141 	enum svc_rpc_gss_client_state cl_state;	/* client state */
145 	gss_name_t		cl_cname;	/* client name */
408 	struct svc_rpc_gss_client *client;
414 	client = cc->cc_client;
416 		*rcred = &client->cl_rawcred;
418 		*ucred = &client->cl_ucred;
420 		*cookie = client->cl_cookie;
433 	struct svc_rpc_gss_client *client;
440 	client = cc->cc_client;
443 		*flavorp = client->cl_rpcflavor;
445 	if (client->cl_cred) {
446 		*crp = crhold(client->cl_cred);
450 	uc = &client->cl_ucred;
451 	cr = client->cl_cred = crget();
466 	struct svc_rpc_gss_client *client = cc->cc_client;
472 	switch (client->cl_rawcred.service) {
490 	maj_stat = gss_wrap_size_limit(&min_stat, client->cl_ctx, want_conf,
491 	    client->cl_qop, max_tp_unit_len, &max);
499 		rpc_gss_log_status("gss_wrap_size_limit", client->cl_mech,
508 	struct svc_rpc_gss_client *client;
520 	TAILQ_FOREACH(client, list, cl_link) {
521 		if (client->cl_id.ci_id == id->ci_id) {
523 			 * Move this client to the front of the LRU
526 			TAILQ_REMOVE(&svc_rpc_gss_clients, client, cl_alllink);
527 			TAILQ_INSERT_HEAD(&svc_rpc_gss_clients, client,
529 			refcount_acquire(&client->cl_refs);
535 	return (client);
541 	struct svc_rpc_gss_client *client;
547 	client = mem_alloc(sizeof(struct svc_rpc_gss_client));
548 	memset(client, 0, sizeof(struct svc_rpc_gss_client));
549 	refcount_init(&client->cl_refs, 1);
550 	sx_init(&client->cl_lock, "GSS-client");
552 	client->cl_id.ci_hostid = hostid;
553 	client->cl_id.ci_boottime = boottime.tv_sec;
554 	client->cl_id.ci_id = svc_rpc_gss_next_clientid++;
555 	list = &svc_rpc_gss_client_hash[client->cl_id.ci_id % CLIENT_HASH_SIZE];
557 	TAILQ_INSERT_HEAD(list, client, cl_link);
558 	TAILQ_INSERT_HEAD(&svc_rpc_gss_clients, client, cl_alllink);
563 	 * Start the client off with a short expiration time. We will
564 	 * try to get a saner value from the client creds later.
566 	client->cl_state = CLIENT_NEW;
567 	client->cl_locked = FALSE;
568 	client->cl_expiration = time_uptime + 5*60;
570 	return (client);
574 svc_rpc_gss_destroy_client(struct svc_rpc_gss_client *client)
580 	if (client->cl_ctx)
582 		    &client->cl_ctx, GSS_C_NO_BUFFER);
584 	if (client->cl_cname)
585 		gss_release_name(&min_stat, &client->cl_cname);
587 	if (client->cl_rawcred.client_principal)
588 		mem_free(client->cl_rawcred.client_principal,
589 		    sizeof(*client->cl_rawcred.client_principal)
590 		    + client->cl_rawcred.client_principal->len);
592 	if (client->cl_cred)
593 		crfree(client->cl_cred);
595 	sx_destroy(&client->cl_lock);
596 	mem_free(client, sizeof(*client));
600  * Drop a reference to a client and free it if that was the last reference.
603 svc_rpc_gss_release_client(struct svc_rpc_gss_client *client)
606 	if (!refcount_release(&client->cl_refs))
608 	svc_rpc_gss_destroy_client(client);
612  * Remove a client from our global lists.
616 svc_rpc_gss_forget_client_locked(struct svc_rpc_gss_client *client)
621 	list = &svc_rpc_gss_client_hash[client->cl_id.ci_id % CLIENT_HASH_SIZE];
622 	TAILQ_REMOVE(list, client, cl_link);
623 	TAILQ_REMOVE(&svc_rpc_gss_clients, client, cl_alllink);
628  * Remove a client from our global lists and free it if we can.
631 svc_rpc_gss_forget_client(struct svc_rpc_gss_client *client)
636 	list = &svc_rpc_gss_client_hash[client->cl_id.ci_id % CLIENT_HASH_SIZE];
640 		 * Make sure this client has not already been removed
644 		if (client == tclient) {
645 			svc_rpc_gss_forget_client_locked(client);
647 			svc_rpc_gss_release_client(client);
657 	struct svc_rpc_gss_client *client;
663 	 * First enforce the max client limit. We keep
667 	client = TAILQ_LAST(&svc_rpc_gss_clients, svc_rpc_gss_client_list);
668 	while (svc_rpc_gss_client_count > CLIENT_MAX && client != NULL) {
669 		svc_rpc_gss_forget_client_locked(client);
671 		svc_rpc_gss_release_client(client);
673 		client = TAILQ_LAST(&svc_rpc_gss_clients,
677 	TAILQ_FOREACH(client, &svc_rpc_gss_clients, cl_alllink) {
678 		if (client->cl_state == CLIENT_STALE
679 		    || now > client->cl_expiration) {
680 			svc_rpc_gss_forget_client_locked(client);
682 			rpc_gss_log_debug("expiring client %p", client);
683 			svc_rpc_gss_release_client(client);
768 svc_rpc_gss_build_ucred(struct svc_rpc_gss_client *client,
772 	rpc_gss_ucred_t		*uc = &client->cl_ucred;
777 	uc->gidlist = client->cl_gid_storage;
780 	maj_stat = gss_pname_to_unix_cred(&min_stat, name, client->cl_mech,
789 svc_rpc_gss_set_flavor(struct svc_rpc_gss_client *client)
798 	if (kgss_oid_equal(client->cl_mech, &krb5_mech_oid)) {
799 		switch (client->cl_rawcred.service) {
802 			client->cl_rpcflavor = RPCSEC_GSS_KRB5;
805 			client->cl_rpcflavor = RPCSEC_GSS_KRB5I;
808 			client->cl_rpcflavor = RPCSEC_GSS_KRB5P;
812 		client->cl_rpcflavor = RPCSEC_GSS;
817 svc_rpc_gss_accept_sec_context(struct svc_rpc_gss_client *client,
836 		client->cl_state = CLIENT_STALE;
845 	if (!client->cl_sname) {
852 					&client->cl_ctx,
856 					&client->cl_cname,
861 					&client->cl_creds);
872 				client->cl_sname = sname;
885 			&client->cl_ctx,
886 			client->cl_sname->sn_cred,
889 			&client->cl_cname,
902 	 * reply anyway so that the client gets a chance to see what
907 		rpc_gss_log_status("accept_sec_context", client->cl_mech,
909 		client->cl_state = CLIENT_STALE;
913 	gr->gr_handle.value = &client->cl_id;
914 	gr->gr_handle.length = sizeof(client->cl_id);
917 	/* Save client info. */
918 	client->cl_mech = mech;
919 	client->cl_qop = GSS_C_QOP_DEFAULT;
920 	client->cl_done_callback = FALSE;
926 		 * Change client expiration time to be near when the
927 		 * client creds expire (or 24 hours if we can't figure
933 		client->cl_expiration = time_uptime + cred_lifetime;
938 		client->cl_rawcred.version = RPCSEC_GSS_VERSION;
939 		rpc_gss_oid_to_mech(mech, &client->cl_rawcred.mechanism);
940 		maj_stat = gss_export_name(&min_stat, client->cl_cname,
943 			rpc_gss_log_status("gss_export_name", client->cl_mech,
947 		client->cl_rawcred.client_principal =
948 			mem_alloc(sizeof(*client->cl_rawcred.client_principal)
950 		client->cl_rawcred.client_principal->len = export_name.length;
951 		memcpy(client->cl_rawcred.client_principal->name,
954 		client->cl_rawcred.svc_principal =
955 			client->cl_sname->sn_principal;
956 		client->cl_rawcred.service = gc->gc_svc;
962 		svc_rpc_gss_build_ucred(client, client->cl_cname);
963 		svc_rpc_gss_set_flavor(client);
964 		gss_release_name(&min_stat, &client->cl_cname);
974 			    client->cl_rawcred.client_principal->name,
976 			    client->cl_qop, client->cl_rawcred.service);
986 svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg,
1021 	maj_stat = gss_verify_mic(&min_stat, client->cl_ctx, &rpcbuf, &checksum,
1025 		rpc_gss_log_status("gss_verify_mic", client->cl_mech,
1028 		 * A bug in some versions of the Linux client generates a
1036 			client->cl_state = CLIENT_STALE;
1045 svc_rpc_gss_nextverf(struct svc_rpc_gss_client *client,
1059 	maj_stat = gss_get_mic(&min_stat, client->cl_ctx, client->cl_qop,
1063 		rpc_gss_log_status("gss_get_mic", client->cl_mech, maj_stat, min_stat);
1064 		client->cl_state = CLIENT_STALE;
1081 svc_rpc_gss_callback(struct svc_rpc_gss_client *client, struct svc_req *rqst)
1101 			lock.raw_cred = &client->cl_rawcred;
1103 			    client->cl_creds,
1104 			    client->cl_ctx,
1109 				client->cl_state = CLIENT_STALE;
1116 			 * is responsible for freeing client->cl_creds
1119 			client->cl_creds = GSS_C_NO_CREDENTIAL;
1120 			client->cl_locked = lock.locked;
1121 			client->cl_cookie = cookie;
1129 	 * clean up the delegated client creds, if any.
1131 	if (client->cl_creds) {
1133 		gss_release_cred(&min_ver, &client->cl_creds);
1139 svc_rpc_gss_check_replay(struct svc_rpc_gss_client *client, uint32_t seq)
1145 	sx_xlock(&client->cl_lock);
1146 	if (seq <= client->cl_seqlast) {
1154 		offset = client->cl_seqlast - seq;
1161 		if (client->cl_seqmask[word] & (1 << bit)) {
1169 	sx_xunlock(&client->cl_lock);
1174 svc_rpc_gss_update_seq(struct svc_rpc_gss_client *client, uint32_t seq)
1179 	sx_xlock(&client->cl_lock);
1180 	if (seq > client->cl_seqlast) {
1188 		offset = seq - client->cl_seqlast;
1192 				client->cl_seqmask[i] = client->cl_seqmask[i-1];
1194 			client->cl_seqmask[0] = 0;
1199 			newcarry = client->cl_seqmask[i] >> (32 - offset);
1200 			client->cl_seqmask[i] =
1201 				(client->cl_seqmask[i] << offset) | carry;
1204 		client->cl_seqmask[0] |= 1;
1205 		client->cl_seqlast = seq;
1207 		offset = client->cl_seqlast - seq;
1210 		client->cl_seqmask[word] |= (1 << bit);
1212 	sx_xunlock(&client->cl_lock);
1222 	struct svc_rpc_gss_client *client;
1237 	/* Deserialize client credentials. */
1252 	client = NULL;
1260 	/* Check the proc and find the client (or create it) */
1266 		client = svc_rpc_gss_create_client();
1267 		refcount_acquire(&client->cl_refs);
1275 		client = svc_rpc_gss_find_client(p);
1276 		if (!client) {
1278 			 * Can't find the client - we may have
1287 	cc->cc_client = client;
1327 		if (!svc_rpc_gss_accept_sec_context(client, rqst, &gr, &gc)) {
1338 			if (!svc_rpc_gss_nextverf(client, rqst, gr.gr_win)) {
1358 			client->cl_state = CLIENT_ESTABLISHED;
1365 		if (!svc_rpc_gss_check_replay(client, gc.gc_seq)) {
1370 		if (!svc_rpc_gss_validate(client, msg, &qop, gc.gc_proc)) {
1380 		if (!svc_rpc_gss_nextverf(client, rqst, gc.gc_seq)) {
1385 		svc_rpc_gss_update_seq(client, gc.gc_seq);
1392 		 * methods. Acquire an extra reference to the client
1396 		refcount_acquire(&client->cl_refs);
1405 			sx_xlock(&client->cl_lock);
1406 			if (!client->cl_done_callback) {
1407 				client->cl_done_callback = TRUE;
1408 				client->cl_qop = qop;
1409 				client->cl_rawcred.qop = _rpc_gss_num_to_qop(
1410 					client->cl_rawcred.mechanism, qop);
1411 				if (!svc_rpc_gss_callback(client, rqst)) {
1413 					sx_xunlock(&client->cl_lock);
1417 			sx_xunlock(&client->cl_lock);
1420 			 * If the server has locked this client to a
1424 			if (client->cl_locked) {
1425 				if (client->cl_rawcred.service != gc.gc_svc) {
1428 				} else if (client->cl_qop != qop) {
1438 			if (client->cl_qop != qop) {
1439 				client->cl_qop = qop;
1440 				client->cl_rawcred.qop = _rpc_gss_num_to_qop(
1441 					client->cl_rawcred.mechanism, qop);
1448 			if (client->cl_rawcred.service != gc.gc_svc) {
1449 				client->cl_rawcred.service = gc.gc_svc;
1450 				svc_rpc_gss_set_flavor(client);
1468 			svc_rpc_gss_forget_client(client);
1480 	if (client)
1481 		svc_rpc_gss_release_client(client);
1491 	struct svc_rpc_gss_client *client;
1496 	client = cc->cc_client;
1497 	if (client->cl_state != CLIENT_ESTABLISHED
1503 		client->cl_ctx, client->cl_qop,
1511 	struct svc_rpc_gss_client *client;
1516 	client = cc->cc_client;
1517 	if (client->cl_state != CLIENT_ESTABLISHED
1523 		client->cl_ctx, client->cl_qop,
1531 	struct svc_rpc_gss_client *client;
1536 	client = cc->cc_client;
1537 	svc_rpc_gss_release_client(client);

Indexes created Fri Jun 21 18:57:21 MDT 2024