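/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * A module for Kerberos V5 security mechanism.
 *
 * Kernel-side glue for the Kerberos V5 GSS-API mechanism: a gss_config
 * record whose entry points forward to the krb5_gss_* implementation, plus
 * the module load/unload hooks that register that record with the kernel
 * mechglue.
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

/*
 * Kernel modules that must be loaded before this one: the kernel GSS-API
 * framework (misc/kgssapi) and the MD5 provider.
 * NOTE(review): crypto/md5 is presumably required by the legacy RFC 1964
 * (DES/MD5) token checksums in the mechanism code -- confirm before treating
 * the dependency as droppable.
 */
char _depends_on[] = "misc/kgssapi crypto/md5";

#include <sys/types.h>
#include <sys/modctl.h>
#include <sys/errno.h>
#include <mechglueP.h>
#include <gssapiP_krb5.h>
#include <gssapi_err_generic.h>
#include <gssapi/kgssapi_defs.h>
#include <sys/debug.h>
#include <k5-int.h>

/*
 * mechglue wrappers.
 *
 * Each wrapper has the signature the kernel mechglue expects for the
 * corresponding gss_config entry point and simply forwards to the matching
 * krb5_gss_* routine.  The leading "ctx" argument is the mechglue's
 * per-mechanism context (the "context" field of the gss_config record,
 * NULL for this mechanism) and is unused here.  The trailing
 * gssd_ctx_verifier is passed through unexamined; any checking of it is
 * done by the callee.
 */

static OM_uint32 k5glue_delete_sec_context(void *ctx,
    OM_uint32 *minor_status,		/* minor_status */
    gss_ctx_id_t *context_handle,	/* context_handle */
    gss_buffer_t output_token,		/* output_token */
    OM_uint32 gssd_ctx_verifier);

static OM_uint32 k5glue_sign(void *ctx,
    OM_uint32 *minor_status,		/* minor_status */
    gss_ctx_id_t context_handle,	/* context_handle */
    int qop_req,			/* qop_req */
    gss_buffer_t message_buffer,	/* message_buffer */
    gss_buffer_t message_token,		/* message_token */
    OM_uint32 gssd_ctx_verifier);

static OM_uint32 k5glue_verify(void *ctx,
    OM_uint32 *minor_status,		/* minor_status */
    gss_ctx_id_t context_handle,	/* context_handle */
    gss_buffer_t message_buffer,	/* message_buffer */
    gss_buffer_t token_buffer,		/* token_buffer */
    int *qop_state,			/* qop_state */
    OM_uint32 gssd_ctx_verifier);

/* EXPORT DELETE START */
static OM_uint32 k5glue_seal(void *ctx,
    OM_uint32 *minor_status,		/* minor_status */
    gss_ctx_id_t context_handle,	/* context_handle */
    int conf_req_flag,			/* conf_req_flag */
    int qop_req,			/* qop_req */
    gss_buffer_t input_message_buffer,	/* input_message_buffer */
    int *conf_state,			/* conf_state */
    gss_buffer_t output_message_buffer,	/* output_message_buffer */
    OM_uint32 gssd_ctx_verifier);

static OM_uint32 k5glue_unseal(void *ctx,
    OM_uint32 *minor_status,		/* minor_status */
    gss_ctx_id_t context_handle,	/* context_handle */
    gss_buffer_t input_message_buffer,	/* input_message_buffer */
    gss_buffer_t output_message_buffer,	/* output_message_buffer */
    int *conf_state,			/* conf_state */
    int *qop_state,			/* qop_state */
    OM_uint32 gssd_ctx_verifier);
/* EXPORT DELETE END */

static OM_uint32 k5glue_import_sec_context(void *ctx,
    OM_uint32 *minor_status,		/* minor_status */
    gss_buffer_t interprocess_token,	/* interprocess_token */
    gss_ctx_id_t *context_handle);	/* context_handle */


/*
 * The gss_config record this module registers with the kernel mechglue.
 *
 * The first member is the DER-encoded mechanism OID 1.2.840.113554.1.2.2
 * (Kerberos V5, RFC 1964); "uses_kmod" = TRUE advertises that the entry
 * provides in-kernel operations.
 *
 * This is a positional initializer, so the order below must match the
 * member order of struct gss_config in mechglueP.h.  The EXPORT DELETE /
 * CRYPT DELETE marker comments, and the "#if 0" region between them, are
 * consumed by the source-stripping tools used for the export-controlled
 * build variants: the text between a START/END pair is removed in the
 * corresponding variant, which decides which of the seal/unseal entries
 * survive and where they land.  Do not "tidy" this initializer by hand;
 * the apparently dead lines are live in a stripped build.
 */
static struct gss_config krb5_mechanism =
	{{9, "\052\206\110\206\367\022\001\002\002"},
	NULL,	/* context */
	NULL,	/* next */
	TRUE,	/* uses_kmod */
/* EXPORT DELETE START */ /* CRYPT DELETE START */
	k5glue_unseal,
/* EXPORT DELETE END */ /* CRYPT DELETE END */
	k5glue_delete_sec_context,
/* EXPORT DELETE START */ /* CRYPT DELETE START */
	k5glue_seal,
/* EXPORT DELETE END */ /* CRYPT DELETE END */
	k5glue_import_sec_context,
/* EXPORT DELETE START */
/* CRYPT DELETE START */
#if 0
/* CRYPT DELETE END */
	k5glue_seal,
	k5glue_unseal,
/* CRYPT DELETE START */
#endif
/* CRYPT DELETE END */
/* EXPORT DELETE END */
	k5glue_sign,
	k5glue_verify,
};

/*
 * Return the mechanism record that _init() publishes.  The record is a
 * static object inside this module, so its address is only valid while
 * the module is loaded.
 */
static gss_mechanism
gss_mech_initialize(void)
{
	return (&krb5_mechanism);
}


/*
 * Module linkage information for the kernel.
 */
extern struct mod_ops mod_miscops;

static struct modlmisc modlmisc = {
	&mod_miscops, "Krb5 GSS mechanism"
};

static struct modlinkage modlinkage = {
	MODREV_1,
	(void *)&modlmisc,
	NULL
};


/*
 * Value returned by _fini().  It starts as EBUSY so that, once _init() has
 * published &krb5_mechanism in the mechglue table, the module refuses to
 * unload: nothing ever removes that table entry, so unloading would leave
 * the mechglue holding a pointer into freed module text.  _init() clears
 * it to 0 only when it registered nothing.
 */
static int krb5_fini_code = EBUSY;

/*
 * Module load hook.
 *
 * Installs the module, then, under __kgss_mech_lock, registers the
 * Kerberos V5 mechanism unless an entry with the same OID is already
 * present.  In the already-present case the module stays loaded but is
 * made unloadable (see krb5_fini_code) and the situation is logged.
 *
 * Returns 0, or the mod_install() error (in which case nothing was
 * registered).
 */
int
_init(void)
{
	int retval;
	gss_mechanism mech, tmp;

	if ((retval = mod_install(&modlinkage)) != 0)
		return (retval);

	mech = gss_mech_initialize();

	mutex_enter(&__kgss_mech_lock);
	tmp = __kgss_get_mechanism(&mech->mech_type);
	if (tmp != NULL) {

		KRB5_LOG0(KRB5_INFO,
		    "KRB5 GSS mechanism: mechanism already in table.\n");

		if (tmp->uses_kmod == TRUE) {
			KRB5_LOG0(KRB5_INFO, "KRB5 GSS mechanism: mechanism "
			    "table supports kernel operations!\n");
		}
		/*
		 * Nothing of ours was published, so unloading is safe:
		 * keep us loaded, but let us be unloadable.  This
		 * will give the developer time to trouble shoot.
		 */
		krb5_fini_code = 0;
	} else {
		__kgss_add_mechanism(mech);
		ASSERT(__kgss_get_mechanism(&mech->mech_type) == mech);
	}
	mutex_exit(&__kgss_mech_lock);

	return (0);
}

/*
 * Module unload hook.
 *
 * Returns krb5_fini_code (EBUSY while our mechanism is registered, which
 * blocks the unload); when that is 0 the result of mod_remove() is
 * returned instead.
 */
int
_fini(void)
{
	int ret = krb5_fini_code;

	if (ret == 0) {
		ret = (mod_remove(&modlinkage));
	}
	return (ret);
}

/*
 * Module information hook: report the linkage described above.
 */
int
_info(struct modinfo *modinfop)
{
	return (mod_info(&modlinkage, modinfop));
}

/*
 * gss_delete_sec_context entry point: forwards to
 * krb5_gss_delete_sec_context().
 */
/* ARGSUSED */
static OM_uint32
k5glue_delete_sec_context(void *ctx, OM_uint32 *minor_status,
    gss_ctx_id_t *context_handle, gss_buffer_t output_token,
    OM_uint32 gssd_ctx_verifier)
{
	return (krb5_gss_delete_sec_context(minor_status,
	    context_handle, output_token,
	    gssd_ctx_verifier));
}

/*
 * gss_import_sec_context entry point (V2 interface): forwards to
 * krb5_gss_import_sec_context().  Note that this is the only wrapper
 * without a gssd_ctx_verifier argument.
 */
/* V2 */
/* ARGSUSED */
static OM_uint32
k5glue_import_sec_context(void *ctx, OM_uint32 *minor_status,
    gss_buffer_t interprocess_token, gss_ctx_id_t *context_handle)
{
	return (krb5_gss_import_sec_context(minor_status,
	    interprocess_token,
	    context_handle));
}

/* EXPORT DELETE START */
/*
 * gss_seal entry point (V1 interface): forwards to krb5_gss_seal().
 */
/* V1 only */
/* ARGSUSED */
static OM_uint32
k5glue_seal(void *ctx, OM_uint32 *minor_status, gss_ctx_id_t context_handle,
    int conf_req_flag, int qop_req, gss_buffer_t input_message_buffer,
    int *conf_state, gss_buffer_t output_message_buffer,
    OM_uint32 gssd_ctx_verifier)
{
	return (krb5_gss_seal(minor_status, context_handle,
	    conf_req_flag, qop_req, input_message_buffer,
	    conf_state, output_message_buffer, gssd_ctx_verifier));
}
/* EXPORT DELETE END */

/*
 * gss_sign entry point: forwards to krb5_gss_sign().
 */
/* ARGSUSED */
static OM_uint32
k5glue_sign(void *ctx, OM_uint32 *minor_status, gss_ctx_id_t context_handle,
    int qop_req, gss_buffer_t message_buffer, gss_buffer_t message_token,
    OM_uint32 gssd_ctx_verifier)
{
	return (krb5_gss_sign(minor_status, context_handle,
	    qop_req, message_buffer, message_token, gssd_ctx_verifier));
}

/* EXPORT DELETE START */
/*
 * gss_unseal entry point: forwards to krb5_gss_unseal().
 */
/* ARGSUSED */
static OM_uint32
k5glue_unseal(void *ctx, OM_uint32 *minor_status, gss_ctx_id_t context_handle,
    gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer,
    int *conf_state, int *qop_state, OM_uint32 gssd_ctx_verifier)
{
	return (krb5_gss_unseal(minor_status, context_handle,
	    input_message_buffer, output_message_buffer,
	    conf_state, qop_state, gssd_ctx_verifier));
}
/* EXPORT DELETE END */

/*
 * gss_verify entry point (V1 interface): forwards to krb5_gss_verify().
 */
/* V1 only */
/* ARGSUSED */
static OM_uint32
k5glue_verify(void *ctx, OM_uint32 *minor_status, gss_ctx_id_t context_handle,
    gss_buffer_t message_buffer, gss_buffer_t token_buffer, int *qop_state,
    OM_uint32 gssd_ctx_verifier)
{
	return (krb5_gss_verify(minor_status,
	    context_handle,
	    message_buffer,
	    token_buffer,
	    qop_state, gssd_ctx_verifier));
}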