Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * linux/net/sunrpc/gss_krb5_mech.c | |
3 | * | |
4 | * Copyright (c) 2001 The Regents of the University of Michigan. | |
5 | * All rights reserved. | |
6 | * | |
7 | * Andy Adamson <andros@umich.edu> | |
8 | * J. Bruce Fields <bfields@umich.edu> | |
9 | * | |
10 | * Redistribution and use in source and binary forms, with or without | |
11 | * modification, are permitted provided that the following conditions | |
12 | * are met: | |
13 | * | |
14 | * 1. Redistributions of source code must retain the above copyright | |
15 | * notice, this list of conditions and the following disclaimer. | |
16 | * 2. Redistributions in binary form must reproduce the above copyright | |
17 | * notice, this list of conditions and the following disclaimer in the | |
18 | * documentation and/or other materials provided with the distribution. | |
19 | * 3. Neither the name of the University nor the names of its | |
20 | * contributors may be used to endorse or promote products derived | |
21 | * from this software without specific prior written permission. | |
22 | * | |
23 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED | |
24 | * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF | |
25 | * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
26 | * DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE | |
27 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |
28 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | |
29 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR | |
30 | * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | |
31 | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING | |
32 | * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | |
33 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
34 | * | |
35 | */ | |
36 | ||
37 | #include <linux/module.h> | |
38 | #include <linux/init.h> | |
39 | #include <linux/types.h> | |
40 | #include <linux/slab.h> | |
41 | #include <linux/sunrpc/auth.h> | |
1da177e4 LT |
42 | #include <linux/sunrpc/gss_krb5.h> |
43 | #include <linux/sunrpc/xdr.h> | |
44 | #include <linux/crypto.h> | |
45 | ||
46 | #ifdef RPC_DEBUG | |
47 | # define RPCDBG_FACILITY RPCDBG_AUTH | |
48 | #endif | |
49 | ||
50 | static const void * | |
51 | simple_get_bytes(const void *p, const void *end, void *res, int len) | |
52 | { | |
53 | const void *q = (const void *)((const char *)p + len); | |
54 | if (unlikely(q > end || q < p)) | |
55 | return ERR_PTR(-EFAULT); | |
56 | memcpy(res, p, len); | |
57 | return q; | |
58 | } | |
59 | ||
60 | static const void * | |
61 | simple_get_netobj(const void *p, const void *end, struct xdr_netobj *res) | |
62 | { | |
63 | const void *q; | |
64 | unsigned int len; | |
65 | ||
66 | p = simple_get_bytes(p, end, &len, sizeof(len)); | |
67 | if (IS_ERR(p)) | |
68 | return p; | |
69 | q = (const void *)((const char *)p + len); | |
70 | if (unlikely(q > end || q < p)) | |
71 | return ERR_PTR(-EFAULT); | |
72 | res->data = kmalloc(len, GFP_KERNEL); | |
73 | if (unlikely(res->data == NULL)) | |
74 | return ERR_PTR(-ENOMEM); | |
75 | memcpy(res->data, p, len); | |
76 | res->len = len; | |
77 | return q; | |
78 | } | |
79 | ||
80 | static inline const void * | |
81 | get_key(const void *p, const void *end, struct crypto_tfm **res) | |
82 | { | |
83 | struct xdr_netobj key; | |
84 | int alg, alg_mode; | |
85 | char *alg_name; | |
86 | ||
87 | p = simple_get_bytes(p, end, &alg, sizeof(alg)); | |
88 | if (IS_ERR(p)) | |
89 | goto out_err; | |
90 | p = simple_get_netobj(p, end, &key); | |
91 | if (IS_ERR(p)) | |
92 | goto out_err; | |
93 | ||
94 | switch (alg) { | |
95 | case ENCTYPE_DES_CBC_RAW: | |
96 | alg_name = "des"; | |
97 | alg_mode = CRYPTO_TFM_MODE_CBC; | |
98 | break; | |
99 | default: | |
9e56904e | 100 | printk("gss_kerberos_mech: unsupported algorithm %d\n", alg); |
1da177e4 LT |
101 | goto out_err_free_key; |
102 | } | |
9e56904e BF |
103 | if (!(*res = crypto_alloc_tfm(alg_name, alg_mode))) { |
104 | printk("gss_kerberos_mech: unable to initialize crypto algorithm %s\n", alg_name); | |
1da177e4 | 105 | goto out_err_free_key; |
9e56904e BF |
106 | } |
107 | if (crypto_cipher_setkey(*res, key.data, key.len)) { | |
108 | printk("gss_kerberos_mech: error setting key for crypto algorithm %s\n", alg_name); | |
1da177e4 | 109 | goto out_err_free_tfm; |
9e56904e | 110 | } |
1da177e4 LT |
111 | |
112 | kfree(key.data); | |
113 | return p; | |
114 | ||
115 | out_err_free_tfm: | |
116 | crypto_free_tfm(*res); | |
117 | out_err_free_key: | |
118 | kfree(key.data); | |
119 | p = ERR_PTR(-EINVAL); | |
120 | out_err: | |
121 | return p; | |
122 | } | |
123 | ||
124 | static int | |
125 | gss_import_sec_context_kerberos(const void *p, | |
126 | size_t len, | |
127 | struct gss_ctx *ctx_id) | |
128 | { | |
129 | const void *end = (const void *)((const char *)p + len); | |
130 | struct krb5_ctx *ctx; | |
131 | ||
0da974f4 | 132 | if (!(ctx = kzalloc(sizeof(*ctx), GFP_KERNEL))) |
1da177e4 | 133 | goto out_err; |
1da177e4 LT |
134 | |
135 | p = simple_get_bytes(p, end, &ctx->initiate, sizeof(ctx->initiate)); | |
136 | if (IS_ERR(p)) | |
137 | goto out_err_free_ctx; | |
138 | p = simple_get_bytes(p, end, &ctx->seed_init, sizeof(ctx->seed_init)); | |
139 | if (IS_ERR(p)) | |
140 | goto out_err_free_ctx; | |
141 | p = simple_get_bytes(p, end, ctx->seed, sizeof(ctx->seed)); | |
142 | if (IS_ERR(p)) | |
143 | goto out_err_free_ctx; | |
144 | p = simple_get_bytes(p, end, &ctx->signalg, sizeof(ctx->signalg)); | |
145 | if (IS_ERR(p)) | |
146 | goto out_err_free_ctx; | |
147 | p = simple_get_bytes(p, end, &ctx->sealalg, sizeof(ctx->sealalg)); | |
148 | if (IS_ERR(p)) | |
149 | goto out_err_free_ctx; | |
150 | p = simple_get_bytes(p, end, &ctx->endtime, sizeof(ctx->endtime)); | |
151 | if (IS_ERR(p)) | |
152 | goto out_err_free_ctx; | |
153 | p = simple_get_bytes(p, end, &ctx->seq_send, sizeof(ctx->seq_send)); | |
154 | if (IS_ERR(p)) | |
155 | goto out_err_free_ctx; | |
156 | p = simple_get_netobj(p, end, &ctx->mech_used); | |
157 | if (IS_ERR(p)) | |
158 | goto out_err_free_ctx; | |
159 | p = get_key(p, end, &ctx->enc); | |
160 | if (IS_ERR(p)) | |
161 | goto out_err_free_mech; | |
162 | p = get_key(p, end, &ctx->seq); | |
163 | if (IS_ERR(p)) | |
164 | goto out_err_free_key1; | |
165 | if (p != end) { | |
166 | p = ERR_PTR(-EFAULT); | |
167 | goto out_err_free_key2; | |
168 | } | |
169 | ||
170 | ctx_id->internal_ctx_id = ctx; | |
d6e05edc | 171 | dprintk("RPC: Successfully imported new context.\n"); |
1da177e4 LT |
172 | return 0; |
173 | ||
174 | out_err_free_key2: | |
175 | crypto_free_tfm(ctx->seq); | |
176 | out_err_free_key1: | |
177 | crypto_free_tfm(ctx->enc); | |
178 | out_err_free_mech: | |
179 | kfree(ctx->mech_used.data); | |
180 | out_err_free_ctx: | |
181 | kfree(ctx); | |
182 | out_err: | |
183 | return PTR_ERR(p); | |
184 | } | |
185 | ||
186 | static void | |
187 | gss_delete_sec_context_kerberos(void *internal_ctx) { | |
188 | struct krb5_ctx *kctx = internal_ctx; | |
189 | ||
573dbd95 JJ |
190 | crypto_free_tfm(kctx->seq); |
191 | crypto_free_tfm(kctx->enc); | |
192 | kfree(kctx->mech_used.data); | |
1da177e4 LT |
193 | kfree(kctx); |
194 | } | |
195 | ||
1da177e4 LT |
196 | static struct gss_api_ops gss_kerberos_ops = { |
197 | .gss_import_sec_context = gss_import_sec_context_kerberos, | |
198 | .gss_get_mic = gss_get_mic_kerberos, | |
199 | .gss_verify_mic = gss_verify_mic_kerberos, | |
14ae162c BF |
200 | .gss_wrap = gss_wrap_kerberos, |
201 | .gss_unwrap = gss_unwrap_kerberos, | |
1da177e4 LT |
202 | .gss_delete_sec_context = gss_delete_sec_context_kerberos, |
203 | }; | |
204 | ||
205 | static struct pf_desc gss_kerberos_pfs[] = { | |
206 | [0] = { | |
207 | .pseudoflavor = RPC_AUTH_GSS_KRB5, | |
208 | .service = RPC_GSS_SVC_NONE, | |
209 | .name = "krb5", | |
210 | }, | |
211 | [1] = { | |
212 | .pseudoflavor = RPC_AUTH_GSS_KRB5I, | |
213 | .service = RPC_GSS_SVC_INTEGRITY, | |
214 | .name = "krb5i", | |
215 | }, | |
14ae162c BF |
216 | [2] = { |
217 | .pseudoflavor = RPC_AUTH_GSS_KRB5P, | |
218 | .service = RPC_GSS_SVC_PRIVACY, | |
219 | .name = "krb5p", | |
220 | }, | |
1da177e4 LT |
221 | }; |
222 | ||
223 | static struct gss_api_mech gss_kerberos_mech = { | |
224 | .gm_name = "krb5", | |
225 | .gm_owner = THIS_MODULE, | |
226 | .gm_ops = &gss_kerberos_ops, | |
227 | .gm_pf_num = ARRAY_SIZE(gss_kerberos_pfs), | |
228 | .gm_pfs = gss_kerberos_pfs, | |
229 | }; | |
230 | ||
231 | static int __init init_kerberos_module(void) | |
232 | { | |
233 | int status; | |
234 | ||
235 | status = gss_mech_register(&gss_kerberos_mech); | |
236 | if (status) | |
237 | printk("Failed to register kerberos gss mechanism!\n"); | |
238 | return status; | |
239 | } | |
240 | ||
241 | static void __exit cleanup_kerberos_module(void) | |
242 | { | |
243 | gss_mech_unregister(&gss_kerberos_mech); | |
244 | } | |
245 | ||
246 | MODULE_LICENSE("GPL"); | |
247 | module_init(init_kerberos_module); | |
248 | module_exit(cleanup_kerberos_module); |