4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
28 * This contains miscellaneous functions moved from commands to the library.
37 #include <gssapi/gssapi.h>
39 #include <rpcsvc/nis.h>
40 #include <rpcsvc/nis_dhext.h>
42 #include <rpc/auth_sys.h>
43 #include <rpc/auth_des.h>
44 #include <rpc/key_prot.h>
46 #include <netconfig.h>
47 #include <sys/socket.h>
48 #include <netinet/in.h>
51 #include <gssapi/gssapi.h>
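/* Lower-case hex digit for each nibble value 0..15. */
static const char hex[16] = {
	'0', '1', '2', '3', '4', '5', '6', '7',
	'8', '9', 'a', 'b', 'c', 'd', 'e', 'f',
};

/*
 * bin2hex(len, binnum, hexnum)
 *
 * Render the first len bytes of binnum as lower-case hex into hexnum,
 * two characters per input byte, and NUL-terminate the result.  hexnum
 * must have room for len * 2 + 1 bytes, which is exactly what the caller
 * in __nis_dhext_extract_pkey allocates (binlen * 2 + 1).  A len <= 0
 * produces the empty string rather than indexing with a negative value.
 *
 * Returns hexnum; the existing caller discards the value.
 */
static char *
bin2hex(int len, unsigned char *binnum, char *hexnum)
{
	int i;

	if (len < 0)
		len = 0;

	for (i = 0; i < len; i++) {
		unsigned char val = binnum[i];

		hexnum[i * 2] = hex[val >> 4];
		hexnum[i * 2 + 1] = hex[val & 0xf];
	}
	hexnum[len * 2] = '\0';

	return (hexnum);
}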
74 #define MECH_LIB_PREFIX1 "/usr/lib/"
78 #define MECH_LIB_PREFIX2 "64/"
82 #define MECH_LIB_PREFIX2 ""
86 #define MECH_LIB_DIR "gss/"
88 #define MECH_LIB_PREFIX MECH_LIB_PREFIX1 MECH_LIB_PREFIX2
90 #define MECHDH MECH_LIB_PREFIX MECH_LIB_DIR "mech_dh.so.1"
91 #define LIBGSS MECH_LIB_PREFIX "libgss.so.1"
/*
 * Built-in name-type OID for Diffie-Hellman netnames.  It is the value
 * DH_NETNAME starts with and is replaced by mech_dh.so.1's own copy when
 * gss_OID_load() can find one.  The bytes decode to 1.3.6.4.1.42.2.26.1.1
 * and must stay byte-for-byte as they are: name types are compared on
 * their encoding (see OID_IS_EQUAL), not on a dotted string.
 */
static gss_OID_desc __dh_gss_c_nt_netname = {
	9, "\053\006\004\001\052\002\032\001\001"
};

/* Held by gss_OID_load() while it fills in the globals below. */
mutex_t gss_load_lock = DEFAULTMUTEX;

/* GSS_C_NT_EXPORT_NAME as resolved from libgss; 0 until loaded. */
static gss_OID GSS_EXPORT_NAME = 0;

/* Name type a display name must carry to be accepted as a netname. */
static gss_OID DH_NETNAME = &__dh_gss_c_nt_netname;

/*
 * libgss entry points, fetched with dlsym() by gss_OID_load().  libnsl
 * has no link-time dependency on libgss, so they are reached only
 * through these pointers.
 */
typedef OM_uint32 (*gss_fptr)();

gss_fptr g_import_name;
gss_fptr g_display_name;
gss_fptr g_release_name;
gss_fptr g_release_buffer;
gss_fptr g_release_oid;
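/*
 * gss_OID_load()
 *
 * Called by __nis_gssprin2netname() to fill in the gss-api-export-name
 * OID (GSS_EXPORT_NAME), the Diffie-Hellman netname OID (DH_NETNAME) and
 * the libgss entry points it needs (g_import_name, g_display_name,
 * g_release_name, g_release_buffer, g_release_oid).
 *
 * libnsl cannot carry an explicit dependency on libgss, and callers of
 * __nis_gssprin2netname are expected to have loaded libgss through the
 * rpcsec layer already.  So libgss.so.1 is opened with RTLD_NOLOAD (a
 * NULL handle means it is not loaded, which is reported as failure) and
 * the symbols are fetched with dlsym().  mech_dh.so.1 is then opened to
 * override DH_NETNAME with its __DH_GSS_C_NT_NETNAME; that step is
 * best-effort, since another mechanism backend may support the netname
 * name type without mech_dh.so.1 being available.
 *
 * Every lookup is resolved into locals first and the globals are written
 * only once all of them succeeded.  A failed call therefore leaves
 * GSS_EXPORT_NAME at 0 (the "not loaded" trigger the caller tests) and
 * never leaves a NULL entry point behind a non-zero GSS_EXPORT_NAME.
 * Serialized by gss_load_lock.
 *
 * Returns 1 on success (or when already loaded), 0 on failure.
 */
static int
gss_OID_load(void)
{
	void		*gss_handle = NULL;
	void		*dh_handle;
	gss_OID		*oidp;
	gss_OID		export_oid;
	gss_fptr	import_fn, display_fn;
	gss_fptr	release_name_fn, release_buffer_fn, release_oid_fn;
	int		stat = 0;

	(void) mutex_lock(&gss_load_lock);

	/* A non-zero GSS_EXPORT_NAME means an earlier call completed. */
	if (GSS_EXPORT_NAME != 0) {
		(void) mutex_unlock(&gss_load_lock);
		return (1);
	}

	/* RTLD_NOLOAD: only succeeds if libgss.so.1 is already mapped. */
	if ((gss_handle = dlopen(LIBGSS, RTLD_NOLOAD)) == NULL)
		goto done;

	/* Check every dlsym() result before it is dereferenced or used. */
	oidp = (gss_OID *)dlsym(gss_handle, "GSS_C_NT_EXPORT_NAME");
	if (oidp == NULL || *oidp == 0)
		goto done;
	export_oid = *oidp;

	import_fn = (gss_fptr)dlsym(gss_handle, "gss_import_name");
	display_fn = (gss_fptr)dlsym(gss_handle, "gss_display_name");
	release_name_fn = (gss_fptr)dlsym(gss_handle, "gss_release_name");
	release_buffer_fn = (gss_fptr)dlsym(gss_handle, "gss_release_buffer");
	release_oid_fn = (gss_fptr)dlsym(gss_handle, "gss_release_oid");
	if (import_fn == 0 || display_fn == 0 || release_name_fn == 0 ||
	    release_buffer_fn == 0 || release_oid_fn == 0)
		goto done;

	/*
	 * Optional: take the official netname OID from mech_dh.so.1.
	 * MECHDH is an absolute path, so no library search path is
	 * consulted.  When the symbol is used the handle is kept open,
	 * because DH_NETNAME then points into that object for the life
	 * of the process; otherwise we drop our reference again.
	 */
	if ((dh_handle = dlopen(MECHDH, RTLD_LAZY)) != NULL) {
		oidp = (gss_OID *)dlsym(dh_handle, "__DH_GSS_C_NT_NETNAME");
		if (oidp != NULL && *oidp != 0)
			DH_NETNAME = *oidp;
		else
			(void) dlclose(dh_handle);
	}

	/* Publish all at once; GSS_EXPORT_NAME doubles as the loaded flag. */
	g_import_name = import_fn;
	g_display_name = display_fn;
	g_release_name = release_name_fn;
	g_release_buffer = release_buffer_fn;
	g_release_oid = release_oid_fn;
	GSS_EXPORT_NAME = export_oid;
	stat = 1;

done:
	/*
	 * On success the libgss handle is kept: the entry points above
	 * live in it.  On failure release the reference RTLD_NOLOAD added.
	 */
	if (stat == 0 && gss_handle != NULL)
		(void) dlclose(gss_handle);
	(void) mutex_unlock(&gss_load_lock);

	return (stat);
}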
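/*
 * __nis_gssprin2netname(rpc_gss_principal_t prin,
 *     char netname[MAXNETNAMELEN+1])
 *
 * Recover a Secure RPC netname from an rpc_gss_principal_t that carries
 * a { gss-api-exported-name }.  The exported name is imported back into
 * a gss_name_t, displayed, and accepted only when the displayed name type
 * is the Diffie-Hellman netname OID (DH_NETNAME).
 *
 * The display name is a gss_buffer_t: it is copied by its length, never
 * with a string routine, because GSS-API buffers are not guaranteed to be
 * NUL-terminated.  A display name longer than MAXNETNAMELEN, empty, or
 * containing an embedded NUL is rejected rather than truncated -- a
 * truncated or cut-short netname would name a different principal.
 *
 * Returns 0 and fills netname (always NUL-terminated) when a netname was
 * found, -1 otherwise: libgss.so.1 not loaded, import or display failure,
 * a foreign name type, or an unusable display name.
 *
 * libgss is reached only through the pointers filled in by gss_OID_load();
 * libnsl has no link-time dependency on it.  gss_OID_load() is invoked
 * here on first use and fails if libgss was not already loaded by the
 * rpcsec layer.
 */
#define	OID_IS_EQUAL(o1, o2) ((o1) && (o2) && \
	((o1)->length == (o2)->length) && \
	(memcmp((o1)->elements, (o2)->elements, (o1)->length) == 0))

int
__nis_gssprin2netname(rpc_gss_principal_t prin, char netname[MAXNETNAMELEN+1])
{
	gss_name_t	name;
	gss_OID		name_type;
	gss_buffer_desc	display_name;
	gss_buffer_desc	expName;
	OM_uint32	major, minor;
	int		stat = -1;

	if (prin == NULL || netname == NULL)
		return (-1);

	/* Resolve the libgss OIDs and entry points on first use. */
	if (GSS_EXPORT_NAME == 0 && !gss_OID_load())
		return (-1);	/* libgss.so.1 isn't loaded */

	expName.length = prin->len;
	expName.value = prin->name;

	major = (*g_import_name)(&minor, &expName,
	    (gss_OID)GSS_EXPORT_NAME, &name);
	if (major != GSS_S_COMPLETE)
		return (-1);

	major = (*g_display_name)(&minor, name, &display_name, &name_type);

	/* The internal name is not needed past this point. */
	(void) (*g_release_name)(&minor, &name);

	if (major != GSS_S_COMPLETE)
		return (-1);

	if (OID_IS_EQUAL(DH_NETNAME, name_type)) {
		size_t len = display_name.length;

		/*
		 * Copy by length: the buffer need not be NUL-terminated and
		 * the caller's array holds MAXNETNAMELEN + 1 bytes.  Anything
		 * that does not fit, or is not a clean C string, is refused.
		 */
		if (len > 0 && len <= MAXNETNAMELEN &&
		    memchr(display_name.value, '\0', len) == NULL) {
			(void) memcpy(netname, display_name.value, len);
			netname[len] = '\0';
			stat = 0;
		}
	}
	/*
	 * Other display formats that convert easily to netnames would be
	 * handled here, e.g.
	 *	else if (OID_IS_EQUAL(OTHER_NT_OID, name_type))
	 *		convert2netname(display_name.value, netname);
	 */

	/*
	 * Release temporary storage.  name_type is released because the
	 * mechglue hands back its own copy from gss_display_name; confirm
	 * that against the libgss in use if this is ever ported.
	 */
	(void) (*g_release_buffer)(&minor, &display_name);
	(void) (*g_release_oid)(&minor, &name_type);

	return (stat);
}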
 * Extract a public key, given a key length and algorithm type, from a packed
 * netobj containing extended Diffie-Hellman keys. The entries are walked by
 * their own length fields, so when the netobj comes from an untrusted source
 * each entry header and the key bytes it announces must be checked against
 * the bytes remaining in no->n_len before they are read.
288 __nis_dhext_extract_pkey(netobj
*no
, keylen_t keylen
, algtype_t algtype
)
291 /* LINTED pointer cast */
292 extdhkey_t
*keyent
= (extdhkey_t
*)no
->n_bytes
;
294 /* LINTED pointer cast */
295 while (keyent
< (extdhkey_t
*)(no
->n_bytes
+ no
->n_len
)) {
297 size_t binlen
= (ntohs(keyent
->keylen
) + 7) / 8;
298 size_t binpadlen
= ((binlen
+ 3) / 4) * 4;
299 size_t hexkeylen
= binlen
* 2 + 1;
301 if (keylen
== ntohs(keyent
->keylen
) &&
302 algtype
== ntohs(keyent
->algtype
)) {
304 if (!(hexkey
= malloc(hexkeylen
)))
307 (void) bin2hex(binlen
, keyent
->key
, hexkey
);
310 keyoffset
= (char *)keyent
+ (sizeof (ushort_t
) * 2) +
312 /* LINTED pointer cast */
313 keyent
= (extdhkey_t
*)keyoffset
;