_clnt_ctx *cp; | |
| 2750 | kauth_cred_t cred = vfs_context_ucred(ctx); | |
| 39037602 | 2751 | const char *princ = NULL; |
| 3e170ce0 A |
2752 | char CTXBUF[NFS_CTXBUFSZ]; |
| 2753 | ||
| 39037602 A |
2754 | /* Make sure the the members of the struct user_nfs_gss_principal are initialized */ |
| 2755 | p->nametype = GSSD_STRING_NAME; | |
| 2756 | p->principal = USER_ADDR_NULL; | |
| 2757 | p->princlen = 0; | |
| 2758 | p->flags = 0; | |
| 2759 | ||
| 3e170ce0 A |
2760 | req.r_nmp = nmp; |
| 2761 | lck_mtx_lock(&nmp->nm_lock); | |
| 2762 | TAILQ_FOREACH(cp, &nmp->nm_gsscl, gss_clnt_entries) { | |
| fe8ab488 | 2763 | lck_mtx_lock(cp->gss_clnt_mtx); |
| 3e170ce0 A |
2764 | if (cp->gss_clnt_flags & GSS_CTX_DESTROY) { |
| 2765 | NFS_GSS_DBG("Found destroyed context %s refcnt = %d continuing\n", | |
| 0a7de745 A |
2766 | NFS_GSS_CTX(&req, cp), |
| 2767 | cp->gss_clnt_refcnt); | |
| 3e170ce0 A |
2768 | lck_mtx_unlock(cp->gss_clnt_mtx); |
| 2769 | continue; | |
| 2770 | } | |
| fe8ab488 | 2771 | if (nfs_gss_clnt_ctx_cred_match(cp->gss_clnt_cred, cred)) { |
| fe8ab488 | 2772 | cp->gss_clnt_refcnt++; |
| fe8ab488 | 2773 | lck_mtx_unlock(cp->gss_clnt_mtx); |
| 3e170ce0 | 2774 | goto out; |
| fe8ab488 A |
2775 | } |
| 2776 | lck_mtx_unlock(cp->gss_clnt_mtx); | |
| 2777 | } | |
| 39236c6e | 2778 | |
| 3e170ce0 A |
2779 | out: |
| 2780 | if (cp == NULL) { | |
| 2781 | lck_mtx_unlock(&nmp->nm_lock); | |
| 39037602 | 2782 | p->flags |= NFS_IOC_NO_CRED_FLAG; /* No credentials, valid or invalid on this mount */ |
| 3e170ce0 | 2783 | NFS_GSS_DBG("No context found for session %d by uid %d\n", |
| 0a7de745 A |
2784 | kauth_cred_getasid(cred), kauth_cred_getuid(cred)); |
| 2785 | return 0; | |
| 3e170ce0 A |
2786 | } |
| 2787 | ||
| 39037602 | 2788 | /* Indicate if the cred is INVALID */ |
| 0a7de745 | 2789 | if (cp->gss_clnt_flags & GSS_CTX_INVAL) { |
| 39037602 | 2790 | p->flags |= NFS_IOC_INVALID_CRED_FLAG; |
| 0a7de745 | 2791 | } |
| 39037602 A |
2792 | |
| 2793 | /* We have set a principal on the mount */ | |
| 2794 | if (cp->gss_clnt_principal) { | |
| 2795 | princ = (char *)cp->gss_clnt_principal; | |
| 2796 | p->princlen = cp->gss_clnt_prinlen; | |
| 2797 | p->nametype = cp->gss_clnt_prinnt; | |
| 2798 | } else if (cp->gss_clnt_display) { | |
| 2799 | /* We have a successful use the the default credential */ | |
| 2800 | princ = cp->gss_clnt_display; | |
| 2801 | p->princlen = strlen(cp->gss_clnt_display); | |
| 2802 | } | |
| 2803 | ||
| 2804 | /* | |
| 2805 | * If neither of the above is true we have an invalid default credential | |
| 2806 | * So from above p->principal is USER_ADDR_NULL and princ is NULL | |
| 2807 | */ | |
| 2808 | ||
| 3e170ce0 A |
2809 | if (princ) { |
| 2810 | char *pp; | |
| 39236c6e | 2811 | |
| 3e170ce0 | 2812 | MALLOC(pp, char *, p->princlen, M_TEMP, M_WAITOK); |
| 39037602 A |
2813 | bcopy(princ, pp, p->princlen); |
| 2814 | p->principal = CAST_USER_ADDR_T(pp); | |
| 3e170ce0 | 2815 | } |
| 39037602 | 2816 | |
| 3e170ce0 | 2817 | lck_mtx_unlock(&nmp->nm_lock); |
| 39236c6e | 2818 | |
| 3e170ce0 A |
2819 | req.r_gss_ctx = cp; |
| 2820 | NFS_GSS_DBG("Found context %s\n", NFS_GSS_CTX(&req, NULL)); | |
| 2821 | nfs_gss_clnt_ctx_unref(&req); | |
| 0a7de745 | 2822 | return error; |
| 3e170ce0 | 2823 | } |
| ea3f0419 | 2824 | #endif /* CONFIG_NFS_CLIENT */ |
| 2d21ac55 A |
2825 | |
| 2826 | /************* | |
| 2827 | * | |
| 2828 | * Server functions | |
| 2829 | */ | |
| 2830 | ||
| ea3f0419 | 2831 | #if CONFIG_NFS_SERVER |
| 2d21ac55 A |
2832 | |
| 2833 | /* | |
| 2834 | * Find a server context based on a handle value received | |
| 2835 | * in an RPCSEC_GSS credential. | |
| 2836 | */ | |
| 2837 | static struct nfs_gss_svc_ctx * | |
| 2838 | nfs_gss_svc_ctx_find(uint32_t handle) | |
| 2839 | { | |
| 2840 | struct nfs_gss_svc_ctx_hashhead *head; | |
| 2841 | struct nfs_gss_svc_ctx *cp; | |
| b0d623f7 A |
2842 | uint64_t timenow; |
| 2843 | ||
| 0a7de745 A |
2844 | if (handle == 0) { |
| 2845 | return NULL; | |
| 2846 | } | |
| 2847 | ||
| 2d21ac55 | 2848 | head = &nfs_gss_svc_ctx_hashtbl[SVC_CTX_HASH(handle)]; |
| b0d623f7 A |
2849 | /* |
| 2850 | * Don't return a context that is going to expire in GSS_CTX_PEND seconds | |
| 2851 | */ | |
| 2852 | clock_interval_to_deadline(GSS_CTX_PEND, NSEC_PER_SEC, &timenow); | |
| 2d21ac55 A |
2853 | |
| 2854 | lck_mtx_lock(nfs_gss_svc_ctx_mutex); | |
| b0d623f7 | 2855 | |
| 6d2010ae | 2856 | LIST_FOREACH(cp, head, gss_svc_entries) { |
| b0d623f7 A |
2857 | if (cp->gss_svc_handle == handle) { |
| 2858 | if (timenow > cp->gss_svc_incarnation + GSS_SVC_CTX_TTL) { | |
| 0a7de745 | 2859 | /* |
| b0d623f7 A |
2860 | * Context has or is about to expire. Don't use. |
| 2861 | * We'll return null and the client will have to create | |
| 2862 | * a new context. | |
| 2863 | */ | |
| 2864 | cp->gss_svc_handle = 0; | |
| 2865 | /* | |
| 0a7de745 | 2866 | * Make sure though that we stay around for GSS_CTX_PEND seconds |
| b0d623f7 A |
2867 | * for other threads that might be using the context. |
| 2868 | */ | |
| 2869 | cp->gss_svc_incarnation = timenow; | |
| 6d2010ae | 2870 | |
| b0d623f7 | 2871 | cp = NULL; |
| 6d2010ae | 2872 | break; |
| b0d623f7 | 2873 | } |
| 0a7de745 | 2874 | lck_mtx_lock(cp->gss_svc_mtx); |
| 6d2010ae | 2875 | cp->gss_svc_refcnt++; |
| 0a7de745 | 2876 | lck_mtx_unlock(cp->gss_svc_mtx); |
| 2d21ac55 | 2877 | break; |
| b0d623f7 | 2878 | } |
| 6d2010ae | 2879 | } |
| b0d623f7 | 2880 | |
| 2d21ac55 A |
2881 | lck_mtx_unlock(nfs_gss_svc_ctx_mutex); |
| 2882 | ||
| 0a7de745 | 2883 | return cp; |
| 2d21ac55 A |
2884 | } |
| 2885 | ||
| 2886 | /* | |
| 2887 | * Insert a new server context into the hash table | |
| 2888 | * and start the context reap thread if necessary. | |
| 2889 | */ | |
| 2890 | static void | |
| 2891 | nfs_gss_svc_ctx_insert(struct nfs_gss_svc_ctx *cp) | |
| 2892 | { | |
| 2893 | struct nfs_gss_svc_ctx_hashhead *head; | |
| 6d2010ae | 2894 | struct nfs_gss_svc_ctx *p; |
| 0a7de745 | 2895 | |
| 6d2010ae A |
2896 | lck_mtx_lock(nfs_gss_svc_ctx_mutex); |
| 2897 | ||
| 2898 | /* | |
| 2899 | * Give the client a random handle so that if we reboot | |
| 2900 | * it's unlikely the client will get a bad context match. | |
| 2901 | * Make sure it's not zero or already assigned. | |
| 2902 | */ | |
| 2903 | retry: | |
| 2904 | cp->gss_svc_handle = random(); | |
| 0a7de745 | 2905 | if (cp->gss_svc_handle == 0) { |
| 6d2010ae | 2906 | goto retry; |
| 0a7de745 | 2907 | } |
| 2d21ac55 | 2908 | head = &nfs_gss_svc_ctx_hashtbl[SVC_CTX_HASH(cp->gss_svc_handle)]; |
| 6d2010ae | 2909 | LIST_FOREACH(p, head, gss_svc_entries) |
| 0a7de745 A |
2910 | if (p->gss_svc_handle == cp->gss_svc_handle) { |
| 2911 | goto retry; | |
| 2912 | } | |
| 2d21ac55 | 2913 | |
| 6d2010ae | 2914 | clock_interval_to_deadline(GSS_CTX_PEND, NSEC_PER_SEC, |
| 0a7de745 | 2915 | &cp->gss_svc_incarnation); |
| 2d21ac55 A |
2916 | LIST_INSERT_HEAD(head, cp, gss_svc_entries); |
| 2917 | nfs_gss_ctx_count++; | |
| 2918 | ||
| 2919 | if (!nfs_gss_timer_on) { | |
| 2920 | nfs_gss_timer_on = 1; | |
| b0d623f7 | 2921 | |
| 2d21ac55 | 2922 | nfs_interval_timer_start(nfs_gss_svc_ctx_timer_call, |
| 0a7de745 | 2923 | min(GSS_TIMER_PERIOD, max(GSS_CTX_TTL_MIN, nfsrv_gss_context_ttl)) * MSECS_PER_SEC); |
| 2d21ac55 | 2924 | } |
| b0d623f7 | 2925 | |
| 2d21ac55 A |
2926 | lck_mtx_unlock(nfs_gss_svc_ctx_mutex); |
| 2927 | } | |
| 2928 | ||
| 2929 | /* | |
| 2930 | * This function is called via the kernel's callout | |
| 2931 | * mechanism. It runs only when there are | |
| 2932 | * cached RPCSEC_GSS contexts. | |
| 2933 | */ | |
| 2934 | void | |
| 2935 | nfs_gss_svc_ctx_timer(__unused void *param1, __unused void *param2) | |
| 2936 | { | |
| 2d21ac55 A |
2937 | struct nfs_gss_svc_ctx *cp, *next; |
| 2938 | uint64_t timenow; | |
| 2939 | int contexts = 0; | |
| 2940 | int i; | |
| 2941 | ||
| 2942 | lck_mtx_lock(nfs_gss_svc_ctx_mutex); | |
| 2943 | clock_get_uptime(&timenow); | |
| 2944 | ||
| fe8ab488 A |
2945 | NFS_GSS_DBG("is running\n"); |
| 2946 | ||
| 2d21ac55 A |
2947 | /* |
| 2948 | * Scan all the hash chains | |
| 2d21ac55 A |
2949 | */ |
| 2950 | for (i = 0; i < SVC_CTX_HASHSZ; i++) { | |
| 2951 | /* | |
| 2952 | * For each hash chain, look for entries | |
| 2953 | * that haven't been used in a while. | |
| 2954 | */ | |
| 6d2010ae | 2955 | LIST_FOREACH_SAFE(cp, &nfs_gss_svc_ctx_hashtbl[i], gss_svc_entries, next) { |
| 2d21ac55 | 2956 | contexts++; |
| 0a7de745 A |
2957 | if (timenow > cp->gss_svc_incarnation + |
| 2958 | (cp->gss_svc_handle ? GSS_SVC_CTX_TTL : 0) | |
| 2959 | && cp->gss_svc_refcnt == 0) { | |
| 2d21ac55 A |
2960 | /* |
| 2961 | * A stale context - remove it | |
| 2962 | */ | |
| 2963 | LIST_REMOVE(cp, gss_svc_entries); | |
| fe8ab488 | 2964 | NFS_GSS_DBG("Removing contex for %d\n", cp->gss_svc_uid); |
| 0a7de745 | 2965 | if (cp->gss_svc_seqbits) { |
| 2d21ac55 | 2966 | FREE(cp->gss_svc_seqbits, M_TEMP); |
| 0a7de745 | 2967 | } |
| 2d21ac55 A |
2968 | lck_mtx_destroy(cp->gss_svc_mtx, nfs_gss_svc_grp); |
| 2969 | FREE(cp, M_TEMP); | |
| 2970 | contexts--; | |
| 2971 | } | |
| 2972 | } | |
| 2973 | } | |
| 2974 | ||
| 2975 | nfs_gss_ctx_count = contexts; | |
| 2976 | ||
| 2977 | /* | |
| 2978 | * If there are still some cached contexts left, | |
| 2979 | * set up another callout to check on them later. | |
| 2980 | */ | |
| 2981 | nfs_gss_timer_on = nfs_gss_ctx_count > 0; | |
| 0a7de745 | 2982 | if (nfs_gss_timer_on) { |
| 2d21ac55 | 2983 | nfs_interval_timer_start(nfs_gss_svc_ctx_timer_call, |
| 0a7de745 A |
2984 | min(GSS_TIMER_PERIOD, max(GSS_CTX_TTL_MIN, nfsrv_gss_context_ttl)) * MSECS_PER_SEC); |
| 2985 | } | |
| 2d21ac55 A |
2986 | |
| 2987 | lck_mtx_unlock(nfs_gss_svc_ctx_mutex); | |
| 2988 | } | |
| 2989 | ||
| 2990 | /* | |
| 2991 | * Here the server receives an RPCSEC_GSS credential in an | |
| 2992 | * RPC call header. First there's some checking to make sure | |
| 2993 | * the credential is appropriate - whether the context is still | |
| 2994 | * being set up, or is complete. Then we use the handle to find | |
| 2995 | * the server's context and validate the verifier, which contains | |
| 2996 | * a signed checksum of the RPC header. If the verifier checks | |
| 2997 | * out, we extract the user's UID and groups from the context | |
| 2998 | * and use it to set up a UNIX credential for the user's request. | |
| 2999 | */ | |
| 3000 | int | |
| 3001 | nfs_gss_svc_cred_get(struct nfsrv_descript *nd, struct nfsm_chain *nmc) | |
| 3002 | { | |
| 3003 | uint32_t vers, proc, seqnum, service; | |
| 3004 | uint32_t handle, handle_len; | |
| 39037602 | 3005 | uint32_t major; |
| 2d21ac55 | 3006 | struct nfs_gss_svc_ctx *cp = NULL; |
| 39037602 | 3007 | uint32_t flavor = 0, header_len; |
| 2d21ac55 | 3008 | int error = 0; |
| 39037602 A |
3009 | uint32_t arglen, start; |
| 3010 | size_t argsize; | |
| 3011 | gss_buffer_desc cksum; | |
| 2d21ac55 | 3012 | struct nfsm_chain nmc_tmp; |
| 39037602 A |
3013 | mbuf_t reply_mbuf, prev_mbuf, pad_mbuf; |
| 3014 | ||
| 2d21ac55 | 3015 | vers = proc = seqnum = service = handle_len = 0; |
| 39037602 | 3016 | arglen = 0; |
| 2d21ac55 A |
3017 | |
| 3018 | nfsm_chain_get_32(error, nmc, vers); | |
| 3019 | if (vers != RPCSEC_GSS_VERS_1) { | |
| 3020 | error = NFSERR_AUTHERR | AUTH_REJECTCRED; | |
| 3021 | goto nfsmout; | |
| 3022 | } | |
| 3023 | ||
| 3024 | nfsm_chain_get_32(error, nmc, proc); | |
| 3025 | nfsm_chain_get_32(error, nmc, seqnum); | |
| 3026 | nfsm_chain_get_32(error, nmc, service); | |
| 3027 | nfsm_chain_get_32(error, nmc, handle_len); | |
| 0a7de745 | 3028 | if (error) { |
| 2d21ac55 | 3029 | goto nfsmout; |
| 0a7de745 | 3030 | } |
| 2d21ac55 A |
3031 | |
| 3032 | /* | |
| 3033 | * Make sure context setup/destroy is being done with a nullproc | |
| 3034 | */ | |
| 3035 | if (proc != RPCSEC_GSS_DATA && nd->nd_procnum != NFSPROC_NULL) { | |
| 3036 | error = NFSERR_AUTHERR | RPCSEC_GSS_CREDPROBLEM; | |
| 3037 | goto nfsmout; | |
| 3038 | } | |
| 3039 | ||
| 3040 | /* | |
| 3041 | * If the sequence number is greater than the max | |
| 3042 | * allowable, reject and have the client init a | |
| 3043 | * new context. | |
| 3044 | */ | |
| 3045 | if (seqnum > GSS_MAXSEQ) { | |
| 3046 | error = NFSERR_AUTHERR | RPCSEC_GSS_CTXPROBLEM; | |
| 3047 | goto nfsmout; | |
| 3048 | } | |
| 3049 | ||
| 0a7de745 A |
3050 | nd->nd_sec = |
| 3051 | service == RPCSEC_GSS_SVC_NONE ? RPCAUTH_KRB5 : | |
| 3052 | service == RPCSEC_GSS_SVC_INTEGRITY ? RPCAUTH_KRB5I : | |
| 3053 | service == RPCSEC_GSS_SVC_PRIVACY ? RPCAUTH_KRB5P : 0; | |
| 2d21ac55 A |
3054 | |
| 3055 | if (proc == RPCSEC_GSS_INIT) { | |
| 3056 | /* | |
| 3057 | * Limit the total number of contexts | |
| 3058 | */ | |
| 3059 | if (nfs_gss_ctx_count > nfs_gss_ctx_max) { | |
| 3060 | error = NFSERR_AUTHERR | RPCSEC_GSS_CTXPROBLEM; | |
| 3061 | goto nfsmout; | |
| 3062 | } | |
| 3063 | ||
| 3064 | /* | |
| 3065 | * Set up a new context | |
| 3066 | */ | |
| 0a7de745 | 3067 | MALLOC(cp, struct nfs_gss_svc_ctx *, sizeof(*cp), M_TEMP, M_WAITOK | M_ZERO); |
| 2d21ac55 A |
3068 | if (cp == NULL) { |
| 3069 | error = ENOMEM; | |
| 3070 | goto nfsmout; | |
| 3071 | } | |
| 6d2010ae A |
3072 | cp->gss_svc_mtx = lck_mtx_alloc_init(nfs_gss_svc_grp, LCK_ATTR_NULL); |
| 3073 | cp->gss_svc_refcnt = 1; | |
| 2d21ac55 | 3074 | } else { |
| 2d21ac55 A |
3075 | /* |
| 3076 | * Use the handle to find the context | |
| 3077 | */ | |
| 3078 | if (handle_len != sizeof(handle)) { | |
| 3079 | error = NFSERR_AUTHERR | RPCSEC_GSS_CREDPROBLEM; | |
| 3080 | goto nfsmout; | |
| 3081 | } | |
| 3082 | nfsm_chain_get_32(error, nmc, handle); | |
| 0a7de745 | 3083 | if (error) { |
| 2d21ac55 | 3084 | goto nfsmout; |
| 0a7de745 | 3085 | } |
| 2d21ac55 A |
3086 | cp = nfs_gss_svc_ctx_find(handle); |
| 3087 | if (cp == NULL) { | |
| 3088 | error = NFSERR_AUTHERR | RPCSEC_GSS_CTXPROBLEM; | |
| 3089 | goto nfsmout; | |
| 3090 | } | |
| 3091 | } | |
| 3092 | ||
| 3093 | cp->gss_svc_proc = proc; | |
| 3094 | ||
| 3095 | if (proc == RPCSEC_GSS_DATA || proc == RPCSEC_GSS_DESTROY) { | |
| 6d2010ae | 3096 | struct posix_cred temp_pcred; |
| 2d21ac55 A |
3097 | |
| 3098 | if (cp->gss_svc_seqwin == 0) { | |
| 3099 | /* | |
| 3100 | * Context isn't complete | |
| 3101 | */ | |
| 3102 | error = NFSERR_AUTHERR | RPCSEC_GSS_CTXPROBLEM; | |
| 3103 | goto nfsmout; | |
| 3104 | } | |
| 3105 | ||
| 3106 | if (!nfs_gss_svc_seqnum_valid(cp, seqnum)) { | |
| 3107 | /* | |
| 3108 | * Sequence number is bad | |
| 3109 | */ | |
| 0a7de745 | 3110 | error = EINVAL; // drop the request |
| 2d21ac55 A |
3111 | goto nfsmout; |
| 3112 | } | |
| 3113 | ||
| 2d21ac55 A |
3114 | /* |
| 3115 | * Validate the verifier. | |
| 3116 | * The verifier contains an encrypted checksum | |
| 3117 | * of the call header from the XID up to and | |
| 3118 | * including the credential. We compute the | |
| 3119 | * checksum and compare it with what came in | |
| 3120 | * the verifier. | |
| 3121 | */ | |
| 39037602 | 3122 | header_len = nfsm_chain_offset(nmc); |
| 2d21ac55 | 3123 | nfsm_chain_get_32(error, nmc, flavor); |
| 39037602 | 3124 | nfsm_chain_get_32(error, nmc, cksum.length); |
| 0a7de745 | 3125 | if (error) { |
| 6d2010ae | 3126 | goto nfsmout; |
| 0a7de745 A |
3127 | } |
| 3128 | if (flavor != RPCSEC_GSS || cksum.length > KRB5_MAX_MIC_SIZE) { | |
| 2d21ac55 | 3129 | error = NFSERR_AUTHERR | AUTH_BADVERF; |
| 0a7de745 | 3130 | } else { |
| d26ffc64 A |
3131 | MALLOC(cksum.value, void *, cksum.length, M_TEMP, M_WAITOK); |
| 3132 | nfsm_chain_get_opaque(error, nmc, cksum.length, cksum.value); | |
| 3133 | } | |
| 0a7de745 | 3134 | if (error) { |
| 2d21ac55 | 3135 | goto nfsmout; |
| 0a7de745 | 3136 | } |
| 2d21ac55 | 3137 | |
| 39037602 A |
3138 | /* Now verify the client's call header checksum */ |
| 3139 | major = gss_krb5_verify_mic_mbuf((uint32_t *)&error, cp->gss_svc_ctx_id, nmc->nmc_mhead, 0, header_len, &cksum, NULL); | |
| 3140 | (void)gss_release_buffer(NULL, &cksum); | |
| 3141 | if (major != GSS_S_COMPLETE) { | |
| 3142 | printf("Server header: gss_krb5_verify_mic_mbuf failed %d\n", error); | |
| 2d21ac55 A |
3143 | error = NFSERR_AUTHERR | RPCSEC_GSS_CTXPROBLEM; |
| 3144 | goto nfsmout; | |
| 3145 | } | |
| 3146 | ||
| 3147 | nd->nd_gss_seqnum = seqnum; | |
| 3148 | ||
| 3149 | /* | |
| 3150 | * Set up the user's cred | |
| 3151 | */ | |
| 6d2010ae A |
3152 | bzero(&temp_pcred, sizeof(temp_pcred)); |
| 3153 | temp_pcred.cr_uid = cp->gss_svc_uid; | |
| 3154 | bcopy(cp->gss_svc_gids, temp_pcred.cr_groups, | |
| 0a7de745 | 3155 | sizeof(gid_t) * cp->gss_svc_ngroups); |
| 6d2010ae | 3156 | temp_pcred.cr_ngroups = cp->gss_svc_ngroups; |
| 2d21ac55 | 3157 | |
| 6d2010ae | 3158 | nd->nd_cr = posix_cred_create(&temp_pcred); |
| 2d21ac55 A |
3159 | if (nd->nd_cr == NULL) { |
| 3160 | error = ENOMEM; | |
| 3161 | goto nfsmout; | |
| 3162 | } | |
| b0d623f7 | 3163 | clock_get_uptime(&cp->gss_svc_incarnation); |
| 2d21ac55 A |
3164 | |
| 3165 | /* | |
| 3166 | * If the call arguments are integrity or privacy protected | |
| 3167 | * then we need to check them here. | |
| 3168 | */ | |
| 3169 | switch (service) { | |
| 3170 | case RPCSEC_GSS_SVC_NONE: | |
| 3171 | /* nothing to do */ | |
| 3172 | break; | |
| 3173 | case RPCSEC_GSS_SVC_INTEGRITY: | |
| 3174 | /* | |
| 3175 | * Here's what we expect in the integrity call args: | |
| 3176 | * | |
| 3177 | * - length of seq num + call args (4 bytes) | |
| 3178 | * - sequence number (4 bytes) | |
| 3179 | * - call args (variable bytes) | |
| 39037602 A |
3180 | * - length of checksum token |
| 3181 | * - checksum of seqnum + call args | |
| 2d21ac55 | 3182 | */ |
| 0a7de745 | 3183 | nfsm_chain_get_32(error, nmc, arglen); // length of args |
| 2d21ac55 A |
3184 | if (arglen > NFS_MAXPACKET) { |
| 3185 | error = EBADRPC; | |
| 3186 | goto nfsmout; | |
| 3187 | } | |
| 3188 | ||
| 39037602 A |
3189 | nmc_tmp = *nmc; |
| 3190 | nfsm_chain_adv(error, &nmc_tmp, arglen); | |
| 3191 | nfsm_chain_get_32(error, &nmc_tmp, cksum.length); | |
| d9a64523 | 3192 | cksum.value = NULL; |
| 0a7de745 | 3193 | if (cksum.length > 0 && cksum.length < GSS_MAX_MIC_LEN) { |
| d9a64523 | 3194 | MALLOC(cksum.value, void *, cksum.length, M_TEMP, M_WAITOK); |
| 0a7de745 | 3195 | } |
| 39037602 A |
3196 | |
| 3197 | if (cksum.value == NULL) { | |
| 3198 | error = EBADRPC; | |
| 3199 | goto nfsmout; | |
| 3200 | } | |
| 3201 | nfsm_chain_get_opaque(error, &nmc_tmp, cksum.length, cksum.value); | |
| 3202 | ||
| 3203 | /* Verify the checksum over the call args */ | |
| 2d21ac55 | 3204 | start = nfsm_chain_offset(nmc); |
| 39037602 A |
3205 | |
| 3206 | major = gss_krb5_verify_mic_mbuf((uint32_t *)&error, cp->gss_svc_ctx_id, | |
| 0a7de745 | 3207 | nmc->nmc_mhead, start, arglen, &cksum, NULL); |
| 39037602 A |
3208 | FREE(cksum.value, M_TEMP); |
| 3209 | if (major != GSS_S_COMPLETE) { | |
| 3210 | printf("Server args: gss_krb5_verify_mic_mbuf failed %d\n", error); | |
| 3211 | error = EBADRPC; | |
| 3212 | goto nfsmout; | |
| 3213 | } | |
| 3214 | ||
| 2d21ac55 A |
3215 | /* |
| 3216 | * Get the sequence number prepended to the args | |
| 3217 | * and compare it against the one sent in the | |
| 3218 | * call credential. | |
| 3219 | */ | |
| 3220 | nfsm_chain_get_32(error, nmc, seqnum); | |
| 3221 | if (seqnum != nd->nd_gss_seqnum) { | |
| 0a7de745 | 3222 | error = EBADRPC; // returns as GARBAGEARGS |
| 2d21ac55 A |
3223 | goto nfsmout; |
| 3224 | } | |
| 2d21ac55 A |
3225 | break; |
| 3226 | case RPCSEC_GSS_SVC_PRIVACY: | |
| 3227 | /* | |
| 3228 | * Here's what we expect in the privacy call args: | |
| 3229 | * | |
| 39037602 | 3230 | * - length of wrap token |
| 2d21ac55 | 3231 | * - wrap token (37-40 bytes) |
| 2d21ac55 | 3232 | */ |
| 39037602 | 3233 | prev_mbuf = nmc->nmc_mcur; |
| 0a7de745 | 3234 | nfsm_chain_get_32(error, nmc, arglen); // length of args |
| 2d21ac55 A |
3235 | if (arglen > NFS_MAXPACKET) { |
| 3236 | error = EBADRPC; | |
| 3237 | goto nfsmout; | |
| 3238 | } | |
| 39037602 A |
3239 | |
| 3240 | /* Get the wrap token (current mbuf in the chain starting at the current offset) */ | |
| 3241 | start = nmc->nmc_ptr - (caddr_t)mbuf_data(nmc->nmc_mcur); | |
| 3242 | ||
| 3243 | /* split out the wrap token */ | |
| 3244 | argsize = arglen; | |
| 3245 | error = gss_normalize_mbuf(nmc->nmc_mcur, start, &argsize, &reply_mbuf, &pad_mbuf, 0); | |
| 0a7de745 | 3246 | if (error) { |
| 2d21ac55 | 3247 | goto nfsmout; |
| 0a7de745 | 3248 | } |
| 39037602 A |
3249 | |
| 3250 | assert(argsize == arglen); | |
| 3251 | if (pad_mbuf) { | |
| 3252 | assert(nfsm_pad(arglen) == mbuf_len(pad_mbuf)); | |
| 3253 | mbuf_free(pad_mbuf); | |
| 3254 | } else { | |
| 3255 | assert(nfsm_pad(arglen) == 0); | |
| 3256 | } | |
| 3257 | ||
| 3258 | major = gss_krb5_unwrap_mbuf((uint32_t *)&error, cp->gss_svc_ctx_id, &reply_mbuf, 0, arglen, NULL, NULL); | |
| 3259 | if (major != GSS_S_COMPLETE) { | |
| 3260 | printf("%s: gss_krb5_unwrap_mbuf failes %d\n", __func__, error); | |
| 2d21ac55 A |
3261 | goto nfsmout; |
| 3262 | } | |
| 3263 | ||
| 39037602 A |
3264 | /* Now replace the wrapped arguments with the unwrapped ones */ |
| 3265 | mbuf_setnext(prev_mbuf, reply_mbuf); | |
| 3266 | nmc->nmc_mcur = reply_mbuf; | |
| 3267 | nmc->nmc_ptr = mbuf_data(reply_mbuf); | |
| 3268 | nmc->nmc_left = mbuf_len(reply_mbuf); | |
| 3269 | ||
| 3270 | /* | |
| 3271 | * - sequence number (4 bytes) | |
| 3272 | * - call args | |
| 3273 | */ | |
| 3274 | ||
| 3275 | // nfsm_chain_reverse(nmc, nfsm_pad(toklen)); | |
| 3276 | ||
| 2d21ac55 A |
3277 | /* |
| 3278 | * Get the sequence number prepended to the args | |
| 3279 | * and compare it against the one sent in the | |
| 3280 | * call credential. | |
| 3281 | */ | |
| 2d21ac55 A |
3282 | nfsm_chain_get_32(error, nmc, seqnum); |
| 3283 | if (seqnum != nd->nd_gss_seqnum) { | |
| 39037602 | 3284 | printf("%s: Sequence number mismatch seqnum = %d nd->nd_gss_seqnum = %d\n", |
| 0a7de745 | 3285 | __func__, seqnum, nd->nd_gss_seqnum); |
| 39037602 A |
3286 | printmbuf("reply_mbuf", nmc->nmc_mhead, 0, 0); |
| 3287 | printf("reply_mbuf %p nmc_head %p\n", reply_mbuf, nmc->nmc_mhead); | |
| 0a7de745 | 3288 | error = EBADRPC; // returns as GARBAGEARGS |
| 2d21ac55 A |
3289 | goto nfsmout; |
| 3290 | } | |
| 3291 | break; | |
| 3292 | } | |
| 3293 | } else { | |
| 39037602 | 3294 | uint32_t verflen; |
| 2d21ac55 A |
3295 | /* |
| 3296 | * If the proc is RPCSEC_GSS_INIT or RPCSEC_GSS_CONTINUE_INIT | |
| 3297 | * then we expect a null verifier. | |
| 3298 | */ | |
| 3299 | nfsm_chain_get_32(error, nmc, flavor); | |
| 3300 | nfsm_chain_get_32(error, nmc, verflen); | |
| 0a7de745 | 3301 | if (error || flavor != RPCAUTH_NULL || verflen > 0) { |
| 2d21ac55 | 3302 | error = NFSERR_AUTHERR | RPCSEC_GSS_CREDPROBLEM; |
| 0a7de745 | 3303 | } |
| 6d2010ae A |
3304 | if (error) { |
| 3305 | if (proc == RPCSEC_GSS_INIT) { | |
| 3306 | lck_mtx_destroy(cp->gss_svc_mtx, nfs_gss_svc_grp); | |
| 3307 | FREE(cp, M_TEMP); | |
| 3308 | cp = NULL; | |
| 3309 | } | |
| 2d21ac55 | 3310 | goto nfsmout; |
| 6d2010ae | 3311 | } |
| 2d21ac55 A |
3312 | } |
| 3313 | ||
| 3314 | nd->nd_gss_context = cp; | |
| 6d2010ae | 3315 | return 0; |
| 2d21ac55 | 3316 | nfsmout: |
| 0a7de745 | 3317 | if (cp) { |
| 6d2010ae | 3318 | nfs_gss_svc_ctx_deref(cp); |
| 0a7de745 A |
3319 | } |
| 3320 | return error; | |
| 2d21ac55 A |
3321 | } |
| 3322 | ||
| 3323 | /* | |
| 3324 | * Insert the server's verifier into the RPC reply header. | |
| 3325 | * It contains a signed checksum of the sequence number that | |
| 3326 | * was received in the RPC call. | |
| 3327 | * Then go on to add integrity or privacy if necessary. | |
| 3328 | */ | |
| 3329 | int | |
| 3330 | nfs_gss_svc_verf_put(struct nfsrv_descript *nd, struct nfsm_chain *nmc) | |
| 3331 | { | |
| 3332 | struct nfs_gss_svc_ctx *cp; | |
| 3333 | int error = 0; | |
| 39037602 A |
3334 | gss_buffer_desc cksum, seqbuf; |
| 3335 | uint32_t network_seqnum; | |
| 2d21ac55 | 3336 | cp = nd->nd_gss_context; |
| 39037602 A |
3337 | uint32_t major; |
| 3338 | ||
| 2d21ac55 A |
3339 | if (cp->gss_svc_major != GSS_S_COMPLETE) { |
| 3340 | /* | |
| 3341 | * If the context isn't yet complete | |
| 3342 | * then return a null verifier. | |
| 3343 | */ | |
| 3344 | nfsm_chain_add_32(error, nmc, RPCAUTH_NULL); | |
| 3345 | nfsm_chain_add_32(error, nmc, 0); | |
| 0a7de745 | 3346 | return error; |
| 2d21ac55 A |
3347 | } |
| 3348 | ||
| 3349 | /* | |
| 3350 | * Compute checksum of the request seq number | |
| 3351 | * If it's the final reply of context setup | |
| 3352 | * then return the checksum of the context | |
| 3353 | * window size. | |
| 3354 | */ | |
| 39037602 | 3355 | seqbuf.length = NFSX_UNSIGNED; |
| 2d21ac55 | 3356 | if (cp->gss_svc_proc == RPCSEC_GSS_INIT || |
| 0a7de745 | 3357 | cp->gss_svc_proc == RPCSEC_GSS_CONTINUE_INIT) { |
| 39037602 | 3358 | network_seqnum = htonl(cp->gss_svc_seqwin); |
| 0a7de745 | 3359 | } else { |
| 39037602 | 3360 | network_seqnum = htonl(nd->nd_gss_seqnum); |
| 0a7de745 | 3361 | } |
| 39037602 A |
3362 | seqbuf.value = &network_seqnum; |
| 3363 | ||
| 3364 | major = gss_krb5_get_mic((uint32_t *)&error, cp->gss_svc_ctx_id, 0, &seqbuf, &cksum); | |
| 0a7de745 A |
3365 | if (major != GSS_S_COMPLETE) { |
| 3366 | return error; | |
| 3367 | } | |
| 39037602 | 3368 | |
| 2d21ac55 A |
3369 | /* |
| 3370 | * Now wrap it in a token and add | |
| 3371 | * the verifier to the reply. | |
| 3372 | */ | |
| 2d21ac55 | 3373 | nfsm_chain_add_32(error, nmc, RPCSEC_GSS); |
| 39037602 A |
3374 | nfsm_chain_add_32(error, nmc, cksum.length); |
| 3375 | nfsm_chain_add_opaque(error, nmc, cksum.value, cksum.length); | |
| 3376 | gss_release_buffer(NULL, &cksum); | |
| 2d21ac55 | 3377 | |
| 0a7de745 | 3378 | return error; |
| 2d21ac55 A |
3379 | } |
| 3380 | ||
| 3381 | /* | |
| 3382 | * The results aren't available yet, but if they need to be | |
| 3383 | * checksummed for integrity protection or encrypted, then | |
| 3384 | * we can record the start offset here, insert a place-holder | |
| 3385 | * for the results length, as well as the sequence number. | |
| 3386 | * The rest of the work is done later by nfs_gss_svc_protect_reply() | |
| 3387 | * when the results are available. | |
| 3388 | */ | |
| 3389 | int | |
| 3390 | nfs_gss_svc_prepare_reply(struct nfsrv_descript *nd, struct nfsm_chain *nmc) | |
| 3391 | { | |
| 3392 | struct nfs_gss_svc_ctx *cp = nd->nd_gss_context; | |
| 3393 | int error = 0; | |
| 3394 | ||
| 3395 | if (cp->gss_svc_proc == RPCSEC_GSS_INIT || | |
| 0a7de745 A |
3396 | cp->gss_svc_proc == RPCSEC_GSS_CONTINUE_INIT) { |
| 3397 | return 0; | |
| 3398 | } | |
| 2d21ac55 A |
3399 | |
| 3400 | switch (nd->nd_sec) { | |
| 3401 | case RPCAUTH_KRB5: | |
| 3402 | /* Nothing to do */ | |
| 3403 | break; | |
| 3404 | case RPCAUTH_KRB5I: | |
| 2d21ac55 | 3405 | case RPCAUTH_KRB5P: |
| 0a7de745 A |
3406 | nd->nd_gss_mb = nmc->nmc_mcur; // record current mbuf |
| 3407 | nfsm_chain_finish_mbuf(error, nmc); // split the chain here | |
| 2d21ac55 A |
3408 | break; |
| 3409 | } | |
| 3410 | ||
| 0a7de745 | 3411 | return error; |
| 2d21ac55 A |
3412 | } |
| 3413 | ||
| 3414 | /* | |
| 3415 | * The results are checksummed or encrypted for return to the client | |
| 3416 | */ | |
| 3417 | int | |
| 39037602 | 3418 | nfs_gss_svc_protect_reply(struct nfsrv_descript *nd, mbuf_t mrep __unused) |
| 2d21ac55 A |
3419 | { |
| 3420 | struct nfs_gss_svc_ctx *cp = nd->nd_gss_context; | |
| 3421 | struct nfsm_chain nmrep_res, *nmc_res = &nmrep_res; | |
| 2d21ac55 A |
3422 | mbuf_t mb, results; |
| 3423 | uint32_t reslen; | |
| 2d21ac55 A |
3424 | int error = 0; |
| 3425 | ||
| 39037602 | 3426 | /* XXX |
| 2d21ac55 A |
3427 | * Using a reference to the mbuf where we previously split the reply |
| 3428 | * mbuf chain, we split the mbuf chain argument into two mbuf chains, | |
| 3429 | * one that allows us to prepend a length field or token, (nmc_pre) | |
| 3430 | * and the second which holds just the results that we're going to | |
| 3431 | * checksum and/or encrypt. When we're done, we join the chains back | |
| 3432 | * together. | |
| 3433 | */ | |
| 39037602 | 3434 | |
| 0a7de745 A |
3435 | mb = nd->nd_gss_mb; // the mbuf where we split |
| 3436 | results = mbuf_next(mb); // first mbuf in the results | |
| 3437 | error = mbuf_setnext(mb, NULL); // disconnect the chains | |
| 3438 | if (error) { | |
| 3439 | return error; | |
| 3440 | } | |
| 3441 | nfs_gss_nfsm_chain(nmc_res, mb); // set up the prepend chain | |
| 39037602 | 3442 | nfsm_chain_build_done(error, nmc_res); |
| 0a7de745 A |
3443 | if (error) { |
| 3444 | return error; | |
| 3445 | } | |
| 2d21ac55 A |
3446 | |
| 3447 | if (nd->nd_sec == RPCAUTH_KRB5I) { | |
| 39037602 | 3448 | error = rpc_gss_integ_data_create(cp->gss_svc_ctx_id, &results, nd->nd_gss_seqnum, &reslen); |
| 2d21ac55 A |
3449 | } else { |
| 3450 | /* RPCAUTH_KRB5P */ | |
| 39037602 | 3451 | error = rpc_gss_priv_data_create(cp->gss_svc_ctx_id, &results, nd->nd_gss_seqnum, &reslen); |
| 2d21ac55 | 3452 | } |
| 0a7de745 | 3453 | nfs_gss_append_chain(nmc_res, results); // Append the results mbufs |
| 39037602 | 3454 | nfsm_chain_build_done(error, nmc_res); |
| 2d21ac55 | 3455 | |
| 0a7de745 | 3456 | return error; |
| 2d21ac55 A |
3457 | } |
| 3458 | ||
| 3459 | /* | |
| 3460 | * This function handles the context setup calls from the client. | |
| 3461 | * Essentially, it implements the NFS null procedure calls when | |
| 3462 | * an RPCSEC_GSS credential is used. | |
| 3463 | * This is the context maintenance function. It creates and | |
| 3464 | * destroys server contexts at the whim of the client. | |
| 3465 | * During context creation, it receives GSS-API tokens from the | |
| 3466 | * client, passes them up to gssd, and returns a received token | |
| 3467 | * back to the client in the null procedure reply. | |
| 3468 | */ | |
| 3469 | int | |
| 3470 | nfs_gss_svc_ctx_init(struct nfsrv_descript *nd, struct nfsrv_sock *slp, mbuf_t *mrepp) | |
| 3471 | { | |
| 3472 | struct nfs_gss_svc_ctx *cp = NULL; | |
| 2d21ac55 A |
3473 | int error = 0; |
| 3474 | int autherr = 0; | |
| 3475 | struct nfsm_chain *nmreq, nmrep; | |
| 3476 | int sz; | |
| 3477 | ||
| 3478 | nmreq = &nd->nd_nmreq; | |
| 3479 | nfsm_chain_null(&nmrep); | |
| 3480 | *mrepp = NULL; | |
| 3481 | cp = nd->nd_gss_context; | |
| 3482 | nd->nd_repstat = 0; | |
| 3483 | ||
| 3484 | switch (cp->gss_svc_proc) { | |
| 3485 | case RPCSEC_GSS_INIT: | |
| 2d21ac55 | 3486 | nfs_gss_svc_ctx_insert(cp); |
| 0a7de745 | 3487 | /* FALLTHRU */ |
| 2d21ac55 A |
3488 | |
| 3489 | case RPCSEC_GSS_CONTINUE_INIT: | |
| 3490 | /* Get the token from the request */ | |
| 3491 | nfsm_chain_get_32(error, nmreq, cp->gss_svc_tokenlen); | |
| d9a64523 | 3492 | cp->gss_svc_token = NULL; |
| 0a7de745 | 3493 | if (cp->gss_svc_tokenlen > 0 && cp->gss_svc_tokenlen < GSS_MAX_TOKEN_LEN) { |
| d9a64523 | 3494 | MALLOC(cp->gss_svc_token, u_char *, cp->gss_svc_tokenlen, M_TEMP, M_WAITOK); |
| 0a7de745 | 3495 | } |
| 2d21ac55 A |
3496 | if (cp->gss_svc_token == NULL) { |
| 3497 | autherr = RPCSEC_GSS_CREDPROBLEM; | |
| 3498 | break; | |
| 3499 | } | |
| 3500 | nfsm_chain_get_opaque(error, nmreq, cp->gss_svc_tokenlen, cp->gss_svc_token); | |
| 3501 | ||
| 3502 | /* Use the token in a gss_accept_sec_context upcall */ | |
| 3503 | error = nfs_gss_svc_gssd_upcall(cp); | |
| 3504 | if (error) { | |
| 3505 | autherr = RPCSEC_GSS_CREDPROBLEM; | |
| 0a7de745 | 3506 | if (error == NFSERR_EAUTH) { |
| 2d21ac55 | 3507 | error = 0; |
| 0a7de745 | 3508 | } |
| 2d21ac55 A |
3509 | break; |
| 3510 | } | |
| 3511 | ||
| 3512 | /* | |
| 3513 | * If the context isn't complete, pass the new token | |
| 3514 | * back to the client for another round. | |
| 3515 | */ | |
| 0a7de745 | 3516 | if (cp->gss_svc_major != GSS_S_COMPLETE) { |
| 2d21ac55 | 3517 | break; |
| 0a7de745 | 3518 | } |
| 2d21ac55 A |
3519 | |
| 3520 | /* | |
| 3521 | * Now the server context is complete. | |
| 3522 | * Finish setup. | |
| 3523 | */ | |
| b0d623f7 A |
3524 | clock_get_uptime(&cp->gss_svc_incarnation); |
| 3525 | ||
| 2d21ac55 A |
3526 | cp->gss_svc_seqwin = GSS_SVC_SEQWINDOW; |
| 3527 | MALLOC(cp->gss_svc_seqbits, uint32_t *, | |
| 0a7de745 | 3528 | nfsm_rndup((cp->gss_svc_seqwin + 7) / 8), M_TEMP, M_WAITOK | M_ZERO); |
| 2d21ac55 A |
3529 | if (cp->gss_svc_seqbits == NULL) { |
| 3530 | autherr = RPCSEC_GSS_CREDPROBLEM; | |
| 3531 | break; | |
| 3532 | } | |
| 2d21ac55 A |
3533 | break; |
| 3534 | ||
| 3535 | case RPCSEC_GSS_DATA: | |
| 3536 | /* Just a nullproc ping - do nothing */ | |
| 3537 | break; | |
| 3538 | ||
| 3539 | case RPCSEC_GSS_DESTROY: | |
| 3540 | /* | |
| 3541 | * Don't destroy the context immediately because | |
| 3542 | * other active requests might still be using it. | |
| 3543 | * Instead, schedule it for destruction after | |
| 3544 | * GSS_CTX_PEND time has elapsed. | |
| 3545 | */ | |
| 3546 | cp = nfs_gss_svc_ctx_find(cp->gss_svc_handle); | |
| 3547 | if (cp != NULL) { | |
| 0a7de745 | 3548 | cp->gss_svc_handle = 0; // so it can't be found |
| 2d21ac55 A |
3549 | lck_mtx_lock(cp->gss_svc_mtx); |
| 3550 | clock_interval_to_deadline(GSS_CTX_PEND, NSEC_PER_SEC, | |
| 0a7de745 | 3551 | &cp->gss_svc_incarnation); |
| 2d21ac55 A |
3552 | lck_mtx_unlock(cp->gss_svc_mtx); |
| 3553 | } | |
| 3554 | break; | |
| 3555 | default: | |
| 3556 | autherr = RPCSEC_GSS_CREDPROBLEM; | |
| 3557 | break; | |
| 3558 | } | |
| 3559 | ||
| 3560 | /* Now build the reply */ | |
| 3561 | ||
| 0a7de745 | 3562 | if (nd->nd_repstat == 0) { |
| 2d21ac55 | 3563 | nd->nd_repstat = autherr ? (NFSERR_AUTHERR | autherr) : NFSERR_RETVOID; |
| 0a7de745 | 3564 | } |
| 2d21ac55 A |
3565 | sz = 7 * NFSX_UNSIGNED + nfsm_rndup(cp->gss_svc_tokenlen); // size of results |
| 3566 | error = nfsrv_rephead(nd, slp, &nmrep, sz); | |
| 3567 | *mrepp = nmrep.nmc_mhead; | |
| 0a7de745 | 3568 | if (error || autherr) { |
| 2d21ac55 | 3569 | goto nfsmout; |
| 0a7de745 | 3570 | } |
| 2d21ac55 A |
3571 | |
| 3572 | if (cp->gss_svc_proc == RPCSEC_GSS_INIT || | |
| 3573 | cp->gss_svc_proc == RPCSEC_GSS_CONTINUE_INIT) { | |
| 3574 | nfsm_chain_add_32(error, &nmrep, sizeof(cp->gss_svc_handle)); | |
| 3575 | nfsm_chain_add_32(error, &nmrep, cp->gss_svc_handle); | |
| 0a7de745 | 3576 | |
| 2d21ac55 A |
3577 | nfsm_chain_add_32(error, &nmrep, cp->gss_svc_major); |
| 3578 | nfsm_chain_add_32(error, &nmrep, cp->gss_svc_minor); | |
| 3579 | nfsm_chain_add_32(error, &nmrep, cp->gss_svc_seqwin); | |
| 0a7de745 | 3580 | |
| 2d21ac55 | 3581 | nfsm_chain_add_32(error, &nmrep, cp->gss_svc_tokenlen); |
| 2d21ac55 | 3582 | if (cp->gss_svc_token != NULL) { |
| b0d623f7 | 3583 | nfsm_chain_add_opaque(error, &nmrep, cp->gss_svc_token, cp->gss_svc_tokenlen); |
| 2d21ac55 A |
3584 | FREE(cp->gss_svc_token, M_TEMP); |
| 3585 | cp->gss_svc_token = NULL; | |
| 3586 | } | |
| 3587 | } | |
| 3588 | ||
| 3589 | nfsmout: | |
| 3590 | if (autherr != 0) { | |
| b0d623f7 | 3591 | nd->nd_gss_context = NULL; |
| 2d21ac55 | 3592 | LIST_REMOVE(cp, gss_svc_entries); |
| 0a7de745 | 3593 | if (cp->gss_svc_seqbits != NULL) { |
| 2d21ac55 | 3594 | FREE(cp->gss_svc_seqbits, M_TEMP); |
| 0a7de745 A |
3595 | } |
| 3596 | if (cp->gss_svc_token != NULL) { | |
| 2d21ac55 | 3597 | FREE(cp->gss_svc_token, M_TEMP); |
| 0a7de745 | 3598 | } |
| 2d21ac55 A |
3599 | lck_mtx_destroy(cp->gss_svc_mtx, nfs_gss_svc_grp); |
| 3600 | FREE(cp, M_TEMP); | |
| 3601 | } | |
| 3602 | ||
| 3603 | nfsm_chain_build_done(error, &nmrep); | |
| 3604 | if (error) { | |
| 3605 | nfsm_chain_cleanup(&nmrep); | |
| 3606 | *mrepp = NULL; | |
| 3607 | } | |
| 0a7de745 | 3608 | return error; |
| 2d21ac55 A |
3609 | } |
| 3610 | ||
| 3611 | /* | |
| 3612 | * This is almost a mirror-image of the client side upcall. | |
| 3613 | * It passes and receives a token, but invokes gss_accept_sec_context. | |
| 3614 | * If it's the final call of the context setup, then gssd also returns | |
| 3615 | * the session key and the user's UID. | |
| 3616 | */ | |
| 3617 | static int | |
| 3618 | nfs_gss_svc_gssd_upcall(struct nfs_gss_svc_ctx *cp) | |
| 3619 | { | |
| 3620 | kern_return_t kr; | |
| 3621 | mach_port_t mp; | |
| 3622 | int retry_cnt = 0; | |
| 39037602 A |
3623 | gssd_byte_buffer octx = NULL; |
| 3624 | uint32_t lucidlen = 0; | |
| 3625 | void *lucid_ctx_buffer; | |
| b0d623f7 | 3626 | uint32_t ret_flags; |
| 2d21ac55 | 3627 | vm_map_copy_t itoken = NULL; |
| 6d2010ae | 3628 | gssd_byte_buffer otoken = NULL; |
| b0d623f7 | 3629 | mach_msg_type_number_t otokenlen; |
| 2d21ac55 A |
3630 | int error = 0; |
| 3631 | char svcname[] = "nfs"; | |
| 3632 | ||
| 316670eb | 3633 | kr = host_get_gssd_port(host_priv_self(), &mp); |
| 2d21ac55 | 3634 | if (kr != KERN_SUCCESS) { |
| b0d623f7 A |
3635 | printf("nfs_gss_svc_gssd_upcall: can't get gssd port, status %x (%d)\n", kr, kr); |
| 3636 | goto out; | |
| 2d21ac55 A |
3637 | } |
| 3638 | if (!IPC_PORT_VALID(mp)) { | |
| 3639 | printf("nfs_gss_svc_gssd_upcall: gssd port not valid\n"); | |
| b0d623f7 | 3640 | goto out; |
| 2d21ac55 A |
3641 | } |
| 3642 | ||
| 0a7de745 | 3643 | if (cp->gss_svc_tokenlen > 0) { |
| 2d21ac55 | 3644 | nfs_gss_mach_alloc_buffer(cp->gss_svc_token, cp->gss_svc_tokenlen, &itoken); |
| 0a7de745 | 3645 | } |
| 2d21ac55 A |
3646 | |
| 3647 | retry: | |
| 39037602 | 3648 | printf("Calling mach_gss_accept_sec_context\n"); |
| 2d21ac55 A |
3649 | kr = mach_gss_accept_sec_context( |
| 3650 | mp, | |
| 6d2010ae | 3651 | (gssd_byte_buffer) itoken, (mach_msg_type_number_t) cp->gss_svc_tokenlen, |
| 2d21ac55 A |
3652 | svcname, |
| 3653 | 0, | |
| 2d21ac55 A |
3654 | &cp->gss_svc_context, |
| 3655 | &cp->gss_svc_cred_handle, | |
| b0d623f7 | 3656 | &ret_flags, |
| 2d21ac55 A |
3657 | &cp->gss_svc_uid, |
| 3658 | cp->gss_svc_gids, | |
| 3659 | &cp->gss_svc_ngroups, | |
| 39037602 | 3660 | &octx, (mach_msg_type_number_t *) &lucidlen, |
| b0d623f7 | 3661 | &otoken, &otokenlen, |
| 2d21ac55 A |
3662 | &cp->gss_svc_major, |
| 3663 | &cp->gss_svc_minor); | |
| 3664 | ||
| 39037602 | 3665 | printf("mach_gss_accept_sec_context returned %d\n", kr); |
| 0a7de745 | 3666 | if (kr != KERN_SUCCESS) { |
| b0d623f7 | 3667 | printf("nfs_gss_svc_gssd_upcall failed: %x (%d)\n", kr, kr); |
| 2d21ac55 | 3668 | if (kr == MIG_SERVER_DIED && cp->gss_svc_context == 0 && |
| 0a7de745 A |
3669 | retry_cnt++ < NFS_GSS_MACH_MAX_RETRIES) { |
| 3670 | if (cp->gss_svc_tokenlen > 0) { | |
| b0d623f7 | 3671 | nfs_gss_mach_alloc_buffer(cp->gss_svc_token, cp->gss_svc_tokenlen, &itoken); |
| 0a7de745 | 3672 | } |
| 2d21ac55 | 3673 | goto retry; |
| b0d623f7 | 3674 | } |
| 316670eb | 3675 | host_release_special_port(mp); |
| b0d623f7 | 3676 | goto out; |
| 2d21ac55 A |
3677 | } |
| 3678 | ||
| 316670eb | 3679 | host_release_special_port(mp); |
| b0d623f7 | 3680 | |
| 39037602 A |
3681 | if (lucidlen > 0) { |
| 3682 | if (lucidlen > MAX_LUCIDLEN) { | |
| 3683 | printf("nfs_gss_svc_gssd_upcall: bad context length (%d)\n", lucidlen); | |
| 3684 | vm_map_copy_discard((vm_map_copy_t) octx); | |
| b0d623f7 A |
3685 | vm_map_copy_discard((vm_map_copy_t) otoken); |
| 3686 | goto out; | |
| 2d21ac55 | 3687 | } |
| 39037602 A |
3688 | MALLOC(lucid_ctx_buffer, void *, lucidlen, M_TEMP, M_WAITOK | M_ZERO); |
| 3689 | error = nfs_gss_mach_vmcopyout((vm_map_copy_t) octx, lucidlen, lucid_ctx_buffer); | |
| b0d623f7 A |
3690 | if (error) { |
| 3691 | vm_map_copy_discard((vm_map_copy_t) otoken); | |
| 39037602 | 3692 | FREE(lucid_ctx_buffer, M_TEMP); |
| b0d623f7 A |
3693 | goto out; |
| 3694 | } | |
| 0a7de745 | 3695 | if (cp->gss_svc_ctx_id) { |
| 39037602 | 3696 | gss_krb5_destroy_context(cp->gss_svc_ctx_id); |
| 0a7de745 | 3697 | } |
| 39037602 A |
3698 | cp->gss_svc_ctx_id = gss_krb5_make_context(lucid_ctx_buffer, lucidlen); |
| 3699 | if (cp->gss_svc_ctx_id == NULL) { | |
| 3700 | printf("Failed to make context from lucid_ctx_buffer\n"); | |
| b0d623f7 | 3701 | goto out; |
| 39037602 | 3702 | } |
| 2d21ac55 A |
3703 | } |
| 3704 | ||
| b0d623f7 | 3705 | /* Free context token used as input */ |
| 0a7de745 | 3706 | if (cp->gss_svc_token) { |
| b0d623f7 | 3707 | FREE(cp->gss_svc_token, M_TEMP); |
| 0a7de745 | 3708 | } |
| b0d623f7 A |
3709 | cp->gss_svc_token = NULL; |
| 3710 | cp->gss_svc_tokenlen = 0; | |
| 0a7de745 | 3711 | |
| b0d623f7 A |
3712 | if (otokenlen > 0) { |
| 3713 | /* Set context token to gss output token */ | |
| 3714 | MALLOC(cp->gss_svc_token, u_char *, otokenlen, M_TEMP, M_WAITOK); | |
| 3715 | if (cp->gss_svc_token == NULL) { | |
| 3716 | printf("nfs_gss_svc_gssd_upcall: could not allocate %d bytes\n", otokenlen); | |
| 3717 | vm_map_copy_discard((vm_map_copy_t) otoken); | |
| 0a7de745 | 3718 | return ENOMEM; |
| b0d623f7 A |
3719 | } |
| 3720 | error = nfs_gss_mach_vmcopyout((vm_map_copy_t) otoken, otokenlen, cp->gss_svc_token); | |
| 3721 | if (error) { | |
| 3722 | FREE(cp->gss_svc_token, M_TEMP); | |
| 3723 | cp->gss_svc_token = NULL; | |
| 0a7de745 | 3724 | return NFSERR_EAUTH; |
| b0d623f7 A |
3725 | } |
| 3726 | cp->gss_svc_tokenlen = otokenlen; | |
| 2d21ac55 A |
3727 | } |
| 3728 | ||
| 0a7de745 | 3729 | return 0; |
| b0d623f7 A |
3730 | |
| 3731 | out: | |
| 3732 | FREE(cp->gss_svc_token, M_TEMP); | |
| 3733 | cp->gss_svc_tokenlen = 0; | |
| 3734 | cp->gss_svc_token = NULL; | |
| 3735 | ||
| 0a7de745 | 3736 | return NFSERR_EAUTH; |
| 2d21ac55 A |
3737 | } |
| 3738 | ||
| 3739 | /* | |
| 3740 | * Validate the sequence number in the credential as described | |
| 3741 | * in RFC 2203 Section 5.3.3.1 | |
| 3742 | * | |
| 3743 | * Here the window of valid sequence numbers is represented by | |
| 3744 | * a bitmap. As each sequence number is received, its bit is | |
| 3745 | * set in the bitmap. An invalid sequence number lies below | |
| 3746 | * the lower bound of the window, or is within the window but | |
| 3747 | * has its bit already set. | |
| 3748 | */ | |
| 3749 | static int | |
| 3750 | nfs_gss_svc_seqnum_valid(struct nfs_gss_svc_ctx *cp, uint32_t seq) | |
| 3751 | { | |
| 3752 | uint32_t *bits = cp->gss_svc_seqbits; | |
| 3753 | uint32_t win = cp->gss_svc_seqwin; | |
| 3754 | uint32_t i; | |
| 3755 | ||
| 3756 | lck_mtx_lock(cp->gss_svc_mtx); | |
| 3757 | ||
| 3758 | /* | |
| 3759 | * If greater than the window upper bound, | |
| 3760 | * move the window up, and set the bit. | |
| 3761 | */ | |
| 3762 | if (seq > cp->gss_svc_seqmax) { | |
| 0a7de745 | 3763 | if (seq - cp->gss_svc_seqmax > win) { |
| 2d21ac55 | 3764 | bzero(bits, nfsm_rndup((win + 7) / 8)); |
| 0a7de745 A |
3765 | } else { |
| 3766 | for (i = cp->gss_svc_seqmax + 1; i < seq; i++) { | |
| 2d21ac55 | 3767 | win_resetbit(bits, i % win); |
| 0a7de745 A |
3768 | } |
| 3769 | } | |
| 2d21ac55 A |
3770 | win_setbit(bits, seq % win); |
| 3771 | cp->gss_svc_seqmax = seq; | |
| 3772 | lck_mtx_unlock(cp->gss_svc_mtx); | |
| 0a7de745 | 3773 | return 1; |
| 2d21ac55 A |
3774 | } |
| 3775 | ||
| 3776 | /* | |
| 3777 | * Invalid if below the lower bound of the window | |
| 3778 | */ | |
| 3779 | if (seq <= cp->gss_svc_seqmax - win) { | |
| 3780 | lck_mtx_unlock(cp->gss_svc_mtx); | |
| 0a7de745 | 3781 | return 0; |
| 2d21ac55 A |
3782 | } |
| 3783 | ||
| 3784 | /* | |
| 3785 | * In the window, invalid if the bit is already set | |
| 3786 | */ | |
| 3787 | if (win_getbit(bits, seq % win)) { | |
| 3788 | lck_mtx_unlock(cp->gss_svc_mtx); | |
| 0a7de745 | 3789 | return 0; |
| 2d21ac55 A |
3790 | } |
| 3791 | win_setbit(bits, seq % win); | |
| 3792 | lck_mtx_unlock(cp->gss_svc_mtx); | |
| 0a7de745 | 3793 | return 1; |
| 2d21ac55 A |
3794 | } |
| 3795 | ||
| 6d2010ae A |
3796 | /* |
| 3797 | * Drop a reference to a context | |
| 3798 | * | |
| 3799 | * Note that it's OK for the context to exist | |
| 3800 | * with a refcount of zero. The refcount isn't | |
| 3801 | * checked until we're about to reap an expired one. | |
| 3802 | */ | |
| 3803 | void | |
| 3804 | nfs_gss_svc_ctx_deref(struct nfs_gss_svc_ctx *cp) | |
| 3805 | { | |
| 0a7de745 A |
3806 | lck_mtx_lock(cp->gss_svc_mtx); |
| 3807 | if (cp->gss_svc_refcnt > 0) { | |
| 6d2010ae | 3808 | cp->gss_svc_refcnt--; |
| 0a7de745 | 3809 | } else { |
| 6d2010ae | 3810 | printf("nfs_gss_ctx_deref: zero refcount\n"); |
| 0a7de745 A |
3811 | } |
| 3812 | lck_mtx_unlock(cp->gss_svc_mtx); | |
| 6d2010ae A |
3813 | } |
| 3814 | ||
| 2d21ac55 A |
3815 | /* |
| 3816 | * Called at NFS server shutdown - destroy all contexts | |
| 3817 | */ | |
| 3818 | void | |
| 3819 | nfs_gss_svc_cleanup(void) | |
| 3820 | { | |
| 3821 | struct nfs_gss_svc_ctx_hashhead *head; | |
| 3822 | struct nfs_gss_svc_ctx *cp, *ncp; | |
| 3823 | int i; | |
| 0a7de745 | 3824 | |
| 2d21ac55 A |
3825 | lck_mtx_lock(nfs_gss_svc_ctx_mutex); |
| 3826 | ||
| 3827 | /* | |
| 3828 | * Run through all the buckets | |
| 3829 | */ | |
| 3830 | for (i = 0; i < SVC_CTX_HASHSZ; i++) { | |
| 3831 | /* | |
| 3832 | * Remove and free all entries in the bucket | |
| 3833 | */ | |
| 3834 | head = &nfs_gss_svc_ctx_hashtbl[i]; | |
| 3835 | LIST_FOREACH_SAFE(cp, head, gss_svc_entries, ncp) { | |
| 3836 | LIST_REMOVE(cp, gss_svc_entries); | |
| 0a7de745 | 3837 | if (cp->gss_svc_seqbits) { |
| 2d21ac55 | 3838 | FREE(cp->gss_svc_seqbits, M_TEMP); |
| 0a7de745 | 3839 | } |
| 2d21ac55 A |
3840 | lck_mtx_destroy(cp->gss_svc_mtx, nfs_gss_svc_grp); |
| 3841 | FREE(cp, M_TEMP); | |
| 3842 | } | |
| 3843 | } | |
| 3844 | ||
| 3845 | lck_mtx_unlock(nfs_gss_svc_ctx_mutex); | |
| 3846 | } | |
| 3847 | ||
| ea3f0419 | 3848 | #endif /* CONFIG_NFS_SERVER */ |
| 2d21ac55 A |
3849 | |
| 3850 | ||
| 3851 | /************* | |
| 3852 | * The following functions are used by both client and server. | |
| 3853 | */ | |
| 3854 | ||
| 3855 | /* | |
| 316670eb A |
3856 | * Release a host special port that was obtained by host_get_special_port |
| 3857 | * or one of its macros (host_get_gssd_port in this case). | |
| 0a7de745 | 3858 | * This really should be in a public kpi. |
| 2d21ac55 A |
3859 | */ |
| 3860 | ||
| 3861 | /* This should be in a public header if this routine is not */ | |
| 3862 | extern void ipc_port_release_send(ipc_port_t); | |
| 3863 | extern ipc_port_t ipc_port_copy_send(ipc_port_t); | |
| 3864 | ||
| 3865 | static void | |
| 316670eb | 3866 | host_release_special_port(mach_port_t mp) |
| 2d21ac55 | 3867 | { |
| 0a7de745 | 3868 | if (IPC_PORT_VALID(mp)) { |
| 6d2010ae | 3869 | ipc_port_release_send(mp); |
| 0a7de745 | 3870 | } |
| 2d21ac55 A |
3871 | } |
| 3872 | ||
| 3873 | static mach_port_t | |
| 316670eb | 3874 | host_copy_special_port(mach_port_t mp) |
| 2d21ac55 | 3875 | { |
| 0a7de745 | 3876 | return ipc_port_copy_send(mp); |
| 2d21ac55 A |
3877 | } |
| 3878 | ||
| 3879 | /* | |
| 3880 | * The token that is sent and received in the gssd upcall | |
| 3881 | * has unbounded variable length. Mach RPC does not pass | |
| 3882 | * the token in-line. Instead it uses page mapping to handle | |
| 3883 | * these parameters. This function allocates a VM buffer | |
| 3884 | * to hold the token for an upcall and copies the token | |
| 3885 | * (received from the client) into it. The VM buffer is | |
| 3886 | * marked with a src_destroy flag so that the upcall will | |
| 3887 | * automatically de-allocate the buffer when the upcall is | |
| 3888 | * complete. | |
| 3889 | */ | |
| 3890 | static void | |
| 3891 | nfs_gss_mach_alloc_buffer(u_char *buf, uint32_t buflen, vm_map_copy_t *addr) | |
| 3892 | { | |
| 3893 | kern_return_t kr; | |
| 3894 | vm_offset_t kmem_buf; | |
| 3895 | vm_size_t tbuflen; | |
| 3896 | ||
| 3897 | *addr = NULL; | |
| 0a7de745 | 3898 | if (buf == NULL || buflen == 0) { |
| 2d21ac55 | 3899 | return; |
| 0a7de745 | 3900 | } |
| 2d21ac55 | 3901 | |
| 39236c6e | 3902 | tbuflen = vm_map_round_page(buflen, |
| 0a7de745 | 3903 | vm_map_page_mask(ipc_kernel_map)); |
| cb323159 A |
3904 | |
| 3905 | if (tbuflen < buflen) { | |
| 3906 | printf("nfs_gss_mach_alloc_buffer: vm_map_round_page failed\n"); | |
| 3907 | return; | |
| 3908 | } | |
| 3909 | ||
| 5ba3f43e | 3910 | kr = vm_allocate_kernel(ipc_kernel_map, &kmem_buf, tbuflen, VM_FLAGS_ANYWHERE, VM_KERN_MEMORY_FILE); |
| 2d21ac55 A |
3911 | if (kr != 0) { |
| 3912 | printf("nfs_gss_mach_alloc_buffer: vm_allocate failed\n"); | |
| 3913 | return; | |
| 3914 | } | |
| 3915 | ||
| 5ba3f43e | 3916 | kr = vm_map_wire_kernel(ipc_kernel_map, |
| 0a7de745 A |
3917 | vm_map_trunc_page(kmem_buf, |
| 3918 | vm_map_page_mask(ipc_kernel_map)), | |
| 3919 | vm_map_round_page(kmem_buf + tbuflen, | |
| 3920 | vm_map_page_mask(ipc_kernel_map)), | |
| 3921 | VM_PROT_READ | VM_PROT_WRITE, VM_KERN_MEMORY_FILE, FALSE); | |
| b0d623f7 A |
3922 | if (kr != 0) { |
| 3923 | printf("nfs_gss_mach_alloc_buffer: vm_map_wire failed\n"); | |
| 3924 | return; | |
| 3925 | } | |
| 0a7de745 | 3926 | |
| 2d21ac55 | 3927 | bcopy(buf, (void *) kmem_buf, buflen); |
| b0d623f7 A |
3928 | // Shouldn't need to bzero below since vm_allocate returns zeroed pages |
| 3929 | // bzero(kmem_buf + buflen, tbuflen - buflen); | |
| 0a7de745 | 3930 | |
| 39236c6e | 3931 | kr = vm_map_unwire(ipc_kernel_map, |
| 0a7de745 A |
3932 | vm_map_trunc_page(kmem_buf, |
| 3933 | vm_map_page_mask(ipc_kernel_map)), | |
| 3934 | vm_map_round_page(kmem_buf + tbuflen, | |
| 3935 | vm_map_page_mask(ipc_kernel_map)), | |
| 3936 | FALSE); | |
| 2d21ac55 A |
3937 | if (kr != 0) { |
| 3938 | printf("nfs_gss_mach_alloc_buffer: vm_map_unwire failed\n"); | |
| 3939 | return; | |
| 3940 | } | |
| 3941 | ||
| 3942 | kr = vm_map_copyin(ipc_kernel_map, (vm_map_address_t) kmem_buf, | |
| 0a7de745 | 3943 | (vm_map_size_t) buflen, TRUE, addr); |
| 2d21ac55 A |
3944 | if (kr != 0) { |
| 3945 | printf("nfs_gss_mach_alloc_buffer: vm_map_copyin failed\n"); | |
| 3946 | return; | |
| 3947 | } | |
| 2d21ac55 A |
3948 | } |
| 3949 | ||
| 3950 | /* | |
| 3951 | * Here we handle a token received from the gssd via an upcall. | |
| 3952 | * The received token resides in an allocate VM buffer. | |
| 3953 | * We copy the token out of this buffer to a chunk of malloc'ed | |
| 3954 | * memory of the right size, then de-allocate the VM buffer. | |
| 3955 | */ | |
| 3956 | static int | |
| 3957 | nfs_gss_mach_vmcopyout(vm_map_copy_t in, uint32_t len, u_char *out) | |
| 3958 | { | |
| 3959 | vm_map_offset_t map_data; | |
| 3960 | vm_offset_t data; | |
| 3961 | int error; | |
| 3962 | ||
| 3963 | error = vm_map_copyout(ipc_kernel_map, &map_data, in); | |
| 0a7de745 A |
3964 | if (error) { |
| 3965 | return error; | |
| 3966 | } | |
| 2d21ac55 A |
3967 | |
| 3968 | data = CAST_DOWN(vm_offset_t, map_data); | |
| 3969 | bcopy((void *) data, out, len); | |
| 3970 | vm_deallocate(ipc_kernel_map, data, len); | |
| 3971 | ||
| 0a7de745 | 3972 | return 0; |
| 2d21ac55 A |
3973 | } |
| 3974 | ||
| 2d21ac55 A |
3975 | /* |
| 3976 | * Return the number of bytes in an mbuf chain. | |
| 3977 | */ | |
| 3978 | static int | |
| 3979 | nfs_gss_mchain_length(mbuf_t mhead) | |
| 3980 | { | |
| 3981 | mbuf_t mb; | |
| 3982 | int len = 0; | |
| 3983 | ||
| 0a7de745 | 3984 | for (mb = mhead; mb; mb = mbuf_next(mb)) { |
| 2d21ac55 | 3985 | len += mbuf_len(mb); |
| 0a7de745 | 3986 | } |
| 2d21ac55 | 3987 | |
| 0a7de745 | 3988 | return len; |
| 2d21ac55 A |
3989 | } |
| 3990 | ||
| 3991 | /* | |
| 3992 | * Append an args or results mbuf chain to the header chain | |
| 3993 | */ | |
| 3994 | static int | |
| 3995 | nfs_gss_append_chain(struct nfsm_chain *nmc, mbuf_t mc) | |
| 3996 | { | |
| 3997 | int error = 0; | |
| 3998 | mbuf_t mb, tail; | |
| 3999 | ||
| 4000 | /* Connect the mbuf chains */ | |
| 4001 | error = mbuf_setnext(nmc->nmc_mcur, mc); | |
| 0a7de745 A |
4002 | if (error) { |
| 4003 | return error; | |
| 4004 | } | |
| 2d21ac55 A |
4005 | |
| 4006 | /* Find the last mbuf in the chain */ | |
| 4007 | tail = NULL; | |
| 0a7de745 | 4008 | for (mb = mc; mb; mb = mbuf_next(mb)) { |
| 2d21ac55 | 4009 | tail = mb; |
| 0a7de745 | 4010 | } |
| 2d21ac55 A |
4011 | |
| 4012 | nmc->nmc_mcur = tail; | |
| 4013 | nmc->nmc_ptr = (caddr_t) mbuf_data(tail) + mbuf_len(tail); | |
| 4014 | nmc->nmc_left = mbuf_trailingspace(tail); | |
| 4015 | ||
| 0a7de745 | 4016 | return 0; |
| 2d21ac55 A |
4017 | } |
| 4018 | ||
| ea3f0419 | 4019 | #if CONFIG_NFS_SERVER /* Only used by CONFIG_NFS_SERVER */ |
| 2d21ac55 A |
4020 | /* |
| 4021 | * Convert an mbuf chain to an NFS mbuf chain | |
| 4022 | */ | |
| 4023 | static void | |
| 4024 | nfs_gss_nfsm_chain(struct nfsm_chain *nmc, mbuf_t mc) | |
| 4025 | { | |
| 4026 | mbuf_t mb, tail; | |
| 4027 | ||
| 4028 | /* Find the last mbuf in the chain */ | |
| 4029 | tail = NULL; | |
| 0a7de745 | 4030 | for (mb = mc; mb; mb = mbuf_next(mb)) { |
| 2d21ac55 | 4031 | tail = mb; |
| 0a7de745 | 4032 | } |
| 2d21ac55 A |
4033 | |
| 4034 | nmc->nmc_mhead = mc; | |
| 4035 | nmc->nmc_mcur = tail; | |
| 4036 | nmc->nmc_ptr = (caddr_t) mbuf_data(tail) + mbuf_len(tail); | |
| 4037 | nmc->nmc_left = mbuf_trailingspace(tail); | |
| 4038 | nmc->nmc_flags = 0; | |
| 4039 | } | |
| ea3f0419 | 4040 | #endif /* CONFIG_NFS_SERVER */ |
| 2d21ac55 | 4041 | |
| b0d623f7 A |
4042 | |
| 4043 | #if 0 | |
| 4044 | #define DISPLAYLEN 16 | |
| 4045 | #define MAXDISPLAYLEN 256 | |
| 4046 | ||
| 4047 | static void | |
| 4048 | hexdump(const char *msg, void *data, size_t len) | |
| 4049 | { | |
| 4050 | size_t i, j; | |
| 4051 | u_char *d = data; | |
| 0a7de745 A |
4052 | char *p, disbuf[3 * DISPLAYLEN + 1]; |
| 4053 | ||
| b0d623f7 | 4054 | printf("NFS DEBUG %s len=%d:\n", msg, (uint32_t)len); |
| 0a7de745 | 4055 | if (len > MAXDISPLAYLEN) { |
| b0d623f7 | 4056 | len = MAXDISPLAYLEN; |
| 0a7de745 | 4057 | } |
| b0d623f7 A |
4058 | |
| 4059 | for (i = 0; i < len; i += DISPLAYLEN) { | |
| 0a7de745 | 4060 | for (p = disbuf, j = 0; (j + i) < len && j < DISPLAYLEN; j++, p += 3) { |
| b0d623f7 | 4061 | snprintf(p, 4, "%02x ", d[i + j]); |
| 0a7de745 | 4062 | } |
| b0d623f7 | 4063 | printf("\t%s\n", disbuf); |
| 2d21ac55 | 4064 | } |
| 2d21ac55 | 4065 | } |
| b0d623f7 | 4066 | #endif |
| ea3f0419 A |
4067 | |
| 4068 | #endif /* CONFIG_NFS */ |