nfs_gss.c source code [codebrowser/bsd/nfs/nfs_gss.c]

1	/*
2	* Copyright (c) 2007-2015 Apple Inc. All rights reserved.
3	*
4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5	*
6	* This file contains Original Code and/or Modifications of Original Code
7	* as defined in and that are subject to the Apple Public Source License
8	* Version 2.0 (the 'License'). You may not use this file except in
9	* compliance with the License. The rights granted to you under the License
10	* may not be used to create, or enable the creation or redistribution of,
11	* unlawful or unlicensed copies of an Apple operating system, or to
12	* circumvent, violate, or enable the circumvention or violation of, any
13	* terms of an Apple operating system software license agreement.
14	*
15	* Please obtain a copy of the License at
16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
17	*
18	* The Original Code and all software distributed under the License are
19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23	* Please see the License for the specific language governing rights and
24	* limitations under the License.
25	*
26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27	*/
28
29	/*************
30	* These functions implement RPCSEC_GSS security for the NFS client and server.
31	* The code is specific to the use of Kerberos v5 and the use of DES MAC MD5
32	* protection as described in Internet RFC 2203 and 2623.
33	*
34	* In contrast to the original AUTH_SYS authentication, RPCSEC_GSS is stateful.
35	* It requires the client and server negotiate a secure connection as part of a
36	* security context. The context state is maintained in client and server structures.
37	* On the client side, each user of an NFS mount is assigned their own context,
38	* identified by UID, on their first use of the mount, and it persists until the
39	* unmount or until the context is renewed. Each user context has a corresponding
40	* server context which the server maintains until the client destroys it, or
41	* until the context expires.
42	*
43	* The client and server contexts are set up dynamically. When a user attempts
44	* to send an NFS request, if there is no context for the user, then one is
45	* set up via an exchange of NFS null procedure calls as described in RFC 2203.
46	* During this exchange, the client and server pass a security token that is
47	* forwarded via Mach upcall to the gssd, which invokes the GSS-API to authenticate
48	* the user to the server (and vice-versa). The client and server also receive
49	* a unique session key that can be used to digitally sign the credentials and
50	* verifier or optionally to provide data integrity and/or privacy.
51	*
52	* Once the context is complete, the client and server enter a normal data
53	* exchange phase - beginning with the NFS request that prompted the context
54	* creation. During this phase, the client's RPC header contains an RPCSEC_GSS
55	* credential and verifier, and the server returns a verifier as well.
56	* For simple authentication, the verifier contains a signed checksum of the
57	* RPC header, including the credential. The server's verifier has a signed
58	* checksum of the current sequence number.
59	*
60	* Each client call contains a sequence number that nominally increases by one
61	* on each request. The sequence number is intended to prevent replay attacks.
62	* Since the protocol can be used over UDP, there is some allowance for
63	* out-of-sequence requests, so the server checks whether the sequence numbers
64	* are within a sequence "window". If a sequence number is outside the lower
65	* bound of the window, the server silently drops the request. This has some
66	* implications for retransmission. If a request needs to be retransmitted, the
67	* client must bump the sequence number even if the request XID is unchanged.
68	*
69	* When the NFS mount is unmounted, the client sends a "destroy" credential
70	* to delete the server's context for each user of the mount. Since it's
71	* possible for the client to crash or disconnect without sending the destroy
72	* message, the server has a thread that reaps contexts that have been idle
73	* too long.
74	*/
75
76	#include <stdint.h>
77	#include <sys/param.h>
78	#include <sys/systm.h>
79	#include <sys/proc.h>
80	#include <sys/kauth.h>
81	#include <sys/kernel.h>
82	#include <sys/mount_internal.h>
83	#include <sys/vnode.h>
84	#include <sys/ubc.h>
85	#include <sys/malloc.h>
86	#include <sys/kpi_mbuf.h>
87	#include <sys/ucred.h>
88
89	#include <kern/host.h>
90	#include <kern/task.h>
91	#include <libkern/libkern.h>
92
93	#include <mach/task.h>
94	#include <mach/host_special_ports.h>
95	#include <mach/host_priv.h>
96	#include <mach/thread_act.h>
97	#include <mach/mig_errors.h>
98	#include <mach/vm_map.h>
99	#include <vm/vm_map.h>
100	#include <vm/vm_kern.h>
101	#include <gssd/gssd_mach.h>
102
103	#include <nfs/rpcv2.h>
104	#include <nfs/nfsproto.h>
105	#include <nfs/nfs.h>
106	#include <nfs/nfsnode.h>
107	#include <nfs/nfs_gss.h>
108	#include <nfs/nfsmount.h>
109	#include <nfs/xdr_subs.h>
110	#include <nfs/nfsm_subs.h>
111	#include <nfs/nfs_gss.h>
112	#include <mach_assert.h>
113	#include <kern/assert.h>
114
115	#define ASSERT(EX) assert(EX)
116
117	#define NFS_GSS_MACH_MAX_RETRIES 3
118
119	#define NFS_GSS_DBG(...) NFS_DBG(NFS_FAC_GSS, 7, ## __VA_ARGS__)
120	#define NFS_GSS_ISDBG (NFS_DEBUG_FACILITY & NFS_FAC_GSS)
121
122
123	#if NFSSERVER
124	u_long nfs_gss_svc_ctx_hash;
125	struct nfs_gss_svc_ctx_hashhead *nfs_gss_svc_ctx_hashtbl;
126	lck_mtx_t *nfs_gss_svc_ctx_mutex;
127	lck_grp_t *nfs_gss_svc_grp;
128	uint32_t nfsrv_gss_context_ttl = GSS_CTX_EXPIRE;
129	#define GSS_SVC_CTX_TTL ((uint64_t)max(2GSS_CTX_PEND, nfsrv_gss_context_ttl) NSEC_PER_SEC)
130	#endif /* NFSSERVER */
131
132	#if NFSCLIENT
133	lck_grp_t *nfs_gss_clnt_grp;
134	#endif /* NFSCLIENT */
135
136	#define KRB5_MAX_MIC_SIZE 128
137	uint8_t krb5_mech_oid[`11`] = { `0x06`, `0x09`, `0x2a`, `0x86`, `0x48`, `0x86`, `0xf7`, `0x12`, `0x01`, `0x02`, `0x02` };
138	static uint8_t xdrpad[] = { `0x00`, `0x00`, `0x00`, `0x00`};
139
140	#if NFSCLIENT
141	static int nfs_gss_clnt_ctx_find(struct nfsreq *);
142	static int nfs_gss_clnt_ctx_init(struct nfsreq , struct* nfs_gss_clnt_ctx *);
143	static int nfs_gss_clnt_ctx_init_retry(struct nfsreq , struct* nfs_gss_clnt_ctx *);
144	static int nfs_gss_clnt_ctx_callserver(struct nfsreq , struct* nfs_gss_clnt_ctx *);
145	static uint8_t nfs_gss_clnt_svcname(struct* nfsmount , gssd_nametype , uint32_t *);
146	static int nfs_gss_clnt_gssd_upcall(struct nfsreq , struct* nfs_gss_clnt_ctx *, uint32_t);
147	void nfs_gss_clnt_ctx_neg_cache_reap(struct nfsmount *);
148	static void nfs_gss_clnt_ctx_clean(struct nfs_gss_clnt_ctx *);
149	static int nfs_gss_clnt_ctx_copy(struct nfs_gss_clnt_ctx , struct* nfs_gss_clnt_ctx **);
150	static void nfs_gss_clnt_ctx_destroy(struct nfs_gss_clnt_ctx *);
151	static void nfs_gss_clnt_log_error(struct nfsreq , struct* nfs_gss_clnt_ctx *, uint32_t, uint32_t);
152	#endif /* NFSCLIENT */
153
154	#if NFSSERVER
155	static struct nfs_gss_svc_ctx *nfs_gss_svc_ctx_find(uint32_t);
156	static void nfs_gss_svc_ctx_insert(struct nfs_gss_svc_ctx *);
157	static void nfs_gss_svc_ctx_timer(void , void* *);
158	static int nfs_gss_svc_gssd_upcall(struct nfs_gss_svc_ctx *);
159	static int nfs_gss_svc_seqnum_valid(struct nfs_gss_svc_ctx *, uint32_t);
160	#endif /* NFSSERVER */
161
162	static void host_release_special_port(mach_port_t);
163	static mach_port_t host_copy_special_port(mach_port_t);
164	static void nfs_gss_mach_alloc_buffer(u_char , uint32_t, vm_map_copy_t );
165	static int nfs_gss_mach_vmcopyout(vm_map_copy_t, uint32_t, u_char *);
166
167	static int nfs_gss_mchain_length(mbuf_t);
168	static int nfs_gss_append_chain(struct nfsm_chain *, mbuf_t);
169	static void nfs_gss_nfsm_chain(struct nfsm_chain *, mbuf_t);
170
171	#if NFSSERVER
172	thread_call_t nfs_gss_svc_ctx_timer_call;
173	int nfs_gss_timer_on = `0`;
174	uint32_t nfs_gss_ctx_count = `0`;
175	const uint32_t nfs_gss_ctx_max = GSS_SVC_MAXCONTEXTS;
176	#endif /* NFSSERVER */
177
178	/*
179	* Initialization when NFS starts
180	*/
181	void
182	nfs_gss_init(void)
183	{
184	#if NFSCLIENT
185	nfs_gss_clnt_grp = lck_grp_alloc_init("rpcsec_gss_clnt", LCK_GRP_ATTR_NULL);
186	#endif /* NFSCLIENT */
187
188	#if NFSSERVER
189	nfs_gss_svc_grp = lck_grp_alloc_init("rpcsec_gss_svc", LCK_GRP_ATTR_NULL);
190
191	nfs_gss_svc_ctx_hashtbl = hashinit(SVC_CTX_HASHSZ, M_TEMP, &nfs_gss_svc_ctx_hash);
192	nfs_gss_svc_ctx_mutex = lck_mtx_alloc_init(nfs_gss_svc_grp, LCK_ATTR_NULL);
193
194	nfs_gss_svc_ctx_timer_call = thread_call_allocate(nfs_gss_svc_ctx_timer, NULL);
195	#endif /* NFSSERVER */
196	}
197
198	/*
199	* Common RPCSEC_GSS support routines
200	*/
201
202	static errno_t
203	rpc_gss_prepend_32(mbuf_t *mb, uint32_t value)
204	{
205	int error;
206	uint32_t *data;
207
208	#if 0
209	data = mbuf_data(*mb);
210	/*
211	* If a wap token comes back and is not aligned
212	* get a new buffer (which should be aligned) to put the
213	* length in.
214	*/
215	if ((uintptr_t)data & `0x3`) {
216	mbuf_t nmb;
217
218	error = mbuf_get(MBUF_WAITOK, MBUF_TYPE_DATA, &nmb);
219	if (error)
220	return (error);
221	mbuf_setnext(nmb, *mb);
222	*mb = nmb;
223	}
224	#endif
225	error = mbuf_prepend(mb, sizeof(uint32_t), MBUF_WAITOK);
226	if (error)
227	return (error);
228
229	data = mbuf_data(*mb);
230	*data = txdr_unsigned(value);
231
232	return (`0`);
233	}
234
235	/*
236	* Prepend the sequence number to the xdr encode argumen or result
237	* Sequence number is prepended in its own mbuf.
238	*
239	* On successful return mbp_head will point to the old mbuf chain
240	* prepended with a new mbuf that has the sequence number.
241	*/
242
243	static errno_t
244	rpc_gss_data_create(mbuf_t *mbp_head, uint32_t seqnum)
245	{
246	int error;
247	mbuf_t mb;
248	struct nfsm_chain nmc;
249	struct nfsm_chain *nmcp = &nmc;
250	uint8_t *data;
251
252	error = mbuf_get(MBUF_WAITOK, MBUF_TYPE_DATA, &mb);
253	if (error)
254	return (error);
255	data = mbuf_data(mb);
256	#if 0
257	/ Reserve space for prepending /
258	len = mbuf_maxlen(mb);
259	len = (len & ~`0x3`) - NFSX_UNSIGNED;
260	printf("%s: data = %p, len = %d\n", __func__, data, (int)len);
261	error = mbuf_setdata(mb, data + len, `0`);
262	if (error \|\| mbuf_trailingspace(mb))
263	printf("%s: data = %p trailingspace = %d error = %d\n", __func__, mbuf_data(mb), (int)mbuf_trailingspace(mb), error);
264	#endif
265	/ Reserve 16 words for prepending /
266	error = mbuf_setdata(mb, data + `16`*sizeof(uint32_t), `0`);
267	nfsm_chain_init(nmcp, mb);
268	nfsm_chain_add_32(error, nmcp, seqnum);
269	nfsm_chain_build_done(error, nmcp);
270	if (error)
271	return (EINVAL);
272	mbuf_setnext(nmcp->nmc_mcur, *mbp_head);
273	*mbp_head = nmcp->nmc_mhead;
274
275	return (`0`);
276	}
277
278	/*
279	* Create an rpc_gss_integ_data_t given an argument or result in mb_head.
280	* On successful return mb_head will point to the rpc_gss_integ_data_t of length len.
281	* Note mb_head will now point to a 4 byte sequence number. len does not include
282	* any extra xdr padding.
283	* Returns 0 on success, else an errno_t
284	*/
285
286	static errno_t
287	rpc_gss_integ_data_create(gss_ctx_id_t ctx, mbuf_t mb_head, uint32_t seqnum, uint32_t len)
288	{
289	uint32_t error;
290	uint32_t major;
291	uint32_t length;
292	gss_buffer_desc mic;
293	struct nfsm_chain nmc;
294
295	/ Length of the argument or result /
296	length = nfs_gss_mchain_length(*mb_head);
297	if (len)
298	*len = length;
299	error = rpc_gss_data_create(mb_head, seqnum);
300	if (error)
301	return (error);
302
303	/*
304	* length is the length of the rpc_gss_data
305	*/
306	length += NFSX_UNSIGNED; / Add the sequence number to the length /
307	major = gss_krb5_get_mic_mbuf(&error, ctx, `0`, *mb_head, `0`, length, &mic);
308	if (major != GSS_S_COMPLETE) {
309	printf("gss_krb5_get_mic_mbuf failed %d\n", error);
310	return (error);
311	}
312
313	error = rpc_gss_prepend_32(mb_head, length);
314	if (error)
315	return (error);
316
317	nfsm_chain_dissect_init(error, &nmc, *mb_head);
318	/ Append GSS mic token by advancing rpc_gss_data_t length + NFSX_UNSIGNED (size of the length field) /
319	nfsm_chain_adv(error, &nmc, length + NFSX_UNSIGNED);
320	nfsm_chain_finish_mbuf(error, &nmc); // Force the mic into its own sub chain.
321	nfsm_chain_add_32(error, &nmc, mic.length);
322	nfsm_chain_add_opaque(error, &nmc, mic.value, mic.length);
323	nfsm_chain_build_done(error, &nmc);
324	gss_release_buffer(NULL, &mic);
325
326	// printmbuf("rpc_gss_integ_data_create done", mb_head, 0, 0);*
327	assert(nmc.nmc_mhead == *mb_head);
328
329	return (error);
330	}
331
332	/*
333	* Create an rpc_gss_priv_data_t out of the supplied raw arguments or results in mb_head.
334	* On successful return mb_head will point to a wrap token of lenght len.
335	* Note len does not include any xdr padding
336	* Returns 0 on success, else an errno_t
337	*/
338	static errno_t
339	rpc_gss_priv_data_create(gss_ctx_id_t ctx, mbuf_t mb_head, uint32_t seqnum, uint32_t len)
340	{
341	uint32_t error;
342	uint32_t major;
343	struct nfsm_chain nmc;
344	uint32_t pad;
345	uint32_t length;
346
347	error = rpc_gss_data_create(mb_head, seqnum);
348	if (error)
349	return (error);
350
351	length = nfs_gss_mchain_length(*mb_head);
352	major = gss_krb5_wrap_mbuf(&error, ctx, `1`, `0`, mb_head, `0`, length, NULL);
353	if (major != GSS_S_COMPLETE)
354	return (error);
355
356	length = nfs_gss_mchain_length(*mb_head);
357	if (len)
358	*len = length;
359	pad = nfsm_pad(length);
360
361	/ Prepend the opaque length of rep rpc_gss_priv_data /
362	error = rpc_gss_prepend_32(mb_head, length);
363
364	if (error)
365	return (error);
366	if (pad) {
367	nfsm_chain_dissect_init(error, &nmc, *mb_head);
368	/ Advance the opauque size of length and length data /
369	nfsm_chain_adv(error, &nmc, NFSX_UNSIGNED + length);
370	nfsm_chain_finish_mbuf(error, &nmc);
371	nfsm_chain_add_opaque_nopad(error, &nmc, xdrpad, pad);
372	nfsm_chain_build_done(error, &nmc);
373	}
374
375	return (error);
376	}
377
378	#if NFSCLIENT
379
380	/*
381	* Restore the argument or result from an rpc_gss_integ_data mbuf chain
382	* We have a four byte seqence number, len arguments, and an opaque
383	* encoded mic, possibly followed by some pad bytes. The mic and possible
384	* pad bytes are on their own sub mbuf chains.
385	*
386	* On successful return mb_head is the chain of the xdr args or results sans
387	* the sequence number and mic and return 0. Otherwise return an errno.
388	*
389	*/
390	static errno_t
391	rpc_gss_integ_data_restore(gss_ctx_id_t ctx __unused, mbuf_t *mb_head, size_t len)
392	{
393	mbuf_t mb = *mb_head;
394	mbuf_t tail = NULL, next;
395
396	/ Chop of the opaque length and seq number /
397	mbuf_adj(mb, `2` * NFSX_UNSIGNED);
398
399	/ should only be one, ... but /
400	for (; mb; mb = next) {
401	next = mbuf_next(mb);
402	if (mbuf_len(mb) == `0`)
403	mbuf_free(mb);
404	else
405	break;
406	}
407	*mb_head = mb;
408
409	for (; mb && len; mb = mbuf_next(mb)) {
410	tail = mb;
411	if (mbuf_len(mb) <= len)
412	len -= mbuf_len(mb);
413	else
414	return (EBADRPC);
415	}
416	/ drop the mic /
417	if (tail) {
418	mbuf_setnext(tail, NULL);
419	mbuf_freem(mb);
420	}
421
422	return (`0`);
423	}
424
425	/*
426	* Restore the argument or result rfom an rpc_gss_priv_data mbuf chain
427	* mb_head points to the wrap token of length len.
428	*
429	* On successful return mb_head is our original xdr arg or result an
430	* the return value is 0. Otherise return an errno
431	*/
432	static errno_t
433	rpc_gss_priv_data_restore(gss_ctx_id_t ctx, mbuf_t *mb_head, size_t len)
434	{
435	uint32_t major, error;
436	mbuf_t mb = *mb_head, next;
437	uint32_t plen;
438	size_t length;
439	gss_qop_t qop = GSS_C_QOP_REVERSE;
440
441	/ Chop of the opaque length /
442	mbuf_adj(mb, NFSX_UNSIGNED);
443	/ If we have padding, drop it /
444	plen = nfsm_pad(len);
445	if (plen) {
446	mbuf_t tail = NULL;
447
448	for(length = `0`; length < len && mb; mb = mbuf_next(mb)) {
449	tail = mb;
450	length += mbuf_len(mb);
451	}
452	if ((length != len) \|\| (mb == NULL) \|\| (tail == NULL))
453	return (EBADRPC);
454
455	mbuf_freem(mb);
456	mbuf_setnext(tail, NULL);
457	}
458
459	major = gss_krb5_unwrap_mbuf(&error, ctx, mb_head, `0`, len, NULL, &qop);
460	if (major != GSS_S_COMPLETE) {
461	printf("gss_krb5_unwrap_mbuf failed. major = %d minor = %d\n", (int)major, error);
462	return (error);
463	}
464	mb = *mb_head;
465
466	/ Drop the seqence number /
467	mbuf_adj(mb, NFSX_UNSIGNED);
468	assert(mbuf_len(mb) == `0`);
469
470	/ Chop of any empty mbufs /
471	for (mb = *mb_head; mb; mb = next) {
472	next = mbuf_next(mb);
473	if (mbuf_len(mb) == `0`)
474	mbuf_free(mb);
475	else
476	break;
477	}
478	*mb_head = mb;
479
480	return (`0`);
481	}
482
483	/*
484	* Find the context for a particular user.
485	*
486	* If the context doesn't already exist
487	* then create a new context for this user.
488	*
489	* Note that the code allows superuser (uid == 0)
490	* to adopt the context of another user.
491	*
492	* We'll match on the audit session ids, since those
493	* processes will have acccess to the same credential cache.
494	*/
495
496	#define kauth_cred_getasid(cred) ((cred)->cr_audit.as_aia_p->ai_asid)
497	#define kauth_cred_getauid(cred) ((cred)->cr_audit.as_aia_p->ai_auid)
498
499	#define SAFE_CAST_INTTYPE( type, intval ) \
500	( (type)(intval)/(sizeof(type) < sizeof(intval) ? 0 : 1) )
501
502	uid_t
503	nfs_cred_getasid2uid(kauth_cred_t cred)
504	{
505	uid_t result = SAFE_CAST_INTTYPE(uid_t, kauth_cred_getasid(cred));
506	return (result);
507	}
508
509	/*
510	* Debugging
511	*/
512	static void
513	nfs_gss_clnt_ctx_dump(struct nfsmount *nmp)
514	{
515	struct nfs_gss_clnt_ctx *cp;
516
517	lck_mtx_lock(&nmp->nm_lock);
518	NFS_GSS_DBG("Enter\n");
519	TAILQ_FOREACH(cp, &nmp->nm_gsscl, gss_clnt_entries) {
520	lck_mtx_lock(cp->gss_clnt_mtx);
521	printf("context %d/%d: refcnt = %d, flags = %x\n",
522	kauth_cred_getasid(cp->gss_clnt_cred),
523	kauth_cred_getauid(cp->gss_clnt_cred),
524	cp->gss_clnt_refcnt, cp->gss_clnt_flags);
525	lck_mtx_unlock(cp->gss_clnt_mtx);
526	}
527	NFS_GSS_DBG("Exit\n");
528	lck_mtx_unlock(&nmp->nm_lock);
529	}
530
531	static char *
532	nfs_gss_clnt_ctx_name(struct nfsmount nmp, struct* nfs_gss_clnt_ctx cp, char* buf, int* len)
533	{
534	char *np;
535	int nlen;
536	const char *server = "";
537
538	if (nmp && nmp->nm_mountp)
539	server = vfs_statfs(nmp->nm_mountp)->f_mntfromname;
540
541	if (cp == NULL) {
542	snprintf(buf, len, "[%s] NULL context", server);
543	return (buf);
544	}
545
546	if (cp->gss_clnt_principal && !cp->gss_clnt_display) {
547	np = (char *)cp->gss_clnt_principal;
548	nlen = cp->gss_clnt_prinlen;
549	} else {
550	np = cp->gss_clnt_display;
551	nlen = np ? strlen(cp->gss_clnt_display) : `0`;
552	}
553	if (nlen)
554	snprintf(buf, len, "[%s] %.*s %d/%d %s", server, nlen, np,
555	kauth_cred_getasid(cp->gss_clnt_cred),
556	kauth_cred_getuid(cp->gss_clnt_cred),
557	cp->gss_clnt_principal ? "" : "[from default cred] ");
558	else
559	snprintf(buf, len, "[%s] using default %d/%d ", server,
560	kauth_cred_getasid(cp->gss_clnt_cred),
561	kauth_cred_getuid(cp->gss_clnt_cred));
562	return (buf);
563	}
564
565	#define NFS_CTXBUFSZ 80
566	#define NFS_GSS_CTX(req, cp) nfs_gss_clnt_ctx_name((req)->r_nmp, cp ? cp : (req)->r_gss_ctx, CTXBUF, sizeof(CTXBUF))
567
568	#define NFS_GSS_CLNT_CTX_DUMP(nmp) \
569	do { \
570	if (NFS_GSS_ISDBG && (NFS_DEBUG_FLAGS & 0x2)) \
571	nfs_gss_clnt_ctx_dump((nmp)); \
572	} while (0)
573
574	static int
575	nfs_gss_clnt_ctx_cred_match(kauth_cred_t cred1, kauth_cred_t cred2)
576	{
577	if (kauth_cred_getasid(cred1) == kauth_cred_getasid(cred2))
578	return (`1`);
579	return (`0`);
580	}
581
582	/*
583	* Busy the mount for each principal set on the mount
584	* so that the automounter will not unmount the file
585	* system underneath us. With out this, if an unmount
586	* occurs the principal that is set for an audit session
587	* will be lost and we may end up with a different identity.
588	*
589	* Note setting principals on the mount is a bad idea. This
590	* really should be handle by KIM (Kerberos Identity Management)
591	* so that defaults can be set by service identities.
592	*/
593
594	static void
595	nfs_gss_clnt_mnt_ref(struct nfsmount *nmp)
596	{
597	int error;
598	vnode_t rvp;
599
600	if (nmp == NULL \|\|
601	!(vfs_flags(nmp->nm_mountp) & MNT_AUTOMOUNTED))
602	return;
603
604	error = VFS_ROOT(nmp->nm_mountp, &rvp, NULL);
605	if (!error) {
606	vnode_ref(rvp);
607	vnode_put(rvp);
608	}
609	}
610
611	/*
612	* Unbusy the mout. See above comment,
613	*/
614
615	static void
616	nfs_gss_clnt_mnt_rele(struct nfsmount *nmp)
617	{
618	int error;
619	vnode_t rvp;
620
621	if (nmp == NULL \|\|
622	!(vfs_flags(nmp->nm_mountp) & MNT_AUTOMOUNTED))
623	return;
624
625	error = VFS_ROOT(nmp->nm_mountp, &rvp, NULL);
626	if (!error) {
627	vnode_rele(rvp);
628	vnode_put(rvp);
629	}
630	}
631
632	int nfs_root_steals_ctx = `0`;
633
634	static int
635	nfs_gss_clnt_ctx_find_principal(struct nfsreq req, uint8_t principal, uint32_t plen, uint32_t nt)
636	{
637	struct nfsmount *nmp = req->r_nmp;
638	struct nfs_gss_clnt_ctx *cp;
639	struct nfsreq treq;
640	int error = `0`;
641	struct timeval now;
642	char CTXBUF[NFS_CTXBUFSZ];
643
644	bzero(&treq, sizeof (struct nfsreq));
645	treq.r_nmp = nmp;
646
647	microuptime(&now);
648	lck_mtx_lock(&nmp->nm_lock);
649	TAILQ_FOREACH(cp, &nmp->nm_gsscl, gss_clnt_entries) {
650	lck_mtx_lock(cp->gss_clnt_mtx);
651	if (cp->gss_clnt_flags & GSS_CTX_DESTROY) {
652	NFS_GSS_DBG("Found destroyed context %s refcnt = %d continuing\n",
653	NFS_GSS_CTX(req, cp),
654	cp->gss_clnt_refcnt);
655	lck_mtx_unlock(cp->gss_clnt_mtx);
656	continue;
657	}
658	if (nfs_gss_clnt_ctx_cred_match(cp->gss_clnt_cred, req->r_cred)) {
659	if (nmp->nm_gsscl.tqh_first != cp) {
660	TAILQ_REMOVE(&nmp->nm_gsscl, cp, gss_clnt_entries);
661	TAILQ_INSERT_HEAD(&nmp->nm_gsscl, cp, gss_clnt_entries);
662	}
663	if (principal) {
664	/*
665	* If we have a principal, but it does not match the current cred
666	* mark it for removal
667	*/
668	if (cp->gss_clnt_prinlen != plen \|\| cp->gss_clnt_prinnt != nt \|\|
669	bcmp(cp->gss_clnt_principal, principal, plen) != `0`) {
670	cp->gss_clnt_flags \|= (GSS_CTX_INVAL \| GSS_CTX_DESTROY);
671	cp->gss_clnt_refcnt++;
672	lck_mtx_unlock(cp->gss_clnt_mtx);
673	NFS_GSS_DBG("Marking %s for deletion because %s does not match\n",
674	NFS_GSS_CTX(req, cp), principal);
675	NFS_GSS_DBG("len = (%d,%d), nt = (%d,%d)\n", cp->gss_clnt_prinlen, plen,
676	cp->gss_clnt_prinnt, nt);
677	treq.r_gss_ctx = cp;
678	cp = NULL;
679	break;
680	}
681	}
682	if (cp->gss_clnt_flags & GSS_CTX_INVAL) {
683	/*
684	* If we're still being used and we're not expired
685	* just return and don't bother gssd again. Note if
686	* gss_clnt_nctime is zero it is about to be set to now.
687	*/
688	if (cp->gss_clnt_nctime + GSS_NEG_CACHE_TO >= now.tv_sec \|\| cp->gss_clnt_nctime == `0`) {
689	NFS_GSS_DBG("Context %s (refcnt = %d) not expired returning EAUTH nctime = %ld now = %ld\n",
690	NFS_GSS_CTX(req, cp), cp->gss_clnt_refcnt, cp->gss_clnt_nctime, now.tv_sec);
691	lck_mtx_unlock(cp->gss_clnt_mtx);
692	lck_mtx_unlock(&nmp->nm_lock);
693	return (NFSERR_EAUTH);
694	}
695	if (cp->gss_clnt_refcnt) {
696	struct nfs_gss_clnt_ctx *ncp;
697	/*
698	* If this context has references, we can't use it so we mark if for
699	* destruction and create a new context based on this one in the
700	* same manner as renewing one.
701	*/
702	cp->gss_clnt_flags \|= GSS_CTX_DESTROY;
703	NFS_GSS_DBG("Context %s has expired but we still have %d references\n",
704	NFS_GSS_CTX(req, cp), cp->gss_clnt_refcnt);
705	error = nfs_gss_clnt_ctx_copy(cp, &ncp);
706	lck_mtx_unlock(cp->gss_clnt_mtx);
707	if (error) {
708	lck_mtx_unlock(&nmp->nm_lock);
709	return (error);
710	}
711	cp = ncp;
712	break;
713	} else {
714	if (cp->gss_clnt_nctime)
715	nmp->nm_ncentries--;
716	lck_mtx_unlock(cp->gss_clnt_mtx);
717	TAILQ_REMOVE(&nmp->nm_gsscl, cp, gss_clnt_entries);
718	break;
719	}
720	}
721	/ Found a valid context to return /
722	cp->gss_clnt_refcnt++;
723	req->r_gss_ctx = cp;
724	lck_mtx_unlock(cp->gss_clnt_mtx);
725	lck_mtx_unlock(&nmp->nm_lock);
726	return (`0`);
727	}
728	lck_mtx_unlock(cp->gss_clnt_mtx);
729	}
730
731	if (!cp && nfs_root_steals_ctx && principal == NULL && kauth_cred_getuid(req->r_cred) == `0`) {
732	/*
733	* If superuser is trying to get access, then co-opt
734	* the first valid context in the list.
735	* XXX Ultimately, we need to allow superuser to
736	* go ahead and attempt to set up its own context
737	* in case one is set up for it.
738	*/
739	TAILQ_FOREACH(cp, &nmp->nm_gsscl, gss_clnt_entries) {
740	if (!(cp->gss_clnt_flags & (GSS_CTX_INVAL\|GSS_CTX_DESTROY))) {
741	nfs_gss_clnt_ctx_ref(req, cp);
742	lck_mtx_unlock(&nmp->nm_lock);
743	NFS_GSS_DBG("Root stole context %s\n", NFS_GSS_CTX(req, NULL));
744	return (`0`);
745	}
746	}
747	}
748
749	NFS_GSS_DBG("Context %s%sfound in Neg Cache @ %ld\n",
750	NFS_GSS_CTX(req, cp),
751	cp == NULL ? " not " : "",
752	cp == NULL ? `0L` : cp->gss_clnt_nctime);
753
754	/*
755	* Not found - create a new context
756	*/
757
758	if (cp == NULL) {
759	MALLOC(cp, struct nfs_gss_clnt_ctx , sizeof(cp), M_TEMP, M_WAITOK\|M_ZERO);
760	if (cp == NULL) {
761	lck_mtx_unlock(&nmp->nm_lock);
762	return (ENOMEM);
763	}
764	cp->gss_clnt_cred = req->r_cred;
765	kauth_cred_ref(cp->gss_clnt_cred);
766	cp->gss_clnt_mtx = lck_mtx_alloc_init(nfs_gss_clnt_grp, LCK_ATTR_NULL);
767	cp->gss_clnt_ptime = now.tv_sec - GSS_PRINT_DELAY;
768	if (principal) {
769	MALLOC(cp->gss_clnt_principal, uint8_t *, plen+`1`, M_TEMP, M_WAITOK\|M_ZERO);
770	memcpy(cp->gss_clnt_principal, principal, plen);
771	cp->gss_clnt_prinlen = plen;
772	cp->gss_clnt_prinnt = nt;
773	cp->gss_clnt_flags \|= GSS_CTX_STICKY;
774	nfs_gss_clnt_mnt_ref(nmp);
775	}
776	} else {
777	nfs_gss_clnt_ctx_clean(cp);
778	if (principal) {
779	/*
780	* If we have a principal and we found a matching audit
781	* session, then to get here, the principal had to match.
782	* In walking the context list if it has a principal
783	* or the principal is not set then we mark the context
784	* for destruction and set cp to NULL and we fall to the
785	* if clause above. If the context still has references
786	* again we copy the context which will preserve the principal
787	* and we end up here with the correct principal set.
788	* If we don't have references the the principal must have
789	* match and we will fall through here.
790	*/
791	cp->gss_clnt_flags \|= GSS_CTX_STICKY;
792	}
793	}
794
795	cp->gss_clnt_thread = current_thread();
796	nfs_gss_clnt_ctx_ref(req, cp);
797	TAILQ_INSERT_HEAD(&nmp->nm_gsscl, cp, gss_clnt_entries);
798	lck_mtx_unlock(&nmp->nm_lock);
799
800	error = nfs_gss_clnt_ctx_init_retry(req, cp); // Initialize new context
801	if (error) {
802	NFS_GSS_DBG("nfs_gss_clnt_ctx_init_retry returned %d for %s\n", error, NFS_GSS_CTX(req, cp));
803	nfs_gss_clnt_ctx_unref(req);
804	}
805
806	/ Remove any old matching contex that had a different principal /
807	nfs_gss_clnt_ctx_unref(&treq);
808
809	return (error);
810	}
811
812	static int
813	nfs_gss_clnt_ctx_find(struct nfsreq *req)
814	{
815	return (nfs_gss_clnt_ctx_find_principal(req, NULL, `0`, `0`));
816	}
817
818	/*
819	* Inserts an RPCSEC_GSS credential into an RPC header.
820	* After the credential is inserted, the code continues
821	* to build the verifier which contains a signed checksum
822	* of the RPC header.
823	*/
824
825	int
826	nfs_gss_clnt_cred_put(struct nfsreq req, struct* nfsm_chain *nmc, mbuf_t args)
827	{
828	struct nfs_gss_clnt_ctx *cp;
829	uint32_t seqnum = `0`;
830	uint32_t major;
831	uint32_t error = `0`;
832	int slpflag, recordmark = `0`, offset;
833	struct gss_seq *gsp;
834	gss_buffer_desc mic;
835
836	slpflag = (PZERO-`1`);
837	if (req->r_nmp) {
838	slpflag \|= (NMFLAG(req->r_nmp, INTR) && req->r_thread && !(req->r_flags & R_NOINTR)) ? PCATCH : `0`;
839	recordmark = (req->r_nmp->nm_sotype == SOCK_STREAM);
840	}
841
842	retry:
843	if (req->r_gss_ctx == NULL) {
844	/*
845	* Find the context for this user.
846	* If no context is found, one will
847	* be created.
848	*/
849	error = nfs_gss_clnt_ctx_find(req);
850	if (error)
851	return (error);
852	}
853	cp = req->r_gss_ctx;
854
855	/*
856	* If the context thread isn't null, then the context isn't
857	* yet complete and is for the exclusive use of the thread
858	* doing the context setup. Wait until the context thread
859	* is null.
860	*/
861	lck_mtx_lock(cp->gss_clnt_mtx);
862	if (cp->gss_clnt_thread && cp->gss_clnt_thread != current_thread()) {
863	cp->gss_clnt_flags \|= GSS_NEEDCTX;
864	msleep(cp, cp->gss_clnt_mtx, slpflag \| PDROP, "ctxwait", NULL);
865	slpflag &= ~PCATCH;
866	if ((error = nfs_sigintr(req->r_nmp, req, req->r_thread, `0`)))
867	return (error);
868	nfs_gss_clnt_ctx_unref(req);
869	goto retry;
870	}
871	lck_mtx_unlock(cp->gss_clnt_mtx);
872
873	if (cp->gss_clnt_flags & GSS_CTX_COMPLETE) {
874	/*
875	* Get a sequence number for this request.
876	* Check whether the oldest request in the window is complete.
877	* If it's still pending, then wait until it's done before
878	* we allocate a new sequence number and allow this request
879	* to proceed.
880	*/
881	lck_mtx_lock(cp->gss_clnt_mtx);
882	while (win_getbit(cp->gss_clnt_seqbits,
883	((cp->gss_clnt_seqnum - cp->gss_clnt_seqwin) + `1`) % cp->gss_clnt_seqwin)) {
884	cp->gss_clnt_flags \|= GSS_NEEDSEQ;
885	msleep(cp, cp->gss_clnt_mtx, slpflag \| PDROP, "seqwin", NULL);
886	slpflag &= ~PCATCH;
887	if ((error = nfs_sigintr(req->r_nmp, req, req->r_thread, `0`))) {
888	return (error);
889	}
890	lck_mtx_lock(cp->gss_clnt_mtx);
891	if (cp->gss_clnt_flags & GSS_CTX_INVAL) {
892	/ Renewed while while we were waiting /
893	lck_mtx_unlock(cp->gss_clnt_mtx);
894	nfs_gss_clnt_ctx_unref(req);
895	goto retry;
896	}
897	}
898	seqnum = ++cp->gss_clnt_seqnum;
899	win_setbit(cp->gss_clnt_seqbits, seqnum % cp->gss_clnt_seqwin);
900	lck_mtx_unlock(cp->gss_clnt_mtx);
901
902	MALLOC(gsp, struct gss_seq , sizeof(gsp), M_TEMP, M_WAITOK\|M_ZERO);
903	if (gsp == NULL)
904	return (ENOMEM);
905	gsp->gss_seqnum = seqnum;
906	SLIST_INSERT_HEAD(&req->r_gss_seqlist, gsp, gss_seqnext);
907	}
908
909	/ Insert the credential /
910	nfsm_chain_add_32(error, nmc, RPCSEC_GSS);
911	nfsm_chain_add_32(error, nmc, `5` * NFSX_UNSIGNED + cp->gss_clnt_handle_len);
912	nfsm_chain_add_32(error, nmc, RPCSEC_GSS_VERS_1);
913	nfsm_chain_add_32(error, nmc, cp->gss_clnt_proc);
914	nfsm_chain_add_32(error, nmc, seqnum);
915	nfsm_chain_add_32(error, nmc, cp->gss_clnt_service);
916	nfsm_chain_add_32(error, nmc, cp->gss_clnt_handle_len);
917	if (cp->gss_clnt_handle_len > `0`) {
918	if (cp->gss_clnt_handle == NULL)
919	return (EBADRPC);
920	nfsm_chain_add_opaque(error, nmc, cp->gss_clnt_handle, cp->gss_clnt_handle_len);
921	}
922	if (error)
923	return(error);
924	/*
925	* Now add the verifier
926	*/
927	if (cp->gss_clnt_proc == RPCSEC_GSS_INIT \|\|
928	cp->gss_clnt_proc == RPCSEC_GSS_CONTINUE_INIT) {
929	/*
930	* If the context is still being created
931	* then use a null verifier.
932	*/
933	nfsm_chain_add_32(error, nmc, RPCAUTH_NULL); // flavor
934	nfsm_chain_add_32(error, nmc, `0`); // length
935	nfsm_chain_build_done(error, nmc);
936	if (!error)
937	nfs_gss_append_chain(nmc, args);
938	return (error);
939	}
940
941	offset = recordmark ? NFSX_UNSIGNED : `0`; // record mark
942	nfsm_chain_build_done(error, nmc);
943
944	major = gss_krb5_get_mic_mbuf((uint32_t *)&error, cp->gss_clnt_ctx_id, `0`, nmc->nmc_mhead, offset, `0`, &mic);
945	if (major != GSS_S_COMPLETE) {
946	printf ("gss_krb5_get_mic_buf failed %d\n", error);
947	return (error);
948	}
949
950	nfsm_chain_add_32(error, nmc, RPCSEC_GSS); // flavor
951	nfsm_chain_add_32(error, nmc, mic.length); // length
952	nfsm_chain_add_opaque(error, nmc, mic.value, mic.length);
953	(void)gss_release_buffer(NULL, &mic);
954	nfsm_chain_build_done(error, nmc);
955	if (error)
956	return (error);
957
958	/*
959	* Now we may have to compute integrity or encrypt the call args
960	* per RFC 2203 Section 5.3.2
961	*/
962	switch (cp->gss_clnt_service) {
963	case RPCSEC_GSS_SVC_NONE:
964	if (args)
965	nfs_gss_append_chain(nmc, args);
966	break;
967	case RPCSEC_GSS_SVC_INTEGRITY:
968	/*
969	* r_gss_arglen is the length of args mbuf going into the routine.
970	* Its used to find the mic if we need to restore the args.
971	*/
972	/ Note the mbufs that were used in r_mrest are being encapsulated in the rpc_gss_integ_data_t /
973	assert(req->r_mrest == args);
974	nfsm_chain_finish_mbuf(error, nmc);
975	if (error)
976	return (error);
977	error = rpc_gss_integ_data_create(cp->gss_clnt_ctx_id, &args, seqnum, &req->r_gss_arglen);
978	if (error)
979	break;
980	req->r_mrest = args;
981	req->r_gss_argoff = nfsm_chain_offset(nmc);
982	nfs_gss_append_chain(nmc, args);
983	break;
984	case RPCSEC_GSS_SVC_PRIVACY:
985	/*
986	* r_gss_arglen is the length of the wrap token sans any padding length.
987	* Its used to find any XDR padding of the wrap token.
988	*/
989	/ Note the mbufs that were used in r_mrest are being encapsulated in the rpc_gss_priv_data_t /
990	assert(req->r_mrest == args);
991	nfsm_chain_finish_mbuf(error, nmc);
992	if (error)
993	return (error);
994	error = rpc_gss_priv_data_create(cp->gss_clnt_ctx_id, &args, seqnum, &req->r_gss_arglen);
995	if (error)
996	break;
997	req->r_mrest = args;
998	req->r_gss_argoff = nfsm_chain_offset(nmc);
999	nfs_gss_append_chain(nmc, args);
1000	break;
1001	default:
1002	return (EINVAL);
1003	}
1004
1005	return (error);
1006	}
1007
1008	/*
1009	* When receiving a reply, the client checks the verifier
1010	* returned by the server. Check that the verifier is the
1011	* correct type, then extract the sequence number checksum
1012	* from the token in the credential and compare it with a
1013	* computed checksum of the sequence number in the request
1014	* that was sent.
1015	*/
1016	int
1017	nfs_gss_clnt_verf_get(
1018	struct nfsreq *req,
1019	struct nfsm_chain *nmc,
1020	uint32_t verftype,
1021	uint32_t verflen,
1022	uint32_t *accepted_statusp)
1023	{
1024	gss_buffer_desc cksum;
1025	uint32_t seqnum = `0`;
1026	uint32_t major;
1027	struct nfs_gss_clnt_ctx *cp = req->r_gss_ctx;
1028	struct nfsm_chain nmc_tmp;
1029	struct gss_seq *gsp;
1030	uint32_t reslen, offset;
1031	int error = `0`;
1032	mbuf_t results_mbuf, prev_mbuf, pad_mbuf;
1033	size_t ressize;
1034
1035	reslen = `0`;
1036	*accepted_statusp = `0`;
1037
1038	if (cp == NULL)
1039	return (NFSERR_EAUTH);
1040	/*
1041	* If it's not an RPCSEC_GSS verifier, then it has to
1042	* be a null verifier that resulted from either
1043	* a CONTINUE_NEEDED reply during context setup or
1044	* from the reply to an AUTH_UNIX call from a dummy
1045	* context that resulted from a fallback to sec=sys.
1046	*/
1047	if (verftype != RPCSEC_GSS) {
1048	if (verftype != RPCAUTH_NULL)
1049	return (NFSERR_EAUTH);
1050	if (cp->gss_clnt_flags & GSS_CTX_COMPLETE)
1051	return (NFSERR_EAUTH);
1052	if (verflen > `0`)
1053	nfsm_chain_adv(error, nmc, nfsm_rndup(verflen));
1054	nfsm_chain_get_32(error, nmc, *accepted_statusp);
1055	return (error);
1056	}
1057
1058	/*
1059	* If we received an RPCSEC_GSS verifier but the
1060	* context isn't yet complete, then it must be
1061	* the context complete message from the server.
1062	* The verifier will contain an encrypted checksum
1063	* of the window but we don't have the session key
1064	* yet so we can't decrypt it. Stash the verifier
1065	* and check it later in nfs_gss_clnt_ctx_init() when
1066	* the context is complete.
1067	*/
1068	if (!(cp->gss_clnt_flags & GSS_CTX_COMPLETE)) {
1069	if (verflen > KRB5_MAX_MIC_SIZE)
1070	return (EBADRPC);
1071	MALLOC(cp->gss_clnt_verf, u_char *, verflen, M_TEMP, M_WAITOK\|M_ZERO);
1072	if (cp->gss_clnt_verf == NULL)
1073	return (ENOMEM);
1074	cp->gss_clnt_verflen = verflen;
1075	nfsm_chain_get_opaque(error, nmc, verflen, cp->gss_clnt_verf);
1076	nfsm_chain_get_32(error, nmc, *accepted_statusp);
1077	return (error);
1078	}
1079
1080	if (verflen > KRB5_MAX_MIC_SIZE)
1081	return (EBADRPC);
1082	cksum.length = verflen;
1083	MALLOC(cksum.value, void *, verflen, M_TEMP, M_WAITOK);
1084
1085	/*
1086	* Get the gss mic
1087	*/
1088	nfsm_chain_get_opaque(error, nmc, verflen, cksum.value);
1089	if (error) {
1090	FREE(cksum.value, M_TEMP);
1091	goto nfsmout;
1092	}
1093
1094	/*
1095	* Search the request sequence numbers for this reply, starting
1096	* with the most recent, looking for a checksum that matches
1097	* the one in the verifier returned by the server.
1098	*/
1099	SLIST_FOREACH(gsp, &req->r_gss_seqlist, gss_seqnext) {
1100	gss_buffer_desc seqnum_buf;
1101	uint32_t network_seqnum = htonl(gsp->gss_seqnum);
1102
1103	seqnum_buf.length = sizeof(network_seqnum);
1104	seqnum_buf.value = &network_seqnum;
1105	major = gss_krb5_verify_mic(NULL, cp->gss_clnt_ctx_id, &seqnum_buf, &cksum, NULL);
1106	if (major == GSS_S_COMPLETE)
1107	break;
1108	}
1109	FREE(cksum.value, M_TEMP);
1110	if (gsp == NULL)
1111	return (NFSERR_EAUTH);
1112
1113	/*
1114	* Get the RPC accepted status
1115	*/
1116	nfsm_chain_get_32(error, nmc, *accepted_statusp);
1117	if (*accepted_statusp != RPC_SUCCESS)
1118	return (`0`);
1119
1120	/*
1121	* Now we may have to check integrity or decrypt the results
1122	* per RFC 2203 Section 5.3.2
1123	*/
1124	switch (cp->gss_clnt_service) {
1125	case RPCSEC_GSS_SVC_NONE:
1126	/ nothing to do /
1127	break;
1128	case RPCSEC_GSS_SVC_INTEGRITY:
1129	/*
1130	* Here's what we expect in the integrity results from RFC 2203:
1131	*
1132	* - length of seq num + results (4 bytes)
1133	* - sequence number (4 bytes)
1134	* - results (variable bytes)
1135	* - length of checksum token
1136	* - checksum of seqnum + results
1137	*/
1138
1139	nfsm_chain_get_32(error, nmc, reslen); // length of results
1140	if (reslen > NFS_MAXPACKET) {
1141	error = EBADRPC;
1142	goto nfsmout;
1143	}
1144
1145	/ Advance and fetch the mic /
1146	nmc_tmp = *nmc;
1147	nfsm_chain_adv(error, &nmc_tmp, reslen); // skip over the results
1148	nfsm_chain_get_32(error, &nmc_tmp, cksum.length);
1149	if (cksum.length > KRB5_MAX_MIC_SIZE) {
1150	error = EBADRPC;
1151	goto nfsmout;
1152	}
1153	MALLOC(cksum.value, void *, cksum.length, M_TEMP, M_WAITOK);
1154	nfsm_chain_get_opaque(error, &nmc_tmp, cksum.length, cksum.value);
1155	//XXX chop offf the cksum?
1156
1157	/ Call verify mic /
1158	offset = nfsm_chain_offset(nmc);
1159	major = gss_krb5_verify_mic_mbuf((uint32_t *)&error, cp->gss_clnt_ctx_id, nmc->nmc_mhead, offset, reslen, &cksum, NULL);
1160	FREE(cksum.value, M_TEMP);
1161	if (major != GSS_S_COMPLETE) {
1162	printf("client results: gss_krb5_verify_mic_mbuf failed %d\n", error);
1163	error = EBADRPC;
1164	goto nfsmout;
1165	}
1166
1167	/*
1168	* Get the sequence number prepended to the results
1169	* and compare it against the header.
1170	*/
1171	nfsm_chain_get_32(error, nmc, seqnum);
1172	if (gsp->gss_seqnum != seqnum) {
1173	error = EBADRPC;
1174	goto nfsmout;
1175	}
1176	#if 0
1177	SLIST_FOREACH(gsp, &req->r_gss_seqlist, gss_seqnext) {
1178	if (seqnum == gsp->gss_seqnum)
1179	break;
1180	}
1181	if (gsp == NULL) {
1182	error = EBADRPC;
1183	goto nfsmout;
1184	}
1185	#endif
1186	break;
1187	case RPCSEC_GSS_SVC_PRIVACY:
1188	/*
1189	* Here's what we expect in the privacy results:
1190	*
1191	* opaque encodeing of the wrap token
1192	* - length of wrap token
1193	* - wrap token
1194	*/
1195	prev_mbuf = nmc->nmc_mcur;
1196	nfsm_chain_get_32(error, nmc, reslen); // length of results
1197	if (reslen == `0` \|\| reslen > NFS_MAXPACKET) {
1198	error = EBADRPC;
1199	goto nfsmout;
1200	}
1201
1202	/ Get the wrap token (current mbuf in the chain starting at the current offset) /
1203	offset = nmc->nmc_ptr - (caddr_t)mbuf_data(nmc->nmc_mcur);
1204
1205	/ split out the wrap token /
1206	ressize = reslen;
1207	error = gss_normalize_mbuf(nmc->nmc_mcur, offset, &ressize, &results_mbuf, &pad_mbuf, `0`);
1208	if (error)
1209	goto nfsmout;
1210
1211	if (pad_mbuf) {
1212	assert(nfsm_pad(reslen) == mbuf_len(pad_mbuf));
1213	mbuf_free(pad_mbuf);
1214	}
1215
1216	major = gss_krb5_unwrap_mbuf((uint32_t *)&error, cp->gss_clnt_ctx_id, &results_mbuf, `0`, ressize, NULL, NULL);
1217	if (major) {
1218	printf("%s unwraped failed %d\n", __func__, error);
1219	goto nfsmout;
1220	}
1221
1222	/ Now replace the wrapped arguments with the unwrapped ones /
1223	mbuf_setnext(prev_mbuf, results_mbuf);
1224	nmc->nmc_mcur = results_mbuf;
1225	nmc->nmc_ptr = mbuf_data(results_mbuf);
1226	nmc->nmc_left = mbuf_len(results_mbuf);
1227
1228	/*
1229	* Get the sequence number prepended to the results
1230	* and compare it against the header
1231	*/
1232	nfsm_chain_get_32(error, nmc, seqnum);
1233	if (gsp->gss_seqnum != seqnum) {
1234	printf("%s bad seqnum\n", __func__);
1235	error = EBADRPC;
1236	goto nfsmout;
1237	}
1238	#if 0
1239	SLIST_FOREACH(gsp, &req->r_gss_seqlist, gss_seqnext) {
1240	if (seqnum == gsp->gss_seqnum)
1241	break;
1242	}
1243	if (gsp == NULL) {
1244	error = EBADRPC;
1245	goto nfsmout;
1246	}
1247	#endif
1248	break;
1249	}
1250	nfsmout:
1251	return (error);
1252	}
1253
1254	/*
1255	* An RPCSEC_GSS request with no integrity or privacy consists
1256	* of just the header mbufs followed by the arg mbufs.
1257	*
1258	* However, integrity or privacy the original mbufs have mbufs
1259	* prepended and appended to, which means we have to do some work to
1260	* restore the arg mbuf chain to its previous state in case we need to
1261	* retransmit.
1262	*
1263	* The location and length of the args is marked by two fields
1264	* in the request structure: r_gss_argoff and r_gss_arglen,
1265	* which are stashed when the NFS request is built.
1266	*/
1267	int
1268	nfs_gss_clnt_args_restore(struct nfsreq *req)
1269	{
1270	struct nfs_gss_clnt_ctx *cp = req->r_gss_ctx;
1271	struct nfsm_chain mchain, *nmc = &mchain;
1272	int error = `0`, merr;
1273
1274	if (cp == NULL)
1275	return (NFSERR_EAUTH);
1276
1277	if ((cp->gss_clnt_flags & GSS_CTX_COMPLETE) == `0`)
1278	return (ENEEDAUTH);
1279
1280	/ Nothing to restore for SVC_NONE /
1281	if (cp->gss_clnt_service == RPCSEC_GSS_SVC_NONE)
1282	return (`0`);
1283
1284	nfsm_chain_dissect_init(error, nmc, req->r_mhead); // start at RPC header
1285	nfsm_chain_adv(error, nmc, req->r_gss_argoff); // advance to args
1286	if (error)
1287	return (error);
1288
1289	if (cp->gss_clnt_service == RPCSEC_GSS_SVC_INTEGRITY)
1290	error = rpc_gss_integ_data_restore(cp->gss_clnt_ctx_id, &req->r_mrest, req->r_gss_arglen);
1291	else
1292	error = rpc_gss_priv_data_restore(cp->gss_clnt_ctx_id, &req->r_mrest, req->r_gss_arglen);
1293
1294	merr = mbuf_setnext(nmc->nmc_mcur, req->r_mrest); / Should always succeed /
1295	assert (merr == `0`);
1296
1297	return (error ? error : merr);
1298	}
1299
1300	/*
1301	* This function sets up a new context on the client.
1302	* Context setup alternates upcalls to the gssd with NFS nullproc calls
1303	* to the server. Each of these calls exchanges an opaque token, obtained
1304	* via the gssd's calls into the GSS-API on either the client or the server.
1305	* This cycle of calls ends when the client's upcall to the gssd and the
1306	* server's response both return GSS_S_COMPLETE. At this point, the client
1307	* should have its session key and a handle that it can use to refer to its
1308	* new context on the server.
1309	*/
1310	static int
1311	nfs_gss_clnt_ctx_init(struct nfsreq req, struct* nfs_gss_clnt_ctx *cp)
1312	{
1313	struct nfsmount *nmp = req->r_nmp;
1314	gss_buffer_desc cksum, window;
1315	uint32_t network_seqnum;
1316	int client_complete = `0`;
1317	int server_complete = `0`;
1318	int error = `0`;
1319	int retrycnt = `0`;
1320	uint32_t major;
1321
1322	/ Initialize a new client context /
1323
1324	if (cp->gss_clnt_svcname == NULL) {
1325	cp->gss_clnt_svcname = nfs_gss_clnt_svcname(nmp, &cp->gss_clnt_svcnt, &cp->gss_clnt_svcnamlen);
1326	if (cp->gss_clnt_svcname == NULL) {
1327	error = NFSERR_EAUTH;
1328	goto nfsmout;
1329	}
1330	}
1331
1332	cp->gss_clnt_proc = RPCSEC_GSS_INIT;
1333
1334	cp->gss_clnt_service =
1335	req->r_auth == RPCAUTH_KRB5 ? RPCSEC_GSS_SVC_NONE :
1336	req->r_auth == RPCAUTH_KRB5I ? RPCSEC_GSS_SVC_INTEGRITY :
1337	req->r_auth == RPCAUTH_KRB5P ? RPCSEC_GSS_SVC_PRIVACY : `0`;
1338
1339	/*
1340	* Now loop around alternating gss_init_sec_context and
1341	* gss_accept_sec_context upcalls to the gssd on the client
1342	* and server side until the context is complete - or fails.
1343	*/
1344	for (;;) {
1345	retry:
1346	/ Upcall to the gss_init_sec_context in the gssd /
1347	error = nfs_gss_clnt_gssd_upcall(req, cp, retrycnt);
1348	if (error)
1349	goto nfsmout;
1350
1351	if (cp->gss_clnt_major == GSS_S_COMPLETE) {
1352	client_complete = `1`;
1353	NFS_GSS_DBG("Client complete\n");
1354	if (server_complete)
1355	break;
1356	} else if (cp->gss_clnt_major != GSS_S_CONTINUE_NEEDED) {
1357	/*
1358	* We may have gotten here because the accept sec context
1359	* from the server failed and sent back a GSS token that
1360	* encapsulates a kerberos error token per RFC 1964/4121
1361	* with a status of GSS_S_CONTINUE_NEEDED. That caused us
1362	* to loop to the above up call and received the now
1363	* decoded errors.
1364	*/
1365	retrycnt++;
1366	cp->gss_clnt_gssd_flags \|= GSSD_RESTART;
1367	NFS_GSS_DBG("Retrying major = %x minor = %d\n", cp->gss_clnt_major, (int)cp->gss_clnt_minor);
1368	goto retry;
1369	}
1370
1371	/*
1372	* Pass the token to the server.
1373	*/
1374	error = nfs_gss_clnt_ctx_callserver(req, cp);
1375	if (error) {
1376	if (error == ENEEDAUTH &&
1377	(cp->gss_clnt_proc == RPCSEC_GSS_INIT \|\|
1378	cp->gss_clnt_proc == RPCSEC_GSS_CONTINUE_INIT)) {
1379	/*
1380	* We got here because the server had a problem
1381	* trying to establish a context and sent that there
1382	* was a context problem at the rpc sec layer. Perhaps
1383	* gss_accept_sec_context succeeded in user space,
1384	* but the kernel could not handle the etype
1385	* to generate the mic for the verifier of the rpc_sec
1386	* window size.
1387	*/
1388	retrycnt++;
1389	cp->gss_clnt_gssd_flags \|= GSSD_RESTART;
1390	NFS_GSS_DBG("Retrying major = %x minor = %d\n", cp->gss_clnt_major, (int)cp->gss_clnt_minor);
1391	goto retry;
1392	}
1393	goto nfsmout;
1394	}
1395	if (cp->gss_clnt_major == GSS_S_COMPLETE) {
1396	NFS_GSS_DBG("Server complete\n");
1397	server_complete = `1`;
1398	if (client_complete)
1399	break;
1400	} else if (cp->gss_clnt_major == GSS_S_CONTINUE_NEEDED) {
1401	cp->gss_clnt_proc = RPCSEC_GSS_CONTINUE_INIT;
1402	} else {
1403	/ Server didn't like us. Try something else /
1404	retrycnt++;
1405	cp->gss_clnt_gssd_flags \|= GSSD_RESTART;
1406	NFS_GSS_DBG("Retrying major = %x minor = %d\n", cp->gss_clnt_major, (int)cp->gss_clnt_minor);
1407	}
1408	}
1409
1410	/*
1411	* The context is apparently established successfully
1412	*/
1413	lck_mtx_lock(cp->gss_clnt_mtx);
1414	cp->gss_clnt_flags \|= GSS_CTX_COMPLETE;
1415	lck_mtx_unlock(cp->gss_clnt_mtx);
1416	cp->gss_clnt_proc = RPCSEC_GSS_DATA;
1417
1418	network_seqnum = htonl(cp->gss_clnt_seqwin);
1419	window.length = sizeof (cp->gss_clnt_seqwin);
1420	window.value = &network_seqnum;
1421	cksum.value = cp->gss_clnt_verf;
1422	cksum.length = cp->gss_clnt_verflen;
1423	major = gss_krb5_verify_mic((uint32_t *)&error, cp->gss_clnt_ctx_id, &window, &cksum, NULL);
1424	cp->gss_clnt_verflen = `0`;
1425	FREE(cp->gss_clnt_verf, M_TEMP);
1426	cp->gss_clnt_verf = NULL;
1427	if (major != GSS_S_COMPLETE) {
1428	printf("%s: could not verify window\n", __func__);
1429	error = NFSERR_EAUTH;
1430	goto nfsmout;
1431	}
1432
1433	/*
1434	* Set an initial sequence number somewhat randomized.
1435	* Start small so we don't overflow GSS_MAXSEQ too quickly.
1436	* Add the size of the sequence window so seqbits arithmetic
1437	* doesn't go negative.
1438	*/
1439	cp->gss_clnt_seqnum = (random() & `0xffff`) + cp->gss_clnt_seqwin;
1440
1441	/*
1442	* Allocate a bitmap to keep track of which requests
1443	* are pending within the sequence number window.
1444	*/
1445	MALLOC(cp->gss_clnt_seqbits, uint32_t *,
1446	nfsm_rndup((cp->gss_clnt_seqwin + `7`) / `8`), M_TEMP, M_WAITOK\|M_ZERO);
1447	if (cp->gss_clnt_seqbits == NULL)
1448	error = NFSERR_EAUTH;
1449
1450	nfsmout:
1451	/*
1452	* If the error is ENEEDAUTH we're not done, so no need
1453	* to wake up other threads again. This thread will retry in
1454	* the find or renew routines.
1455	*/
1456	if (error == ENEEDAUTH) {
1457	NFS_GSS_DBG("Returning ENEEDAUTH\n");
1458	return (error);
1459	}
1460
1461	/*
1462	* If there's an error, just mark it as invalid.
1463	* It will be removed when the reference count
1464	* drops to zero.
1465	*/
1466	lck_mtx_lock(cp->gss_clnt_mtx);
1467	if (error)
1468	cp->gss_clnt_flags \|= GSS_CTX_INVAL;
1469
1470	/*
1471	* Wake any threads waiting to use the context
1472	*/
1473	cp->gss_clnt_thread = NULL;
1474	if (cp->gss_clnt_flags & GSS_NEEDCTX) {
1475	cp->gss_clnt_flags &= ~GSS_NEEDCTX;
1476	wakeup(cp);
1477	}
1478	lck_mtx_unlock(cp->gss_clnt_mtx);
1479
1480	NFS_GSS_DBG("Returning error = %d\n", error);
1481	return (error);
1482	}
1483
1484	/*
1485	* This function calls nfs_gss_clnt_ctx_init() to set up a new context.
1486	* But if there's a failure in trying to establish the context it keeps
1487	* retrying at progressively longer intervals in case the failure is
1488	* due to some transient condition. For instance, the server might be
1489	* failing the context setup because directory services is not coming
1490	* up in a timely fashion.
1491	*/
1492	static int
1493	nfs_gss_clnt_ctx_init_retry(struct nfsreq req, struct* nfs_gss_clnt_ctx *cp)
1494	{
1495	struct nfsmount *nmp = req->r_nmp;
1496	struct timeval now;
1497	time_t waituntil;
1498	int error, slpflag;
1499	int retries = `0`;
1500	int timeo = NFS_TRYLATERDEL;
1501
1502	if (nfs_mount_gone(nmp)) {
1503	error = ENXIO;
1504	goto bad;
1505	}
1506
1507	/ For an "intr" mount allow a signal to interrupt the retries /
1508	slpflag = (NMFLAG(nmp, INTR) && !(req->r_flags & R_NOINTR)) ? PCATCH : `0`;
1509
1510	while ((error = nfs_gss_clnt_ctx_init(req, cp)) == ENEEDAUTH) {
1511	microuptime(&now);
1512	waituntil = now.tv_sec + timeo;
1513	while (now.tv_sec < waituntil) {
1514	tsleep(NULL, PSOCK \| slpflag, "nfs_gss_clnt_ctx_init_retry", hz);
1515	slpflag = `0`;
1516	error = nfs_sigintr(req->r_nmp, req, current_thread(), `0`);
1517	if (error)
1518	goto bad;
1519	microuptime(&now);
1520	}
1521
1522	retries++;
1523	/ If it's a soft mount just give up after a while /
1524	if ((NMFLAG(nmp, SOFT) \|\| (req->r_flags & R_SOFT)) && (retries > nmp->nm_retry)) {
1525	error = ETIMEDOUT;
1526	goto bad;
1527	}
1528	timeo *= `2`;
1529	if (timeo > `60`)
1530	timeo = `60`;
1531	}
1532
1533	if (error == `0`)
1534	return `0`; // success
1535	bad:
1536	/*
1537	* Give up on this context
1538	*/
1539	lck_mtx_lock(cp->gss_clnt_mtx);
1540	cp->gss_clnt_flags \|= GSS_CTX_INVAL;
1541
1542	/*
1543	* Wake any threads waiting to use the context
1544	*/
1545	cp->gss_clnt_thread = NULL;
1546	if (cp->gss_clnt_flags & GSS_NEEDCTX) {
1547	cp->gss_clnt_flags &= ~GSS_NEEDCTX;
1548	wakeup(cp);
1549	}
1550	lck_mtx_unlock(cp->gss_clnt_mtx);
1551
1552	return error;
1553	}
1554
1555	/*
1556	* Call the NFS server using a null procedure for context setup.
1557	* Even though it's a null procedure and nominally has no arguments
1558	* RFC 2203 requires that the GSS-API token be passed as an argument
1559	* and received as a reply.
1560	*/
1561	static int
1562	nfs_gss_clnt_ctx_callserver(struct nfsreq req, struct* nfs_gss_clnt_ctx *cp)
1563	{
1564	struct nfsm_chain nmreq, nmrep;
1565	int error = `0`, status;
1566	uint32_t major = cp->gss_clnt_major, minor = cp->gss_clnt_minor;
1567	int sz;
1568
1569	if (nfs_mount_gone(req->r_nmp))
1570	return (ENXIO);
1571	nfsm_chain_null(&nmreq);
1572	nfsm_chain_null(&nmrep);
1573	sz = NFSX_UNSIGNED + nfsm_rndup(cp->gss_clnt_tokenlen);
1574	nfsm_chain_build_alloc_init(error, &nmreq, sz);
1575	nfsm_chain_add_32(error, &nmreq, cp->gss_clnt_tokenlen);
1576	if (cp->gss_clnt_tokenlen > `0`)
1577	nfsm_chain_add_opaque(error, &nmreq, cp->gss_clnt_token, cp->gss_clnt_tokenlen);
1578	nfsm_chain_build_done(error, &nmreq);
1579	if (error)
1580	goto nfsmout;
1581
1582	/ Call the server /
1583	error = nfs_request_gss(req->r_nmp->nm_mountp, &nmreq, req->r_thread, req->r_cred,
1584	(req->r_flags & R_OPTMASK), cp, &nmrep, &status);
1585	if (cp->gss_clnt_token != NULL) {
1586	FREE(cp->gss_clnt_token, M_TEMP);
1587	cp->gss_clnt_token = NULL;
1588	}
1589	if (!error)
1590	error = status;
1591	if (error)
1592	goto nfsmout;
1593
1594	/ Get the server's reply /
1595
1596	nfsm_chain_get_32(error, &nmrep, cp->gss_clnt_handle_len);
1597	if (cp->gss_clnt_handle != NULL) {
1598	FREE(cp->gss_clnt_handle, M_TEMP);
1599	cp->gss_clnt_handle = NULL;
1600	}
1601	if (cp->gss_clnt_handle_len > `0` && cp->gss_clnt_handle_len < GSS_MAX_CTX_HANDLE_LEN) {
1602	MALLOC(cp->gss_clnt_handle, u_char *, cp->gss_clnt_handle_len, M_TEMP, M_WAITOK);
1603	if (cp->gss_clnt_handle == NULL) {
1604	error = ENOMEM;
1605	goto nfsmout;
1606	}
1607	nfsm_chain_get_opaque(error, &nmrep, cp->gss_clnt_handle_len, cp->gss_clnt_handle);
1608	} else {
1609	error = EBADRPC;
1610	}
1611	nfsm_chain_get_32(error, &nmrep, cp->gss_clnt_major);
1612	nfsm_chain_get_32(error, &nmrep, cp->gss_clnt_minor);
1613	nfsm_chain_get_32(error, &nmrep, cp->gss_clnt_seqwin);
1614	nfsm_chain_get_32(error, &nmrep, cp->gss_clnt_tokenlen);
1615	if (error)
1616	goto nfsmout;
1617	if (cp->gss_clnt_tokenlen > `0` && cp->gss_clnt_tokenlen < GSS_MAX_TOKEN_LEN) {
1618	MALLOC(cp->gss_clnt_token, u_char *, cp->gss_clnt_tokenlen, M_TEMP, M_WAITOK);
1619	if (cp->gss_clnt_token == NULL) {
1620	error = ENOMEM;
1621	goto nfsmout;
1622	}
1623	nfsm_chain_get_opaque(error, &nmrep, cp->gss_clnt_tokenlen, cp->gss_clnt_token);
1624	} else {
1625	error = EBADRPC;
1626	}
1627
1628	/*
1629	* Make sure any unusual errors are expanded and logged by gssd
1630	*/
1631	if (cp->gss_clnt_major != GSS_S_COMPLETE &&
1632	cp->gss_clnt_major != GSS_S_CONTINUE_NEEDED) {
1633
1634	printf("nfs_gss_clnt_ctx_callserver: gss_clnt_major = %d\n", cp->gss_clnt_major);
1635	nfs_gss_clnt_log_error(req, cp, major, minor);
1636
1637	}
1638
1639	nfsmout:
1640	nfsm_chain_cleanup(&nmreq);
1641	nfsm_chain_cleanup(&nmrep);
1642
1643	return (error);
1644	}
1645
1646	/*
1647	* We construct the service principal as a gss hostbased service principal of
1648	* the form nfs@<server>, unless the servers principal was passed down in the
1649	* mount arguments. If the arguments don't specify the service principal, the
1650	* server name is extracted the location passed in the mount argument if
1651	* available. Otherwise assume a format of <server>:<path> in the
1652	* mntfromname. We don't currently support url's or other bizarre formats like
1653	* path@server. Mount_url will convert the nfs url into <server>:<path> when
1654	* calling mount, so this works out well in practice.
1655	*
1656	*/
1657
1658	static uint8_t *
1659	nfs_gss_clnt_svcname(struct nfsmount nmp, gssd_nametype nt, uint32_t *len)
1660	{
1661	char svcname, d, *server;
1662	int lindx, sindx;
1663
1664	if (nfs_mount_gone(nmp))
1665	return (NULL);
1666
1667	if (nmp->nm_sprinc) {
1668	*len = strlen(nmp->nm_sprinc) + `1`;
1669	MALLOC(svcname, char , len, M_TEMP, M_WAITOK);
1670	*nt = GSSD_HOSTBASED;
1671	if (svcname == NULL)
1672	return (NULL);
1673	strlcpy(svcname, nmp->nm_sprinc, *len);
1674
1675	return ((uint8_t *)svcname);
1676	}
1677
1678	*nt = GSSD_HOSTBASED;
1679	if (nmp->nm_locations.nl_numlocs && !(NFS_GSS_ISDBG && (NFS_DEBUG_FLAGS & `0x1`))) {
1680	lindx = nmp->nm_locations.nl_current.nli_loc;
1681	sindx = nmp->nm_locations.nl_current.nli_serv;
1682	server = nmp->nm_locations.nl_locations[lindx]->nl_servers[sindx]->ns_name;
1683	*len = (uint32_t)strlen(server);
1684	} else {
1685	/ Older binaries using older mount args end up here /
1686	server = vfs_statfs(nmp->nm_mountp)->f_mntfromname;
1687	NFS_GSS_DBG("nfs getting gss svcname from %s\n", server);
1688	d = strchr(server, `':'`);
1689	*len = (uint32_t)(d ? (d - server) : strlen(server));
1690	}
1691
1692	len += `5`; /* "nfs@" plus null /
1693	MALLOC(svcname, char , len, M_TEMP, M_WAITOK);
1694	strlcpy(svcname, "nfs", *len);
1695	strlcat(svcname, "@", *len);
1696	strlcat(svcname, server, *len);
1697	NFS_GSS_DBG("nfs svcname = %s\n", svcname);
1698
1699	return ((uint8_t *)svcname);
1700	}
1701
1702	/*
1703	* Get a mach port to talk to gssd.
1704	* gssd lives in the root bootstrap, so we call gssd's lookup routine
1705	* to get a send right to talk to a new gssd instance that launchd has launched
1706	* based on the cred's uid and audit session id.
1707	*/
1708
1709	static mach_port_t
1710	nfs_gss_clnt_get_upcall_port(kauth_cred_t credp)
1711	{
1712	mach_port_t gssd_host_port, uc_port = IPC_PORT_NULL;
1713	kern_return_t kr;
1714	au_asid_t asid;
1715	uid_t uid;
1716
1717	kr = host_get_gssd_port(host_priv_self(), &gssd_host_port);
1718	if (kr != KERN_SUCCESS) {
1719	printf("nfs_gss_get_upcall_port: can't get gssd port, status %x (%d)\n", kr, kr);
1720	return (IPC_PORT_NULL);
1721	}
1722	if (!IPC_PORT_VALID(gssd_host_port)) {
1723	printf("nfs_gss_get_upcall_port: gssd port not valid\n");
1724	return (IPC_PORT_NULL);
1725	}
1726
1727	asid = kauth_cred_getasid(credp);
1728	uid = kauth_cred_getauid(credp);
1729	if (uid == AU_DEFAUDITID)
1730	uid = kauth_cred_getuid(credp);
1731	kr = mach_gss_lookup(gssd_host_port, uid, asid, &uc_port);
1732	if (kr != KERN_SUCCESS)
1733	printf("nfs_gss_clnt_get_upcall_port: mach_gssd_lookup failed: status %x (%d)\n", kr, kr);
1734	host_release_special_port(gssd_host_port);
1735
1736	return (uc_port);
1737	}
1738
1739
1740	static void
1741	nfs_gss_clnt_log_error(struct nfsreq req, struct* nfs_gss_clnt_ctx *cp, uint32_t major, uint32_t minor)
1742	{
1743	#define GETMAJERROR(x) (((x) >> GSS_C_ROUTINE_ERROR_OFFSET) & GSS_C_ROUTINE_ERROR_MASK)
1744	struct nfsmount *nmp = req->r_nmp;
1745	char who[] = "client";
1746	uint32_t gss_error = GETMAJERROR(cp->gss_clnt_major);
1747	const char *procn = "unkown";
1748	proc_t proc;
1749	pid_t pid = -`1`;
1750	struct timeval now;
1751
1752	if (req->r_thread) {
1753	proc = (proc_t)get_bsdthreadtask_info(req->r_thread);
1754	if (proc != NULL && (proc->p_fd == NULL \|\| (proc->p_lflag & P_LVFORK)))
1755	proc = NULL;
1756	if (proc) {
1757	if (*proc->p_comm)
1758	procn = proc->p_comm;
1759	pid = proc->p_pid;
1760	}
1761	} else {
1762	procn = "kernproc";
1763	pid = `0`;
1764	}
1765
1766	microuptime(&now);
1767	if ((cp->gss_clnt_major != major \|\| cp->gss_clnt_minor != minor \|\|
1768	cp->gss_clnt_ptime + GSS_PRINT_DELAY < now.tv_sec) &&
1769	(nmp->nm_state & NFSSTA_MOUNTED)) {
1770	/*
1771	* Will let gssd do some logging in hopes that it can translate
1772	* the minor code.
1773	*/
1774	if (cp->gss_clnt_minor && cp->gss_clnt_minor != minor) {
1775	(void) mach_gss_log_error(
1776	cp->gss_clnt_mport,
1777	vfs_statfs(nmp->nm_mountp)->f_mntfromname,
1778	kauth_cred_getuid(cp->gss_clnt_cred),
1779	who,
1780	cp->gss_clnt_major,
1781	cp->gss_clnt_minor);
1782	}
1783	gss_error = gss_error ? gss_error : cp->gss_clnt_major;
1784
1785	/*
1786	*%%% It would be really nice to get the terminal from the proc or auditinfo_addr struct and print that here.
1787	*/
1788	printf("NFS: gssd auth failure by %s on audit session %d uid %d proc %s/%d for mount %s. Error: major = %d minor = %d\n",
1789	cp->gss_clnt_display ? cp->gss_clnt_display : who, kauth_cred_getasid(req->r_cred), kauth_cred_getuid(req->r_cred),
1790	procn, pid, vfs_statfs(nmp->nm_mountp)->f_mntfromname, gss_error, (int32_t)cp->gss_clnt_minor);
1791	cp->gss_clnt_ptime = now.tv_sec;
1792	switch (gss_error) {
1793	case `7`: printf("NFS: gssd does not have credentials for session %d/%d, (kinit)?\n",
1794	kauth_cred_getasid(req->r_cred), kauth_cred_getauid(req->r_cred));
1795	break;
1796	case `11`: printf("NFS: gssd has expired credentals for session %d/%d, (kinit)?\n",
1797	kauth_cred_getasid(req->r_cred), kauth_cred_getauid(req->r_cred));
1798	break;
1799	}
1800	} else {
1801	NFS_GSS_DBG("NFS: gssd auth failure by %s on audit session %d uid %d proc %s/%d for mount %s. Error: major = %d minor = %d\n",
1802	cp->gss_clnt_display ? cp->gss_clnt_display : who, kauth_cred_getasid(req->r_cred), kauth_cred_getuid(req->r_cred),
1803	procn, pid, vfs_statfs(nmp->nm_mountp)->f_mntfromname, gss_error, (int32_t)cp->gss_clnt_minor);
1804	}
1805	}
1806
1807	/*
1808	* Make an upcall to the gssd using Mach RPC
1809	* The upcall is made using a host special port.
1810	* This allows launchd to fire up the gssd in the
1811	* user's session. This is important, since gssd
1812	* must have access to the user's credential cache.
1813	*/
1814	static int
1815	nfs_gss_clnt_gssd_upcall(struct nfsreq req, struct* nfs_gss_clnt_ctx *cp, uint32_t retrycnt)
1816	{
1817	kern_return_t kr;
1818	gssd_byte_buffer octx = NULL;
1819	uint32_t lucidlen = `0`;
1820	void *lucid_ctx_buffer;
1821	int retry_cnt = `0`;
1822	vm_map_copy_t itoken = NULL;
1823	gssd_byte_buffer otoken = NULL;
1824	mach_msg_type_number_t otokenlen;
1825	int error = `0`;
1826	uint8_t *principal = NULL;
1827	uint32_t plen = `0`;
1828	int32_t nt = GSSD_STRING_NAME;
1829	vm_map_copy_t pname = NULL;
1830	vm_map_copy_t svcname = NULL;
1831	char display_name[MAX_DISPLAY_STR] = "";
1832	uint32_t ret_flags;
1833	struct nfsmount *nmp = req->r_nmp;
1834	uint32_t major = cp->gss_clnt_major, minor = cp->gss_clnt_minor;
1835	uint32_t selected = (uint32_t)-`1`;
1836	struct nfs_etype etype;
1837
1838	if (nmp == NULL \|\| vfs_isforce(nmp->nm_mountp) \|\| (nmp->nm_state & (NFSSTA_FORCE \| NFSSTA_DEAD)))
1839	return (ENXIO);
1840
1841	if (cp->gss_clnt_gssd_flags & GSSD_RESTART) {
1842	if (cp->gss_clnt_token)
1843	FREE(cp->gss_clnt_token, M_TEMP);
1844	cp->gss_clnt_token = NULL;
1845	cp->gss_clnt_tokenlen = `0`;
1846	cp->gss_clnt_proc = RPCSEC_GSS_INIT;
1847	/ Server's handle isn't valid. Don't reuse /
1848	cp->gss_clnt_handle_len = `0`;
1849	if (cp->gss_clnt_handle != NULL) {
1850	FREE(cp->gss_clnt_handle, M_TEMP);
1851	cp->gss_clnt_handle = NULL;
1852	}
1853	}
1854
1855	NFS_GSS_DBG("Retrycnt = %d nm_etype.count = %d\n", retrycnt, nmp->nm_etype.count);
1856	if (retrycnt >= nmp->nm_etype.count)
1857	return (EACCES);
1858
1859	/ Copy the mount etypes to an order set of etypes to try /
1860	etype = nmp->nm_etype;
1861
1862	/*
1863	* If we've already selected an etype, lets put that first in our
1864	* array of etypes to try, since overwhelmingly, that is likely
1865	* to be the etype we want.
1866	*/
1867	if (etype.selected < etype.count) {
1868	etype.etypes[`0`] = nmp->nm_etype.etypes[etype.selected];
1869	for (uint32_t i = `0`; i < etype.selected; i++)
1870	etype.etypes[i+`1`] = nmp->nm_etype.etypes[i];
1871	for (uint32_t i = etype.selected + `1`; i < etype.count; i++)
1872	etype.etypes[i] = nmp->nm_etype.etypes[i];
1873	}
1874
1875	/ Remove the ones we've already have tried /
1876	for (uint32_t i = retrycnt; i < etype.count; i++)
1877	etype.etypes[i - retrycnt] = etype.etypes[i];
1878	etype.count = etype.count - retrycnt;
1879
1880	NFS_GSS_DBG("etype count = %d preferred etype = %d\n", etype.count, etype.etypes[`0`]);
1881
1882	/*
1883	* NFS currently only supports default principals or
1884	* principals based on the uid of the caller, unless
1885	* the principal to use for the mounting cred was specified
1886	* in the mount argmuments. If the realm to use was specified
1887	* then will send that up as the principal since the realm is
1888	* preceed by an "@" gssd that will try and select the default
1889	* principal for that realm.
1890	*/
1891
1892	if (cp->gss_clnt_principal && cp->gss_clnt_prinlen) {
1893	principal = cp->gss_clnt_principal;
1894	plen = cp->gss_clnt_prinlen;
1895	nt = cp->gss_clnt_prinnt;
1896	} else if (nmp->nm_principal && IS_VALID_CRED(nmp->nm_mcred) && req->r_cred == nmp->nm_mcred) {
1897	plen = (uint32_t)strlen(nmp->nm_principal);
1898	principal = (uint8_t *)nmp->nm_principal;
1899	cp->gss_clnt_prinnt = nt = GSSD_USER;
1900	}
1901	else if (nmp->nm_realm) {
1902	plen = (uint32_t)strlen(nmp->nm_realm);
1903	principal = (uint8_t *)nmp->nm_realm;
1904	nt = GSSD_USER;
1905	}
1906
1907	if (!IPC_PORT_VALID(cp->gss_clnt_mport)) {
1908	cp->gss_clnt_mport = nfs_gss_clnt_get_upcall_port(req->r_cred);
1909	if (cp->gss_clnt_mport == IPC_PORT_NULL)
1910	goto out;
1911	}
1912
1913	if (plen)
1914	nfs_gss_mach_alloc_buffer(principal, plen, &pname);
1915	if (cp->gss_clnt_svcnamlen)
1916	nfs_gss_mach_alloc_buffer(cp->gss_clnt_svcname, cp->gss_clnt_svcnamlen, &svcname);
1917	if (cp->gss_clnt_tokenlen)
1918	nfs_gss_mach_alloc_buffer(cp->gss_clnt_token, cp->gss_clnt_tokenlen, &itoken);
1919
1920	/ Always want to export the lucid context /
1921	cp->gss_clnt_gssd_flags \|= GSSD_LUCID_CONTEXT;
1922
1923	retry:
1924	kr = mach_gss_init_sec_context_v3(
1925	cp->gss_clnt_mport,
1926	GSSD_KRB5_MECH,
1927	(gssd_byte_buffer) itoken, (mach_msg_type_number_t) cp->gss_clnt_tokenlen,
1928	kauth_cred_getuid(cp->gss_clnt_cred),
1929	nt,
1930	(gssd_byte_buffer)pname, (mach_msg_type_number_t) plen,
1931	cp->gss_clnt_svcnt,
1932	(gssd_byte_buffer)svcname, (mach_msg_type_number_t) cp->gss_clnt_svcnamlen,
1933	GSSD_MUTUAL_FLAG,
1934	(gssd_etype_list)etype.etypes, (mach_msg_type_number_t)etype.count,
1935	&cp->gss_clnt_gssd_flags,
1936	&cp->gss_clnt_context,
1937	&cp->gss_clnt_cred_handle,
1938	&ret_flags,
1939	&octx, (mach_msg_type_number_t *) &lucidlen,
1940	&otoken, &otokenlen,
1941	cp->gss_clnt_display ? NULL : display_name,
1942	&cp->gss_clnt_major,
1943	&cp->gss_clnt_minor);
1944
1945	/ Clear the RESTART flag /
1946	cp->gss_clnt_gssd_flags &= ~GSSD_RESTART;
1947	if (cp->gss_clnt_major != GSS_S_CONTINUE_NEEDED) {
1948	/ We're done with the gssd handles /
1949	cp->gss_clnt_context = `0`;
1950	cp->gss_clnt_cred_handle = `0`;
1951	}
1952
1953	if (kr != KERN_SUCCESS) {
1954	printf("nfs_gss_clnt_gssd_upcall: mach_gss_init_sec_context failed: %x (%d)\n", kr, kr);
1955	if (kr == MIG_SERVER_DIED && cp->gss_clnt_cred_handle == `0` &&
1956	retry_cnt++ < NFS_GSS_MACH_MAX_RETRIES &&
1957	!vfs_isforce(nmp->nm_mountp) && (nmp->nm_state & (NFSSTA_FORCE \| NFSSTA_DEAD)) == `0`) {
1958	if (plen)
1959	nfs_gss_mach_alloc_buffer(principal, plen, &pname);
1960	if (cp->gss_clnt_svcnamlen)
1961	nfs_gss_mach_alloc_buffer(cp->gss_clnt_svcname, cp->gss_clnt_svcnamlen, &svcname);
1962	if (cp->gss_clnt_tokenlen > `0`)
1963	nfs_gss_mach_alloc_buffer(cp->gss_clnt_token, cp->gss_clnt_tokenlen, &itoken);
1964	goto retry;
1965	}
1966
1967	host_release_special_port(cp->gss_clnt_mport);
1968	cp->gss_clnt_mport = IPC_PORT_NULL;
1969	goto out;
1970	}
1971
1972	if (cp->gss_clnt_display == NULL && *display_name != `'\0'`) {
1973	int dlen = strnlen(display_name, MAX_DISPLAY_STR) + `1`; / Add extra byte to include '\0' /
1974
1975	if (dlen < MAX_DISPLAY_STR) {
1976	MALLOC(cp->gss_clnt_display, char *, dlen, M_TEMP, M_WAITOK);
1977	if (cp->gss_clnt_display == NULL)
1978	goto skip;
1979	bcopy(display_name, cp->gss_clnt_display, dlen);
1980	} else {
1981	goto skip;
1982	}
1983	}
1984	skip:
1985	/*
1986	* Make sure any unusual errors are expanded and logged by gssd
1987	*
1988	* XXXX, we need to rethink this and just have gssd return a string for the major and minor codes.
1989	*/
1990	if (cp->gss_clnt_major != GSS_S_COMPLETE &&
1991	cp->gss_clnt_major != GSS_S_CONTINUE_NEEDED) {
1992	NFS_GSS_DBG("Up call returned error\n");
1993	nfs_gss_clnt_log_error(req, cp, major, minor);
1994	/ Server's handle isn't valid. Don't reuse /
1995	cp->gss_clnt_handle_len = `0`;
1996	if (cp->gss_clnt_handle != NULL) {
1997	FREE(cp->gss_clnt_handle, M_TEMP);
1998	cp->gss_clnt_handle = NULL;
1999	}
2000	}
2001
2002	if (lucidlen > `0`) {
2003	if (lucidlen > MAX_LUCIDLEN) {
2004	printf("nfs_gss_clnt_gssd_upcall: bad context length (%d)\n", lucidlen);
2005	vm_map_copy_discard((vm_map_copy_t) octx);
2006	vm_map_copy_discard((vm_map_copy_t) otoken);
2007	goto out;
2008	}
2009	MALLOC(lucid_ctx_buffer, void *, lucidlen, M_TEMP, M_WAITOK \| M_ZERO);
2010	error = nfs_gss_mach_vmcopyout((vm_map_copy_t) octx, lucidlen, lucid_ctx_buffer);
2011	if (error) {
2012	vm_map_copy_discard((vm_map_copy_t) otoken);
2013	goto out;
2014	}
2015
2016	if (cp->gss_clnt_ctx_id)
2017	gss_krb5_destroy_context(cp->gss_clnt_ctx_id);
2018	cp->gss_clnt_ctx_id = gss_krb5_make_context(lucid_ctx_buffer, lucidlen);
2019	if (cp->gss_clnt_ctx_id == NULL) {
2020	printf("Failed to make context from lucid_ctx_buffer\n");
2021	goto out;
2022	}
2023	for (uint32_t i = `0`; i < nmp->nm_etype.count; i++) {
2024	if (nmp->nm_etype.etypes[i] == cp->gss_clnt_ctx_id->gss_cryptor.etype) {
2025	selected = i;
2026	break;
2027	}
2028	}
2029	}
2030
2031	/ Free context token used as input /
2032	if (cp->gss_clnt_token)
2033	FREE(cp->gss_clnt_token, M_TEMP);
2034	cp->gss_clnt_token = NULL;
2035	cp->gss_clnt_tokenlen = `0`;
2036
2037	if (otokenlen > `0`) {
2038	/ Set context token to gss output token /
2039	MALLOC(cp->gss_clnt_token, u_char *, otokenlen, M_TEMP, M_WAITOK);
2040	if (cp->gss_clnt_token == NULL) {
2041	printf("nfs_gss_clnt_gssd_upcall: could not allocate %d bytes\n", otokenlen);
2042	vm_map_copy_discard((vm_map_copy_t) otoken);
2043	return (ENOMEM);
2044	}
2045	error = nfs_gss_mach_vmcopyout((vm_map_copy_t) otoken, otokenlen, cp->gss_clnt_token);
2046	if (error) {
2047	printf("Could not copyout gss token\n");
2048	FREE(cp->gss_clnt_token, M_TEMP);
2049	cp->gss_clnt_token = NULL;
2050	return (NFSERR_EAUTH);
2051	}
2052	cp->gss_clnt_tokenlen = otokenlen;
2053	}
2054
2055	if (selected != (uint32_t)-`1`) {
2056	nmp->nm_etype.selected = selected;
2057	NFS_GSS_DBG("etype selected = %d\n", nmp->nm_etype.etypes[selected]);
2058	}
2059	NFS_GSS_DBG("Up call succeeded major = %d\n", cp->gss_clnt_major);
2060	return (`0`);
2061
2062	out:
2063	if (cp->gss_clnt_token)
2064	FREE(cp->gss_clnt_token, M_TEMP);
2065	cp->gss_clnt_token = NULL;
2066	cp->gss_clnt_tokenlen = `0`;
2067	/ Server's handle isn't valid. Don't reuse /
2068	cp->gss_clnt_handle_len = `0`;
2069	if (cp->gss_clnt_handle != NULL) {
2070	FREE(cp->gss_clnt_handle, M_TEMP);
2071	cp->gss_clnt_handle = NULL;
2072	}
2073
2074	NFS_GSS_DBG("Up call returned NFSERR_EAUTH");
2075	return (NFSERR_EAUTH);
2076	}
2077
2078	/*
2079	* Invoked at the completion of an RPC call that uses an RPCSEC_GSS
2080	* credential. The sequence number window that the server returns
2081	* at context setup indicates the maximum number of client calls that
2082	* can be outstanding on a context. The client maintains a bitmap that
2083	* represents the server's window. Each pending request has a bit set
2084	* in the window bitmap. When a reply comes in or times out, we reset
2085	* the bit in the bitmap and if there are any other threads waiting for
2086	* a context slot we notify the waiting thread(s).
2087	*
2088	* Note that if a request is retransmitted, it will have a single XID
2089	* but it may be associated with multiple sequence numbers. So we
2090	* may have to reset multiple sequence number bits in the window bitmap.
2091	*/
2092	void
2093	nfs_gss_clnt_rpcdone(struct nfsreq *req)
2094	{
2095	struct nfs_gss_clnt_ctx *cp = req->r_gss_ctx;
2096	struct gss_seq gsp, ngsp;
2097	int i = `0`;
2098
2099	if (cp == NULL \|\| !(cp->gss_clnt_flags & GSS_CTX_COMPLETE))
2100	return; // no context - don't bother
2101	/*
2102	* Reset the bit for this request in the
2103	* sequence number window to indicate it's done.
2104	* We do this even if the request timed out.
2105	*/
2106	lck_mtx_lock(cp->gss_clnt_mtx);
2107	gsp = SLIST_FIRST(&req->r_gss_seqlist);
2108	if (gsp && gsp->gss_seqnum > (cp->gss_clnt_seqnum - cp->gss_clnt_seqwin))
2109	win_resetbit(cp->gss_clnt_seqbits,
2110	gsp->gss_seqnum % cp->gss_clnt_seqwin);
2111
2112	/*
2113	* Limit the seqnum list to GSS_CLNT_SEQLISTMAX entries
2114	*/
2115	SLIST_FOREACH_SAFE(gsp, &req->r_gss_seqlist, gss_seqnext, ngsp) {
2116	if (++i > GSS_CLNT_SEQLISTMAX) {
2117	SLIST_REMOVE(&req->r_gss_seqlist, gsp, gss_seq, gss_seqnext);
2118	FREE(gsp, M_TEMP);
2119	}
2120	}
2121
2122	/*
2123	* If there's a thread waiting for
2124	* the window to advance, wake it up.
2125	*/
2126	if (cp->gss_clnt_flags & GSS_NEEDSEQ) {
2127	cp->gss_clnt_flags &= ~GSS_NEEDSEQ;
2128	wakeup(cp);
2129	}
2130	lck_mtx_unlock(cp->gss_clnt_mtx);
2131	}
2132
2133	/*
2134	* Create a reference to a context from a request
2135	* and bump the reference count
2136	*/
2137	void
2138	nfs_gss_clnt_ctx_ref(struct nfsreq req, struct* nfs_gss_clnt_ctx *cp)
2139	{
2140	req->r_gss_ctx = cp;
2141
2142	lck_mtx_lock(cp->gss_clnt_mtx);
2143	cp->gss_clnt_refcnt++;
2144	lck_mtx_unlock(cp->gss_clnt_mtx);
2145	}
2146
2147	/*
2148	* Remove a context reference from a request
2149	* If the reference count drops to zero, and the
2150	* context is invalid, destroy the context
2151	*/
2152	void
2153	nfs_gss_clnt_ctx_unref(struct nfsreq *req)
2154	{
2155	struct nfsmount *nmp = req->r_nmp;
2156	struct nfs_gss_clnt_ctx *cp = req->r_gss_ctx;
2157	int on_neg_cache = `0`;
2158	int neg_cache = `0`;
2159	int destroy = `0`;
2160	struct timeval now;
2161	char CTXBUF[NFS_CTXBUFSZ];
2162
2163	if (cp == NULL)
2164	return;
2165
2166	req->r_gss_ctx = NULL;
2167
2168	lck_mtx_lock(cp->gss_clnt_mtx);
2169	if (--cp->gss_clnt_refcnt < `0`)
2170	panic("Over release of gss context!\n");
2171
2172	if (cp->gss_clnt_refcnt == `0`) {
2173	if ((cp->gss_clnt_flags & GSS_CTX_INVAL) &&
2174	cp->gss_clnt_ctx_id) {
2175	gss_krb5_destroy_context(cp->gss_clnt_ctx_id);
2176	cp->gss_clnt_ctx_id = NULL;
2177	}
2178	if (cp->gss_clnt_flags & GSS_CTX_DESTROY) {
2179	destroy = `1`;
2180	if (cp->gss_clnt_flags & GSS_CTX_STICKY)
2181	nfs_gss_clnt_mnt_rele(nmp);
2182	if (cp->gss_clnt_nctime)
2183	on_neg_cache = `1`;
2184	}
2185	}
2186	if (!destroy && cp->gss_clnt_nctime == `0` &&
2187	(cp->gss_clnt_flags & GSS_CTX_INVAL)) {
2188	microuptime(&now);
2189	cp->gss_clnt_nctime = now.tv_sec;
2190	neg_cache = `1`;
2191	}
2192	lck_mtx_unlock(cp->gss_clnt_mtx);
2193	if (destroy) {
2194	NFS_GSS_DBG("Destroying context %s\n", NFS_GSS_CTX(req, cp));
2195	if (nmp) {
2196	lck_mtx_lock(&nmp->nm_lock);
2197	if (cp->gss_clnt_entries.tqe_next != NFSNOLIST) {
2198	TAILQ_REMOVE(&nmp->nm_gsscl, cp, gss_clnt_entries);
2199	}
2200	if (on_neg_cache) {
2201	nmp->nm_ncentries--;
2202	}
2203	lck_mtx_unlock(&nmp->nm_lock);
2204	}
2205	nfs_gss_clnt_ctx_destroy(cp);
2206	} else if (neg_cache) {
2207	NFS_GSS_DBG("Entering context %s into negative cache\n", NFS_GSS_CTX(req, cp));
2208	if (nmp) {
2209	lck_mtx_lock(&nmp->nm_lock);
2210	nmp->nm_ncentries++;
2211	nfs_gss_clnt_ctx_neg_cache_reap(nmp);
2212	lck_mtx_unlock(&nmp->nm_lock);
2213	}
2214	}
2215	NFS_GSS_CLNT_CTX_DUMP(nmp);
2216	}
2217
2218	/*
2219	* Try and reap any old negative cache entries.
2220	* cache queue.
2221	*/
2222	void
2223	nfs_gss_clnt_ctx_neg_cache_reap(struct nfsmount *nmp)
2224	{
2225	struct nfs_gss_clnt_ctx cp, tcp;
2226	struct timeval now;
2227	int reaped = `0`;
2228
2229	/ Try and reap old, unreferenced, expired contexts /
2230	microuptime(&now);
2231
2232	NFS_GSS_DBG("Reaping contexts ncentries = %d\n", nmp->nm_ncentries);
2233
2234	TAILQ_FOREACH_SAFE(cp, &nmp->nm_gsscl, gss_clnt_entries, tcp) {
2235	int destroy = `0`;
2236
2237	/ Don't reap STICKY contexts /
2238	if ((cp->gss_clnt_flags & GSS_CTX_STICKY) \|\|
2239	!(cp->gss_clnt_flags & GSS_CTX_INVAL))
2240	continue;
2241	/ Keep up to GSS_MAX_NEG_CACHE_ENTRIES /
2242	if (nmp->nm_ncentries <= GSS_MAX_NEG_CACHE_ENTRIES)
2243	break;
2244	/ Contexts too young /
2245	if (cp->gss_clnt_nctime + GSS_NEG_CACHE_TO >= now.tv_sec)
2246	continue;
2247	/ Not referenced, remove it. /
2248	lck_mtx_lock(cp->gss_clnt_mtx);
2249	if (cp->gss_clnt_refcnt == `0`) {
2250	cp->gss_clnt_flags \|= GSS_CTX_DESTROY;
2251	destroy = `1`;
2252	}
2253	lck_mtx_unlock(cp->gss_clnt_mtx);
2254	if (destroy) {
2255	TAILQ_REMOVE(&nmp->nm_gsscl, cp, gss_clnt_entries);
2256	nmp->nm_ncentries++;
2257	reaped++;
2258	nfs_gss_clnt_ctx_destroy(cp);
2259	}
2260	}
2261	NFS_GSS_DBG("Reaped %d contexts ncentries = %d\n", reaped, nmp->nm_ncentries);
2262	}
2263
2264	/*
2265	* Clean a context to be cached
2266	*/
2267	static void
2268	nfs_gss_clnt_ctx_clean(struct nfs_gss_clnt_ctx *cp)
2269	{
2270	/ Preserve gss_clnt_mtx /
2271	assert(cp->gss_clnt_thread == NULL); / Will be set to this thread /
2272	/ gss_clnt_entries we should not be on any list at this point /
2273	cp->gss_clnt_flags = `0`;
2274	/ gss_clnt_refcnt should be zero /
2275	assert(cp->gss_clnt_refcnt == `0`);
2276	/*
2277	* We are who we are preserve:
2278	* gss_clnt_cred
2279	* gss_clnt_principal
2280	* gss_clnt_prinlen
2281	* gss_clnt_prinnt
2282	* gss_clnt_desplay
2283	*/
2284	/ gss_clnt_proc will be set in nfs_gss_clnt_ctx_init /
2285	cp->gss_clnt_seqnum = `0`;
2286	/ Preserve gss_clnt_service, we're not changing flavors /
2287	if (cp->gss_clnt_handle) {
2288	FREE(cp->gss_clnt_handle, M_TEMP);
2289	cp->gss_clnt_handle = NULL;
2290	}
2291	cp->gss_clnt_handle_len = `0`;
2292	cp->gss_clnt_nctime = `0`;
2293	cp->gss_clnt_seqwin = `0`;
2294	if (cp->gss_clnt_seqbits) {
2295	FREE(cp->gss_clnt_seqbits, M_TEMP);
2296	cp->gss_clnt_seqbits = NULL;
2297	}
2298	/ Preserve gss_clnt_mport. Still talking to the same gssd /
2299	if (cp->gss_clnt_verf) {
2300	FREE(cp->gss_clnt_verf, M_TEMP);
2301	cp->gss_clnt_verf = NULL;
2302	}
2303	/ Service name might change on failover, so reset it /
2304	if (cp->gss_clnt_svcname) {
2305	FREE(cp->gss_clnt_svcname, M_TEMP);
2306	cp->gss_clnt_svcname = NULL;
2307	cp->gss_clnt_svcnt = `0`;
2308	}
2309	cp->gss_clnt_svcnamlen = `0`;
2310	cp->gss_clnt_cred_handle = `0`;
2311	cp->gss_clnt_context = `0`;
2312	if (cp->gss_clnt_token) {
2313	FREE(cp->gss_clnt_token, M_TEMP);
2314	cp->gss_clnt_token = NULL;
2315	}
2316	cp->gss_clnt_tokenlen = `0`;
2317	/ XXX gss_clnt_ctx_id ??? /
2318	/*
2319	* Preserve:
2320	* gss_clnt_gssd_flags
2321	* gss_clnt_major
2322	* gss_clnt_minor
2323	* gss_clnt_ptime
2324	*/
2325	}
2326
2327	/*
2328	* Copy a source context to a new context. This is used to create a new context
2329	* with the identity of the old context for renewal. The old context is invalid
2330	* at this point but may have reference still to it, so it is not safe to use that
2331	* context.
2332	*/
2333	static int
2334	nfs_gss_clnt_ctx_copy(struct nfs_gss_clnt_ctx scp, struct* nfs_gss_clnt_ctx **dcpp)
2335	{
2336	struct nfs_gss_clnt_ctx *dcp;
2337
2338	dcpp = (struct* nfs_gss_clnt_ctx *)NULL;
2339	MALLOC(dcp, struct nfs_gss_clnt_ctx , sizeof* (struct nfs_gss_clnt_ctx), M_TEMP, M_WAITOK);
2340	if (dcp == NULL)
2341	return (ENOMEM);
2342	bzero(dcp, sizeof (struct nfs_gss_clnt_ctx));
2343	dcp->gss_clnt_mtx = lck_mtx_alloc_init(nfs_gss_clnt_grp, LCK_ATTR_NULL);
2344	dcp->gss_clnt_cred = scp->gss_clnt_cred;
2345	kauth_cred_ref(dcp->gss_clnt_cred);
2346	dcp->gss_clnt_prinlen = scp->gss_clnt_prinlen;
2347	dcp->gss_clnt_prinnt = scp->gss_clnt_prinnt;
2348	if (scp->gss_clnt_principal) {
2349	MALLOC(dcp->gss_clnt_principal, uint8_t *, dcp->gss_clnt_prinlen, M_TEMP, M_WAITOK \| M_ZERO);
2350	if (dcp->gss_clnt_principal == NULL) {
2351	FREE(dcp, M_TEMP);
2352	return (ENOMEM);
2353	}
2354	bcopy(scp->gss_clnt_principal, dcp->gss_clnt_principal, dcp->gss_clnt_prinlen);
2355	}
2356	/ Note we don't preserve the display name, that will be set by a successful up call /
2357	dcp->gss_clnt_service = scp->gss_clnt_service;
2358	dcp->gss_clnt_mport = host_copy_special_port(scp->gss_clnt_mport);
2359	dcp->gss_clnt_ctx_id = NULL; / Will be set from successful upcall /
2360	dcp->gss_clnt_gssd_flags = scp->gss_clnt_gssd_flags;
2361	dcp->gss_clnt_major = scp->gss_clnt_major;
2362	dcp->gss_clnt_minor = scp->gss_clnt_minor;
2363	dcp->gss_clnt_ptime = scp->gss_clnt_ptime;
2364
2365	*dcpp = dcp;
2366
2367	return (`0`);
2368	}
2369
2370	/*
2371	* Remove a context
2372	*/
2373	static void
2374	nfs_gss_clnt_ctx_destroy(struct nfs_gss_clnt_ctx *cp)
2375	{
2376	NFS_GSS_DBG("Destroying context %d/%d\n",
2377	kauth_cred_getasid(cp->gss_clnt_cred),
2378	kauth_cred_getauid(cp->gss_clnt_cred));
2379
2380	host_release_special_port(cp->gss_clnt_mport);
2381	cp->gss_clnt_mport = IPC_PORT_NULL;
2382
2383	if (cp->gss_clnt_mtx) {
2384	lck_mtx_destroy(cp->gss_clnt_mtx, nfs_gss_clnt_grp);
2385	cp->gss_clnt_mtx = (lck_mtx_t *)NULL;
2386	}
2387	if (IS_VALID_CRED(cp->gss_clnt_cred))
2388	kauth_cred_unref(&cp->gss_clnt_cred);
2389	cp->gss_clnt_entries.tqe_next = NFSNOLIST;
2390	cp->gss_clnt_entries.tqe_prev = NFSNOLIST;
2391	if (cp->gss_clnt_principal) {
2392	FREE(cp->gss_clnt_principal, M_TEMP);
2393	cp->gss_clnt_principal = NULL;
2394	}
2395	if (cp->gss_clnt_display) {
2396	FREE(cp->gss_clnt_display, M_TEMP);
2397	cp->gss_clnt_display = NULL;
2398	}
2399	if (cp->gss_clnt_ctx_id) {
2400	gss_krb5_destroy_context(cp->gss_clnt_ctx_id);
2401	cp->gss_clnt_ctx_id = NULL;
2402	}
2403
2404	nfs_gss_clnt_ctx_clean(cp);
2405
2406	FREE(cp, M_TEMP);
2407	}
2408
2409	/*
2410	* The context for a user is invalid.
2411	* Mark the context as invalid, then
2412	* create a new context.
2413	*/
2414	int
2415	nfs_gss_clnt_ctx_renew(struct nfsreq *req)
2416	{
2417	struct nfs_gss_clnt_ctx *cp = req->r_gss_ctx;
2418	struct nfs_gss_clnt_ctx *ncp;
2419	struct nfsmount *nmp;
2420	int error = `0`;
2421	char CTXBUF[NFS_CTXBUFSZ];
2422
2423	if (cp == NULL)
2424	return (`0`);
2425
2426	if (req->r_nmp == NULL)
2427	return (ENXIO);
2428	nmp = req->r_nmp;
2429
2430	lck_mtx_lock(cp->gss_clnt_mtx);
2431	if (cp->gss_clnt_flags & GSS_CTX_INVAL) {
2432	lck_mtx_unlock(cp->gss_clnt_mtx);
2433	nfs_gss_clnt_ctx_unref(req);
2434	return (`0`); // already being renewed
2435	}
2436
2437	cp->gss_clnt_flags \|= (GSS_CTX_INVAL \| GSS_CTX_DESTROY);
2438
2439	if (cp->gss_clnt_flags & (GSS_NEEDCTX \| GSS_NEEDSEQ)) {
2440	cp->gss_clnt_flags &= ~GSS_NEEDSEQ;
2441	wakeup(cp);
2442	}
2443	lck_mtx_unlock(cp->gss_clnt_mtx);
2444
2445	if (cp->gss_clnt_proc == RPCSEC_GSS_DESTROY)
2446	return (EACCES); / Destroying a context is best effort. Don't renew. /
2447	/*
2448	* If we're setting up a context let nfs_gss_clnt_ctx_init know this is not working
2449	* and to try some other etype.
2450	*/
2451	if (cp->gss_clnt_proc != RPCSEC_GSS_DATA)
2452	return (ENEEDAUTH);
2453	error = nfs_gss_clnt_ctx_copy(cp, &ncp);
2454	NFS_GSS_DBG("Renewing context %s\n", NFS_GSS_CTX(req, ncp));
2455	nfs_gss_clnt_ctx_unref(req);
2456	if (error)
2457	return (error);
2458
2459	lck_mtx_lock(&nmp->nm_lock);
2460	/*
2461	* Note we don't bother taking the new context mutex as we're
2462	* not findable at the moment.
2463	*/
2464	ncp->gss_clnt_thread = current_thread();
2465	nfs_gss_clnt_ctx_ref(req, ncp);
2466	TAILQ_INSERT_HEAD(&nmp->nm_gsscl, ncp, gss_clnt_entries);
2467	lck_mtx_unlock(&nmp->nm_lock);
2468
2469	error = nfs_gss_clnt_ctx_init_retry(req, ncp); // Initialize new context
2470	if (error)
2471	nfs_gss_clnt_ctx_unref(req);
2472
2473	return (error);
2474	}
2475
2476
2477	/*
2478	* Destroy all the contexts associated with a mount.
2479	* The contexts are also destroyed by the server.
2480	*/
2481	void
2482	nfs_gss_clnt_ctx_unmount(struct nfsmount *nmp)
2483	{
2484	struct nfs_gss_clnt_ctx *cp;
2485	struct nfsm_chain nmreq, nmrep;
2486	int error, status;
2487	struct nfsreq req;
2488	req.r_nmp = nmp;
2489
2490	if (!nmp)
2491	return;
2492
2493
2494	lck_mtx_lock(&nmp->nm_lock);
2495	while((cp = TAILQ_FIRST(&nmp->nm_gsscl))) {
2496	TAILQ_REMOVE(&nmp->nm_gsscl, cp, gss_clnt_entries);
2497	cp->gss_clnt_entries.tqe_next = NFSNOLIST;
2498	lck_mtx_lock(cp->gss_clnt_mtx);
2499	if (cp->gss_clnt_flags & GSS_CTX_DESTROY) {
2500	lck_mtx_unlock(cp->gss_clnt_mtx);
2501	continue;
2502	}
2503	cp->gss_clnt_refcnt++;
2504	lck_mtx_unlock(cp->gss_clnt_mtx);
2505	req.r_gss_ctx = cp;
2506
2507	lck_mtx_unlock(&nmp->nm_lock);
2508	/*
2509	* Tell the server to destroy its context.
2510	* But don't bother if it's a forced unmount.
2511	*/
2512	if (!nfs_mount_gone(nmp) &&
2513	(cp->gss_clnt_flags & (GSS_CTX_INVAL \| GSS_CTX_DESTROY \| GSS_CTX_COMPLETE)) == GSS_CTX_COMPLETE) {
2514	cp->gss_clnt_proc = RPCSEC_GSS_DESTROY;
2515
2516	error = `0`;
2517	nfsm_chain_null(&nmreq);
2518	nfsm_chain_null(&nmrep);
2519	nfsm_chain_build_alloc_init(error, &nmreq, `0`);
2520	nfsm_chain_build_done(error, &nmreq);
2521	if (!error)
2522	nfs_request_gss(nmp->nm_mountp, &nmreq,
2523	current_thread(), cp->gss_clnt_cred, `0`, cp, &nmrep, &status);
2524	nfsm_chain_cleanup(&nmreq);
2525	nfsm_chain_cleanup(&nmrep);
2526	}
2527
2528	/*
2529	* Mark the context invalid then drop
2530	* the reference to remove it if its
2531	* refcount is zero.
2532	*/
2533	lck_mtx_lock(cp->gss_clnt_mtx);
2534	cp->gss_clnt_flags \|= (GSS_CTX_INVAL \| GSS_CTX_DESTROY);
2535	lck_mtx_unlock(cp->gss_clnt_mtx);
2536	nfs_gss_clnt_ctx_unref(&req);
2537	lck_mtx_lock(&nmp->nm_lock);
2538	}
2539	lck_mtx_unlock(&nmp->nm_lock);
2540	assert(TAILQ_EMPTY(&nmp->nm_gsscl));
2541	}
2542
2543
2544	/*
2545	* Removes a mounts context for a credential
2546	*/
2547	int
2548	nfs_gss_clnt_ctx_remove(struct nfsmount *nmp, kauth_cred_t cred)
2549	{
2550	struct nfs_gss_clnt_ctx *cp;
2551	struct nfsreq req;
2552
2553	req.r_nmp = nmp;
2554
2555	NFS_GSS_DBG("Enter\n");
2556	NFS_GSS_CLNT_CTX_DUMP(nmp);
2557	lck_mtx_lock(&nmp->nm_lock);
2558	TAILQ_FOREACH(cp, &nmp->nm_gsscl, gss_clnt_entries) {
2559	lck_mtx_lock(cp->gss_clnt_mtx);
2560	if (nfs_gss_clnt_ctx_cred_match(cp->gss_clnt_cred, cred)) {
2561	if (cp->gss_clnt_flags & GSS_CTX_DESTROY) {
2562	NFS_GSS_DBG("Found destroyed context %d/%d. refcnt = %d continuing\n",
2563	kauth_cred_getasid(cp->gss_clnt_cred),
2564	kauth_cred_getauid(cp->gss_clnt_cred),
2565	cp->gss_clnt_refcnt);
2566	lck_mtx_unlock(cp->gss_clnt_mtx);
2567	continue;
2568	}
2569	cp->gss_clnt_refcnt++;
2570	cp->gss_clnt_flags \|= (GSS_CTX_INVAL \| GSS_CTX_DESTROY);
2571	lck_mtx_unlock(cp->gss_clnt_mtx);
2572	req.r_gss_ctx = cp;
2573	lck_mtx_unlock(&nmp->nm_lock);
2574	/*
2575	* Drop the reference to remove it if its
2576	* refcount is zero.
2577	*/
2578	NFS_GSS_DBG("Removed context %d/%d refcnt = %d\n",
2579	kauth_cred_getasid(cp->gss_clnt_cred),
2580	kauth_cred_getuid(cp->gss_clnt_cred),
2581	cp->gss_clnt_refcnt);
2582	nfs_gss_clnt_ctx_unref(&req);
2583	return (`0`);
2584	}
2585	lck_mtx_unlock(cp->gss_clnt_mtx);
2586	}
2587
2588	lck_mtx_unlock(&nmp->nm_lock);
2589
2590	NFS_GSS_DBG("Returning ENOENT\n");
2591	return (ENOENT);
2592	}
2593
2594	/*
2595	* Sets a mounts principal for a session associated with cred.
2596	*/
2597	int
2598	nfs_gss_clnt_ctx_set_principal(struct nfsmount *nmp, vfs_context_t ctx,
2599	uint8_t *principal, uint32_t princlen, uint32_t nametype)
2600
2601	{
2602	struct nfsreq req;
2603	int error;
2604
2605	NFS_GSS_DBG("Enter:\n");
2606
2607	bzero(&req, sizeof(struct nfsreq));
2608	req.r_nmp = nmp;
2609	req.r_gss_ctx = NULL;
2610	req.r_auth = nmp->nm_auth;
2611	req.r_thread = vfs_context_thread(ctx);
2612	req.r_cred = vfs_context_ucred(ctx);
2613
2614	error = nfs_gss_clnt_ctx_find_principal(&req, principal, princlen, nametype);
2615	NFS_GSS_DBG("nfs_gss_clnt_ctx_find_principal returned %d\n", error);
2616	/*
2617	* We don't care about auth errors. Those would indicate that the context is in the
2618	* neagative cache and if and when the user has credentials for the principal
2619	* we should be good to go in that we will select those credentials for this principal.
2620	*/
2621	if (error == EACCES \|\| error == EAUTH \|\| error == ENEEDAUTH)
2622	error = `0`;
2623
2624	/ We're done with this request /
2625	nfs_gss_clnt_ctx_unref(&req);
2626
2627	return (error);
2628	}
2629
2630	/*
2631	* Gets a mounts principal from a session associated with cred
2632	*/
2633	int
2634	nfs_gss_clnt_ctx_get_principal(struct nfsmount *nmp, vfs_context_t ctx,
2635	struct user_nfs_gss_principal *p)
2636	{
2637	struct nfsreq req;
2638	int error = `0`;
2639	struct nfs_gss_clnt_ctx *cp;
2640	kauth_cred_t cred = vfs_context_ucred(ctx);
2641	const char *princ = NULL;
2642	char CTXBUF[NFS_CTXBUFSZ];
2643
2644	/ Make sure the the members of the struct user_nfs_gss_principal are initialized /
2645	p->nametype = GSSD_STRING_NAME;
2646	p->principal = USER_ADDR_NULL;
2647	p->princlen = `0`;
2648	p->flags = `0`;
2649
2650	req.r_nmp = nmp;
2651	lck_mtx_lock(&nmp->nm_lock);
2652	TAILQ_FOREACH(cp, &nmp->nm_gsscl, gss_clnt_entries) {
2653	lck_mtx_lock(cp->gss_clnt_mtx);
2654	if (cp->gss_clnt_flags & GSS_CTX_DESTROY) {
2655	NFS_GSS_DBG("Found destroyed context %s refcnt = %d continuing\n",
2656	NFS_GSS_CTX(&req, cp),
2657	cp->gss_clnt_refcnt);
2658	lck_mtx_unlock(cp->gss_clnt_mtx);
2659	continue;
2660	}
2661	if (nfs_gss_clnt_ctx_cred_match(cp->gss_clnt_cred, cred)) {
2662	cp->gss_clnt_refcnt++;
2663	lck_mtx_unlock(cp->gss_clnt_mtx);
2664	goto out;
2665	}
2666	lck_mtx_unlock(cp->gss_clnt_mtx);
2667	}
2668
2669	out:
2670	if (cp == NULL) {
2671	lck_mtx_unlock(&nmp->nm_lock);
2672	p->flags \|= NFS_IOC_NO_CRED_FLAG; / No credentials, valid or invalid on this mount /
2673	NFS_GSS_DBG("No context found for session %d by uid %d\n",
2674	kauth_cred_getasid(cred), kauth_cred_getuid(cred));
2675	return (`0`);
2676	}
2677
2678	/ Indicate if the cred is INVALID /
2679	if (cp->gss_clnt_flags & GSS_CTX_INVAL)
2680	p->flags \|= NFS_IOC_INVALID_CRED_FLAG;
2681
2682	/ We have set a principal on the mount /
2683	if (cp->gss_clnt_principal) {
2684	princ = (char *)cp->gss_clnt_principal;
2685	p->princlen = cp->gss_clnt_prinlen;
2686	p->nametype = cp->gss_clnt_prinnt;
2687	} else if (cp->gss_clnt_display) {
2688	/ We have a successful use the the default credential /
2689	princ = cp->gss_clnt_display;
2690	p->princlen = strlen(cp->gss_clnt_display);
2691	}
2692
2693	/*
2694	* If neither of the above is true we have an invalid default credential
2695	* So from above p->principal is USER_ADDR_NULL and princ is NULL
2696	*/
2697
2698	if (princ) {
2699	char *pp;
2700
2701	MALLOC(pp, char *, p->princlen, M_TEMP, M_WAITOK);
2702	bcopy(princ, pp, p->princlen);
2703	p->principal = CAST_USER_ADDR_T(pp);
2704	}
2705
2706	lck_mtx_unlock(&nmp->nm_lock);
2707
2708	req.r_gss_ctx = cp;
2709	NFS_GSS_DBG("Found context %s\n", NFS_GSS_CTX(&req, NULL));
2710	nfs_gss_clnt_ctx_unref(&req);
2711	return (error);
2712	}
2713	#endif /* NFSCLIENT */
2714
2715	/*************
2716	*
2717	* Server functions
2718	*/
2719
2720	#if NFSSERVER
2721
2722	/*
2723	* Find a server context based on a handle value received
2724	* in an RPCSEC_GSS credential.
2725	*/
2726	static struct nfs_gss_svc_ctx *
2727	nfs_gss_svc_ctx_find(uint32_t handle)
2728	{
2729	struct nfs_gss_svc_ctx_hashhead *head;
2730	struct nfs_gss_svc_ctx *cp;
2731	uint64_t timenow;
2732
2733	if (handle == `0`)
2734	return (NULL);
2735
2736	head = &nfs_gss_svc_ctx_hashtbl[SVC_CTX_HASH(handle)];
2737	/*
2738	* Don't return a context that is going to expire in GSS_CTX_PEND seconds
2739	*/
2740	clock_interval_to_deadline(GSS_CTX_PEND, NSEC_PER_SEC, &timenow);
2741
2742	lck_mtx_lock(nfs_gss_svc_ctx_mutex);
2743
2744	LIST_FOREACH(cp, head, gss_svc_entries) {
2745	if (cp->gss_svc_handle == handle) {
2746	if (timenow > cp->gss_svc_incarnation + GSS_SVC_CTX_TTL) {
2747	/*
2748	* Context has or is about to expire. Don't use.
2749	* We'll return null and the client will have to create
2750	* a new context.
2751	*/
2752	cp->gss_svc_handle = `0`;
2753	/*
2754	* Make sure though that we stay around for GSS_CTX_PEND seconds
2755	* for other threads that might be using the context.
2756	*/
2757	cp->gss_svc_incarnation = timenow;
2758
2759	cp = NULL;
2760	break;
2761	}
2762	lck_mtx_lock(cp->gss_svc_mtx);
2763	cp->gss_svc_refcnt++;
2764	lck_mtx_unlock(cp->gss_svc_mtx);
2765	break;
2766	}
2767	}
2768
2769	lck_mtx_unlock(nfs_gss_svc_ctx_mutex);
2770
2771	return (cp);
2772	}
2773
2774	/*
2775	* Insert a new server context into the hash table
2776	* and start the context reap thread if necessary.
2777	*/
2778	static void
2779	nfs_gss_svc_ctx_insert(struct nfs_gss_svc_ctx *cp)
2780	{
2781	struct nfs_gss_svc_ctx_hashhead *head;
2782	struct nfs_gss_svc_ctx *p;
2783
2784	lck_mtx_lock(nfs_gss_svc_ctx_mutex);
2785
2786	/*
2787	* Give the client a random handle so that if we reboot
2788	* it's unlikely the client will get a bad context match.
2789	* Make sure it's not zero or already assigned.
2790	*/
2791	retry:
2792	cp->gss_svc_handle = random();
2793	if (cp->gss_svc_handle == `0`)
2794	goto retry;
2795	head = &nfs_gss_svc_ctx_hashtbl[SVC_CTX_HASH(cp->gss_svc_handle)];
2796	LIST_FOREACH(p, head, gss_svc_entries)
2797	if (p->gss_svc_handle == cp->gss_svc_handle)
2798	goto retry;
2799
2800	clock_interval_to_deadline(GSS_CTX_PEND, NSEC_PER_SEC,
2801	&cp->gss_svc_incarnation);
2802	LIST_INSERT_HEAD(head, cp, gss_svc_entries);
2803	nfs_gss_ctx_count++;
2804
2805	if (!nfs_gss_timer_on) {
2806	nfs_gss_timer_on = `1`;
2807
2808	nfs_interval_timer_start(nfs_gss_svc_ctx_timer_call,
2809	min(GSS_TIMER_PERIOD, max(GSS_CTX_TTL_MIN, nfsrv_gss_context_ttl)) * MSECS_PER_SEC);
2810	}
2811
2812	lck_mtx_unlock(nfs_gss_svc_ctx_mutex);
2813	}
2814
2815	/*
2816	* This function is called via the kernel's callout
2817	* mechanism. It runs only when there are
2818	* cached RPCSEC_GSS contexts.
2819	*/
2820	void
2821	nfs_gss_svc_ctx_timer(__unused void param1, __unused void* *param2)
2822	{
2823	struct nfs_gss_svc_ctx cp, next;
2824	uint64_t timenow;
2825	int contexts = `0`;
2826	int i;
2827
2828	lck_mtx_lock(nfs_gss_svc_ctx_mutex);
2829	clock_get_uptime(&timenow);
2830
2831	NFS_GSS_DBG("is running\n");
2832
2833	/*
2834	* Scan all the hash chains
2835	*/
2836	for (i = `0`; i < SVC_CTX_HASHSZ; i++) {
2837	/*
2838	* For each hash chain, look for entries
2839	* that haven't been used in a while.
2840	*/
2841	LIST_FOREACH_SAFE(cp, &nfs_gss_svc_ctx_hashtbl[i], gss_svc_entries, next) {
2842	contexts++;
2843	if (timenow > cp->gss_svc_incarnation +
2844	(cp->gss_svc_handle ? GSS_SVC_CTX_TTL : `0`)
2845	&& cp->gss_svc_refcnt == `0`) {
2846	/*
2847	* A stale context - remove it
2848	*/
2849	LIST_REMOVE(cp, gss_svc_entries);
2850	NFS_GSS_DBG("Removing contex for %d\n", cp->gss_svc_uid);
2851	if (cp->gss_svc_seqbits)
2852	FREE(cp->gss_svc_seqbits, M_TEMP);
2853	lck_mtx_destroy(cp->gss_svc_mtx, nfs_gss_svc_grp);
2854	FREE(cp, M_TEMP);
2855	contexts--;
2856	}
2857	}
2858	}
2859
2860	nfs_gss_ctx_count = contexts;
2861
2862	/*
2863	* If there are still some cached contexts left,
2864	* set up another callout to check on them later.
2865	*/
2866	nfs_gss_timer_on = nfs_gss_ctx_count > `0`;
2867	if (nfs_gss_timer_on)
2868	nfs_interval_timer_start(nfs_gss_svc_ctx_timer_call,
2869	min(GSS_TIMER_PERIOD, max(GSS_CTX_TTL_MIN, nfsrv_gss_context_ttl)) * MSECS_PER_SEC);
2870
2871	lck_mtx_unlock(nfs_gss_svc_ctx_mutex);
2872	}
2873
2874	/*
2875	* Here the server receives an RPCSEC_GSS credential in an
2876	* RPC call header. First there's some checking to make sure
2877	* the credential is appropriate - whether the context is still
2878	* being set up, or is complete. Then we use the handle to find
2879	* the server's context and validate the verifier, which contains
2880	* a signed checksum of the RPC header. If the verifier checks
2881	* out, we extract the user's UID and groups from the context
2882	* and use it to set up a UNIX credential for the user's request.
2883	*/
2884	int
2885	nfs_gss_svc_cred_get(struct nfsrv_descript nd, struct* nfsm_chain *nmc)
2886	{
2887	uint32_t vers, proc, seqnum, service;
2888	uint32_t handle, handle_len;
2889	uint32_t major;
2890	struct nfs_gss_svc_ctx *cp = NULL;
2891	uint32_t flavor = `0`, header_len;
2892	int error = `0`;
2893	uint32_t arglen, start;
2894	size_t argsize;
2895	gss_buffer_desc cksum;
2896	struct nfsm_chain nmc_tmp;
2897	mbuf_t reply_mbuf, prev_mbuf, pad_mbuf;
2898
2899	vers = proc = seqnum = service = handle_len = `0`;
2900	arglen = `0`;
2901
2902	nfsm_chain_get_32(error, nmc, vers);
2903	if (vers != RPCSEC_GSS_VERS_1) {
2904	error = NFSERR_AUTHERR \| AUTH_REJECTCRED;
2905	goto nfsmout;
2906	}
2907
2908	nfsm_chain_get_32(error, nmc, proc);
2909	nfsm_chain_get_32(error, nmc, seqnum);
2910	nfsm_chain_get_32(error, nmc, service);
2911	nfsm_chain_get_32(error, nmc, handle_len);
2912	if (error)
2913	goto nfsmout;
2914
2915	/*
2916	* Make sure context setup/destroy is being done with a nullproc
2917	*/
2918	if (proc != RPCSEC_GSS_DATA && nd->nd_procnum != NFSPROC_NULL) {
2919	error = NFSERR_AUTHERR \| RPCSEC_GSS_CREDPROBLEM;
2920	goto nfsmout;
2921	}
2922
2923	/*
2924	* If the sequence number is greater than the max
2925	* allowable, reject and have the client init a
2926	* new context.
2927	*/
2928	if (seqnum > GSS_MAXSEQ) {
2929	error = NFSERR_AUTHERR \| RPCSEC_GSS_CTXPROBLEM;
2930	goto nfsmout;
2931	}
2932
2933	nd->nd_sec =
2934	service == RPCSEC_GSS_SVC_NONE ? RPCAUTH_KRB5 :
2935	service == RPCSEC_GSS_SVC_INTEGRITY ? RPCAUTH_KRB5I :
2936	service == RPCSEC_GSS_SVC_PRIVACY ? RPCAUTH_KRB5P : `0`;
2937
2938	if (proc == RPCSEC_GSS_INIT) {
2939	/*
2940	* Limit the total number of contexts
2941	*/
2942	if (nfs_gss_ctx_count > nfs_gss_ctx_max) {
2943	error = NFSERR_AUTHERR \| RPCSEC_GSS_CTXPROBLEM;
2944	goto nfsmout;
2945	}
2946
2947	/*
2948	* Set up a new context
2949	*/
2950	MALLOC(cp, struct nfs_gss_svc_ctx , sizeof(cp), M_TEMP, M_WAITOK\|M_ZERO);
2951	if (cp == NULL) {
2952	error = ENOMEM;
2953	goto nfsmout;
2954	}
2955	cp->gss_svc_mtx = lck_mtx_alloc_init(nfs_gss_svc_grp, LCK_ATTR_NULL);
2956	cp->gss_svc_refcnt = `1`;
2957	} else {
2958	/*
2959	* Use the handle to find the context
2960	*/
2961	if (handle_len != sizeof(handle)) {
2962	error = NFSERR_AUTHERR \| RPCSEC_GSS_CREDPROBLEM;
2963	goto nfsmout;
2964	}
2965	nfsm_chain_get_32(error, nmc, handle);
2966	if (error)
2967	goto nfsmout;
2968	cp = nfs_gss_svc_ctx_find(handle);
2969	if (cp == NULL) {
2970	error = NFSERR_AUTHERR \| RPCSEC_GSS_CTXPROBLEM;
2971	goto nfsmout;
2972	}
2973	}
2974
2975	cp->gss_svc_proc = proc;
2976
2977	if (proc == RPCSEC_GSS_DATA \|\| proc == RPCSEC_GSS_DESTROY) {
2978	struct posix_cred temp_pcred;
2979
2980	if (cp->gss_svc_seqwin == `0`) {
2981	/*
2982	* Context isn't complete
2983	*/
2984	error = NFSERR_AUTHERR \| RPCSEC_GSS_CTXPROBLEM;
2985	goto nfsmout;
2986	}
2987
2988	if (!nfs_gss_svc_seqnum_valid(cp, seqnum)) {
2989	/*
2990	* Sequence number is bad
2991	*/
2992	error = EINVAL; // drop the request
2993	goto nfsmout;
2994	}
2995
2996	/*
2997	* Validate the verifier.
2998	* The verifier contains an encrypted checksum
2999	* of the call header from the XID up to and
3000	* including the credential. We compute the
3001	* checksum and compare it with what came in
3002	* the verifier.
3003	*/
3004	header_len = nfsm_chain_offset(nmc);
3005	nfsm_chain_get_32(error, nmc, flavor);
3006	nfsm_chain_get_32(error, nmc, cksum.length);
3007	if (error)
3008	goto nfsmout;
3009	if (flavor != RPCSEC_GSS \|\| cksum.length > KRB5_MAX_MIC_SIZE)
3010	error = NFSERR_AUTHERR \| AUTH_BADVERF;
3011	else {
3012	MALLOC(cksum.value, void *, cksum.length, M_TEMP, M_WAITOK);
3013	nfsm_chain_get_opaque(error, nmc, cksum.length, cksum.value);
3014	}
3015	if (error)
3016	goto nfsmout;
3017
3018	/ Now verify the client's call header checksum /
3019	major = gss_krb5_verify_mic_mbuf((uint32_t *)&error, cp->gss_svc_ctx_id, nmc->nmc_mhead, `0`, header_len, &cksum, NULL);
3020	(void)gss_release_buffer(NULL, &cksum);
3021	if (major != GSS_S_COMPLETE) {
3022	printf("Server header: gss_krb5_verify_mic_mbuf failed %d\n", error);
3023	error = NFSERR_AUTHERR \| RPCSEC_GSS_CTXPROBLEM;
3024	goto nfsmout;
3025	}
3026
3027	nd->nd_gss_seqnum = seqnum;
3028
3029	/*
3030	* Set up the user's cred
3031	*/
3032	bzero(&temp_pcred, sizeof(temp_pcred));
3033	temp_pcred.cr_uid = cp->gss_svc_uid;
3034	bcopy(cp->gss_svc_gids, temp_pcred.cr_groups,
3035	sizeof(gid_t) * cp->gss_svc_ngroups);
3036	temp_pcred.cr_ngroups = cp->gss_svc_ngroups;
3037
3038	nd->nd_cr = posix_cred_create(&temp_pcred);
3039	if (nd->nd_cr == NULL) {
3040	error = ENOMEM;
3041	goto nfsmout;
3042	}
3043	clock_get_uptime(&cp->gss_svc_incarnation);
3044
3045	/*
3046	* If the call arguments are integrity or privacy protected
3047	* then we need to check them here.
3048	*/
3049	switch (service) {
3050	case RPCSEC_GSS_SVC_NONE:
3051	/ nothing to do /
3052	break;
3053	case RPCSEC_GSS_SVC_INTEGRITY:
3054	/*
3055	* Here's what we expect in the integrity call args:
3056	*
3057	* - length of seq num + call args (4 bytes)
3058	* - sequence number (4 bytes)
3059	* - call args (variable bytes)
3060	* - length of checksum token
3061	* - checksum of seqnum + call args
3062	*/
3063	nfsm_chain_get_32(error, nmc, arglen); // length of args
3064	if (arglen > NFS_MAXPACKET) {
3065	error = EBADRPC;
3066	goto nfsmout;
3067	}
3068
3069	nmc_tmp = *nmc;
3070	nfsm_chain_adv(error, &nmc_tmp, arglen);
3071	nfsm_chain_get_32(error, &nmc_tmp, cksum.length);
3072	cksum.value = NULL;
3073	if (cksum.length > `0` && cksum.length < GSS_MAX_MIC_LEN)
3074	MALLOC(cksum.value, void *, cksum.length, M_TEMP, M_WAITOK);
3075
3076	if (cksum.value == NULL) {
3077	error = EBADRPC;
3078	goto nfsmout;
3079	}
3080	nfsm_chain_get_opaque(error, &nmc_tmp, cksum.length, cksum.value);
3081
3082	/ Verify the checksum over the call args /
3083	start = nfsm_chain_offset(nmc);
3084
3085	major = gss_krb5_verify_mic_mbuf((uint32_t *)&error, cp->gss_svc_ctx_id,
3086	nmc->nmc_mhead, start, arglen, &cksum, NULL);
3087	FREE(cksum.value, M_TEMP);
3088	if (major != GSS_S_COMPLETE) {
3089	printf("Server args: gss_krb5_verify_mic_mbuf failed %d\n", error);
3090	error = EBADRPC;
3091	goto nfsmout;
3092	}
3093
3094	/*
3095	* Get the sequence number prepended to the args
3096	* and compare it against the one sent in the
3097	* call credential.
3098	*/
3099	nfsm_chain_get_32(error, nmc, seqnum);
3100	if (seqnum != nd->nd_gss_seqnum) {
3101	error = EBADRPC; // returns as GARBAGEARGS
3102	goto nfsmout;
3103	}
3104	break;
3105	case RPCSEC_GSS_SVC_PRIVACY:
3106	/*
3107	* Here's what we expect in the privacy call args:
3108	*
3109	* - length of wrap token
3110	* - wrap token (37-40 bytes)
3111	*/
3112	prev_mbuf = nmc->nmc_mcur;
3113	nfsm_chain_get_32(error, nmc, arglen); // length of args
3114	if (arglen > NFS_MAXPACKET) {
3115	error = EBADRPC;
3116	goto nfsmout;
3117	}
3118
3119	/ Get the wrap token (current mbuf in the chain starting at the current offset) /
3120	start = nmc->nmc_ptr - (caddr_t)mbuf_data(nmc->nmc_mcur);
3121
3122	/ split out the wrap token /
3123	argsize = arglen;
3124	error = gss_normalize_mbuf(nmc->nmc_mcur, start, &argsize, &reply_mbuf, &pad_mbuf, `0`);
3125	if (error)
3126	goto nfsmout;
3127
3128	assert(argsize == arglen);
3129	if (pad_mbuf) {
3130	assert(nfsm_pad(arglen) == mbuf_len(pad_mbuf));
3131	mbuf_free(pad_mbuf);
3132	} else {
3133	assert(nfsm_pad(arglen) == `0`);
3134	}
3135
3136	major = gss_krb5_unwrap_mbuf((uint32_t *)&error, cp->gss_svc_ctx_id, &reply_mbuf, `0`, arglen, NULL, NULL);
3137	if (major != GSS_S_COMPLETE) {
3138	printf("%s: gss_krb5_unwrap_mbuf failes %d\n", __func__, error);
3139	goto nfsmout;
3140	}
3141
3142	/ Now replace the wrapped arguments with the unwrapped ones /
3143	mbuf_setnext(prev_mbuf, reply_mbuf);
3144	nmc->nmc_mcur = reply_mbuf;
3145	nmc->nmc_ptr = mbuf_data(reply_mbuf);
3146	nmc->nmc_left = mbuf_len(reply_mbuf);
3147
3148	/*
3149	* - sequence number (4 bytes)
3150	* - call args
3151	*/
3152
3153	// nfsm_chain_reverse(nmc, nfsm_pad(toklen));
3154
3155	/*
3156	* Get the sequence number prepended to the args
3157	* and compare it against the one sent in the
3158	* call credential.
3159	*/
3160	nfsm_chain_get_32(error, nmc, seqnum);
3161	if (seqnum != nd->nd_gss_seqnum) {
3162	printf("%s: Sequence number mismatch seqnum = %d nd->nd_gss_seqnum = %d\n",
3163	__func__, seqnum, nd->nd_gss_seqnum);
3164	printmbuf("reply_mbuf", nmc->nmc_mhead, `0`, `0`);
3165	printf("reply_mbuf %p nmc_head %p\n", reply_mbuf, nmc->nmc_mhead);
3166	error = EBADRPC; // returns as GARBAGEARGS
3167	goto nfsmout;
3168	}
3169	break;
3170	}
3171	} else {
3172	uint32_t verflen;
3173	/*
3174	* If the proc is RPCSEC_GSS_INIT or RPCSEC_GSS_CONTINUE_INIT
3175	* then we expect a null verifier.
3176	*/
3177	nfsm_chain_get_32(error, nmc, flavor);
3178	nfsm_chain_get_32(error, nmc, verflen);
3179	if (error \|\| flavor != RPCAUTH_NULL \|\| verflen > `0`)
3180	error = NFSERR_AUTHERR \| RPCSEC_GSS_CREDPROBLEM;
3181	if (error) {
3182	if (proc == RPCSEC_GSS_INIT) {
3183	lck_mtx_destroy(cp->gss_svc_mtx, nfs_gss_svc_grp);
3184	FREE(cp, M_TEMP);
3185	cp = NULL;
3186	}
3187	goto nfsmout;
3188	}
3189	}
3190
3191	nd->nd_gss_context = cp;
3192	return `0`;
3193	nfsmout:
3194	if (cp)
3195	nfs_gss_svc_ctx_deref(cp);
3196	return (error);
3197	}
3198
3199	/*
3200	* Insert the server's verifier into the RPC reply header.
3201	* It contains a signed checksum of the sequence number that
3202	* was received in the RPC call.
3203	* Then go on to add integrity or privacy if necessary.
3204	*/
3205	int
3206	nfs_gss_svc_verf_put(struct nfsrv_descript nd, struct* nfsm_chain *nmc)
3207	{
3208	struct nfs_gss_svc_ctx *cp;
3209	int error = `0`;
3210	gss_buffer_desc cksum, seqbuf;
3211	uint32_t network_seqnum;
3212	cp = nd->nd_gss_context;
3213	uint32_t major;
3214
3215	if (cp->gss_svc_major != GSS_S_COMPLETE) {
3216	/*
3217	* If the context isn't yet complete
3218	* then return a null verifier.
3219	*/
3220	nfsm_chain_add_32(error, nmc, RPCAUTH_NULL);
3221	nfsm_chain_add_32(error, nmc, `0`);
3222	return (error);
3223	}
3224
3225	/*
3226	* Compute checksum of the request seq number
3227	* If it's the final reply of context setup
3228	* then return the checksum of the context
3229	* window size.
3230	*/
3231	seqbuf.length = NFSX_UNSIGNED;
3232	if (cp->gss_svc_proc == RPCSEC_GSS_INIT \|\|
3233	cp->gss_svc_proc == RPCSEC_GSS_CONTINUE_INIT)
3234	network_seqnum = htonl(cp->gss_svc_seqwin);
3235	else
3236	network_seqnum = htonl(nd->nd_gss_seqnum);
3237	seqbuf.value = &network_seqnum;
3238
3239	major = gss_krb5_get_mic((uint32_t *)&error, cp->gss_svc_ctx_id, `0`, &seqbuf, &cksum);
3240	if (major != GSS_S_COMPLETE)
3241	return (error);
3242
3243	/*
3244	* Now wrap it in a token and add
3245	* the verifier to the reply.
3246	*/
3247	nfsm_chain_add_32(error, nmc, RPCSEC_GSS);
3248	nfsm_chain_add_32(error, nmc, cksum.length);
3249	nfsm_chain_add_opaque(error, nmc, cksum.value, cksum.length);
3250	gss_release_buffer(NULL, &cksum);
3251
3252	return (error);
3253	}
3254
3255	/*
3256	* The results aren't available yet, but if they need to be
3257	* checksummed for integrity protection or encrypted, then
3258	* we can record the start offset here, insert a place-holder
3259	* for the results length, as well as the sequence number.
3260	* The rest of the work is done later by nfs_gss_svc_protect_reply()
3261	* when the results are available.
3262	*/
3263	int
3264	nfs_gss_svc_prepare_reply(struct nfsrv_descript nd, struct* nfsm_chain *nmc)
3265	{
3266	struct nfs_gss_svc_ctx *cp = nd->nd_gss_context;
3267	int error = `0`;
3268
3269	if (cp->gss_svc_proc == RPCSEC_GSS_INIT \|\|
3270	cp->gss_svc_proc == RPCSEC_GSS_CONTINUE_INIT)
3271	return (`0`);
3272
3273	switch (nd->nd_sec) {
3274	case RPCAUTH_KRB5:
3275	/ Nothing to do /
3276	break;
3277	case RPCAUTH_KRB5I:
3278	case RPCAUTH_KRB5P:
3279	nd->nd_gss_mb = nmc->nmc_mcur; // record current mbuf
3280	nfsm_chain_finish_mbuf(error, nmc); // split the chain here
3281	break;
3282	}
3283
3284	return (error);
3285	}
3286
3287	/*
3288	* The results are checksummed or encrypted for return to the client
3289	*/
3290	int
3291	nfs_gss_svc_protect_reply(struct nfsrv_descript *nd, mbuf_t mrep __unused)
3292	{
3293	struct nfs_gss_svc_ctx *cp = nd->nd_gss_context;
3294	struct nfsm_chain nmrep_res, *nmc_res = &nmrep_res;
3295	mbuf_t mb, results;
3296	uint32_t reslen;
3297	int error = `0`;
3298
3299	/ XXX*
3300	* Using a reference to the mbuf where we previously split the reply
3301	* mbuf chain, we split the mbuf chain argument into two mbuf chains,
3302	* one that allows us to prepend a length field or token, (nmc_pre)
3303	* and the second which holds just the results that we're going to
3304	* checksum and/or encrypt. When we're done, we join the chains back
3305	* together.
3306	*/
3307
3308	mb = nd->nd_gss_mb; // the mbuf where we split
3309	results = mbuf_next(mb); // first mbuf in the results
3310	error = mbuf_setnext(mb, NULL); // disconnect the chains
3311	if (error)
3312	return (error);
3313	nfs_gss_nfsm_chain(nmc_res, mb); // set up the prepend chain
3314	nfsm_chain_build_done(error, nmc_res);
3315	if (error)
3316	return (error);
3317
3318	if (nd->nd_sec == RPCAUTH_KRB5I) {
3319	error = rpc_gss_integ_data_create(cp->gss_svc_ctx_id, &results, nd->nd_gss_seqnum, &reslen);
3320	} else {
3321	/ RPCAUTH_KRB5P /
3322	error = rpc_gss_priv_data_create(cp->gss_svc_ctx_id, &results, nd->nd_gss_seqnum, &reslen);
3323	}
3324	nfs_gss_append_chain(nmc_res, results); // Append the results mbufs
3325	nfsm_chain_build_done(error, nmc_res);
3326
3327	return (error);
3328	}
3329
3330	/*
3331	* This function handles the context setup calls from the client.
3332	* Essentially, it implements the NFS null procedure calls when
3333	* an RPCSEC_GSS credential is used.
3334	* This is the context maintenance function. It creates and
3335	* destroys server contexts at the whim of the client.
3336	* During context creation, it receives GSS-API tokens from the
3337	* client, passes them up to gssd, and returns a received token
3338	* back to the client in the null procedure reply.
3339	*/
3340	int
3341	nfs_gss_svc_ctx_init(struct nfsrv_descript nd, struct* nfsrv_sock slp, mbuf_t mrepp)
3342	{
3343	struct nfs_gss_svc_ctx *cp = NULL;
3344	int error = `0`;
3345	int autherr = `0`;
3346	struct nfsm_chain *nmreq, nmrep;
3347	int sz;
3348
3349	nmreq = &nd->nd_nmreq;
3350	nfsm_chain_null(&nmrep);
3351	*mrepp = NULL;
3352	cp = nd->nd_gss_context;
3353	nd->nd_repstat = `0`;
3354
3355	switch (cp->gss_svc_proc) {
3356	case RPCSEC_GSS_INIT:
3357	nfs_gss_svc_ctx_insert(cp);
3358	/ FALLTHRU /
3359
3360	case RPCSEC_GSS_CONTINUE_INIT:
3361	/ Get the token from the request /
3362	nfsm_chain_get_32(error, nmreq, cp->gss_svc_tokenlen);
3363	cp->gss_svc_token = NULL;
3364	if (cp->gss_svc_tokenlen > `0` && cp->gss_svc_tokenlen < GSS_MAX_TOKEN_LEN)
3365	MALLOC(cp->gss_svc_token, u_char *, cp->gss_svc_tokenlen, M_TEMP, M_WAITOK);
3366	if (cp->gss_svc_token == NULL) {
3367	autherr = RPCSEC_GSS_CREDPROBLEM;
3368	break;
3369	}
3370	nfsm_chain_get_opaque(error, nmreq, cp->gss_svc_tokenlen, cp->gss_svc_token);
3371
3372	/ Use the token in a gss_accept_sec_context upcall /
3373	error = nfs_gss_svc_gssd_upcall(cp);
3374	if (error) {
3375	autherr = RPCSEC_GSS_CREDPROBLEM;
3376	if (error == NFSERR_EAUTH)
3377	error = `0`;
3378	break;
3379	}
3380
3381	/*
3382	* If the context isn't complete, pass the new token
3383	* back to the client for another round.
3384	*/
3385	if (cp->gss_svc_major != GSS_S_COMPLETE)
3386	break;
3387
3388	/*
3389	* Now the server context is complete.
3390	* Finish setup.
3391	*/
3392	clock_get_uptime(&cp->gss_svc_incarnation);
3393
3394	cp->gss_svc_seqwin = GSS_SVC_SEQWINDOW;
3395	MALLOC(cp->gss_svc_seqbits, uint32_t *,
3396	nfsm_rndup((cp->gss_svc_seqwin + `7`) / `8`), M_TEMP, M_WAITOK\|M_ZERO);
3397	if (cp->gss_svc_seqbits == NULL) {
3398	autherr = RPCSEC_GSS_CREDPROBLEM;
3399	break;
3400	}
3401	break;
3402
3403	case RPCSEC_GSS_DATA:
3404	/ Just a nullproc ping - do nothing /
3405	break;
3406
3407	case RPCSEC_GSS_DESTROY:
3408	/*
3409	* Don't destroy the context immediately because
3410	* other active requests might still be using it.
3411	* Instead, schedule it for destruction after
3412	* GSS_CTX_PEND time has elapsed.
3413	*/
3414	cp = nfs_gss_svc_ctx_find(cp->gss_svc_handle);
3415	if (cp != NULL) {
3416	cp->gss_svc_handle = `0`; // so it can't be found
3417	lck_mtx_lock(cp->gss_svc_mtx);
3418	clock_interval_to_deadline(GSS_CTX_PEND, NSEC_PER_SEC,
3419	&cp->gss_svc_incarnation);
3420	lck_mtx_unlock(cp->gss_svc_mtx);
3421	}
3422	break;
3423	default:
3424	autherr = RPCSEC_GSS_CREDPROBLEM;
3425	break;
3426	}
3427
3428	/ Now build the reply /
3429
3430	if (nd->nd_repstat == `0`)
3431	nd->nd_repstat = autherr ? (NFSERR_AUTHERR \| autherr) : NFSERR_RETVOID;
3432	sz = `7` * NFSX_UNSIGNED + nfsm_rndup(cp->gss_svc_tokenlen); // size of results
3433	error = nfsrv_rephead(nd, slp, &nmrep, sz);
3434	*mrepp = nmrep.nmc_mhead;
3435	if (error \|\| autherr)
3436	goto nfsmout;
3437
3438	if (cp->gss_svc_proc == RPCSEC_GSS_INIT \|\|
3439	cp->gss_svc_proc == RPCSEC_GSS_CONTINUE_INIT) {
3440	nfsm_chain_add_32(error, &nmrep, sizeof(cp->gss_svc_handle));
3441	nfsm_chain_add_32(error, &nmrep, cp->gss_svc_handle);
3442
3443	nfsm_chain_add_32(error, &nmrep, cp->gss_svc_major);
3444	nfsm_chain_add_32(error, &nmrep, cp->gss_svc_minor);
3445	nfsm_chain_add_32(error, &nmrep, cp->gss_svc_seqwin);
3446
3447	nfsm_chain_add_32(error, &nmrep, cp->gss_svc_tokenlen);
3448	if (cp->gss_svc_token != NULL) {
3449	nfsm_chain_add_opaque(error, &nmrep, cp->gss_svc_token, cp->gss_svc_tokenlen);
3450	FREE(cp->gss_svc_token, M_TEMP);
3451	cp->gss_svc_token = NULL;
3452	}
3453	}
3454
3455	nfsmout:
3456	if (autherr != `0`) {
3457	nd->nd_gss_context = NULL;
3458	LIST_REMOVE(cp, gss_svc_entries);
3459	if (cp->gss_svc_seqbits != NULL)
3460	FREE(cp->gss_svc_seqbits, M_TEMP);
3461	if (cp->gss_svc_token != NULL)
3462	FREE(cp->gss_svc_token, M_TEMP);
3463	lck_mtx_destroy(cp->gss_svc_mtx, nfs_gss_svc_grp);
3464	FREE(cp, M_TEMP);
3465	}
3466
3467	nfsm_chain_build_done(error, &nmrep);
3468	if (error) {
3469	nfsm_chain_cleanup(&nmrep);
3470	*mrepp = NULL;
3471	}
3472	return (error);
3473	}
3474
3475	/*
3476	* This is almost a mirror-image of the client side upcall.
3477	* It passes and receives a token, but invokes gss_accept_sec_context.
3478	* If it's the final call of the context setup, then gssd also returns
3479	* the session key and the user's UID.
3480	*/
3481	static int
3482	nfs_gss_svc_gssd_upcall(struct nfs_gss_svc_ctx *cp)
3483	{
3484	kern_return_t kr;
3485	mach_port_t mp;
3486	int retry_cnt = `0`;
3487	gssd_byte_buffer octx = NULL;
3488	uint32_t lucidlen = `0`;
3489	void *lucid_ctx_buffer;
3490	uint32_t ret_flags;
3491	vm_map_copy_t itoken = NULL;
3492	gssd_byte_buffer otoken = NULL;
3493	mach_msg_type_number_t otokenlen;
3494	int error = `0`;
3495	char svcname[] = "nfs";
3496
3497	kr = host_get_gssd_port(host_priv_self(), &mp);
3498	if (kr != KERN_SUCCESS) {
3499	printf("nfs_gss_svc_gssd_upcall: can't get gssd port, status %x (%d)\n", kr, kr);
3500	goto out;
3501	}
3502	if (!IPC_PORT_VALID(mp)) {
3503	printf("nfs_gss_svc_gssd_upcall: gssd port not valid\n");
3504	goto out;
3505	}
3506
3507	if (cp->gss_svc_tokenlen > `0`)
3508	nfs_gss_mach_alloc_buffer(cp->gss_svc_token, cp->gss_svc_tokenlen, &itoken);
3509
3510	retry:
3511	printf("Calling mach_gss_accept_sec_context\n");
3512	kr = mach_gss_accept_sec_context(
3513	mp,
3514	(gssd_byte_buffer) itoken, (mach_msg_type_number_t) cp->gss_svc_tokenlen,
3515	svcname,
3516	`0`,
3517	&cp->gss_svc_context,
3518	&cp->gss_svc_cred_handle,
3519	&ret_flags,
3520	&cp->gss_svc_uid,
3521	cp->gss_svc_gids,
3522	&cp->gss_svc_ngroups,
3523	&octx, (mach_msg_type_number_t *) &lucidlen,
3524	&otoken, &otokenlen,
3525	&cp->gss_svc_major,
3526	&cp->gss_svc_minor);
3527
3528	printf("mach_gss_accept_sec_context returned %d\n", kr);
3529	if (kr != KERN_SUCCESS) {
3530	printf("nfs_gss_svc_gssd_upcall failed: %x (%d)\n", kr, kr);
3531	if (kr == MIG_SERVER_DIED && cp->gss_svc_context == `0` &&
3532	retry_cnt++ < NFS_GSS_MACH_MAX_RETRIES) {
3533	if (cp->gss_svc_tokenlen > `0`)
3534	nfs_gss_mach_alloc_buffer(cp->gss_svc_token, cp->gss_svc_tokenlen, &itoken);
3535	goto retry;
3536	}
3537	host_release_special_port(mp);
3538	goto out;
3539	}
3540
3541	host_release_special_port(mp);
3542
3543	if (lucidlen > `0`) {
3544	if (lucidlen > MAX_LUCIDLEN) {
3545	printf("nfs_gss_svc_gssd_upcall: bad context length (%d)\n", lucidlen);
3546	vm_map_copy_discard((vm_map_copy_t) octx);
3547	vm_map_copy_discard((vm_map_copy_t) otoken);
3548	goto out;
3549	}
3550	MALLOC(lucid_ctx_buffer, void *, lucidlen, M_TEMP, M_WAITOK \| M_ZERO);
3551	error = nfs_gss_mach_vmcopyout((vm_map_copy_t) octx, lucidlen, lucid_ctx_buffer);
3552	if (error) {
3553	vm_map_copy_discard((vm_map_copy_t) otoken);
3554	FREE(lucid_ctx_buffer, M_TEMP);
3555	goto out;
3556	}
3557	if (cp->gss_svc_ctx_id)
3558	gss_krb5_destroy_context(cp->gss_svc_ctx_id);
3559	cp->gss_svc_ctx_id = gss_krb5_make_context(lucid_ctx_buffer, lucidlen);
3560	if (cp->gss_svc_ctx_id == NULL) {
3561	printf("Failed to make context from lucid_ctx_buffer\n");
3562	goto out;
3563	}
3564	}
3565
3566	/ Free context token used as input /
3567	if (cp->gss_svc_token)
3568	FREE(cp->gss_svc_token, M_TEMP);
3569	cp->gss_svc_token = NULL;
3570	cp->gss_svc_tokenlen = `0`;
3571
3572	if (otokenlen > `0`) {
3573	/ Set context token to gss output token /
3574	MALLOC(cp->gss_svc_token, u_char *, otokenlen, M_TEMP, M_WAITOK);
3575	if (cp->gss_svc_token == NULL) {
3576	printf("nfs_gss_svc_gssd_upcall: could not allocate %d bytes\n", otokenlen);
3577	vm_map_copy_discard((vm_map_copy_t) otoken);
3578	return (ENOMEM);
3579	}
3580	error = nfs_gss_mach_vmcopyout((vm_map_copy_t) otoken, otokenlen, cp->gss_svc_token);
3581	if (error) {
3582	FREE(cp->gss_svc_token, M_TEMP);
3583	cp->gss_svc_token = NULL;
3584	return (NFSERR_EAUTH);
3585	}
3586	cp->gss_svc_tokenlen = otokenlen;
3587	}
3588
3589	return (`0`);
3590
3591	out:
3592	FREE(cp->gss_svc_token, M_TEMP);
3593	cp->gss_svc_tokenlen = `0`;
3594	cp->gss_svc_token = NULL;
3595
3596	return (NFSERR_EAUTH);
3597	}
3598
3599	/*
3600	* Validate the sequence number in the credential as described
3601	* in RFC 2203 Section 5.3.3.1
3602	*
3603	* Here the window of valid sequence numbers is represented by
3604	* a bitmap. As each sequence number is received, its bit is
3605	* set in the bitmap. An invalid sequence number lies below
3606	* the lower bound of the window, or is within the window but
3607	* has its bit already set.
3608	*/
3609	static int
3610	nfs_gss_svc_seqnum_valid(struct nfs_gss_svc_ctx *cp, uint32_t seq)
3611	{
3612	uint32_t *bits = cp->gss_svc_seqbits;
3613	uint32_t win = cp->gss_svc_seqwin;
3614	uint32_t i;
3615
3616	lck_mtx_lock(cp->gss_svc_mtx);
3617
3618	/*
3619	* If greater than the window upper bound,
3620	* move the window up, and set the bit.
3621	*/
3622	if (seq > cp->gss_svc_seqmax) {
3623	if (seq - cp->gss_svc_seqmax > win)
3624	bzero(bits, nfsm_rndup((win + `7`) / `8`));
3625	else
3626	for (i = cp->gss_svc_seqmax + `1`; i < seq; i++)
3627	win_resetbit(bits, i % win);
3628	win_setbit(bits, seq % win);
3629	cp->gss_svc_seqmax = seq;
3630	lck_mtx_unlock(cp->gss_svc_mtx);
3631	return (`1`);
3632	}
3633
3634	/*
3635	* Invalid if below the lower bound of the window
3636	*/
3637	if (seq <= cp->gss_svc_seqmax - win) {
3638	lck_mtx_unlock(cp->gss_svc_mtx);
3639	return (`0`);
3640	}
3641
3642	/*
3643	* In the window, invalid if the bit is already set
3644	*/
3645	if (win_getbit(bits, seq % win)) {
3646	lck_mtx_unlock(cp->gss_svc_mtx);
3647	return (`0`);
3648	}
3649	win_setbit(bits, seq % win);
3650	lck_mtx_unlock(cp->gss_svc_mtx);
3651	return (`1`);
3652	}
3653
3654	/*
3655	* Drop a reference to a context
3656	*
3657	* Note that it's OK for the context to exist
3658	* with a refcount of zero. The refcount isn't
3659	* checked until we're about to reap an expired one.
3660	*/
3661	void
3662	nfs_gss_svc_ctx_deref(struct nfs_gss_svc_ctx *cp)
3663	{
3664	lck_mtx_lock(cp->gss_svc_mtx);
3665	if (cp->gss_svc_refcnt > `0`)
3666	cp->gss_svc_refcnt--;
3667	else
3668	printf("nfs_gss_ctx_deref: zero refcount\n");
3669	lck_mtx_unlock(cp->gss_svc_mtx);
3670	}
3671
3672	/*
3673	* Called at NFS server shutdown - destroy all contexts
3674	*/
3675	void
3676	nfs_gss_svc_cleanup(void)
3677	{
3678	struct nfs_gss_svc_ctx_hashhead *head;
3679	struct nfs_gss_svc_ctx cp, ncp;
3680	int i;
3681
3682	lck_mtx_lock(nfs_gss_svc_ctx_mutex);
3683
3684	/*
3685	* Run through all the buckets
3686	*/
3687	for (i = `0`; i < SVC_CTX_HASHSZ; i++) {
3688	/*
3689	* Remove and free all entries in the bucket
3690	*/
3691	head = &nfs_gss_svc_ctx_hashtbl[i];
3692	LIST_FOREACH_SAFE(cp, head, gss_svc_entries, ncp) {
3693	LIST_REMOVE(cp, gss_svc_entries);
3694	if (cp->gss_svc_seqbits)
3695	FREE(cp->gss_svc_seqbits, M_TEMP);
3696	lck_mtx_destroy(cp->gss_svc_mtx, nfs_gss_svc_grp);
3697	FREE(cp, M_TEMP);
3698	}
3699	}
3700
3701	lck_mtx_unlock(nfs_gss_svc_ctx_mutex);
3702	}
3703
3704	#endif /* NFSSERVER */
3705
3706
3707	/*************
3708	* The following functions are used by both client and server.
3709	*/
3710
3711	/*
3712	* Release a host special port that was obtained by host_get_special_port
3713	* or one of its macros (host_get_gssd_port in this case).
3714	* This really should be in a public kpi.
3715	*/
3716
3717	/ This should be in a public header if this routine is not /
3718	extern void ipc_port_release_send(ipc_port_t);
3719	extern ipc_port_t ipc_port_copy_send(ipc_port_t);
3720
3721	static void
3722	host_release_special_port(mach_port_t mp)
3723	{
3724	if (IPC_PORT_VALID(mp))
3725	ipc_port_release_send(mp);
3726	}
3727
3728	static mach_port_t
3729	host_copy_special_port(mach_port_t mp)
3730	{
3731	return (ipc_port_copy_send(mp));
3732	}
3733
3734	/*
3735	* The token that is sent and received in the gssd upcall
3736	* has unbounded variable length. Mach RPC does not pass
3737	* the token in-line. Instead it uses page mapping to handle
3738	* these parameters. This function allocates a VM buffer
3739	* to hold the token for an upcall and copies the token
3740	* (received from the client) into it. The VM buffer is
3741	* marked with a src_destroy flag so that the upcall will
3742	* automatically de-allocate the buffer when the upcall is
3743	* complete.
3744	*/
3745	static void
3746	nfs_gss_mach_alloc_buffer(u_char buf, uint32_t buflen, vm_map_copy_t addr)
3747	{
3748	kern_return_t kr;
3749	vm_offset_t kmem_buf;
3750	vm_size_t tbuflen;
3751
3752	*addr = NULL;
3753	if (buf == NULL \|\| buflen == `0`)
3754	return;
3755
3756	tbuflen = vm_map_round_page(buflen,
3757	vm_map_page_mask(ipc_kernel_map));
3758	kr = vm_allocate_kernel(ipc_kernel_map, &kmem_buf, tbuflen, VM_FLAGS_ANYWHERE, VM_KERN_MEMORY_FILE);
3759	if (kr != `0`) {
3760	printf("nfs_gss_mach_alloc_buffer: vm_allocate failed\n");
3761	return;
3762	}
3763
3764	kr = vm_map_wire_kernel(ipc_kernel_map,
3765	vm_map_trunc_page(kmem_buf,
3766	vm_map_page_mask(ipc_kernel_map)),
3767	vm_map_round_page(kmem_buf + tbuflen,
3768	vm_map_page_mask(ipc_kernel_map)),
3769	VM_PROT_READ\|VM_PROT_WRITE, VM_KERN_MEMORY_FILE, FALSE);
3770	if (kr != `0`) {
3771	printf("nfs_gss_mach_alloc_buffer: vm_map_wire failed\n");
3772	return;
3773	}
3774
3775	bcopy(buf, (void *) kmem_buf, buflen);
3776	// Shouldn't need to bzero below since vm_allocate returns zeroed pages
3777	// bzero(kmem_buf + buflen, tbuflen - buflen);
3778
3779	kr = vm_map_unwire(ipc_kernel_map,
3780	vm_map_trunc_page(kmem_buf,
3781	vm_map_page_mask(ipc_kernel_map)),
3782	vm_map_round_page(kmem_buf + tbuflen,
3783	vm_map_page_mask(ipc_kernel_map)),
3784	FALSE);
3785	if (kr != `0`) {
3786	printf("nfs_gss_mach_alloc_buffer: vm_map_unwire failed\n");
3787	return;
3788	}
3789
3790	kr = vm_map_copyin(ipc_kernel_map, (vm_map_address_t) kmem_buf,
3791	(vm_map_size_t) buflen, TRUE, addr);
3792	if (kr != `0`) {
3793	printf("nfs_gss_mach_alloc_buffer: vm_map_copyin failed\n");
3794	return;
3795	}
3796	}
3797
3798	/*
3799	* Here we handle a token received from the gssd via an upcall.
3800	* The received token resides in an allocate VM buffer.
3801	* We copy the token out of this buffer to a chunk of malloc'ed
3802	* memory of the right size, then de-allocate the VM buffer.
3803	*/
3804	static int
3805	nfs_gss_mach_vmcopyout(vm_map_copy_t in, uint32_t len, u_char *out)
3806	{
3807	vm_map_offset_t map_data;
3808	vm_offset_t data;
3809	int error;
3810
3811	error = vm_map_copyout(ipc_kernel_map, &map_data, in);
3812	if (error)
3813	return (error);
3814
3815	data = CAST_DOWN(vm_offset_t, map_data);
3816	bcopy((void *) data, out, len);
3817	vm_deallocate(ipc_kernel_map, data, len);
3818
3819	return (`0`);
3820	}
3821
3822	/*
3823	* Return the number of bytes in an mbuf chain.
3824	*/
3825	static int
3826	nfs_gss_mchain_length(mbuf_t mhead)
3827	{
3828	mbuf_t mb;
3829	int len = `0`;
3830
3831	for (mb = mhead; mb; mb = mbuf_next(mb))
3832	len += mbuf_len(mb);
3833
3834	return (len);
3835	}
3836
3837	/*
3838	* Append an args or results mbuf chain to the header chain
3839	*/
3840	static int
3841	nfs_gss_append_chain(struct nfsm_chain *nmc, mbuf_t mc)
3842	{
3843	int error = `0`;
3844	mbuf_t mb, tail;
3845
3846	/ Connect the mbuf chains /
3847	error = mbuf_setnext(nmc->nmc_mcur, mc);
3848	if (error)
3849	return (error);
3850
3851	/ Find the last mbuf in the chain /
3852	tail = NULL;
3853	for (mb = mc; mb; mb = mbuf_next(mb))
3854	tail = mb;
3855
3856	nmc->nmc_mcur = tail;
3857	nmc->nmc_ptr = (caddr_t) mbuf_data(tail) + mbuf_len(tail);
3858	nmc->nmc_left = mbuf_trailingspace(tail);
3859
3860	return (`0`);
3861	}
3862
3863	/*
3864	* Convert an mbuf chain to an NFS mbuf chain
3865	*/
3866	static void
3867	nfs_gss_nfsm_chain(struct nfsm_chain *nmc, mbuf_t mc)
3868	{
3869	mbuf_t mb, tail;
3870
3871	/ Find the last mbuf in the chain /
3872	tail = NULL;
3873	for (mb = mc; mb; mb = mbuf_next(mb))
3874	tail = mb;
3875
3876	nmc->nmc_mhead = mc;
3877	nmc->nmc_mcur = tail;
3878	nmc->nmc_ptr = (caddr_t) mbuf_data(tail) + mbuf_len(tail);
3879	nmc->nmc_left = mbuf_trailingspace(tail);
3880	nmc->nmc_flags = `0`;
3881	}
3882
3883
3884
3885	#if 0
3886	#define DISPLAYLEN 16
3887	#define MAXDISPLAYLEN 256
3888
3889	static void
3890	hexdump(const char msg, void* *data, size_t len)
3891	{
3892	size_t i, j;
3893	u_char *d = data;
3894	char p, disbuf[`3`DISPLAYLEN+`1`];
3895
3896	printf("NFS DEBUG %s len=%d:\n", msg, (uint32_t)len);
3897	if (len > MAXDISPLAYLEN)
3898	len = MAXDISPLAYLEN;
3899
3900	for (i = `0`; i < len; i += DISPLAYLEN) {
3901	for (p = disbuf, j = `0`; (j + i) < len && j < DISPLAYLEN; j++, p += `3`)
3902	snprintf(p, `4`, "%02x ", d[i + j]);
3903	printf("\t%s\n", disbuf);
3904	}
3905	}
3906	#endif
3907

Browse the source code of codebrowser/bsd/nfs/nfs_gss.c